aboutsummaryrefslogtreecommitdiff
path: root/src
Commit message (Collapse)AuthorAge
...
* Implemented ndpi_predict_linear() for predicting a timeseries value overtimeLuca Deri2023-05-19
|
* Add support for roaring_bitmap_xor_inplace (#1983)Yuriy Rymarchuk2023-05-18
|
* Fix classification-by-ip in `ndpi_detection_giveup` (#1981)Ivan Nardi2023-05-17
| | | | | | | | | | | | | | Return the "classification-by-ip" as protocol results only if no other results are available. In particular, never return something like "protocol_by_port/protocol_by_ip" (i.e. `NTP/Apple`, BitTorrent/GoogleCloud`, `Zoom/AWS`) because this kind of classification is quite confusing, if not plainly wrong. Notes: * the information about "classification-by-ip" is always available, so no information is lost with this change; * in the unit tests, the previous classifications with confidence `NDPI_CONFIDENCE_DPI_PARTIAL` were wrong, as noted in #1957
* Add support for SRTP (#1977)Ivan Nardi2023-05-16
| | | | | | | The goal is to have Zoom flows classified as "Encrypted" and not as "Cleartext". Start documenting the list of protocols supported by nDPI; format, verbosity and content are still a work-in-progress.
* HTTP: rework state machine (#1966)Ivan Nardi2023-05-16
| | | | | | | | | | | | | | | | | The goal if to correlate the right request-response pair, exporting metadata from only one transaction (for example, the right url & return state pair) As a nice side effect, the code should be much cleaner, but that is a matter of taste. Two differences respect to the previous code: * as it happens in the CI, if in the flow there are only one response (before) and one request (after), only the metadata of the response are saved/exported * for performance reasons, we don't call `ndpi_parse_packet_line_info()` anymore for ALL packets triggering the HTTP dissector, but only for the packets that we already know belong to an HTTP flow. This is the reason for the changes in RTSP/SOAP/... code
* Fix MS Teams detection with heuristic (#1972)Ivan Nardi2023-05-10
| | | | | | When we reconcile a TLS session to Teams, we need to keep TLs as master. This way: * we keep exporting all the TLS metadata * we avoid some memory leaks (of these metadata themeselves)
* Improved MS Teams detection with heuristicLuca2023-05-10
|
* Enhanced MS teams STUN/Azure detectionLuca2023-05-10
|
* MS Teams enhancementLuca2023-05-10
|
* MS Teams improvementsLuca2023-05-10
|
* All protocols should be excluded sooner or later (#1969)Ivan Nardi2023-05-10
| | | | | For a lot of protocols, reduce the number of packets after which the protocols dissector gives up. The values are quite arbitary, tring to not impact on classification
* Remove special handling of some TCP flows without SYN (#1965)Ivan Nardi2023-05-09
| | | | | | | | | | | | | | | | | | | | | This piece of code has multiple problems: * nDPI is able to detect some TCP protocols even with mid-flows (i.e. without the initial packets of the session); TLS is the most significative example * since e6b332aa4a1399e33df68998cf8351bccaee3fc4 it is perfectly valid to not pass the TCP Handshake packets to nDPI * in any case, we shouldn't call `ndpi_detection_giveup()`. That function is usually called by the application and we end up calling it twice in some cases. The simple solution is to completely remove that code: process these kinds of flows like everyone else. Note that the application can always avoid to pass to nDPI any TCP flows without the initial handshake; the flow managemnt is always up to the application. Looking at the CI results, some rare flows are now processed significantly longer. As a follow-up we could look into that.
