ntop / nProbe

Open source components and extensions for nProbe

Home Page: http://ntop.org


Alert bypassing exclusion

MatteoBiscosi opened this issue · comments

Environment:

OS name: CentOs Linux
OS version:7
Architecture: amd64
nprobe version/revision: 10.2.230221

What happened:

Following issue ntop/ntopng#6905, we're observing a behavior similar to the one reported there: when doing an exclusion on nprobe using the protos file, only some alerts are actually muted. I'm giving you an example for clarity: traffic to [...].amazontrust.com/[...] was generating both ndpi_error_code_detected and ndpi_http_suspicious_user_agent alerts, so we put host_risk_mask:".amazontrust.com"=0 in the protos file on nprobe. After that we stopped receiving ndpi_error_code_detected, but the ndpi_http_suspicious_user_agent ones are still coming.

(original issue ntop/ntopng#7349)

nprobe -i ~/nDPI/tests/pcap/zoom2.pcap -T "IPV4_SRC_ADDR %IPV4_DST_ADDR %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %L7_PROTO_RISK %L7_INFO" -P /tmp/ -b 2
produces

IPV4_DST_ADDR|INPUT_SNMP|OUTPUT_SNMP|IN_PKTS|IN_BYTES|FIRST_SWITCHED|LAST_SWITCHED|L4_SRC_PORT|L4_DST_PORT|TCP_FLAGS|PROTOCOL|L7_PROTO_RISK|L7_INFO
144.195.73.154|0|0|12|2875|1680021433|1680021433|50076|443|26|6|32768|zoomsjccv154mmr.sjc.zoom.us
192.168.1.178|0|0|8|5408|1680021433|1680021433|443|50076|26|6|32768|zoomsjccv154mmr.sjc.zoom.us

Adding "--ndpi-custom-protos ./protos.txt"

$ cat protos.txt
host_risk_mask:".zoom.us"=0

produces

IPV4_DST_ADDR|INPUT_SNMP|OUTPUT_SNMP|IN_PKTS|IN_BYTES|FIRST_SWITCHED|LAST_SWITCHED|L4_SRC_PORT|L4_DST_PORT|TCP_FLAGS|PROTOCOL|L7_PROTO_RISK|L7_INFO
144.195.73.154|0|0|12|2875|1680021487|1680021487|50076|443|26|6|0|zoomsjccv154mmr.sjc.zoom.us
192.168.1.178|0|0|8|5408|1680021487|1680021487|443|50076|26|6|0|zoomsjccv154mmr.sjc.zoom.us

It works!
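Added example, not code from this thread or from nProbe itself: a small Python check that reads a protos file and an nprobe `-P` pipe-separated dump and reports flows whose L7_INFO is covered by a host_risk_mask entry but still carry risk bits the mask should have cleared, i.e. the "exclusion not applied" case this issue is about. The leading-dot suffix matching rule and treating L7_PROTO_RISK as a plain bitmask are assumptions; the sample inputs are the two runs quoted above.

```python
import re
from typing import Dict, List, Tuple

# Constructed inputs, copied from the two nprobe runs quoted in this thread.
PROTOS_TXT = 'host_risk_mask:".zoom.us"=0\n'
HEADER = ("IPV4_DST_ADDR|INPUT_SNMP|OUTPUT_SNMP|IN_PKTS|IN_BYTES|FIRST_SWITCHED"
          "|LAST_SWITCHED|L4_SRC_PORT|L4_DST_PORT|TCP_FLAGS|PROTOCOL|L7_PROTO_RISK|L7_INFO")
DUMP_BEFORE = HEADER + """
144.195.73.154|0|0|12|2875|1680021433|1680021433|50076|443|26|6|32768|zoomsjccv154mmr.sjc.zoom.us
192.168.1.178|0|0|8|5408|1680021433|1680021433|443|50076|26|6|32768|zoomsjccv154mmr.sjc.zoom.us
"""
DUMP_AFTER = HEADER + """
144.195.73.154|0|0|12|2875|1680021487|1680021487|50076|443|26|6|0|zoomsjccv154mmr.sjc.zoom.us
192.168.1.178|0|0|8|5408|1680021487|1680021487|443|50076|26|6|0|zoomsjccv154mmr.sjc.zoom.us
"""

HOST_RISK_RE = re.compile(r'^host_risk_mask:"([^"]+)"=(\d+)\s*$')


def parse_host_risk_masks(text: str) -> Dict[str, int]:
    """Return {host_pattern: mask} from host_risk_mask lines; other lines are ignored."""
    masks: Dict[str, int] = {}
    for line in text.splitlines():
        m = HOST_RISK_RE.match(line.strip())
        if m:
            masks[m.group(1).lower()] = int(m.group(2))
    return masks


def parse_nprobe_dump(text: str) -> List[Dict[str, str]]:
    """Parse the pipe-separated -P dump: first non-empty line is the header."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split("|")
    return [dict(zip(header, l.split("|"))) for l in lines[1:]]


def host_matches(host: str, pattern: str) -> bool:
    # Assumption: ".zoom.us" covers zoom.us and any subdomain; a bare name matches exactly.
    host = host.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def risk_bits(risk: int) -> List[int]:
    """Bit indices set in an L7_PROTO_RISK value (32768 -> [15])."""
    return [i for i in range(64) if (risk >> i) & 1]


def unmuted_flows(dump: str, protos: str) -> List[Tuple[str, int, List[int]]]:
    """(host, exported_risk, leaked_bit_indices) for flows a mask should have silenced."""
    masks = parse_host_risk_masks(protos)
    leaks = []
    for flow in parse_nprobe_dump(dump):
        host, risk = flow.get("L7_INFO", ""), int(flow.get("L7_PROTO_RISK") or 0)
        for pattern, mask in masks.items():
            if host_matches(host, pattern) and risk & ~mask:
                leaks.append((host, risk, risk_bits(risk & ~mask)))
                break
    return leaks
```

Run `unmuted_flows` over a dump produced with `--ndpi-custom-protos` in place: any returned rows are flows where the mask did not take effect.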

Hello Luca,
I did the same tests using my captured data and I can assure you the problem is still there.
Since it's production traffic, I'd prefer not to share it here. Please let me know how I can send it to you.

Many thanks