diff options
| -rw-r--r-- | src/lib/ndpi_main.c | 3 | ||||
| -rw-r--r-- | tests/result/dnscrypt-v2-doh.pcap.out | 2 | ||||
| -rw-r--r-- | tests/result/nintendo.pcap.out | 7 | ||||
| -rw-r--r-- | tests/result/quic.pcap.out | 2 | ||||
| -rw-r--r-- | tests/result/reddit.pcap.out | 6 | ||||
| -rw-r--r-- | tests/result/youtube_quic.pcap.out | 2 |
6 files changed, 12 insertions, 10 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 901c9c579..4b5f38101 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -7286,6 +7286,9 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str, if(!name) return(0); + if(flow && (flow->packet.detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN)) + return(0); /* Ignore DGA check for protocols already fully detected */ + #ifdef DGA_DEBUG printf("[DGA] %s\n", name); #endif diff --git a/tests/result/dnscrypt-v2-doh.pcap.out b/tests/result/dnscrypt-v2-doh.pcap.out index 2b6ad21ad..39665ff58 100644 --- a/tests/result/dnscrypt-v2-doh.pcap.out +++ b/tests/result/dnscrypt-v2-doh.pcap.out @@ -11,7 +11,7 @@ JA3 Host Stats: 4 TCP 10.0.0.1:52028 <-> 45.76.113.31:8443 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][9 pkts/1438 bytes <-> 11 pkts/6319 bytes][Goodput ratio: 66/91][30.97 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.629 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4379/3404 30317/30002 10590/9405][Pkt Len c2s/s2c min/avg/max/stddev: 78/93 160/574 335/1464 75/564][Risk: ** Known protocol on non standard port **][TLSv1.3][Client: doh.seby.io][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Cipher: TLS_AES_128_GCM_SHA256][PLAIN TEXT (ffffffDDDDDD)][Plen Bins: 10,15,30,10,0,5,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,10,0,0,0] 5 TCP 10.0.0.1:57058 <-> 46.227.200.54:443 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][9 pkts/1445 bytes <-> 8 pkts/5948 bytes][Goodput ratio: 66/93][30.13 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.609 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4304/5014 30049/30000 10511/11174][Pkt Len c2s/s2c min/avg/max/stddev: 78/89 161/744 339/2958 74/935][TLSv1.3][Client: rdns.faelix.net][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][JA3S: 15af977ce25de452b96affa2addb1036][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 12,12,25,12,0,5,5,0,5,0,5,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5] 6 TCP 10.0.0.1:55322 <-> 185.134.196.55:443 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][10 pkts/1532 bytes <-> 7 pkts/5815 bytes][Goodput ratio: 65/93][16.35 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.583 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2039/3262 16237/16242 5366/6490][Pkt Len c2s/s2c min/avg/max/stddev: 78/78 153/831 339/2958 74/969][TLSv1.3][Client: rdns.faelix.net][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][JA3S: 15af977ce25de452b96affa2addb1036][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 18,5,25,12,0,5,5,0,5,0,5,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5] - 7 TCP 10.0.0.1:38186 <-> 185.43.135.1:443 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][11 pkts/1728 bytes <-> 13 pkts/5220 bytes][Goodput ratio: 66/87][10.17 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.503 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1263/1013 10000/10000 3302/2996][Pkt Len c2s/s2c min/avg/max/stddev: 85/92 157/402 335/3057 70/784][Risk: ** TLS Expired Certificate **** Suspicious DGA domain name **][TLSv1.2][Client: odvr.nic.cz][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][ServerNames: odvr.nic.cz][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3][Subject: CN=odvr.nic.cz][Certificate SHA-1: 15:57:4E:06:5B:3D:23:22:EF:BC:2E:5B:A3:3E:A5:76:BD:14:01:4B][Validity: 2020-08-03 06:53:50 - 2020-11-01 06:53:50][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (DDDDDDffffff)][Plen Bins: 4,51,12,12,0,4,0,0,4,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4] + 7 TCP 10.0.0.1:38186 <-> 185.43.135.1:443 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][11 pkts/1728 bytes <-> 13 pkts/5220 bytes][Goodput ratio: 66/87][10.17 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.503 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1263/1013 10000/10000 3302/2996][Pkt Len c2s/s2c min/avg/max/stddev: 85/92 157/402 335/3057 70/784][Risk: ** TLS Expired Certificate **][TLSv1.2][Client: odvr.nic.cz][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][ServerNames: odvr.nic.cz][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3][Subject: CN=odvr.nic.cz][Certificate SHA-1: 15:57:4E:06:5B:3D:23:22:EF:BC:2E:5B:A3:3E:A5:76:BD:14:01:4B][Validity: 2020-08-03 06:53:50 - 2020-11-01 06:53:50][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (DDDDDDffffff)][Plen Bins: 4,51,12,12,0,4,0,0,4,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4] 8 TCP 10.0.0.1:55962 <-> 51.158.147.50:443 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][10 pkts/1540 bytes <-> 7 pkts/5403 bytes][Goodput ratio: 65/93][23.03 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.556 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2879/17 22962/28 7591/14][Pkt Len c2s/s2c min/avg/max/stddev: 78/102 154/772 344/3185 77/1040][TLSv1.3][Client: resolver-eu.lelux.fi][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 11,11,37,11,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5] 9 TCP 10.0.0.1:60026 <-> 195.30.94.28:443 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][9 pkts/1455 bytes <-> 6 pkts/5347 bytes][Goodput ratio: 67/94][10.04 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.572 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 1434/37 9925/63 3467/26][Pkt Len c2s/s2c min/avg/max/stddev: 78/89 162/891 337/2958 74/961][TLSv1.3][Client: doh.ffmuc.net][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][JA3S: 15af977ce25de452b96affa2addb1036][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 13,6,20,13,0,6,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6] 10 TCP 10.0.0.1:40938 <-> 172.104.93.80:443 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][10 pkts/1523 bytes <-> 6 pkts/5217 bytes][Goodput ratio: 65/94][22.42 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.548 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2778/5507 21637/21834 7129/9427][Pkt Len c2s/s2c min/avg/max/stddev: 78/78 152/870 335/2248 74/759][TLSv1.3][Client: jp.tiar.app][JA3C: d0ee3237a14bbd89ca4d2b5356ab20ba][JA3S: 475c9302dc42b2751db9edcac3b74891][Cipher: TLS_CHACHA20_POLY1305_SHA256][PLAIN TEXT (ffffffDDDDDD)][Plen Bins: 18,6,18,12,0,6,0,0,12,0,0,0,0,6,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,6] diff --git a/tests/result/nintendo.pcap.out b/tests/result/nintendo.pcap.out index 858c109ce..ec5cd5835 100644 --- a/tests/result/nintendo.pcap.out +++ b/tests/result/nintendo.pcap.out @@ -1,6 +1,5 @@ ICMP 30 2100 2 -Tor 41 15462 2 -Nintendo 846 304426 9 +Nintendo 887 319888 11 Amazon 79 11165 8 JA3 Host Stats: @@ -12,8 +11,8 @@ JA3 Host Stats: 2 UDP 192.168.12.114:55915 <-> 93.237.131.235:56066 [proto: 173/Nintendo][cat: Game/8][122 pkts/48332 bytes <-> 35 pkts/5026 bytes][Goodput ratio: 89/71][5.68 sec][bytes ratio: 0.812 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 45/77 607/506 66/117][Pkt Len c2s/s2c min/avg/max/stddev: 102/102 396/144 1254/886 210/128][Plen Bins: 0,5,35,3,1,0,0,0,0,0,0,0,0,51,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0] 3 UDP 192.168.12.114:55915 <-> 81.61.158.138:51769 [proto: 173/Nintendo][cat: Game/8][122 pkts/46476 bytes <-> 38 pkts/5268 bytes][Goodput ratio: 89/70][5.49 sec][bytes ratio: 0.796 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 40/76 313/318 40/84][Pkt Len c2s/s2c min/avg/max/stddev: 102/102 381/139 886/886 193/124][PLAIN TEXT (FutwCa)][Plen Bins: 0,7,38,1,1,0,0,0,0,0,0,0,0,47,2,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 TCP 54.187.10.185:443 <-> 192.168.12.114:48328 [proto: 91.178/TLS.Amazon][cat: Web/5][34 pkts/4466 bytes <-> 20 pkts/4021 bytes][Goodput ratio: 50/67][21.54 sec][bytes ratio: 0.052 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/4 728/1409 14019/13944 2636/3582][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 131/201 400/983 86/219][Plen Bins: 0,58,5,15,0,2,0,8,0,2,2,0,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 5 TCP 192.168.12.114:41517 <-> 54.192.27.217:443 [proto: 91.163/TLS.Tor][cat: Game/8][11 pkts/2898 bytes <-> 10 pkts/4865 bytes][Goodput ratio: 75/86][0.56 sec][bytes ratio: -0.253 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 65/54 287/250 89/82][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 263/486 1414/1414 387/570][Risk: ** TLS (probably) not carrying HTTPS **** Suspicious DGA domain name **** Unsafe Protocol **][TLSv1.2][Client: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com][JA3C: 200a99534ce50d35cf40cc3cce4c69b5][ServerNames: *.baas.nintendo.com,baas.nintendo.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA][Subject: C=JP, ST=Kyoto, L=Minami-ku, O=Nintendo Co., Ltd., CN=*.baas.nintendo.com][Certificate SHA-1: 8A:0A:1D:D3:A8:96:7A:55:C5:75:B2:2B:3E:45:15:54:0A:B0:FC:94][Validity: 2015-08-12 00:00:00 - 2018-08-15 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 10,10,0,10,0,0,10,0,0,10,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,30,0,0,0,0,0] - 6 TCP 192.168.12.114:31329 <-> 54.192.27.8:443 [proto: 91.163/TLS.Tor][cat: Game/8][10 pkts/2833 bytes <-> 10 pkts/4866 bytes][Goodput ratio: 76/86][0.51 sec][bytes ratio: -0.264 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 57/47 243/198 76/65][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 283/487 1414/1414 401/570][Risk: ** TLS (probably) not carrying HTTPS **** Suspicious DGA domain name **** Unsafe Protocol **][TLSv1.2][Client: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com][JA3C: 200a99534ce50d35cf40cc3cce4c69b5][ServerNames: *.baas.nintendo.com,baas.nintendo.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA][Subject: C=JP, ST=Kyoto, L=Minami-ku, O=Nintendo Co., Ltd., CN=*.baas.nintendo.com][Certificate SHA-1: 8A:0A:1D:D3:A8:96:7A:55:C5:75:B2:2B:3E:45:15:54:0A:B0:FC:94][Validity: 2015-08-12 00:00:00 - 2018-08-15 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 10,10,0,10,0,0,10,0,0,10,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,30,0,0,0,0,0] + 5 TCP 192.168.12.114:41517 <-> 54.192.27.217:443 [proto: 91.173/TLS.Nintendo][cat: Game/8][11 pkts/2898 bytes <-> 10 pkts/4865 bytes][Goodput ratio: 75/86][0.56 sec][bytes ratio: -0.253 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 65/54 287/250 89/82][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 263/486 1414/1414 387/570][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com][JA3C: 200a99534ce50d35cf40cc3cce4c69b5][ServerNames: *.baas.nintendo.com,baas.nintendo.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA][Subject: C=JP, ST=Kyoto, L=Minami-ku, O=Nintendo Co., Ltd., CN=*.baas.nintendo.com][Certificate SHA-1: 8A:0A:1D:D3:A8:96:7A:55:C5:75:B2:2B:3E:45:15:54:0A:B0:FC:94][Validity: 2015-08-12 00:00:00 - 2018-08-15 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 10,10,0,10,0,0,10,0,0,10,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,30,0,0,0,0,0] + 6 TCP 192.168.12.114:31329 <-> 54.192.27.8:443 [proto: 91.173/TLS.Nintendo][cat: Game/8][10 pkts/2833 bytes <-> 10 pkts/4866 bytes][Goodput ratio: 76/86][0.51 sec][bytes ratio: -0.264 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 57/47 243/198 76/65][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 283/487 1414/1414 401/570][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com][JA3C: 200a99534ce50d35cf40cc3cce4c69b5][ServerNames: *.baas.nintendo.com,baas.nintendo.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA][Subject: C=JP, ST=Kyoto, L=Minami-ku, O=Nintendo Co., Ltd., CN=*.baas.nintendo.com][Certificate SHA-1: 8A:0A:1D:D3:A8:96:7A:55:C5:75:B2:2B:3E:45:15:54:0A:B0:FC:94][Validity: 2015-08-12 00:00:00 - 2018-08-15 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 10,10,0,10,0,0,10,0,0,10,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,30,0,0,0,0,0] 7 UDP 192.168.12.114:52119 <-> 91.8.243.35:49432 [proto: 173/Nintendo][cat: Game/8][23 pkts/2682 bytes <-> 16 pkts/3408 bytes][Goodput ratio: 64/80][4.86 sec][bytes ratio: -0.119 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 232/89 514/507 225/142][Pkt Len c2s/s2c min/avg/max/stddev: 102/102 117/213 230/854 27/243][Plen Bins: 0,41,43,5,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 8 UDP 192.168.12.114:52119 <-> 109.21.255.11:50251 [proto: 173/Nintendo][cat: Game/8][8 pkts/1024 bytes <-> 8 pkts/1024 bytes][Goodput ratio: 67/67][1.28 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 39/58 119/111 274/242 89/65][Pkt Len c2s/s2c min/avg/max/stddev: 102/102 128/128 198/198 41/41][Plen Bins: 0,62,12,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 9 UDP 192.168.12.114:52119 <-> 134.3.248.25:56955 [proto: 173/Nintendo][cat: Game/8][8 pkts/1040 bytes <-> 7 pkts/922 bytes][Goodput ratio: 68/68][1.15 sec][bytes ratio: 0.060 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 9/17 108/127 288/286 109/90][Pkt Len c2s/s2c min/avg/max/stddev: 102/102 130/132 198/198 40/42][Plen Bins: 0,53,20,0,26,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/quic.pcap.out b/tests/result/quic.pcap.out index 92df889c6..7e45d1566 100644 --- a/tests/result/quic.pcap.out +++ b/tests/result/quic.pcap.out @@ -11,5 +11,5 @@ QUIC 6 7072 1 6 UDP 192.168.1.105:55934 <-> 216.58.201.238:443 [proto: 188.124/QUIC.YouTube][cat: Media/1][2 pkts/2784 bytes <-> 2 pkts/2784 bytes][Goodput ratio: 97/97][0.09 sec][User-Agent: Chrome/49.0.2623.87 Linux x86_64][Client: s.ytimg.com][PLAIN TEXT (s.ytimg.com)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] 7 UDP 192.168.1.105:45669 <-> 172.217.16.4:443 [proto: 188.126/QUIC.Google][cat: Web/5][3 pkts/1550 bytes <-> 2 pkts/2784 bytes][Goodput ratio: 92/97][0.16 sec][User-Agent: Chrome/49.0.2623.87 Linux x86_64][Client: www.google.com][PLAIN TEXT (www.google.comO)][Plen Bins: 0,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,60,0,0,0,0,0] 8 UDP 192.168.1.105:48445 <-> 216.58.214.110:443 [proto: 188.124/QUIC.YouTube][cat: Media/1][2 pkts/1471 bytes <-> 1 pkts/1392 bytes][Goodput ratio: 94/97][0.10 sec][User-Agent: Chrome/49.0.2623.87 Linux x86_64][Client: i.ytimg.com][PLAIN TEXT (i.ytimg.com)][Plen Bins: 0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0] - 9 UDP 192.168.1.105:53817 <-> 216.58.210.225:443 [proto: 188.124/QUIC.YouTube][cat: Media/1][1 pkts/1392 bytes <-> 1 pkts/1392 bytes][Goodput ratio: 97/97][0.08 sec][User-Agent: Chrome/49.0.2623.87 Linux x86_64][Risk: ** Suspicious DGA domain name **][Client: yt3.ggpht.com][PLAIN TEXT (yt3.ggpht.com)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] + 9 UDP 192.168.1.105:53817 <-> 216.58.210.225:443 [proto: 188.124/QUIC.YouTube][cat: Media/1][1 pkts/1392 bytes <-> 1 pkts/1392 bytes][Goodput ratio: 97/97][0.08 sec][User-Agent: Chrome/49.0.2623.87 Linux x86_64][Client: yt3.ggpht.com][PLAIN TEXT (yt3.ggpht.com)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] 10 UDP 192.168.1.105:40461 <-> 172.217.16.3:443 [proto: 126/Google][cat: Web/5][2 pkts/241 bytes <-> 1 pkts/123 bytes][Goodput ratio: 65/65][0.09 sec][Plen Bins: 0,33,33,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/reddit.pcap.out b/tests/result/reddit.pcap.out index 378ef8302..b08f41024 100644 --- a/tests/result/reddit.pcap.out +++ b/tests/result/reddit.pcap.out @@ -1,8 +1,8 @@ TLS 581 374826 14 Twitter 863 686585 3 -YouTube 810 942020 2 +YouTube 881 966947 3 Google 618 334683 13 -Tor 102 34312 2 +Tor 31 9385 1 Amazon 100 59185 2 Reddit 8337 9059073 20 GoogleServices 271 87487 4 @@ -28,7 +28,7 @@ JA3 Host Stats: 14 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:43492 <-> [64:ff9b::df9:21c6]:443 [proto: 91.178/TLS.Amazon][cat: Web/5][32 pkts/4130 bytes <-> 41 pkts/43404 bytes][Goodput ratio: 33/92][3.33 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.826 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 124/83 2442/2482 493/425][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 129/1059 603/2862 111/716][TLSv1.3][Client: c.amazon-adsystem.com][JA3C: b32309a26951912be7dba376398abc3b][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 5,0,7,2,2,0,0,2,2,5,2,0,0,0,0,0,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,60,0,0,0,5] 15 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:36964 <-> [2a00:1450:4007:80f::2001]:443 [proto: 91.126/TLS.Google][cat: Web/5][32 pkts/4373 bytes <-> 53 pkts/40038 bytes][Goodput ratio: 37/89][0.36 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.803 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 6/5 45/138 11/21][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 137/755 603/2556 117/617][TLSv1.3][Client: tpc.googlesyndication.com][JA3C: b32309a26951912be7dba376398abc3b][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 3,8,3,0,8,3,1,6,1,3,1,0,1,1,1,0,1,0,1,0,0,0,0,0,1,1,0,0,1,1,0,0,0,0,0,0,1,41,0,0,0,0,0,0,0,0,0,3] 16 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:39520 <-> [2a00:1450:4007:816::2008]:443 [proto: 91/TLS][cat: Web/5][33 pkts/3852 bytes <-> 36 pkts/38105 bytes][Goodput ratio: 26/92][0.21 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.816 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 6/4 43/38 12/10][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 117/1058 603/2502 99/724][TLSv1.3][Client: www.googletagmanager.com][JA3C: b32309a26951912be7dba376398abc3b][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 8,2,5,0,0,0,0,0,2,0,0,0,0,0,5,0,5,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,54,0,0,0,0,0,0,0,0,0,14] - 17 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:58122 <-> [2a00:1450:4007:805::2001]:443 [proto: 91.163/TLS.Tor][cat: Media/1][34 pkts/4406 bytes <-> 37 pkts/20521 bytes][Goodput ratio: 33/84][9.61 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.646 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 352/8 9266/68 1748/18][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 130/555 603/1294 104/520][Risk: ** Suspicious DGA domain name **** Unsafe Protocol **][TLSv1.3][Client: yt3.ggpht.com][JA3C: b32309a26951912be7dba376398abc3b][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 5,17,5,17,0,0,0,0,2,0,2,0,2,2,0,2,5,0,2,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0] + 17 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:58122 <-> [2a00:1450:4007:805::2001]:443 [proto: 91.124/TLS.YouTube][cat: Media/1][34 pkts/4406 bytes <-> 37 pkts/20521 bytes][Goodput ratio: 33/84][9.61 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.646 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 352/8 9266/68 1748/18][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 130/555 603/1294 104/520][TLSv1.3][Client: yt3.ggpht.com][JA3C: b32309a26951912be7dba376398abc3b][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 5,17,5,17,0,0,0,0,2,0,2,0,2,2,0,2,5,0,2,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0] 18 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:48648 <-> [2620:116:800d:21:f916:5049:f87f:108e]:443 [proto: 91/TLS][cat: Web/5][22 pkts/3573 bytes <-> 22 pkts/14972 bytes][Goodput ratio: 47/87][0.65 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.615 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21/11 94/78 32/20][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 162/681 603/1474 142/625][TLSv1.2][Client: secure.quantserve.com][JA3C: b32309a26951912be7dba376398abc3b][ServerNames: *.quantserve.com,*.quantcount.com,*.apextag.com,quantserve.com,quantcount.com,apextag.com][JA3S: b898351eb5e266aefd3723d466935494][Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA][Subject: C=US, ST=California, L=San Francisco, O=Quantcast Corporation, CN=*.quantserve.com][Certificate SHA-1: 3A:30:B1:4A:CE:62:AF:55:B1:89:FF:0C:CB:69:E3:80:CB:B0:91:90][Validity: 2020-10-02 00:00:00 - 2021-10-07 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,9,4,9,0,0,0,0,14,0,0,4,4,0,0,0,4,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,40,0,0,0,0] 19 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:57282 <-> [2a00:1450:4007:805::2004]:443 [proto: 