| Commit message (Collapse) | Author | Age |
|---|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Refactored and merged callback buffer routines for non-udp-tcp / udp / tcp / tcp-wo-payload.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Try to detect one subprotocol if a detected protocol can have one.
* This adds a performance overhead due to much more protocol detection routine calls.
See #1148 for more information.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Refactor subprotocol handling (1/2).
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Refactor subprotocol handling (2/2).
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Prevent some code duplication by using macros for ndpi_int_one_line_struct string comparision.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Refactored aimini HTTP detection parts (somehow related to #1148).
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added aimini client/server test pcap.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Removed master protocol as it was only used for STUN and via also removed API function ndpi_get_protocol_id_master_proto
* Adjusted Python code to conform to the changes made during the refactoring process.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
User-agent information is used to try to detect the user OS; since the
UA is extracted for QUIC traffic too, the "detected_os" field must be
generic and not associated to HTTP flows only.
Otherwise, you might overwrite some "tls_quic_stun" fields (SNI...) with
random data.
Strangely enough, the "detected_os" field is never used: it is never
logged, or printed, or exported...
|
| | |
|
| | |
|
| |
|
|
|
| |
nDPI but still somehow essential. (#1024)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
| |
- invalid DNS traffic (probably carrying exfiltrated data)
- TLS traffic with no SNI extension
|
| | |
|
| |
|
|
| |
not condidered safe/secure
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In a Client Hello, the presence of both SNI and ESNI may obfuscate the real
domain of an HTTPS connection, fooling DPI engines and firewalls, similarly
to Domain Fronting.
Such technique is reported in a presentation at DEF CON 28:
"Domain Fronting is Dead, Long Live Domain Fronting: Using TLS 1.3 to evade
censors, bypass network defenses, and blend in with the noise"
Full credit for the idea must go the original author
At the moment, the only way to get the pdf presention and related video is via
https://forum.defcon.org/node/234492
Hopefully a direct link (and an example pcap) will be available soon
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Removed GenericProtocol and replaced with categories
Removed ndpi_pref_enable_category_substring_match option: substring matching is now default
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|