aboutsummaryrefslogtreecommitdiff
path: root/src/lib/protocols
Commit message (Collapse)AuthorAge
* Telegram STUN improvementLuca Deri2024-12-13
|
* DNS: fix Index-out-of-bounds error (#2644)Ivan Nardi2024-12-13
| | | | | | | | | | | | | ``` Running: /home/ivan/Downloads/clusterfuzz-testcase-minimized-fuzz_ndpi_reader_pl7m_simplest_internal-5759495480868864 protocols/dns.c:482:5: runtime error: index 4 out of bounds for type 'u_int8_t[4]' (aka 'unsigned char[4]') SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior protocols/dns.c:482:5 protocols/dns.c:483:5: runtime error: index 4 out of bounds for type 'u_int32_t[4]' (aka 'unsigned int[4]') SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior protocols/dns.c:483:5 protocols/dns.c:490:12: runtime error: index 4 out of bounds for type 'u_int32_t[4]' (aka 'unsigned int[4]') ``` Found by oss-fuzz See: https://issues.oss-fuzz.com/issues/383911300?pli=1
* STUN/RTP: improve metadata extraction (#2641)Ivan Nardi2024-12-11
|
* Added missing checkLuca Deri2024-12-09
|
* STUN: fix monitoring (#2639)Ivan Nardi2024-12-06
|
* signal: improve detection of chats and calls (#2637)Ivan Nardi2024-12-04
|
* fix license typo (#2638)Tina DiPierro2024-12-04
|
* Minor fixLuca Deri2024-11-29
|
* STUN counter changesLuca Deri2024-11-29
|
* STUN: improve Whatsapp monitoring (#2635)Ivan Nardi2024-11-29
|
* Enhanced STUN statsLuca Deri2024-11-28
|
* Update `flow->flow_multimedia_types` to a bitmask (#2625)Ivan Nardi2024-11-25
| | | In the same flow, we can have multiple multimedia types
* RTP, STUN: improve detection of multimedia flow type (#2620)Ivan Nardi2024-11-19
| | | | Let's see if we are able to tell audio from video calls only looking at RTP Payload Type field...
* Zoom: fix heap-buffer-overflow (#2621)Ivan Nardi2024-11-18
| | | | | | | | | | | | | ``` ================================================================= ==30923==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50400023cc34 at pc 0x591f8b5dd546 bp 0x7ffe5ffc3530 sp 0x7ffe5ffc3528 READ of size 1 at 0x50400023cc34 thread T0 #0 0x591f8b5dd545 in is_sfu_5 /home/ivan/svnrepos/nDPI/src/lib/protocols/zoom.c:146:6 #1 0x591f8b5dda11 in zoom_search_again /home/ivan/svnrepos/nDPI/src/lib/protocols/zoom.c:166:6 #2 0x591f8b22182f in ndpi_process_extra_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:8156:9 #3 0x591f8b236f88 in ndpi_internal_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:8793:5 ``` Found by oss-fuzz See: https://issues.oss-fuzz.com/issues/379072455
* Heap overflow fixLuca Deri2024-11-16
|
* Added DICOM supportLuca2024-11-15
| | | | Testing pcaps courtesy of https://github.com/virtalabs/tapirx.git
* Implemented Mikrotik discovery protocol dissection and metadata extraction ↵Luca Deri2024-11-14
| | | | (#2618)
* SIP: extract some basic metadataIvan Nardi2024-11-12
|
* SIP: rework detectionIvan Nardi2024-11-12
|
* Heap-buffer-overflow fixLuca Deri2024-11-04
|
* HTTP: fix leak and out-of-bound error on credential extraction (#2611)Ivan Nardi2024-11-01
|
* Added HTTP credentials extractionLuca Deri2024-10-31
|
* TLS: export heuristic fingerprint as metadata (#2609)Ivan Nardi2024-10-28
|
* Add Paltalk protocol support (#2606)Vladimir Gavrilov2024-10-28
|
* STUN: fix monitoring with RTCP flows (#2603)Ivan Nardi2024-10-19
|
* Added support for RDP over TLSLuca Deri2024-10-19
|
* STUN: minor fix for RTCP traffic (#2593)Ivan Nardi2024-10-15
|
* STUN: if the same metadata is found multiple times, keep the first value (#2591)Ivan Nardi2024-10-15
|
* STUN: fix monitoring of Whatsapp and Zoom flows (#2590)Ivan Nardi2024-10-15
|
* Add monitoring capability (#2588)Ivan Nardi2024-10-14
| | | | | | | | | | | | | Allow nDPI to process the entire flows and not only the first N packets. Usefull when the application is interested in some metadata spanning the entire life of the session. As initial step, only STUN flows can be put in monitoring. See `doc/monitoring.md` for further details. This feature is disabled by default. Close #2583
* Fixed JA4 invalid computation due to code bug and uninitialized valuesLuca Deri2024-10-13
|
* Added sonos dissectorLuca Deri2024-10-13
|
* Added support for printing JA4r when enabledLuca Deri2024-10-11
|
* Implemented (disabled by default) DNS host cache. You can set the cache size ↵Luca Deri2024-10-07
| | | | | | | | | | as follows: ndpiReader --cfg=dpi.address_cache_size,1000 -i <pcap>.pcap In the above example the cache has up to 1000 entries. In jcase ndpiReader exports data in JSON, the cache hostname (if found) is exported in the field server_hostname
* Add DingTalk protocol support (#2581)Vladimir Gavrilov2024-10-07
|
* Exports DNS A/AAAA responses (up to 4 addresses)Luca2024-10-02