91.126/TLS.Google][cat: Web/5][20 pkts/2757 bytes <-> 19 pkts/11579 bytes][Goodput ratio: 37/86][0.21 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.615 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/9 62/67 19/20][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 138/609 603/1294 125/544][TLSv1.3][Client: www.google.com][JA3C: b32309a26951912be7dba376398abc3b][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 5,11,11,0,0,0,11,0,5,0,0,0,0,5,0,0,5,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,39,0,0,0,0,0,0,0,0,0,0] 20 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:56592 <-> [64:ff9b::9765:798c]:443 [proto: 91.205/TLS.Reddit][cat: SocialNetwork/6][19 pkts/2787 bytes <-> 18 pkts/10331 bytes][Goodput ratio: 41/85][0.20 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.575 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/7 52/50 19/17][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 147/574 603/1134 131/477][TLSv1.2][Client: emoji.redditmedia.com][JA3C: b32309a26951912be7dba376398abc3b][ServerNames: *.redditmedia.com,redditmedia.com][JA3S: 16c0b3e6a7b8173c16d944cfeaeee9cf][Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA][Subject: C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com][Certificate SHA-1: 96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85][Validity: 2020-07-27 00:00:00 - 2021-01-23 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,5,18,5,0,0,0,0,5,5,0,0,0,0,0,0,11,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,43,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/youtube_quic.pcap.out b/tests/result/youtube_quic.pcap.out index ae027b611..d78b01871 100644 --- a/tests/result/youtube_quic.pcap.out +++ b/tests/result/youtube_quic.pcap.out @@ -1,6 +1,6 @@ YouTube 258 178495 1 Google 31 13144 2 - 1 UDP 192.168.1.7:56074 <-> 216.58.198.33:443 [proto: 188.124/QUIC.YouTube][cat: Media/1][113 pkts/16111 bytes <-> 145 pkts/162384 bytes][Goodput ratio: 71/96][3.12 sec][bytes ratio: -0.819 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/5 70/69 15/12][Pkt Len c2s/s2c min/avg/max/stddev: 77/73 143/1120 1392/1392 176/437][User-Agent: beta Chrome/57.0.2987.98 Intel Mac OS X 10_12_3][Risk: ** Suspicious DGA domain name **][Client: yt3.ggpht.com][PLAIN TEXT (yt3.ggpht.com)][Plen Bins: 0,31,1,12,8,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,41,0,0,0,0,0] + 1 UDP 192.168.1.7:56074 <-> 216.58.198.33:443 [proto: 188.124/QUIC.YouTube][cat: Media/1][113 pkts/16111 bytes <-> 145 pkts/162384 bytes][Goodput ratio: 71/96][3.12 sec][bytes ratio: -0.819 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/5 70/69 15/12][Pkt Len c2s/s2c min/avg/max/stddev: 77/73 143/1120 1392/1392 176/437][User-Agent: beta Chrome/57.0.2987.98 Intel Mac OS X 10_12_3][Client: yt3.ggpht.com][PLAIN TEXT (yt3.ggpht.com)][Plen Bins: 0,31,1,12,8,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,41,0,0,0,0,0] 2 UDP 192.168.1.7:53859 <-> 216.58.205.66:443 [proto: 188.126/QUIC.Google][cat: Web/5][9 pkts/3929 bytes <-> 9 pkts/4736 bytes][Goodput ratio: 90/92][0.44 sec][bytes ratio: -0.093 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/5 36/37 114/158 48/52][Pkt Len c2s/s2c min/avg/max/stddev: 80/69 437/526 1392/1392 524/546][User-Agent: beta Chrome/57.0.2987.98 Intel Mac OS X 10_12_3][Client: googleads.g.doubleclick.net][PLAIN TEXT (googleads.g.doubleclick.net)][Plen Bins: 16,39,0,0,0,0,0,0,0,5,5,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0,0,0] 3 UDP 192.168.1.7:54997 <-> 216.58.205.66:443 [proto: 188.126/QUIC.Google][cat: Web/5][7 pkts/2312 bytes <-> 6 pkts/2167 bytes][Goodput ratio: 87/88][0.56 sec][bytes ratio: 0.032 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/8 40/17 89/44 35/17][Pkt Len c2s/s2c min/avg/max/stddev: 80/72 330/361 1392/1392 449/479][User-Agent: beta Chrome/57.0.2987.98 Intel Mac OS X 10_12_3][Client: pagead2.googlesyndication.com][PLAIN TEXT (pagead2.googlesyndication.com)][Plen Bins: 23,30,7,0,7,0,0,0,0,0,0,0,15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0,0,0,0] |