Luca
9c235796af
Introduced risk accountability
2022-07-12 10:36:40 +02:00
Luca
cba2d12051
Cosmetic change
2022-07-12 10:36:32 +02:00
Ivan Nardi
b4cb14ec19
Keep track of how many dissector calls we made for each flow ( #1657 )
2022-07-11 09:47:47 +02:00
Ivan Nardi
df599e5eff
HTTP: improve detection of WindowsUpdate ( #1658 )
...
WindowsUpdate is also transported over HTTP, using a numeric IP as
hostname (some kinds of CDN?)
2022-07-10 17:08:37 +02:00
Ivan Nardi
1fcd03a6b6
Remove unsafe access to flow->protos union ( #1656 )
...
We can access `flow->protos` only if we already have set a valid
classification.
It is quite likely that this code is never triggered, anyway.
2022-07-10 17:08:22 +02:00
Ivan Nardi
2edfaeba4a
SNMP: fix detection ( #1655 )
...
We can write to `flow->protos` only when we are sure about SNMP
classification.
Use the generic wrapper to decode ASN1 BER integer
2022-07-10 17:07:52 +02:00
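As an added illustration of the bounds-checked BER INTEGER decoding that the SNMP fix above refers to, here is a stand-alone decoder written for this page. It is not nDPI's own wrapper and does not reproduce its signature; the byte strings are constructed test vectors, not captured SNMP traffic. The point it demonstrates is the one the commit makes: a dissector must validate the declared length against the bytes actually available before it reads content or records a classification, and an attacker-controlled long-form length must not be able to wrap the bounds arithmetic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Bounds-checked decoder for one ASN.1 BER INTEGER TLV (tag 0x02).
 * buf/len: the bytes still available in the packet payload.
 * On success stores the value in *out (if out != NULL) and returns the
 * number of bytes consumed (tag + length + content); returns 0 on any
 * truncated, malformed or unsupported (> 8 content bytes) encoding, so a
 * caller never reads past len and never acts on a half-parsed value.
 * Minimal (DER) encoding is deliberately not enforced: BER allows
 * long-form lengths for small values, and SNMP is BER.
 */
static size_t ber_decode_integer(const uint8_t *buf, size_t len, int64_t *out)
{
    size_t pos, content_len;

    if (buf == NULL || len < 2 || buf[0] != 0x02)
        return 0;
    pos = 1;

    /* Length octets: short form (< 0x80) or long form 0x8N + N big-endian bytes.
       0x80 (indefinite length) is not valid for a primitive type. */
    if (buf[pos] < 0x80) {
        content_len = buf[pos++];
    } else {
        size_t n = buf[pos++] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || n > len - pos)
            return 0;
        content_len = 0;
        for (size_t i = 0; i < n; i++)
            content_len = (content_len << 8) | buf[pos++];
    }

    /* Written as "content_len > len - pos" rather than "pos + content_len > len"
       so an attacker-controlled length cannot wrap the addition. */
    if (content_len == 0 || content_len > 8 || content_len > len - pos)
        return 0;

    /* Two's complement, big-endian: sign-extend from the first content byte.
       Arithmetic is done on uint64_t to avoid shifting a negative value. */
    uint64_t v = (buf[pos] & 0x80) ? UINT64_MAX : 0;
    for (size_t i = 0; i < content_len; i++)
        v = (v << 8) | buf[pos + i];

    if (out != NULL) {
        int64_t sv;
        memcpy(&sv, &v, sizeof sv);
        *out = sv;
    }
    return pos + content_len;
}

/* Helper for checks: 1 if decoding consumes exactly want_len bytes and
   (when want_len > 0) yields want_val, else 0. */
static int ber_int_check(const uint8_t *buf, size_t len, size_t want_len, int64_t want_val)
{
    int64_t v = 0;
    size_t got = ber_decode_integer(buf, len, &v);
    if (got != want_len)
        return 0;
    return want_len == 0 || v == want_val;
}

/* Constructed test vectors (not captured traffic). */
static const uint8_t BER_SNMP_V1[]   = {0x02, 0x01, 0x00};             /* SNMP version field: 0 => v1 */
static const uint8_t BER_500[]       = {0x02, 0x02, 0x01, 0xF4};       /* 500 */
static const uint8_t BER_MINUS_1[]   = {0x02, 0x01, 0xFF};             /* -1 */
static const uint8_t BER_MINUS_129[] = {0x02, 0x02, 0xFF, 0x7F};       /* -129 */
static const uint8_t BER_LONG_LEN[]  = {0x02, 0x82, 0x00, 0x01, 0x2A}; /* 42, long-form length (BER ok, DER not) */
static const uint8_t BER_TRUNCATED[] = {0x02, 0x04, 0x01};             /* claims 4 content bytes, only 1 present */
static const uint8_t BER_HUGE_LEN[]  = {0x02, 0x88, 0xFF, 0xFF, 0xFF, 0xFF,
                                        0xFF, 0xFF, 0xFF, 0xFF, 0x01}; /* length 2^64-1: would wrap pos+len */
static const uint8_t BER_NOT_INT[]   = {0x04, 0x01, 0x41};             /* OCTET STRING, wrong tag */

int main(void)
{
    int64_t v = 0;
    size_t n = ber_decode_integer(BER_500, sizeof BER_500, &v);
    printf("consumed %zu bytes, value %lld\n", n, (long long)v);
    printf("truncated TLV rejected: %s\n",
           ber_decode_integer(BER_TRUNCATED, sizeof BER_TRUNCATED, &v) == 0 ? "yes" : "no");
    printf("2^64-1 length rejected:  %s\n",
           ber_decode_integer(BER_HUGE_LEN, sizeof BER_HUGE_LEN, &v) == 0 ? "yes" : "no");
    return 0;
}
```

In a dissector the return value of 0 is the signal to leave the flow unclassified (or to wait for more packets) rather than to write anything into per-protocol flow state; the value is only trusted once the whole TLV has been shown to fit in the buffer.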
Ivan Nardi
997dce0f04
SIP: improve detection ( #1654 )
2022-07-09 05:45:42 +02:00
Ivan Nardi
dfe6557e18
TFTP: fix memory access ( #1653 )
2022-07-08 18:39:05 +02:00
Ivan Nardi
510517126a
LDAP: rewrite dissection ( #1649 )
2022-07-08 12:50:46 +02:00
Ivan Nardi
f8076e3a58
SMB: add (partial) support for messages split into multiple TCP segments ( #1644 )
2022-07-07 19:24:31 +02:00
Ivan Nardi
ff4e010501
Avoid spurious calls to extra dissection ( #1648 )
...
If the extra callback is not set, calling the extra dissection is only a
waste of resources...
2022-07-07 17:49:35 +02:00
Ivan Nardi
d254ae54f3
SMTP: add support for X-ANONYMOUSTLS command ( #1650 )
2022-07-07 16:46:18 +02:00
Ivan Nardi
feaa1df1ed
Kerberos: add support for Krb-Error messages ( #1647 )
2022-07-07 16:45:49 +02:00
Ivan Nardi
056e742304
Spotify: remove some useless ip ranges ( #1646 )
...
These AS numbers are no longer related to Spotify (or, if they are, they
don't have any prefixes anyway).
Even if we find some valid Spotify AS, we should handle them via the
generic "autogenerated logic" used for every AS, and not in the
dissector code.
2022-07-07 15:39:19 +02:00
Nardi Ivan
2636c07571
MONGODB: avoid false positives
2022-07-07 15:36:05 +02:00
Nardi Ivan
a31e79fc3c
TLS: ignore invalid Content Type values
2022-07-07 15:36:05 +02:00
Toni
15042870f9
Added Threema Messenger. ( #1643 )
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2022-07-06 19:30:10 +02:00
Toni Uhlig
105f661e46
Added RiotGames ASN update.
...
* updated asn lists
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2022-07-06 14:37:26 +02:00
Toni Uhlig
a1c3d05a74
Added another RiotGames signature.
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2022-07-06 14:37:26 +02:00
Toni
175f863665
Label SMTP w/ STARTTLS as SMTPS *and* dissect TLS clho. ( #1639 )
...
* Label SMTP w/ STARTTLS as SMTPS *and* dissect TLS clho.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Revert "SMTP with STARTTLS is now identified as SMTPS"
This reverts commit 52d987b603 .
* Revert "Compilation fix"
This reverts commit c019946f60 .
* Sync unit tests.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2022-07-06 12:40:25 +02:00
Luca Deri
c019946f60
Compilation fix
2022-07-05 17:38:32 +02:00
Ivan Nardi
7645909460
Fix handling of NDPI_UNIDIRECTIONAL_TRAFFIC risk ( #1636 )
2022-07-05 17:01:00 +02:00
Luca Deri
52d987b603
SMTP with STARTTLS is now identified as SMTPS
2022-07-05 17:00:21 +02:00
Toni
f4a1739f9c
Detect SMTPs w/ STARTTLS as TLS and dissect client/server hello. Fixes #1630 . ( #1637 )
...
* FTP needs to get updated as well as it has similar STARTTLS semantics -> follow-up
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2022-07-05 16:35:23 +02:00
Luca Deri
7fa8d882d8
Exported username in flow information
2022-07-04 22:52:54 +02:00
Luca Deri
461589517e
Updated ndpi_check_flow_risk_exceptions() signature
2022-07-04 21:38:38 +02:00
Luca Deri
e7a5eaecde
Cleaned up issuer DN check code, adding
...
u_int8_t ndpi_check_issuerdn_risk_exception(struct ndpi_detection_module_struct *ndpi_str, char *issuerDN);
Added new API function for checking nDPI-configured exceptions
u_int8_t ndpi_check_flow_risk_exception(struct ndpi_detection_module_struct *ndpi_str,
u_int num_params,
ndpi_risk_params **params);
2022-07-04 18:41:01 +02:00
Luca Deri
8ff2860601
Set CiscoVPN as a network protocol
2022-07-04 18:41:01 +02:00
Toni Uhlig
b3d3e3b210
Replaced malicious JA3-md5/SSL-cert-sha1 ac automata with hashmaps.
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2022-07-04 16:05:22 +02:00
Toni
4ff8aa48b2
Added UltraSurf protocol dissector. ( #1618 )
...
* TLSv1.3 UltraSurf flows are not detected for now
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2022-07-04 16:04:53 +02:00
Ivan Nardi
5aa3d9126f
Add two new confidence values: confidence by partial DPI ( #1632 )
...
Used for all classifications based on partial/incomplete DPI
information, i.e. all classifications done in `ndpi_detection_giveup()`.
2022-07-04 13:56:51 +02:00
Ivan Nardi
4445989588
Update host content list match ( #1633 )
...
Improve classifications of Outlook, Cachefly, Cloudflare, Tiktok and
Cybersecurity.
2022-07-04 13:21:11 +02:00
Toni
75f7da5c26
Added Psiphon detection patterns. See #566 and #1099 . ( #1631 )
...
* The traces are not up to date, but this is the best we got so far.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2022-07-04 10:34:54 +02:00
Ivan Nardi
192a32207c
OCSP: improve detection ( #1629 )
2022-07-04 07:22:56 +02:00
Toni
a74fc089c4
Added i3D and RiotGames protocol dissectors. ( #1609 )
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2022-07-03 20:43:30 +02:00
Ivan Nardi
faaff58620
TargusDataspeed: avoid false positives ( #1628 )
...
TargusDataspeed dissector doesn't perform any real DPI checks but it only
looks at the TCP/UDP ports.
Delete it, and use standard logic to classify these flows by port.
2022-07-03 20:28:58 +02:00
Ivan Nardi
50c0212df1
Update ASN/IPs lists ( #1627 )
2022-07-03 19:50:47 +02:00
Ivan Nardi
b5fb2066cb
bins: add support for 64bit bins ( #1626 )
2022-07-03 19:25:15 +02:00
Ivan Nardi
422d002542
Skinny: rework and improve classification ( #1625 )
2022-07-03 19:25:00 +02:00
Ivan Nardi
eed47acfc8
Skype_Teams, Mining, SnapchatCall: fix flow category ( #1624 )
2022-07-03 18:51:16 +02:00
Ivan Nardi
77ac58e553
Minor changes in how classification results are set ( #1623 )
...
Protocol classification should always be set via
`ndpi_set_detected_protocol()`: this way, the values in
`flow->detected_protocol_stack[]` are always coherent.
2022-07-03 18:45:24 +02:00
Ivan Nardi
060e894d5b
Usenet: improve dissection ( #1622 )
2022-07-03 18:08:04 +02:00
Ivan Nardi
fdb1649a49
Fix category for mail sessions ( #1621 )
...
Close #629
2022-07-03 17:47:58 +02:00
Ivan Nardi
5fe6087686
TLS: add support for old DTLS versions and for detection of mid-sessions ( #1619 )
2022-07-03 17:44:17 +02:00
Ivan Nardi
5f6fa6d164
Fix a compilation warning ( #1620 )
...
With clang-15 (nightly build)
```
In file included from ndpi_bitmap.c:39:
./third_party/src/roaring.cc:14233:13: warning: variable 'run_count' set but not used [-Wunused-but-set-variable]
int run_count = 0;
```
2022-07-03 17:43:38 +02:00
Toni
1a01e8dc68
Improved TFTP. Dissect Read/Write Request filenames. ( #1617 )
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2022-07-03 14:37:05 +02:00
Toni
7c5c811eb0
Added Cloudflare WARP detection patterns. ( #1615 ) ( #1616 )
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2022-07-02 14:57:56 +02:00
Luca Deri
008a1790e4
Fixed SMTP default port 587
2022-07-02 11:49:22 +02:00
Toni
bb72aa4767
Added TunnelBear VPN detection patterns. ( #1615 )
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2022-07-01 13:19:17 +02:00
Luca Deri
8f6a006e36
Updated (C)
2022-06-30 14:53:47 +02:00