The server, client and total risk score do not translate to nDPI doc descriptions.
When inspecting the risk scoring values of low, medium, high, etc., these seem to be aligned to the nDPI result. However, the server, client and total risk score do not translate to nDPI doc descriptions. These integers seem to be curated from a different scoring methodology. Have I missed a configuration detail?
package version: 1.7.0
nDPI version...: 4.11.0-4976-59ee1fe (statically linked)
API version...: 11619
pcap version...: 1.10.1 (with TPACKET_V3)
gcrypt version.: 1.8.6
internal PF_RING version: 8.8.0
> However the server, client and total risk score do not translate to nDPI doc descriptions.
Do you mean that you're missing any documentation or that the documentation differs from the expected results?
Here are a few examples:
nDPI docs: https://www.ntop.org/products/deep-packet-inspection/ndpi/
Id Code: 22
Risk: NDPI_TLS_SUSPICIOUS_ESNI_USAGE Unsafe Protocol
Severity: Low
Score: 10
CliScore: 5
SrvScore: 5
nDPId scoring output: "ndpi": { "flow_risk": { "22": { "risk": "Unsafe Protocol", "severity": "Low", "risk_score": { "total": 450, "client": 345, "server": 105 } } },
nDPI docs:
Id Code: 46
Risk: NDPI_UNIDIRECTIONAL_TRAFFIC Unidirectional Traffic
Severity: Low
Score: 10
CliScore: 5
SrvScore: 5
nDPId scoring output: "ndpi": { "flow_risk": { "46": { "risk": "Unidirectional Traffic", "severity": "Low", "risk_score": { "total": 500, "client": 430, "server": 70 } } },
nDPI docs:
Id Code: 31
Risk: NDPI_TLS_UNCOMMON_ALPN Uncommon TLS ALPN
Severity: Medium
Score: 50
CliScore: 25
SrvScore: 25
nDPId scoring output: "ndpi": { "flow_risk": { "31": { "risk": "Uncommon TLS ALPN", "severity": "Medium", "risk_score": { "total": 610, "client": 485, "server": 125 } } },
nDPId retrieves the score from libnDPI. So maybe the documentation and implementation got out of sync.
Seems that flow_risk is correctly assigned, just the scoring is not aligned.
There might be a tiny bug within the risk aggregation in nDPId. Need to investigate.
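A small consistency check for the comparison made in this thread, added here as an example and not code from nDPI or nDPId. It takes an nDPId flow event, reads each entry under `ndpi.flow_risk`, and reports where the per-risk `risk_score` differs from the documented values, where `client + server` does not equal `total`, or where a risk id has no documented entry to compare against. The documented table and the three sample events are the values quoted above; the JSON fragments in the thread are truncated, so the sample events below are constructed by completing them into whole objects.

```python
import json

# Documented per-risk scores as quoted in the thread from the nDPI docs:
# risk id -> (severity, score, client score, server score).
NDPI_DOC_SCORES = {
    22: ("Low", 10, 5, 5),      # NDPI_TLS_SUSPICIOUS_ESNI_USAGE
    46: ("Low", 10, 5, 5),      # NDPI_UNIDIRECTIONAL_TRAFFIC
    31: ("Medium", 50, 25, 25), # NDPI_TLS_UNCOMMON_ALPN
}

# Constructed sample events: the nDPId fragments quoted in the thread,
# completed into whole JSON objects so they can be parsed.
SAMPLE_FLOWS = [
    '{"ndpi": {"flow_risk": {"22": {"risk": "Unsafe Protocol", "severity": "Low",'
    ' "risk_score": {"total": 450, "client": 345, "server": 105}}}}}',
    '{"ndpi": {"flow_risk": {"46": {"risk": "Unidirectional Traffic", "severity": "Low",'
    ' "risk_score": {"total": 500, "client": 430, "server": 70}}}}}',
    '{"ndpi": {"flow_risk": {"31": {"risk": "Uncommon TLS ALPN", "severity": "Medium",'
    ' "risk_score": {"total": 610, "client": 485, "server": 125}}}}}',
]


def check_flow(flow_json, doc_scores=NDPI_DOC_SCORES):
    """Compare one nDPId flow event against the documented risk table.

    Returns a list of findings; each finding is a dict with a "kind" of
    "sum_mismatch", "severity_mismatch", "score_mismatch" or "no_doc_entry".
    An empty list means every reported risk matches the documentation.
    """
    event = json.loads(flow_json)
    findings = []
    for risk_id, entry in event.get("ndpi", {}).get("flow_risk", {}).items():
        rid = int(risk_id)
        score = entry.get("risk_score", {})
        reported = (score.get("total"), score.get("client"), score.get("server"))
        total, client, server = reported

        # nDPId reports the total as the sum of the client and server parts;
        # flag any event where that invariant does not hold.
        if None in reported or client + server != total:
            findings.append({"kind": "sum_mismatch", "risk_id": rid, "reported": reported})

        if rid not in doc_scores:
            findings.append({"kind": "no_doc_entry", "risk_id": rid, "reported": reported})
            continue

        doc_severity, doc_total, doc_client, doc_server = doc_scores[rid]
        documented = (doc_total, doc_client, doc_server)
        if entry.get("severity") != doc_severity:
            findings.append({"kind": "severity_mismatch", "risk_id": rid,
                             "reported": entry.get("severity"), "documented": doc_severity})
        if reported != documented:
            findings.append({"kind": "score_mismatch", "risk_id": rid,
                             "reported": reported, "documented": documented})
    return findings


def check_flows(flows, doc_scores=NDPI_DOC_SCORES):
    """Run check_flow over many events; returns {risk_id: [kinds of findings]}."""
    summary = {}
    for flow_json in flows:
        for finding in check_flow(flow_json, doc_scores):
            summary.setdefault(finding["risk_id"], []).append(finding["kind"])
    return summary


if __name__ == "__main__":
    for flow_json in SAMPLE_FLOWS:
        for finding in check_flow(flow_json):
            print(finding)
```

Run against the three quoted events, every risk keeps its documented severity and satisfies `client + server == total`, but each one is reported as a `score_mismatch` (for example 450/345/105 where the docs give 10/5/5), which is the discrepancy described in the thread. Feeding the same check a stream of real nDPId events (one JSON object per line) would show whether the reported numbers change from flow to flow for the same risk id, which would support the aggregation explanation rather than a simple documentation drift.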