Commit graph

517 commits

Author SHA1 Message Date
Luca
cbfc20d2d5 Updated test result 2025-02-21 14:11:22 +01:00
Luca Deri
30c3613f2f Improved RTP dissection with EVS and other mobile voice codecs 2025-02-20 22:59:23 +01:00
Luca Deri
9ee24d5bc1 Updated test results after RTP payload extraction 2025-02-19 11:40:00 +01:00
Luca Deri
2c414f1b28 Fixed bug in domain name computation 2025-02-17 21:50:19 +00:00
Ivan Nardi
491698fe02
DNS: rework "extra-dissection" code (#2735) 2025-02-17 13:57:50 +01:00
Ivan Nardi
86af01c74d
DNS: fix message parsing (#2732) 2025-02-16 17:19:43 +01:00
Ivan Kapranov
ccb15db9b3
Implement SSDP Metadata export (#2729)
Close #2524
2025-02-16 17:04:16 +01:00
Ivan Nardi
d51b6ab049
DNS: fix parsing of hostname for empty response messages (#2731) 2025-02-16 14:32:56 +01:00
Ivan Nardi
7dc5890c0f
DNS: rework adding entries to the FPC-DNS cache (#2730)
Try to populate the FPC-DNS cache using directly the info from the current
packet, and not from the metadata saved in `struct ndpi_flow_struct`. This
will be important when adding monitoring support
2025-02-16 13:33:08 +01:00
Ivan Nardi
c458c42712
DNS: improved detection and handling of TCP packets (#2728) 2025-02-15 22:28:47 +01:00
Ivan Nardi
15b84b4192
DNS: rework code (#2727) 2025-02-15 21:57:34 +01:00
Ivan Kapranov
e4521440ab
Added RUTUBE (#2725) 2025-02-15 16:03:58 +01:00
Ivan Nardi
9bf513b342
DNS: fix dissection (#2726) 2025-02-15 15:13:01 +01:00
Ivan Nardi
091e1423e2
DNS: set NDPI_MALFORMED_PACKET risk if the answer message is invalid (#2724)
We already set the same flow risk for invalid request messages
2025-02-15 14:23:45 +01:00
Ivan Nardi
3dbc6d2523
DNS: faster exclusion (#2719) 2025-02-12 17:42:00 +01:00
Ivan Nardi
dba7e9a8ec
DNS: try to simplify the code (#2718)
Set the classification in only one place in the code.
2025-02-12 09:48:35 +01:00
Ivan Nardi
baca06bfd2
ndpiReader: print more DNS information (#2717) 2025-02-11 18:16:55 +01:00
Ivan Nardi
1dccaf37b0
DNS: fix check for DGA domain (#2716)
If we have a (potential) valid sub-classification, we shouldn't check for
DGA, even if the subclassification itself is disabled!
2025-02-11 15:48:53 +01:00
Ivan Nardi
73d1856525
DNS: disable subclassification by default (#2715)
Preliminary change to start supporting multiple DNS transactions on the
same flow
2025-02-11 13:50:00 +01:00
Ivan Nardi
65c224e19c dns: fix writing to flow->protos.dns
We can't write to `flow->protos.dns` until we are sure it is a valid DNS
flow
2025-02-11 12:44:46 +01:00
Ivan Nardi
dff5b2beac DNS: fix dissection when there is only the response message 2025-02-11 12:44:46 +01:00
Ivan Nardi
a298d26c20 DNS: extend tests 2025-02-11 12:44:46 +01:00
Ivan Nardi
642cf5764a Extend regression tests 2025-02-04 14:33:32 +01:00
Ivan Nardi
dd4807f8ee
bittorrent: add configuration for "hash" metadata (#2706)
Fix confidence value for same TCP flows
2025-01-31 17:42:47 +01:00
Ivan Nardi
62d64afde7
Auto-generate Microsoft-related list of domains (#2688) 2025-01-31 15:44:28 +01:00
Ivan Nardi
c669bb3140
DNS: fix relationship between FPC and subclassification (#2702)
Allow optimal FPC even if DNS subclassification is disabled
2025-01-30 21:26:47 +01:00
Luca Deri
2bf8dbf40f Added health category 2025-01-24 22:21:04 +01:00
Ivan Nardi
819b00670c
RTP: improve detection of multimedia type for Signal calls (#2697) 2025-01-24 14:13:51 +01:00
Ivan Nardi
f3532f0bad
Unify "Skype" and "Teams" ids (#2687)
* Rename `NDPI_PROTOCOL_SKYPE_TEAMS_CALL` ->
  `NDPI_PROTOCOL_MSTEAMS_CALL`

