forked from OISF/suricata
-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ndpi: initial implementation of nDPI plugin
Ticket: OISF#7231
- Loading branch information
1 parent
5d766df
commit 09a3da0
Showing
8 changed files
with
708 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
nDPI Protocol Keyword | ||
===================== | ||
|
||
ndpi-protocol | ||
------------- | ||
|
||
Match on the Layer-7 protocol detected by nDPI. | ||
|
||
Suricata should be compiled with the nDPI support and the ``ndpi`` | ||
plugin must be loaded before it can be used. | ||
|
||
Example of configuring Suricata to be compiled with nDPI support: | ||
|
||
.. code-block:: console | ||
./configure --enable-ndpi --with-ndpi=/home/user/nDPI | ||
Example of suricata.yaml configuration file to load the ``ndpi`` plugin:: | ||
|
||
plugins: | ||
- /usr/lib/suricata/ndpi.so | ||
|
||
Syntax:: | ||
|
||
ndpi-protocol:[!]<protocol>; | ||
|
||
Where protocol is one of the application protocols detected by nDPI. | ||
Plase check ndpiReader -H for the full list. | ||
It is possible to specify the transport protocol, the application | ||
protocol, or both (dot-separated). | ||
|
||
Examples:: | ||
|
||
ndpi-protocol:HTTP; | ||
ndpi-protocol:!TLS; | ||
ndpi-protocol:TLS.YouTube; | ||
|
||
Here is an example of a rule matching TLS traffic on port 53: | ||
|
||
.. container:: example-rule | ||
|
||
alert tcp any any -> any 53 (msg:"TLS traffic over DNS standard port"; ndpi-protocol:TLS; sid:1;) | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
nDPI Risk Keyword | ||
================= | ||
|
||
ndpi-risk | ||
--------- | ||
|
||
Match on the flow risks detected by nDPI. Risks are potential issues detected | ||
by nDPI during the packet dissection and include: | ||
|
||
- Known Proto on Non Std Port | ||
- Binary App Transfer | ||
- Self-signed Certificate | ||
- Susp DGA Domain name | ||
- Malware host contacted | ||
- and many other... | ||
|
||
Suricata should be compiled with the nDPI support and the ``ndpi`` | ||
plugin must be loaded before it can be used. | ||
|
||
Example of configuring Suricata to be compiled with nDPI support: | ||
|
||
.. code-block:: console | ||
./configure --enable-ndpi --with-ndpi=/home/user/nDPI | ||
Example of suricata.yaml configuration file to load the ``ndpi`` plugin:: | ||
|
||
plugins: | ||
- /usr/lib/suricata/ndpi.so | ||
|
||
Syntax:: | ||
|
||
ndpi-risk:[!]<risk>; | ||
|
||
Where risk is one (or multiple comma-separated) of the risk codes supported by | ||
nDPI (e.g. NDPI_BINARY_APPLICATION_TRANSFER). Please check ndpiReader -H for the | ||
full list. | ||
|
||
Examples:: | ||
|
||
ndpi-risk:NDPI_BINARY_APPLICATION_TRANSFER; | ||
ndpi-risk:NDPI_TLS_OBSOLETE_VERSION,NDPI_TLS_WEAK_CIPHER; | ||
|
||
Here is an example of a rule matching HTTP traffic transferring a binary application: | ||
|
||
.. container:: example-rule | ||
|
||
alert tcp any any -> any any (msg:"Binary application transfer over HTTP"; ndpi-protocol:HTTP; ndpi-risk:NDPI_BINARY_APPLICATION_TRANSFER; sid:1;) | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -7,3 +7,7 @@ endif | |
if BUILD_NAPATECH | ||
SUBDIRS += napatech | ||
endif | ||
|
||
if BUILD_NDPI | ||
SUBDIRS += ndpi | ||
endif |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
pkglib_LTLIBRARIES = ndpi.la | ||
|
||
ndpi_la_LDFLAGS = -module -avoid-version -shared | ||
ndpi_la_LIBADD = @NDPI_LIB@ | ||
|
||
# Only required to find these headers when building plugins from the | ||
# source directory. | ||
ndpi_la_CFLAGS = -I../../rust/gen -I../../rust/dist | ||
|
||
ndpi_la_SOURCES = ndpi.c | ||
|
||
install-exec-hook: | ||
cd $(DESTDIR)$(pkglibdir) && $(RM) $(pkglib_LTLIBRARIES) |
Oops, something went wrong.