aboutsummaryrefslogtreecommitdiff
path: root/src/lib/protocols
Commit message (Collapse)AuthorAge
* HTTP: fix user-agent parsing (#1124)Ivan Nardi2021-02-03
| | | | | | | | | | | User-agent information is used to try to detect the user OS; since the UA is extracted for QUIC traffic too, the "detected_os" field must be generic and not associated to HTTP flows only. Otherwise, you might overwrite some "tls_quic_stun" fields (SNI...) with random data. Strangely enough, the "detected_os" field is never used: it is never logged, or printed, or exported...
* HTTP: fix logs when NDPI_ENABLE_DEBUG_MESSAGES is defined (#1123)Ivan Nardi2021-02-03
|
* Increased number of extra packets that is necessary since the frgament ↵Luca Deri2021-02-03
| | | | mananger introduction
* debug message bugfix (#1108)ragostino2021-02-03
| | | you can not look for memory enlargement if you print debug message after updating the variables
* Improved wireguard dissectionLuca Deri2021-01-29
|
* DCE/RPC improvement to avoid false positivesLuca Deri2021-01-29
|
* Cleaned up tls/quic datatypesLuca Deri2021-01-21
|
* Reworked TLS fingerprint calcolationLuca Deri2021-01-21
| | | | Modified TLS memory free
* Rewored UPnP protocol that in essence was WSD hence it has been renamedLuca2021-01-20
| | | | Cleaned up TLS code for DTLS detection by defining a new DTLS protocol
* Improves STUN dissection removing an invalid termination condition that ↵Luca Deri2021-01-13
| | | | prevented Skype calls to be properly identified
* (C) UpdateLuca Deri2021-01-07
|
* Warning fixLuca Deri2021-01-07
|
* STUN: avoid false positives (#1110)Ivan Nardi2021-01-07
| | | STUN traffic doesn't use multicast addresses
* HTTP: fix compilation and a memory error when NDPI_ENABLE_DEBUG_MESSAGES is ↵Ivan Nardi2021-01-07
| | | | defined (#1109)
* QUIC: add suppport for DNS-over-QUIC (#1107)Ivan Nardi2021-01-07
| | | | | | | | | Even if it is only an early internet draft, DoQ has already (at least) one deployed implementation. See: https://www.zdnet.com/article/ad-blocker-adguard-deploys-worlds-first-dns-over-quic-resolver/ Draft: https://tools.ietf.org/html/draft-huitema-dprive-dnsoquic-00 In the future, if this protocol will be really used, it might be worth to rename NDPI_PROTOCOL_DOH_DOT in NDPI_PROTOCOL_DOH_DOT_DOQ
* Quic fixes (#1106)Ivan Nardi2021-01-07
| | | | | * QUIC: fix heap-buffer-overflow * TLS: fix parsing of QUIC Transport Parameters
* QUIC: improve handling of SNI (#1105)Ivan Nardi2021-01-07
| | | | | | | | | | | | | * QUIC: SNI should be always saved in flow->protos.stun_ssl.ssl.client_requested_server_name Close #1077 * QUIC: fix matching of custom categories * QUIC: add NDPI_TLS_MISSING_SNI support for older GQUIC versions * QUIC: fix serialization * QUIC: add DGA check for older GQUIC versions
* Split HTTP request from response Content-Type. Request Content-Type should ↵Luca Deri2021-01-06
| | | | be present with POSTs and not with other methods such as GET
* Added check for invalid HTTP contentLuca Deri2021-01-06
|
* QUIC: update to draft-33 (#1104)Ivan Nardi2021-01-04
| | | QUIC (final!?) constants for v1 are defined in draft-33
* Remove FB_ZERO protocol (#1102)Ivan Nardi2021-01-04
| | | | | | FB_ZERO was an experimental protocol run by Facebook. They switched to QUIC/TLS1.3 more than 2 years ago; no one ever used it but them so it is definitely dead. See: https://engineering.fb.com/2018/08/06/security/fizz/
* Fixed missing symbolLuca Deri2021-01-02
|
* Added HTTP suspicious content securirty risk (useful for tracking trickbot)Luca Deri2021-01-02
|
* Added known protocol on unknown port for ntopLuca Deri2020-12-28
|
* Introduced fix on TLS for discarding traffic out of sequence that might ↵Luca Deri2020-12-22
| | | | invalidate dissection
* Type change to avoid Windows compilation issuesLuca Deri2020-12-17
|
* Improved HTTP dissectionLuca Deri2020-12-16
|
* soulseek: fix heap buffer overflow (#1083)Ivan Nardi2020-12-11
| | | Close #1082
* Added initializationLuca Deri2020-12-11
|
* Rename Jabber detection name as we are not sure if it is unencrypted e.g. if ↵Toni2020-12-08
| | | | | START_TLS used. (#1079) Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Add a connectionless DCE/RPC detection (#1078)rafaliusz2020-12-08
| | | | | | | * Add connectionless DCE/RPC detection * Add DCE/RPC pcap file as well as its test result Co-authored-by: rafal <rafal.burzynski@cryptomage.com>
* QUIC: sync with Wireshark latest changes (#1074)Ivan Nardi2020-12-08
| | | | | | | | | Most of the QUIC crypto code has been "copied-and-pasted" from Wireshark; try to stay in sync with the original sources to ease backporting of fixes. Only cosmetic changes and code refactoring; no behaviour changes or bugfixes. See: https://gitlab.com/wireshark/wireshark/-/commit/5e45f770fd79ca979c41ed397fee72d2e8fb5f1e https://gitlab.com/wireshark/wireshark/-/commit/5798b91c1526747bf688b6746b33562c1b24a9e0
* Warning fixAlfredo Cardigliano2020-11-23
|
* Quic fixes (#1067)Ivan Nardi2020-11-22
| | | | | | | * QUIC: fix return value on error path on quic_cipher_init() * QUIC: allow dissection of sessions forcing version negotiation Enhance heuristic to avoid false positives.
* iec60870-5-104: fix heap-buffer-overflow error (#1066)Ivan Nardi2020-11-22
|
* Added support for AmongUs. (#1054)Toni2020-11-09
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Improved SSH protocol detection. (#1052)Toni2020-11-09
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* fixes issue #1050 Syntax error caused buffer pointer to equal 0x1 (#1051)Don J. Rude2020-11-09
| | | | | | | | | | | | | | | | | * Syntax error caused buffer pointer to equal 0x1 Possible copy-paste from lines 141-142? * Another comma operator * whitespace matching * another comma operator * another comma operator * another comma operator * Check for non-zero payload
* Updated ESNI/SNI alarm generation prolicyLuca Deri2020-11-08
|
* Reworked IEC60870 dissectorLuca Deri2020-11-04
|
* IEC60870 dissection improvementsLuca Deri2020-11-04
|
* :bulb: Add mongodb protocol dissector (#1048)Leonn2020-11-03
|
* QUIC: fix dissection of Initial packets coalesced with 0-RTT one (#1044)Ivan Nardi2020-11-03
| | | | | * QUIC: fix dissection of Initial packets coalesced with 0-RTT one * QUIC: fix a memory leak
* Fix for detecting numeric IPsLuca Deri2020-11-01
|
* Added boundary checkLuca Deri2020-10-27
|
* Improve skype detection (#1039)Igor Duarte2020-10-27
| | | | | | | * Add new skype pcap PCAP extracted from SkypeIRC.cap (available in https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=SkypeIRC.cap) * Improve skype detection
* Added -D flag for detecting DoH in the wildLuca Deri2020-10-26
| | | | Removed heuristic from CiscoVPN as it leads to false positives
* Various improvemement when using ndpi_pref_enable_tls_block_dissection:Luca Deri2020-10-24
| | | | | | application data TLS blocks are now ignored when exchanged before - the end of certificate negotiation (up to TLS 1.2) - change cipher
* Added CPHA - CheckPoint High Availability Protocol protocl supportLuca Deri2020-10-22
|
* Fixes #1033Luca Deri2020-10-21
|
Powered by cgit, Themed by Ted Yin.