authorLuca Deri <deri@ntop.org>2021-07-22 01:35:57 +0200
committerLuca Deri <deri@ntop.org>2021-07-22 01:35:57 +0200
commitb01b60a2b523b98f2801c4752213b9468f63cad5 (patch)
tree7b134b1896e0d69be4514f828f8c294b98040cf6 /src/include/ndpi_api.h.in
parentfc9901292d617f1ecd38f37d063d5f046978c1aa (diff)
Implementation of flow risk exception (work in progress)
Diffstat (limited to 'src/include/ndpi_api.h.in')
-rw-r--r--src/include/ndpi_api.h.in84
1 files changed, 56 insertions, 28 deletions
diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in
index df545a165..8be91b89d 100644
--- a/src/include/ndpi_api.h.in
+++ b/src/include/ndpi_api.h.in
@@ -50,9 +50,9 @@ extern "C" {
/*
In case a custom DGA function is used, the fucntion
below must be overwritten,
- */
+ */
extern ndpi_custom_dga_predict_fctn ndpi_dga_function;
-
+
/**
* Check if a string is encoded with punycode
* ( https://tools.ietf.org/html/rfc3492 )
@@ -276,7 +276,7 @@ extern "C" {
void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *ndpi_struct,
const NDPI_PROTOCOL_BITMASK * detection_bitmask);
- /**
+ /**
* Function to be called before we give up with detection for a given flow.
* This function reduces the NDPI_UNKNOWN_PROTOCOL detection
*
@@ -375,7 +375,7 @@ extern "C" {
* @par l4_protocol_return = protocol of the layer 4 data if return value == 0, undefined otherwise
* @par flags = limit operation on ipv4 or ipv6 packets. Possible values: NDPI_DETECTION_ONLY_IPV4 - NDPI_DETECTION_ONLY_IPV6 - 0 (any)
* @return 0 if layer 4 data could be found correctly;
- else != 0
+ else != 0
*
*/
u_int8_t ndpi_detection_get_l4(const u_int8_t *l3, u_int16_t l3_len, const u_int8_t **l4_return, u_int16_t *l4_len_return,
@@ -489,9 +489,9 @@ extern "C" {
*
*/
void ndpi_exclude_protocol(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow,
- u_int16_t master_protocol_id,
- const char *_file, const char *_func,int _line);
+ struct ndpi_flow_struct *flow,
+ u_int16_t master_protocol_id,
+ const char *_file, const char *_func,int _line);
/**
* Check if the string -bigram_to_match- match with a bigram of -automa-
*
@@ -705,7 +705,29 @@ extern "C" {
int ndpi_load_protocols_file(struct ndpi_detection_module_struct *ndpi_mod,
const char* path);
- /**
+ /**
+ * Add an IP-address based risk mask
+ *
+ * @par ndpi_mod = the detection module
+ * @par ip = the IP address for which you wanna set the mask
+ * @par mask = the IP risk mask
+ * @return 0 if the rule is loaded correctly;
+ * -1 else
+ */
+ int ndpi_add_ip_risk_mask(struct ndpi_detection_module_struct *ndpi_mod, char *ip, ndpi_risk mask);
+
+ /**
+ * Add a host-address based risk mask
+ *
+ * @par ndpi_mod = the detection module
+ * @par host = the hostname/domain for which you wanna set the mask
+ * @par mask = the host risk mask
+ * @return 0 if the rule is loaded correctly;
+ * -1 else
+ */
+ int ndpi_add_host_risk_mask(struct ndpi_detection_module_struct *ndpi_mod, char *host, ndpi_risk mask);
+
+ /**
* Read a file and load the categories
*
* @par ndpi_mod = the detection module
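Review bot: The two new declarations take `char *ip` and `char *host` although the neighbouring loaders in this header (`ndpi_load_ip_category`, `ndpi_load_hostname_category`) take `const char *` for the same kind of key; unless the implementation actually writes to the string, declare them `int ndpi_add_ip_risk_mask(struct ndpi_detection_module_struct *ndpi_mod, const char *ip, ndpi_risk mask);` and likewise `const char *host`, so callers can pass literals and const configuration data. The comments also leave the contract ambiguous: given the commit title, `mask` presumably selects risks to exclude for that IP/host rather than risks to raise, which should be stated explicitly, e.g. `@par mask = bitmask of ndpi_risk flags that must NOT be reported for flows matching this address`, because a misreading inverts the effect of every exception rule. It would help to say whether `ip` accepts a CIDR suffix like `ip_address_and_mask` does elsewhere in this header and whether the string is copied or must outlive the module. Replace "wanna" with "want to" in both comments.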
@@ -715,7 +737,7 @@ extern "C" {
*/
int ndpi_load_categories_file(struct ndpi_detection_module_struct *ndpi_str, const char* path);
- /**
+ /**
* Read a file and load the list of risky domains
*
* @par ndpi_mod = the detection module
@@ -725,7 +747,7 @@ extern "C" {
*/
int ndpi_load_risk_domain_file(struct ndpi_detection_module_struct *ndpi_str, const char* path);
- /**
+ /**
* Read a file and load the list of malicious JA3 signatures
*
* @par ndpi_mod = the detection module
@@ -771,7 +793,7 @@ extern "C" {
void ndpi_set_automa(struct ndpi_detection_module_struct *ndpi_struct,
void* automa);
-/* NDPI_PROTOCOL_HTTP */
+ /* NDPI_PROTOCOL_HTTP */
/**
* Retrieve information for HTTP flows
*
@@ -779,7 +801,7 @@ extern "C" {
* @par flow = the detected flow
* @return the HTTP method information about the flow
*
- */
+ */
ndpi_http_method ndpi_get_http_method(struct ndpi_detection_module_struct *ndpi_mod,
struct ndpi_flow_struct *flow);
@@ -790,7 +812,7 @@ extern "C" {
* @par flow = the detected flow
* @return the HTTP method information about the flow
*
- */
+ */
char* ndpi_get_http_url(struct ndpi_detection_module_struct *ndpi_mod,
struct ndpi_flow_struct *flow);
@@ -801,11 +823,11 @@ extern "C" {
* @par flow = the detected flow
* @return the HTTP method information about the flow
*
- */
+ */
char* ndpi_get_http_content_type(struct ndpi_detection_module_struct *ndpi_mod,
struct ndpi_flow_struct *flow);
-/* NDPI_PROTOCOL_TOR */
+ /* NDPI_PROTOCOL_TOR */
/**
* Check if the flow could be detected as TOR protocol
*
@@ -876,16 +898,16 @@ extern "C" {
int ndpi_match_string(void *_automa, char *string_to_match);
int ndpi_load_ip_category(struct ndpi_detection_module_struct *ndpi_struct,
- const char *ip_address_and_mask, ndpi_protocol_category_t category);
+ const char *ip_address_and_mask, ndpi_protocol_category_t category);
int ndpi_load_hostname_category(struct ndpi_detection_module_struct *ndpi_struct,
- const char *name_to_add, ndpi_protocol_category_t category);
+ const char *name_to_add, ndpi_protocol_category_t category);
int ndpi_load_category(struct ndpi_detection_module_struct *ndpi_struct,
- const char *ip_or_name, ndpi_protocol_category_t category);
+ const char *ip_or_name, ndpi_protocol_category_t category);
int ndpi_enable_loaded_categories(struct ndpi_detection_module_struct *ndpi_struct);
int ndpi_fill_ip_protocol_category(struct ndpi_detection_module_struct *ndpi_struct,
- u_int32_t saddr,
- u_int32_t daddr,
- ndpi_protocol *ret);
+ u_int32_t saddr,
+ u_int32_t daddr,
+ ndpi_protocol *ret);
int ndpi_match_custom_category(struct ndpi_detection_module_struct *ndpi_struct,
char *name, u_int name_len, ndpi_protocol_category_t *id);
void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_struct,
@@ -904,7 +926,7 @@ extern "C" {
u_int16_t ndpi_get_lower_proto(ndpi_protocol proto);
u_int16_t ndpi_get_upper_proto(ndpi_protocol proto);
-
+
ndpi_proto_defaults_t* ndpi_get_proto_defaults(struct ndpi_detection_module_struct *ndpi_mod);
u_int ndpi_get_ndpi_num_supported_protocols(struct ndpi_detection_module_struct *ndpi_mod);
u_int ndpi_get_ndpi_num_custom_protocols(struct ndpi_detection_module_struct *ndpi_mod);
@@ -1524,7 +1546,7 @@ extern "C" {
ndpi_risk_info* ndpi_risk2severity(ndpi_risk_enum risk);
u_int16_t ndpi_risk2score(ndpi_risk risk,
u_int16_t *client_score, u_int16_t *server_score);
-
+
/* ******************************* */
/* HyperLogLog cardinality estimator */
@@ -1571,14 +1593,20 @@ extern "C" {
/* ******************************* */
int ndpi_load_geoip(struct ndpi_detection_module_struct *ndpi_str,
- const char *ip_city_data, const char *ip_as_data);
- void ndpi_free_geoip(struct ndpi_detection_module_struct *ndpi_str);
+ const char *ip_city_data, const char *ip_as_data);
+ void ndpi_free_geoip(struct ndpi_detection_module_struct *ndpi_str);
int ndpi_get_geoip_asn(struct ndpi_detection_module_struct *ndpi_str,
char *ip, u_int32_t *asn);
-int ndpi_get_geoip_country_continent(struct ndpi_detection_module_struct *ndpi_str, char *ip,
- char *country_code, u_int8_t country_code_len,
- char *continent, u_int8_t continent_len);
+ int ndpi_get_geoip_country_continent(struct ndpi_detection_module_struct *ndpi_str, char *ip,
+ char *country_code, u_int8_t country_code_len,
+ char *continent, u_int8_t continent_len);
+
+ /* ******************************* */
+ char* ndpi_get_flow_name(struct ndpi_flow_struct *flow);
+
+ /* ******************************* */
+
#ifdef __cplusplus
}
#endif
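Review bot: `ndpi_get_flow_name` is added without the Doxygen block that every other declaration in this header carries, and its `char*` return says nothing about ownership. Add a comment stating which name the function returns, whether the pointer references storage inside `flow` (and so becomes dangling once the flow is freed) or is allocated and must be released by the caller, and whether it can be NULL; if the function only reads the flow, `const struct ndpi_flow_struct *flow` would document that too. The two bare `/* ******************************* */` separators around it carry no section label, unlike the "HyperLogLog cardinality estimator" separator above, so either label the section or drop them. The enclosing `extern "C"` block starts outside the hunk.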