aboutsummaryrefslogtreecommitdiff
path: root/src/lib/ndpi_main.c
Commit message (Collapse)AuthorAge
* Add an heuristic to detect fully encrypted flows (#2058)Ivan Nardi2023-07-26
| | | | | | | | A fully encrypted session is a flow where every bytes of the payload is encrypted in an attempt to “look like nothing”. The heuristic needs only the very first packet of the flow. See: https://www.usenix.org/system/files/sec23fall-prepub-234-wu-mingshi.pdf A basic, but generic, inplementation of the popcpunt alg has been added
* Allow init of app protocols w/o any hostnames set. (#2057)Toni2023-07-22
|
* Fix string truncation. (#2056)Toni2023-07-22
| | | | | | | | ndpi_main.c: In function ‘ndpi_load_ip_category’: ndpi_main.c:6598:3: warning: ‘strncpy’ specified bound 64 equals destination size [-Wstringop-truncation] 6598 | strncpy(ipbuf, ip_address_and_mask, sizeof(ipbuf)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* zabbix: improve detection (#2055)Ivan Nardi2023-07-21
|
* Add detection of Roblox games (#2054)Ivan Nardi2023-07-21
|
* Add a configuration knob to enable/disable loading of gambling list (#2047)Ivan Nardi2023-07-14
|
* Fixes risk mask exception handling while improving the overall performanceLuca Deri2023-07-14
|
* Cosmetic fixesLuca Deri2023-07-13
|
* added feature to extract filename from http attachment (#2037)Chiara Maggi2023-07-11
| | | | | | | | | | | | | | | | | | | * added feature to extract filename from http attachment * fixed some issues * added check for filename format * added check for filename format * remove an unnecessary print * changed the size from 952 to 960 * modified some test result files * small changes string size * comment removed and mallocs checked
* fuzz: extend fuzzing coverage (#2040)Ivan Nardi2023-07-11
| | | | | | | | | Some notes: * libinjection: according to https://github.com/libinjection/libinjection/issues/44, it seems NULL characters are valid in the input string; * RTP: `rtp_get_stream_type()` is called only for RTP packets; if you want to tell RTP from RTCP you should use `is_rtp_or_rtcp()`; * TLS: unnecessary check; we already make the same check just above, at the beginning of the `while` loop
* fix Stack overflow caused by invalid write in ndpi_automa_match_strin… ↵Ivan Kapranov2023-07-06
| | | | | | | | | | | | | | | | | (#2035) * minor fixes fixed 'handle leak' in ndpi_load_malicious_sha1_file and removed the redundant comparison ndpi_search_eaq * fix Stack overflow caused by invalid write in ndpi_automa_match_string_subprotocol * fix compile errors * fix --------- Co-authored-by: Ivan Kapranov <i.kapranov@securitycode.ru>
* STUN: fix Skype/MsTeams detection and monitoring logic (#2028)Ivan Nardi2023-07-03
|
* Hangout: detect Hangout/Duo/GoogleMeet/... in the STUN code (#2025)Ivan Nardi2023-06-27
| | | | | | Regardless of the name, the removed trace doesn't contain meaningful Hangout traffic. Remove last piece of sub-classifiction based only on ip addresses.
* STUN: add dissection of DTLS handshake (#2018)Ivan Nardi2023-06-26
|
* Simplify the report of streaming multimedia info (#2026)Ivan Nardi2023-06-26
| | | | | The two fields `flow->flow_type` and `flow->protos.rtp.stream_type` are pretty much identical: rename the former in `flow->flow_multimedia_type` and remove the latter.
* Optimizes and fixes possible out0of0boundary write in ndpi_fill_prefix_v4()Luca Deri2023-06-23
|
* minor fixes (#2023)Ivan Kapranov2023-06-22
| | | | | fixed 'handle leak' in ndpi_load_malicious_sha1_file and removed the redundant comparison ndpi_search_eaq Co-authored-by: Ivan Kapranov <i.kapranov@securitycode.ru>
* Add Apache Thrift protocol dissector. (#2007)Toni2023-06-22
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* STUN: keep monitoring/processing STUN flows (#2012)Ivan Nardi2023-06-21
| | | | Look for RTP packets in the STUN sessions. TODO: tell RTP from RTCP
* Fix access to packet/flow information (#2013)Ivan Nardi2023-06-17
| | | We can't access to `ndpi_str->packet` from `ndpi_detection_giveup()`
* Reworked teams handlingLuca Deri2023-06-15
|
* Fix compilation (#2011)Ivan Nardi2023-06-15
|
* Implemented Zoom/Teams stream type detectionLuca Deri2023-06-14
|
* Fix missing u_char, u_short and u_int typedefs for some platforms e.g.: (#2009)Toni2023-06-12
| | | | | | | | | | In file included from ../include/ndpi_main.h:34, from ../include/ndpi_api.h:28, from protocols/activision.c:26: ../include/ndpi_typedefs.h:294:3: error: unknown type name 'u_char' 294 | u_char h_dest[6]; /* destination eth addr */ | ^~~~~~ Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* ProtonVPN: add basic detection (#2006)Ivan Nardi2023-06-08
|
* Add bitcoing protocol dissector. (#1992)Maatuq2023-05-31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Add bitcoing protocol dissector. * remove bitcoin protcol detection from mining.c * add a new bitcoin deissector. * add a new category: Cryptocurrency. Signed-off-by: Mahmoud Maatuq <mahmoudmatook.mm@gmail.com> * Remove useless checks and add missing windows and docs file. Signed-off-by: Mahmoud Maatuq <mahmoudmatook.mm@gmail.com> * update affected tests. Signed-off-by: Mahmoud Maatuq <mahmoudmatook.mm@gmail.com> * add a brief version. Add notes on the difference between normal bitcoin protocol and the mining protocol. Signed-off-by: Mahmoud Maatuq <mahmoudmatook.mm@gmail.com> * update enable_payload_stat test after dev rebasing. Signed-off-by: Mahmoud Maatuq <mahmoudmatook.mm@gmail.com> --------- Signed-off-by: Mahmoud Maatuq <mahmoudmatook.mm@gmail.com>
* Changed logging callback function sig. (#2000)Toni2023-05-30
| | | | | * make user data available for any build config Signed-off-by: lns <matzeton@googlemail.com>
* Fix some memory errors triggered by allocation failures (#1995)Ivan Nardi2023-05-29
| | | | | | | | | | | | Some low hanging fruits found using nallocfuzz. See: https://github.com/catenacyber/nallocfuzz See: https://github.com/google/oss-fuzz/pull/9902 Most of these errors are quite trivial to fix; the only exception is the stuff in the uthash. If the insertion fails (because of an allocation failure), we need to avoid some memory leaks. But the only way to check if the `HASH_ADD_*` failed, is to perform a new lookup: a bit costly, but we don't use that code in any critical data-path.
* Avoid calling `ndpi_reconcile_protocols()` twice in ↵Ivan Nardi2023-05-29
| | | | | | `ndpi_detection_giveup()` (#1996) `ndpi_reconcile_protocols()` is already called by `ndpi_set_detected_protocol()`
* Add support for Epic Games and GeForceNow/Nvidia (#1990)Ivan Nardi2023-05-27
|
* Cosmetic changesLuca Deri2023-05-23
|
* Improved missing usage of nDPIs malloc wrapper. Fixes #1978. (#1979)Toni2023-05-20
| | | | | * added CI check Signed-off-by: lns <matzeton@googlemail.com>
* Added scripts to auto generate hostname/SNI *.inc files. (#1984)Toni2023-05-20
| | | | | * add illegal gambling sites (Belgium) Signed-off-by: lns <matzeton@googlemail.com>
* Fix classification-by-ip in `ndpi_detection_giveup` (#1981)Ivan Nardi2023-05-17
| | | | | | | | | | | | | | Return the "classification-by-ip" as protocol results only if no other results are available. In particular, never return something like "protocol_by_port/protocol_by_ip" (i.e. `NTP/Apple`, BitTorrent/GoogleCloud`, `Zoom/AWS`) because this kind of classification is quite confusing, if not plainly wrong. Notes: * the information about "classification-by-ip" is always available, so no information is lost with this change; * in the unit tests, the previous classifications with confidence `NDPI_CONFIDENCE_DPI_PARTIAL` were wrong, as noted in #1957
* Add support for SRTP (#1977)Ivan Nardi2023-05-16
| | | | | | | The goal is to have Zoom flows classified as "Encrypted" and not as "Cleartext". Start documenting the list of protocols supported by nDPI; format, verbosity and content are still a work-in-progress.
* HTTP: rework state machine (#1966)Ivan Nardi2023-05-16
| | | | | | | | | | | | | | | | | The goal if to correlate the right request-response pair, exporting metadata from only one transaction (for example, the right url & return state pair) As a nice side effect, the code should be much cleaner, but that is a matter of taste. Two differences respect to the previous code: * as it happens in the CI, if in the flow there are only one response (before) and one request (after), only the metadata of the response are saved/exported * for performance reasons, we don't call `ndpi_parse_packet_line_info()` anymore for ALL packets triggering the HTTP dissector, but only for the packets that we already know belong to an HTTP flow. This is the reason for the changes in RTSP/SOAP/... code
* Fix MS Teams detection with heuristic (#1972)Ivan Nardi2023-05-10
| | | | | | When we reconcile a TLS session to Teams, we need to keep TLs as master. This way: * we keep exporting all the TLS metadata * we avoid some memory leaks (of these metadata themeselves)
* Improved MS Teams detection with heuristicLuca2023-05-10
|
* Enhanced MS teams STUN/Azure detectionLuca2023-05-10
|
* Remove special handling of some TCP flows without SYN (#1965)Ivan Nardi2023-05-09
| | | | | | | | | | | | | | | | | | | | | This piece of code has multiple problems: * nDPI is able to detect some TCP protocols even with mid-flows (i.e. without the initial packets of the session); TLS is the most significative example * since e6b332aa4a1399e33df68998cf8351bccaee3fc4 it is perfectly valid to not pass the TCP Handshake packets to nDPI * in any case, we shouldn't call `ndpi_detection_giveup()`. That function is usually called by the application and we end up calling it twice in some cases. The simple solution is to completely remove that code: process these kinds of flows like everyone else. Note that the application can always avoid to pass to nDPI any TCP flows without the initial handshake; the flow managemnt is always up to the application. Looking at the CI results, some rare flows are now processed significantly longer. As a follow-up we could look into that.
* Improve detection of crawler/bot traffic (#1956)Ivan Nardi2023-05-04
|
* Make Bittorrent LRU cache IPv6 aware. (#1909)Ivan Nardi2023-04-29
| | | | It was the only remaining LRU cache without IPv6 support. See 81e1ea545ca465cda064e7cc80333fe7f0ef2aff
* Added missing checkLuca Deri2023-04-28
|
* Added ndpi_guess_undetected_protocol_v4() to restore logic thatLuca Deri2023-04-28
| | | | was removed in https://github.com/ntop/nDPI/commit/032e778a6dc1ee2173c4cdb2c671180c5b5df245
* Updated (C)Luca Deri2023-04-28
|
* Add an heuristic to detect/ignore some anomalous TCP ACK packets (#1948)Ivan Nardi2023-04-25
| | | | | | | | | | | | | | | | | | | In some networks, there are some anomalous TCP flows where the smallest ACK packets have some kind of zero padding. It looks like the IP and TCP headers in those frames wrongly consider the 0x00 Ethernet padding bytes as part of the TCP payload. While this kind of packets is perfectly valid per-se, in some conditions they might be treated by the TCP reassembler logic as (partial) overlaps, deceiving the classification engine. Add an heuristic to detect these packets and to ignore them, allowing correct detection/classification. This heuristic is configurable. Default value: * in the library, it is disabled * in `ndpiReader` and in the fuzzers, it is enabled (to ease testing) Credit to @vel21ripn for the initial patch. Close #1946
* fuzz: extend fuzzers coverage (#1952)Ivan Nardi2023-04-25
|
* Add "Heroes of the Storm" video game signature detection. (#1949)nikitamishagin2023-04-22
|
* Improved debug output. (#1951)Toni2023-04-21
| | | | | | * try to get rid of some `printf(..)`s as they do not belong to a shared library * replaced all `exit(..)`s with `abort()`s to indicate an abnormal process termination Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added OICQ dissector. (#1950)Toni2023-04-21
| | | | Signed-off-by: lns <matzeton@googlemail.com> Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Powered by cgit, Themed by Ted Yin.