aboutsummaryrefslogtreecommitdiff
path: root/src/lib/protocols
Commit message (Collapse)AuthorAge
* HSRP: fix dissection over IPv6 (#1443)Ivan Nardi2022-02-10
| | | Handle all message types.
* HSRP: add support for IPv6 (#1440)Ivan Nardi2022-02-09
|
* Added VXLAN dissector (#1439)Dmytrii Vitman2022-02-09
| | | * RFC 7348
* Added HSRP protocol detectionLuca Deri2022-02-08
| | | | Removed attic directory now obsolete
* Added check to ignore multicast packets marking the as SkypeLuca Deri2022-02-08
|
* Improved MDNS/LLMNR detection. (#1437)Toni2022-02-07
| | | | | | * Checking for port 5353/5355 is not enough. * Added additional multicast address and header checks. Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* TLS: fix parsing of certificate elements (#1435)Ivan Nardi2022-02-07
| | | | | | | | | | | | | | Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44280 ``` ==263603==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x592478 in ndpi_is_printable_string ndpi/src/lib/ndpi_utils.c:2200:9 #1 0x5b047c in processCertificateElements ndpi/src/lib/protocols/tls.c:400:7 #2 0x5ac880 in processCertificate ndpi/src/lib/protocols/tls.c:790:7 #3 0x5c3a32 in processTLSBlock ndpi/src/lib/protocols/tls.c:844:13 #4 0x5c2c61 in ndpi_search_tls_tcp ndpi/src/lib/protocols/tls.c:973:2 #5 0x5c117d in ndpi_search_tls_wrapper ndpi/src/lib/protocols/tls.c:2367:5 #6 0x552a50 in check_ndpi_detection_func ndpi/src/lib/ndpi_main.c:4792:6 ```
* Added NDPI_ERROR_CODE_DETECTED riskLuca Deri2022-02-03
|
* Renamed DCERPC to more generic RPC protocol so we can use also for other ↵Luca Deri2022-02-03
| | | | | | | types of RPCs (not limited to DCE) Extended HTTP plugin to support RPC Improved HTTP crear text detection to limit it to Basic and Digest
* Remove `struct ndpi_id_struct` (#1427)Ivan Nardi2022-01-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | Remove the last uses of `struct ndpi_id_struct`. That code is not really used and it has not been updated for a very long time: see #1279 for details. Correlation among flows is achieved via LRU caches. This change allows to further reduce memory consumption (see also 91bb77a8). At nDPI 4.0 (more precisly, at a6b10cf, because memory stats were wrong until that commit): ``` nDPI Memory statistics: nDPI Memory (once): 221.15 KB Flow Memory (per flow): 2.94 KB ``` Now: ``` nDPI Memory statistics: nDPI Memory (once): 235.27 KB Flow Memory (per flow): 688 B <-------- ``` i.e. memory usage per flow has been reduced by 77%. Close #1279
* Extend protocols support (#1422)Ivan Nardi2022-01-29
| | | | | | | | | | | | | | | | | | Add detection of AccuWeather site/app and Google Classroom. Improve detection of Azure, Zattoo, Whatsapp, MQTT and LDAP. Fix some RX false positives. Fix some "Uncommon TLS ALPN"-risk false positives. Fix "confidence" value for some Zoom/Torrent classifications. Minor fix in Lua script for Wireshark extcap. Update .gitignore file. Let GitHub correctly detect the language type of *.inc files. Zattoo example has been provided by @subhajit-cdot in #1148.
