Create a specific configuration for classification only (#2689)

In some scenarios, you might not be interested in flow metadata or flow-risks at all, but you might want only flow (sub-)classification. Examples: you only want to forward the traffic according to the classification or you are only interested in some protocol statistics. Create a new configuration file (for `ndpiReader`, but you can trivially adapt it for the library itself) allowing exactly that. You can use it via: `ndpiReader --conf=example/only_classification.conf ...` Note that this way, the nDPI overhead is lower because it might need less packets per flow: * TLS: nDPI processes only the CH (in most cases) and not also the SH and certificates * DNS: only the request is processed (instead of both request and response) We might extend the same "shortcut-logic" (stop processing the flow immediately when there is a final sub-classification) for others protocols. Add the configuration options to enable/disable the extraction of some TLS metadata.
2026-04-30 07:59:49 +00:00 · 2025-01-31 15:10:30 +01:00 · 2025-01-31 15:10:30 +01:00 · ecf0f8ace3
commit ecf0f8ace3
parent 41133638dc
38 changed files with 695 additions and 328 deletions
--- a/doc/configuration_parameters.md
+++ b/doc/configuration_parameters.md
@ -33,6 +33,14 @@ List of the supported configuration options:
 | "tls  "      | "dpi.heuristics",                         | 0x00          | 0x00      | 0x07      | Enable/disable some heuristics to detect encrypted/obfuscated/proxied TLS flows. The value is a bitmask. Values: 0x0 = disabled; 0x01 = enable basic detection (i.e. encrypted TLS without any encapsulation); 0x02 = enable detection over TLS (i.e. TLS-in-TLS); 0x04 = enable detection over HTTP (i.e. TLS-over-WebSocket). If enabled, some false positives are expected. See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting |
 | "tls  "      | "dpi.heuristics.max_packets_extra_dissection",  | 25            | 0         | 255       | If at least one TLS heuristics is enabled (see `tls,"dpi.heuristics"`, this parameter set the upper limit on the number of packets required/processed for each flow. Higher the value, lower the false positive rate but more packets are required by nDPI for processing. |
 | "tls"        | "metadata.sha1_fingerprint"               | enable        | NULL      | NULL      | Enable/disable computation and export of SHA1 fingerprint for TLS flows. Note that if it is disable, the flow risk `NDPI_MALICIOUS_SHA1_CERTIFICATE` is not checked |
+| "tls"        | "metadata.versions_supported"             | enable        | NULL      | NULL      | Enable/disable export of supported versions metadata for TLS flows |
+| "tls"        | "metadata.alpn_negotiated"                | enable        | NULL      | NULL      | Enable/disable export of negotiated ALPN metadata for TLS flows |
+| "tls"        | "metadata.cipher"                         | enable        | NULL      | NULL      | Enable/disable export of negotiated cipher metadata for TLS flows |
+| "tls"        | "metadata.cert_server_names"              | enable        | NULL      | NULL      | Enable/disable export of server names list from certificate for TLS flows |
+| "tls"        | "metadata.cert_validity"                  | enable        | NULL      | NULL      | Enable/disable export of certificate validity timestamps for TLS flows |
+| "tls"        | "metadata.cert_issuer"                    | enable        | NULL      | NULL      | Enable/disable export of certificate issuer metadata for TLS flows |
+| "tls"        | "metadata.cert_subject"                   | enable        | NULL      | NULL      | Enable/disable export of certificaste subject metadata for TLS flows |
+| "tls"        | "metadata.browser"                        | enable        | NULL      | NULL      | Enable/disable an heurstic to determine the broswer used to generate this TLS flows |
 | "tls"        | "metadata.ja3s_fingerprint"               | enable        | NULL      | NULL      | Enable/disable computation and export of JA3S fingerprint for TLS flows |
 | "tls"        | "metadata.ja4c_fingerprint"               | enable        | NULL      | NULL      | Enable/disable computation and export of JA4C fingerprint for TLS flows. Note that if it is disable, the flow risk `NDPI_MALICIOUS_FINGERPRINT` is not checked |
 | "tls"        | "metadata.ja4r_fingerprint"               | disable       | NULL      | NULL      | Enable/disable computation and export of JA4C fingerprint for TLS flows also in raw format |