aboutsummaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* Add realtime protocol output to `ndpiReader`. (#2197)Toni2024-01-09
| | | | | | * support for using a new flow callback invoked before the flow memory is free'd * minor fixes Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Fix default port conflicts between AJP and CiscoVPN (#2245)Ivan Nardi2024-01-08
| | | | | | | | | | | | | | | | | | | | | We shouldn't have the same default port associated with multiple protocols. The key reason is that we use only one of them (for classification by-port, for example) and which one we really use depends on the internal order of the protocolsi's initialization (which is unknown to the user). We have 3 port collisions: * 8009: AJP and CiscoVPN * 445: SMBv1 and SMBv23 * 8080: HTTP_Connect and HTTP_Proxy I think that the two last cases don't really matter... About the first one: it seems that CiscoVPN is retired from 2011/2014 (see https://www.cisco.com/c/en/us/obsolete/security/cisco-vpn-client.html) and superseded by AnyConnect, which uses different ports (see https://community.cisco.com/t5/network-security/what-protocols-are-used-on-anyconnect-mobility-client/td-p/4713525). Therefore it should be safe to remove 8009 from the CiscoVPN default ports.
* Make some test traces smaller (#2243)Ivan Nardi2024-01-08
| | | | | | Having smaller traces help fuzzing: we want the fuzzers to mutate "interesting" packets analyzed by nDPI, i.e. the first packets of each flows. Try hard to keep the same classification and extraction capabilities
* Add Google Chat support (#2244)Vladimir Gavrilov2024-01-07
|
* ndpiReader: add breed stats on output used for CI (#2236)Ivan Nardi2024-01-05
|
* Add Ceph protocol dissector (#2242)Vladimir Gavrilov2024-01-04
| | | | | * Add Ceph protocol dissector * Update protocols.rst
* Add an implementation of the BSD function `strtonum` (#2238)Ivan Nardi2024-01-04
| | | | | The main difference with the original function is that we allow to specify the base. Credit for the original idea and the first implementation to @0xA50C1A1
* Add HL7 protocol dissector (#2240)Vladimir Gavrilov2024-01-02
| | | | | | | * Add HL7 protocol dissector * Small fixes * Small fixes
* STUN: fix detection of Google Meet over IPv6 (#2241)Ivan Nardi2024-01-02
|
* Add IEC62056 (DLMS/COSEM) protocol dissector (#2229)Vladimir Gavrilov2024-01-02
| | | | | | | | | | | | | | | | | | | * Add IEC62056 (DLMS/COSEM) protocol dissector * Fix detection on big endian architectures * Update protocols.rst * Add ndpi_crc16_x25 to fuzz/fuzz_alg_crc32_md5.c * Update pcap sample * Remove empty .out file * iec62056: add some documentation --------- Co-authored-by: Nardi Ivan <nardi.ivan@gmail.com>
* fuzz: improve fuzzing coverage (#2239)Ivan Nardi2024-01-02
|
* Remove Google Hangouts/Duo stuff (#2233)Vladimir Gavrilov2024-01-02
| | | | | * Remove Google Hangouts/Duo support * Update protocols.rst
* sha256: fix undefined-shift error (#2237)Ivan Nardi2024-01-02
| | | | | | | | ``` third_party/src/ndpi_sha256.c:51:21: runtime error: left shift of 128 by 24 places cannot be represented in type 'int' ``` Found by oss-fuzzer See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65305
* TLS: fix heap-buffer-overflow (#2235)Ivan Nardi2024-01-02
| | | | | | | | | | | | | | | | | | | | ``` ==53992==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000007e04 at pc 0x555da2165fd0 bp 0x7ffddf7e3990 sp 0x7ffddf7e3988 READ of size 2 at 0x511000007e04 thread T0 #0 0x555da2165fcf in processClientServerHello /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:2384:50 #1 0x555da217c31f in processTLSBlock /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:908:5 #2 0x555da2176720 in ndpi_search_tls_udp /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:1273:11 #3 0x555da215a628 in ndpi_search_tls_wrapper /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:2883:5 #4 0x555da1e95c30 in check_ndpi_detection_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6720:6 #5 0x555da1e969f3 in check_ndpi_udp_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6756:10 #6 0x555da1e96394 in ndpi_check_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6789:12 #7 0x555da1ea7991 in ndpi_internal_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7929:15 #8 0x555da1ea547f in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:8104:22 #9 0x555da1de137f in packet_processing /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:1721:31 #10 0x555da1de137f in ndpi_workflow_process_packet /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:2438:1 ``` Found by oss-fuzzer See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65362
* Teamviewer: varius fixes (#2228)Ivan Nardi2024-01-02
| | | | | | | | | We already have a generic (and up to date) logic to handle ip addresses: remove that stale list. Teamviewer uses TCP and UDP, both; we can't access `flow->l4.udp`. According to a comment, we set the flow risk `NDPI_DESKTOP_OR_FILE_SHARING_SESSION` only for the UDP flows.
