author: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> 2025-01-31 15:10:30 +0100
committer: GitHub <noreply@github.com> 2025-01-31 15:10:30 +0100
commit: ecf0f8ace3d95703dc88450e333dd44c842ddcb9 (patch)
tree: 8b91df0db172c56a86061761ab257bd926bba35d /doc
parent: 41133638dc303be1717462876814a6102669757c (diff)
Create a specific configuration for classification only (#2689)
In some scenarios, you might not be interested in flow metadata or flow risks at all, but you might want only flow (sub-)classification. Examples: you only want to forward the traffic according to the classification, or you are only interested in some protocol statistics.

Create a new configuration file (for `ndpiReader`, but you can trivially adapt it for the library itself) allowing exactly that. You can use it via:

`ndpiReader --conf=example/only_classification.conf ...`

Note that this way, the nDPI overhead is lower because it might need fewer packets per flow:

* TLS: nDPI processes only the CH (in most cases) and not also the SH and certificates
* DNS: only the request is processed (instead of both request and response)

We might extend the same "shortcut logic" (stop processing the flow immediately when there is a final sub-classification) to other protocols.

Add the configuration options to enable/disable the extraction of some TLS metadata.
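The commit message says the classification-only profile for `ndpiReader` can be adapted for the library itself. As an added illustration, not code from the nDPI project, the C program below models the `tls` rows of the table in this diff (option names, the enable/disable and numeric ranges, plus the two flow-risk dependencies the documentation states), validates a constructed classification-only profile line by line, and reports which flow risks the documentation says will no longer be checked once the corresponding metadata is disabled. The `proto,param,value` line format, `apply_line`, `apply_config` and the `classification_only` array are assumptions made for this example; they are not the ndpiReader `--conf` syntax or the library API.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The "tls" rows of doc/configuration_parameters.md as shown in this diff. Toggle
 * options take enable/disable; range options take an integer in [lo, hi]. risk_lost
 * is the flow risk the doc says is no longer checked once the option is disabled. */
enum opt_kind { OPT_TOGGLE, OPT_RANGE };
struct tls_opt { const char *param; enum opt_kind kind; long lo, hi; const char *risk_lost; };

static const struct tls_opt tls_opts[] = {
  { "dpi.heuristics",                              OPT_RANGE, 0x00, 0x07, NULL },
  { "dpi.heuristics.max_packets_extra_dissection", OPT_RANGE, 0,    255,  NULL },
  { "metadata.sha1_fingerprint",   OPT_TOGGLE, 0, 0, "NDPI_MALICIOUS_SHA1_CERTIFICATE" },
  { "metadata.versions_supported", OPT_TOGGLE, 0, 0, NULL },
  { "metadata.alpn_negotiated",    OPT_TOGGLE, 0, 0, NULL },
  { "metadata.cipher",             OPT_TOGGLE, 0, 0, NULL },
  { "metadata.cert_server_names",  OPT_TOGGLE, 0, 0, NULL },
  { "metadata.cert_validity",      OPT_TOGGLE, 0, 0, NULL },
  { "metadata.cert_issuer",        OPT_TOGGLE, 0, 0, NULL },
  { "metadata.cert_subject",       OPT_TOGGLE, 0, 0, NULL },
  { "metadata.browser",            OPT_TOGGLE, 0, 0, NULL },
  { "metadata.ja3s_fingerprint",   OPT_TOGGLE, 0, 0, NULL },
  { "metadata.ja4c_fingerprint",   OPT_TOGGLE, 0, 0, "NDPI_MALICIOUS_FINGERPRINT" },
  { "metadata.ja4r_fingerprint",   OPT_TOGGLE, 0, 0, NULL },
};

enum apply_rc { APPLY_OK = 0, APPLY_BAD_LINE, APPLY_UNKNOWN_PARAM, APPLY_BAD_VALUE };

static const struct tls_opt *find_opt(const char *param) {
  size_t i;
  for(i = 0; i < sizeof(tls_opts) / sizeof(tls_opts[0]); i++)
    if(strcmp(tls_opts[i].param, param) == 0) return &tls_opts[i];
  return NULL;
}

/* Validate one "proto,param,value" line (a format chosen for this example, not a claim
 * about the ndpiReader --conf syntax). On success, *risk_lost names the flow risk that
 * stops being checked, or is NULL when the line has no such side effect. */
static enum apply_rc apply_line(const char *line, const char **risk_lost) {
  char proto[32], param[64], value[32], *end;
  const struct tls_opt *o;
  long v;
  *risk_lost = NULL;
  if(sscanf(line, " %31[^,],%63[^,],%31s", proto, param, value) != 3) return APPLY_BAD_LINE;
  if(strcmp(proto, "tls") != 0 || (o = find_opt(param)) == NULL)
    return APPLY_UNKNOWN_PARAM;                      /* only the "tls" rows are modelled */
  if(o->kind == OPT_TOGGLE) {
    if(strcmp(value, "enable") == 0) return APPLY_OK;
    if(strcmp(value, "disable") != 0) return APPLY_BAD_VALUE;
    *risk_lost = o->risk_lost;
    return APPLY_OK;
  }
  errno = 0;
  v = strtol(value, &end, 0);                        /* base 0 accepts both 7 and 0x07 */
  if(errno != 0 || end == value || *end != '\0' || v < o->lo || v > o->hi) return APPLY_BAD_VALUE;
  return APPLY_OK;
}

/* Apply a whole profile: returns the number of accepted lines, or -1 at the first rejected
 * line (index stored in *bad_idx). Flow risks that will no longer be checked go to lost[]. */
static int apply_config(const char *const *lines, size_t n, const char **lost, size_t maxlost,
                        size_t *nlost, size_t *bad_idx) {
  size_t i;
  *nlost = 0;
  for(i = 0; i < n; i++) {
    const char *risk;
    if(apply_line(lines[i], &risk) != APPLY_OK) { *bad_idx = i; return -1; }
    if(risk != NULL && *nlost < maxlost) lost[(*nlost)++] = risk;
  }
  return (int)i;
}

/* Constructed classification-only profile for the "tls" options: every metadata toggle
 * off and the obfuscated-TLS heuristics disabled (dpi.heuristics = 0x00). */
static const char *const classification_only[] = {
  "tls,metadata.sha1_fingerprint,disable",  "tls,metadata.versions_supported,disable",
  "tls,metadata.alpn_negotiated,disable",   "tls,metadata.cipher,disable",
  "tls,metadata.cert_server_names,disable", "tls,metadata.cert_validity,disable",
  "tls,metadata.cert_issuer,disable",       "tls,metadata.cert_subject,disable",
  "tls,metadata.browser,disable",           "tls,metadata.ja3s_fingerprint,disable",
  "tls,metadata.ja4c_fingerprint,disable",  "tls,metadata.ja4r_fingerprint,disable",
  "tls,dpi.heuristics,0x00",
};
#define N_CLASSIFICATION_ONLY (sizeof(classification_only) / sizeof(classification_only[0]))

int main(void) {
  const char *lost[8];
  size_t nlost, bad, i;
  int n = apply_config(classification_only, N_CLASSIFICATION_ONLY, lost, 8, &nlost, &bad);
  if(n < 0) { printf("rejected line %zu: %s\n", bad, classification_only[bad]); return 1; }
  printf("%d option(s) applied; flow risks no longer checked: %zu\n", n, nlost);
  for(i = 0; i < nlost; i++) printf("  %s\n", lost[i]);
  return 0;
}
```

The `risk_lost` column carries the caveat a practitioner wants before shipping such a profile: turning off `metadata.sha1_fingerprint` and `metadata.ja4c_fingerprint` for speed also silences `NDPI_MALICIOUS_SHA1_CERTIFICATE` and `NDPI_MALICIOUS_FINGERPRINT`, so a classification-only deployment should not be relied on for those detections.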
Diffstat (limited to 'doc')
-rw-r--r-- doc/configuration_parameters.md 8
1 files changed, 8 insertions, 0 deletions
diff --git a/doc/configuration_parameters.md b/doc/configuration_parameters.md
index 6cfa62101..faa02f7b3 100644
--- a/doc/configuration_parameters.md
+++ b/doc/configuration_parameters.md
@@ -33,6 +33,14 @@ List of the supported configuration options:
| "tls " | "dpi.heuristics", | 0x00 | 0x00 | 0x07 | Enable/disable some heuristics to detect encrypted/obfuscated/proxied TLS flows. The value is a bitmask. Values: 0x0 = disabled; 0x01 = enable basic detection (i.e. encrypted TLS without any encapsulation); 0x02 = enable detection over TLS (i.e. TLS-in-TLS); 0x04 = enable detection over HTTP (i.e. TLS-over-WebSocket). If enabled, some false positives are expected. See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting |
| "tls " | "dpi.heuristics.max_packets_extra_dissection", | 25 | 0 | 255 | If at least one TLS heuristics is enabled (see `tls,"dpi.heuristics"`, this parameter set the upper limit on the number of packets required/processed for each flow. Higher the value, lower the false positive rate but more packets are required by nDPI for processing. |
| "tls" | "metadata.sha1_fingerprint" | enable | NULL | NULL | Enable/disable computation and export of SHA1 fingerprint for TLS flows. Note that if it is disable, the flow risk `NDPI_MALICIOUS_SHA1_CERTIFICATE` is not checked |
+| "tls" | "metadata.versions_supported" | enable | NULL | NULL | Enable/disable export of supported versions metadata for TLS flows |
+| "tls" | "metadata.alpn_negotiated" | enable | NULL | NULL | Enable/disable export of negotiated ALPN metadata for TLS flows |
+| "tls" | "metadata.cipher" | enable | NULL | NULL | Enable/disable export of negotiated cipher metadata for TLS flows |
+| "tls" | "metadata.cert_server_names" | enable | NULL | NULL | Enable/disable export of server names list from certificate for TLS flows |
+| "tls" | "metadata.cert_validity" | enable | NULL | NULL | Enable/disable export of certificate validity timestamps for TLS flows |
+| "tls" | "metadata.cert_issuer" | enable | NULL | NULL | Enable/disable export of certificate issuer metadata for TLS flows |
+| "tls" | "metadata.cert_subject" | enable | NULL | NULL | Enable/disable export of certificaste subject metadata for TLS flows |
+| "tls" | "metadata.browser" | enable | NULL | NULL | Enable/disable an heurstic to determine the broswer used to generate this TLS flows |
| "tls" | "metadata.ja3s_fingerprint" | enable | NULL | NULL | Enable/disable computation and export of JA3S fingerprint for TLS flows |
| "tls" | "metadata.ja4c_fingerprint" | enable | NULL | NULL | Enable/disable computation and export of JA4C fingerprint for TLS flows. Note that if it is disable, the flow risk `NDPI_MALICIOUS_FINGERPRINT` is not checked |
| "tls" | "metadata.ja4r_fingerprint" | disable | NULL | NULL | Enable/disable computation and export of JA4C fingerprint for TLS flows also in raw format |
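Review bot: the new `metadata.cert_subject` and `metadata.browser` rows carry typos ("certificaste", "an heurstic", "broswer", "this TLS flows"); suggest `Enable/disable export of certificate subject metadata for TLS flows` and `Enable/disable a heuristic to determine the browser used to generate this TLS flow`. The neighbouring `metadata.sha1_fingerprint` and `metadata.ja4c_fingerprint` rows state which flow risk is no longer checked when the metadata is disabled, while the new `metadata.cert_*` rows say nothing about side effects; if any flow risk depends on certificate validity, issuer or subject being extracted, the rows should say so in the same way, and if none does, they are fine as written. Two pre-existing nits in the surrounding context could ride along: the `dpi.heuristics.max_packets_extra_dissection` description opens a parenthesis at `(see `tls,"dpi.heuristics"`` that is never closed, and the `metadata.ja4r_fingerprint` row describes the "JA4C fingerprint ... in raw format" where JA4R looks intended.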