aboutsummaryrefslogtreecommitdiff
path: root/src/lib/ndpi_main.c
Commit message (Collapse)AuthorAge
* Add Remote Management Control Protocol (RMCP).add/rmcpToni Uhlig2023-10-18
| | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* fuzz: extend fuzzing coverageNardi Ivan2023-10-15
|
* Added NDPI_MALWARE_HOST_CONTACTED flow riskLuca Deri2023-10-13
|
* fuzzing: extend fuzzing coverageNardi Ivan2023-10-09
| | | | | Try fuzzing some functions which write to file/file descriptor; to avoid slowing the fuzzer, close its stdout
* fuzz: extend fuzzing coverageNardi Ivan2023-10-07
|
* Windows code reworkLuca Deri2023-10-05
|
* Windows compilation fixesLuca Deri2023-10-05
|
* Win include changeLuca Deri2023-10-05
|
* Added HAProxy protocol. (#2088)Toni2023-10-02
| | | | | | * fixed tests/do.sh.in failure print Signed-off-by: lns <matzeton@googlemail.com> Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added printf/fprintf replacement for some internal modules. (#1974)Toni2023-09-26
| | | | | | * logging is instead redirected to `ndpi_debug_printf` Signed-off-by: lns <matzeton@googlemail.com> Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Renamed HTTP/2 to HTTP2 as the '/' can have side effects with applications ↵Luca Deri2023-09-20
| | | | sitting on top of nDPI
* Add support for (un-encrypted) HTTP/2 (#2087)Ivan Nardi2023-09-18
| | | | Plaintext HTTP/2 is quite rare on the general "internet" but it is used in some private networks (example: 5G core network)
* fuzz: extend fuzzing coverageNardi Ivan2023-09-16
|
* Add `ndpi_domain_classify_finalize()` function (#2084)Ivan Nardi2023-09-12
| | | | | | | | | The "domain classify" data structure is immutable, since it uses "bitmap64". Allow to finalize it before starting to process packets (i.e. before calling `ndpi_domain_classify_contains()`) to avoid, in the data-path, all the memory allocations due to compression. Calling `ndpi_domain_classify_finalize()` is optional.
* Fix some errors found by fuzzers (#2078)Ivan Nardi2023-09-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix compilation on Windows. "dirent.h" file has been taken from https://github.com/tronkko/dirent/ Fix Python bindings Fix some warnings with x86_64-w64-mingw32-gcc: ``` protocols/dns.c: In function ‘ndpi_search_dns’: protocols/dns.c:775:41: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast] 775 | unsigned long first_element_len = (unsigned long)dot - (unsigned long)_hostname; | ^ protocols/dns.c:775:62: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast] 775 | unsigned long first_element_len = (unsigned long)dot - (unsigned long)_hostname; | ``` ``` In file included from ndpi_bitmap64.c:31: third_party/include/binaryfusefilter.h: In function ‘binary_fuse8_hash’: third_party/include/binaryfusefilter.h:160:32: error: left shift count >= width of type [-Werror=shift-count-overflow] 160 | uint64_t hh = hash & ((1UL << 36) - 1); ``` ``` In function ‘ndpi_match_custom_category’, inlined from ‘ndpi_fill_protocol_category.part.0’ at ndpi_main.c:7056:16: ndpi_main.c:3419:3: error: ‘strncpy’ specified bound depends on the length of the source argument [-Werror=stringop-overflow=] 3419 | strncpy(buf, name, name_len); ```
* Added OperaVPN detectionLuca Deri2023-09-09
|
* Added NDPI_TLS_ALPN_SNI_MISMATCH flow riskLuca Deri2023-09-07
|
* Disabled debug messageLuca Deri2023-09-05
|
* Merged new and old version of ndpi_domain_classify.c codeLuca Deri2023-09-02
|
* Reworked domain classification based on binary filtersLuca Deri2023-09-02
|
* Code cleanupLuca Deri2023-09-01
|
* Fixed heap-buffer-overflow issueLuca Deri2023-08-31
|
* Warning fixesLuca Deri2023-08-29
|
* Swap from Aho-Corasick to an experimental/home-grown algorithm that uses a ↵Luca Deri2023-08-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | probabilistic approach for handling Internet domain names. For switching back to Aho-Corasick it is necessary to edit ndpi-typedefs.h and uncomment the line // #define USE_LEGACY_AHO_CORASICK [1] With Aho-Corasick $ ./example/ndpiReader -G ./lists/ -i tests/pcap/ookla.pcap | grep Memory nDPI Memory statistics: nDPI Memory (once): 37.34 KB Flow Memory (per flow): 960 B Actual Memory: 33.09 MB Peak Memory: 33.09 MB [2] With the new algorithm $ ./example/ndpiReader -G ./lists/ -i tests/pcap/ookla.pcap | grep Memory nDPI Memory statistics: nDPI Memory (once): 37.31 KB Flow Memory (per flow): 960 B Actual Memory: 7.42 MB Peak Memory: 7.42 MB In essence from ~33 MB to ~7 MB This new algorithm will enable larger lists to be loaded (e.g. top 1M domans https://s3-us-west-1.amazonaws.com/umbrella-static/index.html) In ./lists there are file names that are named as <category>_<string>.list With -G ndpiReader can load all of them at startup
* fix compilationToni Uhlig2023-08-27
| | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Changes for supporinng more efficient sub-string matchingLuca Deri2023-08-26
|
* Boundary checkLuca2023-08-21
|
* fuzz: extend coverage (#2073)Ivan Nardi2023-08-20
|
* Mullvad VPN service added (based on entry node IP addresses) (#2062)snicket21002023-08-02
|
* Add Service Location Protocol dissector. (#2036)Toni2023-08-01
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* ProtonVPN: split the ip list (#2060)Ivan Nardi2023-07-27
| | | | | | | | | | | Use two separate lists: * one for the ingress nodes, which triggers a ProtonVPN classification * one for the egress nodes, which triggers the `NDPI_ANONYMOUS_SUBSCRIBER` risk Add a command line option (to `ndpiReader`) to easily test IP/port matching. Add another example of custom rule.