* Improve detection of crawlers/bots (#1968)Ivan Nardi2023-05-09
| | | Add support for Facebook crawler
* Extend content-match list (#1967)Ivan Nardi2023-05-09
|
* Disabled query string validation in MDNS in order to avoid zapping chars ↵Luca Deri2023-05-09
| | | | that in DNS (instead) are not permitted
* Refreshed listsLuca Deri2023-05-08
|
* add 2 ns from fdn.fr to DoH section (#1964)Clément BRUGUERA2023-05-05
|
* HTTP: improve extraction of metadata and of flow risks (#1959)Ivan Nardi2023-05-05
|
* HTTP: remove useless code about XBOX (#1958)Ivan Nardi2023-05-04
| | | | | Old nDPI versions were able to detect XBOX flows over HTTP via user-agent matching. This feature has been removed from a long time (89d548f9d, at very least)
* Improve detection of crawler/bot traffic (#1956)Ivan Nardi2023-05-04
|
* Added detection of Facebook Reels and StoriesLuca Deri2023-05-03
| | | | https://www.switcherstudio.com/blog/the-ultimate-guide-to-reels-and-stories#:~:text=Audience%3A%20Reels%20are%20served%20to,things%20like%20photos%20and%20boomerangs.
* Make Bittorrent LRU cache IPv6 aware. (#1909)Ivan Nardi2023-04-29
| | | | It was the only remaining LRU cache without IPv6 support. See 81e1ea545ca465cda064e7cc80333fe7f0ef2aff
* Added missing checkLuca Deri2023-04-28
|
* Added ndpi_guess_undetected_protocol_v4() to restore logic thatLuca Deri2023-04-28
| | | | was removed in https://github.com/ntop/nDPI/commit/032e778a6dc1ee2173c4cdb2c671180c5b5df245
* Updated (C)Luca Deri2023-04-28
|
* Added missing checkLuca Deri2023-04-28
|
* Add an heuristic to detect/ignore some anomalous TCP ACK packets (#1948)Ivan Nardi2023-04-25
| | | | | | | | | | | | | | | | | | | In some networks, there are some anomalous TCP flows where the smallest ACK packets have some kind of zero padding. It looks like the IP and TCP headers in those frames wrongly consider the 0x00 Ethernet padding bytes as part of the TCP payload. While this kind of packets is perfectly valid per-se, in some conditions they might be treated by the TCP reassembler logic as (partial) overlaps, deceiving the classification engine. Add an heuristic to detect these packets and to ignore them, allowing correct detection/classification. This heuristic is configurable. Default value: * in the library, it is disabled * in `ndpiReader` and in the fuzzers, it is enabled (to ease testing) Credit to @vel21ripn for the initial patch. Close #1946
* fuzz: extend fuzzers coverage (#1952)Ivan Nardi2023-04-25
|
* RTP: remove dead-code (#1953)Ivan Nardi2023-04-25
| | | | | | | | | | | | The checks `isValidMSRTPType(..) == 1` is a subset of `is_valid_rtp_payload_type()` so this if-branch is never reached. More importantly, the article describing how to detect Microsoft Lync and Skype for Business is from 2014. These payload types are static or they are in the dynamic range: in both cases, these values might be used (and they are used indeed) pretty much by every application. Bottom line: we can't use PT alone to identify a specific protocol. Keep the list, since it is used to tell audio streams from video ones.
* Compilation fix on RH7Luca Deri2023-04-24
|
* Add "Heroes of the Storm" video game signature detection. (#1949)nikitamishagin2023-04-22
|
* Improved debug output. (#1951)Toni2023-04-21
| | | | | | * try to get rid of some `printf(..)`s as they do not belong to a shared library * replaced all `exit(..)`s with `abort()`s to indicate an abnormal process termination Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added OICQ dissector. (#1950)Toni2023-04-21
| | | | Signed-off-by: lns <matzeton@googlemail.com> Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Simplify `ndpi_internal_guess_undetected_protocol()` (#1941)Ivan Nardi2023-04-12
| | | | | | | | | | | | | | | | | | | `ndpi_guess_undetected_protocol()/ndpi_internal_guess_undetected_protocol()` is a strange function: * it is exported by the library and it is actively used by `ntopng` * it is intrinsecally ipv4-only * it returns basically something like "classification_by_ip"/"classification_by_port" (these information have already been calculated in `ndpi_do_guess()`...) * it access the bittorrent LRU caches (similarly to `ndpi_detection_giveup()` but without all the other caches...) So: * make the interface IPv4/6 agnostic * use the classifications already available This work will allow to make the Bittorrent caches IPV6-aware (see 81e1ea5). Handle Dropbox classification "by-port" in the "standard" way.
