diff options
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2022-01-11 15:23:39 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-01-11 15:23:39 +0100 |
| commit | 3a087e951d96f509c75344ad6791591e10e4f1cd (patch) | |
| tree | e1c83179768f1445610bf060917700f17fce908f /tests/result/tls_torrent.pcapng.out | |
| parent | a2916d2e4c19aff56979b1dafa7edd0c7d3c17fe (diff) | |
Add a "confidence" field about the reliability of the classification. (#1395)
As a general rule, the higher the confidence value, the higher the
"reliability/precision" of the classification.
In other words, this new field provides an hint about "how" the flow
classification has been obtained.
For example, the application may want to ignore classification "by-port"
(they are not real DPI classifications, after all) or give a second
glance at flows classified via LRU caches (because of false positives).
Setting only one value for the confidence field is a bit tricky: more
work is probably needed in the next future to tweak/fix/improve the logic.
Diffstat (limited to 'tests/result/tls_torrent.pcapng.out')
| -rw-r--r-- | tests/result/tls_torrent.pcapng.out | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/tests/result/tls_torrent.pcapng.out b/tests/result/tls_torrent.pcapng.out index 8534da1d5..2f194b956 100644 --- a/tests/result/tls_torrent.pcapng.out +++ b/tests/result/tls_torrent.pcapng.out @@ -1,6 +1,7 @@ Guessed flow protos: 0 DPI Packets (TCP): 7 (7.00 pkts/flow) +Confidence DPI : 1 (flows) BitTorrent 7 6308 1 @@ -9,4 +10,4 @@ JA3 Host Stats: 1 10.10.10.1 1 - 1 TCP 10.10.10.1:443 <-> 192.168.0.1:58842 [proto: 91.37/TLS.BitTorrent][Encrypted][cat: Download/7][6 pkts/5922 bytes <-> 1 pkts/386 bytes][Goodput ratio: 94/86][0.16 sec][Hostname/SNI: web.utorrent.com][bytes ratio: 0.878 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 32/0 147/0 58/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/386 987/386 1454/386 651/0][Risk: ** TLS (probably) not carrying HTTPS **** Possibly Malicious JA3 Fingerprint **][Risk Score: 60][TLSv1.2][JA3C: fd80fa9c6120cdeea8520510f3c644ac][ServerNames: *.utorrent.com,utorrent.com][JA3S: 6f84bbe9810ec4ea9061cc1a02eaf83c][Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2][Subject: CN=*.utorrent.com][Certificate SHA-1: E4:8F:E4:15:C7:D0:B7:EA:E6:F6:B1:B4:40:F0:13:D1:5E:7F:64:E8][Firefox][Validity: 2021-09-27 07:16:05 - 2022-09-24 22:26:57][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,60,0,0,0,0] + 1 TCP 10.10.10.1:443 <-> 192.168.0.1:58842 [proto: 91.37/TLS.BitTorrent][Encrypted][Confidence: DPI][cat: Download/7][6 pkts/5922 bytes <-> 1 pkts/386 bytes][Goodput ratio: 94/86][0.16 sec][Hostname/SNI: web.utorrent.com][bytes ratio: 0.878 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 32/0 147/0 58/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/386 987/386 1454/386 651/0][Risk: ** TLS (probably) not carrying HTTPS **** Possibly Malicious JA3 Fingerprint **][Risk Score: 60][TLSv1.2][JA3C: fd80fa9c6120cdeea8520510f3c644ac][ServerNames: *.utorrent.com,utorrent.com][JA3S: 6f84bbe9810ec4ea9061cc1a02eaf83c][Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2][Subject: CN=*.utorrent.com][Certificate SHA-1: E4:8F:E4:15:C7:D0:B7:EA:E6:F6:B1:B4:40:F0:13:D1:5E:7F:64:E8][Firefox][Validity: 2021-09-27 07:16:05 - 2022-09-24 22:26:57][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,60,0,0,0,0] |