diff options
Diffstat (limited to 'tests/cfgs/tls_heuristics_enabled')
5 files changed, 78 insertions, 55 deletions
diff --git a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__shadowsocks-tcp.pcapng.out b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__shadowsocks-tcp.pcapng.out index fe965a015..cf8e83ebf 100644 --- a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__shadowsocks-tcp.pcapng.out +++ b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__shadowsocks-tcp.pcapng.out @@ -2,18 +2,18 @@ DPI Packets (TCP): 27 (9.00 pkts/flow) DPI Packets (UDP): 3 (3.00 pkts/flow) Confidence DPI : 3 (flows) Confidence DPI (aggressive) : 1 (flows) -Num dissector calls: 414 (103.50 diss/flow) +Num dissector calls: 406 (101.50 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/3/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) -LRU cache fpc_dns: 1/3/0 (insert/search/found) +LRU cache fpc_dns: 8/3/0 (insert/search/found) Automa host: 4/4 (search/found) Automa domain: 4/0 (search/found) Automa tls cert: 0/0 (search/found) -Automa risk mask: 1/0 (search/found) +Automa risk mask: 0/0 (search/found) Automa common alpns: 2/2 (search/found) Patricia risk mask: 2/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) @@ -22,13 +22,18 @@ Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 6/0 (search/found) Patricia protocols IPv6: 1/1 (search/found) +DNS 4 772 1 TLS 25 22923 1 -YouTube 45 36920 2 +YouTube 41 36148 1 SOCKS 30 21330 1 Safe 25 22923 1 -Acceptable 30 21330 1 -Fun 45 36920 2 +Acceptable 34 22102 2 +Fun 41 36148 1 + +Media 41 36148 1 +Web 55 44253 2 +Network 4 772 1 JA Host Stats: IP Address # JA4C @@ -36,6 +41,6 @@ JA Host Stats: 1 TCP [2001:b07:a3d:c112:8628:88aa:8b00:913c]:45334 <-> [2a00:1450:4002:416::200e]:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 126/Google, Confidence: IP address][DPI packets: 6][cat: Media/1][20 pkts/2589 bytes <-> 21 pkts/33559 bytes][Goodput ratio: 32/94][0.12 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.857 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/6 46/49 14/13][Pkt Len c2s/s2c min/avg/max/stddev: 88/88 129/1598 605/6128 124/1604][TCP Fingerprint: 2_64_65320_5c453b01be6e/Unknown][TLSv1.3][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 9,0,0,0,0,0,4,0,4,0,0,0,0,0,0,0,4,4,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,56,0,0,0,0,0,0,0,0,0,13] - 2 TCP 127.0.0.1:40164 <-> 127.0.0.1:1234 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 15][cat: Web/5][14 pkts/2036 bytes <-> 11 pkts/20887 bytes][Goodput ratio: 53/96][0.17 sec][bytes ratio: -0.822 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/21 52/52 19/20][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 145/1899 704/7496 163/2354][Risk: ** Known Proto on Non Std Port **** Obfuscated Traffic **][Risk Score: 150][Risk Info: Obfuscated TLS traffic / Expected on port 443][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][Plen Bins: 0,0,15,7,15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,7,0,0,0,0,0,0,0,23] + 2 TCP 127.0.0.1:40164 <-> 127.0.0.1:1234 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 15][cat: Web/5][14 pkts/2036 bytes <-> 11 pkts/20887 bytes][Goodput ratio: 53/96][0.17 sec][bytes ratio: -0.822 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/21 52/52 19/20][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 145/1899 704/7496 163/2354][Risk: ** Known Proto on Non Std Port **** Susp Entropy **** Obfuscated Traffic **][Risk Score: 160][Risk Info: Obfuscated TLS traffic / Entropy: 6.504 (Executable?) / Expected on port 443][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][Plen Bins: 0,0,15,7,15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,7,0,0,0,0,0,0,0,23] 3 TCP 127.0.0.1:44424 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][18 pkts/2079 bytes <-> 12 pkts/19251 bytes][Goodput ratio: 41/96][0.15 sec][bytes ratio: -0.805 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/7 46/50 16/15][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 116/1604 585/9955 117/2915][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][PLAIN TEXT (www.youtube.com)][Plen Bins: 37,24,5,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,5,0,0,0,0,0,0,0,11] - 4 UDP 127.0.0.1:41182 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/596 bytes][Goodput ratio: 50/85][0.00 sec][Hostname/SNI: www.youtube.com][216.58.204.