More information about the potential risk in flow #2555

Open
ronygut opened this issue Sep 12, 2024 · 3 comments

Comments
ronygut commented Sep 12, 2024

Hi,

I'm using the ftflow_pcap sample code and I can see that there is code that generates JSON:

    ndpi_flow2json(ndpi_struct, ndpi_flow,
                   k->ip_version, k->protocol, k->vlan_id,
                   ntohl(k->saddr.v4), ntohl(k->daddr.v4),
                   (struct ndpi_in6_addr*)&k->saddr.v6,
                   (struct ndpi_in6_addr*)&k->daddr.v6,
                   k->sport, k->dport,
                   ndpi_proto,
                   &serializer);

I can see, for example, that it generates the following JSON.
Where can I see more information and documentation about what each field means?
Also, how is it detected and how accurate is it?

    {
      "src_ip": "10.164.130.230",
      "dest_ip": "10.164.255.255",
      "src_port": 35328,
      "dst_port": 35328,
      "ip": 4,
      "proto": "UDP",
      "ndpi": {
        "flow_risk": {
          "22": {
            "risk": "Unsafe Protocol",
            "severity": "Low",
            "risk_score": {
              "total": 450,
              "client": 345,
              "server": 105
            }
          }
        },
        "confidence": {
          "6": "DPI"
        },
        "proto": "NetBIOS.SMBv1",
        "proto_id": "10.16",
        "proto_by_ip": "Unknown",
        "proto_by_ip_id": 0,
        "encrypted": 0,
        "breed": "Dangerous",
        "category_id": 18,
        "category": "System",
        "hostname": "secrecy1"
      }
    }

@IvanNardi
Collaborator
ronygut (Author) commented Sep 12, 2024

@IvanNardi the links you sent are descriptions of the risks.
I'm looking for an explanation of each field in the JSON:
risk_score
confidence
proto_id
encrypted
breed
etc.
What are the possible values?
Is there a document that explains those fields and their possible values?

IvanNardi (Collaborator) commented Sep 12, 2024

> Is there a document that explains those fields and their possible values?

In general, no, AFAIK.

Some information:
proto_id, breed, category and risk_score: take a look at the output of ndpiReader -H
confidence: https://github.com/ntop/nDPI/blob/dev/src/include/ndpi_typedefs.h#L1005

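Added example, not part of this thread and not nDPI project code: a small Python consumer for the ndpi_flow2json() record posted above. It pulls out the fields the reporter asked about (the flow_risk entries with their risk_score, confidence, proto_id, encrypted, breed and category) into a flat structure and applies a simple triage rule, so a practitioner can see how the record is used rather than just what it contains. The split of proto_id into "master.app" numeric ids, the severity labels other than "Low", and the triage thresholds are assumptions made here, not taken from nDPI documentation.

```python
from __future__ import annotations

import json
from dataclasses import dataclass

# Sample input: the JSON object posted in this issue, copied verbatim.
SAMPLE_FLOW_JSON = """{
  "src_ip": "10.164.130.230", "dest_ip": "10.164.255.255",
  "src_port": 35328, "dst_port": 35328, "ip": 4, "proto": "UDP",
  "ndpi": {
    "flow_risk": {"22": {"risk": "Unsafe Protocol", "severity": "Low",
                         "risk_score": {"total": 450, "client": 345, "server": 105}}},
    "confidence": {"6": "DPI"}, "proto": "NetBIOS.SMBv1", "proto_id": "10.16",
    "proto_by_ip": "Unknown", "proto_by_ip_id": 0, "encrypted": 0, "breed": "Dangerous",
    "category_id": 18, "category": "System", "hostname": "secrecy1"
  }
}"""

# Severity labels ranked for comparison. Only "Low" appears in the thread; the
# other labels are assumed here, not taken from nDPI documentation.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Severe": 4, "Critical": 5, "Emergency": 6}

@dataclass
class RiskEntry:
    risk_id: int    # numeric key of the "flow_risk" object
    name: str       # "risk"
    severity: str   # "severity"
    total: int      # "risk_score" -> "total"
    client: int     # "risk_score" -> "client"
    server: int     # "risk_score" -> "server"

@dataclass
class FlowSummary:
    endpoints: str              # "src_ip:src_port -> dest_ip:dst_port"
    app_name: str               # ndpi.proto, e.g. "NetBIOS.SMBv1"
    master_id: int              # from proto_id (see parse_proto_id)
    app_id: int
    encrypted: bool
    breed: str
    category: str
    confidence: dict[int, str]  # numeric key -> label, e.g. {6: "DPI"}
    risks: list[RiskEntry]

def parse_proto_id(proto_id) -> tuple[int, int]:
    """Split "proto_id" into (master, app) ids. Assumption: "10.16" means master
    protocol 10 carrying app protocol 16 (it pairs with "NetBIOS.SMBv1"), and a
    bare number such as "proto_by_ip_id": 0 is an app id with no master."""
    text = str(proto_id)
    if "." in text:
        master, app = text.split(".", 1)
        return int(master), int(app)
    return 0, int(text)

def summarize_flow(doc: dict) -> FlowSummary:
    """Flatten one ndpi_flow2json() record into a FlowSummary."""
    nd = doc["ndpi"]
    risks = []
    for key, entry in nd.get("flow_risk", {}).items():
        score = entry.get("risk_score", {})
        risks.append(RiskEntry(int(key), entry["risk"], entry["severity"],
                               int(score.get("total", 0)), int(score.get("client", 0)),
                               int(score.get("server", 0))))
    master, app = parse_proto_id(nd.get("proto_id", 0))
    return FlowSummary(
        endpoints=f'{doc["src_ip"]}:{doc["src_port"]} -> {doc["dest_ip"]}:{doc["dst_port"]}',
        app_name=nd.get("proto", "Unknown"), master_id=master, app_id=app,
        encrypted=bool(nd.get("encrypted", 0)), breed=nd.get("breed", "Unknown"),
        category=nd.get("category", "Unknown"),
        confidence={int(k): v for k, v in nd.get("confidence", {}).items()},
        risks=risks)

def load_sample() -> FlowSummary:
    return summarize_flow(json.loads(SAMPLE_FLOW_JSON))

def total_risk_score(flow: FlowSummary) -> int:
    """Sum of risk_score.total over all risks on the flow (450 for the sample)."""
    return sum(r.total for r in flow.risks)

def scores_are_consistent(flow: FlowSummary) -> bool:
    """The posted sample has total == client + server; check that it holds."""
    return all(r.total == r.client + r.server for r in flow.risks)

def triage(flow: FlowSummary, score_threshold: int = 400,
           min_severity: str = "Medium") -> list[str]:
    """Reasons this flow deserves a look; the thresholds are example values."""
    reasons = []
    if flow.breed == "Dangerous":
        reasons.append(f"breed=Dangerous for {flow.app_name} ({flow.endpoints})")
    for r in flow.risks:
        if SEVERITY_RANK.get(r.severity, 0) >= SEVERITY_RANK[min_severity]:
            reasons.append(f"risk {r.risk_id} ({r.name}) has severity {r.severity}")
    score = total_risk_score(flow)
    if score >= score_threshold:
        reasons.append(f"total risk score {score} >= {score_threshold}")
    return reasons
```

On the posted record, `triage(load_sample())` reports two reasons: the "Dangerous" breed and a total risk score of 450 above the example threshold; the single risk (id 22, "Unsafe Protocol") is only "Low" severity and so does not trigger the severity rule on its own. The numeric keys of flow_risk and confidence are kept as integers so they can be matched against the enums IvanNardi points to in ndpi_typedefs.h.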