path: root/tests/cfgs/caches_cfg
author: Nardi Ivan <nardi.ivan@gmail.com> 2024-02-23 22:30:54 +0100
committer: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> 2024-02-26 09:26:21 +0100
commit: ed5ba179f6461fff2a586e3f1a95e5e392c5b540 (patch)
tree: 7993934773c14eba187d0e185e25114c5e620e94 /tests/cfgs/caches_cfg
parent: c95e8c184e7e28915bf37aa623e4886fd720aba0 (diff)
Telegram: improve identification
Follow up of 31c706c3dbbf0afc4c8e0a6d0bb6f20796296549 and 75485e177ccc4fafcc62dd46c6917d5b735cf7d2.

Allow fast classification by ip, but give time to other dissectors to kick in (for example, the TLS code for the Telegram Web flows). Even if we don't classify it anymore at the very first packet (i.e. SYN), we fully classify Telegram traffic at the first packet with payload, as *any* other protocol. This way, we always have the proper category, the proper confidence for the UDP flows and we don't overwrite previous classifications (TLS or ICMP).

Remove old and stale identification logic for TCP flows.
Diffstat (limited to 'tests/cfgs/caches_cfg')
-rw-r--r-- tests/cfgs/caches_cfg/result/teams.pcap.out | 14
1 files changed, 7 insertions, 7 deletions
diff --git a/tests/cfgs/caches_cfg/result/teams.pcap.out b/tests/cfgs/caches_cfg/result/teams.pcap.out
index b110a4f33..632cd2fb2 100644
--- a/tests/cfgs/caches_cfg/result/teams.pcap.out
+++ b/tests/cfgs/caches_cfg/result/teams.pcap.out
@@ -1,19 +1,19 @@
-Guessed flow protos: 1
+Guessed flow protos: 2
-DPI Packets (TCP): 335 (7.98 pkts/flow)
+DPI Packets (TCP): 337 (8.02 pkts/flow)
DPI Packets (UDP): 74 (1.85 pkts/flow)
DPI Packets (other): 1 (1.00 pkts/flow)
Confidence Unknown : 1 (flows)
Confidence Match by port : 1 (flows)
+Confidence DPI (partial) : 1 (flows)
Confidence DPI : 80 (flows)
-Confidence Match by IP : 1 (flows)
Num dissector calls: 536 (6.46 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
-LRU cache bittorrent: 0/6/0 (insert/search/found)
+LRU cache bittorrent: 0/9/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
LRU cache stun: 24/0/0 (insert/search/found)
LRU cache tls_cert: 0/4/0 (insert/search/found)
-LRU cache mining: 0/2/0 (insert/search/found)
+LRU cache mining: 0/3/0 (insert/search/found)
LRU cache msteams: 25/19/9 (insert/search/found)
LRU cache stun_zoom: 0/1/0 (insert/search/found)
Automa host: 85/71 (search/found)
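Review bot: the "Guessed flow protos" counter rising from 1 to 2 is not explained by the commit message, which argues that the new flow handling yields "the proper confidence"; the other counters in this hunk are consistent with the flow change further down (the single "Confidence Match by IP" flow becomes the single "Confidence DPI (partial)" flow, and the two extra "DPI Packets (TCP)" match that flow's DPI packet count going from 1 to 3). A one-line remark in the commit message on why a flow classified by IP at giveup is now counted as guessed would make this expected-output change easier to review.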
@@ -21,7 +21,7 @@ Automa domain: 85/0 (search/found)
Automa tls cert: 0/0 (search/found)
Automa risk mask: 24/1 (search/found)
Automa common alpns: 67/67 (search/found)
-Patricia risk mask: 78/0 (search/found)
+Patricia risk mask: 80/0 (search/found)
Patricia risk mask IPv6: 0/0 (search/found)
Patricia risk: 1/0 (search/found)
Patricia risk IPv6: 0/0 (search/found)
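Review bot: "Patricia risk mask" going from 78 to 80 searches tracks the two additional TCP packets now handed to DPI ("DPI Packets (TCP)" 335 to 337 in the first hunk), so this counter change is expected and needs no further action.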
@@ -134,7 +134,7 @@ JA3 Host Stats:
77 UDP 192.168.1.6:62863 <-> 192.168.1.1:53 [proto: 5.250/DNS.Teams][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/103 bytes <-> 1 pkts/158 bytes][Goodput ratio: 59/73][0.07 sec][Hostname/SNI: emea.ng.msg.teams-msgapi.trafficmanager.net][52.114.108.8][PLAIN TEXT (msgapi)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
78 UDP 192.168.1.6:56634 <-> 192.168.1.1:53 [proto: 5.140/DNS.Apple][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/89 bytes <-> 1 pkts/142 bytes][Goodput ratio: 52/70][0.03 sec][Hostname/SNI: captive.apple.com.edgekey.net][23.50.158.88][PLAIN TEXT (captive)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
79 UDP 192.168.1.6:60813 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/93 bytes <-> 1 pkts/109 bytes][Goodput ratio: 54/61][0.01 sec][Hostname/SNI: skypedataprdcolneu04.cloudapp.net][52.114.77.33][PLAIN TEXT (skypedataprdcolneu04)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 80 TCP 192.168.1.6:58533 -> 149.154.167.91:443 [proto: 185/Telegram][IP: 185/Telegram][Encrypted][Confidence: Match by IP][DPI packets: 1][3 pkts/186 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][4.29 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 80 TCP 192.168.1.6:58533 -> 149.154.167.91:443 [proto: 185/Telegram][IP: 185/Telegram][Encrypted][Confidence: DPI (partial)][DPI packets: 3][cat: Chat/9][3 pkts/186 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][4.29 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
81 ICMP 93.71.110.205:0 -> 192.168.1.6:0 [proto: 81/ICMP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][0.01 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
82 UDP 192.168.1.112:57621 -> 192.168.1.255:57621 [proto: 156/Spotify][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: Music/25][1 pkts/82 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][< 1 sec][PLAIN TEXT (SpotUdp)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
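Review bot: flow 80 now carries "[cat: Chat/9]", which the old line lacked, and its confidence moves from "Match by IP" to "DPI (partial)" with "DPI packets: 3"; given "3 pkts/186 bytes -> 0 pkts/0 bytes" and "** Unidirectional Traffic **", this flow never carried payload, so the "first packet with payload" path described in the commit message is not exercised by this pcap. Consider adding, or pointing to, an expected-output change for a Telegram flow that does carry payload so the claim of full DPI confidence and correct category is actually covered by a test.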