mining: a better identification logic (#2221)

It is quite simple (and not so efficient) but it should fix all the false positives reported in #2216. Add support for Ethereum mining. Merge all the mining traces. Remove duplicated function. Close #2216
author: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> 2023-12-20 10:46:57 +0100
committer: GitHub <noreply@github.com> 2023-12-20 10:46:57 +0100
commit: 8aa09f9c994bd234e17b4f4ad8b6808e2561c4d6 (patch)
tree: 819fe1a0e083f92cf0e06027a241fc6e700a3ed8 /tests
parent: 308b2663333387008cd2331d99a5a75b0a343f53 (diff)
5 files changed, 29 insertions, 53 deletions
diff --git a/tests/cfgs/default/pcap/monero-mining.pcap b/tests/cfgs/default/pcap/mining.pcapng
index 67d796882..b3c92217a 100644
--- a/tests/cfgs/default/pcap/monero-mining.pcap
+++ b/tests/cfgs/default/pcap/mining.pcapng
diff --git a/tests/cfgs/default/pcap/zcash.pcap b/tests/cfgs/default/pcap/zcash.pcap
deleted file mode 100644
index 213585dbd..000000000
--- a/tests/cfgs/default/pcap/zcash.pcap
+++ /dev/null
diff --git a/tests/cfgs/default/result/mining.pcapng.out b/tests/cfgs/default/result/mining.pcapng.out
new file mode 100644
index 000000000..dfb1cbe83
--- /dev/null
+++ b/tests/cfgs/default/result/mining.pcapng.out
@@ -0,0 +1,29 @@
+DPI Packets (TCP):	17	(4.25 pkts/flow)
+Confidence DPI              : 4 (flows)
+Num dissector calls: 105 (26.25 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache zoom:       0/0/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/0/0 (insert/search/found)
+LRU cache mining:     4/0/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache stun_zoom:  0/0/0 (insert/search/found)
+Automa host:          0/0 (search/found)
+Automa domain:        0/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     0/0 (search/found)
+Automa common alpns:  0/0 (search/found)
+Patricia risk mask:   0/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk:        1/0 (search/found)
+Patricia risk IPv6:   0/0 (search/found)
+Patricia protocols:   8/0 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+Mining	673	219078	4
+
+	1	TCP 192.168.2.148:46838 <-> 94.23.199.191:3333 [proto: 42/Mining][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Mining/99][159 pkts/143155 bytes <-> 113 pkts/13204 bytes][Goodput ratio: 93/43][1091.42 sec][currency: ZCash][bytes ratio: 0.831 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 7234/8131 71734/71815 15224/15291][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 900/117 1514/376 709/99][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (method)][Plen Bins: 28,2,0,1,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,29,29,0,0]
+	2	TCP 147.229.13.222:49307 <-> 185.71.66.39:9999 [proto: 42/Mining][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 5][cat: Mining/99][112 pkts/10941 bytes <-> 97 pkts/20817 bytes][Goodput ratio: 45/74][295.93 sec][currency: Ethereum][bytes ratio: -0.311 (Download)][IAT c2s/s2c min/avg/max/stddev: 8/0 2992/2893 9784/10017 3265/3384][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 98/215 259/297 57/112][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (worker)][Plen Bins: 0,1,28,0,12,0,0,58,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	3	TCP 192.168.2.92:55190 <-> 178.32.196.217:9050 [proto: 42/Mining][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Mining/99][83 pkts/11785 bytes <-> 62 pkts/8859 bytes][Goodput ratio: 53/53][1154.54 sec][currency: ZCash/Monero][bytes ratio: 0.142 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 15953/19141 60205/60205 20621/20751][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 142/143 326/369 91/88][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (method)][Plen Bins: 0,40,0,0,0,44,0,13,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	4	TCP 192.168.2.148:53846 <-> 116.211.167.195:3333 [proto: 42/Mining][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Mining/99][24 pkts/4455 bytes <-> 23 pkts/5862 bytes][Goodput ratio: 70/78][1065.16 sec][currency: ZCash][bytes ratio: -0.136 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 46166/51528 195463/195463 61020/65306][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 186/255 1498/364 395/138][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (method)][Plen Bins: 4,13,4,8,0,0,0,0,0,61,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,4,0,0]
diff --git a/tests/cfgs/default/result/monero-mining.pcap.out b/tests/cfgs/default/result/monero-mining.pcap.out
deleted file mode 100644
index 68b861443..000000000
--- a/tests/cfgs/default/result/monero-mining.pcap.out
+++ /dev/null
@@ -1,27 +0,0 @@
-DPI Packets (TCP):	8	(4.00 pkts/flow)
-Confidence DPI              : 2 (flows)
-Num dissector calls: 52 (26.00 diss/flow)
-LRU cache ookla:      0/0/0 (insert/search/found)
-LRU cache bittorrent: 0/0/0 (insert/search/found)
-LRU cache zoom:       0/0/0 (insert/search/found)
-LRU cache stun:       0/0/0 (insert/search/found)
-LRU cache tls_cert:   0/0/0 (insert/search/found)
-LRU cache mining:     2/0/0 (insert/search/found)
-LRU cache msteams:    0/0/0 (insert/search/found)
-LRU cache stun_zoom:  0/0/0 (insert/search/found)
-Automa host:          0/0 (search/found)
-Automa domain:        0/0 (search/found)
-Automa tls cert:      0/0 (search/found)
-Automa risk mask:     0/0 (search/found)
-Automa common alpns:  0/0 (search/found)
-Patricia risk mask:   0/0 (search/found)
-Patricia risk mask IPv6: 0/0 (search/found)
-Patricia risk:        0/0 (search/found)
-Patricia risk IPv6:   0/0 (search/found)
-Patricia protocols:   4/0 (search/found)
-Patricia protocols IPv6: 0/0 (search/found)
-
-Mining	319	166676	2
-
-	1	TCP 192.168.2.148:46838 <-> 94.23.199.191:3333 [proto: 42/Mining][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Mining/99][159 pkts/143155 bytes <-> 113 pkts/13204 bytes][Goodput ratio: 93/43][1091.42 sec][currency: ZCash/Monero][bytes ratio: 0.831 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 7234/8131 71734/71815 15224/15291][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 900/117 1514/376 709/99][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (method)][Plen Bins: 28,2,0,1,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,29,29,0,0]
-	2	TCP 192.168.2.148:53846 <-> 116.211.167.195:3333 [proto: 42/Mining][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Mining/99][24 pkts/4455 bytes <-> 23 pkts/5862 bytes][Goodput ratio: 70/78][1065.16 sec][currency: ZCash/Monero][bytes ratio: -0.136 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 46166/51528 195463/195463 61020/65306][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 186/255 1498/364 395/138][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (method)][Plen Bins: 4,13,4,8,0,0,0,0,0,61,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,4,0,0]
diff --git a/tests/cfgs/default/result/zcash.pcap.out b/tests/cfgs/default/result/zcash.pcap.out
deleted file mode 100644
index 8bb6a2875..000000000
--- a/tests/cfgs/default/result/zcash.pcap.out
+++ /dev/null
@@ -1,26 +0,0 @@
-DPI Packets (TCP):	4	(4.00 pkts/flow)
-Confidence DPI              : 1 (flows)
-Num dissector calls: 26 (26.00 diss/flow)
-LRU cache ookla:      0/0/0 (insert/search/found)
-LRU cache bittorrent: 0/0/0 (insert/search/found)
-LRU cache zoom:       0/0/0 (insert/search/found)
-LRU cache stun:       0/0/0 (insert/search/found)
-LRU cache tls_cert:   0/0/0 (insert/search/found)
-LRU cache mining:     1/0/0 (insert/search/found)
-LRU cache msteams:    0/0/0 (insert/search/found)
-LRU cache stun_zoom:  0/0/0 (insert/search/found)
-Automa host:          0/0 (search/found)
-Automa domain:        0/0 (search/found)
-Automa tls cert:      0/0 (search/found)
-Automa risk mask:     0/0 (search/found)
-Automa common alpns:  0/0 (search/found)
-Patricia risk mask:   0/0 (search/found)
-Patricia risk mask IPv6: 0/0 (search/found)
-Patricia risk:        0/0 (search/found)
-Patricia risk IPv6:   0/0 (search/found)
-Patricia protocols:   2/0 (search/found)
-Patricia protocols IPv6: 0/0 (search/found)
-
-Mining	145	20644	1
-
-	1	TCP 192.168.2.92:55190 <-> 178.32.196.217:9050 [proto: 42/Mining][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Mining/99][83 pkts/11785 bytes <-> 62 pkts/8859 bytes][Goodput ratio: 53/53][1154.54 sec][currency: ZCash/Monero][bytes ratio: 0.142 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 15953/19141 60205/60205 20621/20751][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 142/143 326/369 91/88][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (method)][Plen Bins: 0,40,0,0,0,44,0,13,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
author	Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>	2023-12-20 10:46:57 +0100
committer	GitHub <noreply@github.com>	2023-12-20 10:46:57 +0100
commit	8aa09f9c994bd234e17b4f4ad8b6808e2561c4d6 (patch)
tree	819fe1a0e083f92cf0e06027a241fc6e700a3ed8 /tests
parent	308b2663333387008cd2331d99a5a75b0a343f53 (diff)