Feature #7231

open

ndpi: augment flows/alerts with ndpi metadata and extend signature keywords

Added by Alfredo Cardigliano 3 months ago. Updated 3 months ago.

Status: In Review
Priority: Normal

Description

This is to propose the integration with nDPI.

This would allow Suricata to
- augment exported alerts and netflow records with the layer-7 protocol and metadata extracted by nDPI
- add a new ndpi-protocol keyword to match traffic against hundreds of Layer-7 protocols (e.g. TLS.YouTube)
- add a new ndpi-risk keyword to match flow risks detected by nDPI (e.g. Binary Application Transfer, Malware Host Contacted, etc.)

There is already a pending PR #11671. With the proposed PR, nDPI can be optionally linked in Suricata with configure flags (e.g. configure --enable-ndpi --with-ndpi=/home/user/nDPI).


Related issues (2 open, 0 closed)

Related to Suricata - Feature #7319: flow: add user registerable flow initialization callback (In Progress, Jason Ish)
Related to Suricata - Feature #7320: flow: add user registerable flow update callbacks (In Progress, Jason Ish)
