diff options
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2025-01-31 16:26:53 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-01-31 16:26:53 +0100 |
| commit | cf8f761b936c11b8fbfdcaa5fde5d45513d712b1 (patch) | |
| tree | 68da6a9fc25d20645174b9e21b7599d4eb3c4fe8 | |
| parent | 0bcd04e9e079437a63f41ac362d286f68c5450cb (diff) | |
HTTP: add configuration for some metadata (#2704)
Extend file configuration for just subclassification.
| -rw-r--r-- | doc/configuration_parameters.md | 5 | ||||
| -rw-r--r-- | example/only_classification.conf | 2 | ||||
| -rw-r--r-- | fuzz/fuzz_config.cpp | 25 | ||||
| -rw-r--r-- | src/include/ndpi_private.h | 6 | ||||
| -rw-r--r-- | src/lib/ndpi_main.c | 6 | ||||
| -rw-r--r-- | src/lib/protocols/http.c | 58 | ||||
| l--------- | tests/cfgs/classification_only/pcap/http-basic-auth.pcap | 1 | ||||
| l--------- | tests/cfgs/classification_only/pcap/http-pwd.pcapng | 1 | ||||
| l--------- | tests/cfgs/classification_only/pcap/http_auth.pcap | 1 | ||||
| -rw-r--r-- | tests/cfgs/classification_only/result/http-basic-auth.pcap.out | 54 | ||||
| -rw-r--r-- | tests/cfgs/classification_only/result/http-pwd.pcapng.out | 27 | ||||
| -rw-r--r-- | tests/cfgs/classification_only/result/http_auth.pcap.out | 27 |
12 files changed, 196 insertions, 17 deletions
diff --git a/doc/configuration_parameters.md b/doc/configuration_parameters.md index faa02f7b3..8a9cc67c3 100644 --- a/doc/configuration_parameters.md +++ b/doc/configuration_parameters.md @@ -28,6 +28,11 @@ List of the supported configuration options: | NULL | "lru.$CACHE_NAME.size" | See description | 0 | 16777215 | Set the size (in number of elements) of the specified LRU cache (0 = the cache is disabled). The keyword "$CACHE_NAME" is a placeholder for the cache name and the possible values are: ookla, bittorrent, stun, tls_cert, mining, msteams, fpc_dns. The default value is "32768" for the bittorrent cache and "1024" for all the other caches | | NULL | "lru.$CACHE_NAME.ttl" | See description | 0 | 16777215 | Set the TTL (in seconds) for the elements of the specified LRU cache (0 = the elements never explicitly expire). The keyword "$CACHE_NAME" is a placeholder for the cache name and the possible values are: ookla, bittorrent, stun, tls_cert, mining, msteams, fpc_dns. The default value is "120" for the ookla cache, "60" for the msteams and fpc_dns caches and "0" for all the other caches | | NULL | "lru.$CACHE_NAME.scope" | 0 | 0 | 1 | Set the scope of the specified LRU cache (0 = the cache is local, 1 = the cache is global). The keyword "$CACHE_NAME" is a placeholder for the cache name and the possible values are: ookla, bittorrent, stun, tls_cert, mining, msteams, fpc_dns. The global scope con be set only if a global context has been initialized | +| "http" | "metadata.request_content_type" | enable | NULL | NULL | Enable/disable export of Request Content Type header for HTTP flows. | +| "http" | "metadata.referer" | enable | NULL | NULL | Enable/disable export of Referer header for HTTP flows. | +| "http" | "metadata.host" | enable | NULL | NULL | Enable/disable export of Host header for HTTP flows. | +| "http" | "metadata.username" | enable | NULL | NULL | Enable/disable export of (cleartext) username metadata for HTTP flows. | +| "http" | "metadata.password" | enable | NULL | NULL | Enable/disable export of (cleartext) password metadata for HTTP flows. | | "tls" | "certificate_expiration_threshold" | 30 | 0 | 365 | The threshold (in days) used to trigger the `NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE` flow risk | | "tls" | "application_blocks_tracking" | disable | NULL | NULL | Enable/disable processing of TLS Application Blocks (post handshake) to extract statistical information about the flow | | "tls " | "dpi.heuristics", | 0x00 | 0x00 | 0x07 | Enable/disable some heuristics to detect encrypted/obfuscated/proxied TLS flows. The value is a bitmask. Values: 0x0 = disabled; 0x01 = enable basic detection (i.e. encrypted TLS without any encapsulation); 0x02 = enable detection over TLS (i.e. TLS-in-TLS); 0x04 = enable detection over HTTP (i.e. TLS-over-WebSocket). If enabled, some false positives are expected. See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting | diff --git a/example/only_classification.conf b/example/only_classification.conf index e53b569e8..6c2af39dd 100644 --- a/example/only_classification.conf +++ b/example/only_classification.conf @@ -12,6 +12,8 @@ --cfg=sip,metadata.attribute.from,0 --cfg=sip,metadata.attribute.to,0 #STUN --cfg=stun,metadata.attribute.mapped_address,0 --cfg=stun,metadata.attribute.peer_address,0 --cfg=stun,metadata.attribute.relayed_address,0 --cfg=stun,metadata.attribute.response_origin,0 --cfg=stun,metadata.attribute.other_address,0 +#HTTP +--cfg=http,metadata.request_content_type,0 --cfg=http,metadata.referer,0 --cfg=http,metadata.host,0 --cfg=http,metadata.username,0 --cfg=http,metadata.password,0 #DNS:we need only the request for sub-classification --cfg=dns,process_response,0 #Note that this option has an huge impact on FPC! diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp index 4902bd2f2..e3e480e5b 100644 --- a/fuzz/fuzz_config.cpp +++ b/fuzz/fuzz_config.cpp @@ -119,6 +119,31 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { } if(fuzzed_data.ConsumeBool()) { + value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); + snprintf(cfg_value, sizeof(cfg_value), "%d", value); + ndpi_set_config(ndpi_info_mod, "http", "metadata.request_content_type", cfg_value); + } + if(fuzzed_data.ConsumeBool()) { + value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); + snprintf(cfg_value, sizeof(cfg_value), "%d", value); + ndpi_set_config(ndpi_info_mod, "http", "metadata.referer", cfg_value); + } + if(fuzzed_data.ConsumeBool()) { + value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); + snprintf(cfg_value, sizeof(cfg_value), "%d", value); + ndpi_set_config(ndpi_info_mod, "http", "metadata.host", cfg_value); + } + if(fuzzed_data.ConsumeBool()) { + value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); + snprintf(cfg_value, sizeof(cfg_value), "%d", value); + ndpi_set_config(ndpi_info_mod, "http", "metadata.username", cfg_value); + } + if(fuzzed_data.ConsumeBool()) { + value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); + snprintf(cfg_value, sizeof(cfg_value), "%d", value); + ndpi_set_config(ndpi_info_mod, "http", "metadata.password", cfg_value); + } + if(fuzzed_data.ConsumeBool()) { value = fuzzed_data.ConsumeIntegralInRange(0, 365 + 1); snprintf(cfg_value, sizeof(cfg_value), "%d", value); ndpi_set_config(ndpi_info_mod, "tls", "certificate_expiration_threshold", cfg_value); diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h index 092502ab7..fc422f630 100644 --- a/src/include/ndpi_private.h +++ b/src/include/ndpi_private.h @@ -238,6 +238,12 @@ struct ndpi_detection_module_config_struct { /* Protocols */ + int http_request_content_type_enabled; + int http_referer_enabled; + int http_host_enabled; + int http_username_enabled; + int http_password_enabled; + int tls_certificate_expire_in_x_days; int tls_app_blocks_tracking_enabled; int tls_heuristics; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 480e5f644..105d3a434 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -11588,6 +11588,12 @@ static const struct cfg_param { } cfg_params[] = { /* Per-protocol parameters */ + { "http", "metadata.request_content_type", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(http_request_content_type_enabled), NULL }, + { "http", "metadata.referer", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(http_referer_enabled), NULL }, + { "http", "metadata.host", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(http_host_enabled), NULL }, + { "http", "metadata.username", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(http_username_enabled), NULL }, + { "http", "metadata.password", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(http_password_enabled), NULL }, + { "tls", "certificate_expiration_threshold", "30", "0", "365", CFG_PARAM_INT, __OFF(tls_certificate_expire_in_x_days), NULL }, { "tls", "application_blocks_tracking", "disable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_app_blocks_tracking_enabled), NULL }, { "tls", "dpi.heuristics", "0x00", "0", "0x07", CFG_PARAM_INT, __OFF(tls_heuristics), NULL }, diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 5c611d8d8..ffc0b9213 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -647,7 +647,8 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp if(flow->http.first_payload_after_header_observed == 0) { /* Skip the last part of the HTTP request */ flow->http.first_payload_after_header_observed = 1; - } else if(flow->http.is_form && (packet->payload_packet_len > 0)) { + } else if(flow->http.is_form && (packet->payload_packet_len > 0) && + (ndpi_struct->cfg.http_username_enabled || ndpi_struct->cfg.http_password_enabled)) { /* Response payload */ char *dup = ndpi_strndup((const char *)packet->payload, packet->payload_packet_len); @@ -664,9 +665,9 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp break; if((strcmp(key, "user") == 0) || (strcmp(key, "username") == 0)) { - if(!flow->http.username) flow->http.username = ndpi_strdup(value); + if(!flow->http.username && ndpi_struct->cfg.http_username_enabled) flow->http.username = ndpi_strdup(value); } else if((strcmp(key, "pwd") == 0) || (strcmp(key, "password") == 0)) { - if(!flow->http.password) flow->http.password = ndpi_strdup(value); + if(!flow->http.password && ndpi_struct->cfg.http_password_enabled) flow->http.password = ndpi_strdup(value); ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password"); } @@ -1025,7 +1026,8 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } } - if(packet->authorization_line.ptr != NULL) { + if(packet->authorization_line.ptr != NULL && + (ndpi_struct->cfg.http_username_enabled || ndpi_struct->cfg.http_password_enabled)) { const char *a = NULL, *b = NULL; NDPI_LOG_DBG2(ndpi_struct, "Authorization line found %.*s\n", @@ -1048,8 +1050,10 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ if(double_dot) { double_dot[0] = '\0'; - flow->http.username = ndpi_strdup((char*)content); - flow->http.password = ndpi_strdup(&double_dot[1]); + if(ndpi_struct->cfg.http_username_enabled) + flow->http.username = ndpi_strdup((char*)content); + if(ndpi_struct->cfg.http_password_enabled) + flow->http.password = ndpi_strdup(&double_dot[1]); } ndpi_free(content); @@ -1063,10 +1067,12 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } if((packet->referer_line.ptr != NULL) && (flow->http.referer == NULL)) - flow->http.referer = ndpi_strndup((const char *)packet->referer_line.ptr, packet->referer_line.len); + if(ndpi_struct->cfg.http_referer_enabled) + flow->http.referer = ndpi_strndup((const char *)packet->referer_line.ptr, packet->referer_line.len); if((packet->host_line.ptr != NULL) && (flow->http.host == NULL)) - flow->http.host = ndpi_strndup((const char *)packet->host_line.ptr, packet->host_line.len); + if(ndpi_struct->cfg.http_host_enabled) + flow->http.host = ndpi_strndup((const char *)packet->host_line.ptr, packet->host_line.len); if(packet->content_line.ptr != NULL) { NDPI_LOG_DBG2(ndpi_struct, "Content Type line found %.*s\n", @@ -1075,16 +1081,18 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ if(flow->http.response_status_code == 0) { /* Request */ if((flow->http.request_content_type == NULL) && (packet->content_line.len > 0)) { - int len = packet->content_line.len + 1; - - flow->http.request_content_type = ndpi_malloc(len); - if(flow->http.request_content_type) { - strncpy(flow->http.request_content_type, (char*)packet->content_line.ptr, - packet->content_line.len); - flow->http.request_content_type[packet->content_line.len] = '\0'; + if(ndpi_struct->cfg.http_request_content_type_enabled) { + int len = packet->content_line.len + 1; + + flow->http.request_content_type = ndpi_malloc(len); + if(flow->http.request_content_type) { + strncpy(flow->http.request_content_type, (char*)packet->content_line.ptr, + packet->content_line.len); + flow->http.request_content_type[packet->content_line.len] = '\0'; + } } - if(ndpi_strnstr(flow->http.request_content_type, "x-www-form-urlencoded", packet->content_line.len)) + if(ndpi_strnstr((char*)packet->content_line.ptr, "x-www-form-urlencoded", packet->content_line.len)) flow->http.is_form = 1; } } else { @@ -1490,7 +1498,7 @@ static void reset(struct ndpi_detection_module_struct *ndpi_struct, NDPI_LOG_DBG2(ndpi_struct, "Reset status and risks\n"); - /* Reset everthing in flow->http. + /* Reset everything in flow->http. TODO: Could we be smarter? Probably some info don't change across different req-res transactions... */ @@ -1517,6 +1525,14 @@ static void reset(struct ndpi_detection_module_struct *ndpi_struct, ndpi_free(flow->http.server); flow->http.server = NULL; } + if(flow->http.referer) { + ndpi_free(flow->http.referer); + flow->http.referer = NULL; + } + if(flow->http.host) { + ndpi_free(flow->http.host); + flow->http.host = NULL; + } if(flow->http.detected_os) { ndpi_free(flow->http.detected_os); flow->http.detected_os = NULL; @@ -1529,6 +1545,14 @@ static void reset(struct ndpi_detection_module_struct *ndpi_struct, ndpi_free(flow->http.filename); flow->http.filename = NULL; } + if(flow->http.username) { + ndpi_free(flow->http.username); + flow->http.username = NULL; + } + if(flow->http.password) { + ndpi_free(flow->http.password); + flow->http.password = NULL; + } /* Reset flow risks. We should reset only those risks triggered by the previous HTTP response... */ diff --git a/tests/cfgs/classification_only/pcap/http-basic-auth.pcap b/tests/cfgs/classification_only/pcap/http-basic-auth.pcap new file mode 120000 index 000000000..23dffb6f4 --- /dev/null +++ b/tests/cfgs/classification_only/pcap/http-basic-auth.pcap @@ -0,0 +1 @@ +../../default/pcap/http-basic-auth.pcap
\ No newline at end of file diff --git a/tests/cfgs/classification_only/pcap/http-pwd.pcapng b/tests/cfgs/classification_only/pcap/http-pwd.pcapng new file mode 120000 index 000000000..3dd645442 --- /dev/null +++ b/tests/cfgs/classification_only/pcap/http-pwd.pcapng @@ -0,0 +1 @@ +../../default/pcap/http-pwd.pcapng
\ No newline at end of file diff --git a/tests/cfgs/classification_only/pcap/http_auth.pcap b/tests/cfgs/classification_only/pcap/http_auth.pcap new file mode 120000 index 000000000..0b9f1cb91 --- /dev/null +++ b/tests/cfgs/classification_only/pcap/http_auth.pcap @@ -0,0 +1 @@ +../../default/pcap/http_auth.pcap
\ No newline at end of file diff --git a/tests/cfgs/classification_only/result/http-basic-auth.pcap.out b/tests/cfgs/classification_only/result/http-basic-auth.pcap.out new file mode 100644 index 000000000..2515ae388 --- /dev/null +++ b/tests/cfgs/classification_only/result/http-basic-auth.pcap.out @@ -0,0 +1,54 @@ +Guessed flow protos: 9 + +DPI Packets (TCP): 183 (7.32 pkts/flow) +Confidence Match by port : 9 (flows) +Confidence DPI : 16 (flows) +Num dissector calls: 256 (10.24 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/27/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/9/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 0/25/0 (insert/search/found) +Automa host: 16/0 (search/found) +Automa domain: 16/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 0/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 50/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +HTTP 688 353898 25 + +Acceptable 688 353898 25 + + 1 TCP 192.168.0.4:54340 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][58 pkts/9591 bytes <-> 74 pkts/74782 bytes][Goodput ratio: 60/93][20.90 sec][Hostname/SNI: browserspy.dk][bytes ratio: -0.773 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 397/166 4647/4811 1045/722][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 165/1011 805/1514 248/628][URL: browserspy.dk/theme/default.css][StatusCode: 304][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][PLAIN TEXT (GET /theme/default.css HTTP/1.1)][Plen Bins: 0,0,5,0,4,0,4,2,2,2,0,1,0,0,0,0,0,2,1,0,0,0,8,2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,63,0,0] + 2 TCP 192.168.0.4:54338 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Web/5][31 pkts/4999 bytes <-> 40 pkts/37974 bytes][Goodput ratio: 59/93][17.45 sec][Hostname/SNI: browserspy.dk][bytes ratio: -0.767 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 716/350 5396/5591 1514/1171][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 161/949 805/1514 246/645][URL: browserspy.dk/password-ok.php][StatusCode: 401][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][PLAIN TEXT (GET /password)][Plen Bins: 0,0,5,0,5,0,5,0,2,2,0,0,0,0,0,2,0,0,0,2,0,0,5,5,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,62,0,0] + 3 TCP 192.168.0.4:54584 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][27 pkts/3947 bytes <-> 36 pkts/37139 bytes][Goodput ratio: 55/94][15.57 sec][Hostname/SNI: browserspy.dk][bytes ratio: -0.808 