aboutsummaryrefslogtreecommitdiff
path: root/src/lib
Commit message (Collapse)AuthorAge
* Added extra checkLuca Deri2021-10-07
|
* Fix compilation with clang-13 or if some debug macros are enabled (#1326)Ivan Nardi2021-10-06
|
* Added checkLuca Deri2021-10-06
|
* Compilation fix for old Linux distributionsLuca Deri2021-10-06
|
* Compilation fixLuca Deri2021-10-05
|
* Numeric IPs are not considered for DGA checksLuca Deri2021-10-05
|
* Improved DGA detection for skipping potential DGAs of known/popular domain namesLuca Deri2021-10-05
|
* TLS obsolete protocol is set when TLS < 1.2 (used to be 1.1)Luca Deri2021-10-05
|
* Remove `struct ndpi_packet_struct` from `struct ndpi_flow_struct` (#1319)Ivan Nardi2021-10-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There are no real reasons to embed `struct ndpi_packet_struct` (i.e. "packet") in `struct ndpi_flow_struct` (i.e. "flow"). In other words, we can avoid saving dissection information of "current packet" into the "flow" state, i.e. in the flow management table. The nDPI detection module processes only one packet at the time, so it is safe to save packet dissection information in `struct ndpi_detection_module_struct`, reusing always the same "packet" instance and saving a huge amount of memory. Bottom line: we need only one copy of "packet" (for detection module), not one for each "flow". It is not clear how/why "packet" ended up in "flow" in the first place. It has been there since the beginning of the GIT history, but in the original OpenDPI code `struct ipoque_packet_struct` was embedded in `struct ipoque_detection_module_struct`, i.e. there was the same exact situation this commit wants to achieve. Most of the changes in this PR are some boilerplate to update something like "flow->packet" into something like "module->packet" throughout the code. Some attention has been paid to update `ndpi_init_packet()` since we need to reset some "packet" fields before starting to process another packet. There has been one important change, though, in ndpi_detection_giveup(). Nothing changed for the applications/users, but this function can't access "packet" anymore. The reason is that this function can be called "asynchronously" with respect to the data processing, i.e in context where there is no valid notion of "current packet"; for example ndpiReader calls it after having processed all the traffic, iterating the entire session table. Mining LRU stuff seems a bit odd (even before this patch): probably we need to rethink it, as a follow-up.
* Updated descriptionLuca Deri2021-10-05
|
* WHOIS: enhance detection, avoiding false positives (#1320)Ivan Nardi2021-10-05
| | | We are interested only in the domain name required, not in the long reply.
* Added -a <num> to ndpiReader for generating OPNsense configurationLuca Deri2021-10-04
| | | | See https://github.com/ntop/opnsense
* Fix how some protocols handle tcp retransmissions (#1321)Ivan Nardi2021-10-03
| | | | | | | Most (all?) protocols don't care about (tcp) retransmissions. If a protocol registers itself with a NDPI_SELECTION_BITMASK_PROTOCOL_*_WITHOUT_RETRANSMISSION value, its callback is never triggered with a retransmitted packet.
* Remove `detected_protocol_stack` field from `ndpi_packet_struct` (#1317)Ivan Nardi2021-09-29
| | | | | | | | | | | | | This field is an exact copy of `ndpi_flow_struct->detected_protocol_stack[2]`: * at the very beginning of packet dissection, the value saved in `flow->detected_protocol_stack` is copied in `packet->detected_protocol_stack` (via `ndpi_detection_process_packet()` -> `ndpi_init_packet_header()`) * every time we update `flow->detected_protocol_stack` we update `packet->detected_protocol_stack` too (via `ndpi_int_change_protocol()` -> `ndpi_int_change_packet_protocol()`) These two fields are always in sync: keeping the same value in two different places is useless.
