Ivan Nardi
2a596c79e6
HTTP: fix classification ( #1692 )
...
If we have a valid HTTP session, we should ignore
`flow->guessed_protocol_id` field (i.e. classification "by-port")
altogether.
The attached trace was classified as "SIP/HTTP" only because the *client*
port was 5060...
As a general rule, having a classification such as "XXXX/HTTP" is
*extremely* suspicious.
2022-07-30 22:57:20 +02:00
Ivan Nardi
d54d5083b3
SMTPS, POPS, IMAPS: fix classification and extra dissection ( #1685 )
...
The big change in TLS code is to allow "master" protocols other than
TLS/DTLS, like SMTPS, POPS and IMAPS.
This change will allow, in the future, a proper and complete TLS dissection
for all these protocols with "STARTTLS"-like messages.
2022-07-30 12:05:43 +02:00
Toni
ed4f106a0d
Add Softether dissector. ( #1679 )
...
Signed-off-by: lns <matzeton@googlemail.com>
2022-07-29 19:29:54 +02:00
Toni
ab3a678ad4
Add AVAST dissector. ( #1674 )
...
Signed-off-by: lns <matzeton@googlemail.com>
2022-07-25 18:07:44 +02:00
Ivan Nardi
b190dab6bc
Improve handling of HTTP-Proxy and HTTP-Connect ( #1673 )
...
Treat HTTP-Proxy and HTTP-Connect flows like the HTTP ones:
print/serialize all the attributes and allow parsing of replies.
The line about "1kxun" has been removed to avoid regressions in 1KXUN
classification in `tests/pcap/1kxun.pcap`. I haven't fully understood
what was happening but the comment at the beginning of `static
ndpi_category_match category_match[]` says that we can't have overlaps
between `host_match` and `category_match` lists and that is no longer true
since 938e89ca .
Bottom line: removing this line seems the right thing to do, anyway.
2022-07-25 12:57:33 +02:00
Toni
a25b2a7e37
Added AliCloud server access dissector. ( #1672 )
...
Signed-off-by: lns <matzeton@googlemail.com>
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2022-07-23 11:21:49 +02:00
Ivan Nardi
52005e88ed
TLS: improve reassembler ( #1669 )
...
* TLS: cosmetic changes
* TLS: improve reassembler
We might need to re-order messages from both directions at the same time:
use one buffer per direction.
2022-07-22 12:19:21 +02:00
Nardi Ivan
d66aa49787
DTLS: fix exclusion of DTLS protocol
...
Add a helper to exclude a generic protocol
2022-07-20 19:16:18 +02:00
Toni
ae2bedce3a
Improved Jabber/XMPP detection. ( #1661 )
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2022-07-13 17:55:33 +02:00
Ivan Nardi
df599e5eff
HTTP: improve detection of WindowsUpdate ( #1658 )
...
WindowsUpdate is also transported over HTTP, using a numeric IP as
hostname (some kinds of CDN?)
2022-07-10 17:08:37 +02:00
Ivan Nardi
997dce0f04
SIP: improve detection ( #1654 )
2022-07-09 05:45:42 +02:00
Ivan Nardi
f8076e3a58
SMB: add (partial) support for messages split into multiple TCP segments ( #1644 )
2022-07-07 19:24:31 +02:00
Ivan Nardi
feaa1df1ed
Kerberos: add support for Krb-Error messages ( #1647 )
2022-07-07 16:45:49 +02:00
Nardi Ivan
2636c07571
MONGODB: avoid false positives
2022-07-07 15:36:05 +02:00
Nardi Ivan
a31e79fc3c
TLS: ignore invalid Content Type values
2022-07-07 15:36:05 +02:00
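The two TLS commits above (52005e88ed, "use one buffer per direction", and a31e79fc3c, "ignore invalid Content Type values") describe the same record-layer problem: a TLS record may be split across several TCP segments, the two directions of a flow interleave, and a segment whose first byte is not a TLS content type must not be buffered as if it were TLS. The following is an added example of that technique, written for this page; it is not nDPI's own code, and the names (`tls_reasm_t`, `tls_reasm_feed`), the buffer limits and the version check are assumptions. The sample segments are constructed inline.

```c
#include <assert.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not nDPI code: a per-direction TLS record reassembler.
   All identifiers and limits below are assumptions made for this example. */

#define TLS_HDR_LEN   5
#define TLS_MAX_REC   (16384 + TLS_HDR_LEN)   /* 2^14 plaintext limit plus the 5-byte header */
#define TLS_BUF_SIZE  (2 * TLS_MAX_REC)       /* room for a segment carrying two records */
#define TLS_DIRS      2                       /* 0 = client->server, 1 = server->client */

typedef struct {
    uint8_t  buf[TLS_DIRS][TLS_BUF_SIZE];   /* one reassembly buffer per direction */
    size_t   used[TLS_DIRS];
    unsigned records[TLS_DIRS];             /* complete records reassembled per direction */
    uint8_t  last_type[TLS_DIRS];           /* content type of the last complete record */
    unsigned invalid;                       /* segments rejected for a bad record header */
} tls_reasm_t;

/* Content type 20..23 (change_cipher_spec, alert, handshake, application_data) and
   record version 3.0..3.4 (SSLv3 .. TLS 1.3 legacy_record_version). Anything else is
   treated as "not a TLS record" rather than being buffered and waited on. */
static int tls_valid_header(const uint8_t *h)
{
    return h[0] >= 20 && h[0] <= 23 && h[1] == 3 && h[2] <= 4;
}

/* Feed one TCP segment payload flowing in direction dir.
   Returns the number of complete records drained, or -1 if the data is not TLS
   (that direction's buffer is then discarded so a bad segment cannot poison it). */
int tls_reasm_feed(tls_reasm_t *r, int dir, const uint8_t *data, size_t len)
{
    if (dir < 0 || dir >= TLS_DIRS) return -1;
    uint8_t *b = r->buf[dir];
    size_t  *used = &r->used[dir];
    int emitted = 0;

    while (len > 0) {
        /* append as much of the segment as fits, then drain every complete record */
        size_t room = TLS_BUF_SIZE - *used;
        size_t n = len < room ? len : room;
        memcpy(b + *used, data, n);
        *used += n; data += n; len -= n;

        while (*used >= TLS_HDR_LEN) {
            size_t rec_len = TLS_HDR_LEN + (((size_t)b[3] << 8) | b[4]);
            if (!tls_valid_header(b) || rec_len > TLS_MAX_REC) {
                r->invalid++;
                *used = 0;
                return -1;
            }
            if (*used < rec_len)
                break;            /* partial record: wait for the next segment in this direction */
            r->records[dir]++;
            r->last_type[dir] = b[0];
            memmove(b, b + rec_len, *used - rec_len);
            *used -= rec_len;
            emitted++;
        }
    }
    return emitted;
}

/* Constructed traffic: a client handshake record split across two segments with a
   server record interleaved between them, then two records in one segment, then a
   non-TLS segment. Returns 0 on success, otherwise the number of the failing step. */
int tls_reasm_selftest(void)
{
    static tls_reasm_t r;
    uint8_t c2s[TLS_HDR_LEN + 100] = { 0x16, 0x03, 0x01, 0x00, 0x64 }; /* handshake, len 100 */
    uint8_t s2c[TLS_HDR_LEN + 16]  = { 0x16, 0x03, 0x03, 0x00, 0x10 }; /* handshake, len 16 */
    uint8_t two[] = { 0x15, 0x03, 0x03, 0x00, 0x02, 0x01, 0x00,         /* alert, len 2 */
                      0x17, 0x03, 0x03, 0x00, 0x03, 0xaa, 0xbb, 0xcc }; /* app data, len 3 */
    uint8_t junk[] = { 0x99, 0x03, 0x03, 0x00, 0x01, 0x00 };            /* bogus content type */

    memset(&r, 0, sizeof r);
    if (tls_reasm_feed(&r, 0, c2s, 40) != 0 || r.used[0] != 40)            return 1; /* first part only */
    if (tls_reasm_feed(&r, 1, s2c, sizeof s2c) != 1)                        return 2; /* other direction unaffected */
    if (tls_reasm_feed(&r, 0, c2s + 40, sizeof c2s - 40) != 1)              return 3; /* completes the client record */
    if (r.records[0] != 1 || r.records[1] != 1 || r.used[0] != 0)           return 4;
    if (tls_reasm_feed(&r, 1, two, sizeof two) != 2 || r.last_type[1] != 0x17) return 5;
    if (tls_reasm_feed(&r, 0, junk, sizeof junk) != -1 || r.invalid != 1 || r.used[0] != 0) return 6;
    return 0;
}

int main(void)
{
    int rc = tls_reasm_selftest();
    printf("tls reassembler self-test: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc;
}
```

With a single shared buffer, step 2 would have appended the server record onto the 40 pending client bytes and the client record could never have completed; keeping one buffer per direction is what makes the interleaving in steps 1 to 3 harmless. Rejecting a bad content type before buffering (step 6) is the second point: otherwise a non-TLS segment on a TLS port would sit in the buffer waiting for a "record" that never ends.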
Toni
15042870f9
Added Threema Messenger. ( #1643 )
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2022-07-06 19:30:10 +02:00
Toni Uhlig
a1c3d05a74
Added another RiotGames signature.
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2022-07-06 14:37:26 +02:00
Toni
4ff8aa48b2
Added UltraSurf protocol dissector. ( #1618 )
...
* TLSv1.3 UltraSurf flows are not detected yet
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2022-07-04 16:04:53 +02:00
Ivan Nardi
4445989588
Update host content list match ( #1633 )
...
Improve classifications of Outlook, Cachefly, Cloudflare, Tiktok and
Cybersecurity.
2022-07-04 13:21:11 +02:00
Toni
75f7da5c26
Added Psiphon detection patterns. See #566 and #1099 . ( #1631 )
...
* The traces are not up to date, but this is the best we got so far.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2022-07-04 10:34:54 +02:00
Toni
a74fc089c4
Added i3D and RiotGames protocol dissectors. ( #1609 )
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2022-07-03 20:43:30 +02:00
Ivan Nardi
faaff58620
TargusDataspeed: avoid false positives ( #1628 )
...
TargusDataspeed dissector doesn't perform any real DPI checks but it only
looks at the TCP/UDP ports.
Delete it, and use standard logic to classify these flows by port.
2022-07-03 20:28:58 +02:00
Ivan Nardi
422d002542
Skinny: rework and improve classification ( #1625 )
2022-07-03 19:25:00 +02:00
Ivan Nardi
5fe6087686
TLS: add support for old DTLS versions and for detection of mid-sessions ( #1619 )
2022-07-03 17:44:17 +02:00
Toni
1a01e8dc68
Improved TFTP. Dissect Read/Write Request filenames. ( #1617 )
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2022-07-03 14:37:05 +02:00
Toni
7c5c811eb0
Added Cloudflare WARP detection patterns. ( #1615 ) ( #1616 )
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2022-07-02 14:57:56 +02:00
Toni
bb72aa4767
Added TunnelBear VPN detection patterns. ( #1615 )
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2022-07-01 13:19:17 +02:00
Toni
c287eb835b
Improved SOAP via HTTP. ( #1605 )
...
Signed-off-by: lns <matzeton@googlemail.com>
2022-06-18 17:19:16 +02:00
Toni
6cd8f8cc6d
Improved GenshinImpact protocol dissector. ( #1604 )
...
Signed-off-by: lns <matzeton@googlemail.com>
2022-06-18 15:11:59 +02:00
Toni
432de5eb57
Added collectd dissector (again). ( #1601 )
...
Signed-off-by: lns <matzeton@googlemail.com>
2022-06-17 19:56:33 +02:00
Toni
20a29c393f
Improved IPSec/ISAKMP detection. ( #1600 )
...
Signed-off-by: lns <matzeton@googlemail.com>
2022-06-16 09:16:18 +02:00
Luca
c43360f8e6
Added new test pcaps
2022-06-15 18:57:46 +02:00
Ivan Nardi
e2cc08bfe5
Add support for PIM (Protocol Independent Multicast) protocol ( #1599 )
...
Close #1598
2022-06-15 12:25:26 +02:00
Toni
d1773cc8e3
Improved WhatsApp detection. ( #1595 )
...
Signed-off-by: lns <matzeton@googlemail.com>
2022-06-14 20:06:48 +02:00
Luca Deri
11babc7ea3
Added Pragmatic General Multicast (PGM) protocol detection
2022-06-08 09:11:22 +02:00
Toni
938e89ca33
Reimplemented 1kxun application protocol. ( #1585 )
...
Signed-off-by: lns <matzeton@googlemail.com>
2022-06-06 18:04:49 +02:00
Toni
0b3f8ed849
Fixed syslog false negatives. ( #1582 )
...
- RSH vs Syslog may still happen for midstream traffic
Signed-off-by: lns <matzeton@googlemail.com>
2022-06-05 23:01:56 +02:00
Toni
7419cfee64
Added RSH dissector. Fixes #202 . ( #1581 )
...
- added syslog false-positive pcap that was missing in 09fbe0a64a
- added NDPI_ARRAY_LENGTH() macro, usable on `type var[]` declarations
Signed-off-by: lns <matzeton@googlemail.com>
2022-06-04 19:12:53 +02:00
Toni
09fbe0a64a
Fixed syslog false positives. ( #1577 )
...
* syslog: removed unnecessary/unreliable printable string check
* added `ndpi_isalnum()`
* split `ndpi_is_printable_string()` into `ndpi_is_printable_buffer()` and `ndpi_normalize_printable_string()`
Signed-off-by: lns <matzeton@googlemail.com>
2022-06-03 18:21:29 +02:00
Toni
32750271c3
Prohibit MPEG-DASH to set HTTP as application protocol. ( #1560 )
...
Signed-off-by: lns <matzeton@googlemail.com>
2022-05-30 14:54:27 +02:00
Ivan Nardi
9c1a53f39f
Dazn: add support for Dazn streaming service ( #1559 )
...
Update .gitignore file
2022-05-29 17:47:16 +02:00
Toni
33f9729ee4
Added MPEG-DASH dissector. Fixes #1223 . ( #1555 )
...
* Improved HTTP POST detection
* Refactored subprotocol detection
Signed-off-by: lns <matzeton@googlemail.com>
2022-05-29 13:12:13 +02:00
Toni Uhlig
7162bf6abf
Moved mgcp.pcapng to tests/pcap/ instead of tests/
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2022-05-16 16:54:18 +02:00
Toni
054d151373
Improved Viber (TCP) detection. ( #1547 )
...
Signed-off-by: lns <matzeton@googlemail.com>
2022-05-10 21:37:03 +02:00
Toni
704920414a
Improved Xiaomi HTTP detection. ( #1546 )
...
* Merged Xiaomi pcap files
Signed-off-by: lns <matzeton@googlemail.com>
2022-05-10 11:10:04 +02:00
Toni
915ffebade
Added Softether(-VPN) DDNS service detection. ( #1544 )
...
Signed-off-by: lns <matzeton@googlemail.com>
2022-05-09 08:16:19 +02:00
Toni
4319d760e0
Improved TLS alert detection. ( #1542 )
...
Signed-off-by: lns <matzeton@googlemail.com>
2022-05-08 20:33:59 +02:00
Toni
34882d9cf0
Improved TLS application data detection. ( #1541 )
...
* #1532 did fix TLS appdata detection only partially
* use flow->l4.tcp.tls.message.buffer_used instead of packet->payload
Signed-off-by: lns <matzeton@googlemail.com>
2022-05-08 19:56:08 +02:00
Toni
47d6a65522
Improved suspicious http user agent detection. ( #1537 )
...
Signed-off-by: lns <matzeton@googlemail.com>
2022-05-02 19:17:32 +02:00
Toni
10161448bc
Improved TLS application data detection. ( #1532 )
...
Signed-off-by: lns <matzeton@googlemail.com>
2022-04-27 17:22:53 +02:00