mirror of https://github.com/OISF/suricata
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
50 lines
1.3 KiB
ReStructuredText
50 lines
1.3 KiB
ReStructuredText
nDPI Risk Keyword
|
|
=================
|
|
|
|
ndpi-risk
|
|
---------
|
|
|
|
Match on the flow risks detected by nDPI. Risks are potential issues detected
|
|
by nDPI during the packet dissection and include:
|
|
|
|
- Known Proto on Non Std Port
|
|
- Binary App Transfer
|
|
- Self-signed Certificate
|
|
- Susp DGA Domain name
|
|
- Malware host contacted
|
|
- and many other...
|
|
|
|
Suricata should be compiled with the nDPI support and the ``ndpi``
|
|
plugin must be loaded before it can be used.
|
|
|
|
Example of configuring Suricata to be compiled with nDPI support:
|
|
|
|
.. code-block:: console
|
|
|
|
./configure --enable-ndpi --with-ndpi=/home/user/nDPI
|
|
|
|
Example of suricata.yaml configuration file to load the ``ndpi`` plugin::
|
|
|
|
plugins:
|
|
- /usr/lib/suricata/ndpi.so
|
|
|
|
Syntax::
|
|
|
|
ndpi-risk:[!]<risk>;
|
|
|
|
Where risk is one (or multiple comma-separated) of the risk codes supported by
|
|
nDPI (e.g. NDPI_BINARY_APPLICATION_TRANSFER). Please check ndpiReader -H for the
|
|
full list.
|
|
|
|
Examples::
|
|
|
|
ndpi-risk:NDPI_BINARY_APPLICATION_TRANSFER;
|
|
ndpi-risk:NDPI_TLS_OBSOLETE_VERSION,NDPI_TLS_WEAK_CIPHER;
|
|
|
|
Here is an example of a rule matching HTTP traffic transferring a binary application:
|
|
|
|
.. container:: example-rule
|
|
|
|
alert tcp any any -> any any (msg:"Binary application transfer over HTTP"; ndpi-protocol:HTTP; ndpi-risk:NDPI_BINARY_APPLICATION_TRANSFER; sid:1;)
|
|
|