aboutsummaryrefslogtreecommitdiff
path: root/src/lib/protocols
Commit message (Collapse)AuthorAge
* Explicit cast Referer / Host line to the type `ndpi_strnstr(...)` expects ↵HEADdevToni Uhlig2025-01-25
| | | | | | (unsigned char -> char) Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Extracted http host and referer metadata (http protocol)Luca Deri2025-01-24
|
* RTP: improve detection of multimedia type for Signal calls (#2697)Ivan Nardi2025-01-24
|
* Unify "Skype" and "Teams" ids (#2687)Ivan Nardi2025-01-20
| | | | | | * Rename `NDPI_PROTOCOL_SKYPE_TEAMS_CALL` -> `NDPI_PROTOCOL_MSTEAMS_CALL` * Rename ip list from "Skype/Teams" to "Teams"
* OpenVPN: fix a warning (#2686)Ivan Nardi2025-01-19
| | | | | | ``` protocols/openvpn.c:378:11: error: variable 'iter' set but not used [-Werror,-Wunused-but-set-variable] 378 | int rc, iter, offset; ```
* JA4: Fix SSL 2 version and remove fictional SSL 1 version along with ↵Daniel Roethlisberger2025-01-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | mis-mapping to s3 (#2684) * JA4: Fix SSL 2 version constant to 0x0002 SSL 2 uses a version field of 0x0002, not 0x0200. This is confirmed not only in the original Netscape spec [1] and RFC draft of the time [2], but also in major implementations such as OpenSSL [3] and Wireshark [4]. An earlier version of the JA4 spec [5] also mistakenly used 0x0200 for SSL 2 and 0x0100 for SSL 1. This was fixed in [6] in August 2024. [1] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html [2] https://datatracker.ietf.org/doc/html/draft-hickman-netscape-ssl-00 [3] https://github.com/openssl/openssl/blob/OpenSSL_0_9_6m/ssl/ssl2.h#L66-L71 [4] https://github.com/wireshark/wireshark/blob/release-4.4/epan/dissectors/packet-tls-utils.h#L266-L277 [5] https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md#tls-and-dtls-version [6] FoxIO-LLC/ja4#150 * JA4: Remove fictional (and mis-mapped to "s3") SSL 1 SSL 1 was never actually deployed, the design was iterated upon to become SSL 2 before it was released by Netscape [1] [2] [3] [4]. I don't think it's public knowledge what the version field for SSL 1 would have looked like, or if it even was two bytes large or at the same offset on the wire; given that SSL 2 used 0x0002 it seems more likely to have been 0x0001 than 0x0100. Version field 0x0100, that is currently misattributed to SSL 1, was used by an early pre-RFC4347 implementation of DTLS in OpenSSL before 0.9.8f [5], when OpenSSL switched to the version field specified by RFC4347. This use of 0x0100 is also reflected in Wireshark's TLS dissector [4] (`DTLSV1DOT0_OPENSSL_VERSION`). For these reasons, it seems to make sense to remove the fictional SSL 1 code entirely. This also removes an issue where the resulting JA4 string would be "s3" instead of the intended "s1". An earlier version of the JA4 spec [6] also mistakenly used 0x0200 for SSL 2 and 0x0100 for SSL 1. This was fixed in [7] in August 2024. [1] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html [2] https://datatracker.ietf.org/doc/html/draft-hickman-netscape-ssl-00 [3] https://github.com/openssl/openssl/blob/OpenSSL_0_9_6m/ssl/ssl2.h#L66-L71 [4] https://github.com/wireshark/wireshark/blob/release-4.4/epan/dissectors/packet-tls-utils.h#L266-L277 [5] https://github.com/openssl/openssl/compare/OpenSSL_0_9_8e...OpenSSL_0_9_8f [6] https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md#tls-and-dtls-version [7] FoxIO-LLC/ja4#150 * Fix tests where old DTLS (0x0100) was mis-identified as SSL 3.0 These two tests contain DTLS flows using a version field of 0x0100 as used by OpenSSL pre 0.9.8f, before OpenSSL switched to the standardised version code points for its DTLS implementation. The correct JA4 mapping is "d00", not "ds3".
* Renamed ips_match to ndpi_ips_matchLuca Deri2025-01-17
|
* Improved DICOM detectionLuca Deri2025-01-17
|
* STUN: improve detection of Telegram calls (#2671)Ivan Nardi2025-01-14
|
* TLS: remove JA3C (#2679)Ivan Nardi2025-01-14
| | | | | | | | Last step of removing JA3C fingerprint Remove some duplicate tests: testing with ja4c/ja3s disabled is already performed by `disable_metadata_and_flowrisks` configuration. Close:#2551
* Add (kind of) support for loading a list of JA4C malicious fingerprints (#2678)Ivan Nardi2025-01-14
| | | | | | | | | It might be usefull to be able to match traffic against a list of suspicious JA4C fingerprints Use the same code/logic/infrastructure used for JA3C (note that we are going to remove JA3C...) See: #2551
* Fix code scanning alert no. 14: Redundant null check due to previous ↵Luca Deri2025-01-13
| | | | | dereference (#2674) Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Improved WebSocket-over-HTTP detection (#2664)Toni2025-01-11
| | | | | | * detect `chisel` SSH-over-HTTP-WebSocket * use `strncasecmp()` for `LINE_*` matching macros Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* QUIC: remove extraction of user-agent (#2650)Ivan Nardi2025-01-07
| | | | | In very old (G)QUIC versions by Google, the user agent was available on plain text. That is not true anymore, since about end of 2021. See: https://github.com/google/quiche/commit/f282c934f4731a9f4be93409c9f3e8687f0566a7
* Classifications "by-port"/"by-ip" should never change (#2656)Ivan Nardi2025-01-06
| | | Add a new variable to keep track of internal partial classification
* Add the ability to enable/disable every specific flow risks (#2653)Ivan Nardi2025-01-06
|
* QUIC: extract "max idle timeout" parameter (#2649)Ivan Nardi2025-01-06
| | | | | Even if it is only the proposed value by the client (and not the negotiated one), it might be use as hint for timeout by the (external) flows manager
* TLS: fix `NDPI_TLS_WEAK_CIPHER` flow risk (#2647)Ivan Nardi2025-01-06
| | | | We should set it also for "obsolete"/"insecure" ciphers, not only for the "weak" ones.
