aboutsummaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* Explicit cast Referer / Host line to the type `ndpi_strnstr(...)` expects ↵HEADdevToni Uhlig2025-01-25
| | | | | | (unsigned char -> char) Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Extracted http host and referer metadata (http protocol)Luca Deri2025-01-24
|
* Added health categoryLuca Deri2025-01-24
|
* CI: move tests with "local gcrypt" to a scheduled job (#2699)Ivan Nardi2025-01-24
| | | The goal is always the same: faster CI when pushing/committing
* CI: fix documentation job (#2698)Ivan Nardi2025-01-24
|
* RTP: improve detection of multimedia type for Signal calls (#2697)Ivan Nardi2025-01-24
|
* fuzz: extend fuzzing coverage (#2696)Ivan Nardi2025-01-23
|
* Minor extension for custom nDPIIvan Nardi2025-01-23
|
* Removed OpenDPI references now obsoleteLuca Deri2025-01-20
|
* Added Windows fingerprintsLuca Deri2025-01-20
|
* Unify "Skype" and "Teams" ids (#2687)Ivan Nardi2025-01-20
| | | | | | * Rename `NDPI_PROTOCOL_SKYPE_TEAMS_CALL` -> `NDPI_PROTOCOL_MSTEAMS_CALL` * Rename ip list from "Skype/Teams" to "Teams"
* OpenVPN: fix a warning (#2686)Ivan Nardi2025-01-19
| | | | | | ``` protocols/openvpn.c:378:11: error: variable 'iter' set but not used [-Werror,-Wunused-but-set-variable] 378 | int rc, iter, offset; ```
* Add missing Dropbox domain (#2685)Vladimir Gavrilov2025-01-19
|
* JA4: Fix SSL 2 version and remove fictional SSL 1 version along with ↵Daniel Roethlisberger2025-01-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | mis-mapping to s3 (#2684) * JA4: Fix SSL 2 version constant to 0x0002 SSL 2 uses a version field of 0x0002, not 0x0200. This is confirmed not only in the original Netscape spec [1] and RFC draft of the time [2], but also in major implementations such as OpenSSL [3] and Wireshark [4]. An earlier version of the JA4 spec [5] also mistakenly used 0x0200 for SSL 2 and 0x0100 for SSL 1. This was fixed in [6] in August 2024. [1] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html [2] https://datatracker.ietf.org/doc/html/draft-hickman-netscape-ssl-00 [3] https://github.com/openssl/openssl/blob/OpenSSL_0_9_6m/ssl/ssl2.h#L66-L71 [4] https://github.com/wireshark/wireshark/blob/release-4.4/epan/dissectors/packet-tls-utils.h#L266-L277 [5] https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md#tls-and-dtls-version [6] FoxIO-LLC/ja4#150 * JA4: Remove fictional (and mis-mapped to "s3") SSL 1 SSL 1 was never actually deployed, the design was iterated upon to become SSL 2 before it was released by Netscape [1] [2] [3] [4]. I don't think it's public knowledge what the version field for SSL 1 would have looked like, or if it even was two bytes large or at the same offset on the wire; given that SSL 2 used 0x0002 it seems more likely to have been 0x0001 than 0x0100. Version field 0x0100, that is currently misattributed to SSL 1, was used by an early pre-RFC4347 implementation of DTLS in OpenSSL before 0.9.8f [5], when OpenSSL switched to the version field specified by RFC4347. This use of 0x0100 is also reflected in Wireshark's TLS dissector [4] (`DTLSV1DOT0_OPENSSL_VERSION`). For these reasons, it seems to make sense to remove the fictional SSL 1 code entirely. This also removes an issue where the resulting JA4 string would be "s3" instead of the intended "s1". An earlier version of the JA4 spec [6] also mistakenly used 0x0200 for SSL 2 and 0x0100 for SSL 1. This was fixed in [7] in August 2024. [1] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html [2] https://datatracker.ietf.org/doc/html/draft-hickman-netscape-ssl-00 [3] https://github.com/openssl/openssl/blob/OpenSSL_0_9_6m/ssl/ssl2.h#L66-L71 [4] https://github.com/wireshark/wireshark/blob/release-4.4/epan/dissectors/packet-tls-utils.h#L266-L277 [5] https://github.com/openssl/openssl/compare/OpenSSL_0_9_8e...OpenSSL_0_9_8f [6] https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md#tls-and-dtls-version [7] FoxIO-LLC/ja4#150 * Fix tests where old DTLS (0x0100) was mis-identified as SSL 3.0 These two tests contain DTLS flows using a version field of 0x0100 as used by OpenSSL pre 0.9.8f, before OpenSSL switched to the standardised version code points for its DTLS implementation. The correct JA4 mapping is "d00", not "ds3".
* CI: remove support for ubuntu-20.04 (#2683)Ivan Nardi2025-01-17
| | | | This Ubuntu version is going to be deprecated. See: https://github.com/actions/runner-images/issues/11101
* Minor follow-up for DigitalOcean support (#2682)Ivan Nardi2025-01-17
|
* Renamed ips_match to ndpi_ips_matchLuca Deri2025-01-17
|
* Improved DICOM detectionLuca Deri2025-01-17
|
* Added DigitalOcean protocolLuca Deri2025-01-17
|
* ndpiReader: add some global statistics about FPC (#2680)Ivan Nardi2025-01-17
| | | Enabled via `--dump-fpc-stats` option
* CI: use Linux arm64 hosted runners provided directly from GitHub (#2681)Ivan Nardi2025-01-17
| | | | | See: https://github.blog/changelog/2025-01-16-linux-arm64-hosted-runners-now-available-for-free-in-public-repositories-public-preview/ Native runners are incredibly faster that using docker (as expected...).
* Fix compilation on latest mac versions with external libraries (#2669)Ivan Nardi2025-01-15
| | | | | | Fix also Performance job on ubuntu-latest/24.04: see similar fix in 957a05050. Close: #2412
* STUN: improve detection of Telegram calls (#2671)Ivan Nardi2025-01-14
|
* TLS: remove JA3C (#2679)Ivan Nardi2025-01-14
| | | | | | | | Last step of removing JA3C fingerprint Remove some duplicate tests: testing with ja4c/ja3s disabled is already performed by `disable_metadata_and_flowrisks` configuration. Close:#2551
* Add (kind of) support for loading a list of JA4C malicious fingerprints (#2678)Ivan Nardi2025-01-14
| | | | | | | | | It might be usefull to be able to match traffic against a list of suspicious JA4C fingerprints Use the same code/logic/infrastructure used for JA3C (note that we are going to remove JA3C...) See: #2551
* Temporarely reverts ↵Luca Deri2025-01-13
| | | | https://github.com/ntop/nDPI/commit/d351907af8b93020d5d4ac2949d8e9dd0cfb0dd7
* Fix code scanning alert no. 13: Multiplication result converted to larger ↵Luca Deri2025-01-13
| | | | | type (#2675) Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Fix code scanning alert no. 12: Multiplication result converted to larger ↵Luca Deri2025-01-13
| | | | | type (#2676) Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Fix code scanning alert no. 7: Multiplication result converted to larger ↵Luca Deri2025-01-13
| | | | | type (#2677) Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Fix code scanning alert no. 14: Redundant null check due to previous ↵Luca Deri2025-01-13
| | | | | dereference (#2674) Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Fixes https://github.com/ntop/nDPI/issues/2673Luca Deri2025-01-13
|
* Fixes https://github.com/ntop/nDPI/issues/2672Luca Deri2025-01-13
|
* fuzz: add 2 new fuzzers for KD-trees and Ball-trees (#2670)Ivan Nardi2025-01-13
|
* Remove JA3C output from ndpiReader (#2667)Ivan Nardi2025-01-12
| | | | | | | | | | | | | Removing JA3C is an big task. Let's start with a simple change having an huge impact on unit tests: remove printing of JA3C information from ndpiReader. This way, when we will delete the actual code, the unit tests diffs should be a lot simpler to look at. Note that the information if the client/server cipher is weak or obsolete is still available via flow risk See: #2551
* HTTP: fix entropy calculation (#2666)Ivan Nardi2025-01-12
| | | | We calculate HTTP entropy according to "Content-type:" header, see `ndpi_validate_http_content()` on HTTP code
* Add Vivox support (#2668)Vladimir Gavrilov2025-01-11
|
* Make CI faster (#2662)Ivan Nardi2025-01-11
