aboutsummaryrefslogtreecommitdiff
path: root/tests/result/fuzz-2006-06-26-2594.pcap.out
Commit message (Collapse)AuthorAge
* Add TiVoConnect dissector. Fixes #1697. (#1699)Toni2022-08-08
| | | | | * added static assert if supported, to complain if the flow struct changes Signed-off-by: lns <matzeton@googlemail.com>
* Add Discord dissector. (#1694)Toni2022-08-03
| | | | | * fixed RiotGames false positive Signed-off-by: lns <matzeton@googlemail.com>
* Add Activision dissector. (#1693)Toni2022-08-02
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Add Softether dissector. (#1679)Toni2022-07-29
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Patricia tree, Ahocarasick automa, LRU cache: add statistics (#1683)Ivan Nardi2022-07-29
| | | | | | | | | | Add (basic) internal stats to the main data structures used by the library; they might be usefull to check how effective these structures are. Add an option to `ndpiReader` to dump them; enabled by default in the unit tests. This new option enables/disables dumping of "num dissectors calls" values, too (see b4cb14ec).
* TINC: avoid processing SYN packets (#1676)Ivan Nardi2022-07-28
| | | | | | | | | | | Since e6b332aa, we have proper support for detecting client/server direction. So Tinc dissector is now able to properly initialize the cache entry only when needed and not anymore at the SYN time; initializing that entry for **every** SYN packets was a complete waste of resources. Since 4896dabb, the various `struct ndpi_call_function_struct` structures are not more separate objects and therefore comparing them using only their pointers is bogus: this bug was triggered by this change because `ndpi_str->callback_buffer_size_tcp_no_payload` is now 0.
* Update the protocol bitmask for some protocols (#1675)Ivan Nardi2022-07-27
| | | | | | | Tcp retransmissions should be ignored. Remove some unused protocol bitmasks. Update script to download Whatsapp IP list.
* Add AVAST dissector. (#1674)Toni2022-07-25
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Add support for flow client/server information (#1671)Ivan Nardi2022-07-24
| | | | | | | | | | | | | | | | | | In a lot of places in ndPI we use *packet* source/dest info (address/port/direction) when we are interested in *flow* client/server info, instead. Add basic logic to autodetect this kind of information. nDPI doesn't perform any "flow management" itself but this task is delegated to the external application. It is then likely that the application might provide more reliable hints about flow client/server direction and about the TCP handshake presence: in that case, these information might be (optionally) passed to the library, disabling the internal "autodetect" logic. These new fields have been used in some LRU caches and in the "guessing" algorithm. It is quite likely that some other code needs to be updated.
* Added AliCloud server access dissector. (#1672)Toni2022-07-23
| | | | Signed-off-by: lns <matzeton@googlemail.com> Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* SKYPE: remove detection over TCPNardi Ivan2022-07-20
| | | | | | Skype detection over TCP has been completely disable since 659f75138 (3 years ago!). Since that logic was too weak anyway, remove it.
* Improved Jabber/XMPP detection. (#1661)Toni2022-07-13
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Keep track of how many dissectors calls we made for each flow (#1657)Ivan Nardi2022-07-11
|
* Fix handling of NDPI_UNIDIRECTIONAL_TRAFFIC risk (#1636)Ivan Nardi2022-07-05
|
* Added unidirectional traffic flow riskLuca Deri2022-06-20
|
* Updated DNS alert triggered only with TTL == 0Luca Deri2022-06-14
|
* Improved DNS traffic analysisLuca Deri2022-06-13
| | | | Added ability to identify application and network protocols
* Updated tests resultsLuca Deri2022-05-30
| | | | Code cleanup
* Sync unit tests results (#1533)Ivan Nardi2022-04-27
|
* Updated test resultsLuca Deri2022-02-03
|
* Sync unit tests results (#1423)Ivan Nardi2022-01-28
| | | Fix: 7a3aa41a
* Add a "confidence" field about the reliability of the classification. (#1395)Ivan Nardi2022-01-11
| | | | | | | | | | | | | As a general rule, the higher the confidence value, the higher the "reliability/precision" of the classification. In other words, this new field provides an hint about "how" the flow classification has been obtained. For example, the application may want to ignore classification "by-port" (they are not real DPI classifications, after all) or give a second glance at flows classified via LRU caches (because of false positives). Setting only one value for the confidence field is a bit tricky: more work is probably needed in the next future to tweak/fix/improve the logic.
* Improve/add several protocols (#1383)Ivan Nardi2021-12-18
| | | | | | | | | | | | | | | | | | | Improve Microsoft, GMail, Likee, Whatsapp, DisneyPlus and Tiktok detection. Add Vimeo, Fuze, Alibaba and Firebase Crashlytics detection. Try to differentiate between Messenger/Signal standard flows (i.e chat) and their VOIP (video)calls (like we already do for Whatsapp and Snapchat). Add a partial list of some ADS/Tracking stuff. Fix Cassandra, Radius and GTP false positives. Fix DNS, Syslog and SIP false negatives. Improve GTP (sub)classification: differentiate among GTP-U, GTP_C and GTP_PRIME. Fix 3 LGTM warnings.
* ndpiReader: slight simplificaton of the output (#1378)Ivan Nardi2021-11-27
|
* Rework how hostname/SNI info is saved (#1330)Ivan Nardi2021-11-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | Looking at `struct ndpi_flow_struct` the two bigger fields are `host_server_name[240]` (mainly for HTTP hostnames and DNS domains) and `protos.tls_quic.client_requested_server_name[256]` (for TLS/QUIC SNIs). This commit aims to reduce `struct ndpi_flow_struct` size, according to two simple observations: 1) maximum one of these two fields is used for each flow. So it seems safe to merge them; 2) even if hostnames/SNIs might be very long, in practice they are rarely longer than a fews tens of bytes. So, using a (single) large buffer is a waste of memory for all kinds of flows. If we need to truncate the name, we keep the *last* characters, easing domain matching. Analyzing some real traffic, it seems safe to assume that the vast majority of hostnames/SNIs is shorter than 80 bytes. Hostnames/SNIs are always converted to lowercase. Attention was given so as to be sure that unit-tests outputs are not affected by this change. Because of a bug, TLS/QUIC SNI were always truncated to 64 bytes (the *first* 64 ones): as a consequence, there were some "Suspicious DGA domain name" and "TLS Certificate Mismatch" false positives.
* Fix writes to `flow->protos` union fields (#1354)Ivan Nardi2021-11-15
| | | | | | | | | | | | | | | | | | | | | | | | | We can write to `flow->protos` only after a proper classification. This issue has been found in Kerberos, DHCP, HTTP, STUN, IMO, FTP, SMTP, IMAP and POP code. There are two kinds of fixes: * write to `flow->protos` only if a final protocol has been detected * move protocol state out of `flow->protos` The hard part is to find, for each protocol, the right tradeoff between memory usage and code complexity. Handle Kerberos like DNS: if we find a request, we set the protocol and an extra callback to further parsing the reply. For all the other protocols, move the state out of `flow->protos`. This is an issue only for the FTP/MAIL stuff. Add DHCP Class Identification value to the output of ndpiReader and to the Jason serialization. Extend code coverage of fuzz tests. Close #1343 Close #1342
* Detect invalid characters in text and set a risk. Fixes #1347. (#1363)Toni2021-10-26
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Updated test results after latest commitLuca Deri2021-10-16
|
* Removed outdated (and broken) soulseek dissectorLuca Deri2021-10-15
|
* Fix unit test results after 00857abf (#1295)Ivan Nardi2021-09-11
|
* Fixed some invalid TLS guessesLuca Deri2021-08-17
|
* Updated outputLuca Deri2021-08-07
|
* Reworked flow risk implementationLuca Deri2021-07-23
|
* Updated download category nameLuca Deri2021-07-16
|
* ndpiReader: add statistics about nDPI performance (#1240)Ivan Nardi2021-07-13
| | | | | | | The goal is to have a (roughly) idea about how many packets nDPI needs to properly classify a flow. Log this information (and guessed flows number too) during unit tests, to keep track of improvements/regressions across commits.
* Updated category labelsLuca Deri2021-07-08
|
* Added flow risk scoreLuca Deri2021-05-18
|
* Fixed invalid DNS dissectionLuca Deri2021-04-26
|
* Improved DGA detectionLuca Deri2021-03-03
| | | | | | | | Before Accuracy 66%, Precision 86%, Recall 38% After Accuracy 71%, Precision 89%, Recall 49%
* Improved DGA detection with trigrams. Disadvantage: slower startup timeLuca Deri2021-03-03
| | | | | Reworked Tor dissector embedded in TLS (fixes #1141) Removed false positive on HTTP User-Agent
* Improved DNS dissectorLuca Deri2021-02-26
|
* Fixes #1029Luca Deri2020-11-27
|
* Reworked MDNS dissector that is not based on the DNS dissectorLuca Deri2020-09-17
|
* Added new risk for NDPI_UNSAFE_PROTOCOL that identifies protocols that are ↵Luca Deri2020-08-30
| | | | not condidered safe/secure
* Fixed false positive in suspicous user agentLuca Deri2020-08-30
| | | | Optimized stddev calculation
* Changed due to bin size extensionLuca Deri2020-07-30
|
* Updated test results due to bin changesLuca Deri2020-07-09
|
* Added malformed packet risk supportLuca Deri2020-06-26
|
* Fixes #906Luca Deri2020-06-22
| | | | Packet bins are not printed wehn empty
* Added ndpi_bin_XXX APILuca Deri2020-06-22
| | | | Added packet lenght distribution bins
Powered by cgit, Themed by Ted Yin.