Commit graph

4969 commits

Author SHA1 Message Date
Luca Deri
9a8dc640be buffer length is now returned by ndpi_quick_encrypt() and ndpi_quick_decrypt() 2024-09-24 12:51:55 +02:00
Luca Deri
42cfd29cc3 Added new API calls
u_int ndpi_hex2bin(u_char *out, u_int out_len, u_char* in, u_int in_len);
u_int ndpi_bin2hex(u_char *out, u_int out_len, u_char* in, u_int in_len);
2024-09-24 12:28:21 +02:00
Luca Deri
806f47337d Added Sonos protocol detection 2024-09-24 10:55:48 +02:00
Luca Deri
9f3b7cfd65
Added ndpi_quick_encrypt() ndpi_quick_decrypt() API calls (#2568)
* Added ndpi_quick_encrypt() ndpi_quick_decrypt() API calls based on AES

* Added aes.c
2024-09-24 09:40:21 +02:00
Ivan Nardi
2bf869ca59
TLS: improve handling of Change Cipher message (#2564) 2024-09-23 17:58:21 +02:00
Ivan Nardi
efe1930b02
Fix ndpi_strrstr() (#2565)
```
==6591==ERROR: AddressSanitizer: SEGV on unknown address 0x502000230000 (pc 0x55fbd836a5a0 bp 0x7ffdf4503670 sp 0x7ffdf4502e28 T0)
==6591==The signal is caused by a READ memory access.
    #0 0x55fbd836a5a0 in __sanitizer::internal_strlen(char const*) /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_libc.cpp:176:10
    #1 0x55fbd82cfc28 in StrstrCheck(void*, char*, char const*, char const*) /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:579:17
    #2 0x55fbd82cfbc2 in strstr /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:598:5
    #3 0x55fbd840a04a in ndpi_strrstr /src/ndpi/src/lib/ndpi_utils.c:3471:15
    #4 0x55fbd840ba95 in ndpi_get_host_domain /src/ndpi/src/lib/ndpi_domains.c:149:9
    #5 0x55fbd83ef751 in ndpi_check_dga_name /src/ndpi/src/lib/ndpi_main.c:10748:17
```
Found by oss-fuzz
2024-09-23 17:57:17 +02:00
Ivan Nardi
5c6e8da86c
wireshark: lua: add script for QUIC fingerprints [WIP] (#2566) 2024-09-23 17:53:40 +02:00
Luca Deri
08a37dc779 Replaced traces with debug messages 2024-09-20 18:44:05 +02:00
Liam Wilson
80971e4a17
Allow IP guess before port in ndpi_detection_giveup (#2562)
Add dpi.guess_ip_before_port which when enabled uses classification
by-ip before classification by-port.
2024-09-20 10:25:41 +02:00
Luca Deri
191694f797 Implemented ndpi_strrstr()
Fixed bug in ndpi_get_host_domain
2024-09-19 13:18:26 +02:00
Ivan Nardi
456bc2a52c
Tls out of order (#2561)
* Revert "Added fix for handling Server Hello before Client Hello"

This reverts commit eb15b22e77.

* TLS: add some tests with unidirectional traffic

* TLS: another attempt to process CH received after the SH

Obviously, we will process unidirectional traffic longer, because we are
now waiting for messages in both directions
2024-09-18 21:04:03 +02:00
Nardi Ivan
b6f187dffb fuzz: fix compilation 2024-09-17 20:17:35 +02:00
Luca
eb15b22e77 Added fix for handling Server Hello before Client Hello 2024-09-17 19:04:01 +02:00
Luca
eeb1c281ad Fixed handling of spurious TCP retransmissions 2024-09-17 19:04:01 +02:00
Luca
a726c70f9b Updated ndpi_serialize_flow_fingerprint API signature 2024-09-17 19:04:01 +02:00
Luca
1d1edfc1c7 domain lists are not loaded when -E is used 2024-09-17 19:04:01 +02:00
Luca
40fefd59a7 Improved fingerprint serialization 2024-09-17 19:04:01 +02:00
Luca
7cc2432098 Added DHCP class identifier 2024-09-17 19:04:01 +02:00
Ivan Nardi
85485ea28c
OpenVPN: heuristic: add a simple check to avoid false positives (#2560)
We should have too big packets during the initial handshake
2024-09-17 18:03:46 +02:00
Ivan Nardi
9d07cf2811
fuzz: try to be a little bit faster (#2559)
Some fuzzers don't really need a real and complete local context.
Try to avoid setting it up, creating a simpler fake version with only the
features really needed.
That is a kind of experiment: if it works, we can extend the same logic
to other fuzzers
2024-09-17 11:46:55 +02:00
Ivan Nardi
a1602dd0a5
dns: add a check before setting NDPI_MALFORMED_PACKET risk (#2558)
"Invalid DNS Header" risk should be set only if the flow has already been
classified as DNS. Otherwise, almost any non-DNS flow on port 53
will end up having the `NDPI_MALFORMED_PACKET` risk set, which is a little
bit confusing for non-DNS traffic
2024-09-16 22:21:14 +02:00
Ivan Nardi
1197cbdf58
wireshark: extcap: rework trailer header (#2557) 2024-09-16 22:19:20 +02:00
Ivan Nardi
0ddbda1f82
Add a heuristic to detect encrypted/obfuscated OpenVPN flows (#2547)
Based on the paper: "OpenVPN is Open to VPN Fingerprinting"
See: https://www.usenix.org/conference/usenixsecurity22/presentation/xue-diwen

Basic idea:
* the distribution of the first byte of the messages (i.e. the distribution
of the op-codes) is quite unique
* this fingerprint might be still detectable even if the OpenVPN packets are
somehow fully encrypted/obfuscated

The heuristic is disabled by default.
2024-09-16 18:38:26 +02:00
Nardi Ivan
47ea30fdaa TLS: fix stack-buffer-overflow
```
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior protocols/tls.c:1812:22
=================================================================
==97754==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ba835bde8e5 at pc 0x557ebb644241 bp 0x7ffec04b0ea0 sp 0x7ffec04b0648
WRITE of size 7 at 0x7ba835bde8e5 thread T0
    #0 0x557ebb644240 in vsnprintf (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x6bf240) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f)
    #1 0x557ebb645b1d in snprintf (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x6c0b1d) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f)
    #2 0x557ebb749dbc in ndpi_compute_ja4 /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:1812:12
    #3 0x557ebb7445a7 in processClientServerHello /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:2946:10
    #4 0x557ebb7073c9 in process_tls /home/ivan/svnrepos/nDPI/src/lib/protocols/quic.c:1397:3
    #5 0x557ebb6ff815 in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data.c:46:7
    #6 0x557ebb602dcb in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x67ddcb) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f)
    #7 0x557ebb5ecea8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x667ea8) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f)
    #8 0x557ebb5f299a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x66d99a) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f)
    #9 0x557ebb61c482 in main (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x697482) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f)
    #10 0x7fa837e27082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x557ebb5e7b5d in _start (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x662b5d) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f)
```
2024-09-16 17:30:39 +02:00
Nardi Ivan
3161c8a3de dhcp: fix out of bounds access 2024-09-16 17:30:39 +02:00
Nardi Ivan
f310424037 fuzz: fix compilation 2024-09-16 10:10:49 +02:00
Luca
6de91c7895 Reworked fingerprint export now in JSON 2024-09-16 09:21:17 +02:00
Luca Deri
b77d3e3ab6 Enhanced DHCP fingerprint
Exported it with -E
2024-09-15 20:21:32 +02:00
Luca Deri
fda3730cf0 Added -E option for dumping flow fingerprint 2024-09-15 19:38:33 +02:00
Nardi Ivan
9e5d0e05d3 QUIC: add a basic heuristic to detect mid-flows 2024-09-10 19:32:31 +02:00
Nardi Ivan
def86ba0a9 RTP: fix identification over TCP
We can access `flow->l4.udp` structure only with UDP flows...
2024-09-10 19:32:31 +02:00
Ivan Nardi
bc9472277d
RTMP: improve detection (#2549) 2024-09-10 16:33:06 +02:00
Luca Deri
7fdc4b2472
Implemented algorithms for K-Nearest Neighbor Search (KNN) (#2554)
* Extended API with functions for vector similarity based on KD-trees https://en.wikipedia.org/wiki/K-d_tree

ndpi_kd_tree* ndpi_kd_create(u_int num_dimensions);
void ndpi_kd_free(ndpi_kd_tree *tree);
void ndpi_kd_clear(ndpi_kd_tree *tree);
bool ndpi_kd_insert(ndpi_kd_tree *tree, const double *data_vector, void *user_data);
ndpi_kd_tree_result *ndpi_kd_nearest(ndpi_kd_tree *tree, const double *data_vector);
u_int32_t ndpi_kd_num_results(ndpi_kd_tree_result *res);
bool ndpi_kd_result_end(ndpi_kd_tree_result *res);
double* ndpi_kd_result_get_item(ndpi_kd_tree_result *res, double **user_data);
bool ndpi_kd_result_next(ndpi_kd_tree_result *res);
void ndpi_kd_result_free(ndpi_kd_tree_result *res);
double ndpi_kd_distance(double *a1, double *b2, u_int num_dimensions);
2024-09-10 16:22:06 +02:00
Luca Deri
f4d2002ce9 Fix for name clash on some compilers 2024-09-09 15:12:24 +02:00
Luca Deri
d15dd430e7 Added ability to save JA4_r as decimal value 2024-09-08 22:09:59 +02:00
Ivan Nardi
92507c0146
oracle: fix dissector (#2548)
We can definitely do better, but this change is a big improvement
with respect to the current broken code
2024-09-07 12:00:31 +02:00
Ivan Nardi
3b5dee1cc0
Fix compilation (#2546) 2024-09-05 22:05:47 +02:00
Luca Deri
42ded07139 Implemented JA4 raw (ja4_r) fingerprint
Example:
./example/ndpiReader -i tests/pcap/safari.pcap --cfg=tls,metadata.ja4r_fingerprint,1
2024-09-05 19:47:01 +02:00
Nardi Ivan
2964c23ca1 Add detection of Windscribe VPN 2024-09-05 16:36:50 +02:00
Nardi Ivan
c99646e4af Add detection of CactusVPN 2024-09-05 16:36:50 +02:00
Nardi Ivan
5b0374c28b Add detection of SurfShark VPN 2024-09-05 16:36:50 +02:00
Nardi Ivan
85ebda434d OpenVPN, Wireguard: improve sub-classification
Allow sub-classification of OpenVPN/Wireguard flows using their server IP.
That is useful to detect the specific VPN application/app used.
At the moment, the supported protocols are: Mullvad, NordVPN, ProtonVPN.

This feature is configurable.
2024-09-05 16:36:50 +02:00
Nardi Ivan
f350379e95 Add detection of NordVPN 2024-09-05 16:36:50 +02:00
Nardi Ivan
c713c894b6 OpenVPN: improve detection 2024-09-05 16:36:50 +02:00
Nardi Ivan
23ae3d0c26 wireshark: extcap: export flow risk info 2024-09-05 16:27:24 +02:00
Nardi Ivan
e562cdc5bd wireshark: extcap: fix output data link type
Avoid forcing `DLT_EN10MB`; use the same data link type as the input
pcap.
This way, we can use extcap functionality with input traces having Linux
"cooked" capture encapsulation, i.e. traces captured on the "any" interface
2024-09-05 16:27:24 +02:00
Vladimir Gavrilov
81eaa3bd52
Add Lustre protocol detection support (#2544) 2024-09-04 10:22:04 +02:00
Toni
bf93f77f02
Align serialized risk names to all others (first letter; uppercase letter) (#2541)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2024-09-03 13:02:33 +02:00
Ivan Nardi
eb133b8fa5
TLS: better state about handshake (#2534)
Keep track of whether we received CH and/or SH messages: useful with
unidirectional flows
2024-09-03 12:44:22 +02:00
Ivan Nardi
f2da169895
bins: fix ndpi_set_bin, ndpi_inc_bin and ndpi_get_bin_value (#2536)
When the required slot is too big, use the last/biggest available bin,
not the first one.
2024-09-03 12:41:50 +02:00