| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
| |
* Add detection of Gaijin Entertainment games
* Short NDPI_PROTOCOL_GAIJINENTERTAINMENT to NDPI_PROTOCOL_GAIJIN
* Add default UDP port for Gaijin Entertainment games
* Remove NDPI_PROTOCOL_CROSSOUT protocol id
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Follow-up of 4543385d107fcc5a7e8632e35d9a60bcc40cb4f4
Remove trailing spaces for any HTTP header (we already remove leading
spaces)
We want:
* a "normalized" string in `flow->host_server_name`, but
* to parse the original string for flow risk checking
`ndpi_hostname_sni_set()` is a private function, so there is no need to
export its flags.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
* Normalization of host_server_name
The ndpi_hostname_sni_set() function replaces all non-printable
characters with the "?" character and removing whitespace characters
at the end of the line.
* Added conditional hostname normalization.
|
| |
|
|
| |
sitting on top of nDPI to faile at compilation
|
| |
|
| |
Found while fuzzing
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
|
| |
|
|
|
| |
`USE_GLOBAL_CONTEXT` macro is not defined. (#2302)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* additional JA4 string buffer is not needed and may cause a string truncation warning
```
protocols/tls.c: In function ‘ndpi_compute_ja4’:
protocols/tls.c:1738:3: warning: ‘strncpy’ output may be truncated copying 36 bytes from a string of length 1023 [-Wstringop-truncation]
1738 | strncpy(flow->protos.tls_quic.ja4_client, ja_str, 36);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
| |
Found by oss-fuzzer
See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66342
See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66320
|
| | |
|
| |
|
| |
Found while fuzzing fuzz_config
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add the concept of "global context".
Right now every instance of `struct ndpi_detection_module_struct` (we
will call it "local context" in this description) is completely
independent from each other. This provide optimal performances in
multithreaded environment, where we pin each local context to a thread,
and each thread to a specific CPU core: we don't have any data shared
across the cores.
Each local context has, internally, also some information correlating
**different** flows; something like:
```
if flow1 (PeerA <-> Peer B) is PROTOCOL_X; then
flow2 (PeerC <-> PeerD) will be PROTOCOL_Y
```
To get optimal classification results, both flow1 and flow2 must be
processed by the same local context. This is not an issue at all in the far
most common scenario where there is only one local context, but it might
be impractical in some more complex scenarios.
Create the concept of "global context": multiple local contexts can use
the same global context and share some data (structures) using it.
This way the data correlating multiple flows can be read/write from
different local contexts.
This is an optional feature, disabled by default.
Obviously data structures shared in a global context must be thread safe.
This PR updates the code of the LRU implementation to be, optionally,
thread safe.
Right now, only the LRU caches can be shared; the other main structures
(trees and automas) are basically read-only: there is little sense in
sharing them. Furthermore, these structures don't have any information
correlating multiple flows.
Every LRU cache can be shared, independently from the others, via
`ndpi_set_config(ndpi_struct, NULL, "lru.$CACHE_NAME.scope", "1")`.
It's up to the user to find the right trade-off between performances
(i.e. without shared data) and classification results (i.e. with some
shared data among the local contexts), depending on the specific traffic
patterns and on the algorithms used to balance the flows across the
threads/cores/local contexts.
Add some basic examples of library initialization in
`doc/library_initialization.md`.
This code needs libpthread as external dependency. It shouldn't be a big
issue; however a configure flag has been added to disable global context
support. A new CI job has been added to test it.
TODO: we should need to find a proper way to add some tests on
multithreaded enviroment... not an easy task...
*** API changes ***
If you are not interested in this feature, simply add a NULL parameter to
any `ndpi_init_detection_module()` calls.
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
| |
protocol
|
| | |
|
| | |
|
| |
|
|
|
| |
* Add missing NDPI_LOG_DBG
* Add missing NDPI_LOG_DBG in yojimbo.c
|
| |
|
|
|
| |
* Rename redis_net.c to resp.c
* Fix RESP detection
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
ndpi_load_domain_suffixes
Minor hash optimization
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
| |
* Improve MySQL detection
* Update copyright
|
| | |
|
| |
|
|
|
| |
* Add Radmin protocol dissector
* Update test results
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
QUIC decryption fails when the Client Hello is split into multiple UDP
packets and these packets have different Destination Connection IDs
(because the server told the client to switch to a different CID; see
RFC 9000 7.2)
```
The Destination Connection ID field from the first Initial packet sent by
a client is used to determine packet protection keys for Initial packets.
