| Commit message (Collapse) | Author | Age |
|
|
| |
Close #2540
|
| |
|
|
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(TLS/QUIC/HTTP) whose hostname
was not previously resolved via DNS.
Added new API calls
- bool ndpi_cache_hostname_ip(struct ndpi_detection_module_struct *ndpi_struct, ndpi_ip_addr_t *ip_addr, char *hostname);
- bool ndpi_cache_find_hostname_ip(struct ndpi_detection_module_struct *ndpi_struct, ndpi_ip_addr_t *ip_addr, char *hostname);
- void ndpi_cache_hostname_ip_swap(struct ndpi_detection_module_struct *ndpi_struct);
Usage example:
- ./example/ndpiReader --cfg hostname_dns_check,1 -i tests/pcap/netflix.pcap
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The idea is to remove the limitation of only two protocols ("master" and
"app") in the flow classifcation.
This is quite handy expecially for STUN flows and, in general, for any
flows where there is some kind of transitionf from a cleartext protocol
to TLS: HTTP_PROXY -> TLS/Youtube; SMTP -> SMTPS (via STARTTLS msg).
In the vast majority of the cases, the protocol stack is simply
Master/Application.
Examples of real stacks (from the unit tests) different from the standard
"master/app":
* "STUN.WhatsAppCall.SRTP": a WA call
* "STUN.DTLS.GoogleCall": a Meet call
* "Telegram.STUN.DTLS.TelegramVoip": a Telegram call
* "SMTP.SMTPS.Google": a SMTP connection to Google server started in
cleartext and updated to TLS
* "HTTP.Google.ntop": a HTTP connection to a Google domain (match via
"Host" header) and to a ntop server (match via "Server" header)
The logic to create the stack is still a bit coarse: we have a decade of
code try to push everything in only ywo protocols... Therefore, the
content of the stack is still **highly experimental** and might change
in the next future; do you have any suggestions?
It is quite likely that the legacy fields "master_protocol" and
"app_protocol" will be there for a long time.
Add some helper to use the stack:
```
ndpi_stack_get_upper_proto();
ndpi_stack_get_lower_proto();
bool ndpi_stack_contains(struct ndpi_proto_stack *s, u_int16_t proto_id);
bool ndpi_stack_is_tls_like(struct ndpi_proto_stack *s);
bool ndpi_stack_is_http_like(struct ndpi_proto_stack *s);
```
Be sure new stack logic is compatible with legacy code:
```
assert(ndpi_stack_get_upper_proto(&flow->detected_protocol.protocol_stack) ==
ndpi_get_upper_proto(flow->detected_protocol));
assert(ndpi_stack_get_lower_proto(&flow->detected_protocol.protocol_stack) ==
ndpi_get_lower_proto(flow->detected_protocol));
```
|
|
|
| |
Close #2922
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Fix JA4 ALPN fingerprint to use first and last characters
According to the JA4 specification (line 2139), the ALPN field should
contain the first and last characters of the first ALPN extension value.
Currently, nDPI uses the first and second characters (alpn[0] and alpn[1]),
which produces incorrect fingerprints that don't match other JA4
implementations like Wireshark.
For example, with ALPN 'http/1.1':
- Current (incorrect): 'ht' (first + second char)
- Fixed (correct): 'h1' (first + last char)
This change ensures nDPI's JA4 implementation conforms to the official
specification and maintains interoperability with other JA4 tools.
Fixes: Incorrect JA4 ALPN fingerprint generation
* Fix JA4 ALPN implementation to correctly parse first ALPN protocol
The previous fix attempted to use strlen(ja->client.alpn)-1 but this was
insufficient because nDPI modifies the ALPN string by:
1. Adding null terminators that truncate the last character
2. Converting semicolons to dashes, affecting multi-protocol ALPNs
This complete fix:
- Adds alpn_original_last field to store the true last character
- Captures the last character of the FIRST ALPN protocol only (before ;/,)
- Preserves the original character before nDPI's string modifications
Now correctly implements JA4 spec: first + last characters of first ALPN protocol
Examples:
- ALPN 'h2;http/1.1' -> 'h2' (not 'h.' or 'h1')
- ALPN 'http/1.1' -> 'h1' (not 'ht' or 'h.')
Fixes: #2914
* Fix JA4 SNI detection to properly handle missing SNI extensions
Previously, nDPI incorrectly set JA4 SNI flag to 'd' (domain present) for
flows without any SNI extension. This was because the logic only checked
for NDPI_NUMERIC_IP_HOST risk (set when SNI contains IP) but didn't
distinguish between missing SNI and domain SNI.
Now properly detects:
- No SNI extension → 'i' flag
- SNI with IP address → 'i' flag
- SNI with domain → 'd' flag
This matches the JA4 specification.
|
|
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
|
|
|
| |
Fix: b07a910dc
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
- AdultContent -> Category Adult Content
- LLM -> Category Artificial Intelligence
|
|
|
| |
GLBP is a Cisco proprietary first-hop redundancy protocol similar to HSRP and VRRP, but with additional load balancing capabilities.
|
| |
|
|
|
|
| |
direction
|
| |
|
|
|
|
| |
PCRE2 is now enabled (if present) by default as necessary to report some HTTP risks
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We want to get rid of the defines `NDPI_MAX_SUPPORTED_PROTOCOLS` and
`NDPI_MAX_NUM_CUSTOM_PROTOCOLS`.
You can use:
```
ndpi_get_num_protocols()
```
See #2136
Removed some unused functions from public API
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`ndpi_set_protocol_detection_bitmask2()` (#2853)
The main goal is not to have the bitmask depending on the total number
of protocols anymore: `NDPI_INTERNAL_PROTOCOL_BITMASK` depends only on
internal protocols, i.e. on `NDPI_MAX_INTERNAL_PROTOCOLS`, i.e.
custom-defined protocols are not counted.
See #2136
Keep the old data structure `NDPI_PROTOCOL_BITMASK` with the old
semantic.
Since we need to change the API (and all the application code...)
anyway, simplify the API: by default all the protocols are enabled.
If you need otherwise, please use `ndpi_init_detection_module_ext()`
instead of `ndpi_init_detection_module()` (you can find an example in
the `ndpiReader` code).
To update the application code you likely only need to remove these 3
lines from your code:
```
- NDPI_PROTOCOL_BITMASK all;
- NDPI_BITMASK_SET_ALL(all);
- ndpi_set_protocol_detection_bitmask2(ndpi_str, &all);
```
Removed an unused field and struct definition.
|
| |
|
|
|
|
|
|
| |
We should be able to identified this protocol on the first packet,
without keeping any state
Close #2745
|
|
|
| |
See #2827
|
|
|
| |
Close #2807
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We use `registr_dissector()` instead of
`ndpi_set_bitmask_protocol_detection()`.
Every file in `src/lib/protocols/*.c` is a dissector.
Every dissector can handle multiple protocols.
The real goal is this small change:
```
struct call_function_struct {
- NDPI_PROTOCOL_BITMASK detection_bitmask;
```
i.e. getting rid of another protocol bitmask: this is mandatory to try
to fix #2136 (see also e845e8205b68752c997d05224d8b2fd45acde714)
As a nice side effect, we remove a bitmask comparison in the hot function
`check_ndpi_detection_func()`
TODO: change logging configuration from per-protocol to per-dissector
|
| |
|
| |
|
|
|
|
| |
IPP is identified *only* as HTTP subprotocol, so it can't be over UDP
(HTTP is only over TCP...)
|
|
|
| |
Co-authored-by: Ivan Nardi <nardi.ivan@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Don't use the same id for the same protocol identified via L3 info or
via standard TCP/UDP detection (example: ospf ip_proto 0x59 or TCP port
2604)
Before:
```
ivan@ivan-Precision-3591:~/svnrepos/nDPI(dev)$ ./example/ndpiReader -H | grep -wE 'OSPF|IPSec|AH|ESP|IP_OSPF'
79 79 IPSec UDP X Safe VPN 500,4500 500
85 85 OSPF X Acceptable Network - 2604
```
After:
```
ivan@ivan-Precision-3591:~/svnrepos/nDPI(ospf-ipsec)$ ./example/ndpiReader -H | grep -wE 'OSPF|IPSec|AH|ESP|IP_OSPF'
79 79 IPSec UDP X Safe VPN 500,4500 500
85 85 IP_OSPF X Acceptable Network - -
116 116 AH X Safe VPN - -
117 117 ESP X Safe VPN - -
184 184 OSPF TCP X Safe Network - 2604
```
|
| |
|
| |
|
| |
|
| |
|
|
|
| |
Close #2818
|
|
|
|
|
| |
* Removed dupe extension
* Removed ECH from suspicious extensions
|
| |
|
|
|
|
| |
This is the first, tiny, step into a better separation between
"protocols" and "dissectors"
|
| |
|
| |
|
| |
|
| |
|