* Added BACnet dissector. (#1940)Toni2023-04-11
| | | | Signed-off-by: lns <matzeton@googlemail.com> Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Improved debug logging.lns2023-04-11
| | | | | Signed-off-by: lns <matzeton@googlemail.com> Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Improved invalid logging via printf().lns2023-04-11
| | | | | Signed-off-by: lns <matzeton@googlemail.com> Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added Source Engine dissector. (#1937)Toni2023-04-11
| | | | Signed-off-by: lns <matzeton@googlemail.com> Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* RiotGames: add detection of flows (#1935)Jacopo2023-04-11
| | | | | * RiotGames: add detection of flows * remove of akamai domains
* Implemented ndpi_XXX_reset() API calls whre XXX is ses, des, hwLuca Deri2023-04-08
|
* Extend content list of Microsoft protocols (#1930)Ivan Nardi2023-04-06
|
* MySql: improve detection (#1928)Ivan Nardi2023-04-06
| | | | | Add support for flows with "caching_sha2_password" authentication plugin. See #1924
* H323: fix false positives (#1916)Ivan Nardi2023-04-06
|
* add support for gre decapsulation (#1442) (#1921)Maatuq2023-04-04
|
* fuzz: add fuzzer to test internal gcrypt code (#1920)Ivan Nardi2023-04-04
|
* Update libinjection code (#1918)Ivan Nardi2023-04-04
| | | | | | | | | | Update libinjection code to the current master https://github.com/libinjection/libinjection/commit/7e4b74e824dc3f0623ba4894df2a0d817351ec39 The goal is to finally fix #1820 See: https://github.com/libinjection/libinjection/issues/33 Update the corpus of the libinjection fuzzers Close #1820
* Ookla: rework detection (#1922)Ivan Nardi2023-03-30
| | | | | | | | | | | | | | | | | | | | | | | | | | The logic of the LRU cache has been changed: once we know an ip has connected to an Ookla server, all the following (unknown) flows (for a short time interval) from the same ip to the port 8080 are treated as Ookla ones. Most of the changes in this commit are about introducing the concept of "aggressive detection". In some cases, to properly detect a protocol we might use some statistical/behavior logic that, from one side, let us to identify the protocol more often but, from the other side, might lead to some false positives. To allow the user/application to easily detect when such logic has been triggered, the new confidence value `NDPI_CONFIDENCE_DPI_AGGRESSIVE` has been added. It is always possible to disable/configure this kind of logic via the API. Detection of Ookla flows using plain TLS over port 8080 is the first example of aggressive detection in nDPI. Tested with: * Android 9.0 with app 4.8.3 * Ubuntu 20.04 with Firefox 110 * Win 10 with app 1.15 and 1.16 * Win 10 with Chrome 108, Edge 108 and Firefox 106
* TLS: fix another interger overflow in certificate processing (#1915)Ivan Nardi2023-03-30
|
* remove redefinition to vxlanhdr struct in vxlan dissector (#1911)Maatuq2023-03-25
|
* TLS: fix parsing of certificate elements (#1910)Ivan Nardi2023-03-22
| | | | | | | | | | | | | | | | | ``` ==1228==ERROR: AddressSanitizer: SEGV on unknown address 0x6040000bed05 (pc 0x00000056e148 bp 0x7ffcca534320 sp 0x7ffcca5330c0 T0) ==1228==The signal is caused by a WRITE memory access. #0 0x56e148 in processCertificateElements ndpi/src/lib/protocols/tls.c:682:79 #1 0x56c60f in LLVMFuzzerTestOneInput ndpi/fuzz/fuzz_tls_certificate.c:43:3 #2 0x43de63 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #3 0x4295c2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6 #4 0x42ee6c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9 #5 0x4583a2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #6 0x7f8c021c9082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16 #7 0x41f78d in _start ``` Found by oss-fuzz. See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57317
Powered by cgit, Themed by Ted Yin.