Introducing nProbe Cento 1.14


This is to announce a new release of ntop's 100 Gbit probe, nProbe Cento 1.14.

In this version we have integrated the latest features from nDPI, ntop's Deep Packet Inspection engine, which is now 2.5x faster than the previous version. Flows are enriched with Flow Risks, a set of issues detected by nDPI, and with a Flow Score, computed from the severity of those risks, which indicates how suspicious each flow is.

The flow dump has also been improved by adding the Community ID (a flow identifier that is becoming a standard in the IDS world) and extended HTTP and DNS metadata.
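The Community ID is what lets a flow dumped by Cento be matched against the same flow in Zeek, Suricata or another IDS. The following is an added example, not code from nProbe Cento or ntop: it computes the Community ID v1 hash as published in the Corelight specification (seed 0 assumed, the default), so you can verify that the value exported by Cento matches the one your IDS logs for the same flow.

```python
# Added example (not from the nProbe Cento release): Community ID v1 flow hash.
# Both directions of a flow map to one ID, so a Cento flow record and an IDS
# alert for the same connection can be joined on this value.
import base64
import hashlib
import ipaddress
import struct

PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_ICMP6, PROTO_SCTP = 1, 6, 17, 58, 132
PORTED_PROTOS = {PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_ICMP6, PROTO_SCTP}

# ICMP request/reply type pairs from the spec: request and reply become one flow.
ICMP4_MAP = {8: 0, 0: 8, 13: 14, 14: 13, 15: 16, 16: 15, 17: 18, 18: 17, 9: 10, 10: 9}
ICMP6_MAP = {128: 129, 129: 128, 130: 131, 131: 130, 133: 134, 134: 133,
             135: 136, 136: 135, 139: 140, 140: 139}


def _icmp_ports(proto, icmp_type, icmp_code):
    """Map ICMP type/code to the 'port' pair used by the spec.

    Returns (sport, dport, orderable). Known request/reply types use
    (type, reply_type) and may be reordered; other types keep their direction."""
    table = ICMP4_MAP if proto == PROTO_ICMP else ICMP6_MAP
    if icmp_type in table:
        return icmp_type, table[icmp_type], True
    return icmp_type, icmp_code, False


def community_id_v1(saddr, daddr, proto, sport=0, dport=0, seed=0):
    """Return the Community ID v1 string ('1:' + base64(SHA1)) for a flow.

    For ICMP/ICMPv6 pass the ICMP type as sport and the code as dport."""
    sip, dip = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    orderable = True
    if proto in (PROTO_ICMP, PROTO_ICMP6):
        sport, dport, orderable = _icmp_ports(proto, sport, dport)
    # Canonical direction: lower address first; on equal addresses, lower port first.
    if orderable and (sip > dip or (sip == dip and sport > dport)):
        sip, dip, sport, dport = dip, sip, dport, sport
    data = struct.pack("!H", seed) + sip.packed + dip.packed + struct.pack("!BB", proto, 0)
    if proto in PORTED_PROTOS:  # protocols without ports (e.g. GRE) omit the port fields
        data += struct.pack("!HH", sport, dport)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


if __name__ == "__main__":
    # Constructed sample flow: a client on 10.0.0.1 talking to a web server on 10.0.0.2.
    print(community_id_v1("10.0.0.1", "10.0.0.2", PROTO_TCP, 40000, 80))
```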

This release also introduces performance optimizations and a few bug fixes, mainly related to memory leaks.

Changelog

New Features

  • Add support for dumping HTTP/DNS flow information to text files (--http-dump-dir and --dns-dump-dir options)
  • Add dump of Flow Risk and Score
  • Add Community ID export when dumping to text files
  • Add support for burst capture (when supported by the PF_RING interface) to improve capture performance
  • IDS mode (cento-ids):
    • Add ability (--local-processing option) to select traffic that should be processed locally by cento vs traffic that should be forwarded to the egress queues for processing by third party applications
    • Add option (--balanced-egress-type <type>) to select the distribution function when load balancing traffic to egress queues

Improvements

  • Optimize JSON serialization by using the nDPI serializer
  • Rework hosts data structures implementation (Radix Tree)
  • Improve packet processing statistics
  • IDS mode (cento-ids):
    • Optimize number of packets necessary to decide about egress
    • Check both master and application L7 protocol when filtering, with precedence to application protocol
    • Add --egress-queue-len parameter to control the queue size on egress

Fixes

  • Fix memory leaks
  • Fix buffer-overflow on decoded URLs
  • Fix and improve hostnames lookup (automa)
  • Fix format of exported metadata for flows with unknown L7 protocol
  • Fix sanity checks on egress packets (avoid corruptions)
  • Fix initialisation of IP filters (IDS mode)
  • Fix partial DPI guess on exported flows
  • Fix client/server information in dumped flow information
  • Fix v6 flows handling
  • Fix to avoid creation of empty files when dumping to disk
  • Fix to avoid dumping TCP flags in non TCP flows
  • Fix some counters wrapping at 32 bit

Misc

  • Change installed binaries path from /usr/local/bin to /usr/bin