3. Flow Checks

The Flow Checks API is only available from the Flow Checks Hooks.

Functions

function getStatus()

Get the complete status bitmap of the flow, which includes all the current problems of the flow.

Returns

the flow status bitmap

function setStatus(table flow_status_type, int flow_score, int cli_score, int srv_score)

Set a bit in the flow status bitmap, marking the flow as misbehaving. No alert is generated; use triggerStatus to set the bit and alert in one call.

Parameters
  • flow_status_type – the flow status to set. The possible values can be obtained by printing flow_consts.status_types

  • flow_score – the score (a quantitative indicator of the severity of the problem) to associate with this status

  • cli_score – the score increment on the client host.

  • srv_score – the score increment on the server host.

Returns

true if the flow status was updated, false if the flow status is unchanged.

function clearStatus(table flow_status_type)

Clear a bit in the flow status bitmap.

Parameters

flow_status_type – the flow status to clear. The possible values can be obtained by printing flow_consts.status_types

function triggerStatus(table flow_status_type, table status_info, int flow_score, int cli_score, int srv_score)

Set a bit in the flow status bitmap and trigger an alert.

Parameters
  • flow_status_type – the flow status to set. The possible values can be obtained by printing flow_consts.status_types

  • status_info – a string message or Lua table to associate with this status

  • flow_score – the score (a quantitative indicator of the severity of the problem) to associate with this status

  • cli_score – the score increment on the client host.

  • srv_score – the score increment on the server host.

function isStatusSet(int status_key)

Check if a bit in the flow status bitmap is set.

Parameters

status_key – the numeric ID of the status, e.g. flow_consts.status_types.status_blacklisted.status_key

Returns

true if the provided status is set, false otherwise
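The status functions above are normally used together from a hook: test the bit with isStatusSet (which takes the numeric status_key), then set it and alert with triggerStatus (which takes the status table) exactly once. The script below is an added example, not code from ntopng's documentation or code base. The user-script table layout, the script key and the periodicUpdate(now, conf) hook name are assumptions taken from the Flow Checks Hooks convention rather than from this page; status_blacklisted is the only status type this page names, so it is the one used here.

```lua
-- Added example (not ntopng's own code): a flow check that flags a
-- blacklisted, fully established TCP flow once, using the status bitmap API.
--
-- Assumptions not stated on this page: the returned table is registered as a
-- flow user script, and ntopng calls script.hooks.periodicUpdate(now, conf)
-- repeatedly while the flow is alive.
local flow_consts = require("flow_consts")

local script = {
   key = "example_blacklisted_flow",   -- hypothetical script key
   hooks = {},
}

-- Score weights: the flow-level score plus the increments charged to the
-- client and server hosts. isBlacklisted() does not say which side matched,
-- so the host increments are split evenly rather than guessed.
local FLOW_SCORE, CLI_SCORE, SRV_SCORE = 100, 50, 50

function script.hooks.periodicUpdate(now, conf)
   local status_type = flow_consts.status_types.status_blacklisted

   -- isStatusSet wants the numeric key; setStatus/triggerStatus/clearStatus
   -- want the status table. The bit is sticky until cleared, so checking it
   -- first prevents re-emitting the alert on every periodic call.
   if flow.isStatusSet(status_type.status_key) then
      return
   end

   -- Cheap predicates first: only flag flows that actually established.
   if not (flow.isBlacklisted() and flow.isTwhOK()) then
      return
   end

   -- status_info may be a string or a table. A table travels into the alert
   -- as structured data, which is far more useful to a triager than a string.
   local info = {
      client   = flow.getClientKey(),
      server   = flow.getServerKey(),
      l7_proto = flow.getnDPIProtocolName(),
      bytes    = flow.getBytes(),
   }

   -- Set the bit and raise the alert in a single call.
   flow.triggerStatus(status_type, info, FLOW_SCORE, CLI_SCORE, SRV_SCORE)
end

return script
```

Load it as a flow user script as described in the Flow Checks Hooks section. The early return on isStatusSet is the important part: without it, every periodic evaluation of a still-open flow would call triggerStatus again and generate a duplicate alert.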

function getFullInfo()

Get full information about the flow.

Note

This call is expensive and should be avoided. Use the other API methods when possible.

Returns

a table with flow information, see Flow::lua

function isClientUnicast()

Check if the client of the flow is a unicast IP address.

Returns

true if the client is unicast, false otherwise

function isServerUnicast()

Check if the server of the flow is a unicast IP address.

Returns

true if the server is unicast, false otherwise

function isUnicast()

Check if both the client and the server of the flow are unicast IP addresses.

Returns

true if the flow is unicast, false otherwise

function isRemoteToRemote()

Check if both the client and the server are remote hosts.

Returns

true if the flow is remote to remote, false otherwise

function isLocalToRemote()

Check if the client is a local host and the server is a remote host.

Returns

true if the flow is local to remote, false otherwise

function isRemoteToLocal()

Check if the client is a remote host and the server is a local host.

Returns

true if the flow is remote to local, false otherwise

function isLocal()

Check if both the client and the server are local hosts.

Returns

true if the flow is local, false otherwise

function isBlacklisted()

Check if the flow is blacklisted.

Returns

true if blacklisted, false otherwise

function isTwhOK()

Check if the flow is TCP and the three-way handshake has completed.

Returns

true if the flow is TCP and the three-way handshake has completed, false otherwise

function isBidirectional()

Check if the flow has seen packets in both directions.

Returns

true if the flow is bidirectional, false otherwise

function getKey()

Get the unique flow key.

Returns

the unique flow key.

function getFirstSeen()

Get the flow start Unix timestamp.

Returns

the flow first seen.

function getLastSeen()

Get the Unix timestamp of the last time traffic for the flow was seen.

Returns

the flow last seen.

function getDuration()

Get the total duration in seconds of the flow.

Returns

the flow duration.

function getPacketsSent()

Get the number of packets sent by the client to the server.

Returns

the packets sent.

function getPacketsRcvd()

Get the number of packets sent by the server to the client, i.e. received by the client.

Returns

the server to client packets.

function getPackets()

Get the total packets seen for the flow.

Returns

the total flow packets.

function getBytesSent()

Get the number of bytes sent by the client to the server.

Returns

the bytes sent.

function getBytesRcvd()

Get the number of bytes sent by the server to the client, i.e. received by the client.

Returns

the server to client bytes.

function getBytes()

Get the total bytes seen for the flow.

Returns

the total flow bytes.

function getGoodputBytes()

Get the total goodput bytes seen for the flow.

Returns

the total goodput flow bytes.

function getClientKey()

Get the unique key of the client.

Returns

the client key.

function getServerKey()

Get the unique key of the server.

Returns

the server key.
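The locality predicates and the per-direction counters above combine naturally into detection logic. The following is an added example, not ntopng's own code: a flow-end check that flags local-to-remote flows whose volume is dominated by the client's uploads, a crude but common data-exfiltration heuristic. The flowEnd(now, conf) hook name, the script key, the status type name status_suspicious_upload (a placeholder; print flow_consts.status_types to pick a real one) and the thresholds are all assumptions.

```lua
-- Added example (not ntopng's own code): flag local-to-remote flows where
-- the client uploaded far more than it received.
--
-- Assumptions not stated on this page: ntopng calls
-- script.hooks.flowEnd(now, conf) when a flow expires, and
-- flow_consts.status_types.status_suspicious_upload exists (placeholder).
local flow_consts = require("flow_consts")

local script = { key = "example_upload_ratio", hooks = {} }  -- hypothetical key

local MIN_BYTES_SENT = 50 * 1024 * 1024  -- ignore flows below 50 MiB uploaded
local MIN_RATIO      = 20                -- sent:received byte ratio threshold
local MIN_DURATION   = 60                -- seconds; skip short bursts

-- Pure decision function over the values the hook reads from the flow API,
-- kept separate so the thresholds can be reasoned about without ntopng.
local function is_suspicious_upload(sent, rcvd, duration)
   if sent < MIN_BYTES_SENT or duration < MIN_DURATION then
      return false
   end
   -- Guard the division: a flow with no reply bytes has rcvd == 0.
   local ratio = (rcvd == 0) and math.huge or (sent / rcvd)
   return ratio >= MIN_RATIO
end

function script.hooks.flowEnd(now, conf)
   -- Locality predicates are the cheapest calls, so they run first.
   -- Remote-to-remote traffic is not "our host uploading", and multicast or
   -- broadcast peers would skew the ratio.
   if not flow.isLocalToRemote() or not flow.isUnicast() then
      return
   end
   -- One-directional traffic is more likely a scan or a dead connection
   -- than an upload; require packets in both directions.
   if not flow.isBidirectional() then
      return
   end

   local sent = flow.getBytesSent()   -- client -> server
   local rcvd = flow.getBytesRcvd()   -- server -> client
   local dur  = flow.getDuration()

   if is_suspicious_upload(sent, rcvd, dur) then
      local status_type = flow_consts.status_types.status_suspicious_upload
      -- The uploading client carries most of the host score; the remote
      -- server gets a small increment so it still shows up in host views.
      flow.triggerStatus(status_type, {
         client     = flow.getClientKey(),
         server     = flow.getServerKey(),
         bytes_sent = sent,
         bytes_rcvd = rcvd,
         duration   = dur,
         first_seen = flow.getFirstSeen(),
         last_seen  = flow.getLastSeen(),
      }, 80, 80, 10)
   end
end

return script
```

Evaluating at flow end rather than in a periodic hook means the counters are final, so the ratio is not distorted by a large download that simply had not started yet.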

function getnDPICategoryName()

Get the detected nDPI category name of the flow.

Returns

the flow nDPI category name.

function getnDPIProtocolName()

Get the detected nDPI protocol name of the flow.

Returns

the flow nDPI protocol name.

function getnDPICategoryId()

Get the detected nDPI category ID of the flow.

Returns

the flow nDPI category ID.

function getnDPIMasterProtoId()

Get the detected nDPI master protocol ID of the flow.

Returns

the flow nDPI master protocol ID.

function getnDPIAppProtoId()

Get the detected nDPI application protocol ID of the flow.

Returns

the flow nDPI application protocol ID.

function getDnsQuery()

Get the DNS query of the flow.

Returns

the flow DNS query if found, an empty string otherwise.

function getClientCountry()

Get the client country code.

Returns

the client country code if detected, nil otherwise.

function getServerCountry()

Get the server country code.

Returns

the server country code if detected, nil otherwise.

function getTLSVersion()

Get the TLS version as a number.

Returns

the TLS version number if detected, 0 otherwise.

function getnDPIMatchPacket()

Get the nDPI matching packet.

Returns

the length and payload of the packet on which nDPI matched

function getScore()

Get the total flow score (see flow.setStatus).

Returns

the flow score.
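The nDPI, DNS, TLS and country accessors are cheap and are meant to be used in place of getFullInfo, which the note above marks as expensive. The script below is an added example, not ntopng's own code, and shows the intended layering: inspect the cheap metadata first, mark or alert with setStatus/triggerStatus, and pay for getFullInfo only once getScore says the flow is already worth a closer look. Assumptions not on this page: the protocolDetected(now, conf) hook name, that getTLSVersion returns the on-the-wire version number (0x0303 for TLS 1.2), that nDPI names the DNS protocol "DNS", and the status type names status_obsolete_tls and status_dns_tunnel, which are placeholders for entries of flow_consts.status_types.

```lua
-- Added example (not ntopng's own code): a protocolDetected check that uses
-- the cheap L7 accessors and defers the expensive getFullInfo() call.
--
-- Assumptions not stated on this page: ntopng calls
-- script.hooks.protocolDetected(now, conf) once nDPI has classified the
-- flow; getTLSVersion() returns the wire version number (0x0303 = TLS 1.2);
-- status_obsolete_tls / status_dns_tunnel are placeholder status names.
local flow_consts = require("flow_consts")

local script = { key = "example_l7_metadata", hooks = {} }  -- hypothetical key

local TLS_1_2              = 0x0303
local MAX_DNS_LABEL        = 40   -- labels this long are rare outside tunnels
local SCORE_DUMP_THRESHOLD = 100  -- only dump full info above this score

-- Length of the longest label in a DNS name, e.g. "a.b.example.com" -> 7.
local function longest_label(name)
   local max = 0
   for label in name:gmatch("[^.]+") do
      if #label > max then max = #label end
   end
   return max
end

function script.hooks.protocolDetected(now, conf)
   local proto = flow.getnDPIProtocolName()

   -- 1. Obsolete TLS from a local client to a remote server. getTLSVersion()
   --    returns 0 when no TLS was seen, so 0 must be excluded explicitly or
   --    every non-TLS flow would compare as "older than TLS 1.2".
   local tls = flow.getTLSVersion()
   if tls ~= 0 and tls < TLS_1_2 and flow.isLocalToRemote() then
      -- setStatus marks the flow and raises the scores but does not alert.
      flow.setStatus(flow_consts.status_types.status_obsolete_tls, 30, 30, 0)
   end

   -- 2. DNS names with abnormally long labels. getDnsQuery() returns an
   --    empty string when there is no query, never nil.
   local qname = flow.getDnsQuery()
   if proto == "DNS" and qname ~= "" and longest_label(qname) > MAX_DNS_LABEL then
      flow.triggerStatus(flow_consts.status_types.status_dns_tunnel, {
         query   = qname,
         server  = flow.getServerKey(),
         -- getServerCountry() is nil when geolocation has no answer.
         country = flow.getServerCountry() or "unknown",
      }, 60, 60, 0)
   end

   -- 3. Only once the accumulated score is high do we pay for getFullInfo(),
   --    here to emit one line with its scalar fields (layout per Flow::lua).
   if flow.getScore() >= SCORE_DUMP_THRESHOLD then
      local parts = {}
      for k, v in pairs(flow.getFullInfo()) do
         if type(v) ~= "table" then
            parts[#parts + 1] = k .. "=" .. tostring(v)
         end
      end
      table.sort(parts)
      print("[flow " .. tostring(flow.getKey()) .. "] " .. table.concat(parts, " "))
   end
end

return script
```

The two status calls illustrate the difference between the APIs: the obsolete-TLS case only raises scores with setStatus, so it surfaces in the flow's status and in host scores without generating an alert per flow, while the DNS case uses triggerStatus because each hit is something an analyst should see immediately.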

function isPassVerdict()

Check if the flow traffic is not blocked.

Note

This requires nEdge.

Returns

true if the flow traffic is not blocked, false otherwise.