diff options
| author | Luca Deri <deri@ntop.org> | 2021-03-19 22:20:52 +0100 |
|---|---|---|
| committer | Luca Deri <deri@ntop.org> | 2021-03-19 22:20:52 +0100 |
| commit | e2c3445a204c39c152bd3ae93a73f0cf2e57d286 (patch) | |
| tree | f83ee334359cd7fe278ff9359f09cfec0219ad00 | |
| parent | 61f7ec1696b7c12faa96ff35698ad7d468f2837b (diff) | |
Reworked JA3
| -rw-r--r-- | src/lib/protocols/tls.c | 286 | ||||
| -rw-r--r-- | tests/result/alexa-app.pcapng.out | 94 | ||||
| -rw-r--r-- | tests/result/dtls_certificate_fragments.pcap.out | 2 |
3 files changed, 235 insertions, 147 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 50a96749b..ee7d5a65c 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -1,5 +1,5 @@ /* - * tls.c - SSL/TLS/DTLS dissector + * tls.c - TLS/TLS/DTLS dissector * * Copyright (C) 2016-21 - ntop.org * @@ -47,6 +47,34 @@ extern int is_version_with_var_int_transport_params(uint32_t version); /* #define DEBUG_FINGERPRINT 1 */ /* #define DEBUG_ENCRYPTED_SNI 1 */ +/* **************************************** */ + +/* https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 */ + +#define JA3_STR_LEN 1024 +#define MAX_NUM_JA3 512 +#define MAX_JA3_STRLEN 256 + +union ja3_info { + struct { + u_int16_t tls_handshake_version; + u_int16_t num_cipher, cipher[MAX_NUM_JA3]; + u_int16_t num_tls_extension, tls_extension[MAX_NUM_JA3]; + u_int16_t num_elliptic_curve, elliptic_curve[MAX_NUM_JA3]; + u_int16_t num_elliptic_curve_point_format, elliptic_curve_point_format[MAX_NUM_JA3]; + char signature_algorithms[MAX_JA3_STRLEN], supported_versions[MAX_JA3_STRLEN], alpn[MAX_JA3_STRLEN]; + } client; + + struct { + u_int16_t tls_handshake_version; + u_int16_t num_cipher, cipher[MAX_NUM_JA3]; + u_int16_t num_tls_extension, tls_extension[MAX_NUM_JA3]; + u_int16_t tls_supported_version; + u_int16_t num_elliptic_curve_point_format, elliptic_curve_point_format[MAX_NUM_JA3]; + char alpn[MAX_JA3_STRLEN]; + } server; /* Used for JA3+ */ +}; + /* NOTE @@ -87,7 +115,7 @@ static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_st case NDPI_PROTOCOL_TLS: { /* - In case of SSL there are probably sub-protocols + In case of TLS there are probably sub-protocols such as IMAPS that can be otherwise detected */ u_int16_t sport = ntohs(packet->tcp->source); @@ -1006,27 +1034,10 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp /* **************************************** */ -/* https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 */ - -#define JA3_STR_LEN 1024 -#define MAX_NUM_JA3 512 -#define MAX_JA3_STRLEN 256 - -struct ja3_info { - u_int16_t tls_handshake_version; - u_int16_t num_cipher, cipher[MAX_NUM_JA3]; - u_int16_t num_tls_extension, tls_extension[MAX_NUM_JA3]; - u_int16_t num_elliptic_curve, elliptic_curve[MAX_NUM_JA3]; - u_int16_t num_elliptic_curve_point_format, elliptic_curve_point_format[MAX_NUM_JA3]; - char signature_algorithms[MAX_JA3_STRLEN], supported_versions[MAX_JA3_STRLEN], alpn[MAX_JA3_STRLEN]; -}; - -/* **************************************** */ - int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, uint32_t quic_version) { struct ndpi_packet_struct *packet = &flow->packet; - struct ja3_info ja3; + union ja3_info ja3; u_int8_t invalid_ja3 = 0; u_int16_t tls_version, ja3_str_len; char ja3_str[JA3_STR_LEN]; @@ -1040,7 +1051,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, int is_dtls = packet->udp && (!is_quic); #ifdef DEBUG_TLS - printf("SSL %s() called\n", __FUNCTION__); + printf("TLS %s() called\n", __FUNCTION__); #endif memset(&ja3, 0, sizeof(ja3)); @@ -1063,23 +1074,22 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, session_id_len = packet->payload[base_offset]; #ifdef DEBUG_TLS - printf("SSL [len: %u][handshake_type: %02X]\n", packet->payload_packet_len, handshake_type); + printf("TLS [len: %u][handshake_type: %02X]\n", packet->payload_packet_len, handshake_type); #endif tls_version = ntohs(*((u_int16_t*)&packet->payload[version_offset])); - flow->protos.tls_quic_stun.tls_quic.ssl_version = ja3.tls_handshake_version = tls_version; - if(flow->protos.tls_quic_stun.tls_quic.ssl_version < 0x0302) /* TLSv1.1 */ - ndpi_set_risk(flow, NDPI_TLS_OBSOLETE_VERSION); if(handshake_type == 0x02 /* Server Hello */) { int i, rc; + ja3.server.tls_handshake_version = tls_version; + #ifdef DEBUG_TLS - printf("SSL Server Hello [version: 0x%04X]\n", tls_version); + printf("TLS Server Hello [version: 0x%04X]\n", tls_version); #endif /* - The server hello decides about the SSL version of this flow + The server hello decides about the TLS version of this flow https://networkengineering.stackexchange.com/questions/55752/why-does-wireshark-show-version-tls-1-2-here-instead-of-tls-1-3 */ if(packet->udp) @@ -1092,14 +1102,14 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if((offset+3) > packet->payload_packet_len) return(0); /* Not found */ - ja3.num_cipher = 1, ja3.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset])); - if((flow->protos.tls_quic_stun.tls_quic.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0])) == 1) + ja3.server.num_cipher = 1, ja3.server.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset])); + if((flow->protos.tls_quic_stun.tls_quic.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.server.cipher[0])) == 1) ndpi_set_risk(flow, NDPI_TLS_WEAK_CIPHER); - flow->protos.tls_quic_stun.tls_quic.server_cipher = ja3.cipher[0]; + flow->protos.tls_quic_stun.tls_quic.server_cipher = ja3.server.cipher[0]; #ifdef DEBUG_TLS - printf("TLS [server][session_id_len: %u][cipher: %04X]\n", session_id_len, ja3.cipher[0]); + printf("TLS [server][session_id_len: %u][cipher: %04X]\n", session_id_len, ja3.server.cipher[0]); #endif offset += 2 + 1; @@ -1122,8 +1132,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, extension_id = ntohs(*((u_int16_t*)&packet->payload[offset])); extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+2])); - if(ja3.num_tls_extension < MAX_NUM_JA3) - ja3.tls_extension[ja3.num_tls_extension++] = extension_id; + if(ja3.server.num_tls_extension < MAX_NUM_JA3) + ja3.server.tls_extension[ja3.server.num_tls_extension++] = extension_id; #ifdef DEBUG_TLS printf("TLS [server][extension_id: %u/0x%04X][len: %u]\n", @@ -1138,17 +1148,95 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, printf("TLS [server] [TLS version: 0x%04X]\n", tls_version); #endif - flow->protos.tls_quic_stun.tls_quic.ssl_version = tls_version; + flow->protos.tls_quic_stun.tls_quic.ssl_version = ja3.server.tls_supported_version = tls_version; } - } + } else if(extension_id == 16 /* application_layer_protocol_negotiation (ALPN) */) { + u_int16_t s_offset = offset+4; + u_int16_t tot_alpn_len = ntohs(*((u_int16_t*)&packet->payload[s_offset])); + char alpn_str[256]; + u_int8_t alpn_str_len = 0, i; + +#ifdef DEBUG_TLS + printf("Server TLS [ALPN: block_len=%u/len=%u]\n", extension_len, tot_alpn_len); +#endif + s_offset += 2; + tot_alpn_len += s_offset; + + while(s_offset < tot_alpn_len && s_offset < total_len) { + u_int8_t alpn_i, alpn_len = packet->payload[s_offset++]; + + if((s_offset + alpn_len) <= tot_alpn_len) { +#ifdef DEBUG_TLS + printf("Server TLS [ALPN: %u]\n", alpn_len); +#endif + + if((alpn_str_len+alpn_len+1) < (sizeof(alpn_str)-1)) { + if(alpn_str_len > 0) { + alpn_str[alpn_str_len] = ','; + alpn_str_len++; + } + + for(alpn_i=0; alpn_i<alpn_len; alpn_i++) + alpn_str[alpn_str_len+alpn_i] = packet->payload[s_offset+alpn_i]; + + s_offset += alpn_len, alpn_str_len += alpn_len;; + } else + break; + } else + break; + } /* while */ + + alpn_str[alpn_str_len] = '\0'; + +#ifdef DEBUG_TLS + printf("Server TLS [ALPN: %s][len: %u]\n", alpn_str, alpn_str_len); +#endif + if(flow->protos.tls_quic_stun.tls_quic.alpn == NULL) + flow->protos.tls_quic_stun.tls_quic.alpn = ndpi_strdup(alpn_str); + + snprintf(ja3.server.alpn, sizeof(ja3.server.alpn), "%s", alpn_str); + + /* Replace , with - as in JA3 */ + for(i=0; ja3.server.alpn[i] != '\0'; i++) + if(ja3.server.alpn[i] == ',') ja3.server.alpn[i] = '-'; + } else if(extension_id == 11 /* ec_point_formats groups */) { + u_int16_t s_offset = offset+4 + 1; + +#ifdef DEBUG_TLS + printf("Server TLS [EllipticCurveFormat: len=%u]\n", extension_len); +#endif + if((s_offset+extension_len-1) <= total_len) { + for(i=0; i<extension_len-1; i++) { + u_int8_t s_group = packet->payload[s_offset+i]; + +#ifdef DEBUG_TLS + printf("Server TLS [EllipticCurveFormat: %u]\n", s_group); +#endif + + if(ja3.server.num_elliptic_curve_point_format < MAX_NUM_JA3) + ja3.server.elliptic_curve_point_format[ja3.server.num_elliptic_curve_point_format++] = s_group; + else { + invalid_ja3 = 1; +#ifdef DEBUG_TLS + printf("Server TLS Invalid num elliptic %u\n", ja3.server.num_elliptic_curve_point_format); +#endif + } + } + } else { + invalid_ja3 = 1; +#ifdef DEBUG_TLS + printf("Server TLS Invalid len %u vs %u\n", s_offset+extension_len, total_len); +#endif + } + } i += 4 + extension_len, offset += 4 + extension_len; - } + } /* for */ - ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version); + ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.server.tls_handshake_version); - for(i=0; i<ja3.num_cipher; i++) { - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]); + for(i=0; i<ja3.server.num_cipher; i++) { + rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.server.cipher[i]); if(rc <= 0) break; else ja3_str_len += rc; } @@ -1158,17 +1246,13 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, /* ********** */ - for(i=0; i<ja3.num_tls_extension; i++) { - int rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.tls_extension[i]); + for(i=0; i<ja3.server.num_tls_extension; i++) { + int rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.server.tls_extension[i]); if(rc <= 0) break; else ja3_str_len += rc; } #ifdef DEBUG_TLS - printf("TLS [server] %s\n", ja3_str); -#endif - -#ifdef DEBUG_TLS printf("[JA3] Server: %s \n", ja3_str); #endif @@ -1189,6 +1273,10 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t cipher_len, cipher_offset; u_int8_t cookie_len = 0; + flow->protos.tls_quic_stun.tls_quic.ssl_version = ja3.client.tls_handshake_version = tls_version; + if(flow->protos.tls_quic_stun.tls_quic.ssl_version < 0x0302) /* TLSv1.1 */ + ndpi_set_risk(flow, NDPI_TLS_OBSOLETE_VERSION); + if((session_id_len+base_offset+3) > packet->payload_packet_len) return(0); /* Not found */ @@ -1207,7 +1295,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, } #ifdef DEBUG_TLS - printf("Client SSL [client cipher_len: %u][tls_version: 0x%04X]\n", cipher_len, tls_version); + printf("Client TLS [client cipher_len: %u][tls_version: 0x%04X]\n", cipher_len, tls_version); #endif if((cipher_offset+cipher_len) <= total_len) { @@ -1215,7 +1303,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t *id = (u_int16_t*)&packet->payload[cipher_offset+i]; #ifdef DEBUG_TLS - printf("Client SSL [cipher suite: %u/0x%04X] [%d/%u]\n", ntohs(*id), ntohs(*id), i, cipher_len); + printf("Client TLS [cipher suite: %u/0x%04X] [%d/%u]\n", ntohs(*id), ntohs(*id), i, cipher_len); #endif if((*id == 0) || (packet->payload[cipher_offset+i] != packet->payload[cipher_offset+i+1])) { /* @@ -1223,12 +1311,12 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 */ - if(ja3.num_cipher < MAX_NUM_JA3) - ja3.cipher[ja3.num_cipher++] = ntohs(*id); + if(ja3.client.num_cipher < MAX_NUM_JA3) + ja3.client.cipher[ja3.client.num_cipher++] = ntohs(*id); else { invalid_ja3 = 1; #ifdef DEBUG_TLS - printf("Client SSL Invalid cipher %u\n", ja3.num_cipher); + printf("Client TLS Invalid cipher %u\n", ja3.client.num_cipher); #endif } } @@ -1238,7 +1326,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, } else { invalid_ja3 = 1; #ifdef DEBUG_TLS - printf("Client SSL Invalid len %u vs %u\n", (cipher_offset+cipher_len), total_len); + printf("Client TLS Invalid len %u vs %u\n", (cipher_offset+cipher_len), total_len); #endif } @@ -1253,7 +1341,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, offset++; #ifdef DEBUG_TLS - printf("Client SSL [compression_len: %u]\n", compression_len); + printf("Client TLS [compression_len: %u]\n", compression_len); #endif // offset += compression_len + 3; @@ -1264,7 +1352,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, offset += 2; #ifdef DEBUG_TLS - printf("Client SSL [extensions_len: %u]\n", extensions_len); + printf("Client TLS [extensions_len: %u]\n", extensions_len); #endif if((extensions_len+offset) <= total_len) { @@ -1283,18 +1371,18 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, extension_offset += 2; #ifdef DEBUG_TLS - printf("Client SSL [extension_id: %u][extension_len: %u]\n", extension_id, extension_len); + printf("Client TLS [extension_id: %u][extension_len: %u]\n", extension_id, extension_len); #endif if((extension_id == 0) || (packet->payload[extn_off] != packet->payload[extn_off+1])) { /* Skip GREASE */ - if(ja3.num_tls_extension < MAX_NUM_JA3) - ja3.tls_extension[ja3.num_tls_extension++] = extension_id; + if(ja3.client.num_tls_extension < MAX_NUM_JA3) + ja3.client.tls_extension[ja3.client.num_tls_extension++] = extension_id; else { invalid_ja3 = 1; #ifdef DEBUG_TLS - printf("Client SSL Invalid extensions %u\n", ja3.num_tls_extension); + printf("Client TLS Invalid extensions %u\n", ja3.client.num_tls_extension); #endif } } @@ -1361,7 +1449,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t s_offset = offset+extension_offset + 2; #ifdef DEBUG_TLS - printf("Client SSL [EllipticCurveGroups: len=%u]\n", extension_len); + printf("Client TLS [EllipticCurveGroups: len=%u]\n", extension_len); #endif if((s_offset+extension_len-2) <= total_len) { @@ -1369,16 +1457,16 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t s_group = ntohs(*((u_int16_t*)&packet->payload[s_offset+i])); #ifdef DEBUG_TLS - printf("Client SSL [EllipticCurve: %u/0x%04X]\n", s_group, s_group); + printf("Client TLS [EllipticCurve: %u/0x%04X]\n", s_group, s_group); #endif if((s_group == 0) || (packet->payload[s_offset+i] != packet->payload[s_offset+i+1])) { /* Skip GREASE */ - if(ja3.num_elliptic_curve < MAX_NUM_JA3) - ja3.elliptic_curve[ja3.num_elliptic_curve++] = s_group; + if(ja3.client.num_elliptic_curve < MAX_NUM_JA3) + ja3.client.elliptic_curve[ja3.client.num_elliptic_curve++] = s_group; else { invalid_ja3 = 1; #ifdef DEBUG_TLS - printf("Client SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve); + printf("Client TLS Invalid num elliptic %u\n", ja3.client.num_elliptic_curve); #endif } } @@ -1388,36 +1476,36 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, } else { invalid_ja3 = 1; #ifdef DEBUG_TLS - printf("Client SSL Invalid len %u vs %u\n", (s_offset+extension_len-1), total_len); + printf("Client TLS Invalid len %u vs %u\n", (s_offset+extension_len-1), total_len); #endif } } else if(extension_id == 11 /* ec_point_formats groups */) { u_int16_t s_offset = offset+extension_offset + 1; #ifdef DEBUG_TLS - printf("Client SSL [EllipticCurveFormat: len=%u]\n", extension_len); + printf("Client TLS [EllipticCurveFormat: len=%u]\n", extension_len); #endif if((s_offset+extension_len-1) <= total_len) { for(i=0; i<extension_len-1; i++) { u_int8_t s_group = packet->payload[s_offset+i]; #ifdef DEBUG_TLS - printf("Client SSL [EllipticCurveFormat: %u]\n", s_group); + printf("Client TLS [EllipticCurveFormat: %u]\n", s_group); #endif - if(ja3.num_elliptic_curve_point_format < MAX_NUM_JA3) - ja3.elliptic_curve_point_format[ja3.num_elliptic_curve_point_format++] = s_group; + if(ja3.client.num_elliptic_curve_point_format < MAX_NUM_JA3) + ja3.client.elliptic_curve_point_format[ja3.client.num_elliptic_curve_point_format++] = s_group; else { invalid_ja3 = 1; #ifdef DEBUG_TLS - printf("Client SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve_point_format); + printf("Client TLS Invalid num elliptic %u\n", ja3.client.num_elliptic_curve_point_format); #endif } } } else { invalid_ja3 = 1; #ifdef DEBUG_TLS - printf("Client SSL Invalid len %u vs %u\n", s_offset+extension_len, total_len); + printf("Client TLS Invalid len %u vs %u\n", s_offset+extension_len, total_len); #endif } } else if(extension_id == 13 /* signature algorithms */) { @@ -1425,22 +1513,22 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t tot_signature_algorithms_len = ntohs(*((u_int16_t*)&packet->payload[s_offset])); #ifdef DEBUG_TLS - printf("Client SSL [SIGNATURE_ALGORITHMS: block_len=%u/len=%u]\n", extension_len, tot_signature_algorithms_len); + printf("Client TLS [SIGNATURE_ALGORITHMS: block_len=%u/len=%u]\n", extension_len, tot_signature_algorithms_len); #endif s_offset += 2; - tot_signature_algorithms_len = ndpi_min((sizeof(ja3.signature_algorithms) / 2) - 1, tot_signature_algorithms_len); + tot_signature_algorithms_len = ndpi_min((sizeof(ja3.client.signature_algorithms) / 2) - 1, tot_signature_algorithms_len); for(i=0; i<tot_signature_algorithms_len; i++) { - int rc = snprintf(&ja3.signature_algorithms[i*2], sizeof(ja3.signature_algorithms)-i*2, "%02X", packet->payload[s_offset+i]); + int rc = snprintf(&ja3.client.signature_algorithms[i*2], sizeof(ja3.client.signature_algorithms)-i*2, "%02X", packet->payload[s_offset+i]); if(rc < 0) break; } - ja3.signature_algorithms[i*2] = '\0'; + ja3.client.signature_algorithms[i*2] = '\0'; #ifdef DEBUG_TLS - printf("Client SSL [SIGNATURE_ALGORITHMS: %s]\n", ja3.signature_algorithms); + printf("Client TLS [SIGNATURE_ALGORITHMS: %s]\n", ja3.client.signature_algorithms); #endif } else if(extension_id == 16 /* application_layer_protocol_negotiation */) { u_int16_t s_offset = offset+extension_offset; @@ -1449,7 +1537,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, u_int8_t alpn_str_len = 0, i; #ifdef DEBUG_TLS - printf("Client SSL [ALPN: block_len=%u/len=%u]\n", extension_len, tot_alpn_len); + printf("Client TLS [ALPN: block_len=%u/len=%u]\n", extension_len, tot_alpn_len); #endif s_offset += 2; tot_alpn_len += s_offset; @@ -1459,7 +1547,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if((s_offset + alpn_len) <= tot_alpn_len) { #ifdef DEBUG_TLS - printf("Client SSL [ALPN: %u]\n", alpn_len); + printf("Client TLS [ALPN: %u]\n", alpn_len); #endif if((alpn_str_len+alpn_len+1) < (sizeof(alpn_str)-1)) { @@ -1481,16 +1569,16 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, alpn_str[alpn_str_len] = '\0'; #ifdef DEBUG_TLS - printf("Client SSL [ALPN: %s][len: %u]\n", alpn_str, alpn_str_len); + printf("Client TLS [ALPN: %s][len: %u]\n", alpn_str, alpn_str_len); #endif if(flow->protos.tls_quic_stun.tls_quic.alpn == NULL) flow->protos.tls_quic_stun.tls_quic.alpn = ndpi_strdup(alpn_str); - snprintf(ja3.alpn, sizeof(ja3.alpn), "%s", alpn_str); + snprintf(ja3.client.alpn, sizeof(ja3.client.alpn), "%s", alpn_str); /* Replace , with - as in JA3 */ - for(i=0; ja3.alpn[i] != '\0'; i++) - if(ja3.alpn[i] == ',') ja3.alpn[i] = '-'; + for(i=0; ja3.client.alpn[i] != '\0'; i++) + if(ja3.client.alpn[i] == ',') ja3.client.alpn[i] = '-'; } else if(extension_id == 43 /* supported versions */) { u_int16_t s_offset = offset+extension_offset; @@ -1499,7 +1587,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, u_int8_t version_str_len = 0; version_str[0] = 0; #ifdef DEBUG_TLS - printf("Client SSL [TLS version len: %u]\n", version_len); + printf("Client TLS [TLS version len: %u]\n", version_len); #endif if(version_len == (extension_len-1)) { @@ -1514,7 +1602,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, u_int8_t unknown_tls_version; #ifdef DEBUG_TLS - printf("Client SSL [TLS version: %s/0x%04X]\n", + printf("Client TLS [TLS version: %s/0x%04X]\n", ndpi_ssl_version2str(flow, tls_version, &unknown_tls_version), tls_version); #endif @@ -1528,8 +1616,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, else version_str_len += rc; - rc = snprintf(&ja3.supported_versions[supported_versions_offset], - sizeof(ja3.supported_versions)-supported_versions_offset, + rc = snprintf(&ja3.client.supported_versions[supported_versions_offset], + sizeof(ja3.client.supported_versions)-supported_versions_offset, "%s%04X", (j > 0) ? "-" : "", tls_version); if(rc > 0) @@ -1538,7 +1626,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, } #ifdef DEBUG_TLS - printf("Client SSL [SUPPORTED_VERSIONS: %s]\n", ja3.supported_versions); + printf("Client TLS [SUPPORTED_VERSIONS: %s]\n", ja3.client.supported_versions); #endif if(flow->protos.tls_quic_stun.tls_quic.tls_supported_versions == NULL) @@ -1572,7 +1660,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if((e_offset+e_sni_len-extension_len-initial_offset) >= 0 && e_offset+e_sni_len < packet->payload_packet_len) { #ifdef DEBUG_ENCRYPTED_SNI - printf("Client SSL [Encrypted Server Name len: %u]\n", e_sni_len); + printf("Client TLS [Encrypted Server Name len: %u]\n", e_sni_len); #endif if(flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni == NULL) { @@ -1635,7 +1723,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, } #ifdef DEBUG_TLS - printf("Client SSL [QUIC TP: Param 0x%x Len %d]\n", (int)param_type, (int)param_len); + printf("Client TLS [QUIC TP: Param 0x%x Len %d]\n", (int)param_type, (int)param_len); #endif if(s_offset+param_len > final_offset) break; @@ -1655,7 +1743,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, extension_offset += extension_len; /* Move to the next extension */ #ifdef DEBUG_TLS - printf("Client SSL [extension_offset/len: %u/%u]\n", extension_offset, extension_len); + printf("Client TLS [extension_offset/len: %u/%u]\n", extension_offset, extension_len); #endif } /* while */ @@ -1663,11 +1751,11 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, int rc; compute_ja3c: - ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version); + ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.client.tls_handshake_version); - for(i=0; i<ja3.num_cipher; i++) { + for(i=0; i<ja3.client.num_cipher; i++) { rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", - (i > 0) ? "-" : "", ja3.cipher[i]); + (i > 0) ? "-" : "", ja3.client.cipher[i]); if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break; } @@ -1676,9 +1764,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, /* ********** */ - for(i=0; i<ja3.num_tls_extension; i++) { + for(i=0; i<ja3.client.num_tls_extension; i++) { rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", - (i > 0) ? "-" : "", ja3.tls_extension[i]); + (i > 0) ? "-" : "", ja3.client.tls_extension[i]); if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break; } @@ -1687,24 +1775,24 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, /* ********** */ - for(i=0; i<ja3.num_elliptic_curve; i++) { + for(i=0; i<ja3.client.num_elliptic_curve; i++) { rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", - (i > 0) ? "-" : "", ja3.elliptic_curve[i]); + (i > 0) ? "-" : "", ja3.client.elliptic_curve[i]); if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break; } rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; - for(i=0; i<ja3.num_elliptic_curve_point_format; i++) { + for(i=0; i<ja3.client.num_elliptic_curve_point_format; i++) { rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", - (i > 0) ? "-" : "", ja3.elliptic_curve_point_format[i]); + (i > 0) ? "-" : "", ja3.client.elliptic_curve_point_format[i]); if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break; } if(ndpi_struct->enable_ja3_plus) { rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, - ",%s,%s,%s", ja3.signature_algorithms, ja3.supported_versions, ja3.alpn); + ",%s,%s,%s", ja3.client.signature_algorithms, ja3.client.supported_versions, ja3.client.alpn); if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; } @@ -1766,7 +1854,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, #endif } } else if(offset == total_len) { - /* SSL does not have extensions etc */ + /* TLS does not have extensions etc */ goto compute_ja3c; } } else { diff --git a/tests/result/alexa-app.pcapng.out b/tests/result/alexa-app.pcapng.out index b47ee2a09..87a3c740f 100644 --- a/tests/result/alexa-app.pcapng.out +++ b/tests/result/alexa-app.pcapng.out @@ -19,15 +19,15 @@ JA3 Host Stats: 1 TCP 172.16.42.216:41913 <-> 52.84.62.115:443 [proto: 91.240/TLS.AmazonVideo][cat: Video/26][174 pkts/22371 bytes <-> 176 pkts/251141 bytes][Goodput ratio: 41/95][2.06 sec][ALPN: h2;http/1.1][bytes ratio: -0.836 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10/2 843/74 74/9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 129/1427 1356/1514 247/317][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: images-na.ssl-images-amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: images-na.ssl-images-amazon.com,images-eu.ssl-images-amazon.com,images-fe.ssl-images-amazon.com,m.media-amazon.com][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=Images-na.ssl-images-amazon.com][Certificate SHA-1: 39:3D:27:B3:4D:FA:B4:04:AB:48:7F:5C:CB:A9:9A:95:F5:22:2A:52][Validity: 2016-09-23 00:00:00 - 2017-10-26 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,95,0,0] 2 TCP 172.16.42.216:54411 <-> 52.85.209.216:443 [proto: 91.178/TLS.Amazon][cat: Web/5][40 pkts/9869 bytes <-> 38 pkts/36764 bytes][Goodput ratio: 73/93][4.46 sec][ALPN: h2;http/1.1][bytes ratio: -0.577 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 89/33 1629/317 305/68][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 247/967 1514/1514 433/642][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: www.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com][Certificate SHA-1: EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E][Validity: 2016-10-31 00:00:00 - 2017-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,2,0,2,0,0,2,2,0,0,0,2,2,0,0,0,0,0,0,0,0,0,2,2,0,0,0,0,0,0,0,0,8,2,0,2,0,0,0,0,0,0,0,0,0,69,0,0] 3 TCP 172.16.42.216:41828 <-> 52.85.209.143:443 [proto: 91.178/TLS.Amazon][cat: Web/5][31 pkts/13163 bytes <-> 34 pkts/25939 bytes][Goodput ratio: 84/91][3.25 sec][ALPN: h2;http/1.1][bytes ratio: -0.327 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 111/38 1832/535 365/102][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 425/763 1514/1514 587/629][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: www.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com][Certificate SHA-1: EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E][Validity: 2016-10-31 00:00:00 - 2017-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 2,2,2,8,0,0,2,2,2,0,2,0,0,2,0,0,2,0,0,2,0,2,5,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,53,0,0] - 4 TCP 172.16.42.216:40856 <-> 54.239.29.253:443 [proto: 91.178/TLS.Amazon][cat: Web/5][47 pkts/4785 bytes <-> 51 pkts/31984 bytes][Goodput ratio: 47/91][2.59 sec][ALPN: h2;http/1.1][bytes ratio: -0.740 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 65/13 1811/246 293/44][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 102/627 1514/1514 218/316][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: skills-store.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: skills-store.amazon.com][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=skills-store.amazon.com][Certificate SHA-1: 2A:40:0E:E9:9A:EC:7C:0D:40:AA:C9:C5:66:67:00:B8:3E:90:DC:B2][Validity: 2016-05-14 00:00:00 - 2017-05-15 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,3,0,0,0,0,1,1,0,0,1,0,0,1,0,0,0,80,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,7,0,0] + 4 TCP 172.16.42.216:40856 <-> 54.239.29.253:443 [proto: 91.178/TLS.Amazon][cat: Web/5][47 pkts/4785 bytes <-> 51 pkts/31984 bytes][Goodput ratio: 47/91][2.59 sec][ALPN: h2;http/1.1][bytes ratio: -0.740 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 65/13 1811/246 293/44][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 102/627 1514/1514 218/316][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: skills-store.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: skills-store.amazon.com][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=skills-store.amazon.com][Certificate SHA-1: 2A:40:0E:E9:9A:EC:7C:0D:40:AA:C9:C5:66:67:00:B8:3E:90:DC:B2][Validity: 2016-05-14 00:00:00 - 2017-05-15 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,3,0,0,0,0,1,1,0,0,1,0,0,1,0,0,0,80,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,7,0,0] 5 TCP 172.16.42.216:51986 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][cat: Web/5][31 pkts/3707 bytes <-> 28 pkts/31731 bytes][Goodput ratio: 44/94][1.26 sec][Host: ecx.images-amazon.com][bytes ratio: -0.791 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 32/21 364/286 86/68][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 120/1133 613/1514 162/585][URL: ecx.images-amazon.com/images/I/81diFQyVjHL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /images/I/81diF)][Plen Bins: 3,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,3,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,3,68,0,0] 6 TCP 172.16.42.216:51995 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][cat: Web/5][22 pkts/2590 bytes <-> 25 pkts/31047 bytes][Goodput ratio: 42/95][1.13 sec][Host: ecx.images-amazon.com][bytes ratio: -0.846 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 54/42 536/536 126/120][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 118/1242 613/1514 157/474][URL: ecx.images-amazon.com/images/I/5100jxqrQhL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /images/I/5100j)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,8,0,0,0,4,0,0,0,0,67,0,0] 7 TCP 172.16.42.216:51992 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][cat: Web/5][27 pkts/3443 bytes <-> 24 pkts/29237 bytes][Goodput ratio: 48/95][1.13 sec][Host: ecx.images-amazon.com][bytes ratio: -0.789 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 36/6 368/110 98/25][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 128/1218 613/1514 172/546][URL: ecx.images-amazon.com/images/I/71nqwmwmRlL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /images/I/71nqwmwmRlL.)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,74,0,0] 8 TCP 172.16.42.216:41691 <-> 54.239.29.146:443 [proto: 91.178/TLS.Amazon][cat: Web/5][28 pkts/5292 bytes <-> 28 pkts/24601 bytes][Goodput ratio: 71/94][100.86 sec][bytes ratio: -0.646 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 37/78 293/443 72/134][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 189/879 1514/1514 381/687][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: api.amazon.com][JA3C: bdf21e38e1f69776df407235625e75e2][ServerNames: api.amazon.com,wsync.us-east-1.amazon.