libndpi.git - Open Source Deep Packet Inspection Software Toolkit

	Commit message (Collapse)	Author	Age
*	IPv6: add support for IPv6 risk tree (#2118)	Ivan Nardi	2023-10-27
\| \| \|	Fix the script to download crawler addressess
*	Improved Protobuf dissector. (#2119)	Toni	2023-10-27
\| \| \| \| \|	* tag extraction/validation was done wrong Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
*	Jabber: remove support for UDP (#2115)	Ivan Nardi	2023-10-26
\| \| \| \| \| \|	Jabber/XMPP is only over TCP (even the name `ndpi_search_jabber_tcp` suggests that...). Bug introduced in 5266c726f
*	ipv6: add support for ipv6 addresses lists (#2113)	Ivan Nardi	2023-10-26
\|
*	add ethereum protocol dissector. (#2111)	Maatuq	2023-10-25
\| \| \| \| \| \| \|	as explained here for bitcoin https://www.ntop.org/guides/nDPI/protocols.html#ndpi-protocol-bitcoin the same is applicable for ethereum. ethereum detection was removed from mining protocol and is now handled separately. Signed-off-by: Mahmoud Maatuq <mahmoudmatook.mm@gmail.com>
*	Added generic Google Protobuf dissector. (#2109)	Toni	2023-10-24
\| \| \|	Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
*	Add CAN over Ethernet dissector.	Toni Uhlig	2023-10-23
\| \| \| \|	Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
*	Improved CryNetwork protocol dissector.	Toni Uhlig	2023-10-23
\| \| \| \|	Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
*	Add Remote Management Control Protocol (RMCP).	Toni Uhlig	2023-10-19
\| \| \| \|	Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
*	Improved Steam detection by adding steamdiscover pattern. (#2105)	Toni	2023-10-17
\| \| \|	Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
*	Added NDPI_MALWARE_HOST_CONTACTED flow risk	Luca Deri	2023-10-13
\|
*	Improved MGCP detection by allowing '\r' as line feed.	lns	2023-10-11
\| \| \| \| \|	Signed-off-by: lns <matzeton@googlemail.com> Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
*	QUIC: export QUIC version as metadata	Nardi Ivan	2023-10-11
\|
*	Added HAProxy protocol. (#2088)	Toni	2023-10-02
\| \| \| \| \| \|	* fixed tests/do.sh.in failure print Signed-off-by: lns <matzeton@googlemail.com> Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
*	Cleaned up mining datastructure	Luca	2023-09-27
\|
*	Renamed HTTP/2 to HTTP2 as the '/' can have side effects with applications ↵	Luca Deri	2023-09-20
\| \| \| \|	sitting on top of nDPI
*	Add support for (un-encrypted) HTTP/2 (#2087)	Ivan Nardi	2023-09-18
\| \| \| \|	Plaintext HTTP/2 is quite rare on the general "internet" but it is used in some private networks (example: 5G core network)
*	tftp: update pcap results	Thomas Winter	2023-09-12
\| \| \| \| \| \| \| \|	The two malformed TFTP packets are no longer considered as risk and instead match by port only. This is because the TFTP detection was rather sparse so could match on several other protocols if the first two opcode bytes happened to match.
*	Fixes matches with domain name strings that start with a dot	Luca Deri	2023-09-11
\|
*	Update every ip lists (#2079)	Ivan Nardi	2023-09-10
\|
*	Fix some errors found by fuzzers (#2078)	Ivan Nardi	2023-09-10
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Fix compilation on Windows. "dirent.h" file has been taken from https://github.com/tronkko/dirent/ Fix Python bindings Fix some warnings with x86_64-w64-mingw32-gcc: ``` protocols/dns.c: In function ‘ndpi_search_dns’: protocols/dns.c:775:41: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast] 775 \| unsigned long first_element_len = (unsigned long)dot - (unsigned long)_hostname; \| ^ protocols/dns.c:775:62: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast] 775 \| unsigned long first_element_len = (unsigned long)dot - (unsigned long)_hostname; \| ``` ``` In file included from ndpi_bitmap64.c:31: third_party/include/binaryfusefilter.h: In function ‘binary_fuse8_hash’: third_party/include/binaryfusefilter.h:160:32: error: left shift count >= width of type [-Werror=shift-count-overflow] 160 \| uint64_t hh = hash & ((1UL << 36) - 1); ``` ``` In function ‘ndpi_match_custom_category’, inlined from ‘ndpi_fill_protocol_category.part.0’ at ndpi_main.c:7056:16: ndpi_main.c:3419:3: error: ‘strncpy’ specified bound depends on the length of the source argument [-Werror=stringop-overflow=] 3419 \| strncpy(buf, name, name_len); ```
*	Added OperaVPN detection	Luca Deri	2023-09-09
\|
*	Enhance DNS risk for long hostnames (> 32)	Luca Deri	2023-09-09
\|
*	Improved detection of invalid chars in DNS names	Luca Deri	2023-09-09
\|
*	Added NDPI_TLS_ALPN_SNI_MISMATCH flow risk	Luca Deri	2023-09-07
\|
*	Improved classification further reducing memory used	Luca Deri	2023-09-05
\|
*	Swap from Aho-Corasick to an experimental/home-grown algorithm that uses a ↵	Luca Deri	2023-08-29
