author | Toni Uhlig <matzeton@googlemail.com> | 2022-09-22 19:07:08 +0200 |
---|---|---|
committer | Toni Uhlig <matzeton@googlemail.com> | 2022-09-22 19:07:08 +0200 |
commit | 9a28475bba88b711b7075b58473b7e5b5df1f393 (patch) | |
tree | 73cdf56320f14b5fe0fbfb2e930cf7ea025f9117 /test/results/flow-info | |
parent | 28971cd7647a79253000fb33e52b5d2129e5ba62 (diff) |
Improved flow analyse event:
* store packet directions
* merged direction based IATs
* merged direction based PKTLENs
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'test/results/flow-info')
162 files changed, 3540 insertions, 2360 deletions
diff --git a/test/results/flow-info/1kxun.pcap.out b/test/results/flow-info/1kxun.pcap.out index d37d56a59..af07ac0f0 100644 --- a/test/results/flow-info/1kxun.pcap.out +++ b/test/results/flow-info/1kxun.pcap.out 
@@ -70,40 +70,50 @@ detected: [....30] [ip4][..tcp] [..192.168.115.8][49602] -> [.106.187.35.246][...80] [HTTP.1kxun][Streaming][Fun] detected: [....31] [ip4][..tcp] [..192.168.115.8][49603] -> [.106.187.35.246][...80] [HTTP.1kxun][Streaming][Fun] analyse: [....29] [ip4][..tcp] [..192.168.115.8][49601] -> [.106.187.35.246][...80] [HTTP.1kxun][Streaming][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.056| 0.011| 0.020] - [IAT(c->s)...: 0.000| 0.056| 0.019| 0.025][IAT(s->c)...: 0.000| 0.052| 0.008| 0.017] - [PKTLEN(c->s): 54.000| 414.000| 128.400| 142.900][PKTLEN(s->c): 60.000|1314.000|1157.500| 397.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.056| 0.011| 0.020| 413.706| 0.000] + [PKTLEN......: 54.000| 1314.000| 835.900| 585.300|342554.800| 4.500] [BINS(c->s)..: 8,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,0,0,1,1,1,1,1,1] + [IATS........: 26,52106,52225,22,5484,34,48207,11555,801,69,59,49,273,37,27,28,464,56171,23,50473,3499,84,64,53877,45,17726,143,82,52,49,50,0] + [PKTLENS.....: 66,66,66,54,54,414,414,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314] analyse: [....30] [ip4][..tcp] [..192.168.115.8][49602] -> [.106.187.35.246][...80] [HTTP.1kxun][Streaming][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.066| 0.012| 0.024] - [IAT(c->s)...: 0.000| 0.066| 0.017| 0.027][IAT(s->c)...: 0.000| 0.065| 0.010| 0.022] - [PKTLEN(c->s): 54.000| 413.000| 115.800| 133.000][PKTLEN(s->c): 60.000|1314.000|1141.800| 413.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.066| 0.012| 0.024| 579.055| 0.000] + [PKTLEN......: 54.000| 1314.000| 757.100| 600.300|360321.400| 4.400] [BINS(c->s)..: 
10,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,0,0,1,1,1,1,1,1,0,0] + [IATS........: 30,54573,54712,41,4152,56,64506,68,36,30,74,39,719,84,86,86,61743,22,885,65392,59,66248,63,504,2917,559,54,52,83,3871,32,0] + [PKTLENS.....: 66,66,66,54,54,413,413,60,373,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314,54,54] analyse: [....27] [ip4][..tcp] [..192.168.115.8][49599] -> [.106.187.35.246][...80] [HTTP.1kxun][Streaming][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.067| 0.012| 0.023] - [IAT(c->s)...: 0.000| 0.067| 0.017| 0.026][IAT(s->c)...: 0.000| 0.065| 0.010| 0.021] - [PKTLEN(c->s): 54.000| 415.000| 116.200| 133.700][PKTLEN(s->c): 60.000|1314.000|1141.800| 413.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.067| 0.012| 0.023| 544.113| 0.000] + [PKTLEN......: 54.000| 1314.000| 757.200| 600.200|360235.600| 4.400] [BINS(c->s)..: 10,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,0,0,1,1,1,1,1,1,0,0,1,1,1,1,1,0,0,1,1,1,1] + [IATS........: 36,53209,53269,23,4558,53,61521,40,293,57,57277,26,5093,104,312,45,266,88,5943,34,1372,65090,55,53,50,66840,34,3844,90,757,80,0] + [PKTLENS.....: 66,66,66,54,54,415,415,60,373,1314,1314,54,54,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314] analyse: [....32] [ip4][..tcp] [..192.168.115.8][49604] -> [.106.187.35.246][...80] [HTTP.1kxun][Streaming][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.096| 0.013| 0.026] - [IAT(c->s)...: 0.000| 0.096| 0.023| 0.034][IAT(s->c)...: 0.000| 0.072| 0.008| 0.021] 
- [PKTLEN(c->s): 54.000| 423.000| 202.200| 176.700][PKTLEN(s->c): 60.000|1314.000|1140.100| 398.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.096| 0.013| 0.026| 693.255| 0.000] + [PKTLEN......: 54.000| 1314.000| 847.000| 555.000|308021.300| 4.600] [BINS(c->s)..: 6,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0] + [IATS........: 37,50730,50813,26,5716,35,60276,105,70,53,49,73,718,44,49,52,342,56283,26,72323,56,48,50,164,52,68,54,259,49,96474,55,0] + [PKTLENS.....: 66,66,66,54,54,414,414,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314,1314,1314,1314,932,423,423] analyse: [....28] [ip4][..tcp] [..192.168.115.8][49600] -> [.106.187.35.246][...80] [HTTP.1kxun][Streaming][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.142| 0.016| 0.032] - [IAT(c->s)...: 0.000| 0.142| 0.027| 0.045][IAT(s->c)...: 0.000| 0.085| 0.011| 0.024] - [PKTLEN(c->s): 54.000| 416.000| 128.800| 143.700][PKTLEN(s->c): 60.000|1314.000|1157.500| 397.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.142| 0.016| 0.032| 1046.271| 0.000] + [PKTLEN......: 54.000| 1314.000| 836.000| 585.200|342449.500| 4.500] [BINS(c->s)..: 8,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,0,0,1,1,1,1] + [IATS........: 54,51945,52076,32,5225,53,60454,877,31,40,63,40,400,73,48,50,170,85115,142000,23,40785,2483,129,70,65,43573,78,404,66,55,49,0] + [PKTLENS.....: 
66,66,66,54,54,416,416,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314] new: [....35] [ip4][..udp] [...192.168.5.67][..138] -> [192.168.255.255][..138] detected: [....35] [ip4][..udp] [...192.168.5.67][..138] -> [192.168.255.255][..138] [NetBIOS.SMBv1][System][Dangerous] RISK: Unsafe Protocol 
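Review bot: Every new `[IAT.........:` line in this hunk reports an entropy of exactly 0.000, while the `[PKTLEN......:` line directly below it reports 4.3–4.6 and the per-packet `IATS` arrays in the same hunk are plainly non-constant (e.g. `26,52106,52225,22,...`), so a zero value looks like a degenerate input to the entropy calculation rather than a property of the traffic. The analysis code is not part of this diff, so this cannot be confirmed here, but expected-output files that pin 0.000 would lock that behaviour in; I would check whether the IAT entropy is computed over the sub-second float values (which would all land in a single bin) before accepting these fixtures. The `IATS` arrays also end in a run of zeros (one here, up to six in later hunks) while the matching `PKTLENS` arrays hold 32 non-zero entries; if those zeros are padding rather than genuine zero-length gaps, they are presumably also feeding the min/avg/stddev/variance figures on the line above and that is worth confirming. A one-line comment in the generator documenting the 32-entry window and the unit of `IATS` (apparently microseconds, given `45001141` against an IAT max of `45.001` in a later hunk) would make these fixtures reviewable without reading the emitter.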
@@ -112,12 +122,14 @@ detected: [....36] [ip4][..tcp] [..192.168.115.8][49605] -> [.106.185.35.110][...80] [HTTP.1kxun][Streaming][Fun] detected: [....37] [ip4][..tcp] [..192.168.115.8][49606] -> [.106.185.35.110][...80] [HTTP.1kxun][Streaming][Fun] analyse: [....37] [ip4][..tcp] [..192.168.115.8][49606] -> [.106.185.35.110][...80] [HTTP.1kxun][Streaming][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.147| 0.015| 0.033] - [IAT(c->s)...: 0.000| 0.147| 0.017| 0.040][IAT(s->c)...: 0.000| 0.110| 0.013| 0.027] - [PKTLEN(c->s): 54.000| 411.000| 106.700| 124.300][PKTLEN(s->c): 60.000|1314.000|1175.000| 393.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.147| 0.015| 0.033| 1100.854| 0.000] + [PKTLEN......: 54.000| 1314.000| 707.600| 612.000|374554.600| 4.300] [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,0,0,1,1,1,1,0,0,1,1,1,0,0,1,1,0,0,1,1,1,1,1] + [IATS........: 56,37783,37994,70,1795,58,38952,109751,153,146838,45,329,66,113,56,463,29,236,62,115,388,44,244,36267,36544,26,410,130,482,92,113,0] + [PKTLENS.....: 66,66,66,54,54,411,411,60,1314,1314,54,54,1314,1314,1314,1314,54,54,1314,1314,1314,54,54,1314,1314,54,54,1314,1314,1314,1314,1314] new: [....38] [ip4][..tcp] [..192.168.115.8][49607] -> [218.244.135.170][.9099] detected: [....38] [ip4][..tcp] [..192.168.115.8][49607] -> [218.244.135.170][.9099] [HTTP][Web][Acceptable] RISK: Known Proto on Non Std Port, HTTP Numeric IP Address 
@@ -148,12 +160,14 @@ RISK: HTTP Numeric IP Address new: [....49] [ip4][..tcp] [..192.168.115.8][49613] -> [.183.131.48.144][...80] analyse: [....41] [ip4][..tcp] [..192.168.115.8][49609] -> [..42.120.51.152][.8080] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.399| 0.070| 0.104] - [IAT(c->s)...: 0.000| 0.350| 0.066| 0.103][IAT(s->c)...: 0.000| 0.399| 0.076| 0.106] - [PKTLEN(c->s): 54.000| 499.000| 245.400| 193.100][PKTLEN(s->c): 60.000|1314.000| 538.800| 555.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.399| 0.070| 0.104|10878.943| 0.000] + [PKTLEN......: 54.000| 1314.000| 364.600| 410.300|168364.100| 4.200] [BINS(c->s)..: 9,0,0,0,0,0,0,4,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,0,0,0,0,1,1,1,0,0,1,1,1,0,0,0,0,1,1,0,0,1,1,0] + [IATS........: 50,76520,76599,25,1136,41,62341,85,61755,47,298859,73,398999,66467,177,166123,34,60273,507,89,60822,34,117112,46,178142,469,61984,45,102335,44259,349653,0] + [PKTLENS.....: 66,66,62,54,54,306,306,60,79,499,499,499,499,60,1314,1314,54,54,1314,1314,542,54,54,281,281,60,79,491,491,60,747,54] detected: [....49] [ip4][..tcp] [..192.168.115.8][49613] -> [.183.131.48.144][...80] [HTTP][Web][Acceptable] RISK: HTTP Numeric IP Address detection-update: [....49] [ip4][..tcp] [..192.168.115.8][49613] -> [.183.131.48.144][...80] [HTTP][Media][Acceptable] 
@@ -171,12 +185,14 @@ new: [....55] [ip4][..udp] [...192.168.5.16][...68] -> [..192.168.119.1][...67] detected: [....55] [ip4][..udp] [...192.168.5.16][...68] -> [..192.168.119.1][...67] [DHCP][Network][Acceptable] analyse: [....49] [ip4][..tcp] [..192.168.115.8][49613] -> [.183.131.48.144][...80] [HTTP][Media][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.863| 0.183| 0.253] - [IAT(c->s)...: 0.000| 0.863| 0.155| 0.262][IAT(s->c)...: 0.000| 0.666| 0.228| 0.231] - [PKTLEN(c->s): 54.000| 557.000| 105.500| 150.500][PKTLEN(s->c): 60.000|1078.000| 846.400| 406.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.863| 0.183| 0.253|63925.490| 0.000] + [PKTLEN......: 54.000| 1078.000| 383.300| 452.500|204736.500| 4.000] [BINS(c->s)..: 18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,1,0,0,1,0,0] + [IATS........: 31,69271,69368,26,1928,34,67940,1399,6083,291,73959,37,665858,862765,47,408647,411020,37,251400,251827,47,336785,335976,58,329935,190,130781,55,599505,799208,58,0] + [PKTLENS.....: 66,66,60,54,54,557,557,60,335,1078,1078,54,54,1078,54,54,1078,54,54,1078,54,54,1078,54,54,1078,1078,54,54,1078,54,54] new: [....56] [ip4][..udp] [.59.120.208.218][50151] -> [255.255.255.255][.1947] new: [....57] [ip4][..tcp] [..192.168.115.8][49596] -> [..203.66.182.87][..443] [MIDSTREAM] new: [....58] [ip4][..tcp] [...192.168.5.16][53613] -> [.68.233.253.133][...80] [MIDSTREAM] 
@@ -316,12 +332,14 @@ update: [....10] [ip6][..udp] [..............fe80::edf5:240a:c8c0:8312][61603] -> [..............................ff02::1:3][.5355] [LLMNR][Network][Acceptable] update: [....13] [ip4][..udp] [..192.168.115.8][51458] -> [....224.0.0.252][.5355] [LLMNR][Network][Acceptable] analyse: [....31] [ip4][..tcp] [..192.168.115.8][49603] -> [.106.187.35.246][...80] [HTTP.1kxun][Streaming][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 45.001| 1.464| 7.949] - [IAT(c->s)...: 0.000| 45.001| 4.519| 13.494][IAT(s->c)...: 0.000| 0.069| 0.009| 0.022] - [PKTLEN(c->s): 54.000| 415.000| 121.900| 138.200][PKTLEN(s->c): 60.000|1314.000|1148.500| 404.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 45.001| 1.464| 7.949|63183326.806| 0.000] + [PKTLEN......: 54.000| 1314.000| 795.600| 593.200|351838.700| 4.500] [BINS(c->s)..: 9,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,17,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0] + [IATS........: 34,54477,54551,26,4891,45,65495,70,68,364,89,71,208,46,29,27,25,61484,19,69006,62,56,48,731,52,51,51,454,70696,24,45001141,0] + [PKTLENS.....: 66,66,66,54,54,415,415,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314,1314,1314,1281,54,54,55] new: [...118] [ip4][..udp] [..192.168.0.104][..137] -> [192.168.255.255][..137] detected: [...118] [ip4][..udp] [..192.168.0.104][..137] -> [192.168.255.255][..137] [NetBIOS][System][Acceptable] new: [...119] [ip4][..udp] [...192.168.5.16][..123] -> [..17.253.26.125][..123] 
@@ -562,26 +580,32 @@ new: [...144] [ip4][..tcp] [..192.168.2.126][46212] -> [.172.105.121.82][...80] [MIDSTREAM] detected: [...144] [ip4][..tcp] [..192.168.2.126][46212] -> [.172.105.121.82][...80] [HTTP.1kxun][Streaming][Fun] analyse: [...142] [ip4][..tcp] [..192.168.2.126][46170] -> [.172.105.121.82][...80] [HTTP.1kxun][Streaming][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.895| 0.074| 0.190] - [IAT(c->s)...: 0.895| 0.895| 0.895| 0.000][IAT(s->c)...: 0.000| 0.372| 0.045| 0.111] - [PKTLEN(c->s): 274.000| 278.000| 276.000| 2.000][PKTLEN(s->c): 387.000|21666.000|4833.000|5678.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.895| 0.074| 0.190|35982.832| 0.000] + [PKTLEN......: 274.000|21666.000| 4548.200| 5608.100|31450230.000| 4.200] [BINS(c->s)..: 0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,16] + [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1] + [IATS........: 356191,54,308075,59,2442,3212,112,200163,56,36,29,26,27,25,1594,86,63,42,33,23,24,35,23,895343,371980,1,1344,81,1941,0,0,0] + [PKTLENS.....: 278,387,13026,14466,2946,2946,1506,7266,2946,1506,2946,2946,1506,1506,1506,1506,1506,4386,6338,2946,2946,1506,1506,1506,802,274,387,17346,21666,1506,4386,17346] analyse: [...139] [ip4][..tcp] [..192.168.2.126][60148] -> [.172.105.121.82][...80] [HTTP.1kxun][Streaming][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 4.661| 0.481| 1.215] - [IAT(c->s)...: 0.217| 4.661| 1.520| 1.830][IAT(s->c)...: 0.000| 4.604| 0.292| 0.951] - [PKTLEN(c->s): 268.000| 278.000| 273.800| 4.800][PKTLEN(s->c): 384.000|21666.000|5875.000|6417.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 4.661| 0.481| 1.215|1476638.409| 0.000] + [PKTLEN......: 268.000|21666.000| 4999.800| 6236.200|38890032.000| 4.100] [BINS(c->s)..: 
0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,2,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,17] + [DIRECTIONS..: 0,1,1,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,0,1,1,1] + [IATS........: 306055,4848,325793,248766,4660887,4604216,364,552,841,1047,367664,134,94,2523,311381,119,1695,102,878348,204467,1564,1050,216537,375544,43,1531,0,0,0,0,0,0] + [PKTLENS.....: 268,384,6298,268,384,5682,278,386,1506,1506,7266,2946,5826,2946,10146,2946,1506,5826,2946,1506,8706,1506,5768,277,386,20226,21666,15363,278,387,2946,21666] analyse: [...143] [ip4][..tcp] [..192.168.2.126][46200] -> [.172.105.121.82][...80] [HTTP.1kxun][Streaming][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.892| 0.092| 0.200] - [IAT(c->s)...: 0.892| 0.892| 0.892| 0.000][IAT(s->c)...: 0.000| 0.376| 0.061| 0.126] - [PKTLEN(c->s): 278.000| 278.000| 278.000| 0.000][PKTLEN(s->c): 386.000|21666.000|7390.700|6768.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.892| 0.092| 0.200|39932.170| 0.000] + [PKTLEN......: 278.000|21666.000| 6946.200| 6776.100|45915728.000| 4.300] [BINS(c->s)..: 0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,20] + [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1] + [IATS........: 348410,61,2586,311307,74,1916,87,90,200152,34,703,82,83,49,891560,375934,1624,82,2179,1527,332757,94,46,1896,46,1564,1588,0,0,0,0,0] + [PKTLENS.....: 278,386,1506,11586,1506,4386,2946,13026,7266,1506,1506,1506,1506,2946,2946,1506,4605,278,388,21666,2946,10146,11586,17346,7266,18786,5826,20226,1506,10146,11586,21666] new: [...145] [ip4][..tcp] [..192.168.2.126][35200] -> [...103.29.71.30][...80] [MIDSTREAM] detected: [...145] [ip4][..tcp] [..192.168.2.126][35200] -> 
[...103.29.71.30][...80] [HTTP.1kxun][Streaming][Fun] new: [...146] [ip4][..tcp] [..192.168.2.126][45380] -> [..161.117.13.29][...80] [MIDSTREAM] @@ -602,12 +626,14 @@ new: [...153] [ip4][..tcp] [..192.168.2.126][41390] -> [....18.64.79.37][...80] [MIDSTREAM] detected: [...153] [ip4][..tcp] [..192.168.2.126][41390] -> [....18.64.79.37][...80] [HTTP.Google][Web][Acceptable] analyse: [...146] [ip4][..tcp] [..192.168.2.126][45380] -> [..161.117.13.29][...80] [HTTP.1kxun][Streaming][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.409| 0.085| 0.132] - [IAT(c->s)...: 0.380| 0.409| 0.394| 0.014][IAT(s->c)...: 0.000| 0.380| 0.064| 0.108] - [PKTLEN(c->s): 490.000| 831.000| 607.700| 158.000][PKTLEN(s->c): 1267.000|8706.000|2823.700|2208.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.409| 0.085| 0.132|17528.007| 0.000] + [PKTLEN......: 490.000| 8706.000| 2615.900| 2200.300|4841425.000| 4.600] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,16,0,12] + [DIRECTIONS..: 0,1,1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] + [IATS........: 380392,4573,408625,215737,457,986,1014,178521,331,482,379636,185383,1426,654,331743,5741,174159,6079,334,924,170502,413,6008,1070,341,710,169481,463,585,5307,422,0] + [PKTLENS.....: 831,1506,1267,502,1506,1506,7266,4386,1506,1506,2518,490,2946,8706,1506,2946,8706,2946,1506,1506,7266,1506,1506,2946,1506,1506,2946,1506,1506,2946,1506,1506] new: [...154] [ip4][..tcp] [..192.168.2.126][51888] -> [.119.28.164.143][...80] [MIDSTREAM] detected: [...154] [ip4][..tcp] [..192.168.2.126][51888] -> [.119.28.164.143][...80] [HTTP.Tencent][SocialNetwork][Acceptable] new: [...155] [ip4][..tcp] [..192.168.2.126][38354] -> [.142.250.186.34][...80] [MIDSTREAM] 
@@ -628,35 +654,43 @@ new: [...162] [ip4][..tcp] [..192.168.2.126][49396] -> [.14.136.136.108][...80] [MIDSTREAM] detected: [...162] [ip4][..tcp] [..192.168.2.126][49396] -> [.14.136.136.108][...80] [HTTP.1kxun][Streaming][Fun] analyse: [...157] [ip4][..tcp] [..192.168.2.126][49354] -> [.14.136.136.108][...80] [HTTP.1kxun][Streaming][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.832| 0.077| 0.179] - [IAT(c->s)...: 0.832| 0.832| 0.832| 0.000][IAT(s->c)...: 0.000| 0.414| 0.048| 0.103] - [PKTLEN(c->s): 592.000| 592.000| 592.000| 0.000][PKTLEN(s->c): 351.000|10146.000|3286.700|2484.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.832| 0.077| 0.179|32207.956| 0.000] + [PKTLEN......: 351.000|10146.000| 3118.200| 2492.500|6212617.000| 4.600] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,16] + [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1] + [IATS........: 207030,367,1074,749,203546,401,538,843,360,1168,622,204026,463,1910,808,831841,413644,1524,1634,381,916,201620,415,562,974,897,365,0,0,0,0,0] + [PKTLENS.....: 592,351,1506,8706,2946,1506,1506,2946,1506,1506,5826,4386,1506,1506,1506,5826,2946,2946,3956,592,351,1506,8706,10146,5826,2946,1506,1506,2946,4386,4386,1506] detection-update: [...161] [ip4][..tcp] [..192.168.2.126][49412] -> [.14.136.136.108][...80] [HTTP.1kxun][Streaming][Fun] detection-update: [...160] [ip4][..tcp] [..192.168.2.126][49380] -> [.14.136.136.108][...80] [HTTP.1kxun][Streaming][Fun] analyse: [...159] [ip4][..tcp] [..192.168.2.126][49370] -> [.14.136.136.108][...80] [HTTP.1kxun][Streaming][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.877| 0.084| 0.182] - [IAT(c->s)...: 0.877| 0.877| 0.877| 0.000][IAT(s->c)...: 0.000| 0.237| 0.052| 0.091] - [PKTLEN(c->s): 580.000| 592.000| 586.000| 6.000][PKTLEN(s->c): 
351.000|15906.000|2906.900|3087.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.877| 0.084| 0.182|33133.681| 0.000] + [PKTLEN......: 351.000|15906.000| 2761.900| 3042.000|9253906.000| 4.400] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,17,0,10] + [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1] + [IATS........: 216812,1301,1174,217584,379,838,730,814,206371,3184,729,1431,202135,477,2906,412,436,624,742,876517,236517,1,2089,899,206105,416,0,0,0,0,0,0] + [PKTLENS.....: 580,351,1506,4386,1506,5826,1506,1506,1506,1506,1506,2946,1506,4386,2946,2946,8706,1506,1506,1506,1506,1506,1506,1506,1204,592,351,7266,15906,4386,1506,1506] analyse: [...160] [ip4][..tcp] [..192.168.2.126][49380] -> [.14.136.136.108][...80] [HTTP.1kxun][Streaming][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.887| 0.081| 0.181] - [IAT(c->s)...: 0.887| 0.887| 0.887| 0.000][IAT(s->c)...: 0.000| 0.238| 0.050| 0.090] - [PKTLEN(c->s): 580.000| 592.000| 586.000| 6.000][PKTLEN(s->c): 351.000|18786.000|3329.200|3784.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.887| 0.081| 0.181|32801.006| 0.000] + [PKTLEN......: 351.000|18786.000| 3157.800| 3724.000|13867893.000| 4.300] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,17,0,11] + [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1] + [IATS........: 223740,209594,1687,207155,354,1309,724,462,462,1177,203967,420,1398,676,628,3543,886861,237591,464,978,2452,823,206716,876,409,919,651,0,0,0,0,0] + [PKTLENS.....: 
580,2946,1506,1506,11586,1506,1506,2946,1506,1506,1506,7266,1506,1506,1506,1506,4386,1506,2946,4253,592,351,1506,8706,18786,1506,2946,1506,1506,5826,1506,1330] analyse: [...158] [ip4][..tcp] [..192.168.2.126][49372] -> [.14.136.136.108][...80] [HTTP.1kxun][Streaming][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.900| 0.119| 0.204] - [IAT(c->s)...: 0.407| 0.900| 0.654| 0.246][IAT(s->c)...: 0.000| 0.372| 0.073| 0.113] - [PKTLEN(c->s): 580.000| 592.000| 584.000| 5.700][PKTLEN(s->c): 351.000|18786.000|3984.800|4268.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.900| 0.119| 0.204|41414.242| 0.000] + [PKTLEN......: 351.000|18786.000| 3665.900| 4182.900|17496908.000| 4.300] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,14] + [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,0,1,1,1] + [IATS........: 205636,2121,1,224803,394,328,1444,193718,403,372,1728,1281,1888,225980,899707,237971,1,2439,199154,468,952,1305,407339,371504,1478,0,0,0,0,0,0,0] + [PKTLENS.....: 580,351,1506,4386,2946,4386,1506,1506,1506,1506,5826,1506,1506,1506,2946,4386,5826,3732,592,351,7266,15906,1506,1506,7266,1506,5826,654,580,351,7801,18786] new: [...163] [ip4][..tcp] [..192.168.2.126][44368] -> [..172.217.18.98][...80] [MIDSTREAM] detected: [...163] [ip4][..tcp] [..192.168.2.126][44368] -> [..172.217.18.98][...80] [HTTP.GoogleServices][Web][Acceptable] new: [...164] [ip4][..tcp] [..192.168.2.126][50140] -> [..161.117.13.29][...80] [MIDSTREAM] 
@@ -670,12 +704,14 @@ new: [...168] [ip4][..tcp] [..192.168.2.126][50176] -> [..161.117.13.29][...80] [MIDSTREAM] detected: [...168] [ip4][..tcp] [..192.168.2.126][50176] -> [..161.117.13.29][...80] [HTTP.1kxun][Streaming][Fun] analyse: [...150] [ip4][..tcp] [..192.168.2.126][45416] -> [..161.117.13.29][...80] [HTTP.1kxun][Streaming][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 6.045| 1.119| 2.029] - [IAT(c->s)...: 0.186| 6.045| 2.305| 2.460][IAT(s->c)...: 0.000| 5.959| 0.742| 1.706] - [PKTLEN(c->s): 500.000|1180.000| 900.200| 214.900][PKTLEN(s->c): 709.000|14466.000|3469.900|3207.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 6.045| 1.119| 2.029|4116996.948| 0.000] + [PKTLEN......: 500.000|14466.000| 2827.500| 2993.900|8963654.000| 4.400] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,1,0,0,7,0,13] + [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,1,0,1,1,1,0,1] + [IATS........: 188503,1,1404,179436,1430,692,418,2433,676,270050,61,644,3892849,3428911,186128,186289,192621,208977,367165,352334,5253796,5339015,3643,6045020,5959115,408,493,194856,189377,0,0,0] + [PKTLENS.....: 500,2946,2946,8706,2946,7266,1506,1506,14466,1506,2946,2946,7266,7266,4092,817,709,819,1525,821,1415,817,1530,1079,2946,1144,1169,1506,1506,1589,1180,1097] new: [...169] [ip4][..tcp] [..192.168.2.126][38326] -> [.172.105.121.82][...80] [MIDSTREAM] detected: [...169] [ip4][..tcp] [..192.168.2.126][38326] -> [.172.105.121.82][...80] [HTTP.1kxun][Streaming][Fun] new: [...170] [ip4][..tcp] [..192.168.2.126][38314] -> [.172.105.121.82][...80] [MIDSTREAM] 
@@ -683,19 +719,23 @@ new: [...171] [ip4][..tcp] [..192.168.2.126][38316] -> [.172.105.121.82][...80] [MIDSTREAM] detected: [...171] [ip4][..tcp] [..192.168.2.126][38316] -> [.172.105.121.82][...80] [HTTP.1kxun][Streaming][Fun] analyse: [...141] [ip4][..tcp] [..192.168.2.126][46184] -> [.172.105.121.82][...80] [HTTP.1kxun][Streaming][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 39.120| 3.011| 10.152] - [IAT(c->s)...: 0.393| 39.120| 13.465| 18.142][IAT(s->c)...: 0.000| 38.675| 1.705| 7.710] - [PKTLEN(c->s): 273.000| 278.000| 275.500| 2.500][PKTLEN(s->c): 386.000|23106.000|5905.000|6635.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 39.120| 3.011| 10.152|103072311.280| 0.000] + [PKTLEN......: 273.000|23106.000| 5201.300| 6479.700|41986288.000| 4.100] [BINS(c->s)..: 0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,7,0,16] + [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1] + [IATS........: 353699,3771,104,303718,4300,92,205833,106,880957,368900,1,5053,392939,352227,1591,70,2344,55,1451,285655,2146,39119714,38675191,1,2923,335353,3681,0,0,0,0,0] + [PKTLENS.....: 278,386,1506,1506,10146,2946,2946,23106,1506,1506,1172,273,386,18786,7757,278,387,1506,21666,4386,17346,4386,10146,5826,1506,5159,273,388,1506,11586,2946,2946] analyse: [...170] [ip4][..tcp] [..192.168.2.126][38314] -> [.172.105.121.82][...80] [HTTP.1kxun][Streaming][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.361| 0.129| 0.285] - [IAT(c->s)...: 1.361| 1.361| 1.361| 0.000][IAT(s->c)...: 0.000| 0.401| 0.077| 0.136] - [PKTLEN(c->s): 273.000| 273.000| 273.000| 0.000][PKTLEN(s->c): 388.000|15906.000|6429.300|5274.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.361| 0.129| 0.285|81120.911| 0.000] + [PKTLEN......: 273.000|15906.000| 6044.500| 5319.900|28301384.000| 4.400] 
[BINS(c->s)..: 0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,21] + [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1] + [IATS........: 326102,180,328843,179,2720,177591,469,1313,2855,118,155,777,2306,401346,1361476,293524,1,1093,2137,2758,88,201,2770,309632,1485,0,0,0,0,0,0,0] + [PKTLENS.....: 273,388,1506,1506,2946,7266,1506,8706,2946,15906,1506,1506,4386,13026,8706,2946,1506,15906,13200,273,388,1506,5826,15906,11586,10146,4386,14466,2946,2946,13026,4386] new: [...172] [ip4][..tcp] [..192.168.2.126][59324] -> [.104.117.221.10][...80] [MIDSTREAM] detected: [...172] [ip4][..tcp] [..192.168.2.126][59324] -> [.104.117.221.10][...80] [HTTP][Web][Acceptable] new: [...173] [ip4][..tcp] [..192.168.2.126][56094] -> [....3.72.69.158][...80] [MIDSTREAM] 
@@ -732,20 +772,24 @@ new: [...187] [ip4][..tcp] [..192.168.2.126][36660] -> [...18.64.103.30][...80] [MIDSTREAM] detected: [...187] [ip4][..tcp] [..192.168.2.126][36660] -> [...18.64.103.30][...80] [HTTP.AmazonAWS][Cloud][Acceptable] analyse: [...182] [ip4][..tcp] [..192.168.2.126][35664] -> [.....18.66.2.90][...80] [HTTP.AmazonAWS][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.015| 0.003| 0.003] - [IAT(c->s)...: 0.000| 0.000| 0.000| 0.000][IAT(s->c)...: 0.000| 0.015| 0.003| 0.003] - [PKTLEN(c->s): 249.000| 249.000| 249.000| 0.000][PKTLEN(s->c): 797.000|7206.000|4235.400|1662.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.015| 0.003| 0.003| 10.814| 0.000] + [PKTLEN......: 249.000| 7206.000| 4110.800| 1776.800|3156934.000| 4.800] [BINS(c->s)..: 0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,27] + [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] + [IATS........: 14880,612,571,2499,3579,106,930,2545,9210,1,87,6481,115,1571,2984,1607,79,1540,90,67,2792,6531,3088,2380,1844,2843,73,0,0,0,0,0] + [PKTLENS.....: 249,797,1494,2922,4350,4350,4350,4350,2922,1494,4350,4350,2922,4350,4350,2922,4350,5778,5778,5778,5778,4350,5778,1494,5778,4350,2922,7206,4350,7206,7206,2922] detection-update: [...187] [ip4][..tcp] [..192.168.2.126][36660] -> [...18.64.103.30][...80] [HTTP.AmazonAWS][Cloud][Acceptable] analyse: [...185] [ip4][..tcp] [..192.168.2.126][36640] -> [...18.64.103.30][...80] [HTTP.AmazonAWS][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.021| 0.003| 0.005] - [IAT(c->s)...: 0.000| 0.000| 0.000| 0.000][IAT(s->c)...: 0.000| 0.021| 0.003| 0.005] - [PKTLEN(c->s): 563.000| 563.000| 563.000| 0.000][PKTLEN(s->c): 1494.000|5778.000|3566.900|1641.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.021| 0.003| 
0.005| 24.604| 0.000] + [PKTLEN......: 563.000| 5778.000| 3473.000| 1697.900|2882863.000| 4.800] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,1,21] + [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] + [IATS........: 21003,154,129,3134,1686,3067,15801,2210,2030,2737,73,1485,603,2873,1573,1531,81,114,3525,1587,2816,10499,1437,55,1612,0,0,0,0,0,0,0] + [PKTLENS.....: 563,1494,1494,2922,1494,2922,1494,4350,4350,4350,2922,1494,4350,1494,4350,4350,4350,5778,5778,4350,1494,1494,1494,4350,5778,5778,3214,4202,5590,1538,5778,5778] new: [...188] [ip4][..tcp] [..192.168.2.126][37100] -> [..52.29.177.177][...80] [MIDSTREAM] detected: [...188] [ip4][..tcp] [..192.168.2.126][37100] -> [..52.29.177.177][...80] [HTTP.AmazonAWS][Cloud][Acceptable] new: [...189] [ip4][..tcp] [..192.168.2.126][42554] -> [...35.156.44.13][...80] [MIDSTREAM] diff --git a/test/results/flow-info/443-curl.pcap.out b/test/results/flow-info/443-curl.pcap.out index d491b56a7..98e036b74 100644 --- a/test/results/flow-info/443-curl.pcap.out +++ b/test/results/flow-info/443-curl.pcap.out 
@@ -6,11 +6,13 @@ detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][55523] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][55523] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] analyse: [.....1] [ip4][..tcp] [...192.168.1.13][55523] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.784| 0.063| 0.190] - [IAT(c->s)...: 0.000| 0.784| 0.061| 0.188][IAT(s->c)...: 0.000| 0.784| 0.065| 0.193] - [PKTLEN(c->s): 66.000| 583.000| 119.600| 120.800][PKTLEN(s->c): 66.000|1506.000| 741.700| 666.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.784| 0.063| 0.190|36203.258| 0.000] + [PKTLEN......: 66.000| 1506.000| 411.200| 558.700|312115.000| 3.900] [BINS(c->s)..: 10,4,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,3,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,1,1,0,1,0,1,1,0,1,1,0,1] + [IATS........: 38692,38799,9627,47643,2769,1124,2,41874,4,11797,50900,31,39132,3,742,11,18,78,76,38549,8926,46564,784064,784044,367,123,462,127,121,240,248,0] + [PKTLENS.....: 78,74,66,583,66,1506,1506,197,66,66,192,117,123,66,66,119,122,108,133,104,66,104,66,281,66,1506,1506,66,1506,1062,66,1506] end: [.....1] [ip4][..tcp] [...192.168.1.13][55523] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/443-firefox.pcap.out b/test/results/flow-info/443-firefox.pcap.out index 4bda4c57f..70327cc48 100644 --- a/test/results/flow-info/443-firefox.pcap.out +++ b/test/results/flow-info/443-firefox.pcap.out 
@@ -6,11 +6,13 @@ detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][53096] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][53096] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] analyse: [.....1] [ip4][..tcp] [...192.168.1.13][53096] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.656| 0.130| 0.404] - [IAT(c->s)...: 0.000| 1.656| 0.144| 0.422][IAT(s->c)...: 0.000| 1.656| 0.119| 0.388] - [PKTLEN(c->s): 66.000| 583.000| 136.600| 139.000][PKTLEN(s->c): 66.000|1506.000| 882.200| 650.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.656| 0.130| 0.404|163175.268| 0.000] + [PKTLEN......: 66.000| 1506.000| 532.700| 610.400|372566.000| 4.100] [BINS(c->s)..: 11,0,1,0,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1] + [IATS........: 38504,38612,1822,40006,4099,93,2,42327,4,2052,40671,32,38677,3,193774,83,215,231092,9994,47033,1655690,50,1655693,186,15,177,176,149,321,109,243,0] + [PKTLENS.....: 78,74,66,583,66,1506,1506,140,66,66,151,332,115,66,66,235,312,96,66,96,66,1506,1506,66,1506,1030,66,1506,1506,66,1506,1030] end: [.....1] [ip4][..tcp] [...192.168.1.13][53096] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/443-git.pcap.out b/test/results/flow-info/443-git.pcap.out index b7ad00650..458c142d5 100644 --- a/test/results/flow-info/443-git.pcap.out +++ b/test/results/flow-info/443-git.pcap.out 
@@ -6,11 +6,13 @@ detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][55744] -> [...140.82.114.4][..443] [TLS.Github][Collaborative][Acceptable] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][55744] -> [...140.82.114.4][..443] [TLS.Github][Collaborative][Acceptable] analyse: [.....1] [ip4][..tcp] [...192.168.1.13][55744] -> [...140.82.114.4][..443] [TLS.Github][Collaborative][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.144| 0.033| 0.053] - [IAT(c->s)...: 0.000| 0.143| 0.032| 0.051][IAT(s->c)...: 0.000| 0.144| 0.034| 0.055] - [PKTLEN(c->s): 66.000| 583.000| 116.700| 128.900][PKTLEN(s->c): 74.000|1490.000| 618.300| 554.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.144| 0.033| 0.053| 2832.982| 0.000] + [PKTLEN......: 66.000| 1490.000| 351.800| 464.400|215710.400| 4.000] [BINS(c->s)..: 14,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,3,1,1,0,0,0,0,0,1,0,1,0,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,1,0,0,1,1,0,0,1,1,1,0,0,0,1,0,1,1,0,0,1,1,0] + [IATS........: 110467,110568,6595,119379,41,9,112809,2,11075,123994,112907,571,143502,5,142911,2,6496,2,14,6523,7,6,115,82,1242,13,1267,3,237,2,227,0] + [PKTLENS.....: 78,74,66,583,1490,1490,768,66,66,192,117,66,273,437,140,66,66,100,358,99,66,66,66,164,66,1465,622,66,66,1465,486,66] end: [.....1] [ip4][..tcp] [...192.168.1.13][55744] -> [...140.82.114.4][..443] [TLS.Github][Collaborative][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/443-opvn.pcap.out b/test/results/flow-info/443-opvn.pcap.out index 1561d5f38..0ef035a18 100644 --- a/test/results/flow-info/443-opvn.pcap.out +++ b/test/results/flow-info/443-opvn.pcap.out 
@@ -4,11 +4,13 @@ new: [.....1] [ip4][..tcp] [...192.168.1.84][52973] -> [.192.12.192.103][.1194] detected: [.....1] [ip4][..tcp] [...192.168.1.84][52973] -> [.192.12.192.103][.1194] [OpenVPN][VPN][Acceptable] analyse: [.....1] [ip4][..tcp] [...192.168.1.84][52973] -> [.192.12.192.103][.1194] [OpenVPN][VPN][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.161| 0.158| 0.364] - [IAT(c->s)...: 0.000| 1.161| 0.153| 0.362][IAT(s->c)...: 0.000| 1.123| 0.164| 0.367] - [PKTLEN(c->s): 66.000|1506.000| 269.600| 378.300][PKTLEN(s->c): 66.000|1506.000| 279.600| 438.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.161| 0.158| 0.364|132701.856| 0.000] + [PKTLEN......: 66.000| 1506.000| 274.300| 407.400|166005.600| 4.000] [BINS(c->s)..: 7,5,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 8,3,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,0,0,1,1,0,1,0,0,1,0,0,1,0,1,1] + [IATS........: 21611,21701,1053819,1075076,968,22235,339,57386,57093,21241,11768,32975,174,239,20560,20491,9065,4,19997,11251,22162,19953,19952,207,21422,21230,137,58577,1160659,1122501,1313,0] + [PKTLENS.....: 78,74,66,110,66,122,66,118,66,387,66,1236,66,1506,118,69,118,1506,863,66,118,66,173,66,619,382,66,118,66,152,66,118] end: [.....1] [ip4][..tcp] [...192.168.1.84][52973] -> [.192.12.192.103][.1194] [OpenVPN][VPN][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/443-safari.pcap.out b/test/results/flow-info/443-safari.pcap.out index bb2abd53f..393c5e8f4 100644 --- a/test/results/flow-info/443-safari.pcap.out +++ b/test/results/flow-info/443-safari.pcap.out 
@@ -6,11 +6,13 @@ detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][53031] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][53031] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] analyse: [.....1] [ip4][..tcp] [...192.168.1.13][53031] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.696| 0.070| 0.175] - [IAT(c->s)...: 0.000| 0.696| 0.068| 0.171][IAT(s->c)...: 0.000| 0.696| 0.073| 0.179] - [PKTLEN(c->s): 66.000| 394.000| 113.600| 89.600][PKTLEN(s->c): 66.000|1506.000| 721.700| 680.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.696| 0.070| 0.175|30530.335| 0.000] + [PKTLEN......: 66.000| 1506.000| 398.700| 559.600|313139.800| 3.900] [BINS(c->s)..: 11,3,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1] + [IATS........: 38199,38303,1123,39767,4074,97,2,42774,4,225660,264285,31,38670,4,1586,32,19,43,88,40010,28,9938,48247,695603,124,695650,120,128,123,103,125,0] + [PKTLENS.....: 78,74,66,299,66,1506,1506,168,66,66,151,109,115,66,66,111,108,100,394,96,66,66,96,66,1506,1506,66,1506,66,1030,66,1506] idle: [.....1] [ip4][..tcp] [...192.168.1.13][53031] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/6in4tunnel.pcap.out b/test/results/flow-info/6in4tunnel.pcap.out index 0cde2a076..dbb03f3fc 100644 --- a/test/results/flow-info/6in4tunnel.pcap.out +++ b/test/results/flow-info/6in4tunnel.pcap.out 
@@ -3,12 +3,14 @@ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....1] [ip4][...41] [....174.3.73.24] -> [.184.105.255.26] analyse: [.....1] [ip4][...41] [....174.3.73.24] -> [.184.105.255.26] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.005| 0.495| 0.455] - [IAT(c->s)...: 0.000| 1.002| 0.452| 0.445][IAT(s->c)...: 0.000| 1.005| 0.548| 0.461] - [PKTLEN(c->s): 106.000| 310.000| 152.200| 53.200][PKTLEN(s->c): 106.000|1911.000| 376.600| 550.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.005| 0.495| 0.455|206990.442| 0.000] + [PKTLEN......: 106.000| 1911.000| 250.400| 383.000|146712.700| 4.200] [BINS(c->s)..: 0,0,4,11,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,2,8,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1] + [DIRECTIONS..: 0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,1,0,1,0,0,1,1,1,0,0,0,0] + [IATS........: 104776,780142,221063,1000457,1001744,1001146,1001712,1005120,1001052,1000771,1001064,1001072,1001370,999940,1001888,1003131,365420,1118,348987,4072,96728,99146,95730,758,97863,1021,105,98080,140,8789,539,0] + [PKTLENS.....: 138,138,200,138,138,138,138,138,138,138,138,138,138,138,138,138,138,133,133,273,261,114,114,106,310,106,1504,1911,106,106,268,159] not-detected: [.....1] [ip4][...41] [....174.3.73.24] -> [.184.105.255.26] [Unknown][Unrated] idle: [.....1] [ip4][...41] [....174.3.73.24] -> [.184.105.255.26] [Unknown][Unrated] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out b/test/results/flow-info/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out index 967dfa895..8a91118ca 100644 --- a/test/results/flow-info/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out +++ b/test/results/flow-info/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out 
@@ -10,29 +10,35 @@ new: [.....4] [ip4][..udp] [138.132.169.101][.5060] -> [192.168.100.219][.5060] detected: [.....4] [ip4][..udp] [138.132.169.101][.5060] -> [192.168.100.219][.5060] [SIP][VoIP][Acceptable] analyse: [.....1] [ip4][..udp] [....10.35.40.22][.2944] -> [.....10.23.1.42][.2944] [Megaco][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 4.370| 1.692| 2.031] - [IAT(c->s)...: 0.000| 4.370| 1.748| 2.040][IAT(s->c)...: 0.000| 4.370| 1.639| 2.022] - [PKTLEN(c->s): 87.000| 376.000| 105.800| 69.800][PKTLEN(s->c): 101.000| 414.000| 231.900| 82.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 4.370| 1.692| 2.031|4125948.903| 0.000] + [PKTLEN......: 87.000| 414.000| 168.800| 98.900| 9786.300| 4.800] [BINS(c->s)..: 0,15,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,1,0,7,0,0,0,7,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,1,0,0,1,1,0,0,1,1] + [IATS........: 147,2580,146,4369720,177,4369379,142,4370170,85,4370186,150,4369866,79,4370149,291,4370036,88,4369436,150,3508424,3524296,204367,192966,657514,15,652477,151,4369658,82,4370196,609,0] + [PKTLENS.....: 87,87,292,164,87,87,292,164,87,87,292,164,87,87,292,164,87,87,292,164,376,414,94,101,88,88,293,165,88,88,293,165] new: [.....5] [ip4][..udp] [...10.35.60.100][15580] -> [.....10.23.1.52][16756] detected: [.....5] [ip4][..udp] [...10.35.60.100][15580] -> [.....10.23.1.52][16756] [RTP][Media][Acceptable] analyse: [.....5] [ip4][..udp] [...10.35.60.100][15580] -> [.....10.23.1.52][16756] [RTP][Media][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.001| 0.040| 0.020| 0.005] - [IAT(c->s)...: 0.001| 0.040| 0.020| 0.005][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 214.000| 214.000| 214.000| 0.000][PKTLEN(s->c): 0.000| 0.000| 0.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.001| 
0.040| 0.020| 0.005| 23.656| 0.000] + [PKTLEN......: 214.000| 214.000| 214.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 20823,19142,39530,1438,19970,20000,19294,20526,19616,19873,20995,20283,18519,20415,19722,19948,20367,20228,19700,20355,19296,20527,20111,20020,19630,19979,19869,20276,20190,19810,19964,0] + [PKTLENS.....: 214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214] update: [.....1] [ip4][..udp] [....10.35.40.22][.2944] -> [.....10.23.1.42][.2944] [Megaco][VoIP][Acceptable] analyse: [.....3] [ip4][..udp] [....10.35.40.25][.5060] -> [...10.35.40.200][.5060] [SIP][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 27.628| 2.809| 6.896] - [IAT(c->s)...: 0.000| 27.628| 2.903| 7.003][IAT(s->c)...: 0.000| 27.585| 2.721| 6.792] - [PKTLEN(c->s): 425.000| 923.000| 658.800| 215.100][PKTLEN(s->c): 304.000| 894.000| 551.900| 194.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 27.628| 2.809| 6.896|47549159.309| 0.000] + [PKTLEN......: 304.000| 923.000| 605.300| 211.900|44888.200| 4.900] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,2,4,2,0,0,0,0,0,0,0,0,0,2,0,2,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,2,0,2,0,0,4,2,0,2,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,1,1,1,1,1,0,0,1,1,0,0,0,0,1,1,0,0,1,1,0,0,1,1,1,1,0,0,0,0] + [IATS........: 1429,5975,263,162733,421,6673080,696,6843298,378,2041486,761,2040704,344,12449,653,131771,424,27628387,388,27585469,481,6913792,703,6841323,326,83992,388,88136,409,19767,961,0] + [PKTLENS.....: 
919,919,304,304,488,488,825,825,452,452,894,894,425,425,793,793,493,493,460,460,572,572,846,846,364,364,475,475,452,452,923,923] update: [.....4] [ip4][..udp] [138.132.169.101][.5060] -> [192.168.100.219][.5060] [SIP][VoIP][Acceptable] update: [.....2] [ip4][..udp] [....10.35.60.72][.5060] -> [...10.35.60.100][.5060] [SIP][VoIP][Acceptable] update: [.....3] [ip4][..udp] [....10.35.40.25][.5060] -> [...10.35.40.200][.5060] [SIP][VoIP][Acceptable] diff --git a/test/results/flow-info/KakaoTalk_chat.pcap.out b/test/results/flow-info/KakaoTalk_chat.pcap.out index 90c8731eb..5edf2c461 100644 --- a/test/results/flow-info/KakaoTalk_chat.pcap.out +++ b/test/results/flow-info/KakaoTalk_chat.pcap.out 
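Review bot: The new expected output pins a PKTLEN entropy of `5.000` for the RTP flow (flow 5, `10.35.60.100:15580 -> 10.23.1.52:16756`) whose `PKTLENS` are thirty-two identical `214` values with `stddev 0.000`; a Shannon entropy over a constant sequence should be 0, and 5.000 happens to be log2(32), so the value looks like each packet is being treated as its own equiprobable symbol rather than counting value frequencies. The same pattern appears in the KakaoTalk RTP flows (almost all `99`, entropy `5.000`), and the IAT entropy column is `0.000` in every analyse event in this diff, which suggests the IAT path is computed differently or not at all. Since these files fix the expected results, I would verify the entropy implementation (outside this diff) before committing them; for the all-214 flow I would expect `[PKTLEN......: 214.000| 214.000| 214.000| 0.000| 0.000| 0.000]`. Separately, the per-packet `IATS` list appears to be in microseconds (`4369720` pairs with the summary max `4.370`) while the `IAT` summary is in seconds, and the last `IATS` entry is always `0` (31 intervals for 32 packets); a note on that in the event documentation would spare consumers from treating the trailing zero as a real interval.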
@@ -103,12 +103,14 @@ detected: [....30] [ip4][..tcp] [...10.24.82.188][58927] -> [.54.255.253.199][.5223] [TLS.AmazonAWS][Cloud][Acceptable] RISK: Known Proto on Non Std Port analyse: [....26] [ip4][..tcp] [...10.24.82.188][43581] -> [....31.13.68.70][..443] [TLS.Facebook][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.174| 0.038| 0.043] - [IAT(c->s)...: 0.000| 0.124| 0.033| 0.039][IAT(s->c)...: 0.001| 0.174| 0.042| 0.047] - [PKTLEN(c->s): 56.000|1053.000| 212.800| 311.300][PKTLEN(s->c): 56.000|1336.000| 331.300| 442.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.174| 0.038| 0.043| 1891.518| 0.000] + [PKTLEN......: 56.000| 1336.000| 272.100| 386.900|149674.200| 3.900] [BINS(c->s)..: 10,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,3,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,1,1,0,0,0,1,1,1,1,0,0,0,0,0,0,1,0,1,0,1,1,1] + [IATS........: 36956,40344,305,47699,3998,72083,702,123993,153,15869,671,16632,152,12207,67230,35950,15778,732,105866,38147,60424,4517,92,3936,174316,67658,16785,16968,108490,672,81115,0] + [PKTLENS.....: 76,60,56,621,60,56,1336,174,56,56,1336,949,56,56,1053,56,314,113,101,56,56,109,846,103,93,101,56,477,56,56,56,56] new: [....31] [ip4][..tcp] [...10.24.82.188][42332] -> [.210.103.240.15][..443] [MIDSTREAM] new: [....32] [ip4][..tcp] [...10.24.82.188][37557] -> [....31.13.68.84][...80] detected: [....32] [ip4][..tcp] [...10.24.82.188][37557] -> [....31.13.68.84][...80] [HTTP.Facebook][SocialNetwork][Fun] 
@@ -116,12 +118,14 @@ detected: [....33] [ip4][..tcp] [...10.24.82.188][45213] -> [....31.13.68.84][..443] [TLS.Facebook][SocialNetwork][Fun] RISK: Obsolete TLS (v1.1 or older) analyse: [....15] [ip4][..tcp] [...10.24.82.188][35503] -> [...173.252.97.2][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.004| 3.803| 0.501| 0.832] - [IAT(c->s)...: 0.004| 3.803| 0.567| 0.983][IAT(s->c)...: 0.004| 2.320| 0.421| 0.590] - [PKTLEN(c->s): 56.000| 710.000| 152.100| 160.300][PKTLEN(s->c): 56.000|1336.000| 318.700| 484.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.004| 3.803| 0.501| 0.832|692202.045| 0.000] + [PKTLEN......: 56.000| 1336.000| 225.000| 352.300|124085.100| 3.900] [BINS(c->s)..: 11,0,1,1,1,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,0,1,0,1,0,1,1,0,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,0,0] + [IATS........: 995911,1037903,49316,6684,695526,683563,56000,2329864,2320373,251618,299011,4547,4395,4089,3723,105469,239411,242157,376495,82611,125763,244537,287323,18128,164581,238983,428131,146027,274079,3802978,24719,0] + [PKTLENS.....: 76,76,60,56,240,60,56,60,240,56,1336,56,1336,56,1043,56,178,56,103,56,710,56,85,56,358,56,99,56,196,56,83,132] detection-update: [....15] [ip4][..tcp] [...10.24.82.188][35503] -> [...173.252.97.2][..443] [TLS.Facebook][SocialNetwork][Fun] RISK: Obsolete TLS (v1.1 or older) new: [....34] [ip4][..tcp] [...10.24.82.188][35511] -> [...173.252.97.2][..443] 
@@ -142,12 +146,14 @@ new: [....37] [ip4][..tcp] [...10.24.82.188][49217] -> [.216.58.220.174][..443] [MIDSTREAM] detected: [....37] [ip4][..tcp] [...10.24.82.188][49217] -> [.216.58.220.174][..443] [TLS.Google][Web][Acceptable] analyse: [....34] [ip4][..tcp] [...10.24.82.188][35511] -> [...173.252.97.2][..443] [TLS.Facebook][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 27.031| 1.853| 6.601] - [IAT(c->s)...: 0.000| 26.938| 1.913| 6.690][IAT(s->c)...: 0.000| 27.031| 1.796| 6.517] - [PKTLEN(c->s): 56.000| 578.000| 142.400| 138.700][PKTLEN(s->c): 56.000|1336.000| 287.100| 461.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 27.031| 1.853| 6.601|43576507.498| 0.000] + [PKTLEN......: 56.000| 1336.000| 214.800| 348.100|121165.000| 3.900] [BINS(c->s)..: 10,0,1,1,1,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 11,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,1,1,0,0,1,1,0,0,0,1,1,1,0,1,0,0,0,1,1] + [IATS........: 41748,45806,2228,39459,11261,448395,183,2868,498749,183,122,36927,124176,229920,321990,23011,161804,229858,405273,183,57404,108246,75989,156006,245086,67993,69489,26937805,56885,27030701,8087,0] + [PKTLENS.....: 76,60,56,240,60,56,1336,1336,1043,56,56,56,178,56,103,56,578,56,85,56,215,328,56,56,94,56,85,56,83,132,56,56] update: [....19] [ip4][.icmp] [...10.24.82.188] -> [...10.188.191.1] [ICMP][Network][Acceptable] new: [....38] [ip4][..tcp] [...10.24.82.188][58964] -> [.54.255.253.199][.5223] detected: [....38] [ip4][..tcp] [...10.24.82.188][58964] -> [.54.255.253.199][.5223] [TLS.AmazonAWS][Cloud][Acceptable] diff --git a/test/results/flow-info/KakaoTalk_talk.pcap.out b/test/results/flow-info/KakaoTalk_talk.pcap.out index 49f336b08..796393a8e 100644 --- a/test/results/flow-info/KakaoTalk_talk.pcap.out +++ b/test/results/flow-info/KakaoTalk_talk.pcap.out 
@@ -33,37 +33,45 @@ new: [....13] [ip4][..udp] [...10.24.82.188][10268] -> [....1.201.1.174][23046] detected: [....13] [ip4][..udp] [...10.24.82.188][10268] -> [....1.201.1.174][23046] [RTP][Media][Acceptable] analyse: [....12] [ip4][..udp] [...10.24.82.188][11320] -> [....1.201.1.174][23044] [RTP][Media][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.389| 0.067| 0.073] - [IAT(c->s)...: 0.000| 0.104| 0.052| 0.049][IAT(s->c)...: 0.016| 0.389| 0.090| 0.095] - [PKTLEN(c->s): 99.000| 100.000| 99.100| 0.200][PKTLEN(s->c): 99.000| 192.000| 110.100| 25.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.389| 0.067| 0.073| 5302.569| 0.000] + [PKTLEN......: 99.000| 192.000| 103.200| 16.700| 278.800| 5.000] [BINS(c->s)..: 0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,9,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1] + [IATS........: 2106,92,91278,244,98327,122,103547,389008,99365,152,41687,34149,94086,1190,99945,98542,31952,72327,100128,1037,27862,87799,99732,30,76142,16052,99243,84228,99884,1099,113099,0] + [PKTLENS.....: 100,99,99,99,99,99,99,99,123,99,99,192,115,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99] analyse: [....13] [ip4][..udp] [...10.24.82.188][10268] -> [....1.201.1.174][23046] [RTP][Media][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.004| 0.144| 0.063| 0.038] - [IAT(c->s)...: 0.032| 0.102| 0.057| 0.022][IAT(s->c)...: 0.004| 0.144| 0.071| 0.050] - [PKTLEN(c->s): 99.000| 192.000| 112.400| 26.300][PKTLEN(s->c): 99.000| 99.000| 99.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.004| 0.144| 0.063| 0.038| 1440.325| 0.000] + [PKTLEN......: 99.000| 192.000| 106.600| 20.800| 434.500| 5.000] [BINS(c->s)..: 
0,13,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0,1,1,0,0,1,0,0,1,1,0,0,0,1] + [IATS........: 36072,39245,140350,102021,35217,98114,7904,55847,41962,93445,6775,89905,91767,48217,40192,100067,12024,81512,89386,6988,84107,40741,87677,54901,38818,107880,4181,87555,68482,32257,143921,0] + [PKTLENS.....: 123,192,115,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,166,141,99] new: [....14] [ip4][..tcp] [...10.24.82.188][49217] -> [.216.58.220.174][..443] [MIDSTREAM] detected: [....14] [ip4][..tcp] [...10.24.82.188][49217] -> [.216.58.220.174][..443] [TLS.Google][Web][Acceptable] new: [....15] [ip4][..tcp] [..173.252.122.1][..443] -> [...10.24.82.188][52123] [MIDSTREAM] new: [....16] [ip4][..tcp] [...10.24.82.188][53974] -> [203.205.151.233][.8080] [MIDSTREAM] analyse: [.....6] [ip4][..tcp] [...10.24.82.188][32968] -> [..110.76.143.50][.8080] [TLS.KakaoTalk][Chat][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.002| 20.337| 1.801| 4.155] - [IAT(c->s)...: 0.002| 20.337| 2.259| 5.063][IAT(s->c)...: 0.005| 8.676| 1.245| 2.556] - [PKTLEN(c->s): 68.000| 814.000| 204.700| 177.400][PKTLEN(s->c): 68.000| 920.000| 288.900| 276.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.002| 20.337| 1.801| 4.155|17264411.673| 0.000] + [PKTLEN......: 68.000| 920.000| 241.500| 230.000|52885.800| 4.500] [BINS(c->s)..: 8,0,0,0,1,7,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,0,0,1,0,1,0,2,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,0,0,1,1,0,0] + [IATS........: 
141571,151855,11750,244934,5676,231720,5279,268921,267944,260468,295685,6066894,6069489,2289,183686,177368,76049,36560,148072,8359650,8675995,4516,469818,147369,147094,2564,694885,724152,479767,20336762,1138366,0] + [PKTLENS.....: 76,76,68,210,68,920,68,394,302,814,574,68,782,68,238,366,68,68,238,68,254,68,238,68,366,68,238,238,68,80,254,254] analyse: [.....8] [ip4][..tcp] [...10.24.82.188][58857] -> [..110.76.143.50][.9001] [TLS.KakaoTalk][Chat][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 21.237| 2.444| 5.342] - [IAT(c->s)...: 0.000| 20.472| 2.198| 5.070][IAT(s->c)...: 0.000| 21.237| 2.744| 5.641] - [PKTLEN(c->s): 68.000| 862.000| 226.300| 229.600][PKTLEN(s->c): 68.000| 920.000| 319.400| 299.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 21.237| 2.444| 5.342|28541506.814| 0.000] + [PKTLEN......: 68.000| 920.000| 267.100| 266.400|70953.500| 4.400] [BINS(c->s)..: 9,0,0,0,1,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,0,0,0,0,1,0,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,0,1,0,1,0,0,1,1,0,0,0,1,1,0,0,1,0,1,0,1] + [IATS........: 148041,148315,14374,196289,3692,185608,22217,228394,215698,291656,316833,4536377,4872620,301514,147949,147858,122284,336243,8596588,8810699,73731,557586,700867,602508,20472016,917846,21237091,519257,336,183,1054260,0] + [PKTLENS.....: 76,76,68,210,68,920,68,394,302,766,734,68,862,846,68,366,68,238,68,366,68,238,238,68,80,254,254,430,68,68,68,80] new: [....17] [ip4][..tcp] [173.194.117.229][..443] -> [...10.24.82.188][38380] [MIDSTREAM] new: [....18] [ip4][..tcp] [.173.252.88.128][..443] -> [...10.24.82.188][59912] [MIDSTREAM] new: [....19] [ip4][..tcp] [...10.24.82.188][59954] -> [.173.252.88.128][..443] diff --git a/test/results/flow-info/Oscar.pcap.out b/test/results/flow-info/Oscar.pcap.out index 0479fe44d..aa00754b2 100644 
--- a/test/results/flow-info/Oscar.pcap.out +++ b/test/results/flow-info/Oscar.pcap.out @@ -3,12 +3,14 @@ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....1] [ip4][..tcp] [.....10.30.29.3][63357] -> [.178.237.24.249][..443] analyse: [.....1] [ip4][..tcp] [.....10.30.29.3][63357] -> [.178.237.24.249][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 58.215| 3.883| 14.268] - [IAT(c->s)...: 0.000| 58.176| 3.357| 13.300][IAT(s->c)...: 0.000| 58.215| 4.612| 15.479] - [PKTLEN(c->s): 54.000| 369.000| 115.200| 97.600][PKTLEN(s->c): 60.000|1414.000| 290.700| 372.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 58.215| 3.883| 14.268|203566836.875| 0.000] + [PKTLEN......: 54.000| 1414.000| 186.500| 263.300|69345.600| 4.200] [BINS(c->s)..: 11,4,0,1,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,1,0,0,0,0,1,0,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0] + [IATS........: 28653,28776,8916,42424,33521,518,478,147,33511,33418,288,33636,843,34123,226,44565,44326,32783,32790,157,115,322,31348,31096,58175544,58215154,3,39626,1457397,1490083,502580,0] + [PKTLENS.....: 78,60,54,369,64,54,619,54,106,144,54,70,1414,351,54,80,60,166,511,54,284,54,266,60,349,90,60,92,54,92,60,90] guessed: [.....1] [ip4][..tcp] [.....10.30.29.3][63357] -> [.178.237.24.249][..443] [TLS][Web][Safe] detected: [.....1] [ip4][..tcp] [.....10.30.29.3][63357] -> [.178.237.24.249][..443] [TLS][Web][Safe] idle: [.....1] [ip4][..tcp] [.....10.30.29.3][63357] -> [.178.237.24.249][..443] [TLS][Web][Safe] diff --git a/test/results/flow-info/WebattackXSS.pcap.out b/test/results/flow-info/WebattackXSS.pcap.out index 1649e16f3..85f12758b 100644 --- a/test/results/flow-info/WebattackXSS.pcap.out +++ b/test/results/flow-info/WebattackXSS.pcap.out 
@@ -14,12 +14,14 @@ new: [.....7] [ip4][..tcp] [.....172.16.0.1][52220] -> [..192.168.10.50][...80] new: [.....8] [ip4][..tcp] [.....172.16.0.1][52222] -> [..192.168.10.50][...80] analyse: [.....5] [ip4][..tcp] [.....172.16.0.1][52200] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 2.805| 0.259| 0.699] - [IAT(c->s)...: 0.000| 2.804| 0.212| 0.639][IAT(s->c)...: 0.000| 2.805| 0.335| 0.779] - [PKTLEN(c->s): 66.000| 625.000| 215.000| 187.800][PKTLEN(s->c): 66.000|7992.000|1204.400|2089.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 2.805| 0.259| 0.699|488344.093| 0.000] + [PKTLEN......: 66.000| 7992.000| 586.000| 1374.100|1888110.100| 3.500] [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,2,2,2,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,1] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,0,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1] + [IATS........: 124,911,4,880,1546,2266,23623,26506,34185,32207,1143,1040,156,926,221,412,39847,69861,111250,1094,61600,62698,1083,842694,846614,3833,131682,132698,1100,2804194,2805230,0] + [PKTLENS.....: 74,74,66,375,66,578,66,408,1198,431,807,454,1514,7992,66,66,66,66,377,571,66,407,571,66,625,429,66,423,587,66,66,66] new: [.....9] [ip4][..tcp] [.....172.16.0.1][52298] -> [..192.168.10.50][...80] detected: [.....9] [ip4][..tcp] [.....172.16.0.1][52298] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] RISK: HTTP Numeric IP Address 
@@ -27,12 +29,14 @@ new: [....11] [ip4][..tcp] [.....172.16.0.1][52318] -> [..192.168.10.50][...80] new: [....12] [ip4][..tcp] [.....172.16.0.1][52320] -> [..192.168.10.50][...80] analyse: [.....9] [ip4][..tcp] [.....172.16.0.1][52298] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.856| 0.080| 0.207] - [IAT(c->s)...: 0.000| 0.852| 0.065| 0.188][IAT(s->c)...: 0.000| 0.856| 0.103| 0.231] - [PKTLEN(c->s): 66.000| 625.000| 216.300| 189.300][PKTLEN(s->c): 66.000|4410.000|1311.500|1460.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.856| 0.080| 0.207|42651.251| 0.000] + [PKTLEN......: 66.000| 4410.000| 627.000| 1050.300|1103191.500| 3.800] [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,2,2,2,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,1,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,3] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,1,1,0,0,0,0,1,0,0,1,0,0,1,0,0,1,0] + [IATS........: 152,921,4,863,1492,2144,20680,25919,42487,6012,44423,1321,232,1259,67,51,1208,273,437,68644,70522,37847,60433,98253,1091,851698,856251,4579,109710,139259,29522,0] + [PKTLENS.....: 74,74,66,375,66,578,66,408,1200,66,431,807,66,454,4410,4410,752,66,66,66,377,571,66,407,571,66,625,429,66,449,1870,66] detected: [....10] [ip4][..tcp] [.....172.16.0.1][52300] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] RISK: HTTP Numeric IP Address detected: [....11] [ip4][..tcp] [.....172.16.0.1][52318] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] 
@@ -74,12 +78,14 @@ new: [....45] [ip4][..tcp] [.....172.16.0.1][52978] -> [..192.168.10.50][...80] new: [....46] [ip4][..tcp] [.....172.16.0.1][53004] -> [..192.168.10.50][...80] analyse: [....41] [ip4][..tcp] [.....172.16.0.1][52910] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 3.809| 0.610| 0.941] - [IAT(c->s)...: 0.001| 3.808| 0.498| 0.866][IAT(s->c)...: 0.000| 3.809| 0.814| 1.032] - [PKTLEN(c->s): 66.000| 651.000| 296.900| 251.200][PKTLEN(s->c): 66.000|1935.000|1559.300| 703.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 3.809| 0.610| 0.941|885441.823| 0.000] + [PKTLEN......: 66.000| 1935.000| 730.800| 755.700|571022.800| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] + [IATS........: 97,845,3808060,3808906,3088,3867,1010444,1014181,3805,246952,250608,3613,1037920,1041646,3765,265406,269174,3736,1020088,1024520,4409,240929,244611,3693,1033112,1036761,3674,252788,256472,3667,1006191,0] + [PKTLENS.....: 74,74,66,651,66,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1932,66,449] new: [....47] [ip4][..tcp] [.....172.16.0.1][53018] -> [..192.168.10.50][...80] new: [....48] [ip4][..tcp] [.....172.16.0.1][53032] -> [..192.168.10.50][...80] new: [....49] [ip4][..tcp] [.....172.16.0.1][53058] -> [..192.168.10.50][...80] 
@@ -137,12 +143,14 @@ new: [....83] [ip4][..tcp] [.....172.16.0.1][53678] -> [..192.168.10.50][...80] new: [....84] [ip4][..tcp] [.....172.16.0.1][53692] -> [..192.168.10.50][...80] analyse: [....78] [ip4][..tcp] [.....172.16.0.1][53584] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 4.899| 0.653| 1.186] - [IAT(c->s)...: 0.001| 4.898| 0.513| 1.076][IAT(s->c)...: 0.000| 4.899| 0.909| 1.326] - [PKTLEN(c->s): 66.000| 651.000| 296.900| 251.200][PKTLEN(s->c): 66.000|1934.000|1550.300| 699.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 4.899| 0.653| 1.186|1406566.662| 0.000] + [PKTLEN......: 66.000| 1934.000| 727.700| 750.900|563862.600| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] + [IATS........: 127,684,4897818,4898512,8582,9379,243178,246717,3562,1041173,1044833,3840,241167,245261,3969,1005489,1009493,3958,240995,244588,3615,1008862,1012541,3693,268328,273700,5337,1005565,1009604,4099,266047,0] + [PKTLENS.....: 74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651] end: [....10] [ip4][..tcp] [.....172.16.0.1][52300] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] RISK: HTTP Numeric IP Address end: [....11] [ip4][..tcp] [.....172.16.0.1][52318] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] 
@@ -259,12 +267,14 @@ end: [....48] [ip4][..tcp] [.....172.16.0.1][53032] -> [..192.168.10.50][...80] new: [...119] [ip4][..tcp] [.....172.16.0.1][54362] -> [..192.168.10.50][...80] analyse: [...114] [ip4][..tcp] [.....172.16.0.1][54268] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 3.827| 0.609| 0.943] - [IAT(c->s)...: 0.001| 3.826| 0.497| 0.869][IAT(s->c)...: 0.000| 3.827| 0.811| 1.036] - [PKTLEN(c->s): 66.000| 651.000| 296.900| 251.200][PKTLEN(s->c): 66.000|1935.000|1559.200| 703.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 3.827| 0.609| 0.943|889903.972| 0.000] + [PKTLEN......: 66.000| 1935.000| 730.800| 755.600|570947.800| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] + [IATS........: 107,901,3826349,3827235,3096,3895,1023011,1026934,3928,268230,273681,5427,1005208,1009216,4030,256246,259862,3614,1006897,1010591,3696,250084,253817,3763,1011263,1016096,4808,241019,244651,3645,1020517,0] + [PKTLENS.....: 74,74,66,651,66,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1933,66,449,1836,66,651,1931,66,449] new: [...120] [ip4][..tcp] [.....172.16.0.1][54376] -> [..192.168.10.50][...80] new: [...121] [ip4][..tcp] [.....172.16.0.1][54390] -> [..192.168.10.50][...80] new: [...122] [ip4][..tcp] [.....172.16.0.1][54416] -> [..192.168.10.50][...80] 
@@ -376,12 +386,14 @@ new: [...156] [ip4][..tcp] [.....172.16.0.1][55024] -> [..192.168.10.50][...80] new: [...157] [ip4][..tcp] [.....172.16.0.1][55038] -> [..192.168.10.50][...80] analyse: [...152] [ip4][..tcp] [.....172.16.0.1][54956] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 3.643| 0.568| 0.904] - [IAT(c->s)...: 0.001| 3.642| 0.446| 0.827][IAT(s->c)...: 0.000| 3.643| 0.788| 0.991] - [PKTLEN(c->s): 66.000| 651.000| 296.900| 251.200][PKTLEN(s->c): 66.000|1935.000|1550.100| 699.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 3.643| 0.568| 0.904|816455.025| 0.000] + [PKTLEN......: 66.000| 1935.000| 727.700| 750.800|563712.500| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] + [IATS........: 95,698,3641887,3642588,3124,4095,234104,238457,4183,1006077,1010963,4878,233120,236850,3778,1005601,1010652,5027,236201,239833,3605,1006827,1010500,3683,232616,236267,3614,1034871,1038879,4091,256266,0] + [PKTLENS.....: 74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1929,66,449,1836,66,651,1935,66,449,1836,66,651,1933,66,449,1836,66,651] new: [...158] [ip4][..tcp] [.....172.16.0.1][55064] -> [..192.168.10.50][...80] new: [...159] [ip4][..tcp] [.....172.16.0.1][55078] -> [..192.168.10.50][...80] new: [...160] [ip4][..tcp] [.....172.16.0.1][55092] -> [..192.168.10.50][...80] 
@@ -489,12 +501,14 @@ new: [...194] [ip4][..tcp] [.....172.16.0.1][55700] -> [..192.168.10.50][...80] new: [...195] [ip4][..tcp] [.....172.16.0.1][55726] -> [..192.168.10.50][...80] analyse: [...190] [ip4][..tcp] [.....172.16.0.1][55632] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 3.785| 0.602| 0.936] - [IAT(c->s)...: 0.001| 3.784| 0.492| 0.861][IAT(s->c)...: 0.000| 3.785| 0.802| 1.028] - [PKTLEN(c->s): 66.000| 651.000| 296.900| 251.200][PKTLEN(s->c): 66.000|1935.000|1559.600| 703.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 3.785| 0.602| 0.936|875951.489| 0.000] + [PKTLEN......: 66.000| 1935.000| 730.900| 755.900|571323.500| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] + [IATS........: 124,875,3784070,3784925,3065,3805,1003969,1007602,3694,223699,227380,3680,1007795,1011581,3778,255776,259460,3650,1007868,1011955,4221,230369,234793,4295,1037481,1041928,4473,238345,242041,3668,1009864,0] + [PKTLENS.....: 74,74,66,651,66,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1934,66,449] new: [...196] [ip4][..tcp] [.....172.16.0.1][55740] -> [..192.168.10.50][...80] guessed: [...117] [ip4][..tcp] [.....172.16.0.1][54322] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] end: [...117] [ip4][..tcp] [.....172.16.0.1][54322] -> [..192.168.10.50][...80] 
@@ -619,12 +633,14 @@ guessed: [...158] [ip4][..tcp] [.....172.16.0.1][55064] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] end: [...158] [ip4][..tcp] [.....172.16.0.1][55064] -> [..192.168.10.50][...80] analyse: [...227] [ip4][..tcp] [.....172.16.0.1][56306] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 4.805| 0.635| 1.170] - [IAT(c->s)...: 0.001| 4.805| 0.547| 1.107][IAT(s->c)...: 0.000| 4.805| 0.757| 1.241] - [PKTLEN(c->s): 66.000| 651.000| 290.400| 245.600][PKTLEN(s->c): 66.000|1934.000|1322.200| 716.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 4.805| 0.635| 1.170|1368332.173| 0.000] + [PKTLEN......: 66.000| 1934.000| 709.600| 708.000|501313.900| 4.300] [BINS(c->s)..: 10,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,7] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1,1,0,0,1,0,0,1,0,0,1] + [IATS........: 124,694,4804702,4805402,3052,3844,248597,252202,3707,1022416,1026219,3805,225184,229157,49,3959,1026815,1030902,4151,232536,236200,80,3611,1006031,1010739,4812,233237,236850,3621,1007952,1011661,0] + [PKTLENS.....: 74,74,66,449,66,1837,66,651,1934,66,449,1836,66,651,1514,486,66,449,1836,66,651,1514,486,66,449,1836,66,651,1934,66,449,1836] new: [...233] [ip4][..tcp] [.....172.16.0.1][56414] -> [..192.168.10.50][...80] new: [...234] [ip4][..tcp] [.....172.16.0.1][56428] -> [..192.168.10.50][...80] new: [...235] [ip4][..tcp] [.....172.16.0.1][56454] -> [..192.168.10.50][...80] 
@@ -739,12 +755,14 @@ new: [...270] [ip4][..tcp] [.....172.16.0.1][57076] -> [..192.168.10.50][...80] new: [...271] [ip4][..tcp] [.....172.16.0.1][57090] -> [..192.168.10.50][...80] analyse: [...265] [ip4][..tcp] [.....172.16.0.1][56994] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 3.819| 0.606| 0.944] - [IAT(c->s)...: 0.001| 3.818| 0.495| 0.869][IAT(s->c)...: 0.000| 3.819| 0.808| 1.038] - [PKTLEN(c->s): 66.000| 651.000| 296.900| 251.200][PKTLEN(s->c): 66.000|1934.000|1559.000| 703.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 3.819| 0.606| 0.944|891595.915| 0.000] + [PKTLEN......: 66.000| 1934.000| 730.700| 755.500|570797.200| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] + [IATS........: 126,889,3818133,3818967,2889,3638,1026811,1031184,4412,231903,235642,3751,1006981,1010745,3756,236240,239931,3646,1008869,1012823,4179,228551,232759,4019,1040911,1048342,7412,251595,255221,3632,1017670,0] + [PKTLENS.....: 74,74,66,651,66,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1932,66,449] new: [...272] [ip4][..tcp] [.....172.16.0.1][57116] -> [..192.168.10.50][...80] new: [...273] [ip4][..tcp] [.....172.16.0.1][57130] -> [..192.168.10.50][...80] new: [...274] [ip4][..tcp] [.....172.16.0.1][57144] -> [..192.168.10.50][...80] 
@@ -858,12 +876,14 @@ new: [...308] [ip4][..tcp] [.....172.16.0.1][57752] -> [..192.168.10.50][...80] new: [...309] [ip4][..tcp] [.....172.16.0.1][57778] -> [..192.168.10.50][...80] analyse: [...304] [ip4][..tcp] [.....172.16.0.1][57684] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 3.536| 0.567| 0.877] - [IAT(c->s)...: 0.001| 3.535| 0.445| 0.805][IAT(s->c)...: 0.000| 3.536| 0.788| 0.957] - [PKTLEN(c->s): 66.000| 651.000| 296.900| 251.200][PKTLEN(s->c): 66.000|1934.000|1550.300| 699.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 3.536| 0.567| 0.877|769788.412| 0.000] + [PKTLEN......: 66.000| 1934.000| 727.700| 750.900|563862.600| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] + [IATS........: 126,910,3535287,3536204,3041,3865,353475,357566,4142,1009473,1013529,4051,235924,239646,3697,1007485,1011210,3722,236124,239766,3661,1007627,1011378,3776,240922,244715,3743,1011730,1015517,3791,232129,0] + [PKTLENS.....: 74,74,66,449,66,1837,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651] new: [...310] [ip4][..tcp] [.....172.16.0.1][57792] -> [..192.168.10.50][...80] new: [...311] [ip4][..tcp] [.....172.16.0.1][57806] -> [..192.168.10.50][...80] guessed: [...231] [ip4][..tcp] [.....172.16.0.1][56374] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] 
@@ -991,12 +1011,14 @@ guessed: [...272] [ip4][..tcp] [.....172.16.0.1][57116] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] end: [...272] [ip4][..tcp] [.....172.16.0.1][57116] -> [..192.168.10.50][...80] analyse: [...342] [ip4][..tcp] [.....172.16.0.1][58360] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 3.810| 0.603| 0.941] - [IAT(c->s)...: 0.001| 3.809| 0.492| 0.866][IAT(s->c)...: 0.000| 3.810| 0.804| 1.034] - [PKTLEN(c->s): 66.000| 651.000| 296.900| 251.200][PKTLEN(s->c): 66.000|1935.000|1559.400| 703.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 3.810| 0.603| 0.941|884966.883| 0.000] + [PKTLEN......: 66.000| 1935.000| 730.800| 755.700|571097.900| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] + [IATS........: 124,686,3808906,3809547,3416,4144,1007073,1011285,4302,225901,229521,3769,1021770,1025776,4116,233969,238478,4482,1006263,1010669,4325,238452,243200,4543,1006668,1011166,4498,253524,257102,3581,1008005,0] + [PKTLENS.....: 74,74,66,651,66,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1935,66,449] new: [...348] [ip4][..tcp] [.....172.16.0.1][58468] -> [..192.168.10.50][...80] new: [...349] [ip4][..tcp] [.....172.16.0.1][58482] -> [..192.168.10.50][...80] new: [...350] [ip4][..tcp] [.....172.16.0.1][58496] -> [..192.168.10.50][...80] 
@@ -1110,12 +1132,14 @@ end: [...308] [ip4][..tcp] [.....172.16.0.1][57752] -> [..192.168.10.50][...80] new: [...385] [ip4][..tcp] [.....172.16.0.1][59124] -> [..192.168.10.50][...80] analyse: [...380] [ip4][..tcp] [.....172.16.0.1][59042] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 4.823| 0.637| 1.173] - [IAT(c->s)...: 0.001| 4.822| 0.494| 1.065][IAT(s->c)...: 0.000| 4.823| 0.897| 1.306] - [PKTLEN(c->s): 66.000| 651.000| 269.000| 242.700][PKTLEN(s->c): 66.000|1935.000|1550.600| 699.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 4.823| 0.637| 1.173|1374936.236| 0.000] + [PKTLEN......: 66.000| 1935.000| 709.600| 759.800|577334.100| 4.200] [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0] + [IATS........: 143,1062,4821803,4822860,2874,5990,221999,227886,4985,1013,1004953,1011219,4071,265484,269299,3619,1019861,1023488,4016,238184,242252,4785,1005968,1010668,4015,237942,242400,5048,1010956,1015950,5036,0] + [PKTLENS.....: 74,74,66,449,66,1837,66,651,1935,66,66,449,1836,66,651,1933,66,449,1836,66,651,1935,66,449,1836,66,651,1933,66,449,1836,66] new: [...386] [ip4][..tcp] [.....172.16.0.1][59150] -> [..192.168.10.50][...80] new: [...387] [ip4][..tcp] [.....172.16.0.1][59164] -> [..192.168.10.50][...80] new: [...388] [ip4][..tcp] [.....172.16.0.1][59178] -> [..192.168.10.50][...80] 
@@ -1232,12 +1256,14 @@ new: [...423] [ip4][..tcp] [.....172.16.0.1][59812] -> [..192.168.10.50][...80] new: [...424] [ip4][..tcp] [.....172.16.0.1][59826] -> [..192.168.10.50][...80] analyse: [...419] [ip4][..tcp] [.....172.16.0.1][59732] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 3.767| 0.604| 0.933] - [IAT(c->s)...: 0.001| 3.766| 0.494| 0.860][IAT(s->c)...: 0.000| 3.767| 0.806| 1.024] - [PKTLEN(c->s): 66.000| 651.000| 296.900| 251.200][PKTLEN(s->c): 66.000|1935.000|1559.300| 703.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 3.767| 0.604| 0.933|871184.138| 0.000] + [PKTLEN......: 66.000| 1935.000| 730.800| 755.700|571022.800| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] + [IATS........: 122,677,3766369,3767000,3476,4237,1039907,1045427,5545,227268,230918,3646,1037098,1040865,3812,252859,256647,3763,1024020,1027777,3716,237350,240983,3608,1007832,1011497,3720,234952,238656,3696,1007191,0] + [PKTLENS.....: 74,74,66,651,66,1934,66,449,1836,66,651,1932,66,449,1836,66,651,1935,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449] new: [...425] [ip4][..tcp] [.....172.16.0.1][59852] -> [..192.168.10.50][...80] new: [...426] [ip4][..tcp] [.....172.16.0.1][59866] -> [..192.168.10.50][...80] guessed: [...346] [ip4][..tcp] [.....172.16.0.1][58440] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] 
@@ -1368,12 +1394,14 @@ end: [...389] [ip4][..tcp] [.....172.16.0.1][59192] -> [..192.168.10.50][...80] new: [...463] [ip4][..tcp] [.....172.16.0.1][60558] -> [..192.168.10.50][...80] analyse: [...458] [ip4][..tcp] [.....172.16.0.1][60464] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 3.582| 0.571| 0.887] - [IAT(c->s)...: 0.001| 3.581| 0.449| 0.813][IAT(s->c)...: 0.000| 3.582| 0.793| 0.969] - [PKTLEN(c->s): 66.000| 651.000| 296.900| 251.200][PKTLEN(s->c): 66.000|1934.000|1550.300| 699.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 3.582| 0.571| 0.887|786468.045| 0.000] + [PKTLEN......: 66.000| 1934.000| 727.700| 750.900|563862.700| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] + [IATS........: 130,887,3581223,3582115,3304,4122,271038,275625,4605,1007486,1011252,3777,268863,273004,4125,1007482,1011640,4170,263574,267468,3888,1019754,1023735,4007,253226,261155,7923,1002871,1011773,8903,255870,0] + [PKTLENS.....: 74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1931,66,449,1836,66,651,1934,66,449,1836,66,651] new: [...464] [ip4][..tcp] [.....172.16.0.1][60572] -> [..192.168.10.50][...80] new: [...465] [ip4][..tcp] [.....172.16.0.1][60598] -> [..192.168.10.50][...80] new: [...466] [ip4][..tcp] [.....172.16.0.1][60612] -> [..192.168.10.50][...80] 
@@ -1485,12 +1513,14 @@ new: [...500] [ip4][..tcp] [.....172.16.0.1][32988] -> [..192.168.10.50][...80] new: [...501] [ip4][..tcp] [.....172.16.0.1][33002] -> [..192.168.10.50][...80] analyse: [...495] [ip4][..tcp] [.....172.16.0.1][32906] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 3.862| 0.614| 0.953] - [IAT(c->s)...: 0.001| 3.861| 0.502| 0.878][IAT(s->c)...: 0.000| 3.862| 0.818| 1.046] - [PKTLEN(c->s): 66.000| 651.000| 296.900| 251.200][PKTLEN(s->c): 66.000|1935.000|1559.200| 703.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 3.862| 0.614| 0.953|908128.223| 0.000] + [PKTLEN......: 66.000| 1935.000| 730.800| 755.600|570948.000| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] + [IATS........: 158,871,3861200,3861987,3248,3959,1007386,1010966,3670,256861,260494,3559,1018334,1021980,3614,243418,246972,3620,1033482,1037187,3726,244230,248333,4100,1037495,1041661,4162,261455,265110,3630,1039015,0] + [PKTLENS.....: 74,74,66,651,66,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1930,66,449,1836,66,651,1935,66,449] new: [...502] [ip4][..tcp] [.....172.16.0.1][33028] -> [..192.168.10.50][...80] new: [...503] [ip4][..tcp] [.....172.16.0.1][33042] -> [..192.168.10.50][...80] new: [...504] [ip4][..tcp] [.....172.16.0.1][33068] -> [..192.168.10.50][...80] 
@@ -1606,12 +1636,14 @@ new: [...536] [ip4][..tcp] [.....172.16.0.1][33648] -> [..192.168.10.50][...80] new: [...537] [ip4][..tcp] [.....172.16.0.1][33674] -> [..192.168.10.50][...80] analyse: [...532] [ip4][..tcp] [.....172.16.0.1][33580] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 4.841| 0.651| 1.171] - [IAT(c->s)...: 0.001| 4.840| 0.511| 1.064][IAT(s->c)...: 0.000| 4.841| 0.906| 1.307] - [PKTLEN(c->s): 66.000| 651.000| 296.900| 251.200][PKTLEN(s->c): 66.000|1935.000|1550.500| 699.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 4.841| 0.651| 1.171|1372280.717| 0.000] + [PKTLEN......: 66.000| 1935.000| 727.800| 751.000|564013.300| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] + [IATS........: 126,862,4839753,4840595,3674,4464,263225,266840,3672,1005298,1009118,3796,260614,264369,3758,1024972,1028663,3708,266053,269708,3666,1007636,1011884,4257,260865,265134,4231,1006690,1010841,4181,244813,0] + [PKTLENS.....: 74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1935,66,449,1836,66,651,1932,66,449,1836,66,651,1934,66,449,1836,66,651] new: [...538] [ip4][..tcp] [.....172.16.0.1][33688] -> [..192.168.10.50][...80] new: [...539] [ip4][..tcp] [.....172.16.0.1][33702] -> [..192.168.10.50][...80] guessed: [...463] [ip4][..tcp] [.....172.16.0.1][60558] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] 
@@ -1721,12 +1753,14 @@ new: [...572] [ip4][..tcp] [.....172.16.0.1][34332] -> [..192.168.10.50][...80] new: [...573] [ip4][..tcp] [.....172.16.0.1][34346] -> [..192.168.10.50][...80] analyse: [...569] [ip4][..tcp] [.....172.16.0.1][34278] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 2.588| 0.498| 0.689] - [IAT(c->s)...: 0.000| 2.588| 0.386| 0.640][IAT(s->c)...: 0.000| 2.588| 0.702| 0.726] - [PKTLEN(c->s): 66.000| 651.000| 278.600| 253.400][PKTLEN(s->c): 66.000|1934.000|1558.800| 703.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 2.588| 0.498| 0.689|474371.129| 0.000] + [PKTLEN......: 66.000| 1934.000| 718.700| 762.800|581830.000| 4.200] [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,0,1,0,0,1,0] + [IATS........: 171,739,2587661,2588369,3663,4498,1020517,1024859,4382,244684,248374,3703,1042345,1046980,4607,242309,245980,3660,1031191,1034926,3726,241353,245065,3596,495,1025211,1029311,3750,251257,255524,4221,0] + [PKTLENS.....: 74,74,66,651,66,1932,66,449,1836,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,66,449,1836,66,651,1932,66] guessed: [...498] [ip4][..tcp] [.....172.16.0.1][32960] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] end: [...498] [ip4][..tcp] [.....172.16.0.1][32960] -> [..192.168.10.50][...80] guessed: [...499] [ip4][..tcp] [.....172.16.0.1][32974] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] 
@@ -1853,12 +1887,14 @@ new: [...611] [ip4][..tcp] [.....172.16.0.1][35034] -> [..192.168.10.50][...80] new: [...612] [ip4][..tcp] [.....172.16.0.1][35048] -> [..192.168.10.50][...80] analyse: [...606] [ip4][..tcp] [.....172.16.0.1][34940] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 4.897| 0.655| 1.187] - [IAT(c->s)...: 0.001| 4.896| 0.514| 1.077][IAT(s->c)...: 0.000| 4.897| 0.912| 1.325] - [PKTLEN(c->s): 66.000| 651.000| 296.900| 251.200][PKTLEN(s->c): 66.000|1934.000|1550.500| 699.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 4.897| 0.655| 1.187|1408178.323| 0.000] + [PKTLEN......: 66.000| 1934.000| 727.800| 751.000|564013.200| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] + [IATS........: 168,874,4896388,4897215,3139,3939,250433,254530,4103,1006878,1011034,4128,267330,271177,3882,1007953,1011957,4030,246777,250412,3605,1038702,1042399,3673,241578,245223,3629,1046261,1049943,3750,242035,0] + [PKTLENS.....: 74,74,66,449,66,1837,66,651,1934,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651] new: [...613] [ip4][..tcp] [.....172.16.0.1][35074] -> [..192.168.10.50][...80] new: [...614] [ip4][..tcp] [.....172.16.0.1][35088] -> [..192.168.10.50][...80] new: [...615] [ip4][..tcp] [.....172.16.0.1][35114] -> [..192.168.10.50][...80] 
@@ -1967,12 +2003,14 @@ new: [...648] [ip4][..tcp] [.....172.16.0.1][35696] -> [..192.168.10.50][...80] new: [...649] [ip4][..tcp] [.....172.16.0.1][35722] -> [..192.168.10.50][...80] analyse: [...643] [ip4][..tcp] [.....172.16.0.1][35626] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 3.954| 0.620| 0.972] - [IAT(c->s)...: 0.001| 3.953| 0.506| 0.895][IAT(s->c)...: 0.000| 3.954| 0.826| 1.070] - [PKTLEN(c->s): 66.000| 651.000| 296.900| 251.200][PKTLEN(s->c): 66.000|1934.000|1559.000| 703.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 3.954| 0.620| 0.972|945707.024| 0.000] + [PKTLEN......: 66.000| 1934.000| 730.700| 755.500|570797.200| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] + [IATS........: 124,706,3953188,3953842,3024,3763,1020630,1024309,3710,248238,252345,4156,1041683,1045979,4295,255096,258771,3649,1007135,1010804,3655,252666,256217,3575,1010481,1014239,3761,262869,266680,3784,1039870,0] + [PKTLENS.....: 74,74,66,651,66,1934,66,449,1836,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449] new: [...650] [ip4][..tcp] [.....172.16.0.1][35736] -> [..192.168.10.50][...80] new: [...651] [ip4][..tcp] [.....172.16.0.1][35762] -> [..192.168.10.50][...80] guessed: [...574] [ip4][..tcp] [.....172.16.0.1][34372] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] diff --git a/test/results/flow-info/aimini-http.pcap.out b/test/results/flow-info/aimini-http.pcap.out index 80c3c602d..c86a0a1ac 100644 --- a/test/results/flow-info/aimini-http.pcap.out +++ b/test/results/flow-info/aimini-http.pcap.out 
@@ -6,12 +6,14 @@ new: [.....2] [ip4][..tcp] [.....10.101.0.2][28502] -> [.....10.102.0.2][...80] detected: [.....2] [ip4][..tcp] [.....10.101.0.2][28502] -> [.....10.102.0.2][...80] [HTTP.Aimini][Download][Fun] analyse: [.....1] [ip4][..tcp] [.....10.101.0.2][28501] -> [.....10.102.0.2][...80] [HTTP.Aimini][Download][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.001| 0.000| 0.000] - [IAT(c->s)...: 0.000| 0.001| 0.000| 0.000][IAT(s->c)...: 0.000| 0.001| 0.000| 0.000] - [PKTLEN(c->s): 60.000|1514.000| 352.100| 516.000][PKTLEN(s->c): 62.000|1514.000|1216.700| 558.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.001| 0.000| 0.000| 0.129| 0.000] + [PKTLEN......: 60.000| 1514.000| 838.400| 690.000|476082.300| 4.400] [BINS(c->s)..: 10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0] + [DIRECTIONS..: 0,0,1,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,0,1,1,0,1,1,0,1,1,0,0,0,0,0] + [IATS........: 532,1116,414,1004,27,697,105,894,3,1,2,1,1,2,2,191,11,276,4,1,4,2,1,3,3,78,197,1,99,1148,1,0] + [PKTLENS.....: 62,62,62,62,60,649,60,649,1514,1514,1514,1514,1514,1514,1514,290,1514,1514,60,1514,1514,60,1514,1514,60,1514,290,60,60,60,1514,1514] new: [.....3] [ip4][..tcp] [.....10.101.0.2][28503] -> [.....10.102.0.2][...80] detected: [.....3] [ip4][..tcp] [.....10.101.0.2][28503] -> [.....10.102.0.2][...80] [HTTP.Aimini][Download][Fun] new: [.....4] [ip4][..tcp] [.....10.101.0.2][28504] -> [.....10.102.0.2][...80] diff --git a/test/results/flow-info/alexa-app.pcapng.out b/test/results/flow-info/alexa-app.pcapng.out index b1d0f884b..db6167c71 100644 --- a/test/results/flow-info/alexa-app.pcapng.out +++ b/test/results/flow-info/alexa-app.pcapng.out 
@@ -122,12 +122,14 @@ detection-update: [....38] [ip4][..tcp] [..172.16.42.216][54412] -> [..52.85.209.216][..443] [TLS.Amazon][Web][Acceptable] detection-update: [....38] [ip4][..tcp] [..172.16.42.216][54412] -> [..52.85.209.216][..443] [TLS.Amazon][Web][Acceptable] analyse: [....37] [ip4][..tcp] [..172.16.42.216][54411] -> [..52.85.209.216][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.091| 0.022| 0.031] - [IAT(c->s)...: 0.000| 0.091| 0.027| 0.034][IAT(s->c)...: 0.000| 0.075| 0.019| 0.028] - [PKTLEN(c->s): 66.000|1096.000| 163.600| 265.200][PKTLEN(s->c): 66.000|1514.000| 929.400| 640.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.091| 0.022| 0.031| 964.249| 0.000] + [PKTLEN......: 66.000| 1514.000| 594.300| 637.000|405792.100| 4.100] [BINS(c->s)..: 11,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,1,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,9,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,0,1,0,1,1,1,0,1,1,1,1,1,1,1,0,0,0] + [IATS........: 46971,52965,277,73178,134,18906,393,341,423,88175,318,744,233,8121,32759,75313,63701,49446,70919,806,90510,2043,419,465,407,524,703,47,5315,294,1129,0] + [PKTLENS.....: 74,74,66,268,66,66,1514,1514,1514,833,66,66,66,66,192,1096,308,66,66,1514,1514,66,1514,1514,1514,464,1514,1126,100,66,66,66] detection-update: [....37] [ip4][..tcp] [..172.16.42.216][54411] -> [..52.85.209.216][..443] [TLS.Amazon][Web][Acceptable] detection-update: [....36] [ip4][..tcp] [..172.16.42.216][34019] -> [..54.239.24.186][..443] [TLS.AmazonAWS][Cloud][Acceptable] detection-update: [....36] [ip4][..tcp] [..172.16.42.216][34019] -> [..54.239.24.186][..443] [TLS.AmazonAWS][Cloud][Acceptable] 
@@ -135,12 +137,14 @@ detected: [....40] [ip4][..udp] [..172.16.42.216][43350] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable] ERROR-EVENT: Unknown packet type analyse: [....28] [ip4][..tcp] [..172.16.42.216][45661] -> [..52.94.232.134][..443] [TLS.Amazon][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.016| 0.161| 0.286] - [IAT(c->s)...: 0.000| 1.016| 0.147| 0.253][IAT(s->c)...: 0.000| 0.966| 0.178| 0.321] - [PKTLEN(c->s): 54.000|1168.000| 325.200| 441.600][PKTLEN(s->c): 60.000|1514.000| 451.100| 527.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.016| 0.161| 0.286|81844.249| 0.000] + [PKTLEN......: 54.000| 1514.000| 380.200| 485.100|235358.500| 4.000] [BINS(c->s)..: 12,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,1,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,1,1,0,0,1,0,1,0] + [IATS........: 55686,59305,1428,66601,358,70,64102,4784,271,2661,66908,3070,100753,8343,108356,5909,66864,500848,354092,941132,3002,88712,111843,176480,211,64686,9150,104205,1015894,966451,45639,0] + [PKTLENS.....: 74,62,54,261,1514,1514,399,54,54,54,380,60,113,54,1136,60,955,54,1120,1120,60,507,54,1168,60,891,54,54,60,54,60,54] detection-update: [....40] [ip4][..udp] [..172.16.42.216][43350] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable] new: [....41] [ip4][..tcp] [..172.16.42.216][42129] -> [..72.21.206.135][..443] new: [....42] [ip4][..tcp] [..172.16.42.216][42130] -> [..72.21.206.135][..443] 
@@ -177,12 +181,14 @@ detection-update: [....42] [ip4][..tcp] [..172.16.42.216][42130] -> [..72.21.206.135][..443] [TLS.Amazon][Web][Acceptable] detection-update: [....42] [ip4][..tcp] [..172.16.42.216][42130] -> [..72.21.206.135][..443] [TLS.Amazon][Web][Acceptable] analyse: [....42] [ip4][..tcp] [..172.16.42.216][42130] -> [..72.21.206.135][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.836| 0.167| 0.244] - [IAT(c->s)...: 0.000| 0.784| 0.152| 0.207][IAT(s->c)...: 0.000| 0.836| 0.185| 0.281] - [PKTLEN(c->s): 54.000|1514.000| 346.500| 493.600][PKTLEN(s->c): 60.000|1514.000| 471.000| 575.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.836| 0.167| 0.244|59552.047| 0.000] + [PKTLEN......: 54.000| 1514.000| 401.000| 534.600|285800.000| 3.900] [BINS(c->s)..: 10,0,0,1,0,0,3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,2,0,0] [BINS(s->c)..: 7,1,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,1,0,1,1,1,0,0,0,1,1,0,0,1,0] + [IATS........: 54151,55408,518,50304,258867,520111,785264,3831,152,61,38,60785,290,133,140,52112,10967,286978,223908,2741,139187,177,171943,179936,143,402714,22375,216464,783828,835939,50504,0] + [PKTLENS.....: 74,62,54,259,60,259,259,60,1514,1514,1514,688,54,54,54,54,180,1514,105,482,60,60,480,54,1514,1210,60,357,54,54,60,54] detection-update: [....42] [ip4][..tcp] [..172.16.42.216][42130] -> [..72.21.206.135][..443] [TLS.Amazon][Web][Acceptable] new: [....50] [ip4][..tcp] [..172.16.42.216][45680] -> [..52.94.232.134][..443] detected: [....50] [ip4][..tcp] [..172.16.42.216][45680] -> [..52.94.232.134][..443] [TLS.Amazon][Web][Acceptable] 
@@ -205,12 +211,14 @@ detection-update: [....54] [ip4][..tcp] [..172.16.42.216][54427] -> [..52.85.209.216][..443] [TLS.Amazon][Web][Acceptable] detection-update: [....55] [ip4][..tcp] [..172.16.42.216][42143] -> [..72.21.206.135][..443] [TLS.Amazon][Web][Acceptable] analyse: [....52] [ip4][..tcp] [..172.16.42.216][34034] -> [..54.239.24.186][..443] [TLS.AmazonAWS][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.352| 0.044| 0.079] - [IAT(c->s)...: 0.000| 0.352| 0.038| 0.081][IAT(s->c)...: 0.000| 0.295| 0.053| 0.075] - [PKTLEN(c->s): 54.000|1514.000|1031.400| 643.700][PKTLEN(s->c): 60.000| 564.000| 110.500| 136.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.352| 0.044| 0.079| 6215.196| 0.000] + [PKTLEN......: 54.000| 1514.000| 657.200| 676.900|458225.800| 4.200] [BINS(c->s)..: 4,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,11,0,0] [BINS(s->c)..: 11,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,1,1,0,1,1,0,0,1,1,0] + [IATS........: 57034,58621,1781,56791,4768,135,59291,267,22886,80040,5852,71839,321,148,565,303,201,1403,296,114,67763,34752,23901,352057,295338,129,57737,650,60553,128,59805,0] + [PKTLENS.....: 74,62,54,313,60,60,210,54,105,820,60,564,1514,1439,1514,1514,1514,1514,1514,1514,83,60,60,60,1514,60,60,1514,1514,60,60,1514] new: [....56] [ip4][..tcp] [..172.16.42.216][42144] -> [..72.21.206.135][..443] detected: [....56] [ip4][..tcp] [..172.16.42.216][42144] -> [..72.21.206.135][..443] [TLS.Amazon][Web][Acceptable] detection-update: [....56] [ip4][..tcp] [..172.16.42.216][42144] -> [..72.21.206.135][..443] [TLS.Amazon][Web][Acceptable] 
@@ -252,19 +260,23 @@ detection-update: [....65] [ip4][..tcp] [..172.16.42.216][41691] -> [..54.239.29.146][..443] [TLS.Amazon][Web][Acceptable] RISK: TLS (probably) Not Carrying HTTPS analyse: [....63] [ip4][..tcp] [..172.16.42.216][54434] -> [..52.85.209.216][..443] [TLS.Amazon][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 2.897| 0.237| 0.560] - [IAT(c->s)...: 0.000| 2.897| 0.227| 0.703][IAT(s->c)...: 0.000| 1.117| 0.248| 0.347] - [PKTLEN(c->s): 66.000|1514.000| 531.800| 642.500][PKTLEN(s->c): 66.000|1514.000| 713.900| 677.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 2.897| 0.237| 0.560|313730.662| 0.000] + [PKTLEN......: 66.000| 1514.000| 617.100| 665.400|442821.700| 4.100] [BINS(c->s)..: 9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,4,0,0] [BINS(s->c)..: 7,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,5,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,1] + [IATS........: 52937,67187,1048,63231,9607,59757,285,20918,462,225,155,1078,225,97487,133,7299,15901,484594,178,170,116007,306256,538314,1116565,2896813,279,153,126,123,583169,913790,0] + [PKTLENS.....: 74,74,66,583,66,222,66,117,1514,1514,139,1514,1514,1495,66,66,66,66,1514,1514,1223,1223,1514,1514,1514,66,78,78,78,78,66,66] analyse: [....65] [ip4][..tcp] [..172.16.42.216][41691] -> [..54.239.29.146][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.486| 0.102| 0.138] - [IAT(c->s)...: 0.000| 0.293| 0.082| 0.091][IAT(s->c)...: 0.000| 0.486| 0.112| 0.155] - [PKTLEN(c->s): 54.000|1514.000| 397.600| 545.400][PKTLEN(s->c): 60.000|1514.000| 858.800| 692.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.486| 0.102| 0.138|19130.661| 0.000] + [PKTLEN......: 54.000| 1514.000| 700.300| 682.000|465082.800| 4.200] [BINS(c->s)..: 6,0,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] 
[BINS(s->c)..: 6,1,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1] + [IATS........: 92394,95354,2440,97381,1862,14105,301,61,113369,268,157,49644,132555,83310,183928,260,326122,293069,272379,138,443688,400,541,41,276469,199153,505,44,713,486056,423,0] + [PKTLENS.....: 74,62,54,275,60,60,1514,1514,464,54,54,54,180,105,54,1514,547,60,1514,60,60,1514,1514,1514,225,1514,1514,1514,225,1514,1514,1514] detection-update: [....65] [ip4][..tcp] [..172.16.42.216][41691] -> [..54.239.29.146][..443] [TLS.Amazon][Web][Acceptable] RISK: TLS (probably) Not Carrying HTTPS new: [....66] [ip4][..tcp] [..172.16.42.216][49606] -> [..52.94.232.134][...80] 
@@ -364,12 +376,14 @@ detected: [....89] [ip4][..tcp] [..172.16.42.216][45712] -> [..52.94.232.134][..443] [TLS.Amazon][Web][Acceptable] detected: [....93] [ip4][..tcp] [..172.16.42.216][49630] -> [..52.94.232.134][...80] [HTTP.AmazonAlexa][VirtAssistant][Acceptable] analyse: [....80] [ip4][..tcp] [..172.16.42.216][45703] -> [..52.94.232.134][..443] [TLS.Amazon][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.570| 0.289| 0.417] - [IAT(c->s)...: 0.000| 1.570| 0.253| 0.411][IAT(s->c)...: 0.000| 1.486| 0.338| 0.420] - [PKTLEN(c->s): 54.000|1514.000| 488.200| 617.300][PKTLEN(s->c): 60.000| 731.000| 234.500| 245.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.570| 0.289| 0.417|173871.694| 0.000] + [PKTLEN......: 54.000| 1514.000| 385.100| 516.000|266233.000| 4.000] [BINS(c->s)..: 8,1,0,0,2,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0] [BINS(s->c)..: 7,1,1,0,0,0,0,0,0,0,0,0,0,0,0,2,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,0,0,1,1,0,0,0,1,0,0,1,1,1,0,0] + [IATS........: 325447,332868,307,247719,185,241306,284,257,23807,287,429915,65,1569527,1485936,352980,706902,73800,283,358821,365,256619,3724,240,956217,948562,95336,235551,1125,68,275387,23718,0] + [PKTLENS.....: 74,62,54,293,139,107,54,54,113,1514,188,60,60,188,60,731,54,1514,252,60,539,54,1514,220,539,54,1514,60,571,60,54,1514] detection-update: [....92] [ip4][..tcp] [..172.16.42.216][45715] -> [..52.94.232.134][..443] [TLS.Amazon][Web][Acceptable] RISK: Weak TLS Cipher detection-update: [....89] [ip4][..tcp] [..172.16.42.216][45712] -> [..52.94.232.134][..443] [TLS.Amazon][Web][Acceptable] 
@@ -386,21 +400,25 @@ new: [....97] [ip4][..tcp] [..172.16.42.216][41821] -> [...54.231.72.88][..443] detected: [....96] [ip4][..tcp] [..172.16.42.216][41820] -> [...54.231.72.88][..443] [TLS.AmazonAWS][Cloud][Acceptable] analyse: [....87] [ip4][..tcp] [..172.16.42.216][45710] -> [..52.94.232.134][..443] [TLS.Amazon][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.192| 0.160| 0.282] - [IAT(c->s)...: 0.000| 1.162| 0.158| 0.284][IAT(s->c)...: 0.000| 1.192| 0.162| 0.280] - [PKTLEN(c->s): 54.000|1514.000| 508.900| 586.100][PKTLEN(s->c): 60.000|1147.000| 205.100| 290.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.192| 0.160| 0.282|79548.359| 0.000] + [PKTLEN......: 54.000| 1514.000| 357.000| 486.700|236894.100| 4.000] [BINS(c->s)..: 4,1,0,1,1,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] [BINS(s->c)..: 10,1,1,0,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,0,1,1,1,0,1,1,0,0,0,1,0,1,1,1,0,0,1,1,0,0,0,1,1,1,0,0,1] + [IATS........: 214415,219069,3661,1161828,1191626,138,43,75944,170423,352,118993,9705,7936,105518,89968,79074,135403,22399,255382,307,202303,1216,199697,125,147,204784,30,11403,221917,129,253154,0] + [PKTLENS.....: 74,62,54,293,293,60,139,107,54,60,192,54,113,1514,60,220,60,60,1147,1514,268,60,555,1514,284,176,60,60,539,1514,204,60] detection-update: [....96] [ip4][..tcp] [..172.16.42.216][41820] -> [...54.231.72.88][..443] [TLS.AmazonAWS][Cloud][Acceptable] detection-update: [....96] [ip4][..tcp] [..172.16.42.216][41820] -> [...54.231.72.88][..443] [TLS.AmazonAWS][Cloud][Acceptable] analyse: [....89] [ip4][..tcp] [..172.16.42.216][45712] -> [..52.94.232.134][..443] [TLS.Amazon][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.080| 0.209| 0.303] - [IAT(c->s)...: 0.000| 1.006| 0.189| 0.280][IAT(s->c)...: 0.000| 1.080| 0.234| 0.328] - [PKTLEN(c->s): 54.000|1514.000| 519.700| 621.700][PKTLEN(s->c): 
60.000| 715.000| 187.900| 225.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.080| 0.209| 0.303|92031.574| 0.000] + [PKTLEN......: 54.000| 1514.000| 374.500| 516.500|266795.300| 3.900] [BINS(c->s)..: 7,1,0,0,0,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0] [BINS(s->c)..: 9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,0,1,0,1,1,0,0,0,0,0,1,1,1,1,0,0,1,1,0,0,1,1,0,0,0,1,0,1] + [IATS........: 1005698,1080313,210230,18680,169715,18028,104975,95,107187,277,11694,34788,143,215183,306,69,21708,195595,278,202797,728,212905,264,205823,10952,236264,754701,277,888900,405375,377261,0] + [PKTLENS.....: 74,74,62,54,293,62,54,139,107,54,54,113,1514,268,60,60,60,555,1514,220,60,715,1514,252,60,571,54,1514,220,60,1514,60] new: [....98] [ip4][..udp] [..172.16.42.216][41639] -> [....172.16.42.1][...53] detected: [....98] [ip4][..udp] [..172.16.42.216][41639] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable] detection-update: [....98] [ip4][..udp] [..172.16.42.216][41639] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable] 
@@ -446,33 +464,41 @@ detection-update: [...107] [ip4][..tcp] [..172.16.42.216][40856] -> [..54.239.29.253][..443] [TLS.Amazon][Web][Acceptable] RISK: Weak TLS Cipher analyse: [...107] [ip4][..tcp] [..172.16.42.216][40856] -> [..54.239.29.253][..443] [TLS.Amazon][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.326| 0.037| 0.075] - [IAT(c->s)...: 0.000| 0.326| 0.058| 0.097][IAT(s->c)...: 0.000| 0.247| 0.028| 0.059] - [PKTLEN(c->s): 54.000|1514.000| 258.300| 413.000][PKTLEN(s->c): 60.000|1514.000| 717.200| 451.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.326| 0.037| 0.075| 5555.152| 0.000] + [PKTLEN......: 54.000| 1514.000| 559.400| 489.800|239933.900| 4.400] [BINS(c->s)..: 7,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,3,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,0,0,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,0,1] + [IATS........: 55943,57350,1409,113314,370,112296,148,3166,65706,1386,70006,242,85334,246615,142,48,84,325585,285,3839,797,233,347,98,286,299,648,356,1116,6749,1201,0] + [PKTLENS.....: 74,62,54,265,1514,1289,54,54,380,60,113,1514,284,60,1035,603,603,603,54,54,1514,1514,755,1115,603,603,603,603,603,603,54,603] analyse: [...105] [ip4][..tcp] [..172.16.42.216][40854] -> [..54.239.29.253][..443] [TLS.Amazon][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.933| 0.089| 0.198] - [IAT(c->s)...: 0.000| 0.639| 0.087| 0.163][IAT(s->c)...: 0.000| 0.933| 0.092| 0.230] - [PKTLEN(c->s): 54.000|1514.000| 357.000| 544.000][PKTLEN(s->c): 60.000|1514.000| 585.500| 512.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.933| 0.089| 0.198|39194.591| 0.000] + [PKTLEN......: 54.000| 1514.000| 464.100| 541.500|293230.800| 4.100] [BINS(c->s)..: 11,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] 
[BINS(s->c)..: 4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,1,1,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,0,0,0,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0] + [IATS........: 109911,111642,1568,102004,158,101584,303,1866,56194,150,87519,19070,7646,147913,304065,639361,932653,32742,136,49,686,68,38,318,579,110731,248,1820,214,123,120,0] + [PKTLENS.....: 74,62,54,265,1514,1289,54,54,380,60,113,54,1514,268,60,1514,1514,60,1035,603,603,603,603,603,1483,91,54,54,54,54,54,54] analyse: [....88] [ip4][..tcp] [..172.16.42.216][45711] -> [..52.94.232.134][..443] [TLS.Amazon][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 9.247| 1.357| 2.197] - [IAT(c->s)...: 0.000| 6.020| 1.049| 1.691][IAT(s->c)...: 0.000| 9.247| 1.919| 2.813] - [PKTLEN(c->s): 54.000|1514.000| 551.800| 616.700][PKTLEN(s->c): 60.000| 955.000| 225.800| 322.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 9.247| 1.357| 2.197|4827473.510| 0.000] + [PKTLEN......: 54.000| 1514.000| 439.800| 556.200|309356.400| 4.000] [BINS(c->s)..: 9,1,0,0,0,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,5,0,0] [BINS(s->c)..: 7,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,1,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,1,0,1,1,0,0,0,1,1,0,0,1] + [IATS........: 992408,1100523,1068,243574,812,17238,3008616,6019841,9247029,138,67248,300,303,66691,669495,281,275185,528033,1079938,2835215,349963,114629,72089,219293,5051089,276,5193864,64990,174211,2275400,2411210,0] + [PKTLENS.....: 74,74,62,62,54,54,293,293,293,139,107,54,54,113,60,1514,1132,1514,1514,1514,60,1132,60,955,54,1514,236,60,859,54,54,60] analyse: [....99] [ip4][..tcp] [..172.16.42.216][44001] -> [..176.32.101.52][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 19.096| 0.770| 3.358] - [IAT(c->s)...: 0.000| 19.096| 1.344| 4.593][IAT(s->c)...: 0.000| 0.973| 0.158| 0.262] - [PKTLEN(c->s): 54.000|1514.000| 
240.400| 333.700][PKTLEN(s->c): 60.000|1514.000| 328.100| 483.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 19.096| 0.770| 3.358|11273140.961| 0.000] + [PKTLEN......: 54.000| 1514.000| 281.500| 412.900|170449.200| 4.000] [BINS(c->s)..: 7,0,1,1,0,0,5,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 8,1,0,0,1,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,0,1,1,0,1,0,0,1,1,1,0,0] + [IATS........: 123577,127990,5388,470526,584,630,42,1232537,1463,5048,697,664,10016,973197,496,53,32,190922,73204,348,171867,142,116971,408177,413652,66693,140934,83299,138,166304,19096185,0] + [PKTLENS.....: 74,62,54,246,60,1514,1514,536,246,246,54,54,54,180,60,60,60,99,54,1514,290,60,212,118,292,247,246,60,60,272,54,356] detection-update: [....99] [ip4][..tcp] [..172.16.42.216][44001] -> [..176.32.101.52][..443] [TLS.Amazon][Web][Acceptable] RISK: TLS (probably) Not Carrying HTTPS new: [...108] [ip4][..udp] [..172.16.42.216][20922] -> [....172.16.42.1][...53] 
@@ -535,23 +561,27 @@ detected: [...121] [ip4][..tcp] [..172.16.42.216][51987] -> [....52.84.63.56][...80] [HTTP.Amazon][Web][Acceptable] detected: [...124] [ip4][..tcp] [..172.16.42.216][51990] -> [....52.84.63.56][...80] [HTTP.Amazon][Web][Acceptable] analyse: [...120] [ip4][..tcp] [..172.16.42.216][51986] -> [....52.84.63.56][...80] [HTTP.Amazon][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.295| 0.052| 0.098] - [IAT(c->s)...: 0.000| 0.287| 0.050| 0.094][IAT(s->c)...: 0.000| 0.295| 0.053| 0.101] - [PKTLEN(c->s): 66.000| 613.000| 163.700| 208.000][PKTLEN(s->c): 66.000|1514.000|1117.900| 574.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.295| 0.052| 0.098| 9533.209| 0.000] + [PKTLEN......: 66.000| 1514.000| 611.000| 635.800|404189.900| 4.200] [BINS(c->s)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,1,1,1,0,0] + [IATS........: 57953,60331,1632,154699,385,386,415,483,524,207,360,156722,299,4146,127,3380,248,131,172,143,126,121,6987,268261,295198,18253,286273,480,356,286588,4334,0] + [PKTLENS.....: 74,74,66,613,66,1514,1514,1514,1514,1514,1514,1514,66,66,1514,441,66,66,66,66,66,66,66,613,613,441,78,606,1514,1514,66,66] new: [...125] [ip4][..tcp] [..172.16.42.216][40871] -> [..54.239.29.253][..443] detected: [...125] [ip4][..tcp] [..172.16.42.216][40871] -> [..54.239.29.253][..443] [TLS.Amazon][Web][Acceptable] detection-update: [...125] [ip4][..tcp] [..172.16.42.216][40871] -> [..54.239.29.253][..443] [TLS.Amazon][Web][Acceptable] RISK: Weak TLS Cipher analyse: [...125] [ip4][..tcp] [..172.16.42.216][40871] -> [..54.239.29.253][..443] [TLS.Amazon][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.107| 0.141| 0.257] - [IAT(c->s)...: 0.000| 0.707| 0.146| 0.216][IAT(s->c)...: 
0.000| 1.107| 0.137| 0.286] - [PKTLEN(c->s): 54.000|1514.000| 499.700| 619.000][PKTLEN(s->c): 60.000|1514.000| 394.900| 487.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.107| 0.141| 0.257|65864.266| 0.000] + [PKTLEN......: 54.000| 1514.000| 444.000| 555.400|308431.600| 4.000] [BINS(c->s)..: 7,1,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] [BINS(s->c)..: 6,2,2,1,0,0,0,0,0,0,0,0,1,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,1,1,0,0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1] + [IATS........: 111073,112352,831,179894,143,45,179940,2913,265,3255,516,135136,162,170164,502171,1107068,16816,231,180,41,28,24,706579,352,9657,355942,325,629177,147816,149,54,0] + [PKTLENS.....: 74,62,54,297,60,139,107,54,54,113,1514,300,60,60,1514,1514,60,1514,135,1514,167,443,91,54,54,54,1514,332,60,1035,603,603] new: [...126] [ip4][..tcp] [..172.16.42.216][51992] -> [....52.84.63.56][...80] new: [...127] [ip4][..tcp] [..172.16.42.216][51993] -> [....52.84.63.56][...80] new: [...128] [ip4][..tcp] [..172.16.42.216][51994] -> [....52.84.63.56][...80] 
@@ -565,12 +595,14 @@ detected: [...130] [ip4][..tcp] [..172.16.42.216][51996] -> [....52.84.63.56][...80] [HTTP.Amazon][Web][Acceptable] detected: [...131] [ip4][..tcp] [..172.16.42.216][51997] -> [....52.84.63.56][...80] [HTTP.Amazon][Web][Acceptable] analyse: [...129] [ip4][..tcp] [..172.16.42.216][51995] -> [....52.84.63.56][...80] [HTTP.Amazon][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.179| 0.023| 0.044] - [IAT(c->s)...: 0.000| 0.179| 0.026| 0.053][IAT(s->c)...: 0.000| 0.113| 0.021| 0.035] - [PKTLEN(c->s): 66.000| 613.000| 140.300| 185.500][PKTLEN(s->c): 66.000|1514.000|1301.900| 459.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.179| 0.023| 0.044| 1924.322| 0.000] + [PKTLEN......: 66.000| 1514.000| 757.400| 681.300|464196.800| 4.300] [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0,0,0,12,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,1,1,0,1,1,1,1,0] + [IATS........: 31287,34141,578,113361,46407,49,49,50,45,46,11194,1598,7176,179149,121,126,120,120,142,3369,257,407,4520,99192,277,120761,46881,156,255,789,17484,0] + [PKTLENS.....: 74,74,66,613,66,1514,1514,1514,1514,1514,1514,1514,1237,1237,66,66,66,66,66,66,66,66,78,613,1514,1514,66,1514,1350,1514,1514,66] update: [....27] [ip4][..udp] [..172.16.42.216][54886] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable] update: [....14] [ip4][.icmp] [....172.16.42.1] -> [..172.16.42.216] [ICMP][Network][Acceptable] update: [....21] [ip4][..udp] [..172.16.42.216][41030] -> [....172.16.42.1][...53] [DNS.AmazonAlexa][VirtAssistant][Acceptable] 
@@ -588,12 +620,14 @@ update: [....19] [ip4][..udp] [..172.16.42.216][.7358] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable] update: [....17] [ip4][..udp] [..172.16.42.216][19967] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable] analyse: [...126] [ip4][..tcp] [..172.16.42.216][51992] -> [....52.84.63.56][...80] [HTTP.Amazon][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.511| 0.042| 0.110] - [IAT(c->s)...: 0.000| 0.369| 0.039| 0.093][IAT(s->c)...: 0.000| 0.511| 0.045| 0.124] - [PKTLEN(c->s): 66.000| 613.000| 169.800| 212.900][PKTLEN(s->c): 66.000|1514.000|1217.400| 555.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.511| 0.042| 0.110|12114.281| 0.000] + [PKTLEN......: 66.000| 1514.000| 693.600| 671.900|451493.000| 4.200] [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,1,0,0,1,1] + [IATS........: 24956,26298,431,110222,135,214,308,354,363,1114,487,409,385,114928,244,126,125,3452,97,26252,252,149,120,119,152,4719,62468,45133,368811,510931,416,0] + [PKTLENS.....: 74,74,66,613,66,66,1514,1514,1514,1514,1514,1514,1514,1514,66,66,66,66,1514,1309,66,66,66,66,66,66,613,1309,78,613,1514,1514] new: [...132] [ip4][..tcp] [..172.16.42.216][40878] -> [..54.239.29.253][..443] detected: [...132] [ip4][..tcp] [..172.16.42.216][40878] -> [..54.239.29.253][..443] [TLS.Amazon][Web][Acceptable] detection-update: [...132] [ip4][..tcp] [..172.16.42.216][40878] -> [..54.239.29.253][..443] [TLS.Amazon][Web][Acceptable] 
@@ -605,12 +639,14 @@ idle: [.....2] [ip6][icmp6] [.....................................::] -> [...............................ff02::16] [ICMPV6][Network][Acceptable] idle: [.....1] [ip6][icmp6] [.....................................::] -> [......................ff02::1:ffd3:fbc2] [ICMPV6][Network][Acceptable] analyse: [....16] [ip4][..tcp] [..172.16.42.216][55242] -> [..52.85.209.197][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 120.003| 3.968| 21.185] - [IAT(c->s)...: 0.002| 0.290| 0.108| 0.116][IAT(s->c)...: 0.000| 120.003| 7.148| 28.214] - [PKTLEN(c->s): 66.000|1514.000| 431.500| 564.700][PKTLEN(s->c): 66.000|1514.000| 467.300| 574.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 120.003| 3.968| 21.185|448816230.695| 0.000] + [PKTLEN......: 66.000| 1514.000| 450.500| 570.000|324877.800| 4.000] [BINS(c->s)..: 9,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,1,0,0] [BINS(s->c)..: 7,3,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,3,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,0,0,0,1,1,1,1,1,0,0,0,0,1,1,1,1,0,1,1] + [IATS........: 77142,79508,13198,60889,401,551,135,48584,1797,3570,177758,227426,44512,20026,267154,445550,122636,142,45,33,282451,8709,270484,1626,407007,145,164075,140,290013,120002762,69,0] + [PKTLENS.....: 74,74,66,287,66,1514,1514,640,66,66,66,192,308,66,1430,1430,66,1514,314,110,100,66,66,1514,1017,66,66,1329,100,66,97,66] detection-update: [....16] [ip4][..tcp] [..172.16.42.216][55242] -> [..52.85.209.197][..443] [TLS.Amazon][Web][Acceptable] RISK: TLS (probably) Not Carrying HTTPS new: [...134] [ip4][..tcp] [..172.16.42.216][45751] -> [..52.94.232.134][..443] 
@@ -723,12 +759,14 @@ detection-update: [...146] [ip4][..udp] [..172.16.42.216][59908] -> [....172.16.42.1][...53] [DNS.AmazonAlexa][VirtAssistant][Acceptable] new: [...147] [ip4][..tcp] [..172.16.42.216][38757] -> [..54.239.28.178][..443] analyse: [...142] [ip4][..tcp] [..172.16.42.216][50799] -> [..54.239.28.178][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 8.001| 0.664| 1.905] - [IAT(c->s)...: 0.000| 7.767| 0.606| 1.800][IAT(s->c)...: 0.000| 8.001| 0.735| 2.024] - [PKTLEN(c->s): 54.000|1514.000| 512.300| 628.500][PKTLEN(s->c): 60.000|1514.000| 344.100| 507.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 8.001| 0.664| 1.905|3629965.115| 0.000] + [PKTLEN......: 54.000| 1514.000| 438.700| 584.700|341856.600| 3.900] [BINS(c->s)..: 9,0,0,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0] [BINS(s->c)..: 8,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,1,1,0,0,1,0,1,0,0,1,1,0,0,0,1,0,1,0,1,1,0] + [IATS........: 133822,140403,3233,141605,1309,112,137230,287,136,2714,82197,163,95708,410,359058,405413,633638,688626,100774,373131,50752,202632,7767064,1576,8001087,353783,410110,314766,108314,179,84048,0] + [PKTLENS.....: 74,62,54,261,1514,1514,399,54,54,54,380,60,113,1514,204,60,1514,113,54,1514,60,683,54,1514,300,60,54,60,1514,60,60,54] detection-update: [...142] [ip4][..tcp] [..172.16.42.216][50799] -> [..54.239.28.178][..443] [TLS.Amazon][Web][Acceptable] RISK: Weak TLS Cipher detected: [...147] [ip4][..tcp] [..172.16.42.216][38757] -> [..54.239.28.178][..443] [TLS.AmazonAWS][Cloud][Acceptable] 
@@ -753,12 +791,14 @@ detection-update: [...151] [ip4][..tcp] [..172.16.42.216][49067] -> [..216.58.194.78][..443] [TLS.PlayStore][SoftwareUpdate][Safe] RISK: TLS (probably) Not Carrying HTTPS analyse: [...149] [ip4][..tcp] [..172.16.42.216][41828] -> [..52.85.209.143][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.106| 0.022| 0.031] - [IAT(c->s)...: 0.000| 0.102| 0.025| 0.032][IAT(s->c)...: 0.000| 0.106| 0.020| 0.030] - [PKTLEN(c->s): 66.000|1514.000| 337.500| 494.700][PKTLEN(s->c): 66.000|1514.000| 718.200| 628.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.106| 0.022| 0.031| 964.869| 0.000] + [PKTLEN......: 66.000| 1514.000| 539.800| 600.400|360465.600| 4.100] [BINS(c->s)..: 9,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] [BINS(s->c)..: 5,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,1,1,1,0,1,1,1,1,1,1,0,1,0] + [IATS........: 42665,43661,659,44970,3982,526,602,251,50626,787,253,1113,7308,12716,306,65597,42616,4166,48889,363,25248,76421,105973,250,551,581,305,49,101959,2918,1893,0] + [PKTLENS.....: 74,74,66,268,66,1514,1514,1514,833,66,66,66,66,192,1514,781,78,192,1514,78,320,66,66,1514,1514,1514,697,608,143,66,163,66] detection-update: [...149] [ip4][..tcp] [..172.16.42.216][41828] -> [..52.85.209.143][..443] [TLS.Amazon][Web][Acceptable] new: [...152] [ip4][..udp] [..172.16.42.216][.4612] -> [....172.16.42.1][...53] detected: [...152] [ip4][..udp] [..172.16.42.216][.4612] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable] 
@@ -813,41 +853,49 @@ detection-update: [...157] [ip4][..tcp] [..172.16.42.216][38483] -> [..52.85.209.143][..443] [TLS.Amazon][Web][Acceptable] RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn analyse: [...154] [ip4][..tcp] [..172.16.42.216][41913] -> [...52.84.62.115][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.262| 0.033| 0.059] - [IAT(c->s)...: 0.000| 0.217| 0.033| 0.053][IAT(s->c)...: 0.000| 0.262| 0.033| 0.064] - [PKTLEN(c->s): 66.000|1343.000| 402.200| 532.800][PKTLEN(s->c): 66.000|1514.000| 859.900| 626.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.262| 0.033| 0.059| 3460.134| 0.000] + [PKTLEN......: 66.000| 1514.000| 631.000| 624.900|390532.600| 4.200] [BINS(c->s)..: 10,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,1,1,1,1,0,0,0,0,1,1,0,0,1,0,1,1] + [IATS........: 16682,17944,1581,27330,5292,477,511,279,32463,293,12932,291,133,38969,52766,61918,541,272,54,35117,659,5109,216850,261773,199,39363,7450,74173,66612,42132,427,0] + [PKTLENS.....: 74,74,66,285,66,1514,1514,1514,764,66,66,66,66,192,324,1343,1514,1514,770,100,66,66,1308,1308,862,100,66,1319,100,78,1514,1514] detection-update: [...154] [ip4][..tcp] [..172.16.42.216][41913] -> [...52.84.62.115][..443] [TLS.Amazon][Web][Acceptable] analyse: [...157] [ip4][..tcp] [..172.16.42.216][38483] -> [..52.85.209.143][..443] [TLS.Amazon][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.241| 0.031| 0.057] - [IAT(c->s)...: 0.000| 0.227| 0.047| 0.066][IAT(s->c)...: 0.000| 0.241| 0.025| 0.052] - [PKTLEN(c->s): 66.000| 732.000| 233.200| 257.200][PKTLEN(s->c): 66.000|1514.000| 816.800| 591.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.241| 0.031| 0.057| 3274.655| 0.000] + [PKTLEN......: 66.000| 1514.000| 634.400| 
578.400|334504.200| 4.400] [BINS(c->s)..: 6,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,2,0,1,0,0,1,0,0,0,0,1,1,0,0,1,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] + [IATS........: 33996,35089,2227,37919,5059,483,236,42863,280,131,30800,68825,38426,227149,241435,50068,58385,55537,3754,2000,4418,1636,659,7796,67,79,9049,341,3084,756,10250,0] + [PKTLENS.....: 74,74,66,260,66,1514,1514,632,66,66,66,192,117,732,732,117,78,66,1110,441,270,829,919,455,1514,191,571,1514,1514,1514,1514,1514] new: [...158] [ip4][..udp] [..172.16.42.216][.2707] -> [....172.16.42.1][...53] detected: [...158] [ip4][..udp] [..172.16.42.216][.2707] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable] analyse: [...155] [ip4][..tcp] [..172.16.42.216][41914] -> [...52.84.62.115][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.264| 0.057| 0.086] - [IAT(c->s)...: 0.000| 0.222| 0.053| 0.076][IAT(s->c)...: 0.000| 0.264| 0.063| 0.096] - [PKTLEN(c->s): 66.000|1351.000| 371.700| 524.400][PKTLEN(s->c): 66.000|1514.000| 770.600| 605.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.264| 0.057| 0.086| 7393.244| 0.000] + [PKTLEN......: 66.000| 1514.000| 546.200| 595.200|354289.100| 4.200] [BINS(c->s)..: 12,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,3,0,0,0,0,0,0,0] [BINS(s->c)..: 2,2,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,1,0,0,0,1,1,1,0,0,0,0,1,1,1,0,0] + [IATS........: 22841,23998,943,22793,6583,564,615,276,39690,124,146,157,6771,37572,46160,226745,213104,3861,222252,264056,50,55344,103406,128,10396,183950,242536,953,71,38628,142,0] + [PKTLENS.....: 74,74,66,285,66,1514,1514,1514,764,66,66,66,66,192,324,1351,324,78,1351,1351,944,100,100,66,66,78,1336,1514,1514,522,66,66] 
detection-update: [...155] [ip4][..tcp] [..172.16.42.216][41914] -> [...52.84.62.115][..443] [TLS.Amazon][Web][Acceptable] detection-update: [...158] [ip4][..udp] [..172.16.42.216][.2707] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable] new: [...159] [ip4][..tcp] [..172.16.42.216][47605] -> [..72.21.206.121][..443] detected: [...159] [ip4][..tcp] [..172.16.42.216][47605] -> [..72.21.206.121][..443] [TLS.Amazon][Web][Acceptable] new: [...160] [ip4][..tcp] [..172.16.42.216][47606] -> [..72.21.206.121][..443] analyse: [...145] [ip4][..tcp] [..172.16.42.216][44912] -> [...54.239.23.94][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 7.471| 0.614| 1.478] - [IAT(c->s)...: 0.000| 3.665| 0.505| 0.954][IAT(s->c)...: 0.000| 7.471| 0.747| 1.923] - [PKTLEN(c->s): 54.000|1514.000| 634.900| 654.900][PKTLEN(s->c): 60.000|1514.000| 418.400| 592.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 7.471| 0.614| 1.478|2183643.136| 0.000] + [PKTLEN......: 54.000| 1514.000| 540.200| 637.500|406420.100| 4.000] [BINS(c->s)..: 8,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,1,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,1,1,0,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,1,0,1,1] + [IATS........: 168457,171158,1511,108893,4406,1671,697,112679,290,4146,167,6217,127,10389,13091,1079,255,290409,42,32,60,299358,743,529311,1065924,2114234,3665356,7470598,595200,595070,1817122,0] + [PKTLENS.....: 74,62,54,281,60,60,1514,1514,54,54,1514,669,54,54,180,1514,1438,374,60,60,105,60,54,1438,1438,1438,1438,54,60,1438,60,60] detection-update: [...145] [ip4][..tcp] [..172.16.42.216][44912] -> [...54.239.23.94][..443] [TLS.AmazonAWS][Cloud][Acceptable] detected: [...160] [ip4][..tcp] [..172.16.42.216][47606] -> [..72.21.206.121][..443] [TLS.Amazon][Web][Acceptable] detection-update: [...159] [ip4][..tcp] [..172.16.42.216][47605] -> 
[..72.21.206.121][..443] [TLS.Amazon][Web][Acceptable] diff --git a/test/results/flow-info/amqp.pcap.out b/test/results/flow-info/amqp.pcap.out index cf392e64a..8e7590346 100644 --- a/test/results/flow-info/amqp.pcap.out +++ b/test/results/flow-info/amqp.pcap.out @@ -8,12 +8,14 @@ detected: [.....3] [ip4][..tcp] [......127.0.0.1][44206] -> [......127.0.1.1][.5672] [AMQP][RPC][Acceptable] detected: [.....2] [ip4][..tcp] [......127.0.1.1][.5672] -> [......127.0.0.1][44204] [AMQP][RPC][Acceptable] analyse: [.....1] [ip4][..tcp] [......127.0.0.1][44205] -> [......127.0.1.1][.5672] [AMQP][RPC][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 2.002| 0.224| 0.537] - [IAT(c->s)...: 0.000| 2.002| 0.232| 0.544][IAT(s->c)...: 0.000| 2.002| 0.217| 0.530] - [PKTLEN(c->s): 103.000| 395.000| 198.100| 105.200][PKTLEN(s->c): 66.000| 66.000| 66.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 2.002| 0.224| 0.537|287986.745| 0.000] + [PKTLEN......: 66.000| 395.000| 132.000| 99.500| 9895.700| 4.700] [BINS(c->s)..: 0,6,0,5,0,0,1,0,1,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 31,198,177,103,103,2001663,2001684,188,167,98,97,1032593,1032598,113,109,94,93,11037,11041,111,108,94,93,17674,17676,105,104,99,99,412703,412706,0] + [PKTLENS.....: 107,66,162,66,369,66,107,66,162,66,369,66,104,66,162,66,395,66,103,66,162,66,271,66,105,66,162,66,325,66,104,66] idle: [.....2] [ip4][..tcp] [......127.0.1.1][.5672] -> [......127.0.0.1][44204] [AMQP][RPC][Acceptable] idle: [.....1] [ip4][..tcp] [......127.0.0.1][44205] -> [......127.0.1.1][.5672] [AMQP][RPC][Acceptable] idle: [.....3] [ip4][..tcp] [......127.0.0.1][44206] -> [......127.0.1.1][.5672] [AMQP][RPC][Acceptable] 
diff --git a/test/results/flow-info/android.pcap.out b/test/results/flow-info/android.pcap.out index a1e00193a..bc4500a3c 100644 --- a/test/results/flow-info/android.pcap.out +++ b/test/results/flow-info/android.pcap.out 
@@ -168,12 +168,14 @@ detected: [....60] [ip4][..udp] [...192.168.2.16][39760] -> [....192.168.2.1][...53] [DNS.GoogleServices][Web][Acceptable] detected: [....58] [ip4][..tcp] [...192.168.2.16][43646] -> [..172.217.20.76][..443] [TLS.DataSaver][Web][Fun] analyse: [....42] [ip4][..tcp] [...192.168.2.16][32996] -> [.216.239.38.120][..443] [TLS.Google][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.405| 0.048| 0.104] - [IAT(c->s)...: 0.000| 0.387| 0.047| 0.099][IAT(s->c)...: 0.000| 0.405| 0.050| 0.109] - [PKTLEN(c->s): 66.000| 578.000| 114.600| 124.700][PKTLEN(s->c): 66.000|1484.000| 788.400| 626.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.405| 0.048| 0.104|10866.215| 0.000] + [PKTLEN......: 66.000| 1484.000| 430.500| 552.700|305506.200| 4.000] [BINS(c->s)..: 13,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,1,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,5,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,1,0,0,1,0,1,1,0,1,1,1,1,0,1,1,1,0,0,0,0,0,0] + [IATS........: 13673,15022,32725,47474,16568,3,34518,282,386517,404574,19668,197623,221096,19209,15019,27735,41804,1657,22,36,1002,1575,133,18,9,1204,14,1169,2703,19,10,0] + [PKTLENS.....: 74,74,66,246,66,1484,1202,66,66,159,358,66,578,66,100,66,655,66,1484,1484,1421,1484,66,1484,396,102,66,66,66,66,66,66] detection-update: [....59] [ip4][..tcp] [...192.168.2.16][33014] -> [.216.239.38.120][..443] [TLS.Google][Web][Acceptable] detection-update: [....55] [ip4][..tcp] [...192.168.2.16][51944] -> [.172.217.21.202][..443] [TLS.DataSaver][Web][Fun] detection-update: [....60] [ip4][..udp] [...192.168.2.16][39760] -> [....192.168.2.1][...53] [DNS.GoogleServices][Web][Acceptable] diff --git a/test/results/flow-info/anyconnect-vpn.pcap.out b/test/results/flow-info/anyconnect-vpn.pcap.out index 3dbd9d25e..28061e313 100644 --- a/test/results/flow-info/anyconnect-vpn.pcap.out 
+++ b/test/results/flow-info/anyconnect-vpn.pcap.out @@ -44,12 +44,14 @@ detection-update: [....15] [ip4][..tcp] [.....10.0.0.227][56919] -> [....8.37.102.91][..443] [TLS][Web][Safe] RISK: Weak TLS Cipher, Missing SNI TLS Extn analyse: [....15] [ip4][..tcp] [.....10.0.0.227][56919] -> [....8.37.102.91][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.072| 0.022| 0.022] - [IAT(c->s)...: 0.000| 0.045| 0.023| 0.020][IAT(s->c)...: 0.000| 0.072| 0.021| 0.023] - [PKTLEN(c->s): 66.000|1514.000| 422.600| 556.700][PKTLEN(s->c): 66.000|1514.000| 597.800| 627.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.072| 0.022| 0.022| 465.545| 0.000] + [PKTLEN......: 66.000| 1514.000| 504.700| 597.200|356597.600| 4.000] [BINS(c->s)..: 11,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,2,0,0] [BINS(s->c)..: 6,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,4,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,0,1,1,1,1,0,0,0] + [IATS........: 39490,39550,431,43733,1217,44517,40926,4,40928,1,38216,8,38254,1,33217,1,71520,5,38273,6102,35094,41225,217,42300,2869,5,1,44938,58,0,0,0] + [PKTLENS.....: 78,70,66,233,66,1514,66,1514,1514,66,66,1514,1181,66,66,1514,1514,1333,66,66,677,66,141,66,1175,66,359,711,119,66,66,66] detection-update: [....15] [ip4][..tcp] [.....10.0.0.227][56919] -> [....8.37.102.91][..443] [TLS][Web][Safe] RISK: Weak TLS Cipher, Missing SNI TLS Extn new: [....16] [ip4][..udp] [.....10.0.0.227][63107] -> [....75.75.76.76][...53] 
@@ -108,12 +110,14 @@ detection-update: [....35] [ip4][..udp] [.....10.0.0.227][59222] -> [....75.75.75.75][...53] [DNS][Network][Acceptable] detection-update: [....36] [ip4][..udp] [.....10.0.0.227][57017] -> [....75.75.75.75][...53] [DNS][Network][Acceptable] analyse: [....30] [ip4][..tcp] [.....10.0.0.227][56921] -> [....8.37.96.194][.4287] [TLS][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.385| 0.079| 0.122] - [IAT(c->s)...: 0.000| 0.358| 0.081| 0.117][IAT(s->c)...: 0.002| 0.385| 0.078| 0.126] - [PKTLEN(c->s): 66.000|1261.000| 250.700| 328.900][PKTLEN(s->c): 66.000|1434.000| 347.300| 483.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.385| 0.079| 0.122|14784.686| 0.000] + [PKTLEN......: 66.000| 1434.000| 299.000| 416.200|173206.900| 4.000] [BINS(c->s)..: 9,2,0,0,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,1,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,1,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0,0,1,1] + [IATS........: 28537,28596,272,35158,11581,46466,4231,33144,2963,31899,1468,30539,1730,30777,254948,281121,5133,31326,314965,342213,26303,53543,25788,25778,4801,30501,2712,28408,358152,384774,2066,0] + [PKTLENS.....: 78,78,66,214,66,1374,66,1261,66,117,66,510,66,477,66,377,66,181,66,791,66,1434,66,1174,66,128,66,136,66,124,66,124] new: [....37] [ip4][..tcp] [.....10.0.0.227][56881] -> [.162.222.43.153][..443] [MIDSTREAM] new: [....38] [ip4][..tcp] [.....10.0.0.227][56929] -> [....8.37.102.91][..443] detected: [....38] [ip4][..tcp] [.....10.0.0.227][56929] -> [....8.37.102.91][..443] [TLS][Web][Safe] 
@@ -123,12 +127,14 @@ detection-update: [....38] [ip4][..tcp] [.....10.0.0.227][56929] -> [....8.37.102.91][..443] [TLS][Web][Safe] RISK: Weak TLS Cipher, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn analyse: [....38] [ip4][..tcp] [.....10.0.0.227][56929] -> [....8.37.102.91][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.138| 0.027| 0.033] - [IAT(c->s)...: 0.000| 0.097| 0.033| 0.029][IAT(s->c)...: 0.000| 0.138| 0.022| 0.035] - [PKTLEN(c->s): 66.000|1031.000| 164.900| 249.400][PKTLEN(s->c): 66.000|1514.000| 854.600| 666.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.138| 0.027| 0.033| 1098.419| 0.000] + [PKTLEN......: 66.000| 1514.000| 531.300| 619.300|383541.000| 4.100] [BINS(c->s)..: 12,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,1,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,1,0,0,0,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0] + [IATS........: 42362,42438,1999,46916,1210,46124,40336,4,40344,1,37231,6,37243,1,97159,138032,40854,1159,43270,9027,4,1,1,9,1,1,51168,0,0,0,0,0] + [PKTLENS.....: 78,70,66,218,66,1514,66,1514,1514,66,66,1514,1181,66,66,420,141,66,1031,66,1514,223,1514,223,1514,223,1514,223,66,66,66,66] detection-update: [....38] [ip4][..tcp] [.....10.0.0.227][56929] -> [....8.37.102.91][..443] [TLS][Web][Safe] RISK: Weak TLS Cipher, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn new: [....39] [ip4][..tcp] [.....10.0.0.227][56865] -> [.....10.0.0.149][.8008] [MIDSTREAM] 
@@ -185,12 +191,14 @@ detection-update: [....58] [ip4][..udp] [.....10.0.0.227][54107] -> [....8.37.102.91][..443] [DTLS][Web][Safe] RISK: Obsolete TLS (v1.1 or older) analyse: [....58] [ip4][..udp] [.....10.0.0.227][54107] -> [....8.37.102.91][..443] [DTLS][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.047| 0.016| 0.019] - [IAT(c->s)...: 0.000| 0.047| 0.016| 0.018][IAT(s->c)...: 0.000| 0.047| 0.015| 0.019] - [PKTLEN(c->s): 135.000| 199.000| 168.000| 16.800][PKTLEN(s->c): 90.000| 407.000| 258.100| 75.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.047| 0.016| 0.019| 352.973| 0.000] + [PKTLEN......: 90.000| 407.000| 213.100| 70.700| 5001.800| 4.900] [BINS(c->s)..: 0,0,1,11,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,1,0,0,2,5,1,2,2,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,0,0,1,1,1,1,1,0,0,1,1,1,1,0,0,1,0,1,0,1,0,1,0,0,0,1] + [IATS........: 43486,43887,46602,46963,13778,22397,136,45366,3,1,180,3,8893,184,3220,4,34551,3,41128,530,5716,3654,11825,10035,4233,4600,46982,47070,168,405,3845,0] + [PKTLENS.....: 141,90,161,230,135,167,167,167,263,215,215,215,199,151,167,359,311,183,231,167,167,311,167,279,199,407,199,279,167,183,183,343] new: [....60] [ip4][..udp] [.....10.0.0.227][52595] -> [.......10.0.0.1][..192] new: [....61] [ip4][..udp] [.....10.0.0.151][.1900] -> [.....10.0.0.227][57547] detected: [....61] [ip4][..udp] [.....10.0.0.151][.1900] -> [.....10.0.0.227][57547] [SSDP][System][Acceptable] diff --git a/test/results/flow-info/anydesk.pcapng.out b/test/results/flow-info/anydesk.pcapng.out index 516685020..47d9c7b5f 100644 --- a/test/results/flow-info/anydesk.pcapng.out +++ b/test/results/flow-info/anydesk.pcapng.out 
@@ -12,12 +12,14 @@ detection-update: [.....2] [ip4][..tcp] [192.168.149.129][43535] -> [..51.83.238.219][...80] [TLS.AnyDesk][RemoteAccess][Acceptable] RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Desktop/File Sharing analyse: [.....2] [ip4][..tcp] [192.168.149.129][43535] -> [..51.83.238.219][...80] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.603| 0.177| 0.394] - [IAT(c->s)...: 0.000| 1.216| 0.138| 0.310][IAT(s->c)...: 0.000| 1.603| 0.208| 0.450] - [PKTLEN(c->s): 54.000|1514.000| 435.100| 567.000][PKTLEN(s->c): 60.000|1514.000| 381.600| 543.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.603| 0.177| 0.394|155451.113| 0.000] + [PKTLEN......: 54.000| 1514.000| 406.700| 555.200|308238.000| 3.900] [BINS(c->s)..: 8,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,2,0,0] [BINS(s->c)..: 9,2,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,2,0,0,0,0,1,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,1,1] + [IATS........: 164805,164917,612,1082,165028,165426,485,455,339,338,1756,2021,164886,165169,210,191,219,307,218569,218677,606,928,1215453,1216321,7,87,855,7,2,1602919,62,0] + [PKTLENS.....: 74,60,54,317,60,1354,54,1354,54,60,54,1148,60,105,54,94,54,200,60,200,54,125,60,133,1514,1514,1256,60,60,60,1514,1194] detection-update: [.....2] [ip4][..tcp] [192.168.149.129][43535] -> [..51.83.238.219][...80] [TLS.AnyDesk][RemoteAccess][Acceptable] RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Desktop/File Sharing DAEMON-EVENT: [Processed: 6963 pkts][ZLib][compressions: 0|diff: 0 / 0] 
@@ -43,12 +45,14 @@ detection-update: [.....6] [ip4][..tcp] [..192.168.1.178][52039] -> [..192.168.1.187][.7070] [TLS.AnyDesk][RemoteAccess][Acceptable] RISK: Known Proto on Non Std Port, Weak TLS Cipher, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Desktop/File Sharing analyse: [.....5] [ip4][..tcp] [..192.168.1.187][54164] -> [..192.168.1.178][.7070] [TLS.AnyDesk][RemoteAccess][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 3.022| 0.471| 0.869] - [IAT(c->s)...: 0.000| 2.967| 0.489| 0.871][IAT(s->c)...: 0.000| 3.022| 0.454| 0.866] - [PKTLEN(c->s): 54.000|3980.000| 462.900|1028.200][PKTLEN(s->c): 60.000|1514.000| 209.500| 377.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 3.022| 0.471| 0.869|754614.927| 0.000] + [PKTLEN......: 54.000| 3980.000| 320.300| 747.400|558552.100| 3.200] [BINS(c->s)..: 6,4,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1] [BINS(s->c)..: 11,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,1,1,1,0,0,1,1,0,1,1,0,0,1,1,1,0,1,1,0,0,1,0] + [IATS........: 491,529,333,431,328,10474,10878,39566,40320,8749,9516,516873,517463,1553,27804,26175,2358,56316,902900,957284,1754245,1753698,16355,71246,2966766,3021750,4006,0,0,0,0,0] + [PKTLENS.....: 66,66,54,299,60,60,1514,197,54,1340,60,968,94,54,101,60,89,88,60,88,54,3980,60,60,60,93,60,155,54,113,60,130] DAEMON-EVENT: [Processed: 9484 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 4 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 7|updates: 0] new: [.....7] [ip4][..tcp] [..192.168.1.128][48260] -> [195.181.174.176][..443] 
@@ -59,12 +63,14 @@ detection-update: [.....7] [ip4][..tcp] [..192.168.1.128][48260] -> [195.181.174.176][..443] [TLS.AnyDesk][RemoteAccess][Acceptable] RISK: Missing SNI TLS Extn, Desktop/File Sharing analyse: [.....7] [ip4][..tcp] [..192.168.1.128][48260] -> [195.181.174.176][..443] [TLS.AnyDesk][RemoteAccess][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 8.445| 0.583| 2.064] - [IAT(c->s)...: 0.000| 8.428| 0.592| 2.095][IAT(s->c)...: 0.000| 8.445| 0.575| 2.034] - [PKTLEN(c->s): 66.000|1514.000| 430.100| 552.300][PKTLEN(s->c): 66.000|1514.000| 255.800| 413.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 8.445| 0.583| 2.064|4258557.067| 0.000] + [PKTLEN......: 66.000| 1514.000| 342.900| 495.500|245485.500| 3.900] [BINS(c->s)..: 8,0,2,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,2,0,0] [BINS(s->c)..: 7,4,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,1,0,0,1,1] + [IATS........: 17715,17815,909,17821,3430,20304,88,41,3772,21850,18137,104,44,888,64188,13442,76786,1527,18418,206643,224790,16,4,18683,18,62779,11,80221,8427892,8444631,313993,0] + [PKTLENS.....: 74,74,66,355,66,1514,66,1146,66,1160,117,66,106,66,213,66,212,66,151,66,159,1514,1514,1287,66,66,106,104,66,151,66,159] end: [.....6] [ip4][..tcp] [..192.168.1.178][52039] -> [..192.168.1.187][.7070] idle: [.....5] [ip4][..tcp] [..192.168.1.187][54164] -> [..192.168.1.178][.7070] [TLS.AnyDesk][RemoteAccess][Acceptable] RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Desktop/File Sharing diff --git a/test/results/flow-info/bad-dns-traffic.pcap.out b/test/results/flow-info/bad-dns-traffic.pcap.out index 04e10c0d4..5c26327f2 100644 --- a/test/results/flow-info/bad-dns-traffic.pcap.out +++ b/test/results/flow-info/bad-dns-traffic.pcap.out 
@@ -22,12 +22,14 @@ detection-update: [.....2] [ip4][..udp] [..192.168.43.91][56354] -> [........4.2.2.4][...53] [DNS][Network][Acceptable] RISK: Suspicious DGA Domain name, Risky Domain Name analyse: [.....2] [ip4][..udp] [..192.168.43.91][56354] -> [........4.2.2.4][...53] [DNS][Network][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.063| 4.102| 1.074| 0.689] - [IAT(c->s)...: 0.073| 1.042| 0.918| 0.283][IAT(s->c)...: 0.063| 4.102| 1.290| 0.970] - [PKTLEN(c->s): 95.000| 290.000| 115.300| 44.400][PKTLEN(s->c): 126.000| 323.000| 149.500| 52.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.063| 4.102| 1.074| 0.689|474850.951| 0.000] + [PKTLEN......: 95.000| 323.000| 129.200| 50.600| 2560.600| 4.900] [BINS(c->s)..: 0,13,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,10,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,1] + [IATS........: 1006460,1005839,1008074,1008541,4101854,73173,63089,1023925,1006666,2080907,1018755,962463,1014062,1012614,1013561,1040293,1038247,1060225,1011738,991100,1041523,1066575,1017786,982256,1029549,1026193,1027755,1007446,2080430,166358,305851,0] + [PKTLENS.....: 133,133,133,133,133,164,95,130,95,95,126,95,128,95,130,95,128,95,128,95,126,95,128,95,130,95,128,95,95,174,290,323] update: [.....1] [ip4][..udp] [..192.168.43.91][35966] -> [........4.2.2.4][...53] [DNS][Network][Acceptable] RISK: Suspicious DGA Domain name, Risky Domain Name update: [.....2] [ip4][..udp] [..192.168.43.91][56354] -> [........4.2.2.4][...53] [DNS][Network][Acceptable] diff --git a/test/results/flow-info/bitcoin.pcap.out b/test/results/flow-info/bitcoin.pcap.out index 764935325..53a7a290e 100644 --- a/test/results/flow-info/bitcoin.pcap.out +++ b/test/results/flow-info/bitcoin.pcap.out 
@@ -8,44 +8,52 @@ detected: [.....2] [ip4][..tcp] [..192.168.1.142][55328] -> [..69.118.54.122][.8333] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [.....2] [ip4][..tcp] [..192.168.1.142][55328] -> [..69.118.54.122][.8333] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 141.657| 9.231| 28.185] - [IAT(c->s)...: 141.657| 141.657| 141.657| 0.000][IAT(s->c)...: 0.000| 71.060| 4.817| 14.725] - [PKTLEN(c->s): 110.000| 171.000| 140.500| 30.500][PKTLEN(s->c): 86.000|1514.000|1267.100| 517.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 141.657| 9.231| 28.185|794377756.606| 0.000] + [PKTLEN......: 86.000| 1514.000| 1196.700| 570.200|325114.200| 4.800] [BINS(c->s)..: 0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0] + [DIRECTIONS..: 0,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] + [IATS........: 52705,59165,36072737,6972560,71059721,141657328,28238337,91,32968,6,2,1933055,1,2,1,2,4527,16790,273,4103,461,12118,1136,339,10616,15667,2671,6,3102,4098,7913,0] + [PKTLENS.....: 171,171,86,127,121,127,110,1514,1514,1514,1514,1045,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514] new: [.....3] [ip4][..tcp] [..192.168.1.142][55348] -> [..74.89.181.229][.8333] [MIDSTREAM] detected: [.....3] [ip4][..tcp] [..192.168.1.142][55348] -> [..74.89.181.229][.8333] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [.....3] [ip4][..tcp] [..192.168.1.142][55348] -> [..74.89.181.229][.8333] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 100.111| 6.495| 19.445] - [IAT(c->s)...: 0.312| 100.111| 50.211| 49.900][IAT(s->c)...: 0.000| 39.766| 3.480| 9.569] - [PKTLEN(c->s): 110.000| 171.000| 134.000| 26.500][PKTLEN(s->c): 86.000|1514.000|1276.400| 520.700] + [min|max|avg|stddev|variance|entropy] 
+ [IAT.........: 0.000| 100.111| 6.495| 19.445|378100231.700| 0.000] + [PKTLEN......: 86.000| 1514.000| 1169.300| 597.200|356626.800| 4.700] [BINS(c->s)..: 0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0] + [DIRECTIONS..: 0,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] + [IATS........: 59193,103209,9823152,39766075,21773202,100110670,311562,29237037,27,63547,5,128,1815,36336,73,10069,11,2188,6,22497,6,36,5434,1881,16669,98,3307,3200,88,2587,1046,0] + [PKTLENS.....: 171,171,86,182,121,121,110,121,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514] new: [.....4] [ip4][..tcp] [..192.168.1.142][55383] -> [....66.68.83.22][.8333] [MIDSTREAM] detected: [.....4] [ip4][..tcp] [..192.168.1.142][55383] -> [....66.68.83.22][.8333] [Mining][Mining][Unsafe] RISK: Unsafe Protocol DAEMON-EVENT: [Processed: 214 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 4 / 4|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] analyse: [.....4] [ip4][..tcp] [..192.168.1.142][55383] -> [....66.68.83.22][.8333] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 134.322| 8.966| 25.482] - [IAT(c->s)...: 0.000| 134.322| 16.848| 44.401][IAT(s->c)...: 0.000| 45.583| 6.224| 12.662] - [PKTLEN(c->s): 110.000|1514.000|1077.300| 619.900][PKTLEN(s->c): 86.000|1514.000|1094.400| 634.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 134.322| 8.966| 25.482|649325705.167| 0.000] + [PKTLEN......: 86.000| 1514.000| 1089.600| 630.500|397582.100| 4.700] [BINS(c->s)..: 0,1,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0] [BINS(s->c)..: 1,4,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0] + [DIRECTIONS..: 
0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] + [IATS........: 62318,90510,14042384,39643167,11451980,9238604,22700384,134322478,190526,216456,52,56784,49,15,11,45582876,5468,2949,79677,2390,56420,14875,38291,1106,29429,10233,41403,43,29590,11803,15753,0] + [PKTLENS.....: 171,171,86,127,127,127,182,127,110,1514,1514,1514,1514,1514,1514,331,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514] new: [.....5] [ip4][..tcp] [..192.168.1.142][55400] -> [.195.218.16.178][.8333] [MIDSTREAM] detected: [.....5] [ip4][..tcp] [..192.168.1.142][55400] -> [.195.218.16.178][.8333] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [.....5] [ip4][..tcp] [..192.168.1.142][55400] -> [.195.218.16.178][.8333] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 41.186| 2.780| 7.976] - [IAT(c->s)...: 0.000| 41.186| 8.435| 16.376][IAT(s->c)...: 0.002| 17.195| 1.693| 4.116] - [PKTLEN(c->s): 110.000|1514.000|1037.000| 635.500][PKTLEN(s->c): 86.000|1514.000|1139.800| 616.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 41.186| 2.780| 7.976|63609669.419| 0.000] + [PKTLEN......: 86.000| 1514.000| 1120.500| 621.500|386298.000| 4.700] [BINS(c->s)..: 0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,3,0,0] [BINS(s->c)..: 1,5,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0] + [DIRECTIONS..: 0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] + [IATS........: 128208,113258,17195103,11450771,3438749,6775,2755264,41186439,319900,321845,34,347450,8283500,31885,35035,52689,19022,36630,49289,41130,63903,2317,29070,27748,37436,32734,49198,24571,33724,41084,34074,0] + [PKTLENS.....: 171,171,86,121,121,121,121,127,110,1514,1514,1514,1399,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514] DAEMON-EVENT: [Processed: 494 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: 
[Flows][active: 5 / 5|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....6] [ip4][..tcp] [..192.168.1.142][55487] -> [.184.58.165.119][.8333] [MIDSTREAM] diff --git a/test/results/flow-info/bittorrent.pcap.out b/test/results/flow-info/bittorrent.pcap.out index d58d8fff2..63c92cfce 100644 --- a/test/results/flow-info/bittorrent.pcap.out +++ b/test/results/flow-info/bittorrent.pcap.out 
@@ -64,12 +64,14 @@ detected: [....21] [ip4][..tcp] [....192.168.1.3][52922] -> [..95.237.193.34][11321] [BitTorrent][Download][Acceptable] RISK: Known Proto on Non Std Port analyse: [....17] [ip4][..tcp] [....192.168.1.3][52915] -> [..198.100.146.9][60163] [BitTorrent][Download][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.012| 0.920| 0.247| 0.229] - [IAT(c->s)...: 0.012| 0.780| 0.345| 0.226][IAT(s->c)...: 0.013| 0.920| 0.193| 0.212] - [PKTLEN(c->s): 83.000| 242.000| 142.300| 59.300][PKTLEN(s->c): 80.000|1506.000|1092.800| 551.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.012| 0.920| 0.247| 0.229|52345.696| 0.000] + [PKTLEN......: 80.000| 1506.000| 736.400| 635.200|403438.900| 4.400] [BINS(c->s)..: 5,1,1,1,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,12,0,0] + [DIRECTIONS..: 0,1,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,0,1,1,1,1,1,1,0,1,1,1,1,0,1,1] + [IATS........: 176832,184047,360999,337345,477634,919975,779765,619481,619422,156869,158080,151021,161242,12043,185627,163549,148908,165750,153542,19235,148725,12813,146117,495893,130312,32142,133808,27318,421482,129521,27423,0] + [PKTLENS.....: 134,146,625,242,80,190,104,100,1506,83,1180,83,623,95,83,403,83,202,623,1506,1506,1506,1506,1506,202,1506,1506,1506,1506,211,1506,1506] new: [....22] [ip4][..tcp] [....192.168.1.3][52927] -> [.83.216.184.241][51413] [MIDSTREAM] detected: [....22] [ip4][..tcp] [....192.168.1.3][52927] -> [.83.216.184.241][51413] [BitTorrent][Download][Acceptable] new: [....23] [ip4][..tcp] [....192.168.1.3][52926] -> [..93.65.249.100][31336] [MIDSTREAM] diff --git a/test/results/flow-info/bittorrent_utp.pcap.out b/test/results/flow-info/bittorrent_utp.pcap.out index b789180e7..8b0df6133 100644 --- a/test/results/flow-info/bittorrent_utp.pcap.out +++ b/test/results/flow-info/bittorrent_utp.pcap.out 
@@ -5,12 +5,14 @@ detected: [.....1] [ip4][..udp] [..82.243.113.43][64969] -> [....192.168.1.5][40959] [BitTorrent][Download][Acceptable] RISK: Known Proto on Non Std Port analyse: [.....1] [ip4][..udp] [..82.243.113.43][64969] -> [....192.168.1.5][40959] [BitTorrent][Download][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.001| 5.430| 0.412| 1.202] - [IAT(c->s)...: 0.001| 4.392| 0.378| 1.031][IAT(s->c)...: 0.012| 5.430| 0.453| 1.381] - [PKTLEN(c->s): 62.000|1514.000| 827.700| 634.300][PKTLEN(s->c): 62.000| 519.000| 104.300| 116.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.001| 5.430| 0.412| 1.202|1445669.503| 0.000] + [PKTLEN......: 62.000| 1514.000| 511.200| 600.800|360942.700| 4.100] [BINS(c->s)..: 3,0,0,3,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0] [BINS(s->c)..: 11,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,1,0,1,1,0,1,0,0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1,0,0,0] + [IATS........: 4392194,1037924,5430275,116819,116920,100471,240441,139898,4463,110556,115010,959,58628,60551,88152,88141,37493,37665,24480,24365,43679,55465,11575,11793,11863,53659,52777,104119,173318,8337,17540,0] + [PKTLENS.....: 146,146,62,72,252,519,62,62,117,271,62,62,146,1514,68,1514,68,1514,68,1514,68,96,1514,68,1514,68,1514,62,62,1051,1051,1051] idle: [.....1] [ip4][..udp] [..82.243.113.43][64969] -> [....192.168.1.5][40959] [BitTorrent][Download][Acceptable] RISK: Known Proto on Non Std Port DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/bot.pcap.out b/test/results/flow-info/bot.pcap.out index 7b9e5e2ab..f6488ea40 100644 --- a/test/results/flow-info/bot.pcap.out +++ b/test/results/flow-info/bot.pcap.out 
@@ -4,11 +4,13 @@ new: [.....1] [ip4][..tcp] [...40.77.167.36][64768] -> [...89.31.72.220][...80] detected: [.....1] [ip4][..tcp] [...40.77.167.36][64768] -> [...89.31.72.220][...80] [HTTP.Azure][Cloud][Acceptable] analyse: [.....1] [ip4][..tcp] [...40.77.167.36][64768] -> [...89.31.72.220][...80] [HTTP.Azure][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.114| 0.014| 0.036] - [IAT(c->s)...: 0.000| 0.114| 0.037| 0.052][IAT(s->c)...: 0.000| 0.107| 0.009| 0.029] - [PKTLEN(c->s): 64.000| 374.000| 108.600| 108.400][PKTLEN(s->c): 64.000|1498.000|1383.400| 388.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.114| 0.014| 0.036| 1309.010| 0.000] + [PKTLEN......: 64.000| 1498.000| 1104.500| 631.200|398369.000| 4.600] [BINS(c->s)..: 6,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,1] + [IATS........: 409,106526,4,106682,7609,64,117,61,7,4,842,8,6,4,114244,282,105363,69,4,6,123,5,6,4,232,8,61,8,763,123,465,0] + [PKTLENS.....: 66,66,64,374,64,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,64,64,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,64,64,1498] end: [.....1] [ip4][..tcp] [...40.77.167.36][64768] -> [...89.31.72.220][...80] [HTTP.Azure][Cloud][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/capwap.pcap.out b/test/results/flow-info/capwap.pcap.out index acaa9a5a1..b1c245823 100644 --- a/test/results/flow-info/capwap.pcap.out +++ b/test/results/flow-info/capwap.pcap.out 
@@ -17,23 +17,27 @@ detected: [.....4] [ip4][..udp] [...192.168.10.9][.5246] -> [..192.168.10.10][12380] [CAPWAP][Network][Acceptable] update: [.....1] [ip4][..udp] [...192.168.10.9][.5246] -> [..192.168.10.10][12379] [CAPWAP][Network][Acceptable] analyse: [.....4] [ip4][..udp] [...192.168.10.9][.5246] -> [..192.168.10.10][12380] [CAPWAP][Network][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 10.093| 0.751| 2.532] - [IAT(c->s)...: 0.000| 10.093| 0.681| 2.432][IAT(s->c)...: 0.000| 9.998| 0.838| 2.646] - [PKTLEN(c->s): 106.000|1499.000| 546.600| 501.400][PKTLEN(s->c): 115.000|1499.000| 473.200| 463.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 10.093| 0.751| 2.532|6409154.986| 0.000] + [PKTLEN......: 106.000| 1499.000| 512.200| 485.400|235625.000| 4.400] [BINS(c->s)..: 0,0,5,3,0,0,0,0,0,1,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,0,0] [BINS(s->c)..: 0,0,1,6,1,0,0,0,1,0,0,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0] + [DIRECTIONS..: 0,0,1,0,1,0,0,0,1,1,1,1,1,0,1,0,0,1,1,0,0,1,0,0,1,1,0,0,1,0,1,0] + [IATS........: 760,9998434,10093423,96372,2625,2,127,182379,1,94,314122,135275,2746,249,111759,1,157255,1,325739,280124,1,39490,1,39481,264,2133,995,502,500,0,0,0] + [PKTLENS.....: 156,156,115,106,147,590,590,360,590,590,179,329,420,137,1499,1499,1499,1451,1035,1451,475,155,123,139,155,139,123,891,155,123,139,875] new: [.....5] [ip4][..udp] [..192.168.10.10][12380] -> [...192.168.10.9][.5247] detected: [.....5] [ip4][..udp] [..192.168.10.10][12380] -> [...192.168.10.9][.5247] [CAPWAP][Network][Acceptable] update: [.....2] [ip4][..udp] [..192.168.10.10][49259] -> [255.255.255.255][...53] ERROR-EVENT: Unknown packet type analyse: [.....5] [ip4][..udp] [..192.168.10.10][12380] -> [...192.168.10.9][.5247] [CAPWAP][Network][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.500| 4.000| 1.016| 0.875] - [IAT(c->s)...: 0.500| 4.000| 1.016| 0.875][IAT(s->c)...: 0.000| 0.000| 0.000| 
0.000] - [PKTLEN(c->s): 122.000| 325.000| 195.400| 58.400][PKTLEN(s->c): 0.000| 0.000| 0.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.500| 4.000| 1.016| 0.875|765810.835| 0.000] + [PKTLEN......: 122.000| 325.000| 195.400| 58.400| 3415.700| 4.900] [BINS(c->s)..: 0,0,6,7,2,9,2,5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 499983,500014,499872,2999961,499995,500031,499980,499982,499890,499986,499975,499998,499999,999998,999993,500014,2999827,1000005,999991,500032,1999814,500016,499990,999989,500017,1499983,499857,1999983,999996,999993,3999845,0] + [PKTLENS.....: 122,209,296,151,238,151,122,209,325,151,122,122,151,296,151,209,209,296,151,209,122,267,180,209,209,209,267,151,122,209,238,180] update: [.....3] [ip4][..udp] [..192.168.10.10][12380] -> [255.255.255.255][.5246] [CAPWAP][Network][Acceptable] update: [.....1] [ip4][..udp] [...192.168.10.9][.5246] -> [..192.168.10.10][12379] [CAPWAP][Network][Acceptable] update: [.....4] [ip4][..udp] [...192.168.10.9][.5246] -> [..192.168.10.10][12380] [CAPWAP][Network][Acceptable] diff --git a/test/results/flow-info/cassandra.pcap.out b/test/results/flow-info/cassandra.pcap.out index fa95c5094..d41299483 100644 --- a/test/results/flow-info/cassandra.pcap.out +++ b/test/results/flow-info/cassandra.pcap.out 
@@ -6,19 +6,23 @@ new: [.....2] [ip4][..tcp] [......127.0.0.1][46537] -> [......127.0.0.1][.9042] detected: [.....2] [ip4][..tcp] [......127.0.0.1][46537] -> [......127.0.0.1][.9042] [Cassandra][Database][Acceptable] analyse: [.....1] [ip4][..tcp] [......127.0.0.1][46536] -> [......127.0.0.1][.9042] [Cassandra][Database][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 26.002| 1.755| 6.369] - [IAT(c->s)...: 0.000| 26.002| 1.700| 6.281][IAT(s->c)...: 0.000| 25.963| 1.813| 6.461] - [PKTLEN(c->s): 66.000| 387.000| 121.600| 77.900][PKTLEN(s->c): 66.000|25214.000|4025.500|8138.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 26.002| 1.755| 6.369|40566842.720| 0.000] + [PKTLEN......: 66.000|25214.000| 1951.600| 5902.900|34844344.000| 2.100] [BINS(c->s)..: 9,2,3,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,2,2,1,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,0,1,0,1,1,0,1,1,0,1,0,0,1,0,1,0] + [IATS........: 11,19,249,264,5672,5686,233,620,1533,1593,1631,2318,1136,3494,3539,2825,4760,1891,1781,667,2471,2015,1427,3423,25963183,26002233,1164047,1204436,1335,2304,5708,0] + [PKTLENS.....: 74,74,66,75,66,127,66,97,75,124,75,167,182,193,11145,66,119,557,387,380,257,66,21816,25214,66,124,66,140,147,139,144,157] analyse: [.....2] [ip4][..tcp] [......127.0.0.1][46537] -> [......127.0.0.1][.9042] [Cassandra][Database][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 25.937| 2.293| 6.507] - [IAT(c->s)...: 0.000| 25.897| 2.200| 6.235][IAT(s->c)...: 0.000| 25.937| 2.407| 6.821] - [PKTLEN(c->s): 66.000| 291.000| 110.600| 58.800][PKTLEN(s->c): 66.000|11512.000| 923.800|2937.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 25.937| 2.293| 6.507|42345709.961| 0.000] + [PKTLEN......: 66.000|11512.000| 466.300| 1984.700|3939065.000| 1.900] [BINS(c->s)..: 
10,2,4,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,0,0,1,0,0,1,0,0] + [IATS........: 13,21,671,688,5291,5315,288,749,1660,4537,3374,25897068,25937061,6031,46634,674,28,18,1162,1117,2315,1239,3343,41722,7689860,7730331,832,186,642,40128,3670158,0] + [PKTLENS.....: 74,74,66,75,66,127,66,97,75,140,11512,66,201,66,113,140,66,139,66,147,144,66,157,289,66,113,94,66,101,94,66,291] end: [.....1] [ip4][..tcp] [......127.0.0.1][46536] -> [......127.0.0.1][.9042] [Cassandra][Database][Acceptable] end: [.....2] [ip4][..tcp] [......127.0.0.1][46537] -> [......127.0.0.1][.9042] [Cassandra][Database][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/check_mk_new.pcap.out b/test/results/flow-info/check_mk_new.pcap.out index b6d0a92a4..2dedf5f40 100644 --- a/test/results/flow-info/check_mk_new.pcap.out +++ b/test/results/flow-info/check_mk_new.pcap.out 
@@ -4,11 +4,13 @@ new: [.....1] [ip4][..tcp] [.192.168.100.22][58998] -> [.192.168.100.50][.6556] detected: [.....1] [ip4][..tcp] [.192.168.100.22][58998] -> [.192.168.100.50][.6556] [CHECKMK][DataTransfer][Acceptable] analyse: [.....1] [ip4][..tcp] [.192.168.100.22][58998] -> [.192.168.100.50][.6556] [CHECKMK][DataTransfer][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.002| 0.001| 0.001] - [IAT(c->s)...: 0.000| 0.002| 0.001| 0.001][IAT(s->c)...: 0.000| 0.002| 0.001| 0.001] - [PKTLEN(c->s): 66.000| 74.000| 66.500| 1.900][PKTLEN(s->c): 67.000| 568.000| 152.500| 153.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.002| 0.001| 0.001| 0.660| 0.000] + [PKTLEN......: 66.000| 568.000| 109.500| 116.800|13650.400| 4.500] [BINS(c->s)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 27,188,2128,2061,102,68,67,104,1865,1834,72,90,1254,1242,147,158,91,94,1228,1205,176,172,1964,1988,1810,1805,1867,1907,699,663,119,0] + [PKTLENS.....: 74,74,66,81,66,331,66,76,66,67,66,75,66,568,66,75,66,84,66,477,66,82,66,82,66,83,66,79,66,131,66,75] end: [.....1] [ip4][..tcp] [.192.168.100.22][58998] -> [.192.168.100.50][.6556] [CHECKMK][DataTransfer][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/chrome.pcap.out b/test/results/flow-info/chrome.pcap.out index 476ceb9b0..73ad7d9ca 100644 --- a/test/results/flow-info/chrome.pcap.out +++ b/test/results/flow-info/chrome.pcap.out 
@@ -7,12 +7,14 @@ new: [.....2] [ip4][..tcp] [..192.168.1.178][64394] -> [...146.48.58.18][..443] detected: [.....2] [ip4][..tcp] [..192.168.1.178][64394] -> [...146.48.58.18][..443] [TLS][Web][Safe] analyse: [.....1] [ip4][..tcp] [..192.168.1.178][64393] -> [...146.48.58.18][..443] [TLS][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.629| 0.057| 0.154] - [IAT(c->s)...: 0.000| 0.629| 0.067| 0.166][IAT(s->c)...: 0.000| 0.628| 0.050| 0.145] - [PKTLEN(c->s): 66.000| 816.000| 209.600| 263.400][PKTLEN(s->c): 66.000|1506.000| 938.200| 652.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.629| 0.057| 0.154|23802.585| 0.000] + [PKTLEN......: 66.000| 1506.000| 619.400| 632.900|400560.700| 4.200] [BINS(c->s)..: 10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,9,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,0,0,1,1,1] + [IATS........: 28765,28872,339,29774,6968,212,36564,499,471,13592,322,42282,28,185,11,28620,3,627868,1163,629043,92,171,257,86,255,319,1121,131143,160052,5604,100,0] + [PKTLENS.....: 78,74,66,583,66,1506,1506,66,772,66,146,816,66,66,369,369,66,66,1506,1506,66,1506,1506,66,1506,1485,66,66,717,66,1506,1506] detection-update: [.....2] [ip4][..tcp] [..192.168.1.178][64394] -> [...146.48.58.18][..443] [TLS][Web][Safe] new: [.....3] [ip4][..tcp] [..192.168.1.178][64408] -> [...146.48.58.18][..443] new: [.....4] [ip4][..tcp] [..192.168.1.178][64409] -> [...146.48.58.18][..443] 
@@ -23,48 +25,58 @@ detected: [.....5] [ip4][..tcp] [..192.168.1.178][64410] -> [...146.48.58.18][..443] [TLS][Web][Safe] detected: [.....6] [ip4][..tcp] [..192.168.1.178][64411] -> [...146.48.58.18][..443] [TLS][Web][Safe] analyse: [.....2] [ip4][..tcp] [..192.168.1.178][64394] -> [...146.48.58.18][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.469| 0.038| 0.110] - [IAT(c->s)...: 0.000| 0.442| 0.042| 0.112][IAT(s->c)...: 0.000| 0.469| 0.035| 0.109] - [PKTLEN(c->s): 66.000| 783.000| 209.200| 272.300][PKTLEN(s->c): 66.000|1506.000|1003.300| 636.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.469| 0.038| 0.110|12173.627| 0.000] + [PKTLEN......: 66.000| 1506.000| 631.100| 638.000|407026.800| 4.200] [BINS(c->s)..: 11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,0,1,0,0] + [IATS........: 28488,28560,612,28383,2758,30530,2041,28373,116,26422,441785,468764,1748,1393,30158,119,111,182,125,120,237,134,128,266,240,251,495,806,26027,25276,1809,0] + [PKTLENS.....: 78,74,66,701,66,326,66,146,66,369,66,783,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,66,1029,66,770] detection-update: [.....2] [ip4][..tcp] [..192.168.1.178][64394] -> [...146.48.58.18][..443] [TLS][Web][Safe] detection-update: [.....4] [ip4][..tcp] [..192.168.1.178][64409] -> [...146.48.58.18][..443] [TLS][Web][Safe] detection-update: [.....3] [ip4][..tcp] [..192.168.1.178][64408] -> [...146.48.58.18][..443] [TLS][Web][Safe] detection-update: [.....6] [ip4][..tcp] [..192.168.1.178][64411] -> [...146.48.58.18][..443] [TLS][Web][Safe] detection-update: [.....5] [ip4][..tcp] [..192.168.1.178][64410] -> [...146.48.58.18][..443] [TLS][Web][Safe] analyse: [.....6] [ip4][..tcp] [..192.168.1.178][64411] -> [...146.48.58.18][..443] - 
[min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.035| 0.006| 0.011] - [IAT(c->s)...: 0.000| 0.035| 0.006| 0.012][IAT(s->c)...: 0.000| 0.028| 0.006| 0.011] - [PKTLEN(c->s): 66.000| 820.000| 195.300| 259.000][PKTLEN(s->c): 66.000|1506.000| 890.100| 638.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.035| 0.006| 0.011| 126.441| 0.000] + [PKTLEN......: 66.000| 1506.000| 542.700| 598.400|358096.100| 4.100] [BINS(c->s)..: 12,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,0,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,1,1,0,0,0,0] + [IATS........: 26769,26817,1326,28249,6762,1293,14,34983,12,374,291,27566,2,26902,1379,1360,1118,15,1124,130,231,245,356,130,118,13,252,11,746,1742,0,0] + [PKTLENS.....: 78,74,66,583,66,1506,1506,772,66,66,146,772,66,369,66,66,369,66,1506,1506,66,66,1506,1506,66,1506,1506,412,66,66,66,820] detection-update: [.....6] [ip4][..tcp] [..192.168.1.178][64411] -> [...146.48.58.18][..443] [TLS][Web][Safe] analyse: [.....4] [ip4][..tcp] [..192.168.1.178][64409] -> [...146.48.58.18][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.031| 0.008| 0.012] - [IAT(c->s)...: 0.000| 0.031| 0.010| 0.013][IAT(s->c)...: 0.000| 0.029| 0.006| 0.011] - [PKTLEN(c->s): 66.000| 772.000| 176.200| 240.200][PKTLEN(s->c): 66.000|1506.000|1081.300| 629.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.031| 0.008| 0.012| 146.160| 0.000] + [PKTLEN......: 66.000| 1506.000| 713.600| 675.500|456346.800| 4.300] [BINS(c->s)..: 10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1] + [IATS........: 
29278,29334,864,29011,2497,30653,580,334,26242,1058,2318,28687,1760,236,1984,377,499,883,126,124,243,136,114,251,129,941,26868,117,26169,1503,132,0] + [PKTLENS.....: 78,74,66,701,66,326,66,146,772,66,66,369,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,66,1506,1506,66,1506,1506] detection-update: [.....4] [ip4][..tcp] [..192.168.1.178][64409] -> [...146.48.58.18][..443] [TLS][Web][Safe] analyse: [.....5] [ip4][..tcp] [..192.168.1.178][64410] -> [...146.48.58.18][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.038| 0.007| 0.012] - [IAT(c->s)...: 0.000| 0.038| 0.008| 0.013][IAT(s->c)...: 0.000| 0.030| 0.007| 0.011] - [PKTLEN(c->s): 66.000| 772.000| 159.900| 215.300][PKTLEN(s->c): 66.000|1506.000|1019.300| 629.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.038| 0.007| 0.012| 150.077| 0.000] + [PKTLEN......: 66.000| 1506.000| 643.300| 651.900|424923.800| 4.200] [BINS(c->s)..: 11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,1,0,1,0,1] + [IATS........: 28686,28726,1295,29880,9620,122,15,38324,11,451,233,27995,116,117,14,27547,3,1242,1253,2514,126,125,241,123,122,245,249,230,376,396,25266,0] + [PKTLENS.....: 78,74,66,583,66,1506,1506,772,66,66,146,772,66,66,369,369,66,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,66,1506,66,1506] detection-update: [.....5] [ip4][..tcp] [..192.168.1.178][64410] -> [...146.48.58.18][..443] [TLS][Web][Safe] analyse: [.....3] [ip4][..tcp] [..192.168.1.178][64408] -> [...146.48.58.18][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.032| 0.008| 0.013] - [IAT(c->s)...: 0.000| 0.031| 0.009| 0.013][IAT(s->c)...: 0.000| 0.032| 0.007| 0.013] - [PKTLEN(c->s): 66.000| 775.000| 208.800| 271.400][PKTLEN(s->c): 66.000|1506.000| 989.800| 638.300] + 
[min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.032| 0.008| 0.013| 163.814| 0.000] + [PKTLEN......: 66.000| 1506.000| 623.700| 634.700|402848.700| 4.200] [BINS(c->s)..: 11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,0] + [IATS........: 29778,29819,1050,30027,2482,31460,377,194,32013,8,1,31458,983,109,1078,130,153,122,98,131,118,249,502,124,630,126,1459,27278,100,26052,4586,0] + [PKTLENS.....: 78,74,66,701,66,326,66,146,772,66,369,66,66,1506,1506,66,1506,66,1506,66,1506,1506,66,1506,1506,66,1506,66,1506,799,66,775] detection-update: [.....3] [ip4][..tcp] [..192.168.1.178][64408] -> [...146.48.58.18][..443] [TLS][Web][Safe] end: [.....1] [ip4][..tcp] [..192.168.1.178][64393] -> [...146.48.58.18][..443] [TLS][Web][Safe] end: [.....2] [ip4][..tcp] [..192.168.1.178][64394] -> [...146.48.58.18][..443] [TLS][Web][Safe] diff --git a/test/results/flow-info/citrix.pcap.out b/test/results/flow-info/citrix.pcap.out index 509734341..f0b34aeea 100644 --- a/test/results/flow-info/citrix.pcap.out +++ b/test/results/flow-info/citrix.pcap.out 
@@ -2,11 +2,13 @@ new: [.....1] [ip4][..tcp] [.......21.0.0.8][45225] -> [.......22.0.0.7][.1494] detected: [.....1] [ip4][..tcp] [.......21.0.0.8][45225] -> [.......22.0.0.7][.1494] [Citrix][Network][Acceptable] analyse: [.....1] [ip4][..tcp] [.......21.0.0.8][45225] -> [.......22.0.0.7][.1494] [Citrix][Network][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.056| 0.005| 0.012] - [IAT(c->s)...: 0.000| 0.046| 0.003| 0.009][IAT(s->c)...: 0.002| 0.056| 0.015| 0.021] - [PKTLEN(c->s): 64.000| 401.000| 120.300| 66.300][PKTLEN(s->c): 64.000| 142.000| 82.000| 30.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.056| 0.005| 0.012| 154.959| 0.000] + [PKTLEN......: 64.000| 401.000| 114.300| 63.600| 4041.600| 4.800] [BINS(c->s)..: 5,18,1,0,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0] + [IATS........: 2099,2106,6093,6094,4120,7122,1007,6,6,6,6,1006,1007,7,5,13,6,1007,6,5,2009,7,5,6,5,1007,5,56256,46119,4116,4114,0] + [PKTLENS.....: 64,64,64,64,64,76,212,121,101,102,105,401,97,225,109,147,117,111,109,117,112,97,97,97,114,117,111,109,142,64,64,64] idle: [.....1] [ip4][..tcp] [.......21.0.0.8][45225] -> [.......22.0.0.7][.1494] [Citrix][Network][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/coap_mqtt.pcap.out b/test/results/flow-info/coap_mqtt.pcap.out index d375ccad0..cfef7ccf2 100644 --- a/test/results/flow-info/coap_mqtt.pcap.out +++ b/test/results/flow-info/coap_mqtt.pcap.out 
@@ -46,67 +46,83 @@ detected: [....13] [ip4][..tcp] [.192.168.56.101][17501] -> [...192.168.56.1][53524] [MQTT][RPC][Acceptable] RISK: Known Proto on Non Std Port analyse: [....11] [ip4][..tcp] [...192.168.56.1][53528] -> [.192.168.56.101][17501] [MQTT][RPC][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 4.439| 0.304| 1.061] - [IAT(c->s)...: 0.000| 4.242| 0.335| 1.085][IAT(s->c)...: 0.000| 4.439| 0.278| 1.040] - [PKTLEN(c->s): 60.000| 114.000| 76.300| 23.100][PKTLEN(s->c): 54.000| 140.000| 76.300| 35.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 4.439| 0.304| 1.061|1125807.423| 0.000] + [PKTLEN......: 54.000| 140.000| 76.300| 30.100| 907.000| 4.900] [BINS(c->s)..: 11,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 13,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1] + [IATS........: 72,248,4635,4859,1038,9311,9054,2795,3496,481,2352,21820,23421,198700,4438876,4242440,38504,37941,469,2294,62501,64983,1232,38696,37823,527,2778,66747,69695,1087,39395,0] + [PKTLENS.....: 66,66,60,73,54,58,114,58,69,59,138,60,114,58,60,140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54] analyse: [.....9] [ip4][..tcp] [...192.168.56.1][53522] -> [.192.168.56.101][17501] [MQTT][RPC][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 27.506| 1.802| 6.725] - [IAT(c->s)...: 0.001| 27.310| 2.149| 7.264][IAT(s->c)...: 0.000| 27.506| 1.552| 6.295] - [PKTLEN(c->s): 60.000| 114.000| 75.400| 24.400][PKTLEN(s->c): 54.000| 140.000| 78.900| 37.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 27.506| 1.802| 6.725|45219399.598| 0.000] + [PKTLEN......: 54.000| 140.000| 77.400| 32.800| 1072.600| 4.900] [BINS(c->s)..: 10,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 
13,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0] + [IATS........: 709,199149,27505948,27310358,42735,39960,130,529,60417,61165,1588,38934,37729,553,2947,66282,69491,1247,39646,39140,1019,2437,62744,65305,1790,40465,38726,170,6175,66713,73088,0] + [PKTLENS.....: 60,56,60,140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60] analyse: [....10] [ip4][..tcp] [...192.168.56.1][53523] -> [.192.168.56.101][17501] [MQTT][RPC][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 13.151| 0.876| 3.198] - [IAT(c->s)...: 0.001| 12.952| 1.045| 3.438][IAT(s->c)...: 0.000| 13.151| 0.755| 3.007] - [PKTLEN(c->s): 60.000| 114.000| 75.400| 24.400][PKTLEN(s->c): 54.000| 140.000| 78.900| 37.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 13.151| 0.876| 3.198|10225378.656| 0.000] + [PKTLEN......: 54.000| 140.000| 77.400| 32.800| 1072.600| 4.900] [BINS(c->s)..: 10,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 13,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0] + [IATS........: 404,199934,13150790,12952309,38608,37989,477,2148,62571,64954,1016,38807,38093,501,2594,66803,69615,1179,39541,39110,979,2406,62938,65497,773,40198,39480,237,5592,67477,73236,0] + [PKTLENS.....: 60,56,60,140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60] analyse: [....13] [ip4][..tcp] [.192.168.56.101][17501] -> [...192.168.56.1][53524] [MQTT][RPC][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.074| 0.031| 0.027] - [IAT(c->s)...: 0.000| 0.067| 0.028| 0.026][IAT(s->c)...: 0.001| 0.074| 0.034| 0.027] - [PKTLEN(c->s): 54.000| 140.000| 78.800| 38.000][PKTLEN(s->c): 60.000| 
114.000| 79.300| 25.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.074| 0.031| 0.027| 714.536| 0.000] + [PKTLEN......: 54.000| 140.000| 79.000| 33.200| 1105.200| 4.900] [BINS(c->s)..: 13,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1] + [IATS........: 1998,38598,37069,480,2447,62266,64859,841,38683,38127,461,2290,67273,69748,665,39428,39498,931,2251,63248,65640,1623,40275,38699,156,6124,67250,73508,2463,42357,39863,0] + [PKTLENS.....: 140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114] new: [....14] [ip4][..udp] [...192.168.56.1][50318] -> [.192.168.56.101][17500] detected: [....14] [ip4][..udp] [...192.168.56.1][50318] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] analyse: [....12] [ip4][..udp] [...192.168.56.1][50311] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.002| 0.118| 0.106| 0.019] - [IAT(c->s)...: 0.104| 0.118| 0.110| 0.003][IAT(s->c)...: 0.002| 0.116| 0.103| 0.026] - [PKTLEN(c->s): 136.000| 143.000| 138.100| 2.100][PKTLEN(s->c): 59.000| 66.000| 61.100| 2.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.002| 0.118| 0.106| 0.019| 373.406| 0.000] + [PKTLEN......: 59.000| 143.000| 99.600| 38.600| 1486.700| 4.900] [BINS(c->s)..: 0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 
1824,103882,104036,108951,108450,105413,105949,113800,113717,106838,107131,109410,109028,108906,115953,117757,112312,110612,110806,109887,107946,108022,108009,113116,114023,110812,110429,107359,111248,109470,105114,0] + [PKTLENS.....: 138,61,137,60,136,59,143,66,139,62,136,59,138,61,138,61,140,63,137,60,138,61,137,60,137,60,137,60,143,66,136,59] new: [....15] [ip4][..udp] [...192.168.56.1][50312] -> [.192.168.56.101][17500] detected: [....15] [ip4][..udp] [...192.168.56.1][50312] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] analyse: [....14] [ip4][..udp] [...192.168.56.1][50318] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.002| 0.128| 0.112| 0.021] - [IAT(c->s)...: 0.106| 0.128| 0.115| 0.006][IAT(s->c)...: 0.002| 0.126| 0.108| 0.028] - [PKTLEN(c->s): 137.000| 142.000| 139.000| 1.800][PKTLEN(s->c): 60.000| 65.000| 62.000| 1.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.002| 0.128| 0.112| 0.021| 434.412| 0.000] + [PKTLEN......: 60.000| 142.000| 100.500| 38.500| 1485.600| 4.900] [BINS(c->s)..: 0,0,6,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 2441,112948,114313,107773,108080,108005,107995,109511,111427,119112,118338,116979,117004,127663,125063,114041,112993,120228,120931,111475,111310,105608,107791,113820,112048,122618,125498,112978,109966,123530,125708,0] + [PKTLENS.....: 137,60,141,64,140,63,142,65,137,60,139,62,140,63,139,62,137,60,138,61,142,65,140,63,137,60,137,60,137,60,141,64] new: [....16] [ip4][..udp] [...192.168.56.1][50319] -> [.192.168.56.101][17500] detected: [....16] [ip4][..udp] [...192.168.56.1][50319] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] analyse: [....15] [ip4][..udp] [...192.168.56.1][50312] 
-> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.001| 0.131| 0.117| 0.022] - [IAT(c->s)...: 0.105| 0.131| 0.121| 0.008][IAT(s->c)...: 0.001| 0.131| 0.113| 0.030] - [PKTLEN(c->s): 137.000| 143.000| 139.800| 1.800][PKTLEN(s->c): 60.000| 66.000| 62.800| 1.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.001| 0.131| 0.117| 0.022| 500.202| 0.000] + [PKTLEN......: 60.000| 143.000| 101.200| 38.500| 1485.300| 4.900] [BINS(c->s)..: 0,0,3,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 1319,105009,107122,122637,124565,114853,120385,119749,111541,123867,122956,105381,109394,122887,120099,118036,119438,130107,131359,131277,128951,120148,121275,112275,114829,128910,125477,127969,127046,125146,128537,0] + [PKTLENS.....: 139,62,143,66,139,62,140,63,140,63,137,60,137,60,137,60,142,65,140,63,141,64,139,62,139,62,142,65,141,64,140,63] analyse: [....16] [ip4][..udp] [...192.168.56.1][50319] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.005| 0.172| 0.127| 0.026] - [IAT(c->s)...: 0.107| 0.172| 0.131| 0.015][IAT(s->c)...: 0.005| 0.165| 0.123| 0.033] - [PKTLEN(c->s): 136.000| 143.000| 139.600| 2.200][PKTLEN(s->c): 59.000| 66.000| 62.600| 2.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.005| 0.172| 0.127| 0.026| 689.813| 0.000] + [PKTLEN......: 59.000| 143.000| 101.100| 38.600| 1487.100| 4.900] [BINS(c->s)..: 0,0,4,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + 
[IATS........: 5091,140506,139383,127325,129287,138036,134456,137698,141222,137865,138593,132603,133311,132101,136834,172321,164608,137809,136671,122327,121648,117128,118696,128848,133217,115516,110107,123592,124533,106749,105564,0] + [PKTLENS.....: 141,64,142,65,137,60,137,60,140,63,137,60,136,59,141,64,139,62,143,66,140,63,138,61,139,62,143,66,138,61,142,65] idle: [....12] [ip4][..udp] [...192.168.56.1][50311] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] idle: [....15] [ip4][..udp] [...192.168.56.1][50312] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] idle: [....14] [ip4][..udp] [...192.168.56.1][50318] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] diff --git a/test/results/flow-info/collectd.pcap.out b/test/results/flow-info/collectd.pcap.out index e25df5830..b39bb79d4 100644 --- a/test/results/flow-info/collectd.pcap.out +++ b/test/results/flow-info/collectd.pcap.out 
@@ -34,12 +34,14 @@ update: [.....7] [ip4][..udp] [......127.0.0.1][35988] -> [......127.0.0.1][25826] [collectd][System][Acceptable] update: [.....7] [ip4][..udp] [......127.0.0.1][35988] -> [......127.0.0.1][25826] [collectd][System][Acceptable] analyse: [.....7] [ip4][..udp] [......127.0.0.1][35988] -> [......127.0.0.1][25826] [collectd][System][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 10.000| 8.710| 3.352] - [IAT(c->s)...: 0.000| 10.000| 8.710| 3.352][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 1353.000|1388.000|1371.600| 10.800][PKTLEN(s->c): 0.000| 0.000| 0.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 10.000| 8.710| 3.352|11236716.577| 0.000] + [PKTLEN......: 1353.000| 1388.000| 1371.600| 10.800| 116.600| 5.000] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,26,4,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 9999043,10000474,9999533,9999908,9999948,529,9999990,10000110,9999700,10000036,9999885,10000020,417,9999778,9999931,10000097,9999852,9999817,10000085,761,9999588,9999630,10000163,10000066,9999926,9999713,640,10000064,9999244,10000446,9999890,0] + [PKTLENS.....: 1385,1365,1371,1361,1365,1355,1369,1388,1379,1385,1386,1380,1386,1368,1375,1376,1353,1371,1368,1353,1365,1364,1367,1370,1384,1361,1381,1383,1388,1355,1359,1376] update: [.....7] [ip4][..udp] [......127.0.0.1][35988] -> [......127.0.0.1][25826] [collectd][System][Acceptable] update: [.....7] [ip4][..udp] [......127.0.0.1][35988] -> [......127.0.0.1][25826] [collectd][System][Acceptable] new: [.....8] [ip4][..udp] [......127.0.0.1][36832] -> [......127.0.0.1][25826] diff --git a/test/results/flow-info/dnp3.pcap.out b/test/results/flow-info/dnp3.pcap.out index b55172708..5846bb6cf 100644 
--- a/test/results/flow-info/dnp3.pcap.out +++ b/test/results/flow-info/dnp3.pcap.out 
@@ -4,58 +4,68 @@ new: [.....1] [ip4][..tcp] [.......10.0.0.8][.2789] -> [.......10.0.0.3][20000] detected: [.....1] [ip4][..tcp] [.......10.0.0.8][.2789] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] analyse: [.....1] [ip4][..tcp] [.......10.0.0.8][.2789] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 120.146| 12.647| 35.851] - [IAT(c->s)...: 0.000| 120.146| 20.567| 44.545][IAT(s->c)...: 0.000| 3.043| 0.767| 1.314] - [PKTLEN(c->s): 60.000| 79.000| 66.300| 7.700][PKTLEN(s->c): 60.000| 71.000| 66.000| 5.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 120.146| 12.647| 35.851|1285324797.903| 0.000] + [PKTLEN......: 60.000| 79.000| 66.200| 6.800| 46.800| 5.000] [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0] + [IATS........: 201,411,1564,151649,2891882,795,3043080,21210,212002,120145678,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [PKTLENS.....: 62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,69,69,69,79,79,79,60,60,60,71,71,71,60,60,60,78,78] DAEMON-EVENT: [Processed: 39 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....2] [ip4][..tcp] [.......10.0.0.8][.2803] -> [.......10.0.0.3][20000] detected: [.....2] [ip4][..tcp] [.......10.0.0.8][.2803] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] analyse: [.....2] [ip4][..tcp] [.......10.0.0.8][.2803] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 17.487| 5.095| 6.400] - [IAT(c->s)...: 0.000| 17.203| 5.095| 6.326][IAT(s->c)...: 0.000| 17.487| 5.095| 6.474] - [PKTLEN(c->s): 60.000| 78.000| 66.300| 
8.300][PKTLEN(s->c): 60.000| 71.000| 62.800| 4.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 17.487| 5.095| 6.400|40966232.736| 0.000] + [PKTLEN......: 60.000| 78.000| 64.800| 7.100| 50.000| 5.000] [BINS(c->s)..: 18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,1] + [IATS........: 174,378,1487,181225,17203302,17487311,4814054,4907006,3276812,3079947,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [PKTLENS.....: 62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,78,78,78,60,60,60,78,78,78,60,60,60,60,60,60,60,60] DAEMON-EVENT: [Processed: 78 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 2 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....3] [ip4][..tcp] [.......10.0.0.8][.2828] -> [.......10.0.0.3][20000] detected: [.....3] [ip4][..tcp] [.......10.0.0.8][.2828] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] end: [.....2] [ip4][..tcp] [.......10.0.0.8][.2803] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] analyse: [.....3] [ip4][..tcp] [.......10.0.0.8][.2828] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 82.989| 8.549| 24.817] - [IAT(c->s)...: 0.000| 82.989| 14.056| 30.830][IAT(s->c)...: 0.000| 1.141| 0.288| 0.493] - [PKTLEN(c->s): 60.000| 79.000| 66.300| 7.700][PKTLEN(s->c): 60.000| 71.000| 66.000| 5.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 82.989| 8.549| 24.817|615875493.233| 0.000] + [PKTLEN......: 60.000| 79.000| 66.200| 6.800| 46.800| 5.000] [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 
12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0] + [IATS........: 167,372,1487,144969,996855,774,1141407,10263,204144,82989444,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [PKTLENS.....: 62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,69,69,69,79,79,79,60,60,60,71,71,71,60,60,60,78,78] DAEMON-EVENT: [Processed: 216 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 2 / 3|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....4] [ip4][..tcp] [.......10.0.0.9][.1080] -> [.......10.0.0.3][20000] idle: [.....1] [ip4][..tcp] [.......10.0.0.8][.2789] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] detected: [.....4] [ip4][..tcp] [.......10.0.0.9][.1080] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] analyse: [.....4] [ip4][..tcp] [.......10.0.0.9][.1080] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 75.076| 22.122| 29.810] - [IAT(c->s)...: 0.000| 75.029| 22.114| 29.776][IAT(s->c)...: 0.000| 75.076| 22.129| 29.843] - [PKTLEN(c->s): 60.000| 72.000| 63.800| 4.800][PKTLEN(s->c): 62.000| 77.000| 70.400| 5.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 75.076| 22.122| 29.810|888614640.681| 0.000] + [PKTLEN......: 60.000| 77.000| 66.700| 5.900| 34.500| 5.000] [BINS(c->s)..: 18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1] + [IATS........: 172,422,75028631,75076356,533,48219,553,153041,35338826,35569788,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [PKTLENS.....: 62,62,62,62,62,62,60,60,60,69,69,69,71,71,71,71,71,71,60,60,60,77,77,77,60,60,60,72,72,72,71,71] 
DAEMON-EVENT: [Processed: 351 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 2 / 4|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....5] [ip4][..tcp] [.......10.0.0.8][.1086] -> [.......10.0.0.3][20000] detected: [.....5] [ip4][..tcp] [.......10.0.0.8][.1086] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] analyse: [.....5] [ip4][..tcp] [.......10.0.0.8][.1086] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 2.639| 0.563| 1.000] - [IAT(c->s)...: 0.000| 2.471| 0.481| 0.894][IAT(s->c)...: 0.000| 2.639| 0.685| 1.129] - [PKTLEN(c->s): 60.000| 79.000| 66.200| 7.600][PKTLEN(s->c): 60.000| 71.000| 66.000| 5.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 2.639| 0.563| 1.000|999705.674| 0.000] + [PKTLEN......: 60.000| 79.000| 66.200| 6.800| 46.100| 5.000] [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0] + [IATS........: 139,330,1310,168563,2471106,796,2639445,99801,232167,15277,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [PKTLENS.....: 62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,69,69,69,78,78,78,60,60,60,71,71,71,60,60,60,79,79] idle: [.....3] [ip4][..tcp] [.......10.0.0.8][.2828] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] DAEMON-EVENT: [Processed: 444 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 2 / 5|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] 
@@ -69,23 +79,27 @@ detected: [.....7] [ip4][..tcp] [.......10.0.0.8][.1184] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] idle: [.....5] [ip4][..tcp] [.......10.0.0.8][.1086] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] analyse: [.....7] [ip4][..tcp] [.......10.0.0.8][.1184] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 9.488| 2.471| 3.592] - [IAT(c->s)...: 0.000| 9.227| 2.069| 3.330][IAT(s->c)...: 0.000| 9.488| 3.076| 3.876] - [PKTLEN(c->s): 60.000| 78.000| 65.700| 8.100][PKTLEN(s->c): 62.000| 71.000| 68.800| 3.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 9.488| 2.471| 3.592|12904304.738| 0.000] + [PKTLEN......: 60.000| 78.000| 66.800| 7.000| 48.700| 5.000] [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0] + [IATS........: 157,360,1427,192830,9226978,9487840,187102,2636386,2814075,167839,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [PKTLENS.....: 62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,78,78,78,71,71,71,60,60,60,78,78,78,71,71,71,60,60] DAEMON-EVENT: [Processed: 504 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 2 / 7|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 1] new: [.....8] [ip4][..tcp] [.......10.0.0.9][.1084] -> [.......10.0.0.3][20000] detected: [.....8] [ip4][..tcp] [.......10.0.0.9][.1084] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] analyse: [.....8] [ip4][..tcp] [.......10.0.0.9][.1084] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 3.963| 1.541| 1.422] - [IAT(c->s)...: 0.000| 3.672| 1.541| 1.367][IAT(s->c)...: 0.000| 3.963| 1.541| 1.475] - [PKTLEN(c->s): 60.000| 78.000| 
66.300| 8.300][PKTLEN(s->c): 60.000| 71.000| 62.800| 4.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 3.963| 1.541| 1.422|2023320.715| 0.000] + [PKTLEN......: 60.000| 78.000| 64.800| 7.100| 50.000| 5.000] [BINS(c->s)..: 18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,1] + [IATS........: 199,410,1542,125290,3672101,3963212,1744251,1702440,2163787,2038609,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [PKTLENS.....: 62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,78,78,78,60,60,60,78,78,78,60,60,60,60,60,60,60,60] end: [.....8] [ip4][..tcp] [.......10.0.0.9][.1084] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] idle: [.....6] [ip4][..tcp] [.......10.0.0.8][.1159] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] idle: [.....7] [ip4][..tcp] [.......10.0.0.8][.1184] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] diff --git a/test/results/flow-info/dns-tunnel-iodine.pcap.out b/test/results/flow-info/dns-tunnel-iodine.pcap.out index 6751191d3..4e1c8a32e 100644 --- a/test/results/flow-info/dns-tunnel-iodine.pcap.out +++ b/test/results/flow-info/dns-tunnel-iodine.pcap.out 
@@ -6,12 +6,14 @@ detection-update: [.....1] [ip4][..udp] [......10.0.2.30][44639] -> [......10.0.2.20][...53] [DNS][Network][Acceptable] RISK: Suspicious DNS Traffic analyse: [.....1] [ip4][..udp] [......10.0.2.30][44639] -> [......10.0.2.20][...53] [DNS][Network][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.003| 0.162| 0.368] - [IAT(c->s)...: 0.000| 1.003| 0.279| 0.449][IAT(s->c)...: 0.000| 0.006| 0.001| 0.001] - [PKTLEN(c->s): 82.000| 323.000| 198.200| 107.600][PKTLEN(s->c): 93.000|1476.000| 317.400| 420.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.003| 0.162| 0.368|135658.824| 0.000] + [PKTLEN......: 82.000| 1476.000| 246.600| 286.600|82112.700| 4.400] [BINS(c->s)..: 0,6,4,1,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,4,1,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,0,0,0,0] + [IATS........: 93,897,1083,5795,5715,411,342,245,227,219,217,216,215,213,212,209,230,282,586,445,177,314,494,447,227,245,1001664,1002291,1001465,1002966,1002454,0] + [PKTLENS.....: 82,103,103,144,88,137,123,166,132,184,138,196,118,156,134,188,88,96,88,95,88,93,323,1092,323,1476,323,323,323,323,323,323] idle: [.....1] [ip4][..udp] [......10.0.2.30][44639] -> [......10.0.2.20][...53] [DNS][Network][Acceptable] RISK: Suspicious DNS Traffic DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/dns_doh.pcap.out b/test/results/flow-info/dns_doh.pcap.out index 8dbb3a682..2ccc39c63 100644 --- a/test/results/flow-info/dns_doh.pcap.out +++ b/test/results/flow-info/dns_doh.pcap.out 
@@ -5,11 +5,13 @@ detected: [.....1] [ip4][..tcp] [....172.20.10.4][49877] -> [.104.16.248.249][..443] [TLS.DoH_DoT][Network][Fun] detection-update: [.....1] [ip4][..tcp] [....172.20.10.4][49877] -> [.104.16.248.249][..443] [TLS.DoH_DoT][Network][Fun] analyse: [.....1] [ip4][..tcp] [....172.20.10.4][49877] -> [.104.16.248.249][..443] [TLS.DoH_DoT][Network][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.535| 0.064| 0.132] - [IAT(c->s)...: 0.000| 0.535| 0.058| 0.128][IAT(s->c)...: 0.000| 0.525| 0.070| 0.135] - [PKTLEN(c->s): 54.000| 571.000| 134.400| 124.200][PKTLEN(s->c): 54.000|1354.000| 355.000| 444.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.535| 0.064| 0.132|17379.013| 0.000] + [PKTLEN......: 54.000| 1354.000| 230.900| 327.300|107137.200| 4.100] [BINS(c->s)..: 9,2,3,1,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,0,1,1,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1] + [IATS........: 87116,87208,1808,92218,5,2,90426,511,1485,930,26074,858,110,91,102733,7825,6,1,83431,1,17900,147557,535341,708,88830,66,525420,6,10702,6,0,0] + [PKTLENS.....: 78,66,54,571,54,1354,1354,54,54,503,54,118,224,297,133,54,591,404,85,54,54,54,85,54,116,147,116,157,54,54,258,85] idle: [.....1] [ip4][..tcp] [....172.20.10.4][49877] -> [.104.16.248.249][..443] [TLS.DoH_DoT][Network][Fun] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/dns_exfiltration.pcap.out b/test/results/flow-info/dns_exfiltration.pcap.out index ddb3916a7..567150b77 100644 --- a/test/results/flow-info/dns_exfiltration.pcap.out +++ b/test/results/flow-info/dns_exfiltration.pcap.out 
@@ -7,12 +7,14 @@ detection-update: [.....1] [ip4][..udp] [.192.168.220.56][56373] -> [192.168.203.167][...53] [DNS][Network][Acceptable] RISK: Suspicious DGA Domain name, Risky Domain Name analyse: [.....1] [ip4][..udp] [.192.168.220.56][56373] -> [192.168.203.167][...53] [DNS][Network][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.004| 1.036| 0.914| 0.282] - [IAT(c->s)...: 0.005| 1.036| 0.944| 0.251][IAT(s->c)...: 0.004| 1.016| 0.885| 0.305] - [PKTLEN(c->s): 101.000| 215.000| 114.400| 31.200][PKTLEN(s->c): 148.000| 386.000| 178.400| 63.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.004| 1.036| 0.914| 0.282|79410.348| 0.000] + [PKTLEN......: 101.000| 386.000| 146.400| 59.100| 3497.900| 4.900] [BINS(c->s)..: 0,13,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,13,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 170631,1035526,866477,1015270,1015599,4647,3976,1009971,1010376,1009201,1009121,1008475,1008435,1009499,1009380,1008042,1008120,1008655,1008570,1009773,1009797,1009990,1010112,1008960,1008939,1008465,1008353,1007666,1007763,1008795,1008694,0] + [PKTLENS.....: 215,386,166,286,136,193,101,148,101,148,101,156,101,148,101,158,101,158,101,156,101,148,101,158,101,158,101,158,101,148,101,148] update: [.....1] [ip4][..udp] [.192.168.220.56][56373] -> [192.168.203.167][...53] [DNS][Network][Acceptable] RISK: Suspicious DGA Domain name, Risky Domain Name idle: [.....1] [ip4][..udp] [.192.168.220.56][56373] -> [192.168.203.167][...53] [DNS][Network][Acceptable] diff --git a/test/results/flow-info/doq_adguard.pcapng.out b/test/results/flow-info/doq_adguard.pcapng.out index 25ff51f94..57437d0e4 100644 --- a/test/results/flow-info/doq_adguard.pcapng.out +++ b/test/results/flow-info/doq_adguard.pcapng.out 
@@ -4,11 +4,13 @@ new: [.....1] [ip4][..udp] [.192.168.12.169][41070] -> [...94.140.14.14][..784] detected: [.....1] [ip4][..udp] [.192.168.12.169][41070] -> [...94.140.14.14][..784] [QUIC.DoH_DoT][Network][Fun] analyse: [.....1] [ip4][..udp] [.192.168.12.169][41070] -> [...94.140.14.14][..784] [QUIC.DoH_DoT][Network][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.885| 0.161| 0.453] - [IAT(c->s)...: 0.000| 1.830| 0.165| 0.456][IAT(s->c)...: 0.000| 1.885| 0.157| 0.450] - [PKTLEN(c->s): 73.000|1274.000| 253.800| 388.300][PKTLEN(s->c): 83.000|1294.000| 659.900| 560.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.885| 0.161| 0.453|205274.628| 0.000] + [PKTLEN......: 73.000| 1294.000| 456.800| 522.900|273444.500| 4.100] [BINS(c->s)..: 4,8,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,5,0,0,2,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,2,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,1,1,0,0,1,1,1,1,1,1,0,0,0,0,1,1,0,0,0,1,1,0,1,0,0,0,0,1] + [IATS........: 36477,41681,43201,66,19,41861,6662,38406,6603,58707,16,206479,12,419140,55,727,29151,153173,67,8229,73,10468,39556,83,37026,44980,51489,1830423,63,12,1885270,0] + [PKTLENS.....: 1274,182,1274,1294,1294,1284,97,98,198,95,1284,1284,1284,1284,269,73,97,98,83,306,154,100,73,83,437,73,84,73,101,103,103,83] idle: [.....1] [ip4][..udp] [.192.168.12.169][41070] -> [...94.140.14.14][..784] [QUIC.DoH_DoT][Network][Fun] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/dos_win98_smb_netbeui.pcap.out b/test/results/flow-info/dos_win98_smb_netbeui.pcap.out index 02f024712..1d46a64e2 100644 --- a/test/results/flow-info/dos_win98_smb_netbeui.pcap.out +++ b/test/results/flow-info/dos_win98_smb_netbeui.pcap.out 
@@ -179,12 +179,14 @@ ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type analyse: [.....3] [ip4][..udp] [192.168.239.129][..137] -> [192.168.239.255][..137] [NetBIOS][System][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 96.434| 4.235| 17.262] - [IAT(c->s)...: 0.000| 96.434| 4.235| 17.262][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 110.000| 110.000| 110.000| 0.000][PKTLEN(s->c): 0.000| 0.000| 0.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 96.434| 4.235| 17.262|297969697.948| 0.000] + [PKTLEN......: 110.000| 110.000| 110.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 471,72,38984,710235,79,43,39467,709823,84,47,40333,710082,133,63,40024,760697,749893,749148,750102,96434388,763919,759984,756024,755162,752213,756593,760022,22000853,749883,749867,755005,0] + [PKTLENS.....: 110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110] idle: [.....2] [ip4][.icmp] [192.168.239.129] -> [......224.0.0.2] [ICMP][Network][Acceptable] idle: [.....3] [ip4][..udp] [192.168.239.129][..137] -> [192.168.239.255][..137] [NetBIOS][System][Acceptable] idle: [.....1] [ip4][..udp] [192.168.239.129][..137] -> [..192.168.239.2][..137] [NetBIOS][System][Acceptable] diff --git a/test/results/flow-info/drda_db2.pcap.out b/test/results/flow-info/drda_db2.pcap.out index 99e95f498..6a2be62ac 100644 --- a/test/results/flow-info/drda_db2.pcap.out +++ b/test/results/flow-info/drda_db2.pcap.out 
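Review bot: The new expected output for flow 3 pins a PKTLEN entropy of 5.000 even though all 32 recorded lengths are identical (`[PKTLENS.....: 110,110,...,110]`) and the same line reports stddev 0.000 and variance 0.000; a constant sample should have zero entropy, and 5.000 is exactly log2(32), so the analyser appears to be computing entropy over the sample slots rather than over the distribution of values, and committing this fixture would lock that in. The IAT entropy is 0.000 on every flow in this diff, which looks like the same calculation failing the other way. The IAT variance is also printed in different units from its stddev (17.262² is about 298, not the printed 297969697.948, i.e. µs² next to seconds), which will mislead anyone cross-checking the two columns. The fix belongs in the analyser code that generates these files, not in the result files themselves; I would hold this fixture update until a check such as "a constant-length flow yields entropy 0.000 and variance equals stddev² in the same unit" passes.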
@@ -4,11 +4,13 @@ new: [.....1] [ip4][..tcp] [..192.168.106.1][.4847] -> [192.168.106.128][50000] detected: [.....1] [ip4][..tcp] [..192.168.106.1][.4847] -> [192.168.106.128][50000] [DRDA][Database][Acceptable] analyse: [.....1] [ip4][..tcp] [..192.168.106.1][.4847] -> [192.168.106.128][50000] [DRDA][Database][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 17.986| 1.315| 4.366] - [IAT(c->s)...: 0.001| 17.828| 1.279| 4.282][IAT(s->c)...: 0.000| 17.986| 1.354| 4.454] - [PKTLEN(c->s): 54.000| 717.000| 176.300| 177.000][PKTLEN(s->c): 54.000| 684.000| 220.400| 202.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 17.986| 1.315| 4.366|19063346.561| 0.000] + [PKTLEN......: 54.000| 717.000| 197.000| 190.600|36335.200| 4.400] [BINS(c->s)..: 10,0,1,0,0,1,0,1,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,4,0,1,0,0,0,1,0,0,0,0,2,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,0,1,0,1,0] + [IATS........: 489,527,117332,117692,728,9146,43443,966142,1129664,349281,477633,7546,71563,64394,182669,413229,622408,30275,5528,2591,521,1606,2014,1552,1127,154254,17828332,17986057,9928,7015,168439,0] + [PKTLENS.....: 62,62,54,229,54,161,318,54,295,54,717,54,524,64,108,54,296,684,144,65,64,108,322,455,64,108,54,383,466,64,108,54] end: [.....1] [ip4][..tcp] [..192.168.106.1][.4847] -> [192.168.106.128][50000] [DRDA][Database][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/dropbox.pcap.out b/test/results/flow-info/dropbox.pcap.out index 11d4b8f6e..b96ade025 100644 --- a/test/results/flow-info/dropbox.pcap.out +++ b/test/results/flow-info/dropbox.pcap.out 
@@ -6,37 +6,45 @@ new: [.....2] [ip4][..udp] [...192.168.56.1][50318] -> [.192.168.56.101][17500] detected: [.....2] [ip4][..udp] [...192.168.56.1][50318] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] analyse: [.....1] [ip4][..udp] [...192.168.56.1][50311] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.002| 0.118| 0.106| 0.019] - [IAT(c->s)...: 0.104| 0.118| 0.110| 0.003][IAT(s->c)...: 0.002| 0.116| 0.103| 0.026] - [PKTLEN(c->s): 136.000| 143.000| 138.100| 2.100][PKTLEN(s->c): 59.000| 66.000| 61.100| 2.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.002| 0.118| 0.106| 0.019| 373.406| 0.000] + [PKTLEN......: 59.000| 143.000| 99.600| 38.600| 1486.700| 4.900] [BINS(c->s)..: 0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 1824,103882,104036,108951,108450,105413,105949,113800,113717,106838,107131,109410,109028,108906,115953,117757,112312,110612,110806,109887,107946,108022,108009,113116,114023,110812,110429,107359,111248,109470,105114,0] + [PKTLENS.....: 138,61,137,60,136,59,143,66,139,62,136,59,138,61,138,61,140,63,137,60,138,61,137,60,137,60,137,60,143,66,136,59] new: [.....3] [ip4][..udp] [...192.168.56.1][50312] -> [.192.168.56.101][17500] detected: [.....3] [ip4][..udp] [...192.168.56.1][50312] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] analyse: [.....2] [ip4][..udp] [...192.168.56.1][50318] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.002| 0.128| 0.112| 0.021] - [IAT(c->s)...: 0.106| 0.128| 0.115| 0.006][IAT(s->c)...: 0.002| 0.126| 0.108| 0.028] - [PKTLEN(c->s): 137.000| 142.000| 139.000| 1.800][PKTLEN(s->c): 60.000| 65.000| 62.000| 1.800] + 
[min|max|avg|stddev|variance|entropy] + [IAT.........: 0.002| 0.128| 0.112| 0.021| 434.412| 0.000] + [PKTLEN......: 60.000| 142.000| 100.500| 38.500| 1485.600| 4.900] [BINS(c->s)..: 0,0,6,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 2441,112948,114313,107773,108080,108005,107995,109511,111427,119112,118338,116979,117004,127663,125063,114041,112993,120228,120931,111475,111310,105608,107791,113820,112048,122618,125498,112978,109966,123530,125708,0] + [PKTLENS.....: 137,60,141,64,140,63,142,65,137,60,139,62,140,63,139,62,137,60,138,61,142,65,140,63,137,60,137,60,137,60,141,64] new: [.....4] [ip4][..udp] [...192.168.56.1][50319] -> [.192.168.56.101][17500] detected: [.....4] [ip4][..udp] [...192.168.56.1][50319] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] analyse: [.....3] [ip4][..udp] [...192.168.56.1][50312] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.001| 0.131| 0.117| 0.022] - [IAT(c->s)...: 0.105| 0.131| 0.121| 0.008][IAT(s->c)...: 0.001| 0.131| 0.113| 0.030] - [PKTLEN(c->s): 137.000| 143.000| 139.800| 1.800][PKTLEN(s->c): 60.000| 66.000| 62.800| 1.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.001| 0.131| 0.117| 0.022| 500.202| 0.000] + [PKTLEN......: 60.000| 143.000| 101.200| 38.500| 1485.300| 4.900] [BINS(c->s)..: 0,0,3,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 
1319,105009,107122,122637,124565,114853,120385,119749,111541,123867,122956,105381,109394,122887,120099,118036,119438,130107,131359,131277,128951,120148,121275,112275,114829,128910,125477,127969,127046,125146,128537,0] + [PKTLENS.....: 139,62,143,66,139,62,140,63,140,63,137,60,137,60,137,60,142,65,140,63,141,64,139,62,139,62,142,65,141,64,140,63] analyse: [.....4] [ip4][..udp] [...192.168.56.1][50319] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.005| 0.172| 0.127| 0.026] - [IAT(c->s)...: 0.107| 0.172| 0.131| 0.015][IAT(s->c)...: 0.005| 0.165| 0.123| 0.033] - [PKTLEN(c->s): 136.000| 143.000| 139.600| 2.200][PKTLEN(s->c): 59.000| 66.000| 62.600| 2.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.005| 0.172| 0.127| 0.026| 689.813| 0.000] + [PKTLEN......: 59.000| 143.000| 101.100| 38.600| 1487.100| 4.900] [BINS(c->s)..: 0,0,4,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 5091,140506,139383,127325,129287,138036,134456,137698,141222,137865,138593,132603,133311,132101,136834,172321,164608,137809,136671,122327,121648,117128,118696,128848,133217,115516,110107,123592,124533,106749,105564,0] + [PKTLENS.....: 141,64,142,65,137,60,137,60,140,63,137,60,136,59,141,64,139,62,143,66,140,63,138,61,139,62,143,66,138,61,142,65] DAEMON-EVENT: [Processed: 800 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 4 / 4|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....5] [ip4][..udp] [..192.168.1.105][55407] -> [..192.168.1.254][...53] diff --git a/test/results/flow-info/emotet.pcap.out b/test/results/flow-info/emotet.pcap.out index c206017cf..a0958470a 100644 --- a/test/results/flow-info/emotet.pcap.out 
+++ b/test/results/flow-info/emotet.pcap.out 
@@ -4,23 +4,27 @@ new: [.....1] [ip4][..tcp] [....10.2.25.102][57309] -> [..193.252.22.84][..587] detected: [.....1] [ip4][..tcp] [....10.2.25.102][57309] -> [..193.252.22.84][..587] [SMTP][Email][Acceptable] analyse: [.....1] [ip4][..tcp] [....10.2.25.102][57309] -> [..193.252.22.84][..587] [SMTP][Email][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 3.056| 0.539| 0.774] - [IAT(c->s)...: 0.000| 3.056| 0.696| 0.816][IAT(s->c)...: 0.000| 3.055| 0.439| 0.729] - [PKTLEN(c->s): 54.000| 752.000| 124.000| 181.800][PKTLEN(s->c): 54.000| 214.000| 74.800| 37.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 3.056| 0.539| 0.774|599161.176| 0.000] + [PKTLEN......: 54.000| 752.000| 94.800| 121.900|14849.500| 4.500] [BINS(c->s)..: 8,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 14,4,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0] + [IATS........: 749523,749719,1106307,1106777,773,369838,370621,895,325625,326244,506,323,737,841210,842439,907,363,438,3054676,3056402,1628,247201,247778,521,1205120,1205575,420,442964,443628,704,254,0] + [PKTLENS.....: 66,58,54,108,75,54,214,66,54,72,86,54,56,54,72,70,54,56,54,94,91,54,100,87,54,101,60,54,62,93,54,752] DAEMON-EVENT: [Processed: 626 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....2] [ip4][..tcp] [....10.3.29.101][56309] -> [.104.161.127.22][...80] detected: [.....2] [ip4][..tcp] [....10.3.29.101][56309] -> [.104.161.127.22][...80] [HTTP][Web][Acceptable] analyse: [.....2] [ip4][..tcp] [....10.3.29.101][56309] -> [.104.161.127.22][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.204| 0.029| 0.060] - [IAT(c->s)...: 0.000| 0.204| 0.041| 0.068][IAT(s->c)...: 0.000| 0.204| 0.022| 
0.054] - [PKTLEN(c->s): 54.000| 500.000| 92.200| 123.000][PKTLEN(s->c): 54.000|1415.000|1279.100| 407.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.204| 0.029| 0.060| 3581.477| 0.000] + [PKTLEN......: 54.000| 1415.000| 834.000| 663.100|439751.800| 4.400] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0] + [IATS........: 115764,115896,335,518,204207,77,204389,352,224,565,217,228,441,212,496,705,246,220,470,115050,221,115302,340,251,573,9235,226,9483,474,242,690,0] + [PKTLENS.....: 66,58,54,500,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54] end: [.....1] [ip4][..tcp] [....10.2.25.102][57309] -> [..193.252.22.84][..587] [SMTP][Email][Acceptable] DAEMON-EVENT: [Processed: 834 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] 
@@ -29,12 +33,14 @@ detection-update: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80] [HTTP][Web][Acceptable] RISK: Binary App Transfer analyse: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.261| 0.031| 0.066] - [IAT(c->s)...: 0.000| 0.260| 0.030| 0.065][IAT(s->c)...: 0.000| 0.261| 0.032| 0.067] - [PKTLEN(c->s): 60.000| 279.000| 73.200| 51.500][PKTLEN(s->c): 62.000|1442.000|1350.000| 344.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.261| 0.031| 0.066| 4320.020| 0.000] + [PKTLEN......: 60.000| 1442.000| 671.700| 680.400|462891.900| 4.100] [BINS(c->s)..: 16,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0] + [IATS........: 97254,97549,387,260940,260431,3204,3158,9543,9466,6236,69,6255,124,124,128,201,123,50,174,174,40,2646,2680,60630,60713,9884,9822,15114,15099,12868,12932,0] + [PKTLENS.....: 66,62,60,279,1442,60,1442,60,1442,60,1442,1442,60,1442,60,1442,60,1442,60,1442,60,60,1442,60,1442,60,1442,60,1442,60,1442,60] end: [.....2] [ip4][..tcp] [....10.3.29.101][56309] -> [.104.161.127.22][...80] [HTTP][Web][Acceptable] DAEMON-EVENT: [Processed: 1663 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 3|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0] 
@@ -44,12 +50,14 @@ detection-update: [.....4] [ip4][..tcp] [....10.4.25.101][49797] -> [..77.105.36.156][...80] [HTTP][Download][Acceptable] RISK: Binary App Transfer, HTTP Suspicious User-Agent analyse: [.....4] [ip4][..tcp] [....10.4.25.101][49797] -> [..77.105.36.156][...80] [HTTP][Download][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.292| 0.042| 0.080] - [IAT(c->s)...: 0.000| 0.292| 0.073| 0.105][IAT(s->c)...: 0.000| 0.184| 0.030| 0.062] - [PKTLEN(c->s): 60.000| 206.000| 75.200| 43.600][PKTLEN(s->c): 60.000|1442.000|1264.600| 420.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.292| 0.042| 0.080| 6342.811| 0.000] + [PKTLEN......: 60.000| 1442.000| 892.900| 652.600|425943.000| 4.500] [BINS(c->s)..: 9,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,18,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,1,1,1,1,0,1,1,1,0,1,1,1,0,1,1,1,0,1,1,1,1,0,0] + [IATS........: 184236,184528,232,171817,120639,81,116,292217,2662,111,117,90,2892,2739,117,70,3040,164670,68,120,164820,2817,118,71,3042,2918,68,119,165,3158,56,0] + [PKTLENS.....: 66,66,60,206,60,626,1442,1442,60,1442,1442,1442,1114,60,1442,1442,1442,60,1442,1442,1442,60,1442,1442,1442,60,1442,1442,1442,1442,60,60] end: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80] [HTTP][Web][Acceptable] RISK: Binary App Transfer new: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] 
@@ -58,12 +66,14 @@ detection-update: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] [TLS][Web][Safe] RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn analyse: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.263| 0.117| 0.292] - [IAT(c->s)...: 0.000| 1.263| 0.146| 0.340][IAT(s->c)...: 0.000| 1.117| 0.097| 0.253] - [PKTLEN(c->s): 60.000| 534.000| 115.100| 122.800][PKTLEN(s->c): 60.000|1442.000|1147.800| 551.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.263| 0.117| 0.292|85184.340| 0.000] + [PKTLEN......: 60.000| 1442.000| 696.000| 663.200|439900.200| 4.200] [BINS(c->s)..: 11,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,1,1,0,0,0,1,1] + [IATS........: 109372,109625,14139,123772,13228,122858,52674,132935,80275,6518,151937,1117119,71,165,1262510,58,2900,71,3072,96890,117,96947,3054,71,165,71,3262,116,2919,118,0,0] + [PKTLENS.....: 66,66,60,203,60,1432,60,147,296,60,534,60,1442,1442,1442,60,60,1442,1442,66,1442,1442,74,1442,1442,1442,1442,74,74,74,1442,1442] detection-update: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] [TLS][Web][Safe] RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn new: [.....6] [ip4][..tcp] [....10.4.25.101][49804] -> [138.197.147.101][..443] diff --git a/test/results/flow-info/ethereum.pcap.out b/test/results/flow-info/ethereum.pcap.out index da49d9cab..c7e6114e6 100644 --- a/test/results/flow-info/ethereum.pcap.out +++ b/test/results/flow-info/ethereum.pcap.out 
@@ -56,22 +56,26 @@ detected: [....26] [ip4][..udp] [..192.168.1.184][30303] -> [...128.0.51.140][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....13] [ip4][..tcp] [..192.168.1.184][56615] -> [.35.158.244.151][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.063| 0.008| 0.018] - [IAT(c->s)...: 0.000| 0.062| 0.005| 0.016][IAT(s->c)...: 0.000| 0.063| 0.012| 0.021] - [PKTLEN(c->s): 66.000| 561.000| 101.600| 106.200][PKTLEN(s->c): 60.000| 514.000| 112.200| 127.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.063| 0.008| 0.018| 335.828| 0.000] + [PKTLEN......: 60.000| 561.000| 105.200| 114.100|13011.400| 4.500] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1] + [IATS........: 42899,42982,2208,63466,818,46,62123,6,373,313,356,354,126,10,127,6,123,159,339,3,86,17,41,85,11,59,21,32,10,27626,14,0] + [PKTLENS.....: 78,74,66,561,66,514,98,66,66,67,66,68,66,79,82,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60] new: [....27] [ip4][..tcp] [..192.168.1.184][56630] -> [..40.67.144.128][30303] detected: [....24] [ip4][..tcp] [..192.168.1.184][56628] -> [....3.209.45.79][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....22] [ip4][..tcp] [..192.168.1.184][56626] -> [178.128.195.220][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.063| 0.009| 0.019] - [IAT(c->s)...: 0.000| 0.063| 0.007| 0.017][IAT(s->c)...: 0.000| 0.063| 0.012| 0.021] - [PKTLEN(c->s): 66.000| 612.000| 121.900| 128.500][PKTLEN(s->c): 66.000| 470.000| 121.700| 112.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.063| 0.009| 0.019| 355.411| 0.000] + [PKTLEN......: 66.000| 612.000| 121.800| 122.800|15078.800| 4.500] 
[BINS(c->s)..: 14,3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1] + [IATS........: 42941,42985,1880,62851,2026,2,12,7,1,62996,2,23,5,115,83,3,1324,29,68,8,50,438,29,39,9,101,32217,29,13,30178,778,0] + [PKTLENS.....: 78,74,66,612,66,470,98,67,222,69,66,66,66,66,82,66,66,98,67,190,69,82,98,67,114,81,82,78,78,78,338,78] detected: [.....9] [ip4][..tcp] [..192.168.1.184][56612] -> [...66.42.82.246][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol detected: [....25] [ip4][..tcp] [..192.168.1.184][56629] -> [....51.38.60.79][30303] [Mining][Mining][Unsafe] 
@@ -84,12 +88,14 @@ detected: [....11] [ip4][..tcp] [..192.168.1.184][56611] -> [..104.42.217.25][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....23] [ip4][..tcp] [..192.168.1.184][56627] -> [..34.255.23.113][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.070| 0.011| 0.024] - [IAT(c->s)...: 0.000| 0.070| 0.007| 0.020][IAT(s->c)...: 0.000| 0.070| 0.018| 0.029] - [PKTLEN(c->s): 66.000| 578.000| 102.400| 109.700][PKTLEN(s->c): 60.000| 468.000| 108.000| 114.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.070| 0.011| 0.024| 583.849| 0.000] + [PKTLEN......: 60.000| 578.000| 104.300| 111.300|12394.700| 4.500] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1] + [IATS........: 70028,70198,1425,62112,2103,2,2,32,23,22,62731,3,15,11,2,8,85,118,636,45,106,25,18,64,32,95,10,50,9,63729,37,0] + [PKTLENS.....: 78,74,66,578,66,468,98,67,68,79,82,66,66,66,66,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60] new: [....31] [ip4][..udp] [..192.168.1.184][30303] -> [..111.229.0.180][20182] detected: [....31] [ip4][..udp] [..192.168.1.184][30303] -> [..111.229.0.180][20182] [Mining][Mining][Unsafe] RISK: Unsafe Protocol 
@@ -101,12 +107,14 @@ detected: [....15] [ip4][..tcp] [..192.168.1.184][56618] -> [.52.231.165.108][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....25] [ip4][..tcp] [..192.168.1.184][56629] -> [....51.38.60.79][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.073| 0.008| 0.018] - [IAT(c->s)...: 0.000| 0.043| 0.005| 0.013][IAT(s->c)...: 0.000| 0.073| 0.012| 0.023] - [PKTLEN(c->s): 66.000| 487.000| 101.400| 95.100][PKTLEN(s->c): 60.000| 406.000| 95.400| 90.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.073| 0.008| 0.018| 321.083| 0.000] + [PKTLEN......: 60.000| 487.000| 99.000| 93.300| 8701.200| 4.600] [BINS(c->s)..: 15,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 11,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1] + [IATS........: 36441,36500,1495,43967,497,46,63,13,18,43065,4,1,1,17,703,21,64,47,32,88,50,77,17,30,32,72892,13,7,734,1,12,0] + [PKTLENS.....: 78,74,66,487,66,406,98,67,68,95,66,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60,60,60,60,60] detected: [....16] [ip4][..tcp] [..192.168.1.184][56620] -> [191.234.162.198][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol detected: [....30] [ip4][..tcp] [..192.168.1.184][56633] -> [.82.145.220.249][30303] [Mining][Mining][Unsafe] 
@@ -126,19 +134,23 @@ detected: [....17] [ip4][..tcp] [..192.168.1.184][56621] -> [..52.187.207.27][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....28] [ip4][..tcp] [..192.168.1.184][56632] -> [...51.38.81.180][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.079| 0.012| 0.027] - [IAT(c->s)...: 0.000| 0.079| 0.007| 0.022][IAT(s->c)...: 0.000| 0.078| 0.020| 0.032] - [PKTLEN(c->s): 66.000| 545.000| 100.800| 102.900][PKTLEN(s->c): 60.000| 505.000| 111.400| 124.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.079| 0.012| 0.027| 705.641| 0.000] + [PKTLEN......: 60.000| 545.000| 104.400| 111.100|12335.600| 4.500] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1] + [IATS........: 68454,68561,1411,78125,1877,68,78584,38,219,12,4,177,15,1,106,11,115,2,426,13,74,15,66,39,30,87,16,26,26,67245,39,0] + [PKTLENS.....: 78,74,66,545,66,505,98,66,66,67,68,79,66,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60] analyse: [....30] [ip4][..tcp] [..192.168.1.184][56633] -> [.82.145.220.249][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.077| 0.012| 0.026] - [IAT(c->s)...: 0.000| 0.076| 0.010| 0.025][IAT(s->c)...: 0.000| 0.077| 0.014| 0.028] - [PKTLEN(c->s): 66.000| 508.000| 106.800| 104.400][PKTLEN(s->c): 60.000| 488.000| 94.500| 105.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.077| 0.012| 0.026| 688.970| 0.000] + [PKTLEN......: 60.000| 508.000| 101.100| 105.300|11090.000| 4.600] [BINS(c->s)..: 13,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 
12,2,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1] + [IATS........: 74179,74294,1198,77251,76054,663,12,594,2,179,16,57,19,60,67,15,72,28,42,24,51962,31,247,15,13,11,81,2,10,6,105,0] + [PKTLENS.....: 78,74,66,508,488,66,98,98,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60,60,60,60] new: [....35] [ip4][..tcp] [..192.168.1.184][56637] -> [.35.233.197.131][30303] new: [....36] [ip4][..tcp] [..192.168.1.184][56638] -> [209.250.240.205][30303] new: [....37] [ip4][..udp] [..192.168.1.184][30303] -> [.35.180.246.169][30301] 
@@ -148,12 +160,14 @@ detected: [....33] [ip4][..tcp] [..192.168.1.184][56634] -> [..159.203.84.31][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....24] [ip4][..tcp] [..192.168.1.184][56628] -> [....3.209.45.79][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.164| 0.023| 0.053] - [IAT(c->s)...: 0.000| 0.163| 0.015| 0.045][IAT(s->c)...: 0.000| 0.164| 0.038| 0.062] - [PKTLEN(c->s): 66.000| 461.000| 96.800| 85.700][PKTLEN(s->c): 60.000| 536.000| 114.700| 133.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.164| 0.023| 0.053| 2778.035| 0.000] + [PKTLEN......: 60.000| 536.000| 103.000| 105.000|11031.500| 4.600] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1] + [IATS........: 134408,134510,2041,164457,730,163149,164,16,91,13,125,16,10,133,2,2,198,213,439,13,62,28,71,55,19,91,9,24,22,112857,28,0] + [PKTLENS.....: 78,74,66,461,66,536,66,98,67,66,66,68,79,82,66,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60] detected: [....36] [ip4][..tcp] [..192.168.1.184][56638] -> [209.250.240.205][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol detected: [....34] [ip4][..tcp] [..192.168.1.184][56635] -> [.162.228.29.160][30303] [Mining][Mining][Unsafe] 
@@ -162,22 +176,26 @@ new: [....40] [ip4][..tcp] [..192.168.1.184][56642] -> [..178.62.10.218][30303] new: [....41] [ip4][..tcp] [..192.168.1.184][56643] -> [..178.62.29.183][30303] analyse: [....36] [ip4][..tcp] [..192.168.1.184][56638] -> [209.250.240.205][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.043| 0.007| 0.014] - [IAT(c->s)...: 0.000| 0.043| 0.006| 0.013][IAT(s->c)...: 0.000| 0.041| 0.009| 0.015] - [PKTLEN(c->s): 66.000| 481.000| 115.300| 95.500][PKTLEN(s->c): 66.000| 560.000| 127.800| 135.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.043| 0.007| 0.014| 203.606| 0.000] + [PKTLEN......: 66.000| 560.000| 120.000| 112.400|12624.200| 4.600] [BINS(c->s)..: 13,3,0,2,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,0,0,0,0,0,0,1,1,1,1,0,0,1] + [IATS........: 32588,32677,1133,41248,3045,43142,1077,15,57,29,33,2220,3,33,1051,3,12,110,51,429,10,11,17,141,33844,34,22,20,33327,11,92,0] + [PKTLENS.....: 78,74,66,481,66,560,66,98,67,190,69,82,98,67,209,66,66,66,82,66,98,67,114,81,82,78,78,78,78,226,178,66] new: [....42] [ip4][..tcp] [..192.168.1.184][56644] -> [..13.230.108.42][30303] detected: [....39] [ip4][..tcp] [..192.168.1.184][56641] -> [.144.91.120.135][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....27] [ip4][..tcp] [..192.168.1.184][56630] -> [..40.67.144.128][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.158| 0.021| 0.049] - [IAT(c->s)...: 0.000| 0.158| 0.016| 0.044][IAT(s->c)...: 0.000| 0.158| 0.027| 0.053] - [PKTLEN(c->s): 66.000| 497.000| 103.900| 99.500][PKTLEN(s->c): 60.000| 489.000| 97.900| 109.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.158| 0.021| 0.049| 2374.200| 0.000] + [PKTLEN......: 60.000| 497.000| 
101.300| 103.800|10779.300| 4.600] [BINS(c->s)..: 14,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1] + [IATS........: 158073,158141,1927,112688,964,45,111769,2,97,24,66,10,893,34,92,13,26,143,3,148,30,48,25,111098,32,825,2,26,2,1,16,0] + [PKTLENS.....: 78,74,66,497,66,489,98,66,66,82,82,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60] new: [....43] [ip4][..tcp] [..192.168.1.184][56645] -> [.185.219.133.62][30303] detected: [....38] [ip4][..tcp] [..192.168.1.184][56639] -> [.18.219.167.159][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol 
@@ -190,30 +208,36 @@ RISK: Unsafe Protocol new: [....45] [ip4][..tcp] [..192.168.1.184][56647] -> [.182.162.161.61][30303] analyse: [....11] [ip4][..tcp] [..192.168.1.184][56611] -> [..104.42.217.25][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.202| 0.031| 0.071] - [IAT(c->s)...: 0.000| 0.201| 0.020| 0.059][IAT(s->c)...: 0.000| 0.202| 0.052| 0.085] - [PKTLEN(c->s): 66.000| 556.000| 101.300| 105.100][PKTLEN(s->c): 60.000| 533.000| 114.500| 132.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.202| 0.031| 0.071| 5088.628| 0.000] + [PKTLEN......: 60.000| 556.000| 105.800| 115.500|13350.200| 4.500] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1] + [IATS........: 194951,195066,1242,202293,279,25,201303,2,92,53,99,12,102,9,99,103,126,125,566,17,55,13,75,43,16,62,14,42,23,175388,354,0] + [PKTLENS.....: 78,74,66,556,66,533,98,66,66,67,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60] detected: [....44] [ip4][..tcp] [..192.168.1.184][56646] -> [..172.105.94.62][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....33] [ip4][..tcp] [..192.168.1.184][56634] -> [..159.203.84.31][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.109| 0.018| 0.040] - [IAT(c->s)...: 0.000| 0.109| 0.011| 0.033][IAT(s->c)...: 0.000| 0.109| 0.030| 0.048] - [PKTLEN(c->s): 66.000| 637.000| 105.200| 121.900][PKTLEN(s->c): 60.000| 579.000| 118.100| 146.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.109| 0.018| 0.040| 1575.808| 0.000] + [PKTLEN......: 60.000| 637.000| 109.600| 130.900|17130.100| 4.400] [BINS(c->s)..: 
17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,1,0,1,0,1,0,1,1,0,0,0,1,0,0,0,0,0,0,1,1] + [IATS........: 107626,107678,1475,109033,1825,109385,687,13,52,13,68,1028,198,109,79,136,133,112,7,116,2,80,130,42,5,71,30,33,21,107121,13,0] + [PKTLENS.....: 78,74,66,637,66,579,66,98,67,190,69,82,98,66,67,66,68,66,79,82,66,66,98,66,67,66,68,79,82,66,60,60] new: [....46] [ip4][..tcp] [..192.168.1.184][56650] -> [.35.228.250.140][30303] new: [....47] [ip4][..tcp] [..192.168.1.184][56651] -> [..138.201.12.87][30303] analyse: [....41] [ip4][..tcp] [..192.168.1.184][56643] -> [..178.62.29.183][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.049| 0.009| 0.018] - [IAT(c->s)...: 0.000| 0.049| 0.007| 0.017][IAT(s->c)...: 0.000| 0.047| 0.012| 0.019] - [PKTLEN(c->s): 66.000| 535.000| 104.400| 102.700][PKTLEN(s->c): 66.000| 384.000| 110.900| 88.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.049| 0.009| 0.018| 316.609| 0.000] + [PKTLEN......: 66.000| 535.000| 106.900| 97.800| 9570.500| 4.600] [BINS(c->s)..: 15,3,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,1] + [IATS........: 44428,44545,1146,47405,2629,34,48881,2,106,60,120,15,121,3,107,116,574,31,61,16,57,386,11,31,13,50,43304,549,42693,151,10,0] + [PKTLENS.....: 78,74,66,535,66,384,98,66,66,67,66,191,68,66,66,82,66,98,67,190,69,82,98,67,114,81,82,66,98,66,67,70] new: [....48] [ip4][..tcp] [..192.168.1.184][56652] -> [..176.9.136.209][30303] detected: [....47] [ip4][..tcp] [..192.168.1.184][56651] -> [..138.201.12.87][30303] 
[Mining][Mining][Unsafe] RISK: Unsafe Protocol 
@@ -222,95 +246,117 @@ detected: [....50] [ip4][..udp] [..192.168.1.184][30303] -> [.18.219.167.159][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....43] [ip4][..tcp] [..192.168.1.184][56645] -> [.185.219.133.62][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.052| 0.010| 0.019] - [IAT(c->s)...: 0.000| 0.052| 0.008| 0.018][IAT(s->c)...: 0.000| 0.050| 0.012| 0.020] - [PKTLEN(c->s): 66.000| 476.000| 101.500| 90.400][PKTLEN(s->c): 66.000| 448.000| 118.600| 107.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.052| 0.010| 0.019| 354.234| 0.000] + [PKTLEN......: 66.000| 476.000| 107.900| 97.700| 9536.300| 4.600] [BINS(c->s)..: 15,3,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,0,0,0,0,1,0,1,0,1,0,1,0,0,0,0,0,0,1,1,1,0,1] + [IATS........: 47219,47359,1594,49528,3728,51634,828,16,1020,92,14,1,37,127,71,134,135,105,102,138,138,353,12,12,16,83,45623,1100,32,46342,115,0] + [PKTLENS.....: 78,74,66,476,66,448,66,98,67,98,190,66,69,82,67,66,222,66,69,66,82,66,98,67,114,81,82,66,66,98,66,67] new: [....51] [ip4][..tcp] [..192.168.1.184][56655] -> [.202.112.28.106][30303] detected: [....48] [ip4][..tcp] [..192.168.1.184][56652] -> [..176.9.136.209][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol detected: [....46] [ip4][..tcp] [..192.168.1.184][56650] -> [.35.228.250.140][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....15] [ip4][..tcp] [..192.168.1.184][56618] -> [.52.231.165.108][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.262| 0.038| 0.087] - [IAT(c->s)...: 0.000| 0.262| 0.024| 0.073][IAT(s->c)...: 0.000| 0.262| 0.063| 0.104] - [PKTLEN(c->s): 66.000| 516.000| 99.400| 96.900][PKTLEN(s->c): 60.000| 519.000| 113.200| 128.700] + 
[min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.262| 0.038| 0.087| 7588.779| 0.000] + [PKTLEN......: 60.000| 519.000| 104.200| 109.100|11904.300| 4.600] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1] + [IATS........: 261712,261804,1508,222767,73,3,23,221290,9,6,194,11,189,20,102,10,88,9,563,27,71,35,50,54,29,73,9,29,34,211443,15,0] + [PKTLENS.....: 78,74,66,516,66,519,98,67,66,66,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60] analyse: [....16] [ip4][..tcp] [..192.168.1.184][56620] -> [191.234.162.198][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.263| 0.038| 0.087] - [IAT(c->s)...: 0.000| 0.263| 0.024| 0.073][IAT(s->c)...: 0.000| 0.263| 0.063| 0.104] - [PKTLEN(c->s): 66.000| 578.000| 102.400| 109.700][PKTLEN(s->c): 60.000| 525.000| 113.200| 130.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.263| 0.038| 0.087| 7624.721| 0.000] + [PKTLEN......: 60.000| 578.000| 106.100| 117.400|13788.700| 4.500] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1] + [IATS........: 263094,263164,1256,221848,245,3,9,220800,8,13,125,15,115,10,130,9,138,8,711,8,50,43,2,70,7,75,9,33,11,212620,221,0] + [PKTLENS.....: 78,74,66,578,66,525,98,67,66,66,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60] detected: [....49] [ip4][..tcp] [..192.168.1.184][56654] -> [..85.214.108.52][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol new: [....52] [ip4][..tcp] 
[..192.168.1.184][56657] -> [.138.75.171.190][30303] new: [....53] [ip4][..tcp] [..192.168.1.184][56658] -> [.157.230.152.87][30303] analyse: [....47] [ip4][..tcp] [..192.168.1.184][56651] -> [..138.201.12.87][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.037| 0.006| 0.012] - [IAT(c->s)...: 0.000| 0.037| 0.004| 0.011][IAT(s->c)...: 0.000| 0.034| 0.007| 0.013] - [PKTLEN(c->s): 66.000| 483.000| 103.200| 96.400][PKTLEN(s->c): 60.000| 393.000| 91.500| 84.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.037| 0.006| 0.012| 148.778| 0.000] + [PKTLEN......: 60.000| 483.000| 98.100| 91.500| 8376.200| 4.600] [BINS(c->s)..: 14,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1] + [IATS........: 32598,32641,1212,33881,3882,36541,367,364,134,135,131,136,417,10,43,12,102,2,13,40,18,46,15,31120,114,13,120,11,562,50,11,0] + [PKTLENS.....: 78,74,66,483,66,393,66,98,66,82,66,82,66,98,67,190,69,82,98,67,68,79,82,66,66,60,60,60,60,60,60,60] analyse: [....44] [ip4][..tcp] [..192.168.1.184][56646] -> [..172.105.94.62][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.116| 0.012| 0.026] - [IAT(c->s)...: 0.000| 0.116| 0.010| 0.026][IAT(s->c)...: 0.000| 0.091| 0.016| 0.025] - [PKTLEN(c->s): 66.000| 540.000| 107.100| 103.100][PKTLEN(s->c): 66.000| 398.000| 131.700| 115.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.116| 0.012| 0.026| 687.065| 0.000] + [PKTLEN......: 66.000| 540.000| 116.300| 108.500|11769.500| 4.600] [BINS(c->s)..: 14,4,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 
[DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,1,1,1,1,1,1,0,0,1,0,0,0] + [IATS........: 25501,25603,1194,25860,91412,116020,834,13,59,13,31,24470,23554,429,12,15,16,655,121,709,21,11,5,23284,18,24097,248,344,46,20,10,0] + [PKTLENS.....: 78,74,66,540,66,398,66,98,67,190,69,82,306,66,98,67,114,81,66,82,66,66,66,66,274,66,66,98,66,67,69,78] analyse: [....48] [ip4][..tcp] [..192.168.1.184][56652] -> [..176.9.136.209][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.035| 0.006| 0.012] - [IAT(c->s)...: 0.000| 0.035| 0.004| 0.011][IAT(s->c)...: 0.000| 0.034| 0.007| 0.013] - [PKTLEN(c->s): 66.000| 597.000| 109.500| 121.600][PKTLEN(s->c): 60.000| 494.000| 98.300| 110.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.035| 0.006| 0.012| 149.558| 0.000] + [PKTLEN......: 60.000| 597.000| 104.600| 116.900|13676.100| 4.500] [BINS(c->s)..: 14,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1] + [IATS........: 32769,32829,1344,33937,2357,34994,270,193,122,12,123,10,417,12,70,10,89,1,14,53,11,44,42,32625,14,112,124,133,12,7,92,0] + [PKTLENS.....: 78,74,66,597,66,494,66,98,66,82,82,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60] new: [....54] [ip4][..tcp] [..192.168.1.184][56660] -> [...51.161.23.12][30303] new: [....55] [ip4][..tcp] [..192.168.1.184][56661] -> [....52.9.128.68][30303] new: [....56] [ip4][..tcp] [..192.168.1.184][56662] -> [..35.229.232.19][30303] new: [....57] [ip4][..tcp] [..192.168.1.184][56663] -> [124.217.235.180][30303] analyse: [....34] [ip4][..tcp] [..192.168.1.184][56635] -> [.162.228.29.160][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.159| 0.026| 0.057] - [IAT(c->s)...: 0.000| 0.159| 0.016| 
0.048][IAT(s->c)...: 0.000| 0.158| 0.043| 0.068] - [PKTLEN(c->s): 66.000| 479.000| 97.700| 89.400][PKTLEN(s->c): 60.000| 471.000| 108.800| 115.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.159| 0.026| 0.057| 3248.179| 0.000] + [PKTLEN......: 60.000| 479.000| 101.500| 99.100| 9815.100| 4.600] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,1,1,0,0,1,1,0,0,1,0,0,0,0,0,0,0,1,0,1,1] + [IATS........: 157669,157791,1578,152892,8130,159357,1177,13,61,20,78,1877,13,527,1,123,12,130,3,101,114,166,3,78,34,46,32,749,390,149661,614,0] + [PKTLENS.....: 78,74,66,479,66,471,66,98,67,190,69,82,98,67,66,66,68,79,66,66,82,66,98,67,68,79,82,66,66,66,66,60] analyse: [....38] [ip4][..tcp] [..192.168.1.184][56639] -> [.18.219.167.159][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.131| 0.020| 0.046] - [IAT(c->s)...: 0.000| 0.131| 0.013| 0.039][IAT(s->c)...: 0.000| 0.131| 0.031| 0.054] - [PKTLEN(c->s): 66.000| 587.000| 104.700| 114.000][PKTLEN(s->c): 60.000| 556.000| 110.800| 134.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.131| 0.020| 0.046| 2133.935| 0.000] + [PKTLEN......: 60.000| 587.000| 107.000| 122.200|14931.500| 4.500] [BINS(c->s)..: 16,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 10,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1] + [IATS........: 130846,130950,1277,122765,1253,122671,155,10,149,9,88,86,123,126,124,123,256,9,49,17,28,59,7,51,29,22,20,121098,33,23,22,0] + [PKTLENS.....: 78,74,66,587,66,556,66,98,67,66,66,81,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60] analyse: 
[....46] [ip4][..tcp] [..192.168.1.184][56650] -> [.35.228.250.140][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.057| 0.011| 0.022] - [IAT(c->s)...: 0.000| 0.057| 0.009| 0.021][IAT(s->c)...: 0.000| 0.057| 0.015| 0.024] - [PKTLEN(c->s): 66.000| 528.000| 104.100| 101.300][PKTLEN(s->c): 66.000| 508.000| 131.500| 120.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.057| 0.011| 0.022| 493.706| 0.000] + [PKTLEN......: 66.000| 528.000| 114.400| 109.700|12030.800| 4.600] [BINS(c->s)..: 15,3,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,2,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,1,1,0,0,1,1] + [IATS........: 56823,56925,1602,56390,2342,57129,531,462,124,8,117,8,162,10,51,23,20,1132,926,430,2,33,26,92,56511,32,22,55939,9,1784,32,0] + [PKTLENS.....: 78,74,66,528,66,508,66,98,66,209,67,66,66,98,67,190,69,82,82,66,98,67,114,81,82,66,98,148,66,66,96,66] analyse: [....18] [ip4][..tcp] [..192.168.1.184][56622] -> [..18.138.108.67][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.300| 0.044| 0.100] - [IAT(c->s)...: 0.000| 0.300| 0.028| 0.083][IAT(s->c)...: 0.000| 0.300| 0.073| 0.120] - [PKTLEN(c->s): 66.000| 597.000| 103.300| 113.600][PKTLEN(s->c): 60.000| 384.000| 100.400| 90.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.300| 0.044| 0.100|10075.352| 0.000] + [PKTLEN......: 60.000| 597.000| 102.300| 106.200|11275.500| 4.600] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1] + [IATS........: 
300373,300415,1705,253379,743,11,252408,10,126,124,122,12,120,7,112,11,115,13,362,33,90,11,17,64,29,59,24,45,44,252812,30,0] + [PKTLENS.....: 78,74,66,597,66,384,98,66,66,67,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60] analyse: [....19] [ip4][..tcp] [..192.168.1.184][56623] -> [...18.138.81.28][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.308| 0.045| 0.103] - [IAT(c->s)...: 0.000| 0.308| 0.029| 0.085][IAT(s->c)...: 0.000| 0.308| 0.075| 0.123] - [PKTLEN(c->s): 66.000| 537.000| 100.400| 101.200][PKTLEN(s->c): 60.000| 488.000| 110.400| 119.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.308| 0.045| 0.103|10532.101| 0.000] + [PKTLEN......: 60.000| 537.000| 103.800| 108.100|11684.800| 4.600] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,1] + [IATS........: 308002,308079,2079,260252,1619,259755,495,482,122,10,122,8,118,9,119,17,140,15,66,21,45,75,23,49,39,20,18,2347,1915,254515,36,0] + [PKTLENS.....: 78,74,66,537,66,488,66,98,66,67,68,66,66,79,82,66,66,98,67,190,69,82,98,67,68,79,82,66,66,66,66,60] new: [....58] [ip4][..udp] [183.129.242.164][.1024] -> [..192.168.1.184][30303] detected: [....58] [ip4][..udp] [183.129.242.164][.1024] -> [..192.168.1.184][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol 
@@ -319,12 +365,14 @@ detected: [....53] [ip4][..tcp] [..192.168.1.184][56658] -> [.157.230.152.87][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....10] [ip4][..tcp] [..192.168.1.184][56610] -> [..165.22.107.33][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.339| 0.050| 0.114] - [IAT(c->s)...: 0.000| 0.339| 0.032| 0.094][IAT(s->c)...: 0.000| 0.339| 0.083| 0.136] - [PKTLEN(c->s): 66.000| 640.000| 105.300| 122.500][PKTLEN(s->c): 60.000| 462.000| 107.500| 112.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.339| 0.050| 0.114|12910.542| 0.000] + [PKTLEN......: 60.000| 640.000| 106.100| 119.200|14212.100| 4.500] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,0,0,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,1,1] + [IATS........: 339196,339297,1296,287250,2535,288430,1006,11,1005,14,2,8,122,6,111,4,2,12,35,118,61,115,34,101,31,26,56,616,251,285614,33,0] + [PKTLENS.....: 78,74,66,640,66,462,66,98,67,66,66,98,67,68,79,190,66,69,66,82,82,66,98,67,68,79,82,66,66,66,60,60] detected: [....55] [ip4][..tcp] [..192.168.1.184][56661] -> [....52.9.128.68][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol new: [....59] [ip4][..udp] [..192.168.1.184][30303] -> [.202.112.28.106][30303] 
@@ -335,12 +383,14 @@ detected: [....52] [ip4][..tcp] [..192.168.1.184][56657] -> [.138.75.171.190][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....17] [ip4][..tcp] [..192.168.1.184][56621] -> [..52.187.207.27][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.355| 0.054| 0.122] - [IAT(c->s)...: 0.000| 0.355| 0.034| 0.101][IAT(s->c)...: 0.000| 0.355| 0.090| 0.146] - [PKTLEN(c->s): 66.000| 591.000| 103.000| 112.400][PKTLEN(s->c): 60.000| 517.000| 113.000| 128.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.355| 0.054| 0.122|14890.530| 0.000] + [PKTLEN......: 60.000| 591.000| 106.400| 118.100|13953.700| 4.500] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1] + [IATS........: 354503,354597,1517,316901,1340,316735,173,101,119,114,122,127,128,12,120,9,115,122,283,10,68,11,22,44,44,48,7,18,49,313859,305,0] + [PKTLENS.....: 78,74,66,591,66,517,66,98,66,67,66,68,66,79,82,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60] new: [....60] [ip4][..udp] [..192.168.1.184][30303] -> [..106.12.39.168][30333] detected: [....60] [ip4][..udp] [..192.168.1.184][30303] -> [..106.12.39.168][30333] [Mining][Mining][Unsafe] RISK: Unsafe Protocol 
@@ -357,21 +407,25 @@ detected: [....57] [ip4][..tcp] [..192.168.1.184][56663] -> [124.217.235.180][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....54] [ip4][..tcp] [..192.168.1.184][56660] -> [...51.161.23.12][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.147| 0.028| 0.054] - [IAT(c->s)...: 0.000| 0.147| 0.022| 0.051][IAT(s->c)...: 0.000| 0.142| 0.036| 0.059] - [PKTLEN(c->s): 66.000| 639.000| 109.700| 124.700][PKTLEN(s->c): 66.000| 487.000| 121.800| 117.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.147| 0.028| 0.054| 2939.853| 0.000] + [PKTLEN......: 66.000| 639.000| 114.200| 122.100|14898.100| 4.500] [BINS(c->s)..: 15,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,1,0,1,0,1,1,1,0,0,0,0,0,0,0,0,1,1,1,0,1] + [IATS........: 139345,139431,1667,141731,7248,147323,778,15,57,13,65,6714,5782,300,242,748,13,7,750,26,2,438,13,27,43,49,129951,188,824,130452,297,0] + [PKTLENS.....: 78,74,66,639,66,487,66,98,67,190,69,82,98,66,67,66,216,75,82,66,66,66,98,67,114,81,82,66,66,98,66,67] new: [....63] [ip4][..tcp] [..192.168.1.184][56672] -> [139.162.255.210][30303] new: [....64] [ip4][..tcp] [..192.168.1.184][56673] -> [..78.47.147.155][30303] analyse: [....62] [ip4][..tcp] [..192.168.1.184][56671] -> [..86.107.243.62][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.039| 0.010| 0.016] - [IAT(c->s)...: 0.000| 0.039| 0.006| 0.014][IAT(s->c)...: 0.000| 0.039| 0.019| 0.018] - [PKTLEN(c->s): 66.000| 606.000| 105.200| 107.600][PKTLEN(s->c): 66.000| 430.000| 168.500| 136.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.039| 0.010| 0.016| 256.751| 0.000] + [PKTLEN......: 66.000| 606.000| 121.000| 118.700|14100.300| 4.600] [BINS(c->s)..: 
17,5,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,1,0,1,1,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0] + [IATS........: 39074,39189,1465,38437,362,37288,763,13,47,10,88,39176,38284,307,256,561,11,34,20,89,30734,30582,269,187,28,20,37,34,54,6,63,0] + [PKTLENS.....: 78,74,66,606,66,430,66,98,67,190,69,82,306,66,66,66,98,67,114,81,82,274,66,66,98,67,69,78,82,98,67,70] new: [....65] [ip4][..tcp] [..192.168.1.184][56674] -> [...94.68.55.162][30303] detected: [....63] [ip4][..tcp] [..192.168.1.184][56672] -> [139.162.255.210][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol 
@@ -381,30 +435,36 @@ detected: [....66] [ip4][..tcp] [..192.168.1.184][56675] -> [..35.235.37.216][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....53] [ip4][..tcp] [..192.168.1.184][56658] -> [.157.230.152.87][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.184| 0.035| 0.071] - [IAT(c->s)...: 0.000| 0.183| 0.029| 0.066][IAT(s->c)...: 0.000| 0.184| 0.045| 0.078] - [PKTLEN(c->s): 66.000| 649.000| 110.200| 127.000][PKTLEN(s->c): 66.000| 457.000| 120.700| 110.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.184| 0.035| 0.071| 5044.452| 0.000] + [PKTLEN......: 66.000| 649.000| 114.100| 121.000|14650.900| 4.500] [BINS(c->s)..: 15,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0] + [IATS........: 179302,179369,1797,184362,177,182759,106,62,111,97,367,12,367,8,114,117,157,11,64,17,19,306,10,10,14,156,176481,904,995,9,177632,0] + [PKTLENS.....: 78,74,66,649,66,457,66,98,66,67,66,227,80,66,66,82,66,98,67,190,69,82,98,67,125,70,82,66,66,98,67,66] detected: [....65] [ip4][..tcp] [..192.168.1.184][56674] -> [...94.68.55.162][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol new: [....67] [ip4][..tcp] [..192.168.1.184][56678] -> [..13.251.14.199][30303] analyse: [....63] [ip4][..tcp] [..192.168.1.184][56672] -> [139.162.255.210][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.042| 0.007| 0.015] - [IAT(c->s)...: 0.000| 0.042| 0.005| 0.013][IAT(s->c)...: 0.000| 0.042| 0.009| 0.017] - [PKTLEN(c->s): 66.000| 452.000| 101.400| 89.600][PKTLEN(s->c): 60.000| 422.000| 93.600| 91.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.042| 0.007| 0.015| 228.263| 0.000] + [PKTLEN......: 60.000| 452.000| 98.000| 90.700| 8221.200| 
4.600] [BINS(c->s)..: 14,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1] + [IATS........: 41413,41460,1312,42383,1046,42119,204,192,363,356,369,368,205,23,58,13,64,62,24,80,8,25,33,39148,1363,11,132,116,14,104,121,0] + [PKTLENS.....: 78,74,66,452,66,422,66,98,66,82,66,82,66,98,67,190,69,82,98,67,68,79,82,66,66,60,60,60,60,60,60,60] new: [....68] [ip4][..tcp] [..192.168.1.184][56679] -> [..35.228.158.52][30303] analyse: [....55] [ip4][..tcp] [..192.168.1.184][56661] -> [....52.9.128.68][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.194| 0.037| 0.074] - [IAT(c->s)...: 0.000| 0.194| 0.030| 0.069][IAT(s->c)...: 0.000| 0.194| 0.048| 0.082] - [PKTLEN(c->s): 66.000| 538.000| 104.600| 103.300][PKTLEN(s->c): 66.000| 494.000| 130.300| 116.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.194| 0.037| 0.074| 5538.541| 0.000] + [PKTLEN......: 66.000| 538.000| 114.200| 109.000|11872.900| 4.600] [BINS(c->s)..: 15,3,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,2,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,1,1,0,1,0,1,1,0] + [IATS........: 179215,179258,1530,193512,372,17,192344,9,225,230,714,12,52,18,61,2845,2062,406,9,21,19,104,193755,151,777,194120,128,66,1119,26,1161,0] + [PKTLENS.....: 78,74,66,538,66,494,98,66,66,198,66,98,67,190,69,82,94,66,98,67,114,81,82,66,66,98,66,147,66,97,66,66] new: [....69] [ip4][..tcp] [..192.168.1.184][56680] -> [...138.59.17.58][30303] new: [....70] [ip4][..tcp] [..192.168.1.184][56681] -> [207.180.206.216][30303] detected: [....68] [ip4][..tcp] [..192.168.1.184][56679] -> 
[..35.228.158.52][30303] [Mining][Mining][Unsafe] 
@@ -415,20 +475,24 @@ detected: [....70] [ip4][..tcp] [..192.168.1.184][56681] -> [207.180.206.216][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....65] [ip4][..tcp] [..192.168.1.184][56674] -> [...94.68.55.162][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.075| 0.014| 0.028] - [IAT(c->s)...: 0.000| 0.075| 0.012| 0.026][IAT(s->c)...: 0.000| 0.075| 0.018| 0.031] - [PKTLEN(c->s): 66.000| 613.000| 108.300| 119.200][PKTLEN(s->c): 66.000| 570.000| 136.700| 136.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.075| 0.014| 0.028| 803.714| 0.000] + [PKTLEN......: 66.000| 613.000| 119.000| 126.800|16079.300| 4.500] [BINS(c->s)..: 15,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,2,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1,1,0,0,1] + [IATS........: 71269,71376,1312,75129,983,32,74778,28,135,90,486,477,192,27,65,15,66,252,9,12,16,87,69614,777,19,69699,729,15,730,7,115,0] + [PKTLENS.....: 78,74,66,613,66,570,98,66,66,209,66,83,66,98,67,190,69,82,98,67,114,81,82,66,66,98,66,148,96,66,66,66] new: [....72] [ip4][..tcp] [..192.168.1.184][56684] -> [...51.83.237.44][30303] analyse: [....52] [ip4][..tcp] [..192.168.1.184][56657] -> [.138.75.171.190][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.263| 0.042| 0.096] - [IAT(c->s)...: 0.000| 0.263| 0.033| 0.086][IAT(s->c)...: 0.000| 0.261| 0.052| 0.104] - [PKTLEN(c->s): 66.000| 605.000| 112.500| 126.500][PKTLEN(s->c): 60.000| 525.000| 97.400| 115.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.263| 0.042| 0.096| 9182.918| 0.000] + [PKTLEN......: 60.000| 605.000| 105.400| 121.500|14755.200| 4.500] [BINS(c->s)..: 13,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 
12,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1] + [IATS........: 259670,259779,1313,261414,3049,263115,462,422,253,247,161,10,63,22,41,100,13,84,18,22,24,260103,45,20,93,122,13,668,28,8,8,0] + [PKTLENS.....: 78,74,66,605,66,525,66,98,66,98,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60,60,60] new: [....73] [ip4][..tcp] [..192.168.1.184][56685] -> [...88.99.93.219][30303] detected: [....72] [ip4][..tcp] [..192.168.1.184][56684] -> [...51.83.237.44][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol 
@@ -442,12 +506,14 @@ detected: [....74] [ip4][..tcp] [..192.168.1.184][56686] -> [.206.189.107.35][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....64] [ip4][..tcp] [..192.168.1.184][56673] -> [..78.47.147.155][30303] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.286| 0.027| 0.065] - [IAT(c->s)...: 0.000| 0.286| 0.019| 0.060][IAT(s->c)...: 0.000| 0.247| 0.046| 0.073] - [PKTLEN(c->s): 66.000| 633.000| 108.400| 114.800][PKTLEN(s->c): 66.000| 413.000| 162.300| 125.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.286| 0.027| 0.065| 4262.303| 0.000] + [PKTLEN......: 66.000| 633.000| 123.600| 120.400|14503.600| 4.600] [BINS(c->s)..: 16,5,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,1,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,1,0,0] + [IATS........: 40373,40438,1542,40906,246535,285939,40615,40605,699,30,144,12,23,360,16,18,29,110,39411,235,883,650,39691,157,36,21,17,63,1098,839,216,0] + [PKTLENS.....: 78,74,66,633,66,306,78,413,66,98,67,190,69,82,98,67,114,81,82,66,66,66,130,66,98,67,69,78,82,274,66,98] end: [....52] [ip4][..tcp] [..192.168.1.184][56657] -> [.138.75.171.190][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol idle: [....69] [ip4][..tcp] [..192.168.1.184][56680] -> [...138.59.17.58][30303] [Mining][Mining][Unsafe] diff --git a/test/results/flow-info/exe_download.pcap.out b/test/results/flow-info/exe_download.pcap.out index 84fa06cfd..68b804d98 100644 --- a/test/results/flow-info/exe_download.pcap.out +++ b/test/results/flow-info/exe_download.pcap.out 
@@ -7,12 +7,14 @@ detection-update: [.....1] [ip4][..tcp] [....10.9.25.101][49165] -> [..144.91.69.195][...80] [HTTP][Download][Acceptable] RISK: Binary App Transfer, HTTP Suspicious User-Agent, HTTP Numeric IP Address analyse: [.....1] [ip4][..tcp] [....10.9.25.101][49165] -> [..144.91.69.195][...80] [HTTP][Download][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.320| 0.062| 0.115] - [IAT(c->s)...: 0.000| 0.320| 0.096| 0.123][IAT(s->c)...: 0.000| 0.319| 0.046| 0.107] - [PKTLEN(c->s): 54.000| 207.000| 69.000| 43.800][PKTLEN(s->c): 54.000|1514.000|1287.300| 411.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.320| 0.062| 0.115|13236.602| 0.000] + [PKTLEN......: 54.000| 1514.000| 868.500| 668.400|446708.300| 4.400] [BINS(c->s)..: 10,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,2,0,0,8,0,0,7,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,1,1,1,0,1,1,1,0,0,1,1,1,1,0,1,0,1,1,1,1,0] + [IATS........: 319320,319527,656,1120,298136,10,298579,1555,147,1842,2428,2695,9,4969,246,28639,114,28917,100748,305805,34,11,94,205204,207,207,651,10,7,7,727,0] + [PKTLENS.....: 66,58,54,207,54,1514,1322,54,1418,1418,54,1418,1514,1302,54,1418,1418,1418,54,54,1514,1514,1226,1418,54,1418,54,1514,1514,1514,1130,54] end: [.....1] [ip4][..tcp] [....10.9.25.101][49165] -> [..144.91.69.195][...80] [HTTP][Download][Acceptable] RISK: Binary App Transfer, HTTP Suspicious User-Agent, HTTP Numeric IP Address DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/exe_download_as_png.pcap.out b/test/results/flow-info/exe_download_as_png.pcap.out index 827a01790..629485974 100644 --- a/test/results/flow-info/exe_download_as_png.pcap.out +++ b/test/results/flow-info/exe_download_as_png.pcap.out 
@@ -7,12 +7,14 @@ detection-update: [.....1] [ip4][..tcp] [....10.9.25.101][49197] -> [..185.98.87.185][...80] [HTTP][Web][Acceptable] RISK: Binary App Transfer, HTTP Numeric IP Address analyse: [.....1] [ip4][..tcp] [....10.9.25.101][49197] -> [..185.98.87.185][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.613| 0.094| 0.193] - [IAT(c->s)...: 0.000| 0.613| 0.144| 0.225][IAT(s->c)...: 0.000| 0.613| 0.070| 0.170] - [PKTLEN(c->s): 54.000| 203.000| 68.600| 42.600][PKTLEN(s->c): 54.000|1514.000|1288.300| 400.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.613| 0.094| 0.193|37090.865| 0.000] + [PKTLEN......: 54.000| 1514.000| 869.000| 664.600|441668.300| 4.400] [BINS(c->s)..: 10,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,17,0,0,1,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,1,0,1,1,0,1,1,0,1,1] + [IATS........: 400153,400486,228,717,612677,12,613012,424,482,834,426,507,936,1134,423,1552,361,732,1082,417726,1390,103,419479,654,405,941,2596,154,2784,26602,344,0] + [PKTLENS.....: 66,58,54,203,54,1514,1322,54,1418,1418,54,1418,1418,54,1418,1418,54,1418,1418,54,1418,1418,1418,54,1418,1418,54,1418,1418,54,1418,1418] end: [.....1] [ip4][..tcp] [....10.9.25.101][49197] -> [..185.98.87.185][...80] [HTTP][Web][Acceptable] RISK: Binary App Transfer, HTTP Numeric IP Address DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/facebook.pcap.out b/test/results/flow-info/facebook.pcap.out index 2720141ad..96accfafa 100644 --- a/test/results/flow-info/facebook.pcap.out +++ b/test/results/flow-info/facebook.pcap.out 
@@ -9,12 +9,14 @@ detected: [.....2] [ip4][..tcp] [..192.168.43.18][44614] -> [....31.13.86.36][..443] [TLS.Facebook][SocialNetwork][Fun] detection-update: [.....2] [ip4][..tcp] [..192.168.43.18][44614] -> [....31.13.86.36][..443] [TLS.Facebook][SocialNetwork][Fun] analyse: [.....2] [ip4][..tcp] [..192.168.43.18][44614] -> [....31.13.86.36][..443] [TLS.Facebook][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.155| 0.037| 0.058] - [IAT(c->s)...: 0.000| 0.155| 0.044| 0.061][IAT(s->c)...: 0.000| 0.155| 0.032| 0.055] - [PKTLEN(c->s): 66.000| 583.000| 137.400| 157.900][PKTLEN(s->c): 66.000|1454.000| 904.800| 625.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.155| 0.037| 0.058| 3352.274| 0.000] + [PKTLEN......: 66.000| 1454.000| 569.100| 613.300|376153.100| 4.200] [BINS(c->s)..: 10,2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,2,1,0,1,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0] + [IATS........: 132117,132136,193,154701,485,154982,244,3282,129361,125921,442,418,797,119231,4520,123730,627,605,1230,4940,621,5568,8878,7797,16680,916,530,1441,790,657,1444,0] + [PKTLENS.....: 74,74,66,583,66,212,66,117,452,147,104,104,108,66,1454,445,66,1454,590,66,1454,1454,66,1454,1454,66,1454,1454,66,1454,1454,66] idle: [.....1] [ip4][..tcp] [..192.168.43.18][52066] -> [..66.220.156.68][..443] idle: [.....2] [ip4][..tcp] [..192.168.43.18][44614] -> [....31.13.86.36][..443] [TLS.Facebook][SocialNetwork][Fun] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/fastcgi.pcap.out b/test/results/flow-info/fastcgi.pcap.out index 97b96369c..c41285a9f 100644 --- a/test/results/flow-info/fastcgi.pcap.out +++ b/test/results/flow-info/fastcgi.pcap.out 
@@ -4,11 +4,13 @@ new: [.....1] [ip4][..tcp] [.......10.0.0.9][38254] -> [......10.0.0.11][.9000] detected: [.....1] [ip4][..tcp] [.......10.0.0.9][38254] -> [......10.0.0.11][.9000] [FastCGI][Network][Safe] analyse: [.....1] [ip4][..tcp] [.......10.0.0.9][38254] -> [......10.0.0.11][.9000] [FastCGI][Network][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 2.020| 0.130| 0.496] - [IAT(c->s)...: 0.000| 2.020| 0.135| 0.504][IAT(s->c)...: 0.000| 2.020| 0.126| 0.489] - [PKTLEN(c->s): 66.000|1121.000| 134.900| 254.600][PKTLEN(s->c): 66.000|1514.000| 971.500| 700.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 2.020| 0.130| 0.496|246254.469| 0.000] + [PKTLEN......: 66.000| 1514.000| 553.200| 672.800|452637.900| 3.900] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0] + [DIRECTIONS..: 0,1,0,0,0,0,1,0,0,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 169,226,42,67,15,217,77,12,83,12,48,16,2019881,2020143,186,63,52,55,94,90,42,33,32,28,26,27,50,53,34,34,32,0] + [PKTLENS.....: 74,74,66,82,1121,74,66,74,74,66,66,66,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514] end: [.....1] [ip4][..tcp] [.......10.0.0.9][38254] -> [......10.0.0.11][.9000] [FastCGI][Network][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/firefox.pcap.out b/test/results/flow-info/firefox.pcap.out index 2595a52ba..43d7d24db 100644 --- a/test/results/flow-info/firefox.pcap.out +++ b/test/results/flow-info/firefox.pcap.out 
@@ -6,12 +6,14 @@ detection-update: [.....1] [ip4][..tcp] [..192.168.1.178][51577] -> [...146.48.58.18][..443] [TLS][Web][Safe] new: [.....2] [ip4][..tcp] [..192.168.1.178][51583] -> [...146.48.58.18][..443] analyse: [.....1] [ip4][..tcp] [..192.168.1.178][51577] -> [...146.48.58.18][..443] [TLS][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.577| 0.067| 0.148] - [IAT(c->s)...: 0.000| 0.577| 0.079| 0.157][IAT(s->c)...: 0.000| 0.575| 0.058| 0.141] - [PKTLEN(c->s): 66.000| 583.000| 163.100| 174.000][PKTLEN(s->c): 66.000|1506.000| 938.200| 652.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.577| 0.067| 0.148|21926.652| 0.000] + [PKTLEN......: 66.000| 1506.000| 599.100| 633.000|400627.700| 4.200] [BINS(c->s)..: 10,0,1,0,0,0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,9,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,0,0,1,1,1] + [IATS........: 26706,26798,1311,27344,5752,45,31822,499,455,210977,313,236002,29,1309,26,26092,3,575380,1218,576607,259,117,346,122,123,243,1357,145807,171406,2874,1353,0] + [PKTLENS.....: 78,74,66,583,66,1506,1506,66,772,66,146,452,66,66,369,369,66,66,1506,1506,66,1506,1506,66,1506,1485,66,66,431,66,1506,1506] new: [.....3] [ip4][..tcp] [..192.168.1.178][51588] -> [...146.48.58.18][..443] detected: [.....2] [ip4][..tcp] [..192.168.1.178][51583] -> [...146.48.58.18][..443] [TLS][Web][Safe] detected: [.....3] [ip4][..tcp] [..192.168.1.178][51588] -> [...146.48.58.18][..443] [TLS][Web][Safe] 
@@ -21,49 +23,59 @@ new: [.....5] [ip4][..tcp] [..192.168.1.178][51600] -> [...146.48.58.18][..443] new: [.....6] [ip4][..tcp] [..192.168.1.178][51601] -> [...146.48.58.18][..443] analyse: [.....2] [ip4][..tcp] [..192.168.1.178][51583] -> [...146.48.58.18][..443] [TLS][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.231| 0.023| 0.053] - [IAT(c->s)...: 0.000| 0.204| 0.030| 0.054][IAT(s->c)...: 0.000| 0.231| 0.019| 0.051] - [PKTLEN(c->s): 66.000| 746.000| 181.600| 208.100][PKTLEN(s->c): 66.000|1506.000| 981.100| 649.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.231| 0.023| 0.053| 2771.897| 0.000] + [PKTLEN......: 66.000| 1506.000| 656.300| 649.700|422101.600| 4.200] [BINS(c->s)..: 9,0,1,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,0,1,1,1,1,0,1,0,1,1,0,1,1,1,1,0] + [IATS........: 34406,34489,3261,32258,1506,30479,4158,18595,31638,14,8894,18473,2988,120,21557,203508,231008,997,180,13,28684,187,199,924,71,1013,133,374,19,9,500,0] + [PKTLENS.....: 78,74,66,746,66,326,66,146,416,66,369,66,66,1506,1042,66,447,66,1506,1506,1506,66,1506,66,1506,1506,66,1506,1506,1506,1506,66] detected: [.....5] [ip4][..tcp] [..192.168.1.178][51600] -> [...146.48.58.18][..443] [TLS][Web][Safe] detected: [.....4] [ip4][..tcp] [..192.168.1.178][51599] -> [...146.48.58.18][..443] [TLS][Web][Safe] detected: [.....6] [ip4][..tcp] [..192.168.1.178][51601] -> [...146.48.58.18][..443] [TLS][Web][Safe] analyse: [.....3] [ip4][..tcp] [..192.168.1.178][51588] -> [...146.48.58.18][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.221| 0.023| 0.050] - [IAT(c->s)...: 0.000| 0.196| 0.028| 0.050][IAT(s->c)...: 0.000| 0.221| 0.020| 0.051] - [PKTLEN(c->s): 66.000| 746.000| 173.800| 203.200][PKTLEN(s->c): 66.000|1506.000| 972.200| 662.900] + 
[min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.221| 0.023| 0.050| 2549.799| 0.000] + [PKTLEN......: 66.000| 1506.000| 622.900| 649.700|422127.900| 4.200] [BINS(c->s)..: 10,0,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,10,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0] + [IATS........: 27372,27441,16192,42139,1225,27152,10064,34749,19,24715,195798,221390,1843,27432,3443,28677,1090,241,26560,1009,109,1111,130,120,236,127,123,253,261,233,512,0] + [PKTLENS.....: 78,74,66,746,66,326,66,146,66,369,66,433,66,1406,66,436,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66] detection-update: [.....3] [ip4][..tcp] [..192.168.1.178][51588] -> [...146.48.58.18][..443] [TLS][Web][Safe] detection-update: [.....5] [ip4][..tcp] [..192.168.1.178][51600] -> [...146.48.58.18][..443] [TLS][Web][Safe] detection-update: [.....4] [ip4][..tcp] [..192.168.1.178][51599] -> [...146.48.58.18][..443] [TLS][Web][Safe] detection-update: [.....6] [ip4][..tcp] [..192.168.1.178][51601] -> [...146.48.58.18][..443] [TLS][Web][Safe] analyse: [.....5] [ip4][..tcp] [..192.168.1.178][51600] -> [...146.48.58.18][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.030| 0.007| 0.010] - [IAT(c->s)...: 0.000| 0.028| 0.008| 0.010][IAT(s->c)...: 0.000| 0.030| 0.007| 0.011] - [PKTLEN(c->s): 66.000| 746.000| 142.100| 186.000][PKTLEN(s->c): 66.000|1506.000|1031.400| 647.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.030| 0.007| 0.010| 104.605| 0.000] + [PKTLEN......: 66.000| 1506.000| 614.500| 660.200|435829.600| 4.100] [BINS(c->s)..: 12,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 
0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,1,0,1] + [IATS........: 26761,26832,3278,29208,2415,28362,2863,12850,29597,2,13859,11433,1695,114,13236,128,293,994,822,122,164,127,63,168,80,256,81,263,11998,12186,128,0] + [PKTLENS.....: 78,74,66,746,66,326,66,146,436,66,369,66,66,1506,1506,66,1506,66,1506,66,1506,66,1506,66,1506,1506,66,66,1506,1506,66,1506] detection-update: [.....5] [ip4][..tcp] [..192.168.1.178][51600] -> [...146.48.58.18][..443] [TLS][Web][Safe] analyse: [.....4] [ip4][..tcp] [..192.168.1.178][51599] -> [...146.48.58.18][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.046| 0.009| 0.012] - [IAT(c->s)...: 0.000| 0.028| 0.010| 0.011][IAT(s->c)...: 0.000| 0.046| 0.008| 0.014] - [PKTLEN(c->s): 66.000| 746.000| 142.100| 186.000][PKTLEN(s->c): 66.000|1506.000| 989.800| 638.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.046| 0.009| 0.012| 154.305| 0.000] + [PKTLEN......: 66.000| 1506.000| 592.400| 641.500|411570.000| 4.100] [BINS(c->s)..: 12,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,1,0] + [IATS........: 28117,28187,5501,31657,1076,27239,20259,3957,45603,1275,22621,2846,3133,147,6125,104,193,162,80,94,95,129,121,148,217,366,254,1527,18636,26,17416,0] + [PKTLENS.....: 78,74,66,746,66,326,66,146,436,66,369,66,66,1506,1506,66,1506,66,1506,66,1506,66,1506,66,1506,1506,66,1506,66,1506,799,66] detection-update: [.....4] [ip4][..tcp] [..192.168.1.178][51599] -> [...146.48.58.18][..443] [TLS][Web][Safe] analyse: [.....6] [ip4][..tcp] [..192.168.1.178][51601] -> [...146.48.58.18][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.037| 0.010| 0.013] - [IAT(c->s)...: 0.000| 0.036| 0.011| 0.012][IAT(s->c)...: 0.000| 0.037| 0.009| 0.014] - [PKTLEN(c->s): 66.000| 746.000| 167.400| 
199.200][PKTLEN(s->c): 66.000|1506.000| 882.300| 669.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.037| 0.010| 0.013| 180.101| 0.000] + [PKTLEN......: 66.000| 1506.000| 547.200| 619.500|383804.700| 4.100] [BINS(c->s)..: 11,0,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,1,1,0,1,1,1,0,0,0,0,1,1,1,0,0,1] + [IATS........: 28631,28716,7742,37388,1480,31124,2184,12981,31005,84,15910,15394,488,119,15971,252,383,635,139,236,17,375,2,151,475,36484,124,120,36112,183,377,0] + [PKTLENS.....: 78,74,66,746,66,326,66,146,436,66,369,66,66,1506,1506,66,1506,1506,66,1506,1506,412,66,66,66,445,66,1506,1506,66,66,1506] detection-update: [.....6] [ip4][..tcp] [..192.168.1.178][51601] -> [...146.48.58.18][..443] [TLS][Web][Safe] idle: [.....1] [ip4][..tcp] [..192.168.1.178][51577] -> [...146.48.58.18][..443] [TLS][Web][Safe] idle: [.....2] [ip4][..tcp] [..192.168.1.178][51583] -> [...146.48.58.18][..443] [TLS][Web][Safe] diff --git a/test/results/flow-info/fix.pcap.out b/test/results/flow-info/fix.pcap.out index e41f3ca79..7e9d6815f 100644 --- a/test/results/flow-info/fix.pcap.out +++ b/test/results/flow-info/fix.pcap.out 
@@ -14,32 +14,38 @@ new: [.....6] [ip4][..tcp] [.....8.17.22.31][.4000] -> [...192.168.0.20][47962] [MIDSTREAM] detected: [.....6] [ip4][..tcp] [.....8.17.22.31][.4000] -> [...192.168.0.20][47962] [FIX][RPC][Safe] analyse: [.....3] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][45578] [FIX][RPC][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.315| 0.065| 0.068] - [IAT(c->s)...: 0.004| 0.315| 0.067| 0.068][IAT(s->c)...: 0.000| 0.315| 0.063| 0.068] - [PKTLEN(c->s): 54.000| 511.000| 149.100| 106.800][PKTLEN(s->c): 60.000| 140.000| 65.000| 19.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.315| 0.065| 0.068| 4636.039| 0.000] + [PKTLEN......: 54.000| 511.000| 107.100| 87.500| 7658.200| 4.700] [BINS(c->s)..: 4,6,1,1,1,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 170,209,52428,3585,93980,87569,49399,50741,50707,52796,52875,49653,49630,49737,49707,49456,49402,49750,49791,49981,50005,49926,49930,49589,49596,49797,49760,50218,50168,314891,314954,0] + [PKTLENS.....: 93,60,140,169,54,60,511,60,230,60,233,60,143,60,110,60,185,60,112,60,81,60,106,60,81,60,89,60,108,60,81,60] new: [.....7] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][38652] [MIDSTREAM] detected: [.....7] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][38652] [FIX][RPC][Safe] new: [.....8] [ip4][..tcp] [.....8.17.22.31][.4000] -> [...192.168.0.20][40918] [MIDSTREAM] detected: [.....8] [ip4][..tcp] [.....8.17.22.31][.4000] -> [...192.168.0.20][40918] [FIX][RPC][Safe] analyse: [.....2] [ip4][..tcp] [.....8.17.22.31][.4000] -> [...192.168.0.20][47968] [FIX][RPC][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.300| 0.091| 0.084] - [IAT(c->s)...: 0.000| 0.300| 0.094| 0.084][IAT(s->c)...: 0.000| 
0.300| 0.088| 0.084] - [PKTLEN(c->s): 66.000| 135.000| 100.600| 15.800][PKTLEN(s->c): 66.000| 153.000| 71.400| 21.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.300| 0.091| 0.084| 7079.807| 0.000] + [PKTLEN......: 66.000| 153.000| 86.000| 23.600| 558.300| 4.900] [BINS(c->s)..: 6,8,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,0,1,1,1,0,0,1,0,1,0,1,0,1,0,1] + [IATS........: 147,100141,123,100163,124,100018,123,100053,25,99913,99995,100225,100166,100788,100836,300170,29,300186,26,222,17881,82390,142005,200503,158539,99966,99944,398,386,200212,200256,0] + [PKTLENS.....: 96,66,101,92,66,66,101,100,66,66,92,66,135,66,91,66,105,135,66,66,153,66,105,66,101,66,101,66,90,66,98,66] new: [.....9] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][38646] [MIDSTREAM] detected: [.....9] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][38646] [FIX][RPC][Safe] analyse: [.....1] [ip4][..tcp] [.....8.17.22.31][.4000] -> [...192.168.0.20][43594] [FIX][RPC][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.291| 0.178| 0.113] - [IAT(c->s)...: 0.000| 0.251| 0.184| 0.108][IAT(s->c)...: 0.000| 0.291| 0.172| 0.117] - [PKTLEN(c->s): 66.000| 254.000| 148.100| 45.100][PKTLEN(s->c): 66.000| 151.000| 71.300| 20.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.291| 0.178| 0.113|12753.578| 0.000] + [PKTLEN......: 66.000| 254.000| 109.700| 52.000| 2700.500| 4.800] [BINS(c->s)..: 2,4,3,5,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,1,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1] + [IATS........: 
209,293,265,250589,114,250615,24,223,18233,232135,291268,250073,208970,250691,250733,250586,250560,250658,250654,250671,250658,250632,30,250660,26,251471,251453,249735,249759,250325,250315,0] + [PKTLENS.....: 152,66,91,66,105,152,66,66,151,66,169,66,169,66,186,66,169,66,169,66,118,66,254,113,66,66,135,66,203,66,118,66] new: [....10] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][39094] [MIDSTREAM] detected: [....10] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][39094] [FIX][RPC][Safe] new: [....11] [ip4][..tcp] [..217.192.86.32][.4000] -> [...192.168.0.20][53330] [MIDSTREAM] 
@@ -47,19 +53,23 @@ new: [....12] [ip4][..tcp] [.....8.17.22.31][.4000] -> [...192.168.0.20][40928] [MIDSTREAM] detected: [....12] [ip4][..tcp] [.....8.17.22.31][.4000] -> [...192.168.0.20][40928] [FIX][RPC][Safe] analyse: [.....5] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][45584] [FIX][RPC][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 5.507| 0.699| 1.281] - [IAT(c->s)...: 0.046| 5.507| 0.721| 1.296][IAT(s->c)...: 0.000| 5.507| 0.678| 1.266] - [PKTLEN(c->s): 54.000| 93.000| 85.100| 11.800][PKTLEN(s->c): 60.000| 141.000| 70.100| 26.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 5.507| 0.699| 1.281|1640706.605| 0.000] + [PKTLEN......: 54.000| 141.000| 77.600| 21.900| 481.200| 4.900] [BINS(c->s)..: 2,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 14,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1] + [IATS........: 168,500717,500699,200419,200471,184,89723,210661,340264,500679,460548,5507291,5507323,600979,600971,400442,400455,700964,700990,400404,400386,600557,600559,400806,400807,600830,600822,215,54314,45693,140268,0] + [PKTLENS.....: 89,60,89,60,93,60,141,54,89,60,89,60,89,60,89,60,89,60,89,60,89,60,89,60,89,60,93,60,140,54,89,60] analyse: [.....8] [ip4][..tcp] [.....8.17.22.31][.4000] -> [...192.168.0.20][40918] [FIX][RPC][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 4.175| 1.332| 1.132] - [IAT(c->s)...: 0.022| 4.175| 1.376| 1.120][IAT(s->c)...: 0.000| 4.175| 1.290| 1.143] - [PKTLEN(c->s): 66.000| 147.000| 106.700| 19.500][PKTLEN(s->c): 66.000| 151.000| 76.600| 28.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 4.175| 1.332| 1.132|1282462.056| 0.000] + [PKTLEN......: 66.000| 151.000| 91.700| 28.500| 811.200| 4.900] [BINS(c->s)..: 
2,13,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 14,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1] + [IATS........: 110,1093319,1093395,599016,598995,1546128,1546141,239,22763,2072709,2137804,913298,870712,442005,442027,3366066,3366054,1195438,1195405,437653,437695,1550229,1550211,211,22417,1711389,1774342,1498173,1457475,4175061,4175010,0] + [PKTLENS.....: 105,66,126,66,105,66,105,66,151,66,105,66,105,66,126,66,105,66,126,66,105,66,105,66,151,66,105,66,147,66,105,66] idle: [.....3] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][45578] [FIX][RPC][Safe] idle: [.....5] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][45584] [FIX][RPC][Safe] idle: [.....8] [ip4][..tcp] [.....8.17.22.31][.4000] -> [...192.168.0.20][40918] [FIX][RPC][Safe] diff --git a/test/results/flow-info/fix2.pcap.out b/test/results/flow-info/fix2.pcap.out index b8b071d5b..7b66cbe1a 100644 --- a/test/results/flow-info/fix2.pcap.out +++ b/test/results/flow-info/fix2.pcap.out 
@@ -6,19 +6,23 @@ detected: [.....1] [ip4][..tcp] [.....10.101.0.2][34962] -> [.....10.102.0.2][.1024] [FIX][RPC][Safe] detected: [.....2] [ip4][..tcp] [.....10.101.0.2][34963] -> [.....10.102.0.9][.1024] [FIX][RPC][Safe] analyse: [.....1] [ip4][..tcp] [.....10.101.0.2][34962] -> [.....10.102.0.2][.1024] [FIX][RPC][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.001| 0.000| 0.000] - [IAT(c->s)...: 0.000| 0.001| 0.000| 0.000][IAT(s->c)...: 0.000| 0.001| 0.000| 0.000] - [PKTLEN(c->s): 60.000| 160.000| 104.900| 45.000][PKTLEN(s->c): 60.000| 174.000| 107.800| 47.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.001| 0.000| 0.000| 0.026| 0.000] + [PKTLEN......: 60.000| 174.000| 106.600| 46.700| 2179.900| 4.900] [BINS(c->s)..: 7,0,4,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,0,3,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,1,0,1,1,0,1,0,1,1,1,0,1,0,1,0,1,0,1,0,1,1,1,0,1,0,1] + [IATS........: 641,652,12,92,71,9,33,29,203,208,31,32,5,2,23,28,2,2,8,8,11,13,25,23,5,4,9,5,7,5,0,0] + [PKTLENS.....: 62,62,60,139,62,60,147,144,60,152,144,152,146,60,60,147,60,60,60,152,60,174,157,174,60,60,60,60,157,147,160,152] analyse: [.....2] [ip4][..tcp] [.....10.101.0.2][34963] -> [.....10.102.0.9][.1024] [FIX][RPC][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.001| 0.000| 0.000] - [IAT(c->s)...: 0.000| 0.001| 0.000| 0.000][IAT(s->c)...: 0.000| 0.001| 0.000| 0.000] - [PKTLEN(c->s): 60.000| 160.000| 111.100| 44.400][PKTLEN(s->c): 60.000| 174.000| 102.100| 46.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.001| 0.000| 0.000| 0.020| 0.000] + [PKTLEN......: 60.000| 174.000| 106.000| 46.100| 2122.500| 4.900] [BINS(c->s)..: 6,0,5,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 
10,0,3,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,1,1,0,0,1,1,1,0,1,1,0,1,0,1,0,1,0,1,1,1,0,1,0,1,1,0] + [IATS........: 568,570,2,146,145,106,1,105,2,16,6,26,48,7,14,19,2,2,18,19,48,49,27,12,37,4,6,27,25,0,0,0] + [PKTLENS.....: 62,62,60,139,147,144,152,62,60,144,60,60,152,146,60,147,60,152,60,174,157,147,160,60,60,60,160,162,144,60,60,60] end: [.....1] [ip4][..tcp] [.....10.101.0.2][34962] -> [.....10.102.0.2][.1024] [FIX][RPC][Safe] end: [.....2] [ip4][..tcp] [.....10.101.0.2][34963] -> [.....10.102.0.9][.1024] [FIX][RPC][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/forticlient.pcap.out b/test/results/flow-info/forticlient.pcap.out index 0615cfa17..903b3875b 100644 --- a/test/results/flow-info/forticlient.pcap.out +++ b/test/results/flow-info/forticlient.pcap.out 
@@ -37,12 +37,14 @@ detection-update: [.....5] [ip4][..tcp] [..192.168.1.178][61820] -> [....82.81.46.13][10443] [TLS.FortiClient][VPN][Safe] RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS analyse: [.....5] [ip4][..tcp] [..192.168.1.178][61820] -> [....82.81.46.13][10443] [TLS.FortiClient][VPN][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.495| 0.071| 0.112] - [IAT(c->s)...: 0.000| 0.430| 0.061| 0.095][IAT(s->c)...: 0.000| 0.495| 0.085| 0.129] - [PKTLEN(c->s): 66.000| 596.000| 163.700| 146.600][PKTLEN(s->c): 66.000|1506.000| 418.000| 468.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.495| 0.071| 0.112|12454.003| 0.000] + [PKTLEN......: 66.000| 1506.000| 267.000| 343.000|117623.000| 4.200] [BINS(c->s)..: 9,4,1,0,1,0,0,0,0,3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,1,0,0,1,0,0,0,1,1,0,1,0,0,0,0,1,0,0,1,1] + [IATS........: 62553,62662,2345,64550,19935,1929,84016,11197,85323,74192,429584,495036,65428,84550,160241,75696,71555,6274,142878,591,65604,251,221,2934,4011,39,64164,57249,427,3990,89,0] + [PKTLENS.....: 78,74,66,379,66,1506,1047,66,224,308,66,596,841,66,362,937,66,357,113,66,113,66,113,66,113,131,117,113,66,113,125,125] end: [.....1] [ip4][..tcp] [..192.168.1.178][61805] -> [....82.81.46.13][10443] end: [.....2] [ip4][..tcp] [..192.168.1.178][61806] -> [....82.81.46.13][10443] end: [.....3] [ip4][..tcp] [..192.168.1.178][61811] -> [....82.81.46.13][10443] diff --git a/test/results/flow-info/ftp-start-tls.pcap.out b/test/results/flow-info/ftp-start-tls.pcap.out index 8dd6da2a5..17c46ad5f 100644 --- a/test/results/flow-info/ftp-start-tls.pcap.out +++ b/test/results/flow-info/ftp-start-tls.pcap.out 
@@ -11,12 +11,14 @@ detection-update: [.....1] [ip4][..tcp] [...10.238.26.36][62092] -> [...10.220.50.76][...21] [FTPS][Download][Unsafe] RISK: Weak TLS Cipher, TLS (probably) Not Carrying HTTPS, Unsafe Protocol, Missing SNI TLS Extn analyse: [.....1] [ip4][..tcp] [...10.238.26.36][62092] -> [...10.220.50.76][...21] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.040| 0.005| 0.010] - [IAT(c->s)...: 0.001| 0.035| 0.009| 0.011][IAT(s->c)...: 0.000| 0.040| 0.003| 0.009] - [PKTLEN(c->s): 60.000| 384.000| 123.700| 101.500][PKTLEN(s->c): 60.000| 566.000| 195.000| 179.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.040| 0.005| 0.010| 91.331| 0.000] + [PKTLEN......: 60.000| 566.000| 174.900| 164.200|26956.400| 4.500] [BINS(c->s)..: 4,3,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,7,0,0,0,2,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,0,1,1,0,1,1,1,1,0,1,1,1,1,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,1] + [IATS........: 415,134,1253,15030,72,17807,3947,60,788,5,4347,3279,113,1027,2,8,2,118,3,2582,8520,40376,68,34737,4456,749,2222,1775,305,2738,2203,0] + [PKTLENS.....: 60,60,60,60,127,127,64,60,60,85,85,204,60,60,566,566,269,566,566,269,60,384,105,105,91,136,136,91,136,136,99,144] detection-update: [.....1] [ip4][..tcp] [...10.238.26.36][62092] -> [...10.220.50.76][...21] [FTPS][Download][Unsafe] RISK: Weak TLS Cipher, TLS (probably) Not Carrying HTTPS, Unsafe Protocol, Missing SNI TLS Extn idle: [.....1] [ip4][..tcp] [...10.238.26.36][62092] -> [...10.220.50.76][...21] [FTPS][Download][Unsafe] diff --git a/test/results/flow-info/ftp.pcap.out b/test/results/flow-info/ftp.pcap.out index 27db56659..1ebe0366e 100644 --- a/test/results/flow-info/ftp.pcap.out +++ b/test/results/flow-info/ftp.pcap.out 
@@ -5,23 +5,27 @@ detected: [.....1] [ip4][..tcp] [..192.168.1.212][50694] -> [...90.130.70.73][...21] [FTP_CONTROL][Download][Unsafe] RISK: Unsafe Protocol analyse: [.....1] [ip4][..tcp] [..192.168.1.212][50694] -> [...90.130.70.73][...21] [FTP_CONTROL][Download][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.090| 0.019| 0.021] - [IAT(c->s)...: 0.000| 0.090| 0.017| 0.023][IAT(s->c)...: 0.000| 0.069| 0.022| 0.018] - [PKTLEN(c->s): 66.000| 96.000| 71.400| 8.000][PKTLEN(s->c): 66.000| 307.000| 104.600| 58.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.090| 0.019| 0.021| 426.190| 0.000] + [PKTLEN......: 66.000| 307.000| 85.900| 42.700| 1824.000| 4.900] [BINS(c->s)..: 18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,4,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,0,1,0,1,0,0,1,0,0,1] + [IATS........: 27412,27520,29008,29012,526,27660,315,27401,217,69061,21193,90047,306,27070,21,26780,133,26972,64,26857,6,275,27478,27261,90,29,651,27147,26517,90,26761,0] + [PKTLENS.....: 78,74,66,86,66,82,66,100,66,79,66,89,66,71,66,100,66,72,81,131,66,66,77,110,66,307,66,96,88,66,71,100] new: [.....2] [ip4][..tcp] [..192.168.1.212][50695] -> [...90.130.70.73][25685] detected: [.....2] [ip4][..tcp] [..192.168.1.212][50695] -> [...90.130.70.73][25685] [FTP_DATA][Download][Acceptable] RISK: Known Proto on Non Std Port new: [.....3] [ip4][..tcp] [..192.168.1.212][50696] -> [...90.130.70.73][24523] analyse: [.....3] [ip4][..tcp] [..192.168.1.212][50696] -> [...90.130.70.73][24523] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.030| 0.006| 0.011] - [IAT(c->s)...: 0.000| 0.030| 0.008| 0.012][IAT(s->c)...: 0.000| 0.030| 0.005| 0.010] - [PKTLEN(c->s): 66.000| 78.000| 67.800| 4.300][PKTLEN(s->c): 66.000|1506.000|1354.800| 440.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 
0.000| 0.030| 0.006| 0.011| 123.407| 0.000] + [PKTLEN......: 66.000| 1506.000| 832.000| 717.500|514855.000| 4.300] [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,1,1,0,0,1,1,0,1,0,1,1,1,0,1,0,1,1] + [IATS........: 28770,28814,29579,29566,281,284,597,608,340,458,790,363,375,64,327,2,379,43,300,27513,27767,195,211,1702,115,4,1805,1866,1903,218,1796,0] + [PKTLENS.....: 78,74,66,1506,78,1506,66,1506,66,1506,1506,66,1506,66,1506,1506,1506,66,66,1506,1506,66,1506,66,1506,1506,66,66,1506,66,1506,1506] not-detected: [.....3] [ip4][..tcp] [..192.168.1.212][50696] -> [...90.130.70.73][24523] [Unknown][Unrated] end: [.....3] [ip4][..tcp] [..192.168.1.212][50696] -> [...90.130.70.73][24523] [Unknown][Unrated] end: [.....1] [ip4][..tcp] [..192.168.1.212][50694] -> [...90.130.70.73][...21] [FTP_CONTROL][Download][Unsafe] diff --git a/test/results/flow-info/fuzz-2006-06-26-2594.pcap.out b/test/results/flow-info/fuzz-2006-06-26-2594.pcap.out index d0919265e..abeebc13f 100644 --- a/test/results/flow-info/fuzz-2006-06-26-2594.pcap.out +++ b/test/results/flow-info/fuzz-2006-06-26-2594.pcap.out 
@@ -519,12 +519,14 @@ detection-update: [...111] [ip4][..udp] [....192.168.1.2][.2757] -> [....192.168.1.1][...53] [DNS][Network][Acceptable] RISK: Malformed Packet analyse: [.....1] [ip4][..udp] [....192.168.1.2][..137] -> [..192.168.1.255][..137] [NetBIOS][System][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.742| 47.495| 20.018| 22.628] - [IAT(c->s)...: 0.742| 47.495| 20.018| 22.628][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 92.000| 92.000| 92.000| 0.000][PKTLEN(s->c): 0.000| 0.000| 0.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.742| 47.495| 20.018| 22.628|512023754.441| 0.000] + [PKTLEN......: 92.000| 92.000| 92.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 746308,47494748,744583,751092,46512252,745680,46548540,1500555,45837567,749435,751083,46756478,741823,751085,45987992,749213,47479804,47268139,749384,47257959,751080,46297871,749788,46627979,750158,751078,45907667,749430,751084,46347688,750041,0] + [PKTLENS.....: 92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92] idle: [....76] [ip4][..udp] [..192.168.130.1][...53] -> [....192.168.1.2][.2741] [DNS][Network][Acceptable] idle: [....75] [ip4][..udp] [....192.168.1.2][.2741] -> [....192.168.1.1][...53] update: [....58] [ip4][..120] [....192.168.1.2] -> [..212.242.33.35] 
@@ -959,12 +961,14 @@ detected: [...165] [ip4][..udp] [....192.168.1.2][.2788] -> [....192.168.1.1][...53] [DNS][Network][Acceptable] new: [...166] [ip4][....0] [....192.168.1.1] -> [....192.168.1.2] analyse: [....12] [ip4][..udp] [..212.242.33.35][.5060] -> [....192.168.1.2][.5060] [SIP][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.026| 279.042| 51.474| 59.389] - [IAT(c->s)...: 0.026| 279.042| 77.239| 86.753][IAT(s->c)...: 0.227| 167.525| 40.934| 38.839] - [PKTLEN(c->s): 348.000| 635.000| 501.500| 76.400][PKTLEN(s->c): 47.000|1118.000| 326.300| 339.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.026| 279.042| 51.474| 59.389|3527099352.613| 0.000] + [PKTLEN......: 47.000| 1118.000| 381.000| 296.200|87757.200| 4.500] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,1,1,0,0,1,1,5,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,0,0,0,0,0,0,0,2,0,0,1,1,0,0,0,0,0,0,4,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,1,0,1,0,0,1,0,0,1,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1] + [IATS........: 17474795,107207461,89874891,17280679,167478647,167525220,17335822,73902652,91241081,17333170,25935,17724998,29031776,29092737,68237242,29272359,29031830,29031631,29031476,18604480,279041814,227102,15287489,17115049,32679444,257340,76383084,29031077,58063525,24495477,17375114,0] + [PKTLENS.....: 528,388,509,528,722,528,722,533,528,722,348,512,47,47,47,47,47,47,47,47,867,635,382,47,1118,487,377,47,47,47,480,715] ERROR-EVENT: Unknown packet type ERROR-EVENT: nDPI IPv4/L4 payload detection failed new: [...167] [ip4][..udp] [....192.168.1.2][.2789] -> [....192.168.1.1][...53] diff --git a/test/results/flow-info/fuzz-2020-02-16-11740.pcap.out b/test/results/flow-info/fuzz-2020-02-16-11740.pcap.out index 0aa90ad6e..9844a484c 100644 --- a/test/results/flow-info/fuzz-2020-02-16-11740.pcap.out +++ b/test/results/flow-info/fuzz-2020-02-16-11740.pcap.out 
@@ -69,12 +69,14 @@ ERROR-EVENT: nDPI IPv4/L4 payload detection failed idle: [.....5] [ip4][..udp] [....10.12.64.30][29200] -> [..198.226.25.53][.1813] [Radius][Network][Acceptable] analyse: [.....3] [ip4][..udp] [....10.12.64.30][29200] -> [..198.226.25.53][.1812] [Radius][Network][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.155| 612.411| 61.128| 140.850] - [IAT(c->s)...: 0.187| 612.411| 55.957| 151.358][IAT(s->c)...: 0.155| 452.628| 67.407| 126.643] - [PKTLEN(c->s): 697.000| 745.000| 723.000| 21.900][PKTLEN(s->c): 179.000| 318.000| 227.400| 45.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.155| 612.411| 61.128| 140.850|19838793242.640| 0.000] + [PKTLEN......: 179.000| 745.000| 506.200| 248.200|61618.100| 4.800] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,4,3,5,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,1,1,0,1,0,1,0,1,0,0,0,0,1,1,0,0,1,0,1,0,1,0,0,0,1,0,1,0,0] + [IATS........: 155168,452627740,595449,114837328,612411195,44261470,205164,4046522,4037802,201918,4553249,187053,43562433,202627,48502104,3244519,3442366,3335821,3536360,209147,201397,255983176,256164296,599645,6262990,492548,7309633,8000538,8015324,522347,7260933,0] + [PKTLENS.....: 697,257,239,318,239,745,179,697,179,697,206,745,697,745,697,206,179,697,745,179,697,206,745,239,725,745,725,318,745,239,725,745] ERROR-EVENT: Unknown L3 protocol new: [....13] [ip4][..udp] [..198.162.25.53][.1810] -> [....10.12.64.30][29200] ERROR-EVENT: Unknown packet type diff --git a/test/results/flow-info/git.pcap.out b/test/results/flow-info/git.pcap.out index ed5b3f85b..15a93426a 100644 --- a/test/results/flow-info/git.pcap.out +++ b/test/results/flow-info/git.pcap.out 
@@ -4,11 +4,13 @@ new: [.....1] [ip4][..tcp] [...192.168.0.77][47991] -> [...5.153.231.21][.9418] detected: [.....1] [ip4][..tcp] [...192.168.0.77][47991] -> [...5.153.231.21][.9418] [Git][Collaborative][Safe] analyse: [.....1] [ip4][..tcp] [...192.168.0.77][47991] -> [...5.153.231.21][.9418] [Git][Collaborative][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.100| 0.025| 0.029] - [IAT(c->s)...: 0.000| 0.100| 0.032| 0.033][IAT(s->c)...: 0.000| 0.058| 0.020| 0.024] - [PKTLEN(c->s): 66.000| 593.000| 113.200| 139.700][PKTLEN(s->c): 66.000|2946.000|1109.800| 769.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.100| 0.025| 0.029| 818.762| 0.000] + [PKTLEN......: 66.000| 2946.000| 704.900| 773.900|598945.800| 4.100] [BINS(c->s)..: 11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,1] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,1,1,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1,0,1,1] + [IATS........: 57902,57964,60,56073,43848,99851,54739,54730,537,49455,48900,45519,29,17836,63404,1849,203,2031,860,202,1063,209,208,710,439,1139,50571,205,50785,547,651,0] + [PKTLENS.....: 74,74,66,135,66,267,66,962,66,593,66,75,66,74,1506,66,1506,1506,66,1506,1506,66,2946,66,1506,1506,66,1506,1506,66,1506,1506] end: [.....1] [ip4][..tcp] [...192.168.0.77][47991] -> [...5.153.231.21][.9418] [Git][Collaborative][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/gnutella.pcap.out b/test/results/flow-info/gnutella.pcap.out index 4970fd9cc..87a576c6b 100644 --- a/test/results/flow-info/gnutella.pcap.out +++ b/test/results/flow-info/gnutella.pcap.out 
@@ -575,26 +575,32 @@ detected: [...327] [ip4][..udp] [......10.0.2.15][28681] -> [...84.28.53.225][44859] [Gnutella][Download][Potentially Dangerous] RISK: Unsafe Protocol analyse: [...239] [ip4][..tcp] [......10.0.2.15][50285] -> [..75.133.101.93][52367] [Gnutella][Download][Potentially Dangerous] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 8.796| 0.767| 2.113] - [IAT(c->s)...: 0.000| 8.738| 0.986| 2.349][IAT(s->c)...: 0.000| 8.796| 0.629| 1.937] - [PKTLEN(c->s): 54.000| 653.000| 134.600| 170.500][PKTLEN(s->c): 54.000|1514.000| 620.600| 539.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 8.796| 0.767| 2.113|4465727.373| 0.000] + [PKTLEN......: 54.000| 1514.000| 423.200| 491.700|241767.600| 4.100] [BINS(c->s)..: 9,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,1,0,0,0,0,0,0,1,1,0,0,0,0,0,4,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1] + [IATS........: 111774,112031,223,580,122233,123811,1735,510239,510348,125373,7027,133055,508500,509079,643423,701863,8737919,8796467,643884,78,644721,118605,2969,121592,121581,84,121516,120907,68,120959,117511,0] + [PKTLENS.....: 66,58,54,653,54,666,104,54,367,54,196,437,54,82,54,463,54,100,54,1514,1066,54,654,1502,54,1514,642,54,1514,642,54,654] analyse: [...238] [ip4][..tcp] [......10.0.2.15][50284] -> [.104.156.226.72][53258] [Gnutella][Download][Potentially Dangerous] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 8.218| 0.797| 1.971] - [IAT(c->s)...: 0.000| 8.176| 0.824| 1.993][IAT(s->c)...: 0.000| 8.218| 0.772| 1.949] - [PKTLEN(c->s): 54.000| 654.000| 121.100| 156.500][PKTLEN(s->c): 54.000|1078.000| 472.000| 453.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 8.218| 0.797| 1.971|3884024.594| 0.000] + [PKTLEN......: 54.000| 1078.000| 296.600| 381.800|145784.600| 4.000] [BINS(c->s)..: 
12,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,0,1,0,1] + [IATS........: 128313,128710,372,938,178629,178799,1,501219,501471,98390,140683,469376,511641,1190983,1233531,8175797,8218469,772334,828075,95677,89547,96875,110099,405396,409608,95445,89124,2830,63380,645,642,0] + [PKTLENS.....: 66,58,54,654,54,682,104,54,367,54,588,54,82,54,456,54,100,54,1078,54,1078,54,1078,54,1078,54,1078,54,69,54,64,54] analyse: [...288] [ip4][..tcp] [......10.0.2.15][50312] -> [104.238.172.250][23548] [Gnutella][Download][Potentially Dangerous] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 8.692| 0.666| 2.111] - [IAT(c->s)...: 0.000| 8.644| 0.688| 2.136][IAT(s->c)...: 0.000| 8.692| 0.645| 2.087] - [PKTLEN(c->s): 54.000| 655.000| 124.400| 155.500][PKTLEN(s->c): 54.000| 682.000| 147.200| 182.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 8.692| 0.666| 2.111|4456211.546| 0.000] + [PKTLEN......: 54.000| 682.000| 135.800| 170.000|28912.700| 4.200] [BINS(c->s)..: 12,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,0,1,0,0,0,0,0,1,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] + [IATS........: 30928,31210,439,818,29157,31647,2471,501745,502012,17074,17362,35097,479690,480352,544167,592641,8643736,8692014,619,570,563,598,427,387,461,428,346,360,379,396,439,0] + [PKTLENS.....: 66,58,54,655,54,682,104,54,367,54,196,384,54,81,54,441,54,108,54,64,54,64,54,64,54,64,54,64,54,64,54,64] new: [...328] [ip4][..udp] [......10.0.2.15][28681] -> [.203.220.105.27][19260] detected: [...328] [ip4][..udp] [......10.0.2.15][28681] -> [.203.220.105.27][19260] 
[Gnutella][Download][Potentially Dangerous] RISK: Unsafe Protocol 
@@ -637,19 +643,23 @@ detected: [...336] [ip4][..udp] [......10.0.2.15][28681] -> [...80.7.252.192][.6888] [Gnutella][Download][Potentially Dangerous] RISK: Unsafe Protocol analyse: [...333] [ip4][..tcp] [......10.0.2.15][50327] -> [.69.118.162.229][46906] [HTTP.Gnutella][Media][Potentially Dangerous] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.139| 0.307| 0.464] - [IAT(c->s)...: 0.000| 1.139| 0.472| 0.503][IAT(s->c)...: 0.000| 1.123| 0.240| 0.428] - [PKTLEN(c->s): 54.000| 587.000| 108.500| 159.500][PKTLEN(s->c): 54.000|1514.000|1205.600| 506.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.139| 0.307| 0.464|214847.930| 0.000] + [PKTLEN......: 54.000| 1514.000| 862.800| 665.400|442787.600| 4.400] [BINS(c->s)..: 9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,1,0,1,1,1,1,0,0,1,1,1,0,1,0,1,1,1,1,0,1,1,1] + [IATS........: 108990,109470,822,1560,1123233,14904,1138736,509,4088,37,4418,993404,175,19,291,993807,142,988894,159,41,989074,4759,4845,1004141,96,26,62,1004324,1027632,5162,84,0] + [PKTLENS.....: 66,58,54,587,54,848,1514,54,1514,1514,118,54,1514,1514,1514,912,54,54,1514,1514,1514,54,912,54,1514,1514,1514,912,54,1514,1514,1514] analyse: [...276] [ip4][..tcp] [......10.0.2.15][50300] -> [..188.61.52.183][11852] [Gnutella][Download][Potentially Dangerous] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 13.802| 1.828| 3.934] - [IAT(c->s)...: 0.003| 13.802| 2.027| 3.989][IAT(s->c)...: 0.000| 13.761| 1.641| 3.873] - [PKTLEN(c->s): 54.000| 653.000| 160.800| 163.500][PKTLEN(s->c): 54.000|1514.000| 265.100| 375.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 13.802| 1.828| 3.934|15478358.540| 0.000] + [PKTLEN......: 54.000| 1514.000| 212.900| 294.000|86413.100| 4.100] [BINS(c->s)..: 
8,1,2,1,1,0,0,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,1,1,0,1,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,1,0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0] + [IATS........: 17190,17418,3506,3946,14197,14999,687,2797,2855,25798,49,26144,8990,9323,15893,71757,495574,483536,221196,265159,15579,77266,487598,467678,9468962,9510672,13760964,13801588,1593559,1633954,4140974,0] + [PKTLENS.....: 66,58,54,653,54,713,125,54,318,54,1514,194,54,180,54,105,54,233,54,418,54,401,54,521,54,129,54,125,54,190,54,115] update: [...134] [ip4][..udp] [......10.0.2.15][28681] -> [...78.231.73.14][.6346] update: [...128] [ip4][..udp] [......10.0.2.15][28681] -> [..77.141.219.27][37580] update: [...114] [ip4][..udp] [......10.0.2.15][28681] -> [....86.23.75.69][.6346] 
@@ -736,12 +746,14 @@ detected: [...344] [ip4][..udp] [......10.0.2.15][28681] -> [.207.38.163.228][.6778] [Gnutella][Download][Potentially Dangerous] RISK: Unsafe Protocol analyse: [...334] [ip4][..tcp] [......10.0.2.15][50328] -> [..189.147.72.83][26108] [HTTP.Gnutella][Media][Potentially Dangerous] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.215| 0.581| 0.506] - [IAT(c->s)...: 0.002| 1.215| 0.850| 0.383][IAT(s->c)...: 0.000| 1.209| 0.453| 0.507] - [PKTLEN(c->s): 54.000| 592.000| 104.000| 154.400][PKTLEN(s->c): 54.000|1514.000|1147.900| 453.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.215| 0.581| 0.506|255907.955| 0.000] + [PKTLEN......: 54.000| 1514.000| 789.100| 623.900|389219.000| 4.400] [BINS(c->s)..: 10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,9,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1] + [IATS........: 193649,195345,1788,3675,1208824,5559,69,1214808,993314,122,993548,1040345,116,1040488,1001310,128,1001514,998194,120,998177,1008259,218,1008532,1046807,141,1046873,1000209,118,1000330,1013376,42,0] + [PKTLENS.....: 66,58,54,592,54,860,1514,340,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146] new: [...345] [ip4][..tcp] [......10.0.2.15][50330] -> [.69.118.162.229][46906] detected: [...345] [ip4][..tcp] [......10.0.2.15][50330] -> [.69.118.162.229][46906] [HTTP.Gnutella][Download][Potentially Dangerous] RISK: Known Proto on Non Std Port, HTTP Numeric IP Address, Unsafe Protocol 
@@ -831,12 +843,14 @@ new: [...351] [ip4][..udp] [......10.0.2.15][28681] -> [..187.37.87.189][.6346] new: [...352] [ip4][..udp] [......10.0.2.15][28681] -> [.176.191.49.159][.6346] analyse: [....93] [ip4][..tcp] [......10.0.2.15][50248] -> [109.214.154.216][.6346] [Gnutella][Download][Potentially Dangerous] - [min|max|avg|stddev] - [IAT(flow)...: 0.001| 22.685| 3.465| 6.256] - [IAT(c->s)...: 0.003| 22.634| 3.523| 6.232][IAT(s->c)...: 0.001| 22.685| 3.423| 6.272] - [PKTLEN(c->s): 54.000| 358.000| 105.200| 80.300][PKTLEN(s->c): 54.000|1078.000| 188.700| 275.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.001| 22.685| 3.465| 6.256|39132462.055| 0.000] + [PKTLEN......: 54.000| 1078.000| 152.200| 217.400|47264.800| 4.200] [BINS(c->s)..: 9,0,2,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,2,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,1,0,1,1,0,0,1,0,1,1,1,0,1,0,0,1,1,0,0,1,0,1,1] + [IATS........: 399865,400165,2576,3065,879170,880284,1091,343284,15848,359592,3003,2180,5087,145122,145627,10048654,10048652,469496,2676,472723,3557750,3604090,6175326,6222212,413766,464528,22633783,22684647,605343,604983,15818919,0] + [PKTLENS.....: 66,58,54,358,54,337,157,54,132,776,54,67,72,54,163,54,118,54,1078,59,54,136,54,84,54,227,54,66,54,137,54,76] new: [...353] [ip4][..udp] [......10.0.2.15][28681] -> [195.181.151.217][25282] new: [...354] [ip4][..udp] [......10.0.2.15][28681] -> [.80.236.247.120][.1032] new: [...355] [ip4][..udp] [......10.0.2.15][28681] -> [.181.118.53.212][29998] 
@@ -1157,12 +1171,14 @@ update: [...204] [ip4][..udp] [......10.0.2.15][28681] -> [..84.126.240.32][45313] update: [...202] [ip4][..udp] [......10.0.2.15][28681] -> [.176.134.139.39][.6346] analyse: [....94] [ip4][..tcp] [......10.0.2.15][50249] -> [.86.208.180.181][45883] [Gnutella][Download][Potentially Dangerous] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 55.455| 7.491| 14.262] - [IAT(c->s)...: 0.000| 55.455| 7.758| 14.427][IAT(s->c)...: 0.001| 55.397| 7.241| 14.101] - [PKTLEN(c->s): 54.000| 357.000| 99.300| 76.500][PKTLEN(s->c): 54.000|1119.000| 242.500| 321.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 55.455| 7.491| 14.262|203411798.622| 0.000] + [PKTLEN......: 54.000| 1119.000| 170.900| 244.600|59812.500| 4.100] [BINS(c->s)..: 11,0,2,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 10,0,0,0,1,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,1,0,1,0,0] + [IATS........: 106993,107336,276,805,178388,179820,1439,41004,98031,375723,432936,10046845,10046768,42293,94463,6595038,6594815,3591919,3643921,39217,93460,24009088,24063297,605105,604823,14641110,23768,14665256,55396943,55455380,453178,0] + [PKTLENS.....: 66,58,54,357,54,337,157,54,926,54,163,54,118,54,1119,54,214,54,84,54,203,54,66,54,137,54,78,503,54,64,54,63] end: [....35] [ip4][..tcp] [......10.0.2.15][50196] -> [...218.250.6.59][12556] [Gnutella][Download][Potentially Dangerous] RISK: Unsafe Protocol end: [....46] [ip4][..tcp] [......10.0.2.15][50206] -> [175.181.156.244][.8255] [Gnutella][Download][Potentially Dangerous] diff --git a/test/results/flow-info/googledns_android10.pcap.out b/test/results/flow-info/googledns_android10.pcap.out index d2e3760b6..97dfff593 100644 --- a/test/results/flow-info/googledns_android10.pcap.out +++ b/test/results/flow-info/googledns_android10.pcap.out 
@@ -24,12 +24,14 @@ detection-update: [.....4] [ip4][..tcp] [..192.168.1.159][48048] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Network][Fun] RISK: TLS (probably) Not Carrying HTTPS analyse: [.....4] [ip4][..tcp] [..192.168.1.159][48048] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Network][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.447| 0.072| 0.122] - [IAT(c->s)...: 0.000| 0.387| 0.074| 0.114][IAT(s->c)...: 0.000| 0.447| 0.069| 0.128] - [PKTLEN(c->s): 66.000| 225.000| 131.600| 75.000][PKTLEN(s->c): 66.000|1484.000| 432.900| 451.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.447| 0.072| 0.122|14825.912| 0.000] + [PKTLEN......: 66.000| 1484.000| 282.200| 356.700|127227.700| 4.200] [BINS(c->s)..: 9,0,1,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,0,0,0,0,1,0,1,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,0,1,0,1,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0] + [IATS........: 12824,14641,349,14827,16165,1147,99,31089,1039,512,12517,28602,36858,41216,19219,12546,6221,5033,24265,307087,326211,13788,74283,386701,447414,5048,23824,155667,173706,5036,23182,0] + [PKTLENS.....: 74,74,66,220,66,1484,1484,305,66,66,66,159,358,225,66,225,565,66,565,66,225,66,565,66,225,66,565,66,225,66,565,66] new: [.....5] [ip4][.icmp] [..192.168.1.159] -> [........8.8.8.8] detected: [.....5] [ip4][.icmp] [..192.168.1.159] -> [........8.8.8.8] [ICMP][Network][Acceptable] new: [.....6] [ip4][..tcp] [........8.8.4.4][..853] -> [..192.168.1.159][47968] [MIDSTREAM] 
@@ -40,12 +42,14 @@ detection-update: [.....7] [ip4][..tcp] [..192.168.1.159][48098] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Network][Fun] RISK: TLS (probably) Not Carrying HTTPS analyse: [.....7] [ip4][..tcp] [..192.168.1.159][48098] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Network][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.254| 0.185| 0.342] - [IAT(c->s)...: 0.001| 1.234| 0.191| 0.338][IAT(s->c)...: 0.000| 1.254| 0.180| 0.345] - [PKTLEN(c->s): 66.000| 583.000| 161.600| 131.200][PKTLEN(s->c): 66.000| 565.000| 262.800| 236.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.254| 0.185| 0.342|116761.002| 0.000] + [PKTLEN......: 66.000| 583.000| 212.200| 197.900|39161.300| 4.400] [BINS(c->s)..: 8,1,0,0,6,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,0,0,0,1,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,0,1,0,1,1] + [IATS........: 12746,14119,899,14919,79,14194,1137,19603,19131,13753,1318,58447,651251,714961,3808,23304,1234142,1253719,12532,32716,484043,503710,3783,30780,265369,292430,20267,12603,11759,7400,12615,0] + [PKTLENS.....: 74,74,66,583,66,213,66,117,66,225,66,565,66,225,66,565,66,225,66,565,66,225,66,565,66,225,66,225,565,66,66,565] update: [.....5] [ip4][.icmp] [..192.168.1.159] -> [........8.8.8.8] [ICMP][Network][Acceptable] idle: [.....5] [ip4][.icmp] [..192.168.1.159] -> [........8.8.8.8] [ICMP][Network][Acceptable] guessed: [.....1] [ip4][..tcp] [........8.8.8.8][..853] -> [..192.168.1.159][55856] [DoH_DoT.Google][Web][Acceptable] 
@@ -64,12 +68,14 @@ detection-update: [.....8] [ip4][..tcp] [..192.168.1.159][48210] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Network][Fun] RISK: TLS (probably) Not Carrying HTTPS analyse: [.....8] [ip4][..tcp] [..192.168.1.159][48210] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Network][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 5.704| 0.390| 1.388] - [IAT(c->s)...: 0.000| 5.641| 0.402| 1.400][IAT(s->c)...: 0.000| 5.704| 0.378| 1.375] - [PKTLEN(c->s): 66.000| 225.000| 131.600| 75.000][PKTLEN(s->c): 66.000|1484.000| 432.900| 451.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 5.704| 0.390| 1.388|1925240.193| 0.000] + [PKTLEN......: 66.000| 1484.000| 282.200| 356.700|127227.700| 4.200] [BINS(c->s)..: 9,0,1,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,0,0,0,0,1,0,1,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,0,1,1,0,0,1,0,1,0,1,1,0,0,1,0,1,0,1,1] + [IATS........: 14386,41870,9180,49912,17551,119,78,32502,535,103,15369,30822,15661,19948,22571,85476,5640736,5703762,20528,7552,6167,13685,17563,31103,85377,103703,33240,18803,6257,16181,17586,0] + [PKTLENS.....: 74,74,66,220,66,1484,1484,305,66,66,66,159,358,225,66,565,66,225,66,225,565,66,66,565,66,225,66,225,565,66,66,565] end: [.....7] [ip4][..tcp] [..192.168.1.159][48098] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Network][Fun] RISK: TLS (probably) Not Carrying HTTPS idle: [.....8] [ip4][..tcp] [..192.168.1.159][48210] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Network][Fun] diff --git a/test/results/flow-info/http-manipulated.pcap.out b/test/results/flow-info/http-manipulated.pcap.out index 0b295c277..3c8b1055d 100644 --- a/test/results/flow-info/http-manipulated.pcap.out +++ b/test/results/flow-info/http-manipulated.pcap.out 
@@ -10,12 +10,14 @@ detected: [.....2] [ip4][..tcp] [...192.168.0.20][33684] -> [....192.168.0.7][.8080] [HTTP][Web][Acceptable] RISK: Known Proto on Non Std Port analyse: [.....2] [ip4][..tcp] [...192.168.0.20][33684] -> [....192.168.0.7][.8080] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.073| 0.005| 0.018] - [IAT(c->s)...: 0.000| 0.073| 0.005| 0.018][IAT(s->c)...: 0.000| 0.073| 0.005| 0.018] - [PKTLEN(c->s): 54.000| 440.000| 99.800| 119.300][PKTLEN(s->c): 60.000|5894.000|2829.100|1943.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.073| 0.005| 0.018| 320.351| 0.000] + [PKTLEN......: 54.000| 5894.000| 1464.400| 1938.500|3757919.200| 3.800] [BINS(c->s)..: 14,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,10] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 227,236,111,336,193,414,72850,73065,187,402,51,53,13,9,38,39,116,116,52,52,10,8,43,47,49,47,9,7,46,48,49,0] + [PKTLENS.....: 66,66,54,440,60,631,54,389,60,2974,54,4434,54,2974,54,4434,54,1514,54,4434,54,2974,54,4434,54,1514,54,5894,54,5894,54,2974] end: [.....1] [ip4][..tcp] [...192.168.0.20][33632] -> [....192.168.0.7][.8080] [HTTP][Web][Acceptable] RISK: Known Proto on Non Std Port end: [.....2] [ip4][..tcp] [...192.168.0.20][33684] -> [....192.168.0.7][.8080] [HTTP][Web][Acceptable] diff --git a/test/results/flow-info/http_auth.pcap.out b/test/results/flow-info/http_auth.pcap.out index 2d2b74373..a141ee0c3 100644 --- a/test/results/flow-info/http_auth.pcap.out +++ b/test/results/flow-info/http_auth.pcap.out 
@@ -4,11 +4,13 @@ new: [.....1] [ip4][..tcp] [....192.168.0.4][54337] -> [192.254.189.169][...80] detected: [.....1] [ip4][..tcp] [....192.168.0.4][54337] -> [192.254.189.169][...80] [HTTP][Web][Acceptable] analyse: [.....1] [ip4][..tcp] [....192.168.0.4][54337] -> [192.254.189.169][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 4.862| 0.405| 1.194] - [IAT(c->s)...: 0.000| 4.862| 0.532| 1.295][IAT(s->c)...: 0.001| 4.862| 0.314| 1.106] - [PKTLEN(c->s): 66.000| 805.000| 119.600| 190.100][PKTLEN(s->c): 66.000|1514.000|1046.300| 619.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 4.862| 0.405| 1.194|1424465.723| 0.000] + [PKTLEN......: 66.000| 1514.000| 640.900| 665.600|443042.200| 4.200] [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,1,0,0] + [IATS........: 180032,180140,139,193993,206403,1322,401505,596,594,735,724,4027,4555,8666,4603,3019,7560,3303,5323,8621,158972,3971,162953,3627,4243,7859,2612,2607,4861805,4861829,1269016,0] + [PKTLENS.....: 78,74,66,805,66,1514,551,66,145,66,288,66,1514,1514,66,1514,1514,66,1514,1514,66,1514,1514,66,1514,1514,66,989,66,66,66,66] end: [.....1] [ip4][..tcp] [....192.168.0.4][54337] -> [192.254.189.169][...80] [HTTP][Web][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/http_connect.pcap.out b/test/results/flow-info/http_connect.pcap.out index faea4f54f..db6b911a9 100644 --- a/test/results/flow-info/http_connect.pcap.out +++ b/test/results/flow-info/http_connect.pcap.out 
@@ -10,19 +10,23 @@ detected: [.....3] [ip4][..tcp] [..192.168.1.146][35968] -> [..151.101.2.132][..443] [TLS][Web][Safe] detection-update: [.....3] [ip4][..tcp] [..192.168.1.146][35968] -> [..151.101.2.132][..443] [TLS][Web][Safe] analyse: [.....3] [ip4][..tcp] [..192.168.1.146][35968] -> [..151.101.2.132][..443] [TLS][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.016| 0.003| 0.005] - [IAT(c->s)...: 0.000| 0.016| 0.003| 0.005][IAT(s->c)...: 0.000| 0.015| 0.003| 0.005] - [PKTLEN(c->s): 66.000| 583.000| 133.400| 165.400][PKTLEN(s->c): 66.000|1450.000| 992.600| 625.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.016| 0.003| 0.005| 23.691| 0.000] + [PKTLEN......: 66.000| 1450.000| 563.000| 627.700|394029.600| 4.100] [BINS(c->s)..: 13,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,0,0,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 8850,8886,2829,11347,7507,16011,65,50,21,19,18,33,7291,458,15010,14,4004,11279,678,666,42,41,26,25,27,27,115,115,31,32,149,0] + [PKTLENS.....: 74,74,66,583,66,1450,66,1450,66,1450,66,985,66,130,555,66,66,125,66,1450,66,1450,66,1450,66,1450,66,1450,66,1450,66,1450] analyse: [.....1] [ip4][..tcp] [..192.168.1.103][.1714] -> [..192.168.1.146][.8080] [HTTP_Connect][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.053| 0.007| 0.013] - [IAT(c->s)...: 0.000| 0.050| 0.008| 0.013][IAT(s->c)...: 0.000| 0.053| 0.006| 0.012] - [PKTLEN(c->s): 60.000| 571.000| 165.000| 145.200][PKTLEN(s->c): 54.000|5590.000|1317.100|1980.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.053| 0.007| 0.013| 164.772| 0.000] + [PKTLEN......: 54.000| 5590.000| 813.000| 1594.600|2542806.200| 3.300] [BINS(c->s)..: 
7,0,2,0,1,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,4] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,1,1,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1] + [IATS........: 32,2664,352,3052,9578,12352,2730,16207,17263,6110,7163,474,478,42,22,11387,743,133,163,12593,29,193,4,101,98,705,4022,50186,53379,1210,1208,0] + [PKTLENS.....: 66,66,60,257,54,130,571,54,5125,60,118,54,224,54,373,54,113,5590,2822,1438,85,60,54,60,5590,1438,963,60,187,54,129,54] idle: [.....2] [ip4][..udp] [..192.168.1.146][47767] -> [....192.168.1.2][...53] [DNS][Network][Acceptable] idle: [.....3] [ip4][..tcp] [..192.168.1.146][35968] -> [..151.101.2.132][..443] [TLS][Web][Safe] idle: [.....1] [ip4][..tcp] [..192.168.1.103][.1714] -> [..192.168.1.146][.8080] [HTTP_Connect][Web][Acceptable] diff --git a/test/results/flow-info/http_ipv6.pcap.out b/test/results/flow-info/http_ipv6.pcap.out index f91ac7121..cd6dd371c 100644 --- a/test/results/flow-info/http_ipv6.pcap.out +++ b/test/results/flow-info/http_ipv6.pcap.out 
@@ -9,12 +9,14 @@ new: [.....4] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][58660] -> [...............2a00:1450:4006:803::2008][..443] [MIDSTREAM] new: [.....5] [ip6][..udp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][55145] -> [.................2a00:1450:400b:c02::5f][..443] analyse: [.....3] [ip6][..udp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][45931] -> [...............2a00:1450:4001:803::1017][..443] [QUIC.Google][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.002| 6.009| 0.604| 1.486] - [IAT(c->s)...: 0.026| 6.009| 0.617| 1.462][IAT(s->c)...: 0.002| 6.009| 0.590| 1.511] - [PKTLEN(c->s): 99.000|1412.000| 300.700| 378.600][PKTLEN(s->c): 91.000|1412.000| 385.700| 368.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.002| 6.009| 0.604| 1.486|2208638.173| 0.000] + [PKTLEN......: 91.000| 1412.000| 340.600| 376.200|141514.900| 4.300] [BINS(c->s)..: 0,9,0,0,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0] [BINS(s->c)..: 2,6,0,0,0,0,0,0,0,0,0,0,0,0,0,1,3,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0] + [IATS........: 25363,26190,172445,219452,15689,87208,38758,110203,47003,1512,26672,45844,1752482,1778725,6798,78256,246614,318052,6008829,6008710,4760,76866,102599,174483,2367,73860,70885,142482,2922,74310,992388,0] + [PKTLENS.....: 1412,1412,99,1216,94,674,102,252,94,102,581,102,91,257,94,637,105,102,94,262,91,589,105,263,94,586,102,264,94,561,102,265] new: [.....6] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][37486] -> [................2a03:b0c0:3:d0::70:1001][..443] new: [.....7] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][37488] -> [................2a03:b0c0:3:d0::70:1001][..443] detected: [.....6] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][37486] -> [................2a03:b0c0:3:d0::70:1001][..443] [TLS.ntop][Network][Safe] 
diff --git a/test/results/flow-info/iax.pcap.out b/test/results/flow-info/iax.pcap.out index bab1b911f..415805ccf 100644 --- a/test/results/flow-info/iax.pcap.out +++ b/test/results/flow-info/iax.pcap.out @@ -4,11 +4,13 @@ new: [.....1] [ip4][..udp] [...82.110.36.84][.4569] -> [..192.168.2.120][.4566] detected: [.....1] [ip4][..udp] [...82.110.36.84][.4569] -> [..192.168.2.120][.4566] [IAX][VoIP][Acceptable] analyse: [.....1] [ip4][..udp] [...82.110.36.84][.4569] -> [..192.168.2.120][.4566] [IAX][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.001| 0.051| 0.019| 0.011] - [IAT(c->s)...: 0.001| 0.043| 0.019| 0.009][IAT(s->c)...: 0.002| 0.051| 0.019| 0.018] - [PKTLEN(c->s): 60.000| 214.000| 186.400| 48.400][PKTLEN(s->c): 54.000| 214.000| 116.400| 76.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.001| 0.051| 0.019| 0.011| 120.322| 0.000] + [PKTLEN......: 54.000| 214.000| 175.500| 59.500| 3538.200| 4.900] [BINS(c->s)..: 3,0,1,0,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 2173,5097,7653,24399,24352,24724,16912,51403,9638,12261,14097,6869,22758,16765,31325,17887,20048,11489,43190,21320,13940,17067,22553,948,20517,34133,6854,21003,19904,17982,29140,0] + [PKTLENS.....: 108,54,54,60,54,60,206,214,214,60,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206] idle: [.....1] [ip4][..udp] [...82.110.36.84][.4569] -> [..192.168.2.120][.4566] [IAX][VoIP][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/icmp-tunnel.pcap.out b/test/results/flow-info/icmp-tunnel.pcap.out index 486abc5e2..470787e6a 100644 --- a/test/results/flow-info/icmp-tunnel.pcap.out +++ b/test/results/flow-info/icmp-tunnel.pcap.out 
@@ -5,12 +5,14 @@ detected: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Network][Acceptable] RISK: Malformed Packet analyse: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Network][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.999| 13.999| 1.420| 2.297] - [IAT(c->s)...: 0.999| 1.001| 1.000| 0.001][IAT(s->c)...: 1.001| 13.999| 2.445| 4.085] - [PKTLEN(c->s): 126.000| 126.000| 126.000| 0.000][PKTLEN(s->c): 126.000| 126.000| 126.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.999| 13.999| 1.420| 2.297|5274800.751| 0.000] + [PKTLEN......: 126.000| 126.000| 126.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 998770,1000036,1000056,999983,1000051,1000074,1000009,1000032,1000047,1000127,999991,999982,1000043,999922,13999352,1001250,1001214,1000977,1001002,1001107,1001081,1000973,1000923,1000944,1000921,1001115,1001144,1001036,1001015,1001004,1001005,0] + [PKTLENS.....: 126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126] update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Network][Acceptable] RISK: Malformed Packet update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Network][Acceptable] diff --git a/test/results/flow-info/iec60780-5-104.pcap.out b/test/results/flow-info/iec60780-5-104.pcap.out index b4c2a2017..e51833940 100644 --- a/test/results/flow-info/iec60780-5-104.pcap.out +++ b/test/results/flow-info/iec60780-5-104.pcap.out 
@@ -21,11 +21,13 @@ end: [.....4] [ip4][..tcp] [.172.27.248.109][.1572] -> [..172.27.248.79][.2404] [IEC60870][IoT-Scada][Acceptable] end: [.....5] [ip4][..tcp] [.172.27.248.109][.1577] -> [..172.27.248.79][.2404] [IEC60870][IoT-Scada][Acceptable] analyse: [.....6] [ip4][..tcp] [.172.27.248.109][.1578] -> [..172.27.248.79][.2404] [IEC60870][IoT-Scada][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 32.516| 11.085| 10.877] - [IAT(c->s)...: 0.000| 32.485| 9.540| 10.735][IAT(s->c)...: 0.000| 32.516| 13.224| 10.709] - [PKTLEN(c->s): 60.000| 70.000| 62.200| 4.000][PKTLEN(s->c): 54.000| 118.000| 70.500| 16.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 32.516| 11.085| 10.877|118310385.484| 0.000] + [PKTLEN......: 54.000| 118.000| 65.600| 11.500| 132.400| 5.000] [BINS(c->s)..: 19,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1] + [IATS........: 133,283,1182,4289,153898,32516052,32485009,17329020,17462619,171223,19844571,20033163,171510,19860294,20118307,25436246,25352045,204330,19828922,20215237,5341755,5765246,10455867,10671339,13934,15202,139861,131307,218735,19641453,20056039,0] + [PKTLENS.....: 62,62,60,60,60,60,70,60,70,118,60,60,70,60,60,54,70,76,60,60,54,70,60,70,76,70,76,60,77,60,60,54] end: [.....6] [ip4][..tcp] [.172.27.248.109][.1578] -> [..172.27.248.79][.2404] [IEC60870][IoT-Scada][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/imap-starttls.pcap.out b/test/results/flow-info/imap-starttls.pcap.out index e0caddc15..d9e9739ce 100644 --- a/test/results/flow-info/imap-starttls.pcap.out +++ b/test/results/flow-info/imap-starttls.pcap.out 
@@ -11,12 +11,14 @@ detection-update: [.....1] [ip4][..tcp] [..192.168.17.53][49640] -> [.212.227.17.186][..143] [IMAPS][Email][Safe] RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn analyse: [.....1] [ip4][..tcp] [..192.168.17.53][49640] -> [.212.227.17.186][..143] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.678| 0.188| 0.378] - [IAT(c->s)...: 0.000| 1.487| 0.166| 0.343][IAT(s->c)...: 0.000| 1.678| 0.215| 0.416] - [PKTLEN(c->s): 54.000| 372.000| 85.300| 75.500][PKTLEN(s->c): 60.000|1514.000| 459.900| 570.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.678| 0.188| 0.378|143010.873| 0.000] + [PKTLEN......: 54.000| 1514.000| 249.200| 424.600|180326.200| 3.700] [BINS(c->s)..: 15,1,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,2,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,1,0,0,0,1,0,0,1,1,0,0,0,0,1] + [IATS........: 189790,189950,188317,188305,133,192463,259,192553,155,186504,9,186418,431,197380,166,197053,2043,207,2163,90,3747,191586,187876,1486951,1677753,168,190848,49,279,1,189432,0] + [PKTLENS.....: 78,66,54,325,54,68,60,281,54,66,86,60,54,372,1514,1514,54,1514,636,54,54,180,105,54,93,133,85,54,54,85,54,60] detection-update: [.....1] [ip4][..tcp] [..192.168.17.53][49640] -> [.212.227.17.186][..143] [IMAPS][Email][Safe] RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn end: [.....1] [ip4][..tcp] [..192.168.17.53][49640] -> [.212.227.17.186][..143] [IMAPS][Email][Safe] diff --git a/test/results/flow-info/imap.pcap.out b/test/results/flow-info/imap.pcap.out index eeedb9f3c..c5f535f48 100644 --- a/test/results/flow-info/imap.pcap.out +++ b/test/results/flow-info/imap.pcap.out 
@@ -5,12 +5,14 @@ detected: [.....1] [ip4][..tcp] [......10.40.4.2][46045] -> [......10.40.3.2][..143] [IMAP][Email][Unsafe] RISK: Unsafe Protocol analyse: [.....1] [ip4][..tcp] [......10.40.4.2][46045] -> [......10.40.3.2][..143] [IMAP][Email][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 4.331| 0.295| 1.060] - [IAT(c->s)...: 0.000| 4.330| 0.254| 0.989][IAT(s->c)...: 0.000| 4.331| 0.351| 1.149] - [PKTLEN(c->s): 66.000| 139.000| 75.800| 17.500][PKTLEN(s->c): 74.000| 762.000| 174.400| 181.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 4.331| 0.295| 1.060|1123749.069| 0.000] + [PKTLEN......: 66.000| 762.000| 115.900| 125.900|15857.500| 4.600] [BINS(c->s)..: 18,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,4,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,1,0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,0,0,1,0,1,0,0,1,0,1] + [IATS........: 126,150,12887,12906,231,444,36852,36794,135,4330018,4331408,1394,16846,17272,39867,39540,93,199,596,39710,39393,88,905,1344,39009,38693,107,104,10836,47768,37190,0] + [PKTLENS.....: 74,74,66,108,66,85,131,66,98,66,92,93,66,86,87,66,123,66,86,87,66,123,66,87,78,66,325,66,139,178,66,762] idle: [.....1] [ip4][..tcp] [......10.40.4.2][46045] -> [......10.40.3.2][..143] [IMAP][Email][Unsafe] RISK: Unsafe Protocol DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/imo.pcap.out b/test/results/flow-info/imo.pcap.out index 6b9a37416..fa01a84a9 100644 --- a/test/results/flow-info/imo.pcap.out +++ b/test/results/flow-info/imo.pcap.out 
@@ -6,19 +6,23 @@ new: [.....2] [ip4][..udp] [.192.168.12.169][49207] -> [....93.33.47.58][57604] detected: [.....2] [ip4][..udp] [.192.168.12.169][49207] -> [....93.33.47.58][57604] [IMO][VoIP][Acceptable] analyse: [.....2] [ip4][..udp] [.192.168.12.169][49207] -> [....93.33.47.58][57604] [IMO][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.464| 0.060| 0.120] - [IAT(c->s)...: 0.000| 0.464| 0.075| 0.145][IAT(s->c)...: 0.000| 0.379| 0.045| 0.090] - [PKTLEN(c->s): 43.000| 142.000| 57.100| 22.000][PKTLEN(s->c): 43.000| 149.000| 56.900| 24.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.464| 0.060| 0.120|14499.616| 0.000] + [PKTLEN......: 43.000| 149.000| 57.000| 23.000| 529.800| 4.900] [BINS(c->s)..: 15,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 15,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,0,0,0,0,0,1,1,1,1,1,1,0,1,1,1,1,1,0,0,0,0,0,1,0,1,0,1,0,0] + [IATS........: 36207,20915,69195,11193,10953,10897,11928,60266,17574,7210,47,9880,379036,463846,100219,9477,9867,20901,22,106515,270,209,156,89,19549,7836,19677,23241,7950,3744,407480,0] + [PKTLENS.....: 43,43,149,52,52,52,52,52,52,52,52,52,52,43,142,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52] analyse: [.....1] [ip4][..udp] [.192.168.12.169][49207] -> [.185.155.137.30][36535] [IMO][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.003| 0.138| 0.306] - [IAT(c->s)...: 0.000| 1.003| 0.133| 0.300][IAT(s->c)...: 0.000| 1.003| 0.144| 0.312] - [PKTLEN(c->s): 224.000|1266.000| 736.500| 500.800][PKTLEN(s->c): 52.000| 266.000| 90.000| 60.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.003| 0.138| 0.306|93428.728| 0.000] + [PKTLEN......: 52.000| 1266.000| 433.400| 488.900|239046.100| 4.200] [BINS(c->s)..: 0,0,0,0,0,2,5,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0] 
[BINS(s->c)..: 10,0,1,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,0,1,0,0,1,1,1,1,1,0,1,0,1,0,1,0,1] + [IATS........: 396,41304,49,43405,10843,2151,275,10533,8077,9421,9986,55709,51,24,9743,18469,13472,314,9827,9743,9558,13513,46,69283,127192,99850,16582,835382,861703,1002796,1002553,0] + [PKTLENS.....: 242,371,53,160,1266,1266,224,242,1266,1266,1266,1266,122,266,53,1266,52,1266,242,52,52,52,52,53,226,139,361,138,242,53,242,53] idle: [.....2] [ip4][..udp] [.192.168.12.169][49207] -> [....93.33.47.58][57604] [IMO][VoIP][Acceptable] idle: [.....1] [ip4][..udp] [.192.168.12.169][49207] -> [.185.155.137.30][36535] [IMO][VoIP][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/instagram.pcap.out b/test/results/flow-info/instagram.pcap.out index dec96585a..8aec57bec 100644 --- a/test/results/flow-info/instagram.pcap.out +++ b/test/results/flow-info/instagram.pcap.out 
@@ -9,12 +9,14 @@ detection-update: [.....1] [ip4][..tcp] [..192.168.0.103][56382] -> [..173.252.107.4][..443] [TLS.Instagram][SocialNetwork][Fun] RISK: Obsolete TLS (v1.1 or older) analyse: [.....2] [ip4][..tcp] [..192.168.0.103][33936] -> [....31.13.93.52][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.572| 0.136| 0.382] - [IAT(c->s)...: 0.000| 1.523| 0.141| 0.383][IAT(s->c)...: 0.000| 1.572| 0.132| 0.381] - [PKTLEN(c->s): 66.000|1431.000| 213.600| 396.000][PKTLEN(s->c): 66.000|1464.000|1151.300| 534.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.572| 0.136| 0.382|146017.665| 0.000] + [PKTLEN......: 66.000| 1464.000| 682.500| 663.900|440818.000| 4.200] [BINS(c->s)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,11,0,0,0,0] + [DIRECTIONS..: 0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] + [IATS........: 88898,75897,164978,1522736,1572479,340302,390014,2197,2137,122,91,92,92,91,91,61,61,92,92,61,91,91,61,92,92,29907,29999,733,671,702,672,0] + [PKTLENS.....: 1431,66,679,66,1063,66,1464,66,209,66,1464,66,1297,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66] detection-update: [.....2] [ip4][..tcp] [..192.168.0.103][33936] -> [....31.13.93.52][..443] [TLS.Facebook][SocialNetwork][Fun] new: [.....3] [ip4][..tcp] [..192.168.0.103][38816] -> [...46.33.70.160][...80] [MIDSTREAM] detected: [.....3] [ip4][..tcp] [..192.168.0.103][38816] -> [...46.33.70.160][...80] [HTTP.Instagram][SocialNetwork][Fun] 
@@ -25,29 +27,35 @@ new: [.....6] [ip4][..tcp] [..192.168.0.103][57965] -> [...82.85.26.185][...80] [MIDSTREAM] detected: [.....6] [ip4][..tcp] [..192.168.0.103][57965] -> [...82.85.26.185][...80] [HTTP.Instagram][SocialNetwork][Fun] analyse: [.....3] [ip4][..tcp] [..192.168.0.103][38816] -> [...46.33.70.160][...80] [HTTP.Instagram][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.033| 0.003| 0.008] - [IAT(c->s)...: 0.000| 0.033| 0.010| 0.012][IAT(s->c)...: 0.000| 0.033| 0.002| 0.006] - [PKTLEN(c->s): 66.000| 326.000| 109.300| 96.900][PKTLEN(s->c): 1484.000|1484.000|1484.000| 0.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.033| 0.003| 0.008| 64.366| 0.000] + [PKTLEN......: 66.000| 1484.000| 1226.200| 538.200|289645.800| 4.800] [BINS(c->s)..: 5,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0,0] + [DIRECTIONS..: 0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,0,1,1,1,1,1,1,0,1] + [IATS........: 32685,33112,763,702,1770,2075,61,30,336,366,672,610,610,611,610,641,610,611,10956,1922,1953,366,305,794,1068,458,457,428,824,4059,488,0] + [PKTLENS.....: 326,1484,66,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,66,1484,66,1484,66,1484,1484,1484,1484,1484,1484,66,1484] analyse: [.....4] [ip4][..tcp] [..192.168.0.103][57936] -> [...82.85.26.162][...80] [HTTP.Instagram][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.112| 0.011| 0.030] - [IAT(c->s)...: 0.000| 0.112| 0.013| 0.031][IAT(s->c)...: 0.000| 0.111| 0.010| 0.028] - [PKTLEN(c->s): 66.000| 319.000| 82.900| 63.100][PKTLEN(s->c): 186.000|1484.000|1405.400| 305.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.112| 0.011| 0.030| 883.414| 0.000] + [PKTLEN......: 66.000| 1484.000| 785.400| 697.700|486813.200| 4.300] [BINS(c->s)..: 
14,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,15,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,1,1,0,1,0,1] + [IATS........: 56793,57068,1160,977,610,610,428,397,457,457,672,702,1281,1282,1160,1160,488,457,428,458,111480,31,111969,336,1343,61,30,1038,885,793,519,0] + [PKTLENS.....: 319,1484,66,1445,66,1484,66,1484,66,1484,66,1484,66,186,66,1484,66,1484,66,1484,66,1484,1484,66,66,1484,1484,1484,66,1484,66,1484] detection-update: [.....6] [ip4][..tcp] [..192.168.0.103][57965] -> [...82.85.26.185][...80] [HTTP.Instagram][SocialNetwork][Fun] detection-update: [.....5] [ip4][..tcp] [..192.168.0.103][44379] -> [...82.85.26.186][...80] [HTTP.Instagram][SocialNetwork][Fun] new: [.....7] [ip4][..tcp] [..192.168.0.103][33976] -> [....77.67.29.17][...80] [MIDSTREAM] analyse: [.....5] [ip4][..tcp] [..192.168.0.103][44379] -> [...82.85.26.186][...80] [HTTP.Instagram][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.372| 0.037| 0.093] - [IAT(c->s)...: 0.000| 0.310| 0.041| 0.089][IAT(s->c)...: 0.000| 0.372| 0.033| 0.095] - [PKTLEN(c->s): 66.000| 325.000| 111.700| 84.700][PKTLEN(s->c): 1474.000|1484.000|1483.400| 2.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.372| 0.037| 0.093| 8582.227| 0.000] + [PKTLEN......: 66.000| 1484.000| 840.400| 686.900|471900.100| 4.400] [BINS(c->s)..: 13,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0] + [DIRECTIONS..: 0,1,0,1,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1] + [IATS........: 185486,185853,397,519,640,61,1434,61,1404,61,580,733,1434,61,310272,372071,63232,2166,2198,336,305,549,427,733,793,580,519,519,519,1007,976,0] + [PKTLENS.....: 
325,1484,94,1484,1484,94,94,1484,1484,94,94,1484,94,1484,1484,325,1484,66,1484,66,1474,66,1484,66,1484,66,1484,66,1484,66,1484,1484] new: [.....8] [ip4][..tcp] [..192.168.0.103][37350] -> [...82.85.26.153][...80] [MIDSTREAM] detected: [.....8] [ip4][..tcp] [..192.168.0.103][37350] -> [...82.85.26.153][...80] [HTTP.Instagram][SocialNetwork][Fun] new: [.....9] [ip4][..udp] [..192.168.0.106][17500] -> [255.255.255.255][17500] 
@@ -65,12 +73,14 @@ detected: [....15] [ip4][..tcp] [..192.168.0.103][33763] -> [....31.13.93.52][..443] [TLS.Facebook][SocialNetwork][Fun] new: [....16] [ip4][..tcp] [..192.168.0.103][38817] -> [...46.33.70.160][...80] [MIDSTREAM] analyse: [.....7] [ip4][..tcp] [..192.168.0.103][33976] -> [....77.67.29.17][...80] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 7.322| 0.237| 1.293] - [IAT(c->s)...: 0.000| 7.322| 0.612| 2.023][IAT(s->c)...: 0.000| 0.004| 0.001| 0.001] - [PKTLEN(c->s): 66.000| 66.000| 66.000| 0.000][PKTLEN(s->c): 1337.000|1484.000|1476.300| 32.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 7.322| 0.237| 1.293|1672842.314| 0.000] + [PKTLEN......: 66.000| 1484.000| 903.300| 693.100|480370.200| 4.400] [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,18,0,0,0] + [DIRECTIONS..: 0,0,1,1,0,1,1,1,1,0,0,1,1,1,1,0,0,1,1,0,1,1,1,0,1,0,1,1,1,0,0,0] + [IATS........: 183,854,1526,2655,488,367,335,397,1495,519,1160,1800,61,31,2258,92,3204,427,3571,1038,549,367,1953,885,885,671,3632,61,4699,183,7321503,0] + [PKTLENS.....: 66,66,1484,1484,66,1484,1484,1484,1484,66,66,1484,1484,1484,1484,66,66,1484,1484,66,1484,1484,1484,66,1484,66,1484,1484,1337,66,66,66] guessed: [.....7] [ip4][..tcp] [..192.168.0.103][33976] -> [....77.67.29.17][...80] [HTTP][Web][Acceptable] detected: [.....7] [ip4][..tcp] [..192.168.0.103][33976] -> [....77.67.29.17][...80] [HTTP][Web][Acceptable] new: [....17] [ip4][..udp] [..192.168.0.103][51219] -> [........8.8.8.8][...53] 
@@ -117,20 +127,24 @@ new: [....27] [ip4][..tcp] [..192.168.0.103][58053] -> [...82.85.26.162][...80] [MIDSTREAM] detected: [....27] [ip4][..tcp] [..192.168.0.103][58053] -> [...82.85.26.162][...80] [HTTP.Instagram][SocialNetwork][Fun] analyse: [....26] [ip4][..tcp] [..192.168.0.103][58052] -> [...82.85.26.162][...80] [HTTP.Instagram][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.062| 0.005| 0.015] - [IAT(c->s)...: 0.000| 0.062| 0.005| 0.016][IAT(s->c)...: 0.000| 0.061| 0.004| 0.014] - [PKTLEN(c->s): 66.000| 326.000| 83.300| 64.900][PKTLEN(s->c): 396.000|1484.000|1419.500| 255.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.062| 0.005| 0.015| 225.668| 0.000] + [PKTLEN......: 66.000| 1484.000| 793.200| 693.800|481326.300| 4.300] [BINS(c->s)..: 14,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0] + [DIRECTIONS..: 0,1,1,1,0,0,0,1,0,1,0,1,1,1,0,0,0,1,1,1,0,0,1,0,0,1,0,1,0,1,1,1] + [IATS........: 61310,214,427,62164,336,336,1434,671,916,885,1556,61,61,1618,61,61,1312,92,30,1312,61,92,31,61,519,549,2411,2441,1373,61,31,0] + [PKTLENS.....: 326,1484,1484,1475,66,66,66,1484,66,1484,66,1484,1484,1484,66,66,66,1484,1484,1484,66,66,1484,66,66,1484,66,1484,66,396,1484,1484] new: [....28] [ip4][..tcp] [....31.13.86.52][...80] -> [..192.168.0.103][58216] [MIDSTREAM] analyse: [....28] [ip4][..tcp] [....31.13.86.52][...80] -> [..192.168.0.103][58216] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.002| 0.001| 0.001] - [IAT(c->s)...: 0.000| 0.002| 0.001| 0.001][IAT(s->c)...: 0.000| 0.002| 0.001| 0.001] - [PKTLEN(c->s): 1464.000|1464.000|1464.000| 0.000][PKTLEN(s->c): 66.000| 66.000| 66.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.002| 0.001| 0.001| 0.353| 0.000] + [PKTLEN......: 66.000| 1464.000| 983.400| 664.000|440886.100| 4.500] [BINS(c->s)..: 
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0,0,0] [BINS(s->c)..: 11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,1,0,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0] + [IATS........: 367,1465,1587,519,458,824,1465,61,30,1648,2198,2075,366,213,641,367,1312,1678,488,214,610,641,1037,1679,336,488,915,794,335,977,672,0] + [PKTLENS.....: 1464,66,1464,66,1464,1464,66,1464,1464,1464,66,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464] guessed: [....28] [ip4][..tcp] [....31.13.86.52][...80] -> [..192.168.0.103][58216] [HTTP.Facebook][SocialNetwork][Fun] detected: [....28] [ip4][..tcp] [....31.13.86.52][...80] -> [..192.168.0.103][58216] [HTTP.Facebook][SocialNetwork][Fun] update: [....14] [ip4][.icmp] [..192.168.0.103] -> [..192.168.0.103] [ICMP][Network][Acceptable] 
@@ -143,12 +157,14 @@ new: [....31] [ip4][..udp] [..192.168.0.103][27124] -> [........8.8.8.8][...53] detected: [....31] [ip4][..udp] [..192.168.0.103][27124] -> [........8.8.8.8][...53] [DNS.Instagram][SocialNetwork][Fun] analyse: [....29] [ip4][..tcp] [....2.22.236.51][...80] -> [..192.168.0.103][44151] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.004| 0.001| 0.001] - [IAT(c->s)...: 0.000| 0.004| 0.001| 0.001][IAT(s->c)...: 0.000| 0.004| 0.001| 0.001] - [PKTLEN(c->s): 1484.000|1484.000|1484.000| 0.000][PKTLEN(s->c): 66.000| 66.000| 66.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.004| 0.001| 0.001| 1.362| 0.000] + [PKTLEN......: 66.000| 1484.000| 819.300| 707.600|500717.400| 4.300] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0] [BINS(s->c)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0] + [IATS........: 122,2106,427,3387,31,3174,2289,427,946,1892,213,2563,1831,3785,61,3846,183,1342,1312,367,183,213,275,519,519,885,854,2075,2106,2014,61,0] + [PKTLENS.....: 1484,66,1484,1484,66,66,1484,66,1484,1484,66,66,1484,66,1484,1484,66,66,1484,66,1484,66,1484,66,1484,66,1484,66,1484,66,1484,1484] guessed: [....29] [ip4][..tcp] [....2.22.236.51][...80] -> [..192.168.0.103][44151] [HTTP][Web][Acceptable] detected: [....29] [ip4][..tcp] [....2.22.236.51][...80] -> [..192.168.0.103][44151] [HTTP][Web][Acceptable] new: [....32] [ip4][..tcp] [...46.33.70.150][...80] -> [..192.168.0.103][40855] 
@@ -158,12 +174,14 @@ detected: [....33] [ip4][..tcp] [...192.168.2.17][49355] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] detection-update: [....33] [ip4][..tcp] [...192.168.2.17][49355] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] analyse: [....33] [ip4][..tcp] [...192.168.2.17][49355] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.017| 0.003| 0.006] - [IAT(c->s)...: 0.000| 0.017| 0.004| 0.006][IAT(s->c)...: 0.000| 0.017| 0.003| 0.005] - [PKTLEN(c->s): 66.000| 564.000| 122.900| 135.300][PKTLEN(s->c): 66.000|1454.000|1055.600| 578.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.017| 0.003| 0.006| 31.659| 0.000] + [PKTLEN......: 66.000| 1454.000| 647.500| 640.400|410152.900| 4.200] [BINS(c->s)..: 11,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,1,1,0,1,1,0,1,1,1,1,1,1,1,1,0,0,0,0,0] + [IATS........: 12399,14597,58,14624,1725,26,7,16760,58,2044,498,16542,723,227,12497,604,464,936,285,275,177,245,128,170,272,201,2390,75,1564,117,147,0] + [PKTLENS.....: 78,74,66,288,66,1454,1454,369,66,66,130,564,259,696,89,66,1454,1454,66,1454,1454,1454,1454,1454,1454,1454,1454,66,66,66,66,66] new: [....34] [ip4][..tcp] [...192.168.2.17][49357] -> [....31.13.86.52][..443] new: [....35] [ip4][..tcp] [...192.168.2.17][49358] -> [....31.13.86.52][..443] new: [....36] [ip4][..tcp] [...192.168.2.17][49359] -> [....31.13.86.52][..443] 
@@ -174,19 +192,23 @@ detection-update: [....35] [ip4][..tcp] [...192.168.2.17][49358] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] detection-update: [....36] [ip4][..tcp] [...192.168.2.17][49359] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] analyse: [....36] [ip4][..tcp] [...192.168.2.17][49359] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.159| 0.012| 0.037] - [IAT(c->s)...: 0.000| 0.143| 0.013| 0.036][IAT(s->c)...: 0.000| 0.159| 0.012| 0.037] - [PKTLEN(c->s): 66.000| 637.000| 172.600| 200.300][PKTLEN(s->c): 66.000|1454.000| 858.100| 596.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.159| 0.012| 0.037| 1346.646| 0.000] + [PKTLEN......: 66.000| 1454.000| 536.800| 570.200|325102.600| 4.200] [BINS(c->s)..: 11,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,0,1,1,1,1,1,1,1,0,1,1,1,1,1,0,0,0,0,0,0,0,1,0,1,0,0,1,1] + [IATS........: 12015,14119,556,167,14869,68,308,601,354,271,107,13997,388,138,112,165,226,1385,108,1160,122,114,5,489,10627,8948,1625,2191,142763,158859,395,0] + [PKTLENS.....: 78,74,66,485,579,66,66,288,699,1454,1454,1454,66,1454,1454,1454,720,1454,150,66,66,66,66,66,66,100,66,244,66,637,699,1454] analyse: [....35] [ip4][..tcp] [...192.168.2.17][49358] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.157| 0.021| 0.045] - [IAT(c->s)...: 0.000| 0.157| 0.019| 0.042][IAT(s->c)...: 0.000| 0.156| 0.023| 0.048] - [PKTLEN(c->s): 66.000| 654.000| 224.600| 239.400][PKTLEN(s->c): 66.000|1454.000| 771.400| 614.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.157| 0.021| 0.045| 2047.640| 0.000] + [PKTLEN......: 66.000| 1454.000| 532.200| 557.600|310915.100| 4.200] 
[BINS(c->s)..: 9,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,0,1,1,1,0,0,1,0,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1] + [IATS........: 11078,12229,3431,138,15990,219,497,12957,479,11770,12042,155644,475,129,254,92,123,275,7,156515,111,123,122,255,2699,48704,55896,8249,149165,503,16,0] + [PKTLENS.....: 78,74,66,485,595,66,66,288,66,150,244,66,840,1454,1454,1454,1454,1057,1454,100,66,66,66,66,66,654,654,66,66,841,1454,1454] idle: [.....8] [ip4][..tcp] [..192.168.0.103][37350] -> [...82.85.26.153][...80] idle: [....22] [ip4][..tcp] [..192.168.0.103][41181] -> [...82.85.26.154][..443] idle: [....23] [ip4][..tcp] [..192.168.0.103][41182] -> [...82.85.26.154][..443] 
@@ -232,26 +254,32 @@ detection-update: [....37] [ip4][..tcp] [...192.168.2.17][49360] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] detection-update: [....38] [ip4][..tcp] [...192.168.2.17][49361] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] analyse: [....37] [ip4][..tcp] [...192.168.2.17][49360] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.016| 0.003| 0.005] - [IAT(c->s)...: 0.000| 0.014| 0.003| 0.005][IAT(s->c)...: 0.000| 0.016| 0.002| 0.005] - [PKTLEN(c->s): 66.000| 592.000| 151.500| 173.100][PKTLEN(s->c): 66.000|1454.000|1081.900| 582.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.016| 0.003| 0.005| 22.312| 0.000] + [PKTLEN......: 66.000| 1454.000| 733.000| 652.700|426025.800| 4.300] [BINS(c->s)..: 9,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,0,1,1,1,1,0,1,0,1,1,1,1,1,0,1,1,0,0,0,0,0,1,1,1,1,1,1,1] + [IATS........: 11840,12942,2760,70,16353,27,401,1108,14120,264,633,553,236,305,380,53,1148,300,94,1743,117,248,13,105,10046,132,1375,75,1411,144,201,0] + [PKTLENS.....: 78,74,66,470,592,66,66,288,699,66,89,150,1454,1454,1454,1454,1454,66,1454,1454,66,66,66,66,66,1454,1454,1454,1454,1454,1454,1454] analyse: [....34] [ip4][..tcp] [...192.168.2.17][49357] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 10.470| 0.692| 2.561] - [IAT(c->s)...: 0.000| 10.413| 0.763| 2.677][IAT(s->c)...: 0.000| 10.470| 0.633| 2.459] - [PKTLEN(c->s): 66.000| 663.000| 211.500| 230.100][PKTLEN(s->c): 66.000|1454.000| 706.900| 603.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 10.470| 0.692| 2.561|6557671.096| 0.000] + [PKTLEN......: 66.000| 1454.000| 474.700| 528.600|279392.300| 4.200] 
[BINS(c->s)..: 10,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,0,1,1,1,0,0,1,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1] + [IATS........: 11096,12433,1241,548,13252,614,103,14204,568,14367,12466,169576,258,200,98,307,55,169,229,6,169709,106,1819,218,113,542,10413415,52212,10469815,9752,75862,0] + [PKTLENS.....: 78,74,66,485,663,66,66,288,66,150,244,66,839,1454,1454,1454,1454,1454,642,1454,100,66,66,66,66,66,66,601,601,66,66,842] analyse: [....38] [ip4][..tcp] [...192.168.2.17][49361] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.132| 0.012| 0.032] - [IAT(c->s)...: 0.000| 0.130| 0.013| 0.033][IAT(s->c)...: 0.000| 0.132| 0.010| 0.031] - [PKTLEN(c->s): 66.000| 592.000| 134.400| 158.500][PKTLEN(s->c): 66.000|1454.000| 953.400| 621.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.132| 0.012| 0.032| 1010.732| 0.000] + [PKTLEN......: 66.000| 1454.000| 569.500| 619.500|383805.700| 4.100] [BINS(c->s)..: 12,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,0,1,1,1,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0] + [IATS........: 12123,13295,2535,457,15987,6,842,13996,1396,14470,16133,131670,10,876,193,264,9,116,291,177,158,249,254,129919,113,139,2594,71,83,9,41,0] + [PKTLENS.....: 78,74,66,470,592,66,66,288,66,150,244,66,840,89,1454,1454,1454,1454,1454,1454,1454,1454,1454,1454,66,66,66,66,66,66,66,66] end: [....33] [ip4][..tcp] [...192.168.2.17][49355] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] end: [....34] [ip4][..tcp] [...192.168.2.17][49357] -> [....31.13.86.52][..443] 
[TLS.Instagram][SocialNetwork][Fun] end: [....35] [ip4][..tcp] [...192.168.2.17][49358] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] diff --git a/test/results/flow-info/iphone.pcap.out b/test/results/flow-info/iphone.pcap.out index 27fc54ba6..49c97d903 100644 --- a/test/results/flow-info/iphone.pcap.out +++ b/test/results/flow-info/iphone.pcap.out 
@@ -134,36 +134,44 @@ detected: [....48] [ip4][..udp] [...192.168.2.17][65079] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Streaming][Fun] detection-update: [....48] [ip4][..udp] [...192.168.2.17][65079] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Streaming][Fun] analyse: [....29] [ip4][..tcp] [...192.168.2.17][50580] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.686| 0.087| 0.170] - [IAT(c->s)...: 0.000| 0.651| 0.079| 0.157][IAT(s->c)...: 0.000| 0.686| 0.096| 0.185] - [PKTLEN(c->s): 66.000|1090.000| 216.400| 260.400][PKTLEN(s->c): 66.000|1506.000| 463.900| 573.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.686| 0.087| 0.170|29013.449| 0.000] + [PKTLEN......: 66.000| 1506.000| 324.700| 443.900|197074.700| 4.000] [BINS(c->s)..: 8,4,1,0,1,0,0,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,1,0] + [IATS........: 33952,135750,186,135485,2092,235,8690,6,162529,885,167358,319355,36,34737,102,651125,555,14,127,59,44,145,155,686219,30,1215,16,33741,32499,122595,156547,0] + [PKTLENS.....: 78,74,66,583,66,1506,1506,1506,580,66,66,159,117,135,66,66,119,116,108,1090,438,104,200,438,66,104,66,66,66,66,637,66] new: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] detected: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] [TLS.AppleiTunes][Streaming][Fun] detection-update: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] [TLS.AppleiTunes][Streaming][Fun] analyse: [....45] [ip4][..tcp] [...192.168.2.17][50584] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.655| 0.067| 0.146] - [IAT(c->s)...: 0.000| 0.511| 0.060| 
0.125][IAT(s->c)...: 0.000| 0.655| 0.076| 0.168] - [PKTLEN(c->s): 54.000|1084.000| 190.100| 257.400][PKTLEN(s->c): 66.000|1506.000| 472.000| 576.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.655| 0.067| 0.146|21410.738| 0.000] + [PKTLEN......: 54.000| 1506.000| 313.400| 449.800|202280.400| 3.900] [BINS(c->s)..: 9,5,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,0,0,1] + [IATS........: 34116,36074,120,34743,1609,104,2287,55,140235,397,7279,143339,13,33865,58,1492,19,11,252,423,44,150,34850,6,1213,30,128241,155238,167955,510701,654765,0] + [PKTLENS.....: 78,74,66,583,66,1506,1506,1506,580,66,66,159,117,135,66,66,119,116,108,1084,104,450,104,66,104,66,66,66,750,66,54,66] analyse: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] [TLS.AppleiTunes][Streaming][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.147| 0.026| 0.045] - [IAT(c->s)...: 0.000| 0.146| 0.021| 0.043][IAT(s->c)...: 0.000| 0.147| 0.031| 0.046] - [PKTLEN(c->s): 66.000|1506.000| 258.800| 374.300][PKTLEN(s->c): 66.000|1506.000| 435.500| 537.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.147| 0.026| 0.045| 1989.449| 0.000] + [PKTLEN......: 66.000| 1506.000| 336.100| 461.100|212650.100| 4.000] [BINS(c->s)..: 10,3,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 6,1,1,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,2,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,0,0,1,1,0,1] + [IATS........: 33256,146084,75,147307,1403,159,73,18,38616,19,50,10855,46914,12516,120151,44,4,168,1146,109,1513,467,107361,13,1221,31041,492,3663,24,4467,82566,0] + [PKTLENS.....: 
78,74,66,583,66,1506,1506,1282,456,66,66,66,146,353,353,112,109,101,1506,566,832,66,66,66,136,66,66,97,66,101,66,66] analyse: [....38] [ip4][..tcp] [...192.168.2.17][50581] -> [..17.248.185.87][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.804| 0.109| 0.185] - [IAT(c->s)...: 0.000| 0.656| 0.090| 0.155][IAT(s->c)...: 0.000| 0.804| 0.140| 0.221] - [PKTLEN(c->s): 66.000|1506.000| 727.200| 656.400][PKTLEN(s->c): 66.000|1506.000| 748.100| 684.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.804| 0.109| 0.185|34306.707| 0.000] + [PKTLEN......: 66.000| 1506.000| 735.000| 667.300|445284.800| 4.300] [BINS(c->s)..: 8,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,7,0,0] [BINS(s->c)..: 5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,4,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,1,0,0,0,1,1,0,0,0,0,0,1,1,0,0,0,0] + [IATS........: 145952,170980,359,171301,2704,133,11131,1277,11157,179655,19,50,112,15556,168247,146405,161443,749,308681,51490,198168,655712,185,186,293,803512,1267,180253,328,297,245,0] + [PKTLENS.....: 78,74,66,583,66,1506,1506,1506,1506,1488,66,66,66,66,159,117,66,1183,358,66,1010,66,1178,1506,1506,1506,66,66,1506,1506,1506,1506] detection-update: [....38] [ip4][..tcp] [...192.168.2.17][50581] -> [..17.248.185.87][..443] [TLS.AppleiCloud][Web][Acceptable] new: [....50] [ip4][..udp] [...192.168.2.17][63677] -> [....192.168.2.1][...53] detected: [....50] [ip4][..udp] [...192.168.2.17][63677] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Streaming][Fun] diff --git a/test/results/flow-info/ipp.pcap.out b/test/results/flow-info/ipp.pcap.out index 56dd5ded0..3165d60be 100644 --- a/test/results/flow-info/ipp.pcap.out +++ b/test/results/flow-info/ipp.pcap.out 
@@ -8,12 +8,14 @@ detected: [.....2] [ip4][..tcp] [....10.10.10.49][55342] -> [...10.10.10.251][..631] [HTTP.IPP][System][Acceptable] RISK: Known Proto on Non Std Port, HTTP Numeric IP Address analyse: [.....2] [ip4][..tcp] [....10.10.10.49][55342] -> [...10.10.10.251][..631] [HTTP.IPP][System][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.009| 0.004| 0.004] - [IAT(c->s)...: 0.000| 0.009| 0.003| 0.003][IAT(s->c)...: 0.001| 0.009| 0.006| 0.003] - [PKTLEN(c->s): 66.000|2962.000|1331.700| 799.700][PKTLEN(s->c): 66.000| 91.000| 69.000| 7.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.009| 0.004| 0.004| 12.440| 0.000] + [PKTLEN......: 66.000| 2962.000| 897.700| 882.800|779357.900| 4.200] [BINS(c->s)..: 3,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,1,1,1,0,1,0,9] [BINS(s->c)..: 11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,0,1,1,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1] + [IATS........: 709,735,61,34,3567,1615,5071,72,15,5799,5726,12,3653,3625,5,7253,7252,7,8848,8850,9,9119,9104,8,7245,7239,6,7601,7598,8,7210,0] + [PKTLENS.....: 74,74,66,210,214,66,91,66,2962,1514,66,2962,1586,66,1442,1610,66,1418,1634,66,1394,1658,66,1370,1682,66,1346,1706,66,1322,1730,66] new: [.....3] [ip4][..tcp] [....10.10.10.49][55343] -> [...10.10.10.251][..631] detected: [.....3] [ip4][..tcp] [....10.10.10.49][55343] -> [...10.10.10.251][..631] [HTTP.IPP][System][Acceptable] RISK: Known Proto on Non Std Port, HTTP Numeric IP Address diff --git a/test/results/flow-info/ipsec_isakmp_esp.pcap.out b/test/results/flow-info/ipsec_isakmp_esp.pcap.out index acb3c0bae..240657cf7 100644 --- a/test/results/flow-info/ipsec_isakmp_esp.pcap.out +++ b/test/results/flow-info/ipsec_isakmp_esp.pcap.out 
@@ -12,12 +12,14 @@ update: [.....1] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.193][.4500] [IPSec][VPN][Safe] update: [.....2] [ip4][..udp] [..192.168.2.100][10500] -> [109.237.187.193][..500] [IPSec][VPN][Safe] analyse: [.....1] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.193][.4500] [IPSec][VPN][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.001| 662.067| 87.057| 203.164] - [IAT(c->s)...: 0.001| 661.960| 90.678| 207.585][IAT(s->c)...: 0.004| 662.067| 83.714| 198.937] - [PKTLEN(c->s): 138.000|1374.000| 814.200| 488.500][PKTLEN(s->c): 122.000|1070.000| 270.000| 229.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.001| 662.067| 87.057| 203.164|41275511887.888| 0.000] + [PKTLEN......: 122.000| 1374.000| 542.100| 468.700|219671.500| 4.500] [BINS(c->s)..: 0,0,0,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0] [BINS(s->c)..: 0,0,3,0,7,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,0,0,0,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1] + [IATS........: 122000,677000,771000,222000,34000,2372000,1000,23000,2387000,22000,24000,661960000,662067000,681000,743000,195000,34000,407000,421000,4000,138000,188000,12771000,421390000,408766000,0,0,0,0,0,0,0] + [PKTLENS.....: 858,250,154,122,138,458,1374,1374,942,1374,174,174,174,942,174,858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250] update: [.....1] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.193][.4500] [IPSec][VPN][Safe] update: [.....2] [ip4][..udp] [..192.168.2.100][10500] -> [109.237.187.193][..500] [IPSec][VPN][Safe] DAEMON-EVENT: [Processed: 61 pkts][ZLib][compressions: 0|diff: 0 / 0] 
@@ -116,19 +118,23 @@ new: [....24] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.227][.4500] detected: [....24] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.227][.4500] [IPSec][VPN][Safe] analyse: [....24] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.227][.4500] [IPSec][VPN][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.000| 0.000| 0.000] - [IAT(c->s)...: 0.000| 0.000| 0.000| 0.000][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 138.000|1374.000| 725.700| 502.000][PKTLEN(s->c): 122.000|1070.000| 314.000| 293.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.000| 0.000| 0.000| 0.000| 0.000] + [PKTLEN......: 122.000| 1374.000| 507.000| 453.900|206039.000| 4.500] [BINS(c->s)..: 0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0] [BINS(s->c)..: 0,0,4,0,6,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1] + [IATS........: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [PKTLENS.....: 858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250] analyse: [....23] [ip4][..udp] [..192.168.2.100][10500] -> [109.237.187.227][..500] [IPSec][VPN][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.000| 0.000| 0.000] - [IAT(c->s)...: 0.000| 0.000| 0.000| 0.000][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 818.000| 842.000| 830.000| 12.000][PKTLEN(s->c): 94.000| 330.000| 212.000| 118.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.000| 0.000| 0.000| 0.000| 0.000] + [PKTLEN......: 94.000| 842.000| 521.000| 320.200|102515.000| 4.700] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 
0,8,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [PKTLENS.....: 818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330] new: [....25] [ip4][..udp] [..192.168.2.100][10500] -> [109.237.187.226][..500] detected: [....25] [ip4][..udp] [..192.168.2.100][10500] -> [109.237.187.226][..500] [IPSec][VPN][Safe] new: [....26] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.226][.4500] 
@@ -138,12 +144,14 @@ new: [....28] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.130][.4500] detected: [....28] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.130][.4500] [IPSec][VPN][Safe] analyse: [....28] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.130][.4500] [IPSec][VPN][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.000| 0.000| 0.000] - [IAT(c->s)...: 0.000| 0.000| 0.000| 0.000][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 138.000|1374.000| 645.700| 480.400][PKTLEN(s->c): 122.000|1374.000| 678.600| 531.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.000| 0.000| 0.000| 0.000| 0.000] + [PKTLEN......: 122.000| 1374.000| 665.200| 511.600|261688.400| 4.500] [BINS(c->s)..: 0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0] [BINS(s->c)..: 0,0,2,0,4,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,2,4,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,0,1,1,1,0,1,1,1,0,1,0,1,0,1,0,0,1,1,1,0,1,1,1,0,1] + [IATS........: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [PKTLENS.....: 858,250,154,122,138,458,1374,1070,174,174,1070,174,1374,1374,1326,858,250,154,122,138,458,1374,1070,174,174,1070,174,1374,1374,1326,858,250] new: [....29] [ip4][..udp] [..192.168.2.100][42593] -> [109.237.187.193][.4500] detected: [....29] [ip4][..udp] [..192.168.2.100][42593] -> [109.237.187.193][.4500] [IPSec][VPN][Safe] new: [....30] [ip4][..udp] [..192.168.2.100][42593] -> [109.237.187.193][..500] 
@@ -161,19 +169,23 @@ new: [....36] [ip4][..udp] [..192.168.2.100][10500] -> [109.237.187.195][..500] detected: [....36] [ip4][..udp] [..192.168.2.100][10500] -> [109.237.187.195][..500] [IPSec][VPN][Safe] analyse: [....34] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.195][.4500] [IPSec][VPN][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.000| 0.000| 0.000] - [IAT(c->s)...: 0.000| 0.000| 0.000| 0.000][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 138.000|1374.000| 723.600| 501.100][PKTLEN(s->c): 122.000|1374.000| 461.300| 438.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.000| 0.000| 0.000| 0.000| 0.000] + [PKTLEN......: 122.000| 1374.000| 584.200| 486.800|236933.900| 4.500] [BINS(c->s)..: 0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0] [BINS(s->c)..: 0,0,2,0,6,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1] + [IATS........: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [PKTLENS.....: 858,250,154,122,138,458,1374,1374,926,174,174,174,1070,174,1374,858,250,154,122,138,458,1374,1374,926,174,174,174,1070,174,1374,858,250] analyse: [....18] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.225][.4500] [IPSec][VPN][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.000| 0.000| 0.000] - [IAT(c->s)...: 0.000| 0.000| 0.000| 0.000][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 138.000|1374.000| 724.700| 501.600][PKTLEN(s->c): 122.000|1374.000| 387.600| 380.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.000| 0.000| 0.000| 0.000| 0.000] + [PKTLEN......: 122.000| 1374.000| 545.600| 472.200|222978.400| 4.500] [BINS(c->s)..: 0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0] [BINS(s->c)..: 
0,0,3,0,6,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1] + [IATS........: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [PKTLENS.....: 858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250,154,122,138,458,1374,1374,926,174,174,174,1070,174,1374,858,250] idle: [....28] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.130][.4500] [IPSec][VPN][Safe] idle: [....20] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.131][.4500] [IPSec][VPN][Safe] idle: [....26] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.226][.4500] [IPSec][VPN][Safe] diff --git a/test/results/flow-info/jabber.pcap.out b/test/results/flow-info/jabber.pcap.out index 921c64365..cade853f9 100644 --- a/test/results/flow-info/jabber.pcap.out +++ b/test/results/flow-info/jabber.pcap.out 
@@ -4,21 +4,25 @@ new: [.....1] [ip4][..tcp] [....172.16.0.62][57094] -> [...172.16.1.138][.5222] detected: [.....1] [ip4][..tcp] [....172.16.0.62][57094] -> [...172.16.1.138][.5222] [Jabber][Web][Acceptable] analyse: [.....1] [ip4][..tcp] [....172.16.0.62][57094] -> [...172.16.1.138][.5222] [Jabber][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.338| 0.039| 0.084] - [IAT(c->s)...: 0.000| 0.338| 0.038| 0.084][IAT(s->c)...: 0.000| 0.337| 0.040| 0.085] - [PKTLEN(c->s): 66.000| 404.000| 121.400| 88.700][PKTLEN(s->c): 66.000| 445.000| 165.500| 115.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.338| 0.039| 0.084| 7085.730| 0.000] + [PKTLEN......: 66.000| 445.000| 142.100| 104.500|10930.100| 4.700] [BINS(c->s)..: 11,1,0,3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,1,0,1,1,3,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0] + [IATS........: 444,511,417,828,400,374,12411,12818,2412,2410,348,1979,1627,218,40781,36965,77519,220,613,337303,337747,374,834,51093,51498,6383,6386,306,844,109053,109606,0] + [PKTLENS.....: 78,74,66,88,66,182,66,245,66,351,66,228,226,66,404,66,186,66,118,66,117,66,182,66,245,66,445,66,189,66,198,66] new: [.....2] [ip4][..tcp] [....172.16.0.62][57122] -> [...172.16.1.138][.5222] detected: [.....2] [ip4][..tcp] [....172.16.0.62][57122] -> [...172.16.1.138][.5222] [Jabber][Web][Acceptable] analyse: [.....2] [ip4][..tcp] [....172.16.0.62][57122] -> [...172.16.1.138][.5222] [Jabber][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.337| 0.038| 0.085] - [IAT(c->s)...: 0.000| 0.337| 0.037| 0.085][IAT(s->c)...: 0.000| 0.336| 0.039| 0.085] - [PKTLEN(c->s): 66.000| 404.000| 121.400| 88.700][PKTLEN(s->c): 66.000| 445.000| 165.400| 115.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.337| 0.038| 0.085| 
7210.629| 0.000] + [PKTLEN......: 66.000| 445.000| 142.000| 104.500|10917.300| 4.700] [BINS(c->s)..: 11,1,0,3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,1,0,1,1,3,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0] + [IATS........: 690,749,72,451,362,328,190,509,138,134,177,1433,1288,169,39805,40983,80676,197,580,336438,336798,280,830,51170,51717,134,126,305,762,115132,115569,0] + [PKTLENS.....: 78,74,66,88,66,182,66,243,66,351,66,228,226,66,404,66,186,66,118,66,117,66,182,66,245,66,445,66,189,66,198,66] new: [.....3] [ip4][..tcp] [....172.16.0.62][57126] -> [...172.16.1.138][.5222] [MIDSTREAM] detected: [.....3] [ip4][..tcp] [....172.16.0.62][57126] -> [...172.16.1.138][.5222] [Jabber][Web][Acceptable] new: [.....4] [ip4][..tcp] [....172.16.0.62][57129] -> [...172.16.1.138][.5222] [MIDSTREAM] 
@@ -34,12 +38,14 @@ DAEMON-EVENT: [Processed: 243 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 4 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] analyse: [.....6] [ip4][..tcp] [....172.16.0.62][57149] -> [...172.16.1.138][.5222] [Jabber][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 600.488| 42.007| 147.105] - [IAT(c->s)...: 0.000| 600.484| 38.300| 140.969][IAT(s->c)...: 0.000| 600.488| 46.510| 154.108] - [PKTLEN(c->s): 66.000| 305.000| 126.300| 77.600][PKTLEN(s->c): 66.000| 529.000| 214.300| 140.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 600.488| 42.007| 147.105|21639823353.709| 0.000] + [PKTLEN......: 66.000| 529.000| 164.800| 117.900|13893.800| 4.700] [BINS(c->s)..: 9,4,0,0,2,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,0,5,0,0,3,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,0,0,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1] + [IATS........: 5033,2,5089,3,217021,217977,974,3684463,3688323,3876,600484177,600487770,3,3561,6,1107,1119,7791,47498,39730,447,62982,63440,253,504,186,80,2,90,46583978,46623992,0] + [PKTLENS.....: 305,474,186,66,66,248,529,66,248,193,66,216,270,172,120,66,286,66,114,66,114,66,288,66,114,167,66,66,171,66,201,66] DAEMON-EVENT: [Processed: 270 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 4 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....7] [ip4][..tcp] [...192.168.58.1][53460] -> [.192.168.58.153][.5222] diff --git a/test/results/flow-info/kismet.pcap.out b/test/results/flow-info/kismet.pcap.out index 792e212b7..0dab67917 100644 --- a/test/results/flow-info/kismet.pcap.out +++ b/test/results/flow-info/kismet.pcap.out 
@@ -4,11 +4,13 @@ new: [.....1] [ip4][..tcp] [......127.0.0.1][34065] -> [......127.0.0.1][.2501] detected: [.....1] [ip4][..tcp] [......127.0.0.1][34065] -> [......127.0.0.1][.2501] [Kismet][Network][Acceptable] analyse: [.....1] [ip4][..tcp] [......127.0.0.1][34065] -> [......127.0.0.1][.2501] [Kismet][Network][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.100| 0.836| 0.406] - [IAT(c->s)...: 0.000| 1.100| 0.828| 0.410][IAT(s->c)...: 0.000| 1.100| 0.845| 0.402] - [PKTLEN(c->s): 54.000|1099.000| 120.100| 252.800][PKTLEN(s->c): 54.000| 253.000| 165.800| 53.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.100| 0.836| 0.406|165002.641| 0.000] + [PKTLEN......: 54.000| 1099.000| 142.900| 184.200|33913.200| 4.400] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,1,0,11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 28,42,208,235,399947,399927,615244,615286,399575,399620,1099784,1099782,1099835,1099834,1099815,1099816,1099834,1099831,1099838,1099839,1099849,1099852,1099837,1099839,1099821,1099818,1099833,1099833,1099842,1099843,1099828,0] + [PKTLENS.....: 66,66,54,253,54,72,54,1099,54,129,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189] idle: [.....1] [ip4][..tcp] [......127.0.0.1][34065] -> [......127.0.0.1][.2501] [Kismet][Network][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/kontiki.pcap.out b/test/results/flow-info/kontiki.pcap.out index f0efbc4ac..1baa4adc8 100644 --- a/test/results/flow-info/kontiki.pcap.out +++ b/test/results/flow-info/kontiki.pcap.out 
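Review bot: The new IAT variance column does not agree with the stddev printed next to it: this flow shows stddev 0.406 but variance 165002.641, which is 0.406² scaled by 1e6, so the variance is reported in a microsecond-derived unit while min/max/avg/stddev are in seconds, and the same 1e6 factor appears in every flow of this diff (e.g. stddev 0.084 → variance 7085.730). The IAT entropy column is 0.000 for this flow and for every other flow in the diff although the IAT sequences differ widely, while the PKTLEN entropy varies between 3.8 and 5.0, which suggests the IAT entropy is computed on the wrong buffer or on values collapsed into a single bin. Both should be fixed in the producer (not visible in this diff) or at least stated in the header, e.g. `[min|max|avg|stddev|variance(us^2)|entropy]`, before these files are committed as expected results, since blessing them now locks the discrepancies into the test suite.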
@@ -18,12 +18,14 @@ new: [.....8] [ip4][.icmp] [...4.79.219.125] -> [....10.25.32.59] detected: [.....8] [ip4][.icmp] [...4.79.219.125] -> [....10.25.32.59] [ICMP][Network][Acceptable] analyse: [.....3] [ip4][..udp] [....10.25.32.59][19948] -> [..64.200.148.86][.8888] [Kontiki][Media][Potentially Dangerous] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.608| 0.045| 0.118] - [IAT(c->s)...: 0.003| 0.212| 0.078| 0.088][IAT(s->c)...: 0.000| 0.608| 0.032| 0.126] - [PKTLEN(c->s): 46.000| 259.000| 101.100| 79.400][PKTLEN(s->c): 70.000|1283.000|1144.500| 355.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.608| 0.045| 0.118|13931.400| 0.000] + [PKTLEN......: 46.000| 1283.000| 818.400| 568.000|322604.600| 4.500] [BINS(c->s)..: 7,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,1,0,1,0,1,0,1,1,1,1,0,1,1,1,1,1,0,1,1,1,1,1,1,0,1,1,1,1] + [IATS........: 198615,212422,193796,607738,3074,5780,31191,29960,8831,9093,72,244,17,19380,18261,96,127,127,114,15289,14893,16,235,114,13,97,15924,15357,18,115,125,0] + [PKTLENS.....: 46,46,46,62,70,259,513,246,218,132,1283,1283,1283,1283,58,1283,1283,1283,1283,1283,58,1283,1283,1283,1283,1283,1283,58,1283,1283,1283,1283] idle: [.....8] [ip4][.icmp] [...4.79.219.125] -> [....10.25.32.59] [ICMP][Network][Acceptable] idle: [.....7] [ip4][.icmp] [216.168.241.157] -> [....10.25.32.59] [ICMP][Network][Acceptable] idle: [.....3] [ip4][..udp] [....10.25.32.59][19948] -> [..64.200.148.86][.8888] [Kontiki][Media][Potentially Dangerous] diff --git a/test/results/flow-info/log4j-webapp-exploit.pcap.out b/test/results/flow-info/log4j-webapp-exploit.pcap.out index 685b46c97..7774f28d6 100644 --- a/test/results/flow-info/log4j-webapp-exploit.pcap.out +++ b/test/results/flow-info/log4j-webapp-exploit.pcap.out 
@@ -18,12 +18,14 @@ ERROR-EVENT: Unknown L3 protocol ERROR-EVENT: Unknown L3 protocol analyse: [.....4] [ip4][..tcp] [..172.16.238.10][55408] -> [....10.10.10.31][.9001] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 7.289| 0.474| 1.790] - [IAT(c->s)...: 0.000| 7.289| 0.459| 1.763][IAT(s->c)...: 0.000| 7.289| 0.490| 1.817] - [PKTLEN(c->s): 68.000| 76.000| 70.200| 2.000][PKTLEN(s->c): 68.000| 76.000| 68.700| 2.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 7.289| 0.474| 1.790|3202664.366| 0.000] + [PKTLEN......: 68.000| 76.000| 69.500| 2.200| 4.600| 5.000] [BINS(c->s)..: 17,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] + [IATS........: 143,183,7288581,7288582,60489,60668,256,174,116,102,89,87,86,86,151,159,99,144,121,87,73,51,50,48,47,46,47,47,47,46,81,0] + [PKTLENS.....: 76,76,68,71,68,69,68,69,68,69,68,69,68,69,68,69,68,69,68,71,68,73,68,71,68,71,68,71,68,71,68,71] not-detected: [.....4] [ip4][..tcp] [..172.16.238.10][55408] -> [....10.10.10.31][.9001] [Unknown][Unrated] new: [.....5] [ip4][..tcp] [..172.16.238.10][57742] -> [..172.16.238.11][.1389] detected: [.....5] [ip4][..tcp] [..172.16.238.10][57742] -> [..172.16.238.11][.1389] [LDAP][System][Acceptable] diff --git a/test/results/flow-info/long_tls_certificate.pcap.out b/test/results/flow-info/long_tls_certificate.pcap.out index 703712c43..a43438a5d 100644 --- a/test/results/flow-info/long_tls_certificate.pcap.out +++ b/test/results/flow-info/long_tls_certificate.pcap.out 
@@ -6,12 +6,14 @@ detection-update: [.....1] [ip4][..tcp] [...192.168.1.60][55333] -> [.106.15.100.123][..443] [TLS.Alibaba][Web][Acceptable] detection-update: [.....1] [ip4][..tcp] [...192.168.1.60][55333] -> [.106.15.100.123][..443] [TLS.Alibaba][Web][Acceptable] analyse: [.....1] [ip4][..tcp] [...192.168.1.60][55333] -> [.106.15.100.123][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.371| 0.087| 0.130] - [IAT(c->s)...: 0.000| 0.371| 0.076| 0.125][IAT(s->c)...: 0.000| 0.371| 0.099| 0.135] - [PKTLEN(c->s): 54.000| 571.000| 110.800| 119.800][PKTLEN(s->c): 60.000|1506.000| 695.000| 663.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.371| 0.087| 0.130|17024.252| 0.000] + [PKTLEN......: 54.000| 1506.000| 384.700| 546.600|298744.200| 3.800] [BINS(c->s)..: 10,4,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,1,0,1,0,1,0,0,1,0,1,1,0,0,0,0,0,0,0,1,0,1,1,1] + [IATS........: 370788,370939,9373,360927,2844,76,70,354425,123,125,124,131,8073,8089,5763,200299,194564,174299,34,174324,4,2275,71,66,101,117,94097,91476,274609,24,6,0] + [PKTLENS.....: 78,78,54,571,60,1506,1506,1506,54,1506,54,1104,54,1104,66,180,1506,66,105,123,54,54,107,110,96,128,92,123,66,66,66,66] detection-update: [.....1] [ip4][..tcp] [...192.168.1.60][55333] -> [.106.15.100.123][..443] [TLS.Alibaba][Web][Acceptable] end: [.....1] [ip4][..tcp] [...192.168.1.60][55333] -> [.106.15.100.123][..443] [TLS.Alibaba][Web][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/modbus.pcap.out b/test/results/flow-info/modbus.pcap.out index cd1845f31..e932b563d 100644 --- a/test/results/flow-info/modbus.pcap.out +++ b/test/results/flow-info/modbus.pcap.out 
@@ -4,11 +4,13 @@ new: [.....1] [ip4][..tcp] [192.168.110.131][.2074] -> [192.168.110.138][..502] [MIDSTREAM] detected: [.....1] [ip4][..tcp] [192.168.110.131][.2074] -> [192.168.110.138][..502] [Modbus][IoT-Scada][Acceptable] analyse: [.....1] [ip4][..tcp] [192.168.110.131][.2074] -> [192.168.110.138][..502] [Modbus][IoT-Scada][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.001| 1.014| 0.452| 0.497] - [IAT(c->s)...: 0.001| 1.014| 0.467| 0.498][IAT(s->c)...: 0.001| 1.014| 0.438| 0.496] - [PKTLEN(c->s): 66.000| 66.000| 66.000| 0.000][PKTLEN(s->c): 65.000| 65.000| 65.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.001| 1.014| 0.452| 0.497|247304.159| 0.000] + [PKTLEN......: 65.000| 66.000| 65.500| 0.500| 0.200| 5.000] [BINS(c->s)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 1135,1208,905,1013603,1014211,1539,891,986516,986873,1217,900,1000224,1000513,1187,905,1000230,1000558,1232,911,1000222,1000609,1645,915,999845,1000447,1173,835,1000242,1000645,1238,912,0] + [PKTLENS.....: 66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65] idle: [.....1] [ip4][..tcp] [192.168.110.131][.2074] -> [192.168.110.138][..502] [Modbus][IoT-Scada][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/monero.pcap.out b/test/results/flow-info/monero.pcap.out index a757001f8..9813eb91e 100644 --- a/test/results/flow-info/monero.pcap.out +++ b/test/results/flow-info/monero.pcap.out 
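Review bot: The new IATS vector ends in a literal 0 here (`...,1238,912,0]`) and in every other flow of this diff, while DIRECTIONS and PKTLENS carry 32 real samples; 32 packets yield only 31 inter-arrival gaps, so the trailing 0 looks like an unfilled slot rather than a measured zero-length gap. A consumer of these vectors cannot distinguish it from a genuine 0 µs interval, and the IPsec flows above, whose IATS are entirely 0, hide the same ambiguity. Either emit one fewer IATS entry than PKTLENS or document in the header that the last IATS slot is padding; the producing code is not part of this diff, so this is inferred from the output alone.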
@@ -8,19 +8,23 @@ detected: [.....2] [ip4][..tcp] [..192.168.2.148][53846] -> [116.211.167.195][.3333] [Mining][Mining][Unsafe] RISK: Known Proto on Non Std Port, Unsafe Protocol analyse: [.....1] [ip4][..tcp] [..192.168.2.148][46838] -> [..94.23.199.191][.3333] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 71.693| 7.500| 18.614] - [IAT(c->s)...: 0.000| 71.570| 7.263| 18.348][IAT(s->c)...: 0.000| 71.693| 7.753| 18.889] - [PKTLEN(c->s): 66.000|1514.000| 589.200| 677.100][PKTLEN(s->c): 66.000| 376.000| 127.500| 102.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 71.693| 7.500| 18.614|346464978.993| 0.000] + [PKTLEN......: 66.000| 1514.000| 372.800| 549.100|301531.900| 3.800] [BINS(c->s)..: 8,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,3,0,0] [BINS(s->c)..: 10,2,0,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,0,0,0,1,1,0,1,0,0,0,1,1] + [IATS........: 80304,80325,101,83178,13,83088,126,80997,13,80884,278,117985,882322,1042483,71569648,189,71693099,19,725,81617,32242169,176,32323370,1466,82454,7432953,7432942,3511834,196,3592651,986,0] + [PKTLENS.....: 74,74,66,164,66,128,66,161,104,185,66,126,66,376,66,1514,1496,66,66,91,66,1514,1496,66,91,66,376,66,1514,1496,66,91] analyse: [.....2] [ip4][..tcp] [..192.168.2.148][53846] -> [116.211.167.195][.3333] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 170.525| 32.857| 51.784] - [IAT(c->s)...: 0.000| 170.525| 31.821| 51.289][IAT(s->c)...: 0.000| 170.525| 33.963| 52.285] - [PKTLEN(c->s): 54.000|1498.000| 239.100| 458.600][PKTLEN(s->c): 60.000| 364.000| 235.900| 139.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 170.525| 32.857| 51.784|2681624034.542| 0.000] + [PKTLEN......: 54.000| 1498.000| 237.600| 347.600|120860.400| 4.100] [BINS(c->s)..: 
12,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0] [BINS(s->c)..: 4,2,0,1,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,0,1] + [IATS........: 308120,308161,177,308150,13,308019,704,308743,11,308008,83,346736,653907,1043085,114411206,114368750,308565,308538,36863210,36863172,20419867,20419875,170525387,170525395,113243496,113243486,35871285,35871309,15564630,176,15873525,0] + [PKTLENS.....: 74,66,54,152,60,116,54,147,92,173,54,114,60,364,54,364,54,364,54,364,54,364,54,364,54,364,54,364,54,1498,1486,60] DAEMON-EVENT: [Processed: 198 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 2 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] idle: [.....2] [ip4][..tcp] [..192.168.2.148][53846] -> [116.211.167.195][.3333] [Mining][Mining][Unsafe] diff --git a/test/results/flow-info/nest_log_sink.pcap.out b/test/results/flow-info/nest_log_sink.pcap.out index 9961c617b..aa30aa1e7 100644 --- a/test/results/flow-info/nest_log_sink.pcap.out +++ b/test/results/flow-info/nest_log_sink.pcap.out 
@@ -5,12 +5,14 @@ DAEMON-EVENT: [Processed: 30 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] analyse: [.....1] [ip4][..tcp] [.192.168.242.15][63340] -> [..35.174.82.237][11095] - [min|max|avg|stddev] - [IAT(flow)...: 0.061| 60.122| 38.821| 28.558] - [IAT(c->s)...: 0.204| 60.072| 40.113| 28.101][IAT(s->c)...: 0.061| 60.122| 37.610| 28.928] - [PKTLEN(c->s): 60.000| 60.000| 60.000| 0.000][PKTLEN(s->c): 54.000| 54.000| 54.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.061| 60.122| 38.821| 28.558|815563555.209| 0.000] + [PKTLEN......: 54.000| 60.000| 57.000| 3.000| 9.000| 5.000] [BINS(c->s)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1] + [IATS........: 60807,60066531,60070988,444607,512208,60052382,60122070,60064103,60058548,139368,204086,59876012,59944753,60065849,60071735,305546,379257,59710128,59782330,60066153,60065042,470660,541865,60021230,60097006,60071977,60059874,163527,227320,59833996,59896720,0] + [PKTLENS.....: 60,54,60,54,54,60,60,54,60,54,54,60,60,54,60,54,54,60,60,54,60,54,54,60,60,54,60,54,54,60,60,54] guessed: [.....1] [ip4][..tcp] [.192.168.242.15][63340] -> [..35.174.82.237][11095] [NestLogSink.AmazonAWS][Cloud][Acceptable] detected: [.....1] [ip4][..tcp] [.192.168.242.15][63340] -> [..35.174.82.237][11095] [NestLogSink.AmazonAWS][Cloud][Acceptable] DAEMON-EVENT: [Processed: 60 pkts][ZLib][compressions: 0|diff: 0 / 0] 
@@ -21,24 +23,28 @@ new: [.....3] [ip4][..tcp] [.192.168.242.15][63342] -> [.35.188.154.186][11095] detected: [.....3] [ip4][..tcp] [.192.168.242.15][63342] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] analyse: [.....3] [ip4][..tcp] [.192.168.242.15][63342] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.491| 0.199| 0.354] - [IAT(c->s)...: 0.008| 1.347| 0.194| 0.327][IAT(s->c)...: 0.000| 1.491| 0.205| 0.380] - [PKTLEN(c->s): 60.000| 585.000| 361.500| 210.400][PKTLEN(s->c): 54.000| 733.000| 136.300| 161.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.491| 0.199| 0.354|125081.829| 0.000] + [PKTLEN......: 54.000| 733.000| 255.900| 219.800|48330.300| 4.500] [BINS(c->s)..: 4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0] + [IATS........: 69743,72197,635648,708301,5274,110825,1347393,1490586,118042,84290,55,88866,80271,82780,83378,79961,79977,80201,79559,79635,80946,81395,80711,79963,79339,79335,79882,72223,8456,80008,81752,0] + [PKTLENS.....: 60,58,60,585,54,733,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509] new: [.....4] [ip4][..tcp] [.192.168.242.15][63343] -> [..35.174.82.237][11095] detected: [.....4] [ip4][..tcp] [.192.168.242.15][63343] -> [..35.174.82.237][11095] [NestLogSink][Cloud][Acceptable] new: [.....5] [ip4][..tcp] [.192.168.242.15][63344] -> [.35.188.154.186][11095] detected: [.....5] [ip4][..tcp] [.192.168.242.15][63344] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] update: [.....2] [ip4][..udp] [.192.168.242.15][52849] -> [..192.168.242.1][...53] [DNS][Network][Acceptable] analyse: [.....4] [ip4][..tcp] [.192.168.242.15][63343] -> 
[..35.174.82.237][11095] [NestLogSink][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.007| 60.078| 8.258| 19.898] - [IAT(c->s)...: 0.007| 60.064| 7.986| 19.625][IAT(s->c)...: 0.016| 60.078| 8.548| 20.182] - [PKTLEN(c->s): 60.000| 585.000| 171.400| 155.600][PKTLEN(s->c): 54.000| 731.000| 192.000| 212.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.007| 60.078| 8.258| 19.898|395938807.939| 0.000] + [PKTLEN......: 54.000| 731.000| 181.000| 184.800|34140.600| 4.400] [BINS(c->s)..: 9,1,0,1,0,3,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,2,0,0,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,1,0,1,0,0,1,0,0,1,0,1,1] + [IATS........: 64103,66685,638775,711013,16458,201353,1246735,1463240,104910,69439,22020,94707,71220,78130,7081,87220,75789,84472,84342,76407,307337,280726,43263,5019615,5092313,178784,59560541,59727665,60063791,60077555,375945,0] + [PKTLENS.....: 60,58,60,585,54,731,60,106,54,458,54,114,176,683,60,234,220,234,204,234,215,60,215,60,346,116,60,60,54,60,54,54] end: [.....1] [ip4][..tcp] [.192.168.242.15][63340] -> [..35.174.82.237][11095] [NestLogSink.AmazonAWS][Cloud][Acceptable] end: [.....3] [ip4][..tcp] [.192.168.242.15][63342] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] end: [.....5] [ip4][..tcp] [.192.168.242.15][63344] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] 
@@ -56,12 +62,14 @@ new: [.....7] [ip4][..tcp] [.192.168.242.15][63345] -> [.35.188.154.186][11095] detected: [.....7] [ip4][..tcp] [.192.168.242.15][63345] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] analyse: [.....7] [ip4][..tcp] [.192.168.242.15][63345] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.478| 0.186| 0.338] - [IAT(c->s)...: 0.012| 1.167| 0.181| 0.293][IAT(s->c)...: 0.000| 1.478| 0.192| 0.380] - [PKTLEN(c->s): 60.000| 584.000| 361.400| 210.400][PKTLEN(s->c): 54.000| 732.000| 136.300| 161.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.478| 0.186| 0.338|114146.574| 0.000] + [PKTLEN......: 54.000| 732.000| 255.900| 219.700|48280.000| 4.500] [BINS(c->s)..: 4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0] + [IATS........: 61003,66332,638637,696721,5239,274658,1166948,1477502,96252,57032,33,69584,64878,63516,66188,66283,63911,64139,63928,63783,65164,65050,63165,63274,64227,64111,63788,54150,11824,65153,63500,0] + [PKTLENS.....: 60,58,60,584,54,732,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509] new: [.....8] [ip4][..tcp] [.192.168.242.15][63346] -> [..35.174.82.237][11095] detected: [.....8] [ip4][..tcp] [.192.168.242.15][63346] -> [..35.174.82.237][11095] [NestLogSink][Cloud][Acceptable] new: [.....9] [ip4][..tcp] [.192.168.242.15][63347] -> [.35.188.154.186][11095] 
@@ -72,12 +80,14 @@ end: [.....9] [ip4][..tcp] [.192.168.242.15][63347] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] update: [.....6] [ip4][..udp] [.192.168.242.15][52849] -> [..192.168.242.1][...53] [DNS][Network][Acceptable] analyse: [.....8] [ip4][..tcp] [.192.168.242.15][63346] -> [..35.174.82.237][11095] [NestLogSink][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.007| 60.066| 10.038| 21.842] - [IAT(c->s)...: 0.007| 60.066| 10.906| 22.620][IAT(s->c)...: 0.015| 60.064| 8.984| 20.809] - [PKTLEN(c->s): 60.000| 585.000| 165.200| 153.300][PKTLEN(s->c): 54.000| 731.000| 190.400| 219.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.007| 60.066| 10.038| 21.842|477077551.710| 0.000] + [PKTLEN......: 54.000| 731.000| 176.200| 185.800|34538.800| 4.400] [BINS(c->s)..: 10,1,0,1,0,3,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,2,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,0,1,1,0,0] + [IATS........: 66203,68921,634989,702416,15391,245970,1210603,1481601,108755,76207,16822,97423,70982,72827,6654,85865,79238,75829,75050,77170,97357,2619475,2881135,371772,59569035,59778516,60065954,60063694,377489,447329,59622627,0] + [PKTLENS.....: 60,58,60,585,54,731,60,106,54,458,54,114,176,683,60,234,220,234,204,234,215,60,346,116,60,60,54,60,54,54,60,60] idle: [.....6] [ip4][..udp] [.192.168.242.15][52849] -> [..192.168.242.1][...53] [DNS][Network][Acceptable] DAEMON-EVENT: [Processed: 424 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 9|skipped: 0|!detected: 0|guessed: 1|detection-updates: 2|updates: 4] 
@@ -89,12 +99,14 @@ new: [....11] [ip4][..tcp] [.192.168.242.15][63348] -> [.35.188.154.186][11095] detected: [....11] [ip4][..tcp] [.192.168.242.15][63348] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] analyse: [....11] [ip4][..tcp] [.192.168.242.15][63348] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.475| 0.185| 0.337] - [IAT(c->s)...: 0.011| 1.167| 0.180| 0.293][IAT(s->c)...: 0.000| 1.475| 0.191| 0.379] - [PKTLEN(c->s): 60.000| 584.000| 361.400| 210.400][PKTLEN(s->c): 54.000| 732.000| 136.300| 161.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.475| 0.185| 0.337|113653.596| 0.000] + [PKTLEN......: 54.000| 732.000| 255.900| 219.700|48280.000| 4.500] [BINS(c->s)..: 4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0] + [IATS........: 56837,63375,631089,692531,4988,275292,1167126,1475007,94881,56956,41,68349,63598,63560,63263,63527,64323,71144,70310,64275,64470,63960,64294,64276,63689,63201,62870,53104,10769,65047,64005,0] + [PKTLENS.....: 60,58,60,584,54,732,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509] new: [....12] [ip4][..tcp] [.192.168.242.15][63349] -> [..35.174.82.237][11095] detected: [....12] [ip4][..tcp] [.192.168.242.15][63349] -> [..35.174.82.237][11095] [NestLogSink][Cloud][Acceptable] update: [....10] [ip4][..udp] [.192.168.242.15][52849] -> [..192.168.242.1][...53] [DNS][Network][Acceptable] 
@@ -103,12 +115,14 @@ update: [....10] [ip4][..udp] [.192.168.242.15][52849] -> [..192.168.242.1][...53] [DNS][Network][Acceptable] idle: [....10] [ip4][..udp] [.192.168.242.15][52849] -> [..192.168.242.1][...53] [DNS][Network][Acceptable] analyse: [....12] [ip4][..tcp] [.192.168.242.15][63349] -> [..35.174.82.237][11095] [NestLogSink][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.004| 60.116| 15.667| 26.142] - [IAT(c->s)...: 0.004| 60.108| 15.170| 25.868][IAT(s->c)...: 0.015| 60.116| 16.198| 26.420] - [PKTLEN(c->s): 60.000| 584.000| 149.300| 140.600][PKTLEN(s->c): 54.000| 732.000| 170.300| 217.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.004| 60.116| 15.667| 26.142|683403720.524| 0.000] + [PKTLEN......: 54.000| 732.000| 159.100| 181.000|32752.900| 4.300] [BINS(c->s)..: 10,1,0,1,0,2,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,2,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,0,1,0,1,1] + [IATS........: 65118,68086,678411,747347,17507,94704,1396423,1507704,104371,70568,14503,87690,68949,72988,7038,83601,72569,4297,74338,110547,112155,137112,59606094,59757940,60076789,60061094,60093385,60092412,60108066,60116188,184155,0] + [PKTLENS.....: 60,58,60,584,54,732,60,106,54,258,54,114,176,683,60,234,204,60,234,215,346,116,60,60,54,60,54,60,54,60,54,54] DAEMON-EVENT: [Processed: 562 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 12|skipped: 0|!detected: 0|guessed: 1|detection-updates: 3|updates: 6] new: [....13] [ip4][..tcp] [.192.168.242.15][63350] -> [..35.174.82.237][11095] 
@@ -120,20 +134,24 @@ new: [....15] [ip4][..tcp] [.192.168.242.15][63351] -> [.35.188.154.186][11095] detected: [....15] [ip4][..tcp] [.192.168.242.15][63351] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] analyse: [....15] [ip4][..tcp] [.192.168.242.15][63351] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.484| 0.189| 0.353] - [IAT(c->s)...: 0.005| 1.320| 0.183| 0.325][IAT(s->c)...: 0.000| 1.484| 0.195| 0.380] - [PKTLEN(c->s): 60.000| 584.000| 361.400| 210.400][PKTLEN(s->c): 54.000| 733.000| 136.300| 161.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.484| 0.189| 0.353|124509.217| 0.000] + [PKTLEN......: 54.000| 733.000| 255.900| 219.800|48309.800| 4.500] [BINS(c->s)..: 4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0] + [IATS........: 55511,58104,637607,698601,8299,132470,1319785,1484002,100866,62363,34,73666,66291,66062,64356,70801,72468,66245,63705,65435,67073,65571,63470,63974,64872,66987,66191,76434,5185,82369,64364,0] + [PKTLENS.....: 60,58,60,584,54,733,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509] new: [....16] [ip4][..tcp] [.192.168.242.15][63352] -> [..35.174.82.237][11095] analyse: [....13] [ip4][..tcp] [.192.168.242.15][63350] -> [..35.174.82.237][11095] [NestLogSink][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.001| 60.156| 9.910| 20.689] - [IAT(c->s)...: 0.001| 60.124| 9.034| 19.939][IAT(s->c)...: 0.016| 60.156| 10.975| 21.517] - [PKTLEN(c->s): 60.000| 585.000| 147.500| 137.000][PKTLEN(s->c): 54.000| 731.000| 178.500| 222.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.001| 60.156| 9.910| 20.689|428051338.887| 0.000] + 
[PKTLEN......: 54.000| 731.000| 161.100| 180.100|32452.700| 4.400] [BINS(c->s)..: 10,2,0,1,0,2,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1] + [IATS........: 68635,72232,634362,701888,15937,150934,1314255,1491295,109213,70989,18037,93450,70186,72141,7151,80030,74076,77118,76505,41618,115484,208508,59946855,60155801,60057740,60124304,30586012,30652885,66856,1252,68314,0] + [PKTLENS.....: 60,58,60,585,54,731,60,106,54,258,54,114,176,683,60,234,204,234,215,60,346,116,60,60,54,54,60,116,54,60,60,54] detected: [....16] [ip4][..tcp] [.192.168.242.15][63352] -> [..35.174.82.237][11095] [NestLogSink][Cloud][Acceptable] new: [....17] [ip4][..tcp] [.192.168.242.15][63353] -> [.35.188.154.186][11095] detected: [....17] [ip4][..tcp] [.192.168.242.15][63353] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] 
@@ -143,12 +161,14 @@ end: [....17] [ip4][..tcp] [.192.168.242.15][63353] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] update: [....14] [ip4][..udp] [.192.168.242.15][52849] -> [..192.168.242.1][...53] [DNS][Network][Acceptable] analyse: [....16] [ip4][..tcp] [.192.168.242.15][63352] -> [..35.174.82.237][11095] [NestLogSink][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.005| 60.173| 10.045| 21.954] - [IAT(c->s)...: 0.005| 60.173| 10.926| 22.764][IAT(s->c)...: 0.018| 60.107| 8.974| 20.878] - [PKTLEN(c->s): 60.000| 586.000| 165.200| 153.500][PKTLEN(s->c): 54.000| 730.000| 190.300| 219.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.005| 60.173| 10.045| 21.954|481957439.865| 0.000] + [PKTLEN......: 54.000| 730.000| 176.200| 185.800|34529.800| 4.400] [BINS(c->s)..: 10,1,0,1,0,3,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,2,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,0,1,0,1,0] + [IATS........: 65322,67761,637540,709814,18708,293379,1174542,1481999,109107,72201,17976,90820,70287,73214,8669,96471,87696,75885,78977,77415,126677,2595650,2731016,150399,59910787,60056830,60173109,60107028,4658,60634,60165330,0] + [PKTLENS.....: 60,58,60,586,54,730,60,106,54,458,54,114,176,683,60,234,220,234,204,234,215,60,346,116,60,60,54,60,54,60,54,60] idle: [....14] [ip4][..udp] [.192.168.242.15][52849] -> [..192.168.242.1][...53] [DNS][Network][Acceptable] DAEMON-EVENT: [Processed: 713 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 17|skipped: 0|!detected: 0|guessed: 1|detection-updates: 4|updates: 8] diff --git a/test/results/flow-info/netbios.pcap.out b/test/results/flow-info/netbios.pcap.out index 890550ea9..bf855bd92 100644 --- a/test/results/flow-info/netbios.pcap.out +++ b/test/results/flow-info/netbios.pcap.out 
@@ -10,12 +10,14 @@ RISK: Unsafe Protocol new: [.....4] [ip4][..tcp] [......10.0.4.24][..139] -> [.....10.0.4.131][.1398] [MIDSTREAM] analyse: [.....1] [ip4][..udp] [.....10.0.4.131][..137] -> [.....10.0.5.255][..137] [NetBIOS][System][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.014| 0.750| 0.325| 0.215] - [IAT(c->s)...: 0.014| 0.750| 0.325| 0.215][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 92.000| 92.000| 92.000| 0.000][PKTLEN(s->c): 0.000| 0.000| 0.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.014| 0.750| 0.325| 0.215|46083.158| 0.000] + [PKTLEN......: 92.000| 92.000| 92.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 471274,14022,264705,470792,80220,113829,555812,80046,113289,146849,489849,113312,146439,749995,33651,749542,308595,441426,307586,628917,121033,628920,470970,278997,470688,458539,291466,334217,123758,93119,532865,0] + [PKTLENS.....: 92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92] new: [.....5] [ip4][..udp] [......10.0.1.87][57836] -> [......10.0.4.24][..137] detected: [.....5] [ip4][..udp] [......10.0.1.87][57836] -> [......10.0.4.24][..137] [NetBIOS][System][Acceptable] new: [.....6] [ip4][..udp] [.....10.0.4.101][..137] -> [.....10.0.5.255][..137] 
@@ -38,12 +40,14 @@ new: [....14] [ip4][..udp] [......10.0.4.14][..137] -> [.....10.0.5.255][..137] detected: [....14] [ip4][..udp] [......10.0.4.14][..137] -> [.....10.0.5.255][..137] [NetBIOS][System][Acceptable] analyse: [.....2] [ip4][..udp] [.....10.0.5.233][..137] -> [.....10.0.5.255][..137] [NetBIOS][System][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.749| 1.516| 0.995| 0.356] - [IAT(c->s)...: 0.749| 1.516| 0.995| 0.356][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 92.000| 92.000| 92.000| 0.000][PKTLEN(s->c): 0.000| 0.000| 0.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.749| 1.516| 0.995| 0.356|126784.610| 0.000] + [PKTLEN......: 92.000| 92.000| 92.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 749395,750108,1510862,749350,750084,1512101,749146,750073,1513657,749593,750165,1509201,749922,750117,1511084,749128,750100,1515990,749246,750060,1507974,749281,750095,1513465,749807,750021,1513052,749194,750091,1506879,749381,0] + [PKTLENS.....: 92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92] new: [....15] [ip4][..udp] [......10.0.1.87][57921] -> [......10.0.4.24][..137] detected: [....15] [ip4][..udp] [......10.0.1.87][57921] -> [......10.0.4.24][..137] [NetBIOS][System][Acceptable] update: [.....1] [ip4][..udp] [.....10.0.4.131][..137] -> [.....10.0.5.255][..137] [NetBIOS][System][Acceptable] diff --git a/test/results/flow-info/netflix.pcap.out b/test/results/flow-info/netflix.pcap.out index 5556a2ef0..8ac32ab5b 100644 --- a/test/results/flow-info/netflix.pcap.out +++ b/test/results/flow-info/netflix.pcap.out 
@@ -34,19 +34,23 @@ detection-update: [.....8] [ip4][..tcp] [....192.168.1.7][53117] -> [...52.32.196.36][..443] [TLS.NetFlix][Video][Fun] RISK: TLS (probably) Not Carrying HTTPS analyse: [.....4] [ip4][..tcp] [....192.168.1.7][53105] -> [..54.69.204.241][..443] [TLS.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.364| 0.040| 0.082] - [IAT(c->s)...: 0.000| 0.311| 0.036| 0.073][IAT(s->c)...: 0.000| 0.364| 0.044| 0.092] - [PKTLEN(c->s): 66.000| 422.000| 159.200| 137.400][PKTLEN(s->c): 66.000|1514.000| 433.600| 541.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.364| 0.040| 0.082| 6699.630| 0.000] + [PKTLEN......: 66.000| 1514.000| 279.200| 396.800|157454.800| 4.000] [BINS(c->s)..: 11,1,1,0,0,0,1,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,4,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,0,1,0,0,0,1,1,1,1,0,0,0] + [IATS........: 46025,48575,597,54003,1611,989,54938,11050,13463,9437,301,377,58747,4648,50832,1878,237,59545,562,62143,8477,4734,310931,590,363670,5842,131,72,58058,152,137,0] + [PKTLENS.....: 78,74,66,274,66,1514,1514,66,229,66,141,72,111,66,117,66,422,376,66,1006,66,126,66,422,375,66,1006,121,100,66,66,66] analyse: [.....7] [ip4][..tcp] [....192.168.1.7][53116] -> [...52.32.196.36][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.200| 0.035| 0.048] - [IAT(c->s)...: 0.000| 0.141| 0.032| 0.045][IAT(s->c)...: 0.000| 0.200| 0.038| 0.050] - [PKTLEN(c->s): 66.000|1514.000| 324.400| 464.000][PKTLEN(s->c): 66.000|1514.000| 581.300| 619.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.200| 0.035| 0.048| 2263.883| 0.000] + [PKTLEN......: 66.000| 1514.000| 444.800| 557.400|310647.700| 4.000] [BINS(c->s)..: 10,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0] [BINS(s->c)..: 
5,2,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,0,0,1] + [IATS........: 45497,51828,277,66352,510,13769,75518,25611,26489,15622,271,195,60990,421,44123,5113,191,57731,67780,234,2712,130987,13830,8367,10032,8058,2353,2270,141147,1238,199917,0] + [PKTLENS.....: 78,74,66,298,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,742,66,1514,429,1514,66,1130,66,275,66,115,66,1450,581,66] detection-update: [.....7] [ip4][..tcp] [....192.168.1.7][53116] -> [...52.32.196.36][..443] [TLS.NetFlix][Video][Fun] new: [.....9] [ip4][..tcp] [....192.168.1.7][53118] -> [..54.69.204.241][..443] detected: [.....9] [ip4][..tcp] [....192.168.1.7][53118] -> [..54.69.204.241][..443] [TLS.NetFlix][Video][Fun] 
@@ -83,12 +87,14 @@ detection-update: [....16] [ip4][..tcp] [....192.168.1.7][53134] -> [...52.89.39.139][..443] [TLS.NetFlix][Video][Fun] RISK: TLS (probably) Not Carrying HTTPS analyse: [....15] [ip4][..tcp] [....192.168.1.7][53133] -> [...52.89.39.139][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.350| 0.041| 0.077] - [IAT(c->s)...: 0.000| 0.350| 0.043| 0.085][IAT(s->c)...: 0.000| 0.291| 0.040| 0.069] - [PKTLEN(c->s): 66.000|1514.000| 216.900| 368.100][PKTLEN(s->c): 66.000|1514.000| 871.600| 667.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.350| 0.041| 0.077| 5966.970| 0.000] + [PKTLEN......: 66.000| 1514.000| 544.200| 630.500|397553.600| 4.100] [BINS(c->s)..: 11,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 4,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,7,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1,1,0] + [IATS........: 50833,52103,3892,68860,549,14675,80527,16948,16635,16128,355,222,66675,773,50716,3176,284,61420,291182,143,350146,11846,12750,24110,12460,12309,13854,13662,2679,13302,16338,0] + [PKTLENS.....: 78,74,66,274,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,686,66,1514,1514,66,1514,1416,66,1514,66,251,66,1514,1033,66] detection-update: [....15] [ip4][..tcp] [....192.168.1.7][53133] -> [...52.89.39.139][..443] [TLS.NetFlix][Video][Fun] RISK: TLS (probably) Not Carrying HTTPS new: [....17] [ip4][..udp] [....192.168.1.7][57719] -> [....192.168.1.1][...53] 
@@ -99,19 +105,23 @@ detection-update: [....18] [ip4][..tcp] [....192.168.1.7][53141] -> [..104.86.97.179][..443] [TLS.NetFlix][Video][Fun] detection-update: [....18] [ip4][..tcp] [....192.168.1.7][53141] -> [..104.86.97.179][..443] [TLS.NetFlix][Video][Fun] analyse: [....18] [ip4][..tcp] [....192.168.1.7][53141] -> [..104.86.97.179][..443] [TLS.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.040| 0.008| 0.010] - [IAT(c->s)...: 0.000| 0.026| 0.006| 0.008][IAT(s->c)...: 0.000| 0.040| 0.012| 0.013] - [PKTLEN(c->s): 66.000| 293.000| 120.300| 56.600][PKTLEN(s->c): 66.000|1514.000| 553.900| 607.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.040| 0.008| 0.010| 109.761| 0.000] + [PKTLEN......: 66.000| 1514.000| 269.300| 414.200|171525.600| 4.000] [BINS(c->s)..: 8,5,6,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,2,1,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,1,0] + [IATS........: 11378,14427,1674,21129,2857,316,24018,10358,7406,16914,385,833,30795,4734,18083,26013,249,318,147,231,142,435,4518,193,40245,7107,5353,4161,461,364,1965,0] + [PKTLENS.....: 78,74,66,293,66,1514,1514,66,584,66,141,72,111,66,117,66,119,116,108,214,155,155,155,155,154,134,66,104,104,406,1514,66] analyse: [....14] [ip4][..tcp] [....192.168.1.7][53132] -> [...52.89.39.139][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 7.508| 0.502| 1.826] - [IAT(c->s)...: 0.000| 7.402| 0.482| 1.787][IAT(s->c)...: 0.001| 7.508| 0.523| 1.867] - [PKTLEN(c->s): 66.000|1514.000| 335.900| 480.200][PKTLEN(s->c): 66.000|1514.000| 414.500| 560.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 7.508| 0.502| 1.826|3335198.867| 0.000] + [PKTLEN......: 66.000| 1514.000| 372.800| 520.700|271128.800| 3.900] [BINS(c->s)..: 
10,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] [BINS(s->c)..: 6,3,0,0,1,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,0,1,1,1,0,0,0,0,0,1,1,1,1] + [IATS........: 49499,50871,4368,54319,2439,996,53513,42973,42827,12725,273,205,57417,5098,49336,4198,388,49955,75766,32147,2030,911,5107,4712,147,7402221,150,7507819,929,35745,990,0] + [PKTLENS.....: 78,74,66,274,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,675,66,66,198,110,100,66,66,66,1514,803,66,66,1514,488] detection-update: [....14] [ip4][..tcp] [....192.168.1.7][53132] -> [...52.89.39.139][..443] [TLS.NetFlix][Video][Fun] RISK: TLS (probably) Not Carrying HTTPS new: [....19] [ip4][..udp] [....192.168.1.7][59180] -> [....192.168.1.1][...53] 
@@ -124,24 +134,28 @@ new: [....22] [ip4][..tcp] [....192.168.1.7][53150] -> [..184.25.204.25][...80] detected: [....22] [ip4][..tcp] [....192.168.1.7][53150] -> [..184.25.204.25][...80] [HTTP.NetFlix][Video][Fun] analyse: [....21] [ip4][..tcp] [....192.168.1.7][53149] -> [..184.25.204.25][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.007| 1.300| 0.097| 0.230] - [IAT(c->s)...: 0.007| 1.300| 0.253| 0.469][IAT(s->c)...: 0.013| 0.399| 0.060| 0.074] - [PKTLEN(c->s): 66.000| 311.000| 106.700| 84.000][PKTLEN(s->c): 66.000|1514.000|1398.500| 391.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.007| 1.300| 0.097| 0.230|52797.755| 0.000] + [PKTLEN......: 66.000| 1514.000| 1115.900| 637.700|406609.600| 4.700] [BINS(c->s)..: 6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0] + [IATS........: 22705,29125,36813,70338,13255,32378,25989,101810,6882,28009,25233,44994,56409,27146,27165,53793,54320,26078,52109,80662,53766,398536,54325,39942,109640,40469,26128,51507,108074,13323,1300093,0] + [PKTLENS.....: 78,74,66,311,66,1514,1514,1514,66,66,1514,1514,66,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,94] new: [....23] [ip4][..udp] [....192.168.1.7][58102] -> [....192.168.1.1][...53] detected: [....23] [ip4][..udp] [....192.168.1.7][58102] -> [....192.168.1.1][...53] [DNS.NetFlix][Video][Fun] detection-update: [....23] [ip4][..udp] [....192.168.1.7][58102] -> [....192.168.1.1][...53] [DNS.NetFlix][Video][Fun] new: [....24] [ip4][..tcp] [....192.168.1.7][53151] -> [.54.201.191.132][...80] detected: [....24] [ip4][..tcp] [....192.168.1.7][53151] -> [.54.201.191.132][...80] [HTTP.NetFlix][Video][Fun] analyse: [....24] [ip4][..tcp] [....192.168.1.7][53151] -> 
[.54.201.191.132][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.187| 0.029| 0.042] - [IAT(c->s)...: 0.000| 0.187| 0.041| 0.057][IAT(s->c)...: 0.000| 0.135| 0.022| 0.030] - [PKTLEN(c->s): 66.000|1514.000| 285.700| 441.600][PKTLEN(s->c): 66.000|1514.000|1150.800| 575.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.187| 0.029| 0.042| 1791.215| 0.000] + [PKTLEN......: 66.000| 1514.000| 826.300| 674.900|455511.900| 4.400] [BINS(c->s)..: 9,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,13,0,0] + [DIRECTIONS..: 0,1,0,0,0,0,1,1,1,1,1,0,1,0,1,0,1,1,0,1,0,1,1,0,1,1,1,1,1,1,1,0] + [IATS........: 44122,45598,3902,10660,193,60003,5736,990,135055,302,187154,5655,5706,13881,14022,13277,14383,27821,13324,13128,9212,13280,22521,13399,39251,13309,13303,13855,13324,13288,124463,0] + [PKTLENS.....: 78,74,66,379,1514,917,66,66,66,728,1514,66,1514,66,1514,66,1514,1514,66,1026,66,1514,1307,66,1514,1514,1514,1514,1514,1514,1514,78] new: [....25] [ip4][..tcp] [....192.168.1.7][53152] -> [...52.89.39.139][...80] detected: [....25] [ip4][..tcp] [....192.168.1.7][53152] -> [...52.89.39.139][...80] [HTTP.NetFlix][Video][Fun] detection-update: [....25] [ip4][..tcp] [....192.168.1.7][53152] -> [...52.89.39.139][...80] [HTTP.NetFlix][Video][Fun] 
@@ -150,12 +164,14 @@ new: [....27] [ip4][..udp] [....192.168.1.7][52347] -> [....192.168.1.1][...53] detected: [....27] [ip4][..udp] [....192.168.1.7][52347] -> [....192.168.1.1][...53] [DNS.NetFlix][Video][Fun] analyse: [....20] [ip4][..tcp] [....192.168.1.7][53148] -> [..184.25.204.25][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.001| 6.031| 0.428| 1.232] - [IAT(c->s)...: 0.012| 3.644| 0.510| 0.997][IAT(s->c)...: 0.001| 6.031| 0.369| 1.373] - [PKTLEN(c->s): 66.000| 312.000| 110.200| 82.900][PKTLEN(s->c): 66.000|1514.000|1353.600| 453.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.001| 6.031| 0.428| 1.232|1516791.529| 0.000] + [PKTLEN......: 66.000| 1514.000| 809.600| 706.600|499284.200| 4.300] [BINS(c->s)..: 12,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1] + [IATS........: 22448,28943,26758,57708,590,13165,40076,31828,42757,26526,25526,50240,53221,30909,25521,54871,53768,27167,52693,79537,53772,544724,1519985,11557,27351,27280,28765,635381,3643850,6030936,1068,0] + [PKTLENS.....: 78,74,66,312,66,1514,1514,66,1514,66,1514,1514,66,1514,1514,1514,1514,1514,1514,1514,1514,1514,94,94,94,86,78,66,66,311,1514,1514] detection-update: [....26] [ip4][..udp] [....192.168.1.7][51728] -> [....192.168.1.1][...53] [DNS][Network][Acceptable] new: [....28] [ip4][..tcp] [....192.168.1.7][53153] -> [..184.25.204.24][...80] detection-update: [....27] [ip4][..udp] [....192.168.1.7][52347] -> [....192.168.1.1][...53] [DNS.NetFlix][Video][Fun] 
@@ -173,39 +189,47 @@ detected: [....30] [ip4][..tcp] [....192.168.1.7][53163] -> [..23.246.11.145][...80] [HTTP.NetFlix][Video][Fun] RISK: HTTP Numeric IP Address analyse: [....30] [ip4][..tcp] [....192.168.1.7][53163] -> [..23.246.11.145][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.004| 0.651| 0.082| 0.154] - [IAT(c->s)...: 0.004| 0.651| 0.126| 0.200][IAT(s->c)...: 0.005| 0.582| 0.061| 0.120] - [PKTLEN(c->s): 66.000| 422.000| 103.100| 101.200][PKTLEN(s->c): 74.000|1514.000|1401.000| 357.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.004| 0.651| 0.082| 0.154|23582.077| 0.000] + [PKTLEN......: 66.000| 1514.000| 954.800| 683.500|467159.100| 4.500] [BINS(c->s)..: 10,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,1,0,1,1,1,1,1,1,0,1,1,1,1,0,0,1,1,0,1,0,1,1] + [IATS........: 24769,26290,3794,42485,4828,43771,27157,40474,69366,43854,44827,78254,38808,79815,102619,28781,14718,354324,85041,14066,12423,12747,651024,22850,582496,8619,27490,16417,16392,14698,15077,0] + [PKTLENS.....: 78,74,66,422,581,1514,66,1514,1514,66,1514,66,1514,1514,1514,1514,1514,1514,94,1514,1514,1514,1514,78,66,1514,1514,66,1514,66,1514,1514] new: [....31] [ip4][..tcp] [....192.168.1.7][53164] -> [..23.246.10.139][...80] detected: [....31] [ip4][..tcp] [....192.168.1.7][53164] -> [..23.246.10.139][...80] [HTTP.NetFlix][Video][Fun] RISK: HTTP Numeric IP Address analyse: [....31] [ip4][..tcp] [....192.168.1.7][53164] -> [..23.246.10.139][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.001| 0.639| 0.088| 0.152] - [IAT(c->s)...: 0.005| 0.639| 0.113| 0.181][IAT(s->c)...: 0.001| 0.580| 0.072| 0.128] - [PKTLEN(c->s): 66.000| 422.000| 101.100| 93.200][PKTLEN(s->c): 74.000|1514.000|1389.200| 373.200] + 
[min|max|avg|stddev|variance|entropy] + [IAT.........: 0.001| 0.639| 0.088| 0.152|23073.200| 0.000] + [PKTLEN......: 66.000| 1514.000| 865.900| 697.400|486427.500| 4.400] [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,0,1,0,1,1,1,1,1,1,1,0,1,0,1,0,1,0,0,1,0,1] + [IATS........: 18792,21375,5144,35741,1043,5439,35508,13242,13983,20324,20435,13235,116191,170244,28107,56564,51631,31663,27571,12760,327583,131379,638852,579987,19881,15021,30035,13582,42286,118688,118005,0] + [PKTLENS.....: 78,74,66,422,582,1514,1514,66,1514,66,1514,66,1514,66,1514,1514,1514,1514,1514,1514,1514,94,1514,94,1514,86,1514,78,66,1514,66,1514] new: [....32] [ip4][..tcp] [....192.168.1.7][53171] -> [...23.246.3.140][...80] detected: [....32] [ip4][..tcp] [....192.168.1.7][53171] -> [...23.246.3.140][...80] [HTTP.NetFlix][Video][Fun] RISK: HTTP Numeric IP Address analyse: [....32] [ip4][..tcp] [....192.168.1.7][53171] -> [...23.246.3.140][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.002| 0.044| 0.018| 0.010] - [IAT(c->s)...: 0.006| 0.041| 0.021| 0.011][IAT(s->c)...: 0.002| 0.044| 0.017| 0.009] - [PKTLEN(c->s): 66.000| 420.000| 102.600| 105.900][PKTLEN(s->c): 74.000|1514.000|1406.300| 349.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.002| 0.044| 0.018| 0.010| 100.655| 0.000] + [PKTLEN......: 66.000| 1514.000| 998.900| 672.700|452466.100| 4.500] [BINS(c->s)..: 9,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,1,1,1,1,1,1,1,1] + [IATS........: 
30791,32492,5528,44333,2187,41107,2921,12763,15575,14938,14982,12802,12713,26425,12767,11943,13284,17180,31033,13321,13566,25571,14329,13905,26660,13805,13288,27210,13255,13305,27167,0] + [PKTLENS.....: 78,74,66,420,585,1514,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514] analyse: [....28] [ip4][..tcp] [....192.168.1.7][53153] -> [..184.25.204.24][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.003| 4.094| 0.319| 0.812] - [IAT(c->s)...: 0.003| 1.864| 0.290| 0.559][IAT(s->c)...: 0.025| 4.094| 0.354| 1.038] - [PKTLEN(c->s): 66.000| 282.000| 94.200| 46.900][PKTLEN(s->c): 66.000|1514.000|1307.700| 505.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.003| 4.094| 0.319| 0.812|659111.739| 0.000] + [PKTLEN......: 66.000| 1514.000| 625.100| 689.400|475329.800| 4.100] [BINS(c->s)..: 17,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1] + [IATS........: 24907,27714,2986,28468,27857,27840,80258,56838,56993,49295,90365,82473,40903,66540,53920,192092,80506,134732,711253,22984,31289,47833,1645394,40376,54849,160828,1864439,25699,40451,28479,4093620,0] + [PKTLENS.....: 78,74,66,282,66,1514,1514,66,1514,66,1514,78,1514,1514,1514,1514,1514,1514,1514,94,94,94,94,94,94,94,94,86,78,78,66,1514] new: [....33] [ip4][..tcp] [....192.168.1.7][53172] -> [..23.246.11.133][...80] new: [....34] [ip4][..tcp] [....192.168.1.7][53173] -> [..23.246.11.133][...80] new: [....35] [ip4][..tcp] [....192.168.1.7][53174] -> [..23.246.11.141][...80] 
@@ -240,89 +264,113 @@ detected: [....43] [ip4][..tcp] [....192.168.1.7][53182] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] RISK: HTTP Numeric IP Address analyse: [....41] [ip4][..tcp] [....192.168.1.7][53180] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 2.098| 0.201| 0.403] - [IAT(c->s)...: 0.000| 1.162| 0.156| 0.251][IAT(s->c)...: 0.000| 2.098| 0.285| 0.577] - [PKTLEN(c->s): 66.000| 426.000| 93.400| 75.300][PKTLEN(s->c): 74.000|1514.000|1298.500| 469.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 2.098| 0.201| 0.403|162731.114| 0.000] + [PKTLEN......: 66.000| 1514.000| 507.700| 638.100|407212.300| 3.900] [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,1,0,1,0,1,0,0,0,1,0,1] + [IATS........: 61813,72267,473,134860,394,125851,1162295,73601,899,212949,11519,409208,101075,1892,70852,2097549,79500,52131,129820,120649,42895,59919,67076,69354,174355,284029,29385,65003,252681,150502,125903,0] + [PKTLENS.....: 78,74,66,426,584,1514,66,94,94,94,94,94,94,78,78,66,1514,66,1514,66,1514,1514,66,1514,66,1514,78,66,66,1514,66,1514] analyse: [....38] [ip4][..tcp] [....192.168.1.7][53177] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.047| 0.281| 0.301] - [IAT(c->s)...: 0.000| 0.636| 0.227| 0.202][IAT(s->c)...: 0.001| 1.047| 0.365| 0.397] - [PKTLEN(c->s): 66.000| 426.000| 88.400| 77.800][PKTLEN(s->c): 74.000|1514.000|1196.900| 557.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.047| 0.281| 0.301|90549.584| 0.000] + [PKTLEN......: 66.000| 1514.000| 504.100| 638.900|408170.900| 3.900] [BINS(c->s)..: 
19,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,8,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,0,0,1,0,0,1,0,1,1,0,1] + [IATS........: 43730,45845,23628,124789,4917,111637,635898,176069,176,135,41643,37401,940199,857,45449,434520,483806,1046959,74656,202356,418896,472205,955340,169880,525271,694311,167240,252312,98045,326303,148897,0] + [PKTLENS.....: 78,74,66,426,585,1514,66,86,86,78,78,78,66,102,1490,66,66,66,1514,1514,66,66,66,1514,66,66,1514,66,1514,1514,66,1514] analyse: [....36] [ip4][..tcp] [....192.168.1.7][53175] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.001| 1.636| 0.284| 0.363] - [IAT(c->s)...: 0.001| 1.105| 0.230| 0.268][IAT(s->c)...: 0.004| 1.636| 0.370| 0.463] - [PKTLEN(c->s): 66.000| 423.000| 91.100| 76.500][PKTLEN(s->c): 74.000|1514.000|1316.500| 453.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.001| 1.636| 0.284| 0.363|131453.321| 0.000] + [PKTLEN......: 66.000| 1514.000| 550.600| 657.900|432827.800| 4.000] [BINS(c->s)..: 19,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,0,1,1,0,0,1,0,1,0,1] + [IATS........: 16087,19422,23622,88585,4002,82236,1105315,26930,21843,19608,569,13093,381586,1636184,66410,119030,421421,408128,882662,90167,143374,490378,519431,92259,120978,487097,597701,217631,227512,270000,221864,0] + [PKTLENS.....: 78,74,66,423,584,1514,66,86,86,86,78,78,78,78,1514,1514,66,78,66,1514,1514,66,66,1514,1514,66,66,1514,66,1514,78,1514] analyse: [....34] [ip4][..tcp] [....192.168.1.7][53173] -> [..23.246.11.133][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - 
[IAT(flow)...: 0.005| 1.397| 0.291| 0.314] - [IAT(c->s)...: 0.018| 0.986| 0.299| 0.264][IAT(s->c)...: 0.005| 1.397| 0.284| 0.355] - [PKTLEN(c->s): 66.000| 423.000| 94.600| 85.400][PKTLEN(s->c): 74.000|1514.000|1365.900| 402.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.005| 1.397| 0.291| 0.314|98805.531| 0.000] + [PKTLEN......: 66.000| 1514.000| 730.200| 699.000|488561.800| 4.200] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,0,1,0,1,0,1,1,1,0,1,0,1,0,0,1,0,1,1,0,1,0,1] + [IATS........: 23914,25117,18248,72539,4949,71292,152183,249467,985618,26703,1397235,519076,299466,499851,482346,40528,55620,206768,137068,537495,535230,174291,571825,775969,198842,230534,89909,283953,128056,116304,110490,0] + [PKTLENS.....: 78,74,66,423,584,1514,66,1514,66,94,94,1514,86,1514,78,1514,1514,1514,66,1514,66,1514,66,66,1514,66,1514,1514,66,1514,66,1514] analyse: [....43] [ip4][..tcp] [....192.168.1.7][53182] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 2.716| 0.300| 0.539] - [IAT(c->s)...: 0.001| 1.163| 0.233| 0.311][IAT(s->c)...: 0.000| 2.716| 0.423| 0.787] - [PKTLEN(c->s): 66.000| 424.000| 91.800| 74.900][PKTLEN(s->c): 74.000|1514.000|1298.500| 469.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 2.716| 0.300| 0.539|290723.889| 0.000] + [PKTLEN......: 66.000| 1514.000| 506.600| 638.800|408052.900| 3.900] [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,1,0,1,0,0,1,0,1,1,0] + [IATS........: 
61747,63082,19443,172653,342,153906,1162512,94154,1429,12319,104280,65945,674747,41474,39967,488929,2716440,44869,75746,28743,32797,29468,133613,256105,742961,71312,1131465,569658,135441,73631,104098,0] + [PKTLENS.....: 78,74,66,424,584,1514,66,94,86,86,86,86,86,86,78,66,66,1514,1514,66,1514,66,1514,66,1514,78,66,1514,66,1514,1514,66] analyse: [....35] [ip4][..tcp] [....192.168.1.7][53174] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 3.094| 0.303| 0.556] - [IAT(c->s)...: 0.005| 0.626| 0.225| 0.222][IAT(s->c)...: 0.000| 3.094| 0.465| 0.904] - [PKTLEN(c->s): 66.000| 424.000| 91.200| 73.000][PKTLEN(s->c): 74.000|1514.000|1277.000| 487.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 3.094| 0.303| 0.556|309287.715| 0.000] + [PKTLEN......: 66.000| 1514.000| 461.800| 616.500|380048.700| 3.900] [BINS(c->s)..: 21,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,1,0,1,0,1,0,0,1,0,1,0] + [IATS........: 19993,22151,5332,69145,137,72224,626011,606979,26604,520264,51479,55493,593239,41657,80288,418048,3094333,65564,425655,469983,40810,84995,52141,54303,117697,383081,387305,709380,53664,73805,158619,0] + [PKTLENS.....: 78,74,66,424,584,1514,66,86,86,86,86,78,78,86,78,66,66,1514,78,78,1514,1514,66,1514,66,1514,66,78,1514,78,1514,66] analyse: [....42] [ip4][..tcp] [....192.168.1.7][53181] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 2.609| 0.294| 0.529] - [IAT(c->s)...: 0.000| 1.152| 0.234| 0.302][IAT(s->c)...: 0.000| 2.609| 0.422| 0.808] - [PKTLEN(c->s): 66.000| 425.000| 93.400| 73.100][PKTLEN(s->c): 74.000|1514.000|1276.900| 487.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 2.609| 0.294| 0.529|280024.056| 0.000] 
+ [PKTLEN......: 66.000| 1514.000| 463.200| 615.600|378913.200| 3.900] [BINS(c->s)..: 21,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,1,1,0,1,0,0,0,1,0,0] + [IATS........: 61899,63035,8952,155118,266,150147,1152400,92133,498,591361,113696,141666,52293,522,39853,381137,2608516,28241,68204,27169,29555,26620,56459,81742,44814,43749,497350,496550,1208877,807442,91559,0] + [PKTLENS.....: 78,74,66,425,583,1514,66,94,94,94,94,86,78,78,78,66,78,1514,1514,66,1514,66,1514,1514,66,1514,66,78,66,1514,86,86] analyse: [....33] [ip4][..tcp] [....192.168.1.7][53172] -> [..23.246.11.133][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 3.064| 0.322| 0.577] - [IAT(c->s)...: 0.001| 0.811| 0.246| 0.261][IAT(s->c)...: 0.000| 3.064| 0.461| 0.885] - [PKTLEN(c->s): 66.000| 424.000| 95.400| 74.300][PKTLEN(s->c): 74.000|1514.000|1298.500| 469.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 3.064| 0.322| 0.577|332375.130| 0.000] + [PKTLEN......: 66.000| 1514.000| 509.000| 637.200|406023.800| 4.000] [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,0,0,0,0,1,0,1,0,1,0,0,0,0,0,1,0,1,1] + [IATS........: 11668,15660,2402,60224,1206,79,57126,107813,316921,313910,536684,811161,71198,122498,693690,84709,585634,3064500,52838,57895,98411,231468,526235,115101,671,585669,117652,1178873,25807,79129,64284,0] + [PKTLENS.....: 78,74,66,424,584,1514,1514,66,66,1514,66,94,94,94,94,86,78,86,1514,86,1514,78,1514,94,78,66,78,66,1514,66,1514,1514] analyse: [....39] [ip4][..tcp] [....192.168.1.7][53178] -> 
[..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 3.546| 0.356| 0.683] - [IAT(c->s)...: 0.000| 1.318| 0.274| 0.373][IAT(s->c)...: 0.005| 3.546| 0.506| 1.013] - [PKTLEN(c->s): 66.000| 423.000| 92.700| 74.500][PKTLEN(s->c): 74.000|1514.000|1298.500| 469.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 3.546| 0.356| 0.683|466078.499| 0.000] + [PKTLEN......: 66.000| 1514.000| 507.200| 638.400|407523.400| 3.900] [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,1,0,1,0,1,0,0,0,1,1] + [IATS........: 43247,45294,13187,106701,4927,97880,1317695,102059,98186,240,515839,59813,1148424,57207,54890,165165,3546297,68400,92258,155981,131046,69975,95851,103962,104462,205130,729427,91959,551213,1189389,68168,0] + [PKTLENS.....: 78,74,66,423,584,1514,66,94,94,86,86,86,86,86,78,78,66,1514,66,1514,66,1514,1514,66,1514,66,1514,78,66,66,1514,1514] analyse: [....40] [ip4][..tcp] [....192.168.1.7][53179] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 4.457| 0.415| 0.811] - [IAT(c->s)...: 0.001| 1.393| 0.337| 0.392][IAT(s->c)...: 0.000| 4.457| 0.537| 1.197] - [PKTLEN(c->s): 66.000| 424.000| 93.500| 76.500][PKTLEN(s->c): 74.000|1514.000|1316.500| 453.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 4.457| 0.415| 0.811|658300.731| 0.000] + [PKTLEN......: 66.000| 1514.000| 552.100| 656.800|431419.800| 4.000] [BINS(c->s)..: 19,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,1,0,1,0,1,0,1,1,0,0,1] + 
[IATS........: 41445,43452,2932,82082,72,78739,1252127,77707,132171,828,525346,100674,510044,513013,40289,4457097,87034,1392951,522404,574888,39602,91204,57625,58127,138968,449063,380142,69915,139503,473414,516793,0] + [PKTLENS.....: 78,74,66,424,584,1514,66,94,94,86,86,86,86,86,78,78,1514,1514,66,66,1514,1514,66,1514,66,1514,66,1514,1514,66,66,1514] analyse: [....37] [ip4][..tcp] [....192.168.1.7][53176] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.001| 4.432| 0.435| 0.814] - [IAT(c->s)...: 0.001| 1.251| 0.305| 0.347][IAT(s->c)...: 0.005| 4.432| 0.754| 1.360] - [PKTLEN(c->s): 66.000| 424.000| 92.500| 71.200][PKTLEN(s->c): 74.000|1514.000|1250.600| 507.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.001| 4.432| 0.435| 0.814|663375.512| 0.000] + [PKTLEN......: 66.000| 1514.000| 418.200| 589.200|347103.400| 3.800] [BINS(c->s)..: 22,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,1,0,0,0,1,1,0,1] + [IATS........: 43856,45826,13429,88623,4898,81946,1250769,92472,118428,682,544165,69196,495457,501654,62886,1143862,28583,39116,4431980,82976,87813,169881,586445,795488,292945,509017,501170,1203523,55860,83014,70669,0] + [PKTLENS.....: 78,74,66,424,583,1514,66,94,94,86,86,86,86,86,78,78,78,78,78,1514,66,1514,78,66,1514,78,66,66,1514,1514,66,1514] analyse: [.....9] [ip4][..tcp] [....192.168.1.7][53118] -> [..54.69.204.241][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 30.086| 1.958| 7.380] - [IAT(c->s)...: 0.000| 30.033| 1.895| 7.265][IAT(s->c)...: 0.000| 30.086| 2.025| 7.500] - [PKTLEN(c->s): 66.000|1514.000| 439.300| 588.400][PKTLEN(s->c): 66.000|1514.000| 342.700| 514.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 30.086| 1.958| 7.380|54461959.504| 0.000] 
+ [PKTLEN......: 66.000| 1514.000| 394.000| 556.900|310128.200| 3.900] [BINS(c->s)..: 9,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0] [BINS(s->c)..: 9,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,1,1,1,1,1,0,0,0,1,1] + [IATS........: 47011,48359,1676,53080,2562,989,62283,11050,5991,10798,261,350,60341,3416,50128,4429,893,563,55944,50485,306,42722,3984,5077,5232,136,57719,311,30033380,30086001,822,0] + [PKTLENS.....: 78,74,66,295,66,1514,1514,66,229,66,141,72,111,66,117,66,1416,1514,1514,66,1514,351,66,66,66,1007,126,66,66,66,97,66] detection-update: [.....9] [ip4][..tcp] [....192.168.1.7][53118] -> [..54.69.204.241][..443] [TLS.NetFlix][Video][Fun] new: [....44] [ip4][..tcp] [....192.168.1.7][53183] -> [...23.246.3.140][...80] new: [....45] [ip4][..tcp] [....192.168.1.7][53184] -> [..23.246.11.141][...80] 
@@ -337,12 +385,14 @@ detection-update: [....48] [ip4][..udp] [....192.168.1.7][60962] -> [....192.168.1.1][...53] [DNS.NetFlix][Video][Fun] new: [....49] [ip4][..tcp] [....192.168.1.7][53203] -> [...52.37.36.252][..443] analyse: [....11] [ip4][..tcp] [....192.168.1.7][53119] -> [..54.69.204.241][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 30.431| 1.003| 5.373] - [IAT(c->s)...: 0.000| 30.431| 1.810| 7.155][IAT(s->c)...: 0.000| 0.072| 0.024| 0.026] - [PKTLEN(c->s): 66.000|1514.000| 417.700| 578.300][PKTLEN(s->c): 66.000|1514.000| 362.300| 526.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 30.431| 1.003| 5.373|28867930.620| 0.000] + [PKTLEN......: 66.000| 1514.000| 393.500| 557.000|310204.400| 3.900] [BINS(c->s)..: 10,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0] [BINS(s->c)..: 7,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,1,1,1,1,1,1,0,0,0,0] + [IATS........: 44924,46321,7446,58250,1844,979,55802,12140,9904,9342,287,206,60460,132,50780,11459,460,157,72134,60865,339,50757,444,15673,16944,136,74,82928,303,146,30431499,0] + [PKTLENS.....: 78,74,66,295,66,1514,1514,66,229,66,141,72,111,66,117,66,1416,1514,1514,66,1514,336,66,66,66,1007,121,100,66,66,66,66] detection-update: [....11] [ip4][..tcp] [....192.168.1.7][53119] -> [..54.69.204.241][..443] [TLS.NetFlix][Video][Fun] detected: [....46] [ip4][..tcp] [....192.168.1.7][53193] -> [...54.191.17.51][..443] [TLS.NetFlix][Video][Fun] RISK: TLS (probably) Not Carrying HTTPS 
@@ -360,55 +410,67 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [....49] [ip4][..tcp] [....192.168.1.7][53203] -> [...52.37.36.252][..443] [TLS.NetFlix][Video][Fun] analyse: [....46] [ip4][..tcp] [....192.168.1.7][53193] -> [...54.191.17.51][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.266| 0.048| 0.057] - [IAT(c->s)...: 0.000| 0.147| 0.033| 0.044][IAT(s->c)...: 0.000| 0.266| 0.084| 0.069] - [PKTLEN(c->s): 66.000|1514.000|1082.000| 624.800][PKTLEN(s->c): 66.000|1514.000| 361.700| 525.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.266| 0.048| 0.057| 3291.764| 0.000] + [PKTLEN......: 66.000| 1514.000| 879.400| 680.500|463015.400| 4.400] [BINS(c->s)..: 5,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0] [BINS(s->c)..: 5,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,1] + [IATS........: 53359,54641,4455,73724,451,53617,123531,11602,72543,62717,1529,55777,52363,2209,208,426,218,96299,96364,227,131,105,82592,81689,880,205,155,38176,40581,146597,266118,0] + [PKTLENS.....: 78,74,66,583,66,1514,1146,66,192,117,66,1058,120,66,1514,1514,1514,1514,66,1514,1514,1514,1514,66,1514,1514,1514,1514,1514,1514,1514,86] detection-update: [....46] [ip4][..tcp] [....192.168.1.7][53193] -> [...54.191.17.51][..443] [TLS.NetFlix][Video][Fun] RISK: TLS (probably) Not Carrying HTTPS analyse: [....47] [ip4][..tcp] [....192.168.1.7][53202] -> [...54.191.17.51][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.282| 0.053| 0.058] - [IAT(c->s)...: 0.000| 0.282| 0.046| 0.071][IAT(s->c)...: 0.011| 0.127| 0.062| 0.029] - [PKTLEN(c->s): 66.000|1514.000| 552.900| 622.300][PKTLEN(s->c): 66.000|1514.000| 586.200| 640.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.282| 0.053| 0.058| 3383.537| 0.000] + [PKTLEN......: 66.000| 1514.000| 566.500| 
629.700|396553.700| 4.100] [BINS(c->s)..: 10,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0] [BINS(s->c)..: 5,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,2,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,1,0,0,0,0,0,1,0,0,1,1,1,0,1,1,0,1,0,0,0] + [IATS........: 50844,52144,6261,61059,40719,74658,170395,11813,79420,67625,2032,57431,55801,1745,844,219,182,82546,79700,249,94600,127478,60574,282465,10583,27617,37968,39882,42871,7730,723,0] + [PKTLENS.....: 78,74,66,583,66,1514,1146,66,192,117,66,1057,120,66,1514,1514,1514,1514,66,1514,401,66,66,1257,66,1514,1500,66,115,66,97,66] detection-update: [....47] [ip4][..tcp] [....192.168.1.7][53202] -> [...54.191.17.51][..443] [TLS.NetFlix][Video][Fun] RISK: TLS (probably) Not Carrying HTTPS analyse: [....49] [ip4][..tcp] [....192.168.1.7][53203] -> [...52.37.36.252][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.333| 0.059| 0.083] - [IAT(c->s)...: 0.000| 0.333| 0.044| 0.078][IAT(s->c)...: 0.001| 0.332| 0.092| 0.085] - [PKTLEN(c->s): 66.000|1514.000| 933.900| 690.000][PKTLEN(s->c): 66.000|1514.000| 377.800| 570.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.333| 0.059| 0.083| 6944.879| 0.000] + [PKTLEN......: 66.000| 1514.000| 760.100| 703.800|495333.000| 4.300] [BINS(c->s)..: 6,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,12,0,0] [BINS(s->c)..: 6,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0] + [IATS........: 69450,70962,2650,55568,49103,64385,167918,331939,332646,26549,653,732,87677,534,60709,8817,7117,449,81078,62803,767,160,105,68135,67101,803,163,105,111161,109572,2549,0] + [PKTLENS.....: 78,74,66,295,66,1514,1514,66,229,66,141,72,111,66,117,66,1417,1514,1514,66,1514,1514,1514,1514,66,1514,1514,1514,1514,66,1514,1514] 
detection-update: [....49] [ip4][..tcp] [....192.168.1.7][53203] -> [...52.37.36.252][..443] [TLS.NetFlix][Video][Fun] analyse: [....45] [ip4][..tcp] [....192.168.1.7][53184] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.003| 0.472| 0.093| 0.119] - [IAT(c->s)...: 0.003| 0.472| 0.095| 0.134][IAT(s->c)...: 0.005| 0.417| 0.092| 0.104] - [PKTLEN(c->s): 66.000| 581.000| 135.200| 167.600][PKTLEN(s->c): 74.000|1514.000|1262.300| 453.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.003| 0.472| 0.093| 0.119|14235.635| 0.000] + [PKTLEN......: 66.000| 1514.000| 698.800| 659.100|434476.800| 4.300] [BINS(c->s)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,0,1,1,0,1,0,1,0,0,0,1,1] + [IATS........: 26070,27491,2593,46530,5363,49411,29634,29502,8466,38422,5397,39840,38400,39693,140326,138333,356578,206910,471964,29274,417442,40849,81521,44012,43364,83015,187750,28619,25160,184386,25502,0] + [PKTLENS.....: 78,74,66,575,635,1514,66,677,66,581,643,1514,66,1514,66,1514,1514,94,1514,78,66,1514,1514,66,1514,66,1514,86,78,66,1514,1514] analyse: [....44] [ip4][..tcp] [....192.168.1.7][53183] -> [...23.246.3.140][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.005| 0.731| 0.102| 0.156] - [IAT(c->s)...: 0.006| 0.731| 0.126| 0.200][IAT(s->c)...: 0.005| 0.280| 0.077| 0.077] - [PKTLEN(c->s): 66.000| 578.000| 131.000| 162.100][PKTLEN(s->c): 74.000|1514.000|1264.500| 445.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.005| 0.731| 0.102| 0.156|24231.225| 0.000] + [PKTLEN......: 66.000| 1514.000| 662.300| 653.400|426995.300| 4.200] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 
1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,1,1,1,0,0,0,1,1,0,1,0,1,1,0,1,0,1,0,0,0,0] + [IATS........: 30477,31515,13216,64005,5292,56409,6142,68156,5406,71534,109518,202677,164827,560321,47319,78954,279545,27696,94465,26601,26144,15824,70512,85885,39451,39774,41592,84438,730898,41457,39720,0] + [PKTLENS.....: 78,74,66,571,632,965,66,578,642,1514,66,1514,1514,1514,86,78,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,78,86,78,66] new: [....50] [ip4][..tcp] [....192.168.1.7][53210] -> [..23.246.11.133][...80] detected: [....50] [ip4][..tcp] [....192.168.1.7][53210] -> [..23.246.11.133][...80] [HTTP.NetFlix][Video][Fun] RISK: HTTP Numeric IP Address analyse: [....50] [ip4][..tcp] [....192.168.1.7][53210] -> [..23.246.11.133][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.004| 0.530| 0.111| 0.160] - [IAT(c->s)...: 0.004| 0.527| 0.133| 0.181][IAT(s->c)...: 0.005| 0.530| 0.096| 0.142] - [PKTLEN(c->s): 66.000| 581.000| 142.900| 177.800][PKTLEN(s->c): 74.000|1514.000|1287.900| 438.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.004| 0.530| 0.111| 0.160|25664.158| 0.000] + [PKTLEN......: 66.000| 1514.000| 786.900| 666.800|444580.800| 4.400] [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,1,1,1,0,1,0,1,0,1,1,0,1,0] + [IATS........: 18406,19875,3710,28859,18073,45753,41559,39617,18474,45294,5405,31729,29350,29485,41132,41119,82225,87690,42083,64319,51529,299907,159779,515651,435957,526591,530041,39964,69880,40403,40425,0] + [PKTLENS.....: 78,74,66,575,634,1514,66,635,66,581,643,1514,66,1514,66,1514,1514,66,1514,1514,1514,1514,94,1514,78,1514,66,1514,1514,66,1514,66] update: [....10] [ip4][..udp] 
[....192.168.1.7][53776] -> [239.255.255.250][.1900] [SSDP][System][Acceptable] update: [.....2] [ip4][..udp] [....192.168.1.7][51543] -> [....192.168.1.1][...53] [DNS.NetFlix][Video][Fun] update: [....13] [ip4][..udp] [....192.168.1.7][51949] -> [....192.168.1.1][...53] [DNS.NetFlix][Video][Fun] @@ -419,12 +481,14 @@ detected: [....51] [ip4][..tcp] [....192.168.1.7][53217] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] RISK: HTTP Numeric IP Address analyse: [....51] [ip4][..tcp] [....192.168.1.7][53217] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.286| 0.030| 0.050] - [IAT(c->s)...: 0.000| 0.286| 0.041| 0.075][IAT(s->c)...: 0.001| 0.071| 0.024| 0.019] - [PKTLEN(c->s): 66.000| 584.000| 147.500| 184.300][PKTLEN(s->c): 74.000|1514.000|1302.000| 426.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.286| 0.030| 0.050| 2491.019| 0.000] + [PKTLEN......: 66.000| 1514.000| 833.000| 665.800|443241.700| 4.400] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,1,1,1,1,0] + [IATS........: 13013,14780,4042,30273,839,3652,30261,186,16542,35559,2040,21479,3192,3317,13322,13300,26482,13309,13526,13848,42739,56409,14727,15199,71007,25498,25497,25504,51553,55156,286066,0] + [PKTLENS.....: 78,74,66,575,634,1514,677,66,66,584,643,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,1514,1514,1514,1514,86] update: [....26] [ip4][..udp] [....192.168.1.7][51728] -> [....192.168.1.1][...53] [DNS][Network][Acceptable] update: [....23] [ip4][..udp] [....192.168.1.7][58102] -> [....192.168.1.1][...53] [DNS.NetFlix][Video][Fun] update: [....27] [ip4][..udp] [....192.168.1.7][52347] -> [....192.168.1.1][...53] [DNS.NetFlix][Video][Fun] 
@@ -465,12 +529,14 @@ detection-update: [....58] [ip4][..tcp] [....192.168.1.7][53250] -> [.....52.41.30.5][..443] [TLS.NetFlix][Video][Fun] RISK: TLS (probably) Not Carrying HTTPS analyse: [....57] [ip4][..tcp] [....192.168.1.7][53249] -> [.....52.41.30.5][..443] [TLS.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.141| 0.020| 0.029] - [IAT(c->s)...: 0.000| 0.141| 0.021| 0.036][IAT(s->c)...: 0.000| 0.059| 0.020| 0.021] - [PKTLEN(c->s): 66.000|1514.000| 204.600| 360.800][PKTLEN(s->c): 66.000|1514.000| 665.100| 526.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.141| 0.020| 0.029| 838.464| 0.000] + [PKTLEN......: 66.000| 1514.000| 434.800| 506.400|256458.000| 4.100] [BINS(c->s)..: 12,1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 4,0,0,0,1,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,2,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 52701,54230,4655,50068,892,45987,1145,402,2281,621,48897,36085,58570,140,1031,141407,13303,12185,4698,8739,8491,4498,3692,4536,12375,12816,15153,13884,6123,6182,6840,0] + [PKTLENS.....: 78,74,66,274,66,211,66,72,111,1514,564,66,66,1514,227,1514,66,559,66,1005,66,439,66,1306,66,1406,66,660,66,808,66,721] new: [....59] [ip4][..udp] [....192.168.1.7][57093] -> [....192.168.1.1][...53] detected: [....59] [ip4][..udp] [....192.168.1.7][57093] -> [....192.168.1.1][...53] [DNS][Network][Acceptable] detection-update: [....59] [ip4][..udp] [....192.168.1.7][57093] -> [....192.168.1.1][...53] [DNS][Network][Acceptable] 
@@ -479,27 +545,33 @@ detected: [....60] [ip4][..tcp] [....192.168.1.7][53251] -> [..184.25.204.10][...80] [HTTP.NetFlix][Video][Fun] detected: [....61] [ip4][..tcp] [....192.168.1.7][53252] -> [..184.25.204.10][...80] [HTTP.NetFlix][Video][Fun] analyse: [....55] [ip4][..tcp] [....192.168.1.7][53239] -> [.....52.41.30.5][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.501| 0.064| 0.122] - [IAT(c->s)...: 0.000| 0.437| 0.051| 0.107][IAT(s->c)...: 0.000| 0.501| 0.077| 0.134] - [PKTLEN(c->s): 66.000|1514.000| 354.700| 483.800][PKTLEN(s->c): 66.000|1514.000| 572.500| 600.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.501| 0.064| 0.122|14766.799| 0.000] + [PKTLEN......: 66.000| 1514.000| 456.800| 552.300|305076.800| 4.100] [BINS(c->s)..: 10,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] [BINS(s->c)..: 5,2,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,1,0,1,0,1,0,1,0,0,0,1,1] + [IATS........: 58292,61223,1798,70566,2939,1016,71265,11570,12325,13054,147,95,65707,781,52265,3649,191,91649,51753,301,140150,3732,3446,3903,5462,6438,5030,437212,863,500942,291945,0] + [PKTLENS.....: 78,74,66,583,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,803,66,1514,490,66,462,66,765,66,100,66,1514,686,66,1514] detection-update: [....55] [ip4][..tcp] [....192.168.1.7][53239] -> [.....52.41.30.5][..443] [TLS.NetFlix][Video][Fun] analyse: [....61] [ip4][..tcp] [....192.168.1.7][53252] -> [..184.25.204.10][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.001| 0.100| 0.036| 0.022] - [IAT(c->s)...: 0.012| 0.100| 0.039| 0.032][IAT(s->c)...: 0.001| 0.081| 0.036| 0.019] - [PKTLEN(c->s): 66.000| 311.000| 110.800| 89.700][PKTLEN(s->c): 66.000|1514.000|1402.900| 384.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.001| 0.100| 0.036| 0.022| 464.586| 0.000] + [PKTLEN......: 
66.000| 1514.000| 1160.700| 613.300|376142.500| 4.700] [BINS(c->s)..: 5,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] + [IATS........: 16679,17740,11985,38478,508,12702,40101,27115,27112,58536,99830,81106,33879,23672,53768,53762,65076,48010,65429,13865,30914,13324,28733,40448,54528,28786,29443,29431,27518,25487,25489,0] + [PKTLENS.....: 78,74,66,311,66,1514,1514,66,1514,66,1514,78,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514] analyse: [....60] [ip4][..tcp] [....192.168.1.7][53251] -> [..184.25.204.10][...80] [HTTP.NetFlix][Video][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.416| 0.126| 0.341] - [IAT(c->s)...: 0.000| 1.390| 0.150| 0.365][IAT(s->c)...: 0.000| 1.416| 0.108| 0.321] - [PKTLEN(c->s): 66.000| 311.000| 101.900| 85.400][PKTLEN(s->c): 66.000|1514.000|1310.200| 473.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.416| 0.126| 0.341|116136.157| 0.000] + [PKTLEN......: 66.000| 1514.000| 781.500| 698.900|488505.900| 4.300] [BINS(c->s)..: 12,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,1,1,0,0,1,1,1,0,0,1,1,0,1,0,1,1,0,1,0] + [IATS........: 15432,16762,2055,27228,957,1055,27336,38112,39355,39938,44658,83445,40664,236734,277719,1389753,1416280,268,12835,48683,241,12768,12757,15934,13837,16300,12778,12746,23173,13285,13156,0] + [PKTLENS.....: 78,74,66,311,66,1514,1514,66,1514,66,1514,1514,66,1514,733,66,311,1514,1514,1514,66,66,1514,1514,66,1514,66,1514,1514,66,1514,66] end: [....18] [ip4][..tcp] [....192.168.1.7][53141] -> 
[..104.86.97.179][..443] [TLS.NetFlix][Video][Fun] idle: [....12] [ip4][....2] [....192.168.1.7] -> [239.255.255.250] [IGMP][Network][Acceptable] idle: [....59] [ip4][..udp] [....192.168.1.7][57093] -> [....192.168.1.1][...53] [DNS][Network][Acceptable] diff --git a/test/results/flow-info/nfsv2.pcap.out b/test/results/flow-info/nfsv2.pcap.out index 216c732ba..c7d1e7418 100644 --- a/test/results/flow-info/nfsv2.pcap.out +++ b/test/results/flow-info/nfsv2.pcap.out 
@@ -15,12 +15,14 @@ new: [.....5] [ip4][..udp] [....139.25.22.2][.1023] -> [..139.25.22.102][.2049] detected: [.....5] [ip4][..udp] [....139.25.22.2][.1023] -> [..139.25.22.102][.2049] [NFS][DataTransfer][Acceptable] analyse: [.....5] [ip4][..udp] [....139.25.22.2][.1023] -> [..139.25.22.102][.2049] [NFS][DataTransfer][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.010| 0.040| 0.015| 0.011] - [IAT(c->s)...: 0.010| 0.040| 0.015| 0.011][IAT(s->c)...: 0.010| 0.040| 0.015| 0.011] - [PKTLEN(c->s): 166.000| 214.000| 177.500| 14.400][PKTLEN(s->c): 70.000| 170.000| 117.500| 41.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.010| 0.040| 0.015| 0.011| 125.000| 0.000] + [PKTLEN......: 70.000| 214.000| 147.500| 43.100| 1860.800| 4.900] [BINS(c->s)..: 0,0,0,5,9,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,0,5,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 40000,40000,10000,10000,10000,10000,10000,10000,10000,10000,10000,10000,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [PKTLENS.....: 166,138,166,90,174,70,174,70,206,170,166,138,166,138,174,170,198,138,174,170,174,70,174,70,174,170,174,70,214,70,166,138] new: [.....6] [ip4][..udp] [....139.25.22.2][.3293] -> [..139.25.22.102][..111] detected: [.....6] [ip4][..udp] [....139.25.22.2][.3293] -> [..139.25.22.102][..111] [NFS][DataTransfer][Acceptable] RISK: Known Proto on Non Std Port diff --git a/test/results/flow-info/nfsv3.pcap.out b/test/results/flow-info/nfsv3.pcap.out index 7dbeac35f..0d51ae8c6 100644 --- a/test/results/flow-info/nfsv3.pcap.out +++ b/test/results/flow-info/nfsv3.pcap.out 
@@ -18,12 +18,14 @@ new: [.....6] [ip4][..udp] [....139.25.22.2][.1022] -> [..139.25.22.102][.2049] detected: [.....6] [ip4][..udp] [....139.25.22.2][.1022] -> [..139.25.22.102][.2049] [NFS][DataTransfer][Acceptable] analyse: [.....6] [ip4][..udp] [....139.25.22.2][.1022] -> [..139.25.22.102][.2049] [NFS][DataTransfer][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.010| 0.050| 0.017| 0.015] - [IAT(c->s)...: 0.010| 0.050| 0.017| 0.015][IAT(s->c)...: 0.010| 0.050| 0.017| 0.015] - [PKTLEN(c->s): 170.000| 226.000| 183.000| 17.600][PKTLEN(s->c): 74.000| 314.000| 169.800| 87.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.010| 0.050| 0.017| 0.015| 222.222| 0.000] + [PKTLEN......: 74.000| 314.000| 176.400| 63.400| 4021.900| 4.900] [BINS(c->s)..: 0,0,0,0,13,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,6,0,2,2,2,0,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 10000,10000,50000,50000,10000,10000,10000,10000,10000,10000,10000,10000,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [PKTLENS.....: 170,154,170,206,170,210,170,182,178,74,178,74,226,314,170,154,206,186,178,74,178,74,178,282,178,74,222,302,178,282,178,74] new: [.....7] [ip4][..udp] [....139.25.22.2][.3299] -> [..139.25.22.102][..111] detected: [.....7] [ip4][..udp] [....139.25.22.2][.3299] -> [..139.25.22.102][..111] [NFS][DataTransfer][Acceptable] RISK: Known Proto on Non Std Port diff --git a/test/results/flow-info/nintendo.pcap.out b/test/results/flow-info/nintendo.pcap.out index 28a6ac403..c45b7adba 100644 --- a/test/results/flow-info/nintendo.pcap.out +++ b/test/results/flow-info/nintendo.pcap.out 
@@ -12,12 +12,14 @@ new: [.....5] [ip4][..udp] [.192.168.12.114][52119] -> [...35.158.74.61][33335] detected: [.....5] [ip4][..udp] [.192.168.12.114][52119] -> [...35.158.74.61][33335] [Nintendo][Game][Fun] analyse: [.....1] [ip4][..udp] [.192.168.12.114][52119] -> [....91.8.243.35][49432] [Nintendo][Game][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.730| 0.194| 0.332] - [IAT(c->s)...: 0.000| 0.514| 0.195| 0.208][IAT(s->c)...: 0.000| 1.730| 0.192| 0.416] - [PKTLEN(c->s): 102.000| 230.000| 121.000| 31.100][PKTLEN(s->c): 102.000| 854.000| 213.000| 243.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.730| 0.194| 0.332|110172.324| 0.000] + [PKTLEN......: 102.000| 854.000| 167.000| 179.500|32207.000| 4.500] [BINS(c->s)..: 0,7,7,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,4,8,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,0,1,1,0,1,0,1,1,0,1,0,0,1,0,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1] + [IATS........: 87919,239629,335441,89838,30639,131192,103304,499986,507312,130872,234805,19308,15810,5164,16850,12585,53490,8758,197,60833,14170,505639,501514,5142,514446,94641,233,1729670,53,52619,81,0] + [PKTLENS.....: 102,102,198,230,118,102,150,118,102,118,150,134,118,118,118,854,118,854,102,102,118,102,102,102,102,102,118,118,118,118,118,118] new: [.....6] [ip4][..udp] [.192.168.12.114][52119] -> [..52.10.205.177][34343] new: [.....7] [ip4][..udp] [.192.168.12.114][18874] -> [...192.168.12.1][...53] detected: [.....7] [ip4][..udp] [.192.168.12.114][18874] -> [...192.168.12.1][...53] [DNS.Nintendo][Game][Fun] 
@@ -50,12 +52,14 @@ detection-update: [....16] [ip4][..tcp] [.192.168.12.114][31329] -> [....54.192.27.8][..443] [TLS.Nintendo][Game][Fun] RISK: TLS (probably) Not Carrying HTTPS analyse: [.....4] [ip4][..tcp] [..54.187.10.185][..443] -> [.192.168.12.114][48328] [TLS.AmazonAWS][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 14.019| 1.263| 3.443] - [IAT(c->s)...: 0.000| 14.019| 1.087| 3.232][IAT(s->c)...: 0.004| 13.944| 1.507| 3.702] - [PKTLEN(c->s): 66.000| 400.000| 123.400| 76.900][PKTLEN(s->c): 66.000| 471.000| 150.200| 121.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 14.019| 1.263| 3.443|11853821.379| 0.000] + [PKTLEN......: 66.000| 471.000| 134.200| 98.400| 9678.600| 4.700] [BINS(c->s)..: 8,5,0,5,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,6,1,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,0,1,1,0,0,1,0,1,0,1,0,0,0,0,1,1,0,1,0,0,0,1,1,0,0,1] + [IATS........: 6277,307132,3508675,3481620,246,43,276417,18546,55237,145,35743,210876,214177,255332,13944464,14019058,757,51,5265,332523,29922,280387,254222,215658,3394,13561,231064,4335,258992,453544,730768,0] + [PKTLENS.....: 166,117,66,133,66,124,113,66,117,166,166,66,66,117,66,471,66,113,400,166,66,117,66,382,66,123,113,66,117,66,166,117] new: [....17] [ip4][..udp] [.192.168.12.114][55915] -> [.185.118.169.65][27520] detected: [....17] [ip4][..udp] [.192.168.12.114][55915] -> [.185.118.169.65][27520] [Nintendo][Game][Fun] new: [....18] [ip4][.icmp] [..151.6.184.100] -> [.192.168.12.114] 
@@ -67,26 +71,32 @@ new: [....21] [ip4][.icmp] [...151.6.184.98] -> [.192.168.12.114] detected: [....21] [ip4][.icmp] [...151.6.184.98] -> [.192.168.12.114] [ICMP][Network][Acceptable] analyse: [....17] [ip4][..udp] [.192.168.12.114][55915] -> [.185.118.169.65][27520] [Nintendo][Game][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.754| 0.078| 0.153] - [IAT(c->s)...: 0.000| 0.312| 0.055| 0.096][IAT(s->c)...: 0.000| 0.754| 0.127| 0.222] - [PKTLEN(c->s): 102.000| 886.000| 154.400| 160.300][PKTLEN(s->c): 102.000| 886.000| 198.000| 230.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.754| 0.078| 0.153|23284.658| 0.000] + [PKTLEN......: 102.000| 886.000| 168.000| 186.200|34652.000| 4.500] [BINS(c->s)..: 0,2,18,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,2,6,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,0,0,1,1,1,0,0,1,0,0,1,1,1] + [IATS........: 280,397,210011,243,431,203806,304,212,311877,2339,183,754134,1127,30674,588,242272,245592,5517,2752,1899,125604,98,25,109131,222,10721,20118,10437,105846,2222,28907,0] + [PKTLENS.....: 118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,182,102,118,118,182,102,118,118,118,118,886,102,886,118,118,102] analyse: [....19] [ip4][..udp] [.192.168.12.114][55915] -> [.93.237.131.235][56066] [Nintendo][Game][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.758| 0.106| 0.188] - [IAT(c->s)...: 0.000| 0.607| 0.080| 0.147][IAT(s->c)...: 0.000| 0.758| 0.161| 0.245] - [PKTLEN(c->s): 102.000| 886.000| 231.500| 231.800][PKTLEN(s->c): 102.000| 886.000| 198.000| 230.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.758| 0.106| 0.188|35487.695| 0.000] + [PKTLEN......: 102.000| 886.000| 221.000| 231.800|53743.000| 4.500] [BINS(c->s)..: 
0,3,13,0,1,0,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,2,6,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,1,1,1,0,0,1,1,0,0,1,1,1,0,0,0,0,0] + [IATS........: 726,2728,200750,236,363,313750,216,309,757918,67,245897,246,38434,238,116689,3047,25905,110485,1189,79734,7959,87905,10077,91853,20145,506365,607064,9714,10174,12917,36738,0] + [PKTLENS.....: 118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,182,102,182,102,886,102,886,102,118,118,102,358,854,486,486] analyse: [....20] [ip4][..udp] [.192.168.12.114][55915] -> [..81.61.158.138][51769] [Nintendo][Game][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.649| 0.099| 0.184] - [IAT(c->s)...: 0.000| 0.649| 0.081| 0.162][IAT(s->c)...: 0.000| 0.629| 0.128| 0.211] - [PKTLEN(c->s): 102.000| 886.000| 157.200| 167.900][PKTLEN(s->c): 102.000| 886.000| 184.700| 212.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.649| 0.099| 0.184|33766.533| 0.000] + [PKTLEN......: 102.000| 886.000| 167.500| 186.300|34709.800| 4.500] [BINS(c->s)..: 0,3,15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,2,8,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1,1,1,0,0,1,1,1,0] + [IATS........: 295,399,313495,260,289,284287,137,381,629371,5230,43658,5349,61371,137,131610,65365,7948,186,836,31052,435,67583,2946,484,7525,105852,5669,103301,9836,549379,649265,0] + [PKTLENS.....: 118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,182,102,118,118,182,118,118,102,118,118,886,102,886,102,118,118,102] guessed: [....11] [ip4][..udp] [.192.168.12.114][55915] -> [...35.158.74.61][10025] [AmazonAWS][Cloud][Acceptable] idle: [....11] [ip4][..udp] [.192.168.12.114][55915] -> [...35.158.74.61][10025] 
idle: [....15] [ip4][..udp] [.192.168.12.114][51035] -> [...192.168.12.1][...53] [DNS.Nintendo][Game][Fun] diff --git a/test/results/flow-info/nntp.pcap.out b/test/results/flow-info/nntp.pcap.out index c39f64538..9a9e0dd86 100644 --- a/test/results/flow-info/nntp.pcap.out +++ b/test/results/flow-info/nntp.pcap.out @@ -4,11 +4,13 @@ new: [.....1] [ip4][..tcp] [.192.168.190.20][55630] -> [..192.168.190.5][..119] detected: [.....1] [ip4][..tcp] [.192.168.190.20][55630] -> [..192.168.190.5][..119] [Usenet][Web][Acceptable] analyse: [.....1] [ip4][..tcp] [.192.168.190.20][55630] -> [..192.168.190.5][..119] [Usenet][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 25.684| 4.346| 7.782] - [IAT(c->s)...: 0.000| 25.684| 3.742| 7.372][IAT(s->c)...: 0.000| 25.684| 5.182| 8.245] - [PKTLEN(c->s): 54.000| 97.000| 71.700| 10.000][PKTLEN(s->c): 66.000|1514.000| 436.500| 556.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 25.684| 4.346| 7.782|60565611.348| 0.000] + [PKTLEN......: 54.000| 1514.000| 219.900| 397.400|157950.100| 3.700] [BINS(c->s)..: 19,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,3,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,2,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,1,1,0,1,1,0,0,1,0,0,1,0,1,0,0,1,0,0,1,0,1,0,0,0,1,0] + [IATS........: 157,178,17001,17072,178,379,673149,673694,608,343,40452,19518042,19565845,7986,4770071,4784435,14326,95,29,25683555,25684268,770,12078373,12090740,12467,209,55,4543973,116,4544308,283,0] + [PKTLENS.....: 74,74,66,190,66,79,66,113,92,66,115,66,79,1294,66,79,1514,66,186,66,97,116,66,77,1514,66,332,66,72,66,94,54] end: [.....1] [ip4][..tcp] [.192.168.190.20][55630] -> [..192.168.190.5][..119] [Usenet][Web][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/no_sni.pcap.out b/test/results/flow-info/no_sni.pcap.out index 99ca8be0b..8bdf8757e 100644 
--- a/test/results/flow-info/no_sni.pcap.out +++ b/test/results/flow-info/no_sni.pcap.out 
@@ -8,21 +8,25 @@ detection-update: [.....2] [ip4][..tcp] [..192.168.1.119][51606] -> [.104.16.249.249][..443] [TLS.DoH_DoT][Network][Fun] new: [.....3] [ip4][..tcp] [..192.168.1.119][51612] -> [..104.16.124.96][..443] analyse: [.....2] [ip4][..tcp] [..192.168.1.119][51606] -> [.104.16.249.249][..443] [TLS.DoH_DoT][Network][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.180| 0.028| 0.054] - [IAT(c->s)...: 0.000| 0.178| 0.027| 0.053][IAT(s->c)...: 0.000| 0.180| 0.029| 0.055] - [PKTLEN(c->s): 54.000| 670.000| 131.600| 144.900][PKTLEN(s->c): 60.000| 736.000| 152.000| 182.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.180| 0.028| 0.054| 2913.211| 0.000] + [PKTLEN......: 54.000| 736.000| 141.200| 163.800|26828.900| 4.400] [BINS(c->s)..: 10,1,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 11,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,0,0,1,1,0,1,1,0,0,1,1,0,0,0,0,0,0,1,1,1,1,1,0,0,1,1,1,0] + [IATS........: 137944,138022,4673,280,93,180261,3035,178242,156,4,141,2334,6395,1417,5511,15440,136,687,115,1388,73966,13479,4177,2946,6,76790,62,5422,2521,12,7950,0] + [PKTLENS.....: 78,66,54,670,60,224,60,736,54,116,60,54,138,60,85,54,205,140,114,146,85,60,60,60,380,85,54,54,60,307,85,54] detected: [.....3] [ip4][..tcp] [..192.168.1.119][51612] -> [..104.16.124.96][..443] [TLS.Cloudflare][Web][Acceptable] detection-update: [.....3] [ip4][..tcp] [..192.168.1.119][51612] -> [..104.16.124.96][..443] [TLS.Cloudflare][Web][Acceptable] analyse: [.....3] [ip4][..tcp] [..192.168.1.119][51612] -> [..104.16.124.96][..443] [TLS.Cloudflare][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.473| 0.050| 0.107] - [IAT(c->s)...: 0.000| 0.473| 0.052| 0.119][IAT(s->c)...: 0.000| 0.380| 0.049| 0.095] - [PKTLEN(c->s): 54.000|1001.000| 185.200| 295.900][PKTLEN(s->c): 60.000|1514.000| 576.800| 561.000] + 
[min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.473| 0.050| 0.107|11455.737| 0.000] + [PKTLEN......: 54.000| 1514.000| 381.000| 489.400|239474.400| 4.000] [BINS(c->s)..: 12,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,2,0,1,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,1,1,0,1,1,0,0,1,1,1,0,1,0,1,0,1,0,1,1,0,1,0] + [IATS........: 121173,121273,5431,100429,365,95332,957,4750,120,77068,533,71774,182,427,594,188,76917,15494,380381,472643,2763,2757,2091,2075,1637,1645,1367,284,1629,603,593,0] + [PKTLENS.....: 78,66,54,1001,60,286,54,118,224,917,60,566,54,60,85,54,85,60,60,1092,54,844,54,1445,54,1445,54,1514,407,54,1178,54] new: [.....4] [ip4][..tcp] [..192.168.1.119][51635] -> [..104.17.198.37][..443] new: [.....5] [ip4][..tcp] [..192.168.1.119][51636] -> [..104.17.198.37][..443] new: [.....6] [ip4][..tcp] [..192.168.1.119][51637] -> [..104.22.72.170][..443] 
@@ -39,12 +43,14 @@ detection-update: [.....8] [ip4][..tcp] [..192.168.1.119][51639] -> [..104.22.72.170][..443] [TLS.Cloudflare][Web][Acceptable] detection-update: [.....7] [ip4][..tcp] [..192.168.1.119][51638] -> [..104.22.72.170][..443] [TLS.Cloudflare][Web][Acceptable] analyse: [.....6] [ip4][..tcp] [..192.168.1.119][51637] -> [..104.22.72.170][..443] [TLS.Cloudflare][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.144| 0.032| 0.043] - [IAT(c->s)...: 0.000| 0.126| 0.029| 0.037][IAT(s->c)...: 0.000| 0.144| 0.035| 0.049] - [PKTLEN(c->s): 54.000| 766.000| 136.700| 172.600][PKTLEN(s->c): 60.000|1514.000| 476.300| 529.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.144| 0.032| 0.043| 1852.691| 0.000] + [PKTLEN......: 54.000| 1514.000| 285.300| 409.400|167573.600| 4.000] [BINS(c->s)..: 12,0,3,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,0,1,0,1,1,0,0,1,1,0,1,1,0,0,1,0,1,0,1,0] + [IATS........: 81926,82025,5271,129371,1703,673,126443,63976,9103,148,11896,1581,143742,57056,79239,1596,80830,1627,14677,255,13311,11856,23,12136,91,25357,25014,814,775,5252,5500,0] + [PKTLENS.....: 78,66,54,766,60,1514,1385,54,118,224,380,129,129,1385,66,60,566,54,85,60,85,54,581,85,54,54,368,54,85,54,368,54] idle: [.....6] [ip4][..tcp] [..192.168.1.119][51637] -> [..104.22.72.170][..443] [TLS.Cloudflare][Web][Acceptable] end: [.....7] [ip4][..tcp] [..192.168.1.119][51638] -> [..104.22.72.170][..443] end: [.....8] [ip4][..tcp] [..192.168.1.119][51639] -> [..104.22.72.170][..443] diff --git a/test/results/flow-info/ocs.pcap.out b/test/results/flow-info/ocs.pcap.out index 70aabf2e5..020824d19 100644 --- a/test/results/flow-info/ocs.pcap.out +++ b/test/results/flow-info/ocs.pcap.out 
@@ -33,12 +33,14 @@ detected: [....15] [ip4][..tcp] [..192.168.180.2][36680] -> [.178.248.208.54][..443] [TLS.OCS][Media][Fun] RISK: Obsolete TLS (v1.1 or older) analyse: [....13] [ip4][..tcp] [..192.168.180.2][49881] -> [.178.248.208.54][...80] [HTTP.OCS][Media][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.929| 0.088| 0.173] - [IAT(c->s)...: 0.000| 0.929| 0.088| 0.173][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 52.000| 715.000| 83.100| 113.800][PKTLEN(s->c): 0.000| 0.000| 0.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.929| 0.088| 0.173|29794.175| 0.000] + [PKTLEN......: 52.000| 715.000| 83.100| 113.800|12942.200| 4.500] [BINS(c->s)..: 31,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 83797,14275,246872,572,450,68391,1837,71492,506,5433,4137,41728,146026,90832,71054,77421,63432,3718,80468,1653,86121,564,67336,32599,43283,386587,73735,2510,928563,31722,2140,0] + [PKTLENS.....: 60,52,715,64,72,72,80,72,72,72,72,72,64,52,64,64,64,52,52,52,52,64,64,64,64,52,52,64,64,52,64,64] new: [....16] [ip4][..tcp] [..192.168.180.2][32946] -> [.64.233.184.188][..443] detected: [....16] [ip4][..tcp] [..192.168.180.2][32946] -> [.64.233.184.188][..443] [TLS.GoogleServices][Web][Acceptable] RISK: TLS (probably) Not Carrying HTTPS 
@@ -58,12 +60,14 @@ new: [....20] [ip4][..tcp] [..192.168.180.2][42590] -> [178.248.208.210][...80] detected: [....20] [ip4][..tcp] [..192.168.180.2][42590] -> [178.248.208.210][...80] [HTTP.OCS][Media][Fun] analyse: [....20] [ip4][..tcp] [..192.168.180.2][42590] -> [178.248.208.210][...80] [HTTP.OCS][Media][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.079| 0.027| 0.030] - [IAT(c->s)...: 0.000| 0.079| 0.027| 0.030][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 52.000| 204.000| 63.900| 26.300][PKTLEN(s->c): 0.000| 0.000| 0.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.079| 0.027| 0.030| 875.550| 0.000] + [PKTLEN......: 52.000| 204.000| 63.900| 26.300| 690.500| 4.900] [BINS(c->s)..: 31,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 71399,1526,54762,1106,3570,59902,605,77,5328,64776,1667,1533,79495,5458,58361,1849,64604,1987,67520,26503,42864,25995,65439,972,48553,1253,1960,1270,75524,1445,4821,0] + [PKTLENS.....: 60,52,204,52,52,52,52,52,64,64,64,64,72,64,64,72,72,72,64,64,64,52,52,52,52,52,52,52,52,52,64,72] update: [....17] [ip4][..udp] [..192.168.180.2][11793] -> [........8.8.8.8][...53] idle: [....20] [ip4][..tcp] [..192.168.180.2][42590] -> [178.248.208.210][...80] [HTTP.OCS][Media][Fun] end: [.....8] [ip4][..tcp] [..192.168.180.2][44959] -> [137.135.129.206][...80] diff --git a/test/results/flow-info/ocsp.pcapng.out b/test/results/flow-info/ocsp.pcapng.out index a1f23802d..3161ecc06 100644 --- a/test/results/flow-info/ocsp.pcapng.out +++ b/test/results/flow-info/ocsp.pcapng.out 
@@ -11,19 +11,23 @@ new: [.....3] [ip4][..tcp] [..192.168.1.128][43728] -> [..92.122.95.235][...80] detected: [.....3] [ip4][..tcp] [..192.168.1.128][43728] -> [..92.122.95.235][...80] [HTTP.OCSP][Network][Safe] analyse: [.....2] [ip4][..tcp] [..192.168.1.128][54154] -> [.142.250.184.99][...80] [HTTP.OCSP][Cloud][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.003| 10.243| 7.530| 4.272] - [IAT(c->s)...: 0.007| 10.243| 7.871| 4.060][IAT(s->c)...: 0.003| 10.243| 7.189| 4.448] - [PKTLEN(c->s): 118.000| 512.000| 164.800| 126.800][PKTLEN(s->c): 118.000| 820.000| 212.100| 238.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.003| 10.243| 7.530| 4.272|18250505.126| 0.000] + [PKTLEN......: 118.000| 820.000| 187.000| 189.100|35745.500| 4.500] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0] + [IATS........: 3376,7013,7440,102951,109262,10007824,10012989,10151666,10151973,10240500,10240566,10243102,10242877,10236097,10235872,10239925,10240468,10239857,10239497,5617732,5617894,102927,109302,10148797,10155034,10236056,10236089,10239827,10239709,10239962,0,0] + [PKTLENS.....: 126,126,118,512,118,820,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,512,118,820,118,118,118,118,118,118,118,118] analyse: [.....3] [ip4][..tcp] [..192.168.1.128][43728] -> [..92.122.95.235][...80] [HTTP.OCSP][Network][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 10.244| 7.440| 4.399] - [IAT(c->s)...: 0.000| 10.244| 7.527| 4.355][IAT(s->c)...: 0.001| 10.244| 7.347| 4.442] - [PKTLEN(c->s): 118.000| 504.000| 163.900| 124.200][PKTLEN(s->c): 118.000|1007.000| 237.100| 302.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 10.244| 7.440| 4.399|19348030.751| 0.000] + [PKTLEN......: 118.000| 1007.000| 
198.200| 228.700|52281.300| 4.400] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] + [IATS........: 12043,16085,280,19618,157130,176931,7779779,7796085,1344,16621,10045906,10060740,10239929,10239733,10239821,10240037,10244027,10243851,10239937,10239981,10236031,10236118,10243927,10244049,10235957,10235895,10239975,10239809,10240030,10240044,10239885,0] + [PKTLENS.....: 126,126,118,504,118,1007,118,504,118,1007,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118] new: [.....4] [ip4][..tcp] [..192.168.1.128][34320] -> [.151.139.128.14][...80] detected: [.....4] [ip4][..tcp] [..192.168.1.128][34320] -> [.151.139.128.14][...80] [HTTP.OCSP][Network][Safe] new: [.....5] [ip4][..tcp] [..192.168.1.128][34340] -> [.151.139.128.14][...80] 
@@ -37,12 +41,14 @@ end: [.....4] [ip4][..tcp] [..192.168.1.128][34320] -> [.151.139.128.14][...80] [HTTP.OCSP][Network][Safe] end: [.....5] [ip4][..tcp] [..192.168.1.128][34340] -> [.151.139.128.14][...80] [HTTP.OCSP][Network][Safe] analyse: [.....6] [ip4][..tcp] [..192.168.1.128][47904] -> [..93.184.220.29][...80] [HTTP.OCSP][Network][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 10.240| 6.308| 4.932] - [IAT(c->s)...: 0.000| 10.240| 6.052| 4.990][IAT(s->c)...: 0.000| 10.240| 6.618| 4.843] - [PKTLEN(c->s): 118.000| 505.000| 182.900| 144.000][PKTLEN(s->c): 118.000| 917.000| 289.800| 327.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 10.240| 6.308| 4.932|24328020.165| 0.000] + [PKTLEN......: 118.000| 917.000| 229.700| 247.800|61420.800| 4.400] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,0,1,0,1,0,1,0,1,0] + [IATS........: 3075,7547,2588,10413,297,8000,10198565,10205648,10239932,10239686,10240046,10239807,10240147,10240173,10239675,10239894,594543,595404,7786,346,7916,7271,10142015,10148632,10239909,10240023,10239943,10239865,10239954,10239944,10239922,0] + [PKTLENS.....: 126,126,118,505,118,917,118,118,118,118,118,118,118,118,118,118,118,505,917,118,505,917,118,118,118,118,118,118,118,118,118,118] DAEMON-EVENT: [Processed: 207 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....7] [ip4][..tcp] [..192.168.1.128][49382] -> [....52.85.15.92][...80] 
@@ -51,19 +57,23 @@ detected: [.....8] [ip4][..tcp] [..192.168.1.128][59922] -> [..151.101.2.133][...80] [HTTP.OCSP][Network][Safe] end: [.....6] [ip4][..tcp] [..192.168.1.128][47904] -> [..93.184.220.29][...80] [HTTP.OCSP][Network][Safe] analyse: [.....8] [ip4][..tcp] [..192.168.1.128][59922] -> [..151.101.2.133][...80] [HTTP.OCSP][Network][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.001| 10.241| 7.851| 4.241] - [IAT(c->s)...: 0.001| 10.241| 7.676| 4.274][IAT(s->c)...: 0.001| 10.240| 8.039| 4.196] - [PKTLEN(c->s): 118.000| 519.000| 142.100| 94.300][PKTLEN(s->c): 118.000|1462.000| 251.700| 362.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.001| 10.241| 7.851| 4.241|17983611.077| 0.000] + [PKTLEN......: 118.000| 1462.000| 193.500| 263.000|69147.600| 4.300] [BINS(c->s)..: 16,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] + [IATS........: 3378,7400,923,8114,615,9140,10126876,10134843,10240392,10240491,10239169,10239578,10239933,10239705,10239910,10239519,10239942,10240185,10239877,10240084,10240632,10240175,10239571,10239443,10239518,10240005,10239975,10240013,2594877,0,0,0] + [PKTLENS.....: 126,126,118,519,118,1462,772,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118] analyse: [.....7] [ip4][..tcp] [..192.168.1.128][49382] -> [....52.85.15.92][...80] [HTTP.OCSP][Network][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 10.241| 7.462| 4.365] - [IAT(c->s)...: 0.000| 10.241| 7.229| 4.486][IAT(s->c)...: 0.012| 10.241| 7.711| 4.217] - [PKTLEN(c->s): 118.000| 514.000| 141.800| 93.100][PKTLEN(s->c): 118.000|1124.000| 185.600| 250.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 10.241| 7.462| 4.365|19049033.499| 0.000] + [PKTLEN......: 
118.000| 1124.000| 162.300| 185.900|34567.000| 4.500] [BINS(c->s)..: 16,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] + [IATS........: 11963,16479,379,17094,109967,126649,9996419,10012379,10239928,10239783,10239896,10240232,10239903,10239633,10239951,10239961,10239904,10240133,10239949,10239714,10239909,10239972,10240568,10240566,10239801,10239750,10239347,10239527,3107000,3107879,16865,0] + [PKTLENS.....: 126,126,118,514,118,1124,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118] DAEMON-EVENT: [Processed: 274 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 2 / 8|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....9] [ip4][..tcp] [..192.168.1.128][45514] -> [.109.70.240.114][...80] 
@@ -74,11 +84,13 @@ detected: [....10] [ip4][..tcp] [..192.168.1.128][49034] -> [...23.12.96.145][...80] [HTTP.OCSP][Network][Safe] end: [.....9] [ip4][..tcp] [..192.168.1.128][45514] -> [.109.70.240.114][...80] [HTTP.OCSP][Network][Safe] analyse: [....10] [ip4][..tcp] [..192.168.1.128][49034] -> [...23.12.96.145][...80] [HTTP.OCSP][Network][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 10.241| 4.682| 4.929] - [IAT(c->s)...: 0.000| 10.241| 4.896| 4.949][IAT(s->c)...: 0.003| 10.240| 4.451| 4.897] - [PKTLEN(c->s): 118.000| 505.000| 186.600| 147.100][PKTLEN(s->c): 118.000|1566.000| 510.000| 563.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 10.241| 4.682| 4.929|24292207.100| 0.000] + [PKTLEN......: 118.000| 1566.000| 338.200| 431.700|186386.900| 4.200] [BINS(c->s)..: 14,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,0,1,0,1,0,1,0,1,0] + [IATS........: 12234,16624,475,17773,3362,21718,1169650,1186786,9796,24736,1031529,1046686,2550,18982,10158449,10174381,10240180,10240467,10240694,10240443,10239931,10239902,10238718,10240083,10241196,0,0,0,0,0,0,0] + [PKTLENS.....: 126,126,118,504,118,1566,627,118,118,504,118,1566,627,118,118,505,118,1566,628,118,118,118,118,118,118,118,118,118,118,118,118,118] end: [....10] [ip4][..tcp] [..192.168.1.128][49034] -> [...23.12.96.145][...80] [HTTP.OCSP][Network][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/ookla.pcap.out b/test/results/flow-info/ookla.pcap.out index ca525102d..58daa6550 100644 --- a/test/results/flow-info/ookla.pcap.out +++ b/test/results/flow-info/ookla.pcap.out 
@@ -6,12 +6,14 @@ new: [.....2] [ip4][..tcp] [....192.168.1.7][51215] -> [..46.44.253.187][.8080] detected: [.....2] [ip4][..tcp] [....192.168.1.7][51215] -> [..46.44.253.187][.8080] [Ookla][Network][Safe] analyse: [.....2] [ip4][..tcp] [....192.168.1.7][51215] -> [..46.44.253.187][.8080] [Ookla][Network][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.138| 0.055| 0.033] - [IAT(c->s)...: 0.026| 0.103| 0.045| 0.024][IAT(s->c)...: 0.000| 0.138| 0.073| 0.038] - [PKTLEN(c->s): 66.000| 85.000| 74.900| 9.100][PKTLEN(s->c): 66.000| 100.000| 83.600| 7.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.138| 0.055| 0.033| 1064.798| 0.000] + [PKTLEN......: 66.000| 100.000| 77.900| 9.700| 93.700| 5.000] [BINS(c->s)..: 21,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 10,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] + [IATS........: 36785,36897,27990,64017,72,36059,38392,72665,34304,27134,61863,34745,97665,133205,35538,27694,63063,35336,68477,103729,35275,26006,61113,35107,103239,137734,34506,32637,67251,34614,94056,0] + [PKTLENS.....: 78,74,66,69,66,100,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85] end: [.....2] [ip4][..tcp] [....192.168.1.7][51215] -> [..46.44.253.187][.8080] [Ookla][Network][Safe] end: [.....1] [ip4][..tcp] [....192.168.1.7][51207] -> [..46.44.253.187][...80] [HTTP.Ookla][Network][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/openvpn.pcap.out b/test/results/flow-info/openvpn.pcap.out index 848a09a3f..fcffb9258 100644 --- a/test/results/flow-info/openvpn.pcap.out +++ b/test/results/flow-info/openvpn.pcap.out 
@@ -5,24 +5,28 @@ detected: [.....1] [ip4][..tcp] [...192.168.1.77][60140] -> [.46.101.231.218][..443] [OpenVPN][VPN][Acceptable] RISK: Known Proto on Non Std Port analyse: [.....1] [ip4][..tcp] [...192.168.1.77][60140] -> [.46.101.231.218][..443] [OpenVPN][VPN][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.998| 0.088| 0.234] - [IAT(c->s)...: 0.000| 0.945| 0.103| 0.244][IAT(s->c)...: 0.000| 0.998| 0.077| 0.225] - [PKTLEN(c->s): 66.000| 371.000| 128.600| 84.300][PKTLEN(s->c): 66.000| 222.000| 174.200| 60.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.998| 0.088| 0.234|54526.591| 0.000] + [PKTLEN......: 66.000| 371.000| 154.300| 75.300| 5671.500| 4.800] [BINS(c->s)..: 6,5,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,1,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,1,0,1,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1,0,1] + [IATS........: 54914,54953,945324,997748,484,52895,181,76406,76231,41001,2720,125,43907,139,238,305,40498,40497,41001,40993,125,124,261,41001,40990,40292,40328,460,133,578,40117,0] + [PKTLENS.....: 74,74,66,110,66,122,66,118,66,371,66,222,210,118,210,210,66,210,222,210,118,210,210,66,210,222,210,118,210,210,66,210] DAEMON-EVENT: [Processed: 95 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....2] [ip4][..udp] [..192.168.43.12][41507] -> [.139.59.151.137][13680] detected: [.....2] [ip4][..udp] [..192.168.43.12][41507] -> [.139.59.151.137][13680] [OpenVPN][VPN][Acceptable] RISK: Known Proto on Non Std Port analyse: [.....2] [ip4][..udp] [..192.168.43.12][41507] -> [.139.59.151.137][13680] [OpenVPN][VPN][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.196| 0.045| 0.060] - [IAT(c->s)...: 0.000| 0.196| 0.044| 0.059][IAT(s->c)...: 0.000| 0.195| 0.047| 0.060] - 
[PKTLEN(c->s): 84.000| 345.000| 106.400| 59.700][PKTLEN(s->c): 96.000| 196.000| 178.900| 22.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.196| 0.045| 0.060| 3547.546| 0.000] + [PKTLEN......: 84.000| 345.000| 140.400| 58.600| 3436.100| 4.900] [BINS(c->s)..: 0,16,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,1,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] + [IATS........: 195179,195816,838,177248,176180,535,476,500,395,473,450,98532,98585,29601,29590,19812,19831,411,519,50093,49983,29934,29992,20280,20221,9484,9461,38312,38344,31856,31865,0] + [PKTLENS.....: 84,96,92,345,196,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92] idle: [.....1] [ip4][..tcp] [...192.168.1.77][60140] -> [.46.101.231.218][..443] [OpenVPN][VPN][Acceptable] RISK: Known Proto on Non Std Port DAEMON-EVENT: [Processed: 178 pkts][ZLib][compressions: 0|diff: 0 / 0] 
@@ -31,12 +35,14 @@ detected: [.....3] [ip4][..udp] [..192.168.43.18][13680] -> [.139.59.151.137][13680] [OpenVPN][VPN][Acceptable] RISK: Known Proto on Non Std Port analyse: [.....3] [ip4][..udp] [..192.168.43.18][13680] -> [.139.59.151.137][13680] [OpenVPN][VPN][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 2.242| 0.188| 0.537] - [IAT(c->s)...: 0.000| 2.196| 0.182| 0.524][IAT(s->c)...: 0.000| 2.242| 0.194| 0.551] - [PKTLEN(c->s): 84.000| 345.000| 105.900| 59.800][PKTLEN(s->c): 92.000| 196.000| 172.800| 31.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 2.242| 0.188| 0.537|288658.031| 0.000] + [PKTLEN......: 84.000| 345.000| 137.300| 58.900| 3466.400| 4.900] [BINS(c->s)..: 0,16,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,2,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] + [IATS........: 2195888,2242452,46716,128,203103,15136,218070,621,558,521,518,3451,3482,185164,185172,417,398,39454,39467,9396,9396,82274,82279,3757,3775,34199,34189,15722,15714,74305,74299,0] + [PKTLENS.....: 84,84,96,92,345,92,196,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92] idle: [.....2] [ip4][..udp] [..192.168.43.12][41507] -> [.139.59.151.137][13680] [OpenVPN][VPN][Acceptable] RISK: Known Proto on Non Std Port idle: [.....3] [ip4][..udp] [..192.168.43.18][13680] -> [.139.59.151.137][13680] [OpenVPN][VPN][Acceptable] diff --git a/test/results/flow-info/pgm.pcap.out b/test/results/flow-info/pgm.pcap.out index 9fda8eec8..99dbba2cd 100644 --- a/test/results/flow-info/pgm.pcap.out +++ b/test/results/flow-info/pgm.pcap.out 
@@ -4,11 +4,13 @@ new: [.....1] [ip4][..113] [..10.244.64.154] -> [.....235.0.1.47] detected: [.....1] [ip4][..113] [..10.244.64.154] -> [.....235.0.1.47] [PGM][Network][Acceptable] analyse: [.....1] [ip4][..113] [..10.244.64.154] -> [.....235.0.1.47] [PGM][Network][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.841| 0.063| 0.156] - [IAT(c->s)...: 0.000| 0.841| 0.063| 0.156][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 70.000|1344.000| 203.200| 214.800][PKTLEN(s->c): 0.000| 0.000| 0.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.841| 0.063| 0.156|24250.839| 0.000] + [PKTLEN......: 70.000| 1344.000| 203.200| 214.800|46132.500| 4.600] [BINS(c->s)..: 0,1,9,12,2,1,2,1,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 840685,20786,25,36771,5581,109,6559,20,17008,16,14904,14731,16,37275,29,168236,95027,1618,67043,1565,11009,51225,29,243023,25455,15996,6391,15033,3510,84,240009,0] + [PKTLENS.....: 70,129,127,321,1344,206,126,130,170,285,252,333,179,131,227,313,129,141,148,128,129,144,146,145,128,135,133,134,133,135,126,127] idle: [.....1] [ip4][..113] [..10.244.64.154] -> [.....235.0.1.47] [PGM][Network][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/pinterest.pcap.out b/test/results/flow-info/pinterest.pcap.out index edea36e82..0289760ca 100644 --- a/test/results/flow-info/pinterest.pcap.out +++ b/test/results/flow-info/pinterest.pcap.out 
@@ -8,12 +8,14 @@ detection-update: [.....3] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33262] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][SocialNetwork][Fun] detection-update: [.....3] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33262] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][SocialNetwork][Fun] analyse: [.....3] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33262] -> [.....................64:ff9b::9765:7854][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.172| 0.014| 0.033] - [IAT(c->s)...: 0.000| 0.041| 0.007| 0.013][IAT(s->c)...: 0.000| 0.172| 0.020| 0.042] - [PKTLEN(c->s): 86.000| 603.000| 160.700| 149.900][PKTLEN(s->c): 86.000|1134.000| 569.900| 485.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.172| 0.014| 0.033| 1083.758| 0.000] + [PKTLEN......: 86.000| 1134.000| 378.100| 421.400|177613.600| 4.200] [BINS(c->s)..: 10,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,2,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,1,1,0,0,1,1,1,1] + [IATS........: 17629,17683,505,39969,1745,1,2,41182,41,13,234,2,175,23,26,7012,281,424,41621,1,1,33877,492,1,473,243,41960,172415,2,1,0,0] + [PKTLENS.....: 94,94,86,603,86,1134,1134,1134,86,86,86,1134,1134,168,86,86,86,179,185,451,86,86,344,86,152,86,86,124,86,1134,1134,563] detection-update: [.....3] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33262] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][SocialNetwork][Fun] new: [.....4] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38512] -> [.......................2a04:4e42:1d::84][..443] new: [.....5] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38514] -> [.......................2a04:4e42:1d::84][..443] 
@@ -43,12 +45,14 @@ new: [....11] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58726] -> [...............2a00:1450:4007:80b::2002][..443] [MIDSTREAM] new: [....12] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][34626] -> [.....................64:ff9b::acd9:13e2][..443] [MIDSTREAM] analyse: [.....4] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38512] -> [.......................2a04:4e42:1d::84][..443] [TLS.Pinterest][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.054| 0.008| 0.015] - [IAT(c->s)...: 0.000| 0.044| 0.007| 0.013][IAT(s->c)...: 0.000| 0.054| 0.009| 0.017] - [PKTLEN(c->s): 86.000|1040.000| 244.100| 244.000][PKTLEN(s->c): 86.000|1474.000| 589.000| 631.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.054| 0.008| 0.015| 223.156| 0.000] + [PKTLEN......: 86.000| 1474.000| 395.000| 486.900|237029.200| 4.100] [BINS(c->s)..: 9,1,1,1,0,0,0,0,2,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,4,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,1,1,0,0,1,0] + [IATS........: 29210,29304,461,30605,2146,1,1,1,32223,44,9,7,7205,255,2012,156,139,311,354,53871,1,222,1,43618,1326,1,1343,231,798,527,0,0] + [PKTLENS.....: 94,94,86,603,86,1474,1474,1474,1244,86,86,86,86,179,185,377,397,364,1040,342,86,86,86,344,86,152,86,86,86,124,1474,86] new: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47032] -> [......................2600:1901::7a0b::][..443] detected: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47032] -> [......................2600:1901::7a0b::][..443] [TLS][Web][Safe] new: [....14] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40694] -> [...............2a00:1450:4007:816::2004][..443] 
@@ -58,40 +62,48 @@ detection-update: [....14] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40694] -> [...............2a00:1450:4007:816::2004][..443] [TLS.Google][Web][Acceptable] detected: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33280] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][SocialNetwork][Fun] analyse: [....14] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40694] -> [...............2a00:1450:4007:816::2004][..443] [TLS.Google][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.044| 0.009| 0.014] - [IAT(c->s)...: 0.000| 0.044| 0.008| 0.014][IAT(s->c)...: 0.000| 0.039| 0.011| 0.014] - [PKTLEN(c->s): 86.000| 603.000| 149.200| 137.000][PKTLEN(s->c): 86.000|1294.000| 396.200| 419.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.044| 0.009| 0.014| 199.945| 0.000] + [PKTLEN......: 86.000| 1294.000| 265.000| 327.800|107441.100| 4.200] [BINS(c->s)..: 12,1,2,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,1,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,1,1,1,0,0,0,1,0,0,1] + [IATS........: 26021,26034,177,34476,9474,43788,3,51,24,2375,110,130,39176,1,238,310,37117,263,3095,2873,7183,1,7144,49,3,681,625,589,26257,0,0,0] + [PKTLENS.....: 94,94,86,603,86,1294,1294,86,86,303,86,150,178,409,86,86,86,666,86,117,117,86,507,832,281,86,86,86,125,86,125,86] detection-update: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33280] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][SocialNetwork][Fun] detection-update: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33280] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][SocialNetwork][Fun] new: [....16] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57050] -> 
[......................2a04:4e42:1d::720][..443] analyse: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47032] -> [......................2600:1901::7a0b::][..443] [TLS][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.133| 0.017| 0.031] - [IAT(c->s)...: 0.000| 0.133| 0.014| 0.032][IAT(s->c)...: 0.000| 0.094| 0.021| 0.027] - [PKTLEN(c->s): 86.000| 603.000| 185.200| 170.400][PKTLEN(s->c): 86.000|1294.000| 501.000| 523.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.133| 0.017| 0.031| 941.058| 0.000] + [PKTLEN......: 86.000| 1294.000| 323.400| 401.100|160869.700| 4.200] [BINS(c->s)..: 11,1,2,0,1,0,0,0,0,0,0,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0] + [IATS........: 23500,23520,222,32278,1902,1,33966,35,25,324,242,8,1731,75,102,35078,5741,3731,1,42641,14,135,39228,93613,132689,1225,118,74,0,0,0,0] + [PKTLENS.....: 94,94,86,603,86,1294,1294,1294,86,86,86,1294,187,86,86,150,178,465,86,86,666,117,86,86,86,117,86,344,86,125,243,585] detected: [....16] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57050] -> [......................2a04:4e42:1d::720][..443] [TLS][Web][Safe] detection-update: [....16] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57050] -> [......................2a04:4e42:1d::720][..443] [TLS][Web][Safe] detection-update: [....16] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57050] -> [......................2a04:4e42:1d::720][..443] [TLS][Media][Safe] analyse: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33280] -> [.....................64:ff9b::9765:7854][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.090| 0.016| 0.023] - [IAT(c->s)...: 0.000| 0.090| 0.014| 0.025][IAT(s->c)...: 0.000| 0.050| 0.018| 0.020] - [PKTLEN(c->s): 86.000| 
603.000| 151.700| 138.300][PKTLEN(s->c): 86.000|1134.000| 478.000| 456.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.090| 0.016| 0.023| 544.707| 0.000] + [PKTLEN......: 86.000| 1134.000| 314.800| 374.800|140490.000| 4.200] [BINS(c->s)..: 11,1,1,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,2,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,0] + [IATS........: 39835,39893,388,39880,1850,1,41296,35,60,18,4,565,563,29,2922,2605,564,39805,119,1086,1924,36819,15,203,49740,40102,89623,0,0,0,0,0] + [PKTLENS.....: 94,94,86,603,86,1134,1134,86,86,1134,1134,86,86,1134,168,86,86,179,185,382,86,86,86,344,152,86,86,124,86,530,260,86] detection-update: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33280] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][SocialNetwork][Fun] analyse: [....16] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57050] -> [......................2a04:4e42:1d::720][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.050| 0.009| 0.016] - [IAT(c->s)...: 0.000| 0.050| 0.008| 0.016][IAT(s->c)...: 0.000| 0.050| 0.011| 0.017] - [PKTLEN(c->s): 86.000| 603.000| 153.800| 147.400][PKTLEN(s->c): 86.000|1474.000| 871.600| 656.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.050| 0.009| 0.016| 268.348| 0.000] + [PKTLEN......: 86.000| 1474.000| 512.700| 595.900|355070.700| 4.100] [BINS(c->s)..: 12,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,8,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,1,1,1,0,0,0,1] + [IATS........: 
50290,50337,220,31719,3102,34561,13,675,659,1179,1,1182,11,2643,116,155,32346,1,29460,6,548,1,514,15,6,589,0,0,0,0,0,0] + [PKTLENS.....: 94,94,86,603,86,1474,1474,86,86,1474,86,1474,1219,86,86,179,185,454,86,86,86,344,152,86,86,1474,1474,1474,86,86,86,1474] detection-update: [....16] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57050] -> [......................2a04:4e42:1d::720][..443] [TLS][Media][Safe] new: [....17] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51582] -> [...............2a00:1450:4007:816::2003][..443] detected: [....17] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51582] -> [...............2a00:1450:4007:816::2003][..443] [TLS.Google][Web][Acceptable] 
@@ -103,26 +115,32 @@ detection-update: [....18] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54416] -> [...............2a00:1450:4007:806::200e][..443] [TLS.Google][Web][Acceptable] detection-update: [....19] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51292] -> [.........2a03:2880:f030:13:face:b00c::3][..443] [TLS.Facebook][SocialNetwork][Fun] analyse: [....17] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51582] -> [...............2a00:1450:4007:816::2003][..443] [TLS.Google][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.077| 0.017| 0.027] - [IAT(c->s)...: 0.000| 0.077| 0.013| 0.027][IAT(s->c)...: 0.000| 0.077| 0.022| 0.027] - [PKTLEN(c->s): 86.000| 603.000| 148.200| 140.700][PKTLEN(s->c): 86.000|1294.000| 694.900| 550.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.077| 0.017| 0.027| 751.406| 0.000] + [PKTLEN......: 86.000| 1294.000| 421.600| 486.000|236213.000| 4.200] [BINS(c->s)..: 12,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0] + [IATS........: 76818,76867,1845,47286,29961,75361,6,2,2110,577,1618,47934,88,1,1,1,1,43713,12,4,2,3,3,4,0,0,0,0,0,0,0,0] + [PKTLENS.....: 94,94,86,603,86,1294,1294,356,86,86,86,150,178,400,86,86,86,666,117,484,1294,1294,1294,1294,1294,86,86,86,86,86,86,86] analyse: [....18] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54416] -> [...............2a00:1450:4007:806::200e][..443] [TLS.Google][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.079| 0.014| 0.022] - [IAT(c->s)...: 0.000| 0.079| 0.014| 0.024][IAT(s->c)...: 0.000| 0.070| 0.014| 0.021] - [PKTLEN(c->s): 86.000| 603.000| 146.800| 134.600][PKTLEN(s->c): 86.000|1294.000| 725.400| 553.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 
0.000| 0.079| 0.014| 0.022| 503.587| 0.000] + [PKTLEN......: 86.000| 1294.000| 436.100| 496.100|246097.600| 4.200] [BINS(c->s)..: 12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,1,1,1,1,0,0,0,0,1,1] + [IATS........: 51607,51735,639,27991,20462,1,47699,14,8,3349,184,136,69956,1,28,13172,79486,329,8681,8388,16746,3,2,2,16717,40,14,21,164,2,0,0] + [PKTLENS.....: 94,94,86,603,86,1294,1294,326,86,86,86,150,178,347,86,86,86,666,86,117,117,86,1002,1294,1294,1294,86,86,86,86,1294,1294] analyse: [....19] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51292] -> [.........2a03:2880:f030:13:face:b00c::3][..443] [TLS.Facebook][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.093| 0.012| 0.022] - [IAT(c->s)...: 0.000| 0.065| 0.012| 0.019][IAT(s->c)...: 0.000| 0.093| 0.012| 0.026] - [PKTLEN(c->s): 86.000| 603.000| 161.300| 135.000][PKTLEN(s->c): 86.000|1466.000| 444.000| 491.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.093| 0.012| 0.022| 484.499| 0.000] + [PKTLEN......: 86.000| 1466.000| 285.000| 368.400|135732.300| 4.200] [BINS(c->s)..: 12,0,2,1,0,0,0,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,2,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,1,1,1,0,0,0,0,0] + [IATS........: 26987,27077,236,32338,1,32042,17,3873,399,116,64739,93180,2,1,290,2,3,2,24343,46,12,9,157,3,2,82,23,41,4388,39879,0,0] + [PKTLENS.....: 94,94,86,603,86,1466,993,86,86,150,178,344,344,86,86,86,265,166,130,667,86,86,86,86,497,1466,128,86,86,86,117,213] new: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][60340] -> 
[......2a03:2880:f11f:83:face:b00c::25de][..443] detected: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][60340] -> [......2a03:2880:f11f:83:face:b00c::25de][..443] [TLS.Facebook][SocialNetwork][Fun] new: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47790] -> [...............2a00:1450:4007:816::200a][..443] 
@@ -132,36 +150,44 @@ new: [....22] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43562] -> [...............2a00:1450:4007:805::2003][..443] [MIDSTREAM] detected: [....22] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43562] -> [...............2a00:1450:4007:805::2003][..443] [TLS][Web][Safe] analyse: [....22] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43562] -> [...............2a00:1450:4007:805::2003][..443] [TLS][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.029| 0.002| 0.007] - [IAT(c->s)...: 0.000| 0.029| 0.004| 0.009][IAT(s->c)...: 0.000| 0.023| 0.002| 0.006] - [PKTLEN(c->s): 86.000| 244.000| 117.200| 59.000][PKTLEN(s->c): 86.000|1294.000|1001.600| 493.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.029| 0.002| 0.007| 49.867| 0.000] + [PKTLEN......: 86.000| 1294.000| 752.800| 578.200|334348.700| 4.500] [BINS(c->s)..: 7,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,1,0,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,1,1,1,0,1,1,1,1,0,0,1,1,0,1,1,1,1,0,0,1,1,1,1,1,0,1,1,1,1] + [IATS........: 202,23469,160,5107,2,28590,251,1,1,2,214,4,31,19,391,1,1,397,8,1304,1,1316,72,1,1,0,0,0,0,0,0,0] + [PKTLENS.....: 244,209,86,86,277,1294,86,1294,1294,1294,1294,86,86,1294,1294,86,1294,1294,1294,1294,86,86,1294,1294,251,125,213,86,1294,1294,1294,1294] new: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40894] -> [...............2a00:1450:4007:816::200d][..443] detected: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40894] -> [...............2a00:1450:4007:816::200d][..443] [TLS.Google][Web][Acceptable] detection-update: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40894] -> [...............2a00:1450:4007:816::200d][..443] [TLS.Google][Web][Acceptable] analyse: [....21] [ip6][..tcp] 
[2a01:cb01:2049:8b07:991d:ec85:28df:f629][47790] -> [...............2a00:1450:4007:816::200a][..443] [TLS.GoogleServices][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.486| 0.068| 0.273] - [IAT(c->s)...: 0.000| 1.486| 0.105| 0.357][IAT(s->c)...: 0.000| 0.055| 0.019| 0.019] - [PKTLEN(c->s): 86.000| 603.000| 161.800| 143.600][PKTLEN(s->c): 86.000|1294.000| 354.500| 415.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.486| 0.068| 0.273|74793.992| 0.000] + [PKTLEN......: 86.000| 1294.000| 252.100| 317.700|100919.600| 4.200] [BINS(c->s)..: 11,1,2,0,0,1,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,0] + [IATS........: 55481,55557,2604,45080,17803,15,60231,16,286,275,9398,2484,606,42880,228,1,30633,193,14864,14650,23014,23014,8,85,70,1606,29384,1485939,0,0,0,0] + [PKTLENS.....: 94,94,86,603,86,1294,1294,86,86,587,86,150,178,458,86,86,86,666,86,117,117,86,476,149,86,86,125,86,86,125,86,251] analyse: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40894] -> [...............2a00:1450:4007:816::200d][..443] [TLS.Google][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.043| 0.009| 0.013] - [IAT(c->s)...: 0.000| 0.040| 0.009| 0.013][IAT(s->c)...: 0.000| 0.043| 0.010| 0.013] - [PKTLEN(c->s): 86.000| 603.000| 146.400| 134.000][PKTLEN(s->c): 86.000|1294.000| 719.100| 550.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.043| 0.009| 0.013| 174.232| 0.000] + [PKTLEN......: 86.000| 1294.000| 432.800| 492.400|242485.900| 4.200] [BINS(c->s)..: 12,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 
0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,1,1,0,0,1,1,1,1,0,0] + [IATS........: 23434,23612,605,27825,5261,2,32335,48,7,3191,171,159,42968,880,1,157,40413,894,3393,2534,21369,1,21337,22,7799,1,1,7829,32,0,0,0] + [PKTLENS.....: 94,94,86,603,86,1294,1294,336,86,86,86,150,178,341,86,86,86,666,86,117,117,86,890,1294,86,86,1294,1294,1294,1294,86,86] analyse: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][60340] -> [......2a03:2880:f11f:83:face:b00c::25de][..443] [TLS.Facebook][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.522| 0.133| 0.377] - [IAT(c->s)...: 0.000| 1.490| 0.127| 0.367][IAT(s->c)...: 0.000| 1.522| 0.141| 0.386] - [PKTLEN(c->s): 86.000| 632.000| 187.800| 185.400][PKTLEN(s->c): 86.000|1466.000| 359.100| 464.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.522| 0.133| 0.377|141791.068| 0.000] + [PKTLEN......: 86.000| 1466.000| 273.400| 363.600|132225.800| 4.100] [BINS(c->s)..: 11,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,0,1,1,0,0,1,1,0,1] + [IATS........: 51050,51117,702,184290,1,183671,66,7538,8559,3870,48706,3,10603,1,1,39192,55,6,1700,5826,4025,34675,42375,77042,1489773,1522186,1,32460,71970,0,0,0] + [PKTLENS.....: 94,94,86,603,86,1466,994,86,86,150,178,456,86,86,86,257,166,117,86,86,86,117,121,86,86,506,86,632,86,121,86,1388] new: [....24] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56940] -> [......................2a04:4e42:1d::720][..443] [MIDSTREAM] new: [....25] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51472] -> [...............2a00:1450:4007:816::2003][..443] [MIDSTREAM] new: [....26] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54308] -> [...............2a00:1450:4007:806::200e][..443] [MIDSTREAM] 
@@ -181,31 +207,37 @@ detection-update: [....35] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38546] -> [.......................2a04:4e42:1d::84][..443] [TLS.Pinterest][SocialNetwork][Fun] detection-update: [....36] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][45126] -> [...............2a00:1450:4007:80a::200e][..443] [TLS.Google][Advertisement][Acceptable] analyse: [....36] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][45126] -> [...............2a00:1450:4007:80a::200e][..443] [TLS.Google][Advertisement][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.157| 0.019| 0.038] - [IAT(c->s)...: 0.000| 0.157| 0.015| 0.039][IAT(s->c)...: 0.000| 0.112| 0.024| 0.035] - [PKTLEN(c->s): 86.000| 603.000| 143.500| 131.700][PKTLEN(s->c): 86.000|1294.000| 748.300| 539.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.157| 0.019| 0.038| 1426.179| 0.000] + [PKTLEN......: 86.000| 1294.000| 427.000| 486.700|236885.800| 4.200] [BINS(c->s)..: 13,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0] + [IATS........: 46894,46909,201,112030,45428,2,157269,9,5,2935,270,2964,37660,1,1100,1,32562,12,3,631,955,1,308,7,3,3,0,0,0,0,0,0] + [PKTLENS.....: 94,94,86,603,86,1294,1294,563,86,86,86,150,178,351,86,86,86,666,500,1294,86,86,86,117,1294,1294,1294,1294,86,86,86,86] analyse: [....35] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38546] -> [.......................2a04:4e42:1d::84][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.136| 0.027| 0.042] - [IAT(c->s)...: 0.000| 0.111| 0.023| 0.039][IAT(s->c)...: 0.000| 0.136| 0.032| 0.045] - [PKTLEN(c->s): 86.000| 603.000| 163.300| 138.400][PKTLEN(s->c): 86.000|1474.000| 692.800| 639.800] + [min|max|avg|stddev|variance|entropy] + 
[IAT.........: 0.000| 0.136| 0.027| 0.042| 1750.865| 0.000] + [PKTLEN......: 86.000| 1474.000| 444.600| 544.300|296293.800| 4.100] [BINS(c->s)..: 9,1,1,1,1,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,6,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,0,1,1,1,1] + [IATS........: 46509,46553,392,49783,3591,52945,10,1267,1,1272,3,2358,266,496,109019,1,1,105909,5,6,6499,35807,111148,135965,1,2,0,0,0,0,0,0] + [PKTLENS.....: 94,94,86,603,86,1474,1474,86,86,1474,1244,86,86,179,185,352,86,86,344,152,86,584,86,86,86,124,86,224,86,1474,1474,1474] detection-update: [....35] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38546] -> [.......................2a04:4e42:1d::84][..443] [TLS.Pinterest][SocialNetwork][Fun] new: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40114] -> [.....................64:ff9b::9765:7a6e][..443] detected: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40114] -> [.....................64:ff9b::9765:7a6e][..443] [TLS][Web][Safe] detection-update: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40114] -> [.....................64:ff9b::9765:7a6e][..443] [TLS][Web][Safe] detection-update: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40114] -> [.....................64:ff9b::9765:7a6e][..443] [TLS][Media][Safe] analyse: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40114] -> [.....................64:ff9b::9765:7a6e][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.045| 0.007| 0.012] - [IAT(c->s)...: 0.000| 0.045| 0.007| 0.013][IAT(s->c)...: 0.000| 0.037| 0.007| 0.012] - [PKTLEN(c->s): 86.000| 603.000| 150.100| 135.700][PKTLEN(s->c): 86.000|1134.000| 633.300| 504.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.045| 0.007| 0.012| 147.627| 0.000] + [PKTLEN......: 
86.000| 1134.000| 391.700| 441.200|194656.500| 4.200] [BINS(c->s)..: 11,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1,0,0,0,1,1,1] + [IATS........: 20965,21014,506,37100,8905,1,45476,39,2004,2,1,1,1959,29,12,7,90,33,7803,454,394,31006,1,387,1,22756,38,359,8296,2575,2,0] + [PKTLENS.....: 94,94,86,603,86,1134,1134,86,86,1134,1134,1134,1134,86,86,86,86,127,86,179,185,356,86,86,344,152,86,86,124,86,1134,1134] detection-update: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40114] -> [.....................64:ff9b::9765:7a6e][..443] [TLS][Media][Safe] guessed: [.....2] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40876] -> [...............2a00:1450:4007:807::200a][..443] [TLS][Web][Safe] idle: [.....2] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40876] -> [...............2a00:1450:4007:807::200a][..443] diff --git a/test/results/flow-info/pop3_stls.pcap.out b/test/results/flow-info/pop3_stls.pcap.out index f220f8117..c5715ef6f 100644 --- a/test/results/flow-info/pop3_stls.pcap.out +++ b/test/results/flow-info/pop3_stls.pcap.out 
@@ -11,12 +11,14 @@ detection-update: [.....1] [ip4][..tcp] [..192.168.20.18][50583] -> [...72.249.41.52][..110] [POPS][Email][Safe] RISK: Known Proto on Non Std Port, Obsolete TLS (v1.1 or older) analyse: [.....1] [ip4][..tcp] [..192.168.20.18][50583] -> [...72.249.41.52][..110] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 2.072| 0.263| 0.525] - [IAT(c->s)...: 0.007| 2.072| 0.337| 0.592][IAT(s->c)...: 0.000| 2.003| 0.216| 0.472] - [PKTLEN(c->s): 54.000| 368.000| 104.800| 87.300][PKTLEN(s->c): 60.000|1514.000| 346.800| 513.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 2.072| 0.263| 0.525|275477.529| 0.000] + [PKTLEN......: 54.000| 1514.000| 248.500| 417.000|173868.900| 3.800] [BINS(c->s)..: 9,2,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,4,0,0,1,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1,0,0,1,1,0,1,1,0,1,1,0,1,0,1] + [IATS........: 68193,68972,68661,120626,119751,1003135,1075317,72544,524,70840,70284,69545,70981,215,69915,69104,262,69187,6957,114416,36010,229437,154000,2002867,2072094,69067,658,117241,116699,68875,75810,0] + [PKTLENS.....: 66,66,54,65,60,60,82,60,60,203,60,91,222,1514,1514,54,1514,414,54,368,60,292,85,60,107,85,60,222,98,103,96,103] detection-update: [.....1] [ip4][..tcp] [..192.168.20.18][50583] -> [...72.249.41.52][..110] [POPS][Email][Safe] RISK: Known Proto on Non Std Port, Obsolete TLS (v1.1 or older) end: [.....1] [ip4][..tcp] [..192.168.20.18][50583] -> [...72.249.41.52][..110] [POPS][Email][Safe] diff --git a/test/results/flow-info/pps.pcap.out b/test/results/flow-info/pps.pcap.out index 5180733f9..dffbdd8cc 100644 --- a/test/results/flow-info/pps.pcap.out +++ b/test/results/flow-info/pps.pcap.out 
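Review bot: The new variance column on the `[IAT.........:` line appears to be in a different unit from the stddev printed beside it: in this hunk stddev is 0.525 (seconds) but variance reads 275477.529, which matches 525² in milliseconds rather than 0.525² ≈ 0.276 s², and the same mismatch shows in every other hunk in this chunk (e.g. the quic_t51 hunk prints stddev 5.210 next to variance 27140724.621). The code that formats this line is outside this diff, so this is inferred from the fixture values only; if the columns are meant to share a unit, the variance should be emitted as stddev² in seconds, or the `[min|max|avg|stddev|variance|entropy]` header should name the unit. A second observation worth checking before these values are locked in as expected results: the IAT entropy column is 0.000 for every flow here while the PKTLEN entropy varies, which looks more like a degenerate input to the entropy calculation than a property of the captures.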
@@ -9,39 +9,47 @@ new: [.....6] [ip4][..udp] [..192.168.115.8][22793] -> [.111.249.53.196][32443] new: [.....7] [ip4][..udp] [..192.168.115.8][22793] -> [219.228.107.156][.1250] analyse: [.....1] [ip4][..udp] [....1.173.5.226][22636] -> [..192.168.115.8][22793] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.014| 0.003| 0.004] - [IAT(c->s)...: 0.001| 0.014| 0.004| 0.004][IAT(s->c)...: 0.000| 0.013| 0.002| 0.004] - [PKTLEN(c->s): 1107.000|1107.000|1107.000| 0.000][PKTLEN(s->c): 79.000| 79.000| 79.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.014| 0.003| 0.004| 16.289| 0.000] + [PKTLEN......: 79.000| 1107.000| 400.200| 476.500|227043.400| 4.000] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,0,0,1,1,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1] + [IATS........: 306,331,2951,1986,4674,337,125,2,561,612,2012,866,221,1880,1060,119,11920,11824,91,13556,13473,115,2750,2611,216,1278,998,122,1608,1850,320,0] + [PKTLENS.....: 1107,79,79,1107,1107,79,79,79,79,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79] not-detected: [.....1] [ip4][..udp] [....1.173.5.226][22636] -> [..192.168.115.8][22793] [Unknown][Unrated] analyse: [.....3] [ip4][..udp] [..192.168.115.8][22793] -> [...114.42.0.158][.7716] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.013| 0.002| 0.004] - [IAT(c->s)...: 0.000| 0.013| 0.002| 0.003][IAT(s->c)...: 0.001| 0.013| 0.004| 0.004] - [PKTLEN(c->s): 79.000| 79.000| 79.000| 0.000][PKTLEN(s->c): 1107.000|1107.000|1107.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.013| 0.002| 0.004| 13.731| 0.000] + [PKTLEN......: 79.000| 1107.000| 400.200| 476.500|227043.400| 4.000] [BINS(c->s)..: 
0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] + [IATS........: 314,12554,12553,190,1137,940,141,1586,1472,244,2060,1844,332,694,598,286,1704,1051,140,3586,5819,415,11908,9064,111,1248,1392,110,1452,1075,107,0] + [PKTLENS.....: 79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79] not-detected: [.....3] [ip4][..udp] [..192.168.115.8][22793] -> [...114.42.0.158][.7716] [Unknown][Unrated] new: [.....8] [ip4][..udp] [.183.228.182.44][13913] -> [..192.168.115.8][22793] analyse: [.....2] [ip4][..udp] [..118.171.15.56][.5544] -> [..192.168.115.8][22793] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.027| 0.009| 0.008] - [IAT(c->s)...: 0.005| 0.027| 0.015| 0.007][IAT(s->c)...: 0.000| 0.024| 0.006| 0.007] - [PKTLEN(c->s): 1107.000|1107.000|1107.000| 0.000][PKTLEN(s->c): 79.000| 79.000| 79.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.027| 0.009| 0.008| 71.240| 0.000] + [PKTLEN......: 79.000| 1107.000| 400.200| 476.500|227043.400| 4.000] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,1,1,0,1,1,0] + [IATS........: 354,233,4927,176,24291,18871,121,5388,6873,160,19127,17570,126,13829,13759,135,13082,15439,116,26979,24414,172,9012,10973,385,1993,887,14115,8282,98,12123,0] + [PKTLENS.....: 1107,79,79,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107] not-detected: [.....2] [ip4][..udp] [..118.171.15.56][.5544] -> [..192.168.115.8][22793] 
[Unknown][Unrated] new: [.....9] [ip4][..tcp] [..192.168.115.8][50462] -> [.202.108.14.236][...80] [MIDSTREAM] new: [....10] [ip4][..tcp] [...192.168.5.15][65125] -> [.68.233.253.133][...80] [MIDSTREAM] analyse: [.....7] [ip4][..udp] [..192.168.115.8][22793] -> [219.228.107.156][.1250] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.070| 0.024| 0.021] - [IAT(c->s)...: 0.000| 0.046| 0.016| 0.017][IAT(s->c)...: 0.030| 0.070| 0.046| 0.016] - [PKTLEN(c->s): 79.000| 79.000| 79.000| 0.000][PKTLEN(s->c): 1107.000|1107.000|1107.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.070| 0.024| 0.021| 457.568| 0.000] + [PKTLEN......: 79.000| 1107.000| 336.000| 445.100|198147.000| 4.000] [BINS(c->s)..: 0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0] + [IATS........: 416,29926,29688,118,32027,32808,298,45715,281,69635,23035,67,41991,41569,116,35956,327,59526,23042,142,31796,32196,302,44442,309,68337,22748,167,30877,30767,160,0] + [PKTLENS.....: 79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79] not-detected: [.....7] [ip4][..udp] [..192.168.115.8][22793] -> [219.228.107.156][.1250] [Unknown][Unrated] new: [....11] [ip4][..udp] [..192.168.115.8][22793] -> [..218.61.39.103][17788] new: [....12] [ip4][..udp] [..192.168.115.8][22793] -> [...210.44.171.1][29702] 
@@ -70,12 +78,14 @@ new: [....35] [ip4][..udp] [..192.168.115.8][22793] -> [119.188.133.182][17788] new: [....36] [ip4][..udp] [..192.168.115.8][22793] -> [.183.61.167.104][17788] analyse: [.....4] [ip4][..udp] [..192.168.115.8][22793] -> [.222.197.138.12][.6956] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.108| 0.029| 0.031] - [IAT(c->s)...: 0.000| 0.079| 0.019| 0.025][IAT(s->c)...: 0.018| 0.108| 0.058| 0.027] - [PKTLEN(c->s): 79.000| 79.000| 79.000| 0.000][PKTLEN(s->c): 61.000|1107.000| 976.200| 345.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.108| 0.029| 0.031| 941.853| 0.000] + [PKTLEN......: 61.000| 1107.000| 303.300| 425.300|180865.500| 3.900] [BINS(c->s)..: 0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1] + [IATS........: 939,52844,52258,255,55452,67,77746,21970,217,78270,79276,484,437,117,46524,44383,93,18436,18537,325,35971,83,108044,71536,720,28274,507,45891,16142,358,33466,0] + [PKTLENS.....: 79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,79,79,1107,79,79,61] not-detected: [.....4] [ip4][..udp] [..192.168.115.8][22793] -> [.222.197.138.12][.6956] [Unknown][Unrated] new: [....37] [ip4][..tcp] [..192.168.115.8][50463] -> [.101.227.200.11][...80] [MIDSTREAM] detected: [....37] [ip4][..tcp] [..192.168.115.8][50463] -> [.101.227.200.11][...80] [HTTP.PPStream][Streaming][Fun] 
@@ -209,12 +219,14 @@ new: [....82] [ip4][..tcp] [..192.168.115.8][50504] -> [.202.108.14.236][...80] [MIDSTREAM] detected: [....82] [ip4][..tcp] [..192.168.115.8][50504] -> [.202.108.14.236][...80] [HTTP][Streaming][Acceptable] analyse: [....81] [ip4][..tcp] [..192.168.115.8][50505] -> [..223.26.106.19][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.036| 0.003| 0.009] - [IAT(c->s)...: 0.035| 0.035| 0.035| 0.000][IAT(s->c)...: 0.000| 0.036| 0.002| 0.007] - [PKTLEN(c->s): 198.000| 202.000| 200.000| 2.000][PKTLEN(s->c): 566.000|1314.000|1289.100| 134.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.036| 0.003| 0.009| 84.840| 0.000] + [PKTLEN......: 198.000| 1314.000| 1221.000| 293.900|86398.000| 4.900] [BINS(c->s)..: 0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,29,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] + [IATS........: 2901,35025,35765,2,54,1038,2,1,1,1,1,1,4098,1,1,1,1,557,2,1,1,4317,82,1,1,1,1,0,0,0,0,0] + [PKTLENS.....: 198,566,202,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314] new: [....83] [ip4][..udp] [...192.168.5.38][.1900] -> [239.255.255.250][.1900] detected: [....83] [ip4][..udp] [...192.168.5.38][.1900] -> [239.255.255.250][.1900] [SSDP][System][Acceptable] new: [....84] [ip4][..udp] [...192.168.5.41][50374] -> [239.255.255.250][.1900] 
@@ -256,12 +268,14 @@ new: [...102] [ip4][..tcp] [..192.168.115.8][50778] -> [..223.26.106.20][...80] [MIDSTREAM] detected: [...102] [ip4][..tcp] [..192.168.115.8][50778] -> [..223.26.106.20][...80] [HTTP.PPStream][Streaming][Fun] analyse: [...102] [ip4][..tcp] [..192.168.115.8][50778] -> [..223.26.106.20][...80] [HTTP.PPStream][Streaming][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.061| 0.005| 0.014] - [IAT(c->s)...: 0.000| 0.000| 0.000| 0.000][IAT(s->c)...: 0.000| 0.061| 0.005| 0.014] - [PKTLEN(c->s): 303.000| 303.000| 303.000| 0.000][PKTLEN(s->c): 1314.000|1314.000|1314.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.061| 0.005| 0.014| 183.828| 0.000] + [PKTLEN......: 303.000| 1314.000| 1282.400| 175.900|30943.100| 5.000] [BINS(c->s)..: 0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,31,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] + [IATS........: 61439,3,3,1,1,30336,2,1,1,25868,1,484,2,1,1,574,2,3519,3,772,1,1,1,1,1,2191,0,0,0,0,0,0] + [PKTLENS.....: 303,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314] new: [...103] [ip4][..udp] [..192.168.115.1][50945] -> [239.255.255.250][.1900] detected: [...103] [ip4][..udp] [..192.168.115.1][50945] -> [239.255.255.250][.1900] [SSDP][System][Acceptable] new: [...104] [ip4][..tcp] [..192.168.115.8][50779] -> [..111.206.22.77][...80] [MIDSTREAM] 
@@ -269,12 +283,14 @@ new: [...105] [ip4][..tcp] [..192.168.115.8][50780] -> [..223.26.106.20][...80] [MIDSTREAM] detected: [...105] [ip4][..tcp] [..192.168.115.8][50780] -> [..223.26.106.20][...80] [HTTP.PPStream][Streaming][Fun] analyse: [...105] [ip4][..tcp] [..192.168.115.8][50780] -> [..223.26.106.20][...80] [HTTP.PPStream][Streaming][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.063| 0.006| 0.016] - [IAT(c->s)...: 0.000| 0.000| 0.000| 0.000][IAT(s->c)...: 0.000| 0.063| 0.006| 0.016] - [PKTLEN(c->s): 303.000| 303.000| 303.000| 0.000][PKTLEN(s->c): 1314.000|1314.000|1314.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.063| 0.006| 0.016| 268.635| 0.000] + [PKTLEN......: 303.000| 1314.000| 1282.400| 175.900|30943.100| 5.000] [BINS(c->s)..: 0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,31,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] + [IATS........: 62853,7,1,1,1,1,28633,3,1,57886,1,1,29,1,1,276,1,311,1,3236,49,2,773,2,1,1,2,0,0,0,0,0] + [PKTLENS.....: 303,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314] update: [....55] [ip4][..udp] [...192.168.5.57][59648] -> [239.255.255.250][.1900] [SSDP][System][Acceptable] new: [...106] [ip4][..tcp] [..192.168.115.8][50781] -> [..223.26.106.20][...80] [MIDSTREAM] detected: [...106] [ip4][..tcp] [..192.168.115.8][50781] -> [..223.26.106.20][...80] [HTTP.PPStream][Streaming][Fun] diff --git a/test/results/flow-info/psiphon3.pcap.out b/test/results/flow-info/psiphon3.pcap.out index 47aaec341..aa7f1f574 100644 --- a/test/results/flow-info/psiphon3.pcap.out +++ b/test/results/flow-info/psiphon3.pcap.out 
@@ -9,12 +9,14 @@ detection-update: [.....1] [ip4][..tcp] [..192.168.0.103][40557] -> [.104.18.151.190][..443] [TLS.Psiphon][VPN][Acceptable] RISK: Missing SNI TLS Extn analyse: [.....1] [ip4][..tcp] [..192.168.0.103][40557] -> [.104.18.151.190][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.001| 0.046| 0.011| 0.012] - [IAT(c->s)...: 0.001| 0.046| 0.011| 0.014][IAT(s->c)...: 0.001| 0.026| 0.010| 0.008] - [PKTLEN(c->s): 40.000|1048.000| 155.400| 236.000][PKTLEN(s->c): 40.000|1500.000| 434.400| 539.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.001| 0.046| 0.011| 0.012| 137.508| 0.000] + [PKTLEN......: 40.000| 1500.000| 277.500| 421.900|177964.300| 3.800] [BINS(c->s)..: 10,1,3,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,2,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] + [DIRECTIONS..: 0,0,1,1,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0,0] + [IATS........: 6003,17375,14372,998,15961,7000,4998,3002,27963,1997,2998,1002,7002,25852,1389,4047,20760,1037,46102,1001,0,0,0,0,0,0,0,0,0,0,0,0] + [PKTLENS.....: 60,60,52,52,40,208,40,208,40,40,1500,1002,1500,1002,40,40,40,40,133,133,40,40,298,109,298,109,40,40,133,417,78,1048] detection-update: [.....1] [ip4][..tcp] [..192.168.0.103][40557] -> [.104.18.151.190][..443] [TLS.Psiphon][VPN][Acceptable] RISK: Missing SNI TLS Extn end: [.....1] [ip4][..tcp] [..192.168.0.103][40557] -> [.104.18.151.190][..443] [TLS.Psiphon][VPN][Acceptable] diff --git a/test/results/flow-info/quic-28.pcap.out b/test/results/flow-info/quic-28.pcap.out index 0fefa9cc9..3c6efc732 100644 --- a/test/results/flow-info/quic-28.pcap.out +++ b/test/results/flow-info/quic-28.pcap.out 
@@ -4,11 +4,13 @@ new: [.....1] [ip4][..udp] [.......10.9.0.2][60106] -> [..104.26.11.240][..443] detected: [.....1] [ip4][..udp] [.......10.9.0.2][60106] -> [..104.26.11.240][..443] [QUIC.Cloudflare][Web][Acceptable] analyse: [.....1] [ip4][..udp] [.......10.9.0.2][60106] -> [..104.26.11.240][..443] [QUIC.Cloudflare][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.021| 0.006| 0.007] - [IAT(c->s)...: 0.000| 0.021| 0.007| 0.007][IAT(s->c)...: 0.000| 0.020| 0.005| 0.007] - [PKTLEN(c->s): 85.000|1242.000| 372.500| 477.000][PKTLEN(s->c): 85.000|1239.000| 324.200| 385.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.021| 0.006| 0.007| 51.479| 0.000] + [PKTLEN......: 85.000| 1242.000| 343.800| 425.600|181138.200| 4.100] [BINS(c->s)..: 0,6,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,9,3,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,1,0,1,1,1,0,0,0,0,0,1,1,1,1,1,1,1,1,0,1,1,0,0,1,1,0,0,1] + [IATS........: 13634,13791,13932,1053,15111,1394,4,2,2195,342,15,8,10,14715,11,4,4,3,4,4,3,13849,1181,10523,11750,5487,19948,6547,20960,4038,19076,0] + [PKTLENS.....: 1242,89,1242,113,203,1242,1238,1239,259,152,103,85,85,168,112,557,85,85,110,85,85,85,85,85,700,85,147,85,859,85,122,86] idle: [.....1] [ip4][..udp] [.......10.9.0.2][60106] -> [..104.26.11.240][..443] [QUIC.Cloudflare][Web][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/quic-33.pcapng.out b/test/results/flow-info/quic-33.pcapng.out index b0e4588eb..4c09763f5 100644 --- a/test/results/flow-info/quic-33.pcapng.out +++ b/test/results/flow-info/quic-33.pcapng.out 
@@ -5,12 +5,14 @@ detected: [.....1] [ip6][..udp] [....................................::1][51430] -> [....................................::1][.4443] [QUIC][Web][Acceptable] RISK: Known Proto on Non Std Port, Missing SNI TLS Extn analyse: [.....1] [ip6][..udp] [....................................::1][51430] -> [....................................::1][.4443] [QUIC][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.003| 0.000| 0.001] - [IAT(c->s)...: 0.000| 0.003| 0.001| 0.001][IAT(s->c)...: 0.000| 0.003| 0.000| 0.001] - [PKTLEN(c->s): 115.000|1502.000| 454.300| 513.100][PKTLEN(s->c): 117.000|1502.000|1220.400| 491.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.003| 0.000| 0.001| 0.627| 0.000] + [PKTLEN......: 115.000| 1502.000| 1004.900| 605.000|366070.200| 4.700] [BINS(c->s)..: 0,4,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 0,3,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,15,0,0] + [DIRECTIONS..: 0,1,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1] + [IATS........: 2813,127,21,3446,599,267,22,367,71,407,38,1140,1379,530,25,290,50,285,35,19,16,16,16,16,15,17,16,46,17,16,16,0] + [PKTLENS.....: 1294,1294,805,1502,115,117,209,117,1294,1294,373,1502,501,245,117,117,117,117,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502] idle: [.....1] [ip6][..udp] [....................................::1][51430] -> [....................................::1][.4443] [QUIC][Web][Acceptable] RISK: Known Proto on Non Std Port, Missing SNI TLS Extn DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/quic-mvfst-22.pcap.out b/test/results/flow-info/quic-mvfst-22.pcap.out index a86e5454b..ce8549613 100644 --- a/test/results/flow-info/quic-mvfst-22.pcap.out +++ b/test/results/flow-info/quic-mvfst-22.pcap.out 
@@ -2,12 +2,14 @@ new: [.....1] [ip4][..udp] [......10.0.2.15][35601] -> [.....31.13.86.8][..443] detected: [.....1] [ip4][..udp] [......10.0.2.15][35601] -> [.....31.13.86.8][..443] [QUIC.Facebook][SocialNetwork][Fun] analyse: [.....1] [ip4][..udp] [......10.0.2.15][35601] -> [.....31.13.86.8][..443] [QUIC.Facebook][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 2.091| 0.169| 0.515] - [IAT(c->s)...: 0.000| 2.091| 0.226| 0.593][IAT(s->c)...: 0.000| 2.073| 0.135| 0.460] - [PKTLEN(c->s): 73.000|1274.000| 611.700| 550.200][PKTLEN(s->c): 66.000|1294.000| 641.800| 592.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 2.091| 0.169| 0.515|264779.547| 0.000] + [PKTLEN......: 66.000| 1294.000| 630.500| 577.000|332915.800| 4.300] [BINS(c->s)..: 1,3,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,3,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,3,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,1,1,0,0,0,1,1,0,1,0,1,0,0,0,0,1,1,0,1,1,1,1,1,1,0,1,1,1,1] + [IATS........: 6626,174,24,23,15783,192,68,25740,16544,24398,2090987,2072824,30640,212689,1822,115,243417,45,25374,21896,80671,49,21,8,9,96673,35817,60860,70,11,0,0] + [PKTLENS.....: 1274,1294,1294,235,95,1274,120,109,80,275,73,66,1142,70,74,612,1274,1235,70,70,74,66,1294,1294,1294,1294,98,79,66,1294,1294,1294] update: [.....1] [ip4][..udp] [......10.0.2.15][35601] -> [.....31.13.86.8][..443] [QUIC.Facebook][SocialNetwork][Fun] idle: [.....1] [ip4][..udp] [......10.0.2.15][35601] -> [.....31.13.86.8][..443] [QUIC.Facebook][SocialNetwork][Fun] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/quic-mvfst-22_decryption_error.pcap.out b/test/results/flow-info/quic-mvfst-22_decryption_error.pcap.out index d57c73e49..8b2f79faa 100644 --- a/test/results/flow-info/quic-mvfst-22_decryption_error.pcap.out +++ b/test/results/flow-info/quic-mvfst-22_decryption_error.pcap.out 
@@ -4,11 +4,13 @@ new: [.....1] [ip4][..udp] [..10.230.40.168][62196] -> [..94.97.225.146][..443] detected: [.....1] [ip4][..udp] [..10.230.40.168][62196] -> [..94.97.225.146][..443] [QUIC][Web][Acceptable] analyse: [.....1] [ip4][..udp] [..10.230.40.168][62196] -> [..94.97.225.146][..443] [QUIC][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.001| 0.003| 0.002| 0.001] - [IAT(c->s)...: 0.001| 0.001| 0.001| 0.000][IAT(s->c)...: 0.001| 0.003| 0.002| 0.001] - [PKTLEN(c->s): 60.000|1260.000| 385.200| 401.200][PKTLEN(s->c): 66.000|1280.000| 855.500| 517.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.001| 0.003| 0.002| 0.001| 0.889| 0.000] + [PKTLEN......: 60.000| 1280.000| 708.500| 531.100|282057.000| 4.500] [BINS(c->s)..: 0,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,3,0,0,0,0,0,3,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] + [IATS........: 1000,3000,1000,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [PKTLENS.....: 1260,106,106,106,698,698,698,60,60,60,66,66,66,261,261,261,400,400,400,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280] idle: [.....1] [ip4][..udp] [..10.230.40.168][62196] -> [..94.97.225.146][..443] [QUIC][Web][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/quic-v2-01.pcapng.out b/test/results/flow-info/quic-v2-01.pcapng.out index ee2c6e8e4..9a58a143d 100644 --- a/test/results/flow-info/quic-v2-01.pcapng.out +++ b/test/results/flow-info/quic-v2-01.pcapng.out 
@@ -5,12 +5,14 @@ detected: [.....1] [ip4][..udp] [...192.168.56.1][34229] -> [.192.168.56.198][.4443] [QUIC][Web][Acceptable] RISK: Known Proto on Non Std Port, Missing SNI TLS Extn analyse: [.....1] [ip4][..udp] [...192.168.56.1][34229] -> [.192.168.56.198][.4443] [QUIC][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.003| 0.000| 0.001] - [IAT(c->s)...: 0.000| 0.003| 0.001| 0.001][IAT(s->c)...: 0.000| 0.002| 0.000| 0.000] - [PKTLEN(c->s): 97.000|1482.000| 451.000| 513.900][PKTLEN(s->c): 97.000|1482.000|1278.700| 439.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.003| 0.000| 0.001| 0.343| 0.000] + [PKTLEN......: 97.000| 1482.000| 1045.900| 592.800|351417.000| 4.700] [BINS(c->s)..: 0,4,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0] [BINS(s->c)..: 0,2,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,18,0,0] + [DIRECTIONS..: 0,1,1,1,0,0,0,1,0,1,0,1,0,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,0,1] + [IATS........: 2220,34,85,2611,15,161,480,75,75,407,511,344,364,20,7,7,7,5,8,6,304,236,17,5,4,4,3,7,5,393,329,0] + [PKTLENS.....: 1294,1294,766,1482,445,1482,225,97,97,481,97,97,225,1482,1482,1482,1482,1482,1482,1482,1482,97,1482,1482,1482,1482,1482,1482,1482,1482,97,1482] idle: [.....1] [ip4][..udp] [...192.168.56.1][34229] -> [.192.168.56.198][.4443] [QUIC][Web][Acceptable] RISK: Known Proto on Non Std Port, Missing SNI TLS Extn DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/quic.pcap.out b/test/results/flow-info/quic.pcap.out index 895202c7b..5d9fa8bd0 100644 --- a/test/results/flow-info/quic.pcap.out +++ b/test/results/flow-info/quic.pcap.out 
@@ -4,12 +4,14 @@ new: [.....1] [ip4][..udp] [..192.168.1.109][57833] -> [.216.58.212.101][..443] detected: [.....1] [ip4][..udp] [..192.168.1.109][57833] -> [.216.58.212.101][..443] [QUIC.GMail][Email][Acceptable] analyse: [.....1] [ip4][..udp] [..192.168.1.109][57833] -> [.216.58.212.101][..443] [QUIC.GMail][Email][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 3.198| 0.584| 0.964] - [IAT(c->s)...: 0.015| 3.119| 0.603| 0.951][IAT(s->c)...: 0.000| 3.198| 0.565| 0.975] - [PKTLEN(c->s): 79.000|1392.000| 312.800| 392.500][PKTLEN(s->c): 61.000|1392.000| 333.300| 372.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 3.198| 0.584| 0.964|929164.558| 0.000] + [PKTLEN......: 61.000| 1392.000| 323.100| 382.900|146578.800| 4.200] [BINS(c->s)..: 0,8,0,1,1,1,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0] [BINS(s->c)..: 4,4,0,0,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,1,1,0,1,0,0,1,1,0,0,1,1,1,0,0,0,0,1,1,1,1,0,1,0,0,1,1,0] + [IATS........: 46000,60057,14787,65380,2487,93393,168067,168088,622738,681338,42,58036,3119141,3197585,40,12,54064,25544,1951118,28580,2034695,28303,25,7,56884,470823,496378,2190158,2289756,44685,126004,0] + [PKTLENS.....: 1392,478,1392,79,74,725,82,725,79,214,508,70,82,194,170,69,101,82,79,255,163,77,71,240,61,88,215,79,1190,77,758,469] DAEMON-EVENT: [Processed: 413 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....2] [ip4][..udp] [.......10.0.0.4][40134] -> [.......10.0.0.3][.6121] 
@@ -38,12 +40,14 @@ new: [....10] [ip4][..udp] [..192.168.1.109][35236] -> [.216.58.210.206][..443] detected: [....10] [ip4][..udp] [..192.168.1.109][35236] -> [.216.58.210.206][..443] [QUIC.YouTube][Media][Fun] analyse: [....10] [ip4][..udp] [..192.168.1.109][35236] -> [.216.58.210.206][..443] [QUIC.YouTube][Media][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.829| 0.062| 0.199] - [IAT(c->s)...: 0.000| 0.803| 0.087| 0.227][IAT(s->c)...: 0.000| 0.829| 0.048| 0.180] - [PKTLEN(c->s): 79.000|1392.000| 350.800| 478.600][PKTLEN(s->c): 75.000|1392.000|1184.400| 467.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.829| 0.062| 0.199|39440.069| 0.000] + [PKTLEN......: 75.000| 1392.000| 871.800| 620.800|385421.500| 4.500] [BINS(c->s)..: 0,8,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0] [BINS(s->c)..: 0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,16,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,1,0,0,1,0,1,1,1,0,1,1,1,0,0,1,1,0,1,1,1,0,1,0,1,1,1,0,1,1] + [IATS........: 565,35358,43,40485,132,24017,25957,16828,62,532,35459,51659,446,11,26638,25576,828641,25,803246,620,371,204,811,210,360,238,291,204,540,286,244,0] + [PKTLENS.....: 1392,387,1392,1392,1392,383,79,82,1392,75,75,85,1392,1392,1188,82,79,1392,1392,82,1392,1392,1392,82,1392,82,1392,1392,1392,82,1392,1392] idle: [.....7] [ip4][..udp] [..192.168.1.105][40030] -> [.216.58.201.227][..443] [QUIC.Google][Web][Acceptable] guessed: [.....4] [ip4][..udp] [..192.168.1.105][40461] -> [...172.217.16.3][..443] [Google][Web][Acceptable] idle: [.....4] [ip4][..udp] [..192.168.1.105][40461] -> [...172.217.16.3][..443] diff --git a/test/results/flow-info/quic046.pcap.out b/test/results/flow-info/quic046.pcap.out index 6d9015d0a..de26761c2 100644 --- a/test/results/flow-info/quic046.pcap.out +++ b/test/results/flow-info/quic046.pcap.out 
@@ -4,11 +4,13 @@ new: [.....1] [ip4][..udp] [..192.168.1.236][50587] -> [..216.58.206.86][..443] detected: [.....1] [ip4][..udp] [..192.168.1.236][50587] -> [..216.58.206.86][..443] [QUIC.YouTube][Media][Fun] analyse: [.....1] [ip4][..udp] [..192.168.1.236][50587] -> [..216.58.206.86][..443] [QUIC.YouTube][Media][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.029| 0.002| 0.006] - [IAT(c->s)...: 0.001| 0.021| 0.003| 0.006][IAT(s->c)...: 0.000| 0.029| 0.002| 0.007] - [PKTLEN(c->s): 70.000|1392.000| 387.000| 444.300][PKTLEN(s->c): 62.000|1392.000|1262.900| 377.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.029| 0.002| 0.006| 39.230| 0.000] + [PKTLEN......: 62.000| 1392.000| 907.100| 591.600|350034.900| 4.600] [BINS(c->s)..: 2,0,1,0,5,2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,0,1] + [IATS........: 987,559,560,557,592,573,584,606,710,21225,29469,423,216,240,242,250,248,254,253,253,237,265,240,242,256,252,6530,176,509,707,228,0] + [PKTLENS.....: 1392,574,128,201,199,199,200,199,205,202,1392,1392,269,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,70,62,1392,70,1392] idle: [.....1] [ip4][..udp] [..192.168.1.236][50587] -> [..216.58.206.86][..443] [QUIC.YouTube][Media][Fun] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/quic_q39.pcap.out b/test/results/flow-info/quic_q39.pcap.out index a77c5153f..9f5e9eeea 100644 --- a/test/results/flow-info/quic_q39.pcap.out +++ b/test/results/flow-info/quic_q39.pcap.out 
@@ -4,11 +4,13 @@ new: [.....1] [ip4][..udp] [.170.216.16.209][38620] -> [.21.157.183.227][..443] detected: [.....1] [ip4][..udp] [.170.216.16.209][38620] -> [.21.157.183.227][..443] [QUIC.YouTube][Media][Fun] analyse: [.....1] [ip4][..udp] [.170.216.16.209][38620] -> [.21.157.183.227][..443] [QUIC.YouTube][Media][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 6.515| 0.578| 1.532] - [IAT(c->s)...: 0.001| 6.185| 0.609| 1.508][IAT(s->c)...: 0.000| 6.515| 0.548| 1.553] - [PKTLEN(c->s): 83.000|1392.000| 940.600| 575.500][PKTLEN(s->c): 60.000|1392.000| 171.900| 320.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 6.515| 0.578| 1.532|2346988.339| 0.000] + [PKTLEN......: 60.000| 1392.000| 556.200| 603.700|364512.400| 4.100] [BINS(c->s)..: 0,4,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,9,0,0,0,0,0] [BINS(s->c)..: 4,10,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,1,1,0,0,1,1,1,0,0,0,1,0,0,1,0,1,0,1,0,1,0,1,0,0,1,1,1,1,0] + [IATS........: 8931,36678,89781,7,404130,1367,298294,119221,31,434781,6185342,12819,6514643,11351,11378,22730,702601,702694,435266,435159,11351,11442,16019,15861,397203,9235,397732,33897,93428,52,499948,0] + [PKTLENS.....: 1392,1174,77,1392,73,83,83,72,305,60,83,270,1392,78,1392,1392,75,1392,74,1392,76,1392,76,1392,76,1392,730,76,76,104,60,98] idle: [.....1] [ip4][..udp] [.170.216.16.209][38620] -> [.21.157.183.227][..443] [QUIC.YouTube][Media][Fun] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/quic_t51.pcap.out b/test/results/flow-info/quic_t51.pcap.out index a119f0396..818350ae2 100644 --- a/test/results/flow-info/quic_t51.pcap.out +++ b/test/results/flow-info/quic_t51.pcap.out 
@@ -4,12 +4,14 @@ new: [.....1] [ip4][..udp] [187.227.136.152][55356] -> [.211.247.147.90][..443] detected: [.....1] [ip4][..udp] [187.227.136.152][55356] -> [.211.247.147.90][..443] [QUIC.Google][Web][Acceptable] analyse: [.....1] [ip4][..udp] [187.227.136.152][55356] -> [.211.247.147.90][..443] [QUIC.Google][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 19.583| 2.165| 5.210] - [IAT(c->s)...: 0.002| 19.472| 2.583| 5.571][IAT(s->c)...: 0.000| 19.583| 1.863| 4.910] - [PKTLEN(c->s): 75.000|1392.000| 375.300| 484.200][PKTLEN(s->c): 67.000|1392.000| 510.200| 504.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 19.583| 2.165| 5.210|27140724.621| 0.000] + [PKTLEN......: 67.000| 1392.000| 451.200| 500.300|250315.800| 4.200] [BINS(c->s)..: 0,8,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0] [BINS(s->c)..: 7,0,0,1,0,0,0,1,1,0,0,0,0,1,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,3,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,1,1,0,0,0,1,1,0,0,1,1,1,1,0,0,0,1,1,1,1,0,0,0,1,1,1,1,0] + [IATS........: 5872,69285,110768,19,33,113561,2317,5835,79981,27,46402,10090862,10162287,246207,1361,7,331600,26165,19472426,19582580,120230,670,167,185037,26475,2999498,3090044,125889,1350,111,205624,0] + [PKTLENS.....: 1392,1392,1392,1392,1392,1254,83,83,115,68,658,75,1003,67,682,68,313,75,75,511,67,734,68,151,75,75,225,67,470,68,273,75] update: [.....1] [ip4][..udp] [187.227.136.152][55356] -> [.211.247.147.90][..443] [QUIC.Google][Web][Acceptable] idle: [.....1] [ip4][..udp] [187.227.136.152][55356] -> [.211.247.147.90][..443] [QUIC.Google][Web][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/quickplay.pcap.out b/test/results/flow-info/quickplay.pcap.out index fcdf76245..bee258994 100644 --- a/test/results/flow-info/quickplay.pcap.out +++ b/test/results/flow-info/quickplay.pcap.out 
@@ -34,12 +34,14 @@
 detected: [....14] [ip4][..tcp] [..10.54.169.250][42762] -> [203.205.129.101][...80] [HTTP_Proxy.QQ][Chat][Fun]
 RISK: Known Proto on Non Std Port
 analyse: [....11] [ip4][..tcp] [..10.54.169.250][52009] -> [...120.28.35.40][...80] [HTTP][Streaming][Acceptable]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.183| 5.871| 2.460| 1.331]
- [IAT(c->s)...: 0.183| 5.871| 2.249| 1.405][IAT(s->c)...: 0.646| 5.777| 2.715| 1.186]
- [PKTLEN(c->s): 500.000| 587.000| 520.400| 34.800][PKTLEN(s->c): 76.000|1456.000| 831.100| 469.800]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.183| 5.871| 2.460| 1.331|1772261.736| 0.000]
+ [PKTLEN......: 76.000| 1456.000| 656.400| 347.900|121006.600| 4.800]
 [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,13,1,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 [BINS(s->c)..: 1,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,1,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,0,1,2,0,0,0,0,0,2,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]
+ [IATS........: 2337891,2470825,5776550,5871155,324615,2084534,1689148,182557,2170257,2013275,645600,519622,2223724,2353455,480927,4401947,3911834,3909668,3936554,2356476,2338349,2619995,2626526,2264068,2270477,2391541,2349518,2604523,2641967,2224884,2252137,0]
+ [PKTLENS.....: 500,1456,500,240,585,502,1248,585,502,854,587,76,504,1268,585,502,158,502,658,502,1124,502,1208,502,348,502,1456,502,962,502,580,502]
 new: [....15] [ip4][..tcp] [..10.54.169.250][35670] -> [203.205.147.215][...80] [MIDSTREAM]
 detected: [....15] [ip4][..tcp] [..10.54.169.250][35670] -> [203.205.147.215][...80] [HTTP_Proxy.QQ][Chat][Fun]
 RISK: Known Proto on Non Std Port
diff --git a/test/results/flow-info/rdp.pcap.out b/test/results/flow-info/rdp.pcap.out
index 054d11376..a3fd4ad80 100644
--- a/test/results/flow-info/rdp.pcap.out
+++ b/test/results/flow-info/rdp.pcap.out
@@ -5,12 +5,14 @@
 detected: [.....1] [ip4][..tcp] [...172.16.2.185][52494] -> [..192.168.2.142][.3389] [RDP][RemoteAccess][Acceptable]
 RISK: Desktop/File Sharing
 analyse: [.....1] [ip4][..tcp] [...172.16.2.185][52494] -> [..192.168.2.142][.3389] [RDP][RemoteAccess][Acceptable]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 0.086| 0.035| 0.023]
- [IAT(c->s)...: 0.000| 0.083| 0.027| 0.024][IAT(s->c)...: 0.040| 0.086| 0.049| 0.012]
- [PKTLEN(c->s): 44.000| 616.000| 125.700| 154.000][PKTLEN(s->c): 44.000|1223.000| 217.800| 327.800]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 0.086| 0.035| 0.023| 533.403| 0.000]
+ [PKTLEN......: 44.000| 1223.000| 157.300| 233.300|54415.100| 4.100]
 [BINS(c->s)..: 12,3,1,2,0,1,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 [BINS(s->c)..: 3,4,1,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,0,1,1,0,0,1,0]
+ [IATS........: 42415,42485,360,46147,45785,5885,50430,44534,5170,48270,43112,41453,86174,44710,10166,53885,43706,302,43769,43467,297,43729,43444,307,149,43556,40251,83348,297,42450,42166,0]
+ [PKTLENS.....: 68,56,44,63,63,44,217,1223,44,170,95,44,130,335,44,616,132,44,149,77,44,535,199,44,85,81,44,84,44,85,88,44]
 end: [.....1] [ip4][..tcp] [...172.16.2.185][52494] -> [..192.168.2.142][.3389] [RDP][RemoteAccess][Acceptable]
 RISK: Desktop/File Sharing
 DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/reasm_crash_anon.pcapng.out b/test/results/flow-info/reasm_crash_anon.pcapng.out
index ffc310186..62716c65e 100644
--- a/test/results/flow-info/reasm_crash_anon.pcapng.out
+++ b/test/results/flow-info/reasm_crash_anon.pcapng.out
@@ -3,12 +3,14 @@
 DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
 new: [.....1] [ip4][..tcp] [192.168.145.147][51218] -> [...10.209.8.148][21999] [MIDSTREAM]
 analyse: [.....1] [ip4][..tcp] [192.168.145.147][51218] -> [...10.209.8.148][21999]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 30.166| 9.710| 14.065]
- [IAT(c->s)...: 0.000| 30.098| 6.841| 12.605][IAT(s->c)...: 0.001| 30.166| 16.723| 14.956]
- [PKTLEN(c->s): 68.000| 81.000| 73.100| 6.300][PKTLEN(s->c): 122.000| 793.000| 421.100| 330.000]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 30.166| 9.710| 14.065|197823744.180| 0.000]
+ [PKTLEN......: 68.000| 793.000| 171.000| 234.800|55144.500| 4.200]
 [BINS(c->s)..: 23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 [BINS(s->c)..: 0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,0,1,0,0,1,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,1,1,0,0,0,1,0]
+ [IATS........: 9,1510,1527,4,1248,1237,4,30097711,30099473,1765,3,1246,1236,30097518,8,30099327,1814,1237,30097422,1775,4,30101686,1241,30097498,30165638,1254,69395,30031106,8,30032779,1670,0]
+ [PKTLENS.....: 81,81,142,68,68,793,68,68,81,122,68,68,781,68,81,81,122,68,68,81,68,68,793,68,81,122,793,68,81,81,122,68]
 not-detected: [.....1] [ip4][..tcp] [192.168.145.147][51218] -> [...10.209.8.148][21999] [Unknown][Unrated]
 DAEMON-EVENT: [Processed: 93 pkts][ZLib][compressions: 0|diff: 0 / 0]
 DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 1|guessed: 0|detection-updates: 0|updates: 0]
diff --git a/test/results/flow-info/reasm_segv_anon.pcapng.out b/test/results/flow-info/reasm_segv_anon.pcapng.out
index 519c792df..4e097338f 100644
--- a/test/results/flow-info/reasm_segv_anon.pcapng.out
+++ b/test/results/flow-info/reasm_segv_anon.pcapng.out
@@ -13,12 +13,14 @@
 ERROR-EVENT: Captured packet size is smaller than expected packet size
 ERROR-EVENT: Captured packet size is smaller than expected packet size
 analyse: [.....1] [ip4][..udp] [...145.76.2.236][.2152] -> [...187.96.52.85][.2152] [GTP.GTP_U][Network][Acceptable]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 1.859| 0.305| 0.564]
- [IAT(c->s)...: 0.020| 1.859| 0.592| 0.678][IAT(s->c)...: 0.000| 1.799| 0.206| 0.480]
- [PKTLEN(c->s): 106.000| 122.000| 113.100| 5.900][PKTLEN(s->c): 90.000|1490.000|1255.600| 472.300]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 1.859| 0.305| 0.564|318078.976| 0.000]
+ [PKTLEN......: 90.000| 1490.000| 934.200| 651.300|424215.900| 4.500]
 [BINS(c->s)..: 0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 [BINS(s->c)..: 0,2,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,17,0,0]
+ [DIRECTIONS..: 0,0,0,1,1,1,1,1,1,1,1,1,1,0,1,0,1,1,1,1,1,1,1,0,0,0,1,1,1,0,1,1]
+ [IATS........: 396021,83822,1376171,124,2,2,1,3,2,2,113,124,1859119,964928,439709,439658,123,2,1,1,1,121,163901,20078,1615354,1799040,121,3,155764,155637,124,0]
+ [PKTLENS.....: 106,106,106,1490,1490,1490,1490,1490,1490,1490,1490,1490,1490,114,1490,114,1490,1490,1490,1490,1386,1490,1490,122,122,114,90,402,1178,114,90,402]
 ERROR-EVENT: Captured packet size is smaller than expected packet size
 ERROR-EVENT: Captured packet size is smaller than expected packet size
 ERROR-EVENT: Captured packet size is smaller than expected packet size
diff --git a/test/results/flow-info/reddit.pcap.out b/test/results/flow-info/reddit.pcap.out
index 058f74615..f55efabd5 100644
--- a/test/results/flow-info/reddit.pcap.out
+++ b/test/results/flow-info/reddit.pcap.out
@@ -16,19 +16,23 @@
 detection-update: [.....4] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56560] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
 detection-update: [.....4] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56560] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
 analyse: [.....1] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40028] -> [...............2a00:1450:4007:80a::200a][..443] [TLS.GoogleServices][Web][Acceptable]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 0.076| 0.015| 0.024]
- [IAT(c->s)...: 0.000| 0.075| 0.014| 0.023][IAT(s->c)...: 0.000| 0.076| 0.016| 0.025]
- [PKTLEN(c->s): 86.000| 910.000| 221.900| 258.800][PKTLEN(s->c): 86.000|1294.000| 368.200| 395.500]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 0.076| 0.015| 0.024| 570.611| 0.000]
+ [PKTLEN......: 86.000| 1294.000| 295.100| 342.100|117045.100| 4.300]
 [BINS(c->s)..: 11,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 [BINS(s->c)..: 7,1,1,0,0,0,1,0,0,1,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,1,1,0,0,1,1,1,1,1,1,1,0,0,0]
+ [IATS........: 24940,24984,493,75646,1,1,75219,11,11,8777,4975,582,741,37567,3490,25948,1187,485,1611,1121,59921,1,1,1,1,58810,38,10,0,0,0,0]
+ [PKTLENS.....: 94,94,86,603,86,1294,1294,586,86,86,86,150,178,910,724,86,666,86,86,117,86,117,86,86,398,436,299,125,153,86,86,86]
 analyse: [.....3] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56558] -> [.....................64:ff9b::9765:798c][..443]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 1.288| 0.099| 0.316]
- [IAT(c->s)...: 0.000| 1.288| 0.110| 0.340][IAT(s->c)...: 0.000| 1.229| 0.090| 0.295]
- [PKTLEN(c->s): 86.000| 603.000| 166.600| 154.800][PKTLEN(s->c): 86.000|1134.000| 606.100| 487.100]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 1.288| 0.099| 0.316|100085.416| 0.000]
+ [PKTLEN......: 86.000| 1134.000| 413.800| 437.600|191482.000| 4.300]
 [BINS(c->s)..: 9,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 [BINS(s->c)..: 6,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,0,1,0,0,1,1,1,0,1,1,1,1,1]
+ [IATS........: 33174,33242,863,66592,1,1,1,1,65678,11,9,6,13203,712,517,42062,2,27621,483,471,1369,59921,136,1228856,1287577,855,2,1,1,0,0,0]
+ [PKTLENS.....: 94,94,86,603,86,1134,1134,1134,601,86,86,86,86,179,185,459,86,344,86,86,152,86,124,86,86,1134,86,1134,1134,1134,217,1134]
 detection-update: [.....3] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56558] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
 new: [.....5] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56562] -> [.....................64:ff9b::9765:798c][..443]
 new: [.....6] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56564] -> [.....................64:ff9b::9765:798c][..443]
@@ -91,51 +95,61 @@
 detection-update: [....18] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56588] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
 detection-update: [....18] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56588] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
 analyse: [.....6] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56564] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 0.042| 0.008| 0.014]
- [IAT(c->s)...: 0.000| 0.040| 0.006| 0.013][IAT(s->c)...: 0.000| 0.042| 0.014| 0.017]
- [PKTLEN(c->s): 86.000|1474.000| 259.400| 294.700][PKTLEN(s->c): 86.000|1134.000| 485.600| 451.600]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 0.042| 0.008| 0.014| 206.884| 0.000]
+ [PKTLEN......: 86.000| 1474.000| 330.100| 366.700|134435.400| 4.300]
 [BINS(c->s)..: 8,1,1,4,2,0,2,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0]
 [BINS(s->c)..: 4,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,0,0,0,0,0]
+ [IATS........: 29904,29917,129,38003,2302,1,40177,45,72,17,3,2699,111,630,30,181,4,41517,1269,39145,1579,42,7307,1546,7292,2107,217,138,38,226,0,0]
+ [PKTLENS.....: 94,94,86,603,86,1134,1134,86,86,1134,606,86,86,179,185,375,405,1474,283,86,344,86,209,241,86,152,86,231,124,196,197,308]
 detection-update: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56592] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
 detection-update: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56592] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
 detection-update: [....19] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56590] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
 detection-update: [....19] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56590] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
 analyse: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56578] -> [.....................64:ff9b::9765:798c][..443]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 0.048| 0.010| 0.016]
- [IAT(c->s)...: 0.000| 0.039| 0.010| 0.015][IAT(s->c)...: 0.000| 0.048| 0.011| 0.017]
- [PKTLEN(c->s): 86.000| 603.000| 189.900| 166.700][PKTLEN(s->c): 86.000|1134.000| 629.900| 491.700]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 0.048| 0.010| 0.016| 264.552| 0.000]
+ [PKTLEN......: 86.000| 1134.000| 423.600| 435.500|189657.000| 4.300]
 [BINS(c->s)..: 8,2,1,1,0,0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 [BINS(s->c)..: 6,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,1,1,0,1,1,1,0,0,1,1,1,1,1,1]
+ [IATS........: 38700,38720,198,38531,1,38345,41,14,329,334,4,2216,2804,187,210,6465,48292,2910,39329,6844,2704,1,9551,251,801,2129,1,0,0,0,0,0]
+ [PKTLENS.....: 94,94,86,603,86,1134,86,1134,86,1134,616,86,86,179,185,450,482,129,86,344,86,86,86,152,86,124,86,1134,1134,1134,1134,1134]
 detection-update: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56578] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
 analyse: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56582] -> [.....................64:ff9b::9765:798c][..443]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 0.060| 0.011| 0.020]
- [IAT(c->s)...: 0.000| 0.057| 0.009| 0.018][IAT(s->c)...: 0.000| 0.060| 0.015| 0.022]
- [PKTLEN(c->s): 86.000| 603.000| 178.400| 151.100][PKTLEN(s->c): 86.000|1134.000| 462.200| 445.200]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 0.060| 0.011| 0.020| 392.540| 0.000]
+ [PKTLEN......: 86.000| 1134.000| 311.400| 353.700|125114.100| 4.300]
 [BINS(c->s)..: 10,1,1,1,1,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 [BINS(s->c)..: 7,0,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,1,1,1,0,1,1,1,1,1,1,0,0,0,0]
+ [IATS........: 36077,36109,144,41300,1,41154,44,17,686,689,5,2344,1105,220,36,172,60278,1038,57438,31,1,25,34,2,940,0,0,0,0,0,0,0]
+ [PKTLENS.....: 94,94,86,603,86,1134,86,1134,86,1134,590,86,86,179,185,460,373,241,86,344,86,86,152,86,86,86,1134,701,86,86,86,124]
 detection-update: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56582] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
 analyse: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56592] -> [.....................64:ff9b::9765:798c][..443]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 0.052| 0.011| 0.020]
- [IAT(c->s)...: 0.000| 0.052| 0.010| 0.019][IAT(s->c)...: 0.000| 0.051| 0.011| 0.020]
- [PKTLEN(c->s): 86.000| 603.000| 155.700| 140.300][PKTLEN(s->c): 86.000|1134.000| 598.200| 489.700]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 0.052| 0.011| 0.020| 382.734| 0.000]
+ [PKTLEN......: 86.000| 1134.000| 377.000| 422.800|178733.300| 4.200]
 [BINS(c->s)..: 11,0,2,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 [BINS(s->c)..: 6,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,0,1,1,1,1,1,1,0,0,0,1,0,1]
+ [IATS........: 44627,44653,347,50980,1843,1,52464,10,3,2,2413,668,102,121,49031,1,45760,75,169,1186,1,1,1443,16,7,133,49,15,0,0,0,0]
+ [PKTLENS.....: 94,94,86,603,86,1134,1134,1134,616,86,86,86,86,179,185,403,167,86,344,86,86,86,152,86,1134,1132,86,86,86,1134,86,1134]
 detection-update: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56592] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
 new: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56594] -> [.....................64:ff9b::9765:798c][..443]
 detected: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56594] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
 detection-update: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56594] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
 detection-update: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56594] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
 analyse: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56594] -> [.....................64:ff9b::9765:798c][..443]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 0.092| 0.013| 0.024]
- [IAT(c->s)...: 0.000| 0.092| 0.011| 0.024][IAT(s->c)...: 0.000| 0.066| 0.017| 0.022]
- [PKTLEN(c->s): 86.000| 603.000| 149.900| 138.800][PKTLEN(s->c): 86.000|1134.000| 635.000| 486.500]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 0.092| 0.013| 0.024| 558.351| 0.000]
+ [PKTLEN......: 86.000| 1134.000| 377.300| 424.000|179781.300| 4.200]
 [BINS(c->s)..: 12,1,1,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 [BINS(s->c)..: 5,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0]
+ [IATS........: 25838,25880,395,66367,26055,91996,835,829,7,4,1579,121,254,42141,1,1,6209,2,1,46395,10,6,2,1,4,940,0,0,0,0,0,0]
+ [PKTLENS.....: 94,94,86,603,86,1134,86,1134,1134,637,86,86,86,179,185,417,86,86,86,360,152,1134,1134,1134,1134,86,86,86,86,86,86,124]
 detection-update: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56594] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun]
 new: [....22] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][50960] -> [...............2a00:1450:4007:805::2002][..443]
 new: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43492] -> [......................64:ff9b::df9:21c6][..443]
@@ -147,27 +161,33 @@
 detection-update: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43492] -> [......................64:ff9b::df9:21c6][..443] [TLS.Amazon][Web][Acceptable]
 detection-update: [....24] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38320] -> [.....................64:ff9b::6853:b3b6][..443] [TLS][Web][Safe]
 analyse: [....22] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][50960] -> [...............2a00:1450:4007:805::2002][..443] [TLS.GoogleServices][Web][Acceptable]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 0.044| 0.009| 0.015]
- [IAT(c->s)...: 0.000| 0.044| 0.008| 0.015][IAT(s->c)...: 0.000| 0.038| 0.010| 0.014]
- [PKTLEN(c->s): 86.000| 603.000| 146.800| 134.600][PKTLEN(s->c): 86.000|1294.000| 726.100| 542.400]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 0.044| 0.009| 0.015| 214.376| 0.000]
+ [PKTLEN......: 86.000| 1294.000| 436.500| 490.000|240053.700| 4.200]
 [BINS(c->s)..: 12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 [BINS(s->c)..: 6,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,0,1,0,0,1,1,0,1,0,1,1,0,0,1,1]
+ [IATS........: 31477,31507,233,36835,7050,43636,16,599,576,2431,165,135,37718,689,1069,36764,111,89,22,531,8580,9121,90,75,174,158,5,98,0,0,0,0]
+ [PKTLENS.....: 94,94,86,603,86,1294,1294,86,86,547,86,150,178,347,86,86,666,86,117,86,117,86,792,86,1294,86,1294,1294,86,86,1294,1294]
 analyse: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43492] -> [......................64:ff9b::df9:21c6][..443]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 0.051| 0.009| 0.016]
- [IAT(c->s)...: 0.000| 0.051| 0.008| 0.016][IAT(s->c)...: 0.000| 0.039| 0.011| 0.015]
- [PKTLEN(c->s): 86.000| 603.000| 143.100| 131.100][PKTLEN(s->c): 86.000|1474.000| 852.500| 668.500]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 0.051| 0.009| 0.016| 249.330| 0.000]
+ [PKTLEN......: 86.000| 1474.000| 475.600| 586.500|343946.100| 4.000]
 [BINS(c->s)..: 13,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 [BINS(s->c)..: 5,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,0,0,1,1,1,1,0,0,0,0]
+ [IATS........: 38538,38619,398,37312,14166,1,1,51019,20,3,2,2,2408,107,140,31274,2,1645,1,30239,111,3355,1,3233,8,2,2,0,0,0,0,0]
+ [PKTLENS.....: 94,94,86,603,86,1474,1474,1474,1474,401,86,86,86,86,86,150,178,344,86,86,86,157,86,117,1474,1474,1474,1474,86,86,86,86]
 detection-update: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43492] -> [......................64:ff9b::df9:21c6][..443] [TLS.Amazon][Web][Acceptable]
 analyse: [....24] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38320] -> [.....................64:ff9b::6853:b3b6][..443] [TLS][Web][Safe]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 0.072| 0.015| 0.019]
- [IAT(c->s)...: 0.000| 0.072| 0.014| 0.023][IAT(s->c)...: 0.000| 0.037| 0.016| 0.015]
- [PKTLEN(c->s): 86.000| 603.000| 153.100| 139.800][PKTLEN(s->c): 86.000|1474.000| 706.200| 645.000]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 0.072| 0.015| 0.019| 374.318| 0.000]
+ [PKTLEN......: 86.000| 1474.000| 446.900| 553.500|306346.900| 4.100]
 [BINS(c->s)..: 11,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 [BINS(s->c)..: 6,0,1,0,0,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,5,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,1,0,1,1,1,1,0]
+ [IATS........: 27356,27416,299,37313,35299,1,72269,38,3,2523,128,130,31242,2117,15088,1,45626,28,24,154,29754,10263,39831,697,1,666,0,0,0,0,0,0]
+ [PKTLENS.....: 94,94,86,603,86,1474,1474,324,86,86,86,166,178,364,86,86,86,357,357,156,86,86,86,117,86,1474,86,1459,1474,1459,1474,86]
 new: [....25] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51026] -> [.....................64:ff9b::acd9:12c2][..443]
 detected: [....25] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51026] -> [.....................64:ff9b::acd9:12c2][..443] [TLS.Google][Advertisement][Acceptable]
 new: [....26] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48240] -> [.....................64:ff9b::9765:789d][..443]
@@ -176,31 +196,37 @@
 detection-update: [....26] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48240] -> [.....................64:ff9b::9765:789d][..443] [TLS.Twitter][SocialNetwork][Fun]
 detection-update: [....26] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48240] -> [.....................64:ff9b::9765:789d][..443] [TLS.Twitter][SocialNetwork][Fun]
 analyse: [....25] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51026] -> [.....................64:ff9b::acd9:12c2][..443] [TLS.Google][Advertisement][Acceptable]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 0.049| 0.009| 0.015]
- [IAT(c->s)...: 0.000| 0.049| 0.008| 0.016][IAT(s->c)...: 0.000| 0.039| 0.011| 0.014]
- [PKTLEN(c->s): 86.000| 603.000| 147.600| 135.800][PKTLEN(s->c): 86.000|1474.000| 765.600| 644.000]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 0.049| 0.009| 0.015| 230.505| 0.000]
+ [PKTLEN......: 86.000| 1474.000| 456.600| 558.600|312025.400| 4.100]
 [BINS(c->s)..: 12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 [BINS(s->c)..: 6,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,0,0,0,1,0,1,1]
+ [IATS........: 27211,27234,262,32139,7460,39332,541,528,9,1876,115,75,39448,325,11758,49462,14,229,1909,2,1682,24,5,95,52,1631,0,0,0,0,0,0]
+ [PKTLENS.....: 94,94,86,603,86,1474,86,1474,188,86,86,150,178,360,86,86,86,666,117,86,86,117,522,1474,1474,86,86,86,1474,86,1474,1474]
 analyse: [....26] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48240] -> [.....................64:ff9b::9765:789d][..443]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 0.061| 0.009| 0.016]
- [IAT(c->s)...: 0.000| 0.061| 0.008| 0.017][IAT(s->c)...: 0.000| 0.047| 0.010| 0.015]
- [PKTLEN(c->s): 86.000| 603.000| 146.000| 132.000][PKTLEN(s->c): 86.000|1134.000| 639.300| 487.600]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 0.061| 0.009| 0.016| 263.464| 0.000]
+ [PKTLEN......: 86.000| 1134.000| 377.200| 425.800|181298.700| 4.200]
 [BINS(c->s)..: 12,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 [BINS(s->c)..: 5,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,1,1,1,1,0,1,0,0,1,1,1,1,0,0,0,0]
+ [IATS........: 30377,30415,332,47450,13993,61125,95,1,49,10,2,3286,115,139,30628,2061,91,29231,1271,1309,181,374,3,2,1,161,6,3,2,0,0,0]
+ [PKTLENS.....: 94,94,86,603,86,1134,86,1134,1134,718,86,86,86,179,185,351,86,86,86,344,86,152,86,124,1134,1134,1134,1134,86,86,86,86]
 detection-update: [....26] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48240] -> [.....................64:ff9b::9765:789d][..443] [TLS.Twitter][SocialNetwork][Fun]
 new: [....27] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39520] -> [...............2a00:1450:4007:816::2008][..443]
 detected: [....27] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39520] -> [...............2a00:1450:4007:816::2008][..443] [TLS.GoogleServices][Web][Acceptable]
 detection-update: [....27] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39520] -> [...............2a00:1450:4007:816::2008][..443] [TLS.GoogleServices][Web][Acceptable]
 new: [....28] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][32970] -> [.....................64:ff9b::6853:b3d1][..443]
 analyse: [....27] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39520] -> [...............2a00:1450:4007:816::2008][..443] [TLS.GoogleServices][Web][Acceptable]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 0.044| 0.009| 0.015]
- [IAT(c->s)...: 0.000| 0.044| 0.009| 0.015][IAT(s->c)...: 0.000| 0.038| 0.009| 0.015]
- [PKTLEN(c->s): 86.000| 603.000| 146.900| 134.800][PKTLEN(s->c): 86.000|1294.000| 712.600| 543.300]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 0.044| 0.009| 0.015| 214.690| 0.000]
+ [PKTLEN......: 86.000| 1294.000| 429.800| 486.500|236643.500| 4.200]
 [BINS(c->s)..: 12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 [BINS(s->c)..: 6,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,0,1,1,0,1,1,0,0,1,0,1,1]
+ [IATS........: 34309,34348,1675,38053,7520,1,43870,15,3,2990,179,332,37258,1,401,1,34144,24,176,2332,6921,9068,836,1,863,34,109,28,721,0,0,0]
+ [PKTLENS.....: 94,94,86,603,86,1294,1294,564,86,86,86,150,178,349,86,86,666,117,86,86,117,86,559,86,1294,1294,86,86,1294,86,1294,1294]
 detected: [....28] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][32970] -> [.....................64:ff9b::6853:b3d1][..443] [TLS][Web][Safe]
 new: [....29] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56782] -> [.....................64:ff9b::68f4:2ac8][..443]
 detected: [....29] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56782] -> [.....................64:ff9b::68f4:2ac8][..443] [TLS.Twitter][SocialNetwork][Fun]
@@ -221,20 +247,24 @@
 detection-update: [....29] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56782] -> [.....................64:ff9b::68f4:2ac8][..443] [TLS.Twitter][SocialNetwork][Fun]
 detection-update: [....29] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56782] -> [.....................64:ff9b::68f4:2ac8][..443] [TLS.Twitter][SocialNetwork][Fun]
 analyse: [....32] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48648] -> [...2620:116:800d:21:f916:5049:f87f:108e][..443]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 0.180| 0.022| 0.040]
- [IAT(c->s)...: 0.000| 0.094| 0.022| 0.033][IAT(s->c)...: 0.000| 0.180| 0.023| 0.046]
- [PKTLEN(c->s): 86.000| 603.000| 167.500| 141.700][PKTLEN(s->c): 86.000|1474.000| 754.300| 650.300]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 0.180| 0.022| 0.040| 1578.121| 0.000]
+ [PKTLEN......: 86.000| 1474.000| 460.900| 554.600|307585.900| 4.100]
 [BINS(c->s)..: 10,1,0,2,0,0,0,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 [BINS(s->c)..: 5,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,1,0,0,0,1,1,1,0,1,1,0,0,1,1,1]
+ [IATS........: 41345,41375,239,45639,16078,1,61463,16,3,3880,365,125,94049,180245,10480,2,92307,53,428,5467,8019,1891,14882,15513,1,15533,36,263,1,0,0,0]
+ [PKTLENS.....: 94,94,86,603,86,1474,1474,674,86,86,86,212,185,344,344,86,360,155,86,86,124,86,86,124,86,1474,1474,86,86,1474,1474,1474]
 detection-update: [....32] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48648] -> [...2620:116:800d:21:f916:5049:f87f:108e][..443] [TLS][Web][Safe]
 analyse: [....31] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54862] -> [...............2a00:1450:4007:806::200e][..443] [TLS.YouTube][Media][Fun]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 0.169| 0.024| 0.039]
- [IAT(c->s)...: 0.000| 0.092| 0.021| 0.032][IAT(s->c)...: 0.000| 0.169| 0.026| 0.046]
- [PKTLEN(c->s): 86.000| 603.000| 175.500| 166.700][PKTLEN(s->c): 86.000|1294.000| 673.200| 548.300]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 0.169| 0.024| 0.039| 1530.136| 0.000]
+ [PKTLEN......: 86.000| 1294.000| 408.800| 466.200|217386.300| 4.200]
 [BINS(c->s)..: 12,0,2,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 [BINS(s->c)..: 6,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,0,1,1,0,0,1,1,0,1,1,1,0,0,1,0,1]
+ [IATS........: 34819,34839,225,53032,4946,57771,466,435,8,5,3584,2043,379,91732,168765,1823,72847,231,970,1993,2727,14555,61747,2,76315,38,696,685,116,0,0,0]
+ [PKTLENS.....: 94,94,86,603,86,1294,86,1294,1294,286,86,86,86,150,178,491,491,86,666,86,117,86,117,86,86,827,1294,86,86,1294,86,1294]
 new: [....34] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51100] -> [.....................64:ff9b::d83a:d1e6][..443]
 new: [....35] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51102] -> [.....................64:ff9b::d83a:d1e6][..443]
 new: [....36] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56186] -> [...2600:9000:219c:ee00:6:44e3:f8c0:93a1][..443]
@@ -245,19 +275,23 @@ detection-update: [....35] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51102] -> [.....................64:ff9b::d83a:d1e6][..443] [TLS.Google][Advertisement][Acceptable] detection-update: [....36] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56186] -> [...2600:9000:219c:ee00:6:44e3:f8c0:93a1][..443] [TLS][Web][Safe] analyse: [....34] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51100] -> [.....................64:ff9b::d83a:d1e6][..443] [TLS.Google][Advertisement][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.043| 0.011| 0.015] - [IAT(c->s)...: 0.000| 0.043| 0.010| 0.015][IAT(s->c)...: 0.000| 0.041| 0.012| 0.014] - [PKTLEN(c->s): 86.000| 603.000| 164.300| 146.900][PKTLEN(s->c): 86.000|1474.000| 392.100| 493.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.043| 0.011| 0.015| 223.794| 0.000] + [PKTLEN......: 86.000| 1474.000| 264.000| 362.600|131502.000| 4.100] [BINS(c->s)..: 11,2,2,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,0,0,0,1,1,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,1] + [IATS........: 41079,41100,165,31856,11033,42730,469,1,470,25,2812,1299,93,34223,10205,1,40205,536,1458,1,938,16571,1,3,16547,20,17,4417,310,12670,24540,0] + [PKTLENS.....: 94,94,86,603,86,1474,86,1474,186,86,86,150,178,500,86,666,86,86,117,86,117,86,807,117,125,86,86,86,125,121,296,86] analyse: [....29] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56782] -> [.....................64:ff9b::68f4:2ac8][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.217| 0.048| 0.068] - [IAT(c->s)...: 0.000| 0.217| 0.046| 0.070][IAT(s->c)...: 0.000| 0.212| 0.051| 0.066] - [PKTLEN(c->s): 86.000| 603.000| 177.800| 145.300][PKTLEN(s->c): 86.000|1474.000| 367.000| 459.100] + [min|max|avg|stddev|variance|entropy] + 
[IAT.........: 0.000| 0.217| 0.048| 0.068| 4645.676| 0.000] + [PKTLEN......: 86.000| 1474.000| 272.400| 353.400|124913.600| 4.200] [BINS(c->s)..: 9,1,0,3,0,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,0,0,0,0,0,1,1,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,0,0,0,0,1,1,1,0,1,1,0,1,0,0,1,0,1,1,1,0,1] + [IATS........: 29231,29299,228,29539,187299,216552,332,326,7,1815,188,30,70254,211900,6516,1,182884,58339,20162,41757,64,46,873,11694,10868,9898,6233,112514,128634,76106,0,0] + [PKTLENS.....: 94,94,86,603,86,1474,86,1474,749,86,86,212,185,376,376,86,86,86,186,86,328,86,130,86,124,124,86,86,86,545,86,352] detection-update: [....29] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56782] -> [.....................64:ff9b::68f4:2ac8][..443] [TLS.Twitter][SocialNetwork][Fun] new: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39736] -> [.....2606:2800:134:1a0d:1429:742:782:b6][..443] detected: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39736] -> [.....2606:2800:134:1a0d:1429:742:782:b6][..443] [TLS.Twitter][SocialNetwork][Fun] 
@@ -267,12 +301,14 @@ detected: [....38] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54726] -> [...............2a00:1450:4007:808::2006][..443] [TLS.Google][Advertisement][Acceptable] detected: [....39] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57282] -> [...............2a00:1450:4007:805::2004][..443] [TLS.Google][Web][Acceptable] analyse: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39736] -> [.....2606:2800:134:1a0d:1429:742:782:b6][..443] [TLS.Twitter][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.051| 0.013| 0.018] - [IAT(c->s)...: 0.000| 0.051| 0.012| 0.019][IAT(s->c)...: 0.000| 0.043| 0.014| 0.017] - [PKTLEN(c->s): 86.000| 609.000| 188.000| 183.600][PKTLEN(s->c): 86.000|1294.000| 455.600| 494.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.051| 0.013| 0.018| 330.361| 0.000] + [PKTLEN......: 86.000| 1294.000| 321.800| 396.400|157103.100| 4.200] [BINS(c->s)..: 11,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,2,0,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1] + [IATS........: 43010,43065,309,41280,10189,51136,400,38397,3509,41489,471,1,468,4,62,52,2291,169,102,38533,1,35978,9,3,58,5162,2233,17560,249,0,0,0] + [PKTLENS.....: 94,94,86,603,86,185,86,609,86,1294,86,1294,1294,86,86,423,86,160,178,473,86,341,341,182,86,86,86,117,86,86,117,1294] detection-update: [....38] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54726] -> [...............2a00:1450:4007:808::2006][..443] [TLS.Google][Advertisement][Acceptable] new: [....40] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58122] -> [...............2a00:1450:4007:805::2001][..443] new: [....41] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][52296] -> [...............2a00:1450:4007:815::2016][..443] 
@@ -283,49 +319,59 @@ detected: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47304] -> [...............2a00:1450:4007:80c::2003][..443] [TLS.Google][Web][Acceptable] detected: [....40] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58122] -> [...............2a00:1450:4007:805::2001][..443] [TLS.YouTube][Media][Fun] analyse: [....39] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57282] -> [...............2a00:1450:4007:805::2004][..443] [TLS.Google][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.062| 0.010| 0.018] - [IAT(c->s)...: 0.000| 0.062| 0.010| 0.019][IAT(s->c)...: 0.000| 0.047| 0.010| 0.017] - [PKTLEN(c->s): 86.000| 603.000| 148.400| 137.000][PKTLEN(s->c): 86.000|1294.000| 705.100| 541.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.062| 0.010| 0.018| 322.960| 0.000] + [PKTLEN......: 86.000| 1294.000| 426.800| 483.300|233579.900| 4.200] [BINS(c->s)..: 12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,1,0,1,1,1,0,0,0,1,1] + [IATS........: 37391,37416,173,47446,15044,62320,24,361,320,2535,232,269,39947,114,2294,39328,242,2903,2650,782,796,254,1,2,253,13,20,95,1,0,0,0] + [PKTLENS.....: 94,94,86,603,86,1294,1294,86,86,303,86,150,178,372,86,86,86,666,86,117,511,86,1294,86,1294,1294,1294,86,86,86,1294,306] detected: [....41] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][52296] -> [...............2a00:1450:4007:815::2016][..443] [TLS.YouTube][Media][Fun] detection-update: [....40] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58122] -> [...............2a00:1450:4007:805::2001][..443] [TLS.YouTube][Media][Fun] detection-update: [....41] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][52296] -> [...............2a00:1450:4007:815::2016][..443] 
[TLS.YouTube][Media][Fun] detection-update: [....42] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47302] -> [...............2a00:1450:4007:80c::2003][..443] [TLS.Google][Web][Acceptable] detection-update: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47304] -> [...............2a00:1450:4007:80c::2003][..443] [TLS.Google][Web][Acceptable] analyse: [....40] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58122] -> [...............2a00:1450:4007:805::2001][..443] [TLS.YouTube][Media][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.069| 0.013| 0.024] - [IAT(c->s)...: 0.000| 0.069| 0.013| 0.023][IAT(s->c)...: 0.000| 0.069| 0.014| 0.025] - [PKTLEN(c->s): 86.000| 603.000| 155.800| 146.100][PKTLEN(s->c): 86.000|1294.000| 614.800| 528.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.069| 0.013| 0.024| 573.258| 0.000] + [PKTLEN......: 86.000| 1294.000| 399.700| 459.200|210886.500| 4.200] [BINS(c->s)..: 11,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,0,0,0,0,0,0,1,0,0,0,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1,0,0,1,1,0,0,1,1,1,1] + [IATS........: 63745,63780,224,68524,719,1,1,1,68993,14,7,6,49,23,8336,2581,2495,40185,1017,27807,170,1594,1,1430,17,147,1,0,0,0,0,0] + [PKTLENS.....: 94,94,86,603,86,1294,1294,1294,1294,86,86,86,86,483,86,150,178,421,86,666,86,86,86,117,117,517,86,86,1294,1294,342,125] analyse: [....42] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47302] -> [...............2a00:1450:4007:80c::2003][..443] [TLS.Google][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.073| 0.012| 0.021] - [IAT(c->s)...: 0.000| 0.073| 0.011| 0.021][IAT(s->c)...: 0.000| 0.066| 0.013| 0.021] - [PKTLEN(c->s): 86.000| 603.000| 154.400| 137.700][PKTLEN(s->c): 86.000|1294.000| 692.700| 552.800] + [min|max|avg|stddev|variance|entropy] + 
[IAT.........: 0.000| 0.073| 0.012| 0.021| 448.970| 0.000] + [PKTLEN......: 86.000| 1294.000| 423.500| 484.500|234727.200| 4.200] [BINS(c->s)..: 11,0,3,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,1,1,1,1,0,0,0,0,1,1] + [IATS........: 45331,45373,379,65680,8193,73480,42,21,5,12589,926,174,173,41157,1595,28896,105,3348,1,3744,1,1,6991,22,3,3,85,1,0,0,0,0] + [PKTLENS.....: 94,94,86,603,86,1294,86,1294,355,86,86,150,178,387,167,86,666,86,117,86,86,86,480,1294,1294,1294,86,86,86,86,1294,1294] analyse: [....41] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][52296] -> [...............2a00:1450:4007:815::2016][..443] [TLS.YouTube][Media][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.068| 0.014| 0.023] - [IAT(c->s)...: 0.000| 0.067| 0.013| 0.022][IAT(s->c)...: 0.000| 0.068| 0.015| 0.024] - [PKTLEN(c->s): 86.000| 603.000| 149.400| 138.800][PKTLEN(s->c): 86.000|1294.000| 719.600| 544.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.068| 0.014| 0.023| 533.315| 0.000] + [PKTLEN......: 86.000| 1294.000| 434.500| 488.800|238946.400| 4.200] [BINS(c->s)..: 12,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,0,1,0,1,0,1,1,1,1,0,0] + [IATS........: 63335,63360,1131,67787,769,1,1,67414,6,6,11732,1751,188,41623,368,28482,452,4153,1923,5466,17937,17942,106,77,226,1,229,7,0,0,0,0] + [PKTLENS.....: 94,94,86,603,86,1294,1294,765,86,86,86,150,178,389,86,666,86,117,86,86,117,86,470,86,1294,86,1294,1294,1294,1294,86,86] new: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56640] -> 
[.....................64:ff9b::9765:798c][..443] detected: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56640] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] detection-update: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56640] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] detection-update: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56640] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] analyse: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56640] -> [.....................64:ff9b::9765:798c][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.144| 0.017| 0.037] - [IAT(c->s)...: 0.000| 0.144| 0.015| 0.037][IAT(s->c)...: 0.000| 0.144| 0.019| 0.038] - [PKTLEN(c->s): 86.000| 603.000| 193.400| 178.700][PKTLEN(s->c): 86.000|1134.000| 361.000| 399.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.144| 0.017| 0.037| 1404.834| 0.000] + [PKTLEN......: 86.000| 1134.000| 277.200| 320.800|102914.800| 4.300] [BINS(c->s)..: 9,1,2,1,0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,1,1,0,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,0,0,1,1,0,0,0,0,1,1,1,1] + [IATS........: 25745,25768,203,144189,2,143997,4,71,1,41,7,2508,597,1253,49737,1,1,45397,18,103,1,65,704,437,888,38392,2516,1067,2238,0,0,0] + [PKTLENS.....: 94,94,86,603,86,1134,1134,86,86,1134,601,86,86,179,185,485,86,86,344,152,86,86,86,453,86,124,580,156,86,86,86,128] detection-update: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56640] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] new: [....45] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51006] -> 
[...............2a00:1450:4007:805::2002][..443] new: [....46] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][59336] -> [...............2a00:1450:4007:80b::2002][..443] 
@@ -341,19 +387,23 @@ detection-update: [....47] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46646] -> [.....................64:ff9b::345f:7ca5][..443] [TLS.Amazon][Web][Acceptable] detection-update: [....47] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46646] -> [.....................64:ff9b::345f:7ca5][..443] [TLS.Amazon][Web][Acceptable] analyse: [....46] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][59336] -> [...............2a00:1450:4007:80b::2002][..443] [TLS.Google][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.046| 0.008| 0.012] - [IAT(c->s)...: 0.000| 0.046| 0.007| 0.012][IAT(s->c)...: 0.000| 0.037| 0.008| 0.012] - [PKTLEN(c->s): 86.000| 603.000| 146.500| 132.200][PKTLEN(s->c): 86.000|1294.000| 461.300| 471.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.046| 0.008| 0.012| 155.374| 0.000] + [PKTLEN......: 86.000| 1294.000| 294.100| 371.700|138197.800| 4.200] [BINS(c->s)..: 12,1,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,1,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,0,0,0,0,1] + [IATS........: 18528,18557,358,37185,9026,1,2,1,45875,10,14,14,8672,419,266,33620,1,89,1151,1,25433,25,482,7313,1,1,6808,24,7,3698,20526,0] + [PKTLENS.....: 94,94,86,603,86,1294,1294,1294,287,86,86,86,86,150,178,363,86,86,86,666,117,86,86,117,789,530,125,86,86,86,125,86] analyse: [....48] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][59624] -> [...............2a00:1450:4007:80b::2001][..443] [TLS.Google][Advertisement][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.034| 0.007| 0.011] - [IAT(c->s)...: 0.000| 0.034| 0.007| 0.011][IAT(s->c)...: 0.000| 0.033| 0.008| 0.012] - [PKTLEN(c->s): 86.000| 603.000| 148.500| 140.800][PKTLEN(s->c): 86.000|1294.000| 552.300| 496.400] + 
[min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.034| 0.007| 0.011| 129.744| 0.000] + [PKTLEN......: 86.000| 1294.000| 337.800| 408.200|166632.700| 4.200] [BINS(c->s)..: 13,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,0,0,1,1,0,0,1,1,0,1,1,1,1,0,0,0,1,1,0,0] + [IATS........: 28106,28139,660,33241,1626,34221,71,30,636,643,4625,213,224,27018,3512,25468,241,4283,1409,5453,77,6348,1,6424,34,8,196,1,158,22,0,0] + [PKTLENS.....: 94,94,86,603,86,1294,86,1294,86,548,86,150,178,436,86,666,86,117,86,117,86,86,496,1294,1294,86,86,86,718,125,86,86] new: [....49] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46806] -> [...............2a00:1450:4007:808::2001][..443] new: [....50] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46808] -> [...............2a00:1450:4007:808::2001][..443] new: [....51] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46810] -> [...............2a00:1450:4007:808::2001][..443] 
@@ -386,26 +436,32 @@ detection-update: [....58] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][36970] -> [...............2a00:1450:4007:80f::2001][..443] [TLS.Google][Advertisement][Acceptable] detection-update: [....57] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][36968] -> [...............2a00:1450:4007:80f::2001][..443] [TLS.Google][Advertisement][Acceptable] analyse: [....49] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46806] -> [...............2a00:1450:4007:808::2001][..443] [TLS][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.042| 0.008| 0.012] - [IAT(c->s)...: 0.000| 0.038| 0.008| 0.012][IAT(s->c)...: 0.000| 0.042| 0.007| 0.013] - [PKTLEN(c->s): 86.000| 603.000| 172.600| 150.900][PKTLEN(s->c): 86.000|1294.000| 756.000| 562.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.042| 0.008| 0.012| 152.931| 0.000] + [PKTLEN......: 86.000| 1294.000| 482.500| 513.400|263601.800| 4.200] [BINS(c->s)..: 10,0,2,0,0,0,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,1,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,1,1,1,0,0] + [IATS........: 25564,25583,1059,31489,7154,1,37586,36,127,1,1,1,87,28,7124,13598,568,199,42183,2,20688,340,10112,7,263,1,3,2,10101,50,0,0] + [PKTLENS.....: 94,94,86,603,86,1294,1294,86,86,1294,1294,1294,1294,234,86,86,150,178,356,403,86,666,86,117,86,86,86,1076,1294,1294,86,86] analyse: [....55] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][36964] -> [...............2a00:1450:4007:80f::2001][..443] [TLS.Google][Advertisement][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.046| 0.009| 0.014] - [IAT(c->s)...: 0.000| 0.046| 0.009| 0.013][IAT(s->c)...: 0.000| 0.045| 0.009| 0.015] - [PKTLEN(c->s): 86.000| 603.000| 169.400| 150.700][PKTLEN(s->c): 86.000|1294.000| 500.400| 489.800] + 
[min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.046| 0.009| 0.014| 203.864| 0.000] + [PKTLEN......: 86.000| 1294.000| 334.900| 398.400|158685.900| 4.200] [BINS(c->s)..: 11,0,2,0,0,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,0,1,0,0,1,0,0,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,0,1,1,1,1,0,1,1,1,0,0,0,1,1] + [IATS........: 29535,29546,105,39799,6197,1,1,45897,20,10,16645,7440,877,217,45409,188,20393,461,14689,1873,1,1,16098,2949,2,2950,29,8,1564,1,0,0] + [PKTLENS.....: 94,94,86,603,86,1294,1294,325,86,86,86,150,178,405,389,86,666,86,117,86,117,86,86,86,565,412,221,86,86,86,1294,1294] analyse: [....54] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38166] -> [...............2a00:1450:4007:811::200a][..443] [TLS.GoogleServices][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.044| 0.010| 0.014] - [IAT(c->s)...: 0.000| 0.044| 0.010| 0.013][IAT(s->c)...: 0.000| 0.044| 0.010| 0.014] - [PKTLEN(c->s): 86.000| 603.000| 148.200| 136.700][PKTLEN(s->c): 86.000|1294.000| 419.900| 413.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.044| 0.010| 0.014| 184.491| 0.000] + [PKTLEN......: 86.000| 1294.000| 284.100| 336.600|113301.500| 4.200] [BINS(c->s)..: 12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,1,0,0,0,0,1,0,1,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,0,0,1,1,0,0,1,1,1,0,1,1,1,1,0,0,0,0,1,1] + [IATS........: 28655,28663,221,37924,6057,43801,75,33,588,595,16415,9761,878,43789,3898,20653,579,14876,1700,16044,10542,2,1,1,10492,40,13,10,172,3,0,0] + [PKTLENS.....: 94,94,86,603,86,1294,86,1294,86,586,86,150,178,369,86,666,86,117,86,117,86,86,545,911,286,371,86,86,86,86,125,86] new: [....60] [ip6][..tcp] 
[2a01:cb01:2049:8b07:991d:ec85:28df:f629][47006] -> [.....................64:ff9b::34d3:acec][..443] detected: [....60] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47006] -> [.....................64:ff9b::34d3:acec][..443] [TLS][Web][Safe] detection-update: [....60] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47006] -> [.....................64:ff9b::34d3:acec][..443] [TLS][Web][Safe] diff --git a/test/results/flow-info/rtsp.pcap.out b/test/results/flow-info/rtsp.pcap.out index 45e4fb47f..865db9b47 100644 --- a/test/results/flow-info/rtsp.pcap.out +++ b/test/results/flow-info/rtsp.pcap.out 
@@ -8,66 +8,78 @@ detected: [.....2] [ip4][..tcp] [......10.1.1.10][52472] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] RISK: Known Proto on Non Std Port analyse: [.....2] [ip4][..tcp] [......10.1.1.10][52472] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.021| 0.002| 0.006] - [IAT(c->s)...: 0.000| 0.021| 0.002| 0.006][IAT(s->c)...: 0.000| 0.021| 0.002| 0.006] - [PKTLEN(c->s): 56.000| 198.000| 124.600| 61.100][PKTLEN(s->c): 56.000| 181.000| 92.500| 51.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.021| 0.002| 0.006| 34.529| 0.000] + [PKTLEN......: 56.000| 198.000| 108.600| 58.600| 3438.900| 4.800] [BINS(c->s)..: 8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1] + [IATS........: 35,2,147,185,74,3,21,233,32,2,57,13140,10,5,57,13537,3,20,31,20633,10,29,32,21135,10,3,84,464,2,22,30,0] + [PKTLENS.....: 68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,56,62,62,181,181,181,181,198,198,198,198,62,56,62,62] new: [.....3] [ip4][..tcp] [......10.1.1.10][52474] -> [.......10.2.2.2][.8554] detected: [.....3] [ip4][..tcp] [......10.1.1.10][52474] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] RISK: Known Proto on Non Std Port analyse: [.....3] [ip4][..tcp] [......10.1.1.10][52474] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.021| 0.002| 0.005] - [IAT(c->s)...: 0.000| 0.021| 0.002| 0.006][IAT(s->c)...: 0.000| 0.020| 0.002| 0.005] - [PKTLEN(c->s): 56.000| 198.000| 124.600| 61.100][PKTLEN(s->c): 56.000| 181.000| 92.500| 51.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.021| 0.002| 0.005| 29.923| 0.000] + [PKTLEN......: 56.000| 198.000| 108.600| 58.600| 3438.900| 4.800] [BINS(c->s)..: 
8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1] + [IATS........: 11,6,72,280,3,19,31,588,10,4,95,9323,12,6,70,10052,3,20,30,20464,12,35,38,21234,11,6,415,877,63,5,25,0] + [PKTLENS.....: 68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,56,62,62,181,181,181,181,198,198,198,198,62,62,56,62] new: [.....4] [ip4][..tcp] [......10.1.1.10][52476] -> [.......10.2.2.2][.8554] detected: [.....4] [ip4][..tcp] [......10.1.1.10][52476] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] RISK: Known Proto on Non Std Port analyse: [.....4] [ip4][..tcp] [......10.1.1.10][52476] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.021| 0.002| 0.005] - [IAT(c->s)...: 0.000| 0.021| 0.002| 0.005][IAT(s->c)...: 0.000| 0.020| 0.002| 0.005] - [PKTLEN(c->s): 56.000| 198.000| 124.600| 61.100][PKTLEN(s->c): 56.000| 181.000| 92.500| 51.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.021| 0.002| 0.005| 26.106| 0.000] + [PKTLEN......: 56.000| 198.000| 108.600| 58.600| 3438.900| 4.800] [BINS(c->s)..: 8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1] + [IATS........: 11,6,298,316,75,4,113,848,111,3,200,4833,13,7,374,6198,62,5,77,20136,13,74,34,21000,11,7,67,946,6,27,79,0] + [PKTLENS.....: 68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,62,56,62,181,181,181,181,198,198,198,198,62,56,62,62] new: [.....5] [ip4][..tcp] [......10.1.1.10][52478] -> [.......10.2.2.2][.8554] detected: [.....5] [ip4][..tcp] [......10.1.1.10][52478] -> 
[.......10.2.2.2][.8554] [RTSP][Media][Fun] RISK: Known Proto on Non Std Port analyse: [.....5] [ip4][..tcp] [......10.1.1.10][52478] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.505| 0.033| 0.124] - [IAT(c->s)...: 0.000| 0.505| 0.034| 0.126][IAT(s->c)...: 0.000| 0.505| 0.033| 0.122] - [PKTLEN(c->s): 56.000| 172.000| 92.100| 46.200][PKTLEN(s->c): 56.000| 181.000| 92.500| 51.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.505| 0.033| 0.124|15344.430| 0.000] + [PKTLEN......: 56.000| 181.000| 92.300| 48.800| 2380.700| 4.800] [BINS(c->s)..: 12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1] + [IATS........: 13,12,110,1319,2,16,338,505214,14,12,119,504501,5,45,55,1025,12,6,56,113,30,3,36,579,55,2,21,20351,8,26,107,0] + [PKTLENS.....: 68,68,68,68,62,56,62,62,68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,62,56,62,181,181,181,181] end: [.....1] [ip4][..tcp] [......10.1.1.10][52470] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] RISK: Known Proto on Non Std Port new: [.....6] [ip4][..tcp] [......10.1.1.10][52480] -> [.......10.2.2.2][.8554] detected: [.....6] [ip4][..tcp] [......10.1.1.10][52480] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] RISK: Known Proto on Non Std Port analyse: [.....6] [ip4][..tcp] [......10.1.1.10][52480] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.024| 0.002| 0.006] - [IAT(c->s)...: 0.000| 0.024| 0.002| 0.006][IAT(s->c)...: 0.000| 0.020| 0.002| 0.005] - [PKTLEN(c->s): 56.000| 198.000| 124.600| 61.100][PKTLEN(s->c): 56.000| 181.000| 92.500| 51.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.024| 0.002| 0.006| 34.195| 0.000] + [PKTLEN......: 56.000| 
198.000| 108.600| 58.600| 3438.900| 4.800] [BINS(c->s)..: 8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,1,1,1,1,1,1,0,0,0,0,1,1,1,1] + [IATS........: 13,10,107,377,5,25,77,583,10,4,135,10337,14,11,11449,2,754,44,76,20263,13,28,87,23771,10,4,96,3496,1,20,106,0] + [PKTLENS.....: 68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,62,56,172,62,62,181,181,181,181,198,198,198,198,62,56,62,62] end: [.....2] [ip4][..tcp] [......10.1.1.10][52472] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] RISK: Known Proto on Non Std Port new: [.....7] [ip4][..tcp] [......10.1.1.10][52482] -> [.......10.2.2.2][.8554] detected: [.....7] [ip4][..tcp] [......10.1.1.10][52482] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] RISK: Known Proto on Non Std Port analyse: [.....7] [ip4][..tcp] [......10.1.1.10][52482] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.021| 0.002| 0.005] - [IAT(c->s)...: 0.000| 0.021| 0.002| 0.005][IAT(s->c)...: 0.000| 0.020| 0.002| 0.005] - [PKTLEN(c->s): 56.000| 198.000| 124.600| 61.100][PKTLEN(s->c): 56.000| 181.000| 92.500| 51.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.021| 0.002| 0.005| 26.978| 0.000] + [PKTLEN......: 56.000| 198.000| 108.600| 58.600| 3438.900| 4.800] [BINS(c->s)..: 8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1] + [IATS........: 13,12,126,440,5,40,92,581,9,4,94,6644,14,9,113,7455,6,53,93,20043,15,52,57,21029,9,6,97,810,5,21,76,0] + [PKTLENS.....: 
68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,56,62,62,181,181,181,181,198,198,198,198,62,56,62,62] end: [.....3] [ip4][..tcp] [......10.1.1.10][52474] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] RISK: Known Proto on Non Std Port end: [.....4] [ip4][..tcp] [......10.1.1.10][52476] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] diff --git a/test/results/flow-info/rx.pcap.out b/test/results/flow-info/rx.pcap.out index 92098cc7a..449853960 100644 --- a/test/results/flow-info/rx.pcap.out +++ b/test/results/flow-info/rx.pcap.out 
@@ -12,12 +12,14 @@ new: [.....5] [ip4][..udp] [131.114.219.168][.7001] -> [192.167.206.124][.7000] detected: [.....5] [ip4][..udp] [131.114.219.168][.7001] -> [192.167.206.124][.7000] [RX][RPC][Acceptable] analyse: [.....4] [ip4][..udp] [131.114.219.168][.7001] -> [192.167.206.241][.7000] [RX][RPC][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.105| 0.029| 0.034] - [IAT(c->s)...: 0.000| 0.103| 0.028| 0.033][IAT(s->c)...: 0.000| 0.105| 0.030| 0.034] - [PKTLEN(c->s): 70.000| 510.000| 190.700| 158.700][PKTLEN(s->c): 74.000| 782.000| 160.700| 172.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.105| 0.029| 0.034| 1128.030| 0.000] + [PKTLEN......: 70.000| 782.000| 176.700| 165.900|27529.200| 4.500] [BINS(c->s)..: 1,4,7,0,1,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,6,5,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,1,0,1,1,0,0,1,0,1,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,1] + [IATS........: 77545,77601,57048,57152,38155,1292,39484,65722,277,65926,103176,105287,2087,8975,9068,2966,1842,4798,61436,65225,3784,52,6802,6683,61,3692,3703,4895,8042,2994,2787,0] + [PKTLENS.....: 74,108,107,74,510,107,118,70,107,78,107,94,86,435,74,510,107,198,107,174,782,107,94,198,107,110,214,107,94,86,435,74] idle: [.....1] [ip4][..udp] [131.114.219.168][41559] -> [192.167.206.124][.7002] [RX][RPC][Acceptable] idle: [.....5] [ip4][..udp] [131.114.219.168][.7001] -> [192.167.206.124][.7000] [RX][RPC][Acceptable] idle: [.....4] [ip4][..udp] [131.114.219.168][.7001] -> [192.167.206.241][.7000] [RX][RPC][Acceptable] diff --git a/test/results/flow-info/s7comm.pcap.out b/test/results/flow-info/s7comm.pcap.out index c96da46e9..991ff42b8 100644 --- a/test/results/flow-info/s7comm.pcap.out +++ b/test/results/flow-info/s7comm.pcap.out 
@@ -4,11 +4,13 @@ new: [.....1] [ip4][..tcp] [...192.168.1.10][.4185] -> [...192.168.1.40][..102] [MIDSTREAM] detected: [.....1] [ip4][..tcp] [...192.168.1.10][.4185] -> [...192.168.1.40][..102] [s7comm][Network][Acceptable] analyse: [.....1] [ip4][..tcp] [...192.168.1.10][.4185] -> [...192.168.1.40][..102] [s7comm][Network][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.009| 0.005| 0.003] - [IAT(c->s)...: 0.000| 0.009| 0.004| 0.003][IAT(s->c)...: 0.003| 0.009| 0.007| 0.002] - [PKTLEN(c->s): 61.000| 87.000| 72.900| 11.600][PKTLEN(s->c): 76.000| 275.000| 126.200| 51.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.009| 0.005| 0.003| 11.033| 0.000] + [PKTLEN......: 61.000| 275.000| 91.200| 40.300| 1625.500| 4.900] [BINS(c->s)..: 17,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,5,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0] + [IATS........: 3735,3883,3114,3055,66,6981,6927,4642,8989,4385,568,7037,6437,271,5970,5746,295,9009,8666,204,8975,8763,201,9013,8819,232,8990,8762,250,4988,4713,0] + [PKTLENS.....: 76,76,79,81,61,87,135,61,87,135,61,87,275,61,87,135,61,83,115,61,83,115,61,83,115,61,83,115,61,85,91,61] idle: [.....1] [ip4][..tcp] [...192.168.1.10][.4185] -> [...192.168.1.40][..102] [s7comm][Network][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/safari.pcap.out b/test/results/flow-info/safari.pcap.out index f7fc1d3a1..2b6647471 100644 --- a/test/results/flow-info/safari.pcap.out +++ b/test/results/flow-info/safari.pcap.out 
@@ -11,12 +11,14 @@ new: [.....5] [ip4][..tcp] [..192.168.1.178][55268] -> [...146.48.58.18][..443] new: [.....6] [ip4][..tcp] [..192.168.1.178][55269] -> [...146.48.58.18][..443] analyse: [.....1] [ip4][..tcp] [..192.168.1.178][55262] -> [...146.48.58.18][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.579| 0.077| 0.167] - [IAT(c->s)...: 0.000| 0.579| 0.085| 0.174][IAT(s->c)...: 0.000| 0.551| 0.070| 0.160] - [PKTLEN(c->s): 66.000| 445.000| 137.900| 131.400][PKTLEN(s->c): 66.000|1506.000| 950.400| 676.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.579| 0.077| 0.167|27833.076| 0.000] + [PKTLEN......: 66.000| 1506.000| 569.500| 644.500|415419.900| 4.100] [BINS(c->s)..: 11,0,1,0,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,1,1,1,0,1,0,1,0,1,0,1,0,0,1,1,1,0] + [IATS........: 28338,28438,576,28670,6985,69,14,35105,3,52717,81952,29,29304,948,28144,550635,1230,579033,248,252,138,105,115,138,126,100,428094,455026,4375,1236,32565,0] + [PKTLENS.....: 78,74,66,301,66,1506,1506,641,66,66,159,66,117,66,425,66,1506,1506,66,1506,66,1506,66,1506,66,1506,66,445,66,1506,1506,66] detection-update: [.....1] [ip4][..tcp] [..192.168.1.178][55262] -> [...146.48.58.18][..443] [TLS][Web][Safe] detected: [.....4] [ip4][..tcp] [..192.168.1.178][55267] -> [...146.48.58.18][..443] [TLS][Web][Safe] RISK: TLS (probably) Not Carrying HTTPS 
@@ -39,40 +41,50 @@ detection-update: [.....6] [ip4][..tcp] [..192.168.1.178][55269] -> [...146.48.58.18][..443] [TLS][Web][Safe] RISK: TLS (probably) Not Carrying HTTPS analyse: [.....4] [ip4][..tcp] [..192.168.1.178][55267] -> [...146.48.58.18][..443] [TLS][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.119| 0.018| 0.029] - [IAT(c->s)...: 0.000| 0.084| 0.020| 0.024][IAT(s->c)...: 0.000| 0.119| 0.016| 0.032] - [PKTLEN(c->s): 66.000| 508.000| 147.900| 154.600][PKTLEN(s->c): 66.000|1506.000|1008.600| 658.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.119| 0.018| 0.029| 823.374| 0.000] + [PKTLEN......: 66.000| 1506.000| 632.000| 660.500|436248.100| 4.200] [BINS(c->s)..: 10,1,0,0,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,0,0,1,1] + [IATS........: 29610,29665,2362,30524,2,28159,51917,8877,77853,8496,625,1248,27408,129,120,247,131,125,259,123,123,248,503,122,637,24023,24010,84464,7818,118862,914,0] + [PKTLENS.....: 78,74,66,277,66,207,66,117,508,66,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1043,66,66,497,66,1506] analyse: [.....2] [ip4][..tcp] [..192.168.1.178][55265] -> [...146.48.58.18][..443] [TLS][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.140| 0.019| 0.033] - [IAT(c->s)...: 0.000| 0.104| 0.023| 0.028][IAT(s->c)...: 0.000| 0.140| 0.017| 0.036] - [PKTLEN(c->s): 66.000| 500.000| 145.600| 149.200][PKTLEN(s->c): 66.000|1506.000| 982.000| 665.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.140| 0.019| 0.033| 1086.908| 0.000] + [PKTLEN......: 66.000| 1506.000| 616.100| 656.600|431150.100| 4.100] [BINS(c->s)..: 10,1,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 
5,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,1,1,1,0,0,0,0,1,1,1,0,1,1,0,1] + [IATS........: 30407,30442,2425,30749,1690,30065,50340,8582,78328,9234,5001,125,33713,130,749,881,125,129,16,259,3,103964,6593,140358,1494,509,31816,122,126,243,376,0] + [PKTLENS.....: 78,74,66,277,66,207,66,117,472,66,66,1506,1506,66,1506,1506,66,1506,1506,565,66,66,66,500,66,1506,1506,66,1506,1506,66,1506] analyse: [.....3] [ip4][..tcp] [..192.168.1.178][55266] -> [...146.48.58.18][..443] [TLS][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.144| 0.020| 0.034] - [IAT(c->s)...: 0.000| 0.107| 0.023| 0.029][IAT(s->c)...: 0.000| 0.144| 0.017| 0.036] - [PKTLEN(c->s): 66.000| 503.000| 147.600| 153.700][PKTLEN(s->c): 66.000|1506.000| 994.600| 659.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.144| 0.020| 0.034| 1135.493| 0.000] + [PKTLEN......: 66.000| 1506.000| 624.000| 657.100|431734.900| 4.200] [BINS(c->s)..: 10,1,0,0,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,1,0,0,0,1,1,1,0,1,1,0,1,1,0,1] + [IATS........: 31343,31380,1377,32375,996,31994,49530,8158,77501,8373,630,1247,30061,122,9,127,127,136,106790,7135,144002,5758,108,35937,131,121,250,128,122,249,129,0] + [PKTLENS.....: 78,74,66,277,66,207,66,117,503,66,66,1506,1506,66,1506,1506,66,791,66,66,497,66,1506,1506,66,1506,1506,66,1506,1506,66,1506] analyse: [.....6] [ip4][..tcp] [..192.168.1.178][55269] -> [...146.48.58.18][..443] [TLS][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.147| 0.020| 0.034] - [IAT(c->s)...: 0.000| 0.105| 0.023| 0.029][IAT(s->c)...: 0.000| 0.147| 0.017| 0.037] - [PKTLEN(c->s): 66.000| 500.000| 147.200| 152.900][PKTLEN(s->c): 66.000|1506.000| 960.700| 684.600] 
+ [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.147| 0.020| 0.034| 1161.612| 0.000] + [PKTLEN......: 66.000| 1506.000| 604.800| 660.800|436665.800| 4.100] [BINS(c->s)..: 10,1,0,0,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0] + [IATS........: 33594,33644,1195,33573,9,32379,46938,8284,78165,6257,993,261,30448,865,3,877,105414,6486,147007,2135,111,37341,124,122,246,129,624,757,125,122,244,0] + [PKTLENS.....: 78,74,66,277,66,207,66,117,495,66,66,1506,1506,66,1506,181,66,66,500,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66] analyse: [.....5] [ip4][..tcp] [..192.168.1.178][55268] -> [...146.48.58.18][..443] [TLS][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.146| 0.022| 0.035] - [IAT(c->s)...: 0.000| 0.116| 0.024| 0.030][IAT(s->c)...: 0.000| 0.146| 0.020| 0.038] - [PKTLEN(c->s): 66.000| 503.000| 170.700| 171.800][PKTLEN(s->c): 66.000|1506.000| 852.800| 687.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.146| 0.022| 0.035| 1194.506| 0.000] + [PKTLEN......: 66.000| 1506.000| 533.000| 616.900|380607.300| 4.100] [BINS(c->s)..: 10,1,0,0,0,0,1,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,8,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,0,0,1,1,1,0,1,1,0,1,1,1,0,0,0,0,1,1,1,0] + [IATS........: 30429,30474,1424,31291,132,29986,50740,8293,78244,9210,246,28671,116212,146010,494,137,30426,114,380,498,130,113,14,250,2,896,5501,36248,1496,132,31482,0] + [PKTLENS.....: 78,74,66,277,66,207,66,117,494,66,66,1413,66,497,66,1506,1506,66,1506,1506,66,1506,1506,425,66,66,66,503,66,1506,1506,66] new: [.....7] [ip4][..tcp] [..192.168.1.178][55285] -> 
[...146.48.58.18][..443] detected: [.....7] [ip4][..tcp] [..192.168.1.178][55285] -> [...146.48.58.18][..443] [TLS][Web][Safe] detection-update: [.....7] [ip4][..tcp] [..192.168.1.178][55285] -> [...146.48.58.18][..443] [TLS][Web][Safe] diff --git a/test/results/flow-info/signal.pcap.out b/test/results/flow-info/signal.pcap.out index 73730f6be..cb825c9fd 100644 --- a/test/results/flow-info/signal.pcap.out +++ b/test/results/flow-info/signal.pcap.out 
@@ -19,12 +19,14 @@ detected: [.....7] [ip4][..tcp] [...192.168.2.17][57021] -> [.34.225.240.173][..443] [TLS.Signal][Chat][Fun] detected: [.....6] [ip4][..tcp] [...192.168.2.17][57020] -> [.34.225.240.173][..443] [TLS.Signal][Chat][Fun] analyse: [.....4] [ip4][..tcp] [...192.168.2.17][57018] -> [....23.57.24.16][..443] [TLS.AppleiTunes][Streaming][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.052| 0.012| 0.020] - [IAT(c->s)...: 0.000| 0.048| 0.013| 0.020][IAT(s->c)...: 0.000| 0.052| 0.012| 0.020] - [PKTLEN(c->s): 66.000| 583.000| 122.600| 124.700][PKTLEN(s->c): 66.000|1506.000| 732.000| 587.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.052| 0.012| 0.020| 399.390| 0.000] + [PKTLEN......: 66.000| 1506.000| 427.300| 522.500|272968.600| 4.100] [BINS(c->s)..: 10,3,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,1,0,0,0,0,0,2,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,4,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,0,1,1,1,1] + [IATS........: 44158,46025,121,45605,778,217,319,168,47796,18,50,46011,44670,7772,1684,58,381,118,52274,18,1127,18,42555,122,704,525,120,879,64,358,7,0] + [PKTLENS.....: 78,74,66,583,66,1506,1506,1282,1506,66,66,66,673,66,146,112,109,101,207,337,337,66,136,66,66,66,66,97,1112,1112,1506,427] detection-update: [.....3] [ip4][..tcp] [...192.168.2.17][49226] -> [.34.225.240.173][..443] [TLS.Signal][Chat][Fun] RISK: TLS (probably) Not Carrying HTTPS detection-update: [.....3] [ip4][..tcp] [...192.168.2.17][49226] -> [.34.225.240.173][..443] [TLS.Signal][Chat][Fun] 
@@ -57,12 +59,14 @@ detected: [....14] [ip4][..tcp] [...192.168.2.17][57024] -> [....35.169.3.40][..443] [TLS.Signal][Chat][Fun] detected: [....15] [ip4][..tcp] [...192.168.2.17][57025] -> [....35.169.3.40][..443] [TLS.Signal][Chat][Fun] analyse: [....11] [ip4][..tcp] [...192.168.2.17][57022] -> [....23.57.24.16][..443] [TLS.AppleiTunes][Streaming][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.101| 0.015| 0.025] - [IAT(c->s)...: 0.000| 0.101| 0.017| 0.027][IAT(s->c)...: 0.000| 0.083| 0.014| 0.023] - [PKTLEN(c->s): 66.000| 583.000| 125.100| 128.200][PKTLEN(s->c): 66.000|1506.000| 728.500| 569.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.101| 0.015| 0.025| 625.062| 0.000] + [PKTLEN......: 66.000| 1506.000| 445.700| 520.400|270842.400| 4.100] [BINS(c->s)..: 9,3,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,1,0,0,0,0,0,2,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,4,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,1,0,1,0,0,0,0,0,0,1,1,0,0,1,1,1,0,1,1,1,1] + [IATS........: 34916,37696,123,37363,772,231,309,173,37044,153,34846,100663,83343,17640,1078,2531,59,427,91,36023,34,31611,467,2412,13,489,2231,1076,233,244,7,0] + [PKTLENS.....: 78,74,66,583,66,1506,1506,1282,1506,66,66,673,66,673,78,146,112,109,101,207,337,337,66,66,66,136,66,66,1112,1112,1506,427] detection-update: [....10] [ip4][..tcp] [...192.168.2.17][49227] -> [....35.169.3.40][..443] [TLS.Signal][Chat][Fun] RISK: TLS (probably) Not Carrying HTTPS detection-update: [....10] [ip4][..tcp] [...192.168.2.17][49227] -> [....35.169.3.40][..443] [TLS.Signal][Chat][Fun] 
@@ -78,12 +82,14 @@ detection-update: [....17] [ip4][..tcp] [...192.168.2.17][57026] -> [....35.169.3.40][..443] [TLS.Signal][Chat][Fun] detection-update: [....17] [ip4][..tcp] [...192.168.2.17][57026] -> [....35.169.3.40][..443] [TLS.Signal][Chat][Fun] analyse: [....17] [ip4][..tcp] [...192.168.2.17][57026] -> [....35.169.3.40][..443] [TLS.Signal][Chat][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.115| 0.033| 0.050] - [IAT(c->s)...: 0.000| 0.112| 0.024| 0.045][IAT(s->c)...: 0.000| 0.115| 0.047| 0.054] - [PKTLEN(c->s): 66.000|1506.000| 681.200| 632.900][PKTLEN(s->c): 66.000|1506.000| 286.300| 463.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.115| 0.033| 0.050| 2490.513| 0.000] + [PKTLEN......: 66.000| 1506.000| 533.200| 606.200|367455.800| 4.100] [BINS(c->s)..: 4,3,1,1,0,0,0,1,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0] [BINS(s->c)..: 7,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,1,0,1,1,0,0,0,0,0,1,1] + [IATS........: 108942,110621,122,110401,2138,28,112445,4951,114919,23,109553,1892,17,11,122,779,118,231,116,111402,211,108448,1776,614,1715,181,200,291,136,109394,1485,0] + [PKTLENS.....: 78,74,66,583,66,1506,1104,66,192,117,135,66,119,116,108,312,1506,1506,1506,378,66,104,848,66,66,1506,1506,1506,1506,151,66,66] new: [....18] [ip4][..tcp] [....23.57.24.16][..443] -> [...192.168.2.17][57016] [MIDSTREAM] detected: [....18] [ip4][..tcp] [....23.57.24.16][..443] -> [...192.168.2.17][57016] [TLS][Web][Safe] new: [....19] [ip4][..tcp] [...192.168.2.17][57027] -> [...13.35.253.42][..443] 
@@ -91,12 +97,14 @@ detection-update: [....19] [ip4][..tcp] [...192.168.2.17][57027] -> [...13.35.253.42][..443] [TLS.Signal][Chat][Fun] detection-update: [....19] [ip4][..tcp] [...192.168.2.17][57027] -> [...13.35.253.42][..443] [TLS.Signal][Chat][Fun] analyse: [....19] [ip4][..tcp] [...192.168.2.17][57027] -> [...13.35.253.42][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.043| 0.012| 0.016] - [IAT(c->s)...: 0.000| 0.040| 0.009| 0.014][IAT(s->c)...: 0.000| 0.043| 0.016| 0.018] - [PKTLEN(c->s): 66.000|1506.000| 652.400| 646.100][PKTLEN(s->c): 66.000|1506.000| 278.400| 450.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.043| 0.012| 0.016| 257.340| 0.000] + [PKTLEN......: 66.000| 1506.000| 512.200| 608.000|369644.200| 4.100] [BINS(c->s)..: 5,4,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0] [BINS(s->c)..: 7,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1,0,0,0,0,1] + [IATS........: 32885,39763,98,40023,2747,13,39382,7752,43365,416,22,34673,57,7463,493,19,81,373,5900,119,379,42152,16,471,26781,7559,10672,123,259,280,26119,0] + [PKTLENS.....: 78,74,66,583,66,1506,1009,66,192,66,117,135,66,66,119,116,108,257,104,1506,1506,1506,66,104,66,685,66,1506,1506,1506,1506,66] detection-update: [....19] [ip4][..tcp] [...192.168.2.17][57027] -> [...13.35.253.42][..443] [TLS.Signal][Chat][Fun] idle: [.....1] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Network][Acceptable] end: [.....8] [ip4][..tcp] [...192.168.2.17][56996] -> [.17.248.146.144][..443] [TLS.Apple][Web][Safe] diff --git a/test/results/flow-info/simple-dnscrypt.pcap.out b/test/results/flow-info/simple-dnscrypt.pcap.out index b9693b90d..a2b4eb5fb 100644 --- a/test/results/flow-info/simple-dnscrypt.pcap.out +++ b/test/results/flow-info/simple-dnscrypt.pcap.out 
@@ -6,12 +6,14 @@ detection-update: [.....1] [ip4][..tcp] [.192.168.43.167][50233] -> [..134.119.26.24][..443] [TLS][Web][Safe] detection-update: [.....1] [ip4][..tcp] [.192.168.43.167][50233] -> [..134.119.26.24][..443] [TLS.DNScrypt][Network][Safe] analyse: [.....1] [ip4][..tcp] [.192.168.43.167][50233] -> [..134.119.26.24][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.222| 0.043| 0.053] - [IAT(c->s)...: 0.000| 0.115| 0.042| 0.043][IAT(s->c)...: 0.000| 0.222| 0.044| 0.060] - [PKTLEN(c->s): 54.000| 272.000| 108.400| 70.700][PKTLEN(s->c): 54.000|1364.000| 652.500| 599.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.222| 0.043| 0.053| 2772.255| 0.000] + [PKTLEN......: 54.000| 1364.000| 397.400| 516.900|267229.700| 4.000] [BINS(c->s)..: 7,4,1,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,1,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,6,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,0,1,1,0,0,1,1] + [IATS........: 110617,111151,27928,119560,18487,5167,114877,3012,7467,5,1,10608,4894,14894,118,54,378,91813,2,71462,3132,28841,26832,76361,36004,32630,95192,61613,221977,1,0,0] + [PKTLENS.....: 66,66,54,260,54,1364,1364,54,1364,1364,1364,360,54,180,107,110,96,272,312,123,54,92,54,92,54,54,54,415,54,119,1364,1324] detection-update: [.....1] [ip4][..tcp] [.192.168.43.167][50233] -> [..134.119.26.24][..443] [TLS.DNScrypt][Network][Safe] new: [.....2] [ip4][..tcp] [.192.168.43.167][50253] -> [..134.119.26.24][..443] new: [.....3] [ip4][..tcp] [.192.168.43.167][50258] -> [..134.119.26.24][..443] 
@@ -26,12 +28,14 @@ detection-update: [.....3] [ip4][..tcp] [.192.168.43.167][50258] -> [..134.119.26.24][..443] [TLS.DNScrypt][Network][Safe] detection-update: [.....3] [ip4][..tcp] [.192.168.43.167][50258] -> [..134.119.26.24][..443] [TLS.DNScrypt][Network][Safe] analyse: [.....4] [ip4][..tcp] [.192.168.43.167][50259] -> [..134.119.26.24][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.106| 0.026| 0.036] - [IAT(c->s)...: 0.000| 0.106| 0.026| 0.039][IAT(s->c)...: 0.000| 0.085| 0.026| 0.033] - [PKTLEN(c->s): 54.000| 334.000| 114.900| 79.300][PKTLEN(s->c): 54.000|1364.000| 551.200| 561.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.106| 0.026| 0.036| 1310.829| 0.000] + [PKTLEN......: 54.000| 1364.000| 333.100| 456.800|208637.000| 4.000] [BINS(c->s)..: 7,4,2,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,1,0,0,0,0,0,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,1,1,0,0,0,0,0,0,0,0,1,1,0,1,1,1,0,1,1,1,0] + [IATS........: 76904,76992,229,75549,27738,2534,105611,594,1,590,1297,3,1553,3254,3682,128,52,3057,79,49,84732,1,74133,4254,9610,25085,23405,82024,4138,98354,0,0] + [PKTLENS.....: 66,66,54,264,54,1364,1364,54,1364,1364,54,1364,360,54,180,107,110,96,334,133,132,312,123,54,54,92,54,92,54,416,415,54] detection-update: [.....4] [ip4][..tcp] [.192.168.43.167][50259] -> [..134.119.26.24][..443] [TLS.DNScrypt][Network][Safe] idle: [.....1] [ip4][..tcp] [.192.168.43.167][50233] -> [..134.119.26.24][..443] [TLS.DNScrypt][Network][Safe] idle: [.....2] [ip4][..tcp] [.192.168.43.167][50253] -> [..134.119.26.24][..443] diff --git a/test/results/flow-info/sip.pcap.out b/test/results/flow-info/sip.pcap.out index 00eb5d11f..632e42e10 100644 --- a/test/results/flow-info/sip.pcap.out +++ b/test/results/flow-info/sip.pcap.out 
@@ -19,12 +19,14 @@ update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][VoIP][Acceptable] update: [.....2] [ip4][..udp] [....192.168.1.2][.5060] -> [..200.68.120.81][.5060] [SIP][VoIP][Acceptable] analyse: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.026| 279.042| 42.751| 57.874] - [IAT(c->s)...: 0.227| 150.200| 33.134| 34.181][IAT(s->c)...: 0.026| 279.042| 60.237| 82.710] - [PKTLEN(c->s): 47.000| 867.000| 396.700| 326.500][PKTLEN(s->c): 348.000| 635.000| 491.700| 86.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.026| 279.042| 42.751| 57.874|3349363405.357| 0.000] + [PKTLEN......: 47.000| 867.000| 429.300| 273.000|74531.700| 4.600] [BINS(c->s)..: 9,0,0,0,0,0,0,0,0,0,1,0,0,0,4,0,0,0,0,0,0,4,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,2,1,0,0,0,1,6,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0] + [IATS........: 136757,17415627,17424961,49834,89928591,89874891,17280679,17290428,150200040,150188219,17325180,17335822,73916043,73902652,17325038,17333170,25935,17724998,29031776,29092737,34118166,34119076,29272359,29031830,29031631,29031476,17104967,497671,1001842,279041814,227102,0] + [PKTLENS.....: 509,528,722,348,388,509,528,722,533,509,528,722,533,509,528,722,348,512,47,47,47,47,47,47,47,47,47,867,867,867,635,382] update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][VoIP][Acceptable] update: [.....2] [ip4][..udp] [....192.168.1.2][.5060] -> [..200.68.120.81][.5060] [SIP][VoIP][Acceptable] idle: [.....2] [ip4][..udp] [....192.168.1.2][.5060] -> [..200.68.120.81][.5060] [SIP][VoIP][Acceptable] diff --git a/test/results/flow-info/sites.pcapng.out b/test/results/flow-info/sites.pcapng.out index c24bce420..3e513f925 100644 
--- a/test/results/flow-info/sites.pcapng.out +++ b/test/results/flow-info/sites.pcapng.out @@ -23,12 +23,14 @@ detected: [.....4] [ip4][..tcp] [..192.168.1.128][50620] -> [.91.198.174.208][..443] [TLS.Wikipedia][Web][Safe] detection-update: [.....4] [ip4][..tcp] [..192.168.1.128][50620] -> [.91.198.174.208][..443] [TLS.Wikipedia][Web][Safe] analyse: [.....4] [ip4][..tcp] [..192.168.1.128][50620] -> [.91.198.174.208][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.053| 0.020| 0.024] - [IAT(c->s)...: 0.000| 0.052| 0.020| 0.024][IAT(s->c)...: 0.000| 0.053| 0.020| 0.024] - [PKTLEN(c->s): 66.000| 583.000| 140.600| 142.000][PKTLEN(s->c): 66.000|1514.000| 981.900| 646.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.053| 0.020| 0.024| 571.173| 0.000] + [PKTLEN......: 66.000| 1514.000| 613.800| 646.400|417856.700| 4.200] [BINS(c->s)..: 10,0,1,0,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,1,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,10,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0] + [IATS........: 46836,50076,2241,52937,230,52220,1478,638,2420,52443,779,3077,237,199,47900,235,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [PKTLENS.....: 74,74,66,583,66,1514,1514,1266,166,66,66,66,66,146,236,304,369,109,97,1514,1514,1514,1514,1514,1514,1514,1514,388,66,66,66,97] detection-update: [.....4] [ip4][..tcp] [..192.168.1.128][50620] -> [.91.198.174.208][..443] [TLS.Wikipedia][Web][Safe] end: [.....3] [ip4][..tcp] [..192.168.1.227][50071] -> [...52.73.71.226][..443] DAEMON-EVENT: [Processed: 118 pkts][ZLib][compressions: 0|diff: 0 / 0] 
@@ -36,12 +38,14 @@ new: [.....5] [ip4][..tcp] [..192.168.1.250][39890] -> [...45.82.241.51][...80] detected: [.....5] [ip4][..tcp] [..192.168.1.250][39890] -> [...45.82.241.51][...80] [HTTP.Likee][SocialNetwork][Fun] analyse: [.....5] [ip4][..tcp] [..192.168.1.250][39890] -> [...45.82.241.51][...80] [HTTP.Likee][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.031| 0.138| 0.327] - [IAT(c->s)...: 0.000| 0.974| 0.110| 0.289][IAT(s->c)...: 0.000| 1.031| 0.184| 0.379] - [PKTLEN(c->s): 60.000| 244.000| 82.500| 59.100][PKTLEN(s->c): 60.000|1514.000|1312.700| 491.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.031| 0.138| 0.327|107215.077| 0.000] + [PKTLEN......: 60.000| 1514.000| 659.100| 701.200|491744.000| 4.100] [BINS(c->s)..: 15,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,12,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,0,0,1,1,0,0,0,0] + [IATS........: 27914,29082,9509,39180,2950,249,59912,307,304,974261,1031142,29550,491,2002,490,730,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [PKTLENS.....: 74,66,60,244,60,1514,1514,1514,1514,1514,1514,1396,60,60,60,60,60,60,60,244,1514,1514,1514,1514,60,60,1514,1514,60,60,60,60] end: [.....4] [ip4][..tcp] [..192.168.1.128][50620] -> [.91.198.174.208][..443] [TLS.Wikipedia][Web][Safe] DAEMON-EVENT: [Processed: 230 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 5|skipped: 0|!detected: 0|guessed: 0|detection-updates: 6|updates: 0] diff --git a/test/results/flow-info/skinny.pcap.out b/test/results/flow-info/skinny.pcap.out index 4b2a9347d..cf32597a0 100644 --- a/test/results/flow-info/skinny.pcap.out +++ b/test/results/flow-info/skinny.pcap.out 
@@ -6,12 +6,14 @@ new: [.....2] [ip4][..tcp] [.192.168.193.12][.2000] -> [.192.168.195.50][51532] [MIDSTREAM] detected: [.....2] [ip4][..tcp] [.192.168.193.12][.2000] -> [.192.168.195.50][51532] [CiscoSkinny][VoIP][Acceptable] analyse: [.....1] [ip4][..tcp] [.192.168.195.58][49399] -> [.192.168.193.12][.2000] [CiscoSkinny][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 3.610| 0.245| 0.877] - [IAT(c->s)...: 0.006| 3.610| 0.318| 0.993][IAT(s->c)...: 0.000| 3.560| 0.199| 0.792] - [PKTLEN(c->s): 60.000| 106.000| 76.300| 20.000][PKTLEN(s->c): 60.000| 378.000| 140.200| 85.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 3.610| 0.245| 0.877|769437.794| 0.000] + [PKTLEN......: 60.000| 378.000| 114.200| 74.300| 5521.700| 4.800] [BINS(c->s)..: 9,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,2,0,0,5,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,1,0,1,1,1,1,0,1,0,1,1,1,1,0,1,0,0,1,1,0,1,0,1,1,0,0,0,1,0] + [IATS........: 2211,18,14,5962,3780,258,15,49,20014,19685,10391,48806,3559643,16,82,3609828,11683,20052,16478,36490,7020,23440,32822,19981,11660,17,20000,11522,27273,50735,26736,0] + [PKTLENS.....: 78,82,70,78,60,378,82,90,82,60,214,74,60,78,194,90,60,266,60,102,60,198,60,198,60,198,186,60,106,106,60,106] new: [.....3] [ip4][..udp] [.192.168.195.58][32150] -> [.192.168.193.24][.9395] detected: [.....3] [ip4][..udp] [.192.168.195.58][32150] -> [.192.168.193.24][.9395] [RTP][Media][Acceptable] new: [.....4] [ip4][..udp] [.192.168.195.58][32144] -> [.192.168.195.50][17718] 
@@ -23,49 +25,61 @@ new: [.....7] [ip4][..udp] [.192.168.195.50][17732] -> [.192.168.193.24][.9400] detected: [.....7] [ip4][..udp] [.192.168.195.50][17732] -> [.192.168.193.24][.9400] [RTP][Media][Acceptable] analyse: [.....4] [ip4][..udp] [.192.168.195.58][32144] -> [.192.168.195.50][17718] [RTP][Media][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.026| 0.010| 0.010] - [IAT(c->s)...: 0.000| 0.020| 0.009| 0.010][IAT(s->c)...: 0.000| 0.026| 0.010| 0.010] - [PKTLEN(c->s): 214.000| 214.000| 214.000| 0.000][PKTLEN(s->c): 214.000| 214.000| 214.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.026| 0.010| 0.010| 104.356| 0.000] + [PKTLEN......: 214.000| 214.000| 214.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,0,0,0,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0] + [IATS........: 25,19949,10,25564,11,20009,15,19949,15,19947,7,19983,8,20009,7,20042,7,20010,7,19977,4,19971,13,19997,11,20024,12,20020,11,19956,10,0] + [PKTLENS.....: 214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214] analyse: [.....3] [ip4][..udp] [.192.168.195.58][32150] -> [.192.168.193.24][.9395] [RTP][Media][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.020| 0.020| 0.020| 0.000] - [IAT(c->s)...: 0.020| 0.020| 0.020| 0.000][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 214.000| 214.000| 214.000| 0.000][PKTLEN(s->c): 0.000| 0.000| 0.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.020| 0.020| 0.020| 0.000| 0.001| 0.000] + [PKTLEN......: 214.000| 214.000| 214.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 20010,20035,19901,20015,19977,20040,20015,20006,19996,20018,19974,20009,19997,20001,20001,19982,20073,20009,20000,19999,20061,19944,19990,19953,20026,19940,20010,20055,20010,19978,19998,0] + [PKTLENS.....: 214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214] analyse: [.....5] [ip4][..udp] [.192.168.195.50][17726] -> [.192.168.193.24][.9399] [RTP][Media][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.020| 0.020| 0.020| 0.000] - [IAT(c->s)...: 0.020| 0.020| 0.020| 0.000][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 214.000| 214.000| 214.000| 0.000][PKTLEN(s->c): 0.000| 0.000| 0.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.020| 0.020| 0.020| 0.000| 0.001| 0.000] + [PKTLEN......: 214.000| 214.000| 214.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 19962,19969,20095,19966,20007,20019,20010,19970,19996,20019,19982,19965,20001,20006,19994,20032,19986,19999,19985,19996,20021,19995,20005,19995,19975,19984,19971,20037,20033,19973,20008,0] + [PKTLENS.....: 214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214] analyse: [.....6] [ip4][..udp] [.192.168.195.58][32152] -> [.192.168.193.24][.9396] [RTP][Media][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.019| 0.021| 0.020| 0.000] - [IAT(c->s)...: 0.019| 0.021| 0.020| 0.000][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 
214.000| 214.000| 214.000| 0.000][PKTLEN(s->c): 0.000| 0.000| 0.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.019| 0.021| 0.020| 0.000| 0.020| 0.000] + [PKTLEN......: 214.000| 214.000| 214.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 19831,19959,20146,19907,20018,20014,20011,20005,20001,20003,20045,19895,20035,19968,20008,20010,19972,20003,20520,19475,20014,19970,20034,19981,19987,19986,19966,20048,20036,19972,20021,0] + [PKTLENS.....: 214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214] analyse: [.....7] [ip4][..udp] [.192.168.195.50][17732] -> [.192.168.193.24][.9400] [RTP][Media][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.020| 0.020| 0.020| 0.000] - [IAT(c->s)...: 0.020| 0.020| 0.020| 0.000][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 214.000| 214.000| 214.000| 0.000][PKTLEN(s->c): 0.000| 0.000| 0.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.020| 0.020| 0.020| 0.000| 0.001| 0.000] + [PKTLEN......: 214.000| 214.000| 214.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 19977,19980,20100,19974,19997,19973,19984,19994,20002,20000,19996,19991,19980,20100,20004,19971,19986,20073,19948,19997,19947,20007,19941,20015,20065,19981,19993,20024,20019,20002,20013,0] + [PKTLENS.....: 
214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214] new: [.....8] [ip4][..tcp] [.192.168.195.58][50917] -> [.....10.16.2.25][.2000] [MIDSTREAM] detected: [.....8] [ip4][..tcp] [.192.168.195.58][50917] -> [.....10.16.2.25][.2000] [CiscoSkinny][VoIP][Acceptable] analyse: [.....2] [ip4][..tcp] [.192.168.193.12][.2000] -> [.192.168.195.50][51532] [CiscoSkinny][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 7.046| 0.705| 1.877] - [IAT(c->s)...: 0.000| 7.000| 0.642| 1.801][IAT(s->c)...: 0.001| 7.046| 0.780| 1.963] - [PKTLEN(c->s): 60.000| 546.000| 139.000| 116.300][PKTLEN(s->c): 60.000| 106.000| 74.900| 19.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 7.046| 0.705| 1.877|3523893.789| 0.000] + [PKTLEN......: 60.000| 546.000| 110.900| 93.800| 8793.000| 4.700] [BINS(c->s)..: 10,2,0,0,4,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 10,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,1,0,1,1,1,0,0,0,0,1,0,1,0,0,1,0,1,1,0,1,1,1,0,1,0,0,0,0,1] + [IATS........: 15,57,704,686,19914,3582983,19282,3622236,2065,19,22,17967,15924,20052,36329,2146,19966,30884,40036,6899,19067,13061,64116,28324,103909,42273,80357,6999604,16,5837,7045910,0] + [PKTLENS.....: 90,82,86,60,266,60,74,74,60,82,70,78,60,546,60,198,198,60,198,60,102,186,60,106,106,60,106,60,82,82,78,60] new: [.....9] [ip4][.icmp] [.192.168.195.50] -> [.192.168.195.58] detected: [.....9] [ip4][.icmp] [.192.168.195.50] -> [.192.168.195.58] [ICMP][Network][Acceptable] idle: [.....9] [ip4][.icmp] [.192.168.195.50] -> [.192.168.195.58] [ICMP][Network][Acceptable] diff --git a/test/results/flow-info/skype-conference-call.pcap.out b/test/results/flow-info/skype-conference-call.pcap.out index 5f29973e0..0268b4dd8 100644 --- a/test/results/flow-info/skype-conference-call.pcap.out 
+++ b/test/results/flow-info/skype-conference-call.pcap.out @@ -5,12 +5,14 @@ detected: [.....1] [ip4][..udp] [...192.168.2.20][49282] -> [...104.46.40.49][60642] [STUN.Skype_TeamsCall][VoIP][Acceptable] RISK: Known Proto on Non Std Port analyse: [.....1] [ip4][..udp] [...192.168.2.20][49282] -> [...104.46.40.49][60642] [STUN.Skype_TeamsCall][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.100| 0.011| 0.022] - [IAT(c->s)...: 0.000| 0.055| 0.012| 0.017][IAT(s->c)...: 0.000| 0.100| 0.010| 0.027] - [PKTLEN(c->s): 85.000| 957.000| 443.100| 398.500][PKTLEN(s->c): 77.000| 209.000| 156.000| 30.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.100| 0.011| 0.022| 503.840| 0.000] + [PKTLEN......: 77.000| 957.000| 299.500| 317.000|100457.800| 4.400] [BINS(c->s)..: 0,1,4,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,1,2,12,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,1,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0] + [IATS........: 7339,44500,54477,177,54879,336,10342,20091,24441,100094,319,61,211,59,179,235,59,177,199,208,82,2810,14708,381,241,219,267,215,202,197,3718,0] + [PKTLENS.....: 146,146,114,114,146,114,150,152,145,137,209,77,169,169,169,169,169,169,169,169,169,169,114,85,957,957,957,957,957,957,169,135] idle: [.....1] [ip4][..udp] [...192.168.2.20][49282] -> [...104.46.40.49][60642] [STUN.Skype_TeamsCall][VoIP][Acceptable] RISK: Known Proto on Non Std Port DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/skype.pcap.out b/test/results/flow-info/skype.pcap.out index 00c7b8668..2f9139640 100644 --- a/test/results/flow-info/skype.pcap.out +++ b/test/results/flow-info/skype.pcap.out 
@@ -45,12 +45,14 @@ detected: [....18] [ip4][..tcp] [...192.168.1.34][50029] -> [..23.206.33.166][..443] [TLS.Skype_Teams][VoIP][Acceptable] RISK: TLS (probably) Not Carrying HTTPS analyse: [....15] [ip4][..tcp] [...192.168.1.34][50028] -> [.157.56.126.211][..443] [TLS.Skype_Teams][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.301| 0.083| 0.084] - [IAT(c->s)...: 0.000| 0.288| 0.076| 0.082][IAT(s->c)...: 0.000| 0.301| 0.092| 0.087] - [PKTLEN(c->s): 66.000|1383.000| 244.300| 332.700][PKTLEN(s->c): 66.000|1506.000| 535.600| 559.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.301| 0.083| 0.084| 7113.901| 0.000] + [PKTLEN......: 66.000| 1506.000| 371.800| 468.900|219872.600| 4.100] [BINS(c->s)..: 10,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0] [BINS(s->c)..: 4,1,0,1,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,1,0,0,0,1,0,1,1,0] + [IATS........: 75158,75224,28759,111209,161,82580,77181,227,77415,12662,300868,288212,83419,83480,324,86654,86327,3080,96533,93421,270,253866,5,253632,1,362,87184,86820,115773,3,115745,0] + [PKTLENS.....: 78,70,66,160,1506,86,66,1506,864,66,173,66,125,125,66,295,247,66,695,247,66,263,759,279,66,66,631,167,1383,1506,71,66] new: [....19] [ip4][..tcp] [...192.168.1.34][50030] -> [...65.55.223.33][..443] new: [....20] [ip4][..udp] [...192.168.1.34][60288] -> [....192.168.1.1][...53] detected: [....20] [ip4][..udp] [...192.168.1.34][60288] -> [....192.168.1.1][...53] [DNS.Skype_Teams][VoIP][Acceptable] 
@@ -446,12 +448,14 @@ new: [...225] [ip4][..tcp] [...192.168.1.34][50102] -> [...65.55.223.15][..443] new: [...226] [ip4][..tcp] [...192.168.1.34][50103] -> [....64.4.23.166][..443] analyse: [....22] [ip4][..udp] [..192.168.0.254][.1025] -> [239.255.255.250][.1900] [SSDP][System][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.015| 19.851| 1.938| 5.863] - [IAT(c->s)...: 0.015| 19.851| 1.938| 5.863][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 327.000| 405.000| 372.000| 29.200][PKTLEN(s->c): 0.000| 0.000| 0.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.015| 19.851| 1.938| 5.863|34377878.733| 0.000] + [PKTLEN......: 327.000| 405.000| 372.000| 29.200| 851.500| 5.000] [BINS(c->s)..: 0,0,0,0,0,0,0,0,3,10,6,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 15861,16704,16998,17146,15818,17029,16643,16363,16834,19850743,15743,18751,14698,83170,16831,19850724,16057,16593,16866,16918,16233,17002,16501,16455,16854,19850599,16277,16449,16736,16676,16486,0] + [PKTLENS.....: 333,351,405,397,327,369,401,347,399,393,333,351,405,397,399,393,333,351,405,397,327,369,401,347,399,393,333,351,405,397,327,369] update: [....69] [ip4][..udp] [...192.168.1.34][13021] -> [...157.56.52.24][40001] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable] update: [....76] [ip4][..udp] [...192.168.1.34][13021] -> [...157.56.52.21][40004] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable] update: [....42] [ip4][..udp] [...192.168.1.34][13021] -> [...157.56.52.33][40011] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable] 
@@ -517,12 +521,14 @@ detected: [...231] [ip4][.icmp] [....192.168.1.1] -> [...192.168.1.34] [ICMP][Network][Acceptable] new: [...232] [ip4][..tcp] [...192.168.1.34][50109] -> [.91.190.216.125][12350] analyse: [...227] [ip4][..tcp] [...192.168.1.34][50108] -> [...157.56.52.28][40009] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.965| 0.176| 0.204] - [IAT(c->s)...: 0.000| 0.965| 0.181| 0.230][IAT(s->c)...: 0.000| 0.761| 0.172| 0.177] - [PKTLEN(c->s): 66.000| 675.000| 148.300| 178.000][PKTLEN(s->c): 66.000|1506.000| 208.800| 360.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.965| 0.176| 0.204|41803.604| 0.000] + [PKTLEN......: 66.000| 1506.000| 178.600| 286.000|81813.500| 4.000] [BINS(c->s)..: 10,3,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 11,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,1,0,1] + [IATS........: 243983,244064,543,204260,761004,964718,546,202004,201464,40219,40223,162241,162248,40183,40179,200900,6,200973,204113,204068,127,240781,240640,207489,6,207586,2955,4516,199645,198010,41627,0] + [PKTLENS.....: 78,74,66,138,66,123,66,74,74,66,66,102,134,66,66,105,66,69,66,210,66,70,66,675,66,70,66,1506,120,619,549,66] not-detected: [...227] [ip4][..tcp] [...192.168.1.34][50108] -> [...157.56.52.28][40009] [Unknown][Unrated] new: [...233] [ip4][..tcp] [...192.168.1.34][50110] -> [.91.190.216.125][12350] new: [...234] [ip4][..udp] [...192.168.1.34][13021] -> [..176.26.55.167][63773] 
@@ -553,12 +559,14 @@ new: [...251] [ip4][..tcp] [...192.168.1.34][50121] -> [...81.83.77.141][17639] new: [...252] [ip4][..tcp] [...192.168.1.34][50122] -> [..81.133.19.185][44431] analyse: [...250] [ip4][..tcp] [...192.168.1.34][50119] -> [....86.31.35.30][59621] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.200| 0.063| 0.061] - [IAT(c->s)...: 0.000| 0.200| 0.051| 0.062][IAT(s->c)...: 0.000| 0.200| 0.081| 0.055] - [PKTLEN(c->s): 66.000| 820.000| 151.500| 194.100][PKTLEN(s->c): 66.000|1249.000| 211.100| 323.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.200| 0.063| 0.061| 3703.968| 0.000] + [PKTLEN......: 66.000| 1249.000| 173.800| 252.000|63524.500| 4.200] [BINS(c->s)..: 14,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,1,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,0,0,0,1,1,1,0,0,0,1,1,0,0] + [IATS........: 83391,83495,120,64053,63956,403,68492,68085,2947,71202,68249,199756,199749,154162,154128,2646,133845,131248,179,107,71,64327,8428,55511,127901,188,164,70489,3,70121,226,0] + [PKTLENS.....: 78,74,66,126,113,66,83,80,66,820,80,66,66,70,1249,66,623,166,144,94,133,123,66,66,146,66,94,87,361,66,66,93] not-detected: [...250] [ip4][..tcp] [...192.168.1.34][50119] -> [....86.31.35.30][59621] [Unknown][Unrated] new: [...253] [ip4][..tcp] [...192.168.1.34][50123] -> [...80.14.46.121][.4415] new: [...254] [ip4][..tcp] [...192.168.1.34][50124] -> [..81.133.19.185][44431] 
@@ -578,12 +586,14 @@ RISK: TLS (probably) Not Carrying HTTPS new: [...261] [ip4][..tcp] [...192.168.1.34][50129] -> [.91.190.218.125][12350] analyse: [...260] [ip4][..tcp] [...192.168.1.34][50128] -> [..17.172.100.36][..443] [TLS.AppleiCloud][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.605| 0.068| 0.136] - [IAT(c->s)...: 0.000| 0.449| 0.069| 0.123][IAT(s->c)...: 0.000| 0.605| 0.067| 0.145] - [PKTLEN(c->s): 54.000| 680.000| 233.300| 258.700][PKTLEN(s->c): 60.000|1494.000| 262.700| 415.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.605| 0.068| 0.136|18472.737| 0.000] + [PKTLEN......: 54.000| 1494.000| 248.900| 350.900|123149.100| 4.000] [BINS(c->s)..: 9,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,3,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,1,1,1,0,0,0,0,1,1,1,1] + [IATS........: 148679,148806,840,151642,7,49,150807,1,231,1,31483,95,153251,682,32561,5239,16750,14,176748,67,2129,1532,4,3534,1,449491,70,604696,5454,16453,7,0] + [PKTLENS.....: 78,60,54,287,60,146,91,54,54,60,91,680,620,60,60,60,60,387,90,54,54,1494,1221,80,54,54,673,632,60,60,387,90] update: [...108] [ip4][..udp] [...192.168.1.34][13021] -> [...157.56.52.26][40026] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable] update: [...111] [ip4][..udp] [...192.168.1.34][13021] -> [...157.56.52.47][40029] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable] update: [...104] [ip4][..udp] [...192.168.1.34][13021] -> [....64.4.23.146][33033] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable] 
@@ -625,12 +635,14 @@ new: [...263] [ip4][..udp] [...192.168.1.34][56387] -> [....192.168.1.1][...53] detected: [...263] [ip4][..udp] [...192.168.1.34][56387] -> [....192.168.1.1][...53] [DNS.Skype_Teams][VoIP][Acceptable] analyse: [...251] [ip4][..tcp] [...192.168.1.34][50121] -> [...81.83.77.141][17639] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.782| 0.325| 0.510] - [IAT(c->s)...: 0.000| 1.468| 0.280| 0.473][IAT(s->c)...: 0.060| 1.782| 0.388| 0.550] - [PKTLEN(c->s): 66.000| 819.000| 145.400| 200.500][PKTLEN(s->c): 66.000|1190.000| 174.800| 293.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.782| 0.325| 0.510|259840.393| 0.000] + [PKTLEN......: 66.000| 1190.000| 157.300| 243.100|59118.200| 4.100] [BINS(c->s)..: 14,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1,1,0,1,0] + [IATS........: 60786,60878,104,60135,60019,392,72414,72021,2895,63202,60274,262292,262312,157419,157474,3644,187775,184138,1852,62855,110047,171036,158,63674,63522,1468105,1782015,746099,1060012,1410290,1410276,0] + [PKTLENS.....: 78,74,66,111,127,66,82,80,66,819,80,66,66,70,1190,66,623,111,102,86,66,109,66,95,94,66,103,66,104,66,105,66] not-detected: [...251] [ip4][..tcp] [...192.168.1.34][50121] -> [...81.83.77.141][17639] [Unknown][Unrated] new: [...264] [ip4][..udp] [...192.168.1.34][52714] -> [....192.168.1.1][...53] detected: [...264] [ip4][..udp] [...192.168.1.34][52714] -> [....192.168.1.1][...53] [DNS.Skype_Teams][VoIP][Acceptable] 
@@ -717,12 +729,14 @@ update: [....11] [ip4][..udp] [...192.168.1.34][65045] -> [....192.168.1.1][...53] [DNS.Skype_Teams][VoIP][Acceptable] update: [...206] [ip4][..udp] [...192.168.1.34][13021] -> [213.199.179.145][40027] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable] analyse: [...248] [ip4][..tcp] [...192.168.1.34][50117] -> [...71.238.7.203][18767] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 25.524| 1.927| 6.197] - [IAT(c->s)...: 0.000| 25.524| 1.757| 5.960][IAT(s->c)...: 0.000| 25.388| 2.133| 6.467] - [PKTLEN(c->s): 66.000| 843.000| 152.000| 209.600][PKTLEN(s->c): 66.000|1090.000| 162.300| 258.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 25.524| 1.927| 6.197|38401982.071| 0.000] + [PKTLEN......: 66.000| 1090.000| 156.500| 232.300|53983.100| 4.100] [BINS(c->s)..: 14,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,0,1,1,0] + [IATS........: 228112,228245,119,219602,219451,352,214503,214173,209707,209682,96,381818,2061048,2011661,148181,480497,212142,212191,3594,275159,271497,162,220246,3,220142,134,216099,215969,136225,25387599,25523822,0] + [PKTLENS.....: 78,78,66,123,101,66,83,80,66,80,66,70,66,843,66,1090,66,156,66,623,108,134,93,66,112,66,95,122,66,66,81,66] not-detected: [...248] [ip4][..tcp] [...192.168.1.34][50117] -> [...71.238.7.203][18767] [Unknown][Unrated] new: [...274] [ip4][..udp] [...192.168.1.34][56886] -> [239.255.255.250][.1900] detected: [...274] [ip4][..udp] [...192.168.1.34][56886] -> [239.255.255.250][.1900] [SSDP][System][Acceptable] 
@@ -970,12 +984,14 @@ update: [....25] [ip4][..udp] [...192.168.1.34][13021] -> [.157.55.130.155][40020] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable] update: [....32] [ip4][..udp] [...192.168.1.34][13021] -> [.157.55.235.176][40022] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable] analyse: [...283] [ip4][..tcp] [...192.168.1.34][50138] -> [...71.238.7.203][18767] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 30.126| 1.349| 5.301] - [IAT(c->s)...: 0.000| 30.126| 2.016| 6.850][IAT(s->c)...: 0.075| 3.022| 0.424| 0.753] - [PKTLEN(c->s): 66.000| 842.000| 147.200| 204.700][PKTLEN(s->c): 66.000|1090.000| 167.300| 267.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 30.126| 1.349| 5.301|28102044.418| 0.000] + [PKTLEN......: 66.000| 1090.000| 155.400| 232.500|54056.900| 4.100] [BINS(c->s)..: 15,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,0,0,1,1,0,1,0,0] + [IATS........: 214728,214808,140,223488,223372,360,217535,217176,213636,213655,98,315319,2988490,3022192,145311,494208,215912,215930,3576,275623,272053,209,291401,291140,160,74979,137019,211866,164254,30125563,821148,0] + [PKTLENS.....: 78,78,66,106,101,66,83,80,66,80,66,70,66,842,66,1090,66,156,66,622,101,146,95,111,66,95,66,114,66,66,66,66] not-detected: [...283] [ip4][..tcp] [...192.168.1.34][50138] -> [...71.238.7.203][18767] [Unknown][Unrated] not-detected: [...221] [ip4][..tcp] [...192.168.1.34][50098] -> [...65.55.223.15][40026] [Unknown][Unrated] end: [...221] [ip4][..tcp] [...192.168.1.34][50098] -> [...65.55.223.15][40026] diff --git a/test/results/flow-info/skype_no_unknown.pcap.out b/test/results/flow-info/skype_no_unknown.pcap.out index 2b8c37035..8d2dad4fb 100644 --- a/test/results/flow-info/skype_no_unknown.pcap.out 
+++ b/test/results/flow-info/skype_no_unknown.pcap.out @@ -46,12 +46,14 @@ detected: [....19] [ip4][..tcp] [.17.143.160.149][.5223] -> [...192.168.1.34][50407] [TLS.Apple][Web][Safe] RISK: Known Proto on Non Std Port analyse: [....13] [ip4][..tcp] [...192.168.1.34][51230] -> [.157.56.126.211][..443] [TLS.Skype_Teams][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.302| 0.085| 0.091] - [IAT(c->s)...: 0.000| 0.287| 0.072| 0.082][IAT(s->c)...: 0.000| 0.302| 0.099| 0.098] - [PKTLEN(c->s): 66.000|1383.000| 254.800| 339.400][PKTLEN(s->c): 66.000|1506.000| 504.300| 552.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.302| 0.085| 0.091| 8331.101| 0.000] + [PKTLEN......: 66.000| 1506.000| 371.800| 468.900|219872.600| 4.100] [BINS(c->s)..: 9,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0] [BINS(s->c)..: 5,1,0,1,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,1,1] + [IATS........: 75602,75664,27532,108847,162,81462,75632,793,76430,15396,302172,286823,74727,74702,490,91055,90550,1676,83562,81907,257,247113,246931,287,176,301,92281,92015,289787,38677,4,0] + [PKTLENS.....: 78,70,66,160,1506,86,66,1506,864,66,173,66,125,125,66,295,247,66,695,247,66,263,759,66,279,66,631,167,1383,66,1506,71] new: [....20] [ip4][..udp] [...192.168.1.34][50055] -> [....192.168.1.1][...53] detected: [....20] [ip4][..udp] [...192.168.1.34][50055] -> [....192.168.1.1][...53] [DNS.Skype_Teams][VoIP][Acceptable] new: [....21] [ip4][..udp] [...192.168.1.34][51753] -> [....192.168.1.1][...53] 
@@ -60,12 +62,14 @@ new: [....23] [ip4][..tcp] [...192.168.1.34][51227] -> [..17.172.100.36][..443] [MIDSTREAM] detected: [....23] [ip4][..tcp] [...192.168.1.34][51227] -> [..17.172.100.36][..443] [TLS.Apple][Web][Safe] analyse: [....23] [ip4][..tcp] [...192.168.1.34][51227] -> [..17.172.100.36][..443] [TLS.Apple][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.077| 0.169| 0.340] - [IAT(c->s)...: 0.000| 0.933| 0.208| 0.334][IAT(s->c)...: 0.000| 1.077| 0.143| 0.342] - [PKTLEN(c->s): 54.000| 680.000| 273.600| 284.800][PKTLEN(s->c): 60.000| 661.000| 204.200| 210.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.077| 0.169| 0.340|115831.161| 0.000] + [PKTLEN......: 54.000| 680.000| 238.900| 252.700|63877.700| 4.300] [BINS(c->s)..: 10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,3,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,1,1,1,0,0,1,1,0,0,0,0,1,1,1,1,0,0,1,1,0,0,0,0,1,1,1,0,1,0] + [IATS........: 72,141755,4583,11838,4,158204,1417,4,1400,933119,61,1077385,3887,16084,4,164206,1860,3,1840,866377,142,1010555,4963,11788,160778,157,141,0,0,0,0,0] + [PKTLENS.....: 680,622,60,60,387,90,54,54,656,80,54,54,673,630,60,60,387,90,54,54,661,80,54,54,677,556,60,60,387,54,90,54] new: [....24] [ip4][..udp] [...192.168.1.34][..137] -> [..192.168.1.255][..137] detected: [....24] [ip4][..udp] [...192.168.1.34][..137] -> [..192.168.1.255][..137] [NetBIOS][System][Acceptable] new: [....25] [ip4][..udp] [....192.168.1.1][..137] -> [...192.168.1.34][..137] 
@@ -460,12 +464,14 @@ new: [...227] [ip4][..tcp] [...192.168.1.34][51284] -> [.91.190.218.125][12350] new: [...228] [ip4][..tcp] [...192.168.1.34][51285] -> [.91.190.218.125][12350] analyse: [...210] [ip4][..tcp] [...192.168.1.34][51279] -> [..111.221.74.48][40008] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.297| 0.245| 0.278] - [IAT(c->s)...: 0.000| 1.006| 0.237| 0.242][IAT(s->c)...: 0.000| 1.297| 0.253| 0.312] - [PKTLEN(c->s): 66.000| 675.000| 147.000| 182.100][PKTLEN(s->c): 66.000|1506.000| 218.700| 370.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.297| 0.245| 0.278|77244.252| 0.000] + [PKTLEN......: 66.000| 1506.000| 180.600| 288.600|83264.900| 4.000] [BINS(c->s)..: 11,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 11,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] + [DIRECTIONS..: 0,0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,1,0] + [IATS........: 1006187,1296903,290818,554,292771,2163,294344,530,293322,292842,39566,39558,253265,253274,40127,40121,350396,3,350380,293934,293924,133,334278,334179,299989,7,300043,2124,4226,292441,290303,0] + [PKTLENS.....: 78,78,74,66,116,66,169,66,74,74,66,66,112,95,66,66,105,66,69,66,210,66,70,66,675,66,70,66,1506,120,617,609] not-detected: [...210] [ip4][..tcp] [...192.168.1.34][51279] -> [..111.221.74.48][40008] [Unknown][Unrated] new: [...229] [ip4][..tcp] [...192.168.1.34][51286] -> [.91.190.218.125][..443] new: [...230] [ip4][..udp] [...192.168.1.34][13021] -> [.174.49.171.224][32011] 
@@ -525,12 +531,14 @@ new: [...251] [ip4][..tcp] [...192.168.1.34][51302] -> [.91.190.216.125][..443] new: [...252] [ip4][..tcp] [...192.168.1.34][51303] -> [...80.121.84.93][62381] analyse: [...242] [ip4][..tcp] [...192.168.1.34][51294] -> [...81.83.77.141][17639] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 2.004| 0.281| 0.501] - [IAT(c->s)...: 0.000| 1.936| 0.239| 0.489][IAT(s->c)...: 0.064| 2.004| 0.333| 0.510] - [PKTLEN(c->s): 66.000| 818.000| 151.600| 204.400][PKTLEN(s->c): 66.000|1190.000| 164.500| 284.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 2.004| 0.281| 0.501|251090.993| 0.000] + [PKTLEN......: 66.000| 1190.000| 157.200| 243.000|59065.600| 4.100] [BINS(c->s)..: 13,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1] + [IATS........: 69753,69875,128,64112,63941,396,65391,64977,1952,66745,64884,268026,267948,126507,126511,3724,173414,169731,172,68870,95737,164424,174,67018,66860,198434,1936170,2004084,795927,1062252,592589,0] + [PKTLENS.....: 78,74,66,131,94,66,82,80,66,818,80,66,66,70,1190,66,622,109,110,92,66,109,66,93,87,66,66,104,66,105,66,111] not-detected: [...242] [ip4][..tcp] [...192.168.1.34][51294] -> [...81.83.77.141][17639] [Unknown][Unrated] new: [...253] [ip4][..tcp] [...192.168.1.34][51305] -> [...149.13.32.15][13392] new: [...254] [ip4][..tcp] [...192.168.1.34][51306] -> [...80.121.84.93][62381] 
@@ -611,12 +619,14 @@ new: [...266] [ip4][..udp] [...192.168.1.34][13021] -> [..133.236.67.25][49195] detected: [...266] [ip4][..udp] [...192.168.1.34][13021] -> [..133.236.67.25][49195] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable] analyse: [....49] [ip4][..udp] [..192.168.0.254][.1025] -> [239.255.255.250][.1900] [SSDP][System][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 19.857| 1.935| 5.865] - [IAT(c->s)...: 0.000| 19.857| 1.935| 5.865][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 327.000| 405.000| 370.700| 29.100][PKTLEN(s->c): 0.000| 0.000| 0.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 19.857| 1.935| 5.865|34398418.239| 0.000] + [PKTLEN......: 327.000| 405.000| 370.700| 29.100| 844.300| 5.000] [BINS(c->s)..: 0,0,0,0,0,0,0,0,4,9,7,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 557,584,518,491,526,99678,590,558,630,19856559,16227,16968,16620,16461,16743,19850608,16179,16542,16730,16663,16557,16953,16553,16675,16584,19850616,15995,16653,16828,16721,16628,0] + [PKTLENS.....: 333,351,405,397,327,369,401,347,399,393,327,369,401,347,399,393,333,351,405,397,327,369,401,347,399,393,333,351,405,397,327,369] new: [...267] [ip4][..tcp] [...192.168.1.34][51319] -> [...212.161.8.36][13392] idle: [...233] [ip4][..udp] [...192.168.1.34][13021] -> [189.188.134.174][22436] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable] guessed: [....75] [ip4][..tcp] [...192.168.1.34][51240] -> [..111.221.74.45][..443] [TLS][Web][Safe] diff --git a/test/results/flow-info/smb_deletefile.pcap.out b/test/results/flow-info/smb_deletefile.pcap.out index c8b3c7c23..70e783b89 100644 --- a/test/results/flow-info/smb_deletefile.pcap.out +++ b/test/results/flow-info/smb_deletefile.pcap.out 
@@ -4,11 +4,13 @@ new: [.....1] [ip4][..tcp] [..192.168.1.118][56848] -> [..192.168.1.187][..445] [MIDSTREAM] detected: [.....1] [ip4][..tcp] [..192.168.1.118][56848] -> [..192.168.1.187][..445] [NetBIOS.SMBv23][System][Acceptable] analyse: [.....1] [ip4][..tcp] [..192.168.1.118][56848] -> [..192.168.1.187][..445] [NetBIOS.SMBv23][System][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 2.158| 0.143| 0.529] - [IAT(c->s)...: 0.000| 2.157| 0.116| 0.481][IAT(s->c)...: 0.000| 2.158| 0.184| 0.595] - [PKTLEN(c->s): 54.000| 466.000| 202.600| 166.500][PKTLEN(s->c): 60.000| 554.000| 373.300| 180.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 2.158| 0.143| 0.529|280112.169| 0.000] + [PKTLEN......: 54.000| 554.000| 266.600| 190.900|36432.900| 4.600] [BINS(c->s)..: 10,0,0,2,0,0,0,1,0,0,4,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,1,2,0,0,0,0,0,1,0,1,1,0,1,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,0,1,0,0,1,0,1,0,0,0,1,1,0,1,0,0,1,0,0,1,0,0,1,0,0,1] + [IATS........: 1172,1225,2157281,2158424,1159,87,1253,1160,7461,9355,1883,124,103,75,20,492,151,550,5618,5637,4741,5866,1131,107,1245,1127,130,997,857,25951,26895,0] + [PKTLENS.....: 434,554,54,378,522,54,394,538,54,466,180,54,554,54,158,154,60,158,54,130,54,394,538,54,434,410,54,298,370,54,402,466] idle: [.....1] [ip4][..tcp] [..192.168.1.118][56848] -> [..192.168.1.187][..445] [NetBIOS.SMBv23][System][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/smtp-starttls.pcap.out b/test/results/flow-info/smtp-starttls.pcap.out index 5329c18b1..66756fd89 100644 --- a/test/results/flow-info/smtp-starttls.pcap.out +++ b/test/results/flow-info/smtp-starttls.pcap.out 
@@ -11,12 +11,14 @@ detection-update: [.....1] [ip4][..tcp] [.......10.0.0.1][57406] -> [..173.194.68.26][...25] [SMTPS.Google][Email][Acceptable] RISK: Obsolete TLS (v1.1 or older) analyse: [.....1] [ip4][..tcp] [.......10.0.0.1][57406] -> [..173.194.68.26][...25] [SMTPS.Google][Email][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.157| 0.030| 0.035] - [IAT(c->s)...: 0.000| 0.157| 0.032| 0.040][IAT(s->c)...: 0.000| 0.104| 0.027| 0.029] - [PKTLEN(c->s): 66.000| 752.000| 158.800| 176.200][PKTLEN(s->c): 66.000|1484.000| 338.600| 460.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.157| 0.030| 0.035| 1204.841| 0.000] + [PKTLEN......: 66.000| 1484.000| 254.300| 368.100|135468.500| 4.100] [BINS(c->s)..: 9,3,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,3,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,1,0,0,1] + [IATS........: 11168,11193,11857,11849,79,11152,39169,67072,28169,11489,12210,262,12322,26,24821,37890,13457,11887,11608,11639,11817,51431,103694,156957,13622,11529,11126,16410,67319,42853,94080,0] + [PKTLENS.....: 74,74,66,117,66,94,66,220,76,96,178,1484,1484,66,919,380,276,119,231,127,131,127,66,172,752,66,94,66,142,66,97,147] DAEMON-EVENT: [Processed: 36 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 4|updates: 0] new: [.....2] [ip6][..tcp] [...2003:de:2016:125:fc36:8317:4e86:cb72][.7562] -> [...............2003:de:2016:120::a08:53][...25] 
@@ -26,12 +28,14 @@ detection-update: [.....2] [ip6][..tcp] [...2003:de:2016:125:fc36:8317:4e86:cb72][.7562] -> [...............2003:de:2016:120::a08:53][...25] [SMTPS][Email][Safe] RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS analyse: [.....2] [ip6][..tcp] [...2003:de:2016:125:fc36:8317:4e86:cb72][.7562] -> [...............2003:de:2016:120::a08:53][...25] [SMTPS][Email][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.203| 0.019| 0.049] - [IAT(c->s)...: 0.000| 0.203| 0.020| 0.050][IAT(s->c)...: 0.000| 0.202| 0.018| 0.048] - [PKTLEN(c->s): 78.000|1112.000| 187.100| 243.900][PKTLEN(s->c): 78.000|1218.000| 209.800| 269.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.203| 0.019| 0.049| 2372.381| 0.000] + [PKTLEN......: 78.000| 1218.000| 198.500| 257.100|66086.800| 4.300] [BINS(c->s)..: 7,4,2,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,4,2,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,1,0,1,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,1,0,1,0,0,1,0] + [IATS........: 744,995,19017,29506,11113,127,1248,999,1000,6126,12754,624,8625,202034,202908,998,7251,6751,7252,7260,1247,2128,2995,378,21009,21750,990,6762,2,6750,736,0] + [PKTLENS.....: 90,90,78,136,128,78,230,88,108,260,1218,204,157,336,245,78,167,121,141,121,113,144,78,1112,78,143,113,122,109,78,109,78] end: [.....2] [ip6][..tcp] [...2003:de:2016:125:fc36:8317:4e86:cb72][.7562] -> [...............2003:de:2016:120::a08:53][...25] [SMTPS][Email][Safe] RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS end: [.....1] [ip4][..tcp] [.......10.0.0.1][57406] -> [..173.194.68.26][...25] [SMTPS.Google][Email][Acceptable] diff --git a/test/results/flow-info/smtp.pcap.out b/test/results/flow-info/smtp.pcap.out index 7fb8fbb80..4882fc206 100644 --- a/test/results/flow-info/smtp.pcap.out +++ b/test/results/flow-info/smtp.pcap.out 
@@ -4,11 +4,13 @@ new: [.....1] [ip4][..tcp] [..194.7.248.153][.2127] -> [.172.16.114.207][...25] detected: [.....1] [ip4][..tcp] [..194.7.248.153][.2127] -> [.172.16.114.207][...25] [SMTP][Email][Acceptable] analyse: [.....1] [ip4][..tcp] [..194.7.248.153][.2127] -> [.172.16.114.207][...25] [SMTP][Email][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.055| 0.006| 0.012] - [IAT(c->s)...: 0.001| 0.031| 0.006| 0.010][IAT(s->c)...: 0.000| 0.055| 0.006| 0.014] - [PKTLEN(c->s): 60.000| 94.000| 84.400| 13.000][PKTLEN(s->c): 60.000| 138.000| 90.800| 16.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.055| 0.006| 0.012| 143.094| 0.000] + [PKTLEN......: 60.000| 138.000| 87.600| 15.200| 230.100| 5.000] [BINS(c->s)..: 5,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,12,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 316,1134,19693,31096,24595,55118,2208,21382,1142,1166,1125,1230,1225,1086,1083,1063,1064,1068,1066,1077,1106,1085,1057,1068,1067,1048,1046,1060,1062,1055,1054,0] + [PKTLENS.....: 60,60,60,138,60,76,60,80,76,98,90,97,93,92,93,92,94,93,93,92,93,92,94,93,92,91,91,90,94,93,92,91] end: [.....1] [ip4][..tcp] [..194.7.248.153][.2127] -> [.172.16.114.207][...25] [SMTP][Email][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/snapchat_call.pcapng.out b/test/results/flow-info/snapchat_call.pcapng.out index 3bbefe491..6fa783631 100644 --- a/test/results/flow-info/snapchat_call.pcapng.out +++ b/test/results/flow-info/snapchat_call.pcapng.out 
@@ -7,12 +7,14 @@ detection-update: [.....1] [ip4][..udp] [.192.168.12.169][42083] -> [.18.184.138.142][..443] [QUIC.SnapchatCall][VoIP][Acceptable] RISK: Missing SNI TLS Extn analyse: [.....1] [ip4][..udp] [.192.168.12.169][42083] -> [.18.184.138.142][..443] [QUIC.SnapchatCall][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.447| 0.221| 0.397] - [IAT(c->s)...: 0.000| 1.173| 0.201| 0.353][IAT(s->c)...: 0.000| 1.447| 0.240| 0.434] - [PKTLEN(c->s): 70.000|1392.000| 285.900| 438.500][PKTLEN(s->c): 62.000|1392.000| 406.000| 489.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.447| 0.221| 0.397|157833.134| 0.000] + [PKTLEN......: 62.000| 1392.000| 345.900| 468.500|219532.900| 4.000] [BINS(c->s)..: 4,8,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0] [BINS(s->c)..: 4,4,0,0,0,0,0,0,2,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,1,0,1,1,1,1,0,0,0,1,0,0,1,1] + [IATS........: 16846,68,30414,96,24231,5110,25,16,20308,29142,5531,102,7,211,2051,54351,38,19,507575,1447282,48721,53521,57932,1172660,3328,7500,379723,803486,440070,1155688,589800,0] + [PKTLENS.....: 1392,1392,1392,1392,625,78,1392,62,428,70,86,80,80,80,201,100,62,62,62,86,351,303,351,303,86,70,70,86,70,86,86,86] idle: [.....1] [ip4][..udp] [.192.168.12.169][42083] -> [.18.184.138.142][..443] [QUIC.SnapchatCall][VoIP][Acceptable] RISK: Missing SNI TLS Extn DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/softether.pcap.out b/test/results/flow-info/softether.pcap.out index 9c693fe56..a26ebe9e4 100644 --- a/test/results/flow-info/softether.pcap.out +++ b/test/results/flow-info/softether.pcap.out 
@@ -72,12 +72,14 @@ DAEMON-EVENT: [Processed: 130 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 6|updates: 29] analyse: [.....6] [ip4][..udp] [..192.168.2.100][51381] -> [..130.158.6.113][.5004] [Softether][VPN][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.257|1566.080| 36.711| 451.865] - [IAT(c->s)...: 5.427|1540.291| 169.774| 407.981][IAT(s->c)...: 0.257|1566.080| 181.109| 428.570] - [PKTLEN(c->s): 43.000| 522.000| 99.400| 154.300][PKTLEN(s->c): 70.000| 370.000| 110.000| 102.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.257| 1566.080| 36.711| 451.865|204182401654.456| 0.000] + [PKTLEN......: 43.000| 522.000| 104.300| 132.500|17556.200| 4.300] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 13,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1] + [IATS........: 257000,27676000,27674000,26195000,26194000,26159000,26161000,10299000,10301000,14858000,14853000,27814000,27815000,25788000,1540291232,1566080232,18689000,18689000,5427000,5426000,27856000,27856000,26072000,26072000,26524000,26524000,24993000,24993000,25093000,862645000,887738000,0] + [PKTLENS.....: 43,70,43,70,43,70,43,70,522,370,43,70,43,70,43,43,70,522,370,43,70,43,70,43,70,43,70,43,70,43,43,70] update: [.....6] [ip4][..udp] [..192.168.2.100][51381] -> [..130.158.6.113][.5004] [Softether][VPN][Acceptable] update: [.....6] [ip4][..udp] [..192.168.2.100][51381] -> [..130.158.6.113][.5004] [Softether][VPN][Acceptable] update: [.....6] [ip4][..udp] [..192.168.2.100][51381] -> [..130.158.6.113][.5004] [Softether][VPN][Acceptable] diff --git a/test/results/flow-info/ssh.pcap.out b/test/results/flow-info/ssh.pcap.out index 6e147de6b..97b5110b1 100644 --- a/test/results/flow-info/ssh.pcap.out 
+++ b/test/results/flow-info/ssh.pcap.out @@ -13,12 +13,14 @@ detection-update: [.....1] [ip4][..tcp] [...172.16.238.1][58395] -> [.172.16.238.168][...22] [SSH][RemoteAccess][Acceptable] RISK: SSH Obsolete Cli Vers/Cipher, SSH Obsolete Ser Vers/Cipher analyse: [.....1] [ip4][..tcp] [...172.16.238.1][58395] -> [.172.16.238.168][...22] [SSH][RemoteAccess][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 2.907| 0.395| 0.889] - [IAT(c->s)...: 0.000| 2.907| 0.445| 0.955][IAT(s->c)...: 0.000| 2.633| 0.333| 0.796] - [PKTLEN(c->s): 66.000| 970.000| 150.500| 205.300][PKTLEN(s->c): 66.000| 850.000| 201.200| 255.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 2.907| 0.395| 0.889|789856.780| 0.000] + [PKTLEN......: 66.000| 970.000| 172.700| 230.100|52961.800| 4.200] [BINS(c->s)..: 12,1,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,1,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,1,0,1,1,0,0,1,0,0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0] + [IATS........: 26,41,8112,8146,295,788,470,140,1469,1611,306,1791,1560,1614,14729,13069,1842,42337,40496,170,257,393,251,40593,51194,91555,2632288,2632557,1868772,1869058,2907110,0] + [PKTLENS.....: 78,74,66,87,66,87,66,970,66,850,66,90,218,66,210,786,66,82,66,114,66,114,66,130,66,146,66,210,66,146,66,210] end: [.....1] [ip4][..tcp] [...172.16.238.1][58395] -> [.172.16.238.168][...22] [SSH][RemoteAccess][Acceptable] RISK: SSH Obsolete Cli Vers/Cipher, SSH Obsolete Ser Vers/Cipher DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/starcraft_battle.pcap.out b/test/results/flow-info/starcraft_battle.pcap.out index 294c3df47..0ced38f42 100644 --- a/test/results/flow-info/starcraft_battle.pcap.out +++ b/test/results/flow-info/starcraft_battle.pcap.out 
@@ -42,12 +42,14 @@ detection-update: [....15] [ip4][..tcp] [..192.168.1.100][.3508] -> [.87.248.221.254][...80] [HTTP][Download][Acceptable] RISK: Binary App Transfer, Suspicious DGA Domain name analyse: [....15] [ip4][..tcp] [..192.168.1.100][.3508] -> [.87.248.221.254][...80] [HTTP][Download][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.072| 0.012| 0.024] - [IAT(c->s)...: 0.000| 0.072| 0.013| 0.025][IAT(s->c)...: 0.000| 0.058| 0.012| 0.022] - [PKTLEN(c->s): 54.000| 241.000| 66.400| 45.200][PKTLEN(s->c): 60.000|1514.000|1332.600| 479.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.072| 0.012| 0.024| 562.008| 0.000] + [PKTLEN......: 54.000| 1514.000| 699.500| 719.000|516967.300| 4.100] [BINS(c->s)..: 15,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 58058,58113,96,58244,14251,72387,112,82,193,195,145,152,166,165,184,184,148,146,165,165,56805,56877,234,178,216,245,157,122,91,74,234,0] + [PKTLENS.....: 66,66,54,241,60,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514] new: [....16] [ip4][..tcp] [..192.168.1.100][.3512] -> [..12.129.222.54][...80] detected: [....16] [ip4][..tcp] [..192.168.1.100][.3512] -> [..12.129.222.54][...80] [HTTP.WorldOfWarcraft][Game][Fun] new: [....17] [ip4][..tcp] [..192.168.1.100][.3492] -> [...2.228.46.104][..443] [MIDSTREAM] 
@@ -84,12 +86,14 @@ detected: [....31] [ip4][..tcp] [..192.168.1.100][.3517] -> [213.248.127.130][.1119] [Starcraft][Game][Fun] detected: [....33] [ip4][..tcp] [..192.168.1.100][.3519] -> [..80.239.186.21][...80] [HTTP][Web][Acceptable] analyse: [....31] [ip4][..tcp] [..192.168.1.100][.3517] -> [213.248.127.130][.1119] [Starcraft][Game][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.166| 0.038| 0.053] - [IAT(c->s)...: 0.000| 0.129| 0.024| 0.040][IAT(s->c)...: 0.024| 0.166| 0.097| 0.062] - [PKTLEN(c->s): 54.000| 249.000| 88.800| 47.600][PKTLEN(s->c): 60.000| 797.000| 236.000| 266.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.166| 0.038| 0.053| 2837.592| 0.000] + [PKTLEN......: 54.000| 797.000| 116.400| 136.000|18494.500| 4.500] [BINS(c->s)..: 23,0,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 52549,52614,94628,145687,24327,95105,95914,166321,70940,49609,160290,31197,128649,15235,41,28,25,24,29,35,25,23,24,30,27,23,28,23,22,29,22,0] + [PKTLENS.....: 66,60,54,156,60,797,54,234,317,54,249,60,122,56,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77] new: [....34] [ip4][..udp] [..192.168.1.100][53146] -> [...5.42.180.154][.1119] new: [....35] [ip4][..udp] [..192.168.1.100][53146] -> [..62.115.246.51][.1119] new: [....36] [ip4][..udp] [..192.168.1.100][.6113] -> [213.248.127.212][.1119] 
@@ -125,12 +129,14 @@ detected: [....50] [ip4][..tcp] [..192.168.1.100][.3532] -> [...2.228.46.112][...80] [HTTP][Web][Acceptable] detected: [....51] [ip4][..tcp] [..192.168.1.100][.3533] -> [...2.228.46.112][...80] [HTTP][Web][Acceptable] analyse: [....45] [ip4][..tcp] [..192.168.1.100][.3527] -> [...2.228.46.112][...80] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.034| 0.007| 0.013] - [IAT(c->s)...: 0.000| 0.034| 0.009| 0.015][IAT(s->c)...: 0.000| 0.034| 0.005| 0.012] - [PKTLEN(c->s): 54.000| 203.000| 67.400| 41.000][PKTLEN(s->c): 60.000|1514.000|1368.900| 435.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.034| 0.007| 0.013| 169.003| 0.000] + [PKTLEN......: 54.000| 1514.000| 880.800| 718.400|516058.300| 4.400] [BINS(c->s)..: 11,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0] + [IATS........: 32476,32510,1623,34324,1138,65,33880,153,130,283,141,278,419,213,122,339,108,139,244,139,597,734,100,131,232,130,134,265,32899,285,33184,0] + [PKTLENS.....: 66,66,54,203,60,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54] guessed: [....35] [ip4][..udp] [..192.168.1.100][53146] -> [..62.115.246.51][.1119] [Starcraft][Game][Fun] idle: [....35] [ip4][..udp] [..192.168.1.100][53146] -> [..62.115.246.51][.1119] guessed: [....11] [ip4][..tcp] [..192.168.1.100][.2759] -> [.64.233.184.188][.5228] [Google][Web][Acceptable] diff --git a/test/results/flow-info/stun.pcap.out b/test/results/flow-info/stun.pcap.out index 30e0433fa..6e7012c4f 100644 --- a/test/results/flow-info/stun.pcap.out +++ b/test/results/flow-info/stun.pcap.out 
@@ -6,12 +6,14 @@ update: [.....1] [ip6][..udp] [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603][56880] -> [....2a38:e156:8167:a333:face:b00c::24d9][.3478] [STUN][Network][Acceptable] update: [.....1] [ip6][..udp] [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603][56880] -> [....2a38:e156:8167:a333:face:b00c::24d9][.3478] [STUN][Network][Acceptable] analyse: [.....1] [ip6][..udp] [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603][56880] -> [....2a38:e156:8167:a333:face:b00c::24d9][.3478] [STUN][Network][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.003| 10.359| 9.105| 2.980] - [IAT(c->s)...: 0.003| 10.359| 9.409| 2.515][IAT(s->c)...: 0.003| 10.359| 8.821| 3.333] - [PKTLEN(c->s): 82.000| 82.000| 82.000| 0.000][PKTLEN(s->c): 106.000| 106.000| 106.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.003| 10.359| 9.105| 2.980|8880623.976| 0.000] + [PKTLEN......: 82.000| 106.000| 94.000| 12.000| 144.000| 5.000] [BINS(c->s)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 6861,10132226,10132257,10358549,2935,10358540,2867,10055433,10055494,10056921,10056927,10057230,10057183,10053930,10053957,10069481,10069496,10027109,10027105,10027261,10027286,10063952,10063896,10098322,10098363,10035461,10035403,10061356,10061442,10028354,10028259,0] + [PKTLENS.....: 82,106,82,106,82,82,106,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106] update: [.....1] [ip6][..udp] [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603][56880] -> [....2a38:e156:8167:a333:face:b00c::24d9][.3478] [STUN][Network][Acceptable] DAEMON-EVENT: [Processed: 42 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 3] 
@@ -19,12 +21,14 @@ detected: [.....2] [ip4][..udp] [.192.168.12.169][38123] -> [....31.13.86.54][40003] [STUN.FacebookVoip][VoIP][Acceptable] RISK: Known Proto on Non Std Port analyse: [.....2] [ip4][..udp] [.192.168.12.169][38123] -> [....31.13.86.54][40003] [STUN.FacebookVoip][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 6.004| 0.447| 1.463] - [IAT(c->s)...: 0.000| 6.004| 0.427| 1.443][IAT(s->c)...: 0.000| 5.997| 0.468| 1.483] - [PKTLEN(c->s): 70.000| 182.000| 164.100| 28.400][PKTLEN(s->c): 86.000| 174.000| 141.700| 32.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 6.004| 0.447| 1.463|2139022.033| 0.000] + [PKTLEN......: 70.000| 182.000| 153.600| 32.100| 1033.400| 5.000] [BINS(c->s)..: 1,0,0,4,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,3,1,6,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,1,0,1,1,0,0,1,0,0,1,0,1,1,0,0,1,0,0,1,1,1,0,0,1,0,1] + [IATS........: 11521,15638,15947,6004359,4743,5997443,4483,7520,7140,108439,344493,499169,68464,195,19689,29038,92171,23636,96419,1566,50324,48303,277,50092,3265,34,52919,437,9663,44853,232153,0] + [PKTLENS.....: 70,146,178,118,182,182,154,182,154,86,178,178,174,182,142,86,178,142,174,142,178,174,142,178,142,174,142,182,142,86,174,174] idle: [.....1] [ip6][..udp] [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603][56880] -> [....2a38:e156:8167:a333:face:b00c::24d9][.3478] [STUN][Network][Acceptable] DAEMON-EVENT: [Processed: 117 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 3] 
@@ -37,12 +41,14 @@ new: [.....4] [ip4][..udp] [.192.168.12.169][49153] -> [..142.250.82.99][.3478] detected: [.....4] [ip4][..udp] [.192.168.12.169][49153] -> [..142.250.82.99][.3478] [STUN.GoogleHangoutDuo][VoIP][Acceptable] analyse: [.....4] [ip4][..udp] [.192.168.12.169][49153] -> [..142.250.82.99][.3478] [STUN.GoogleHangoutDuo][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.836| 0.131| 0.227] - [IAT(c->s)...: 0.009| 0.836| 0.131| 0.247][IAT(s->c)...: 0.000| 0.625| 0.132| 0.204] - [PKTLEN(c->s): 107.000| 588.000| 161.600| 109.700][PKTLEN(s->c): 76.000|1240.000| 229.100| 297.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.836| 0.131| 0.227|51553.292| 0.000] + [PKTLEN......: 76.000| 1240.000| 193.200| 221.300|48965.100| 4.500] [BINS(c->s)..: 0,0,9,5,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,2,9,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,1,0,0,1,1,0,1,1,0,0,1,0,0,0,0,0] + [IATS........: 22933,25637,18754,26966,8994,16545,8218,21,95990,9415,96088,13935,9667,14034,28,10,28365,12045,233249,17389,835905,625348,352669,699812,203670,550729,72132,9045,20632,28113,14681,0] + [PKTLENS.....: 150,134,195,154,1240,588,134,123,612,123,154,159,175,134,155,107,111,107,127,76,107,154,134,76,124,154,134,108,108,109,109,109] idle: [.....4] [ip4][..udp] [.192.168.12.169][49153] -> [..142.250.82.99][.3478] [STUN.GoogleHangoutDuo][VoIP][Acceptable] idle: [.....3] [ip4][..tcp] [...87.47.100.17][.3478] -> [....54.1.57.155][37257] [STUN][Network][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/stun_signal.pcapng.out b/test/results/flow-info/stun_signal.pcapng.out index 1ac98e2a4..3ab39e963 100644 --- a/test/results/flow-info/stun_signal.pcapng.out +++ b/test/results/flow-info/stun_signal.pcapng.out 
@@ -33,24 +33,28 @@ detected: [....14] [ip4][..udp] [.192.168.12.169][43068] -> [.18.195.131.143][61156] [STUN.AmazonAWS][Cloud][Acceptable] RISK: Known Proto on Non Std Port analyse: [....14] [ip4][..udp] [.192.168.12.169][43068] -> [.18.195.131.143][61156] [STUN.AmazonAWS][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.679| 0.149| 0.201] - [IAT(c->s)...: 0.000| 0.601| 0.154| 0.181][IAT(s->c)...: 0.000| 0.679| 0.145| 0.217] - [PKTLEN(c->s): 70.000| 146.000| 106.500| 27.000][PKTLEN(s->c): 70.000| 138.000| 105.200| 22.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.679| 0.149| 0.201|40331.911| 0.000] + [PKTLEN......: 70.000| 146.000| 105.900| 24.900| 621.500| 5.000] [BINS(c->s)..: 4,3,4,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,4,5,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,0,0,0,1,1,0,1,1,0,0,0,1,1,0,1,0,1,1,0,0,1,1,1,0,0,1,0,0,1] + [IATS........: 83894,37,92476,7793,46066,91419,25,37867,39955,9097,41868,367689,125,441001,43,600796,610250,117949,49918,49758,64212,212886,679364,8747,45,503798,102888,200994,101814,9344,62177,0] + [PKTLENS.....: 138,106,138,106,146,146,106,138,106,106,138,106,98,70,98,70,138,106,98,98,138,106,70,98,70,70,70,138,106,98,70,98] update: [.....7] [ip4][.icmp] [.35.158.183.167] -> [.192.168.12.169] [ICMP][Network][Acceptable] detected: [....10] [ip4][..udp] [.192.168.12.169][43068] -> [172.253.121.127][19302] [STUN.AmazonAWS][Cloud][Acceptable] RISK: Known Proto on Non Std Port detected: [....11] [ip4][..udp] [.192.168.12.169][39950] -> [172.253.121.127][19302] [STUN.GoogleHangoutDuo][VoIP][Acceptable] RISK: Known Proto on Non Std Port analyse: [.....7] [ip4][.icmp] [.35.158.183.167] -> [.192.168.12.169] [ICMP][Network][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 17.079| 1.597| 3.547] - [IAT(c->s)...: 0.000| 17.079| 1.540| 3.605][IAT(s->c)...: 
0.000| 4.842| 2.421| 2.421] - [PKTLEN(c->s): 90.000| 98.000| 92.700| 3.800][PKTLEN(s->c): 138.000| 138.000| 138.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 17.079| 1.597| 3.547|12584568.750| 0.000] + [PKTLEN......: 90.000| 138.000| 95.500| 11.600| 133.800| 5.000] [BINS(c->s)..: 0,20,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 4084,63003,42,180775,3510,1499231,2002773,15,4841966,76,17079364,30045,28084,9989,178591,30710,1472432,2000483,30998,3968781,29896,37348,7808,7927339,28492,35381,6539,7931223,29238,34577,5065,0] + [PKTLENS.....: 90,90,98,98,90,90,90,90,90,138,138,90,90,98,98,90,90,90,90,90,90,90,98,98,90,90,98,98,90,90,98,98] update: [.....3] [ip4][..udp] [.192.168.12.169][47204] -> [.35.158.183.167][..443] [STUN.AmazonAWS][Cloud][Acceptable] RISK: Known Proto on Non Std Port update: [.....2] [ip4][..udp] [.192.168.12.169][47204] -> [172.253.121.127][19302] 
@@ -85,12 +89,14 @@ detected: [....23] [ip4][..udp] [.192.168.12.169][47767] -> [.18.195.131.143][61498] [STUN.SignalVoip][VoIP][Acceptable] RISK: Known Proto on Non Std Port analyse: [....23] [ip4][..udp] [.192.168.12.169][47767] -> [.18.195.131.143][61498] [STUN.SignalVoip][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.665| 0.153| 0.189] - [IAT(c->s)...: 0.000| 0.665| 0.158| 0.186][IAT(s->c)...: 0.000| 0.631| 0.148| 0.192] - [PKTLEN(c->s): 70.000| 146.000| 108.800| 25.300][PKTLEN(s->c): 70.000| 138.000| 107.800| 23.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.665| 0.153| 0.189|35784.253| 0.000] + [PKTLEN......: 70.000| 146.000| 108.200| 24.600| 605.900| 5.000] [BINS(c->s)..: 3,3,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,3,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,0,0,0,1,1,0,1,1,0,0,0,1,1,0,1,1,0,0,1,1,0,1,1,0,0,0,1,1,0] + [IATS........: 68482,50,70303,29273,44732,113365,45,43187,26522,8477,31033,313588,306,410657,43,665020,630540,122450,190474,61616,378076,7868,325508,42160,76005,424878,96788,5410,434339,47676,66176,0] + [PKTLENS.....: 138,106,138,106,146,146,106,138,106,106,138,106,98,70,98,70,138,106,138,106,98,98,70,70,70,98,138,98,70,106,138,106] update: [....13] [ip4][..udp] [.192.168.12.169][39950] -> [.35.158.183.167][.3478] [STUN.SignalVoip][VoIP][Acceptable] update: [.....9] [ip4][..udp] [.192.168.12.169][43068] -> [.35.158.183.167][..443] [STUN.AmazonAWS][Cloud][Acceptable] RISK: Known Proto on Non Std Port diff --git a/test/results/flow-info/teams.pcap.out b/test/results/flow-info/teams.pcap.out index 57df5d70c..7085cba5d 100644 --- a/test/results/flow-info/teams.pcap.out +++ b/test/results/flow-info/teams.pcap.out 
@@ -20,12 +20,14 @@ detected: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Cloud][Safe] RISK: TLS (probably) Not Carrying HTTPS analyse: [.....5] [ip4][..tcp] [....192.168.1.6][60533] -> [.52.113.194.132][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.030| 0.006| 0.009] - [IAT(c->s)...: 0.000| 0.030| 0.007| 0.008][IAT(s->c)...: 0.000| 0.029| 0.006| 0.009] - [PKTLEN(c->s): 54.000| 312.000| 106.100| 83.900][PKTLEN(s->c): 60.000|1506.000| 674.300| 638.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.030| 0.006| 0.009| 77.930| 0.000] + [PKTLEN......: 54.000| 1506.000| 407.900| 548.100|300365.600| 3.900] [BINS(c->s)..: 10,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,1,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,0,0,0,0,1,1,0,1,1,0,1,1,1,0] + [IATS........: 12466,12563,1399,13862,1628,233,14289,254,250,114,2,99,4851,16541,1120,12847,339,301,11408,365,232,23032,26,11077,443,29285,29755,471,122,15,537,0] + [PKTLENS.....: 78,66,54,264,60,1506,1506,54,1506,54,1506,271,54,212,60,380,54,123,54,147,92,312,92,60,54,60,570,54,1506,1506,685,54] detection-update: [.....5] [ip4][..tcp] [....192.168.1.6][60533] -> [.52.113.194.132][..443] [TLS.Teams][Collaborative][Safe] detection-update: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Cloud][Safe] RISK: TLS (probably) Not Carrying HTTPS 
@@ -34,12 +36,14 @@ detected: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] [TLS.Microsoft365][Collaborative][Acceptable] detection-update: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] [TLS.Microsoft365][Collaborative][Acceptable] analyse: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.221| 0.032| 0.054] - [IAT(c->s)...: 0.000| 0.177| 0.023| 0.042][IAT(s->c)...: 0.000| 0.221| 0.055| 0.072] - [PKTLEN(c->s): 66.000|1494.000|1071.500| 639.700][PKTLEN(s->c): 66.000|1506.000| 539.600| 656.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.221| 0.032| 0.054| 2931.592| 0.000] + [PKTLEN......: 66.000| 1506.000| 921.900| 687.500|472618.500| 4.500] [BINS(c->s)..: 5,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0] [BINS(s->c)..: 5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0] + [IATS........: 43237,43341,94039,139750,215,45878,125,102,1406,46781,45438,177198,6,1,221245,44042,6,2,2,21255,21237,4,23005,23005,5,2,3,1223,1159,4,3,0] + [PKTLENS.....: 78,74,66,240,1506,1506,66,1389,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,1494,1494,1494,1494,66,1494,1494,1494] detection-update: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Cloud][Safe] RISK: TLS (probably) Not Carrying HTTPS new: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] 
@@ -49,19 +53,23 @@ detected: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Collaborative][Safe] detection-update: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Collaborative][Safe] analyse: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] [TLS.Microsoft][Cloud][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.050| 0.018| 0.021] - [IAT(c->s)...: 0.000| 0.050| 0.015| 0.021][IAT(s->c)...: 0.000| 0.049| 0.024| 0.021] - [PKTLEN(c->s): 66.000|1494.000| 836.300| 677.200][PKTLEN(s->c): 66.000|1506.000| 458.200| 595.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.050| 0.018| 0.021| 449.200| 0.000] + [PKTLEN......: 66.000| 1506.000| 694.600| 673.100|453031.800| 4.200] [BINS(c->s)..: 7,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0] [BINS(s->c)..: 7,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,1,1,1,1,0,0] + [IATS........: 45263,45409,339,49216,21,48838,224,177,1271,46526,45316,1920,4,2,47729,45783,4,2,3,37748,37711,4,8018,8058,5,734,37027,7756,4339,49836,1321,0] + [PKTLENS.....: 78,74,66,272,1506,1389,78,1506,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,1494,839,66,66,66,511,66,97] analyse: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.050| 0.005| 0.010] - [IAT(c->s)...: 0.000| 0.014| 0.004| 0.005][IAT(s->c)...: 0.000| 0.050| 0.006| 0.012] - [PKTLEN(c->s): 54.000|1494.000| 257.900| 412.500][PKTLEN(s->c): 60.000|1506.000| 581.800| 641.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.050| 0.005| 0.010| 94.878| 0.000] + [PKTLEN......: 54.000| 1506.000| 430.000| 569.700|324516.500| 3.900] [BINS(c->s)..: 
8,1,2,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 7,1,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,1,1,0,0,0,0,0,0,1,1,0,1,1,1,1,1] + [IATS........: 11421,11522,225,11256,2751,92,13830,124,124,124,3,141,4803,15532,11803,1342,15,233,10,306,235,4,56,10886,31,10351,1699,244,14,50397,30,0] + [PKTLENS.....: 78,66,54,268,60,1506,1506,54,1506,54,1506,271,54,212,60,147,380,123,54,54,92,1494,1061,138,60,92,54,60,60,60,1506,1069] detection-update: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Collaborative][Safe] ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type 
@@ -135,12 +143,14 @@ detected: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Collaborative][Safe] detection-update: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Collaborative][Safe] analyse: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.153| 0.028| 0.040] - [IAT(c->s)...: 0.000| 0.153| 0.022| 0.044][IAT(s->c)...: 0.000| 0.086| 0.039| 0.030] - [PKTLEN(c->s): 66.000|1494.000|1032.800| 653.600][PKTLEN(s->c): 66.000|1506.000| 453.500| 621.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.153| 0.028| 0.040| 1626.047| 0.000] + [PKTLEN......: 66.000| 1506.000| 833.700| 699.200|488828.900| 4.400] [BINS(c->s)..: 5,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0] [BINS(s->c)..: 7,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,1,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0] + [IATS........: 50532,50647,291,64604,72036,210,136507,124,96,1421,68048,86231,152917,2268,6,3,46387,44112,4,2,3,23630,23615,4,20861,20866,7,7,3,845,765,0] + [PKTLENS.....: 78,74,66,272,66,1506,1506,66,1389,66,159,66,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,1494,1494,1494,1494,66,1494] detection-update: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Cloud][Safe] RISK: TLS (probably) Not Carrying HTTPS new: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] 
@@ -149,12 +159,14 @@ detection-update: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] [TLS.ntop][Network][Safe] RISK: Known Proto on Non Std Port analyse: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Collaborative][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.201| 0.025| 0.047] - [IAT(c->s)...: 0.000| 0.201| 0.020| 0.047][IAT(s->c)...: 0.000| 0.168| 0.032| 0.047] - [PKTLEN(c->s): 54.000|1494.000| 197.300| 326.200][PKTLEN(s->c): 60.000|1506.000| 583.500| 630.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.201| 0.025| 0.047| 2215.159| 0.000] + [PKTLEN......: 54.000| 1506.000| 354.200| 510.300|260451.700| 3.900] [BINS(c->s)..: 11,1,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 3,3,1,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,0,1,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,0,0,1,1] + [IATS........: 45653,45756,213,47886,30,47672,17,83,202,104,167,9896,9950,3499,10390,395,51386,37078,221,190,155,7115,7018,1251,1197,79250,201410,7,34,167536,222,0] + [PKTLENS.....: 78,66,54,273,1506,1506,66,54,54,1506,1506,54,467,54,212,147,517,105,54,123,54,92,92,54,493,54,60,1494,164,220,60,96] new: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] detected: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] [DNS.Teams][Collaborative][Safe] detection-update: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] [DNS.Teams][Collaborative][Safe] 
@@ -167,12 +179,14 @@ detection-update: [....33] [ip4][..tcp] [....192.168.1.6][60548] -> [...52.114.77.33][..443] [TLS.Microsoft][Cloud][Safe] RISK: TLS (probably) Not Carrying HTTPS analyse: [....32] [ip4][..tcp] [....192.168.1.6][60547] -> [...52.114.88.59][..443] [TLS.Teams][Collaborative][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.115| 0.021| 0.031] - [IAT(c->s)...: 0.000| 0.115| 0.019| 0.033][IAT(s->c)...: 0.000| 0.080| 0.023| 0.028] - [PKTLEN(c->s): 66.000|1494.000| 210.800| 333.900][PKTLEN(s->c): 66.000|1506.000| 623.100| 618.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.115| 0.021| 0.031| 968.681| 0.000] + [PKTLEN......: 66.000| 1506.000| 391.200| 521.700|272149.200| 4.000] [BINS(c->s)..: 11,1,1,1,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0] [BINS(s->c)..: 3,2,1,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,0,1,1,0,1] + [IATS........: 34191,34298,279,36871,33,36580,20,190,171,120,2,98,1011,12039,309,36028,22727,226,163,129,10387,10298,599,557,77127,91684,7,49137,80440,115070,185,0] + [PKTLENS.....: 78,74,66,287,1506,1506,78,66,1506,66,1506,316,66,192,159,547,117,66,135,66,104,104,66,428,66,66,1494,261,66,241,66,1153] ERROR-EVENT: Unknown packet type new: [....34] [ip4][..udp] [....192.168.1.6][59403] -> [....192.168.1.1][...53] detected: [....34] [ip4][..udp] [....192.168.1.6][59403] -> [....192.168.1.1][...53] [DNS.Microsoft365][Collaborative][Acceptable] 
@@ -181,21 +195,25 @@ detected: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Collaborative][Acceptable] detection-update: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Collaborative][Acceptable] analyse: [....23] [ip4][..tcp] [....192.168.1.6][60542] -> [.52.113.194.132][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 2.010| 0.146| 0.490] - [IAT(c->s)...: 0.000| 1.998| 0.155| 0.512][IAT(s->c)...: 0.000| 2.010| 0.139| 0.470] - [PKTLEN(c->s): 54.000| 575.000| 144.200| 146.800][PKTLEN(s->c): 60.000|1506.000| 473.700| 585.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 2.010| 0.146| 0.490|239614.050| 0.000] + [PKTLEN......: 54.000| 1506.000| 319.200| 468.100|219152.800| 3.900] [BINS(c->s)..: 9,1,1,0,1,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,1,1,0,1,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,1,0,0,0,0,0,1,1,0,1,1,1,0,0,1,1] + [IATS........: 12667,12766,154,12385,2459,251,14879,502,529,250,3,817,4854,17134,1376,20,13097,4,249,321,136,11841,14,11155,108,621,112917,113684,1998116,2009785,174632,0] + [PKTLENS.....: 78,66,54,271,60,1506,1506,54,1506,54,1506,195,54,212,60,380,123,54,54,147,92,575,60,92,54,60,60,454,54,356,60,359] detection-update: [....23] [ip4][..tcp] [....192.168.1.6][60542] -> [.52.113.194.132][..443] [TLS.Teams][Collaborative][Safe] ERROR-EVENT: Unknown packet type analyse: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.540| 0.024| 0.095] - [IAT(c->s)...: 0.000| 0.540| 0.038| 0.126][IAT(s->c)...: 0.000| 0.033| 0.007| 0.009] - [PKTLEN(c->s): 54.000|1494.000| 248.200| 353.800][PKTLEN(s->c): 60.000|1506.000| 470.600| 569.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.540| 0.024| 
0.095| 8949.939| 0.000] + [PKTLEN......: 54.000| 1506.000| 345.500| 473.500|224192.200| 4.000] [BINS(c->s)..: 9,1,1,0,2,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 5,2,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,0,0,0,0,1,1,1,0,0,0,1,1,0,1,1,0,1,0,0,0,0] + [IATS........: 11504,11610,262,11878,32500,90,44163,247,1,223,3839,7741,325,72,14634,1492,13,4159,11,266,6513,474,6734,4309,9884,14215,10718,10725,539594,6,314,0] + [PKTLENS.....: 78,66,54,265,60,1506,1506,54,1506,94,54,212,147,592,186,60,380,123,54,54,92,60,92,54,60,703,54,373,54,1494,708,262] detection-update: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Collaborative][Acceptable] new: [....36] [ip4][..udp] [....192.168.1.6][61245] -> [....192.168.1.1][...53] detected: [....36] [ip4][..udp] [....192.168.1.6][61245] -> [....192.168.1.1][...53] [DNS.Teams][Collaborative][Safe] 
@@ -241,12 +259,14 @@ detection-update: [....40] [ip4][..tcp] [....192.168.1.6][60551] -> [...52.114.15.45][..443] [TLS.Teams][Collaborative][Safe] RISK: TLS (probably) Not Carrying HTTPS analyse: [....43] [ip4][..tcp] [....192.168.1.6][60554] -> [.52.113.194.132][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.154| 0.015| 0.036] - [IAT(c->s)...: 0.000| 0.154| 0.018| 0.040][IAT(s->c)...: 0.000| 0.140| 0.013| 0.032] - [PKTLEN(c->s): 54.000|1136.000| 157.600| 276.400][PKTLEN(s->c): 60.000|1506.000| 943.600| 686.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.154| 0.015| 0.036| 1274.324| 0.000] + [PKTLEN......: 54.000| 1506.000| 599.700| 671.400|450756.000| 4.100] [BINS(c->s)..: 10,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,10,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,1,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1] + [IATS........: 12903,12995,473,12371,1988,1502,15362,129,134,115,3,85,21608,33026,11480,11732,109,11784,570,13396,140399,715,153955,248,230,250,250,503,25,129,243,0] + [PKTLENS.....: 78,66,54,240,60,1506,1506,54,1506,54,1506,182,54,161,60,105,60,105,54,1136,60,1506,1506,54,1331,54,1506,1506,54,54,1506,1506] detection-update: [....43] [ip4][..tcp] [....192.168.1.6][60554] -> [.52.113.194.132][..443] [TLS.Teams][Collaborative][Safe] RISK: TLS (probably) Not Carrying HTTPS ERROR-EVENT: Unknown packet type 
@@ -261,12 +281,14 @@ detection-update: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Cloud][Safe] RISK: TLS (probably) Not Carrying HTTPS analyse: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Cloud][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.053| 0.020| 0.022] - [IAT(c->s)...: 0.000| 0.053| 0.015| 0.022][IAT(s->c)...: 0.000| 0.051| 0.027| 0.021] - [PKTLEN(c->s): 66.000|1494.000| 739.300| 681.600][PKTLEN(s->c): 66.000|1506.000| 493.900| 609.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.053| 0.020| 0.022| 492.470| 0.000] + [PKTLEN......: 66.000| 1506.000| 654.900| 667.900|446080.700| 4.200] [BINS(c->s)..: 9,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0] [BINS(s->c)..: 6,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,1,1,1,0,0,0] + [IATS........: 48601,48710,307,51003,89,50699,16,253,253,1686,49778,48144,1391,5,2,50498,49101,4,2,3,37233,37219,5,11525,11515,965,36039,15972,52987,736,111,0] + [PKTLENS.....: 78,74,66,272,1506,1506,78,66,1389,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,999,66,66,511,66,97,66] ERROR-EVENT: Unknown packet type new: [....49] [ip4][..udp] [..192.168.1.112][57621] -> [..192.168.1.255][57621] detected: [....49] [ip4][..udp] [..192.168.1.112][57621] -> [..192.168.1.255][57621] [Spotify][Music][Acceptable] 
@@ -286,23 +308,27 @@ RISK: TLS (probably) Not Carrying HTTPS ERROR-EVENT: Unknown packet type analyse: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS.Azure][Cloud][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.126| 0.019| 0.032] - [IAT(c->s)...: 0.000| 0.126| 0.016| 0.030][IAT(s->c)...: 0.000| 0.126| 0.022| 0.034] - [PKTLEN(c->s): 66.000|1379.000| 183.400| 296.700][PKTLEN(s->c): 66.000|1506.000| 616.100| 612.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.126| 0.019| 0.032| 1006.354| 0.000] + [PKTLEN......: 66.000| 1506.000| 359.200| 499.900|249913.200| 4.000] [BINS(c->s)..: 12,1,3,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0] [BINS(s->c)..: 2,3,1,0,0,0,0,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,0,0,0,1,1,0,0,0,1,0,1,0,0,0,1,1,0,1,0] + [IATS........: 29516,29616,237,45747,220,45693,117,89,54,132,3,86,615,23250,232,30155,31,6115,4,245,22863,22646,1494,1434,2892,30,32749,246,30074,125513,125561,0] + [PKTLENS.....: 78,74,66,280,1506,1506,78,1506,66,66,1506,295,66,159,159,438,117,135,66,66,104,104,66,562,66,1379,149,66,108,66,524,66] new: [....54] [ip4][..udp] [....192.168.1.6][62735] -> [....192.168.1.1][...53] detected: [....54] [ip4][..udp] [....192.168.1.6][62735] -> [....192.168.1.1][...53] [DNS][Network][Acceptable] detection-update: [....54] [ip4][..udp] [....192.168.1.6][62735] -> [....192.168.1.1][...53] [DNS][Network][Acceptable] new: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443] analyse: [....51] [ip4][..tcp] [....192.168.1.6][60561] -> [...52.114.77.33][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.162| 0.032| 0.044] - [IAT(c->s)...: 0.000| 0.162| 0.025| 0.043][IAT(s->c)...: 0.000| 0.136| 0.044| 0.044] - [PKTLEN(c->s): 66.000|1494.000| 947.800| 669.400][PKTLEN(s->c): 66.000|1506.000| 422.200| 604.000] + 
[min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.162| 0.032| 0.044| 1964.919| 0.000] + [PKTLEN......: 66.000| 1506.000| 750.700| 694.000|481656.100| 4.300] [BINS(c->s)..: 5,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0] [BINS(s->c)..: 8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0] + [DIRECTIONS..: 0,1,0,0,0,1,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,1,1,1] + [IATS........: 48418,48527,459,88180,136486,113743,249,161774,129,117,1072,74551,73518,1076,4,2,50124,49022,3,3,12,48400,48413,4,15,2,1599,1536,46881,1065,1749,0] + [PKTLENS.....: 78,74,66,272,272,78,1506,1506,66,1389,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,1494,1494,66,1476,66,66,66] detection-update: [....51] [ip4][..tcp] [....192.168.1.6][60561] -> [...52.114.77.33][..443] [TLS.Microsoft][Cloud][Safe] RISK: TLS (probably) Not Carrying HTTPS detected: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443] [TLS.Azure][Cloud][Acceptable] 
@@ -324,20 +350,24 @@ detection-update: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Collaborative][Safe] ERROR-EVENT: Unknown packet type analyse: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Collaborative][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.277| 0.019| 0.049] - [IAT(c->s)...: 0.000| 0.062| 0.009| 0.015][IAT(s->c)...: 0.000| 0.277| 0.031| 0.070] - [PKTLEN(c->s): 66.000|1060.000| 180.000| 242.700][PKTLEN(s->c): 66.000|1506.000| 646.600| 633.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.277| 0.019| 0.049| 2449.644| 0.000] + [PKTLEN......: 66.000| 1506.000| 384.200| 512.100|262257.700| 4.000] [BINS(c->s)..: 11,1,2,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,3,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,4,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,0,0,0,1,1,0,0,0,1,0,1,0,1,0,0,1,1,0,1] + [IATS........: 19199,19302,171,22008,34,21827,18,184,203,246,14,193,1070,12295,280,19893,29,6313,3,603,11971,11399,1472,1415,54998,62106,42,25528,33,18437,276869,0] + [PKTLENS.....: 78,74,66,288,1506,1506,78,66,1506,66,1506,485,66,192,159,539,117,135,66,66,104,104,66,525,66,66,1060,148,66,108,66,1349] ERROR-EVENT: Unknown packet type analyse: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443] [TLS.Teams][Collaborative][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 8.978| 0.329| 1.582] - [IAT(c->s)...: 0.000| 0.403| 0.037| 0.099][IAT(s->c)...: 0.000| 8.978| 0.602| 2.165] - [PKTLEN(c->s): 54.000|1114.000| 188.300| 274.500][PKTLEN(s->c): 60.000|1506.000| 518.100| 585.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 8.978| 0.329| 1.582|2503841.415| 0.000] + [PKTLEN......: 54.000| 1506.000| 353.200| 486.100|236250.500| 4.000] [BINS(c->s)..: 
10,1,1,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,3,1,0,0,0,0,0,1,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,0,0,0,0,0,1,0,1,0,0,1,1,0,1,0,1,1,1,1,1] + [IATS........: 47150,47228,506,44398,29,43913,16,46,186,124,2,213,4,4433,9743,291,46519,32116,477,409,98,18910,1378,20235,62883,403234,424977,8978171,32,9,7,0] + [PKTLENS.....: 78,66,54,290,1506,1506,66,54,54,1506,1506,323,54,54,212,147,582,105,54,123,54,92,60,423,54,60,1114,60,425,429,100,92] new: [....60] [ip4][..tcp] [..151.11.50.139][.2222] -> [....192.168.1.6][54750] [MIDSTREAM] ERROR-EVENT: Unknown packet type new: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] 
@@ -412,12 +442,14 @@ detected: [....81] [ip4][..udp] [...52.114.252.8][.3479] -> [....192.168.1.6][50016] [STUN.Skype_TeamsCall][VoIP][Acceptable] RISK: Known Proto on Non Std Port analyse: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443] [TLS.Teams][Collaborative][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.567| 0.072| 0.275] - [IAT(c->s)...: 0.000| 0.069| 0.017| 0.024][IAT(s->c)...: 0.000| 1.567| 0.148| 0.411] - [PKTLEN(c->s): 54.000| 241.000| 82.900| 48.600][PKTLEN(s->c): 60.000|1506.000| 545.600| 564.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.567| 0.072| 0.275|75449.426| 0.000] + [PKTLEN......: 54.000| 1506.000| 270.900| 427.000|182315.300| 3.800] [BINS(c->s)..: 15,1,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,0,0,0,0,1,1,0,0,1,0,0,0,1,1] + [IATS........: 44968,45079,183,47440,47249,164,13,124,2,107,17,104,3,107,2,120,2,1,8026,8,35,52434,1246,45626,48613,92238,43679,69083,272,113543,1566873,0] + [PKTLENS.....: 78,66,54,241,1506,66,1506,602,66,66,1506,602,66,54,602,180,54,54,54,161,60,99,60,105,54,155,238,54,85,54,60,60] ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type new: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] 
@@ -428,12 +460,14 @@ new: [....83] [ip4][.icmp] [..93.71.110.205] -> [....192.168.1.6] detected: [....83] [ip4][.icmp] [..93.71.110.205] -> [....192.168.1.6] [ICMP][Network][Acceptable] analyse: [....78] [ip4][..udp] [..93.71.110.205][16332] -> [....192.168.1.6][50016] [STUN.Skype_TeamsCall][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.168| 0.160| 0.366] - [IAT(c->s)...: 0.000| 1.167| 0.109| 0.291][IAT(s->c)...: 0.000| 1.168| 0.338| 0.510] - [PKTLEN(c->s): 80.000|1256.000| 215.000| 307.900][PKTLEN(s->c): 80.000|1256.000| 454.900| 507.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.168| 0.160| 0.366|133702.353| 0.000] + [PKTLEN......: 80.000| 1256.000| 267.400| 374.400|140199.200| 4.100] [BINS(c->s)..: 0,2,16,4,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,0,1,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 24795,221,101349,1168245,1167037,967065,50759,1119237,13,25,50990,80302,1990,2655,3736,4,1,2,10681,24170,9306,21453,4525,19907,25341,9245,24382,24626,9496,26004,24257,0] + [PKTLENS.....: 154,130,154,130,158,130,152,150,80,1256,1256,150,115,80,1256,1256,84,208,140,108,110,117,122,124,116,112,126,120,117,115,116,116] idle: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443] end: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443] [TLS.Teams][Collaborative][Safe] RISK: TLS (probably) Not Carrying HTTPS diff --git a/test/results/flow-info/teamviewer.pcap.out b/test/results/flow-info/teamviewer.pcap.out index 3a6d24931..fa7eac76b 100644 --- a/test/results/flow-info/teamviewer.pcap.out +++ b/test/results/flow-info/teamviewer.pcap.out 
@@ -2,22 +2,26 @@ new: [.....1] [ip4][..tcp] [......10.0.2.15][35732] -> [..162.250.2.170][.5938] detected: [.....1] [ip4][..tcp] [......10.0.2.15][35732] -> [..162.250.2.170][.5938] [TeamViewer][RemoteAccess][Acceptable] analyse: [.....1] [ip4][..tcp] [......10.0.2.15][35732] -> [..162.250.2.170][.5938] [TeamViewer][RemoteAccess][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.274| 0.067| 0.088] - [IAT(c->s)...: 0.000| 0.274| 0.074| 0.092][IAT(s->c)...: 0.000| 0.256| 0.061| 0.085] - [PKTLEN(c->s): 60.000|1514.000| 460.900| 544.600][PKTLEN(s->c): 54.000|1514.000| 314.200| 479.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.274| 0.067| 0.088| 7794.386| 0.000] + [PKTLEN......: 54.000| 1514.000| 383.000| 516.400|266637.300| 3.900] [BINS(c->s)..: 5,3,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,2,0,0] [BINS(s->c)..: 11,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,1,0,1,0,1,0,0,1,1] + [IATS........: 136273,137235,573,1795,12093,11937,35737,56,35774,25,88318,88631,11617,11587,151937,89,151972,35682,35919,255841,274397,18558,256484,257570,1057,306,258,28908,45,29127,29,0] + [PKTLENS.....: 74,58,60,91,54,120,54,1514,432,54,54,102,60,201,60,1514,1290,60,1132,54,1143,1155,54,494,110,54,102,54,1514,429,54,54] new: [.....2] [ip4][..udp] [......10.0.2.15][34417] -> [..93.47.224.241][36037] detected: [.....2] [ip4][..udp] [......10.0.2.15][34417] -> [..93.47.224.241][36037] [TeamViewer][RemoteAccess][Acceptable] RISK: Known Proto on Non Std Port, Desktop/File Sharing analyse: [.....2] [ip4][..udp] [......10.0.2.15][34417] -> [..93.47.224.241][36037] [TeamViewer][RemoteAccess][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.443| 0.037| 0.097] - [IAT(c->s)...: 0.000| 0.000| 0.000| 0.000][IAT(s->c)...: 0.000| 0.443| 0.037| 0.097] - [PKTLEN(c->s): 138.000| 138.000| 138.000| 
0.000][PKTLEN(s->c): 58.000|1066.000| 463.000| 454.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.443| 0.037| 0.097| 9363.771| 0.000] + [PKTLEN......: 58.000| 1066.000| 452.800| 450.400|202865.500| 4.300] [BINS(c->s)..: 0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,7,4,1,2,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] + [IATS........: 12327,12251,57,40726,3898,3159,6600,81845,9028,72,7415,9247,442863,41858,345075,64,9,8,11,9,7,2034,57,13,9567,57,8,51028,58831,63,12,0] + [PKTLENS.....: 138,138,506,1066,62,98,90,90,90,191,118,66,66,90,90,1066,1066,1066,1066,1066,1066,1066,1066,1066,1066,182,118,118,58,239,131,85] update: [.....2] [ip4][..udp] [......10.0.2.15][34417] -> [..93.47.224.241][36037] [TeamViewer][RemoteAccess][Acceptable] RISK: Known Proto on Non Std Port, Desktop/File Sharing DAEMON-EVENT: [Processed: 1282 pkts][ZLib][compressions: 0|diff: 0 / 0] diff --git a/test/results/flow-info/telegram.pcap.out b/test/results/flow-info/telegram.pcap.out index 2f5bfbcc3..6ca903744 100644 --- a/test/results/flow-info/telegram.pcap.out +++ b/test/results/flow-info/telegram.pcap.out 
@@ -28,19 +28,23 @@ new: [....12] [ip4][..udp] [...192.168.1.77][.5353] -> [...192.168.1.53][.5353] detected: [....12] [ip4][..udp] [...192.168.1.77][.5353] -> [...192.168.1.53][.5353] [MDNS][Network][Acceptable] analyse: [.....5] [ip4][..udp] [...192.168.1.75][.5353] -> [....224.0.0.251][.5353] [MDNS][Network][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.089| 0.260| 0.238] - [IAT(c->s)...: 0.000| 1.089| 0.260| 0.238][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 142.000| 308.000| 198.700| 56.400][PKTLEN(s->c): 0.000| 0.000| 0.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.089| 0.260| 0.238|56779.682| 0.000] + [PKTLEN......: 142.000| 308.000| 198.700| 56.400| 3176.800| 4.900] [BINS(c->s)..: 0,0,0,18,2,6,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 549364,840,252816,249231,102809,152763,104881,141371,2649,102162,252500,506171,1089013,524484,451,254547,249123,108883,146831,101026,145194,2416,102114,255962,497942,504741,600172,564928,424,248284,249193,0] + [PKTLENS.....: 142,233,308,169,153,169,153,211,184,308,153,167,275,142,233,308,169,153,169,153,211,184,308,153,167,211,167,142,233,308,169,153] analyse: [.....6] [ip6][..udp] [................fe80::4ba:91a:7817:e318][.5353] -> [...............................ff02::fb][.5353] [MDNS][Network][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.089| 0.260| 0.238] - [IAT(c->s)...: 0.000| 1.089| 0.260| 0.238][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 162.000| 328.000| 218.700| 56.400][PKTLEN(s->c): 0.000| 0.000| 0.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.089| 0.260| 0.238|56762.626| 0.000] + [PKTLEN......: 162.000| 328.000| 218.700| 56.400| 3176.800| 
5.000] [BINS(c->s)..: 0,0,0,18,2,6,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 549636,368,252675,249340,102637,153314,104807,140890,2645,102602,252497,506250,1088510,524637,499,254511,249377,108993,147062,100772,145197,1893,102609,256062,497966,504718,600438,564206,375,249009,248380,0] + [PKTLENS.....: 162,253,328,189,173,189,173,231,204,328,173,187,295,162,253,328,189,173,189,173,231,204,328,173,187,231,187,162,253,328,189,173] detection-update: [.....3] [ip4][..udp] [...192.168.1.53][.5353] -> [....224.0.0.251][.5353] [MDNS][Network][Acceptable] detection-update: [....11] [ip6][..udp] [..............fe80::18a0:a412:8935:c01b][.5353] -> [...............................ff02::fb][.5353] [MDNS][Network][Acceptable] new: [....13] [ip4][..udp] [...192.168.1.77][52118] -> [....192.168.1.1][...53] 
@@ -74,23 +78,27 @@ detected: [....26] [ip4][..udp] [...192.168.1.77][23174] -> [..87.11.205.195][60723] [OpenVPN][VPN][Acceptable] RISK: Known Proto on Non Std Port analyse: [....19] [ip4][..udp] [...192.168.1.77][23174] -> [.....91.108.8.7][..521] [Telegram][Chat][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.001| 0.501| 0.118| 0.112] - [IAT(c->s)...: 0.001| 0.501| 0.202| 0.131][IAT(s->c)...: 0.004| 0.308| 0.084| 0.081] - [PKTLEN(c->s): 74.000| 138.000| 109.200| 28.900][PKTLEN(s->c): 90.000| 234.000| 180.200| 53.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.001| 0.501| 0.118| 0.112|12556.351| 0.000] + [PKTLEN......: 74.000| 234.000| 158.000| 57.300| 3288.000| 4.900] [BINS(c->s)..: 0,5,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,1,4,4,0,8,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,1,1,1,0,1,1,1,1,0,1,1,1,1,1,1,0,1] + [IATS........: 33725,303789,500928,195774,135671,308435,212114,658,38919,154099,154494,74510,133656,63749,29902,38640,63854,177395,37753,25997,43596,64156,189778,58771,4478,63507,64504,42995,64523,315929,64393,0] + [PKTLENS.....: 82,106,138,82,106,138,138,74,138,90,82,106,234,138,234,138,234,218,138,138,218,234,218,82,106,218,218,202,218,218,138,234] new: [....27] [ip4][..udp] [...192.168.1.77][47127] -> [....192.168.1.1][...53] detected: [....27] [ip4][..udp] [...192.168.1.77][47127] -> [....192.168.1.1][...53] [DNS.GoogleServices][Web][Acceptable] detection-update: [....27] [ip4][..udp] [...192.168.1.77][47127] -> [....192.168.1.1][...53] [DNS.GoogleServices][Web][Acceptable] RISK: Suspicious DNS Traffic analyse: [....25] [ip4][..udp] [...192.168.1.77][23174] -> [...192.168.1.52][31480] - [min|max|avg|stddev] - [IAT(flow)...: 0.042| 1.999| 0.261| 0.473] - [IAT(c->s)...: 0.058| 1.999| 0.337| 0.588][IAT(s->c)...: 0.042| 1.681| 0.213| 0.374] - [PKTLEN(c->s): 90.000| 234.000| 
197.100| 50.700][PKTLEN(s->c): 90.000| 282.000| 211.300| 56.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.042| 1.999| 0.261| 0.473|223426.380| 0.000] + [PKTLEN......: 90.000| 282.000| 205.500| 54.500| 2971.800| 4.900] [BINS(c->s)..: 0,1,2,0,0,6,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,1,3,0,0,5,6,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,1,0,0,1,1,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] + [IATS........: 176557,505731,492773,1175336,327643,331901,1681273,64229,63452,64312,42308,63943,1998754,63768,58341,64131,69558,64360,57812,43094,58078,62201,58103,63786,58195,64166,58195,62003,69553,66619,57696,0] + [PKTLENS.....: 122,122,122,90,106,90,106,234,266,282,266,266,250,218,234,234,234,218,202,234,218,218,218,234,218,218,218,218,234,218,234,234] not-detected: [....25] [ip4][..udp] [...192.168.1.77][23174] -> [...192.168.1.52][31480] [Unknown][Unrated] new: [....28] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] detected: [....28] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Network][Acceptable] 
@@ -131,20 +139,24 @@ new: [....43] [ip4][..udp] [...192.168.1.77][52127] -> [239.255.255.250][.1900] detected: [....43] [ip4][..udp] [...192.168.1.77][52127] -> [239.255.255.250][.1900] [SSDP][System][Acceptable] analyse: [....37] [ip4][..udp] [...192.168.1.77][28150] -> [.....91.108.8.8][..529] [Telegram][Chat][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.008| 0.505| 0.099| 0.138] - [IAT(c->s)...: 0.008| 0.505| 0.069| 0.098][IAT(s->c)...: 0.026| 0.472| 0.171| 0.186] - [PKTLEN(c->s): 74.000| 234.000| 173.500| 57.300][PKTLEN(s->c): 90.000| 138.000| 118.400| 18.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.008| 0.505| 0.099| 0.138|18965.475| 0.000] + [PKTLEN......: 74.000| 234.000| 158.000| 55.400| 3064.000| 4.900] [BINS(c->s)..: 0,5,0,4,0,13,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,1,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,1,0,1,0,0,0,0,0,0,0,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,1] + [IATS........: 38704,504672,472194,31371,48787,83063,90104,75511,57499,58021,58053,58125,51991,386634,9517,8470,27260,36050,21667,40197,58112,58011,58152,57862,69999,57869,58016,8183,436304,11258,25605,0] + [PKTLENS.....: 82,106,82,138,106,138,138,74,218,218,218,234,218,82,138,138,218,106,138,218,90,218,218,202,218,202,218,218,82,138,138,106] new: [....44] [ip4][..udp] [...192.168.1.77][28150] -> [..87.11.205.195][59772] analyse: [....40] [ip4][..udp] [...192.168.1.77][28150] -> [.....91.108.8.1][..533] [Telegram][Chat][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.007| 0.505| 0.113| 0.151] - [IAT(c->s)...: 0.049| 0.505| 0.223| 0.190][IAT(s->c)...: 0.007| 0.477| 0.082| 0.120] - [PKTLEN(c->s): 74.000| 138.000| 102.000| 28.000][PKTLEN(s->c): 90.000| 218.000| 175.300| 48.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.007| 0.505| 0.113| 0.151|22855.887| 0.000] + [PKTLEN......: 74.000| 218.000| 157.000| 
54.200| 2943.000| 4.900] [BINS(c->s)..: 0,5,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,1,4,5,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,1,0,0,0,1,1,0,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1,1,1] + [IATS........: 34096,504936,476895,26281,48588,90140,359286,474896,22927,53992,44091,48774,32735,70515,63740,63677,64572,42031,447918,51385,12513,7087,54201,56023,36226,28925,63945,41904,63934,64562,64617,0] + [PKTLENS.....: 82,106,82,138,106,138,74,82,138,106,138,90,138,218,218,202,218,218,218,82,138,218,106,138,218,138,218,218,202,218,202,218] new: [....45] [ip4][..udp] [...192.168.1.53][50698] -> [239.255.255.250][.1900] detected: [....45] [ip4][..udp] [...192.168.1.53][50698] -> [239.255.255.250][.1900] [SSDP][System][Acceptable] update: [.....1] [ip4][..udp] [....192.168.0.1][...68] -> [255.255.255.255][...67] [DHCP][Network][Acceptable] diff --git a/test/results/flow-info/telnet.pcap.out b/test/results/flow-info/telnet.pcap.out index 02a936136..1e9a1a938 100644 --- a/test/results/flow-info/telnet.pcap.out +++ b/test/results/flow-info/telnet.pcap.out 
@@ -9,12 +9,14 @@ detection-update: [.....1] [ip4][..tcp] [....192.168.0.2][.1550] -> [....192.168.0.1][...23] [Telnet][RemoteAccess][Unsafe] RISK: Unsafe Protocol analyse: [.....1] [ip4][..tcp] [....192.168.0.2][.1550] -> [....192.168.0.1][...23] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.233| 0.125| 0.337] - [IAT(c->s)...: 0.000| 1.233| 0.160| 0.383][IAT(s->c)...: 0.001| 1.107| 0.088| 0.275] - [PKTLEN(c->s): 66.000| 151.000| 78.400| 23.800][PKTLEN(s->c): 66.000| 98.000| 75.800| 10.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.233| 0.125| 0.337|113396.253| 0.000] + [PKTLEN......: 66.000| 151.000| 77.200| 18.800| 354.000| 5.000] [BINS(c->s)..: 15,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 14,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,0,1,1,0,1,1,0,1,1,0,0,0,1,0,1,1,0,1,1,0,1,0,1,0,0,0] + [IATS........: 2525,2572,1588,147810,146242,172,1611,1711,3291,1327,593,1791,1069,2370,3571,617,1174,22251,20360,1248,13791,15049,1196,784,12789,12241,20023,1107336,1099990,1232764,1372,0] + [PKTLENS.....: 74,74,66,93,69,66,69,66,91,130,66,84,75,66,90,66,151,66,69,69,66,78,72,66,81,66,98,66,73,66,72,66] detection-update: [.....1] [ip4][..tcp] [....192.168.0.2][.1550] -> [....192.168.0.1][...23] [Telnet][RemoteAccess][Unsafe] RISK: Unsafe Protocol end: [.....1] [ip4][..tcp] [....192.168.0.2][.1550] -> [....192.168.0.1][...23] [Telnet][RemoteAccess][Unsafe] diff --git a/test/results/flow-info/tftp.pcap.out b/test/results/flow-info/tftp.pcap.out index 3fd04331c..465fc3451 100644 --- a/test/results/flow-info/tftp.pcap.out +++ b/test/results/flow-info/tftp.pcap.out 
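Review bot: The new `entropy` column of the `[IAT.........:` row is `0.000` for this flow and for every other analyse event visible on this page, while the `[PKTLEN......:` entropy in the same events ranges from about 3.8 to 5.0; with IATs as varied as the `[IATS........:` list here (values from 172 to 1232764), a genuine zero entropy looks implausible, so the IAT entropy computation behind this output (outside this hunk) is probably not being fed the IAT samples, or is fed them in a scale or type that collapses every sample into one bin. Because these `.out` files are the regression baselines, committing a constant `0.000` pins the suspect value and the tests will keep passing whatever the computation does. I would check the IAT entropy path against the PKTLEN one before regenerating these baselines, and if the column cannot be made meaningful for IATs, drop it from the IAT row (keeping `[min|max|avg|stddev|variance]` there) rather than print a number that never changes.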
@@ -13,12 +13,14 @@ detected: [.....4] [ip4][..udp] [...192.168.0.10][.3445] -> [..192.168.0.253][50618] [TFTP][DataTransfer][Acceptable] RISK: Known Proto on Non Std Port analyse: [.....4] [ip4][..udp] [...192.168.0.10][.3445] -> [..192.168.0.253][50618] [TFTP][DataTransfer][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.000| 0.000| 0.000] - [IAT(c->s)...: 0.000| 0.000| 0.000| 0.000][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 558.000| 558.000| 558.000| 0.000][PKTLEN(s->c): 60.000| 60.000| 60.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.000| 0.000| 0.000| 0.000| 0.000] + [PKTLEN......: 60.000| 558.000| 309.000| 249.000|62001.000| 4.500] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [PKTLENS.....: 558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60] DAEMON-EVENT: [Processed: 101 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 4 / 4|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....5] [ip4][..udp] [....172.28.4.53][54627] -> [...172.16.5.170][...69] diff --git a/test/results/flow-info/tinc.pcap.out b/test/results/flow-info/tinc.pcap.out index ecbccce87..bf88815dd 100644 --- a/test/results/flow-info/tinc.pcap.out +++ b/test/results/flow-info/tinc.pcap.out 
@@ -14,19 +14,23 @@ detected: [.....4] [ip4][..udp] [.185.83.218.112][55656] -> [.131.114.168.27][55656] [TINC][VPN][Acceptable] RISK: Known Proto on Non Std Port analyse: [.....3] [ip4][..udp] [.131.114.168.27][55655] -> [.185.83.218.112][55655] [TINC][VPN][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.070| 0.172| 0.377] - [IAT(c->s)...: 0.000| 1.070| 0.198| 0.406][IAT(s->c)...: 0.000| 1.024| 0.144| 0.342] - [PKTLEN(c->s): 190.000|1510.000|1168.400| 444.700][PKTLEN(s->c): 190.000|1502.000|1127.600| 455.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.070| 0.172| 0.377|142420.984| 0.000] + [PKTLEN......: 190.000| 1510.000| 1149.200| 450.400|202833.500| 4.900] [BINS(c->s)..: 0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,2,0,0,2,6,0,0] [BINS(s->c)..: 0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,2,0,0,0,6,0,0] + [DIRECTIONS..: 0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,0,1,1,1,1,1,0,0,0,0] + [IATS........: 157,27472,47,25,27522,244,68,237,181,126,15445,30,41839,33,23,1057953,304,258,1003680,53,1840,184,45315,102,25,1024085,82,1069532,137,1001358,279,0] + [PKTLENS.....: 686,734,238,1486,782,230,1270,190,1310,1478,774,686,734,1278,190,1310,1358,1478,1374,1486,1502,1486,1494,1358,1486,1374,1502,1502,1502,1494,1510,1494] analyse: [.....4] [ip4][..udp] [.185.83.218.112][55656] -> [.131.114.168.27][55656] [TINC][VPN][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 2.412| 0.291| 0.559] - [IAT(c->s)...: 0.000| 2.412| 0.412| 0.745][IAT(s->c)...: 0.000| 1.048| 0.224| 0.408] - [PKTLEN(c->s): 190.000|1486.000| 954.000| 431.400][PKTLEN(s->c): 118.000|1494.000|1067.600| 456.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 2.412| 0.291| 0.559|312123.949| 0.000] + [PKTLEN......: 118.000| 1494.000| 1025.000| 450.300|202783.000| 4.800] [BINS(c->s)..: 0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,0,2,1,0,0,1,0,0] 
[BINS(s->c)..: 0,0,1,0,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,1,2,2,2,0,0,2,3,0,0] + [DIRECTIONS..: 0,0,0,1,1,1,1,0,0,0,1,1,1,1,1,1,0,0,0,1,1,0,1,1,1,1,1,1,1,1,0,0] + [IATS........: 50,27,594,482,207,142,1049148,39,24,1048033,86,239,119,120,91,44079,43,25,1044735,279,1021999,20586,1001463,275,241,363633,1001240,149,123,2412459,39,0] + [PKTLENS.....: 766,1486,958,734,1270,1486,958,1070,670,334,1062,190,1310,526,670,334,190,1310,526,1478,1374,1374,1374,1486,1350,1318,118,1494,1478,1342,1390,1374] end: [.....2] [ip4][..tcp] [.131.114.168.27][49290] -> [.185.83.218.112][55656] [TINC][VPN][Acceptable] RISK: Known Proto on Non Std Port idle: [.....3] [ip4][..udp] [.131.114.168.27][55655] -> [.185.83.218.112][55655] [TINC][VPN][Acceptable] diff --git a/test/results/flow-info/tls-appdata.pcap.out b/test/results/flow-info/tls-appdata.pcap.out index 899609605..029ed3136 100644 --- a/test/results/flow-info/tls-appdata.pcap.out +++ b/test/results/flow-info/tls-appdata.pcap.out 
@@ -9,12 +9,14 @@ detected: [.....2] [ip4][..tcp] [..192.168.2.100][58976] -> [...52.223.198.7][..443] [TLS.Twitch][Video][Fun] end: [.....1] [ip4][..tcp] [.179.60.195.173][..443] -> [..192.168.2.100][60636] analyse: [.....2] [ip4][..tcp] [..192.168.2.100][58976] -> [...52.223.198.7][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.001| 15.956| 2.459| 5.752] - [IAT(c->s)...: 0.001| 15.941| 2.283| 5.576][IAT(s->c)...: 0.001| 15.956| 2.663| 5.945] - [PKTLEN(c->s): 54.000|1506.000| 313.800| 551.900][PKTLEN(s->c): 60.000|2958.000|2083.100|1156.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.001| 15.956| 2.459| 5.752|33086771.298| 0.000] + [PKTLEN......: 54.000| 2958.000| 1143.200| 1252.100|1567845.500| 4.000] [BINS(c->s)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] [BINS(s->c)..: 3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,9] + [DIRECTIONS..: 0,0,1,1,1,0,1,0,0,1,1,0,0,0,0,0,0,1,1,1,0,1,0,1,0,0,1,1,1,0,1,0] + [IATS........: 2000,15000,3000,16000,1000,1000,15941000,1000,15956000,5000,19000,1000,1000,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [PKTLENS.....: 1506,74,60,1506,2958,54,2958,54,54,2958,2885,54,54,54,54,1506,74,60,1506,2958,54,2958,54,2958,1506,74,60,1506,2958,54,2958,54] detection-update: [.....2] [ip4][..tcp] [..192.168.2.100][58976] -> [...52.223.198.7][..443] [TLS.Twitch][Video][Fun] DAEMON-EVENT: [Processed: 45 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0] diff --git a/test/results/flow-info/tls_certificate_too_long.pcap.out b/test/results/flow-info/tls_certificate_too_long.pcap.out index f4efda2b8..1b387e31e 100644 --- a/test/results/flow-info/tls_certificate_too_long.pcap.out +++ b/test/results/flow-info/tls_certificate_too_long.pcap.out 
@@ -70,19 +70,23 @@ detected: [....25] [ip4][..tcp] [..192.168.1.121][53428] -> [...52.98.163.18][..443] [TLS.Outlook][Email][Acceptable] detection-update: [....23] [ip4][..udp] [..192.168.1.121][51998] -> [........8.8.8.8][...53] [DNS.Google][Web][Acceptable] analyse: [....24] [ip4][..tcp] [..192.168.1.121][53429] -> [...52.98.163.18][..443] [TLS.Outlook][Email][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.067| 0.005| 0.015] - [IAT(c->s)...: 0.000| 0.067| 0.017| 0.029][IAT(s->c)...: 0.000| 0.042| 0.003| 0.009] - [PKTLEN(c->s): 54.000|1502.000| 938.600| 600.500][PKTLEN(s->c): 54.000|1372.000| 279.400| 236.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.067| 0.005| 0.015| 217.103| 0.000] + [PKTLEN......: 54.000| 1502.000| 423.600| 443.800|196953.100| 4.400] [BINS(c->s)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] [BINS(s->c)..: 2,3,0,1,0,0,11,6,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1] + [IATS........: 1268,1,22712,2791,42219,7,1,1,2,1,1,3,1,2,1,1,1,1,2,1,1,1,66556,1,207,4,1,1,0,0,0,0] + [PKTLENS.....: 1502,936,1502,1502,1020,54,54,1372,166,112,269,281,285,281,267,273,287,273,275,275,271,281,273,283,273,114,54,54,254,275,341,96] analyse: [....25] [ip4][..tcp] [..192.168.1.121][53428] -> [...52.98.163.18][..443] [TLS.Outlook][Email][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.048| 0.009| 0.014] - [IAT(c->s)...: 0.000| 0.048| 0.012| 0.018][IAT(s->c)...: 0.000| 0.037| 0.007| 0.012] - [PKTLEN(c->s): 54.000|1502.000| 757.600| 557.400][PKTLEN(s->c): 54.000|1366.000| 270.600| 331.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.048| 0.009| 0.014| 206.122| 0.000] + [PKTLEN......: 54.000| 1502.000| 453.200| 490.600|240677.500| 4.200] [BINS(c->s)..: 
4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,2,0,0] [BINS(s->c)..: 4,6,1,0,2,0,2,1,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,1,0,1,1,1,1,1,1,0,1,0,1,0,0,0,1,0,1,1,0,1,1,1,1,1,1,1,0,1] + [IATS........: 1,1055,23210,47617,37039,8,1,2,1,1,11720,448,454,9939,10211,1,619,25332,48024,32224,8,8662,433,9,3,3,2,1,2,508,12955,0] + [PKTLENS.....: 1502,936,1292,54,1292,1366,189,273,452,96,99,54,88,54,66,1502,935,708,54,708,1003,445,54,193,253,295,137,96,99,88,54,66] new: [....26] [ip4][..tcp] [..192.168.1.121][53914] -> [...40.113.10.47][..443] new: [....27] [ip4][..tcp] [..192.168.1.121][53915] -> [...40.113.10.47][..443] detected: [....26] [ip4][..tcp] [..192.168.1.121][53914] -> [...40.113.10.47][..443] [TLS.Microsoft][Cloud][Safe] diff --git a/test/results/flow-info/tls_long_cert.pcap.out b/test/results/flow-info/tls_long_cert.pcap.out index 022add874..6dee0be6f 100644 --- a/test/results/flow-info/tls_long_cert.pcap.out +++ b/test/results/flow-info/tls_long_cert.pcap.out 
@@ -6,11 +6,13 @@ detection-update: [.....1] [ip4][..tcp] [..192.168.2.126][60174] -> [.104.111.215.93][..443] [TLS][Web][Safe] detection-update: [.....1] [ip4][..tcp] [..192.168.2.126][60174] -> [.104.111.215.93][..443] [TLS][Web][Safe] analyse: [.....1] [ip4][..tcp] [..192.168.2.126][60174] -> [.104.111.215.93][..443] [TLS][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.034| 0.008| 0.011] - [IAT(c->s)...: 0.000| 0.034| 0.008| 0.011][IAT(s->c)...: 0.000| 0.030| 0.008| 0.011] - [PKTLEN(c->s): 66.000| 902.000| 167.400| 227.500][PKTLEN(s->c): 66.000|1514.000| 926.500| 586.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.034| 0.008| 0.011| 130.013| 0.000] + [PKTLEN......: 66.000| 1514.000| 546.900| 584.900|342142.300| 4.200] [BINS(c->s)..: 11,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,6,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,0,0,0,0,1,0,1,1,0,0,1,1,1,0,0,0,1,0,1,1,1] + [IATS........: 25199,25284,303,30105,3339,1074,34221,792,742,1850,1850,782,8352,423,28143,18603,6453,607,7069,119,26007,3,43,25894,1,59,186,154,696,4,1,0] + [PKTLENS.....: 78,74,66,583,66,1514,1514,66,1266,66,855,66,192,159,902,308,66,66,143,66,104,1119,1119,1514,66,66,66,724,66,1514,1514,1514] end: [.....1] [ip4][..tcp] [..192.168.2.126][60174] -> [.104.111.215.93][..443] [TLS][Web][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/tls_verylong_certificate.pcap.out b/test/results/flow-info/tls_verylong_certificate.pcap.out index 08ea17e0c..132eac076 100644 --- a/test/results/flow-info/tls_verylong_certificate.pcap.out +++ b/test/results/flow-info/tls_verylong_certificate.pcap.out 
@@ -6,12 +6,14 @@ detection-update: [.....1] [ip4][..tcp] [..192.168.1.160][54804] -> [..151.101.66.49][..443] [TLS][Web][Safe] detection-update: [.....1] [ip4][..tcp] [..192.168.1.160][54804] -> [..151.101.66.49][..443] [TLS][Media][Safe] analyse: [.....1] [ip4][..tcp] [..192.168.1.160][54804] -> [..151.101.66.49][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.022| 0.005| 0.007] - [IAT(c->s)...: 0.000| 0.015| 0.005| 0.006][IAT(s->c)...: 0.000| 0.022| 0.004| 0.007] - [PKTLEN(c->s): 66.000| 583.000| 121.000| 133.400][PKTLEN(s->c): 66.000|1434.000| 895.700| 644.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.022| 0.005| 0.007| 43.853| 0.000] + [PKTLEN......: 66.000| 1434.000| 532.600| 615.300|378610.900| 4.100] [BINS(c->s)..: 12,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,4,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,0,1,1,1,0,0,0,1,1,1,0,0,1,0,1,1] + [IATS........: 11591,11712,5740,17683,3137,204,15209,67,53,134,2,140,10611,21714,11194,334,14931,21,2,14564,19,7,256,346,4,564,2,480,517,112,2,0] + [PKTLENS.....: 78,74,66,583,66,1434,1434,66,1434,66,1434,276,66,192,117,66,236,1434,1434,118,66,66,66,1434,1434,118,66,66,1434,66,1434,118] detection-update: [.....1] [ip4][..tcp] [..192.168.1.160][54804] -> [..151.101.66.49][..443] [TLS][Media][Safe] end: [.....1] [ip4][..tcp] [..192.168.1.160][54804] -> [..151.101.66.49][..443] [TLS][Media][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/tor.pcap.out b/test/results/flow-info/tor.pcap.out index bd254e57b..6d66c6e4a 100644 --- a/test/results/flow-info/tor.pcap.out +++ b/test/results/flow-info/tor.pcap.out 
@@ -45,19 +45,23 @@ ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type analyse: [.....3] [ip4][..tcp] [..192.168.1.252][51112] -> [...38.229.70.53][..443] [TLS.Tor][VPN][Potentially Dangerous] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 31.166| 2.329| 7.550] - [IAT(c->s)...: 0.000| 30.771| 2.771| 8.118][IAT(s->c)...: 0.000| 31.166| 2.009| 7.094] - [PKTLEN(c->s): 60.000| 640.000| 384.600| 263.100][PKTLEN(s->c): 54.000|1514.000| 358.200| 412.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 31.166| 2.329| 7.550|56997495.964| 0.000] + [PKTLEN......: 54.000| 1514.000| 369.800| 354.900|125974.500| 4.300] [BINS(c->s)..: 4,0,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,1,0,1,1,0,0,1,1,0,1,1,0,1] + [IATS........: 143824,144206,386,152663,157,159633,171698,164686,190851,113,190713,627,185098,185495,145105,5747,151688,184201,104686,289985,146556,2535956,2930532,30770666,31166013,871,147027,185685,696487,885191,147130,0] + [PKTLENS.....: 66,66,60,278,54,983,252,113,128,1514,140,60,640,54,640,54,640,640,54,640,640,54,640,60,640,54,640,640,54,640,640,54] analyse: [.....1] [ip4][..tcp] [..192.168.1.252][51110] -> [..91.143.93.242][..443] [TLS][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 37.996| 2.549| 9.274] - [IAT(c->s)...: 0.001| 37.720| 3.036| 10.014][IAT(s->c)...: 0.000| 37.996| 2.197| 8.683] - [PKTLEN(c->s): 60.000| 640.000| 337.900| 267.500][PKTLEN(s->c): 54.000|1514.000| 559.800| 571.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 37.996| 2.549| 9.274|86002509.021| 0.000] + [PKTLEN......: 54.000| 1514.000| 462.800| 476.200|226793.400| 4.300] [BINS(c->s)..: 5,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 
7,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,0,1,1,0,0,1,0,1,1,1,0,1,1] + [IATS........: 70996,71325,6669,104314,10783,112643,88567,84606,73691,120,73665,754,108431,107711,67797,2260,74630,103567,101811,113368,368689,686539,37720424,37995839,68191,67504,104050,189003,360821,68695,181,0] + [PKTLENS.....: 66,66,60,269,54,802,188,113,128,1514,156,60,640,54,640,54,640,640,640,640,54,640,60,640,54,640,54,640,1514,60,1514,1514] ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type 
@@ -98,12 +102,14 @@ ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type analyse: [.....2] [ip4][..tcp] [..192.168.1.252][51111] -> [....46.59.52.31][..443] [TLS.Tor][VPN][Potentially Dangerous] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 71.328| 4.658| 14.789] - [IAT(c->s)...: 0.000| 71.328| 7.713| 19.711][IAT(s->c)...: 0.000| 34.353| 2.142| 8.054] - [PKTLEN(c->s): 60.000| 640.000| 319.900| 267.500][PKTLEN(s->c): 54.000|1514.000| 366.500| 403.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 71.328| 4.658| 14.789|218716025.389| 0.000] + [PKTLEN......: 54.000| 1514.000| 344.600| 347.100|120444.200| 4.300] [BINS(c->s)..: 6,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,0,1,1,0,1,1,0,1,1,0,1,0,0] + [IATS........: 73367,74408,357,74070,3203,80209,86098,83238,77261,90,76164,838,117183,116350,75240,23977,101877,114494,465564,429267,3455,80828,117031,388775,507320,75910,393949,666205,34353103,34399015,71328355,0] + [PKTLENS.....: 66,66,60,276,54,803,188,113,128,1514,156,60,640,54,640,54,640,640,54,640,54,640,640,54,640,640,54,640,60,640,60,60] ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type 
@@ -130,20 +136,24 @@ detection-update: [.....9] [ip4][..tcp] [..192.168.1.252][51176] -> [...38.229.70.53][..443] [TLS][Web][Safe] RISK: Obsolete TLS (v1.1 or older) analyse: [.....8] [ip4][..tcp] [..192.168.1.252][51175] -> [..91.143.93.242][..443] [TLS.Tor][VPN][Potentially Dangerous] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.991| 0.147| 0.220] - [IAT(c->s)...: 0.001| 0.694| 0.172| 0.215][IAT(s->c)...: 0.000| 0.991| 0.128| 0.222] - [PKTLEN(c->s): 60.000| 640.000| 379.200| 266.200][PKTLEN(s->c): 54.000|1514.000| 349.100| 398.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.991| 0.147| 0.220|48576.569| 0.000] + [PKTLEN......: 54.000| 1514.000| 362.200| 347.100|120448.800| 4.400] [BINS(c->s)..: 4,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,1,0,1,1,0,0,1,1,0,1,1,0,1] + [IATS........: 64392,65808,9514,82112,4238,79785,91000,88446,79568,146,78186,925,110026,109380,69120,1548,80197,113582,35660,145791,70785,343658,637547,693937,990883,1625,71983,109022,69049,180072,69902,0] + [PKTLENS.....: 66,66,60,267,54,802,188,113,128,1514,156,60,640,54,640,54,640,640,54,640,640,54,640,60,640,54,640,640,54,640,640,54] ERROR-EVENT: Unknown packet type analyse: [.....9] [ip4][..tcp] [..192.168.1.252][51176] -> [...38.229.70.53][..443] [TLS][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.755| 0.186| 0.164] - [IAT(c->s)...: 0.001| 0.755| 0.221| 0.193][IAT(s->c)...: 0.000| 0.608| 0.160| 0.133] - [PKTLEN(c->s): 60.000| 640.000| 342.600| 265.100][PKTLEN(s->c): 54.000|1514.000| 358.200| 412.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.755| 0.186| 0.164|26767.544| 0.000] + [PKTLEN......: 54.000| 1514.000| 351.400| 355.400|126324.200| 4.300] [BINS(c->s)..: 
5,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1,0,1,0] + [IATS........: 143944,144327,714,149478,37247,195972,163599,153986,192261,56166,215,255054,2118,152835,143919,143900,44572,192109,147551,608487,755290,145485,149387,149841,132696,281585,155046,87778,477208,367752,127492,0] + [PKTLENS.....: 66,66,60,264,54,983,252,113,128,54,1514,140,60,640,54,640,54,640,640,54,640,640,54,640,54,640,640,54,640,60,640,66] end: [.....1] [ip4][..tcp] [..192.168.1.252][51110] -> [..91.143.93.242][..443] [TLS][Web][Safe] RISK: Obsolete TLS (v1.1 or older) idle: [.....5] [ip4][..udp] [..192.168.1.252][..138] -> [..192.168.1.255][..138] [NetBIOS.SMBv1][System][Dangerous] 
@@ -233,12 +243,14 @@ ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type analyse: [.....7] [ip4][..tcp] [..192.168.1.252][51174] -> [.212.83.155.250][..443] [TLS][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 72.890| 8.727| 22.569] - [IAT(c->s)...: 0.002| 72.591| 9.018| 22.849][IAT(s->c)...: 0.000| 72.890| 8.454| 22.300] - [PKTLEN(c->s): 60.000| 640.000| 230.700| 242.600][PKTLEN(s->c): 54.000|1514.000| 421.200| 402.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 72.890| 8.727| 22.569|509351076.823| 0.000] + [PKTLEN......: 54.000| 1514.000| 326.000| 345.900|119666.800| 4.300] [BINS(c->s)..: 9,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,0,1,1,0] + [IATS........: 59390,61607,13819,72120,2062,62909,63545,60042,79423,319,78805,1749,98338,96626,56518,4501,61844,64873,64036,73717,275721,252847,50798,9733,261423,61538274,61491411,72591366,72890007,3990,98034,0] + [PKTLENS.....: 66,66,60,263,54,797,188,113,128,1514,140,60,640,54,640,54,640,640,640,640,640,60,640,66,640,60,640,60,60,54,54,60] ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type diff --git a/test/results/flow-info/trickbot.pcap.out b/test/results/flow-info/trickbot.pcap.out index da14251f3..1fe781cb4 100644 --- a/test/results/flow-info/trickbot.pcap.out +++ b/test/results/flow-info/trickbot.pcap.out 
@@ -7,12 +7,14 @@ detection-update: [.....1] [ip4][..tcp] [...10.12.29.101][61318] -> [.82.118.225.196][.7080] [HTTP][Web][Acceptable] RISK: Known Proto on Non Std Port, HTTP Numeric IP Address, HTTP Suspicious Content analyse: [.....1] [ip4][..tcp] [...10.12.29.101][61318] -> [.82.118.225.196][.7080] [HTTP][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.931| 0.157| 0.258] - [IAT(c->s)...: 0.000| 0.931| 0.273| 0.296][IAT(s->c)...: 0.000| 0.931| 0.116| 0.230] - [PKTLEN(c->s): 54.000| 982.000| 197.200| 297.900][PKTLEN(s->c): 54.000|1514.000|1236.200| 521.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.931| 0.157| 0.258|66793.452| 0.000] + [PKTLEN......: 54.000| 1514.000| 944.000| 662.500|438885.500| 4.500] [BINS(c->s)..: 7,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,3,0,0,14,0,0] + [DIRECTIONS..: 0,1,0,0,0,1,1,1,0,1,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,1,1] + [IATS........: 245675,245918,203,81,530,37,931085,931328,2339,2280,480234,19,480300,297566,15,8,7,8,7,8,8,7,7,6,9,297680,227938,227937,482874,14,14,0] + [PKTLENS.....: 66,58,54,403,982,54,54,1412,54,1412,54,1514,1337,54,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,290,54,1412,54,1514,1514,1208] end: [.....1] [ip4][..tcp] [...10.12.29.101][61318] -> [.82.118.225.196][.7080] [HTTP][Web][Acceptable] RISK: Known Proto on Non Std Port, HTTP Numeric IP Address, HTTP Suspicious Content DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/tumblr.pcap.out b/test/results/flow-info/tumblr.pcap.out index 4385a500c..f9c635f70 100644 --- a/test/results/flow-info/tumblr.pcap.out +++ b/test/results/flow-info/tumblr.pcap.out 
@@ -12,45 +12,53 @@ detected: [.....6] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][42908] -> [.....................64:ff9b::98c7:1593][..443] [TLS][Web][Safe] new: [.....7] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56782] -> [.....................64:ff9b::68f4:2ac8][..443] [MIDSTREAM] analyse: [.....6] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][42908] -> [.....................64:ff9b::98c7:1593][..443] [TLS][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.701| 0.084| 0.189] - [IAT(c->s)...: 0.000| 0.701| 0.087| 0.192][IAT(s->c)...: 0.000| 0.701| 0.081| 0.186] - [PKTLEN(c->s): 86.000| 468.000| 123.900| 93.400][PKTLEN(s->c): 86.000|1486.000| 803.100| 652.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.701| 0.084| 0.189|35694.846| 0.000] + [PKTLEN......: 86.000| 1486.000| 463.500| 576.400|332266.900| 4.000] [BINS(c->s)..: 11,3,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0] + [DIRECTIONS..: 0,0,0,1,1,1,1,0,1,0,0,0,1,1,1,0,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0] + [IATS........: 870,91738,194148,2,1,2772,104383,700859,700827,1324,5830,44963,352,357119,395282,1534,2,2,1,1,1,1,2,1529,39,13,18,11,13,13,12,0] + [PKTLENS.....: 468,125,125,86,86,86,125,86,958,86,121,198,86,86,1474,86,98,1486,1486,1486,1486,849,1486,1486,86,86,86,86,86,86,86,86] new: [.....8] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43420] -> [.....................64:ff9b::c000:4d28][..443] [MIDSTREAM] detected: [.....8] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43420] -> [.....................64:ff9b::c000:4d28][..443] [TLS][Web][Safe] new: [.....9] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43434] -> [.....................64:ff9b::c000:4d28][..443] [MIDSTREAM] detected: [.....9] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43434] -> 
[.....................64:ff9b::c000:4d28][..443] [TLS][Web][Safe] new: [....10] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58380] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] analyse: [.....8] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43420] -> [.....................64:ff9b::c000:4d28][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.037| 0.003| 0.008] - [IAT(c->s)...: 0.000| 0.037| 0.003| 0.009][IAT(s->c)...: 0.000| 0.026| 0.003| 0.007] - [PKTLEN(c->s): 86.000| 246.000| 105.400| 51.500][PKTLEN(s->c): 86.000|1486.000| 839.600| 667.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.037| 0.003| 0.008| 65.352| 0.000] + [PKTLEN......: 86.000| 1486.000| 472.500| 599.100|358951.000| 4.000] [BINS(c->s)..: 14,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0] + [DIRECTIONS..: 0,0,1,1,1,0,1,1,0,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,0,1,0] + [IATS........: 469,25881,1104,10603,37135,1897,1,1911,13,717,678,9927,9935,107,1,101,8,237,229,116,116,308,309,92,91,472,1,479,15,99,79,0] + [PKTLENS.....: 246,237,86,86,905,86,125,1474,86,86,98,86,1486,86,1486,1474,86,86,98,86,1486,86,1486,86,1474,86,98,1474,86,86,98,86] detection-update: [.....8] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43420] -> [.....................64:ff9b::c000:4d28][..443] [TLS][Web][Safe] detected: [....10] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58380] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] [TLS][Web][Safe] analyse: [.....9] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43434] -> [.....................64:ff9b::c000:4d28][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.045| 0.004| 0.009] - [IAT(c->s)...: 0.000| 0.045| 0.004| 0.011][IAT(s->c)...: 0.000| 0.027| 0.004| 0.007] - [PKTLEN(c->s): 86.000| 198.000| 108.600| 42.000][PKTLEN(s->c): 
86.000|1486.000|1136.000| 606.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.045| 0.004| 0.009| 88.667| 0.000] + [PKTLEN......: 86.000| 1486.000| 622.300| 669.700|448506.000| 4.100] [BINS(c->s)..: 12,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,1,1,1,1,1,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0] + [IATS........: 365,4822,355,27249,2992,337,2701,17288,45055,519,518,603,1,579,9,7282,1,7292,34,289,2,248,25,174,1,157,27,1036,1,1005,28,0] + [PKTLENS.....: 198,125,197,186,86,86,86,86,1486,86,1486,86,1486,1486,86,86,1486,1486,86,86,1486,1486,86,86,1486,1486,86,86,1486,1486,86,86] detection-update: [.....9] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43434] -> [.....................64:ff9b::c000:4d28][..443] [TLS][Web][Safe] new: [....11] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58382] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] detection-update: [....10] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58380] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] [TLS][Web][Safe] detected: [....11] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58382] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] [TLS][Web][Safe] detection-update: [....11] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58382] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] [TLS][Web][Safe] analyse: [....10] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58380] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] [TLS][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.048| 0.012| 0.017] - [IAT(c->s)...: 0.000| 0.047| 0.010| 0.016][IAT(s->c)...: 0.000| 0.048| 0.014| 0.018] - [PKTLEN(c->s): 86.000| 609.000| 181.400| 172.900][PKTLEN(s->c): 86.000|1294.000| 448.000| 475.600] + [min|max|avg|stddev|variance|entropy] + 
[IAT.........: 0.000| 0.048| 0.012| 0.017| 287.486| 0.000] + [PKTLEN......: 86.000| 1294.000| 314.700| 381.900|145812.800| 4.200] [BINS(c->s)..: 10,1,2,0,0,0,0,0,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,2,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,1,1,0,0,0,1,0,1,0,0,0,0,0,1,1,1,1,1,1,1,0,0] + [IATS........: 33179,33247,488,47694,47160,1225,37725,2106,38598,23,3,754,718,796,796,2589,248,171,60,26260,592,1,74,1362,25234,8,0,0,0,0,0,0] + [PKTLENS.....: 94,94,86,603,86,185,86,609,86,1294,1294,1294,86,86,86,558,86,1069,86,160,178,343,142,86,86,86,86,341,341,182,86,86] new: [....12] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39152] -> [......................64:ff9b::6006:749][..443] new: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47118] -> [.................2001:4998:14:800::1001][..443] detected: [....12] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39152] -> [......................64:ff9b::6006:749][..443] [TLS][Advertisement][Safe] 
@@ -59,12 +67,14 @@ new: [....14] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56794] -> [.....................64:ff9b::c000:4d03][..443] [MIDSTREAM] detected: [....14] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56794] -> [.....................64:ff9b::c000:4d03][..443] [TLS][Web][Safe] analyse: [....14] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56794] -> [.....................64:ff9b::c000:4d03][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.037| 0.004| 0.009] - [IAT(c->s)...: 0.000| 0.026| 0.004| 0.009][IAT(s->c)...: 0.000| 0.037| 0.004| 0.009] - [PKTLEN(c->s): 86.000| 216.000| 123.500| 50.800][PKTLEN(s->c): 86.000|1486.000| 703.400| 679.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.037| 0.004| 0.009| 82.581| 0.000] + [PKTLEN......: 86.000| 1486.000| 449.700| 586.000|343353.700| 4.000] [BINS(c->s)..: 8,2,1,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,7,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,1,1,1,1,1,1,0,1,0,1,1,1,0,0,1,1,1,1,0,0,1,1,0,1,1,0] + [IATS........: 375,92,385,236,26419,36646,2159,376,10012,21697,203,197,169,221,406,8,175,469,1,620,51,101,150,197,535,21,562,0,0,0,0,0] + [PKTLENS.....: 206,125,215,216,157,122,86,86,86,86,86,1486,86,1486,86,1474,98,1486,86,86,1474,98,1341,117,86,86,125,1474,86,98,1474,86] detection-update: [....14] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56794] -> [.....................64:ff9b::c000:4d03][..443] [TLS][Web][Safe] new: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51874] -> [.....................64:ff9b::c000:4c03][..443] [MIDSTREAM] detected: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51874] -> [.....................64:ff9b::c000:4c03][..443] [TLS][Web][Safe] 
@@ -77,12 +87,14 @@ detected: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56842] -> [.....................64:ff9b::c000:4d03][..443] [TLS.Tumblr][SocialNetwork][Fun] detection-update: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56842] -> [.....................64:ff9b::c000:4d03][..443] [TLS.Tumblr][SocialNetwork][Fun] analyse: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56842] -> [.....................64:ff9b::c000:4d03][..443] [TLS.Tumblr][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.070| 0.013| 0.021] - [IAT(c->s)...: 0.000| 0.060| 0.012| 0.021][IAT(s->c)...: 0.000| 0.070| 0.015| 0.021] - [PKTLEN(c->s): 86.000| 603.000| 169.900| 155.400][PKTLEN(s->c): 86.000|1486.000| 585.800| 602.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.070| 0.013| 0.021| 430.743| 0.000] + [PKTLEN......: 86.000| 1486.000| 377.800| 486.500|236637.800| 4.100] [BINS(c->s)..: 11,0,2,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,0,1,0,0,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,4,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,0,0,1,1,1,1,0,1,1,1,1,1,0,0,0] + [IATS........: 22637,22712,440,30662,24781,1,1,54941,10,7,4,36,7,1509,240,132,59732,70171,1,28567,37136,504,1,1,500,15,4,0,0,0,0,0] + [PKTLENS.....: 94,94,86,603,86,1486,1486,1382,1486,86,86,86,86,207,86,150,178,417,417,86,86,86,357,86,357,148,117,1486,422,86,86,86] new: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56558] -> [.....................64:ff9b::9765:798c][..443] [MIDSTREAM] new: [....22] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][50960] -> [...............2a00:1450:4007:805::2002][..443] [MIDSTREAM] new: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][49496] -> [...............2a00:1450:4007:815::2003][..443] [MIDSTREAM] 
@@ -109,42 +121,50 @@ detection-update: [....41] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43328] -> [.....................64:ff9b::4a72:9a16][..443] [TLS.Tumblr][SocialNetwork][Fun] detection-update: [....41] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43328] -> [.....................64:ff9b::4a72:9a16][..443] [TLS.Tumblr][SocialNetwork][Fun] analyse: [....41] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43328] -> [.....................64:ff9b::4a72:9a16][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.189| 0.029| 0.050] - [IAT(c->s)...: 0.000| 0.189| 0.029| 0.056][IAT(s->c)...: 0.000| 0.160| 0.029| 0.044] - [PKTLEN(c->s): 86.000| 603.000| 159.900| 158.100][PKTLEN(s->c): 86.000|1486.000| 776.100| 656.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.189| 0.029| 0.050| 2509.587| 0.000] + [PKTLEN......: 86.000| 1486.000| 468.000| 568.300|322990.400| 4.100] [BINS(c->s)..: 12,0,2,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,6,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,1,0,1,0,1] + [IATS........: 21421,21468,523,29545,160398,189403,235,213,14,842,826,3808,144,202,28681,1,1011,77988,2,103570,74,656,29813,79144,108203,110,95,435,441,86,0,0] + [PKTLENS.....: 94,94,86,603,86,1486,86,1486,1382,86,86,1087,86,171,177,537,86,86,86,352,156,86,86,116,86,1486,86,1486,86,1486,86,1486] detection-update: [....41] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43328] -> [.....................64:ff9b::4a72:9a16][..443] [TLS.Tumblr][SocialNetwork][Fun] new: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][49548] -> [...............2a00:1450:4007:809::200e][..443] detected: [.....2] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48240] -> [.....................64:ff9b::9765:789d][..443] [TLS][Web][Safe] detected: 
[....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][49548] -> [...............2a00:1450:4007:809::200e][..443] [TLS.Google][Web][Acceptable] new: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38608] -> [...............2a00:1450:4007:80b::200a][..443] analyse: [.....2] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48240] -> [.....................64:ff9b::9765:789d][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 19.514| 1.561| 5.288] - [IAT(c->s)...: 0.000| 19.473| 1.394| 5.014][IAT(s->c)...: 0.000| 19.514| 1.774| 5.610] - [PKTLEN(c->s): 86.000| 172.000| 94.800| 23.600][PKTLEN(s->c): 86.000|1134.000|1072.400| 246.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 19.514| 1.561| 5.288|27962124.534| 0.000] + [PKTLEN......: 86.000| 1134.000| 614.100| 520.100|270533.200| 4.400] [BINS(c->s)..: 13,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,1,1,0,1,1,0,0,1,0,1,0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1] + [IATS........: 19473275,346,19513573,40000,58,14,3,47,46,590,601,1080,1,1,1,1081,15,50,4,2,3,4,112,1,1,0,0,0,0,0,0,0] + [PKTLENS.....: 86,172,132,86,1134,86,1134,1134,86,86,1134,86,1134,86,1134,1134,1134,1134,1134,1134,1134,86,86,86,86,86,86,86,1134,1134,1134,1134] detection-update: [.....2] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48240] -> [.....................64:ff9b::9765:789d][..443] [TLS][Web][Safe] detected: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38608] -> [...............2a00:1450:4007:80b::200a][..443] [TLS.GoogleServices][Web][Acceptable] detection-update: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][49548] -> [...............2a00:1450:4007:809::200e][..443] [TLS.Google][Web][Acceptable] detection-update: [....44] [ip6][..tcp] 
[2a01:cb01:2049:8b07:991d:ec85:28df:f629][38608] -> [...............2a00:1450:4007:80b::200a][..443] [TLS.GoogleServices][Web][Acceptable] analyse: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38608] -> [...............2a00:1450:4007:80b::200a][..443] [TLS.GoogleServices][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.067| 0.012| 0.020] - [IAT(c->s)...: 0.000| 0.067| 0.011| 0.019][IAT(s->c)...: 0.000| 0.067| 0.014| 0.022] - [PKTLEN(c->s): 86.000| 603.000| 144.200| 133.000][PKTLEN(s->c): 86.000|1294.000| 673.700| 539.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.067| 0.012| 0.020| 413.573| 0.000] + [PKTLEN......: 86.000| 1294.000| 392.400| 464.300|215557.600| 4.100] [BINS(c->s)..: 13,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,0,0,1,1,1,0,1,1,0,0,1,1,1,0,0,0] + [IATS........: 67445,67472,269,44078,5271,1,49097,3,94,53,18571,10150,718,42370,12940,229,14297,2020,1,16083,2556,1,2570,25,64,1,22,4,8,0,0,0] + [PKTLENS.....: 94,94,86,603,86,1294,1294,86,86,586,86,150,178,364,86,666,86,117,86,117,86,86,535,1294,86,86,1294,1294,1294,86,86,86] analyse: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][49548] -> [...............2a00:1450:4007:809::200e][..443] [TLS.Google][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.083| 0.015| 0.021] - [IAT(c->s)...: 0.000| 0.083| 0.014| 0.022][IAT(s->c)...: 0.000| 0.071| 0.016| 0.020] - [PKTLEN(c->s): 86.000| 603.000| 146.600| 134.300][PKTLEN(s->c): 86.000|1294.000| 649.700| 553.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.083| 0.015| 0.021| 439.399| 0.000] + [PKTLEN......: 86.000| 1294.000| 398.200| 474.800|225406.500| 4.100] [BINS(c->s)..: 
12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,1,0,0,0,0,1,1,0,1,1,1,1,1,1,0,0,0,0,1] + [IATS........: 30258,30298,226,70679,12575,2,1,83018,62,4,882,32413,31475,5911,16277,137,34580,1914,14156,7168,10659,16853,1,1,34679,24,2,2,942,0,0,0] + [PKTLENS.....: 94,94,86,603,86,1294,1294,325,86,86,86,150,86,666,86,178,117,344,86,117,86,86,86,999,1294,1294,1294,86,86,86,86,1294] detected: [....42] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][55560] -> [...............2a00:1450:4007:817::200a][..443] [TLS][Web][Safe] detected: [.....7] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56782] -> [.....................64:ff9b::68f4:2ac8][..443] [TLS][Web][Safe] new: [....45] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39164] -> [......................64:ff9b::6006:749][..443] 
@@ -152,12 +172,14 @@ new: [....46] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][42674] -> [.....................64:ff9b::4a72:9a15][..443] [MIDSTREAM] detection-update: [....45] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39164] -> [......................64:ff9b::6006:749][..443] [TLS][Advertisement][Safe] analyse: [....12] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39152] -> [......................64:ff9b::6006:749][..443] [TLS][Advertisement][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 16.589| 1.119| 4.059] - [IAT(c->s)...: 0.000| 16.557| 1.087| 3.995][IAT(s->c)...: 0.002| 16.589| 1.154| 4.126] - [PKTLEN(c->s): 86.000| 850.000| 334.500| 298.600][PKTLEN(s->c): 86.000|1365.000| 398.300| 430.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 16.589| 1.119| 4.059|16477581.214| 0.000] + [PKTLEN......: 86.000| 1365.000| 364.400| 367.900|135349.600| 4.300] [BINS(c->s)..: 9,0,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,1,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0] + [IATS........: 29466,29487,204,37942,9029,46759,696,98,30996,1834,7035,39073,52635,52694,371915,406395,20731,55185,2451,32929,9268,39721,16556740,16588707,11402,43353,16903,58413,9807,93158,46822,0] + [PKTLENS.....: 94,94,86,706,86,356,86,166,503,86,86,373,86,1273,86,838,86,869,86,850,86,356,86,514,86,1365,86,658,86,686,86,670] new: [....47] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40190] -> [...............2a00:1450:4007:80a::200a][..443] [MIDSTREAM] guessed: [....36] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48988] -> [...............2a00:1450:4007:811::2004][..443] [TLS][Web][Safe] idle: [....36] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48988] -> [...............2a00:1450:4007:811::2004][..443] 
diff --git a/test/results/flow-info/tunnelbear.pcap.out b/test/results/flow-info/tunnelbear.pcap.out index 188ff1a25..83239694f 100644 --- a/test/results/flow-info/tunnelbear.pcap.out +++ b/test/results/flow-info/tunnelbear.pcap.out @@ -20,12 +20,14 @@ detected: [.....6] [ip4][..tcp] [.......10.8.0.1][47496] -> [162.247.243.188][..443] [TLS][Web][Safe] detection-update: [.....6] [ip4][..tcp] [.......10.8.0.1][47496] -> [162.247.243.188][..443] [TLS][Web][Safe] analyse: [.....2] [ip4][..tcp] [.......10.8.0.1][45104] -> [..104.17.115.40][..443] [TLS.TunnelBear][VPN][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.266| 0.037| 0.060] - [IAT(c->s)...: 0.000| 0.266| 0.039| 0.067][IAT(s->c)...: 0.000| 0.214| 0.036| 0.054] - [PKTLEN(c->s): 54.000| 590.000| 239.800| 219.800][PKTLEN(s->c): 54.000|3711.000| 640.200|1091.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.266| 0.037| 0.060| 3626.297| 0.000] + [PKTLEN......: 54.000| 3711.000| 440.000| 812.300|659832.900| 3.600] [BINS(c->s)..: 7,1,1,1,0,0,0,0,1,0,1,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 10,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1] + [IATS........: 4811,10763,14,6027,71146,71669,62476,63085,171,99,103,116,2258,2217,58331,58816,497,202,194,148,171,85,633,797,214474,265866,52392,51419,53825,54567,51776,0] + [PKTLENS.....: 74,54,54,571,54,3711,54,147,54,590,54,590,54,319,54,390,375,54,590,54,164,54,54,92,54,1646,54,705,54,366,54,2885] new: [.....7] [ip4][..tcp] [.......10.8.0.1][45124] -> [..104.17.115.40][..443] new: [.....8] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] detected: [.....7] [ip4][..tcp] [.......10.8.0.1][45124] -> [..104.17.115.40][..443] [TLS.TunnelBear][VPN][Acceptable] 
@@ -33,12 +35,14 @@ detection-update: [.....8] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] [TLS.TunnelBear][VPN][Acceptable] detection-update: [.....7] [ip4][..tcp] [.......10.8.0.1][45124] -> [..104.17.115.40][..443] [TLS.TunnelBear][VPN][Acceptable] analyse: [.....8] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] [TLS.TunnelBear][VPN][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.234| 0.036| 0.055] - [IAT(c->s)...: 0.000| 0.234| 0.037| 0.061][IAT(s->c)...: 0.000| 0.197| 0.035| 0.048] - [PKTLEN(c->s): 54.000| 590.000| 198.700| 207.000][PKTLEN(s->c): 54.000| 803.000| 128.600| 182.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.234| 0.036| 0.055| 3015.001| 0.000] + [PKTLEN......: 54.000| 803.000| 163.700| 198.300|39337.400| 4.200] [BINS(c->s)..: 9,2,0,0,0,0,0,0,1,0,1,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 11,1,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,0,0,1,0,1,1,0] + [IATS........: 3428,3938,2003,2864,57273,107978,750,51373,305,140,145,128,138,133,50874,51892,1049,50443,50842,196795,233720,37672,51488,50853,51099,141,51026,454,234,444,1019,0] + [PKTLENS.....: 74,54,54,571,54,210,54,105,54,590,54,590,54,317,54,132,377,54,92,54,803,54,227,54,92,54,85,54,54,54,54,54] new: [.....9] [ip4][..tcp] [..10.158.132.91][38398] -> [..104.17.114.40][..443] [MIDSTREAM] detected: [.....9] [ip4][..tcp] [..10.158.132.91][38398] -> [..104.17.114.40][..443] [TLS.TunnelBear][VPN][Acceptable] new: [....10] [ip4][..tcp] [..10.158.132.91][51120] -> [........8.8.8.8][...53] [MIDSTREAM] 
@@ -87,12 +91,14 @@ detection-update: [....15] [ip4][..tcp] [.......10.8.0.1][50904] -> [.104.17.154.236][..443] [TLS.TunnelBear][VPN][Acceptable] detection-update: [....20] [ip4][..tcp] [.......10.8.0.1][48222] -> [162.247.243.188][..443] [TLS][Web][Safe] analyse: [....14] [ip4][..tcp] [.......10.8.0.1][33830] -> [..104.17.114.40][..443] [TLS.TunnelBear][VPN][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.340| 0.040| 0.084] - [IAT(c->s)...: 0.000| 0.240| 0.032| 0.069][IAT(s->c)...: 0.000| 0.340| 0.046| 0.094] - [PKTLEN(c->s): 54.000| 590.000| 270.700| 212.000][PKTLEN(s->c): 54.000|2954.000| 240.100| 679.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.340| 0.040| 0.084| 7024.527| 0.000] + [PKTLEN......: 54.000| 2954.000| 254.400| 516.400|266681.900| 3.700] [BINS(c->s)..: 3,3,1,2,0,0,0,0,0,0,2,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 13,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,1,0,1,1,0,1,0,1,0,1,0,1,1] + [IATS........: 4054,5298,2009,3384,237730,240091,25,2380,9328,9409,226,61,1426,1484,112,59,79,69,100518,152574,52262,7046,20588,16017,10024,8002,820,1293,7036,6175,340372,0] + [PKTLENS.....: 74,54,54,571,54,210,54,105,54,107,54,140,54,590,54,590,54,179,54,123,92,54,92,375,54,590,54,162,54,377,54,2954] new: [....21] [ip4][..tcp] [.......10.8.0.1][33858] -> [..104.17.114.40][..443] detected: [....21] [ip4][..tcp] [.......10.8.0.1][33858] -> [..104.17.114.40][..443] [TLS.TunnelBear][VPN][Acceptable] idle: [....13] [ip4][..tcp] [.......10.8.0.1][47046] -> [.74.125.200.188][.5228] diff --git a/test/results/flow-info/ultrasurf.pcap.out b/test/results/flow-info/ultrasurf.pcap.out index c36c73051..7e5ca73bb 100644 --- a/test/results/flow-info/ultrasurf.pcap.out +++ b/test/results/flow-info/ultrasurf.pcap.out 
@@ -4,36 +4,42 @@ new: [.....1] [ip4][..tcp] [....65.49.68.25][50053] -> [....10.132.0.23][37898] [MIDSTREAM] detected: [.....1] [ip4][..tcp] [....65.49.68.25][50053] -> [....10.132.0.23][37898] [UltraSurf][VPN][Acceptable] analyse: [.....1] [ip4][..tcp] [....65.49.68.25][50053] -> [....10.132.0.23][37898] [UltraSurf][VPN][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.150| 0.021| 0.036] - [IAT(c->s)...: 0.000| 0.150| 0.017| 0.031][IAT(s->c)...: 0.000| 0.142| 0.029| 0.042] - [PKTLEN(c->s): 1350.000|2646.000|1943.100| 641.700][PKTLEN(s->c): 98.000| 98.000| 98.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.150| 0.021| 0.036| 1271.455| 0.000] + [PKTLEN......: 98.000| 2646.000| 1366.500| 1007.200|1014474.800| 4.500] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,10] [BINS(s->c)..: 10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,1,1,1,1,0,1,0,0,0,1,1,0,0,0,0,0] + [IATS........: 7,21335,5,10969,29128,61453,2,10832,4,9189,30801,10791,6,19965,5,29291,5,3,3,9324,30618,150485,11,11883,141836,4,17858,20033,9,20018,10094,0] + [PKTLENS.....: 2646,2646,1358,1358,2646,2646,98,98,1358,1358,2646,98,1358,1358,1350,2646,98,98,98,98,1358,98,1358,1358,2646,98,98,2646,1358,1358,2646,2646] new: [.....2] [ip4][..tcp] [....10.132.0.23][38120] -> [....65.49.68.25][50053] detected: [.....2] [ip4][..tcp] [....10.132.0.23][38120] -> [....65.49.68.25][50053] [TLS][Web][Safe] RISK: Known Proto on Non Std Port, Missing SNI TLS Extn detection-update: [.....2] [ip4][..tcp] [....10.132.0.23][38120] -> [....65.49.68.25][50053] [TLS][Web][Safe] RISK: Known Proto on Non Std Port, Missing SNI TLS Extn analyse: [.....2] [ip4][..tcp] [....10.132.0.23][38120] -> [....65.49.68.25][50053] [TLS][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.271| 0.063| 0.099] - [IAT(c->s)...: 0.000| 0.260| 
0.063| 0.099][IAT(s->c)...: 0.000| 0.271| 0.062| 0.100] - [PKTLEN(c->s): 70.000|1418.000| 404.300| 430.600][PKTLEN(s->c): 70.000|1358.000| 334.600| 463.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.271| 0.063| 0.099| 9897.855| 0.000] + [PKTLEN......: 70.000| 1418.000| 367.300| 449.600|202163.000| 4.100] [BINS(c->s)..: 7,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0] [BINS(s->c)..: 4,8,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,1,0,0,0,1,1,1,1,1,1] + [IATS........: 211168,260384,4,269572,5,10096,9894,260379,4,20013,20030,10943,4,270784,9694,4,10276,229481,5,19977,40078,29866,14,10092,29929,210869,5,2,9,9396,4,0] + [PKTLENS.....: 78,78,70,587,70,1358,1358,1274,70,70,70,134,156,708,125,105,101,126,101,70,112,1418,104,1166,698,668,70,105,262,205,105,131] new: [.....3] [ip4][..tcp] [....10.132.0.23][38152] -> [....65.49.68.25][50053] detected: [.....3] [ip4][..tcp] [....10.132.0.23][38152] -> [....65.49.68.25][50053] [TLS][Web][Safe] RISK: Known Proto on Non Std Port, Missing SNI TLS Extn detection-update: [.....3] [ip4][..tcp] [....10.132.0.23][38152] -> [....65.49.68.25][50053] [TLS][Web][Safe] RISK: Known Proto on Non Std Port, Missing SNI TLS Extn analyse: [.....3] [ip4][..tcp] [....10.132.0.23][38152] -> [....65.49.68.25][50053] [TLS][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.269| 0.059| 0.101] - [IAT(c->s)...: 0.000| 0.261| 0.053| 0.096][IAT(s->c)...: 0.000| 0.269| 0.064| 0.105] - [PKTLEN(c->s): 70.000|1418.000| 371.000| 429.700][PKTLEN(s->c): 70.000|1358.000| 436.200| 523.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.269| 0.059| 0.101|10170.351| 0.000] + [PKTLEN......: 70.000| 1418.000| 403.600| 479.700|230117.000| 4.200] [BINS(c->s)..: 7,0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0] 
[BINS(s->c)..: 3,5,1,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1] + [IATS........: 209494,239714,10,251051,6,11439,12,260675,5,9589,20029,20030,269120,19987,5,231024,5,19971,10,4,3,3,2,249606,8,2,3,3,10064,10,3,0] + [PKTLENS.....: 78,78,70,587,70,1358,1358,1274,70,70,70,134,386,125,105,157,70,101,1418,446,1418,498,268,252,70,105,131,218,262,105,205,1358] end: [.....1] [ip4][..tcp] [....65.49.68.25][50053] -> [....10.132.0.23][37898] [UltraSurf][VPN][Acceptable] end: [.....2] [ip4][..tcp] [....10.132.0.23][38120] -> [....65.49.68.25][50053] [TLS][Web][Safe] RISK: Known Proto on Non Std Port, Missing SNI TLS Extn diff --git a/test/results/flow-info/viber.pcap.out b/test/results/flow-info/viber.pcap.out index 698ddeb71..2b3e07e4f 100644 --- a/test/results/flow-info/viber.pcap.out +++ b/test/results/flow-info/viber.pcap.out 
@@ -33,12 +33,14 @@ detection-update: [....10] [ip4][..tcp] [...192.168.0.17][53934] -> [...54.230.93.53][..443] [TLS.Viber][Chat][Acceptable] detection-update: [....10] [ip4][..tcp] [...192.168.0.17][53934] -> [...54.230.93.53][..443] [TLS.Viber][Chat][Acceptable] analyse: [....10] [ip4][..tcp] [...192.168.0.17][53934] -> [...54.230.93.53][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.048| 0.009| 0.015] - [IAT(c->s)...: 0.000| 0.041| 0.011| 0.015][IAT(s->c)...: 0.000| 0.048| 0.008| 0.015] - [PKTLEN(c->s): 66.000| 774.000| 139.200| 184.300][PKTLEN(s->c): 66.000|1514.000|1186.100| 547.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.048| 0.009| 0.015| 217.133| 0.000] + [PKTLEN......: 66.000| 1514.000| 728.100| 673.400|453425.200| 4.300] [BINS(c->s)..: 11,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0] + [IATS........: 19470,21663,1023,22292,3214,249,21,217,39369,88,574,349,10837,47784,22339,40800,258,54,169,260,19,213,268,217,249,532,41188,70,47,44,1080,0] + [PKTLENS.....: 74,74,66,249,66,1514,1514,1514,411,66,66,66,66,192,308,774,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,808,66,66,66,66,66] detection-update: [....10] [ip4][..tcp] [...192.168.0.17][53934] -> [...54.230.93.53][..443] [TLS.Viber][Chat][Acceptable] new: [....11] [ip4][..udp] [...192.168.0.17][41993] -> [.172.217.23.106][..443] new: [....12] [ip4][..udp] [...192.168.0.17][35331] -> [...192.168.0.15][...53] 
@@ -58,12 +60,14 @@ detected: [....17] [ip4][..tcp] [...192.168.0.17][55746] -> [..151.101.1.130][..443] [TLS][Web][Safe] detection-update: [....17] [ip4][..tcp] [...192.168.0.17][55746] -> [..151.101.1.130][..443] [TLS][Web][Safe] analyse: [.....1] [ip4][..tcp] [...192.168.0.17][33208] -> [...52.0.253.101][.4244] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 10.702| 1.934| 2.902] - [IAT(c->s)...: 0.000| 10.564| 2.006| 2.878][IAT(s->c)...: 0.000| 10.702| 1.858| 2.926] - [PKTLEN(c->s): 66.000| 596.000| 211.100| 159.700][PKTLEN(s->c): 66.000| 164.000| 92.900| 39.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 10.702| 1.934| 2.902|8424002.683| 0.000] + [PKTLEN......: 66.000| 596.000| 155.700| 133.200|17739.800| 4.600] [BINS(c->s)..: 4,1,6,2,0,0,0,0,0,0,1,1,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 10,0,3,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,1,0,0,1,0,1,0,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,0,1,1,1,0,1,0] + [IATS........: 54240,95930,270,43992,41788,57048,16087,92087,91609,10563926,10701681,4192149,4152724,4422076,4422070,309467,309552,21641,197002,97,215011,3974475,3934854,3635331,52554,3635290,52615,12721,140816,167507,4361173,0] + [PKTLENS.....: 167,122,66,142,66,508,130,66,134,66,163,66,160,66,160,66,405,66,164,66,150,66,160,66,160,424,66,66,164,150,66,596] guessed: [.....1] [ip4][..tcp] [...192.168.0.17][33208] -> [...52.0.253.101][.4244] [Viber][VoIP][Acceptable] detected: [.....1] [ip4][..tcp] [...192.168.0.17][33208] -> [...52.0.253.101][.4244] [Viber][VoIP][Acceptable] new: [....18] [ip4][..tcp] [...192.168.0.17][45424] -> [....18.201.4.32][..443] 
@@ -76,12 +80,14 @@ detection-update: [....21] [ip4][..tcp] [...192.168.0.17][49048] -> [..54.187.91.182][..443] [TLS.AmazonAWS][Cloud][Acceptable] detection-update: [....21] [ip4][..tcp] [...192.168.0.17][49048] -> [..54.187.91.182][..443] [TLS.AmazonAWS][Cloud][Acceptable] analyse: [....19] [ip4][..udp] [...192.168.0.17][47171] -> [....18.201.4.32][.7985] [Viber][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.525| 0.329| 0.210] - [IAT(c->s)...: 0.000| 0.525| 0.321| 0.212][IAT(s->c)...: 0.015| 0.525| 0.337| 0.208] - [PKTLEN(c->s): 62.000| 299.000| 215.400| 113.300][PKTLEN(s->c): 76.000| 118.000| 104.000| 19.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.525| 0.329| 0.210|44226.417| 0.000] + [PKTLEN......: 62.000| 299.000| 163.200| 100.400|10086.100| 4.700] [BINS(c->s)..: 6,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,5,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] + [IATS........: 129,33097,500276,500261,503516,15204,503250,15302,516057,515704,477654,477626,36790,36786,524953,525007,440389,440669,68112,67828,523108,523160,411969,411845,84133,84199,517782,517791,399760,399674,114810,0] + [PKTLENS.....: 299,62,118,299,118,62,299,76,118,299,118,62,76,299,118,299,118,62,76,299,118,299,118,62,76,299,118,299,118,62,76,299] new: [....22] [ip4][..tcp] [...192.168.0.17][33744] -> [.....18.201.4.3][..443] new: [....23] [ip4][..udp] [...192.168.0.17][38190] -> [.....18.201.4.3][.7985] detected: [....23] [ip4][..udp] [...192.168.0.17][38190] -> [.....18.201.4.3][.7985] [Viber][VoIP][Acceptable] 
@@ -89,12 +95,14 @@ detected: [....24] [ip4][..udp] [...192.168.0.17][38190] -> [.....18.201.4.3][.7987] [Viber][VoIP][Acceptable] update: [....15] [ip6][icmp6] [..............fe80::3207:4dff:fea3:5fa7] -> [................................ff02::2] [ICMPV6][Network][Acceptable] analyse: [....23] [ip4][..udp] [...192.168.0.17][38190] -> [.....18.201.4.3][.7985] [Viber][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.531| 0.262| 0.245] - [IAT(c->s)...: 0.000| 0.531| 0.226| 0.244][IAT(s->c)...: 0.000| 0.531| 0.311| 0.237] - [PKTLEN(c->s): 54.000| 299.000| 172.500| 120.100][PKTLEN(s->c): 76.000| 118.000| 101.800| 20.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.531| 0.262| 0.245|59968.385| 0.000] + [PKTLEN......: 54.000| 299.000| 143.800| 99.700| 9932.100| 4.700] [BINS(c->s)..: 10,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,5,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,1,0] + [IATS........: 2549,75,31700,2304,505528,505691,496908,2109,6670,496650,8720,505323,505404,490799,100,14960,490657,15090,513169,513225,531417,103,49,531356,217,492947,492967,448249,97,448143,58424,0] + [PKTLENS.....: 299,60,62,118,76,299,118,62,54,299,76,118,299,118,62,54,299,76,118,299,118,62,54,299,76,118,299,118,62,54,76,299] new: [....25] [ip4][..udp] [...192.168.0.17][50097] -> [...192.168.0.15][...53] detected: [....25] [ip4][..udp] [...192.168.0.17][50097] -> [...192.168.0.15][...53] [DNS.Google][Web][Acceptable] detection-update: [....25] [ip4][..udp] [...192.168.0.17][50097] -> [...192.168.0.15][...53] [DNS.Google][Web][Acceptable] diff --git a/test/results/flow-info/vnc.pcap.out b/test/results/flow-info/vnc.pcap.out index 773a5ef10..90b6ab529 100644 --- a/test/results/flow-info/vnc.pcap.out +++ b/test/results/flow-info/vnc.pcap.out 
@@ -5,22 +5,26 @@ detected: [.....1] [ip4][..tcp] [..95.237.48.208][59791] -> [..192.168.2.110][.6900] [VNC][RemoteAccess][Acceptable] RISK: Known Proto on Non Std Port, Desktop/File Sharing analyse: [.....1] [ip4][..tcp] [..95.237.48.208][59791] -> [..192.168.2.110][.6900] [VNC][RemoteAccess][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.545| 0.058| 0.113] - [IAT(c->s)...: 0.000| 0.545| 0.056| 0.133][IAT(s->c)...: 0.000| 0.310| 0.060| 0.088] - [PKTLEN(c->s): 60.000| 89.000| 73.600| 11.900][PKTLEN(s->c): 54.000| 88.000| 67.100| 12.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.545| 0.058| 0.113|12857.595| 0.000] + [PKTLEN......: 54.000| 89.000| 70.600| 12.800| 163.200| 5.000] [BINS(c->s)..: 12,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 13,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,1,1,1,1,0,0,0,1] + [IATS........: 524,38820,49897,50306,38760,37061,157832,7049,164493,745,37544,181,35,36356,3,37327,1189,1,198,747,2,747,516,199031,310273,46,50,545295,719,22308,59473,0] + [PKTLENS.....: 66,66,60,66,66,62,60,54,73,60,83,88,88,76,60,89,54,88,86,54,82,86,54,77,54,84,82,86,60,60,81,54] new: [.....2] [ip4][..tcp] [..95.237.48.208][51559] -> [..192.168.2.110][.6900] detected: [.....2] [ip4][..tcp] [..95.237.48.208][51559] -> [..192.168.2.110][.6900] [VNC][RemoteAccess][Acceptable] RISK: Known Proto on Non Std Port, Desktop/File Sharing analyse: [.....2] [ip4][..tcp] [..95.237.48.208][51559] -> [..192.168.2.110][.6900] [VNC][RemoteAccess][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.539| 0.054| 0.125] - [IAT(c->s)...: 0.000| 0.539| 0.053| 0.125][IAT(s->c)...: 0.000| 0.502| 0.054| 0.126] - [PKTLEN(c->s): 60.000| 89.000| 72.900| 12.000][PKTLEN(s->c): 54.000| 88.000| 68.100| 12.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 
0.000| 0.539| 0.054| 0.125|15641.482| 0.000] + [PKTLEN......: 54.000| 89.000| 70.800| 12.600| 158.000| 5.000] [BINS(c->s)..: 13,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,0,1,1,1,1,0,0,0] + [IATS........: 107,37501,48667,49552,38334,36850,46381,48516,45667,1708,45497,182,37420,547,413,36764,2984,39898,772,181,762,824,181,2,1005,501772,46,703,538844,2,97724,0] + [PKTLENS.....: 66,66,60,66,66,62,60,54,60,54,73,60,83,88,88,76,60,89,54,88,86,54,82,86,77,54,84,82,86,60,60,81] idle: [.....2] [ip4][..tcp] [..95.237.48.208][51559] -> [..192.168.2.110][.6900] [VNC][RemoteAccess][Acceptable] RISK: Known Proto on Non Std Port, Desktop/File Sharing end: [.....1] [ip4][..tcp] [..95.237.48.208][59791] -> [..192.168.2.110][.6900] [VNC][RemoteAccess][Acceptable] diff --git a/test/results/flow-info/vxlan.pcap.out b/test/results/flow-info/vxlan.pcap.out index 69f169477..184892c76 100644 --- a/test/results/flow-info/vxlan.pcap.out +++ b/test/results/flow-info/vxlan.pcap.out 
@@ -20,19 +20,23 @@ new: [.....9] [ip4][..udp] [...192.168.22.4][60230] -> [...192.168.22.5][.4789] detected: [.....9] [ip4][..udp] [...192.168.22.4][60230] -> [...192.168.22.5][.4789] [VXLAN][Network][Acceptable] analyse: [.....8] [ip4][..udp] [...192.168.22.5][36286] -> [...192.168.22.4][.4789] [VXLAN][Network][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.141| 0.010| 0.031] - [IAT(c->s)...: 0.000| 0.141| 0.010| 0.031][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 120.000|1500.000|1169.700| 546.600][PKTLEN(s->c): 0.000| 0.000| 0.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.141| 0.010| 0.031| 963.930| 0.000] + [PKTLEN......: 120.000| 1500.000| 1169.700| 546.600|298767.600| 4.800] [BINS(c->s)..: 0,0,5,0,0,0,0,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 10532,1402,105,10,11439,530,9521,113264,10571,140558,101,64,3057,190,558,175,1284,181,1316,3621,187,402,189,2282,184,313,186,833,189,694,184,0] + [PKTLENS.....: 128,120,1500,1500,588,120,289,120,572,120,1500,1500,874,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500] analyse: [.....7] [ip4][..udp] [...192.168.22.4][40646] -> [...192.168.22.5][.4789] [VXLAN][Network][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.151| 0.011| 0.030] - [IAT(c->s)...: 0.000| 0.151| 0.011| 0.030][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 120.000| 438.000| 143.100| 68.200][PKTLEN(s->c): 0.000| 0.000| 0.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.151| 0.011| 0.030| 901.957| 0.000] + [PKTLEN......: 120.000| 438.000| 143.100| 68.200| 4655.600| 4.900] [BINS(c->s)..: 
0,0,28,0,1,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 10329,305,11530,200,4,1301,10031,41817,81536,403,150839,3109,802,1504,1403,3811,602,2508,504,1003,903,802,707,803,710,2107,301,402,2307,401,201,0] + [PKTLENS.....: 128,120,438,120,120,120,184,285,120,120,303,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120] idle: [.....5] [ip4][..udp] [...192.168.22.4][60351] -> [...192.168.22.5][.4789] [VXLAN][Network][Acceptable] idle: [.....6] [ip4][..udp] [...192.168.22.5][50251] -> [...192.168.22.4][.4789] [VXLAN][Network][Acceptable] idle: [.....8] [ip4][..udp] [...192.168.22.5][36286] -> [...192.168.22.4][.4789] [VXLAN][Network][Acceptable] diff --git a/test/results/flow-info/wa_video.pcap.out b/test/results/flow-info/wa_video.pcap.out index 5814b5410..720dee6ac 100644 --- a/test/results/flow-info/wa_video.pcap.out +++ b/test/results/flow-info/wa_video.pcap.out 
@@ -17,21 +17,25 @@ new: [.....8] [ip4][..udp] [...192.168.2.12][51277] -> [239.255.255.250][.1900] detected: [.....8] [ip4][..udp] [...192.168.2.12][51277] -> [239.255.255.250][.1900] [SSDP][System][Acceptable] analyse: [.....2] [ip4][..tcp] [...192.168.2.12][49355] -> [..157.240.20.53][.5222] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 2.404| 0.182| 0.481] - [IAT(c->s)...: 0.000| 2.404| 0.166| 0.556][IAT(s->c)...: 0.000| 1.228| 0.205| 0.336] - [PKTLEN(c->s): 66.000| 614.000| 153.600| 130.800][PKTLEN(s->c): 66.000|1454.000| 470.700| 438.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 2.404| 0.182| 0.481|231053.525| 0.000] + [PKTLEN......: 66.000| 1454.000| 282.400| 335.200|112371.900| 4.300] [BINS(c->s)..: 11,0,0,0,5,2,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,1,1,4,0,0,1,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0] + [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,1,0,0,1,0,1,0,0,0,0,0,0,0,0] + [IATS........: 51726,176830,2,439642,1227815,753,306057,108901,2404473,241,10,252,9,41,323,133116,635,40681,277,7651,7949,1743,1602,528764,1087,660,696,654,2651,2561,0,0] + [PKTLENS.....: 614,66,1454,169,522,522,346,203,239,1454,66,66,78,66,66,66,78,242,242,66,66,242,66,418,66,228,226,220,220,220,220,220] guessed: [.....2] [ip4][..tcp] [...192.168.2.12][49355] -> [..157.240.20.53][.5222] [WhatsApp][Chat][Acceptable] detected: [.....2] [ip4][..tcp] [...192.168.2.12][49355] -> [..157.240.20.53][.5222] [WhatsApp][Chat][Acceptable] analyse: [.....3] [ip4][..udp] [...192.168.2.12][53688] -> [....31.13.86.48][.3478] [STUN.WhatsAppCall][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.550| 0.064| 0.136] - [IAT(c->s)...: 0.000| 0.548| 0.045| 0.117][IAT(s->c)...: 0.001| 0.550| 0.110| 0.163] - [PKTLEN(c->s): 48.000| 514.000| 394.300| 183.500][PKTLEN(s->c): 44.000| 514.000| 221.300| 207.400] + [min|max|avg|stddev|variance|entropy] + 
[IAT.........: 0.000| 0.550| 0.064| 0.136|18373.693| 0.000] + [PKTLEN......: 44.000| 514.000| 345.600| 205.800|42355.100| 4.700] [BINS(c->s)..: 3,0,0,4,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,4,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,1,1,0,1,1,0] + [IATS........: 95,13142,1109,548212,794,550126,16210,117,20333,106,23568,573,14505,979,116,79305,29641,99,23164,167,19951,342,24390,3500,104447,150456,15882,197610,75380,2499,68245,0] + [PKTLENS.....: 168,168,86,86,168,514,86,514,514,514,514,514,514,48,514,514,44,514,514,514,514,514,514,514,168,86,62,514,62,514,514,62] new: [.....9] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] detected: [.....9] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Network][Acceptable] new: [....10] [ip4][..udp] [...192.168.2.12][53688] -> [.....1.60.78.64][59491] 
@@ -41,12 +45,14 @@ detected: [....11] [ip4][..udp] [...192.168.2.12][53688] -> [...91.252.56.51][32641] [STUN.WhatsAppCall][VoIP][Acceptable] RISK: Known Proto on Non Std Port analyse: [....11] [ip4][..udp] [...192.168.2.12][53688] -> [...91.252.56.51][32641] [STUN.WhatsAppCall][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.979| 0.150| 0.383] - [IAT(c->s)...: 0.000| 0.707| 0.093| 0.208][IAT(s->c)...: 0.026| 1.979| 0.389| 0.713] - [PKTLEN(c->s): 86.000|1160.000| 628.200| 430.500][PKTLEN(s->c): 86.000| 224.000| 144.500| 48.300] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.979| 0.150| 0.383|146861.081| 0.000] + [PKTLEN......: 86.000| 1160.000| 537.500| 432.000|186635.800| 4.500] [BINS(c->s)..: 0,6,0,2,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,7,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,2,0,2,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,1,0,0,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1] + [IATS........: 707140,619781,619147,1979427,36290,69699,132037,26361,100137,1489,36501,24632,139,224,338,341,10692,26140,102372,15137,296,563,516,886,169,757,7597,915,148,631,131189,0] + [PKTLENS.....: 86,86,86,86,86,86,86,170,86,179,164,144,913,913,913,912,1160,208,157,212,1036,1036,1036,1036,1036,1034,164,934,934,934,1062,224] new: [....12] [ip4][..udp] [....192.168.2.1][17500] -> [..192.168.2.255][17500] detected: [....12] [ip4][..udp] [....192.168.2.1][17500] -> [..192.168.2.255][17500] [Dropbox][Cloud][Acceptable] new: [....13] [ip4][..udp] [...192.168.2.12][65025] -> [239.255.255.250][.1900] diff --git a/test/results/flow-info/wa_voice.pcap.out b/test/results/flow-info/wa_voice.pcap.out index 131c2735f..83f2274af 100644 --- a/test/results/flow-info/wa_voice.pcap.out +++ b/test/results/flow-info/wa_voice.pcap.out 
@@ -14,12 +14,14 @@ new: [.....5] [ip4][..tcp] [...192.168.2.12][49355] -> [..157.240.20.53][.5222] detected: [.....5] [ip4][..tcp] [...192.168.2.12][49355] -> [..157.240.20.53][.5222] [WhatsApp][Chat][Acceptable] analyse: [.....5] [ip4][..tcp] [...192.168.2.12][49355] -> [..157.240.20.53][.5222] [WhatsApp][Chat][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.304| 0.044| 0.076] - [IAT(c->s)...: 0.000| 0.210| 0.042| 0.071][IAT(s->c)...: 0.000| 0.304| 0.046| 0.082] - [PKTLEN(c->s): 66.000| 352.000| 112.400| 85.000][PKTLEN(s->c): 66.000|1454.000| 532.700| 603.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.304| 0.044| 0.076| 5836.115| 0.000] + [PKTLEN......: 66.000| 1454.000| 309.400| 467.500|218553.500| 3.900] [BINS(c->s)..: 11,3,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,3,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,1] + [IATS........: 40742,137033,170366,304081,130232,56,30959,5260,28,391,1,177,42,1186,210132,335,9,41,206,11,311,41447,129925,50,6,6,5,1043,24269,131853,38,0] + [PKTLENS.....: 78,74,66,322,66,123,117,151,1454,106,1454,169,1454,178,1454,66,66,66,66,66,66,66,1059,98,112,133,96,125,66,352,66,66] new: [.....6] [ip4][..udp] [...192.168.2.12][55296] -> [....192.168.2.1][...53] detected: [.....6] [ip4][..udp] [...192.168.2.12][55296] -> [....192.168.2.1][...53] [DNS.WhatsAppFiles][Download][Acceptable] detection-update: [.....6] [ip4][..udp] [...192.168.2.12][55296] -> [....192.168.2.1][...53] [DNS.WhatsAppFiles][Download][Acceptable] 
@@ -27,12 +29,14 @@ detected: [.....7] [ip4][..tcp] [...192.168.2.12][50503] -> [....31.13.86.51][..443] [TLS.WhatsAppFiles][Download][Acceptable] detection-update: [.....7] [ip4][..tcp] [...192.168.2.12][50503] -> [....31.13.86.51][..443] [TLS.WhatsAppFiles][Download][Acceptable] analyse: [.....7] [ip4][..tcp] [...192.168.2.12][50503] -> [....31.13.86.51][..443] [TLS.WhatsAppFiles][Download][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.163| 0.021| 0.048] - [IAT(c->s)...: 0.000| 0.145| 0.020| 0.045][IAT(s->c)...: 0.000| 0.163| 0.023| 0.051] - [PKTLEN(c->s): 66.000| 583.000| 145.000| 143.800][PKTLEN(s->c): 66.000|1454.000| 598.500| 615.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.163| 0.021| 0.048| 2262.349| 0.000] + [PKTLEN......: 66.000| 1454.000| 357.600| 489.700|239839.300| 4.000] [BINS(c->s)..: 10,3,1,0,0,0,0,0,1,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,1,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,1,0,1,1,0] + [IATS........: 19749,127653,2783,126251,2925,28,22,21046,163,145211,12,6,5,40,5,163286,2,38,250,1,16,17472,279,12,8,2386,284,150,389,567,0,0] + [PKTLENS.....: 78,74,66,583,66,1454,1454,349,66,66,130,112,109,101,402,325,66,237,140,97,66,114,498,66,66,66,66,1454,66,1454,1454,97] new: [.....8] [ip4][..udp] [....192.168.2.1][17500] -> [..192.168.2.255][17500] detected: [.....8] [ip4][..udp] [....192.168.2.1][17500] -> [..192.168.2.255][17500] [Dropbox][Cloud][Acceptable] new: [.....9] [ip4][..tcp] [...17.171.47.85][..443] -> [...192.168.2.12][50502] [MIDSTREAM] 
@@ -64,34 +68,40 @@ detected: [....21] [ip4][..tcp] [...192.168.2.12][50504] -> [..157.240.20.52][..443] [TLS.WhatsApp][Chat][Acceptable] detection-update: [....21] [ip4][..tcp] [...192.168.2.12][50504] -> [..157.240.20.52][..443] [TLS.WhatsApp][Chat][Acceptable] analyse: [....21] [ip4][..tcp] [...192.168.2.12][50504] -> [..157.240.20.52][..443] [TLS.WhatsApp][Chat][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.129| 0.020| 0.031] - [IAT(c->s)...: 0.000| 0.129| 0.020| 0.033][IAT(s->c)...: 0.000| 0.077| 0.019| 0.028] - [PKTLEN(c->s): 66.000| 583.000| 124.800| 127.300][PKTLEN(s->c): 66.000|1454.000| 652.100| 631.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.129| 0.020| 0.031| 949.768| 0.000] + [PKTLEN......: 66.000| 1454.000| 388.400| 526.300|277041.400| 4.000] [BINS(c->s)..: 10,3,1,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,1,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,1,0,1,1,0,1,1,1,1] + [IATS........: 37234,38970,11147,51469,985,103,11,42805,136,34645,3771,380,216,299,76165,5,34895,421,279,3605,27,2938,1342,3436,77447,53735,129132,1406,40,219,120,0] + [PKTLENS.....: 78,74,66,583,66,1454,1454,347,66,66,130,112,109,101,258,237,140,66,66,97,66,97,66,101,66,66,516,66,1454,1454,1454,1454] new: [....22] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] detected: [....22] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Network][Acceptable] new: [....23] [ip4][..udp] [...91.252.56.51][32704] -> [...192.168.2.12][56328] detected: [....23] [ip4][..udp] [...91.252.56.51][32704] -> [...192.168.2.12][56328] [STUN.WhatsAppCall][VoIP][Acceptable] RISK: Known Proto on Non Std Port analyse: [....14] [ip4][..udp] [...192.168.2.12][56328] -> [....31.13.86.48][.3478] [STUN.WhatsAppCall][VoIP][Acceptable] - [min|max|avg|stddev] - 
[IAT(flow)...: 0.000| 12.196| 1.588| 3.050] - [IAT(c->s)...: 0.000| 12.194| 2.237| 3.447][IAT(s->c)...: 0.000| 12.196| 1.231| 2.744] - [PKTLEN(c->s): 48.000| 168.000| 108.000| 60.000][PKTLEN(s->c): 44.000| 320.000| 133.600| 98.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 12.196| 1.588| 3.050|9304956.469| 0.000] + [PKTLEN......: 44.000| 320.000| 124.000| 87.200| 7598.900| 4.700] [BINS(c->s)..: 6,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,6,0,1,0,0,3,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,1,1,1,1,1,1,1,1,1,0,1,0,0,1] + [IATS........: 61,13448,128,12194152,12196243,104402,58,105108,1,108628,104619,3043264,3048902,3100925,3096031,3015294,3016553,2001940,2156,107078,164036,190107,88523,28769,198646,133957,3008088,90958,35571,314,36546,0] + [PKTLENS.....: 168,168,86,86,48,44,168,168,86,86,48,44,48,44,48,44,48,44,88,68,246,275,254,164,320,248,316,48,44,168,168,86] new: [....24] [ip4][..udp] [...192.168.2.12][56328] -> [.....1.60.78.64][64282] detected: [....24] [ip4][..udp] [...192.168.2.12][56328] -> [.....1.60.78.64][64282] [STUN.WhatsAppCall][VoIP][Acceptable] RISK: Known Proto on Non Std Port analyse: [....23] [ip4][..udp] [...91.252.56.51][32704] -> [...192.168.2.12][56328] [STUN.WhatsAppCall][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.204| 0.182| 0.229] - [IAT(c->s)...: 0.000| 0.624| 0.166| 0.171][IAT(s->c)...: 0.003| 1.204| 0.202| 0.283] - [PKTLEN(c->s): 68.000| 213.000| 146.100| 41.700][PKTLEN(s->c): 86.000| 315.000| 175.500| 58.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.204| 0.182| 0.229|52393.320| 0.000] + [PKTLEN......: 68.000| 315.000| 158.900| 51.700| 2672.500| 4.900] [BINS(c->s)..: 1,4,0,8,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 
0,2,0,4,6,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,1,1,0,0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1,0,0,0,1,0,0,1] + [IATS........: 578236,623635,1203723,72457,167216,11596,115693,158378,2,172820,173607,169808,156213,136586,155315,179817,99336,157427,38286,163380,181314,166574,142422,2967,25967,115313,6126,171847,106305,56249,143448,0] + [PKTLENS.....: 86,86,86,86,86,86,213,274,164,175,315,151,173,173,147,163,150,164,186,178,169,173,178,184,164,68,164,164,170,164,153,193] detection-update: [....12] [ip4][..udp] [...192.168.2.12][.5353] -> [....224.0.0.251][.5353] [MDNS][Network][Acceptable] detection-update: [....13] [ip6][..udp] [...............fe80::414:409d:8afd:9f05][.5353] -> [...............................ff02::fb][.5353] [MDNS][Network][Acceptable] new: [....25] [ip4][..tcp] [...192.168.2.12][49352] -> [169.254.162.244][49159] [MIDSTREAM] diff --git a/test/results/flow-info/waze.pcap.out b/test/results/flow-info/waze.pcap.out index 11ab22042..a307c289c 100644 --- a/test/results/flow-info/waze.pcap.out +++ b/test/results/flow-info/waze.pcap.out 
@@ -65,19 +65,23 @@ detected: [....17] [ip4][..tcp] [.......10.8.0.1][45554] -> [.54.230.227.172][...80] [HTTP.Waze][Web][Acceptable] detection-update: [....17] [ip4][..tcp] [.......10.8.0.1][45554] -> [.54.230.227.172][...80] [HTTP.Waze][Web][Acceptable] analyse: [.....3] [ip4][..tcp] [.......10.8.0.1][54915] -> [..65.39.128.135][...80] [HTTP][Download][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.002| 3.681| 0.340| 0.885] - [IAT(c->s)...: 0.002| 3.681| 0.351| 0.898][IAT(s->c)...: 0.003| 3.678| 0.329| 0.872] - [PKTLEN(c->s): 54.000| 317.000| 71.700| 63.500][PKTLEN(s->c): 54.000|11833.000|3861.800|3452.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.002| 3.681| 0.340| 0.885|782653.260| 0.000] + [PKTLEN......: 54.000|11833.000| 1966.700| 3090.500|9551439.000| 3.500] [BINS(c->s)..: 15,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,10] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 3747,3915,21835,22372,3677989,3680611,286073,284297,338879,393453,330278,329396,54620,2041,179324,179523,2610,51219,50746,3092,28507,76268,51141,51323,122745,73523,10248,59104,52582,58295,56477,0] + [PKTLENS.....: 74,54,54,317,54,1422,54,2790,54,5526,54,8262,54,2687,54,1422,54,1422,54,9630,54,2790,54,5526,54,5526,54,2790,54,11833,54,54] analyse: [.....5] [ip4][..tcp] [.......10.8.0.1][36100] -> [..46.51.173.182][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.659| 0.289| 0.505] - [IAT(c->s)...: 0.000| 1.659| 0.299| 0.522][IAT(s->c)...: 0.000| 1.602| 0.280| 0.489] - [PKTLEN(c->s): 54.000| 590.000| 256.600| 210.100][PKTLEN(s->c): 54.000|5515.000| 878.900|1729.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.659| 0.289| 0.505|255075.107| 0.000] + [PKTLEN......: 54.000| 5515.000| 567.800| 1270.800|1615041.000| 3.100] [BINS(c->s)..: 
5,2,0,0,3,1,0,0,0,0,1,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,0,1] + [IATS........: 1230,10859,357221,367097,474392,475318,8069,9038,265872,317654,51992,865,554,304,254,1430075,1483289,119461,172808,51439,51948,1420,901,467,433,340,381,1601922,1658841,169,57061,0] + [PKTLENS.....: 74,54,54,236,54,3201,54,380,54,288,203,54,590,54,115,54,5515,54,203,54,590,54,590,54,590,54,115,54,4411,54,203,54] detection-update: [.....5] [ip4][..tcp] [.......10.8.0.1][36100] -> [..46.51.173.182][..443] [TLS.Waze][Web][Acceptable] RISK: Obsolete TLS (v1.1 or older), Weak TLS Cipher detection-update: [....12] [ip4][..tcp] [.......10.8.0.1][51050] -> [.176.34.103.105][..443] [TLS.AmazonAWS][Cloud][Acceptable] 
@@ -124,28 +128,34 @@ new: [....29] [ip4][..tcp] [.......10.8.0.1][43089] -> [..200.160.4.198][..443] [MIDSTREAM] new: [....30] [ip4][..tcp] [.......10.8.0.1][60479] -> [...200.160.4.49][..443] [MIDSTREAM] analyse: [....18] [ip4][..tcp] [.......10.8.0.1][39021] -> [..52.17.114.219][..443] [TLS.Waze][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.416| 0.170| 0.135] - [IAT(c->s)...: 0.000| 0.387| 0.176| 0.137][IAT(s->c)...: 0.000| 0.416| 0.165| 0.133] - [PKTLEN(c->s): 54.000| 590.000| 119.200| 135.400][PKTLEN(s->c): 54.000|21942.000|3558.400|6124.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.416| 0.170| 0.135|18249.146| 0.000] + [PKTLEN......: 54.000|21942.000| 1838.800| 4660.800|21723254.000| 2.600] [BINS(c->s)..: 12,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,5] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,0,1,1] + [IATS........: 1325,1585,226918,227495,336533,387205,51299,1169,297221,297772,252519,309444,358705,415925,755,475,490,567,254342,305451,51846,52474,211304,161331,247956,249119,81326,79510,208662,209727,563,0] + [PKTLENS.....: 74,54,54,236,54,1422,54,2177,54,188,54,288,54,203,54,590,54,77,54,1422,54,12366,54,5526,54,21942,54,11359,54,54,54,54] analyse: [....19] [ip4][..tcp] [.......10.8.0.1][36312] -> [.176.34.186.180][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.449| 0.192| 0.280] - [IAT(c->s)...: 0.000| 1.449| 0.231| 0.359][IAT(s->c)...: 0.000| 0.476| 0.150| 0.143] - [PKTLEN(c->s): 54.000| 590.000| 128.000| 147.300][PKTLEN(s->c): 54.000|11186.000|2829.500|3901.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.449| 0.192| 0.280|78147.936| 0.000] + [PKTLEN......: 54.000|11186.000| 1394.300| 2994.000|8963944.000| 3.000] [BINS(c->s)..: 
12,1,0,0,1,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,0] + [IATS........: 2413,2787,291811,292494,279839,332432,52742,50748,425063,475681,259886,310653,731,51371,620,734,450,330,293909,545953,252820,1543,20204,21185,56923,56823,156171,205918,52727,4217,1449192,0] + [PKTLENS.....: 74,54,54,236,54,1066,54,2533,54,188,54,288,54,590,54,403,54,91,54,10174,54,8150,54,1066,54,11186,54,1066,54,6590,54,54] detection-update: [....19] [ip4][..tcp] [.......10.8.0.1][36312] -> [.176.34.186.180][..443] [TLS.Waze][Web][Acceptable] RISK: Obsolete TLS (v1.1 or older) analyse: [.....6] [ip4][..tcp] [.......10.8.0.1][36102] -> [..46.51.173.182][..443] [TLS.Waze][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 5.891| 1.026| 1.779] - [IAT(c->s)...: 0.001| 5.839| 1.061| 1.794][IAT(s->c)...: 0.000| 5.891| 0.994| 1.764] - [PKTLEN(c->s): 54.000| 555.000| 155.200| 147.900][PKTLEN(s->c): 54.000|3660.000| 576.900| 980.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 5.891| 1.026| 1.779|3164212.036| 0.000] + [PKTLEN......: 54.000| 3660.000| 366.100| 731.900|535720.000| 3.500] [BINS(c->s)..: 10,0,0,0,1,2,0,0,1,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,0,1] + [IATS........: 9060,9459,461199,462055,319157,370793,51463,554,58722,59273,267346,318521,5838678,5890947,1921,3057,232692,285896,1892628,1892382,50926,52168,293028,345106,632,413,1258587,1309974,5014758,5014527,51517,0] + [PKTLENS.....: 74,54,54,236,54,1066,54,2189,54,380,54,288,54,235,54,555,54,107,54,1066,54,3660,54,203,54,315,54,331,54,91,54,54] new: 
[....31] [ip4][..tcp] [.......10.8.0.1][36134] -> [..46.51.173.182][..443] detected: [....31] [ip4][..tcp] [.......10.8.0.1][36134] -> [..46.51.173.182][..443] [TLS.AmazonAWS][Cloud][Acceptable] RISK: Obsolete TLS (v1.1 or older) diff --git a/test/results/flow-info/webex.pcap.out b/test/results/flow-info/webex.pcap.out index c8755d68e..16ab0b366 100644 --- a/test/results/flow-info/webex.pcap.out +++ b/test/results/flow-info/webex.pcap.out 
@@ -7,12 +7,14 @@ detection-update: [.....1] [ip4][..tcp] [.......10.8.0.1][41346] -> [..64.68.105.103][..443] [TLS.Webex][VoIP][Acceptable] RISK: TLS (probably) Not Carrying HTTPS analyse: [.....1] [ip4][..tcp] [.......10.8.0.1][41346] -> [..64.68.105.103][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.557| 0.113| 0.156] - [IAT(c->s)...: 0.000| 0.557| 0.109| 0.168][IAT(s->c)...: 0.001| 0.506| 0.116| 0.142] - [PKTLEN(c->s): 54.000| 590.000| 227.800| 214.200][PKTLEN(s->c): 54.000|2774.000| 599.300| 783.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.557| 0.113| 0.156|24421.341| 0.000] + [PKTLEN......: 54.000| 2774.000| 401.900| 588.900|346810.600| 3.900] [BINS(c->s)..: 9,0,1,0,0,0,1,0,1,1,0,0,0,0,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0,0,0,1] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,0,1,0] + [IATS........: 6506,6734,160,592,505708,557327,57852,60147,905,55625,257454,309311,10052,61432,845,730,299224,351252,55954,56159,800,52876,398,2835,268644,322298,52259,51930,18450,69467,546,0] + [PKTLENS.....: 74,54,54,249,54,2774,54,1273,54,364,54,97,54,590,54,138,54,1414,54,823,54,590,54,328,54,1414,54,762,54,590,54,518] detection-update: [.....1] [ip4][..tcp] [.......10.8.0.1][41346] -> [..64.68.105.103][..443] [TLS.Webex][VoIP][Acceptable] RISK: TLS (probably) Not Carrying HTTPS new: [.....2] [ip4][..tcp] [.......10.8.0.1][41348] -> [..64.68.105.103][..443] 
@@ -31,12 +33,14 @@ detection-update: [.....4] [ip4][..tcp] [.......10.8.0.1][41351] -> [..64.68.105.103][..443] [TLS.Webex][VoIP][Acceptable] RISK: TLS (probably) Not Carrying HTTPS analyse: [.....2] [ip4][..tcp] [.......10.8.0.1][41348] -> [..64.68.105.103][..443] [TLS.Webex][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.455| 0.115| 0.126] - [IAT(c->s)...: 0.000| 0.455| 0.121| 0.134][IAT(s->c)...: 0.000| 0.405| 0.109| 0.117] - [PKTLEN(c->s): 54.000| 590.000| 197.100| 213.800][PKTLEN(s->c): 54.000|18020.000|2980.200|4843.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.455| 0.115| 0.126|15828.845| 0.000] + [PKTLEN......: 54.000|18020.000| 1588.700| 3700.100|13691056.000| 2.900] [BINS(c->s)..: 10,1,0,0,0,0,0,1,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,5] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0] + [IATS........: 5615,6788,156,1539,404661,455330,597,51300,245810,245870,436,307,223296,274841,51601,360,302,283113,286107,84087,131768,50921,51207,56841,56675,181041,181034,56067,58557,54529,58449,0] + [PKTLENS.....: 74,54,54,281,54,183,54,97,54,590,54,533,54,1658,590,54,503,54,6854,54,1414,54,9477,54,1414,54,1414,54,18020,54,6871,54] new: [.....5] [ip4][..tcp] [..10.133.206.47][54651] -> [..185.63.147.10][..443] [MIDSTREAM] new: [.....6] [ip4][..tcp] [..10.133.206.47][59447] -> [..107.20.242.44][..443] [MIDSTREAM] new: [.....7] [ip4][..tcp] [.......10.8.0.1][41354] -> [..64.68.105.103][..443] 
@@ -55,12 +59,14 @@ detection-update: [.....9] [ip4][..tcp] [.......10.8.0.1][41358] -> [..64.68.105.103][..443] [TLS.Webex][VoIP][Acceptable] RISK: Obsolete TLS (v1.1 or older), Weak TLS Cipher analyse: [.....9] [ip4][..tcp] [.......10.8.0.1][41358] -> [..64.68.105.103][..443] [TLS.Webex][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.031| 0.154| 0.247] - [IAT(c->s)...: 0.000| 1.031| 0.161| 0.259][IAT(s->c)...: 0.001| 0.980| 0.148| 0.235] - [PKTLEN(c->s): 54.000| 590.000| 115.200| 145.600][PKTLEN(s->c): 54.000|8901.000|2129.800|2912.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.031| 0.154| 0.247|61096.366| 0.000] + [PKTLEN......: 54.000| 8901.000| 1122.500| 2294.900|5266404.000| 3.200] [BINS(c->s)..: 12,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,4] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] + [IATS........: 3053,3185,1891,2192,397016,448096,52033,52145,383,52378,209850,261823,51847,1288,975,979869,1031495,52580,53500,94069,93832,53071,53864,119063,117547,148351,147839,51431,51376,96737,96627,0] + [PKTLENS.....: 74,54,54,117,54,1414,54,2633,54,380,54,113,590,54,88,54,1414,54,8171,54,1414,54,8901,54,187,54,1414,54,6731,54,1414,54] new: [....10] [ip4][..tcp] [.......10.8.0.1][41726] -> [.114.29.213.212][..443] new: [....11] [ip4][..tcp] [.......10.8.0.1][51646] -> [..114.29.204.49][..443] detected: [....10] [ip4][..tcp] [.......10.8.0.1][41726] -> [.114.29.213.212][..443] [TLS.Webex][VoIP][Acceptable] 
@@ -186,21 +192,25 @@ detected: [....39] [ip4][..tcp] [.......10.8.0.1][55665] -> [..173.243.0.110][..443] [TLS.Webex][VoIP][Acceptable] RISK: Obsolete TLS (v1.1 or older) analyse: [....37] [ip4][..tcp] [.......10.8.0.1][51155] -> [.62.109.224.120][..443] [TLS.Webex][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 2.215| 0.340| 0.548] - [IAT(c->s)...: 0.000| 2.165| 0.351| 0.548][IAT(s->c)...: 0.003| 2.215| 0.329| 0.547] - [PKTLEN(c->s): 54.000| 528.000| 109.200| 133.800][PKTLEN(s->c): 54.000|10581.000|1158.100|2602.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 2.215| 0.340| 0.548|300050.219| 0.000] + [PKTLEN......: 54.000|10581.000| 633.600| 1915.700|3669828.500| 2.600] [BINS(c->s)..: 13,1,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,1,1,1,0,1,1,1,0,0,1,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] + [IATS........: 14198,16626,142,3176,966820,968167,50625,52096,160025,217339,56893,151808,203416,506402,456173,506119,506174,257962,307348,51007,1799,210726,261737,55501,54303,51893,51311,2214636,2165090,3222,2890,0] + [PKTLENS.....: 74,54,54,117,54,3961,54,380,54,113,528,54,272,54,1024,54,10581,54,171,54,288,54,123,54,219,54,399,54,560,54,602,54] detection-update: [....39] [ip4][..tcp] [.......10.8.0.1][55665] -> [..173.243.0.110][..443] [TLS.Webex][VoIP][Acceptable] RISK: Obsolete TLS (v1.1 or older), Weak TLS Cipher analyse: [....36] [ip4][..tcp] [.......10.8.0.1][51154] -> [.62.109.224.120][..443] [TLS.Webex][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 2.270| 0.347| 0.598] - [IAT(c->s)...: 0.000| 2.270| 0.358| 0.605][IAT(s->c)...: 0.000| 2.270| 0.336| 0.591] - [PKTLEN(c->s): 54.000| 590.000| 347.300| 213.600][PKTLEN(s->c): 54.000|3961.000| 301.900| 944.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 2.270| 0.347| 
0.598|357673.959| 0.000] + [PKTLEN......: 54.000| 3961.000| 324.600| 685.400|469733.500| 3.600] [BINS(c->s)..: 3,1,1,1,0,0,1,0,0,0,3,0,0,0,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 14,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 9053,24144,367,16512,915259,917382,50710,52699,154574,206585,52440,7882,9392,3319,2120,963298,961965,473,411,393,309,561975,562100,368561,368512,670,601,2270083,2270107,1037,1021,0] + [PKTLENS.....: 74,54,54,117,54,3961,54,380,54,113,560,54,590,54,136,54,590,54,590,54,400,54,400,54,590,54,168,54,590,54,264,54] new: [....40] [ip4][..tcp] [.......10.8.0.1][51833] -> [.62.109.229.158][..443] detected: [....40] [ip4][..tcp] [.......10.8.0.1][51833] -> [.62.109.229.158][..443] [TLS.Webex][VoIP][Acceptable] RISK: Obsolete TLS (v1.1 or older) 
@@ -263,12 +273,14 @@ new: [....53] [ip4][..udp] [.......10.8.0.1][51772] -> [.62.109.229.158][.9000] new: [....54] [ip4][..tcp] [.......10.8.0.1][51859] -> [.62.109.229.158][..443] analyse: [....52] [ip4][..tcp] [.......10.8.0.1][51857] -> [.62.109.229.158][..443] [TLS.Webex][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.367| 0.190| 0.352] - [IAT(c->s)...: 0.000| 1.367| 0.163| 0.333][IAT(s->c)...: 0.001| 1.313| 0.216| 0.368] - [PKTLEN(c->s): 54.000| 432.000| 152.700| 113.700][PKTLEN(s->c): 54.000|3961.000| 343.400| 941.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.367| 0.190| 0.352|124124.103| 0.000] + [PKTLEN......: 54.000| 3961.000| 248.000| 677.200|458632.100| 3.200] [BINS(c->s)..: 7,0,2,3,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 10,2,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,0,1,0,1,0,1,0,1,1] + [IATS........: 4232,4962,6442,7614,1312624,1366658,17526,71444,145665,198977,339,53733,129549,180935,213,51454,121214,172258,51492,51164,125484,176177,50764,50844,546,1023,264310,263832,849,855,1006853,0] + [PKTLENS.....: 74,54,54,241,54,3961,54,380,54,113,54,128,54,91,54,432,54,123,54,543,54,144,54,208,54,176,54,176,54,160,54,123] new: [....55] [ip4][..tcp] [.......10.8.0.1][51190] -> [.62.109.224.120][..443] detected: [....55] [ip4][..tcp] [.......10.8.0.1][51190] -> [.62.109.224.120][..443] [TLS.Webex][VoIP][Acceptable] RISK: Obsolete TLS (v1.1 or older) diff --git a/test/results/flow-info/wechat.pcap.out b/test/results/flow-info/wechat.pcap.out index cd8aae425..a6c77316f 100644 --- a/test/results/flow-info/wechat.pcap.out +++ b/test/results/flow-info/wechat.pcap.out 
@@ -41,12 +41,14 @@ detection-update: [....17] [ip4][..tcp] [..192.168.1.103][54090] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] detected: [....18] [ip4][..tcp] [..192.168.1.103][54091] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] analyse: [....16] [ip4][..tcp] [..192.168.1.103][54089] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.411| 0.155| 0.181] - [IAT(c->s)...: 0.000| 0.411| 0.161| 0.184][IAT(s->c)...: 0.000| 0.393| 0.150| 0.177] - [PKTLEN(c->s): 66.000|1306.000| 361.300| 443.200][PKTLEN(s->c): 66.000|5892.000|1097.600|1399.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.411| 0.155| 0.181|32640.860| 0.000] + [PKTLEN......: 66.000| 5892.000| 729.500| 1101.200|1212669.500| 3.900] [BINS(c->s)..: 9,0,0,1,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,1,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,1] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,1,1,0,1,1,0,1,0] + [IATS........: 361610,361650,376,378130,3564,381307,56857,56856,287,287,2657,376606,375028,3327,373835,38287,2818,410564,21157,3298,393374,30885,401110,383706,785,383140,2859,2894,5754,1113,1113,0] + [PKTLENS.....: 74,74,66,304,66,1494,66,1494,66,326,66,192,117,1306,541,66,1494,233,66,1239,443,66,264,1154,1494,1494,66,1494,1494,66,5892,66] detection-update: [....18] [ip4][..tcp] [..192.168.1.103][54091] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] detection-update: [....18] [ip4][..tcp] [..192.168.1.103][54091] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] detected: [.....6] [ip4][..tcp] [..192.168.1.103][47627] -> [..216.58.205.78][..443] [TLS.Google][Web][Acceptable] 
@@ -71,26 +73,32 @@ detection-update: [....24] [ip4][..tcp] [..192.168.1.103][54096] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] new: [....25] [ip4][..tcp] [..192.168.1.103][40740] -> [203.205.151.211][..443] [MIDSTREAM] analyse: [....22] [ip4][..tcp] [..192.168.1.103][54094] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 4.544| 0.482| 1.044] - [IAT(c->s)...: 0.000| 4.140| 0.473| 0.962][IAT(s->c)...: 0.000| 4.544| 0.492| 1.136] - [PKTLEN(c->s): 66.000|1306.000| 523.500| 498.700][PKTLEN(s->c): 66.000|1754.000| 554.800| 621.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 4.544| 0.482| 1.044|1090167.570| 0.000] + [PKTLEN......: 66.000| 1754.000| 537.200| 556.000|309130.700| 4.200] [BINS(c->s)..: 7,0,0,1,0,0,0,1,0,0,0,1,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,3,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,1] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0] + [IATS........: 359228,359315,435,360585,1948,362066,491,468,3580,359717,357128,3318,369214,32832,2766,400529,15038,3260,381959,38044,403106,2395,369120,36996,438834,4139732,3287,4544256,34139,398836,1152600,0] + [PKTLENS.....: 74,74,66,304,66,1494,66,1754,66,192,117,1306,541,66,1494,235,66,1239,443,66,264,1306,541,66,1002,66,1306,541,66,1003,66,1234] analyse: [....23] [ip4][..tcp] [..192.168.1.103][54095] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 3.384| 0.466| 0.827] - [IAT(c->s)...: 0.000| 3.018| 0.483| 0.789][IAT(s->c)...: 0.000| 3.384| 0.446| 0.871] - [PKTLEN(c->s): 66.000|1306.000| 423.700| 471.100][PKTLEN(s->c): 66.000|8291.000|1192.600|2067.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 3.384| 0.466| 0.827|684250.497| 0.000] + [PKTLEN......: 66.000| 8291.000| 760.100| 1463.300|2141136.500| 3.600] [BINS(c->s)..: 
9,0,0,1,0,0,0,1,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,4,0,0,1] + [DIRECTIONS..: 0,1,0,0,1,0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,0,0,0,1,1,0,0,1,1,0,0,0] + [IATS........: 353750,353837,953113,1178147,225005,127739,4445,132165,453,438,626,638,1531,362180,361114,370977,4561,375090,3297,3310,3017858,3341,3383945,31235,408978,7414,382158,34643,434308,1925965,3353,0] + [PKTLENS.....: 74,74,66,304,74,66,66,1494,66,1494,66,326,66,192,117,1153,1494,1494,66,8291,66,1306,541,66,1377,1239,443,66,264,66,1306,541] analyse: [....13] [ip4][..tcp] [203.205.151.162][..443] -> [..192.168.1.103][54058] [TLS][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 11.774| 2.195| 3.338] - [IAT(c->s)...: 0.006| 11.415| 2.279| 3.297][IAT(s->c)...: 0.000| 11.774| 2.116| 3.373] - [PKTLEN(c->s): 66.000| 264.000| 165.000| 99.000][PKTLEN(s->c): 66.000|1254.000| 660.000| 594.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 11.774| 2.195| 3.338|11139408.724| 0.000] + [PKTLEN......: 66.000| 1254.000| 412.500| 492.500|242574.800| 4.100] [BINS(c->s)..: 8,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0] + [IATS........: 67,1713342,2033838,5903,326356,805535,1165376,11414547,11774429,393649,716591,9325022,9647966,1906296,2225757,6412,325847,425651,784494,2983400,3342263,487827,806732,9168,328050,421461,782117,1181667,1542348,420552,739953,0] + [PKTLENS.....: 264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66] update: [.....3] [ip6][..udp] [..............fe80::7a92:9cff:fe0f:a88e][.5353] -> [...............................ff02::fb][.5353] 
[MDNS][Network][Acceptable] update: [.....2] [ip4][..udp] [..192.168.1.103][.5353] -> [....224.0.0.251][.5353] [MDNS][Network][Acceptable] update: [.....4] [ip4][..udp] [..192.168.1.103][53734] -> [..192.168.1.254][...53] [DNS.Google][Web][Acceptable] 
@@ -108,26 +116,32 @@ detection-update: [....27] [ip4][..tcp] [..192.168.1.103][54098] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] detection-update: [....27] [ip4][..tcp] [..192.168.1.103][54098] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] analyse: [....26] [ip4][..tcp] [..192.168.1.103][54097] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.001| 6.862| 1.014| 1.948] - [IAT(c->s)...: 0.001| 6.494| 1.004| 1.882][IAT(s->c)...: 0.001| 6.862| 1.027| 2.035] - [PKTLEN(c->s): 66.000|1306.000| 523.800| 478.800][PKTLEN(s->c): 66.000|1754.000| 489.800| 582.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.001| 6.862| 1.014| 1.948|3793749.017| 0.000] + [PKTLEN......: 66.000| 1754.000| 510.000| 523.800|274414.800| 4.300] [BINS(c->s)..: 7,0,0,1,0,0,0,1,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,2,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0] + [IATS........: 362688,362730,698,359771,652,359747,1773,1754,3156,359980,358071,7205,373852,64622,431388,4503,369570,39986,442333,4042219,3253,4448907,74384,439211,6493521,3286,6862195,32133,397513,4719084,3239,0] + [PKTLENS.....: 74,74,66,304,66,1494,66,1754,66,192,117,1234,535,66,297,1306,541,66,1002,66,1234,525,66,297,66,1306,541,66,1003,66,1234,530] analyse: [....27] [ip4][..tcp] [..192.168.1.103][54098] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.001| 6.095| 1.335| 2.042] - [IAT(c->s)...: 0.001| 5.734| 1.139| 1.860][IAT(s->c)...: 0.001| 6.095| 1.605| 2.242] - [PKTLEN(c->s): 66.000|1306.000| 437.300| 466.100][PKTLEN(s->c): 66.000|1754.000| 472.800| 591.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.001| 6.095| 1.335| 2.042|4168801.845| 0.000] + [PKTLEN......: 66.000| 1754.000| 451.700| 521.000|271486.500| 4.100] 
[BINS(c->s)..: 9,0,0,1,0,0,0,1,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1] + [DIRECTIONS..: 0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0,1] + [IATS........: 346826,346918,899535,1092804,193235,160456,1799,162254,554,539,2941,351941,387151,4178860,3305,4577735,29191,386626,5733723,3651,6095000,83021,440653,5485473,3274,5845918,30151,387318,1889056,2742,2249980,0] + [PKTLENS.....: 74,74,66,304,74,66,66,1494,66,1754,66,192,117,66,1306,541,66,1003,66,1234,522,66,297,66,1306,541,66,1003,66,1234,527,66] analyse: [.....5] [ip4][..tcp] [..192.168.1.103][38657] -> [..172.217.22.14][..443] [TLS.Google][Web][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 45.056| 5.827| 15.097] - [IAT(c->s)...: 0.000| 45.056| 6.020| 15.309][IAT(s->c)...: 0.000| 45.053| 5.647| 14.893] - [PKTLEN(c->s): 66.000| 895.000| 146.700| 200.800][PKTLEN(s->c): 66.000|1484.000| 387.600| 535.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 45.056| 5.827| 15.097|227916113.773| 0.000] + [PKTLEN......: 66.000| 1484.000| 267.200| 422.200|178253.900| 3.900] [BINS(c->s)..: 10,3,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,3,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,0,0,1,1,1,0,0,1,1,1,0,1,0,0,1,1,0,1,0,1] + [IATS........: 48172,48219,208,52487,725,52995,2368,2380,502,490,4525,7884,13634,51249,2766,53,28029,293,26129,2791,10149,38903,378,801,249,45379,2766,45043937,45047542,45056034,45052882,0] + [PKTLENS.....: 74,74,66,288,66,1484,66,1484,66,1442,66,151,111,895,336,114,100,66,96,66,96,572,66,104,104,100,66,66,66,66,66,66] new: [....28] [ip4][....2] [..192.168.1.254] -> [......224.0.0.1] detected: [....28] [ip4][....2] [..192.168.1.254] -> [......224.0.0.1] 
[IGMP][Network][Acceptable] new: [....29] [ip4][....2] [..192.168.1.100] -> [.....224.0.0.22] 
@@ -162,30 +176,36 @@ detection-update: [....35] [ip4][..tcp] [..192.168.1.103][54103] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] new: [....36] [ip4][..tcp] [..192.168.1.103][54104] -> [203.205.151.162][..443] analyse: [....31] [ip4][..tcp] [..192.168.1.103][54099] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.469| 0.183| 0.190] - [IAT(c->s)...: 0.000| 0.469| 0.189| 0.196][IAT(s->c)...: 0.001| 0.407| 0.177| 0.184] - [PKTLEN(c->s): 66.000|1306.000| 458.200| 474.000][PKTLEN(s->c): 66.000|1754.000| 752.800| 693.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.469| 0.183| 0.190|36094.243| 0.000] + [PKTLEN......: 66.000| 1754.000| 605.500| 612.000|374517.100| 4.200] [BINS(c->s)..: 7,0,0,1,0,0,0,1,0,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,2,0,1,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,0,0,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,1] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,1,1,0,1,1,0,1,1,0] + [IATS........: 366115,366204,470,368626,765,368875,8160,8175,3097,367881,365600,3239,378746,92724,1992,469392,27762,1703,407097,30016,408635,3752,397818,10943,404654,396022,789,396156,518,1239,1756,0] + [PKTLENS.....: 74,74,66,304,66,1494,66,1754,66,192,117,1306,541,66,1494,344,66,1239,443,66,264,1239,443,66,264,1154,1494,1494,66,1494,1494,66] detected: [....36] [ip4][..tcp] [..192.168.1.103][54104] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] detection-update: [....36] [ip4][..tcp] [..192.168.1.103][54104] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] detection-update: [....36] [ip4][..tcp] [..192.168.1.103][54104] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] analyse: [....35] [ip4][..tcp] [..192.168.1.103][54103] -> [203.205.151.162][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.647| 0.130| 0.182] - [IAT(c->s)...: 0.000| 0.376| 0.144| 0.165][IAT(s->c)...: 0.000| 0.647| 0.119| 0.194] - 
[PKTLEN(c->s): 66.000|1154.000| 235.900| 365.800][PKTLEN(s->c): 66.000|3134.000|1357.200| 830.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.647| 0.130| 0.182|33080.510| 0.000] + [PKTLEN......: 66.000| 3134.000| 831.600| 861.600|742326.200| 4.200] [BINS(c->s)..: 11,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,2] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,1,0,1,0,1,0,0,1,1,0,1,1,0,1] + [IATS........: 360844,360859,1106,320164,2049,321124,836,835,489,485,2516,331784,329811,339551,757,339771,547,4542,5088,2482,2487,1143,1132,271360,646724,757,376133,549,914,1456,539,0] + [PKTLENS.....: 74,74,66,304,66,1494,66,1494,66,326,66,192,117,1154,1494,1494,66,1494,1494,66,2922,66,3134,66,1154,1494,1494,66,1494,1494,66,1494] detection-update: [....35] [ip4][..tcp] [..192.168.1.103][54103] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] analyse: [....33] [ip4][..tcp] [..192.168.1.103][54101] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.952| 0.213| 0.233] - [IAT(c->s)...: 0.000| 0.543| 0.206| 0.206][IAT(s->c)...: 0.001| 0.952| 0.220| 0.259] - [PKTLEN(c->s): 66.000|1306.000| 435.100| 469.000][PKTLEN(s->c): 66.000|1754.000| 695.800| 693.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.952| 0.213| 0.233|54375.543| 0.000] + [PKTLEN......: 66.000| 1754.000| 557.300| 599.100|358890.200| 4.200] [BINS(c->s)..: 8,0,0,1,0,0,0,1,0,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,2,0,1,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,0,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,1] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,1,0,0,0,1,1,0,0,1,0,1,0,1] + [IATS........: 
378875,378978,383,354036,2419,355982,2806,2818,1046,367448,367322,4404,365806,31144,394889,3196,367851,55930,2766,420112,17934,846,381296,34840,434328,543113,951677,371599,549,523,1340,0] + [PKTLENS.....: 74,74,66,304,66,1494,66,1754,66,192,117,1239,443,66,264,1306,541,66,1494,230,66,1239,443,66,264,66,1154,1494,66,1494,66,1494] guessed: [.....1] [ip4][..tcp] [203.205.151.162][..443] -> [..192.168.1.103][54084] [TLS][Web][Safe] end: [.....1] [ip4][..tcp] [203.205.151.162][..443] -> [..192.168.1.103][54084] guessed: [....15] [ip4][..tcp] [..192.168.1.103][54085] -> [203.205.151.162][..443] [TLS][Web][Safe] 
@@ -242,12 +262,14 @@ new: [....46] [ip4][..tcp] [..192.168.1.103][43851] -> [.203.205.158.34][..443] detected: [....45] [ip4][..tcp] [..192.168.1.103][43850] -> [.203.205.158.34][..443] [TLS.QQ][Chat][Fun] analyse: [....42] [ip4][..tcp] [..192.168.1.103][54113] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 6.615| 0.560| 1.552] - [IAT(c->s)...: 0.000| 6.259| 0.523| 1.490][IAT(s->c)...: 0.000| 6.615| 0.600| 1.615] - [PKTLEN(c->s): 66.000|1306.000| 443.200| 474.300][PKTLEN(s->c): 66.000|1494.000| 547.700| 614.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 6.615| 0.560| 1.552|2408711.979| 0.000] + [PKTLEN......: 66.000| 1494.000| 492.200| 547.100|299293.400| 4.200] [BINS(c->s)..: 8,0,0,1,0,0,0,1,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,2,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,0,1,1,0,0,1,1] + [IATS........: 315233,315308,441,318358,1918,319817,471,453,1116,1109,2559,316619,315146,4640,327259,29671,2699,353912,21653,4624,349989,32226,392645,18020,3295,380639,36894,359501,6259002,6615415,265584,0] + [PKTLENS.....: 74,74,66,304,66,1494,66,1494,66,326,66,192,117,1306,541,66,1494,126,66,1239,443,66,264,66,1306,541,66,1003,66,1127,66,1494] detection-update: [....45] [ip4][..tcp] [..192.168.1.103][43850] -> [.203.205.158.34][..443] [TLS.QQ][Chat][Fun] RISK: Weak TLS Cipher detection-update: [....45] [ip4][..tcp] [..192.168.1.103][43850] -> [.203.205.158.34][..443] [TLS.QQ][Chat][Fun] 
@@ -274,26 +296,32 @@ update: [....47] [ip4][..udp] [..192.168.1.103][60562] -> [..192.168.1.254][...53] [DNS.Google][Web][Acceptable] update: [....48] [ip4][..udp] [..192.168.1.103][35601] -> [..172.217.23.67][..443] [QUIC.Google][Web][Acceptable] analyse: [....50] [ip4][..tcp] [..192.168.1.103][54117] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 7.807| 0.648| 1.839] - [IAT(c->s)...: 0.000| 7.431| 0.592| 1.719][IAT(s->c)...: 0.000| 7.807| 0.716| 1.972] - [PKTLEN(c->s): 66.000|1306.000| 459.200| 470.600][PKTLEN(s->c): 66.000|1494.000| 459.600| 523.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 7.807| 0.648| 1.839|3381034.746| 0.000] + [PKTLEN......: 66.000| 1494.000| 459.300| 494.600|244586.200| 4.200] [BINS(c->s)..: 8,0,0,1,0,0,0,1,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0] + [IATS........: 325248,325323,463,328002,697,328217,391,370,3942,3944,2661,325903,324620,3183,337595,77061,411866,3780,340251,28032,402656,7430680,3764,7806976,79928,412549,2872,372,340125,30342,405762,0] + [PKTLENS.....: 74,74,66,304,66,1494,66,1494,66,326,66,192,117,1234,538,66,297,1306,541,66,1002,66,1234,533,66,297,66,1306,541,66,1003,66] analyse: [.....2] [ip4][..udp] [..192.168.1.103][.5353] -> [....224.0.0.251][.5353] [MDNS][Network][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 183.801| 12.094| 33.303] - [IAT(c->s)...: 0.000| 183.801| 12.094| 33.303][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 82.000| 82.000| 82.000| 0.000][PKTLEN(s->c): 0.000| 0.000| 0.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 183.801| 12.094| 33.303|1109122757.951| 0.000] + [PKTLEN......: 82.000| 82.000| 82.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 
0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 304,1000351,2000370,14687423,324,1000207,2000433,21831590,431,1000458,2000811,26318928,434,1000298,2000470,41917186,377,1000169,2000682,183800554,363,1000944,2000954,33299722,386,1000653,2000531,29036990,312,1000238,2000730,0] + [PKTLENS.....: 82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82] analyse: [.....3] [ip6][..udp] [..............fe80::7a92:9cff:fe0f:a88e][.5353] -> [...............................ff02::fb][.5353] [MDNS][Network][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 183.800| 12.094| 33.303] - [IAT(c->s)...: 0.000| 183.800| 12.094| 33.303][IAT(s->c)...: 0.000| 0.000| 0.000| 0.000] - [PKTLEN(c->s): 102.000| 102.000| 102.000| 0.000][PKTLEN(s->c): 0.000| 0.000| 0.000| 0.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 183.800| 12.094| 33.303|1109120811.794| 0.000] + [PKTLEN......: 102.000| 102.000| 102.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 285,1000432,2000369,14687365,298,1000306,2000399,21831547,409,1000568,2000773,26318883,413,1000363,2000495,41917120,347,1000193,2000827,183800433,319,1000975,2001003,33299664,360,1000743,2000515,29036936,291,1000323,2000677,0] + [PKTLENS.....: 102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102] new: [....52] [ip4][..tcp] [..192.168.1.103][54119] -> 
[203.205.151.162][..443] new: [....53] [ip4][..tcp] [..192.168.1.103][54120] -> [203.205.151.162][..443] detected: [....52] [ip4][..tcp] [..192.168.1.103][54119] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] @@ -307,12 +335,14 @@ RISK: Unsafe Protocol update: [.....2] [ip4][..udp] [..192.168.1.103][.5353] -> [....224.0.0.251][.5353] [MDNS][Network][Acceptable] analyse: [....52] [ip4][..tcp] [..192.168.1.103][54119] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 7.133| 0.619| 1.664] - [IAT(c->s)...: 0.000| 6.696| 0.600| 1.587][IAT(s->c)...: 0.000| 7.133| 0.640| 1.743] - [PKTLEN(c->s): 66.000|1306.000| 443.200| 474.300][PKTLEN(s->c): 66.000|1494.000| 547.700| 614.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 7.133| 0.619| 1.664|2769657.004| 0.000] + [PKTLEN......: 66.000| 1494.000| 492.200| 547.100|299307.700| 4.200] [BINS(c->s)..: 8,0,0,1,0,0,0,1,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,2,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,1,1,0,0,1,1,0] + [IATS........: 356187,356245,409,353317,672,353556,677,668,333,334,2390,365567,364474,5597,381303,26713,2760,403898,13549,5018,378842,57192,418881,4165,370546,28172,433154,6695589,7132743,143519,540660,0] + [PKTLENS.....: 74,74,66,304,66,1494,66,1494,66,326,66,192,117,1306,541,66,1494,126,66,1239,443,66,263,1306,541,66,1003,66,1127,66,1494,66] guessed: [....37] [ip4][..tcp] [..192.168.1.103][54109] -> [203.205.151.162][..443] [TLS][Web][Safe] end: [....37] [ip4][..tcp] [..192.168.1.103][54109] -> [203.205.151.162][..443] guessed: [....38] [ip4][..tcp] [..192.168.1.103][54110] -> [203.205.151.162][..443] [TLS][Web][Safe] 
@@ -337,12 +367,14 @@ detection-update: [....57] [ip4][..tcp] [..192.168.1.103][58038] -> [203.205.147.171][..443] [TLS.WeChat][Chat][Fun] detection-update: [....57] [ip4][..tcp] [..192.168.1.103][58038] -> [203.205.147.171][..443] [TLS.WeChat][Chat][Fun] analyse: [....57] [ip4][..tcp] [..192.168.1.103][58038] -> [203.205.147.171][..443] [TLS.WeChat][Chat][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 2.509| 0.286| 0.565] - [IAT(c->s)...: 0.000| 2.228| 0.247| 0.501][IAT(s->c)...: 0.001| 2.509| 0.340| 0.640] - [PKTLEN(c->s): 66.000|1306.000| 519.500| 486.100][PKTLEN(s->c): 66.000|1754.000| 599.200| 653.200] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 2.509| 0.286| 0.565|319614.583| 0.000] + [PKTLEN......: 66.000| 1754.000| 551.900| 561.400|315202.600| 4.200] [BINS(c->s)..: 7,0,0,1,0,0,0,1,0,0,0,2,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,3,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,1] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0] + [IATS........: 266637,266706,433,272250,1305,273110,594,572,2940,271769,269630,3217,281421,29714,327642,3217,299639,37418,350851,50937,3180,368575,30208,307140,2227616,3191,2508511,50935,328714,16106,3139,0] + [PKTLENS.....: 74,74,66,304,66,1494,66,1754,66,192,117,1306,541,66,1371,1239,443,66,264,66,1306,541,66,1004,66,1306,541,66,1381,66,1239,443] guessed: [....41] [ip4][..tcp] [..192.168.1.103][54106] -> [203.205.151.162][..443] [TLS][Web][Safe] end: [....41] [ip4][..tcp] [..192.168.1.103][54106] -> [203.205.151.162][..443] update: [.....3] [ip6][..udp] [..............fe80::7a92:9cff:fe0f:a88e][.5353] -> [...............................ff02::fb][.5353] [MDNS][Network][Acceptable] 
@@ -412,12 +444,14 @@ detection-update: [....72] [ip4][..tcp] [..192.168.1.103][58040] -> [203.205.147.171][..443] [TLS.WeChat][Chat][Fun] detection-update: [....72] [ip4][..tcp] [..192.168.1.103][58040] -> [203.205.147.171][..443] [TLS.WeChat][Chat][Fun] analyse: [....72] [ip4][..tcp] [..192.168.1.103][58040] -> [203.205.147.171][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.577| 0.182| 0.352] - [IAT(c->s)...: 0.000| 1.256| 0.148| 0.294][IAT(s->c)...: 0.000| 1.577| 0.234| 0.422] - [PKTLEN(c->s): 66.000|1494.000| 681.000| 612.600][PKTLEN(s->c): 66.000|1494.000| 357.400| 515.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.577| 0.182| 0.352|123851.137| 0.000] + [PKTLEN......: 66.000| 1494.000| 559.600| 599.000|358844.300| 4.200] [BINS(c->s)..: 7,0,0,1,0,0,0,1,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,1,0,0,0,0,0,5,0,0,0] [BINS(s->c)..: 6,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,0,0,0,0,0,1,1,1,1,0,0,0,1,1,0,0,0] + [IATS........: 268280,268366,474,270444,798,270739,392,385,993,969,2788,273097,271415,164,26,13,12,11,1155,289376,22800,22424,9724,380702,1255603,4960,1577028,73342,350958,5989,3258,0] + [PKTLENS.....: 74,74,66,304,66,1494,66,1494,66,326,66,192,117,1246,1494,1494,1494,1494,1494,329,66,66,66,157,66,1234,527,66,297,66,1306,541] detection-update: [....72] [ip4][..tcp] [..192.168.1.103][58040] -> [203.205.147.171][..443] [TLS.WeChat][Chat][Fun] detected: [....73] [ip4][..tcp] [..192.168.1.103][58041] -> [203.205.147.171][..443] [TLS.WeChat][Chat][Fun] detection-update: [....73] [ip4][..tcp] [..192.168.1.103][58041] -> [203.205.147.171][..443] [TLS.WeChat][Chat][Fun] diff --git a/test/results/flow-info/weibo.pcap.out b/test/results/flow-info/weibo.pcap.out index 4ddbf10fc..e7c6da89d 100644 --- a/test/results/flow-info/weibo.pcap.out +++ b/test/results/flow-info/weibo.pcap.out 
@@ -23,12 +23,14 @@ new: [....14] [ip4][..tcp] [..192.168.1.105][34699] -> [..216.58.212.65][..443] [MIDSTREAM] detection-update: [....11] [ip4][..tcp] [..192.168.1.105][51698] -> [.93.188.134.137][...80] [HTTP.Sina(Weibo)][SocialNetwork][Fun] analyse: [....11] [ip4][..tcp] [..192.168.1.105][51698] -> [.93.188.134.137][...80] [HTTP.Sina(Weibo)][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.482| 0.042| 0.114] - [IAT(c->s)...: 0.000| 0.482| 0.041| 0.119][IAT(s->c)...: 0.000| 0.454| 0.042| 0.108] - [PKTLEN(c->s): 66.000| 516.000| 103.600| 106.700][PKTLEN(s->c): 66.000|2938.000| 820.600| 832.600] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.482| 0.042| 0.114|12948.299| 0.000] + [PKTLEN......: 66.000| 2938.000| 462.100| 693.400|480801.900| 3.800] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,1] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 29171,29227,299,28208,454492,482409,111,67,13207,13244,85,48,39,29,8363,8394,90,62,24,21,24,24,26,28,15403,15440,68319,68302,68,48,54797,0] + [PKTLENS.....: 74,74,66,516,66,71,78,1502,78,1502,78,68,86,1078,78,72,78,2938,78,294,86,68,86,1502,78,819,66,72,66,1502,66,1502] new: [....15] [ip4][..udp] [..192.168.1.105][53543] -> [....192.168.1.1][...53] detected: [....15] [ip4][..udp] [..192.168.1.105][53543] -> [....192.168.1.1][...53] [DNS.Sina(Weibo)][SocialNetwork][Fun] detection-update: [....15] [ip4][..udp] [..192.168.1.105][53543] -> [....192.168.1.1][...53] [DNS.Sina(Weibo)][SocialNetwork][Fun] 
@@ -42,19 +44,23 @@ new: [....19] [ip4][..udp] [..192.168.1.105][41352] -> [....192.168.1.1][...53] detected: [....19] [ip4][..udp] [..192.168.1.105][41352] -> [....192.168.1.1][...53] [DNS.Sina(Weibo)][SocialNetwork][Fun] analyse: [....17] [ip4][..tcp] [..192.168.1.105][35804] -> [.93.188.134.246][...80] [HTTP.Sina(Weibo)][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.314| 0.038| 0.072] - [IAT(c->s)...: 0.000| 0.314| 0.039| 0.076][IAT(s->c)...: 0.000| 0.283| 0.037| 0.067] - [PKTLEN(c->s): 66.000| 498.000| 98.800| 103.200][PKTLEN(s->c): 66.000|2938.000|1322.700| 789.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.314| 0.038| 0.072| 5116.345| 0.000] + [PKTLEN......: 66.000| 2938.000| 710.700| 831.300|691142.800| 4.100] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,2] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 26765,26778,207,31365,283150,314329,2585,2590,16662,16689,12849,12816,59,38,45726,45760,5061,5035,70980,70980,5479,5518,32285,32296,43007,42980,3236,3222,2548,2543,2807,0] + [PKTLENS.....: 74,74,66,498,66,580,66,1502,66,2938,66,1502,66,1078,78,1502,66,893,66,580,78,2938,78,1502,78,1502,78,1502,78,1502,78,1502] analyse: [....16] [ip4][..tcp] [..192.168.1.105][35803] -> [.93.188.134.246][...80] [HTTP.Sina(Weibo)][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.401| 0.041| 0.093] - [IAT(c->s)...: 0.000| 0.401| 0.042| 0.098][IAT(s->c)...: 0.003| 0.372| 0.040| 0.088] - [PKTLEN(c->s): 66.000| 486.000| 96.500| 100.700][PKTLEN(s->c): 66.000|4374.000|1599.100|1251.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.401| 0.041| 0.093| 8612.838| 0.000] + [PKTLEN......: 66.000| 4374.000| 847.800| 1162.900|1352437.000| 3.900] [BINS(c->s)..: 
15,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,3] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 26749,26781,151,28232,372448,400547,6653,6652,6583,6577,15474,15480,6563,6553,9179,9174,23391,23365,49260,49303,71669,71670,3337,3323,2937,2940,2804,2796,5515,5515,3734,0] + [PKTLENS.....: 74,74,66,486,66,581,66,1502,66,4374,66,1502,66,4374,66,2938,66,581,78,581,78,1502,66,1502,66,1502,78,1502,78,1502,78,1502] new: [....20] [ip4][..udp] [..192.168.1.105][18035] -> [....192.168.1.1][...53] detected: [....20] [ip4][..udp] [..192.168.1.105][18035] -> [....192.168.1.1][...53] [DNS.Sina(Weibo)][SocialNetwork][Fun] new: [....21] [ip4][..udp] [..192.168.1.105][50640] -> [....192.168.1.1][...53] 
@@ -103,26 +109,32 @@ new: [....43] [ip4][..tcp] [..192.168.1.105][52274] -> [..42.156.184.19][..443] new: [....44] [ip4][..tcp] [..192.168.1.105][47723] -> [.140.205.170.63][..443] analyse: [....18] [ip4][..tcp] [..192.168.1.105][35805] -> [.93.188.134.246][...80] [HTTP.Sina(Weibo)][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.439| 0.087| 0.119] - [IAT(c->s)...: 0.000| 0.376| 0.090| 0.116][IAT(s->c)...: 0.003| 0.439| 0.084| 0.122] - [PKTLEN(c->s): 66.000| 525.000| 123.800| 142.700][PKTLEN(s->c): 66.000|1502.000| 932.100| 568.100] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.439| 0.087| 0.119|14239.990| 0.000] + [PKTLEN......: 66.000| 1502.000| 528.000| 578.700|334896.400| 4.200] [BINS(c->s)..: 14,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 26772,26783,259,31384,276129,307295,6901,6886,153887,153903,2935,2946,375915,438815,4367,67220,2924,2959,31457,31439,138473,138467,6109,6114,4495,4505,193484,193526,28775,28708,2661,0] + [PKTLENS.....: 74,74,66,476,66,577,66,1026,66,577,78,1026,78,525,66,494,66,1502,66,494,78,1502,66,1502,66,1502,66,1502,78,1502,66,1502] analyse: [....26] [ip4][..tcp] [..192.168.1.105][35807] -> [.93.188.134.246][...80] [HTTP.Sina(Weibo)][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.184| 0.031| 0.055] - [IAT(c->s)...: 0.000| 0.184| 0.032| 0.057][IAT(s->c)...: 0.002| 0.162| 0.030| 0.052] - [PKTLEN(c->s): 66.000| 550.000| 97.500| 116.900][PKTLEN(s->c): 66.000|1502.000|1196.900| 539.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.184| 0.031| 0.055| 2983.622| 0.000] + [PKTLEN......: 66.000| 1502.000| 647.200| 674.000|454231.700| 4.100] [BINS(c->s)..: 
15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 62151,62179,142,161101,22711,183686,5733,5740,2565,2546,10538,10551,5220,5299,3225,3182,2451,2404,5526,5539,2866,2854,2576,2563,4789,4821,162100,162064,26294,26318,3143,0] + [PKTLENS.....: 74,74,66,550,66,493,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,493,78,1502,66,1502] analyse: [....28] [ip4][..tcp] [..192.168.1.105][35809] -> [.93.188.134.246][...80] [HTTP.Sina(Weibo)][SocialNetwork][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.252| 0.036| 0.056] - [IAT(c->s)...: 0.000| 0.252| 0.037| 0.063][IAT(s->c)...: 0.003| 0.181| 0.035| 0.047] - [PKTLEN(c->s): 66.000| 539.000| 96.800| 114.200][PKTLEN(s->c): 66.000|1502.000|1198.600| 536.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.252| 0.036| 0.056| 3089.619| 0.000] + [PKTLEN......: 66.000| 1502.000| 647.700| 673.800|454044.400| 4.100] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 50173,50197,137,181460,70884,252228,2685,2690,2552,2523,4210,4257,31840,31804,8134,8135,11411,11401,8727,8746,2645,2641,7148,7148,13606,13617,66334,66313,92394,92405,2753,0] + [PKTLENS.....: 74,74,66,539,66,507,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,507,78,1502,66,1502] idle: [....30] [ip4][..tcp] [..192.168.1.105][42275] -> [...222.73.28.96][...80] guessed: [....37] [ip4][..tcp] [..192.168.1.105][42280] -> [...222.73.28.96][...80] 
[HTTP][Web][Acceptable] idle: [....37] [ip4][..tcp] [..192.168.1.105][42280] -> [...222.73.28.96][...80] diff --git a/test/results/flow-info/whatsapp_login_call.pcap.out b/test/results/flow-info/whatsapp_login_call.pcap.out index 1c1e3a89b..db5110440 100644 --- a/test/results/flow-info/whatsapp_login_call.pcap.out +++ b/test/results/flow-info/whatsapp_login_call.pcap.out 
@@ -30,33 +30,39 @@ detected: [....16] [ip4][..tcp] [....192.168.2.4][49193] -> [..17.110.229.14][.5223] [ApplePush][Cloud][Acceptable] detected: [....14] [ip4][..tcp] [....192.168.2.4][49202] -> [.184.173.179.37][.5222] [WhatsApp][Chat][Acceptable] analyse: [....13] [ip4][..tcp] [....192.168.2.4][49201] -> [..17.178.104.12][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.712| 0.120| 0.179] - [IAT(c->s)...: 0.000| 0.405| 0.100| 0.151][IAT(s->c)...: 0.000| 0.712| 0.144| 0.206] - [PKTLEN(c->s): 54.000|1494.000| 415.700| 580.900][PKTLEN(s->c): 54.000|1494.000| 487.000| 610.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.712| 0.120| 0.179|32210.293| 0.000] + [PKTLEN......: 54.000| 1494.000| 446.900| 595.100|354099.200| 3.900] [BINS(c->s)..: 9,1,0,2,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] [BINS(s->c)..: 8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,3,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1] + [IATS........: 281831,283163,8705,294373,1121,35,286034,828,475,587,39758,240,307,326381,1436,373,2981,289942,5828,471,9,317531,1875,68938,587,382640,405162,707,17,712466,1952,0] + [PKTLENS.....: 78,66,54,244,1494,1494,585,54,54,54,54,321,60,91,54,54,54,97,54,1494,1494,167,54,54,1494,1210,54,1494,1494,167,54,54] detection-update: [....13] [ip4][..tcp] [....192.168.2.4][49201] -> [..17.178.104.12][..443] [TLS.Apple][Web][Safe] RISK: TLS (probably) Not Carrying HTTPS new: [....17] [ip4][..tcp] [....192.168.2.4][49204] -> [..17.173.66.102][..443] analyse: [....14] [ip4][..tcp] [....192.168.2.4][49202] -> [.184.173.179.37][.5222] [WhatsApp][Chat][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.709| 0.199| 0.171] - [IAT(c->s)...: 0.000| 0.708| 0.188| 0.160][IAT(s->c)...: 0.000| 0.709| 0.212| 0.182] - [PKTLEN(c->s): 66.000| 267.000| 134.900| 77.700][PKTLEN(s->c): 66.000| 144.000| 96.200| 16.200] + 
[min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.709| 0.199| 0.171|29317.118| 0.000] + [PKTLEN......: 66.000| 267.000| 116.800| 60.800| 3698.600| 4.800] [BINS(c->s)..: 9,0,2,0,2,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,10,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,1,0,0,0,1,0,1,0,0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,1,0] + [IATS........: 153871,242175,244771,708056,709350,35643,213202,306,145666,324955,262756,250323,148242,98446,249378,163432,164508,351063,174021,177975,4,178327,331,171720,16,302683,276,301856,4,204047,0,0] + [PKTLENS.....: 78,74,66,66,232,144,87,66,66,267,98,85,87,66,241,98,66,132,98,198,98,98,200,66,99,99,266,66,99,99,99,132] detected: [....17] [ip4][..tcp] [....192.168.2.4][49204] -> [..17.173.66.102][..443] [TLS.AppleStore][SoftwareUpdate][Safe] RISK: TLS (probably) Not Carrying HTTPS detection-update: [....17] [ip4][..tcp] [....192.168.2.4][49204] -> [..17.173.66.102][..443] [TLS.AppleStore][SoftwareUpdate][Safe] RISK: TLS (probably) Not Carrying HTTPS analyse: [....17] [ip4][..tcp] [....192.168.2.4][49204] -> [..17.173.66.102][..443] [TLS.AppleStore][SoftwareUpdate][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.246| 0.057| 0.089] - [IAT(c->s)...: 0.000| 0.241| 0.058| 0.090][IAT(s->c)...: 0.000| 0.246| 0.057| 0.088] - [PKTLEN(c->s): 54.000|1494.000| 362.800| 464.100][PKTLEN(s->c): 54.000|1002.000| 235.900| 321.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.246| 0.057| 0.089| 7910.915| 0.000] + [PKTLEN......: 54.000| 1494.000| 303.300| 408.500|166890.900| 4.000] [BINS(c->s)..: 9,1,0,0,0,0,0,1,0,0,0,0,0,0,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] [BINS(s->c)..: 9,1,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1,0,0] 
+ [IATS........: 139279,206534,8183,215650,62,2706,195534,776,251,20,1876,267,2144,191589,2382,13135,3735,6431,14684,18,200945,301,63298,290,2226,246332,5270,14887,15,241033,179,0] + [PKTLENS.....: 78,66,54,281,54,146,91,54,54,60,91,1494,531,610,54,54,54,54,54,1002,400,54,54,1494,540,610,54,54,1002,400,54,54] new: [....18] [ip4][..tcp] [....192.168.2.4][49192] -> [...93.186.135.8][...80] [MIDSTREAM] new: [....19] [ip4][..tcp] [....192.168.2.4][49191] -> [..17.172.100.49][..443] [MIDSTREAM] new: [....20] [ip4][..tcp] [....192.168.2.4][49182] -> [..17.172.100.52][..443] [MIDSTREAM] 
@@ -94,12 +100,14 @@ detected: [....39] [ip4][..udp] [....192.168.2.4][51518] -> [..91.253.176.65][.9344] [STUN.WhatsAppCall][VoIP][Acceptable] RISK: Known Proto on Non Std Port analyse: [....39] [ip4][..udp] [....192.168.2.4][51518] -> [..91.253.176.65][.9344] [STUN.WhatsAppCall][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.352| 0.131| 0.070] - [IAT(c->s)...: 0.000| 0.189| 0.127| 0.056][IAT(s->c)...: 0.000| 0.352| 0.136| 0.083] - [PKTLEN(c->s): 68.000| 351.000| 246.200| 97.700][PKTLEN(s->c): 64.000| 331.000| 175.400| 85.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.352| 0.131| 0.070| 4931.355| 0.000] + [PKTLEN......: 64.000| 351.000| 213.000| 98.800| 9763.600| 4.800] [BINS(c->s)..: 1,2,1,1,0,1,1,1,7,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,2,3,1,1,1,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,1,0,1,0,0,1,1,0,1,0,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS........: 85532,95222,66134,60379,102693,208383,184141,159624,139073,188537,352421,23426,152856,55080,31139,91630,61,141160,44,163250,159227,188593,161930,163639,162107,156758,164890,143228,181638,163297,123877,0] + [PKTLENS.....: 86,86,342,86,86,315,225,311,248,315,220,148,64,249,199,148,137,68,260,68,274,134,351,117,315,117,319,243,320,331,329,305] new: [....40] [ip4][.icmp] [....192.168.2.4] -> [..91.253.176.65] detected: [....40] [ip4][.icmp] [....192.168.2.4] -> [..91.253.176.65] [ICMP][Network][Acceptable] new: [....41] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] 
@@ -151,12 +159,14 @@ detected: [....55] [ip4][..udp] [....192.168.2.4][52794] -> [..91.253.176.65][.9665] [STUN.WhatsAppCall][VoIP][Acceptable] RISK: Known Proto on Non Std Port analyse: [....55] [ip4][..udp] [....192.168.2.4][52794] -> [..91.253.176.65][.9665] [STUN.WhatsAppCall][VoIP][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.307| 0.114| 0.086] - [IAT(c->s)...: 0.000| 0.307| 0.121| 0.090][IAT(s->c)...: 0.000| 0.304| 0.107| 0.082] - [PKTLEN(c->s): 68.000| 320.000| 160.000| 63.000][PKTLEN(s->c): 68.000| 242.000| 149.900| 53.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.307| 0.114| 0.086| 7398.241| 0.000] + [PKTLEN......: 68.000| 320.000| 155.000| 58.800| 3453.300| 4.900] [BINS(c->s)..: 1,3,0,6,3,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,2,2,3,4,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,0,1,0,1,0,0,0,1,0,1,1,0,1,1,0,1,0,1,1,0,0] + [IATS........: 304269,307394,8384,89918,31917,6521,226162,154173,40,188009,271,163937,163420,160100,21775,153703,73,168136,122602,138908,158523,186698,16232,65895,114250,83709,193240,164541,1311,77123,55436,0] + [PKTLENS.....: 86,86,86,86,86,148,138,320,181,68,246,148,242,226,117,148,165,68,186,170,175,186,170,148,128,154,219,154,223,68,148,185] update: [....39] [ip4][..udp] [....192.168.2.4][51518] -> [..91.253.176.65][.9344] [STUN.WhatsAppCall][VoIP][Acceptable] RISK: Known Proto on Non Std Port update: [....40] [ip4][.icmp] [....192.168.2.4] -> [..91.253.176.65] [ICMP][Network][Acceptable] 
@@ -184,12 +194,14 @@ detection-update: [....57] [ip4][..tcp] [....192.168.2.4][49205] -> [..17.173.66.102][..443] [TLS.AppleStore][SoftwareUpdate][Safe] RISK: TLS (probably) Not Carrying HTTPS analyse: [....57] [ip4][..tcp] [....192.168.2.4][49205] -> [..17.173.66.102][..443] [TLS.AppleStore][SoftwareUpdate][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.272| 0.058| 0.092] - [IAT(c->s)...: 0.000| 0.272| 0.059| 0.097][IAT(s->c)...: 0.000| 0.229| 0.056| 0.086] - [PKTLEN(c->s): 54.000|1494.000| 362.700| 464.100][PKTLEN(s->c): 54.000|1002.000| 235.900| 321.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.272| 0.058| 0.092| 8444.798| 0.000] + [PKTLEN......: 54.000| 1494.000| 303.300| 408.500|166876.700| 4.000] [BINS(c->s)..: 9,1,0,0,0,0,0,1,0,0,0,0,0,0,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] [BINS(s->c)..: 9,1,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1,0,0] + [IATS........: 139873,225073,4218,228888,70,2672,200693,278,1388,194,2268,310,435,198176,1008,14244,4721,5042,13250,23,199875,308,34695,427,52,217025,5837,15994,11,271808,275,0] + [PKTLENS.....: 78,66,54,281,54,146,91,54,54,60,91,1494,530,610,54,54,54,54,54,1002,400,54,54,1494,540,610,54,54,1002,400,54,54] guessed: [.....7] [ip4][..tcp] [....192.168.2.4][49174] -> [....5.178.42.26][...80] [HTTP][Web][Acceptable] end: [.....7] [ip4][..tcp] [....192.168.2.4][49174] -> [....5.178.42.26][...80] guessed: [.....5] [ip4][..tcp] [....192.168.2.4][49173] -> [..93.186.135.82][...80] [HTTP][Web][Acceptable] diff --git a/test/results/flow-info/whatsapp_login_chat.pcap.out b/test/results/flow-info/whatsapp_login_chat.pcap.out index 0801158b9..0d8198c9d 100644 --- a/test/results/flow-info/whatsapp_login_chat.pcap.out +++ b/test/results/flow-info/whatsapp_login_chat.pcap.out 
@@ -11,12 +11,14 @@ new: [.....4] [ip4][..tcp] [....192.168.2.4][49205] -> [..17.173.66.102][..443] [MIDSTREAM] detected: [.....4] [ip4][..tcp] [....192.168.2.4][49205] -> [..17.173.66.102][..443] [TLS.Apple][Web][Safe] analyse: [.....4] [ip4][..tcp] [....192.168.2.4][49205] -> [..17.173.66.102][..443] [TLS.Apple][Web][Safe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 3.031| 0.229| 0.711] - [IAT(c->s)...: 0.000| 2.803| 0.224| 0.672][IAT(s->c)...: 0.000| 3.031| 0.234| 0.750] - [PKTLEN(c->s): 54.000|1494.000| 721.000| 554.800][PKTLEN(s->c): 54.000|1002.000| 312.700| 369.500] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 3.031| 0.229| 0.711|505750.847| 0.000] + [PKTLEN......: 54.000| 1494.000| 529.600| 518.700|269058.200| 4.300] [BINS(c->s)..: 4,0,1,0,0,0,0,0,0,0,0,0,0,0,2,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,4,0,0] [BINS(s->c)..: 9,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,1,1,1,1,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0] + [IATS........: 307,68,156057,6041,20562,3,205015,214,59650,355,76,237850,6388,13739,3,246436,156,2803227,690,58,155,163,149,3030585,5762,13968,11,3,10327,10365,268249,0] + [PKTLENS.....: 1494,531,610,54,54,1000,400,54,54,1494,538,610,54,54,1002,400,54,54,1494,531,610,1494,1254,1254,54,54,1002,400,54,54,54,127] new: [.....5] [ip4][..udp] [....192.168.2.1][17500] -> [..192.168.2.255][17500] detected: [.....5] [ip4][..udp] [....192.168.2.1][17500] -> [..192.168.2.255][17500] [Dropbox][Cloud][Acceptable] new: [.....6] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] diff --git a/test/results/flow-info/whatsapp_voice_and_message.pcap.out b/test/results/flow-info/whatsapp_voice_and_message.pcap.out index d83dab9cf..e5bfed23a 100644 --- a/test/results/flow-info/whatsapp_voice_and_message.pcap.out +++ b/test/results/flow-info/whatsapp_voice_and_message.pcap.out 
@@ -20,23 +20,27 @@ new: [.....9] [ip4][..udp] [.......10.8.0.1][53620] -> [....31.13.73.48][.3478] detected: [.....9] [ip4][..udp] [.......10.8.0.1][53620] -> [....31.13.73.48][.3478] [STUN.WhatsAppCall][VoIP][Acceptable] analyse: [.....1] [ip4][..tcp] [.......10.8.0.1][35480] -> [.184.173.179.46][..443] [WhatsApp][Chat][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 10.749| 0.839| 2.600] - [IAT(c->s)...: 0.000| 10.697| 0.813| 2.557][IAT(s->c)...: 0.000| 10.749| 0.867| 2.645] - [PKTLEN(c->s): 54.000| 410.000| 113.100| 87.100][PKTLEN(s->c): 54.000| 469.000| 101.100| 107.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 10.749| 0.839| 2.600|6759456.965| 0.000] + [PKTLEN......: 54.000| 469.000| 107.400| 97.600| 9526.400| 4.600] [BINS(c->s)..: 9,2,4,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,0,0,1,0,1,0,1,0] + [IATS........: 61035,61126,147705,147918,346802,397248,61,50507,310058,310119,199799,397950,91,198181,50507,50568,386718,386688,54077,104523,50476,50446,398316,399963,10696747,10748901,336,153,244,335,183,0] + [PKTLENS.....: 74,54,54,231,54,132,54,84,54,77,54,223,54,86,54,104,54,410,54,77,54,75,54,469,54,133,54,133,54,133,54,133] new: [....10] [ip4][..tcp] [.......10.8.0.1][44819] -> [...158.85.58.42][.5222] detected: [....10] [ip4][..tcp] [.......10.8.0.1][44819] -> [...158.85.58.42][.5222] [WhatsApp][Chat][Acceptable] new: [....11] [ip4][..tcp] [.......10.8.0.1][42241] -> [173.192.222.189][.5222] detected: [....11] [ip4][..tcp] [.......10.8.0.1][42241] -> [173.192.222.189][.5222] [WhatsApp][Chat][Acceptable] analyse: [....11] [ip4][..tcp] [.......10.8.0.1][42241] -> [173.192.222.189][.5222] [WhatsApp][Chat][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.458| 0.064| 0.104] - [IAT(c->s)...: 
0.000| 0.458| 0.071| 0.114][IAT(s->c)...: 0.000| 0.401| 0.058| 0.094] - [PKTLEN(c->s): 54.000| 299.000| 102.500| 68.400][PKTLEN(s->c): 54.000| 559.000| 101.900| 121.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.458| 0.064| 0.104|10787.211| 0.000] + [PKTLEN......: 54.000| 559.000| 102.200| 100.300|10067.600| 4.600] [BINS(c->s)..: 10,2,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 14,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,1,0,0] + [IATS........: 1312,2441,29816,31189,401459,457947,56427,244,122,152,50476,50415,214,112548,112763,50812,57282,6500,274,183,50385,50538,122,50415,131042,50415,131164,122,50507,50629,793,0] + [PKTLENS.....: 74,54,54,228,54,132,54,559,84,54,54,77,54,54,79,54,76,135,54,299,54,76,78,54,108,54,72,105,54,223,54,54] update: [.....5] [ip4][..udp] [.......10.8.0.1][53620] -> [..173.252.121.1][.3478] [STUN.WhatsAppCall][VoIP][Acceptable] update: [.....6] [ip4][..udp] [.......10.8.0.1][53620] -> [..179.60.192.48][.3478] [STUN.WhatsAppCall][VoIP][Acceptable] update: [.....2] [ip4][..udp] [.......10.8.0.1][53620] -> [....31.13.84.48][.3478] [STUN.WhatsAppCall][VoIP][Acceptable] 
@@ -48,12 +52,14 @@ new: [....12] [ip4][..tcp] [.......10.8.0.1][49721] -> [..158.85.58.109][.5222] detected: [....12] [ip4][..tcp] [.......10.8.0.1][49721] -> [..158.85.58.109][.5222] [WhatsApp][Chat][Acceptable] analyse: [....12] [ip4][..tcp] [.......10.8.0.1][49721] -> [..158.85.58.109][.5222] [WhatsApp][Chat][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.768| 0.148| 0.316] - [IAT(c->s)...: 0.000| 1.768| 0.214| 0.432][IAT(s->c)...: 0.000| 0.390| 0.087| 0.104] - [PKTLEN(c->s): 54.000| 299.000| 97.200| 68.000][PKTLEN(s->c): 54.000| 308.000| 100.900| 72.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.768| 0.148| 0.316|100094.116| 0.000] + [PKTLEN......: 54.000| 308.000| 99.100| 70.400| 4957.000| 4.700] [BINS(c->s)..: 11,2,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 11,1,1,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,1,0,0] + [IATS........: 2014,2563,34089,34790,390289,440887,50599,183,91,50446,50537,139282,139252,92,50506,50445,92,51240,51147,213,122,77789,128296,50873,179230,229706,260559,260559,50476,50476,1768433,0] + [PKTLENS.....: 74,54,54,228,54,132,54,308,84,54,77,54,79,54,76,135,54,76,299,54,54,54,223,112,54,113,54,179,54,76,54,90] update: [.....5] [ip4][..udp] [.......10.8.0.1][53620] -> [..173.252.121.1][.3478] [STUN.WhatsAppCall][VoIP][Acceptable] update: [.....6] [ip4][..udp] [.......10.8.0.1][53620] -> [..179.60.192.48][.3478] [STUN.WhatsAppCall][VoIP][Acceptable] update: [.....2] [ip4][..udp] [.......10.8.0.1][53620] -> [....31.13.84.48][.3478] [STUN.WhatsAppCall][VoIP][Acceptable] diff --git a/test/results/flow-info/whatsappfiles.pcap.out b/test/results/flow-info/whatsappfiles.pcap.out index ec0354039..1771bccf4 100644 --- a/test/results/flow-info/whatsappfiles.pcap.out +++ b/test/results/flow-info/whatsappfiles.pcap.out 
@@ -6,22 +6,26 @@ detection-update: [.....1] [ip4][..tcp] [...192.168.2.29][49674] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][Download][Acceptable] detection-update: [.....1] [ip4][..tcp] [...192.168.2.29][49674] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][Download][Acceptable] analyse: [.....1] [ip4][..tcp] [...192.168.2.29][49674] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][Download][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 24.640| 0.846| 4.345] - [IAT(c->s)...: 0.000| 24.640| 1.338| 5.493][IAT(s->c)...: 0.000| 0.461| 0.067| 0.126] - [PKTLEN(c->s): 66.000|1464.000| 324.200| 484.600][PKTLEN(s->c): 66.000|1464.000| 374.600| 501.900] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 24.640| 0.846| 4.345|18880535.724| 0.000] + [PKTLEN......: 66.000| 1464.000| 343.100| 491.800|241822.200| 3.900] [BINS(c->s)..: 9,4,0,1,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0] [BINS(s->c)..: 5,1,1,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,1,1,1,1,0,0,1,0,0,0,0] + [IATS........: 89960,91931,2998,95622,1439,1232,31,95929,999,78942,282792,460945,6,97926,4,3994,6995,998,5,4,115136,17,1231,43,102916,998,41079,24639770,4996,5995,2998,0] + [PKTLENS.....: 78,74,66,309,66,1464,1464,478,66,66,66,192,324,147,66,66,119,116,108,249,104,66,104,66,176,66,66,66,289,1464,1464,1464] new: [.....2] [ip4][..tcp] [...192.168.2.29][49698] -> [..185.60.216.53][..443] detected: [.....2] [ip4][..tcp] [...192.168.2.29][49698] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][Download][Acceptable] detection-update: [.....2] [ip4][..tcp] [...192.168.2.29][49698] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][Download][Acceptable] analyse: [.....2] [ip4][..tcp] [...192.168.2.29][49698] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][Download][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.108| 0.019| 
0.031] - [IAT(c->s)...: 0.000| 0.065| 0.016| 0.025][IAT(s->c)...: 0.000| 0.108| 0.021| 0.034] - [PKTLEN(c->s): 66.000| 583.000| 141.900| 139.700][PKTLEN(s->c): 66.000|1464.000| 744.100| 666.400] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.108| 0.019| 0.031| 953.946| 0.000] + [PKTLEN......: 66.000| 1464.000| 499.400| 599.200|359069.100| 4.000] [BINS(c->s)..: 6,5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,2,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,8,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,1,0,0,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1] + [IATS........: 56726,60954,999,65972,116,64953,998,4998,4,994,4,59896,50958,5,7285,18,4137,107,10987,4,86355,107518,6,1398,909,1355,1209,1240,1010,1222,1201,0] + [PKTLENS.....: 78,74,66,583,66,212,66,117,119,116,108,290,147,66,104,66,104,66,108,66,66,66,1464,234,1464,1282,1464,1464,1464,1464,1464,1464] end: [.....1] [ip4][..tcp] [...192.168.2.29][49674] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][Download][Acceptable] idle: [.....2] [ip4][..tcp] [...192.168.2.29][49698] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][Download][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/wireguard.pcap.out b/test/results/flow-info/wireguard.pcap.out index 991765440..4b50869ce 100644 --- a/test/results/flow-info/wireguard.pcap.out +++ b/test/results/flow-info/wireguard.pcap.out 
@@ -4,12 +4,14 @@ new: [.....1] [ip4][..udp] [139.162.192.157][51820] -> [...192.168.0.14][36116] detected: [.....1] [ip4][..udp] [139.162.192.157][51820] -> [...192.168.0.14][36116] [WireGuard][VPN][Acceptable] analyse: [.....1] [ip4][..udp] [139.162.192.157][51820] -> [...192.168.0.14][36116] [WireGuard][VPN][Acceptable] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 5.526| 0.606| 1.489] - [IAT(c->s)...: 0.000| 5.526| 0.522| 1.396][IAT(s->c)...: 0.000| 5.526| 0.723| 1.603] - [PKTLEN(c->s): 138.000| 842.000| 295.500| 218.500][PKTLEN(s->c): 138.000| 314.000| 208.200| 79.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 5.526| 0.606| 1.489|2218508.681| 0.000] + [PKTLEN......: 138.000| 842.000| 260.000| 181.000|32764.000| 4.700] [BINS(c->s)..: 0,0,0,6,7,0,0,0,0,1,1,0,0,0,0,0,1,0,0,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,7,1,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,0,1] + [IATS........: 23,158,13304,82421,23440,98,92806,699,114421,124480,180,238536,14265,86010,36434,91,108248,778,113616,3087006,3060616,97488,183654,5525873,24,5525882,16499,87990,44371,59,115907,0] + [PKTLENS.....: 842,186,138,314,138,330,186,138,298,138,666,186,138,314,138,362,186,138,298,138,186,154,186,154,698,186,138,314,138,570,186,138] update: [.....1] [ip4][..udp] [139.162.192.157][51820] -> [...192.168.0.14][36116] [WireGuard][VPN][Acceptable] update: [.....1] [ip4][..udp] [139.162.192.157][51820] -> [...192.168.0.14][36116] [WireGuard][VPN][Acceptable] update: [.....1] [ip4][..udp] [139.162.192.157][51820] -> [...192.168.0.14][36116] [WireGuard][VPN][Acceptable] diff --git a/test/results/flow-info/youtube_quic.pcap.out b/test/results/flow-info/youtube_quic.pcap.out index e48d41a1d..57a72ea83 100644 --- a/test/results/flow-info/youtube_quic.pcap.out +++ b/test/results/flow-info/youtube_quic.pcap.out 
@@ -6,12 +6,14 @@ new: [.....2] [ip4][..udp] [....192.168.1.7][56074] -> [..216.58.198.33][..443] detected: [.....2] [ip4][..udp] [....192.168.1.7][56074] -> [..216.58.198.33][..443] [QUIC.YouTube][Media][Fun] analyse: [.....2] [ip4][..udp] [....192.168.1.7][56074] -> [..216.58.198.33][..443] [QUIC.YouTube][Media][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.047| 0.007| 0.013] - [IAT(c->s)...: 0.000| 0.047| 0.009| 0.016][IAT(s->c)...: 0.000| 0.044| 0.006| 0.011] - [PKTLEN(c->s): 80.000|1392.000| 326.500| 465.400][PKTLEN(s->c): 73.000|1392.000|1234.300| 405.700] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.047| 0.007| 0.013| 177.503| 0.000] + [PKTLEN......: 73.000| 1392.000| 865.500| 620.100|384534.200| 4.500] [BINS(c->s)..: 0,8,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0] [BINS(s->c)..: 1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,0,0,0,0,1,1,1,0,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1] + [IATS........: 43682,599,47402,292,154,45,22593,22345,6,41882,73,4311,1249,5208,1009,1199,2078,995,1205,2173,1079,939,1972,1276,1007,2312,930,1274,2300,574,7716,0] + [PKTLENS.....: 1392,1392,1392,1392,459,177,178,77,1392,73,83,83,1392,1392,80,1392,1392,80,1392,1392,80,1392,1392,80,1392,1392,80,1392,1392,80,1030,1392] new: [.....3] [ip4][..udp] [....192.168.1.7][53859] -> [..216.58.205.66][..443] detected: [.....3] [ip4][..udp] [....192.168.1.7][53859] -> [..216.58.205.66][..443] [QUIC.Google][Advertisement][Acceptable] idle: [.....2] [ip4][..udp] [....192.168.1.7][56074] -> [..216.58.198.33][..443] [QUIC.YouTube][Media][Fun] diff --git a/test/results/flow-info/youtubeupload.pcap.out b/test/results/flow-info/youtubeupload.pcap.out index b9044fa35..5ee09c99b 100644 --- a/test/results/flow-info/youtubeupload.pcap.out +++ b/test/results/flow-info/youtubeupload.pcap.out 
@@ -10,12 +10,14 @@ new: [.....3] [ip4][..udp] [...192.168.2.27][62232] -> [.172.217.23.111][..443] detected: [.....3] [ip4][..udp] [...192.168.2.27][62232] -> [.172.217.23.111][..443] [QUIC.YouTubeUpload][Media][Fun] analyse: [.....1] [ip4][..udp] [...192.168.2.27][51925] -> [.172.217.23.111][..443] [QUIC.YouTubeUpload][Media][Fun] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 1.883| 0.207| 0.510] - [IAT(c->s)...: 0.000| 1.826| 0.153| 0.444][IAT(s->c)...: 0.000| 1.883| 0.320| 0.611] - [PKTLEN(c->s): 77.000|1392.000| 897.100| 601.900][PKTLEN(s->c): 58.000|1392.000| 528.000| 587.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 1.883| 0.207| 0.510|259988.193| 0.000] + [PKTLEN......: 58.000| 1392.000| 781.800| 621.300|386013.800| 4.400] [BINS(c->s)..: 0,6,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0] [BINS(s->c)..: 4,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,0,0,0,1,1,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS........: 56118,973,59784,1844,356,60874,87,57514,351,30658,1096880,488,1126775,721,1825776,1883081,71241,80,128481,3345,2763,363,669,1041,1120,1220,1141,1157,1131,1161,1163,0] + [PKTLENS.....: 1392,1392,1392,80,1392,424,1392,73,83,80,72,58,611,83,77,344,78,154,58,83,387,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392] idle: [.....2] [ip4][..tcp] [...192.168.2.27][57452] -> [.172.217.23.111][..443] idle: [.....1] [ip4][..udp] [...192.168.2.27][51925] -> [.172.217.23.111][..443] [QUIC.YouTubeUpload][Media][Fun] idle: [.....3] [ip4][..udp] [...192.168.2.27][62232] -> [.172.217.23.111][..443] [QUIC.YouTubeUpload][Media][Fun] diff --git a/test/results/flow-info/zcash.pcap.out b/test/results/flow-info/zcash.pcap.out index 763b4052e..2df9651ad 100644 --- a/test/results/flow-info/zcash.pcap.out +++ b/test/results/flow-info/zcash.pcap.out 
@@ -5,12 +5,14 @@ detected: [.....1] [ip4][..tcp] [...192.168.2.92][55190] -> [.178.32.196.217][.9050] [Mining][Mining][Unsafe] RISK: Known Proto on Non Std Port, Unsafe Protocol analyse: [.....1] [ip4][..tcp] [...192.168.2.92][55190] -> [.178.32.196.217][.9050] [Mining][Mining][Unsafe] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 50.191| 6.014| 12.034] - [IAT(c->s)...: 0.000| 48.786| 5.480| 11.434][IAT(s->c)...: 0.000| 50.191| 6.663| 12.694] - [PKTLEN(c->s): 66.000| 326.000| 162.200| 96.900][PKTLEN(s->c): 66.000| 369.000| 149.400| 101.000] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 50.191| 6.014| 12.034|144808530.149| 0.000] + [PKTLEN......: 66.000| 369.000| 156.600| 98.900| 9779.100| 4.700] [BINS(c->s)..: 9,0,0,0,0,8,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,5,0,0,0,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,1,0,0,0,0,0,1,1,1,1,0,1,0,0,1,1] + [IATS........: 82662,82715,169,82626,1477,83954,12149836,12261597,111733,2618837,2732392,113543,6931182,7043979,112799,7848884,7848880,48786215,308388,319989,608003,50191373,143,24,41664,210617,4833234,4833228,8034710,8116947,41430,0] + [PKTLENS.....: 74,74,66,326,66,369,66,249,129,66,249,129,66,249,129,66,319,66,249,249,249,249,78,78,78,129,66,319,66,249,66,129] DAEMON-EVENT: [Processed: 87 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] idle: [.....1] [ip4][..tcp] [...192.168.2.92][55190] -> [.178.32.196.217][.9050] [Mining][Mining][Unsafe] diff --git a/test/results/flow-info/zoom.pcap.out b/test/results/flow-info/zoom.pcap.out index 966c04af9..23ffccae8 100644 --- a/test/results/flow-info/zoom.pcap.out +++ b/test/results/flow-info/zoom.pcap.out 
@@ -58,12 +58,14 @@ detection-update: [....21] [ip4][..tcp] [..192.168.1.117][54866] -> [..52.202.62.236][..443] [TLS.Zoom][Video][Acceptable] detection-update: [....21] [ip4][..tcp] [..192.168.1.117][54866] -> [..52.202.62.236][..443] [TLS.Zoom][Video][Acceptable] analyse: [....21] [ip4][..tcp] [..192.168.1.117][54866] -> [..52.202.62.236][..443] - [min|max|avg|stddev] - [IAT(flow)...: 0.000| 0.211| 0.038| 0.059] - [IAT(c->s)...: 0.000| 0.211| 0.043| 0.065][IAT(s->c)...: 0.000| 0.144| 0.035| 0.055] - [PKTLEN(c->s): 54.000| 864.000| 202.900| 271.500][PKTLEN(s->c): 60.000|1506.000|1095.400| 617.800] + [min|max|avg|stddev|variance|entropy] + [IAT.........: 0.000| 0.211| 0.038| 0.059| 3527.760| 0.000] + [PKTLEN......: 54.000| 1506.000| 677.000| 660.100|435695.100| 4.200] [BINS(c->s)..: 11,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,1,0,0,0,1,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0] + [IATS........: 112386,112530,31116,143960,1761,226,34,114802,166,170,7182,2922,121940,111900,4272,3,116559,98015,494,36,210729,39,183,114,242,129,123,246,127,13,148,0] + [PKTLENS.....: 78,66,54,571,60,1506,1506,1506,54,1306,54,54,245,105,54,745,864,60,1506,1506,1506,54,54,1506,1506,54,1506,1506,54,1506,459,54] detection-update: [....21] [ip4][..tcp] [..192.168.1.117][54866] -> [..52.202.62.236][..443] [TLS.Zoom][Video][Acceptable] new: [....22] [ip4][..udp] [..192.168.1.117][57621] -> [..192.168.1.255][57621] detected: [....22] [ip4][..udp] [..192.168.1.117][57621] -> [..192.168.1.255][57621] [Spotify][Music][Acceptable] 
@@ -112,24 +114,28 @@ detection-update: [....30] [ip4][..tcp] [..192.168.1.117][54871] -> [..109.94.160.99][..443] [TLS.Zoom][Video][Acceptable]
 RISK: TLS (probably) Not Carrying HTTPS
 analyse: [....30] [ip4][..tcp] [..192.168.1.117][54871] -> [..109.94.160.99][..443] [TLS.Zoom][Video][Acceptable]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 0.156| 0.028| 0.040]
- [IAT(c->s)...: 0.000| 0.156| 0.028| 0.038][IAT(s->c)...: 0.000| 0.156| 0.029| 0.043]
- [PKTLEN(c->s): 66.000|1506.000| 236.800| 344.500][PKTLEN(s->c): 66.000|1506.000| 688.600| 655.800]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 0.156| 0.028| 0.040| 1628.090| 0.000]
+ [PKTLEN......: 66.000| 1506.000| 434.500| 552.400|305116.100| 4.000]
 [BINS(c->s)..: 10,1,0,1,2,1,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
 [BINS(s->c)..: 4,1,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,4,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,1,1,0,0,1,0,0,1,0,0,0,1,1,0,1,0,1,1,0,0,0,0]
+ [IATS........: 31621,31782,223,32749,1986,135,18,34538,3,10485,3,10554,60088,93852,33789,375,31290,30856,4598,4,36582,6223,38193,156062,156067,114,1,94,10606,59053,3101,0]
+ [PKTLENS.....: 78,74,66,583,66,1506,1506,1282,66,66,1506,93,66,192,308,66,206,132,66,1506,547,66,104,66,1331,66,1506,160,66,104,216,237]
 new: [....31] [ip4][..udp] [..192.168.1.117][58327] -> [..109.94.160.99][.8801]
 detected: [....31] [ip4][..udp] [..192.168.1.117][58327] -> [..109.94.160.99][.8801] [Zoom][Video][Acceptable]
 ERROR-EVENT: Unknown packet type
 new: [....32] [ip4][..udp] [..192.168.1.117][60620] -> [..109.94.160.99][.8801]
 detected: [....32] [ip4][..udp] [..192.168.1.117][60620] -> [..109.94.160.99][.8801] [Zoom][Video][Acceptable]
 analyse: [....31] [ip4][..udp] [..192.168.1.117][58327] -> [..109.94.160.99][.8801] [Zoom][Video][Acceptable]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 0.036| 0.010| 0.009]
- [IAT(c->s)...: 0.005| 0.032| 0.018| 0.014][IAT(s->c)...: 0.000| 0.036| 0.010| 0.008]
- [PKTLEN(c->s): 55.000| 149.000| 103.000| 38.400][PKTLEN(s->c): 60.000|1071.000| 967.900| 303.600]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 0.036| 0.010| 0.009| 72.691| 0.000]
+ [PKTLEN......: 55.000| 1071.000| 886.800| 383.700|147246.200| 4.800]
 [BINS(c->s)..: 1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 [BINS(s->c)..: 1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]
+ [IATS........: 31967,28,32217,4719,35562,13763,10264,10242,9996,63,10130,10327,9979,9966,107,9866,10246,10252,10251,126,10146,9980,10130,10478,32,9954,10261,9714,10315,406,9850,0]
+ [PKTLENS.....: 149,77,60,55,105,85,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071]
 new: [....33] [ip4][..udp] [..192.168.1.117][61731] -> [..109.94.160.99][.8801]
 detected: [....33] [ip4][..udp] [..192.168.1.117][61731] -> [..109.94.160.99][.8801] [Zoom][Video][Acceptable]
 idle: [....17] [ip4][.icmp] [..192.168.1.117] -> [..162.255.38.14] [ICMP][Network][Acceptable]
diff --git a/test/results/flow-info/zoom2.pcap.out b/test/results/flow-info/zoom2.pcap.out
index 11cf229fc..24c0365d3 100644
--- a/test/results/flow-info/zoom2.pcap.out
+++ b/test/results/flow-info/zoom2.pcap.out
@@ -9,40 +9,48 @@ detection-update: [.....1] [ip4][..tcp] [..192.168.1.178][50076] -> [.144.195.73.154][..443] [TLS.Zoom][Video][Acceptable]
 RISK: TLS (probably) Not Carrying HTTPS
 analyse: [.....1] [ip4][..tcp] [..192.168.1.178][50076] -> [.144.195.73.154][..443] [TLS.Zoom][Video][Acceptable]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 0.199| 0.059| 0.083]
- [IAT(c->s)...: 0.000| 0.182| 0.057| 0.080][IAT(s->c)...: 0.000| 0.199| 0.061| 0.086]
- [PKTLEN(c->s): 66.000|1506.000| 243.400| 372.600][PKTLEN(s->c): 66.000|1506.000| 714.700| 603.300]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 0.199| 0.059| 0.083| 6897.605| 0.000]
+ [PKTLEN......: 66.000| 1506.000| 464.300| 547.400|299645.500| 4.100]
 [BINS(c->s)..: 11,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
 [BINS(s->c)..: 3,1,1,0,1,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,0,0,0,0,0,3,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,0,1,0,0,0,1,1,1,0,1,0,0,1,0,1,1]
+ [IATS........: 174660,174776,564,174002,1305,35,10,9,175382,5,1,23625,1263,198571,173076,348,174461,174128,5783,7,187559,672,15,182407,110,83,84,878,803,496,2,0]
+ [PKTLENS.....: 78,74,66,583,66,1506,1506,1282,828,66,66,66,66,192,117,66,222,141,66,1506,781,66,1506,456,66,214,66,116,1344,66,1344,270]
 new: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801]
 analyse: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 0.167| 0.025| 0.040]
- [IAT(c->s)...: 0.012| 0.102| 0.072| 0.036][IAT(s->c)...: 0.000| 0.167| 0.018| 0.036]
- [PKTLEN(c->s): 165.000| 170.000| 168.000| 2.400][PKTLEN(s->c): 60.000|1078.000| 820.700| 435.100]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 0.167| 0.025| 0.040| 1639.456| 0.000]
+ [PKTLEN......: 60.000| 1078.000| 718.700| 464.600|215864.300| 4.600]
 [BINS(c->s)..: 0,0,0,2,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 [BINS(s->c)..: 2,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,0,1,1,0,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]
+ [IATS........: 101379,166585,27,72990,12330,100439,29,101849,72959,11921,4860,10860,10480,10129,246,9160,10351,10320,11352,21,292,9440,8565,5418,4862,82,10799,10006,10476,9401,205,0]
+ [PKTLENS.....: 165,165,86,60,170,170,86,60,170,102,102,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,102,1078,1078,1078,1078,1078,1078,1078]
 guessed: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801] [Zoom][Video][Acceptable]
 detected: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801] [Zoom][Video][Acceptable]
 new: [.....3] [ip4][..udp] [..192.168.1.178][58117] -> [.144.195.73.154][.8801]
 new: [.....4] [ip4][..udp] [..192.168.1.178][57953] -> [.144.195.73.154][.8801]
 analyse: [.....3] [ip4][..udp] [..192.168.1.178][58117] -> [.144.195.73.154][.8801]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 0.176| 0.043| 0.049]
- [IAT(c->s)...: 0.000| 0.168| 0.060| 0.053][IAT(s->c)...: 0.000| 0.176| 0.033| 0.044]
- [PKTLEN(c->s): 130.000| 203.000| 166.200| 16.000][PKTLEN(s->c): 60.000| 178.000| 129.100| 37.100]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 0.176| 0.043| 0.049| 2389.122| 0.000]
+ [PKTLEN......: 60.000| 203.000| 143.000| 35.800| 1279.800| 4.900]
 [BINS(c->s)..: 0,0,1,6,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 [BINS(s->c)..: 2,5,3,8,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,0,1,1,0,0,1,1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,0,0,1,0,0,0,0,1]
+ [IATS........: 98469,176446,124,85491,9538,94754,12,99878,94166,12337,1946,12440,20627,16992,20131,168367,18000,3631,10879,10252,19350,32137,20903,115345,15,17844,18745,20098,20216,21487,85502,0]
+ [PKTLENS.....: 165,165,86,60,170,170,86,60,170,102,102,175,178,168,163,159,130,102,163,106,157,158,148,149,180,203,130,164,162,157,158,130]
 guessed: [.....3] [ip4][..udp] [..192.168.1.178][58117] -> [.144.195.73.154][.8801] [Zoom][Video][Acceptable]
 detected: [.....3] [ip4][..udp] [..192.168.1.178][58117] -> [.144.195.73.154][.8801] [Zoom][Video][Acceptable]
 analyse: [.....4] [ip4][..udp] [..192.168.1.178][57953] -> [.144.195.73.154][.8801]
- [min|max|avg|stddev]
- [IAT(flow)...: 0.000| 0.188| 0.047| 0.043]
- [IAT(c->s)...: 0.000| 0.106| 0.052| 0.034][IAT(s->c)...: 0.000| 0.188| 0.042| 0.049]
- [PKTLEN(c->s): 69.000| 185.000| 125.800| 53.300][PKTLEN(s->c): 60.000| 117.000| 86.900| 23.200]
+ [min|max|avg|stddev|variance|entropy]
+ [IAT.........: 0.000| 0.188| 0.047| 0.043| 1844.784| 0.000]
+ [PKTLEN......: 60.000| 185.000| 105.100| 44.600| 1993.400| 4.900]
 [BINS(c->s)..: 7,0,0,2,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 [BINS(s->c)..: 9,2,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,0,1,1,0,0,1,1,0,0,0,1,1,0,1,0,0,1,1,0,1,1,1,0,1,0,1,1,0,1,1,0]
+ [IATS........: 102087,187597,15,105625,59,93505,28,87640,70667,56,105994,30,21517,32815,58979,18,48377,5541,49496,50209,26,8,55223,45719,56325,52361,22,59786,52118,47745,58582,0]
+ [PKTLENS.....: 167,167,86,60,177,177,86,60,177,177,177,117,117,69,69,185,69,69,117,69,117,117,69,69,69,69,117,69,69,69,69,69]
 guessed: [.....4] [ip4][..udp] [..192.168.1.178][57953] -> [.144.195.73.154][.8801] [Zoom][Video][Acceptable]
 detected: [.....4] [ip4][..udp] [..192.168.1.178][57953] -> [.144.195.73.154][.8801] [Zoom][Video][Acceptable]
 new: [.....5] [ip4][.icmp] [..192.168.1.178] -> [.144.195.73.154] |