ARRAY NTB XML
  • ARRAY NTB XML
    • Element <run>
    • Element <filter>
      • Element <find>
    • Element <output>
    • Element <chain>
    • Element <script>
    • Element <action>
    • Element <input>
    • Schema
  • Case Study
    • Mirror
    • Inline & Bypass
    • Load Balance
    • Packet Stripping
    • Packet Editing
    • Packet Tagging
    • Packet Reply
    • Packet > File
    • Tunnel
    • Bandwidth Control
    • Snort Rule > ARRAY NTB XML
    • Offload
    • Service Chain
    • Block Gmail
    • Block Specific Country
    • Block/Detect black list
    • Mobile Edge Computing Breakout
    • L2 GRE Breakout
    • VXLAN Breakout
    • VXLAN Encapsulation
    • L2 Switch Like
    • L3 Switch NAT Breakout
  • Reference
    • TW IP
Powered by GitBook
On this page
  • Only send TCP/UDP 443 first 20 packets to analysis device
  • Remove Youtube/Netflix/tiktok/Teams/Zoom/WebEx/Spotify streaming
  1. Case Study

Offload

Offload network analysis device

Only send TCP/UDP 443 first 20 packets to analysis device

<run>
  <filter id="1" maxPackets="20" sessionBase="no">
    <or>
      <find name="tcp.port" relation="==" content="443"/>
      <find name="udp.port" relation="==" content="443"/>
    </or>
  </filter>
  <chain>
    <in>P1</in>
    <fid>F1</fid>
    <out>P2</out>
  </chain>
</run>

Remove Youtube/Netflix/tiktok/Teams/Zoom/WebEx/Spotify streaming

Reference

  • https://github.com/ntop/nDPI/blob/dev/src/lib/ndpi_content_match.c.inc

  • https://github.com/boychongzen18/Bug-Host-All-Operator

<run>
  <filter id="1">
    <or>
      <!-- youtube -->
      <find name="ssl.server_name" relation="==" content="upload.youtube.com"/>
      <find name="ssl.server_name" relation="==" content="youtubei.googleapis.com"/>
      <find name="ssl.server_name" relation="==" content="youtu.be"/>
      <find name="ssl.server_name" relation="==" content="yt3.ggpht.com"/>
      <!-- netflix -->
      <find name="ssl.server_name" relation="==" content="netflix.com"/>
      <find name="ssl.server_name" relation="==" content="nflxext.com"/>
      <find name="ssl.server_name" relation="==" content="nflximg.com"/>
      <find name="ssl.server_name" relation="==" content="nflximg.net"/>
      <find name="ssl.server_name" relation="==" content="nflxvideo.net"/>
      <find name="ssl.server_name" relation="==" content="nflxso.net"/>
      <find name="ssl.server_name" relation="==" content="fast.com"/> 
      <!-- Teams -->
      <find name="ssl.server_name" relation="==" content="teams.microsoft.com"/>
      <find name="ssl.server_name" relation="==" content="teams.microsoft.us"/>
      <find name="ssl.server_name" relation="==" content="teams.skype.com"/>
      <find name="ssl.server_name" relation="==" content="-teams.cloudapp.net"/>
      <find name="ssl.server_name" relation="==" content="teams.trafficmanager.net"/>
      <find name="ssl.server_name" relation="==" content="teams-msgapi.trafficmanager.net"/>
      <find name="ssl.server_name" relation="==" content="teams.office.net"/>
      <find name="ssl.server_name" relation="==" content="teams.office.com"/>
      <!-- Spotify -->
      <find name="ssl.server_name" relation="==" content="spotifycdn.net"/>
      <find name="ssl.server_name" relation="==" content="spotifycdn.com"/>
      <find name="ssl.server_name" relation="==" content="audio4-ak-spotify-com.akamaized.net"/>
      <find name="ssl.server_name" relation="==" content="audio-ak-spotify-com.akamaized.net"/>
      <find name="ssl.server_name" relation="==" content="heads-ak-spotify-com.akamaized.net"/>
      <find name="ssl.server_name" relation="==" content="spotify-com.akamaized.net"/>
      <find name="ssl.server_name" relation="==" content="spotify.com.edgesuite.net"/>
      <find name="ssl.server_name" relation="==" content="spotify.map.fastly.net"/>
      <find name="ssl.server_name" relation="==" content="spotify.edgekey.net"/>
      <find name="ssl.server_name" relation="==" content="spotify.demdex.net"/>
      <!-- tiktok -->
      <find name="ssl.server_name" relation="==" content="tiktok.com"/>
    </or>
  </filter>
  <filter id="2">
    <or>
      <!-- youtube -->
      <find name="ssl.server_name_public_suffix" relation="==" content="*.googlevideo.com"/>
      <find name="ssl.server_name_public_suffix" relation="==" content="*.ytimg.com"/>
      <find name="ssl.server_name_public_suffix" relation="==" content="*.youtube-ui.l.google.com"/>
      <find name="ssl.server_name_public_suffix" relation="==" content="*.youtubeeducation.com"/>
      <!-- Zoom -->
      <find name="ssl.server_name_public_suffix" relation="==" content="*.zoom.us"/>
      <!-- WebEx -->
      <find name="ssl.server_name_public_suffix" relation="==" content="*.webex.com"/>
      <!-- Spotify -->
      <find name="ssl.server_name_public_suffix" relation="==" content="*.spotify.com"/>
      <find name="ssl.server_name_public_suffix" relation="==" content="*.scdn.co"/>
      <find name="ssl.server_name_public_suffix" relation="==" content="*.pscdn.co"/>
      <find name="ssl.server_name_public_suffix" relation="==" content="*.spotilocal.com"/> 
      <!-- tiktok -->
      <find name="ssl.server_name_public_suffix" relation="==" content="*.tiktok.com"/>
      <find name="ssl.server_name_public_suffix" relation="==" content="*.tiktokcdn.com"/>
    </or>
  </filter>
  <chain>
    <in>P0</in>
    <fid>F1,F2</fid>
    <out>0</out>
    <next type="notmatch">
      <out>P1</out>
    </next>
  </chain>
</run>
PreviousSnort Rule > ARRAY NTB XMLNextService Chain

Last updated 1 year ago