Add ndpi integration

doc/userguide/rules/index.rst

@@ -38,6 +38,8 @@ Suricata Rules
    smtp-keywords
    websocket-keywords
    app-layer
+   ndpi-protocol
+   ndpi-risk
    xbits
    noalert
    thresholding

doc/userguide/rules/ndpi-protocol.rst

@@ -0,0 +1,35 @@
+nDPI Protocol Keyword
+=====================
+
+ndpi-protocol
+-------------
+
+Match on the Layer-7 protocol detected by nDPI.
+
+This requires Suricata to be compiled with nDPI support:
+
+.. code-block:: console
+
+    ./configure --enable-ndpi --with-ndpi=/home/user/nDPI
+
+Syntax::
+
+    ndpi-protocol:[!]<protocol>;
+
+Where protocol is one of the application protocols detected by nDPI.
+Plase check ndpiReader -H for the full list.
+It is possible to specify the transport protocol, the application
+protocol, or both (dot-separated).
+
+Examples::
+
+    ndpi-protocol:HTTP;
+    ndpi-protocol:!TLS;
+    ndpi-protocol:TLS.YouTube;
+
+Here is an example of a rule matching TLS traffic on port 53:
+
+.. container:: example-rule
+
+    alert tcp any any -> any 53 (msg:"TLS traffic over DNS standard port"; ndpi-protocol:TLS; sid:1;)
+

doc/userguide/rules/ndpi-risk.rst

@@ -0,0 +1,41 @@
+nDPI Risk Keyword
+=================
+
+ndpi-risk
+---------
+
+Match on the flow risks detected by nDPI. Risks are potential issues detected
+by nDPI during the packet dissection and include:
+
+- Known Proto on Non Std Port
+- Binary App Transfer
+- Self-signed Certificate
+- Susp DGA Domain name
+- Malware host contacted
+- and many other...
+
+This requires Suricata to be compiled with nDPI support:
+
+.. code-block:: console
+
+    ./configure --enable-ndpi --with-ndpi=/home/user/nDPI
+
+Syntax::
+
+    ndpi-risk:[!]<risk>;
+
+Where risk is one (or multiple comma-separated) of the risk codes supported by
+nDPI (e.g. NDPI_BINARY_APPLICATION_TRANSFER). Please check ndpiReader -H for the
+full list.
+
+Examples::
+
+    ndpi-risk:NDPI_BINARY_APPLICATION_TRANSFER;
+    ndpi-risk:NDPI_TLS_OBSOLETE_VERSION,NDPI_TLS_WEAK_CIPHER;
+
+Here is an example of a rule matching HTTP traffic transferring a binary application:
+
+.. container:: example-rule
+
+    alert tcp any any -> any any (msg:"Binary application transfer over HTTP"; ndpi-protocol:HTTP; ndpi-risk:NDPI_BINARY_APPLICATION_TRANSFER; sid:1;)
+

src/detect-ndpi-protocol.c

@@ -238,7 +238,7 @@ void DetectnDPIProtocolRegister(void)
 {
     sigmatch_table[DETECT_NDPI_PROTOCOL].name = "ndpi-protocol";
     sigmatch_table[DETECT_NDPI_PROTOCOL].desc = "match on the detected nDPI protocol";
-    sigmatch_table[DETECT_NDPI_PROTOCOL].url = "/rules/index.html";
+    sigmatch_table[DETECT_NDPI_PROTOCOL].url = "/rules/ndpi-protocol.html";
     sigmatch_table[DETECT_NDPI_PROTOCOL].Match = DetectnDPIProtocolPacketMatch;
     sigmatch_table[DETECT_NDPI_PROTOCOL].Setup = DetectnDPIProtocolSetup;
     sigmatch_table[DETECT_NDPI_PROTOCOL].Free = DetectnDPIProtocolFree;

src/detect-ndpi-risk.c

@@ -237,7 +237,7 @@ void DetectnDPIRiskRegister(void)
 {
     sigmatch_table[DETECT_NDPI_RISK].name = "ndpi-risk";
     sigmatch_table[DETECT_NDPI_RISK].desc = "match on the detected nDPI risk";
-    sigmatch_table[DETECT_NDPI_RISK].url = "/rules/index.html";
+    sigmatch_table[DETECT_NDPI_RISK].url = "/rules/ndpi-risk.html";
     sigmatch_table[DETECT_NDPI_RISK].Match = DetectnDPIRiskPacketMatch;
     sigmatch_table[DETECT_NDPI_RISK].Setup = DetectnDPIRiskSetup;
     sigmatch_table[DETECT_NDPI_RISK].Free = DetectnDPIRiskFree;