| Commit message (Collapse) | Author | Age |
|---|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
NDPI_PROTOCOL_CATEGORY_FINANCE
NDPI_PROTOCOL_CATEGORY_NEWS
NDPI_PROTOCOL_CATEGORY_SPORT
NDPI_PROTOCOL_CATEGORY_BUSINESS
NDPI_PROTOCOL_CATEGORY_INTERNET_HOSTING
NDPI_PROTOCOL_CATEGORY_BLOCKCHAIN_CRYPTO
NDPI_PROTOCOL_CATEGORY_BLOG_FORUM
NDPI_PROTOCOL_CATEGORY_GOVERNMENT
NDPI_PROTOCOL_CATEGORY_EDUCATION
NDPI_PROTOCOL_CATEGORY_CND_PROXY
NDPI_PROTOCOL_CATEGORY_HARDWARE_SOFTWARE
NDPI_PROTOCOL_CATEGORY_DATING
NDPI_PROTOCOL_CATEGORY_TRAVEL
|
| |
|
| |
Be sure that entries expire sooner or later
|
| |
|
|
| |
Cloudflare CDN
|
| | |
|
| |
|
|
|
| |
Remove the specific dissector and use the Blizzard's generic one.
For the time being, keep `NDPI_PROTOCOL_WORLDOFWARCRAFT`
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
```
==40795==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7dd7ff94a6a0 at pc 0x5f2e95e21423 bp 0x7ffccfe0f110 sp 0x7ffccfe0e8d0
READ of size 129 at 0x7dd7ff94a6a0 thread T0
#0 0x5f2e95e21422 in StrtolFixAndCheck(void*, char const*, char**, char*, int) asan_interceptors.cpp.o
#1 0x5f2e95e0ceb1 in __isoc23_strtol (/home/ivan/svnrepos/nDPI/fuzz/fuzz_filecfg_config+0x7bfeb1) (BuildId: 2cfb818387b5d84d6fa1447db291acb2595493d4)
#2 0x5f2e95f1d036 in __get_flowrisk_id /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:11524:9
#3 0x5f2e95f1c3c7 in _set_param_flowrisk_enable_disable /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:11793:17
#4 0x5f2e95e9e17f in ndpi_set_config /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:12051:12
#5 0x5f2e95e9cbe5 in load_config_file_fd /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:4985:14
```
Found by oss-fuzz.
See: https://issues.oss-fuzz.com/issues/406446504
|
| |
|
|
| |
Follow-up of f56831336334dddcff00eaf2132e5e0f226f0e32: now the
configuration is for flow-risk, not global
|
| | |
|
| |
|
|
|
|
|
| |
int ndpi_add_tcp_fingerprint(struct ndpi_detection_module_struct *ndpi_str,
char *fingerprint, enum operating_system_hint os);
int load_tcp_fingerprint_file_fd(struct ndpi_detection_module_struct *ndpi_str, FILE *fd);
int ndpi_load_tcp_fingerprint_file(struct ndpi_detection_module_struct *ndpi_str, const char *path);
|
| |
|
|
|
| |
games (#2776)
Remove `NDPI_PROTOCOL_STARCRAFT` and add a generic `NDPI_PROTOCOL_BLIZZARD`.
|
| |
|
|
|
|
|
| |
Use `NDPI_OBFUSCATED_TRAFFIC` instead; this way, all the obfuscated
traffic is identified via `NDPI_OBFUSCATED_TRAFFIC` flow risk.
Disable fully-encryption detection by default, like all the obfuscation
heuristics.
|
| |
|
|
|
|
| |
That flow risk was introduced in 79b89d286605635f15edfe3c21297aaa3b5f3acf
but we can now use the generic `NDPI_TLS_SUSPICIOUS_EXTENSION` instead:
ESNI is quite suspicious nowadays in itself (i.e. even without SNI).
Note that ESNI support has been removed in cae9fb9989838f213eeb857b8fc4bbeac6940049
|
| | |
|
| |
|
|
|
|
| |
(#2773)
Remove `NDPI_PROTOCOL_MAPLESTORY` and add a generic
`NDPI_PROTOCOL_NEXON`
|
| |
|
|
|
|
| |
protocols
Fixes #2762
|
| |\
| |
| | |
Add a new internal function `internal_giveup()`
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This function is always called once for every flow, as last code
processing the flow itself.
As a first usage example, check here if the flow is unidirectional
(instead of checking it at every packets)
|
| | |
| |
| | |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |/
|
|
|
| |
protocol dissector will follow
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
| |
For the most common protocols, avoid creating the string message if we
are not going to use it
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Custom rules with *new* protocols are checked "first": if there is a
match, the first packet of the flow provides a complete and final
classification.
The same logic should apply to custom rules with "existing" protocols:
if there is match, nDPI shouldn't do anything else.
Remove the `tcp:3000@ntop` custom rule.
Fix the default port for ElasticSearch (in the protocol file)
|
| |
|
|
|
|
|
| |
There are no reasons to keep entropy calculation and sanity checks code
on the "guessing" algorithm.
BTW, this change also fix the entropy calculation for non TCP/UDP/ICMP
flows
|
| |
|
|
| |
One list is from ingress nodes (used for protocol classification) and
the second one is from exit nodes (used for flow risk check)
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
|
| |
|
| |
Close #2738
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
| |
Close #2524
|
| |
|
|
|
| |
Try to populate the FPC-DNS cache using directly the info from the current
packet, and not from the metadata saved in `struct ndpi_flow_struct`. This
will be important when adding monitoring support
|
| |
|
|
| |
If we have a (potential) valid sub-classification, we shoudn't check for
DGA, even if the subclassification itself is disabled!
|
| |
|
|
| |
Prelimary change to start supporting multiple DNS transactions on the
same flow
|
| | |
|
| | |
|
| |
|
|
| |
Updated (C)
|
| | |
|
| |
|
|
|
|
|
|
| |
No significant changes:
* Move around some fields to avoid holes in the structures.
* Some fields are about protocols based only on TCP.
* Remove some unused (or set but never read) fields.
See #2631
|
| |
|
|
|
| |
(#2709)
See: c669bb314
|
| | |
|
| |
|
| |
Fix confidence value for same TCP flows
|
| |
|
| |
Extend file configuration for just subclassification.
|