aboutsummaryrefslogtreecommitdiff
path: root/tests/pcap
Commit message (Collapse)AuthorAge
...
* HTTP: fix classification (#1692)Ivan Nardi2022-07-30
| | | | | | | | | | If we have a valid HTTP sessions, we should ignore `flow->guessed_protocol_id` field (i.e. classification "by-port") altogheter. The attached trace was classified as "SIP/HTTP" only because the *client* port was 5060... As a general rule, having a classification such as "XXXX/HTTP" is *extremely* suspicious.
* SMTPS, POPS, IMAPS: fix classification and extra dissection (#1685)Ivan Nardi2022-07-30
| | | | | | The big change in TLS code is to allow "master" protocols other than TLS/DTLS, like SMTPS, POPS and IMAPS. This change will allow, in a future, a proper and complete TLS dissection for all these protocols with "STARTTLS"-like messages.
* Add Softether dissector. (#1679)Toni2022-07-29
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Add AVAST dissector. (#1674)Toni2022-07-25
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Improve handling of HTTP-Proxy and HTTP-Connect (#1673)Ivan Nardi2022-07-25
| | | | | | | | | | | | Treat HTTP-Proxy and HTTP-Connect flows like the HTTP ones: print/serialize all the attributes and allow parsing of replies. The line about "1kxun" has been removed to avoid regressions in 1KXUN classification in `tests/pcap/1kxun.pcap`. I haven't fully understod what was happening but the comment at the beginning of `static ndpi_category_match category_match[]` says that we can't have overlaps between `host_match` and `category_match` lists and that is no longer true since 938e89ca. Bottom line: removing this line seems the right thing to do, anyway.
* Added AliCloud server access dissector. (#1672)Toni2022-07-23
| | | | Signed-off-by: lns <matzeton@googlemail.com> Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* TLS: improve reassembler (#1669)Ivan Nardi2022-07-22
| | | | | | | | * TLS: cosmetic changes * TLS: improve reassembler We might need to contemporary re-order messages from both directions: use one buffer per direction.
* DTLS: fix exclusion of DTLS protocolNardi Ivan2022-07-20
| | | | Add an helper to exclude a generic protocol
* Improved Jabber/XMPP detection. (#1661)Toni2022-07-13
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* HTTP: improve detection of WindowsUpdate (#1658)Ivan Nardi2022-07-10
| | | | WindowsUpdate is also transported over HTTP, using a numeric IP as hostname (some kinds of CDN?)
* SIP: improve detection (#1654)Ivan Nardi2022-07-09
|
* SMB: add (partial) support for messages split into multiple TCP segments (#1644)Ivan Nardi2022-07-07
|
* Kerberos: add support for Krb-Error messages (#1647)Ivan Nardi2022-07-07
|
* MONGODB: avoid false positivesNardi Ivan2022-07-07
|
* TLS: ignore invalid Content Type valuesNardi Ivan2022-07-07
|
* Added Threema Messenger. (#1643)Toni2022-07-06
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added another RiotGames signature.Toni Uhlig2022-07-06
| | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added UltraSurf protocol dissector. (#1618)Toni2022-07-04
| | | | | * TLSv1.3 UltraSurf flows are not detected by now Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Update host content list match (#1633)Ivan Nardi2022-07-04
| | | | Improve classifications of Outlook, Cachefly, Cloudflare, Tiktok and Cybersecurity.
* Added Psiphon detection patterns. See #566 and #1099. (#1631)Toni2022-07-04
| | | | | * The traces are not up to date, but this is the best we got so far. Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added i3D and RiotGames protocol dissectors. (#1609)Toni2022-07-03
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* TargusDataspeed: avoid false positives (#1628)Ivan Nardi2022-07-03
| | | | | TargusDataspeed dissector doesn't perform any real DPI checks but it only looks at the TCP/UDP ports. Delete it, and use standard logic to classify these flows by port.
* Skinny: rework and improve classification (#1625)Ivan Nardi2022-07-03
|
* TLS: add support for old DTLS versions and for detection of mid-sessions (#1619)Ivan Nardi2022-07-03
|
* Improved TFTP. Dissect Read/Write Request filenames. (#1617)Toni2022-07-03
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added Cloudflare WARP detection patterns. (#1615) (#1616)Toni2022-07-02
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added TunnelBear VPN detection patterns. (#1615)Toni2022-07-01
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Improved SOAP via HTTP. (#1605)Toni2022-06-18
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Improved GenshinImpact protocol dissector. (#1604)Toni2022-06-18
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Added collectd dissector (again). (#1601)Toni2022-06-17
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Improved IPSec/ISAKMP detection. (#1600)Toni2022-06-16
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Added new test pcapsLuca2022-06-15
|
* Add support for PIM (Protocol Indipendent Multicast) protocol (#1599)Ivan Nardi2022-06-15
| | | Close #1598
* Improved WhatsApp detection. (#1595)Toni2022-06-14
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Added Pragmatic General Multicast (PGM) protocol detectionLuca Deri2022-06-08
|
* Reimplemented 1kxun application protocol. (#1585)Toni2022-06-06
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Fixed syslog false negatives. (#1582)Toni2022-06-05
| | | | | - RSH vs Syslog may still happen for midstream traffic Signed-off-by: lns <matzeton@googlemail.com>
* Added RSH dissector. Fixes #202. (#1581)Toni2022-06-04
| | | | | | - added syslog false-positive pcap that was missing in 09fbe0a64a11b08a35435f516e9a19f7e0c20d7c - added NDPI_ARRAY_LENGTH() macro, usable on `type var[]` declarations Signed-off-by: lns <matzeton@googlemail.com>
* Fixed syslog false positives. (#1577)Toni2022-06-03
| | | | | | | * syslog: removed unnecessary/unreliable printable string check * added `ndpi_isalnum()` * splitted `ndpi_is_printable_string()` into `ndpi_is_printable_buffer()` and `ndpi_normalize_printable_string()` Signed-off-by: lns <matzeton@googlemail.com>
* Prohibit MPEG-DASH to set HTTP as application protocol. (#1560)Toni2022-05-30
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Dazn: add support for Dazn streaming service (#1559)Ivan Nardi2022-05-29
| | | Update .gitignore file
* Added MPEG-DASH dissector. Fixes #1223. (#1555)Toni2022-05-29
| | | | | | * Improved HTTP POST detection * Refactored subprotocol detection Signed-off-by: lns <matzeton@googlemail.com>
* Moved mgcp.pcapng to tests/pcap/ instead of tests/Toni Uhlig2022-05-16
| | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Improved Viber (TCP) detection. (#1547)Toni2022-05-10
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Improved Xiaomi HTTP detection. (#1546)Toni2022-05-10
| | | | | * Merged Xiaomi pcap files Signed-off-by: lns <matzeton@googlemail.com>
* Added Softether(-VPN) DDNS service detection. (#1544)Toni2022-05-09
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Improved TLS alert detection. (#1542)Toni2022-05-08
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Improved TLS application data detection. (#1541)Toni2022-05-08
| | | | | | * #1532 did fx TLS appdata detection only partially * use flow->l4.tcp.tls.message.buffer_used instead of packet->payload Signed-off-by: lns <matzeton@googlemail.com>
* Improved suspicious http user agent detection. (#1537)Toni2022-05-02
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Improved TLS application data detection. (#1532)Toni2022-04-27
| | | Signed-off-by: lns <matzeton@googlemail.com>
Powered by cgit, Themed by Ted Yin.