OISF · cardigliano · Aug 21, 2024 · Aug 28, 2024 · Aug 28, 2024 · Oct 11, 2024
@@ -2415,6 +2415,35 @@ if test "${enable_ebpf}" = "yes" || test "${enable_nfqueue}" = "yes" || test "${
   AC_DEFINE([CAPTURE_OFFLOAD], [1],[Building flow capture bypass code])
 fi
 
+AC_ARG_ENABLE(ndpi,  AS_HELP_STRING([--enable-ndpi], [Enable nDPI support]),[enable_ndpi=$enableval],[enable_ndpi=no])
+
+NDPI_HOME=
+AC_ARG_WITH([ndpi], [  --with-ndpi=<path>    path to nDPI source tree.], [NDPI_HOME="$withval"])
+
+if ! test -z "${NDPI_HOME}" = "yes"; then
+ AC_MSG_CHECKING(for nDPI source)
+
+ if test ! -z "$NDPI_HOME" ; then :
+   AC_MSG_RESULT(found in $NDPI_HOME)
+   NDPI_LIB=$NDPI_HOME/src/lib/libndpi.a
+   AC_MSG_CHECKING(for $NDPI_LIB)
+   if test -r $NDPI_LIB ; then :
+     AC_MSG_RESULT(found $NDPI_LIB)
+   else
+     AC_MSG_RESULT(not found $NDPI_LIB: compiling)
+     cd $NDPI_HOME; ./autogen.sh; ${MAKE}; cd -
+   fi
+
+   CPPFLAGS="${CPPFLAGS} -I$NDPI_HOME/src/include"
+   LIBS="${LIBS} $NDPI_HOME/src/lib/libndpi.a"
+   AC_DEFINE_UNQUOTED(HAVE_NDPI, "1", [nDPI is present])
+   enable_ndpi="yes ($NDPI_HOME)"
+ else
+   AC_MSG_RESULT(not found)
+   enable_ndpi="no"
+ fi
+fi
+
 # Add diagnostic filename
 CPPFLAGS="${CPPFLAGS} -D__SCFILENAME__=\\\"\$(*F)\\\""
 
@@ -2566,6 +2595,7 @@ SURICATA_BUILD_CONF="Suricata Configuration:
   liblz4 support:                          ${enable_liblz4}
   Landlock support:                        ${enable_landlock}
   Systemd support:                         ${enable_systemd}
+  nDPI support:                            ${enable_ndpi}
 
   Rust support:                            ${enable_rust}
   Rust strict mode:                        ${enable_rust_strict}

@@ -38,6 +38,8 @@ Suricata Rules
    smtp-keywords
    websocket-keywords
    app-layer
+   ndpi-protocol
+   ndpi-risk
    xbits
    noalert
    thresholding

@@ -0,0 +1,35 @@
+nDPI Protocol Keyword
+=====================
+
+ndpi-protocol
+-------------
+
+Match on the Layer-7 protocol detected by nDPI.
+
+This requires Suricata to be compiled with nDPI support:
+
+.. code-block:: console
+
+    ./configure --enable-ndpi --with-ndpi=/home/user/nDPI
+
+Syntax::
+
+    ndpi-protocol:[!]<protocol>;
+
+Where protocol is one of the application protocols detected by nDPI.
+Plase check ndpiReader -H for the full list.
+It is possible to specify the transport protocol, the application
+protocol, or both (dot-separated).
+
+Examples::
+
+    ndpi-protocol:HTTP;
+    ndpi-protocol:!TLS;
+    ndpi-protocol:TLS.YouTube;
+
+Here is an example of a rule matching TLS traffic on port 53:
+
+.. container:: example-rule
+
+    alert tcp any any -> any 53 (msg:"TLS traffic over DNS standard port"; ndpi-protocol:TLS; sid:1;)
+
@@ -0,0 +1,41 @@
+nDPI Risk Keyword
+=================
+
+ndpi-risk
+---------
+
+Match on the flow risks detected by nDPI. Risks are potential issues detected
+by nDPI during the packet dissection and include:
+
+- Known Proto on Non Std Port
+- Binary App Transfer
+- Self-signed Certificate
+- Susp DGA Domain name
+- Malware host contacted
+- and many other...
+
+This requires Suricata to be compiled with nDPI support:
+
+.. code-block:: console
+
+    ./configure --enable-ndpi --with-ndpi=/home/user/nDPI
+
+Syntax::
+
+    ndpi-risk:[!]<risk>;
+
+Where risk is one (or multiple comma-separated) of the risk codes supported by
+nDPI (e.g. NDPI_BINARY_APPLICATION_TRANSFER). Please check ndpiReader -H for the
+full list.
+
+Examples::
+
+    ndpi-risk:NDPI_BINARY_APPLICATION_TRANSFER;
+    ndpi-risk:NDPI_TLS_OBSOLETE_VERSION,NDPI_TLS_WEAK_CIPHER;
+
+Here is an example of a rule matching HTTP traffic transferring a binary application:
+
+.. container:: example-rule
+
+    alert tcp any any -> any any (msg:"Binary application transfer over HTTP"; ndpi-protocol:HTTP; ndpi-risk:NDPI_BINARY_APPLICATION_TRANSFER; sid:1;)
+
@@ -236,6 +236,8 @@ noinst_HEADERS = \
 	detect-mark.h \
 	detect-metadata.h \
 	detect-modbus.h \
+	detect-ndpi-protocol.h \
+	detect-ndpi-risk.h \
 	detect-quic-sni.h \
 	detect-quic-ua.h \
 	detect-quic-version.h \
@@ -811,6 +813,8 @@ libsuricata_c_a_SOURCES = \
 	detect-quic-cyu-hash.c \
 	detect-quic-cyu-string.c \
 	detect-msg.c \
+	detect-ndpi-protocol.c \
+	detect-ndpi-risk.c \
 	detect-nfs-procedure.c \
 	detect-nfs-version.c \
 	detect-noalert.c \

@@ -500,6 +500,10 @@ static const IPV4Hdr *DecodeIPV4Packet(Packet *p, const uint8_t *pkt, uint16_t l
         return NULL;
     }
 
+#ifdef HAVE_NDPI
+    p->ip_len = len;
+#endif
+
     /* set the address struct */
     SET_IPV4_SRC_ADDR(ip4h, &p->src);
     SET_IPV4_DST_ADDR(ip4h, &p->dst);

@@ -551,6 +551,10 @@ static const IPV6Hdr *DecodeIPV6Packet(
         return NULL;
     }
 
+#ifdef HAVE_NDPI
+    p->ip_len = len;
+#endif
+
     SET_IPV6_SRC_ADDR(ip6h, &p->src);
     SET_IPV6_DST_ADDR(ip6h, &p->dst);
 

@@ -573,6 +573,10 @@ typedef struct Packet_
     uint8_t *payload;
     uint16_t payload_len;
 
+#ifdef HAVE_NDPI
+    uint16_t ip_len;
+#endif
+
     /* IPS action to take */
     uint8_t action;
 

@@ -210,6 +210,10 @@
 #include "detect-quic-cyu-hash.h"
 #include "detect-quic-cyu-string.h"
 #include "detect-ja4-hash.h"
+#ifdef HAVE_NDPI
+#include "detect-ndpi-protocol.h"
+#include "detect-ndpi-risk.h"
+#endif
 
 #include "detect-bypass.h"
 #include "detect-ftpdata.h"
@@ -695,6 +699,11 @@ void SigTableSetup(void)
     ScDetectSipRegister();
     ScDetectTemplateRegister();
 
+#ifdef HAVE_NDPI
+    DetectnDPIProtocolRegister();
+    DetectnDPIRiskRegister();
+#endif
+
     /* close keyword registration */
     DetectBufferTypeCloseRegistration();
 }

@@ -30,8 +30,12 @@ enum DetectKeywordId {
     DETECT_REV,
     DETECT_CLASSTYPE,
 
-    /* sorted by prefilter priority. Higher in this list means it will be
-     * picked over ones lower in the list */
+/* sorted by prefilter priority. Higher in this list means it will be
+ * picked over ones lower in the list */
+#ifdef HAVE_NDPI
+    DETECT_NDPI_PROTOCOL,
+    DETECT_NDPI_RISK,
+#endif
     DETECT_AL_APP_LAYER_PROTOCOL,
     DETECT_ACK,
     DETECT_SEQ,