Project

General

Profile

Actions

Feature #7231

open

ndpi: augment flows/alerts with ndpi metadata and extend signature keywords

Added by Alfredo Cardigliano 4 months ago. Updated 4 months ago.

Status:
In Review
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

This is to propose the integration with nDPI.

This would allow Suricata to
- augment exported alerts and netflow records with the layer-7 protocol and metadata extracted by nDPI
- add a new ndpi-protocol keyword to match traffic against hundreds of Layer-7 protocols (e.g. TLS.YouTube)
- add a new ndpi-risk keyword to match flow risks detected by nDPI (e.g. Binary Application Transfer, Malware Host Contacted, etc.)

There is already a pending PR #11671. With the proposed PR, nDPI can be optionally linked in Suricata
with configure flags (e.g. configure --enable-ndpi --with-ndpi=/home/user/nDPI).


Related issues 2 (0 open2 closed)

Related to Suricata - Feature #7319: flow: add user registerable flow initialization callbackClosedJason IshActions
Related to Suricata - Feature #7320: flow: add user registerable flow update callbacksClosedJason IshActions
Actions #1

Updated by Jason Ish 4 months ago

  • Status changed from New to In Review
Actions #2

Updated by Jason Ish 2 months ago

  • Related to Feature #7319: flow: add user registerable flow initialization callback added
Actions #3

Updated by Jason Ish 2 months ago

  • Related to Feature #7320: flow: add user registerable flow update callbacks added
Actions

Also available in: Atom PDF