Mohammadreza
I have looked at opendpi over the week-end. It looks interesting
although it is all coded in C, whereas I would have expected some sort
of configuration file to make it less "static". I'm not sure if a kernel
module is the best option, or if it makes more sense to have a user-space
application based on it.
On my side what I am doing is enhancing nprobe by removing the netflow
stuff, and adding a better DPI module than what I have today. This would
allow me to decide, per-flow, what protocol is passing on a given flow.
This is the base for a L7 firewall that relies on content rather than on
ports. For this solution I have decided to start in user-space rather
than in kernel because it's easier at least initially. On my side I am
evaluating the use of
http://www.tma-portal.eu/wp-content/uploads/2011/06/2tmaschool_aceto.pdf
<http://unina.academia.edu/AntonioPescape/Papers/808031/PortLoad_taking_the_best_of_two_worlds_in_traffic_classification>
that is slimmer than OpenDPI and configurable/extensible. I don't yet
have a prototype to share, but I would like this effort to also become
the new engine for ntop.
Regards Luca
On 10/09/2011 07:55 PM, Mohammadreza Roohian wrote:
open source version: www.opendpi.org
Its commercial version is available at: www.ipoque.com
It's a software library using deep packet inspection technology including
pattern matching, behavioral and statistical analysis to reliably detect
protocols and applications in the network.
As for a test, I want to use it to make a Layer7 firewall. So, I will need to
add pfring rules based on opendpi output and block some part of the traffic.
What could be a better design for that, as I know adding plugins will slow
pfring down and patching it might also be problematic?
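The design both messages circle around (classify each flow by payload content rather than by port, keep the signatures in a configuration table instead of hard-coding them in C, then let a policy act per flow) as an added Python sketch. This is not code from OpenDPI, nProbe, PF_RING or the PortLoad paper; the JSON signature table, the policy, the packet tuples and every function and class name here are assumptions made for the example.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical signature table, kept as JSON so that new protocols are a config
# change, not a C change. Prefixes are hex so binary (TLS) and text (HTTP, SSH)
# protocols share one format. Constructed for this example.
SIGNATURES_JSON = """
{
  "max_inspect_bytes": 64,
  "protocols": {
    "http": {"prefixes_hex": ["47455420", "504f535420", "48454144"]},
    "ssh":  {"prefixes_hex": ["5353482d"]},
    "tls":  {"prefixes_hex": ["160301", "160302", "160303"]}
  }
}
"""

# Hypothetical policy: decisions are keyed on the detected protocol, never on the port.
POLICY = {"block": {"ssh"}, "default": "allow"}

# Constructed packets: (src, dst, sport, dport, payload). One direction per key;
# a real engine would also track the server-to-client side.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.9", 40001, 80,  b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    ("10.0.0.5", "10.0.0.9", 40002, 443, b"SSH-2.0-OpenSSH_8.9\r\n"),   # SSH hiding on 443
    ("10.0.0.5", "10.0.0.9", 40003, 443, bytes.fromhex("160301") + b"\x00\x05\x01\x00\x00\x01\x00"),
    ("10.0.0.5", "10.0.0.9", 40004, 2222, b"SS"),                       # banner split in two
    ("10.0.0.5", "10.0.0.9", 40004, 2222, b"H-2.0-OpenSSH\r\n"),
    ("10.0.0.5", "10.0.0.9", 40005, 9999, b"\x00" * 64),                # never matches
]


@dataclass
class Flow:
    buffered: bytes = b""
    protocol: Optional[str] = None   # None until classified
    decided: bool = False            # True once classified or inspection budget spent


class L7Classifier:
    def __init__(self, signatures_json: str):
        cfg = json.loads(signatures_json)
        self.max_bytes = cfg["max_inspect_bytes"]
        self.sigs = {name: [bytes.fromhex(h) for h in spec["prefixes_hex"]]
                     for name, spec in cfg["protocols"].items()}
        self.flows: Dict[Tuple, Flow] = {}

    def _match(self, data: bytes) -> Optional[str]:
        for name, prefixes in self.sigs.items():
            if any(data.startswith(p) for p in prefixes):
                return name
        return None

    def observe(self, key: Tuple, payload: bytes) -> Optional[str]:
        """Feed one packet's payload into its flow; returns the protocol once known."""
        flow = self.flows.setdefault(key, Flow())
        if flow.decided or not payload:
            return flow.protocol
        flow.buffered += payload          # keep bytes until a prefix is long enough to judge
        proto = self._match(flow.buffered)
        if proto is not None:
            flow.protocol, flow.decided = proto, True
        elif len(flow.buffered) >= self.max_bytes:
            flow.protocol, flow.decided = "unknown", True   # stop inspecting, fall to default
        return flow.protocol


def decide(policy: dict, proto: Optional[str]) -> str:
    if proto is None:
        return "allow"                     # still inspecting; these bytes already went through
    return "block" if proto in policy["block"] else policy["default"]


def run_packets(packets) -> List[Tuple[Optional[str], str]]:
    """Returns (protocol, decision) per packet, in order."""
    clf = L7Classifier(SIGNATURES_JSON)
    out = []
    for src, dst, sport, dport, payload in packets:
        proto = clf.observe((src, dst, sport, dport), payload)
        out.append((proto, decide(POLICY, proto)))
    return out


if __name__ == "__main__":
    for pkt, (proto, action) in zip(SAMPLE_PACKETS, run_packets(SAMPLE_PACKETS)):
        print(f"dport={pkt[3]:<5} proto={proto!s:<8} -> {action}")
```

Two things the sketch makes visible that matter for a production L7 firewall: the packets that arrive before a flow is classified (the split banner above) have already been forwarded by the time the verdict exists, so a content-based policy is really a "block the rest of this flow" policy unless the engine buffers; and a prefix-only signature is only the cheapest first signal, which is why the thread points at behavioural and statistical classification (as in the PortLoad paper) for flows a prefix cannot settle.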
_______________________________________________
Ntop-dev mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev