path: root/tests/cfgs

Commit message  (Author, Age)
* Fix nBPF matches  [HEAD] [dev]  (Ivan Nardi, 8 days)

* Rework calling `check_tcp_flags()` and `check_probing_attempt()`  (Ivan Nardi, 8 days)

* Z39.50: avoid false positives (#2938)  (Ivan Nardi, 13 days)
    Close #2540

* HTTP: fix protocol stack for some proxy flows (#2935)  (Ivan Nardi, 14 days)

* Add Mudfish protocol dissector (#2932)  (Toni, 2025-08-06)
    Signed-off-by: Toni Uhlig <matzeton@googlemail.com>

* Sync unit tests results  (Ivan Nardi, 2025-08-06)

* Sync unit tests results  (Ivan Nardi, 2025-08-05)

* Follow-up of 8e1b17215: `NDPI_UNRESOLVED_HOSTNAME` (#2933)  (Ivan Nardi, 2025-08-05)
    Add fuzzing, documentation and unit tests
* Add the concept of protocols stack: more than 2 protocols per flow (#2913)  (Ivan Nardi, 2025-08-01)

    The idea is to remove the limitation of only two protocols ("master" and "app") in the flow classification. This is quite handy, especially for STUN flows and, in general, for any flows where there is some kind of transition from a cleartext protocol to TLS: HTTP_PROXY -> TLS/Youtube; SMTP -> SMTPS (via STARTTLS msg).

    In the vast majority of the cases, the protocol stack is simply Master/Application.

    Examples of real stacks (from the unit tests) different from the standard "master/app":
    * "STUN.WhatsAppCall.SRTP": a WA call
    * "STUN.DTLS.GoogleCall": a Meet call
    * "Telegram.STUN.DTLS.TelegramVoip": a Telegram call
    * "SMTP.SMTPS.Google": an SMTP connection to a Google server started in cleartext and updated to TLS
    * "HTTP.Google.ntop": an HTTP connection to a Google domain (match via "Host" header) and to a ntop server (match via "Server" header)

    The logic to create the stack is still a bit coarse: we have a decade of code trying to push everything into only two protocols... Therefore, the content of the stack is still **highly experimental** and might change in the near future; do you have any suggestions?
    It is quite likely that the legacy fields "master_protocol" and "app_protocol" will be there for a long time.

    Add some helpers to use the stack:
    ```
    ndpi_stack_get_upper_proto();
    ndpi_stack_get_lower_proto();
    bool ndpi_stack_contains(struct ndpi_proto_stack *s, u_int16_t proto_id);
    bool ndpi_stack_is_tls_like(struct ndpi_proto_stack *s);
    bool ndpi_stack_is_http_like(struct ndpi_proto_stack *s);
    ```

    Be sure the new stack logic is compatible with legacy code:
    ```
    assert(ndpi_stack_get_upper_proto(&flow->detected_protocol.protocol_stack) == ndpi_get_upper_proto(flow->detected_protocol));
    assert(ndpi_stack_get_lower_proto(&flow->detected_protocol.protocol_stack) == ndpi_get_lower_proto(flow->detected_protocol));
    ```
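An added toy model of the stack idea described in this commit, written for this page and not taken from nDPI: the struct layout, the protocol ids and names, and the set of "TLS-like" protocols are hypothetical, and only the helper names mirror the ones listed in the message. It parses the dotted stack strings quoted from the unit tests and answers the lower/upper/contains/TLS-like questions about them, so the difference from a fixed master/app pair is visible on the four-layer Telegram example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not nDPI's struct ndpi_proto_stack or NDPI_PROTOCOL_* ids. */
#define STACK_MAX_DEPTH 8

enum proto_id {
  P_UNKNOWN = 0, P_HTTP, P_TLS, P_DTLS, P_STUN, P_SRTP, P_SMTP, P_SMTPS,
  P_GOOGLE, P_GOOGLE_CALL, P_WHATSAPP_CALL, P_TELEGRAM, P_TELEGRAM_VOIP,
  P_NTOP, P_NUM_PROTOS
};

static const char *proto_names[P_NUM_PROTOS] = {
  "Unknown", "HTTP", "TLS", "DTLS", "STUN", "SRTP", "SMTP", "SMTPS",
  "Google", "GoogleCall", "WhatsAppCall", "Telegram", "TelegramVoip", "ntop"
};

struct proto_stack {
  uint16_t ids[STACK_MAX_DEPTH];   /* lowest layer first, in the order the flow was classified */
  unsigned depth;
};

/* Push one more layer; unknown ids and duplicates are rejected so repeated matches don't grow the stack. */
bool stack_push(struct proto_stack *s, uint16_t id) {
  unsigned i;
  if (id == P_UNKNOWN || id >= P_NUM_PROTOS || s->depth >= STACK_MAX_DEPTH) return false;
  for (i = 0; i < s->depth; i++) if (s->ids[i] == id) return false;
  s->ids[s->depth++] = id;
  return true;
}

uint16_t stack_get_lower_proto(const struct proto_stack *s) { return s->depth ? s->ids[0] : P_UNKNOWN; }
uint16_t stack_get_upper_proto(const struct proto_stack *s) { return s->depth ? s->ids[s->depth - 1] : P_UNKNOWN; }

bool stack_contains(const struct proto_stack *s, uint16_t id) {
  unsigned i;
  for (i = 0; i < s->depth; i++) if (s->ids[i] == id) return true;
  return false;
}

/* Hypothetical rule: "TLS-like" means some layer encrypts the payload (TLS, DTLS or the SMTPS upgrade). */
bool stack_is_tls_like(const struct proto_stack *s) {
  return stack_contains(s, P_TLS) || stack_contains(s, P_DTLS) || stack_contains(s, P_SMTPS);
}

static uint16_t proto_by_name(const char *name) {
  unsigned i;
  for (i = 1; i < P_NUM_PROTOS; i++) if (strcmp(proto_names[i], name) == 0) return (uint16_t)i;
  return P_UNKNOWN;
}

/* Parse the dotted form used in the unit-test listings, e.g. "SMTP.SMTPS.Google". */
bool stack_from_string(const char *str, struct proto_stack *s) {
  char buf[128], *tok;
  memset(s, 0, sizeof(*s));
  if (str == NULL || strlen(str) >= sizeof(buf)) return false;
  strcpy(buf, str);
  for (tok = strtok(buf, "."); tok != NULL; tok = strtok(NULL, ".")) {
    uint16_t id = proto_by_name(tok);
    if (id == P_UNKNOWN || !stack_push(s, id)) return false;   /* unknown layer or overflow */
  }
  return s->depth > 0;
}

/* Inverse of stack_from_string; stops when the output buffer is full. */
void stack_to_string(const struct proto_stack *s, char *out, size_t outlen) {
  unsigned i;
  size_t used = 0;
  out[0] = '\0';
  for (i = 0; i < s->depth && used < outlen; i++)
    used += (size_t)snprintf(out + used, outlen - used, "%s%s", i ? "." : "", proto_names[s->ids[i]]);
}

int main(void) {
  /* Constructed inputs: the stack strings quoted in the commit message. */
  const char *samples[] = { "STUN.WhatsAppCall.SRTP", "SMTP.SMTPS.Google",
                            "Telegram.STUN.DTLS.TelegramVoip", "HTTP.Google.ntop" };
  struct proto_stack s;
  char out[64];
  size_t i;

  for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    if (!stack_from_string(samples[i], &s)) { printf("%s: parse error\n", samples[i]); continue; }
    stack_to_string(&s, out, sizeof(out));
    printf("%-34s depth=%u lower=%s upper=%s tls_like=%d\n", out, s.depth,
           proto_names[stack_get_lower_proto(&s)], proto_names[stack_get_upper_proto(&s)],
           stack_is_tls_like(&s));
  }
  return 0;
}
```

The lower and upper layers here are simply the first and last entries, which is the only part of the legacy master/app mapping the commit message commits to; everything in between is what the two-field model could not express.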
* Whois/DAS: avoid false positives (#2925)  (Ivan Nardi, 2025-07-30)
    Close #2922

* ndpiReader: add breed to flow information (#2924)  (Ivan Nardi, 2025-07-30)

* Google, Signal: fix breed value (#2920)  (Ivan Nardi, 2025-07-29)
    Use the same breed value for both standard and content-matching classification

* Workaround for big-endian builds  (Ivan Nardi, 2025-07-19)
    Fix CI tests on big-endian builds.
    We have a long-standing issue on big-endian archs: it might be related to uthash or to how we use uthash in ndpiReader
* Fix JA4 fingerprinting (#2915)  (Adrian Pekar, 2025-07-10)

    * Fix JA4 ALPN fingerprint to use first and last characters

      According to the JA4 specification (line 2139), the ALPN field should contain the first and last characters of the first ALPN extension value. Currently, nDPI uses the first and second characters (alpn[0] and alpn[1]), which produces incorrect fingerprints that don't match other JA4 implementations like Wireshark.

      For example, with ALPN 'http/1.1':
      - Current (incorrect): 'ht' (first + second char)
      - Fixed (correct): 'h1' (first + last char)

      This change ensures nDPI's JA4 implementation conforms to the official specification and maintains interoperability with other JA4 tools.

      Fixes: Incorrect JA4 ALPN fingerprint generation

    * Fix JA4 ALPN implementation to correctly parse first ALPN protocol

      The previous fix attempted to use strlen(ja->client.alpn)-1 but this was insufficient because nDPI modifies the ALPN string by:
      1. Adding null terminators that truncate the last character
      2. Converting semicolons to dashes, affecting multi-protocol ALPNs

      This complete fix:
      - Adds alpn_original_last field to store the true last character
      - Captures the last character of the FIRST ALPN protocol only (before ;/,)
      - Preserves the original character before nDPI's string modifications

      Now correctly implements JA4 spec: first + last characters of first ALPN protocol

      Examples:
      - ALPN 'h2;http/1.1' -> 'h2' (not 'h.' or 'h1')
      - ALPN 'http/1.1' -> 'h1' (not 'ht' or 'h.')

      Fixes: #2914

    * Fix JA4 SNI detection to properly handle missing SNI extensions

      Previously, nDPI incorrectly set the JA4 SNI flag to 'd' (domain present) for flows without any SNI extension. This was because the logic only checked for the NDPI_NUMERIC_IP_HOST risk (set when the SNI contains an IP) but didn't distinguish between missing SNI and domain SNI.

      Now properly detects:
      - No SNI extension → 'i' flag
      - SNI with IP address → 'i' flag
      - SNI with domain → 'd' flag

      This matches the JA4 specification.
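An added illustration of the two JA4 rules this commit corrects, written for this page and not taken from nDPI: the function names are hypothetical, the serialised ALPN list ("h2;http/1.1", values separated by ';' or ',') is modelled on the commit's description of nDPI's internal string, the JA4_a layout follows the public JA4 description, and the spec's special case for non-alphanumeric ALPN values is deliberately not handled. The old first-plus-second-character rule is kept beside the fixed one so the 'ht' versus 'h1' difference can be seen on the same input.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Fixed rule: first and last character of the FIRST ALPN value only.
 * alpn_list is the joined list as described in the commit ("h2;http/1.1");
 * out receives two chars plus NUL. No ALPN at all -> "00". */
void ja4_alpn_chars(const char *alpn_list, char out[3]) {
  size_t len;

  out[0] = '0'; out[1] = '0'; out[2] = '\0';
  if (alpn_list == NULL) return;
  len = strcspn(alpn_list, ";,");        /* length of the first value, stop at the separator */
  if (len == 0) return;
  out[0] = alpn_list[0];
  out[1] = alpn_list[len - 1];
}

/* The behaviour the commit replaces: first and SECOND character, which
 * yields "ht" for "http/1.1" and does not match other JA4 tools. */
void ja4_alpn_chars_old(const char *alpn_list, char out[3]) {
  out[0] = '0'; out[1] = '0'; out[2] = '\0';
  if (alpn_list == NULL || strlen(alpn_list) < 2) return;
  out[0] = alpn_list[0];
  out[1] = alpn_list[1];
}

/* SNI flag: 'd' only for a real domain name; 'i' both for a missing SNI
 * and for an IPv4/IPv6 literal. The missing-SNI case is the one the commit fixes. */
char ja4_sni_flag(const char *sni) {
  unsigned char buf[16];

  if (sni == NULL || *sni == '\0') return 'i';
  if (inet_pton(AF_INET, sni, buf) == 1 || inet_pton(AF_INET6, sni, buf) == 1) return 'i';
  return 'd';
}

/* Assemble the JA4_a section: transport ('t'/'q'), TLS version ("13"), SNI flag,
 * cipher and extension counts (two digits, capped at 99) and the two ALPN chars,
 * e.g. "t13d1516h2". */
void ja4_a(char transport, const char *version, const char *sni,
           unsigned n_ciphers, unsigned n_exts, const char *alpn_list,
           char *out, size_t outlen) {
  char alpn[3];

  if (n_ciphers > 99) n_ciphers = 99;
  if (n_exts > 99) n_exts = 99;
  ja4_alpn_chars(alpn_list, alpn);
  snprintf(out, outlen, "%c%s%c%02u%02u%s", transport, version,
           ja4_sni_flag(sni), n_ciphers, n_exts, alpn);
}

int main(void) {
  /* Constructed inputs, not captured traffic. */
  const char *samples[] = { "http/1.1", "h2;http/1.1", "", NULL };
  char cur[3], old[3], a[32];
  size_t i;

  for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    ja4_alpn_chars(samples[i], cur);
    ja4_alpn_chars_old(samples[i], old);
    printf("ALPN %-12s old=%s fixed=%s\n", samples[i] ? samples[i] : "(none)", old, cur);
  }
  ja4_a('t', "13", "example.com", 15, 16, "h2;http/1.1", a, sizeof(a));
  printf("%s\n", a);   /* t13d1516h2 */
  ja4_a('t', "13", NULL, 15, 16, "http/1.1", a, sizeof(a));
  printf("%s\n", a);   /* t13i1516h1 */
  return 0;
}
```

The practical point for anyone matching nDPI output against Wireshark or a JA4 database: both the ALPN characters and the SNI flag sit in JA4_a, so a single wrong character there changes the whole fingerprint and breaks the lookup silently.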
* Results update  (Luca Deri, 2025-07-08)

* Add Blacknut, Boosteroid and Rumble protocols (SNI detection WIP) (#2907)  (kalinda, 2025-07-03)
    Co-authored-by: Ivan Nardi <nardi.ivan@gmail.com>

* Added EasyWeather protocol dissector (#2912)  (Toni, 2025-07-03)
    Signed-off-by: Toni Uhlig <matzeton@googlemail.com>

* websocket: `ndpi_set_detected_protocol()` should be called only once  (Ivan Nardi, 2025-07-02)
    Fix: b07a910dc

* DNS: `ndpi_match_host_subprotocol()` should be called only once  (Ivan Nardi, 2025-07-01)

* Rework classification in `ndpi_match_host_subprotocol()`-like functions (#2910)  (Ivan Nardi, 2025-07-01)

* Jabber: proper subclassification of TruPhone  (Ivan Nardi, 2025-07-01)

* Remove some hack for Google traffic in `ndpi_reconcile_protocols()`  (Ivan Nardi, 2025-07-01)

* Fix `ndpi_reconcile_protocols` with classification by port/ip  (Ivan Nardi, 2025-07-01)

* Fix classification with nBPF rules  (Ivan Nardi, 2025-07-01)

* Bittorrent: update default ports (#2902)  (Ivan Nardi, 2025-06-23)

* STUN: don't check `NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT` flow risk (#2901)  (Ivan Nardi, 2025-06-23)

* ndpiReader: fix check on max number of packets per flow  (Ivan Nardi, 2025-06-23)

* Viber: fix category  (Ivan Nardi, 2025-06-23)

* Classify Tracking/ADS/Analytics traffic only via category (#2900)  (Ivan Nardi, 2025-06-23)
    See 3a243bb40 for similar work about porn and LLM
* ndpiReader: print categories summary (#2895)  (Ivan Nardi, 2025-06-21)

* Rework default ports initialization (#2893)  (Ivan Nardi, 2025-06-20)
    Default ports trees are initialized during `ndpi_finalize_initialization()`.
    Make `ndpi_init_detection_module()` less likely to fail, because there are fewer memory allocations.

* Merged protocols (now free to use) into existing categories  (Luca Deri, 2025-06-17)
    - AdultContent -> Category Adult Content
    - LLM -> Category Artificial Intelligence

* No limits on the number of (custom) protocols (#2875)  (Ivan Nardi, 2025-06-16)
    The hard limit of the total number of protocols (internal and custom) is ~65535, because protocol ids are `u_int16_t`...

    API changes:
    1. From `NDPI_MAX_SUPPORTED_PROTOCOLS + NDPI_MAX_NUM_CUSTOM_PROTOCOLS` to `ndpi_get_num_protocols()` (after having called `ndpi_finalize_initialization()`);
    2. From `proto_id >= NDPI_MAX_SUPPORTED_PROTOCOLS` to `ndpi_is_custom_protocol(proto_id)` (after having called `ndpi_finalize_initialization()`);

    Close #2136
    Close #2545

* Add GLBP dissector (#2879)  (Vladimir Gavrilov, 2025-06-10)
    GLBP is a Cisco proprietary first-hop redundancy protocol similar to HSRP and VRRP, but with additional load balancing capabilities.

* Simplify `ndpi_internal_detection_process_packet()` (#2877)  (Ivan Nardi, 2025-06-10)
    Simplify process of each packet

* Add category and breed support for custom rules (#2872)  (Vladimir Gavrilov, 2025-06-08)
    Close #2594

* Fixes invalid SSH client/server detection based on stage and not on packet direction  (Luca Deri, 2025-06-08)

* Sync unit tests results and fix `NDPI_HTTP_SUSPICIOUS_HEADER` (#2874)  (Ivan Nardi, 2025-06-08)
* Sync unit tests results  (Ivan Nardi, 2025-06-08)

* Improved HTTP risk report  (Luca Deri, 2025-06-08)
    PCRE2 is now enabled (if present) by default as necessary to report some HTTP risks

* Normalize breed/category names: use _ instead of spaces and slashes (#2873)  (Vladimir Gavrilov, 2025-06-07)

* Added IMO and Badoo files  (Luca Deri, 2025-06-06)

* Dynamic allocation of `ndpi_struct->proto_defaults[]` (#2866)  (Ivan Nardi, 2025-06-06)
    Partial revert of 88bfe2cf0: in the trees we save the index and no longer a pointer to `ndpi_struct->proto_defaults[]`.
    Remove some functions from public API
    See #2136

* Sync unit tests results  (Ivan Nardi, 2025-06-05)

* Sync unit tests results  (Ivan Nardi, 2025-06-05)

* Improved HTTP risk message report  (Luca Deri, 2025-06-05)

* Add a configuration to test a huge number of custom protocols (#2865)  (Ivan Nardi, 2025-06-03)
    File taken from #2136

* Add Hamachi protocol detection support (#2860)  (Vladimir Gavrilov, 2025-06-02)

* Updated bots and scanners list  (Luca Deri, 2025-05-29)
    Improved lists file parsing

* Fix configuration of ip lists of flow risks (#2859)  (Ivan Nardi, 2025-05-28)
    Add some new tests about these configuration parameters.
    Close #2858