| Commit message (Collapse) | Author | Age |
|---|
| |
|
| |
Enabled via `--dump-fpc-stats` option
|
| | |
|
| |
|
|
|
|
|
|
| |
Last step of removing JA3C fingerprint
Remove some duplicate tests: testing with ja4c/ja3s disabled is already
performed by `disable_metadata_and_flowrisks` configuration.
Close:#2551
|
| |
|
|
|
|
|
|
|
| |
It might be usefull to be able to match traffic against a list of
suspicious JA4C fingerprints
Use the same code/logic/infrastructure used for JA3C (note that we are
going to remove JA3C...)
See: #2551
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Removing JA3C is an big task. Let's start with a simple change having an
huge impact on unit tests: remove printing of JA3C information from
ndpiReader.
This way, when we will delete the actual code, the unit tests diffs
should be a lot simpler to look at.
Note that the information if the client/server cipher is weak or
obsolete is still available via flow risk
See: #2551
|
| |
|
|
| |
We calculate HTTP entropy according to "Content-type:" header, see
`ndpi_validate_http_content()` on HTTP code
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Right now the CI takes ~30 minutes; the goal is to have it ending in
< 15 min.
The basic trick is to run the longer jobs (no_x86_64 and masan) only
with the recently updated pcaps. The same jobs will run again on schedule
(every night) testing all the traces.
This way the CI will be "green" (hopefully!) earlier while pushing new
commit/PR; full tests are simply delayed.
Details: when `NDPI_TEST_ONLY_RECENTLY_UPDATED_PCAPS` is set,
`tests/do.sh` checks only the latest 10 pcaps (i.e. the more recent pcap
added/updated) for *every* configuration.
Notes that no_x86_64 and masan jobs run twice: when pushing/merging and
on schedule (every night)
|
| |
|
|
|
|
| |
* detect `chisel` SSH-over-HTTP-WebSocket
* use `strncasecmp()` for `LINE_*` matching macros
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
| |
In very old (G)QUIC versions by Google, the user agent was available on
plain text. That is not true anymore, since about end of 2021.
See: https://github.com/google/quiche/commit/f282c934f4731a9f4be93409c9f3e8687f0566a7
|
| |
|
| |
Add a new variable to keep track of internal partial classification
|
| | |
|
| |
|
|
| |
Show JA4C and JA3S information (instead of JA3C and JA3S)
See #2551 for context
|
| |
|
|
|
| |
Even if it is only the proposed value by the client (and not the
negotiated one), it might be use as hint for timeout by the (external)
flows manager
|
| |
|
|
| |
We should set it also for "obsolete"/"insecure" ciphers, not only for
the "weak" ones.
|
| |
|
|
|
| |
ESNI has been superseded by ECH for years, now.
See: https://blog.cloudflare.com/encrypted-client-hello/
Set the existing flow risk if we still found this extension.
|
| | |
|
| |
|
|
| |
messages when used to browse (old) network devices
|
| |
|
|
|
|
| |
ipv6 addresses already containing "::" token shall
not be searched for ":0:" nor patched
Close #1890
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Co-authored-by: Evgeny Shtanov <evg.shtanov@gmail.comm>
Co-authored-by: Ivan Nardi <nardi.ivan@gmail.com>
|
| |
|
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
|
| |
Example:
./example/ndpiReader --conf=./example/calls.conf -i ./tests/pcap/signal_videocall.pcapng -v2
Close #2608
|
| | |
|
| | |
|
| |
|
| |
In the same flow, we can have multiple multimedia types
|
| | |
|
| |
|
|
| |
port that was supposed to be used as default
|
| | |
|
| |
|
|
| |
Let's see if we are able to tell audio from video calls only looking at
RTP Payload Type field...
|
| | |
|
| |
|
|
| |
Testing pcaps courtesy of https://github.com/virtalabs/tapirx.git
|
| |
|
|
| |
(#2618)
|
| |
|
| |
Extend content match list
|
| | |
|
| |
|
|
|
| |
* fixes SonarCloud complaint
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|