* Make some protocols more "big-endian" friendly (#1402)Ivan Nardi2022-01-29
| | | See #1312
* Kerberos, TLS, example: fix some memory errors (#1419)Ivan Nardi2022-01-27
| | | | | | Detected by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43823 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43921 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43925
* Added NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE flow riskLuca Deri2022-01-26
| | | | Added ndpi_set_tls_cert_expire_days() API call to modify the number of days for triggering the above alert that by default is set to 30 days
* Improved Zoom protocol detectionLuca Deri2022-01-23
|
* Fix Grease values parsing (#1416)havsah2022-01-21
| | | | | | | | | | | The check for grease was too broad and filtered some valid values. In particular, the value 257 was skipped because it matched the previous check. This has been discovered while parsing tests/pcap/443-firefox.pcap expected ja3: 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-51-57-47-53-10,0-23-65281-10-11-35-16-5-51-43-13-45-28-21,29-23-24-25-256-257,0 previously generated ja3: 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-51-57-47-53-10,0-23-65281-10-11-35-16-5-51-43-13-45-28-21,29-23-24-25-256,0 Signed-off-by: Patrick Havelange <patrick.havelange_ext@softathome.com>
* Fixed certificate mismatch checkLuca Deri2022-01-19
|
* TLS, H323, examples: fix some memory errors (#1414)Ivan Nardi2022-01-18
| | | | | | | Detected by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26880 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26906 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43782 https://oss-fuzz.com/testcase-detail/6334089358082048
* Netbios, CSGO: fix two memory errors (#1413)Ivan Nardi2022-01-18
| | | | | Detected by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43754 https://oss-fuzz.com/testcase-detail/5329842395021312
* H323: fix a use-after-poison error (#1412)Ivan Nardi2022-01-17
| | | | | | | Detected by oss-fuzz See: https://oss-fuzz.com/testcase-detail/6730505580576768 Fix a function prototype Update a unit test results
* TLS: fix a use-of-uninitialized-value error (#1411)Ivan Nardi2022-01-16
| | | | Detected by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43705
* Zattoo: fix Null-dereference READ with ipv6 traffic (#1410)Ivan Nardi2022-01-16
| | | | | Fix: 20b5f6d7 Detected by oss-fux: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43700
* XBox, Diameter: fix dissectors initialization (#1405)Ivan Nardi2022-01-16
| | | | | | | | These dissectors have *never* been triggered because their registration functions use the wrong parameter/bitmask. Diameter code is buggy since the origianl commit (1d108234), while XBox code since 5266c726. Fix some false positives in Xbox code.
* Kerberos: fix use-of-uninitialized-value error (#1409)Ivan Nardi2022-01-15
| | | | Detected by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43677
* TLS: fix heap-buffer-overflow error (#1408)Ivan Nardi2022-01-15
| | | | Detected by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43664
* STUN: fix "confidence" value for some classifications (#1407)Ivan Nardi2022-01-15
|
* Improve IPv6 support, enabling IPv6 traffic on (almost) all dissectors. (#1406)Ivan Nardi2022-01-15
| | | Follow-up of 7cba34a1
* Added the ability to specify trusted issueDN often used in companies to ↵Luca Deri2022-01-13
| | | | | | | | | | | self-signed certificates This allows to avoid triggering alerts for trusted albeit private certificate issuers. Extended the example/protos.txt with the new syntax for specifying trusted issueDN. Example: trusted_issuer_dn:"CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US"
* Added EthernetIP dissectorLuca Deri2022-01-12
|
* Fix two use-of-uninitialized-value errors (#1398)Ivan Nardi2022-01-12
| | | | | | | Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40269 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41432 Fix fuzz compilation (follow-up of f5545a80)
* QUIC: fix an integer overflow (#1396)Ivan Nardi2022-01-11
| | | | | | | | | | | | | | | | | Reported by oss-fuzz: ``` ==685288==ERROR: AddressSanitizer: SEGV on unknown address 0x61a100000687 (pc 0x0000005aba64 bp 0x7ffe3f29f510 sp 0x7ffe3f29f400 T0) ==685288==The signal is caused by a READ memory access. SCARINESS: 20 (wild-addr-read) #0 0x5aba64 in quic_len ndpi/src/lib/protocols/quic.c:203:12 #1 0x5aba64 in decrypt_initial_packet ndpi/src/lib/protocols/quic.c:993:16 #2 0x5aba64 in get_clear_payload ndpi/src/lib/protocols/quic.c:1302:21 #3 0x5aba64 in ndpi_search_quic ndpi/src/lib/protocols/quic.c:1658:19 #4 0x579f00 in check_ndpi_detection_func ndpi/src/lib/ndpi_main.c:4683:6 #5 0x57abe6 in ndpi_check_flow_func ndpi/src/lib/ndpi_main.c:0 #6 0x583b2c in ndpi_detection_process_packet ndpi/src/lib/ndpi_main.c:5545:15 #7 0x55e75e in LLVMFuzzerTestOneInput ndpi/fuzz/fuzz_process_packet.c:30:3 [...] ```
* Add a "confidence" field about the reliability of the classification. (#1395)Ivan Nardi2022-01-11
| | | | | | | | | | | | | As a general rule, the higher the confidence value, the higher the "reliability/precision" of the classification. In other words, this new field provides an hint about "how" the flow classification has been obtained. For example, the application may want to ignore classification "by-port" (they are not real DPI classifications, after all) or give a second glance at flows classified via LRU caches (because of false positives). Setting only one value for the confidence field is a bit tricky: more work is probably needed in the next future to tweak/fix/improve the logic.
* Improved user agent analysisLuca Deri2022-01-09
|
* GTP: fix some false positives (#1394)Ivan Nardi2022-01-08
|
* Remove some unused fields (#1393)Ivan Nardi2022-01-08
|
* Invalid checkLuca Deri2022-01-06
|
* Update copyrightAlfredo Cardigliano2022-01-03
|
* Added support for Log4J/Log4Shell detection in nDPI via a new flow risk ↵Luca Deri2021-12-23
| | | | named NDPI_POSSIBLE_EXPLOIT
* A final(?) effort to reduce memory usage per flow (#1389)Ivan Nardi2021-12-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Remove some unused fields and re-organize other ones. In particular: * Update the parameters of `ndpi_ssl_version2str()` function * Zattoo, Thunder: these timestamps aren't really used. * Ftp/mail: these protocols are dissected only over TCP. * Attention must be paid to TLS.Bittorrent flows to avoid invalid read/write to `flow->protos.bittorrent.hash` field. This is the last(?) commit of a long series (see 22241a1d, 227e586e, 730c2360, a8ffcd8b) aiming to reduce library memory consumption. Before, at nDPI 4.0 (more precisly, at a6b10cf7, because memory stats were wrong until that commit): ``` nDPI Memory statistics: nDPI Memory (once): 221.15 KB Flow Memory (per flow): 2.94 KB ``` Now: ``` nDPI Memory statistics: nDPI Memory (once): 231.71 KB Flow Memory (per flow): 1008 B <--------- ``` i.e. memory usage per flow has been reduced by 66%, dropping below the psychological threshold of 1 KB. To further reduce this value, we probably need to look into #1279: let's fight this battle another day.
* Improved bittorrent heuristicLuca Deri2021-12-21
|
* Improve/add several protocols (#1383)Ivan Nardi2021-12-18
| | | | | | | | | | | | | | | | | | | Improve Microsoft, GMail, Likee, Whatsapp, DisneyPlus and Tiktok detection. Add Vimeo, Fuze, Alibaba and Firebase Crashlytics detection. Try to differentiate between Messenger/Signal standard flows (i.e chat) and their VOIP (video)calls (like we already do for Whatsapp and Snapchat). Add a partial list of some ADS/Tracking stuff. Fix Cassandra, Radius and GTP false positives. Fix DNS, Syslog and SIP false negatives. Improve GTP (sub)classification: differentiate among GTP-U, GTP_C and GTP_PRIME. Fix 3 LGTM warnings.
* TLS: add support for IPV6 in Subject Alt Names field (#1385)Ivan Nardi2021-12-18
|
* TLS: fix usage of certificate cache (#1384)Ivan Nardi2021-12-18
|
* Improved bittorrent detectionLuca Deri2021-12-17
|
* QUIC: fix old versions of GQUIC on big-endian machines (#1387)Ivan Nardi2021-12-17
| | | Credits to @viniciussn (see #1312)
* Improved BitTorrent classificationLuca Deri2021-12-07
|
* Fixed issue that prevented alt certificate names to be fully detected when ↵Luca Deri2021-12-07
| | | | ipAddress and rfc822Name were specified in certificates
* Improve IPv6 support, enabling IPv6 traffic on (almost) all dissectors. (#1380)Ivan Nardi2021-12-04
| | | | | | | | | | | There are no valid reasons for a (generic) protocol to ignore IPv6 traffic. Note that: * I have not found the specifications of "CheckPoint High Availability Protocol", so I don't know how/if it supports IPv6 * all LRU caches are still IPv4 only Even if src_id/dst_id stuff is probably useless (see #1279), the right way to update the protocol classification is via `ndpi_set_detected_protocol()`
* QUIC: add support for QUICv2 (draft 00) (#1379)Ivan Nardi2021-12-04
| | | | It is already time to start looking at the new QUIC version. See: https://datatracker.ietf.org/doc/html/draft-ietf-quic-v2-00
* HTTP proxy improvementLuca Deri2021-11-25
|
Powered by cgit, Themed by Ted Yin.