aboutsummaryrefslogtreecommitdiff
path: root/src/lib/ndpi_utils.c
Commit message (Collapse)AuthorAge
* Reworked TCP fingeprint implementationLuca Deri2024-10-20
|
* Renamed os hints to avoid name clashesLuca Deri2024-10-19
|
* Improved TCP fingepring calculationLuca Deri2024-10-18
| | | | Adde basidc OS detection based on TCP fingerprint
* Added -L <domain suffix> for loading domain suffixesLuca Deri2024-10-15
| | | | Exported domainanme in JSON file (-K JSON)
* Implemented nDPI TCP fingerprintLuca Deri2024-10-15
|
* Slightly better ndpi_strrstr implementation (#2570)Vladimir Gavrilov2024-09-25
|
* Changed too restrictive checkLuca Deri2024-09-25
|
* buffer lenghtt is now returned by ndpi_quick_encrypt() and ndpi_quick_deecrypt()Luca Deri2024-09-24
|
* Added new API callsLuca Deri2024-09-24
| | | | | u_int ndpi_hex2bin(u_char *out, u_int out_len, u_char* in, u_int in_len); u_int ndpi_bin2hex(u_char *out, u_int out_len, u_char* in, u_int in_len);
* Added ndpi_quick_encrypt() ndpi_quick_decrypt() APi calls (#2568)Luca Deri2024-09-24
| | | | | * Added ndpi_quick_encrypt() ndpi_quick_decrypt(0 APi calls based on AES * Added aes.c
* Fix `ndpi_strrstr()` (#2565)Ivan Nardi2024-09-23
| | | | | | | | | | | | | ``` ==6591==ERROR: AddressSanitizer: SEGV on unknown address 0x502000230000 (pc 0x55fbd836a5a0 bp 0x7ffdf4503670 sp 0x7ffdf4502e28 T0) ==6591==The signal is caused by a READ memory access. #0 0x55fbd836a5a0 in __sanitizer::internal_strlen(char const*) /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_libc.cpp:176:10 #1 0x55fbd82cfc28 in StrstrCheck(void*, char*, char const*, char const*) /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:579:17 #2 0x55fbd82cfbc2 in strstr /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:598:5 #3 0x55fbd840a04a in ndpi_strrstr /src/ndpi/src/lib/ndpi_utils.c:3471:15 #4 0x55fbd840ba95 in ndpi_get_host_domain /src/ndpi/src/lib/ndpi_domains.c:149:9 #5 0x55fbd83ef751 in ndpi_check_dga_name /src/ndpi/src/lib/ndpi_main.c:10748:17 ``` Found by oss-fuzz
* Implemented ndpi_strrstr()Luca Deri2024-09-19
| | | | Fixed bug in ndpi_get_host_domain
* Improved fingerprint serializationLuca2024-09-17
|
* Added DHCP class idnetifierLuca2024-09-17
|
* Add an heuristic to detect encrypted/obfuscated OpenVPN flows (#2547)Ivan Nardi2024-09-16
| | | | | | | | | | | | Based on the paper: "OpenVPN is Open to VPN Fingerprinting" See: https://www.usenix.org/conference/usenixsecurity22/presentation/xue-diwen Basic idea: * the distribution of the first byte of the messages (i.e. the distribution of the op-codes) is quite unique * this fingerprint might be still detectable even if the OpenVPN packets are somehow fully encrypted/obfuscated The heuristic is disabled by default.
* Reworked fingerprint export now in JSONLuca2024-09-16
|
* Align serialized risk names to all others (first letter; uppercase letter) ↵Toni2024-09-03
| | | | | (#2541) Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* TLS: better state about handshake (#2534)Ivan Nardi2024-09-03
| | | | Keep track if we received CH or/and SH messsages: usefull with unidirectional flows
* fuzz: improve fuzzing coverage (#2535)Ivan Nardi2024-09-03
| | | | Updtae pl7m code (fix a Use-of-uninitialized-value error and add GTP support)
* Add missing risks in ndpi_risk2code and ndpi_risk2codeAlfredo Cardigliano2024-08-28
|
* Added print_ndpi_address_port in nDPi APILuca Deri2024-08-27
|
* Added ndpi_risk2code and ndpi_code2riskLuca Deri2024-08-27
|
* Changed NDPI_MALICIOUS_JA3 to NDPI_MALICIOUS_FINGERPRINTLuca Deri2024-08-25
|
* Introduced ndpi_master_app_protocol typedefLuca Deri2024-08-24
|
* FPC: add DNS correlation (#2497)mmanoj2024-07-22
| | | | | | | | | Use DNS information to get a better First Packet Classification. See: #2322 --------- Co-authored-by: Nardi Ivan <nardi.ivan@gmail.com>
* Zoom: remove "stun_zoom" LRU cacheNardi Ivan2024-06-17
| | | | | Since 070a0908b we are able to detect P2P calls directly from the packet content, without any correlation among flows
* More NDPI_PROBING_ATTEMPT changesLuca2024-05-22
|
* DTLS: add support for DTLS 1.3 (#2445)Ivan Nardi2024-05-21
|
* Added dpi.compute_entropy configuration parameterLuca Deri2024-05-18
|
* Cleaned up APILuca Deri2024-05-17
| | | | | | | | | Removed - int ndpi_load_ipv4_ptree_file(ndpi_ptree_t *tree, const char *path, u_int16_t protocol_id); - int ndpi_load_ipv6_ptree_file(ndpi_ptree_t *tree, const char *path, u_int16_t protocol_id); Added (it supports both IPv4 and v6) + int ndpi_load_ptree_file(ndpi_ptree_t *tree, const char *path, u_int16_t protocol_id);
* Add extra entropy checks and more precise(?) analysis. (#2383)Toni2024-05-09
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Fix a memory access error and some leaks (#2425)Ivan Nardi2024-05-08
| | | | | | | | | | | | | | | | | | | | | ``` SCARINESS: 12 (1-byte-read-heap-buffer-overflow) #0 0x557f3a5b5100 in ndpi_get_host_domain /src/ndpi/src/lib/ndpi_domains.c:158:8 #1 0x557f3a59b561 in ndpi_check_dga_name /src/ndpi/src/lib/ndpi_main.c:10412:17 #2 0x557f3a51163a in process_chlo /src/ndpi/src/lib/protocols/quic.c:1467:7 #3 0x557f3a469f4b in LLVMFuzzerTestOneInput /src/ndpi/fuzz/fuzz_quic_get_crypto_data.c:44:7 #4 0x557f3a46abc8 in NaloFuzzerTestOneInput (/out/fuzz_quic_get_crypto_data+0x4cfbc8) ``` Some notes about the leak: if the insertion into the uthash fails (because of an allocation failure), we need to free the just allocated entry. But the only way to check if the `HASH_ADD_*` failed, is to perform a new lookup: a bit costly, but we don't use that code in the fast-path. See also efb261a95c5a Credits for finding the issues to Philippe Antoine (@catenacyber) and his `nallocfuzz` fuzzing engine See: https://github.com/catenacyber/nallocfuzz See: https://github.com/google/oss-fuzz/pull/9902
* Remove "zoom" cache (#2420)Ivan Nardi2024-05-06
| | | | | | | | | This cache was added in b6b4967aa, when there was no real Zoom support. With 63f349319, a proper identification of multimedia stream has been added, making this cache quite useless: any improvements on Zoom classification should be properly done in Zoom dissector. Tested for some months with a few 10Gbits links of residential traffic: the cache pretty much never returned a valid hit.
* fuzz: improvements (#2400)Ivan Nardi2024-04-20
| | | | | Create the zip file with all the traces only once. Add a new fuzzer to test "shoco" compression algorithm
* Domain Classification Improvements (#2396)Luca Deri2024-04-18
| | | | | | | | | | | | | | | | | | | * Added size_t ndpi_compress_str(const char * in, size_t len, char * out, size_t bufsize); size_t ndpi_decompress_str(const char * in, size_t len, char * out, size_t bufsize); used to compress short strings such as domain names. This code is based on https://github.com/Ed-von-Schleck/shoco * Major code rewrite for ndpi_hash and ndpi_domain_classify * Improvements to make sure custom categories are loaded and enabled * Fixed string encoding * Extended SalesForce/Cloudflare domains list
* Implemented STUN peer_address, relayed_address, response_origin, ↵Luca Deri2024-04-12
| | | | | | | other_address parsing Added code to ignore invalid STUN realm Extended JSON output with STUN information
* Serialize amount of found TLS blocks and signature algos. (#2384)Toni2024-04-11
| | | | | * partially fixes #2282 Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Tuned DNS risk valuesLuca Deri2024-04-09
| | | | Modified NDPI_BINARY_TRANSFER_ATTEMPT in NDPI_BINARY_DATA_TRANSFER
* Added binary data transfer risk alertLuca2024-04-03
|
* Disable `-Wno-unused-parameter -Wno-unused-function`. (#2358)Toni2024-04-03
| | | | | * unused parameters and functions pollute the code and decrease readability Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Fixes exception handling glitchLuca Deri2024-02-22
|
* fuzz: improve fuzzing coverage (#2309)Ivan Nardi2024-02-09
|
* Fix `ndpi_get_lru_cache_stats()` (#2303)Ivan Nardi2024-02-05
| | | Found while fuzzing
* Serialize JA4 to JSON. (#2305)Toni2024-02-05
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* config: follow-up (#2268)Ivan Nardi2024-01-20
| | | | | | Some changes in the parameters names. Add a fuzzer to fuzz the configuration file format. Add the infrastructure to configuratin callbacks. Add an helper to map LRU cache indexes to names.
* config: configure TLS certificate expiration with the new APINardi Ivan2024-01-18
|
* Fix some warnings reported by CODESonar (#2227)Ivan Nardi2024-01-12
| | | | | | | | | | | | | | | | | | | Remove some unreached/duplicated code. Add error checking for `atoi()` calls. About `isdigit()` and similar functions. The warning reported is: ``` Negative Character Value help isdigit() is invoked here with an argument of signed type char, but only has defined behavior for int arguments that are either representable as unsigned char or equal to the value of macro EOF(-1). Casting the argument to unsigned char will avoid the undefined behavior. In a number of libc implementations, isdigit() is implemented using lookup tables (arrays): passing in a negative value can result in a read underrun. ``` Switching to our macros fix that. Add a check to `check_symbols.sh` to avoid using the original functions from libc.
* Add realtime protocol output to `ndpiReader`. (#2197)Toni2024-01-09
| | | | | | * support for using a new flow callback invoked before the flow memory is free'd * minor fixes Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Add an implementation of the BSD function `strtonum` (#2238)Ivan Nardi2024-01-04
| | | | | The main difference with the original function is that we allow to specify the base. Credit for the original idea and the first implementation to @0xA50C1A1
* Add WebDAV detection support (#2224)Vladimir Gavrilov2023-12-22
| | | | | | | | | | | | | * Add WebDAV detection support * Add pcap example * Update test results * Remove redundant checks * Add WebDAV related HTTP methods to fuzz/dictionary.dict * Add note about WebDAV
Powered by cgit, Themed by Ted Yin.