Feature #7231
openndpi: augment flows/alerts with ndpi metadata and extend signature keywords
Description
This is to propose the integration with nDPI.
This would allow Suricata to
- augment exported alerts and netflow records with the layer-7 protocol and metadata extracted by nDPI
- add a new ndpi-protocol keyword to match traffic against hundreds of Layer-7 protocols (e.g. TLS.YouTube)
- add a new ndpi-risk keyword to match flow risks detected by nDPI (e.g. Binary Application Transfer, Malware Host Contacted, etc.)
There is already a pending PR #11671. With the proposed PR, nDPI can be optionally linked into Suricata with configure flags (e.g. configure --enable-ndpi --with-ndpi=/home/user/nDPI).
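As an added illustration of how the two proposed keywords would be used in rules (example rules written for this page, not taken from the issue or from PR #11671): the keyword names ndpi-protocol and ndpi-risk and the value TLS.YouTube come from the proposal above; the spelling of the risk values (ndpi_binary_application_transfer, ndpi_malware_host_contacted), the use of ip as the rule protocol, and the sids are assumptions that must be checked against the PR's documentation before use.

```suricata
# Added example rules for the proposed nDPI keywords (assumed syntax, not from the PR).
# ndpi-protocol matches the nDPI layer-7 classification of the flow; TLS.YouTube is the
# example value given in the proposal.
alert ip any any -> any any (msg:"nDPI: YouTube over TLS"; ndpi-protocol:TLS.YouTube; flow:established; sid:9000001; rev:1;)

# ndpi-risk matches a flow risk flagged by nDPI. The risk token names below are assumptions
# derived from the risk descriptions in the proposal ("Binary Application Transfer",
# "Malware Host Contacted"); verify the exact spelling the PR accepts.
alert ip any any -> any any (msg:"nDPI risk: binary application transfer"; ndpi-risk:ndpi_binary_application_transfer; flow:established,to_client; sid:9000002; rev:1;)

# In IPS mode the same keyword can drive a drop instead of an alert.
drop ip any any -> any any (msg:"nDPI risk: malware host contacted"; ndpi-risk:ndpi_malware_host_contacted; flow:established; sid:9000003; rev:1;)
```

Because both keywords depend on nDPI having classified the flow, matches can only occur once enough packets have been seen for nDPI to reach a verdict; the flow:established constraint in the rules above reflects that, and a rule author should expect no match on the very first packets of a flow.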
Updated by Jason Ish about 1 month ago
- Related to Feature #7319: flow: add user registerable flow initialization callback added
Updated by Jason Ish about 1 month ago
- Related to Feature #7320: flow: add user registerable flow update callbacks added