Vladimir Gavrilov
7f9973bd0c
Add HL7 protocol dissector ( #2240 )
...
* Add HL7 protocol dissector
* Small fixes
* Small fixes
2024-01-02 20:57:05 +01:00
Ivan Nardi
88d1416b70
STUN: fix detection of Google Meet over IPv6 ( #2241 )
2024-01-02 19:30:59 +01:00
Vladimir Gavrilov
0180c1f04a
Add IEC62056 (DLMS/COSEM) protocol dissector ( #2229 )
...
* Add IEC62056 (DLMS/COSEM) protocol dissector
* Fix detection on big endian architectures
* Update protocols.rst
* Add ndpi_crc16_x25 to fuzz/fuzz_alg_crc32_md5.c
* Update pcap sample
* Remove empty .out file
* iec62056: add some documentation
---------
Co-authored-by: Nardi Ivan <nardi.ivan@gmail.com>
2024-01-02 16:45:54 +01:00
Vladimir Gavrilov
0f4d9f5054
Remove Google Hangouts/Duo stuff ( #2233 )
...
* Remove Google Hangouts/Duo support
* Update protocols.rst
2024-01-02 14:01:33 +01:00
Ivan Nardi
d886a6107f
Teamviewer: various fixes ( #2228 )
...
We already have a generic (and up to date) logic to handle ip addresses:
remove that stale list.
Teamviewer uses TCP and UDP, both; we can't access `flow->l4.udp`.
According to a comment, we set the flow risk
`NDPI_DESKTOP_OR_FILE_SHARING_SESSION` only for the UDP flows.
2024-01-02 11:22:43 +01:00
Vladimir Gavrilov
2796bc9b47
Add NoMachine NX protocol dissector ( #2234 )
...
* Add NoMachine protocol dissector
* Fix detection on big endian architectures
* Make NoMachine over UDP check more strict
* Small fixes
2024-01-02 10:23:42 +01:00
Vladimir Gavrilov
5eb468d07b
Add Apache Kafka protocol dissector ( #2226 )
2023-12-22 14:42:47 +01:00
Vladimir Gavrilov
6fc8aa4e61
Add WebDAV detection support ( #2224 )
...
* Add WebDAV detection support
* Add pcap example
* Update test results
* Remove redundant checks
* Add WebDAV related HTTP methods to fuzz/dictionary.dict
* Add note about WebDAV
2023-12-22 13:23:37 +01:00
Vladimir Gavrilov
149067b3fc
Add JSON-RPC protocol dissector ( #2217 )
...
* Add JSON-RPC protocol dissector
* Small fixes
* Improve detection
2023-12-20 12:42:25 +01:00
Vladimir Gavrilov
33f11cb10f
Add OpenFlow protocol dissector ( #2222 )
2023-12-20 10:48:45 +01:00
Ivan Nardi
8aa09f9c99
mining: a better identification logic ( #2221 )
...
It is quite simple (and not so efficient) but it should fix all the
false positives reported in #2216. Add support for Ethereum mining.
Merge all the mining traces.
Remove duplicated function.
Close #2216
2023-12-20 10:46:57 +01:00
Ivan Nardi
308b266333
fuzz: improve fuzzing coverage ( #2220 )
2023-12-19 20:33:08 +01:00
Vladimir Gavrilov
59c8eabc0e
Add UFTP protocol dissector ( #2215 )
...
* Add UFTP protocol dissector
* Update docs
* Merge pcap files
2023-12-18 11:21:07 +01:00
Vladimir Gavrilov
d8c7a76611
Add HiSLIP protocol dissector ( #2214 )
...
* Add HiSLIP protocol dissector
* Fix error
2023-12-17 11:52:55 +01:00
Vladimir Gavrilov
0f3e6d832b
Add PROFINET/IO protocol dissector ( #2213 )
...
* Add PROFINET/IO protocol dissector
* Add LE (Little Endian) to the file name
* Rework dissector
* Remove redundant check
2023-12-16 13:30:21 +01:00
Toni
ef62391dba
Add Monero protocol classification. ( #2196 )
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2023-12-13 19:55:18 +01:00
Ivan Nardi
193f28582b
QUIC: add heuristic to detect unidirectional *G*QUIC flows ( #2207 )
...
Fix extraction of `flow->protos.tls_quic.quic_version` metadata.
2023-12-13 17:14:04 +01:00
Ivan Nardi
adf8982d8e
fuzz: extend fuzzing coverage ( #2205 )
2023-12-11 12:48:50 +01:00
Ivan Nardi
f74cf16c36
OpenVPN: rework detection ( #2199 )
...
