From 074e489fe3569d4d6d2ab9446373aa9ce53b68b4 Mon Sep 17 00:00:00 2001 From: Michael Scherer Date: Sun, 29 May 2016 10:09:07 +0200 Subject: Fix typo --- README.protocols | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.protocols b/README.protocols index 27d8c6408..1c77df15b 100644 --- a/README.protocols +++ b/README.protocols @@ -8,7 +8,7 @@ TCP 172.16.253.130:2021 <-> 75.147.140.249:443 [VLAN: 0][proto: 91/SSL][28 pkts/ TCP 172.16.253.130:2077 <-> 77.247.181.163:443 [VLAN: 0][proto: 91/SSL][136 pkts/94329 bytes][SSL client: www.fk4pprq42hsvl2wey.com] It can be detected by analyzing the SSL client certificate and checking the name that does not match to a real host in -addition of begin a bit weird. As doing DNS resolution is not a task for nDPI we let applications do and then recognize +addition of being a bit weird. As doing DNS resolution is not a task for nDPI we let applications do and then recognize SSL-tunnelled connections. See http://www.netresec.com/?page=Blog&month=2013-04&post=Detecting-TOR-Communication-in-Network-Traffic -- cgit v1.2.3