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 502/211 4249/2440 1050/592][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 146/1032 797/1514 225/628][URL: browserspy.dk/pics/logo.png][StatusCode: 304][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][PLAIN TEXT (GET /pics/logo.png HTTP/1.1)][Plen Bins: 0,0,6,0,3,0,3,0,3,0,0,0,0,0,0,0,0,3,0,0,0,0,12,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0] + 4 TCP 192.168.0.4:54505 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][27 pkts/3165 bytes <-> 36 pkts/37069 bytes][Goodput ratio: 43/94][10.97 sec][Hostname/SNI: browserspy.dk][bytes ratio: -0.843 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 298/138 2784/2976 683/551][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 117/1030 775/1514 180/625][URL: browserspy.dk/password.php][StatusCode: 200][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][PLAIN TEXT (GET /password.php HTTP/1.1)][Plen Bins: 0,0,6,0,0,0,6,3,3,3,0,0,0,0,0,0,0,3,0,0,3,0,3,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0] + 5 TCP 192.168.0.4:54506 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Web/5][16 pkts/1711 bytes <-> 20 pkts/21882 bytes][Goodput ratio: 38/94][18.69 sec][Hostname/SNI: browserspy.dk][bytes ratio: -0.855 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/2 1542/885 9336/9536 2720/2475][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 107/1094 709/1514 155/644][URL: browserspy.dk/?_=1381844104551][StatusCode: 200][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][PLAIN TEXT (yGET /)][Plen Bins: 0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,87,0,0] + 6 TCP 192.168.0.4:54318 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Web/5][15 pkts/1737 bytes <-> 20 pkts/19002 bytes][Goodput ratio: 42/93][15.29 sec][Hostname/SNI: browserspy.dk][bytes ratio: -0.832 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1372/588 7743/7938 2428/1969][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 116/950 801/1514 183/656][URL: browserspy.dk/password-ok.php][StatusCode: 401][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][PLAIN TEXT (GET /password)][Plen Bins: 0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,0,0] + 7 TCP 192.168.0.4:54337 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][14 pkts/1675 bytes <-> 19 pkts/18899 bytes][Goodput ratio: 44/93][7.10 sec][Hostname/SNI: browserspy.dk][bytes ratio: -0.837 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 204/31 1269/206 376/69][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 120/995 805/1514 190/642][URL: browserspy.dk/password-ok.php][StatusCode: 401][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][PLAIN TEXT (GET /password)][Plen Bins: 0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,6,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,0,0] + 8 TCP 192.168.0.4:54317 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][14 pkts/1636 bytes <-> 19 pkts/18925 bytes][Goodput ratio: 43/93][9.56 sec][Hostname/SNI: browserspy.dk][bytes ratio: -0.841 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 454/33 3673/227 1082/74][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 117/996 766/1514 180/642][URL: browserspy.dk/password-ok.php][StatusCode: 401][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][PLAIN TEXT (GET /password)][Plen Bins: 0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,6,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,0,0] + 9 TCP 192.168.0.4:54487 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][15 pkts/1711 bytes <-> 19 pkts/18579 bytes][Goodput ratio: 41/93][11.68 sec][Hostname/SNI: browserspy.dk][bytes ratio: -0.831 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 605/442 5841/6025 1661/1494][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 114/978 775/1514 177/643][URL: browserspy.dk/password.php][StatusCode: 200][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][PLAIN TEXT (GET /password.php HTTP/1.1)][Plen Bins: 0,0,6,0,0,0,0,0,0,0,6,0,0,6,0,0,0,6,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,0,0] + 10 TCP 192.168.0.4:54580 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][13 pkts/1607 bytes <-> 16 pkts/18347 bytes][Goodput ratio: 46/94][5.90 sec][Hostname/SNI: browserspy.dk][bytes ratio: -0.839 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 552/73 4815/274 1427/102][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 124/1147 803/1514 196/623][URL: browserspy.dk/password-ok.php][StatusCode: 200][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][PLAIN TEXT (GET /password)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,85,0,0] + 11 TCP 192.168.0.4:54342 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][10 pkts/2866 bytes <-> 7 pkts/881 bytes][Goodput ratio: 77/47][6.17 sec][Hostname/SNI: browserspy.dk][bytes ratio: 0.530 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/4 742/178 5018/292 1618/106][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 287/126 799/203 334/67][URL: browserspy.dk/pics/logo.png][StatusCode: 304][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][PLAIN TEXT (GET /pics/logo.png HTTP/1.1)][Plen Bins: 0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 12 TCP 192.168.0.4:54341 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][10 pkts/2854 bytes <-> 7 pkts/881 bytes][Goodput ratio: 76/47][6.17 sec][Hostname/SNI: browserspy.dk][bytes ratio: 0.528 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/3 743/180 5025/271 1621/105][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 285/126 805/203 333/67][URL: browserspy.dk/js/jquery.js][StatusCode: 304][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][PLAIN TEXT (GET /js/j)][Plen Bins: 0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 13 TCP 192.168.0.4:54582 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][6 pkts/1141 bytes <-> 5 pkts/475 bytes][Goodput ratio: 64/29][15.57 sec][Hostname/SNI: browserspy.dk][bytes ratio: 0.412 (Upload)][IAT c2s/s2c min/avg/max/stddev: 191/10 3074/330 9509/649 3703/320][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 190/95 799/203 272/54][URL: browserspy.dk/theme/default.css][StatusCode: 304][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][PLAIN TEXT (GET /theme/default.css HTTP/1.1)][Plen Bins: 0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 14 TCP 192.168.0.4:54343 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][6 pkts/1140 bytes <-> 5 pkts/475 bytes][Goodput ratio: 64/29][6.17 sec][Hostname/SNI: browserspy.dk][bytes ratio: 0.412 (Upload)][IAT c2s/s2c min/avg/max/stddev: 211/0 1188/274 4948/548 1880/274][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 190/95 798/203 272/54][URL: browserspy.dk/pics/menunew.png][StatusCode: 304][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][PLAIN TEXT (GET /pics/menunew.png HTTP/1.1)][Plen Bins: 0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 15 TCP 192.168.0.4:54581 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][6 pkts/1139 bytes <-> 5 pkts/475 bytes][Goodput ratio: 64/29][15.57 sec][Hostname/SNI: browserspy.dk][bytes ratio: 0.411 (Upload)][IAT c2s/s2c min/avg/max/stddev: 184/2 3074/326 9473/649 3698/324][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 190/95 797/203 272/54][URL: browserspy.dk/theme/reset.css][StatusCode: 304][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][PLAIN TEXT (GET /theme/reset.css HTTP/1.1)][Plen Bins: 0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 16 TCP 192.168.0.4:54583 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][6 pkts/1121 bytes <-> 5 pkts/475 bytes][Goodput ratio: 64/29][15.57 sec][Hostname/SNI: browserspy.dk][bytes ratio: 0.405 (Upload)][IAT c2s/s2c min/avg/max/stddev: 191/2 3074/332 9499/662 3700/330][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 187/95 779/203 265/54][URL: browserspy.dk/js/jquery.js][StatusCode: 304][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][PLAIN TEXT (GET /js/j)][Plen Bins: 0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 17 TCP 192.168.0.4:54319 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][12.83 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 245/1181 3160/1181 10225/1181 4094/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 18 TCP 192.168.0.4:54320 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][12.84 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 246/1178 3161/1178 10229/1178 4096/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 19 TCP 192.168.0.4:54321 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][12.84 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 246/940 3160/940 10267/940 4123/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 20 TCP 192.168.0.4:54322 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][12.84 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 248/760 3160/760 10249/760 4122/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 21 TCP 192.168.0.4:54354 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][14.68 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 202/3082 3577/3082 10249/3082 3955/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 22 TCP 192.168.0.4:54507 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][14.09 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 204/2408 3474/2408 10240/2408 3970/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 23 TCP 192.168.0.4:54508 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][14.09 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 204/2410 3475/2410 10240/2410 3970/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 24 TCP 192.168.0.4:54509 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][14.10 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 204/2207 3474/2207 10236/2207 3958/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 25 TCP 192.168.0.4:54596 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][15.49 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 194/3741 3824/3741 10228/3741 3889/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/classification_only/result/http-pwd.pcapng.out b/tests/cfgs/classification_only/result/http-pwd.pcapng.out new file mode 100644 index 000000000..6b0d85749 --- /dev/null +++ b/tests/cfgs/classification_only/result/http-pwd.pcapng.out @@ -0,0 +1,27 @@ +DPI Packets (TCP): 9 (9.00 pkts/flow) +Confidence DPI : 1 (flows) +Num dissector calls: 16 (16.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 0/0/0 (insert/search/found) +Automa host: 1/0 (search/found) +Automa domain: 1/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 0/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 2/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +ntop 14 1805 1 + +Safe 14 1805 1 + + 1 TCP 127.0.0.1:56451 <-> 127.0.0.1:3000 [proto: 7.26/HTTP.ntop][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][7 pkts/1151 bytes <-> 7 pkts/654 bytes][Goodput ratio: 65/38][0.00 sec][Hostname/SNI: localhost][bytes ratio: 0.275 (Upload)][IAT c2s/s2c min/avg/max/stddev: 4/4 1/1 4/4 2/2][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 164/93 747/306 239/87][URL: localhost:3000/authorize.html][StatusCode: 302][Server: ntopng 6.3.241001 (arm64)][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1 Safari/605.1.15][PLAIN TEXT (XPOST /authorize.html HTTP/1.1)][Plen Bins: 0,33,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/classification_only/result/http_auth.pcap.out b/tests/cfgs/classification_only/result/http_auth.pcap.out new file mode 100644 index 000000000..51a0ec1bf --- /dev/null +++ b/tests/cfgs/classification_only/result/http_auth.pcap.out @@ -0,0 +1,27 @@ +DPI Packets (TCP): 6 (6.00 pkts/flow) +Confidence DPI : 1 (flows) +Num dissector calls: 16 (16.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 0/1/0 (insert/search/found) +Automa host: 1/0 (search/found) +Automa domain: 1/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 0/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 2/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +HTTP 33 20574 1 + +Acceptable 33 20574 1 + + 1 TCP 192.168.0.4:54337 <-> 192.254.189.169:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][14 pkts/1675 bytes <-> 19 pkts/18899 bytes][Goodput ratio: 44/93][7.10 sec][Hostname/SNI: browserspy.dk][bytes ratio: -0.837 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 204/31 1269/206 376/69][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 120/995 805/1514 190/642][URL: browserspy.dk/password-ok.php][StatusCode: 401][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][PLAIN TEXT (GET /password)][Plen Bins: 0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,6,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,0,0] |