Added risk for detecting on PQC flows

Author: lucaderi

doc/flow_risks.rst

@@ -352,3 +352,9 @@ This risk is triggered when a connection is likely using some obfuscation techni
 NDPI_SLOW_DOS
 =======================
 This risk is triggered when a TCP connection is likely subject to slow DoS attacks
+
+.. _Risk 058:
+
+NDPI_NON_OQC
+============
+This risk is triggered when an encrypted stream (e.g. TLS, QUIC, SSH, IPSEC) is not using post-quantum cryptography algorithms.

src/include/ndpi_typedefs.h

@@ -170,6 +170,7 @@ typedef enum {
   NDPI_PROBING_ATTEMPT,        /* Probing attempt (e.g. TCP connection with no data exchanged or unidirection traffic for bidirectional flows such as SSH) */
   NDPI_OBFUSCATED_TRAFFIC,
   NDPI_SLOW_DOS,
+  NDPI_NON_PQC,                /* Set in case an encryped traffic stream does not comply with post-quantum encryotion */
   /* Before allocating a new risk here, check if there are FREE entries above */
 
   /* Leave this as last member */

src/lib/ndpi_main.c

@@ -220,6 +220,7 @@ static ndpi_risk_info ndpi_known_risks[] = {
   { NDPI_PROBING_ATTEMPT,                       NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
   { NDPI_OBFUSCATED_TRAFFIC,                    NDPI_RISK_HIGH,   CLIENT_HIGH_RISK_PERCENTAGE, NDPI_BOTH_ACCOUNTABLE   },
   { NDPI_SLOW_DOS,                              NDPI_RISK_HIGH,   CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
+  { NDPI_NON_PQC,                               NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_BOTH_ACCOUNTABLE   },
 
   /* Leave this as last member */
   { NDPI_MAX_RISK,                              NDPI_RISK_LOW,    CLIENT_FAIR_RISK_PERCENTAGE, NDPI_NO_ACCOUNTABILITY   }

src/lib/ndpi_utils.c

@@ -2734,6 +2734,9 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
   case NDPI_SLOW_DOS:
     return("(Possible) Slow DoS");
 
+  case NDPI_NON_PQC:
+    return("Non PQC Compliant Flow");
+
   default:
     ndpi_snprintf(buf, sizeof(buf), "%d", (int)risk);
     return(buf);
@@ -2862,6 +2865,8 @@ const char* ndpi_risk2code(ndpi_risk_enum risk) {
     return STRINGIFY(NDPI_OBFUSCATED_TRAFFIC);
   case NDPI_SLOW_DOS:
     return STRINGIFY(NDPI_SLOW_DOS);
+  case NDPI_NON_PQC:
+    return STRINGIFY(NDPI_NON_PQC);
 
   default:
     return("Unknown risk");
@@ -2987,6 +2992,8 @@ ndpi_risk_enum ndpi_code2risk(const char* risk) {
     return(NDPI_OBFUSCATED_TRAFFIC);
   else if(strcmp(STRINGIFY(NDPI_SLOW_DOS), risk) == 0)
     return(NDPI_SLOW_DOS);
+  else if(strcmp(STRINGIFY(NDPI_NON_PQC), risk) == 0)
+    return(NDPI_NON_PQC);
   else
     return(NDPI_MAX_RISK);
 }
@@ -3130,7 +3137,8 @@ const char *ndpi_risk_shortnames[NDPI_MAX_RISK] = {
   "binary_data_transfer",
   "probing",
   "obfuscated",
-  "slow_DoS"
+  "slow_DoS",
+  "non_PQC"
 };
 
 /* ******************************************************************** */

wireshark/ndpi.lua

@@ -141,6 +141,7 @@ flow_risks[54] = ProtoField.bool("ndpi.flow_risk.binary_data_transfer", "Attempt
 flow_risks[55] = ProtoField.bool("ndpi.flow_risk.probing_attempt", "Probing attempt", num_bits_flow_risks, nil, bit(55), "nDPI Flow Risk: probing attempt")
 flow_risks[56] = ProtoField.bool("ndpi.flow_risk.obfuscated_traffic", "Obfuscated Traffic", num_bits_flow_risks, nil, bit(56), "nDPI Flow Risk: obfuscated traffic")
 flow_risks[57] = ProtoField.bool("ndpi.flow_risk.slow_dos", "Slow DoS", num_bits_flow_risks, nil, bit(56), "nDPI Flow Risk: slow DoS attempt")
+flow_risks[57] = ProtoField.bool("ndpi.flow_risk.non_pqc", "Non PQC", num_bits_flow_risks, nil, bit(56), "nDPI Flow Risk: non PQC traffic)
 
 -- Last one: keep in sync the bitmask when adding new risks!!
 flow_risks[64] = ProtoField.new("Unused", "ndpi.flow_risk.unused", ftypes.UINT64, nil, base.HEX, bit(64) - bit(57))