authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2023-12-13 17:14:04 +0100
committerGitHub <noreply@github.com>2023-12-13 17:14:04 +0100
commit193f28582bf19fc9b42c7ea2a0a07203c218c728 (patch)
tree94cc1d984e27824948b9c57689273eeb40a7ce95 /tests
parent8e14aac5e0670c281a35433e63c7cfa5634f72df (diff)
QUIC: add heuristic to detect unidirectional *G*QUIC flows (#2207)
Fix extraction of `flow->protos.tls_quic.quic_version` metadata.
Diffstat (limited to 'tests')
-rw-r--r--tests/cfgs/default/pcap/gquic_only_from_server.pcapbin0 -> 40244 bytes
-rw-r--r--tests/cfgs/default/result/gquic_only_from_server.pcap.out28
-rw-r--r--tests/cfgs/default/result/radius_false_positive.pcapng.out16
3 files changed, 36 insertions, 8 deletions
diff --git a/tests/cfgs/default/pcap/gquic_only_from_server.pcap b/tests/cfgs/default/pcap/gquic_only_from_server.pcap
new file mode 100644
index 000000000..a0c521b03
--- /dev/null
+++ b/tests/cfgs/default/pcap/gquic_only_from_server.pcap
Binary files differ
diff --git a/tests/cfgs/default/result/gquic_only_from_server.pcap.out b/tests/cfgs/default/result/gquic_only_from_server.pcap.out
new file mode 100644
index 000000000..7a0f0605c
--- /dev/null
+++ b/tests/cfgs/default/result/gquic_only_from_server.pcap.out
@@ -0,0 +1,28 @@
+Guessed flow protos: 0
+
+DPI Packets (UDP): 1 (1.00 pkts/flow)
+Confidence DPI : 1 (flows)
+Num dissector calls: 1 (1.00 diss/flow)
+LRU cache ookla: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache zoom: 0/0/0 (insert/search/found)
+LRU cache stun: 0/0/0 (insert/search/found)
+LRU cache tls_cert: 0/0/0 (insert/search/found)
+LRU cache mining: 0/0/0 (insert/search/found)
+LRU cache msteams: 0/0/0 (insert/search/found)
+LRU cache stun_zoom: 0/0/0 (insert/search/found)
+Automa host: 0/0 (search/found)
+Automa domain: 0/0 (search/found)
+Automa tls cert: 0/0 (search/found)
+Automa risk mask: 0/0 (search/found)
+Automa common alpns: 0/0 (search/found)
+Patricia risk mask: 2/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk: 0/0 (search/found)
+Patricia risk IPv6: 0/0 (search/found)
+Patricia protocols: 2/0 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+QUIC 30 39740 1
+
+ 1 UDP 213.202.7.26:443 -> 10.189.122.71:60524 [VLAN: 1508][proto: 188/QUIC][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: Web/5][30 pkts/39740 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][0.09 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 3/0 59/0 11/0][Pkt Len c2s/s2c min/avg/max/stddev: 69/0 1325/0 1396/0 275/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][PLAIN TEXT (AESGCC20)][Plen Bins: 3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,93,0,0,0,0,0]
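Review bot: The expected flow line accepts this server-only flow as `[Confidence: DPI]` after `[DPI packets: 1]`, but the change adds only this positive capture and no negative control. Consumers of the classification usually trust a DPI match more than a port match, so a one-packet heuristic on unidirectional UDP/443 traffic would be better bounded by a second fixture: a server-to-client-only capture on port 443 that is not GQUIC and whose expected result stays unclassified. The flow line also shows no QUIC version field; if the reader output is expected to print one for this flow, the `quic_version` fix named in the description is not pinned by this result, and an explicit expectation would help.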
diff --git a/tests/cfgs/default/result/radius_false_positive.pcapng.out b/tests/cfgs/default/result/radius_false_positive.pcapng.out
index 7d0aa0535..9fc1b1750 100644
--- a/tests/cfgs/default/result/radius_false_positive.pcapng.out
+++ b/tests/cfgs/default/result/radius_false_positive.pcapng.out
@@ -1,16 +1,16 @@
-Guessed flow protos: 1
+Guessed flow protos: 0
-DPI Packets (UDP): 10 (10.00 pkts/flow)
-Confidence Match by port : 1 (flows)
-Num dissector calls: 205 (205.00 diss/flow)
+DPI Packets (UDP): 1 (1.00 pkts/flow)
+Confidence DPI : 1 (flows)
+Num dissector calls: 1 (1.00 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
-LRU cache bittorrent: 0/3/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
LRU cache stun: 0/0/0 (insert/search/found)
LRU cache tls_cert: 0/0/0 (insert/search/found)
-LRU cache mining: 0/1/0 (insert/search/found)
+LRU cache mining: 0/0/0 (insert/search/found)
LRU cache msteams: 0/0/0 (insert/search/found)
-LRU cache stun_zoom: 0/1/0 (insert/search/found)
+LRU cache stun_zoom: 0/0/0 (insert/search/found)
Automa host: 0/0 (search/found)
Automa domain: 0/0 (search/found)
Automa tls cert: 0/0 (search/found)
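Review bot: `Num dissector calls` drops from 205 to 1 in this hunk, so the capture named for a RADIUS false positive now appears to be claimed by the QUIC dissector on its first packet and probably never reaches the RADIUS dissector. The result still records QUIC, and the flow line in the following hunk moves from `Match by port` to `DPI`, but the fixture may no longer guard the regression its name describes. If that is confirmed, the coverage could be kept by also running the same capture under a test configuration where QUIC detection is disabled, with an expected result showing the flow is not labelled RADIUS.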
@@ -25,4 +25,4 @@ Patricia protocols IPv6: 2/0 (search/found)
QUIC 10 7479 1
- 1 UDP [2bc6:b5ac:cb3b:676b::18]:443 -> [3dba:3762:c186:e122:89b0:5170:a86c:ecff]:53129 [proto: 188/QUIC][IP: 0/Unknown][Encrypted][Confidence: Match by port][DPI packets: 10][cat: Web/5][10 pkts/7479 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.34 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 38/0 290/0 90/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 748/0 1292/0 549/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][PLAIN TEXT (AESGCC20at)][Plen Bins: 20,0,0,0,0,0,20,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0]
+ 1 UDP [2bc6:b5ac:cb3b:676b::18]:443 -> [3dba:3762:c186:e122:89b0:5170:a86c:ecff]:53129 [proto: 188/QUIC][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: Web/5][10 pkts/7479 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.34 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 38/0 290/0 90/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 748/0 1292/0 549/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][PLAIN TEXT (AESGCC20at)][Plen Bins: 20,0,0,0,0,0,20,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0]