Subject: CVS commit: pkgsrc/net/ndpi
From: Adam Ciarcinski
Date: 2020-05-25 22:25:22
Message id: 20200525202523.17158FB27@cvs.NetBSD.org
Log Message:
ndpi: updated to 3.2
nDPI 3.2:
New Features
* New API calls
  * Protocol detection: ndpi_is_protocol_detected
  * Categories: ndpi_load_categories_file / ndpi_load_category
  * JSON/TLV serialization: ndpi_serialize_string_boolean / ndpi_serialize_uint32_boolean
  * Patricia tree: ndpi_load_ipv4_ptree
  * Module initialization: ndpi_init_detection_module / ndpi_finalize_initalization
  * Base64 encoding: ndpi_base64_encode
  * JSON export: ndpi_flow2json
  * Print protocol: ndpi_get_l4_proto_name / ndpi_get_l4_proto_info
* Libfuzz integration
* Implemented Community ID hash (API call ndpi_flowv6_flow_hash and ndpi_flowv4_flow_hash)
* Detection of RCE in HTTP GET requests via PCRE
* Integration of the libinjection library to detect SQL injections and XSS type attacks in HTTP requests
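The Community ID flow hash mentioned above gives every tool (nDPI, Zeek, Suricata, ...) the same identifier for the same bidirectional flow, so alerts and flow records can be joined across products. The following is an added reference implementation of Community ID v1 in plain Python, not nDPI's own ndpi_flowv4_flow_hash / ndpi_flowv6_flow_hash code; it covers TCP/UDP/SCTP and port-less IP protocols and leaves out the ICMP type/code mapping the spec also defines. The sample flows at the bottom are constructed.

```python
import base64
import hashlib
import ipaddress
import struct

# Protocols whose tuple carries ports in the hash input (TCP, UDP, SCTP)
PORT_PROTOS = {6, 17, 132}


def community_id_v1(saddr, daddr, proto, sport=None, dport=None, seed=0):
    """Return the Community ID v1 string "1:<base64(sha1)>" for a flow.

    Both directions of a flow hash to the same value: the endpoint with the
    smaller address (then the smaller port) is always placed first.
    """
    src = ipaddress.ip_address(saddr).packed
    dst = ipaddress.ip_address(daddr).packed
    if len(src) != len(dst):
        raise ValueError("address family mismatch")
    if proto in PORT_PROTOS:
        if sport is None or dport is None:
            raise ValueError("port-based protocol needs both ports")
        forward = (src, sport) <= (dst, dport)
    else:
        # Port-less protocols (GRE, ESP, ...): order by address only
        forward = src <= dst
        sport = dport = None
    if not forward:
        src, dst = dst, src
        sport, dport = dport, sport
    # seed (16-bit BE) | src addr | dst addr | proto | 1 byte padding | ports
    buf = struct.pack("!H", seed) + src + dst + struct.pack("!BB", proto, 0)
    if sport is not None:
        buf += struct.pack("!HH", sport, dport)
    digest = hashlib.sha1(buf).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: a client->server TLS connection and its reply direction
    a = community_id_v1("10.0.0.1", "10.0.0.2", 6, 40000, 443)
    b = community_id_v1("10.0.0.2", "10.0.0.1", 6, 443, 40000)
    print(a, a == b)
```

Seed 0 is the default every implementation uses; a non-zero seed (supported by nDPI, Zeek and Suricata alike) changes the value and must be set identically on every tool that should agree.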
New Supported Protocols and Services
* TLS
  * Added ALPN support
  * Added export of supported version in TLS header
* Added Telnet dissector with metadata extraction
* Added Zabbix dissector
* Added POP3/IMAP metadata extraction
* Added FTP user/password extraction
* Added NetBIOS metadata extraction
* Added Kerberos metadata extraction
* Implemented SQL Injection and XSS attack detection
* Host-based detection improvements and changes
  * Added Microsoft range
  * Added twitch.tv website
  * Added brasilbandalarga.com.br and .eaqbr.com.br as EAQ
  * Added 20.180.0.0/14, 20.184.0.0/13 range as Skype
  * Added 52.84.0.0/14 range as Amazon
  * Added ^pastebin.com
  * Changed 13.64.0.0/11 range from Skype to Microsoft
  * Refreshed Whatsapp server list, added *whatsapp-*.fbcdn.net IPs
  * Added public DNSoverHTTPS servers
Improvements
* Reworked and improved the TLS dissector
* Reworked Kerberos dissector
* Improved DNS response decoding
* Support for DNS continuous flow dissection
* Improved Python bindings
* Improved Ethereum support
* Improved categories detection with streaming and HTTP
* Support for IP-based detection to compute the application protocol
* Renamed protocol 104 to IEC60870 (more meaningful)
* Added failed authentication support with FTP
* Renamed DNSoverHTTPS to handle both DoH and DoT
* Implemented stacked DPI decoding
* Improvements for CapWAP and Bloomberg
* Improved SMB dissection
* Improved SSH dissection
* Added capwap support
* Modified API signatures for ndpi_ssl_version2str / ndpi_detection_giveup
* Removed ndpi_pref_http_dont_dissect_response / ndpi_pref_dns_dont_dissect_response (replaced by ndpi_extra_dissection_possible)
Fixes
* Fixed memory invalid access in SMTP and leaks in TLS
* Fixed a few memory leaks
* Fixed invalid memory access in a few protocol dissectors (HTTP, memcached, Citrix, STUN, DNS, Amazon Video, TLS, Viber)
* Fixed IPv6 address format across the various platforms/distributions
* Fixed infinite loop in ndpi_workflow_process_packet
* Fixed SHA1 certificate detection
* Fixed custom protocol detection
* Fixed SMTP dissection (including email)
* Fixed Telnet dissection and invalid password report
* Fixed invalid category matching in HTTP
* Fixed Skype and STUN false positives
* Fixed SQL Injection detection
* Fixed invalid SMBv1 detection
* Fixed SSH dissection
* Fixed ndpi_ssl_version2str
* Fixed ndpi_extra_dissection_possible
* Fixed out of bounds read in ndpi_match_custom_category
Misc
* ndpiReader
  * CSV output enhancements
  * Added tunnelling decapsulation
  * Improved HTTP reporting
nDPI 3.0:
New Features
* nDPI now reports the protocol ASAP even when specific fields have not yet been dissected because such packets have not yet been observed. This is important for inline applications that can immediately act on traffic. Applications that need full dissection need to call the new API function ndpi_extra_dissection_possible() to check if metadata dissection has been completely performed or if there is more to read before declaring it completed.
* TLS (formerly identified as SSL in nDPI v2.x) is now dissected more deeply; certificate validity is extracted as well as the certificate SHA-1.
* nDPIreader can now export data in CSV format with option `-C`
* Implemented Sequence of Packet Length and Time (SPLT) and Byte Distribution (BD) as specified by Cisco Joy (https://github.com/cisco/joy). This allows detecting malware activities on encrypted TLS streams. Read more at https://blogs.cisco.com/security/detecting-encrypted-malware-traffic-without-decryption
  * Available as library and in `ndpiReader` with option `-J`
* Promoted usage of protocol categories rather than protocol identifiers in order to classify protocols. This allows application protocols to be clustered in families and thus better managed by users/developers rather than using hundreds of protocols unknown to most of the people.
* Added Inter-Arrival Time (IAT) calculation used to detect protocol misbehaviour (e.g. slow-DoS detection)
* Added data analysis features for computing metrics such as entropy, average, stddev, variance in a single and consistent place that will prevent when possible. This should ease traffic analysis on monitoring/security applications. New API calls have been implemented such as ndpi_data_XXX() to handle these calculations.
* Initial release of Python bindings available under nDPI/python.
* Implemented search of human readable strings for promoting data exfiltration detection
  * Available as library and in `ndpiReader` with option `-e`
* Fingerprints
  * JA3 (https://github.com/salesforce/ja3)
  * HASSH (https://github.com/salesforce/hassh)
  * DHCP
* Implemented a library to serialize/deserialize data in both Type-Length-Value (TLV) and JSON format
  * Used by nProbe/ntopng to exchange data via ZMQ
New Supported Protocols and Services
* DTLS (i.e. TLS over UDP)
* Hulu
* TikTok/Musical.ly
* WhatsApp Video
* DNSoverHTTPS
* Datasaver
* Line protocol
* Google Duo and Hangout merged
* WireGuard VPN
* IMO
* Zoom.us
Improvements
* TLS
  * Organizations
  * Ciphers
  * Certificate analysis
* Added PUBLISH/SUBSCRIBE methods to SIP
* Implemented STUN cache to enhance matching of STUN-based protocols
* Dissection improvements
  * Viber
  * WhatsApp
  * AmazonVideo
  * SnapChat
  * FTP
  * QUIC
  * OpenVPN support for UDP-based VPNs
  * Facebook Messenger mobile
* Various improvements for STUN, Hangout and Duo
* Added new categories: CUSTOM_CATEGORY_ANTIMALWARE, NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_CATEGORY_SHOPPING, NDPI_PROTOCOL_CATEGORY_PRODUCTIVITY and NDPI_PROTOCOL_CATEGORY_FILE_SHARING
* Added NDPI_PROTOCOL_DANGEROUS classification
Fixes
* Fixed the dissection of certain invalid DNS responses
* Fixed Spotify dissection
* Fixed false positives with FTP and FTP_DATA
* Fix to discard STUN over TCP flows
* Fixed MySQL dissector
* Fix category detection due to missing initialization
* Fix DNS rsp_addr missing in some tiny responses
* Various hardening fixes
Files: