authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2024-06-17 13:45:47 +0200
committerGitHub <noreply@github.com>2024-06-17 13:45:47 +0200
commit26cc1f131f2576a49a3b9c43cd4b787b067b3f5a (patch)
tree90fc819791daee5fafb3372fa0e2f9b75b4368b5
parenta35fae6b75924394ddbf7df4fc5a6eb114cf76d6 (diff)
fuzz: improve fuzzing coverage (#2474)
Remove some code never triggered. AFP: the removed check is included in the following one. MQTT: fix flags extraction.
-rw-r--r--example/reader_util.c2
-rw-r--r--fuzz/corpus/fuzz_serialization/b524f7bc777b60fa186852b7db1c961841e54205bin68 -> 0 bytes
-rw-r--r--fuzz/fuzz_alg_shoco.cpp16
-rw-r--r--fuzz/fuzz_config.cpp7
-rw-r--r--fuzz/fuzz_ds_ahocorasick.cpp5
-rw-r--r--fuzz/fuzz_ds_domain_classify.cpp2
-rw-r--r--fuzz/fuzz_gcrypt_cipher.cpp8
-rw-r--r--fuzz/fuzz_ndpi_reader.c6
-rw-r--r--fuzz/fuzz_serialization.cpp24
-rw-r--r--src/lib/ndpi_main.c2
-rw-r--r--src/lib/protocols/afp.c14
-rw-r--r--src/lib/protocols/mqtt.c9
-rw-r--r--src/lib/protocols/ssdp.c5
-rw-r--r--src/lib/protocols/thrift.c3
-rw-r--r--src/lib/protocols/tls.c5
-rw-r--r--tests/cfgs/default/pcap/netbios.pcapbin28866 -> 33344 bytes
-rw-r--r--tests/cfgs/default/pcap/pgsql2.pcapngbin0 -> 4112 bytes
-rw-r--r--tests/cfgs/default/result/netbios.pcap.out29
-rw-r--r--tests/cfgs/default/result/pgsql2.pcapng.out26
19 files changed, 97 insertions, 66 deletions
diff --git a/example/reader_util.c b/example/reader_util.c
index a6c472b3f..72e1843ae 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -1353,7 +1353,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
flow->detected_protocol,
&flow->ndpi_flow_serializer) != 0) {
LOG(NDPI_LOG_ERROR, "flow2json failed\n");
- exit(-1);
+ return;
}
ndpi_serialize_string_uint32(&flow->ndpi_flow_serializer, "detection_completed", flow->detection_completed);
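Review bot: The new `return;` leaves `flow->ndpi_flow_serializer` in whatever partial state the failed flow2json call reached, and because `process_ndpi_collected_info` returns void the caller cannot tell that serialization did not complete. If that serializer is printed or reused later (not visible in this hunk), a truncated record could be emitted; consider clearing it before returning with `ndpi_reset_serializer(&flow->ndpi_flow_serializer);`, or at least add a comment such as `/* serializer content is incomplete from here on */`. The function body starts and continues outside the hunk.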
diff --git a/fuzz/corpus/fuzz_serialization/b524f7bc777b60fa186852b7db1c961841e54205 b/fuzz/corpus/fuzz_serialization/b524f7bc777b60fa186852b7db1c961841e54205
deleted file mode 100644
index 7b17c6549..000000000
--- a/fuzz/corpus/fuzz_serialization/b524f7bc777b60fa186852b7db1c961841e54205
+++ /dev/null
Binary files differ
diff --git a/fuzz/fuzz_alg_shoco.cpp b/fuzz/fuzz_alg_shoco.cpp
index 40fe0f0f4..68d262660 100644
--- a/fuzz/fuzz_alg_shoco.cpp
+++ b/fuzz/fuzz_alg_shoco.cpp
@@ -1,5 +1,6 @@
#include <stdint.h>
#include "shoco.h"
+#include "ndpi_api.h"
#include "fuzzer/FuzzedDataProvider.h"
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
@@ -7,16 +8,25 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
const char *in;
size_t in_len, out_len;
char out[8192], orig[8192];
+ int higher_level_api;
/* No memory allocations involved */
+ higher_level_api = fuzzed_data.ConsumeBool();
+
std::string s = fuzzed_data.ConsumeRemainingBytesAsString().c_str();
in = s.c_str();
in_len = strlen(in);
- out_len = shoco_compress(in, in_len, out, sizeof(out));
- if(out_len <= sizeof(out)) /* No error */
- shoco_decompress(out, out_len, orig, sizeof(orig));
+ if(!higher_level_api) {
+ out_len = shoco_compress(in, in_len, out, sizeof(out));
+ if(out_len <= sizeof(out)) /* No error */
+ shoco_decompress(out, out_len, orig, sizeof(orig));
+ } else {
+ out_len = ndpi_compress_str(in, in_len, out, sizeof(out));
+ if(out_len != 0) /* No error */
+ ndpi_decompress_str(out, out_len, orig, sizeof(orig));
+ }
return 0;
}
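Review bot: Neither branch keeps the value returned by the decompress call or compares `orig` with `in`, so this harness can only surface faults the sanitizers catch, not a compress/decompress mismatch. If the round trip is meant to be lossless for inputs that fit the 8192-byte buffers, storing the length and comparing gives the fuzzer an oracle for logic errors, e.g. `size_t n = ndpi_decompress_str(out, out_len, orig, sizeof(orig));` followed by `assert(n != in_len || memcmp(orig, in, n) == 0);`. As a smaller point, `higher_level_api` only ever holds the result of `ConsumeBool()` and could be declared `bool`.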
diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp
index 4034874f1..edfa42ceb 100644
--- a/fuzz/fuzz_config.cpp
+++ b/fuzz/fuzz_config.cpp
@@ -518,6 +518,12 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
ndpi_severity2str(static_cast<ndpi_risk_severity>(fuzzed_data.ConsumeIntegral<u_int8_t>()));
ndpi_risk2score(static_cast<ndpi_risk_enum>(fuzzed_data.ConsumeIntegral<u_int64_t>()), &unused1, &unused2);
ndpi_http_method2str(static_cast<ndpi_http_method>(fuzzed_data.ConsumeIntegral<u_int8_t>()));
+ ndpi_confidence_get_name(static_cast<ndpi_confidence_t>(fuzzed_data.ConsumeIntegral<u_int8_t>()));
+ ndpi_get_proto_breed_name(static_cast<ndpi_protocol_breed_t>(fuzzed_data.ConsumeIntegral<u_int8_t>()));
+ ndpi_get_l4_proto_name(static_cast<ndpi_l4_proto_info>(fuzzed_data.ConsumeIntegral<u_int8_t>()));
+
+ char buf2[16];
+ ndpi_entropy2str(fuzzed_data.ConsumeFloatingPoint<float>(), fuzzed_data.ConsumeBool() ? buf2 : NULL, sizeof(buf2));
/* Basic code to try testing this "config" */
bool_value = fuzzed_data.ConsumeBool();
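Review bot: Both `fuzzed_data.Consume...()` calls are arguments of the same `ndpi_entropy2str(...)` call, and C++ leaves the evaluation order of function arguments unspecified, so the same input bytes can map to a different (entropy, buffer) pair depending on the compiler. That makes a reproducer found with one toolchain unreliable on another; hoisting the calls into locals fixes the order, `float e = fuzzed_data.ConsumeFloatingPoint<float>();` then `bool use_buf = fuzzed_data.ConsumeBool();`. The size argument is always `sizeof(buf2)`, so if short-buffer handling is of interest it could be fuzzed too with `fuzzed_data.ConsumeIntegralInRange<size_t>(0, sizeof(buf2))`. The enclosing function starts and ends outside the hunk.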
@@ -545,7 +551,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
ndpi_get_flow_ndpi_proto(&flow, &p2);
ndpi_is_proto(p, NDPI_PROTOCOL_TLS);
ndpi_http_method2str(flow.http.method);
- ndpi_get_l4_proto_name(ndpi_get_l4_proto_info(ndpi_info_mod, p.app_protocol));
ndpi_is_subprotocol_informative(p.app_protocol);
ndpi_get_http_method(bool_value ? &flow : NULL);
ndpi_get_http_url(&flow);
diff --git a/fuzz/fuzz_ds_ahocorasick.cpp b/fuzz/fuzz_ds_ahocorasick.cpp
index 949cc4b6d..5a61f0022 100644
--- a/fuzz/fuzz_ds_ahocorasick.cpp
+++ b/fuzz/fuzz_ds_ahocorasick.cpp
@@ -44,7 +44,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
ac_automata_enable_debug(0);
a = ac_automata_init(mc);
- a2 = ndpi_init_automa();
+ if (fuzzed_data.ConsumeBool())
+ a2 = ndpi_init_automa();
+ else
+ a2 = ndpi_init_automa_domain();
if (fuzzed_data.ConsumeBool())
ac_automata_feature(a, AC_FEATURE_DEBUG);
diff --git a/fuzz/fuzz_ds_domain_classify.cpp b/fuzz/fuzz_ds_domain_classify.cpp
index 8e19b4725..a53c8d130 100644
--- a/fuzz/fuzz_ds_domain_classify.cpp
+++ b/fuzz/fuzz_ds_domain_classify.cpp
@@ -47,7 +47,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
num_iteration = fuzzed_data.ConsumeIntegral<u_int8_t>();
for (i = 0; i < num_iteration; i++) {
value = fuzzed_data.ConsumeBytesAsString(fuzzed_data.ConsumeIntegral<u_int8_t>());
- ndpi_domain_classify_hostname(ndpi_struct, d, &class_id, (char *)value.c_str());
+ ndpi_domain_classify_hostname(fuzzed_data.ConsumeBool() ? ndpi_struct : NULL, d, &class_id, (char *)value.c_str());
}
/* Search of an added entry */
diff --git a/fuzz/fuzz_gcrypt_cipher.cpp b/fuzz/fuzz_gcrypt_cipher.cpp
index 703e480a7..520133aae 100644
--- a/fuzz/fuzz_gcrypt_cipher.cpp
+++ b/fuzz/fuzz_gcrypt_cipher.cpp
@@ -6,6 +6,7 @@
#define MBEDTLS_CHECK_RETURN_TYPICAL
#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 )
#include "gcrypt/cipher.h"
+#include "gcrypt/error.h"
#include "gcrypt/aes.h"
extern int force_no_aesni;
@@ -56,10 +57,17 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
mbedtls_cipher_info_get_type(ctx_e->cipher_info);
mbedtls_cipher_info_get_name(ctx_e->cipher_info);
mbedtls_cipher_info_has_variable_key_bitlen(ctx_e->cipher_info);
+ mbedtls_cipher_info_has_variable_iv_size(ctx_e->cipher_info);
mbedtls_cipher_info_get_iv_size(ctx_e->cipher_info);
mbedtls_cipher_info_get_block_size(ctx_e->cipher_info);
mbedtls_cipher_get_cipher_mode(ctx_e);
+ mbedtls_cipher_get_iv_size(ctx_e);
+ mbedtls_cipher_get_type(ctx_e);
+ mbedtls_cipher_get_name(ctx_e);
+ mbedtls_cipher_get_key_bitlen(ctx_e);
+ mbedtls_cipher_get_operation(ctx_e);
mbedtls_cipher_info_get_key_bitlen(ctx_e->cipher_info);
+ mbedtls_error_add(0, 0, NULL, 0);
posix_memalign((void **)&ctx_e->cipher_ctx, 8, sizeof(mbedtls_aes_context));
posix_memalign((void **)&ctx_d->cipher_ctx, 8, sizeof(mbedtls_aes_context));
diff --git a/fuzz/fuzz_ndpi_reader.c b/fuzz/fuzz_ndpi_reader.c
index 9d061e5ca..80ed16886 100644
--- a/fuzz/fuzz_ndpi_reader.c
+++ b/fuzz/fuzz_ndpi_reader.c
@@ -15,7 +15,7 @@ struct ndpi_global_context *g_ctx;
u_int8_t enable_payload_analyzer = 0;
u_int8_t enable_flow_stats = 1;
u_int8_t human_readeable_string_len = 5;
-u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 80 /* due to telnet */;
+u_int8_t max_num_udp_dissected_pkts = 0, max_num_tcp_dissected_pkts = 0; /* Disable limits at application layer */;
int malloc_size_stats = 0;
extern void ndpi_report_payload_stats(FILE *out);
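Review bot: The new declaration line ends with a second `;` after the comment, which is an empty declaration at file scope; compilers accept it but pedantic builds warn about it. Dropping it gives `u_int8_t max_num_udp_dissected_pkts = 0, max_num_tcp_dissected_pkts = 0; /* Disable limits at application layer */`. Since the old inline rationale (Signal, telnet) is gone, the comment could also say where the effective bound now comes from, presumably the `packets_limit_per_flow` setting added further down in this file.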
@@ -53,6 +53,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
workflow = ndpi_workflow_init(prefs, NULL /* pcap handler will be set later */, 0, ndpi_serialization_format_json, g_ctx);
+ ndpi_workflow_set_flow_callback(workflow, NULL, NULL); /* No real callback */
+
ndpi_set_config(workflow->ndpi_struct, NULL, "log.level", "3");
ndpi_set_config(workflow->ndpi_struct, "all", "log", "1");
@@ -68,10 +70,12 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
NDPI_BITMASK_SET_ALL(all);
ndpi_set_protocol_detection_bitmask2(workflow->ndpi_struct, &all);
+ ndpi_set_config(workflow->ndpi_struct, NULL, "packets_limit_per_flow", "255");
ndpi_set_config(workflow->ndpi_struct, NULL, "flow.track_payload", "1");
ndpi_set_config(workflow->ndpi_struct, NULL, "tcp_ack_payload_heuristic", "1");
ndpi_set_config(workflow->ndpi_struct, "tls", "application_blocks_tracking", "1");
ndpi_set_config(workflow->ndpi_struct, "stun", "max_packets_extra_dissection", "255");
+ ndpi_set_config(workflow->ndpi_struct, "zoom", "max_packets_extra_dissection", "255");
ndpi_set_config(workflow->ndpi_struct, "rtp", "search_for_stun", "1");
ndpi_finalize_initialization(workflow->ndpi_struct);
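Review bot: The results of the two added `ndpi_set_config()` calls are discarded, so a misspelled or later renamed key such as `"packets_limit_per_flow"` would fail silently and the harness would keep running with default limits, losing the coverage this change is after. The values are constants rather than fuzzed input, so a check is cheap unless this harness injects allocation failures (not visible here): `if(ndpi_set_config(workflow->ndpi_struct, NULL, "packets_limit_per_flow", "255") != NDPI_CFG_OK) abort();`. The same applies to the existing calls around them; the function body starts and ends outside the hunk.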
diff --git a/fuzz/fuzz_serialization.cpp b/fuzz/fuzz_serialization.cpp
index d097c683c..5b5de9fe0 100644
--- a/fuzz/fuzz_serialization.cpp
+++ b/fuzz/fuzz_serialization.cpp
@@ -14,7 +14,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
int rc;
std::vector<char>d;
char kbuf[32];
- u_int32_t buffer_len;
+ u_int32_t buffer_len, kbuf_len;
/* To allow memory allocation failures */
fuzz_set_alloc_callbacks_and_seed(size);
@@ -66,19 +66,23 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
ndpi_serialize_string_raw(&serializer, kbuf, d.data(), d.size());
ndpi_serialize_string_boolean(&serializer, kbuf, fuzzed_data.ConsumeIntegral<int8_t>());
- if (fuzzed_data.ConsumeBool())
+ if (fuzzed_data.ConsumeBool()) {
snprintf(kbuf, sizeof(kbuf), "%d", i); /* To trigger OPTIMIZE_NUMERIC_KEYS */
- ndpi_serialize_binary_uint32(&serializer, kbuf, sizeof(kbuf), fuzzed_data.ConsumeIntegral<u_int32_t>());
- ndpi_serialize_binary_int32(&serializer, kbuf, sizeof(kbuf), fuzzed_data.ConsumeIntegral<int32_t>());
- ndpi_serialize_binary_uint64(&serializer, kbuf, sizeof(kbuf), fuzzed_data.ConsumeIntegral<u_int64_t>());
- ndpi_serialize_binary_int64(&serializer, kbuf, sizeof(kbuf), fuzzed_data.ConsumeIntegral<int64_t>());
- ndpi_serialize_binary_float(&serializer, kbuf, sizeof(kbuf), fuzzed_data.ConsumeFloatingPoint<float>(), "%f");
+ kbuf_len = strlen(kbuf);
+ } else {
+ kbuf_len = sizeof(kbuf);
+ }
+ ndpi_serialize_binary_uint32(&serializer, kbuf, kbuf_len, fuzzed_data.ConsumeIntegral<u_int32_t>());
+ ndpi_serialize_binary_int32(&serializer, kbuf, kbuf_len, fuzzed_data.ConsumeIntegral<int32_t>());
+ ndpi_serialize_binary_uint64(&serializer, kbuf, kbuf_len, fuzzed_data.ConsumeIntegral<u_int64_t>());
+ ndpi_serialize_binary_int64(&serializer, kbuf, kbuf_len, fuzzed_data.ConsumeIntegral<int64_t>());
+ ndpi_serialize_binary_float(&serializer, kbuf, kbuf_len, fuzzed_data.ConsumeFloatingPoint<float>(), "%f");
if (fmt != ndpi_serialization_format_tlv)
- ndpi_serialize_binary_double(&serializer, kbuf, sizeof(kbuf), fuzzed_data.ConsumeFloatingPoint<double>(), "%lf");
- ndpi_serialize_binary_boolean(&serializer, kbuf, sizeof(kbuf), fuzzed_data.ConsumeIntegral<int8_t>());
+ ndpi_serialize_binary_double(&serializer, kbuf, kbuf_len, fuzzed_data.ConsumeFloatingPoint<double>(), "%lf");
+ ndpi_serialize_binary_boolean(&serializer, kbuf, kbuf_len, fuzzed_data.ConsumeIntegral<int8_t>());
d = fuzzed_data.ConsumeBytes<char>(16);
if (d.size())
- ndpi_serialize_binary_binary(&serializer, kbuf, sizeof(kbuf), d.data(), d.size());
+ ndpi_serialize_binary_binary(&serializer, kbuf, kbuf_len, d.data(), d.size());
if ((i & 0x3) == 0x3)
ndpi_serialize_end_of_record(&serializer);
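Review bot: In the `else` branch `kbuf_len` stays `sizeof(kbuf)`, so the `ndpi_serialize_binary_*` calls still take all 32 bytes of `kbuf` as the key, including the terminator and whatever follows it. How `kbuf` is filled on that path is outside the hunk; if it comes from an earlier `snprintf`, the tail bytes are leftovers from previous iterations, or uninitialized on the first one, which MemorySanitizer would report. If the full-length key is deliberate, a comment would make that clear, e.g. `/* whole buffer on purpose: key with embedded NUL, never treated as numeric */`; otherwise `strlen(kbuf)` in both branches is simpler. `strlen()` returns `size_t` while `kbuf_len` is `u_int32_t`, which is harmless for a 32-byte buffer but could be made explicit with a cast.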
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 7e70a7a56..a08a20650 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4980,7 +4980,7 @@ int load_category_file_fd(struct ndpi_detection_module_struct *ndpi_str,
continue;
}
- if(ndpi_load_category(ndpi_str, line, category_id, NULL) > 0)
+ if(ndpi_load_category(ndpi_str, line, category_id, NULL) >= 0)
num_loaded++;
}
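Review bot: With `>= 0` a return of 0 from `ndpi_load_category()` now increments `num_loaded`, but the hunk does not show what 0 means (for example a duplicate or skipped entry versus a successful insert), and the commit message does not mention this change. If callers use the result of `load_category_file_fd()` to decide whether a category file was usable, the count may now include lines that added nothing. A one-line comment at the check stating the convention would make the intent verifiable, for instance `/* ndpi_load_category(): < 0 on error, >= 0 on success */` if that is indeed the contract. The function body starts and ends outside the hunk.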
diff --git a/src/lib/protocols/afp.c b/src/lib/protocols/afp.c
index 5b420f422..73d623457 100644
--- a/src/lib/protocols/afp.c
+++ b/src/lib/protocols/afp.c
@@ -62,20 +62,6 @@ static void ndpi_search_afp(struct ndpi_detection_module_struct *ndpi_struct, st
return;
}
- /*
- * this will detect the OpenSession command of the Data Stream Interface (DSI) protocol
- * which is exclusively used by the Apple Filing Protocol (AFP) on TCP/IP networks
- */
- if (packet->payload_packet_len >= 22 && get_u_int16_t(packet->payload, 0) == htons(0x0004) &&
- get_u_int16_t(packet->payload, 2) == htons(0x0001) && get_u_int32_t(packet->payload, 4) == 0 &&
- get_u_int32_t(packet->payload, 8) == htonl(packet->payload_packet_len - 16) &&
- get_u_int32_t(packet->payload, 12) == 0 && get_u_int16_t(packet->payload, 16) == htons(0x0104)) {
-
- NDPI_LOG_INFO(ndpi_struct, "found AFP: DSI OpenSession\n");
- ndpi_int_afp_add_connection(ndpi_struct, flow);
- return;
- }
-
if((h->flags <= 1)
&& ((h->command >= 1) && (h->command <= 8))
&& (h->reserved == 0)
diff --git a/src/lib/protocols/mqtt.c b/src/lib/protocols/mqtt.c
index c88844a09..ea2390d37 100644
--- a/src/lib/protocols/mqtt.c
+++ b/src/lib/protocols/mqtt.c
@@ -179,18 +179,13 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
}
if (pt == PUBLISH) {
// payload CAN be zero bytes length (section 3.3.3 of MQTT standard)
- u_int8_t qos = (u_int8_t) (flags & 0x06);
- u_int8_t dup = (u_int8_t) (flags & 0x04);
+ u_int8_t qos = (u_int8_t) (flags & 0x06) >> 1;
+ u_int8_t dup = (u_int8_t) (flags & 0x08) >> 3;
if (qos > 2) { // qos values possible are 0,1,2
NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
return;
}
- if (dup > 1) { // dup flag possible 0,1
- NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH dup\n");
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
- return;
- }
if (qos == 0) {
if (dup != 0) {
NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos0 and dup combination\n");
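Review bot: In `(u_int8_t) (flags & 0x06) >> 1` the cast binds tighter than the shift, so the masked value is cast, promoted back to `int`, shifted, and narrowed again on assignment; the result is correct but the expression reads as if the cast covered the shift. Parenthesizing makes the intent explicit: `u_int8_t qos = (u_int8_t)((flags & 0x06) >> 1);` and `u_int8_t dup = (u_int8_t)((flags & 0x08) >> 3);`. Assuming `flags` holds the low nibble of the first header byte (its definition is outside the hunk), a short comment naming the bits, `/* bit 3: DUP, bits 2-1: QoS, bit 0: RETAIN */`, would document why the DUP mask changed from `0x04`. The function body starts and ends outside the hunk.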
diff --git a/src/lib/protocols/ssdp.c b/src/lib/protocols/ssdp.c
index 3e18edf50..90ce4c04c 100644
--- a/src/lib/protocols/ssdp.c
+++ b/src/lib/protocols/ssdp.c
@@ -47,10 +47,7 @@ static void ssdp_parse_lines(struct ndpi_detection_module_struct
/* Save host which provides a service if available */
if (packet->host_line.ptr != NULL && packet->host_line.len > 0) {
- if (ndpi_hostname_sni_set(flow, packet->host_line.ptr, packet->host_line.len, NDPI_HOSTNAME_NORM_ALL) == NULL)
- {
- NDPI_LOG_DBG2(ndpi_struct, "Could not set SSDP host\n");
- }
+ ndpi_hostname_sni_set(flow, packet->host_line.ptr, packet->host_line.len, NDPI_HOSTNAME_NORM_ALL);
}
}
diff --git a/src/lib/protocols/thrift.c b/src/lib/protocols/thrift.c
index d9be27ca5..79ee6ebb5 100644
--- a/src/lib/protocols/thrift.c
+++ b/src/lib/protocols/thrift.c
@@ -83,9 +83,6 @@ static void ndpi_int_thrift_add_connection(struct ndpi_detection_module_struct *
case NDPI_PROTOCOL_HTTP:
NDPI_LOG_DBG(ndpi_struct, "found Apache Thrift HTTP\n");
break;
- default:
- NDPI_LOG_DBG(ndpi_struct, "found Apache Thrift\n");
- break;
}
ndpi_set_detected_protocol(ndpi_struct, flow,
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index ca23da4f8..2d8247d51 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1032,10 +1032,6 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
break;
}
- if(len == 0) {
- something_went_wrong = 1;
- break;
- }
#ifdef DEBUG_TLS_MEMORY
printf("[TLS Mem] Processing %u bytes message\n", len);
@@ -1638,7 +1634,6 @@ static bool is_grease_version(u_int16_t version) {
case 0xeaea:
case 0xfafa:
return(true);
- break;
default:
return(false);
diff --git a/tests/cfgs/default/pcap/netbios.pcap b/tests/cfgs/default/pcap/netbios.pcap
index 1e8ee3920..b143112fd 100644
--- a/tests/cfgs/default/pcap/netbios.pcap
+++ b/tests/cfgs/default/pcap/netbios.pcap
Binary files differ
diff --git a/tests/cfgs/default/pcap/pgsql2.pcapng b/tests/cfgs/default/pcap/pgsql2.pcapng
new file mode 100644
index 000000000..3ff361623
--- /dev/null
+++ b/tests/cfgs/default/pcap/pgsql2.pcapng
Binary files differ
diff --git a/tests/cfgs/default/result/netbios.pcap.out b/tests/cfgs/default/result/netbios.pcap.out
index 3f59e3a00..1934e8825 100644
--- a/tests/cfgs/default/result/netbios.pcap.out
+++ b/tests/cfgs/default/result/netbios.pcap.out
@@ -1,10 +1,10 @@
Guessed flow protos: 1
-DPI Packets (TCP): 2 (2.00 pkts/flow)
+DPI Packets (TCP): 3 (1.50 pkts/flow)
DPI Packets (UDP): 14 (1.00 pkts/flow)
Confidence Match by port : 1 (flows)
-Confidence DPI : 14 (flows)
-Num dissector calls: 164 (10.93 diss/flow)
+Confidence DPI : 15 (flows)
+Num dissector calls: 165 (10.31 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/3/0 (insert/search/found)
LRU cache stun: 0/0/0 (insert/search/found)
@@ -16,17 +16,17 @@ Automa domain: 0/0 (search/found)
Automa tls cert: 0/0 (search/found)
Automa risk mask: 5/0 (search/found)
Automa common alpns: 0/0 (search/found)
-Patricia risk mask: 12/0 (search/found)
+Patricia risk mask: 14/0 (search/found)
Patricia risk mask IPv6: 0/0 (search/found)
Patricia risk: 0/0 (search/found)
Patricia risk IPv6: 0/0 (search/found)
-Patricia protocols: 30/0 (search/found)
+Patricia protocols: 32/0 (search/found)
Patricia protocols IPv6: 0/0 (search/found)
-NetBIOS 258 24196 13
+NetBIOS 259 24326 14
SMBv1 2 486 2
-Acceptable 258 24196 13
+Acceptable 259 24326 14
Dangerous 2 486 2
1 UDP 10.0.4.131:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][181 pkts/16652 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][59.62 sec][Hostname/SNI: xstream_hy][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 10/0 328/0 929/0 225/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92/0 92/0 0/0][PLAIN TEXT ( FIFDFEFCEFEBENFPEIFJ)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
@@ -37,10 +37,11 @@ Dangerous 2 486 2
6 UDP 10.0.5.9:138 -> 10.0.5.255:138 [proto: 10.16/NetBIOS.SMBv1][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/243 bytes -> 0 pkts/0 bytes][Goodput ratio: 82/0][< 1 sec][Hostname/SNI: nvr9][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT ( EOFGFCDJ)][Plen Bins: 0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
7 UDP 10.0.5.93:138 -> 10.0.5.255:138 [proto: 10.16/NetBIOS.SMBv1][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/243 bytes -> 0 pkts/0 bytes][Goodput ratio: 82/0][< 1 sec][Hostname/SNI: bowie][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT ( ECEPFHEJEFCACACACACACACACACACA)][Plen Bins: 0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
8 UDP 10.0.4.101:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][2 pkts/184 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][18.05 sec][Hostname/SNI: muli][PLAIN TEXT ( ENFFEMEJ)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 9 TCP 10.0.4.24:139 <-> 10.0.4.131:1398 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 2][cat: System/18][1 pkts/60 bytes <-> 1 pkts/60 bytes][Goodput ratio: 2/0][< 1 sec][Risk: ** Probing attempt **][Risk Score: 50][Risk Info: TCP connection with unidirectional traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 10 UDP 10.0.4.24:137 -> 10.0.4.165:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/104 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][< 1 sec][Hostname/SNI: gunnar][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT ( EHFFEOEOEBFCCACACACACACACACACA)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 11 UDP 10.0.5.1:137 -> 10.0.4.24:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/104 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][< 1 sec][Hostname/SNI: guru][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 12 UDP 10.0.4.14:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: guru][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 13 UDP 10.0.4.24:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: guru][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 14 UDP 10.0.4.66:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: guru][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 15 UDP 10.0.4.165:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: gunnar][PLAIN TEXT ( EHFFEOEOEBFCCACACACACACACACACA)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 9 TCP 10.19.71.184:55489 -> 10.17.113.129:139 [VLAN: 2308][proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/130 bytes -> 0 pkts/0 bytes][Goodput ratio: 55/0][< 1 sec][Risk: ** Unidirectional Traffic **** Probing attempt **][Risk Score: 60][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][PLAIN TEXT (D EJECEJEGEIFBDBDBFHFDDADCDDCAC)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 10 TCP 10.0.4.24:139 <-> 10.0.4.131:1398 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 2][cat: System/18][1 pkts/60 bytes <-> 1 pkts/60 bytes][Goodput ratio: 2/0][< 1 sec][Risk: ** Probing attempt **][Risk Score: 50][Risk Info: TCP connection with unidirectional traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 11 UDP 10.0.4.24:137 -> 10.0.4.165:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/104 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][< 1 sec][Hostname/SNI: gunnar][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT ( EHFFEOEOEBFCCACACACACACACACACA)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 12 UDP 10.0.5.1:137 -> 10.0.4.24:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/104 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][< 1 sec][Hostname/SNI: guru][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 13 UDP 10.0.4.14:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: guru][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 14 UDP 10.0.4.24:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: guru][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 15 UDP 10.0.4.66:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: guru][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 16 UDP 10.0.4.165:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: gunnar][PLAIN TEXT ( EHFFEOEOEBFCCACACACACACACACACA)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/pgsql2.pcapng.out b/tests/cfgs/default/result/pgsql2.pcapng.out
new file mode 100644
index 000000000..c8d4fc837
--- /dev/null
+++ b/tests/cfgs/default/result/pgsql2.pcapng.out
@@ -0,0 +1,26 @@
+DPI Packets (TCP): 6 (6.00 pkts/flow)
+Confidence DPI : 1 (flows)
+Num dissector calls: 157 (157.00 diss/flow)
+LRU cache ookla: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache stun: 0/0/0 (insert/search/found)
+LRU cache tls_cert: 0/0/0 (insert/search/found)
+LRU cache mining: 0/0/0 (insert/search/found)
+LRU cache msteams: 0/0/0 (insert/search/found)
+Automa host: 0/0 (search/found)
+Automa domain: 0/0 (search/found)
+Automa tls cert: 0/0 (search/found)
+Automa risk mask: 0/0 (search/found)
+Automa common alpns: 0/0 (search/found)
+Patricia risk mask: 0/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk: 0/0 (search/found)
+Patricia risk IPv6: 0/0 (search/found)
+Patricia protocols: 2/0 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+PostgreSQL 19 3076 1
+
+Acceptable 19 3076 1
+
+ 1 TCP 10.220.20.67:58574 <-> 10.220.20.67:60102 [proto: 19/PostgreSQL][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Database/11][10 pkts/1252 bytes <-> 9 pkts/1824 bytes][Goodput ratio: 64/78][0.01 sec][bytes ratio: -0.186 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1/1 2/2 1/1][Pkt Len c2s/s2c min/avg/max/stddev: 44/44 125/203 372/1360 119/410][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Plen Bins: 25,0,12,25,0,0,0,0,0,12,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0]