Commit graph

190 commits

Author SHA1 Message Date
Luca Deri
d19bad1581 Added pcap for testing fragments reassembly 2021-02-03 11:48:53 +01:00
Ivan Nardi
2080cc7365
QUIC: add support for DNS-over-QUIC (#1107)
Even if it is only an early internet draft, DoQ has already (at least)
one deployed implementation.
See: https://www.zdnet.com/article/ad-blocker-adguard-deploys-worlds-first-dns-over-quic-resolver/
Draft: https://tools.ietf.org/html/draft-huitema-dprive-dnsoquic-00

In the future, if this protocol is really used, it might be worth renaming
NDPI_PROTOCOL_DOH_DOT to NDPI_PROTOCOL_DOH_DOT_DOQ
2021-01-07 10:56:39 +01:00
Ivan Nardi
1b524f5538
QUIC: update to draft-33 (#1104)
QUIC (final!?) constants for v1 are defined in draft-33
2021-01-04 15:50:14 +01:00
Ivan Nardi
23b84cd3ee
Remove FB_ZERO protocol (#1102)
FB_ZERO was an experimental protocol run by Facebook.
They switched to QUIC/TLS1.3 more than 2 years ago; no one ever used it but
them, so it is definitely dead.
See: https://engineering.fb.com/2018/08/06/security/fizz/
2021-01-04 15:49:19 +01:00
Luca Deri
4ddb5f4245 Added TLS test with long certificate 2021-01-04 11:31:25 +01:00
Luca Deri
05d76525b0 Added HTTP suspicious content security risk (useful for tracking trickbot) 2021-01-02 21:11:42 +01:00
rafaliusz
1ecc6d323e
Add a connectionless DCE/RPC detection (#1078)
* Add connectionless DCE/RPC detection

* Add DCE/RPC pcap file as well as its test result

Co-authored-by: rafal <rafal.burzynski@cryptomage.com>
2020-12-08 15:48:53 +01:00
Ivan Nardi
53a5c354d8
Quic fixes (#1067)
* QUIC: fix return value on error path on quic_cipher_init()

* QUIC: allow dissection of sessions forcing version negotiation

Enhance heuristic to avoid false positives.
2020-11-22 11:04:10 +01:00
Zied Aouini
bfabb0ddf4
Add Virtual Assistant (Alexa, Siri) support. (#1057)
* Add AmazonAlexa protocol.

* Add AmazonAlexa test file and result.

* Include pcapng as file format.

* Rename Category to VirtualAssistant.

* Add AppleSiri virtual assistant.

* Fix pcapng test files format support.

Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>
2020-11-16 21:19:38 +01:00
Zied Aouini
3529268df8
Add Tumblr support. (#1061)
* Add Tumblr protocol.

* Add Tumblr test file and result.

Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>
2020-11-16 21:14:06 +01:00
Zied Aouini
22780da8d5
Add Reddit support. (#1060)
* Add Reddit protocol.

* Add Reddit test file and result.

Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>
2020-11-16 21:13:01 +01:00
Zied Aouini
13dab51cc7
Add Pinterest support. (#1059)
* Add Pinterest protocol.

* Add Pinterest test file and result.

Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>
2020-11-16 21:11:43 +01:00
Toni
6b5bdf773d
Added support for AmongUs. (#1054)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-11-09 16:19:00 +01:00
Luca Deri
89a363aff6 Updated ESNI/SNI alarm generation policy 2020-11-08 10:07:35 +01:00
Leonn
0576dc2a49
💡 Add mongodb protocol dissector (#1048) 2020-11-03 16:16:02 +01:00
Ivan Nardi
a9547da138
QUIC: fix dissection of Initial packets coalesced with 0-RTT one (#1044)
* QUIC: fix dissection of Initial packets coalesced with 0-RTT one

* QUIC: fix a memory leak
2020-11-03 11:35:52 +01:00
Igor Duarte
ba6a48c9fe
Improve skype detection (#1039)
* Add new skype pcap

PCAP extracted from SkypeIRC.cap (available in https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=SkypeIRC.cap)