| | | | Changed the default to IPv4 (used to be IPv6) in case of DNS error response
* TLS: detect abnormal padding usage (#2579)Ivan Nardi2024-10-01
| | | | Padding is usually some hundreds byte long. Longer padding might be used as obfuscation technique to force unusual CH fragmentation
* TLS: heuristics: fix memory allocations (#2577)Ivan Nardi2024-09-30
| | | | Allocate heuristics state only if really needed. Fix memory leak (it happened with WebSocket traffic on port 443)
* Added check for avoiding heap buffer overflowsLuca Deri2024-09-28
|
* Add some heuristics to detect encrypted/obfuscated/proxied TLS flows (#2553)Ivan Nardi2024-09-24
| | | | | | | | | | | | Based on the paper: "Fingerprinting Obfuscated Proxy Traffic with Encapsulated TLS Handshakes". See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting Basic idea: * the packets/bytes distribution of a TLS handshake is quite unique * this fingerprint is still detectable if the handshake is encrypted/proxied/obfuscated All heuristics are disabled by default.
* Added Sonos protocol detectionLuca Deri2024-09-24
|
* TLS: improve handling of Change Cipher message (#2564)Ivan Nardi2024-09-23
|
* Replaced traces with debug messagesLuca Deri2024-09-20
|
* Tls out of order (#2561)Ivan Nardi2024-09-18
| | | | | | | | | | | | * Revert "Added fix for handling Server Hello before CLient Hello" This reverts commit eb15b22e7757cb70894fdcde440e62bc40f22df1. * TLS: add some tests with unidirectional traffic * TLS: another attempt to process CH received after the SH Obviously, we will process unidirectional traffic longer, because we are now waiting for messages in both directions
* Added fix for handling Server Hello before CLient HelloLuca2024-09-17
|
* OpenVPN: heuristic: add a simple check to avoid false positives (#2560)Ivan Nardi2024-09-17
| | | We should have too big packets during the initial handshake
* dns: add a check before setting `NDPI_MALFORMED_PACKET` risk (#2558)Ivan Nardi2024-09-16
| | | | | | "Invalid DNS Header"-risk should be set only if the flow has been already classified as DNS. Otherwise, almost any non-DNS flows on port 53 will end up having the `NDPI_MALFORMED_PACKET` risk set, which is a little bit confusing for non DNS traffic
* Add an heuristic to detect encrypted/obfuscated OpenVPN flows (#2547)Ivan Nardi2024-09-16
| | | | | | | | | | | | Based on the paper: "OpenVPN is Open to VPN Fingerprinting" See: https://www.usenix.org/conference/usenixsecurity22/presentation/xue-diwen Basic idea: * the distribution of the first byte of the messages (i.e. the distribution of the op-codes) is quite unique * this fingerprint might be still detectable even if the OpenVPN packets are somehow fully encrypted/obfuscated The heuristic is disabled by default.
* TLS: fix stack-buffer-overflowNardi Ivan2024-09-16
| | | | | | | | | | | | | | | | | | | | | ``` SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior protocols/tls.c:1812:22 ================================================================= ==97754==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ba835bde8e5 at pc 0x557ebb644241 bp 0x7ffec04b0ea0 sp 0x7ffec04b0648 WRITE of size 7 at 0x7ba835bde8e5 thread T0 #0 0x557ebb644240 in vsnprintf (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x6bf240) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f) #1 0x557ebb645b1d in snprintf (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x6c0b1d) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f) #2 0x557ebb749dbc in ndpi_compute_ja4 /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:1812:12 #3 0x557ebb7445a7 in processClientServerHello /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:2946:10 #4 0x557ebb7073c9 in process_tls /home/ivan/svnrepos/nDPI/src/lib/protocols/quic.c:1397:3 #5 0x557ebb6ff815 in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data.c:46:7 #6 0x557ebb602dcb in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x67ddcb) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f) #7 0x557ebb5ecea8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x667ea8) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f) #8 0x557ebb5f299a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x66d99a) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f) #9 0x557ebb61c482 in main (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x697482) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f) #10 0x7fa837e27082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16 #11 0x557ebb5e7b5d in _start (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x662b5d) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f) ```
* dhcp: fix out of bounds accesNardi Ivan2024-09-16
|