#netflow — Public Fediverse posts

DPI, ТСПУ и операторы: архитектура блокировки трафика в России

Когда смотришь на блокировки трафика со стороны пользователя, картина выглядит противоречиво: один и тот же сервис в разных сетях работает по-разному — где-то не открывается вовсе, где-то нестабилен, а где-то продолжает частично функционировать. При этом известно, что управление ограничениями централизовано. Возникает естественный вопрос: если политика едина, почему результат отличается? Причина в том, что речь идёт не об одной точке контроля, а о распределённой системе, где итоговое поведение формируется на пересечении трёх слоёв: централизованного управления, DPI/ТСПУ как контура распознавания и сети оператора как среды исполнения. Именно эта многослойность и объясняет наблюдаемую неравномерность. Что происходит дальше?

https://habr.com/ru/articles/1027012/

#dpi #тспу #анализ_трафика #сетевые_технологии #netflow #маршрутизация #информационная_безопасность #ркн #роскомнадзор #блокировки

running malcom but the old malcolm - need to image and install latest - sort of dread going from debian to ubuntu but if i image i can revert easily. maybe they figured out updating, i don't want github only updates.

anyways it is a good one to offer vs say security onion - they use the same components mostly, suricata, zeek, elastic, maybe he has a live iso like last time.

i think the reason to go to ubuntu is better newer drivers, bigger dev base? as long as it works - that is my concern, avoid dependency hell and breakage.

it is good with managing all the containers and space for /datastore #sigs #hashes #dpi #netflow #ntop-ng #tcp-replay #binaries #hashcat

@da_667 i would say go for the standalonelib? this would be a nice switch to use when building, more info is better #ntop-ng #netflow #logs

Using nDPI as a standalone library when building Suricata is a powerful way to transform it from a traditional signature-based IDS/IPS into a smarter, more context-aware network security monitoring system. The integration addresses several key limitations of Suricata by adding a dedicated, high-performance deep packet inspection (DPI) engine .

The table below summarizes the core reasons for this integration.
Reason Explanation Key Benefits
Massively Expanded Protocol Coverage Suricata natively supports ~20 protocols, while nDPI recognizes 450+ (including Cloud, IoT, and OT protocols) . Enables visibility into a wider range of applications and potential threats that Suricata would otherwise miss .
Enhanced Threat Detection Capabilities nDPI adds behavioral analysis and risk detection to Suricata's signature-based approach . Allows detection of anomalies like encrypted traffic on standard ports, self-signed certificates, and command-and-control (C2) channels hiding in plain sight .
More Powerful and Precise Rules The plugin introduces new rule keywords: ndpi-protocol and ndpi-risk . Enables writing rules based on detected application (e.g., TLS.YouTube) or specific risk (e.g., NDPI_BINARY_APPLICATION_TRANSFER), significantly reducing false positives .
Richer Contextual Metadata Suricata's logs (EVE JSON) can be augmented with protocol and metadata identified by nDPI . Provides security analysts with deeper insights for faster threat hunting and forensic analysis without needing full packet captures .
🛠️ How to Integrate nDPI with Suricata

nDPI is integrated as a plugin that is not built into Suricata by default. You need to explicitly enable it during compilation. The process, as outlined in the official Suricata documentation, involves two main steps :

Build Suricata with nDPI Support: When configuring your Suricata build from source, you must use the --enable-ndpi flag and point to your nDPI source code.
bash

./configure --enable-ndpi --with-ndpi=/path/to/your/nDPI/source

Load the Plugin: After installation, you need to ensure Suricata loads the nDPI plugin by adding its path to the suricata.yaml configuration file.
yaml

plugins:
- /usr/lib/suricata/ndpi.so

By building Suricata with the standalone nDPI library, you are essentially giving it a "second opinion" on network traffic. nDPI handles the heavy lifting of identifying countless applications and their potential risks, which then feeds directly into Suricata's core engine for alerting and logging. This makes your network defense far more robust and intelligent.

Would you like to see more detailed examples of Suricata rules that use the ndpi-protocol and ndpi-risk keywords?

my network upgrade proposal was framed by cisa alerts and best practice guidelines but also praxis - hopefully - they are doing a huge remodel so tackling network issue is good to do at same time. praxis in form of malcolm which keeps it basic - pcaps are in pcaps folder.
they have to get more input from stakeholders and also find out when fiber is available #network visibility #netflow #ntop-ng deb file #ndpi

check out our open source Zeek malware hunting tools at
https://dovehawk.io  that power the @cancyberorg foundation using @MISPProject and @Zeekurity #threatintel #pdns #netflow realtime hunting and dns/flow analyticspic.twitter.com/Xljo4i4r3K