vel21ripn / nDPI

Open Source Deep Packet Inspection Software Toolkit
http://www.ntop.org
GNU Lesser General Public License v3.0
120 stars 59 forks

nDPI Flow Risk feature #155

Closed netcons closed 1 year ago

netcons commented 1 year ago

Hi Vitaly,

Thanks for all your work on ndpi-netfilter! Would it be possible to include the nDPI Flow Risk feature in the Netfilter module? As listed by "ndpiReader -a 2".

Thanks

vel21ripn commented 1 year ago

"Flow Risk feature" is a 32 bit value (bitmap). It is not difficult to export it to /proc/net/xt_ndpi/flow. I plan to finish disabling protocols first.

netcons commented 1 year ago

Thank you

aldaihanabdullah3 commented 1 year ago

Hello Vitaly,

I am working on exposing the risk to /proc/net/xt_ndpi/flow along with category and breed. Could you give me some guidance on how to do this properly?

vel21ripn commented 1 year ago

I planned to export "risk" as a hexadecimal number (similar to "level").

vel21ripn commented 1 year ago

See commit 2fc0c86e58d56c8f9c5da3883a09732fc902e5e7

netcons commented 1 year ago

Big thanks Vitaly! Seems NDPI_RISKY_ASN, NDPI_RISKY_DOMAIN, NDPI_MALICIOUS_JA3 & NDPI_MALICIOUS_SHA1_CERTIFICATE are lists. Any pointers on how to populate them?

vel21ripn commented 1 year ago

At the moment - no way. I completely forgot that some risks had their own datasets. I think the problem can be solved by adding the risk datasets to proc/net/xt_ndpi/host_proto and tweaking the nDPI code a bit. I will do this after merging with nDPI/dev.

vel21ripn commented 1 year ago

So far I see a problem with NDPI_RISKY_ASN. You have to get it from somewhere and store it somewhere. This can be done later.

netcons commented 1 year ago

Duplicate functionality here: -m ndpi --ja3c bad_ctcl -j DROP vs -m ndpi --risk 28 -j DROP

Large datasets more efficient using a rule per set, with --risk. vs a rule for each element in a set, with --ja3c.
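The thread describes the risk field as a 32-bit bitmap exported to /proc/net/xt_ndpi/flow as a hexadecimal number, and compares a single "--risk 28" rule against one "--ja3c" rule per dataset entry. The following C program is an added example, not code from ndpi-netfilter or nDPI: it parses such a hex field defensively (rejecting truncated or non-hex input rather than treating it as "no risk"), enumerates the set risk ids, and shows how a rule over a set of ids reduces to one mask comparison independent of the dataset size. Assumptions, not taken from the page: risk id N occupies bit N of the bitmap (nDPI's NDPI_SET_BIT convention), id 0 means no risk, the sample field "10000040" is constructed, and the ids 26 and 28 are used only as illustrative rule entries.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse the risk field as a hexadecimal 32-bit bitmap (the export format
 * proposed in the thread). Returns 0 on success, -1 if the field is not a
 * well-formed 32-bit hex number, so a truncated or garbled /proc line is
 * never silently treated as "no risk". */
static int parse_risk_hex(const char *field, uint32_t *out)
{
    char *end;
    unsigned long v;

    if (field == NULL || *field == '\0')
        return -1;
    errno = 0;
    v = strtoul(field, &end, 16);
    if (errno != 0 || *end != '\0' || v > 0xFFFFFFFFUL)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

/* Assumption: risk id N occupies bit N of the bitmap (nDPI's NDPI_SET_BIT
 * convention); id 0 means "no risk" and is never set. */
static int risk_is_set(uint32_t bitmap, unsigned risk_id)
{
    if (risk_id == 0 || risk_id > 31)
        return 0;
    return (int)((bitmap >> risk_id) & 1u);
}

/* List every risk id set in the bitmap into ids[]; returns the count. */
static size_t risk_ids(uint32_t bitmap, unsigned *ids, size_t max_ids)
{
    size_t n = 0;
    for (unsigned id = 1; id <= 31 && n < max_ids; id++)
        if (risk_is_set(bitmap, id))
            ids[n++] = id;
    return n;
}

/* Hypothetical match logic for a rule carrying a set of risk ids: the flow
 * matches when any listed id is set. One mask comparison, regardless of how
 * many JA3 hashes or domains the underlying datasets contain. */
static int rule_matches(uint32_t bitmap, const unsigned *ids, size_t n)
{
    uint32_t mask = 0;
    for (size_t i = 0; i < n; i++)
        if (ids[i] >= 1 && ids[i] <= 31)
            mask |= 1u << ids[i];
    return (bitmap & mask) != 0;
}

/* Wrappers over a raw field: -1 on parse error, otherwise the answer. */
int risk_field_has(const char *field, unsigned risk_id)
{
    uint32_t bm;
    if (parse_risk_hex(field, &bm) != 0)
        return -1;
    return risk_is_set(bm, risk_id);
}

int risk_field_count(const char *field)
{
    uint32_t bm;
    unsigned ids[32];
    if (parse_risk_hex(field, &bm) != 0)
        return -1;
    return (int)risk_ids(bm, ids, 32);
}

int main(void)
{
    /* Constructed sample field: bits 6 and 28 set. */
    const char *field = "10000040";
    /* Illustrative rule over two risk ids (assumed ids, not from the page). */
    const unsigned policy[] = { 26, 28 };
    uint32_t bm;
    unsigned ids[32];
    size_t n, i;

    if (parse_risk_hex(field, &bm) != 0) {
        fprintf(stderr, "bad risk field: %s\n", field);
        return 1;
    }
    n = risk_ids(bm, ids, 32);
    printf("risk=%08x set ids:", bm);
    for (i = 0; i < n; i++)
        printf(" %u", ids[i]);
    printf("\npolicy {26,28} matches: %s\n",
           rule_matches(bm, policy, 2) ? "yes" : "no");
    return 0;
}
```

The parse step is the part worth keeping: a reader of /proc output that falls back to zero on a malformed field would turn an extraction glitch into a silently unflagged flow.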

vel21ripn commented 1 year ago

> Duplicate functionality here:
> -m ndpi --ja3c bad_ctcl -j DROP
> vs
> -m ndpi --risk 28 -j DROP

There is no difference for filtering, but there is a difference for collecting data.

Now we need to solve the problem described in PR 1946 as it affects TLS detection.