Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
A lot of protocols provide the feature to upgrade their plain text
connections to an encrypted one, via some kind of "STARTTLS" command.
Add generic code to support this extension, and allow dissection of the
entire TLS handshake.
As examples, SMTP, POP, IMAP and FTP dissectors have been updated.
Since this feature requires processing more packets per flow, add the
possibility to disable it.
Fix some log messages.
Slight improvement on TCP sequence number tracking.
As a side effect, this commit also fixes a memory leak found by
oss-fuzzer
```
==108966==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 22 byte(s) in 1 object(s) allocated from:
#0 0x55f8b367a0be in malloc (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader_with_main+0x5480be) (BuildId: 94debacb4a6784c30420ab748c8bf3cc59621063)
#1 0x55f8b36e1345 in ndpi_malloc_wrapper /home/ivan/svnrepos/nDPI/example/reader_util.c:321:10
#2 0x55f8b379c7d2 in ndpi_malloc /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:212:25
#3 0x55f8b379cb18 in ndpi_strdup /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:279:13
#4 0x55f8b386ce46 in processClientServerHello /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:2153:34
#5 0x55f8b385ebf7 in processTLSBlock /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:867:5
#6 0x55f8b39e708c in ndpi_extra_search_mail_smtp_tcp /home/ivan/svnrepos/nDPI/src/lib/protocols/mail_smtp.c:422:9
#7 0x55f8b37e636c in ndpi_process_extra_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5884:9
#8 0x55f8b37edc05 in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6276:5
#9 0x55f8b3701ffc in packet_processing /home/ivan/svnrepos/nDPI/example/reader_util.c:1619:31
#10 0x55f8b36faf14 in ndpi_workflow_process_packet /home/ivan/svnrepos/nDPI/example/reader_util.c:2189:10
#11 0x55f8b36b6a50 in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader.c:107:7
```
See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50765
needs to be extended)
ndpi_serialization_double as there is no more key left (4 bit). Use 16 for ndpi_serialization_unknown which is not used in TLV encoded data.
* typos fixed
* dissect endpoint hostnames
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
RFC9001 4.6.1: "A client that wishes to send 0-RTT packets uses the
early_data extension in the ClientHello message of a subsequent handshake;
see Section 4.2.10 of [TLS13]. It then sends application data in 0-RTT
packets."
That means the client sends the CH first (in the Initial) and then the
0-RTT (in the same UDP datagram or not).
However, because of packet loss or out-of-order delivery, it might
happen that a 0-RTT packet is received before the Initial (the original
one or a retransmission).
For example, Google and Facebook servers save 0-RTT packets for a small
amount of time in hopes of receiving the corresponding Initial.
Update the QUIC dissector to detect 0-RTT packets and keep looking for
the Initial.
Issue found by @utoni in #1706; the trace example has been taken from that
PR.
* CQL: fixed byte order conversion (BigEndian not LittleEndian)
* CQL: increased required successful dissected packets to prevent false-positives
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Signed-off-by: lns <matzeton@googlemail.com>
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* added static assert if supported, to complain if the flow struct changes
Signed-off-by: lns <matzeton@googlemail.com>
See 95e16872.
After c0732eda, we can safely remove the protocol list from
`ndpi_process_extra_packet()`.
The field `flow->check_extra_packets` is redundant; remove it.
Content-matched sub-protocols (DASH, IPP, MPEGDASH...) shouldn't
overwrite the previous master protocol (if any; usually HTTP).
Furthermore, the HTTP dissector shouldn't update the classification
(in the extra-dissection code path) if a content-matched sub-protocol
has already been found.
This commit should address the first part of the changes described in #1687.
* fixed RiotGames false positive
Signed-off-by: lns <matzeton@googlemail.com>
* fixed autoconf CFLAGS/LDFLAGS MSAN issue which could lead to build errors
* introduced portable version of gmtime_r aka ndpi_gmtime_r
* do as much as possible of the serialization work in ndpi_utils.c
* use flow2json in ndpiReader
Signed-off-by: lns <matzeton@googlemail.com>
Signed-off-by: lns <matzeton@googlemail.com>
If we have seen Application Data blocks in both directions, it means we
are after the handshake. At that point, extra dissection is useless.
Useful feature with TLS mid-sessions, i.e. sessions without initial
packets.
