| Commit message (Collapse) | Author | Age |
|---|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Last step of removing JA3C fingerprint
Remove some duplicate tests: testing with ja4c/ja3s disabled is already
performed by `disable_metadata_and_flowrisks` configuration.
Close:#2551
|
| |
|
|
|
|
|
|
|
| |
It might be usefull to be able to match traffic against a list of
suspicious JA4C fingerprints
Use the same code/logic/infrastructure used for JA3C (note that we are
going to remove JA3C...)
See: #2551
|
| |
|
|
|
| |
type (#2675)
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
|
| |
|
|
|
| |
type (#2676)
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
|
| |
|
|
|
| |
dereference (#2674)
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
|
| | |
|
| | |
|
| |
|
|
| |
We calculate HTTP entropy according to "Content-type:" header, see
`ndpi_validate_http_content()` on HTTP code
|
| | |
|
| |
|
|
|
|
| |
* detect `chisel` SSH-over-HTTP-WebSocket
* use `strncasecmp()` for `LINE_*` matching macros
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
|
| |
|
|
|
| |
In very old (G)QUIC versions by Google, the user agent was available on
plain text. That is not true anymore, since about end of 2021.
See: https://github.com/google/quiche/commit/f282c934f4731a9f4be93409c9f3e8687f0566a7
|
| |
|
| |
Add a new variable to keep track of internal partial classification
|
| |
|
|
|
| |
Classification "by-port" is the latest possible shot at getting a
classification, when everything else failed: we should always use
the configured ports (as expected by the users, IMO)
|
| | |
|
| |
|
|
|
| |
Even if it is only the proposed value by the client (and not the
negotiated one), it might be use as hint for timeout by the (external)
flows manager
|
| |
|
|
| |
We should set it also for "obsolete"/"insecure" ciphers, not only for
the "weak" ones.
|
| |
|
|
|
| |
ESNI has been superseded by ECH for years, now.
See: https://blog.cloudflare.com/encrypted-client-hello/
Set the existing flow risk if we still found this extension.
|
| |
|
| |
We should use the existing helper
|
| | |
|
| |
|
|
| |
messages when used to browse (old) network devices
|
| |
|
|
|
|
| |
ipv6 addresses already containing "::" token shall
not be searched for ":0:" nor patched
Close #1890
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
```
Running: /home/ivan/Downloads/clusterfuzz-testcase-minimized-fuzz_ndpi_reader_pl7m_simplest_internal-5759495480868864
protocols/dns.c:482:5: runtime error: index 4 out of bounds for type 'u_int8_t[4]' (aka 'unsigned char[4]')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior protocols/dns.c:482:5
protocols/dns.c:483:5: runtime error: index 4 out of bounds for type 'u_int32_t[4]' (aka 'unsigned int[4]')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior protocols/dns.c:483:5
protocols/dns.c:490:12: runtime error: index 4 out of bounds for type 'u_int32_t[4]' (aka 'unsigned int[4]')
```
Found by oss-fuzz
See: https://issues.oss-fuzz.com/issues/383911300?pli=1
|
| | |
|
| | |
|
| |
|
| |
Updtae pl7m code (Fix swap-direction mutation)
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Co-authored-by: Evgeny Shtanov <evg.shtanov@gmail.comm>
Co-authored-by: Ivan Nardi <nardi.ivan@gmail.com>
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
| |
Fix: 1bda2bf41
|
| | |
|
| | |
|
| | |
|
| |
|
| |
In the same flow, we can have multiple multimedia types
|
| | |
|