author | Luca Deri <deri@ntop.org> | 2023-01-12 10:06:31 +0100 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2023-01-12 10:06:31 +0100 |
commit | 1f7c57deff9debbda3d26be906e067dcf73ce1f9 (patch) | |
tree | 091ed5cf727c9cb9388d7b2628a0b33df8a11167 /tests/result | |
parent | a944514ddec73f79704f55aab1423e39f4ce7a03 (diff) |
Improved DGA detection
Diffstat (limited to 'tests/result')
-rw-r--r-- | tests/result/1kxun.pcap.out | 2 | ||||
-rw-r--r-- | tests/result/anyconnect-vpn.pcap.out | 2 | ||||
-rw-r--r-- | tests/result/mpeg-dash.pcap.out | 4 | ||||
-rw-r--r-- | tests/result/skype_no_unknown.pcap.out | 2 | ||||
-rw-r--r-- | tests/result/telegram.pcap.out | 2 | ||||
-rw-r--r-- | tests/result/tor.pcap.out | 2 | ||||
-rw-r--r-- | tests/result/wechat.pcap.out | 2 |
7 files changed, 8 insertions, 8 deletions
diff --git a/tests/result/1kxun.pcap.out b/tests/result/1kxun.pcap.out
index 7947eb95a..e04ef9a45 100644
--- a/tests/result/1kxun.pcap.out
+++ b/tests/result/1kxun.pcap.out
@@ -14,7 +14,7 @@ LRU cache tls_cert: 0/8/0 (insert/search/found)
 LRU cache mining: 0/20/0 (insert/search/found)
 LRU cache msteams: 0/0/0 (insert/search/found)
 LRU cache stun_zoom: 0/14/0 (insert/search/found)
-Automa host: 164/72 (search/found)
+Automa host: 161/72 (search/found)
 Automa domain: 156/0 (search/found)
 Automa tls cert: 0/0 (search/found)
 Automa risk mask: 22/0 (search/found)
diff --git a/tests/result/anyconnect-vpn.pcap.out b/tests/result/anyconnect-vpn.pcap.out
index 74b455c6d..8433e85e6 100644
--- a/tests/result/anyconnect-vpn.pcap.out
+++ b/tests/result/anyconnect-vpn.pcap.out
@@ -15,7 +15,7 @@ LRU cache tls_cert: 0/11/0 (insert/search/found)
 LRU cache mining: 0/10/0 (insert/search/found)
 LRU cache msteams: 0/0/0 (insert/search/found)
 LRU cache stun_zoom: 0/1/0 (insert/search/found)
-Automa host: 70/13 (search/found)
+Automa host: 69/13 (search/found)
 Automa domain: 69/0 (search/found)
 Automa tls cert: 4/0 (search/found)
 Automa risk mask: 10/0 (search/found)
diff --git a/tests/result/mpeg-dash.pcap.out b/tests/result/mpeg-dash.pcap.out
index 17a1f47f5..2eea6806a 100644
--- a/tests/result/mpeg-dash.pcap.out
+++ b/tests/result/mpeg-dash.pcap.out
@@ -14,7 +14,7 @@ LRU cache stun_zoom: 0/0/0 (insert/search/found)
 Automa host: 3/0 (search/found)
 Automa domain: 3/0 (search/found)
 Automa tls cert: 0/0 (search/found)
-Automa risk mask: 1/0 (search/found)
+Automa risk mask: 0/0 (search/found)
 Automa common alpns: 0/0 (search/found)
 Patricia risk mask: 8/0 (search/found)
 Patricia risk: 0/0 (search/found)
@@ -22,7 +22,7 @@ Patricia protocols: 5/3 (search/found) MpegDash 13 4669 4 - 1 TCP 10.84.1.81:60926 <-> 166.248.152.10:80 [proto: 7.291/HTTP.MpegDash][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][2 pkts/456 bytes <-> 2 pkts/1520 bytes][Goodput ratio: 72/92][0.30 sec][Hostname/SNI: gdl.news-cdn.site][URL: gdl.news-cdn.site/as/bigo-ad-creatives/3s3/2lOTA7.mp4][StatusCode: 200][User-Agent: Mozilla/5.0 (Linux; Android 11; SM-A715F Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/89.0.4389.105 Mobile Safari/537.36][Risk: ** Suspicious DGA Domain name **][Risk Score: 100][Risk Info: gdl.news-cdn.site][PLAIN TEXT (GET /as/bigo)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0] + 1 TCP 10.84.1.81:60926 <-> 166.248.152.10:80 [proto: 7.291/HTTP.MpegDash][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Media/1][2 pkts/456 bytes <-> 2 pkts/1520 bytes][Goodput ratio: 72/92][0.30 sec][Hostname/SNI: gdl.news-cdn.site][URL: gdl.news-cdn.site/as/bigo-ad-creatives/3s3/2lOTA7.mp4][StatusCode: 200][User-Agent: Mozilla/5.0 (Linux; Android 11; SM-A715F Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/89.0.4389.105 Mobile Safari/537.36][PLAIN TEXT (GET /as/bigo)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0] 2 TCP 54.161.101.85:80 <-> 192.168.2.105:59144 [proto: 7.291/HTTP.MpegDash][IP: 265/AmazonAWS][ClearText][Confidence: DPI][cat: Media/1][2 pkts/1649 bytes <-> 2 pkts/323 bytes][Goodput ratio: 92/59][0.01 sec][Risk: ** HTTP Suspicious User-Agent **][Risk Score: 100][Risk Info: Empty or missing User-Agent][PLAIN TEXT (OHTTP/1.1 200 OK)][Plen Bins: 0,0,33,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0] 3 TCP 192.168.2.105:59142 <-> 54.161.101.85:80 [proto: 7.291/HTTP.MpegDash][IP: 265/AmazonAWS][ClearText][Confidence: DPI][cat: 
Media/1][3 pkts/390 bytes <-> 1 pkts/74 bytes][Goodput ratio: 47/0][0.10 sec][Hostname/SNI: livesim.dashif.org][URL: livesim.dashif.org/livesim/sts_1652783809/sid_40c11e12/chunkdur_1/ato_7/testpic4_8s/A48/init.mp4][StatusCode: 0][User-Agent: VLC/3.0.16 LibVLC/3.0.16][PLAIN TEXT (IGET /livesim/sts)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 TCP 192.168.2.105:59146 -> 54.161.101.85:80 [proto: 7.291/HTTP.MpegDash][IP: 265/AmazonAWS][ClearText][Confidence: DPI][cat: Media/1][1 pkts/257 bytes -> 0 pkts/0 bytes][Goodput ratio: 74/0][< 1 sec][Hostname/SNI: livesim.dashif.org][URL: livesim.dashif.org/livesim/sts_1652783809/sid_40c11e12/chunkdur_1/ato_7/testpic4_8s/V2400/206598099.m4s][StatusCode: 0][User-Agent: VLC/3.0.16 LibVLC/3.0.16][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (GET /livesim/sts)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out
index e5efef9e8..95ab1487f 100644
--- a/tests/result/skype_no_unknown.pcap.out
+++ b/tests/result/skype_no_unknown.pcap.out
@@ -15,7 +15,7 @@ LRU cache tls_cert: 1/2/0 (insert/search/found)
 LRU cache mining: 0/66/0 (insert/search/found)
 LRU cache msteams: 0/168/0 (insert/search/found)
 LRU cache stun_zoom: 0/0/0 (insert/search/found)
-Automa host: 135/121 (search/found)
+Automa host: 133/121 (search/found)
 Automa domain: 130/0 (search/found)
 Automa tls cert: 1/1 (search/found)
 Automa risk mask: 4/0 (search/found)
diff --git a/tests/result/telegram.pcap.out b/tests/result/telegram.pcap.out
index d5e97406f..5c3968188 100644
--- a/tests/result/telegram.pcap.out
+++ b/tests/result/telegram.pcap.out
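Review bot: The second mpeg-dash.pcap.out hunk only shows the detector going quieter: flow 1 (`Hostname/SNI: gdl.news-cdn.site`) loses `[Risk: ** Suspicious DGA Domain name **][Risk Score: 100]`, and none of the seven expectation files in this tests/result diffstat gains a DGA risk line. That pins the false-positive fix but not the opposite direction, so a later over-relaxation of the check could pass these expectations unnoticed; it is worth confirming that some capture with known algorithmically generated names is still expected to report the risk, and adding one to tests/result if none exists. The drop of `Automa risk mask` from 1/0 to 0/0 in the first mpeg-dash hunk and the lower `Automa host` search counts in the other six files look like lookups that the DGA check no longer performs, which is presumably intended. The commit title "Improved DGA detection" does not say which names are now exempt, and a sentence on that in the description would let a reader judge the detection trade-off.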
@@ -12,7 +12,7 @@ LRU cache tls_cert: 0/0/0 (insert/search/found)
 LRU cache mining: 0/2/0 (insert/search/found)
 LRU cache msteams: 0/0/0 (insert/search/found)
 LRU cache stun_zoom: 0/2/0 (insert/search/found)
-Automa host: 41/13 (search/found)
+Automa host: 40/13 (search/found)
 Automa domain: 39/0 (search/found)
 Automa tls cert: 0/0 (search/found)
 Automa risk mask: 4/0 (search/found)
diff --git a/tests/result/tor.pcap.out b/tests/result/tor.pcap.out
index 7859e6670..3d3e1f81c 100644
--- a/tests/result/tor.pcap.out
+++ b/tests/result/tor.pcap.out
@@ -13,7 +13,7 @@ LRU cache tls_cert: 0/8/0 (insert/search/found)
 LRU cache mining: 0/1/0 (insert/search/found)
 LRU cache msteams: 0/0/0 (insert/search/found)
 LRU cache stun_zoom: 0/0/0 (insert/search/found)
-Automa host: 8/0 (search/found)
+Automa host: 7/0 (search/found)
 Automa domain: 7/0 (search/found)
 Automa tls cert: 4/0 (search/found)
 Automa risk mask: 6/0 (search/found)
diff --git a/tests/result/wechat.pcap.out b/tests/result/wechat.pcap.out
index cf167f77b..72a3f14fe 100644
--- a/tests/result/wechat.pcap.out
+++ b/tests/result/wechat.pcap.out
@@ -15,7 +15,7 @@ LRU cache tls_cert: 0/0/0 (insert/search/found)
 LRU cache mining: 0/26/0 (insert/search/found)
 LRU cache msteams: 0/0/0 (insert/search/found)
 LRU cache stun_zoom: 0/0/0 (insert/search/found)
-Automa host: 96/51 (search/found)
+Automa host: 95/51 (search/found)
 Automa domain: 94/0 (search/found)
 Automa tls cert: 0/0 (search/found)
 Automa risk mask: 29/0 (search/found) |