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=api.amazon.com][Certificate SHA-1: 1D:A3:CD:C3:06:9E:9B:A0:61:1E:1A:75:55:C1:A8:B0:DC:F8:75:2D][Validity: 2016-09-05 00:00:00 - 2017-09-23 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,3,0,3,0,15,3,0,0,0,0,0,3,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,68,0,0] 9 TCP 172.16.42.216:38483 <-> 52.85.209.143:443 [proto: 91.178/TLS.Amazon][cat: Web/5][32 pkts/3796 bytes <-> 30 pkts/25146 bytes][Goodput ratio: 44/92][0.66 sec][bytes ratio: -0.738 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/19 227/241 45/48][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 119/838 732/1514 163/608][Risk: ** TLS (probably) not carrying HTTPS **** SNI TLS extension was missing **][TLSv1.2][JA3C: 36e9ceaa96dd810482573844f78a063f][ServerNames: amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com][Certificate SHA-1: EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E][Validity: 2016-10-31 00:00:00 - 2017-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,12,3,6,0,0,6,0,0,0,0,3,3,0,0,3,0,3,0,0,6,3,0,3,0,0,3,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,40,0,0] 10 TCP 172.16.42.216:34034 <-> 54.239.24.186:443 [proto: 91.178/TLS.Amazon][cat: Web/5][24 pkts/22786 bytes <-> 19 pkts/2185 bytes][Goodput ratio: 94/49][1.87 sec][ALPN: h2;http/1.1][bytes ratio: 0.825 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 65/76 511/512 132/142][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 949/115 1514/564 678/140][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: mobileanalytics.us-east-1.amazonaws.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: d199ba0af2b08e204c73d6d81a1fd260][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (Km/eGEanalytics.us)][Plen Bins: 4,4,0,0,4,0,0,0,4,0,0,0,4,0,0,4,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,65,0,0] - 11 TCP 172.16.42.216:45703 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][32 pkts/18086 bytes <-> 24 pkts/6391 bytes][Goodput ratio: 90/78][13.18 sec][ALPN: h2;http/1.1][bytes ratio: 0.478 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 478/297 3544/1485 870/399][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 565/266 1514/731 644/259][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][PLAIN TEXT (xlzyWEui.amazon.com)][Plen Bins: 0,6,3,0,6,9,6,3,3,0,0,0,0,0,0,12,6,3,0,3,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0] - 12 TCP 172.16.42.216:45710 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][26 pkts/13063 bytes <-> 23 pkts/8561 bytes][Goodput ratio: 89/85][10.20 sec][ALPN: h2;http/1.1][bytes ratio: 0.208 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 464/535 3346/6303 892/1474][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 502/372 1514/1514 619/511][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 3,7,3,3,7,3,3,11,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,41,0,0] + 11 TCP 172.16.42.216:45703 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][32 pkts/18086 bytes <-> 24 pkts/6391 bytes][Goodput ratio: 90/78][13.18 sec][ALPN: h2;http/1.1][bytes ratio: 0.478 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 478/297 3544/1485 870/399][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 565/266 1514/731 644/259][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][PLAIN TEXT (xlzyWEui.amazon.com)][Plen Bins: 0,6,3,0,6,9,6,3,3,0,0,0,0,0,0,12,6,3,0,3,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0] + 12 TCP 172.16.42.216:45710 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][26 pkts/13063 bytes <-> 23 pkts/8561 bytes][Goodput ratio: 89/85][10.20 sec][ALPN: h2;http/1.1][bytes ratio: 0.208 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 464/535 3346/6303 892/1474][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 502/372 1514/1514 619/511][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 3,7,3,3,7,3,3,11,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,41,0,0] 13 TCP 172.16.42.216:54434 <-> 52.85.209.216:443 [proto: 91.178/TLS.Amazon][cat: Web/5][18 pkts/9106 bytes <-> 15 pkts/10708 bytes][Goodput ratio: 86/91][3.73 sec][ALPN: h2;http/1.1][bytes ratio: -0.081 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 17/241 96/1116 31/336][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 506/714 1514/1514 633/678][TLSv1.2][Client: www.amazon.com][JA3C: 5ee142340adf02ded757447e2ff78986][JA3S: d199ba0af2b08e204c73d6d81a1fd260][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (BhfsciOzon.com)][Plen Bins: 0,6,6,0,6,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,6,57,0,0] 14 TCP 172.16.42.216:41914 <-> 52.84.62.115:443 [proto: 91.240/TLS.AmazonVideo][cat: Video/26][20 pkts/6834 bytes <-> 15 pkts/11310 bytes][Goodput ratio: 80/91][0.96 sec][ALPN: h2;http/1.1][bytes ratio: -0.247 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 51/50 222/242 77/88][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 342/754 1351/1514 506/588][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: images-na.ssl-images-amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: images-na.ssl-images-amazon.com,images-eu.ssl-images-amazon.com,images-fe.ssl-images-amazon.com,m.media-amazon.com][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=Images-na.ssl-images-amazon.com][Certificate SHA-1: 39:3D:27:B3:4D:FA:B4:04:AB:48:7F:5C:CB:A9:9A:95:F5:22:2A:52][Validity: 2016-09-23 00:00:00 - 2017-10-26 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,10,0,5,0,0,5,0,10,0,0,0,0,0,10,0,0,0,0,0,0,5,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,5,15,0,0,0,0,27,0,0] 15 TCP 172.16.42.216:51997 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][cat: Web/5][16 pkts/1611 bytes <-> 14 pkts/16206 bytes][Goodput ratio: 34/94][1.14 sec][Host: ecx.images-amazon.com][bytes ratio: -0.819 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 68/24 628/205 165/61][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 101/1158 613/1514 132/593][URL: ecx.images-amazon.com/images/I/61Tfp7ZVcoL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /images/I/61Tfp)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,83,0,0] @@ -35,80 +35,80 @@ JA3 Host Stats: 17 TCP 172.16.42.216:44912 <-> 54.239.23.94:443 [proto: 91.178/TLS.Amazon][cat: Web/5][19 pkts/11483 bytes <-> 14 pkts/5858 bytes][Goodput ratio: 91/86][10.46 sec][ALPN: h2;http/1.1][bytes ratio: 0.324 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 552/875 3665/7470 1005/2334][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 604/418 1514/1514 650/593][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: mobileanalytics.us-east-1.amazonaws.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: mobileanalytics.us-east-1.amazonaws.com][JA3S: 159d46e54a2c066ef95e656fdf034e1d][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=mobileanalytics.us-east-1.amazonaws.com][Certificate SHA-1: 87:AD:E9:2D:E8:42:F0:5C:3A:09:13:00:12:93:59:04:84:C3:E2:2D][Validity: 2016-05-31 00:00:00 - 2017-06-26 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,6,0,6,0,0,0,6,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,41,0,27,0,0] 18 TCP 172.16.42.216:51990 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][cat: Web/5][15 pkts/1557 bytes <-> 13 pkts/15104 bytes][Goodput ratio: 35/94][1.25 sec][Host: ecx.images-amazon.com][bytes ratio: -0.813 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 88/21 682/138 190/45][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 104/1162 613/1514 136/600][URL: ecx.images-amazon.com/images/I/612xlaOI2NL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (tyGET /images/I/612)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,72,0,0] 19 TCP 172.16.42.216:51988 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][cat: Web/5][15 pkts/1557 bytes <-> 13 pkts/14454 bytes][Goodput ratio: 35/94][1.26 sec][Host: ecx.images-amazon.com][bytes ratio: -0.806 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 77/27 681/154 186/53][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 104/1112 613/1514 136/592][URL: ecx.images-amazon.com/images/I/61oBTb+jZvL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /images/I/61oBTb)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,72,0,0] - 20 TCP 172.16.42.216:40871 <-> 54.239.29.253:443 [proto: 91.178/TLS.Amazon][cat: Web/5][20 pkts/7766 bytes <-> 21 pkts/8198 bytes][Goodput ratio: 86/86][3.82 sec][ALPN: h2;http/1.1][bytes ratio: -0.027 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 182/130 1403/1107 358/296][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 388/390 1514/1514 570/458][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: skills-store.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][PLAIN TEXT (@zyJOU)][Plen Bins: 0,18,9,4,0,0,0,9,4,0,0,0,4,0,0,0,0,13,0,0,0,4,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,0,0] + 20 TCP 172.16.42.216:40871 <-> 54.239.29.253:443 [proto: 91.178/TLS.Amazon][cat: Web/5][20 pkts/7766 bytes <-> 21 pkts/8198 bytes][Goodput ratio: 86/86][3.82 sec][ALPN: h2;http/1.1][bytes ratio: -0.027 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 182/130 1403/1107 358/296][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 388/390 1514/1514 570/458][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: skills-store.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][PLAIN TEXT (@zyJOU)][Plen Bins: 0,18,9,4,0,0,0,9,4,0,0,0,4,0,0,0,0,13,0,0,0,4,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,0,0] 21 TCP 172.16.42.216:41912 <-> 52.84.62.115:443 [proto: 91.240/TLS.AmazonVideo][cat: Video/26][16 pkts/3960 bytes <-> 14 pkts/11986 bytes][Goodput ratio: 73/92][0.96 sec][ALPN: h2;http/1.1][bytes ratio: -0.503 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 71/14 669/71 174/23][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 248/856 1340/1514 415/644][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: images-na.ssl-images-amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: images-na.ssl-images-amazon.com,images-eu.ssl-images-amazon.com,images-fe.ssl-images-amazon.com,m.media-amazon.com][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=Images-na.ssl-images-amazon.com][Certificate SHA-1: 39:3D:27:B3:4D:FA:B4:04:AB:48:7F:5C:CB:A9:9A:95:F5:22:2A:52][Validity: 2016-09-23 00:00:00 - 2017-10-26 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,6,0,18,0,0,6,0,6,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,12,0,0,0,0,0,38,0,0] 22 TCP 172.16.42.216:51985 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][cat: Web/5][16 pkts/1623 bytes <-> 14 pkts/14282 bytes][Goodput ratio: 34/93][1.26 sec][Host: ecx.images-amazon.com][bytes ratio: -0.796 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 84/45 682/281 185/91][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 101/1020 613/1514 132/664][URL: ecx.images-amazon.com/images/I/51woiL9kgkL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /images/I/51woiL9)][Plen Bins: 0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,75,0,0] 23 TCP 172.16.42.216:51996 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][cat: Web/5][15 pkts/1545 bytes <-> 13 pkts/14178 bytes][Goodput ratio: 35/94][1.13 sec][Host: ecx.images-amazon.com][bytes ratio: -0.803 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 75/22 764/207 210/62][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103/1091 613/1514 136/639][URL: ecx.images-amazon.com/images/I/81Ni5COup-L._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /images/I/81Ni5)][Plen Bins: 0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,81,0,0] 24 TCP 172.16.42.216:53682 <-> 54.239.22.185:443 [proto: 91.178/TLS.Amazon][cat: Web/5][16 pkts/10167 bytes <-> 13 pkts/5328 bytes][Goodput ratio: 91/86][163.85 sec][bytes ratio: 0.312 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 12603/417 159135/3907 42305/1164][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 635/410 1514/1514 644/520][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: firs-ta-g7g.amazon.com][JA3C: bdf21e38e1f69776df407235625e75e2][ServerNames: firs-ta-g7g.amazon.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=firs-ta-g7g.amazon.com][Certificate SHA-1: A0:32:45:00:21:A0:00:56:62:BA:FE:E7:68:81:40:5F:68:7E:A6:86][Validity: 2016-11-25 00:00:00 - 2017-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,6,0,6,0,0,0,6,0,0,0,0,6,0,0,0,0,0,13,0,0,0,0,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,47,0,0] - 25 TCP 172.16.42.216:45712 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][24 pkts/11240 bytes <-> 18 pkts/3909 bytes][Goodput ratio: 88/73][5.97 sec][ALPN: h2;http/1.1][bytes ratio: 0.484 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 271/206 1239/905 390/325][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 468/217 1514/715 608/241][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,10,5,5,0,10,10,5,0,0,0,0,0,0,5,5,5,0,5,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,30,0,0] - 26 TCP 172.16.42.216:40854 <-> 54.239.29.253:443 [proto: 91.178/TLS.Amazon][cat: Web/5][21 pkts/6285 bytes <-> 16 pkts/8842 bytes][Goodput ratio: 82/90][2.68 sec][ALPN: h2;http/1.1][bytes ratio: -0.169 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 146/106 1158/932 299/253][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 299/553 1514/1514 504/512][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: skills-store.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: skills-store.amazon.com][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=skills-store.amazon.com][Certificate SHA-1: 2A:40:0E:E9:9A:EC:7C:0D:40:AA:C9:C5:66:67:00:B8:3E:90:DC:B2][Validity: 2016-05-14 00:00:00 - 2017-05-15 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,11,0,0,0,0,11,0,0,0,5,0,0,0,0,0,0,30,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,5,0,0,0,0,0,5,24,0,0] + 25 TCP 172.16.42.216:45712 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][24 pkts/11240 bytes <-> 18 pkts/3909 bytes][Goodput ratio: 88/73][5.97 sec][ALPN: h2;http/1.1][bytes ratio: 0.484 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 271/206 1239/905 390/325][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 468/217 1514/715 608/241][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,10,5,5,0,10,10,5,0,0,0,0,0,0,5,5,5,0,5,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,30,0,0] + 26 TCP 172.16.42.216:40854 <-> 54.239.29.253:443 [proto: 91.178/TLS.Amazon][cat: Web/5][21 pkts/6285 bytes <-> 16 pkts/8842 bytes][Goodput ratio: 82/90][2.68 sec][ALPN: h2;http/1.1][bytes ratio: -0.169 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 146/106 1158/932 299/253][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 299/553 1514/1514 504/512][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: skills-store.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: skills-store.amazon.com][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=skills-store.amazon.com][Certificate SHA-1: 2A:40:0E:E9:9A:EC:7C:0D:40:AA:C9:C5:66:67:00:B8:3E:90:DC:B2][Validity: 2016-05-14 00:00:00 - 2017-05-15 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,11,0,0,0,0,11,0,0,0,5,0,0,0,0,0,0,30,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,5,0,0,0,0,0,5,24,0,0] 27 TCP 172.16.42.216:55242 <-> 52.85.209.197:443 [proto: 91.178/TLS.Amazon][cat: Web/5][18 pkts/6706 bytes <-> 20 pkts/8204 bytes][Goodput ratio: 82/84][123.38 sec][bytes ratio: -0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 87/100 290/445 108/155][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 373/410 1514/1514 532/546][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: www.amazon.com][JA3C: bdf21e38e1f69776df407235625e75e2][ServerNames: amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com][JA3S: 389ed42c02ebecc32e73aa31def07e14][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com][Certificate SHA-1: EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E][Validity: 2016-10-31 00:00:00 - 2017-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 15,15,0,5,0,0,5,10,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,5,0,0,10,0,0,21,0,0] - 28 TCP 172.16.42.216:50799 <-> 54.239.28.178:443 [proto: 91.178/TLS.Amazon][cat: Web/5][20 pkts/9329 bytes <-> 17 pkts/5540 bytes][Goodput ratio: 88/82][10.48 sec][ALPN: h2;http/1.1][bytes ratio: 0.255 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 636/760 7767/8001 1851/2099][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 466/326 1514/1514 612/473][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com][Certificate SHA-1: 13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24][Validity: 2017-01-12 00:00:00 - 2018-01-13 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,18,0,0,5,0,5,5,0,0,11,0,0,0,0,0,5,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,43,0,0] + 28 TCP 172.16.42.216:50799 <-> 54.239.28.178:443 [proto: 91.178/TLS.Amazon][cat: Web/5][20 pkts/9329 bytes <-> 17 pkts/5540 bytes][Goodput ratio: 88/82][10.48 sec][ALPN: h2;http/1.1][bytes ratio: 0.255 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 636/760 7767/8001 1851/2099][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 466/326 1514/1514 612/473][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com][Certificate SHA-1: 13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24][Validity: 2017-01-12 00:00:00 - 2018-01-13 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,18,0,0,5,0,5,5,0,0,11,0,0,0,0,0,5,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,43,0,0] 29 TCP 172.16.42.216:51993 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][cat: Web/5][14 pkts/1479 bytes <-> 12 pkts/13075 bytes][Goodput ratio: 37/94][1.13 sec][Host: ecx.images-amazon.com][bytes ratio: -0.797 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 102/23 765/207 218/65][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 106/1090 613/1514 141/624][URL: ecx.images-amazon.com/images/I/61SZU-lPFNL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /images/I/61S)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,80,0,0] 30 TCP 172.16.42.216:51987 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][cat: Web/5][14 pkts/1491 bytes <-> 12 pkts/12826 bytes][Goodput ratio: 37/94][1.26 sec][Host: ecx.images-amazon.com][bytes ratio: -0.792 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 96/22 682/154 199/50][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 106/1069 613/1514 141/605][URL: ecx.images-amazon.com/images/I/71GcCNTb6kL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /images/I/71GcCNTb6)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,70,0,0] 31 TCP 172.16.42.216:34069 <-> 54.239.24.186:443 [proto: 91.178/TLS.Amazon][cat: Web/5][16 pkts/12799 bytes <-> 14 pkts/1381 bytes][Goodput ratio: 93/40][4.36 sec][ALPN: h2;http/1.1][bytes ratio: 0.805 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 256/126 2464/986 644/293][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 800/99 1514/449 707/105][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: mobileanalytics.us-east-1.amazonaws.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: d199ba0af2b08e204c73d6d81a1fd260][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (UGwp@manalytics.us)][Plen Bins: 0,8,0,0,8,0,0,0,8,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,59,0,0] - 32 TCP 172.16.42.216:45711 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][22 pkts/11642 bytes <-> 11 pkts/2484 bytes][Goodput ratio: 89/74][21.11 sec][ALPN: h2;http/1.1][bytes ratio: 0.648 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/64 1023/2459 6019/9247 1749/3564][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 529/226 1514/955 611/323][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][PLAIN TEXT (udgNToPi.amazon.com)][Plen Bins: 0,12,6,0,0,6,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,6,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,31,0,0] + 32 TCP 172.16.42.216:45711 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][22 pkts/11642 bytes <-> 11 pkts/2484 bytes][Goodput ratio: 89/74][21.11 sec][ALPN: h2;http/1.1][bytes ratio: 0.648 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/64 1023/2459 6019/9247 1749/3564][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 529/226 1514/955 611/323][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][PLAIN TEXT (udgNToPi.amazon.com)][Plen Bins: 0,12,6,0,0,6,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,6,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,31,0,0] 33 TCP 172.16.42.216:42130 <-> 72.21.206.135:443 [proto: 91.178/TLS.Amazon][cat: Web/5][18 pkts/6237 bytes <-> 14 pkts/6594 bytes][Goodput ratio: 84/88][2.59 sec][ALPN: h2;http/1.1][bytes ratio: -0.028 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 164/169 783/785 225/244][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 346/471 1514/1514 494/576][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: fls-na.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: fls-na.amazon.ca,fls-na.amazon.com,fls-na.amazon.com.br,fls-na.amazon.com.mx][JA3S: 159d46e54a2c066ef95e656fdf034e1d][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=fls-na.amazon.com][Certificate SHA-1: 2F:16:23:0F:F8:49:12:18:49:55:48:DA:E6:59:D9:B3:BB:0E:41:8A][Validity: 2017-01-07 00:00:00 - 2018-01-30 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,6,0,6,0,0,20,0,0,6,0,0,0,13,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,34,0,0] 34 TCP 172.16.42.216:37551 <-> 54.239.24.180:443 [proto: 91.178/TLS.Amazon][cat: Web/5][17 pkts/10780 bytes <-> 14 pkts/1770 bytes][Goodput ratio: 91/53][5.05 sec][ALPN: h2;http/1.1][bytes ratio: 0.718 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 330/332 1326/1927 449/591][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 634/126 1514/449 657/137][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: mobileanalytics.us-east-1.amazonaws.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: d199ba0af2b08e204c73d6d81a1fd260][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,7,0,0,7,0,0,7,21,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,42,0,0] 35 TCP 172.16.42.216:47605 <-> 72.21.206.121:443 [proto: 91.178/TLS.Amazon][cat: Web/5][14 pkts/6459 bytes <-> 10 pkts/5934 bytes][Goodput ratio: 88/90][1.23 sec][ALPN: h2;http/1.1][bytes ratio: 0.042 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 99/73 444/289 147/105][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 461/593 1514/1514 580/631][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: fls-na.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: fls-na.amazon.ca,fls-na.amazon.com,fls-na.amazon.com.br,fls-na.amazon.com.mx][JA3S: 159d46e54a2c066ef95e656fdf034e1d][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=fls-na.amazon.com][Certificate SHA-1: 2F:16:23:0F:F8:49:12:18:49:55:48:DA:E6:59:D9:B3:BB:0E:41:8A][Validity: 2017-01-07 00:00:00 - 2018-01-30 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,7,0,7,0,0,15,0,0,7,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,40,0,0] - 36 TCP 172.16.42.216:45661 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][18 pkts/5853 bytes <-> 14 pkts/6315 bytes][Goodput ratio: 83/87][2.50 sec][ALPN: h2;http/1.1][bytes ratio: -0.038 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 168/40 1015/176 274/60][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 325/451 1168/1514 442/528][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com][Certificate SHA-1: 13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24][Validity: 2017-01-12 00:00:00 - 2018-01-13 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,7,0,0,0,0,7,0,0,0,15,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,7,0,7,0,0,0,0,24,7,0,0,0,0,0,0,0,0,0,0,15,0,0] - 37 TCP 172.16.42.216:45715 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][18 pkts/10366 bytes <-> 11 pkts/1730 bytes][Goodput ratio: 90/63][22.60 sec][ALPN: h2;http/1.1][bytes ratio: 0.714 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1160/2749 10810/15911 2672/5468][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 576/157 1514/555 667/178][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][PLAIN TEXT (33hJAHui.amazon.com)][Plen Bins: 0,14,7,7,0,0,7,7,0,0,0,0,0,0,7,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,42,0,0] + 36 TCP 172.16.42.216:45661 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][18 pkts/5853 bytes <-> 14 pkts/6315 bytes][Goodput ratio: 83/87][2.50 sec][ALPN: h2;http/1.1][bytes ratio: -0.038 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 168/40 1015/176 274/60][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 325/451 1168/1514 442/528][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com][Certificate SHA-1: 13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24][Validity: 2017-01-12 00:00:00 - 2018-01-13 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,7,0,0,0,0,7,0,0,0,15,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,7,0,7,0,0,0,0,24,7,0,0,0,0,0,0,0,0,0,0,15,0,0] + 37 TCP 172.16.42.216:45715 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][18 pkts/10366 bytes <-> 11 pkts/1730 bytes][Goodput ratio: 90/63][22.60 sec][ALPN: h2;http/1.1][bytes ratio: 0.714 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1160/2749 10810/15911 2672/5468][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 576/157 1514/555 667/178][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][PLAIN TEXT (33hJAHui.amazon.com)][Plen Bins: 0,14,7,7,0,0,7,7,0,0,0,0,0,0,7,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,42,0,0] 38 TCP 172.16.42.216:42129 <-> 72.21.206.135:443 [proto: 91.178/TLS.Amazon][cat: Web/5][16 pkts/5899 bytes <-> 13 pkts/6114 bytes][Goodput ratio: 85/88][2.59 sec][ALPN: h2;http/1.1][bytes ratio: -0.018 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 177/19 1347/104 365/37][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 369/470 1514/1514 557/597][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: fls-na.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: fls-na.amazon.ca,fls-na.amazon.com,fls-na.amazon.com.br,fls-na.amazon.com.mx][JA3S: 159d46e54a2c066ef95e656fdf034e1d][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=fls-na.amazon.com][Certificate SHA-1: 2F:16:23:0F:F8:49:12:18:49:55:48:DA:E6:59:D9:B3:BB:0E:41:8A][Validity: 2017-01-07 00:00:00 - 2018-01-30 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,8,0,8,0,0,8,0,0,16,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,51,0,0] - 39 TCP 172.16.42.216:45680 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][15 pkts/7129 bytes <-> 14 pkts/4292 bytes][Goodput ratio: 88/81][2.51 sec][ALPN: h2;http/1.1][bytes ratio: 0.248 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 202/95 1324/374 353/142][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 475/307 1248/891 523/370][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,14,7,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,0,0,0,0,0,0,0,0,21,7,7,0,0,0,0,0,0,0,0,0,0] - 40 TCP 172.16.42.216:50797 <-> 54.239.28.178:443 [proto: 91.178/TLS.Amazon][cat: Web/5][14 pkts/5989 bytes <-> 11 pkts/4920 bytes][Goodput ratio: 87/87][10.17 sec][ALPN: h2;http/1.1][bytes ratio: 0.098 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 92/114 346/441 105/161][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 428/447 1514/1514 576/536][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com][Certificate SHA-1: 13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24][Validity: 2017-01-12 00:00:00 - 2018-01-13 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,7,0,7,0,0,15,0,0,0,15,0,0,0,7,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,39,0,0] + 39 TCP 172.16.42.216:45680 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][15 pkts/7129 bytes <-> 14 pkts/4292 bytes][Goodput ratio: 88/81][2.51 sec][ALPN: h2;http/1.1][bytes ratio: 0.248 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 202/95 1324/374 353/142][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 475/307 1248/891 523/370][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,14,7,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,0,0,0,0,0,0,0,0,21,7,7,0,0,0,0,0,0,0,0,0,0] + 40 TCP 172.16.42.216:50797 <-> 54.239.28.178:443 [proto: 91.178/TLS.Amazon][cat: Web/5][14 pkts/5989 bytes <-> 11 pkts/4920 bytes][Goodput ratio: 87/87][10.17 sec][ALPN: h2;http/1.1][bytes ratio: 0.098 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 92/114 346/441 105/161][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 428/447 1514/1514 576/536][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com][Certificate SHA-1: 13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24][Validity: 2017-01-12 00:00:00 - 2018-01-13 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,7,0,7,0,0,15,0,0,0,15,0,0,0,7,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,39,0,0] 41 TCP 172.16.42.216:47606 <-> 72.21.206.121:443 [proto: 91.178/TLS.Amazon][cat: Web/5][14 pkts/4321 bytes <-> 14 pkts/6297 bytes][Goodput ratio: 82/87][0.75 sec][ALPN: h2;http/1.1][bytes ratio: -0.186 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 32/27 255/176 73/52][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 309/450 1514/1514 496/585][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: fls-na.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: fls-na.amazon.ca,fls-na.amazon.com,fls-na.amazon.com.br,fls-na.amazon.com.mx][JA3S: 159d46e54a2c066ef95e656fdf034e1d][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=fls-na.amazon.com][Certificate SHA-1: 2F:16:23:0F:F8:49:12:18:49:55:48:DA:E6:59:D9:B3:BB:0E:41:8A][Validity: 2017-01-07 00:00:00 - 2018-01-30 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,7,15,15,0,0,7,0,0,0,0,0,0,7,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,39,0,0] 42 TCP 172.16.42.216:38757 <-> 54.239.28.178:443 [proto: 91.178/TLS.Amazon][cat: Web/5][13 pkts/6382 bytes <-> 8 pkts/3973 bytes][Goodput ratio: 89/89][2.80 sec][bytes ratio: 0.233 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 254/411 1240/2328 378/858][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 491/497 1344/1514 576/598][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **][TLSv1][JA3C: f8f5b71e02603b283e55b50d17ede861][ServerNames: pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com][Certificate SHA-1: 13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24][Validity: 2017-01-12 00:00:00 - 2018-01-13 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,9,0,0,0,9,9,0,0,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,36,0,0,0,0,18,0,0] - 43 TCP 172.16.42.216:40864 <-> 54.239.29.253:443 [proto: 91.178/TLS.Amazon][cat: Web/5][15 pkts/2838 bytes <-> 16 pkts/7478 bytes][Goodput ratio: 71/88][4.06 sec][ALPN: h2;http/1.1][bytes ratio: -0.450 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 66/267 259/1771 98/509][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 189/467 1514/1514 363/499][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: skills-store.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,20,6,0,0,0,6,13,0,0,0,0,0,0,0,0,0,26,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,20,0,0] - 44 TCP 172.16.42.216:45693 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][15 pkts/4412 bytes <-> 13 pkts/5784 bytes][Goodput ratio: 81/87][4.69 sec][ALPN: h2;http/1.1][bytes ratio: -0.135 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 390/24 4145/80 1133/32][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 294/445 1514/1514 485/599][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 7,15,7,0,7,0,7,7,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,40,0,0] + 43 TCP 172.16.42.216:40864 <-> 54.239.29.253:443 [proto: 91.178/TLS.Amazon][cat: Web/5][15 pkts/2838 bytes <-> 16 pkts/7478 bytes][Goodput ratio: 71/88][4.06 sec][ALPN: h2;http/1.1][bytes ratio: -0.450 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 66/267 259/1771 98/509][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 189/467 1514/1514 363/499][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: skills-store.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,20,6,0,0,0,6,13,0,0,0,0,0,0,0,0,0,26,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,20,0,0] + 44 TCP 172.16.42.216:45693 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][15 pkts/4412 bytes <-> 13 pkts/5784 bytes][Goodput ratio: 81/87][4.69 sec][ALPN: h2;http/1.1][bytes ratio: -0.135 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 390/24 4145/80 1133/32][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 294/445 1514/1514 485/599][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 7,15,7,0,7,0,7,7,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,40,0,0] 45 TCP 172.16.42.216:54427 <-> 52.85.209.216:443 [proto: 91.178/TLS.Amazon][cat: Web/5][13 pkts/8467 bytes <-> 8 pkts/1403 bytes][Goodput ratio: 90/62][1.35 sec][ALPN: h2;http/1.1][bytes ratio: 0.716 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/12 109/125 514/453 157/165][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 651/175 1514/777 663/233][TLSv1.2][Client: www.amazon.com][JA3C: 5ee142340adf02ded757447e2ff78986][JA3S: d199ba0af2b08e204c73d6d81a1fd260][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (KwnVVYUzon.com)][Plen Bins: 0,11,0,0,11,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,22,0,0] 46 TCP 172.16.42.216:51994 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][cat: Web/5][11 pkts/1293 bytes <-> 10 pkts/8334 bytes][Goodput ratio: 42/92][1.10 sec][Host: ecx.images-amazon.com][bytes ratio: -0.731 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 106/24 808/113 266/39][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 118/833 613/1514 157/652][URL: ecx.images-amazon.com/images/I/315y9IEXZSL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /images/I/315)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,57,0,0] 47 TCP 172.16.42.216:44001 <-> 176.32.101.52:443 [proto: 91.178/TLS.Amazon][cat: Web/5][22 pkts/4394 bytes <-> 19 pkts/5213 bytes][Goodput ratio: 72/79][101.63 sec][bytes ratio: -0.085 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 5968/5788 80048/79926 19049/20563][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 200/274 1514/1514 303/442][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dp-gw-na-js.amazon.com][JA3C: 731bcada65b0a6f850bada3bdcd716d1][ServerNames: dp-gw-na.amazon.com,dp-gw-na-js.amazon.com,dp-gw-na.amazon.co.uk,dp-gw-na.amazon.de,dp-gw-na.amazon.co.jp,dp-gw-na.amazon.in][JA3S: fbe78c619e7ea20046131294ad087f05][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=dp-gw-na.amazon.com][Certificate SHA-1: 27:E5:06:34:82:69:BC:97:5E:28:A3:C1:5A:23:81:C7:E3:28:95:8C][Validity: 2016-09-24 00:00:00 - 2017-09-13 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 9,14,4,4,4,0,29,9,0,4,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0] - 48 TCP 172.16.42.216:45714 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][17 pkts/7542 bytes <-> 10 pkts/1990 bytes][Goodput ratio: 88/71][18.45 sec][ALPN: h2;http/1.1][bytes ratio: 0.582 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1317/1449 6762/8309 2110/3069][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 444/199 1514/699 598/247][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][PLAIN TEXT (hE10XNoi.amazon.com)][Plen Bins: 0,15,7,0,15,7,0,7,0,0,0,0,0,0,0,0,0,0,0,7,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,31,0,0] + 48 TCP 172.16.42.216:45714 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][17 pkts/7542 bytes <-> 10 pkts/1990 bytes][Goodput ratio: 88/71][18.45 sec][ALPN: h2;http/1.1][bytes ratio: 0.582 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1317/1449 6762/8309 2110/3069][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 444/199 1514/699 598/247][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][PLAIN TEXT (hE10XNoi.amazon.com)][Plen Bins: 0,15,7,0,15,7,0,7,0,0,0,0,0,0,0,0,0,0,0,7,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,31,0,0] 49 TCP 172.16.42.216:38404 <-> 34.199.52.240:443 [proto: 91.178/TLS.Amazon][cat: Web/5][15 pkts/3140 bytes <-> 12 pkts/6286 bytes][Goodput ratio: 69/87][1.00 sec][ALPN: h2;http/1.1][bytes ratio: -0.334 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 74/55 364/256 109/84][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 209/524 950/1514 299/598][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: cognito-identity.us-east-1.amazonaws.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: cognito-identity.amazonaws.com,cognito-identity.us-east-1.amazonaws.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=cognito-identity.us-east-1.amazonaws.com][Certificate SHA-1: 56:17:8F:E9:45:10:32:78:FF:FD:E3:09:60:5A:B5:3B:8D:8C:F8:34][Validity: 2016-05-25 00:00:00 - 2017-06-22 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 8,16,0,8,0,0,0,0,8,0,0,0,0,0,0,8,8,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0] 50 TCP 172.16.42.216:34074 <-> 54.239.24.186:443 [proto: 91.178/TLS.Amazon][cat: Web/5][13 pkts/7594 bytes <-> 9 pkts/1081 bytes][Goodput ratio: 90/51][6.86 sec][ALPN: h2;http/1.1][bytes ratio: 0.751 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 679/185 5262/894 1550/320][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 584/120 1514/449 627/125][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: mobileanalytics.us-east-1.amazonaws.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: d199ba0af2b08e204c73d6d81a1fd260][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (ROz@SCanalytics.us)][Plen Bins: 0,11,0,0,11,0,0,0,11,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0,0,0,0,22,0,11,0,0] 51 TCP 172.16.42.216:34019 <-> 54.239.24.186:443 [proto: 91.178/TLS.Amazon][cat: Web/5][14 pkts/2122 bytes <-> 11 pkts/6182 bytes][Goodput ratio: 63/90][0.64 sec][ALPN: h2;http/1.1][bytes ratio: -0.489 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 50/71 277/343 78/116][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 152/562 820/1514 202/618][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: mobileanalytics.us-east-1.amazonaws.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: mobileanalytics.us-east-1.amazonaws.com][JA3S: 159d46e54a2c066ef95e656fdf034e1d][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=mobileanalytics.us-east-1.amazonaws.com][Certificate SHA-1: 87:AD:E9:2D:E8:42:F0:5C:3A:09:13:00:12:93:59:04:84:C3:E2:2D][Validity: 2016-05-31 00:00:00 - 2017-06-26 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,10,0,10,0,0,0,20,0,0,0,0,0,0,0,10,0,0,0,10,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,30,0,0] 52 TCP 172.16.42.216:34033 <-> 54.239.24.186:443 [proto: 91.178/TLS.Amazon][cat: Web/5][14 pkts/6517 bytes <-> 11 pkts/1705 bytes][Goodput ratio: 88/62][1.91 sec][ALPN: h2;http/1.1][bytes ratio: 0.585 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 144/57 1221/225 342/79][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 466/155 1514/564 535/173][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: mobileanalytics.us-east-1.amazonaws.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: d199ba0af2b08e204c73d6d81a1fd260][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,10,0,0,10,0,0,0,10,0,0,0,10,0,0,10,0,0,0,0,0,0,0,10,0,10,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,10,0,10,0,0] - 53 TCP 172.16.42.216:40853 <-> 54.239.29.253:443 [proto: 91.178/TLS.Amazon][cat: Web/5][12 pkts/2895 bytes <-> 11 pkts/5277 bytes][Goodput ratio: 77/88][2.68 sec][ALPN: h2;http/1.1][bytes ratio: -0.291 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 54/37 137/137 61/49][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 241/480 1514/1514 399/596][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: skills-store.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: skills-store.amazon.com][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=skills-store.amazon.com][Certificate SHA-1: 2A:40:0E:E9:9A:EC:7C:0D:40:AA:C9:C5:66:67:00:B8:3E:90:DC:B2][Validity: 2016-05-14 00:00:00 - 2017-05-15 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,18,0,9,0,0,9,9,0,9,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,27,0,0] - 54 TCP 172.16.42.216:45696 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][14 pkts/7016 bytes <-> 9 pkts/1115 bytes][Goodput ratio: 89/53][4.57 sec][ALPN: h2;http/1.1][bytes ratio: 0.726 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 124/196 591/1077 175/395][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 501/124 1514/507 644/138][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,20,10,10,0,0,0,10,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,40,0,0] - 55 TCP 172.16.42.216:45673 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][14 pkts/4512 bytes <-> 12 pkts/3341 bytes][Goodput ratio: 83/79][2.23 sec][ALPN: h2;http/1.1][bytes ratio: 0.149 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 187/31 1612/164 452/54][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 322/278 1232/891 463/354][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][PLAIN TEXT (MBID oWF.amazon.com)][Plen Bins: 0,20,10,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,30,0,0,0,0,0,0,0,0,20,10,0,0,0,0,0,0,0,0,0,0,0] + 53 TCP 172.16.42.216:40853 <-> 54.239.29.253:443 [proto: 91.178/TLS.Amazon][cat: Web/5][12 pkts/2895 bytes <-> 11 pkts/5277 bytes][Goodput ratio: 77/88][2.68 sec][ALPN: h2;http/1.1][bytes ratio: -0.291 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 54/37 137/137 61/49][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 241/480 1514/1514 399/596][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: skills-store.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: skills-store.amazon.com][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=skills-store.amazon.com][Certificate SHA-1: 2A:40:0E:E9:9A:EC:7C:0D:40:AA:C9:C5:66:67:00:B8:3E:90:DC:B2][Validity: 2016-05-14 00:00:00 - 2017-05-15 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,18,0,9,0,0,9,9,0,9,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,27,0,0] + 54 TCP 172.16.42.216:45696 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][14 pkts/7016 bytes <-> 9 pkts/1115 bytes][Goodput ratio: 89/53][4.57 sec][ALPN: h2;http/1.1][bytes ratio: 0.726 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 124/196 591/1077 175/395][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 501/124 1514/507 644/138][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,20,10,10,0,0,0,10,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,40,0,0] + 55 TCP 172.16.42.216:45673 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][14 pkts/4512 bytes <-> 12 pkts/3341 bytes][Goodput ratio: 83/79][2.23 sec][ALPN: h2;http/1.1][bytes ratio: 0.149 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 187/31 1612/164 452/54][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 322/278 1232/891 463/354][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][PLAIN TEXT (MBID oWF.amazon.com)][Plen Bins: 0,20,10,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,30,0,0,0,0,0,0,0,0,20,10,0,0,0,0,0,0,0,0,0,0,0] 56 TCP 172.16.42.216:49067 <-> 216.58.194.78:443 [proto: 91.228/TLS.PlayStore][cat: SoftwareUpdate/19][10 pkts/2508 bytes <-> 9 pkts/5344 bytes][Goodput ratio: 73/89][0.36 sec][bytes ratio: -0.361 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 44/34 137/93 40/41][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 251/594 1434/1484 402/587][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: android.clients.google.com][JA3C: 5bf38a5cbf896cd31eeef4d6ad1503e1][ServerNames: *.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.gcp.gvt2.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleadapis.com,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.cn,*.gstatic.com,*.gvt1.com,*.gvt2.com,*.metric.gstatic.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.clients.google.com,android.com,developer.android.google.cn,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,www.goo.gl,youtu.be,youtube.com,youtubeeducation.com][JA3S: 9b1466fd60cadccb848e09c86e284265][Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2][Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com][Certificate SHA-1: 54:A0:1E:03:FF:CB:33:BC:9D:65:DC:D7:BF:6B:04:2B:F9:F3:D5:42][Validity: 2017-03-22 17:02:50 - 2017-06-14 16:17:00][Cipher: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256][Plen Bins: 0,10,10,0,0,10,10,0,0,10,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,10,0,20,0,0,0] - 57 TCP 172.16.42.216:45674 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][12 pkts/4436 bytes <-> 12 pkts/3341 bytes][Goodput ratio: 85/79][2.20 sec][ALPN: h2;http/1.1][bytes ratio: 0.141 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 226/36 1612/118 492/51][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 370/278 1248/891 490/354][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,20,10,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,30,0,0,0,0,0,0,0,0,20,0,10,0,0,0,0,0,0,0,0,0,0] - 58 TCP 172.16.42.216:50796 <-> 54.239.28.178:443 [proto: 91.178/TLS.Amazon][cat: Web/5][10 pkts/2719 bytes <-> 8 pkts/4869 bytes][Goodput ratio: 79/91][0.73 sec][ALPN: h2;http/1.1][bytes ratio: -0.283 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 91/73 260/241 97/100][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 272/609 1514/1514 428/624][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com][Certificate SHA-1: 13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24][Validity: 2017-01-12 00:00:00 - 2018-01-13 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,11,0,0,0,11,11,0,0,0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,33,0,0] + 57 TCP 172.16.42.216:45674 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][12 pkts/4436 bytes <-> 12 pkts/3341 bytes][Goodput ratio: 85/79][2.20 sec][ALPN: h2;http/1.1][bytes ratio: 0.141 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 226/36 1612/118 492/51][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 370/278 1248/891 490/354][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,20,10,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,30,0,0,0,0,0,0,0,0,20,0,10,0,0,0,0,0,0,0,0,0,0] + 58 TCP 172.16.42.216:50796 <-> 54.239.28.178:443 [proto: 91.178/TLS.Amazon][cat: Web/5][10 pkts/2719 bytes <-> 8 pkts/4869 bytes][Goodput ratio: 79/91][0.73 sec][ALPN: h2;http/1.1][bytes ratio: -0.283 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 91/73 260/241 97/100][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 272/609 1514/1514 428/624][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com][Certificate SHA-1: 13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24][Validity: 2017-01-12 00:00:00 - 2018-01-13 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,11,0,0,0,11,11,0,0,0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,33,0,0] 59 TCP 172.16.42.216:38363 <-> 34.199.52.240:443 [proto: 91.178/TLS.Amazon][cat: Web/5][14 pkts/2676 bytes <-> 10 pkts/4624 bytes][Goodput ratio: 66/85][0.81 sec][ALPN: h2;http/1.1][bytes ratio: -0.267 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 68/88 265/375 77/136][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 191/462 773/1514 246/556][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: cognito-identity.us-east-1.amazonaws.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: cognito-identity.amazonaws.com,cognito-identity.us-east-1.amazonaws.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=cognito-identity.us-east-1.amazonaws.com][Certificate SHA-1: 56:17:8F:E9:45:10:32:78:FF:FD:E3:09:60:5A:B5:3B:8D:8C:F8:34][Validity: 2016-05-25 00:00:00 - 2017-06-22 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 10,10,0,10,0,0,0,10,0,0,0,0,0,0,10,10,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0] - 60 TCP 172.16.42.216:59698 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][13 pkts/2372 bytes <-> 10 pkts/4572 bytes][Goodput ratio: 70/88][105.04 sec][bytes ratio: -0.317 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10450/383 99710/1530 29779/579][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 182/457 1184/1514 305/547][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** TLS (probably) not carrying HTTPS **** SNI TLS extension was missing **][TLSv1][JA3C: 36e9ceaa96dd810482573844f78a063f][ServerNames: pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com][Certificate SHA-1: 13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24][Validity: 2017-01-12 00:00:00 - 2018-01-13 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,11,0,0,0,0,11,0,0,0,44,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,22,0,0] + 60 TCP 172.16.42.216:59698 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][13 pkts/2372 bytes <-> 10 pkts/4572 bytes][Goodput ratio: 70/88][105.04 sec][bytes ratio: -0.317 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10450/383 99710/1530 29779/579][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 182/457 1184/1514 305/547][Risk: ** Weak TLS cipher **** TLS (probably) not carrying HTTPS **** SNI TLS extension was missing **][TLSv1.2][JA3C: 36e9ceaa96dd810482573844f78a063f][ServerNames: pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com][Certificate SHA-1: 13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24][Validity: 2017-01-12 00:00:00 - 2018-01-13 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,11,0,0,0,0,11,0,0,0,44,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,22,0,0] 61 TCP 172.16.42.216:41825 <-> 54.231.72.88:443 [proto: 91.178/TLS.Amazon][cat: Web/5][15 pkts/1901 bytes <-> 14 pkts/5033 bytes][Goodput ratio: 56/84][6.82 sec][ALPN: h2;http/1.1][bytes ratio: -0.452 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 533/614 5996/5956 1648/1782][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 127/360 752/1486 180/458][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: s3-external-2.amazonaws.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: s3-external-1.amazonaws.com,*.s3-external-1.amazonaws.com,s3-external-2.amazonaws.com,*.s3-external-2.amazonaws.com,*.s3.amazonaws.com][JA3S: ea615e28cb25adfb2f261151eab3314f][Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Baltimore CA-2 G2][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com Inc., CN=*.s3-external-1.amazonaws.com][Certificate SHA-1: C0:51:D8:FA:6B:58:94:F2:3E:4E:7D:B2:36:5F:02:E4:F0:3F:54:FF][Validity: 2016-07-18 00:00:00 - 2017-10-26 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 24,7,7,7,0,0,0,7,0,0,7,0,0,7,0,0,0,0,0,0,7,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,7,0,0,0] 62 TCP 172.16.42.216:42143 <-> 72.21.206.135:443 [proto: 91.178/TLS.Amazon][cat: Web/5][12 pkts/5873 bytes <-> 10 pkts/1049 bytes][Goodput ratio: 89/44][1.37 sec][ALPN: h2;http/1.1][bytes ratio: 0.697 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 144/88 483/524 177/179][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 489/105 1514/357 610/95][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: fls-na.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: d199ba0af2b08e204c73d6d81a1fd260][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,12,0,0,12,0,0,12,0,12,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,38,0,0] 63 TCP 172.16.42.216:42148 <-> 72.21.206.135:443 [proto: 91.178/TLS.Amazon][cat: Web/5][13 pkts/5805 bytes <-> 8 pkts/1017 bytes][Goodput ratio: 88/54][0.57 sec][ALPN: h2;http/1.1][bytes ratio: 0.702 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 50/13 245/65 75/26][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 447/127 1514/445 591/130][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: fls-na.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: d199ba0af2b08e204c73d6d81a1fd260][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,11,0,0,22,0,0,11,11,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0] 64 TCP 172.16.42.216:54412 <-> 52.85.209.216:443 [proto: 91.178/TLS.Amazon][cat: Web/5][10 pkts/996 bytes <-> 7 pkts/5823 bytes][Goodput ratio: 33/92][0.38 sec][ALPN: h2;http/1.1][bytes ratio: -0.708 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 47/18 101/86 45/34][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 100/832 268/1514 67/636][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: www.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com][Certificate SHA-1: EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E][Validity: 2016-10-31 00:00:00 - 2017-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,14,0,0,14,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,42,0,0] 65 TCP 172.16.42.216:41820 <-> 54.231.72.88:443 [proto: 91.178/TLS.Amazon][cat: Web/5][14 pkts/1817 bytes <-> 13 pkts/4948 bytes][Goodput ratio: 57/85][3.94 sec][ALPN: h2;http/1.1][bytes ratio: -0.463 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 314/42 2864/196 810/79][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 130/381 754/1486 184/469][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: s3-external-2.amazonaws.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: s3-external-1.amazonaws.com,*.s3-external-1.amazonaws.com,s3-external-2.amazonaws.com,*.s3-external-2.amazonaws.com,*.s3.amazonaws.com][JA3S: ea615e28cb25adfb2f261151eab3314f][Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Baltimore CA-2 G2][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com Inc., CN=*.s3-external-1.amazonaws.com][Certificate SHA-1: C0:51:D8:FA:6B:58:94:F2:3E:4E:7D:B2:36:5F:02:E4:F0:3F:54:FF][Validity: 2016-07-18 00:00:00 - 2017-10-26 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 16,8,8,8,0,0,8,0,0,0,8,0,0,8,0,0,0,0,0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,8,0,0,0] - 66 TCP 172.16.42.216:45732 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][13 pkts/5614 bytes <-> 8 pkts/1103 bytes][Goodput ratio: 87/58][6.02 sec][ALPN: h2;http/1.1][bytes ratio: 0.672 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 591/663 2868/3089 977/1214][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 432/138 1514/555 598/160][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][PLAIN TEXT (Kf.e08ui.amazon.com)][Plen Bins: 0,22,11,0,0,0,11,11,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0] - 67 TCP 172.16.42.216:45694 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/1845 bytes <-> 9 pkts/4385 bytes][Goodput ratio: 67/88][4.64 sec][ALPN: h2;http/1.1][bytes ratio: -0.408 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 515/26 4284/78 1333/34][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 168/487 752/1514 212/577][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com][Certificate SHA-1: 13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24][Validity: 2017-01-12 00:00:00 - 2018-01-13 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,12,0,0,0,0,12,0,0,0,25,0,0,0,0,0,0,12,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0] + 66 TCP 172.16.42.216:45732 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][13 pkts/5614 bytes <-> 8 pkts/1103 bytes][Goodput ratio: 87/58][6.02 sec][ALPN: h2;http/1.1][bytes ratio: 0.672 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 591/663 2868/3089 977/1214][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 432/138 1514/555 598/160][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][PLAIN TEXT (Kf.e08ui.amazon.com)][Plen Bins: 0,22,11,0,0,0,11,11,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0] + 67 TCP 172.16.42.216:45694 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/1845 bytes <-> 9 pkts/4385 bytes][Goodput ratio: 67/88][4.64 sec][ALPN: h2;http/1.1][bytes ratio: -0.408 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 515/26 4284/78 1333/34][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 168/487 752/1514 212/577][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com][Certificate SHA-1: 13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24][Validity: 2017-01-12 00:00:00 - 2018-01-13 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,12,0,0,0,0,12,0,0,0,25,0,0,0,0,0,0,12,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0] 68 TCP 172.16.42.216:34053 <-> 54.239.24.186:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/4927 bytes <-> 9 pkts/1231 bytes][Goodput ratio: 88/57][2.15 sec][ALPN: h2;http/1.1][bytes ratio: 0.600 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 236/131 950/512 322/198][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 448/137 1514/449 584/126][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: mobileanalytics.us-east-1.amazonaws.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: d199ba0af2b08e204c73d6d81a1fd260][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,12,0,0,25,0,0,0,12,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,12,0,12,0,0] - 69 TCP 172.16.42.216:50800 <-> 54.239.28.178:443 [proto: 91.178/TLS.Amazon][cat: Web/5][9 pkts/1769 bytes <-> 8 pkts/4341 bytes][Goodput ratio: 71/90][0.63 sec][ALPN: h2;http/1.1][bytes ratio: -0.421 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 89/41 233/155 85/58][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 197/543 784/1514 236/591][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com][Certificate SHA-1: 13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24][Validity: 2017-01-12 00:00:00 - 2018-01-13 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,12,0,0,0,0,12,0,0,0,25,0,0,0,0,0,0,12,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0] + 69 TCP 172.16.42.216:50800 <-> 54.239.28.178:443 [proto: 91.178/TLS.Amazon][cat: Web/5][9 pkts/1769 bytes <-> 8 pkts/4341 bytes][Goodput ratio: 71/90][0.63 sec][ALPN: h2;http/1.1][bytes ratio: -0.421 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 89/41 233/155 85/58][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 197/543 784/1514 236/591][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com][Certificate SHA-1: 13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24][Validity: 2017-01-12 00:00:00 - 2018-01-13 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,12,0,0,0,0,12,0,0,0,25,0,0,0,0,0,0,12,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0] 70 TCP 172.16.42.216:33556 <-> 52.94.232.0:443 [proto: 91.178/TLS.Amazon][cat: Web/5][10 pkts/1505 bytes <-> 9 pkts/4591 bytes][Goodput ratio: 63/89][141.56 sec][bytes ratio: -0.506 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 76/52 174/172 68/74][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 150/510 642/1514 180/582][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: mads.amazon-adsystem.com][JA3C: bdf21e38e1f69776df407235625e75e2][ServerNames: mads.amazon-adsystem.com,mads.amazon.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=mads.amazon.com][Certificate SHA-1: E0:2E:BD:D6:46:9B:05:03:93:CC:A7:28:7A:F4:57:9C:EB:40:8F:AB][Validity: 2016-09-23 00:00:00 - 2017-10-22 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,12,0,12,0,0,0,12,0,0,0,0,12,0,0,0,0,0,12,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0] - 71 TCP 172.16.42.216:45695 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][13 pkts/4352 bytes <-> 10 pkts/1702 bytes][Goodput ratio: 83/66][4.61 sec][ALPN: h2;http/1.1][bytes ratio: 0.438 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 51/36 165/70 55/29][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 335/170 1514/555 510/190][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][PLAIN TEXT (/chPAoui.amazon.com)][Plen Bins: 0,20,10,0,0,0,20,10,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0] - 72 TCP 172.16.42.216:45688 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][12 pkts/4484 bytes <-> 8 pkts/1439 bytes][Goodput ratio: 85/68][0.83 sec][ALPN: h2;http/1.1][bytes ratio: 0.514 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 82/34 462/65 131/27][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 374/180 1514/891 537/270][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,25,12,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0] + 71 TCP 172.16.42.216:45695 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][13 pkts/4352 bytes <-> 10 pkts/1702 bytes][Goodput ratio: 83/66][4.61 sec][ALPN: h2;http/1.1][bytes ratio: 0.438 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 51/36 165/70 55/29][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 335/170 1514/555 510/190][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][PLAIN TEXT (/chPAoui.amazon.com)][Plen Bins: 0,20,10,0,0,0,20,10,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0] + 72 TCP 172.16.42.216:45688 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][12 pkts/4484 bytes <-> 8 pkts/1439 bytes][Goodput ratio: 85/68][0.83 sec][ALPN: h2;http/1.1][bytes ratio: 0.514 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 82/34 462/65 131/27][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 374/180 1514/891 537/270][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,25,12,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0] 73 TCP 172.16.42.216:42144 <-> 72.21.206.135:443 [proto: 91.178/TLS.Amazon][cat: Web/5][12 pkts/4652 bytes <-> 11 pkts/1197 bytes][Goodput ratio: 86/46][1.06 sec][ALPN: h2;http/1.1][bytes ratio: 0.591 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 40/17 110/64 38/24][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 388/109 1514/445 525/115][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: fls-na.