authorLuca Deri <deri@ntop.org>2021-12-07 14:45:42 +0100
committerLuca Deri <deri@ntop.org>2021-12-07 14:45:42 +0100
commit85b396ca43fbd68469600b1bbafa7289276d1a8c (patch)
tree3b476c4fce3767b007ce411f3528d0023bf6585c
parentcefcc25b13f997ca84ac3b0ca7554ece178f4cc2 (diff)
Fixed an issue that prevented subject alternative names from being fully detected when ipAddress and rfc822Name entries were present in certificates
4 files changed, 57 insertions, 38 deletions
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index eb5af5a34..f32143320 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -469,9 +469,8 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
ndpi_hostname_sni_set(flow, (const u_int8_t *)_hostname, j);
- if (hostname_is_valid == 0) {
- ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS);
- }
+ if (hostname_is_valid == 0)
+ ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS);
if(j > 0) {
ndpi_protocol_match_result ret_match;
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index a75e26eb2..da29466e8 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -241,7 +241,7 @@ static int extractRDNSequence(struct ndpi_packet_struct *packet,
char *str;
u_int len, j;
- if (*rdnSeqBuf_offset >= rdnSeqBuf_len) {
+ if(*rdnSeqBuf_offset >= rdnSeqBuf_len) {
#ifdef DEBUG_TLS
printf("[TLS] %s() [buffer capacity reached][%u]\n",
__FUNCTION__, rdnSeqBuf_len);
@@ -393,7 +393,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
if(rdn_len && (flow->protos.tls_quic.issuerDN == NULL)) {
flow->protos.tls_quic.issuerDN = ndpi_strdup(rdnSeqBuf);
- if (ndpi_is_printable_string(rdnSeqBuf, rdn_len) == 0) {
+ if(ndpi_is_printable_string(rdnSeqBuf, rdn_len) == 0) {
ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS);
}
}
@@ -463,7 +463,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
}
}
- if (flow->protos.tls_quic.notBefore > TLS_LIMIT_DATE)
+ if(flow->protos.tls_quic.notBefore > TLS_LIMIT_DATE)
if((flow->protos.tls_quic.notAfter-flow->protos.tls_quic.notBefore) > TLS_THRESHOLD)
ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG); /* Certificate validity longer than 13 months*/
@@ -499,7 +499,13 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
i++;
while(i < packet->payload_packet_len) {
- if(packet->payload[i] == 0x82) {
+ u_int8_t general_name_type = packet->payload[i];
+
+ if((general_name_type == 0x81) /* rfc822Name */
+ || (general_name_type == 0x82) /* dNSName */
+ || (general_name_type == 0x87) /* ipAddress */
+ )
+ {
if((i < (packet->payload_packet_len - 1))
&& ((i + packet->payload[i + 1] + 2) < packet->payload_packet_len)) {
u_int8_t len = packet->payload[i + 1];
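Review bot: The tags `0x81`, `0x82` and `0x87` introduced in the new `if` are bare magic numbers that the following hunk compares against a second time (`general_name_type == 0x87`); they are the context-specific IMPLICIT tags of the RFC 5280 GeneralName CHOICE (rfc822Name [1], dNSName [2], iPAddress [7]) and naming them once would make both checks self-documenting. I would add `#define X509_GN_RFC822NAME 0x81`, `#define X509_GN_DNSNAME 0x82` and `#define X509_GN_IPADDRESS 0x87` near the top of tls.c and use them in place of the literals. The other GeneralName alternatives (otherName, uniformResourceIdentifier, directoryName) presumably still take whatever branch follows this `if`, which is outside the hunk, and the enclosing while loop also continues past the hunk.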
@@ -513,9 +519,24 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
|| ((i+len) > packet->payload_packet_len))
break;
- strncpy(dNSName, (const char*)&packet->payload[i], len);
- dNSName[len] = '\0';
-
+ if(general_name_type == 0x87) {
+ if(len == 4 /* IPv4 */) {
+ snprintf(dNSName, sizeof(dNSName), "%u.%u.%u.%u",
+ packet->payload[i] & 0xFF,
+ packet->payload[i+1] & 0xFF,
+ packet->payload[i+2] & 0xFF,
+ packet->payload[i+3] & 0xFF);
+ } else {
+ /*
+ TODO add IPv6 support when able to have
+ a pcap file for coding
+ */
+ }
+ } else {
+ strncpy(dNSName, (const char*)&packet->payload[i], len);
+ dNSName[len] = '\0';
+ }
+
cleanupServerName(dNSName, len);
#if DEBUG_TLS
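Review bot: When an ipAddress SAN is not 4 bytes long (the IPv6 TODO branch under `if(len == 4 /* IPv4 */)`), dNSName is left holding the previous iteration's name, which then flows into cleanupServerName(), the printable-string check and the name matching as if it were a fresh entry; the updated expected outputs in tests/result show exactly this, with `dns64.dns.google` listed five times ahead of `8.8.4.4` and `8.8.8.8`, i.e. one stale copy per 16-byte address. The IPv4 branch has a related problem: `len` stays 4 while the formatted text is up to 15 characters, so `cleanupServerName(dNSName, len)` and `ndpi_is_printable_string(dNSName, len)` only see a prefix of the string. I would format 16-byte addresses too, empty the buffer for any other length (RFC 5280 allows only 4 or 16 octets), and track the text length in a separate variable so that `len`, which presumably still drives the advance of `i` further down outside this hunk, stays untouched. The enclosing while loop starts in the previous hunk and continues past this one; the code there should be checked so an empty dNSName is skipped rather than recorded.
```c
u_int name_len = len; /* length of the text in dNSName; len is kept for the DER walk */

if(general_name_type == 0x87) {
  if(len == 4 /* IPv4 */) {
    snprintf(dNSName, sizeof(dNSName), "%u.%u.%u.%u",
             packet->payload[i] & 0xFF, packet->payload[i+1] & 0xFF,
             packet->payload[i+2] & 0xFF, packet->payload[i+3] & 0xFF);
  } else if(len == 16 /* IPv6 */) {
    /* Uncompressed textual form; the bounds check above guarantees i..i+15 is in the payload */
    u_int16_t g[8];
    int k;

    for(k = 0; k < 8; k++)
      g[k] = (packet->payload[i + 2*k] << 8) | packet->payload[i + 2*k + 1];

    snprintf(dNSName, sizeof(dNSName), "%x:%x:%x:%x:%x:%x:%x:%x",
             g[0], g[1], g[2], g[3], g[4], g[5], g[6], g[7]);
  } else {
    /* RFC 5280 allows only 4 or 16 octets here: never reuse the previous name */
    dNSName[0] = '\0';
  }

  name_len = strlen(dNSName);
} else {
  strncpy(dNSName, (const char*)&packet->payload[i], len);
  dNSName[len] = '\0';
}

cleanupServerName(dNSName, name_len);
/* … unchanged: DEBUG_TLS printf … */
if(ndpi_is_printable_string(dNSName, name_len) == 0)
  ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS);
```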
@@ -523,9 +544,8 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
flow->host_server_name, len,
packet->payload_packet_len-i-len);
#endif
- if (ndpi_is_printable_string(dNSName, len) == 0) {
- ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS);
- }
+ if(ndpi_is_printable_string(dNSName, len) == 0)
+ ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS);
if(matched_name == 0) {
#if DEBUG_TLS
@@ -536,13 +556,13 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
if(flow->host_server_name[0] == '\0') {
matched_name = 1; /* No SNI */
- } else if (dNSName[0] == '*') {
+ } else if(dNSName[0] == '*') {
char * label = strstr(flow->host_server_name, &dNSName[1]);
- if (label != NULL) {
+ if(label != NULL) {
char * first_dot = strchr(flow->host_server_name, '.');
- if (first_dot == NULL || first_dot >= label) {
+ if(first_dot == NULL || first_dot >= label) {
matched_name = 1;
}
}
@@ -739,7 +759,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
printf("[TLS] SHA-1: %s\n", sha1_str);
#endif
- if (ndpi_struct->malicious_sha1_automa.ac_automa != NULL) {
+ if(ndpi_struct->malicious_sha1_automa.ac_automa != NULL) {
u_int16_t rc1 = ndpi_match_string(ndpi_struct->malicious_sha1_automa.ac_automa, sha1_str);
if(rc1 > 0)
@@ -801,7 +821,7 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
* ndpi_int_tls_add_connection has been called */
if(flow->protos.tls_quic.hello_processed) {
ret = processCertificate(ndpi_struct, flow);
- if (ret != 1) {
+ if(ret != 1) {
#ifdef DEBUG_TLS
printf("[TLS] Error processing certificate: %d\n", ret);
#endif
@@ -1023,7 +1043,7 @@ static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct,
#ifdef DEBUG_TLS
printf("[TLS] DTLS block len: %d\n", block_len);
#endif
- if (block_len == 0 || (processed + block_len + 12 >= p_len)) {
+ if(block_len == 0 || (processed + block_len + 12 >= p_len)) {
#ifdef DEBUG_TLS
printf("[TLS] DTLS invalid block len %d (processed %d, p_len %d)\n",
block_len, processed, p_len);
@@ -1033,7 +1053,7 @@ static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct,
}
/* We process only handshake msgs */
if(block[0] == 0x16) {
- if (processed + block_len + 13 > p_len) {
+ if(processed + block_len + 13 > p_len) {
#ifdef DEBUG_TLS
printf("[TLS] DTLS invalid len %d %d %d\n", processed, block_len, p_len);
#endif
@@ -1041,7 +1061,7 @@ static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct,
break;
}
/* TODO: handle (certificate) fragments */
- if (block_len > 16) {
+ if(block_len > 16) {
handshake_len = (block[14] << 16) + (block[15] << 8) + block[16];
if((handshake_len + 12) != block_len) {
#ifdef DEBUG_TLS
@@ -1165,7 +1185,7 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct,
{
struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
- if (extension_payload_offset + extension_len > packet->payload_packet_len)
+ if(extension_payload_offset + extension_len > packet->payload_packet_len)
{
#ifdef DEBUG_TLS
printf("[TLS] extension length exceeds remaining packet length: %u > %u.\n",
@@ -1192,18 +1212,18 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct,
sizeof(allowed_non_iana_extensions[0]);
/* see: https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
- if (extension_id > 59 && extension_id != 65281)
+ if(extension_id > 59 && extension_id != 65281)
{
u_int8_t extension_found = 0;
for (size_t i = 0; i < allowed_non_iana_extensions_size; ++i)
{
- if (allowed_non_iana_extensions[i] == extension_id)
+ if(allowed_non_iana_extensions[i] == extension_id)
{
extension_found = 1;
break;
}
}
- if (extension_found == 0)
+ if(extension_found == 0)
{
#ifdef DEBUG_TLS
printf("[TLS] suspicious extension id: %u\n", extension_id);
@@ -1214,9 +1234,9 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct,
}
/* Check for DTLS-only extensions. */
- if (is_dtls == 0)
+ if(is_dtls == 0)
{
- if (extension_id == 53 || extension_id == 54)
+ if(extension_id == 53 || extension_id == 54)
{
#ifdef DEBUG_TLS
printf("[TLS] suspicious DTLS-only extension id: %u\n", extension_id);
@@ -1335,7 +1355,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
extension_id = ntohs(*((u_int16_t*)&packet->payload[offset]));
extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+2]));
- if (offset+4+extension_len > packet->payload_packet_len) {
+ if(offset+4+extension_len > packet->payload_packet_len) {
break;
}
@@ -1371,7 +1391,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
s_offset += 2;
tot_alpn_len += s_offset;
- if (tot_alpn_len > packet->payload_packet_len)
+ if(tot_alpn_len > packet->payload_packet_len)
return 0;
while(s_offset < tot_alpn_len && s_offset < total_len) {
@@ -1409,7 +1429,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
#ifdef DEBUG_TLS
printf("Server TLS [ALPN: %s][len: %u]\n", alpn_str, alpn_str_len);
#endif
- if (ndpi_is_printable_string(alpn_str, alpn_str_len) == 0)
+ if(ndpi_is_printable_string(alpn_str, alpn_str_len) == 0)
ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS);
if(flow->protos.tls_quic.alpn == NULL)
@@ -1725,7 +1745,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
#ifdef DEBUG_TLS
printf("[TLS] SNI: [%s]\n", sni);
#endif
- if (ndpi_is_printable_string(sni, sni_len) == 0)
+ if(ndpi_is_printable_string(sni, sni_len) == 0)
{
ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS);
}
@@ -1938,7 +1958,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
duplicate_found);
#endif
- if (i > 0 && i >= tot_signature_algorithms_len) {
+ if(i > 0 && i >= tot_signature_algorithms_len) {
ja3.client.signature_algorithms[i*2 - 1] = '\0';
} else {
ja3.client.signature_algorithms[i*2] = '\0';
@@ -2067,7 +2087,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
/* Key Share Entry */
e_offset += 2; /* Group */
- if (e_offset + 2 < packet->payload_packet_len) {
+ if(e_offset + 2 < packet->payload_packet_len) {
e_offset += ntohs(*((u_int16_t*)&packet->payload[e_offset])) + 2; /* Lenght */
if((e_offset+4) < packet->payload_packet_len) {
diff --git a/tests/result/dns_dot.pcap.out b/tests/result/dns_dot.pcap.out
index 036fc1784..c91f6a480 100644
--- a/tests/result/dns_dot.pcap.out
+++ b/tests/result/dns_dot.pcap.out
@@ -9,4 +9,4 @@ JA3 Host Stats:
1 192.168.1.185 1
- 1 TCP 192.168.1.185:58290 <-> 8.8.8.8:853 [proto: 91.196/TLS.DoH_DoT][Encrypted][cat: Network/14][14 pkts/1480 bytes <-> 10 pkts/4389 bytes][Goodput ratio: 37/85][3.01 sec][bytes ratio: -0.496 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 270/182 1596/1192 531/413][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 106/439 264/3135 53/903][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **** SNI TLS extension was missing **][Risk Score: 110][TLSv1.2][JA3C: 4fe4099926d0acdc9b2fe4b02013659f][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: 2b341b88c742e940cfb485ce7d93dde7][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: BE:73:46:2A:2E:FB:A9:E9:42:D0:71:10:1B:8C:BF:44:6A:5D:AD:53][Firefox][Validity: 2019-10-10 20:58:42 - 2020-01-02 20:58:42][Cipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256][Plen Bins: 23,7,23,15,0,7,7,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7]
+ 1 TCP 192.168.1.185:58290 <-> 8.8.8.8:853 [proto: 91.196/TLS.DoH_DoT][Encrypted][cat: Network/14][14 pkts/1480 bytes <-> 10 pkts/4389 bytes][Goodput ratio: 37/85][3.01 sec][bytes ratio: -0.496 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 270/182 1596/1192 531/413][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 106/439 264/3135 53/903][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **** SNI TLS extension was missing **][Risk Score: 110][TLSv1.2][JA3C: 4fe4099926d0acdc9b2fe4b02013659f][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google,dns64.dns.google,dns64.dns.google,dns64.dns.google,dns64.dns.google,8.8.4.4,8.8.8.8][JA3S: 2b341b88c742e940cfb485ce7d93dde7][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: BE:73:46:2A:2E:FB:A9:E9:42:D0:71:10:1B:8C:BF:44:6A:5D:AD:53][Firefox][Validity: 2019-10-10 20:58:42 - 2020-01-02 20:58:42][Cipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256][Plen Bins: 23,7,23,15,0,7,7,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7]
diff --git a/tests/result/googledns_android10.pcap.out b/tests/result/googledns_android10.pcap.out
index 26a08ee0d..4e65c7f3a 100644
--- a/tests/result/googledns_android10.pcap.out
+++ b/tests/result/googledns_android10.pcap.out
@@ -11,11 +11,11 @@ JA3 Host Stats:
1 192.168.1.159 2
- 1 TCP 192.168.1.159:48210 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][Encrypted][cat: Network/14][121 pkts/19065 bytes <-> 120 pkts/45726 bytes][Goodput ratio: 58/83][72.27 sec][Hostname/SNI: dns.google][bytes ratio: -0.411 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 711/474 15173/5940 1940/1160][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 158/381 384/1484 93/280][Risk: ** TLS (probably) not carrying HTTPS **][Risk Score: 10][TLSv1.2][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Safari][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,42,0,0,0,0,5,0,0,0,0,0,51,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0]
+ 1 TCP 192.168.1.159:48210 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][Encrypted][cat: Network/14][121 pkts/19065 bytes <-> 120 pkts/45726 bytes][Goodput ratio: 58/83][72.27 sec][Hostname/SNI: dns.google][bytes ratio: -0.411 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 711/474 15173/5940 1940/1160][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 158/381 384/1484 93/280][Risk: ** TLS (probably) not carrying HTTPS **][Risk Score: 10][TLSv1.2][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google,dns64.dns.google,dns64.dns.google,dns64.dns.google,dns64.dns.google,8.8.4.4,8.8.8.8][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Safari][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,42,0,0,0,0,5,0,0,0,0,0,51,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0]
2 TCP 192.168.1.159:48098 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][Encrypted][cat: Network/14][68 pkts/9706 bytes <-> 65 pkts/18916 bytes][Goodput ratio: 54/77][117.95 sec][Hostname/SNI: dns.google][bytes ratio: -0.322 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2097/1988 15177/15193 3804/3968][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 143/291 583/565 94/247][Risk: ** TLS (probably) not carrying HTTPS **][Risk Score: 10][TLSv1.2][JA3C: b734f75d22aaff9866fbd5d27eef9106][JA3S: 1249fb68f48c0444718e4d3b48b27188][Safari][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 1,1,0,0,49,0,0,0,0,0,0,0,0,0,0,47,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 3 TCP 192.168.1.159:48048 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][Encrypted][cat: Network/14][52 pkts/7375 bytes <-> 52 pkts/20720 bytes][Goodput ratio: 53/83][41.01 sec][Hostname/SNI: dns.google][bytes ratio: -0.475 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 882/623 15271/15287 2537/2442][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 142/398 384/1484 84/406][Risk: ** TLS (probably) not carrying HTTPS **][Risk Score: 10][TLSv1.2][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Safari][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 1,0,1,0,44,0,0,1,0,3,0,0,0,0,0,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,3,0,0,0]
- 4 TCP 192.168.1.159:48044 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][Encrypted][cat: Network/14][11 pkts/1097 bytes <-> 10 pkts/4148 bytes][Goodput ratio: 33/84][0.12 sec][Hostname/SNI: dns.google][bytes ratio: -0.582 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 12/9 34/19 13/8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 100/415 220/1484 51/544][Risk: ** TLS (probably) not carrying HTTPS **][Risk Score: 10][TLSv1.2][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Safari][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 11,0,22,11,11,0,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0]
- 5 TCP 192.168.1.159:56024 <-> 8.8.8.8:853 [proto: 91.196/TLS.DoH_DoT][Encrypted][cat: Network/14][11 pkts/1097 bytes <-> 10 pkts/4148 bytes][Goodput ratio: 33/84][0.14 sec][Hostname/SNI: dns.google][bytes ratio: -0.582 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 15/12 46/31 17/11][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 100/415 220/1484 51/544][Risk: ** TLS (probably) not carrying HTTPS **][Risk Score: 10][TLSv1.2][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Safari][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 11,0,22,11,11,0,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0]
+ 3 TCP 192.168.1.159:48048 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][Encrypted][cat: Network/14][52 pkts/7375 bytes <-> 52 pkts/20720 bytes][Goodput ratio: 53/83][41.01 sec][Hostname/SNI: dns.google][bytes ratio: -0.475 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 882/623 15271/15287 2537/2442][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 142/398 384/1484 84/406][Risk: ** TLS (probably) not carrying HTTPS **][Risk Score: 10][TLSv1.2][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google,dns64.dns.google,dns64.dns.google,dns64.dns.google,dns64.dns.google,8.8.4.4,8.8.8.8][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Safari][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 1,0,1,0,44,0,0,1,0,3,0,0,0,0,0,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,3,0,0,0]
+ 4 TCP 192.168.1.159:48044 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][Encrypted][cat: Network/14][11 pkts/1097 bytes <-> 10 pkts/4148 bytes][Goodput ratio: 33/84][0.12 sec][Hostname/SNI: dns.google][bytes ratio: -0.582 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 12/9 34/19 13/8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 100/415 220/1484 51/544][Risk: ** TLS (probably) not carrying HTTPS **][Risk Score: 10][TLSv1.2][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google,dns64.dns.google,dns64.dns.google,dns64.dns.google,dns64.dns.google,8.8.4.4,8.8.8.8][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Safari][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 11,0,22,11,11,0,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0]
+ 5 TCP 192.168.1.159:56024 <-> 8.8.8.8:853 [proto: 91.196/TLS.DoH_DoT][Encrypted][cat: Network/14][11 pkts/1097 bytes <-> 10 pkts/4148 bytes][Goodput ratio: 33/84][0.14 sec][Hostname/SNI: dns.google][bytes ratio: -0.582 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 15/12 46/31 17/11][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 100/415 220/1484 51/544][Risk: ** TLS (probably) not carrying HTTPS **][Risk Score: 10][TLSv1.2][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google,dns64.dns.google,dns64.dns.google,dns64.dns.google,dns64.dns.google,8.8.4.4,8.8.8.8][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Safari][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 11,0,22,11,11,0,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0]
6 ICMP 192.168.1.159:0 <-> 8.8.8.8:0 [proto: 81.126/ICMP.Google][ClearText][cat: Network/14][2 pkts/196 bytes <-> 2 pkts/196 bytes][Goodput ratio: 57/57][0.99 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
7 TCP 8.8.8.8:853 <-> 192.168.1.159:55856 [proto: 196.126/DoH_DoT.Google][Encrypted][cat: Web/5][5 pkts/330 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0/0][1.80 sec][bytes ratio: 0.719 (Upload)][IAT c2s/s2c min/avg/max/stddev: 223/0 449/0 911/0 281/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 66/54 66/54 0/0][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
8 TCP 8.8.4.4:853 <-> 192.168.1.159:47968 [proto: 196.126/DoH_DoT.Google][Encrypted][cat: Web/5][1 pkts/66 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0/0][0.09 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]