aboutsummaryrefslogtreecommitdiff
path: root/src/lib/ndpi_utils.c
Commit message (Collapse)AuthorAge
* Align serialized risk names to all others (first letter; uppercase letter)improve/risks-namingToni Uhlig2024-09-03
| | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Add missing risks in ndpi_risk2code and ndpi_risk2codeAlfredo Cardigliano2024-08-28
|
* Added print_ndpi_address_port in nDPi APILuca Deri2024-08-27
|
* Added ndpi_risk2code and ndpi_code2riskLuca Deri2024-08-27
|
* Changed NDPI_MALICIOUS_JA3 to NDPI_MALICIOUS_FINGERPRINTLuca Deri2024-08-25
|
* Introduced ndpi_master_app_protocol typedefLuca Deri2024-08-24
|
* FPC: add DNS correlation (#2497)mmanoj2024-07-22
| | | | | | | | | Use DNS information to get a better First Packet Classification. See: #2322 --------- Co-authored-by: Nardi Ivan <nardi.ivan@gmail.com>
* Zoom: remove "stun_zoom" LRU cacheNardi Ivan2024-06-17
| | | | | Since 070a0908b we are able to detect P2P calls directly from the packet content, without any correlation among flows
* More NDPI_PROBING_ATTEMPT changesLuca2024-05-22
|
* DTLS: add support for DTLS 1.3 (#2445)Ivan Nardi2024-05-21
|
* Added dpi.compute_entropy configuration parameterLuca Deri2024-05-18
|
* Cleaned up APILuca Deri2024-05-17
| | | | | | | | | Removed - int ndpi_load_ipv4_ptree_file(ndpi_ptree_t *tree, const char *path, u_int16_t protocol_id); - int ndpi_load_ipv6_ptree_file(ndpi_ptree_t *tree, const char *path, u_int16_t protocol_id); Added (it supports both IPv4 and v6) + int ndpi_load_ptree_file(ndpi_ptree_t *tree, const char *path, u_int16_t protocol_id);
* Add extra entropy checks and more precise(?) analysis. (#2383)Toni2024-05-09
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Fix a memory access error and some leaks (#2425)Ivan Nardi2024-05-08
| | | | | | | | | | | | | | | | | | | | | ``` SCARINESS: 12 (1-byte-read-heap-buffer-overflow) #0 0x557f3a5b5100 in ndpi_get_host_domain /src/ndpi/src/lib/ndpi_domains.c:158:8 #1 0x557f3a59b561 in ndpi_check_dga_name /src/ndpi/src/lib/ndpi_main.c:10412:17 #2 0x557f3a51163a in process_chlo /src/ndpi/src/lib/protocols/quic.c:1467:7 #3 0x557f3a469f4b in LLVMFuzzerTestOneInput /src/ndpi/fuzz/fuzz_quic_get_crypto_data.c:44:7 #4 0x557f3a46abc8 in NaloFuzzerTestOneInput (/out/fuzz_quic_get_crypto_data+0x4cfbc8) ``` Some notes about the leak: if the insertion into the uthash fails (because of an allocation failure), we need to free the just allocated entry. But the only way to check if the `HASH_ADD_*` failed, is to perform a new lookup: a bit costly, but we don't use that code in the fast-path. See also efb261a95c5a Credits for finding the issues to Philippe Antoine (@catenacyber) and his `nallocfuzz` fuzzing engine See: https://github.com/catenacyber/nallocfuzz See: https://github.com/google/oss-fuzz/pull/9902
* Remove "zoom" cache (#2420)Ivan Nardi2024-05-06
| | | | | | | | | This cache was added in b6b4967aa, when there was no real Zoom support. With 63f349319, a proper identification of multimedia stream has been added, making this cache quite useless: any improvements on Zoom classification should be properly done in Zoom dissector. Tested for some months with a few 10Gbits links of residential traffic: the cache pretty much never returned a valid hit.
* fuzz: improvements (#2400)Ivan Nardi2024-04-20
| | | | | Create the zip file with all the traces only once. Add a new fuzzer to test "shoco" compression algorithm
* Domain Classification Improvements (#2396)Luca Deri2024-04-18
| | | | | | | | | | | | | | | | | | | * Added size_t ndpi_compress_str(const char * in, size_t len, char * out, size_t bufsize); size_t ndpi_decompress_str(const char * in, size_t len, char * out, size_t bufsize); used to compress short strings such as domain names. This code is based on https://github.com/Ed-von-Schleck/shoco * Major code rewrite for ndpi_hash and ndpi_domain_classify * Improvements to make sure custom categories are loaded and enabled * Fixed string encoding * Extended SalesForce/Cloudflare domains list
* Implemented STUN peer_address, relayed_address, response_origin, ↵Luca Deri2024-04-12
| | | | | | | other_address parsing Added code to ignore invalid STUN realm Extended JSON output with STUN information
* Serialize amount of found TLS blocks and signature algos. (#2384)Toni2024-04-11
| | | | | * partially fixes #2282 Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Tuned DNS risk valuesLuca Deri2024-04-09
| | | | Modified NDPI_BINARY_TRANSFER_ATTEMPT in NDPI_BINARY_DATA_TRANSFER
* Added binary data transfer risk alertLuca2024-04-03
|
* Disable `-Wno-unused-parameter -Wno-unused-function`. (#2358)Toni2024-04-03
| | | | | * unused parameters and functions pollute the code and decrease readability Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Fixes exception handling glitchLuca Deri2024-02-22
|
* fuzz: improve fuzzing coverage (#2309)Ivan Nardi2024-02-09
|
* Fix `ndpi_get_lru_cache_stats()` (#2303)Ivan Nardi2024-02-05
| | | Found while fuzzing
* Serialize JA4 to JSON. (#2305)Toni2024-02-05
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* config: follow-up (#2268)Ivan Nardi2024-01-20
| | | | | | Some changes in the parameters names. Add a fuzzer to fuzz the configuration file format. Add the infrastructure to configuratin callbacks. Add an helper to map LRU cache indexes to names.