* TLS: remove ESNI support (#2648)Ivan Nardi2025-01-06
| | | | | ESNI has been superseded by ECH for years, now. See: https://blog.cloudflare.com/encrypted-client-hello/ Set the existing flow risk if we still found this extension.
* SSH: fix how the flow risk is set (#2652)Ivan Nardi2025-01-06
| | | We should use the existing helper
* Path of Exile 2 support (#2654)Vladimir Gavrilov2025-01-06
|
* Imporoved SMBv1 heuristic to avoid triggering risks for SMBv1 broadcast ↵Luca Deri2025-01-03
| | | | messages when used to browse (old) network devices
* Telegram STUN improvementLuca Deri2024-12-13
|
* DNS: fix Index-out-of-bounds error (#2644)Ivan Nardi2024-12-13
| | | | | | | | | | | | | ``` Running: /home/ivan/Downloads/clusterfuzz-testcase-minimized-fuzz_ndpi_reader_pl7m_simplest_internal-5759495480868864 protocols/dns.c:482:5: runtime error: index 4 out of bounds for type 'u_int8_t[4]' (aka 'unsigned char[4]') SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior protocols/dns.c:482:5 protocols/dns.c:483:5: runtime error: index 4 out of bounds for type 'u_int32_t[4]' (aka 'unsigned int[4]') SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior protocols/dns.c:483:5 protocols/dns.c:490:12: runtime error: index 4 out of bounds for type 'u_int32_t[4]' (aka 'unsigned int[4]') ``` Found by oss-fuzz See: https://issues.oss-fuzz.com/issues/383911300?pli=1
* STUN/RTP: improve metadata extraction (#2641)Ivan Nardi2024-12-11
|
* Added missing checkLuca Deri2024-12-09
|
* STUN: fix monitoring (#2639)Ivan Nardi2024-12-06
|
* signal: improve detection of chats and calls (#2637)Ivan Nardi2024-12-04
|
* fix license typo (#2638)Tina DiPierro2024-12-04
|
* Minor fixLuca Deri2024-11-29
|
* STUN counter changesLuca Deri2024-11-29
|
* STUN: improve Whatsapp monitoring (#2635)Ivan Nardi2024-11-29
|
* Enhanced STUN statsLuca Deri2024-11-28
|
* Update `flow->flow_multimedia_types` to a bitmask (#2625)Ivan Nardi2024-11-25
| | | In the same flow, we can have multiple multimedia types
* RTP, STUN: improve detection of multimedia flow type (#2620)Ivan Nardi2024-11-19
| | | | Let's see if we are able to tell audio from video calls only looking at RTP Payload Type field...
* Zoom: fix heap-buffer-overflow (#2621)Ivan Nardi2024-11-18
| | | | | | | | | | | | | ``` ================================================================= ==30923==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50400023cc34 at pc 0x591f8b5dd546 bp 0x7ffe5ffc3530 sp 0x7ffe5ffc3528 READ of size 1 at 0x50400023cc34 thread T0 #0 0x591f8b5dd545 in is_sfu_5 /home/ivan/svnrepos/nDPI/src/lib/protocols/zoom.c:146:6 #1 0x591f8b5dda11 in zoom_search_again /home/ivan/svnrepos/nDPI/src/lib/protocols/zoom.c:166:6 #2 0x591f8b22182f in ndpi_process_extra_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:8156:9 #3 0x591f8b236f88 in ndpi_internal_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:8793:5 ``` Found by oss-fuzz See: https://issues.oss-fuzz.com/issues/379072455
* Heap overflow fixLuca Deri2024-11-16
|
* Added DICOM supportLuca2024-11-15
| | | | Testing pcaps courtesy of https://github.com/virtalabs/tapirx.git
* Implemented Mikrotik discovery protocol dissection and metadata extraction ↵Luca Deri2024-11-14
| | | | (#2618)
* SIP: extract some basic metadataIvan Nardi2024-11-12
|
* SIP: rework detectionIvan Nardi2024-11-12
|
* Heap-buffer-overflow fixLuca Deri2024-11-04
|
* HTTP: fix leak and out-of-bound error on credential extraction (#2611)Ivan Nardi2024-11-01
|
* Added HTTP credentials extractionLuca Deri2024-10-31
|
* TLS: export heuristic fingerprint as metadata (#2609)Ivan Nardi2024-10-28
|
* Add Paltalk protocol support (#2606)Vladimir Gavrilov2024-10-28
|
* STUN: fix monitoring with RTCP flows (#2603)Ivan Nardi2024-10-19
|
* Added support for RDP over TLSLuca Deri2024-10-19
|
* STUN: minor fix for RTCP traffic (#2593)Ivan Nardi2024-10-15
|
* STUN: if the same metadata is found multiple times, keep the first value (#2591)Ivan Nardi2024-10-15
|