path: root/src/lib/protocols
Commit message (Author, Age)
* Added CPHA - CheckPoint High Availability Protocol protocol support (Luca Deri, 2020-10-22)
* Fixes #1033 (Luca Deri, 2020-10-21)
* Added fix for invalid SNI check when SNI is missing (Luca Deri, 2020-10-02)
* QUIC: fix dissection of "offset" field (#1025) (Ivan Nardi, 2020-09-29)
  The "offset" field is a variable-length integer. This bug hasn't any practical effects right now, since we are ignoring any packet with "offset" != 0 (and the value 0 is always encoded in only one byte). But extracting a correct "offset" is important if we are ever going to handle fragmented Client Hello messages.
* Added extra boundary checks (Luca Deri, 2020-09-26)
* Boundary fix (Luca Deri, 2020-09-25)
* Various optimizations to reduce not-necessary calls (Luca Deri, 2020-09-24)
  Optimized various UDP dissectors.
  Removed dead protocols such as pando and pplive.
* Improved boundary check to prevent overflow (Luca Deri, 2020-09-23)
* Minor UA handling improvement to avoid heap-overflow (Luca Deri, 2020-09-22)
* Minor change for alignment issue (Luca Deri, 2020-09-21)
* Added risks for checking (Luca Deri, 2020-09-21)
  - invalid DNS traffic (probably carrying exfiltrated data)
  - TLS traffic with no SNI extension
* Merge pull request #1019 from IvanNardi/quic_fb (Luca Deri, 2020-09-20)
  QUIC: add support for MVFST EXPERIMENTAL version
  * QUIC: add support for MVFST EXPERIMENTAL version (Nardi Ivan, 2020-09-20)
* Merge pull request #1017 from lnslbrty/fix/mingw-xcompile (Luca Deri, 2020-09-20)
  Added support for mingw xcompile.
  * Fixed shlib xcompile for x86_64-w64-mingw32 (Toni Uhlig, 2020-09-08)
    Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Reworked MDNS dissector that is not based on the DNS dissector (Luca Deri, 2020-09-17)
* Merge pull request #1012 from IvanNardi/ua (Luca Deri, 2020-09-17)
  QUIC: extract User Agent information
  * TLS: fix memory accesses in QUIC transport parameters extension (Nardi Ivan, 2020-09-10)
  * QUIC: extract User Agent information (Nardi Ivan, 2020-09-08)
  * http: create a common function to parse User Agent field (Nardi Ivan, 2020-09-08)
    Prepare the code to handle UA information from flows other than HTTP.
* Disabled QUIC tracing that pollutes the output (Luca Deri, 2020-09-17)
* Added boundary check (Luca Deri, 2020-09-10)
* Merge pull request #1014 from lnslbrty/improved/teamspeak (Luca Deri, 2020-09-09)
  Improved Teamspeak(3) protocol detection.
  * Improved Teamspeak(3) protocol detection. (Toni Uhlig, 2020-09-09)
    Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added extension to detect nested subdomains as used in Browsertunnel attack tool (Luca Deri, 2020-09-09)
  https://github.com/veggiedefender/browsertunnel
* Improved dnscrypt v1/v2 protocol detection. (Toni Uhlig, 2020-09-06)
  Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Fixed off-by-one error in Kerberos protocol. (Toni Uhlig, 2020-09-02)
  Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Fixed false positive detection for Skype.SkypeCall (affects at least Cisco HSRP and RADIUS). (Toni Uhlig, 2020-09-02)
  Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added boundary check (Luca Deri, 2020-09-01)
* Added (optional) notifier for LRU add (Luca Deri, 2020-08-31)
* QUIC: add support for GQUIC T050 and T051 (Nardi Ivan, 2020-08-30)
  QUIC versioning wasn't complex enough without T05X family... These versions are very similar to Q050, but use TLS as their handshake protocol.
* Improved ntop detection over HTTP (Luca Deri, 2020-08-30)
  Added cap on number of attempts for CiscoVPN.
* Fixed false positive in suspicious user agent (Luca Deri, 2020-08-30)
  Optimized stddev calculation.
* Merge pull request #996 from lnslbrty/fix/travis-ci (Luca Deri, 2020-08-28)
  Fix travis-ci related errors.
  * Fixed use-of-uninitialized-value in QUIC clho decryption probably caused by a BUG in libgcrypt (not verified). (Toni Uhlig, 2020-08-27)
    Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
  * Moved NDPI_CURRENT_PROTO define before ndpi_api.h include to prevent a redefinition warning. (Toni Uhlig, 2020-08-27)
    Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Passes method_len param to ndpi_http_str2method (Simone Mainardi, 2020-08-27)
* Added ndpi_http_method ndpi_http_str2method(const char* method) API call (Luca Deri, 2020-08-26)
* QUIC: minor fixes (Nardi Ivan, 2020-08-24)
  LGTM found a real issue on a boundary check.
  Fix unit tests: a pcap has been uploaded twice (with different names).
  Fix compilation when using DPDK (see #990).
* Created IoT-Scada category (Luca Deri, 2020-08-23)
  Minor dnp3 changes.
* Warning fix (Luca Deri, 2020-08-22)
* Add sub-classification for GQUIC >= Q050 and (IETF-)QUIC (Nardi Ivan, 2020-08-21)
  Add QUIC payload and header decryption: most of the crypto code has been "copied-and-pasted" from Wireshark. That code has been clearly marked as such. All credits for that code should go to the original authors. I tried to keep the Wireshark code as similar as possible to the original, comments included, to ease future backporting of fixes. Inevitably, glibc data types and data structures, tvbuff abstraction and allocation functions have been converted.
* Update TLS dissector to handle QUIC flows (Nardi Ivan, 2020-08-21)
  Latest QUIC versions use TLS for the encryption layer: reuse existing code to allow Client Hello parsing and sub-classification based on SNI value. Side effect: we might have JA3C, TLS negotiated version, SNI value and supported cipher list for QUIC, too.
* Major rework of QUIC dissector (Nardi Ivan, 2020-08-21)
  Improve support for GQUIC (up to Q046) and add support for Q050 and (IETF-)QUIC.
  Still no sub-classification for Q050 and QUIC.
* Merge pull request #987 from lnslbrty/update/mysql-protocol-detection (Luca Deri, 2020-08-19)
  Updated MySQL protocol detection to support server version 8.
  * Updated MySQL protocol detection to support server version 8. (Toni Uhlig, 2020-08-19)
    Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added support for SOAP. (Toni Uhlig, 2020-08-18)
  Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Suspicious ESNI usage: add a comment and a pcap example (Nardi Ivan, 2020-08-06)
  See: 79b89d286605635f15edfe3c21297aaa3b5f3acf
* Merge pull request #973 from IvanNardi/esni3 (Luca Deri, 2020-08-06)
  Add risk flag about suspicious ESNI usage
  * Add risk flag about suspicious ESNI usage (Nardi Ivan, 2020-08-05)
    In a Client Hello, the presence of both SNI and ESNI may obfuscate the real domain of an HTTPS connection, fooling DPI engines and firewalls, similarly to Domain Fronting. Such a technique is reported in a presentation at DEF CON 28: "Domain Fronting is Dead, Long Live Domain Fronting: Using TLS 1.3 to evade censors, bypass network defenses, and blend in with the noise". Full credit for the idea must go to the original author.
    At the moment, the only way to get the pdf presentation and related video is via https://forum.defcon.org/node/234492
    Hopefully a direct link (and an example pcap) will be available soon.