| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| | |
|
| | |
|
| | |
|
| |
|
|
| |
If we have a (potential) valid sub-classification, we shoudn't check for
DGA, even if the subclassification itself is disabled!
|
| | |
|
| | |
|
| |
|
|
| |
Updated (C)
|
| | |
|
| |
|
|
|
|
|
|
| |
No significant changes:
* Move around some fields to avoid holes in the structures.
* Some fields are about protocols based only on TCP.
* Remove some unused (or set but never read) fields.
See #2631
|
| | |
|
| |
|
| |
Fix confidence value for same TCP flows
|
| |
|
| |
Extend file configuration for just subclassification.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In some scenarios, you might not be interested in flow metadata or
flow-risks at all, but you might want only flow (sub-)classification.
Examples: you only want to forward the traffic according to the
classification or you are only interested in some protocol statistics.
Create a new configuration file (for `ndpiReader`, but you can trivially
adapt it for the library itself) allowing exactly that. You can use it
via: `ndpiReader --conf=example/only_classification.conf ...`
Note that this way, the nDPI overhead is lower because it might need
less packets per flow:
* TLS: nDPI processes only the CH (in most cases) and not also the SH
and certificates
* DNS: only the request is processed (instead of both request and
response)
We might extend the same "shortcut-logic" (stop processing the flow
immediately when there is a final sub-classification) for others
protocols.
Add the configuration options to enable/disable the extraction of some
TLS metadata.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
* Rename `NDPI_PROTOCOL_SKYPE_TEAMS_CALL` ->
`NDPI_PROTOCOL_MSTEAMS_CALL`
* Rename ip list from "Skype/Teams" to "Teams"
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Last step of removing JA3C fingerprint
Remove some duplicate tests: testing with ja4c/ja3s disabled is already
performed by `disable_metadata_and_flowrisks` configuration.
Close:#2551
|
| |
|
|
|
|
|
|
|
| |
It might be usefull to be able to match traffic against a list of
suspicious JA4C fingerprints
Use the same code/logic/infrastructure used for JA3C (note that we are
going to remove JA3C...)
See: #2551
|
| | |
|
| |
|
|
|
|
| |
* detect `chisel` SSH-over-HTTP-WebSocket
* use `strncasecmp()` for `LINE_*` matching macros
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
| |
In very old (G)QUIC versions by Google, the user agent was available on
plain text. That is not true anymore, since about end of 2021.
See: https://github.com/google/quiche/commit/f282c934f4731a9f4be93409c9f3e8687f0566a7
|
| |
|
| |
Add a new variable to keep track of internal partial classification
|
| | |
|
| |
|
|
|
| |
Even if it is only the proposed value by the client (and not the
negotiated one), it might be use as hint for timeout by the (external)
flows manager
|
| |
|
|
|
| |
ESNI has been superseded by ECH for years, now.
See: https://blog.cloudflare.com/encrypted-client-hello/
Set the existing flow risk if we still found this extension.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Co-authored-by: Evgeny Shtanov <evg.shtanov@gmail.comm>
Co-authored-by: Ivan Nardi <nardi.ivan@gmail.com>
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
| |
In the same flow, we can have multiple multimedia types
|
| |
|
|
| |
Let's see if we are able to tell audio from video calls only looking at
RTP Payload Type field...
|
| |
|
|
| |
Implemented Mikrotik JSON serialization
|
| |
|
|
| |
Testing pcaps courtesy of https://github.com/virtalabs/tapirx.git
|
| |
|
|
| |
(#2618)
|
| | |
|
| |
|
| |
Extend content match list
|
| | |
|
| |
|
|
|
| |
* fixes SonarCloud complaint
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
|
| | |
|