aboutsummaryrefslogtreecommitdiff
path: root/src/lib/protocols
Commit message (Collapse)AuthorAge
...
* Prohibit MPEG-DASH to set HTTP as application protocol. (#1560)Toni2022-05-30
| | | Signed-off-by: lns <matzeton@googlemail.com>
* HTTP: fix heap-buffer-overflow error (#1564)Ivan Nardi2022-05-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ``` ==222479==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000014739 at pc 0x55af06f2364f bp 0x7ffd7b6f4bf0 sp 0x7ffd7b6f4378 READ of size 12 at 0x60b000014739 thread T0 #0 0x55af06f2364e in printf_common(void*, char const*, __va_list_tag*) asan_interceptors.cpp.o #1 0x55af06f24f70 in __interceptor_snprintf (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader_with_main+0x613f70) (BuildId: f6545ec2bd7663bc3f16aeeb87bddc64d173a2a8) #2 0x55af0720927f in ndpi_check_http_header /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:982:2 #3 0x55af071f4797 in ndpi_check_http_tcp /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:1219:5 #4 0x55af071f05c5 in ndpi_search_http_tcp /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:1402:3 #5 0x55af07080d1e in check_ndpi_detection_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5150:6 #6 0x55af07081734 in check_ndpi_tcp_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5198:12 #7 0x55af070813d7 in ndpi_check_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5217:12 #8 0x55af070939f7 in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6076:15 #9 0x55af06fc7e1f in packet_processing /home/ivan/svnrepos/nDPI/example/reader_util.c:1541 #10 0x55af06fc7e1f in ndpi_workflow_process_packet /home/ivan/svnrepos/nDPI/example/reader_util.c:2110 #11 0x55af06fc2859 in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader.c:109:7 #12 0x55af06fc2feb in main /home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader.c:181:17 #13 0x7efe5eaac082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 #14 0x55af06f0055d in _start (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader_with_main+0x5ef55d) (BuildId: f6545ec2bd7663bc3f16aeeb87bddc64d173a2a8) 0x60b000014739 is located 0 bytes to the right of 105-byte region [0x60b0000146d0,0x60b000014739) allocated by thread T0 here: #0 0x55af06f84bae in malloc (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader_with_main+0x673bae) (BuildId: f6545ec2bd7663bc3f16aeeb87bddc64d173a2a8) #1 0x55af06fc2673 in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader.c:103:31 #2 0x55af06fc2feb in main /home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader.c:181:17 #3 0x7efe5eaac082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 ``` Fiund by oss-fuzzer. See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47724
* Certificate timestamps should be printed in UTC (#1563)Ivan Nardi2022-05-30
| | | This way, the CI results are consistent
* Updated tests resultsLuca Deri2022-05-30
| | | | Code cleanup
* Added RiskInfo stringLuca Deri2022-05-30
|
* Fix dissection of IPv4 header (#1561)Ivan Nardi2022-05-29
| | | | | See: https://github.com/ntop/nDPI/runs/6643914510?check_suite_focus=true Convert al the `MIN(a,b)` calls to `ndpi_min(a,b)`
* Compilation fixes for old ggc'sLuca Deri2022-05-29
|
* Added detection for WordPress exploitsLuca Deri2022-05-29
| | | | Fixed ndpi_iph_is_valid_and_not_fragmented() that was bugged with non UDP traffic
* Added MPEG-DASH dissector. Fixes #1223. (#1555)Toni2022-05-29
| | | | | | * Improved HTTP POST detection * Refactored subprotocol detection Signed-off-by: lns <matzeton@googlemail.com>
* Fixed HTTP lower/upper protocol mess for Aimini/IPP. (#1557)Toni2022-05-28
| | | | | * If HTTP was already detected, there is no need to overwrite the detection again Signed-off-by: lns <matzeton@googlemail.com>
* Compilation fixesLuca Deri2022-05-27
|
* Updated SkypeCall -> Skype_TeamsCallLuca Deri2022-05-26
|
* Fixed false positives with NATSLuca Deri2022-05-26
|
* Added invalid SNI check in QUICLuca Deri2022-05-24
|
* Improved detection of invalid SNI and hostnames in TLS, HTTPLuca Deri2022-05-24
|
* Moved RTSP http patterns to the protocol source file.lns2022-05-19
| | | | Signed-off-by: lns <matzeton@googlemail.com>
* Improved Viber (TCP) detection. (#1547)Toni2022-05-10
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Improved Xiaomi HTTP detection. (#1546)Toni2022-05-10
| | | | | * Merged Xiaomi pcap files Signed-off-by: lns <matzeton@googlemail.com>
* Removed TLS patterns in the CiscoVPN aka Anyconnect dissector as mentioned ↵Toni2022-05-09
| | | | | in PR #1534. (#1543) Signed-off-by: lns <matzeton@googlemail.com>
* Improved TLS alert detection. (#1542)Toni2022-05-08
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Improved TLS application data detection. (#1541)Toni2022-05-08
| | | | | | * #1532 did fx TLS appdata detection only partially * use flow->l4.tcp.tls.message.buffer_used instead of packet->payload Signed-off-by: lns <matzeton@googlemail.com>
* Fixes outdated descriptionLuca Deri2022-05-04
|
* Improved suspicious http user agent detection. (#1537)Toni2022-05-02
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Added ndpi_get_flow_error_code() API callLuca Deri2022-05-02
| | | | Fixed typo
* Improved TLS application data detection. (#1532)Toni2022-04-27
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Added ability to store custom category file in patricia treeLuca Deri2022-04-26
|
* Raknet: fix heap-buffer-overflow (#1531)Ivan Nardi2022-04-25
| | | | | | | | | | | | | | | | | | | | | | | | ``` ==120637==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000000488 at pc 0x55a0598d97ec bp 0x7ffcfe13f2e0 sp 0x7ffcfe13f2d8 READ of size 2 at 0x606000000488 thread T0 #0 0x55a0598d97eb in ndpi_search_raknet /home/ivan/svnrepos/nDPI/src/lib/protocols/raknet.c:152:38 #1 0x55a05966c48e in check_ndpi_detection_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5060:6 #2 0x55a05966e428 in check_ndpi_udp_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5119:10 #3 0x55a05966dddc in ndpi_check_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5152:12 #4 0x55a05967fa7a in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5971:15 #5 0x55a05962b860 in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet.c:24:3 #6 0x55a05962bd9b in main /home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet.c:84:17 #7 0x7f4aad7d80b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16 #8 0x55a05956b46d in _start (/home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet_with_main+0x5d746d) (BuildId: 9429d3d08edc3836e5536f93c07f140716d8b82e) 0x606000000488 is located 9 bytes to the right of 63-byte region [0x606000000440,0x60600000047f) allocated by thread T0 here: #0 0x55a0595ee80e in malloc (/home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet_with_main+0x65a80e) (BuildId: 9429d3d08edc3836e5536f93c07f140716d8b82e) #1 0x55a05962bd06 in main /home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet.c:70:17 #2 0x7f4aad7d80b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16 ``` Found by oss-fuzz See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47000
* Added generic user agent setter. (#1530)Toni2022-04-25
| | | | | * ndpiReader: Print user agent if one was set and not just for certain protocols. Signed-off-by: lns <matzeton@googlemail.com>
* XIAOMI: add detection of Xiaomi traffic (#1529)Ivan Nardi2022-04-25
| | | Most of the credits should go to @utoni (see #1521)
* Added RakNet protocol dissector. (#1527)Toni2022-04-24
| | | | | * Frame Set PDU's do not get fully dissected for the sake of simplicity Signed-off-by: lns <matzeton@googlemail.com>
* Tiny gnutella improvement if gtk-gnutella used. (#1525)Toni2022-04-22
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Added proprietary Agora Software Defined Real-time Network (SD-RTN) protocol ↵Toni2022-04-20
| | | | | dissector. (#1520) Signed-off-by: lns <matzeton@googlemail.com>
* Added Toca Boca protocol dissector. (#1517)Toni2022-04-19
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Improved sflow protocol detection false-positives. (#1518)Toni2022-04-19
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Kerberos: fix Undefined-shift error (#1516)Ivan Nardi2022-04-18
| | | | | Similar to the error fixed in 4775be3d Found by oss-fuzz. See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46713
* Fixed msys2 build warnings and re-activated CI Mingw64 build.fix/windows-msys2Toni Uhlig2022-04-14
| | | | | | | * Removed Visual Studio leftovers. Maintaining an autotools project with VS integration requires some additional overhead. Signed-off-by: Toni Uhlig <matzeton@googlemail.com> Signed-off-by: lns <matzeton@googlemail.com>
* Kerberos: fix some memory access errors (#1514)Ivan Nardi2022-04-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ``` ==19724==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e00000045e at pc 0x5620b8b3d3cc bp 0x7ffe0fda6b50 sp 0x7ffe0fda6310 READ of size 2 at 0x60e00000045e thread T0 #0 0x5620b8b3d3cb in __interceptor_strncpy (/home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet_with_main+0x63f3cb) (BuildId: ee53ff920c8cd4c226d8520a0d4846d8864726b6) #1 0x5620b8d9b69c in strncpy_lower /home/ivan/svnrepos/nDPI/src/lib/protocols/kerberos.c:208:4 #2 0x5620b8d995a0 in krb_parse /home/ivan/svnrepos/nDPI/src/lib/protocols/kerberos.c:316:5 #3 0x5620b8d97a90 in ndpi_search_kerberos /home/ivan/svnrepos/nDPI/src/lib/protocols/kerberos.c:687:12 #4 0x5620b8bcef35 in check_ndpi_detection_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:4996:4 #5 0x5620b8bd1be8 in check_ndpi_udp_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5072:10 #6 0x5620b8bd159c in ndpi_check_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5105:12 #7 0x5620b8be323a in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5924:15 #8 0x5620b8b8f7e0 in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet.c:24:3 #9 0x5620b8b8fd1b in main /home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet.c:84:17 #10 0x7f45b32b90b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16 #11 0x5620b8acf47d in _start (/home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet_with_main+0x5d147d) (BuildId: ee53ff920c8cd4c226d8520a0d4846d8864726b6) 0x60e00000045e is located 0 bytes to the right of 158-byte region [0x60e0000003c0,0x60e00000045e) allocated by thread T0 here: #0 0x5620b8b5283e in malloc (/home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet_with_main+0x65483e) (BuildId: ee53ff920c8cd4c226d8520a0d4846d8864726b6) #1 0x5620b8b8fc86 in main /home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet.c:70:17 #2 0x7f45b32b90b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16 ``` ``` protocols/kerberos.c:79:52: runtime error: left shift of 255 by 24 places cannot be represented in type 'int' ``` Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46670 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46636
* TINC: fix invalid memory read (#1512)Ivan Nardi2022-04-10
| | | | | | | | | | | | | | | | | | | | | | | | | ``` ================================================================= ==19324==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600061be96 at pc 0x55b4a4cb4460 bp 0x7ffc7b461a70 sp 0x7ffc7b461a68 READ of size 1 at 0x60600061be96 thread T0 #0 0x55b4a4cb445f in ndpi_check_tinc /home/ivan/svnrepos/nDPI/src/lib/protocols/tinc.c:105:9 #1 0x55b4a4cb1888 in ndpi_search_tinc /home/ivan/svnrepos/nDPI/src/lib/protocols/tinc.c:135:5 #2 0x55b4a4b4a6e1 in check_ndpi_detection_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5013:6 #3 0x55b4a4b4c2d4 in check_ndpi_tcp_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5084:12 #4 0x55b4a4b4bf77 in ndpi_check_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5103:12 #5 0x55b4a4b5dcca in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5924:15 #6 0x55b4a4a87734 in packet_processing /home/ivan/svnrepos/nDPI/example/reader_util.c:1519:31 #7 0x55b4a4a80761 in ndpi_workflow_process_packet /home/ivan/svnrepos/nDPI/example/reader_util.c:2093:10 #8 0x55b4a4a39c8d in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader.c:107:7 #9 0x55b4a4a3a46b in main /home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader.c:179:17 #10 0x7f69c63760b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16 #11 0x55b4a497954d in _start (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader_with_main+0x61654d) (BuildId: 705ebc5c412d267294a65cb01f03a1f012aeaf20) 0x60600061be96 is located 0 bytes to the right of 54-byte region [0x60600061be60,0x60600061be96) allocated by thread T0 here: [...] ``` Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46499
* Improved ASN.1 parsing for Keberos. Fixes #1492. (#1497)Toni2022-04-10
| | | | | | * This is a quick fix, the Kerberos protocol dissector requires some refactoring effort. Signed-off-by: Toni Uhlig <matzeton@googlemail.com> Signed-off-by: lns <matzeton@googlemail.com>
* QUIC: handle retransmissions and overlapping fragments in reassembler ↵Vinicius Silva Nogueira2022-04-07
| | | | | | | | | | | | | | | | | | | | | (#1195) (#1498) * QUIC: handle retransmissions and overlapping fragments in reassembler * Trigger CI * minor fix: parentheses * Changing ndpi_malloc to ndpi_calloc * fix memory leak * quic_reasm_buf calloc to malloc * change order of is_ch_complete && is_reasm_buf_complete call * is_reasm_buf_complete: added handling for case where frame size is not multiple of 8 * add extra check
* Removed un-necessary guess in miningLuca Deri2022-04-01
|
* Removed SRV record from suspicious DNS trafficLuca Deri2022-03-31
|
* [SSDP] Extract HTTP user-agent when available. (#1500)Darryl Sokoloski2022-03-27
| | | | | | [SSDP] Added capture file with UA header. [SSDP] Added pcap test output log file. Signed-off-by: Darryl Sokoloski <darryl@sokoloski.ca>
* QUIC: add support for version 2 draft 01 (#1493)Ivan Nardi2022-03-25
| | | | | | Support for v2-00 has been removed (it has never been used in real networks and it is incompatible with v2-01). Chrome already supports v2-01 in latest versions in Chrome Beta channel.
* Mining: cleanup registration (#1496)Ivan Nardi2022-03-25
| | | | | Use the same pattern of all the other dissectors: one registration and one callback. Spotted by @dsokoloski
* Trying to improve QUIC reassembler (#1195) (#1489)Vinicius Silva Nogueira2022-03-24
| | | | | | | | | | | * handling QUIC out-of-order fragments * minor fix * updated quic_frags_ch_out_of_order_same_packet_craziness.pcapng.out * quic test: buf_len + last_pos * QUIC: comment update in __reassemble function and minor change is_ch_complete function
* QUIC: convert logs to standard mechanism (#1485)Ivan Nardi2022-03-15
|
* QUIC: fix dissection of draft-34 (#1484)dev-1Ivan Nardi2022-03-09
| | | | QUIC-34 is probably not used in production, but fixing it is trivial and it doesn't add any noise to the already complex QUIC code.
* Extend tests coverage (#1476)Ivan Nardi2022-03-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Now there is at least one flow under `tests/pcap` for 249 protocols out of the 284 ones supported by nDPI. The 35 protocols without any tests are: * P2P/sharing protocols: DIRECT_DOWNLOAD_LINK, OPENFT, FASTTRACK, EDONKEY, SOPCAST, THUNDER, APPLEJUICE, DIRECTCONNECT, STEALTHNET * games: CSGO, HALFLIFE2, ARMAGETRON, CROSSFIRE, DOFUS, FIESTA, FLORENSIA, GUILDWARS, MAPLESTORY, WORLD_OF_KUNG_FU * voip/streaming: VHUA, ICECAST, SHOUTCAST, TVUPLAYER, TRUPHONE * other: AYIYA, SOAP, TARGUS_GETDATA, RPC, ZMQ, REDIS, VMWARE, NOE, LOTUS_NOTES, EGP, SAP Most of these protocols (expecially the P2P and games ones) have been inherited by OpenDPI and have not been updated since then: even if they are still used, the detection rules might be outdated. However code coverage (of `lib/protocols`) only increases from 65.6% to 68.9%. Improve Citrix, Corba, Fix, Aimini, Megaco, PPStream, SNMP and Some/IP dissection. Treat IPP as a HTTP sub protocol. Fix Cassandra false positives. Remove `NDPI_PROTOCOL_QQLIVE` and `NDPI_PROTOCOL_REMOTE_SCAN`: these protocol ids are defined but they are never used. Remove Collectd support: its code has never been called. If someone is really interested in this protocol, we can re-add it later, updating the dissector. Add decoding of PPI (Per-Packet Information) data link type.
* Some small fixes (#1481)Ivan Nardi2022-03-08
| | | | | | FTP: if the authentication fails, stop analyzing the flow WSD: call the initialization routine; the dissector code has never been triggered MINING: fix dissection
Powered by cgit, Themed by Ted Yin.