-rw-r--r-- | example/intrusion_detection.c | 2 | ||||
-rw-r--r-- | example/ndpiReader.c | 26 | ||||
-rw-r--r-- | example/reader_util.c | 2 | ||||
-rw-r--r-- | src/include/ndpi_api.h.in | 33 | ||||
-rw-r--r-- | src/include/ndpi_protocol_ids.h | 1 | ||||
-rw-r--r-- | src/lib/ndpi_content_match.c.inc | 57 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 147 | ||||
-rw-r--r-- | src/lib/ndpi_serializer.c | 7 | ||||
-rw-r--r-- | src/lib/protocols/dns.c | 3 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/netbios.c | 5 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 4 | ||||
-rw-r--r-- | tests/pcap/anydesk.pcap | bin | 0 -> 2906892 bytes | |||
-rw-r--r-- | tests/pcap/googledns_android10.pcap | bin | 0 -> 141430 bytes | |||
-rw-r--r-- | tests/result/1kxun.pcap.out | 12 | ||||
-rw-r--r-- | tests/result/anydesk.pcap.out | 9 | ||||
-rw-r--r-- | tests/result/dns_exfiltration.pcap.out | 2 | ||||
-rw-r--r-- | tests/result/googledns_android10.pcap.out | 16 | ||||
-rw-r--r-- | tests/result/tor.pcap.out | 2 | ||||
-rw-r--r-- | tests/result/weibo.pcap.out | 2 |
20 files changed, 253 insertions, 79 deletions
diff --git a/example/intrusion_detection.c b/example/intrusion_detection.c index 7296c2d29..ef4189a56 100644 --- a/example/intrusion_detection.c +++ b/example/intrusion_detection.c @@ -1,7 +1,7 @@ /* * intrusion_detection.c * - * Copyright (C) 2011-19 - ntop.org + * Copyright (C) 2011-20 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 8ce4c6263..806a7dbaa 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -1,7 +1,7 @@ /* * ndpiReader.c * - * Copyright (C) 2011-19 - ntop.org + * Copyright (C) 2011-20 - ntop.org * * nDPI is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by @@ -3050,7 +3050,20 @@ void test_lib() { /* *********************************************** */ static void dgaUnitTest() { - const char *s[] = { + const char *dga[] = { + "lbjamwptxz", + "l54c2e21e80ba5471be7a8402cffb98768.so", + "wdd7ee574106a84807a601beb62dd851f0.hk", + "jaa12148a5831a5af92aa1d8fe6059e276.ws", + "www.e6r5p57kbafwrxj3plz.com", + // "grdawgrcwegpjaoo.eu", + "mcfpeqbotiwxfxqu.eu", + "adgxwxhqsegnrsih.eu", + NULL + }; + + const char *non_dga[] = { + "mz.gov.pl", "zoomam104zc.zoom.us", "5CI_DOMBIN", "ALICEGATE", @@ -3093,9 +3106,12 @@ static void dgaUnitTest() { assert(ndpi_str != NULL); - for(i=0; s[i] != NULL; i++) { - assert(ndpi_check_dga_name(ndpi_str, NULL, (char*)s[i]) == 0); - } + for(i=0; dga[i] != NULL; i++) + assert(ndpi_check_dga_name(ndpi_str, NULL, (char*)dga[i]) == 1); + + for(i=0; non_dga[i] != NULL; i++) + assert(ndpi_check_dga_name(ndpi_str, NULL, (char*)non_dga[i]) == 0); + ndpi_exit_detection_module(ndpi_str); } diff --git a/example/reader_util.c b/example/reader_util.c index b4e2c943a..be2f49b4f 100644 --- a/example/reader_util.c +++ b/example/reader_util.c 
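Review bot: The new `dga[]` list in dgaUnitTest carries a commented-out entry, `// "grdawgrcwegpjaoo.eu",`, with no explanation, so the next reader cannot tell whether it is a known false negative of the bigram heuristic or a leftover from debugging. Either drop the line or annotate it, e.g. `/* not flagged by the current heuristic; kept here as a known miss, do not assert on it */`. Presumably the entry was removed because the assertion below fails for it; if so, saying that in the comment turns it into a tracked gap rather than silent test erosion.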
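Review bot: In the second dgaUnitTest hunk both new loops evaluate `ndpi_check_dga_name()` inside the `assert()` argument, so a build with `NDEBUG` defined compiles the calls away and the DGA test becomes a no-op that always passes. The old loop had the same shape, but the commit now duplicates it for the positive cases, which are the ones this change is meant to pin. Move the call out of the macro, e.g. `int dga_rc = ndpi_check_dga_name(ndpi_str, NULL, (char*)dga[i]);` followed by `assert(dga_rc == 1);`, and likewise for the `non_dga` loop. The unit test's setup (`i`, `ndpi_str`) starts outside the hunk.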
@@ -1,7 +1,7 @@ /* * reader_util.c * - * Copyright (C) 2011-19 - ntop.org + * Copyright (C) 2011-20 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in index 8f6738920..0b8ff24b5 100644 --- a/src/include/ndpi_api.h.in +++ b/src/include/ndpi_api.h.in @@ -280,13 +280,13 @@ extern "C" { * (like SSL getting both client and server certificate even if we already know after * seeing the client certificate what the protocol is) * - * @par ndpi_struct = the detection module - * @par flow = pointer to the connection state machine - * @par packet = unsigned char pointer to the Layer 3 (IP header) - * @par packetlen = the length of the packet - * @par current_tick = the current timestamp for the packet - * @par src = pointer to the source subscriber state machine - * @par dst = pointer to the destination subscriber state machine + * @par ndpi_struct = the detection module + * @par flow = pointer to the connection state machine + * @par packet = unsigned char pointer to the Layer 3 (IP header) + * @par packetlen = the length of the packet + * @par packet_time_ms = the current timestamp for the packet (expressed in msec) + * @par src = pointer to the source subscriber state machine + * @par dst = pointer to the destination subscriber state machine * @return void * */ @@ -294,7 +294,7 @@ extern "C" { struct ndpi_flow_struct *flow, const unsigned char *packet, const unsigned short packetlen, - const u_int64_t current_tick, + const u_int64_t packet_time_ms, struct ndpi_id_struct *src, struct ndpi_id_struct *dst); 
@@ -302,13 +302,13 @@ extern "C" { * Processes one packet and returns the ID of the detected protocol. * This is the MAIN PACKET PROCESSING FUNCTION. * - * @par ndpi_struct = the detection module - * @par flow = pointer to the connection state machine - * @par packet = unsigned char pointer to the Layer 3 (IP header) - * @par packetlen = the length of the packet - * @par current_tick = the current timestamp for the packet - * @par src = pointer to the source subscriber state machine - * @par dst = pointer to the destination subscriber state machine + * @par ndpi_struct = the detection module + * @par flow = pointer to the connection state machine + * @par packet = unsigned char pointer to the Layer 3 (IP header) + * @par packetlen = the length of the packet + * @par packet_time_ms = the current timestamp for the packet (expressed in msec) + * @par src = pointer to the source subscriber state machine + * @par dst = pointer to the destination subscriber state machine * @return the detected ID of the protocol * */ @@ -316,7 +316,7 @@ extern "C" { struct ndpi_flow_struct *flow, const unsigned char *packet, const unsigned short packetlen, - const u_int64_t current_tick, + const u_int64_t packet_time_ms, struct ndpi_id_struct *src, struct ndpi_id_struct *dst); /** @@ -991,6 +991,7 @@ extern "C" { u_int32_t ndpi_serializer_get_buffer_len(ndpi_serializer *serializer); u_int32_t ndpi_serializer_get_internal_buffer_size(ndpi_serializer *serializer); int ndpi_serializer_set_buffer_len(ndpi_serializer *serializer, u_int32_t l); + ndpi_serialization_format ndpi_serializer_get_format(ndpi_serializer *serializer); void ndpi_serializer_set_csv_separator(ndpi_serializer *serializer, char separator); char* ndpi_serializer_get_header(ndpi_serializer *serializer, u_int32_t *buffer_len); diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index e2951ec22..01f54c0f9 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h 
@@ -281,6 +281,7 @@ typedef enum { NDPI_PROTOCOL_S7COMM = 249, NDPI_PROTOCOL_MSTEAMS = 250, NDPI_PROTOCOL_WEBSOCKET = 251, /* Leonn Paiva <leonn.paiva@gmail.com> */ + NDPI_PROTOCOL_ANYDESK = 252, /* Toni Uhlig <matzeton@googlemail.com> */ #ifdef CUSTOM_NDPI_PROTOCOLS #include "../../../nDPI-custom/custom_ndpi_protocol_ids.h" diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index 148ee9443..7828c50f7 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -8390,6 +8390,14 @@ static ndpi_network host_protocol_list[] = { { 0xD0163900 /* 208.22.57.0/24 */, 24, NDPI_PROTOCOL_BLOOMBERG }, { 0x45BFC000 /* 69.191.192.0/18 */, 18, NDPI_PROTOCOL_BLOOMBERG }, + /* AnyDesk */ + { 0x3353EF8E /* 51.83.239.142/31 */, 31, NDPI_PROTOCOL_ANYDESK }, + { 0x3353EF90 /* 51.83.239.144/31 */, 31, NDPI_PROTOCOL_ANYDESK }, + { 0x3353EEC8 /* 51.83.238.200/29 */, 29, NDPI_PROTOCOL_ANYDESK }, + { 0x3353EED0 /* 51.83.238.208/29 */, 29, NDPI_PROTOCOL_ANYDESK }, + { 0x3353EED8 /* 51.83.238.216/30 */, 30, NDPI_PROTOCOL_ANYDESK }, + { 0x3353EEDC /* 51.83.238.220/31 */, 31, NDPI_PROTOCOL_ANYDESK }, + /* Microsoft @@ -9127,6 +9135,8 @@ static ndpi_protocol_match host_match[] = { "brasilbandalarga.com.br", "EAQ", NDPI_PROTOCOL_EAQ, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, { ".eaqbr.com.br", "EAQ", NDPI_PROTOCOL_EAQ, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, + { ".net.anydesk.com", "AnyDesk", NDPI_PROTOCOL_ANYDESK, NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, NDPI_PROTOCOL_ACCEPTABLE }, + { NULL, NULL, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_SAFE } }; @@ -9223,6 +9233,10 @@ static ndpi_category_match category_match[] = { word or just random chars. http://www3.nd.edu/~busiforc/handouts/cryptography/Letter%20Frequencies.html + + DGA Datasets + - https://data.netlab.360.com/dga/ + - https://github.com/baderj/domain_generation_algorithms */ static const char *ndpi_en_bigrams[] = { 
@@ -9263,6 +9277,49 @@ static const char *ndpi_en_bigrams[] = { /* ******************************************************************** */ +static const char *ndpi_en_popular_bigrams[] = { + "th", "he", "in", "er", "an", "re", "on", "at", "en", "nd", "ti", "es", "or", "te", "of", "ed", "is", "it", + "al", "ar", "st", "to", "nt", "ng", "se", "ha", "as", "ou", "io", "le", "ve", "co", "me", "de", "hi", "ri", + "ro", "ic", "ne", "ea", "ra", "ce", "li", "ch", "ll", "be", "ma", "si", "om", "ur", "ca", "el", "ta", "la", + "ns", "di", "fo", "ho", "pe", "ec", "pr", "no", "ct", "us", "ac", "ot", "il", "tr", "ly", "nc", "et", "ut", + "ss", "so", "rs", "un", "lo", "wa", "ge", "ie", "wh", "ee", "wi", "em", "ad", "ol", "rt", "po", "we", "na", + "ul", "ni", "ts", "mo", "ow", "pa", "im", "mi", "ai", "sh", "ir", "su", "id", "os", "iv", "ia", "am", "fi", + "ci", "vi", "pl", "ig", "tu", "ev", "ld", "ry", "mp", "fe", "bl", "ab", "gh", "ty", "op", "wo", "sa", "ay", + "ex", "ke", "fr", "oo", "av", "ag", "if", "ap", "gr", "od", "bo", "sp", "rd", "do", "uc", "bu", "ei", "ov", + "by", "rm", "ep", "tt", "oc", "fa", "ef", "cu", "rn", "sc", "gi", "da", "yo", "cr", "cl", "du", "ga", "qu", + "ue", "ff", "ba", "ey", "ls", "va", "um", "pp", "ua", "up", "lu", "go", "ht", "ru", "ug", "ds", "lt", "pi", + "rc", "rr", "eg", "au", "ck", "ew", "mu", "br", "bi", "pt", "ak", "pu", "ui", "rg", "ib", "tl", "ny", "ki", + "rk", "ys", "ob", "mm", "fu", "ph", "og", "ms", "ye", "ud", "mb", "ip", "ub", "oi", "rl", "gu", "dr", "hr", + "cc", "tw", "ft", "wn", "nu", "af", "hu", "nn", "eo", "vo", "rv", "nf", "xp", "gn", "sm", "fl", "iz", "ok", + "nl", "my", "gl", "aw", "ju", "oa", "eq", "sy", "sl", "ps", "jo", "lf", "nv", "je", "nk", "kn", "gs", "dy", + "hy", "ze", "ks", "xt", "bs", "ik", "dd", "cy", "rp", "sk", "xi", "oe", "oy", "ws", "lv", "dl", "rf", "eu", + "dg", "wr", "xa", "yi", "nm", "eb", "rb", "tm", "xc", "eh", "tc", "gy", "ja", "hn", "yp", "za", "gg", "ym", + "sw", "bj", "lm", "cs", "ii", "ix", "xe", "oh", 
"lk", "dv", "lp", "ax", "ox", "uf", "dm", "iu", "sf", "bt", + "ka", "yt", "ek", "pm", "ya", "gt", "wl", "rh", "yl", "hs", "ah", "yc", "yn", "rw", "hm", "lw", "hl", "ae", + "zi", "az", "lc", "py", "aj", "iq", "nj", "bb", "nh", "uo", "kl", "lr", "tn", "gm", "sn", "nr", "fy", "mn", + "dw", "sb", "yr", "dn", "sq", "zo", "oj", "yd", "lb", "wt", "lg", "ko", "np", "sr", "nq", "ky", "ln", "nw", + "tf", "fs", "cq", "dh", "sd", "vy", "dj", "hw", "xu", "ao", "ml", "uk", "uy", "ej", "ez", "hb", "nz", "nb", + "mc", "yb", "tp", "xh", "ux", "tz", "bv", "mf", "wd", "oz", "yw", "kh", "gd", "bm", "mr", "ku", "uv", "dt", + "hd", "aa", "xx", "df", "db", "ji", "kr", "xo", "cm", "zz", "nx", "yg", "xy", "kg", "tb", "dc", "bd", "sg", + "wy", "zy", "aq", "hf", "cd", "vu", "kw", "zu", "bn", "ih", "tg", "xv", "uz", "bc", "xf", "yz", "km", "dp", + "lh", "wf", "kf", "pf", "cf", "mt", "yu", "cp", "pb", "td", "zl", "sv", "hc", "mg", "pw", "gf", "pd", "pn", + "pc", "rx", "tv", "ij", "wm", "uh", "wk", "wb", "bh", "oq", "kt", "rq", "kb", "cg", "vr", "cn", "pk", "uu", + "yf", "wp", "cz", "kp", "dq", "wu", "fm", "wc", "md", "kd", "zh", "gw", "rz", "cb", "iw", "xl", "hp", "mw", + "vs", "fc", "rj", "bp", "mh", "hh", "yh", "uj", "fg", "fd", "gb", "pg", "tk", "kk", "hq", "fn", "lz", "vl", + "gp", "hz", "dk", "yk", "qi", "lx", "vd", "zs", "bw", "xq", "mv", "uw", "hg", "fb", "sj", "ww", "gk", "uq", + "bg", "sz", "jr", "ql", "zt", "hk", "vc", "xm", "gc", "fw", "pz", "kc", "hv", "xw", "zw", "fp", "iy", "pv", + "vt", "jp", "cv", "zb", "vp", "zr", "fh", "yv", "zg", "zm", "zv", "qs", "kv", "vn", "zn", "qa", "yx", "jn", + "bf", "mk", "cw", "jm", "lq", "jh", "kj", "jc", "gz", "js", "tx", "fk", "jl", "vm", "lj", "tj", "jj", "cj", + "vg", "mj", "jt", "pj", "wg", "vh", "bk", "vv", "jd", "tq", "vb", "jf", "dz", "xb", "jb", "zc", "fj", "yy", + "qn", "xs", "qr", "jk", "jv", "qq", "xn", "vf", "px", "zd", "qt", "zp", "qo", "dx", "hj", "gv", "jw", "qc", + "jy", "gj", "qb", "pq", "jg", "bz", "mx", "qm", "mz", "qf", "wj", 
"zq", "xr", "zk", "cx", "fx", "fv", "bx", + "vw", "vj", "mq", "qv", "zf", "qe", "yj", "gx", "kx", "xg", "qd", "xj", "sx", "vz", "vx", "wv", "yq", "bq", + "gq", "vk", "zj", "xk", "qp", "hx", "fz", "qh", "qj", "jz", "vq", "kq", "xd", "qw", "jx", "qx", "kz", "wx", + "fq", "xz", "zx", "jq", "qg", "qk", "qy", "qz", "wq", "wz", NULL + }; + +/* ******************************************************************** */ + static const char *ndpi_en_impossible_bigrams[] = { "bk", "bq", "bx", "cb", "cf", "cg", "cj", "cp", "cv", "cw", "cx", "dx", "fk", "fq", "fv", "fx", /* "ee", removed it can be found in 'meeting' */ "fz", "gq", "gv", "gx", "hh", "hk", "hv", "hx", "hz", "iy", "jb", /* "jc", jcrew.com */ "jd", "jf", "jg", "jh", "jk", diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 59780d288..a945573a1 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -131,7 +131,7 @@ void *ndpi_realloc(void *ptr, size_t old_size, size_t new_size) { /* ****************************************** */ char *ndpi_strdup(const char *s) { - if( s == NULL ){ + if(s == NULL ){ return NULL; } @@ -571,9 +571,14 @@ static void init_string_based_protocols(struct ndpi_detection_module_struct *ndp // ac_automata_display(ndpi_str->host_automa.ac_automa, 'n'); #endif +#if 1 for (i = 0; ndpi_en_bigrams[i] != NULL; i++) ndpi_string_to_automa(ndpi_str, &ndpi_str->bigrams_automa, (char *) ndpi_en_bigrams[i], 1, 1, 1, 0); - +#else + for (i = 0; ndpi_en_popular_bigrams[i] != NULL; i++) + ndpi_string_to_automa(ndpi_str, &ndpi_str->bigrams_automa, (char *) ndpi_en_popular_bigrams[i], 1, 1, 1, 0); +#endif + for (i = 0; ndpi_en_impossible_bigrams[i] != NULL; i++) ndpi_string_to_automa(ndpi_str, &ndpi_str->impossible_bigrams_automa, (char *) ndpi_en_impossible_bigrams[i], 1, 1, 1, 0); 
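Review bot: The `#if 1 … #else … #endif` block added in init_string_based_protocols leaves the `ndpi_en_popular_bigrams` path permanently dead, and the ~450-entry `ndpi_en_popular_bigrams[]` table introduced in the preceding ndpi_content_match.c.inc hunk is therefore compiled in but never referenced. A bare `#if 1` does not tell a maintainer whether this is an experiment to be revisited or a rejected alternative. Replace it with a named build-time switch under a constructed name of the project's choosing (e.g. `#ifdef NDPI_DGA_USE_POPULAR_BIGRAMS`) plus a one-line comment on why the full bigram list is preferred, or remove the table until it is wired in. The enclosing function starts and ends outside the hunk.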
@@ -1476,6 +1481,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "WebSocket", NDPI_PROTOCOL_CATEGORY_WEB, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ANYDESK, + 1 /* no subprotocol */, no_master, + no_master, "AnyDesk", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); #ifdef CUSTOM_NDPI_PROTOCOLS #include "../../../nDPI-custom/custom_ndpi_main.c" @@ -4367,6 +4377,13 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s Skype for a host doing MS Teams means MS Teams (MS Teams uses Skype as transport protocol for voice/video) */ + + if(flow) { + /* Do not go for DNS when there is an application protocol. Example DNS.Apple */ + if((flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN) + && (flow->detected_protocol_stack[0] /* app */ != flow->detected_protocol_stack[1] /* major */)) + NDPI_CLR_BIT(flow->risk, NDPI_SUSPICIOUS_DGA_DOMAIN); + } switch(ret->app_protocol) { case NDPI_PROTOCOL_MSTEAMS: @@ -6078,8 +6095,12 @@ int ndpi_match_bigram(struct ndpi_detection_module_struct *ndpi_str, return(-1); if(!automa->ac_automa_finalized) { +#if 1 + ndpi_finalize_initalization(ndpi_str); +#else printf("[%s:%d] [NDPI] Internal error: please call ndpi_finalize_initalization()\n", __FILE__, __LINE__); return(0); /* No matches */ +#endif } ac_input_text.astring = bigram_to_match, ac_input_text.length = 2; 
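Review bot: In the ndpi_reconcile_protocols hunk the comment says "Do not go for DNS when there is an application protocol", but the condition clears `NDPI_SUSPICIOUS_DGA_DOMAIN` for every flow whose app protocol differs from its major protocol, so the risk is also dropped for HTTP.X, TLS.X and NetBIOS-derived names, not just DNS.X. If the intent really is DNS-only, the guard should read `if((flow->detected_protocol_stack[1] == NDPI_PROTOCOL_DNS) && (flow->detected_protocol_stack[0] != flow->detected_protocol_stack[1]))`; if the broader behaviour is intended, the comment should say that a matched sub-protocol is treated as evidence the name is legitimate. Either way, silently clearing a risk bit is worth one sentence explaining the trade-off, since it reduces what downstream detection sees. ndpi_reconcile_protocols starts and ends outside the hunk.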
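Review bot: The ndpi_match_bigram hunk turns a reported internal error into a lazy call to `ndpi_finalize_initalization(ndpi_str)` from inside a matcher that is reached from the per-packet path, while the original error branch is kept under a dead `#else`. If a detection module is shared by several threads (not visible here), finalizing on first match could race with concurrent matches on the same automa; if it is not shared, the lazy call still hides a caller that forgot the explicit finalization. At minimum document the contract on the call, e.g. `/* lazily finalize: some callers match before ndpi_finalize_initalization() was invoked */`, and drop the `#if 1`/`#else` scaffolding rather than keep both behaviours in the source. The function's prologue and epilogue lie outside the hunk.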
@@ -6478,79 +6499,123 @@ void ndpi_md5(const u_char *data, size_t data_len, u_char hash[16]) { static int enough(int a, int b) { u_int8_t percentage = 20; - + if(b == 0) return(0); if(a == 0) return(1); - if(b > ((a*percentage)/100)) return(1); - + if(b > (((a+1)*percentage)/100)) return(1); + return(0); } /* ******************************************************************** */ +// #define DGA_DEBUG 1 + int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, char *name) { - int len = strlen(name), rc = 0; - + int len, rc = 0; + + len = strlen(name); + if(len >= 5) { - int i, j, num_found = 0, num_impossible = 0, num_bigram_checks = 0; - char tmp[128]; + int i, j, num_found = 0, num_impossible = 0, num_bigram_checks = 0, num_digits = 0, num_vowels = 0, num_words = 0; + char tmp[128], *word, *tok_tmp; len = snprintf(tmp, sizeof(tmp)-1, "%s", name); if(len < 0) return(0); - + for(i=0, j=0; (i<len) && (j<(sizeof(tmp)-1)); i++) { - if(isdigit(name[i])) - continue; - else tmp[j++] = tolower(name[i]); } + tmp[j] = '\0'; len = j; - - for(i = 0; tmp[i+1] != '\0'; i++) { - if(isdigit(tmp[i])) continue; + + for(word = strtok_r(tmp, ".", &tok_tmp); ; word = strtok_r(NULL, ".", &tok_tmp)) { + if(!word) break; + + num_words++; + + if(strlen(word) < 3) continue; + +#ifdef DGA_DEBUG + printf("-> %s [%s][len: %u]\n", word, name, (unsigned int)strlen(word)); +#endif + + for(i = 0; word[i+1] != '\0'; i++) { + if(isdigit(word[i])) { + num_digits++; + + // if(!isdigit(word[i+1])) num_impossible++; + + continue; + } - switch(tmp[i]) { - case '-': - case ':': - case '.': - continue; - break; - } + switch(word[i]) { + case '_': + case '-': + case ':': + continue; + break; + + case '.': + continue; + break; + } - if(isdigit(tmp[i+1])) continue; - - num_bigram_checks++; + switch(word[i]) { + case 'a': + case 'e': + case 'i': + case 'o': + case 'u': + num_vowels++; + break; + } + + if(isdigit(word[i+1])) { + num_digits++; + // num_impossible++; 
+ continue; + } + + num_bigram_checks++; - if(ndpi_match_bigram(ndpi_str, &ndpi_str->bigrams_automa, &tmp[i])) { - num_found++; - } else if(ndpi_match_bigram(ndpi_str, - &ndpi_str->impossible_bigrams_automa, - &tmp[i])) { + if(ndpi_match_bigram(ndpi_str, &ndpi_str->bigrams_automa, &word[i])) { + num_found++; + } else { + if(ndpi_match_bigram(ndpi_str, + &ndpi_str->impossible_bigrams_automa, + &word[i])) { #ifdef DGA_DEBUG - printf("IMPOSSIBLE %s\n", &tmp[i]); + printf("IMPOSSIBLE %s\n", &word[i]); #endif - num_impossible++; - } - } + num_impossible++; + } + } + } /* for */ + } /* for */ +#ifdef DGA_DEBUG + printf("[num_found: %u][num_impossible: %u][num_digits: %u][num_bigram_checks: %u][num_vowels: %u/%u]\n", + num_found, num_impossible, num_digits, num_bigram_checks, num_vowels, j-num_vowels); +#endif + if(num_bigram_checks - && ((num_found == 0) - || (enough(num_found, num_impossible)))) - rc = 1; + && ((num_found == 0) || ((num_digits > 5) && (num_words <= 3)) || enough(num_found, num_impossible))) + rc = 1; if(rc && flow) NDPI_SET_BIT(flow->risk, NDPI_SUSPICIOUS_DGA_DOMAIN); #ifdef DGA_DEBUG if(rc) - printf("DGA %s [%s][num_found: %u][num_impossible: %u]\n", - tmp, name, num_found, num_impossible); + printf("DGA %s [num_found: %u][num_impossible: %u]\n", + name, num_found, num_impossible); #endif } - + return(rc); } diff --git a/src/lib/ndpi_serializer.c b/src/lib/ndpi_serializer.c index 4e4e51f0d..87b2c06a8 100644 --- a/src/lib/ndpi_serializer.c +++ b/src/lib/ndpi_serializer.c 
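Review bot: In ndpi_check_dga_name the rewritten loops pass plain `char` to `isdigit()` and `tolower()` (`isdigit(word[i])`, `isdigit(word[i+1])`, `tolower(name[i])`); `name` comes from DNS, HTTP, NetBIOS and TLS payloads, so a byte >= 0x80 yields a negative argument, which is undefined behaviour for the ctype functions — cast first: `if(isdigit((unsigned char)word[i]))` and `tmp[j++] = tolower((unsigned char)name[i]);`. Separately, `num_digits` is incremented both when `word[i]` is a digit and, one iteration earlier, when `word[i+1]` is a digit, so a single digit between two letters counts twice and the new `(num_digits > 5)` gate fires at roughly half the stated threshold; count in one place only or document that it is an inflated score. The `case '.':` arm is unreachable once `strtok_r(tmp, ".", …)` has split on dots, and the `continue; break;` pairs leave dead `break`s. The hunk also covers enough(), whose new `(a+1)` rounding deserves a one-line why-comment.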
@@ -364,6 +364,13 @@ char* ndpi_serializer_get_header(ndpi_serializer *_serializer, u_int32_t *buffer /* ********************************** */ +ndpi_serialization_format ndpi_serializer_get_format(ndpi_serializer *_serializer) { + ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer; + return serializer->fmt; +} + +/* ********************************** */ + void ndpi_serializer_set_csv_separator(ndpi_serializer *_serializer, char separator) { ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer; diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 099f343e4..897fb1e4b 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -294,11 +294,12 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st } flow->host_server_name[j] = '\0'; - ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name); if(j > 0) { ndpi_protocol_match_result ret_match; + ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name); + ret.app_protocol = ndpi_match_host_subprotocol(ndpi_struct, flow, (char *)flow->host_server_name, strlen((const char*)flow->host_server_name), diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index a896c6214..7d54d1470 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -450,7 +450,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ flow->host_server_name[len] = '\0'; flow->extra_packets_func = NULL; /* We're good now */ - ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name); + if(len > 0) ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name); flow->server_id = flow->dst; if(packet->forwarded_line.ptr) { diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c index c396a392b..66224557a 100644 --- a/src/lib/protocols/netbios.c +++ b/src/lib/protocols/netbios.c 
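Review bot: The new public accessor `ndpi_serializer_get_format()` is added without any documentation, here or on its declaration in the ndpi_api.h.in hunk, and like its neighbour `ndpi_serializer_set_csv_separator()` it dereferences `_serializer` without a NULL check. Matching the neighbour is a fair consistency choice, but a public getter should say so: add a header comment along the lines of `/* Returns the serialization format chosen at ndpi_init_serializer(); the serializer must be non-NULL. */` on the declaration in ndpi_api.h.in. The dns.c and http.c hunks on this line (moving the DGA check under `j > 0` / `len > 0`) look correct and need no change.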
@@ -80,8 +80,9 @@ static void ndpi_int_netbios_add_connection(struct ndpi_detection_module_struct char name[64]; u_int off = flow->packet.payload[12] == 0x20 ? 12 : 14; - if((off < flow->packet.payload_packet_len) && - ndpi_netbios_name_interpret((char*)&flow->packet.payload[off], flow->packet.payload_packet_len - off, name, sizeof(name)) > 0) { + if((off < flow->packet.payload_packet_len) + && ndpi_netbios_name_interpret((char*)&flow->packet.payload[off], + flow->packet.payload_packet_len - off, name, sizeof(name)) > 0) { snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name); ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name); diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index c8a0e43b2..eac9e0f77 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -1208,14 +1208,14 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, printf("Client SSL [ALPN: %u]\n", alpn_len); #endif - if((alpn_str_len+alpn_len+1) < sizeof(alpn_str)) { + if((alpn_str_len+alpn_len+1) < (sizeof(alpn_str)-1)) { if(alpn_str_len > 0) { alpn_str[alpn_str_len] = ','; alpn_str_len++; } for(alpn_i=0; alpn_i<alpn_len; alpn_i++) - alpn_str[alpn_str_len+alpn_i] = packet->payload[s_offset+alpn_i]; + alpn_str[alpn_str_len+alpn_i] = packet->payload[s_offset+alpn_i]; s_offset += alpn_len, alpn_str_len += alpn_len;; } else diff --git a/tests/pcap/anydesk.pcap b/tests/pcap/anydesk.pcap Binary files differnew file mode 100644 index 000000000..8b9c70352 --- /dev/null +++ b/tests/pcap/anydesk.pcap diff --git a/tests/pcap/googledns_android10.pcap b/tests/pcap/googledns_android10.pcap Binary files differnew file mode 100644 index 000000000..1e24c48af --- /dev/null +++ b/tests/pcap/googledns_android10.pcap diff --git a/tests/result/1kxun.pcap.out b/tests/result/1kxun.pcap.out index ab0282e92..8c4ae196e 100644 --- a/tests/result/1kxun.pcap.out +++ b/tests/result/1kxun.pcap.out 
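Review bot: In the tls.c hunk the tightened bound `(alpn_str_len+alpn_len+1) < (sizeof(alpn_str)-1)` protects only the destination; the copy `alpn_str[alpn_str_len+alpn_i] = packet->payload[s_offset+alpn_i]` reads `alpn_len` bytes from the ClientHello with no check visible in this hunk that `s_offset + alpn_len` stays within the payload length. If that guard exists before the hunk (processClientServerHello starts well outside it), a comment stating the precondition would make it clear; if it does not, a truncated or malformed ClientHello becomes an over-read, and a bound against the payload length field (named `payload_packet_len` in the netbios.c hunk on this page) is needed before the loop. The `alpn_str_len += alpn_len;;` double semicolon is also new-side noise worth removing.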
@@ -82,9 +82,9 @@ JA3 Host Stats: 60 UDP [fe80::9bd:81dd:2fdc:5750]:61548 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/190 bytes -> 0 pkts/0 bytes][Goodput ratio: 35/0][0.41 sec][Host: caesar-thinkpad][PLAIN TEXT (caesar)] 61 UDP [fe80::9bd:81dd:2fdc:5750]:64568 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/190 bytes -> 0 pkts/0 bytes][Goodput ratio: 35/0][0.41 sec][Host: caesar-thinkpad][PLAIN TEXT (caesar)] 62 UDP 192.168.5.45:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][2 pkts/184 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][1.02 sec][Host: nasfile][PLAIN TEXT ( EOEBFDEGEJEMEFCACACACACACACACA)] - 63 UDP [fe80::e98f:bae2:19f7:6b0f]:51451 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/184 bytes -> 0 pkts/0 bytes][Goodput ratio: 32/0][0.41 sec][Host: ____________][Risk: ** Suspicious DGA domain name **] - 64 UDP [fe80::e98f:bae2:19f7:6b0f]:54888 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/184 bytes -> 0 pkts/0 bytes][Goodput ratio: 32/0][0.10 sec][Host: ____________][Risk: ** Suspicious DGA domain name **] - 65 UDP [fe80::e98f:bae2:19f7:6b0f]:58779 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/184 bytes -> 0 pkts/0 bytes][Goodput ratio: 32/0][0.41 sec][Host: ____________][Risk: ** Suspicious DGA domain name **] + 63 UDP [fe80::e98f:bae2:19f7:6b0f]:51451 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/184 bytes -> 0 pkts/0 bytes][Goodput ratio: 32/0][0.41 sec][Host: ____________] + 64 UDP [fe80::e98f:bae2:19f7:6b0f]:54888 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/184 bytes -> 0 pkts/0 bytes][Goodput ratio: 32/0][0.10 sec][Host: ____________] + 65 UDP [fe80::e98f:bae2:19f7:6b0f]:58779 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/184 bytes -> 0 pkts/0 bytes][Goodput ratio: 32/0][0.41 sec][Host: ____________] 66 UDP [fe80::e034:7be:d8f9:6197]:49766 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 
pkts/182 bytes -> 0 pkts/0 bytes][Goodput ratio: 32/0][0.41 sec][Host: charming-pc][PLAIN TEXT (charming)] 67 UDP [fe80::5d92:62a8:ebde:1319]:49735 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/178 bytes -> 0 pkts/0 bytes][Goodput ratio: 30/0][0.10 sec][Host: wangs-ltw] 68 UDP [fe80::5d92:62a8:ebde:1319]:58468 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/178 bytes -> 0 pkts/0 bytes][Goodput ratio: 30/0][0.10 sec][Host: wangs-ltw] 
@@ -98,9 +98,9 @@ JA3 Host Stats: 76 UDP [fe80::edf5:240a:c8c0:8312]:61603 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Goodput ratio: 28/0][0.41 sec][Host: ro_x1c] 77 UDP 192.168.5.49:61548 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/150 bytes -> 0 pkts/0 bytes][Goodput ratio: 44/0][0.41 sec][Host: caesar-thinkpad][PLAIN TEXT (caesar)] 78 UDP 192.168.5.49:64568 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/150 bytes -> 0 pkts/0 bytes][Goodput ratio: 44/0][0.41 sec][Host: caesar-thinkpad][PLAIN TEXT (caesar)] - 79 UDP 192.168.3.95:51451 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Goodput ratio: 41/0][0.41 sec][Host: ____________][Risk: ** Suspicious DGA domain name **] - 80 UDP 192.168.3.95:54888 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Goodput ratio: 41/0][0.10 sec][Host: ____________][Risk: ** Suspicious DGA domain name **] - 81 UDP 192.168.3.95:58779 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Goodput ratio: 41/0][0.41 sec][Host: ____________][Risk: ** Suspicious DGA domain name **] + 79 UDP 192.168.3.95:51451 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Goodput ratio: 41/0][0.41 sec][Host: ____________] + 80 UDP 192.168.3.95:54888 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Goodput ratio: 41/0][0.10 sec][Host: ____________] + 81 UDP 192.168.3.95:58779 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Goodput ratio: 41/0][0.41 sec][Host: ____________] 82 UDP 192.168.5.50:57143 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/142 bytes -> 0 pkts/0 bytes][Goodput ratio: 41/0][0.41 sec][Host: charming-pc][PLAIN TEXT (charming)] 83 UDP 192.168.5.50:62756 -> 224.0.0.252:5355 [proto: 
154/LLMNR][cat: Network/14][2 pkts/142 bytes -> 0 pkts/0 bytes][Goodput ratio: 41/0][0.41 sec][Host: charming-pc][PLAIN TEXT (charming)] 84 UDP 192.168.5.48:59797 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][0.41 sec][Host: kasper-mac][PLAIN TEXT (Kasper)] diff --git a/tests/result/anydesk.pcap.out b/tests/result/anydesk.pcap.out new file mode 100644 index 000000000..d973bd9f4 --- /dev/null +++ b/tests/result/anydesk.pcap.out @@ -0,0 +1,9 @@ +AnyDesk 6963 2795460 2 + +JA3 Host Stats: + IP Address # JA3C + 1 192.168.149.129 1 + + + 1 TCP 192.168.149.129:43535 <-> 51.83.238.219:80 [proto: 91.252/TLS.AnyDesk][cat: RemoteAccess/12][2942 pkts/175103 bytes <-> 4001 pkts/2618640 bytes][Goodput ratio: 9/92][55.97 sec][bytes ratio: -0.875 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 19/14 7028/7028 153/126][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 60/654 1514/1514 50/618][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **][TLSv1.2][JA3C: 201999283915cc31cee6b15472ef3332][JA3S: 107030a763c7224285717ff1569a17f3][Issuer: CN=AnyNet Root CA, O=philandro Software GmbH, C=DE][Subject: C=DE, O=philandro Software GmbH, CN=AnyNet Relay][Certificate SHA-1: 9E:08:D2:58:A9:02:CD:4F:E2:4A:26:B8:48:5C:43:0B:81:29:99:E3][Validity: 2018-11-18 02:14:23 - 2028-11-15 02:14:23][Cipher: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384] + 2 TCP 192.168.149.129:36351 <-> 51.83.239.144:80 [proto: 7.252/HTTP.AnyDesk][cat: RemoteAccess/12][10 pkts/792 bytes <-> 10 pkts/925 bytes][Goodput ratio: 32/38][45.83 sec][bytes ratio: -0.077 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 32/31 5700/5700 15000/15001 7162/7162][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 79/92 105/213 25/45] diff --git a/tests/result/dns_exfiltration.pcap.out b/tests/result/dns_exfiltration.pcap.out index 8083209bc..94b27bdb6 100644 --- a/tests/result/dns_exfiltration.pcap.out +++ b/tests/result/dns_exfiltration.pcap.out 
@@ -1,3 +1,3 @@ DNS 300 73545 1 - 1 UDP 192.168.220.56:56373 <-> 192.168.203.167:53 [proto: 5/DNS][cat: Network/14][150 pkts/32419 bytes <-> 150 pkts/41126 bytes][Goodput ratio: 81/85][59.99 sec][Host: dnscat.546b03f50000000000a6023ed4df184d6ac5c2628b47714fdee584fed739.5a03b5b1e1aa8f8fdb1bbe8d5e04952141f7d4f82c7e3b06dcc8b87fad7a.19e4d098dc8c618f8d81cfeb02][::][bytes ratio: -0.118 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/1 398/397 1035/1015 491/489][Pkt Len c2s/s2c min/avg/max/stddev: 101/148 216/274 300/386 97/97][PLAIN TEXT (dnscat)] + 1 UDP 192.168.220.56:56373 <-> 192.168.203.167:53 [proto: 5/DNS][cat: Network/14][150 pkts/32419 bytes <-> 150 pkts/41126 bytes][Goodput ratio: 81/85][59.99 sec][Host: dnscat.546b03f50000000000a6023ed4df184d6ac5c2628b47714fdee584fed739.5a03b5b1e1aa8f8fdb1bbe8d5e04952141f7d4f82c7e3b06dcc8b87fad7a.19e4d098dc8c618f8d81cfeb02][::][bytes ratio: -0.118 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/1 398/397 1035/1015 491/489][Pkt Len c2s/s2c min/avg/max/stddev: 101/148 216/274 300/386 97/97][Risk: ** Suspicious DGA domain name **][PLAIN TEXT (dnscat)] diff --git a/tests/result/googledns_android10.pcap.out b/tests/result/googledns_android10.pcap.out new file mode 100644 index 000000000..93f88626a --- /dev/null +++ b/tests/result/googledns_android10.pcap.out 
@@ -0,0 +1,16 @@
+Google 12 896 3
+DoH_DoT 520 131998 5
+
+JA3 Host Stats:
+ IP Address # JA3C
+ 1 192.168.1.159 2
+
+
+ 1 TCP 192.168.1.159:48210 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][121 pkts/19065 bytes <-> 120 pkts/45726 bytes][Goodput ratio: 58/83][72.27 sec][bytes ratio: -0.411 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 711/474 15173/5940 1940/1160][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 158/381 384/1484 93/280][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 2 TCP 192.168.1.159:48098 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][68 pkts/9706 bytes <-> 65 pkts/18916 bytes][Goodput ratio: 54/77][117.95 sec][bytes ratio: -0.322 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2097/1988 15177/15193 3804/3968][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 143/291 583/565 94/247][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: b734f75d22aaff9866fbd5d27eef9106][JA3S: 1249fb68f48c0444718e4d3b48b27188][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 3 TCP 192.168.1.159:48048 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][52 pkts/7375 bytes <-> 52 pkts/20720 bytes][Goodput ratio: 53/83][41.01 sec][bytes ratio: -0.475 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 882/623 15271/15287 2537/2442][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 142/398 384/1484 84/406][Risk: ** Known protocol on non standard 
port **** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 4 TCP 192.168.1.159:48044 <-> 8.8.4.4:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][11 pkts/1097 bytes <-> 10 pkts/4148 bytes][Goodput ratio: 33/84][0.12 sec][bytes ratio: -0.582 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 12/9 34/19 13/8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 100/415 220/1484 51/544][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 5 TCP 192.168.1.159:56024 <-> 8.8.8.8:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][11 pkts/1097 bytes <-> 10 pkts/4148 bytes][Goodput ratio: 33/84][0.14 sec][bytes ratio: -0.582 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 15/12 46/31 17/11][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 100/415 220/1484 51/544][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: dns.google][JA3C: 2c776785ee603cc85d37df996bb90cc8][ServerNames: 
dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: b44baa8a20901c5663b3a9664ba8a767][Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1][Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google][Certificate SHA-1: 5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC][Validity: 2020-05-26 15:20:02 - 2020-08-18 15:20:02][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 6 ICMP 192.168.1.159:0 <-> 8.8.8.8:0 [proto: 81.126/ICMP.Google][cat: Network/14][2 pkts/196 bytes <-> 2 pkts/196 bytes][Goodput ratio: 57/57][0.99 sec]
+ 7 TCP 8.8.8.8:853 <-> 192.168.1.159:55856 [proto: 196.126/DoH_DoT.Google][cat: Web/5][5 pkts/330 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0/0][1.80 sec][bytes ratio: 0.719 (Upload)][IAT c2s/s2c min/avg/max/stddev: 223/0 449/0 911/0 281/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 66/54 66/54 0/0]
+ 8 TCP 8.8.4.4:853 <-> 192.168.1.159:47968 [proto: 196.126/DoH_DoT.Google][cat: Web/5][1 pkts/66 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0/0][0.09 sec]
diff --git a/tests/result/tor.pcap.out b/tests/result/tor.pcap.out
index 0477f0c60..d7054f6a5 100644
--- a/tests/result/tor.pcap.out
+++ b/tests/result/tor.pcap.out
@@ -13,7 +13,7 @@ JA3 Host Stats:
 2 TCP 192.168.1.252:51112 <-> 38.229.70.53:443 [proto: 91.163/TLS.Tor][cat: VPN/2][580 pkts/145960 bytes <-> 996 pkts/1242832 bytes][Goodput ratio: 77/96][106.13 sec][bytes ratio: -0.790 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 202/109 30770/31166 1830/1316][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 252/1248 1514/1514 355/507][Risk: ** Obsolete TLS version (< 1.1) **][TLSv1][Client: www.q4cyamnc6mtokjurvdclt.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA3S: e1691a31bfe345d2692da75636ddfb00][Issuer: CN=www.gg562izcxdvqdk.com][Subject: CN=www.fcsyvnlemwxv5p.net][Certificate SHA-1: C1:93:18:2C:A3:1D:AC:5F:C7:DE:17:8A:4E:B1:E8:13:BB:08:73:3A][Validity: 2013-09-15 00:00:00 - 2014-02-21 23:59:59][Cipher: TLS_DHE_RSA_WITH_AES_256_CBC_SHA]
 3 TCP 192.168.1.252:51110 <-> 91.143.93.242:443 [proto: 91/TLS][cat: Web/5][62 pkts/22715 bytes <-> 79 pkts/45823 bytes][Goodput ratio: 84/91][109.04 sec][bytes ratio: -0.337 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2212/966 44777/37995 8343/4770][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 366/580 1514/1514 350/568][Risk: ** Obsolete TLS version (< 1.1) **][TLSv1][Client: www.ct7ctrgb6cr7.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA3S: 184d532a16876b78846ae6a03f654890][Issuer: CN=www.xkgk7fdx362yyyxib.com][Subject: CN=www.g6ghvisevf3ibuu5.net][Certificate SHA-1: 94:F9:FF:E2:7F:DB:1F:B8:19:65:20:6F:F6:DE:B6:A5:D5:AF:14:C7][Validity: 2013-10-03 00:00:00 - 2013-11-18 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
 4 TCP 192.168.1.252:51175 <-> 91.143.93.242:443 [proto: 91/TLS][cat: Web/5][17 pkts/5489 bytes <-> 21 pkts/7031 bytes][Goodput ratio: 82/84][135.32 sec][bytes ratio: -0.123 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 10378/8441 132386/132736 35221/32094][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 323/335 640/1514 270/385][Risk: ** Obsolete TLS version (< 1.1) **][TLSv1][Client: www.gfu7hbxpfp.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA3S: 
184d532a16876b78846ae6a03f654890][Issuer: CN=www.xkgk7fdx362yyyxib.com][Subject: CN=www.g6ghvisevf3ibuu5.net][Certificate SHA-1: 94:F9:FF:E2:7F:DB:1F:B8:19:65:20:6F:F6:DE:B6:A5:D5:AF:14:C7][Validity: 2013-10-03 00:00:00 - 2013-11-18 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
- 5 TCP 192.168.1.252:51111 <-> 46.59.52.31:443 [proto: 91/TLS][cat: Web/5][16 pkts/4858 bytes <-> 18 pkts/6284 bytes][Goodput ratio: 81/84][108.05 sec][bytes ratio: -0.128 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/3 6124/2564 71328/34353 19661/8817][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 304/349 640/1514 267/398][Risk: ** Obsolete TLS version (< 1.1) **][TLSv1][Client: www.e6r5p57kbafwrxj3plz.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA3S: 184d532a16876b78846ae6a03f654890][Issuer: CN=www.gmvuy6mtjbxevwo3w.com][Subject: CN=www.bpcau5b3haif5els.net][Certificate SHA-1: 3A:B1:8A:6F:C3:F6:41:ED:77:D5:40:C3:85:79:8B:62:46:BC:65:9C][Validity: 2013-06-07 00:00:00 - 2014-02-07 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
+ 5 TCP 192.168.1.252:51111 <-> 46.59.52.31:443 [proto: 91/TLS][cat: Web/5][16 pkts/4858 bytes <-> 18 pkts/6284 bytes][Goodput ratio: 81/84][108.05 sec][bytes ratio: -0.128 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/3 6124/2564 71328/34353 19661/8817][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 304/349 640/1514 267/398][Risk: ** Obsolete TLS version (< 1.1) **** Suspicious DGA domain name **][TLSv1][Client: www.e6r5p57kbafwrxj3plz.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA3S: 184d532a16876b78846ae6a03f654890][Issuer: CN=www.gmvuy6mtjbxevwo3w.com][Subject: CN=www.bpcau5b3haif5els.net][Certificate SHA-1: 3A:B1:8A:6F:C3:F6:41:ED:77:D5:40:C3:85:79:8B:62:46:BC:65:9C][Validity: 2013-06-07 00:00:00 - 2014-02-07 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
 6 TCP 192.168.1.252:51174 <-> 212.83.155.250:443 [proto: 91/TLS][cat: Web/5][16 pkts/3691 bytes <-> 16 pkts/6740 bytes][Goodput ratio: 75/87][135.27 sec][bytes ratio: -0.292 (Download)][IAT c2s/s2c 
min/avg/max/stddev: 1/2 11234/11261 72591/72890 25060/25130][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 231/421 640/1514 243/403][Risk: ** Obsolete TLS version (< 1.1) **][TLSv1][Client: www.t3i3ru.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA3S: 184d532a16876b78846ae6a03f654890][Issuer: CN=www.wohgpas45j6ucw.com][Subject: CN=www.7d43ah2kikrabj.net][Certificate SHA-1: F9:1D:5F:89:8F:D8:58:1E:45:E7:9B:A6:FD:90:95:77:FF:DD:E8:1B][Validity: 2013-09-11 00:00:00 - 2013-11-24 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
 7 TCP 192.168.1.252:51185 <-> 62.210.137.230:443 [proto: 91.163/TLS.Tor][cat: VPN/2][15 pkts/3634 bytes <-> 14 pkts/6027 bytes][Goodput ratio: 76/87][74.24 sec][bytes ratio: -0.248 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/15 6155/6464 63835/63837 17571/19124][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 242/430 640/1514 247/416][Risk: ** Obsolete TLS version (< 1.1) **][TLSv1][Client: www.6gyip7tqim7sieb.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA3S: 184d532a16876b78846ae6a03f654890][Issuer: CN=www.a3uycdf3rn5md.com][Subject: CN=www.l7xvysfnvkb.net][Certificate SHA-1: EE:86:E7:21:36:93:23:30:DB:A0:09:48:55:16:CB:A8:E9:DA:01:D0][Validity: 2013-11-02 00:00:00 - 2014-02-17 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
 8 UDP 192.168.1.1:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][cat: Cloud/13][10 pkts/1860 bytes -> 0 pkts/0 bytes][Goodput ratio: 77/0][600.89 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 30033/0 66765/0 360548/0 103868/0][Pkt Len c2s/s2c min/avg/max/stddev: 186/0 186/0 186/0 0/0][PLAIN TEXT ( 676879976)]
diff --git a/tests/result/weibo.pcap.out b/tests/result/weibo.pcap.out
index e11aa8ed3..f90ce31de 100644
--- a/tests/result/weibo.pcap.out
+++ b/tests/result/weibo.pcap.out
@@ -28,7 +28,7 @@ JA3 Host Stats:
 16 UDP 192.168.1.105:51440 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/72 bytes <-> 1 pkts/171 bytes][Goodput ratio: 41/75][0.19 sec][Host: g.alicdn.com][47.89.65.229][PLAIN TEXT (alicdn)]
 17 UDP 192.168.1.105:33822 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/76 bytes <-> 1 pkts/166 bytes][Goodput ratio: 44/74][0.47 sec][Host: login.taobao.com][140.205.170.63][PLAIN TEXT (taobao)]
 18 UDP 192.168.1.105:18035 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][cat: SocialNetwork/6][1 pkts/81 bytes <-> 1 pkts/159 bytes][Goodput ratio: 48/73][0.11 sec][Host: u1.img.mobile.sina.cn][222.73.28.96][PLAIN TEXT (mobile)]
- 19 UDP 192.168.1.105:50640 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/77 bytes <-> 1 pkts/157 bytes][Goodput ratio: 45/73][0.47 sec][Host: acjstb.aliyun.com][42.156.184.19][Risk: ** Suspicious DGA domain name **][PLAIN TEXT (alibabadns)]
+ 19 UDP 192.168.1.105:50640 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/77 bytes <-> 1 pkts/157 bytes][Goodput ratio: 45/73][0.47 sec][Host: acjstb.aliyun.com][42.156.184.19][PLAIN TEXT (alibabadns)]
 20 UDP 192.168.1.105:7148 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][cat: SocialNetwork/6][1 pkts/73 bytes <-> 1 pkts/142 bytes][Goodput ratio: 42/70][0.06 sec][Host: www.weibo.com][93.188.134.137]
 21 TCP 192.168.1.105:35808 <-> 93.188.134.246:80 [proto: 7/HTTP][cat: Web/5][2 pkts/140 bytes <-> 1 pkts/74 bytes][Goodput ratio: 0/0][0.06 sec]
 22 TCP 192.168.1.105:50831 <-> 47.89.65.229:443 [proto: 91/TLS][cat: Web/5][2 pkts/128 bytes <-> 1 pkts/66 bytes][Goodput ratio: 0/0][0.22 sec] |