Updated ESNI/SNI alarm generation prolicy

5 files changed, 24 insertions, 6 deletions

diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 7f9e8d5c0..5c0cc5145 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1539,7 +1539,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 
 	    /* Add check for missing SNI */
 	    if((flow->protos.stun_ssl.ssl.client_requested_server_name[0] == 0)
-	       && (flow->protos.stun_ssl.ssl.ssl_version >= 0x0302) /* TLSv1.1 */) {
+	       && (flow->protos.stun_ssl.ssl.ssl_version >= 0x0302) /* TLSv1.1 */
+	       && (flow->protos.stun_ssl.ssl.encrypted_sni.esni == NULL) /* No ESNI */
+	       ) {
 	      /* This is a bit suspicious */
 	      NDPI_SET_BIT(flow->risk, NDPI_TLS_MISSING_SNI);
 	    }
diff --git a/tests/pcap/no_sni.pcap b/tests/pcap/no_sni.pcap
new file mode 100644
index 000000000..694952399
--- /dev/null
+++ b/tests/pcap/no_sni.pcap
diff --git a/tests/result/encrypted_sni.pcap.out b/tests/result/encrypted_sni.pcap.out
index c942d96fb..d5ea9ea2c 100644
--- a/tests/result/encrypted_sni.pcap.out
+++ b/tests/result/encrypted_sni.pcap.out
@@ -5,6 +5,6 @@ JA3 Host Stats:
 	1	 192.168.1.12             	 1      
 
 
-	1	TCP 192.168.1.12:49886 -> 104.27.129.77:443 [proto: 91.220/TLS.Cloudflare][cat: Web/5][1 pkts/770 bytes -> 0 pkts/0 bytes][Goodput ratio: 93/0][< 1 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][Risk: ** SNI TLS extension was missing **][TLSv1.2][JA3C: e5ef852e686954ba9fe060fbfa881e15][ESNI: 9624CB3C4E230827F78CF5BF640D22DEA33FCC598EA6A32D939905586FBE997B9E68661F8956D4893072E19DE24CD1FB88A9F71FC4CC01BAB5C914FDF96A647D671B5E89859BAEEAB122218688496DF4DF0C328C3D5F940B109CEB2A2743D5CBE3594288A229B8C7E2F88303E3FE1A26A89E5001F2BD936890FEF78F06E05ECC063A68BDB8C18DFAC114CF1FECDB8BE1FC2FEECB2315D27998D682B129FD1E3EB5D7985DCBDC452A1082CCC038E0BF69570FEFAC6BC6FB951F89B6792CADA76403C02CEB5DCE1CE6EDDD16D5F7FB6B85D2B92485448DE0088E421E83F1E28B267FBE3B59AE0496FB845213C271D4C5AC5E9E7E5F6A3072445307FCCEB7306710459991C40CC4DC1FC325154C7974DD780371397805456A19AE23EE88475C1DF07697B666][ESNI Cipher: TLS_AES_128_GCM_SHA256][PLAIN TEXT (http/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	2	TCP 192.168.1.12:49887 -> 104.16.125.175:443 [proto: 91.220/TLS.Cloudflare][cat: Web/5][1 pkts/770 bytes -> 0 pkts/0 bytes][Goodput ratio: 93/0][< 1 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][Risk: ** SNI TLS extension was missing **][TLSv1.2][JA3C: e5ef852e686954ba9fe060fbfa881e15][ESNI: B900004E39E84B98F5AE87B0A020EC49FED86F2B488B6AB28BDE9F957621F2774366DE90E65C4CA808668911624685EC4C6DC6C161A97CBE82281BC08427697AA3BE6A40E5F00ACF8B63E329317B0E4E85642D50AB8790E6197DA62D9F5B3239DCC59437797FE768A520C9D471FEABA1375DF61E4A39B09363CB109E7B24A793844896DDD16B6EE7DBE576D767161D782D7BF6FEC453A05A923D8D8E9BEFFC97E8E56C4F1AAB70FE99BC97819E1D908A5F3B3094F4BF25EB7A24A94FDBC3E107A423B8BB341F22900F7BBD87780E30B6ECF393FEB8FBFFEB54C79FA0673FE1AAD17B221D4BFF6450AA0CD4AF513066B66080B602147F3ACB7145A436C5689DA20BACB8BF9BABD851012556EC8F7BB9D74BFAAF25DCF4362A5775607C3CE5C2C29F183969][ESNI Cipher: TLS_AES_128_GCM_SHA256][PLAIN TEXT (http/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	3	TCP 192.168.1.12:49897 -> 104.22.71.197:443 [proto: 91.220/TLS.Cloudflare][cat: Web/5][1 pkts/770 bytes -> 0 pkts/0 bytes][Goodput ratio: 93/0][< 1 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][Risk: ** SNI TLS extension was missing **][TLSv1.2][JA3C: e5ef852e686954ba9fe060fbfa881e15][ESNI: CD69AC727FFAA0EA70A12AA46E71537EB99234B996818C913C72A0AC1184BFA5DD3B617E013E4CA092B2E9CFB78BCD8D33CBAF12A974DFB78E49B8BF9A57997418EF14C87830961E3C8480D2A4BF27D61D911CEF4300924A9F36105748BAED845FF585E40406545BB35C6DAAD7896433EC4DFD6B6F49728DA85D707DB7AC784F55A6658DC6ADE3087B1E46BBBEDFA44F3E8754B31A6BCF8519D291D3629805FA826E43799EA6E33021CF0A83CA05717B00F37D69841934F5B5BF254C6467888A592C38A3007DB3B7D5CBB8DB742B657F8F973C050BAA817AA571393CD8A4BC0B2312460A77DD0510F4BBCE43D53BCF334E4E8C7570255BBD17714403F4B6925434CD67F96FA9E05D700776810EEB5786B1C8188A4D73F8208B614B93284A8093929594BE][ESNI Cipher: TLS_AES_128_GCM_SHA256][PLAIN TEXT (http/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	TCP 192.168.1.12:49886 -> 104.27.129.77:443 [proto: 91.220/TLS.Cloudflare][cat: Web/5][1 pkts/770 bytes -> 0 pkts/0 bytes][Goodput ratio: 93/0][< 1 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][TLSv1.2][JA3C: e5ef852e686954ba9fe060fbfa881e15][ESNI: 9624CB3C4E230827F78CF5BF640D22DEA33FCC598EA6A32D939905586FBE997B9E68661F8956D4893072E19DE24CD1FB88A9F71FC4CC01BAB5C914FDF96A647D671B5E89859BAEEAB122218688496DF4DF0C328C3D5F940B109CEB2A2743D5CBE3594288A229B8C7E2F88303E3FE1A26A89E5001F2BD936890FEF78F06E05ECC063A68BDB8C18DFAC114CF1FECDB8BE1FC2FEECB2315D27998D682B129FD1E3EB5D7985DCBDC452A1082CCC038E0BF69570FEFAC6BC6FB951F89B6792CADA76403C02CEB5DCE1CE6EDDD16D5F7FB6B85D2B92485448DE0088E421E83F1E28B267FBE3B59AE0496FB845213C271D4C5AC5E9E7E5F6A3072445307FCCEB7306710459991C40CC4DC1FC325154C7974DD780371397805456A19AE23EE88475C1DF07697B666][ESNI Cipher: TLS_AES_128_GCM_SHA256][PLAIN TEXT (http/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	2	TCP 192.168.1.12:49887 -> 104.16.125.175:443 [proto: 91.220/TLS.Cloudflare][cat: Web/5][1 pkts/770 bytes -> 0 pkts/0 bytes][Goodput ratio: 93/0][< 1 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][TLSv1.2][JA3C: e5ef852e686954ba9fe060fbfa881e15][ESNI: B900004E39E84B98F5AE87B0A020EC49FED86F2B488B6AB28BDE9F957621F2774366DE90E65C4CA808668911624685EC4C6DC6C161A97CBE82281BC08427697AA3BE6A40E5F00ACF8B63E329317B0E4E85642D50AB8790E6197DA62D9F5B3239DCC59437797FE768A520C9D471FEABA1375DF61E4A39B09363CB109E7B24A793844896DDD16B6EE7DBE576D767161D782D7BF6FEC453A05A923D8D8E9BEFFC97E8E56C4F1AAB70FE99BC97819E1D908A5F3B3094F4BF25EB7A24A94FDBC3E107A423B8BB341F22900F7BBD87780E30B6ECF393FEB8FBFFEB54C79FA0673FE1AAD17B221D4BFF6450AA0CD4AF513066B66080B602147F3ACB7145A436C5689DA20BACB8BF9BABD851012556EC8F7BB9D74BFAAF25DCF4362A5775607C3CE5C2C29F183969][ESNI Cipher: TLS_AES_128_GCM_SHA256][PLAIN TEXT (http/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	3	TCP 192.168.1.12:49897 -> 104.22.71.197:443 [proto: 91.220/TLS.Cloudflare][cat: Web/5][1 pkts/770 bytes -> 0 pkts/0 bytes][Goodput ratio: 93/0][< 1 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][TLSv1.2][JA3C: e5ef852e686954ba9fe060fbfa881e15][ESNI: CD69AC727FFAA0EA70A12AA46E71537EB99234B996818C913C72A0AC1184BFA5DD3B617E013E4CA092B2E9CFB78BCD8D33CBAF12A974DFB78E49B8BF9A57997418EF14C87830961E3C8480D2A4BF27D61D911CEF4300924A9F36105748BAED845FF585E40406545BB35C6DAAD7896433EC4DFD6B6F49728DA85D707DB7AC784F55A6658DC6ADE3087B1E46BBBEDFA44F3E8754B31A6BCF8519D291D3629805FA826E43799EA6E33021CF0A83CA05717B00F37D69841934F5B5BF254C6467888A592C38A3007DB3B7D5CBB8DB742B657F8F973C050BAA817AA571393CD8A4BC0B2312460A77DD0510F4BBCE43D53BCF334E4E8C7570255BBD17714403F4B6925434CD67F96FA9E05D700776810EEB5786B1C8188A4D73F8208B614B93284A8093929594BE][ESNI Cipher: TLS_AES_128_GCM_SHA256][PLAIN TEXT (http/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/no_sni.pcap.out b/tests/result/no_sni.pcap.out
new file mode 100644
index 000000000..2bc5ff724
--- /dev/null
+++ b/tests/result/no_sni.pcap.out
@@ -0,0 +1,16 @@
+DoH_DoT	268	31882	1
+Cloudflare	917	562254	7
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 192.168.1.119            	 4      
+
+
+	1	TCP 192.168.1.119:51612 <-> 104.16.124.96:443 [proto: 91.220/TLS.Cloudflare][cat: Web/5][393 pkts/33775 bytes <-> 392 pkts/495548 bytes][Goodput ratio: 19/96][3.69 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.872 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/7 256/389 33/36][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 86/1264 1001/1514 72/1359][TLSv1.3][JA3C: 398991c398d60bfa0e3f00f8782dafc9][JA3S: 2b0648ab686ee45e0e7c35fcfb0eea7e][ESNI: 154F773223D0CF0FEF0A7775B0D958B67741380EE78600E440917D6766C09DF766B1C11F9A9FA708ECDE5D1E5DD45A2941D5D6233C0FC26FE91DA3FAED9C82F6BAFBAED593BCE2682784BE9A6867B21A06EBBCD3DB037837FA99CD0D3E117AB0E37E87BAFEA8E988492DFC2C5E824F330947430FBC6ED197B78052CF341C3E34CA15564EBD6B82760F41CDE5DC21FE0F0E65BF622F16105980BA244469375960B46EFCC4B55CBD5EE08279D532CE6E2301849DF8948C5E611F9E79DAB46BDDA36AC9B8B49F54447B5DA34DCD026899D2023B2CA2538610817B11ACF470248DC52231356612F9588CF5DFA616A946E009E8C4E4B79007616F4A375F381F1E6A8E5D3FD08A0DAD1439DFE3C5499520CC1DF322CE89EE48226D6DE2F68298A0D64153994A52][ESNI Cipher: TLS_AES_128_GCM_SHA256][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 4,0,14,5,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,2,0,6,0,59,0,0]
+	2	TCP 192.168.1.119:51606 <-> 104.16.249.249:443 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][154 pkts/15322 bytes <-> 114 pkts/16560 bytes][Goodput ratio: 45/61][4.04 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.039 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 25/9 918/180 109/25][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 99/145 670/736 65/115][TLSv1.3][Client: mozilla.cloudflare-dns.com][JA3C: 5dd472f5a4060141b8cfd05eecf10d11][JA3S: 2b0648ab686ee45e0e7c35fcfb0eea7e][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 26,25,10,8,6,6,2,9,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	3	TCP 192.168.1.119:51637 <-> 104.22.72.170:443 [proto: 91.220/TLS.Cloudflare][cat: Web/5][19 pkts/2515 bytes <-> 16 pkts/6813 bytes][Goodput ratio: 58/87][0.58 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.461 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 32/29 126/129 39/42][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 