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: d199ba0af2b08e204c73d6d81a1fd260][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,12,0,0,12,0,0,12,12,0,0,0,12,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0] 74 TCP 172.16.42.216:34041 <-> 54.239.24.186:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/4772 bytes <-> 8 pkts/1021 bytes][Goodput ratio: 87/54][0.71 sec][ALPN: h2;http/1.1][bytes ratio: 0.648 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 78/15 402/57 120/22][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 434/128 1514/449 567/131][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: mobileanalytics.us-east-1.amazonaws.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: d199ba0af2b08e204c73d6d81a1fd260][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (BWypJJanalytics.us)][Plen Bins: 0,14,0,0,14,0,0,0,14,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,14,0,14,0,0] - 75 TCP 172.16.42.216:45730 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][12 pkts/4052 bytes <-> 8 pkts/1695 bytes][Goodput ratio: 83/73][2.11 sec][ALPN: h2;http/1.1][bytes ratio: 0.410 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 211/94 922/264 266/97][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 338/212 1514/1147 531/355][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,25,12,0,0,12,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,25,0,0] - 76 TCP 172.16.42.216:45676 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][12 pkts/3258 bytes <-> 10 pkts/2390 bytes][Goodput ratio: 79/76][1.93 sec][ALPN: h2;http/1.1][bytes ratio: 0.154 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 199/75 1078/275 321/99][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 272/239 1200/891 420/327][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][PLAIN TEXT (AsNZYcTz.amazon.com)][Plen Bins: 0,25,12,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0] - 77 TCP 172.16.42.216:45704 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][14 pkts/4417 bytes <-> 9 pkts/1227 bytes][Goodput ratio: 82/57][2.65 sec][ALPN: h2;http/1.1][bytes ratio: 0.565 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 100/113 506/431 150/168][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 316/136 1514/619 495/173][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,30,10,0,0,20,0,10,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0] - 78 TCP 172.16.42.216:45728 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][12 pkts/4052 bytes <-> 8 pkts/1119 bytes][Goodput ratio: 83/58][2.13 sec][ALPN: h2;http/1.1][bytes ratio: 0.567 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 213/90 941/264 271/100][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 338/140 1514/571 531/165][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,25,12,0,0,12,0,12,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0] - 79 TCP 172.16.42.216:40878 <-> 54.239.29.253:443 [proto: 91.178/TLS.Amazon][cat: Web/5][13 pkts/2948 bytes <-> 10 pkts/1947 bytes][Goodput ratio: 75/70][6.35 sec][ALPN: h2;http/1.1][bytes ratio: 0.204 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 406/60 3799/294 1132/105][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 227/195 1514/1147 385/320][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: skills-store.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,22,11,0,22,0,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,11,0,0] + 75 TCP 172.16.42.216:45730 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][12 pkts/4052 bytes <-> 8 pkts/1695 bytes][Goodput ratio: 83/73][2.11 sec][ALPN: h2;http/1.1][bytes ratio: 0.410 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 211/94 922/264 266/97][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 338/212 1514/1147 531/355][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,25,12,0,0,12,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,25,0,0] + 76 TCP 172.16.42.216:45676 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][12 pkts/3258 bytes <-> 10 pkts/2390 bytes][Goodput ratio: 79/76][1.93 sec][ALPN: h2;http/1.1][bytes ratio: 0.154 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 199/75 1078/275 321/99][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 272/239 1200/891 420/327][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][PLAIN TEXT (AsNZYcTz.amazon.com)][Plen Bins: 0,25,12,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0] + 77 TCP 172.16.42.216:45704 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][14 pkts/4417 bytes <-> 9 pkts/1227 bytes][Goodput ratio: 82/57][2.65 sec][ALPN: h2;http/1.1][bytes ratio: 0.565 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 100/113 506/431 150/168][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 316/136 1514/619 495/173][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,30,10,0,0,20,0,10,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0] + 78 TCP 172.16.42.216:45728 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][12 pkts/4052 bytes <-> 8 pkts/1119 bytes][Goodput ratio: 83/58][2.13 sec][ALPN: h2;http/1.1][bytes ratio: 0.567 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 213/90 941/264 271/100][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 338/140 1514/571 531/165][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,25,12,0,0,12,0,12,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0] + 79 TCP 172.16.42.216:40878 <-> 54.239.29.253:443 [proto: 91.178/TLS.Amazon][cat: Web/5][13 pkts/2948 bytes <-> 10 pkts/1947 bytes][Goodput ratio: 75/70][6.35 sec][ALPN: h2;http/1.1][bytes ratio: 0.204 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 406/60 3799/294 1132/105][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 227/195 1514/1147 385/320][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: skills-store.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,22,11,0,22,0,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,11,0,0] 80 TCP 172.16.42.216:37113 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][13 pkts/3881 bytes <-> 11 pkts/979 bytes][Goodput ratio: 81/34][101.19 sec][bytes ratio: 0.597 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 9975/51 99124/160 29716/50][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 299/89 1514/251 520/57][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **][TLSv1][JA3C: f8f5b71e02603b283e55b50d17ede861][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 12,25,12,0,0,12,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0] - 81 TCP 172.16.42.216:45687 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/3204 bytes <-> 8 pkts/1439 bytes][Goodput ratio: 81/68][1.60 sec][ALPN: h2;http/1.1][bytes ratio: 0.380 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 175/92 839/363 256/141][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 291/180 1200/891 434/270][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,28,14,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,28,0,0,0,0,0,0,0,0,0,0,0,0] + 81 TCP 172.16.42.216:45687 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/3204 bytes <-> 8 pkts/1439 bytes][Goodput ratio: 81/68][1.60 sec][ALPN: h2;http/1.1][bytes ratio: 0.380 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 175/92 839/363 256/141][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 291/180 1200/891 434/270][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,28,14,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,28,0,0,0,0,0,0,0,0,0,0,0,0] 82 TCP 172.16.42.216:38364 <-> 34.199.52.240:443 [proto: 91.178/TLS.Amazon][cat: Web/5][10 pkts/1839 bytes <-> 8 pkts/2676 bytes][Goodput ratio: 65/80][4.64 sec][ALPN: h2;http/1.1][bytes ratio: -0.185 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 568/909 4291/4349 1408/1720][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 184/334 950/1514 267/475][Risk: ** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: cognito-identity.us-east-1.amazonaws.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 303951d4c50efb2e991652225a6f02b1][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 14,14,0,0,14,0,0,0,14,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0] 83 TCP 172.16.42.216:39750 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/3427 bytes <-> 8 pkts/990 bytes][Goodput ratio: 82/54][10.86 sec][bytes ratio: 0.552 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1171/307 7806/676 2441/248][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 312/124 1344/251 489/78][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **][TLSv1][JA3C: f8f5b71e02603b283e55b50d17ede861][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,25,12,0,0,12,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0] - 84 TCP 172.16.42.216:45750 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/2308 bytes <-> 9 pkts/1786 bytes][Goodput ratio: 73/71][14.18 sec][ALPN: h2;http/1.1][bytes ratio: 0.128 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1574/1261 6636/6789 2408/2485][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 210/198 752/619 264/226][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,25,12,0,0,0,0,12,0,0,0,0,0,0,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 85 TCP 172.16.42.216:45751 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][12 pkts/2858 bytes <-> 9 pkts/1147 bytes][Goodput ratio: 77/54][5.53 sec][ALPN: h2;http/1.1][bytes ratio: 0.427 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 576/51 3507/307 1076/114][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 238/127 1514/539 396/148][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,25,12,0,0,0,25,12,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0] - 86 TCP 172.16.42.216:45752 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/2554 bytes <-> 7 pkts/1347 bytes][Goodput ratio: 76/70][6.39 sec][ALPN: h2;http/1.1][bytes ratio: 0.309 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 710/47 5318/161 1636/67][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 232/192 1514/859 413/274][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,28,14,0,0,14,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0] - 87 TCP 172.16.42.216:45729 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/2634 bytes <-> 8 pkts/1167 bytes][Goodput ratio: 77/60][2.03 sec][ALPN: h2;http/1.1][bytes ratio: 0.386 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 225/87 1171/213 351/79][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 239/146 1514/619 414/181][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,28,14,0,0,0,0,14,14,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0] - 88 TCP 172.16.42.216:45731 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/2586 bytes <-> 8 pkts/1103 bytes][Goodput ratio: 76/58][2.10 sec][ALPN: h2;http/1.1][bytes ratio: 0.402 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 232/44 1171/139 350/57][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 235/138 1514/555 413/160][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,28,14,0,0,0,14,14,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0] - 89 TCP 172.16.42.216:45705 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/2522 bytes <-> 8 pkts/1151 bytes][Goodput ratio: 76/60][2.65 sec][ALPN: h2;http/1.1][bytes ratio: 0.373 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 294/123 899/429 317/169][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 229/144 1514/603 413/176][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,28,14,0,14,0,0,14,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0] - 90 TCP 172.16.42.216:45663 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][10 pkts/1988 bytes <-> 8 pkts/1439 bytes][Goodput ratio: 72/68][1.00 sec][ALPN: h2;http/1.1][bytes ratio: 0.160 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 120/18 711/52 226/22][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 199/180 1184/891 336/270][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,34,16,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0] - 91 TCP 172.16.42.216:45662 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][10 pkts/1956 bytes <-> 8 pkts/1439 bytes][Goodput ratio: 71/68][1.02 sec][ALPN: h2;http/1.1][bytes ratio: 0.152 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 125/16 711/63 224/24][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 196/180 1152/891 327/270][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,34,16,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0] - 92 TCP 172.16.42.216:45677 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][10 pkts/1988 bytes <-> 7 pkts/1379 bytes][Goodput ratio: 72/71][1.91 sec][ALPN: h2;http/1.1][bytes ratio: 0.181 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 202/62 1313/148 421/64][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 199/197 1184/891 336/285][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,34,16,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0] - 93 TCP 172.16.42.216:45709 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/1849 bytes <-> 9 pkts/1227 bytes][Goodput ratio: 67/57][6.32 sec][ALPN: h2;http/1.1][bytes ratio: 0.202 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 702/216 4375/1192 1340/437][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 168/136 752/619 205/173][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,28,14,0,0,0,0,28,0,0,0,0,0,0,0,0,0,14,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 84 TCP 172.16.42.216:45750 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/2308 bytes <-> 9 pkts/1786 bytes][Goodput ratio: 73/71][14.18 sec][ALPN: h2;http/1.1][bytes ratio: 0.128 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1574/1261 6636/6789 2408/2485][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 210/198 752/619 264/226][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,25,12,0,0,0,0,12,0,0,0,0,0,0,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 85 TCP 172.16.42.216:45751 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][12 pkts/2858 bytes <-> 9 pkts/1147 bytes][Goodput ratio: 77/54][5.53 sec][ALPN: h2;http/1.1][bytes ratio: 0.427 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 576/51 3507/307 1076/114][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 238/127 1514/539 396/148][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,25,12,0,0,0,25,12,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0] + 86 TCP 172.16.42.216:45752 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/2554 bytes <-> 7 pkts/1347 bytes][Goodput ratio: 76/70][6.39 sec][ALPN: h2;http/1.1][bytes ratio: 0.309 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 710/47 5318/161 1636/67][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 232/192 1514/859 413/274][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,28,14,0,0,14,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0] + 87 TCP 172.16.42.216:45729 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/2634 bytes <-> 8 pkts/1167 bytes][Goodput ratio: 77/60][2.03 sec][ALPN: h2;http/1.1][bytes ratio: 0.386 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 225/87 1171/213 351/79][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 239/146 1514/619 414/181][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,28,14,0,0,0,0,14,14,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0] + 88 TCP 172.16.42.216:45731 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/2586 bytes <-> 8 pkts/1103 bytes][Goodput ratio: 76/58][2.10 sec][ALPN: h2;http/1.1][bytes ratio: 0.402 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 232/44 1171/139 350/57][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 235/138 1514/555 413/160][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,28,14,0,0,0,14,14,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0] + 89 TCP 172.16.42.216:45705 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/2522 bytes <-> 8 pkts/1151 bytes][Goodput ratio: 76/60][2.65 sec][ALPN: h2;http/1.1][bytes ratio: 0.373 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 294/123 899/429 317/169][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 229/144 1514/603 413/176][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,28,14,0,14,0,0,14,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0] + 90 TCP 172.16.42.216:45663 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][10 pkts/1988 bytes <-> 8 pkts/1439 bytes][Goodput ratio: 72/68][1.00 sec][ALPN: h2;http/1.1][bytes ratio: 0.160 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 120/18 711/52 226/22][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 199/180 1184/891 336/270][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,34,16,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0] + 91 TCP 172.16.42.216:45662 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][10 pkts/1956 bytes <-> 8 pkts/1439 bytes][Goodput ratio: 71/68][1.02 sec][ALPN: h2;http/1.1][bytes ratio: 0.152 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 125/16 711/63 224/24][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 196/180 1152/891 327/270][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,34,16,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0] + 92 TCP 172.16.42.216:45677 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][10 pkts/1988 bytes <-> 7 pkts/1379 bytes][Goodput ratio: 72/71][1.91 sec][ALPN: h2;http/1.1][bytes ratio: 0.181 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 202/62 1313/148 421/64][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 199/197 1184/891 336/285][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,34,16,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0] + 93 TCP 172.16.42.216:45709 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/1849 bytes <-> 9 pkts/1227 bytes][Goodput ratio: 67/57][6.32 sec][ALPN: h2;http/1.1][bytes ratio: 0.202 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 702/216 4375/1192 1340/437][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 168/136 752/619 205/173][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,28,14,0,0,0,0,28,0,0,0,0,0,0,0,0,0,14,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 94 TCP 172.16.42.216:49589 <-> 52.94.232.134:80 [proto: 7.110/HTTP.AmazonAlexa][cat: VirtualAssistant/32][7 pkts/2390 bytes <-> 4 pkts/419 bytes][Goodput ratio: 83/44][1.98 sec][Host: alexa.amazon.com][bytes ratio: 0.702 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 383/224 1350/449 498/224][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 341/105 1050/237 448/76][URL: alexa.amazon.com/lib/bootstrap/img/glyphicons-halflings.png][StatusCode: 404][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /lib/bootstrap/im)][Plen Bins: 0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 95 TCP 172.16.42.216:49572 <-> 52.94.232.134:80 [proto: 7.110/HTTP.AmazonAlexa][cat: VirtualAssistant/32][6 pkts/1152 bytes <-> 4 pkts/1582 bytes][Goodput ratio: 70/85][1.16 sec][Host: alexa.amazon.com][bytes ratio: -0.157 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/15 232/42 901/70 336/28][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 192/396 862/1400 300/580][URL: alexa.amazon.com/manifest/pitangui.appcache][StatusCode: 200][Content-Type: text/cache-manifest][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /manifest/pitangui.appcache)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0] 96 TCP 172.16.42.216:49606 <-> 52.94.232.134:80 [proto: 7.110/HTTP.AmazonAlexa][cat: VirtualAssistant/32][6 pkts/1124 bytes <-> 4 pkts/1582 bytes][Goodput ratio: 69/85][4.72 sec][Host: alexa.amazon.com][bytes ratio: -0.169 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/17 943/66 4438/116 1748/50][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 187/396 834/1400 289/580][URL: alexa.amazon.com/manifest/pitangui.appcache][StatusCode: 200][Content-Type: text/cache-manifest][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /manifest/pitangui.appcache)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0] @@ -116,11 +116,11 @@ JA3 Host Stats: 98 TCP 172.16.42.216:42878 <-> 173.194.223.188:5228 [proto: 91.239/TLS.GoogleServices][cat: Web/5][8 pkts/1484 bytes <-> 9 pkts/1103 bytes][Goodput ratio: 63/45][0.44 sec][bytes ratio: 0.147 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 46/36 119/119 39/43][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 186/123 583/205 193/57][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: mtalk.google.com][JA3C: a5a59633017c3d696d2c69350e5fc004][JA3S: 9b1466fd60cadccb848e09c86e284265][Cipher: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256][Plen Bins: 12,12,0,38,12,0,0,0,0,0,0,12,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 99 TCP 172.16.42.216:58048 <-> 54.239.28.178:443 [proto: 91.178/TLS.Amazon][cat: Web/5][10 pkts/1320 bytes <-> 9 pkts/1259 bytes][Goodput ratio: 58/58][0.27 sec][bytes ratio: 0.024 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 32/23 69/70 31/32][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 132/140 544/651 147/183][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **][TLSv1][JA3C: f8f5b71e02603b283e55b50d17ede861][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,42,14,0,0,14,0,0,0,0,0,0,0,0,0,14,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 100 TCP 172.16.42.216:49630 <-> 52.94.232.134:80 [proto: 7.110/HTTP.AmazonAlexa][cat: VirtualAssistant/32][6 pkts/1340 bytes <-> 4 pkts/419 bytes][Goodput ratio: 74/44][5.51 sec][Host: alexa.amazon.com][bytes ratio: 0.524 (Upload)][IAT c2s/s2c min/avg/max/stddev: 23/0 1100/138 4406/275 1672/138][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 223/105 1050/237 370/76][URL: alexa.amazon.com/lib/bootstrap/img/glyphicons-halflings.png][StatusCode: 404][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /lib/bootstrap/im)][Plen Bins: 0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 101 TCP 172.16.42.216:45697 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][9 pkts/1043 bytes <-> 5 pkts/428 bytes][Goodput ratio: 51/32][4.57 sec][ALPN: h2;http/1.1][bytes ratio: 0.418 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 68/182 298/364 98/182][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 116/86 293/139 96/32][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,40,20,0,0,0,0,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 102 TCP 172.16.42.216:45683 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][9 pkts/804 bytes <-> 6 pkts/620 bytes][Goodput ratio: 37/44][1.83 sec][ALPN: h2;http/1.1][bytes ratio: 0.129 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 261/21 1643/62 565/29][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 89/103 293/192 74/49][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,40,20,0,20,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 103 TCP 172.16.42.216:45698 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][9 pkts/804 bytes <-> 6 pkts/620 bytes][Goodput ratio: 37/44][4.37 sec][ALPN: h2;http/1.1][bytes ratio: 0.129 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 624/21 4189/59 1456/27][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 89/103 293/192 74/49][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,40,20,0,20,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 104 TCP 172.16.42.216:45678 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][8 pkts/750 bytes <-> 6 pkts/488 bytes][Goodput ratio: 40/28][1.91 sec][ALPN: h2;http/1.1][bytes ratio: 0.212 (Upload)][IAT c2s/s2c min/avg/max/stddev: 3/0 48/38 103/102 37/45][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 94/81 293/139 78/31][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,50,25,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 105 TCP 172.16.42.216:45679 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][8 pkts/750 bytes <-> 5 pkts/428 bytes][Goodput ratio: 40/32][1.90 sec][ALPN: h2;http/1.1][bytes ratio: 0.273 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 44/87 101/159 37/66][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 94/86 293/139 78/32][Risk: ** Obsolete TLS version (< 1.1) **** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,50,25,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 101 TCP 172.16.42.216:45697 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][9 pkts/1043 bytes <-> 5 pkts/428 bytes][Goodput ratio: 51/32][4.57 sec][ALPN: h2;http/1.1][bytes ratio: 0.418 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 68/182 298/364 98/182][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 116/86 293/139 96/32][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,40,20,0,0,0,0,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 102 TCP 172.16.42.216:45683 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][9 pkts/804 bytes <-> 6 pkts/620 bytes][Goodput ratio: 37/44][1.83 sec][ALPN: h2;http/1.1][bytes ratio: 0.129 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 261/21 1643/62 565/29][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 89/103 293/192 74/49][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,40,20,0,20,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 103 TCP 172.16.42.216:45698 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][9 pkts/804 bytes <-> 6 pkts/620 bytes][Goodput ratio: 37/44][4.37 sec][ALPN: h2;http/1.1][bytes ratio: 0.129 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 624/21 4189/59 1456/27][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 89/103 293/192 74/49][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,40,20,0,20,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 104 TCP 172.16.42.216:45678 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][8 pkts/750 bytes <-> 6 pkts/488 bytes][Goodput ratio: 40/28][1.91 sec][ALPN: h2;http/1.1][bytes ratio: 0.212 (Upload)][IAT c2s/s2c min/avg/max/stddev: 3/0 48/38 103/102 37/45][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 94/81 293/139 78/31][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,50,25,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 105 TCP 172.16.42.216:45679 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][cat: Web/5][8 pkts/750 bytes <-> 5 pkts/428 bytes][Goodput ratio: 40/32][1.90 sec][ALPN: h2;http/1.1][bytes ratio: 0.273 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 44/87 101/159 37/66][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 94/86 293/139 78/32][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,50,25,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 106 TCP 172.16.42.216:35540 <-> 172.217.9.142:80 [proto: 7.126/HTTP.Google][cat: ConnectivityCheck/30][4 pkts/460 bytes <-> 3 pkts/289 bytes][Goodput ratio: 41/29][0.09 sec][Host: connectivitycheck.android.com][bytes ratio: 0.228 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 30/24 45/48 20/24][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 115/96 254/149 80/37][URL: connectivitycheck.android.com/generate_204][StatusCode: 204][User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; LGLS751 Build/LMY47V)][PLAIN TEXT (GET /generate)][Plen Bins: 0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 107 TCP 172.16.42.216:60246 <-> 172.217.9.142:80 [proto: 7.126/HTTP.Google][cat: ConnectivityCheck/30][4 pkts/460 bytes <-> 3 pkts/289 bytes][Goodput ratio: 41/29][0.14 sec][Host: connectivitycheck.android.com][bytes ratio: 0.228 (Upload)][IAT c2s/s2c min/avg/max/stddev: 3/8 45/48 94/89 37/40][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 115/96 254/149 80/37][URL: connectivitycheck.android.com/generate_204][StatusCode: 204][User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; LGLS751 Build/LMY47V)][PLAIN TEXT (GET /generate)][Plen Bins: 0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 108 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][2 pkts/714 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][< 1 sec][Host: android-1c1335ec95a27318][DHCP Fingerprint: 1,33,3,6,15,26,28][PLAIN TEXT (android)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/dtls_certificate_fragments.pcap.out b/tests/result/dtls_certificate_fragments.pcap.out index e9461e6c9..c345e8c77 100644 --- a/tests/result/dtls_certificate_fragments.pcap.out +++ b/tests/result/dtls_certificate_fragments.pcap.out @@ -5,4 +5,4 @@ JA3 Host Stats: 1 10.186.198.149 1 - 1 UDP 10.186.198.149:39347 <-> 35.210.59.134:44443 [proto: 30/DTLS][cat: Web/5][11 pkts/2624 bytes <-> 9 pkts/3354 bytes][Goodput ratio: 82/89][2.92 sec][bytes ratio: -0.122 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 324/76 2179/186 659/75][Pkt Len c2s/s2c min/avg/max/stddev: 167/90 239/373 416/1454 97/388][Risk: ** Weak TLS cipher **** TLS (probably) not carrying HTTPS **** SNI TLS extension was missing **][DTLSv1.0][JA3C: 3c3d129780d0066cd8936a6291a8d44f][JA3S: d45798bc098cd930de7eb2f5f866e994 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][PLAIN TEXT (Opera Software ASA1)][Plen Bins: 0,5,0,35,5,10,10,0,10,10,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0] + 1 UDP 10.186.198.149:39347 <-> 35.210.59.134:44443 [proto: 30/DTLS][cat: Web/5][11 pkts/2624 bytes <-> 9 pkts/3354 bytes][Goodput ratio: 82/89][2.92 sec][bytes ratio: -0.122 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 324/76 2179/186 659/75][Pkt Len c2s/s2c min/avg/max/stddev: 167/90 239/373 416/1454 97/388][Risk: ** Weak TLS cipher **** TLS (probably) not carrying HTTPS **** SNI TLS extension was missing **][DTLSv1.2][JA3C: 3c3d129780d0066cd8936a6291a8d44f][JA3S: d45798bc098cd930de7eb2f5f866e994 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][PLAIN TEXT (Opera Software ASA1)][Plen Bins: 0,5,0,35,5,10,10,0,10,10,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0] |