ndpi: initial implementation of nDPI plugin
Ticket: OISF#7231
cardigliano authored and jasonish committed Nov 14, 2024
1 parent 5d766df commit 09a3da0
Showing 8 changed files with 708 additions and 0 deletions.
55 changes: 55 additions & 0 deletions configure.ac
Expand Up @@ -2310,6 +2310,57 @@ fi
])
AC_SUBST(RUST_FEATURES)

# nDPI support (no library checks for this stub)
NDPI_HOME=
AC_ARG_ENABLE(ndpi,
AS_HELP_STRING([--enable-ndpi], [Enable nDPI support]),
[enable_ndpi=$enableval],[enable_ndpi=no])
AC_ARG_WITH([ndpi],
[ --with-ndpi=<path> path to nDPI source tree.],
[NDPI_HOME="$withval"])

# Require --with-ndpi to be provided with an argument.
AS_IF([test "x$NDPI_HOME" = "xyes"], [
AC_MSG_ERROR([--with-ndpi requires a path])
exit 1
])

AS_IF([test "x$enable_dpi" = "xyes"], [
if test "x$enable_shared" = "xno"; then
echo
echo " ERROR! ndpi cannot be enabled with --disable-shared"
echo
exit 1
fi
])

if test "x$enable_ndpi" = "xyes"; then
AC_MSG_CHECKING(for nDPI source)
if test "x$NDPI_HOME" != "x"; then
AC_MSG_RESULT(found in $NDPI_HOME)
NDPI_LIB=$NDPI_HOME/src/lib/libndpi.a
AC_MSG_CHECKING(for $NDPI_LIB)
if test -r $NDPI_LIB ; then :
AC_MSG_RESULT(found $NDPI_LIB)
fi
CPPFLAGS="${CPPFLAGS} -I$NDPI_HOME/src/include"
NDPI_LIB="$NDPI_HOME/src/lib/libndpi.a"
AC_SUBST([NDPI_LIB])
else
AC_MSG_RESULT(not found)
enable_ndpi="no"
fi
fi

if test "x$enable_ndpi" = "xyes"; then
AM_CONDITIONAL([BUILD_NDPI], [true])
ndpi_comment=""
else
AM_CONDITIONAL([BUILD_NDPI], [false])
ndpi_comment="#"
fi
AC_SUBST([ndpi_comment])

AC_ARG_ENABLE(warnings,
AS_HELP_STRING([--enable-warnings], [Enable supported C compiler warnings]),[enable_warnings=$enableval],[enable_warnings=no])
AS_IF([test "x$enable_warnings" = "xyes"], [
Expand Down Expand Up @@ -2531,6 +2582,7 @@ AC_CONFIG_FILES(examples/lib/simple/Makefile examples/lib/simple/Makefile.exampl
AC_CONFIG_FILES(plugins/Makefile)
AC_CONFIG_FILES(plugins/pfring/Makefile)
AC_CONFIG_FILES(plugins/napatech/Makefile)
AC_CONFIG_FILES(plugins/ndpi/Makefile)

AC_OUTPUT

Expand Down Expand Up @@ -2587,6 +2639,9 @@ SURICATA_BUILD_CONF="Suricata Configuration:
Plugin support (experimental): ${plugin_support}
DPDK Bond PMD: ${enable_dpdk_bond_pmd}

Plugins:
nDPI ${enable_ndpi}

Development settings:
Coccinelle / spatch: ${enable_coccinelle}
Unit tests enabled: ${enable_unittests}
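Review bot: The --disable-shared guard in the first hunk tests `enable_dpi`, a variable nothing sets, so the check never fires and nDPI can still be enabled in a static-only build; the line should read `AS_IF([test "x$enable_ndpi" = "xyes"], [`. In the same hunk the `test -r $NDPI_LIB` check has no else branch, so when the archive is missing AC_MSG_CHECKING is left without a result and configure continues with enable_ndpi=yes, deferring the failure to link time; add `else AC_MSG_ERROR([$NDPI_LIB not found or not readable])` (and drop the second, duplicate NDPI_LIB assignment below it). Appending `-I$NDPI_HOME/src/include` to CPPFLAGS places a user-supplied, unquoted path on every compile line in the tree rather than only the plugin's; substituting a dedicated `NDPI_CFLAGS="-I$NDPI_HOME/src/include"` and consuming it in plugins/ndpi/Makefile.am keeps the scope narrow and survives paths with spaces. Minor: the `exit 1` after AC_MSG_ERROR is unreachable, and `AM_CONDITIONAL([BUILD_NDPI], [test "x$enable_ndpi" = "xyes"])` replaces the if/else pair.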
2 changes: 2 additions & 0 deletions doc/userguide/rules/index.rst
Expand Up @@ -38,6 +38,8 @@ Suricata Rules
smtp-keywords
websocket-keywords
app-layer
ndpi-protocol
ndpi-risk
xbits
noalert
thresholding
43 changes: 43 additions & 0 deletions doc/userguide/rules/ndpi-protocol.rst
@@ -0,0 +1,43 @@
nDPI Protocol Keyword
=====================

ndpi-protocol
-------------

Match on the Layer-7 protocol detected by nDPI.

Suricata should be compiled with the nDPI support and the ``ndpi``
plugin must be loaded before it can be used.

Example of configuring Suricata to be compiled with nDPI support:

.. code-block:: console
./configure --enable-ndpi --with-ndpi=/home/user/nDPI
Example of suricata.yaml configuration file to load the ``ndpi`` plugin::

plugins:
- /usr/lib/suricata/ndpi.so

Syntax::

ndpi-protocol:[!]<protocol>;

Where protocol is one of the application protocols detected by nDPI.
Plase check ndpiReader -H for the full list.
It is possible to specify the transport protocol, the application
protocol, or both (dot-separated).

Examples::

ndpi-protocol:HTTP;
ndpi-protocol:!TLS;
ndpi-protocol:TLS.YouTube;

Here is an example of a rule matching TLS traffic on port 53:

.. container:: example-rule

alert tcp any any -> any 53 (msg:"TLS traffic over DNS standard port"; ndpi-protocol:TLS; sid:1;)

49 changes: 49 additions & 0 deletions doc/userguide/rules/ndpi-risk.rst
@@ -0,0 +1,49 @@
nDPI Risk Keyword
=================

ndpi-risk
---------

Match on the flow risks detected by nDPI. Risks are potential issues detected
by nDPI during the packet dissection and include:

- Known Proto on Non Std Port
- Binary App Transfer
- Self-signed Certificate
- Susp DGA Domain name
- Malware host contacted
- and many other...

Suricata should be compiled with the nDPI support and the ``ndpi``
plugin must be loaded before it can be used.

Example of configuring Suricata to be compiled with nDPI support:

.. code-block:: console
./configure --enable-ndpi --with-ndpi=/home/user/nDPI
Example of suricata.yaml configuration file to load the ``ndpi`` plugin::

plugins:
- /usr/lib/suricata/ndpi.so

Syntax::

ndpi-risk:[!]<risk>;

Where risk is one (or multiple comma-separated) of the risk codes supported by
nDPI (e.g. NDPI_BINARY_APPLICATION_TRANSFER). Please check ndpiReader -H for the
full list.

Examples::

ndpi-risk:NDPI_BINARY_APPLICATION_TRANSFER;
ndpi-risk:NDPI_TLS_OBSOLETE_VERSION,NDPI_TLS_WEAK_CIPHER;

Here is an example of a rule matching HTTP traffic transferring a binary application:

.. container:: example-rule

alert tcp any any -> any any (msg:"Binary application transfer over HTTP"; ndpi-protocol:HTTP; ndpi-risk:NDPI_BINARY_APPLICATION_TRANSFER; sid:1;)

4 changes: 4 additions & 0 deletions plugins/Makefile.am
Expand Up @@ -7,3 +7,7 @@ endif
if BUILD_NAPATECH
SUBDIRS += napatech
endif

if BUILD_NDPI
SUBDIRS += ndpi
endif
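--- a/plugins/ndpi/Makefile.am
+++ b/plugins/ndpi/Makefile.am
@@ -0,0 +1,13 @@
+pkglib_LTLIBRARIES = ndpi.la
+
+ndpi_la_LDFLAGS = -module -avoid-version -shared
+ndpi_la_LIBADD = @NDPI_LIB@
+
+# Only required to find these headers when building plugins from the
+# source directory.
+ndpi_la_CFLAGS = -I../../rust/gen -I../../rust/dist
+
+ndpi_la_SOURCES = ndpi.c
+
+install-exec-hook:
+cd $(DESTDIR)$(pkglibdir) && $(RM) $(pkglib_LTLIBRARIES)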
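Review bot: `ndpi_la_LIBADD = @NDPI_LIB@` links the static archive libndpi.a into a `-module -shared` object; unless nDPI was built as position-independent code the module may fail to link or load, and any libraries libndpi.a itself depends on are not expressed here, so a comment such as `# libndpi.a must be built with -fPIC; its own link dependencies are not tracked here` or a configure-time check would make the requirement explicit. The nDPI include path does not appear in `ndpi_la_CFLAGS`; the plugin presumably compiles only because configure.ac appends it to the global CPPFLAGS, which is worth stating next to the existing comment so the coupling is not lost later. The recipe line under `install-exec-hook` is shown here without a leading tab, presumably lost in rendering; confirm it is a tab in the file, since make rejects a space-indented recipe.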
