Update host content list match (#1633)

Improve classifications of Outlook, Cachefly, Cloudflare, Tiktok and Cybersecurity.
author: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> 2022-07-04 13:21:11 +0200
committer: GitHub <noreply@github.com> 2022-07-04 13:21:11 +0200
commit: 44459895889042e8d4e434c2f2b5cdece15a5728 (patch)
tree: b7a6b7fbfee816ad166ce4b5a8b0d77c36238758
parent: a1de0285ebfd13236b3488a6ee5b82963b946b1b (diff)
3 files changed, 19 insertions, 4 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index db535fa81..f8d5bcfe3 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -1091,6 +1091,7 @@ static ndpi_protocol_match host_match[] =
    { ".goog",                               "Google",        NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
 
    { "mail.outlook.com",                   "Outlook",          NDPI_PROTOCOL_MS_OUTLOOK, NDPI_PROTOCOL_CATEGORY_MAIL, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+   { "hotmail.com",                        "Outlook",          NDPI_PROTOCOL_MS_OUTLOOK, NDPI_PROTOCOL_CATEGORY_MAIL, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
 
    { ".last.fm",                            "LastFM",           NDPI_PROTOCOL_LASTFM, NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
 
@@ -1343,10 +1344,7 @@ static ndpi_protocol_match host_match[] =
    { "office.live.com",                         "Microsoft365",    NDPI_PROTOCOL_MICROSOFT_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
    { ".onenote.",                               "Microsoft365",    NDPI_PROTOCOL_MICROSOFT_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
 
-   /* http://www.urlquery.net/report.php?id=1453233646161 */
-   { "lifedom.top",                                "Cloudflare",       NDPI_PROTOCOL_CLOUDFLARE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
-   { "coby.ns.cloudflare.com",      "Cloudflare",       NDPI_PROTOCOL_CLOUDFLARE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
-   { "amanda.ns.cloudflare.com",  "Cloudflare",       NDPI_PROTOCOL_CLOUDFLARE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+   { "cloudflare.com",      "Cloudflare",       NDPI_PROTOCOL_CLOUDFLARE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
 
    { "d295hzzivaok4k.cloudfront.net","OpenDNS",      NDPI_PROTOCOL_OPENDNS, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
    { ".opendns.com",                                  "OpenDNS",      NDPI_PROTOCOL_OPENDNS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
@@ -1462,6 +1460,7 @@ static ndpi_protocol_match host_match[] =
    { ".tik-tokcdn.com",                       "TikTok",           NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
    { "v19.byteicdn.com",                      "TikTok",           NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
    { "v16m.byteicdn.com",                     "TikTok",           NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
+   { ".tiktokcdn-us.com",                     "TikTok",           NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
 
    { "brasilbandalarga.com.br",     "EAQ",              NDPI_PROTOCOL_EAQ, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
    { ".eaqbr.com.br",                       "EAQ",              NDPI_PROTOCOL_EAQ, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
@@ -1602,6 +1601,7 @@ static ndpi_protocol_match host_match[] =
    { "avira.com",                        "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
    { "pandasecurity.com",                "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
    { "avast.com",                        "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+   { ".avcdn.net",                       "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
    { "malwarebytes.com",                 "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
    { "trendmicro.com",                   "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
    { ".eset.com",                        "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
@@ -1700,6 +1700,8 @@ static ndpi_protocol_match host_match[] =
    { "psiphon3.net",           "Psiphon", NDPI_PROTOCOL_PSIPHON, NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
    { ".psiphon3.net",          "Psiphon", NDPI_PROTOCOL_PSIPHON, NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
 
+   { "cachefly.com",           "CacheFly", NDPI_PROTOCOL_CACHEFLY, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_content_match_host_match.c.inc"
 #endif
diff --git a/tests/pcap/cachefly.pcapng b/tests/pcap/cachefly.pcapng
new file mode 100644
index 000000000..7c0c7beeb
--- /dev/null
+++ b/tests/pcap/cachefly.pcapng
diff --git a/tests/result/cachefly.pcapng.out b/tests/result/cachefly.pcapng.out
new file mode 100644
index 000000000..107f767ed
--- /dev/null
+++ b/tests/result/cachefly.pcapng.out
@@ -0,0 +1,13 @@
+Guessed flow protos:	0
+
+DPI Packets (TCP):	6	(6.00 pkts/flow)
+Confidence DPI              : 1 (flows)
+
+Cachefly	6	6163	1
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 10.10.10.1               	 1      
+
+
+	1	TCP 10.10.10.1:443 <-> 192.168.0.1:43766 [proto: 91.289/TLS.Cachefly][Encrypted][Confidence: DPI][cat: Cloud/13][5 pkts/5580 bytes <-> 1 pkts/583 bytes][Goodput ratio: 94/89][0.35 sec][Hostname/SNI: apptv.cachefly.net][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.811 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 88/0 351/0 152/0][Pkt Len c2s/s2c min/avg/max/stddev: 74/583 1116/583 1414/583 524/0][TLSv1.2][JA3C: cd08e31494f9531f560d64c695473da9][ServerNames: *.cachefly.net,get.taxcycle.com,books24x7.com,siteclosed.overdrive.com,c.adventurerv.net,download.acoustica.com,cdn.arstechnica.net,ocp.cscglobal.com,cdn-w.gettraffic.com,cf.cdn.poundstopocket.co.uk,cf.cdn.cashnetusa.com,cf.cdn.quickquid.co.uk,downloads.oncenter.com,cache.green1020.com,software.onthehub.com,code.murdoog.com,img.tradepub.com,images.overdrive.com,static.readyflowers.com,cdn.richrelevance.com,qastatic.richrelevance.net,cache.agilebits.com,cachefly.alfredapp.com,download.fosshub.com,cdncontent.skillsoftcompliance.com,cdnlibrary.qual.skillport.com,cdnlibrary.skillport.com,cdnlibrary.skillport.eu,cdnlibrary-otls.skillport.com,st-cdn01.net-perform.com,assets.yandycdn.com,cdn.nexternal.com,www.workcred.org,img.sedoparking.com,www.standardsboostbusiness.org,cdn.sparklingsociety.net,smartupdate1.centralpointnow.com,cdn.edgeuno.com,downloads.pdf-xchange.com,cachefly.kinematics.com,cachefly.discoverinspire.com,static.volotea.com,*.cachefly.com,*.pluralsight.com,*.cdn.overdrive.com,*.contentreserve.com,*.listen.overdrivechina.cn,*.od-cdn.com,*.overdrivechina.cn,*.read.overdrivechina.cn,*.rbxcdn.com,*.books24x7.com,*.ansi.org,*.livee.com,cachefly.net][JA3S: 8d2a028aa94425f76ced7826b1f39039][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018][Subject: C=US, ST=Illinois, L=Chicago, O=Cachenetworks, LLC, CN=*.cachefly.net][Certificate SHA-1: 14:84:4F:1F:E8:A1:78:8A:12:27:36:B8:42:AB:42:52:FC:3B:C4:BA][Chrome][Validity: 2021-10-18 20:21:03 - 2022-11-19 20:21:03][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,60,0,0,0,0,0]
author	Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>	2022-07-04 13:21:11 +0200
committer	GitHub <noreply@github.com>	2022-07-04 13:21:11 +0200
commit	44459895889042e8d4e434c2f2b5cdece15a5728 (patch)
tree	b7a6b7fbfee816ad166ce4b5a8b0d77c36238758
parent	a1de0285ebfd13236b3488a6ee5b82963b946b1b (diff)