From ecf0f8ace3d95703dc88450e333dd44c842ddcb9 Mon Sep 17 00:00:00 2001 From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> Date: Fri, 31 Jan 2025 15:10:30 +0100 Subject: Create a specific configuration for classification only (#2689) In some scenarios, you might not be interested in flow metadata or flow-risks at all, but you might want only flow (sub-)classification. Examples: you only want to forward the traffic according to the classification or you are only interested in some protocol statistics. Create a new configuration file (for `ndpiReader`, but you can trivially adapt it for the library itself) allowing exactly that. You can use it via: `ndpiReader --conf=example/only_classification.conf ...` Note that this way, the nDPI overhead is lower because it might need less packets per flow: * TLS: nDPI processes only the CH (in most cases) and not also the SH and certificates * DNS: only the request is processed (instead of both request and response) We might extend the same "shortcut-logic" (stop processing the flow immediately when there is a final sub-classification) for others protocols. Add the configuration options to enable/disable the extraction of some TLS metadata. --- doc/configuration_parameters.md | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'doc') diff --git a/doc/configuration_parameters.md b/doc/configuration_parameters.md index 6cfa62101..faa02f7b3 100644 --- a/doc/configuration_parameters.md +++ b/doc/configuration_parameters.md @@ -33,6 +33,14 @@ List of the supported configuration options: | "tls " | "dpi.heuristics", | 0x00 | 0x00 | 0x07 | Enable/disable some heuristics to detect encrypted/obfuscated/proxied TLS flows. The value is a bitmask. Values: 0x0 = disabled; 0x01 = enable basic detection (i.e. encrypted TLS without any encapsulation); 0x02 = enable detection over TLS (i.e. TLS-in-TLS); 0x04 = enable detection over HTTP (i.e. TLS-over-WebSocket). If enabled, some false positives are expected. See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting | | "tls " | "dpi.heuristics.max_packets_extra_dissection", | 25 | 0 | 255 | If at least one TLS heuristics is enabled (see `tls,"dpi.heuristics"`, this parameter set the upper limit on the number of packets required/processed for each flow. Higher the value, lower the false positive rate but more packets are required by nDPI for processing. | | "tls" | "metadata.sha1_fingerprint" | enable | NULL | NULL | Enable/disable computation and export of SHA1 fingerprint for TLS flows. Note that if it is disable, the flow risk `NDPI_MALICIOUS_SHA1_CERTIFICATE` is not checked | +| "tls" | "metadata.versions_supported" | enable | NULL | NULL | Enable/disable export of supported versions metadata for TLS flows | +| "tls" | "metadata.alpn_negotiated" | enable | NULL | NULL | Enable/disable export of negotiated ALPN metadata for TLS flows | +| "tls" | "metadata.cipher" | enable | NULL | NULL | Enable/disable export of negotiated cipher metadata for TLS flows | +| "tls" | "metadata.cert_server_names" | enable | NULL | NULL | Enable/disable export of server names list from certificate for TLS flows | +| "tls" | "metadata.cert_validity" | enable | NULL | NULL | Enable/disable export of certificate validity timestamps for TLS flows | +| "tls" | "metadata.cert_issuer" | enable | NULL | NULL | Enable/disable export of certificate issuer metadata for TLS flows | +| "tls" | "metadata.cert_subject" | enable | NULL | NULL | Enable/disable export of certificaste subject metadata for TLS flows | +| "tls" | "metadata.browser" | enable | NULL | NULL | Enable/disable an heurstic to determine the broswer used to generate this TLS flows | | "tls" | "metadata.ja3s_fingerprint" | enable | NULL | NULL | Enable/disable computation and export of JA3S fingerprint for TLS flows | | "tls" | "metadata.ja4c_fingerprint" | enable | NULL | NULL | Enable/disable computation and export of JA4C fingerprint for TLS flows. Note that if it is disable, the flow risk `NDPI_MALICIOUS_FINGERPRINT` is not checked | | "tls" | "metadata.ja4r_fingerprint" | disable | NULL | NULL | Enable/disable computation and export of JA4C fingerprint for TLS flows also in raw format | -- cgit v1.2.3