-rw-r--r-- | src/include/ndpi_api.h.in | 9 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 6 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 2 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 60 | ||||
-rw-r--r-- | src/lib/protocols/snmp_proto.c | 13 | ||||
-rw-r--r-- | tests/result/discord.pcap.out | 2 | ||||
-rw-r--r-- | tests/result/dnscrypt-v2-doh.pcap.out | 6 | ||||
-rw-r--r-- | tests/result/dtls_certificate.pcapng.out | 2 | ||||
-rw-r--r-- | tests/result/gnutella.pcap.out | 2 | ||||
-rw-r--r-- | tests/result/selfsigned.pcap.out | 2 | ||||
-rw-r--r-- | tests/result/tls-rdn-extract.pcap.out | 2 |
11 files changed, 72 insertions, 34 deletions
diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in
index 9ad9bd7c2..c350159f0 100644
--- a/src/include/ndpi_api.h.in
+++ b/src/include/ndpi_api.h.in
@@ -99,6 +99,15 @@ extern "C" {
 u_int match_len, u_int32_t *num);
 /**
+ * Return the protocol error code of a given flow
+ *
+ * @par flow = the flow to analyze
+ * @return the error code or 0 otherwise
+ *
+ */
+ u_int32_t ndpi_get_flow_error_code(struct ndpi_flow_struct *flow);
+
+ /**
 * nDPI personal allocation and free functions
 **/
 void * ndpi_malloc(size_t size);
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 124347fb0..2644a73df 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1300,6 +1300,12 @@ struct ndpi_flow_struct {
 char fingerprint[48];
 char class_ident[48];
 } dhcp;
+
+ struct {
+ u_int8_t version; /* 0 = SNMPv1, 1 = SNMPv2c, 3 = SNMPv3 */
+ u_int8_t primitive; /* GET, SET... */
+ u_int8_t error_status;
+ } snmp;
 } protos;
 /*** ALL protocol specific 64 bit variables here ***/
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 63a5cec89..ea148f117 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -113,7 +113,7 @@ static ndpi_risk_info ndpi_known_risks[] = {
 { NDPI_TLS_SELFSIGNED_CERTIFICATE, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
 { NDPI_TLS_OBSOLETE_VERSION, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
 { NDPI_TLS_WEAK_CIPHER, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
- { NDPI_TLS_CERTIFICATE_EXPIRED, NDPI_RISK_HIGH, CLIENT_FAIR_RISK_PERCENTAGE },
+ { NDPI_TLS_CERTIFICATE_EXPIRED, NDPI_RISK_HIGH, CLIENT_LOW_RISK_PERCENTAGE },
 { NDPI_TLS_CERTIFICATE_MISMATCH, NDPI_RISK_HIGH, CLIENT_FAIR_RISK_PERCENTAGE },
 { NDPI_HTTP_SUSPICIOUS_USER_AGENT, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
 { NDPI_HTTP_NUMERIC_IP_HOST, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE },
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index b9ffeb72f..2ecb5f0de 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -856,34 +856,30 @@ int ndpi_has_human_readeable_string(struct ndpi_detection_module_struct *ndpi_st
 /* ********************************** */
 static const char* ndpi_get_flow_info_by_proto_id(struct ndpi_flow_struct const * const flow,
- u_int16_t proto_id)
-{
- switch (proto_id)
- {
- case NDPI_PROTOCOL_DNS:
- case NDPI_PROTOCOL_HTTP:
- return flow->host_server_name;
- case NDPI_PROTOCOL_QUIC:
- case NDPI_PROTOCOL_TLS:
- if (flow->protos.tls_quic.hello_processed != 0)
- {
- return flow->host_server_name;
- }
- break;
+ u_int16_t proto_id) {
+ switch (proto_id) {
+ case NDPI_PROTOCOL_DNS:
+ case NDPI_PROTOCOL_HTTP:
+ return flow->host_server_name;
+
+ case NDPI_PROTOCOL_QUIC:
+ case NDPI_PROTOCOL_TLS:
+ if (flow->protos.tls_quic.hello_processed != 0)
+ return flow->host_server_name;
+ break;
 }
-
+
 return NULL;
 }
+/* ********************************** */
+
 const char* ndpi_get_flow_info(struct ndpi_flow_struct const * const flow,
- ndpi_protocol const * const l7_protocol)
-{
+ ndpi_protocol const * const l7_protocol) {
 char const * const app_protocol_info = ndpi_get_flow_info_by_proto_id(flow, l7_protocol->app_protocol);
- if (app_protocol_info != NULL)
- {
- return app_protocol_info;
- }
+ if (app_protocol_info != NULL)
+ return app_protocol_info;
 return ndpi_get_flow_info_by_proto_id(flow, l7_protocol->master_protocol);
 }
@@ -1788,7 +1784,7 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
 return("Weak TLS Cipher");
 case NDPI_TLS_CERTIFICATE_EXPIRED:
- return("TLS Cert Expire");
+ return("TLS Cert Expired");
 case NDPI_TLS_CERTIFICATE_MISMATCH:
 return("TLS Cert Mismatch");
@@ -2436,6 +2432,23 @@ void ndpi_set_tls_cert_expire_days(struct ndpi_detection_module_struct *ndpi_str
 /* ******************************************* */
+u_int32_t ndpi_get_flow_error_code(struct ndpi_flow_struct *flow) {
+ switch(flow->detected_protocol_stack[0] /* app_protocol */) {
+ case NDPI_PROTOCOL_DNS:
+ return(flow->protos.dns.reply_code);
+
+ case NDPI_PROTOCOL_HTTP:
+ return(flow->http.response_status_code);
+
+ case NDPI_PROTOCOL_SNMP:
+ return(flow->protos.snmp.error_status);
+ }
+
+ return(0);
+}
+
+/* ******************************************* */
+
 int ndpi_vsnprintf(char * str, size_t size, char const * format, va_list va_args)
 {
 #ifdef WIN32
@@ -2457,6 +2470,8 @@ int ndpi_vsnprintf(char * str, size_t size, char const * format, va_list va_args
 #endif
 }
+/* ******************************************* */
+
 int ndpi_snprintf(char * str, size_t size, char const * format, ...)
 {
 va_list va_args;
@@ -2466,3 +2481,4 @@ int ndpi_snprintf(char * str, size_t size, char const * format, ...)
 va_end(va_args);
 return ret;
 }
+
diff --git a/src/lib/protocols/snmp_proto.c b/src/lib/protocols/snmp_proto.c
index c4c2b95b9..07d5ce35f 100644
--- a/src/lib/protocols/snmp_proto.c
+++ b/src/lib/protocols/snmp_proto.c
@@ -97,11 +97,13 @@ void ndpi_search_snmp(struct ndpi_detection_module_struct *ndpi_struct,
 len = get_int(&packet->payload[1], packet->payload_packet_len - 1, &len_length);
+ flow->protos.snmp.version = packet->payload[1 + len_length + 2];
+
 if(len > 2 && 1 + len_length + len == packet->payload_packet_len &&
- (packet->payload[1 + len_length + 2] == 0 /* SNMPv1 */ ||
- packet->payload[1 + len_length + 2] == 1 /* SNMPv2c */ ||
- packet->payload[1 + len_length + 2] == 3 /* SNMPv3 */)) {
+ ((flow->protos.snmp.version == 0 /* SNMPv1 */) ||
+ (flow->protos.snmp.version == 1 /* SNMPv2c */) ||
+ (flow->protos.snmp.version == 3 /* SNMPv3 */))) {
 if(flow->extra_packets_func == NULL) {
 ndpi_int_snmp_add_connection(ndpi_struct, flow);
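Review bot: `ndpi_get_flow_error_code()` returns `flow->http.response_status_code` for HTTP, which (presumably) holds the status of any response, so a successful 200 is reported where the new comment in ndpi_api.h.in (first hunk of this commit) promises "the error code or 0 otherwise", and a caller testing the result for non-zero will flag every HTTP flow. Either return the status only when it is 4xx/5xx, or make the contract explicit in that header comment: `@return the DNS reply code, the HTTP response status code (successes included), the SNMP error-status, or 0 for other protocols`. The switch also keys only on `detected_protocol_stack[0]`; if, as the `/* app_protocol */` comment suggests, the master protocol lives in `[1]`, a flow carried over HTTP but classified as a sub-protocol falls through to 0, whereas `ndpi_get_flow_info()` earlier in this file retries with the master protocol after the app protocol. `flow` is dereferenced without a NULL check, which matches the neighbouring accessors but is worth stating in the header comment.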
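Review bot: The added `flow->protos.snmp.version = packet->payload[1 + len_length + 2];` reads the payload before the `len > 2 && 1 + len_length + len == packet->payload_packet_len` test that previously guarded this very index through short-circuit evaluation, so a short or malformed packet can now read past `payload_packet_len` unless a check earlier in `ndpi_search_snmp()` (the function starts outside the hunk) already bounds it. It also stores into `flow->protos` for a flow that is not yet confirmed as SNMP — `ndpi_int_snmp_add_connection()` runs only afterwards — which clobbers another dissector's state if `protos` is a union, as the `} protos;` closing in ndpi_typedefs.h suggests. Keeping the bounds test first avoids both: `if(len > 2 && 1 + len_length + len == packet->payload_packet_len)` / `flow->protos.snmp.version = packet->payload[1 + len_length + 2];`, or read the byte into a local and store it only inside the accepting branch.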
@@ -125,6 +127,8 @@ void ndpi_search_snmp(struct ndpi_detection_module_struct *ndpi_struct,
 if(snmp_primitive_offset < packet->payload_packet_len) {
 u_int8_t snmp_primitive = packet->payload[snmp_primitive_offset] & 0xF;
+ flow->protos.snmp.primitive = snmp_primitive;
+
 if(snmp_primitive == 2 /* Get Response */ && snmp_primitive_offset + 1 < packet->payload_packet_len) {
 offset = snmp_primitive_offset + 1;
@@ -145,6 +149,8 @@ void ndpi_search_snmp(struct ndpi_detection_module_struct *ndpi_struct,
 flow->extra_packets_func = NULL; /* We're good now */
+ flow->protos.snmp.error_status = error_status;
+
 if(error_status != 0) ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED);
 }
@@ -152,6 +158,7 @@ void ndpi_search_snmp(struct ndpi_detection_module_struct *ndpi_struct,
 }
 }
 }
+ return;
 }
 }
diff --git a/tests/result/discord.pcap.out b/tests/result/discord.pcap.out
index 7b23359cf..b3732bde5 100644
--- a/tests/result/discord.pcap.out
+++ b/tests/result/discord.pcap.out
@@ -10,4 +10,4 @@ JA3 Host Stats: 1 10.0.2.15 1 - 1 TCP 10.0.2.15:42834 <-> 162.159.128.233:443 [proto: 91.58/TLS.Discord][Encrypted][Confidence: DPI][cat: Collaborative/15][3 pkts/451 bytes <-> 4 pkts/3257 bytes][Goodput ratio: 60/93][0.05 sec][Hostname/SNI: discord.com][ALPN: h2;http/1.1][bytes ratio: -0.757 (Download)][IAT c2s/s2c min/avg/max/stddev: 16/0 20/13 23/22 4/9][Pkt Len c2s/s2c min/avg/max/stddev: 74/58 150/814 230/1506 64/609][Risk: ** TLS Cert Expire **][Risk Score: 100][TLSv1.2][JA3C: 6f5e62edfa5933b1332ddf8b9fb3ef9d][ServerNames: discord.com,sni.cloudflaressl.com,*.discord.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: 31:3B:70:94:D5:DF:90:78:9C:A0:74:26:20:24:E4:3D:92:A7:57:9D][Safari][Validity: 2021-01-19 00:00:00 - 2022-01-18 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,20,0,0,20,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,20,0,0] + 1 TCP 10.0.2.15:42834 <-> 162.159.128.233:443 [proto: 91.58/TLS.Discord][Encrypted][Confidence: DPI][cat: Collaborative/15][3 pkts/451 bytes <-> 4 pkts/3257 bytes][Goodput ratio: 60/93][0.05 sec][Hostname/SNI: discord.com][ALPN: h2;http/1.1][bytes ratio: -0.757 (Download)][IAT c2s/s2c min/avg/max/stddev: 16/0 20/13 23/22 4/9][Pkt Len c2s/s2c min/avg/max/stddev: 74/58 150/814 230/1506 64/609][Risk: ** TLS Cert Expired **][Risk Score: 100][TLSv1.2][JA3C: 6f5e62edfa5933b1332ddf8b9fb3ef9d][ServerNames: discord.com,sni.cloudflaressl.com,*.discord.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: 31:3B:70:94:D5:DF:90:78:9C:A0:74:26:20:24:E4:3D:92:A7:57:9D][Safari][Validity: 2021-01-19 00:00:00 - 2022-01-18 23:59:59][Cipher: 
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,20,0,0,20,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,20,0,0]
diff --git a/tests/result/dnscrypt-v2-doh.pcap.out b/tests/result/dnscrypt-v2-doh.pcap.out
index dfbefa01b..7b2a67879 100644
--- a/tests/result/dnscrypt-v2-doh.pcap.out
+++ b/tests/result/dnscrypt-v2-doh.pcap.out
@@ -16,12 +16,12 @@ JA3 Host Stats: 4 TCP 10.0.0.1:52028 <-> 45.76.113.31:8443 [proto: 91.196/TLS.DoH_DoT][Encrypted][Confidence: DPI][cat: Network/14][9 pkts/1438 bytes <-> 11 pkts/6319 bytes][Goodput ratio: 66/91][30.97 sec][Hostname/SNI: doh.seby.io][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.629 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4379/3404 30317/30002 10590/9405][Pkt Len c2s/s2c min/avg/max/stddev: 78/93 160/574 335/1464 75/564][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.3][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][PLAIN TEXT (ffffffDDDDDD)][Plen Bins: 10,15,30,10,0,5,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,10,0,0,0] 5 TCP 10.0.0.1:57058 <-> 46.227.200.54:443 [proto: 91.196/TLS.DoH_DoT][Encrypted][Confidence: DPI][cat: Network/14][9 pkts/1445 bytes <-> 8 pkts/5948 bytes][Goodput ratio: 66/93][30.13 sec][Hostname/SNI: rdns.faelix.net][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.609 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4304/5014 30049/30000 10511/11174][Pkt Len c2s/s2c min/avg/max/stddev: 78/89 161/744 339/2958 74/935][TLSv1.3][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 12,12,25,12,0,5,5,0,5,0,5,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5] 6 TCP 10.0.0.1:55322 <-> 185.134.196.55:443 [proto: 91.196/TLS.DoH_DoT][Encrypted][Confidence: DPI][cat: Network/14][10 pkts/1532 bytes <-> 7 pkts/5815 bytes][Goodput ratio: 65/93][16.35 sec][Hostname/SNI: rdns.faelix.net][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.583 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2039/3262 16237/16242 5366/6490][Pkt Len c2s/s2c min/avg/max/stddev: 78/78 153/831 339/2958 
74/969][TLSv1.3][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 18,5,25,12,0,5,5,0,5,0,5,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5] - 7 TCP 10.0.0.1:38186 <-> 185.43.135.1:443 [proto: 91.196/TLS.DoH_DoT][Encrypted][Confidence: DPI][cat: Network/14][11 pkts/1728 bytes <-> 13 pkts/5220 bytes][Goodput ratio: 66/87][10.17 sec][Hostname/SNI: odvr.nic.cz][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.503 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1263/1013 10000/10000 3302/2996][Pkt Len c2s/s2c min/avg/max/stddev: 85/92 157/402 335/3057 70/784][Risk: ** TLS Cert Expire **][Risk Score: 100][TLSv1.2][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][ServerNames: odvr.nic.cz][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3][Subject: CN=odvr.nic.cz][Certificate SHA-1: 15:57:4E:06:5B:3D:23:22:EF:BC:2E:5B:A3:3E:A5:76:BD:14:01:4B][Firefox][Validity: 2020-08-03 06:53:50 - 2020-11-01 06:53:50][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (DDDDDDffffff)][Plen Bins: 4,51,12,12,0,4,0,0,4,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4] + 7 TCP 10.0.0.1:38186 <-> 185.43.135.1:443 [proto: 91.196/TLS.DoH_DoT][Encrypted][Confidence: DPI][cat: Network/14][11 pkts/1728 bytes <-> 13 pkts/5220 bytes][Goodput ratio: 66/87][10.17 sec][Hostname/SNI: odvr.nic.cz][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.503 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1263/1013 10000/10000 3302/2996][Pkt Len c2s/s2c min/avg/max/stddev: 85/92 157/402 335/3057 70/784][Risk: ** TLS Cert Expired **][Risk Score: 100][TLSv1.2][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][ServerNames: odvr.nic.cz][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3][Subject: 
CN=odvr.nic.cz][Certificate SHA-1: 15:57:4E:06:5B:3D:23:22:EF:BC:2E:5B:A3:3E:A5:76:BD:14:01:4B][Firefox][Validity: 2020-08-03 06:53:50 - 2020-11-01 06:53:50][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (DDDDDDffffff)][Plen Bins: 4,51,12,12,0,4,0,0,4,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4] 8 TCP 10.0.0.1:55962 <-> 51.158.147.50:443 [proto: 91.196/TLS.DoH_DoT][Encrypted][Confidence: DPI][cat: Network/14][10 pkts/1540 bytes <-> 7 pkts/5403 bytes][Goodput ratio: 65/93][23.03 sec][Hostname/SNI: resolver-eu.lelux.fi][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.556 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2879/17 22962/28 7591/14][Pkt Len c2s/s2c min/avg/max/stddev: 78/102 154/772 344/3185 77/1040][TLSv1.3][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 11,11,37,11,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5] 9 TCP 10.0.0.1:60026 <-> 195.30.94.28:443 [proto: 91.196/TLS.DoH_DoT][Encrypted][Confidence: DPI][cat: Network/14][9 pkts/1455 bytes <-> 6 pkts/5347 bytes][Goodput ratio: 67/94][10.04 sec][Hostname/SNI: doh.ffmuc.net][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.572 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 1434/37 9925/63 3467/26][Pkt Len c2s/s2c min/avg/max/stddev: 78/89 162/891 337/2958 74/961][TLSv1.3][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 13,6,20,13,0,6,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6] 10 TCP 10.0.0.1:40938 <-> 172.104.93.80:443 [proto: 91.196/TLS.DoH_DoT][Encrypted][Confidence: DPI][cat: Network/14][10 pkts/1523 bytes <-> 6 pkts/5217 bytes][Goodput ratio: 65/94][22.42 sec][Hostname/SNI: jp.tiar.app][ALPN: h2;http/1.1][TLS Supported 
Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.548 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2778/5507 21637/21834 7129/9427][Pkt Len c2s/s2c min/avg/max/stddev: 78/78 152/870 335/2248 74/759][TLSv1.3][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][JA3S: 475c9302dc42b2751db9edcac3b74891][Firefox][Cipher: TLS_CHACHA20_POLY1305_SHA256][PLAIN TEXT (ffffffDDDDDD)][Plen Bins: 18,6,18,12,0,6,0,0,12,0,0,0,0,6,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,6] 11 TCP 10.0.0.1:46658 <-> 185.233.106.232:443 [proto: 91.196/TLS.DoH_DoT][Encrypted][Confidence: DPI][cat: Network/14][8 pkts/1437 bytes <-> 7 pkts/5154 bytes][Goodput ratio: 70/93][27.98 sec][Hostname/SNI: dns.dnshome.de][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.564 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4659/5583 27865/27889 10378/11153][Pkt Len c2s/s2c min/avg/max/stddev: 78/78 180/736 389/2958 111/936][TLSv1.3][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 21,6,13,13,0,0,6,0,6,0,13,0,0,0,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6] - 12 TCP 10.0.0.1:35714 <-> 209.250.241.25:443 [proto: 91.196/TLS.DoH_DoT][Encrypted][Confidence: DPI][cat: Network/14][9 pkts/1516 bytes <-> 9 pkts/5023 bytes][Goodput ratio: 68/90][6.97 sec][Hostname/SNI: jarjar.meganerd.nl][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.536 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 992/7 6894/26 2409/11][Pkt Len c2s/s2c min/avg/max/stddev: 85/92 168/558 342/2102 74/700][Risk: ** TLS Cert Expire **][Risk Score: 100][TLSv1.2][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][ServerNames: jarjar.meganerd.nl][JA3S: 2464432ec440b95b36263230c3148d11][Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3][Subject: CN=jarjar.meganerd.nl][Certificate SHA-1: 
17:C9:8C:F5:DD:1F:0E:0F:DC:C5:42:4F:ED:C4:CD:57:5A:5D:7A:4F][Firefox][Validity: 2020-07-14 23:47:21 - 2020-10-12 23:47:21][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][PLAIN TEXT (DDDDDDffffff)][Plen Bins: 5,28,23,11,0,5,0,0,0,5,5,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,5] + 12 TCP 10.0.0.1:35714 <-> 209.250.241.25:443 [proto: 91.196/TLS.DoH_DoT][Encrypted][Confidence: DPI][cat: Network/14][9 pkts/1516 bytes <-> 9 pkts/5023 bytes][Goodput ratio: 68/90][6.97 sec][Hostname/SNI: jarjar.meganerd.nl][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.536 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 992/7 6894/26 2409/11][Pkt Len c2s/s2c min/avg/max/stddev: 85/92 168/558 342/2102 74/700][Risk: ** TLS Cert Expired **][Risk Score: 100][TLSv1.2][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][ServerNames: jarjar.meganerd.nl][JA3S: 2464432ec440b95b36263230c3148d11][Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3][Subject: CN=jarjar.meganerd.nl][Certificate SHA-1: 17:C9:8C:F5:DD:1F:0E:0F:DC:C5:42:4F:ED:C4:CD:57:5A:5D:7A:4F][Firefox][Validity: 2020-07-14 23:47:21 - 2020-10-12 23:47:21][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][PLAIN TEXT (DDDDDDffffff)][Plen Bins: 5,28,23,11,0,5,0,0,0,5,5,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,5] 13 TCP 10.0.0.1:52386 <-> 51.15.124.208:443 [proto: 91.196/TLS.DoH_DoT][Encrypted][Confidence: DPI][cat: Network/14][10 pkts/1536 bytes <-> 8 pkts/4974 bytes][Goodput ratio: 65/91][16.18 sec][Hostname/SNI: dnsnl.alekberg.net][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.528 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2022/11 16115/27 5327/12][Pkt Len c2s/s2c min/avg/max/stddev: 78/85 154/622 342/2958 76/923][TLSv1.3][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Firefox][Cipher: TLS_AES_128_GCM_SHA256][PLAIN TEXT (DDDDDDffffff)][Plen Bins: 
16,23,16,11,5,5,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5] 14 TCP 10.0.0.1:37530 <-> 167.114.220.125:453 [proto: 91.196/TLS.DoH_DoT][Encrypted][Confidence: DPI][cat: Network/14][10 pkts/1537 bytes <-> 10 pkts/4945 bytes][Goodput ratio: 65/89][17.40 sec][Hostname/SNI: dns1.dnscrypt.ca][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.526 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2161/2161 17071/17045 5636/5626][Pkt Len c2s/s2c min/avg/max/stddev: 78/78 154/494 340/3154 76/905][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.3][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][PLAIN TEXT (ffffffDDDDDD)][Plen Bins: 15,30,20,10,0,5,0,0,5,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5] 15 TCP 10.0.0.1:59404 <-> 185.253.154.66:443 [proto: 91.196/TLS.DoH_DoT][Encrypted][Confidence: DPI][cat: Network/14][10 pkts/1536 bytes <-> 7 pkts/4898 bytes][Goodput ratio: 65/92][22.86 sec][Hostname/SNI: dnses.alekberg.net][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.523 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2857/18 22768/44 7526/21][Pkt Len c2s/s2c min/avg/max/stddev: 78/89 154/700 342/2958 76/962][TLSv1.3][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 11,25,18,11,5,5,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5] 
@@ -39,7 +39,7 @@ JA3 Host Stats: 27 TCP 10.0.0.1:43718 <-> 146.255.56.98:443 [proto: 91.196/TLS.DoH_DoT][Encrypted][Confidence: DPI][cat: Network/14][10 pkts/1553 bytes <-> 6 pkts/4353 bytes][Goodput ratio: 65/92][30.17 sec][Hostname/SNI: doh.appliedprivacy.net][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.474 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3770/28 30000/76 9914/31][Pkt Len c2s/s2c min/avg/max/stddev: 78/60 155/726 346/2958 76/1013][TLSv1.3][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][PLAIN TEXT (DDDDDDffffff)][Plen Bins: 18,6,25,12,0,6,6,0,0,6,6,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6] 28 TCP 10.0.0.1:33338 <-> 45.90.28.0:443 [proto: 91.196/TLS.DoH_DoT][Encrypted][Confidence: DPI][cat: Network/14][9 pkts/1448 bytes <-> 12 pkts/4333 bytes][Goodput ratio: 66/85][30.15 sec][Hostname/SNI: dns.nextdns.io][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.499 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4302/3342 30042/30000 10508/9425][Pkt Len c2s/s2c min/avg/max/stddev: 78/78 161/361 338/1506 76/508][TLSv1.3][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 14,29,14,14,0,9,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,4,0,0] 29 TCP 10.0.0.1:39214 <-> 104.28.0.106:443 [proto: 91.196/TLS.DoH_DoT][Encrypted][Confidence: DPI][cat: Network/14][10 pkts/1548 bytes <-> 8 pkts/4123 bytes][Goodput ratio: 65/90][30.16 sec][Hostname/SNI: doh.crypto.sx][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.454 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3768/16 30000/41 9915/17][Pkt Len c2s/s2c min/avg/max/stddev: 78/85 155/515 337/1506 75/486][TLSv1.3][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][JA3S: 
eb1d94daa7e0344597e756a1fb6e7054][Firefox][Cipher: TLS_AES_128_GCM_SHA256][PLAIN TEXT (DDDDDDffffff)][Plen Bins: 23,5,23,5,5,5,0,0,5,5,0,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0] - 30 TCP 10.0.0.1:35742 <-> 209.250.241.25:443 [proto: 91.196/TLS.DoH_DoT][Encrypted][Confidence: DPI][cat: Network/14][7 pkts/1246 bytes <-> 7 pkts/4395 bytes][Goodput ratio: 70/91][8.59 sec][Hostname/SNI: jarjar.meganerd.nl][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.558 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1692/30 8406/95 3357/35][Pkt Len c2s/s2c min/avg/max/stddev: 85/92 178/628 342/2102 82/772][Risk: ** TLS Cert Expire **][Risk Score: 100][TLSv1.2][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][ServerNames: jarjar.meganerd.nl][JA3S: 2464432ec440b95b36263230c3148d11][Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3][Subject: CN=jarjar.meganerd.nl][Certificate SHA-1: 17:C9:8C:F5:DD:1F:0E:0F:DC:C5:42:4F:ED:C4:CD:57:5A:5D:7A:4F][Firefox][Validity: 2020-07-14 23:47:21 - 2020-10-12 23:47:21][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][PLAIN TEXT (DDDDDDffffff)][Plen Bins: 7,28,21,0,7,7,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,7] + 30 TCP 10.0.0.1:35742 <-> 209.250.241.25:443 [proto: 91.196/TLS.DoH_DoT][Encrypted][Confidence: DPI][cat: Network/14][7 pkts/1246 bytes <-> 7 pkts/4395 bytes][Goodput ratio: 70/91][8.59 sec][Hostname/SNI: jarjar.meganerd.nl][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.558 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1692/30 8406/95 3357/35][Pkt Len c2s/s2c min/avg/max/stddev: 85/92 178/628 342/2102 82/772][Risk: ** TLS Cert Expired **][Risk Score: 100][TLSv1.2][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][ServerNames: jarjar.meganerd.nl][JA3S: 2464432ec440b95b36263230c3148d11][Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3][Subject: CN=jarjar.meganerd.nl][Certificate 
SHA-1: 17:C9:8C:F5:DD:1F:0E:0F:DC:C5:42:4F:ED:C4:CD:57:5A:5D:7A:4F][Firefox][Validity: 2020-07-14 23:47:21 - 2020-10-12 23:47:21][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][PLAIN TEXT (DDDDDDffffff)][Plen Bins: 7,28,21,0,7,7,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,7] 31 TCP 10.0.0.1:44704 <-> 185.235.81.1:443 [proto: 91.196/TLS.DoH_DoT][Encrypted][Confidence: DPI][cat: Network/14][8 pkts/1243 bytes <-> 5 pkts/4229 bytes][Goodput ratio: 65/94][30.09 sec][Hostname/SNI: doh.dnslify.com][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.546 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5008/14 30000/22 11177/10][Pkt Len c2s/s2c min/avg/max/stddev: 78/78 155/846 339/3168 83/1174][TLSv1.3][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 24,7,24,7,0,7,0,7,7,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7] 32 TCP 10.0.0.1:51846 <-> 9.9.9.10:443 [proto: 91.196/TLS.DoH_DoT][Encrypted][Confidence: DPI][cat: Network/14][7 pkts/1155 bytes <-> 5 pkts/4098 bytes][Goodput ratio: 67/93][30.09 sec][Hostname/SNI: dns10.quad9.net][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.560 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 13/19 47/46 18/19][Pkt Len c2s/s2c min/avg/max/stddev: 78/119 165/820 339/3068 84/1136][TLSv1.3][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][PLAIN TEXT (ffffffDDDDDD)][Plen Bins: 16,0,34,8,8,8,0,0,8,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8] 33 TCP 10.0.0.1:53674 <-> 139.99.222.72:443 [proto: 91.196/TLS.DoH_DoT][Encrypted][Confidence: DPI][cat: Network/14][2 pkts/421 bytes <-> 2 pkts/2872 bytes][Goodput ratio: 74/96][0.26 sec][Hostname/SNI: doh-2.seby.io][ALPN: h2;http/1.1][TLS Supported Versions: 
TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][TLSv1.3][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 25,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,25,0,0,0]
diff --git a/tests/result/dtls_certificate.pcapng.out b/tests/result/dtls_certificate.pcapng.out
index 3c9782c97..3955162de 100644
--- a/tests/result/dtls_certificate.pcapng.out
+++ b/tests/result/dtls_certificate.pcapng.out
@@ -9,4 +9,4 @@ JA3 Host Stats: IP Address # JA3C - 1 UDP 191.62.60.190:443 -> 163.205.15.180:38876 [proto: 91.147/TLS.WindowsUpdate][Encrypted][Confidence: DPI][cat: SoftwareUpdate/19][1 pkts/1486 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][< 1 sec][Risk: ** Known Proto on Non Std Port **** TLS Cert Expire **][Risk Score: 150][JA3S: 953c1507994f72697446de4eff6e300b][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Update Secure Server CA 1][Subject: C=US, ST=Washington, L=Redmond, O=Microsoft, OU=DSP, CN=www.update.microsoft.com][Certificate SHA-1: D1:88:0F:51:C1:01:91:72:A1:A4:6E:69:F4:33:7F:FE:3E:C4:F0:39][Validity: 2017-02-27 12:00:00 - 2019-02-27 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][PLAIN TEXT (Washington1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0] + 1 UDP 191.62.60.190:443 -> 163.205.15.180:38876 [proto: 91.147/TLS.WindowsUpdate][Encrypted][Confidence: DPI][cat: SoftwareUpdate/19][1 pkts/1486 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][< 1 sec][Risk: ** Known Proto on Non Std Port **** TLS Cert Expired **][Risk Score: 150][JA3S: 953c1507994f72697446de4eff6e300b][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Update Secure Server CA 1][Subject: C=US, ST=Washington, L=Redmond, O=Microsoft, OU=DSP, CN=www.update.microsoft.com][Certificate SHA-1: D1:88:0F:51:C1:01:91:72:A1:A4:6E:69:F4:33:7F:FE:3E:C4:F0:39][Validity: 2017-02-27 12:00:00 - 2019-02-27 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][PLAIN TEXT (Washington1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0] diff --git a/tests/result/gnutella.pcap.out b/tests/result/gnutella.pcap.out index b248c0d83..7c634ebdb 100644 --- a/tests/result/gnutella.pcap.out +++ b/tests/result/gnutella.pcap.out 
@@ -57,7 +57,7 @@ JA3 Host Stats: 25 UDP 10.0.2.15:28681 <-> 89.75.52.19:46010 [proto: 35/Gnutella][ClearText][Confidence: DPI][cat: Download/7][7 pkts/939 bytes <-> 7 pkts/3639 bytes][Goodput ratio: 69/92][197.35 sec][bytes ratio: -0.590 (Download)][IAT c2s/s2c min/avg/max/stddev: 98/59 16969/16961 46205/46196 16968/16973][Pkt Len c2s/s2c min/avg/max/stddev: 70/130 134/520 274/769 60/291][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (.LGTKG)][Plen Bins: 7,7,35,7,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 26 UDP 10.0.2.15:28681 <-> 203.220.198.244:1194 [proto: 35/Gnutella][ClearText][Confidence: DPI][cat: Download/7][7 pkts/939 bytes <-> 7 pkts/3509 bytes][Goodput ratio: 69/92][197.83 sec][bytes ratio: -0.578 (Download)][IAT c2s/s2c min/avg/max/stddev: 313/315 17988/17988 51261/51260 18094/18093][Pkt Len c2s/s2c min/avg/max/stddev: 70/130 134/501 274/769 60/309][Risk: ** Known Proto on Non Std Port **** Unsafe Protocol **][Risk Score: 60][PLAIN TEXT (client)][Plen Bins: 7,7,35,14,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 27 UDP 10.0.2.15:28681 <-> 46.128.114.107:6578 [proto: 35/Gnutella][ClearText][Confidence: DPI][cat: Download/7][7 pkts/939 bytes <-> 7 pkts/3501 bytes][Goodput ratio: 69/92][197.45 sec][bytes ratio: -0.577 (Download)][IAT c2s/s2c min/avg/max/stddev: 60/40 16942/16932 46247/46248 16994/16998][Pkt Len c2s/s2c min/avg/max/stddev: 70/128 134/500 274/769 60/311][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (client)][Plen Bins: 7,7,35,14,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 28 TCP 10.0.2.15:50314 <-> 80.7.252.192:6888 [proto: 91/TLS][Encrypted][Confidence: DPI][cat: Web/5][10 pkts/1582 bytes <-> 11 pkts/2813 bytes][Goodput ratio: 65/79][0.20 sec][bytes ratio: -0.280 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 19/17 69/69 25/25][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 158/256 
663/1514 187/429][Risk: ** Known Proto on Non Std Port **** Self-signed Cert **** TLS Cert Expire **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** TLS Cert Validity Too Long **][Risk Score: 360][TLSv1.2][JA3C: 6992dc627532d4fbccd43fb03d3bdeb4][JA3S: 1249fb68f48c0444718e4d3b48b27188][Issuer: CN=gtk-gnutella/1.2.1][Subject: CN=gtk-gnutella/1.2.1][Certificate SHA-1: E8:DD:F0:B2:FF:8C:27:5A:12:75:D4:AE:60:1B:D9:87:E8:FF:45:93][Firefox][Validity: 2021-12-05 22:34:00 - 2037-12-31 23:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 12,12,0,12,12,0,0,0,12,0,0,0,0,0,0,0,0,12,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0] + 28 TCP 10.0.2.15:50314 <-> 80.7.252.192:6888 [proto: 91/TLS][Encrypted][Confidence: DPI][cat: Web/5][10 pkts/1582 bytes <-> 11 pkts/2813 bytes][Goodput ratio: 65/79][0.20 sec][bytes ratio: -0.280 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 19/17 69/69 25/25][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 158/256 663/1514 187/429][Risk: ** Known Proto on Non Std Port **** Self-signed Cert **** TLS Cert Expired **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** TLS Cert Validity Too Long **][Risk Score: 360][TLSv1.2][JA3C: 6992dc627532d4fbccd43fb03d3bdeb4][JA3S: 1249fb68f48c0444718e4d3b48b27188][Issuer: CN=gtk-gnutella/1.2.1][Subject: CN=gtk-gnutella/1.2.1][Certificate SHA-1: E8:DD:F0:B2:FF:8C:27:5A:12:75:D4:AE:60:1B:D9:87:E8:FF:45:93][Firefox][Validity: 2021-12-05 22:34:00 - 2037-12-31 23:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 12,12,0,12,12,0,0,0,12,0,0,0,0,0,0,0,0,12,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0] 29 UDP 10.0.2.15:28681 <-> 45.31.152.112:26851 [proto: 35/Gnutella][ClearText][Confidence: DPI][cat: Download/7][6 pkts/836 bytes <-> 5 pkts/3224 bytes][Goodput ratio: 70/93][186.46 sec][bytes ratio: -0.588 (Download)][IAT c2s/s2c min/avg/max/stddev: 7100/7142 19000/19000 44374/44331 14989/14962][Pkt Len c2s/s2c min/avg/max/stddev: 
70/148 139/645 274/769 63/248][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (u.GTKG)][Plen Bins: 9,0,36,9,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,36,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 30 UDP 10.0.2.15:28681 <-> 96.65.68.194:35481 [proto: 35/Gnutella][ClearText][Confidence: DPI][cat: Download/7][6 pkts/836 bytes <-> 5 pkts/3224 bytes][Goodput ratio: 70/93][197.61 sec][bytes ratio: -0.588 (Download)][IAT c2s/s2c min/avg/max/stddev: 5017/5014 21044/21044 46304/46310 15712/15715][Pkt Len c2s/s2c min/avg/max/stddev: 70/148 139/645 274/769 63/248][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (client)][Plen Bins: 9,0,36,9,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,36,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 31 UDP 10.0.2.15:28681 <-> 181.84.178.16:60262 [proto: 35/Gnutella][ClearText][Confidence: DPI][cat: Download/7][5 pkts/766 bytes <-> 5 pkts/3224 bytes][Goodput ratio: 72/93][84.70 sec][bytes ratio: -0.616 (Download)][IAT c2s/s2c min/avg/max/stddev: 5114/5194 21079/21064 46304/46263 15704/15629][Pkt Len c2s/s2c min/avg/max/stddev: 123/148 153/645 274/769 60/248][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (client)][Plen Bins: 0,0,40,10,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/selfsigned.pcap.out b/tests/result/selfsigned.pcap.out index e002a6ed7..c1e28a8b7 100644 --- a/tests/result/selfsigned.pcap.out +++ b/tests/result/selfsigned.pcap.out 
@@ -10,4 +10,4 @@ JA3 Host Stats: 1 127.0.0.1 1 - 1 TCP 127.0.0.1:51607 <-> 127.0.0.1:3001 [proto: 91.26/TLS.ntop][Encrypted][Confidence: DPI][cat: Network/14][10 pkts/1421 bytes <-> 10 pkts/2345 bytes][Goodput ratio: 60/76][0.05 sec][Hostname/SNI: localhost][ALPN: h2;http/1.1][bytes ratio: -0.245 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5/7 32/32 10/11][Pkt Len c2s/s2c min/avg/max/stddev: 56/44 142/234 573/1413 156/408][Risk: ** Known Proto on Non Std Port **** Self-signed Cert **** TLS Cert Expire **][Risk Score: 250][TLSv1.2][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][JA3S: 0debd3853f330c574b05e0b6d882dc27][Issuer: C=IT, ST=Some-State, O=ntop.org][Subject: C=IT, ST=Some-State, O=ntop.org][Certificate SHA-1: AF:CC:98:49:F2:00:0E:05:21:18:6C:77:5F:2A:CF:10:44:6E:D8:8B][Firefox][Validity: 2015-10-10 15:55:47 - 2016-10-09 15:55:47][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 14,14,0,14,0,0,14,0,0,0,0,14,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0] + 1 TCP 127.0.0.1:51607 <-> 127.0.0.1:3001 [proto: 91.26/TLS.ntop][Encrypted][Confidence: DPI][cat: Network/14][10 pkts/1421 bytes <-> 10 pkts/2345 bytes][Goodput ratio: 60/76][0.05 sec][Hostname/SNI: localhost][ALPN: h2;http/1.1][bytes ratio: -0.245 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5/7 32/32 10/11][Pkt Len c2s/s2c min/avg/max/stddev: 56/44 142/234 573/1413 156/408][Risk: ** Known Proto on Non Std Port **** Self-signed Cert **** TLS Cert Expired **][Risk Score: 250][TLSv1.2][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][JA3S: 0debd3853f330c574b05e0b6d882dc27][Issuer: C=IT, ST=Some-State, O=ntop.org][Subject: C=IT, ST=Some-State, O=ntop.org][Certificate SHA-1: AF:CC:98:49:F2:00:0E:05:21:18:6C:77:5F:2A:CF:10:44:6E:D8:8B][Firefox][Validity: 2015-10-10 15:55:47 - 2016-10-09 15:55:47][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 14,14,0,14,0,0,14,0,0,0,0,14,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0] 
diff --git a/tests/result/tls-rdn-extract.pcap.out b/tests/result/tls-rdn-extract.pcap.out index 60098fdfe..75e89235b 100644 --- a/tests/result/tls-rdn-extract.pcap.out +++ b/tests/result/tls-rdn-extract.pcap.out 
@@ -10,4 +10,4 @@ JA3 Host Stats: 1 10.0.0.1 1 - 1 TCP 10.0.0.1:31337 <-> 213.199.149.251:443 [proto: 91.212/TLS.Microsoft][Encrypted][Confidence: DPI][cat: Web/5][1 pkts/181 bytes <-> 5 pkts/7024 bytes][Goodput ratio: 70/96][< 1 sec][Hostname/SNI: ads1.msads.net][bytes ratio: -0.950 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 181/968 181/1405 181/1514 0/218][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **** TLS Cert Expire **][Risk Score: 300][TLSv1][JA3C: 2201d8e006f8f005a6b415f61e677532][ServerNames: *.vo.msecnd.net,*.officeapps.live.com,*.msads.net,*.ads2.msads.net,*.stc.s-msn.com,cdn.dc2files.*.livefilestore-int.com,cdn.*.livefilestore.com,*.marketplace.windowsmobile.com,*.marketplace.windowsmobile-int.com,*.marketplace.windowsmobile-perf.com,*.stj.s-msn.com,ajax.microsoft.com,*.microsoft-sbs-domains.com,*.live.net,*.msn.com,*.msn-int.com,*.f1ds.shared.live-int.com,*.f1ds.wlxrs-int.com,*.shared.live-int.com,*.shared.live.com,*.microsoft.com,*.live.com,*.live-int.com,*.wlxrs.com,*.wlxrs-int.com,*.st.s-msn.com,*.stb.s-msn.com,images.moxy.windowsphone-int.com,*.wlxrsu-int.com,images.partner.windowsphone-int.com,images.partner.windowsphone.com,*.jp.msn.com,*.c3scs.jp.msn.com,*.aspnetcdn.com,*.hotmail.com,*.partner-df.windowsphone-int.com,*.s-msn.com,*.live-int.net,*.windowsphone-int.com,*.windowsphone.com,*.partner-pc.windowsphone-int.com,*.manage.microsoft.com][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: CN=Microsoft Secure Server Authority][Subject: C=US, L=Redmond, O=Microsoft, OU=GFS, CN=*.officeapps.live.com, CN=*.msads.net, CN=*.ads2.msads.net, CN=*.stc.s-msn.com, CN=cdn.dc2files.*.livefilestore-int.com, CN=cdn.*.livefilestore.com, CN=*.marketplace.windowsmobile.com, CN=*.marketplace.windowsmobile-int.com, CN=*.marketplace.windowsmobile-perf.com, CN=*.stj.s-msn.com, CN=ajax.microsoft.com, CN=*.microsoft-sbs-domains.com, CN=*.live.net, CN=*.msn.com, CN=*.msn-int.com, 
CN=*.f1ds.shared.live-int.com, CN=*.f1ds.wlxrs-int.com, CN=*.shared.live-int.com, CN=*.shared.live.com, CN=*.microsoft.com, CN=*.live.com, CN=*.live-int.com, CN=*.wlxrs.com, CN=*.wlxrs-int.com, CN=*.st.s-msn.com, CN=*.stb.s-msn.com, CN=images.moxy.windowsphone-int.com, CN=*.wlxrsu-int.com, CN=images.partner.windowsphone-int.com, CN=images.partner.windowsphone.com, CN=*.jp.msn.com, CN=*.c3scs.jp.msn.com, CN=*.aspnetcdn.com, CN=*.hotmail.com, CN=*.partner-df.windowsphone-int.com, CN=*.s-msn.com, CN=*.live-int.net, CN=*.windowsphone-int.com, CN=*.windowsphone.com, CN=*.partner-pc.windowsphone-int.com, CN=*.manage.microsoft.com, CN=*.vo.msecnd.net][Certificate SHA-1: FF:BF:9A:69:8F:C8:44:FF:89:F2:61:49:A7:D1:9A:98:DE:32:84:3B][Validity: 2011-10-21 16:42:03 - 2013-10-20 16:42:03][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,67,0,0] + 1 TCP 10.0.0.1:31337 <-> 213.199.149.251:443 [proto: 91.212/TLS.Microsoft][Encrypted][Confidence: DPI][cat: Web/5][1 pkts/181 bytes <-> 5 pkts/7024 bytes][Goodput ratio: 70/96][< 1 sec][Hostname/SNI: ads1.msads.net][bytes ratio: -0.950 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 181/968 181/1405 181/1514 0/218][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **** TLS Cert Expired **][Risk Score: 300][TLSv1][JA3C: 2201d8e006f8f005a6b415f61e677532][ServerNames: 
*.vo.msecnd.net,*.officeapps.live.com,*.msads.net,*.ads2.msads.net,*.stc.s-msn.com,cdn.dc2files.*.livefilestore-int.com,cdn.*.livefilestore.com,*.marketplace.windowsmobile.com,*.marketplace.windowsmobile-int.com,*.marketplace.windowsmobile-perf.com,*.stj.s-msn.com,ajax.microsoft.com,*.microsoft-sbs-domains.com,*.live.net,*.msn.com,*.msn-int.com,*.f1ds.shared.live-int.com,*.f1ds.wlxrs-int.com,*.shared.live-int.com,*.shared.live.com,*.microsoft.com,*.live.com,*.live-int.com,*.wlxrs.com,*.wlxrs-int.com,*.st.s-msn.com,*.stb.s-msn.com,images.moxy.windowsphone-int.com,*.wlxrsu-int.com,images.partner.windowsphone-int.com,images.partner.windowsphone.com,*.jp.msn.com,*.c3scs.jp.msn.com,*.aspnetcdn.com,*.hotmail.com,*.partner-df.windowsphone-int.com,*.s-msn.com,*.live-int.net,*.windowsphone-int.com,*.windowsphone.com,*.partner-pc.windowsphone-int.com,*.manage.microsoft.com][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Issuer: CN=Microsoft Secure Server Authority][Subject: C=US, L=Redmond, O=Microsoft, OU=GFS, CN=*.officeapps.live.com, CN=*.msads.net, CN=*.ads2.msads.net, CN=*.stc.s-msn.com, CN=cdn.dc2files.*.livefilestore-int.com, CN=cdn.*.livefilestore.com, CN=*.marketplace.windowsmobile.com, CN=*.marketplace.windowsmobile-int.com, CN=*.marketplace.windowsmobile-perf.com, CN=*.stj.s-msn.com, CN=ajax.microsoft.com, CN=*.microsoft-sbs-domains.com, CN=*.live.net, CN=*.msn.com, CN=*.msn-int.com, CN=*.f1ds.shared.live-int.com, CN=*.f1ds.wlxrs-int.com, CN=*.shared.live-int.com, CN=*.shared.live.com, CN=*.microsoft.com, CN=*.live.com, CN=*.live-int.com, CN=*.wlxrs.com, CN=*.wlxrs-int.com, CN=*.st.s-msn.com, CN=*.stb.s-msn.com, CN=images.moxy.windowsphone-int.com, CN=*.wlxrsu-int.com, CN=images.partner.windowsphone-int.com, CN=images.partner.windowsphone.com, CN=*.jp.msn.com, CN=*.c3scs.jp.msn.com, CN=*.aspnetcdn.com, CN=*.hotmail.com, CN=*.partner-df.windowsphone-int.com, CN=*.s-msn.com, CN=*.live-int.net, CN=*.windowsphone-int.com, CN=*.windowsphone.com, 
CN=*.partner-pc.windowsphone-int.com, CN=*.manage.microsoft.com, CN=*.vo.msecnd.net][Certificate SHA-1: FF:BF:9A:69:8F:C8:44:FF:89:F2:61:49:A7:D1:9A:98:DE:32:84:3B][Validity: 2011-10-21 16:42:03 - 2013-10-20 16:42:03][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,67,0,0] |