Commit graph

470 commits

Author SHA1 Message Date
Nardi Ivan
dcac633878 QUIC: add support for MVFST EXPERIMENTAL version 2020-09-20 16:38:28 +02:00
Luca Deri
6a7139bb24 Updated results 2020-09-18 00:17:43 +02:00
Luca Deri
d81bc1add6 Reworked MDNS dissector that is not based on the DNS dissector 2020-09-17 23:24:02 +02:00
Luca Deri
753b5dde16
Merge pull request #1012 from IvanNardi/ua
QUIC: extract User Agent information
2020-09-17 21:32:25 +02:00
Luca Deri
5ac870074b
Merge pull request #1014 from lnslbrty/improved/teamspeak
Improved Teamspeak(3) protocol detection.
2020-09-09 23:28:21 +02:00
Luca Deri
7086197047 Added extension to detect nested subdomains as used in Browsertunnel attack tool
https://github.com/veggiedefender/browsertunnel
2020-09-09 23:25:19 +02:00
Toni Uhlig
8ca13bc46a
Improved Teamspeak(3) protocol detection.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-09-09 21:57:31 +02:00
Nardi Ivan
7d5a0e1f04 QUIC: extract User Agent information 2020-09-08 11:03:22 +02:00
Toni Uhlig
df14d225f6
Added pcap file which contains dnscrypt-v1 data and resolver update requests/responses (v1/v2).
* Renamed dnscrypt.pcap to simple-dnscrypt.pcap

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-09-07 21:04:23 +02:00
Toni Uhlig
fe5aa7ebca
Added dnscrypt-v2-doh resolver test pcaps.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-09-07 20:22:52 +02:00
Toni Uhlig
580859a47d
Fixed false positive detection for Skype.SkypeCall (affects at least Cisco HSRP and RADIUS).
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-09-02 07:29:33 +02:00
Luca Deri
029448759b
Merge pull request #999 from IvanNardi/quic
QUIC: add support for GQUIC T050 and T051
2020-08-30 20:56:15 +02:00
Nardi Ivan
7da4abe6ad QUIC: add support for GQUIC T050 and T051
QUIC versioning wasn't complex enough without T05X family...
These versions are very similar to Q050, but use TLS as their handshake
protocol.
2020-08-30 20:51:33 +02:00
Luca Deri
638624869a Added new risk for NDPI_UNSAFE_PROTOCOL that identifies protocols that are not considered safe/secure 2020-08-30 20:48:58 +02:00
Luca Deri
f597086386 Stddev calculation changes 2020-08-30 12:48:32 +02:00
Luca Deri
dd75060932 Fixed false positive in suspicious user agent
Optimized stddev calculation
2020-08-30 12:25:15 +02:00
Nardi Ivan
97b80a8838 QUIC: minor fixes
LGTM found a real issue on a boundary check
Fix unit tests: a pcap has been uploaded twice (with different names)
Fix compilation when using DPDK (see #990)
2020-08-24 13:53:36 +02:00
Luca Deri
b8307eb855 Created IoT-Scada category
Minor dnp3 changes
2020-08-23 13:32:36 +02:00
Luca Deri
fe1e2c241f Added some GQUIC and IETF QUIC test pcaps 2020-08-22 16:47:05 +02:00
Nardi Ivan
b23cfd6b84 Add sub-classification for GQUIC >= Q050 and (IETF-)QUIC
Add QUIC payload and header decryption: most of the crypto code has been
"copied-and-incolled" from Wireshark. That code has been clearly marked
as such. All credits for that code should go to the original authors.

