vrr/nDPI
2
0
Fork 0
mirror of https://github.com/vel21ripn/nDPI.git synced 2026-05-04 18:00:17 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5
4969 commits 9 branches 12 tags 263 MiB
Commit graph

354 commits

Author SHA1 Message Date
Ivan Nardi
88d1416b70
STUN: fix detection of Google Meet over IPv6 (#2241) 2024-01-02 19:30:59 +01:00
Vladimir Gavrilov
0180c1f04a
Add IEC62056 (DLMS/COSEM) protocol dissector (#2229) 
* Add IEC62056 (DLMS/COSEM) protocol dissector

* Fix detection on big endian architectures

* Update protocols.rst

* Add ndpi_crc16_x25 to fuzz/fuzz_alg_crc32_md5.c

* Update pcap sample

* Remove empty .out file

* iec62056: add some documentation

---------

Co-authored-by: Nardi Ivan <nardi.ivan@gmail.com>
 2024-01-02 16:45:54 +01:00
Vladimir Gavrilov
0f4d9f5054
Remove Google Hangouts/Duo stuff (#2233) 
* Remove Google Hangouts/Duo support

* Update protocols.rst
 2024-01-02 14:01:33 +01:00
Ivan Nardi
d886a6107f
Teamviewer: varius fixes (#2228) 
We already have a generic (and up to date) logic to handle ip addresses:
remove that stale list.

Teamviewer uses TCP and UDP, both; we can't access `flow->l4.udp`.

According to a comment, we set the flow risk
`NDPI_DESKTOP_OR_FILE_SHARING_SESSION` only for the UDP flows.
 2024-01-02 11:22:43 +01:00
Vladimir Gavrilov
2796bc9b47
Add NoMachine NX protocol dissector (#2234) 
* Add NoMachine protocol dissector

* Fix detection on big endian architectures

* Make NoMachine over UDP check more strict

* Small fixes
 2024-01-02 10:23:42 +01:00
Luca Deri
7c4be6d077 Updated result 2023-12-22 21:29:45 +01:00
Luca Deri
8285fffdae Implements JA4 Support (#2191) 2023-12-22 20:40:42 +01:00
Vladimir Gavrilov
5eb468d07b
Add Apache Kafka protocol dissector (#2226) 2023-12-22 14:42:47 +01:00
Vladimir Gavrilov
6fc8aa4e61
Add WebDAV detection support (#2224) 
* Add WebDAV detection support

* Add pcap example

* Update test results

* Remove redundant checks

* Add WebDAV related HTTP methods to fuzz/dictionary.dict

* Add note about WebDAV
 2023-12-22 13:23:37 +01:00
Vladimir Gavrilov
149067b3fc
Add JSON-RPC protocol dissector (#2217) 
* Add JSON-RPC protocol dissector

* Small fixes

* Improve detection
 2023-12-20 12:42:25 +01:00
Vladimir Gavrilov
33f11cb10f
Add OpenFlow protocol dissector (#2222) 2023-12-20 10:48:45 +01:00
Ivan Nardi
8aa09f9c99
mining: a better identification logic (#2221) 
It is quite simple (and not so efficient) but it should fix all the
false positives reported in #2216. Add support for Ethereum mining.

Merge all the mining traces.

Remove duplicated function.

Close #2216
 2023-12-20 10:46:57 +01:00
Ivan Nardi
308b266333
fuzz: improve fuzzing coverage (#2220) 2023-12-19 20:33:08 +01:00
Vladimir Gavrilov
59c8eabc0e
Add UFTP protocol dissector (#2215) 
* Add UFTP protocol dissector

* Update docs

* Merge pcap files
 2023-12-18 11:21:07 +01:00
Vladimir Gavrilov
d8c7a76611
Add HiSLIP protocol dissector (#2214) 
* Add HiSLIP protocol dissector

* Fix error
 2023-12-17 11:52:55 +01:00
Vladimir Gavrilov
0f3e6d832b
Add PROFINET/IO protocol dissector (#2213) 
* Add PROFINET/IO protocol dissector

* Add LE (Little Endian) to the file name

* Rework dissector

* Remove redundant check
 2023-12-16 13:30:21 +01:00
Toni
ef62391dba
Add Monero protocol classification. (#2196) 
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
 2023-12-13 19:55:18 +01:00
Ivan Nardi
bda037c57f
Sync unit tests results after latest merge (#2211) 2023-12-13 17:47:20 +01:00
Ivan Nardi
193f28582b
QUIC: add heuristic to detect unidirectional *G*QUIC flows (#2207) 
Fix extraction of `flow->protos.tls_quic.quic_version` metadata.
 2023-12-13 17:14:04 +01:00
Ivan Nardi
241c42ad7e
ndpiReader: fix guessed_flow_protocols statistic (#2203) 
Increment the counter only if the flow has been guessed
 2023-12-12 19:44:03 +01:00
Ivan Nardi
673b6e7345
HTTP: faster processing of asymmetric flows (#2198) 2023-12-11 14:52:31 +01:00
Ivan Nardi
adf8982d8e
fuzz: extend fuzzing coverage (#2205) 2023-12-11 12:48:50 +01:00
Ivan Nardi
f74cf16c36
OpenVPN: rework detection (#2199) 
Close #1873
 2023-12-06 10:24:26 +01:00
Vladimir Gavrilov
ad20846fad
Add Ether-S-Bus protocol dissector (#2200) 2023-12-05 17:20:38 +01:00
Vladimir Gavrilov
be50493f44
Add IEEE C37.118 protocol dissector (#2193) 2023-12-05 08:06:15 +01:00
Vladimir Gavrilov
c34bded4ef
Add ISO 9506-1 MMS protocol dissector (#2189) 
* Add ISO 9506-1 MMS protocol dissector
* Fix detection on big-endian architectures
 2023-12-01 09:03:07 +01:00
Ivan Nardi
983b8e8eee
STUN: parsing of DATA attribute (#2179) 2023-12-01 07:01:49 +01:00
Vladimir Gavrilov
24df1913ac
Add Beckhoff ADS protocol dissector (#2181) 
* Add Beckhoff ADS protocol dissector

* Remove redundant le32toh

* Fix detection on big-endian architectures
 2023-11-30 09:13:45 +01:00
Ivan Nardi
6f046df0dc
STUN: fix detection of DTLS (#2187) 
Fix a memory leak
```
==97697==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 16 byte(s) in 1 object(s) allocated from:
    #0 0x55a6967cfa7e in malloc (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader+0x701a7e) (BuildId: c7124999fa1ccc54346fa7bd536d8eab88c3ea01)
    #1 0x55a696972ab5 in ndpi_malloc /home/ivan/svnrepos/nDPI/src/lib/ndpi_memory.c:60:25
    #2 0x55a696972da0 in ndpi_strdup /home/ivan/svnrepos/nDPI/src/lib/ndpi_memory.c:113:13
    #3 0x55a696b7658d in processClientServerHello /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:2394:46
    #4 0x55a696b86e81 in processTLSBlock /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:897:5
    #5 0x55a696b80649 in ndpi_search_tls_udp /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:1262:11
    #6 0x55a696b67a57 in ndpi_search_tls_wrapper /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:2751:5
    #7 0x55a696b67758 in switch_to_tls /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:1408:3
    #8 0x55a696c47810 in stun_search_again /home/ivan/svnrepos/nDPI/src/lib/protocols/stun.c:422:4
    #9 0x55a6968a22af in ndpi_process_extra_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7247:9
    #10 0x55a6968acd6f in ndpi_internal_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7746:5
    #11 0x55a6968aba3f in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:8013:22
    #12 0x55a69683d30e in packet_processing /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:1723:31
    #13 0x55a69683d30e in ndpi_workflow_process_packet /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:2440:10
    #14 0x55a69680f08f in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader.c:135:7
[...]
SUMMARY: AddressSanitizer: 16 byte(s) leaked in 1 allocation(s).
```
Found by oss-fuzzer
See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64564
 2023-11-30 09:09:40 +01:00
Ivan Nardi
ac90b1f009
Fix detection of NDPI_TCP_ISSUES flow risk (#2177) 
We need to take into account retransmissions: they increase
`flow->all_packets_counter` counter but not `flows->packet_counter`
one.
Therefore, the right way to check for 3WH + RST pattern involves checking
for `flows->packet_counter == 0`
 2023-11-29 16:55:39 +01:00
Vladimir Gavrilov
c60c03766c
Add Schneider Electric’s UMAS detection support (#2180) 
* Add Schneider Electric’s UMAS detection support

* Swap proto IDs in ndpi_set_detected_protocol

* Update unit test result
 2023-11-28 18:03:00 +01:00
Vladimir Gavrilov
ebb1bc2f34
Add Ether-S-I/O protocol dissector (#2174) 2023-11-27 19:04:05 +01:00
Vladimir Gavrilov
84427b0754
Add Omron FINS protocol dissector (#2172) 
* Add Omron FINS protocol dissector

* Add a kludge to avoid invalid FINS over UDP detection as SkypeTeams and RTP

* Update unit test results

* Update protocols.rst

* Remove dummy flows from fins.pcap
 2023-11-27 17:09:53 +01:00
Vladimir Gavrilov
3763c702f0
Rework S7Comm dissector; add S7Comm Plus support (#2165) 
* Rework S7Comm dissector; add S7Comm Plus support

* Cleanup s7comm.c

* Improve S7Comm Plus detection

* s7comm/s7commplus: faster detection

---------

Co-authored-by: 0xA50C1A1 <mage.wizard88@gmail.com>
Co-authored-by: Nardi Ivan <nardi.ivan@gmail.com>
 2023-11-27 14:37:48 +01:00
Vladimir Gavrilov
0b6e261523
Improve CORBA detection (#2167) 
* Improve CORBA detection

* Remove dummy flow from ziop.pcap

* Merge ziop.pcap and miop.pcap into corba.pcap
 2023-11-27 13:10:50 +01:00
Vladimir Gavrilov
da629709f3
Add OPC UA protocol dissector (#2169) 2023-11-27 12:13:23 +01:00
Ivan Nardi
7ff22a7e3c
STUN: improve demultiplexing of DTLS packets (#2153) 
Keep demultiplexing STUN/RTP/RTCP packets after DTLS ones.

We might end up processing the session a little longer, because we will
process the STUN/RTP/RTCP packets after the DTLS handshake.
 2023-11-27 11:10:38 +01:00
Vladimir Gavrilov
87399b3544
Add RTPS protocol dissector (#2168) 2023-11-27 07:17:39 +01:00
Vladimir Gavrilov
27802b0134
Reduce false positives for H.323 over TCP (#2164) 
Co-authored-by: 0xA50C1A1 <mage.wizard88@gmail.com>
 2023-11-23 17:29:00 +01:00
Vladimir Gavrilov
fbae51ae9d
Get rid of RDP false positives (#2161) 
* Get rid of false positives in the RDP protocol dissector

* Remove kludge for RDP

* RDP: improve detection

---------

Co-authored-by: 0xA50C1A1 <mage.wizard88@gmail.com>
Co-authored-by: Nardi Ivan <nardi.ivan@gmail.com>
 2023-11-23 09:35:43 +01:00
Vladimir Gavrilov
5c8c5c90c2
Add HART-IP protocol dissector (#2163) 
* Add HART-IP protocol dissector

* Update docs

* Update protocols.rst

* Reuse free proto id and re-run tests

* docs: move HART-IP to top of list

---------

Co-authored-by: 0xA50C1A1 <mage.wizard88@gmail.com>
 2023-11-22 22:04:22 +01:00
Toni
21f2574033
Improved TFTP. Fixes #2075. (#2149) 
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
 2023-11-21 16:56:46 +01:00
Vladimir Gavrilov
35abafec4f
Get rid of Apache Cassandra false positives (#2159) 
* Rewrite Apache Cassandra dissector

* Replace memcmp with strncmp

* Add payload length check

* Update Cassandra dissector

* Update test results

---------

Co-authored-by: 0xA50C1A1 <mage.wizard88@gmail.com>
 2023-11-21 16:56:01 +01:00
Vladimir Gavrilov
ae6e6d61f0
Add IEEE 1588-2008 (PTPv2) dissector (#2156) 
* Add IEEE 1588-2008 (PTPv2) dissector

PTPv2 is a time synchronization protocol in computer networks, similar to NTP.

* Add default protocol ports

* Update default test result for PTPv2

* Update copyright

---------

Co-authored-by: 0xA50C1A1 <mage.wizard88@gmail.com>
 2023-11-21 13:39:54 +01:00
Vladimir Gavrilov
8d71998670
Remove Google+ support (#2155) 
* Remove Google+ support

Google+ was discontiued in 2019, so I think that its protocol id can be freed for reuse.

* Fix typo

* Update tests

---------

Co-authored-by: 0xA50C1A1 <mage.wizard88@gmail.com>
 2023-11-21 08:14:20 +01:00
Ivan Nardi
bdb73db1a4
IP lists: aggregate addresses wherever possible (#2152) 
See #2150
 2023-11-17 12:26:23 +01:00
Toni
38f9a74713
Added TeslaServices and improved TikTok host names. Fixes #2140. (#2144) 
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
 2023-11-10 11:25:10 +01:00
Toni
0673da54b5
Fixed implicit u32 cast in ndpi_data_min() / ndpi_data_max(). (#2139) 
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
 2023-11-09 10:16:57 +01:00
Ivan Nardi
b539b0d090
fuzz: improve coverage and remove dead code (#2135) 
We are not able to remove custom rules: remove the empty stubs (which
originate from the original OpenDPI code).

`ndpi_guess_protocol_id()` is only called on the first packet of the
flow, so the bitmask `flow->excluded_protocol_bitmask` is always empty,
since we didn't call any dissectors yet.

Move another hash function to the dedicated source file.
 2023-11-07 17:46:29 +01:00
Toni
6dcecd73d3
Added malicious sites from the polish cert. (#2121) 
* added handling of parsing errors

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
 2023-11-02 09:04:04 +01:00