aboutsummaryrefslogtreecommitdiff
path: root/tests
Commit message (Collapse)AuthorAge
...
* Add Path of Exile protocol dissector (#2337)Vladimir Gavrilov2024-03-06
| | | | | * Add Path of Exile protocol dissector * Update protocols.rst
* ahocorasick: improve matching with subdomains (#2331)Ivan Nardi2024-03-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The basic idea is to have the following logic: * pattern "DOMAIN" matches the domain itself (i.e exact match) *and* any subdomains (i.e. "ANYTHING.DOMAIN") * pattern "DOMAIN." matches *also* any strings for which is a prefix [please, note that this kind of match is handy but it is quite dangerous...] * pattern "-DOMAIN" matches *also* any strings for which is a postfix Examples: * pattern "wikipedia.it": * "wikipiedia.it" -> OK * "foo.wikipedia.it -> OK * "foowikipedia.it -> NO MATCH * "wikipedia.it.com -> NO MATCH * pattern "wikipedia.": * "wikipedia.it" -> OK * "foo.wikipedia.it -> OK * "foowikipedia.it -> NO MATCH * "wikipedia.it.com -> OK * pattern "-wikipedia.it": * "wikipedia.it" -> NO MATCH * "foo.wikipedia.it -> NO MATCH * "0001-wikipedia.it -> OK * "foo.0001-wikipedia.it -> OK Bottom line: * exact match * prefix with "." (always, implicit) * prefix with "-" (only if esplicitly set) * postfix with "." (only if esplicitly set) That means that the patterns cannot start with '.' anymore. Close #2330
* Improved alert on suspicious DNS trafficLuca Deri2024-03-05
|
* Add NetEase Games detection support (#2335)Vladimir Gavrilov2024-03-05
|
* Add Naraka Bladepoint detection support (#2334)Vladimir Gavrilov2024-03-04
|
* Add BFD protocol dissector (#2332)Vladimir Gavrilov2024-02-29
|
* TLS: avoid setting some flow risks for webrtc trafficNardi Ivan2024-02-26
| | | | | Is quite rare to have a SNI or an ALPN on Client Hello of STUN/DTLS/SRTP traffic
* Telegram: improve identificationNardi Ivan2024-02-26
| | | | | | | | | | | | | | | | | Follow up of 31c706c3dbbf0afc4c8e0a6d0bb6f20796296549 and 75485e177ccc4fafcc62dd46c6917d5b735cf7d2. Allow fast classification by ip, but give time to other dissectors to kick in (for example, the TLS code for the Telegram Web flows). Even if we don't classify it anymore at the very first packet (i.e. SYN) we fully classify Telegram traffic at the first packet with payload, as *any* other protocol. This way, we always have the proper category, the proper confidence for the UDP flows and we don't overwrite previous classifications (TLS or ICMP) Remove old and stale identification logic for TCP flows
* STUN: fix category when sub-classification is set in "extra-dissection" data ↵Ivan Nardi2024-02-24
| | | | path (#2320)
* Updated telegam outLuca Deri2024-02-23
|
* Fixes exception handling glitchLuca Deri2024-02-22
|
* Improved telegram detectionLuca Deri2024-02-22
|
* Add DLEP protocol dissector (#2326)Vladimir Gavrilov2024-02-20
|
* Add identification of Huawei generic and cloud traffic (#2325)Ivan Nardi2024-02-20
|
* Add ANSI C12.22 protocol dissector (#2317)Vladimir Gavrilov2024-02-15
| | | | | * Add ANSI C12.22 protocol dissector * Add UDP sample
* Skype: remove old detection logic (#1954)Ivan Nardi2024-02-12
| | | | | | | Skype has been using standard protocols (STUN/ICE or TLS) for a long, long time, now. Long gone are the days of Skype as a distribuited protocol. See: #2166
* reader_util: fix GRE detunneling (#2314)Ivan Nardi2024-02-10
|
* TLS: add configuration of JA* fingerprints (#2313)Ivan Nardi2024-02-10
|
* fuzz: improve fuzzing coverage (#2309)Ivan Nardi2024-02-09
|
* Add detection of Gaijin Entertainment games (#2311)Vladimir Gavrilov2024-02-09
| | | | | | | | | * Add detection of Gaijin Entertainment games * Short NDPI_PROTOCOL_GAIJINENTERTAINMENT to NDPI_PROTOCOL_GAIJIN * Add default UDP port for Gaijin Entertainment games * Remove NDPI_PROTOCOL_CROSSOUT protocol id
* Add TencentGames protocol dissector (#2306)Vladimir Gavrilov2024-02-08
|
* Completly disable all pthread related code in the library if ↵Toni2024-02-03
| | | | | `USE_GLOBAL_CONTEXT` macro is not defined. (#2302) Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Add Gearman protocol dissector (#2297)Vladimir Gavrilov2024-02-01
|
* Sync unit tests resultsNardi Ivan2024-02-01
|
* Allow multiple `struct ndpi_detection_module_struct` to share some state (#2271)Ivan Nardi2024-02-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add the concept of "global context". Right now every instance of `struct ndpi_detection_module_struct` (we will call it "local context" in this description) is completely independent from each other. This provide optimal performances in multithreaded environment, where we pin each local context to a thread, and each thread to a specific CPU core: we don't have any data shared across the cores. Each local context has, internally, also some information correlating **different** flows; something like: ``` if flow1 (PeerA <-> Peer B) is PROTOCOL_X; then flow2 (PeerC <-> PeerD) will be PROTOCOL_Y ``` To get optimal classification results, both flow1 and flow2 must be processed by the same local context. This is not an issue at all in the far most common scenario where there is only one local context, but it might be impractical in some more complex scenarios. Create the concept of "global context": multiple local contexts can use the same global context and share some data (structures) using it. This way the data correlating multiple flows can be read/write from different local contexts. This is an optional feature, disabled by default. Obviously data structures shared in a global context must be thread safe. This PR updates the code of the LRU implementation to be, optionally, thread safe. Right now, only the LRU caches can be shared; the other main structures (trees and automas) are basically read-only: there is little sense in sharing them. Furthermore, these structures don't have any information correlating multiple flows. Every LRU cache can be shared, independently from the others, via `ndpi_set_config(ndpi_struct, NULL, "lru.$CACHE_NAME.scope", "1")`. It's up to the user to find the right trade-off between performances (i.e. without shared data) and classification results (i.e. with some shared data among the local contexts), depending on the specific traffic patterns and on the algorithms used to balance the flows across the threads/cores/local contexts. Add some basic examples of library initialization in `doc/library_initialization.md`. This code needs libpthread as external dependency. It shouldn't be a big issue; however a configure flag has been added to disable global context support. A new CI job has been added to test it. TODO: we should need to find a proper way to add some tests on multithreaded enviroment... not an easy task... *** API changes *** If you are not interested in this feature, simply add a NULL parameter to any `ndpi_init_detection_module()` calls.
* Updated results (missing `cip_io.pcap.out`)Toni Uhlig2024-01-29
| | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Implemented CIP I/O (UDP version of the CIP protocol), Common Industrial ↵Luca Deri2024-01-29
| | | | protocol
* Updated resultLuca Deri2024-01-29
|
* Fix RESP detection (#2289)Vladimir Gavrilov2024-01-27
| | | | | * Rename redis_net.c to resp.c * Fix RESP detection
* Add Raft protocol dissector. (#2286)Toni2024-01-25
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Improve MySQL detection (#2279)Vladimir Gavrilov2024-01-25
| | | | | * Improve MySQL detection * Update copyright
* Add Radmin protocol dissector (#2283)Vladimir Gavrilov2024-01-25
| | | | | * Add Radmin protocol dissector * Update test results
* fuzz: extend fuzzing coverage (#2281)Ivan Nardi2024-01-24
|
* QUIC: fix decryption with CH fragments with different Destination CID (#2278)Ivan Nardi2024-01-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | QUIC decryption fails when the Client Hello is split into multiple UDP packets and these packets have different Destination Connection IDs (because the server told the client to switch to a different CID; see RFC 9000 7.2) ``` The Destination Connection ID field from the first Initial packet sent by a client is used to determine packet protection keys for Initial packets. [..] Upon first receiving an Initial or Retry packet from the server, the client uses the Source Connection ID supplied by the server as the Destination Connection ID for subsequent packets ``` From a logical point of view, the ciphers used for decryption should be initialized only once, with the first Initial pkt sent by the client and kept for later usage with the following packets (if any). However it seems that we can safely initialize them at each packet, if we keep using the DCID of the **first** packet sent by the client. Keep initializing the ciphers at each packet greatly simplifie this patch. This issue has been undetected for so long because: * in the vast majority of the cases we only decrypt one packet per flow; * the available traces with the Client Hello split into multiple packets (i.e. cases where we need to decrypt at least two packets per flow) were created in a simple test environment to simulate Post-Quantum handshake, and in that scenario the client sent all the packets (with the same DCID) before any reply from the server. However, in the last months all major browsers started supporting PQ key, so it is now common to have split CH in real traffic. Please note that in the attached example, the CH is split into 2 (in-order) fragments (in different UDP packets) and the second one in turn is divided into 9 (out-of-order) CRYPTO frames; the reassembler code works out-of-the-box even in this (new) scenario.
