diff options
| author | Toni Uhlig <matzeton@googlemail.com> | 2024-09-03 12:16:04 +0200 |
|---|---|---|
| committer | Toni Uhlig <matzeton@googlemail.com> | 2024-09-03 12:16:04 +0200 |
| commit | 0936ebc7bb3b042f0f6e330ed288bff8e26e619b (patch) | |
| tree | ee3adddcc2a647828f1ac718cccd256f974355c7 | |
| parent | 2d040247a77c96a8411477e8ad38c0e07a5e1b54 (diff) | |
Align serialized risk names to all others (first letter; uppercase letter)improve/risks-naming
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
22 files changed, 51 insertions, 51 deletions
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 69129fa3e..cdec4c012 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -2083,19 +2083,19 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) { return("TCP Connection Issues"); case NDPI_FULLY_ENCRYPTED: - return("Fully encrypted flow"); + return("Fully Encrypted Flow"); case NDPI_TLS_ALPN_SNI_MISMATCH: return("ALPN/SNI Mismatch"); case NDPI_MALWARE_HOST_CONTACTED: - return("Client contacted a malware host"); + return("Client Contacted A Malware Host"); case NDPI_BINARY_DATA_TRANSFER: - return("Binary file/data transfer (attempt)"); + return("Binary File/Data Transfer (Attempt)"); case NDPI_PROBING_ATTEMPT: - return("Probing attempt"); + return("Probing Attempt"); default: ndpi_snprintf(buf, sizeof(buf), "%d", (int)risk); diff --git a/tests/cfgs/caches_cfg/result/ookla.pcap.out b/tests/cfgs/caches_cfg/result/ookla.pcap.out index 9c82533f3..fe5199133 100644 --- a/tests/cfgs/caches_cfg/result/ookla.pcap.out +++ b/tests/cfgs/caches_cfg/result/ookla.pcap.out @@ -38,6 +38,6 @@ JA3 Host Stats: 1 TCP 192.168.1.128:35830 <-> 89.96.108.170:8080 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][21 pkts/21216 bytes <-> 8 pkts/1950 bytes][Goodput ratio: 93/72][0.32 sec][Hostname/SNI: spd-pub-mi-01-01.fastwebnet.it][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: 0.832 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 17/61 274/280 62/109][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 1010/244 1514/387 612/138][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: Expected on port 443][TLSv1.3][JA3C: c279b0189edb9269da7bc43dea5e0c36][JA4: t13d1714h2_5b57614c22b0_8f66f9ee9c6c][JA3S: fcb2d4d0991292272fcb1e464eedfd43][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,4,0,0,0,0,4,9,0,9,0,0,0,0,0,4,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,55,0,0] 2 TCP 192.168.1.128:48854 <-> 104.16.209.12:443 [proto: 91.191/TLS.Ookla][IP: 220/Cloudflare][Encrypted][Confidence: DPI][FPC: 220/Cloudflare, Confidence: IP address][DPI packets: 6][cat: Network/14][8 pkts/1620 bytes <-> 6 pkts/3818 bytes][Goodput ratio: 67/89][0.06 sec][Hostname/SNI: www.speedtest.net][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.404 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 7/5 18/15 7/6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 202/636 583/1514 181/646][TLSv1.3][JA3C: 579ccef312d18482fc42e2b822ca2430][JA4: t13d1715h2_5b57614c22b0_3d5424432f57][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Firefox][Cipher: TLS_AES_128_GCM_SHA256][PLAIN TEXT (@oTAgOeedtest.net)][Plen Bins: 0,0,14,0,0,14,0,0,0,0,14,0,0,0,0,0,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,0,0] 3 TCP 192.168.1.7:51207 <-> 46.44.253.187:80 [proto: 7.191/HTTP.Ookla][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Network/14][12 pkts/2238 bytes <-> 8 pkts/2082 bytes][Goodput ratio: 64/74][5.33 sec][Hostname/SNI: massarosa-1.speedtest.welcomeitalia.it][bytes ratio: 0.036 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/4 528/47 5005/84 1493/28][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 186/260 430/523 168/194][URL: massarosa-1.speedtest.welcomeitalia.it/crossdomain.xml][StatusCode: 200][Content-Type: application/xml][Server: Apache/2.2.22 (Ubuntu)][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8][Risk: ** HTTP Obsolete Server **][Risk Score: 50][Risk Info: Obsolete Apache server 2.2.22][PLAIN TEXT (GET /crossdomain.xml HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,12,75,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 4 TCP 192.168.1.192:51156 <-> 89.96.108.170:8080 [proto: 131/HTTP_Proxy][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 10][cat: Web/5][6 pkts/591 bytes <-> 4 pkts/1784 bytes][Goodput ratio: 32/85][0.05 sec][bytes ratio: -0.502 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/10 15/20 6/8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 98/446 143/1514 31/617][Risk: ** Fully encrypted flow **][Risk Score: 50][PLAIN TEXT (gKRZvA)][Plen Bins: 0,40,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0] + 4 TCP 192.168.1.192:51156 <-> 89.96.108.170:8080 [proto: 131/HTTP_Proxy][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 10][cat: Web/5][6 pkts/591 bytes <-> 4 pkts/1784 bytes][Goodput ratio: 32/85][0.05 sec][bytes ratio: -0.502 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/10 15/20 6/8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 98/446 143/1514 31/617][Risk: ** Fully Encrypted Flow **][Risk Score: 50][PLAIN TEXT (gKRZvA)][Plen Bins: 0,40,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0] 5 TCP 192.168.1.7:51215 <-> 46.44.253.187:8080 [proto: 191/Ookla][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Network/14][19 pkts/1421 bytes <-> 11 pkts/920 bytes][Goodput ratio: 11/20][0.80 sec][bytes ratio: 0.214 (Upload)][IAT c2s/s2c min/avg/max/stddev: 26/0 44/75 103/137 23/41][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 75/84 85/100 9/8][PLAIN TEXT ( 6HELLO 2.4 2016)][Plen Bins: 94,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 6 TCP 192.168.1.192:37790 <-> 185.157.229.246:8080 [proto: 191/Ookla][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Network/14][6 pkts/454 bytes <-> 4 pkts/317 bytes][Goodput ratio: 11/14][0.06 sec][bytes ratio: 0.178 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 12/5 46/9 17/4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 76/79 106/108 14/17][PLAIN TEXT (HELLO 2.9 )][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/1kxun.pcap.out b/tests/cfgs/default/result/1kxun.pcap.out index 96a8a1581..91d0fccea 100644 --- a/tests/cfgs/default/result/1kxun.pcap.out +++ b/tests/cfgs/default/result/1kxun.pcap.out @@ -163,7 +163,7 @@ JA3 Host Stats: 107 UDP 192.168.5.45:138 -> 192.168.255.255:138 [proto: 10.16/NetBIOS.SMBv1][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 10.16/NetBIOS.SMBv1, Confidence: DPI][DPI packets: 1][cat: System/18][3 pkts/648 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][0.00 sec][Hostname/SNI: macbookair-e1d0][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT ( ENEBEDECEPEPELEBEJ)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 108 TCP 192.168.2.126:54810 <-> 18.233.123.55:80 [proto: 7/HTTP][IP: 265/AmazonAWS][ClearText][Confidence: DPI][FPC: 7/HTTP, Confidence: DPI][DPI packets: 2][cat: Web/5][1 pkts/490 bytes <-> 1 pkts/141 bytes][Goodput ratio: 86/53][0.11 sec][Hostname/SNI: impression-east.liftoff.io][URL: impression-east.liftoff.io/mintegral/beacon?ad_group_id=143845&channel_id=117&creative_id=253640&auction_id=f84f54bf-31cd-43ff-bd27-526ccc6457da&origin=haggler-mintegral021][StatusCode: 200][User-Agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86 Build/RSR1.201013.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36][PLAIN TEXT (GET /mintegral/beacon)][Plen Bins: 0,0,50,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 109 TCP 192.168.2.126:51888 -> 119.28.164.143:80 [proto: 7/HTTP][IP: 285/Tencent][ClearText][Confidence: DPI][FPC: 7/HTTP, Confidence: DPI][DPI packets: 1][cat: Web/5][1 pkts/571 bytes -> 0 pkts/0 bytes][Goodput ratio: 90/0][< 1 sec][Hostname/SNI: qzonestyle.gtimg.cn][URL: qzonestyle.gtimg.cn/qzone/openapi/qc-1.0.1.js][User-Agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86 Build/RSR1.201013.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (GET /qzone/openapi/qc)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 110 TCP 192.168.2.126:47230 <-> 161.117.13.29:80 [proto: 7.295/HTTP.1kxun][IP: 274/Alibaba][ClearText][Confidence: DPI][FPC: 7.295/HTTP.1kxun, Confidence: DPI][DPI packets: 2][cat: Download/7][1 pkts/223 bytes <-> 1 pkts/330 bytes][Goodput ratio: 70/80][0.18 sec][Hostname/SNI: kankan.1kxun.mobi][URL: kankan.1kxun.mobi/api.domain.conf][StatusCode: 200][Content-Type: application/octet-stream][Server: openresty/1.13.6.1][User-Agent: okhttp/3.10.0][Risk: ** Binary file/data transfer (attempt) **][Risk Score: 50][Risk Info: Found binary mime octet-stream][PLAIN TEXT (GET /api.domain.conf HTTP/1.1)][Plen Bins: 0,0,0,0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 110 TCP 192.168.2.126:47230 <-> 161.117.13.29:80 [proto: 7.295/HTTP.1kxun][IP: 274/Alibaba][ClearText][Confidence: DPI][FPC: 7.295/HTTP.1kxun, Confidence: DPI][DPI packets: 2][cat: Download/7][1 pkts/223 bytes <-> 1 pkts/330 bytes][Goodput ratio: 70/80][0.18 sec][Hostname/SNI: kankan.1kxun.mobi][URL: kankan.1kxun.mobi/api.domain.conf][StatusCode: 200][Content-Type: application/octet-stream][Server: openresty/1.13.6.1][User-Agent: okhttp/3.10.0][Risk: ** Binary File/Data Transfer (Attempt) **][Risk Score: 50][Risk Info: Found binary mime octet-stream][PLAIN TEXT (GET /api.domain.conf HTTP/1.1)][Plen Bins: 0,0,0,0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 111 UDP 192.168.115.8:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 10/NetBIOS, Confidence: DPI][DPI packets: 1][cat: System/18][6 pkts/552 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][1.50 sec][Hostname/SNI: wpad][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 300/0 749/0 367/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92/0 92/0 0/0][PLAIN TEXT ( FHFAEBEECACACACACACACACACACACA)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 112 UDP 192.168.5.67:138 -> 192.168.255.255:138 [proto: 10.16/NetBIOS.SMBv1][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 10.16/NetBIOS.SMBv1, Confidence: DPI][DPI packets: 1][cat: System/18][2 pkts/549 bytes -> 0 pkts/0 bytes][Goodput ratio: 85/0][< 1 sec][Hostname/SNI: sanji-lifebook-][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT ( FDEBEOEKEJ)][Plen Bins: 0,0,0,0,0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 113 UDP [fe80::406:55a8:6453:25dd]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 103/DHCPV6, Confidence: DPI][DPI packets: 1][cat: Network/14][5 pkts/490 bytes -> 0 pkts/0 bytes][Goodput ratio: 37/0][15.56 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/KakaoTalk_chat.pcap.out b/tests/cfgs/default/result/KakaoTalk_chat.pcap.out index a24b81e9f..d12805e32 100644 --- a/tests/cfgs/default/result/KakaoTalk_chat.pcap.out +++ b/tests/cfgs/default/result/KakaoTalk_chat.pcap.out @@ -49,7 +49,7 @@ JA3 Host Stats: 5 TCP 10.24.82.188:45213 <-> 31.13.68.84:443 [proto: 91.119/TLS.Facebook][IP: 119/Facebook][Encrypted][Confidence: DPI][FPC: 119/Facebook, Confidence: DNS][DPI packets: 13][cat: SocialNetwork/6][15 pkts/2508 bytes <-> 13 pkts/5053 bytes][Goodput ratio: 66/85][0.86 sec][bytes ratio: -0.337 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 71/71 489/365 131/103][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 167/389 899/1336 222/491][Risk: ** Obsolete TLS (v1.1 or older) **** Malicious Fingerpint **][Risk Score: 150][Risk Info: TLSv1 / dff8a0aa1c904aaea76c5bf624e88333][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA4: t10d350200_1f24bcc5f17d_33a13ba74d1c][ServerNames: *.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3][Subject: C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA][Plen Bins: 15,15,0,15,0,7,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,7,0,0,0,7,7,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0,0,0,0,0,0] 6 TCP 10.24.82.188:35511 <-> 173.252.97.2:443 [proto: 91.119/TLS.Facebook][IP: 119/Facebook][Encrypted][Confidence: DPI][FPC: 119/Facebook, Confidence: IP address][DPI packets: 9][cat: SocialNetwork/6][18 pkts/2390 bytes <-> 18 pkts/4762 bytes][Goodput ratio: 57/79][28.98 sec][bytes ratio: -0.332 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2050/118 26937/448 6904/127][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 133/265 578/1336 134/439][Risk: ** Obsolete TLS (v1.1 or older) **** Malicious Fingerpint **][Risk Score: 150][Risk Info: TLSv1 / dff8a0aa1c904aaea76c5bf624e88333][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA4: t10d350200_1f24bcc5f17d_33a13ba74d1c][ServerNames: *.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3][Subject: C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA][Plen Bins: 31,12,6,6,6,6,0,0,6,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0] 7 TCP 10.24.82.188:37821 <-> 210.103.240.15:443 [proto: 91.193/TLS.KakaoTalk][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 193/KakaoTalk, Confidence: DNS][DPI packets: 13][cat: Chat/9][13 pkts/2036 bytes <-> 14 pkts/5090 bytes][Goodput ratio: 63/84][11.34 sec][bytes ratio: -0.429 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1114/74 10357/172 3082/62][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 157/364 429/1336 152/451][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **** Malicious Fingerpint **][Risk Score: 250][Risk Info: TLSv1 / dff8a0aa1c904aaea76c5bf624e88333 / Cipher TLS_RSA_WITH_AES_128_CBC_SHA][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA4: t10d350200_1f24bcc5f17d_33a13ba74d1c][ServerNames: *.kakao.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)][Issuer: C=US, O=Thawte, Inc., CN=Thawte SSL CA][Subject: C=KR, ST=Gyeonggi-do, L=Seongnam-si, O=Kakao Corp., CN=*.kakao.com][Certificate SHA-1: 0D:14:6D:8D:5E:EB:F5:F5:42:87:CD:AB:AE:A1:DC:AA:5A:76:6F:E4][Validity: 2014-04-18 00:00:00 - 2016-04-17 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,16,0,0,0,8,8,0,0,0,16,25,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0] - 8 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 21][cat: Web/5][17 pkts/2231 bytes <-> 9 pkts/1695 bytes][Goodput ratio: 48/63][46.77 sec][bytes ratio: 0.137 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 50/36 2833/4340 12590/13131 4126/4407][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 131/188 657/274 136/75][Risk: ** Fully encrypted flow **][Risk Score: 50][Plen Bins: 13,13,27,0,27,6,6,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 8 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 21][cat: Web/5][17 pkts/2231 bytes <-> 9 pkts/1695 bytes][Goodput ratio: 48/63][46.77 sec][bytes ratio: 0.137 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 50/36 2833/4340 12590/13131 4126/4407][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 131/188 657/274 136/75][Risk: ** Fully Encrypted Flow **][Risk Score: 50][Plen Bins: 13,13,27,0,27,6,6,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 9 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 18][cat: Web/5][9 pkts/1737 bytes <-> 9 pkts/672 bytes][Goodput ratio: 71/25][24.52 sec][bytes ratio: 0.442 (Upload)][IAT c2s/s2c min/avg/max/stddev: 40/104 3456/3426 12765/12806 4427/4480][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 193/75 303/98 123/21][Plen Bins: 0,44,0,0,0,0,0,55,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 10 TCP 10.24.82.188:58964 <-> 54.255.253.199:5223 [proto: 91/TLS][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 265/AmazonAWS, Confidence: IP address][DPI packets: 6][cat: Web/5][3 pkts/290 bytes <-> 3 pkts/1600 bytes][Goodput ratio: 27/87][0.31 sec][bytes ratio: -0.693 (Download)][IAT c2s/s2c min/avg/max/stddev: 15/5 107/56 199/108 92/52][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 97/533 146/1456 35/652][Risk: ** Known Proto on Non Std Port **** Obsolete TLS (v1.1 or older) **][Risk Score: 150][Risk Info: TLSv1][TLSv1][JA3C: d9ce50c62ab1fd5932da3c6b6d406c65][JA4: t10d150000_e2ff6cb279ee_e3b0c44298fc][Plen Bins: 0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0] 11 TCP 10.24.82.188:37557 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][IP: 119/Facebook][ClearText][Confidence: DPI][FPC: 119/Facebook, Confidence: DNS][DPI packets: 7][cat: SocialNetwork/6][5 pkts/487 bytes <-> 6 pkts/627 bytes][Goodput ratio: 38/45][21.97 sec][Hostname/SNI: www.facebook.com][bytes ratio: -0.126 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 40/40 115/102 264/210 106/77][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 97/104 243/339 73/105][URL: www.facebook.com/mobile/status.php][StatusCode: 204][User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI/V6.4.3.0.KXDMICB)][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)][Plen Bins: 0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/Oscar.pcap.out b/tests/cfgs/default/result/Oscar.pcap.out index 9802ad8c7..d957aba8f 100644 --- a/tests/cfgs/default/result/Oscar.pcap.out +++ b/tests/cfgs/default/result/Oscar.pcap.out @@ -26,4 +26,4 @@ TLS 71 9386 1 Safe 71 9386 1 - 1 TCP 10.30.29.3:63357 <-> 178.237.24.249:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 21][cat: Web/5][38 pkts/3580 bytes <-> 33 pkts/5806 bytes][Goodput ratio: 42/68][72.45 sec][bytes ratio: -0.237 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2392/2607 58175/58215 10382/11142][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 94/176 369/1414 75/257][Risk: ** Fully encrypted flow **][Risk Score: 50][Plen Bins: 7,58,5,5,0,0,5,2,2,7,0,0,0,0,2,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0] + 1 TCP 10.30.29.3:63357 <-> 178.237.24.249:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 21][cat: Web/5][38 pkts/3580 bytes <-> 33 pkts/5806 bytes][Goodput ratio: 42/68][72.45 sec][bytes ratio: -0.237 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2392/2607 58175/58215 10382/11142][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 94/176 369/1414 75/257][Risk: ** Fully Encrypted Flow **][Risk Score: 50][Plen Bins: 7,58,5,5,0,0,5,2,2,7,0,0,0,0,2,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0] diff --git a/tests/cfgs/default/result/custom_categories.pcapng.out b/tests/cfgs/default/result/custom_categories.pcapng.out index 8e9fb6d4f..ebc3255a2 100644 --- a/tests/cfgs/default/result/custom_categories.pcapng.out +++ b/tests/cfgs/default/result/custom_categories.pcapng.out @@ -28,5 +28,5 @@ Safe 1 346 1 Acceptable 84 14188 2 1 TCP [2001:db8:1::1]:64720 <-> [2001:db8:200::1]:20868 [proto: 92/SSH][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 16][cat: Malware/100][32 pkts/3639 bytes <-> 30 pkts/6335 bytes][Goodput ratio: 24/59][5.34 sec][Hostname/SNI: SSH-1.5-1.2.26][bytes ratio: -0.270 (Download)][IAT c2s/s2c min/avg/max/stddev: 13/74 184/193 1212/1436 234/283][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 114/211 250/1294 47/257][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Server: SSH-1.5-1.2.26][Plen Bins: 69,6,0,0,11,2,0,0,2,0,0,0,0,0,2,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0] - 2 TCP 172.26.219.44:58639 <-> 172.30.69.103:22 [proto: 92/SSH][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 10][cat: Malware/100][11 pkts/2011 bytes <-> 11 pkts/2203 bytes][Goodput ratio: 63/67][0.11 sec][Hostname/SNI: SSH-1.99-OpenSSH_4.3][bytes ratio: -0.046 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 7/7 39/41 12/13][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 183/200 1026/770 270/223][Risk: ** SSH Obsolete Cli Vers/Cipher **** SSH Obsolete Ser Vers/Cipher **** Client contacted a malware host **][Risk Score: 300][Risk Info: Client contacted malware host / Found cipher arcfour128 / Found cipher arcfour128][HASSH-C: D6593B3202A30B2AA9793A00F8647A0A][Server: SSH-2.0-OpenSSH_6.1][HASSH-S: 500033A73A293E7C36743693D0D4596B][Plen Bins: 31,15,15,0,15,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 3 ESP [2a01:e34:ef6f:4340:94be:5dac:c20a:d2a0]:0 -> [2001:1670:8:40a6:a08e:332b:aa69:18dc]:0 [VLAN: 121][proto: 79/IPSec][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 79/IPSec, Confidence: DPI][DPI packets: 1][cat: Malware/100][1 pkts/346 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **** Client contacted a malware host **][Risk Score: 160][Risk Info: No server to client traffic / Client contacted malware host][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 TCP 172.26.219.44:58639 <-> 172.30.69.103:22 [proto: 92/SSH][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 10][cat: Malware/100][11 pkts/2011 bytes <-> 11 pkts/2203 bytes][Goodput ratio: 63/67][0.11 sec][Hostname/SNI: SSH-1.99-OpenSSH_4.3][bytes ratio: -0.046 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 7/7 39/41 12/13][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 183/200 1026/770 270/223][Risk: ** SSH Obsolete Cli Vers/Cipher **** SSH Obsolete Ser Vers/Cipher **** Client Contacted A Malware Host **][Risk Score: 300][Risk Info: Client contacted malware host / Found cipher arcfour128 / Found cipher arcfour128][HASSH-C: D6593B3202A30B2AA9793A00F8647A0A][Server: SSH-2.0-OpenSSH_6.1][HASSH-S: 500033A73A293E7C36743693D0D4596B][Plen Bins: 31,15,15,0,15,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 ESP [2a01:e34:ef6f:4340:94be:5dac:c20a:d2a0]:0 -> [2001:1670:8:40a6:a08e:332b:aa69:18dc]:0 [VLAN: 121][proto: 79/IPSec][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 79/IPSec, Confidence: DPI][DPI packets: 1][cat: Malware/100][1 pkts/346 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **** Client Contacted A Malware Host **][Risk Score: 160][Risk Info: No server to client traffic / Client contacted malware host][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/dotenv.pcap.out b/tests/cfgs/default/result/dotenv.pcap.out index a10b112da..cdfbb1449 100644 --- a/tests/cfgs/default/result/dotenv.pcap.out +++ b/tests/cfgs/default/result/dotenv.pcap.out @@ -24,4 +24,4 @@ HTTP 10 993 1 Acceptable 10 993 1 - 1 TCP 192.168.2.198:51327 <-> 89.31.76.10:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][6 pkts/490 bytes <-> 4 pkts/503 bytes][Goodput ratio: 17/46][0.12 sec][Hostname/SNI: sevenpitaly.com][bytes ratio: -0.013 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 24/22 45/43 20/22][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 82/126 148/297 30/99][URL: sevenpitaly.com/.env][StatusCode: 406][Content-Type: application/octet-stream][Server: openresty][User-Agent: curl/8.4.0][Risk: ** Possible Exploit Attempt **** Error Code **** Binary file/data transfer (attempt) **][Risk Score: 210][Risk Info: URL starting with dot / HTTP Error Code 406 / Found binary mime octet-stream (attempt)][PLAIN TEXT (GET /.env HTTP/1.1)][Plen Bins: 0,0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 TCP 192.168.2.198:51327 <-> 89.31.76.10:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][6 pkts/490 bytes <-> 4 pkts/503 bytes][Goodput ratio: 17/46][0.12 sec][Hostname/SNI: sevenpitaly.com][bytes ratio: -0.013 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 24/22 45/43 20/22][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 82/126 148/297 30/99][URL: sevenpitaly.com/.env][StatusCode: 406][Content-Type: application/octet-stream][Server: openresty][User-Agent: curl/8.4.0][Risk: ** Possible Exploit Attempt **** Error Code **** Binary File/Data Transfer (Attempt) **][Risk Score: 210][Risk Info: URL starting with dot / HTTP Error Code 406 / Found binary mime octet-stream (attempt)][PLAIN TEXT (GET /.env HTTP/1.1)][Plen Bins: 0,0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/emotet.pcap.out b/tests/cfgs/default/result/emotet.pcap.out index 2e7242326..cee7d6833 100644 --- a/tests/cfgs/default/result/emotet.pcap.out +++ b/tests/cfgs/default/result/emotet.pcap.out @@ -34,7 +34,7 @@ JA3 Host Stats: 1 TCP 10.3.29.101:56309 <-> 104.161.127.22:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][21 pkts/1592 bytes <-> 37 pkts/48623 bytes][Goodput ratio: 28/96][0.61 sec][Hostname/SNI: fkl.co.ke][bytes ratio: -0.937 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 26/7 204/204 57/36][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 76/1314 500/1415 95/343][URL: fkl.co.ke/wp-content/Elw3kPvOsZxM5/][StatusCode: 200][Content-Type: text/html][Server: LiteSpeed][User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Edg/99.0.1150.55][PLAIN TEXT (GET /wp)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,2,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,95,0,0,0,0,0] 2 TCP 10.2.25.102:57309 <-> 193.252.22.84:587 [proto: 3/SMTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 19][cat: Email/3][23 pkts/16752 bytes <-> 27 pkts/1853 bytes][Goodput ratio: 93/21][8.35 sec][Hostname/SNI: opmta1mto02nd1][bytes ratio: 0.801 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 276/345 1205/3054 406/694][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 728/69 1514/214 702/33][PLAIN TEXT (220 opmta)][Plen Bins: 31,27,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,34,0,0] - 3 TCP 10.4.25.101:49797 <-> 77.105.36.156:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][5 pkts/452 bytes <-> 10 pkts/10518 bytes][Goodput ratio: 34/95][0.48 sec][Hostname/SNI: filmmogzivota.rs][bytes ratio: -0.918 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 159/37 292/171 121/64][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 90/1052 206/1442 58/553][URL: filmmogzivota.rs/SpryAssets/gDR/][StatusCode: 200][Content-Type: application/x-msdownload][Server: Apache][User-Agent: vBKbaQgjyvRRbcgfvlsc][Filename: TfBXbg6gEAqeHioMEKOtCAAn73.dll][Risk: ** Binary App Transfer **** HTTP Susp User-Agent **** Binary file/data transfer (attempt) **][Risk Score: 300][Risk Info: UA vBKbaQgjyvRRbcgfvlsc / Found mime exe x-msdownload / File download TfBXbg6gEAqeHioMEKOtCAAn73.dll][PLAIN TEXT (GET /SpryAssets/gDR/ HTTP/1.1)][Plen Bins: 0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,66,0,0,0,0] - 4 TCP 10.4.20.102:54319 <-> 107.161.178.210:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Download/7][7 pkts/645 bytes <-> 7 pkts/8714 bytes][Goodput ratio: 35/96][0.38 sec][Hostname/SNI: gandhitoday.org][bytes ratio: -0.862 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 74/54 260/260 100/103][Pkt Len c2s/s2c min/avg/max/stddev: 60/62 92/1245 279/1442 76/483][URL: gandhitoday.org/video/6JvA8/][StatusCode: 200][Content-Type: application/x-msdownload][Server: Apache][User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko][Filename: EGh7x6aKN3ILP.dll][Risk: ** Binary App Transfer **** Binary file/data transfer (attempt) **][Risk Score: 200][Risk Info: Found mime exe x-msdownload / File download EGh7x6aKN3ILP.dll][PLAIN TEXT (GET /video/6J)][Plen Bins: 0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,85,0,0,0,0] + 3 TCP 10.4.25.101:49797 <-> 77.105.36.156:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][5 pkts/452 bytes <-> 10 pkts/10518 bytes][Goodput ratio: 34/95][0.48 sec][Hostname/SNI: filmmogzivota.rs][bytes ratio: -0.918 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 159/37 292/171 121/64][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 90/1052 206/1442 58/553][URL: filmmogzivota.rs/SpryAssets/gDR/][StatusCode: 200][Content-Type: application/x-msdownload][Server: Apache][User-Agent: vBKbaQgjyvRRbcgfvlsc][Filename: TfBXbg6gEAqeHioMEKOtCAAn73.dll][Risk: ** Binary App Transfer **** HTTP Susp User-Agent **** Binary File/Data Transfer (Attempt) **][Risk Score: 300][Risk Info: UA vBKbaQgjyvRRbcgfvlsc / Found mime exe x-msdownload / File download TfBXbg6gEAqeHioMEKOtCAAn73.dll][PLAIN TEXT (GET /SpryAssets/gDR/ HTTP/1.1)][Plen Bins: 0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,66,0,0,0,0] + 4 TCP 10.4.20.102:54319 <-> 107.161.178.210:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Download/7][7 pkts/645 bytes <-> 7 pkts/8714 bytes][Goodput ratio: 35/96][0.38 sec][Hostname/SNI: gandhitoday.org][bytes ratio: -0.862 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 74/54 260/260 100/103][Pkt Len c2s/s2c min/avg/max/stddev: 60/62 92/1245 279/1442 76/483][URL: gandhitoday.org/video/6JvA8/][StatusCode: 200][Content-Type: application/x-msdownload][Server: Apache][User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko][Filename: EGh7x6aKN3ILP.dll][Risk: ** Binary App Transfer **** Binary File/Data Transfer (Attempt) **][Risk Score: 200][Risk Info: Found mime exe x-msdownload / File download EGh7x6aKN3ILP.dll][PLAIN TEXT (GET /video/6J)][Plen Bins: 0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,85,0,0,0,0] 5 TCP 10.4.25.101:49803 <-> 138.197.147.101:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][7 pkts/1130 bytes <-> 8 pkts/6240 bytes][Goodput ratio: 64/93][1.65 sec][bytes ratio: -0.693 (Download)][IAT c2s/s2c min/avg/max/stddev: 14/0 75/231 122/1117 39/400][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 161/780 534/1442 161/663][Risk: ** Self-signed Cert **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Malicious Fingerpint **][Risk Score: 210][Risk Info: 51c64c77e60f3980eea90869b68c58a8 / No ALPN / SNI should always be present / C=GB, ST=London, L=London, O=Global Security, OU=I][TLSv1.2][JA3C: 51c64c77e60f3980eea90869b68c58a8][JA4: t12d190600_d83cc789557e_2dae41c691ec][JA3S: ec74a5c51106f0419184d0dd08fb05bc][Issuer: C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com][Subject: C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com][Certificate SHA-1: 43:A2:39:73:AC:4D:2C:15:7B:D6:4E:32:EA:22:11:B7:97:65:1A:93][Firefox][Validity: 2022-04-21 10:08:46 - 2023-04-21 10:08:46][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,12,0,12,0,0,12,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,51,0,0,0,0] 6 TCP 10.4.25.101:49804 <-> 138.197.147.101:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][10 pkts/1517 bytes <-> 7 pkts/1208 bytes][Goodput ratio: 61/66][48.61 sec][bytes ratio: 0.113 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 5997/806 44782/3012 14692/1274][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 152/173 607/714 179/224][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Malicious Fingerpint **][Risk Score: 110][Risk Info: 51c64c77e60f3980eea90869b68c58a8 / No ALPN / SNI should always be present][TLSv1.2][JA3C: 51c64c77e60f3980eea90869b68c58a8][JA4: t12d190600_d83cc789557e_2dae41c691ec][JA3S: fd4bc6cea4877646ccd62f0792ec0b62][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 16,16,0,16,0,0,0,0,0,0,16,0,0,0,0,0,0,16,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/exe_download.pcap.out b/tests/cfgs/default/result/exe_download.pcap.out index 8154321ea..9bb636914 100644 --- a/tests/cfgs/default/result/exe_download.pcap.out +++ b/tests/cfgs/default/result/exe_download.pcap.out @@ -24,4 +24,4 @@ HTTP 20 14869 1 Acceptable 20 14869 1 - 1 TCP 10.9.25.101:49165 <-> 144.91.69.195:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][8 pkts/597 bytes <-> 12 pkts/14272 bytes][Goodput ratio: 26/95][0.76 sec][Hostname/SNI: 144.91.69.195][bytes ratio: -0.920 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 125/33 319/298 134/89][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 75/1189 207/1514 50/510][URL: 144.91.69.195/solar.php][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx/1.10.3][User-Agent: pwtyyEKzNtGatwnJjmCcBLbOveCVpc][Filename: phn34ycjtghm.exe][Risk: ** Binary App Transfer **** HTTP Susp User-Agent **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Obsolete Server **** Binary file/data transfer (attempt) **][Risk Score: 360][Risk Info: Found host 144.91.69.195 / UA pwtyyEKzNtGatwnJjmCcBLbOveCVpc / Obsolete nginx server 1.10.3 / Found binary mime octet-stream /][PLAIN TEXT (GET /solar.php HTTP/1.1)][Plen Bins: 0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0,54,0,0,18,0,0] + 1 TCP 10.9.25.101:49165 <-> 144.91.69.195:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][8 pkts/597 bytes <-> 12 pkts/14272 bytes][Goodput ratio: 26/95][0.76 sec][Hostname/SNI: 144.91.69.195][bytes ratio: -0.920 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 125/33 319/298 134/89][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 75/1189 207/1514 50/510][URL: 144.91.69.195/solar.php][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx/1.10.3][User-Agent: pwtyyEKzNtGatwnJjmCcBLbOveCVpc][Filename: phn34ycjtghm.exe][Risk: ** Binary App Transfer **** HTTP Susp User-Agent **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Obsolete Server **** Binary File/Data Transfer (Attempt) **][Risk Score: 360][Risk Info: Found host 144.91.69.195 / UA pwtyyEKzNtGatwnJjmCcBLbOveCVpc / Obsolete nginx server 1.10.3 / Found binary mime octet-stream /][PLAIN TEXT (GET /solar.php HTTP/1.1)][Plen Bins: 0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0,54,0,0,18,0,0] diff --git a/tests/cfgs/default/result/gnutella.pcap.out b/tests/cfgs/default/result/gnutella.pcap.out index cd99dc5ca..547062f59 100644 --- a/tests/cfgs/default/result/gnutella.pcap.out +++ b/tests/cfgs/default/result/gnutella.pcap.out @@ -63,7 +63,7 @@ JA3 Host Stats: 7 TCP 10.0.2.15:50330 <-> 69.118.162.229:46906 [proto: 7.35/HTTP.Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][9 pkts/1011 bytes <-> 12 pkts/11017 bytes][Goodput ratio: 51/94][3.38 sec][Hostname/SNI: 69.118.162.229][bytes ratio: -0.832 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 388/240 1119/1115 493/448][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 112/918 567/1514 161/644][URL: 69.118.162.229:46906/gnutella/thex/v1?urn:tree:tiger/:3WMUS6WM2ZC7XIPRQDKXWHHJRV4IKYC4OX4ELCA&depth=9&ed2k=1][StatusCode: 200][Content-Type: application/dime][Server: Shareaza 2.7.10.2][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Risk: ** Known Proto on Non Std Port **** HTTP/TLS/QUIC Numeric Hostname/SNI **** Unsafe Protocol **** Susp Entropy **][Risk Score: 80][Risk Info: Found host 69.118.162.229 / Entropy: 5.691 (Executable?)][PLAIN TEXT (GET /gnutella/thex/v1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0,0,0,0,0,0,55,0,0] 8 TCP 10.0.2.15:50248 <-> 109.214.154.216:6346 [proto: 35/Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 4][cat: Download/7][45 pkts/3196 bytes <-> 54 pkts/8256 bytes][Goodput ratio: 24/65][522.53 sec][bytes ratio: -0.442 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/1 12254/10032 54436/54424 15860/15019][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 71/153 358/1078 50/183][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (GNUTELLA CONNECT/0.6)][Plen Bins: 56,1,12,5,3,1,1,7,3,1,3,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 9 TCP 10.0.2.15:50249 <-> 86.208.180.181:45883 [proto: 35/Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 4][cat: Download/7][43 pkts/3087 bytes <-> 47 pkts/7704 bytes][Goodput ratio: 24/67][522.17 sec][bytes ratio: -0.428 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 11973/13240 47909/55396 14672/15777][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 72/164 357/1119 51/213][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (GNUTELLA CONNECT/0.6)][Plen Bins: 57,0,4,6,4,4,4,2,6,2,2,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 10 TCP 10.0.2.15:50327 <-> 69.118.162.229:46906 [proto: 7.35/HTTP.Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Media/1][5 pkts/815 bytes <-> 7 pkts/5620 bytes][Goodput ratio: 65/93][1.25 sec][Hostname/SNI: 69.118.162.229][bytes ratio: -0.747 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 416/228 1138/1123 513/447][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 163/803 587/1514 212/666][URL: 69.118.162.229:46906/uri-res/N2R?urn:sha1:LXIP2A72T5H3BU3GRUMZFYNU3OYDK6FI][StatusCode: 206][Content-Type: audio/mpeg][Server: Shareaza 2.7.10.2][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Filename: Nickelback%20-%20Hero%20(Spiderman%20soundtrack).mp3][Risk: ** Known Proto on Non Std Port **** HTTP/TLS/QUIC Numeric Hostname/SNI **** Unsafe Protocol **** Susp Entropy **** Binary file/data transfer (attempt) **][Risk Score: 130][Risk Info: Found host 69.118.162.229 / Entropy: 5.630 (Executable?) / File download Nickelback%20-%20Hero%20(Spiderman%20soundtrack).][PLAIN TEXT (GET /uri)][Plen Bins: 0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,51,0,0] + 10 TCP 10.0.2.15:50327 <-> 69.118.162.229:46906 [proto: 7.35/HTTP.Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Media/1][5 pkts/815 bytes <-> 7 pkts/5620 bytes][Goodput ratio: 65/93][1.25 sec][Hostname/SNI: 69.118.162.229][bytes ratio: -0.747 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 416/228 1138/1123 513/447][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 163/803 587/1514 212/666][URL: 69.118.162.229:46906/uri-res/N2R?urn:sha1:LXIP2A72T5H3BU3GRUMZFYNU3OYDK6FI][StatusCode: 206][Content-Type: audio/mpeg][Server: Shareaza 2.7.10.2][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Filename: Nickelback%20-%20Hero%20(Spiderman%20soundtrack).mp3][Risk: ** Known Proto on Non Std Port **** HTTP/TLS/QUIC Numeric Hostname/SNI **** Unsafe Protocol **** Susp Entropy **** Binary File/Data Transfer (Attempt) **][Risk Score: 130][Risk Info: Found host 69.118.162.229 / Entropy: 5.630 (Executable?) / File download Nickelback%20-%20Hero%20(Spiderman%20soundtrack).][PLAIN TEXT (GET /uri)][Plen Bins: 0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,51,0,0] 11 UDP 10.0.2.15:28681 <-> 80.61.221.246:30577 [proto: 35/Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 35/Gnutella, Confidence: DPI][DPI packets: 1][cat: Download/7][9 pkts/1185 bytes <-> 9 pkts/5195 bytes][Goodput ratio: 68/93][197.38 sec][bytes ratio: -0.629 (Download)][IAT c2s/s2c min/avg/max/stddev: 39/35 26439/26440 107210/107216 34356/34358][Pkt Len c2s/s2c min/avg/max/stddev: 70/148 132/577 274/769 53/274][Risk: ** Unsafe Protocol **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (u.GTKG)][Plen Bins: 5,5,33,11,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 12 UDP 10.0.2.15:28681 <-> 193.37.255.130:61616 [proto: 35/Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 35/Gnutella, Confidence: DPI][DPI packets: 1][cat: Download/7][9 pkts/1185 bytes <-> 9 pkts/5176 bytes][Goodput ratio: 68/93][197.67 sec][bytes ratio: -0.627 (Download)][IAT c2s/s2c min/avg/max/stddev: 127/126 26488/26488 107228/107229 34539/34539][Pkt Len c2s/s2c min/avg/max/stddev: 70/129 132/575 274/769 53/277][Risk: ** Unsafe Protocol **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (u.GTKG)][Plen Bins: 5,5,39,5,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,34,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 13 UDP 10.0.2.15:28681 <-> 103.232.107.100:43508 [proto: 35/Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 35/Gnutella, Confidence: DPI][DPI packets: 1][cat: Download/7][9 pkts/1157 bytes <-> 8 pkts/4890 bytes][Goodput ratio: 67/93][230.22 sec][bytes ratio: -0.617 (Download)][IAT c2s/s2c min/avg/max/stddev: 4875/4875 31136/30836 107031/107033 32420/35010][Pkt Len c2s/s2c min/avg/max/stddev: 70/128 129/611 274/769 56/273][Risk: ** Unsafe Protocol **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (u.GTKG)][Plen Bins: 11,0,42,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,36,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] @@ -84,7 +84,7 @@ JA3 Host Stats: 28 UDP 10.0.2.15:28681 <-> 45.31.152.112:26851 [proto: 35/Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 35/Gnutella, Confidence: DPI][DPI packets: 1][cat: Download/7][6 pkts/836 bytes <-> 5 pkts/3224 bytes][Goodput ratio: 70/93][186.46 sec][bytes ratio: -0.588 (Download)][IAT c2s/s2c min/avg/max/stddev: 7100/7142 19000/19000 44374/44331 14989/14962][Pkt Len c2s/s2c min/avg/max/stddev: 70/148 139/645 274/769 63/248][Risk: ** Unsafe Protocol **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (u.GTKG)][Plen Bins: 9,0,36,9,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,36,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 29 UDP 10.0.2.15:28681 <-> 96.65.68.194:35481 [proto: 35/Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 35/Gnutella, Confidence: DPI][DPI packets: 1][cat: Download/7][6 pkts/836 bytes <-> 5 pkts/3224 bytes][Goodput ratio: 70/93][197.61 sec][bytes ratio: -0.588 (Download)][IAT c2s/s2c min/avg/max/stddev: 5017/5014 21044/21044 46304/46310 15712/15715][Pkt Len c2s/s2c min/avg/max/stddev: 70/148 139/645 274/769 63/248][Risk: ** Unsafe Protocol **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (client)][Plen Bins: 9,0,36,9,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,36,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 30 UDP 10.0.2.15:28681 <-> 181.84.178.16:60262 [proto: 35/Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 35/Gnutella, Confidence: DPI][DPI packets: 1][cat: Download/7][5 pkts/766 bytes <-> 5 pkts/3224 bytes][Goodput ratio: 72/93][84.70 sec][bytes ratio: -0.616 (Download)][IAT c2s/s2c min/avg/max/stddev: 5114/5194 21079/21064 46304/46263 15704/15629][Pkt Len c2s/s2c min/avg/max/stddev: 123/148 153/645 274/769 60/248][Risk: ** Unsafe Protocol **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (client)][Plen Bins: 0,0,40,10,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 31 TCP 10.0.2.15:50328 <-> 189.147.72.83:26108 [proto: 7.35/HTTP.Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Media/1][4 pkts/766 bytes <-> 5 pkts/2826 bytes][Goodput ratio: 70/90][1.41 sec][Hostname/SNI: 189.147.72.83][bytes ratio: -0.573 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 470/304 1214/1208 532/522][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 192/565 592/1514 231/558][URL: 189.147.72.83:26108/uri-res/N2R?urn:sha1:LXIP2A72T5H3BU3GRUMZFYNU3OYDK6FI][StatusCode: 206][Content-Type: audio/mpeg][Server: Shareaza 2.7.10.2][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Filename: Nickelback%20-%20Hero%20(Spiderman%20soundtrack).mp3][Risk: ** Known Proto on Non Std Port **** HTTP/TLS/QUIC Numeric Hostname/SNI **** Unsafe Protocol **** Susp Entropy **** Binary file/data transfer (attempt) **][Risk Score: 130][Risk Info: Found host 189.147.72.83 / Entropy: 5.619 (Executable?) / File download Nickelback%20-%20Hero%20(Spiderman%20soundtrack).][PLAIN TEXT (GET /uri)][Plen Bins: 0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0] + 31 TCP 10.0.2.15:50328 <-> 189.147.72.83:26108 [proto: 7.35/HTTP.Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Media/1][4 pkts/766 bytes <-> 5 pkts/2826 bytes][Goodput ratio: 70/90][1.41 sec][Hostname/SNI: 189.147.72.83][bytes ratio: -0.573 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 470/304 1214/1208 532/522][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 192/565 592/1514 231/558][URL: 189.147.72.83:26108/uri-res/N2R?urn:sha1:LXIP2A72T5H3BU3GRUMZFYNU3OYDK6FI][StatusCode: 206][Content-Type: audio/mpeg][Server: Shareaza 2.7.10.2][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Filename: Nickelback%20-%20Hero%20(Spiderman%20soundtrack).mp3][Risk: ** Known Proto on Non Std Port **** HTTP/TLS/QUIC Numeric Hostname/SNI **** Unsafe Protocol **** Susp Entropy **** Binary File/Data Transfer (Attempt) **][Risk Score: 130][Risk Info: Found host 189.147.72.83 / Entropy: 5.619 (Executable?) / File download Nickelback%20-%20Hero%20(Spiderman%20soundtrack).][PLAIN TEXT (GET /uri)][Plen Bins: 0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0] 32 UDP 10.0.2.15:28681 <-> 80.7.252.192:6888 [proto: 35/Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 35/Gnutella, Confidence: DPI][DPI packets: 1][cat: Download/7][6 pkts/844 bytes <-> 5 pkts/2741 bytes][Goodput ratio: 70/92][170.75 sec][bytes ratio: -0.529 (Download)][IAT c2s/s2c min/avg/max/stddev: 1605/1482 42670/42669 111028/111025 42886/42893][Pkt Len c2s/s2c min/avg/max/stddev: 98/148 141/548 274/769 61/274][Risk: ** Unsafe Protocol **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (.LGTKG)][Plen Bins: 0,18,27,9,0,0,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,27,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 33 UDP 10.0.2.15:28681 <-> 94.54.66.82:63637 [proto: 35/Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 35/Gnutella, Confidence: DPI][DPI packets: 1][cat: Download/7][5 pkts/537 bytes <-> 5 pkts/2722 bytes][Goodput ratio: 61/92][192.07 sec][bytes ratio: -0.670 (Download)][IAT c2s/s2c min/avg/max/stddev: 168/360 47931/46734 147616/141167 58240/55279][Pkt Len c2s/s2c min/avg/max/stddev: 70/130 107/544 123/769 21/279][Risk: ** Unsafe Protocol **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (u.GTKG)][Plen Bins: 10,10,40,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,30,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 34 UDP 10.0.2.15:28681 <-> 96.236.205.7:34794 [proto: 35/Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 35/Gnutella, Confidence: DPI][DPI packets: 1][cat: Download/7][5 pkts/537 bytes <-> 5 pkts/2721 bytes][Goodput ratio: 61/92][191.79 sec][bytes ratio: -0.670 (Download)][IAT c2s/s2c min/avg/max/stddev: 123/120 47920/47919 147559/147561 58219/58220][Pkt Len c2s/s2c min/avg/max/stddev: 70/129 107/544 123/769 21/280][Risk: ** Unsafe Protocol **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (u.GTKG)][Plen Bins: 10,10,40,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,30,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/malware.pcap.out b/tests/cfgs/default/result/malware.pcap.out index 413b580c5..c1bc4f42b 100644 --- a/tests/cfgs/default/result/malware.pcap.out +++ b/tests/cfgs/default/result/malware.pcap.out @@ -43,5 +43,5 @@ JA3 Host Stats: 2 TCP 192.168.7.7:35236 <-> 67.215.92.210:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 10][cat: Malware/100][11 pkts/1280 bytes <-> 9 pkts/5860 bytes][Goodput ratio: 53/91][0.64 sec][Hostname/SNI: www.internetbadguys.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.641 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 71/75 240/249 99/103][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 116/651 571/1514 148/644][Risk: ** TLS Cert Mismatch **][Risk Score: 100][Risk Info: www.internetbadguys.com vs api.opendns.com,branded-login.opendns.com,cachecheck.opendns.com,community.opendns.com,dashboard2.o][TLSv1.2][JA3C: b20b44b18b853ef29ab773e921b03422][JA4: t13d1814h2_29a2cd9e9f10_d267a5f792d4][ServerNames: api.opendns.com,branded-login.opendns.com,cachecheck.opendns.com,community.opendns.com,dashboard2.opendns.com,dashboard.opendns.com,dashboard-ipv4.opendns.com,msp-login.opendns.com,api-ipv4.opendns.com,api-ipv6.opendns.com,authz.api.opendns.com,domain.opendns.com,help.vpn.opendns.com,ideabank.opendns.com,login.opendns.com,netgear.opendns.com,reseller-login.opendns.com,images.opendns.com,images-using.opendns.com,store.opendns.com,signup.opendns.com,twilio.opendns.com,updates.opendns.com,shared.opendns.com,tools.opendns.com,cache.opendns.com,api.umbrella.com,branded-login.umbrella.com,cachecheck.umbrella.com,community.umbrella.com,dashboard2.umbrella.com,dashboard.umbrella.com,dashboard-ipv4.umbrella.com,msp-login.umbrella.com,api-ipv4.umbrella.com,api-ipv6.umbrella.com,authz.api.umbrella.com,domain.umbrella.com,help.vpn.umbrella.com,ideabank.umbrella.com,login.umbrella.com,netgear.umbrella.com,reseller-login.umbrella.com,images.umbrella.com,images-using.umbrella.com,store.umbrella.com,signup.umbrella.com,twilio.umbrella.com,updates.umbrella.com,shared.umbrella.com,tools.umbrella.com,cache.umbrella.com][JA3S: 0c0aff9ccea5e7e1de5c3a0069d103f3][Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA][Subject: C=US, ST=California, L=San Francisco, O=OpenDNS, Inc., CN=api.opendns.com][Certificate SHA-1: 21:B4:CF:84:13:3A:21:A4:B0:02:63:76:39:84:EA:ED:27:EE:51:7C][Firefox][Validity: 2018-04-26 00:00:00 - 2020-07-29 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 12,0,0,12,0,0,0,0,12,0,0,0,0,0,0,0,12,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,38,0,0] 3 TCP 192.168.7.7:48394 <-> 67.215.92.210:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 7/HTTP, Confidence: DPI][DPI packets: 2][cat: Malware/100][1 pkts/383 bytes <-> 1 pkts/98 bytes][Goodput ratio: 86/44][0.21 sec][Hostname/SNI: www.internetbadguys.com][URL: www.internetbadguys.com/][User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0][PLAIN TEXT (GET / HTTP/1.1)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 UDP 192.168.7.7:42370 <-> 1.1.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/106 bytes <-> 1 pkts/110 bytes][Goodput ratio: 60/61][0.02 sec][Hostname/SNI: www.internetbadguys.com][67.215.92.210][PLAIN TEXT (internetbadguys)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 5 ICMP 192.168.7.7:0 -> 144.139.247.220:0 [proto: 81/ICMP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 81/ICMP, Confidence: DPI][DPI packets: 1][cat: Malware/100][1 pkts/98 bytes -> 0 pkts/0 bytes][Goodput ratio: 57/0][< 1 sec][Risk: ** Susp Entropy **** Unidirectional Traffic **** Client contacted a malware host **][Risk Score: 170][Risk Info: No server to client traffic / Entropy: 5.298 (Executable?) / Client contacted malware host][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 6 TCP 192.168.7.7:33706 -> 144.139.247.220:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][cat: Malware/100][1 pkts/66 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **** Client contacted a malware host **][Risk Score: 160][Risk Info: No server to client traffic / Client contacted malware host][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 ICMP 192.168.7.7:0 -> 144.139.247.220:0 [proto: 81/ICMP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 81/ICMP, Confidence: DPI][DPI packets: 1][cat: Malware/100][1 pkts/98 bytes -> 0 pkts/0 bytes][Goodput ratio: 57/0][< 1 sec][Risk: ** Susp Entropy **** Unidirectional Traffic **** Client Contacted A Malware Host **][Risk Score: 170][Risk Info: No server to client traffic / Entropy: 5.298 (Executable?) / Client contacted malware host][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 TCP 192.168.7.7:33706 -> 144.139.247.220:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][cat: Malware/100][1 pkts/66 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **** Client Contacted A Malware Host **][Risk Score: 160][Risk Info: No server to client traffic / Client contacted malware host][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/mongo_false_positive.pcapng.out b/tests/cfgs/default/result/mongo_false_positive.pcapng.out index 080e87ce5..c03aa5668 100644 --- a/tests/cfgs/default/result/mongo_false_positive.pcapng.out +++ b/tests/cfgs/default/result/mongo_false_positive.pcapng.out @@ -26,4 +26,4 @@ TLS 26 12163 1 Safe 26 12163 1 - 1 TCP 188.75.184.20:49542 <-> 251.182.120.32:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 14][cat: Web/5][13 pkts/9962 bytes <-> 13 pkts/2201 bytes][Goodput ratio: 93/67][84.45 sec][bytes ratio: 0.638 (Upload)][IAT c2s/s2c min/avg/max/stddev: 186/186 7406/5844 21467/15787 7157/5701][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 766/169 1328/189 433/46][Risk: ** Fully encrypted flow **][Risk Score: 50][Plen Bins: 0,0,0,0,51,0,0,0,0,9,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,9,9,0,0,0,4,0,0,4,0,4,0,0,0,0,0,0,0,0] + 1 TCP 188.75.184.20:49542 <-> 251.182.120.32:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 14][cat: Web/5][13 pkts/9962 bytes <-> 13 pkts/2201 bytes][Goodput ratio: 93/67][84.45 sec][bytes ratio: 0.638 (Upload)][IAT c2s/s2c min/avg/max/stddev: 186/186 7406/5844 21467/15787 7157/5701][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 766/169 1328/189 433/46][Risk: ** Fully Encrypted Flow **][Risk Score: 50][Plen Bins: 0,0,0,0,51,0,0,0,0,9,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,9,9,0,0,0,4,0,0,4,0,4,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/netflix.pcap.out b/tests/cfgs/default/result/netflix.pcap.out index c4dbff617..3b392b8e0 100644 --- a/tests/cfgs/default/result/netflix.pcap.out +++ b/tests/cfgs/default/result/netflix.pcap.out @@ -41,29 +41,29 @@ JA3 Host Stats: 1 192.168.1.7 4 - 1 TCP 192.168.1.7:53171 <-> 23.246.3.140:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][21 pkts/1868 bytes <-> 34 pkts/45139 bytes][Goodput ratio: 19/95][2.09 sec][Hostname/SNI: 23.246.3.140][bytes ratio: -0.921 (Download)][IAT c2s/s2c min/avg/max/stddev: 5/2 70/47 708/633 171/121][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 89/1328 420/1514 75/457][URL: 23.246.3.140/range/0-65535?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=-8u4vlcPuFqcOLnLyb9DDtK-bB4&random=357509657][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary file/data transfer (attempt) **][Risk Score: 60][Risk Info: Found host 23.246.3.140 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,90,0,0] + 1 TCP 192.168.1.7:53171 <-> 23.246.3.140:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][21 pkts/1868 bytes <-> 34 pkts/45139 bytes][Goodput ratio: 19/95][2.09 sec][Hostname/SNI: 23.246.3.140][bytes ratio: -0.921 (Download)][IAT c2s/s2c min/avg/max/stddev: 5/2 70/47 708/633 171/121][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 89/1328 420/1514 75/457][URL: 23.246.3.140/range/0-65535?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=-8u4vlcPuFqcOLnLyb9DDtK-bB4&random=357509657][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary File/Data Transfer (Attempt) **][Risk Score: 60][Risk Info: Found host 23.246.3.140 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,90,0,0] 2 TCP 192.168.1.7:53148 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: DNS][DPI packets: 6][cat: Video/26][31 pkts/2893 bytes <-> 32 pkts/44112 bytes][Goodput ratio: 17/95][42.46 sec][Hostname/SNI: art-2.nflximg.net][bytes ratio: -0.877 (Download)][IAT c2s/s2c min/avg/max/stddev: 11/0 425/43 3643/161 850/35][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 93/1378 312/1514 59/421][URL: art-2.nflximg.net/af7a5/362643424e775d0393ddb46e145c2375367af7a5.webp][StatusCode: 200][Content-Type: image/webp][Server: AmazonS3][User-Agent: Argo/9.1.0 (iPhone; iOS 10.2; Scale/2.00)][PLAIN TEXT (GET /af)][Plen Bins: 0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,93,0,0] - 3 TCP 192.168.1.7:53163 <-> 23.246.11.145:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][21 pkts/1826 bytes <-> 32 pkts/43179 bytes][Goodput ratio: 19/95][1.58 sec][Hostname/SNI: 23.246.11.145][bytes ratio: -0.919 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/4 53/52 354/582 87/111][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 87/1349 422/1514 75/443][URL: 23.246.11.145/range/0-65535?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=5xfYVtna3GdYXL71uNs6DZ-X84Y&random=39307082][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary file/data transfer (attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.145 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,93,0,0] + 3 TCP 192.168.1.7:53163 <-> 23.246.11.145:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][21 pkts/1826 bytes <-> 32 pkts/43179 bytes][Goodput ratio: 19/95][1.58 sec][Hostname/SNI: 23.246.11.145][bytes ratio: -0.919 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/4 53/52 354/582 87/111][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 87/1349 422/1514 75/443][URL: 23.246.11.145/range/0-65535?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=5xfYVtna3GdYXL71uNs6DZ-X84Y&random=39307082][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary File/Data Transfer (Attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.145 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,93,0,0] 4 TCP 192.168.1.7:53133 <-> 52.89.39.139:443 [proto: 91.133/TLS.NetFlix][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 133/NetFlix, Confidence: DNS][DPI packets: 7][cat: Video/26][30 pkts/6328 bytes <-> 39 pkts/37610 bytes][Goodput ratio: 69/93][38.50 sec][Hostname/SNI: api-global.netflix.com][bytes ratio: -0.712 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1640/1232 30390/30443 6288/5475][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 211/964 1514/1514 376/637][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 7e72698146290dd68239f788a452e7d8][JA4: t12d190700_b5dc49c6fcca_3304d8368043][ServerNames: api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Firefox][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 5,5,5,0,2,2,5,0,0,0,0,0,0,0,2,2,0,0,0,2,0,2,0,0,0,0,0,0,0,2,5,0,0,0,0,0,0,0,0,0,0,0,2,0,0,57,0,0] 5 TCP 192.168.1.7:53252 <-> 184.25.204.10:80 [proto: 7.133/HTTP.NetFlix][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Video/26][12 pkts/1221 bytes <-> 29 pkts/41018 bytes][Goodput ratio: 20/95][1.39 sec][Hostname/SNI: art-1.nflximg.net][bytes ratio: -0.942 (Download)][IAT c2s/s2c min/avg/max/stddev: 11/0 28/35 45/81 10/18][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 102/1414 311/1514 64/366][URL: art-1.nflximg.net/8b1fa/eaa1b78cd72ca4dbdcab527691d2fcab37c8b1fa.jpg][StatusCode: 200][Content-Type: image/jpeg][Server: AmazonS3][User-Agent: Argo/9.1.0 (iPhone; iOS 10.2; Scale/2.00)][PLAIN TEXT (GET /8b)][Plen Bins: 0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,96,0,0] - 6 TCP 192.168.1.7:53179 <-> 23.246.11.141:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][31 pkts/2596 bytes <-> 29 pkts/37544 bytes][Goodput ratio: 14/95][7.33 sec][Hostname/SNI: 23.246.11.141][bytes ratio: -0.871 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 267/77 1392/465 372/115][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 84/1295 424/1514 63/489][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJJiXLBugGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpPflHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=JqTg0NiANIn4-aRwn3uKtWdoQ7M&random=114897][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary file/data transfer (attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.141 / Found binary mime octet-stream][PLAIN TEXT (czGET /range/0)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,89,0,0] + 6 TCP 192.168.1.7:53179 <-> 23.246.11.141:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][31 pkts/2596 bytes <-> 29 pkts/37544 bytes][Goodput ratio: 14/95][7.33 sec][Hostname/SNI: 23.246.11.141][bytes ratio: -0.871 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 267/77 1392/465 372/115][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 84/1295 424/1514 63/489][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJJiXLBugGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpPflHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=JqTg0NiANIn4-aRwn3uKtWdoQ7M&random=114897][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary File/Data Transfer (Attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.141 / Found binary mime octet-stream][PLAIN TEXT (czGET /range/0)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,89,0,0] 7 TCP 192.168.1.7:53251 <-> 184.25.204.10:80 [proto: 7.133/HTTP.NetFlix][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Video/26][16 pkts/1558 bytes <-> 25 pkts/33413 bytes][Goodput ratio: 31/95][2.07 sec][Hostname/SNI: art-1.nflximg.net][bytes ratio: -0.911 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 166/94 1389/1416 394/300][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 97/1337 311/1514 81/428][URL: art-1.nflximg.net/4e36d/6289889020d6cc6dfb3038c35564a41e1ca4e36d.jpg][StatusCode: 200][Content-Type: image/jpeg][Server: AmazonS3][User-Agent: Argo/9.1.0 (iPhone; iOS 10.2; Scale/2.00)][PLAIN TEXT (GET /4e)][Plen Bins: 0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,84,0,0] 8 TCP 192.168.1.7:53151 <-> 54.201.191.132:80 [proto: 7.133/HTTP.NetFlix][IP: 265/AmazonAWS][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: DNS][DPI packets: 10][cat: Video/26][15 pkts/3626 bytes <-> 26 pkts/29544 bytes][Goodput ratio: 72/94][31.31 sec][Hostname/SNI: appboot.netflix.com][bytes ratio: -0.781 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3092/21 30728/135 9212/28][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 242/1136 1514/1514 405/584][URL: appboot.netflix.com/appboot/NFAPPL-02-][StatusCode: 200][Req Content-Type: application/x-www-form-urlencoded][Content-Type: application/x-msl+json][Server: appboot-:7001 i-0b273b4c40f4e78a3][User-Agent: Argo/900 CFNetwork/808.2.16 Darwin/16.3.0][PLAIN TEXT (POST /appboot/NFAPPL)][Plen Bins: 0,0,0,0,0,0,0,0,0,4,4,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,4,0,0,0,4,0,0,0,0,0,0,0,4,0,0,0,0,0,0,75,0,0] - 9 TCP 192.168.1.7:53182 <-> 23.246.11.141:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][33 pkts/2732 bytes <-> 25 pkts/30064 bytes][Goodput ratio: 13/94][7.16 sec][Hostname/SNI: 23.246.11.141][bytes ratio: -0.833 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 254/199 1162/1131 295/282][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 83/1203 424/1514 61/564][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJZ2VKhqgGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzTho_flHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=LQ7LyXSnZaXKEHAHaRRHk-S7dKE&random=420981][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary file/data transfer (attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.141 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 4,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,83,0,0] - 10 TCP 192.168.1.7:53173 <-> 23.246.11.133:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][24 pkts/2041 bytes <-> 25 pkts/30064 bytes][Goodput ratio: 17/94][5.93 sec][Hostname/SNI: 23.246.11.133][bytes ratio: -0.873 (Download)][IAT c2s/s2c min/avg/max/stddev: 4/4 245/165 985/775 248/180][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 85/1203 423/1514 71/564][URL: 23.246.11.133/range/0-65535?o=AQEfKq2oMrLRiWL1ouVaJZ2bLBChGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_ngHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=SixKQmLLJNvShj-pfML-2h4QaqQ&random=727666][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary file/data transfer (attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.133 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 4,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,83,0,0] - 11 TCP 192.168.1.7:53175 <-> 23.246.11.141:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][31 pkts/2571 bytes <-> 22 pkts/28042 bytes][Goodput ratio: 14/95][7.15 sec][Hostname/SNI: 23.246.11.141][bytes ratio: -0.832 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/4 265/326 1355/1382 337/387][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 83/1275 423/1514 62/517][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJJ2TLhuiGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpP7lHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=Dh278u2UpApOCGUj5RxV8azNWX8&random=323765][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary file/data transfer (attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.141 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,90,0,0] + 9 TCP 192.168.1.7:53182 <-> 23.246.11.141:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][33 pkts/2732 bytes <-> 25 pkts/30064 bytes][Goodput ratio: 13/94][7.16 sec][Hostname/SNI: 23.246.11.141][bytes ratio: -0.833 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 254/199 1162/1131 295/282][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 83/1203 424/1514 61/564][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJZ2VKhqgGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzTho_flHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=LQ7LyXSnZaXKEHAHaRRHk-S7dKE&random=420981][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary File/Data Transfer (Attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.141 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 4,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,83,0,0] + 10 TCP 192.168.1.7:53173 <-> 23.246.11.133:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][24 pkts/2041 bytes <-> 25 pkts/30064 bytes][Goodput ratio: 17/94][5.93 sec][Hostname/SNI: 23.246.11.133][bytes ratio: -0.873 (Download)][IAT c2s/s2c min/avg/max/stddev: 4/4 245/165 985/775 248/180][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 85/1203 423/1514 71/564][URL: 23.246.11.133/range/0-65535?o=AQEfKq2oMrLRiWL1ouVaJZ2bLBChGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_ngHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=SixKQmLLJNvShj-pfML-2h4QaqQ&random=727666][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary File/Data Transfer (Attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.133 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 4,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,83,0,0] + 11 TCP 192.168.1.7:53175 <-> 23.246.11.141:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][31 pkts/2571 bytes <-> 22 pkts/28042 bytes][Goodput ratio: 14/95][7.15 sec][Hostname/SNI: 23.246.11.141][bytes ratio: -0.832 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/4 265/326 1355/1382 337/387][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 83/1275 423/1514 62/517][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJJ2TLhuiGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpP7lHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=Dh278u2UpApOCGUj5RxV8azNWX8&random=323765][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary File/Data Transfer (Attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.141 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,90,0,0] 12 TCP 192.168.1.7:53239 <-> 52.41.30.5:443 [proto: 91.133/TLS.NetFlix][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 133/NetFlix, Confidence: DNS][DPI packets: 7][cat: Video/26][22 pkts/6384 bytes <-> 26 pkts/23277 bytes][Goodput ratio: 77/93][1.73 sec][Hostname/SNI: api-global.netflix.com][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][bytes ratio: -0.570 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 48/42 437/291 101/61][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 290/895 1514/1514 442/626][TLSv1.2][JA3C: d8bfad189bd26664e04570c104ee8418][JA4: t12d1910h2_b5dc49c6fcca_f44caba5725b][ServerNames: api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Firefox][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 3,10,3,0,0,0,3,0,0,0,0,0,3,6,0,0,3,0,0,3,0,3,0,3,0,0,0,0,0,0,3,0,3,0,0,0,0,0,0,0,0,0,0,3,0,47,0,0] - 13 TCP 192.168.1.7:53177 <-> 23.246.11.141:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][32 pkts/2572 bytes <-> 23 pkts/26661 bytes][Goodput ratio: 14/94][7.05 sec][Hostname/SNI: 23.246.11.141][bytes ratio: -0.824 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 248/271 635/1046 213/317][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 80/1159 426/1514 62/603][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQIpyTIBGjGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_biCFrUjHWqh5ipQCtzf4OVWQ&v=3&e=1484347850&t=8Z78vL2i9OzihCA3M1LinMYcMY4&random=2386][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary file/data transfer (attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.141 / Found binary mime octet-stream][PLAIN TEXT (fGET /range/0)][Plen Bins: 0,5,0,0,0,0,0,0,0,0,0,5,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,80,0,0] - 14 TCP 192.168.1.7:53176 <-> 23.246.11.141:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][36 pkts/3030 bytes <-> 21 pkts/25455 bytes][Goodput ratio: 12/95][8.05 sec][Hostname/SNI: 23.246.11.141][bytes ratio: -0.787 (Download)][IAT c2s/s2c min/avg/max/stddev: 5/4 258/237 1250/1203 331/381][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 84/1212 424/1514 58/551][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJJqTIRqhGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_vlHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=TnP59JB1wb5UTOCr0m-KQU2kGPo&random=413473][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary file/data transfer (attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.141 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,84,0,0] - 15 TCP 192.168.1.7:53180 <-> 23.246.11.141:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][34 pkts/2864 bytes <-> 21 pkts/25456 bytes][Goodput ratio: 13/95][5.76 sec][Hostname/SNI: 23.246.11.141][bytes ratio: -0.798 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 168/223 1162/1317 246/337][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 84/1212 426/1514 60/551][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJ5yTLBCkGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_3mCFrUjHWqh5ipQCtzf4OVWQ&v=3&e=1484347850&t=r5jtnnEcR8hDCkPImfEiWqWAjKk&random=1846][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary file/data transfer (attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.141 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,84,0,0] - 16 TCP 192.168.1.7:53178 <-> 23.246.11.141:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][30 pkts/2553 bytes <-> 22 pkts/25510 bytes][Goodput ratio: 14/94][7.56 sec][Hostname/SNI: 23.246.11.141][bytes ratio: -0.818 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/4 298/146 1317/530 354/131][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 85/1160 423/1514 63/590][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJJmULRajGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpfblHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=zezrDJDQvgO2TiYC1dT3imH4QC8&random=169467][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary file/data transfer (attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.141 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,84,0,0] + 13 TCP 192.168.1.7:53177 <-> 23.246.11.141:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][32 pkts/2572 bytes <-> 23 pkts/26661 bytes][Goodput ratio: 14/94][7.05 sec][Hostname/SNI: 23.246.11.141][bytes ratio: -0.824 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 248/271 635/1046 213/317][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 80/1159 426/1514 62/603][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQIpyTIBGjGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_biCFrUjHWqh5ipQCtzf4OVWQ&v=3&e=1484347850&t=8Z78vL2i9OzihCA3M1LinMYcMY4&random=2386][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary File/Data Transfer (Attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.141 / Found binary mime octet-stream][PLAIN TEXT (fGET /range/0)][Plen Bins: 0,5,0,0,0,0,0,0,0,0,0,5,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,80,0,0] + 14 TCP 192.168.1.7:53176 <-> 23.246.11.141:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][36 pkts/3030 bytes <-> 21 pkts/25455 bytes][Goodput ratio: 12/95][8.05 sec][Hostname/SNI: 23.246.11.141][bytes ratio: -0.787 (Download)][IAT c2s/s2c min/avg/max/stddev: 5/4 258/237 1250/1203 331/381][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 84/1212 424/1514 58/551][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJJqTIRqhGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_vlHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=TnP59JB1wb5UTOCr0m-KQU2kGPo&random=413473][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary File/Data Transfer (Attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.141 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,84,0,0] + 15 TCP 192.168.1.7:53180 <-> 23.246.11.141:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][34 pkts/2864 bytes <-> 21 pkts/25456 bytes][Goodput ratio: 13/95][5.76 sec][Hostname/SNI: 23.246.11.141][bytes ratio: -0.798 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 168/223 1162/1317 246/337][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 84/1212 426/1514 60/551][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJ5yTLBCkGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_3mCFrUjHWqh5ipQCtzf4OVWQ&v=3&e=1484347850&t=r5jtnnEcR8hDCkPImfEiWqWAjKk&random=1846][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary File/Data Transfer (Attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.141 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,84,0,0] + 16 TCP 192.168.1.7:53178 <-> 23.246.11.141:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][30 pkts/2553 bytes <-> 22 pkts/25510 bytes][Goodput ratio: 14/94][7.56 sec][Hostname/SNI: 23.246.11.141][bytes ratio: -0.818 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/4 298/146 1317/530 354/131][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 85/1160 423/1514 63/590][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJJmULRajGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpfblHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=zezrDJDQvgO2TiYC1dT3imH4QC8&random=169467][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary File/Data Transfer (Attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.141 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,84,0,0] 17 TCP 192.168.1.7:53203 <-> 52.37.36.252:443 [proto: 91.133/TLS.NetFlix][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 133/NetFlix, Confidence: DNS][DPI packets: 7][cat: Video/26][28 pkts/22704 bytes <-> 17 pkts/5248 bytes][Goodput ratio: 92/78][32.21 sec][Hostname/SNI: ichnaea.netflix.com][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][bytes ratio: 0.624 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 48/84 332/331 94/95][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 811/309 1514/1514 700/493][TLSv1.2][JA3C: c07cb55f88702033a8f52c046d23e0b2][JA4: t12d1909h2_b5dc49c6fcca_2cdefc264be7][ServerNames: ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com][Certificate SHA-1: 50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F][Firefox][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 8,8,4,0,0,4,0,4,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,60,0,0] 18 TCP 192.168.1.7:53249 <-> 52.41.30.5:443 [proto: 91.133/TLS.NetFlix][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 133/NetFlix, Confidence: DNS][DPI packets: 6][cat: Video/26][25 pkts/5934 bytes <-> 27 pkts/19952 bytes][Goodput ratio: 72/91][0.86 sec][Hostname/SNI: api-global.netflix.com][bytes ratio: -0.542 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 31/33 266/316 64/70][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 237/739 1514/1514 407/542][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 7e72698146290dd68239f788a452e7d8][JA4: t12d190700_b5dc49c6fcca_3304d8368043][JA3S: 303951d4c50efb2e991652225a6f02b1][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 3,3,0,0,3,3,3,0,0,0,0,3,0,3,3,7,0,0,7,7,3,3,0,3,0,0,0,0,0,3,0,0,0,0,0,0,0,0,3,0,0,3,0,0,0,30,0,0] - 19 TCP 192.168.1.7:53174 <-> 23.246.11.141:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][35 pkts/2920 bytes <-> 19 pkts/22428 bytes][Goodput ratio: 12/94][7.38 sec][Hostname/SNI: 23.246.11.141][bytes ratio: -0.770 (Download)][IAT c2s/s2c min/avg/max/stddev: 5/0 222/250 636/1132 227/337][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 83/1180 424/1514 59/570][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJpmQIRekGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThrvnlHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=mQfOf90-RY2Gd2ii20KJpCcYQVk&random=134564][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary file/data transfer (attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.141 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,83,0,0] - 20 TCP 192.168.1.7:53181 <-> 23.246.11.141:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][34 pkts/2879 bytes <-> 20 pkts/22373 bytes][Goodput ratio: 12/94][8.26 sec][Hostname/SNI: 23.246.11.141][bytes ratio: -0.772 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 238/289 1152/1208 301/406][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 85/1119 425/1514 60/614][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQLJ2TIBepGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpPbiCFrUjHWqh5ipQCtzf4OVWQ&v=3&e=1484347850&t=tTXu3c6FnJtfi6z0IJp3hw8eDv8&random=1294][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary file/data transfer (attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.141 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 0,0,0,0,0,0,0,0,5,0,0,5,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,84,0,0] - 21 TCP 192.168.1.7:53217 <-> 23.246.11.141:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][12 pkts/1831 bytes <-> 18 pkts/23224 bytes][Goodput ratio: 56/95][0.40 sec][Hostname/SNI: 23.246.11.141][bytes ratio: -0.854 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 13/22 30/71 10/19][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 153/1290 584/1514 191/435][URL: 23.246.11.141/?o=AQEfKq2oMrLRiWL2puNQJJ2TLhuiGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpP7lHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=Dh278u2UpApOCGUj5RxV8azNWX8][StatusCode: 206][Content-Type: application/octet-stream][Server: nginx][User-Agent: AppleCoreMedia/1.0.0.14C92 (iPhone; U; CPU OS 10_2 like Mac OS X; en_us)][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary file/data transfer (attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.141 / Found binary mime octet-stream][PLAIN TEXT (oMrLRiWL2)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,5,5,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,74,0,0] - 22 TCP 192.168.1.7:53172 <-> 23.246.11.133:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][30 pkts/2610 bytes <-> 20 pkts/22422 bytes][Goodput ratio: 14/94][7.09 sec][Hostname/SNI: 23.246.11.133][bytes ratio: -0.791 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 255/290 811/1178 267/325][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 87/1121 424/1514 63/611][URL: 23.246.11.133/range/0-65535?o=AQEfKq2oMrLRiWL1ouVaJpeQLBWjGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_7lHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=JfEef80K02ynIjLLoi-HZB1uQ10&random=247333][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary file/data transfer (attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.133 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 0,0,0,0,0,0,0,0,0,5,0,5,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,84,0,0] - 23 TCP 192.168.1.7:53183 <-> 23.246.3.140:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][17 pkts/2227 bytes <-> 16 pkts/20481 bytes][Goodput ratio: 46/95][2.05 sec][Hostname/SNI: 23.246.3.140][bytes ratio: -0.804 (Download)][IAT c2s/s2c min/avg/max/stddev: 6/5 143/82 730/279 218/83][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 131/1280 578/1514 162/436][URL: 23.246.3.140/?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=-8u4vlcPuFqcOLnLyb9DDtK-bB4][StatusCode: 206][Content-Type: application/octet-stream][Server: nginx][User-Agent: AppleCoreMedia/1.0.0.14C92 (iPhone; U; CPU OS 10_2 like Mac OS X; en_us)][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary file/data transfer (attempt) **][Risk Score: 60][Risk Info: Found host 23.246.3.140 / Found binary mime octet-stream][PLAIN TEXT (oMrLRiWL)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,5,5,5,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,73,0,0] + 19 TCP 192.168.1.7:53174 <-> 23.246.11.141:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][35 pkts/2920 bytes <-> 19 pkts/22428 bytes][Goodput ratio: 12/94][7.38 sec][Hostname/SNI: 23.246.11.141][bytes ratio: -0.770 (Download)][IAT c2s/s2c min/avg/max/stddev: 5/0 222/250 636/1132 227/337][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 83/1180 424/1514 59/570][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJpmQIRekGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThrvnlHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=mQfOf90-RY2Gd2ii20KJpCcYQVk&random=134564][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary File/Data Transfer (Attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.141 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,83,0,0] + 20 TCP 192.168.1.7:53181 <-> 23.246.11.141:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][34 pkts/2879 bytes <-> 20 pkts/22373 bytes][Goodput ratio: 12/94][8.26 sec][Hostname/SNI: 23.246.11.141][bytes ratio: -0.772 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 238/289 1152/1208 301/406][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 85/1119 425/1514 60/614][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQLJ2TIBepGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpPbiCFrUjHWqh5ipQCtzf4OVWQ&v=3&e=1484347850&t=tTXu3c6FnJtfi6z0IJp3hw8eDv8&random=1294][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary File/Data Transfer (Attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.141 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 0,0,0,0,0,0,0,0,5,0,0,5,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,84,0,0] + 21 TCP 192.168.1.7:53217 <-> 23.246.11.141:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][12 pkts/1831 bytes <-> 18 pkts/23224 bytes][Goodput ratio: 56/95][0.40 sec][Hostname/SNI: 23.246.11.141][bytes ratio: -0.854 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 13/22 30/71 10/19][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 153/1290 584/1514 191/435][URL: 23.246.11.141/?o=AQEfKq2oMrLRiWL2puNQJJ2TLhuiGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpP7lHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=Dh278u2UpApOCGUj5RxV8azNWX8][StatusCode: 206][Content-Type: application/octet-stream][Server: nginx][User-Agent: AppleCoreMedia/1.0.0.14C92 (iPhone; U; CPU OS 10_2 like Mac OS X; en_us)][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary File/Data Transfer (Attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.141 / Found binary mime octet-stream][PLAIN TEXT (oMrLRiWL2)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,5,5,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,74,0,0] + 22 TCP 192.168.1.7:53172 <-> 23.246.11.133:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][30 pkts/2610 bytes <-> 20 pkts/22422 bytes][Goodput ratio: 14/94][7.09 sec][Hostname/SNI: 23.246.11.133][bytes ratio: -0.791 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 255/290 811/1178 267/325][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 87/1121 424/1514 63/611][URL: 23.246.11.133/range/0-65535?o=AQEfKq2oMrLRiWL1ouVaJpeQLBWjGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_7lHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=JfEef80K02ynIjLLoi-HZB1uQ10&random=247333][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary File/Data Transfer (Attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.133 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 0,0,0,0,0,0,0,0,0,5,0,5,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,84,0,0] + 23 TCP 192.168.1.7:53183 <-> 23.246.3.140:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][17 pkts/2227 bytes <-> 16 pkts/20481 bytes][Goodput ratio: 46/95][2.05 sec][Hostname/SNI: 23.246.3.140][bytes ratio: -0.804 (Download)][IAT c2s/s2c min/avg/max/stddev: 6/5 143/82 730/279 218/83][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 131/1280 578/1514 162/436][URL: 23.246.3.140/?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=-8u4vlcPuFqcOLnLyb9DDtK-bB4][StatusCode: 206][Content-Type: application/octet-stream][Server: nginx][User-Agent: AppleCoreMedia/1.0.0.14C92 (iPhone; U; CPU OS 10_2 like Mac OS X; en_us)][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary File/Data Transfer (Attempt) **][Risk Score: 60][Risk Info: Found host 23.246.3.140 / Found binary mime octet-stream][PLAIN TEXT (oMrLRiWL)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,5,5,5,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,73,0,0] 24 TCP 192.168.1.7:53202 <-> 54.191.17.51:443 [proto: 91.133/TLS.NetFlix][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 133/NetFlix, Confidence: DNS][DPI packets: 7][cat: Video/26][22 pkts/10686 bytes <-> 16 pkts/7850 bytes][Goodput ratio: 86/86][0.92 sec][Hostname/SNI: ios.nccp.netflix.com][bytes ratio: 0.153 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 46/54 282/127 72/35][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 486/491 1514/1514 603/610][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][JA4: t12d910600_383454ac02f4_8587f467d9ea][ServerNames: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos][Subject: CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Firefox][Validity: 2001-01-17 20:32:09 - 2018-03-24 20:32:09][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 10,15,0,5,0,0,0,0,0,0,5,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,5,0,0,0,5,0,0,0,0,0,0,5,37,0,0] 25 TCP 192.168.1.7:53153 <-> 184.25.204.24:80 [proto: 7.133/HTTP.NetFlix][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Video/26][6 pkts/636 bytes <-> 13 pkts/16794 bytes][Goodput ratio: 34/95][0.87 sec][Hostname/SNI: tp.akam.nflximg.com][bytes ratio: -0.927 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/27 41/71 80/192 29/49][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 106/1292 282/1514 79/521][URL: tp.akam.nflximg.com/tpa3/616/2041779616.bif][StatusCode: 200][Content-Type: text/plain][Server: Apache][User-Agent: Argo/900 CFNetwork/808.2.16 Darwin/16.3.0][Risk: ** HTTP Susp Content **][Risk Score: 100][Risk Info: Susp content 89424946][PLAIN TEXT (GET /tpa3/616/2041779616.bif HT)][Plen Bins: 0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,91,0,0] 26 TCP 192.168.1.7:53152 <-> 52.89.39.139:80 [proto: 7.133/HTTP.NetFlix][IP: 265/AmazonAWS][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: DNS][DPI packets: 12][cat: Video/26][14 pkts/10001 bytes <-> 13 pkts/6504 bytes][Goodput ratio: 91/87][31.72 sec][Hostname/SNI: api-global.netflix.com][bytes ratio: 0.212 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/5 2877/42 31088/123 8921/33][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 714/500 1514/1514 676/651][URL: api-global.netflix.com/msl/nrdjs/2.1.2][Req Content-Type: application/x-www-form-urlencoded][User-Agent: Argo/900 CFNetwork/808.2.16 Darwin/16.3.0][PLAIN TEXT (POST /msl/nrdjs/2.1.2 HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,9,0,0,0,0,72,0,0] @@ -72,9 +72,9 @@ JA3 Host Stats: 29 TCP 192.168.1.7:53150 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: DNS][DPI packets: 6][cat: Video/26][10 pkts/941 bytes <-> 11 pkts/12318 bytes][Goodput ratio: 26/94][32.06 sec][Hostname/SNI: art-2.nflximg.net][bytes ratio: -0.858 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 4565/34 30963/63 10780/17][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 94/1120 311/1514 72/644][URL: art-2.nflximg.net/87b33/bed1223a0040fdc97bac4e906332e462c6e87b33.jpg][StatusCode: 200][Content-Type: image/jpeg][Server: AmazonS3][User-Agent: Argo/9.1.0 (iPhone; iOS 10.2; Scale/2.00)][PLAIN TEXT (GET /87)][Plen Bins: 0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,88,0,0] 30 TCP 192.168.1.7:53149 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: DNS][DPI packets: 6][cat: Video/26][6 pkts/653 bytes <-> 10 pkts/12252 bytes][Goodput ratio: 37/95][0.33 sec][Hostname/SNI: art-2.nflximg.net][bytes ratio: -0.899 (Download)][IAT c2s/s2c min/avg/max/stddev: 6/13 43/34 101/70 35/18][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 109/1225 311/1514 91/578][URL: art-2.nflximg.net/5758c/bb636e44b87ef854c331ed7b7b6e157e4945758c.jpg][StatusCode: 200][Content-Type: image/jpeg][Server: AmazonS3][User-Agent: Argo/9.1.0 (iPhone; iOS 10.2; Scale/2.00)][PLAIN TEXT (GET /5758)][Plen Bins: 0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,88,0,0] 31 TCP 192.168.1.7:53119 <-> 54.69.204.241:443 [proto: 91.133/TLS.NetFlix][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 133/NetFlix, Confidence: DNS][DPI packets: 7][cat: Video/26][20 pkts/7639 bytes <-> 16 pkts/5235 bytes][Goodput ratio: 83/80][30.85 sec][Hostname/SNI: ichnaea.netflix.com][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][bytes ratio: 0.187 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1923/16 30431/72 7361/24][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 382/327 1514/1514 559/501][TLSv1.2][JA3C: c07cb55f88702033a8f52c046d23e0b2][JA4: t12d1909h2_b5dc49c6fcca_2cdefc264be7][ServerNames: ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com][Certificate SHA-1: 50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F][Firefox][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 11,24,5,0,0,5,0,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,31,0,0] - 32 TCP 192.168.1.7:53184 <-> 23.246.11.141:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][9 pkts/1658 bytes <-> 10 pkts/11113 bytes][Goodput ratio: 62/94][0.68 sec][Hostname/SNI: 23.246.11.141][bytes ratio: -0.740 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/5 73/76 356/206 117/70][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 184/1111 581/1514 211/518][URL: 23.246.11.141/?o=AQEfKq2oMrLRiWL2puNQJJqTIRqhGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_vlHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=TnP59JB1wb5UTOCr0m-KQU2kGPo][StatusCode: 206][Content-Type: application/octet-stream][Server: nginx][User-Agent: AppleCoreMedia/1.0.0.14C92 (iPhone; U; CPU OS 10_2 like Mac OS X; en_us)][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary file/data transfer (attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.141 / Found binary mime octet-stream][PLAIN TEXT (oMrLRiWL2)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,9,9,9,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,54,0,0] + 32 TCP 192.168.1.7:53184 <-> 23.246.11.141:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][9 pkts/1658 bytes <-> 10 pkts/11113 bytes][Goodput ratio: 62/94][0.68 sec][Hostname/SNI: 23.246.11.141][bytes ratio: -0.740 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/5 73/76 356/206 117/70][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 184/1111 581/1514 211/518][URL: 23.246.11.141/?o=AQEfKq2oMrLRiWL2puNQJJqTIRqhGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_vlHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=TnP59JB1wb5UTOCr0m-KQU2kGPo][StatusCode: 206][Content-Type: application/octet-stream][Server: nginx][User-Agent: AppleCoreMedia/1.0.0.14C92 (iPhone; U; CPU OS 10_2 like Mac OS X; en_us)][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary File/Data Transfer (Attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.141 / Found binary mime octet-stream][PLAIN TEXT (oMrLRiWL2)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,9,9,9,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,54,0,0] 33 TCP 192.168.1.7:53118 <-> 54.69.204.241:443 [proto: 91.133/TLS.NetFlix][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 133/NetFlix, Confidence: DNS][DPI packets: 7][cat: Video/26][19 pkts/7588 bytes <-> 15 pkts/5140 bytes][Goodput ratio: 83/81][30.38 sec][Hostname/SNI: ichnaea.netflix.com][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][bytes ratio: 0.192 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2017/14 30033/55 7488/20][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 399/343 1514/1514 569/514][TLSv1.2][JA3C: c07cb55f88702033a8f52c046d23e0b2][JA4: t12d1909h2_b5dc49c6fcca_2cdefc264be7][ServerNames: ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com][Certificate SHA-1: 50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F][Firefox][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 12,18,6,0,0,6,0,6,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,31,0,0] - 34 TCP 192.168.1.7:53210 <-> 23.246.11.133:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][8 pkts/1564 bytes <-> 9 pkts/9556 bytes][Goodput ratio: 65/94][0.27 sec][Hostname/SNI: 23.246.11.133][bytes ratio: -0.719 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/5 26/29 45/41 14/13][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 196/1062 581/1514 221/531][URL: 23.246.11.133/?o=AQEfKq2oMrLRiWL1ouVaJpeQLBWjGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_7lHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=JfEef80K02ynIjLLoi-HZB1uQ10][StatusCode: 206][Content-Type: application/octet-stream][Server: nginx][User-Agent: AppleCoreMedia/1.0.0.14C92 (iPhone; U; CPU OS 10_2 like Mac OS X; en_us)][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary file/data transfer (attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.133 / Found binary mime octet-stream][PLAIN TEXT (oMrLRiWL1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,10,20,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0] + 34 TCP 192.168.1.7:53210 <-> 23.246.11.133:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][8 pkts/1564 bytes <-> 9 pkts/9556 bytes][Goodput ratio: 65/94][0.27 sec][Hostname/SNI: 23.246.11.133][bytes ratio: -0.719 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/5 26/29 45/41 14/13][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 196/1062 581/1514 221/531][URL: 23.246.11.133/?o=AQEfKq2oMrLRiWL1ouVaJpeQLBWjGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_7lHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=JfEef80K02ynIjLLoi-HZB1uQ10][StatusCode: 206][Content-Type: application/octet-stream][Server: nginx][User-Agent: AppleCoreMedia/1.0.0.14C92 (iPhone; U; CPU OS 10_2 like Mac OS X; en_us)][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary File/Data Transfer (Attempt) **][Risk Score: 60][Risk Info: Found host 23.246.11.133 / Found binary mime octet-stream][PLAIN TEXT (oMrLRiWL1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,10,20,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0] 35 TCP 192.168.1.7:53238 <-> 52.32.22.214:443 [proto: 91.133/TLS.NetFlix][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 133/NetFlix, Confidence: DNS][DPI packets: 7][cat: Video/26][17 pkts/5528 bytes <-> 14 pkts/5406 bytes][Goodput ratio: 80/83][3.15 sec][Hostname/SNI: ios.nccp.netflix.com][bytes ratio: 0.011 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 218/303 2449/2522 645/743][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 325/386 1514/1514 478/534][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][JA4: t12d910600_383454ac02f4_8587f467d9ea][ServerNames: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos][Subject: CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Firefox][Validity: 2001-01-17 20:32:09 - 2018-03-24 20:32:09][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 13,21,6,6,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,6,0,0,0,0,0,0,6,0,0,0,0,21,0,0] 36 TCP 192.168.1.7:53116 <-> 52.32.196.36:443 [proto: 91.133/TLS.NetFlix][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 265/AmazonAWS, Confidence: IP address][DPI packets: 7][cat: Video/26][11 pkts/3220 bytes <-> 11 pkts/7133 bytes][Goodput ratio: 77/90][0.34 sec][Hostname/SNI: api-global.netflix.com][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][bytes ratio: -0.378 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 22/29 75/67 27/28][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 293/648 1514/1514 432/662][TLSv1.2][JA3C: c07cb55f88702033a8f52c046d23e0b2][JA4: t12d1909h2_b5dc49c6fcca_2cdefc264be7][ServerNames: api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Firefox][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 7,15,7,0,0,0,7,7,0,0,0,7,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,40,0,0] 37 TCP 192.168.1.7:53248 <-> 52.32.22.214:443 [proto: 91.133/TLS.NetFlix][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 133/NetFlix, Confidence: DNS][DPI packets: 7][cat: Video/26][12 pkts/5165 bytes <-> 10 pkts/5074 bytes][Goodput ratio: 84/87][0.34 sec][Hostname/SNI: ios.nccp.netflix.com][bytes ratio: 0.009 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 31/31 85/65 31/27][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 430/507 1514/1514 533/591][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][JA4: t12d910600_383454ac02f4_8587f467d9ea][ServerNames: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos][Subject: CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Firefox][Validity: 2001-01-17 20:32:09 - 2018-03-24 20:32:09][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,25,0,8,0,0,0,0,8,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,8,0,0,0,0,0,8,0,0,0,0,0,25,0,0] @@ -84,7 +84,7 @@ JA3 Host Stats: 41 TCP 192.168.1.7:53134 <-> 52.89.39.139:443 [proto: 91.133/TLS.NetFlix][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 133/NetFlix, Confidence: DNS][DPI packets: 6][cat: Video/26][14 pkts/3548 bytes <-> 11 pkts/4653 bytes][Goodput ratio: 74/84][30.77 sec][Hostname/SNI: api-global.netflix.com][bytes ratio: -0.135 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 29/22 143/79 43/29][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 253/423 1514/1514 422/512][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 7e72698146290dd68239f788a452e7d8][JA4: t12d190700_b5dc49c6fcca_3304d8368043][JA3S: 303951d4c50efb2e991652225a6f02b1][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 18,9,0,0,9,0,9,0,0,0,0,0,9,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,18,0,0] 42 TCP 192.168.1.7:53115 <-> 52.32.196.36:443 [proto: 91.133/TLS.NetFlix][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 265/AmazonAWS, Confidence: IP address][DPI packets: 7][cat: Video/26][16 pkts/1657 bytes <-> 12 pkts/5005 bytes][Goodput ratio: 36/84][30.93 sec][Hostname/SNI: api-global.netflix.com][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][bytes ratio: -0.503 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2373/20 30602/58 8149/26][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 104/417 309/1514 78/548][TLSv1.2][JA3C: c07cb55f88702033a8f52c046d23e0b2][JA4: t12d1909h2_b5dc49c6fcca_2cdefc264be7][ServerNames: api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Firefox][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 15,23,15,0,0,0,7,15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0] 43 TCP 192.168.1.7:53141 <-> 104.86.97.179:443 [proto: 91.133/TLS.NetFlix][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 133/NetFlix, Confidence: DNS][DPI packets: 9][cat: Video/26][19 pkts/2356 bytes <-> 8 pkts/4069 bytes][Goodput ratio: 46/87][0.12 sec][Hostname/SNI: art-s.nflximg.net][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.267 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 6/7 26/21 9/8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 124/509 293/1514 58/602][TLSv1.2][JA3C: c07cb55f88702033a8f52c046d23e0b2][JA4: t12d1909h2_b5dc49c6fcca_2cdefc264be7][ServerNames: secure.cdn.nflximg.net,*.nflxext.com,*.nflxvideo.net,*.nflxsearch.net,*.nrd.nflximg.net,*.nflximg.net][JA3S: ef6b224ce027c8e21e5a25d8a58255a3][Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4][Subject: C=US, ST=California, L=Los Gatos, O=Netflix, Inc., OU=Content Delivery Operations, CN=secure.cdn.nflximg.net][Certificate SHA-1: 0D:EF:D1:E6:29:11:1A:A5:88:B3:2F:04:65:D6:D7:AD:84:A2:52:26][Firefox][Validity: 2016-04-06 00:00:00 - 2017-04-05 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 5,28,39,0,5,0,0,5,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] - 44 TCP 192.168.1.7:53164 <-> 23.246.10.139:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][5 pkts/698 bytes <-> 5 pkts/5198 bytes][Goodput ratio: 51/93][0.08 sec][Hostname/SNI: 23.246.10.139][bytes ratio: -0.763 (Download)][IAT c2s/s2c min/avg/max/stddev: 5/1 18/14 35/35 11/13][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 140/1040 422/1514 141/603][URL: 23.246.10.139/range/0-65535?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=-djGXIcbFBNzyfugqEWcrgtCpyY&random=34073607][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary file/data transfer (attempt) **][Risk Score: 60][Risk Info: Found host 23.246.10.139 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,60,0,0] + 44 TCP 192.168.1.7:53164 <-> 23.246.10.139:80 [proto: 7/HTTP][IP: 133/NetFlix][ClearText][Confidence: DPI][FPC: 133/NetFlix, Confidence: IP address][DPI packets: 5][cat: Download/7][5 pkts/698 bytes <-> 5 pkts/5198 bytes][Goodput ratio: 51/93][0.08 sec][Hostname/SNI: 23.246.10.139][bytes ratio: -0.763 (Download)][IAT c2s/s2c min/avg/max/stddev: 5/1 18/14 35/35 11/13][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 140/1040 422/1514 141/603][URL: 23.246.10.139/range/0-65535?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=-djGXIcbFBNzyfugqEWcrgtCpyY&random=34073607][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx][User-Agent: netflix-ios-app][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary File/Data Transfer (Attempt) **][Risk Score: 60][Risk Info: Found host 23.246.10.139 / Found binary mime octet-stream][PLAIN TEXT (GET /range/0)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,60,0,0] 45 TCP 192.168.1.7:53250 <-> 52.41.30.5:443 [proto: 91.133/TLS.NetFlix][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 133/NetFlix, Confidence: DNS][DPI packets: 6][cat: Video/26][10 pkts/2830 bytes <-> 7 pkts/2484 bytes][Goodput ratio: 76/81][0.21 sec][Hostname/SNI: api-global.netflix.com][bytes ratio: 0.065 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 26/20 92/54 34/22][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 283/355 1450/1066 419/413][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 7e72698146290dd68239f788a452e7d8][JA4: t12d190700_b5dc49c6fcca_3304d8368043][JA3S: 303951d4c50efb2e991652225a6f02b1][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 12,12,0,0,12,0,12,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,12,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0] 46 TCP 192.168.1.7:53117 <-> 52.32.196.36:443 [proto: 91.133/TLS.NetFlix][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 265/AmazonAWS, Confidence: IP address][DPI packets: 6][cat: Video/26][12 pkts/1294 bytes <-> 8 pkts/1723 bytes][Goodput ratio: 39/69][30.71 sec][Hostname/SNI: api-global.netflix.com][bytes ratio: -0.142 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 3064/6120 30486/30536 9141/12208][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 108/215 309/989 83/296][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 7e72698146290dd68239f788a452e7d8][JA4: t12d190700_b5dc49c6fcca_3304d8368043][JA3S: 303951d4c50efb2e991652225a6f02b1][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 25,12,12,0,12,0,12,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 47 UDP 192.168.1.7:53776 -> 239.255.255.250:1900 [proto: 12/SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 12/SSDP, Confidence: DPI][DPI packets: 1][cat: System/18][16 pkts/2648 bytes -> 0 pkts/0 bytes][Goodput ratio: 75/0][79.13 sec][Hostname/SNI: 239.255.255.250:1900][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 105/0 4588/0 14907/0 6547/0][Pkt Len c2s/s2c min/avg/max/stddev: 164/0 166/0 167/0 2/0][PLAIN TEXT (SEARCH )][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/quickplay.pcap.out b/tests/cfgs/default/result/quickplay.pcap.out index e192c5554..61d68b854 100644 --- a/tests/cfgs/default/result/quickplay.pcap.out +++ b/tests/cfgs/default/result/quickplay.pcap.out @@ -41,10 +41,10 @@ Fun 18 6521 8 10 TCP 10.54.169.250:44256 <-> 120.28.5.41:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 7/HTTP, Confidence: DPI][DPI packets: 3][cat: Streaming/17][2 pkts/1086 bytes <-> 1 pkts/1225 bytes][Goodput ratio: 90/95][0.64 sec][Hostname/SNI: play-singtelhawk.quickplay.com][URL: play-singtelhawk.quickplay.com/vstb/playlist_5_6241_357.m3u8?action=145&appId=5006&carrierId=23&appVersion=1.0&contentId=6241&contentTypeId=3&deviceName=androidmobile&encodingId=357&drmId=4&drmVersion=1.5&delivery=5&prefLanguage=eng&webvtt=true&userid=091][User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 3W Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36][PLAIN TEXT (GET /vstb/playlist)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0] 11 TCP 10.54.169.250:56381 <-> 54.179.140.65:80 [proto: 7.287/HTTP.Xiaomi][IP: 265/AmazonAWS][ClearText][Confidence: DPI][FPC: 7.287/HTTP.Xiaomi, Confidence: DPI][DPI packets: 2][cat: Web/5][1 pkts/638 bytes <-> 1 pkts/831 bytes][Goodput ratio: 91/93][0.32 sec][Hostname/SNI: api.account.xiaomi.com][URL: api.account.xiaomi.com/pass/v2/safe/user/coreInfo?signature=u%2F73dEXBHbejev0ISNwnGyyfeTw%3D&userId=Mz5Xr5UXKuw83hxd6Yms2w%3D%3D][StatusCode: 200][Req Content-Type: application/x-www-form-urlencoded][Content-Type: application/json][Server: Tengine/2.0.1][User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI/V6.4.2.0.KXDMICB)][Risk: ** Susp Entropy **][Risk Score: 10][Risk Info: Entropy: 6.004 (Executable?)][PLAIN TEXT (GET /pass/v)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 12 TCP 10.54.169.250:54883 <-> 203.205.151.160:80 [proto: 131.48/HTTP_Proxy.QQ][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 131.48/HTTP_Proxy.QQ, Confidence: DPI][DPI packets: 3][cat: Chat/9][2 pkts/1192 bytes <-> 1 pkts/145 bytes][Goodput ratio: 91/61][2.08 sec][Hostname/SNI: hkextshort.weixin.qq.com][URL: http://hkextshort.weixin.qq.com/cgi-bin/micromsg-bin/mmsnssync][Req Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: Expected on port 8080,3128][PLAIN TEXT (POST http)][Plen Bins: 0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 13 TCP 10.54.169.250:54885 <-> 203.205.151.160:80 [proto: 131.48/HTTP_Proxy.QQ][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 131.48/HTTP_Proxy.QQ, Confidence: DPI][DPI packets: 2][cat: Download/7][1 pkts/461 bytes <-> 2 pkts/522 bytes][Goodput ratio: 88/78][2.81 sec][Hostname/SNI: hkextshort.weixin.qq.com][URL: http://hkextshort.weixin.qq.com/cgi-bin/micromsg-bin/getcontactlabellist][StatusCode: 200][Req Content-Type: application/octet-stream][Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Filename: micromsgresp.dat][Risk: ** Known Proto on Non Std Port **** Binary file/data transfer (attempt) **][Risk Score: 100][Risk Info: Expected on port 8080,3128 / Found binary mime octet-stream][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,66,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 14 TCP 10.54.169.250:35670 <-> 203.205.147.215:80 [proto: 131.48/HTTP_Proxy.QQ][IP: 285/Tencent][ClearText][Confidence: DPI][FPC: 131.48/HTTP_Proxy.QQ, Confidence: DPI][DPI packets: 2][cat: Download/7][1 pkts/681 bytes <-> 1 pkts/262 bytes][Goodput ratio: 92/78][0.14 sec][Hostname/SNI: hkminorshort.weixin.qq.com][URL: http://hkminorshort.weixin.qq.com/cgi-bin/micromsg-bin/rtkvreport][StatusCode: 200][Req Content-Type: application/octet-stream][Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Filename: micromsgresp.dat][Risk: ** Known Proto on Non Std Port **** Binary file/data transfer (attempt) **][Risk Score: 100][Risk Info: Expected on port 8080,3128 / Found binary mime octet-stream][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 15 TCP 10.54.169.250:42762 <-> 203.205.129.101:80 [proto: 131.48/HTTP_Proxy.QQ][IP: 285/Tencent][ClearText][Confidence: DPI][FPC: 131.48/HTTP_Proxy.QQ, Confidence: DPI][DPI packets: 2][cat: Download/7][1 pkts/616 bytes <-> 1 pkts/261 bytes][Goodput ratio: 91/78][0.37 sec][Hostname/SNI: hkextshort.weixin.qq.com][URL: http://hkextshort.weixin.qq.com/cgi-bin/micromsg-bin/androidgcmreg][StatusCode: 200][Req Content-Type: application/octet-stream][Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Filename: micromsgresp.dat][Risk: ** Known Proto on Non Std Port **** Binary file/data transfer (attempt) **][Risk Score: 100][Risk Info: Expected on port 8080,3128 / Found binary mime octet-stream][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 16 TCP 10.54.169.250:42761 <-> 203.205.129.101:80 [proto: 131.48/HTTP_Proxy.QQ][IP: 285/Tencent][ClearText][Confidence: DPI][FPC: 131.48/HTTP_Proxy.QQ, Confidence: DPI][DPI packets: 2][cat: Download/7][1 pkts/380 bytes <-> 1 pkts/261 bytes][Goodput ratio: 85/78][0.34 sec][Hostname/SNI: hkextshort.weixin.qq.com][URL: http://hkextshort.weixin.qq.com/cgi-bin/micromsg-bin/mmbatchemojidownload][StatusCode: 200][Req Content-Type: application/octet-stream][Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Filename: micromsgresp.dat][Risk: ** Known Proto on Non Std Port **** Binary file/data transfer (attempt) **][Risk Score: 100][Risk Info: Expected on port 8080,3128 / Found binary mime octet-stream][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 13 TCP 10.54.169.250:54885 <-> 203.205.151.160:80 [proto: 131.48/HTTP_Proxy.QQ][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 131.48/HTTP_Proxy.QQ, Confidence: DPI][DPI packets: 2][cat: Download/7][1 pkts/461 bytes <-> 2 pkts/522 bytes][Goodput ratio: 88/78][2.81 sec][Hostname/SNI: hkextshort.weixin.qq.com][URL: http://hkextshort.weixin.qq.com/cgi-bin/micromsg-bin/getcontactlabellist][StatusCode: 200][Req Content-Type: application/octet-stream][Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Filename: micromsgresp.dat][Risk: ** Known Proto on Non Std Port **** Binary File/Data Transfer (Attempt) **][Risk Score: 100][Risk Info: Expected on port 8080,3128 / Found binary mime octet-stream][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,66,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 14 TCP 10.54.169.250:35670 <-> 203.205.147.215:80 [proto: 131.48/HTTP_Proxy.QQ][IP: 285/Tencent][ClearText][Confidence: DPI][FPC: 131.48/HTTP_Proxy.QQ, Confidence: DPI][DPI packets: 2][cat: Download/7][1 pkts/681 bytes <-> 1 pkts/262 bytes][Goodput ratio: 92/78][0.14 sec][Hostname/SNI: hkminorshort.weixin.qq.com][URL: http://hkminorshort.weixin.qq.com/cgi-bin/micromsg-bin/rtkvreport][StatusCode: 200][Req Content-Type: application/octet-stream][Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Filename: micromsgresp.dat][Risk: ** Known Proto on Non Std Port **** Binary File/Data Transfer (Attempt) **][Risk Score: 100][Risk Info: Expected on port 8080,3128 / Found binary mime octet-stream][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 15 TCP 10.54.169.250:42762 <-> 203.205.129.101:80 [proto: 131.48/HTTP_Proxy.QQ][IP: 285/Tencent][ClearText][Confidence: DPI][FPC: 131.48/HTTP_Proxy.QQ, Confidence: DPI][DPI packets: 2][cat: Download/7][1 pkts/616 bytes <-> 1 pkts/261 bytes][Goodput ratio: 91/78][0.37 sec][Hostname/SNI: hkextshort.weixin.qq.com][URL: http://hkextshort.weixin.qq.com/cgi-bin/micromsg-bin/androidgcmreg][StatusCode: 200][Req Content-Type: application/octet-stream][Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Filename: micromsgresp.dat][Risk: ** Known Proto on Non Std Port **** Binary File/Data Transfer (Attempt) **][Risk Score: 100][Risk Info: Expected on port 8080,3128 / Found binary mime octet-stream][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 16 TCP 10.54.169.250:42761 <-> 203.205.129.101:80 [proto: 131.48/HTTP_Proxy.QQ][IP: 285/Tencent][ClearText][Confidence: DPI][FPC: 131.48/HTTP_Proxy.QQ, Confidence: DPI][DPI packets: 2][cat: Download/7][1 pkts/380 bytes <-> 1 pkts/261 bytes][Goodput ratio: 85/78][0.34 sec][Hostname/SNI: hkextshort.weixin.qq.com][URL: http://hkextshort.weixin.qq.com/cgi-bin/micromsg-bin/mmbatchemojidownload][StatusCode: 200][Req Content-Type: application/octet-stream][Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Filename: micromsgresp.dat][Risk: ** Known Proto on Non Std Port **** Binary File/Data Transfer (Attempt) **][Risk Score: 100][Risk Info: Expected on port 8080,3128 / Found binary mime octet-stream][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 17 TCP 10.54.169.250:52285 <-> 173.252.74.22:80 [proto: 7.119/HTTP.Facebook][IP: 119/Facebook][ClearText][Confidence: DPI][FPC: 7.119/HTTP.Facebook, Confidence: DPI][DPI packets: 2][cat: SocialNetwork/6][1 pkts/243 bytes <-> 1 pkts/339 bytes][Goodput ratio: 77/83][0.46 sec][Hostname/SNI: www.facebook.com][URL: www.facebook.com/mobile/status.php][StatusCode: 204][User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI/V6.4.2.0.KXDMICB)][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)][Plen Bins: 0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 18 TCP 10.54.169.250:52288 <-> 173.252.74.22:80 [proto: 7.119/HTTP.Facebook][IP: 119/Facebook][ClearText][Confidence: DPI][FPC: 7.119/HTTP.Facebook, Confidence: DPI][DPI packets: 2][cat: SocialNetwork/6][1 pkts/243 bytes <-> 1 pkts/339 bytes][Goodput ratio: 77/83][0.46 sec][Hostname/SNI: www.facebook.com][URL: www.facebook.com/mobile/status.php][StatusCode: 204][User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI/V6.4.2.0.KXDMICB)][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)][Plen Bins: 0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 19 TCP 10.54.169.250:44793 <-> 31.13.68.49:80 [proto: 7.119/HTTP.Facebook][IP: 119/Facebook][ClearText][Confidence: DPI][FPC: 7.119/HTTP.Facebook, Confidence: DPI][DPI packets: 2][cat: SocialNetwork/6][1 pkts/237 bytes <-> 1 pkts/339 bytes][Goodput ratio: 76/83][0.34 sec][Hostname/SNI: www.facebook.com][URL: www.facebook.com/mobile/status.php][StatusCode: 204][User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; GT-I9505 Build/KOT49H)][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)][Plen Bins: 0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/shadowsocks.pcap.out b/tests/cfgs/default/result/shadowsocks.pcap.out index 3a02af840..25206e886 100644 --- a/tests/cfgs/default/result/shadowsocks.pcap.out +++ b/tests/cfgs/default/result/shadowsocks.pcap.out @@ -31,4 +31,4 @@ Unrated 15 68444 1 Undetected flows: - 1 TCP 127.0.0.1:44276 <-> 127.0.0.1:8388 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 15][8 pkts/641 bytes <-> 7 pkts/67803 bytes][Goodput ratio: 16/99][0.83 sec][bytes ratio: -0.981 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/163 103/165 334/334 122/118][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 80/9686 171/18151 34/8394][Risk: ** Fully encrypted flow **][Risk Score: 50][PLAIN TEXT (EBjATMT)][Plen Bins: 0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,80] + 1 TCP 127.0.0.1:44276 <-> 127.0.0.1:8388 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 15][8 pkts/641 bytes <-> 7 pkts/67803 bytes][Goodput ratio: 16/99][0.83 sec][bytes ratio: -0.981 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/163 103/165 334/334 122/118][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 80/9686 171/18151 34/8394][Risk: ** Fully Encrypted Flow **][Risk Score: 50][PLAIN TEXT (EBjATMT)][Plen Bins: 0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,80] diff --git a/tests/cfgs/default/result/starcraft_battle.pcap.out b/tests/cfgs/default/result/starcraft_battle.pcap.out index 0334c40b4..4dc8d775a 100644 --- a/tests/cfgs/default/result/starcraft_battle.pcap.out +++ b/tests/cfgs/default/result/starcraft_battle.pcap.out @@ -40,7 +40,7 @@ Safe 46 3071 14 Acceptable 506 304727 31 Fun 245 52374 7 - 1 TCP 192.168.1.100:3508 <-> 87.248.221.254:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][90 pkts/5059 bytes <-> 89 pkts/129145 bytes][Goodput ratio: 4/96][3.22 sec][Hostname/SNI: llnw.blizzard.com][bytes ratio: -0.925 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 45/3 2914/58 341/11][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 56/1451 241/1514 20/291][URL: llnw.blizzard.com/sc2-pod-retail/AF11CD00/EU/24621.direct/s2-36281-BA356DD57557728843CAF63A12C79AA3.mfil][StatusCode: 200][Content-Type: application/octet-stream][Server: Apache][User-Agent: Blizzard Web Client][Risk: ** Susp DGA Domain name **** Binary file/data transfer (attempt) **][Risk Score: 150][Risk Info: llnw.blizzard.com / Found binary mime octet-stream][PLAIN TEXT (GET /sc)][Plen Bins: 0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,97,0,0] + 1 TCP 192.168.1.100:3508 <-> 87.248.221.254:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][90 pkts/5059 bytes <-> 89 pkts/129145 bytes][Goodput ratio: 4/96][3.22 sec][Hostname/SNI: llnw.blizzard.com][bytes ratio: -0.925 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 45/3 2914/58 341/11][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 56/1451 241/1514 20/291][URL: llnw.blizzard.com/sc2-pod-retail/AF11CD00/EU/24621.direct/s2-36281-BA356DD57557728843CAF63A12C79AA3.mfil][StatusCode: 200][Content-Type: application/octet-stream][Server: Apache][User-Agent: Blizzard Web Client][Risk: ** Susp DGA Domain name **** Binary File/Data Transfer (Attempt) **][Risk Score: 150][Risk Info: llnw.blizzard.com / Found binary mime octet-stream][PLAIN TEXT (GET /sc)][Plen Bins: 0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,97,0,0] 2 TCP 192.168.1.100:3517 <-> 213.248.127.130:1119 [proto: 213/Starcraft][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 4][cat: Game/8][126 pkts/9157 bytes <-> 89 pkts/41021 bytes][Goodput ratio: 26/88][3.83 sec][bytes ratio: -0.635 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 30/37 1016/1086 104/133][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 73/461 249/1514 28/593][PLAIN TEXT (matteobracci1@gmail.com)][Plen Bins: 76,2,2,2,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,13,0,0] 3 TCP 192.168.1.100:3527 <-> 2.228.46.112:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][15 pkts/971 bytes <-> 26 pkts/36462 bytes][Goodput ratio: 15/96][0.10 sec][Hostname/SNI: bnetcmsus-a.akamaihd.net][bytes ratio: -0.948 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 7/3 33/34 13/9][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 65/1402 203/1514 37/387][URL: bnetcmsus-a.akamaihd.net/cms/bnet_thumbnail/gc/GCF1DHMH8FDY1434670037434.jpg][StatusCode: 200][Content-Type: image/jpeg][Server: Apache][User-Agent: Battle.net Web Client][PLAIN TEXT (GET /cms/bnet)][Plen Bins: 0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,96,0,0] 4 TCP 192.168.1.100:3528 <-> 2.228.46.112:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][11 pkts/755 bytes <-> 18 pkts/24350 bytes][Goodput ratio: 20/96][0.10 sec][Hostname/SNI: bnetcmsus-a.akamaihd.net][bytes ratio: -0.940 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 12/4 37/64 16/16][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 69/1353 203/1514 43/456][URL: bnetcmsus-a.akamaihd.net/cms/bnet_thumbnail/4j/4J7OUIISCLTQ1436943629210.jpg][StatusCode: 200][Content-Type: image/jpeg][Server: Apache][User-Agent: Battle.net Web Client][PLAIN TEXT (GET /cms/bnet)][Plen Bins: 0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,94,0,0] diff --git a/tests/cfgs/default/result/threema.pcap.out b/tests/cfgs/default/result/threema.pcap.out index 70c59bf22..fda7ae354 100644 --- a/tests/cfgs/default/result/threema.pcap.out +++ b/tests/cfgs/default/result/threema.pcap.out @@ -31,5 +31,5 @@ Fun 83 11578 6 2 TCP 192.168.2.100:50298 <-> 185.88.236.110:5222 [proto: 305/Threema][IP: 305/Threema][Encrypted][Confidence: DPI][FPC: 305/Threema, Confidence: IP address][DPI packets: 10][cat: Chat/9][10 pkts/2025 bytes <-> 5 pkts/548 bytes][Goodput ratio: 67/38][46.73 sec][bytes ratio: 0.574 (Upload)][IAT c2s/s2c min/avg/max/stddev: 3/31 5838/33 46525/38 15378/3][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 202/110 510/146 167/24][Plen Bins: 0,44,11,0,0,11,0,0,0,11,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 3 TCP 192.168.2.100:50618 <-> 185.88.236.110:5222 [proto: 305/Threema][IP: 305/Threema][Encrypted][Confidence: DPI][FPC: 305/Threema, Confidence: IP address][DPI packets: 10][cat: Chat/9][9 pkts/879 bytes <-> 6 pkts/1079 bytes][Goodput ratio: 31/62][5.39 sec][bytes ratio: -0.102 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/28 52/1686 209/4996 67/2340][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 98/180 257/661 59/217][Plen Bins: 0,40,20,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 TCP 192.168.2.100:50500 <-> 185.88.236.110:5222 [proto: 305/Threema][IP: 305/Threema][Encrypted][Confidence: DPI][FPC: 305/Threema, Confidence: IP address][DPI packets: 10][cat: Chat/9][8 pkts/813 bytes <-> 4 pkts/676 bytes][Goodput ratio: 34/60][61.48 sec][bytes ratio: 0.092 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/31 290/32 1612/32 591/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 102/169 257/390 61/131][Plen Bins: 0,40,20,0,0,20,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 5 TCP 192.168.2.100:50718 <-> 185.88.236.110:5222 [proto: 305/Threema][IP: 305/Threema][Encrypted][Confidence: Match by IP][FPC: 305/Threema, Confidence: IP address][DPI packets: 13][cat: Chat/9][8 pkts/775 bytes <-> 5 pkts/472 bytes][Goodput ratio: 31/28][73.43 sec][bytes ratio: 0.243 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/28 12233/29 73277/30 27300/1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 97/94 257/146 62/33][Risk: ** Fully encrypted flow **][Risk Score: 50][Plen Bins: 0,50,25,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 6 TCP 192.168.2.100:50860 <-> 185.88.236.110:5222 [proto: 305/Threema][IP: 305/Threema][Encrypted][Confidence: Match by IP][FPC: 305/Threema, Confidence: IP address][DPI packets: 13][cat: Chat/9][8 pkts/775 bytes <-> 5 pkts/472 bytes][Goodput ratio: 31/28][60.00 sec][bytes ratio: 0.243 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/29 9996/31 59845/33 22293/2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 97/94 257/146 62/33][Risk: ** Fully encrypted flow **][Risk Score: 50][Plen Bins: 0,50,25,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 TCP 192.168.2.100:50718 <-> 185.88.236.110:5222 [proto: 305/Threema][IP: 305/Threema][Encrypted][Confidence: Match by IP][FPC: 305/Threema, Confidence: IP address][DPI packets: 13][cat: Chat/9][8 pkts/775 bytes <-> 5 pkts/472 bytes][Goodput ratio: 31/28][73.43 sec][bytes ratio: 0.243 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/28 12233/29 73277/30 27300/1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 97/94 257/146 62/33][Risk: ** Fully Encrypted Flow **][Risk Score: 50][Plen Bins: 0,50,25,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 TCP 192.168.2.100:50860 <-> 185.88.236.110:5222 [proto: 305/Threema][IP: 305/Threema][Encrypted][Confidence: Match by IP][FPC: 305/Threema, Confidence: IP address][DPI packets: 13][cat: Chat/9][8 pkts/775 bytes <-> 5 pkts/472 bytes][Goodput ratio: 31/28][60.00 sec][bytes ratio: 0.243 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/29 9996/31 59845/33 22293/2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 97/94 257/146 62/33][Risk: ** Fully Encrypted Flow **][Risk Score: 50][Plen Bins: 0,50,25,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/tls_certificate_too_long.pcap.out b/tests/cfgs/default/result/tls_certificate_too_long.pcap.out index 1e6c34176..af2431802 100644 --- a/tests/cfgs/default/result/tls_certificate_too_long.pcap.out +++ b/tests/cfgs/default/result/tls_certificate_too_long.pcap.out @@ -55,8 +55,8 @@ JA3 Host Stats: 8 TCP 192.168.1.121:53917 <-> 40.113.10.47:443 [proto: 91.212/TLS.Microsoft][IP: 276/Azure][Encrypted][Confidence: DPI][FPC: 212/Microsoft, Confidence: DNS][DPI packets: 7][cat: Cloud/13][6 pkts/865 bytes <-> 5 pkts/4143 bytes][Goodput ratio: 60/93][0.16 sec][Hostname/SNI: wdcp.microsoft.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.655 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 22/17 50/50 22/24][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 144/829 571/1502 191/652][Risk: ** TLS Cert Validity Too Long **][Risk Score: 50][Risk Info: TLS Cert lasts 455 days][TLSv1.2][JA3C: 656b9a2f4de6ed4909e157482860ab3d][JA4: t13d2613h2_2802a3db6c62_845d286b0d67][ServerNames: wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com][JA3S: 17e97216fa7f4ec8c43090c6eed97c25][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011][Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com][Certificate SHA-1: 81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22][Safari][Validity: 2020-12-10 19:38:28 - 2022-03-10 19:38:28][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0] 9 TCP 192.168.1.121:53918 <-> 40.113.10.47:443 [proto: 91.212/TLS.Microsoft][IP: 276/Azure][Encrypted][Confidence: DPI][FPC: 212/Microsoft, Confidence: DNS][DPI packets: 7][cat: Cloud/13][6 pkts/865 bytes <-> 5 pkts/4143 bytes][Goodput ratio: 60/93][0.16 sec][Hostname/SNI: wdcp.microsoft.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.655 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21/17 51/51 23/24][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 144/829 571/1502 191/652][Risk: ** TLS Cert Validity Too Long **][Risk Score: 50][Risk Info: TLS Cert lasts 455 days][TLSv1.2][JA3C: 656b9a2f4de6ed4909e157482860ab3d][JA4: t13d2613h2_2802a3db6c62_845d286b0d67][ServerNames: wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com][JA3S: 17e97216fa7f4ec8c43090c6eed97c25][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011][Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com][Certificate SHA-1: 81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22][Safari][Validity: 2020-12-10 19:38:28 - 2022-03-10 19:38:28][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0] 10 TCP 192.168.1.121:53919 <-> 40.113.10.47:443 [proto: 91.212/TLS.Microsoft][IP: 276/Azure][Encrypted][Confidence: DPI][FPC: 212/Microsoft, Confidence: DNS][DPI packets: 7][cat: Cloud/13][6 pkts/865 bytes <-> 5 pkts/4143 bytes][Goodput ratio: 60/93][0.16 sec][Hostname/SNI: wdcp.microsoft.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.655 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 22/16 48/48 21/23][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 144/829 571/1502 191/652][Risk: ** TLS Cert Validity Too Long **][Risk Score: 50][Risk Info: TLS Cert lasts 455 days][TLSv1.2][JA3C: 656b9a2f4de6ed4909e157482860ab3d][JA4: t13d2613h2_2802a3db6c62_845d286b0d67][ServerNames: wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com][JA3S: 17e97216fa7f4ec8c43090c6eed97c25][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011][Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com][Certificate SHA-1: 81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22][Safari][Validity: 2020-12-10 19:38:28 - 2022-03-10 19:38:28][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0] - 11 TCP 192.168.1.121:53913 <-> 2.22.33.235:80 [proto: 7.212/HTTP.Microsoft][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 212/Microsoft, Confidence: DNS][DPI packets: 6][cat: Download/7][6 pkts/621 bytes <-> 5 pkts/2517 bytes][Goodput ratio: 34/87][0.04 sec][Hostname/SNI: www.microsoft.com][bytes ratio: -0.604 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/7 20/11 8/5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 104/503 279/1502 79/576][URL: www.microsoft.com/pkiops/certs/MicSecSerCA2011_2011-10-18.crt][StatusCode: 200][Content-Type: application/octet-stream][User-Agent: com.apple.trustd/2.0][Risk: ** HTTP Susp Header **** Binary file/data transfer (attempt) **][Risk Score: 150][Risk Info: Found binary mime octet-stream / Found TLS_version: UNKNOWN][PLAIN TEXT (GET /pkiops/certs/MicSecSerCA)][Plen Bins: 0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0] - 12 TCP 192.168.1.121:53912 <-> 2.22.33.235:80 [proto: 7.212/HTTP.Microsoft][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][6 pkts/619 bytes <-> 5 pkts/2282 bytes][Goodput ratio: 34/85][0.05 sec][Hostname/SNI: www.microsoft.com][bytes ratio: -0.573 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/7 21/11 8/5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103/456 277/1502 78/558][URL: www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt][StatusCode: 200][Content-Type: application/octet-stream][User-Agent: com.apple.trustd/2.0][Risk: ** HTTP Susp Header **** Binary file/data transfer (attempt) **][Risk Score: 150][Risk Info: Found binary mime octet-stream / Found TLS_version: UNKNOWN][PLAIN TEXT (GET /pki/certs/MicRooCerAut)][Plen Bins: 0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0] + 11 TCP 192.168.1.121:53913 <-> 2.22.33.235:80 [proto: 7.212/HTTP.Microsoft][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 212/Microsoft, Confidence: DNS][DPI packets: 6][cat: Download/7][6 pkts/621 bytes <-> 5 pkts/2517 bytes][Goodput ratio: 34/87][0.04 sec][Hostname/SNI: www.microsoft.com][bytes ratio: -0.604 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/7 20/11 8/5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 104/503 279/1502 79/576][URL: www.microsoft.com/pkiops/certs/MicSecSerCA2011_2011-10-18.crt][StatusCode: 200][Content-Type: application/octet-stream][User-Agent: com.apple.trustd/2.0][Risk: ** HTTP Susp Header **** Binary File/Data Transfer (Attempt) **][Risk Score: 150][Risk Info: Found binary mime octet-stream / Found TLS_version: UNKNOWN][PLAIN TEXT (GET /pkiops/certs/MicSecSerCA)][Plen Bins: 0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0] + 12 TCP 192.168.1.121:53912 <-> 2.22.33.235:80 [proto: 7.212/HTTP.Microsoft][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][6 pkts/619 bytes <-> 5 pkts/2282 bytes][Goodput ratio: 34/85][0.05 sec][Hostname/SNI: www.microsoft.com][bytes ratio: -0.573 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/7 21/11 8/5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103/456 277/1502 78/558][URL: www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt][StatusCode: 200][Content-Type: application/octet-stream][User-Agent: com.apple.trustd/2.0][Risk: ** HTTP Susp Header **** Binary File/Data Transfer (Attempt) **][Risk Score: 150][Risk Info: Found binary mime octet-stream / Found TLS_version: UNKNOWN][PLAIN TEXT (GET /pki/certs/MicRooCerAut)][Plen Bins: 0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0] 13 UDP 192.168.1.121:52251 <-> 8.8.8.8:53 [proto: 5/DNS][IP: 126/Google][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 5][cat: Network/14][8 pkts/767 bytes <-> 8 pkts/1085 bytes][Goodput ratio: 56/69][1.01 sec][Hostname/SNI: 60.21.149.52.in-addr.arpa][::][bytes ratio: -0.172 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 165/2 988/5 368/2][Pkt Len c2s/s2c min/avg/max/stddev: 80/86 96/136 132/196 21/42][Risk: ** Error Code **][Risk Score: 10][Risk Info: DNS Error Code NXDOMAIN][PLAIN TEXT (msnhst)][Plen Bins: 0,57,18,12,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 14 UDP 192.168.1.121:51998 <-> 8.8.8.8:53 [proto: 5/DNS][IP: 126/Google][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 3][cat: Network/14][3 pkts/255 bytes <-> 3 pkts/449 bytes][Goodput ratio: 50/72][1.02 sec][Hostname/SNI: 235.33.22.2.in-addr.arpa][::][bytes ratio: -0.276 (Download)][IAT c2s/s2c min/avg/max/stddev: 999/996 500/498 999/996 500/498][Pkt Len c2s/s2c min/avg/max/stddev: 84/131 85/150 86/171 1/16][PLAIN TEXT (deploy)][Plen Bins: 0,51,16,16,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 15 UDP 192.168.1.121:5353 -> 192.168.1.139:5353 [proto: 8/MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/383 bytes -> 0 pkts/0 bytes][Goodput ratio: 89/0][< 1 sec][Hostname/SNI: _companion-link._tcp.local][_companion-link._tcp.local][PLAIN TEXT (companion)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/waze.pcap.out b/tests/cfgs/default/result/waze.pcap.out index 17b3c86fb..6bad41751 100644 --- a/tests/cfgs/default/result/waze.pcap.out +++ b/tests/cfgs/default/result/waze.pcap.out @@ -42,7 +42,7 @@ JA3 Host Stats: 1 TCP 10.8.0.1:36100 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 265/AmazonAWS, Confidence: IP address][DPI packets: 6][cat: Web/5][52 pkts/10860 bytes <-> 55 pkts/74852 bytes][Goodput ratio: 74/96][19.68 sec][bytes ratio: -0.747 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 288/329 3806/5018 686/820][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 209/1361 590/17258 183/3378][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][JA4: t10d320300_771403ec58f7_a875e5012fde][ServerNames: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2][Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,5,0,0,21,1,5,3,3,1,10,1,0,0,0,0,14,0,0,0,0,0,1,0,1,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23] - 2 TCP 10.8.0.1:54915 <-> 65.39.128.135:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][19 pkts/1309 bytes <-> 18 pkts/61896 bytes][Goodput ratio: 20/98][5.27 sec][Hostname/SNI: xtra1.gpsonextra.net][bytes ratio: -0.959 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 321/373 3680/3677 903/960][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 69/3439 317/11833 59/3468][URL: xtra1.gpsonextra.net/xtra2.bin][StatusCode: 200][Content-Type: application/octet-stream][Server: Cherokee][User-Agent: Android][Risk: ** Binary file/data transfer (attempt) **][Risk Score: 50][Risk Info: Found binary mime octet-stream][PLAIN TEXT (GET /xtra)][Plen Bins: 0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0,0,0,71] + 2 TCP 10.8.0.1:54915 <-> 65.39.128.135:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][19 pkts/1309 bytes <-> 18 pkts/61896 bytes][Goodput ratio: 20/98][5.27 sec][Hostname/SNI: xtra1.gpsonextra.net][bytes ratio: -0.959 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 321/373 3680/3677 903/960][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 69/3439 317/11833 59/3468][URL: xtra1.gpsonextra.net/xtra2.bin][StatusCode: 200][Content-Type: application/octet-stream][Server: Cherokee][User-Agent: Android][Risk: ** Binary File/Data Transfer (Attempt) **][Risk Score: 50][Risk Info: Found binary mime octet-stream][PLAIN TEXT (GET /xtra)][Plen Bins: 0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0,0,0,71] 3 TCP 10.8.0.1:39021 <-> 52.17.114.219:443 [proto: 91.135/TLS.Waze][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 265/AmazonAWS, Confidence: IP address][DPI packets: 8][cat: Web/5][17 pkts/1962 bytes <-> 16 pkts/56934 bytes][Goodput ratio: 52/98][2.64 sec][bytes ratio: -0.933 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 155/189 387/415 137/131][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 115/3558 590/21942 132/6125][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][JA4: t10d320300_771403ec58f7_a875e5012fde][ServerNames: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2][Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 7,0,0,0,15,7,0,7,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0,0,0,39] 4 TCP 10.8.0.1:36312 <-> 176.34.186.180:443 [proto: 91.135/TLS.Waze][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 265/AmazonAWS, Confidence: IP address][DPI packets: 8][cat: Web/5][17 pkts/2176 bytes <-> 15 pkts/42443 bytes][Goodput ratio: 57/98][3.70 sec][bytes ratio: -0.902 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 218/126 1449/293 383/116][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 128/2830 590/11186 147/3901][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][JA4: t10d320300_771403ec58f7_a875e5012fde][ServerNames: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2][Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,7,0,0,7,7,0,7,0,0,7,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,35] 5 TCP 10.8.0.1:36316 <-> 176.34.186.180:443 [proto: 91.135/TLS.Waze][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 265/AmazonAWS, Confidence: IP address][DPI packets: 6][cat: Web/5][15 pkts/1540 bytes <-> 13 pkts/26346 bytes][Goodput ratio: 46/97][3.22 sec][bytes ratio: -0.890 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 237/155 1289/609 359/182][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 103/2027 411/8150 98/2612][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][JA4: t10d320300_771403ec58f7_a875e5012fde][ServerNames: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2][Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,8,0,0,8,8,0,8,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33] diff --git a/tests/cfgs/default/result/windowsupdate_over_http.pcap.out b/tests/cfgs/default/result/windowsupdate_over_http.pcap.out index 8e5b7b0d5..d6db9f6f4 100644 --- a/tests/cfgs/default/result/windowsupdate_over_http.pcap.out +++ b/tests/cfgs/default/result/windowsupdate_over_http.pcap.out @@ -24,4 +24,4 @@ WindowsUpdate 20 15975 1 Safe 20 15975 1 - 1 TCP 10.0.2.15:49815 <-> 151.99.72.125:80 [proto: 7.147/HTTP.WindowsUpdate][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][8 pkts/923 bytes <-> 12 pkts/15052 bytes][Goodput ratio: 52/96][0.02 sec][Hostname/SNI: 151.99.72.125][bytes ratio: -0.884 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2/1 9/8 4/2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 115/1254 533/1514 158/536][URL: 151.99.72.125/data/0783dedfb62fa709/msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d1d060c0-7ece-4b96-9558-4bd0f2326040?P1=1652084683&P2=404&P3=2&P4=GtXnDMvssaTVZE%2bliGRNZPdTCGZcdK3lsfQhBycGI5on2dyQK7mRzg%2fAP%2fOuVTebtfWU%2bfL%2bVp][StatusCode: 206][Content-Type: application/octet-stream][Server: nginx][User-Agent: Microsoft-Delivery-Optimization/10.0][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary file/data transfer (attempt) **][Risk Score: 60][Risk Info: Found host 151.99.72.125 / Found binary mime octet-stream][PLAIN TEXT (GET /data/0783dedfb)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,72,0,0] + 1 TCP 10.0.2.15:49815 <-> 151.99.72.125:80 [proto: 7.147/HTTP.WindowsUpdate][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][8 pkts/923 bytes <-> 12 pkts/15052 bytes][Goodput ratio: 52/96][0.02 sec][Hostname/SNI: 151.99.72.125][bytes ratio: -0.884 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2/1 9/8 4/2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 115/1254 533/1514 158/536][URL: 151.99.72.125/data/0783dedfb62fa709/msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d1d060c0-7ece-4b96-9558-4bd0f2326040?P1=1652084683&P2=404&P3=2&P4=GtXnDMvssaTVZE%2bliGRNZPdTCGZcdK3lsfQhBycGI5on2dyQK7mRzg%2fAP%2fOuVTebtfWU%2bfL%2bVp][StatusCode: 206][Content-Type: application/octet-stream][Server: nginx][User-Agent: Microsoft-Delivery-Optimization/10.0][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** Binary File/Data Transfer (Attempt) **][Risk Score: 60][Risk Info: Found host 151.99.72.125 / Found binary mime octet-stream][PLAIN TEXT (GET /data/0783dedfb)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,72,0,0] diff --git a/tests/cfgs/enable_payload_stat/result/1kxun.pcap.out b/tests/cfgs/enable_payload_stat/result/1kxun.pcap.out index 620d62c8d..08a6a0d7d 100644 --- a/tests/cfgs/enable_payload_stat/result/1kxun.pcap.out +++ b/tests/cfgs/enable_payload_stat/result/1kxun.pcap.out @@ -192,7 +192,7 @@ JA3 Host Stats: 107 UDP 192.168.5.45:138 -> 192.168.255.255:138 [flowId: 69][proto: 10.16/NetBIOS.SMBv1][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 10.16/NetBIOS.SMBv1, Confidence: DPI][DPI packets: 1][cat: System/18][3 pkts/648 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][0.00 sec][Hostname/SNI: macbookair-e1d0][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT ( ENEBEDECEPEPELEBEJ)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 108 TCP 192.168.2.126:54810 <-> 18.233.123.55:80 [flowId: 191][proto: 7/HTTP][IP: 265/AmazonAWS][ClearText][Confidence: DPI][FPC: 7/HTTP, Confidence: DPI][DPI packets: 2][cat: Web/5][1 pkts/490 bytes <-> 1 pkts/141 bytes][Goodput ratio: 86/53][0.11 sec][Hostname/SNI: impression-east.liftoff.io][URL: impression-east.liftoff.io/mintegral/beacon?ad_group_id=143845&channel_id=117&creative_id=253640&auction_id=f84f54bf-31cd-43ff-bd27-526ccc6457da&origin=haggler-mintegral021][StatusCode: 200][User-Agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86 Build/RSR1.201013.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36][PLAIN TEXT (GET /mintegral/beacon)][Plen Bins: 0,0,50,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 109 TCP 192.168.2.126:51888 -> 119.28.164.143:80 [flowId: 153][proto: 7/HTTP][IP: 285/Tencent][ClearText][Confidence: DPI][FPC: 7/HTTP, Confidence: DPI][DPI packets: 1][cat: Web/5][1 pkts/571 bytes -> 0 pkts/0 bytes][Goodput ratio: 90/0][< 1 sec][Hostname/SNI: qzonestyle.gtimg.cn][URL: qzonestyle.gtimg.cn/qzone/openapi/qc-1.0.1.js][User-Agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86 Build/RSR1.201013.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (GET /qzone/openapi/qc)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 110 TCP 192.168.2.126:47230 <-> 161.117.13.29:80 [flowId: 132][proto: 7.295/HTTP.1kxun][IP: 274/Alibaba][ClearText][Confidence: DPI][FPC: 7.295/HTTP.1kxun, Confidence: DPI][DPI packets: 2][cat: Download/7][1 pkts/223 bytes <-> 1 pkts/330 bytes][Goodput ratio: 70/80][0.18 sec][Hostname/SNI: kankan.1kxun.mobi][URL: kankan.1kxun.mobi/api.domain.conf][StatusCode: 200][Content-Type: application/octet-stream][Server: openresty/1.13.6.1][User-Agent: okhttp/3.10.0][Risk: ** Binary file/data transfer (attempt) **][Risk Score: 50][Risk Info: Found binary mime octet-stream][PLAIN TEXT (GET /api.domain.conf HTTP/1.1)][Plen Bins: 0,0,0,0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 110 TCP 192.168.2.126:47230 <-> 161.117.13.29:80 [flowId: 132][proto: 7.295/HTTP.1kxun][IP: 274/Alibaba][ClearText][Confidence: DPI][FPC: 7.295/HTTP.1kxun, Confidence: DPI][DPI packets: 2][cat: Download/7][1 pkts/223 bytes <-> 1 pkts/330 bytes][Goodput ratio: 70/80][0.18 sec][Hostname/SNI: kankan.1kxun.mobi][URL: kankan.1kxun.mobi/api.domain.conf][StatusCode: 200][Content-Type: application/octet-stream][Server: openresty/1.13.6.1][User-Agent: okhttp/3.10.0][Risk: ** Binary File/Data Transfer (Attempt) **][Risk Score: 50][Risk Info: Found binary mime octet-stream][PLAIN TEXT (GET /api.domain.conf HTTP/1.1)][Plen Bins: 0,0,0,0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 111 UDP 192.168.115.8:137 -> 192.168.255.255:137 [flowId: 17][proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 10/NetBIOS, Confidence: DPI][DPI packets: 1][cat: System/18][6 pkts/552 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][1.50 sec][Hostname/SNI: wpad][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 300/0 749/0 367/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92/0 92/0 0/0][PLAIN TEXT ( FHFAEBEECACACACACACACACACACACA)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 112 UDP 192.168.5.67:138 -> 192.168.255.255:138 [flowId: 34][proto: 10.16/NetBIOS.SMBv1][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 10.16/NetBIOS.SMBv1, Confidence: DPI][DPI packets: 1][cat: System/18][2 pkts/549 bytes -> 0 pkts/0 bytes][Goodput ratio: 85/0][< 1 sec][Hostname/SNI: sanji-lifebook-][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT ( FDEBEOEKEJ)][Plen Bins: 0,0,0,0,0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 113 UDP [fe80::406:55a8:6453:25dd]:546 -> [ff02::1:2]:547 [flowId: 8][proto: 103/DHCPV6][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 103/DHCPV6, Confidence: DPI][DPI packets: 1][cat: Network/14][5 pkts/490 bytes -> 0 pkts/0 bytes][Goodput ratio: 37/0][15.56 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/ip_lists_disable/result/1kxun.pcap.out b/tests/cfgs/ip_lists_disable/result/1kxun.pcap.out index 2e68bfb77..9fafad21d 100644 --- a/tests/cfgs/ip_lists_disable/result/1kxun.pcap.out +++ b/tests/cfgs/ip_lists_disable/result/1kxun.pcap.out @@ -163,7 +163,7 @@ JA3 Host Stats: 107 UDP 192.168.5.45:138 -> 192.168.255.255:138 [proto: 10.16/NetBIOS.SMBv1][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 10.16/NetBIOS.SMBv1, Confidence: DPI][DPI packets: 1][cat: System/18][3 pkts/648 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][0.00 sec][Hostname/SNI: macbookair-e1d0][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT ( ENEBEDECEPEPELEBEJ)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 108 TCP 192.168.2.126:54810 <-> 18.233.123.55:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 7/HTTP, Confidence: DPI][DPI packets: 2][cat: Web/5][1 pkts/490 bytes <-> 1 pkts/141 bytes][Goodput ratio: 86/53][0.11 sec][Hostname/SNI: impression-east.liftoff.io][URL: impression-east.liftoff.io/mintegral/beacon?ad_group_id=143845&channel_id=117&creative_id=253640&auction_id=f84f54bf-31cd-43ff-bd27-526ccc6457da&origin=haggler-mintegral021][StatusCode: 200][User-Agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86 Build/RSR1.201013.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36][PLAIN TEXT (GET /mintegral/beacon)][Plen Bins: 0,0,50,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 109 TCP 192.168.2.126:51888 -> 119.28.164.143:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 7/HTTP, Confidence: DPI][DPI packets: 1][cat: Web/5][1 pkts/571 bytes -> 0 pkts/0 bytes][Goodput ratio: 90/0][< 1 sec][Hostname/SNI: qzonestyle.gtimg.cn][URL: qzonestyle.gtimg.cn/qzone/openapi/qc-1.0.1.js][User-Agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86 Build/RSR1.201013.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (GET /qzone/openapi/qc)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 110 TCP 192.168.2.126:47230 <-> 161.117.13.29:80 [proto: 7.295/HTTP.1kxun][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 7.295/HTTP.1kxun, Confidence: DPI][DPI packets: 2][cat: Download/7][1 pkts/223 bytes <-> 1 pkts/330 bytes][Goodput ratio: 70/80][0.18 sec][Hostname/SNI: kankan.1kxun.mobi][URL: kankan.1kxun.mobi/api.domain.conf][StatusCode: 200][Content-Type: application/octet-stream][Server: openresty/1.13.6.1][User-Agent: okhttp/3.10.0][Risk: ** Binary file/data transfer (attempt) **][Risk Score: 50][Risk Info: Found binary mime octet-stream][PLAIN TEXT (GET /api.domain.conf HTTP/1.1)][Plen Bins: 0,0,0,0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 110 TCP 192.168.2.126:47230 <-> 161.117.13.29:80 [proto: 7.295/HTTP.1kxun][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 7.295/HTTP.1kxun, Confidence: DPI][DPI packets: 2][cat: Download/7][1 pkts/223 bytes <-> 1 pkts/330 bytes][Goodput ratio: 70/80][0.18 sec][Hostname/SNI: kankan.1kxun.mobi][URL: kankan.1kxun.mobi/api.domain.conf][StatusCode: 200][Content-Type: application/octet-stream][Server: openresty/1.13.6.1][User-Agent: okhttp/3.10.0][Risk: ** Binary File/Data Transfer (Attempt) **][Risk Score: 50][Risk Info: Found binary mime octet-stream][PLAIN TEXT (GET /api.domain.conf HTTP/1.1)][Plen Bins: 0,0,0,0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 111 UDP 192.168.115.8:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 10/NetBIOS, Confidence: DPI][DPI packets: 1][cat: System/18][6 pkts/552 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][1.50 sec][Hostname/SNI: wpad][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 300/0 749/0 367/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92/0 92/0 0/0][PLAIN TEXT ( FHFAEBEECACACACACACACACACACACA)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 112 UDP 192.168.5.67:138 -> 192.168.255.255:138 [proto: 10.16/NetBIOS.SMBv1][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 10.16/NetBIOS.SMBv1, Confidence: DPI][DPI packets: 1][cat: System/18][2 pkts/549 bytes -> 0 pkts/0 bytes][Goodput ratio: 85/0][< 1 sec][Hostname/SNI: sanji-lifebook-][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT ( FDEBEOEKEJ)][Plen Bins: 0,0,0,0,0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 113 UDP [fe80::406:55a8:6453:25dd]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 103/DHCPV6, Confidence: DPI][DPI packets: 1][cat: Network/14][5 pkts/490 bytes -> 0 pkts/0 bytes][Goodput ratio: 37/0][15.56 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |