ntop / ntopng

Web-based Traffic and Security Network Traffic Monitoring
http://www.ntop.org
GNU General Public License v3.0

ndpi-protocols ipv6 rules not supported #8059

Closed dammeax closed 3 months ago

dammeax commented 11 months ago

Environment:

What happened: I'm trying to add custom protocol rules via protos.txt with the command parameter --ndpi-protocols. I cannot find documentation on which rules are supported in the protos.txt file, but I'm looking to add ipv6 rules. If I look at the file https://github.com/ntop/nDPI/blob/dev/example/protos.txt it shows quite a lot of ipv6 rules. Unfortunately, when loading this example file I get the following errors:

27/Nov/2023 15:00:43 [applications.lua:17] [protos_utils.lua:148] WARNING: [protos.txt] Ignoring unknown filter 'nbpf' in rule: nbpf:"host 192.168.1.1 and port 80"@HomeRouter
27/Nov/2023 15:00:43 [applications.lua:17] [protos_utils.lua:152] WARNING: [protos.txt] Ignoring bad rule: ipv6:[3ffe:507:0:1:200:86ff:fe05:80da]@CustomProtocolD
27/Nov/2023 15:00:43 [applications.lua:17] [protos_utils.lua:152] WARNING: [protos.txt] Ignoring bad rule: ipv6:[247f:855b:5e16:3caf::]/64:100@CustomProtocolE
27/Nov/2023 15:00:43 [applications.lua:17] [protos_utils.lua:152] WARNING: [protos.txt] Ignoring bad rule: ipv6:[247f:855b:5e16:3caf::]/64@CustomProtocolF
27/Nov/2023 15:00:43 [applications.lua:17] [protos_utils.lua:152] WARNING: [protos.txt] Ignoring bad rule: ipv6:[fe80::76ac:b9ff:fe6c:c124]:12717@CustomProtocolG
27/Nov/2023 15:00:43 [applications.lua:17] [protos_utils.lua:152] WARNING: [protos.txt] Ignoring bad rule: ipv6:[fe80::76ac:b9ff:fe6c:c124]:12718@CustomProtocolH
27/Nov/2023 15:00:43 [applications.lua:17] [protos_utils.lua:148] WARNING: [protos.txt] Ignoring unknown filter 'ipv6' in rule: ipv6:www.ntop.org@ntop
27/Nov/2023 15:00:43 [applications.lua:17] [protos_utils.lua:156] WARNING: [protos.txt] Ignoring bad rule: ip_risk_mask:10.10.120.0/24=0
27/Nov/2023 15:00:43 [applications.lua:17] [protos_utils.lua:156] WARNING: [protos.txt] Ignoring bad rule: ip_risk_mask:10.196.157.228=0
27/Nov/2023 15:00:43 [applications.lua:17] [protos_utils.lua:156] WARNING: [protos.txt] Ignoring bad rule: ipv6_risk_mask:[fe80::356b:e047:3695:0]/112=0
27/Nov/2023 15:00:43 [applications.lua:17] [protos_utils.lua:156] WARNING: [protos.txt] Ignoring bad rule: ipv6_risk_mask:[fe80::7c0:e74e:87c3:5d93]=0
27/Nov/2023 15:00:43 [applications.lua:17] [protos_utils.lua:156] WARNING: [protos.txt] Ignoring bad rule: host_risk_mask:".home"=0
27/Nov/2023 15:00:43 [applications.lua:17] [protos_utils.lua:156] WARNING: [protos.txt] Ignoring bad rule: trusted_issuer_dn:"CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US"

How did you reproduce it? docker run -it -p 3000:3000 -v /opt/protos.txt/proto.txt:/opt/protos.txt --network=host ntop/ntopng:stable -i test.pcap --ndpi-protocols /opt/protos.txt

then I go in the settings/Application and Categories menu

Are ipv6 rules supported?

djstarfox commented 4 months ago

I just tested this too, and sure enough... ipv6 rules don't work at all. :(

ntopng: 01/Jul/2024 14:02:06 [startup.lua:123] [protos_utils.lua:147] WARNING: [protos.txt] Ignoring bad rule: ipv6:[2607:f8b0:4008:80e::200e]:443@QUIC=1024

MatteoBiscosi commented 3 months ago

Hi @djstarfox @dammeax, the issue should be fixed in the latest ntopng dev version. Support was added to the GUI too, so simply add the rule from the user interface.
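
To triage warnings like the ones in this thread, the following added example (not ntopng or nDPI code) checks whether an `ipv6:` rule string is well-formed on its own terms, so a syntactically valid rule that the loader still rejects can be told apart from a typo. The rule shape `ipv6:[ADDR](/PREFIX)(:PORT)@NAME(=ID)` is an assumption inferred only from the rule strings quoted above, and the names `parse_ipv6_rule` and `well_formed` are hypothetical.

```python
import ipaddress
import re

# Assumed shape, inferred from the rules quoted in this issue:
#   ipv6:[ADDR](/PREFIX)(:PORT)@NAME(=ID)
RULE_RE = re.compile(
    r"^ipv6:\[(?P<addr>[0-9A-Fa-f:.]+)\]"
    r"(?:/(?P<prefix>\d{1,3}))?"
    r"(?::(?P<port>\d{1,5}))?"
    r"@(?P<name>[^=\s]+)"
    r"(?:=(?P<id>\d+))?$"
)

def parse_ipv6_rule(line):
    """Return a dict for a well-formed ipv6 rule, or None otherwise."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    try:
        # strict=False accepts an address with host bits set under a prefix
        net = ipaddress.IPv6Network(
            m["addr"] + "/" + (m["prefix"] or "128"), strict=False)
    except ValueError:
        return None  # bad address or prefix length above 128
    port = int(m["port"]) if m["port"] else None
    if port is not None and not 1 <= port <= 65535:
        return None
    return {"network": str(net), "port": port, "name": m["name"],
            "id": int(m["id"]) if m["id"] else None}

# Rule strings copied from the warnings quoted in this issue
SAMPLES = [
    "ipv6:[3ffe:507:0:1:200:86ff:fe05:80da]@CustomProtocolD",
    "ipv6:[247f:855b:5e16:3caf::]/64:100@CustomProtocolE",
    "ipv6:[247f:855b:5e16:3caf::]/64@CustomProtocolF",
    "ipv6:[fe80::76ac:b9ff:fe6c:c124]:12717@CustomProtocolG",
    "ipv6:[fe80::76ac:b9ff:fe6c:c124]:12718@CustomProtocolH",
    "ipv6:www.ntop.org@ntop",
    "ipv6:[2607:f8b0:4008:80e::200e]:443@QUIC=1024",
]

def well_formed(lines):
    """Return the subset of lines that parse under the assumed shape."""
    return [l for l in lines if parse_ipv6_rule(l) is not None]

if __name__ == "__main__":
    for rule in SAMPLES:
        print(rule, "->", parse_ipv6_rule(rule))
```

Under this assumed shape, every bracketed rule from the logs parses and only `ipv6:www.ntop.org@ntop` does not.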