aboutsummaryrefslogtreecommitdiff
path: root/tests/pcap
Commit message (Collapse)AuthorAge
...
* Added test pcapLuca Deri2021-07-06
|
* Improved RTSP via HTTP detection. (#1232)Toni2021-07-06
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Improved Z39.50 detection. (#1225)Toni2021-07-05
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added Z39.50 protocol. (#1219)Toni2021-06-29
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* QUIC: add basic support for fragmented Client Hello (#1216)Ivan Nardi2021-06-24
| | | | Only in-order and non overlapping fragments are handled See #1195
* New testing pcap with syn scan attackLuca2021-06-08
|
* Added TLS certifiacate cachingLuca Deri2021-05-15
| | | | Added Fortigate protocol
* Converted some test .pcapng files to pcap formatLuca Deri2021-05-13
|
* Added browser TLS heuristicLuca Deri2021-05-13
|
* Improved SSL certificate name wildcard handling and risk. #1182 (#1183)Toni2021-05-11
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* TLS: fix another use-of-uninitialized-value error in ClientHello parsing (#1179)Ivan Nardi2021-05-09
| | | | | | | | | | | | Error detected with valgrind. ==13127== Conditional jump or move depends on uninitialised value(s) ==13127== at 0x483EF58: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==13127== by 0x1A93B6: ndpi_strdup (ndpi_main.c:159) ==13127== by 0x1C07CC: processClientServerHello (tls.c:1678) ==13127== by 0x1C0C4C: processTLSBlock (tls.c:712) ==13127== by 0x1C0C4C: ndpi_search_tls_tcp.part.0 (tls.c:849) See also 8c3674e9
* Add Genshin Impact protocol. (#1173)Toni2021-04-25
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Add HP Virtual Machine Group Management (hpvirtgrp) protocol. (#1170)Toni2021-04-20
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* TLS: fix some use-of-uninitialized-value errors in ClientHello parsing (#1169)Ivan Nardi2021-04-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Error detected with valgrind. ==125883== Conditional jump or move depends on uninitialised value(s) ==125883== at 0x438F57: processClientServerHello (tls.c:1421) ==125883== by 0x43B35A: processTLSBlock (tls.c:712) ==125883== by 0x43B1C4: ndpi_search_tls_tcp (tls.c:849) ==125883== by 0x42C60B: check_ndpi_detection_func (ndpi_main.c:4426) ==125883== by 0x42E920: ndpi_detection_process_packet (ndpi_main.c:5301) ==125916== Conditional jump or move depends on uninitialised value(s) ==125916== at 0x438D7D: processClientServerHello (tls.c:1379) ==125916== by 0x43B35A: processTLSBlock (tls.c:712) ==125916== by 0x43B1C4: ndpi_search_tls_tcp (tls.c:849) ==125916== by 0x42C60B: check_ndpi_detection_func (ndpi_main.c:4426) ==125932== Conditional jump or move depends on uninitialised value(s) ==125932== at 0x438C1D: processClientServerHello (tls.c:1298) ==125932== by 0x43B35A: processTLSBlock (tls.c:712) ==125932== by 0x43B1C4: ndpi_search_tls_tcp (tls.c:849) ==125932== by 0x42C60B: check_ndpi_detection_func (ndpi_main.c:4426) ==125950== Conditional jump or move depends on uninitialised value(s) ==125950== at 0x438D4F: processClientServerHello (tls.c:1371) ==125950== by 0x43B35A: processTLSBlock (tls.c:712) ==125950== by 0x43B1C4: ndpi_search_tls_tcp (tls.c:849) ==125950== by 0x42C079: check_ndpi_detection_func (ndpi_main.c:4443)
* Fix detunneling of GTP-U traffic (#1168)Ivan Nardi2021-04-18
| | | | | Fuzzing #1161 exposed some (completely unrelated) issues on GTP-U detunneling code. (see https://github.com/ntop/nDPI/actions/runs/719882047)
* Refactored nDPI subprotocol handling and aimini protocol detection. (#1156)Toni2021-03-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Refactored and merged callback buffer routines for non-udp-tcp / udp / tcp / tcp-wo-payload. Signed-off-by: Toni Uhlig <matzeton@googlemail.com> * Try to detect one subprotocol if a detected protocol can have one. * This adds a performance overhead due to much more protocol detection routine calls. See #1148 for more information. Signed-off-by: Toni Uhlig <matzeton@googlemail.com> * Refactor subprotocol handling (1/2). Signed-off-by: Toni Uhlig <matzeton@googlemail.com> * Refactor subprotocol handling (2/2). Signed-off-by: Toni Uhlig <matzeton@googlemail.com> * Prevent some code duplication by using macros for ndpi_int_one_line_struct string comparision. Signed-off-by: Toni Uhlig <matzeton@googlemail.com> * Refactored aimini HTTP detection parts (somehow related to #1148). Signed-off-by: Toni Uhlig <matzeton@googlemail.com> * Added aimini client/server test pcap. Signed-off-by: Toni Uhlig <matzeton@googlemail.com> * Removed master protocol as it was only used for STUN and via also removed API function ndpi_get_protocol_id_master_proto * Adjusted Python code to conform to the changes made during the refactoring process. Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Add support for Snapchat voip calls (#1147)Ivan Nardi2021-03-06
| | | | | | | | | * Add support for Snapchat voip calls Snapchat multiplexes some of its audio/video real time traffic with QUIC sessions. The peculiarity of these sessions is that they are Q046 and don't have any SNI. * Fix tests with libgcrypt disabled
* DTLS: improve support (#1146)Ivan Nardi2021-03-02
| | | | | | | * DTLS: add some pcap tests * DTLS: fix parsing of Client/Server Helllo message * DTLS: add parsing of server certificates
* QUIC: fix mvfst-27 test (#1145)Ivan Nardi2021-03-02
| | | | Regardless of its name, quic-mvfst-27 trace doesn't contain mvfst-27 traffic
* Implemented TLS Certificate Sibject matchingLuca Deri2021-02-22
| | | | Improved AnyDesk detection
* Added risky domain flow-risk supportLuca Deri2021-02-21
|
* Fixed CPHA missing protocol initializationLuca Deri2021-02-10
| | | | Improved IEC104 and IRC detection
* IRC test filesLuca Deri2021-02-09
|
* Partial fix for #1129Luca Deri2021-02-05
|
* Added test pcapLuca Deri2021-02-03
|
* Added pcap for testing fragments reassemblyLuca Deri2021-02-03
|
* QUIC: add suppport for DNS-over-QUIC (#1107)Ivan Nardi2021-01-07
| | | | | | | | | Even if it is only an early internet draft, DoQ has already (at least) one deployed implementation. See: https://www.zdnet.com/article/ad-blocker-adguard-deploys-worlds-first-dns-over-quic-resolver/ Draft: https://tools.ietf.org/html/draft-huitema-dprive-dnsoquic-00 In the future, if this protocol will be really used, it might be worth to rename NDPI_PROTOCOL_DOH_DOT in NDPI_PROTOCOL_DOH_DOT_DOQ
* QUIC: update to draft-33 (#1104)Ivan Nardi2021-01-04
| | | QUIC (final!?) constants for v1 are defined in draft-33
* Remove FB_ZERO protocol (#1102)Ivan Nardi2021-01-04
| | | | | | FB_ZERO was an experimental protocol run by Facebook. They switched to QUIC/TLS1.3 more than 2 years ago; no one ever used it but them so it is definitely dead. See: https://engineering.fb.com/2018/08/06/security/fizz/
* Added TLS test with long certificateLuca Deri2021-01-04
|
* Added HTTP suspicious content securirty risk (useful for tracking trickbot)Luca Deri2021-01-02
|
* Add a connectionless DCE/RPC detection (#1078)rafaliusz2020-12-08
| | | | | | | * Add connectionless DCE/RPC detection * Add DCE/RPC pcap file as well as its test result Co-authored-by: rafal <rafal.burzynski@cryptomage.com>
* Quic fixes (#1067)Ivan Nardi2020-11-22
| | | | | | | * QUIC: fix return value on error path on quic_cipher_init() * QUIC: allow dissection of sessions forcing version negotiation Enhance heuristic to avoid false positives.
* Add Virtual Asssitant (Alexa, Siri) support. (#1057)Zied Aouini2020-11-16
| | | | | | | | | | | | | | | * Add AmazonAlexa protocol. * Add AmazonAlexa test file and result. * Include pcapng as file format. * Rename Category to VirtualAssistant. * Add AppleSiri virtual assistant. * Fix pcapng test files format support. Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>
* Add Tumblr support. (#1061)Zied Aouini2020-11-16
| | | | | | | * Add Tumblr protocol. * Add Tumblr test file and result. Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>
* Add Reddit support. (#1060)Zied Aouini2020-11-16
| | | | | | | * Add Reddit protocol. * Add Reddit test file and result. Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>
* Add Pinterest support. (#1059)Zied Aouini2020-11-16
| | | | | | | * Add Pinterest protocol. * Add Pinterest test file and result. Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>
* Added support for AmongUs. (#1054)Toni2020-11-09
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Updated ESNI/SNI alarm generation prolicyLuca Deri2020-11-08
|
* :bulb: Add mongodb protocol dissector (#1048)Leonn2020-11-03
|
* QUIC: fix dissection of Initial packets coalesced with 0-RTT one (#1044)Ivan Nardi2020-11-03
| | | | | * QUIC: fix dissection of Initial packets coalesced with 0-RTT one * QUIC: fix a memory leak
* Improve skype detection (#1039)Igor Duarte2020-10-27
| | | | | | | * Add new skype pcap PCAP extracted from SkypeIRC.cap (available in https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=SkypeIRC.cap) * Improve skype detection
* Added CPHA - CheckPoint High Availability Protocol protocl supportLuca Deri2020-10-22
|
* Fix parsing of DLT_PPP datalink type (#1042)Ivan Nardi2020-10-21
|
* Various optimizations to reduce not-necessary callsLuca Deri2020-09-24
| | | | | Optimized various UDP dissectors Removed dead protocols such as pando and pplive
* Added risks for checkingLuca Deri2020-09-21
| | | | | - invalid DNS traffic (probably carrying exfiltrated data) - TLS traffic with no SNI extension
* QUIC: add support for MVFST EXPERIMENTAL versionNardi Ivan2020-09-20
|
* Reworked MDNS dissector that is not based on the DNS dissectorLuca Deri2020-09-17
|
* Merge pull request #1014 from lnslbrty/improved/teamspeakLuca Deri2020-09-09
|\ | | | | Improved Teamspeak(3) protocol detection.
| * Improved Teamspeak(3) protocol detection.Toni Uhlig2020-09-09
| | | | | | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Powered by cgit, Themed by Ted Yin.