Toni Uhlig
b7405c8e39
Sync unit tests results
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2024-11-27 08:52:37 +01:00
Ivan Nardi
d93fd27bcc
Sync unit tests results
2024-11-26 14:43:26 +01:00
Ivan Nardi
7330f65939
Add support for Paramount+ streaming service
2024-11-25 14:01:55 +01:00
Ivan Nardi
cff8bd1bb2
Update flow->flow_multimedia_types to a bitmask ( #2625 )
In the same flow, we can have multiple multimedia types
2024-11-25 10:12:48 +01:00
Ivan Nardi
5c4061d0cd
Sync unit tests results
2024-11-25 09:49:04 +01:00
Luca Deri
56e52448c4
When triggering risk "Known Proto on Non Std Port", nDPI now reports the port that was supposed to be used as default
2024-11-22 18:21:58 +01:00
Ivan Nardi
1140d28c3d
Sync unit tests results
2024-11-21 09:53:10 +01:00
Ivan Nardi
c5bd9d8bff
RTP, STUN: improve detection of multimedia flow type ( #2620 )
Let's see if we are able to tell audio from video calls only looking at
RTP Payload Type field...
2024-11-19 16:38:14 +01:00
Luca Deri
95bf287c02
Results update
2024-11-16 09:27:08 +01:00
Luca
4fd12278b1
Added DICOM support
Testing pcaps courtesy of https://github.com/virtalabs/tapirx.git
2024-11-15 18:45:51 +01:00
Luca Deri
3ce8d0e508
Implemented Mikrotik discovery protocol dissection and metadata extraction ( #2618 )
2024-11-14 23:34:31 +01:00
Ivan Nardi
59ee1fe115
Add support for some Chinese shopping platforms (Temu, Shein and Taobao) ( #2615 )
Extend content match list
2024-11-12 20:11:07 +01:00
Ivan Nardi
1bda2bf414
SIP: extract some basic metadata
2024-11-12 13:34:25 +01:00
Vladimir Gavrilov
137d87fd87
Add Naver protocol support ( #2610 )
2024-11-01 14:56:25 +01:00
Ivan Nardi
a903932155
HTTP: fix leak and out-of-bound error on credential extraction ( #2611 )
2024-11-01 13:11:06 +01:00
Luca Deri
412ca8700f
Added HTTP credentials extraction
2024-10-31 21:20:46 +01:00
Vladimir Gavrilov
dc125dc2a8
Add Paltalk protocol support ( #2606 )
2024-10-28 16:57:05 +01:00
Luca Deri
d5236c0aaf
Fixes TCP fingerprint calculation when multiple EOL are specified in TCP options
2024-10-27 08:17:27 +01:00
Luca Deri
ddbdae9947
Improved fingerprints
2024-10-21 10:58:29 +02:00
Luca Deri
4e78d903e8
Improved TCP fingerprint
2024-10-20 23:14:46 +02:00
Luca Deri
14b076a58b
Improved TCP fingerprint
2024-10-20 22:25:55 +02:00
Ivan Nardi
9021e08901
ndpiReader: explicitly remove non ipv4/6 packets ( #2601 )
2024-10-19 21:44:32 +02:00
Luca Deri
6dc4533c3c
Added support for RDP over TLS
2024-10-19 16:24:11 +02:00
Luca Deri
0cc84e4fdd
Improved TCP fingerprint calculation
Added basic OS detection based on TCP fingerprint
2024-10-18 23:47:34 +02:00
Luca Deri
0ef0752c80
Increased struct ndpi_flow_struct size ( #2596 )
Build fix
2024-10-18 07:17:03 +02:00
Ivan Nardi
2d7085a23e
STUN: if the same metadata is found multiple times, keep the first value ( #2591 )
2024-10-15 15:12:37 +02:00
Ivan Nardi
8299f5abab
STUN: fix monitoring of Whatsapp and Zoom flows ( #2590 )
2024-10-15 12:05:22 +02:00
Luca Deri
2b40611082
Fixed JA4 invalid computation due to code bug and uninitialized values
2024-10-13 20:45:20 +02:00
Luca Deri
ec5efe5cf2
Added sonos dissector
2024-10-13 18:50:34 +02:00
Vladimir Gavrilov
6cb1631132
Add DingTalk protocol support ( #2581 )
2024-10-07 15:45:51 +02:00
Luca
45323e3bf8
Exports DNS A/AAAA responses (up to 4 addresses)
Changed the default to IPv4 (used to be IPv6) in case of DNS error response
2024-10-02 15:55:35 +02:00
Ivan Nardi
623b7e236f
TLS: detect abnormal padding usage ( #2579 )
Padding is usually some hundreds of bytes long. Longer padding might be used
as an obfuscation technique to force unusual CH fragmentation
2024-10-01 17:15:03 +02:00
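The check described in the commit above, written out as an added example (my own code, not nDPI's dissector): parse the extensions of a ClientHello carried in a single TLS record, measure the padding extension (type 21, RFC 7685) and flag it when it exceeds a threshold. The threshold of 512 bytes, the function names and the constructed ClientHello are assumptions of this example; the page does not state nDPI's own limit.

```python
import struct

TLS_EXT_PADDING = 21  # extension type "padding", RFC 7685

# Assumed threshold for this example (nDPI's own value is not given on this page):
# a padding extension longer than this is reported as abnormal.
PADDING_THRESHOLD = 512


def parse_client_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: extension_data} for the ClientHello carried in one
    TLS handshake record. Every length is bounds-checked before it is trusted, so
    malformed input raises ValueError instead of reading past the buffer."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    ch = body[4:4 + hs_len]
    if len(ch) != hs_len:
        raise ValueError("truncated ClientHello")

    off = 0

    def need(n):  # reads the current value of `off` from the enclosing scope
        if off + n > len(ch):
            raise ValueError("ClientHello field overflows buffer")

    need(2 + 32 + 1); off += 34                      # legacy_version + random
    sid_len = ch[off]; off += 1
    need(sid_len + 2); off += sid_len                # session id, then cipher suites length
    (cs_len,) = struct.unpack("!H", ch[off:off + 2]); off += 2
    need(cs_len + 1); off += cs_len                  # cipher suites, then compression length
    cm_len = ch[off]; off += 1
    need(cm_len); off += cm_len
    if off == len(ch):
        return {}                                    # the extensions block is optional
    need(2)
    (ext_total,) = struct.unpack("!H", ch[off:off + 2]); off += 2
    need(ext_total)
    end = off + ext_total
    exts = {}
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", ch[off:off + 4]); off += 4
        if off + elen > end:
            raise ValueError("extension overflows extensions block")
        exts[etype] = ch[off:off + elen]; off += elen
    if off != end:
        raise ValueError("trailing bytes in extensions block")
    return exts


def padding_length(record: bytes) -> int:
    """Length in bytes of the padding extension, 0 if absent."""
    return len(parse_client_hello_extensions(record).get(TLS_EXT_PADDING, b""))


def has_abnormal_padding(record: bytes, threshold: int = PADDING_THRESHOLD) -> bool:
    return padding_length(record) > threshold


def build_client_hello(padding_len: int, sni: bytes = b"example.test") -> bytes:
    """Constructed minimal ClientHello (sample input, not captured traffic) with an
    SNI extension and a padding extension of `padding_len` zero bytes."""
    host = struct.pack("!BH", 0, len(sni)) + sni
    sni_ext = struct.pack("!HH", 0, len(host) + 2) + struct.pack("!H", len(host)) + host
    pad_ext = struct.pack("!HH", TLS_EXT_PADDING, padding_len) + bytes(padding_len)
    exts = sni_ext + pad_ext
    body = (b"\x03\x03" + bytes(32)                  # legacy_version, random
            + b"\x00"                                # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for n in (200, 3000):
        print(n, "abnormal" if has_abnormal_padding(build_client_hello(n)) else "normal")
```

The parser takes one record; a ClientHello padded to several kilobytes is exactly the case the commit mentions, where the hello is split across TLS records or TCP segments, so a dissector reassembles the handshake message before applying a check like this.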
Ivan Nardi
69c89f9061
TLS: heuristics: fix memory allocations ( #2577 )
Allocate heuristics state only if really needed.
Fix memory leak (it happened with WebSocket traffic on port 443)
2024-09-30 16:55:07 +02:00
Ivan Nardi
ddd08f913c
Add some heuristics to detect encrypted/obfuscated/proxied TLS flows ( #2553 )
Based on the paper: "Fingerprinting Obfuscated Proxy Traffic with
Encapsulated TLS Handshakes".
See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting
Basic idea:
* the packets/bytes distribution of a TLS handshake is quite unique
* this fingerprint is still detectable if the handshake is
encrypted/proxied/obfuscated
All heuristics are disabled by default.
2024-09-24 14:20:31 +02:00
Nardi Ivan
686d0e3839
Fix Sonos trace
2024-09-24 13:28:19 +02:00
Luca Deri
806f47337d
Added Sonos protocol detection
2024-09-24 10:55:48 +02:00
Ivan Nardi
2bf869ca59
TLS: improve handling of Change Cipher message ( #2564 )
2024-09-23 17:58:21 +02:00
Ivan Nardi
456bc2a52c
Tls out of order ( #2561 )
* Revert "Added fix for handling Server Hello before Client Hello"
This reverts commit eb15b22e77.
* TLS: add some tests with unidirectional traffic
* TLS: another attempt to process CH received after the SH
Obviously, we will process unidirectional traffic longer, because we are
now waiting for messages in both directions
2024-09-18 21:04:03 +02:00
Luca
eb15b22e77
Added fix for handling Server Hello before Client Hello
2024-09-17 19:04:01 +02:00
Luca
eeb1c281ad
Fixed handling of spurious TCP retransmissions
2024-09-17 19:04:01 +02:00
Ivan Nardi
a1602dd0a5
dns: add a check before setting NDPI_MALFORMED_PACKET risk ( #2558 )
"Invalid DNS Header" risk should be set only if the flow has been
already classified as DNS. Otherwise, almost any non-DNS flow on port 53
will end up having the `NDPI_MALFORMED_PACKET` risk set, which is a little
bit confusing for non-DNS traffic
2024-09-16 22:21:14 +02:00
Ivan Nardi
0ddbda1f82
Add a heuristic to detect encrypted/obfuscated OpenVPN flows ( #2547 )
Based on the paper: "OpenVPN is Open to VPN Fingerprinting"
See: https://www.usenix.org/conference/usenixsecurity22/presentation/xue-diwen
Basic idea:
* the distribution of the first byte of the messages (i.e. the distribution
of the op-codes) is quite unique
* this fingerprint might still be detectable even if the OpenVPN packets are
somehow fully encrypted/obfuscated
The heuristic is disabled by default.
2024-09-16 18:38:26 +02:00
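The first-byte distribution idea from the commit above, as an added example (my own code, not the nDPI heuristic). The OpenVPN header puts the opcode in the top five bits of the first byte and the key id in the low three. Two checks are shown: a cleartext one that decodes opcodes, and a distribution-only one that counts distinct first bytes over a window and therefore survives a byte-wise obfuscation such as XOR with a constant mask. The window size, the distinct-value limit, the function names and the three constructed flows are assumptions of this example.

```python
from collections import Counter

# OpenVPN packet header: first byte = (opcode << 3) | key_id.
# Opcode values as defined in OpenVPN's sources (ssl.h / ssl_pkt.h).
OPCODES = {
    "P_CONTROL_HARD_RESET_CLIENT_V1": 1,
    "P_CONTROL_HARD_RESET_SERVER_V1": 2,
    "P_CONTROL_SOFT_RESET_V1": 3,
    "P_CONTROL_V1": 4,
    "P_ACK_V1": 5,
    "P_DATA_V1": 6,
    "P_CONTROL_HARD_RESET_CLIENT_V2": 7,
    "P_CONTROL_HARD_RESET_SERVER_V2": 8,
    "P_DATA_V2": 9,
    "P_CONTROL_HARD_RESET_CLIENT_V3": 10,
    "P_CONTROL_WKC_V1": 11,
}
VALID_OPCODES = set(OPCODES.values())
CLIENT_HARD_RESETS = {OPCODES["P_CONTROL_HARD_RESET_CLIENT_V1"],
                      OPCODES["P_CONTROL_HARD_RESET_CLIENT_V2"],
                      OPCODES["P_CONTROL_HARD_RESET_CLIENT_V3"]}
DATA_OPCODES = {OPCODES["P_DATA_V1"], OPCODES["P_DATA_V2"]}


def opcode(payload: bytes) -> int:
    return payload[0] >> 3


def key_id(payload: bytes) -> int:
    return payload[0] & 0x07


def first_byte_distribution(payloads) -> Counter:
    """Histogram of the first byte of each non-empty UDP payload in the flow."""
    return Counter(p[0] for p in payloads if p)


def looks_like_plain_openvpn(payloads, min_pkts: int = 6) -> bool:
    """Cleartext-header check: every opcode is a defined one, the flow opens with
    a client hard reset, and data packets follow the control phase."""
    ops = [opcode(p) for p in payloads if p]
    if len(ops) < min_pkts or ops[0] not in CLIENT_HARD_RESETS:
        return False
    if any(o not in VALID_OPCODES for o in ops):
        return False
    return any(o in DATA_OPCODES for o in ops)


def looks_like_obfuscated_openvpn(payloads, window: int = 10, max_distinct: int = 5) -> bool:
    """Distribution-only check that never decodes the opcode. The control phase
    cycles through a handful of opcodes, so over the first `window` packets the
    first byte takes only a few distinct values. A byte-wise obfuscation that maps
    each input byte to one fixed output byte (e.g. XOR with a constant mask)
    preserves that count; a transport with properly encrypted headers shows close
    to `window` distinct values. `window` and `max_distinct` are assumed here."""
    first_bytes = [p[0] for p in payloads[:window] if p]
    if len(first_bytes) < window:
        return False
    return len(set(first_bytes)) <= max_distinct


def _pkt(op: int, key: int = 0, body: bytes = bytes(20)) -> bytes:
    return bytes([(op << 3) | key]) + body


# Constructed sample flows (not captured traffic): a plain handshake followed by
# data, the same flow under a constant-XOR obfuscation, and a flow whose first
# bytes are all different, standing in for an encrypted-header transport.
PLAIN_FLOW = [_pkt(OPCODES[n]) for n in (
    "P_CONTROL_HARD_RESET_CLIENT_V2", "P_CONTROL_HARD_RESET_SERVER_V2",
    "P_ACK_V1", "P_CONTROL_V1", "P_CONTROL_V1", "P_ACK_V1", "P_CONTROL_V1",
    "P_DATA_V2", "P_DATA_V2", "P_DATA_V2", "P_DATA_V2")]
XOR_MASK = 0x5A
XOR_FLOW = [bytes(b ^ XOR_MASK for b in p) for p in PLAIN_FLOW]
ENCRYPTED_HEADER_FLOW = [bytes([(i * 37) % 256]) + bytes(20) for i in range(11)]


if __name__ == "__main__":
    for name, flow in (("plain", PLAIN_FLOW), ("xor", XOR_FLOW), ("encrypted", ENCRYPTED_HEADER_FLOW)):
        print(name, looks_like_plain_openvpn(flow), looks_like_obfuscated_openvpn(flow),
              dict(first_byte_distribution(flow)))
```

As with the nDPI heuristic, a distribution check like the second one is a statistical hint rather than a classification, so it belongs behind a configuration switch and is best confirmed with other evidence before acting on it.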
Nardi Ivan
9e5d0e05d3
QUIC: add a basic heuristic to detect mid-flows
2024-09-10 19:32:31 +02:00
Ivan Nardi
bc9472277d
RTMP: improve detection ( #2549 )
2024-09-10 16:33:06 +02:00
Ivan Nardi
92507c0146
oracle: fix dissector ( #2548 )
We can definitely do better, but this change is a big improvement
with respect to the current broken code
2024-09-07 12:00:31 +02:00
Nardi Ivan
2964c23ca1
Add detection of Windscribe VPN
2024-09-05 16:36:50 +02:00
Nardi Ivan
c99646e4af
Add detection of CactusVPN
2024-09-05 16:36:50 +02:00
Nardi Ivan
5b0374c28b
Add detection of SurfShark VPN
2024-09-05 16:36:50 +02:00
Nardi Ivan
85ebda434d
OpenVPN, Wireguard: improve sub-classification
Allow sub-classification of OpenVPN/Wireguard flows using their server IP.
That is useful to detect the specific VPN application/app used.
At the moment, the supported protocols are: Mullvad, NordVPN, ProtonVPN.
This feature is configurable.
2024-09-05 16:36:50 +02:00
Nardi Ivan
f350379e95
Add detection of NordVPN
2024-09-05 16:36:50 +02:00