| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| |
|
|
| |
Added ndpi_load_malicious_ja3_file() API call
|
| |
|
|
| |
Improved AnyDesk detection
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
- NDPI_RISKY_ASN
- NDPI_RISKY_DOMAIN
- NDPI_RISKY_COUNTRY
|
| | |
|
| |
|
|
| |
Improved IEC104 and IRC detection
|
| |
|
|
|
|
| |
- ndpi_jitter_init()
- ndpi_jitter_free()
- ndpi_jitter_add_value()
|
| |
|
|
|
|
|
|
|
| |
confidence interval
New API calls added
- ndpi_hw_init()
- ndpi_hw_add_value()
- ndpi_hw_free()
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
void ndpi_init_rsi(struct ndpi_rsi_struct *s, u_int16_t num_learning_values);
void ndpi_free_rsi(struct ndpi_rsi_struct *s);
float ndpi_rsi_add_value(struct ndpi_rsi_struct *s, const u_int32_t value);
|
| |
|
|
|
|
|
|
|
|
|
| |
User-agent information is used to try to detect the user OS; since the
UA is extracted for QUIC traffic too, the "detected_os" field must be
generic and not associated to HTTP flows only.
Otherwise, you might overwrite some "tls_quic_stun" fields (SNI...) with
random data.
Strangely enough, the "detected_os" field is never used: it is never
logged, or printed, or exported...
|
| |
|
|
|
|
| |
Management of tcp segments managements.
Co-authored-by: ragostino <ragostino73@gmail.com>
Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>
|
| | |
|
| |
|
|
| |
Modified TLS memory free
|
| | |
|
| |
|
|
| |
Cleaned up TLS code for DTLS detection by defining a new DTLS protocol
|
| | |
|
| |
|
|
|
|
|
|
|
| |
According to RFC 4366, SNI host names can be up to 255 bytes.
Previous size of 64 resulted in failed application matches due to truncation.
For example:
0976e041e65b1aece3e720df36ac6bd7.safeframe.googlesyndication.co|m
Signed-off-by: Darryl Sokoloski <darryl@sokoloski.ca>
|
| |
|
|
|
|
|
|
|
| |
Even if it is only an early internet draft, DoQ has already (at least)
one deployed implementation.
See: https://www.zdnet.com/article/ad-blocker-adguard-deploys-worlds-first-dns-over-quic-resolver/
Draft: https://tools.ietf.org/html/draft-huitema-dprive-dnsoquic-00
In the future, if this protocol will be really used, it might be worth to
rename NDPI_PROTOCOL_DOH_DOT in NDPI_PROTOCOL_DOH_DOT_DOQ
|
| |
|
|
| |
be present with POSTs and not with other methods such as GET
|
| | |
|
| |
|
|
|
|
| |
FB_ZERO was an experimental protocol run by Facebook.
They switched to QUIC/TLS1.3 more than 2 years ago; no one ever used it but
them so it is definitely dead.
See: https://engineering.fb.com/2018/08/06/security/fizz/
|
| |
|
|
|
| |
ndpi_flow_struct but not the struct itself. (#1101)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
invalidate dissection
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
START_TLS used. (#1079)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add AmazonAlexa protocol.
* Add AmazonAlexa test file and result.
* Include pcapng as file format.
* Rename Category to VirtualAssistant.
* Add AppleSiri virtual assistant.
* Fix pcapng test files format support.
Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>
|
| |
|
|
|
|
|
| |
* Add Tumblr protocol.
* Add Tumblr test file and result.
Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>
|
| |
|
|
|
|
|
| |
* Add Reddit protocol.
* Add Reddit test file and result.
Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>
|
| |
|
|
|
|
|
| |
* Add Pinterest protocol.
* Add Pinterest test file and result.
Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>
|
| | |
|
| | |
|
| | |
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|