aboutsummaryrefslogtreecommitdiff
path: root/tests/cfgs/default
Commit message (Collapse)AuthorAge
...
* STUN: add support for ipv6 in some metadata (#2389)Ivan Nardi2024-04-13
|
* STUN: fix boundary checks on attribute list parsing (#2387)Ivan Nardi2024-04-12
| | | | | Restore all unit tests. Add some configuration knobs. Fix the endianess.
* Implemented STUN peer_address, relayed_address, response_origin, ↵Luca Deri2024-04-12
| | | | | | | other_address parsing Added code to ignore invalid STUN realm Extended JSON output with STUN information
* Add Label Distribution Protocol support (#2385)Vladimir Gavrilov2024-04-12
| | | | | | | * Add Label Distribution Protocol support * Fix typo * Update unit test results
* Fix `ndpi_reconcile_msteams_udp` (#2377)Ivan Nardi2024-04-12
| | | | | | | Microsoft UDP traffic over port ~3478 is voip traffic, using some kind of proprietary STUN-like protocol: so use the most specific protocol id. More important, we definitely want `Stun/Skype_TeamsCall` and not `Stun/Skype_Teams`
* Updated unit test resultsToni Uhlig2024-04-12
| | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* STUN:Luca Deri2024-04-12
| | | | | - Fixed issue with XOR-MAPPED-ADDRESS decoding - Implemented MAPPED_ADDRESS (IPv4 only)
* Update unit tests resultsNardi Ivan2024-04-11
|
* Add The Elder Scrolls Online support (#2376)Vladimir Gavrilov2024-04-10
| | | | | | | | | | | * Add The Elder Scrolls Online support * Use ndpi_memmem instead of memmem from libc * Add protocol description * Change selection bitmask to V4_V6 * Update protocols.rst
* Add Shellscript risk detection. (#2375)Toni2024-04-10
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Fix a warning and restore a unit test result (#2379)Ivan Nardi2024-04-10
|
* Tuned DNS risk valuesLuca Deri2024-04-09
| | | | Modified NDPI_BINARY_TRANSFER_ATTEMPT in NDPI_BINARY_DATA_TRANSFER
* Disabled "known proto on non standard port" for FTP_DATALuca Deri2024-04-09
|
* Fixed false positives on binary application transfer riskLuca Deri2024-04-08
|
* STUN: improve extraction of Mapped-Address metadata (#2370)Ivan Nardi2024-04-08
| | | | | | | | | | | | | Enable parsing of Mapped-Address attribute for all STUN flows: that means that STUN classification might require more packets. Add a configuration knob to enable/disable this feature. Note that we can have (any) STUN metadata also for flows *not* classified as STUN (because of DTLS). Add support for ipv6. Restore the correct extra dissection logic for Telegram flows.
* Add ELF risk detection (detect transmitted linux executables). (#2373)Toni2024-04-06
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Calculate packet entropy for unknown protocols. (#2369)Toni2024-04-06
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Get rid of Apache Kafka false positives (#2372)Vladimir Gavrilov2024-04-06
|
* Add PE32/PE32+ risk detection (detect transmitted windows executables). (#2312)Toni2024-04-05
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* STUN: rework sub-classification (#2361)Ivan Nardi2024-04-04
| | | | | The main goal is to have the "real" application (if any; i.e. Signal/Whatsapp/Telegram/...) always as "application" protocol and not as "master" one
* Added support for STUN Mapped IP addressLuca Deri2024-04-03
|
* Update unit tests resultsNardi Ivan2024-04-03
|
* Added binary data transfer risk alertLuca2024-04-03
|
* Improve LoL: Wild Rift detection (#2359)Vladimir Gavrilov2024-03-28
|
* Add LoL: Wild Rift detection (#2356)Vladimir Gavrilov2024-03-26
|
* Add more TencentGames signatures (#2354)Vladimir Gavrilov2024-03-21
|
* Improve TencentGames detection (#2353)Vladimir Gavrilov2024-03-20
| | | | | * Improve TencentGames detection * Add more signatures
* STUN: remove workaround to identify RTP trafficNardi Ivan2024-03-20
| | | | | We are able to demultiplex RTP packets in STUN flows since 3608ab01b, at least; no need to explicity call the RTP dissector
* STUN: dissection of TURN Channel DataNardi Ivan2024-03-20
|
* Add FLUTE protocol dissector (#2351)Vladimir Gavrilov2024-03-19
| | | | | * Add FLUTE protocol dissector * Add flute.c to MSVC project
* LRU cache: move to 64 bits long keys (#2346)Ivan Nardi2024-03-15
| | | | | | Tradeoff between key comparison efficiency (i.e. no `memcmp`) and key length. At least in the ipv4 cases, we have no more different entries with the same key.
* STUN: fix parsing of DATA attribute (#2345)Ivan Nardi2024-03-14
|
* Add PFCP protocol dissector (#2342)Vladimir Gavrilov2024-03-13
|
* STUN: add a parameter to configure how long the extra dissection lasts (#2336)Ivan Nardi2024-03-07
| | | Tradeoff: performance (i.e. number of packets) vs sub-classification
* Add a specific protocol id for audio/video calls made using Google apps (#2341)Ivan Nardi2024-03-07
| | | Same logic already used for Signal/Whatsapp/Line/Facebook/...
* Add Path of Exile protocol dissector (#2337)Vladimir Gavrilov2024-03-06
| | | | | * Add Path of Exile protocol dissector * Update protocols.rst
* ahocorasick: improve matching with subdomains (#2331)Ivan Nardi2024-03-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The basic idea is to have the following logic: * pattern "DOMAIN" matches the domain itself (i.e exact match) *and* any subdomains (i.e. "ANYTHING.DOMAIN") * pattern "DOMAIN." matches *also* any strings for which is a prefix [please, note that this kind of match is handy but it is quite dangerous...] * pattern "-DOMAIN" matches *also* any strings for which is a postfix Examples: * pattern "wikipedia.it": * "wikipiedia.it" -> OK * "foo.wikipedia.it -> OK * "foowikipedia.it -> NO MATCH * "wikipedia.it.com -> NO MATCH * pattern "wikipedia.": * "wikipedia.it" -> OK * "foo.wikipedia.it -> OK * "foowikipedia.it -> NO MATCH * "wikipedia.it.com -> OK * pattern "-wikipedia.it": * "wikipedia.it" -> NO MATCH * "foo.wikipedia.it -> NO MATCH * "0001-wikipedia.it -> OK * "foo.0001-wikipedia.it -> OK Bottom line: * exact match * prefix with "." (always, implicit) * prefix with "-" (only if esplicitly set) * postfix with "." (only if esplicitly set) That means that the patterns cannot start with '.' anymore. Close #2330
* Improved alert on suspicious DNS trafficLuca Deri2024-03-05
|
* Add NetEase Games detection support (#2335)Vladimir Gavrilov2024-03-05
|
* Add Naraka Bladepoint detection support (#2334)Vladimir Gavrilov2024-03-04
|
* Add BFD protocol dissector (#2332)Vladimir Gavrilov2024-02-29
|
* TLS: avoid setting some flow risks for webrtc trafficNardi Ivan2024-02-26
| | | | | Is quite rare to have a SNI or an ALPN on Client Hello of STUN/DTLS/SRTP traffic
* Telegram: improve identificationNardi Ivan2024-02-26
| | | | | | | | | | | | | | | | | Follow up of 31c706c3dbbf0afc4c8e0a6d0bb6f20796296549 and 75485e177ccc4fafcc62dd46c6917d5b735cf7d2. Allow fast classification by ip, but give time to other dissectors to kick in (for example, the TLS code for the Telegram Web flows). Even if we don't classify it anymore at the very first packet (i.e. SYN) we fully classify Telegram traffic at the first packet with payload, as *any* other protocol. This way, we always have the proper category, the proper confidence for the UDP flows and we don't overwrite previous classifications (TLS or ICMP) Remove old and stale identification logic for TCP flows
* STUN: fix category when sub-classification is set in "extra-dissection" data ↵Ivan Nardi2024-02-24
| | | | path (#2320)
* Updated telegam outLuca Deri2024-02-23
|
* Fixes exception handling glitchLuca Deri2024-02-22
|
* Improved telegram detectionLuca Deri2024-02-22
|
* Add DLEP protocol dissector (#2326)Vladimir Gavrilov2024-02-20
|
* Add identification of Huawei generic and cloud traffic (#2325)Ivan Nardi2024-02-20
|
* Add ANSI C12.22 protocol dissector (#2317)Vladimir Gavrilov2024-02-15
| | | | | * Add ANSI C12.22 protocol dissector * Add UDP sample
Powered by cgit, Themed by Ted Yin.