authorLuca Deri <deri@ntop.org>2021-02-18 21:46:40 +0100
committerLuca Deri <deri@ntop.org>2021-02-18 21:47:09 +0100
commita2c5adc374db1ccc6c446ce1b616fffdeda4430b (patch)
treef24c6ec5a846b3075551653833727269c6ab177a
parentfb4cdecb688917536649cd2562e400f261fe8d43 (diff)
Improved nDPI string matching algorithm
4 files changed, 108 insertions, 64 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 24b402a2c..1f96baacb 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -8505,6 +8505,7 @@ static ndpi_protocol_match host_match[] =
{ ".push.apple.com", "ApplePush", NDPI_PROTOCOL_APPLE_PUSH, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE },
{ "push-apple.com", "ApplePush", NDPI_PROTOCOL_APPLE_PUSH, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE },
{ ".icloud.com", "AppleiCloud", NDPI_PROTOCOL_APPLE_ICLOUD, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
+ { ".icloud.com.", "AppleiCloud", NDPI_PROTOCOL_APPLE_ICLOUD, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, /* icloud.com.akadns.net */
{ ".me.com", "AppleiCloud", NDPI_PROTOCOL_APPLE_ICLOUD, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ ".icloud-content.com", "AppleiCloud", NDPI_PROTOCOL_APPLE_ICLOUD, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ "iosapps.itunes.apple.com", "AppleStore", NDPI_PROTOCOL_APPLESTORE, NDPI_PROTOCOL_CATEGORY_SW_UPDATE, NDPI_PROTOCOL_SAFE }, /* iOS */
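Review bot: The new `.icloud.com.` entry is an infix pattern: because it ends in `.`, the loader's `ndpi_is_middle_string_char` check leaves it without the `$` end-anchor that this commit introduces, so it matches any hostname containing the label sequence `.icloud.com.` anywhere, not only the `icloud.com.akadns.net` case the comment cites, and a name in an unrelated zone that embeds those labels would be classified as AppleiCloud. The same applies to the `captive.apple.com.` entry added in the category_match hunk below. A pattern that spells out the CDN suffix, e.g. `{ ".icloud.com.akadns.net", "AppleiCloud", NDPI_PROTOCOL_APPLE_ICLOUD, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },`, would receive the `$` anchor and cover the cited case without the infix match. Both arrays start and end outside their hunks.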
@@ -8528,8 +8529,8 @@ static ndpi_protocol_match host_match[] =
{ "e1800.d.akamaiedge.net", "Playstation", NDPI_PROTOCOL_PLAYSTATION, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN },
{ "e1879.e7.akamaiedge.net", "Playstation", NDPI_PROTOCOL_PLAYSTATION, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN },
- { ".cnn.c", "CNN", NDPI_PROTOCOL_CNN, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
- { ".cnn.net", "CNN", NDPI_PROTOCOL_CNN, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
+ { ".cnn.com", "CNN", NDPI_PROTOCOL_CNN, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
+ { ".cnn.net", "CNN", NDPI_PROTOCOL_CNN, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
{ ".dropbox.com", "DropBox", NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
{ ".dropboxstatic.com", "DropBox", NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
@@ -8549,7 +8550,7 @@ static ndpi_protocol_match host_match[] =
{ "instagram.", "Instagram", NDPI_PROTOCOL_INSTAGRAM, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
{ ".cdninstagram.com", "Instagram", NDPI_PROTOCOL_INSTAGRAM, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
- { "igcdn-photos-", "Instagram", NDPI_PROTOCOL_INSTAGRAM, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
+ { "igcdn-photos-", "Instagram", NDPI_PROTOCOL_INSTAGRAM, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
{ "instagramimages-", "Instagram", NDPI_PROTOCOL_INSTAGRAM, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
{ "instagramstatic-", "Instagram", NDPI_PROTOCOL_INSTAGRAM, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
@@ -8596,10 +8597,11 @@ static ndpi_protocol_match host_match[] =
https://github.com/curl/curl/wiki/DNS-over-HTTPS
*/
{ "dns.google", "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "dns.google.com", "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
{ "mozilla.cloudflare-dns.com", "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, /* Firefox */
{ "cloudflare-dns.com", "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
{ "commons.host", "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
- { "doh.li", "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "doh.libredns.gr", "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
{ "dns9.quad9.net", "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
{ "doh.opendns.com", "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
{ "doh.dns.sb", "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
@@ -9152,6 +9154,7 @@ static ndpi_category_match category_match[] = {
/* https://success.tanaza.com/s/article/How-Automatic-Detection-of-Captive-Portal-works */
{ "captive.apple.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK },
+ { "captive.apple.com.", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK }, /* apple.com.edgekey.net */
{ "thinkdifferent.us", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK },
{ "airport.us", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK },
{ "gsp1.apple.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK },
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 1c69848c6..d2a0dbee2 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -450,36 +450,75 @@ static int removeDefaultPort(ndpi_port_range *range, ndpi_proto_defaults_t *def,
/* ****************************************************** */
+/*
+ This is a function used to see if we need to
+ add a trailer $ in case the string is complete
+ or is a string that can be matched in the
+ middle of a domain name
+
+ Example:
+ microsoft.com -> microsoft.com$
+ apple. -> apple.
+*/
+static u_int8_t ndpi_is_middle_string_char(char c) {
+ switch(c) {
+ case '.':
+ case '-':
+ case '$': /* Do not add a double $$ */
+ return(1);
+ break;
+
+ default:
+ return(0);
+ }
+}
+
+/* ****************************************************** */
+
static int ndpi_string_to_automa(struct ndpi_detection_module_struct *ndpi_str, ndpi_automa *automa, char *value,
u_int16_t protocol_id, ndpi_protocol_category_t category, ndpi_protocol_breed_t breed,
- u_int8_t free_str_on_duplicate) {
+ u_int8_t free_str_on_duplicate, u_int8_t add_ends_with) {
AC_PATTERN_t ac_pattern;
AC_ERROR_t rc;
-
+ char buf[96];
+ u_int len, dot;
+
if((value == NULL) || (protocol_id >= (NDPI_MAX_SUPPORTED_PROTOCOLS + NDPI_MAX_NUM_CUSTOM_PROTOCOLS))) {
NDPI_LOG_ERR(ndpi_str, "[NDPI] protoId=%d: INTERNAL ERROR\n", protocol_id);
return(-1);
}
- if(automa->ac_automa == NULL)
+ if((automa->ac_automa == NULL) || (value == NULL))
return(-2);
- ac_pattern.astring = value, ac_pattern.rep.number = protocol_id,
- ac_pattern.rep.category = (u_int16_t) category, ac_pattern.rep.breed = (u_int16_t) breed;
+ len = strlen(value);
+ dot = len -1;
+
+ if((!add_ends_with) || ndpi_is_middle_string_char(value[dot]))
+ ac_pattern.astring = value, ac_pattern.length = len;
+ else {
+ u_int mlen = sizeof(buf)-2;
+
+ len = ndpi_min(len, mlen);
+ ac_pattern.length = snprintf(buf, mlen, "%s$", value);
+ ac_pattern.astring = ndpi_strdup(buf);
+ free_str_on_duplicate = 1;
+ }
+
+ ac_pattern.rep.number = protocol_id, ac_pattern.rep.category = (u_int16_t) category, ac_pattern.rep.breed = (u_int16_t) breed;
#ifdef MATCH_DEBUG
- printf("Adding to automa [%s][protocol_id: %u][category: %u][breed: %u]\n", value, protocol_id, category, breed);
+ printf("Adding to automa [%s][protocol_id: %u][category: %u][breed: %u]\n",
+ ac_pattern.astring, protocol_id, category, breed);
#endif
- if(value == NULL)
- ac_pattern.length = 0;
- else
- ac_pattern.length = strlen(ac_pattern.astring);
-
rc = ac_automata_add(((AC_AUTOMATA_t *) automa->ac_automa), &ac_pattern);
- if(rc != ACERR_DUPLICATE_PATTERN && rc != ACERR_SUCCESS)
+ if((rc != ACERR_DUPLICATE_PATTERN) && (rc != ACERR_SUCCESS)) {
+ if(free_str_on_duplicate) ndpi_free(value);
return(-2);
- if(rc == ACERR_DUPLICATE_PATTERN && free_str_on_duplicate)
+ }
+
+ if((rc == ACERR_DUPLICATE_PATTERN) && free_str_on_duplicate)
ndpi_free(value);
return(0);
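Review bot: `dot = len -1` at the top of the new branch wraps for an empty `value` (`len` is a `u_int`) and `value[dot]` then reads far outside the string, so the guard needs a `len == 0` case. In the `$` branch `ac_pattern.length` is taken from the return value of `snprintf`, which is the untruncated length, so for a `value` of 93 bytes or more the automaton is told a length larger than the strdup'ed string (and the `$` itself is cut off), while the clamped `len` computed just before is never used. The added `ndpi_free(value)` on the `ac_automata_add` failure path also double-frees, because `ndpi_add_host_url_subprotocol` (next hunks) frees `value` itself whenever the return is non-zero; and in the `$` branch, where the automaton receives the copy rather than `value`, nothing releases `value` on success and the copy is never freed on a duplicate, which looks like a leak if `ac_automata_add` keeps `astring` as the existing duplicate handling implies — worth confirming. Rejecting over-long names instead of truncating, and leaving the failure-path free to the caller, keeps the pattern, its length and ownership consistent:
```c
  len = strlen(value);

  /* An empty value has no last character to inspect; pass it through unchanged */
  if((!add_ends_with) || (len == 0) || ndpi_is_middle_string_char(value[len - 1]))
    ac_pattern.astring = value, ac_pattern.length = len;
  else {
    int n = snprintf(buf, sizeof(buf), "%s$", value);

    /* snprintf returns the untruncated length: refuse names that do not fit
       rather than registering a length longer than the stored string */
    if((n < 0) || ((size_t)n >= sizeof(buf)))
      return(-2); /* value is still owned by the caller */

    ac_pattern.astring = ndpi_strdup(buf), ac_pattern.length = (u_int)n;
    if(ac_pattern.astring == NULL)
      return(-2);

    free_str_on_duplicate = 1;
  }

  /* … unchanged: rep fields, MATCH_DEBUG printf … */
  rc = ac_automata_add(((AC_AUTOMATA_t *) automa->ac_automa), &ac_pattern);
  if((rc != ACERR_DUPLICATE_PATTERN) && (rc != ACERR_SUCCESS))
    return(-2); /* the caller frees value on a non-zero return */
```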
@@ -487,8 +526,10 @@ static int ndpi_string_to_automa(struct ndpi_detection_module_struct *ndpi_str,
/* ****************************************************** */
-static int ndpi_add_host_url_subprotocol(struct ndpi_detection_module_struct *ndpi_str, char *_value, int protocol_id,
- ndpi_protocol_category_t category, ndpi_protocol_breed_t breed) {
+static int ndpi_add_host_url_subprotocol(struct ndpi_detection_module_struct *ndpi_str,
+ char *_value, int protocol_id,
+ ndpi_protocol_category_t category,
+ ndpi_protocol_breed_t breed) {
int rv;
char *value = ndpi_strdup(_value);
@@ -499,7 +540,7 @@ static int ndpi_add_host_url_subprotocol(struct ndpi_detection_module_struct *nd
NDPI_LOG_DBG2(ndpi_str, "[NDPI] Adding [%s][%d]\n", value, protocol_id);
#endif
- rv = ndpi_string_to_automa(ndpi_str, &ndpi_str->host_automa, value, protocol_id, category, breed, 1);
+ rv = ndpi_string_to_automa(ndpi_str, &ndpi_str->host_automa, value, protocol_id, category, breed, 1, 1);
if(rv != 0)
ndpi_free(value);
@@ -509,15 +550,6 @@ static int ndpi_add_host_url_subprotocol(struct ndpi_detection_module_struct *nd
/* ****************************************************** */
-#ifdef CODE_UNUSED
-int ndpi_add_content_subprotocol(struct ndpi_detection_module_struct *ndpi_str, char *value, int protocol_id,
- ndpi_protocol_category_t category, ndpi_protocol_breed_t breed) {
- return(ndpi_string_to_automa(ndpi_str, &ndpi_str->content_automa, value, protocol_id, category, breed, 0));
-}
-#endif
-
-/* ****************************************************** */
-
/*
NOTE
@@ -550,7 +582,8 @@ void ndpi_init_protocol_match(struct ndpi_detection_module_struct *ndpi_str, ndp
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
}
- ndpi_add_host_url_subprotocol(ndpi_str, match->string_to_match, match->protocol_id, match->protocol_category,
+ ndpi_add_host_url_subprotocol(ndpi_str, match->string_to_match,
+ match->protocol_id, match->protocol_category,
match->protocol_breed);
}
@@ -588,15 +621,15 @@ static void init_string_based_protocols(struct ndpi_detection_module_struct *ndp
#if 1
for (i = 0; ndpi_en_bigrams[i] != NULL; i++)
- ndpi_string_to_automa(ndpi_str, &ndpi_str->bigrams_automa, (char *) ndpi_en_bigrams[i], 1, 1, 1, 0);
+ ndpi_string_to_automa(ndpi_str, &ndpi_str->bigrams_automa, (char *) ndpi_en_bigrams[i], 1, 1, 1, 0, 0);
#else
for (i = 0; ndpi_en_popular_bigrams[i] != NULL; i++)
- ndpi_string_to_automa(ndpi_str, &ndpi_str->bigrams_automa, (char *) ndpi_en_popular_bigrams[i], 1, 1, 1, 0);
+ ndpi_string_to_automa(ndpi_str, &ndpi_str->bigrams_automa, (char *) ndpi_en_popular_bigrams[i], 1, 1, 1, 0, 0);
#endif
for (i = 0; ndpi_en_impossible_bigrams[i] != NULL; i++)
ndpi_string_to_automa(ndpi_str, &ndpi_str->impossible_bigrams_automa, (char *) ndpi_en_impossible_bigrams[i], 1,
- 1, 1, 0);
+ 1, 1, 0, 0);
}
/* ******************************************************************** */
@@ -4463,31 +4496,33 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
int ndpi_load_hostname_category(struct ndpi_detection_module_struct *ndpi_str, const char *name_to_add,
ndpi_protocol_category_t category) {
char *name;
-
+ u_int len;
+ AC_PATTERN_t ac_pattern;
+ AC_ERROR_t rc;
+
if(name_to_add == NULL)
return(-1);
+ else
+ len = strlen(name_to_add);
- name = ndpi_strdup(name_to_add);
-
- if(name == NULL)
+ if((name = (char*)ndpi_malloc(len+3)) == NULL)
return(-1);
+ memset(&ac_pattern, 0, sizeof(ac_pattern));
+ ac_pattern.length = snprintf(name, len+2, "%s%s", name_to_add,
+ ndpi_is_middle_string_char(name_to_add[len-1]) ? "" : "$");
+
#if 0
printf("===> %s() Loading %s as %u\n", __FUNCTION__, name, category);
#endif
- AC_PATTERN_t ac_pattern;
- AC_ERROR_t rc;
-
- memset(&ac_pattern, 0, sizeof(ac_pattern));
-
if(ndpi_str->custom_categories.hostnames_shadow.ac_automa == NULL) {
ndpi_free(name);
return(-1);
}
- ac_pattern.astring = name, ac_pattern.length = strlen(ac_pattern.astring);
- ac_pattern.rep.number = (u_int32_t) category, ac_pattern.rep.category = category;;
+ ac_pattern.astring = name;
+ ac_pattern.rep.number = (u_int32_t) category, ac_pattern.rep.category = category;
rc = ac_automata_add(ndpi_str->custom_categories.hostnames_shadow.ac_automa, &ac_pattern);
if(rc != ACERR_DUPLICATE_PATTERN && rc != ACERR_SUCCESS) {
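Review bot: `name_to_add[len-1]` in the new `snprintf` call reads before the string when `name_to_add` is empty, since `len` is a `u_int` and `len-1` wraps; the NULL check above it should also reject a zero length, e.g. `if((name_to_add == NULL) || ((len = strlen(name_to_add)) == 0)) return(-1);`, which also removes the `else` that follows a `return`. The same unchecked `len - 1` appears in the `ndpi_string_to_automa` hunk. The `ndpi_malloc(len+3)` allocation is one byte larger than the `len+2` that the name, the optional `$` and the terminator need; a comment such as `/* room for name, optional '$' and NUL */` on that line would make the sizing intent clear. The function's tail is outside the hunk.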
@@ -6386,11 +6421,21 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow,
char *string_to_match, u_int string_to_match_len,
ndpi_protocol_match_result *ret_match, u_int16_t master_protocol_id) {
- u_int16_t rc = ndpi_automa_match_string_subprotocol(ndpi_str, flow, string_to_match, string_to_match_len,
- master_protocol_id, ret_match, 1);
- ndpi_protocol_category_t id = ret_match->protocol_category;
-
- if(ndpi_get_custom_category_match(ndpi_str, string_to_match, string_to_match_len, &id) != -1) {
+ u_int16_t rc, buf_len, i;
+ ndpi_protocol_category_t id;
+ char buf[96];
+
+ buf_len = ndpi_min(string_to_match_len, sizeof(buf)-2);
+ for(i=0; i<buf_len; i++) buf[i] = tolower(string_to_match[i]);
+ buf[i++] = '$'; /* Add trailer $ */
+ buf[i] = '\0';
+
+ rc = ndpi_automa_match_string_subprotocol(ndpi_str, flow,
+ buf, i,
+ master_protocol_id, ret_match, 1);
+ id = ret_match->protocol_category;
+
+ if(ndpi_get_custom_category_match(ndpi_str, buf, i, &id) != -1) {
/* if(id != -1) */ {
flow->category = ret_match->protocol_category = id;
rc = master_protocol_id;
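Review bot: `tolower(string_to_match[i])` in the new lowercase loop passes a plain `char`; on targets where `char` is signed, a hostname byte above 0x7F (this data comes from the packet, e.g. an SNI or DNS name) becomes a negative argument, which is undefined behaviour for the `<ctype.h>` functions — use `buf[i] = tolower((unsigned char)string_to_match[i]);`. Separately, when the name is longer than `sizeof(buf)-2` the loop keeps only the first 94 bytes and still appends `$`, so the end-anchor now marks an arbitrary cut point rather than the real end of the name and `$`-terminated patterns can match or miss on a fragment; appending the anchor only when nothing was dropped, `if(buf_len == string_to_match_len) buf[i++] = '$';`, preserves its meaning. The function's tail is outside the hunk.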
@@ -6405,7 +6450,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
int ndpi_match_hostname_protocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow,
u_int16_t master_protocol, char *name, u_int name_len) {
ndpi_protocol_match_result ret_match;
- u_int16_t subproto, what_len, i;
+ u_int16_t subproto, what_len;
char *what;
if((name_len > 2) && (name[0] == '*') && (name[1] == '.'))
@@ -6413,9 +6458,6 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
else
what = name, what_len = name_len;
- /* Convert it first to lowercase: we assume meory is writable as in nDPI dissctors */
- for(i=0; i<name_len; i++) what[i] = tolower(what[i]);
-
subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, what, what_len, &ret_match, master_protocol);
if(subproto != NDPI_PROTOCOL_UNKNOWN) {
diff --git a/tests/result/teams.pcap.out b/tests/result/teams.pcap.out
index bdeb95416..d0bb3a753 100644
--- a/tests/result/teams.pcap.out
+++ b/tests/result/teams.pcap.out
@@ -1,5 +1,5 @@
Unknown 4 456 1
-DNS 14 1947 7
+DNS 16 2178 8
DHCP 7 2323 2
ntop 40 9816 3
SkypeCall 49 10800 4
@@ -7,7 +7,6 @@ ICMP 2 140 1
TLS 107 45011 5
Dropbox 18 11162 3
Skype 75 34993 4
-Apple 2 231 1
Spotify 1 82 1
Telegram 3 186 1
Microsoft 403 283797 11
@@ -96,7 +95,7 @@ JA3 Host Stats:
75 UDP 192.168.1.6:51033 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][1 pkts/80 bytes <-> 1 pkts/182 bytes][Goodput ratio: 47/77][0.04 sec][Host: eu-api.asm.skype.com][52.114.75.69][PLAIN TEXT (trafficmanager)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
76 UDP 192.168.1.6:51309 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/93 bytes <-> 1 pkts/169 bytes][Goodput ratio: 54/75][0.01 sec][Host: skypedataprdcolneu04.cloudapp.net][::][Risk: ** Suspicious DGA domain name **][PLAIN TEXT (skypedataprdcolneu04)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
77 UDP 192.168.1.6:62863 <-> 192.168.1.1:53 [proto: 5.250/DNS.Teams][cat: Collaborative/15][1 pkts/103 bytes <-> 1 pkts/158 bytes][Goodput ratio: 59/73][0.07 sec][Host: emea.ng.msg.teams-msgapi.trafficmanager.net][52.114.108.8][PLAIN TEXT (msgapi)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 78 UDP 192.168.1.6:56634 <-> 192.168.1.1:53 [proto: 5.140/DNS.Apple][cat: ConnectivityCheck/30][1 pkts/89 bytes <-> 1 pkts/142 bytes][Goodput ratio: 52/70][0.03 sec][Host: captive.apple.com.edgekey.net][23.50.158.88][PLAIN TEXT (captive)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 78 UDP 192.168.1.6:56634 <-> 192.168.1.1:53 [proto: 5/DNS][cat: ConnectivityCheck/30][1 pkts/89 bytes <-> 1 pkts/142 bytes][Goodput ratio: 52/70][0.03 sec][Host: captive.apple.com.edgekey.net][23.50.158.88][PLAIN TEXT (captive)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
79 UDP 192.168.1.6:60813 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/93 bytes <-> 1 pkts/109 bytes][Goodput ratio: 54/61][0.01 sec][Host: skypedataprdcolneu04.cloudapp.net][52.114.77.33][Risk: ** Suspicious DGA domain name **][PLAIN TEXT (skypedataprdcolneu04)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
80 TCP 192.168.1.6:58533 -> 149.154.167.91:443 [proto: 91.185/TLS.Telegram][cat: Chat/9][3 pkts/186 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][4.29 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
81 ICMP 93.71.110.205:0 -> 192.168.1.6:0 [proto: 81/ICMP][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][0.01 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/wechat.pcap.out b/tests/result/wechat.pcap.out
index c9cebcb4e..93acd2b10 100644
--- a/tests/result/wechat.pcap.out
+++ b/tests/result/wechat.pcap.out
@@ -1,4 +1,4 @@
-DNS 6 494 3
+DNS 13 1075 8
HTTP 70 4620 8
MDNS 116 10672 4
NTP 1 90 1
@@ -9,9 +9,9 @@ QQ 26 9402 2
IGMP 24 1280 4
TLS 21 1209 3
ICMPV6 4 328 3
-Google 113 24811 15
+Google 110 24574 13
LLMNR 12 944 6
-WeChat 1251 606425 49
+WeChat 1247 606081 46
GoogleDocs 15 5114 2
JA3 Host Stats:
@@ -96,13 +96,13 @@ JA3 Host Stats:
75 UDP [fe80::91f9:3df3:7436:6cd6]:50440 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/180 bytes -> 0 pkts/0 bytes][Goodput ratio: 31/0][0.01 sec][Host: lbjamwptxz][Risk: ** Suspicious DGA domain name **][PLAIN TEXT (lbjamwptx)][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
76 UDP [fe80::91f9:3df3:7436:6cd6]:49195 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/176 bytes -> 0 pkts/0 bytes][Goodput ratio: 29/0][0.01 sec][Host: cansaqcq][PLAIN TEXT (cansaqcq)][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
77 UDP [fe80::91f9:3df3:7436:6cd6]:50577 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/176 bytes -> 0 pkts/0 bytes][Goodput ratio: 29/0][0.01 sec][Host: mcztmpkc][PLAIN TEXT (mcztmpkc)][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 78 UDP 192.168.1.103:43705 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: Chat/9][2 pkts/172 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][5.01 sec][Host: webpush.web.wechat.com.lan][::][PLAIN TEXT (webpush)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 78 UDP 192.168.1.103:43705 -> 192.168.1.254:53 [proto: 5/DNS][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][5.01 sec][Host: webpush.web.wechat.com.lan][::][PLAIN TEXT (webpush)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
79 UDP 192.168.1.103:42856 -> 192.168.1.254:53 [proto: 5/DNS][cat: Network/14][2 pkts/170 bytes -> 0 pkts/0 bytes][Goodput ratio: 50/0][< 1 sec][Host: 1.debian.pool.ntp.org.lan][::][PLAIN TEXT (debian)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
80 UDP 192.168.1.103:45366 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: Chat/9][2 pkts/164 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][2.46 sec][Host: webpush.web.wechat.com][::][PLAIN TEXT (webpush)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
81 UDP 192.168.1.103:56367 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: Chat/9][2 pkts/164 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][5.01 sec][Host: webpush.web.wechat.com][::][PLAIN TEXT (webpush)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
82 UDP 192.168.1.103:41759 -> 192.168.1.254:53 [proto: 5/DNS][cat: Network/14][2 pkts/162 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][< 1 sec][Host: 2.debian.pool.ntp.org][::][PLAIN TEXT (debian)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
83 UDP 192.168.1.103:44063 -> 192.168.1.254:53 [proto: 5/DNS][cat: Network/14][2 pkts/162 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][< 1 sec][Host: 1.debian.pool.ntp.org][::][PLAIN TEXT (debian)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 84 UDP 192.168.1.103:42074 -> 192.168.1.254:53 [proto: 5.126/DNS.Google][cat: Web/5][2 pkts/158 bytes -> 0 pkts/0 bytes][Goodput ratio: 47/0][5.01 sec][Host: ssl.gstatic.com.lan][::][PLAIN TEXT (gstatic)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 84 UDP 192.168.1.103:42074 -> 192.168.1.254:53 [proto: 5/DNS][cat: Network/14][2 pkts/158 bytes -> 0 pkts/0 bytes][Goodput ratio: 47/0][5.01 sec][Host: ssl.gstatic.com.lan][::][PLAIN TEXT (gstatic)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
85 UDP 192.168.1.100:54124 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][0.01 sec][Host: lbjamwptxz][Risk: ** Suspicious DGA domain name **][PLAIN TEXT (lbjamwptx)][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
86 UDP 192.168.1.100:49832 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Goodput ratio: 38/0][0.01 sec][Host: cansaqcq][PLAIN TEXT (cansaqcq)][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
87 UDP 192.168.1.100:57401 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Goodput ratio: 38/0][0.01 sec][Host: mcztmpkc][PLAIN TEXT (mcztmpkc)][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
@@ -113,12 +113,12 @@ JA3 Host Stats:
92 ICMPV6 [fe80::842:a3f3:a286:6c5b]:0 -> [ff02::2]:0 [proto: 102/ICMPV6][cat: Network/14][2 pkts/132 bytes -> 0 pkts/0 bytes][Goodput ratio: 6/0][1.43 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
93 ICMPV6 [fe80::842:a3f3:a286:6c5b]:0 -> [ff02::16]:0 [proto: 102/ICMPV6][cat: Network/14][1 pkts/110 bytes -> 0 pkts/0 bytes][Goodput ratio: 43/0][< 1 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
94 UDP 192.168.1.103:37578 -> 193.204.114.233:123 [proto: 9/NTP][cat: System/18][1 pkts/90 bytes -> 0 pkts/0 bytes][Goodput ratio: 53/0][< 1 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 95 UDP 192.168.1.103:44346 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: Chat/9][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][< 1 sec][Host: webpush.web.wechat.com.lan][::][PLAIN TEXT (webpush)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 96 UDP 192.168.1.103:53515 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: Chat/9][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][< 1 sec][Host: webpush.web.wechat.com.lan][::][PLAIN TEXT (webpush)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 95 UDP 192.168.1.103:44346 -> 192.168.1.254:53 [proto: 5/DNS][cat: Network/14][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][< 1 sec][Host: webpush.web.wechat.com.lan][::][PLAIN TEXT (webpush)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 96 UDP 192.168.1.103:53515 -> 192.168.1.254:53 [proto: 5/DNS][cat: Network/14][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][< 1 sec][Host: webpush.web.wechat.com.lan][::][PLAIN TEXT (webpush)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
97 ICMPV6 [::]:0 -> [ff02::1:ff86:6c5b]:0 [proto: 102/ICMPV6][cat: Network/14][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 28/0][< 1 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
98 UDP 192.168.1.103:33915 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: Chat/9][1 pkts/82 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][< 1 sec][Host: webpush.web.wechat.com][::][PLAIN TEXT (webpush)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
99 UDP 192.168.1.103:43317 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: Chat/9][1 pkts/82 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][< 1 sec][Host: webpush.web.wechat.com][::][PLAIN TEXT (webpush)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
100 UDP 192.168.1.103:58165 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: Chat/9][1 pkts/82 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][< 1 sec][Host: webpush.web.wechat.com][::][PLAIN TEXT (webpush)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 101 UDP 192.168.1.103:59567 -> 192.168.1.254:53 [proto: 5.126/DNS.Google][cat: Web/5][1 pkts/79 bytes -> 0 pkts/0 bytes][Goodput ratio: 46/0][< 1 sec][Host: ssl.gstatic.com.lan][::][PLAIN TEXT (gstatic)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 101 UDP 192.168.1.103:59567 -> 192.168.1.254:53 [proto: 5/DNS][cat: Network/14][1 pkts/79 bytes -> 0 pkts/0 bytes][Goodput ratio: 46/0][< 1 sec][Host: ssl.gstatic.com.lan][::][PLAIN TEXT (gstatic)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
102 UDP 192.168.1.103:42589 -> 192.168.1.254:53 [proto: 5.126/DNS.Google][cat: Web/5][1 pkts/75 bytes -> 0 pkts/0 bytes][Goodput ratio: 43/0][< 1 sec][Host: ssl.gstatic.com][::][PLAIN TEXT (gstatic)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
103 IGMP 192.168.1.108:0 -> 224.0.0.22:0 [proto: 82/IGMP][cat: Network/14][1 pkts/54 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]