diff options
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2023-01-18 07:19:44 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-01-18 07:19:44 +0100 |
| commit | de24206adccf2347addc05d6d62b3bf743fef411 (patch) | |
| tree | 925b6e769f41746269ccd6617eb970efd0ea11c9 /tests/result | |
| parent | 97014c53f3855b657ad876df2d1e5954ae52a075 (diff) | |
POP3: improve detection (#1856)
Diffstat (limited to 'tests/result')
| -rw-r--r-- | tests/result/pop3.pcap.out | 21 | ||||
| -rw-r--r-- | tests/result/pop3_stls.pcap.out | 4 |
2 files changed, 15 insertions, 10 deletions
diff --git a/tests/result/pop3.pcap.out b/tests/result/pop3.pcap.out index 3842932b3..f276fa6a8 100644 --- a/tests/result/pop3.pcap.out +++ b/tests/result/pop3.pcap.out @@ -1,8 +1,8 @@ -Guessed flow protos: 0 +Guessed flow protos: 2 -DPI Packets (TCP): 10 (10.00 pkts/flow) -Confidence DPI : 1 (flows) -Num dissector calls: 169 (169.00 diss/flow) +DPI Packets (TCP): 83 (13.83 pkts/flow) +Confidence DPI : 6 (flows) +Num dissector calls: 1098 (183.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) @@ -16,10 +16,15 @@ Automa domain: 0/0 (search/found) Automa tls cert: 0/0 (search/found) Automa risk mask: 0/0 (search/found) Automa common alpns: 0/0 (search/found) -Patricia risk mask: 2/0 (search/found) +Patricia risk mask: 14/0 (search/found) Patricia risk: 2/0 (search/found) -Patricia protocols: 2/0 (search/found) +Patricia protocols: 14/0 (search/found) -POP3 31 3915 1 +POP3 144 31172 6 - 1 TCP 143.225.229.181:35287 <-> 74.208.5.28:110 [proto: 2/POP3][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Email/3][18 pkts/1269 bytes <-> 13 pkts/2646 bytes][Goodput ratio: 6/67][27.32 sec][User: cicciopernacchio@mail.com][Pwd: pippozzo][bytes ratio: -0.352 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1792/2973 5526/5668 2204/2427][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 70/204 98/1514 8/379][Risk: ** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 110][Risk Info: Found username (cicciopernacchio@mail.com)][PLAIN TEXT (OK POP server ready H migmxus)][Plen Bins: 60,20,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0] + 1 TCP 192.168.0.4:26383 <-> 212.227.15.166:110 [proto: 2/POP3][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Email/3][22 pkts/1338 bytes <-> 30 pkts/21359 bytes][Goodput ratio: 10/92][1.26 sec][bytes ratio: -0.882 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 59/41 97/111 37/39][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 61/712 120/1514 14/680][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (OK POP server ready H mimap)][Plen Bins: 47,5,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,2,0,0,2,0,0,0,0,0,0,0,30,0,0] + 2 TCP 143.225.229.181:35287 <-> 74.208.5.28:110 [proto: 2/POP3][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Email/3][18 pkts/1269 bytes <-> 13 pkts/2646 bytes][Goodput ratio: 6/67][27.32 sec][User: cicciopernacchio@mail.com][Pwd: pippozzo][bytes ratio: -0.352 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1792/2973 5526/5668 2204/2427][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 70/204 98/1514 8/379][Risk: ** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 110][Risk Info: Found username (cicciopernacchio@mail.com)][PLAIN TEXT (OK POP server ready H migmxus)][Plen Bins: 60,20,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0] + 3 TCP 192.168.0.4:26308 <-> 212.227.15.166:110 [proto: 2/POP3][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Email/3][9 pkts/594 bytes <-> 10 pkts/881 bytes][Goodput ratio: 16/34][0.59 sec][bytes ratio: -0.195 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 29/0 64/64 81/88 18/29][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 66/88 120/145 20/32][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (OK POP server ready H mimap)][Plen Bins: 63,9,27,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 TCP 192.168.0.4:26284 <-> 212.227.15.166:110 [proto: 2/POP3][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Email/3][9 pkts/596 bytes <-> 9 pkts/735 bytes][Goodput ratio: 14/28][3.52 sec][bytes ratio: -0.104 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 33/1 484/65 2995/98 1025/32][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 66/82 116/145 18/27][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (OK POP server ready H mimap)][Plen Bins: 66,22,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 TCP 192.168.0.4:26272 <-> 212.227.15.166:110 [proto: 2/POP3][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Email/3][6 pkts/348 bytes <-> 6 pkts/529 bytes][Goodput ratio: 3/33][0.21 sec][bytes ratio: -0.206 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 40/32 65/48 24/22][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 58/88 66/145 4/31][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (OK POP server ready H mimap)][Plen Bins: 60,20,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 TCP 192.168.0.4:26304 <-> 212.227.15.166:110 [proto: 2/POP3][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Email/3][6 pkts/348 bytes <-> 6 pkts/529 bytes][Goodput ratio: 3/33][0.25 sec][bytes ratio: -0.206 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 44/43 73/81 27/33][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 58/88 66/145 4/31][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (OK POP server ready H mimap)][Plen Bins: 60,20,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/pop3_stls.pcap.out b/tests/result/pop3_stls.pcap.out index b7ce73eb4..45750256a 100644 --- a/tests/result/pop3_stls.pcap.out +++ b/tests/result/pop3_stls.pcap.out @@ -2,7 +2,7 @@ Guessed flow protos: 0 DPI Packets (TCP): 18 (18.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 219 (219.00 diss/flow) +Num dissector calls: 185 (185.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) @@ -27,4 +27,4 @@ JA3 Host Stats: 1 192.168.20.18 1 - 1 TCP 192.168.20.18:50583 <-> 72.249.41.52:110 [proto: 23/POPS][IP: 0/Unknown][Encrypted][Confidence: DPI][cat: Email/3][23 pkts/2059 bytes <-> 30 pkts/9130 bytes][Goodput ratio: 39/82][5.43 sec][Hostname/SNI: pop.lavabit.com][bytes ratio: -0.632 (Download)][IAT c2s/s2c min/avg/max/stddev: 6/0 273/202 2072/2002 508/432][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 90/304 368/1514 69/480][Risk: ** Known Proto on Non Std Port **** Obsolete TLS (v1.1 or older) **][Risk Score: 150][Risk Info: Expected on port 995 / TLSv1][TLSv1][JA3C: 207409c2b30e670ca50e1eac016a4831][ServerNames: *.lavabit.com,lavabit.com][JA3S: 6b96cf9c27b0223177b0e9f135fe4899 (INSECURE)][Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority][Subject: O=*.lavabit.com, OU=Domain Control Validated, CN=*.lavabit.com][Certificate SHA-1: 1D:14:60:3D:5E:0F:A2:EB:61:C5:27:F8:A4:26:80:B3:E5:BB:A2:B2][Validity: 2012-02-17 04:07:46 - 2017-02-17 04:07:46][Cipher: TLS_RSA_WITH_RC4_128_SHA][PLAIN TEXT (ERR Unrecognized command.)][Plen Bins: 34,37,2,2,2,5,0,2,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0] + 1 TCP 192.168.20.18:50583 <-> 72.249.41.52:110 [proto: 23/POPS][IP: 0/Unknown][Encrypted][Confidence: DPI][cat: Email/3][23 pkts/2059 bytes <-> 30 pkts/9130 bytes][Goodput ratio: 39/82][5.43 sec][Hostname/SNI: pop.lavabit.com][bytes ratio: -0.632 (Download)][IAT c2s/s2c min/avg/max/stddev: 6/0 273/202 2072/2002 508/432][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 90/304 368/1514 69/480][Risk: ** Obsolete TLS (v1.1 or older) **** Unsafe Protocol **][Risk Score: 110][Risk Info: TLSv1][TLSv1][JA3C: 207409c2b30e670ca50e1eac016a4831][ServerNames: *.lavabit.com,lavabit.com][JA3S: 6b96cf9c27b0223177b0e9f135fe4899 (INSECURE)][Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority][Subject: O=*.lavabit.com, OU=Domain Control Validated, CN=*.lavabit.com][Certificate SHA-1: 1D:14:60:3D:5E:0F:A2:EB:61:C5:27:F8:A4:26:80:B3:E5:BB:A2:B2][Validity: 2012-02-17 04:07:46 - 2017-02-17 04:07:46][Cipher: TLS_RSA_WITH_RC4_128_SHA][PLAIN TEXT (ERR Unrecognized command.)][Plen Bins: 34,37,2,2,2,5,0,2,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0] |