aboutsummaryrefslogtreecommitdiff
path: root/src/lib/protocols
Commit message (Collapse)AuthorAge
...
* Fix access to some TLS fields in flow structure (#1277)Ivan Nardi2021-08-20
| | | | Fields 'tls.hello_processed` and `tls.subprotocol_detected` are used by QUIC (i.e UDP...), too.
* Compile everything with "-W -Wall -Wno-unused-parameter" flags (#1276)Ivan Nardi2021-08-20
| | | | | | | | | | | | | | | | Fix all the warnings. Getting rid of "-Wno-unused-parameter" is quite complex because some parameters usage depends on compilation variable (i.e. `--enable-debug-messages`). The "-Werror" flag has been added only in Travis builds to avoid breaking the builds to users using uncommon/untested OS/compiler/enviroment. Tested on: * x86_64; Ubuntu 20.04; gcc 7,8,9,10,11; clang 7,8,9,10,11,12 * x86_64; CentOS 7.7; gcc 4.8.5 (with "--disable-gcrypt" flag) * Raspberry 4; Debian 10.10; gcc 8.3.0
* Fixes a crash on ARM (Raspberry Pi 4 Model B Rev 1.1)Luca Deri2021-08-18
|
* Fixed some invalid TLS guessesLuca Deri2021-08-17
|
* Added check to avoid clases on similar protocols (FTP adn SMTP) on setting ↵Luca Deri2021-08-11
| | | | hostname
* Added extraction of hostname in SMTPLuca Deri2021-08-11
| | | | Fixed mail incalid subprotocol calculation
* Skip whitespaces between HTTP method and URL. (#1271)Toni2021-08-08
| | | | | * be less case-restrictive, RFC2616 wants it that way Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added TLS fatal alert flow riskLuca Deri2021-08-07
|
* Improved RTSP detection and fixed HTTP false-positive. Fixes #1229. (#1266)Toni2021-07-31
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Improved TFTP detection. Fixes #1242, #1256 (#1262)Toni2021-07-25
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Implemented ALPN automa for checking uncommon ALPNsLuca Deri2021-07-24
|
* Reworked flow risk implementationLuca Deri2021-07-23
|
* Implemented function to retrieve flow information. #1253 (#1254)Toni2021-07-23
| | | | | * fixed [h]euristic typo Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added risk: TLS_EXTENSION_SUSPICIOUS (#1252)Toni2021-07-19
| | | | | | * validates client/server hello TLS extensions * inspects content for some extensions Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Fixed TLS certificate threshold (#1248)pacant2021-07-16
| | | Co-authored-by: pacant <a.pace97@outlook.com>
* Code cleanup. (#1246)Vitaly Lavrov2021-07-16
| | | | ndpi_utils.c: use ndpi_malloc,ndpi_calloc,ndpi_free genshin_impact.c, git.c, hpvirtgrp.c, http.c, z3950.c: removed "#include stdlib.h"
* Code cleanupLuca Deri2021-07-14
|
* TLS Risks - Certificate Validity Too Long (#1239)pacant2021-07-14
| | | | | | | | | | | * Added flow risk: TLS certificate too long * Added flow risk: TLS certificate too long * Date for TLS limit added * TLS certificate check fixed Co-authored-by: pacant <a.pace97@outlook.com>
* Added AVAST SecureDNS protocol. (#1244)Toni2021-07-14
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Improved Steam detection (Steam Datagram Relay - SDR). (#1243)Toni2021-07-14
| | | | | * improved DNSCrypt midstream detection again (sufficient for all tested use-cases) Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Improved dnscrypt midstream detection. (#1241)Toni2021-07-13
| | | | | * fixed skype false-positive detection of dnscrypt traffic Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Fixed false positives in Z39.50Luca Deri2021-07-09
|
* Fix for #1230 (#1235)Vitaly Lavrov2021-07-07
| | | | | | | | | | | | | | | * Revert "Fix return value of ndpi_match_string_subprotocol() (#1230)" This reverts commit 58665e93a98d014b53d131b2481ccab074efc9ff. * Checking the return code after calling ndpi_match_string_subprotocol() ndpi_api.h: Description of the returned error codes for the ndpi_match_string_subprotocol() function. If the ndpi_match_string_subprotocol() function returned an error, then return NDPI_PROTOCOL_UNKNOWN. http: The "Content-type" header is only checked if it is not empty.
