Commit graph

585 commits

Author SHA1 Message Date
Ivan Nardi
63a3547f99
Add (kind of) support for loading a list of JA4C malicious fingerprints (#2678)
It might be useful to be able to match traffic against a list of
suspicious JA4C fingerprints

Use the same code/logic/infrastructure used for JA3C (note that we are
going to remove JA3C...)

See: #2551
2025-01-14 12:05:03 +01:00
Ivan Nardi
72fd940301
Remove JA3C output from ndpiReader (#2667)
Removing JA3C is a big task. Let's start with a simple change having a
huge impact on unit tests: remove printing of JA3C information from
ndpiReader.

This way, when we delete the actual code, the unit test diffs
should be a lot simpler to look at.

Note that the information on whether the client/server cipher is weak or
obsolete is still available via flow risk

See: #2551
2025-01-12 13:24:27 +01:00
Ivan Nardi
5c0143ce58
HTTP: fix entropy calculation (#2666)
We calculate HTTP entropy according to "Content-type:" header, see
`ndpi_validate_http_content()` on HTTP code
2025-01-12 12:49:32 +01:00
Vladimir Gavrilov
674428d824
Add Vivox support (#2668) 2025-01-11 19:37:31 +01:00
Toni
9a0a3bb8e7
Improved WebSocket-over-HTTP detection (#2664)
* detect `chisel` SSH-over-HTTP-WebSocket
* use `strncasecmp()` for `LINE_*` matching macros

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2025-01-11 11:23:42 +01:00
Ivan Nardi
4756904222
QUIC: remove extraction of user-agent (#2650)
In very old (G)QUIC versions by Google, the user agent was available in
plain text. That is not true anymore, since about the end of 2021.
See: f282c934f4
2025-01-07 19:58:43 +01:00
Ivan Nardi
c34b692a4b
Classifications "by-port"/"by-ip" should never change (#2656)
Add a new variable to keep track of internal partial classification
2025-01-06 18:58:24 +01:00
Ivan Nardi
c3d19be26f
ndpiReader: update JA statistics (#2646)
Show JA4C and JA3S information (instead of JA3C and JA3S)
See #2551 for context
2025-01-06 15:09:25 +01:00
Ivan Nardi
2e20f670dd
QUIC: extract "max idle timeout" parameter (#2649)
Even if it is only the value proposed by the client (and not the
negotiated one), it might be used as a hint for timeout by the (external)
flows manager
2025-01-06 13:45:12 +01:00
Ivan Nardi
e77ff5ebd8
TLS: fix NDPI_TLS_WEAK_CIPHER flow risk (#2647)
We should set it also for "obsolete"/"insecure" ciphers, not only for
the "weak" ones.
2025-01-06 13:16:57 +01:00
Ivan Nardi
cae9fb9989
TLS: remove ESNI support (#2648)
ESNI has been superseded by ECH for years, now.
See: https://blog.cloudflare.com/encrypted-client-hello/
Set the existing flow risk if we still find this extension.
2025-01-06 11:04:50 +01:00
Vladimir Gavrilov
12a7d55d27
Path of Exile 2 support (#2654) 2025-01-06 10:57:16 +01:00
Luca Deri
71de91dc7a Improved SMBv1 heuristic to avoid triggering risks for SMBv1 broadcast messages when used to browse (old) network devices 2025-01-03 11:15:27 +01:00
paolomonti
3b602e73ba
IPv6: fix bad ipv6 format (#1890) (#2651)
IPv6 addresses already containing the "::" token shall
not be searched for ":0:" nor patched

Close #1890
2024-12-20 11:02:09 +01:00
Ivan Nardi
f4d3851913
Update all IPs lists (#2643) 2024-12-13 08:54:32 +01:00
Ivan Nardi
a156d69ea4
STUN: fix monitoring (#2639) 2024-12-06 20:19:28 +01:00
Ivan Nardi
83ce341796
signal: improve detection of chats and calls (#2637) 2024-12-04 16:14:27 +01:00
Evgeny Shtanov
74792e49c8
Add support for Yandex Alice (#2633)
Co-authored-by: Evgeny Shtanov <evg.shtanov@gmail.comm>
Co-authored-by: Ivan Nardi <nardi.ivan@gmail.com>
2024-11-29 14:13:36 +01:00
Toni Uhlig
b7405c8e39
Sync unit tests results
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2024-11-27 08:52:37 +01:00
Ivan Nardi
d93fd27bcc Sync unit tests results 2024-11-26 14:43:26 +01:00
Ivan Nardi
7330f65939 Add support for Paramount+ streaming service 2024-11-25 14:01:55 +01:00
Ivan Nardi
cff8bd1bb2
Update flow->flow_multimedia_types to a bitmask (#2625)
In the same flow, we can have multiple multimedia types
2024-11-25 10:12:48 +01:00
Ivan Nardi
5c4061d0cd Sync unit tests results 2024-11-25 09:49:04 +01:00
Luca Deri
56e52448c4 When triggering risk "Known Proto on Non Std Port", nDPI now reports the port that was supposed to be used as default 2024-11-22 18:21:58 +01:00
Ivan Nardi
1140d28c3d Sync unit tests results 2024-11-21 09:53:10 +01:00
Ivan Nardi
c5bd9d8bff
RTP, STUN: improve detection of multimedia flow type (#2620)
Let's see if we are able to tell audio from video calls only looking at
RTP Payload Type field...
2024-11-19 16:38:14 +01:00
Luca Deri
95bf287c02 Results update 2024-11-16 09:27:08 +01:00
Luca
4fd12278b1 Added DICOM support
Testing pcaps courtesy of https://github.com/virtalabs/tapirx.git
2024-11-15 18:45:51 +01:00
Luca Deri
3ce8d0e508
Implemented Mikrotik discovery protocol dissection and metadata extraction (#2618) 2024-11-14 23:34:31 +01:00
Ivan Nardi
59ee1fe115
Add support for some Chinese shopping platforms (Temu, Shein and Taobao) (#2615)
Extend content match list
2024-11-12 20:11:07 +01:00
Ivan Nardi
1bda2bf414 SIP: extract some basic metadata 2024-11-12 13:34:25 +01:00
Vladimir Gavrilov
137d87fd87
Add Naver protocol support (#2610) 2024-11-01 14:56:25 +01:00
Ivan Nardi
a903932155
HTTP: fix leak and out-of-bound error on credential extraction (#2611) 2024-11-01 13:11:06 +01:00
Luca Deri
412ca8700f Added HTTP credentials extraction 2024-10-31 21:20:46 +01:00
Vladimir Gavrilov
dc125dc2a8
Add Paltalk protocol support (#2606) 2024-10-28 16:57:05 +01:00
Luca Deri
d5236c0aaf Fixes TCP fingerprint calculation when multiple EOL are specified in TCP options 2024-10-27 08:17:27 +01:00
Luca Deri
ddbdae9947 Improved fingerprints 2024-10-21 10:58:29 +02:00
Luca Deri
4e78d903e8 Improved TCP fingerprint 2024-10-20 23:14:46 +02:00
Luca Deri
14b076a58b Improved TCP fingerprint 2024-10-20 22:25:55 +02:00
Ivan Nardi
9021e08901
ndpiReader: explicitly remove non ipv4/6 packets (#2601) 2024-10-19 21:44:32 +02:00
Luca Deri
6dc4533c3c Added support for RDP over TLS 2024-10-19 16:24:11 +02:00
Luca Deri
0cc84e4fdd Improved TCP fingerprint calculation
Added basic OS detection based on TCP fingerprint
2024-10-18 23:47:34 +02:00
Luca Deri
0ef0752c80
Increased struct ndpi_flow_struct size (#2596)
Build fix
2024-10-18 07:17:03 +02:00
Ivan Nardi
2d7085a23e
STUN: if the same metadata is found multiple times, keep the first value (#2591) 2024-10-15 15:12:37 +02:00
Ivan Nardi
8299f5abab
STUN: fix monitoring of Whatsapp and Zoom flows (#2590) 2024-10-15 12:05:22 +02:00
Luca Deri
2b40611082 Fixed JA4 invalid computation due to code bug and uninitialized values 2024-10-13 20:45:20 +02:00
Luca Deri
ec5efe5cf2 Added sonos dissector 2024-10-13 18:50:34 +02:00
Vladimir Gavrilov
6cb1631132
Add DingTalk protocol support (#2581) 2024-10-07 15:45:51 +02:00
Luca
45323e3bf8 Exports DNS A/AAAA responses (up to 4 addresses)
Changed the default to IPv4 (used to be IPv6) in case of DNS error response
2024-10-02 15:55:35 +02:00
Ivan Nardi
623b7e236f
TLS: detect abnormal padding usage (#2579)
Padding is usually some hundreds of bytes long. Longer padding might be used
as an obfuscation technique to force unusual CH fragmentation
2024-10-01 17:15:03 +02:00