* Add an heuristic to detect fully encrypted flows (#2058)Ivan Nardi2023-07-26
| | | | | | | | A fully encrypted session is a flow where every bytes of the payload is encrypted in an attempt to “look like nothing”. The heuristic needs only the very first packet of the flow. See: https://www.usenix.org/system/files/sec23fall-prepub-234-wu-mingshi.pdf A basic, but generic, inplementation of the popcpunt alg has been added
* Allow init of app protocols w/o any hostnames set. (#2057)Toni2023-07-22
|
* Fix string truncation. (#2056)Toni2023-07-22
| | | | | | | | ndpi_main.c: In function ‘ndpi_load_ip_category’: ndpi_main.c:6598:3: warning: ‘strncpy’ specified bound 64 equals destination size [-Wstringop-truncation] 6598 | strncpy(ipbuf, ip_address_and_mask, sizeof(ipbuf)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* zabbix: improve detection (#2055)Ivan Nardi2023-07-21
|
* Add detection of Roblox games (#2054)Ivan Nardi2023-07-21
|
* Add a configuration knob to enable/disable loading of gambling list (#2047)Ivan Nardi2023-07-14
|
* Fixes risk mask exception handling while improving the overall performanceLuca Deri2023-07-14
|
* Cosmetic fixesLuca Deri2023-07-13
|
* added feature to extract filename from http attachment (#2037)Chiara Maggi2023-07-11
| | | | | | | | | | | | | | | | | | | * added feature to extract filename from http attachment * fixed some issues * added check for filename format * added check for filename format * remove an unnecessary print * changed the size from 952 to 960 * modified some test result files * small changes string size * comment removed and mallocs checked
* fuzz: extend fuzzing coverage (#2040)Ivan Nardi2023-07-11
| | | | | | | | | Some notes: * libinjection: according to https://github.com/libinjection/libinjection/issues/44, it seems NULL characters are valid in the input string; * RTP: `rtp_get_stream_type()` is called only for RTP packets; if you want to tell RTP from RTCP you should use `is_rtp_or_rtcp()`; * TLS: unnecessary check; we already make the same check just above, at the beginning of the `while` loop
* fix Stack overflow caused by invalid write in ndpi_automa_match_strin… ↵Ivan Kapranov2023-07-06
| | | | | | | | | | | | | | | | | (#2035) * minor fixes fixed 'handle leak' in ndpi_load_malicious_sha1_file and removed the redundant comparison ndpi_search_eaq * fix Stack overflow caused by invalid write in ndpi_automa_match_string_subprotocol * fix compile errors * fix --------- Co-authored-by: Ivan Kapranov <i.kapranov@securitycode.ru>
* STUN: fix Skype/MsTeams detection and monitoring logic (#2028)Ivan Nardi2023-07-03
|
* Hangout: detect Hangout/Duo/GoogleMeet/... in the STUN code (#2025)Ivan Nardi2023-06-27
| | | | | | Regardless of the name, the removed trace doesn't contain meaningful Hangout traffic. Remove last piece of sub-classifiction based only on ip addresses.
* STUN: add dissection of DTLS handshake (#2018)Ivan Nardi2023-06-26
|
* Simplify the report of streaming multimedia info (#2026)Ivan Nardi2023-06-26
| | | | | The two fields `flow->flow_type` and `flow->protos.rtp.stream_type` are pretty much identical: rename the former in `flow->flow_multimedia_type` and remove the latter.
* Optimizes and fixes possible out0of0boundary write in ndpi_fill_prefix_v4()Luca Deri2023-06-23
|
* minor fixes (#2023)Ivan Kapranov2023-06-22
| | | | | fixed 'handle leak' in ndpi_load_malicious_sha1_file and removed the redundant comparison ndpi_search_eaq Co-authored-by: Ivan Kapranov <i.kapranov@securitycode.ru>
* Add Apache Thrift protocol dissector. (#2007)Toni2023-06-22
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* STUN: keep monitoring/processing STUN flows (#2012)Ivan Nardi2023-06-21
| | | | Look for RTP packets in the STUN sessions. TODO: tell RTP from RTCP
Powered by cgit, Themed by Ted Yin.