Add ndpi integration #11671
Add ndpi integration #11671
Conversation
Add configure --enable-ndpi and --with-ndpi params Add nDPI metadata export in alerts/netflow (Eve JSON) Add ndpi-protocol signature match Add ndpi-risk signature match
cardigliano
requested review from
jufajardini,
victorjulien and
a team
as code owners
|
NOTE: This PR may contain new authors. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #11671 +/- ##
==========================================
+ Coverage 82.61% 82.63% +0.02%
==========================================
Files 919 919
Lines 248997 249003 +6
==========================================
+ Hits 205717 205773 +56
+ Misses 43280 43230 -50
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Thanks for the submission. Could you please create a ticket that discusses this feature, the benefits, etc. |
I created https://redmine.openinfosecfoundation.org/issues/7231 |
|
My big question is how could this work as a plugin ? |
| @@ -580,6 +580,10 @@ typedef struct Packet_ | |||
| uint8_t *payload; | |||
| uint16_t payload_len; | |||
|
|
|||
| #ifdef HAVE_NDPI | |||
| uint16_t ip_len; | |||
There was a problem hiding this comment.
I guess we can avoid to store this, and recompute it based on the total packet length and offset of ip header...
There was a problem hiding this comment.
Yeah, we'll want to get rid of additional #ifdef here as well for the move to a plugin.
| @@ -503,6 +503,12 @@ typedef struct Flow_ | |||
| uint64_t todstbytecnt; | |||
| uint64_t tosrcbytecnt; | |||
|
|
|||
| #ifdef HAVE_NDPI | |||
There was a problem hiding this comment.
Could this somehow go into the storage section below ?
There was a problem hiding this comment.
Perhaps by using FlowStorageRegister and friends? Example usage in app-layer-expectation.c.
| @@ -387,6 +387,41 @@ void FlowHandlePacketUpdate(Flow *f, Packet *p, ThreadVars *tv, DecodeThreadVars | |||
| { | |||
| SCLogDebug("packet %"PRIu64" -- flow %p", p->pcap_cnt, f); | |||
|
|
|||
| #ifdef HAVE_NDPI | |||
| if (tv->ndpi_struct && f->ndpi_flow && (!f->detection_completed) && (p->ip_len > 0)) { | |||
There was a problem hiding this comment.
So, we would need a hook here in FlowHandlePacketUpdate for every packet...
| JsonBuilder *JsonBuildFileInfoRecord( | ||
| const Packet *p, const File *ff, void *tx, const uint64_t tx_id, const bool stored, | ||
| uint8_t dir, HttpXFFCfg *xff_cfg, OutputJsonCtx *eve_ctx | ||
| #ifdef HAVE_NDPI |
There was a problem hiding this comment.
I guess we could accept this for every case (even if it unused in most cases)
| @@ -27,5 +27,8 @@ | |||
| void JsonFlowLogRegister(void); | |||
| void EveAddFlow(Flow *f, JsonBuilder *js); | |||
| void EveAddAppProto(Flow *f, JsonBuilder *js); | |||
| #ifdef HAVE_NDPI | |||
| void EveAddnDPIProto(Flow *f, JsonBuilder *js, ThreadVars *tv); | |||
| @@ -135,6 +135,10 @@ typedef struct ThreadVars_ { | |||
| struct FlowQueue_ *flow_queue; | |||
| bool break_loop; | |||
|
|
|||
| #ifdef HAVE_NDPI | |||
| struct ndpi_detection_module_struct *ndpi_struct; | |||
There was a problem hiding this comment.
Hmm... I do not know about this one... (how we could make it work as a plugin)
There was a problem hiding this comment.
could just use thread_local?
| @@ -120,4 +120,7 @@ OutputJsonThreadCtx *CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx); | |||
| void FreeEveThreadCtx(OutputJsonThreadCtx *ctx); | |||
| void JSONFormatAndAddMACAddr(JsonBuilder *js, const char *key, const uint8_t *val, bool is_array); | |||
|
|
|||
| #ifdef HAVE_NDPI | |||
| void ndpiJsonBuilder(Flow *f, JsonBuilder *js, ThreadVars *tv); | |||
There was a problem hiding this comment.
And we would need to hook into logging...
We are open to both a plugin and native support. The latter is the best IMHO as it enables all users to exploit it, but if a plugin is just a packaging detail fine for me. Just let us know what we can do to expedite your decision as we would like to push additional features after this PR is likely merged. |
There was a problem hiding this comment.
After some discussion on our side, we'd like to help where we can to make this a plugin a.s.a.p. This will require some work on our side as we don't have all the support required yet, but this PR does help identify where we need to provide the hooks.
On your end could you:
- see about using thread local storage
- remove the additional fields from the header and see about using the storage apis
- register and
ndpifeature so rules can conditinally use this
On our side we'll closely review this for the hooks that are needed and prepare a PR from our side.
I think this would be a plugin we'll bundle with Suricata though, so the user experience won't be much different than it is with this PR.
|
Hi @jasonish do you have some updates to share? We're ready to move forward with the plugin development as soon as you're ready. Thanks |
| #ifdef HAVE_NDPI | ||
|
|
||
| static void ndpiJsonBuilderTLSQUIC(Flow *f, JsonBuilder *js, ThreadVars *tv) | ||
| { |
There was a problem hiding this comment.
Should we move these ndpi-related changes to their own file?
There was a problem hiding this comment.
nit: naming convention: s/n/N ?
| ndpi_set_protocol_detection_bitmask2(tv->ndpi_struct, &protos); | ||
| ndpi_finalize_initialization(tv->ndpi_struct); | ||
|
|
||
| /* printf("%s - ndpi_init_detection_module()\n", __FUNCTION__); */ |
There was a problem hiding this comment.
Is keeping these necessary? If yes, couldn't they be changed to SCLogDebug statements?
| - Self-signed Certificate | ||
| - Susp DGA Domain name | ||
| - Malware host contacted | ||
| - and many other... |
There was a problem hiding this comment.
Q: Should we add any a reference here for what was consulted to define those and where people could check them, or isn't this necessary?
There was a problem hiding this comment.
Make sure these boxes are signed before submitting your Pull Request -- thank you.
https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html
https://suricata.io/about/contribution-agreement/ (note: this is only required once)
Describe changes: