author | Luca Deri <deri@ntop.org> | 2022-12-30 19:20:07 +0100 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2022-12-30 19:20:07 +0100 |
commit | 1735931f675eb9a70e3f2ea9dda9db8b6636f2bd (patch) | |
tree | 0f0fc7286278ce457b967a0ecd4ed55f23f47dd0 | |
parent | 8f91b8ba72e61eb15a3fdfcddd6339b2fae341be (diff) |
Added NDPI_PERIODIC_FLOW flow risk to be used by apps based on nDPI
-rw-r--r-- | doc/flow_risks.rst | 6 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 3 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 1 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 4 | ||||
-rw-r--r-- | wireshark/ndpi.lua | 1 |
5 files changed, 14 insertions, 1 deletions
diff --git a/doc/flow_risks.rst b/doc/flow_risks.rst
index 541b6d045..8d5cded34 100644
--- a/doc/flow_risks.rst
+++ b/doc/flow_risks.rst
@@ -291,3 +291,9 @@ risk is not triggered for multicast/broadcast destinations.
 NDPI_HTTP_OBSOLETE_SERVER
 ===================================
 This risk is generated whenever a HTTP server uses an obsolete HTTP server version.
+
+.. _Risk 048:
+
+NDPI_PERIODIC_FLOW
+==================
+This risk is generated whenever a flow is observed at a specific periodic pace (e.g. every 10 seconds).
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 16612ce87..fde132e56 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -120,8 +120,9 @@ typedef enum {
 NDPI_UNIDIRECTIONAL_TRAFFIC, /* NOTE: as nDPI can detect a protocol with one packet, make sure your app will clear this risk if future packets (not sent to nDPI) are received in the opposite direction */
-
 NDPI_HTTP_OBSOLETE_SERVER,
+ NDPI_PERIODIC_FLOW, /* Set in case a flow repeats at a specific pace [used by apps on top of nDPI] */
+
 /* Leave this as last member */
 NDPI_MAX_RISK /* must be <= 63 due to (**) */
 } ndpi_risk_enum;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 739010025..09bfe7be3 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -166,6 +166,7 @@ static ndpi_risk_info ndpi_known_risks[] = {
 { NDPI_ANONYMOUS_SUBSCRIBER, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
 { NDPI_UNIDIRECTIONAL_TRAFFIC, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
 { NDPI_HTTP_OBSOLETE_SERVER, NDPI_RISK_MEDIUM, CLIENT_LOW_RISK_PERCENTAGE, NDPI_SERVER_ACCOUNTABLE },
+ { NDPI_PERIODIC_FLOW, NDPI_RISK_LOW, CLIENT_LOW_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
 /* Leave this as last member */
 { NDPI_MAX_RISK, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_NO_ACCOUNTABILITY }
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 12313a0f7..e42e7d004 100644 
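Review bot: The comment on the new NDPI_PERIODIC_FLOW member (`/* Set in case a flow repeats at a specific pace [used by apps on top of nDPI] */`) does not say that nDPI itself never raises this risk, while the doc entry added in the same commit says the risk "is generated whenever a flow is observed at a specific periodic pace", so a reader of the header may expect the library to detect periodicity on its own. I would make the contract explicit, e.g. `NDPI_PERIODIC_FLOW, /* Never set by nDPI: the application sets it when it observes a flow repeating at a fixed interval (e.g. beaconing every N seconds) */`. It would also help to mention that ndpi_known_risks[] in ndpi_main.c scores it NDPI_RISK_LOW with NDPI_CLIENT_ACCOUNTABLE, so applications raising it know what severity they are attaching. The ndpi_risk_enum definition starts before this hunk.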
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -2044,6 +2044,10 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
 return("HTTP Obsolete Server");
 break;
+ case NDPI_PERIODIC_FLOW:
+ return("Periodic Flow");
+ break;
+
 default:
 ndpi_snprintf(buf, sizeof(buf), "%d", (int)risk);
 return(buf);
diff --git a/wireshark/ndpi.lua b/wireshark/ndpi.lua
index 307b68b22..9ddb12c9e 100644
--- a/wireshark/ndpi.lua
+++ b/wireshark/ndpi.lua
@@ -86,6 +86,7 @@ flow_risks[44] = ProtoField.bool("ndpi.flow_risk.crawler_bot", "Crawler/Bot Dete
 flow_risks[45] = ProtoField.bool("ndpi.flow_risk.anonymous_subscriber", "Anonymous Subscriber", num_bits_flow_risks, nil, bit(13), "nDPI Flow Risk: Anonymous Subscriber")
 flow_risks[46] = ProtoField.bool("ndpi.flow_risk.unidirectional_traffic", "Unidirectional Traffic", num_bits_flow_risks, nil, bit(14), "nDPI Flow Risk: Unidirectional Traffi")
 flow_risks[47] = ProtoField.bool("ndpi.flow_risk.http_obsolete_server", "Obsolete HTTP Server", num_bits_flow_risks, nil, bit(15), "nDPI Flow Risk: Obsolete HTTP Server")
+flow_risks[48] = ProtoField.bool("ndpi.flow_risk.periodic_flow", "Periodic Flow", num_bits_flow_risks, nil, bit(16), "nDPI Flow Risk: Periodic Flow")
 -- Last one: keep in sync the bitmask when adding new risks!! |
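Review bot: flow_risks[48] is registered with bit(16), following the established pattern (index 47 → bit(15)), but the context line right after it warns that the bitmask must be kept in sync when a risk is added, and the diffstat lists a single inserted line for wireshark/ndpi.lua, so no mask was touched. If num_bits_flow_risks or the mask that splits the risk bitmap into 32-bit words is derived from the number of registered risks rather than fixed at 64, it needs the matching update in this commit; if it is already fixed-width this is fine, and a short comment saying so next to flow_risks[48] would save the next reviewer the same question. The flow_risks table this line belongs to starts before the hunk.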