| | | | | | | | | | | | | | | | | Right now the CI takes ~30 minutes; the goal is to have it ending in < 15 min. The basic trick is to run the longer jobs (no_x86_64 and masan) only with the recently updated pcaps. The same jobs will run again on schedule (every night) testing all the traces. This way the CI will be "green" (hopefully!) earlier while pushing new commit/PR; full tests are simply delayed. Details: when `NDPI_TEST_ONLY_RECENTLY_UPDATED_PCAPS` is set, `tests/do.sh` checks only the latest 10 pcaps (i.e. the more recent pcap added/updated) for *every* configuration. Notes that no_x86_64 and masan jobs run twice: when pushing/merging and on schedule (every night)
* Fix CodeQL GitHub action (#2665)Ivan Nardi2025-01-11
| | | | | | | For some reansons, the installation of golang-1.16 fails on ubuntu 24.04 (note that ubuntu-latest now is pointing to ubuntu-24.04). It seems that everything is fine if we use the already installed version of golang
* Improved WebSocket-over-HTTP detection (#2664)Toni2025-01-11
| | | | | | * detect `chisel` SSH-over-HTTP-WebSocket * use `strncasecmp()` for `LINE_*` matching macros Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Improve documentation (#2661)Ivan Nardi2025-01-10
| | | | Integrate .md files into official documentation See: https://stackoverflow.com/questions/46278683/include-my-markdown-readme-into-sphinx/68005314#68005314
* Update some CI jobs (#2660)Ivan Nardi2025-01-09
| | | | | | | | | | | | | * Move ThreadSanitizer job to the scheduled jobs (once a day): all our tests are intrinsically mono-thread and this job takes quite some time * Two explicit jobs to test LTO and Gold linker, used by oss-fuzz * Two explicit jobs for Windows (with msys2) * Run address sanitizer only on the 4 main jobs: newest/oldest gcc/clang * Reduce the time used by fuzzing jobs. Note that oss-fuzz is continuosly fuzzing our code! * Move the no x86_64 jobs to a dedicated file This way, the main matrix is a little bit simpler and the CI jobs last a little shorter
* Added ICMP risk checks for valid packet payloadsLuca Deri2025-01-08
|
* QUIC: remove extraction of user-agent (#2650)Ivan Nardi2025-01-07
| | | | | In very old (G)QUIC versions by Google, the user agent was available on plain text. That is not true anymore, since about end of 2021. See: https://github.com/google/quiche/commit/f282c934f4731a9f4be93409c9f3e8687f0566a7
* Classifications "by-port"/"by-ip" should never change (#2656)Ivan Nardi2025-01-06
| | | Add a new variable to keep track of internal partial classification
* Fix classification "by-port" (#2655)Ivan Nardi2025-01-06
| | | | | Classification "by-port" is the latest possible shot at getting a classification, when everything else failed: we should always use the configured ports (as expected by the users, IMO)
* Add the ability to enable/disable every specific flow risks (#2653)Ivan Nardi2025-01-06
|
* ndpiReader: update JA statistics (#2646)Ivan Nardi2025-01-06
| | | | Show JA4C and JA3S information (instead of JA3C and JA3S) See #2551 for context
* QUIC: extract "max idle timeout" parameter (#2649)Ivan Nardi2025-01-06
| | | | | Even if it is only the proposed value by the client (and not the negotiated one), it might be use as hint for timeout by the (external) flows manager
* TLS: fix `NDPI_TLS_WEAK_CIPHER` flow risk (#2647)Ivan Nardi2025-01-06
| | | | We should set it also for "obsolete"/"insecure" ciphers, not only for the "weak" ones.
* TLS: remove ESNI support (#2648)Ivan Nardi2025-01-06
| | | | | ESNI has been superseded by ECH for years, now. See: https://blog.cloudflare.com/encrypted-client-hello/ Set the existing flow risk if we still found this extension.
Powered by cgit, Themed by Ted Yin.