config: allow configuration of guessing algorithms

author: Nardi Ivan <nardi.ivan@gmail.com> 2024-01-10 11:46:57 +0100
committer: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> 2024-01-18 10:21:24 +0100
commit: 0712d496fe63fd16f8e943a438c57f75d8cae880 (patch)
tree: 5102d4c3de8250cd16f52658de3f0dad55554c7c
parent: 6c85f10cd5a29346522ad647a38066f0cc44e5a7 (diff)
18 files changed, 140 insertions, 23 deletions
diff --git a/doc/configuration_parameters.md b/doc/configuration_parameters.md
index 77fa5b962..b0c2c35e1 100644
--- a/doc/configuration_parameters.md
+++ b/doc/configuration_parameters.md
@@ -11,6 +11,7 @@ TODO
 | NULL         | "tcp_ack_payload_heuristic.enable"        | 0             | NULL      | NULL      | In some networks, there are some anomalous TCP flows where the smallest ACK packets have some kind of zero padding. It looks like the IP and TCP headers in those frames wrongly consider the 0x00 Ethernet padding bytes as part of the TCP payload. While this kind of packets is perfectly valid per-se, in some conditions they might be treated by the TCP reassembler logic as (partial) overlaps, deceiving the classification engine. This parameter enable/disable an heuristic to detect these packets and to ignore them, allowing correct detection/classification. See #1946 for other details |
 | NULL         | "fully_encrypted_heuristic.enable"        | 1             | NULL      | NULL      | Enable/disable an heuristic to detect fully encrypted sessions, i.e. flows where every bytes of the payload is encrypted in an attempt to “look like nothing”. This heuristic only analyzes the first packet of the flow. See: https://www.usenix.org/system/files/sec23fall-prepub-234-wu-mingshi.pdf |
 | NULL         | "libgcrypt.init"                          | 1             | NULL      | NULL      | Enable/disable initialization of libgcrypt. When using the external libgcrypt (instead of the internal crypto code) the libgcrypt runtime must be initialized. If, for whatever reasons, the application alread does it, nDPI must be told to skip it. Note that, by default, nDPI uses the crypto code and not libgcrypt: in that case this parameter is ignored |
+| NULL         | "guess_on_giveup"                         | 0x03          | 0x00      | 0x03      | Tell the library to guess flow classification, if any DPI algorithms/logics fail.  The value is a bitmask. Values: 0x0 = disabled; 0x01 = enable guessing by port; 0x02 = enable guessing by ip |
 | NULL         | "flow_risk_lists.load"                    | 1             | NULL      | NULL      | Enable/disable loading of every IP addresses lists used to check any flow risks |
 | NULL         | "flow_risk.anonymous_subscriber.list.icloudprivaterelay.load" | 1             | NULL      | NULL      | Enable/disable loading of internal iCouldPrivateRealy IP address list used to check `NDPI_ANONYMOUS_SUBSCRIBER` flow risk |
 | NULL         | "flow_risk.anonymous_subscriber.list.protonvpn.load"          | 1             | NULL      | NULL      | Enable/disable loading of internal IP address list of ProtonVPN exit nodes used to check `NDPI_ANONYMOUS_SUBSCRIBER` flow risk  |
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index d2c37c2af..7aa0d2ae6 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -92,7 +92,7 @@ static char* domain_to_check = NULL;
 static char* ip_port_to_check = NULL;
 static u_int8_t ignore_vlanid = 0;
 /** User preferences **/
-u_int8_t enable_realtime_output = 0, enable_protocol_guess = 1, enable_payload_analyzer = 0, num_bin_clusters = 0, extcap_exit = 0;
+u_int8_t enable_realtime_output = 0, enable_protocol_guess = NDPI_GIVEUP_GUESS_BY_PORT | NDPI_GIVEUP_GUESS_BY_IP, enable_payload_analyzer = 0, num_bin_clusters = 0, extcap_exit = 0;
 u_int8_t verbose = 0, enable_flow_stats = 0;
 
 struct cfg {
@@ -557,7 +557,7 @@ static void help(u_int long_help) {
          "                            | 0 - List known protocols\n"
          "                            | 1 - List known categories\n"
          "                            | 2 - List known risks\n"
-         "  -d                        | Disable protocol guess and use only DPI\n"
+         "  -d                        | Disable protocol guess (by ip and by port) and use only DPI. It is a shortcut to --cfg=,NULL,guess_on_giveup,0\n"
          "  -e <len>                  | Min human readeable string match len. Default %u\n"
          "  -q                        | Quiet mode\n"
          "  -F                        | Enable flow stats\n"
@@ -1021,6 +1021,10 @@ static void parseOptions(int argc, char **argv) {
 
     case 'd':
       enable_protocol_guess = 0;
+      if(reader_add_cfg(NULL, "guess_on_giveup", "0", 1) == 1) {
+        printf("Invalid parameter [%s] [num:%d/%d]\n", optarg, num_cfgs, MAX_NUM_CFGS);
+        exit(1);
+      }
       break;
 
     case 'D':
@@ -2180,7 +2184,7 @@ static void node_proto_guess_walker(const void *node, ndpi_VISIT which, int dept
 
       malloc_size_stats = 1;
       flow->detected_protocol = ndpi_detection_giveup(ndpi_thread_info[0].workflow->ndpi_struct,
-                                                      flow->ndpi_flow, enable_protocol_guess, &proto_guessed);
+                                                      flow->ndpi_flow, &proto_guessed);
       malloc_size_stats = 0;
 
       if(proto_guessed) ndpi_thread_info[thread_id].workflow->stats.guessed_flow_protocols++;
diff --git a/example/ndpiSimpleIntegration.c b/example/ndpiSimpleIntegration.c
index 2cc18057f..edc37090c 100644
--- a/example/ndpiSimpleIntegration.c
+++ b/example/ndpiSimpleIntegration.c
@@ -880,7 +880,7 @@ static void ndpi_process_packet(uint8_t * const args,
     flow_to_process->guessed_protocol =
       ndpi_detection_giveup(workflow->ndpi_struct,
 			    flow_to_process->ndpi_flow,
-			    1, &protocol_was_guessed);
+			    &protocol_was_guessed);
     if (protocol_was_guessed != 0) {
       printf("[%8llu, %d, %4d][GUESSED] protocol: %s | app protocol: %s | category: %s\n",
 	     workflow->packets_captured,
diff --git a/example/reader_util.c b/example/reader_util.c
index 9f8a76c1c..0fe629ac6 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -73,7 +73,7 @@
 #include "reader_util.h"
 #include "ndpi_classify.h"
 
-extern u_int8_t enable_protocol_guess, enable_flow_stats, enable_payload_analyzer;
+extern u_int8_t enable_flow_stats, enable_payload_analyzer;
 extern u_int8_t verbose, human_readeable_string_len;
 extern u_int8_t max_num_udp_dissected_pkts /* 24 */, max_num_tcp_dissected_pkts /* 80 */;
 static u_int32_t flow_id = 0;
@@ -1729,7 +1729,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
 	  u_int8_t proto_guessed;
 
 	  flow->detected_protocol = ndpi_detection_giveup(workflow->ndpi_struct, flow->ndpi_flow,
-							  enable_protocol_guess, &proto_guessed);
+							  &proto_guessed);
 	  if(proto_guessed) workflow->stats.guessed_flow_protocols++;
 	}
 
diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp
index 93bff3313..5c79ede4c 100644
--- a/fuzz/fuzz_config.cpp
+++ b/fuzz/fuzz_config.cpp
@@ -195,6 +195,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     ndpi_set_config(ndpi_info_mod, NULL, "libgcrypt.init", cfg_value);
   }
   if(fuzzed_data.ConsumeBool()) {
+    value = fuzzed_data.ConsumeIntegralInRange(0, 0x03 + 1);
+    sprintf(cfg_value, "%d", value);
+    ndpi_set_config(ndpi_info_mod, NULL, "guess_on_giveup", cfg_value);
+  }
+  if(fuzzed_data.ConsumeBool()) {
     value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
     sprintf(cfg_value, "%d", value);
     ndpi_set_config(ndpi_info_mod, NULL, "flow_risk_lists.load", cfg_value);
@@ -214,7 +219,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     sprintf(cfg_value, "%d", value);
     ndpi_set_config(ndpi_info_mod, NULL, "flow_risk.crawler_bot.list.load", cfg_value);
   }
-
+  if(fuzzed_data.ConsumeBool()) {
+    value = fuzzed_data.ConsumeIntegralInRange(0, 3 + 1);
+    sprintf(cfg_value, "%d", value);
+    ndpi_set_config(ndpi_info_mod, NULL, "log.level", cfg_value);
+  }
   if(fuzzed_data.ConsumeBool()) {
     value = fuzzed_data.ConsumeIntegralInRange(0, 16777215 / 2); /* max / 2 instead of max + 1 to avoid oom on oss-fuzzer */
     sprintf(cfg_value, "%d", value);
@@ -344,7 +353,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   std::vector<uint8_t>pkt = fuzzed_data.ConsumeRemainingBytes<uint8_t>();
 
   ndpi_detection_process_packet(ndpi_info_mod, &flow, pkt.data(), pkt.size(), 0, &input_info);
-  p = ndpi_detection_giveup(ndpi_info_mod, &flow, 1, &protocol_was_guessed);
+  p = ndpi_detection_giveup(ndpi_info_mod, &flow, &protocol_was_guessed);
 
   assert(p.master_protocol == ndpi_get_flow_masterprotocol(ndpi_info_mod, &flow));
   assert(p.app_protocol == ndpi_get_flow_appprotocol(ndpi_info_mod, &flow));
diff --git a/fuzz/fuzz_ndpi_reader.c b/fuzz/fuzz_ndpi_reader.c
index 7733b690f..2c524a8ac 100644
--- a/fuzz/fuzz_ndpi_reader.c
+++ b/fuzz/fuzz_ndpi_reader.c
@@ -12,7 +12,7 @@ struct ndpi_workflow_prefs *prefs = NULL;
 struct ndpi_workflow *workflow = NULL;
 
 u_int32_t current_ndpi_memory = 0, max_ndpi_memory = 0;
-u_int8_t enable_protocol_guess = 1, enable_payload_analyzer = 0;
+u_int8_t enable_payload_analyzer = 0;
 u_int8_t enable_flow_stats = 1;
 u_int8_t human_readeable_string_len = 5;
 u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 80 /* due to telnet */;
diff --git a/fuzz/fuzz_process_packet.c b/fuzz/fuzz_process_packet.c
index 3f0694cf9..2098f4fd1 100644
--- a/fuzz/fuzz_process_packet.c
+++ b/fuzz/fuzz_process_packet.c
@@ -23,7 +23,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
   ndpi_protocol detected_protocol =
     ndpi_detection_process_packet(ndpi_info_mod, &ndpi_flow, Data, Size, 0, NULL);
   ndpi_protocol guessed_protocol =
-    ndpi_detection_giveup(ndpi_info_mod, &ndpi_flow, 1, &protocol_was_guessed);
+    ndpi_detection_giveup(ndpi_info_mod, &ndpi_flow, &protocol_was_guessed);
 
   ndpi_reset_serializer(&json_serializer);
   ndpi_reset_serializer(&csv_serializer);
diff --git a/fuzz/fuzz_readerutils_parseprotolist.cpp b/fuzz/fuzz_readerutils_parseprotolist.cpp
index c80ae8340..f4e7f0485 100644
--- a/fuzz/fuzz_readerutils_parseprotolist.cpp
+++ b/fuzz/fuzz_readerutils_parseprotolist.cpp
@@ -6,10 +6,8 @@
 #include <stdio.h>
 #include "fuzzer/FuzzedDataProvider.h"
 
-char *_debug_protocols;
-int nDPI_LogLevel = 0;
 u_int32_t current_ndpi_memory = 0, max_ndpi_memory = 0;
-u_int8_t enable_protocol_guess = 1, enable_payload_analyzer = 0;
+u_int8_t enable_payload_analyzer = 0;
 u_int8_t enable_flow_stats = 0;
 u_int8_t human_readeable_string_len = 5;
 u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 80 /* due to telnet */;
diff --git a/fuzz/fuzz_readerutils_workflow.cpp b/fuzz/fuzz_readerutils_workflow.cpp
index ed5238f75..d4d747374 100644
--- a/fuzz/fuzz_readerutils_workflow.cpp
+++ b/fuzz/fuzz_readerutils_workflow.cpp
@@ -9,7 +9,7 @@
 extern u_int8_t enable_doh_dot_detection;
 
 u_int32_t current_ndpi_memory = 0, max_ndpi_memory = 0;
-u_int8_t enable_protocol_guess = 1, enable_payload_analyzer = 0;
+u_int8_t enable_payload_analyzer = 0;
 u_int8_t enable_flow_stats = 0;
 u_int8_t human_readeable_string_len = 5;
 u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 80 /* due to telnet */;
diff --git a/python/ndpi/ndpi.py b/python/ndpi/ndpi.py
index 743b7a805..32d6ea595 100644
--- a/python/ndpi/ndpi.py
+++ b/python/ndpi/ndpi.py
@@ -57,10 +57,9 @@ class NDPI(object):
                              app_protocol=p.app_protocol,
                              category=p.category)
 
-    def giveup(self, flow, enable_guess=True):
+    def giveup(self, flow):
         p = lib.ndpi_detection_giveup(self._detection_module,
                                       flow.C,
-                                      enable_guess,
                                       ffi.new("uint8_t*", 0))
         return ndpi_protocol(C=p,
                              master_protocol=p.master_protocol,
diff --git a/python/ndpi/ndpi_build.py b/python/ndpi/ndpi_build.py
index 6c07731f4..a2af30716 100644
--- a/python/ndpi/ndpi_build.py
+++ b/python/ndpi/ndpi_build.py
@@ -60,7 +60,6 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
                                             const struct ndpi_flow_input_info *input_info);
 ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_struct,
                                     struct ndpi_flow_struct *flow,
-                                    u_int8_t enable_guess,
                                     u_int8_t *protocol_was_guessed);
 void ndpi_py_setup_detection_module(struct ndpi_detection_module_struct *mod);
 struct ndpi_flow_struct * ndpi_py_initialize_flow(void);
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
index 818228aac..ce94df0d5 100644
--- a/src/include/ndpi_api.h
+++ b/src/include/ndpi_api.h
@@ -290,14 +290,12 @@ extern "C" {
    *
    * @par    ndpi_struct  = the detection module
    * @par    flow         = the flow given for the detection module
-   * @par    enable_guess = guess protocol if unknown
    * @par    protocol_was_guessed = 1 if the protocol was guesses (requires enable_guess = 1), 0 otherwise
    * @return the detected protocol even if the flow is not completed;
    *
    */
   ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_struct,
 				      struct ndpi_flow_struct *flow,
-				      u_int8_t enable_guess,
 				      u_int8_t *protocol_was_guessed);
 
   /**
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
index 282deba2d..ed246c01f 100644
--- a/src/include/ndpi_private.h
+++ b/src/include/ndpi_private.h
@@ -167,6 +167,7 @@ struct ndpi_detection_module_config_struct {
   int fully_encrypted_heuristic;
   int track_payload_enabled;
   int libgcrypt_init;
+  int guess_on_giveup;
 
   char filename_config[CFG_MAX_LEN];
 
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 7fc5ce0de..0e8f7a25c 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -761,6 +761,8 @@ struct ndpi_lru_cache {
   struct ndpi_lru_cache_entry *entries;
 };
 
+#define NDPI_GIVEUP_GUESS_BY_PORT	0x01
+#define NDPI_GIVEUP_GUESS_BY_IP		0x02
 
 /* Aggressiveness values */
 
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index b22b6c68e..316b25ac2 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -7377,7 +7377,7 @@ static void ndpi_check_tcp_flags(struct ndpi_detection_module_struct *ndpi_str,
 /* ********************************************************************************* */
 
 ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow,
-				    u_int8_t enable_guess, u_int8_t *protocol_was_guessed) {
+				    u_int8_t *protocol_was_guessed) {
   ndpi_protocol ret = NDPI_PROTOCOL_NULL;
   u_int16_t cached_proto;
 
@@ -7448,7 +7448,8 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
   }
 
   /* Classification by-port */
-  if(enable_guess && ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) {
+  if((ndpi_str->cfg.guess_on_giveup & NDPI_GIVEUP_GUESS_BY_PORT) &&
+     ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) {
 
     /* Ignore guessed protocol if they have been discarded */
     if(flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN &&
@@ -7464,7 +7465,8 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
   }
 
   /* Classification by-ip, as last effort */
-  if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN &&
+  if((ndpi_str->cfg.guess_on_giveup & NDPI_GIVEUP_GUESS_BY_IP) &&
+     ret.app_protocol == NDPI_PROTOCOL_UNKNOWN &&
      flow->guessed_protocol_id_by_ip != NDPI_PROTOCOL_UNKNOWN) {
 
       ndpi_set_detected_protocol(ndpi_str, flow,
@@ -7929,7 +7931,7 @@ static int ndpi_do_guess(struct ndpi_detection_module_struct *ndpi_str, struct n
       if(flow->guessed_protocol_id_by_ip != NDPI_PROTOCOL_UNKNOWN) {
         u_int8_t protocol_was_guessed;
 
-        *ret = ndpi_detection_giveup(ndpi_str, flow, 0, &protocol_was_guessed);
+        *ret = ndpi_detection_giveup(ndpi_str, flow, &protocol_was_guessed);
       }
 
       ndpi_fill_protocol_category(ndpi_str, flow, ret);
@@ -10795,6 +10797,7 @@ static const struct cfg_param {
   { NULL,            "tcp_ack_payload_heuristic.enable",        "0", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tcp_ack_paylod_heuristic) },
   { NULL,            "fully_encrypted_heuristic.enable",        "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(fully_encrypted_heuristic) },
   { NULL,            "libgcrypt.init",                          "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(libgcrypt_init), },
+  { NULL,            "guess_on_giveup",                         "0x3", "0", "3", CFG_PARAM_INT, __OFF(guess_on_giveup) },
 