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	probabilistic approach for handling Internet domain names. For switching back to Aho-Corasick it is necessary to edit ndpi-typedefs.h and uncomment the line // #define USE_LEGACY_AHO_CORASICK [1] With Aho-Corasick $ ./example/ndpiReader -G ./lists/ -i tests/pcap/ookla.pcap \| grep Memory nDPI Memory statistics: nDPI Memory (once): 37.34 KB Flow Memory (per flow): 960 B Actual Memory: 33.09 MB Peak Memory: 33.09 MB [2] With the new algorithm $ ./example/ndpiReader -G ./lists/ -i tests/pcap/ookla.pcap \| grep Memory nDPI Memory statistics: nDPI Memory (once): 37.31 KB Flow Memory (per flow): 960 B Actual Memory: 7.42 MB Peak Memory: 7.42 MB In essence from ~33 MB to ~7 MB This new algorithm will enable larger lists to be loaded (e.g. top 1M domans https://s3-us-west-1.amazonaws.com/umbrella-static/index.html) In ./lists there are file names that are named as <category>_<string>.list With -G ndpiReader can load all of them at startup
*	fuzz: extend coverage (#2073)	Ivan Nardi	2023-08-20
\|
*	Mullvad VPN service added (based on entry node IP addresses) (#2062)	snicket2100	2023-08-02
\|
*	Add Service Location Protocol dissector. (#2036)	Toni	2023-08-01
\| \| \|	Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
*	DNS: extract geolocation information, if available (#2065)	Ivan Nardi	2023-07-31
\| \| \| \| \| \| \|	The option NSID (RFC5001) is used by Google DNS to report the airport code of the metro where the DNS query is handled. This option is quite rare, but the added overhead in DNS code is pretty much zero for "normal" DNS traffic
*	ProtonVPN: split the ip list (#2060)	Ivan Nardi	2023-07-27
\| \| \| \| \| \| \| \| \| \| \|	Use two separate lists: * one for the ingress nodes, which triggers a ProtonVPN classification * one for the egress nodes, which triggers the `NDPI_ANONYMOUS_SUBSCRIBER` risk Add a command line option (to `ndpiReader`) to easily test IP/port matching. Add another example of custom rule.
*	Add an heuristic to detect fully encrypted flows (#2058)	Ivan Nardi	2023-07-26
\| \| \| \| \| \| \| \|	A fully encrypted session is a flow where every bytes of the payload is encrypted in an attempt to “look like nothing”. The heuristic needs only the very first packet of the flow. See: https://www.usenix.org/system/files/sec23fall-prepub-234-wu-mingshi.pdf A basic, but generic, inplementation of the popcpunt alg has been added
*	zabbix: improve detection (#2055)	Ivan Nardi	2023-07-21
\|
*	TLS: add basic, basic, detection of Encrypted ClientHello (#2053)	Ivan Nardi	2023-07-21
\|
*	Add detection of Roblox games (#2054)	Ivan Nardi	2023-07-21
\|
*	fuzz: extend fuzzing coverage (#2052)	Ivan Nardi	2023-07-18
\| \| \| \|	Added/merged some traces. Improved Socks identification
*	Fix compilation in CI jobs (#2048)	Ivan Nardi	2023-07-15
\|
*	ndpireader: fix detection of DoH traffic based on packet distributions (#2045)	Ivan Nardi	2023-07-14
\|
*	Adds new pcap for testing "funny" HTTP servers	Luca Deri	2023-07-14
\|
*	Restored files	Luca Deri	2023-07-14
\|
*	Fixes risk mask exception handling while improving the overall performance	Luca Deri	2023-07-14
\|
*	RDP: improve detection over UDP (#2043)	Ivan Nardi	2023-07-13
\|
*	added feature to extract filename from http attachment (#2037)	Chiara Maggi	2023-07-11
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	* added feature to extract filename from http attachment * fixed some issues * added check for filename format * added check for filename format * remove an unnecessary print * changed the size from 952 to 960 * modified some test result files * small changes string size * comment removed and mallocs checked
*	fuzz: extend fuzzing coverage (#2040)	Ivan Nardi	2023-07-11
\| \| \| \| \| \| \| \| \|	Some notes: * libinjection: according to https://github.com/libinjection/libinjection/issues/44, it seems NULL characters are valid in the input string; * RTP: `rtp_get_stream_type()` is called only for RTP packets; if you want to tell RTP from RTCP you should use `is_rtp_or_rtcp()`; * TLS: unnecessary check; we already make the same check just above, at the beginning of the `while` loop
*	STUN: fix detection of Google Voip apps (#2031)	Ivan Nardi	2023-07-05
\| \| \|	Fix: 2c7fb9179
*	STUN: avoid FacebookVoip false positives (#2029)	Ivan Nardi	2023-07-03
\| \| \| \|	Attribute 0xC057 is defined in the Google public implementation of webrtc (which is used by Google products but also by other applications)
*	STUN: fix Skype/MsTeams detection and monitoring logic (#2028)	Ivan Nardi	2023-07-03
\|
*	STUN: tell RTP from RTCP while in monitoring state (#2027)	Ivan Nardi	2023-06-27
\|
*	Hangout: detect Hangout/Duo/GoogleMeet/... in the STUN code (#2025)	Ivan Nardi	2023-06-27
\| \| \| \| \| \|	Regardless of the name, the removed trace doesn't contain meaningful Hangout traffic. Remove last piece of sub-classifiction based only on ip addresses.