diff options
| author | Luca Deri <deri@ntop.org> | 2022-01-09 18:47:47 +0100 |
|---|---|---|
| committer | Luca Deri <deri@ntop.org> | 2022-01-09 18:47:47 +0100 |
| commit | 708d4ea33a4734eba7d3b3738115a2ae7e13ba67 (patch) | |
| tree | 92f30468a85739ea4467e1beba2c1bba082c902c | |
| parent | bf69321a29699776f24b74e71c5dc3c80ede161b (diff) | |
Improved user agent analysis
| -rw-r--r-- | example/reader_util.h | 2 | ||||
| -rw-r--r-- | src/lib/protocols/http.c | 40 | ||||
| -rw-r--r-- | tests/result/alexa-app.pcapng.out | 34 | ||||
| -rw-r--r-- | tests/result/ocs.pcap.out | 2 | ||||
| -rw-r--r-- | tests/result/quickplay.pcap.out | 16 |
5 files changed, 52 insertions, 42 deletions
diff --git a/example/reader_util.h b/example/reader_util.h index 83cb714f9..89bdd382c 100644 --- a/example/reader_util.h +++ b/example/reader_util.h @@ -225,7 +225,7 @@ typedef struct ndpi_flow_info { } ssh_tls; struct { - char url[256], request_content_type[64], content_type[64], user_agent[128]; + char url[256], request_content_type[64], content_type[64], user_agent[256]; u_int response_status_code; } http; diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 7a6fa1078..99a49ab2d 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -421,26 +421,36 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, char *ua) { - int log4j_exploit = -1; + u_int len; - if((!ua) || (ua[0] == '\0')) return; - - if((strlen(ua) < 4) - || (!strncmp(ua, "test", 4)) - || (!strncmp(ua, "<?", 2)) - || strchr(ua, '{') - || strchr(ua, '}') - || (!(log4j_exploit = strncmp(ua, "jndi:ldap://", 12))) /* Log4J */ - // || ndpi_check_dga_name(ndpi_struct, NULL, ua, 0) - // || ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, ua) - ) { + if((!ua) || (ua[0] == '\0')) + return; + else + len = strlen(ua); + + if( + (!strncmp(ua, "<?", 2)) + || strchr(ua, '$') + || strstr(ua, "://") // || (!strncmp(ua, "jndi:ldap://", 12)) /* Log4J */ + // || ndpi_check_dga_name(ndpi_struct, NULL, ua, 0) + // || ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, ua) + ) { + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT); + + ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT); + } else if( + (len < 4) /* Too short */ + || (len > 256) /* Too long */ + || (!strncmp(ua, "test", 4)) + || strchr(ua, '{') + || strchr(ua, '}') + ) { ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT); - - if(log4j_exploit == 0) /* Log4J exploit */ - ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT); } } +/* ************************************************************* */ + int http_process_user_agent(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, const u_int8_t *ua_ptr, u_int16_t ua_ptr_len) { diff --git a/tests/result/alexa-app.pcapng.out b/tests/result/alexa-app.pcapng.out index 4b7c93d52..ac981e571 100644 --- a/tests/result/alexa-app.pcapng.out +++ b/tests/result/alexa-app.pcapng.out @@ -26,9 +26,9 @@ JA3 Host Stats: 2 TCP 172.16.42.216:54411 <-> 52.85.209.216:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][40 pkts/9869 bytes <-> 38 pkts/36764 bytes][Goodput ratio: 73/93][4.46 sec][Hostname/SNI: www.amazon.com][ALPN: h2;http/1.1][bytes ratio: -0.577 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 89/33 1629/317 305/68][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 247/967 1514/1514 433/642][Risk: ** Possibly Malicious JA3 Fingerprint **][Risk Score: 50][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com][Certificate SHA-1: EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E][Validity: 2016-10-31 00:00:00 - 2017-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,2,0,2,0,0,2,2,0,0,0,2,2,0,0,0,0,0,0,0,0,0,2,2,0,0,0,0,0,0,0,0,8,2,0,2,0,0,0,0,0,0,0,0,0,69,0,0] 3 TCP 172.16.42.216:41828 <-> 52.85.209.143:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][31 pkts/13163 bytes <-> 34 pkts/25939 bytes][Goodput ratio: 84/91][3.25 sec][Hostname/SNI: www.amazon.com][ALPN: h2;http/1.1][bytes ratio: -0.327 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 111/38 1832/535 365/102][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 425/763 1514/1514 587/629][Risk: ** Possibly Malicious JA3 Fingerprint **][Risk Score: 50][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com][Certificate SHA-1: EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E][Validity: 2016-10-31 00:00:00 - 2017-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 2,2,2,8,0,0,2,2,2,0,2,0,0,2,0,0,2,0,0,2,0,2,5,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,53,0,0] 4 TCP 172.16.42.216:40856 <-> 54.239.29.253:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][47 pkts/4785 bytes <-> 51 pkts/31984 bytes][Goodput ratio: 47/91][2.59 sec][Hostname/SNI: skills-store.amazon.com][ALPN: h2;http/1.1][bytes ratio: -0.740 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 65/13 1811/246 293/44][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 102/627 1514/1514 218/316][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][Risk Score: 150][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: skills-store.amazon.com][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=skills-store.amazon.com][Certificate SHA-1: 2A:40:0E:E9:9A:EC:7C:0D:40:AA:C9:C5:66:67:00:B8:3E:90:DC:B2][Validity: 2016-05-14 00:00:00 - 2017-05-15 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,3,0,0,0,0,1,1,0,0,1,0,0,1,0,0,0,80,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,7,0,0] - 5 TCP 172.16.42.216:51986 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][31 pkts/3707 bytes <-> 28 pkts/31731 bytes][Goodput ratio: 44/94][1.26 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.791 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 32/21 364/286 86/68][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 120/1133 613/1514 162/585][URL: ecx.images-amazon.com/images/I/81diFQyVjHL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /images/I/81diF)][Plen Bins: 3,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,3,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,3,68,0,0] - 6 TCP 172.16.42.216:51995 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][22 pkts/2590 bytes <-> 25 pkts/31047 bytes][Goodput ratio: 42/95][1.13 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.846 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 54/42 536/536 126/120][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 118/1242 613/1514 157/474][URL: ecx.images-amazon.com/images/I/5100jxqrQhL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /images/I/5100j)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,8,0,0,0,4,0,0,0,0,67,0,0] - 7 TCP 172.16.42.216:51992 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][27 pkts/3443 bytes <-> 24 pkts/29237 bytes][Goodput ratio: 48/95][1.13 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.789 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 36/6 368/110 98/25][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 128/1218 613/1514 172/546][URL: ecx.images-amazon.com/images/I/71nqwmwmRlL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /images/I/71nqwmwmRlL.)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,74,0,0] + 5 TCP 172.16.42.216:51986 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][31 pkts/3707 bytes <-> 28 pkts/31731 bytes][Goodput ratio: 44/94][1.26 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.791 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 32/21 364/286 86/68][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 120/1133 613/1514 162/585][URL: ecx.images-amazon.com/images/I/81diFQyVjHL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36 PitanguiBridge/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]][PLAIN TEXT (GET /images/I/81diF)][Plen Bins: 3,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,3,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,3,68,0,0] + 6 TCP 172.16.42.216:51995 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][22 pkts/2590 bytes <-> 25 pkts/31047 bytes][Goodput ratio: 42/95][1.13 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.846 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 54/42 536/536 126/120][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 118/1242 613/1514 157/474][URL: ecx.images-amazon.com/images/I/5100jxqrQhL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36 PitanguiBridge/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]][PLAIN TEXT (GET /images/I/5100j)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,8,0,0,0,4,0,0,0,0,67,0,0] + 7 TCP 172.16.42.216:51992 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][27 pkts/3443 bytes <-> 24 pkts/29237 bytes][Goodput ratio: 48/95][1.13 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.789 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 36/6 368/110 98/25][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 128/1218 613/1514 172/546][URL: ecx.images-amazon.com/images/I/71nqwmwmRlL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36 PitanguiBridge/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]][PLAIN TEXT (GET /images/I/71nqwmwmRlL.)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,74,0,0] 8 TCP 172.16.42.216:41691 <-> 54.239.29.146:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][28 pkts/5292 bytes <-> 28 pkts/24601 bytes][Goodput ratio: 71/94][100.86 sec][Hostname/SNI: api.amazon.com][bytes ratio: -0.646 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 37/78 293/443 72/134][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 189/879 1514/1514 381/687][Risk: ** TLS (probably) not carrying HTTPS **][Risk Score: 10][TLSv1.2][JA3C: bdf21e38e1f69776df407235625e75e2][ServerNames: api.amazon.com,wsync.us-east-1.amazon.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=api.amazon.com][Certificate SHA-1: 1D:A3:CD:C3:06:9E:9B:A0:61:1E:1A:75:55:C1:A8:B0:DC:F8:75:2D][Firefox][Validity: 2016-09-05 00:00:00 - 2017-09-23 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,3,0,3,0,15,3,0,0,0,0,0,3,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,68,0,0] 9 TCP 172.16.42.216:38483 <-> 52.85.209.143:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][32 pkts/3796 bytes <-> 30 pkts/25146 bytes][Goodput ratio: 44/92][0.66 sec][bytes ratio: -0.738 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/19 227/241 45/48][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 119/838 732/1514 163/608][Risk: ** TLS (probably) not carrying HTTPS **** SNI TLS extension was missing **][Risk Score: 60][TLSv1.2][JA3C: 36e9ceaa96dd810482573844f78a063f][ServerNames: amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com][Certificate SHA-1: EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E][Firefox][Validity: 2016-10-31 00:00:00 - 2017-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,12,3,6,0,0,6,0,0,0,0,3,3,0,0,3,0,3,0,0,6,3,0,3,0,0,3,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,40,0,0] 10 TCP 172.16.42.216:34034 <-> 54.239.24.186:443 [proto: 91.265/TLS.AmazonAWS][Encrypted][cat: Cloud/13][24 pkts/22786 bytes <-> 19 pkts/2185 bytes][Goodput ratio: 94/49][1.87 sec][Hostname/SNI: mobileanalytics.us-east-1.amazonaws.com][ALPN: h2;http/1.1][bytes ratio: 0.825 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 65/76 511/512 132/142][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 949/115 1514/564 678/140][Risk: ** Possibly Malicious JA3 Fingerprint **][Risk Score: 50][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: d199ba0af2b08e204c73d6d81a1fd260][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 4,4,0,0,4,0,0,0,4,0,0,0,4,0,0,4,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,65,0,0] @@ -36,22 +36,22 @@ JA3 Host Stats: 12 TCP 172.16.42.216:45710 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][26 pkts/13063 bytes <-> 23 pkts/8561 bytes][Goodput ratio: 89/85][10.20 sec][Hostname/SNI: pitangui.amazon.com][ALPN: h2;http/1.1][bytes ratio: 0.208 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 464/535 3346/6303 892/1474][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 502/372 1514/1514 619/511][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][Risk Score: 150][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 3,7,3,3,7,3,3,11,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,41,0,0] 13 TCP 172.16.42.216:54434 <-> 52.85.209.216:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][18 pkts/9106 bytes <-> 15 pkts/10708 bytes][Goodput ratio: 86/91][3.73 sec][Hostname/SNI: www.amazon.com][ALPN: h2;http/1.1][bytes ratio: -0.081 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 17/241 96/1116 31/336][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 506/714 1514/1514 633/678][TLSv1.2][JA3C: 5ee142340adf02ded757447e2ff78986][JA3S: d199ba0af2b08e204c73d6d81a1fd260][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,6,6,0,6,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,6,57,0,0] 14 TCP 172.16.42.216:41914 <-> 52.84.62.115:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][20 pkts/6834 bytes <-> 15 pkts/11310 bytes][Goodput ratio: 80/91][0.96 sec][Hostname/SNI: images-na.ssl-images-amazon.com][ALPN: h2;http/1.1][bytes ratio: -0.247 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 51/50 222/242 77/88][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 342/754 1351/1514 506/588][Risk: ** Possibly Malicious JA3 Fingerprint **][Risk Score: 50][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: images-na.ssl-images-amazon.com,images-eu.ssl-images-amazon.com,images-fe.ssl-images-amazon.com,m.media-amazon.com][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=Images-na.ssl-images-amazon.com][Certificate SHA-1: 39:3D:27:B3:4D:FA:B4:04:AB:48:7F:5C:CB:A9:9A:95:F5:22:2A:52][Validity: 2016-09-23 00:00:00 - 2017-10-26 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,10,0,5,0,0,5,0,10,0,0,0,0,0,10,0,0,0,0,0,0,5,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,5,15,0,0,0,0,27,0,0] - 15 TCP 172.16.42.216:51997 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][16 pkts/1611 bytes <-> 14 pkts/16206 bytes][Goodput ratio: 34/94][1.14 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.819 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 68/24 628/205 165/61][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 101/1158 613/1514 132/593][URL: ecx.images-amazon.com/images/I/61Tfp7ZVcoL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /images/I/61Tfp)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,83,0,0] - 16 TCP 172.16.42.216:51989 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][17 pkts/2771 bytes <-> 14 pkts/14992 bytes][Goodput ratio: 59/94][1.36 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.688 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 71/69 377/743 125/213][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 163/1071 613/1514 208/642][URL: ecx.images-amazon.com/images/I/71pwMKDRQIL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (zTGET /images/I/71pwMKDRQIL.)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,69,0,0] + 15 TCP 172.16.42.216:51997 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][16 pkts/1611 bytes <-> 14 pkts/16206 bytes][Goodput ratio: 34/94][1.14 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.819 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 68/24 628/205 165/61][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 101/1158 613/1514 132/593][URL: ecx.images-amazon.com/images/I/61Tfp7ZVcoL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36 PitanguiBridge/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]][PLAIN TEXT (GET /images/I/61Tfp)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,83,0,0] + 16 TCP 172.16.42.216:51989 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][17 pkts/2771 bytes <-> 14 pkts/14992 bytes][Goodput ratio: 59/94][1.36 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.688 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 71/69 377/743 125/213][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 163/1071 613/1514 208/642][URL: ecx.images-amazon.com/images/I/71pwMKDRQIL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36 PitanguiBridge/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]][PLAIN TEXT (zTGET /images/I/71pwMKDRQIL.)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,69,0,0] 17 TCP 172.16.42.216:44912 <-> 54.239.23.94:443 [proto: 91.265/TLS.AmazonAWS][Encrypted][cat: Cloud/13][19 pkts/11483 bytes <-> 14 pkts/5858 bytes][Goodput ratio: 91/86][10.46 sec][Hostname/SNI: mobileanalytics.us-east-1.amazonaws.com][ALPN: h2;http/1.1][bytes ratio: 0.324 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 552/875 3665/7470 1005/2334][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 604/418 1514/1514 650/593][Risk: ** Possibly Malicious JA3 Fingerprint **][Risk Score: 50][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: mobileanalytics.us-east-1.amazonaws.com][JA3S: 159d46e54a2c066ef95e656fdf034e1d][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=mobileanalytics.us-east-1.amazonaws.com][Certificate SHA-1: 87:AD:E9:2D:E8:42:F0:5C:3A:09:13:00:12:93:59:04:84:C3:E2:2D][Validity: 2016-05-31 00:00:00 - 2017-06-26 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,6,0,6,0,0,0,6,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,41,0,27,0,0] - 18 TCP 172.16.42.216:51990 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][15 pkts/1557 bytes <-> 13 pkts/15104 bytes][Goodput ratio: 35/94][1.25 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.813 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 88/21 682/138 190/45][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 104/1162 613/1514 136/600][URL: ecx.images-amazon.com/images/I/612xlaOI2NL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (tyGET /images/I/612)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,72,0,0] - 19 TCP 172.16.42.216:51988 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][15 pkts/1557 bytes <-> 13 pkts/14454 bytes][Goodput ratio: 35/94][1.26 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.806 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 77/27 681/154 186/53][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 104/1112 613/1514 136/592][URL: ecx.images-amazon.com/images/I/61oBTb+jZvL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /images/I/61oBTb)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,72,0,0] + 18 TCP 172.16.42.216:51990 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][15 pkts/1557 bytes <-> 13 pkts/15104 bytes][Goodput ratio: 35/94][1.25 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.813 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 88/21 682/138 190/45][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 104/1162 613/1514 136/600][URL: ecx.images-amazon.com/images/I/612xlaOI2NL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36 PitanguiBridge/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]][PLAIN TEXT (tyGET /images/I/612)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,72,0,0] + 19 TCP 172.16.42.216:51988 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][15 pkts/1557 bytes <-> 13 pkts/14454 bytes][Goodput ratio: 35/94][1.26 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.806 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 77/27 681/154 186/53][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 104/1112 613/1514 136/592][URL: ecx.images-amazon.com/images/I/61oBTb+jZvL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36 PitanguiBridge/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]][PLAIN TEXT (GET /images/I/61oBTb)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,72,0,0] 20 TCP 172.16.42.216:40871 <-> 54.239.29.253:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][20 pkts/7766 bytes <-> 21 pkts/8198 bytes][Goodput ratio: 86/86][3.82 sec][Hostname/SNI: skills-store.amazon.com][ALPN: h2;http/1.1][bytes ratio: -0.027 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 182/130 1403/1107 358/296][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 388/390 1514/1514 570/458][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][Risk Score: 150][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,18,9,4,0,0,0,9,4,0,0,0,4,0,0,0,0,13,0,0,0,4,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,0,0] 21 TCP 172.16.42.216:41912 <-> 52.84.62.115:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][16 pkts/3960 bytes <-> 14 pkts/11986 bytes][Goodput ratio: 73/92][0.96 sec][Hostname/SNI: images-na.ssl-images-amazon.com][ALPN: h2;http/1.1][bytes ratio: -0.503 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 71/14 669/71 174/23][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 248/856 1340/1514 415/644][Risk: ** Possibly Malicious JA3 Fingerprint **][Risk Score: 50][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: images-na.ssl-images-amazon.com,images-eu.ssl-images-amazon.com,images-fe.ssl-images-amazon.com,m.media-amazon.com][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=Images-na.ssl-images-amazon.com][Certificate SHA-1: 39:3D:27:B3:4D:FA:B4:04:AB:48:7F:5C:CB:A9:9A:95:F5:22:2A:52][Validity: 2016-09-23 00:00:00 - 2017-10-26 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,6,0,18,0,0,6,0,6,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,12,0,0,0,0,0,38,0,0] - 22 TCP 172.16.42.216:51985 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][16 pkts/1623 bytes <-> 14 pkts/14282 bytes][Goodput ratio: 34/93][1.26 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.796 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 84/45 682/281 185/91][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 101/1020 613/1514 132/664][URL: ecx.images-amazon.com/images/I/51woiL9kgkL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /images/I/51woiL9)][Plen Bins: 0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,75,0,0] - 23 TCP 172.16.42.216:51996 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][15 pkts/1545 bytes <-> 13 pkts/14178 bytes][Goodput ratio: 35/94][1.13 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.803 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 75/22 764/207 210/62][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103/1091 613/1514 136/639][URL: ecx.images-amazon.com/images/I/81Ni5COup-L._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /images/I/81Ni5)][Plen Bins: 0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,81,0,0] + 22 TCP 172.16.42.216:51985 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][16 pkts/1623 bytes <-> 14 pkts/14282 bytes][Goodput ratio: 34/93][1.26 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.796 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 84/45 682/281 185/91][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 101/1020 613/1514 132/664][URL: ecx.images-amazon.com/images/I/51woiL9kgkL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36 PitanguiBridge/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]][PLAIN TEXT (GET /images/I/51woiL9)][Plen Bins: 0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,75,0,0] + 23 TCP 172.16.42.216:51996 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][15 pkts/1545 bytes <-> 13 pkts/14178 bytes][Goodput ratio: 35/94][1.13 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.803 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 75/22 764/207 210/62][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103/1091 613/1514 136/639][URL: ecx.images-amazon.com/images/I/81Ni5COup-L._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36 PitanguiBridge/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]][PLAIN TEXT (GET /images/I/81Ni5)][Plen Bins: 0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,81,0,0] 24 TCP 172.16.42.216:53682 <-> 54.239.22.185:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][16 pkts/10167 bytes <-> 13 pkts/5328 bytes][Goodput ratio: 91/86][163.85 sec][Hostname/SNI: firs-ta-g7g.amazon.com][bytes ratio: 0.312 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 12603/417 159135/3907 42305/1164][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 635/410 1514/1514 644/520][Risk: ** TLS (probably) not carrying HTTPS **][Risk Score: 10][TLSv1.2][JA3C: bdf21e38e1f69776df407235625e75e2][ServerNames: firs-ta-g7g.amazon.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=firs-ta-g7g.amazon.com][Certificate SHA-1: A0:32:45:00:21:A0:00:56:62:BA:FE:E7:68:81:40:5F:68:7E:A6:86][Firefox][Validity: 2016-11-25 00:00:00 - 2017-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,6,0,6,0,0,0,6,0,0,0,0,6,0,0,0,0,0,13,0,0,0,0,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,47,0,0] 25 TCP 172.16.42.216:45712 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][24 pkts/11240 bytes <-> 18 pkts/3909 bytes][Goodput ratio: 88/73][5.97 sec][Hostname/SNI: pitangui.amazon.com][ALPN: h2;http/1.1][bytes ratio: 0.484 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 271/206 1239/905 390/325][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 468/217 1514/715 608/241][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][Risk Score: 150][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,10,5,5,0,10,10,5,0,0,0,0,0,0,5,5,5,0,5,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,30,0,0] 26 TCP 172.16.42.216:40854 <-> 54.239.29.253:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][21 pkts/6285 bytes <-> 16 pkts/8842 bytes][Goodput ratio: 82/90][2.68 sec][Hostname/SNI: skills-store.amazon.com][ALPN: h2;http/1.1][bytes ratio: -0.169 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 146/106 1158/932 299/253][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 299/553 1514/1514 504/512][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][Risk Score: 150][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: skills-store.amazon.com][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=skills-store.amazon.com][Certificate SHA-1: 2A:40:0E:E9:9A:EC:7C:0D:40:AA:C9:C5:66:67:00:B8:3E:90:DC:B2][Validity: 2016-05-14 00:00:00 - 2017-05-15 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,11,0,0,0,0,11,0,0,0,5,0,0,0,0,0,0,30,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,5,0,0,0,0,0,5,24,0,0] 27 TCP 172.16.42.216:55242 <-> 52.85.209.197:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][18 pkts/6706 bytes <-> 20 pkts/8204 bytes][Goodput ratio: 82/84][123.38 sec][Hostname/SNI: www.amazon.com][bytes ratio: -0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 87/100 290/445 108/155][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 373/410 1514/1514 532/546][Risk: ** TLS (probably) not carrying HTTPS **][Risk Score: 10][TLSv1.2][JA3C: bdf21e38e1f69776df407235625e75e2][ServerNames: amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com][JA3S: 389ed42c02ebecc32e73aa31def07e14][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com][Certificate SHA-1: EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E][Firefox][Validity: 2016-10-31 00:00:00 - 2017-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 15,15,0,5,0,0,5,10,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,5,0,0,10,0,0,21,0,0] 28 TCP 172.16.42.216:50799 <-> 54.239.28.178:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][20 pkts/9329 bytes <-> 17 pkts/5540 bytes][Goodput ratio: 88/82][10.48 sec][Hostname/SNI: pitangui.amazon.com][ALPN: h2;http/1.1][bytes ratio: 0.255 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 636/760 7767/8001 1851/2099][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 466/326 1514/1514 612/473][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][Risk Score: 150][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com][Certificate SHA-1: 13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24][Validity: 2017-01-12 00:00:00 - 2018-01-13 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,18,0,0,5,0,5,5,0,0,11,0,0,0,0,0,5,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,43,0,0] - 29 TCP 172.16.42.216:51993 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][14 pkts/1479 bytes <-> 12 pkts/13075 bytes][Goodput ratio: 37/94][1.13 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.797 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 102/23 765/207 218/65][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 106/1090 613/1514 141/624][URL: ecx.images-amazon.com/images/I/61SZU-lPFNL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /images/I/61S)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,80,0,0] - 30 TCP 172.16.42.216:51987 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][14 pkts/1491 bytes <-> 12 pkts/12826 bytes][Goodput ratio: 37/94][1.26 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.792 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 96/22 682/154 199/50][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 106/1069 613/1514 141/605][URL: ecx.images-amazon.com/images/I/71GcCNTb6kL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /images/I/71GcCNTb6)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,70,0,0] + 29 TCP 172.16.42.216:51993 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][14 pkts/1479 bytes <-> 12 pkts/13075 bytes][Goodput ratio: 37/94][1.13 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.797 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 102/23 765/207 218/65][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 106/1090 613/1514 141/624][URL: ecx.images-amazon.com/images/I/61SZU-lPFNL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36 PitanguiBridge/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]][PLAIN TEXT (GET /images/I/61S)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,80,0,0] + 30 TCP 172.16.42.216:51987 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][14 pkts/1491 bytes <-> 12 pkts/12826 bytes][Goodput ratio: 37/94][1.26 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.792 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 96/22 682/154 199/50][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 106/1069 613/1514 141/605][URL: ecx.images-amazon.com/images/I/71GcCNTb6kL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36 PitanguiBridge/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]][PLAIN TEXT (GET /images/I/71GcCNTb6)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,70,0,0] 31 TCP 172.16.42.216:34069 <-> 54.239.24.186:443 [proto: 91.265/TLS.AmazonAWS][Encrypted][cat: Cloud/13][16 pkts/12799 bytes <-> 14 pkts/1381 bytes][Goodput ratio: 93/40][4.36 sec][Hostname/SNI: mobileanalytics.us-east-1.amazonaws.com][ALPN: h2;http/1.1][bytes ratio: 0.805 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 256/126 2464/986 644/293][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 800/99 1514/449 707/105][Risk: ** Possibly Malicious JA3 Fingerprint **][Risk Score: 50][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: d199ba0af2b08e204c73d6d81a1fd260][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,8,0,0,8,0,0,0,8,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,59,0,0] 32 TCP 172.16.42.216:45711 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][22 pkts/11642 bytes <-> 11 pkts/2484 bytes][Goodput ratio: 89/74][21.11 sec][Hostname/SNI: pitangui.amazon.com][ALPN: h2;http/1.1][bytes ratio: 0.648 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/64 1023/2459 6019/9247 1749/3564][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 529/226 1514/955 611/323][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][Risk Score: 150][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,12,6,0,0,6,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,6,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,31,0,0] 33 TCP 172.16.42.216:42130 <-> 72.21.206.135:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][18 pkts/6237 bytes <-> 14 pkts/6594 bytes][Goodput ratio: 84/88][2.59 sec][Hostname/SNI: fls-na.amazon.com][ALPN: h2;http/1.1][bytes ratio: -0.028 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 164/169 783/785 225/244][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 346/471 1514/1514 494/576][Risk: ** Possibly Malicious JA3 Fingerprint **][Risk Score: 50][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: fls-na.amazon.ca,fls-na.amazon.com,fls-na.amazon.com.br,fls-na.amazon.com.mx][JA3S: 159d46e54a2c066ef95e656fdf034e1d][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=fls-na.amazon.com][Certificate SHA-1: 2F:16:23:0F:F8:49:12:18:49:55:48:DA:E6:59:D9:B3:BB:0E:41:8A][Validity: 2017-01-07 00:00:00 - 2018-01-30 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,6,0,6,0,0,20,0,0,6,0,0,0,13,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,34,0,0] @@ -67,7 +67,7 @@ JA3 Host Stats: 43 TCP 172.16.42.216:40864 <-> 54.239.29.253:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][15 pkts/2838 bytes <-> 16 pkts/7478 bytes][Goodput ratio: 71/88][4.06 sec][Hostname/SNI: skills-store.amazon.com][ALPN: h2;http/1.1][bytes ratio: -0.450 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 66/267 259/1771 98/509][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 189/467 1514/1514 363/499][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][Risk Score: 150][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,20,6,0,0,0,6,13,0,0,0,0,0,0,0,0,0,26,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,20,0,0] 44 TCP 172.16.42.216:45693 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][15 pkts/4412 bytes <-> 13 pkts/5784 bytes][Goodput ratio: 81/87][4.69 sec][Hostname/SNI: pitangui.amazon.com][ALPN: h2;http/1.1][bytes ratio: -0.135 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 390/24 4145/80 1133/32][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 294/445 1514/1514 485/599][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][Risk Score: 150][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 7,15,7,0,7,0,7,7,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,40,0,0] 45 TCP 172.16.42.216:54427 <-> 52.85.209.216:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][13 pkts/8467 bytes <-> 8 pkts/1403 bytes][Goodput ratio: 90/62][1.35 sec][Hostname/SNI: www.amazon.com][ALPN: h2;http/1.1][bytes ratio: 0.716 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/12 109/125 514/453 157/165][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 651/175 1514/777 663/233][TLSv1.2][JA3C: 5ee142340adf02ded757447e2ff78986][JA3S: d199ba0af2b08e204c73d6d81a1fd260][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,11,0,0,11,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,22,0,0] - 46 TCP 172.16.42.216:51994 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][11 pkts/1293 bytes <-> 10 pkts/8334 bytes][Goodput ratio: 42/92][1.10 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.731 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 106/24 808/113 266/39][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 118/833 613/1514 157/652][URL: ecx.images-amazon.com/images/I/315y9IEXZSL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /images/I/315)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,57,0,0] + 46 TCP 172.16.42.216:51994 <-> 52.84.63.56:80 [proto: 7.178/HTTP.Amazon][ClearText][cat: Web/5][11 pkts/1293 bytes <-> 10 pkts/8334 bytes][Goodput ratio: 42/92][1.10 sec][Hostname/SNI: ecx.images-amazon.com][bytes ratio: -0.731 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 106/24 808/113 266/39][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 118/833 613/1514 157/652][URL: ecx.images-amazon.com/images/I/315y9IEXZSL._SL210_QL95_.png][StatusCode: 200][Content-Type: image/jpeg][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36 PitanguiBridge/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]][PLAIN TEXT (GET /images/I/315)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,57,0,0] 47 TCP 172.16.42.216:44001 <-> 176.32.101.52:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][22 pkts/4394 bytes <-> 19 pkts/5213 bytes][Goodput ratio: 72/79][101.63 sec][Hostname/SNI: dp-gw-na-js.amazon.com][bytes ratio: -0.085 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 5968/5788 80048/79926 19049/20563][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 200/274 1514/1514 303/442][Risk: ** TLS (probably) not carrying HTTPS **][Risk Score: 10][TLSv1.2][JA3C: 731bcada65b0a6f850bada3bdcd716d1][ServerNames: dp-gw-na.amazon.com,dp-gw-na-js.amazon.com,dp-gw-na.amazon.co.uk,dp-gw-na.amazon.de,dp-gw-na.amazon.co.jp,dp-gw-na.amazon.in][JA3S: fbe78c619e7ea20046131294ad087f05][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=dp-gw-na.amazon.com][Certificate SHA-1: 27:E5:06:34:82:69:BC:97:5E:28:A3:C1:5A:23:81:C7:E3:28:95:8C][Validity: 2016-09-24 00:00:00 - 2017-09-13 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 9,14,4,4,4,0,29,9,0,4,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0] 48 TCP 172.16.42.216:45714 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][17 pkts/7542 bytes <-> 10 pkts/1990 bytes][Goodput ratio: 88/71][18.45 sec][Hostname/SNI: pitangui.amazon.com][ALPN: h2;http/1.1][bytes ratio: 0.582 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1317/1449 6762/8309 2110/3069][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 444/199 1514/699 598/247][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][Risk Score: 150][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,15,7,0,15,7,0,7,0,0,0,0,0,0,0,0,0,0,0,7,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,31,0,0] 49 TCP 172.16.42.216:38404 <-> 34.199.52.240:443 [proto: 91.265/TLS.AmazonAWS][Encrypted][cat: Cloud/13][15 pkts/3140 bytes <-> 12 pkts/6286 bytes][Goodput ratio: 69/87][1.00 sec][Hostname/SNI: cognito-identity.us-east-1.amazonaws.com][ALPN: h2;http/1.1][bytes ratio: -0.334 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 74/55 364/256 109/84][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 209/524 950/1514 299/598][Risk: ** Possibly Malicious JA3 Fingerprint **][Risk Score: 50][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: cognito-identity.amazonaws.com,cognito-identity.us-east-1.amazonaws.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=cognito-identity.us-east-1.amazonaws.com][Certificate SHA-1: 56:17:8F:E9:45:10:32:78:FF:FD:E3:09:60:5A:B5:3B:8D:8C:F8:34][Validity: 2016-05-25 00:00:00 - 2017-06-22 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 8,16,0,8,0,0,0,0,8,0,0,0,0,0,0,8,8,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0] @@ -115,13 +115,13 @@ JA3 Host Stats: 91 TCP 172.16.42.216:45662 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][10 pkts/1956 bytes <-> 8 pkts/1439 bytes][Goodput ratio: 71/68][1.02 sec][Hostname/SNI: pitangui.amazon.com][ALPN: h2;http/1.1][bytes ratio: 0.152 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 125/16 711/63 224/24][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 196/180 1152/891 327/270][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][Risk Score: 150][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,34,16,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0] 92 TCP 172.16.42.216:45677 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][10 pkts/1988 bytes <-> 7 pkts/1379 bytes][Goodput ratio: 72/71][1.91 sec][Hostname/SNI: pitangui.amazon.com][ALPN: h2;http/1.1][bytes ratio: 0.181 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 202/62 1313/148 421/64][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 199/197 1184/891 336/285][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][Risk Score: 150][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,34,16,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0] 93 TCP 172.16.42.216:45709 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][11 pkts/1849 bytes <-> 9 pkts/1227 bytes][Goodput ratio: 67/57][6.32 sec][Hostname/SNI: pitangui.amazon.com][ALPN: h2;http/1.1][bytes ratio: 0.202 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 702/216 4375/1192 1340/437][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 168/136 752/619 205/173][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][Risk Score: 150][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,28,14,0,0,0,0,28,0,0,0,0,0,0,0,0,0,14,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 94 TCP 172.16.42.216:49589 <-> 52.94.232.134:80 [proto: 7.110/HTTP.AmazonAlexa][ClearText][cat: VirtAssistant/32][7 pkts/2390 bytes <-> 4 pkts/419 bytes][Goodput ratio: 83/44][1.98 sec][Hostname/SNI: alexa.amazon.com][bytes ratio: 0.702 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 383/224 1350/449 498/224][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 341/105 1050/237 448/76][URL: alexa.amazon.com/lib/bootstrap/img/glyphicons-halflings.png][StatusCode: 404][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /lib/bootstrap/im)][Plen Bins: 0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 95 TCP 172.16.42.216:49572 <-> 52.94.232.134:80 [proto: 7.110/HTTP.AmazonAlexa][ClearText][cat: VirtAssistant/32][6 pkts/1152 bytes <-> 4 pkts/1582 bytes][Goodput ratio: 70/85][1.16 sec][Hostname/SNI: alexa.amazon.com][bytes ratio: -0.157 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/15 232/42 901/70 336/28][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 192/396 862/1400 300/580][URL: alexa.amazon.com/manifest/pitangui.appcache][StatusCode: 200][Content-Type: text/cache-manifest][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /manifest/pitangui.appcache)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0] - 96 TCP 172.16.42.216:49606 <-> 52.94.232.134:80 [proto: 7.110/HTTP.AmazonAlexa][ClearText][cat: VirtAssistant/32][6 pkts/1124 bytes <-> 4 pkts/1582 bytes][Goodput ratio: 69/85][4.72 sec][Hostname/SNI: alexa.amazon.com][bytes ratio: -0.169 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/17 943/66 4438/116 1748/50][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 187/396 834/1400 289/580][URL: alexa.amazon.com/manifest/pitangui.appcache][StatusCode: 200][Content-Type: text/cache-manifest][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /manifest/pitangui.appcache)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0] - 97 TCP 172.16.42.216:49613 <-> 52.94.232.134:80 [proto: 7.110/HTTP.AmazonAlexa][ClearText][cat: VirtAssistant/32][6 pkts/1124 bytes <-> 4 pkts/1582 bytes][Goodput ratio: 69/85][1.39 sec][Hostname/SNI: alexa.amazon.com][bytes ratio: -0.169 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/19 277/41 1181/63 453/22][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 187/396 834/1400 289/580][URL: alexa.amazon.com/manifest/pitangui.appcache][StatusCode: 200][Content-Type: text/cache-manifest][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /manifest/pitangui.appcache)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0] + 94 TCP 172.16.42.216:49589 <-> 52.94.232.134:80 [proto: 7.110/HTTP.AmazonAlexa][ClearText][cat: VirtAssistant/32][7 pkts/2390 bytes <-> 4 pkts/419 bytes][Goodput ratio: 83/44][1.98 sec][Hostname/SNI: alexa.amazon.com][bytes ratio: 0.702 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 383/224 1350/449 498/224][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 341/105 1050/237 448/76][URL: alexa.amazon.com/lib/bootstrap/img/glyphicons-halflings.png][StatusCode: 404][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36 PitanguiBridge/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]][PLAIN TEXT (GET /lib/bootstrap/im)][Plen Bins: 0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 95 TCP 172.16.42.216:49572 <-> 52.94.232.134:80 [proto: 7.110/HTTP.AmazonAlexa][ClearText][cat: VirtAssistant/32][6 pkts/1152 bytes <-> 4 pkts/1582 bytes][Goodput ratio: 70/85][1.16 sec][Hostname/SNI: alexa.amazon.com][bytes ratio: -0.157 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/15 232/42 901/70 336/28][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 192/396 862/1400 300/580][URL: alexa.amazon.com/manifest/pitangui.appcache][StatusCode: 200][Content-Type: text/cache-manifest][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36][PLAIN TEXT (GET /manifest/pitangui.appcache)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0] + 96 TCP 172.16.42.216:49606 <-> 52.94.232.134:80 [proto: 7.110/HTTP.AmazonAlexa][ClearText][cat: VirtAssistant/32][6 pkts/1124 bytes <-> 4 pkts/1582 bytes][Goodput ratio: 69/85][4.72 sec][Hostname/SNI: alexa.amazon.com][bytes ratio: -0.169 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/17 943/66 4438/116 1748/50][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 187/396 834/1400 289/580][URL: alexa.amazon.com/manifest/pitangui.appcache][StatusCode: 200][Content-Type: text/cache-manifest][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36][PLAIN TEXT (GET /manifest/pitangui.appcache)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0] + 97 TCP 172.16.42.216:49613 <-> 52.94.232.134:80 [proto: 7.110/HTTP.AmazonAlexa][ClearText][cat: VirtAssistant/32][6 pkts/1124 bytes <-> 4 pkts/1582 bytes][Goodput ratio: 69/85][1.39 sec][Hostname/SNI: alexa.amazon.com][bytes ratio: -0.169 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/19 277/41 1181/63 453/22][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 187/396 834/1400 289/580][URL: alexa.amazon.com/manifest/pitangui.appcache][StatusCode: 200][Content-Type: text/cache-manifest][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36][PLAIN TEXT (GET /manifest/pitangui.appcache)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0] 98 TCP 172.16.42.216:42878 <-> 173.194.223.188:5228 [proto: 91.239/TLS.GoogleServices][Encrypted][cat: Web/5][8 pkts/1484 bytes <-> 9 pkts/1103 bytes][Goodput ratio: 63/45][0.44 sec][Hostname/SNI: mtalk.google.com][bytes ratio: 0.147 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 46/36 119/119 39/43][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 186/123 583/205 193/57][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **][Risk Score: 60][TLSv1.2][JA3C: a5a59633017c3d696d2c69350e5fc004][JA3S: 9b1466fd60cadccb848e09c86e284265][Safari][Cipher: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256][Plen Bins: 12,12,0,38,12,0,0,0,0,0,0,12,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 99 TCP 172.16.42.216:58048 <-> 54.239.28.178:443 [proto: 91.265/TLS.AmazonAWS][Encrypted][cat: Cloud/13][10 pkts/1320 bytes <-> 9 pkts/1259 bytes][Goodput ratio: 58/58][0.27 sec][bytes ratio: 0.024 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 32/23 69/70 31/32][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 132/140 544/651 147/183][Risk: ** Obsolete TLS version (older than 1.2) **** Weak TLS cipher **][Risk Score: 200][TLSv1][JA3C: f8f5b71e02603b283e55b50d17ede861][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,42,14,0,0,14,0,0,0,0,0,0,0,0,0,14,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 100 TCP 172.16.42.216:49630 <-> 52.94.232.134:80 [proto: 7.110/HTTP.AmazonAlexa][ClearText][cat: VirtAssistant/32][6 pkts/1340 bytes <-> 4 pkts/419 bytes][Goodput ratio: 74/44][5.51 sec][Hostname/SNI: alexa.amazon.com][bytes ratio: 0.524 (Upload)][IAT c2s/s2c min/avg/max/stddev: 23/0 1100/138 4406/275 1672/138][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 223/105 1050/237 370/76][URL: alexa.amazon.com/lib/bootstrap/img/glyphicons-halflings.png][StatusCode: 404][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.292][PLAIN TEXT (GET /lib/bootstrap/im)][Plen Bins: 0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 100 TCP 172.16.42.216:49630 <-> 52.94.232.134:80 [proto: 7.110/HTTP.AmazonAlexa][ClearText][cat: VirtAssistant/32][6 pkts/1340 bytes <-> 4 pkts/419 bytes][Goodput ratio: 74/44][5.51 sec][Hostname/SNI: alexa.amazon.com][bytes ratio: 0.524 (Upload)][IAT c2s/s2c min/avg/max/stddev: 23/0 1100/138 4406/275 1672/138][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 223/105 1050/237 370/76][URL: alexa.amazon.com/lib/bootstrap/img/glyphicons-halflings.png][StatusCode: 404][User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; LGLS751 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36 PitanguiBridge/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]][PLAIN TEXT (GET /lib/bootstrap/im)][Plen Bins: 0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 101 TCP 172.16.42.216:45697 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][9 pkts/1043 bytes <-> 5 pkts/428 bytes][Goodput ratio: 51/32][4.57 sec][Hostname/SNI: pitangui.amazon.com][ALPN: h2;http/1.1][bytes ratio: 0.418 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 68/182 298/364 98/182][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 116/86 293/139 96/32][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][Risk Score: 150][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,40,20,0,0,0,0,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 102 TCP 172.16.42.216:45683 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][9 pkts/804 bytes <-> 6 pkts/620 bytes][Goodput ratio: 37/44][1.83 sec][Hostname/SNI: pitangui.amazon.com][ALPN: h2;http/1.1][bytes ratio: 0.129 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 261/21 1643/62 565/29][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 89/103 293/192 74/49][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][Risk Score: 150][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,40,20,0,20,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 103 TCP 172.16.42.216:45698 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][9 pkts/804 bytes <-> 6 pkts/620 bytes][Goodput ratio: 37/44][4.37 sec][Hostname/SNI: pitangui.amazon.com][ALPN: h2;http/1.1][bytes ratio: 0.129 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 624/21 4189/59 1456/27][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 89/103 293/192 74/49][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][Risk Score: 150][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,40,20,0,20,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/ocs.pcap.out b/tests/result/ocs.pcap.out index 0eba757fb..bdc386460 100644 --- a/tests/result/ocs.pcap.out +++ b/tests/result/ocs.pcap.out @@ -22,7 +22,7 @@ JA3 Host Stats: 5 TCP 192.168.180.2:32946 -> 64.233.184.188:443 [proto: 91.239/TLS.GoogleServices][Encrypted][cat: Web/5][12 pkts/2212 bytes -> 0 pkts/0 bytes][Goodput ratio: 71/0][0.42 sec][Hostname/SNI: mtalk.google.com][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 39/0 75/0 26/0][Pkt Len c2s/s2c min/avg/max/stddev: 52/0 184/0 1287/0 339/0][Risk: ** TLS (probably) not carrying HTTPS **][Risk Score: 10][TLSv1.2][JA3C: 75edb912bc6f0a222ae3e3e47f5c89b1][Firefox][Plen Bins: 0,0,0,33,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0] 6 TCP 192.168.180.2:47803 -> 64.233.166.95:443 [proto: 91.126/TLS.Google][Encrypted][cat: Web/5][12 pkts/1608 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][0.58 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 57/0 112/0 36/0][Pkt Len c2s/s2c min/avg/max/stddev: 52/0 134/0 649/0 166/0][Risk: ** Obsolete TLS version (older than 1.2) **][Risk Score: 100][TLSv1][JA3C: 5a236bfc3d18ddef1b1f2f4c9e765d66][Plen Bins: 0,25,0,0,25,25,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 7 TCP 192.168.180.2:41223 -> 216.58.208.46:443 [proto: 91.126/TLS.Google][Encrypted][cat: Web/5][13 pkts/1448 bytes -> 0 pkts/0 bytes][Goodput ratio: 50/0][0.81 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 49/0 103/0 38/0][Pkt Len c2s/s2c min/avg/max/stddev: 52/0 111/0 425/0 106/0][Risk: ** Obsolete TLS version (older than 1.2) **][Risk Score: 100][TLSv1][JA3C: 5a236bfc3d18ddef1b1f2f4c9e765d66][Plen Bins: 0,25,0,0,25,25,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 8 TCP 192.168.180.2:48250 -> 178.248.208.54:80 [proto: 7.218/HTTP.OCS][ClearText][cat: Media/1][6 pkts/1092 bytes -> 0 pkts/0 bytes][Goodput ratio: 71/0][1.36 sec][Hostname/SNI: ocu03.labgency.ws][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 272/0 1043/0 395/0][Pkt Len c2s/s2c min/avg/max/stddev: 52/0 182/0 824/0 287/0][URL: ocu03.labgency.ws/catalog/vod?v=3][StatusCode: 0][User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; fr-fr; GT-P7510 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/5][PLAIN TEXT (POST /catalog/vod)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 8 TCP 192.168.180.2:48250 -> 178.248.208.54:80 [proto: 7.218/HTTP.OCS][ClearText][cat: Media/1][6 pkts/1092 bytes -> 0 pkts/0 bytes][Goodput ratio: 71/0][1.36 sec][Hostname/SNI: ocu03.labgency.ws][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 272/0 1043/0 395/0][Pkt Len c2s/s2c min/avg/max/stddev: 52/0 182/0 824/0 287/0][URL: ocu03.labgency.ws/catalog/vod?v=3][StatusCode: 0][User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; fr-fr; GT-P7510 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30][PLAIN TEXT (POST /catalog/vod)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 9 TCP 192.168.180.2:44959 -> 137.135.129.206:80 [proto: 7.276/HTTP.Azure][ClearText][cat: Cloud/13][7 pkts/540 bytes -> 0 pkts/0 bytes][Goodput ratio: 31/0][1.18 sec][Hostname/SNI: api.eu01.capptain.com][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 197/0 503/0 209/0][Pkt Len c2s/s2c min/avg/max/stddev: 52/0 77/0 136/0 37/0][URL: api.eu01.capptain.com/ip-to-country][StatusCode: 0][PLAIN TEXT (GET /ip)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 10 TCP 192.168.180.2:53356 -> 137.135.129.206:80 [proto: 7.276/HTTP.Azure][ClearText][cat: Cloud/13][6 pkts/479 bytes -> 0 pkts/0 bytes][Goodput ratio: 33/0][0.23 sec][Hostname/SNI: api.eu01.capptain.com][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 46/0 101/0 39/0][Pkt Len c2s/s2c min/avg/max/stddev: 52/0 80/0 211/0 59/0][URL: api.eu01.capptain.com/xmpp-disco?deviceid=f2c993d6218f5e22fe284b2e90c82f3b&push_on_device=true&appid=ocs000003][StatusCode: 0][PLAIN TEXT (GET /xmpp)][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 11 TCP 192.168.180.2:46166 -> 137.135.131.52:5122 [proto: 276/Azure][Encrypted][cat: Cloud/13][6 pkts/360 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][31.08 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 998/0 6216/0 16046/0 5473/0][Pkt Len c2s/s2c min/avg/max/stddev: 60/0 60/0 60/0 0/0][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/quickplay.pcap.out b/tests/result/quickplay.pcap.out index 2b122930e..42fed307e 100644 --- a/tests/result/quickplay.pcap.out +++ b/tests/result/quickplay.pcap.out @@ -8,16 +8,16 @@ Facebook 6 1740 3 Google 2 378 1 AmazonAWS 2 1469 1 - 1 TCP 10.54.169.250:52009 <-> 120.28.35.40:80 [proto: 7/HTTP][ClearText][cat: Streaming/17][35 pkts/17902 bytes <-> 30 pkts/28000 bytes][Goodput ratio: 89/94][101.50 sec][Hostname/SNI: vod-singtelhawk.quickplay.com][bytes ratio: -0.220 (Download)][IAT c2s/s2c min/avg/max/stddev: 182/2021 3144/2862 23289/5776 4036/929][Pkt Len c2s/s2c min/avg/max/stddev: 500/76 511/933 587/1456 27/494][URL: vod-singtelhawk.quickplay.com/seg/vol1/s/Warner/qpmezzhawkdigitalcontagion2054033featureenglish20ltrt23976fps7834192/2015-02-02/STV80R192/qpmezz-Hawk_Digital_CONTAGION_2054033_FEATURE_ENGLISH_2_0_LTRT_23976fps_7834192.m2t_STV80R192-0020.ts][StatusCode: 0][User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 3W Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobil][PLAIN TEXT (GET /seg/vol1/s/Warner/qpmezz)][Plen Bins: 3,0,0,3,1,1,0,0,0,1,0,0,0,49,1,1,7,0,1,0,0,0,0,0,3,0,0,0,3,1,0,0,0,1,1,0,3,3,0,0,0,0,0,13,0,0,0,0] - 2 TCP 10.54.169.250:52019 <-> 120.28.35.40:80 [proto: 7/HTTP][ClearText][cat: Streaming/17][14 pkts/7028 bytes <-> 11 pkts/12578 bytes][Goodput ratio: 89/95][109.64 sec][Hostname/SNI: vod-singtelhawk.quickplay.com][bytes ratio: -0.283 (Download)][IAT c2s/s2c min/avg/max/stddev: 1066/2163 7709/7600 23311/23043 9303/8905][Pkt Len c2s/s2c min/avg/max/stddev: 502/652 502/1143 502/1456 0/288][URL: vod-singtelhawk.quickplay.com/seg/vol1/s/Warner/qpmezzhawkdigitalcontagion2054033featureenglish20ltrt23976fps7834192/2015-02-02/STV510R360/qpmezz-Hawk_Digital_CONTAGION_2054033_FEATURE_ENGLISH_2_0_LTRT_23976fps_7834192.m2t_STV510R360-0055.ts][StatusCode: 0][User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 3W Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobil][PLAIN TEXT (GET /seg/vol1/s/Warner/qpmezz)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,56,0,0,0,0,4,0,0,0,0,8,0,0,4,0,0,0,0,0,0,0,4,4,0,0,0,4,0,4,0,12,0,0,0,0] - 3 TCP 10.54.169.250:52017 <-> 120.28.35.40:80 [proto: 7/HTTP][ClearText][cat: Streaming/17][5 pkts/2510 bytes <-> 3 pkts/3522 bytes][Goodput ratio: 89/95][53.74 sec][Hostname/SNI: vod-singtelhawk.quickplay.com][bytes ratio: -0.168 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2521/3055 13434/13894 23447/24732 10022/10838][Pkt Len c2s/s2c min/avg/max/stddev: 502/822 502/1174 502/1456 0/264][URL: vod-singtelhawk.quickplay.com/seg/vol1/s/Warner/qpmezzhawkdigitalcontagion2054033featureenglish20ltrt23976fps7834192/2015-02-02/STV510R360/qpmezz-Hawk_Digital_CONTAGION_2054033_FEATURE_ENGLISH_2_0_LTRT_23976fps_7834192.m2t_STV510R360-0048.ts][StatusCode: 0][User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 3W Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobil][PLAIN TEXT (GET /seg/vol1/s/Warner/qpmezz)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,63,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,12,0,0,0,0] - 4 TCP 10.54.169.250:52018 <-> 120.28.35.40:80 [proto: 7/HTTP][ClearText][cat: Streaming/17][4 pkts/2008 bytes <-> 3 pkts/3040 bytes][Goodput ratio: 89/94][28.60 sec][Hostname/SNI: vod-singtelhawk.quickplay.com][bytes ratio: -0.204 (Download)][IAT c2s/s2c min/avg/max/stddev: 2241/2426 9534/3315 23958/4204 10200/889][Pkt Len c2s/s2c min/avg/max/stddev: 502/128 502/1013 502/1456 0/626][URL: vod-singtelhawk.quickplay.com/seg/vol1/s/Warner/qpmezzhawkdigitalcontagion2054033featureenglish20ltrt23976fps7834192/2015-02-02/STV510R360/qpmezz-Hawk_Digital_CONTAGION_2054033_FEATURE_ENGLISH_2_0_LTRT_23976fps_7834192.m2t_STV510R360-0052.ts][StatusCode: 0][User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 3W Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobil][PLAIN TEXT (GET /seg/vol1/s/Warner/qpmezz)][Plen Bins: 0,0,14,0,0,0,0,0,0,0,0,0,0,57,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,0,0,0,0] - 5 TCP 10.54.169.250:52022 <-> 120.28.35.40:80 [proto: 7/HTTP][ClearText][cat: Streaming/17][4 pkts/2008 bytes <-> 3 pkts/2276 bytes][Goodput ratio: 89/93][10.17 sec][Hostname/SNI: vod-singtelhawk.quickplay.com][bytes ratio: -0.063 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 3284/3295 3390/3322 3535/3349 106/27][Pkt Len c2s/s2c min/avg/max/stddev: 502/188 502/759 502/1456 0/525][URL: vod-singtelhawk.quickplay.com/seg/vol1/s/Warner/qpmezzhawkdigitalcontagion2054033featureenglish20ltrt23976fps7834192/2015-02-02/STV510R360/qpmezz-Hawk_Digital_CONTAGION_2054033_FEATURE_ENGLISH_2_0_LTRT_23976fps_7834192.m2t_STV510R360-0068.ts][StatusCode: 0][User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 3W Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobil][PLAIN TEXT (GET /seg/vol1/s/Warner/qpmezz)][Plen Bins: 0,0,0,0,14,0,0,0,0,0,0,0,0,57,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0] + 1 TCP 10.54.169.250:52009 <-> 120.28.35.40:80 [proto: 7/HTTP][ClearText][cat: Streaming/17][35 pkts/17902 bytes <-> 30 pkts/28000 bytes][Goodput ratio: 89/94][101.50 sec][Hostname/SNI: vod-singtelhawk.quickplay.com][bytes ratio: -0.220 (Download)][IAT c2s/s2c min/avg/max/stddev: 182/2021 3144/2862 23289/5776 4036/929][Pkt Len c2s/s2c min/avg/max/stddev: 500/76 511/933 587/1456 27/494][URL: vod-singtelhawk.quickplay.com/seg/vol1/s/Warner/qpmezzhawkdigitalcontagion2054033featureenglish20ltrt23976fps7834192/2015-02-02/STV80R192/qpmezz-Hawk_Digital_CONTAGION_2054033_FEATURE_ENGLISH_2_0_LTRT_23976fps_7834192.m2t_STV80R192-0020.ts][StatusCode: 0][User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 3W Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36][PLAIN TEXT (GET /seg/vol1/s/Warner/qpmezz)][Plen Bins: 3,0,0,3,1,1,0,0,0,1,0,0,0,49,1,1,7,0,1,0,0,0,0,0,3,0,0,0,3,1,0,0,0,1,1,0,3,3,0,0,0,0,0,13,0,0,0,0] + 2 TCP 10.54.169.250:52019 <-> 120.28.35.40:80 [proto: 7/HTTP][ClearText][cat: Streaming/17][14 pkts/7028 bytes <-> 11 pkts/12578 bytes][Goodput ratio: 89/95][109.64 sec][Hostname/SNI: vod-singtelhawk.quickplay.com][bytes ratio: -0.283 (Download)][IAT c2s/s2c min/avg/max/stddev: 1066/2163 7709/7600 23311/23043 9303/8905][Pkt Len c2s/s2c min/avg/max/stddev: 502/652 502/1143 502/1456 0/288][URL: vod-singtelhawk.quickplay.com/seg/vol1/s/Warner/qpmezzhawkdigitalcontagion2054033featureenglish20ltrt23976fps7834192/2015-02-02/STV510R360/qpmezz-Hawk_Digital_CONTAGION_2054033_FEATURE_ENGLISH_2_0_LTRT_23976fps_7834192.m2t_STV510R360-0055.ts][StatusCode: 0][User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 3W Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36][PLAIN TEXT (GET /seg/vol1/s/Warner/qpmezz)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,56,0,0,0,0,4,0,0,0,0,8,0,0,4,0,0,0,0,0,0,0,4,4,0,0,0,4,0,4,0,12,0,0,0,0] + 3 TCP 10.54.169.250:52017 <-> 120.28.35.40:80 [proto: 7/HTTP][ClearText][cat: Streaming/17][5 pkts/2510 bytes <-> 3 pkts/3522 bytes][Goodput ratio: 89/95][53.74 sec][Hostname/SNI: vod-singtelhawk.quickplay.com][bytes ratio: -0.168 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2521/3055 13434/13894 23447/24732 10022/10838][Pkt Len c2s/s2c min/avg/max/stddev: 502/822 502/1174 502/1456 0/264][URL: vod-singtelhawk.quickplay.com/seg/vol1/s/Warner/qpmezzhawkdigitalcontagion2054033featureenglish20ltrt23976fps7834192/2015-02-02/STV510R360/qpmezz-Hawk_Digital_CONTAGION_2054033_FEATURE_ENGLISH_2_0_LTRT_23976fps_7834192.m2t_STV510R360-0048.ts][StatusCode: 0][User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 3W Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36][PLAIN TEXT (GET /seg/vol1/s/Warner/qpmezz)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,63,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,12,0,0,0,0] + 4 TCP 10.54.169.250:52018 <-> 120.28.35.40:80 [proto: 7/HTTP][ClearText][cat: Streaming/17][4 pkts/2008 bytes <-> 3 pkts/3040 bytes][Goodput ratio: 89/94][28.60 sec][Hostname/SNI: vod-singtelhawk.quickplay.com][bytes ratio: -0.204 (Download)][IAT c2s/s2c min/avg/max/stddev: 2241/2426 9534/3315 23958/4204 10200/889][Pkt Len c2s/s2c min/avg/max/stddev: 502/128 502/1013 502/1456 0/626][URL: vod-singtelhawk.quickplay.com/seg/vol1/s/Warner/qpmezzhawkdigitalcontagion2054033featureenglish20ltrt23976fps7834192/2015-02-02/STV510R360/qpmezz-Hawk_Digital_CONTAGION_2054033_FEATURE_ENGLISH_2_0_LTRT_23976fps_7834192.m2t_STV510R360-0052.ts][StatusCode: 0][User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 3W Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36][PLAIN TEXT (GET /seg/vol1/s/Warner/qpmezz)][Plen Bins: 0,0,14,0,0,0,0,0,0,0,0,0,0,57,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,0,0,0,0] + 5 TCP 10.54.169.250:52022 <-> 120.28.35.40:80 [proto: 7/HTTP][ClearText][cat: Streaming/17][4 pkts/2008 bytes <-> 3 pkts/2276 bytes][Goodput ratio: 89/93][10.17 sec][Hostname/SNI: vod-singtelhawk.quickplay.com][bytes ratio: -0.063 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 3284/3295 3390/3322 3535/3349 106/27][Pkt Len c2s/s2c min/avg/max/stddev: 502/188 502/759 502/1456 0/525][URL: vod-singtelhawk.quickplay.com/seg/vol1/s/Warner/qpmezzhawkdigitalcontagion2054033featureenglish20ltrt23976fps7834192/2015-02-02/STV510R360/qpmezz-Hawk_Digital_CONTAGION_2054033_FEATURE_ENGLISH_2_0_LTRT_23976fps_7834192.m2t_STV510R360-0068.ts][StatusCode: 0][User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 3W Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36][PLAIN TEXT (GET /seg/vol1/s/Warner/qpmezz)][Plen Bins: 0,0,0,0,14,0,0,0,0,0,0,0,0,57,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0] 6 TCP 10.54.169.250:50669 <-> 120.28.35.41:80 [proto: 7/HTTP][ClearText][cat: Streaming/17][2 pkts/844 bytes <-> 2 pkts/2836 bytes][Goodput ratio: 87/96][9.29 sec][Hostname/SNI: api-singtelhawk.quickplay.com][URL: api-singtelhawk.quickplay.com/solr/RestApiSingTel_PH/restapi/categories/HUD?apiKey=qwerty&device=androidmobile&locale=eng&network=WIFI&pageNumber=1&pageSize=50][StatusCode: 200][User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI/V6.4.2.0.KXDMICB)][PLAIN TEXT (GET /solr/RestApiSingTel)][Plen Bins: 0,0,0,0,0,0,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,25,0,0,0,0] 7 TCP 10.54.169.250:50668 <-> 120.28.35.41:80 [proto: 7/HTTP][ClearText][cat: Streaming/17][2 pkts/733 bytes <-> 2 pkts/2627 bytes][Goodput ratio: 85/96][9.24 sec][Hostname/SNI: api-singtelhawk.quickplay.com][URL: api-singtelhawk.quickplay.com/solr/RestApiSingTel_PH/restapi/categories/HUD?apiKey=qwerty&device=androidmobile&locale=eng&network=WIFI&pageNumber=1&pageSize=50][StatusCode: 200][User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI/V6.4.2.0.KXDMICB)][PLAIN TEXT (GET /solr/RestApiSingTel)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,25,0,0,0,0,0,0] - 8 TCP 10.54.169.250:52021 <-> 120.28.35.40:80 [proto: 7/HTTP][ClearText][cat: Streaming/17][3 pkts/1506 bytes <-> 1 pkts/1248 bytes][Goodput ratio: 89/95][27.01 sec][Hostname/SNI: vod-singtelhawk.quickplay.com][URL: vod-singtelhawk.quickplay.com/seg/vol1/s/Warner/qpmezzhawkdigitalcontagion2054033featureenglish20ltrt23976fps7834192/2015-02-02/STV510R360/qpmezz-Hawk_Digital_CONTAGION_2054033_FEATURE_ENGLISH_2_0_LTRT_23976fps_7834192.m2t_STV510R360-0066.ts][StatusCode: 0][User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 3W Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobil][PLAIN TEXT (GET /seg/vol1/s/Warner/qpmezz)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0] - 9 TCP 10.54.169.250:52007 <-> 120.28.35.40:80 [proto: 7/HTTP][ClearText][cat: Streaming/17][3 pkts/1583 bytes <-> 1 pkts/1152 bytes][Goodput ratio: 89/95][2.46 sec][Hostname/SNI: vod-singtelhawk.quickplay.com][URL: vod-singtelhawk.quickplay.com/seg/vol1/s/Warner/qpmezzhawkdigitalcontagion2054033featureenglish20ltrt23976fps7834192/2015-02-02/STV80R192/qpmezz-Hawk_Digital_CONTAGION_2054033_FEATURE_ENGLISH_2_0_LTRT_23976fps_7834192.m2t_STV80R192-index.m3u8?e=1428999699][StatusCode: 0][User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 3W Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobil][PLAIN TEXT (GET /seg/vol1/s/Warner/qpmezz)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0] - 10 TCP 10.54.169.250:44256 <-> 120.28.5.41:80 [proto: 7/HTTP][ClearText][cat: Streaming/17][2 pkts/1086 bytes <-> 1 pkts/1225 bytes][Goodput ratio: 90/95][0.64 sec][Hostname/SNI: play-singtelhawk.quickplay.com][URL: play-singtelhawk.quickplay.com/vstb/playlist_5_6241_357.m3u8?action=145&appId=5006&carrierId=23&appVersion=1.0&contentId=6241&contentTypeId=3&deviceName=androidmobile&encodingId=357&drmId=4&drmVersion=1.5&delivery=5&prefLanguage=eng&webvtt=true&userid=091][StatusCode: 0][User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 3W Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobil][PLAIN TEXT (GET /vstb/playlist)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0] + 8 TCP 10.54.169.250:52021 <-> 120.28.35.40:80 [proto: 7/HTTP][ClearText][cat: Streaming/17][3 pkts/1506 bytes <-> 1 pkts/1248 bytes][Goodput ratio: 89/95][27.01 sec][Hostname/SNI: vod-singtelhawk.quickplay.com][URL: vod-singtelhawk.quickplay.com/seg/vol1/s/Warner/qpmezzhawkdigitalcontagion2054033featureenglish20ltrt23976fps7834192/2015-02-02/STV510R360/qpmezz-Hawk_Digital_CONTAGION_2054033_FEATURE_ENGLISH_2_0_LTRT_23976fps_7834192.m2t_STV510R360-0066.ts][StatusCode: 0][User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 3W Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36][PLAIN TEXT (GET /seg/vol1/s/Warner/qpmezz)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0] + 9 TCP 10.54.169.250:52007 <-> 120.28.35.40:80 [proto: 7/HTTP][ClearText][cat: Streaming/17][3 pkts/1583 bytes <-> 1 pkts/1152 bytes][Goodput ratio: 89/95][2.46 sec][Hostname/SNI: vod-singtelhawk.quickplay.com][URL: vod-singtelhawk.quickplay.com/seg/vol1/s/Warner/qpmezzhawkdigitalcontagion2054033featureenglish20ltrt23976fps7834192/2015-02-02/STV80R192/qpmezz-Hawk_Digital_CONTAGION_2054033_FEATURE_ENGLISH_2_0_LTRT_23976fps_7834192.m2t_STV80R192-index.m3u8?e=1428999699][StatusCode: 0][User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 3W Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36][PLAIN TEXT (GET /seg/vol1/s/Warner/qpmezz)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0] + 10 TCP 10.54.169.250:44256 <-> 120.28.5.41:80 [proto: 7/HTTP][ClearText][cat: Streaming/17][2 pkts/1086 bytes <-> 1 pkts/1225 bytes][Goodput ratio: 90/95][0.64 sec][Hostname/SNI: play-singtelhawk.quickplay.com][URL: play-singtelhawk.quickplay.com/vstb/playlist_5_6241_357.m3u8?action=145&appId=5006&carrierId=23&appVersion=1.0&contentId=6241&contentTypeId=3&deviceName=androidmobile&encodingId=357&drmId=4&drmVersion=1.5&delivery=5&prefLanguage=eng&webvtt=true&userid=091][StatusCode: 0][User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 3W Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36][PLAIN TEXT (GET /vstb/playlist)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0] 11 TCP 10.54.169.250:56381 <-> 54.179.140.65:80 [proto: 7.265/HTTP.AmazonAWS][ClearText][cat: Cloud/13][1 pkts/638 bytes <-> 1 pkts/831 bytes][Goodput ratio: 91/93][0.32 sec][Hostname/SNI: api.account.xiaomi.com][URL: api.account.xiaomi.com/pass/v2/safe/user/coreInfo?signature=u%2F73dEXBHbejev0ISNwnGyyfeTw%3D&userId=Mz5Xr5UXKuw83hxd6Yms2w%3D%3D][StatusCode: 200][Req Content-Type: application/x-www-form-urlencoded][User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI/V6.4.2.0.KXDMICB)][PLAIN TEXT (GET /pass/v)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 12 TCP 10.54.169.250:54883 <-> 203.205.151.160:80 [proto: 7.48/HTTP.QQ][ClearText][cat: Chat/9][2 pkts/1192 bytes <-> 1 pkts/145 bytes][Goodput ratio: 91/61][2.08 sec][Hostname/SNI: hkextshort.weixin.qq.com][URL: http://hkextshort.weixin.qq.com/cgi-bin/micromsg-bin/mmsnssync][StatusCode: 0][Req Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][PLAIN TEXT (POST http)][Plen Bins: 0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 13 TCP 10.54.169.250:54885 <-> 203.205.151.160:80 [proto: 7.48/HTTP.QQ][ClearText][cat: Chat/9][1 pkts/461 bytes <-> 2 pkts/522 bytes][Goodput ratio: 88/78][2.81 sec][Hostname/SNI: hkextshort.weixin.qq.com][URL: http://hkextshort.weixin.qq.com/cgi-bin/micromsg-bin/getcontactlabellist][StatusCode: 200][Req Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,66,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |