- default (0) is the native nDPI format
- MuonOF (1) has been added
The format can be changed using metadata.tcp_fingerprint_format
Added ability to identify mass scanners using TCP fingerprint
Don't use the same id for the same protocol identified via L3 info or
via standard TCP/UDP detection (example: ospf ip_proto 0x59 or TCP port
2604)
Before:
```
ivan@ivan-Precision-3591:~/svnrepos/nDPI(dev)$ ./example/ndpiReader -H | grep -wE 'OSPF|IPSec|AH|ESP|IP_OSPF'
79 79 IPSec UDP X Safe VPN 500,4500 500
85 85 OSPF X Acceptable Network - 2604
```
After:
```
ivan@ivan-Precision-3591:~/svnrepos/nDPI(ospf-ipsec)$ ./example/ndpiReader -H | grep -wE 'OSPF|IPSec|AH|ESP|IP_OSPF'
79 79 IPSec UDP X Safe VPN 500,4500 500
85 85 IP_OSPF X Acceptable Network - -
116 116 AH X Safe VPN - -
117 117 ESP X Safe VPN - -
184 184 OSPF TCP X Safe Network - 2604
```
ProtonVPN script have been not working in the last week.
```
Error "Invalid access token"
```
ProtonVPN is doing a major upgrade in its infrastructure:
```
In progress - Scheduled maintenance is currently in progress. We will provide updates as necessary.
Apr 09, 2025 - 11:30 CEST
Scheduled - In the following period from the 9th of April up to the 30th of April, various Proton VPN dedicated servers will be in temporary maintenance mode, for a short duration period, in order to allow us to perform a major infrastructure upgrade, paving the way for overall increased performance and efficiency of our Proton VPN infrastructure.
We apologize for the occasional inconvenience.
Apr 9, 2025 11:30 - Apr 30, 2025 23:30 CEST
```
Let's wait if it works again in the future...
Use `NDPI_OBFUSCATED_TRAFFIC` instead; this way, all the obfuscated
traffic is identified via `NDPI_OBFUSCATED_TRAFFIC` flow risk.
Disable fully-encryption detection by default, like all the obfuscation
heuristics.
That flow risk was introduced in 79b89d2866
but we can now use the generic `NDPI_TLS_SUSPICIOUS_EXTENSION` instead:
ESNI is quite suspicious nowadays in itself (i.e. even without SNI).
Note that ESNI support has been removed in cae9fb9989
These flows are already classified as TLS.RDP.
This change also fix a memory leak
```
Direct leak of 62 byte(s) in 1 object(s) allocated from:
#0 0x5883d762429f in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
#1 0x5883d76fe46a in ndpi_malloc ndpi/src/lib/ndpi_memory.c:57:46
#2 0x5883d76fe46a in ndpi_strdup ndpi/src/lib/ndpi_memory.c:110:13
#3 0x5883d77adcd6 in ndpi_compute_ja4 ndpi/src/lib/protocols/tls.c:2298:46
#4 0x5883d77ab2ec in processClientServerHello ndpi/src/lib/protocols/tls.c:3314:10
#5 0x5883d77a4c51 in processTLSBlock ndpi/src/lib/protocols/tls.c:1319:5
```
Found by oss-fuzz.
See: https://oss-fuzz.com/testcase-detail/5244512192757760