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 UDP 127.0.0.1:41182 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/596 bytes][Goodput ratio: 50/85][0.00 sec][Hostname/SNI: www.youtube.com][216.58.204.142][DNS Id: 0x2c27][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__trojan-tcp-tls.pcapng.out b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__trojan-tcp-tls.pcapng.out index b41c9156d..867ffa494 100644 --- a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__trojan-tcp-tls.pcapng.out +++ b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__trojan-tcp-tls.pcapng.out @@ -9,27 +9,31 @@ LRU cache stun: 0/0/0 (insert/search/found) LRU cache tls_cert: 0/2/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) -LRU cache fpc_dns: 3/3/1 (insert/search/found) +LRU cache fpc_dns: 18/3/1 (insert/search/found) Automa host: 17/8 (search/found) Automa domain: 17/0 (search/found) Automa tls cert: 0/0 (search/found) -Automa risk mask: 7/0 (search/found) +Automa risk mask: 0/0 (search/found) Automa common alpns: 4/4 (search/found) -Patricia risk mask: 14/0 (search/found) +Patricia risk mask: 0/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 19/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -DNS 8 680 4 +DNS 16 2257 7 TLS 25 11617 1 -YouTube 40 17498 4 +YouTube 32 15921 1 SOCKS 27 9979 1 Safe 25 11617 1 -Acceptable 35 10659 5 -Fun 40 17498 4 +Acceptable 43 12236 8 +Fun 32 15921 1 + +Media 32 15921 1 +Web 52 21596 2 +Network 16 2257 7 JA Host Stats: IP Address # JA4C @@ -38,12 +42,12 @@ JA Host Stats: 1 TCP 192.168.1.183:58730 <-> 142.250.180.142:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 124/YouTube, Confidence: DNS][DPI packets: 6][cat: Media/1][17 pkts/1985 bytes <-> 15 pkts/13936 bytes][Goodput ratio: 41/93][0.11 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.751 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5/9 31/70 9/20][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 117/929 585/1468 126/632][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.3][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 18,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,51,0,0,0,0] - 2 TCP 127.0.0.1:41796 <-> 127.0.0.1:1234 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 23][cat: Web/5][13 pkts/2233 bytes <-> 12 pkts/9384 bytes][Goodput ratio: 60/91][0.14 sec][Hostname/SNI: test.lan][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.616 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/6 46/30 15/11][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 172/782 675/2138 165/744][Risk: ** Known Proto on Non Std Port **** Obfuscated Traffic **][Risk Score: 150][Risk Info: Expected on port 443 / Obfuscated TLS-in-TLS traffic][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][TLSv1.3][JA4: t13d1911h2_9dc949149365_e7c285222651][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,13,13,6,6,0,0,0,6,0,0,0,0,0,6,0,0,0,6,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,6,0,6,0,0,0,0,0,0,0,0,0,13] + 2 TCP 127.0.0.1:41796 <-> 127.0.0.1:1234 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 23][cat: Web/5][13 pkts/2233 bytes <-> 12 pkts/9384 bytes][Goodput ratio: 60/91][0.14 sec][Hostname/SNI: test.lan][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.616 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/6 46/30 15/11][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 172/782 675/2138 165/744][Risk: ** Known Proto on Non Std Port **** Obfuscated Traffic **][Risk Score: 150][Risk Info: Obfuscated TLS-in-TLS traffic / Expected on port 443][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][TLSv1.3][JA4: t13d1911h2_9dc949149365_e7c285222651][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,13,13,6,6,0,0,0,6,0,0,0,0,0,6,0,0,0,6,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,6,0,6,0,0,0,0,0,0,0,0,0,13] 3 TCP 127.0.0.1:60654 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][17 pkts/1999 bytes <-> 10 pkts/7980 bytes][Goodput ratio: 42/91][0.19 sec][bytes ratio: -0.599 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/7 46/43 16/15][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 118/798 585/4164 119/1276][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][PLAIN TEXT (www.youtube.com)][Plen Bins: 37,25,6,0,0,0,0,0,0,0,0,0,0,0,6,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12] - 4 UDP 127.0.0.1:52786 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/468 bytes][Goodput ratio: 50/81][0.03 sec][Hostname/SNI: www.youtube.com][142.250.180.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 5 UDP 192.168.1.183:46451 <-> 192.168.1.253:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/413 bytes][Goodput ratio: 49/89][0.03 sec][Hostname/SNI: www.youtube.com][142.250.180.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 6 UDP 192.168.1.183:54260 <-> 192.168.1.253:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/344 bytes][Goodput ratio: 49/87][0.03 sec][Hostname/SNI: www.youtube.com][2a00:1450:4002:411::200e][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 7 UDP 127.0.0.1:53154 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 8 UDP 192.168.1.183:39434 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 9 UDP 127.0.0.1:56496 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][0.00 sec][Hostname/SNI: test.lan][0.0.0.0][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 10 UDP 192.168.1.183:38613 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][< 1 sec][Hostname/SNI: test.lan][0.0.0.0][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 UDP 127.0.0.1:52786 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/468 bytes][Goodput ratio: 50/81][0.03 sec][Hostname/SNI: www.youtube.com][142.250.180.142][DNS Id: 0xbe79][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 UDP 192.168.1.183:46451 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/413 bytes][Goodput ratio: 49/89][0.03 sec][Hostname/SNI: www.youtube.com][142.250.180.142][DNS Id: 0x7aab][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 UDP 192.168.1.183:54260 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/344 bytes][Goodput ratio: 49/87][0.03 sec][Hostname/SNI: www.youtube.com][2a00:1450:4002:411::200e][DNS Id: 0xaf9b][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 UDP 127.0.0.1:53154 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][DNS Id: 0xe3bc][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 8 UDP 192.168.1.183:39434 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][DNS Id: 0xce7d][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 9 UDP 127.0.0.1:56496 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][0.00 sec][Hostname/SNI: test.lan][0.0.0.0][DNS Id: 0xe2c3][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 10 UDP 192.168.1.183:38613 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][< 1 sec][Hostname/SNI: test.lan][0.0.0.0][DNS Id: 0x59d3][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-tcp-tls.pcapng.out b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-tcp-tls.pcapng.out index a6bb48f96..235ec8bdf 100644 --- a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-tcp-tls.pcapng.out +++ b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-tcp-tls.pcapng.out @@ -9,27 +9,31 @@ LRU cache stun: 0/0/0 (insert/search/found) LRU cache tls_cert: 0/2/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) -LRU cache fpc_dns: 3/3/1 (insert/search/found) +LRU cache fpc_dns: 20/3/1 (insert/search/found) Automa host: 17/8 (search/found) Automa domain: 17/0 (search/found) Automa tls cert: 0/0 (search/found) -Automa risk mask: 7/0 (search/found) +Automa risk mask: 0/0 (search/found) Automa common alpns: 4/4 (search/found) -Patricia risk mask: 14/0 (search/found) +Patricia risk mask: 0/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 19/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -DNS 8 680 4 +DNS 16 2006 7 TLS 30 14152 1 -YouTube 34 22317 4 +YouTube 26 20991 1 SOCKS 28 10046 1 Safe 30 14152 1 -Acceptable 36 10726 5 -Fun 34 22317 4 +Acceptable 44 12052 8 +Fun 26 20991 1 + +Media 26 20991 1 +Web 58 24198 2 +Network 16 2006 7 JA Host Stats: IP Address # JA4C @@ -38,12 +42,12 @@ JA Host Stats: 1 TCP 192.168.1.183:58612 <-> 216.58.204.142:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 124/YouTube, Confidence: DNS][DPI packets: 6][cat: Media/1][11 pkts/1577 bytes <-> 15 pkts/19414 bytes][Goodput ratio: 52/95][0.10 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.850 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 12/8 74/66 24/18][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 143/1294 585/6668 151/1565][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.3][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 12,6,6,0,0,0,6,0,0,0,0,0,0,0,0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,44,0,0,0,6] - 2 TCP 127.0.0.1:57874 <-> 127.0.0.1:1234 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 24][cat: Web/5][16 pkts/2501 bytes <-> 14 pkts/11651 bytes][Goodput ratio: 56/92][0.16 sec][Hostname/SNI: test.lan][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.647 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10/12 40/74 14/22][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 156/832 731/2138 166/797][Risk: ** Known Proto on Non Std Port **** Obfuscated Traffic **][Risk Score: 150][Risk Info: Expected on port 443 / Obfuscated TLS-in-TLS traffic][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.3][JA4: t13d1911h2_9dc949149365_e7c285222651][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 5,12,12,5,5,0,0,0,5,0,0,0,0,0,0,0,5,0,0,0,5,5,0,0,0,0,0,5,0,0,0,0,0,0,0,5,0,5,0,0,0,0,0,0,0,0,0,19] + 2 TCP 127.0.0.1:57874 <-> 127.0.0.1:1234 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 24][cat: Web/5][16 pkts/2501 bytes <-> 14 pkts/11651 bytes][Goodput ratio: 56/92][0.16 sec][Hostname/SNI: test.lan][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.647 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10/12 40/74 14/22][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 156/832 731/2138 166/797][Risk: ** Known Proto on Non Std Port **** Obfuscated Traffic **][Risk Score: 150][Risk Info: Obfuscated TLS-in-TLS traffic / Expected on port 443][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.3][JA4: t13d1911h2_9dc949149365_e7c285222651][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 5,12,12,5,5,0,0,0,5,0,0,0,0,0,0,0,5,0,0,0,5,5,0,0,0,0,0,5,0,0,0,0,0,0,0,5,0,5,0,0,0,0,0,0,0,0,0,19] 3 TCP 127.0.0.1:40136 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][17 pkts/1999 bytes <-> 11 pkts/8047 bytes][Goodput ratio: 42/91][0.14 sec][bytes ratio: -0.602 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/1 40/4 14/2][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 118/732 585/2612 119/967][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][PLAIN TEXT (www.youtube.com)][Plen Bins: 37,25,6,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18] - 4 UDP 127.0.0.1:46548 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/484 bytes][Goodput ratio: 50/82][0.00 sec][Hostname/SNI: www.youtube.com][216.58.204.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 5 UDP 192.168.1.183:49817 <-> 192.168.1.253:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/253 bytes][Goodput ratio: 49/82][0.00 sec][Hostname/SNI: www.youtube.com][216.58.204.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 6 UDP 192.168.1.183:41933 <-> 192.168.1.253:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/237 bytes][Goodput ratio: 49/81][0.00 sec][Hostname/SNI: www.youtube.com][2a00:1450:4002:410::200e][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 7 UDP 127.0.0.1:45262 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 8 UDP 192.168.1.183:42485 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 9 UDP 127.0.0.1:50125 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][0.00 sec][Hostname/SNI: test.lan][0.0.0.0][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 10 UDP 192.168.1.183:58009 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][< 1 sec][Hostname/SNI: test.lan][0.0.0.0][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 UDP 127.0.0.1:46548 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/484 bytes][Goodput ratio: 50/82][0.00 sec][Hostname/SNI: www.youtube.com][216.58.204.142][DNS Id: 0xedd1][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 UDP 192.168.1.183:49817 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/253 bytes][Goodput ratio: 49/82][0.00 sec][Hostname/SNI: www.youtube.com][216.58.204.142][DNS Id: 0xc48a][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 UDP 192.168.1.183:41933 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/237 bytes][Goodput ratio: 49/81][0.00 sec][Hostname/SNI: www.youtube.com][2a00:1450:4002:410::200e][DNS Id: 0x8b5c][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 UDP 127.0.0.1:45262 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][DNS Id: 0xfd5c][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 8 UDP 192.168.1.183:42485 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][DNS Id: 0xc19d][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 9 UDP 127.0.0.1:50125 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][0.00 