libndpi.git - Open Source Deep Packet Inspection Software Toolkit

	Commit message (Collapse)	Author	Age
*	Renamed ips_match to ndpi_ips_match	Luca Deri	2025-01-17
\|
*	Improved DICOM detection	Luca Deri	2025-01-17
\|
*	STUN: improve detection of Telegram calls (#2671)	Ivan Nardi	2025-01-14
\|
*	TLS: remove JA3C (#2679)	Ivan Nardi	2025-01-14
\| \| \| \| \| \| \| \|	Last step of removing JA3C fingerprint Remove some duplicate tests: testing with ja4c/ja3s disabled is already performed by `disable_metadata_and_flowrisks` configuration. Close:#2551
*	Add (kind of) support for loading a list of JA4C malicious fingerprints (#2678)	Ivan Nardi	2025-01-14
\| \| \| \| \| \| \| \| \|	It might be usefull to be able to match traffic against a list of suspicious JA4C fingerprints Use the same code/logic/infrastructure used for JA3C (note that we are going to remove JA3C...) See: #2551
*	Fix code scanning alert no. 14: Redundant null check due to previous ↵	Luca Deri	2025-01-13
\| \| \| \| \|	dereference (#2674) Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
*	Improved WebSocket-over-HTTP detection (#2664)	Toni	2025-01-11
\| \| \| \| \| \|	* detect `chisel` SSH-over-HTTP-WebSocket * use `strncasecmp()` for `LINE_*` matching macros Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
*	QUIC: remove extraction of user-agent (#2650)	Ivan Nardi	2025-01-07
\| \| \| \| \|	In very old (G)QUIC versions by Google, the user agent was available on plain text. That is not true anymore, since about end of 2021. See: https://github.com/google/quiche/commit/f282c934f4731a9f4be93409c9f3e8687f0566a7
*	Classifications "by-port"/"by-ip" should never change (#2656)	Ivan Nardi	2025-01-06
\| \| \|	Add a new variable to keep track of internal partial classification
*	Add the ability to enable/disable every specific flow risks (#2653)	Ivan Nardi	2025-01-06
\|
*	QUIC: extract "max idle timeout" parameter (#2649)	Ivan Nardi	2025-01-06
\| \| \| \| \|	Even if it is only the proposed value by the client (and not the negotiated one), it might be use as hint for timeout by the (external) flows manager
*	TLS: fix `NDPI_TLS_WEAK_CIPHER` flow risk (#2647)	Ivan Nardi	2025-01-06
\| \| \| \|	We should set it also for "obsolete"/"insecure" ciphers, not only for the "weak" ones.
*	TLS: remove ESNI support (#2648)	Ivan Nardi	2025-01-06
\| \| \| \| \|	ESNI has been superseded by ECH for years, now. See: https://blog.cloudflare.com/encrypted-client-hello/ Set the existing flow risk if we still found this extension.
*	SSH: fix how the flow risk is set (#2652)	Ivan Nardi	2025-01-06
\| \| \|	We should use the existing helper
*	Path of Exile 2 support (#2654)	Vladimir Gavrilov	2025-01-06
\|
*	Imporoved SMBv1 heuristic to avoid triggering risks for SMBv1 broadcast ↵	Luca Deri	2025-01-03
\| \| \| \|	messages when used to browse (old) network devices
*	Telegram STUN improvement	Luca Deri	2024-12-13
\|
*	DNS: fix Index-out-of-bounds error (#2644)	Ivan Nardi	2024-12-13
\| \| \| \| \| \| \| \| \| \| \| \| \|	``` Running: /home/ivan/Downloads/clusterfuzz-testcase-minimized-fuzz_ndpi_reader_pl7m_simplest_internal-5759495480868864 protocols/dns.c:482:5: runtime error: index 4 out of bounds for type 'u_int8_t[4]' (aka 'unsigned char[4]') SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior protocols/dns.c:482:5 protocols/dns.c:483:5: runtime error: index 4 out of bounds for type 'u_int32_t[4]' (aka 'unsigned int[4]') SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior protocols/dns.c:483:5 protocols/dns.c:490:12: runtime error: index 4 out of bounds for type 'u_int32_t[4]' (aka 'unsigned int[4]') ``` Found by oss-fuzz See: https://issues.oss-fuzz.com/issues/383911300?pli=1
*	STUN/RTP: improve metadata extraction (#2641)	Ivan Nardi	2024-12-11
\|
*	Added missing check	Luca Deri	2024-12-09
\|
*	STUN: fix monitoring (#2639)	Ivan Nardi	2024-12-06
\|
*	signal: improve detection of chats and calls (#2637)	Ivan Nardi	2024-12-04
\|
*	fix license typo (#2638)	Tina DiPierro	2024-12-04
\|
*	Minor fix	Luca Deri	2024-11-29
\|
*	STUN counter changes	Luca Deri	2024-11-29
\|
*	STUN: improve Whatsapp monitoring (#2635)	Ivan Nardi	2024-11-29
\|
*	Enhanced STUN stats	Luca Deri	2024-11-28
\|
*	Update `flow->flow_multimedia_types` to a bitmask (#2625)	Ivan Nardi	2024-11-25
\| \| \|	In the same flow, we can have multiple multimedia types
*	RTP, STUN: improve detection of multimedia flow type (#2620)	Ivan Nardi	2024-11-19
\| \| \| \|	Let's see if we are able to tell audio from video calls only looking at RTP Payload Type field...
*	Zoom: fix heap-buffer-overflow (#2621)	Ivan Nardi	2024-11-18
\| \| \| \| \| \| \| \| \| \| \| \| \|	``` ================================================================= ==30923==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50400023cc34 at pc 0x591f8b5dd546 bp 0x7ffe5ffc3530 sp 0x7ffe5ffc3528 READ of size 1 at 0x50400023cc34 thread T0 #0 0x591f8b5dd545 in is_sfu_5 /home/ivan/svnrepos/nDPI/src/lib/protocols/zoom.c:146:6 #1 0x591f8b5dda11 in zoom_search_again /home/ivan/svnrepos/nDPI/src/lib/protocols/zoom.c:166:6 #2 0x591f8b22182f in ndpi_process_extra_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:8156:9 #3 0x591f8b236f88 in ndpi_internal_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:8793:5 ``` Found by oss-fuzz See: https://issues.oss-fuzz.com/issues/379072455
*	Heap overflow fix	Luca Deri	2024-11-16
\|
*	Added DICOM support	Luca	2024-11-15
\| \| \| \|	Testing pcaps courtesy of https://github.com/virtalabs/tapirx.git
*	Implemented Mikrotik discovery protocol dissection and metadata extraction ↵	Luca Deri	2024-11-14
\| \| \| \|	(#2618)
*	SIP: extract some basic metadata	Ivan Nardi	2024-11-12
\|
*	SIP: rework detection	Ivan Nardi	2024-11-12
\|
*	Heap-buffer-overflow fix	Luca Deri	2024-11-04
\|
*	HTTP: fix leak and out-of-bound error on credential extraction (#2611)	Ivan Nardi	2024-11-01
\|
*	Added HTTP credentials extraction	Luca Deri	2024-10-31
\|
*	TLS: export heuristic fingerprint as metadata (#2609)	Ivan Nardi	2024-10-28
\|
*	Add Paltalk protocol support (#2606)	Vladimir Gavrilov	2024-10-28
\|
*	STUN: fix monitoring with RTCP flows (#2603)	Ivan Nardi	2024-10-19
\|
*	Added support for RDP over TLS	Luca Deri	2024-10-19
\|
*	STUN: minor fix for RTCP traffic (#2593)	Ivan Nardi	2024-10-15
\|
*	STUN: if the same metadata is found multiple times, keep the first value (#2591)	Ivan Nardi	2024-10-15
\|
*	STUN: fix monitoring of Whatsapp and Zoom flows (#2590)	Ivan Nardi	2024-10-15
\|
*	Add monitoring capability (#2588)	Ivan Nardi	2024-10-14
\| \| \| \| \| \| \| \| \| \| \| \| \|	Allow nDPI to process the entire flows and not only the first N packets. Usefull when the application is interested in some metadata spanning the entire life of the session. As initial step, only STUN flows can be put in monitoring. See `doc/monitoring.md` for further details. This feature is disabled by default. Close #2583
*	Fixed JA4 invalid computation due to code bug and uninitialized values	Luca Deri	2024-10-13
\|
*	Added sonos dissector	Luca Deri	2024-10-13
\|
*	Added support for printing JA4r when enabled	Luca Deri	2024-10-11
\|
*	Implemented (disabled by default) DNS host cache. You can set the cache size ↵	Luca Deri	2024-10-07
\| \| \| \| \| \| \| \| \| \|	as follows: ndpiReader --cfg=dpi.address_cache_size,1000 -i <pcap>.pcap In the above example the cache has up to 1000 entries. In jcase ndpiReader exports data in JSON, the cache hostname (if found) is exported in the field server_hostname