Configuring nDPI Flow Risk Exceptions


One of the newest features of nDPI 4 is the ability to identify flow risks. Unfortunately sometimes you need to add exceptions as some of those risks, while correct, need to be ignored. Examples include:

  • An old device that speaks an outdated TLS version but that you cannot upgrade, and that you have done your best to protect.
  • A host name that looks like a DGA but isn't.
  • A service running on a non-standard port but that works perfectly as is.

In order to specify exceptions to the flow risks nDPI identifies, you can define a mask that turns off specific flow risks for selected IP addresses (CIDR notation is supported) and hostnames. These rules live in the same configuration file in which nDPI lets you define custom protocols (note that tools such as ndpiReader, ntopng and nprobe all support custom protocols via this file), for example:

ip_risk_mask:192.168.1.0/24=0
ip_risk_mask:10.196.157.228=0
host_risk_mask:".local"=0
host_risk_mask:".msftconnecttest.com"=0

The syntax is pretty straightforward:

  • Token name: either ip_risk_mask (for IP addresses) or host_risk_mask (for hostnames).
  • Mask: the identified flow risk bitmap is ANDed with this mask before output. In the above example the mask is 0, meaning that no risks at all will be reported for the IPs specified (matched as either flow source or destination) or for hostnames matching the names.

For instance, the above rules silence flow risks for the network 192.168.1.0/24 and the host 10.196.157.228, as well as for all hostnames ending with .local or .msftconnecttest.com.
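To make the matching and masking semantics concrete, here is a small added example (not nDPI's own code) that parses rules in the syntax above and applies them to a flow. The risk bit positions and the flow records are constructed for the demo; real nDPI risk identifiers differ. It also covers non-zero masks, which the AND semantics support but the post's rules do not use.

```python
import ipaddress

# Constructed risk bit positions for this demo (real nDPI ids differ).
RISK_TLS_OBSOLETE = 1 << 0
RISK_DGA_NAME = 1 << 1
RISK_NONSTD_PORT = 1 << 2

def parse_rules(text):
    """Parse ip_risk_mask / host_risk_mask lines into two rule lists."""
    ip_rules, host_rules = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        token, _, rest = line.partition(":")
        key, _, mask_txt = rest.rpartition("=")
        mask = int(mask_txt, 0)  # accepts decimal or 0x-prefixed hex
        if token == "ip_risk_mask":
            ip_rules.append((ipaddress.ip_network(key, strict=False), mask))
        elif token == "host_risk_mask":
            host_rules.append((key.strip('"').lower(), mask))
        else:
            raise ValueError("unknown token: %s" % token)
    return ip_rules, host_rules

def risk_mask_for(ip_rules, host_rules, src_ip, dst_ip, hostname):
    """Combine every matching rule; no match leaves all risk bits enabled."""
    mask = ~0
    for net, m in ip_rules:
        # A rule applies whether the address is the flow source or destination.
        if any(ipaddress.ip_address(ip) in net for ip in (src_ip, dst_ip)):
            mask &= m
    if hostname:
        host = hostname.lower()
        for suffix, m in host_rules:
            if host.endswith(suffix):
                mask &= m
    return mask

def apply_exceptions(rules_text, flow):
    """Return the flow's risk bitmap after the configured masks are applied."""
    ip_rules, host_rules = parse_rules(rules_text)
    mask = risk_mask_for(ip_rules, host_rules,
                         flow["src"], flow["dst"], flow.get("host"))
    return flow["risks"] & mask
```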

You can define multiple rules, one per line, and nDPI will honour your choice. No more unwanted flow risk alerts.

Enjoy!