ntop / nDPI

Open Source Deep Packet Inspection Software Toolkit
http://www.ntop.org
GNU Lesser General Public License v3.0

More information about the potential risk in flow #2555

Open ronygut opened 5 days ago

ronygut commented 5 days ago

Hi

I'm using the ftflow_pcap sample code and I can see that there is code that generates JSON:

```c
/* serialize one detected flow (5-tuple, VLAN, L7 protocol) into the JSON serializer */
ndpi_flow2json(ndpi_struct, ndpi_flow, k->ip_version, k->protocol, k->vlan_id,
               ntohl(k->saddr.v4), ntohl(k->daddr.v4),
               (struct ndpi_in6_addr *)&k->saddr.v6, (struct ndpi_in6_addr *)&k->daddr.v6,
               k->sport, k->dport, ndpi_proto, &serializer);
```

I can see, for example, that it generates the following JSON. Where can I see more information and documentation about what each field means? Also, how is it detected and how accurate is it?

```json
{
  "src_ip": "10.164.130.230",
  "dest_ip": "10.164.255.255",
  "src_port": 35328,
  "dst_port": 35328,
  "ip": 4,
  "proto": "UDP",
  "ndpi": {
    "flow_risk": {
      "22": {
        "risk": "Unsafe Protocol",
        "severity": "Low",
        "risk_score": { "total": 450, "client": 345, "server": 105 }
      }
    },
    "confidence": { "6": "DPI" },
    "proto": "NetBIOS.SMBv1",
    "proto_id": "10.16",
    "proto_by_ip": "Unknown",
    "proto_by_ip_id": 0,
    "encrypted": 0,
    "breed": "Dangerous",
    "category_id": 18,
    "category": "System",
    "hostname": "secrecy1"
  }
}
```

IvanNardi commented 5 days ago

For the flow risks, you can look at: https://www.ntop.org/guides/nDPI/flow_risks.html https://github.com/ntop/ntopng/blob/dev/doc/src/remediations/ndpi_flow_risks.rst

ronygut commented 5 days ago

@IvanNardi the links you sent are descriptions of the risks. I'm looking for an explanation of each field in the JSON: risk_score, confidence, proto_id, encrypted, breed, etc. What are the possible values? Is there a document that explains those fields and their possible values?

IvanNardi commented 5 days ago

> Is there a document that explains those fields and what are the possible values?

In general, no, AFAIK

Some information:

- proto_id, breed, category and risk_score: take a look at the output of `ndpiReader -H`
- confidence: https://github.com/ntop/nDPI/blob/dev/src/include/ndpi_typedefs.h#L1005
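As an added example (not code from the nDPI project or from either commenter), the script below consumes a flow record of the shape pasted earlier in the thread and pulls out the fields the question is about: the `flow_risk` object keyed by numeric risk id, the per-risk `risk_score` (whose `client` and `server` parts sum to `total` in the sample), the `confidence` id/name pair, `breed`, `category` and `encrypted`. The sample record is the one from the issue, embedded as constructed input; the alert threshold of 300 and the rule that treats a `Dangerous` breed as alert-worthy are this example's own choices, not nDPI defaults, and the field semantics are taken only from the `ndpiReader -H` output and the header linked above.

```python
import json

# Constructed sample: the single flow record pasted in the issue, serialized by
# ndpi_flow2json(), embedded so this runs offline without nDPI installed.
SAMPLE_FLOW_JSON = """
{ "src_ip": "10.164.130.230", "dest_ip": "10.164.255.255", "src_port": 35328,
  "dst_port": 35328, "ip": 4, "proto": "UDP",
  "ndpi": { "flow_risk": { "22": { "risk": "Unsafe Protocol", "severity": "Low",
                                  "risk_score": { "total": 450, "client": 345, "server": 105 } } },
            "confidence": { "6": "DPI" },
            "proto": "NetBIOS.SMBv1", "proto_id": "10.16", "proto_by_ip": "Unknown",
            "proto_by_ip_id": 0, "encrypted": 0, "breed": "Dangerous",
            "category_id": 18, "category": "System", "hostname": "secrecy1" } }
"""


def parse_risks(flow):
    """Return one dict per entry of ndpi.flow_risk.

    The risk id is the object key (a string such as "22"), not a field inside
    the entry, so it is recovered from the key. A flow with no risks yields [].
    """
    risks = []
    for risk_id, entry in flow.get("ndpi", {}).get("flow_risk", {}).items():
        score = entry.get("risk_score", {})
        risks.append({
            "id": int(risk_id),
            "name": entry.get("risk"),
            "severity": entry.get("severity"),
            "total": int(score.get("total", 0)),
            "client": int(score.get("client", 0)),
            "server": int(score.get("server", 0)),
        })
    return risks


def total_risk_score(flow):
    """Sum of the per-risk 'total' scores; 0 when the flow carries no risk."""
    return sum(r["total"] for r in parse_risks(flow))


def confidence(flow):
    """Return (confidence_id, confidence_name), e.g. (6, 'DPI'); (None, None) if absent."""
    conf = flow.get("ndpi", {}).get("confidence", {})
    if not conf:
        return (None, None)
    cid, name = next(iter(conf.items()))
    return (int(cid), name)


def summarize(flow_json, score_threshold=300):
    """Parse one flow record into a flat summary plus an 'alert' decision.

    score_threshold is a constructed value for this example, not an nDPI default.
    """
    flow = json.loads(flow_json)
    ndpi = flow.get("ndpi", {})
    risks = parse_risks(flow)
    score = total_risk_score(flow)
    _, conf_name = confidence(flow)
    return {
        "five_tuple": (flow["src_ip"], flow["src_port"],
                       flow["dest_ip"], flow["dst_port"], flow["proto"]),
        "app_proto": ndpi.get("proto"),
        "app_proto_id": ndpi.get("proto_id"),
        "breed": ndpi.get("breed"),
        "category": ndpi.get("category"),
        "encrypted": bool(ndpi.get("encrypted", 0)),
        "confidence": conf_name,
        "risks": [(r["id"], r["name"], r["severity"]) for r in risks],
        # sanity check on the sample's scoring: client + server == total
        "score_consistent": all(r["client"] + r["server"] == r["total"] for r in risks),
        "risk_score": score,
        "alert": score >= score_threshold or ndpi.get("breed") == "Dangerous",
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_FLOW_JSON), indent=2))
```

Feeding ndpiReader's JSON output through `summarize()` line by line gives a quick triage view: the numeric risk ids map to the names in the flow_risks guide linked earlier, and a missing `flow_risk` object simply yields an empty risk list and a score of 0 rather than a KeyError.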