mirror of
https://github.com/outbackdingo/nDPId.git
synced 2026-01-27 10:19:45 +00:00
flow-info.py: Set min risk severity required to print a risk.
* ReadMe update

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
README.md
@@ -81,9 +81,9 @@ JSON messages streamed by both `nDPId` and `nDPIsrvd` are presented with:
as with the following example:
```text
01223{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":12,"packet_id":307,"source":"wlan0",[...]}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":11,"packet_id":324,"source":"wlan0",[...]]}
00572{"flow_event_id":1,"flow_event_name":"new","thread_id":11,"packet_id":324,"source":"wlan0",[...]}
01223{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":12,"packet_id":307,"source":"wlan0", ...snip...}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":11,"packet_id":324,"source":"wlan0", ...snip...}
00572{"flow_event_id":1,"flow_event_name":"new","thread_id":11,"packet_id":324,"source":"wlan0", ...snip...}
```
The full stream of `nDPId` generated JSON-events can be retrieved directly from `nDPId`, without relying on `nDPIsrvd`, by providing a properly managed UNIX-socket.
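Review bot: the second sample line previously ended in `[...]]}` with a stray `]`, which the `...snip...` rewrite removes, so all three samples now close on a single `}`; that is the useful part of this hunk. However, `...snip...` inside a JSON object is still not valid JSON, so a reader who pastes a sample into a parser gets a syntax error, and the 5-digit prefixes (`01223`, `00458`, `00572`) were computed for the full messages and no longer correspond to the shortened text. Either say in the surrounding sentence that the bodies are truncated and the prefixes belong to the untruncated messages, or cut each sample after a complete key/value pair and close it with `}` so it stays parseable.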
@@ -158,7 +158,8 @@ Detailed JSON-schema is available [here](schema/flow_event_schema.json). Also, a
A flow can have three different states while it is been tracked by `nDPId`.
1. skipped: the flow will be tracked, but no detection will happen to safe memory. See command line argument `-I` and `-E`
1. skipped: the flow will be tracked, but no detection will happen to reduce memory usage.
See command line argument `-I` and `-E`
2. finished: detection finished and the memory used for the detection is freed
3. info: detection is in progress and all flow memory required for `libnDPI` is allocated (this state consumes most memory)
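Review bot: while this list is being edited, fix the grammar in the unchanged sentence above it: `while it is been tracked` should read `while it is being tracked`, and `See command line argument \`-I\` and \`-E\`` should say `arguments`. Moving that sentence onto its own unindented line still renders as a lazy continuation of item 1 in Markdown, but indenting it by three spaces makes the intent explicit and survives stricter renderers. Since `info` is the state in which detection is in progress and `finished` the state after it, listing `info` before `finished` would read as the actual lifecycle.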
@@ -276,11 +277,6 @@ And why not a flow-info example?
./examples/py-flow-info/flow-info.py
```
or
```shell
./nDPIsrvd-json-dump
```
or anything below `./examples`.
# nDPId tuning
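Review bot: this hunk drops the `./nDPIsrvd-json-dump` alternative from the examples section without the commit message (`ReadMe update`) saying why. If the binary was removed or renamed, the commit message should state that; if it still exists, the README now no longer mentions it anywhere and `or anything below ./examples.` is the only remaining pointer. Either way the reason for dropping a documented tool belongs in the commit message, not only in the diff.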
@@ -297,7 +293,7 @@ Format: `subopt` (unit, comment): description
* `max-reader-threads` (N, safe): amount of packet processing threads, every thread can have a max. of `max-flows-per-thread` flows
* `daemon-status-interval` (ms, safe): specifies how often daemon event `status` is generated
* `compression-scan-interval` (ms, untested): specifies how often `nDPId` scans for inactive flows ready for compression
* `compression-flow-inactivity` (ms, untested): the shortest period of time elapsed before `nDPId` considers compressing a flow that neither sent nor received any data
* `compression-flow-inactivity` (ms, untested): the shortest period of time elapsed before `nDPId` considers compressing a flow (e.g. nDPI flow struct) that neither sent nor received any data
* `flow-scan-interval` (ms, safe): min. amount of time after which `nDPId` scans for idle or long-lasting flows
* `generic-max-idle-time` (ms, untested): time after which a non TCP/UDP/ICMP flow times out
* `icmp-max-idle-time` (ms, untested): time after which an ICMP flow times out
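Review bot: in the new `compression-flow-inactivity` description, `(e.g. nDPI flow struct)` should be `i.e.`: the parenthetical names what gets compressed, it is not one example among several. Clearer still is to move it out of the parenthesis, e.g. `the shortest period of time elapsed before nDPId considers compressing the libnDPI flow struct of a flow that neither sent nor received any data`. Both compression suboptions keep the `untested` comment while `flow-scan-interval` is `safe`; if the compression path has been exercised since that tag was written, update it in the same README pass, since the `(unit, comment)` column is what an operator reads to decide whether to touch a knob.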
@@ -327,14 +323,12 @@ Alternatively you can run some integration tests manually:
e.g.:
`./test/run_tests.sh [${HOME}/git/nDPI] [${HOME}/git/nDPId/build/nDPId-test]`
`./test/run_tests.sh "${HOME}/git/nDPI "${HOME}/git/nDPId/build/nDPId-test"`
Remember that all test results are tied to a specific libnDPI commit hash
as part of the `git submodule`. Using `test/run_tests.sh` for other commit hashes
will most likely result in PCAP diffs.
Why not use `examples/py-flow-dashboard/flow-dash.py` to visualize nDPId's output.
# Contributors
Special thanks to Damiano Verzulli ([@verzulli](https://github.com/verzulli)) from [GARRLab](https://www.garrlab.it) for providing server and test infrastructure.
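Review bot: the rewritten example invocation has unbalanced quotes. `./test/run_tests.sh "${HOME}/git/nDPI "${HOME}/git/nDPId/build/nDPId-test"` contains three double quotes, so a shell waits for a closing quote, and even with a fourth quote appended the first argument would be `${HOME}/git/nDPI ${HOME}/git/nDPId/build/nDPId-test` as one word. It should read `./test/run_tests.sh "${HOME}/git/nDPI" "${HOME}/git/nDPId/build/nDPId-test"`. The old form's square brackets also signalled that both arguments are optional; if that is still true, say so in the `e.g.:` sentence instead of silently dropping it. Minor: `Why not use ... to visualize nDPId's output.` is a question and wants a `?`.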
@@ -408,7 +408,10 @@ def onJsonLineRecvd(json_dict, instance, current_flow, global_user_data):
else:
color = ''
next_lines[0] = '{}{}{}: {}'.format(color, 'RISK', TermColor.END, next_lines[0][:-2])
if severity >= args.min_risk_severity:
next_lines[0] = '{}{}{}: {}'.format(color, 'RISK', TermColor.END, next_lines[0][:-2])
else:
del next_lines[0]
line_suffix = ''
flow_event_name = ''
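Review bot: the new `else: del next_lines[0]` branch removes the risk line from `next_lines`, so any code later in `onJsonLineRecvd` that indexes `next_lines[0]` expecting the risk line will now see whatever followed it, or raise `IndexError` when the risk line was the only entry. Check the rest of the function for such an access; a safer shape is to build the formatted risk line into a local and only append it to `next_lines` when `severity >= args.min_risk_severity`, so the list never has an element that is later deleted. The comparison also assumes `severity` is already an `int` on the same scale the user passes to `--min-risk-severity`; if it is taken from a string field in the JSON, convert it once where it is extracted rather than relying on Python 3 raising `TypeError` here.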
@@ -594,6 +597,7 @@ if __name__ == '__main__':
argparser.add_argument('--ignore-category', action='append', help='Ignore printing lines with a certain category.')
argparser.add_argument('--ignore-breed', action='append', help='Ignore printing lines with a certain breed.')
argparser.add_argument('--ignore-hostname', action='append', help='Ignore printing lines with a certain hostname.')
argparser.add_argument('--min-risk-severity', action='store', type=int, default=0, help='Print only risks with a risk severity greater or equal to the given argument')
args = argparser.parse_args()
if args.no_color is True:
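Review bot: the help text for `--min-risk-severity` should state which integer scale the user is expected to pass (what `0` means and what the highest value is); as written the option cannot be used without reading the code. `action='store'` is the argparse default and can be dropped, and the neighbouring `--ignore-*` help strings end with a full stop, so end this one the same way. A negative value is accepted by `type=int` and behaves exactly like the default `0` for any non-negative severity; if that is not intended, reject it after `parse_args()` with `argparser.error(...)`.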