path: root/src/lib/protocols/dns.c
Commit message | Author | Date

* Removed SRV record from suspicious DNS traffic | Luca Deri | 2022-03-31
* Improved MDNS/LLMNR detection. (#1437) | Toni | 2022-02-07
    * Checking for port 5353/5355 is not enough.
    * Added additional multicast address and header checks.
    Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added NDPI_ERROR_CODE_DETECTED risk | Luca Deri | 2022-02-03
* Add a "confidence" field about the reliability of the classification. (#1395) | Ivan Nardi | 2022-01-11
    As a general rule, the higher the confidence value, the higher the "reliability/precision" of the classification. In other words, this new field provides a hint about "how" the flow classification has been obtained. For example, the application may want to ignore classification "by-port" (they are not real DPI classifications, after all) or give a second glance at flows classified via LRU caches (because of false positives).
    Setting only one value for the confidence field is a bit tricky: more work is probably needed in the near future to tweak/fix/improve the logic.
* Update copyright | Alfredo Cardigliano | 2022-01-03
* Improve/add several protocols (#1383) | Ivan Nardi | 2021-12-18
    Improve Microsoft, GMail, Likee, Whatsapp, DisneyPlus and Tiktok detection.
    Add Vimeo, Fuze, Alibaba and Firebase Crashlytics detection.
    Try to differentiate between Messenger/Signal standard flows (i.e. chat) and their VOIP (video) calls (like we already do for Whatsapp and Snapchat).
    Add a partial list of some ADS/Tracking stuff.
    Fix Cassandra, Radius and GTP false positives.
    Fix DNS, Syslog and SIP false negatives.
    Improve GTP (sub)classification: differentiate among GTP-U, GTP_C and GTP_PRIME.
    Fix 3 LGTM warnings.
* Fixed issue that prevented alt certificate names from being fully detected when ipAddress and rfc822Name were specified in certificates | Luca Deri | 2021-12-07
* Rework how hostname/SNI info is saved (#1330) | Ivan Nardi | 2021-11-24
    Looking at `struct ndpi_flow_struct`, the two bigger fields are `host_server_name[240]` (mainly for HTTP hostnames and DNS domains) and `protos.tls_quic.client_requested_server_name[256]` (for TLS/QUIC SNIs).
    This commit aims to reduce `struct ndpi_flow_struct` size, according to two simple observations:
    1) at most one of these two fields is used for each flow. So it seems safe to merge them;
    2) even if hostnames/SNIs might be very long, in practice they are rarely longer than a few tens of bytes. So, using a (single) large buffer is a waste of memory for all kinds of flows.
    If we need to truncate the name, we keep the *last* characters, easing domain matching. Analyzing some real traffic, it seems safe to assume that the vast majority of hostnames/SNIs is shorter than 80 bytes.
    Hostnames/SNIs are always converted to lowercase.
    Attention was given so as to be sure that unit-test outputs are not affected by this change.
    Because of a bug, TLS/QUIC SNIs were always truncated to 64 bytes (the *first* 64 ones): as a consequence, there were some "Suspicious DGA domain name" and "TLS Certificate Mismatch" false positives.
* Detect invalid characters in text and set a risk. Fixes #1347. (#1363) | Toni | 2021-10-26
    Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Remove `struct ndpi_packet_struct` from `struct ndpi_flow_struct` (#1319) | Ivan Nardi | 2021-10-05
    There are no real reasons to embed `struct ndpi_packet_struct` (i.e. "packet") in `struct ndpi_flow_struct` (i.e. "flow"). In other words, we can avoid saving dissection information of the "current packet" into the "flow" state, i.e. in the flow management table.
    The nDPI detection module processes only one packet at a time, so it is safe to save packet dissection information in `struct ndpi_detection_module_struct`, always reusing the same "packet" instance and saving a huge amount of memory. Bottom line: we need only one copy of "packet" (for the detection module), not one for each "flow".
    It is not clear how/why "packet" ended up in "flow" in the first place. It has been there since the beginning of the GIT history, but in the original OpenDPI code `struct ipoque_packet_struct` was embedded in `struct ipoque_detection_module_struct`, i.e. there was the same exact situation this commit wants to achieve.
    Most of the changes in this PR are some boilerplate to update something like "flow->packet" into something like "module->packet" throughout the code. Some attention has been paid to update `ndpi_init_packet()` since we need to reset some "packet" fields before starting to process another packet.
    There has been one important change, though, in ndpi_detection_giveup(). Nothing changed for the applications/users, but this function can't access "packet" anymore. The reason is that this function can be called "asynchronously" with respect to the data processing, i.e. in contexts where there is no valid notion of "current packet"; for example ndpiReader calls it after having processed all the traffic, iterating the entire session table.
    Mining LRU stuff seems a bit odd (even before this patch): probably we need to rethink it, as a follow-up.
* Remove `detected_protocol_stack` field from `ndpi_packet_struct` (#1317) | Ivan Nardi | 2021-09-29
    This field is an exact copy of `ndpi_flow_struct->detected_protocol_stack[2]`:
    * at the very beginning of packet dissection, the value saved in `flow->detected_protocol_stack` is copied into `packet->detected_protocol_stack` (via `ndpi_detection_process_packet()` -> `ndpi_init_packet_header()`)
    * every time we update `flow->detected_protocol_stack` we update `packet->detected_protocol_stack` too (via `ndpi_int_change_protocol()` -> `ndpi_int_change_packet_protocol()`)
    These two fields are always in sync: keeping the same value in two different places is useless.
* Small fixes after latest commits (#1308) | Ivan Nardi | 2021-09-18
* Improved fragmented DNS detection | Luca Deri | 2021-09-17
* DNS dissection fixes | Luca Deri | 2021-09-17
* Network Management exam project - Debora Cerretini (#1290) | deboracerretini | 2021-09-17
    * Add files via upload
    Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>
* Reworked flow risk implementation | Luca Deri | 2021-07-23
* Fixed invalid DNS dissection | Luca Deri | 2021-04-26
* Improved DGA detection with trigrams. Disadvantage: slower startup time | Luca Deri | 2021-03-03
    Reworked Tor dissector embedded in TLS (fixes #1141)
    Removed false positive on HTTP User-Agent
* Improved DNS dissector | Luca Deri | 2021-02-26
* Removed now obsolete NDPI_DETECTION_SUPPORT_IPV6: code is more readable now | Luca Deri | 2021-02-10
* (C) Update | Luca Deri | 2021-01-07
* Various optimizations to reduce unnecessary calls | Luca Deri | 2020-09-24
    Optimized various UDP dissectors
    Removed dead protocols such as pando and pplive
* Added risks for checking | Luca Deri | 2020-09-21
    - invalid DNS traffic (probably carrying exfiltrated data)
    - TLS traffic with no SNI extension
* Reworked MDNS dissector that is not based on the DNS dissector | Luca Deri | 2020-09-17
* Added extension to detect nested subdomains as used in Browsertunnel attack tool | Luca Deri | 2020-09-09
    https://github.com/veggiedefender/browsertunnel
* Added malformed packet risk support | Luca Deri | 2020-06-26
* Added checks for DGA detection | Luca Deri | 2020-06-17
* Added DGA risk for names that look like a DGA | Luca Deri | 2020-06-11
* Adds different checks against overflows | Philippe Antoine | 2020-03-19
* Fix buffer over-read in dns | Philippe Antoine | 2020-03-12
* Fix various buffer over-reads | Philippe Antoine | 2020-02-18
* Improvements for DNS continuous flow dissection | Luca | 2020-02-06
* Improved DNS response decoding | Luca Deri | 2020-02-04
    The first decoded address is now reported by ndpiReader
* Fix undefined shift in dns | Philippe Antoine | 2020-01-31
* Updated (C) | Luca Deri | 2020-01-05
* Code cleanup | Luca Deri | 2019-12-09
* Fixed buffer overflow in DNS dissection | Luca Deri | 2019-11-26
* Major cleanup | Luca Deri | 2019-10-24
    Removed ndpi_pref_http_dont_dissect_response and ndpi_pref_dns_dont_dissect_response as the ndpi_extra_dissection_possible() call will now handle everything
* Added extra processing for POP and SMTP | Luca Deri | 2019-10-22
* Handle TCP DNS replies and add is_reply flag | emanuele-f | 2019-10-03
* Fix DNS reply dissection issues | emanuele-f | 2019-10-03
* Improved category handling in subprotocols | Luca Deri | 2019-09-27
    Further DNS dissection fixes
    Fixed WeChat invalid category
* Fixed partial string matches | Luca Deri | 2019-09-27
* Added ndpi_extra_dissection_possible() API call | Luca Deri | 2019-09-26
* Restructure DNS search code | emanuele-f | 2019-09-26
* Added DTLS check in STUN | Luca Deri | 2019-09-21
    Updated (C)
* Code cleanup | Luca Deri | 2019-07-27
* Fix DNS rsp_addr missing in some tiny responses | emanuele-f | 2019-04-15
* Implemented ndpi_process_partial_detection() API call to handle partial matches due to the nDPI specified configuration | Luca Deri | 2019-04-01
* Add DNS response address | emanuele-f | 2019-03-29