132/426 766/1514 169/513][TLSv1.3][JA3C: 16fcce72c01e54fab4ddabce048c0f5b][JA3S: eb1d94daa7e0344597e756a1fb6e7054][ESNI: BADE19F2B027949FC140E94EEB7DD59A2241568D071E94D82B0A30FD4AE0338795D6A38CC2278CB2B352A8CD65E9BC2D8033A555A10F0B41919F868242D5355CFD97E057107040600744D061FAFE56A4C7F69C7F851BD029BCAD13D2F7E153F64D47A71B517C885D217B2C1BE5948935196B1C2C08C68D50D5C1578129ADF9BC6A15DAF6C64DCA09970610B5F826C1C5D71B718A9908F61536792AA76BF455FFA3998ECFB4C43A1B90BEDD1FE0B8C7C212FBA65B53D75C7691752A754B4AC040C029F881D9A3CAA39C264166C83F4CCC947B2A8C77D5ABBFD5C72754F6202564C11C87FDE8A2679857A5BC46B74EAB76E69512BB91177C9AA424CE04E4C3E9865361B97B6EB5241AB4455F92D8300A526D7A0456F372F86B07B3178A2071FE9FDACEF78F][ESNI Cipher: TLS_AES_128_GCM_SHA256][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 28,0,16,0,0,5,0,0,0,11,5,0,0,0,0,0,11,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,5,0,0]
+	4	TCP 192.168.1.119:51635 <-> 104.17.198.37:443 [proto: 91.220/TLS.Cloudflare][cat: Web/5][12 pkts/1785 bytes <-> 11 pkts/4213 bytes][Goodput ratio: 62/85][0.56 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.405 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 38/14 107/98 41/32][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 149/383 571/1514 159/503][TLSv1.3][Client: 951c558a-5e07-47ca-a0c0-225da1b33163.is-cf.help.every1dns.net][JA3C: 1fd36067223570569bbf156fece40978][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 27,0,9,0,0,9,0,0,0,0,18,0,0,0,0,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,9,0,0]
+	5	TCP 192.168.1.119:51636 <-> 104.17.198.37:443 [proto: 91.220/TLS.Cloudflare][cat: Web/5][12 pkts/1786 bytes <-> 11 pkts/4212 bytes][Goodput ratio: 62/85][0.56 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.404 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 38/44 117/211 47/72][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 149/383 571/1514 159/503][TLSv1.3][Client: 951c558a-5e07-47ca-a0c0-225da1b33163.is-doh.help.every1dns.net][JA3C: 1fd36067223570569bbf156fece40978][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 27,0,9,0,0,9,0,0,0,0,18,0,0,0,0,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,9,0,0]
+	6	TCP 192.168.1.119:51638 <-> 104.22.72.170:443 [proto: 91.220/TLS.Cloudflare][cat: Web/5][12 pkts/1659 bytes <-> 10 pkts/3915 bytes][Goodput ratio: 59/85][0.56 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.405 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 43/30 129/142 42/52][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 138/392 766/1514 196/550][TLSv1.3][JA3C: 16fcce72c01e54fab4ddabce048c0f5b][JA3S: eb1d94daa7e0344597e756a1fb6e7054][ESNI: 4BC224582D83D9B999D5A6A5C8CA5F7044ECCCB75B644BE507AF762431A6292DA0EFBEED632A2BC868756FF720C5BD83C345E60B3529B7BF7DA4DB25E657E0B126FFCD62BB1544D84A8D81FF78CE3E14BB03DC429F25D34982D42B00F7DCFCD6C0A6D91EAFA2B6A3338187DEB367AA29ED731C52FD0561923C1FF20AE22DA56551A91FEF05347C46D01C51DEEFD63A35801F1D9A11BB271EB163912E7E3C65E877D9637FA0ECBF83787F8D2AF237AAA43E3BC82BD98140C9A227A7EE1D8EB5DB3EC55D9C635A8A525D8ADC7E7C2261A235120A5BB10EC883C9D1956D1C4CB7D3B22B606E085082EE035C09B154074E031EA961651127B1E4F41A36851D026A40C6CDD36712E84A3AACDEDC40319883A9C1C13870A8CC10E79E6A84352D0681134CC97941][ESNI Cipher: TLS_AES_128_GCM_SHA256][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 25,0,12,0,0,12,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,12,0,0]
+	7	TCP 192.168.1.119:51639 <-> 104.22.72.170:443 [proto: 91.220/TLS.Cloudflare][cat: Web/5][12 pkts/1659 bytes <-> 10 pkts/3915 bytes][Goodput ratio: 59/85][0.55 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.405 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 44/27 126/129 43/47][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 138/392 766/1514 196/550][TLSv1.3][JA3C: 16fcce72c01e54fab4ddabce048c0f5b][JA3S: eb1d94daa7e0344597e756a1fb6e7054][ESNI: 1A5D1DCC8C47DD46E21570FFB62F999CD85F69983DF08FC0E944E15E9520556C5462F5110EE1FC34F93862ADD6B2DE6FD479263028F82157273B3A728443CE0A259E50F657019E02DD9BB408C7297C541B756A55769B88C04FBF268F677EEBC074CEB1D905770D67E6663B392CF09E80086661BD59F640035FEF65DEF6B93654AD359D9514C4236BBF9F565D299224475DEA5D1813F7AF1CF9A4402AB0ADB1DD2D3075ECE78A216DE6E88A82E89F72BDB3EC3B26604D6433FF5EF71C15FC7E3E624ECC15C1644AC4CF839119636965184DAF8FC115C6C09260306FCE2024D360636EFB39AACB9DCE54226E847B6356F1A2FCA88222266CC21D575EFFBF9FE0F553D99B1AE564AA7A001DA3C775FFE19DCFF96A1814AAF8554B871926B6582467FDA05224][ESNI Cipher: TLS_AES_128_GCM_SHA256][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 25,0,12,0,0,12,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,12,0,0]
+	8	TCP 192.168.1.119:51331 <-> 104.16.249.249:443 [proto: 91.220/TLS.Cloudflare][cat: Web/5][4 pkts/279 bytes <-> 3 pkts/180 bytes][Goodput ratio: 22/0][0.12 sec][bytes ratio: 0.216 (Upload)][IAT c2s/s2c min/avg/max/stddev: 119/0 40/0 119/0 56/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 70/60 93/60 17/0][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/tls-esni-fuzzed.pcap.out b/tests/result/tls-esni-fuzzed.pcap.out
index 48799ba4f..843b8fc4a 100644
--- a/tests/result/tls-esni-fuzzed.pcap.out
+++ b/tests/result/tls-esni-fuzzed.pcap.out
@@ -5,6 +5,6 @@ JA3 Host Stats:
 	1	 192.168.1.12             	 1      
 
 
-	1	TCP 192.168.1.12:49886 -> 104.27.129.77:443 [proto: 91.220/TLS.Cloudflare][cat: Web/5][1 pkts/770 bytes -> 0 pkts/0 bytes][Goodput ratio: 93/0][< 1 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][Risk: ** SNI TLS extension was missing **][TLSv1.2][JA3C: e5ef852e686954ba9fe060fbfa881e15][ESNI: 9624CB3C4E230827F78CF5BF640D22DEA33FCC598EA6A32D939905586FBE997B9E68661F8956D4893072E19DE24CD1FB88A9F71FC4CC01BAB5C914FDF96A647D671B5E89859BAEEAB122218688496DF4DF0C328C3D5F940B109CEB2A2743D5CBE3594288A229B8C7E2F88303E3FE1A26A89E5001F2BD936890FEF78F06E05ECC063A68BDB8C18DFAC114CF1FECDB8BE1FC2FEECB2315D27998D682B129FD1E3EB5D7985DCBDC452A1082CCC038E0BF69570FEFAC6BC6FB951F89B6792CADA76403C02CEB5DCE1CE6EDDD16D5F7FB6B85D2B92485448DE0088E421E83F1E28B267FBE3B59AE0496FB845213C271D4C5AC5E9E7E5F6A3072445307FCCEB7306710459991C40CC4DC1FC325154C7974DD780371397805456A19AE23EE88475C1DF07697B666][ESNI Cipher: TLS_AES_128_GCM_SHA256][PLAIN TEXT (http/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	2	TCP 192.168.1.12:49887 -> 104.16.125.175:443 [proto: 91.220/TLS.Cloudflare][cat: Web/5][1 pkts/770 bytes -> 0 pkts/0 bytes][Goodput ratio: 93/0][< 1 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][Risk: ** SNI TLS extension was missing **][TLSv1.2][JA3C: e5ef852e686954ba9fe060fbfa881e15][ESNI: B900004E39E84B98F5AE87B0A020EC49FED86F2B488B6AB28BDE9F957621F2774366DE90E65C4CA808668911624685EC4C6DC6C161A97CBE82281BC08427697AA3BE6A40E5F00ACF8B63E329317B0E4E85642D50AB8790E6197DA62D9F5B3239DCC59437797FE768A520C9D471FEABA1375DF61E4A39B09363CB109E7B24A793844896DDD16B6EE7DBE576D767161D782D7BF6FEC453A05A923D8D8E9BEFFC97E8E56C4F1AAB70FE99BC97819E1D908A5F3B3094F4BF25EB7A24A94FDBC3E107A423B8BB341F22900F7BBD87780E30B6ECF393FEB8FBFFEB54C79FA0673FE1AAD17B221D4BFF6450AA0CD4AF513066B66080B602147F3ACB7145A436C5689DA20BACB8BF9BABD851012556EC8F7BB9D74BFAAF25DCF4362A5775607C3CE5C2C29F183969][ESNI Cipher: TLS_AES_128_GCM_SHA256][PLAIN TEXT (http/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	TCP 192.168.1.12:49886 -> 104.27.129.77:443 [proto: 91.220/TLS.Cloudflare][cat: Web/5][1 pkts/770 bytes -> 0 pkts/0 bytes][Goodput ratio: 93/0][< 1 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][TLSv1.2][JA3C: e5ef852e686954ba9fe060fbfa881e15][ESNI: 9624CB3C4E230827F78CF5BF640D22DEA33FCC598EA6A32D939905586FBE997B9E68661F8956D4893072E19DE24CD1FB88A9F71FC4CC01BAB5C914FDF96A647D671B5E89859BAEEAB122218688496DF4DF0C328C3D5F940B109CEB2A2743D5CBE3594288A229B8C7E2F88303E3FE1A26A89E5001F2BD936890FEF78F06E05ECC063A68BDB8C18DFAC114CF1FECDB8BE1FC2FEECB2315D27998D682B129FD1E3EB5D7985DCBDC452A1082CCC038E0BF69570FEFAC6BC6FB951F89B6792CADA76403C02CEB5DCE1CE6EDDD16D5F7FB6B85D2B92485448DE0088E421E83F1E28B267FBE3B59AE0496FB845213C271D4C5AC5E9E7E5F6A3072445307FCCEB7306710459991C40CC4DC1FC325154C7974DD780371397805456A19AE23EE88475C1DF07697B666][ESNI Cipher: TLS_AES_128_GCM_SHA256][PLAIN TEXT (http/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	2	TCP 192.168.1.12:49887 -> 104.16.125.175:443 [proto: 91.220/TLS.Cloudflare][cat: Web/5][1 pkts/770 bytes -> 0 pkts/0 bytes][Goodput ratio: 93/0][< 1 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][TLSv1.2][JA3C: e5ef852e686954ba9fe060fbfa881e15][ESNI: B900004E39E84B98F5AE87B0A020EC49FED86F2B488B6AB28BDE9F957621F2774366DE90E65C4CA808668911624685EC4C6DC6C161A97CBE82281BC08427697AA3BE6A40E5F00ACF8B63E329317B0E4E85642D50AB8790E6197DA62D9F5B3239DCC59437797FE768A520C9D471FEABA1375DF61E4A39B09363CB109E7B24A793844896DDD16B6EE7DBE576D767161D782D7BF6FEC453A05A923D8D8E9BEFFC97E8E56C4F1AAB70FE99BC97819E1D908A5F3B3094F4BF25EB7A24A94FDBC3E107A423B8BB341F22900F7BBD87780E30B6ECF393FEB8FBFFEB54C79FA0673FE1AAD17B221D4BFF6450AA0CD4AF513066B66080B602147F3ACB7145A436C5689DA20BACB8BF9BABD851012556EC8F7BB9D74BFAAF25DCF4362A5775607C3CE5C2C29F183969][ESNI Cipher: TLS_AES_128_GCM_SHA256][PLAIN TEXT (http/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	3	TCP 192.168.1.12:49897 -> 104.22.71.197:443 [proto: 91.220/TLS.Cloudflare][cat: Web/5][1 pkts/770 bytes -> 0 pkts/0 bytes][Goodput ratio: 93/0][< 1 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][Risk: ** SNI TLS extension was missing **][TLSv1.2][JA3C: e5ef852e686954ba9fe060fbfa881e15][PLAIN TEXT (http/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]