aboutsummaryrefslogtreecommitdiff
path: root/src/lib/ndpi_main.c
Commit message (Collapse)AuthorAge
* Minor follow-up for DigitalOcean support (#2682)Ivan Nardi2025-01-17
|
* Added DigitalOcean protocolLuca Deri2025-01-17
|
* TLS: remove JA3C (#2679)Ivan Nardi2025-01-14
| | | | | | | | Last step of removing JA3C fingerprint Remove some duplicate tests: testing with ja4c/ja3s disabled is already performed by `disable_metadata_and_flowrisks` configuration. Close:#2551
* Add (kind of) support for loading a list of JA4C malicious fingerprints (#2678)Ivan Nardi2025-01-14
| | | | | | | | | It might be usefull to be able to match traffic against a list of suspicious JA4C fingerprints Use the same code/logic/infrastructure used for JA3C (note that we are going to remove JA3C...) See: #2551
* HTTP: fix entropy calculation (#2666)Ivan Nardi2025-01-12
| | | | We calculate HTTP entropy according to "Content-type:" header, see `ndpi_validate_http_content()` on HTTP code
* Improved WebSocket-over-HTTP detection (#2664)Toni2025-01-11
| | | | | | * detect `chisel` SSH-over-HTTP-WebSocket * use `strncasecmp()` for `LINE_*` matching macros Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added ICMP risk checks for valid packet payloadsLuca Deri2025-01-08
|
* Classifications "by-port"/"by-ip" should never change (#2656)Ivan Nardi2025-01-06
| | | Add a new variable to keep track of internal partial classification
* Fix classification "by-port" (#2655)Ivan Nardi2025-01-06
| | | | | Classification "by-port" is the latest possible shot at getting a classification, when everything else failed: we should always use the configured ports (as expected by the users, IMO)
* Add the ability to enable/disable every specific flow risks (#2653)Ivan Nardi2025-01-06
|
* TLS: remove ESNI support (#2648)Ivan Nardi2025-01-06
| | | | | ESNI has been superseded by ECH for years, now. See: https://blog.cloudflare.com/encrypted-client-hello/ Set the existing flow risk if we still found this extension.
* Imporoved SMBv1 heuristic to avoid triggering risks for SMBv1 broadcast ↵Luca Deri2025-01-03
| | | | messages when used to browse (old) network devices
* Removed old USE_LEGACY_AHO_CORASICK codeLuca Deri2024-11-26
|
* Update `flow->flow_multimedia_types` to a bitmask (#2625)Ivan Nardi2024-11-25
| | | In the same flow, we can have multiple multimedia types
* Probing attempt checkLuca Deri2024-11-24
|
* When triggering risk "Known Proto on Non Std Port", nDPi now reports the ↵Luca Deri2024-11-22
| | | | port that was supposed to be used as default
* Improved TCP probing attemptLuca Deri2024-11-20
|
* Added DICOM supportLuca2024-11-15
| | | | Testing pcaps courtesy of https://github.com/virtalabs/tapirx.git
* Implemented Mikrotik discovery protocol dissection and metadata extraction ↵Luca Deri2024-11-14
| | | | (#2618)
* SIP: extract some basic metadataIvan Nardi2024-11-12
|
* Unify ndpi debug logging to always use a u16 protocol id (#2613)Toni2024-11-11
| | | | | * fixes SonarCloud complaint Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added HTTP credentials extractionLuca Deri2024-10-31
|
* TLS: export heuristic fingerprint as metadata (#2609)Ivan Nardi2024-10-28
|
* Add Paltalk protocol support (#2606)Vladimir Gavrilov2024-10-28
|
* Fixes TCP fingerprint calculation when multiple EOL are specified in TCP optionsLuca Deri2024-10-27
|
* Improved fingerprintsLuca Deri2024-10-21
|
* Improved TCP fingerprintLuca Deri2024-10-20
|
* Improved TCP fingerprintLuca Deri2024-10-20
|
* Reworked TCP fingeprint implementationLuca Deri2024-10-20
|
* Renamed os hints to avoid name clashesLuca Deri2024-10-19
|
* Improved TCP fingepring calculationLuca Deri2024-10-18
| | | | Adde basidc OS detection based on TCP fingerprint
* Add configuration of TCP fingerprint computation (#2598)Ivan Nardi2024-10-18
| | | Extend configuration of raw format of JA4C fingerprint
* Added further boundary checks in TCP options parsing (#2597)Luca Deri2024-10-18
| | | * Added further memory checks
* Added TCP header checkLuca Deri2024-10-18
|
* Fixes buffer overflow when parsing invalid TCP optionsLuca Deri2024-10-17
|
* Implemented nDPI TCP fingerprintLuca Deri2024-10-15
|
* Add monitoring capability (#2588)Ivan Nardi2024-10-14
| | | | | | | | | | | | | Allow nDPI to process the entire flows and not only the first N packets. Usefull when the application is interested in some metadata spanning the entire life of the session. As initial step, only STUN flows can be put in monitoring. See `doc/monitoring.md` for further details. This feature is disabled by default. Close #2583
* Added sonos dissectorLuca Deri2024-10-13
|
* Implemented (disabled by default) DNS host cache. You can set the cache size ↵Luca Deri2024-10-07
| | | | | | | | | | as follows: ndpiReader --cfg=dpi.address_cache_size,1000 -i <pcap>.pcap In the above example the cache has up to 1000 entries. In jcase ndpiReader exports data in JSON, the cache hostname (if found) is exported in the field server_hostname
* Add DingTalk protocol support (#2581)Vladimir Gavrilov2024-10-07
|
* Moved ndpi_lru in a separate fileLuca Deri2024-10-04
|
* Exports DNS A/AAAA responses (up to 4 addresses)Luca2024-10-02
| | | | Changed the default to IPv4 (used to be IPv6) in case of DNS error response
* Let the library returning the packet direction calculated internally (#2572)Ivan Nardi2024-09-27
| | | wireshark, lua: add basic analysis of possible obfuscated flows
* Add enable/disable guessing using client IP/port (#2569)Liam Wilson2024-09-27
| | | | | | | | Add configurable options for whether to include client port or client IP in the flow's protocol guesses. This defaults to include both client port/IP if the protocol is not guessed with the server IP/port. This is intended for when flow direction detection is enabled, so we know that sport = client port, dport = server port.
* Add some heuristics to detect encrypted/obfuscated/proxied TLS flows (#2553)Ivan Nardi2024-09-24
| | | | | | | | | | | | Based on the paper: "Fingerprinting Obfuscated Proxy Traffic with Encapsulated TLS Handshakes". See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting Basic idea: * the packets/bytes distribution of a TLS handshake is quite unique * this fingerprint is still detectable if the handshake is encrypted/proxied/obfuscated All heuristics are disabled by default.
* Allow IP guess before port in ndpi_detection_giveup (#2562)Liam Wilson2024-09-20
| | | | Add dpi.guess_ip_before_port which when enabled uses classification by-ip before classification by-port.
* Fixed handling of spurious TCP retransmissionsLuca2024-09-17
|
* Add an heuristic to detect encrypted/obfuscated OpenVPN flows (#2547)Ivan Nardi2024-09-16
| | | | | | | | | | | | Based on the paper: "OpenVPN is Open to VPN Fingerprinting" See: https://www.usenix.org/conference/usenixsecurity22/presentation/xue-diwen Basic idea: * the distribution of the first byte of the messages (i.e. the distribution of the op-codes) is quite unique * this fingerprint might be still detectable even if the OpenVPN packets are somehow fully encrypted/obfuscated The heuristic is disabled by default.
* Implemented JA4 raw (ja4_r) fingerprintLuca Deri2024-09-05
| | | | | Example: ./example/ndpiReader -i tests/pcap/safari.pcap --cfg=tls,metadata.ja4r_fingerprint,1
* Add detection of SurfShark VPNNardi Ivan2024-09-05
|
Powered by cgit, Themed by Ted Yin.