* Improve skype detection
2020-10-27 08:45:09 +01:00
Luca Deri
833d0eee53 Added CPHA - CheckPoint High Availability Protocol protocol support 2020-10-22 18:39:13 +02:00
Ivan Nardi
6027a7c799
Fix parsing of DLT_PPP datalink type (#1042) 2020-10-21 22:27:42 +02:00
Luca Deri
044ed14b4f Various optimizations to reduce unnecessary calls
Optimized various UDP dissectors
Removed dead protocols such as pando and pplive
2020-09-24 23:26:03 +02:00
Luca Deri
60a9f6610d Added risks for checking
- invalid DNS traffic (probably carrying exfiltrated data)
- TLS traffic with no SNI extension
2020-09-21 19:57:23 +02:00
Nardi Ivan
dcac633878 QUIC: add support for MVFST EXPERIMENTAL version 2020-09-20 16:38:28 +02:00
Luca Deri
d81bc1add6 Reworked MDNS dissector that is not based on the DNS dissector 2020-09-17 23:24:02 +02:00
Luca Deri
5ac870074b
Merge pull request #1014 from lnslbrty/improved/teamspeak
Improved Teamspeak(3) protocol detection.
2020-09-09 23:28:21 +02:00
Luca Deri
7086197047 Added extension to detect nested subdomains as used in Browsertunnel attack tool
https://github.com/veggiedefender/browsertunnel
2020-09-09 23:25:19 +02:00
Toni Uhlig
8ca13bc46a
Improved Teamspeak(3) protocol detection.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-09-09 21:57:31 +02:00
Toni Uhlig
df14d225f6
Added pcap file which contains dnscrypt-v1 data and resolver update requests/responses (v1/v2).
* Renamed dnscrypt.pcap to simple-dnscrypt.pcap

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-09-07 21:04:23 +02:00
Toni Uhlig
fe5aa7ebca
Added dnscrypt-v2-doh resolver test pcaps.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-09-07 20:22:52 +02:00
Nardi Ivan
7da4abe6ad QUIC: add support for GQUIC T050 and T051
QUIC versioning wasn't complex enough without T05X family...
These versions are very similar to Q050, but use TLS as their handshake
protocol.
2020-08-30 20:51:33 +02:00
Nardi Ivan
97b80a8838 QUIC: minor fixes
LGTM found a real issue on a boundary check
Fix unit tests: a pcap has been uploaded twice (with different names)
Fix compilation when using DPDK (see #990)
2020-08-24 13:53:36 +02:00
Luca Deri
fe1e2c241f Added some GQUIC and IETF QUIC test pcaps 2020-08-22 16:47:05 +02:00
Nardi Ivan
23ec82b59d Major rework of QUIC dissector
Improve support for GQUIC (up to Q046) and add support for Q050 and (IETF-)QUIC
Still no sub-classification for Q050 and QUIC
2020-08-21 22:04:55 +02:00
Luca Deri
b23781e807 Added the ability to identify as DGA those host/domain names with too many consecutive repeated characters,
such as ckaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa used for NetBIOS reflection attacks
https://www.akamai.com/uk/en/multimedia/documents/state-of-the-internet/ddos-reflection-netbios-name-server-rpc-portmap-sentinel-udp-threat-advisory.pdf
2020-08-21 18:41:35 +02:00
Toni Uhlig
f4421314b0
Added (manipulated) MySQL 8 test pcap.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-08-20 23:46:47 +02:00
Nardi Ivan
2722861d6e Suspicious ESNI usage: add a comment and a pcap example
See: 79b89d2866
2020-08-06 10:29:35 +02:00
Toni Uhlig
4b8c8608d1
Improved HTTP line parsing if the request is split into multiple packets.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-07-05 18:36:57 +02:00
Toni Uhlig
05d7400563
Fixed heap overflow in TLS ESNI extraction triggered by manipulated packets.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-06-29 21:51:46 +02:00
Nardi Ivan
b68b45f3bb TLS: extract JA3 signatures in some corner cases
In some (rare) cases, the Client Hello message contains lots of cipher
suites.
2020-06-28 12:05:12 +02:00
Toni Uhlig
fbfa54eee6
Fixed off-by-one error in h323.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-06-27 22:58:05 +02:00
Luca Deri
8566288e43 Added malformed packet risk support 2020-06-26 22:37:52 +02:00
Toni Uhlig
ca68beda85
Fixed missing length check in fbzero.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-06-23 18:35:50 +02:00
Toni Uhlig
6a9f5e4f7c
Fixed use after free caused by dangling pointer
* This fix also improved RCE Injection detection

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-06-21 20:05:38 +02:00
Luca Deri
fd0591b4fc
Merge pull request #920 from lnslbrty/fix/tls-rdn-crash
Fixed stack overflow caused by missing length check
2020-06-19 11:44:37 +02:00
Luca Deri
48758d28ea Added GoogleDNS DoH on Android 10 2020-06-19 09:55:58 +02:00
Toni Uhlig
23594f0365
Fixed stack overflow caused by missing length check
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-06-18 00:52:04 +02:00
Toni Uhlig
da37f2444f
Implemented proprietary AnyDesk protocol
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-06-17 01:23:03 +02:00
Luca Deri
b6eef17e54 Added check to avoid producing alerts for a known protocol on an unknown port when using TLS 2020-05-30 19:33:13 +02:00
Luca Deri
3085d8e4ff Refreshed test pcap 2020-05-28 21:23:02 +02:00
Luca Deri
9c3bfeca80 Added support for Encrypted TLS SNI dissection
https://datatracker.ietf.org/doc/draft-ietf-tls-sni-encryption/
2020-05-28 17:44:18 +02:00
Luca Deri
3108c75059 Result update 2020-05-27 15:26:30 +02:00