aboutsummaryrefslogtreecommitdiff
path: root/tests/cfgs/default/pcap
Commit message (Collapse)AuthorAge
* Add Shellscript risk detection.add/shellscript-risk-detectionToni Uhlig2024-04-09
| | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Add ELF risk detection (detect transmitted linux executables). (#2373)Toni2024-04-06
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Add PE32/PE32+ risk detection (detect transmitted windows executables). (#2312)Toni2024-04-05
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added binary data transfer risk alertLuca2024-04-03
|
* Improve LoL: Wild Rift detection (#2359)Vladimir Gavrilov2024-03-28
|
* Add LoL: Wild Rift detection (#2356)Vladimir Gavrilov2024-03-26
|
* Add more TencentGames signatures (#2354)Vladimir Gavrilov2024-03-21
|
* Improve TencentGames detection (#2353)Vladimir Gavrilov2024-03-20
| | | | | * Improve TencentGames detection * Add more signatures
* STUN: dissection of TURN Channel DataNardi Ivan2024-03-20
|
* Add FLUTE protocol dissector (#2351)Vladimir Gavrilov2024-03-19
| | | | | * Add FLUTE protocol dissector * Add flute.c to MSVC project
* Add PFCP protocol dissector (#2342)Vladimir Gavrilov2024-03-13
|
* Add Path of Exile protocol dissector (#2337)Vladimir Gavrilov2024-03-06
| | | | | * Add Path of Exile protocol dissector * Update protocols.rst
* ahocorasick: improve matching with subdomains (#2331)Ivan Nardi2024-03-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The basic idea is to have the following logic: * pattern "DOMAIN" matches the domain itself (i.e exact match) *and* any subdomains (i.e. "ANYTHING.DOMAIN") * pattern "DOMAIN." matches *also* any strings for which is a prefix [please, note that this kind of match is handy but it is quite dangerous...] * pattern "-DOMAIN" matches *also* any strings for which is a postfix Examples: * pattern "wikipedia.it": * "wikipiedia.it" -> OK * "foo.wikipedia.it -> OK * "foowikipedia.it -> NO MATCH * "wikipedia.it.com -> NO MATCH * pattern "wikipedia.": * "wikipedia.it" -> OK * "foo.wikipedia.it -> OK * "foowikipedia.it -> NO MATCH * "wikipedia.it.com -> OK * pattern "-wikipedia.it": * "wikipedia.it" -> NO MATCH * "foo.wikipedia.it -> NO MATCH * "0001-wikipedia.it -> OK * "foo.0001-wikipedia.it -> OK Bottom line: * exact match * prefix with "." (always, implicit) * prefix with "-" (only if esplicitly set) * postfix with "." (only if esplicitly set) That means that the patterns cannot start with '.' anymore. Close #2330
* Add NetEase Games detection support (#2335)Vladimir Gavrilov2024-03-05
|
* Add Naraka Bladepoint detection support (#2334)Vladimir Gavrilov2024-03-04
|
* Add BFD protocol dissector (#2332)Vladimir Gavrilov2024-02-29
|
* Telegram: improve identificationNardi Ivan2024-02-26
| | | | | | | | | | | | | | | | | Follow up of 31c706c3dbbf0afc4c8e0a6d0bb6f20796296549 and 75485e177ccc4fafcc62dd46c6917d5b735cf7d2. Allow fast classification by ip, but give time to other dissectors to kick in (for example, the TLS code for the Telegram Web flows). Even if we don't classify it anymore at the very first packet (i.e. SYN) we fully classify Telegram traffic at the first packet with payload, as *any* other protocol. This way, we always have the proper category, the proper confidence for the UDP flows and we don't overwrite previous classifications (TLS or ICMP) Remove old and stale identification logic for TCP flows
* Add DLEP protocol dissector (#2326)Vladimir Gavrilov2024-02-20
|
* Add identification of Huawei generic and cloud traffic (#2325)Ivan Nardi2024-02-20
|
* Add ANSI C12.22 protocol dissector (#2317)Vladimir Gavrilov2024-02-15
| | | | | * Add ANSI C12.22 protocol dissector * Add UDP sample
* Skype: remove old detection logic (#1954)Ivan Nardi2024-02-12
| | | | | | | Skype has been using standard protocols (STUN/ICE or TLS) for a long, long time, now. Long gone are the days of Skype as a distribuited protocol. See: #2166
* reader_util: fix GRE detunneling (#2314)Ivan Nardi2024-02-10
|
* fuzz: improve fuzzing coverage (#2309)Ivan Nardi2024-02-09
|
* Add detection of Gaijin Entertainment games (#2311)Vladimir Gavrilov2024-02-09
| | | | | | | | | * Add detection of Gaijin Entertainment games * Short NDPI_PROTOCOL_GAIJINENTERTAINMENT to NDPI_PROTOCOL_GAIJIN * Add default UDP port for Gaijin Entertainment games * Remove NDPI_PROTOCOL_CROSSOUT protocol id
* Add TencentGames protocol dissector (#2306)Vladimir Gavrilov2024-02-08
|
* Add Gearman protocol dissector (#2297)Vladimir Gavrilov2024-02-01
|
* Implemented CIP I/O (UDP version of the CIP protocol), Common Industrial ↵Luca Deri2024-01-29
| | | | protocol
* Fix RESP detection (#2289)Vladimir Gavrilov2024-01-27
| | | | | * Rename redis_net.c to resp.c * Fix RESP detection
* Add Raft protocol dissector. (#2286)Toni2024-01-25
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Improve MySQL detection (#2279)Vladimir Gavrilov2024-01-25
| | | | | * Improve MySQL detection * Update copyright
* Add Radmin protocol dissector (#2283)Vladimir Gavrilov2024-01-25
| | | | | * Add Radmin protocol dissector * Update test results
* fuzz: extend fuzzing coverage (#2281)Ivan Nardi2024-01-24
|
* QUIC: fix decryption with CH fragments with different Destination CID (#2278)Ivan Nardi2024-01-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | QUIC decryption fails when the Client Hello is split into multiple UDP packets and these packets have different Destination Connection IDs (because the server told the client to switch to a different CID; see RFC 9000 7.2) ``` The Destination Connection ID field from the first Initial packet sent by a client is used to determine packet protection keys for Initial packets. [..] Upon first receiving an Initial or Retry packet from the server, the client uses the Source Connection ID supplied by the server as the Destination Connection ID for subsequent packets ``` From a logical point of view, the ciphers used for decryption should be initialized only once, with the first Initial pkt sent by the client and kept for later usage with the following packets (if any). However it seems that we can safely initialize them at each packet, if we keep using the DCID of the **first** packet sent by the client. Keep initializing the ciphers at each packet greatly simplifie this patch. This issue has been undetected for so long because: * in the vast majority of the cases we only decrypt one packet per flow; * the available traces with the Client Hello split into multiple packets (i.e. cases where we need to decrypt at least two packets per flow) were created in a simple test environment to simulate Post-Quantum handshake, and in that scenario the client sent all the packets (with the same DCID) before any reply from the server. However, in the last months all major browsers started supporting PQ key, so it is now common to have split CH in real traffic. Please note that in the attached example, the CH is split into 2 (in-order) fragments (in different UDP packets) and the second one in turn is divided into 9 (out-of-order) CRYPTO frames; the reassembler code works out-of-the-box even in this (new) scenario.
* Add STOMP protocol dissector (#2280)Vladimir Gavrilov2024-01-23
|
* Add ElectronicArts detection support (#2274)Vladimir Gavrilov2024-01-21
| | | | | * Add ElectronicArts detection support * Merge electronicarts.pcapng into sites.pcapng
* Add Yojimbo (netcode) protocol dissector (#2277)Toni2024-01-21
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Zoom: improve detection (#2270)Ivan Nardi2024-01-21
|
* Fix detection of new Cassandra versions (#2272)Vladimir Gavrilov2024-01-20
| | | | | | | * Fix detection of new Cassandra versions * Add Cassandra Internode Communication protocol support * Add default port for Cassandra Internode Communication protocol
* Add Mumble detection support (#2269)Vladimir Gavrilov2024-01-19
|
* Rework Steam detection (part 1) (#2264)Vladimir Gavrilov2024-01-18
| | | | | | | | | | | | | | | | | | | | | * Clean up Steam dissector * Add Steam Datagram Relay dissector * Update docs * Update test results * Remove csgo.c from MSVC project * Small fixes * Add Steam TLS pcap sample * Merge Steam pcap samples into single one * Fix typo * Update test results
* config: DNS: add two configuration optionsNardi Ivan2024-01-18
| | | | | * Enable/disable sub-classification of DNS flows * Enable/disable processing of DNS responses
* config: HTTP: enable/disable processing of HTTP responsesNardi Ivan2024-01-18
|
* Add KCP protocol dissector. (#2257)Toni2024-01-12
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Improved uTorrent via utp (TCP-like streams over UDP). (#2255)Toni2024-01-11
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Add PIA (Private Internet Access) support (#2250)Vladimir Gavrilov2024-01-09
| | | | | | | * Fix typo in protocols.rst * Add PIA (Private Internet Access) support * Update ndpi_main.c
* Add Roughtime protocol dissector. (#2248)Toni2024-01-09
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Make some test traces smaller (#2243)Ivan Nardi2024-01-08
| | | | | | Having smaller traces help fuzzing: we want the fuzzers to mutate "interesting" packets analyzed by nDPI, i.e. the first packets of each flows. Try hard to keep the same classification and extraction capabilities
* Add Google Chat support (#2244)Vladimir Gavrilov2024-01-07
|
* Add Ceph protocol dissector (#2242)Vladimir Gavrilov2024-01-04
| | | | | * Add Ceph protocol dissector * Update protocols.rst
* Add HL7 protocol dissector (#2240)Vladimir Gavrilov2024-01-02
| | | | | | | * Add HL7 protocol dissector * Small fixes * Small fixes
Powered by cgit, Themed by Ted Yin.