| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2022-07-10 17:08:37 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-07-10 17:08:37 +0200 |
| commit | df599e5effaf1a76a89a014a1f488b27fa88cc52 (patch) | |
| tree | fab830eacef22d1248590cd3f1e2726b8712ea05 /tests | |
| parent | 1fcd03a6b6b7dcf0b6306ab1b1112290d4351d65 (diff) | |
HTTP: improve detection of WindowsUpdate (#1658)
WindowsUpdate is also transported over HTTP, using a numeric IP as
hostname (some kind of CDN?)
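The pattern the commit message describes (Windows Update / Delivery Optimization downloads fetched over plain HTTP from a CDN node addressed by a bare IP, with the real Microsoft origin hostname surviving only as a path component) can be checked on a single request. The following is an added illustration, not nDPI's dissector code: the suffix list, the `classify` heuristic and the sample requests are my own assumptions, built from the fields visible in the expected test output below (numeric `Host`, the `msedge.b.tlu.dl.delivery.mp.microsoft.com` path segment, the `Microsoft-Delivery-Optimization/10.0` user agent). It keeps the numeric-IP risk flag separate from the application verdict, so a defender can see both signals.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical suffix list (my assumption, not nDPI's matcher): origin
# hostnames that show up as a path component when a CDN fronts Windows
# Update / Delivery Optimization traffic behind a raw IP address.
WINDOWSUPDATE_HOST_SUFFIXES = (
    ".delivery.mp.microsoft.com",
    ".windowsupdate.com",
)

# Constructed sample request, modelled on the flow in the test output
# (Host is a numeric IP, origin hostname embedded in the path).
SAMPLE_WU = (
    b"GET /data/0783dedfb62fa709/msedge.b.tlu.dl.delivery.mp.microsoft.com"
    b"/filestreamingservice/files/d1d060c0-7ece-4b96-9558-4bd0f2326040"
    b"?P1=1652084683&P2=404&P3=2 HTTP/1.1\r\n"
    b"Host: 151.99.72.125\r\n"
    b"User-Agent: Microsoft-Delivery-Optimization/10.0\r\n"
    b"Range: bytes=0-16383\r\n\r\n"
)

# Constructed control request: ordinary site, named host, no risk.
SAMPLE_PLAIN = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: curl/8.0\r\n\r\n"
)


@dataclass
class FlowVerdict:
    app: str                      # "HTTP" or "HTTP.WindowsUpdate"
    hostname: str                 # value of the Host header as seen
    risks: List[str] = field(default_factory=list)


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split one HTTP/1.x request head into (method, path, headers);
    header names are lower-cased, values stripped."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_numeric_host(host: str) -> bool:
    """True when the Host header is a bare IPv4/IPv6 literal (port removed)."""
    if host.startswith("["):                 # [IPv6]:port form
        host = host[1:host.find("]")] if "]" in host else host[1:]
    elif host.count(":") == 1:               # IPv4:port form
        host = host.split(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def embedded_origin_host(path: str) -> Optional[str]:
    """Return the path segment that looks like the original Microsoft
    origin hostname, or None when no segment matches the suffix list."""
    for segment in path.split("?", 1)[0].split("/"):
        seg = segment.lower()
        if any(seg.endswith(suffix) for suffix in WINDOWSUPDATE_HOST_SUFFIXES):
            return seg
    return None


def classify(raw: bytes) -> FlowVerdict:
    """Heuristic verdict for one request: application label plus risk flags.
    The numeric-IP risk is reported independently of the app verdict."""
    _method, path, headers = parse_request(raw)
    host = headers.get("host", "")
    verdict = FlowVerdict(app="HTTP", hostname=host)
    if is_numeric_host(host):
        verdict.risks.append("HTTP Numeric IP Address")
    user_agent = headers.get("user-agent", "")
    if (embedded_origin_host(path) is not None
            or user_agent.startswith("Microsoft-Delivery-Optimization/")):
        verdict.app = "HTTP.WindowsUpdate"
    return verdict


if __name__ == "__main__":
    for sample in (SAMPLE_WU, SAMPLE_PLAIN):
        print(classify(sample))
```

Either signal alone (origin hostname in the path, or the Delivery Optimization user agent) is enough for the application label here; a real dissector would also want to confirm the response side (the `206` status and `application/octet-stream` body seen in the test output) before trusting the match.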
Diffstat (limited to 'tests')

| mode | file | changes |
|---|---|---|
| -rw-r--r-- | tests/pcap/windowsupdate_over_http.pcap | bin, 0 -> 16319 bytes |
| -rw-r--r-- | tests/result/windowsupdate_over_http.pcap.out | 8 |

2 files changed, 8 insertions, 0 deletions
diff --git a/tests/pcap/windowsupdate_over_http.pcap b/tests/pcap/windowsupdate_over_http.pcap Binary files differnew file mode 100644 index 000000000..9a69c3dda --- /dev/null +++ b/tests/pcap/windowsupdate_over_http.pcap diff --git a/tests/result/windowsupdate_over_http.pcap.out b/tests/result/windowsupdate_over_http.pcap.out new file mode 100644 index 000000000..5fb1a34af --- /dev/null +++ b/tests/result/windowsupdate_over_http.pcap.out @@ -0,0 +1,8 @@ +Guessed flow protos: 0 + +DPI Packets (TCP): 6 (6.00 pkts/flow) +Confidence DPI : 1 (flows) + +WindowsUpdate 20 15975 1 + + 1 TCP 10.0.2.15:49815 <-> 151.99.72.125:80 [proto: 7.147/HTTP.WindowsUpdate][ClearText][Confidence: DPI][cat: Download/7][8 pkts/923 bytes <-> 12 pkts/15052 bytes][Goodput ratio: 52/96][0.02 sec][Hostname/SNI: 151.99.72.125][bytes ratio: -0.884 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2/1 9/8 4/2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 115/1254 533/1514 158/536][URL: 151.99.72.125/data/0783dedfb62fa709/msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d1d060c0-7ece-4b96-9558-4bd0f2326040?P1=1652084683&P2=404&P3=2&P4=GtXnDMvssaTVZE%2bliGRNZPdTCGZcdK3lsfQhBycGI5on2dyQK7mRzg%2fAP%2fOuVTebtfWU%2bfL%2bVp][StatusCode: 206][Content-Type: application/octet-stream][User-Agent: Microsoft-Delivery-Optimization/10.0][Risk: ** Binary App Transfer **** HTTP Numeric IP Address **][Risk Score: 260][Risk Info: Found host 151.99.72.125 / Found mime exe octet-stream][PLAIN TEXT (GET /data/0783dedfb)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,72,0,0] |
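Review bot: the expected output in the `@@ -0,0 +1,8 @@` hunk keeps `[Risk: ** Binary App Transfer **** HTTP Numeric IP Address **][Risk Score: 260]` on a flow that is now labelled `7.147/HTTP.WindowsUpdate`; please confirm that is intended (the improved detection does not clear the numeric-IP risk once the flow is recognised as WindowsUpdate) and say so in the commit message, otherwise a reader of this test will expect the risk to be suppressed for a known update client. The single-flow pcap also exercises only one shape of request (`/data/<hex>/msedge.b.tlu.dl.delivery.mp.microsoft.com/...` with the `Microsoft-Delivery-Optimization/10.0` user agent), so the result file does not show which of the embedded origin hostname, the user agent or the status/content type drives the match; a second flow lacking one of them would make the test more informative.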