vrr/nDPI
2
0
Fork 0
mirror of https://github.com/vel21ripn/nDPI.git synced 2026-04-30 07:59:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5
5656 commits 9 branches 12 tags 263 MiB
Commit graph

580 commits

Author SHA1 Message Date
Toni
6a591b67aa
Add GearUP Booster protocol dissector (heuristic based). (#2765) 
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
 2025-03-07 20:05:44 +01:00
Toni
d5dd8e02ef
Add GearUP Booster application protocol. (#2764) 
protocol dissector will follow

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
 2025-03-06 19:41:31 +01:00
Ivan Nardi
34dcf18128 Add a new internal function internal_giveup() 
This function is always called once for every flow, as last code
processing the flow itself.

As a first usage example, check here if the flow is unidirectional
(instead of checking it at every packets)
 2025-03-05 20:51:06 +01:00
Ivan Nardi
086d41c22e Fix function checking if a packet is multicast 2025-03-04 19:40:24 +01:00
Ivan Nardi
fbb7b8c578 custom rules: try to have a coherent behaviour 
Custom rules with *new* protocols are checked "first": if there is a
match, the first packet of the flow provides a complete and final
classification.

The same logic should apply to custom rules with "existing" protocols:
if there is match, nDPI shouldn't do anything else.

Remove the `tcp:3000@ntop` custom rule.

Fix the default port for ElasticSearch (in the protocol file)
 2025-03-04 18:15:00 +01:00
Ivan Nardi
85fb7eb2e5 Flow risk infos are always exported "in order" (by flow risk id) 
This way, the `ndpiReader` output doesn't change if we change the
internal logic about the order we set/check the various flow risks.

Note that the flow risk *list* is already printed by `ndpiReader`
in order.
 2025-03-04 13:23:58 +01:00
Ivan Nardi
c040faef08 ICMP: move all the logic to the proper dissector file 
There are no reasons to keep entropy calculation and sanity checks code
on the "guessing" algorithm.
BTW, this change also fix the entropy calculation for non TCP/UDP/ICMP
flows
 2025-02-28 19:11:59 +01:00
Luca Deri
b162e5406e Added valid TLS extensions that used to trigger invalid risks 2025-02-27 20:19:39 +01:00
Luca Deri
beea70d689 Improved Tor detection 2025-02-24 22:14:41 +01:00
Ivan Nardi
78c648d0fa Sync unit tests results 2025-02-24 20:18:07 +01:00
Luca Deri
050ea7e229 Improved Tor exit node download and added IPv6 support 2025-02-24 19:57:46 +01:00
Luca Deri
4c15036e3d Improved Google PlayStore detection 2025-02-24 18:41:24 +01:00
Ivan Nardi
084a5808d5
UBNTAC2: rework detection (#2744) 2025-02-23 17:51:51 +01:00
Toni
5858e1debf
Add LagoFast protocol dissector. (#2743) 
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
 2025-02-23 13:13:38 +01:00
Ivan Nardi
2d3f08362e
RTP: payload type info should be set only for real RTP flows (#2742) 2025-02-22 13:35:40 +01:00
Ivan Nardi
551930bc5a
Create a new protocol id to handle Mozilla/Firefox generic traffic (#2740) 
Close #2738
 2025-02-21 19:18:01 +01:00
Luca
cbfc20d2d5 Updated test result 2025-02-21 14:11:22 +01:00
Luca Deri
30c3613f2f Improved RTP dissection with EVS and other mobile voice codecs 2025-02-20 22:59:23 +01:00
Luca Deri
9ee24d5bc1 Updated test rsults after RTP payload extraction 2025-02-19 11:40:00 +01:00
Luca Deri
2c414f1b28 Fixed bug in domain name computation 2025-02-17 21:50:19 +00:00
Ivan Nardi
491698fe02
DNS: rework "extra-dissection" code (#2735) 2025-02-17 13:57:50 +01:00
Ivan Nardi
86af01c74d
DNS: fix message parsing (#2732) 2025-02-16 17:19:43 +01:00
Ivan Kapranov
ccb15db9b3
Implement SSDP Metadata export (#2729) 
Close #2524
 2025-02-16 17:04:16 +01:00
Ivan Nardi
d51b6ab049
DNS: fix parsing of hostname for empty response messages (#2731) 2025-02-16 14:32:56 +01:00
Ivan Nardi
7dc5890c0f
DNS: rework adding entries to the FPC-DNS cache (#2730) 
Try to populate the FPC-DNS cache using directly the info from the current
packet, and not from the metadata saved in `struct ndpi_flow_struct`. This
will be important when adding monitoring support
 2025-02-16 13:33:08 +01:00
Ivan Nardi
c458c42712
DNS: improved detection and handling of TCP packets (#2728) 2025-02-15 22:28:47 +01:00
Ivan Nardi
15b84b4192
DNS: rework code (#2727) 2025-02-15 21:57:34 +01:00
Ivan Kapranov
e4521440ab
Added RUTUBE (#2725) 2025-02-15 16:03:58 +01:00
Ivan Nardi
9bf513b342
DNS: fix dissection (#2726) 2025-02-15 15:13:01 +01:00
Ivan Nardi
091e1423e2
DNS: set NDPI_MALFORMED_PACKET risk if the answer message is invalid (#2724) 
We already set the same flow risk for invalid request messages
 2025-02-15 14:23:45 +01:00
Ivan Nardi
3dbc6d2523
DNS: faster exclusion (#2719) 2025-02-12 17:42:00 +01:00
Ivan Nardi
dba7e9a8ec
DNS: try to simplify the code (#2718) 
Set the classification in only one place in the code.
 2025-02-12 09:48:35 +01:00
Ivan Nardi
baca06bfd2
ndpiReader: print more DNS information (#2717) 2025-02-11 18:16:55 +01:00
Ivan Nardi
1dccaf37b0
DNS: fix check for DGA domain (#2716) 
If we have a (potential) valid sub-classification, we shoudn't check for
DGA, even if the subclassification itself is disabled!
 2025-02-11 15:48:53 +01:00
Ivan Nardi
73d1856525
DNS: disable subclassification by default (#2715) 
Prelimary change to start supporting multiple DNS transactions on the
same flow
 2025-02-11 13:50:00 +01:00
Ivan Nardi
65c224e19c dns: fix writing to flow->protos.dns 
We can't write to `flow->protos.dns` until we are sure it is a valid DNS
flow
 2025-02-11 12:44:46 +01:00
Ivan Nardi
dff5b2beac DNS: fix dissection when there is only the response message 2025-02-11 12:44:46 +01:00
Ivan Nardi
a298d26c20 DNS: extend tests 2025-02-11 12:44:46 +01:00
Ivan Nardi
642cf5764a Extend regression tests 2025-02-04 14:33:32 +01:00
Ivan Nardi
dd4807f8ee
bittorrent: add configuration for "hash" metadata (#2706) 
Fix confidence value for same TCP flows
 2025-01-31 17:42:47 +01:00
Ivan Nardi
62d64afde7
Auto-generate Microsoft-related list of domains (#2688) 2025-01-31 15:44:28 +01:00
Ivan Nardi
c669bb3140
DNS: fix relationship between FPC and subclassification (#2702) 
Allow optimal FPC even if DNS subclassification is disabled
 2025-01-30 21:26:47 +01:00
Luca Deri
2bf8dbf40f Added health category 2025-01-24 22:21:04 +01:00
Ivan Nardi
819b00670c
RTP: improve detection of multimedia type for Signal calls (#2697) 2025-01-24 14:13:51 +01:00
Ivan Nardi
f3532f0bad
Unify "Skype" and "Teams" ids (#2687) 
* Rename `NDPI_PROTOCOL_SKYPE_TEAMS_CALL` ->
  `NDPI_PROTOCOL_MSTEAMS_CALL`

* Rename ip list from "Skype/Teams" to "Teams"
 2025-01-20 18:06:56 +01:00
Daniel Roethlisberger
d55ff1fd80
JA4: Fix SSL 2 version and remove fictional SSL 1 version along with mis-mapping to s3 (#2684) 
* JA4: Fix SSL 2 version constant to 0x0002

SSL 2 uses a version field of 0x0002, not 0x0200.  This is confirmed not
only in the original Netscape spec [1] and RFC draft of the time [2],
but also in major implementations such as OpenSSL [3] and Wireshark [4].

An earlier version of the JA4 spec [5] also mistakenly used 0x0200 for
SSL 2 and 0x0100 for SSL 1.  This was fixed in [6] in August 2024.

[1] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html
[2] https://datatracker.ietf.org/doc/html/draft-hickman-netscape-ssl-00
[3] https://github.com/openssl/openssl/blob/OpenSSL_0_9_6m/ssl/ssl2.h#L66-L71
[4] https://github.com/wireshark/wireshark/blob/release-4.4/epan/dissectors/packet-tls-utils.h#L266-L277
[5] https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md#tls-and-dtls-version
[6] FoxIO-LLC/ja4#150

* JA4: Remove fictional (and mis-mapped to "s3") SSL 1

SSL 1 was never actually deployed, the design was iterated upon to
become SSL 2 before it was released by Netscape [1] [2] [3] [4].  I
don't think it's public knowledge what the version field for SSL 1 would
have looked like, or if it even was two bytes large or at the same
offset on the wire; given that SSL 2 used 0x0002 it seems more likely to
have been 0x0001 than 0x0100.

Version field 0x0100, that is currently misattributed to SSL 1, was used
by an early pre-RFC4347 implementation of DTLS in OpenSSL before 0.9.8f
[5], when OpenSSL switched to the version field specified by RFC4347.
This use of 0x0100 is also reflected in Wireshark's TLS dissector [4]
(`DTLSV1DOT0_OPENSSL_VERSION`).

For these reasons, it seems to make sense to remove the fictional SSL 1
code entirely.

This also removes an issue where the resulting JA4 string would be "s3"
instead of the intended "s1".

An earlier version of the JA4 spec [6] also mistakenly used 0x0200 for
SSL 2 and 0x0100 for SSL 1.  This was fixed in [7] in August 2024.

[1] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html
[2] https://datatracker.ietf.org/doc/html/draft-hickman-netscape-ssl-00
[3] https://github.com/openssl/openssl/blob/OpenSSL_0_9_6m/ssl/ssl2.h#L66-L71
[4] https://github.com/wireshark/wireshark/blob/release-4.4/epan/dissectors/packet-tls-utils.h#L266-L277
[5] https://github.com/openssl/openssl/compare/OpenSSL_0_9_8e...OpenSSL_0_9_8f
[6] https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md#tls-and-dtls-version
[7] FoxIO-LLC/ja4#150

* Fix tests where old DTLS (0x0100) was mis-identified as SSL 3.0

These two tests contain DTLS flows using a version field of 0x0100 as
used by OpenSSL pre 0.9.8f, before OpenSSL switched to the standardised
version code points for its DTLS implementation.  The correct JA4
mapping is "d00", not "ds3".
 2025-01-19 18:19:44 +01:00
Luca Deri
511228d36d Added DigitalOcean protocol 2025-01-17 18:26:27 +01:00
Ivan Nardi
252be78acc
STUN: improve detection of Telegram calls (#2671) 2025-01-14 17:33:34 +01:00
Ivan Nardi
63a3547f99
Add (kind of) support for loading a list of JA4C malicious fingerprints (#2678) 
It might be usefull to be able to match traffic against a list of
suspicious JA4C fingerprints

Use the same code/logic/infrastructure used for JA3C (note that we are
going to remove JA3C...)

See: #2551
 2025-01-14 12:05:03 +01:00
Ivan Nardi
72fd940301
Remove JA3C output from ndpiReader (#2667) 
Removing JA3C is an big task. Let's start with a simple change having an
huge impact on unit tests: remove printing of JA3C information from
ndpiReader.

This way, when we will delete the actual code, the unit tests diffs
should be a lot simpler to look at.

Note that the information if the client/server cipher is weak or
obsolete is still available via flow risk

See: #2551
 2025-01-12 13:24:27 +01:00