diff --git a/example/intrusion_detection.c b/example/intrusion_detection.c
deleted file mode 100644
index 3484f4aaed6..00000000000
--- a/example/intrusion_detection.c
+++ /dev/null
@@ -1,463 +0,0 @@
-/*
- * intrusion_detection.c
- *
- * Copyright (C) 2011-22 - ntop.org
- *
- * This file is part of nDPI, an open source deep packet inspection
- * library based on the OpenDPI and PACE technology by ipoque GmbH
- *
- * nDPI is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * nDPI is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with nDPI. If not, see .
- *
- */
-
-#include "intrusion_detection.h"
-
-double normalize(ndpi_norm_value* tresholds){
- if(tresholds->upper_bound != tresholds->lower_bound){
- tresholds->norm_value = (tresholds->value - tresholds->lower_bound) / (tresholds->upper_bound - tresholds->lower_bound);
- }else{
- if(tresholds->value > tresholds->upper_bound){
- tresholds->norm_value = 1 + (tresholds->value - tresholds->lower_bound) / tresholds->upper_bound;
- }else{
- tresholds->norm_value = 1 - (tresholds->value - tresholds->lower_bound) / tresholds->upper_bound;
- }
-
- }
- if(tresholds->norm_value >= 0){
- return tresholds->norm_value * tresholds->weight;
- }
- else{
- return (1 - tresholds->norm_value) * tresholds->weight;
- }
-}
-
-double get_flow_score(ndpi_norm_value* scores, int n_metrics){
- double flow_score = 0;
- int i;
- for(i=0; ipktlen_c_to_s);
-
- /* pktlen_s_to_c_max */
- i++;
- scores[i].lower_bound = 90.0;
- scores[i].upper_bound = 2974.0;
- scores[i].weight = 0.21073785073559176;
- scores[i].value = ndpi_data_max(flow->pktlen_s_to_c);
-
- /* pktlen_s_to_c_avg */
- i++;
- scores[i].lower_bound = 72.7;
- scores[i].upper_bound = 1130.4199999999996;
- scores[i].weight = 0.21257330032661592;
- scores[i].value = ndpi_data_average(flow->pktlen_s_to_c);
-
- /* pktlen_s_to_c_stddev */
- i++;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 906.0;
- scores[i].weight = 0.20990954527912953;
- scores[i].value = ndpi_data_stddev(flow->pktlen_s_to_c);
-
- /* fin */
- i++;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 2.0;
- scores[i].weight = 0.07710300166602348;
- scores[i].value = flow->fin_count;
-
- /* s_to_c_fin */
- i++;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 2.0;
- scores[i].weight = 0.07710300166602348;
- scores[i].value = flow->dst2src_fin_count;
-
- // sum = 1.0
- double flow_score = get_flow_score(scores, n_metrics);
- free(scores);
- return flow_score;
-}
-
-double Dos_goldeneye_score(struct ndpi_flow_info* flow){
- int n_metrics = 6;
- ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value));
- /* pktlen_s_to_c_max */
- int i = 0;
- scores[i].lower_bound = 74.0;
- scores[i].upper_bound = 3292.6699999999764;
- scores[i].weight = 0.3123007140611667;
- scores[i].value = ndpi_data_max(flow->pktlen_s_to_c);
- /* pktlen_s_to_c_avg */
- i++;
- scores[i].lower_bound = 68.7;
- scores[i].upper_bound = 1354.0569999999987;
- scores[i].weight = 0.23802038891633356;
- scores[i].value = ndpi_data_average(flow->pktlen_s_to_c);
-
- /* pktlen_s_to_c_stddev */
- i++;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 959.4469999999993;
- scores[i].weight = 0.3111779763775991;
- scores[i].value = ndpi_data_stddev(flow->pktlen_s_to_c);
-
- /* syn */
- i++;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 2.0;
- scores[i].weight = 0.0464364305923564;
- scores[i].value = flow->syn_count;
-
- /* c_to_s_syn */
- i++;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 1.0;
- scores[i].weight = 0.04562805946018772;
- scores[i].value = flow->src2dst_syn_count;
-
- /* s_to_c_syn */
- i++;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 2.0;
- scores[i].weight = 0.0464364305923564;
- scores[i].value = flow->dst2src_syn_count;
-
- // sum = 0.9999999999999998
- double flow_score = get_flow_score(scores, n_metrics);
- free(scores);
- return flow_score;
-}
-
-double Dos_hulk_score(struct ndpi_flow_info* flow){
- double f = (double)flow->first_seen_ms/1000.0, l = (double)flow->last_seen_ms/1000.0;
- int n_metrics = 6;
- ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value));
- /* duration */
- int i = 0;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 539.40668006422;
- scores[i].weight = 0.16666666666666666;
- scores[i].value = (l - f);
-
- /* src2dst_packets */
- i++;
- scores[i].lower_bound = 2.0;
- scores[i].upper_bound = 41.0;
- scores[i].weight = 0.16666666666666666;
- scores[i].value = flow->src2dst_packets;
-
- /* dst2src_packets */
- i++;
- scores[i].lower_bound = 2.0;
- scores[i].upper_bound = 45.0;
- scores[i].weight = 0.16666666666666666;
- scores[i].value = flow->dst2src_packets;
-
- /* src2dst_bytes */
- i++;
- scores[i].lower_bound = 146.0;
- scores[i].upper_bound = 6306.300000000001;
- scores[i].weight = 0.16666666666666666;
- scores[i].value = flow->src2dst_bytes;
-
- /* ack */
- i++;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 82.0;
- scores[i].weight = 0.16666666666666666;
- scores[i].value = flow->ack_count;
-
- /* syn */
- i++;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 2.0;
- scores[i].weight = 0.16666666666666666;
- scores[i].value = flow->syn_count;
-
- // sum = 0.9999999999999999
- double flow_score = get_flow_score(scores, n_metrics);
- free(scores);
- return flow_score;
-}
-
-double Dos_slow_score(struct ndpi_flow_info* flow){
- int n_metrics = 6;
- ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value));
- /* pktlen_s_to_c_max */
- int i = 0;
- scores[i].lower_bound = 90.0;
- scores[i].upper_bound = 3135.0;
- scores[i].weight = 0.1760747755022144;
- scores[i].value = ndpi_data_max(flow->pktlen_s_to_c);
-
- /* pktlen_s_to_c_avg */
- i++;
- scores[i].lower_bound = 80.37100000000001;
- scores[i].upper_bound = 1292.5900000000008;
- scores[i].weight = 0.17600137023171597;
- scores[i].value = ndpi_data_average(flow->pktlen_s_to_c);
-
- /* dst2src_bytes */
- i++;
- scores[i].lower_bound = 262.0;
- scores[i].upper_bound = 53227.80000000002;
- scores[i].weight = 0.16919914849886225;
- scores[i].value = flow->dst2src_bytes;
-
- /* syn */
- i++;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 2.0;
- scores[i].weight = 0.168000195747388;
- scores[i].value = flow->syn_count;
-
- /* c_to_s_syn */
- i++;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 1.0;
- scores[i].weight = 0.14272431427243143;
- scores[i].value = flow->src2dst_syn_count;
-
- /* s_to_c_syn */
- i++;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 2.0;
- scores[i].weight = 0.168000195747388;
- scores[i].value = flow->dst2src_syn_count;
-
- // sum = 1.0
- double flow_score = get_flow_score(scores, n_metrics);
- free(scores);
- return flow_score;
-}
-
-double Ftp_patator_score(struct ndpi_flow_info* flow){
- int n_metrics = 6;
- ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value));
- /* iat_flow_min */
- int i = 0;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 24.0;
- scores[i].weight = 0.002732919254658385;
- scores[i].value = ndpi_data_min(flow->iat_flow);
-
- /* pktlen_s_to_c_max */
- i++;
- scores[i].lower_bound = 90.0;
- scores[i].upper_bound = 3393.0;
- scores[i].weight = 0.007453416149068323;
- scores[i].value = ndpi_data_max(flow->pktlen_s_to_c);
-
- /* pktlen_s_to_c_avg */
- i++;
- scores[i].lower_bound = 81.3;
- scores[i].upper_bound = 1315.021;
- scores[i].weight = 0.9833540372670807;
- scores[i].value = ndpi_data_average(flow->pktlen_s_to_c);
-
- /* dst2src_bytes */
- i++;
- scores[i].lower_bound = 256.0;
- scores[i].upper_bound = 56434.0;
- scores[i].weight = 0.0034782608695652175;
- scores[i].value = flow->dst2src_bytes;
-
- /* fin */
- i++;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 2.0;
- scores[i].weight = 0.0014906832298136647;
- scores[i].value = flow->fin_count;
-
- /* rst */
- i++;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 2.0;
- scores[i].weight = 0.0014906832298136647;
- scores[i].value = flow->rst_count;
-
- // sum = 1.0
- double flow_score = get_flow_score(scores, n_metrics);
- free(scores);
- return flow_score;
-}
-
-double Hearthbleed_score(struct ndpi_flow_info* flow){
- double f = (double)flow->first_seen_ms/1000.0, l = (double)flow->last_seen_ms/1000.0;
- int n_metrics = 6;
- ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value));
- /* iat_flow_max */
- int i = 0;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 595213.3999999999;
- scores[i].weight = 0.16666666666666666;
- scores[i].value = ndpi_data_max(flow->iat_flow);
-
- /* iat_flow_stddev */
- i++;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 245377.74799999973;
- scores[i].weight = 0.16666666666666666;
- scores[i].value = ndpi_data_stddev(flow->iat_flow);
-
- /* pktlen_s_to_c_max */
- i++;
- scores[i].lower_bound = 74.0;
- scores[i].upper_bound = 3380.0;
- scores[i].weight = 0.16666666666666666;
- scores[i].value = ndpi_data_max(flow->pktlen_s_to_c);
-
- /* pktlen_s_to_c_avg */
- i++;
- scores[i].lower_bound = 70.0;
- scores[i].upper_bound = 1344.6399999999996;
- scores[i].weight = 0.16666666666666666;
- scores[i].value = ndpi_data_average(flow->pktlen_s_to_c);
-
- /* pktlen_s_to_c_stddev */
- i++;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 944.6399999999996;
- scores[i].weight = 0.16666666666666666;
- scores[i].value = ndpi_data_stddev(flow->pktlen_s_to_c);
-
- /* duration */
- i++;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 711.6677598000391;
- scores[i].weight = 0.16666666666666666;
- scores[i].value = (l - f);
-
- // sum = 0.9999999999999999
- double flow_score = get_flow_score(scores, n_metrics);
- free(scores);
- return flow_score;
-}
-
-double Infiltration_score(struct ndpi_flow_info* flow){
- int n_metrics = 6;
- ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value));
- /* pktlen_c_to_s_max */
- int i = 0;
- scores[i].lower_bound = 72.0;
- scores[i].upper_bound = 1840.739999999998;
- scores[i].weight = 0.11937557392102846;
- scores[i].value = ndpi_data_max(flow->pktlen_c_to_s);
-
- /* pktlen_c_to_s_avg */
- i++;
- scores[i].lower_bound = 70.0;
- scores[i].upper_bound = 296.56599999999816;
- scores[i].weight = 0.12526782981328435;
- scores[i].value = ndpi_data_average(flow->pktlen_c_to_s);
-
- /* pktlen_s_to_c_max */
- i++;
- scores[i].lower_bound = 90.0;
- scores[i].upper_bound = 3496.1399999999776;
- scores[i].weight = 0.13927150290786652;
- scores[i].value = ndpi_data_max(flow->pktlen_s_to_c);
-
- /* pktlen_s_to_c_avg */
- i++;
- scores[i].lower_bound = 72.6;
- scores[i].upper_bound = 1367.7959999999991;
- scores[i].weight = 0.12182430364248545;
- scores[i].value = ndpi_data_average(flow->pktlen_s_to_c);
-
- /* src2dst_bytes */
- i++;
- scores[i].lower_bound = 144.0;
- scores[i].upper_bound = 7847.69999999999;
- scores[i].weight = 0.12059993878175697;
- scores[i].value = flow->src2dst_bytes;
-
- /* dst2src_bytes */
- i++;
- scores[i].lower_bound = 236.0;
- scores[i].upper_bound = 74486.7799999998;
- scores[i].weight = 0.3736608509335782;
- scores[i].value = flow->dst2src_bytes;
-
- // sum = 1.0
- double flow_score = get_flow_score(scores, n_metrics);
- free(scores);
- return flow_score;
-}
-
-double Ssh_patator_score(struct ndpi_flow_info* flow){
- int n_metrics = 6;
- ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value));
- /* fin */
- int i = 0;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 2.0;
- scores[i].weight = 0.0033738191632928477;
- scores[i].value = flow->fin_count;
-
- /* psh */
- i++;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 30.0;
- scores[i].weight = 0.33076923076923076;
- scores[i].value = flow->psh_count;
-
- /* c_to_s_syn */
- i++;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 1.0;
- scores[i].weight = 0.0004048582995951417;
- scores[i].value = flow->src2dst_syn_count;
-
- /* c_to_s_psh */
- i++;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 12.0;
- scores[i].weight = 0.33130904183535764;
- scores[i].value = flow->src2dst_psh_count;
-
- /* s_to_c_fin */
- i++;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 2.0;
- scores[i].weight = 0.0033738191632928477;
- scores[i].value = flow->dst2src_fin_count;
-
- /* s_to_c_psh */
- i++;
- scores[i].lower_bound = 0.0;
- scores[i].upper_bound = 30.0;
- scores[i].weight = 0.33076923076923076;
- scores[i].value = flow->dst2src_psh_count;
-
- // sum = 1.0
- double flow_score = get_flow_score(scores, n_metrics);
- free(scores);
- return flow_score;
-}
diff --git a/example/intrusion_detection.h b/example/intrusion_detection.h
deleted file mode 100644
index 635115ac088..00000000000
--- a/example/intrusion_detection.h
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * intrusion_detection.h
- *
- * Copyright (C) 2011-22 - ntop.org
- *
- * This file is part of nDPI, an open source deep packet inspection
- * library based on the OpenDPI and PACE technology by ipoque GmbH
- *
- * nDPI is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * nDPI is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with nDPI. If not, see .
- *
- */
-
-#ifndef _INTRUSION_DETECTION_H_
-#define _INTRUSION_DETECTION_H_
-
-/*
- Code to detect attacks reported in
-
- https://www.unb.ca/cic/datasets/ids-2017.html
- https://www.unb.ca/cic/datasets/ids-2018.html
-*/
-
-#include
-#include
-#include "reader_util.h"
-#include "ndpi_api.h"
-
-typedef struct norm_values{
- double upper_bound;
- double lower_bound;
- double weight;
- double value;
- double norm_value;
-}ndpi_norm_value;
-
-double normalize(ndpi_norm_value* tresholds);
-
-double get_flow_score(ndpi_norm_value* scores, int n_metrics);
-
-/* ********************************** */
-
-double Ddos_score(struct ndpi_flow_info* flow);
-
-double Dos_goldeneye_score(struct ndpi_flow_info* flow);
-
-double Dos_hulk_score(struct ndpi_flow_info* flow);
-
-double Dos_slow_score(struct ndpi_flow_info* flow);
-
-double Ftp_patator_score(struct ndpi_flow_info* flow);
-
-double Hearthbleed_score(struct ndpi_flow_info* flow);
-
-double Infiltration_score(struct ndpi_flow_info* flow);
-
-double Ssh_patator_score(struct ndpi_flow_info* flow);
-
-#endif /* _INTRUSION_DETECTION_H_ */
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index a4f43b7297e..cf646c681fb 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -56,7 +56,6 @@
#include
#include "reader_util.h"
-#include "intrusion_detection.h"
#define ntohl64(x) ( ( (uint64_t)(ntohl( (uint32_t)((x << 32) >> 32) )) << 32) | ntohl( ((uint32_t)(x >> 32)) ) )
#define htonl64(x) ntohl64(x)
@@ -84,7 +83,7 @@ static char* domain_to_check = NULL;
static u_int8_t ignore_vlanid = 0;
/** User preferences **/
u_int8_t enable_protocol_guess = 1, enable_payload_analyzer = 0, num_bin_clusters = 0, extcap_exit = 0;
-u_int8_t verbose = 0, enable_joy_stats = 0;
+u_int8_t verbose = 0, enable_flow_stats = 0;
int nDPI_LogLevel = 0;
char *_debug_protocols = NULL;
u_int8_t human_readeable_string_len = 5;
@@ -332,29 +331,6 @@ void ndpiCheckHostStringMatch(char *testChar) {
*/
static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle);
-#if 0
-static void reduceBDbits(uint32_t *bd, unsigned int len) {
- int mask = 0;
- int shift = 0;
- unsigned int i = 0;
-
- for(i = 0; i < len; i++)
- mask = mask | bd[i];
-
- mask = mask >> 8;
- for(i = 0; i < 24 && mask; i++) {
- mask = mask >> 1;
- if (mask == 0) {
- shift = i+1;
- break;
- }
- }
-
- for(i = 0; i < len; i++)
- bd[i] = bd[i] >> shift;
-}
-#endif
-
/**
* @brief Get flow byte distribution mean and variance
*/
@@ -414,20 +390,7 @@ flowGetBDMeanandVariance(struct ndpi_flow_info* flow) {
}
}
- if(enable_joy_stats) {
-#if 0
- if(verbose > 1) {
- reduceBDbits(tmp, 256);
- array = tmp;
-
- fprintf(out, " [byte_dist: ");
- for(i = 0; i < 255; i++)
- fprintf(out, "%u,", (unsigned char)array[i]);
-
- fprintf(out, "%u]", (unsigned char)array[i]);
- }
-#endif
-
+ if(enable_flow_stats) {
/* Output the mean */
if(num_bytes != 0) {
double entropy = ndpi_flow_get_byte_count_entropy(array, num_bytes);
@@ -483,8 +446,7 @@ static void help(u_int long_help) {
" -d | Disable protocol guess and use only DPI\n"
" -e | Min human readeable string match len. Default %u\n"
" -q | Quiet mode\n"
- " -J | Display flow SPLT (sequence of packet length and time)\n"
- " | and BD (byte distribution). See https://github.com/cisco/joy\n"
+ " -F | Enable flow stats\n"
" -t | Dissect GTP/TZSP tunnels\n"
" -P :::: | Enable payload analysis:\n"
" | = min pattern len to search\n"
@@ -575,6 +537,7 @@ static struct option longopts[] = {
{ "csv-dump", required_argument, NULL, 'C'},
{ "interface", required_argument, NULL, 'i'},
{ "filter", required_argument, NULL, 'f'},
+ { "flow-stats", required_argument, NULL, 'F'},
{ "cpu-bind", required_argument, NULL, 'g'},
{ "loops", required_argument, NULL, 'l'},
{ "num-threads", required_argument, NULL, 'n'},
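Review bot: The new `flow-stats` entry is declared with `required_argument`, but the handler added in the parseOptions hunk (`case 'F': enable_flow_stats = 1;`) never reads optarg, so `--flow-stats` would consume the following command-line word as its argument and silently drop it. The removed `joy` entry carried the same mismatch, but since the option is being introduced under a new name this is the place to fix it: `{ "flow-stats", no_argument, NULL, 'F'},`. The getopt short-option string is outside the hunk; check that it lists `F` without a trailing colon so the short and long forms agree with the `-F | Enable flow stats` help text. The longopts array continues beyond this hunk.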
@@ -589,7 +552,6 @@ static struct option longopts[] = {
{ "ndpi-log-level", required_argument, NULL, 'V'},
{ "dbg-proto", required_argument, NULL, 'u'},
{ "help", no_argument, NULL, 'h'},
- { "joy", required_argument, NULL, 'J'},
{ "payload-analysis", required_argument, NULL, 'P'},
{ "result-path", required_argument, NULL, 'w'},
{ "quiet", no_argument, NULL, 'q'},
@@ -743,7 +705,6 @@ void printCSVHeader() {
if(!csv_fp) return;
fprintf(csv_fp, "#flow_id,protocol,first_seen,last_seen,duration,src_ip,src_port,dst_ip,dst_port,ndpi_proto_num,ndpi_proto,server_name_sni,");
- fprintf(csv_fp, "benign_score,dos_slow_score,dos_goldeneye_score,dos_hulk_score,ddos_score,hearthbleed_score,ftp_patator_score,ssh_patator_score,infiltration_score,");
fprintf(csv_fp, "c_to_s_pkts,c_to_s_bytes,c_to_s_goodput_bytes,s_to_c_pkts,s_to_c_bytes,s_to_c_goodput_bytes,");
fprintf(csv_fp, "data_ratio,str_data_ratio,c_to_s_goodput_ratio,s_to_c_goodput_ratio,");
@@ -777,7 +738,7 @@ void printCSVHeader() {
fprintf(csv_fp, "ssh_client_hassh,ssh_server_hassh,flow_info,plen_bins");
/* Joy */
- if(enable_joy_stats) {
+ if(enable_flow_stats) {
fprintf(csv_fp, ",byte_dist_mean,byte_dist_std,entropy,total_entropy");
}
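Review bot: The `/* Joy */` comment just above the renamed `if(enable_flow_stats)` guard in printCSVHeader now names a flag and option that this commit removes, so it will mislead the next reader about what the columns are. Replace it with a comment that describes the columns themselves, e.g. `/* Flow stats: byte distribution and entropy columns */`. The same rename is applied in the flowGetBDMeanandVariance and printFlow hunks and in reader_util.c, and those sites should get a matching comment where one refers to joy. printCSVHeader starts and ends outside this hunk.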
@@ -822,7 +783,7 @@ static void parseOptions(int argc, char **argv) {
case 'a':
ndpi_generate_options(atoi(optarg));
break;
-
+
case 'b':
if((num_bin_clusters = atoi(optarg)) > 32)
num_bin_clusters = 32;
@@ -931,8 +892,8 @@ static void parseOptions(int argc, char **argv) {
help(1);
break;
- case 'J':
- enable_joy_stats = 1;
+ case 'F':
+ enable_flow_stats = 1;
break;
case 'P':
@@ -1073,7 +1034,7 @@ static void parseOptions(int argc, char **argv) {
if(num_cores > 1 && bind_mask != NULL) {
char *core_id = strtok(bind_mask, ":");
thread_id = 0;
-
+
while(core_id != NULL && thread_id < num_threads) {
core_affinity[thread_id++] = atoi(core_id) % num_cores;
core_id = strtok(NULL, ":");
@@ -1224,40 +1185,10 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
char buf_ver[16];
u_int i;
- double dos_ge_score;
- double dos_slow_score;
- double dos_hulk_score;
- double ddos_score;
-
- double hearthbleed_score;
-
- double ftp_patator_score;
- double ssh_patator_score;
-
- double inf_score;
-
if(csv_fp != NULL) {
float data_ratio = ndpi_data_ratio(flow->src2dst_bytes, flow->dst2src_bytes);
double f = (double)flow->first_seen_ms, l = (double)flow->last_seen_ms;
- /* PLEASE KEEP IN SYNC WITH printCSVHeader() */
- dos_ge_score = Dos_goldeneye_score(flow);
-
- dos_slow_score = Dos_slow_score(flow);
- dos_hulk_score = Dos_hulk_score(flow);
- ddos_score = Ddos_score(flow);
-
- hearthbleed_score = Hearthbleed_score(flow);
-
- ftp_patator_score = Ftp_patator_score(flow);
- ssh_patator_score = Ssh_patator_score(flow);
-
- inf_score = Infiltration_score(flow);
-
- double benign_score = dos_ge_score < 1 && dos_slow_score < 1 && \
- dos_hulk_score < 1 && ddos_score < 1 && hearthbleed_score < 1 && \
- ftp_patator_score < 1 && ssh_patator_score < 1 && inf_score < 1 ? 1.1 : 0;
-
fprintf(csv_fp, "%u,%u,%.3f,%.3f,%.3f,%s,%u,%s,%u,",
flow->flow_id,
flow->protocol,
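Review bot: The removed `/* PLEASE KEEP IN SYNC WITH printCSVHeader() */` comment was the only cue that the `fprintf(csv_fp, ...)` column sequence written here must match the header emitted by printCSVHeader, and that coupling is unchanged by dropping the score columns from both functions. Keep the comment on the new side, directly above the first `fprintf(csv_fp, "%u,%u,%.3f,%.3f,%.3f,%s,%u,%s,%u,",` call, so the next column added in one function is also added in the other. printFlow starts and ends outside this hunk.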
@@ -1276,11 +1207,6 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
flow->detected_protocol, buf, sizeof(buf)),
flow->host_server_name);
- fprintf(csv_fp, "%.4lf,%.4lf,%.4lf,%.4lf,%.4lf,%.4lf,%.4lf,%.4lf,%.4lf,", \
- benign_score, dos_slow_score, dos_ge_score, dos_hulk_score, \
- ddos_score, hearthbleed_score, ftp_patator_score, \
- ssh_patator_score, inf_score);
-
fprintf(csv_fp, "%u,%llu,%llu,", flow->src2dst_packets,
(long long unsigned int) flow->src2dst_bytes, (long long unsigned int) flow->src2dst_goodput_bytes);
fprintf(csv_fp, "%u,%llu,%llu,", flow->dst2src_packets,
@@ -1347,7 +1273,7 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
}
if((verbose != 1) && (verbose != 2)) {
- if(csv_fp && enable_joy_stats) {
+ if(csv_fp && enable_flow_stats) {
flowGetBDMeanandVariance(flow);
}
@@ -1377,7 +1303,7 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
if(enable_payload_analyzer) fprintf(out, "[flowId: %u]", flow->flow_id);
}
- if(enable_joy_stats) {
+ if(enable_flow_stats) {
/* Print entropy values for monitored flows. */
flowGetBDMeanandVariance(flow);
fflush(out);
@@ -1400,7 +1326,7 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
ndpi_is_encrypted_proto(ndpi_thread_info[thread_id].workflow->ndpi_struct, flow->detected_protocol) ? "Encrypted" : "ClearText");
fprintf(out, "[Confidence: %s]", ndpi_confidence_get_name(flow->confidence));
-
+
if(flow->detected_protocol.category != 0)
fprintf(out, "[cat: %s/%u]",
ndpi_category_get_name(ndpi_thread_info[thread_id].workflow->ndpi_struct,
@@ -1483,7 +1409,7 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
fprintf(out, "[Risk Score: %u]", ndpi_risk2score(flow->risk, &cli_score, &srv_score));
}
-
+
if(flow->ssh_tls.ssl_version != 0) fprintf(out, "[%s]", ndpi_ssl_version2str(buf_ver, sizeof(buf_ver), flow->ssh_tls.ssl_version, &known_tls));
if(flow->ssh_tls.client_hassh[0] != '\0') fprintf(out, "[HASSH-C: %s]", flow->ssh_tls.client_hassh);
@@ -1523,7 +1449,7 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
if(flow->ssh_tls.browser_heuristics.is_firefox_tls) fprintf(out, "[Firefox]");
if(flow->ssh_tls.browser_heuristics.is_chrome_tls) fprintf(out, "[Chrome]");
#endif
-
+
if(flow->ssh_tls.notBefore && flow->ssh_tls.notAfter) {
char notBefore[32], notAfter[32];
struct tm a, b;
@@ -3410,7 +3336,7 @@ static void ndpi_process_packet(u_char *args,
u_int32_t *crc, delta = sizeof(struct ndpi_packet_trailer) + 4 /* ethernet trailer */;
struct ndpi_packet_trailer *trailer;
u_int16_t cli_score, srv_score;
-
+
memcpy(&h, header, sizeof(h));
if(h.caplen > (sizeof(extcap_buf)-sizeof(struct ndpi_packet_trailer) - 4)) {
@@ -3770,12 +3696,12 @@ static void dgaUnitTest() {
if(debug) printf("Checking non DGA %s\n", non_dga[i]);
assert(ndpi_check_dga_name(ndpi_str, NULL, (char*)non_dga[i], 1) == 0);
}
-
+
for(i=0; dga[i] != NULL; i++) {
if(debug) printf("Checking DGA %s\n", non_dga[i]);
assert(ndpi_check_dga_name(ndpi_str, NULL, (char*)dga[i], 1) == 1);
}
-
+
ndpi_exit_detection_module(ndpi_str);
}
@@ -4402,7 +4328,7 @@ void compressedBitmapUnitTest() {
char *buf;
ndpi_bitmap_iterator *it;
u_int32_t value;
-
+
for(i=0; i<1000; i++) {
u_int32_t v = rand();
@@ -4424,10 +4350,10 @@ void compressedBitmapUnitTest() {
while(ndpi_bitmap_iterator_next(it, &value)) {
if(trace) printf("%u ", value);
}
-
+
if(trace) printf("\n");
ndpi_bitmap_iterator_free(it);
-
+
ndpi_free(buf);
ndpi_bitmap_free(b);
ndpi_bitmap_free(b1);
@@ -4464,7 +4390,7 @@ int original_main(int argc, char **argv) {
printf("nDPI Library version mismatch: please make sure this code and the nDPI library are in sync\n");
return(-1);
}
-
+
if(!skip_unit_tests) {
#ifndef DEBUG_TRACE
/* Skip tests when debugging */
@@ -4498,7 +4424,7 @@ int original_main(int argc, char **argv) {
compressedBitmapUnitTest();
#endif
}
-
+
gettimeofday(&startup_time, NULL);
memset(ndpi_thread_info, 0, sizeof(ndpi_thread_info));
@@ -4542,7 +4468,7 @@ int original_main(int argc, char **argv) {
if(ndpi_info_mod) ndpi_exit_detection_module(ndpi_info_mod);
if(csv_fp) fclose(csv_fp);
ndpi_free(_debug_protocols);
-
+
#ifdef DEBUG_TRACE
if(trace) fclose(trace);
#endif
diff --git a/example/reader_util.c b/example/reader_util.c
index 76729c4c6c3..7ca60214145 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -69,7 +69,7 @@
#include "reader_util.h"
#include "ndpi_classify.h"
-extern u_int8_t enable_protocol_guess, enable_joy_stats, enable_payload_analyzer;
+extern u_int8_t enable_protocol_guess, enable_flow_stats, enable_payload_analyzer;
extern u_int8_t verbose, human_readeable_string_len;
extern u_int8_t max_num_udp_dissected_pkts /* 24 */, max_num_tcp_dissected_pkts /* 80 */;
static u_int32_t flow_id = 0;
@@ -855,7 +855,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
#else
ndpi_init_bin(&newflow->payload_len_bin, ndpi_bin_family8, PLEN_NUM_BINS);
#endif
-
+
if(version == IPVERSION) {
inet_ntop(AF_INET, &newflow->src_ip, newflow->src_name, sizeof(newflow->src_name));
inet_ntop(AF_INET, &newflow->dst_ip, newflow->dst_name, sizeof(newflow->dst_name));
@@ -913,7 +913,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
*src = newflow->src_id, *dst = newflow->dst_id;
- if(enable_joy_stats) {
+ if(enable_flow_stats) {
newflow->entropy = ndpi_calloc(1, sizeof(struct ndpi_entropy));
newflow->last_entropy = ndpi_calloc(1, sizeof(struct ndpi_entropy));
newflow->entropy->src2dst_pkt_len[newflow->entropy->src2dst_pkt_count] = l4_data_len;
@@ -953,7 +953,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
else
*src = rflow->dst_id, *dst = rflow->src_id, *src_to_dst_direction = 0, rflow->bidirectional = 1;
}
- if(enable_joy_stats) {
+ if(enable_flow_stats) {
if(src_to_dst_direction) {
if(rflow->entropy->src2dst_pkt_count < max_num_packets_per_flow) {
rflow->entropy->src2dst_pkt_len[rflow->entropy->src2dst_pkt_count] = l4_data_len;
@@ -1046,10 +1046,10 @@ void correct_csv_data_field(char* data) {
/* ****************************************************** */
-u_int8_t plen2slot(u_int16_t plen) {
- /*
+u_int8_t plen2slot(u_int16_t plen) {
+ /*
Slots [32 bytes lenght]
- 0..31, 32..63 ...
+ 0..31, 32..63 ...
*/
if(plen > PLEN_MAX)
@@ -1202,7 +1202,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
}
flow->ssh_tls.browser_heuristics = flow->ndpi_flow->protos.tls_quic.browser_heuristics;
-
+
if(flow->ndpi_flow->protos.tls_quic.alpn) {
if((flow->ssh_tls.tls_alpn = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.alpn)) != NULL)
correct_csv_data_field(flow->ssh_tls.tls_alpn);
@@ -1210,7 +1210,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
if(flow->ndpi_flow->protos.tls_quic.issuerDN)
flow->ssh_tls.tls_issuerDN = strdup(flow->ndpi_flow->protos.tls_quic.issuerDN);
-
+
if(flow->ndpi_flow->protos.tls_quic.subjectDN)
flow->ssh_tls.tls_subjectDN = strdup(flow->ndpi_flow->protos.tls_quic.subjectDN);
@@ -1218,7 +1218,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
flow->ssh_tls.encrypted_sni.esni = strdup(flow->ndpi_flow->protos.tls_quic.encrypted_sni.esni);
flow->ssh_tls.encrypted_sni.cipher_suite = flow->ndpi_flow->protos.tls_quic.encrypted_sni.cipher_suite;
}
-
+
if(flow->ssh_tls.tls_supported_versions) {
if((flow->ssh_tls.tls_supported_versions = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.tls_supported_versions)) != NULL)
correct_csv_data_field(flow->ssh_tls.tls_supported_versions);
@@ -1246,14 +1246,14 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
snprintf(flow->info, sizeof(flow->info), "ALPN: %s",
flow->ndpi_flow->protos.tls_quic.alpn);
}
-
+
if(enable_doh_dot_detection) {
/* For TLS we use TLS block lenght instead of payload lenght */
ndpi_reset_bin(&flow->payload_len_bin);
-
+
for(i=0; indpi_flow->l4.tcp.tls.num_tls_blocks; i++) {
u_int16_t len = abs(flow->ndpi_flow->l4.tcp.tls.tls_application_blocks_len[i]);
-
+
/* printf("[TLS_LEN] %u\n", len); */
ndpi_inc_bin(&flow->payload_len_bin, plen2slot(len), 1);
}
@@ -1280,7 +1280,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
*/
static void
ndpi_clear_entropy_stats(struct ndpi_flow_info *flow) {
- if(enable_joy_stats) {
+ if(enable_flow_stats) {
if(flow->entropy->src2dst_pkt_count + flow->entropy->dst2src_pkt_count == max_num_packets_per_flow) {
memcpy(flow->last_entropy, flow->entropy, sizeof(struct ndpi_entropy));
memset(flow->entropy, 0x00, sizeof(struct ndpi_entropy));
@@ -1358,7 +1358,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
struct ndpi_proto nproto = NDPI_PROTOCOL_NULL;
if(workflow->prefs.ignore_vlanid)
- vlan_id = 0;
+ vlan_id = 0;
if(iph)
flow = get_ndpi_flow_info(workflow, IPVERSION, vlan_id,
@@ -1432,7 +1432,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
if(payload_len && (flow->src2dst_packets < MAX_NUM_BIN_PKTS))
ndpi_inc_bin(&flow->payload_len_bin_src2dst, plen2slot(payload_len));
#endif
- } else {
+ } else {
if(flow->dst2src_last_pkt_time.tv_sec && (!begin_or_end_tcp)) {
ndpi_timer_sub(&when, &flow->dst2src_last_pkt_time, &tdiff);
@@ -1467,7 +1467,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
payload, payload_len,
workflow->stats.ip_packet_count);
- if(enable_joy_stats) {
+ if(enable_flow_stats) {
/* Update BD, distribution and mean. */
ndpi_flow_update_byte_count(flow, payload, payload_len, src_to_dst_direction);
ndpi_flow_update_byte_dist_mean_var(flow, payload, payload_len, src_to_dst_direction);
@@ -1506,7 +1506,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
memset(&flow->dst2src_last_pkt_time, '\0', sizeof(flow->dst2src_last_pkt_time));
memset(&flow->flow_last_pkt_time, '\0', sizeof(flow->flow_last_pkt_time));
}
-
+
if((human_readeable_string_len != 0) && (!flow->has_human_readeable_strings)) {
u_int8_t skip = 0;
@@ -1562,7 +1562,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
flow->detected_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow,
iph ? (uint8_t *)iph : (uint8_t *)iph6,
ipsize, time_ms, src, dst);
-
+
if(enough_packets || (flow->detected_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN)) {
if((!enough_packets)
&& ndpi_extra_dissection_possible(workflow->ndpi_struct, ndpi_flow))
@@ -1600,9 +1600,9 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
}
}
#endif
-
+
*flow_risk = flow->risk;
-
+
return(flow->detected_protocol);
}
@@ -1686,7 +1686,7 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
u_int8_t vlan_packet = 0;
*flow_risk = 0 /* NDPI_NO_RISK */;
-
+
/* Increment raw packet counter */
workflow->stats.raw_packet_count++;
@@ -1946,7 +1946,7 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
} else if(iph->version == 6) {
if(header->caplen < ip_offset + sizeof(struct ndpi_ipv6hdr))
return(nproto); /* Too short for IPv6 header*/
-
+
iph6 = (struct ndpi_ipv6hdr *)&packet[ip_offset];
proto = iph6->ip6_hdr.ip6_un1_nxt;
ip_len = ntohs(iph6->ip6_hdr.ip6_un1_plen);
@@ -1983,7 +1983,7 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
"\n\nWARNING: only IPv4/IPv6 packets are supported in this demo (nDPI supports both IPv4 and IPv6), all other packets will be discarded\n\n");
ipv4_warning_used = 1;
}
-
+
workflow->stats.total_discarded_bytes += header->len;
return(nproto);
}