I tried to keep the Wireshark code as similar as possible to the original,
comments included, to ease future backporting of fixes.
Inevitably, glibc data types and data structures, tvbuff abstraction and
allocation functions have been converted.
2020-08-21 22:04:55 +02:00
Nardi Ivan
23ec82b59d Major rework of QUIC dissector
Improve support for GQUIC (up to Q046) and add support for Q050 and (IETF-)QUIC
Still no sub-classification for Q050 and QUIC
2020-08-21 22:04:55 +02:00
Luca Deri
fef199ad45 Added new check for detecting suspicious (too long) names 2020-08-21 19:35:27 +02:00
Luca Deri
b23781e807 Added the ability to identify as DGA those host/domain names with too many consecutive repeated characters
such as ckaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa used for netbios reflection attacks
https://www.akamai.com/uk/en/multimedia/documents/state-of-the-internet/ddos-reflection-netbios-name-server-rpc-portmap-sentinel-udp-threat-advisory.pdf
2020-08-21 18:41:35 +02:00
Luca Deri
da2684dbe1 MySQL8 update 2020-08-21 07:17:34 +02:00
Toni Uhlig
f4421314b0
Added (manipulated) MySQL 8 test pcap.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-08-20 23:46:47 +02:00
Luca Deri
8090765a64
Merge pull request #974 from IvanNardi/esni4
Suspicious ESNI usage: add a comment and a pcap example
2020-08-13 10:40:51 +02:00
Luca Deri
9edddee0b7 Fixes invalid detection on traffic on non-standard ports 2020-08-12 11:08:28 +02:00
Nardi Ivan
2722861d6e Suspicious ESNI usage: add a comment and a pcap example
See: 79b89d2866
2020-08-06 10:29:35 +02:00
Luca Deri
e16675b700 Added new traffic category for connectivity check detection 2020-08-04 18:09:13 +02:00
Luca Deri
2ae4c6675d Fixed partial TLS dissection 2020-07-30 18:30:07 +02:00
Luca Deri
e71df49b3e Changed due to bin size extension 2020-07-30 00:06:46 +02:00
Luca Deri
32bd3d7a59 TLS dissection improvements 2020-07-28 01:06:38 +02:00
Luca Deri
da87cc3157 Added NDPI_SMB_INSECURE_VERSION for detecting insecure SMB versions (e.g. v1) 2020-07-27 13:05:06 +02:00
Luca Deri
1c405e382a SSH code cleanup 2020-07-25 16:43:54 +02:00
Luca Deri
879cec94b2 User agent detection improvements 2020-07-21 12:06:34 +02:00
Luca Deri
a8ad99aca5 Fixed makefile error message
Code hardening fix
2020-07-13 15:46:19 +02:00
Toni Uhlig
23c0721538
Fixed race condition in ndpi_ssl_version2str() caused by static qualifier in the version string buffer.
* added also GREASE supported tls versions as specified in
   https://tools.ietf.org/html/draft-davidben-tls-grease-01#page-4

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-07-11 01:05:39 +02:00
Luca Deri
12abcd516b Updated test results due to bin changes 2020-07-09 17:28:02 +02:00
Luca Deri
c0b34555c2
Merge pull request #951 from lnslbrty/fix/ossfuzzer
ossfuzz.sh: do not use wildcards for fuzzer e.g. fuzz/fuzz*
2020-07-06 10:23:50 +02:00
Luca Deri
b4edb75824
Merge pull request #950 from lnslbrty/improved/http-line-parsing
Improved HTTP line parsing if request is split into multiple packets.
2020-07-06 10:23:29 +02:00
Luca Deri
dfb9e8ec1f
Merge pull request #940 from lnslbrty/fix/small-and-optimistic-improvments
Fixed CodeInspector issues.
2020-07-06 10:23:04 +02:00
Toni Uhlig
c17a21359b
Fixed CodeInspector issues.
* Added compiler search list for AC_PROG_CC, AM_PROG_CC_C_O, AC_PROG_CXX, AC_PROG_CC_STDC
   for Mac OS X only
   The list rendered the AX_CHECK_COMPILE_FLAG([-fsanitize=fuzzer]) useless as it did use
   clang for AX_CHECK_COMPILE_FLAG but gcc during the compile process. Seems broken somehow.

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-07-05 20:41:02 +02:00
Toni Uhlig
6e8f268873
ossfuzz.sh: do not use wildcards for fuzzer e.g. fuzz/fuzz*
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-07-05 20:18:16 +02:00
Toni Uhlig
4b8c8608d1
Improved HTTP line parsing if request is split into multiple packets.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-07-05 18:36:57 +02:00
Luca Deri
08698c65e5
Merge pull request #943 from lnslbrty/fix/missing-lengthcheck-in-tls-esni
Fixed heap overflow in tls esni extraction triggered by manipulated p…
2020-07-01 12:37:29 +02:00
Toni Uhlig
05d7400563
Fixed heap overflow in tls esni extraction triggered by manipulated packets.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-06-29 21:51:46 +02:00
Toni Uhlig
3068306b60
Copy&Paste ./tests/ossfuzz.sh from https://github.com/google/oss-fuzz/pull/4041
* Changing the OSS-Fuzz script from our side is much easier than
   opening a PR to google/oss-fuzz every time we have to change a single line.
 * https://github.com/google/oss-fuzz/pull/4041 will be updated once this PR is merged

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-06-29 20:50:09 +02:00
Toni Uhlig
4a6c525db8
Improved fuzz_ndpi_reader which now supports SMP/MT w/o race conditions.
./tests/do.sh can support SMP/MT via environment variables.
Removed -fno-sanitize=shift as well, was fixed by 317d3ffd.

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2020-06-29 19:07:59 +02:00
Nardi Ivan
f39e3c98f0 Update test results 2020-06-28 12:47:27 +02:00
Nardi Ivan
3669c14afd DNP3: add missing initialization 2020-06-28 12:05:12 +02:00