* Compilation fixed on CentOS 7Luca Deri2021-09-27
| | | | Bitmap APi changes
* Bitmap codeLuca Deri2021-09-27
|
* Reworked bitmap codeLuca Deri2021-09-27
|
* Fix armhf (#1315)Gianfranco Costamagna2021-09-26
| | | | | | | | | | | | | | | | * Fix unaligned memory accesses with get_u_int64_t at armhf see: https://bugs.debian.org/993627 * Use get_u_int64_t to avoid unaligned memory access at armhf see: https://bugs.debian.org/993627 * Update src/include/ndpi_define.h.in Drop const type from get_u_int64_t, from lnslbrty Co-authored-by: Bernhard Übelacker <bernhardu@mailbox.org> Co-authored-by: Toni <matzeton@googlemail.com>
* Added API for handling compressed bitmapsLuca Deri2021-09-26
| | | | | | | | | | | | | | ndpi_bitmap* ndpi_bitmap_alloc(); void ndpi_bitmap_free(ndpi_bitmap* b); u_int64_t ndpi_bitmap_cardinality(ndpi_bitmap* b); void ndpi_bitmap_set(ndpi_bitmap* b, u_int32_t value); void ndpi_bitmap_unset(ndpi_bitmap* b, u_int32_t value); bool ndpi_bitmap_isset(ndpi_bitmap* b, u_int32_t value); void ndpi_bitmap_clear(ndpi_bitmap* b); size_t ndpi_bitmap_serialize(ndpi_bitmap* b, char **buf); ndpi_bitmap* ndpi_bitmap_deserialize(char *buf); based on https://github.com/RoaringBitmap/CRoaring
* QUIC: fix old GQUIC versions on big-endian machines (#1313)Ivan Nardi2021-09-23
|
* Improve CI (#1303)Zied Aouini2021-09-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Improve CI pipeline * Fix branch name. * Fix branch name. * Fix libgcrypt configuration. * Update build.yml * Move to Github Actions instead of Travis CI. * Fix mingw on ubuntu bionic. * Reactivate cross compile on Ubuntu Bionic. * Switch to single line steps. * Add several compilers versions * Minor fix. * Fix build all and delete cxx * Fix RCE detection. * Fix PCRE configuration. * Add condition on PCRE test pcap. * Update WebattackRCE.pcap.out * Add missing SUBST. * Delete WebattackRCE.pcap.out * Update WebAttackRCE result. * Fix typo. * Extend jobs with pcre+msan+maxminddb. * Fix code inpector warnings. * Delete .appveyor.yml
* FTP: fix support for START-TLS sessionsNardi Ivan2021-09-21
| | | | | | When TLS-over-FTP is used, the credentials are encrypted. So we must not wait for the username and the password commands, otherwise we elaborate a lot of packets for nothing.
* Merge pull request #1309 from IvanNardi/ipv6-headersToni2021-09-20
|\ | | | | Fix parsing of ipv6 packets with extension headers
| * Fix parsing of ipv6 packets with extension headersNardi Ivan2021-09-19
| | | | | | | | | | | | | | | | Decoding of ipv6 traffic with extension headers was completely broken, since the beginning of the L4 header was always set to a wrong value. Handle the ipv6 fragments in the same way as the ipv4 ones: keep the first one and drop the others.
