aboutsummaryrefslogtreecommitdiff
path: root/tests/result/dns_exfiltration.pcap.out
Commit message (Collapse)AuthorAge
* Keep track of how many dissectors calls we made for each flow (#1657)Ivan Nardi2022-07-11
|
* Fix handling of NDPI_UNIDIRECTIONAL_TRAFFIC risk (#1636)Ivan Nardi2022-07-05
|
* Added unidirectional traffic flow riskLuca Deri2022-06-20
|
* Updated DNS alert triggered only with TTL == 0Luca Deri2022-06-14
|
* Restored ndpi_set_proto_defaults() prototypeLuca Deri2022-06-13
| | | | Updated test results
* Improved DNS traffic analysisLuca Deri2022-06-13
| | | | Added ability to identify application and network protocols
* Updated tests resultsLuca Deri2022-05-30
| | | | Code cleanup
* Modified risk labelsLuca Deri2022-05-04
|
* Sync unit tests results (#1533)Ivan Nardi2022-04-27
|
* Sync unit tests results (#1423)Ivan Nardi2022-01-28
| | | Fix: 7a3aa41a
* Add a "confidence" field about the reliability of the classification. (#1395)Ivan Nardi2022-01-11
| | | | | | | | | | | | | As a general rule, the higher the confidence value, the higher the "reliability/precision" of the classification. In other words, this new field provides an hint about "how" the flow classification has been obtained. For example, the application may want to ignore classification "by-port" (they are not real DPI classifications, after all) or give a second glance at flows classified via LRU caches (because of false positives). Setting only one value for the confidence field is a bit tricky: more work is probably needed in the next future to tweak/fix/improve the logic.
* ndpiReader: slight simplificaton of the output (#1378)Ivan Nardi2021-11-27
|
* Rework how hostname/SNI info is saved (#1330)Ivan Nardi2021-11-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | Looking at `struct ndpi_flow_struct` the two bigger fields are `host_server_name[240]` (mainly for HTTP hostnames and DNS domains) and `protos.tls_quic.client_requested_server_name[256]` (for TLS/QUIC SNIs). This commit aims to reduce `struct ndpi_flow_struct` size, according to two simple observations: 1) maximum one of these two fields is used for each flow. So it seems safe to merge them; 2) even if hostnames/SNIs might be very long, in practice they are rarely longer than a fews tens of bytes. So, using a (single) large buffer is a waste of memory for all kinds of flows. If we need to truncate the name, we keep the *last* characters, easing domain matching. Analyzing some real traffic, it seems safe to assume that the vast majority of hostnames/SNIs is shorter than 80 bytes. Hostnames/SNIs are always converted to lowercase. Attention was given so as to be sure that unit-tests outputs are not affected by this change. Because of a bug, TLS/QUIC SNI were always truncated to 64 bytes (the *first* 64 ones): as a consequence, there were some "Suspicious DGA domain name" and "TLS Certificate Mismatch" false positives.
* Updated outputLuca Deri2021-08-07
|
* ndpiReader: add statistics about nDPI performance (#1240)Ivan Nardi2021-07-13
| | | | | | | The goal is to have a (roughly) idea about how many packets nDPI needs to properly classify a flow. Log this information (and guessed flows number too) during unit tests, to keep track of improvements/regressions across commits.
* Added flow risk scoreLuca Deri2021-05-18
|
* Changed due to bin size extensionLuca Deri2020-07-30
|
* Updated test results due to bin changesLuca Deri2020-07-09
|
* Added ndpi_bin_XXX APILuca Deri2020-06-22
| | | | Added packet lenght distribution bins
* DGA detection improvementsLuca Deri2020-06-18
|
* Added dns_exfiltration.pcapLuca Deri2020-03-23
Powered by cgit, Themed by Ted Yin.