path: root/tests/result/whois.pcapng.out
author Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> 2021-10-05 09:35:04 +0200
committer GitHub <noreply@github.com> 2021-10-05 09:35:04 +0200
commit c1e794366f303495ceb9de4403648a7ae81f84c9 (patch)
tree 9850e8ba31a91f4bb1cbc33a3262751794672300 /tests/result/whois.pcapng.out
parent bb7aff6526e47ad42c61cc25a6108014cb1a84ce (diff)
WHOIS: enhance detection, avoiding false positives (#1320)
We are interested only in the domain name required, not in the long reply.
Diffstat (limited to 'tests/result/whois.pcapng.out')
-rw-r--r-- tests/result/whois.pcapng.out 15
1 files changed, 15 insertions, 0 deletions
diff --git a/tests/result/whois.pcapng.out b/tests/result/whois.pcapng.out
new file mode 100644
index 000000000..8504e89ee
--- /dev/null
+++ b/tests/result/whois.pcapng.out
@@ -0,0 +1,15 @@
+Guessed flow protos: 1
+
+DPI Packets (TCP): 16 (5.33 pkts/flow)
+
+TLS 7 2046 1
+Whois-DAS 16 4294 2
+
+JA3 Host Stats:
+ IP Address # JA3C
+ 1 10.17.34.139 1
+
+
+ 1 TCP 192.30.45.30:43 -> 10.160.63.128:53217 [VLAN: 1908][proto: 170/Whois-DAS][ClearText][cat: Network/14][5 pkts/3410 bytes -> 0 pkts/0 bytes][Goodput ratio: 91/0][0.33 sec][PLAIN TEXT ( Domain Name)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0]
+ 2 TCP 10.17.34.139:64016 <-> 10.17.51.8:4343 [VLAN: 1603][proto: 91/TLS][Encrypted][cat: Web/5][4 pkts/628 bytes <-> 3 pkts/1418 bytes][Goodput ratio: 54/86][0.24 sec][ALPN: h2;http/1.1][bytes ratio: -0.386 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/229 74/229 222/229 105/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/70 157/473 228/1278 71/569][Risk: ** Known protocol on non standard port **** SNI TLS extension was missing **][Risk Score: 60][TLSv1.2][JA3C: 5f48063f9f3a827056ccdabadcc3886a][JA3S: 649d6810e8392f63dc311eecb6b7098b][Issuer: CN=10.17.51.7][Subject: CN=10.17.51.7, CN=10.17.51.7][Certificate SHA-1: DD:4E:28:9B:08:C1:D5:63:D1:B6:FC:DD:FD:91:A9:D4:E3:A8:7F:D5][Firefox][Validity: 2017-11-14 08:00:00 - 2022-11-13 08:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384][Plen Bins: 0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0]
+ 3 TCP 10.0.2.15:44188 <-> 192.0.47.59:43 [proto: 170/Whois-DAS][ClearText][cat: Network/14][6 pkts/357 bytes <-> 5 pkts/527 bytes][Goodput ratio: 4/44][0.30 sec][Host: example.com][bytes ratio: -0.192 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/119 60/60 120/119 50/60][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 60/105 74/287 8/91][PLAIN TEXT (example.com)][Plen Bins: 50,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
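Review bot: the expected output does not say which flow accounts for `Guessed flow protos: 1`, and the most likely candidate is flow 1 (`192.30.45.30:43 -> 10.160.63.128:53217`, 5 pkts/3410 bytes server-to-client and 0 pkts client-to-server), i.e. the reply-only direction that the commit message says the detector is no longer supposed to key on, so this flow is presumably being labelled `Whois-DAS` by port guessing on 43 rather than by the new domain-name match. That is acceptable behaviour, but it is worth stating in the commit message (or next to the pcap) that one of the three flows is expected to come from the guess path and two from payload detection (flow 3 carries `[Host: example.com]` and `[PLAIN TEXT (example.com)]`, which is the case the change targets); otherwise a later regression in port guessing would change this file and be mistaken for a detector change. The `Known protocol on non standard port` and `SNI TLS extension was missing` risks on flow 2 are expected side effects of the TLS flow on port 4343 and are unrelated to this patch.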