path: root/wireshark
Commit message (author, age)
* Added NDPI_MALWARE_HOST_CONTACTED flow risk (Luca Deri, 2023-10-13)
* Added NDPI_TLS_ALPN_SNI_MISMATCH flow risk (Luca Deri, 2023-09-07)
* Add a heuristic to detect fully encrypted flows (#2058) (Ivan Nardi, 2023-07-26)
  A fully encrypted session is a flow where every byte of the payload is encrypted in an attempt to "look like nothing". The heuristic needs only the very first packet of the flow. See: https://www.usenix.org/system/files/sec23fall-prepub-234-wu-mingshi.pdf A basic, but generic, implementation of the popcount alg has been added.
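The popcount-based heuristic the commit above refers to, as an added example and not nDPI's own code: it implements the five exemption rules (Ex1..Ex5) described in the cited paper, using the paper's thresholds (3.4 and 4.6 set bits per byte, six leading printable bytes, more than half of the bytes printable, a run of more than 20 printable bytes, TLS/HTTP prefixes). The rule order, the six-byte minimum, the return codes, the exact Ex5 prefixes and the constructed sample payloads are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Exemption rules Ex1..Ex5 as described in the paper cited by the commit
 * (Wu et al., USENIX Security 2023). Thresholds follow the paper; the rule
 * order, the 6-byte minimum, the return codes, the exact Ex5 prefixes and
 * the sample payloads are this example's own choices, not nDPI's code.
 */

static unsigned popcount8(uint8_t b) {
    unsigned c = 0;
    for (; b != 0; b >>= 1) c += b & 1u;
    return c;
}

static bool printable(uint8_t b) { return b >= 0x20 && b <= 0x7e; }

/*
 * Classify the first payload packet of a flow.
 * Returns 0 when no exemption rule fires (the payload looks fully encrypted),
 * 1..5 for the first of Ex1..Ex5 that exempts it, or -1 when the payload is
 * too short to judge (guard chosen for this example).
 */
int fully_encrypted_check(const uint8_t *p, size_t len) {
    if (len < 6) return -1;

    /* Ex1: average set bits per byte; random ciphertext clusters around 4.0 */
    unsigned bits = 0;
    for (size_t i = 0; i < len; i++) bits += popcount8(p[i]);
    double ratio = (double)bits / (double)len;
    if (ratio <= 3.4 || ratio >= 4.6) return 1;

    /* Ex2: the first six bytes are all printable ASCII */
    bool first_six_printable = true;
    for (size_t i = 0; i < 6; i++)
        if (!printable(p[i])) { first_six_printable = false; break; }
    if (first_six_printable) return 2;

    /* Ex3: more than half of the bytes printable; Ex4: more than 20 printable bytes in a row */
    size_t nprint = 0, run = 0, longest = 0;
    for (size_t i = 0; i < len; i++) {
        if (printable(p[i])) { nprint++; if (++run > longest) longest = run; }
        else run = 0;
    }
    if (nprint * 2 > len) return 3;
    if (longest > 20) return 4;

    /* Ex5: plaintext protocol fingerprints. Approximated here as a TLS record
       header (0x16 0x03 0x01..0x04) or a common HTTP token; in practice Ex2
       already catches HTTP because its first bytes are printable. */
    if (p[0] == 0x16 && p[1] == 0x03 && p[2] >= 0x01 && p[2] <= 0x04) return 5;
    static const char *const http[] = { "GET ", "POST", "HEAD", "PUT ", "HTTP" };
    for (size_t i = 0; i < sizeof http / sizeof http[0]; i++)
        if (memcmp(p, http[i], 4) == 0) return 5;

    return 0;
}

/* Constructed sample payloads (not captured traffic). */

/* Mostly 4 bits set per byte (one 3-bit and one 5-bit byte balance out),
   nothing printable: 96 set bits over 24 bytes = 4.0, so no rule fires. */
const uint8_t sample_ciphertext[24] = {
    0x0f, 0xf0, 0x87, 0x1e, 0xe1, 0x99, 0xc3, 0xa5, 0x96, 0xd2, 0x1b, 0xb1,
    0x07, 0xf8, 0x0f, 0xe1, 0x99, 0x87, 0x1e, 0xc3, 0xa5, 0xd2, 0x96, 0x1b
};

/* Start of a TLS ClientHello record: 19 set bits over 11 bytes = 1.7, so Ex1 fires first. */
const uint8_t sample_tls_hello[11] = {
    0x16, 0x03, 0x01, 0x02, 0x00, 0x01, 0x00, 0x01, 0xfc, 0x03, 0x03
};

/* "SSH-2." followed by binary bytes: 61/16 = 3.8 passes Ex1, the printable prefix trips Ex2. */
const uint8_t sample_ssh_banner[16] = {
    'S', 'S', 'H', '-', '2', '.', 0xf0, 0x0f, 0xf0, 0x0f, 0xf0, 0x0f, 0xf0, 0x0f, 0xf0, 0x0f
};

/*
 * Edge case for Ex4: 27 binary bytes then 21 'a' (0x61, 3 bits set).
 * (27*4 + 21*3)/48 = 3.56 passes Ex1, the first six bytes are binary so
 * Ex2 does not fire, 21/48 printable passes Ex3, the run of 21 trips Ex4.
 */
int demo_long_printable_run(void) {
    uint8_t buf[48];
    for (size_t i = 0; i < 27; i++) buf[i] = (i & 1) ? 0x0f : 0xf0;
    memset(buf + 27, 'a', 21);
    return fully_encrypted_check(buf, sizeof buf);
}

int main(void) {
    printf("ciphertext : %d\n", fully_encrypted_check(sample_ciphertext, sizeof sample_ciphertext));
    printf("tls hello  : %d\n", fully_encrypted_check(sample_tls_hello, sizeof sample_tls_hello));
    printf("ssh banner : %d\n", fully_encrypted_check(sample_ssh_banner, sizeof sample_ssh_banner));
    printf("long run   : %d\n", demo_long_printable_run());
    return 0;
}
```

Because the rules are evaluated in order and the first match is reported, a plaintext HTTP request is normally exempted by Ex1 or Ex2 before Ex5 is ever reached; Ex5 matters for TLS records whose bit density happens to sit inside the (3.4, 4.6) window.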
* Add a new flow risk about literal IP addresses used as SNI (#1892) (Ivan Nardi, 2023-03-02)
  RFC 6066 3: "Literal IPv4 and IPv6 addresses are not permitted in "HostName"." Don't set this risk if we have a valid sub-classification (example: via certificate). Since a similar risk already exists for HTTP hostnames, reuse it, with a more generic name.
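A minimal form of the literal-IP SNI check, as an added example and not nDPI's implementation: it uses inet_pton() for the literal test and reproduces the commit's caveat that the risk is not raised when the flow already has a sub-classification. The function names, the bracket handling and the sample SNI strings are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * RFC 6066 section 3: the SNI HostName is a DNS name; literal IPv4 and
 * IPv6 addresses are not permitted. Returns true when the SNI parses as
 * an IP literal, i.e. when the client violated that rule.
 */
bool sni_is_literal_ip(const char *sni) {
    unsigned char addr[16];
    char unbracketed[64];

    if (sni == NULL || sni[0] == '\0') return false;

    /* Dotted-quad IPv4 literal; inet_pton() rejects partial forms like "192.0.2" */
    if (inet_pton(AF_INET, sni, addr) == 1) return true;

    /* Tolerate URL-style "[2001:db8::1]"; an assumption of this example,
       not something the RFC or the commit describes */
    size_t n = strlen(sni);
    if (n >= 2 && sni[0] == '[' && sni[n - 1] == ']' && n - 2 < sizeof unbracketed) {
        memcpy(unbracketed, sni + 1, n - 2);
        unbracketed[n - 2] = '\0';
        sni = unbracketed;
    }
    return inet_pton(AF_INET6, sni, addr) == 1;
}

/*
 * Mirror the commit's caveat: the risk is not raised when the flow already
 * has a valid sub-classification (for example from the server certificate).
 */
bool should_flag_literal_ip_sni(const char *sni, bool has_subclassification) {
    if (has_subclassification) return false;
    return sni_is_literal_ip(sni);
}

int main(void) {
    /* Constructed SNI values, not captured traffic */
    const char *samples[] = { "example.com", "192.0.2.10", "2001:db8::1", "[2001:db8::1]", "192.0.2" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s literal=%d flag=%d\n", samples[i],
               sni_is_literal_ip(samples[i]), should_flag_literal_ip_sni(samples[i], false));
    return 0;
}
```

The sub-classification flag is passed in by the caller because the decision depends on state the SNI check itself cannot see; in a real dissector it would come from whatever already classified the flow (a certificate match, for instance).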
* Added new risk NDPI_TCP_ISSUES (Luca Deri, 2023-01-24)
* Added NDPI_MINOR_ISSUES risk used for storing generic/relevant information about issues found on traffic (Luca Deri, 2022-12-31)
* Added NDPI_PERIODIC_FLOW flow risk to be used by apps based on nDPI (Luca Deri, 2022-12-30)
* Added new flow risk NDPI_HTTP_OBSOLETE_SERVER. Currently Apache and nginx are supported (Luca, 2022-10-04)
* Added unidirectional traffic flow risk (Luca Deri, 2022-06-20)
* Add a new flow risk `NDPI_ANONYMOUS_SUBSCRIBER` (#1462) (Ivan Nardi, 2022-02-28)
  The main goal of a DPI engine is usually to determine "what", i.e. which types of traffic flow on the network. However the applications using DPI are often interested also in "who", i.e. which "user/subscriber" generated that traffic. The association between a flow and a subscriber is usually done via some kind of DHCP/GTP/RADIUS/NAT mappings. In all these cases the key element of the flow used to identify the user is the source IP address. That usually happens for the vast majority of the traffic. However, depending on the protocols involved and on the position on the net where the traffic is captured, the source IP address might have been changed/anonymized. In that case, that address is useless for any flow-username association. Example: iCloud Private Relay traffic captured between the exit relay and the server. See the picture at page 5 on: https://www.apple.com/privacy/docs/iCloud_Private_Relay_Overview_Dec2021.PDF
  This commit adds a new generic flow risk `NDPI_ANONYMOUS_SUBSCRIBER` hinting that the IP addresses shouldn't be used to identify the user associated with the flow. As a first example of this new feature, the entire list of the relay IP addresses used by Private Relay is added. A key point to note is that that list is NOT used for flow classification (unlike all the other IP lists present in nDPI) but only for setting this new flow risk.
  TODO: IPv6
* Added new flow risk NDPI_HTTP_CRAWLER_BOT (Luca Deri, 2022-02-17)
* Added NDPI_ERROR_CODE_DETECTED risk (Luca Deri, 2022-02-03)
* Added new IDN/Punycode risk for spotting internationalized domain names (Luca, 2022-02-03)
* Extend protocols support (#1422) (Ivan Nardi, 2022-01-29)
  Add detection of AccuWeather site/app and Google Classroom. Improve detection of Azure, Zattoo, Whatsapp, MQTT and LDAP. Fix some RX false positives. Fix some "Uncommon TLS ALPN"-risk false positives. Fix "confidence" value for some Zoom/Torrent classifications. Minor fix in Lua script for Wireshark extcap. Update .gitignore file. Let GitHub correctly detect the language type of *.inc files. Zattoo example has been provided by @subhajit-cdot in #1148.
* Added NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE flow risk (Luca Deri, 2022-01-26)
  Added ndpi_set_tls_cert_expire_days() API call to modify the number of days for triggering the above alert, which by default is set to 30 days.
* Added support for Log4J/Log4Shell detection in nDPI via a new flow risk named NDPI_POSSIBLE_EXPLOIT (Luca Deri, 2021-12-23)
* Detect invalid characters in text and set a risk. Fixes #1347. (#1363) (Toni, 2021-10-26)
  Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Small fixes after latest commits (#1308) (Ivan Nardi, 2021-09-18)
* Network Management exam project ("Progetto esame Gestione di Reti") - Debora Cerretini (#1290) (deboracerretini, 2021-09-17)
  * Add files via upload (repeated 15 times)
  Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>
* Added new risk for clear text credentials (Luca Deri, 2021-09-10)
* wireshark/lua: restore full flow risks dissection (#1275) (Ivan Nardi, 2021-08-18)
  It was partially disabled in 3eba8cc5. Wireshark and Wireshark-Lua bindings don't handle 64-bit integers very well (see https://www.wireshark.org/docs/wsdg_html_chunked/lua_module_Int64.html). As a workaround, only for visualization purposes, split the (64-bit) risk mask into two 32-bit integer values.
* Code cleanup (after last merge) (Luca Deri, 2021-08-08)
* Added TLS fatal alert flow risk (Luca Deri, 2021-08-07)
* Temporary fix for avoiding wireshark errors (Luca Deri, 2021-07-14)
* TLS Risks - Certificate Validity Too Long (#1239) (pacant, 2021-07-14)
  * Added flow risk: TLS certificate too long
  * Added flow risk: TLS certificate too long
  * Date for TLS limit added
  * TLS certificate check fixed
  Co-authored-by: pacant <a.pace97@outlook.com>
* Added nDPI Score report (Luca Deri, 2021-06-17)
* fixed lua errors in non-iec104 packets (#1209) (martinscheu, 2021-06-17)
  * Update iec.lua: fixed lua errors in non-IEC 104 packets
  * Update iec.lua
  Co-authored-by: tinu <martin.scheu@switch.ch>
* IEC analysis wireshark plugin (Luca Deri, 2021-06-14)
* Syntax error fixes (Luca Deri, 2021-06-11)
* Fixed flow score label (Luca Deri, 2021-06-11)
* Changed output for the sharkfest lua scripts (Matteo Biscosi, 2021-06-11)
* Updated scripts (Luca Deri, 2021-06-08)
* Companion scripts written for the Sharkfest conference (Luca, 2021-06-08)
* wireshark/lua: improve flow risk visualization (#1194) (Ivan Nardi, 2021-06-02)
  Create a separate proto field entry for each possible flow risk. This way, filtering will be more natural: you can use something like "ndpi.flow_risk.desktop_file_sharing_session".
* wireshark/lua: fix offsets (#1187) (Ivan Nardi, 2021-05-18)
* Fixed typo (Luca Deri, 2021-05-11)
* Implemented flow score in Wireshark integration (Luca Deri, 2021-05-10)
* Updated code due to https://github.com/ntop/nDPI/pull/1175 (Luca Deri, 2021-04-27)
* Added flow risk to wireshark dissection (Luca Deri, 2021-04-26)
* Added tshark description (Luca Deri, 2021-04-25)
* README for the tshark class (Luca Deri, 2021-04-25)
* Lua tshark class and examples (Luca Deri, 2021-04-25)
* wireshark/lua: fix handling of VLAN traffic (#1162) (Ivan Nardi, 2021-04-05)
* Readme update (Luca Deri, 2021-04-01)
* added shell script to download wireshark fuzzing traces, can be used in combination with ./tests/do.sh (Toni Uhlig, 2020-07-02)
  Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Make lua script more robust (Nardi Ivan, 2020-06-25)
* Fixes for wireshark 3 (Luca, 2019-03-01)
* Added timeseries dump (disabled by default) (Luca Deri, 2018-05-02)
* Added NetFlix block for Rogers (Luca Deri, 2018-04-28)
* Added flow and timing support (Luca Deri, 2018-04-26)