sec][Hostname/SNI: test.lan][0.0.0.0][DNS Id: 0xea6f][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 10 UDP 192.168.1.183:58009 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][< 1 sec][Hostname/SNI: test.lan][0.0.0.0][DNS Id: 0x4303][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-tcp.pcapng.out b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-tcp.pcapng.out index 060437ace..6b0e7896d 100644 --- a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-tcp.pcapng.out +++ b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-tcp.pcapng.out @@ -2,33 +2,38 @@ DPI Packets (TCP): 35 (11.67 pkts/flow) DPI Packets (UDP): 3 (3.00 pkts/flow) Confidence DPI : 3 (flows) Confidence DPI (aggressive) : 1 (flows) -Num dissector calls: 427 (106.75 diss/flow) +Num dissector calls: 417 (104.25 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/3/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) -LRU cache fpc_dns: 1/3/0 (insert/search/found) +LRU cache fpc_dns: 16/3/0 (insert/search/found) Automa host: 4/4 (search/found) Automa domain: 4/0 (search/found) Automa tls cert: 0/0 (search/found) -Automa risk mask: 1/0 (search/found) +Automa risk mask: 0/0 (search/found) Automa common alpns: 2/2 (search/found) -Patricia risk mask: 2/0 (search/found) +Patricia risk mask: 0/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 6/0 (search/found) Patricia protocols IPv6: 1/1 (search/found) +DNS 4 900 1 TLS 29 22543 1 -YouTube 41 25855 2 +YouTube 37 24955 1 SOCKS 30 21345 1 Safe 29 22543 1 -Acceptable 30 21345 1 -Fun 41 25855 2 +Acceptable 34 22245 2 +Fun 37 24955 1 + +Media 37 24955 1 +Web 59 43888 2 +Network 4 900 1 JA Host Stats: IP Address # JA4C @@ -38,4 +43,4 @@ JA Host Stats: 1 TCP [2001:b07:a3d:c112:8628:88aa:8b00:913c]:48302 <-> [2a00:1450:4006:80d::200e]:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 126/Google, Confidence: IP address][DPI packets: 8][cat: Media/1][19 pkts/2517 bytes <-> 18 pkts/22438 bytes][Goodput ratio: 33/93][2.20 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.798 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 146/10 1024/77 344/20][Pkt Len c2s/s2c min/avg/max/stddev: 88/88 132/1247 605/2504 117/854][TCP Fingerprint: 2_64_65320_5c453b01be6e/Unknown][TLSv1.3][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 10,5,5,0,5,0,0,5,0,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,30,0,5,0,0,0,0,0,0,0,25] 2 TCP 127.0.0.1:40818 <-> 127.0.0.1:1234 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 21][cat: Web/5][13 pkts/2126 bytes <-> 16 pkts/20417 bytes][Goodput ratio: 58/95][2.27 sec][bytes ratio: -0.811 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 225/171 2079/2079 619/551][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 164/1276 749/4794 178/1603][Risk: ** Known Proto on Non Std Port **** Obfuscated Traffic **][Risk Score: 150][Risk Info: Obfuscated TLS traffic / Expected on port 443][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][Plen Bins: 0,0,6,20,13,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,6,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,34] 3 TCP 127.0.0.1:37218 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][15 pkts/1875 bytes <-> 15 pkts/19470 bytes][Goodput ratio: 45/95][2.27 sec][bytes ratio: -0.824 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 185/178 2080/2039 572/561][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 125/1298 585/7183 125/2425][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][PLAIN TEXT (www.youtube.com)][Plen Bins: 34,26,6,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20] - 4 UDP 127.0.0.1:35957 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/724 bytes][Goodput ratio: 50/88][0.00 sec][Hostname/SNI: www.youtube.com][172.217.18.46][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 UDP 127.0.0.1:35957 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/724 bytes][Goodput ratio: 50/88][0.00 sec][Hostname/SNI: www.youtube.com][172.217.18.46][DNS Id: 0xdd23][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-websocket.pcapng.out b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-websocket.pcapng.out index 875fe3a8d..b75e7e277 100644 --- a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-websocket.pcapng.out +++ b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-websocket.pcapng.out @@ -2,32 +2,37 @@ DPI Packets (TCP): 31 (10.33 pkts/flow) DPI Packets (UDP): 2 (2.00 pkts/flow) Confidence DPI : 3 (flows) Confidence DPI (aggressive) : 1 (flows) -Num dissector calls: 183 (45.75 diss/flow) +Num dissector calls: 179 (44.75 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) -LRU cache fpc_dns: 1/3/1 (insert/search/found) +LRU cache fpc_dns: 8/3/1 (insert/search/found) Automa host: 4/3 (search/found) Automa domain: 4/0 (search/found) Automa tls cert: 0/0 (search/found) -Automa risk mask: 2/0 (search/found) +Automa risk mask: 1/0 (search/found) Automa common alpns: 2/2 (search/found) -Patricia risk mask: 4/0 (search/found) +Patricia risk mask: 2/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 7/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -YouTube 32 24681 2 +DNS 4 772 1 +YouTube 28 23909 1 SOCKS 33 21475 1 WebSocket 35 22912 1 -Acceptable 68 44387 2 -Fun 32 24681 2 +Acceptable 72 45159 3 +Fun 28 23909 1 + +Media 28 23909 1 +Web 68 44387 2 +Network 4 772 1 JA Host Stats: IP Address # JA4C @@ -35,6 +40,6 @@ JA Host Stats: 1 TCP 192.168.1.183:51390 <-> 142.250.180.142:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 124/YouTube, Confidence: DNS][DPI packets: 6][cat: Media/1][11 pkts/1577 bytes <-> 17 pkts/22332 bytes][Goodput ratio: 52/95][0.14 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.868 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/9 81/74 26/19][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 143/1314 585/6668 160/1472][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.3][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 18,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,55,0,0,0,5] - 2 TCP 127.0.0.1:33702 <-> 127.0.0.1:1234 [proto: 7.251/HTTP.WebSocket][IP: 0/Unknown][ClearText][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 19][cat: Web/5][19 pkts/2630 bytes <-> 16 pkts/20282 bytes][Goodput ratio: 51/95][0.17 sec][Hostname/SNI: 127.0.0.1][bytes ratio: -0.770 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/7 52/76 16/21][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 138/1268 767/2120 172/862][URL: 127.0.0.1:1234/][StatusCode: 101][User-Agent: Go-http-client/1.1][Risk: ** Known Proto on Non Std Port **** HTTP/TLS/QUIC Numeric Hostname/SNI **** Obfuscated Traffic **][Risk Score: 160][Risk Info: Found host 127.0.0.1 / Expected on port 80 / Obfuscated TLS-in-HTTP-WebSocket traffic][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][PLAIN TEXT (GET / HTTP/1.1)][Plen Bins: 0,0,11,0,5,5,0,0,0,0,0,5,0,0,5,0,0,0,0,0,5,11,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,45] + 2 TCP 127.0.0.1:33702 <-> 127.0.0.1:1234 [proto: 7.251/HTTP.WebSocket][IP: 0/Unknown][ClearText][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 19][cat: Web/5][19 pkts/2630 bytes <-> 16 pkts/20282 bytes][Goodput ratio: 51/95][0.17 sec][Hostname/SNI: 127.0.0.1][bytes ratio: -0.770 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/7 52/76 16/21][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 138/1268 767/2120 172/862][URL: 127.0.0.1:1234/][StatusCode: 101][User-Agent: Go-http-client/1.1][Risk: ** Known Proto on Non Std Port **** HTTP/TLS/QUIC Numeric Hostname/SNI **** Obfuscated Traffic **][Risk Score: 160][Risk Info: Obfuscated TLS-in-HTTP-WebSocket traffic / Found host 127.0.0.1 / Expected on port 80][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][PLAIN TEXT (GET / HTTP/1.1)][Plen Bins: 0,0,11,0,5,5,0,0,0,0,0,5,0,0,5,0,0,0,0,0,5,11,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,45] 3 TCP 127.0.0.1:44532 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][20 pkts/2203 bytes <-> 13 pkts/19272 bytes][Goodput ratio: 38/95][0.17 sec][bytes ratio: -0.795 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10/10 44/82 16/26][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 110/1482 585/4000 112/1624][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][PLAIN TEXT (www.youtube.com)][Plen Bins: 31,21,5,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26] - 4 UDP 127.0.0.1:39646 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/596 bytes][Goodput ratio: 50/85][0.00 sec][Hostname/SNI: www.youtube.com][142.250.180.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 UDP 127.0.0.1:39646 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/596 bytes][Goodput ratio: 50/85][0.00 sec][Hostname/SNI: www.youtube.com][142.250.180.142][DNS Id: 0x8eca][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |