Added Psiphon detection patterns. See #566 and #1099.add/psiphon3

 * The traces are not up to date, but this is the best we got so far.

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>

1 files changed, 13 insertions, 0 deletions

diff --git a/tests/result/psiphon3.pcap.out b/tests/result/psiphon3.pcap.out
new file mode 100644
index 000000000..f47e480fe
--- /dev/null
+++ b/tests/result/psiphon3.pcap.out
@@ -0,0 +1,13 @@
+Guessed flow protos:	0
+
+DPI Packets (TCP):	12	(12.00 pkts/flow)
+Confidence DPI              : 1 (flows)
+
+Psiphon	62	11818	1
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 192.168.0.103            	 1      
+
+
+	1	TCP 192.168.0.103:40557 <-> 104.18.151.190:443 [proto: 91.303/TLS.Psiphon][Encrypted][Confidence: DPI][cat: VPN/2][32 pkts/5020 bytes <-> 30 pkts/6798 bytes][Goodput ratio: 74/82][0.72 sec][ALPN: h2;http/1.1][bytes ratio: -0.150 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 24/4 501/41 98/9][Pkt Len c2s/s2c min/avg/max/stddev: 40/40 157/227 1048/1500 249/417][Risk: ** Missing SNI TLS Extn **][Risk Score: 50][Risk Info: No client to server traffic][TLSv1.2][JA3C: 2d703033628575a99d44820c43b84876][ServerNames: sni.cloudflaressl.com,psiphon3.net,*.psiphon3.net][JA3S: eca9b8f0f3eae50309eaf901cb822d9b][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: 49:30:DE:8F:B7:AF:C3:76:40:09:44:15:B4:6B:D9:8F:BE:0C:6B:0C][Firefox][Validity: 2020-08-09 00:00:00 - 2021-08-09 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 7,24,24,0,0,7,0,0,7,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,7,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0]