Guessed flow protos: 1
DPI Packets (TCP): 43 (5.38 pkts/flow)
DPI Packets (UDP): 3 (1.00 pkts/flow)
Confidence Match by port : 1 (flows)
Confidence DPI : 10 (flows)
Num dissector calls: 50 (4.55 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/3/0 (insert/search/found)
LRU cache stun: 0/0/0 (insert/search/found)
LRU cache tls_cert: 0/8/0 (insert/search/found)
LRU cache mining: 0/1/0 (insert/search/found)
LRU cache msteams: 0/1/0 (insert/search/found)
Automa host: 7/0 (search/found)
Automa domain: 7/0 (search/found)
Automa tls cert: 4/0 (search/found)
Automa risk mask: 7/0 (search/found)
Automa common alpns: 0/0 (search/found)
Patricia risk mask: 16/0 (search/found)
Patricia risk mask IPv6: 0/0 (search/found)
Patricia risk: 0/0 (search/found)
Patricia risk IPv6: 1/0 (search/found)
Patricia protocols: 19/1 (search/found)
Patricia protocols IPv6: 2/0 (search/found)
SMBv1 1 252 1
TLS 220 93832 5
DHCPV6 6 906 1
Dropbox 10 1860 1
Tor 112 39736 3
Safe 220 93832 5
Acceptable 16 2766 2
Potentially Dangerous 112 39736 3
Dangerous 1 252 1
JA3 Host Stats:
IP Address # JA3C
1 192.168.1.252 1
1 TCP 192.168.1.252:51110 <-> 91.143.93.242:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Web/5][62 pkts/22715 bytes <-> 79 pkts/45823 bytes][Goodput ratio: 84/91][109.04 sec][Hostname/SNI: www.ct7ctrgb6cr7.com][bytes ratio: -0.337 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2212/966 44777/37995 8343/4770][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 366/580 1514/1514 350/568][Risk: ** Obsolete TLS (v1.1 or older) **** TLS Cert About To Expire **][Risk Score: 150][Risk Info: TLSv1 / 03/Oct/2013 00:00:00 - 18/Nov/2013 23:59:59][TLSv1][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA4: t10d360300_77f462745360_33a13ba74d1c][JA3S: 184d532a16876b78846ae6a03f654890][Issuer: CN=www.xkgk7fdx362yyyxib.com][Subject: CN=www.g6ghvisevf3ibuu5.net][Certificate SHA-1: 94:F9:FF:E2:7F:DB:1F:B8:19:65:20:6F:F6:DE:B6:A5:D5:AF:14:C7][Validity: 2013-10-03 00:00:00 - 2013-11-18 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 2,1,1,1,1,0,1,0,0,3,0,0,0,0,0,0,2,0,58,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,1,0,1,0,22,0,0]
2 TCP 192.168.1.252:51112 <-> 38.229.70.53:443 [proto: 91.163/TLS.Tor][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: VPN/2][17 pkts/6724 bytes <-> 23 pkts/9350 bytes][Goodput ratio: 86/87][59.08 sec][Hostname/SNI: www.q4cyamnc6mtokjurvdclt.com][bytes ratio: -0.163 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 4368/3086 30770/31166 9469/8183][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 396/407 640/1514 266/451][Risk: ** Obsolete TLS (v1.1 or older) **** Susp DGA Domain name **** Unsafe Protocol **][Risk Score: 210][Risk Info: TLSv1 / q4cyamnc6mtokjurvdclt.com][TLSv1][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA4: t10d360300_77f462745360_33a13ba74d1c][JA3S: e1691a31bfe345d2692da75636ddfb00][Issuer: CN=www.gg562izcxdvqdk.com][Subject: CN=www.fcsyvnlemwxv5p.net][Certificate SHA-1: C1:93:18:2C:A3:1D:AC:5F:C7:DE:17:8A:4E:B1:E8:13:BB:08:73:3A][Validity: 2013-09-15 00:00:00 - 2014-02-21 23:59:59][Cipher: TLS_DHE_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,4,8,0,0,0,4,4,0,0,0,0,0,0,0,0,0,0,67,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]
3 TCP 192.168.1.252:51175 <-> 91.143.93.242:443 [proto: 91.163/TLS.Tor][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: VPN/2][17 pkts/5489 bytes <-> 21 pkts/7031 bytes][Goodput ratio: 82/84][135.32 sec][Hostname/SNI: www.gfu7hbxpfp.com][bytes ratio: -0.123 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 10378/8441 132386/132736 35221/32094][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 323/335 640/1514 270/385][Risk: ** Obsolete TLS (v1.1 or older) **** Susp DGA Domain name **** Unsafe Protocol **** TLS Cert About To Expire **][Risk Score: 260][Risk Info: TLSv1 / gfu7hbxpfp.com / 03/Oct/2013 00:00:00 - 18/Nov/2013 23:59:59][TLSv1][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA4: t10d360300_77f462745360_33a13ba74d1c][JA3S: 184d532a16876b78846ae6a03f654890][Issuer: CN=www.xkgk7fdx362yyyxib.com][Subject: CN=www.g6ghvisevf3ibuu5.net][Certificate SHA-1: 94:F9:FF:E2:7F:DB:1F:B8:19:65:20:6F:F6:DE:B6:A5:D5:AF:14:C7][Validity: 2013-10-03 00:00:00 - 2013-11-18 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,5,5,5,5,0,5,0,0,0,0,0,0,0,0,0,0,0,65,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]
