diff options
| author | Toni Uhlig <matzeton@googlemail.com> | 2024-11-11 16:19:07 +0100 |
|---|---|---|
| committer | Toni Uhlig <matzeton@googlemail.com> | 2024-11-13 17:23:31 +0100 |
| commit | 9efdecf4efa352a6046c88a945cf9ff8db1b37b9 (patch) | |
| tree | 43c6ba4a106f47420a4f5dc1ddfe393400c5dbda /test/results/flow-info | |
| parent | 8c114e49168eb38a8598b5b342c7144a07323320 (diff) | |
bump libnDPI to 59ee1fe1156be234fed796972a29a31a0589e25a
* set minimum nDPI version to 4.12.0 (incompatible API changes)
* fixed `ndpi_debug_printf()` function signature
* JSON schema (flow): added risk `56`: "Obfuscated Traffic"
* JSON schema (flow): added "domainame"
* fixed OpenWrt build
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'test/results/flow-info')
108 files changed, 3876 insertions, 450 deletions
diff --git a/test/results/flow-info/caches_cfg/ookla.pcap.out b/test/results/flow-info/caches_cfg/ookla.pcap.out index 756bc9d29..1fc3de72a 100644 --- a/test/results/flow-info/caches_cfg/ookla.pcap.out +++ b/test/results/flow-info/caches_cfg/ookla.pcap.out @@ -28,6 +28,6 @@ detection-update: [.....6] [ip4][..tcp] [..192.168.1.128][35830] -> [..89.96.108.170][.8080] [TLS][Unknown][Web][Safe][spd-pub-mi-01-01.fastwebnet.it] RISK: Known Proto on Non Std Port idle: [.....5] [ip4][..tcp] [..192.168.1.128][48854] -> [..104.16.209.12][..443] [TLS.Ookla][Cloudflare][Network][Safe] - idle: [.....6] [ip4][..tcp] [..192.168.1.128][35830] -> [..89.96.108.170][.8080] [TLS][Unknown][Web][Safe][spd-pub-mi-01-01.fastwebnet.it] + idle: [.....6] [ip4][..tcp] [..192.168.1.128][35830] -> [..89.96.108.170][.8080] [TLS][Unknown][Web][Safe] RISK: Known Proto on Non Std Port DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/caches_cfg/teams.pcap.out b/test/results/flow-info/caches_cfg/teams.pcap.out index 2dbabe09e..1f7107eb9 100644 --- a/test/results/flow-info/caches_cfg/teams.pcap.out +++ b/test/results/flow-info/caches_cfg/teams.pcap.out @@ -34,7 +34,6 @@ ERROR-EVENT: Unknown packet type [7/16] new: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] detected: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] - detection-update: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] analyse: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.221| 0.032| 0.054| 2931.592| 3.400] @@ -51,7 +50,7 @@ new: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] detected: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com] detection-update: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com] - analyse: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + analyse: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.050| 0.018| 0.021| 449.200| 3.900] [PKTLEN......: 52.000| 1492.000| 680.600| 673.100| 453031.800| 4.200] @@ -101,15 +100,12 @@ new: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] detected: [....18] [ip4][..tcp] [....192.168.1.6][60538] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] detected: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] - detection-update: [....18] [ip4][..tcp] [....192.168.1.6][60538] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] - detection-update: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] new: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] new: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] detected: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] detected: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] new: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] detected: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][config.teams.microsoft.com] - detection-update: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] detection-update: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] detection-update: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][config.teams.microsoft.com] new: [....23] [ip4][..tcp] [....192.168.1.6][60542] -> [.52.113.194.132][..443] @@ -123,7 +119,6 @@ detected: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS detected: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443] [TLS.Teams][Azure][Collaborative][Safe][northeurope.notifications.teams.microsoft.com] - detection-update: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443] [TLS.Teams][Azure][Collaborative][Safe][northeurope.notifications.teams.microsoft.com] detection-update: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS ERROR-EVENT: Unknown packet type [16/16] @@ -134,7 +129,6 @@ new: [....29] [ip4][..tcp] [.162.125.19.131][..443] -> [....192.168.1.6][60344] [MIDSTREAM] detected: [....29] [ip4][..tcp] [.162.125.19.131][..443] -> [....192.168.1.6][60344] [TLS][Dropbox][Web][Safe] detected: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Azure][Collaborative][Safe][presence.teams.microsoft.com] - detection-update: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Azure][Collaborative][Safe][presence.teams.microsoft.com] analyse: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.153| 0.028| 0.040| 1626.047| 3.600] @@ -170,7 +164,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [....33] [ip4][..tcp] [....192.168.1.6][60548] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - analyse: [....32] [ip4][..tcp] [....192.168.1.6][60547] -> [...52.114.88.59][..443] [TLS.Teams][Azure][Collaborative][Safe][chatsvcagg.teams.microsoft.com] + analyse: [....32] [ip4][..tcp] [....192.168.1.6][60547] -> [...52.114.88.59][..443] [TLS.Teams][Azure][Collaborative][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.115| 0.021| 0.031| 968.681| 3.500] [PKTLEN......: 52.000| 1492.000| 377.200| 521.700| 272149.200| 3.900] @@ -241,7 +235,6 @@ detected: [....46] [ip4][..tcp] [....192.168.1.6][60556] -> [.....40.126.9.7][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] detected: [....45] [ip4][..tcp] [....192.168.1.6][60555] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - detection-update: [....46] [ip4][..tcp] [....192.168.1.6][60556] -> [.....40.126.9.7][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] detection-update: [....42] [ip4][..tcp] [....192.168.1.6][60552] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS detection-update: [....45] [ip4][..tcp] [....192.168.1.6][60555] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] @@ -266,8 +259,6 @@ new: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] detected: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - detection-update: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS analyse: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.053| 0.020| 0.022| 492.470| 3.900] @@ -293,7 +284,7 @@ detected: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS][Azure][Web][Safe][api.microsoftstream.com] detection-update: [....51] [ip4][..tcp] [....192.168.1.6][60561] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - analyse: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS][Azure][Web][Safe][api.microsoftstream.com] + analyse: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS][Azure][Web][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.126| 0.019| 0.032| 1006.354| 3.400] [PKTLEN......: 52.000| 1492.000| 345.200| 499.900| 249913.200| 3.900] @@ -323,13 +314,11 @@ detection-update: [....56] [ip4][..udp] [....192.168.1.6][63930] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe][dc.applicationinsights.microsoft.com] new: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] detected: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] [TLS][Azure][Web][Safe][gate.hockeyapp.net] - detection-update: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] [TLS][Azure][Web][Safe][gate.hockeyapp.net] new: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] detected: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][emea.ng.msg.teams-msgapi.trafficmanager.net] detection-update: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][emea.ng.msg.teams-msgapi.trafficmanager.net] new: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] detected: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe][emea.ng.msg.teams.microsoft.com] - detection-update: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe][emea.ng.msg.teams.microsoft.com] analyse: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe][emea.ng.msg.teams.microsoft.com] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.277| 0.019| 0.049| 2449.644| 2.900] @@ -370,8 +359,6 @@ new: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] new: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] detected: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] - detection-update: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS new: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] detected: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] detected: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com] @@ -380,8 +367,6 @@ detected: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] new: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] detected: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] - detection-update: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS detection-update: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] detection-update: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] new: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443] @@ -400,8 +385,6 @@ detection-update: [....75] [ip4][..udp] [....192.168.1.6][60837] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][c-flightproxy-euno-01-teams.cloudapp.net] detected: [....74] [ip4][..tcp] [....192.168.1.6][60567] -> [..52.114.77.136][..443] [TLS.Teams][Azure][Collaborative][Safe][api.flightproxy.teams.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - detection-update: [....74] [ip4][..tcp] [....192.168.1.6][60567] -> [..52.114.77.136][..443] [TLS.Teams][Azure][Collaborative][Safe][api.flightproxy.teams.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS new: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] detected: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable][] RISK: Known Proto on Non Std Port @@ -442,7 +425,6 @@ RISK: Known Proto on Non Std Port, Unidirectional Traffic new: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] detected: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] [TLS][Azure][Web][Safe][gate.hockeyapp.net] - detection-update: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] [TLS][Azure][Web][Safe][gate.hockeyapp.net] new: [....83] [ip4][.icmp] [..93.71.110.205] -> [....192.168.1.6] detected: [....83] [ip4][.icmp] [..93.71.110.205] -> [....192.168.1.6] [ICMP][Unknown][Network][Acceptable] analyse: [....78] [ip4][..udp] [..93.71.110.205][16332] -> [....192.168.1.6][50016] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] @@ -473,7 +455,7 @@ RISK: TLS (probably) Not Carrying HTTPS idle: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] RISK: Known Proto on Non Std Port, Unidirectional Traffic - idle: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443] [TLS][Azure][Web][Safe][euno-1.api.microsoftstream.com] + idle: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443] [TLS][Azure][Web][Safe] idle: [....17] [ip4][..udp] [....192.168.1.6][63106] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][eu-prod.asyncgw.teams.microsoft.com] idle: [....77] [ip4][..udp] [....192.168.1.6][50036] -> [....192.168.0.4][50020] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] RISK: Known Proto on Non Std Port, Unidirectional Traffic @@ -521,10 +503,10 @@ idle: [....34] [ip4][..udp] [....192.168.1.6][59403] -> [....192.168.1.1][...53] [DNS.Microsoft365][Unknown][Network][Acceptable][substrate.office.com] idle: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Outlook][Collaborative][Acceptable][substrate.office.com] idle: [....44] [ip4][..udp] [....192.168.1.6][51309] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][skypedataprdcolneu04.cloudapp.net] - end: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org] + end: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe] RISK: Known Proto on Non Std Port idle: [....12] [ip4][..udp] [....192.168.1.6][17500] -> [..192.168.1.255][17500] [Dropbox][Unknown][Cloud][Acceptable] - idle: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org] + idle: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe] RISK: Known Proto on Non Std Port idle: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][chatsvcagg.svcs.teams.office.com] guessed: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478] [Skype_TeamsCall][Azure][VoIP][Acceptable] diff --git a/test/results/flow-info/caches_global/ookla.pcap.out b/test/results/flow-info/caches_global/ookla.pcap.out index 648be479e..8aef4141e 100644 --- a/test/results/flow-info/caches_global/ookla.pcap.out +++ b/test/results/flow-info/caches_global/ookla.pcap.out @@ -26,7 +26,7 @@ RISK: Known Proto on Non Std Port detection-update: [.....6] [ip4][..tcp] [..192.168.1.128][35830] -> [..89.96.108.170][.8080] [TLS][Unknown][Web][Safe][spd-pub-mi-01-01.fastwebnet.it] RISK: Known Proto on Non Std Port - detection-update: [.....6] [ip4][..tcp] [..192.168.1.128][35830] -> [..89.96.108.170][.8080] [TLS.Ookla][Unknown][Web][Safe][spd-pub-mi-01-01.fastwebnet.it] idle: [.....5] [ip4][..tcp] [..192.168.1.128][48854] -> [..104.16.209.12][..443] [TLS.Ookla][Cloudflare][Network][Safe] - idle: [.....6] [ip4][..tcp] [..192.168.1.128][35830] -> [..89.96.108.170][.8080] [TLS.Ookla][Unknown][Web][Safe][spd-pub-mi-01-01.fastwebnet.it] + idle: [.....6] [ip4][..tcp] [..192.168.1.128][35830] -> [..89.96.108.170][.8080] [TLS][Unknown][Web][Safe] + RISK: Known Proto on Non Std Port DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/caches_global/teams.pcap.out b/test/results/flow-info/caches_global/teams.pcap.out index 9161d6afb..257fc16da 100644 --- a/test/results/flow-info/caches_global/teams.pcap.out +++ b/test/results/flow-info/caches_global/teams.pcap.out @@ -34,7 +34,6 @@ ERROR-EVENT: Unknown packet type [7/16] new: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] detected: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] - detection-update: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] analyse: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.221| 0.032| 0.054| 2931.592| 3.400] @@ -51,7 +50,7 @@ new: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] detected: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com] detection-update: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com] - analyse: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + analyse: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.050| 0.018| 0.021| 449.200| 3.900] [PKTLEN......: 52.000| 1492.000| 680.600| 673.100| 453031.800| 4.200] @@ -101,15 +100,12 @@ new: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] detected: [....18] [ip4][..tcp] [....192.168.1.6][60538] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] detected: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] - detection-update: [....18] [ip4][..tcp] [....192.168.1.6][60538] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] - detection-update: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] new: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] new: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] detected: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] detected: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] new: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] detected: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][config.teams.microsoft.com] - detection-update: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] detection-update: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] detection-update: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][config.teams.microsoft.com] new: [....23] [ip4][..tcp] [....192.168.1.6][60542] -> [.52.113.194.132][..443] @@ -123,7 +119,6 @@ detected: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS detected: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443] [TLS.Teams][Azure][Collaborative][Safe][northeurope.notifications.teams.microsoft.com] - detection-update: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443] [TLS.Teams][Azure][Collaborative][Safe][northeurope.notifications.teams.microsoft.com] detection-update: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS ERROR-EVENT: Unknown packet type [16/16] @@ -134,7 +129,6 @@ new: [....29] [ip4][..tcp] [.162.125.19.131][..443] -> [....192.168.1.6][60344] [MIDSTREAM] detected: [....29] [ip4][..tcp] [.162.125.19.131][..443] -> [....192.168.1.6][60344] [TLS][Dropbox][Web][Safe] detected: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Azure][Collaborative][Safe][presence.teams.microsoft.com] - detection-update: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Azure][Collaborative][Safe][presence.teams.microsoft.com] analyse: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.153| 0.028| 0.040| 1626.047| 3.600] @@ -170,7 +164,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [....33] [ip4][..tcp] [....192.168.1.6][60548] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - analyse: [....32] [ip4][..tcp] [....192.168.1.6][60547] -> [...52.114.88.59][..443] [TLS.Teams][Azure][Collaborative][Safe][chatsvcagg.teams.microsoft.com] + analyse: [....32] [ip4][..tcp] [....192.168.1.6][60547] -> [...52.114.88.59][..443] [TLS.Teams][Azure][Collaborative][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.115| 0.021| 0.031| 968.681| 3.500] [PKTLEN......: 52.000| 1492.000| 377.200| 521.700| 272149.200| 3.900] @@ -241,7 +235,6 @@ detected: [....46] [ip4][..tcp] [....192.168.1.6][60556] -> [.....40.126.9.7][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] detected: [....45] [ip4][..tcp] [....192.168.1.6][60555] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - detection-update: [....46] [ip4][..tcp] [....192.168.1.6][60556] -> [.....40.126.9.7][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] detection-update: [....42] [ip4][..tcp] [....192.168.1.6][60552] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS detection-update: [....45] [ip4][..tcp] [....192.168.1.6][60555] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] @@ -266,8 +259,6 @@ new: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] detected: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - detection-update: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS analyse: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.053| 0.020| 0.022| 492.470| 3.900] @@ -293,7 +284,7 @@ detected: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][api.microsoftstream.com] detection-update: [....51] [ip4][..tcp] [....192.168.1.6][60561] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - analyse: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][api.microsoftstream.com] + analyse: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.126| 0.019| 0.032| 1006.354| 3.400] [PKTLEN......: 52.000| 1492.000| 345.200| 499.900| 249913.200| 3.900] @@ -323,13 +314,11 @@ detection-update: [....56] [ip4][..udp] [....192.168.1.6][63930] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe][dc.applicationinsights.microsoft.com] new: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] detected: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] - detection-update: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] new: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] detected: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][emea.ng.msg.teams-msgapi.trafficmanager.net] detection-update: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][emea.ng.msg.teams-msgapi.trafficmanager.net] new: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] detected: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe][emea.ng.msg.teams.microsoft.com] - detection-update: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe][emea.ng.msg.teams.microsoft.com] analyse: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe][emea.ng.msg.teams.microsoft.com] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.277| 0.019| 0.049| 2449.644| 2.900] @@ -370,8 +359,6 @@ new: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] new: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] detected: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] - detection-update: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS new: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] detected: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] detected: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com] @@ -380,8 +367,6 @@ detected: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] new: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] detected: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] - detection-update: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS detection-update: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] detection-update: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] new: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443] @@ -400,8 +385,6 @@ detection-update: [....75] [ip4][..udp] [....192.168.1.6][60837] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][c-flightproxy-euno-01-teams.cloudapp.net] detected: [....74] [ip4][..tcp] [....192.168.1.6][60567] -> [..52.114.77.136][..443] [TLS.Teams][Azure][Collaborative][Safe][api.flightproxy.teams.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - detection-update: [....74] [ip4][..tcp] [....192.168.1.6][60567] -> [..52.114.77.136][..443] [TLS.Teams][Azure][Collaborative][Safe][api.flightproxy.teams.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS new: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] detected: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable][] RISK: Known Proto on Non Std Port @@ -442,7 +425,6 @@ RISK: Known Proto on Non Std Port, Unidirectional Traffic new: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] detected: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] - detection-update: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] new: [....83] [ip4][.icmp] [..93.71.110.205] -> [....192.168.1.6] detected: [....83] [ip4][.icmp] [..93.71.110.205] -> [....192.168.1.6] [ICMP][Unknown][Network][Acceptable] analyse: [....78] [ip4][..udp] [..93.71.110.205][16332] -> [....192.168.1.6][50016] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] @@ -473,7 +455,7 @@ RISK: TLS (probably) Not Carrying HTTPS idle: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] RISK: Known Proto on Non Std Port, Unidirectional Traffic - idle: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][euno-1.api.microsoftstream.com] + idle: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable] idle: [....17] [ip4][..udp] [....192.168.1.6][63106] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][eu-prod.asyncgw.teams.microsoft.com] idle: [....77] [ip4][..udp] [....192.168.1.6][50036] -> [....192.168.0.4][50020] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] RISK: Known Proto on Non Std Port, Unidirectional Traffic @@ -521,10 +503,10 @@ idle: [....34] [ip4][..udp] [....192.168.1.6][59403] -> [....192.168.1.1][...53] [DNS.Microsoft365][Unknown][Network][Acceptable][substrate.office.com] idle: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Outlook][Collaborative][Acceptable][substrate.office.com] idle: [....44] [ip4][..udp] [....192.168.1.6][51309] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][skypedataprdcolneu04.cloudapp.net] - end: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org] + end: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe] RISK: Known Proto on Non Std Port idle: [....12] [ip4][..udp] [....192.168.1.6][17500] -> [..192.168.1.255][17500] [Dropbox][Unknown][Cloud][Acceptable] - idle: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org] + idle: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe] RISK: Known Proto on Non Std Port idle: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][chatsvcagg.svcs.teams.office.com] guessed: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478] [Skype_TeamsCall][Azure][VoIP][Acceptable] diff --git a/test/results/flow-info/default/1kxun.pcap.out b/test/results/flow-info/default/1kxun.pcap.out index f5971556d..94ef6dc6b 100644 --- a/test/results/flow-info/default/1kxun.pcap.out +++ b/test/results/flow-info/default/1kxun.pcap.out @@ -529,13 +529,13 @@ idle: [....25] [ip4][..tcp] [..192.168.115.8][49598] -> [.222.73.254.167][...80] [HTTP.1kxun][Unknown][Streaming][Fun][kankan.1kxun.com] guessed: [....17] [ip4][..tcp] [...192.168.5.16][53622] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] end: [....17] [ip4][..tcp] [...192.168.5.16][53622] -> [.192.168.115.75][..443] - end: [....45] [ip4][..tcp] [...192.168.5.16][53623] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + end: [....45] [ip4][..tcp] [...192.168.5.16][53623] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS - end: [....87] [ip4][..tcp] [...192.168.5.16][53625] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + end: [....87] [ip4][..tcp] [...192.168.5.16][53625] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS - end: [...107] [ip4][..tcp] [...192.168.5.16][53626] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + end: [...107] [ip4][..tcp] [...192.168.5.16][53626] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS - end: [...117] [ip4][..tcp] [...192.168.5.16][53629] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + end: [...117] [ip4][..tcp] [...192.168.5.16][53629] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS idle: [.....6] [ip4][..udp] [...192.168.5.50][64674] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] not-detected: [....65] [ip4][..udp] [192.168.140.140][62976] -> [255.255.255.255][62976] [Unknown][Unknown][Unrated] diff --git a/test/results/flow-info/default/443-curl.pcap.out b/test/results/flow-info/default/443-curl.pcap.out index 9be2df589..d635942f3 100644 --- a/test/results/flow-info/default/443-curl.pcap.out +++ b/test/results/flow-info/default/443-curl.pcap.out @@ -5,7 +5,7 @@ detected: [.....1] [ip4][..tcp] [...192.168.1.13][55523] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][55523] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][55523] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] - analyse: [.....1] [ip4][..tcp] [...192.168.1.13][55523] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] + analyse: [.....1] [ip4][..tcp] [...192.168.1.13][55523] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.784| 0.063| 0.190| 36203.258| 2.200] [PKTLEN......: 52.000| 1492.000| 397.200| 558.700| 312115.000| 3.800] diff --git a/test/results/flow-info/default/443-firefox.pcap.out b/test/results/flow-info/default/443-firefox.pcap.out index 046662670..3efd275fc 100644 --- a/test/results/flow-info/default/443-firefox.pcap.out +++ b/test/results/flow-info/default/443-firefox.pcap.out @@ -5,7 +5,7 @@ detected: [.....1] [ip4][..tcp] [...192.168.1.13][53096] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][53096] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][53096] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] - analyse: [.....1] [ip4][..tcp] [...192.168.1.13][53096] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] + analyse: [.....1] [ip4][..tcp] [...192.168.1.13][53096] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 1.656| 0.130| 0.404| 163175.268| 2.000] [PKTLEN......: 52.000| 1492.000| 518.700| 610.400| 372566.000| 4.000] diff --git a/test/results/flow-info/default/443-git.pcap.out b/test/results/flow-info/default/443-git.pcap.out index 70c543b9b..4eb17568c 100644 --- a/test/results/flow-info/default/443-git.pcap.out +++ b/test/results/flow-info/default/443-git.pcap.out @@ -5,7 +5,7 @@ detected: [.....1] [ip4][..tcp] [...192.168.1.13][55744] -> [...140.82.114.4][..443] [TLS.Github][Github][Collaborative][Acceptable][github.com] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][55744] -> [...140.82.114.4][..443] [TLS.Github][Github][Collaborative][Acceptable][github.com] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][55744] -> [...140.82.114.4][..443] [TLS.Github][Github][Collaborative][Acceptable][github.com] - analyse: [.....1] [ip4][..tcp] [...192.168.1.13][55744] -> [...140.82.114.4][..443] [TLS.Github][Github][Collaborative][Acceptable][github.com] + analyse: [.....1] [ip4][..tcp] [...192.168.1.13][55744] -> [...140.82.114.4][..443] [TLS.Github][Github][Collaborative][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.144| 0.033| 0.053| 2832.982| 3.200] [PKTLEN......: 52.000| 1476.000| 337.800| 464.400| 215710.400| 4.000] diff --git a/test/results/flow-info/default/443-safari.pcap.out b/test/results/flow-info/default/443-safari.pcap.out index 459806b25..ef9e5f325 100644 --- a/test/results/flow-info/default/443-safari.pcap.out +++ b/test/results/flow-info/default/443-safari.pcap.out @@ -5,7 +5,7 @@ detected: [.....1] [ip4][..tcp] [...192.168.1.13][53031] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][53031] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][53031] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] - analyse: [.....1] [ip4][..tcp] [...192.168.1.13][53031] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] + analyse: [.....1] [ip4][..tcp] [...192.168.1.13][53031] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.696| 0.070| 0.175| 30530.335| 2.600] [PKTLEN......: 52.000| 1492.000| 384.700| 559.600| 313139.800| 3.800] diff --git a/test/results/flow-info/default/KakaoTalk_chat.pcap.out b/test/results/flow-info/default/KakaoTalk_chat.pcap.out index 85f82f865..1d8ebad6b 100644 --- a/test/results/flow-info/default/KakaoTalk_chat.pcap.out +++ b/test/results/flow-info/default/KakaoTalk_chat.pcap.out @@ -102,7 +102,7 @@ new: [....30] [ip4][..tcp] [...10.24.82.188][58927] -> [.54.255.253.199][.5223] [MIDSTREAM] detected: [....30] [ip4][..tcp] [...10.24.82.188][58927] -> [.54.255.253.199][.5223] [TLS][AmazonAWS][Web][Safe] RISK: Known Proto on Non Std Port - analyse: [....26] [ip4][..tcp] [...10.24.82.188][43581] -> [....31.13.68.70][..443] [TLS.Facebook][Facebook][SocialNetwork][Fun][graph.facebook.com] + analyse: [....26] [ip4][..tcp] [...10.24.82.188][43581] -> [....31.13.68.70][..443] [TLS.Facebook][Facebook][SocialNetwork][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.174| 0.038| 0.043| 1891.518| 4.000] [PKTLEN......: 40.000| 1320.000| 256.100| 386.900| 149674.200| 3.800] diff --git a/test/results/flow-info/default/KakaoTalk_talk.pcap.out b/test/results/flow-info/default/KakaoTalk_talk.pcap.out index 4ec167094..f3bc648e2 100644 --- a/test/results/flow-info/default/KakaoTalk_talk.pcap.out +++ b/test/results/flow-info/default/KakaoTalk_talk.pcap.out @@ -8,6 +8,8 @@ new: [.....5] [ip4][..tcp] [.216.58.220.161][..443] -> [...10.24.82.188][56697] [MIDSTREAM] detected: [.....4] [ip4][..tcp] [...10.24.82.188][48489] -> [203.205.147.215][...80] [HTTP_Proxy.QQ][Tencent][Chat][Fun][hkminorshort.weixin.qq.com] RISK: Known Proto on Non Std Port + detection-update: [.....4] [ip4][..tcp] [...10.24.82.188][48489] -> [203.205.147.215][...80] [HTTP_Proxy.QQ][Tencent][Download][Fun][hkminorshort.weixin.qq.com] + RISK: Known Proto on Non Std Port, Binary File/Data Transfer (Attempt) new: [.....6] [ip4][..tcp] [...10.24.82.188][32968] -> [..110.76.143.50][.8080] detected: [.....6] [ip4][..tcp] [...10.24.82.188][32968] -> [..110.76.143.50][.8080] [TLS][Unknown][Web][Safe][] RISK: Known Proto on Non Std Port, Obsolete TLS (v1.1 or older) @@ -105,8 +107,8 @@ end: [....17] [ip4][..tcp] [173.194.117.229][..443] -> [...10.24.82.188][38380] idle: [....13] [ip4][..udp] [...10.24.82.188][10268] -> [....1.201.1.174][23046] [RTP][Unknown][Media][Acceptable] idle: [....11] [ip4][..udp] [...10.24.82.188][10269] -> [....1.201.1.174][23047] [KakaoTalk_Voice][Unknown][VoIP][Acceptable] - end: [.....4] [ip4][..tcp] [...10.24.82.188][48489] -> [203.205.147.215][...80] [HTTP_Proxy.QQ][Tencent][Chat][Fun] - RISK: Known Proto on Non Std Port + end: [.....4] [ip4][..tcp] [...10.24.82.188][48489] -> [203.205.147.215][...80] [HTTP_Proxy.QQ][Tencent][Download][Fun][hkminorshort.weixin.qq.com] + RISK: Known Proto on Non Std Port, Binary File/Data Transfer (Attempt) guessed: [.....2] [ip4][..tcp] [..120.28.26.242][...80] -> [...10.24.82.188][34533] [HTTP][Unknown][Web][Acceptable][] end: [.....2] [ip4][..tcp] [..120.28.26.242][...80] -> [...10.24.82.188][34533] idle: [.....6] [ip4][..tcp] [...10.24.82.188][32968] -> [..110.76.143.50][.8080] [TLS.KakaoTalk][Unknown][Chat][Acceptable] diff --git a/test/results/flow-info/default/alexa-app.pcapng.out b/test/results/flow-info/default/alexa-app.pcapng.out index 8ea47a247..68b847071 100644 --- a/test/results/flow-info/default/alexa-app.pcapng.out +++ b/test/results/flow-info/default/alexa-app.pcapng.out @@ -137,7 +137,7 @@ new: [....40] [ip4][..udp] [..172.16.42.216][43350] -> [....172.16.42.1][...53] detected: [....40] [ip4][..udp] [..172.16.42.216][43350] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][fls-na.amazon.com] ERROR-EVENT: Unknown packet type [1/16] - analyse: [....28] [ip4][..tcp] [..172.16.42.216][45661] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + analyse: [....28] [ip4][..tcp] [..172.16.42.216][45661] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 1.016| 0.161| 0.286| 81844.249| 3.400] [PKTLEN......: 40.000| 1500.000| 366.200| 485.100| 235358.500| 3.900] @@ -214,7 +214,7 @@ detected: [....55] [ip4][..tcp] [..172.16.42.216][42143] -> [..72.21.206.135][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][fls-na.amazon.com] detection-update: [....54] [ip4][..tcp] [..172.16.42.216][54427] -> [..52.85.209.216][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][www.amazon.com] detection-update: [....55] [ip4][..tcp] [..172.16.42.216][42143] -> [..72.21.206.135][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][fls-na.amazon.com] - analyse: [....52] [ip4][..tcp] [..172.16.42.216][34034] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][mobileanalytics.us-east-1.amazonaws.com] + analyse: [....52] [ip4][..tcp] [..172.16.42.216][34034] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.352| 0.044| 0.079| 6215.196| 3.500] [PKTLEN......: 40.000| 1500.000| 643.200| 676.900| 458225.800| 4.100] @@ -265,7 +265,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [....65] [ip4][..tcp] [..172.16.42.216][41691] -> [..54.239.29.146][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][api.amazon.com] RISK: TLS (probably) Not Carrying HTTPS - analyse: [....63] [ip4][..tcp] [..172.16.42.216][54434] -> [..52.85.209.216][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][www.amazon.com] + analyse: [....63] [ip4][..tcp] [..172.16.42.216][54434] -> [..52.85.209.216][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 2.897| 0.237| 0.560| 313730.662| 2.800] [PKTLEN......: 52.000| 1500.000| 603.100| 665.400| 442821.700| 4.100] @@ -381,7 +381,7 @@ detected: [....91] [ip4][..tcp] [..172.16.42.216][45714] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] detected: [....89] [ip4][..tcp] [..172.16.42.216][45712] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] detected: [....93] [ip4][..tcp] [..172.16.42.216][49630] -> [..52.94.232.134][...80] [HTTP.AmazonAlexa][AmazonAWS][VirtAssistant][Acceptable][alexa.amazon.com] - analyse: [....80] [ip4][..tcp] [..172.16.42.216][45703] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + analyse: [....80] [ip4][..tcp] [..172.16.42.216][45703] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 1.570| 0.289| 0.417| 173871.694| 3.700] [PKTLEN......: 40.000| 1500.000| 371.100| 516.000| 266233.000| 3.900] @@ -408,7 +408,7 @@ new: [....96] [ip4][..tcp] [..172.16.42.216][41820] -> [...54.231.72.88][..443] new: [....97] [ip4][..tcp] [..172.16.42.216][41821] -> [...54.231.72.88][..443] detected: [....96] [ip4][..tcp] [..172.16.42.216][41820] -> [...54.231.72.88][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][s3-external-2.amazonaws.com] - analyse: [....87] [ip4][..tcp] [..172.16.42.216][45710] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + analyse: [....87] [ip4][..tcp] [..172.16.42.216][45710] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 1.192| 0.160| 0.282| 79548.359| 3.500] [PKTLEN......: 40.000| 1500.000| 343.000| 486.700| 236894.100| 3.900] @@ -420,7 +420,7 @@ [ENTROPIES...: 4.7,5.1,4.8,5.9,5.9,4.6,6.1,6.0,4.7,4.6,6.5,4.7,5.9,7.9,4.6,6.9,4.6,4.6,7.8,7.9,7.1,4.6,7.5,7.9,7.2,6.6,4.5,4.6,7.6,7.9,6.8,4.6] detection-update: [....96] [ip4][..tcp] [..172.16.42.216][41820] -> [...54.231.72.88][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][s3-external-2.amazonaws.com] detection-update: [....96] [ip4][..tcp] [..172.16.42.216][41820] -> [...54.231.72.88][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][s3-external-2.amazonaws.com] - analyse: [....89] [ip4][..tcp] [..172.16.42.216][45712] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + analyse: [....89] [ip4][..tcp] [..172.16.42.216][45712] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 1.080| 0.209| 0.303| 92031.574| 3.700] [PKTLEN......: 40.000| 1500.000| 360.500| 516.500| 266795.300| 3.800] @@ -475,7 +475,7 @@ RISK: Weak TLS Cipher detection-update: [...107] [ip4][..tcp] [..172.16.42.216][40856] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][skills-store.amazon.com] RISK: Weak TLS Cipher - analyse: [...107] [ip4][..tcp] [..172.16.42.216][40856] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][skills-store.amazon.com] + analyse: [...107] [ip4][..tcp] [..172.16.42.216][40856] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.326| 0.037| 0.075| 5555.152| 3.000] [PKTLEN......: 40.000| 1500.000| 545.400| 489.800| 239933.900| 4.400] @@ -485,7 +485,7 @@ [IATS(ms)....: 55.9,57.4,1.4,113.3,0.4,112.3,0.1,3.2,65.7,1.4,70.0,0.2,85.3,246.6,0.1,0.0,0.1,325.6,0.3,3.8,0.8,0.2,0.3,0.1,0.3,0.3,0.6,0.4,1.1,6.7,1.2] [PKTLENS.....: 60,48,40,251,1500,1275,40,40,366,46,99,1500,270,46,1021,589,589,589,40,40,1500,1500,741,1101,589,589,589,589,589,589,40,589] [ENTROPIES...: 4.6,5.2,4.8,5.6,7.3,7.3,4.9,4.9,7.3,4.6,6.1,7.9,7.2,4.6,7.8,7.7,7.6,7.6,4.9,4.8,7.9,7.9,7.7,7.8,7.6,7.6,7.7,7.6,7.6,7.6,4.9,7.7] - analyse: [...105] [ip4][..tcp] [..172.16.42.216][40854] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][skills-store.amazon.com] + analyse: [...105] [ip4][..tcp] [..172.16.42.216][40854] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.933| 0.089| 0.198| 39194.591| 3.000] [PKTLEN......: 40.000| 1500.000| 450.100| 541.500| 293230.800| 4.000] @@ -495,7 +495,7 @@ [IATS(ms)....: 109.9,111.6,1.6,102.0,0.2,101.6,0.3,1.9,56.2,0.1,87.5,19.1,7.6,147.9,304.1,639.4,932.7,32.7,0.1,0.0,0.7,0.1,0.0,0.3,0.6,110.7,0.2,1.8,0.2,0.1,0.1] [PKTLENS.....: 60,48,40,251,1500,1275,40,40,366,46,99,40,1500,254,46,1500,1500,46,1021,589,589,589,589,589,1469,77,40,40,40,40,40,40] [ENTROPIES...: 4.7,5.2,4.8,5.6,7.2,7.3,4.8,4.8,7.3,4.7,6.1,4.9,7.9,7.2,4.5,7.9,7.9,4.7,7.8,7.6,7.7,7.7,7.6,7.6,7.9,5.7,4.8,4.8,4.9,4.8,4.9,4.9] - analyse: [....88] [ip4][..tcp] [..172.16.42.216][45711] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + analyse: [....88] [ip4][..tcp] [..172.16.42.216][45711] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 9.247| 1.357| 2.197| 4827473.510| 3.500] [PKTLEN......: 40.000| 1500.000| 425.800| 556.200| 309356.400| 3.900] @@ -594,7 +594,7 @@ detected: [...125] [ip4][..tcp] [..172.16.42.216][40871] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][skills-store.amazon.com] detection-update: [...125] [ip4][..tcp] [..172.16.42.216][40871] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][skills-store.amazon.com] RISK: Weak TLS Cipher - analyse: [...125] [ip4][..tcp] [..172.16.42.216][40871] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][skills-store.amazon.com] + analyse: [...125] [ip4][..tcp] [..172.16.42.216][40871] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 1.107| 0.141| 0.257| 65864.266| 3.200] [PKTLEN......: 40.000| 1500.000| 430.000| 555.400| 308431.600| 4.000] @@ -707,42 +707,42 @@ RISK: Error Code end: [....28] [ip4][..tcp] [..172.16.42.216][45661] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] RISK: Weak TLS Cipher - end: [....29] [ip4][..tcp] [..172.16.42.216][45662] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....29] [ip4][..tcp] [..172.16.42.216][45662] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....30] [ip4][..tcp] [..172.16.42.216][45663] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....30] [ip4][..tcp] [..172.16.42.216][45663] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....43] [ip4][..tcp] [..172.16.42.216][45673] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....43] [ip4][..tcp] [..172.16.42.216][45673] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....44] [ip4][..tcp] [..172.16.42.216][45674] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....44] [ip4][..tcp] [..172.16.42.216][45674] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....46] [ip4][..tcp] [..172.16.42.216][45676] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....46] [ip4][..tcp] [..172.16.42.216][45676] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....47] [ip4][..tcp] [..172.16.42.216][45677] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....47] [ip4][..tcp] [..172.16.42.216][45677] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....48] [ip4][..tcp] [..172.16.42.216][45678] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....48] [ip4][..tcp] [..172.16.42.216][45678] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....49] [ip4][..tcp] [..172.16.42.216][45679] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....49] [ip4][..tcp] [..172.16.42.216][45679] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....50] [ip4][..tcp] [..172.16.42.216][45680] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....50] [ip4][..tcp] [..172.16.42.216][45680] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....53] [ip4][..tcp] [..172.16.42.216][45683] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....53] [ip4][..tcp] [..172.16.42.216][45683] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher end: [....37] [ip4][..tcp] [..172.16.42.216][54411] -> [..52.85.209.216][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][www.amazon.com] end: [....38] [ip4][..tcp] [..172.16.42.216][54412] -> [..52.85.209.216][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] guessed: [....39] [ip4][..tcp] [..172.16.42.216][54413] -> [..52.85.209.216][..443] [TLS][AmazonAWS][Web][Safe] end: [....39] [ip4][..tcp] [..172.16.42.216][54413] -> [..52.85.209.216][..443] - end: [....54] [ip4][..tcp] [..172.16.42.216][54427] -> [..52.85.209.216][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][www.amazon.com] + end: [....54] [ip4][..tcp] [..172.16.42.216][54427] -> [..52.85.209.216][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] end: [....41] [ip4][..tcp] [..172.16.42.216][42129] -> [..72.21.206.135][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] end: [....42] [ip4][..tcp] [..172.16.42.216][42130] -> [..72.21.206.135][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][fls-na.amazon.com] - end: [....55] [ip4][..tcp] [..172.16.42.216][42143] -> [..72.21.206.135][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][fls-na.amazon.com] - end: [....56] [ip4][..tcp] [..172.16.42.216][42144] -> [..72.21.206.135][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][fls-na.amazon.com] + end: [....55] [ip4][..tcp] [..172.16.42.216][42143] -> [..72.21.206.135][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] + end: [....56] [ip4][..tcp] [..172.16.42.216][42144] -> [..72.21.206.135][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] end: [....36] [ip4][..tcp] [..172.16.42.216][34019] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable] - end: [....51] [ip4][..tcp] [..172.16.42.216][34033] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][mobileanalytics.us-east-1.amazonaws.com] + end: [....51] [ip4][..tcp] [..172.16.42.216][34033] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable] end: [....52] [ip4][..tcp] [..172.16.42.216][34034] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][mobileanalytics.us-east-1.amazonaws.com] guessed: [....32] [ip4][..tcp] [..172.16.42.216][38391] -> [...192.168.11.1][.8080] [HTTP_Proxy][Unknown][Web][Acceptable][] RISK: TCP Connection Issues end: [....32] [ip4][..tcp] [..172.16.42.216][38391] -> [...192.168.11.1][.8080] - end: [....26] [ip4][..tcp] [..172.16.42.216][38364] -> [..34.199.52.240][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][cognito-identity.us-east-1.amazonaws.com] + end: [....26] [ip4][..tcp] [..172.16.42.216][38364] -> [..34.199.52.240][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable] update: [.....3] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable][android-1c1335ec95a27318] update: [.....9] [ip4][..udp] [..172.16.42.216][53188] -> [....172.16.42.1][...53] [DNS.GoogleServices][Unknown][Network][Acceptable][mtalk.google.com] update: [...114] [ip4][..udp] [..172.16.42.216][28614] -> [....172.16.42.1][...53] [DNS.AmazonAWS][Unknown][Network][Acceptable][mobileanalytics.us-east-1.amazonaws.com] @@ -770,11 +770,11 @@ detected: [...142] [ip4][..tcp] [..172.16.42.216][50799] -> [..54.239.28.178][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] detection-update: [...142] [ip4][..tcp] [..172.16.42.216][50799] -> [..54.239.28.178][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] RISK: Weak TLS Cipher - end: [....57] [ip4][..tcp] [..172.16.42.216][45687] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....57] [ip4][..tcp] [..172.16.42.216][45687] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....59] [ip4][..tcp] [..172.16.42.216][45688] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....59] [ip4][..tcp] [..172.16.42.216][45688] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....60] [ip4][..tcp] [..172.16.42.216][34041] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][mobileanalytics.us-east-1.amazonaws.com] + end: [....60] [ip4][..tcp] [..172.16.42.216][34041] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable] update: [...118] [ip4][..udp] [..172.16.42.216][.4920] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][ecx.images-amazon.com] new: [...143] [ip4][..tcp] [..172.16.42.216][50800] -> [..54.239.28.178][..443] detected: [...143] [ip4][..tcp] [..172.16.42.216][50800] -> [..54.239.28.178][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] @@ -853,20 +853,20 @@ detection-update: [...156] [ip4][..tcp] [..172.16.42.216][58048] -> [..54.239.28.178][..443] [TLS][AmazonAWS][Web][Safe][] RISK: Obsolete TLS (v1.1 or older), Weak TLS Cipher end: [....66] [ip4][..tcp] [..172.16.42.216][49606] -> [..52.94.232.134][...80] [HTTP.AmazonAlexa][AmazonAWS][VirtAssistant][Acceptable][alexa.amazon.com] - end: [....67] [ip4][..tcp] [..172.16.42.216][45693] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....67] [ip4][..tcp] [..172.16.42.216][45693] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher end: [....68] [ip4][..tcp] [..172.16.42.216][45694] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....70] [ip4][..tcp] [..172.16.42.216][45695] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....70] [ip4][..tcp] [..172.16.42.216][45695] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....71] [ip4][..tcp] [..172.16.42.216][45696] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....71] [ip4][..tcp] [..172.16.42.216][45696] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....72] [ip4][..tcp] [..172.16.42.216][45697] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....72] [ip4][..tcp] [..172.16.42.216][45697] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....74] [ip4][..tcp] [..172.16.42.216][45698] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....74] [ip4][..tcp] [..172.16.42.216][45698] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher end: [....63] [ip4][..tcp] [..172.16.42.216][54434] -> [..52.85.209.216][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][www.amazon.com] - end: [....61] [ip4][..tcp] [..172.16.42.216][42148] -> [..72.21.206.135][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][fls-na.amazon.com] + end: [....61] [ip4][..tcp] [..172.16.42.216][42148] -> [..72.21.206.135][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] update: [....27] [ip4][..udp] [..172.16.42.216][54886] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][pitangui.amazon.com] update: [....21] [ip4][..udp] [..172.16.42.216][41030] -> [....172.16.42.1][...53] [DNS.AmazonAlexa][Unknown][Network][Acceptable][alexa.amazon.com] update: [....40] [ip4][..udp] [..172.16.42.216][43350] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][fls-na.amazon.com] @@ -979,11 +979,11 @@ end: [...106] [ip4][..tcp] [..172.16.42.216][40855] -> [..54.239.29.253][..443] end: [...107] [ip4][..tcp] [..172.16.42.216][40856] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][skills-store.amazon.com] RISK: Weak TLS Cipher - end: [...117] [ip4][..tcp] [..172.16.42.216][40864] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][skills-store.amazon.com] + end: [...117] [ip4][..tcp] [..172.16.42.216][40864] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher end: [...125] [ip4][..tcp] [..172.16.42.216][40871] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][skills-store.amazon.com] RISK: Weak TLS Cipher - end: [...132] [ip4][..tcp] [..172.16.42.216][40878] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][skills-store.amazon.com] + end: [...132] [ip4][..tcp] [..172.16.42.216][40878] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher idle: [.....9] [ip4][..udp] [..172.16.42.216][53188] -> [....172.16.42.1][...53] [DNS.GoogleServices][Unknown][Network][Acceptable][mtalk.google.com] idle: [...114] [ip4][..udp] [..172.16.42.216][28614] -> [....172.16.42.1][...53] [DNS.AmazonAWS][Unknown][Network][Acceptable][mobileanalytics.us-east-1.amazonaws.com] @@ -1006,13 +1006,13 @@ idle: [...149] [ip4][..tcp] [..172.16.42.216][41828] -> [..52.85.209.143][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][www.amazon.com] end: [....80] [ip4][..tcp] [..172.16.42.216][45703] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] RISK: Weak TLS Cipher - end: [....81] [ip4][..tcp] [..172.16.42.216][45704] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....81] [ip4][..tcp] [..172.16.42.216][45704] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....82] [ip4][..tcp] [..172.16.42.216][45705] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....82] [ip4][..tcp] [..172.16.42.216][45705] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher guessed: [....84] [ip4][..tcp] [..172.16.42.216][45707] -> [..52.94.232.134][..443] [TLS][AmazonAWS][Web][Safe] end: [....84] [ip4][..tcp] [..172.16.42.216][45707] -> [..52.94.232.134][..443] - end: [....86] [ip4][..tcp] [..172.16.42.216][45709] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....86] [ip4][..tcp] [..172.16.42.216][45709] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher end: [....87] [ip4][..tcp] [..172.16.42.216][45710] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] RISK: Weak TLS Cipher @@ -1020,28 +1020,28 @@ RISK: Weak TLS Cipher end: [....89] [ip4][..tcp] [..172.16.42.216][45712] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] RISK: Weak TLS Cipher - end: [....91] [ip4][..tcp] [..172.16.42.216][45714] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....91] [ip4][..tcp] [..172.16.42.216][45714] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....92] [ip4][..tcp] [..172.16.42.216][45715] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....92] [ip4][..tcp] [..172.16.42.216][45715] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [...109] [ip4][..tcp] [..172.16.42.216][45728] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [...109] [ip4][..tcp] [..172.16.42.216][45728] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [...110] [ip4][..tcp] [..172.16.42.216][45729] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [...110] [ip4][..tcp] [..172.16.42.216][45729] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [...111] [ip4][..tcp] [..172.16.42.216][45730] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [...111] [ip4][..tcp] [..172.16.42.216][45730] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [...112] [ip4][..tcp] [..172.16.42.216][45731] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [...112] [ip4][..tcp] [..172.16.42.216][45731] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [...113] [ip4][..tcp] [..172.16.42.216][45732] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [...113] [ip4][..tcp] [..172.16.42.216][45732] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher idle: [....20] [ip4][..tcp] [..172.16.42.216][53682] -> [..54.239.22.185][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: TLS (probably) Not Carrying HTTPS - end: [...133] [ip4][..tcp] [..172.16.42.216][45750] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [...133] [ip4][..tcp] [..172.16.42.216][45750] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [...134] [ip4][..tcp] [..172.16.42.216][45751] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [...134] [ip4][..tcp] [..172.16.42.216][45751] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher idle: [...108] [ip4][..udp] [..172.16.42.216][20922] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][pitangui.amazon.com] - end: [...137] [ip4][..tcp] [..172.16.42.216][45752] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [...137] [ip4][..tcp] [..172.16.42.216][45752] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher idle: [...144] [ip4][..udp] [..172.16.42.216][.8669] -> [....172.16.42.1][...53] [DNS.AmazonAWS][Unknown][Network][Acceptable][mobileanalytics.us-east-1.amazonaws.com] idle: [....69] [ip4][..udp] [..172.16.42.216][25081] -> [....172.16.42.1][...53] [DNS.AmazonAlexa][Unknown][Network][Acceptable][alexa.amazon.com] @@ -1055,7 +1055,7 @@ idle: [...148] [ip4][..udp] [..172.16.42.216][14934] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][www.amazon.com] idle: [...158] [ip4][..udp] [..172.16.42.216][.2707] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][fls-na.amazon.com] idle: [....98] [ip4][..udp] [..172.16.42.216][41639] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][dp-gw-na-js.amazon.com] - end: [...115] [ip4][..tcp] [..172.16.42.216][37551] -> [..54.239.24.180][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][mobileanalytics.us-east-1.amazonaws.com] + end: [...115] [ip4][..tcp] [..172.16.42.216][37551] -> [..54.239.24.180][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable] guessed: [...116] [ip4][..tcp] [..172.16.42.216][37552] -> [..54.239.24.180][..443] [TLS][AmazonAWS][Web][Safe] end: [...116] [ip4][..tcp] [..172.16.42.216][37552] -> [..54.239.24.180][..443] end: [...156] [ip4][..tcp] [..172.16.42.216][58048] -> [..54.239.28.178][..443] [TLS][AmazonAWS][Web][Safe] @@ -1088,13 +1088,13 @@ guessed: [....83] [ip4][..tcp] [..172.16.42.216][40242] -> [.10.201.126.241][.8080] [HTTP_Proxy][Unknown][Web][Acceptable][] RISK: Unidirectional Traffic idle: [....83] [ip4][..tcp] [..172.16.42.216][40242] -> [.10.201.126.241][.8080] - end: [....78] [ip4][..tcp] [..172.16.42.216][34053] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][mobileanalytics.us-east-1.amazonaws.com] + end: [....78] [ip4][..tcp] [..172.16.42.216][34053] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable] guessed: [....79] [ip4][..tcp] [..172.16.42.216][34054] -> [..54.239.24.186][..443] [TLS][AmazonAWS][Web][Safe] end: [....79] [ip4][..tcp] [..172.16.42.216][34054] -> [..54.239.24.186][..443] - end: [....94] [ip4][..tcp] [..172.16.42.216][34069] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][mobileanalytics.us-east-1.amazonaws.com] + end: [....94] [ip4][..tcp] [..172.16.42.216][34069] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable] guessed: [...100] [ip4][..tcp] [..172.16.42.216][34073] -> [..54.239.24.186][..443] [TLS][AmazonAWS][Web][Safe] end: [...100] [ip4][..tcp] [..172.16.42.216][34073] -> [..54.239.24.186][..443] - end: [...101] [ip4][..tcp] [..172.16.42.216][34074] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][mobileanalytics.us-east-1.amazonaws.com] + end: [...101] [ip4][..tcp] [..172.16.42.216][34074] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable] end: [....99] [ip4][..tcp] [..172.16.42.216][44001] -> [..176.32.101.52][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][dp-gw-na-js.amazon.com] RISK: TLS (probably) Not Carrying HTTPS idle: [.....6] [ip4][..udp] [..172.16.42.216][.3440] -> [....172.16.42.1][...53] [DNS.Google][Unknown][Network][Acceptable][connectivitycheck.android.com] @@ -1103,7 +1103,7 @@ guessed: [....85] [ip4][..tcp] [..172.16.42.216][38434] -> [...192.168.11.1][.8080] [HTTP_Proxy][Unknown][Web][Acceptable][] RISK: TCP Connection Issues end: [....85] [ip4][..tcp] [..172.16.42.216][38434] -> [...192.168.11.1][.8080] - idle: [....11] [ip4][..tcp] [..172.16.42.216][42878] -> [173.194.223.188][.5228] [TLS.GoogleServices][Google][Web][Acceptable][mtalk.google.com] + idle: [....11] [ip4][..tcp] [..172.16.42.216][42878] -> [173.194.223.188][.5228] [TLS.GoogleServices][Google][Web][Acceptable] RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS idle: [....62] [ip4][..udp] [..172.16.42.216][44475] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][www.amazon.com] end: [....16] [ip4][..tcp] [..172.16.42.216][55242] -> [..52.85.209.197][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][www.amazon.com] diff --git a/test/results/flow-info/default/android.pcap.out b/test/results/flow-info/default/android.pcap.out index 0dc966a89..7d1817cb1 100644 --- a/test/results/flow-info/default/android.pcap.out +++ b/test/results/flow-info/default/android.pcap.out @@ -81,7 +81,6 @@ detection-update: [....28] [ip4][..tcp] [...192.168.2.16][36890] -> [...172.217.18.3][..443] [TLS.Google][Google][ConnCheck][Acceptable][connectivitycheck.gstatic.com] detection-update: [....28] [ip4][..tcp] [...192.168.2.16][36890] -> [...172.217.18.3][..443] [TLS.Google][Google][ConnCheck][Acceptable][connectivitycheck.gstatic.com] detected: [....27] [ip4][..tcp] [...192.168.2.16][36888] -> [...172.217.18.3][..443] [TLS.Google][Google][ConnCheck][Acceptable][connectivitycheck.gstatic.com] - detection-update: [....27] [ip4][..tcp] [...192.168.2.16][36888] -> [...172.217.18.3][..443] [TLS.Google][Google][ConnCheck][Acceptable][connectivitycheck.gstatic.com] new: [....30] [ip4][..udp] [...192.168.2.16][39008] -> [....192.168.2.1][...53] detected: [....30] [ip4][..udp] [...192.168.2.16][39008] -> [....192.168.2.1][...53] [DNS.GoogleServices][Unknown][Network][Acceptable][mtalk.google.com] detection-update: [....30] [ip4][..udp] [...192.168.2.16][39008] -> [....192.168.2.1][...53] [DNS.GoogleServices][Unknown][Network][Acceptable][mtalk.google.com] @@ -173,7 +172,7 @@ new: [....60] [ip4][..udp] [...192.168.2.16][39760] -> [....192.168.2.1][...53] detected: [....60] [ip4][..udp] [...192.168.2.16][39760] -> [....192.168.2.1][...53] [DNS.GoogleServices][Unknown][Network][Acceptable][android.googleapis.com] detected: [....58] [ip4][..tcp] [...192.168.2.16][43646] -> [..172.217.20.76][..443] [TLS.DataSaver][Google][Web][Fun][proxy.googlezip.net] - analyse: [....42] [ip4][..tcp] [...192.168.2.16][32996] -> [.216.239.38.120][..443] [TLS.Google][Google][Web][Acceptable][www.google.com] + analyse: [....42] [ip4][..tcp] [...192.168.2.16][32996] -> [.216.239.38.120][..443] [TLS.Google][Google][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.405| 0.048| 0.104| 10866.215| 3.000] [PKTLEN......: 52.000| 1470.000| 416.500| 552.700| 305506.200| 3.900] @@ -238,7 +237,7 @@ idle: [....12] [ip6][icmp6] [.....................................::] -> [......................ff02::1:ff9f:f627] [ICMPV6][Unknown][Network][Acceptable] idle: [....42] [ip4][..tcp] [...192.168.2.16][32996] -> [.216.239.38.120][..443] [TLS.Google][Google][Web][Acceptable][www.google.com] end: [....44] [ip4][..tcp] [...192.168.2.16][32998] -> [.216.239.38.120][..443] [TLS.Google][Google][Web][Acceptable] - idle: [....49] [ip4][..tcp] [...192.168.2.16][33002] -> [.216.239.38.120][..443] [TLS.Google][Google][Web][Acceptable][accounts.google.com] + idle: [....49] [ip4][..tcp] [...192.168.2.16][33002] -> [.216.239.38.120][..443] [TLS.Google][Google][Web][Acceptable] idle: [....59] [ip4][..tcp] [...192.168.2.16][33014] -> [.216.239.38.120][..443] [TLS.Google][Google][Web][Acceptable] idle: [....56] [ip4][..udp] [...192.168.2.16][10677] -> [....192.168.2.1][...53] [DNS.DataSaver][Unknown][Network][Fun][proxy.googlezip.net] idle: [.....9] [ip4][..udp] [....192.168.2.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable] @@ -269,8 +268,8 @@ RISK: Unidirectional Traffic idle: [....63] [ip4][..tcp] [...192.168.2.16][43652] -> [..172.217.20.76][..443] idle: [....43] [ip4][..udp] [...192.168.2.16][46359] -> [....192.168.2.1][...53] [DNS.Google][Unknown][Network][Acceptable][accounts.google.com] - idle: [....40] [ip4][..tcp] [...192.168.2.16][51928] -> [.172.217.21.202][..443] [TLS.DataSaver][Google][Web][Fun][datasaver.googleapis.com] - idle: [....55] [ip4][..tcp] [...192.168.2.16][51944] -> [.172.217.21.202][..443] [TLS.DataSaver][Google][Web][Fun][datasaver.googleapis.com] + idle: [....40] [ip4][..tcp] [...192.168.2.16][51928] -> [.172.217.21.202][..443] [TLS.DataSaver][Google][Web][Fun] + idle: [....55] [ip4][..tcp] [...192.168.2.16][51944] -> [.172.217.21.202][..443] [TLS.DataSaver][Google][Web][Fun] idle: [....36] [ip4][..udp] [...192.168.2.16][.7660] -> [....192.168.2.1][...53] [DNS.DataSaver][Unknown][Network][Fun][datasaver.googleapis.com] idle: [....48] [ip4][..udp] [...192.168.2.16][58892] -> [....192.168.2.1][...53] [DNS.Google][Unknown][Network][Acceptable][accounts.google.com] idle: [....24] [ip4][..udp] [...192.168.2.16][54837] -> [....192.168.2.1][...53] [DNS.GoogleServices][Unknown][Network][Acceptable][play.googleapis.com] diff --git a/test/results/flow-info/default/anyconnect-vpn.pcap.out b/test/results/flow-info/default/anyconnect-vpn.pcap.out index b393c947c..f126f2896 100644 --- a/test/results/flow-info/default/anyconnect-vpn.pcap.out +++ b/test/results/flow-info/default/anyconnect-vpn.pcap.out @@ -307,7 +307,7 @@ idle: [....60] [ip4][..udp] [.....10.0.0.227][52595] -> [.......10.0.0.1][..192] idle: [....48] [ip4][..udp] [.....10.0.0.227][64193] -> [....75.75.75.75][...53] [DNS.ApplePush][Unknown][Network][Acceptable][24-courier.push.apple.com] idle: [....52] [ip4][..udp] [.....10.0.0.227][58074] -> [....75.75.75.75][...53] [DNS.Outlook][Unknown][Network][Acceptable][www.outlook.com] - end: [....28] [ip4][..tcp] [.....10.0.0.227][56920] -> [...99.86.34.156][..443] [TLS.Slack][AmazonAWS][Collaborative][Acceptable][slack.com] + end: [....28] [ip4][..tcp] [.....10.0.0.227][56920] -> [...99.86.34.156][..443] [TLS.Slack][AmazonAWS][Collaborative][Acceptable] idle: [....55] [ip4][..udp] [.....10.0.0.149][38616] -> [.....10.0.0.227][61328] [SSDP][Unknown][System][Acceptable] guessed: [....37] [ip4][..tcp] [.....10.0.0.227][56881] -> [.162.222.43.153][..443] [TLS][Unknown][Web][Safe] idle: [....37] [ip4][..tcp] [.....10.0.0.227][56881] -> [.162.222.43.153][..443] diff --git a/test/results/flow-info/default/dingtalk.pcap.out b/test/results/flow-info/default/dingtalk.pcap.out new file mode 100644 index 000000000..25738c108 --- /dev/null +++ b/test/results/flow-info/default/dingtalk.pcap.out @@ -0,0 +1,11 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [...10.215.173.1][48910] -> [..47.246.133.39][..443] + detected: [.....1] [ip4][..tcp] [...10.215.173.1][48910] -> [..47.246.133.39][..443] [DingTalk][Alibaba][Chat][Acceptable] + new: [.....2] [ip4][..tcp] [...10.215.173.1][49352] -> [.104.166.182.25][..443] + detected: [.....2] [ip4][..tcp] [...10.215.173.1][49352] -> [.104.166.182.25][..443] [TLS.DingTalk][Unknown][Chat][Acceptable][static.dingtalk.com] + detection-update: [.....2] [ip4][..tcp] [...10.215.173.1][49352] -> [.104.166.182.25][..443] [TLS.DingTalk][Unknown][Chat][Acceptable][static.dingtalk.com] + idle: [.....1] [ip4][..tcp] [...10.215.173.1][48910] -> [..47.246.133.39][..443] [DingTalk][Alibaba][Chat][Acceptable] + end: [.....2] [ip4][..tcp] [...10.215.173.1][49352] -> [.104.166.182.25][..443] [TLS.DingTalk][Unknown][Chat][Acceptable] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/dns_doh.pcap.out b/test/results/flow-info/default/dns_doh.pcap.out index 464cbf6fc..476ea4df1 100644 --- a/test/results/flow-info/default/dns_doh.pcap.out +++ b/test/results/flow-info/default/dns_doh.pcap.out @@ -4,7 +4,7 @@ new: [.....1] [ip4][..tcp] [....172.20.10.4][49877] -> [.104.16.248.249][..443] detected: [.....1] [ip4][..tcp] [....172.20.10.4][49877] -> [.104.16.248.249][..443] [TLS.DoH_DoT][Cloudflare][Network][Acceptable][mozilla.cloudflare-dns.com] detection-update: [.....1] [ip4][..tcp] [....172.20.10.4][49877] -> [.104.16.248.249][..443] [TLS.DoH_DoT][Cloudflare][Network][Acceptable][mozilla.cloudflare-dns.com] - analyse: [.....1] [ip4][..tcp] [....172.20.10.4][49877] -> [.104.16.248.249][..443] [TLS.DoH_DoT][Cloudflare][Network][Acceptable][mozilla.cloudflare-dns.com] + analyse: [.....1] [ip4][..tcp] [....172.20.10.4][49877] -> [.104.16.248.249][..443] [TLS.DoH_DoT][Cloudflare][Network][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.535| 0.062| 0.130| 16944.855| 3.000] [PKTLEN......: 40.000| 1340.000| 216.900| 327.300| 107137.200| 3.900] diff --git a/test/results/flow-info/default/dnscrypt-v2-doh.pcap.out b/test/results/flow-info/default/dnscrypt-v2-doh.pcap.out index 34a2f14ac..22b4da7b3 100644 --- a/test/results/flow-info/default/dnscrypt-v2-doh.pcap.out +++ b/test/results/flow-info/default/dnscrypt-v2-doh.pcap.out @@ -114,44 +114,44 @@ detection-update: [....34] [ip4][..tcp] [.......10.0.0.1][35742] -> [.209.250.241.25][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][jarjar.meganerd.nl] detection-update: [....34] [ip4][..tcp] [.......10.0.0.1][35742] -> [.209.250.241.25][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][jarjar.meganerd.nl] RISK: TLS Cert Expired - idle: [....29] [ip4][..tcp] [.......10.0.0.1][35714] -> [.209.250.241.25][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][jarjar.meganerd.nl] + idle: [....29] [ip4][..tcp] [.......10.0.0.1][35714] -> [.209.250.241.25][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] RISK: TLS Cert Expired - idle: [....12] [ip4][..tcp] [.......10.0.0.1][41720] -> [116.203.179.248][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][rumpelsepp.org] - idle: [....34] [ip4][..tcp] [.......10.0.0.1][35742] -> [.209.250.241.25][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][jarjar.meganerd.nl] + idle: [....12] [ip4][..tcp] [.......10.0.0.1][41720] -> [116.203.179.248][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....34] [ip4][..tcp] [.......10.0.0.1][35742] -> [.209.250.241.25][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] RISK: TLS Cert Expired - idle: [....25] [ip4][..tcp] [.......10.0.0.1][52028] -> [...45.76.113.31][.8443] [TLS.DoH_DoT][Unknown][Network][Acceptable][doh.seby.io] + idle: [....25] [ip4][..tcp] [.......10.0.0.1][52028] -> [...45.76.113.31][.8443] [TLS.DoH_DoT][Unknown][Network][Acceptable] RISK: Known Proto on Non Std Port - idle: [....26] [ip4][..tcp] [.......10.0.0.1][34036] -> [..217.169.20.23][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][dns.aa.net.uk] - idle: [....10] [ip4][..tcp] [.......10.0.0.1][55322] -> [.185.134.196.55][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][rdns.faelix.net] - idle: [....14] [ip4][..tcp] [.......10.0.0.1][46658] -> [185.233.106.232][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][dns.dnshome.de] - idle: [....20] [ip4][..tcp] [.......10.0.0.1][33724] -> [...104.28.28.34][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][jp.tiarap.org] - idle: [.....6] [ip4][..tcp] [.......10.0.0.1][40938] -> [..172.104.93.80][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][jp.tiar.app] - idle: [.....4] [ip4][..tcp] [.......10.0.0.1][55962] -> [..51.158.147.50][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][resolver-eu.lelux.fi] - idle: [.....8] [ip4][..tcp] [.......10.0.0.1][38186] -> [...185.43.135.1][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][odvr.nic.cz] + idle: [....26] [ip4][..tcp] [.......10.0.0.1][34036] -> [..217.169.20.23][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....10] [ip4][..tcp] [.......10.0.0.1][55322] -> [.185.134.196.55][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....14] [ip4][..tcp] [.......10.0.0.1][46658] -> [185.233.106.232][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....20] [ip4][..tcp] [.......10.0.0.1][33724] -> [...104.28.28.34][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [.....6] [ip4][..tcp] [.......10.0.0.1][40938] -> [..172.104.93.80][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [.....4] [ip4][..tcp] [.......10.0.0.1][55962] -> [..51.158.147.50][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [.....8] [ip4][..tcp] [.......10.0.0.1][38186] -> [...185.43.135.1][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] RISK: TLS Cert Expired - idle: [....13] [ip4][..tcp] [.......10.0.0.1][60026] -> [...195.30.94.28][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][doh.ffmuc.net] - idle: [....31] [ip4][..tcp] [.......10.0.0.1][57058] -> [..46.227.200.54][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][rdns.faelix.net] - idle: [....17] [ip4][..tcp] [.......10.0.0.1][44640] -> [...185.235.81.1][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][doh.dnslify.com] - idle: [....21] [ip4][..tcp] [.......10.0.0.1][53802] -> [........1.0.0.1][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][dns.cloudflare.com] - idle: [....28] [ip4][..tcp] [.......10.0.0.1][54164] -> [...193.70.85.11][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][doh.bortzmeyer.fr] - idle: [....27] [ip4][..tcp] [.......10.0.0.1][43718] -> [..146.255.56.98][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][doh.appliedprivacy.net] - idle: [....33] [ip4][..tcp] [.......10.0.0.1][44704] -> [...185.235.81.1][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][doh.dnslify.com] - idle: [....18] [ip4][..tcp] [.......10.0.0.1][43106] -> [.116.202.176.26][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][doh.libredns.gr] - idle: [.....9] [ip4][..tcp] [.......10.0.0.1][51770] -> [.......9.9.9.10][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][dns10.quad9.net] - idle: [....32] [ip4][..tcp] [.......10.0.0.1][51846] -> [.......9.9.9.10][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][dns10.quad9.net] - idle: [....30] [ip4][..tcp] [.......10.0.0.1][43888] -> [.95.216.229.153][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][fi.doh.dns.snopyta.org] - idle: [....11] [ip4][..tcp] [.......10.0.0.1][52386] -> [..51.15.124.208][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][dnsnl.alekberg.net] - idle: [....19] [ip4][..tcp] [.......10.0.0.1][59026] -> [....85.5.93.230][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][ibksturm.synology.me] - idle: [....23] [ip4][..tcp] [.......10.0.0.1][52176] -> [136.144.215.158][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][doh.powerdns.org] - idle: [....22] [ip4][..tcp] [.......10.0.0.1][33338] -> [.....45.90.28.0][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][dns.nextdns.io] + idle: [....13] [ip4][..tcp] [.......10.0.0.1][60026] -> [...195.30.94.28][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....31] [ip4][..tcp] [.......10.0.0.1][57058] -> [..46.227.200.54][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....17] [ip4][..tcp] [.......10.0.0.1][44640] -> [...185.235.81.1][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....21] [ip4][..tcp] [.......10.0.0.1][53802] -> [........1.0.0.1][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....28] [ip4][..tcp] [.......10.0.0.1][54164] -> [...193.70.85.11][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....27] [ip4][..tcp] [.......10.0.0.1][43718] -> [..146.255.56.98][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....33] [ip4][..tcp] [.......10.0.0.1][44704] -> [...185.235.81.1][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....18] [ip4][..tcp] [.......10.0.0.1][43106] -> [.116.202.176.26][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [.....9] [ip4][..tcp] [.......10.0.0.1][51770] -> [.......9.9.9.10][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....32] [ip4][..tcp] [.......10.0.0.1][51846] -> [.......9.9.9.10][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....30] [ip4][..tcp] [.......10.0.0.1][43888] -> [.95.216.229.153][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....11] [ip4][..tcp] [.......10.0.0.1][52386] -> [..51.15.124.208][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....19] [ip4][..tcp] [.......10.0.0.1][59026] -> [....85.5.93.230][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....23] [ip4][..tcp] [.......10.0.0.1][52176] -> [136.144.215.158][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....22] [ip4][..tcp] [.......10.0.0.1][33338] -> [.....45.90.28.0][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] idle: [.....1] [ip4][..tcp] [.......10.0.0.1][53674] -> [..139.99.222.72][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] idle: [.....2] [ip4][..tcp] [.......10.0.0.1][53676] -> [..139.99.222.72][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] - idle: [....15] [ip4][..tcp] [.......10.0.0.1][36012] -> [..149.56.228.45][..453] [TLS.DoH_DoT][Unknown][Network][Acceptable][dns2.dnscrypt.ca] + idle: [....15] [ip4][..tcp] [.......10.0.0.1][36012] -> [..149.56.228.45][..453] [TLS.DoH_DoT][Unknown][Network][Acceptable] RISK: Known Proto on Non Std Port - idle: [.....7] [ip4][..tcp] [.......10.0.0.1][37530] -> [167.114.220.125][..453] [TLS.DoH_DoT][Unknown][Network][Acceptable][dns1.dnscrypt.ca] + idle: [.....7] [ip4][..tcp] [.......10.0.0.1][37530] -> [167.114.220.125][..453] [TLS.DoH_DoT][Unknown][Network][Acceptable] RISK: Known Proto on Non Std Port - idle: [.....3] [ip4][..tcp] [.......10.0.0.1][50614] -> [..185.95.218.42][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][dns.digitale-gesellschaft.ch] - idle: [....24] [ip4][..tcp] [.......10.0.0.1][39214] -> [...104.28.0.106][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][doh.crypto.sx] - idle: [....16] [ip4][..tcp] [.......10.0.0.1][38018] -> [..45.153.187.96][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][dnsse.alekberg.net] - idle: [.....5] [ip4][..tcp] [.......10.0.0.1][59404] -> [.185.253.154.66][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][dnses.alekberg.net] + idle: [.....3] [ip4][..tcp] [.......10.0.0.1][50614] -> [..185.95.218.42][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....24] [ip4][..tcp] [.......10.0.0.1][39214] -> [...104.28.0.106][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....16] [ip4][..tcp] [.......10.0.0.1][38018] -> [..45.153.187.96][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [.....5] [ip4][..tcp] [.......10.0.0.1][59404] -> [.185.253.154.66][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/facebook.pcap.out b/test/results/flow-info/default/facebook.pcap.out index f87cc2f2b..74400406f 100644 --- a/test/results/flow-info/default/facebook.pcap.out +++ b/test/results/flow-info/default/facebook.pcap.out @@ -8,7 +8,7 @@ new: [.....2] [ip4][..tcp] [..192.168.43.18][44614] -> [....31.13.86.36][..443] detected: [.....2] [ip4][..tcp] [..192.168.43.18][44614] -> [....31.13.86.36][..443] [TLS.Facebook][Facebook][SocialNetwork][Fun][www.facebook.com] detection-update: [.....2] [ip4][..tcp] [..192.168.43.18][44614] -> [....31.13.86.36][..443] [TLS.Facebook][Facebook][SocialNetwork][Fun][www.facebook.com] - analyse: [.....2] [ip4][..tcp] [..192.168.43.18][44614] -> [....31.13.86.36][..443] [TLS.Facebook][Facebook][SocialNetwork][Fun][www.facebook.com] + analyse: [.....2] [ip4][..tcp] [..192.168.43.18][44614] -> [....31.13.86.36][..443] [TLS.Facebook][Facebook][SocialNetwork][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.155| 0.037| 0.058| 3352.274| 3.300] [PKTLEN......: 52.000| 1440.000| 555.100| 613.300| 376153.100| 4.100] diff --git a/test/results/flow-info/default/false_positives.pcapng.out b/test/results/flow-info/default/false_positives.pcapng.out index 6acef84eb..67348709b 100644 --- a/test/results/flow-info/default/false_positives.pcapng.out +++ b/test/results/flow-info/default/false_positives.pcapng.out @@ -5,6 +5,12 @@ ERROR-EVENT: Unknown packet type [2/16] ERROR-EVENT: Unknown packet type [3/16] ERROR-EVENT: Unknown packet type [4/16] + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + ERROR-EVENT: Unknown packet type [1/16] + ERROR-EVENT: Unknown packet type [2/16] + ERROR-EVENT: Unknown packet type [3/16] + ERROR-EVENT: Unknown packet type [4/16] ERROR-EVENT: Unknown packet type [5/16] ERROR-EVENT: Unknown packet type [6/16] ERROR-EVENT: Unknown packet type [7/16] diff --git a/test/results/flow-info/default/firefox.pcap.out b/test/results/flow-info/default/firefox.pcap.out index f164648bd..09ac1659b 100644 --- a/test/results/flow-info/default/firefox.pcap.out +++ b/test/results/flow-info/default/firefox.pcap.out @@ -20,7 +20,7 @@ detection-update: [.....4] [ip4][..tcp] [..192.168.1.178][51599] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] detection-update: [.....6] [ip4][..tcp] [..192.168.1.178][51601] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] idle: [.....1] [ip4][..tcp] [..192.168.1.178][51577] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] - idle: [.....2] [ip4][..tcp] [..192.168.1.178][51583] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] + idle: [.....2] [ip4][..tcp] [..192.168.1.178][51583] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] idle: [.....3] [ip4][..tcp] [..192.168.1.178][51588] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] idle: [.....4] [ip4][..tcp] [..192.168.1.178][51599] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] idle: [.....5] [ip4][..tcp] [..192.168.1.178][51600] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] diff --git a/test/results/flow-info/default/forticlient.pcap.out b/test/results/flow-info/default/forticlient.pcap.out index aa985be71..fc63300cd 100644 --- a/test/results/flow-info/default/forticlient.pcap.out +++ b/test/results/flow-info/default/forticlient.pcap.out @@ -36,7 +36,7 @@ RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS detection-update: [.....5] [ip4][..tcp] [..192.168.1.178][61820] -> [....82.81.46.13][10443] [TLS.FortiClient][Unknown][VPN][Safe][82.81.46.13] RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS - analyse: [.....5] [ip4][..tcp] [..192.168.1.178][61820] -> [....82.81.46.13][10443] [TLS.FortiClient][Unknown][VPN][Safe][82.81.46.13] + analyse: [.....5] [ip4][..tcp] [..192.168.1.178][61820] -> [....82.81.46.13][10443] [TLS.FortiClient][Unknown][VPN][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.495| 0.071| 0.112| 12454.003| 3.700] [PKTLEN......: 52.000| 1492.000| 253.000| 343.000| 117623.000| 4.100] diff --git a/test/results/flow-info/default/fuzz-2006-06-26-2594.pcap.out b/test/results/flow-info/default/fuzz-2006-06-26-2594.pcap.out index 364879a3a..ef121ec66 100644 --- a/test/results/flow-info/default/fuzz-2006-06-26-2594.pcap.out +++ b/test/results/flow-info/default/fuzz-2006-06-26-2594.pcap.out @@ -980,7 +980,7 @@ detection-update: [...145] [ip4][..udp] [....192.168.1.2][.2774] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][_sip._udp.sip.cybercity.dk] RISK: Malformed Packet, Non-Printable/Invalid Chars Detected, Unidirectional Traffic guessed: [...114] [ip4][..udp] [.192.168.37.115][.2758] -> [....128.168.1.1][...53] [DNS][Unknown][Network][Acceptable][] - RISK: Malformed Packet, Unidirectional Traffic + RISK: Unidirectional Traffic idle: [...114] [ip4][..udp] [.192.168.37.115][.2758] -> [....128.168.1.1][...53] idle: [...115] [ip4][..udp] [....192.168.1.2][.2758] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable] RISK: Unidirectional Traffic @@ -1007,7 +1007,7 @@ detection-update: [...148] [ip4][..udp] [....192.168.1.2][.2776] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][_sip._udp.sip.cybercity.dk] RISK: Malformed Packet, Non-Printable/Invalid Chars Detected, Unidirectional Traffic guessed: [...118] [ip4][..udp] [.....192.22.1.2][.2760] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][] - RISK: Malformed Packet, Unidirectional Traffic + RISK: Unidirectional Traffic idle: [...118] [ip4][..udp] [.....192.22.1.2][.2760] -> [....192.168.1.1][...53] idle: [...119] [ip4][..udp] [....192.168.1.2][.2760] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable] RISK: Unidirectional Traffic @@ -1998,7 +1998,7 @@ detected: [...256] [ip4][..udp] [....192.168.1.2][.2831] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][1.0.0.127.in-addr.arpa] detection-update: [...256] [ip4][..udp] [....192.168.1.2][.2831] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][1.0.0.127.in-addr.arpa] guessed: [...222] [ip4][..udp] [....128.168.1.2][.2810] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][] - RISK: Malformed Packet, Unidirectional Traffic + RISK: Unidirectional Traffic idle: [...222] [ip4][..udp] [....128.168.1.2][.2810] -> [....192.168.1.1][...53] update: [...245] [ip4][..udp] [....192.168.1.2][.2827] -> [..192.168.1.114][...53] [DNS][Unknown][Network][Acceptable] update: [...246] [ip4][..udp] [....192.168.1.2][.2827] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable] diff --git a/test/results/flow-info/default/fuzz-2006-09-29-28586.pcap.out b/test/results/flow-info/default/fuzz-2006-09-29-28586.pcap.out index c0d3a948f..3a3922c76 100644 --- a/test/results/flow-info/default/fuzz-2006-09-29-28586.pcap.out +++ b/test/results/flow-info/default/fuzz-2006-09-29-28586.pcap.out @@ -10,6 +10,8 @@ new: [.....4] [ip4][..tcp] [......0.20.3.13][...80] -> [.....172.20.3.5][.2601] [MIDSTREAM] ERROR-EVENT: Unknown packet type [3/16] new: [.....5] [ip4][..tcp] [....172.20.3.13][53132] -> [.....172.20.3.5][...80] + detected: [.....5] [ip4][..tcp] [....172.20.3.13][53132] -> [.....172.20.3.5][...80] [HTTP][Unknown][Web][Acceptable][%s] + RISK: Clear-Text Credentials, Non-Printable/Invalid Chars Detected, Possible Exploit Attempt new: [.....6] [ip4][..tcp] [.....172.20.3.1][...80] -> [....172.20.3.13][53132] [MIDSTREAM] detected: [.....6] [ip4][..tcp] [.....172.20.3.1][...80] -> [....172.20.3.13][53132] [HTTP][Unknown][Web][Acceptable][] RISK: HTTP Susp User-Agent @@ -74,8 +76,8 @@ new: [....39] [ip4][..115] [....172.20.3.13] -> [.....172.20.3.5] idle: [.....6] [ip4][..tcp] [.....172.20.3.1][...80] -> [....172.20.3.13][53132] [HTTP][Unknown][Web][Acceptable] RISK: HTTP Susp User-Agent - guessed: [.....5] [ip4][..tcp] [....172.20.3.13][53132] -> [.....172.20.3.5][...80] [HTTP][Unknown][Web][Acceptable][] - end: [.....5] [ip4][..tcp] [....172.20.3.13][53132] -> [.....172.20.3.5][...80] + end: [.....5] [ip4][..tcp] [....172.20.3.13][53132] -> [.....172.20.3.5][...80] [HTTP][Unknown][Web][Acceptable][%s] + RISK: Clear-Text Credentials, Non-Printable/Invalid Chars Detected, Possible Exploit Attempt guessed: [....36] [ip4][..tcp] [...172.20.67.13][53136] -> [.....172.20.3.5][...80] [HTTP][Unknown][Web][Acceptable][] RISK: Unidirectional Traffic idle: [....36] [ip4][..tcp] [...172.20.67.13][53136] -> [.....172.20.3.5][...80] diff --git a/test/results/flow-info/default/googledns_android10.pcap.out b/test/results/flow-info/default/googledns_android10.pcap.out index 30fa42554..64abf75b8 100644 --- a/test/results/flow-info/default/googledns_android10.pcap.out +++ b/test/results/flow-info/default/googledns_android10.pcap.out @@ -23,7 +23,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [.....4] [ip4][..tcp] [..192.168.1.159][48048] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Google][Network][Acceptable][dns.google] RISK: TLS (probably) Not Carrying HTTPS - analyse: [.....4] [ip4][..tcp] [..192.168.1.159][48048] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Google][Network][Acceptable][dns.google] + analyse: [.....4] [ip4][..tcp] [..192.168.1.159][48048] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Google][Network][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.447| 0.072| 0.122| 14825.912| 3.500] [PKTLEN......: 52.000| 1470.000| 268.200| 356.700| 127227.700| 4.100] @@ -44,7 +44,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [.....7] [ip4][..tcp] [..192.168.1.159][48098] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Google][Network][Acceptable][dns.google] RISK: TLS (probably) Not Carrying HTTPS - analyse: [.....7] [ip4][..tcp] [..192.168.1.159][48098] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Google][Network][Acceptable][dns.google] + analyse: [.....7] [ip4][..tcp] [..192.168.1.159][48098] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Google][Network][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 1.254| 0.185| 0.342| 116761.002| 3.200] [PKTLEN......: 52.000| 569.000| 198.200| 197.900| 39161.300| 4.400] @@ -75,7 +75,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [.....8] [ip4][..tcp] [..192.168.1.159][48210] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Google][Network][Acceptable][dns.google] RISK: TLS (probably) Not Carrying HTTPS - analyse: [.....8] [ip4][..tcp] [..192.168.1.159][48210] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Google][Network][Acceptable][dns.google] + analyse: [.....8] [ip4][..tcp] [..192.168.1.159][48210] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Google][Network][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 5.704| 0.390| 1.388| 1925240.193| 1.500] [PKTLEN......: 52.000| 1470.000| 268.200| 356.700| 127227.700| 4.100] diff --git a/test/results/flow-info/default/http-basic-auth.pcap.out b/test/results/flow-info/default/http-basic-auth.pcap.out new file mode 100644 index 000000000..5933e535d --- /dev/null +++ b/test/results/flow-info/default/http-basic-auth.pcap.out @@ -0,0 +1,206 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [....192.168.0.4][54317] -> [192.254.189.169][...80] + new: [.....2] [ip4][..tcp] [....192.168.0.4][54318] -> [192.254.189.169][...80] + new: [.....3] [ip4][..tcp] [....192.168.0.4][54319] -> [192.254.189.169][...80] + new: [.....4] [ip4][..tcp] [....192.168.0.4][54320] -> [192.254.189.169][...80] + new: [.....5] [ip4][..tcp] [....192.168.0.4][54321] -> [192.254.189.169][...80] + new: [.....6] [ip4][..tcp] [....192.168.0.4][54322] -> [192.254.189.169][...80] + detected: [.....1] [ip4][..tcp] [....192.168.0.4][54317] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + detection-update: [.....1] [ip4][..tcp] [....192.168.0.4][54317] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Error Code + analyse: [.....1] [ip4][..tcp] [....192.168.0.4][54317] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 4.822| 0.486| 1.309| 1713882.661| 2.300] + [PKTLEN......: 52.000| 1500.000| 626.500| 665.800| 443276.400| 4.100] + [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 3,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,1,0,0] + [IATS(ms)....: 243.2,243.3,0.1,201.9,227.4,1.3,430.4,0.6,0.6,0.7,0.7,3.6,3.8,7.4,3.7,8.0,11.6,0.7,3.2,3.9,163.9,2.4,166.3,3.7,3.9,7.6,2.9,2.9,4822.3,4822.3,3673.5] + [PKTLENS.....: 64,60,52,752,52,1500,537,52,131,52,274,52,1500,1500,52,1500,1500,52,1500,1500,52,1500,1500,52,1500,1500,52,1001,52,52,52,52] + [ENTROPIES...: 4.4,5.1,5.0,5.8,5.0,5.4,5.6,4.9,5.4,5.0,5.6,5.0,5.4,5.1,5.0,5.0,5.1,5.0,5.1,5.1,5.0,5.1,5.2,5.0,5.4,5.4,5.0,5.7,5.0,5.0,4.9,5.0] + detected: [.....2] [ip4][..tcp] [....192.168.0.4][54318] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + detection-update: [.....2] [ip4][..tcp] [....192.168.0.4][54318] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials, Error Code + analyse: [.....2] [ip4][..tcp] [....192.168.0.4][54318] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 7.939| 0.797| 2.054| 4220874.654| 2.400] + [PKTLEN......: 52.000| 1500.000| 627.900| 665.600| 443017.800| 4.100] + [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 4,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,1,1,1,0,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,1] + [IATS(ms)....: 244.2,244.3,1383.3,1383.3,7743.3,7938.9,165.1,1.2,361.9,0.6,0.6,0.7,0.7,4.1,3.6,7.8,4.0,4.1,8.0,3.8,3.9,7.7,159.5,3.9,163.4,3.6,6.0,9.5,0.6,0.6,4835.5] + [PKTLENS.....: 64,60,52,60,52,787,58,1500,537,52,131,52,274,52,1500,1500,52,1500,1500,52,1500,1500,52,1500,1500,52,1500,1500,52,998,52,52] + [ENTROPIES...: 4.4,5.1,5.2,5.0,5.2,5.9,5.3,5.5,5.6,5.1,5.4,5.1,5.7,5.0,5.4,5.1,5.1,5.0,5.1,5.1,5.1,5.1,5.1,5.1,5.2,5.1,5.4,5.4,5.1,5.7,5.1,5.1] + new: [.....7] [ip4][..tcp] [....192.168.0.4][54337] -> [192.254.189.169][...80] + detected: [.....7] [ip4][..tcp] [....192.168.0.4][54337] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + new: [.....8] [ip4][..tcp] [....192.168.0.4][54338] -> [192.254.189.169][...80] + detection-update: [.....7] [ip4][..tcp] [....192.168.0.4][54337] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials, Error Code + analyse: [.....7] [ip4][..tcp] [....192.168.0.4][54337] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 4.862| 0.405| 1.194| 1424465.723| 2.200] + [PKTLEN......: 52.000| 1500.000| 626.900| 665.600| 443042.200| 4.100] + [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 3,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,1,0,0] + [IATS(ms)....: 180.0,180.1,0.1,194.0,206.4,1.3,401.5,0.6,0.6,0.7,0.7,4.0,4.6,8.7,4.6,3.0,7.6,3.3,5.3,8.6,159.0,4.0,163.0,3.6,4.2,7.9,2.6,2.6,4861.8,4861.8,1269.0] + [PKTLENS.....: 64,60,52,791,52,1500,537,52,131,52,274,52,1500,1500,52,1500,1500,52,1500,1500,52,1500,1500,52,1500,1500,52,975,52,52,52,52] + [ENTROPIES...: 4.4,5.1,5.1,5.9,5.0,5.4,5.6,5.1,5.4,5.0,5.6,5.1,5.4,5.1,5.0,5.0,5.1,5.1,5.1,5.1,5.1,5.1,5.2,5.1,5.4,5.4,5.0,5.7,5.0,5.0,5.1,5.1] + detected: [.....8] [ip4][..tcp] [....192.168.0.4][54338] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + detection-update: [.....8] [ip4][..tcp] [....192.168.0.4][54338] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials, Error Code + analyse: [.....8] [ip4][..tcp] [....192.168.0.4][54338] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 5.591| 0.470| 1.348| 1817151.799| 2.200] + [PKTLEN......: 52.000| 1500.000| 627.500| 656.200| 430625.700| 4.100] + [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 3,0,1,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,1,1,1,0,1,0,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1] + [IATS(ms)....: 181.5,181.5,1115.4,1115.4,5396.0,5591.1,193.0,1.4,389.4,1.1,1.1,0.6,0.6,0.7,0.7,7.1,0.8,7.9,3.9,3.5,7.3,4.2,161.7,166.0,3.9,4.0,7.9,3.9,3.7,7.7,1.8] + [PKTLENS.....: 64,60,52,60,52,791,58,1500,537,52,131,52,274,52,365,52,1500,1500,52,1500,1500,52,1500,1500,52,1500,1500,52,1500,1500,52,669] + [ENTROPIES...: 4.5,5.1,5.1,5.2,5.2,5.9,5.1,5.4,5.6,5.1,5.4,5.1,5.6,5.1,5.8,4.9,5.3,5.0,5.0,5.1,5.1,5.2,5.1,5.1,5.2,5.1,5.2,5.1,5.4,5.4,5.2,5.8] + new: [.....9] [ip4][..tcp] [....192.168.0.4][54340] -> [192.254.189.169][...80] + new: [....10] [ip4][..tcp] [....192.168.0.4][54341] -> [192.254.189.169][...80] + new: [....11] [ip4][..tcp] [....192.168.0.4][54342] -> [192.254.189.169][...80] + new: [....12] [ip4][..tcp] [....192.168.0.4][54343] -> [192.254.189.169][...80] + detected: [.....9] [ip4][..tcp] [....192.168.0.4][54340] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + detected: [....10] [ip4][..tcp] [....192.168.0.4][54341] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + detected: [....11] [ip4][..tcp] [....192.168.0.4][54342] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + detected: [....12] [ip4][..tcp] [....192.168.0.4][54343] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + new: [....13] [ip4][..tcp] [....192.168.0.4][54354] -> [192.254.189.169][...80] + analyse: [.....9] [ip4][..tcp] [....192.168.0.4][54340] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 4.812| 0.386| 1.140| 1299265.487| 2.300] + [PKTLEN......: 52.000| 1500.000| 464.500| 552.500| 305249.300| 4.100] + [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 3,0,1,0,3,0,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,1,1,0,1,0,1,0,1,0,1,1,0,1,0,1,1,0] + [IATS(ms)....: 203.4,203.5,0.3,194.8,10.4,204.8,49.7,338.1,288.3,3.6,208.9,205.3,4591.8,4811.6,185.3,1.8,406.8,0.6,0.6,0.6,0.6,0.8,0.8,3.8,6.5,10.3,1.4,1.4,3.9,3.7,7.6] + [PKTLENS.....: 64,60,52,783,52,189,52,788,189,52,791,189,52,761,58,1500,597,52,131,52,274,52,365,52,1500,1500,52,1500,52,1500,1500,52] + [ENTROPIES...: 4.4,5.1,5.0,5.9,5.1,5.8,5.1,5.9,5.8,5.1,5.9,5.8,5.1,5.9,5.2,5.4,5.5,5.1,5.4,5.0,5.7,5.0,5.7,5.1,5.3,5.0,5.1,5.1,5.0,5.1,5.1,5.0] + new: [....14] [ip4][..tcp] [....192.168.0.4][54487] -> [192.254.189.169][...80] + detected: [....14] [ip4][..tcp] [....192.168.0.4][54487] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + analyse: [....14] [ip4][..tcp] [....192.168.0.4][54487] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 4.838| 0.365| 1.179| 1389490.602| 1.900] + [PKTLEN......: 52.000| 1500.000| 615.900| 661.200| 437136.200| 4.100] + [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 3,0,1,0,0,0,0,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0] + [IATS(ms)....: 197.2,197.3,0.1,193.6,225.1,1.6,420.1,0.3,0.3,1.2,1.3,4.2,3.6,7.8,4.1,4.1,3.7,4.1,7.8,4.0,4.0,162.1,4.0,166.1,4.0,4.0,3.5,1.4,4.9,4837.6,4837.6] + [PKTLENS.....: 64,60,52,761,52,1500,597,52,131,52,471,52,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,398,52,52,52] + [ENTROPIES...: 4.4,5.1,5.1,5.9,5.0,5.4,5.5,5.1,5.4,5.1,5.7,5.0,5.3,5.1,5.0,5.1,5.0,5.1,5.1,5.1,5.1,5.0,5.1,5.2,5.1,5.3,5.0,5.5,5.8,5.0,5.0,5.0] + new: [....15] [ip4][..tcp] [....192.168.0.4][54505] -> [192.254.189.169][...80] + new: [....16] [ip4][..tcp] [....192.168.0.4][54506] -> [192.254.189.169][...80] + new: [....17] [ip4][..tcp] [....192.168.0.4][54507] -> [192.254.189.169][...80] + new: [....18] [ip4][..tcp] [....192.168.0.4][54508] -> [192.254.189.169][...80] + new: [....19] [ip4][..tcp] [....192.168.0.4][54509] -> [192.254.189.169][...80] + detected: [....15] [ip4][..tcp] [....192.168.0.4][54505] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + analyse: [....15] [ip4][..tcp] [....192.168.0.4][54505] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.410| 0.053| 0.099| 9719.476| 3.100] + [PKTLEN......: 52.000| 1500.000| 614.700| 658.500| 433660.400| 4.100] + [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 2,0,1,0,0,0,1,1,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0] + [IATS(ms)....: 204.5,204.6,0.2,194.7,213.8,1.8,410.0,0.6,0.6,0.6,0.6,0.9,0.9,5.4,2.2,7.6,3.9,4.0,7.9,3.8,21.6,169.0,3.7,154.9,4.0,4.1,3.9,4.0,7.8,2.6,2.5] + [PKTLENS.....: 64,60,52,714,52,1500,597,52,131,52,274,52,365,52,1500,1500,52,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,1500,52,289,52] + [ENTROPIES...: 4.4,5.2,5.2,5.9,5.1,5.4,5.5,5.1,5.4,5.1,5.7,5.1,5.7,5.1,5.3,5.0,5.1,5.1,5.1,5.1,5.1,5.1,5.1,5.1,5.1,5.2,5.0,5.3,5.6,5.1,5.8,5.1] + detected: [....16] [ip4][..tcp] [....192.168.0.4][54506] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + analyse: [....16] [ip4][..tcp] [....192.168.0.4][54506] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.001| 9.537| 0.739| 2.305| 5311970.148| 2.000] + [PKTLEN......: 52.000| 1500.000| 715.000| 702.000| 492871.900| 4.200] + [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 3,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,1,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0] + [IATS(ms)....: 205.1,205.1,1239.2,1239.2,9336.2,9536.7,269.7,3.9,474.2,3.9,3.9,3.9,3.9,7.8,5.5,5.6,2.5,3.5,5.9,3.9,4.0,3.7,163.4,167.1,4.0,3.9,4.6,3.2,7.9,1.1,1.1] + [PKTLENS.....: 64,60,52,60,52,695,58,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,1500,52,320,52] + [ENTROPIES...: 