* | STUN: fix extraction of Realm attributeNardi Ivan2021-09-20
|/ | | | While at it, improve detection of Facebook Messenger
* Small fixes after latest commits (#1308)Ivan Nardi2021-09-18
|
* A (tiny) effort to reduce memory usage per flow (#1304)Ivan Nardi2021-09-18
| | | | | | | Follow-up of 22241a1d Only trivial changes: * remove completely unused fields * remove fields only written (but never read) * CSGO protocol only handles UDP traffic
* Improved fragmented DNS detectionLuca Deri2021-09-17
|
* DNS dissection fixesLuca Deri2021-09-17
|
* Progetto esame Gestione di Reti - Debora Cerretini (#1290)deboracerretini2021-09-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Add files via upload Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>
* TLS: avoid zeroing large structures (#1300)Ivan Nardi2021-09-16
| | | | | | | | | | Zeroing large structures (i.e. size > KB) is quite costly (from a CPU point of view): we can safely avoid doing that for a couple of big structures. Standard and Valgrind tests have been diverging quite a lot: it is time to re-sync them. Use the same script and enable Valgrind via an enviroment variable: NDPI_TESTS_VALGRIND=1 ./tests/do.sh
* Hangout: fix usage of STUN function (#1299)Ivan Nardi2021-09-13
|
* Fix some ndpi_malloc/ndpi_free pairs (#1298)Ivan Nardi2021-09-13
|
* Update the list of default ports for QUIC protocol (#1297)Ivan Nardi2021-09-13
| | | There are no reasons to register UDP/80 as a default port for QUIC
* Bittorrent: fix a potential use-of-uninitialized-value error (#1296)Ivan Nardi2021-09-13
| | | | | | Not sure if this is the right fix (from a logical point-of-view): this code hasn't changed since OpenDPI era (!) and I have't found a trace triggering this code path. Anyway, the use-of-uninitialized-value error itself should be fixed.
* Cassandra: fix compilation when "--enable-debug-messages" option is used (#1294)Ivan Nardi2021-09-11
| | | | Let's try adding a dedicated compilation in GitHub Actions to easily detect this kind of errors in the future
* Added new risk for clear text credentialsLuca Deri2021-09-10
|
* Add Cassandra protocol dissector (#1285)lucasbaile2021-09-09
| | | Co-authored-by: Lucas Santos <lucas.santos@zerum.com>
* ARM fixesLuca Deri2021-08-25
|
* Fix access to some TLS fields in flow structure (#1277)Ivan Nardi2021-08-20
| | | | Fields 'tls.hello_processed` and `tls.subprotocol_detected` are used by QUIC (i.e UDP...), too.
* Compile everything with "-W -Wall -Wno-unused-parameter" flags (#1276)Ivan Nardi2021-08-20
| | | | | | | | | | | | | | | | Fix all the warnings. Getting rid of "-Wno-unused-parameter" is quite complex because some parameters usage depends on compilation variable (i.e. `--enable-debug-messages`). The "-Werror" flag has been added only in Travis builds to avoid breaking the builds to users using uncommon/untested OS/compiler/enviroment. Tested on: * x86_64; Ubuntu 20.04; gcc 7,8,9,10,11; clang 7,8,9,10,11,12 * x86_64; CentOS 7.7; gcc 4.8.5 (with "--disable-gcrypt" flag) * Raspberry 4; Debian 10.10; gcc 8.3.0
* Fixed Mingw64 build, SonerCloud-CI and more. (#1273)Toni2021-08-18
| | | | | | | | | | | | | * Added ARM build and unit test run for SonarCloud-CI. Signed-off-by: Toni Uhlig <matzeton@googlemail.com> * Fixed Mingw64 build. * adapted to SonarCloud-CI workflow * removed broken and incomplete Windows example (tested on VS2017/VS2019) * removed unnecessary include (e.g. pthread.h for the library which does not make use of it) Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Fixes a crash on ARM (Raspberry Pi 4 Model B Rev 1.1)Luca Deri2021-08-18
|
* Fixed some invalid TLS guessesLuca Deri2021-08-17
|
* Added check to avoid clases on similar protocols (FTP adn SMTP) on setting ↵Luca Deri2021-08-11
| | | | hostname
* Added extraction of hostname in SMTPLuca Deri2021-08-11
| | | | Fixed mail incalid subprotocol calculation
* Clode cleanup (after last merge)Luca Deri2021-08-08
|
* Added entropy calculation to check for suspicious (encrypted) payload. (#1270)Toni2021-08-08
| | | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com> Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>
* Skip whitespaces between HTTP method and URL. (#1271)Toni2021-08-08
| | | | | * be less case-restrictive, RFC2616 wants it that way Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added TLS fatal alert flow riskLuca Deri2021-08-07
|
Powered by cgit, Themed by Ted Yin.