| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| |
|
|
|
|
| |
That flow risk was introduced in 79b89d286605635f15edfe3c21297aaa3b5f3acf
but we can now use the generic `NDPI_TLS_SUSPICIOUS_EXTENSION` instead:
ESNI is quite suspicious nowadays in itself (i.e. even without SNI).
Note that ESNI support has been removed in cae9fb9989838f213eeb857b8fc4bbeac6940049
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
(#2773)
Remove `NDPI_PROTOCOL_MAPLESTORY` and add a generic
`NDPI_PROTOCOL_NEXON`
|
| |
|
|
| |
We are going to use HTTP metadata only for real HTTP traffic; FastCGI
should be the only protocol using them improperly
|
| |
|
|
|
| |
Update the list
Close #2767
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These flows are already classified as TLS.RDP.
This change also fix a memory leak
```
Direct leak of 62 byte(s) in 1 object(s) allocated from:
#0 0x5883d762429f in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
#1 0x5883d76fe46a in ndpi_malloc ndpi/src/lib/ndpi_memory.c:57:46
#2 0x5883d76fe46a in ndpi_strdup ndpi/src/lib/ndpi_memory.c:110:13
#3 0x5883d77adcd6 in ndpi_compute_ja4 ndpi/src/lib/protocols/tls.c:2298:46
#4 0x5883d77ab2ec in processClientServerHello ndpi/src/lib/protocols/tls.c:3314:10
#5 0x5883d77a4c51 in processTLSBlock ndpi/src/lib/protocols/tls.c:1319:5
```
Found by oss-fuzz.
See: https://oss-fuzz.com/testcase-detail/5244512192757760
|
| |
|
|
|
|
| |
protocols
Fixes #2762
|
| |\
| |
| | |
Add a new internal function `internal_giveup()`
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This function is always called once for every flow, as last code
processing the flow itself.
As a first usage example, check here if the flow is unidirectional
(instead of checking it at every packets)
|
| | | |
|
| | |
| |
| | |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
| |
| |
| |
| | |
protocol dissector will follow
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |/
|
| |
Co-authored-by: Leonardo Teixeira Alves <leonardo.alves@zerum.com>
|
| |
|
|
| |
For the most common protocols, avoid creating the string message if we
are not going to use it
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Custom rules with *new* protocols are checked "first": if there is a
match, the first packet of the flow provides a complete and final
classification.
The same logic should apply to custom rules with "existing" protocols:
if there is match, nDPI shouldn't do anything else.
Remove the `tcp:3000@ntop` custom rule.
Fix the default port for ElasticSearch (in the protocol file)
|
| |
|
|
|
|
|
|
| |
This way, the `ndpiReader` output doesn't change if we change the
internal logic about the order we set/check the various flow risks.
Note that the flow risk *list* is already printed by `ndpiReader`
in order.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
```
==29602==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x563af77d47ac in ndpi_address_cache_restore /home/ivan/svnrepos/nDPI/src/lib/ndpi_cache.c:450:8
#1 0x563af77d6b52 in ndpi_cache_address_restore /home/ivan/svnrepos/nDPI/src/lib/ndpi_cache.c:518:10
#2 0x563af77c73e5 in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_ds_address_cache.cpp:100:5
```
Found by oss-fuzz.
See: https://oss-fuzz.com/testcase-detail/6653546833707008
|
| |
|
|
| |
This `if` check is always false
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
```
==13852==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5150000027da at pc 0x5fa4b65d08ac bp 0x7ffc4c57ed60 sp 0x7ffc4c57e508
READ of size 4 at 0x5150000027da thread T0
#0 0x5fa4b65d08ab in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader_pl7m_64k+0x78c8ab) (BuildId: 15b63a623e404a4a0be658cae7336391fc8353db)
#1 0x5fa4b65d0d80 in memcmp (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader_pl7m_64k+0x78cd80) (BuildId: 15b63a623e404a4a0be658cae7336391fc8353db)
#2 0x5fa4b68bfe7e in ndpi_search_flute /home/ivan/svnrepos/nDPI/src/lib/protocols/flute.c:52:9
#3 0x5fa4b6764406 in check_ndpi_detection_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7571:6
#4 0x5fa4b67bf703 in check_ndpi_udp_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7606:10
```
Found by oss-fuzz
See: https://oss-fuzz.com/testcase-detail/5261204335689728
|
| |
|
|
| |
Add a new fuzzer to test it
|
| |
|
|
|
|
|
| |
There are no reasons to keep entropy calculation and sanity checks code
on the "guessing" algorithm.
BTW, this change also fix the entropy calculation for non TCP/UDP/ICMP
flows
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
```
==17==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8d7c8bc915 bp 0x7ffd25039910 sp 0x7ffd250390c8 T0)
==17==The signal is caused by a READ memory access.
==17==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
#0 0x7f8d7c8bc915 (/lib/x86_64-linux-gnu/libc.so.6+0x188915) (BuildId: 0323ab4806bee6f846d9ad4bccfc29afdca49a58)
#1 0x55f437be04a3 in strlen /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc
#2 0x55f437cfa3cb in ndpi_get_host_domain /src/ndpi/src/lib/ndpi_domains.c:144:9
#3 0x55f437caf21e in LLVMFuzzerTestOneInput /src/ndpi/fuzz/fuzz_config.cpp:703:3
```
|
| |
|
|
| |
One list is from ingress nodes (used for protocol classification) and
the second one is from exit nodes (used for flow risk check)
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
|
| |
|
| |
Close #2738
|
| |
|
|
|
| |
Thiw way, the code is ready to handle rtp info from STUN flows too.
And, most important, this change works as workaround to fix some crashes
reported by oss-fuzz
|
| |
|
|
|
| |
* fixed buffer overflow in RTP dissector
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
|
| | |
|
| |
|
|
| |
Added ndpi_rtp_payload_type2str() API call
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
| |
See 6899f6c17 and 9bf513b34
|
| | |
|