diff options
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2022-01-11 15:23:39 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-01-11 15:23:39 +0100 |
| commit | 3a087e951d96f509c75344ad6791591e10e4f1cd (patch) | |
| tree | e1c83179768f1445610bf060917700f17fce908f /tests/result/tls_port_80.pcapng.out | |
| parent | a2916d2e4c19aff56979b1dafa7edd0c7d3c17fe (diff) | |
Add a "confidence" field about the reliability of the classification. (#1395)
As a general rule, the higher the confidence value, the higher the
"reliability/precision" of the classification.
In other words, this new field provides an hint about "how" the flow
classification has been obtained.
For example, the application may want to ignore classification "by-port"
(they are not real DPI classifications, after all) or give a second
glance at flows classified via LRU caches (because of false positives).
Setting only one value for the confidence field is a bit tricky: more
work is probably needed in the next future to tweak/fix/improve the logic.
Diffstat (limited to 'tests/result/tls_port_80.pcapng.out')
| -rw-r--r-- | tests/result/tls_port_80.pcapng.out | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/tests/result/tls_port_80.pcapng.out b/tests/result/tls_port_80.pcapng.out index b5dfe05cf..3cc1b81c1 100644 --- a/tests/result/tls_port_80.pcapng.out +++ b/tests/result/tls_port_80.pcapng.out @@ -1,6 +1,7 @@ Guessed flow protos: 1 DPI Packets (TCP): 13 (13.00 pkts/flow) +Confidence DPI : 1 (flows) TLS 13 2439 1 @@ -9,4 +10,4 @@ JA3 Host Stats: 1 57.91.202.194 1 - 1 TCP 57.91.202.194:50541 <-> 132.49.141.56:80 [proto: 91/TLS][Encrypted][cat: Web/5][5 pkts/563 bytes <-> 8 pkts/1876 bytes][Goodput ratio: 43/72][14.65 sec][bytes ratio: -0.538 (Download)][IAT c2s/s2c min/avg/max/stddev: 1011/3433 2355/3433 3621/3433 1067/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 113/234 299/1414 93/446][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **** SNI TLS extension was missing **][Risk Score: 110][TLSv1.2][JA3C: 3f2fba0262b1a22b739126dfb2fe7a7d][JA3S: 107030a763c7224285717ff1569a17f3][Firefox][Cipher: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384][PLAIN TEXT (AnyNet Root CA1 0)][Plen Bins: 0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0] + 1 TCP 57.91.202.194:50541 <-> 132.49.141.56:80 [proto: 91/TLS][Encrypted][Confidence: DPI][cat: Web/5][5 pkts/563 bytes <-> 8 pkts/1876 bytes][Goodput ratio: 43/72][14.65 sec][bytes ratio: -0.538 (Download)][IAT c2s/s2c min/avg/max/stddev: 1011/3433 2355/3433 3621/3433 1067/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 113/234 299/1414 93/446][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **** SNI TLS extension was missing **][Risk Score: 110][TLSv1.2][JA3C: 3f2fba0262b1a22b739126dfb2fe7a7d][JA3S: 107030a763c7224285717ff1569a17f3][Firefox][Cipher: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384][PLAIN TEXT (AnyNet Root CA1 0)][Plen Bins: 0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0] |