author: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> 2023-07-26 09:09:12 +0200
committer: GitHub <noreply@github.com> 2023-07-26 09:09:12 +0200
commit: 3326fa258ec92e553e39fc8a1bfa3921dc81f15c (patch)
tree: fcd0e725b7b5a8d13db1654a9b0864651c642f00 /tests/cfgs/default/result/Oscar.pcap.out
parent: 2b230e28e0612e8654ad617534deb9aaaabd51b7 (diff)
Add a heuristic to detect fully encrypted flows (#2058)
A fully encrypted session is a flow where every byte of the payload is encrypted in an attempt to “look like nothing”. The heuristic needs only the very first packet of the flow. See: https://www.usenix.org/system/files/sec23fall-prepub-234-wu-mingshi.pdf A basic, but generic, implementation of the popcount alg has been added
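The commit message describes the core of the check: count the set bits in the first payload of a flow and compare the average number of set bits per byte with what uniformly random data would show. The following is an added illustration written for this page, not nDPI's own code: it uses a generic popcount, the 3.4 / 4.6 bits-per-byte thresholds that the cited paper (Wu et al., USENIX Security 2023) uses for its popcount exemption, and a minimum payload length of 16 bytes that is my own assumption. The sample payloads are constructed, not taken from the Oscar.pcap test.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Generic popcount (Kernighan's trick): clears the lowest set bit per iteration,
 * so it is portable and needs no compiler builtin. */
static unsigned popcount8(uint8_t v) {
    unsigned n = 0;
    while (v) {
        v &= (uint8_t)(v - 1);
        n++;
    }
    return n;
}

/* Total number of set bits over a payload buffer. */
static size_t payload_popcount(const uint8_t *p, size_t len) {
    size_t total = 0;
    for (size_t i = 0; i < len; i++)
        total += popcount8(p[i]);
    return total;
}

/* Average set bits per byte. Uniformly random bytes average 4.0
 * (8 coin flips per byte); structured protocol headers sit far below. */
static double bits_per_byte(const uint8_t *p, size_t len) {
    if (len == 0)
        return 0.0;
    return (double)payload_popcount(p, len) / (double)len;
}

/* Thresholds from the cited paper: a payload whose average popcount is
 * <= 3.4 or >= 4.6 is treated as NOT fully encrypted. */
#define BPB_LOW  3.4
#define BPB_HIGH 4.6
/* Assumption for this example: very short payloads make the ratio too noisy. */
#define MIN_LEN  16

/* Returns 1 when the first packet looks fully encrypted by the popcount
 * criterion alone, 0 otherwise. */
static int looks_fully_encrypted(const uint8_t *p, size_t len) {
    if (len < MIN_LEN)
        return 0;
    double r = bits_per_byte(p, len);
    return (r > BPB_LOW && r < BPB_HIGH) ? 1 : 0;
}

/* Constructed samples, 16 bytes each. */
#define SAMPLE_LEN 16
/* A TLS record + handshake header prefix: lots of zero bits, 20 set bits total. */
static const uint8_t SAMPLE_TLS[SAMPLE_LEN] = {
    0x16, 0x03, 0x01, 0x00, 0xf4, 0x01, 0x00, 0x00,
    0xf0, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00
};
/* Exactly four set bits per byte: indistinguishable from random by popcount. */
static const uint8_t SAMPLE_BALANCED[SAMPLE_LEN] = {
    0x0f, 0xf0, 0x0f, 0xf0, 0x0f, 0xf0, 0x0f, 0xf0,
    0x0f, 0xf0, 0x0f, 0xf0, 0x0f, 0xf0, 0x0f, 0xf0
};
/* All bits set: 8.0 bits per byte, above the upper threshold. */
static const uint8_t SAMPLE_ONES[SAMPLE_LEN] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
};

int main(void) {
    printf("tls-like  : %.2f bits/byte -> encrypted=%d\n",
           bits_per_byte(SAMPLE_TLS, SAMPLE_LEN),
           looks_fully_encrypted(SAMPLE_TLS, SAMPLE_LEN));
    printf("balanced  : %.2f bits/byte -> encrypted=%d\n",
           bits_per_byte(SAMPLE_BALANCED, SAMPLE_LEN),
           looks_fully_encrypted(SAMPLE_BALANCED, SAMPLE_LEN));
    printf("all-ones  : %.2f bits/byte -> encrypted=%d\n",
           bits_per_byte(SAMPLE_ONES, SAMPLE_LEN),
           looks_fully_encrypted(SAMPLE_ONES, SAMPLE_LEN));
    return 0;
}
```

The balanced sample shows the limit of the popcount criterion on its own: a byte pattern with exactly four set bits per byte passes as "random" even though it is obviously structured, which is why a single bit-count test is a first filter rather than a verdict, and why a flow that later gets a proper protocol classification deserves a second look.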
Diffstat (limited to 'tests/cfgs/default/result/Oscar.pcap.out')
-rw-r--r--  tests/cfgs/default/result/Oscar.pcap.out  4
1 files changed, 2 insertions, 2 deletions
diff --git a/tests/cfgs/default/result/Oscar.pcap.out b/tests/cfgs/default/result/Oscar.pcap.out
index 806da8de6..dfcf6902f 100644
--- a/tests/cfgs/default/result/Oscar.pcap.out
+++ b/tests/cfgs/default/result/Oscar.pcap.out
@@ -16,10 +16,10 @@ Automa domain: 0/0 (search/found)
Automa tls cert: 0/0 (search/found)
Automa risk mask: 0/0 (search/found)
Automa common alpns: 0/0 (search/found)
-Patricia risk mask: 0/0 (search/found)
+Patricia risk mask: 2/0 (search/found)
Patricia risk: 0/0 (search/found)
Patricia protocols: 2/0 (search/found)
TLS 71 9386 1
- 1 TCP 10.30.29.3:63357 <-> 178.237.24.249:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: Match by port][DPI packets: 21][cat: Web/5][38 pkts/3580 bytes <-> 33 pkts/5806 bytes][Goodput ratio: 42/68][72.45 sec][bytes ratio: -0.237 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2392/2607 58175/58215 10382/11142][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 94/176 369/1414 75/257][Plen Bins: 7,58,5,5,0,0,5,2,2,7,0,0,0,0,2,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0]
+ 1 TCP 10.30.29.3:63357 <-> 178.237.24.249:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: Match by port][DPI packets: 21][cat: Web/5][38 pkts/3580 bytes <-> 33 pkts/5806 bytes][Goodput ratio: 42/68][72.45 sec][bytes ratio: -0.237 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2392/2607 58175/58215 10382/11142][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 94/176 369/1414 75/257][Risk: ** Fully encrypted flow **][Risk Score: 50][Plen Bins: 7,58,5,5,0,0,5,2,2,7,0,0,0,0,2,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0]
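Review bot: the one flow that picks up the new `[Risk: ** Fully encrypted flow **][Risk Score: 50]` tag in this expected output is a TCP/443 flow classified as TLS with `[Confidence: Match by port]`, so the classification came from the port rather than from the payload and the first packet evidently passed the popcount check; the `Patricia risk mask` counter moving from `0/0` to `2/0` shows the risk-exception lookup ran twice without a hit. That is consistent with a first-packet heuristic, but the test or the commit should state whether a flow that later receives a port-based TLS classification is meant to keep the risk, or whether this case is a known false positive that a later payload match or a risk-mask exception is expected to clear.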