| Commit message | Author | Date |
|---|---|---|
| ... | | |
| Fixed JA3+ computation | Luca Deri | 2021-03-11 |
| Added experimental JA3+ implementation that can be used with -z in ndpiReader | Luca Deri | 2021-03-09 |
| Improved DGA detection with trigrams. Disadvantage: slower startup time<br>Reworked Tor dissector embedded in TLS (fixes #1141). Removed false positive on HTTP User-Agent | Luca Deri | 2021-03-03 |
| DTLS: improve support (#1146)<br>* DTLS: add some pcap tests<br>* DTLS: fix parsing of Client/Server Hello message<br>* DTLS: add parsing of server certificates | Ivan Nardi | 2021-03-02 |
| Added NDPI_MALICIOUS_SHA1 flow risk. (#1142)<br>* An external file which contains known malicious SSL certificate SHA-1 hashes can be loaded via ndpi_load_malicious_sha1_file(...)<br>Signed-off-by: Toni Uhlig <matzeton@googlemail.com> | Toni | 2021-02-26 |
| Added NDPI_MALICIOUS_JA3 flow risk<br>Added ndpi_load_malicious_ja3_file() API call | Luca Deri | 2021-02-22 |
| Implemented TLS Certificate Subject matching<br>Improved AnyDesk detection | Luca Deri | 2021-02-22 |
| Improved (partial) TLS dissection | Luca Deri | 2021-02-04 |
| debug message bugfix (#1108)<br>You cannot look for memory enlargement if you print the debug message after updating the variables | ragostino | 2021-02-03 |
| Cleaned up tls/quic datatypes | Luca Deri | 2021-01-21 |
| Reworked TLS fingerprint calculation<br>Modified TLS memory free | Luca Deri | 2021-01-21 |
| Reworked UPnP protocol, which in essence was WSD, hence it has been renamed<br>Cleaned up TLS code for DTLS detection by defining a new DTLS protocol | Luca | 2021-01-20 |
| (C) Update | Luca Deri | 2021-01-07 |
| Quic fixes (#1106)<br>* QUIC: fix heap-buffer-overflow<br>* TLS: fix parsing of QUIC Transport Parameters | Ivan Nardi | 2021-01-07 |
| QUIC: update to draft-33 (#1104)<br>QUIC (final!?) constants for v1 are defined in draft-33 | Ivan Nardi | 2021-01-04 |
| Introduced fix on TLS for discarding traffic out of sequence that might invalidate dissection | Luca Deri | 2020-12-22 |
| fixes issue #1050 Syntax error caused buffer pointer to equal 0x1 (#1051)<br>* Syntax error caused buffer pointer to equal 0x1. Possible copy-paste from lines 141-142?<br>* Another comma operator<br>* whitespace matching<br>* another comma operator<br>* another comma operator<br>* another comma operator<br>* Check for non-zero payload | Don J. Rude | 2020-11-09 |
| Updated ESNI/SNI alarm generation policy | Luca Deri | 2020-11-08 |
| Added -D flag for detecting DoH in the wild<br>Removed heuristic from CiscoVPN as it leads to false positives | Luca Deri | 2020-10-26 |
| Various improvements when using ndpi_pref_enable_tls_block_dissection: application data TLS blocks are now ignored when exchanged before<br>- the end of certificate negotiation (up to TLS 1.2)<br>- change cipher | Luca Deri | 2020-10-24 |
| Added fix for invalid SNI check when SNI is missing | Luca Deri | 2020-10-02 |
| Added risks for checking<br>- invalid DNS traffic (probably carrying exfiltrated data)<br>- TLS traffic with no SNI extension | Luca Deri | 2020-09-21 |
| Merge pull request #1012 from IvanNardi/ua<br>QUIC: extract User Agent information | Luca Deri | 2020-09-17 |
| TLS: fix memory accesses in QUIC transport parameters extension | Nardi Ivan | 2020-09-10 |
| QUIC: extract User Agent information | Nardi Ivan | 2020-09-08 |
| Added extension to detect nested subdomains as used in Browsertunnel attack tool<br>https://github.com/veggiedefender/browsertunnel | Luca Deri | 2020-09-09 |
| Update TLS dissector to handle QUIC flows<br>Latest QUIC versions use TLS for the encryption layer: reuse existing code to allow Client Hello parsing and sub-classification based on SNI value. Side effect: we might have JA3C, TLS negotiated version, SNI value and supported cipher list for QUIC, too. | Nardi Ivan | 2020-08-21 |
| Suspicious ESNI usage: add a comment and a pcap example<br>See: 79b89d286605635f15edfe3c21297aaa3b5f3acf | Nardi Ivan | 2020-08-06 |
| Merge pull request #973 from IvanNardi/esni3<br>Add risk flag about suspicious ESNI usage | Luca Deri | 2020-08-06 |
| Add risk flag about suspicious ESNI usage<br>In a Client Hello, the presence of both SNI and ESNI may obfuscate the real domain of an HTTPS connection, fooling DPI engines and firewalls, similarly to Domain Fronting. Such a technique is reported in a presentation at DEF CON 28: "Domain Fronting is Dead, Long Live Domain Fronting: Using TLS 1.3 to evade censors, bypass network defenses, and blend in with the noise". Full credit for the idea must go to the original author. At the moment, the only way to get the pdf presentation and related video is via https://forum.defcon.org/node/234492. Hopefully a direct link (and an example pcap) will be available soon. | Nardi Ivan | 2020-08-05 |
| Fixed possible memory leak in TLS certificate handling | Luca Deri | 2020-08-05 |
| Added memory checks | Luca Deri | 2020-08-02 |
| Fixed partial TLS dissection | Luca Deri | 2020-07-30 |
| Restored TLS dissection | Luca Deri | 2020-07-30 |
| Tiny changes for TLS block length dissection | Luca Deri | 2020-07-29 |
| TLS dissection improvements | Luca Deri | 2020-07-28 |
| Fix for invalid boundary check | Luca Deri | 2020-07-17 |
| Fixed race condition in ndpi_ssl_version2str() caused by static qualifier in the version string buffer.<br>* added also GREASE supported tls versions as specified in https://tools.ietf.org/html/draft-davidben-tls-grease-01#page-4<br>Signed-off-by: Toni Uhlig <matzeton@googlemail.com> | Toni Uhlig | 2020-07-11 |
| Fixed heap overflow in tls esni extraction triggered by manipulated packets.<br>Signed-off-by: Toni Uhlig <matzeton@googlemail.com> | Toni Uhlig | 2020-06-29 |
| TLS: extract JA3 signatures in some corner cases<br>In some (rare) cases, Client Hello message contains lots of cipher suites. | Nardi Ivan | 2020-06-28 |
| Added malformed packet risk support | Luca Deri | 2020-06-26 |
| Fixes #906<br>Packet bins are not printed when empty | Luca Deri | 2020-06-22 |
| Merge pull request #920 from lnslbrty/fix/tls-rdn-crash<br>Fixed stack overflow caused by missing length check | Luca Deri | 2020-06-19 |
| Fixed stack overflow caused by missing length check<br>Signed-off-by: Toni Uhlig <matzeton@googlemail.com> | Toni Uhlig | 2020-06-18 |
| Fixed API documentation: packet timestamp is expressed in milliseconds | Luca Deri | 2020-06-18 |
| Added DGA risk for names that look like a DGA | Luca Deri | 2020-06-11 |
| Win fixes | Luca Deri | 2020-06-08 |
| Added check in TLS 1.2+ for reporting a risk when TLS is not used to carry HTTPS | Luca Deri | 2020-06-08 |
| Added TLS boundary check | Luca Deri | 2020-06-07 |
| Removed some obsolete protocols (battlefield, oscar, pcanywhere, tvants) | Luca Deri | 2020-06-06 |
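Two entries in the log above describe checks on the ClientHello extension list ("Add risk flag about suspicious ESNI usage": plaintext SNI together with ESNI; "Added risks for checking ... TLS traffic with no SNI extension"), and several others are fixes for missing length or boundary checks while walking that list (the heap overflow in ESNI extraction, the stack overflow from a missing length check, "Added TLS boundary check"). The following is an added example, written for this page and not code from nDPI, that walks a ClientHello's extensions with a bounds check on every read and produces both flags. It assumes ESNI is extension type 0xffce (the value used by the draft-ietf-tls-esni series), uses its own risk labels rather than nDPI's enum names, and feeds the parser records constructed by `build_client_hello` rather than packets from a capture.

```python
import struct

EXT_SERVER_NAME = 0x0000
EXT_ESNI = 0xFFCE  # encrypted_server_name, draft-ietf-tls-esni (assumed to be the ESNI meant above)
# Illustrative labels for this example; not nDPI's enum names.
RISK_MISSING_SNI, RISK_SNI_PLUS_ESNI = "TLS_MISSING_SNI", "TLS_SUSPICIOUS_ESNI_USAGE"


class Malformed(ValueError):
    """Raised instead of reading past the end of the buffer."""


def _need(buf, off, n):
    # Every read goes through this check; a missing one is the bug the boundary-check fixes above close.
    if off + n > len(buf):
        raise Malformed(f"need {n} bytes at offset {off}, have {len(buf) - off}")


def _u16(buf, off):
    _need(buf, off, 2)
    return struct.unpack(">H", buf[off:off + 2])[0]


def _parse_sni(data):
    """server_name extension body -> first host_name entry, or None if there is none."""
    off, end = 2, 2 + _u16(data, 0)
    _need(data, 2, end - 2)
    while off < end:
        _need(data, off, 3)
        ntype, nlen, off = data[off], _u16(data, off + 1), off + 3
        if off + nlen > end:
            raise Malformed("server_name entry overruns its list")
        if ntype == 0:  # host_name
            return data[off:off + nlen].decode("ascii", "replace")
        off += nlen
    return None


def parse_client_hello(rec):
    """Parse one TLS record carrying a ClientHello; return the fields the checks need."""
    _need(rec, 0, 5)
    if rec[0] != 0x16:
        raise Malformed("not a handshake record")
    rlen = _u16(rec, 3)
    _need(rec, 5, rlen)
    hs = rec[5:5 + rlen]
    _need(hs, 0, 4)
    if hs[0] != 0x01:
        raise Malformed("not a ClientHello")
    hlen = int.from_bytes(hs[1:4], "big")
    _need(hs, 4, hlen)
    body = hs[4:4 + hlen]
    _need(body, 0, 35)                      # legacy_version + random + session_id length
    _need(body, 35, body[34])               # session_id itself
    off = 35 + body[34]
    cs_len, off = _u16(body, off), off + 2
    if cs_len % 2:
        raise Malformed("odd cipher_suites length")
    _need(body, off, cs_len)
    suites = [_u16(body, i) for i in range(off, off + cs_len, 2)]
    off += cs_len
    _need(body, off, 1)
    off += 1 + body[off]                    # skip compression_methods
    _need(body, off, 0)                     # the list itself must lie inside the body
    sni, has_esni = None, False
    if off < len(body):                     # extensions block is optional
        ext_len, off = _u16(body, off), off + 2
        _need(body, off, ext_len)
        end = off + ext_len
        while off < end:
            etype, elen, off = _u16(body, off), _u16(body, off + 2), off + 4
            if off + elen > end:
                raise Malformed(f"extension 0x{etype:04x} overruns the extensions block")
            if etype == EXT_SERVER_NAME:
                sni = _parse_sni(body[off:off + elen])
            elif etype == EXT_ESNI:
                has_esni = True
            off += elen
    return {"sni": sni, "has_esni": has_esni, "cipher_suites": suites}


def flow_risks(rec):
    """Risks a DPI engine could attach to the flow after seeing this ClientHello."""
    info = parse_client_hello(rec)
    if info["sni"] is None:
        return [RISK_MISSING_SNI]
    if info["has_esni"]:                    # plaintext SNI *and* ESNI: the DEF CON 28 trick
        return [RISK_SNI_PLUS_ESNI]
    return []


def is_malformed(rec):
    try:
        parse_client_hello(rec)
        return False
    except Malformed:
        return True


def build_client_hello(sni=None, esni=False, suites=(0x1301, 0x1302)):
    """Constructed sample ClientHello record (not a capture); the ESNI body is an opaque placeholder."""
    exts = b""
    if sni is not None:
        host = sni.encode()
        entry = b"\x00" + struct.pack(">H", len(host)) + host
        lst = struct.pack(">H", len(entry)) + entry
        exts += struct.pack(">HH", EXT_SERVER_NAME, len(lst)) + lst
    if esni:
        exts += struct.pack(">HH", EXT_ESNI, 16) + b"\x00" * 16
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"   # legacy_version, random, empty session_id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                            # compression_methods: null only
    body += struct.pack(">H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
```

`flow_risks(build_client_hello(sni="example.com", esni=True))` returns the SNI-plus-ESNI flag, `flow_risks(build_client_hello())` returns the missing-SNI flag, and a record truncated below its declared length (for instance `build_client_hello(sni="example.com")[:-5]`) raises `Malformed` from `_need` rather than reading past the buffer. Every length field is validated before it is used as an offset, which is the property the overflow fixes in this log restore one site at a time.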