Close #1873
2023-12-06 10:24:26 +01:00
Vladimir Gavrilov
ad20846fad
Add Ether-S-Bus protocol dissector ( #2200 )
2023-12-05 17:20:38 +01:00
Vladimir Gavrilov
be50493f44
Add IEEE C37.118 protocol dissector ( #2193 )
2023-12-05 08:06:15 +01:00
Vladimir Gavrilov
c34bded4ef
Add ISO 9506-1 MMS protocol dissector ( #2189 )
...
* Add ISO 9506-1 MMS protocol dissector
* Fix detection on big-endian architectures
2023-12-01 09:03:07 +01:00
Vladimir Gavrilov
24df1913ac
Add Beckhoff ADS protocol dissector ( #2181 )
...
* Add Beckhoff ADS protocol dissector
* Remove redundant le32toh
* Fix detection on big-endian architectures
2023-11-30 09:13:45 +01:00
Ivan Nardi
6f046df0dc
STUN: fix detection of DTLS ( #2187 )
...
Fix a memory leak
```
==97697==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x55a6967cfa7e in malloc (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader+0x701a7e) (BuildId: c7124999fa1ccc54346fa7bd536d8eab88c3ea01)
#1 0x55a696972ab5 in ndpi_malloc /home/ivan/svnrepos/nDPI/src/lib/ndpi_memory.c:60:25
#2 0x55a696972da0 in ndpi_strdup /home/ivan/svnrepos/nDPI/src/lib/ndpi_memory.c:113:13
#3 0x55a696b7658d in processClientServerHello /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:2394:46
#4 0x55a696b86e81 in processTLSBlock /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:897:5
#5 0x55a696b80649 in ndpi_search_tls_udp /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:1262:11
#6 0x55a696b67a57 in ndpi_search_tls_wrapper /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:2751:5
#7 0x55a696b67758 in switch_to_tls /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:1408:3
#8 0x55a696c47810 in stun_search_again /home/ivan/svnrepos/nDPI/src/lib/protocols/stun.c:422:4
#9 0x55a6968a22af in ndpi_process_extra_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7247:9
#10 0x55a6968acd6f in ndpi_internal_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7746:5
#11 0x55a6968aba3f in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:8013:22
#12 0x55a69683d30e in packet_processing /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:1723:31
#13 0x55a69683d30e in ndpi_workflow_process_packet /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:2440:10
#14 0x55a69680f08f in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader.c:135:7
[...]
SUMMARY: AddressSanitizer: 16 byte(s) leaked in 1 allocation(s).
```
Found by oss-fuzzer
See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64564
2023-11-30 09:09:40 +01:00
Vladimir Gavrilov
c60c03766c
Add Schneider Electric’s UMAS detection support ( #2180 )
...
* Add Schneider Electric’s UMAS detection support
* Swap proto IDs in ndpi_set_detected_protocol
* Update unit test result
2023-11-28 18:03:00 +01:00
Vladimir Gavrilov
ebb1bc2f34
Add Ether-S-I/O protocol dissector ( #2174 )
2023-11-27 19:04:05 +01:00
Vladimir Gavrilov
84427b0754
Add Omron FINS protocol dissector ( #2172 )
...
* Add Omron FINS protocol dissector
* Add a kludge to avoid invalid FINS over UDP detection as SkypeTeams and RTP
* Update unit test results
* Update protocols.rst
* Remove dummy flows from fins.pcap
2023-11-27 17:09:53 +01:00
Vladimir Gavrilov
0b6e261523
Improve CORBA detection ( #2167 )
...
* Improve CORBA detection
* Remove dummy flow from ziop.pcap
* Merge ziop.pcap and miop.pcap into corba.pcap
2023-11-27 13:10:50 +01:00
Vladimir Gavrilov
da629709f3
Add OPC UA protocol dissector ( #2169 )
2023-11-27 12:13:23 +01:00
Ivan Nardi
7ff22a7e3c
STUN: improve demultiplexing of DTLS packets ( #2153 )
...
Keep demultiplexing STUN/RTP/RTCP packets after DTLS ones.
We might end up processing the session a little longer, because we will
process the STUN/RTP/RTCP packets after the DTLS handshake.
2023-11-27 11:10:38 +01:00
Vladimir Gavrilov
87399b3544
Add RTPS protocol dissector ( #2168 )
2023-11-27 07:17:39 +01:00
Vladimir Gavrilov
27802b0134
Reduce false positives for H.323 over TCP ( #2164 )
...
Co-authored-by: 0xA50C1A1 <mage.wizard88@gmail.com>
2023-11-23 17:29:00 +01:00
Vladimir Gavrilov
fbae51ae9d
Get rid of RDP false positives ( #2161 )
...
* Get rid of false positives in the RDP protocol dissector
* Remove kludge for RDP
* RDP: improve detection
---------
Co-authored-by: 0xA50C1A1 <mage.wizard88@gmail.com>
Co-authored-by: Nardi Ivan <nardi.ivan@gmail.com>
2023-11-23 09:35:43 +01:00
Vladimir Gavrilov
5c8c5c90c2
Add HART-IP protocol dissector ( #2163 )
...
* Add HART-IP protocol dissector
* Update docs
* Update protocols.rst
* Reuse free proto id and re-run tests
* docs: move HART-IP to top of list
---------
Co-authored-by: 0xA50C1A1 <mage.wizard88@gmail.com>
2023-11-22 22:04:22 +01:00
Toni
21f2574033
Improved TFTP. Fixes #2075. ( #2149 )
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2023-11-21 16:56:46 +01:00
Vladimir Gavrilov
ae6e6d61f0
Add IEEE 1588-2008 (PTPv2) dissector ( #2156 )
...
* Add IEEE 1588-2008 (PTPv2) dissector
PTPv2 is a time synchronization protocol in computer networks, similar to NTP.
* Add default protocol ports
* Update default test result for PTPv2
* Update copyright
---------
Co-authored-by: 0xA50C1A1 <mage.wizard88@gmail.com>
2023-11-21 13:39:54 +01:00
Ivan Nardi
b539b0d090
fuzz: improve coverage and remove dead code ( #2135 )
...
We are not able to remove custom rules: remove the empty stubs (which
originate from the original OpenDPI code).
`ndpi_guess_protocol_id()` is only called on the first packet of the
flow, so the bitmask `flow->excluded_protocol_bitmask` is always empty,
since we didn't call any dissectors yet.
Move another hash function to the dedicated source file.
2023-11-07 17:46:29 +01:00
Toni
6dcecd73d3
Added malicious sites from the Polish CERT. ( #2121 )
...
* added handling of parsing errors
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2023-11-02 09:04:04 +01:00
Ivan Nardi
42d24f8799
STUN: major code rework ( #2116 )
...
Try to have a faster classification, on first packet; use standard extra
dissection data path for sub-classification, metadata extraction and
monitoring.
STUN caches:
* use the proper confidence value
* lookup into the caches only once per flow, after having found a proper
STUN classification
Add identification of Telegram VoIP calls.
2023-10-30 10:28:19 +01:00
Ivan Nardi
03fd155ae3
IPv6: add support for custom categories ( #2126 )
2023-10-29 12:56:44 +01:00
Ivan Nardi
32b50f5aa4
IPv6: add support for IPv6 risk exceptions ( #2122 )
2023-10-29 12:14:20 +01:00
Ivan Nardi
c711251578
IPv6: add support for custom rules ( #2120 )
2023-10-29 11:26:35 +01:00
Toni
ed17f4d658
Improved Protobuf dissector. ( #2119 )
...
* tag extraction/validation was done wrong
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2023-10-27 10:19:47 +02:00
Toni
e70333de87
Added generic Google Protobuf dissector. ( #2109 )
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2023-10-24 12:18:31 +02:00
Toni Uhlig
a443bba0dd
Add CAN over Ethernet dissector.
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2023-10-23 13:45:56 +02:00
Toni Uhlig
25c54dd6d7
Improved CryNetwork protocol dissector.
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2023-10-23 13:44:34 +02:00
Toni Uhlig
f69909d49b
Add Remote Management Control Protocol (RMCP).
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2023-10-19 19:50:57 +02:00
Toni
01f384f7ff
Improved Steam detection by adding steamdiscover pattern. ( #2105 )
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2023-10-17 22:13:02 +02:00
lns
304747f1fa
Improved MGCP detection by allowing '\r' as line feed.
...
Signed-off-by: lns <matzeton@googlemail.com>
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2023-10-11 16:44:26 +02:00
Toni
a98d7ff433
Added HAProxy protocol. ( #2088 )
...
* fixed tests/do.sh.in failure print
Signed-off-by: lns <matzeton@googlemail.com>
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2023-10-02 18:10:47 +02:00