[..]
Upon first receiving an Initial or Retry packet from the server, the
client uses the Source Connection ID supplied by the server as the
Destination Connection ID for subsequent packets
```
From a logical point of view, the ciphers used for decryption should be
initialized only once, with the first Initial pkt sent by the client and
kept for later usage with the following packets (if any).
However it seems that we can safely initialize them at each packet, if
we keep using the DCID of the **first** packet sent by the client.
Keep initializing the ciphers at each packet greatly simplifie this patch.
This issue has been undetected for so long because:
* in the vast majority of the cases we only decrypt one packet per flow;
* the available traces with the Client Hello split into multiple packets
(i.e. cases where we need to decrypt at least two packets per flow) were
created in a simple test environment to simulate Post-Quantum handshake,
and in that scenario the client sent all the packets (with the same
DCID) before any reply from the server.
However, in the last months all major browsers started supporting PQ
key, so it is now common to have split CH in real traffic.
Please note that in the attached example, the CH is split into 2
(in-order) fragments (in different UDP packets) and the second one in
turn is divided into 9 (out-of-order) CRYPTO frames; the reassembler
code works out-of-the-box even in this (new) scenario.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Avoid collisions between user-ids and internal-ids protocols in the
`example/protos.txt` file.
Add a new value for the classification confidence:
`NDPI_CONFIDENCE_CUSTOM_RULE`
With `./example/ndpiReader -p example/protos.txt -H` we now see also the
custom protocols and their internal/external ids:
```
nDPI supported protocols:
Id Userd-id Protocol Layer_4 Nw_Proto Breed Category
0 0 Unknown TCP X Unrated Unspecified
...
387 387 Mumble UDP X Fun VoIP
388 388 iSCSI TCP Acceptable Unspecified
389 389 Kibana TCP Acceptable Unspecified
390 390 TestProto TCP Acceptable Unspecified
391 391 HomeRouter TCP Acceptable Unspecified
392 392 CustomProtocol TCP Acceptable Unspecified
393 393 AmazonPrime TCP Acceptable Unspecified
394 394 CustomProtocolA TCP Acceptable Unspecified
395 395 CustomProtocolB TCP Acceptable Unspecified
396 800 CustomProtocolC TCP Acceptable Unspecified
397 1024 CustomProtocolD TCP Acceptable Unspecified
398 2048 CustomProtocolE TCP Acceptable Unspecified
399 2049 CustomProtocolF TCP Acceptable Unspecified
400 2050 CustomProtocolG TCP Acceptable Unspecified
401 65535 CustomProtocolH TCP Acceptable Unspecified
```
We likely need to take a better look in general at the iteration between
internal and external protocols ids...
This PR fixes the issue observed in
https://github.com/ntop/nDPI/pull/2274#discussion_r1460674874 and in
https://github.com/ntop/nDPI/pull/2275.
|
| |
|
|
|
| |
* Add ElectronicArts detection support
* Merge electronicarts.pcapng into sites.pcapng
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
|
| |
|
|
|
|
| |
Some changes in the parameters names.
Add a fuzzer to fuzz the configuration file format.
Add the infrastructure to configuratin callbacks.
Add an helper to map LRU cache indexes to names.
|
| |
|
|
|
|
|
| |
* Fix detection of new Cassandra versions
* Add Cassandra Internode Communication protocol support
* Add default port for Cassandra Internode Communication protocol
|
| |
|
| |
Move it from the RTP code and extend it
|
| |
|
|
|
| |
When switching to (D)TLS dissector from the STUN one, we need to clear
any flow risks set from the latter (because we don't have anymore
`NDPI_PROTOCOL_STUN` in the classification results)
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Clean up Steam dissector
* Add Steam Datagram Relay dissector
* Update docs
* Update test results
* Remove csgo.c from MSVC project
* Small fixes
* Add Steam TLS pcap sample
* Merge Steam pcap samples into single one
* Fix typo
* Update test results
|
| | |
|
| | |
|
| |
|
|
|
| |
* Enable/disable sub-classification of DNS flows
* Enable/disable processing of DNS responses
|
| | |
|
| | |
|
| | |
|
| | |
|