| Field | Value | Date |
|---|---|---|
| author | Vladimir Gavrilov <105977161+0xA50C1A1@users.noreply.github.com> | 2023-11-23 11:35:43 +0300 |
| committer | GitHub <noreply@github.com> | 2023-11-23 09:35:43 +0100 |
| commit | fbae51ae9de3cd4c22664e25ec29d73abe64adfc (patch) | |
| tree | 84a50d8225953660e71719910ea3783c905216e7 /tests | |
| parent | 5c8c5c90c2b0d34a3e528c7271de7ac5c131a027 (diff) | |
Get rid of RDP false positives (#2161)
* Get rid of false positives in the RDP protocol dissector
* Remove kludge for RDP
* RDP: improve detection
---------
Co-authored-by: 0xA50C1A1 <mage.wizard88@gmail.com>
Co-authored-by: Nardi Ivan <nardi.ivan@gmail.com>
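As an added illustration (example code written for this page, not nDPI's RDP dissector, whose source is not part of this tests-only diff): the RDP flow in the result file below (client to port 3389, tagged `PLAIN TEXT (Cookie)`) and the S7comm flow (client to port 102) both open with a TPKT-framed X.224/COTP Connection Request. A dissector that keys on that shared TPKT+CR prefix alone will claim S7comm and other COTP traffic as RDP, which is the false-positive class the commit title refers to. The classifier below parses the prefix and reports RDP only when the CR carries the `Cookie: mstshash=` routing cookie and/or an rdpNegReq as laid out in MS-RDPBCGR; a CR whose variable part is a well-formed ISO 8073 parameter list is reported as generic COTP instead. Whether nDPI's fixed dissector applies exactly these checks is an assumption; the sample packets are constructed for this example, not extracted from the pcaps in this commit.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Example classifier for the first client packet of a TPKT/COTP session.
 * Not nDPI code: it only shows why TPKT+CR alone cannot separate RDP from S7comm. */
enum cr_class {
    CR_NOT_TPKT,     /* not a TPKT frame carrying a COTP CR TPDU */
    CR_TRUNCATED,    /* TPKT length exceeds the bytes seen; wait for reassembly */
    CR_MALFORMED,    /* framing OK but the variable part is inconsistent */
    CR_GENERIC_COTP, /* CR with ISO 8073 parameters (e.g. S7comm) or no payload at all */
    CR_RDP           /* CR carrying an RDP cookie and/or rdpNegReq (MS-RDPBCGR 2.2.1.1) */
};

/* "Cookie: mstshash=<id>\r\n"; returns bytes consumed including CRLF, 0 if absent */
static size_t rdp_cookie_len(const uint8_t *v, size_t n)
{
    static const char prefix[] = "Cookie: mstshash=";
    const size_t plen = sizeof(prefix) - 1;
    if (n < plen || memcmp(v, prefix, plen) != 0)
        return 0;
    for (size_t i = plen; i + 1 < n; i++)
        if (v[i] == '\r' && v[i + 1] == '\n')
            return i + 2;
    return 0; /* prefix without CRLF terminator is not a valid cookie */
}

/* rdpNegReq: type 0x01, flags, length 0x0008 little-endian, requestedProtocols (4) */
static int is_rdp_negreq(const uint8_t *v, size_t n)
{
    return n == 8 && v[0] == 0x01 && v[2] == 0x08 && v[3] == 0x00;
}

/* ISO 8073 CR variable part: sequence of <code, length, value...> parameters */
static int cotp_params_wellformed(const uint8_t *v, size_t n)
{
    size_t i = 0, count = 0;
    while (i < n) {
        if (i + 2 > n || i + 2 + v[i + 1] > n)
            return 0; /* parameter runs past the end of the TPDU */
        i += 2 + v[i + 1];
        count++;
    }
    return count > 0;
}

enum cr_class classify_cr(const uint8_t *p, size_t n)
{
    /* TPKT (4) + LI (1) + CR fixed part: code, DST-REF, SRC-REF, class option (6) */
    if (n < 11 || p[0] != 0x03 || p[1] != 0x00)
        return CR_NOT_TPKT;
    size_t tpkt_len = ((size_t)p[2] << 8) | p[3];
    if (tpkt_len < 11)
        return CR_NOT_TPKT;
    if (tpkt_len > n)
        return CR_TRUNCATED;
    /* LI counts every TPDU byte after itself, so LI + 5 must equal the TPKT length */
    if ((size_t)p[4] + 5 != tpkt_len || (p[5] & 0xF0) != 0xE0)
        return CR_NOT_TPKT;

    const uint8_t *var = p + 11;
    size_t var_len = tpkt_len - 11;
    if (var_len == 0)
        return CR_GENERIC_COTP; /* bare CR: port or later packets must decide */

    size_t used = rdp_cookie_len(var, var_len);
    if (used) {
        if (used == var_len || is_rdp_negreq(var + used, var_len - used))
            return CR_RDP;
        return CR_MALFORMED; /* cookie followed by something other than rdpNegReq */
    }
    if (is_rdp_negreq(var, var_len))
        return CR_RDP;
    if (cotp_params_wellformed(var, var_len))
        return CR_GENERIC_COTP;
    return CR_MALFORMED;
}

/* Constructed samples for this example, not bytes from the commit's pcaps. */
/* RDP X.224 CR with cookie "mstshash=user" and rdpNegReq requesting TLS|CredSSP */
static const uint8_t RDP_CR_SAMPLE[] = {
    0x03, 0x00, 0x00, 0x2a, 0x25, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x00,
    'C','o','o','k','i','e',':',' ','m','s','t','s','h','a','s','h','=',
    'u','s','e','r', 0x0d, 0x0a,
    0x01, 0x00, 0x08, 0x00, 0x03, 0x00, 0x00, 0x00
};
/* S7comm-style COTP CR: TPDU size 2^10 (0xC0), src TSAP (0xC1), dst TSAP (0xC2) */
static const uint8_t S7_CR_SAMPLE[] = {
    0x03, 0x00, 0x00, 0x16, 0x11, 0xe0, 0x00, 0x00, 0x00, 0x01, 0x00,
    0xc0, 0x01, 0x0a, 0xc1, 0x02, 0x01, 0x00, 0xc2, 0x02, 0x01, 0x02
};
static const uint8_t HTTP_SAMPLE[] = "GET / HTTP/1.1\r\n";

int main(void)
{
    static const char *names[] = { "not TPKT", "truncated", "malformed", "generic COTP CR", "RDP CR" };
    printf("rdp sample:    %s\n", names[classify_cr(RDP_CR_SAMPLE, sizeof RDP_CR_SAMPLE)]);
    printf("s7 sample:     %s\n", names[classify_cr(S7_CR_SAMPLE, sizeof S7_CR_SAMPLE)]);
    printf("rdp, 20 bytes: %s\n", names[classify_cr(RDP_CR_SAMPLE, 20)]);
    printf("http sample:   %s\n", names[classify_cr(HTTP_SAMPLE, sizeof HTTP_SAMPLE - 1)]);
    return 0;
}
```

The truncated case matters for a dissector fed one TCP segment at a time: returning `CR_TRUNCATED` rather than `CR_NOT_TPKT` keeps the flow open for the next packet instead of excluding RDP on a split connection request.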
Diffstat (limited to 'tests')
| Mode | File | Change |
|---|---|---|
| -rw-r--r-- | tests/cfgs/default/pcap/rdp3.pcap | bin, 0 -> 4655 bytes |
| -rw-r--r-- | tests/cfgs/default/pcap/s7comm-plus.pcap | bin, 0 -> 11559 bytes |
| -rw-r--r-- | tests/cfgs/default/result/rdp3.pcap.out | 28 lines added |
| -rw-r--r-- | tests/cfgs/default/result/s7comm-plus.pcap.out | 28 lines added |
4 files changed, 56 insertions, 0 deletions
diff --git a/tests/cfgs/default/pcap/rdp3.pcap b/tests/cfgs/default/pcap/rdp3.pcap Binary files differnew file mode 100644 index 000000000..9a1ed4cbf --- /dev/null +++ b/tests/cfgs/default/pcap/rdp3.pcap diff --git a/tests/cfgs/default/pcap/s7comm-plus.pcap b/tests/cfgs/default/pcap/s7comm-plus.pcap Binary files differnew file mode 100644 index 000000000..8dfb033ce --- /dev/null +++ b/tests/cfgs/default/pcap/s7comm-plus.pcap diff --git a/tests/cfgs/default/result/rdp3.pcap.out b/tests/cfgs/default/result/rdp3.pcap.out new file mode 100644 index 000000000..d7f61a572 --- /dev/null +++ b/tests/cfgs/default/result/rdp3.pcap.out 
@@ -0,0 +1,28 @@ +Guessed flow protos: 0 + +DPI Packets (TCP): 4 (4.00 pkts/flow) +Confidence DPI : 1 (flows) +Num dissector calls: 1 (1.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache zoom: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache stun_zoom: 0/0/0 (insert/search/found) +Automa host: 0/0 (search/found) +Automa domain: 0/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 0/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 2/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +RDP 30 4151 1 + + 1 TCP 10.150.9.21:1685 <-> 10.157.4.161:3389 [proto: 88/RDP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: RemoteAccess/12][17 pkts/2567 bytes <-> 13 pkts/1584 bytes][Goodput ratio: 63/54][0.67 sec][bytes ratio: 0.237 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 44/54 234/331 66/93][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 151/122 573/440 162/126][Risk: ** Desktop/File Sharing **][Risk Score: 10][Risk Info: Found RDP][PLAIN TEXT (Cookie)][Plen Bins: 59,16,4,0,0,0,0,0,0,0,4,0,12,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/s7comm-plus.pcap.out b/tests/cfgs/default/result/s7comm-plus.pcap.out new file mode 100644 index 000000000..4b34c344e --- /dev/null +++ b/tests/cfgs/default/result/s7comm-plus.pcap.out 
@@ -0,0 +1,28 @@ +Guessed flow protos: 0 + +DPI Packets (TCP): 6 (6.00 pkts/flow) +Confidence DPI : 1 (flows) +Num dissector calls: 1 (1.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache zoom: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache stun_zoom: 0/0/0 (insert/search/found) +Automa host: 0/0 (search/found) +Automa domain: 0/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 0/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 4/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +s7comm 79 10271 1 + + 1 TCP 192.168.25.177:53162 <-> 192.168.25.131:102 [proto: 249/s7comm][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Network/14][54 pkts/6194 bytes <-> 25 pkts/4077 bytes][Goodput ratio: 53/65][7.11 sec][bytes ratio: 0.206 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 122/276 995/964 315/396][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 115/163 395/351 76/132][PLAIN TEXT (SIMATIC)][Plen Bins: 42,6,28,3,1,0,3,0,0,12,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |
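Review bot: the rdp3.pcap.out expectation records `Confidence: DPI`, `DPI packets: 4` and `Num dissector calls: 1 (1.00 diss/flow)` for the single 10.150.9.21:1685 <-> 10.157.4.161:3389 flow, but neither the commit message nor anything in this tests/ diff says whether this capture was misclassified before the change or is simply a new positive sample, so a future regression in either direction cannot be attributed. Add one line to the commit message stating which it is. The flow also carries `[PLAIN TEXT (Cookie)]`; if the improved detection now keys on that plaintext cookie, a second fixture from a client that omits it would be the natural companion, so that the "improve detection" part of the change is exercised beyond the cookie path.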
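Review bot: the s7comm-plus.pcap.out fixture expects the 192.168.25.177:53162 <-> 192.168.25.131:102 flow as `proto: 249/s7comm` with `Confidence: DPI` after 6 packets, yet the commit title and bullets mention only RDP and nothing in this diff explains why an S7comm capture belongs in an RDP false-positive fix. If this is traffic the RDP dissector previously claimed, say so in the commit message so the fixture reads as a regression test rather than an unrelated addition. Also keep the file name and the expected protocol aligned: the pcap is named s7comm-plus while the expected line is plain `s7comm`, which a reader may take for a wrong expectation rather than the intended classification; either rename the fixture or note in the message that plain s7comm is the expected result.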