From 1b3ef7d7b2dde9d58cb217d3d7fb6b14d6281153 Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Mon, 8 Apr 2024 10:24:51 +0200
Subject: STUN: improve extraction of Mapped-Address metadata (#2370)

Enable parsing of Mapped-Address attribute for all STUN flows: that
means that STUN classification might require more packets.

Add a configuration knob to enable/disable this feature.

Note that we can have (any) STUN metadata also for flows *not*
classified as STUN (because of DTLS).

Add support for ipv6.

Restore the correct extra dissection logic for Telegram flows.
---
 doc/configuration_parameters.md | 1 +
 1 file changed, 1 insertion(+)

(limited to 'doc')

diff --git a/doc/configuration_parameters.md b/doc/configuration_parameters.md
index 34dfdc771..ed583a872 100644
--- a/doc/configuration_parameters.md
+++ b/doc/configuration_parameters.md
@@ -33,6 +33,7 @@ TODO
 | "ftp"        | "tls_dissection"                          | enable        | NULL      | NULL      | Enable/disable dissection of TLS packets in cleartext FTP flows (because of opportunistic TLS, via AUTH TLS msg) |
 | "stun"       | "max_packets_extra_dissection"            | 4             | 0         | 255       | After a flow has been classified has STUN, nDPI might analyse more packets to look for a sub-classification or for metadata. This parameter set the upper limit on the number of these packets  |
 | "stun"       | "tls_dissection"                          | enable        | NULL      | NULL      | Enable/disable dissection of TLS packets multiplexed into STUN flows |
+| "stun"       | "metadata.attribute.mapped_address"       | enable        | NULL      | NULL      | Enable/disable extraction of (xor)-mapped-address attribute for STUN flows. If it is disabled, STUN classification might be significant faster |
 | "dns"        | "subclassification"                       | enable        | NULL      | NULL      | Enable/disable sub-classification of DNS flows (via query/response domain name). If disabled, some flow risks are not checked |
 | "dns"        | "process_response"                        | enable        | NULL      | NULL      | Enable/disable processing of DNS responses. By default, DNS flows are fully classified after the first request/response pair (or after the first response, if the request is missing). If this parameter is disabled, the flows are fully classified after the first packet, i.e. usually after the first request; in that case, some flow risks are not checked and some metadata are not exported |
 | "http"       | "process_response"                        | enable        | NULL      | NULL      | Enable/disable processing of HTTP responses. By default, HTTP flows are usually fully classified after the first request/response pair. If this parameter is disabled, the flows are fully classified after the first request (or after the first response, if the request is missing); in that case, some flow risks are not checked and some metadata are not exported |
-- 
cgit v1.2.3