HTTP, QUIC, TLS: allow to disable sub-classification (#2533)

author: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> 2024-09-03 12:35:45 +0200
committer: GitHub <noreply@github.com> 2024-09-03 12:35:45 +0200
commit: 338eedd05b034991f1960898ca7680e65d7901f6 (patch)
tree: 3f09e5d966c97382803c707abcf94f221e05aa24 /doc/configuration_parameters.md
parent: 2d040247a77c96a8411477e8ad38c0e07a5e1b54 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/doc/configuration_parameters.md b/doc/configuration_parameters.md
index 590526868..207c0a3c4 100644
--- a/doc/configuration_parameters.md
+++ b/doc/configuration_parameters.md
@@ -29,6 +29,8 @@ TODO
 | "tls"        | "metadata.ja3c_fingerprint"               | enable        | NULL      | NULL      | Enable/disable computation and export of JA3C fingerprint for TLS flows. Note that if it is disable, the flow risk `NDPI_MALICIOUS_JA3` is not checked |
 | "tls"        | "metadata.ja3s_fingerprint"               | enable        | NULL      | NULL      | Enable/disable computation and export of JA3S fingerprint for TLS flows |
 | "tls"        | "metadata.ja4c_fingerprint"               | enable        | NULL      | NULL      | Enable/disable computation and export of JA4C fingerprint for TLS flows |
+| "tls"        | "subclassification"                       | enable        | NULL      | NULL      | Enable/disable sub-classification of TLS/DTLS flows |
+| "quic"       | "subclassification"                       | enable        | NULL      | NULL      | Enable/disable sub-classification of QUIC flows |
 | "smtp"       | "tls_dissection"                          | enable        | NULL      | NULL      | Enable/disable dissection of TLS packets in cleartext SMTP flows (because of opportunistic TLS, via STARTTLS msg) |
 | "imap"       | "tls_dissection"                          | enable        | NULL      | NULL      | Enable/disable dissection of TLS packets in cleartext IMAP flows (because of opportunistic TLS, via STARTTLS msg) |
 | "pop"        | "tls_dissection"                          | enable        | NULL      | NULL      | Enable/disable dissection of TLS packets in cleartext POP flows (because of opportunistic TLS, via STARTTLS msg) |
@@ -43,6 +45,7 @@ TODO
 | "dns"        | "subclassification"                       | enable        | NULL      | NULL      | Enable/disable sub-classification of DNS flows (via query/response domain name). If disabled, some flow risks are not checked |
 | "dns"        | "process_response"                        | enable        | NULL      | NULL      | Enable/disable processing of DNS responses. By default, DNS flows are fully classified after the first request/response pair (or after the first response, if the request is missing). If this parameter is disabled, the flows are fully classified after the first packet, i.e. usually after the first request; in that case, some flow risks are not checked and some metadata are not exported |
 | "http"       | "process_response"                        | enable        | NULL      | NULL      | Enable/disable processing of HTTP responses. By default, HTTP flows are usually fully classified after the first request/response pair. If this parameter is disabled, the flows are fully classified after the first request (or after the first response, if the request is missing); in that case, some flow risks are not checked and some metadata are not exported |
+| "http"       | "subclassification"                       | enable        | NULL      | NULL      | Enable/disable sub-classification of HTTP flows |
 | "ookla"      | "dpi.aggressiveness",                     | 0x01          | 0x00      | 0x01      | Detection aggressiveness for Ookla. The value is a bitmask. Values: 0x0 = disabled; 0x01 = enable heuristic for detection over TLS (via Ookla LRU cache) |
 | "zoom"       | "max_packets_extra_dissection"            | 4             | 0         | 255       | After a flow has been classified has Zoom, nDPI might analyse more packets to look for a sub-classification or for metadata. This parameter set the upper limit on the number of these packets  |
 | "rtp"        | "search_for_stun"                         | disable       | NULL      | NULL      | After a flow has been classified as RTP or RTCP, nDPI might analyse more packets to look for STUN/DTLS packets, i.e. to try to tell if this flow is a "pure" RTP/RTCP flow or if the RTP/RTCP packets are multiplexed with STUN/DTLS. Useful for proper (sub)classification when the beginning of the flows are not captured or if there are lost packets in the the captured traffic. If enabled, nDPI requires more packets to process for each RTP/RTCP flow. |
author	Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>	2024-09-03 12:35:45 +0200
committer	GitHub <noreply@github.com>	2024-09-03 12:35:45 +0200
commit	338eedd05b034991f1960898ca7680e65d7901f6 (patch)
tree	3f09e5d966c97382803c707abcf94f221e05aa24 /doc/configuration_parameters.md
parent	2d040247a77c96a8411477e8ad38c0e07a5e1b54 (diff)