* config: configure TLS certificate expiration with the new APINardi Ivan2024-01-18
|
* Fix some warnings reported by CODESonar (#2227)Ivan Nardi2024-01-12
| | | | | | | | | | | | | | | | | | | Remove some unreached/duplicated code. Add error checking for `atoi()` calls. About `isdigit()` and similar functions. The warning reported is: ``` Negative Character Value help isdigit() is invoked here with an argument of signed type char, but only has defined behavior for int arguments that are either representable as unsigned char or equal to the value of macro EOF(-1). Casting the argument to unsigned char will avoid the undefined behavior. In a number of libc implementations, isdigit() is implemented using lookup tables (arrays): passing in a negative value can result in a read underrun. ``` Switching to our macros fix that. Add a check to `check_symbols.sh` to avoid using the original functions from libc.
* Add realtime protocol output to `ndpiReader`. (#2197)Toni2024-01-09
| | | | | | * support for using a new flow callback invoked before the flow memory is free'd * minor fixes Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Add an implementation of the BSD function `strtonum` (#2238)Ivan Nardi2024-01-04
| | | | | The main difference with the original function is that we allow to specify the base. Credit for the original idea and the first implementation to @0xA50C1A1
* Add WebDAV detection support (#2224)Vladimir Gavrilov2023-12-22
| | | | | | | | | | | | | * Add WebDAV detection support * Add pcap example * Update test results * Remove redundant checks * Add WebDAV related HTTP methods to fuzz/dictionary.dict * Add note about WebDAV
* CI: update list of compilers (#2223)Ivan Nardi2023-12-20
| | | | | Try using latest gcc and clang versions. We still care about RHEL7: since handling a RHEL7 runner on GitHub is quite complex, let try to use a similar version of gcc, at least
* Rename NDPI_PROTOCOL_RPC to NDPI_PROTOCOL_MS_RPCH (#2218)Vladimir Gavrilov2023-12-19
| | | | | | | * Rename NDPI_PROTOCOL_RPC to NDPI_PROTOCOL_MS_RPCH * Add protocol description * Improve MS-RPCH detection
* Replace complicated TPKT header validation with an helper function (#2201)Vladimir Gavrilov2023-12-10
| | | | | * Replace complicated TPKT header validation with an helper function * Move tpkt_verify_hdr function definition to ndpi_utils.c
* Keep separating public and private API (#2157)Ivan Nardi2023-11-29
| | | See: b08c787fe
* Have a clear distinction between public and private/internal API (#2137)Ivan Nardi2023-11-09
| | | | | | 1) Public API/headers in `src/include/` [as it has always been] 2) Private API/headers in `src/lib/` Try to keep the "ndpi_" prefix only for the public functions
* fuzz: improve coverage and remove dead code (#2135)Ivan Nardi2023-11-07
| | | | | | | | | | We are not able to remove custom rules: remove the empty stubs (which originate from the original OpenDPI code). `ndpi_guess_protocol_id()` is only called on the first packet of the flow, so the bitmask `flow->excluded_protocol_bitmask` is always empty, since we didn't call any dissectors yet. Move another hash function to the dedicated source file.
* Move from PCRE to PCRE2 (#2134)Christian Marangi2023-11-01
| | | | | | | | | | Move from PCRE to PCRE2. PCRE is EOL and won't receive any security updates anymore. Convert to PCRE2 by converting any function PCRE2 new API. Also update every entry in github workflows and README to point to the new configure flag. (--with-pcre2) Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
* Added pointer checkLuca Deri2023-10-31
|
* STUN: major code rework (#2116)Ivan Nardi2023-10-30
| | | | | | | | | | | | Try to have a faster classification, on first packet; use standard extra dissection data path for sub-classification, metadata extraction and monitoring. STUN caches: * use the proper confidence value * lookup into the caches only once per flow, after having found a proper STUN classification Add identification of Telegram VoIP calls.
* Added checkLuca Deri2023-10-29
|
* IPv6: add support for IPv6 risk exceptions (#2122)Ivan Nardi2023-10-29
|
* fuzz: extend fuzzing coverageNardi Ivan2023-10-15
|
* Added NDPI_MALWARE_HOST_CONTACTED flow riskLuca Deri2023-10-13
|
* QUIC: export QUIC version as metadataNardi Ivan2023-10-11
|
* Added printf/fprintf replacement for some internal modules. (#1974)Toni2023-09-26
| | | | | | * logging is instead redirected to `ndpi_debug_printf` Signed-off-by: lns <matzeton@googlemail.com> Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Improved detection of invalid chars in DNS namesLuca Deri2023-09-09
|
* Added NDPI_TLS_ALPN_SNI_MISMATCH flow riskLuca Deri2023-09-07
|
* Minor warning fixesLuca Deri2023-09-05
|
Powered by cgit, Themed by Ted Yin.