4 TCP 192.168.1.252:51111 <-> 46.59.52.31:443 [proto: 91.163/TLS.Tor][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: VPN/2][16 pkts/4858 bytes <-> 18 pkts/6284 bytes][Goodput ratio: 81/84][108.05 sec][Hostname/SNI: www.e6r5p57kbafwrxj3plz.com][bytes ratio: -0.128 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/3 6124/2564 71328/34353 19661/8817][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 304/349 640/1514 267/398][Risk: ** Obsolete TLS (v1.1 or older) **** Susp DGA Domain name **** Unsafe Protocol **][Risk Score: 210][Risk Info: TLSv1 / e6r5p57kbafwrxj3plz.com][TLSv1][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA4: t10d360300_77f462745360_33a13ba74d1c][JA3S: 184d532a16876b78846ae6a03f654890][Issuer: CN=www.gmvuy6mtjbxevwo3w.com][Subject: CN=www.bpcau5b3haif5els.net][Certificate SHA-1: 3A:B1:8A:6F:C3:F6:41:ED:77:D5:40:C3:85:79:8B:62:46:BC:65:9C][Validity: 2013-06-07 00:00:00 - 2014-02-07 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,5,5,5,5,0,5,0,0,0,0,0,0,0,0,0,0,0,63,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]
5 TCP 192.168.1.252:51174 <-> 212.83.155.250:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Web/5][16 pkts/3691 bytes <-> 16 pkts/6740 bytes][Goodput ratio: 75/87][135.27 sec][Hostname/SNI: www.t3i3ru.com][bytes ratio: -0.292 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/2 11234/11261 72591/72890 25060/25130][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 231/421 640/1514 243/403][Risk: ** Obsolete TLS (v1.1 or older) **** TLS Cert About To Expire **][Risk Score: 150][Risk Info: TLSv1 / 11/Sep/2013 00:00:00 - 24/Nov/2013 23:59:59][TLSv1][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA4: t10d360300_77f462745360_33a13ba74d1c][JA3S: 184d532a16876b78846ae6a03f654890][Issuer: CN=www.wohgpas45j6ucw.com][Subject: CN=www.7d43ah2kikrabj.net][Certificate SHA-1: F9:1D:5F:89:8F:D8:58:1E:45:E7:9B:A6:FD:90:95:77:FF:DD:E8:1B][Validity: 2013-09-11 00:00:00 - 2013-11-24 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,5,11,0,5,0,5,0,0,0,0,0,0,0,0,0,0,0,61,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]
6 TCP 192.168.1.252:51185 <-> 62.210.137.230:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Web/5][15 pkts/3634 bytes <-> 14 pkts/6027 bytes][Goodput ratio: 76/87][74.24 sec][Hostname/SNI: www.6gyip7tqim7sieb.com][bytes ratio: -0.248 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/15 6155/6464 63835/63837 17571/19124][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 242/430 640/1514 247/416][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][TLSv1][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA4: t10d360300_77f462745360_33a13ba74d1c][JA3S: 184d532a16876b78846ae6a03f654890][Issuer: CN=www.a3uycdf3rn5md.com][Subject: CN=www.l7xvysfnvkb.net][Certificate SHA-1: EE:86:E7:21:36:93:23:30:DB:A0:09:48:55:16:CB:A8:E9:DA:01:D0][Validity: 2013-11-02 00:00:00 - 2014-02-17 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,6,12,0,6,0,6,0,0,0,0,0,0,0,0,0,0,0,57,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]
7 TCP 192.168.1.252:51176 <-> 38.229.70.53:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Web/5][8 pkts/2110 bytes <-> 9 pkts/3032 bytes][Goodput ratio: 78/84][1.04 sec][Hostname/SNI: www.jmts2id.com][bytes ratio: -0.179 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 106/119 195/192 76/66][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 264/337 640/1514 230/504][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][TLSv1][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA4: t10d360300_77f462745360_33a13ba74d1c][JA3S: e1691a31bfe345d2692da75636ddfb00][Issuer: CN=www.gg562izcxdvqdk.com][Subject: CN=www.fcsyvnlemwxv5p.net][Certificate SHA-1: C1:93:18:2C:A3:1D:AC:5F:C7:DE:17:8A:4E:B1:E8:13:BB:08:73:3A][Validity: 2013-09-15 00:00:00 - 2014-02-21 23:59:59][Cipher: TLS_DHE_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,11,22,0,0,0,22,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]
8 UDP 192.168.1.1:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Cloud/13][10 pkts/1860 bytes -> 0 pkts/0 bytes][Goodput ratio: 77/0][600.89 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 30033/0 66765/0 360548/0 103868/0][Pkt Len c2s/s2c min/avg/max/stddev: 186/0 186/0 186/0 0/0][PLAIN TEXT ( 676879976)][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
9 UDP [fe80::c583:1972:5728:7323]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][6 pkts/906 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][31.41 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1227/0 6282/0 16006/0 5400/0][Pkt Len c2s/s2c min/avg/max/stddev: 151/0 151/0 151/0 0/0][PLAIN TEXT (Endian)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
10 UDP 192.168.1.252:138 -> 192.168.1.255:138 [proto: 10.16/NetBIOS.SMBv1][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/252 bytes -> 0 pkts/0 bytes][Goodput ratio: 83/0][< 1 sec][Hostname/SNI: endian-pc][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT ( EFEOEEEJEBEOCNFAEDCACACACACACA)][Plen Bins: 0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
11 TCP 192.168.1.252:51104 -> 157.56.30.46:443 [proto: 91/TLS][IP: 276/Azure][Encrypted][Confidence: Match by port][DPI packets: 1][cat: Web/5][1 pkts/60 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **** Probing attempt **][Risk Score: 60][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]