File: ndpi.rst

.. role:: example-rule-emphasis

nDPI
####

Installation
************

Before using nDPI, Suricata must be built with nDPI support, for
example:

.. code-block:: console

  ./configure --enable-ndpi --with-ndpi=/home/user/src/nDPI

Then make sure the plugin is loaded in your ``suricata.yaml``:

.. code-block:: yaml

  plugins:
    - /usr/lib/suricata/ndpi.so

This entry should already be present in the default configuration file
after building Suricata with nDPI support.

For more information on nDPI, see
https://www.ntop.org/products/deep-packet-inspection/ndpi/.

Keywords
********

Once the nDPI plugin is loaded, the following keywords are available:

- ``ndpi-protocol``
- ``ndpi-risk``

``ndpi-protocol``
=================

Match on the Layer-7 protocol detected by nDPI.

Note that rules using the ``ndpi-protocol`` keyword should check that
it is available with ``requires``, for example::

  requires: keyword ndpi-protocol

Syntax::

    ndpi-protocol:[!]<protocol>;

Where ``<protocol>`` is one of the application protocols detected by
nDPI.  Please check ``ndpiReader -H`` for the full list.  It is
possible to specify the transport protocol, the application protocol,
or both (dot-separated).

Examples::

    ndpi-protocol:HTTP;
    ndpi-protocol:!TLS;
    ndpi-protocol:TLS.YouTube;

Here is an example of a rule matching TLS traffic on port 53:

.. container:: example-rule

    alert tcp any any -> any 53 (msg:"TLS traffic over DNS standard port"; :example-rule-emphasis:`requires:keyword ndpi-protocol; ndpi-protocol:TLS;` sid:1;)

``ndpi-risk``
=============

Match on the flow risks detected by nDPI. Risks are potential issues
detected by nDPI during the packet dissection and include:

- Known protocol on non-standard port
- Binary application transfer
- Self-signed certificate
- Suspected DGA Domain name
- Malware host contacted
- and many others...

Likewise, rules using the ``ndpi-risk`` keyword should check that it
is available with ``requires``, for example::

  requires: keyword ndpi-risk

Syntax::

    ndpi-risk:[!]<risk>;

Where ``<risk>`` is one (or several, comma-separated) of the risk codes
supported by nDPI (e.g. ``NDPI_BINARY_APPLICATION_TRANSFER``). Please
check ``ndpiReader -H`` for the full list.

Examples::

    ndpi-risk:NDPI_BINARY_APPLICATION_TRANSFER;
    ndpi-risk:NDPI_TLS_OBSOLETE_VERSION,NDPI_TLS_WEAK_CIPHER;

Here is an example of a rule matching HTTP traffic transferring a binary application:

.. container:: example-rule

    alert tcp any any -> any any (msg:"Binary application transfer over HTTP"; :example-rule-emphasis:`requires:keyword ndpi-protocol, keyword ndpi-risk; ndpi-protocol:HTTP; ndpi-risk:NDPI_BINARY_APPLICATION_TRANSFER;` sid:1;)
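
Both keyword sections above ask that every rule using ``ndpi-protocol``
or ``ndpi-risk`` declare that dependency with ``requires``, so that a
Suricata without the plugin skips the rule instead of rejecting it as an
unknown keyword.  The following is an added example, not code from the
Suricata or nDPI projects: a small Python lint that parses a rule file,
splits the option list while honouring quoted ``;`` characters inside
``msg``, and reports every rule whose nDPI keywords are not covered by a
``requires: keyword ...`` entry.  The sample rule set is constructed for
this example; the sids are arbitrary.

```python
"""Lint Suricata rules: nDPI keywords must be declared with ``requires``.

Added example, not part of Suricata or nDPI.  The sample rules at the bottom
are constructed for this check; sids are arbitrary.
"""
import re

NDPI_KEYWORDS = ("ndpi-protocol", "ndpi-risk")


def split_options(body):
    """Split 'a:1; msg:"x;y"; b;' into ['a:1', 'msg:"x;y"', 'b'].

    A ';' inside double quotes (or escaped with a backslash) is part of
    the value, not an option separator.
    """
    opts, cur, in_quote, escape = [], [], False, False
    for ch in body:
        if escape:
            cur.append(ch)
            escape = False
        elif ch == "\\":
            cur.append(ch)
            escape = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opt = "".join(cur).strip()
            if opt:
                opts.append(opt)
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_rule(line):
    """Return (header, {option: [values]}) for one rule, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # Header runs up to the first '(', the option body up to the last ')'.
    m = re.match(r"^(.*?)\((.*)\)\s*$", line)
    if not m:
        raise ValueError(f"not a rule: {line!r}")
    header, body = m.group(1).strip(), m.group(2)
    options = {}
    for opt in split_options(body):
        name, _, value = opt.partition(":")
        options.setdefault(name.strip(), []).append(value.strip())
    return header, options


def required_keywords(options):
    """Collect keyword names from 'requires: keyword X, version >= Y, ...' entries."""
    keywords = set()
    for value in options.get("requires", []):
        for item in value.split(","):
            parts = item.split()
            if len(parts) >= 2 and parts[0] == "keyword":
                keywords.add(parts[1])
    return keywords


def check_rules(text):
    """Return [(sid, [missing nDPI keywords])] for rules lacking a matching requires."""
    findings = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        _, options = parsed
        used = {k for k in NDPI_KEYWORDS if k in options}
        if not used:
            continue
        missing = sorted(used - required_keywords(options))
        if missing:
            findings.append((options.get("sid", ["?"])[0], missing))
    return findings


# Constructed sample rule set: sids 1 and 2 are correct, 3 and 4 are not.
SAMPLE_RULES = r'''
# sid 3 omits requires entirely; sid 4 declares only one of the two keywords.
alert tcp any any -> any 53 (msg:"TLS traffic over DNS standard port"; requires:keyword ndpi-protocol; ndpi-protocol:TLS; sid:1;)
alert tcp any any -> any any (msg:"Binary application transfer over HTTP"; requires:keyword ndpi-protocol, keyword ndpi-risk; ndpi-protocol:HTTP; ndpi-risk:NDPI_BINARY_APPLICATION_TRANSFER; sid:2;)
alert tcp any any -> any any (msg:"Obsolete TLS; weak cipher"; ndpi-risk:NDPI_TLS_OBSOLETE_VERSION,NDPI_TLS_WEAK_CIPHER; sid:3;)
alert tcp any any -> any any (msg:"Only ndpi-protocol declared"; requires:keyword ndpi-protocol; ndpi-protocol:HTTP; ndpi-risk:NDPI_BINARY_APPLICATION_TRANSFER; sid:4;)
'''

if __name__ == "__main__":
    for sid, missing in check_rules(SAMPLE_RULES):
        print(f"sid {sid}: add 'requires: " + ", ".join(f"keyword {k}" for k in missing) + "'")
```

Run it against a real rule file by reading the file into ``check_rules``;
a clean run prints nothing.  The quote-aware splitter matters because a
naive ``split(";")`` would cut the ``msg`` of sid 3 in half and miss the
``ndpi-risk`` option that follows it.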