Accepting request 759184 from home:mnhauke:security

- Drop not longer needed patches (fixed upstream) * ndpi-fix-build.patch * reproducible.patch - Update to version 3.0 New Features * nDPI now reports the protocol ASAP even when specific fields have not yet been dissected because such packets have not yet been observed. This is important for inline applications that can immediately act on traffic. Applications that need full dissection need to call the new API function ndpi_extra_dissection_possible() to check if metadata dissection has been completely performed or if there is more to read before declaring it completed. * TLS (formerly identified as SSL in nDPI v2.x) is now dissected more deeply, certificate validity is extracted as well certificate SHA-1. * nDPIreader can now export data in CSV format with option -C * Implemented Sequence of Packet Length and Time (SPLT) and Byte Distribution (BD) as specified by Cisco Joy (https://github.com/cisco/joy). This allows malware activities on encrypted TLS streams. * Available as library and in ndpiReader with option -J * Promoted usage of protocol categories rather than protocol identifiers in order to classify protocols. This allows application protocols to be clustered in families and thus better managed by users/developers rather than using hundred of protocols unknown to most of the people. * Added Inter-Arrival Time (IAT) calculation used to detect protocol misbehaviour (e.g. slow-DoS detection) * Added data analysis features for computign metrics such as OBS-URL: https://build.opensuse.org/request/show/759184 OBS-URL: https://build.opensuse.org/package/show/server:monitoring/ndpi?expand=0&rev=13
2019-12-29 17:30:45 +00:00 · 2019-12-29 17:30:45 +00:00 · 7ebf3ddb22
commit 7ebf3ddb22
parent aa19bf79d9
6 changed files with 101 additions and 67 deletions
--- a/ndpi-2.8.tar.gz
+++ b/ndpi-2.8.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f98def4d0e43818317b20e2887ce500b2d6a5a9c8ddb28cf57ae51caae0f33cc
-size 19754226
--- a/ndpi-3.0.tar.gz
+++ b/ndpi-3.0.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:69fb8003f00e9b9be3d06925398e15a83ac517cd155b6768f5f0e9342471c164
+size 26902734
--- a/ndpi-fix-build.patch
+++ b/ndpi-fix-build.patch
@ -1,27 +0,0 @@
-Index: nDPI-2.6/Makefile.am
-===================================================================
--- nDPI-2.6.orig/Makefile.am
-+++ nDPI-2.6/Makefile.am
-@@ -1,7 +1,7 @@
- ACLOCAL_AMFLAGS = -I m4
- SUBDIRS = src/lib example tests
- 
-pkgconfigdir = $(prefix)/libdata/pkgconfig
-+pkgconfigdir = $(libdir)/pkgconfig
- pkgconfig_DATA = libndpi.pc
- 
- EXTRA_DIST = autogen.sh
-Index: nDPI-2.6/src/lib/Makefile.in
-===================================================================
--- nDPI-2.6.orig/src/lib/Makefile.in
-+++ nDPI-2.6/src/lib/Makefile.in
-@@ -61,7 +61,7 @@ distclean: clean
- install: $(NDPI_LIBS)
- 	mkdir -p $(DESTDIR)$(libdir)
- 	cp $(NDPI_LIBS) $(DESTDIR)$(libdir)/
-	ln -Ffs $(DESTDIR)$(libdir)/$(NDPI_LIB_SHARED) $(DESTDIR)$(libdir)/$(NDPI_LIB_SHARED_BASE)
-	ln -Ffs $(DESTDIR)$(libdir)/$(NDPI_LIB_SHARED) $(DESTDIR)$(libdir)/$(NDPI_LIB_SHARED_BASE).$(NDPI_VERSION_MAJOR)
-+	ln -Ffs $(NDPI_LIB_SHARED) $(DESTDIR)$(libdir)/$(NDPI_LIB_SHARED_BASE)
-+	ln -Ffs $(NDPI_LIB_SHARED) $(DESTDIR)$(libdir)/$(NDPI_LIB_SHARED_BASE).$(NDPI_VERSION_MAJOR)
- 	mkdir -p $(DESTDIR)$(includedir)
- 	cp ../include/*.h $(DESTDIR)$(includedir)
--- a/ndpi.changes
+++ b/ndpi.changes
@ -1,3 +1,98 @@
+-------------------------------------------------------------------
+Wed Dec 25 10:13:32 UTC 2019 - Martin Hauke <mardnh@gmx.de>
+
+- Drop not longer needed patches (fixed upstream)
+  * ndpi-fix-build.patch
+  * reproducible.patch
+- Update to version 3.0
+  New Features
+  * nDPI now reports the protocol ASAP even when specific fields
+    have not yet been dissected because such packets have not yet
+    been observed. This is important for inline applications that
+    can immediately act on traffic. Applications that need full
+    dissection need to call the new API function
+    ndpi_extra_dissection_possible() to check if metadata dissection
+    has been completely performed or if there is more to read before
+    declaring it completed.
+  * TLS (formerly identified as SSL in nDPI v2.x) is now dissected
+    more deeply, certificate validity is extracted as well
+    certificate SHA-1.
+  * nDPIreader can now export data in CSV format with option -C
+  * Implemented Sequence of Packet Length and Time (SPLT) and Byte
+    Distribution (BD) as specified by Cisco Joy
+    (https://github.com/cisco/joy). This allows malware activities
+    on encrypted TLS streams.
+  * Available as library and in ndpiReader with option -J
+  * Promoted usage of protocol categories rather than protocol
+    identifiers in order to classify protocols. This allows
+    application protocols to be clustered in families and thus better
+    managed by users/developers rather than using hundred of
+    protocols unknown to most of the people.
+  * Added Inter-Arrival Time (IAT) calculation used to detect
+    protocol misbehaviour (e.g. slow-DoS detection)
+  * Added data analysis features for computign metrics such as
+    entropy, average, stddev, variance on a single and consistent
+    place that will prevent when possible. This should ease traffic
+    analysis on monitoring/security applications. New API calls have
+    been implemented such as ndpi_data_XXX() to handle these
+    calculations.
+  * Initial release of Python bindings available under nDPI/python.
+  * Implemented search of human readable strings for promoting data
+    exfiltration detection
+  * Available as library and in ndpiReader with option -e
+  * Fingerprints
+    JA3 (https://github.com/salesforce/ja3)
+    HASSH (https://github.com/salesforce/hassh)
+    DHCP
+  * Implemented a library to serialize/deserialize data in both
+    Type-Length-Value (TLV) and JSON format
+  New Supported Protocols and Services
+  * DTLS (i.e. TLS over UDP)
+  * Hulu
+  * TikTok/Musical.ly
+  * WhatsApp Video
+  * DNSoverHTTPS
+  * Datasaver
+  * Line protocol
+  * Google Duo and Hangout merged
+  * WireGuard VPN
+  * IMO
+  * Zoom.us
+  Improvements
+  * TLS
+    + Organizations
+    + Ciphers
+    + Certificate analysis
+  * Added PUBLISH/SUBSCRIBE methods to SIP
+  * Implemented STUN cache to enhance matching of STUN-based protocols
+  * Dissection improvements
+    + Viber
+    + WhatsApp
+    + AmazonVideo
+    + SnapChat
+    + FTP
+    + QUIC
+    + OpenVPN support for UDP-based VPNs
+    + Facebook Messenger mobile
+    + Various improvements for STUN, Hangout and Duo
+  * Added new categories:
+    + CUSTOM_CATEGORY_ANTIMALWARE,
+    + NDPI_PROTOCOL_CATEGORY_MUSIC,
+    + NDPI_PROTOCOL_CATEGORY_VIDEO,
+    + NDPI_PROTOCOL_CATEGORY_SHOPPING,
+    + NDPI_PROTOCOL_CATEGORY_PRODUCTIVITY
+    + NDPI_PROTOCOL_CATEGORY_FILE_SHARING
+  * Added NDPI_PROTOCOL_DANGEROUS classification
+  Fixes
+  * Fixed the dissection of certain invalid DNS responses
+  * Fixed Spotify dissection
+  * Fixed false positives with FTP and FTP_DATA
+  * Fix to discard STUN over TCP flows
+  * Fixed MySQL dissector
+  * Fix category detection due to missing initialization
+  * Fix DNS rsp_addr missing in some tiny responses
+  * Various hardening fixes
+
 -------------------------------------------------------------------
 Wed Jun  5 04:03:31 UTC 2019 - Bernhard Wiedemann <bwiedemann@suse.com>

--- a/ndpi.spec
+++ b/ndpi.spec
@ -21,9 +21,9 @@
 %bcond_without hyperscan
 %endif

-%define sover 2
+%define sover 3
 Name:           ndpi
-Version:        2.8
+Version:        3.0
 Release:        0
 Summary:        Extensible deep packet inspection library
 # wireshark/ndpi.lua is GPL-3.0-or-later
@ -31,10 +31,6 @@ License:        LGPL-3.0-only
 Group:          Development/Libraries/C and C++
 URL:            https://github.com/ntop/nDPI
 Source:         https://github.com/ntop/nDPI/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
-# FIXME: Upstream makefile is broken
-Patch0:         ndpi-fix-build.patch
-# PATCH-FIX-UPSTREAM https://github.com/ntop/nDPI/pull/662
-Patch1:         reproducible.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  gcc-c++
@ -90,8 +86,6 @@ This package contains the ndpiReader binary.

 %prep
 %setup -q -n nDPI-%{version}
-%patch0 -p1
-%patch1 -p1

 %build
 sh autogen.sh
@ -105,6 +99,7 @@ make %{?_smp_mflags}
 %install
 %make_install PREFIX=%{_prefix} prefix=%{_prefix} libdir=%{_libdir}
 rm -f %{buildroot}/%{_libdir}/libndpi.a
+rm -rf %{buildroot}/%{_sbindir}/ndpi

 %post   -n libndpi%{sover} -p /sbin/ldconfig
 %postun -n libndpi%{sover} -p /sbin/ldconfig
--- a/reproducible.patch
+++ b/reproducible.patch
@ -1,29 +0,0 @@
-https://github.com/ntop/nDPI/pull/662
-
-From e91123e17a6ebe2cb1f718aa3e44edb10b707779 Mon Sep 17 00:00:00 2001
-From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
-Date: Thu, 24 Jan 2019 14:21:06 +0100
-Subject: [PATCH] Use ChangeLog date instead of build date
-
-in order to make builds reproducible.
-See https://reproducible-builds.org/ for why this is good.
-
-This date call works with GNU date and BSD date.
-Also use UTC/gmtime to be independent of timezone.
---
- configure.seed | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.seed b/configure.seed
-index 1aa68f17..006e6d97 100644
--- a/configure.seed
-+++ b/configure.seed
-@@ -30,7 +30,7 @@ if test -d ".git"; then :
-      GIT_RELEASE="${PACKAGE_VERSION}-${GIT_NUM}-${GIT_TAG}"
- else
-      GIT_RELEASE="${PACKAGE_VERSION}"
-     GIT_DATE=`date`
-+     GIT_DATE=`date -u -r CHANGELOG.md`
- fi
- 
- AC_DEFINE_UNQUOTED(NDPI_GIT_RELEASE, "${GIT_RELEASE}", [GIT Release])