From c4ac53a03fa1fbfd5a5d7fea507cfcbe5b307914 Mon Sep 17 00:00:00 2001
From: Luca Deri <deri@ntop.org>
Date: Thu, 23 Dec 2021 21:30:16 +0100
Subject: Added support for Log4J/Log4Shell detection in nDPI via a new flow
 risk named NDPI_POSSIBLE_EXPLOIT

---
 wireshark/ndpi.lua | 1 +
 1 file changed, 1 insertion(+)

(limited to 'wireshark/ndpi.lua')

diff --git a/wireshark/ndpi.lua b/wireshark/ndpi.lua
index dce26f1d9..28e4fce8e 100644
--- a/wireshark/ndpi.lua
+++ b/wireshark/ndpi.lua
@@ -78,6 +78,7 @@ flow_risks[36] = ProtoField.bool("ndpi.flow_risk.clear_text_credentials", "Cleat
 flow_risks[37] = ProtoField.bool("ndpi.flow_risk.dns_large_packet", "DNS large packet", num_bits_flow_risks, nil, bit(5), "nDPI Flow Risk: DNS packet is larger than 512 bytes")
 flow_risks[38] = ProtoField.bool("ndpi.flow_risk.dns_fragmented", "DNS fragmented", num_bits_flow_risks, nil, bit(6), "nDPI Flow Risk: DNS message is fragmented")
 flow_risks[39] = ProtoField.bool("ndpi.flow_risk.invalid_characters", "Invalid characters", num_bits_flow_risks, nil, bit(7), "nDPI Flow Risk: Text contains non-printable characters")
+flow_risks[40] = ProtoField.bool("ndpi.flow_risk.possible_exploit", "Possible Exploit", num_bits_flow_risks, nil, bit(8), "nDPI Flow Risk: Possible exploit detected")
 
 -- Last one: keep in sync the bitmask when adding new risks!!
 flow_risks[64] = ProtoField.new("Unused", "ndpi.flow_risk.unused", ftypes.UINT32, nil, base.HEX, bit(32) - bit(8))
-- 
cgit v1.2.3