* Improved RTSP detection the second. (#1232) (#1233)Toni2021-07-07
| | | | | | | * RTSP is no subprotocol of HTTP (most of the time) * detection patterns should stay in rtsp.c * set detected HTTP protocol only if at least a valid HTTP method detected Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Improved RTSP via HTTP detection. (#1232)Toni2021-07-06
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Minor fixLuca Deri2021-07-05
|
* Code cleanupLuca Deri2021-07-05
|
* TLS: fix a memory error in JA3 code (#1227)Ivan Nardi2021-07-05
| | | | protocols/tls.c:1856:5: runtime error: index 256 out of bounds for type 'char [256]' SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior protocols/tls.c:1856:5
* Improved Z39.50 detection. (#1225)Toni2021-07-05
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Fixed off-by-one memory error for TLS-JA3. (#1222)Toni2021-06-29
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added Z39.50 protocol. (#1219)Toni2021-06-29
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* QUIC: add basic support for fragmented Client Hello (#1216)Ivan Nardi2021-06-24
| | | | Only in-order and non overlapping fragments are handled See #1195
* Restored 32 bit value in ndpi_match_string_value()Luca Deri2021-06-21
|
* NetBIOS decoding changesLuca Deri2021-06-16
|
* Code review. (#1205)Vitaly Lavrov2021-06-15
| | | | | | | | | | | | | | | The common actions required to call the ac_automata_search() function have been moved to the ndpi_match_string_common function. This made it possible to simplify the ndpi_match_string, ndpi_match_string_protocol_id, ndpi_match_string_value, ndpi_match_custom_category, ndpi_match_string_subprotocol, ndpi_match_bigram, ndpi_match_trigram functions. Using u_int16_t type for protocol identifiers when working with the ahocorasick library (changes src/include/ndpi_api.h.in and src/include/ndpi_typedefs.h). Reworked "finalization" of all AC_AUTOMATA_t structures. Changing the order of fields in the ndpi_call_function_struct structure reduces the size of the ndpi_detection_module_struct structure by 10 kB (for x86_64).
* Reimplememnted SNMP dissectorLuca Deri2021-06-11
|
* Renamed Skyp in Skype_Teams as the protocol is now shared across these appsLuca Deri2021-06-02
|
* TLS: improve check for common ALPNs (#1191)Ivan Nardi2021-06-01
| | | Facebook is still using its own ALPN for HTTP2 as well
* Added TLS check to avoid crash with UDP-based trafficLuca2021-05-25
|
* Improved TLS browser detection heuristicsLuca Deri2021-05-19
|
* Added risk/score dump (ndpiReader -h)Luca Deri2021-05-18
| | | | Added ndpi_dump_risks_score() API score
* Added further checksLuca Deri2021-05-15
|
* Added TLS certifiacate cachingLuca Deri2021-05-15
| | | | Added Fortigate protocol
* Added browser TLS heuristicLuca Deri2021-05-13
|
* Implemented heuristic to detect Safari and Firefox TLS browsingLuca Deri2021-05-13
|
* Improved SSL certificate name wildcard handling and risk. #1182 (#1183)Toni2021-05-11
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added check to reduce MongoDB false positive detectionLuca Deri2021-05-10
|
* TLS: fix extraction for TLS signature algorithms (#1180)Ivan Nardi2021-05-09
| | | | | | | | | | ``` ==69562==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6100009000fb at pc 0x7f41882003a7 bp 0x7f4183cfbfc0 sp 0x7f4183cfb768 READ of size 32 at 0x6100009000fb thread T1 #0 0x7f41882003a6 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 #1 0x560b2d7462a1 in processClientServerHello protocols/tls.c:1647 #2 0x560b2d73be6a in processTLSBlock protocols/tls.c:712 #3 0x560b2d73e61f in ndpi_search_tls_udp protocols/tls.c:968 ```
* TLS: fix another use-of-uninitialized-value error in ClientHello parsing (#1179)Ivan Nardi2021-05-09
| | | | | | | | | | | | Error detected with valgrind. ==13127== Conditional jump or move depends on uninitialised value(s) ==13127== at 0x483EF58: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==13127== by 0x1A93B6: ndpi_strdup (ndpi_main.c:159) ==13127== by 0x1C07CC: processClientServerHello (tls.c:1678) ==13127== by 0x1C0C4C: processTLSBlock (tls.c:712) ==13127== by 0x1C0C4C: ndpi_search_tls_tcp.part.0 (tls.c:849) See also 8c3674e9
* Initial work towards detection via TLS of browser typesLuca2021-05-06
|
Powered by cgit, Themed by Ted Yin.