- Update to version 4.0
New Features
* Add API for computing RSI (Relative Strenght Index)
* Add GeoIP support
* Add fragments management
* Add API for jitter calculation
* Add single exponential smoothing API
* Add timeseries forecasting support implementing Holt-Winters
with confidence interval
* Add support for MAC to radi tree and expose the full API to
applications
* Add JA3+, with ALPN and elliptic curve
* Add double exponential smoothing implementation
* Extended API for managing flow risks
* Add flow risk score
* New flow risks:
+ Desktop or File Sharing Session
+ HTTP suspicious content (useful for tracking trickbot)
+ Malicious JA3
+ Malicious SHA1
+ Risky domain
+ Risky AS
+ TLS Certificate Validity Too Long
+ TLS Suspicious Extension
New Supported Protocols and Services
* New protocols:
+ AmongUs
+ AVAST SecureDNS
+ CPHA (CheckPoint High Availability Protocol)
+ DisneyPlus
OBS-URL: https://build.opensuse.org/request/show/913748
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/ndpi?expand=0&rev=23
- Drop not longer needed patches (fixed upstream)
* ndpi-fix-build.patch
* reproducible.patch
- Update to version 3.0
New Features
* nDPI now reports the protocol ASAP even when specific fields
have not yet been dissected because such packets have not yet
been observed. This is important for inline applications that
can immediately act on traffic. Applications that need full
dissection need to call the new API function
ndpi_extra_dissection_possible() to check if metadata dissection
has been completely performed or if there is more to read before
declaring it completed.
* TLS (formerly identified as SSL in nDPI v2.x) is now dissected
more deeply, certificate validity is extracted as well
certificate SHA-1.
* nDPIreader can now export data in CSV format with option -C
* Implemented Sequence of Packet Length and Time (SPLT) and Byte
Distribution (BD) as specified by Cisco Joy
(https://github.com/cisco/joy). This allows malware activities
on encrypted TLS streams.
* Available as library and in ndpiReader with option -J
* Promoted usage of protocol categories rather than protocol
identifiers in order to classify protocols. This allows
application protocols to be clustered in families and thus better
managed by users/developers rather than using hundred of
protocols unknown to most of the people.
* Added Inter-Arrival Time (IAT) calculation used to detect
protocol misbehaviour (e.g. slow-DoS detection)
* Added data analysis features for computign metrics such as
OBS-URL: https://build.opensuse.org/request/show/759184
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/ndpi?expand=0&rev=13