   { NULL,            "flow_risk_lists.load",                    "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(flow_risk_lists_enabled)},
 
diff --git a/tests/cfgs/guessing_disable/config.txt b/tests/cfgs/guessing_disable/config.txt
new file mode 100644
index 000000000..2838468eb
--- /dev/null
+++ b/tests/cfgs/guessing_disable/config.txt
@@ -0,0 +1 @@
+-d
diff --git a/tests/cfgs/guessing_disable/pcap/webex.pcap b/tests/cfgs/guessing_disable/pcap/webex.pcap
new file mode 120000
index 000000000..62642efaa
--- /dev/null
+++ b/tests/cfgs/guessing_disable/pcap/webex.pcap
@@ -0,0 +1 @@
+../../default/pcap/webex.pcap
+\ No newline at end of file
diff --git a/tests/cfgs/guessing_disable/result/webex.pcap.out b/tests/cfgs/guessing_disable/result/webex.pcap.out
new file mode 100644
index 000000000..df710f7a5
--- /dev/null
+++ b/tests/cfgs/guessing_disable/result/webex.pcap.out
@@ -0,0 +1,101 @@
+DPI Packets (TCP):	395	(7.18 pkts/flow)
+DPI Packets (UDP):	14	(7.00 pkts/flow)
+Confidence Unknown          : 4 (flows)
+Confidence DPI              : 53 (flows)
+Num dissector calls: 290 (5.09 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/12/0 (insert/search/found)
+LRU cache zoom:       0/0/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/75/0 (insert/search/found)
+LRU cache mining:     0/4/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache stun_zoom:  0/1/0 (insert/search/found)
+Automa host:          44/30 (search/found)
+Automa domain:        44/0 (search/found)
+Automa tls cert:      1/0 (search/found)
+Automa risk mask:     1/0 (search/found)
+Automa common alpns:  0/0 (search/found)
+Patricia risk mask:   92/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia risk IPv6:   0/0 (search/found)
+Patricia protocols:   78/54 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+Unknown	25	1701	4
+HTTP	22	3182	2
+TLS	250	28977	20
+SIP	22	15356	1
+Google	17	6375	1
+Webex	774	499515	29
+
+Safe                           250 28977         20           
+Acceptable                     835 524428        33           
+Unrated                         25 1701          4            
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 10.8.0.1                 	 6      
+
+
+	1	TCP 10.8.0.1:41348 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 6][cat: VoIP/10][28 pkts/4815 bytes <-> 28 pkts/104881 bytes][Goodput ratio: 68/99][2.76 sec][Hostname/SNI: radcom.webex.com][bytes ratio: -0.912 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 112/101 455/404 117/100][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 172/3746 590/18020 206/4700][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: f9010d8c34749bdf7659b52227e6f91b][JA4: t12d280600_519b4837d290_570a46b37db9][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Firefox][Cipher: TLS_RSA_WITH_RC4_128_MD5][Plen Bins: 0,3,0,0,3,0,0,3,0,0,0,0,0,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0,0,45]
+	2	TCP 10.8.0.1:41346 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 8][cat: VoIP/10][48 pkts/11540 bytes <-> 47 pkts/80696 bytes][Goodput ratio: 77/97][5.52 sec][Hostname/SNI: radcom.webex.com][bytes ratio: -0.750 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 104/138 1189/1223 220/218][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 240/1717 590/17734 233/3587][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: f9010d8c34749bdf7659b52227e6f91b][JA4: t12d280600_519b4837d290_570a46b37db9][ServerNames: *.webex.com][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Firefox][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_RC4_128_MD5][Plen Bins: 0,2,4,0,0,0,2,0,4,2,0,0,0,2,4,2,24,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,22,0,0,0,0,24]
+	3	TCP 10.8.0.1:41358 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 8][cat: VoIP/10][19 pkts/2005 bytes <-> 19 pkts/40477 bytes][Goodput ratio: 48/97][2.62 sec][bytes ratio: -0.906 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 144/154 1031/979 260/240][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 106/2130 590/8901 135/2682][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,16,0,0,5,0,0,0,0,0,5,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,34,0,0,0,0,34]
+	4	TCP 10.8.0.1:51194 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 6][cat: VoIP/10][12 pkts/1531 bytes <-> 12 pkts/34357 bytes][Goodput ratio: 56/98][3.76 sec][bytes ratio: -0.915 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/5 383/399 1876/1875 577/571][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 128/2863 528/14373 150/4304][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,18,0,0,9,9,0,0,0,0,9,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,45]
+	5	TCP 10.8.0.1:51155 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 6][cat: VoIP/10][21 pkts/2017 bytes <-> 22 pkts/32272 bytes][Goodput ratio: 43/96][5.83 sec][bytes ratio: -0.882 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/3 347/332 2165/2214 528/526][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 96/1467 528/10581 119/2498][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][PLAIN TEXT (sTTjbc)][Plen Bins: 0,9,4,4,0,4,9,4,0,9,9,0,0,0,4,4,0,4,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25]
+	6	TCP 10.8.0.1:41354 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 8][cat: VoIP/10][13 pkts/2145 bytes <-> 13 pkts/24239 bytes][Goodput ratio: 66/97][1.48 sec][bytes ratio: -0.837 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 108/139 519/469 176/158][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 165/1865 590/8448 193/2711][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,18,0,0,0,0,0,0,0,0,9,0,0,0,0,9,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0,36]
+	7	TCP 10.8.0.1:51154 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 6][cat: VoIP/10][55 pkts/12583 bytes <-> 50 pkts/6703 bytes][Goodput ratio: 76/60][68.57 sec][bytes ratio: 0.305 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1424/790 16039/7189 2911/1473][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 229/134 590/3961 154/547][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,5,40,16,1,11,3,1,0,0,5,0,3,0,0,1,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]
+	8	UDP 10.8.0.1:64538 -> 172.16.1.75:5060 [proto: 100/SIP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][22 pkts/15356 bytes -> 0 pkts/0 bytes][Goodput ratio: 94/0][95.92 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1008/0 4783/0 32494/0 6932/0][Pkt Len c2s/s2c min/avg/max/stddev: 698/0 698/0 698/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (REGISTER sip)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	9	TCP 10.8.0.1:51857 <-> 62.109.229.158:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 6][cat: VoIP/10][29 pkts/4559 bytes <-> 21 pkts/5801 bytes][Goodput ratio: 65/80][21.38 sec][bytes ratio: -0.120 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 796/452 6005/3010 1691/778][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 157/276 432/3961 108/830][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_128_CBC_SHA][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][JA4: t10d440400_e56d601e95ee_282f11336259][ServerNames: *.webex.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,13,17,13,4,4,30,0,0,0,4,4,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4]
