ndpi: ndpi as a plugin - v5 #12423
ndpi: ndpi as a plugin - v5 #12423
Conversation
- Download and build nDPI - Enable nDPI during Suricata ./configure - Test that the plugin was built and installed
The format is left free-form, as its controled by a plugin.
By adding no_mangle to non-pub functions they enter the global name space and can conflict with other functions. In this case another sha library used by a plugin. Related ticket: https://redmine.openinfosecfoundation.org/issues/7498
The eve callback in ndpi requires a flow, so bail earlier if there is no flow.
Split DetectHelperKeywordRegister into 2 functions, one for acquiring a new keyword ID, and another to perform the registration. This makes it easier to do the traditional C keyword initialization with a dynamic ID.
jasonish
requested review from
jufajardini,
victorjulien and
a team
as code owners
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #12423 +/- ##
==========================================
- Coverage 80.63% 80.63% -0.01%
==========================================
Files 918 918
Lines 258696 258696
==========================================
- Hits 208598 208587 -11
- Misses 50098 50109 +11
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Information: QA ran without warnings. Pipeline 24257 |
| Suricata should be compiled with the nDPI support and the ``ndpi`` | ||
| plugin must be loaded before it can be used. | ||
|
|
||
| Example of configuring Suricata to be compiled with nDPI support: |
There was a problem hiding this comment.
would be good to mention the requires rule support here as well I think
| - Malware host contacted | ||
| - and many other... | ||
|
|
||
| Suricata should be compiled with the nDPI support and the ``ndpi`` |
| flowctx->detection_completed = 1; | ||
| } | ||
| } else { | ||
| u_int16_t max_num_pkts = (f->proto == IPPROTO_UDP) ? 8 : 24; |
| u_int16_t max_num_pkts = (f->proto == IPPROTO_UDP) ? 8 : 24; | ||
|
|
||
| if ((f->todstpktcnt + f->tosrcpktcnt) > max_num_pkts) { | ||
| u_int8_t proto_guessed; |
There was a problem hiding this comment.
uint8_t
Needs a full scan for the u_ variant of int types. We use the one w/o underscore.
| struct NdpiFlowContext { | ||
| struct ndpi_flow_struct *ndpi_flow; | ||
| ndpi_protocol detected_l7_protocol; | ||
| uint8_t detection_completed; |
There was a problem hiding this comment.
used as a bool, so should be a bool
| { | ||
| DetectnDPIProtocolData *data = NULL; | ||
|
|
||
| data = DetectnDPIProtocolParse(arg, s->init_data->negated); |
| SCReturnInt(0); | ||
| } | ||
|
|
||
| r = ((flowctx->ndpi_flow->risk & data->risk_mask) == data->risk_mask); |
| { | ||
| DetectnDPIRiskData *data = NULL; | ||
|
|
||
| data = DetectnDPIRiskParse(arg, s->init_data->negated); |
| struct NdpiFlowContext *flowctx = FlowGetStorageById(f, flow_storage_id); | ||
| ndpi_serializer serializer; | ||
| char *buffer; | ||
| u_int32_t buffer_len; |
| FlowSetStorageById(f, flow_storage_id, flowctx); | ||
| } | ||
|
|
||
| static void OnFlowUpdate(ThreadVars *tv, Flow *f, Packet *p, void *_data) |
There was a problem hiding this comment.
is it a problem that this gets the raw data in the order as it comes in? So there will be no stream reassembly, reordering and normalization of any of the data sent to ndpi.
There was a problem hiding this comment.
Getting data as it comes in is fine for ndpi
|
Ping @cardigliano, can you take a look at these issues? I think the "integration" is more or less complete with this PR, just some code items to deal with in the implementation of the plugin. |
|
I fixed the issues in our branch |
Previous PR: #12412
Changes:
Outstanding comment from previous PR: