| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
| |
```
ndpiReader.c:6415:28: error: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (65 chars into 64 available) [-Werror=unterminated-string-initialization]
6415 | u_char enc_dec_key[64] = "9dedb817e5a8805c1de62eb8982665b9a2b4715174c34d23b9a46ffafacfb2a7" /* SHA256("nDPI") */;
```
|
| | |
|
| |
|
|
| |
Follow-up of f56831336334dddcff00eaf2132e5e0f226f0e32: now the
configuration is for flow-risk, not global
|
| |
|
|
|
|
|
| |
Use `NDPI_OBFUSCATED_TRAFFIC` instead; this way, all the obfuscated
traffic is identified via `NDPI_OBFUSCATED_TRAFFIC` flow risk.
Disable fully-encryption detection by default, like all the obfuscation
heuristics.
|
| | |
|
| |
|
|
| |
We are going to use HTTP metadata only for real HTTP traffic; FastCGI
should be the only protocol using them improperly
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Custom rules with *new* protocols are checked "first": if there is a
match, the first packet of the flow provides a complete and final
classification.
The same logic should apply to custom rules with "existing" protocols:
if there is match, nDPI shouldn't do anything else.
Remove the `tcp:3000@ntop` custom rule.
Fix the default port for ElasticSearch (in the protocol file)
|
| | |
|
| | |
|
| |
|
|
|
| |
Thiw way, the code is ready to handle rtp info from STUN flows too.
And, most important, this change works as workaround to fix some crashes
reported by oss-fuzz
|
| | |
|
| |
|
|
| |
Added ndpi_rtp_payload_type2str() API call
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
If we have a (potential) valid sub-classification, we shoudn't check for
DGA, even if the subclassification itself is disabled!
|
| |
|
|
| |
Updated (C)
|
| |
|
| |
Fix confidence value for same TCP flows
|
| |
|
| |
Extend file configuration for just subclassification.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In some scenarios, you might not be interested in flow metadata or
flow-risks at all, but you might want only flow (sub-)classification.
Examples: you only want to forward the traffic according to the
classification or you are only interested in some protocol statistics.
Create a new configuration file (for `ndpiReader`, but you can trivially
adapt it for the library itself) allowing exactly that. You can use it
via: `ndpiReader --conf=example/only_classification.conf ...`
Note that this way, the nDPI overhead is lower because it might need
less packets per flow:
* TLS: nDPI processes only the CH (in most cases) and not also the SH
and certificates
* DNS: only the request is processed (instead of both request and
response)
We might extend the same "shortcut-logic" (stop processing the flow
immediately when there is a final sub-classification) for others
protocols.
Add the configuration options to enable/disable the extraction of some
TLS metadata.
|
| | |
|
| |
|
| |
Enabled via `--dump-fpc-stats` option
|
| |
|
|
|
|
|
|
| |
Last step of removing JA3C fingerprint
Remove some duplicate tests: testing with ja4c/ja3s disabled is already
performed by `disable_metadata_and_flowrisks` configuration.
Close:#2551
|
| |
|
|
|
|
|
|
|
| |
It might be usefull to be able to match traffic against a list of
suspicious JA4C fingerprints
Use the same code/logic/infrastructure used for JA3C (note that we are
going to remove JA3C...)
See: #2551
|
| |
|
|
|
| |
type (#2677)
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Removing JA3C is an big task. Let's start with a simple change having an
huge impact on unit tests: remove printing of JA3C information from
ndpiReader.
This way, when we will delete the actual code, the unit tests diffs
should be a lot simpler to look at.
Note that the information if the client/server cipher is weak or
obsolete is still available via flow risk
See: #2551
|
| |
|
|
| |
Show JA4C and JA3S information (instead of JA3C and JA3S)
See #2551 for context
|
| |
|
|
|
| |
Even if it is only the proposed value by the client (and not the
negotiated one), it might be use as hint for timeout by the (external)
flows manager
|
| |
|
|
|
| |
ESNI has been superseded by ECH for years, now.
See: https://blog.cloudflare.com/encrypted-client-hello/
Set the existing flow risk if we still found this extension.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Example:
./example/ndpiReader --conf=./example/calls.conf -i ./tests/pcap/signal_videocall.pcapng -v2
Close #2608
|
| |
|
| |
In the same flow, we can have multiple multimedia types
|
| | |
|
| |
|
|
|
| |
When capturing live traffic, accounting and export of expired flows is
wrong (see #2617).
Let's try to fix some statistics, at least
|
| | |
|
| |
|
|
|
| |
* fixes SonarCloud complaint
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Adde basidc OS detection based on TCP fingerprint
|
| |
|
|
| |
Exported domainanme in JSON file (-K JSON)
|
| | |
|