Signed-off-by: lns <matzeton@googlemail.com>
Add (basic) internal stats to the main data structures used by the
library; they might be useful to check how effective these structures
are.
Add an option to `ndpiReader` to dump them; enabled by default in the
unit tests.
This new option enables/disables dumping of "num dissectors calls"
values, too (see b4cb14ec).
(#1677)" (#1682)
This reverts commit bb83899985c25097341b947c2c535f56254a075c.
Add (basic) internal stats to the main data structures used by the
library; they might be useful to check how effective these structures
are.
Add an option to `ndpiReader` to dump them; disabled by default to avoid
too much fuss with the unit tests.
Since e6b332aa, we have proper support for detecting client/server
direction. So Tinc dissector is now able to properly initialize the
cache entry only when needed and not anymore at the SYN time; initializing
that entry for **every** SYN packet was a complete waste of resources.
Since 4896dabb, the various `struct ndpi_call_function_struct`
structures are no longer separate objects and therefore comparing them
using only their pointers is bogus: this bug was triggered by this
change because `ndpi_str->callback_buffer_size_tcp_no_payload` is now 0.
TCP retransmissions should be ignored.
Remove some unused protocol bitmasks.
Update script to download Whatsapp IP list.
Signed-off-by: lns <matzeton@googlemail.com>
In a lot of places in nDPI we use *packet* source/dest info
(address/port/direction) when we are interested in *flow* client/server
info, instead.
Add basic logic to autodetect this kind of information.
nDPI doesn't perform any "flow management" itself but this task is
delegated to the external application. It is then likely that the
application might provide more reliable hints about flow
client/server direction and about the TCP handshake presence: in that case,
this information might be (optionally) passed to the library, disabling
the internal "autodetect" logic.
These new fields have been used in some LRU caches and in the "guessing"
algorithm.
It is quite likely that some other code needs to be updated.
Signed-off-by: lns <matzeton@googlemail.com>
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* TLS: cosmetic changes
* TLS: improve reassembler
We might need to simultaneously re-order messages from both directions:
use one buffer per direction.
Add a helper to exclude a generic protocol
Commit ba6a48c9 is completely bogus: we can't set extra dissection
without having set a proper classification.
The idea behind that commit seems to be that we need to look for 2
(consecutive?) packets with the same crc/pattern: try to implement this
logic in a saner way.
Skype detection over TCP has been completely disabled since 659f75138 (3
years ago!).
Since that logic was too weak anyway, remove it.
```
protocols/snmp_proto.c:77:23: runtime error: signed integer overflow: 6 + 2147483647 cannot be represented in type 'int'
#0 0x52f69e in ndpi_search_snmp ndpi/src/lib/protocols/snmp_proto.c:77:23
#1 0x4c5347 in check_ndpi_detection_func ndpi/src/lib/ndpi_main.c:5211:4
#2 0x4c5591 in ndpi_check_flow_func ndpi/src/lib/ndpi_main.c:0
#3 0x4c8903 in ndpi_detection_process_packet ndpi/src/lib/ndpi_main.c:6145:15
#4 0x4b3712 in LLVMFuzzerTestOneInput ndpi/fuzz/fuzz_process_packet.c:29:5
[...]
```
Found by oss-fuzzer.
See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49057
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Label SMTP w/ STARTTLS as SMTPS *and* dissect TLS clho.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Revert "SMTP with STARTTLS is now identified as SMTPS"
This reverts commit 52d987b603f49d996b4060f43265d1cf43c3c482.
* Revert "Compilation fix"
This reverts commit c019946f601bf3b55f64f78841a0d696e6c0bfc5.
* Sync unit tests.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
u_int8_t ndpi_check_issuerdn_risk_exception(struct ndpi_detection_module_struct *ndpi_str, char *issuerDN);
Added new API function for checking nDPI-configured exceptions
u_int8_t ndpi_check_flow_risk_exception(struct ndpi_detection_module_struct *ndpi_str,
u_int num_params,
ndpi_risk_params **params);
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* TLSv1.3 UltraSurf flows are not detected by now
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Used for all classifications based on partial/incomplete DPI
information, i.e. all classifications done in `ndpi_detection_giveup()`.
* The traces are not up to date, but this is the best we got so far.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>