| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
RFC9001 4.6.1: "A client that wishes to send 0-RTT packets uses the
early_data extension in the ClientHello message of a subsequent handshake;
see Section 4.2.10 of [TLS13]. It then sends application data in 0-RTT
packets."
That means the client sends before the CH (in the Initial) and then the
0-RTT (in the same UDP datagram or not)".
However, because of packet loss or out-of-order delivery, it might
happens that a 0-RTT packet is received before the Initial (the original
one or a retransmission).
For example, Google and Facebook servers save 0-RTT packets for a small
amount of time in hopes of receiving the corresponding Initial.
Update the QUIC dissector to detect 0-RTT packets and keep looking for
the Initial.
Issue found by @utoni in #1706; the trace example has been taken from that
PR.
|
| |
|
|
|
|
|
|
| |
* CQL: fixed byte order conversion (BigEndian not LittleEndian)
* CQL: increased required successful dissected packets to prevent false-positives
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
| |
Signed-off-by: lns <matzeton@googlemail.com>
Signed-off-by: lns <matzeton@googlemail.com>
|
| |
|
|
|
| |
* added static assert if supported, to complain if the flow struct changes
Signed-off-by: lns <matzeton@googlemail.com>
|
| |
|
|
|
| |
* fixed RiotGames false positive
Signed-off-by: lns <matzeton@googlemail.com>
|
| |
|
| |
Signed-off-by: lns <matzeton@googlemail.com>
|
| |
|
|
|
|
|
|
|
|
| |
If we have a valid HTTP sessions, we should ignore
`flow->guessed_protocol_id` field (i.e. classification "by-port")
altogheter.
The attached trace was classified as "SIP/HTTP" only because the *client*
port was 5060...
As a general rule, having a classification such as "XXXX/HTTP" is
*extremely* suspicious.
|
| |
|
|
|
|
| |
The big change in TLS code is to allow "master" protocols other than
TLS/DTLS, like SMTPS, POPS and IMAPS.
This change will allow, in a future, a proper and complete TLS dissection
for all these protocols with "STARTTLS"-like messages.
|
| |
|
| |
Signed-off-by: lns <matzeton@googlemail.com>
|
| |
|
| |
Signed-off-by: lns <matzeton@googlemail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Treat HTTP-Proxy and HTTP-Connect flows like the HTTP ones:
print/serialize all the attributes and allow parsing of replies.
The line about "1kxun" has been removed to avoid regressions in 1KXUN
classification in `tests/pcap/1kxun.pcap`. I haven't fully understod
what was happening but the comment at the beginning of `static
ndpi_category_match category_match[]` says that we can't have overlaps
between `host_match` and `category_match` lists and that is no longer true
since 938e89ca.
Bottom line: removing this line seems the right thing to do, anyway.
|
| |
|
|
| |
Signed-off-by: lns <matzeton@googlemail.com>
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
|
|
|
| |
* TLS: cosmetic changes
* TLS: improve reassembler
We might need to contemporary re-order messages from both directions:
use one buffer per direction.
|
| |
|
|
| |
Add an helper to exclude a generic protocol
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
| |
WindowsUpdate is also transported over HTTP, using a numeric IP as
hostname (some kinds of CDN?)
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
| |
* TLSv1.3 UltraSurf flows are not detected by now
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
| |
Improve classifications of Outlook, Cachefly, Cloudflare, Tiktok and
Cybersecurity.
|
| |
|
|
|
| |
* The traces are not up to date, but this is the best we got so far.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
| |
TargusDataspeed dissector doesn't perform any real DPI checks but it only
looks at the TCP/UDP ports.
Delete it, and use standard logic to classify these flows by port.
|
| | |
|
| | |
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
| |
Signed-off-by: lns <matzeton@googlemail.com>
|
| |
|
| |
Signed-off-by: lns <matzeton@googlemail.com>
|
| |
|
| |
Signed-off-by: lns <matzeton@googlemail.com>
|
| |
|
| |
Signed-off-by: lns <matzeton@googlemail.com>
|
| | |
|
| |
|
| |
Close #1598
|
| |
|
| |
Signed-off-by: lns <matzeton@googlemail.com>
|
| | |
|
| |
|
| |
Signed-off-by: lns <matzeton@googlemail.com>
|
| |
|
|
|
| |
- RSH vs Syslog may still happen for midstream traffic
Signed-off-by: lns <matzeton@googlemail.com>
|
| |
|
|
|
|
| |
- added syslog false-positive pcap that was missing in 09fbe0a64a11b08a35435f516e9a19f7e0c20d7c
- added NDPI_ARRAY_LENGTH() macro, usable on `type var[]` declarations
Signed-off-by: lns <matzeton@googlemail.com>
|
| |
|
|
|
|
|
| |
* syslog: removed unnecessary/unreliable printable string check
* added `ndpi_isalnum()`
* splitted `ndpi_is_printable_string()` into `ndpi_is_printable_buffer()` and `ndpi_normalize_printable_string()`
Signed-off-by: lns <matzeton@googlemail.com>
|
| |
|
| |
Signed-off-by: lns <matzeton@googlemail.com>
|
| |
|
| |
Update .gitignore file
|
| |
|
|
|
|
| |
* Improved HTTP POST detection
* Refactored subprotocol detection
Signed-off-by: lns <matzeton@googlemail.com>
|
| |
|
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|