From 95ac8fd41a90e2aa8ddb61509160b8281ebb3ff8 Mon Sep 17 00:00:00 2001 From: Nardi Ivan Date: Mon, 23 Aug 2021 14:30:29 +0200 Subject: STUN: fix extraction of Realm attribute While at it, improve detection of Facebook Messenger --- tests/pcap/stun_facebook.pcapng | Bin 0 -> 13492 bytes tests/result/stun_facebook.pcapng.out | 7 +++++++ 2 files changed, 7 insertions(+) create mode 100644 tests/pcap/stun_facebook.pcapng create mode 100644 tests/result/stun_facebook.pcapng.out (limited to 'tests') diff --git a/tests/pcap/stun_facebook.pcapng b/tests/pcap/stun_facebook.pcapng new file mode 100644 index 000000000..bb789c71d Binary files /dev/null and b/tests/pcap/stun_facebook.pcapng differ diff --git a/tests/result/stun_facebook.pcapng.out b/tests/result/stun_facebook.pcapng.out new file mode 100644 index 000000000..bf7b1dd27 --- /dev/null +++ b/tests/result/stun_facebook.pcapng.out @@ -0,0 +1,7 @@ +Guessed flow protos: 0 + +DPI Packets (UDP): 2 (2.00 pkts/flow) + +Messenger 75 10554 1 + + 1 UDP 192.168.12.169:38123 <-> 31.13.86.54:40003 [proto: 78.157/STUN.Messenger][Encrypted][cat: VoIP/10][40 pkts/6134 bytes <-> 35 pkts/4420 bytes][Goodput ratio: 73/67][10.09 sec][Host: turner.facebook][bytes ratio: 0.162 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 260/331 6004/5997 1040/1126][Pkt Len c2s/s2c min/avg/max/stddev: 70/68 153/126 190/174 31/39][Risk: ** Known protocol on non standard port **][Risk Score: 10][PLAIN TEXT (unauthorized)][Plen Bins: 8,14,9,28,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] -- cgit v1.2.3
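Review bot: In the tests/result/stun_facebook.pcapng.out hunk, the single expected flow checks the Realm fix only through the Messenger path: `[Host: turner.facebook]` and `[proto: 78.157/STUN.Messenger]` both come from the same UDP flow, so a regression in Realm extraction for any other realm value would not be caught by this test. Consider adding a second STUN capture whose Realm is not a Facebook one, and stating in the commit message what was wrong with the extraction, since the subject bundles two changes in one commit. The expected line also pins `[Risk: ** Known protocol on non standard port **]` with Risk Score 10 for port 40003; it is worth confirming that this flag is intended for this traffic before it becomes part of the reference output.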