+	10	TCP 10.8.0.1:46211 <-> 54.241.32.14:443 [proto: 91/TLS][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][DPI packets: 14][cat: Web/5][16 pkts/1984 bytes <-> 14 pkts/7584 bytes][Goodput ratio: 55/90][41.17 sec][Hostname/SNI: api.crittercism.com][bytes ratio: -0.585 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3166/655 34507/5259 9151/1546][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 124/542 590/1502 149/614][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][TLSv1][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][JA4: t10d350400_1f24bcc5f17d_a875e5012fde][ServerNames: *.crittercism.com,crittercism.com][JA3S: c800cea031c10ffe47e1d72c9264577a (INSECURE)][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA][Subject: OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.crittercism.com][Certificate SHA-1: 68:8B:FC:77:1E:CA:80:33:0C:A9:0E:29:A6:E4:0D:FC:3A:AE:43:18][Validity: 2015-01-14 00:00:00 - 2020-01-13 23:59:59][Cipher: TLS_RSA_WITH_RC4_128_MD5][Plen Bins: 8,8,8,0,0,0,8,8,0,8,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,8,0,0,0,0,16,0,8,0,0]
+	11	TCP 10.8.0.1:41386 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 6][cat: VoIP/10][9 pkts/1417 bytes <-> 8 pkts/6984 bytes][Goodput ratio: 64/94][3.96 sec][bytes ratio: -0.663 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/2 523/352 2070/1020 730/365][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 157/873 576/3993 179/1444][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,33,0,0,0,0,0,0,0,0,16,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33]
+	12	TCP 10.8.0.1:41419 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 6][cat: VoIP/10][7 pkts/1309 bytes <-> 7 pkts/6930 bytes][Goodput ratio: 70/95][1.07 sec][bytes ratio: -0.682 (Download)][IAT c2s/s2c min/avg/max/stddev: 4/51 160/195 357/356 154/126][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 187/990 576/3993 192/1508][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,33,0,0,0,0,0,0,0,0,16,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33]
+	13	TCP 10.8.0.1:52730 <-> 173.243.4.76:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 8][cat: VoIP/10][9 pkts/1369 bytes <-> 8 pkts/6621 bytes][Goodput ratio: 63/93][3.00 sec][bytes ratio: -0.657 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 385/312 2171/1116 743/396][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 152/828 528/2974 166/1099][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,28,0,0,0,0,0,0,0,0,14,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28]
+	14	TCP 10.8.0.1:44492 <-> 64.68.104.140:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 8][cat: VoIP/10][9 pkts/1369 bytes <-> 8 pkts/6600 bytes][Goodput ratio: 63/93][3.01 sec][bytes ratio: -0.656 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/16 386/312 2179/1125 746/385][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 152/825 528/2633 166/1028][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,28,0,0,0,0,0,0,0,0,14,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,28]
+	15	TCP 10.8.0.1:45814 <-> 62.109.231.3:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 8][cat: VoIP/10][8 pkts/1315 bytes <-> 8 pkts/6653 bytes][Goodput ratio: 66/93][0.78 sec][bytes ratio: -0.670 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 97/110 277/276 117/105][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 164/832 528/2581 172/1033][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,28,0,0,0,0,0,0,0,0,14,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,28]
+	16	TCP 10.8.0.1:47498 <-> 209.197.222.159:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 6][cat: VoIP/10][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][Goodput ratio: 68/94][3.10 sec][bytes ratio: -0.677 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 546/396 2119/1071 812/386][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 180/934 528/3961 179/1447][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,33,0,0,0,0,0,0,0,0,16,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33]
+	17	TCP 10.8.0.1:57647 <-> 64.68.121.153:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 6][cat: VoIP/10][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][Goodput ratio: 68/94][3.09 sec][bytes ratio: -0.677 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/1 545/396 2066/1021 793/377][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 180/934 528/3961 179/1447][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,33,0,0,0,0,0,0,0,0,16,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33]
+	18	TCP 10.8.0.1:37129 <-> 64.68.105.98:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 6][cat: VoIP/10][9 pkts/1369 bytes <-> 9 pkts/5838 bytes][Goodput ratio: 63/92][4.04 sec][bytes ratio: -0.620 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 534/640 3074/2046 1048/713][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 152/649 528/3993 166/1255][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,34,0,0,0,0,0,0,0,0,16,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,16]
+	19	TCP 10.8.0.1:51370 <-> 64.68.105.97:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 8][cat: VoIP/10][8 pkts/1315 bytes <-> 8 pkts/5784 bytes][Goodput ratio: 66/93][2.90 sec][bytes ratio: -0.630 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/5 433/304 2119/1065 772/366][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 164/723 528/2633 172/919][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,28,0,0,0,0,0,0,0,0,14,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,0,0,0,0,14]
+	20	TCP 10.8.0.1:55669 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 8][cat: VoIP/10][11 pkts/1830 bytes <-> 12 pkts/4811 bytes][Goodput ratio: 66/87][1.15 sec][bytes ratio: -0.449 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 113/139 555/553 189/186][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 166/401 590/2581 167/758][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][JA4: t10d440400_e56d601e95ee_282f11336259][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,22,0,0,11,11,11,0,0,0,11,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,11]
+	21	TCP 10.8.0.1:55665 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 6][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][Goodput ratio: 66/87][1.40 sec][bytes ratio: -0.451 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 127/190 512/509 170/160][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 163/432 590/3961 167/1117][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][JA4: t10d440400_e56d601e95ee_282f11336259][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,25,0,12,0,12,12,0,0,0,12,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12]