* Rename ip list from "Skype/Teams" to "Teams"
2025-01-20 18:06:56 +01:00
Daniel Roethlisberger
d55ff1fd80
JA4: Fix SSL 2 version and remove fictional SSL 1 version along with mis-mapping to s3 (#2684)
* JA4: Fix SSL 2 version constant to 0x0002

SSL 2 uses a version field of 0x0002, not 0x0200.  This is confirmed not
only in the original Netscape spec [1] and RFC draft of the time [2],
but also in major implementations such as OpenSSL [3] and Wireshark [4].

An earlier version of the JA4 spec [5] also mistakenly used 0x0200 for
SSL 2 and 0x0100 for SSL 1.  This was fixed in [6] in August 2024.

[1] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html
[2] https://datatracker.ietf.org/doc/html/draft-hickman-netscape-ssl-00
[3] https://github.com/openssl/openssl/blob/OpenSSL_0_9_6m/ssl/ssl2.h#L66-L71
[4] https://github.com/wireshark/wireshark/blob/release-4.4/epan/dissectors/packet-tls-utils.h#L266-L277
[5] https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md#tls-and-dtls-version
[6] FoxIO-LLC/ja4#150

* JA4: Remove fictional (and mis-mapped to "s3") SSL 1

SSL 1 was never actually deployed, the design was iterated upon to
become SSL 2 before it was released by Netscape [1] [2] [3] [4].  I
don't think it's public knowledge what the version field for SSL 1 would
have looked like, or if it even was two bytes large or at the same
offset on the wire; given that SSL 2 used 0x0002 it seems more likely to
have been 0x0001 than 0x0100.

Version field 0x0100, that is currently misattributed to SSL 1, was used
by an early pre-RFC4347 implementation of DTLS in OpenSSL before 0.9.8f
[5], when OpenSSL switched to the version field specified by RFC4347.
This use of 0x0100 is also reflected in Wireshark's TLS dissector [4]
(`DTLSV1DOT0_OPENSSL_VERSION`).

For these reasons, it seems to make sense to remove the fictional SSL 1
code entirely.

This also removes an issue where the resulting JA4 string would be "s3"
instead of the intended "s1".

An earlier version of the JA4 spec [6] also mistakenly used 0x0200 for
SSL 2 and 0x0100 for SSL 1.  This was fixed in [7] in August 2024.

[1] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html
[2] https://datatracker.ietf.org/doc/html/draft-hickman-netscape-ssl-00
[3] https://github.com/openssl/openssl/blob/OpenSSL_0_9_6m/ssl/ssl2.h#L66-L71
[4] https://github.com/wireshark/wireshark/blob/release-4.4/epan/dissectors/packet-tls-utils.h#L266-L277
[5] https://github.com/openssl/openssl/compare/OpenSSL_0_9_8e...OpenSSL_0_9_8f
[6] https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md#tls-and-dtls-version
[7] FoxIO-LLC/ja4#150

* Fix tests where old DTLS (0x0100) was mis-identified as SSL 3.0

These two tests contain DTLS flows using a version field of 0x0100 as
used by OpenSSL pre 0.9.8f, before OpenSSL switched to the standardised
version code points for its DTLS implementation.  The correct JA4
mapping is "d00", not "ds3".
2025-01-19 18:19:44 +01:00
Luca Deri
511228d36d Added DigitalOcean protocol 2025-01-17 18:26:27 +01:00
Ivan Nardi
252be78acc
STUN: improve detection of Telegram calls (#2671) 2025-01-14 17:33:34 +01:00
Ivan Nardi
63a3547f99
Add (kind of) support for loading a list of JA4C malicious fingerprints (#2678)
It might be useful to be able to match traffic against a list of
suspicious JA4C fingerprints

Use the same code/logic/infrastructure used for JA3C (note that we are
going to remove JA3C...)

See: #2551
2025-01-14 12:05:03 +01:00
Ivan Nardi
72fd940301
Remove JA3C output from ndpiReader (#2667)
Removing JA3C is a big task. Let's start with a simple change having a
huge impact on unit tests: remove printing of JA3C information from
ndpiReader.

This way, when we delete the actual code, the unit tests diffs
should be a lot simpler to look at.

Note that the information on whether the client/server cipher is weak or
obsolete is still available via flow risk

See: #2551
2025-01-12 13:24:27 +01:00
Ivan Nardi
5c0143ce58
HTTP: fix entropy calculation (#2666)
We calculate HTTP entropy according to "Content-type:" header, see
`ndpi_validate_http_content()` on HTTP code
2025-01-12 12:49:32 +01:00
Vladimir Gavrilov
674428d824
Add Vivox support (#2668) 2025-01-11 19:37:31 +01:00
Toni
9a0a3bb8e7
Improved WebSocket-over-HTTP detection (#2664)
* detect `chisel` SSH-over-HTTP-WebSocket
* use `strncasecmp()` for `LINE_*` matching macros

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2025-01-11 11:23:42 +01:00
Ivan Nardi
4756904222
QUIC: remove extraction of user-agent (#2650)
In very old (G)QUIC versions by Google, the user agent was available on
plain text. That is not true anymore, since about end of 2021.
See: f282c934f4
2025-01-07 19:58:43 +01:00
Ivan Nardi
c34b692a4b
Classifications "by-port"/"by-ip" should never change (#2656)
Add a new variable to keep track of internal partial classification
2025-01-06 18:58:24 +01:00
Ivan Nardi
c3d19be26f
ndpiReader: update JA statistics (#2646)
Show JA4C and JA3S information (instead of JA3C and JA3S)
See #2551 for context
2025-01-06 15:09:25 +01:00
Ivan Nardi
2e20f670dd
QUIC: extract "max idle timeout" parameter (#2649)
Even if it is only the value proposed by the client (and not the
negotiated one), it might be used as a hint for timeout by the (external)
flows manager
2025-01-06 13:45:12 +01:00
Ivan Nardi
e77ff5ebd8
TLS: fix NDPI_TLS_WEAK_CIPHER flow risk (#2647)
We should set it also for "obsolete"/"insecure" ciphers, not only for
the "weak" ones.
2025-01-06 13:16:57 +01:00
Ivan Nardi
cae9fb9989
TLS: remove ESNI support (#2648)
ESNI has been superseded by ECH for years, now.
See: https://blog.cloudflare.com/encrypted-client-hello/
Set the existing flow risk if we still find this extension.
2025-01-06 11:04:50 +01:00
Vladimir Gavrilov
12a7d55d27
Path of Exile 2 support (#2654) 2025-01-06 10:57:16 +01:00
Luca Deri
71de91dc7a Improved SMBv1 heuristic to avoid triggering risks for SMBv1 broadcast messages when used to browse (old) network devices 2025-01-03 11:15:27 +01:00
paolomonti
3b602e73ba
IPv6: fix bad ipv6 format (#1890) (#2651)
IPv6 addresses already containing the "::" token shall
not be searched for ":0:" nor patched

Close #1890
2024-12-20 11:02:09 +01:00
Ivan Nardi
f4d3851913
Update all IPs lists (#2643) 2024-12-13 08:54:32 +01:00
Ivan Nardi
a156d69ea4
STUN: fix monitoring (#2639) 2024-12-06 20:19:28 +01:00
Ivan Nardi
83ce341796
signal: improve detection of chats and calls (#2637) 2024-12-04 16:14:27 +01:00
Evgeny Shtanov
74792e49c8
Add support for Yandex Alice (#2633)
Co-authored-by: Evgeny Shtanov <evg.shtanov@gmail.comm>
Co-authored-by: Ivan Nardi <nardi.ivan@gmail.com>
2024-11-29 14:13:36 +01:00