path: root/tests/cfgs
Commit message | Author | Age
...
* ndpiReader: explicitly remove non ipv4/6 packets (#2601) | Ivan Nardi | 2024-10-19
* ndpiReader: add some statistics about monitoring (#2602) | Ivan Nardi | 2024-10-19
* Added support for RDP over TLS | Luca Deri | 2024-10-19
* Improved TCP fingerprint calculation | Luca Deri | 2024-10-18
    Added basic OS detection based on TCP fingerprint
* Add configuration of TCP fingerprint computation (#2598) | Ivan Nardi | 2024-10-18
    Extend configuration of raw format of JA4C fingerprint
* Increased struct ndpi_flow_struct size (#2596) | Luca Deri | 2024-10-18
    Build fix
* STUN: if the same metadata is found multiple times, keep the first value (#2591) | Ivan Nardi | 2024-10-15
* STUN: fix monitoring of Whatsapp and Zoom flows (#2590) | Ivan Nardi | 2024-10-15
* Add monitoring capability (#2588) | Ivan Nardi | 2024-10-14
    Allow nDPI to process entire flows and not only the first N packets.
    Useful when the application is interested in some metadata spanning the
    entire life of the session. As an initial step, only STUN flows can be put
    in monitoring. See `doc/monitoring.md` for further details.
    This feature is disabled by default.
    Close #2583
* Fixed JA4 invalid computation due to code bug and uninitialized values | Luca Deri | 2024-10-13
* Added sonos dissector | Luca Deri | 2024-10-13
* Add DingTalk protocol support (#2581) | Vladimir Gavrilov | 2024-10-07
* Exports DNS A/AAAA responses (up to 4 addresses) | Luca | 2024-10-02
    Changed the default to IPv4 (used to be IPv6) in case of DNS error response
* TLS: detect abnormal padding usage (#2579) | Ivan Nardi | 2024-10-01
    Padding is usually some hundred bytes long. Longer padding might be used as
    an obfuscation technique to force unusual CH fragmentation
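The padding-length check described in the commit above, as an added example written for this page: it is not nDPI's implementation, and the `PADDING_THRESHOLD` of 512 bytes, the constructed `build_client_hello` sample and the 8 KiB buffer are assumptions. The parser walks record -> handshake -> ClientHello -> extensions and flags a padding extension (type 21, RFC 7685) longer than the threshold. It deliberately handles only a ClientHello that fits in one TLS record; a hello forced into several records by oversized padding (the fragmentation the commit mentions) would need record reassembly first and is reported here as unparseable.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TLS_EXT_PADDING 21          /* extension type from RFC 7685 */
#define PADDING_THRESHOLD 512       /* assumed threshold, not nDPI's value */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk record -> handshake -> ClientHello -> extensions and report the length
 * of the padding extension. Returns 1 if present (length in *pad_len), 0 if
 * absent, -1 if the bytes are not one complete, unfragmented ClientHello. */
static int tls_ch_padding_len(const uint8_t *p, size_t len, size_t *pad_len)
{
  size_t off, end, ext_end, body;

  if (len < 9 || p[0] != 0x16) return -1;               /* handshake record */
  end = 5 + rd16(p + 3);
  if (end > len || p[5] != 0x01) return -1;             /* ClientHello      */
  body = ((size_t)p[6] << 16) | ((size_t)p[7] << 8) | p[8];
  if (9 + body > end) return -1;
  end = 9 + body;
  off = 9 + 2 + 32;                                     /* version + random */
  if (off + 1 > end) return -1;
  off += 1 + p[off];                                    /* session id       */
  if (off + 2 > end) return -1;
  off += 2 + rd16(p + off);                             /* cipher suites    */
  if (off + 1 > end) return -1;
  off += 1 + p[off];                                    /* compression      */
  if (off + 2 > end) return -1;
  ext_end = off + 2 + rd16(p + off);
  if (ext_end > end) return -1;
  for (off += 2; off + 4 <= ext_end; ) {
    uint16_t type = rd16(p + off);
    size_t elen = rd16(p + off + 2);
    off += 4;
    if (off + elen > ext_end) return -1;                /* extension overruns list */
    if (type == TLS_EXT_PADDING) { *pad_len = elen; return 1; }
    off += elen;
  }
  if (off != ext_end) return -1;                        /* trailing garbage */
  *pad_len = 0;
  return 0;
}

/* Constructed sample (not a capture): a minimal TLS 1.3-style ClientHello with
 * one supported_versions extension and a padding extension of pad_len bytes. */
static size_t build_client_hello(uint8_t *out, size_t cap, uint16_t pad_len)
{
  static const uint8_t sv[] = { 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04 };
  size_t ext_len = sizeof sv + 4 + pad_len;
  size_t body = 2 + 32 + 1 + 2 + 2 + 1 + 1 + 2 + ext_len;
  uint8_t *q = out;

  if (9 + body > cap || 4 + body > 0x4000) return 0;    /* must fit one record */
  *q++ = 0x16; *q++ = 0x03; *q++ = 0x01;
  *q++ = (uint8_t)((4 + body) >> 8); *q++ = (uint8_t)(4 + body);
  *q++ = 0x01;
  *q++ = (uint8_t)(body >> 16); *q++ = (uint8_t)(body >> 8); *q++ = (uint8_t)body;
  *q++ = 0x03; *q++ = 0x03;                             /* legacy version   */
  memset(q, 0x42, 32); q += 32;                         /* fake random      */
  *q++ = 0x00;                                          /* no session id    */
  *q++ = 0x00; *q++ = 0x02; *q++ = 0x13; *q++ = 0x01;   /* TLS_AES_128_GCM_SHA256 */
  *q++ = 0x01; *q++ = 0x00;                             /* null compression */
  *q++ = (uint8_t)(ext_len >> 8); *q++ = (uint8_t)ext_len;
  memcpy(q, sv, sizeof sv); q += sizeof sv;
  *q++ = 0x00; *q++ = TLS_EXT_PADDING;
  *q++ = (uint8_t)(pad_len >> 8); *q++ = (uint8_t)pad_len;
  memset(q, 0x00, pad_len); q += pad_len;
  return (size_t)(q - out);
}

/* Parsed padding length of a constructed ClientHello, or -1 if unparseable. */
static long padding_length(uint16_t pad_len)
{
  uint8_t buf[8192]; size_t n, pad = 0;
  n = build_client_hello(buf, sizeof buf, pad_len);
  if (n == 0 || tls_ch_padding_len(buf, n, &pad) < 0) return -1;
  return (long)pad;
}

/* Build a ClientHello with the given padding, optionally chop truncate_by
 * bytes off the end, and classify: 1 = abnormal, 0 = normal, -1 = unparseable. */
static int padding_verdict(uint16_t pad_len, size_t threshold, size_t truncate_by)
{
  uint8_t buf[8192]; size_t n, pad = 0;
  n = build_client_hello(buf, sizeof buf, pad_len);
  if (n == 0 || truncate_by >= n) return -1;
  if (tls_ch_padding_len(buf, n - truncate_by, &pad) < 0) return -1;
  return pad > threshold;
}

int main(void)
{
  printf("200-byte padding:  %d\n", padding_verdict(200, PADDING_THRESHOLD, 0));
  printf("1500-byte padding: %d\n", padding_verdict(1500, PADDING_THRESHOLD, 0));
  printf("truncated record:  %d\n", padding_verdict(1500, PADDING_THRESHOLD, 1));
  return 0;
}
```

The verdict is three-valued on purpose: a record that is truncated or split should be "not yet parseable" rather than "normal", otherwise an attacker who fragments the hello gets a clean bill of health for free.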
* TLS: heuristics: fix memory allocations (#2577) | Ivan Nardi | 2024-09-30
    Allocate heuristics state only if really needed.
    Fix memory leak (it happened with WebSocket traffic on port 443)
* Add enable/disable guessing using client IP/port (#2569) | Liam Wilson | 2024-09-27
    Add configurable options for whether to include client port or client IP
    in the flow's protocol guesses. This defaults to including both client
    port/IP if the protocol is not guessed with the server IP/port. This is
    intended for when flow direction detection is enabled, so we know that
    sport = client port, dport = server port.
* Add some heuristics to detect encrypted/obfuscated/proxied TLS flows (#2553) | Ivan Nardi | 2024-09-24
    Based on the paper: "Fingerprinting Obfuscated Proxy Traffic with
    Encapsulated TLS Handshakes".
    See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting
    Basic idea:
    * the packets/bytes distribution of a TLS handshake is quite unique
    * this fingerprint is still detectable if the handshake is
      encrypted/proxied/obfuscated
    All heuristics are disabled by default.
* Fix Sonos trace | Nardi Ivan | 2024-09-24
* Added Sonos protocol detection | Luca Deri | 2024-09-24
* TLS: improve handling of Change Cipher message (#2564) | Ivan Nardi | 2024-09-23
* Allow IP guess before port in ndpi_detection_giveup (#2562) | Liam Wilson | 2024-09-20
    Add dpi.guess_ip_before_port which when enabled uses classification by-ip
    before classification by-port.
* TLS out of order (#2561) | Ivan Nardi | 2024-09-18
    * Revert "Added fix for handling Server Hello before Client Hello"
      This reverts commit eb15b22e7757cb70894fdcde440e62bc40f22df1.
    * TLS: add some tests with unidirectional traffic
    * TLS: another attempt to process CH received after the SH
      Obviously, we will process unidirectional traffic longer, because we are
      now waiting for messages in both directions
* Added fix for handling Server Hello before Client Hello | Luca | 2024-09-17
* Fixed handling of spurious TCP retransmissions | Luca | 2024-09-17
* dns: add a check before setting `NDPI_MALFORMED_PACKET` risk (#2558) | Ivan Nardi | 2024-09-16
    "Invalid DNS Header" risk should be set only if the flow has already been
    classified as DNS. Otherwise, almost any non-DNS flow on port 53 will end
    up having the `NDPI_MALFORMED_PACKET` risk set, which is a little bit
    confusing for non-DNS traffic
* Add a heuristic to detect encrypted/obfuscated OpenVPN flows (#2547) | Ivan Nardi | 2024-09-16
    Based on the paper: "OpenVPN is Open to VPN Fingerprinting"
    See: https://www.usenix.org/conference/usenixsecurity22/presentation/xue-diwen
    Basic idea:
    * the distribution of the first byte of the messages (i.e. the
      distribution of the op-codes) is quite unique
    * this fingerprint might still be detectable even if the OpenVPN packets
      are somehow fully encrypted/obfuscated
    The heuristic is disabled by default.
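The first-byte (opcode) distribution idea in the commit above, as an added illustration written for this page and not nDPI's heuristic. The opcode numbering is OpenVPN's (opcode in the top 5 bits of the first byte, key id in the low 3 bits); `MIN_PKTS`, `MAX_DISTINCT`, the "one value dominates the tail" rule and the three sample byte sequences are assumptions constructed here. `openvpn_plain` checks the opcodes themselves; `openvpn_obfuscated` ignores the values and keeps only their distribution, which is why it still fires when every byte has been XOR-scrambled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* OpenVPN opcodes: top 5 bits of the first byte; the low 3 bits are the key id. */
enum {
  OP_HARD_RESET_CLIENT_V1 = 1, OP_HARD_RESET_SERVER_V1 = 2, OP_SOFT_RESET_V1 = 3,
  OP_CONTROL_V1 = 4, OP_ACK_V1 = 5, OP_DATA_V1 = 6,
  OP_HARD_RESET_CLIENT_V2 = 7, OP_HARD_RESET_SERVER_V2 = 8, OP_DATA_V2 = 9,
  OP_HARD_RESET_CLIENT_V3 = 10
};

#define MIN_PKTS 6            /* assumed: packets needed before a verdict   */
#define MAX_DISTINCT 5        /* assumed: distinct first bytes in a session */

static int opcode(uint8_t b) { return b >> 3; }

/* Number of distinct first-byte values among the first n packets. */
static size_t distinct_first_bytes(const uint8_t *fb, size_t n)
{
  uint8_t seen[256] = { 0 };
  size_t i, d = 0;
  for (i = 0; i < n; i++) if (!seen[fb[i]]++) d++;
  return d;
}

/* Plaintext OpenVPN: client and server each open with a hard reset, every
 * later opcode is a valid one, and the session reaches the data channel. */
static int openvpn_plain(const uint8_t *fb, size_t n)
{
  size_t i, data = 0;
  int c, s;
  if (n < MIN_PKTS) return 0;
  c = opcode(fb[0]); s = opcode(fb[1]);
  if (c != OP_HARD_RESET_CLIENT_V1 && c != OP_HARD_RESET_CLIENT_V2 &&
      c != OP_HARD_RESET_CLIENT_V3) return 0;
  if (s != OP_HARD_RESET_SERVER_V1 && s != OP_HARD_RESET_SERVER_V2) return 0;
  for (i = 2; i < n; i++) {
    int op = opcode(fb[i]);
    if (op < OP_HARD_RESET_CLIENT_V1 || op > OP_HARD_RESET_CLIENT_V3) return 0;
    if (op == OP_DATA_V1 || op == OP_DATA_V2) data++;
  }
  return data > 0;
}

/* Obfuscated OpenVPN: look only at the distribution of the first bytes: few
 * distinct values, the two opening bytes (the hard resets) each occur exactly
 * once, and a single value (the data channel) dominates the second half. */
static int openvpn_obfuscated(const uint8_t *fb, size_t n)
{
  size_t i, c0 = 0, c1 = 0, half, best = 0, cnt[256] = { 0 };
  if (n < MIN_PKTS || fb[0] == fb[1]) return 0;
  if (distinct_first_bytes(fb, n) > MAX_DISTINCT) return 0;
  for (i = 0; i < n; i++) { c0 += (fb[i] == fb[0]); c1 += (fb[i] == fb[1]); }
  if (c0 != 1 || c1 != 1) return 0;          /* hard resets are one-shot (retransmissions ignored here) */
  half = n / 2;
  for (i = half; i < n; i++) if (++cnt[fb[i]] > best) best = cnt[fb[i]];
  return best * 2 >= n - half;
}

/* Constructed samples (not captures): first byte of each packet of a session,
 * both directions interleaved in arrival order. */
static const uint8_t SAMPLE_OPENVPN[] = {
  0x38, 0x40,                       /* HARD_RESET_CLIENT_V2, HARD_RESET_SERVER_V2 */
  0x28, 0x20, 0x20, 0x28, 0x28,     /* ACK_V1 / CONTROL_V1 while TLS handshakes  */
  0x48, 0x48, 0x48, 0x48, 0x48      /* DATA_V2                                   */
};
static const uint8_t SAMPLE_OBFUSCATED[] = {   /* SAMPLE_OPENVPN, every byte XOR 0xA5 */
  0x9d, 0xe5, 0x8d, 0x85, 0x85, 0x8d, 0x8d, 0xed, 0xed, 0xed, 0xed, 0xed
};
static const uint8_t SAMPLE_OTHER[] = {        /* unrelated traffic, many distinct bytes */
  0xc0, 0xc1, 0x40, 0x41, 0xc2, 0x42, 0xc3, 0x43, 0x44, 0x45, 0x46, 0x47
};

int main(void)
{
  printf("plain      : plain=%d obfuscated=%d\n",
         openvpn_plain(SAMPLE_OPENVPN, sizeof SAMPLE_OPENVPN),
         openvpn_obfuscated(SAMPLE_OPENVPN, sizeof SAMPLE_OPENVPN));
  printf("xor-masked : plain=%d obfuscated=%d\n",
         openvpn_plain(SAMPLE_OBFUSCATED, sizeof SAMPLE_OBFUSCATED),
         openvpn_obfuscated(SAMPLE_OBFUSCATED, sizeof SAMPLE_OBFUSCATED));
  printf("other      : plain=%d obfuscated=%d\n",
         openvpn_plain(SAMPLE_OTHER, sizeof SAMPLE_OTHER),
         openvpn_obfuscated(SAMPLE_OTHER, sizeof SAMPLE_OTHER));
  return 0;
}
```

The distribution-only check is the weaker classifier of the two and is the kind of heuristic one keeps disabled by default: any protocol with a short, low-variety header byte followed by a long run of one data opcode would match, so in practice it is a signal to combine with other evidence rather than a verdict.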
* QUIC: add a basic heuristic to detect mid-flows | Nardi Ivan | 2024-09-10
* RTMP: improve detection (#2549) | Ivan Nardi | 2024-09-10
* oracle: fix dissector (#2548) | Ivan Nardi | 2024-09-07
    We can definitely do better, but this change is a big improvement with
    respect to the current broken code
* Add detection of Windscribe VPN | Nardi Ivan | 2024-09-05
* Add detection of CactusVPN | Nardi Ivan | 2024-09-05
* Add detection of SurfShark VPN | Nardi Ivan | 2024-09-05
* OpenVPN, Wireguard: improve sub-classification | Nardi Ivan | 2024-09-05
    Allow sub-classification of OpenVPN/Wireguard flows using their server IP.
    That is useful to detect the specific VPN application/app used.
    At the moment, the supported protocols are: Mullvad, NordVPN, ProtonVPN.
    This feature is configurable.
* Add detection of NordVPN | Nardi Ivan | 2024-09-05
* OpenVPN: improve detection | Nardi Ivan | 2024-09-05
* Add Lustre protocol detection support (#2544) | Vladimir Gavrilov | 2024-09-04
* Align serialized risk names to all others (first letter; uppercase letter) (#2541) | Toni | 2024-09-03
    Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Bittorrent: improve detection of UTPv1 and avoid false positives | Nardi Ivan | 2024-09-03
* Bittorrent: fix extra dissection | Nardi Ivan | 2024-09-03
    On the extra-dissection data-path we only need to look for the hash (the
    flow is already classified as Bittorrent).
    As a nice side-effect, the confidence now always has the right value.
* HTTP, QUIC, TLS: allow to disable sub-classification (#2533) | Ivan Nardi | 2024-09-03
* Fix CNP-IP false positives (#2531) | Vladimir Gavrilov | 2024-08-30
* Add TRDP protocol support (#2528) | Vladimir Gavrilov | 2024-08-25
    The Train Real Time Data Protocol (TRDP) is a UDP/TCP-based communication
    protocol designed for IP networks in trains, enabling data exchange between
    devices such as door controls and air conditioning systems. It is
    standardized by the IEC under IEC 61375-2-3 and is not related to the
    Remote Desktop Protocol (RDP).
* Tests output update | Luca Deri | 2024-08-25
* Add Automatic Tank Gauge protocol (#2527) | wssxsxxsx | 2024-08-23
    See also #2523
    Co-authored-by: Nardi Ivan <nardi.ivan@gmail.com>
* Add CNP/IP protocol support (#2521) | Vladimir Gavrilov | 2024-08-22
    ISO/IEC 14908-4 defines how to tunnel Control Network Protocol (CNP) over
    IP networks. It encapsulates protocols like EIA-709, EIA-600, and CNP,
    making it a versatile solution for building automation and control systems.
* Sync unit tests results | Nardi Ivan | 2024-08-07
* Fixed probing attempt risk that was creating false positives | Luca Deri | 2024-08-07
* Update all IP lists (#2515) | Ivan Nardi | 2024-08-02
    The `suffix_id` is simply an incremental index (see
    `ndpi_load_domain_suffixes`), so its value might change every time we
    update the public suffix list.
* Improved ICMP malformed packet risk description | Luca Deri | 2024-07-25
* FPC: add DPI information (#2514) | Ivan Nardi | 2024-07-23
    If the flow is classified (via DPI) after the first packet, we should use
    this information as FPC