+	22	TCP 10.8.0.1:55671 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 6][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][Goodput ratio: 66/87][1.32 sec][bytes ratio: -0.451 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 118/180 470/468 157/151][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 163/432 590/3961 167/1117][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][JA4: t10d440400_e56d601e95ee_282f11336259][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,25,0,12,0,12,12,0,0,0,12,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12]
+	23	TCP 10.8.0.1:55687 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 6][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][Goodput ratio: 66/87][4.59 sec][bytes ratio: -0.451 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 305/639 1712/1786 557/738][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 163/432 590/3961 167/1117][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][JA4: t10d440400_e56d601e95ee_282f11336259][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,25,0,12,0,12,12,0,0,0,12,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12]
+	24	TCP 10.8.0.1:43433 <-> 216.58.208.40:443 [proto: 91.126/TLS.Google][IP: 126/Google][Encrypted][Confidence: DPI][DPI packets: 6][cat: Advertisement/101][9 pkts/1540 bytes <-> 8 pkts/4835 bytes][Goodput ratio: 67/91][3.85 sec][Hostname/SNI: ssl.google-analytics.com][bytes ratio: -0.517 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/1 389/621 1225/1224 477/511][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 171/604 590/3751 168/1199][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 75edb912bc6f0a222ae3e3e47f5c89b1][JA4: t12d200500_6e20beb92e8e_c70a3c84db07][ServerNames: *.google-analytics.com,app-measurement.com,google-analytics.com,googletagmanager.com,service.urchin.com,ssl.google-analytics.com,urchin.com,www.google-analytics.com,www.googletagmanager.com][JA3S: 389ed42c02ebecc32e73aa31def07e14][Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2][Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google-analytics.com][Certificate SHA-1: E0:F0:1E:71:F2:B5:D9:2D:F7:4E:8F:CB:10:37:17:7C:0C:C4:07:9D][Firefox][Validity: 2015-09-29 19:00:07 - 2015-12-28 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,14,14,0,0,14,14,0,0,0,0,14,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14]
+	25	TCP 10.8.0.1:51646 <-> 114.29.204.49:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 8][cat: VoIP/10][9 pkts/895 bytes <-> 8 pkts/4398 bytes][Goodput ratio: 43/90][3.11 sec][bytes ratio: -0.662 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 263/413 1025/1231 416/511][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 99/550 380/2581 101/889][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,40,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,20]
+	26	TCP 10.8.0.1:52219 <-> 64.68.121.100:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 6][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][Goodput ratio: 46/91][4.09 sec][bytes ratio: -0.678 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/10 301/484 1105/1237 425/496][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 105/625 380/3993 106/1375][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,50,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25]
+	27	TCP 10.8.0.1:55969 <-> 64.68.121.99:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 6][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][Goodput ratio: 46/91][4.08 sec][bytes ratio: -0.678 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/7 299/483 1096/1238 423/498][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 105/625 380/3993 106/1375][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,50,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25]
+	28	TCP 10.8.0.1:49048 <-> 23.44.253.243:443 [proto: 91.141/TLS.Webex][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: VoIP/10][7 pkts/1181 bytes <-> 7 pkts/4021 bytes][Goodput ratio: 66/91][0.77 sec][bytes ratio: -0.546 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/9 125/129 463/394 174/138][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 169/574 448/2957 158/989][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][ServerNames: www.webex.com.au,www.webex.ca,www.webex.de,www.webex.com.hk,www.webex.co.in,www.webex.co.it,www.webex.co.jp,www.webex.com.mx,www.webex.co.uk,m.webex.com,signup.webex.com,signup.webex.co.uk,signup.webex.de,mytrial.webex.com,mytrial.webex.com.mx,mytrial.webex.co.in,mytrial.webex.com.au,mytrial.webex.co.jp,support.webex.com,howdoi.webex.com,kb.webex.com,myresources.webex.com,invoices.webex.com,try.webex.com,buyonline.webex.com,buyonline.webex.de,buyonline.webex.co.uk,tempbol.webex.com,tempsupport.webex.com,www.webex.com,webex.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA][Subject: C=US, ST=California, L=San Jose, O=Cisco Systems, OU=IT, CN=www.webex.com][Certificate SHA-1: EE:CE:24:B7:67:4D:F0:3F:16:80:F8:DC:E3:53:45:5F:3E:41:25:CD][Validity: 2014-12-18 08:27:59 - 2016-02-19 21:32:06][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,16,0,0,0,0,0,16,0,0,16,0,16,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16]
+	29	TCP 10.8.0.1:47116 <-> 114.29.202.139:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 8][cat: VoIP/10][7 pkts/461 bytes <-> 6 pkts/4231 bytes][Goodput ratio: 14/92][4.09 sec][bytes ratio: -0.803 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/14 596/745 1927/1038 776/424][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 66/705 117/2896 22/1054][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,33]
+	30	TCP 10.8.0.1:47841 <-> 114.29.200.11:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 6][cat: VoIP/10][6 pkts/407 bytes <-> 5 pkts/4177 bytes][Goodput ratio: 15/94][4.08 sec][bytes ratio: -0.822 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 1018/992 2975/1922 1214/785][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 68/835 117/3961 23/1563][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50]
+	31	TCP 10.8.0.1:33551 <-> 80.74.110.68:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Web/5][10 pkts/1465 bytes <-> 11 pkts/1065 bytes][Goodput ratio: 62/44][0.54 sec][bytes ratio: 0.158 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 77/77 283/252 98/86][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 146/97 590/396 161/102][Risk: ** Obsolete TLS (v1.1 or older) **** Malicious JA3 Fingerp. **][Risk Score: 150][Risk Info: TLSv1 / dff8a0aa1c904aaea76c5bf624e88333][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA4: t10d350200_1f24bcc5f17d_33a13ba74d1c][JA3S: 6dfe5eb347aa509fc445e5628d467a2b (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5][Plen Bins: 14,14,14,0,14,0,14,0,0,0,14,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	32	TCP 10.8.0.1:33553 <-> 80.74.110.68:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Web/5][10 pkts/1388 bytes <-> 10 pkts/1087 bytes][Goodput ratio: 60/50][13.16 sec][bytes ratio: 0.122 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1644/1879 10453/11491 3421/3952][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 139/109 590/472 163/127][Risk: ** Obsolete TLS (v1.1 or older) **** Malicious JA3 Fingerp. **][Risk Score: 150][Risk Info: TLSv1 / dff8a0aa1c904aaea76c5bf624e88333][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA4: t10d350200_1f24bcc5f17d_33a13ba74d1c][JA3S: 6dfe5eb347aa509fc445e5628d467a2b (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5][Plen Bins: 28,14,0,0,14,0,14,0,0,0,0,0,0,14,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	33	TCP 10.8.0.1:33512 <-> 80.74.110.68:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Web/5][9 pkts/1357 bytes <-> 9 pkts/615 bytes][Goodput ratio: 63/21][59.53 sec][bytes ratio: 0.376 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8504/9920 59268/59268 20725/22069][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 151/68 590/183 168/41][Risk: ** Obsolete TLS (v1.1 or older) **** Malicious JA3 Fingerp. **][Risk Score: 150][Risk Info: TLSv1 / dff8a0aa1c904aaea76c5bf624e88333][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA4: t10d350200_1f24bcc5f17d_33a13ba74d1c][JA3S: 6dfe5eb347aa509fc445e5628d467a2b (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5][Plen Bins: 16,34,0,0,16,0,16,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	34	TCP 10.8.0.1:33554 <-> 80.74.110.68:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Web/5][9 pkts/1357 bytes <-> 9 pkts/615 bytes][Goodput ratio: 63/21][13.15 sec][bytes ratio: 0.376 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/1 1877/2190 12884/12885 4494/4783][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 151/68 590/183 168/41][Risk: ** Obsolete TLS (v1.1 or older) **** Malicious JA3 Fingerp. **][Risk Score: 150][Risk Info: TLSv1 / dff8a0aa1c904aaea76c5bf624e88333][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA4: t10d350200_1f24bcc5f17d_33a13ba74d1c][JA3S: 6dfe5eb347aa509fc445e5628d467a2b (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5][Plen Bins: 16,34,0,0,16,0,16,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	35	TCP 10.8.0.1:59756 <-> 78.46.237.91:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 8][cat: Web/5][6 pkts/970 bytes <-> 6 pkts/821 bytes][Goodput ratio: 64/60][41.15 sec][Hostname/SNI: cp.pushwoosh.com][bytes ratio: 0.083 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 8230/114 40802/243 16286/100][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 162/137 590/551 194/185][URL: cp.pushwoosh.com/json/1.3/registerDevice][StatusCode: 200][Req Content-Type: application/json][Content-Type: application/json][Server: nginx/1.6.3][User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; LG-D855 Build/KVT49L.A1412087656)][Risk: ** HTTP Obsolete Server **][Risk Score: 50][Risk Info: Obsolete nginx server 1.6.3][PLAIN TEXT (POST /j)][Plen Bins: 0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,33,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	36	TCP 10.8.0.1:33559 <-> 80.74.110.68:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Web/5][7 pkts/1280 bytes <-> 6 pkts/453 bytes][Goodput ratio: 69/28][1.57 sec][bytes ratio: 0.477 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 314/390 1555/1504 621/643][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 183/76 590/183 180/48][Risk: ** Obsolete TLS (v1.1 or older) **** Malicious JA3 Fingerp. **][Risk Score: 150][Risk Info: TLSv1 / dff8a0aa1c904aaea76c5bf624e88333][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA4: t10d350200_1f24bcc5f17d_33a13ba74d1c][JA3S: 6dfe5eb347aa509fc445e5628d467a2b (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5][Plen Bins: 0,20,20,0,20,0,20,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	37	TCP 10.8.0.1:59757 <-> 78.46.237.91:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Web/5][5 pkts/624 bytes <-> 5 pkts/767 bytes][Goodput ratio: 53/65][41.15 sec][Hostname/SNI: cp.pushwoosh.com][bytes ratio: -0.103 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 5/105 10286/13713 40778/40779 17605/19138][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 125/153 388/551 132/199][URL: cp.pushwoosh.com/json/1.3/applicationOpen][StatusCode: 200][Req Content-Type: application/json][Content-Type: application/json][Server: nginx/1.6.3][User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; LG-D855 Build/KVT49L.A1412087656)][Risk: ** HTTP Obsolete Server **][Risk Score: 50][Risk Info: Obsolete nginx server 1.6.3][PLAIN TEXT (POST /j)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	38	TCP 10.8.0.1:41350 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 8][cat: VoIP/10][6 pkts/614 bytes <-> 5 pkts/399 bytes][Goodput ratio: 44/32][0.51 sec][Hostname/SNI: radcom.webex.com][bytes ratio: 0.212 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/4 101/149 442/392 172/173][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 102/80 281/146 81/36][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: f9010d8c34749bdf7659b52227e6f91b][JA4: t12d280600_519b4837d290_570a46b37db9][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Firefox][Cipher: TLS_RSA_WITH_RC4_128_MD5][Plen Bins: 0,50,25,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	39	TCP 10.8.0.1:41351 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 6][cat: VoIP/10][5 pkts/560 bytes <-> 4 pkts/345 bytes][Goodput ratio: 48/37][0.45 sec][Hostname/SNI: radcom.webex.com][bytes ratio: 0.238 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 112/148 444/442 192/208][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 112/86 281/183 86/56][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: f9010d8c34749bdf7659b52227e6f91b][JA4: t12d280600_519b4837d290_570a46b37db9][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Firefox][Cipher: TLS_RSA_WITH_RC4_128_MD5][Plen Bins: 0,33,0,0,33,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	40	TCP 10.8.0.1:51190 <-> 62.109.224.120:443 [proto: 91/TLS][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 11][cat: Web/5][7 pkts/501 bytes <-> 4 pkts/216 bytes][Goodput ratio: 13/0][2.03 sec][bytes ratio: 0.397 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 405/1 1009/1 490/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 72/54 117/54 21/0][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	41	TCP 10.8.0.1:37139 <-> 64.68.105.98:443 [proto: 91/TLS][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 11][cat: Web/5][6 pkts/427 bytes <-> 5 pkts/270 bytes][Goodput ratio: 15/0][5.40 sec][bytes ratio: 0.225 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/24 1079/2662 5297/5301 2109/2638][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 71/54 117/54 22/0][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	42	TCP 10.8.0.1:41394 <-> 64.68.105.103:443 [proto: 91/TLS][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 11][cat: Web/5][6 pkts/427 bytes <-> 5 pkts/270 bytes][Goodput ratio: 15/0][12.04 sec][bytes ratio: 0.225 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/11 2407/5982 11950/11953 4771/5971][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 71/54 117/54 22/0][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	43	TCP 10.8.0.1:41757 <-> 114.29.213.212:443 [proto: 91/TLS][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 11][cat: Web/5][6 pkts/427 bytes <-> 5 pkts/270 bytes][Goodput ratio: 15/0][5.42 sec][bytes ratio: 0.225 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/39 1083/2667 5292/5295 2105/2628][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 71/54 117/54 22/0][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	44	TCP 10.8.0.1:47135 <-> 114.29.202.139:443 [proto: 91/TLS][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 11][cat: Web/5][6 pkts/427 bytes <-> 5 pkts/270 bytes][Goodput ratio: 15/0][5.43 sec][bytes ratio: 0.225 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/48 1085/2670 5289/5293 2102/2622][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 71/54 117/54 22/0][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	45	TCP 10.8.0.1:51134 <-> 62.109.224.120:443 [proto: 91/TLS][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 11][cat: Web/5][6 pkts/427 bytes <-> 5 pkts/270 bytes][Goodput ratio: 15/0][30.04 sec][bytes ratio: 0.225 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/7 6007/14985 29960/29963 11976/14978][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 71/54 117/54 22/0][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	46	TCP 10.8.0.1:51135 <-> 62.109.224.120:443 [proto: 91/TLS][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 11][cat: Web/5][6 pkts/427 bytes <-> 5 pkts/270 bytes][Goodput ratio: 15/0][30.03 sec][bytes ratio: 0.225 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/3 6007/14984 29964/29966 11979/14982][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 71/54 117/54 22/0][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	47	TCP 10.8.0.1:51676 <-> 114.29.204.49:443 [proto: 91/TLS][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 11][cat: Web/5][6 pkts/427 bytes <-> 5 pkts/270 bytes][Goodput ratio: 15/0][5.41 sec][bytes ratio: 0.225 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/32 1080/2665 5295/5298 2107/2633][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 71/54 117/54 22/0][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	48	TCP 10.8.0.1:33511 <-> 80.74.110.68:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 8][cat: Web/5][4 pkts/452 bytes <-> 4 pkts/216 bytes][Goodput ratio: 48/0][59.48 sec][bytes ratio: 0.353 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/22 19827/29739 59456/59456 28022/29717][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 113/54 270/54 91/0][Risk: ** Obsolete TLS (v1.1 or older) **** Malicious JA3 Fingerp. **][Risk Score: 150][Risk Info: TLSv1 / dff8a0aa1c904aaea76c5bf624e88333][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA4: t10d350200_1f24bcc5f17d_33a13ba74d1c][Plen Bins: 0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	49	TCP 10.8.0.1:51833 <-> 62.109.229.158:443 [proto: 91/TLS][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 8][cat: Web/5][4 pkts/423 bytes <-> 4 pkts/216 bytes][Goodput ratio: 44/0][15.00 sec][bytes ratio: 0.324 (Upload)][IAT c2s/s2c min/avg/max/stddev: 5/51 4998/7496 14940/14942 7030/7446][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 106/54 241/54 79/0][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][JA4: t10d440400_e56d601e95ee_282f11336259][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	50	TCP 10.8.0.1:51839 <-> 62.109.229.158:443 [proto: 91/TLS][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 8][cat: Web/5][4 pkts/423 bytes <-> 4 pkts/216 bytes][Goodput ratio: 44/0][15.14 sec][bytes ratio: 0.324 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/50 5044/7566 15081/15081 7097/7515][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 106/54 241/54 79/0][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][JA4: t10d440400_e56d601e95ee_282f11336259][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	51	TCP 10.8.0.1:41726 <-> 114.29.213.212:443 [proto: 91/TLS][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 8][cat: Web/5][4 pkts/299 bytes <-> 4 pkts/216 bytes][Goodput ratio: 21/0][2.09 sec][bytes ratio: 0.161 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 3/3 695/1040 2078/2078 978/1038][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 75/54 117/54 26/0][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	52	TCP 10.8.0.1:51195 <-> 62.109.224.120:443 [proto: 91/TLS][IP: 141/Webex][Encrypted][Confidence: DPI][DPI packets: 5][cat: Web/5][3 pkts/245 bytes <-> 2 pkts/108 bytes][Goodput ratio: 26/0][0.01 sec][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][JA4: t10d020200_f2d8273d9564_18d1e47e0978][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	53	TCP 10.133.206.47:33459 <-> 80.74.110.68:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: Web/5][3 pkts/209 bytes <-> 2 pkts/108 bytes][Goodput ratio: 11/0][0.06 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+
+
+Undetected flows:
+	1	UDP 10.8.0.1:51772 <-> 62.109.229.158:9000 [proto: 0/Unknown][IP: 141/Webex][ClearText][Confidence: Unknown][DPI packets: 13][14 pkts/1071 bytes <-> 2 pkts/100 bytes][Goodput ratio: 45/16][20.24 sec][bytes ratio: 0.829 (Upload)][IAT c2s/s2c min/avg/max/stddev: 122/117 1602/117 8966/117 2266/0][Pkt Len c2s/s2c min/avg/max/stddev: 47/50 76/50 84/50 14/0][Plen Bins: 31,68,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	2	TCP 10.8.0.1:51859 <-> 62.109.229.158:443 [proto: 0/Unknown][IP: 141/Webex][ClearText][Confidence: Unknown][DPI packets: 3][2 pkts/128 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0/0][1.00 sec][Risk: ** TCP Connection Issues **][Risk Score: 50][Risk Info: Connection refused (client)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	3	TCP 10.133.206.47:54651 <-> 185.63.147.10:443 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 3][1 pkts/66 bytes <-> 2 pkts/108 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	4	TCP 10.133.206.47:59447 <-> 107.20.242.44:443 [proto: 0/Unknown][IP: 265/AmazonAWS][ClearText][Confidence: Unknown][DPI packets: 3][1 pkts/66 bytes <-> 2 pkts/108 bytes][Goodput ratio: 0/0][0.00 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
author	Nardi Ivan <nardi.ivan@gmail.com>	2024-01-10 11:46:57 +0100
committer	Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>	2024-01-18 10:21:24 +0100
commit	0712d496fe63fd16f8e943a438c57f75d8cae880 (patch)
tree	5102d4c3de8250cd16f52658de3f0dad55554c7c
parent	6c85f10cd5a29346522ad647a38066f0cc44e5a7 (diff)