
Comments (10)

vel21ripn commented on August 16, 2024

I do not quite understand what you want to get in the end.
In version 1.7 this is most likely not done, but in the "2.+" branch it probably makes sense to add a comparison for the domain name.

iptables .... -m ndpi --https --http-host .google.com ...

from ndpi.

elico commented on August 16, 2024

@vel21ripn I am not talking about HTTPS but about plain HTTP (1.x), such as:

iptables .... -m ndpi --http --http-host .google.com ...
iptables .... -m ndpi --http --http-host .google.com ...
iptables .... -m ndpi --http --http-host test.
.google.com ...

This would basically make admins' lives easier in general when handling a strict HTTP/HTTPS access policy, without going to the depth of a full HTTP proxy installation.
It would also make iptables more modular than it is now.

The dream would be to be able to send something like the source IP and the current destination domain to some local in-RAM filtering DB, and the response would decide whether the connection is allowed or not, but it's a dream and requires someone to put some cash into it.

From what I remember, Suricata IDS has such a feature, but it was so complex for me to install and configure that I left it and continued working with a custom tproxy.

vel21ripn commented on August 16, 2024

I solved the common problems with the migration to dev-2.3; now I can try to add this functionality.

k0ste commented on August 16, 2024

I think the best functionality for this feature is 'sets', like:

# create set
iptables -t mangle -A POSTROUTING -m ndpi --http-domain --set name0 -j DROP
iptables -t mangle -A PREROUTING -m ndpi --http-domain --set name0 -j DROP
# add domain
echo +google.com > /proc/net/ndpi_http_domain/name0
# delete domain
echo -google.com > /proc/net/ndpi_http_domain/name0
# add multiple domains
echo +google.com,google.co.jp > /proc/net/ndpi_http_domain/name0

This is just a copy-paste; the functionality was already implemented in aabc/ipt-ratelimit.

vel21ripn commented on August 16, 2024

@k0ste No! In "nDPI" there is a comparison for domains. You need to add the ability to override it without recompiling. It works with the SSL, HTTP and DNS protocols.

k0ste commented on August 16, 2024

Why is this:

# Big list in mangle
iptables -t mangle -A PREROUTING -m ndpi --domain --match google.com -j DROP
iptables -t mangle -A PREROUTING -m ndpi --domain --match google.cz -j DROP
iptables -t mangle -A PREROUTING -m ndpi --domain --match google.cn -j DROP

Better than this:

# one rule
iptables -t mangle -A PREROUTING -m ndpi --domain --set name0 -j DROP
# one management set
echo +google.com,google.cz,google.cn > /proc/net/ndpi_http_domain/name0

The case: I need to filter 3 different clients:

  • the first client has 500 domains in its list;
  • the 2nd: 3500 domains;
  • the 3rd: 1000 domains.

All domains are different.

vel21ripn commented on August 16, 2024

All this is already in nDPI. You need to add an interface to load the list of domains.

vel21ripn commented on August 16, 2024

See 16d3ab3.
I haven't tested long domain name lists.
Theoretically, the list of hosts can be changed while running, but I have not tried to do so yet. Rebuilding the search tree is a rather lengthy task.

vel21ripn commented on August 16, 2024

I changed the procedure for loading hostnames. Theoretically, there are no restrictions on the number of host names. Updates take place atomically.

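
The following is an added example, not xt_ndpi or nDPI code and not posted by anyone in this thread. It models the set interface k0ste proposes (a named set fed with "+a.com,b.org" and "-a.com" control lines) together with the property vel21ripn describes for the reworked host loader: the search tree is rebuilt off to the side and published with a single reference swap, so a lookup never observes a half-built tree. Everything here is an assumption for illustration: an entry matches the host itself and every subdomain of it, Host/SNI values are normalised (lower case, no trailing dot, no ":port"), and the class and function names are invented.

```python
"""Domain-set matcher with atomic list replacement (added example, not xt_ndpi code).

Assumed semantics: an entry matches the host itself and every subdomain of it,
so "google.com" covers "www.google.com". Labels are walked from the TLD
inwards, which rules out substring false positives such as "notgoogle.com".
"""
import threading


def normalize_host(host):
    """Lower-case, drop a trailing dot and a ':port' suffix (not IPv6 literals)."""
    host = host.strip().lower().rstrip(".")
    if host.count(":") == 1:          # "www.example.com:8080" -> "www.example.com"
        host = host.split(":", 1)[0]
    return host


class DomainTree:
    """Immutable search tree keyed by labels in reverse order (com -> google)."""

    END = object()   # terminal marker: a configured entry ends at this node

    def __init__(self, domains):
        self.root = {}
        for name in domains:
            node = self.root
            for label in reversed(name.split(".")):
                node = node.setdefault(label, {})
            node[self.END] = True

    def match(self, host):
        """Return the entry that covers `host`, or None if nothing matches."""
        node = self.root
        seen = []
        for label in reversed(host.split(".")):
            node = node.get(label)
            if node is None:          # e.g. "notgoogle.com" never reaches "google"
                return None
            seen.append(label)
            if self.END in node:      # an entry ends here: host is it or a subdomain
                return ".".join(reversed(seen))
        return None


class DomainSet:
    """A named set, modelled on /proc/net/ndpi_http_domain/name0 in the proposal."""

    def __init__(self, name):
        self.name = name
        self._lock = threading.Lock()   # serialises writers; readers take no lock
        self._domains = frozenset()
        self._tree = DomainTree(())

    def write(self, line):
        """Apply one control line ("+a,b" adds, "-a" removes); return the new size."""
        line = line.strip()
        if not line or line[0] not in "+-":
            raise ValueError("control line must start with '+' or '-'")
        # A leading dot, as in the thread's ".google.com", is accepted and means
        # the same as the bare name under the assumed subdomain semantics.
        names = frozenset(normalize_host(n).lstrip(".")
                          for n in line[1:].split(",") if n.strip())
        if not names:
            raise ValueError("no domain names given")
        with self._lock:
            domains = self._domains | names if line[0] == "+" else self._domains - names
            tree = DomainTree(domains)  # the slow rebuild runs while the old tree still serves
            self._domains = domains
            self._tree = tree           # one reference store: readers see old or new, never half-built
        return len(domains)

    def match(self, host):
        """Look up a Host header or SNI value; dereferences the tree exactly once."""
        return self._tree.match(normalize_host(host))

    def __len__(self):
        return len(self._domains)


def demo():
    """Replay the thread's example commands against constructed Host values."""
    name0 = DomainSet("name0")
    name0.write("+google.com,google.co.jp")
    name0.write("+google.cz")
    before = {h: name0.match(h) for h in (
        "www.google.com:8080",     # subdomain plus port -> covered by google.com
        "google.cz",               # exact entry
        "notgoogle.com",           # substring only, must not match
        "google.com.evil.net",     # entry used as a prefix, must not match
    )}
    name0.write("-google.com")
    after = name0.match("www.google.com")
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for host, hit in before.items():
        print(f"{host:24} -> {hit}")
    print("after '-google.com', www.google.com ->", after)
```

Readers never take the lock: they load `_tree` once per lookup and walk an object that is never mutated after construction, which is what makes the swap safe without a read-side lock in CPython (a kernel implementation would need RCU or an equivalent grace period before freeing the old tree). The cost vel21ripn mentions, rebuilding the whole tree on every change, is visible in `write`; batching additions into one "+a,b,c" line amortises it.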
vel21ripn commented on August 16, 2024

Commit 0b5ec1e fixed a critical error.