* Add STOMP protocol dissector (#2280)Vladimir Gavrilov2024-01-23
|
* Improve handling of custom rules (#2276)Ivan Nardi2024-01-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Avoid collisions between user-ids and internal-ids protocols in the `example/protos.txt` file. Add a new value for the classification confidence: `NDPI_CONFIDENCE_CUSTOM_RULE` With `./example/ndpiReader -p example/protos.txt -H` we now see also the custom protocols and their internal/external ids: ``` nDPI supported protocols: Id Userd-id Protocol Layer_4 Nw_Proto Breed Category 0 0 Unknown TCP X Unrated Unspecified ... 387 387 Mumble UDP X Fun VoIP 388 388 iSCSI TCP Acceptable Unspecified 389 389 Kibana TCP Acceptable Unspecified 390 390 TestProto TCP Acceptable Unspecified 391 391 HomeRouter TCP Acceptable Unspecified 392 392 CustomProtocol TCP Acceptable Unspecified 393 393 AmazonPrime TCP Acceptable Unspecified 394 394 CustomProtocolA TCP Acceptable Unspecified 395 395 CustomProtocolB TCP Acceptable Unspecified 396 800 CustomProtocolC TCP Acceptable Unspecified 397 1024 CustomProtocolD TCP Acceptable Unspecified 398 2048 CustomProtocolE TCP Acceptable Unspecified 399 2049 CustomProtocolF TCP Acceptable Unspecified 400 2050 CustomProtocolG TCP Acceptable Unspecified 401 65535 CustomProtocolH TCP Acceptable Unspecified ``` We likely need to take a better look in general at the iteration between internal and external protocols ids... This PR fixes the issue observed in https://github.com/ntop/nDPI/pull/2274#discussion_r1460674874 and in https://github.com/ntop/nDPI/pull/2275.
* Add ElectronicArts detection support (#2274)Vladimir Gavrilov2024-01-21
| | | | | * Add ElectronicArts detection support * Merge electronicarts.pcapng into sites.pcapng
* Add Yojimbo (netcode) protocol dissector (#2277)Toni2024-01-21
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Zoom: improve detection (#2270)Ivan Nardi2024-01-21
|
* config: follow-up (#2268)Ivan Nardi2024-01-20
| | | | | | Some changes in the parameters names. Add a fuzzer to fuzz the configuration file format. Add the infrastructure to configuratin callbacks. Add an helper to map LRU cache indexes to names.
* Fix detection of new Cassandra versions (#2272)Vladimir Gavrilov2024-01-20
| | | | | | | * Fix detection of new Cassandra versions * Add Cassandra Internode Communication protocol support * Add default port for Cassandra Internode Communication protocol
* Add a dedicated dissector for Zoom (#2265)Ivan Nardi2024-01-19
| | | Move it from the RTP code and extend it
* STUN: fix flow risks when DTLS packets are found (#2266)Ivan Nardi2024-01-19
| | | | | When switching to (D)TLS dissector from the STUN one, we need to clear any flow risks set from the latter (because we don't have anymore `NDPI_PROTOCOL_STUN` in the classification results)
* Add Mumble detection support (#2269)Vladimir Gavrilov2024-01-19
|
* Rework Steam detection (part 1) (#2264)Vladimir Gavrilov2024-01-18
| | | | | | | | | | | | | | | | | | | | | * Clean up Steam dissector * Add Steam Datagram Relay dissector * Update docs * Update test results * Remove csgo.c from MSVC project * Small fixes * Add Steam TLS pcap sample * Merge Steam pcap samples into single one * Fix typo * Update test results
* config: allow configuration of guessing algorithmsNardi Ivan2024-01-18
|
* config: move debug/log configuration to the new APINardi Ivan2024-01-18
|
* config: DNS: add two configuration optionsNardi Ivan2024-01-18
| | | | | * Enable/disable sub-classification of DNS flows * Enable/disable processing of DNS responses
* config: HTTP: enable/disable processing of HTTP responsesNardi Ivan2024-01-18
|
* config: remove `enum ndpi_prefs`Nardi Ivan2024-01-18
|
Powered by cgit, Themed by Ted Yin.