author | Luca Deri <deri@ntop.org> | 2024-10-31 21:20:26 +0100 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2024-10-31 21:20:46 +0100 |
commit | 412ca8700fc53da705c6aa386c736a400279a614 (patch) | |
tree | 39ada41ae2b12ea7abf4e1243a4ae5f73d8bf3c3 | |
parent | bcc1874e581de9d59514248a27f525cb56a0ec31 (diff) |
Added HTTP credentials extraction
-rw-r--r-- | example/Makefile.in | 2 | ||||
-rw-r--r-- | example/ndpiReader.c | 33 | ||||
-rw-r--r-- | example/reader_util.c | 3 | ||||
-rw-r--r-- | example/reader_util.h | 2 | ||||
-rw-r--r-- | src/include/ndpi_api.h | 1 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 3 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 11 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 13 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 74 | ||||
-rw-r--r-- | tests/cfgs/default/pcap/http-basic-auth.pcap | bin | 0 -> 364930 bytes | |||
-rw-r--r-- | tests/cfgs/default/pcap/http-pwd.pcapng | bin | 0 -> 2688 bytes | |||
-rw-r--r-- | tests/cfgs/default/result/fuzz-2006-09-29-28586.pcap.out | 2 | ||||
-rw-r--r-- | tests/cfgs/default/result/http-basic-auth.pcap.out | 54 | ||||
-rw-r--r-- | tests/cfgs/default/result/http-pwd.pcapng.out | 27 | ||||
-rw-r--r-- | tests/cfgs/default/result/http_auth.pcap.out | 2 |
15 files changed, 205 insertions, 22 deletions
diff --git a/example/Makefile.in b/example/Makefile.in index 06e8958b5..707dbfb19 100644 --- a/example/Makefile.in +++ b/example/Makefile.in @@ -15,7 +15,7 @@ SRCHOME=../src ifneq ($(OS),Windows_NT) CFLAGS+=-fPIC -DPIC endif -CFLAGS+=-I$(SRCHOME)/include @NDPI_CFLAGS@ @PCAP_INC@ @GPROF_CFLAGS@ +CFLAGS+=-I$(SRCHOME)/include @NDPI_CFLAGS@ @PCAP_INC@ @GPROF_CFLAGS@ @CUSTOM_NDPI@ LDFLAGS+=@NDPI_LDFLAGS@ LIBNDPI=$(SRCHOME)/lib/libndpi.a LIBS=$(LIBNDPI) @PCAP_LIB@ @ADDITIONAL_LIBS@ @LIBS@ @GPROF_LIBS@ diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 65ddb4ca3..4144a81ea 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -94,6 +94,10 @@ static char* ip_port_to_check = NULL; static u_int8_t ignore_vlanid = 0; FILE *fingerprint_fp = NULL; /**< for flow fingerprint export */ +#ifdef CUSTOM_NDPI_PROTOCOLS +#include "../../nDPI-custom/ndpiReader_defs.c" +#endif + /** User preferences **/ char *addr_dump_path = NULL; u_int8_t enable_realtime_output = 0, enable_protocol_guess = NDPI_GIVEUP_GUESS_BY_PORT | NDPI_GIVEUP_GUESS_BY_IP, enable_payload_analyzer = 0, num_bin_clusters = 0, extcap_exit = 0; @@ -815,6 +819,8 @@ static struct option longopts[] = { {0, 0, 0, 0} }; +static const char* longopts_short = "a:Ab:B:e:E:c:C:dDFf:g:G:i:Ij:k:K:S:hHp:pP:l:L:r:Rs:tu:v:V:n:rp:x:X:w:q0123:456:7:89:m:MN:T:U:"; + /* ********************************** */ void extcap_interfaces() { @@ -1102,9 +1108,7 @@ static void parseOptions(int argc, char **argv) { } #endif - while((opt = getopt_long(argc, argv, - "a:Ab:B:e:E:c:C:dDFf:g:G:i:Ij:k:K:S:hHp:pP:l:L:r:Rs:tu:v:V:n:rp:x:X:w:q0123:456:7:89:m:MN:T:U:", - longopts, &option_idx)) != EOF) { + while((opt = getopt_long(argc, argv, longopts_short, longopts, &option_idx)) != EOF) { #ifdef DEBUG_TRACE if(trace) fprintf(trace, " #### Handling option -%c [%s] #### \n", opt, optarg ? optarg : ""); #endif 
@@ -1886,6 +1890,9 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa if(flow->telnet.username) fprintf(out, "[Username: %s]", flow->telnet.username); if(flow->telnet.password) fprintf(out, "[Password: %s]", flow->telnet.password); + if(flow->http.username[0]) fprintf(out, "[Username: %s]", flow->http.username); + if(flow->http.password[0]) fprintf(out, "[Password: %s]", flow->http.password); + if(flow->host_server_name[0] != '\0') fprintf(out, "[Hostname/SNI: %s]", flow->host_server_name); switch (flow->info_type) @@ -2292,6 +2299,10 @@ static void printFlowSerialized(struct ndpi_flow_info *flow) } fprintf(serialization_fp, "%.*s\n", (int)json_str_len, json_str); + +#ifdef CUSTOM_NDPI_PROTOCOLS +#include "../../nDPI-custom/ndpiReader_flow_serialize.c" +#endif } /* ********************************** */ @@ -3901,10 +3912,8 @@ static void printFlowsStats() { } } - for(i=0; i<num_flows; i++) - { - printFlowSerialized(all_flows[i].flow); - } + for(i=0; i<num_flows; i++) + printFlowSerialized(all_flows[i].flow); } ndpi_free(all_flows); @@ -6601,12 +6610,14 @@ int main(int argc, char **argv) { if(getenv("AHO_DEBUG")) ac_automata_enable_debug(1); + parseOptions(argc, argv); if(domain_to_check) { ndpiCheckHostStringMatch(domain_to_check); exit(0); } + if(ip_port_to_check) { ndpiCheckIPMatch(ip_port_to_check); exit(0); @@ -6620,6 +6631,10 @@ int main(int argc, char **argv) { num_bin_clusters = 1; } +#ifdef CUSTOM_NDPI_PROTOCOLS +#include "../../nDPI-custom/ndpiReader_init.c" +#endif + if(!quiet_mode) { printf("\n-----------------------------------------------------------\n" "* NOTE: This is demo app to show *some* nDPI features.\n" @@ -6656,6 +6671,10 @@ int main(int argc, char **argv) { ndpi_free(cfgs[i].value); } +#ifdef CUSTOM_NDPI_PROTOCOLS +#include "../../nDPI-custom/ndpiReader_term.c" +#endif + #ifdef DEBUG_TRACE if(trace) fclose(trace); #endif 
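Review bot: `#include "../../nDPI-custom/ndpiReader_flow_serialize.c"` placed inside the body of printFlowSerialized (and the `_init.c`/`_term.c` includes inside main) splices an out-of-tree file into a function body, which hides control flow and the locals that file may depend on from readers, formatters and static analysers. Declaring a hook function in a header and calling it under the same `#ifdef CUSTOM_NDPI_PROTOCOLS` keeps the extension point explicit while preserving the optional build. The enclosing functions start and end outside these hunks.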
diff --git a/example/reader_util.c b/example/reader_util.c
index 6c463fdbb..d230c9337 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -1613,12 +1613,15 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
 if(flow->ndpi_flow->http.url != NULL) {
 ndpi_snprintf(flow->http.url, sizeof(flow->http.url), "%s", flow->ndpi_flow->http.url);
 }
+ flow->http.response_status_code = flow->ndpi_flow->http.response_status_code;
 ndpi_snprintf(flow->http.content_type, sizeof(flow->http.content_type), "%s", flow->ndpi_flow->http.content_type ? flow->ndpi_flow->http.content_type : "");
 ndpi_snprintf(flow->http.server, sizeof(flow->http.server), "%s", flow->ndpi_flow->http.server ? flow->ndpi_flow->http.server : "");
 ndpi_snprintf(flow->http.request_content_type, sizeof(flow->http.request_content_type), "%s", flow->ndpi_flow->http.request_content_type ? flow->ndpi_flow->http.request_content_type : "");
 ndpi_snprintf(flow->http.nat_ip, sizeof(flow->http.nat_ip), "%s", flow->ndpi_flow->http.nat_ip ? flow->ndpi_flow->http.nat_ip : "");
 ndpi_snprintf(flow->http.filename, sizeof(flow->http.filename), "%s", flow->ndpi_flow->http.filename ? flow->ndpi_flow->http.filename : "");
+ ndpi_snprintf(flow->http.username, sizeof(flow->http.username), "%s", flow->ndpi_flow->http.username ? flow->ndpi_flow->http.username : "");
+ ndpi_snprintf(flow->http.password, sizeof(flow->http.password), "%s", flow->ndpi_flow->http.password ? flow->ndpi_flow->http.password : "");
 }
 ndpi_snprintf(flow->http.user_agent,
diff --git a/example/reader_util.h b/example/reader_util.h
index eea3ce454..9a847cb13 100644
--- a/example/reader_util.h
+++ b/example/reader_util.h
@@ -308,7 +308,7 @@ typedef struct ndpi_flow_info {
 struct {
 char url[256], request_content_type[64], content_type[64],
- user_agent[256], server[128], nat_ip[32], filename[256];
+ user_agent[256], server[128], nat_ip[32], username[64], password[64], filename[256];
 u_int response_status_code;
 } http;
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
index d304ceb5d..ae5679e71 100644
--- a/src/include/ndpi_api.h
+++ b/src/include/ndpi_api.h
@@ -109,6 +109,7 @@ extern "C" {
 void * ndpi_calloc(unsigned long count, size_t size);
 void * ndpi_realloc(void *ptr, size_t old_size, size_t new_size);
 char * ndpi_strdup(const char *s);
+ char * ndpi_strndup(const char *s, size_t size);
 void ndpi_free(void *ptr);
 void * ndpi_flow_malloc(size_t size);
 void ndpi_flow_free(void *ptr);
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 4dfddc5f0..dc3f110ce 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1349,12 +1349,13 @@ struct ndpi_flow_struct {
 struct {
 ndpi_http_method method;
 u_int8_t request_version; /* 0=1.0 and 1=1.1. Create an enum for this? */
- u_int8_t websocket:1, _pad:7;
+ u_int8_t websocket:1, request_header_observed:1, first_payload_after_header_observed:1, is_form:1, _pad:4;
 u_int16_t response_status_code; /* 200, 404, etc. */
 char *url, *content_type /* response */, *request_content_type /* e.g. for POST */, *user_agent, *server;
 char *detected_os; /* Via HTTP/QUIC User-Agent */
 char *nat_ip; /* Via HTTP X-Forwarded-For */
 char *filename; /* Via HTTP Content-Disposition */
+ char *username, *password;
 } http;
 ndpi_multimedia_flow_type flow_multimedia_type;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 98873e959..700016378 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -6762,6 +6762,12 @@ void ndpi_free_flow_data(struct ndpi_flow_struct* flow) {
 if(flow->http.filename)
 ndpi_free(flow->http.filename);
+ if(flow->http.username)
+ ndpi_free(flow->http.username);
+
+ if(flow->http.password)
+ ndpi_free(flow->http.password);
+
 if(flow->kerberos_buf.pktbuf)
 ndpi_free(flow->kerberos_buf.pktbuf);
@@ -9333,6 +9339,8 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str,
 if((packet->payload[a] == 0x0d) && (packet->payload[a+1] == 0x0a)) {
 /* If end of line char sequence CR+NL "\r\n", process line */
+ flow->http.request_header_observed = 1;
+
 if(((a + 3) < packet->payload_packet_len) && (packet->payload[a+2] == 0x0d) && (packet->payload[a+3] == 0x0a)) {
@@ -9401,8 +9409,7 @@ void ndpi_parse_packet_line_info_any(struct ndpi_detection_module_struct *ndpi_s
 for(a = 0; a < end; a++) {
 if(packet->payload[a] == 0x0a) {
- packet->line[packet->parsed_lines].len = (u_int16_t)(
- ((size_t) &packet->payload[a]) - ((size_t) packet->line[packet->parsed_lines].ptr));
+ packet->line[packet->parsed_lines].len = (u_int16_t)(((size_t) &packet->payload[a]) - ((size_t) packet->line[packet->parsed_lines].ptr));
 if(a > 0 && packet->payload[a - 1] == 0x0d)
 packet->line[packet->parsed_lines].len--;
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 86aee7c7f..782f85f16 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -3885,3 +3885,16 @@ const char* ndpi_print_os_hint(u_int8_t os_hint) {
 return("Unknown");
 }
+
+/* ************************************************************** */
+
+char* ndpi_strndup(const char *s, size_t size) {
+ char *ret = (char*)ndpi_malloc(size+1);
+
+ if(ret == NULL) return(NULL);
+
+ memcpy(ret, s, size);
+ ret[size] = '\0';
+
+ return(ret);
+}
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index cb146fcc0..1c468165c 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
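Review bot: `flow->http.request_header_observed = 1;` is set on every CR+LF the generic line parser meets, so it also fires on server response lines and on any non-HTTP line-oriented protocol that goes through ndpi_parse_packet_line_info, and the HTTP-specific name then promises more than the code checks. The consumer in http.c uses this flag to decide which later payload is the form body, so a response header or a request header split over several segments can move that decision to the wrong packet (inferred from the two flags, worth confirming with a capture). Consider setting the flag from the HTTP dissector once a request line has actually been recognised, or at least document it as `/* set by the generic line parser on any CR+LF, in either direction */`. ndpi_parse_packet_line_info starts and ends outside the hunk.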
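Review bot: `ndpi_strndup` dereferences `s` without a NULL check, so `ndpi_strndup(NULL, n)` hands NULL to memcpy, which is undefined behaviour even for `size == 0`; following the convention of the sibling `ndpi_strdup`, add `if(s == NULL) return(NULL);` before the allocation. Unlike POSIX strndup it also copies exactly `size` bytes rather than stopping at the first NUL, which is what its packet-payload callers need but is worth a header comment such as `/* Copies exactly size bytes (no NUL scan) and NUL-terminates; the caller frees with ndpi_free() */`.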
@@ -108,7 +108,7 @@ static void ndpi_analyze_content_signature(struct ndpi_detection_module_struct * - ndpi_search_portable_executable - ndpi_search_shellscript */ - + if((flow->initial_binary_bytes_len >= 2) && (flow->initial_binary_bytes[0] == 0x4D) && (flow->initial_binary_bytes[1] == 0x5A)) set_risk = 1, msg = "Found DOS/Windows Exe"; /* Win executable */ else if((flow->initial_binary_bytes_len >= 4) && (flow->initial_binary_bytes[0] == 0x7F) && (flow->initial_binary_bytes[1] == 'E') @@ -224,12 +224,11 @@ static void ndpi_validate_http_content(struct ndpi_detection_module_struct *ndpi len = packet->payload_packet_len - (double_ret - packet->payload); - if(ndpi_strnstr((const char *)packet->content_line.ptr, "text/", packet->content_line.len) + if(flow->http.is_form + || ndpi_strnstr((const char *)packet->content_line.ptr, "text/", packet->content_line.len) || ndpi_strnstr((const char *)packet->content_line.ptr, "/json", packet->content_line.len) - || ndpi_strnstr((const char *)packet->content_line.ptr, "x-www-form-urlencoded", packet->content_line.len) ) { /* This is supposed to be a human-readeable text file */ - packet->http_check_content = 1; if(len >= 8 /* 4 chars for \r\n\r\n and at least 4 charts for content guess */) { @@ -462,6 +461,7 @@ static void setHttpUserAgent(struct ndpi_flow_struct *flow, char *ua) { else if(!strcmp(ua, "Windows NT 6.2")) ua = "Windows 8"; else if(!strcmp(ua, "Windows NT 6.3")) ua = "Windows 8.1"; else if(!strcmp(ua, "Windows NT 10.0")) ua = "Windows 10"; + else if(!strcmp(ua, "Windows NT 11.0")) ua = "Windows 11"; /* Good reference for future implementations: * https://github.com/ua-parser/uap-core/blob/master/regexes.yaml */ 
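Review bot: The new `else if(!strcmp(ua, "Windows NT 11.0")) ua = "Windows 11";` in setHttpUserAgent will, as far as I know, not match real browser traffic: Windows 11 browsers keep reporting `Windows NT 10.0` in the User-Agent for compatibility, so the mapping is harmless but suggests coverage that is not there. If it stays, a comment such as `/* Not sent by current browsers: Windows 11 still reports NT 10.0 */` keeps the next reader from relying on it. setHttpUserAgent's body continues outside the hunk.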
@@ -641,6 +641,42 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp
 flow->http.user_agent && strstr(flow->http.user_agent, "Valve/Steam HTTP Client")) {
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_STEAM, master_protocol, NDPI_CONFIDENCE_DPI);
 }
+
+
+ if(flow->http.request_header_observed) {
+ if(flow->http.first_payload_after_header_observed == 0) {
+ /* Skip the last part of the HTTP request */
+ flow->http.first_payload_after_header_observed = 1;
+ } else if(flow->http.is_form && (packet->payload_packet_len > 0)) {
+ /* Response payload */
+ char *dup = ndpi_strndup((const char *)packet->payload, packet->payload_packet_len);
+
+ if(dup) {
+ char *key, *value, *tmp;
+
+ key = strtok_r(dup, "=", &tmp);
+
+ while((key != NULL)
+ && ((flow->http.username == NULL) || (flow->http.password == NULL))) {
+ value = strtok_r(NULL, "&", &tmp);
+
+ if(!value)
+ break;
+
+ if((strcmp(key, "user") == 0) || (strcmp(key, "username") == 0)) {
+ if(!flow->http.username) flow->http.username = ndpi_strdup(value);
+ } else if((strcmp(key, "pwd") == 0) || (strcmp(key, "password") == 0)) {
+ if(!flow->http.password) flow->http.password = ndpi_strdup(value);
+ ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password");
+ }
+
+ key = strtok_r(NULL, "=", &tmp);
+ }
+
+ ndpi_free(dup);
+ }
+ }
+ }
 }
 /* ************************************************************* */
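Review bot: The comment `/* Response payload */` describes the wrong direction: this branch tokenises the payload that follows the request header of a form-encoded POST, i.e. the request body, and nothing in the condition restricts it to client-to-server packets. Because the preceding `first_payload_after_header_observed` step skips one payload unconditionally, a small POST whose header and body share a segment will have its body skipped and the server's response split on `=`/`&` instead (inferred from the two flags, worth confirming against such a capture). The extracted values are also kept as they appear on the wire, so percent-escapes and `+` are not decoded and `user=j%40doe` is recorded literally. I would reword the comment to `/* Request body of a form-encoded POST */`, gate the branch on the packet direction, and percent-decode the value before `ndpi_strdup`. ndpi_http_parse_subprotocol begins before this hunk.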
@@ -986,13 +1022,32 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
 }
 if(packet->authorization_line.ptr != NULL) {
+ const char *a = NULL, *b = NULL;
+
 NDPI_LOG_DBG2(ndpi_struct, "Authorization line found %.*s\n", packet->authorization_line.len, packet->authorization_line.ptr);
- if(ndpi_strncasestr((const char*)packet->authorization_line.ptr,
- "Basic", packet->authorization_line.len)
- || ndpi_strncasestr((const char*)packet->authorization_line.ptr,
- "Digest", packet->authorization_line.len)) {
+ if((a = ndpi_strncasestr((const char*)packet->authorization_line.ptr,
+ "Basic", packet->authorization_line.len))
+ || (b = ndpi_strncasestr((const char*)packet->authorization_line.ptr,
+ "Digest", packet->authorization_line.len))) {
+ size_t content_len;
+ u_int len = b ? 7 : 6;
+ u_char *content = ndpi_base64_decode((const u_char*)&packet->authorization_line.ptr[len],
+ packet->authorization_line.len - len, &content_len);
+
+ if(content != NULL) {
+ char *double_dot = strchr((char*)content, ':');
+
+ if(double_dot) {
+ double_dot[0] = '\0';
+ flow->http.username = ndpi_strdup((char*)content);
+ flow->http.password = ndpi_strdup(&double_dot[1]);
+ }
+
+ ndpi_free(content);
+ }
+
 ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found credentials in HTTP Auth Line");
 }
@@ -1013,6 +1068,9 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
 packet->content_line.len);
 flow->http.request_content_type[packet->content_line.len] = '\0';
 }
+
+ if(ndpi_strnstr(flow->http.request_content_type, "x-www-form-urlencoded", packet->content_line.len))
+ flow->http.is_form = 1;
 }
 } else { /* Response */
diff --git a/tests/cfgs/default/pcap/http-basic-auth.pcap b/tests/cfgs/default/pcap/http-basic-auth.pcap
Binary files differnew file mode 100644
index 000000000..d6c17bebb
--- /dev/null
+++ b/tests/cfgs/default/pcap/http-basic-auth.pcap
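Review bot: `packet->authorization_line.len - len` is computed without checking that the line is at least `len` bytes long; `ndpi_strncasestr` still matches a line that is exactly `Basic` (5 bytes), the unsigned subtraction then wraps and `ndpi_base64_decode` is handed a length far beyond the payload. The offset is also taken from the start of the line rather than from the match pointer `a`/`b`, so any leading whitespace before the scheme shifts the base64 input. Digest credentials are not base64 at all (they are `username="..."`-style parameters), so decoding them and splitting on ':' yields garbage username/password strings; extraction should be limited to Basic while the risk is still raised for both. Finally `flow->http.username`/`password` are overwritten without freeing an earlier value, so a flow carrying several Authorization headers leaks the previous strings, whereas the form-parsing path guards with `if(!flow->http.username)`. The rewrite below keeps the `strchr` on the decoded buffer, which already assumes `ndpi_base64_decode` NUL-terminates its output; if it does not, bound the scan by `content_len`. check_content_type_and_change_protocol begins before this hunk.
```c
      if(a != NULL) {
        /* Only Basic carries base64("user:pass"); Digest has no password to extract */
        u_int off = (u_int)(a - (const char*)packet->authorization_line.ptr) + 6; /* strlen("Basic ") */

        if(off < packet->authorization_line.len) {
          size_t content_len;
          u_char *content = ndpi_base64_decode((const u_char*)&packet->authorization_line.ptr[off],
                                               packet->authorization_line.len - off, &content_len);

          if(content != NULL) {
            char *double_dot = strchr((char*)content, ':');

            /* Keep the first credentials seen on the flow; avoids leaking earlier strdup'd values */
            if(double_dot && (flow->http.username == NULL) && (flow->http.password == NULL)) {
              double_dot[0] = '\0';
              flow->http.username = ndpi_strdup((char*)content);
              flow->http.password = ndpi_strdup(&double_dot[1]);
            }

            ndpi_free(content);
          }
        }
      }

      /* … unchanged: ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, ...) … */
```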
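Review bot: `ndpi_strnstr(flow->http.request_content_type, "x-www-form-urlencoded", packet->content_line.len)` runs after the block that fills `request_content_type`; since that field is a heap pointer (see the ndpi_typedefs.h hunk), if the preceding block is the allocation guard a failed allocation leaves it NULL and this call dereferences it — the block's opening is outside the hunk, so this is inferred. Testing the header bytes directly removes the dependency on the copy: `if(ndpi_strnstr((const char *)packet->content_line.ptr, "x-www-form-urlencoded", packet->content_line.len))`.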
diff --git a/tests/cfgs/default/pcap/http-pwd.pcapng b/tests/cfgs/default/pcap/http-pwd.pcapng Binary files differnew file mode 100644 index 000000000..7b926d994 --- /dev/null +++ b/tests/cfgs/default/pcap/http-pwd.pcapng diff --git a/tests/cfgs/default/result/fuzz-2006-09-29-28586.pcap.out b/tests/cfgs/default/result/fuzz-2006-09-29-28586.pcap.out index f4d242f6a..4b6306ff6 100644 --- a/tests/cfgs/default/result/fuzz-2006-09-29-28586.pcap.out +++ b/tests/cfgs/default/result/fuzz-2006-09-29-28586.pcap.out 
@@ -34,7 +34,7 @@ Unrated 3 655 3 1 TCP 172.20.3.13:80 <-> 172.20.3.5:2601 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 11][cat: Web/5][3 pkts/166 bytes <-> 8 pkts/6283 bytes][Goodput ratio: 0/93][11.25 sec][bytes ratio: -0.949 (Download)][IAT c2s/s2c min/avg/max/stddev: 104/0 5626/0 11147/0 5522/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 55/785 58/1514 2/725][Req Content-Type: application/vnd.wap.mms-message][User-Agent: SonyEricssonT68/R201A][PLAIN TEXT (POST /servlets/mms HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0] 2 TCP 172.20.3.5:2606 <-> 172.20.3.13:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 12][cat: Web/5][8 pkts/2287 bytes <-> 5 pkts/2963 bytes][Goodput ratio: 80/91][11.18 sec][Hostname/SNI: 172.20.3.13][bytes ratio: -0.129 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 58/58 177/172 83/81][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 286/593 1514/1514 478/662][URL: 172.20.3.13/servlets/mms?message-id=189301][Risk: ** HTTP Susp User-Agent **** HTTP/TLS/QUIC Numeric Hostname/SNI **][Risk Score: 110][Risk Info: Found host 172.20.3.13 / Empty or missing User-Agent][TCP Fingerprint: 2_128_8192_6bbe28597824/Unknown][PLAIN TEXT (GET /servlets/mms)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,50,0,0] 3 TCP 172.20.3.5:2604 <-> 172.20.3.13:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][5 pkts/1754 bytes <-> 4 pkts/583 bytes][Goodput ratio: 83/62][11.17 sec][Hostname/SNI: 172.20.3.13][bytes ratio: 0.501 (Upload)][IAT c2s/s2c min/avg/max/stddev: 307/81 2793/3724 10864/10997 4662/5143][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 351/146 1514/417 582/157][URL: 172.20.3.13/servlets/mms?message-id=189001][StatusCode: 200][Server: 
Resin/2.0.1][User-Agent: SonyEricssonT68/R201A][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **][Risk Score: 10][Risk Info: Found host 172.20.3.13][TCP Fingerprint: 2_128_8192_6bbe28597824/Unknown][PLAIN TEXT (GET /servlets/mms)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0] - 4 TCP 172.20.3.13:53132 <-> 172.20.3.5:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 12][cat: Web/5][9 pkts/1650 bytes <-> 4 pkts/240 bytes][Goodput ratio: 70/0][5.14 sec][Hostname/SNI: %s][bytes ratio: 0.746 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 734/1 4911/1 1706/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 183/60 894/60 270/0][URL: %s][Req Content-Type: multipart/related][User-Agent: MMS-Relay-DeliveryInitiator][Risk: ** Clear-Text Credentials **** Non-Printable/Invalid Chars Detected **** Possible Exploit Attempt **][Risk Score: 350][Risk Info: Found credentials in HTTP Auth Line / Invalid host %s / Suspicious hostname: attack ?][TCP Fingerprint: 2_64_33580_4ba1d4d16cb9/Unknown][PLAIN TEXT (POST /ppgctrl/ppgcontrollogic.d)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 TCP 172.20.3.13:53132 <-> 172.20.3.5:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 12][cat: Web/5][9 pkts/1650 bytes <-> 4 pkts/240 bytes][Goodput ratio: 70/0][5.14 sec][Username: lmc_w][Password: Test1234][Hostname/SNI: %s][bytes ratio: 0.746 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 734/1 4911/1 1706/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 183/60 894/60 270/0][URL: %s][Req Content-Type: multipart/related][User-Agent: MMS-Relay-DeliveryInitiator][Risk: ** Clear-Text Credentials **** Non-Printable/Invalid Chars Detected **** Possible Exploit Attempt **][Risk Score: 350][Risk Info: Found credentials in HTTP Auth Line / Invalid host %s / Suspicious 
hostname: attack ?][TCP Fingerprint: 2_64_33580_4ba1d4d16cb9/Unknown][PLAIN TEXT (POST /ppgctrl/ppgcontrollogic.d)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 5 TCP 172.20.3.5:2602 <-> 172.20.3.13:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 7/HTTP, Confidence: DPI][DPI packets: 3][cat: Web/5][4 pkts/942 bytes <-> 4 pkts/703 bytes][Goodput ratio: 75/69][11.10 sec][Hostname/SNI: 172.20.3.13][bytes ratio: 0.145 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/106 3699/5548 10844/10989 5054/5442][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 236/176 762/541 304/211][URL: 172.20.3.13.servlets/mms][StatusCode: 200][Req Content-Type: application/xml][Content-Type: application/xml][Server: Resin/2.0.1][Risk: ** HTTP Susp User-Agent **** HTTP/TLS/QUIC Numeric Hostname/SNI **][Risk Score: 110][Risk Info: Found host 172.20.3.13 / Empty or missing User-Agent][PLAIN TEXT (POST .servlets/mms HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 6 TCP 172.20.3.13:53136 <-> 172.20.3.5:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 4][cat: Web/5][5 pkts/586 bytes <-> 6 pkts/999 bytes][Goodput ratio: 54/66][5.21 sec][Hostname/SNI: 172.20.3.5][bytes ratio: -0.261 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/96 1737/1302 4910/5010 2247/2141][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 117/166 370/481 126/150][StatusCode: 100][Req Content-Type: multipart/related][Server: Microsoft-IIS/4.0][User-Agent: MMS-Relay-DeliveryInitiator][PLAIN TEXT (POST /ppgctrl/ppgcon)][Plen Bins: 0,0,25,0,25,0,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 7 TCP 172.20.3.5:9587 -> 172.20.3.13:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 7/HTTP, Confidence: DPI][DPI packets: 1][cat: Web/5][1 pkts/1514 bytes -> 0 pkts/0 bytes][Goodput ratio: 
96/0][< 1 sec][Risk: ** HTTP Susp User-Agent **** Unidirectional Traffic **][Risk Score: 110][Risk Info: No server to client traffic / Empty or missing User-Agent][PLAIN TEXT (POST /servlets/mms HTTP/)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0] diff --git a/tests/cfgs/default/result/http-basic-auth.pcap.out b/tests/cfgs/default/result/http-basic-auth.pcap.out new file mode 100644 index 000000000..b239f626a --- /dev/null +++ b/tests/cfgs/default/result/http-basic-auth.pcap.out 
@@ -0,0 +1,54 @@ +Guessed flow protos: 9 + +DPI Packets (TCP): 183 (7.32 pkts/flow) +Confidence Match by port : 9 (flows) +Confidence DPI : 16 (flows) +Num dissector calls: 240 (9.60 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/27/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/9/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 0/25/0 (insert/search/found) +Automa host: 16/0 (search/found) +Automa domain: 16/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 0/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 50/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +HTTP 688 353898 25 + +Acceptable 688 353898 25 + + 1 TCP 192.168.0.4:54340 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][58 pkts/9591 bytes <-> 74 pkts/74782 bytes][Goodput ratio: 60/93][20.90 sec][Username: test][Password: test][Hostname/SNI: browserspy.dk][bytes ratio: -0.773 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 397/166 4647/4811 1045/722][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 165/1011 805/1514 248/628][URL: browserspy.dk/theme/default.css][StatusCode: 304][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **][Risk Score: 100][Risk Info: Found credentials in HTTP Auth Line][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][PLAIN TEXT (GET /theme/default.css HTTP/1.1)][Plen Bins: 0,0,5,0,4,0,4,2,2,2,0,1,0,0,0,0,0,2,1,0,0,0,8,2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,63,0,0] 
+ 2 TCP 192.168.0.4:54338 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Web/5][31 pkts/4999 bytes <-> 40 pkts/37974 bytes][Goodput ratio: 59/93][17.45 sec][Username: test][Password: fail3][Hostname/SNI: browserspy.dk][bytes ratio: -0.767 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 716/350 5396/5591 1514/1171][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 161/949 805/1514 246/645][URL: browserspy.dk/password-ok.php][StatusCode: 401][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **** Error Code **][Risk Score: 110][Risk Info: Found credentials in HTTP Auth Line / HTTP Error Code 401][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][PLAIN TEXT (GET /password)][Plen Bins: 0,0,5,0,5,0,5,0,2,2,0,0,0,0,0,2,0,0,0,2,0,0,5,5,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,62,0,0] + 3 TCP 192.168.0.4:54584 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][27 pkts/3947 bytes <-> 36 pkts/37139 bytes][Goodput ratio: 55/94][15.57 sec][Username: test][Password: test][Hostname/SNI: browserspy.dk][bytes ratio: -0.808 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 502/211 4249/2440 1050/592][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 146/1032 797/1514 225/628][URL: browserspy.dk/pics/logo.png][StatusCode: 304][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **][Risk Score: 100][Risk Info: Found credentials in HTTP Auth Line][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][PLAIN TEXT (GET /pics/logo.png HTTP/1.1)][Plen Bins: 
0,0,6,0,3,0,3,0,3,0,0,0,0,0,0,0,0,3,0,0,0,0,12,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0] + 4 TCP 192.168.0.4:54505 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][27 pkts/3165 bytes <-> 36 pkts/37069 bytes][Goodput ratio: 43/94][10.97 sec][Username: test][Password: test][Hostname/SNI: browserspy.dk][bytes ratio: -0.843 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 298/138 2784/2976 683/551][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 117/1030 775/1514 180/625][URL: browserspy.dk/password.php][StatusCode: 200][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **][Risk Score: 100][Risk Info: Found credentials in HTTP Auth Line][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][PLAIN TEXT (GET /password.php HTTP/1.1)][Plen Bins: 0,0,6,0,0,0,6,3,3,3,0,0,0,0,0,0,0,3,0,0,3,0,3,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0] + 5 TCP 192.168.0.4:54506 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Web/5][16 pkts/1711 bytes <-> 20 pkts/21882 bytes][Goodput ratio: 38/94][18.69 sec][Hostname/SNI: browserspy.dk][bytes ratio: -0.855 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/2 1542/885 9336/9536 2720/2475][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 107/1094 709/1514 155/644][URL: browserspy.dk/?_=1381844104551][StatusCode: 200][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][PLAIN TEXT (yGET /)][Plen Bins: 0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,87,0,0] + 6 TCP 192.168.0.4:54318 <-> 
192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Web/5][15 pkts/1737 bytes <-> 20 pkts/19002 bytes][Goodput ratio: 42/93][15.29 sec][Username: test][Password: fail][Hostname/SNI: browserspy.dk][bytes ratio: -0.832 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1372/588 7743/7938 2428/1969][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 116/950 801/1514 183/656][URL: browserspy.dk/password-ok.php][StatusCode: 401][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **** Error Code **][Risk Score: 110][Risk Info: Found credentials in HTTP Auth Line / HTTP Error Code 401][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][PLAIN TEXT (GET /password)][Plen Bins: 0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,0,0] + 7 TCP 192.168.0.4:54337 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][14 pkts/1675 bytes <-> 19 pkts/18899 bytes][Goodput ratio: 44/93][7.10 sec][Username: test][Password: fail2][Hostname/SNI: browserspy.dk][bytes ratio: -0.837 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 204/31 1269/206 376/69][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 120/995 805/1514 190/642][URL: browserspy.dk/password-ok.php][StatusCode: 401][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **** Error Code **][Risk Score: 110][Risk Info: Found credentials in HTTP Auth Line / HTTP Error Code 401][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][PLAIN TEXT (GET /password)][Plen Bins: 
0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,6,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,0,0] + 8 TCP 192.168.0.4:54317 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][14 pkts/1636 bytes <-> 19 pkts/18925 bytes][Goodput ratio: 43/93][9.56 sec][Hostname/SNI: browserspy.dk][bytes ratio: -0.841 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 454/33 3673/227 1082/74][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 117/996 766/1514 180/642][URL: browserspy.dk/password-ok.php][StatusCode: 401][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Error Code **][Risk Score: 10][Risk Info: HTTP Error Code 401][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][PLAIN TEXT (GET /password)][Plen Bins: 0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,6,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,0,0] + 9 TCP 192.168.0.4:54487 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][15 pkts/1711 bytes <-> 19 pkts/18579 bytes][Goodput ratio: 41/93][11.68 sec][Username: test][Password: test][Hostname/SNI: browserspy.dk][bytes ratio: -0.831 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 605/442 5841/6025 1661/1494][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 114/978 775/1514 177/643][URL: browserspy.dk/password.php][StatusCode: 200][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **][Risk Score: 100][Risk Info: Found credentials in HTTP Auth Line][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][PLAIN TEXT (GET /password.php HTTP/1.1)][Plen Bins: 
0,0,6,0,0,0,0,0,0,0,6,0,0,6,0,0,0,6,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,0,0] + 10 TCP 192.168.0.4:54580 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][13 pkts/1607 bytes <-> 16 pkts/18347 bytes][Goodput ratio: 46/94][5.90 sec][Username: test][Password: test][Hostname/SNI: browserspy.dk][bytes ratio: -0.839 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 552/73 4815/274 1427/102][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 124/1147 803/1514 196/623][URL: browserspy.dk/password-ok.php][StatusCode: 200][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **][Risk Score: 100][Risk Info: Found credentials in HTTP Auth Line][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][PLAIN TEXT (GET /password)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,85,0,0] + 11 TCP 192.168.0.4:54342 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][10 pkts/2866 bytes <-> 7 pkts/881 bytes][Goodput ratio: 77/47][6.17 sec][Username: test][Password: test][Hostname/SNI: browserspy.dk][bytes ratio: 0.530 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/4 742/178 5018/292 1618/106][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 287/126 799/203 334/67][URL: browserspy.dk/pics/logo.png][StatusCode: 304][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **][Risk Score: 100][Risk Info: Found credentials in HTTP Auth Line][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][PLAIN TEXT (GET /pics/logo.png HTTP/1.1)][Plen Bins: 
0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 12 TCP 192.168.0.4:54341 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][10 pkts/2854 bytes <-> 7 pkts/881 bytes][Goodput ratio: 76/47][6.17 sec][Username: test][Password: test][Hostname/SNI: browserspy.dk][bytes ratio: 0.528 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/3 743/180 5025/271 1621/105][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 285/126 805/203 333/67][URL: browserspy.dk/js/jquery.js][StatusCode: 304][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **][Risk Score: 100][Risk Info: Found credentials in HTTP Auth Line][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][PLAIN TEXT (GET /js/j)][Plen Bins: 0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 13 TCP 192.168.0.4:54582 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][6 pkts/1141 bytes <-> 5 pkts/475 bytes][Goodput ratio: 64/29][15.57 sec][Username: test][Password: test][Hostname/SNI: browserspy.dk][bytes ratio: 0.412 (Upload)][IAT c2s/s2c min/avg/max/stddev: 191/10 3074/330 9509/649 3703/320][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 190/95 799/203 272/54][URL: browserspy.dk/theme/default.css][StatusCode: 304][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **][Risk Score: 100][Risk Info: Found credentials in HTTP Auth Line][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][PLAIN TEXT (GET /theme/default.css HTTP/1.1)][Plen Bins: 
0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 14 TCP 192.168.0.4:54343 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][6 pkts/1140 bytes <-> 5 pkts/475 bytes][Goodput ratio: 64/29][6.17 sec][Username: test][Password: test][Hostname/SNI: browserspy.dk][bytes ratio: 0.412 (Upload)][IAT c2s/s2c min/avg/max/stddev: 211/0 1188/274 4948/548 1880/274][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 190/95 798/203 272/54][URL: browserspy.dk/pics/menunew.png][StatusCode: 304][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **][Risk Score: 100][Risk Info: Found credentials in HTTP Auth Line][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][PLAIN TEXT (GET /pics/menunew.png HTTP/1.1)][Plen Bins: 0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 15 TCP 192.168.0.4:54581 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][6 pkts/1139 bytes <-> 5 pkts/475 bytes][Goodput ratio: 64/29][15.57 sec][Username: test][Password: test][Hostname/SNI: browserspy.dk][bytes ratio: 0.411 (Upload)][IAT c2s/s2c min/avg/max/stddev: 184/2 3074/326 9473/649 3698/324][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 190/95 797/203 272/54][URL: browserspy.dk/theme/reset.css][StatusCode: 304][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **][Risk Score: 100][Risk Info: Found credentials in HTTP Auth Line][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][PLAIN TEXT (GET /theme/reset.css HTTP/1.1)][Plen Bins: 
0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 16 TCP 192.168.0.4:54583 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][6 pkts/1121 bytes <-> 5 pkts/475 bytes][Goodput ratio: 64/29][15.57 sec][Username: test][Password: test][Hostname/SNI: browserspy.dk][bytes ratio: 0.405 (Upload)][IAT c2s/s2c min/avg/max/stddev: 191/2 3074/332 9499/662 3700/330][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 187/95 779/203 265/54][URL: browserspy.dk/js/jquery.js][StatusCode: 304][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **][Risk Score: 100][Risk Info: Found credentials in HTTP Auth Line][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][PLAIN TEXT (GET /js/j)][Plen Bins: 0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 17 TCP 192.168.0.4:54319 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][12.83 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 245/1181 3160/1181 10225/1181 4094/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 18 TCP 192.168.0.4:54320 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][12.84 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 246/1178 3161/1178 10229/1178 4096/0][Pkt Len c2s/s2c 
min/avg/max/stddev: 66/66 68/70 78/74 5/4][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 19 TCP 192.168.0.4:54321 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][12.84 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 246/940 3160/940 10267/940 4123/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 20 TCP 192.168.0.4:54322 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][12.84 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 248/760 3160/760 10249/760 4122/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 21 TCP 192.168.0.4:54354 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][14.68 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 202/3082 3577/3082 10249/3082 3955/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 22 TCP 192.168.0.4:54507 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 
0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][14.09 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 204/2408 3474/2408 10240/2408 3970/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 23 TCP 192.168.0.4:54508 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][14.09 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 204/2410 3475/2410 10240/2410 3970/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 24 TCP 192.168.0.4:54509 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][14.10 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 204/2207 3474/2207 10236/2207 3958/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 25 TCP 192.168.0.4:54596 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][15.49 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 194/3741 3824/3741 10228/3741 3889/0][Pkt Len 
c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/http-pwd.pcapng.out b/tests/cfgs/default/result/http-pwd.pcapng.out new file mode 100644 index 000000000..ff3688c3d --- /dev/null +++ b/tests/cfgs/default/result/http-pwd.pcapng.out 
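Review bot: The new expectations record captured secrets verbatim — every authenticated flow here carries `[Username: test][Password: test]` (or `fail`/`fail2`/`fail3`), and the http-pwd.pcapng.out hunk below likewise prints `[Username: admin][Password: adminpwd]` from a form POST — so ndpiReader's flow printout now writes plaintext credentials into output that is routinely pasted into bug reports and checked into the repository. The printing code and the `ndpi_flow` fields it reads are outside this view, so I cannot tell whether the field is gated; if it is not, consider emitting a masked value by default, e.g. `[Password: ********]`, or only a presence marker, and keep the raw value behind an explicit reader option, since `[Risk: ** Clear-Text Credentials **]` with its Risk Info already conveys the finding. The fixtures would then change to the masked form, which also stops the dissector's output from depending on the exact secret bytes.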
@@ -0,0 +1,27 @@ +DPI Packets (TCP): 9 (9.00 pkts/flow) +Confidence DPI : 1 (flows) +Num dissector calls: 15 (15.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 0/0/0 (insert/search/found) +Automa host: 1/0 (search/found) +Automa domain: 1/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 1/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 2/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 2/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +ntop 14 1805 1 + +Safe 14 1805 1 + + 1 TCP 127.0.0.1:56451 <-> 127.0.0.1:3000 [proto: 7.26/HTTP.ntop][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][7 pkts/1151 bytes <-> 7 pkts/654 bytes][Goodput ratio: 65/38][0.00 sec][Username: admin][Password: adminpwd][Hostname/SNI: localhost][bytes ratio: 0.275 (Upload)][IAT c2s/s2c min/avg/max/stddev: 4/4 1/1 4/4 2/2][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 164/93 747/306 239/87][URL: localhost:3000/authorize.html][StatusCode: 302][Req Content-Type: application/x-www-form-urlencoded][Server: ntopng 6.3.241001 (arm64)][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1 Safari/605.1.15][Risk: ** Clear-Text Credentials **][Risk Score: 100][Risk Info: Found password][TCP Fingerprint: 2_64_65535_99a660d3e328/Unknown][PLAIN TEXT (XPOST /authorize.html HTTP/1.1)][Plen Bins: 0,33,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 
diff --git a/tests/cfgs/default/result/http_auth.pcap.out b/tests/cfgs/default/result/http_auth.pcap.out index 056f630f1..19b9f0c97 100644 --- a/tests/cfgs/default/result/http_auth.pcap.out +++ b/tests/cfgs/default/result/http_auth.pcap.out 
@@ -24,4 +24,4 @@ HTTP 33 20574 1 Acceptable 33 20574 1 - 1 TCP 192.168.0.4:54337 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][14 pkts/1675 bytes <-> 19 pkts/18899 bytes][Goodput ratio: 44/93][7.10 sec][Hostname/SNI: browserspy.dk][bytes ratio: -0.837 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 204/31 1269/206 376/69][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 120/995 805/1514 190/642][URL: browserspy.dk/password-ok.php][StatusCode: 401][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **** Error Code **][Risk Score: 110][Risk Info: Found credentials in HTTP Auth Line / HTTP Error Code 401][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][PLAIN TEXT (GET /password)][Plen Bins: 0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,6,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,0,0] + 1 TCP 192.168.0.4:54337 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][14 pkts/1675 bytes <-> 19 pkts/18899 bytes][Goodput ratio: 44/93][7.10 sec][Username: test][Password: fail2][Hostname/SNI: browserspy.dk][bytes ratio: -0.837 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 204/31 1269/206 376/69][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 120/995 805/1514 190/642][URL: browserspy.dk/password-ok.php][StatusCode: 401][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **** Error Code **][Risk Score: 110][Risk Info: Found credentials in HTTP Auth Line / HTTP Error Code 401][TCP Fingerprint: 2_64_65535_09b18f059744/Unknown][PLAIN TEXT (GET /password)][Plen Bins: 
0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,6,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,0,0] |