From d59f0327a592d6cedfdd29eacb5356abdda9388d Mon Sep 17 00:00:00 2001 From: Toni Date: Mon, 7 Feb 2022 18:05:23 +0100 Subject: Improved MDNS/LLMNR detection. (#1437) * Checking for port 5353/5355 is not enough. * Added additional multicast address and header checks. Signed-off-by: Toni Uhlig --- tests/result/dnscrypt-v2.pcap.out | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 tests/result/dnscrypt-v2.pcap.out (limited to 'tests/result') diff --git a/tests/result/dnscrypt-v2.pcap.out b/tests/result/dnscrypt-v2.pcap.out new file mode 100644 index 000000000..5b0cd7915 --- /dev/null +++ b/tests/result/dnscrypt-v2.pcap.out @@ -0,0 +1,10 @@ +Guessed flow protos: 0 + +DPI Packets (UDP): 6 (2.00 pkts/flow) +Confidence DPI : 3 (flows) + +DNScrypt 6 4300 3 + + 1 UDP 127.0.0.1:50893 <-> 127.0.0.2:5353 [proto: 208/DNScrypt][Encrypted][Confidence: DPI][cat: Network/14][1 pkts/1130 bytes <-> 1 pkts/410 bytes][Goodput ratio: 96/90][0.01 sec][Risk: ** Known Protocol on Non Standard Port **][Risk Score: 50][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 127.0.0.1:38650 <-> 127.0.0.2:5353 [proto: 208/DNScrypt][Encrypted][Confidence: DPI][cat: Network/14][1 pkts/1130 bytes <-> 1 pkts/282 bytes][Goodput ratio: 96/85][0.01 sec][Risk: ** Known Protocol on Non Standard Port **][Risk Score: 50][Plen Bins: 0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 UDP 127.0.0.1:42883 <-> 127.0.0.2:5353 [proto: 208/DNScrypt][Encrypted][Confidence: DPI][cat: Network/14][1 pkts/1130 bytes <-> 1 pkts/218 bytes][Goodput ratio: 96/80][0.01 sec][Risk: ** Known Protocol on Non Standard Port **][Risk Score: 50][Plen Bins: 0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0] -- cgit v1.2.3