aboutsummaryrefslogtreecommitdiff
path: root/src/lib/protocols/tls.c
Commit message (Collapse)AuthorAge
...
* Improved TLS browser detection heuristicsLuca Deri2021-05-19
|
* Added risk/score dump (ndpiReader -h)Luca Deri2021-05-18
| | | | Added ndpi_dump_risks_score() API score
* Added further checksLuca Deri2021-05-15
|
* Added TLS certifiacate cachingLuca Deri2021-05-15
| | | | Added Fortigate protocol
* Added browser TLS heuristicLuca Deri2021-05-13
|
* Implemented heuristic to detect Safari and Firefox TLS browsingLuca Deri2021-05-13
|
* Improved SSL certificate name wildcard handling and risk. #1182 (#1183)Toni2021-05-11
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* TLS: fix extraction for TLS signature algorithms (#1180)Ivan Nardi2021-05-09
| | | | | | | | | | ``` ==69562==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6100009000fb at pc 0x7f41882003a7 bp 0x7f4183cfbfc0 sp 0x7f4183cfb768 READ of size 32 at 0x6100009000fb thread T1 #0 0x7f41882003a6 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 #1 0x560b2d7462a1 in processClientServerHello protocols/tls.c:1647 #2 0x560b2d73be6a in processTLSBlock protocols/tls.c:712 #3 0x560b2d73e61f in ndpi_search_tls_udp protocols/tls.c:968 ```
* TLS: fix another use-of-uninitialized-value error in ClientHello parsing (#1179)Ivan Nardi2021-05-09
| | | | | | | | | | | | Error detected with valgrind. ==13127== Conditional jump or move depends on uninitialised value(s) ==13127== at 0x483EF58: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==13127== by 0x1A93B6: ndpi_strdup (ndpi_main.c:159) ==13127== by 0x1C07CC: processClientServerHello (tls.c:1678) ==13127== by 0x1C0C4C: processTLSBlock (tls.c:712) ==13127== by 0x1C0C4C: ndpi_search_tls_tcp.part.0 (tls.c:849) See also 8c3674e9
* Initial work towards detection via TLS of browser typesLuca2021-05-06
|
* Add extraction for TLS signature algorithmsLuca2021-05-06
|
* Check for common ALPNs and set a flow risk if not known. (#1175)Toni2021-04-27
| | | | | | * Increased risk bitmask to 64bit (instead of 32bit). * Removed annoying "Unknown datalink" error message for fuzzers. Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* TLS: fix some use-of-uninitialized-value errors in ClientHello parsing (#1169)Ivan Nardi2021-04-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Error detected with valgrind. ==125883== Conditional jump or move depends on uninitialised value(s) ==125883== at 0x438F57: processClientServerHello (tls.c:1421) ==125883== by 0x43B35A: processTLSBlock (tls.c:712) ==125883== by 0x43B1C4: ndpi_search_tls_tcp (tls.c:849) ==125883== by 0x42C60B: check_ndpi_detection_func (ndpi_main.c:4426) ==125883== by 0x42E920: ndpi_detection_process_packet (ndpi_main.c:5301) ==125916== Conditional jump or move depends on uninitialised value(s) ==125916== at 0x438D7D: processClientServerHello (tls.c:1379) ==125916== by 0x43B35A: processTLSBlock (tls.c:712) ==125916== by 0x43B1C4: ndpi_search_tls_tcp (tls.c:849) ==125916== by 0x42C60B: check_ndpi_detection_func (ndpi_main.c:4426) ==125932== Conditional jump or move depends on uninitialised value(s) ==125932== at 0x438C1D: processClientServerHello (tls.c:1298) ==125932== by 0x43B35A: processTLSBlock (tls.c:712) ==125932== by 0x43B1C4: ndpi_search_tls_tcp (tls.c:849) ==125932== by 0x42C60B: check_ndpi_detection_func (ndpi_main.c:4426) ==125950== Conditional jump or move depends on uninitialised value(s) ==125950== at 0x438D4F: processClientServerHello (tls.c:1371) ==125950== by 0x43B35A: processTLSBlock (tls.c:712) ==125950== by 0x43B1C4: ndpi_search_tls_tcp (tls.c:849) ==125950== by 0x42C079: check_ndpi_detection_func (ndpi_main.c:4443)
* Added NDPI_DESKTOP_OR_FILE_SHARING_SESSION risk to remote protocols for ↵Luca Deri2021-04-12
| | | | remote assistance sessions
* Added NDPI_DESKTOP_OR_FILE_SHARING_SESSION flow riskLuca Deri2021-04-11
|
* Win compilation fixLuca Deri2021-03-22
|
* Better DGA detection (slightly decreased accuracy)Luca Deri2021-03-20
|
* Removed duplicate extesions lenLuca Deri2021-03-19
|
* Added ALPN and elliptic curve in JA3S+Luca Deri2021-03-19
|
* Implemented JA3+ also for JA3SLuca Deri2021-03-19
|
* Reworked JA3Luca Deri2021-03-19
|
* JA3 debug improvementsLuca Deri2021-03-19
|
* Fix compilation warningAlfredo Cardigliano2021-03-12
|
* Fixed JA3+ computationLuca Deri2021-03-11
|
* Added experiemntal JA3+ implementation that can be used with -z i ndpiReaderLuca Deri2021-03-09
|
* Improved DGA detection with trigrams. Disadvantage: slower startup timeLuca Deri2021-03-03
| | | | | Reworked Tor dissector embedded in TLS (fixes #1141) Removed false positive on HTTP User-Agent
* DTLS: improve support (#1146)Ivan Nardi2021-03-02
| | | | | | | * DTLS: add some pcap tests * DTLS: fix parsing of Client/Server Helllo message * DTLS: add parsing of server certificates
* Added NDPI_MALICIOUS_SHA1 flow risk. (#1142)Toni2021-02-26
| | | | | | * An external file which contains known malicious SSL certificate SHA-1 hashes can be loaded via ndpi_load_malicious_sha1_file(...) Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added NDPI_MALICIOUS_JA3 flow riskLuca Deri2021-02-22
| | | | Added ndpi_load_malicious_ja3_file() API call
* Implemented TLS Certificate Sibject matchingLuca Deri2021-02-22
| | | | Improved AnyDesk detection
* Improved (partial) TLS dissectionLuca Deri2021-02-04
|
* debug message bugfix (#1108)ragostino2021-02-03
| | | you can not look for memory enlargement if you print debug message after updating the variables
* Cleaned up tls/quic datatypesLuca Deri2021-01-21
|
* Reworked TLS fingerprint calcolationLuca Deri2021-01-21
| | | | Modified TLS memory free
* Rewored UPnP protocol that in essence was WSD hence it has been renamedLuca2021-01-20
| | | | Cleaned up TLS code for DTLS detection by defining a new DTLS protocol
* (C) UpdateLuca Deri2021-01-07
|
* Quic fixes (#1106)Ivan Nardi2021-01-07
| | | | | * QUIC: fix heap-buffer-overflow * TLS: fix parsing of QUIC Transport Parameters
* QUIC: update to draft-33 (#1104)Ivan Nardi2021-01-04
| | | QUIC (final!?) constants for v1 are defined in draft-33
* Introduced fix on TLS for discarding traffic out of sequence that might ↵Luca Deri2020-12-22
| | | | invalidate dissection
* fixes issue #1050 Syntax error caused buffer pointer to equal 0x1 (#1051)Don J. Rude2020-11-09
| | | | | | | | | | | | | | | | | * Syntax error caused buffer pointer to equal 0x1 Possible copy-paste from lines 141-142? * Another comma operator * whitespace matching * another comma operator * another comma operator * another comma operator * Check for non-zero payload
* Updated ESNI/SNI alarm generation prolicyLuca Deri2020-11-08
|
* Added -D flag for detecting DoH in the wildLuca Deri2020-10-26
| | | | Removed heuristic from CiscoVPN as it leads to false positives
* Various improvemement when using ndpi_pref_enable_tls_block_dissection:Luca Deri2020-10-24
| | | | | | application data TLS blocks are now ignored when exchanged before - the end of certificate negotiation (up to TLS 1.2) - change cipher
* Added fix for invalid SNI check when SNI is missingLuca Deri2020-10-02
|
* Added risks for checkingLuca Deri2020-09-21
| | | | | - invalid DNS traffic (probably carrying exfiltrated data) - TLS traffic with no SNI extension
* Merge pull request #1012 from IvanNardi/uaLuca Deri2020-09-17
|\ | | | | QUIC: extract User Agent information
| * TLS: fix memory accesses in QUIC transport parameters extensionNardi Ivan2020-09-10
| |
| * QUIC: extract User Agent informationNardi Ivan2020-09-08
| |
* | Added extension to detect nested subdomains as used in Browsertunnel attack toolLuca Deri2020-09-09
|/ | | | https://github.com/veggiedefender/browsertunnel
* Update TLS dissector to handle QUIC flowsNardi Ivan2020-08-21
| | | | | | | Latest QUIC versions use TLS for the encryption layer: reuse existing code to allow Client Hello parsing and sub-classification based on SNI value. Side effect: we might have J3AC, TLS negotiated version, SNI value and supported cipher list for QUIC, too.
Powered by cgit, Themed by Ted Yin.