* Add NoMachine NX protocol dissector (#2234)Vladimir Gavrilov2024-01-02
| | | | | | | | | * Add NoMachine protocol dissector * Fix detection on big endian architectures * Make NoMachine over UDP check more strict * Small fixes
* Implemented ndpi_is_outlier() for detecting outliers using z-scoreLuca2023-12-28
|
* Implements ndpi_pearson_correlation for measuring how correlated are two seriesLuca Deri2023-12-27
|
* New ndpi_sha256() nDPI API call (#2230)Luca Deri2023-12-23
| | | | | * Added ndpi_sha256.c to the Windows project * Added ndpi_sha256() nDPI API call
* Removed type redefinitionLuca Deri2023-12-23
|
* Changes to avoid type redefinition on windowsLuca Deri2023-12-23
|
* Buffer overflow fixLuca Deri2023-12-23
|
* Updated resultLuca Deri2023-12-22
|
* Warning fixLuca Deri2023-12-22
|
* Fixed check (when using ./autogen.sh --enable-option-checking=fatal ↵Luca Deri2023-12-22
| | | | --enable-debug-messages --with-thread-sanitizer --with-pcre2 --with-maxminddb --enable-tls-sigs)
* Fixes nDPI datastructs size checkLuca Deri2023-12-22
|
* Implements JA4 Support (#2191)Luca Deri2023-12-22
|
* Changes to make room for JA4Luca Deri2023-12-22
|
* Add Apache Kafka protocol dissector (#2226)Vladimir Gavrilov2023-12-22
|
* Add WebDAV detection support (#2224)Vladimir Gavrilov2023-12-22
| | | | | | | | | | | | | * Add WebDAV detection support * Add pcap example * Update test results * Remove redundant checks * Add WebDAV related HTTP methods to fuzz/dictionary.dict * Add note about WebDAV
* Various MDNS flow risks fixesLuca2023-12-21
|
* MDNS fixLuca2023-12-21
|
* CI: update list of compilers (#2223)Ivan Nardi2023-12-20
| | | | | Try using latest gcc and clang versions. We still care about RHEL7: since handling a RHEL7 runner on GitHub is quite complex, let try to use a similar version of gcc, at least
* Add JSON-RPC protocol dissector (#2217)Vladimir Gavrilov2023-12-20
| | | | | | | * Add JSON-RPC protocol dissector * Small fixes * Improve detection
* Add OpenFlow protocol dissector (#2222)Vladimir Gavrilov2023-12-20
|
* mining: a better identification logic (#2221)Ivan Nardi2023-12-20
| | | | | | | | | | It is quite simple (and not so efficient) but it should fix all the false positives reported in #2216. Add support for Ethereum mining. Merge all the mining traces. Remove duplicated function. Close #2216
* fuzz: improve fuzzing coverage (#2220)Ivan Nardi2023-12-19
|
* Rename NDPI_PROTOCOL_RPC to NDPI_PROTOCOL_MS_RPCH (#2218)Vladimir Gavrilov2023-12-19
| | | | | | | * Rename NDPI_PROTOCOL_RPC to NDPI_PROTOCOL_MS_RPCH * Add protocol description * Improve MS-RPCH detection
* Add UFTP protocol dissector (#2215)Vladimir Gavrilov2023-12-18
| | | | | | | * Add UFTP protocol dissector * Update docs * Merge pcap files
* Add HiSLIP protocol dissector (#2214)Vladimir Gavrilov2023-12-17
| | | | | * Add HiSLIP protocol dissector * Fix error
* Add PROFINET/IO protocol dissector (#2213)Vladimir Gavrilov2023-12-16
| | | | | | | | | * Add PROFINET/IO protocol dissector * Add LE (Little Endian) to the file name * Rework dissector * Remove redundant check
* TLS: be sure to always set a category value (#2206)Ivan Nardi2023-12-14
| | | | | We probably need to check everywhere we set the category in the "extra dissection" data path: a flow with a proper classification can't have NDPI_PROTOCOL_CATEGORY_UNSPECIFIED as category.
* Add Monero protocol classification. (#2196)Toni2023-12-13
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Sync unit tests results after latest merge (#2211)Ivan Nardi2023-12-13
|
* QUIC: add heuristic to detect unidirectional *G*QUIC flows (#2207)Ivan Nardi2023-12-13
| | | Fix extraction of `flow->protos.tls_quic.quic_version` metadata.
* ndpiReader: avoid creating two detection modules when processing ↵Ivan Nardi2023-12-12
| | | | traffic/traces (#2209)
* ndpiReader: fix `guessed_flow_protocols` statistic (#2203)Ivan Nardi2023-12-12
| | | Increment the counter only if the flow has been guessed
* fuzz: extend fuzzing coverage (#2208)Ivan Nardi2023-12-11
|
* STUN: rework extra dissection (#2202)Ivan Nardi2023-12-11
| | | | | | | Keep looking for RTP packets but remove the monitoring concept. We will re-introduce a more general concept of "flow in monitoring state" later. The function was disabled by default. Some configuration knobs will be provided when/if #2190 is merged.
* HTTP: faster processing of asymmetric flows (#2198)Ivan Nardi2023-12-11
|
Powered by cgit, Themed by Ted Yin.