aboutsummaryrefslogtreecommitdiff
path: root/tests
Commit message (Collapse)AuthorAge
* HTTP: fix classification (#1692)Ivan Nardi2022-07-30
| | | | | | | | | | If we have a valid HTTP sessions, we should ignore `flow->guessed_protocol_id` field (i.e. classification "by-port") altogheter. The attached trace was classified as "SIP/HTTP" only because the *client* port was 5060... As a general rule, having a classification such as "XXXX/HTTP" is *extremely* suspicious.
* SMTPS, POPS, IMAPS: fix classification and extra dissection (#1685)Ivan Nardi2022-07-30
| | | | | | The big change in TLS code is to allow "master" protocols other than TLS/DTLS, like SMTPS, POPS and IMAPS. This change will allow, in a future, a proper and complete TLS dissection for all these protocols with "STARTTLS"-like messages.
* Add Softether dissector. (#1679)Toni2022-07-29
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Patricia tree, Ahocarasick automa, LRU cache: add statistics (#1683)Ivan Nardi2022-07-29
| | | | | | | | | | Add (basic) internal stats to the main data structures used by the library; they might be usefull to check how effective these structures are. Add an option to `ndpiReader` to dump them; enabled by default in the unit tests. This new option enables/disables dumping of "num dissectors calls" values, too (see b4cb14ec).
* TINC: avoid processing SYN packets (#1676)Ivan Nardi2022-07-28
| | | | | | | | | | | Since e6b332aa, we have proper support for detecting client/server direction. So Tinc dissector is now able to properly initialize the cache entry only when needed and not anymore at the SYN time; initializing that entry for **every** SYN packets was a complete waste of resources. Since 4896dabb, the various `struct ndpi_call_function_struct` structures are not more separate objects and therefore comparing them using only their pointers is bogus: this bug was triggered by this change because `ndpi_str->callback_buffer_size_tcp_no_payload` is now 0.
* Update the protocol bitmask for some protocols (#1675)Ivan Nardi2022-07-27
| | | | | | | Tcp retransmissions should be ignored. Remove some unused protocol bitmasks. Update script to download Whatsapp IP list.
* Add AVAST dissector. (#1674)Toni2022-07-25
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Improve handling of HTTP-Proxy and HTTP-Connect (#1673)Ivan Nardi2022-07-25
| | | | | | | | | | | | Treat HTTP-Proxy and HTTP-Connect flows like the HTTP ones: print/serialize all the attributes and allow parsing of replies. The line about "1kxun" has been removed to avoid regressions in 1KXUN classification in `tests/pcap/1kxun.pcap`. I haven't fully understod what was happening but the comment at the beginning of `static ndpi_category_match category_match[]` says that we can't have overlaps between `host_match` and `category_match` lists and that is no longer true since 938e89ca. Bottom line: removing this line seems the right thing to do, anyway.
* Add support for flow client/server information (#1671)Ivan Nardi2022-07-24
| | | | | | | | | | | | | | | | | | In a lot of places in ndPI we use *packet* source/dest info (address/port/direction) when we are interested in *flow* client/server info, instead. Add basic logic to autodetect this kind of information. nDPI doesn't perform any "flow management" itself but this task is delegated to the external application. It is then likely that the application might provide more reliable hints about flow client/server direction and about the TCP handshake presence: in that case, these information might be (optionally) passed to the library, disabling the internal "autodetect" logic. These new fields have been used in some LRU caches and in the "guessing" algorithm. It is quite likely that some other code needs to be updated.
* Added AliCloud server access dissector. (#1672)Toni2022-07-23
| | | | Signed-off-by: lns <matzeton@googlemail.com> Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* TLS: improve reassembler (#1669)Ivan Nardi2022-07-22
| | | | | | | | * TLS: cosmetic changes * TLS: improve reassembler We might need to contemporary re-order messages from both directions: use one buffer per direction.
* STUN: improve detection of Hangout/Duo and FB voip callsNardi Ivan2022-07-20
|
* DTLS: fix exclusion of DTLS protocolNardi Ivan2022-07-20
| | | | Add an helper to exclude a generic protocol
* SKYPE: fix detection over UDPNardi Ivan2022-07-20
| | | | | | | | | Commit ba6a48c9 is completely bogus: we can't set extra dissection without having set a proper classification. The idea behind that commit seems to be that we need to look for 2 (consecutives?) packets with the same crc/pattern: try to implement this logic in a saner way.
* SKYPE: remove detection over TCPNardi Ivan2022-07-20
| | | | | | Skype detection over TCP has been completely disable since 659f75138 (3 years ago!). Since that logic was too weak anyway, remove it.
* reader_util: stop processing a flow (#1666)Ivan Nardi2022-07-20
| | | | We should stop processing a flow if all protocols have been excluded or if we have already processed too many packets.
* BITTORRENT: fix confidence (#1664)Ivan Nardi2022-07-20
| | | Remove two unused parameters.
* Do not interfere with CFLAGS/LDFLAGS env anymore. (#1659)Toni2022-07-13
| | | | | | | * CI fixes * some build systems do not like that (e.g. OpenWrt) * fixed some rrdtool related build warnings/errors Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Improved Jabber/XMPP detection. (#1661)Toni2022-07-13
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Keep track of how many dissectors calls we made for each flow (#1657)Ivan Nardi2022-07-11
|
* HTTP: improve detection of WindowsUpdate (#1658)Ivan Nardi2022-07-10
| | | | WindowsUpdate is also transported over HTTP, using a numeric IP as hostname (some kinds of CDN?)
* SIP: improve detection (#1654)Ivan Nardi2022-07-09
|
* Enhances gprof usage. (#1651)Toni2022-07-08
| | | | | * gprof results were incorrectly displayed Signed-off-by: lns <matzeton@googlemail.com>
* SMB: add (partial) support for messages split into multiple TCP segments (#1644)Ivan Nardi2022-07-07
|
* Avoid spurious calls to extra dissection (#1648)Ivan Nardi2022-07-07
| | | | If the extra callabck is not set, calling the extra dissection is only a waste of resources...
* Kerberos: add support for Krb-Error messages (#1647)Ivan Nardi2022-07-07
|
* MONGODB: avoid false positivesNardi Ivan2022-07-07
|
* TLS: ignore invalid Content Type valuesNardi Ivan2022-07-07
|
* Added Threema Messenger. (#1643)Toni2022-07-06
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added another RiotGames signature.Toni Uhlig2022-07-06
| | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Label SMTP w/ STARTTLS as SMTPS *and* dissect TLS clho. (#1639)Toni2022-07-06
| | | | | | | | | | | | | | | | | * Label SMTP w/ STARTTLS as SMTPS *and* dissect TLS clho. Signed-off-by: Toni Uhlig <matzeton@googlemail.com> * Revert "SMTP with STARTTLS is now identified as SMTPS" This reverts commit 52d987b603f49d996b4060f43265d1cf43c3c482. * Revert "Compilation fix" This reverts commit c019946f601bf3b55f64f78841a0d696e6c0bfc5. * Sync unit tests. Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Fix handling of NDPI_UNIDIRECTIONAL_TRAFFIC risk (#1636)Ivan Nardi2022-07-05
|
* SMTP with STARTTLS is now identified as SMTPSLuca Deri2022-07-05
|
* Detect SMTPs w/ STARTTLS as TLS and dissect client/server hello. Fixes ↵Toni2022-07-05
| | | | | | | #1630. (#1637) * FTP needs to get updated as well as it has similiar STARTTLS semantics -> follow-up Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Run regression tests from different locations at the same time w/o side ↵Toni2022-07-05
| | | | | effects on the results. (#1638) Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Exported username in flow informationLuca Deri2022-07-04
|
* Updated JA3/SSL fingerprints.Toni Uhlig2022-07-04
| | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added UltraSurf protocol dissector. (#1618)Toni2022-07-04
| | | | | * TLSv1.3 UltraSurf flows are not detected by now Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Add two new confidence values: confidence by partial DPI (#1632)Ivan Nardi2022-07-04
| | | | Used for all classifications based on partial/incomplete DPI information, i.e. all classifications done in `ndpi_detection_giveup()`.
* Update host content list match (#1633)Ivan Nardi2022-07-04
| | | | Improve classifications of Outlook, Cachefly, Cloudflare, Tiktok and Cybersecurity.
* Sync Psiphon unit test. (#1634)Toni2022-07-04
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added Psiphon detection patterns. See #566 and #1099. (#1631)Toni2022-07-04
| | | | | * The traces are not up to date, but this is the best we got so far. Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added i3D and RiotGames protocol dissectors. (#1609)Toni2022-07-03
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* TargusDataspeed: avoid false positives (#1628)Ivan Nardi2022-07-03
| | | | | TargusDataspeed dissector doesn't perform any real DPI checks but it only looks at the TCP/UDP ports. Delete it, and use standard logic to classify these flows by port.
* Skinny: rework and improve classification (#1625)Ivan Nardi2022-07-03
|
* Skype_Teams, Mining, SnapchatCall: fix flow category (#1624)Ivan Nardi2022-07-03
|
* Fix category for mail sessions (#1621)Ivan Nardi2022-07-03
| | | Close #629
* TLS: add support for old DTLS versions and for detection of mid-sessions (#1619)Ivan Nardi2022-07-03
|
* Generate profiling results as PNG.Toni Uhlig2022-07-03
| | | | | | * use -ltcmalloc_and_profiler and try to get rid of LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libprofiler.so Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* gprof test/CI integrationlns2022-07-03
| | | | | Signed-off-by: lns <matzeton@googlemail.com> Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Powered by cgit, Themed by Ted Yin.