author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-07-01 08:20:18 +0200 |
committer | GitHub <noreply@github.com> | 2024-07-01 08:20:18 +0200 |
commit | fc334d56c4e571c831ce9ddd64f40c04ecf25fce (patch) | |
tree | e9941c5c8adf95e612ee40418adc5da435922c66 | |
parent | 4f05d214413d120909a84e224dd30499ef005da6 (diff) |
tunnelbear: improve detection over wireguard (#2485)
See #2484
-rw-r--r-- | src/lib/protocols/wireguard.c | 17 | ||||
-rw-r--r-- | tests/cfgs/default/pcap/tunnelbear.pcap | bin | 129592 -> 132624 bytes | |||
-rw-r--r-- | tests/cfgs/default/result/tunnelbear.pcap.out | 30 |
3 files changed, 30 insertions, 17 deletions
diff --git a/src/lib/protocols/wireguard.c b/src/lib/protocols/wireguard.c
index 16ef5aca4..86e457872 100644
--- a/src/lib/protocols/wireguard.c
+++ b/src/lib/protocols/wireguard.c
@@ -91,8 +91,15 @@ static void ndpi_search_wireguard(struct ndpi_detection_module_struct *ndpi_stru
 * 2) Handshake Response (92 bytes)
 * 3) Cookie Reply (64 bytes)
 * 4) Transport Data (variable length, min 32 bytes)
+ *
+ *
+ * TunnelBear VPN uses slightly different handshake packets: the format seems the same,
+ * but the length is different (204/100). Not sure why and I don't know if it is some
+ * kind of generic "obfuscation" attempt, used also by other apps. For the time being,
+ * classify this kind of traffic as Wireguard/TunnelBear
 */
- if (message_type == WG_TYPE_HANDSHAKE_INITIATION && packet->payload_packet_len == 148) {
+ if (message_type == WG_TYPE_HANDSHAKE_INITIATION &&
+ (packet->payload_packet_len == 148 || packet->payload_packet_len == 204)) {
 u_int32_t sender_index = get_u_int32_t(payload, 4);
 /*
 * We always start a new detection stage on a handshake initiation.
@@ -106,7 +113,8 @@ static void ndpi_search_wireguard(struct ndpi_detection_module_struct *ndpi_stru
 return;
 }
 /* need more packets before deciding */
- } else if (message_type == WG_TYPE_HANDSHAKE_RESPONSE && packet->payload_packet_len == 92) {
+ } else if (message_type == WG_TYPE_HANDSHAKE_RESPONSE &&
+ (packet->payload_packet_len == 92 || packet->payload_packet_len == 100)) {
 if (flow->l4.udp.wireguard_stage == 2 - packet->packet_direction) {
 /*
 * This means we are probably processing a handshake response to a handshake
@@ -116,7 +124,10 @@ static void ndpi_search_wireguard(struct ndpi_detection_module_struct *ndpi_stru
 u_int32_t receiver_index = get_u_int32_t(payload, 8);
 if (receiver_index == flow->l4.udp.wireguard_peer_index[1 - packet->packet_direction]) {
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WIREGUARD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ if(packet->payload_packet_len == 100)
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TUNNELBEAR, NDPI_PROTOCOL_WIREGUARD, NDPI_CONFIDENCE_DPI);
+ else
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WIREGUARD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
 } else {
 NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 }
diff --git a/tests/cfgs/default/pcap/tunnelbear.pcap b/tests/cfgs/default/pcap/tunnelbear.pcap
Binary files differ
index a28852a1f..ec8bba3b1 100644
--- a/tests/cfgs/default/pcap/tunnelbear.pcap
+++ b/tests/cfgs/default/pcap/tunnelbear.pcap
diff --git a/tests/cfgs/default/result/tunnelbear.pcap.out b/tests/cfgs/default/result/tunnelbear.pcap.out
index b9759a95e..33b572a04 100644
--- a/tests/cfgs/default/result/tunnelbear.pcap.out
+++ b/tests/cfgs/default/result/tunnelbear.pcap.out
@@ -1,9 +1,10 @@
 Guessed flow protos: 1
 DPI Packets (TCP): 125 (5.95 pkts/flow)
+DPI Packets (UDP): 2 (2.00 pkts/flow)
 Confidence Match by port : 1 (flows)
-Confidence DPI : 20 (flows)
-Num dissector calls: 22 (1.05 diss/flow)
+Confidence DPI : 21 (flows)
+Num dissector calls: 165 (7.50 diss/flow)
 LRU cache ookla: 0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache stun: 0/0/0 (insert/search/found)
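Review bot: The TunnelBear/WireGuard split in this hunk keys off the response length alone (`packet->payload_packet_len == 100`), while the initiation check in the first hunk accepts 148 or 204 bytes without recording which one matched, so a 204-byte initiation answered by a 92-byte response is reported as plain WireGuard and a 148-byte initiation answered by a 100-byte response as TunnelBear. If the two lengths are expected to go together (204 with 100, 148 with 92), the initiation length would have to be kept on the flow and compared here; if not, a comment above the new `if`, e.g. `/* only the response length decides WireGuard vs. TunnelBear; the initiation length is not re-checked */`, would save the next reader the question. Widening a length-only match is also the kind of change that can cost precision on unrelated UDP traffic; the sender/receiver index cross-check already in this hunk is what keeps that bounded, so any further relaxation of the lengths should stay behind it. Two style nits: `if(packet->payload_packet_len == 100)` lacks the space after `if` used elsewhere in the file, and the two empty `*` lines added at the top of the comment in the first hunk could be collapsed to one. `ndpi_search_wireguard` begins and ends outside these hunks.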
@@ -15,11 +16,11 @@ Automa domain: 22/0 (search/found) Automa tls cert: 1/0 (search/found) Automa risk mask: 2/0 (search/found) Automa common alpns: 32/32 (search/found) -Patricia risk mask: 6/0 (search/found) +Patricia risk mask: 8/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) -Patricia protocols: 23/19 (search/found) +Patricia protocols: 25/19 (search/found) Patricia protocols IPv6: 0/0 (search/found) DNS 5 306 1 @@ -27,10 +28,10 @@ TLS 24 9110 1 ADS_Analytic_Track 34 13737 2 FacebookMessenger 18 5263 1 GoogleServices 15 2661 1 -TunnelBear 325 84150 15 +TunnelBear 337 86766 16 Safe 24 9110 1 -Acceptable 363 92380 18 +Acceptable 375 94996 19 Tracker/Ads 34 13737 2 JA3 Host Stats: 
@@ -52,11 +53,12 @@ JA3 Host Stats: 11 TCP 10.8.0.1:60224 <-> 157.240.7.32:443 [proto: 91.157/TLS.FacebookMessenger][IP: 119/Facebook][Encrypted][Confidence: DPI][DPI packets: 6][cat: Chat/9][9 pkts/1320 bytes <-> 9 pkts/3943 bytes][Goodput ratio: 62/88][0.75 sec][Hostname/SNI: mqtt-mini.facebook.com][TLS Supported Versions: TLSv1.3;TLSv1.3 (Fizz)][bytes ratio: -0.498 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 107/92 386/335 131/108][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 147/438 575/2814 167/854][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.3][JA3C: 82932b3c6398511df186dfc9416db2d4][JA4: t00d010700_0f2cb44170f4_8e1d4e45f8f1][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 25,12,0,0,0,12,0,12,0,0,0,0,0,0,0,12,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12] 12 TCP 10.8.0.1:45126 <-> 104.17.115.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][DPI packets: 6][cat: VPN/2][16 pkts/3179 bytes <-> 16 pkts/2058 bytes][Goodput ratio: 72/58][0.56 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: 0.214 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 26/29 107/57 34/24][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 199/129 590/803 207/183][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][JA4: t12d1210h2_d34a8e72043a_f88f2b2eb673][JA3S: 5badad76fbdd6e8b6296e2e9f4024401][Safari][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 7,24,7,0,7,7,0,0,7,0,7,0,0,0,0,0,24,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 13 TCP 10.8.0.1:47046 <-> 74.125.200.188:5228 [proto: 91.239/TLS.GoogleServices][IP: 126/Google][Encrypted][Confidence: DPI][DPI packets: 6][cat: Web/5][8 pkts/1433 bytes <-> 7 pkts/1228 bytes][Goodput ratio: 68/69][0.45 sec][Hostname/SNI: mtalk.google.com][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.077 (Mixed)][IAT c2s/s2c 
min/avg/max/stddev: 0/3 50/79 243/193 88/64][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 179/175 587/583 197/182][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **][Risk Score: 60][Risk Info: No ALPN][TLSv1.3][JA3C: 58e34c2965c9f3fa4919d58deef1f49e][JA4: t13d171200_5b57614c22b0_352634941f3a][JA3S: 2b0648ab686ee45e0e7c35fcfb0eea7e][Safari][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,16,16,0,0,16,0,0,0,0,0,16,0,0,0,34,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 14 TCP 10.8.0.1:33846 <-> 104.17.114.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][DPI packets: 6][cat: VPN/2][10 pkts/1298 bytes <-> 9 pkts/642 bytes][Goodput ratio: 57/24][0.37 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: 0.338 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 46/58 339/331 111/122][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 130/71 571/210 150/49][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][JA4: t12d1210h2_d34a8e72043a_f88f2b2eb673][JA3S: 5badad76fbdd6e8b6296e2e9f4024401][Safari][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 16,34,16,0,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 15 TCP 10.8.0.1:45124 <-> 104.17.115.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][DPI packets: 6][cat: VPN/2][9 pkts/1244 bytes <-> 8 pkts/588 bytes][Goodput ratio: 59/26][0.42 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: 0.358 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/4 53/90 192/193 68/71][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 138/74 571/210 162/52][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][JA4: t12d1210h2_d34a8e72043a_f88f2b2eb673][JA3S: 5badad76fbdd6e8b6296e2e9f4024401][Safari][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 
0,25,0,0,25,25,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 16 TCP 10.158.132.91:38398 -> 104.17.114.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][DPI packets: 5][cat: VPN/2][5 pkts/1821 bytes -> 0 pkts/0 bytes][Goodput ratio: 85/0][0.46 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][Risk: ** Unidirectional Traffic **** Probing attempt **][Risk Score: 60][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][JA4: t12d1210h2_d34a8e72043a_f88f2b2eb673][Safari][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 17 TCP 10.8.0.1:33838 <-> 104.17.114.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][DPI packets: 6][cat: VPN/2][8 pkts/1190 bytes <-> 7 pkts/603 bytes][Goodput ratio: 62/37][0.45 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: 0.327 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 75/84 359/350 129/135][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 149/86 571/210 164/56][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][JA4: t12d1210h2_d34a8e72043a_f88f2b2eb673][JA3S: 5badad76fbdd6e8b6296e2e9f4024401][Safari][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,34,16,16,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 18 TCP 10.8.0.1:33842 <-> 104.17.114.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][DPI packets: 6][cat: VPN/2][8 pkts/1190 bytes <-> 7 pkts/603 bytes][Goodput ratio: 62/37][0.45 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: 0.327 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/2 74/85 340/331 122/125][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 149/86 571/210 
164/56][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][JA4: t12d1210h2_d34a8e72043a_f88f2b2eb673][JA3S: 5badad76fbdd6e8b6296e2e9f4024401][Safari][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,34,16,16,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 19 TCP 10.8.0.1:33848 <-> 104.17.114.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][DPI packets: 6][cat: VPN/2][8 pkts/1190 bytes <-> 7 pkts/603 bytes][Goodput ratio: 62/37][0.43 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: 0.327 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 72/80 338/330 121/127][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 149/86 571/210 164/56][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][JA4: t12d1210h2_d34a8e72043a_f88f2b2eb673][JA3S: 5badad76fbdd6e8b6296e2e9f4024401][Safari][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,34,16,16,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 20 TCP 10.8.0.1:33858 <-> 104.17.114.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][DPI packets: 5][cat: VPN/2][3 pkts/699 bytes <-> 2 pkts/108 bytes][Goodput ratio: 74/0][0.01 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][Risk: ** Probing attempt **][Risk Score: 50][Risk Info: TCP connection with unidirectional traffic][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][JA4: t12d1210h2_d34a8e72043a_f88f2b2eb673][Safari][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 21 TCP 10.158.132.91:51120 <-> 8.8.8.8:53 [proto: 5/DNS][IP: 126/Google][ClearText][Confidence: Match by port][DPI packets: 5][cat: Network/14][3 pkts/198 bytes <-> 2 pkts/108 bytes][Goodput ratio: 0/0][0.00 sec][::][Risk: ** Probing attempt **][Risk Score: 50][Risk Info: TCP connection with unidirectional 
traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 14 UDP 10.0.2.15:57636 <-> 142.93.78.79:51820 [proto: 206.299/WireGuard.TunnelBear][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 2][cat: VPN/2][11 pkts/2474 bytes <-> 1 pkts/142 bytes][Goodput ratio: 81/70][0.38 sec][bytes ratio: 0.891 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 26/0 88/0 27/0][Pkt Len c2s/s2c min/avg/max/stddev: 74/142 225/142 602/142 183/0][Plen Bins: 0,8,42,8,16,0,8,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 15 TCP 10.8.0.1:33846 <-> 104.17.114.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][DPI packets: 6][cat: VPN/2][10 pkts/1298 bytes <-> 9 pkts/642 bytes][Goodput ratio: 57/24][0.37 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: 0.338 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 46/58 339/331 111/122][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 130/71 571/210 150/49][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][JA4: t12d1210h2_d34a8e72043a_f88f2b2eb673][JA3S: 5badad76fbdd6e8b6296e2e9f4024401][Safari][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 16,34,16,0,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 16 TCP 10.8.0.1:45124 <-> 104.17.115.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][DPI packets: 6][cat: VPN/2][9 pkts/1244 bytes <-> 8 pkts/588 bytes][Goodput ratio: 59/26][0.42 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: 0.358 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/4 53/90 192/193 68/71][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 138/74 571/210 162/52][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][JA4: t12d1210h2_d34a8e72043a_f88f2b2eb673][JA3S: 5badad76fbdd6e8b6296e2e9f4024401][Safari][Cipher: 
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,25,0,0,25,25,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 17 TCP 10.158.132.91:38398 -> 104.17.114.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][DPI packets: 5][cat: VPN/2][5 pkts/1821 bytes -> 0 pkts/0 bytes][Goodput ratio: 85/0][0.46 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][Risk: ** Unidirectional Traffic **** Probing attempt **][Risk Score: 60][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][JA4: t12d1210h2_d34a8e72043a_f88f2b2eb673][Safari][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 18 TCP 10.8.0.1:33838 <-> 104.17.114.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][DPI packets: 6][cat: VPN/2][8 pkts/1190 bytes <-> 7 pkts/603 bytes][Goodput ratio: 62/37][0.45 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: 0.327 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 75/84 359/350 129/135][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 149/86 571/210 164/56][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][JA4: t12d1210h2_d34a8e72043a_f88f2b2eb673][JA3S: 5badad76fbdd6e8b6296e2e9f4024401][Safari][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,34,16,16,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 19 TCP 10.8.0.1:33842 <-> 104.17.114.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][DPI packets: 6][cat: VPN/2][8 pkts/1190 bytes <-> 7 pkts/603 bytes][Goodput ratio: 62/37][0.45 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: 0.327 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/2 74/85 340/331 122/125][Pkt Len 
c2s/s2c min/avg/max/stddev: 54/54 149/86 571/210 164/56][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][JA4: t12d1210h2_d34a8e72043a_f88f2b2eb673][JA3S: 5badad76fbdd6e8b6296e2e9f4024401][Safari][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,34,16,16,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 20 TCP 10.8.0.1:33848 <-> 104.17.114.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][DPI packets: 6][cat: VPN/2][8 pkts/1190 bytes <-> 7 pkts/603 bytes][Goodput ratio: 62/37][0.43 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: 0.327 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 72/80 338/330 121/127][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 149/86 571/210 164/56][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][JA4: t12d1210h2_d34a8e72043a_f88f2b2eb673][JA3S: 5badad76fbdd6e8b6296e2e9f4024401][Safari][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,34,16,16,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 21 TCP 10.8.0.1:33858 <-> 104.17.114.40:443 [proto: 91.299/TLS.TunnelBear][IP: 220/Cloudflare][Encrypted][Confidence: DPI][DPI packets: 5][cat: VPN/2][3 pkts/699 bytes <-> 2 pkts/108 bytes][Goodput ratio: 74/0][0.01 sec][Hostname/SNI: api.polargrizzly.com][(Advertised) ALPNs: h2;http/1.1][Risk: ** Probing attempt **][Risk Score: 50][Risk Info: TCP connection with unidirectional traffic][TLSv1.2][JA3C: e9ec38c2b40ff3e300e9975dd7619902][JA4: t12d1210h2_d34a8e72043a_f88f2b2eb673][Safari][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 22 TCP 10.158.132.91:51120 <-> 8.8.8.8:53 [proto: 5/DNS][IP: 126/Google][ClearText][Confidence: Match by port][DPI packets: 5][cat: Network/14][3 pkts/198 bytes <-> 2 pkts/108 bytes][Goodput ratio: 0/0][0.00 sec][::][Risk: ** Probing attempt **][Risk Score: 
50][Risk Info: TCP connection with unidirectional traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |