author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-01-08 17:04:12 +0100 |
committer | GitHub <noreply@github.com> | 2024-01-08 17:04:12 +0100 |
commit | 8321b795392591b88f053c3ad0e62e435a8ca728 (patch) | |
tree | f8e90ae5aca567206351b4e6672d260c33c2dfb0 | |
parent | ce08291ccdd2cdcb65f83f97a0fff464310094c1 (diff) |
Make some test traces smaller (#2243)
Having smaller traces helps fuzzing: we want the fuzzers to mutate
"interesting" packets analyzed by nDPI, i.e. the first packets of each
flow.
Try hard to keep the same classification and extraction capabilities
26 files changed, 81 insertions, 88 deletions
diff --git a/tests/cfgs/default/pcap/bitcoin.pcap b/tests/cfgs/default/pcap/bitcoin.pcap
Binary files differ
index ce62ed779..8158620ec 100644
--- a/tests/cfgs/default/pcap/bitcoin.pcap
+++ b/tests/cfgs/default/pcap/bitcoin.pcap
diff --git a/tests/cfgs/default/pcap/emotet.pcap b/tests/cfgs/default/pcap/emotet.pcap
Binary files differ
index 9d19e10d0..d1e08f5a1 100644
--- a/tests/cfgs/default/pcap/emotet.pcap
+++ b/tests/cfgs/default/pcap/emotet.pcap
diff --git a/tests/cfgs/default/pcap/exe_download.pcap b/tests/cfgs/default/pcap/exe_download.pcap
Binary files differ
index 64d97f5ea..727de19d0 100644
--- a/tests/cfgs/default/pcap/exe_download.pcap
+++ b/tests/cfgs/default/pcap/exe_download.pcap
diff --git a/tests/cfgs/default/pcap/exe_download_as_png.pcap b/tests/cfgs/default/pcap/exe_download_as_png.pcap
Binary files differ
index 36f81e241..1d558f22d 100644
--- a/tests/cfgs/default/pcap/exe_download_as_png.pcap
+++ b/tests/cfgs/default/pcap/exe_download_as_png.pcap
diff --git a/tests/cfgs/default/pcap/ftp.pcap b/tests/cfgs/default/pcap/ftp.pcap
Binary files differ
index 0bbc7d16f..6b3fb1be4 100644
--- a/tests/cfgs/default/pcap/ftp.pcap
+++ b/tests/cfgs/default/pcap/ftp.pcap
diff --git a/tests/cfgs/default/pcap/ip_fragmented_garbage.pcap b/tests/cfgs/default/pcap/ip_fragmented_garbage.pcap
Binary files differ
index 5536f4b8d..ee8a164c5 100644
--- a/tests/cfgs/default/pcap/ip_fragmented_garbage.pcap
+++ b/tests/cfgs/default/pcap/ip_fragmented_garbage.pcap
diff --git a/tests/cfgs/default/pcap/ipsec_isakmp_esp.pcap b/tests/cfgs/default/pcap/ipsec_isakmp_esp.pcap
Binary files differ
index 6b60581ac..fb4688ded 100644
--- a/tests/cfgs/default/pcap/ipsec_isakmp_esp.pcap
+++ b/tests/cfgs/default/pcap/ipsec_isakmp_esp.pcap
diff --git a/tests/cfgs/default/pcap/malware.pcap b/tests/cfgs/default/pcap/malware.pcap
Binary files differ
index afa8bd0f0..0633133bb 100644
--- a/tests/cfgs/default/pcap/malware.pcap
+++ b/tests/cfgs/default/pcap/malware.pcap
diff --git a/tests/cfgs/default/pcap/pps.pcap b/tests/cfgs/default/pcap/pps.pcap
Binary files differ
index f85544f36..70e2572f4 100644
--- a/tests/cfgs/default/pcap/pps.pcap
+++ b/tests/cfgs/default/pcap/pps.pcap
diff --git a/tests/cfgs/default/pcap/skinny.pcap b/tests/cfgs/default/pcap/skinny.pcap
Binary files differ
index cda98c63a..94c92ae0d 100644
--- a/tests/cfgs/default/pcap/skinny.pcap
+++ b/tests/cfgs/default/pcap/skinny.pcap
diff --git a/tests/cfgs/default/pcap/skype.pcap b/tests/cfgs/default/pcap/skype.pcap
Binary files differ
index d8c85f508..289e1b358 100644
--- a/tests/cfgs/default/pcap/skype.pcap
+++ b/tests/cfgs/default/pcap/skype.pcap
diff --git a/tests/cfgs/default/pcap/skype_no_unknown.pcap b/tests/cfgs/default/pcap/skype_no_unknown.pcap
Binary files differ
index 5266bca6f..86fdf207c 100644
--- a/tests/cfgs/default/pcap/skype_no_unknown.pcap
+++ b/tests/cfgs/default/pcap/skype_no_unknown.pcap
diff --git a/tests/cfgs/default/pcap/zoom2.pcap b/tests/cfgs/default/pcap/zoom2.pcap
Binary files differ
index 73897f218..1102b57a0 100644
--- a/tests/cfgs/default/pcap/zoom2.pcap
+++ b/tests/cfgs/default/pcap/zoom2.pcap
diff --git a/tests/cfgs/default/result/bitcoin.pcap.out b/tests/cfgs/default/result/bitcoin.pcap.out
index c23ff87c2..c01584b52 100644
--- a/tests/cfgs/default/result/bitcoin.pcap.out
+++ b/tests/cfgs/default/result/bitcoin.pcap.out
@@ -21,13 +21,13 @@ Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 12/0 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-BITCOIN 637 581074 6
+BITCOIN 529 426544 6
-Acceptable 637 581074 6
+Acceptable 529 426544 6
- 1 TCP 192.168.1.142:55328 <-> 69.118.54.122:8333 [proto: 343/BITCOIN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Crypto_Currency/106][2 pkts/281 bytes <-> 137 pkts/191029 bytes][Goodput ratio: 53/95][330.56 sec][bytes ratio: -0.997 (Download)][IAT c2s/s2c min/avg/max/stddev: 141657/0 141657/2644 141657/76010 0/11325][Pkt Len c2s/s2c min/avg/max/stddev: 110/86 140/1394 171/1514 30/378][PLAIN TEXT (version)][Plen Bins: 0,6,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,92,0,0]
- 2 TCP 192.168.1.142:55348 <-> 74.89.181.229:8333 [proto: 343/BITCOIN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Crypto_Currency/106][55 pkts/28663 bytes <-> 117 pkts/134830 bytes][Goodput ratio: 87/94][1491.26 sec][bytes ratio: -0.649 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21789/4882 100110/64236 26995/11546][Pkt Len c2s/s2c min/avg/max/stddev: 110/86 521/1152 1514/1514 578/589][PLAIN TEXT (version)][Plen Bins: 0,32,0,4,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,59,0,0]
- 3 TCP 192.168.1.142:55383 <-> 66.68.83.22:8333 [proto: 343/BITCOIN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Crypto_Currency/106][65 pkts/45271 bytes <-> 96 pkts/70339 bytes][Goodput ratio: 91/91][1337.01 sec][bytes ratio: -0.217 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 18993/12001 134322/105866 27575/21527][Pkt Len c2s/s2c min/avg/max/stddev: 110/86 696/733 1514/1514 637/653][PLAIN TEXT (version)][Plen Bins: 0,47,0,4,0,0,0,0,5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,40,0,0]
- 4 TCP 192.168.1.142:55400 <-> 195.218.16.178:8333 [proto: 343/BITCOIN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Crypto_Currency/106][47 pkts/26824 bytes <-> 72 pkts/55927 bytes][Goodput ratio: 88/92][1107.93 sec][bytes ratio: -0.352 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 22661/13162 91604/95856 25520/24264][Pkt Len c2s/s2c min/avg/max/stddev: 110/86 571/777 1514/1514 606/673][PLAIN TEXT (version)][Plen Bins: 0,53,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,39,0,0]
+ 1 TCP 192.168.1.142:55348 <-> 74.89.181.229:8333 [proto: 343/BITCOIN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Crypto_Currency/106][55 pkts/28663 bytes <-> 117 pkts/134830 bytes][Goodput ratio: 87/94][1491.26 sec][bytes ratio: -0.649 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21789/4882 100110/64236 26995/11546][Pkt Len c2s/s2c min/avg/max/stddev: 110/86 521/1152 1514/1514 578/589][PLAIN TEXT (version)][Plen Bins: 0,32,0,4,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,59,0,0]
+ 2 TCP 192.168.1.142:55383 <-> 66.68.83.22:8333 [proto: 343/BITCOIN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Crypto_Currency/106][65 pkts/45271 bytes <-> 96 pkts/70339 bytes][Goodput ratio: 91/91][1337.01 sec][bytes ratio: -0.217 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 18993/12001 134322/105866 27575/21527][Pkt Len c2s/s2c min/avg/max/stddev: 110/86 696/733 1514/1514 637/653][PLAIN TEXT (version)][Plen Bins: 0,47,0,4,0,0,0,0,5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,40,0,0]
+ 3 TCP 192.168.1.142:55400 <-> 195.218.16.178:8333 [proto: 343/BITCOIN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Crypto_Currency/106][47 pkts/26824 bytes <-> 72 pkts/55927 bytes][Goodput ratio: 88/92][1107.93 sec][bytes ratio: -0.352 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 22661/13162 91604/95856 25520/24264][Pkt Len c2s/s2c min/avg/max/stddev: 110/86 571/777 1514/1514 606/673][PLAIN TEXT (version)][Plen Bins: 0,53,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,39,0,0]
+ 4 TCP 192.168.1.142:55328 <-> 69.118.54.122:8333 [proto: 343/BITCOIN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Crypto_Currency/106][2 pkts/281 bytes <-> 29 pkts/36499 bytes][Goodput ratio: 53/95][144.50 sec][bytes ratio: -0.985 (Download)][IAT c2s/s2c min/avg/max/stddev: 141657/0 141657/5777 141657/71059 0/15957][Pkt Len c2s/s2c min/avg/max/stddev: 110/86 140/1259 171/1514 30/524][PLAIN TEXT (version)][Plen Bins: 3,12,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,75,0,0]
  5 TCP 192.168.1.142:55317 <-> 188.165.213.169:8333 [proto: 343/BITCOIN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Crypto_Currency/106][16 pkts/21673 bytes <-> 3 pkts/1771 bytes][Goodput ratio: 95/89][1.27 sec][bytes ratio: 0.849 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/136 90/212 655/289 169/76][Pkt Len c2s/s2c min/avg/max/stddev: 171/86 1355/590 1514/1514 369/654][PLAIN TEXT (version)][Plen Bins: 5,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,74,0,0]
  6 TCP 192.168.1.142:55487 <-> 184.58.165.119:8333 [proto: 343/BITCOIN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Crypto_Currency/106][24 pkts/3082 bytes <-> 3 pkts/1384 bytes][Goodput ratio: 49/86][506.07 sec][bytes ratio: 0.380 (Upload)][IAT c2s/s2c min/avg/max/stddev: 238/256 21944/256 75340/256 19965/0][Pkt Len c2s/s2c min/avg/max/stddev: 121/86 128/461 171/1127 12/472][PLAIN TEXT (version)][Plen Bins: 3,82,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/emotet.pcap.out b/tests/cfgs/default/result/emotet.pcap.out
index 60c238e39..818fc6b6b 100644
--- a/tests/cfgs/default/result/emotet.pcap.out
+++ b/tests/cfgs/default/result/emotet.pcap.out
@@ -21,21 +21,21 @@ Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 12/0 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-SMTP 626 438465 1
-HTTP 1601 1581542 3
-TLS 153 107018 2
+SMTP 50 18605 1
+HTTP 87 70544 3
+TLS 32 10095 2
-Safe 153 107018 2
-Acceptable 2227 2020007 4
+Safe 32 10095 2
+Acceptable 137 89149 4
 JA3 Host Stats:
 IP Address # JA3C
 1 10.4.25.101 1
- 1 TCP 10.4.20.102:54319 <-> 107.161.178.210:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 5][cat: Download/7][272 pkts/16545 bytes <-> 557 pkts/800118 bytes][Goodput ratio: 1/96][9.12 sec][Hostname/SNI: gandhitoday.org][bytes ratio: -0.959 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 26/11 2171/1215 155/59][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 61/1436 279/1442 13/84][URL: gandhitoday.org/video/6JvA8/][StatusCode: 200][Content-Type: application/x-msdownload][Server: Apache][User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko][Filename: EGh7x6aKN3ILP.dll][Risk: ** Binary App Transfer **][Risk Score: 150][Risk Info: Found mime exe x-msdownload][PLAIN TEXT (GET /video/6J)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0]
- 2 TCP 10.4.25.101:49797 <-> 77.105.36.156:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Download/7][169 pkts/10292 bytes <-> 395 pkts/565664 bytes][Goodput ratio: 1/96][1.99 sec][Hostname/SNI: filmmogzivota.rs][bytes ratio: -0.964 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 12/4 292/171 38/19][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 61/1432 206/1442 11/107][URL: filmmogzivota.rs/SpryAssets/gDR/][StatusCode: 200][Content-Type: application/x-msdownload][Server: Apache][User-Agent: vBKbaQgjyvRRbcgfvlsc][Filename: TfBXbg6gEAqeHioMEKOtCAAn73.dll][Risk: ** Binary App Transfer **** HTTP Susp User-Agent **][Risk Score: 250][Risk Info: UA vBKbaQgjyvRRbcgfvlsc / Found mime exe x-msdownload][PLAIN TEXT (GET /SpryAssets/gDR/ HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0]
- 3 TCP 10.2.25.102:57309 <-> 193.252.22.84:587 [proto: 3/SMTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 19][cat: Email/3][303 pkts/420177 bytes <-> 323 pkts/18288 bytes][Goodput ratio: 96/5][19.04 sec][Hostname/SNI: opmta1mto02nd1][bytes ratio: 0.917 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 26/66 1205/3211 138/351][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 1387/57 1514/214 400/13][PLAIN TEXT (220 opmta)][Plen Bins: 7,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,83,0,0]
- 4 TCP 10.3.29.101:56309 <-> 104.161.127.22:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Web/5][72 pkts/4883 bytes <-> 136 pkts/184040 bytes][Goodput ratio: 20/96][11.81 sec][Hostname/SNI: fkl.co.ke][bytes ratio: -0.948 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 224/98 7597/7597 1122/760][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 68/1353 591/1415 81/273][URL: fkl.co.ke/wp-content/Elw3kPvOsZxM5/][StatusCode: 200][Content-Type: text/html][Server: LiteSpeed][User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Edg/99.0.1150.55][PLAIN TEXT (GET /wp)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0]
- 5 TCP 10.4.25.101:49803 <-> 138.197.147.101:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Web/5][61 pkts/4478 bytes <-> 75 pkts/99815 bytes][Goodput ratio: 16/96][28.39 sec][bytes ratio: -0.914 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 600/30 23191/1117 3362/144][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 73/1331 534/1442 63/364][Risk: ** Self-signed Cert **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Malicious JA3 Fingerp. **][Risk Score: 210][Risk Info: 51c64c77e60f3980eea90869b68c58a8 / No ALPN / C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com][TLSv1.2][JA3C: 51c64c77e60f3980eea90869b68c58a8][JA4: t12d190600_d83cc789557e_2dae41c691ec][JA3S: ec74a5c51106f0419184d0dd08fb05bc][Issuer: C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com][Subject: C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com][Certificate SHA-1: 43:A2:39:73:AC:4D:2C:15:7B:D6:4E:32:EA:22:11:B7:97:65:1A:93][Firefox][Validity: 2022-04-21 10:08:46 - 2023-04-21 10:08:46][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 1,0,1,0,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,93,0,0,0,0]
+ 1 TCP 10.3.29.101:56309 <-> 104.161.127.22:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Web/5][21 pkts/1592 bytes <-> 37 pkts/48623 bytes][Goodput ratio: 28/96][0.61 sec][Hostname/SNI: fkl.co.ke][bytes ratio: -0.937 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 26/7 204/204 57/36][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 76/1314 500/1415 95/343][URL: fkl.co.ke/wp-content/Elw3kPvOsZxM5/][StatusCode: 200][Content-Type: text/html][Server: LiteSpeed][User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Edg/99.0.1150.55][PLAIN TEXT (GET /wp)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,2,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,95,0,0,0,0,0]
+ 2 TCP 10.2.25.102:57309 <-> 193.252.22.84:587 [proto: 3/SMTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 19][cat: Email/3][23 pkts/16752 bytes <-> 27 pkts/1853 bytes][Goodput ratio: 93/21][8.35 sec][Hostname/SNI: opmta1mto02nd1][bytes ratio: 0.801 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 276/345 1205/3054 406/694][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 728/69 1514/214 702/33][PLAIN TEXT (220 opmta)][Plen Bins: 31,27,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,34,0,0]
+ 3 TCP 10.4.25.101:49797 <-> 77.105.36.156:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Download/7][5 pkts/452 bytes <-> 10 pkts/10518 bytes][Goodput ratio: 34/95][0.48 sec][Hostname/SNI: filmmogzivota.rs][bytes ratio: -0.918 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 159/37 292/171 121/64][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 90/1052 206/1442 58/553][URL: filmmogzivota.rs/SpryAssets/gDR/][StatusCode: 200][Content-Type: application/x-msdownload][Server: Apache][User-Agent: vBKbaQgjyvRRbcgfvlsc][Filename: TfBXbg6gEAqeHioMEKOtCAAn73.dll][Risk: ** Binary App Transfer **** HTTP Susp User-Agent **][Risk Score: 250][Risk Info: UA vBKbaQgjyvRRbcgfvlsc / Found mime exe x-msdownload][PLAIN TEXT (GET /SpryAssets/gDR/ HTTP/1.1)][Plen Bins: 0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,66,0,0,0,0]
+ 4 TCP 10.4.20.102:54319 <-> 107.161.178.210:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 5][cat: Download/7][7 pkts/645 bytes <-> 7 pkts/8714 bytes][Goodput ratio: 35/96][0.38 sec][Hostname/SNI: gandhitoday.org][bytes ratio: -0.862 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 74/54 260/260 100/103][Pkt Len c2s/s2c min/avg/max/stddev: 60/62 92/1245 279/1442 76/483][URL: gandhitoday.org/video/6JvA8/][StatusCode: 200][Content-Type: application/x-msdownload][Server: Apache][User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko][Filename: EGh7x6aKN3ILP.dll][Risk: ** Binary App Transfer **][Risk Score: 150][Risk Info: Found mime exe x-msdownload][PLAIN TEXT (GET /video/6J)][Plen Bins: 0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,85,0,0,0,0]
+ 5 TCP 10.4.25.101:49803 <-> 138.197.147.101:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Web/5][7 pkts/1130 bytes <-> 8 pkts/6240 bytes][Goodput ratio: 64/93][1.65 sec][bytes ratio: -0.693 (Download)][IAT c2s/s2c min/avg/max/stddev: 14/0 75/231 122/1117 39/400][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 161/780 534/1442 161/663][Risk: ** Self-signed Cert **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Malicious JA3 Fingerp. **][Risk Score: 210][Risk Info: 51c64c77e60f3980eea90869b68c58a8 / No ALPN / C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com][TLSv1.2][JA3C: 51c64c77e60f3980eea90869b68c58a8][JA4: t12d190600_d83cc789557e_2dae41c691ec][JA3S: ec74a5c51106f0419184d0dd08fb05bc][Issuer: C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com][Subject: C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com][Certificate SHA-1: 43:A2:39:73:AC:4D:2C:15:7B:D6:4E:32:EA:22:11:B7:97:65:1A:93][Firefox][Validity: 2022-04-21 10:08:46 - 2023-04-21 10:08:46][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,12,0,12,0,0,12,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,51,0,0,0,0]
  6 TCP 10.4.25.101:49804 <-> 138.197.147.101:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Web/5][10 pkts/1517 bytes <-> 7 pkts/1208 bytes][Goodput ratio: 61/66][48.61 sec][bytes ratio: 0.113 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 5997/806 44782/3012 14692/1274][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 152/173 607/714 179/224][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Malicious JA3 Fingerp. **][Risk Score: 110][Risk Info: 51c64c77e60f3980eea90869b68c58a8 / No ALPN][TLSv1.2][JA3C: 51c64c77e60f3980eea90869b68c58a8][JA4: t12d190600_d83cc789557e_2dae41c691ec][JA3S: fd4bc6cea4877646ccd62f0792ec0b62][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 16,16,0,16,0,0,0,0,0,0,16,0,0,0,0,0,0,16,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/exe_download.pcap.out b/tests/cfgs/default/result/exe_download.pcap.out
index 940890002..79bccf3a7 100644
--- a/tests/cfgs/default/result/exe_download.pcap.out
+++ b/tests/cfgs/default/result/exe_download.pcap.out
@@ -21,8 +21,8 @@ Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 2/0 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-HTTP 703 717463 1
+HTTP 20 14869 1
-Acceptable 703 717463 1
+Acceptable 20 14869 1
- 1 TCP 10.9.25.101:49165 <-> 144.91.69.195:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Download/7][203 pkts/11127 bytes <-> 500 pkts/706336 bytes][Goodput ratio: 1/96][5.18 sec][Hostname/SNI: 144.91.69.195][bytes ratio: -0.969 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 23/9 319/365 49/37][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 55/1413 207/1514 11/134][URL: 144.91.69.195/solar.php][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx/1.10.3][User-Agent: pwtyyEKzNtGatwnJjmCcBLbOveCVpc][Filename: phn34ycjtghm.exe][Risk: ** Binary App Transfer **** HTTP Susp User-Agent **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Obsolete Server **][Risk Score: 310][Risk Info: Found host 144.91.69.195 / UA pwtyyEKzNtGatwnJjmCcBLbOveCVpc / Obsolete nginx server 1.10.3 / Found mime exe octet-stream][PLAIN TEXT (GET /solar.php HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,2,0,0,7,0,0,63,0,0,24,0,0]
+ 1 TCP 10.9.25.101:49165 <-> 144.91.69.195:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Download/7][8 pkts/597 bytes <-> 12 pkts/14272 bytes][Goodput ratio: 26/95][0.76 sec][Hostname/SNI: 144.91.69.195][bytes ratio: -0.920 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 125/33 319/298 134/89][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 75/1189 207/1514 50/510][URL: 144.91.69.195/solar.php][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx/1.10.3][User-Agent: pwtyyEKzNtGatwnJjmCcBLbOveCVpc][Filename: phn34ycjtghm.exe][Risk: ** Binary App Transfer **** HTTP Susp User-Agent **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Obsolete Server **][Risk Score: 310][Risk Info: Found host 144.91.69.195 / UA pwtyyEKzNtGatwnJjmCcBLbOveCVpc / Obsolete nginx server 1.10.3 / Found mime exe octet-stream][PLAIN TEXT (GET /solar.php HTTP/1.1)][Plen Bins: 0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0,54,0,0,18,0,0]
diff --git a/tests/cfgs/default/result/exe_download_as_png.pcap.out b/tests/cfgs/default/result/exe_download_as_png.pcap.out
index bd6ee97a2..e5c6b1a7d 100644
--- a/tests/cfgs/default/result/exe_download_as_png.pcap.out
+++ b/tests/cfgs/default/result/exe_download_as_png.pcap.out
@@ -21,8 +21,8 @@ Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 2/0 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-HTTP 534 529449 1
+HTTP 100 94225 1
-Acceptable 534 529449 1
+Acceptable 100 94225 1
- 1 TCP 10.9.25.101:49197 <-> 185.98.87.185:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Web/5][163 pkts/9113 bytes <-> 371 pkts/520336 bytes][Goodput ratio: 3/96][69.52 sec][Hostname/SNI: 185.98.87.185][bytes ratio: -0.966 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 623/25 60010/4824 5733/276][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 56/1403 204/1514 16/164][URL: 185.98.87.185/tablone.png][StatusCode: 200][Content-Type: image/png][Server: nginx/1.10.3][User-Agent: WinHTTP loader/1.0][Risk: ** Binary App Transfer **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Obsolete Server **][Risk Score: 210][Risk Info: Found host 185.98.87.185 / Obsolete nginx server 1.10.3 / Found Windows Exe][PLAIN TEXT (GET /tablone.png HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,10,0,0,71,0,0,16,0,0]
+ 1 TCP 10.9.25.101:49197 <-> 185.98.87.185:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Web/5][33 pkts/1943 bytes <-> 67 pkts/92282 bytes][Goodput ratio: 8/96][1.90 sec][Hostname/SNI: 185.98.87.185][bytes ratio: -0.959 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 53/14 613/612 145/81][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 59/1377 203/1514 26/239][URL: 185.98.87.185/tablone.png][StatusCode: 200][Content-Type: image/png][Server: nginx/1.10.3][User-Agent: WinHTTP loader/1.0][Risk: ** Binary App Transfer **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Obsolete Server **][Risk Score: 210][Risk Info: Found host 185.98.87.185 / Obsolete nginx server 1.10.3 / Found Windows Exe][PLAIN TEXT (GET /tablone.png HTTP/1.1)][Plen Bins: 0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,6,0,0,73,0,0,15,0,0]
diff --git a/tests/cfgs/default/result/ftp.pcap.out b/tests/cfgs/default/result/ftp.pcap.out
index 0eed0abea..984f0019e 100644
--- a/tests/cfgs/default/result/ftp.pcap.out
+++ b/tests/cfgs/default/result/ftp.pcap.out
@@ -22,17 +22,17 @@ Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 6/0 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Unknown 1115 1122198 1
+Unknown 132 118184 1
 FTP_CONTROL 68 5571 1
 FTP_DATA 9 1819 1
 Acceptable 9 1819 1
 Unsafe 68 5571 1
-Unrated 1115 1122198 1
+Unrated 132 118184 1
  1 TCP 192.168.1.212:50694 <-> 90.130.70.73:21 [proto: 1/FTP_CONTROL][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 12][cat: Download/7][41 pkts/2892 bytes <-> 27 pkts/2679 bytes][Goodput ratio: 6/33][8.48 sec][User: anonymous][Pwd: NcFTP@][bytes ratio: 0.038 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 236/108 4743/1377 849/305][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 71/99 96/307 7/45][Risk: ** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 110][Risk Info: Found FTP username (anonymous)][PLAIN TEXT (vsFTPd 3.0.3)][Plen Bins: 74,18,5,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
  2 TCP 192.168.1.212:50695 <-> 90.130.70.73:25685 [proto: 175/FTP_DATA][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Download/7][5 pkts/342 bytes <-> 4 pkts/1477 bytes][Goodput ratio: 0/82][0.09 sec][bytes ratio: -0.624 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/28 14/28 29/29 14/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/369 78/1271 5/521][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT ( 1 0 0 1073741)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0]
 Undetected flows:
- 1 TCP 192.168.1.212:50696 <-> 90.130.70.73:24523 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 23][380 pkts/25104 bytes <-> 735 pkts/1097094 bytes][Goodput ratio: 0/96][0.33 sec][bytes ratio: -0.955 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 29/29 2/2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 66/1493 78/1506 1/135][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0]
+ 1 TCP 192.168.1.212:50696 <-> 90.130.70.73:24523 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 23][54 pkts/3588 bytes <-> 78 pkts/114596 bytes][Goodput ratio: 0/95][0.15 sec][bytes ratio: -0.939 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2/1 29/29 6/4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 66/1469 78/1506 2/227][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0]
diff --git a/tests/cfgs/default/result/ip_fragmented_garbage.pcap.out b/tests/cfgs/default/result/ip_fragmented_garbage.pcap.out
index 312eca79e..c2cb6effe 100644
--- a/tests/cfgs/default/result/ip_fragmented_garbage.pcap.out
+++ b/tests/cfgs/default/result/ip_fragmented_garbage.pcap.out
@@ -1,4 +1,4 @@
-DPI Packets (TCP): 29 (29.00 pkts/flow)
+DPI Packets (TCP): 4 (4.00 pkts/flow)
 Confidence Unknown : 1 (flows)
 Num dissector calls: 0 (0.00 diss/flow)
 LRU cache ookla: 0/0/0 (insert/search/found)
@@ -21,11 +21,11 @@ Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 0/0 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Unknown 29 1566 1
+Unknown 4 216 1
-Unrated 29 1566 1
+Unrated 4 216 1
 Undetected flows:
- 1 TCP 10.0.0.2:0 -> 10.128.0.2:0 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 29][29 pkts/1566 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][8.51 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 302/0 304/0 305/0 1/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/0 54/0 54/0 0/0][PLAIN TEXT (hdflkda)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 1 TCP 10.0.0.2:0 -> 10.128.0.2:0 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 4][4 pkts/216 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][0.91 sec][PLAIN TEXT (hdflkda)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/ipsec_isakmp_esp.pcap.out b/tests/cfgs/default/result/ipsec_isakmp_esp.pcap.out
index 637c771dd..cc7ed1fa9 100644
--- a/tests/cfgs/default/result/ipsec_isakmp_esp.pcap.out
+++ b/tests/cfgs/default/result/ipsec_isakmp_esp.pcap.out
@@ -21,18 +21,18 @@ Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 48/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -IPSec 1080 580682 24 +IPSec 834 451722 24 -Safe 1080 580682 24 +Safe 834 451722 24 - 1 UDP 192.168.2.100:14500 <-> 109.237.187.227:4500 [proto: 79/IPSec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: VPN/2][133 pkts/90074 bytes <-> 158 pkts/61560 bytes][Goodput ratio: 94/89][< 1 sec][bytes ratio: 0.188 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 224588/183284 12245008/12245090 1295597/1170056][Pkt Len c2s/s2c min/avg/max/stddev: 122/82 677/390 1374/1374 512/393][PLAIN TEXT (@EmPAT)][Plen Bins: 0,0,14,14,24,0,7,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,7,0,0,5,0,0,0,7,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0] - 2 UDP 192.168.2.100:14500 <-> 109.237.187.130:4500 [proto: 79/IPSec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: VPN/2][37 pkts/23230 bytes <-> 53 pkts/36862 bytes][Goodput ratio: 93/94][< 1 sec][bytes ratio: -0.227 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 51181/32575 761601/761794 163164/132507][Pkt Len c2s/s2c min/avg/max/stddev: 138/122 628/696 1374/1374 489/539][PLAIN TEXT (H.P.RE)][Plen Bins: 0,0,6,13,20,0,6,0,0,0,0,0,0,6,0,0,0,0,1,0,0,0,0,0,0,6,0,0,0,0,0,0,12,0,0,0,0,0,0,0,6,20,0,0,0,0,0,0] - 3 UDP 192.168.2.100:10500 <-> 109.237.187.227:500 [proto: 79/IPSec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: VPN/2][54 pkts/44820 bytes <-> 53 pkts/11118 bytes][Goodput ratio: 95/80][< 1 sec][bytes ratio: 0.602 (Upload)][IAT c2s/s2c min/avg/max/stddev: 28/27 689892/698588 12245747/12245747 1998175/2019137][Pkt Len c2s/s2c min/avg/max/stddev: 818/94 830/210 842/330 12/118][PLAIN TEXT (rMpKau6)][Plen Bins: 0,25,0,0,0,0,0,0,0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 4 UDP 192.168.2.100:14500 <-> 109.237.187.195:4500 [proto: 79/IPSec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: VPN/2][42 pkts/30020 bytes <-> 48 
pkts/21472 bytes][Goodput ratio: 94/91][15275.72 sec][bytes ratio: 0.166 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 85008/72283 1429414/1429546 288620/266457][Pkt Len c2s/s2c min/avg/max/stddev: 138/122 715/447 1374/1374 518/432][PLAIN TEXT (@yIwAf)][Plen Bins: 0,0,8,13,26,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,6,0,4,2,0,0,0,6,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0] - 5 UDP 192.168.2.100:14500 <-> 109.237.187.193:4500 [proto: 79/IPSec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: VPN/2][43 pkts/32226 bytes <-> 47 pkts/14246 bytes][Goodput ratio: 94/86][18892.62 sec][bytes ratio: 0.387 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 66479/485440637135486976 1521662/18446744073664032328 281113/0][Pkt Len c2s/s2c min/avg/max/stddev: 138/122 749/303 1374/1070 516/284][PLAIN TEXT (@7Ac9 )][Plen Bins: 0,0,12,13,27,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,6,0,0,7,0,0,0,5,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0] - 6 UDP 192.168.2.100:14500 <-> 109.237.187.225:4500 [proto: 79/IPSec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: VPN/2][34 pkts/24848 bytes <-> 41 pkts/17850 bytes][Goodput ratio: 94/90][11474.04 sec][bytes ratio: 0.164 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 55649/558992261317132288 1440343/18446744073651596977 276939/0][Pkt Len c2s/s2c min/avg/max/stddev: 138/122 731/435 1374/1374 517/426][Risk: ** Malformed Packet **][Risk Score: 10][Risk Info: No server to client traffic / Invalid IPSec/ISAKMP Header][PLAIN TEXT (17Uv 2)][Plen Bins: 0,0,9,13,26,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,6,0,4,2,0,0,0,6,0,0,0,0,0,0,0,0,18,0,0,0,0,0,0] - 7 UDP 192.168.2.100:14500 <-> 109.237.187.194:4500 [proto: 79/IPSec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: VPN/2][22 pkts/15216 bytes <-> 23 pkts/8650 bytes][Goodput ratio: 94/89][13749.36 sec][bytes ratio: 0.275 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 60292/56941 1020541/1007809 240062/230637][Pkt Len c2s/s2c min/avg/max/stddev: 138/122 692/376 1374/1374 518/361][Plen 
Bins: 0,0,8,13,29,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,6,0,2,6,0,0,0,4,0,0,0,0,0,0,0,0,15,0,0,0,0,0,0] - 8 UDP 192.168.2.100:14500 <-> 109.237.187.131:4500 [proto: 79/IPSec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: VPN/2][21 pkts/15042 bytes <-> 24 pkts/7632 bytes][Goodput ratio: 94/87][10912.86 sec][bytes ratio: 0.327 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 27756/24780 439840/418574 106400/93007][Pkt Len c2s/s2c min/avg/max/stddev: 138/122 716/318 1374/1070 518/302][PLAIN TEXT (90dItt)][Plen Bins: 0,0,13,13,27,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,6,0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,13,0,0,0,0,0,0] + 1 UDP 192.168.2.100:14500 <-> 109.237.187.130:4500 [proto: 79/IPSec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: VPN/2][37 pkts/23230 bytes <-> 53 pkts/36862 bytes][Goodput ratio: 93/94][< 1 sec][bytes ratio: -0.227 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 51181/32575 761601/761794 163164/132507][Pkt Len c2s/s2c min/avg/max/stddev: 138/122 628/696 1374/1374 489/539][PLAIN TEXT (H.P.RE)][Plen Bins: 0,0,6,13,20,0,6,0,0,0,0,0,0,6,0,0,0,0,1,0,0,0,0,0,0,6,0,0,0,0,0,0,12,0,0,0,0,0,0,0,6,20,0,0,0,0,0,0] + 2 UDP 192.168.2.100:10500 <-> 109.237.187.227:500 [proto: 79/IPSec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: VPN/2][54 pkts/44820 bytes <-> 53 pkts/11118 bytes][Goodput ratio: 95/80][< 1 sec][bytes ratio: 0.602 (Upload)][IAT c2s/s2c min/avg/max/stddev: 28/27 689892/698588 12245747/12245747 1998175/2019137][Pkt Len c2s/s2c min/avg/max/stddev: 818/94 830/210 842/330 12/118][PLAIN TEXT (rMpKau6)][Plen Bins: 0,25,0,0,0,0,0,0,0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 UDP 192.168.2.100:14500 <-> 109.237.187.195:4500 [proto: 79/IPSec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: VPN/2][42 pkts/30020 bytes <-> 48 pkts/21472 bytes][Goodput ratio: 94/91][15275.72 sec][bytes ratio: 0.166 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 
85008/72283 1429414/1429546 288620/266457][Pkt Len c2s/s2c min/avg/max/stddev: 138/122 715/447 1374/1374 518/432][PLAIN TEXT (@yIwAf)][Plen Bins: 0,0,8,13,26,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,6,0,4,2,0,0,0,6,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0] + 4 UDP 192.168.2.100:14500 <-> 109.237.187.193:4500 [proto: 79/IPSec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: VPN/2][43 pkts/32226 bytes <-> 47 pkts/14246 bytes][Goodput ratio: 94/86][18892.62 sec][bytes ratio: 0.387 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 66479/485440637135486976 1521662/18446744073664032328 281113/0][Pkt Len c2s/s2c min/avg/max/stddev: 138/122 749/303 1374/1070 516/284][PLAIN TEXT (@7Ac9 )][Plen Bins: 0,0,12,13,27,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,6,0,0,7,0,0,0,5,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0] + 5 UDP 192.168.2.100:14500 <-> 109.237.187.225:4500 [proto: 79/IPSec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: VPN/2][34 pkts/24848 bytes <-> 41 pkts/17850 bytes][Goodput ratio: 94/90][11474.04 sec][bytes ratio: 0.164 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 55649/558992261317132288 1440343/18446744073651596977 276939/0][Pkt Len c2s/s2c min/avg/max/stddev: 138/122 731/435 1374/1374 517/426][Risk: ** Malformed Packet **][Risk Score: 10][Risk Info: No server to client traffic / Invalid IPSec/ISAKMP Header][PLAIN TEXT (17Uv 2)][Plen Bins: 0,0,9,13,26,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,6,0,4,2,0,0,0,6,0,0,0,0,0,0,0,0,18,0,0,0,0,0,0] + 6 UDP 192.168.2.100:14500 <-> 109.237.187.194:4500 [proto: 79/IPSec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: VPN/2][22 pkts/15216 bytes <-> 23 pkts/8650 bytes][Goodput ratio: 94/89][13749.36 sec][bytes ratio: 0.275 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 60292/56941 1020541/1007809 240062/230637][Pkt Len c2s/s2c min/avg/max/stddev: 138/122 692/376 1374/1374 518/361][Plen Bins: 0,0,8,13,29,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,6,0,2,6,0,0,0,4,0,0,0,0,0,0,0,0,15,0,0,0,0,0,0] + 7 UDP 
192.168.2.100:14500 <-> 109.237.187.131:4500 [proto: 79/IPSec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: VPN/2][21 pkts/15042 bytes <-> 24 pkts/7632 bytes][Goodput ratio: 94/87][10912.86 sec][bytes ratio: 0.327 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 27756/24780 439840/418574 106400/93007][Pkt Len c2s/s2c min/avg/max/stddev: 138/122 716/318 1374/1070 518/302][PLAIN TEXT (90dItt)][Plen Bins: 0,0,13,13,27,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,6,0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,13,0,0,0,0,0,0] + 8 UDP 192.168.2.100:14500 <-> 109.237.187.227:4500 [proto: 79/IPSec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: VPN/2][21 pkts/15042 bytes <-> 24 pkts/7632 bytes][Goodput ratio: 94/87][< 1 sec][bytes ratio: 0.327 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 31247/27702 496263/483419 120067/107511][Pkt Len c2s/s2c min/avg/max/stddev: 138/122 716/318 1374/1070 518/302][PLAIN TEXT (@EmPAT)][Plen Bins: 0,0,13,13,27,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,6,0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,13,0,0,0,0,0,0] 9 UDP 192.168.2.100:10500 <-> 109.237.187.195:500 [proto: 79/IPSec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: VPN/2][18 pkts/14940 bytes <-> 18 pkts/3816 bytes][Goodput ratio: 95/80][15261.44 sec][bytes ratio: 0.593 (Upload)][IAT c2s/s2c min/avg/max/stddev: 36/36 192067/1317624635595948032 998367/18446744073696444249 327148/0][Pkt Len c2s/s2c min/avg/max/stddev: 818/94 830/212 842/330 12/118][Plen Bins: 0,25,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 10 UDP 192.168.2.100:10500 <-> 109.237.187.193:500 [proto: 79/IPSec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: VPN/2][16 pkts/13280 bytes <-> 16 pkts/3392 bytes][Goodput ratio: 95/80][18889.28 sec][bytes ratio: 0.593 (Upload)][IAT c2s/s2c min/avg/max/stddev: 39/37 306418/1537228718622113792 1523984/18446744073664046406 469614/0][Pkt Len c2s/s2c min/avg/max/stddev: 818/94 830/212 842/330 
12/118][Plen Bins: 0,25,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 11 UDP 192.168.2.100:10500 <-> 109.237.187.130:500 [proto: 79/IPSec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: VPN/2][12 pkts/9960 bytes <-> 12 pkts/2544 bytes][Goodput ratio: 95/80][< 1 sec][bytes ratio: 0.593 (Upload)][IAT c2s/s2c min/avg/max/stddev: 35/35 252278/252277 1325428/1325428 408560/408559][Pkt Len c2s/s2c min/avg/max/stddev: 818/94 830/212 842/330 12/118][Plen Bins: 0,25,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/malware.pcap.out b/tests/cfgs/default/result/malware.pcap.out index aa3483581..582ce4242 100644 --- a/tests/cfgs/default/result/malware.pcap.out +++ b/tests/cfgs/default/result/malware.pcap.out @@ -29,9 +29,9 @@ Patricia protocols IPv6: 0/0 (search/found) DNS 2 216 1 HTTP 3 547 2 ICMP 1 98 1 -TLS 843 577251 2 +TLS 94 60194 2 -Safe 843 577251 2 +Safe 94 60194 2 Acceptable 6 861 4 JA3 Host Stats: 
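Review bot: The regenerated expected output on the new side for flows 4 and 5 (109.237.187.193 and 109.237.187.225), and the unchanged context lines for flows 9 and 10, still carry s2c IAT avg/max values such as `485440637135486976` and `18446744073664032328` with a stddev of `0`; a max just below 2^64 is almost certainly an unsigned wraparound of a negative timestamp delta (out-of-order or non-monotonic capture timestamps) rather than a real inter-arrival gap, so the trimmed fixture now asserts a corrupted statistic. The IAT computation lives outside this diff; it presumably should clamp or skip negative deltas, after which this .out file would need regenerating again. A second, smaller oddity on flow 5: it is reported with 34 client and 41 server packets yet keeps `[Risk Info: No server to client traffic / Invalid IPSec/ISAKMP Header]` under a risk line that no longer lists Unidirectional Traffic, which looks like a stale risk-info string left behind when that risk was cleared. Both predate this commit, so this is a note for a follow-up rather than a blocker on the trace trimming.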
@@ -40,7 +40,7 @@ JA3 Host Stats: 2 192.168.7.7 1 - 1 TCP 192.168.0.20:41240 <-> 193.109.85.123:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 13][cat: Malware/100][320 pkts/26467 bytes <-> 503 pkts/543644 bytes][Goodput ratio: 17/95][1.82 sec][Hostname/SNI: hobbeach.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.907 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5/4 159/269 21/21][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 83/1081 938/1506 100/655][TLSv1.2][JA3C: 9a7f6a45c84d90c9e8baecb0c9ae8dff][JA4: t13d1515h2_8daaf6152771_6a09c78d0dc2][JA3S: d154fcfa5bb4f0748e1dd1992c681104][ECH: version 0xfe0d][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,97,0,0] + 1 TCP 192.168.0.20:41240 <-> 193.109.85.123:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 13][cat: Malware/100][22 pkts/4006 bytes <-> 52 pkts/49048 bytes][Goodput ratio: 70/94][0.89 sec][Hostname/SNI: hobbeach.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.849 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 53/18 159/269 55/55][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 182/943 847/1506 265/684][TLSv1.2][JA3C: 9a7f6a45c84d90c9e8baecb0c9ae8dff][JA4: t13d1515h2_8daaf6152771_6a09c78d0dc2][JA3S: d154fcfa5bb4f0748e1dd1992c681104][ECH: version 0xfe0d][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,5,0,2,0,0,0,2,0,0,0,0,0,2,0,0,0,0,0,2,0,0,0,5,0,0,0,0,0,2,0,0,0,0,0,0,0,2,0,0,2,0,0,0,75,0,0] 2 TCP 192.168.7.7:35236 <-> 67.215.92.210:443 [proto: 91/TLS][IP: 225/OpenDNS][Encrypted][Confidence: DPI][DPI packets: 10][cat: Malware/100][11 pkts/1280 bytes <-> 9 pkts/5860 bytes][Goodput ratio: 53/91][0.64 sec][Hostname/SNI: www.internetbadguys.com][(Advertised) ALPNs: h2;http/1.1][TLS 
Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.641 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 71/75 240/249 99/103][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 116/651 571/1514 148/644][Risk: ** TLS Cert Mismatch **][Risk Score: 100][Risk Info: www.internetbadguys.com vs api.opendns.com,branded-login.opendns.com,cachecheck.opendns.com,community.opendns.com,dashboard2.o][TLSv1.2][JA3C: b20b44b18b853ef29ab773e921b03422][JA4: t13d1814h2_29a2cd9e9f10_d267a5f792d4][ServerNames: api.opendns.com,branded-login.opendns.com,cachecheck.opendns.com,community.opendns.com,dashboard2.opendns.com,dashboard.opendns.com,dashboard-ipv4.opendns.com,msp-login.opendns.com,api-ipv4.opendns.com,api-ipv6.opendns.com,authz.api.opendns.com,domain.opendns.com,help.vpn.opendns.com,ideabank.opendns.com,login.opendns.com,netgear.opendns.com,reseller-login.opendns.com,images.opendns.com,images-using.opendns.com,store.opendns.com,signup.opendns.com,twilio.opendns.com,updates.opendns.com,shared.opendns.com,tools.opendns.com,cache.opendns.com,api.umbrella.com,branded-login.umbrella.com,cachecheck.umbrella.com,community.umbrella.com,dashboard2.umbrella.com,dashboard.umbrella.com,dashboard-ipv4.umbrella.com,msp-login.umbrella.com,api-ipv4.umbrella.com,api-ipv6.umbrella.com,authz.api.umbrella.com,domain.umbrella.com,help.vpn.umbrella.com,ideabank.umbrella.com,login.umbrella.com,netgear.umbrella.com,reseller-login.umbrella.com,images.umbrella.com,images-using.umbrella.com,store.umbrella.com,signup.umbrella.com,twilio.umbrella.com,updates.umbrella.com,shared.umbrella.com,tools.umbrella.com,cache.umbrella.com][JA3S: 0c0aff9ccea5e7e1de5c3a0069d103f3][Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA][Subject: C=US, ST=California, L=San Francisco, O=OpenDNS, Inc., CN=api.opendns.com][Certificate SHA-1: 21:B4:CF:84:13:3A:21:A4:B0:02:63:76:39:84:EA:ED:27:EE:51:7C][Firefox][Validity: 2018-04-26 00:00:00 - 2020-07-29 00:00:00][Cipher: 
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 12,0,0,12,0,0,0,0,12,0,0,0,0,0,0,0,12,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,38,0,0] 3 TCP 192.168.7.7:48394 <-> 67.215.92.210:80 [proto: 7/HTTP][IP: 225/OpenDNS][ClearText][Confidence: DPI][DPI packets: 2][cat: Malware/100][1 pkts/383 bytes <-> 1 pkts/98 bytes][Goodput ratio: 86/44][0.21 sec][Hostname/SNI: www.internetbadguys.com][URL: www.internetbadguys.com/][User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0][PLAIN TEXT (GET / HTTP/1.1)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 UDP 192.168.7.7:42370 <-> 1.1.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/106 bytes <-> 1 pkts/110 bytes][Goodput ratio: 60/61][0.02 sec][Hostname/SNI: www.internetbadguys.com][67.215.92.210][PLAIN TEXT (internetbadguys)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/pps.pcap.out b/tests/cfgs/default/result/pps.pcap.out index 889abe897..faab54fd1 100644 --- a/tests/cfgs/default/result/pps.pcap.out +++ b/tests/cfgs/default/result/pps.pcap.out @@ -26,7 +26,7 @@ Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 211/3 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Unknown 980 377564 29 +Unknown 618 227656 29 HTTP 132 84242 45 SSDP 63 17143 10 PPStream 56 36585 20 
@@ -36,7 +36,7 @@ Cybersec 28 29201 2 Safe 30 30294 3 Acceptable 195 101385 55 Fun 56 36585 20 -Unrated 980 377564 29 +Unrated 618 227656 29 1 TCP 192.168.115.8:50491 <-> 223.26.106.66:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 9][cat: Web/5][1 pkts/426 bytes <-> 26 pkts/33872 bytes][Goodput ratio: 87/96][0.02 sec][Hostname/SNI: 223.26.106.66][bytes ratio: -0.975 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/3 0/1][Pkt Len c2s/s2c min/avg/max/stddev: 426/1022 426/1303 426/1314 0/56][URL: 223.26.106.66/videos/v0/20160625/a5/bf/8de9bb946972a88589d1667862292130.f4v?key=07eef1821e2379d3136ffe16082185ba2&src=iqiyi.com&&tn=137719&uuid=76a3085a-57760844-de][User-Agent: QY-Player-Windows/2.0.102][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **][Risk Score: 10][Risk Info: Found host 223.26.106.66][PLAIN TEXT (GET /videos/v)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,93,0,0,0,0,0,0,0,0] 2 TCP 192.168.115.8:50486 <-> 77.234.40.96:80 [proto: 7.283/HTTP.Cybersec][IP: 307/AVAST][ClearText][Confidence: DPI][DPI packets: 9][cat: Download/7][11 pkts/11023 bytes <-> 12 pkts/14869 bytes][Goodput ratio: 95/96][13.04 sec][Hostname/SNI: bcu.ff.avast.com][bytes ratio: -0.149 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 68/0 307/0 127/0][Pkt Len c2s/s2c min/avg/max/stddev: 231/536 1002/1239 1314/1314 434/215][URL: bcu.ff.avast.com/bc2][StatusCode: 200][Req Content-Type: application/x-enc][Content-Type: application/octet-stream][Server: nginx/1.8.0][User-Agent: {D699054D-1699-47D2-9B2B-E96F438C1160}][Risk: ** Binary App Transfer **** HTTP Susp User-Agent **** HTTP Obsolete Server **][Risk Score: 300][Risk Info: Suspicious Log4J / Obsolete nginx server 1.8.0 / Found mime exe octet-stream][PLAIN TEXT (POST /bc2 HTTP/1.1)][Plen Bins: 0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,4,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,75,0,0,0,0,0,0,0,0] 
@@ -119,9 +119,9 @@ Unrated 980 377564 29 Undetected flows: - 1 UDP 1.173.5.226:22636 <-> 192.168.115.8:22793 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 13][130 pkts/143912 bytes <-> 270 pkts/21334 bytes][Goodput ratio: 96/47][0.55 sec][bytes ratio: 0.742 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 4/1 17/19 5/4][Pkt Len c2s/s2c min/avg/max/stddev: 1107/79 1107/79 1109/81 0/0][PLAIN TEXT (lllllllh)][Plen Bins: 0,67,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 UDP 192.168.115.8:22793 <-> 114.42.0.158:7716 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 13][229 pkts/18091 bytes <-> 109 pkts/120663 bytes][Goodput ratio: 47/96][0.54 sec][bytes ratio: -0.739 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2/4 30/32 5/7][Pkt Len c2s/s2c min/avg/max/stddev: 79/1107 79/1107 79/1107 0/0][PLAIN TEXT (66666662)][Plen Bins: 0,67,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 3 UDP 118.171.15.56:5544 <-> 192.168.115.8:22793 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 13][30 pkts/33210 bytes <-> 71 pkts/5609 bytes][Goodput ratio: 96/47][0.55 sec][bytes ratio: 0.711 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 17/7 25/25 7/9][Pkt Len c2s/s2c min/avg/max/stddev: 1107/79 1107/79 1107/79 0/0][PLAIN TEXT (YYYYYYY)][Plen Bins: 0,70,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,29,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 192.168.115.8:22793 <-> 114.42.0.158:7716 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 13][229 pkts/18091 bytes <-> 109 pkts/120663 bytes][Goodput ratio: 47/96][0.54 sec][bytes ratio: -0.739 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2/4 30/32 5/7][Pkt Len c2s/s2c min/avg/max/stddev: 79/1107 79/1107 79/1107 0/0][PLAIN TEXT (66666662)][Plen Bins: 
0,67,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 118.171.15.56:5544 <-> 192.168.115.8:22793 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 13][30 pkts/33210 bytes <-> 71 pkts/5609 bytes][Goodput ratio: 96/47][0.55 sec][bytes ratio: 0.711 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 17/7 25/25 7/9][Pkt Len c2s/s2c min/avg/max/stddev: 1107/79 1107/79 1107/79 0/0][PLAIN TEXT (YYYYYYY)][Plen Bins: 0,70,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,29,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 UDP 1.173.5.226:22636 <-> 192.168.115.8:22793 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 13][12 pkts/13284 bytes <-> 26 pkts/2054 bytes][Goodput ratio: 96/47][0.04 sec][bytes ratio: 0.732 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 2/1 11/11 3/2][Pkt Len c2s/s2c min/avg/max/stddev: 1107/79 1107/79 1107/79 0/0][PLAIN TEXT (lllllllh)][Plen Bins: 0,68,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,31,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 UDP 192.168.115.8:22793 <-> 219.228.107.156:1250 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 13][34 pkts/2686 bytes <-> 11 pkts/12177 bytes][Goodput ratio: 47/96][0.51 sec][bytes ratio: -0.639 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/30 15/46 45/68 18/14][Pkt Len c2s/s2c min/avg/max/stddev: 79/1107 79/1107 79/1107 0/0][PLAIN TEXT (CCCCCCC)][Plen Bins: 0,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 5 UDP 192.168.115.8:22793 <-> 222.197.138.12:6956 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 13][30 pkts/2370 bytes <-> 10 pkts/10042 bytes][Goodput ratio: 47/96][0.54 sec][bytes ratio: -0.618 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/12 17/44 71/77 22/23][Pkt Len c2s/s2c min/avg/max/stddev: 79/61 79/1004 79/1125 0/314][PLAIN TEXT (hhhhhhhl)][Plen Bins: 
2,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 6 UDP 192.168.115.8:22793 <-> 202.198.7.89:16039 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 5][2 pkts/158 bytes <-> 3 pkts/3323 bytes][Goodput ratio: 47/96][0.22 sec][PLAIN TEXT (bTTTUQX)][Plen Bins: 0,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,60,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/skinny.pcap.out b/tests/cfgs/default/result/skinny.pcap.out index 95f2bff63..53fc829c3 100644 --- a/tests/cfgs/default/result/skinny.pcap.out +++ b/tests/cfgs/default/result/skinny.pcap.out @@ -1,8 +1,7 @@ -DPI Packets (TCP): 3 (1.00 pkts/flow) +DPI Packets (TCP): 2 (1.00 pkts/flow) DPI Packets (UDP): 15 (3.00 pkts/flow) -DPI Packets (other): 1 (1.00 pkts/flow) -Confidence DPI : 9 (flows) -Num dissector calls: 729 (81.00 diss/flow) +Confidence DPI : 7 (flows) +Num dissector calls: 727 (103.86 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) 
@@ -16,25 +15,22 @@ Automa domain: 0/0 (search/found) Automa tls cert: 0/0 (search/found) Automa risk mask: 0/0 (search/found) Automa common alpns: 0/0 (search/found) -Patricia risk mask: 18/0 (search/found) +Patricia risk mask: 14/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) -Patricia protocols: 18/0 (search/found) +Patricia protocols: 14/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -ICMP 2 140 1 -RTP 2871 614394 5 -CiscoSkinny 94 10114 3 +RTP 135 28890 5 +CiscoSkinny 61 6964 2 -Acceptable 2967 624648 9 +Acceptable 196 35854 7 - 1 UDP 192.168.195.58:32144 <-> 192.168.195.50:17718 [proto: 87/RTP][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 3][cat: Media/1][730 pkts/156220 bytes <-> 712 pkts/152368 bytes][Goodput ratio: 80/80][7.28 sec][bytes ratio: 0.012 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 7/7 20/20 9/9][Pkt Len c2s/s2c min/avg/max/stddev: 214/214 214/214 214/214 0/0][PLAIN TEXT (zwwtvutz)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 UDP 192.168.195.58:32150 -> 192.168.193.24:9395 [proto: 87/RTP][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 3][cat: Media/1][365 pkts/78110 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][7.28 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 20/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 214/0 214/0 214/0 0/0][PLAIN TEXT (zwwtvutz)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 3 UDP 192.168.195.58:32152 -> 192.168.193.24:9396 [proto: 87/RTP][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 3][cat: Media/1][356 pkts/76184 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][7.10 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 20/0 0/0][Pkt Len 
c2s/s2c min/avg/max/stddev: 214/0 214/0 214/0 0/0][PLAIN TEXT (wskptvv)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 4 UDP 192.168.195.50:17726 -> 192.168.193.24:9399 [proto: 87/RTP][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 3][cat: Media/1][355 pkts/75970 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][7.08 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 20/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 214/0 214/0 214/0 0/0][PLAIN TEXT (wskptvv)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 5 UDP 192.168.195.50:17732 -> 192.168.193.24:9400 [proto: 87/RTP][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 3][cat: Media/1][353 pkts/75542 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][7.04 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 20/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 214/0 214/0 214/0 0/0][PLAIN TEXT (xwwsvyux)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 6 TCP 192.168.195.58:49399 <-> 192.168.193.12:2000 [proto: 164/CiscoSkinny][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][20 pkts/1628 bytes <-> 28 pkts/3570 bytes][Goodput ratio: 30/56][11.13 sec][bytes ratio: -0.374 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/0 734/479 5931/5892 1663/1376][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 81/128 242/378 41/88][PLAIN TEXT (RIX Meeting Room)][Plen Bins: 45,22,0,0,16,6,3,0,0,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 7 TCP 192.168.193.12:2000 <-> 192.168.195.50:51532 [proto: 164/CiscoSkinny][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][24 pkts/3166 bytes <-> 20 pkts/1624 bytes][Goodput ratio: 58/30][22.92 sec][bytes ratio: 0.322 (Upload)][IAT c2s/s2c 
min/avg/max/stddev: 0/5 699/417 6999/3582 1749/1018][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 132/81 546/242 116/41][PLAIN TEXT (RIX Meeting Room)][Plen Bins: 50,22,0,0,14,3,3,0,0,3,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 8 ICMP 192.168.195.50:0 -> 192.168.195.58:0 [proto: 81/ICMP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 9 TCP 192.168.195.58:50917 <-> 10.16.2.25:2000 [proto: 164/CiscoSkinny][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][1 pkts/66 bytes <-> 1 pkts/60 bytes][Goodput ratio: 18/0][0.06 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 192.168.195.58:32144 <-> 192.168.195.50:17718 [proto: 87/RTP][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 3][cat: Media/1][36 pkts/7704 bytes <-> 33 pkts/7062 bytes][Goodput ratio: 80/80][0.35 sec][bytes ratio: 0.043 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 7/7 20/20 9/9][Pkt Len c2s/s2c min/avg/max/stddev: 214/214 214/214 214/214 0/0][PLAIN TEXT (zwwtvutz)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 192.168.195.58:32150 -> 192.168.193.24:9395 [proto: 87/RTP][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 3][cat: Media/1][18 pkts/3852 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][0.34 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 20/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 214/0 214/0 214/0 0/0][PLAIN TEXT (zwwtvutz)][Plen Bins: 
0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 TCP 192.168.195.58:49399 <-> 192.168.193.12:2000 [proto: 164/CiscoSkinny][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][13 pkts/992 bytes <-> 20 pkts/2724 bytes][Goodput ratio: 25/59][3.85 sec][bytes ratio: -0.466 (Download)][IAT c2s/s2c min/avg/max/stddev: 5/0 416/234 3609/3559 1129/859][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 76/136 106/378 20/85][PLAIN TEXT (RIX Meeting Room)][Plen Bins: 37,27,0,0,22,4,4,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 UDP 192.168.195.50:17726 -> 192.168.193.24:9399 [proto: 87/RTP][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 3][cat: Media/1][17 pkts/3638 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][0.32 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 19/0 20/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 214/0 214/0 214/0 0/0][PLAIN TEXT (wskptvv)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 UDP 192.168.195.58:32152 -> 192.168.193.24:9396 [proto: 87/RTP][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 3][cat: Media/1][16 pkts/3424 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][0.30 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 20/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 214/0 214/0 214/0 0/0][PLAIN TEXT (wskptvv)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 TCP 192.168.193.12:2000 <-> 192.168.195.50:51532 [proto: 164/CiscoSkinny][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][15 pkts/2260 bytes <-> 13 pkts/988 bytes][Goodput ratio: 63/25][3.91 sec][bytes ratio: 0.392 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/13 324/385 3622/3582 995/1066][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 
151/76 546/106 124/20][PLAIN TEXT (RIX Meeting Room)][Plen Bins: 33,33,0,0,22,0,5,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 UDP 192.168.195.50:17732 -> 192.168.193.24:9400 [proto: 87/RTP][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 3][cat: Media/1][15 pkts/3210 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][0.28 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 19/0 20/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 214/0 214/0 214/0 0/0][PLAIN TEXT (xwwsvyux)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/skype.pcap.out b/tests/cfgs/default/result/skype.pcap.out index 256624b52..7559e6bcb 100644 --- a/tests/cfgs/default/result/skype.pcap.out +++ b/tests/cfgs/default/result/skype.pcap.out @@ -27,7 +27,7 @@ Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 608/5 (search/found) Patricia protocols IPv6: 2/0 (search/found) -Unknown 1567 272044 59 +Unknown 1143 128169 59 DNS 2 267 1 MDNS 8 1736 2 NTP 2 180 1 
@@ -37,25 +37,25 @@ ICMP 8 656 1 IGMP 5 258 4 TLS 474 53625 33 Dropbox 22 11968 4 -Skype_Teams 613 222206 31 +Skype_Teams 262 41129 31 AppleiCloud 88 20520 2 Spotify 5 430 1 Microsoft 14 1302 2 NAT-PMP 8 432 2 Safe 488 54927 35 -Acceptable 1009 307083 198 +Acceptable 658 126006 198 Fun 5 430 1 -Unrated 1567 272044 59 +Unrated 1143 128169 59 JA3 Host Stats: IP Address # JA3C 1 192.168.1.34 3 - 1 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91.125/TLS.Skype_Teams][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 9][cat: VoIP/10][187 pkts/42539 bytes <-> 200 pkts/155551 bytes][Goodput ratio: 71/92][166.18 sec][bytes ratio: -0.571 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1002/608 30166/30261 4602/3439][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 227/778 1506/1506 423/553][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][JA4: t10d230000_9b3242b70dbd_e3b0c44298fc][ServerNames: *.gateway.messenger.live.com,*.beta.gateway.edge.messenger.live.com,*.by2.gateway.edge.messenger.live.com,*.sn1.gateway.edge.messenger.live.com][JA3S: 5e4e5596180ebd0ac0317125ee490707][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA2][Subject: CN=*.gateway.messenger.live.com][Certificate SHA-1: 95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51][Validity: 2014-10-27 22:51:07 - 2016-10-26 22:51:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 19,1,2,5,0,1,2,0,0,3,0,1,0,1,0,0,0,1,1,0,0,0,2,0,1,0,0,12,2,1,0,0,0,0,0,0,2,0,0,0,2,4,0,0,0,30,0,0] - 2 UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][79 pkts/29479 bytes -> 0 pkts/0 bytes][Goodput ratio: 89/0][160.13 sec][Hostname/SNI: 239.255.255.250:1900][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1136/0 19950/0 4579/0][Pkt Len c2s/s2c min/avg/max/stddev: 327/0 373/0 405/0 
29/0][PLAIN TEXT (NOTIFY )][Plen Bins: 0,0,0,0,0,0,0,0,8,30,18,42,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 3 TCP 192.168.1.34:50128 <-> 17.172.100.36:443 [proto: 91.143/TLS.AppleiCloud][IP: 140/Apple][Encrypted][Confidence: DPI][DPI packets: 7][cat: Web/5][43 pkts/9635 bytes <-> 43 pkts/10651 bytes][Goodput ratio: 76/77][46.31 sec][Hostname/SNI: p05-keyvalueservice.icloud.com][bytes ratio: -0.050 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 115/85 899/1012 250/251][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 224/248 680/1494 261/324][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][JA4: t12d370500_07a749158664_d075105c1994][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5][Plen Bins: 16,20,2,0,0,0,0,2,0,0,14,0,0,0,0,4,2,7,7,16,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0] + 1 UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][79 pkts/29479 bytes -> 0 pkts/0 bytes][Goodput ratio: 89/0][160.13 sec][Hostname/SNI: 239.255.255.250:1900][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1136/0 19950/0 4579/0][Pkt Len c2s/s2c min/avg/max/stddev: 327/0 373/0 405/0 29/0][PLAIN TEXT (NOTIFY )][Plen Bins: 0,0,0,0,0,0,0,0,8,30,18,42,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 TCP 192.168.1.34:50128 <-> 17.172.100.36:443 [proto: 91.143/TLS.AppleiCloud][IP: 140/Apple][Encrypted][Confidence: DPI][DPI packets: 7][cat: Web/5][43 pkts/9635 bytes <-> 43 pkts/10651 bytes][Goodput ratio: 76/77][46.31 sec][Hostname/SNI: p05-keyvalueservice.icloud.com][bytes ratio: -0.050 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 115/85 899/1012 250/251][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 224/248 680/1494 261/324][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No 
ALPN][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][JA4: t12d370500_07a749158664_d075105c1994][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5][Plen Bins: 16,20,2,0,0,0,0,2,0,0,14,0,0,0,0,4,2,7,7,16,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0] + 3 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91.125/TLS.Skype_Teams][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 9][cat: VoIP/10][22 pkts/9514 bytes <-> 14 pkts/7499 bytes][Goodput ratio: 85/88][1.29 sec][bytes ratio: 0.118 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 59/66 288/115 83/44][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 432/536 1506/1506 527/559][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][JA4: t10d230000_9b3242b70dbd_e3b0c44298fc][ServerNames: *.gateway.messenger.live.com,*.beta.gateway.edge.messenger.live.com,*.by2.gateway.edge.messenger.live.com,*.sn1.gateway.edge.messenger.live.com][JA3S: 5e4e5596180ebd0ac0317125ee490707][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA2][Subject: CN=*.gateway.messenger.live.com][Certificate SHA-1: 95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51][Validity: 2014-10-27 22:51:07 - 2016-10-26 22:51:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 8,8,4,8,0,8,8,4,0,0,0,0,0,0,0,0,4,4,0,4,0,4,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,25,0,0] 4 UDP 192.168.1.92:50084 -> 239.255.255.250:1900 [proto: 12/SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][14 pkts/7281 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][6.11 sec][Hostname/SNI: 239.255.255.250:1900][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 508/0 3090/0 1136/0][Pkt Len c2s/s2c min/avg/max/stddev: 475/0 520/0 555/0 31/0][PLAIN TEXT (NOTIFY )][Plen Bins: 
0,0,0,0,0,0,0,0,0,0,0,0,0,35,0,42,21,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 5 TCP 108.160.170.46:443 <-> 192.168.1.34:49445 [proto: 91/TLS][IP: 121/Dropbox][Encrypted][Confidence: DPI][DPI packets: 3][cat: Web/5][8 pkts/1636 bytes <-> 8 pkts/4344 bytes][Goodput ratio: 68/88][141.04 sec][bytes ratio: -0.453 (Download)][IAT c2s/s2c min/avg/max/stddev: 141/2 23483/23483 53811/53950 23773/23909][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 204/543 343/1020 138/477][Plen Bins: 0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 6 TCP 192.168.1.34:50131 <-> 212.161.8.36:13392 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 14][cat: Web/5][11 pkts/4406 bytes <-> 8 pkts/705 bytes][Goodput ratio: 83/26][0.60 sec][bytes ratio: 0.724 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 57/29 343/72 105/31][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 401/88 1506/237 547/56][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Plen Bins: 55,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0,0,0,0,0,0,0,0,11,0,0] 
@@ -290,7 +290,7 @@ JA3 Host Stats: Undetected flows: - 1 TCP 192.168.1.34:50108 <-> 157.56.52.28:40009 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 26][231 pkts/60232 bytes <-> 241 pkts/104395 bytes][Goodput ratio: 75/85][96.43 sec][bytes ratio: -0.268 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 448/357 8300/8646 1136/1099][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 261/433 1506/1506 343/569][Risk: ** Fully encrypted flow **][Risk Score: 50][PLAIN TEXT ( 0sKWL)][Plen Bins: 23,10,3,3,8,3,1,0,1,1,1,0,1,0,0,1,0,0,1,1,1,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,19,0,0] + 1 TCP 192.168.1.34:50108 <-> 157.56.52.28:40009 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 26][22 pkts/5289 bytes <-> 26 pkts/15463 bytes][Goodput ratio: 72/89][3.32 sec][bytes ratio: -0.490 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 164/130 964/761 219/162][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 240/595 887/1506 246/642][Risk: ** Fully encrypted flow **][Risk Score: 50][Plen Bins: 16,12,6,0,3,3,3,0,0,3,0,0,3,0,3,3,0,3,0,6,0,0,0,0,0,3,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0] 2 TCP 192.168.1.34:50119 <-> 86.31.35.30:59621 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 20][62 pkts/6941 bytes <-> 38 pkts/5325 bytes][Goodput ratio: 41/53][93.11 sec][bytes ratio: 0.132 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1594/2643 30032/29763 5977/7489][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 112/140 820/1249 115/201][Risk: ** Fully encrypted flow **][Risk Score: 50][Plen Bins: 48,30,5,3,0,5,0,0,0,1,0,1,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0] 3 TCP 192.168.1.34:50117 <-> 71.238.7.203:18767 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 22][24 pkts/3136 bytes <-> 19 pkts/2618 bytes][Goodput ratio: 49/52][40.10 sec][bytes ratio: 0.090 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 721/974 9065/8704 2022/2286][Pkt Len c2s/s2c 
min/avg/max/stddev: 66/60 131/138 843/1090 185/226][Risk: ** Fully encrypted flow **][Risk Score: 50][Plen Bins: 47,26,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 TCP 192.168.1.34:50121 <-> 81.83.77.141:17639 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 20][24 pkts/3101 bytes <-> 16 pkts/2508 bytes][Goodput ratio: 49/58][36.07 sec][bytes ratio: 0.106 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/60 1721/2873 24826/24826 5468/6805][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 129/157 819/1190 181/267][Risk: ** Fully encrypted flow **][Risk Score: 50][Plen Bins: 50,36,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/skype_no_unknown.pcap.out b/tests/cfgs/default/result/skype_no_unknown.pcap.out index 1fcb62032..4c2116287 100644 --- a/tests/cfgs/default/result/skype_no_unknown.pcap.out +++ b/tests/cfgs/default/result/skype_no_unknown.pcap.out @@ -38,11 +38,11 @@ ICMP 4 328 1 IGMP 4 226 4 TLS 474 102723 29 Dropbox 8 4352 4 -Skype_Teams 518 198936 25 +Skype_Teams 220 49687 25 NAT-PMP 4 216 1 Safe 474 102723 29 -Acceptable 754 231749 191 +Acceptable 456 82500 191 Dangerous 5 1100 3 Unrated 846 152252 44 
@@ -51,7 +51,7 @@ JA3 Host Stats: 1 192.168.1.34 3 - 1 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91.125/TLS.Skype_Teams][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 9][cat: VoIP/10][166 pkts/39042 bytes <-> 182 pkts/142645 bytes][Goodput ratio: 72/92][51.22 sec][bytes ratio: -0.570 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 370/331 45360/45460 3946/3736][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 235/784 1506/1506 433/565][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][JA4: t10d230000_9b3242b70dbd_e3b0c44298fc][ServerNames: *.gateway.messenger.live.com,*.beta.gateway.edge.messenger.live.com,*.by2.gateway.edge.messenger.live.com,*.sn1.gateway.edge.messenger.live.com][JA3S: 5e4e5596180ebd0ac0317125ee490707][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA2][Subject: CN=*.gateway.messenger.live.com][Certificate SHA-1: 95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51][Validity: 2014-10-27 22:51:07 - 2016-10-26 22:51:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 19,2,1,5,0,1,2,0,0,3,0,0,0,1,0,0,0,1,1,0,0,1,1,0,1,0,1,10,1,1,0,0,0,0,0,0,2,0,0,0,3,5,0,0,0,30,0,0] + 1 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91.125/TLS.Skype_Teams][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 9][cat: VoIP/10][32 pkts/24574 bytes <-> 18 pkts/7864 bytes][Goodput ratio: 91/85][1.62 sec][bytes ratio: 0.515 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 43/71 286/289 72/75][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 768/437 1506/1506 662/527][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][JA4: t10d230000_9b3242b70dbd_e3b0c44298fc][ServerNames: *.gateway.messenger.live.com,*.beta.gateway.edge.messenger.live.com,*.by2.gateway.edge.messenger.live.com,*.sn1.gateway.edge.messenger.live.com][JA3S: 
5e4e5596180ebd0ac0317125ee490707][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA2][Subject: CN=*.gateway.messenger.live.com][Certificate SHA-1: 95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51][Validity: 2014-10-27 22:51:07 - 2016-10-26 22:51:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA][PLAIN TEXT (cQyScM)][Plen Bins: 5,5,2,8,0,5,5,2,0,0,0,0,0,0,0,0,2,2,0,2,0,2,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,50,0,0] 2 TCP 192.168.1.34:51227 <-> 17.172.100.36:443 [proto: 91/TLS][IP: 140/Apple][Encrypted][Confidence: DPI][DPI packets: 5][cat: Web/5][38 pkts/9082 bytes <-> 38 pkts/10499 bytes][Goodput ratio: 77/80][68.36 sec][bytes ratio: -0.072 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2273/323 55625/8255 10014/1510][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 239/276 680/1494 273/358][Plen Bins: 16,16,0,0,0,0,0,0,0,0,16,0,0,0,0,5,2,5,13,16,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0] 3 TCP 192.168.1.34:51307 <-> 149.13.32.15:13392 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 16][cat: Web/5][19 pkts/16968 bytes <-> 7 pkts/531 bytes][Goodput ratio: 93/13][10.40 sec][bytes ratio: 0.939 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 625/19 4127/44 1113/18][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 893/76 1506/123 670/20][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Plen Bins: 27,5,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,0,51,0,0] 4 TCP 192.168.1.34:51312 <-> 149.13.32.15:13392 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 16][cat: Web/5][18 pkts/15111 bytes <-> 7 pkts/531 bytes][Goodput ratio: 92/13][6.05 sec][bytes ratio: 0.932 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 377/19 2072/42 642/17][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 840/76 1506/123 681/20][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Plen Bins: 
23,5,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,48,0,0]
diff --git a/tests/cfgs/default/result/zoom2.pcap.out b/tests/cfgs/default/result/zoom2.pcap.out
index c106b7a91..28324a31e 100644
--- a/tests/cfgs/default/result/zoom2.pcap.out
+++ b/tests/cfgs/default/result/zoom2.pcap.out
@@ -1,8 +1,7 @@
 DPI Packets (TCP): 8 (8.00 pkts/flow)
 DPI Packets (UDP): 15 (5.00 pkts/flow)
-DPI Packets (other): 1 (1.00 pkts/flow)
-Confidence DPI : 5 (flows)
-Num dissector calls: 536 (107.20 diss/flow)
+Confidence DPI : 4 (flows)
+Num dissector calls: 535 (133.75 diss/flow)
 LRU cache ookla: 0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom: 1/0/0 (insert/search/found)
@@ -16,25 +15,23 @@ Automa domain: 1/0 (search/found) Automa tls cert: 0/0 (search/found) Automa risk mask: 0/0 (search/found) Automa common alpns: 0/0 (search/found) -Patricia risk mask: 2/0 (search/found) +Patricia risk mask: 0/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) -Patricia protocols: 5/5 (search/found) +Patricia protocols: 4/4 (search/found) Patricia protocols IPv6: 0/0 (search/found) -ICMP 6 420 1 -Zoom 2508 652095 4 +Zoom 342 112658 4 -Acceptable 2514 652515 5 +Acceptable 342 112658 4 JA3 Host Stats: IP Address # JA3C 1 192.168.1.178 1 - 1 UDP 192.168.1.178:58117 <-> 144.195.73.154:8801 [proto: 338.189/SRTP.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][1283 pkts/302584 bytes <-> 947 pkts/159626 bytes][Goodput ratio: 82/75][39.98 sec][bytes ratio: 0.309 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 28/36 141/131 26/34][Pkt Len c2s/s2c min/avg/max/stddev: 106/60 236/169 376/369 87/64][PLAIN TEXT (replace)][Plen Bins: 0,1,64,18,7,0,0,4,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 UDP 192.168.1.178:60653 <-> 144.195.73.154:8801 [proto: 338.189/SRTP.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][43 pkts/41804 bytes <-> 128 pkts/129769 bytes][Goodput ratio: 96/96][1.32 sec][bytes ratio: -0.513 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 19/9 101/100 25/11][Pkt Len c2s/s2c min/avg/max/stddev: 165/60 972/1014 1078/1279 292/263][PLAIN TEXT (replace)][Plen Bins: 1,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,85,0,1,0,0,5,0,0,0,0,0,0,0,0,0,0] + 1 UDP 192.168.1.178:60653 <-> 144.195.73.154:8801 [proto: 338.189/SRTP.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][7 pkts/2996 bytes <-> 66 pkts/64200 bytes][Goodput ratio: 90/96][0.82 sec][bytes ratio: -0.911 (Download)][IAT c2s/s2c min/avg/max/stddev: 12/0 72/10 101/100 
36/15][Pkt Len c2s/s2c min/avg/max/stddev: 165/60 428/973 1078/1078 411/306][PLAIN TEXT (replace)][Plen Bins: 2,6,0,2,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,85,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 192.168.1.178:58117 <-> 144.195.73.154:8801 [proto: 338.189/SRTP.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][64 pkts/9307 bytes <-> 98 pkts/17843 bytes][Goodput ratio: 71/77][4.02 sec][bytes ratio: -0.314 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 58/36 141/131 42/37][Pkt Len c2s/s2c min/avg/max/stddev: 106/60 145/182 209/368 23/79][PLAIN TEXT (replace)][Plen Bins: 1,3,44,26,10,1,0,5,6,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 3 UDP 192.168.1.178:57953 <-> 144.195.73.154:8801 [proto: 338.189/SRTP.Zoom][IP: 189/Zoom][Stream Content: Screen Sharing][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][43 pkts/5229 bytes <-> 44 pkts/4520 bytes][Goodput ratio: 65/59][39.68 sec][bytes ratio: 0.073 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 941/849 3580/3749 1440/1522][Pkt Len c2s/s2c min/avg/max/stddev: 69/60 122/103 185/133 41/28][PLAIN TEXT (replace)][Plen Bins: 35,2,43,13,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 TCP 192.168.1.178:50076 <-> 144.195.73.154:443 [proto: 91.189/TLS.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 8][cat: Video/26][12 pkts/3043 bytes <-> 8 pkts/5520 bytes][Goodput ratio: 74/90][0.73 sec][Hostname/SNI: zoomsjccv154mmr.sjc.zoom.us][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.289 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 72/58 175/174 83/82][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 254/690 1506/1506 404/622][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 832952db10f1453442636675bed2702b][JA4: t13d141200_ad449869e501_07d3b7c743d3][ServerNames: *.sjc.zoom.us][JA3S: 
8aca82d60194883e764ab2743e60c380][Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1][Subject: C=US, ST=California, L=San Jose, O=Zoom Video Communications, Inc., CN=*.sjc.zoom.us][Certificate SHA-1: 43:42:0A:34:FD:F6:7A:FC:E9:C1:95:D8:E0:79:7E:17:B9:65:B0:A7][Firefox][Validity: 2021-04-13 00:00:00 - 2022-04-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,10,10,10,10,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,30,0,0] - 5 ICMP 192.168.1.178:0 -> 144.195.73.154:0 [proto: 81/ICMP][IP: 189/Zoom][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][6 pkts/420 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][0.15 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 30/0 73/0 21/0][Pkt Len c2s/s2c min/avg/max/stddev: 70/0 70/0 70/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |
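Review bot: The trimmed zoom2 trace loses its ICMP flow entirely: this hunk removes `ICMP 6 420 1` and the `5 ICMP 192.168.1.178:0 -> 144.195.73.154:0` flow, `Patricia risk mask` lookups drop from `2/0` to `0/0`, `Patricia protocols` from `5/5` to `4/4`, and the first zoom2 hunk drops `DPI Packets (other): 1 (1.00 pkts/flow)` with `Confidence DPI` going from 5 to 4 flows. That is a reduction in what the test exercises (the ICMP dissector path, the Unidirectional Traffic risk and the risk-mask lookup), which runs against the commit's stated aim of keeping classification and extraction unchanged. Since the removed flow was classified with `[DPI packets: 1]`, keeping a single ICMP packet from that flow in the trimmed pcap would likely preserve all three at negligible size cost. If dropping it is intentional, it would help to say so in the commit message so a later reader does not read the lost lines as a regression.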