| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| |
|
|
| |
Minor dnp3 changes
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Add QUIC payload and header decryption: most of the crypto code has been
"copied-and-incolled" from Wireshark. That code has been clearly marked
as such. All credits for that code should go to the original authors.
I tried to keep the Wireshark code as similar as possible to the original,
comments included, to ease future backporting of fixes.
Inevitably, glibc data types and data structures, tvbuff abstraction and
allocation functions have been converted.
|
| |
|
|
|
|
|
| |
Latest QUIC versions use TLS for the encryption layer: reuse existing code
to allow Client Hello parsing and sub-classification based on SNI value.
Side effect: we might have J3AC, TLS negotiated version, SNI value and
supported cipher list for QUIC, too.
|
| |
|
|
|
| |
Improve support for GQUIC (up to Q046) and add support for Q050 and (IETF-)QUIC
Still no sub-classification for Q050 and QUIC
|
| |\
| |
| | |
Updated MySQL protocol detection to support server version 8.
|
| | |
| |
| |
| | |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |/
|
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
| |
See: 79b89d286605635f15edfe3c21297aaa3b5f3acf
|
| |\
| |
| | |
Add risk flag about suspicious ESNI usage
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In a Client Hello, the presence of both SNI and ESNI may obfuscate the real
domain of an HTTPS connection, fooling DPI engines and firewalls, similarly
to Domain Fronting.
Such technique is reported in a presentation at DEF CON 28:
"Domain Fronting is Dead, Long Live Domain Fronting: Using TLS 1.3 to evade
censors, bypass network defenses, and blend in with the noise"
Full credit for the idea must go the original author
At the moment, the only way to get the pdf presention and related video is via
https://forum.defcon.org/node/234492
Hopefully a direct link (and an example pcap) will be available soon
|
| |/ |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |\ |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| |\| |
|
| | | |
|
| | | |
|
| |/
|
|
| |
signature version of ssh
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
the version string buffer.
* added also GREASE supported tls versions as specified in
https://tools.ietf.org/html/draft-davidben-tls-grease-01#page-4
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
|
| |
* triggered by fuzz traces from wireshark
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |\
| |
| | |
Log
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
NDPI_LOG* macros dereference ndpi_detection_module_struct object which is
private to ndpi library (via NDPI_LIB_COMPILATION define). So we can't use
them outside the library itself, i.e. in ndpiReader code
Therefore, in files in example/, convert all (rare) uses of NDPI_LOG* macros
to a new very simple macro, private to ndpiReader program. If necessary,
such macro may be improved.
According to a comment in ndpi_define.h, each dissector must define its own
NDPI_CURRENT_PROTO macro before including ndpi_api.h file
|
| | |
| |
| |
| | |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
| |
| |
| | |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
| |
| |
| |
| | |
In some (rare) cases, Client Hello message contains lots of cipher
suits.
|
| | |
| |
| |
| | |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |/ |
|
| |
|
|
| |
Fixes warning
|
| |
|
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
| |
Packet bins are not printed wehn empty
|