Detect External Network Traffic
Internal network traffic is predefined in IPv4PrivateLan, which is used to configure defined ranges for private networks. IPv4PrivateLan can be used to ignore internal traffic that might otherwise create unnecessary noise in DPA rules. IPv4PrivateLan determines whether an IP address is off-site (not in the private LAN).
Private LAN ranges are defined as:
| LAN Begin | LAN End |
|---|---|
| 10.0.0.0 | 10.255.255.255 |
| 192.168.0.0 | 192.168.255.255 |
| 172.16.0.0 | 172.31.255.255 |
| 0.0.0.0 | 0.0.0.0 |
| 255.255.255.255 | 255.255.255.255 |
The following example shows how an IP address can be checked against the private LAN definition so that DPA logic runs only on traffic going between external and internal nodes, while purely internal traffic is ignored.
This example runs as a Flow rule, but the functionality also works when run within packet rules.
```lua
function Flow_DetectExternalNetworkTraffic (dpiMsg, ruleEngine)
  require 'LOG'
  require 'IPv4PrivateLan'

  -- Create the private LAN lookup once and reuse it on later invocations.
  if (privateLan == nil) then
    privateLan = IPv4PrivateLan:new()
  end

  -- Evaluate only when the flow is flagged as final (long or short).
  if IsFinalLongFlow(dpiMsg) or IsFinalShortFlow(dpiMsg) then
    local destip = GetDstIP4Int(dpiMsg)
    local srcip = GetSrcIP4Int(dpiMsg)

    -- Log when either endpoint is outside the private LAN ranges.
    if (privateLan:IsOffsiteIp(destip) or privateLan:IsOffsiteIp(srcip)) then
      EZINFO("External traffic detected, srcip: " .. GetSrcIP4String(dpiMsg) .. ", dstip: " .. GetDstIP4String(dpiMsg))
    end
  end
end
```
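To see which addresses a rule like this would report, the following added example (not part of the product or the original page) models the private LAN table in stand-alone Lua and classifies a set of constructed sample addresses. The functions `ip_to_int` and `is_offsite` are hypothetical stand-ins that assume the off-site check matches exactly the ranges listed above; they do not call the IPv4PrivateLan module.

```lua
-- Added example: stand-alone model of the private LAN table on this page.
-- is_offsite() is a hypothetical stand-in for IsOffsiteIp(), built only
-- from the documented ranges; it does not use the IPv4PrivateLan module.

-- Convert dotted-quad text to an unsigned 32-bit number; nil if malformed.
local function ip_to_int(text)
  local a, b, c, d = text:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then return nil end
  local n = 0
  for _, part in ipairs({a, b, c, d}) do
    local octet = tonumber(part)
    if octet > 255 then return nil end
    n = n * 256 + octet
  end
  return n
end

-- Ranges copied from the table on this page (begin, end).
local PRIVATE_RANGES = {
  {"10.0.0.0", "10.255.255.255"},
  {"192.168.0.0", "192.168.255.255"},
  {"172.16.0.0", "172.31.255.255"},
  {"0.0.0.0", "0.0.0.0"},
  {"255.255.255.255", "255.255.255.255"},
}

-- true = off-site, false = inside a listed range, nil + message = bad input.
local function is_offsite(text)
  local ip = ip_to_int(text)
  if not ip then return nil, "not an IPv4 address: " .. text end
  for _, range in ipairs(PRIVATE_RANGES) do
    if ip >= ip_to_int(range[1]) and ip <= ip_to_int(range[2]) then
      return false
    end
  end
  return true
end

-- Constructed samples: range boundaries plus special-use blocks that the
-- table does not list (loopback, link-local, shared address space, multicast).
local samples = {
  "10.1.2.3", "172.15.255.255", "172.16.0.0", "172.31.255.255", "172.32.0.0",
  "192.168.255.255", "192.169.0.0", "0.0.0.0", "255.255.255.255",
  "127.0.0.1", "169.254.10.20", "100.64.0.1", "224.0.0.251", "203.0.113.7",
}
for _, addr in ipairs(samples) do
  print(string.format("%-16s %s", addr, is_offsite(addr) and "off-site" or "private LAN"))
end
```

Under this model, addresses such as 127.0.0.1, 169.254.10.20, 100.64.0.1 and 224.0.0.251 fall outside every listed range and are classified as off-site, so a rule may need extra filtering if those blocks appear in monitored traffic.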