aboutsummaryrefslogtreecommitdiff
path: root/tests/pcap
Commit message (Collapse)AuthorAge
* Add support for Snapchat voip calls (#1147)Ivan Nardi2021-03-06
| | | | | | | | | * Add support for Snapchat voip calls Snapchat multiplexes some of its audio/video real time traffic with QUIC sessions. The peculiarity of these sessions is that they are Q046 and don't have any SNI. * Fix tests with libgcrypt disabled
* DTLS: improve support (#1146)Ivan Nardi2021-03-02
| | | | | | | * DTLS: add some pcap tests * DTLS: fix parsing of Client/Server Helllo message * DTLS: add parsing of server certificates
* QUIC: fix mvfst-27 test (#1145)Ivan Nardi2021-03-02
| | | | Regardless of its name, quic-mvfst-27 trace doesn't contain mvfst-27 traffic
* Implemented TLS Certificate Sibject matchingLuca Deri2021-02-22
| | | | Improved AnyDesk detection
* Added risky domain flow-risk supportLuca Deri2021-02-21
|
* Fixed CPHA missing protocol initializationLuca Deri2021-02-10
| | | | Improved IEC104 and IRC detection
* IRC test filesLuca Deri2021-02-09
|
* Partial fix for #1129Luca Deri2021-02-05
|
* Added test pcapLuca Deri2021-02-03
|
* Added pcap for testing fragments reassemblyLuca Deri2021-02-03
|
* QUIC: add suppport for DNS-over-QUIC (#1107)Ivan Nardi2021-01-07
| | | | | | | | | Even if it is only an early internet draft, DoQ has already (at least) one deployed implementation. See: https://www.zdnet.com/article/ad-blocker-adguard-deploys-worlds-first-dns-over-quic-resolver/ Draft: https://tools.ietf.org/html/draft-huitema-dprive-dnsoquic-00 In the future, if this protocol will be really used, it might be worth to rename NDPI_PROTOCOL_DOH_DOT in NDPI_PROTOCOL_DOH_DOT_DOQ
* QUIC: update to draft-33 (#1104)Ivan Nardi2021-01-04
| | | QUIC (final!?) constants for v1 are defined in draft-33
* Remove FB_ZERO protocol (#1102)Ivan Nardi2021-01-04
| | | | | | FB_ZERO was an experimental protocol run by Facebook. They switched to QUIC/TLS1.3 more than 2 years ago; no one ever used it but them so it is definitely dead. See: https://engineering.fb.com/2018/08/06/security/fizz/
* Added TLS test with long certificateLuca Deri2021-01-04
|
* Added HTTP suspicious content securirty risk (useful for tracking trickbot)Luca Deri2021-01-02
|
* Add a connectionless DCE/RPC detection (#1078)rafaliusz2020-12-08
| | | | | | | * Add connectionless DCE/RPC detection * Add DCE/RPC pcap file as well as its test result Co-authored-by: rafal <rafal.burzynski@cryptomage.com>
* Quic fixes (#1067)Ivan Nardi2020-11-22
| | | | | | | * QUIC: fix return value on error path on quic_cipher_init() * QUIC: allow dissection of sessions forcing version negotiation Enhance heuristic to avoid false positives.
* Add Virtual Asssitant (Alexa, Siri) support. (#1057)Zied Aouini2020-11-16
| | | | | | | | | | | | | | | * Add AmazonAlexa protocol. * Add AmazonAlexa test file and result. * Include pcapng as file format. * Rename Category to VirtualAssistant. * Add AppleSiri virtual assistant. * Fix pcapng test files format support. Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>
* Add Tumblr support. (#1061)Zied Aouini2020-11-16
| | | | | | | * Add Tumblr protocol. * Add Tumblr test file and result. Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>
* Add Reddit support. (#1060)Zied Aouini2020-11-16
| | | | | | | * Add Reddit protocol. * Add Reddit test file and result. Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>
* Add Pinterest support. (#1059)Zied Aouini2020-11-16
| | | | | | | * Add Pinterest protocol. * Add Pinterest test file and result. Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>
* Added support for AmongUs. (#1054)Toni2020-11-09
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Updated ESNI/SNI alarm generation prolicyLuca Deri2020-11-08
|
* :bulb: Add mongodb protocol dissector (#1048)Leonn2020-11-03
|
* QUIC: fix dissection of Initial packets coalesced with 0-RTT one (#1044)Ivan Nardi2020-11-03
| | | | | * QUIC: fix dissection of Initial packets coalesced with 0-RTT one * QUIC: fix a memory leak
* Improve skype detection (#1039)Igor Duarte2020-10-27
| | | | | | | * Add new skype pcap PCAP extracted from SkypeIRC.cap (available in https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=SkypeIRC.cap) * Improve skype detection
* Added CPHA - CheckPoint High Availability Protocol protocl supportLuca Deri2020-10-22
|
* Fix parsing of DLT_PPP datalink type (#1042)Ivan Nardi2020-10-21
|
* Various optimizations to reduce not-necessary callsLuca Deri2020-09-24
| | | | | Optimized various UDP dissectors Removed dead protocols such as pando and pplive
* Added risks for checkingLuca Deri2020-09-21
| | | | | - invalid DNS traffic (probably carrying exfiltrated data) - TLS traffic with no SNI extension
* QUIC: add support for MVFST EXPERIMENTAL versionNardi Ivan2020-09-20
|
* Reworked MDNS dissector that is not based on the DNS dissectorLuca Deri2020-09-17
|
* Merge pull request #1014 from lnslbrty/improved/teamspeakLuca Deri2020-09-09
|\ | | | | Improved Teamspeak(3) protocol detection.
| * Improved Teamspeak(3) protocol detection.Toni Uhlig2020-09-09
| | | | | | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* | Added extension to detect nested subdomains as used in Browsertunnel attack toolLuca Deri2020-09-09
|/ | | | https://github.com/veggiedefender/browsertunnel
* Added pcap file which contains dnscrypt-v1 data and resolver update ↵Toni Uhlig2020-09-07
| | | | | | | | requests/responses (v1/v2). * Renamed dnscrypt.pcap to simple-dnscrypt.pcap Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added dnscrypt-v2-doh resolver test pcaps.Toni Uhlig2020-09-07
| | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* QUIC: add support for GQUIC T050 and T051Nardi Ivan2020-08-30
| | | | | | QUIC versioning wasn't complex enough without T05X family... These versions are very similar to Q050, but use TLS as their handshake protocol.
* QUIC: minor fixesNardi Ivan2020-08-24
| | | | | | LGTM found a real issue on a boundary check Fix unit tests: a pcap ha been uploaded twice (with different names) Fix compilation when using DPDK (see #990)
* Added som GQUIC and IETF QUIC test pcapsLuca Deri2020-08-22
|
* Major rework of QUIC dissectorNardi Ivan2020-08-21
| | | | | Improve support for GQUIC (up to Q046) and add support for Q050 and (IETF-)QUIC Still no sub-classification for Q050 and QUIC
* Added the ability do identigy as DGA those host/domain names with too many ↵Luca Deri2020-08-21
| | | | | | | consucutive repeated characters such as ckaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa used fr netbios reflection attacks https://www.akamai.com/uk/en/multimedia/documents/state-of-the-internet/ddos-reflection-netbios-name-server-rpc-portmap-sentinel-udp-threat-advisory.pdf
* Added (manipulated) MySQL 8 test pcap.Toni Uhlig2020-08-20
| | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Suspicious ESNI usage: add a comment and a pcap exampleNardi Ivan2020-08-06
| | | | See: 79b89d286605635f15edfe3c21297aaa3b5f3acf
* Improved HTTP line parsing if request splitted into multiple packets.Toni Uhlig2020-07-05
| | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Fixed heap overflow in tls esni extraction triggered by manipulated packets.Toni Uhlig2020-06-29
| | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* TLS: extract JA3 signatures in some corner casesNardi Ivan2020-06-28
| | | | | In some (rare) cases, Client Hello message contains lots of cipher suits.
* Fixed off-by-one error in h323.Toni Uhlig2020-06-27
| | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added malformed packet risk supportLuca Deri2020-06-26
|
* Fixed missing length check in fbzero.Toni Uhlig2020-06-23
| | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Powered by cgit, Themed by Ted Yin.