4.4,5.1,5.1,5.1,5.1,5.9,5.3,5.4,5.5,5.0,5.3,5.1,5.0,5.1,5.1,5.1,5.0,5.1,5.1,5.1,5.1,5.0,5.1,5.3,5.1,5.2,5.0,5.2,5.5,5.1,5.8,5.0] + new: [....20] [ip4][..tcp] [....192.168.0.4][54580] -> [192.254.189.169][...80] + new: [....21] [ip4][..tcp] [....192.168.0.4][54581] -> [192.254.189.169][...80] + new: [....22] [ip4][..tcp] [....192.168.0.4][54582] -> [192.254.189.169][...80] + new: [....23] [ip4][..tcp] [....192.168.0.4][54583] -> [192.254.189.169][...80] + new: [....24] [ip4][..tcp] [....192.168.0.4][54584] -> [192.254.189.169][...80] + new: [....25] [ip4][..tcp] [....192.168.0.4][54596] -> [192.254.189.169][...80] + detected: [....20] [ip4][..tcp] [....192.168.0.4][54580] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + detected: [....21] [ip4][..tcp] [....192.168.0.4][54581] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + detected: [....22] [ip4][..tcp] [....192.168.0.4][54582] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + detected: [....23] [ip4][..tcp] [....192.168.0.4][54583] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + detected: [....24] [ip4][..tcp] [....192.168.0.4][54584] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + analyse: [....24] [ip4][..tcp] [....192.168.0.4][54584] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.002| 2.440| 0.244| 0.570| 324880.892| 2.800] + [PKTLEN......: 52.000| 1500.000| 641.400| 656.800| 431405.000| 4.200] + [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 3,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0] + [IATS(ms)....: 191.6,191.7,451.5,691.2,19.0,258.7,2193.0,2440.0,223.7,1.5,472.1,13.2,13.3,3.5,4.1,7.5,4.0,4.0,4.1,3.5,7.6,3.9,4.0,3.9,158.9,162.7,3.8,3.9,3.9,1.9,5.7] + [PKTLENS.....: 64,60,52,783,52,189,52,763,58,1500,597,52,131,52,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,757,52] + [ENTROPIES...: 4.3,5.0,5.1,5.9,5.0,5.8,5.0,5.9,5.2,5.4,5.5,5.1,5.4,5.1,5.4,5.2,5.1,5.0,5.0,5.1,5.1,5.1,5.1,5.0,5.1,5.2,5.1,5.2,5.0,5.4,5.7,5.1] + end: [.....1] [ip4][..tcp] [....192.168.0.4][54317] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Error Code + end: [.....2] [ip4][..tcp] [....192.168.0.4][54318] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials, Error Code + guessed: [.....3] [ip4][..tcp] [....192.168.0.4][54319] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][] + end: [.....3] [ip4][..tcp] [....192.168.0.4][54319] -> [192.254.189.169][...80] + guessed: [.....4] [ip4][..tcp] [....192.168.0.4][54320] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][] + end: [.....4] [ip4][..tcp] [....192.168.0.4][54320] -> [192.254.189.169][...80] + guessed: [.....5] [ip4][..tcp] [....192.168.0.4][54321] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][] + end: [.....5] [ip4][..tcp] [....192.168.0.4][54321] -> [192.254.189.169][...80] + guessed: [.....6] [ip4][..tcp] [....192.168.0.4][54322] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][] + end: [.....6] [ip4][..tcp] [....192.168.0.4][54322] -> [192.254.189.169][...80] + end: [.....7] [ip4][..tcp] [....192.168.0.4][54337] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials, Error Code + end: [.....8] [ip4][..tcp] [....192.168.0.4][54338] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials, Error Code + end: [.....9] [ip4][..tcp] [....192.168.0.4][54340] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + end: [....10] [ip4][..tcp] [....192.168.0.4][54341] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + end: [....11] [ip4][..tcp] [....192.168.0.4][54342] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + end: [....12] [ip4][..tcp] [....192.168.0.4][54343] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + guessed: [....13] [ip4][..tcp] [....192.168.0.4][54354] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][] + end: [....13] [ip4][..tcp] [....192.168.0.4][54354] -> [192.254.189.169][...80] + end: [....14] [ip4][..tcp] [....192.168.0.4][54487] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + end: [....15] [ip4][..tcp] [....192.168.0.4][54505] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + end: [....16] [ip4][..tcp] [....192.168.0.4][54506] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + guessed: [....17] [ip4][..tcp] [....192.168.0.4][54507] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][] + end: [....17] [ip4][..tcp] [....192.168.0.4][54507] -> [192.254.189.169][...80] + guessed: [....18] [ip4][..tcp] [....192.168.0.4][54508] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][] + end: [....18] [ip4][..tcp] [....192.168.0.4][54508] -> [192.254.189.169][...80] + guessed: [....19] [ip4][..tcp] [....192.168.0.4][54509] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][] + end: [....19] [ip4][..tcp] [....192.168.0.4][54509] -> [192.254.189.169][...80] + end: [....20] [ip4][..tcp] [....192.168.0.4][54580] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + end: [....21] [ip4][..tcp] [....192.168.0.4][54581] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + end: [....22] [ip4][..tcp] [....192.168.0.4][54582] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + end: [....23] [ip4][..tcp] [....192.168.0.4][54583] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + end: [....24] [ip4][..tcp] [....192.168.0.4][54584] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + guessed: [....25] [ip4][..tcp] [....192.168.0.4][54596] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][] + end: [....25] [ip4][..tcp] [....192.168.0.4][54596] -> [192.254.189.169][...80] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/http-pwd.pcapng.out b/test/results/flow-info/default/http-pwd.pcapng.out new file mode 100644 index 000000000..a94239cf3 --- /dev/null +++ b/test/results/flow-info/default/http-pwd.pcapng.out @@ -0,0 +1,13 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [......127.0.0.1][56451] -> [......127.0.0.1][.3000] + detected: [.....1] [ip4][..tcp] [......127.0.0.1][56451] -> [......127.0.0.1][.3000] [HTTP][Unknown][Web][Acceptable][localhost] + RISK: Known Proto on Non Std Port + detection-update: [.....1] [ip4][..tcp] [......127.0.0.1][56451] -> [......127.0.0.1][.3000] [HTTP][Unknown][Web][Acceptable][localhost] + RISK: Known Proto on Non Std Port, Clear-Text Credentials + detection-update: [.....1] [ip4][..tcp] [......127.0.0.1][56451] -> [......127.0.0.1][.3000] [HTTP.ntop][Unknown][Web][Safe][localhost] + RISK: Clear-Text Credentials + end: [.....1] [ip4][..tcp] [......127.0.0.1][56451] -> [......127.0.0.1][.3000] [HTTP.ntop][Unknown][Web][Safe][localhost] + RISK: Clear-Text Credentials + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/http_connect.pcap.out b/test/results/flow-info/default/http_connect.pcap.out index 1f5206203..fd0d5b6e9 100644 --- a/test/results/flow-info/default/http_connect.pcap.out +++ b/test/results/flow-info/default/http_connect.pcap.out @@ -10,7 +10,7 @@ new: [.....3] [ip4][..tcp] [..192.168.1.146][35968] -> [..151.101.2.132][..443] detected: [.....3] [ip4][..tcp] [..192.168.1.146][35968] -> [..151.101.2.132][..443] [TLS][Unknown][Web][Safe][apache.org] detection-update: [.....3] [ip4][..tcp] [..192.168.1.146][35968] -> [..151.101.2.132][..443] [TLS][Unknown][Web][Safe][apache.org] - analyse: [.....3] [ip4][..tcp] [..192.168.1.146][35968] -> [..151.101.2.132][..443] [TLS][Unknown][Web][Safe][apache.org] + analyse: [.....3] [ip4][..tcp] [..192.168.1.146][35968] -> [..151.101.2.132][..443] [TLS][Unknown][Web][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.016| 0.003| 0.005| 23.691| 3.400] [PKTLEN......: 52.000| 1436.000| 549.000| 627.700| 394029.600| 4.000] diff --git a/test/results/flow-info/default/http_ipv6.pcap.out b/test/results/flow-info/default/http_ipv6.pcap.out index d516b0969..4cbdc24ae 100644 --- a/test/results/flow-info/default/http_ipv6.pcap.out +++ b/test/results/flow-info/default/http_ipv6.pcap.out @@ -66,7 +66,7 @@ RISK: TLS Cert Mismatch end: [.....8] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][37494] -> [................2a03:b0c0:3:d0::70:1001][..443] [TLS.ntop][Unknown][Network][Safe] RISK: TLS Cert Mismatch - idle: [....12] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][37506] -> [................2a03:b0c0:3:d0::70:1001][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] + idle: [....12] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][37506] -> [................2a03:b0c0:3:d0::70:1001][..443] [TLS.ntop][Unknown][Network][Safe] RISK: TLS Cert Mismatch guessed: [.....1] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][40526] -> [...............2a00:1450:4006:804::200e][..443] [TLS][Google][Web][Safe] idle: [.....1] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][40526] -> [...............2a00:1450:4006:804::200e][..443] diff --git a/test/results/flow-info/default/instagram.pcap.out b/test/results/flow-info/default/instagram.pcap.out index 71ef03928..c906028f4 100644 --- a/test/results/flow-info/default/instagram.pcap.out +++ b/test/results/flow-info/default/instagram.pcap.out @@ -215,7 +215,7 @@ end: [....16] [ip4][..tcp] [..192.168.0.103][38817] -> [...46.33.70.160][...80] idle: [....10] [ip4][..udp] [..192.168.0.106][17500] -> [..192.168.0.255][17500] [Dropbox][Unknown][Cloud][Acceptable] idle: [....31] [ip4][..udp] [..192.168.0.103][27124] -> [........8.8.8.8][...53] [DNS.Instagram][Google][Network][Fun] - idle: [.....1] [ip4][..tcp] [..192.168.0.103][56382] -> [..173.252.107.4][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun][telegraph-ash.instagram.com] + idle: [.....1] [ip4][..tcp] [..192.168.0.103][56382] -> [..173.252.107.4][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun] RISK: Obsolete TLS (v1.1 or older) idle: [....15] [ip4][..tcp] [..192.168.0.103][33763] -> [....31.13.93.52][..443] [TLS][Facebook][Web][Safe] idle: [....29] [ip4][..tcp] [....2.22.236.51][...80] -> [..192.168.0.103][44151] [HTTP][Unknown][Web][Acceptable] @@ -234,7 +234,7 @@ detected: [....38] [ip4][..tcp] [...192.168.2.17][49361] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun][scontent-mxp1-1.cdninstagram.com] detection-update: [....37] [ip4][..tcp] [...192.168.2.17][49360] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun][scontent-mxp1-1.cdninstagram.com] detection-update: [....38] [ip4][..tcp] [...192.168.2.17][49361] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun][scontent-mxp1-1.cdninstagram.com] - analyse: [....34] [ip4][..tcp] [...192.168.2.17][49357] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun][scontent-mxp1-1.cdninstagram.com] + analyse: [....34] [ip4][..tcp] [...192.168.2.17][49357] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 10.470| 0.692| 2.561| 6557671.096| 1.200] [PKTLEN......: 52.000| 1440.000| 460.700| 528.600| 279392.300| 4.100] @@ -246,7 +246,7 @@ [ENTROPIES...: 4.2,5.1,4.9,7.1,7.6,5.0,5.0,6.8,4.9,6.4,7.0,4.8,7.7,7.9,7.9,7.8,7.9,7.9,7.7,7.9,5.8,5.0,5.0,4.9,4.9,4.9,5.0,7.6,7.6,5.1,5.1,7.8] idle: [....33] [ip4][..tcp] [...192.168.2.17][49355] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun] end: [....34] [ip4][..tcp] [...192.168.2.17][49357] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun][scontent-mxp1-1.cdninstagram.com] - idle: [....35] [ip4][..tcp] [...192.168.2.17][49358] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun][scontent-mxp1-1.cdninstagram.com] + idle: [....35] [ip4][..tcp] [...192.168.2.17][49358] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun] idle: [....36] [ip4][..tcp] [...192.168.2.17][49359] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun] idle: [....37] [ip4][..tcp] [...192.168.2.17][49360] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun] idle: [....38] [ip4][..tcp] [...192.168.2.17][49361] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun] diff --git a/test/results/flow-info/default/iphone.pcap.out b/test/results/flow-info/default/iphone.pcap.out index 0b7a60a00..f7d12f89b 100644 --- a/test/results/flow-info/default/iphone.pcap.out +++ b/test/results/flow-info/default/iphone.pcap.out @@ -133,7 +133,7 @@ new: [....48] [ip4][..udp] [...192.168.2.17][65079] -> [....192.168.2.1][...53] detected: [....48] [ip4][..udp] [...192.168.2.17][65079] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][play.itunes.apple.com] detection-update: [....48] [ip4][..udp] [...192.168.2.17][65079] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][play.itunes.apple.com] - analyse: [....29] [ip4][..tcp] [...192.168.2.17][50580] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][gateway.icloud.com] + analyse: [....29] [ip4][..tcp] [...192.168.2.17][50580] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.686| 0.087| 0.170| 29013.449| 3.100] [PKTLEN......: 52.000| 1492.000| 310.700| 443.900| 197074.700| 3.900] @@ -146,7 +146,7 @@ new: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] detected: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun][play.itunes.apple.com] detection-update: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun][play.itunes.apple.com] - analyse: [....45] [ip4][..tcp] [...192.168.2.17][50584] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][gateway.icloud.com] + analyse: [....45] [ip4][..tcp] [...192.168.2.17][50584] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.655| 0.067| 0.146| 21410.738| 2.900] [PKTLEN......: 40.000| 1492.000| 299.400| 449.800| 202280.400| 3.800] @@ -156,7 +156,7 @@ [IATS(ms)....: 34.1,36.1,0.1,34.7,1.6,0.1,2.3,0.1,140.2,0.4,7.3,143.3,0.0,33.9,0.1,1.5,0.0,0.0,0.3,0.4,0.0,0.1,34.9,0.0,1.2,0.0,128.2,155.2,168.0,510.7,654.8] [PKTLENS.....: 64,60,52,569,52,1492,1492,1492,566,52,52,145,103,121,52,52,105,102,94,1070,90,436,90,52,90,52,52,52,736,52,40,52] [ENTROPIES...: 4.4,5.2,5.1,4.5,5.1,6.7,7.5,7.5,7.3,4.9,5.0,6.0,5.7,6.0,5.0,5.0,5.7,5.8,5.5,7.8,5.5,7.4,5.5,4.9,5.5,5.0,5.0,4.9,7.7,5.0,4.5,5.1] - analyse: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun][play.itunes.apple.com] + analyse: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.147| 0.026| 0.045| 1989.449| 3.200] [PKTLEN......: 52.000| 1492.000| 322.100| 461.100| 212650.100| 3.900] @@ -186,7 +186,7 @@ idle: [....29] [ip4][..tcp] [...192.168.2.17][50580] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][gateway.icloud.com] idle: [....38] [ip4][..tcp] [...192.168.2.17][50581] -> [..17.248.185.87][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][p26-keyvalueservice.icloud.com] idle: [....45] [ip4][..tcp] [...192.168.2.17][50584] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][gateway.icloud.com] - idle: [....47] [ip4][..tcp] [...192.168.2.17][50586] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][gateway.icloud.com] + idle: [....47] [ip4][..tcp] [...192.168.2.17][50586] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable] idle: [....28] [ip4][..udp] [...192.168.2.17][52852] -> [....192.168.2.1][...53] [DNS.AppleiCloud][Unknown][Network][Acceptable][gateway.icloud.com] idle: [....16] [ip4][..udp] [...192.168.2.17][63143] -> [....192.168.2.1][...53] [DNS.AppleiCloud][Unknown][Network][Acceptable][p26-fmfmobile.icloud.com] idle: [.....2] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable][lucas-imac] @@ -227,7 +227,7 @@ end: [....26] [ip4][..tcp] [...192.168.2.17][50578] -> [.17.253.105.202][..443] [TLS.Apple][Apple][Web][Safe] end: [....27] [ip4][..tcp] [...192.168.2.17][50579] -> [.17.253.105.202][..443] [TLS.Apple][Apple][Web][Safe] idle: [....23] [ip4][..tcp] [...192.168.2.17][50576] -> [...95.101.25.53][..443] [TLS.Apple][Unknown][Web][Safe] - idle: [....51] [ip4][..tcp] [...192.168.2.17][50588] -> [...95.101.24.53][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun][sync.itunes.apple.com] + idle: [....51] [ip4][..tcp] [...192.168.2.17][50588] -> [...95.101.24.53][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun] idle: [....33] [ip4][..udp] [...192.168.2.17][62526] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][cl4.apple.com] end: [....25] [ip4][..tcp] [...192.168.2.17][49152] -> [.17.253.105.202][...80] [HTTP.Apple][Apple][ConnCheck][Safe][captive.apple.com] idle: [....14] [ip6][icmp6] [...............fe80::823:3f17:8298:a29c] -> [...............................ff02::16] [ICMPV6][Unknown][Network][Acceptable] diff --git a/test/results/flow-info/default/line.pcap.out b/test/results/flow-info/default/line.pcap.out index 1bfbb8dcc..cd8913c1a 100644 --- a/test/results/flow-info/default/line.pcap.out +++ b/test/results/flow-info/default/line.pcap.out @@ -34,7 +34,7 @@ [IATS(ms)....: 74.6,74.7,34.4,71.2,134.8,63.6,34.3,34.4,78.2,122.6,44.3,34.3,34.3,68.3,109.3,41.2,34.5,34.3,6.9,46.8,64.5,59.0,90.2,2533.1,2477.5,34.5,34.2,78.8,154.7,69.6,35.1] [PKTLENS.....: 100,46,134,46,146,93,46,150,46,343,95,46,146,46,113,89,46,150,46,216,89,124,96,46,95,46,336,46,256,40,374,89] [ENTROPIES...: 5.9,4.7,6.3,4.7,6.6,6.0,4.7,6.6,4.7,7.4,6.0,4.7,6.5,4.7,6.4,5.9,4.7,6.7,4.7,7.0,5.9,6.3,6.0,4.7,6.0,4.7,7.3,4.7,7.1,4.8,7.4,5.9] - analyse: [.....3] [ip4][..tcp] [...10.200.3.125][58160] -> [.147.92.242.232][..443] [TLS.Line][Line][Chat][Acceptable][uts-front.line-apps.com] + analyse: [.....3] [ip4][..tcp] [...10.200.3.125][58160] -> [.147.92.242.232][..443] [TLS.Line][Line][Chat][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 7.306| 0.634| 1.725| 2976235.913| 2.700] [PKTLEN......: 40.000| 1500.000| 272.500| 367.300| 134881.600| 4.100] diff --git a/test/results/flow-info/default/malware.pcap.out b/test/results/flow-info/default/malware.pcap.out index 938a3b114..af612fda7 100644 --- a/test/results/flow-info/default/malware.pcap.out +++ b/test/results/flow-info/default/malware.pcap.out @@ -28,7 +28,8 @@ new: [.....6] [ip4][..tcp] [...192.168.0.20][41240] -> [.193.109.85.123][..443] detected: [.....6] [ip4][..tcp] [...192.168.0.20][41240] -> [.193.109.85.123][..443] [TLS][Unknown][Web][Safe][hobbeach.com] detection-update: [.....6] [ip4][..tcp] [...192.168.0.20][41240] -> [.193.109.85.123][..443] [TLS][Unknown][Web][Safe][hobbeach.com] - analyse: [.....6] [ip4][..tcp] [...192.168.0.20][41240] -> [.193.109.85.123][..443] [TLS][Unknown][Web][Safe][hobbeach.com] + detection-update: [.....6] [ip4][..tcp] [...192.168.0.20][41240] -> [.193.109.85.123][..443] [TLS][Unknown][Web][Safe][hobbeach.com] + analyse: [.....6] [ip4][..tcp] [...192.168.0.20][41240] -> [.193.109.85.123][..443] [TLS][Unknown][Web][Safe] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.111| 0.021| 0.035| 1237.078| 3.200] [PKTLEN......: 40.000| 1492.000| 579.600| 653.500| 427088.100| 4.000] diff --git a/test/results/flow-info/default/naver.pcap.out b/test/results/flow-info/default/naver.pcap.out new file mode 100644 index 000000000..ab719c4ec --- /dev/null +++ b/test/results/flow-info/default/naver.pcap.out @@ -0,0 +1,16 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [...10.215.173.1][40026] -> [...23.52.84.208][..443] + detected: [.....1] [ip4][..tcp] [...10.215.173.1][40026] -> [...23.52.84.208][..443] [TLS.Naver][Unknown][Web][Safe][m.naver.com] + detection-update: [.....1] [ip4][..tcp] [...10.215.173.1][40026] -> [...23.52.84.208][..443] [TLS.Naver][Unknown][Web][Safe][m.naver.com] + new: [.....2] [ip4][..tcp] [...10.215.173.1][42040] -> [..110.93.157.96][..443] + detected: [.....2] [ip4][..tcp] [...10.215.173.1][42040] -> [..110.93.157.96][..443] [TLS.Naver][Unknown][Web][Safe][kr-col-ext.nelo.navercorp.com] + detection-update: [.....2] [ip4][..tcp] [...10.215.173.1][42040] -> [..110.93.157.96][..443] [TLS.Naver][Unknown][Web][Safe][kr-col-ext.nelo.navercorp.com] + new: [.....3] [ip4][..tcp] [...10.215.173.1][45578] -> [.184.50.200.195][..443] + detected: [.....3] [ip4][..tcp] [...10.215.173.1][45578] -> [.184.50.200.195][..443] [TLS.Naver][Unknown][Web][Safe][dthumb-phinf.pstatic.net] + detection-update: [.....3] [ip4][..tcp] [...10.215.173.1][45578] -> [.184.50.200.195][..443] [TLS.Naver][Unknown][Web][Safe][dthumb-phinf.pstatic.net] + idle: [.....1] [ip4][..tcp] [...10.215.173.1][40026] -> [...23.52.84.208][..443] [TLS.Naver][Unknown][Web][Safe] + idle: [.....2] [ip4][..tcp] [...10.215.173.1][42040] -> [..110.93.157.96][..443] [TLS.Naver][Unknown][Web][Safe] + idle: [.....3] [ip4][..tcp] [...10.215.173.1][45578] -> [.184.50.200.195][..443] [TLS.Naver][Unknown][Web][Safe] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/netflix.pcap.out b/test/results/flow-info/default/netflix.pcap.out index b193aff4f..31480855f 100644 --- a/test/results/flow-info/default/netflix.pcap.out +++ b/test/results/flow-info/default/netflix.pcap.out @@ -34,7 +34,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [.....8] [ip4][..tcp] [....192.168.1.7][53117] -> [...52.32.196.36][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][api-global.netflix.com] RISK: TLS (probably) Not Carrying HTTPS - analyse: [.....4] [ip4][..tcp] [....192.168.1.7][53105] -> [..54.69.204.241][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][ichnaea.netflix.com] + analyse: [.....4] [ip4][..tcp] [....192.168.1.7][53105] -> [..54.69.204.241][..443] [TLS.NetFlix][AmazonAWS][Video][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.364| 0.040| 0.082| 6699.630| 3.200] [PKTLEN......: 52.000| 1500.000| 265.200| 396.800| 157454.800| 3.900] @@ -494,7 +494,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [....58] [ip4][..tcp] [....192.168.1.7][53250] -> [.....52.41.30.5][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][api-global.netflix.com] RISK: TLS (probably) Not Carrying HTTPS - analyse: [....57] [ip4][..tcp] [....192.168.1.7][53249] -> [.....52.41.30.5][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][api-global.netflix.com] + analyse: [....57] [ip4][..tcp] [....192.168.1.7][53249] -> [.....52.41.30.5][..443] [TLS.NetFlix][AmazonAWS][Video][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.141| 0.020| 0.029| 838.464| 3.900] [PKTLEN......: 52.000| 1500.000| 420.800| 506.400| 256458.000| 4.100] @@ -541,7 +541,7 @@ [IATS(ms)....: 15.4,16.8,2.1,27.2,1.0,1.1,27.3,38.1,39.4,39.9,44.7,83.4,40.7,236.7,277.7,1389.8,1416.3,0.3,12.8,48.7,0.2,12.8,12.8,15.9,13.8,16.3,12.8,12.7,23.2,13.3,13.2] [PKTLENS.....: 64,60,52,297,52,1500,1500,52,1500,52,1500,1500,52,1500,719,52,297,1500,1500,1500,52,52,1500,1500,52,1500,52,1500,1500,52,1500,52] [ENTROPIES...: 4.5,5.2,5.1,5.9,5.3,7.3,7.8,5.2,7.8,5.0,7.8,7.8,5.1,7.8,7.7,5.2,5.8,6.9,7.5,7.8,5.1,5.0,7.8,7.8,5.0,7.9,4.9,7.8,7.8,5.1,7.8,5.1] - idle: [....18] [ip4][..tcp] [....192.168.1.7][53141] -> [..104.86.97.179][..443] [TLS.NetFlix][Unknown][Video][Fun][art-s.nflximg.net] + idle: [....18] [ip4][..tcp] [....192.168.1.7][53141] -> [..104.86.97.179][..443] [TLS.NetFlix][Unknown][Video][Fun] idle: [....12] [ip4][....2] [....192.168.1.7] -> [239.255.255.250] [IGMP][Unknown][Network][Acceptable] idle: [....59] [ip4][..udp] [....192.168.1.7][57093] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][a1907.dscg.akamai.net] idle: [....19] [ip4][..udp] [....192.168.1.7][59180] -> [....192.168.1.1][...53] [DNS.NetFlix][Unknown][Network][Fun][artwork.akam.nflximg.net] @@ -560,7 +560,7 @@ end: [....24] [ip4][..tcp] [....192.168.1.7][53151] -> [.54.201.191.132][...80] [HTTP.NetFlix][AmazonAWS][Video][Fun][appboot.netflix.com] end: [.....6] [ip4][..tcp] [....192.168.1.7][53115] -> [...52.32.196.36][..443] [TLS.NetFlix][AmazonAWS][Video][Fun] idle: [.....7] [ip4][..tcp] [....192.168.1.7][53116] -> [...52.32.196.36][..443] [TLS.NetFlix][AmazonAWS][Video][Fun] - end: [.....8] [ip4][..tcp] [....192.168.1.7][53117] -> [...52.32.196.36][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][api-global.netflix.com] + end: [.....8] [ip4][..tcp] [....192.168.1.7][53117] -> [...52.32.196.36][..443] [TLS.NetFlix][AmazonAWS][Video][Fun] RISK: TLS (probably) Not Carrying HTTPS idle: [....10] [ip4][..udp] [....192.168.1.7][53776] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] end: [....20] [ip4][..tcp] [....192.168.1.7][53148] -> [..184.25.204.25][...80] [HTTP.NetFlix][Unknown][Video][Fun][art-2.nflximg.net] @@ -580,13 +580,13 @@ RISK: TLS (probably) Not Carrying HTTPS end: [....15] [ip4][..tcp] [....192.168.1.7][53133] -> [...52.89.39.139][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][api-global.netflix.com] RISK: TLS (probably) Not Carrying HTTPS - end: [....16] [ip4][..tcp] [....192.168.1.7][53134] -> [...52.89.39.139][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][api-global.netflix.com] + end: [....16] [ip4][..tcp] [....192.168.1.7][53134] -> [...52.89.39.139][..443] [TLS.NetFlix][AmazonAWS][Video][Fun] RISK: TLS (probably) Not Carrying HTTPS idle: [....52] [ip4][..udp] [....192.168.1.7][51622] -> [....192.168.1.1][...53] [DNS.NetFlix][Unknown][Network][Fun][ios.nccp.netflix.com] idle: [....55] [ip4][..tcp] [....192.168.1.7][53239] -> [.....52.41.30.5][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][api-global.netflix.com] idle: [....57] [ip4][..tcp] [....192.168.1.7][53249] -> [.....52.41.30.5][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][api-global.netflix.com] RISK: TLS (probably) Not Carrying HTTPS - idle: [....58] [ip4][..tcp] [....192.168.1.7][53250] -> [.....52.41.30.5][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][api-global.netflix.com] + idle: [....58] [ip4][..tcp] [....192.168.1.7][53250] -> [.....52.41.30.5][..443] [TLS.NetFlix][AmazonAWS][Video][Fun] RISK: TLS (probably) Not Carrying HTTPS idle: [....26] [ip4][..udp] [....192.168.1.7][51728] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][a803.dscg.akamai.net] idle: [....13] [ip4][..udp] [....192.168.1.7][51949] -> [....192.168.1.1][...53] [DNS.NetFlix][Unknown][Network][Fun][api-global.latency.prodaa.netflix.com] diff --git a/test/results/flow-info/default/no_sni.pcap.out b/test/results/flow-info/default/no_sni.pcap.out index 22aa7880e..5bfc889f2 100644 --- a/test/results/flow-info/default/no_sni.pcap.out +++ b/test/results/flow-info/default/no_sni.pcap.out @@ -10,7 +10,7 @@ detected: [.....2] [ip4][..tcp] [..192.168.1.119][51606] -> [.104.16.249.249][..443] [TLS.DoH_DoT][Cloudflare][Network][Acceptable][mozilla.cloudflare-dns.com] detection-update: [.....2] [ip4][..tcp] [..192.168.1.119][51606] -> [.104.16.249.249][..443] [TLS.DoH_DoT][Cloudflare][Network][Acceptable][mozilla.cloudflare-dns.com] new: [.....3] [ip4][..tcp] [..192.168.1.119][51612] -> [..104.16.124.96][..443] - analyse: [.....2] [ip4][..tcp] [..192.168.1.119][51606] -> [.104.16.249.249][..443] [TLS.DoH_DoT][Cloudflare][Network][Acceptable][mozilla.cloudflare-dns.com] + analyse: [.....2] [ip4][..tcp] [..192.168.1.119][51606] -> [.104.16.249.249][..443] [TLS.DoH_DoT][Cloudflare][Network][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.180| 0.028| 0.054| 2913.211| 3.000] [PKTLEN......: 40.000| 722.000| 127.200| 163.800| 26828.900| 4.200] @@ -63,6 +63,6 @@ end: [.....1] [ip4][..tcp] [..192.168.1.119][51331] -> [.104.16.249.249][..443] [TLS][Cloudflare][Web][Safe] idle: [.....2] [ip4][..tcp] [..192.168.1.119][51606] -> [.104.16.249.249][..443] [TLS.DoH_DoT][Cloudflare][Network][Acceptable][mozilla.cloudflare-dns.com] idle: [.....3] [ip4][..tcp] [..192.168.1.119][51612] -> [..104.16.124.96][..443] [TLS][Cloudflare][Web][Safe] - idle: [.....4] [ip4][..tcp] [..192.168.1.119][51635] -> [..104.17.198.37][..443] [TLS][Cloudflare][Web][Safe][951c558a-5e07-47ca-a0c0-225da1b33163.is-cf.help.every1dns.net] - idle: [.....5] [ip4][..tcp] [..192.168.1.119][51636] -> [..104.17.198.37][..443] [TLS][Cloudflare][Web][Safe][951c558a-5e07-47ca-a0c0-225da1b33163.is-doh.help.every1dns.net] + idle: [.....4] [ip4][..tcp] [..192.168.1.119][51635] -> [..104.17.198.37][..443] [TLS][Cloudflare][Web][Safe] + idle: [.....5] [ip4][..tcp] [..192.168.1.119][51636] -> [..104.17.198.37][..443] [TLS][Cloudflare][Web][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/ocs.pcap.out b/test/results/flow-info/default/ocs.pcap.out index d2048a4a5..2c44d6e1c 100644 --- a/test/results/flow-info/default/ocs.pcap.out +++ b/test/results/flow-info/default/ocs.pcap.out @@ -86,14 +86,14 @@ guessed: [.....1] [ip4][..tcp] [..192.168.180.2][47699] -> [.64.233.184.188][.5228] [Google][Google][Web][Acceptable] RISK: Unidirectional Traffic idle: [.....1] [ip4][..tcp] [..192.168.180.2][47699] -> [.64.233.184.188][.5228] - end: [.....6] [ip4][..tcp] [..192.168.180.2][39263] -> [..23.21.230.199][..443] [TLS.Crashlytics][AmazonAWS][DataTransfer][Acceptable][settings.crashlytics.com] + end: [.....6] [ip4][..tcp] [..192.168.180.2][39263] -> [..23.21.230.199][..443] [TLS.Crashlytics][AmazonAWS][DataTransfer][Acceptable] RISK: Obsolete TLS (v1.1 or older), Unidirectional Traffic end: [.....7] [ip4][..tcp] [..192.168.180.2][53356] -> [137.135.129.206][...80] [HTTP][Azure][Web][Acceptable] RISK: HTTP Susp User-Agent, Unidirectional Traffic - idle: [....15] [ip4][..tcp] [..192.168.180.2][36680] -> [.178.248.208.54][..443] [TLS.OCS][OCS][Media][Fun][ocs.labgency.ws] + idle: [....15] [ip4][..tcp] [..192.168.180.2][36680] -> [.178.248.208.54][..443] [TLS.OCS][OCS][Media][Fun] RISK: Obsolete TLS (v1.1 or older), Unidirectional Traffic idle: [....14] [ip4][..udp] [..192.168.180.2][.2589] -> [........8.8.8.8][...53] [DNS.OCS][Google][Network][Fun] - idle: [....16] [ip4][..tcp] [..192.168.180.2][32946] -> [.64.233.184.188][..443] [TLS.GoogleServices][Google][Web][Acceptable][mtalk.google.com] + idle: [....16] [ip4][..tcp] [..192.168.180.2][32946] -> [.64.233.184.188][..443] [TLS.GoogleServices][Google][Web][Acceptable] RISK: TLS (probably) Not Carrying HTTPS, Unidirectional Traffic end: [....13] [ip4][..tcp] [..192.168.180.2][49881] -> [.178.248.208.54][...80] [HTTP.OCS][OCS][Media][Fun][ocu03.labgency.ws] RISK: Unidirectional Traffic diff --git a/test/results/flow-info/default/ookla.pcap.out b/test/results/flow-info/default/ookla.pcap.out index 648be479e..8aef4141e 100644 --- a/test/results/flow-info/default/ookla.pcap.out +++ b/test/results/flow-info/default/ookla.pcap.out @@ -26,7 +26,7 @@ RISK: Known Proto on Non Std Port detection-update: [.....6] [ip4][..tcp] [..192.168.1.128][35830] -> [..89.96.108.170][.8080] [TLS][Unknown][Web][Safe][spd-pub-mi-01-01.fastwebnet.it] RISK: Known Proto on Non Std Port - detection-update: [.....6] [ip4][..tcp] [..192.168.1.128][35830] -> [..89.96.108.170][.8080] [TLS.Ookla][Unknown][Web][Safe][spd-pub-mi-01-01.fastwebnet.it] idle: [.....5] [ip4][..tcp] [..192.168.1.128][48854] -> [..104.16.209.12][..443] [TLS.Ookla][Cloudflare][Network][Safe] - idle: [.....6] [ip4][..tcp] [..192.168.1.128][35830] -> [..89.96.108.170][.8080] [TLS.Ookla][Unknown][Web][Safe][spd-pub-mi-01-01.fastwebnet.it] + idle: [.....6] [ip4][..tcp] [..192.168.1.128][35830] -> [..89.96.108.170][.8080] [TLS][Unknown][Web][Safe] + RISK: Known Proto on Non Std Port DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/openvpn_obfuscated.pcapng.out b/test/results/flow-info/default/openvpn_obfuscated.pcapng.out new file mode 100644 index 000000000..81462f07d --- /dev/null +++ b/test/results/flow-info/default/openvpn_obfuscated.pcapng.out @@ -0,0 +1,38 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [.192.168.12.156][37976] -> [..185.128.25.99][..465] + analyse: [.....1] [ip4][..tcp] [.192.168.12.156][37976] -> [..185.128.25.99][..465] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 1.020| 0.080| 0.242| 58469.183| 2.300] + [PKTLEN......: 52.000| 1500.000| 308.700| 431.500| 186180.000| 4.000] + [BINS(c->s)..: 7,0,1,3,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 7,0,0,4,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,1,1,0,0,0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1] + [IATS(ms)....: 20.0,22.1,6.2,28.1,0.0,21.2,1.0,26.3,0.0,0.0,0.0,28.0,0.1,0.2,23.6,57.5,41.8,4.8,15.8,16.4,4.9,7.9,24.7,0.5,24.0,23.3,24.7,66.8,1019.8,977.6,0.7] + [PKTLENS.....: 60,60,52,140,52,152,52,429,148,1500,1500,1500,52,52,152,164,52,52,376,873,52,52,801,52,310,172,395,176,52,199,52,148] + [ENTROPIES...: 4.7,5.2,5.1,6.5,5.1,6.6,5.1,7.3,6.6,7.9,7.9,7.9,5.0,5.1,6.5,6.7,5.1,5.1,7.3,7.8,5.1,5.1,7.7,5.2,7.3,6.7,7.5,6.5,5.1,6.9,5.1,6.5] + guessed: [.....1] [ip4][..tcp] [.192.168.12.156][37976] -> [..185.128.25.99][..465] [SMTPS][NordVPN][Email][Safe] + RISK: Fully Encrypted Flow + new: [.....2] [ip4][..udp] [.192.168.12.156][47128] -> [149.102.238.108][.1214] + DAEMON-EVENT: [Processed: 90 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 2 / 2|skipped: 0|!detected: 0|guessed: 1|detection-updates: 0|updates: 0] + new: [.....3] [ip4][..tcp] [.107.161.86.131][..443] -> [.192.168.12.156][48072] + analyse: [.....3] [ip4][..tcp] [.107.161.86.131][..443] -> [.192.168.12.156][48072] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.303| 0.045| 0.076| 5806.697| 3.500] + [PKTLEN......: 52.000| 152.000| 67.300| 23.700| 562.800| 4.900] + [BINS(c->s)..: 9,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 19,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,0,1,1,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,0] + [IATS(ms)....: 102.1,4.8,6.5,5.5,5.4,5.3,5.7,5.4,5.2,5.6,5.1,255.6,100.3,15.6,143.0,32.7,143.0,0.0,303.0,27.7,1.3,5.4,5.4,5.7,6.7,5.0,142.9,27.8,1.2,5.5,5.5] + [PKTLENS.....: 60,52,61,61,61,61,61,61,61,61,61,59,64,88,58,80,80,52,152,98,52,59,59,59,59,59,59,52,148,52,52,52] + [ENTROPIES...: 5.3,5.2,5.4,5.5,5.4,5.4,5.5,5.4,5.5,5.4,5.2,5.1,5.2,5.9,5.3,5.2,5.1,5.2,6.3,5.7,5.2,5.3,5.3,5.4,5.3,5.4,5.3,5.2,6.4,5.1,5.2,5.3] + guessed: [.....3] [ip4][..tcp] [.107.161.86.131][..443] -> [.192.168.12.156][48072] [TLS][Unknown][Web][Safe] + guessed: [.....2] [ip4][..udp] [.192.168.12.156][47128] -> [149.102.238.108][.1214] [NordVPN][NordVPN][VPN][Acceptable] + RISK: Susp Entropy + idle: [.....2] [ip4][..udp] [.192.168.12.156][47128] -> [149.102.238.108][.1214] + idle: [.....1] [ip4][..tcp] [.192.168.12.156][37976] -> [..185.128.25.99][..465] [SMTPS][NordVPN][Email][Safe] + RISK: Fully Encrypted Flow + idle: [.....3] [ip4][..tcp] [.107.161.86.131][..443] -> [.192.168.12.156][48072] [TLS][Unknown][Web][Safe] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/opera-vpn.pcapng.out b/test/results/flow-info/default/opera-vpn.pcapng.out index 07709011e..b279907a3 100644 --- a/test/results/flow-info/default/opera-vpn.pcapng.out +++ b/test/results/flow-info/default/opera-vpn.pcapng.out @@ -87,7 +87,7 @@ detected: [....29] [ip4][..tcp] [...192.168.1.29][51426] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] new: [....31] [ip4][..tcp] [...192.168.1.29][51428] -> [..77.111.247.69][..443] detection-update: [....28] [ip4][..tcp] [...192.168.1.29][51425] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [.....1] [ip4][..tcp] [...192.168.1.29][51398] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [.....1] [ip4][..tcp] [...192.168.1.29][51398] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.035| 0.008| 0.013| 162.243| 3.300] [PKTLEN......: 52.000| 1492.000| 436.200| 558.200| 311541.900| 3.900] @@ -99,7 +99,7 @@ [ENTROPIES...: 4.2,5.2,4.8,4.4,5.1,7.8,4.8,7.8,4.8,6.0,7.9,5.1,5.1,5.9,4.8,5.9,5.6,4.7,7.6,5.1,7.8,4.8,7.8,4.8,7.8,7.7,4.8,7.9,4.8,7.9,6.0,4.8] detected: [....30] [ip4][..tcp] [...192.168.1.29][51427] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....29] [ip4][..tcp] [...192.168.1.29][51426] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....11] [ip4][..tcp] [...192.168.1.29][51408] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....11] [ip4][..tcp] [...192.168.1.29][51408] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.034| 0.008| 0.013| 161.460| 3.300] [PKTLEN......: 52.000| 1492.000| 405.900| 517.200| 267501.900| 3.900] @@ -109,7 +109,7 @@ [IATS(ms)....: 34.0,34.0,0.1,26.8,0.3,27.1,0.2,0.2,0.2,0.0,26.0,1.0,6.6,33.2,0.1,0.1,1.0,1.0,0.1,26.4,0.4,26.6,0.2,0.0,0.2,0.8,0.8,0.5,0.0,0.5,0.1] [PKTLENS.....: 64,60,52,569,52,1492,52,1127,52,116,1467,52,52,91,52,93,52,76,52,591,52,1098,52,1492,704,52,1308,52,1098,764,52,52] [ENTROPIES...: 4.2,5.1,4.6,4.4,5.0,7.8,4.7,7.8,4.7,5.8,7.9,4.9,5.0,5.9,4.7,6.0,4.7,5.6,4.7,7.6,5.0,7.8,4.7,7.9,7.7,4.7,7.9,4.7,7.8,7.7,4.7,4.7] - analyse: [....15] [ip4][..tcp] [...192.168.1.29][51412] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....15] [ip4][..tcp] [...192.168.1.29][51412] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.037| 0.008| 0.013| 178.814| 3.300] [PKTLEN......: 52.000| 1492.000| 395.100| 500.800| 250764.700| 4.000] @@ -119,7 +119,7 @@ [IATS(ms)....: 37.1,37.2,0.1,28.8,0.5,29.2,1.0,1.0,0.1,0.0,26.7,1.7,3.3,31.5,0.1,0.1,0.1,0.1,27.0,0.9,27.7,0.2,0.2,0.0,0.1,0.1,0.0,0.1,0.6,0.5,0.1] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1483,52,52,91,52,93,76,52,591,52,1098,52,1492,52,704,1098,52,262,52,1098,52,401] [ENTROPIES...: 4.1,5.3,4.7,4.4,4.9,7.8,4.7,7.8,4.6,5.8,7.9,4.9,5.0,5.9,4.8,5.9,5.6,4.8,7.6,5.0,7.8,4.7,7.9,4.8,7.7,7.8,4.7,7.1,4.8,7.8,4.7,7.4] - analyse: [....18] [ip4][..tcp] [...192.168.1.29][51415] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....18] [ip4][..tcp] [...192.168.1.29][51415] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.037| 0.008| 0.014| 182.825| 3.300] [PKTLEN......: 52.000| 1492.000| 368.800| 501.900| 251883.600| 3.900] @@ -130,7 +130,7 @@ [PKTLENS.....: 64,60,52,569,52,1492,52,1129,52,116,1483,52,52,91,52,93,52,76,52,591,52,1098,52,258,52,1098,52,1098,52,1492,213,52] [ENTROPIES...: 4.2,5.2,4.7,4.4,5.1,7.9,4.8,7.8,4.8,6.0,7.9,5.1,5.1,5.9,4.8,6.0,4.8,5.6,4.8,7.6,5.1,7.8,4.8,7.2,4.8,7.8,4.8,7.8,4.8,7.9,7.0,4.8] detected: [....31] [ip4][..tcp] [...192.168.1.29][51428] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [.....2] [ip4][..tcp] [...192.168.1.29][51399] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [.....2] [ip4][..tcp] [...192.168.1.29][51399] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.046| 0.009| 0.013| 176.947| 3.400] [PKTLEN......: 52.000| 1492.000| 420.800| 536.500| 287782.900| 3.900] @@ -140,7 +140,7 @@ [IATS(ms)....: 28.1,28.2,0.4,27.3,1.6,28.5,1.1,1.1,0.4,0.0,25.8,1.4,19.1,0.0,45.9,0.8,0.8,0.1,26.6,2.3,28.8,0.2,0.2,0.0,0.1,0.2,0.1,0.1,0.0,0.2,0.4] [PKTLENS.....: 64,60,52,569,52,1492,52,1127,52,116,1467,52,52,91,93,52,76,52,591,52,1098,52,1492,52,704,52,1492,52,1318,751,52,138] [ENTROPIES...: 4.2,5.2,4.7,4.5,5.1,7.9,4.7,7.8,4.7,5.9,7.9,5.0,5.0,5.9,6.1,4.7,5.6,4.7,7.6,5.1,7.8,4.7,7.8,4.8,7.7,4.8,7.9,4.8,7.8,7.8,4.7,6.3] - analyse: [.....3] [ip4][..tcp] [...192.168.1.29][51400] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [.....3] [ip4][..tcp] [...192.168.1.29][51400] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.048| 0.009| 0.014| 188.006| 3.300] [PKTLEN......: 52.000| 1492.000| 409.500| 521.500| 271995.400| 4.000] @@ -150,7 +150,7 @@ [IATS(ms)....: 29.2,29.3,0.5,27.5,1.4,28.3,0.2,0.2,0.2,0.0,26.6,1.2,20.2,47.9,0.1,0.1,0.2,0.1,0.1,27.6,0.2,27.7,1.4,1.4,0.2,0.0,0.2,0.2,0.0,0.0,0.2] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1471,52,52,91,52,93,52,76,52,591,52,1098,52,1098,52,1492,704,52,1492,272,469,52] [ENTROPIES...: 4.1,5.2,4.6,4.4,4.9,7.9,4.7,7.8,4.7,5.9,7.9,5.0,5.0,5.9,4.7,5.9,4.7,5.6,4.7,7.6,5.0,7.8,4.7,7.8,4.7,7.9,7.7,4.7,7.8,7.1,7.5,4.7] - analyse: [....20] [ip4][..tcp] [...192.168.1.29][51417] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....20] [ip4][..tcp] [...192.168.1.29][51417] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.039| 0.009| 0.014| 196.546| 3.300] [PKTLEN......: 52.000| 1492.000| 365.500| 491.400| 241507.300| 3.900] @@ -160,7 +160,7 @@ [IATS(ms)....: 38.7,38.7,0.1,30.4,0.5,30.6,0.1,0.1,0.2,0.0,27.6,0.3,6.1,33.7,0.1,0.1,0.4,0.5,0.0,27.5,2.4,29.9,0.2,0.0,0.2,0.3,0.3,0.5,0.6,0.1,0.1] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1485,52,52,91,52,93,52,76,52,591,52,1098,52,1492,704,52,626,52,1098,52,134,52] [ENTROPIES...: 4.1,5.2,4.6,4.4,5.0,7.9,4.8,7.9,4.7,5.8,7.9,5.0,4.9,5.8,4.7,5.8,4.7,5.4,4.7,7.6,5.0,7.8,4.8,7.9,7.7,4.8,7.6,4.7,7.8,4.8,6.4,4.8] - analyse: [....17] [ip4][..tcp] [...192.168.1.29][51414] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....17] [ip4][..tcp] [...192.168.1.29][51414] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.046| 0.009| 0.014| 204.413| 3.300] [PKTLEN......: 52.000| 1492.000| 390.400| 502.900| 252956.000| 3.900] @@ -171,7 +171,7 @@ [PKTLENS.....: 64,60,52,569,52,1492,52,1127,52,116,1467,52,52,52,91,93,52,52,76,52,591,52,1098,52,478,52,1098,52,1098,52,1492,704] [ENTROPIES...: 4.1,5.1,4.6,4.4,5.0,7.9,4.7,7.8,4.7,5.9,7.9,5.0,5.1,5.0,5.9,5.9,4.7,4.7,5.5,4.8,7.6,5.1,7.8,4.8,7.5,4.8,7.8,4.8,7.8,4.8,7.9,7.7] detection-update: [....30] [ip4][..tcp] [...192.168.1.29][51427] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [.....4] [ip4][..tcp] [...192.168.1.29][51401] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [.....4] [ip4][..tcp] [...192.168.1.29][51401] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.058| 0.009| 0.015| 228.299| 3.300] [PKTLEN......: 52.000| 1492.000| 397.300| 525.300| 275956.200| 3.900] @@ -181,7 +181,7 @@ [IATS(ms)....: 30.1,30.1,0.1,26.5,1.6,27.9,0.3,0.2,0.2,0.1,26.5,1.2,30.4,57.8,0.1,0.1,0.1,0.1,0.0,27.7,0.9,28.5,0.1,0.1,0.5,0.5,0.4,0.4,0.3,0.0,0.3] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1477,52,52,91,52,93,52,76,52,591,52,1098,52,1098,52,1492,52,704,52,1492,294,52] [ENTROPIES...: 4.2,5.3,4.8,4.5,5.1,7.9,4.8,7.8,4.8,5.8,7.9,5.1,5.1,5.8,4.7,5.9,4.7,5.7,4.7,7.7,5.1,7.8,4.7,7.8,4.7,7.9,4.8,7.7,4.7,7.9,7.2,4.7] - analyse: [.....9] [ip4][..tcp] [...192.168.1.29][51406] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [.....9] [ip4][..tcp] [...192.168.1.29][51406] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.033| 0.010| 0.013| 175.212| 3.500] [PKTLEN......: 52.000| 1492.000| 303.800| 468.300| 219308.000| 3.800] @@ -191,7 +191,7 @@ [IATS(ms)....: 32.8,32.9,0.1,27.7,0.4,27.9,0.3,0.2,0.2,0.0,26.3,0.1,0.2,4.7,0.0,31.1,0.0,0.1,0.1,0.3,26.0,1.9,27.5,0.2,0.0,0.2,0.5,26.6,1.7,27.7,0.6] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1475,52,52,52,91,93,52,52,76,52,591,52,1098,52,1492,58,52,138,52,253,52,148] [ENTROPIES...: 4.1,5.1,4.7,4.4,4.8,7.9,4.6,7.8,4.6,5.9,7.9,4.8,4.8,4.9,5.9,5.9,4.7,4.7,5.6,4.7,7.7,5.0,7.8,4.7,7.9,5.1,4.7,6.3,4.9,7.2,4.7,6.5] - analyse: [....16] [ip4][..tcp] [...192.168.1.29][51413] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....16] [ip4][..tcp] [...192.168.1.29][51413] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.048| 0.010| 0.015| 220.945| 3.400] [PKTLEN......: 52.000| 1492.000| 397.100| 521.500| 271947.300| 3.900] @@ -201,7 +201,7 @@ [IATS(ms)....: 37.4,37.5,0.0,31.0,0.2,31.3,0.8,0.7,0.2,0.1,26.8,1.3,20.0,47.9,0.0,0.1,1.4,1.4,0.1,27.0,1.9,28.8,0.2,0.0,0.2,0.9,0.0,0.9,0.4,0.4,0.1] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1469,52,52,91,52,93,52,76,52,591,52,1098,52,1492,84,52,1492,488,52,1098,52,478] [ENTROPIES...: 4.2,5.3,4.7,4.5,5.0,7.9,4.8,7.8,4.8,6.0,7.9,5.0,5.0,6.0,4.7,5.8,4.7,5.6,4.7,7.6,5.0,7.8,4.7,7.9,5.7,4.7,7.9,7.5,4.7,7.8,4.7,7.5] - analyse: [....26] [ip4][..tcp] [...192.168.1.29][51423] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....26] [ip4][..tcp] [...192.168.1.29][51423] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.043| 0.010| 0.015| 219.628| 3.400] [PKTLEN......: 52.000| 1492.000| 378.900| 495.600| 245645.300| 3.900] @@ -211,7 +211,7 @@ [IATS(ms)....: 42.5,42.5,0.1,29.5,0.6,30.0,1.4,1.4,0.2,0.1,27.9,1.1,12.4,41.0,0.0,0.1,0.1,0.1,28.1,1.3,29.2,0.0,0.1,0.1,0.1,0.2,0.0,0.1,3.2,3.2,0.4] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1467,52,52,91,52,93,76,52,591,52,1098,52,498,52,1098,52,1492,280,52,1031,52,154] [ENTROPIES...: 4.2,5.2,4.7,4.4,5.0,7.9,4.8,7.8,4.8,5.9,7.9,5.1,5.1,5.9,4.8,5.9,5.6,4.8,7.6,5.1,7.8,4.7,7.6,4.8,7.8,4.6,7.9,7.2,4.8,7.8,4.8,6.4] - analyse: [.....7] [ip4][..tcp] [...192.168.1.29][51404] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [.....7] [ip4][..tcp] [...192.168.1.29][51404] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.035| 0.010| 0.013| 178.858| 3.600] [PKTLEN......: 52.000| 1492.000| 304.800| 439.800| 193461.100| 3.900] @@ -221,7 +221,7 @@ [IATS(ms)....: 31.9,31.9,0.1,27.3,0.4,27.6,0.2,0.1,0.3,0.1,27.1,0.1,8.7,35.4,0.1,0.1,0.5,0.4,0.1,26.2,2.4,0.1,28.5,0.1,0.1,0.4,26.5,1.7,27.7,0.5,0.5] [PKTLENS.....: 64,60,52,569,52,1492,52,1127,52,116,1471,52,52,91,52,93,52,76,52,591,52,1098,1098,52,475,52,138,52,256,52,160,52] [ENTROPIES...: 4.2,5.2,4.7,4.4,5.0,7.8,4.8,7.8,4.8,6.0,7.9,5.0,5.1,5.9,4.8,5.9,4.7,5.5,4.7,7.7,4.9,7.8,7.8,4.8,7.6,4.8,6.3,5.1,7.1,4.8,6.6,4.7] - analyse: [....25] [ip4][..tcp] [...192.168.1.29][51422] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....25] [ip4][..tcp] [...192.168.1.29][51422] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.049| 0.010| 0.016| 255.568| 3.300] [PKTLEN......: 52.000| 1492.000| 418.400| 525.000| 275583.300| 4.000] @@ -231,7 +231,7 @@ [IATS(ms)....: 44.1,44.1,0.2,30.0,0.3,30.0,0.2,0.2,0.1,0.1,30.4,0.1,18.7,0.1,49.0,0.1,0.1,0.1,28.0,1.8,29.6,0.1,0.1,0.4,0.4,0.5,0.5,0.3,0.0,0.3,0.4] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1473,52,52,91,93,52,76,52,591,52,1098,52,1098,52,1492,52,704,52,1492,272,52,751] [ENTROPIES...: 4.2,5.2,4.7,4.4,5.0,7.9,4.7,7.9,4.7,5.8,7.8,5.0,5.0,5.8,5.9,4.7,5.5,4.7,7.7,5.0,7.8,4.8,7.8,4.7,7.9,4.7,7.7,4.8,7.9,7.2,4.8,7.7] - analyse: [....23] [ip4][..tcp] [...192.168.1.29][51420] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....23] [ip4][..tcp] [...192.168.1.29][51420] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.051| 0.010| 0.016| 247.288| 3.300] [PKTLEN......: 52.000| 1492.000| 397.700| 512.500| 262691.900| 3.900] @@ -241,7 +241,7 @@ [IATS(ms)....: 41.0,41.1,0.1,31.0,0.5,31.4,0.1,0.1,0.1,0.1,29.3,0.1,21.7,50.8,0.1,0.1,0.1,0.1,27.5,1.0,28.3,1.3,0.0,1.3,0.2,0.1,1.7,1.6,0.0,0.1,0.4] [PKTLENS.....: 64,60,52,569,52,1492,52,1127,52,116,1481,52,52,91,52,93,76,52,591,52,1098,52,1492,704,52,1308,52,1098,52,401,52,138] [ENTROPIES...: 4.2,5.2,4.7,4.4,5.0,7.8,4.8,7.8,4.8,6.0,7.9,5.1,5.0,5.9,4.8,6.0,5.6,4.8,7.7,5.1,7.8,4.8,7.9,7.7,4.8,7.8,4.8,7.8,4.8,7.5,4.8,6.4] - analyse: [.....6] [ip4][..tcp] [...192.168.1.29][51403] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [.....6] [ip4][..tcp] [...192.168.1.29][51403] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.054| 0.010| 0.016| 241.175| 3.400] [PKTLEN......: 52.000| 1492.000| 346.900| 471.500| 222289.800| 3.900] @@ -251,7 +251,7 @@ [IATS(ms)....: 30.7,30.8,0.1,27.2,1.0,28.1,0.3,0.3,0.2,0.1,26.4,1.1,0.0,27.0,54.2,0.0,0.1,0.1,0.1,27.4,16.7,44.0,0.6,0.6,0.1,0.2,0.2,0.1,0.3,0.3,0.3] [PKTLENS.....: 64,60,52,569,52,1492,52,1127,52,116,1477,52,52,52,91,52,93,76,52,591,52,1098,52,1098,52,922,52,1098,52,149,52,200] [ENTROPIES...: 4.2,5.2,4.7,4.4,4.9,7.8,4.8,7.8,4.8,5.9,7.9,5.0,5.0,5.0,5.7,4.7,5.9,5.5,4.8,7.6,5.0,7.8,4.7,7.8,4.7,7.8,4.7,7.8,4.8,6.6,4.8,6.8] - analyse: [....14] [ip4][..tcp] [...192.168.1.29][51411] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....14] [ip4][..tcp] [...192.168.1.29][51411] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.036| 0.009| 0.014| 184.863| 3.500] [PKTLEN......: 52.000| 1492.000| 402.200| 504.900| 254904.000| 4.000] @@ -262,7 +262,7 @@ [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1483,52,52,91,52,93,52,76,52,591,52,1098,52,1098,52,1492,704,52,790,52,148,1050] [ENTROPIES...: 4.2,5.3,4.7,4.4,5.0,7.8,4.8,7.8,4.8,5.9,7.9,5.1,5.1,5.8,4.8,6.0,4.8,5.6,4.7,7.6,5.0,7.8,4.8,7.8,4.8,7.9,7.7,4.8,7.7,4.7,6.3,7.8] detection-update: [....31] [ip4][..tcp] [...192.168.1.29][51428] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....19] [ip4][..tcp] [...192.168.1.29][51416] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....19] [ip4][..tcp] [...192.168.1.29][51416] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.040| 0.011| 0.014| 199.830| 3.700] [PKTLEN......: 52.000| 1492.000| 405.900| 519.400| 269778.800| 4.000] @@ -272,7 +272,7 @@ [IATS(ms)....: 40.2,40.2,0.1,29.5,1.5,0.0,31.0,0.1,0.1,29.8,29.5,0.1,5.1,0.0,0.0,5.3,0.2,21.3,7.6,1.2,29.8,1.3,0.0,1.3,0.3,0.0,0.3,0.5,26.6,1.6,27.7] [PKTLENS.....: 64,60,52,569,52,1492,1128,52,116,1477,64,116,52,91,93,76,52,591,64,52,1098,52,1492,704,52,1492,437,52,148,52,1044,52] [ENTROPIES...: 4.2,5.2,4.7,4.5,5.0,7.9,7.8,4.7,5.8,7.9,5.1,5.9,5.1,5.8,5.9,5.6,4.8,7.6,5.0,5.0,7.8,4.7,7.9,7.7,4.7,7.9,7.5,4.7,6.4,4.9,7.8,4.7] - analyse: [....22] [ip4][..tcp] [...192.168.1.29][51419] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....22] [ip4][..tcp] [...192.168.1.29][51419] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.042| 0.011| 0.015| 224.118| 3.600] [PKTLEN......: 52.000| 1492.000| 344.000| 469.500| 220464.400| 3.900] @@ -282,7 +282,7 @@ [IATS(ms)....: 40.2,40.3,0.0,29.3,0.2,29.4,1.0,0.9,0.2,0.0,27.6,0.3,14.6,42.2,0.0,0.1,0.1,0.1,28.0,1.0,28.9,0.2,0.0,0.1,1.5,0.1,1.6,0.3,25.8,1.2,26.7] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1475,52,52,91,52,93,76,52,591,52,1098,52,1304,258,52,1098,408,52,138,52,220,52] [ENTROPIES...: 4.2,5.2,4.7,4.5,5.1,7.9,4.8,7.8,4.8,5.9,7.9,5.1,5.1,6.0,4.8,6.0,5.7,4.8,7.7,5.0,7.8,4.7,7.8,7.1,4.7,7.8,7.5,4.8,6.3,5.1,6.9,4.8] - analyse: [.....5] [ip4][..tcp] [...192.168.1.29][51402] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [.....5] [ip4][..tcp] [...192.168.1.29][51402] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.037| 0.011| 0.015| 234.608| 3.600] [PKTLEN......: 52.000| 1492.000| 339.700| 452.700| 204941.100| 3.900] @@ -292,7 +292,7 @@ [IATS(ms)....: 35.1,35.1,0.1,31.2,2.6,33.7,0.1,0.1,0.1,0.1,30.8,1.5,5.3,37.3,0.1,0.0,0.1,0.0,31.8,2.2,33.9,0.1,0.1,0.5,0.4,0.4,0.3,0.4,31.9,1.3,32.8] [PKTLENS.....: 64,60,52,569,52,1492,52,1129,52,116,1469,52,52,91,52,93,76,52,591,52,1098,52,478,52,1098,52,831,52,138,52,696,52] [ENTROPIES...: 4.2,5.2,4.7,4.4,5.0,7.9,4.7,7.8,4.7,5.9,7.9,5.0,5.0,6.0,4.8,5.9,5.6,4.8,7.6,5.1,7.8,4.7,7.5,4.8,7.8,4.8,7.8,4.8,6.3,5.1,7.7,4.8] - analyse: [....12] [ip4][..tcp] [...192.168.1.29][51409] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....12] [ip4][..tcp] [...192.168.1.29][51409] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.043| 0.012| 0.016| 240.534| 3.600] [PKTLEN......: 52.000| 1492.000| 355.800| 507.100| 257111.100| 3.800] @@ -302,7 +302,7 @@ [IATS(ms)....: 37.6,37.7,0.1,30.9,30.8,0.4,0.4,0.2,0.0,1.1,28.2,0.1,13.5,0.1,42.8,0.1,0.1,0.1,30.6,8.7,39.1,0.2,0.0,0.2,0.2,0.0,0.2,0.4,27.5,1.4,28.5] [PKTLENS.....: 64,60,52,569,1492,52,1129,52,116,1469,52,52,52,91,93,52,76,52,591,52,1098,52,1492,104,52,1492,191,52,167,52,364,52] [ENTROPIES...: 4.2,5.2,4.7,4.4,7.8,4.7,7.8,4.7,5.9,7.9,5.0,5.0,5.1,5.8,5.9,4.7,5.6,4.7,7.6,5.0,7.8,4.7,7.8,6.0,4.7,7.9,6.9,4.7,6.5,5.1,7.4,4.7] - analyse: [....10] [ip4][..tcp] [...192.168.1.29][51407] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....10] [ip4][..tcp] [...192.168.1.29][51407] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.042| 0.012| 0.017| 274.646| 3.500] [PKTLEN......: 52.000| 1492.000| 304.800| 467.200| 218265.100| 3.800] @@ -312,7 +312,7 @@ [IATS(ms)....: 41.6,41.7,0.0,34.7,0.4,35.0,0.2,0.2,0.2,0.1,34.8,0.0,3.3,37.8,0.1,0.1,0.1,0.1,0.0,32.2,2.3,34.4,0.2,0.0,0.2,0.5,31.2,2.5,33.2,0.1,0.1] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1467,52,52,91,52,93,76,52,52,591,52,1098,52,1492,81,52,138,52,256,52,160,52] [ENTROPIES...: 4.1,5.2,4.6,4.4,4.9,7.8,4.6,7.8,4.7,5.9,7.9,4.9,4.9,5.7,4.7,5.8,5.6,4.7,4.7,7.7,4.8,7.8,4.7,7.9,5.7,4.7,6.2,5.0,7.1,4.7,6.6,4.7] - analyse: [....28] [ip4][..tcp] [...192.168.1.29][51425] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....28] [ip4][..tcp] [...192.168.1.29][51425] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.050| 0.009| 0.014| 196.097| 3.300] [PKTLEN......: 52.000| 1492.000| 424.800| 534.600| 285801.500| 4.000] @@ -323,7 +323,7 @@ [PKTLENS.....: 64,60,52,569,52,1492,52,1129,52,116,1471,52,52,91,93,76,52,52,591,52,1098,52,1492,704,52,1492,52,1318,751,52,138,172] [ENTROPIES...: 4.2,5.2,4.7,4.4,5.0,7.8,4.8,7.8,4.7,6.0,7.9,5.0,5.0,5.9,5.9,5.6,4.6,4.7,7.6,5.0,7.8,4.7,7.9,7.7,4.7,7.9,4.7,7.8,7.7,4.8,6.2,6.5] new: [....32] [ip4][..tcp] [...192.168.1.29][51429] -> [..77.111.247.69][..443] - analyse: [....24] [ip4][..tcp] [...192.168.1.29][51421] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....24] [ip4][..tcp] [...192.168.1.29][51421] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.044| 0.012| 0.015| 228.764| 3.700] [PKTLEN......: 52.000| 1492.000| 340.500| 468.200| 219238.800| 3.900] @@ -333,7 +333,7 @@ [IATS(ms)....: 40.3,40.3,0.1,30.2,0.4,30.5,0.1,0.1,0.1,0.0,28.4,28.3,0.0,24.6,0.0,24.7,0.1,0.1,0.1,1.1,25.8,17.4,44.2,0.2,0.0,0.2,0.1,0.1,0.5,25.4,16.3] [PKTLENS.....: 64,60,52,569,52,1492,52,1129,52,116,1487,64,116,52,91,93,52,76,52,591,64,52,1098,52,1492,528,52,627,52,200,52,314] [ENTROPIES...: 4.2,5.2,4.8,4.5,5.1,7.8,4.8,7.8,4.7,6.0,7.9,5.0,5.9,5.1,5.8,5.9,4.7,5.5,4.7,7.6,5.1,5.1,7.8,4.8,7.9,7.6,4.8,7.7,4.8,6.9,5.1,7.3] - analyse: [....29] [ip4][..tcp] [...192.168.1.29][51426] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....29] [ip4][..tcp] [...192.168.1.29][51426] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.039| 0.010| 0.013| 167.910| 3.600] [PKTLEN......: 52.000| 1492.000| 287.100| 439.400| 193071.900| 3.800] @@ -343,7 +343,7 @@ [IATS(ms)....: 27.3,27.4,0.2,27.1,0.9,27.6,0.3,0.3,0.2,0.0,25.7,2.8,10.9,39.1,0.1,0.0,0.1,0.1,26.6,0.1,26.6,1.5,0.1,0.0,26.8,0.2,0.1,25.5,1.0,1.0,0.1] [PKTLENS.....: 64,60,52,569,52,1492,52,1127,52,116,1457,52,52,91,52,93,76,52,638,52,322,52,138,172,1444,52,52,329,52,166,52,105] [ENTROPIES...: 4.2,5.2,4.7,4.5,5.1,7.9,4.8,7.8,4.8,5.9,7.9,5.0,5.0,5.9,4.7,5.9,5.6,4.8,7.6,5.0,7.3,4.6,6.3,6.7,7.8,5.0,4.9,7.3,4.7,6.6,4.7,5.9] - analyse: [....30] [ip4][..tcp] [...192.168.1.29][51427] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....30] [ip4][..tcp] [...192.168.1.29][51427] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.033| 0.009| 0.012| 153.174| 3.500] [PKTLEN......: 52.000| 1492.000| 342.200| 472.200| 222950.100| 3.900] @@ -353,7 +353,7 @@ [IATS(ms)....: 27.4,27.5,0.1,27.3,2.2,29.4,0.1,0.1,0.2,0.1,26.9,0.1,0.5,5.6,0.1,32.7,0.0,0.1,0.0,26.1,0.3,26.3,1.3,0.0,0.0,1.3,1.6,0.1,27.1,0.0,3.8] [PKTLENS.....: 64,60,52,569,52,1492,52,1127,52,116,1459,52,52,52,91,93,52,76,52,591,52,1098,52,1492,84,759,52,154,623,52,52,274] [ENTROPIES...: 4.2,5.2,4.7,4.4,5.1,7.9,4.6,7.8,4.8,5.8,7.9,5.0,5.0,5.1,5.9,5.9,4.7,5.6,4.7,7.7,5.0,7.8,4.7,7.9,5.8,7.7,4.6,6.6,7.6,5.0,5.0,7.1] - analyse: [....31] [ip4][..tcp] [...192.168.1.29][51428] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....31] [ip4][..tcp] [...192.168.1.29][51428] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.046| 0.009| 0.014| 185.505| 3.300] [PKTLEN......: 52.000| 1492.000| 406.800| 492.900| 242924.900| 4.000] @@ -369,7 +369,7 @@ RISK: TLS (probably) Not Carrying HTTPS new: [....33] [ip4][..tcp] [...192.168.1.29][51430] -> [..77.111.247.69][..443] detected: [....33] [ip4][..tcp] [...192.168.1.29][51430] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....21] [ip4][..tcp] [...192.168.1.29][51418] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....21] [ip4][..tcp] [...192.168.1.29][51418] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.108| 0.020| 0.028| 811.176| 3.500] [PKTLEN......: 52.000| 1492.000| 324.200| 448.200| 200860.400| 3.900] @@ -380,7 +380,7 @@ [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1471,64,52,116,64,91,52,93,52,76,52,591,52,1098,52,498,1098,52,810,52,200,52] [ENTROPIES...: 4.2,5.2,4.7,4.5,5.1,7.9,4.7,7.8,4.8,5.8,7.9,5.1,5.0,5.8,5.1,5.9,4.8,5.9,4.8,5.5,4.8,7.6,5.0,7.8,4.8,7.5,7.8,4.7,7.7,4.8,6.9,5.0] detection-update: [....33] [ip4][..tcp] [...192.168.1.29][51430] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....32] [ip4][..tcp] [...192.168.1.29][51429] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....32] [ip4][..tcp] [...192.168.1.29][51429] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.037| 0.009| 0.014| 195.258| 3.400] [PKTLEN......: 52.000| 1492.000| 433.800| 539.400| 290977.100| 4.000] @@ -390,7 +390,7 @@ [IATS(ms)....: 31.1,31.3,0.3,31.0,1.4,32.0,0.1,0.1,2.8,0.1,33.2,1.2,5.1,0.0,0.0,36.6,0.1,31.1,2.9,33.9,0.3,0.0,0.2,0.2,0.2,0.2,0.2,0.5,0.5,0.6,0.2] [PKTLENS.....: 64,60,52,569,52,1492,52,1113,52,116,1324,52,52,91,93,76,52,591,52,1098,52,1492,704,52,1492,52,1492,52,950,52,138,252] [ENTROPIES...: 4.1,5.2,4.7,4.2,5.0,7.8,4.8,7.8,4.8,6.0,7.9,5.1,5.0,5.9,6.0,5.5,4.7,7.6,5.0,7.8,4.7,7.9,7.7,4.6,7.9,4.5,7.9,4.6,7.8,4.6,6.3,7.0] - analyse: [....33] [ip4][..tcp] [...192.168.1.29][51430] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....33] [ip4][..tcp] [...192.168.1.29][51430] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.031| 0.008| 0.012| 151.638| 3.300] [PKTLEN......: 52.000| 1492.000| 406.100| 507.800| 257847.600| 4.000] @@ -400,7 +400,7 @@ [IATS(ms)....: 28.1,28.2,0.1,28.4,1.4,29.7,0.1,0.1,0.1,0.1,27.0,0.0,0.0,3.7,0.0,0.0,30.5,0.1,0.1,27.4,1.6,28.7,0.1,0.1,0.1,0.1,0.3,0.2,0.7,0.7,0.1] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1465,52,52,52,91,93,76,52,52,591,52,1098,52,1098,52,1098,52,1308,52,1098,52,770] [ENTROPIES...: 4.1,5.3,4.7,4.5,4.9,7.9,4.7,7.8,4.7,5.9,7.9,5.0,5.1,5.0,5.9,5.8,5.5,4.7,4.7,7.7,5.0,7.8,4.7,7.8,4.7,7.8,4.7,7.9,4.7,7.8,4.7,7.7] - analyse: [....27] [ip4][..tcp] [...192.168.1.29][51424] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....27] [ip4][..tcp] [...192.168.1.29][51424] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.180| 0.027| 0.054| 2903.055| 2.900] [PKTLEN......: 52.000| 1492.000| 452.000| 548.400| 300791.000| 4.000] @@ -420,7 +420,7 @@ detection-update: [....34] [ip4][..tcp] [...192.168.1.29][51432] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detected: [....36] [ip4][..tcp] [...192.168.1.29][51435] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....35] [ip4][..tcp] [...192.168.1.29][51433] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....13] [ip4][..tcp] [...192.168.1.29][51410] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....13] [ip4][..tcp] [...192.168.1.29][51410] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 1.028| 0.074| 0.247| 61210.599| 1.800] [PKTLEN......: 52.000| 1492.000| 351.000| 482.300| 232616.900| 3.900] @@ -437,7 +437,7 @@ detected: [....37] [ip4][..tcp] [...192.168.1.29][51436] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detected: [....39] [ip4][..tcp] [...192.168.1.29][51438] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detected: [....38] [ip4][..tcp] [...192.168.1.29][51437] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....35] [ip4][..tcp] [...192.168.1.29][51433] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....35] [ip4][..tcp] [...192.168.1.29][51433] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.029| 0.007| 0.012| 137.076| 3.300] [PKTLEN......: 52.000| 1492.000| 397.000| 481.500| 231822.500| 4.000] @@ -448,7 +448,7 @@ [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1467,52,52,91,52,93,76,52,591,52,1098,478,52,52,1098,52,1098,52,882,1098,52,478] [ENTROPIES...: 4.2,5.2,4.7,4.5,5.0,7.9,4.7,7.8,4.8,5.9,7.9,5.1,5.1,5.9,4.8,5.9,5.7,4.8,7.6,5.0,7.8,7.5,4.7,4.7,7.8,4.7,7.8,4.7,7.7,7.8,4.7,7.5] detection-update: [....37] [ip4][..tcp] [...192.168.1.29][51436] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....34] [ip4][..tcp] [...192.168.1.29][51432] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....34] [ip4][..tcp] [...192.168.1.29][51432] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.058| 0.009| 0.015| 225.527| 3.300] [PKTLEN......: 52.000| 1492.000| 408.200| 535.400| 286624.800| 3.900] @@ -460,7 +460,7 @@ [ENTROPIES...: 4.2,5.3,4.8,4.4,5.1,7.8,4.8,7.8,4.8,5.9,7.9,5.1,5.1,5.8,4.8,5.9,4.8,5.7,4.8,7.6,5.1,7.8,4.8,7.9,7.7,4.8,4.8,7.9,4.7,7.8,4.8,7.5] detection-update: [....39] [ip4][..tcp] [...192.168.1.29][51438] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....38] [ip4][..tcp] [...192.168.1.29][51437] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....36] [ip4][..tcp] [...192.168.1.29][51435] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....36] [ip4][..tcp] [...192.168.1.29][51435] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.039| 0.008| 0.012| 156.003| 3.400] [PKTLEN......: 52.000| 1492.000| 410.500| 518.800| 269178.600| 4.000] @@ -473,7 +473,7 @@ new: [....40] [ip4][..tcp] [...192.168.1.29][51440] -> [..77.111.247.69][..443] detected: [....40] [ip4][..tcp] [...192.168.1.29][51440] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....40] [ip4][..tcp] [...192.168.1.29][51440] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....37] [ip4][..tcp] [...192.168.1.29][51436] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....37] [ip4][..tcp] [...192.168.1.29][51436] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.032| 0.009| 0.013| 159.388| 3.500] [PKTLEN......: 52.000| 1492.000| 374.000| 504.400| 254392.600| 3.900] @@ -483,7 +483,7 @@ [IATS(ms)....: 28.1,28.2,0.1,27.4,1.5,28.8,0.1,0.1,0.2,0.1,28.2,1.2,2.7,31.8,0.1,0.0,0.1,0.1,27.2,1.7,28.7,0.2,0.0,0.2,0.2,0.0,0.0,0.2,0.2,27.0,8.5] [PKTLENS.....: 64,60,52,569,52,1492,52,1129,52,116,1457,52,52,91,52,93,76,52,591,52,1098,52,1492,104,52,1492,280,367,52,138,52,584] [ENTROPIES...: 4.2,5.2,4.7,4.4,4.9,7.8,4.7,7.9,4.7,5.9,7.8,5.0,4.9,5.9,4.7,5.9,5.5,4.7,7.6,5.0,7.8,4.8,7.9,6.0,4.8,7.9,7.2,7.3,4.8,6.3,5.0,7.6] - analyse: [....40] [ip4][..tcp] [...192.168.1.29][51440] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....40] [ip4][..tcp] [...192.168.1.29][51440] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.036| 0.009| 0.013| 161.218| 3.500] [PKTLEN......: 52.000| 1492.000| 330.400| 469.300| 220240.500| 3.900] @@ -493,7 +493,7 @@ [IATS(ms)....: 27.8,27.9,0.1,27.1,0.5,27.5,0.8,0.8,0.3,0.1,26.2,1.0,8.7,0.0,35.6,0.1,0.1,0.0,26.0,5.3,31.3,0.2,0.0,0.0,0.2,0.1,1.6,0.1,0.1,26.9,1.3] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1475,52,52,91,93,52,76,52,591,52,1098,52,1492,704,132,52,52,154,172,338,52,52] [ENTROPIES...: 4.2,5.1,4.7,4.5,5.0,7.9,4.8,7.8,4.8,5.8,7.9,5.0,5.1,5.8,5.9,4.8,5.7,4.8,7.6,5.0,7.8,4.7,7.9,7.7,6.5,4.7,4.8,6.5,6.6,7.3,5.0,5.0] - analyse: [....39] [ip4][..tcp] [...192.168.1.29][51438] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....39] [ip4][..tcp] [...192.168.1.29][51438] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.122| 0.019| 0.034| 1173.117| 3.100] [PKTLEN......: 52.000| 1492.000| 390.500| 496.900| 246958.900| 4.000] @@ -503,7 +503,7 @@ [IATS(ms)....: 27.4,27.4,0.1,26.3,1.5,27.6,0.1,0.1,0.2,0.1,25.7,0.1,0.1,96.7,0.0,0.0,122.3,0.1,27.2,81.2,0.0,108.4,0.0,0.3,0.3,0.2,0.0,0.2,0.3,0.3,0.1] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1465,52,52,52,91,93,76,52,591,52,1098,478,52,52,1098,52,1492,488,52,1098,52,271] [ENTROPIES...: 4.1,5.2,4.6,4.4,5.0,7.8,4.7,7.8,4.6,5.9,7.9,4.8,4.8,4.9,5.7,5.8,5.6,4.7,7.6,5.0,7.8,7.5,4.8,4.8,7.8,4.8,7.9,7.5,4.8,7.8,4.8,7.1] - analyse: [....38] [ip4][..tcp] [...192.168.1.29][51437] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....38] [ip4][..tcp] [...192.168.1.29][51437] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.126| 0.020| 0.036| 1286.879| 3.200] [PKTLEN......: 52.000| 1492.000| 386.500| 502.300| 252311.900| 3.900] @@ -516,7 +516,7 @@ new: [....41] [ip4][..tcp] [...192.168.1.29][51441] -> [..77.111.247.69][..443] detected: [....41] [ip4][..tcp] [...192.168.1.29][51441] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....41] [ip4][..tcp] [...192.168.1.29][51441] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....41] [ip4][..tcp] [...192.168.1.29][51441] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....41] [ip4][..tcp] [...192.168.1.29][51441] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.125| 0.019| 0.036| 1295.429| 3.100] [PKTLEN......: 52.000| 1492.000| 390.500| 500.100| 250056.100| 4.000] @@ -535,7 +535,7 @@ detected: [....44] [ip4][..tcp] [...192.168.1.29][51444] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....43] [ip4][..tcp] [...192.168.1.29][51443] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....44] [ip4][..tcp] [...192.168.1.29][51444] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....43] [ip4][..tcp] [...192.168.1.29][51443] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....43] [ip4][..tcp] [...192.168.1.29][51443] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.042| 0.008| 0.013| 169.929| 3.400] [PKTLEN......: 52.000| 1492.000| 425.100| 548.500| 300824.400| 3.900] @@ -545,7 +545,7 @@ [IATS(ms)....: 28.7,28.8,0.1,27.4,0.6,27.9,0.8,0.7,0.3,0.1,25.9,0.0,1.1,15.2,0.0,41.9,0.0,0.1,0.1,0.1,27.2,2.9,29.9,0.3,0.0,0.2,0.2,0.2,0.8,0.0,0.9] [PKTLENS.....: 64,60,52,569,52,1492,52,1129,52,116,1469,52,52,52,91,93,52,52,76,52,660,52,1098,52,1492,704,52,1492,52,1492,726,52] [ENTROPIES...: 4.2,5.2,4.8,4.4,5.1,7.8,4.8,7.8,4.7,5.9,7.9,5.0,5.0,5.0,6.0,6.0,4.8,4.8,5.7,4.8,7.6,5.0,7.8,4.8,7.9,7.7,4.8,7.9,4.8,7.9,7.8,4.8] - analyse: [....44] [ip4][..tcp] [...192.168.1.29][51444] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....44] [ip4][..tcp] [...192.168.1.29][51444] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.099| 0.017| 0.025| 636.110| 3.600] [PKTLEN......: 52.000| 1492.000| 288.800| 419.800| 176233.300| 3.900] @@ -558,7 +558,7 @@ new: [....45] [ip4][..tcp] [...192.168.1.29][51449] -> [..77.111.247.69][..443] new: [....46] [ip4][..tcp] [...192.168.1.29][51450] -> [..77.111.247.69][..443] new: [....47] [ip4][..tcp] [...192.168.1.29][51451] -> [..77.111.247.69][..443] - analyse: [....42] [ip4][..tcp] [...192.168.1.29][51442] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....42] [ip4][..tcp] [...192.168.1.29][51442] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.207| 0.028| 0.058| 3307.776| 2.900] [PKTLEN......: 52.000| 1492.000| 468.700| 574.100| 329541.200| 4.000] @@ -580,7 +580,7 @@ detected: [....49] [ip4][..tcp] [...192.168.1.29][51453] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....48] [ip4][..tcp] [...192.168.1.29][51452] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....49] [ip4][..tcp] [...192.168.1.29][51453] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....45] [ip4][..tcp] [...192.168.1.29][51449] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....45] [ip4][..tcp] [...192.168.1.29][51449] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.032| 0.009| 0.012| 154.797| 3.600] [PKTLEN......: 52.000| 1492.000| 341.300| 465.200| 216385.700| 3.900] @@ -590,7 +590,7 @@ [IATS(ms)....: 26.4,26.4,0.1,27.0,0.5,27.4,0.9,0.9,0.3,0.0,25.9,1.2,5.1,32.0,0.1,0.1,0.1,0.1,26.0,1.6,27.4,0.1,0.1,0.3,0.3,0.3,0.1,25.5,1.3,1.3,27.7] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1459,52,52,91,52,93,76,52,591,52,1098,52,1098,52,1185,52,154,595,52,52,274,52] [ENTROPIES...: 4.2,5.2,4.7,4.5,5.0,7.8,4.8,7.8,4.7,5.8,7.9,4.9,4.9,5.9,4.8,5.9,5.7,4.8,7.6,4.9,7.8,4.7,7.8,4.7,7.8,4.7,6.3,7.6,5.0,5.1,7.2,4.8] - analyse: [....46] [ip4][..tcp] [...192.168.1.29][51450] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....46] [ip4][..tcp] [...192.168.1.29][51450] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.034| 0.008| 0.012| 146.948| 3.400] [PKTLEN......: 52.000| 1492.000| 259.000| 395.400| 156313.400| 3.900] @@ -600,7 +600,7 @@ [IATS(ms)....: 26.1,26.2,0.1,25.7,1.6,27.2,0.1,0.1,0.3,0.0,25.7,0.0,1.2,7.7,0.0,34.4,0.1,0.1,0.1,25.8,1.4,27.1,0.1,0.1,0.0,0.1,0.0,24.9,0.1,1.2,0.0] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1461,52,52,52,91,93,52,76,52,608,52,527,52,138,172,603,155,156,52,52,52,52] [ENTROPIES...: 4.2,5.1,4.7,4.4,4.9,7.8,4.7,7.8,4.7,5.9,7.9,5.0,5.0,5.1,5.9,5.8,4.7,5.5,4.7,7.7,5.1,7.6,4.7,6.2,6.7,7.6,6.5,6.5,5.0,4.9,5.0,4.9] - analyse: [....48] [ip4][..tcp] [...192.168.1.29][51452] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....48] [ip4][..tcp] [...192.168.1.29][51452] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.034| 0.009| 0.013| 163.660| 3.600] [PKTLEN......: 52.000| 1492.000| 255.100| 395.400| 156328.100| 3.800] @@ -613,7 +613,7 @@ new: [....50] [ip4][..tcp] [...192.168.1.29][51454] -> [..77.111.247.69][..443] detected: [....50] [ip4][..tcp] [...192.168.1.29][51454] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....50] [ip4][..tcp] [...192.168.1.29][51454] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....47] [ip4][..tcp] [...192.168.1.29][51451] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....47] [ip4][..tcp] [...192.168.1.29][51451] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.178| 0.027| 0.054| 2913.054| 2.900] [PKTLEN......: 52.000| 1492.000| 434.600| 557.900| 311277.200| 3.900] @@ -631,7 +631,7 @@ detection-update: [....51] [ip4][..tcp] [...192.168.1.29][51455] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] new: [....53] [ip4][..tcp] [...192.168.1.29][51457] -> [..77.111.247.69][..443] new: [....54] [ip4][..tcp] [...192.168.1.29][51458] -> [..77.111.247.69][..443] - analyse: [.....8] [ip4][..tcp] [...192.168.1.29][51405] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [.....8] [ip4][..tcp] [...192.168.1.29][51405] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 3.028| 0.204| 0.738| 545057.276| 1.400] [PKTLEN......: 52.000| 1492.000| 304.700| 439.900| 193493.400| 3.900] @@ -642,7 +642,7 @@ [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1477,52,52,91,93,52,76,52,591,52,1098,52,1098,453,52,138,253,52,148,52,52,76] [ENTROPIES...: 4.2,5.2,4.8,4.4,5.0,7.8,4.8,7.8,4.8,6.0,7.9,5.0,4.9,5.9,5.9,4.8,5.7,4.8,7.6,5.0,7.8,4.7,7.8,7.6,4.7,6.3,7.1,4.8,6.6,4.7,4.6,5.6] new: [....55] [ip4][..tcp] [...192.168.1.29][51459] -> [..77.111.247.69][..443] - analyse: [....52] [ip4][..tcp] [...192.168.1.29][51456] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....52] [ip4][..tcp] [...192.168.1.29][51456] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.029| 0.007| 0.012| 139.021| 3.300] [PKTLEN......: 52.000| 1492.000| 382.700| 493.600| 243675.800| 4.000] @@ -652,7 +652,7 @@ [IATS(ms)....: 27.0,27.1,0.3,28.1,0.3,28.1,0.3,0.3,0.3,0.1,25.7,1.2,2.7,29.2,0.0,0.1,0.1,0.1,26.0,2.2,0.0,28.1,0.2,0.2,0.1,0.0,0.1,1.8,1.9,0.2,0.1] [PKTLENS.....: 64,60,52,569,52,1492,52,1129,52,116,1467,52,52,91,52,93,76,52,591,52,1098,498,52,1098,52,1492,280,52,1031,52,154,172] [ENTROPIES...: 4.1,5.1,4.6,4.4,5.0,7.8,4.6,7.8,4.7,5.9,7.9,5.0,5.0,5.8,4.6,6.0,5.6,4.6,7.7,5.0,7.8,7.5,4.6,7.8,4.7,7.9,7.1,4.7,7.8,4.6,6.5,6.6] - analyse: [....50] [ip4][..tcp] [...192.168.1.29][51454] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....50] [ip4][..tcp] [...192.168.1.29][51454] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.189| 0.028| 0.055| 3044.153| 3.000] [PKTLEN......: 52.000| 1492.000| 416.200| 521.000| 271438.600| 4.000] @@ -665,7 +665,7 @@ detected: [....54] [ip4][..tcp] [...192.168.1.29][51458] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detected: [....55] [ip4][..tcp] [...192.168.1.29][51459] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....54] [ip4][..tcp] [...192.168.1.29][51458] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....51] [ip4][..tcp] [...192.168.1.29][51455] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....51] [ip4][..tcp] [...192.168.1.29][51455] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.040| 0.010| 0.014| 190.700| 3.500] [PKTLEN......: 52.000| 1492.000| 336.200| 468.300| 219266.800| 3.900] @@ -676,7 +676,7 @@ [PKTLENS.....: 64,60,52,569,52,1492,52,1127,52,116,1479,52,52,52,91,93,52,52,76,52,591,52,1098,52,1098,52,1227,52,154,172,472,52] [ENTROPIES...: 4.2,5.3,4.8,4.4,5.1,7.8,4.8,7.8,4.8,6.0,7.9,5.0,5.1,5.1,6.0,5.8,4.8,4.8,5.7,4.8,7.6,5.0,7.8,4.7,7.8,4.8,7.8,4.7,6.4,6.7,7.5,5.1] detection-update: [....55] [ip4][..tcp] [...192.168.1.29][51459] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....54] [ip4][..tcp] [...192.168.1.29][51458] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....54] [ip4][..tcp] [...192.168.1.29][51458] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.169| 0.025| 0.051| 2565.544| 2.900] [PKTLEN......: 52.000| 1492.000| 435.800| 558.300| 311649.100| 3.900] @@ -686,7 +686,7 @@ [IATS(ms)....: 27.1,27.2,0.1,27.6,0.4,0.1,27.8,0.1,0.2,0.1,27.9,0.0,1.2,140.1,0.0,0.1,168.9,0.0,0.1,0.2,26.1,139.2,165.0,0.2,0.1,0.2,0.0,0.1,0.3,0.3,0.2] [PKTLENS.....: 64,60,52,569,52,1492,1127,52,52,116,1471,52,52,52,91,93,76,52,52,52,629,52,1098,52,1098,52,1492,704,52,1492,52,1492] [ENTROPIES...: 4.2,5.2,4.7,4.4,4.9,7.8,7.8,4.8,4.8,5.9,7.9,5.0,5.0,5.0,5.8,6.0,5.6,4.8,4.8,4.7,7.6,5.0,7.8,4.7,7.8,4.7,7.9,7.7,4.7,7.9,4.7,7.9] - analyse: [....55] [ip4][..tcp] [...192.168.1.29][51459] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....55] [ip4][..tcp] [...192.168.1.29][51459] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.179| 0.027| 0.054| 2949.282| 2.900] [PKTLEN......: 52.000| 1492.000| 461.800| 572.200| 327423.800| 4.000] @@ -696,7 +696,7 @@ [IATS(ms)....: 27.7,27.7,0.2,27.4,1.5,28.7,0.1,0.1,0.4,0.0,26.9,0.0,152.5,0.1,179.2,0.0,0.1,0.1,26.1,150.4,176.3,0.2,0.0,0.1,0.3,0.2,0.7,0.7,0.4,0.4,0.1] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1471,52,52,91,93,52,76,52,591,52,1098,52,1492,528,52,1492,52,704,52,1492,52,1492] [ENTROPIES...: 4.1,5.2,4.8,4.3,5.1,7.8,4.8,7.8,4.8,5.8,7.9,5.0,5.0,5.9,5.9,4.7,5.6,4.7,7.5,5.0,7.8,4.7,7.8,7.5,4.7,7.9,4.7,7.7,4.7,7.9,4.7,7.9] - analyse: [....49] [ip4][..tcp] [...192.168.1.29][51453] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....49] [ip4][..tcp] [...192.168.1.29][51453] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.604| 0.075| 0.151| 22860.368| 3.100] [PKTLEN......: 52.000| 1492.000| 384.700| 500.500| 250468.600| 3.900] @@ -709,7 +709,7 @@ new: [....56] [ip4][..tcp] [...192.168.1.29][51460] -> [..77.111.247.69][..443] detected: [....56] [ip4][..tcp] [...192.168.1.29][51460] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....56] [ip4][..tcp] [...192.168.1.29][51460] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....56] [ip4][..tcp] [...192.168.1.29][51460] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....56] [ip4][..tcp] [...192.168.1.29][51460] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.188| 0.020| 0.046| 2094.229| 2.900] [PKTLEN......: 52.000| 1492.000| 356.800| 487.600| 237730.200| 3.900] @@ -722,7 +722,7 @@ new: [....57] [ip4][..tcp] [...192.168.1.29][51461] -> [..77.111.247.69][..443] detected: [....57] [ip4][..tcp] [...192.168.1.29][51461] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....57] [ip4][..tcp] [...192.168.1.29][51461] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....57] [ip4][..tcp] [...192.168.1.29][51461] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....57] [ip4][..tcp] [...192.168.1.29][51461] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.034| 0.008| 0.012| 144.514| 3.500] [PKTLEN......: 52.000| 1492.000| 397.200| 485.100| 235309.800| 4.000] @@ -735,7 +735,7 @@ new: [....58] [ip4][..tcp] [...192.168.1.29][51462] -> [..77.111.247.69][..443] detected: [....58] [ip4][..tcp] [...192.168.1.29][51462] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....58] [ip4][..tcp] [...192.168.1.29][51462] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....58] [ip4][..tcp] [...192.168.1.29][51462] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....58] [ip4][..tcp] [...192.168.1.29][51462] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.033| 0.008| 0.012| 145.944| 3.400] [PKTLEN......: 52.000| 1492.000| 372.100| 488.600| 238772.900| 3.900] @@ -754,7 +754,7 @@ detected: [....61] [ip4][..tcp] [...192.168.1.29][51465] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....60] [ip4][..tcp] [...192.168.1.29][51464] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....61] [ip4][..tcp] [...192.168.1.29][51465] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....59] [ip4][..tcp] [...192.168.1.29][51463] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....59] [ip4][..tcp] [...192.168.1.29][51463] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.034| 0.008| 0.012| 142.779| 3.400] [PKTLEN......: 52.000| 1492.000| 385.300| 506.900| 256960.200| 3.900] @@ -764,7 +764,7 @@ [IATS(ms)....: 26.9,27.0,0.1,26.1,1.5,27.4,0.1,0.1,0.2,0.1,25.7,1.2,7.6,34.1,0.1,0.0,0.1,0.1,26.1,2.8,28.8,0.3,0.3,0.9,0.9,0.3,0.0,0.3,0.5,0.1,0.1] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1469,52,52,91,52,93,76,52,591,52,1098,52,1492,52,704,52,1492,271,52,138,172,539] [ENTROPIES...: 4.2,5.2,4.6,4.4,4.9,7.8,4.7,7.8,4.7,5.9,7.9,5.0,5.0,6.0,4.8,5.9,5.6,4.8,7.6,4.9,7.8,4.6,7.9,4.6,7.7,4.6,7.9,7.2,4.6,6.3,6.5,7.6] - analyse: [....60] [ip4][..tcp] [...192.168.1.29][51464] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....60] [ip4][..tcp] [...192.168.1.29][51464] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.032| 0.009| 0.013| 162.784| 3.500] [PKTLEN......: 52.000| 1492.000| 403.100| 505.200| 255231.400| 4.000] @@ -774,7 +774,7 @@ [IATS(ms)....: 27.8,27.9,0.5,28.7,0.6,28.8,0.6,0.6,0.2,0.1,27.2,0.0,5.0,31.9,0.1,0.0,0.1,0.1,27.3,4.1,31.3,0.2,0.1,0.2,0.0,0.2,0.1,0.1,0.2,26.7,1.6] [PKTLENS.....: 64,60,52,569,52,1492,52,1127,52,116,1477,52,52,91,52,93,76,52,591,52,1098,52,1098,52,1492,704,52,830,52,148,52,1044] [ENTROPIES...: 4.1,5.2,4.6,4.4,4.9,7.8,4.7,7.8,4.7,6.0,7.9,5.0,4.9,5.9,4.7,6.0,5.7,4.7,7.6,5.0,7.8,4.7,7.8,4.7,7.9,7.7,4.7,7.8,4.7,6.3,5.0,7.8] - analyse: [....61] [ip4][..tcp] [...192.168.1.29][51465] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....61] [ip4][..tcp] [...192.168.1.29][51465] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.031| 0.009| 0.012| 155.373| 3.600] [PKTLEN......: 52.000| 1492.000| 343.300| 466.300| 217422.700| 3.900] diff --git a/test/results/flow-info/default/paltalk.pcapng.out b/test/results/flow-info/default/paltalk.pcapng.out new file mode 100644 index 000000000..9ebca8c3d --- /dev/null +++ b/test/results/flow-info/default/paltalk.pcapng.out @@ -0,0 +1,22 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [.192.168.88.208][51807] -> [...3.162.112.93][..443] + detected: [.....1] [ip4][..tcp] [.192.168.88.208][51807] -> [...3.162.112.93][..443] [TLS.Paltalk][AmazonAWS][Chat][Acceptable][paltalk.com] + RISK: TLS (probably) Not Carrying HTTPS + detection-update: [.....1] [ip4][..tcp] [.192.168.88.208][51807] -> [...3.162.112.93][..443] [TLS.Paltalk][AmazonAWS][Chat][Acceptable][paltalk.com] + RISK: TLS (probably) Not Carrying HTTPS + new: [.....2] [ip4][..tcp] [.158.69.169.104][.6845] -> [.192.168.88.208][51887] + detected: [.....2] [ip4][..tcp] [.158.69.169.104][.6845] -> [.192.168.88.208][51887] [Paltalk][Unknown][Chat][Acceptable] + DAEMON-EVENT: [Processed: 9 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 2 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0] + new: [.....3] [ip4][..tcp] [.192.168.88.208][50728] -> [...84.17.44.229][.7970] + detected: [.....3] [ip4][..tcp] [.192.168.88.208][50728] -> [...84.17.44.229][.7970] [Paltalk][Unknown][Chat][Acceptable] + new: [.....4] [ip4][..tcp] [.192.168.88.208][51825] -> [.44.194.181.195][...80] + detected: [.....4] [ip4][..tcp] [.192.168.88.208][51825] -> [.44.194.181.195][...80] [HTTP.Paltalk][AmazonAWS][Chat][Acceptable][qos.paltalkconnect.com] + idle: [.....2] [ip4][..tcp] [.158.69.169.104][.6845] -> [.192.168.88.208][51887] [Paltalk][Unknown][Chat][Acceptable] + idle: [.....4] [ip4][..tcp] [.192.168.88.208][51825] -> [.44.194.181.195][...80] [HTTP.Paltalk][AmazonAWS][Chat][Acceptable] + idle: [.....1] [ip4][..tcp] [.192.168.88.208][51807] -> [...3.162.112.93][..443] [TLS.Paltalk][AmazonAWS][Chat][Acceptable] + RISK: TLS (probably) Not Carrying HTTPS + idle: [.....3] [ip4][..tcp] [.192.168.88.208][50728] -> [...84.17.44.229][.7970] [Paltalk][Unknown][Chat][Acceptable] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/pinterest.pcap.out b/test/results/flow-info/default/pinterest.pcap.out index 476c7c3cb..64f6de286 100644 --- a/test/results/flow-info/default/pinterest.pcap.out +++ b/test/results/flow-info/default/pinterest.pcap.out @@ -44,7 +44,7 @@ new: [....10] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33156] -> [.....................64:ff9b::9765:7854][..443] [MIDSTREAM] new: [....11] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58726] -> [...............2a00:1450:4007:80b::2002][..443] [MIDSTREAM] new: [....12] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][34626] -> [.....................64:ff9b::acd9:13e2][..443] [MIDSTREAM] - analyse: [.....4] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38512] -> [.......................2a04:4e42:1d::84][..443] [TLS.Pinterest][Unknown][SocialNetwork][Fun][s.pinimg.com] + analyse: [.....4] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38512] -> [.......................2a04:4e42:1d::84][..443] [TLS.Pinterest][Unknown][SocialNetwork][Fun] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.054| 0.008| 0.015| 217.895| 3.000] [PKTLEN......: 72.000| 1460.000| 381.000| 486.900| 237029.200| 4.100] @@ -62,7 +62,7 @@ new: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33280] -> [.....................64:ff9b::9765:7854][..443] detection-update: [....14] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40694] -> [...............2a00:1450:4007:816::2004][..443] [TLS.Google][Google][Web][Acceptable][www.google.com] detected: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33280] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][Unknown][SocialNetwork][Fun][accounts.pinterest.com] - analyse: [....14] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40694] -> [...............2a00:1450:4007:816::2004][..443] [TLS.Google][Google][Web][Acceptable][www.google.com] + analyse: [....14] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40694] -> [...............2a00:1450:4007:816::2004][..443] [TLS.Google][Google][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.044| 0.009| 0.014| 192.210| 3.400] [PKTLEN......: 72.000| 1280.000| 251.000| 327.800| 107441.100| 4.100] @@ -75,7 +75,7 @@ detection-update: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33280] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][Unknown][SocialNetwork][Fun][accounts.pinterest.com] detection-update: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33280] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][Unknown][SocialNetwork][Fun][accounts.pinterest.com] new: [....16] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57050] -> [......................2a04:4e42:1d::720][..443] - analyse: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47032] -> [......................2600:1901::7a0b::][..443] [TLS][GoogleCloud][Web][Safe][sessions.bugsnag.com] + analyse: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47032] -> [......................2600:1901::7a0b::][..443] [TLS][GoogleCloud][Web][Safe] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.133| 0.015| 0.030| 874.849| 3.100] [PKTLEN......: 72.000| 1280.000| 309.400| 401.100| 160869.700| 4.100] @@ -117,7 +117,7 @@ detected: [....19] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51292] -> [.........2a03:2880:f030:13:face:b00c::3][..443] [TLS.Facebook][Facebook][SocialNetwork][Fun][connect.facebook.net] detection-update: [....18] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54416] -> [...............2a00:1450:4007:806::200e][..443] [TLS.Google][Google][Web][Acceptable][apis.google.com] detection-update: [....19] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51292] -> [.........2a03:2880:f030:13:face:b00c::3][..443] [TLS.Facebook][Facebook][SocialNetwork][Fun][connect.facebook.net] - analyse: [....19] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51292] -> [.........2a03:2880:f030:13:face:b00c::3][..443] [TLS.Facebook][Facebook][SocialNetwork][Fun][connect.facebook.net] + analyse: [....19] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51292] -> [.........2a03:2880:f030:13:face:b00c::3][..443] [TLS.Facebook][Facebook][SocialNetwork][Fun] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.093| 0.011| 0.022| 473.126| 3.000] [PKTLEN......: 72.000| 1452.000| 271.000| 368.400| 135732.300| 4.100] @@ -151,7 +151,7 @@ new: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40894] -> [...............2a00:1450:4007:816::200d][..443] detected: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40894] -> [...............2a00:1450:4007:816::200d][..443] [TLS.Google][Google][Web][Acceptable][accounts.google.com] detection-update: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40894] -> [...............2a00:1450:4007:816::200d][..443] [TLS.Google][Google][Web][Acceptable][accounts.google.com] - analyse: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47790] -> [...............2a00:1450:4007:816::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable][content-autofill.googleapis.com] + analyse: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47790] -> [...............2a00:1450:4007:816::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 1.486| 0.062| 0.261| 67965.321| 1.600] [PKTLEN......: 72.000| 1280.000| 238.100| 317.700| 100919.600| 4.100] @@ -161,7 +161,7 @@ [IATS(ms)....: 55.5,55.6,2.6,45.1,17.8,0.0,60.2,0.0,0.3,0.3,9.4,2.5,0.6,42.9,0.0,0.2,0.0,30.6,0.2,14.9,14.7,23.0,0.0,23.0,0.0,0.1,0.0,0.1,1.6,29.4,1485.9] [PKTLENS.....: 80,80,72,589,72,1280,1280,72,72,573,72,136,164,444,72,72,72,652,72,103,103,72,462,135,72,72,111,72,72,111,72,237] [ENTROPIES...: 4.8,5.2,5.1,4.7,5.0,7.8,7.8,5.2,5.2,7.6,5.2,6.1,6.5,7.5,5.1,5.1,5.1,7.6,5.2,5.8,5.7,5.2,7.5,6.2,5.2,5.2,5.9,5.1,5.2,6.0,5.1,6.9] - analyse: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40894] -> [...............2a00:1450:4007:816::200d][..443] [TLS.Google][Google][Web][Acceptable][accounts.google.com] + analyse: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40894] -> [...............2a00:1450:4007:816::200d][..443] [TLS.Google][Google][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.043| 0.009| 0.013| 168.080| 3.500] [PKTLEN......: 72.000| 1280.000| 418.800| 492.400| 242485.900| 4.100] @@ -189,7 +189,7 @@ detection-update: [....35] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38546] -> [.......................2a04:4e42:1d::84][..443] [TLS.Pinterest][Unknown][SocialNetwork][Fun][assets.pinterest.com] detection-update: [....35] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38546] -> [.......................2a04:4e42:1d::84][..443] [TLS.Pinterest][Unknown][SocialNetwork][Fun][assets.pinterest.com] detection-update: [....36] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][45126] -> [...............2a00:1450:4007:80a::200e][..443] [TLS.Google][Google][Advertisement][Acceptable][www.google-analytics.com] - analyse: [....36] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][45126] -> [...............2a00:1450:4007:80a::200e][..443] [TLS.Google][Google][Advertisement][Acceptable][www.google-analytics.com] + analyse: [....36] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][45126] -> [...............2a00:1450:4007:80a::200e][..443] [TLS.Google][Google][Advertisement][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.157| 0.016| 0.035| 1243.837| 2.700] [PKTLEN......: 72.000| 1280.000| 413.000| 486.700| 236885.800| 4.100] diff --git a/test/results/flow-info/default/portable_executable.pcap.out b/test/results/flow-info/default/portable_executable.pcap.out index faed0371e..66d6ab09d 100644 --- a/test/results/flow-info/default/portable_executable.pcap.out +++ b/test/results/flow-info/default/portable_executable.pcap.out @@ -7,6 +7,6 @@ RISK: Binary App Transfer, Susp Entropy idle: [.....1] [ip4][..tcp] [..172.16.99.201][.1732] -> [..64.227.107.71][.4444] guessed: [.....2] [ip4][..tcp] [..64.227.107.71][...53] -> [...172.16.99.10][49652] [DNS][Unknown][Network][Acceptable][] - RISK: Binary App Transfer, Malformed Packet, Susp Entropy + RISK: Binary App Transfer, Susp Entropy idle: [.....2] [ip4][..tcp] [..64.227.107.71][...53] -> [...172.16.99.10][49652] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/quic_sh.pcap.out b/test/results/flow-info/default/quic_sh.pcap.out new file mode 100644 index 000000000..7dadeafa6 --- /dev/null +++ b/test/results/flow-info/default/quic_sh.pcap.out @@ -0,0 +1,19 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip6][..udp] [...2001:b07:a3d:c112:91b7:b97e:6e2:fad8][37542] -> [.................2606:4700:7::a29f:9804][..443] + detected: [.....1] [ip6][..udp] [...2001:b07:a3d:c112:91b7:b97e:6e2:fad8][37542] -> [.................2606:4700:7::a29f:9804][..443] [QUIC][Cloudflare][Web][Acceptable] + RISK: Susp Entropy + new: [.....2] [ip6][..udp] [...............2a00:1450:4002:411::200e][..443] -> [...2001:b07:a3d:c112:91b7:b97e:6e2:fad8][33144] + detected: [.....2] [ip6][..udp] [...............2a00:1450:4002:411::200e][..443] -> [...2001:b07:a3d:c112:91b7:b97e:6e2:fad8][33144] [QUIC][Google][Web][Acceptable] + RISK: Susp Entropy + new: [.....3] [ip4][..udp] [..192.168.1.245][40408] -> [..13.226.175.53][..443] + detected: [.....3] [ip4][..udp] [..192.168.1.245][40408] -> [..13.226.175.53][..443] [QUIC][AmazonAWS][Web][Acceptable] + RISK: Unidirectional Traffic + idle: [.....3] [ip4][..udp] [..192.168.1.245][40408] -> [..13.226.175.53][..443] [QUIC][AmazonAWS][Web][Acceptable] + RISK: Unidirectional Traffic + idle: [.....1] [ip6][..udp] [...2001:b07:a3d:c112:91b7:b97e:6e2:fad8][37542] -> [.................2606:4700:7::a29f:9804][..443] [QUIC][Cloudflare][Web][Acceptable] + RISK: Susp Entropy + idle: [.....2] [ip6][..udp] [...............2a00:1450:4002:411::200e][..443] -> [...2001:b07:a3d:c112:91b7:b97e:6e2:fad8][33144] [QUIC][Google][Web][Acceptable] + RISK: Susp Entropy + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/rdp_over_tls.pcap.out b/test/results/flow-info/default/rdp_over_tls.pcap.out new file mode 100644 index 000000000..8a97a21d0 --- /dev/null +++ b/test/results/flow-info/default/rdp_over_tls.pcap.out @@ -0,0 +1,13 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1][..77] [ip4][..tcp] [..91.238.181.21][35888] -> [....89.31.79.12][.3389] + detected: [.....1][..77] [ip4][..tcp] [..91.238.181.21][35888] -> [....89.31.79.12][.3389] [RDP][Unknown][RemoteAccess][Acceptable] + RISK: Desktop/File Sharing + detection-update: [.....1][..77] [ip4][..tcp] [..91.238.181.21][35888] -> [....89.31.79.12][.3389] [TLS.RDP][Unknown][RemoteAccess][Acceptable][] + RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Desktop/File Sharing + detection-update: [.....1][..77] [ip4][..tcp] [..91.238.181.21][35888] -> [....89.31.79.12][.3389] [TLS.RDP][Unknown][RemoteAccess][Acceptable][] + RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Desktop/File Sharing + end: [.....1][..77] [ip4][..tcp] [..91.238.181.21][35888] -> [....89.31.79.12][.3389] [TLS.RDP][Unknown][RemoteAccess][Acceptable] + RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Desktop/File Sharing + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/reddit.pcap.out b/test/results/flow-info/default/reddit.pcap.out index 43f2cd972..849971155 100644 --- a/test/results/flow-info/default/reddit.pcap.out +++ b/test/results/flow-info/default/reddit.pcap.out @@ -15,7 +15,7 @@ detected: [.....4] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56560] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][Unknown][SocialNetwork][Fun][www.reddit.com] detection-update: [.....4] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56560] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][Unknown][SocialNetwork][Fun][www.reddit.com] detection-update: [.....4] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56560] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][Unknown][SocialNetwork][Fun][www.reddit.com] - analyse: [.....1] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40028] -> [...............2a00:1450:4007:80a::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable][safebrowsing.googleapis.com] + analyse: [.....1] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40028] -> [...............2a00:1450:4007:80a::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.076| 0.013| 0.023| 533.820| 3.200] [PKTLEN......: 72.000| 1280.000| 281.100| 342.100| 117045.100| 4.200] @@ -122,7 +122,7 @@ detection-update: [....22] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][50960] -> [...............2a00:1450:4007:805::2002][..443] [TLS.GoogleServices][Google][Web][Acceptable][www.googletagservices.com] detection-update: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43492] -> [......................64:ff9b::df9:21c6][..443] [TLS.Amazon][Unknown][Web][Acceptable][c.amazon-adsystem.com] detection-update: [....24] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38320] -> [.....................64:ff9b::6853:b3b6][..443] [TLS][Unknown][Web][Safe][c.aaxads.com] - analyse: [....22] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][50960] -> [...............2a00:1450:4007:805::2002][..443] [TLS.GoogleServices][Google][Web][Acceptable][www.googletagservices.com] + analyse: [....22] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][50960] -> [...............2a00:1450:4007:805::2002][..443] [TLS.GoogleServices][Google][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.044| 0.008| 0.014| 200.596| 3.100] [PKTLEN......: 72.000| 1280.000| 422.500| 490.000| 240053.700| 4.100] @@ -153,7 +153,7 @@ detected: [....27] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39520] -> [...............2a00:1450:4007:816::2008][..443] [TLS.GoogleServices][Google][Web][Acceptable][www.googletagmanager.com] detection-update: [....27] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39520] -> [...............2a00:1450:4007:816::2008][..443] [TLS.GoogleServices][Google][Web][Acceptable][www.googletagmanager.com] new: [....28] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][32970] -> [.....................64:ff9b::6853:b3d1][..443] - analyse: [....27] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39520] -> [...............2a00:1450:4007:816::2008][..443] [TLS.GoogleServices][Google][Web][Acceptable][www.googletagmanager.com] + analyse: [....27] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39520] -> [...............2a00:1450:4007:816::2008][..443] [TLS.GoogleServices][Google][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.044| 0.008| 0.014| 205.550| 3.200] [PKTLEN......: 72.000| 1280.000| 415.800| 486.500| 236643.500| 4.100] @@ -201,7 +201,7 @@ detection-update: [....34] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51100] -> [.....................64:ff9b::d83a:d1e6][..443] [TLS.Google][Unknown][Advertisement][Acceptable][ad.doubleclick.net] detection-update: [....35] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51102] -> [.....................64:ff9b::d83a:d1e6][..443] [TLS.Google][Unknown][Advertisement][Acceptable][ad.doubleclick.net] detection-update: [....36] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56186] -> [...2600:9000:219c:ee00:6:44e3:f8c0:93a1][..443] [TLS][AmazonAWS][Web][Safe][rules.quantcount.com] - analyse: [....34] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51100] -> [.....................64:ff9b::d83a:d1e6][..443] [TLS.Google][Unknown][Advertisement][Acceptable][ad.doubleclick.net] + analyse: [....34] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51100] -> [.....................64:ff9b::d83a:d1e6][..443] [TLS.Google][Unknown][Advertisement][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.043| 0.011| 0.015| 223.794| 3.600] [PKTLEN......: 72.000| 1460.000| 250.000| 362.600| 131502.000| 4.000] @@ -228,7 +228,7 @@ new: [....39] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57282] -> [...............2a00:1450:4007:805::2004][..443] detected: [....38] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54726] -> [...............2a00:1450:4007:808::2006][..443] [TLS.Google][Google][Advertisement][Acceptable][static.doubleclick.net] detected: [....39] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57282] -> [...............2a00:1450:4007:805::2004][..443] [TLS.Google][Google][Web][Acceptable][www.google.com] - analyse: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39736] -> [.....2606:2800:134:1a0d:1429:742:782:b6][..443] [TLS.Twitter][Edgecast][SocialNetwork][Fun][cdn.syndication.twimg.com] + analyse: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39736] -> [.....2606:2800:134:1a0d:1429:742:782:b6][..443] [TLS.Twitter][Edgecast][SocialNetwork][Fun] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.051| 0.012| 0.018| 319.203| 3.500] [PKTLEN......: 72.000| 1280.000| 307.800| 396.400| 157103.100| 4.100] @@ -247,7 +247,7 @@ detected: [....42] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47302] -> [...............2a00:1450:4007:80c::2003][..443] [TLS.Google][Google][Web][Acceptable][fonts.gstatic.com] detected: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47304] -> [...............2a00:1450:4007:80c::2003][..443] [TLS.Google][Google][Web][Acceptable][fonts.gstatic.com] detected: [....40] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58122] -> [...............2a00:1450:4007:805::2001][..443] [TLS.YouTube][Google][Media][Fun][yt3.ggpht.com] - analyse: [....39] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57282] -> [...............2a00:1450:4007:805::2004][..443] [TLS.Google][Google][Web][Acceptable][www.google.com] + analyse: [....39] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57282] -> [...............2a00:1450:4007:805::2004][..443] [TLS.Google][Google][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.062| 0.009| 0.018| 308.294| 3.000] [PKTLEN......: 72.000| 1280.000| 412.800| 483.300| 233579.900| 4.100] @@ -262,7 +262,7 @@ detection-update: [....41] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][52296] -> [...............2a00:1450:4007:815::2016][..443] [TLS.YouTube][Google][Media][Fun][i.ytimg.com] detection-update: [....42] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47302] -> [...............2a00:1450:4007:80c::2003][..443] [TLS.Google][Google][Web][Acceptable][fonts.gstatic.com] detection-update: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47304] -> [...............2a00:1450:4007:80c::2003][..443] [TLS.Google][Google][Web][Acceptable][fonts.gstatic.com] - analyse: [....40] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58122] -> [...............2a00:1450:4007:805::2001][..443] [TLS.YouTube][Google][Media][Fun][yt3.ggpht.com] + analyse: [....40] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58122] -> [...............2a00:1450:4007:805::2001][..443] [TLS.YouTube][Google][Media][Fun] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.069| 0.011| 0.023| 518.376| 2.800] [PKTLEN......: 72.000| 1280.000| 385.700| 459.200| 210886.500| 4.100] @@ -299,7 +299,7 @@ detection-update: [....48] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][59624] -> [...............2a00:1450:4007:80b::2001][..443] [TLS.Google][Google][Advertisement][Acceptable][8a755a3fef0b189d8ab5b0d10758f68a.safeframe.googlesyndication.com] detection-update: [....47] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46646] -> [.....................64:ff9b::345f:7ca5][..443] [TLS.Amazon][Unknown][Web][Acceptable][aax-eu.amazon-adsystem.com] detection-update: [....47] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46646] -> [.....................64:ff9b::345f:7ca5][..443] [TLS.Amazon][Unknown][Web][Acceptable][aax-eu.amazon-adsystem.com] - analyse: [....46] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][59336] -> [...............2a00:1450:4007:80b::2002][..443] [TLS.Google][Google][Advertisement][Acceptable][adservice.google.com] + analyse: [....46] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][59336] -> [...............2a00:1450:4007:80b::2002][..443] [TLS.Google][Google][Advertisement][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.046| 0.008| 0.012| 155.374| 3.400] [PKTLEN......: 72.000| 1280.000| 280.100| 371.700| 138197.800| 4.100] @@ -309,7 +309,7 @@ [IATS(ms)....: 18.5,18.6,0.4,37.2,9.0,0.0,0.0,0.0,45.9,0.0,0.0,0.0,8.7,0.4,0.3,33.6,0.0,0.1,1.2,0.0,25.4,0.0,0.5,7.3,0.0,0.0,6.8,0.0,0.0,3.7,20.5] [PKTLENS.....: 80,80,72,589,72,1280,1280,1280,273,72,72,72,72,136,164,349,72,72,72,652,103,72,72,103,775,516,111,72,72,72,111,72] [ENTROPIES...: 4.8,5.3,5.2,4.6,5.1,7.8,7.8,7.8,7.0,5.2,5.2,5.2,5.2,6.3,6.6,7.3,5.1,5.1,5.1,7.6,5.7,5.3,5.3,5.9,7.7,7.6,5.9,5.2,5.2,5.2,6.0,5.0] - analyse: [....48] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][59624] -> [...............2a00:1450:4007:80b::2001][..443] [TLS.Google][Google][Advertisement][Acceptable][8a755a3fef0b189d8ab5b0d10758f68a.safeframe.googlesyndication.com] + analyse: [....48] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][59624] -> [...............2a00:1450:4007:80b::2001][..443] [TLS.Google][Google][Advertisement][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.034| 0.007| 0.011| 127.134| 3.400] [PKTLEN......: 72.000| 1280.000| 323.800| 408.200| 166632.700| 4.100] @@ -350,7 +350,7 @@ detection-update: [....56] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][36966] -> [...............2a00:1450:4007:80f::2001][..443] [TLS.Google][Google][Advertisement][Acceptable][tpc.googlesyndication.com] detection-update: [....58] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][36970] -> [...............2a00:1450:4007:80f::2001][..443] [TLS.Google][Google][Advertisement][Acceptable][tpc.googlesyndication.com] detection-update: [....57] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][36968] -> [...............2a00:1450:4007:80f::2001][..443] [TLS.Google][Google][Advertisement][Acceptable][tpc.googlesyndication.com] - analyse: [....55] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][36964] -> [...............2a00:1450:4007:80f::2001][..443] [TLS.Google][Google][Advertisement][Acceptable][tpc.googlesyndication.com] + analyse: [....55] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][36964] -> [...............2a00:1450:4007:80f::2001][..443] [TLS.Google][Google][Advertisement][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.046| 0.009| 0.014| 200.064| 3.400] [PKTLEN......: 72.000| 1280.000| 320.900| 398.400| 158685.900| 4.100] @@ -360,7 +360,7 @@ [IATS(ms)....: 29.5,29.5,0.1,39.8,6.2,0.0,0.0,45.9,0.0,0.0,16.6,7.4,0.9,0.2,45.4,0.2,20.4,0.5,14.7,1.9,0.0,0.0,16.1,2.9,0.0,0.0,3.0,0.0,0.0,1.6,0.0] [PKTLENS.....: 80,80,72,589,72,1280,1280,311,72,72,72,136,164,391,375,72,652,72,103,72,103,72,72,72,551,398,207,72,72,72,1280,1280] [ENTROPIES...: 4.9,5.3,5.2,4.6,5.1,7.8,7.9,7.2,5.2,5.2,5.1,6.1,6.5,7.4,7.3,5.0,7.7,5.2,5.8,5.1,5.8,5.0,5.0,5.1,7.6,7.4,6.7,5.2,5.2,5.1,7.8,7.8] - analyse: [....54] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38166] -> [...............2a00:1450:4007:811::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable][fonts.googleapis.com] + analyse: [....54] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38166] -> [...............2a00:1450:4007:811::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.044| 0.010| 0.013| 181.589| 3.600] [PKTLEN......: 72.000| 1280.000| 270.100| 336.600| 113301.500| 4.200] @@ -426,14 +426,14 @@ idle: [....32] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48648] -> [...2620:116:800d:21:f916:5049:f87f:108e][..443] [TLS][Unknown][Web][Safe][secure.quantserve.com] idle: [....54] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38166] -> [...............2a00:1450:4007:811::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable][fonts.googleapis.com] idle: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43492] -> [......................64:ff9b::df9:21c6][..443] [TLS.Amazon][Unknown][Web][Acceptable][c.amazon-adsystem.com] - idle: [....38] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54726] -> [...............2a00:1450:4007:808::2006][..443] [TLS.Google][Google][Advertisement][Acceptable][static.doubleclick.net] + idle: [....38] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54726] -> [...............2a00:1450:4007:808::2006][..443] [TLS.Google][Google][Advertisement][Acceptable] idle: [....31] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54862] -> [...............2a00:1450:4007:806::200e][..443] [TLS.YouTube][Google][Media][Fun] - idle: [....30] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39626] -> [.....................64:ff9b::2278:cf94][..443] [TLS][Unknown][Web][Safe][id.rlcdn.com] - idle: [....49] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46806] -> [...............2a00:1450:4007:808::2001][..443] [TLS.Google][Google][Web][Acceptable][cdn.ampproject.org] + idle: [....30] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39626] -> [.....................64:ff9b::2278:cf94][..443] [TLS][Unknown][Web][Safe] + idle: [....49] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46806] -> [...............2a00:1450:4007:808::2001][..443] [TLS.Google][Google][Web][Acceptable] end: [....50] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46808] -> [...............2a00:1450:4007:808::2001][..443] [TLS.Google][Google][Web][Acceptable] end: [....51] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46810] -> [...............2a00:1450:4007:808::2001][..443] [TLS.Google][Google][Web][Acceptable] end: [....52] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46812] -> [...............2a00:1450:4007:808::2001][..443] [TLS.Google][Google][Web][Acceptable] end: [....53] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46814] -> [...............2a00:1450:4007:808::2001][..443] [TLS.Google][Google][Web][Acceptable] idle: [....22] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][50960] -> [...............2a00:1450:4007:805::2002][..443] [TLS.GoogleServices][Google][Web][Acceptable][www.googletagservices.com] - idle: [....45] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51006] -> [...............2a00:1450:4007:805::2002][..443] [TLS.Google][Google][Web][Acceptable][adservice.google.fr] + idle: [....45] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51006] -> [...............2a00:1450:4007:805::2002][..443] [TLS.Google][Google][Web][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/rtmp.pcap.out b/test/results/flow-info/default/rtmp.pcap.out index b4f4d4534..e5f2ef925 100644 --- a/test/results/flow-info/default/rtmp.pcap.out +++ b/test/results/flow-info/default/rtmp.pcap.out @@ -3,5 +3,39 @@ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....1] [ip4][..tcp] [...192.168.43.1][.1177] -> [.192.168.43.128][.1935] detected: [.....1] [ip4][..tcp] [...192.168.43.1][.1177] -> [.192.168.43.128][.1935] [RTMP][Unknown][Media][Acceptable] + DAEMON-EVENT: [Processed: 26 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + ERROR-EVENT: Unknown packet type [1/16] + ERROR-EVENT: Unknown packet type [2/16] + ERROR-EVENT: Unknown packet type [3/16] + ERROR-EVENT: Unknown packet type [4/16] + ERROR-EVENT: Unknown packet type [5/16] + ERROR-EVENT: Unknown packet type [6/16] + ERROR-EVENT: Unknown packet type [7/16] + ERROR-EVENT: Unknown packet type [8/16] + ERROR-EVENT: Unknown packet type [9/16] + ERROR-EVENT: Unknown packet type [10/16] + ERROR-EVENT: Unknown packet type [11/16] + ERROR-EVENT: Unknown packet type [12/16] + ERROR-EVENT: Unknown packet type [13/16] + ERROR-EVENT: Unknown packet type [14/16] + ERROR-EVENT: Unknown packet type [15/16] + ERROR-EVENT: Unknown packet type [16/16] + ERROR-EVENT: Unknown packet type [1/16] + ERROR-EVENT: Unknown packet type [2/16] + ERROR-EVENT: Unknown packet type [3/16] + ERROR-EVENT: Unknown packet type [4/16] + ERROR-EVENT: Unknown packet type [5/16] + ERROR-EVENT: Unknown packet type [6/16] + ERROR-EVENT: Unknown packet type [7/16] + ERROR-EVENT: Unknown packet type [8/16] + ERROR-EVENT: Unknown packet type [9/16] + ERROR-EVENT: Unknown packet type [10/16] + ERROR-EVENT: Unknown packet type [11/16] + ERROR-EVENT: Unknown packet type [12/16] + ERROR-EVENT: Unknown packet type [13/16] + ERROR-EVENT: Unknown packet type [14/16] + ERROR-EVENT: Unknown packet type [15/16] + ERROR-EVENT: Unknown packet type [16/16] idle: [.....1] [ip4][..tcp] [...192.168.43.1][.1177] -> [.192.168.43.128][.1935] [RTMP][Unknown][Media][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/safari.pcap.out b/test/results/flow-info/default/safari.pcap.out index ce6ccc9f9..e1c5e434e 100644 --- a/test/results/flow-info/default/safari.pcap.out +++ b/test/results/flow-info/default/safari.pcap.out @@ -30,7 +30,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [.....6] [ip4][..tcp] [..192.168.1.178][55269] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] RISK: TLS (probably) Not Carrying HTTPS - analyse: [.....4] [ip4][..tcp] [..192.168.1.178][55267] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] + analyse: [.....4] [ip4][..tcp] [..192.168.1.178][55267] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.119| 0.018| 0.029| 823.374| 3.500] [PKTLEN......: 52.000| 1492.000| 618.000| 660.500| 436248.100| 4.100] @@ -45,15 +45,15 @@ detection-update: [.....7] [ip4][..tcp] [..192.168.1.178][55285] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] detection-update: [.....7] [ip4][..tcp] [..192.168.1.178][55285] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] idle: [.....1] [ip4][..tcp] [..192.168.1.178][55262] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] - idle: [.....2] [ip4][..tcp] [..192.168.1.178][55265] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] + idle: [.....2] [ip4][..tcp] [..192.168.1.178][55265] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] RISK: TLS (probably) Not Carrying HTTPS - idle: [.....3] [ip4][..tcp] [..192.168.1.178][55266] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] + idle: [.....3] [ip4][..tcp] [..192.168.1.178][55266] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] RISK: TLS (probably) Not Carrying HTTPS idle: [.....4] [ip4][..tcp] [..192.168.1.178][55267] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] RISK: TLS (probably) Not Carrying HTTPS - idle: [.....5] [ip4][..tcp] [..192.168.1.178][55268] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] + idle: [.....5] [ip4][..tcp] [..192.168.1.178][55268] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] RISK: TLS (probably) Not Carrying HTTPS - idle: [.....6] [ip4][..tcp] [..192.168.1.178][55269] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] + idle: [.....6] [ip4][..tcp] [..192.168.1.178][55269] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] RISK: TLS (probably) Not Carrying HTTPS idle: [.....7] [ip4][..tcp] [..192.168.1.178][55285] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/signal.pcap.out b/test/results/flow-info/default/signal.pcap.out index 736512cc4..f57521301 100644 --- a/test/results/flow-info/default/signal.pcap.out +++ b/test/results/flow-info/default/signal.pcap.out @@ -18,7 +18,7 @@ detected: [.....5] [ip4][..tcp] [...192.168.2.17][57019] -> [.34.225.240.173][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] detected: [.....7] [ip4][..tcp] [...192.168.2.17][57021] -> [.34.225.240.173][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] detected: [.....6] [ip4][..tcp] [...192.168.2.17][57020] -> [.34.225.240.173][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] - analyse: [.....4] [ip4][..tcp] [...192.168.2.17][57018] -> [....23.57.24.16][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun][itunes.apple.com] + analyse: [.....4] [ip4][..tcp] [...192.168.2.17][57018] -> [....23.57.24.16][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.052| 0.012| 0.020| 399.390| 3.200] [PKTLEN......: 52.000| 1492.000| 413.300| 522.500| 272968.600| 4.000] @@ -61,7 +61,7 @@ detected: [....13] [ip4][..tcp] [...192.168.2.17][57023] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] detected: [....14] [ip4][..tcp] [...192.168.2.17][57024] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] detected: [....15] [ip4][..tcp] [...192.168.2.17][57025] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] - analyse: [....11] [ip4][..tcp] [...192.168.2.17][57022] -> [....23.57.24.16][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun][itunes.apple.com] + analyse: [....11] [ip4][..tcp] [...192.168.2.17][57022] -> [....23.57.24.16][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.101| 0.015| 0.025| 625.062| 3.300] [PKTLEN......: 52.000| 1492.000| 431.700| 520.400| 270842.400| 4.100] @@ -85,7 +85,7 @@ detected: [....17] [ip4][..tcp] [...192.168.2.17][57026] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] detection-update: [....17] [ip4][..tcp] [...192.168.2.17][57026] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] detection-update: [....17] [ip4][..tcp] [...192.168.2.17][57026] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] - analyse: [....17] [ip4][..tcp] [...192.168.2.17][57026] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] + analyse: [....17] [ip4][..tcp] [...192.168.2.17][57026] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.115| 0.033| 0.050| 2490.513| 3.300] [PKTLEN......: 52.000| 1492.000| 519.200| 606.200| 367455.800| 4.100] @@ -121,12 +121,12 @@ end: [....18] [ip4][..tcp] [....23.57.24.16][..443] -> [...192.168.2.17][57016] [TLS][Unknown][Web][Safe] end: [.....4] [ip4][..tcp] [...192.168.2.17][57018] -> [....23.57.24.16][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun][itunes.apple.com] end: [....11] [ip4][..tcp] [...192.168.2.17][57022] -> [....23.57.24.16][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun][itunes.apple.com] - end: [.....5] [ip4][..tcp] [...192.168.2.17][57019] -> [.34.225.240.173][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] - end: [.....6] [ip4][..tcp] [...192.168.2.17][57020] -> [.34.225.240.173][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] - end: [.....7] [ip4][..tcp] [...192.168.2.17][57021] -> [.34.225.240.173][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] - idle: [....13] [ip4][..tcp] [...192.168.2.17][57023] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] - idle: [....14] [ip4][..tcp] [...192.168.2.17][57024] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] - idle: [....15] [ip4][..tcp] [...192.168.2.17][57025] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] + end: [.....5] [ip4][..tcp] [...192.168.2.17][57019] -> [.34.225.240.173][..443] [TLS.Signal][AmazonAWS][Chat][Fun] + end: [.....6] [ip4][..tcp] [...192.168.2.17][57020] -> [.34.225.240.173][..443] [TLS.Signal][AmazonAWS][Chat][Fun] + end: [.....7] [ip4][..tcp] [...192.168.2.17][57021] -> [.34.225.240.173][..443] [TLS.Signal][AmazonAWS][Chat][Fun] + idle: [....13] [ip4][..tcp] [...192.168.2.17][57023] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun] + idle: [....14] [ip4][..tcp] [...192.168.2.17][57024] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun] + idle: [....15] [ip4][..tcp] [...192.168.2.17][57025] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun] idle: [....17] [ip4][..tcp] [...192.168.2.17][57026] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] end: [.....9] [ip4][..tcp] [...192.168.2.17][57017] -> [...2.18.232.118][..443] [TLS][Unknown][Web][Safe] end: [.....3] [ip4][..tcp] [...192.168.2.17][49226] -> [.34.225.240.173][..443] [TLS.Signal][AmazonAWS][Chat][Fun] diff --git a/test/results/flow-info/default/sites.pcapng.out b/test/results/flow-info/default/sites.pcapng.out index 1874af900..3c5d4ff5d 100644 --- a/test/results/flow-info/default/sites.pcapng.out +++ b/test/results/flow-info/default/sites.pcapng.out @@ -260,7 +260,7 @@ detected: [....52] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48624] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable][telegram.me] detection-update: [....51] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48616] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable][t.me] detection-update: [....52] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48624] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable][telegram.me] - end: [....48] [ip4][..tcp] [..192.168.1.245][49558] -> [..80.158.42.215][..443] [TLS.HuaweiCloud][Unknown][Cloud][Acceptable][id7.cloud.huawei.com] + end: [....48] [ip4][..tcp] [..192.168.1.245][49558] -> [..80.158.42.215][..443] [TLS.HuaweiCloud][Unknown][Cloud][Acceptable] idle: [....47] [ip4][..tcp] [..192.168.1.245][54690] -> [.160.44.196.198][..443] [TLS.HuaweiCloud][Unknown][Cloud][Acceptable] idle: [....49] [ip6][..tcp] [...2001:b07:a3d:c112:c044:a6d4:80d:5d55][39970] -> [...2600:9000:25ea:1200:1:12d8:5a00:93a1][..443] [TLS.HuaweiCloud][AmazonAWS][Cloud][Acceptable] DAEMON-EVENT: [Processed: 584 pkts][ZLib][compressions: 0|diff: 0 / 0] @@ -325,6 +325,6 @@ new: [....64] [ip4][..tcp] [..192.168.1.183][44102] -> [..146.70.182.51][..443] detected: [....64] [ip4][..tcp] [..192.168.1.183][44102] -> [..146.70.182.51][..443] [TLS.SurfShark][Unknown][VPN][Acceptable][it-mil-v086.prod.surfshark.com] detection-update: [....64] [ip4][..tcp] [..192.168.1.183][44102] -> [..146.70.182.51][..443] [TLS.SurfShark][Unknown][VPN][Acceptable][it-mil-v086.prod.surfshark.com] - idle: [....64] [ip4][..tcp] [..192.168.1.183][44102] -> [..146.70.182.51][..443] [TLS.SurfShark][Unknown][VPN][Acceptable][it-mil-v086.prod.surfshark.com] - idle: [....63] [ip4][..tcp] [..192.168.1.245][58624] -> [.104.16.156.111][..443] [TLS.NordVPN][Cloudflare][VPN][Acceptable][s1.nordcdn.com] + idle: [....64] [ip4][..tcp] [..192.168.1.183][44102] -> [..146.70.182.51][..443] [TLS.SurfShark][Unknown][VPN][Acceptable] + idle: [....63] [ip4][..tcp] [..192.168.1.245][58624] -> [.104.16.156.111][..443] [TLS.NordVPN][Cloudflare][VPN][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/sites2.pcapng.out b/test/results/flow-info/default/sites2.pcapng.out new file mode 100644 index 000000000..ccfd070dc --- /dev/null +++ b/test/results/flow-info/default/sites2.pcapng.out @@ -0,0 +1,19 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [..192.168.12.67][46892] -> [...2.23.155.106][..443] + detected: [.....1] [ip4][..tcp] [..192.168.12.67][46892] -> [...2.23.155.106][..443] [TLS.Shein][Unknown][Shopping][Acceptable][img.shein.com] + detection-update: [.....1] [ip4][..tcp] [..192.168.12.67][46892] -> [...2.23.155.106][..443] [TLS.Shein][Unknown][Shopping][Acceptable][img.shein.com] + DAEMON-EVENT: [Processed: 13 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0] + new: [.....2] [ip4][..tcp] [..192.168.12.67][47694] -> [......20.15.0.9][..443] + detected: [.....2] [ip4][..tcp] [..192.168.12.67][47694] -> [......20.15.0.9][..443] [TLS.Temu][Azure][Shopping][Acceptable][gtm.temu.com] + detection-update: [.....2] [ip4][..tcp] [..192.168.12.67][47694] -> [......20.15.0.9][..443] [TLS.Temu][Azure][Shopping][Acceptable][gtm.temu.com] + new: [.....3] [ip4][..tcp] [..192.168.12.67][43446] -> [..59.82.122.224][..443] + detected: [.....3] [ip4][..tcp] [..192.168.12.67][43446] -> [..59.82.122.224][..443] [TLS.Taobao][Alibaba][Shopping][Acceptable][umdc.taobao.com] + detection-update: [.....3] [ip4][..tcp] [..192.168.12.67][43446] -> [..59.82.122.224][..443] [TLS.Taobao][Alibaba][Shopping][Acceptable][umdc.taobao.com] + detection-update: [.....3] [ip4][..tcp] [..192.168.12.67][43446] -> [..59.82.122.224][..443] [TLS.Taobao][Alibaba][Shopping][Acceptable][umdc.taobao.com] + idle: [.....1] [ip4][..tcp] [..192.168.12.67][46892] -> [...2.23.155.106][..443] [TLS.Shein][Unknown][Shopping][Acceptable] + idle: [.....2] [ip4][..tcp] [..192.168.12.67][47694] -> [......20.15.0.9][..443] [TLS.Temu][Azure][Shopping][Acceptable] + idle: [.....3] [ip4][..tcp] [..192.168.12.67][43446] -> [..59.82.122.224][..443] [TLS.Taobao][Alibaba][Shopping][Acceptable] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/smtp-starttls.pcap.out b/test/results/flow-info/default/smtp-starttls.pcap.out index 320d13cfe..9c29e6843 100644 --- a/test/results/flow-info/default/smtp-starttls.pcap.out +++ b/test/results/flow-info/default/smtp-starttls.pcap.out @@ -10,7 +10,7 @@ RISK: Obsolete TLS (v1.1 or older) detection-update: [.....1] [ip4][..tcp] [.......10.0.0.1][57406] -> [..173.194.68.26][...25] [SMTPS.Google][Google][Email][Acceptable] RISK: Obsolete TLS (v1.1 or older) - analyse: [.....1] [ip4][..tcp] [.......10.0.0.1][57406] -> [..173.194.68.26][...25] [SMTPS.Google][Google][Email][Acceptable][mx.google.com] + analyse: [.....1] [ip4][..tcp] [.......10.0.0.1][57406] -> [..173.194.68.26][...25] [SMTPS.Google][Google][Email][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.157| 0.030| 0.035| 1204.841| 4.200] [PKTLEN......: 52.000| 1470.000| 240.300| 368.100| 135468.500| 4.000] @@ -28,7 +28,7 @@ RISK: TLS (probably) Not Carrying HTTPS, TLS Susp Extn detection-update: [.....2] [ip6][..tcp] [...2003:de:2016:125:fc36:8317:4e86:cb72][.7562] -> [...............2003:de:2016:120::a08:53][...25] [SMTPS][Unknown][Email][Safe] RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS, TLS Susp Extn - analyse: [.....2] [ip6][..tcp] [...2003:de:2016:125:fc36:8317:4e86:cb72][.7562] -> [...............2003:de:2016:120::a08:53][...25] [SMTPS][Unknown][Email][Safe][dovecot.weberlab.de] + analyse: [.....2] [ip6][..tcp] [...2003:de:2016:125:fc36:8317:4e86:cb72][.7562] -> [...............2003:de:2016:120::a08:53][...25] [SMTPS][Unknown][Email][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.203| 0.019| 0.049| 2372.381| 2.800] [PKTLEN......: 60.000| 1200.000| 180.500| 257.100| 66086.800| 4.200] diff --git a/test/results/flow-info/default/smtps.pcapng.out b/test/results/flow-info/default/smtps.pcapng.out index 80b081b41..ebe6232d6 100644 --- a/test/results/flow-info/default/smtps.pcapng.out +++ b/test/results/flow-info/default/smtps.pcapng.out @@ -4,8 +4,6 @@ new: [.....1] [ip4][..tcp] [....62.43.36.99][37682] -> [...21.65.95.132][..465] detected: [.....1] [ip4][..tcp] [....62.43.36.99][37682] -> [...21.65.95.132][..465] [SMTPS][Unknown][Email][Safe] RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn - detection-update: [.....1] [ip4][..tcp] [....62.43.36.99][37682] -> [...21.65.95.132][..465] [SMTPS][Unknown][Email][Safe] - RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn idle: [.....1] [ip4][..tcp] [....62.43.36.99][37682] -> [...21.65.95.132][..465] [SMTPS][Unknown][Email][Safe] RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/snapchat.pcap.out b/test/results/flow-info/default/snapchat.pcap.out index 50b57301e..10e66fb5d 100644 --- a/test/results/flow-info/default/snapchat.pcap.out +++ b/test/results/flow-info/default/snapchat.pcap.out @@ -14,6 +14,6 @@ detection-update: [.....3] [ip4][..tcp] [.......10.8.0.1][56193] -> [.74.125.136.141][..443] [TLS.Snapchat][Google][SocialNetwork][Fun][feelinsonice-hrd.appspot.com] end: [.....1] [ip4][..tcp] [.......10.8.0.1][33233] -> [.74.125.136.141][..443] [TLS][Google][Web][Safe] RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn - idle: [.....3] [ip4][..tcp] [.......10.8.0.1][56193] -> [.74.125.136.141][..443] [TLS.Snapchat][Google][SocialNetwork][Fun][feelinsonice-hrd.appspot.com] - idle: [.....2] [ip4][..tcp] [.......10.8.0.1][44536] -> [.74.125.136.141][..443] [TLS.Snapchat][Google][SocialNetwork][Fun][feelinsonice-hrd.appspot.com] + idle: [.....3] [ip4][..tcp] [.......10.8.0.1][56193] -> [.74.125.136.141][..443] [TLS.Snapchat][Google][SocialNetwork][Fun] + idle: [.....2] [ip4][..tcp] [.......10.8.0.1][44536] -> [.74.125.136.141][..443] [TLS.Snapchat][Google][SocialNetwork][Fun] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/soap.pcap.out b/test/results/flow-info/default/soap.pcap.out index 4a974492b..c7ff5b26a 100644 --- a/test/results/flow-info/default/soap.pcap.out +++ b/test/results/flow-info/default/soap.pcap.out @@ -2,6 +2,7 @@ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....1] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][...80] + detected: [.....1] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][...80] [SOAP][Unknown][RPC][Acceptable] new: [.....2] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][.4176] [MIDSTREAM] detected: [.....2] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][.4176] [HTTP.SOAP][Unknown][Cloud][Acceptable][go.microsoft.com] RISK: Known Proto on Non Std Port @@ -12,6 +13,5 @@ idle: [.....3][.808] [ip4][..tcp] [..185.32.192.30][...80] -> [.85.154.114.113][56028] [SOAP][Unknown][RPC][Acceptable] idle: [.....2] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][.4176] [HTTP.SOAP][Unknown][Cloud][Acceptable] RISK: Known Proto on Non Std Port - guessed: [.....1] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][...80] [HTTP][Unknown][Web][Acceptable][] - end: [.....1] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][...80] + end: [.....1] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][...80] [SOAP][Unknown][RPC][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/sonos.pcapng.out b/test/results/flow-info/default/sonos.pcapng.out new file mode 100644 index 000000000..50883679b --- /dev/null +++ b/test/results/flow-info/default/sonos.pcapng.out @@ -0,0 +1,28 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [...192.168.1.29][52425] -> [...192.168.1.70][.1443] + detected: [.....1] [ip4][..tcp] [...192.168.1.29][52425] -> [...192.168.1.70][.1443] [TLS][Unknown][Web][Safe][192.168.1.70] + RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS + detection-update: [.....1] [ip4][..tcp] [...192.168.1.29][52425] -> [...192.168.1.70][.1443] [TLS][Unknown][Web][Safe][192.168.1.70] + RISK: Known Proto on Non Std Port, Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS + detection-update: [.....1] [ip4][..tcp] [...192.168.1.29][52425] -> [...192.168.1.70][.1443] [TLS.Sonos][Unknown][Music][Fun][192.168.1.70] + RISK: Known Proto on Non Std Port, Weak TLS Cipher, TLS Cert Mismatch, TLS (probably) Not Carrying HTTPS + analyse: [.....1] [ip4][..tcp] [...192.168.1.29][52425] -> [...192.168.1.70][.1443] [TLS.Sonos][Unknown][Music][Fun] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.077| 0.006| 0.016| 258.244| 2.100] + [PKTLEN......: 52.000| 1500.000| 388.600| 553.200| 306044.500| 3.800] + [BINS(c->s)..: 12,1,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 5,2,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,0,0,1,1,1,0,1,0,0,1,1,0,1,1,0,0,1,0,1,1] + [IATS(ms)....: 0.3,0.3,0.1,0.4,0.6,0.8,0.6,0.6,0.0,0.1,0.6,0.1,0.0,41.1,36.3,0.1,76.7,0.1,0.1,0.1,0.4,5.2,5.5,0.1,0.1,0.1,0.0,0.2,0.2,0.1,0.1] + [PKTLENS.....: 64,60,52,199,52,114,52,1500,52,422,52,319,58,97,52,214,58,52,97,52,284,52,1500,52,1500,1500,52,52,1500,52,1500,774] + [ENTROPIES...: 4.1,5.0,4.6,5.4,5.0,5.5,4.7,7.0,4.7,7.5,4.6,7.2,4.6,5.3,4.9,6.9,4.9,4.7,5.6,4.7,7.1,5.0,7.8,4.6,7.9,7.9,4.6,4.6,7.9,4.6,7.9,7.7] + DAEMON-EVENT: [Processed: 44 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 2|updates: 0] + new: [.....2] [ip4][..udp] [..192.168.15.37][44467] -> [..192.168.15.36][.7080] + detected: [.....2] [ip4][..udp] [..192.168.15.37][44467] -> [..192.168.15.36][.7080] [Sonos][Unknown][Music][Fun] + end: [.....1] [ip4][..tcp] [...192.168.1.29][52425] -> [...192.168.1.70][.1443] [TLS.Sonos][Unknown][Music][Fun][192.168.1.70] + RISK: Known Proto on Non Std Port, Weak TLS Cipher, TLS Cert Mismatch, TLS (probably) Not Carrying HTTPS + idle: [.....2] [ip4][..udp] [..192.168.15.37][44467] -> [..192.168.15.36][.7080] [Sonos][Unknown][Music][Fun] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/teams.pcap.out b/test/results/flow-info/default/teams.pcap.out index 9161d6afb..257fc16da 100644 --- a/test/results/flow-info/default/teams.pcap.out +++ b/test/results/flow-info/default/teams.pcap.out @@ -34,7 +34,6 @@ ERROR-EVENT: Unknown packet type [7/16] new: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] detected: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] - detection-update: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] analyse: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.221| 0.032| 0.054| 2931.592| 3.400] @@ -51,7 +50,7 @@ new: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] detected: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com] detection-update: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com] - analyse: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + analyse: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.050| 0.018| 0.021| 449.200| 3.900] [PKTLEN......: 52.000| 1492.000| 680.600| 673.100| 453031.800| 4.200] @@ -101,15 +100,12 @@ new: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] detected: [....18] [ip4][..tcp] [....192.168.1.6][60538] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] detected: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] - detection-update: [....18] [ip4][..tcp] [....192.168.1.6][60538] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] - detection-update: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] new: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] new: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] detected: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] detected: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] new: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] detected: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][config.teams.microsoft.com] - detection-update: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] detection-update: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] detection-update: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][config.teams.microsoft.com] new: [....23] [ip4][..tcp] [....192.168.1.6][60542] -> [.52.113.194.132][..443] @@ -123,7 +119,6 @@ detected: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS detected: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443] [TLS.Teams][Azure][Collaborative][Safe][northeurope.notifications.teams.microsoft.com] - detection-update: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443] [TLS.Teams][Azure][Collaborative][Safe][northeurope.notifications.teams.microsoft.com] detection-update: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS ERROR-EVENT: Unknown packet type [16/16] @@ -134,7 +129,6 @@ new: [....29] [ip4][..tcp] [.162.125.19.131][..443] -> [....192.168.1.6][60344] [MIDSTREAM] detected: [....29] [ip4][..tcp] [.162.125.19.131][..443] -> [....192.168.1.6][60344] [TLS][Dropbox][Web][Safe] detected: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Azure][Collaborative][Safe][presence.teams.microsoft.com] - detection-update: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Azure][Collaborative][Safe][presence.teams.microsoft.com] analyse: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.153| 0.028| 0.040| 1626.047| 3.600] @@ -170,7 +164,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [....33] [ip4][..tcp] [....192.168.1.6][60548] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - analyse: [....32] [ip4][..tcp] [....192.168.1.6][60547] -> [...52.114.88.59][..443] [TLS.Teams][Azure][Collaborative][Safe][chatsvcagg.teams.microsoft.com] + analyse: [....32] [ip4][..tcp] [....192.168.1.6][60547] -> [...52.114.88.59][..443] [TLS.Teams][Azure][Collaborative][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.115| 0.021| 0.031| 968.681| 3.500] [PKTLEN......: 52.000| 1492.000| 377.200| 521.700| 272149.200| 3.900] @@ -241,7 +235,6 @@ detected: [....46] [ip4][..tcp] [....192.168.1.6][60556] -> [.....40.126.9.7][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] detected: [....45] [ip4][..tcp] [....192.168.1.6][60555] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - detection-update: [....46] [ip4][..tcp] [....192.168.1.6][60556] -> [.....40.126.9.7][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] detection-update: [....42] [ip4][..tcp] [....192.168.1.6][60552] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS detection-update: [....45] [ip4][..tcp] [....192.168.1.6][60555] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] @@ -266,8 +259,6 @@ new: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] detected: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - detection-update: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS analyse: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.053| 0.020| 0.022| 492.470| 3.900] @@ -293,7 +284,7 @@ detected: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][api.microsoftstream.com] detection-update: [....51] [ip4][..tcp] [....192.168.1.6][60561] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - analyse: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][api.microsoftstream.com] + analyse: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.126| 0.019| 0.032| 1006.354| 3.400] [PKTLEN......: 52.000| 1492.000| 345.200| 499.900| 249913.200| 3.900] @@ -323,13 +314,11 @@ detection-update: [....56] [ip4][..udp] [....192.168.1.6][63930] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe][dc.applicationinsights.microsoft.com] new: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] detected: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] - detection-update: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] new: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] detected: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][emea.ng.msg.teams-msgapi.trafficmanager.net] detection-update: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][emea.ng.msg.teams-msgapi.trafficmanager.net] new: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] detected: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe][emea.ng.msg.teams.microsoft.com] - detection-update: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe][emea.ng.msg.teams.microsoft.com] analyse: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe][emea.ng.msg.teams.microsoft.com] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.277| 0.019| 0.049| 2449.644| 2.900] @@ -370,8 +359,6 @@ new: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] new: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] detected: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] - detection-update: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS new: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] detected: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] detected: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com] @@ -380,8 +367,6 @@ detected: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] new: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] detected: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] - detection-update: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS detection-update: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] detection-update: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] new: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443] @@ -400,8 +385,6 @@ detection-update: [....75] [ip4][..udp] [....192.168.1.6][60837] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][c-flightproxy-euno-01-teams.cloudapp.net] detected: [....74] [ip4][..tcp] [....192.168.1.6][60567] -> [..52.114.77.136][..443] [TLS.Teams][Azure][Collaborative][Safe][api.flightproxy.teams.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - detection-update: [....74] [ip4][..tcp] [....192.168.1.6][60567] -> [..52.114.77.136][..443] [TLS.Teams][Azure][Collaborative][Safe][api.flightproxy.teams.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS new: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] detected: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable][] RISK: Known Proto on Non Std Port @@ -442,7 +425,6 @@ RISK: Known Proto on Non Std Port, Unidirectional Traffic new: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] detected: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] - detection-update: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] new: [....83] [ip4][.icmp] [..93.71.110.205] -> [....192.168.1.6] detected: [....83] [ip4][.icmp] [..93.71.110.205] -> [....192.168.1.6] [ICMP][Unknown][Network][Acceptable] analyse: [....78] [ip4][..udp] [..93.71.110.205][16332] -> [....192.168.1.6][50016] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] @@ -473,7 +455,7 @@ RISK: TLS (probably) Not Carrying HTTPS idle: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] RISK: Known Proto on Non Std Port, Unidirectional Traffic - idle: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][euno-1.api.microsoftstream.com] + idle: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable] idle: [....17] [ip4][..udp] [....192.168.1.6][63106] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][eu-prod.asyncgw.teams.microsoft.com] idle: [....77] [ip4][..udp] [....192.168.1.6][50036] -> [....192.168.0.4][50020] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] RISK: Known Proto on Non Std Port, Unidirectional Traffic @@ -521,10 +503,10 @@ idle: [....34] [ip4][..udp] [....192.168.1.6][59403] -> [....192.168.1.1][...53] [DNS.Microsoft365][Unknown][Network][Acceptable][substrate.office.com] idle: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Outlook][Collaborative][Acceptable][substrate.office.com] idle: [....44] [ip4][..udp] [....192.168.1.6][51309] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][skypedataprdcolneu04.cloudapp.net] - end: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org] + end: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe] RISK: Known Proto on Non Std Port idle: [....12] [ip4][..udp] [....192.168.1.6][17500] -> [..192.168.1.255][17500] [Dropbox][Unknown][Cloud][Acceptable] - idle: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org] + idle: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe] RISK: Known Proto on Non Std Port idle: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][chatsvcagg.svcs.teams.office.com] guessed: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478] [Skype_TeamsCall][Azure][VoIP][Acceptable] diff --git a/test/results/flow-info/default/tls_1.2_unidirectional_client.pcapng.out b/test/results/flow-info/default/tls_1.2_unidirectional_client.pcapng.out new file mode 100644 index 000000000..6e5b7a799 --- /dev/null +++ b/test/results/flow-info/default/tls_1.2_unidirectional_client.pcapng.out @@ -0,0 +1,9 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [.192.168.12.156][43854] -> [..216.58.209.42][..443] + detected: [.....1] [ip4][..tcp] [.192.168.12.156][43854] -> [..216.58.209.42][..443] [TLS.GoogleServices][Google][Web][Acceptable][notifications-pa.googleapis.com] + RISK: Unidirectional Traffic + end: [.....1] [ip4][..tcp] [.192.168.12.156][43854] -> [..216.58.209.42][..443] [TLS.GoogleServices][Google][Web][Acceptable] + RISK: Unidirectional Traffic + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_1.2_unidirectional_client_no_cert.pcapng.out b/test/results/flow-info/default/tls_1.2_unidirectional_client_no_cert.pcapng.out new file mode 100644 index 000000000..9b324cc4e --- /dev/null +++ b/test/results/flow-info/default/tls_1.2_unidirectional_client_no_cert.pcapng.out @@ -0,0 +1,9 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [.192.168.12.156][39958] -> [..172.67.21.133][..443] + detected: [.....1] [ip4][..tcp] [.192.168.12.156][39958] -> [..172.67.21.133][..443] [TLS][Cloudflare][Web][Safe][sb.adtidy.org] + RISK: Unidirectional Traffic + end: [.....1] [ip4][..tcp] [.192.168.12.156][39958] -> [..172.67.21.133][..443] [TLS][Cloudflare][Web][Safe] + RISK: Unidirectional Traffic + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_1.2_unidirectional_server.pcapng.out b/test/results/flow-info/default/tls_1.2_unidirectional_server.pcapng.out new file mode 100644 index 000000000..1410a061a --- /dev/null +++ b/test/results/flow-info/default/tls_1.2_unidirectional_server.pcapng.out @@ -0,0 +1,11 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [..216.58.209.42][..443] -> [.192.168.12.156][43854] + detected: [.....1] [ip4][..tcp] [..216.58.209.42][..443] -> [.192.168.12.156][43854] [TLS][Google][Web][Safe] + RISK: Unidirectional Traffic + detection-update: [.....1] [ip4][..tcp] [..216.58.209.42][..443] -> [.192.168.12.156][43854] [TLS.YouTubeUpload][Google][Media][Fun] + RISK: Unidirectional Traffic + idle: [.....1] [ip4][..tcp] [..216.58.209.42][..443] -> [.192.168.12.156][43854] [TLS.YouTubeUpload][Google][Media][Fun] + RISK: Unidirectional Traffic + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_1.2_unidirectional_server_no_cert.pcapng.out b/test/results/flow-info/default/tls_1.2_unidirectional_server_no_cert.pcapng.out new file mode 100644 index 000000000..c54c75d01 --- /dev/null +++ b/test/results/flow-info/default/tls_1.2_unidirectional_server_no_cert.pcapng.out @@ -0,0 +1,9 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [..172.67.21.133][..443] -> [.192.168.12.156][39958] + detected: [.....1] [ip4][..tcp] [..172.67.21.133][..443] -> [.192.168.12.156][39958] [TLS][Cloudflare][Web][Safe] + RISK: Unidirectional Traffic + end: [.....1] [ip4][..tcp] [..172.67.21.133][..443] -> [.192.168.12.156][39958] [TLS][Cloudflare][Web][Safe] + RISK: Unidirectional Traffic + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_1.3_unidirectional_client.pcapng.out b/test/results/flow-info/default/tls_1.3_unidirectional_client.pcapng.out new file mode 100644 index 000000000..be71565b2 --- /dev/null +++ b/test/results/flow-info/default/tls_1.3_unidirectional_client.pcapng.out @@ -0,0 +1,9 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [.192.168.12.156][39750] -> [.142.250.184.68][..443] + detected: [.....1] [ip4][..tcp] [.192.168.12.156][39750] -> [.142.250.184.68][..443] [TLS.Google][Google][Web][Acceptable][www.google.com] + RISK: Unidirectional Traffic + end: [.....1] [ip4][..tcp] [.192.168.12.156][39750] -> [.142.250.184.68][..443] [TLS.Google][Google][Web][Acceptable] + RISK: Unidirectional Traffic + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_1.3_unidirectional_server.pcapng.out b/test/results/flow-info/default/tls_1.3_unidirectional_server.pcapng.out new file mode 100644 index 000000000..60174db8b --- /dev/null +++ b/test/results/flow-info/default/tls_1.3_unidirectional_server.pcapng.out @@ -0,0 +1,9 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [.142.250.184.68][..443] -> [.192.168.12.156][39750] + detected: [.....1] [ip4][..tcp] [.142.250.184.68][..443] -> [.192.168.12.156][39750] [TLS][Google][Web][Safe] + RISK: Unidirectional Traffic + end: [.....1] [ip4][..tcp] [.142.250.184.68][..443] -> [.192.168.12.156][39750] [TLS][Google][Web][Safe] + RISK: Unidirectional Traffic + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_2_reasms.pcapng.out b/test/results/flow-info/default/tls_2_reasms.pcapng.out index 6929abc24..e362321f2 100644 --- a/test/results/flow-info/default/tls_2_reasms.pcapng.out +++ b/test/results/flow-info/default/tls_2_reasms.pcapng.out @@ -4,5 +4,5 @@ new: [.....1] [ip4][..tcp] [.192.91.186.174][..443] -> [...25.137.80.32][38134] detected: [.....1] [ip4][..tcp] [.192.91.186.174][..443] -> [...25.137.80.32][38134] [TLS.Instagram][Unknown][SocialNetwork][Fun][i.instagram.com] detection-update: [.....1] [ip4][..tcp] [.192.91.186.174][..443] -> [...25.137.80.32][38134] [TLS.Instagram][Unknown][SocialNetwork][Fun][i.instagram.com] - idle: [.....1] [ip4][..tcp] [.192.91.186.174][..443] -> [...25.137.80.32][38134] [TLS.Instagram][Unknown][SocialNetwork][Fun][i.instagram.com] + idle: [.....1] [ip4][..tcp] [.192.91.186.174][..443] -> [...25.137.80.32][38134] [TLS.Instagram][Unknown][SocialNetwork][Fun] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_change_cipher.pcap.out b/test/results/flow-info/default/tls_change_cipher.pcap.out new file mode 100644 index 000000000..5c6648a10 --- /dev/null +++ b/test/results/flow-info/default/tls_change_cipher.pcap.out @@ -0,0 +1,18 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + ERROR-EVENT: Unknown packet type [1/16] + ERROR-EVENT: Unknown packet type [2/16] + ERROR-EVENT: Unknown packet type [3/16] + ERROR-EVENT: Unknown packet type [4/16] + ERROR-EVENT: Unknown packet type [5/16] + ERROR-EVENT: Unknown packet type [6/16] + ERROR-EVENT: Unknown packet type [7/16] + ERROR-EVENT: Unknown packet type [8/16] + ERROR-EVENT: Unknown packet type [9/16] + ERROR-EVENT: Unknown packet type [10/16] + ERROR-EVENT: Unknown packet type [11/16] + ERROR-EVENT: Unknown packet type [12/16] + ERROR-EVENT: Unknown packet type [13/16] + ERROR-EVENT: Unknown packet type [14/16] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_heur__shadowsocks-tcp.pcapng.out b/test/results/flow-info/default/tls_heur__shadowsocks-tcp.pcapng.out new file mode 100644 index 000000000..e70a46b38 --- /dev/null +++ b/test/results/flow-info/default/tls_heur__shadowsocks-tcp.pcapng.out @@ -0,0 +1,31 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [......127.0.0.1][44424] -> [......127.0.0.1][.1080] + detected: [.....1] [ip4][..tcp] [......127.0.0.1][44424] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + new: [.....2] [ip4][..udp] [......127.0.0.1][41182] -> [.....127.0.0.53][...53] + detected: [.....2] [ip4][..udp] [......127.0.0.1][41182] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][41182] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + RISK: Unidirectional Traffic + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][41182] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + new: [.....3] [ip4][..tcp] [......127.0.0.1][40164] -> [......127.0.0.1][.1234] + new: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][45334] -> [...............2a00:1450:4002:416::200e][..443] + detected: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][45334] -> [...............2a00:1450:4002:416::200e][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + detection-update: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][45334] -> [...............2a00:1450:4002:416::200e][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + analyse: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][45334] -> [...............2a00:1450:4002:416::200e][..443] [TLS.YouTube][Google][Media][Fun] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.050| 0.008| 0.014| 183.336| 3.300] + [PKTLEN......: 72.000| 4948.000| 786.900| 1186.200| 1407143.500| 3.900] + [BINS(c->s)..: 13,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 3,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,2] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,0,1,0,1,0,1,1,1,0,0,0,1,1,1,1,0,0,1,0,1,1] + [IATS(ms)....: 3.4,3.5,0.3,3.9,24.5,28.1,0.2,0.0,0.2,0.0,3.0,7.5,5.3,6.5,46.4,49.6,0.0,0.0,9.0,0.1,0.0,0.4,0.0,0.0,0.0,0.3,0.0,26.1,26.1,0.4,0.0] + [PKTLENS.....: 80,80,72,589,72,1280,72,4904,631,72,72,345,720,103,103,72,1280,293,1280,72,72,72,1280,1280,1280,4948,72,72,1280,72,1280,1280] + [ENTROPIES...: 4.8,5.3,5.2,4.8,5.2,7.8,5.2,8.0,7.6,5.2,5.2,7.1,7.7,5.8,5.8,5.1,7.8,7.1,7.9,5.2,5.2,5.2,7.8,7.9,7.8,8.0,5.1,5.2,7.9,5.2,7.8,7.8] + idle: [.....2] [ip4][..udp] [......127.0.0.1][41182] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + not-detected: [.....3] [ip4][..tcp] [......127.0.0.1][40164] -> [......127.0.0.1][.1234] [Unknown][Unknown][Unrated] + RISK: Fully Encrypted Flow + idle: [.....3] [ip4][..tcp] [......127.0.0.1][40164] -> [......127.0.0.1][.1234] + idle: [.....1] [ip4][..tcp] [......127.0.0.1][44424] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + idle: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][45334] -> [...............2a00:1450:4002:416::200e][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_heur__trojan-tcp-tls.pcapng.out b/test/results/flow-info/default/tls_heur__trojan-tcp-tls.pcapng.out new file mode 100644 index 000000000..8bc342628 --- /dev/null +++ b/test/results/flow-info/default/tls_heur__trojan-tcp-tls.pcapng.out @@ -0,0 +1,62 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [......127.0.0.1][60654] -> [......127.0.0.1][.1080] + detected: [.....1] [ip4][..tcp] [......127.0.0.1][60654] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + new: [.....2] [ip4][..udp] [......127.0.0.1][52786] -> [.....127.0.0.53][...53] + detected: [.....2] [ip4][..udp] [......127.0.0.1][52786] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][52786] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + RISK: Unidirectional Traffic + new: [.....3] [ip4][..udp] [..192.168.1.183][46451] -> [..192.168.1.253][...53] + detected: [.....3] [ip4][..udp] [..192.168.1.183][46451] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + new: [.....4] [ip4][..udp] [..192.168.1.183][54260] -> [..192.168.1.253][...53] + detected: [.....4] [ip4][..udp] [..192.168.1.183][54260] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....3] [ip4][..udp] [..192.168.1.183][46451] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....4] [ip4][..udp] [..192.168.1.183][54260] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][52786] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + new: [.....5] [ip4][..udp] [......127.0.0.1][53154] -> [.....127.0.0.53][...53] + detected: [.....5] [ip4][..udp] [......127.0.0.1][53154] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + new: [.....6] [ip4][..udp] [......127.0.0.1][56496] -> [.....127.0.0.53][...53] + detected: [.....6] [ip4][..udp] [......127.0.0.1][56496] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + new: [.....7] [ip4][..udp] [..192.168.1.183][39434] -> [..192.168.1.253][...53] + detected: [.....7] [ip4][..udp] [..192.168.1.183][39434] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + new: [.....8] [ip4][..udp] [..192.168.1.183][38613] -> [..192.168.1.253][...53] + detected: [.....8] [ip4][..udp] [..192.168.1.183][38613] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + detection-update: [.....7] [ip4][..udp] [..192.168.1.183][39434] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + detection-update: [.....5] [ip4][..udp] [......127.0.0.1][53154] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + detection-update: [.....8] [ip4][..udp] [..192.168.1.183][38613] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + detection-update: [.....6] [ip4][..udp] [......127.0.0.1][56496] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + new: [.....9] [ip4][..tcp] [......127.0.0.1][41796] -> [......127.0.0.1][.1234] + detected: [.....9] [ip4][..tcp] [......127.0.0.1][41796] -> [......127.0.0.1][.1234] [TLS][Unknown][Web][Safe][test.lan] + RISK: Known Proto on Non Std Port + detection-update: [.....9] [ip4][..tcp] [......127.0.0.1][41796] -> [......127.0.0.1][.1234] [TLS][Unknown][Web][Safe][test.lan] + RISK: Known Proto on Non Std Port + new: [....10] [ip4][..tcp] [..192.168.1.183][58730] -> [142.250.180.142][..443] + detected: [....10] [ip4][..tcp] [..192.168.1.183][58730] -> [142.250.180.142][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + detection-update: [....10] [ip4][..tcp] [..192.168.1.183][58730] -> [142.250.180.142][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + analyse: [....10] [ip4][..tcp] [..192.168.1.183][58730] -> [142.250.180.142][..443] [TLS.YouTube][Google][Media][Fun] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.070| 0.007| 0.015| 238.385| 3.000] + [PKTLEN......: 52.000| 1452.000| 481.500| 599.800| 359742.800| 3.900] + [BINS(c->s)..: 14,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0] + [IATS(ms)....: 2.7,2.7,0.3,2.7,17.2,19.6,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,8.4,0.5,11.2,3.0,2.3,5.7,46.1,70.4,31.7,0.1,0.0,0.0,0.0,0.0,0.1,0.1,0.0] + [PKTLENS.....: 60,60,52,569,52,1452,52,1452,52,1452,52,1452,52,1053,52,132,245,700,83,83,52,52,1452,52,80,52,1452,52,1452,52,1452,52] + [ENTROPIES...: 4.6,5.2,4.9,4.8,4.9,7.8,4.8,7.8,4.9,7.9,4.8,7.9,4.8,7.8,4.8,6.2,7.0,7.7,5.6,5.5,4.9,4.9,7.9,4.9,5.6,4.9,7.9,4.9,7.9,4.9,7.9,4.8] + idle: [.....8] [ip4][..udp] [..192.168.1.183][38613] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + idle: [.....5] [ip4][..udp] [......127.0.0.1][53154] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + idle: [.....9] [ip4][..tcp] [......127.0.0.1][41796] -> [......127.0.0.1][.1234] [TLS][Unknown][Web][Safe] + RISK: Known Proto on Non Std Port + idle: [.....1] [ip4][..tcp] [......127.0.0.1][60654] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + idle: [....10] [ip4][..tcp] [..192.168.1.183][58730] -> [142.250.180.142][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + idle: [.....7] [ip4][..udp] [..192.168.1.183][39434] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + idle: [.....4] [ip4][..udp] [..192.168.1.183][54260] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + idle: [.....6] [ip4][..udp] [......127.0.0.1][56496] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + idle: [.....3] [ip4][..udp] [..192.168.1.183][46451] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + idle: [.....2] [ip4][..udp] [......127.0.0.1][52786] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_heur__vmess-tcp-tls.pcapng.out b/test/results/flow-info/default/tls_heur__vmess-tcp-tls.pcapng.out new file mode 100644 index 000000000..cc34610ac --- /dev/null +++ b/test/results/flow-info/default/tls_heur__vmess-tcp-tls.pcapng.out @@ -0,0 +1,52 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [......127.0.0.1][40136] -> [......127.0.0.1][.1080] + detected: [.....1] [ip4][..tcp] [......127.0.0.1][40136] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + new: [.....2] [ip4][..udp] [......127.0.0.1][46548] -> [.....127.0.0.53][...53] + detected: [.....2] [ip4][..udp] [......127.0.0.1][46548] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][46548] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + RISK: Unidirectional Traffic + new: [.....3] [ip4][..udp] [..192.168.1.183][49817] -> [..192.168.1.253][...53] + detected: [.....3] [ip4][..udp] [..192.168.1.183][49817] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + new: [.....4] [ip4][..udp] [..192.168.1.183][41933] -> [..192.168.1.253][...53] + detected: [.....4] [ip4][..udp] [..192.168.1.183][41933] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....3] [ip4][..udp] [..192.168.1.183][49817] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....4] [ip4][..udp] [..192.168.1.183][41933] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][46548] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + new: [.....5] [ip4][..udp] [......127.0.0.1][50125] -> [.....127.0.0.53][...53] + detected: [.....5] [ip4][..udp] [......127.0.0.1][50125] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + new: [.....6] [ip4][..udp] [......127.0.0.1][45262] -> [.....127.0.0.53][...53] + detected: [.....6] [ip4][..udp] [......127.0.0.1][45262] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + new: [.....7] [ip4][..udp] [..192.168.1.183][58009] -> [..192.168.1.253][...53] + detected: [.....7] [ip4][..udp] [..192.168.1.183][58009] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + new: [.....8] [ip4][..udp] [..192.168.1.183][42485] -> [..192.168.1.253][...53] + detected: [.....8] [ip4][..udp] [..192.168.1.183][42485] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + detection-update: [.....7] [ip4][..udp] [..192.168.1.183][58009] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + detection-update: [.....8] [ip4][..udp] [..192.168.1.183][42485] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + detection-update: [.....5] [ip4][..udp] [......127.0.0.1][50125] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + detection-update: [.....6] [ip4][..udp] [......127.0.0.1][45262] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + new: [.....9] [ip4][..tcp] [......127.0.0.1][57874] -> [......127.0.0.1][.1234] + detected: [.....9] [ip4][..tcp] [......127.0.0.1][57874] -> [......127.0.0.1][.1234] [TLS][Unknown][Web][Safe][test.lan] + RISK: Known Proto on Non Std Port + detection-update: [.....9] [ip4][..tcp] [......127.0.0.1][57874] -> [......127.0.0.1][.1234] [TLS][Unknown][Web][Safe][test.lan] + RISK: Known Proto on Non Std Port + new: [....10] [ip4][..tcp] [..192.168.1.183][58612] -> [.216.58.204.142][..443] + detected: [....10] [ip4][..tcp] [..192.168.1.183][58612] -> [.216.58.204.142][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + detection-update: [....10] [ip4][..tcp] [..192.168.1.183][58612] -> [.216.58.204.142][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + idle: [.....1] [ip4][..tcp] [......127.0.0.1][40136] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + idle: [.....6] [ip4][..udp] [......127.0.0.1][45262] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + idle: [....10] [ip4][..tcp] [..192.168.1.183][58612] -> [.216.58.204.142][..443] [TLS.YouTube][Google][Media][Fun] + idle: [.....7] [ip4][..udp] [..192.168.1.183][58009] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + idle: [.....3] [ip4][..udp] [..192.168.1.183][49817] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + idle: [.....5] [ip4][..udp] [......127.0.0.1][50125] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + idle: [.....4] [ip4][..udp] [..192.168.1.183][41933] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + idle: [.....2] [ip4][..udp] [......127.0.0.1][46548] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + idle: [.....8] [ip4][..udp] [..192.168.1.183][42485] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + idle: [.....9] [ip4][..tcp] [......127.0.0.1][57874] -> [......127.0.0.1][.1234] [TLS][Unknown][Web][Safe] + RISK: Known Proto on Non Std Port + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_heur__vmess-tcp.pcapng.out b/test/results/flow-info/default/tls_heur__vmess-tcp.pcapng.out new file mode 100644 index 000000000..39fccb4a8 --- /dev/null +++ b/test/results/flow-info/default/tls_heur__vmess-tcp.pcapng.out @@ -0,0 +1,31 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [......127.0.0.1][37218] -> [......127.0.0.1][.1080] + detected: [.....1] [ip4][..tcp] [......127.0.0.1][37218] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + new: [.....2] [ip4][..udp] [......127.0.0.1][35957] -> [.....127.0.0.53][...53] + detected: [.....2] [ip4][..udp] [......127.0.0.1][35957] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][35957] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + RISK: Unidirectional Traffic + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][35957] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + new: [.....3] [ip4][..tcp] [......127.0.0.1][40818] -> [......127.0.0.1][.1234] + new: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][48302] -> [...............2a00:1450:4006:80d::200e][..443] + detected: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][48302] -> [...............2a00:1450:4006:80d::200e][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + detection-update: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][48302] -> [...............2a00:1450:4006:80d::200e][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + analyse: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][48302] -> [...............2a00:1450:4006:80d::200e][..443] [TLS.YouTube][Google][Media][Fun] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.054| 0.141| 0.429| 184069.177| 1.900] + [PKTLEN......: 72.000| 2488.000| 635.500| 846.400| 716345.800| 3.900] + [BINS(c->s)..: 13,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 4,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,5] + [DIRECTIONS..: 0,0,0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,1,1,0,0,1,1,1,1,0,1,0,1,0,1,0] + [IATS(ms)....: 1019.8,1024.0,2053.5,9.7,0.4,10.5,14.8,0.0,24.8,0.0,0.2,0.0,0.1,0.0,3.4,0.5,13.4,0.0,9.6,1.8,11.4,77.7,0.0,0.0,87.4,0.4,0.3,0.3,0.3,0.2,0.2] + [PKTLENS.....: 80,80,80,80,72,589,72,2488,1280,72,72,1280,1840,72,72,152,202,720,103,135,103,72,1280,307,1280,72,2488,72,2488,72,2488,72] + [ENTROPIES...: 4.9,4.8,4.9,5.4,5.2,4.8,5.2,7.9,7.8,5.2,5.2,7.8,7.9,5.2,5.2,6.4,6.6,7.7,5.9,6.4,5.9,5.2,7.9,7.2,7.9,5.2,7.9,5.2,7.9,5.2,7.9,5.2] + idle: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][48302] -> [...............2a00:1450:4006:80d::200e][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + not-detected: [.....3] [ip4][..tcp] [......127.0.0.1][40818] -> [......127.0.0.1][.1234] [Unknown][Unknown][Unrated] + RISK: Fully Encrypted Flow + idle: [.....3] [ip4][..tcp] [......127.0.0.1][40818] -> [......127.0.0.1][.1234] + idle: [.....2] [ip4][..udp] [......127.0.0.1][35957] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + idle: [.....1] [ip4][..tcp] [......127.0.0.1][37218] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_heur__vmess-websocket.pcapng.out b/test/results/flow-info/default/tls_heur__vmess-websocket.pcapng.out new file mode 100644 index 000000000..cc9ab1452 --- /dev/null +++ b/test/results/flow-info/default/tls_heur__vmess-websocket.pcapng.out @@ -0,0 +1,40 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [......127.0.0.1][44532] -> [......127.0.0.1][.1080] + detected: [.....1] [ip4][..tcp] [......127.0.0.1][44532] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + new: [.....2] [ip4][..udp] [......127.0.0.1][39646] -> [.....127.0.0.53][...53] + detected: [.....2] [ip4][..udp] [......127.0.0.1][39646] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][39646] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + new: [.....3] [ip4][..tcp] [......127.0.0.1][33702] -> [......127.0.0.1][.1234] + detected: [.....3] [ip4][..tcp] [......127.0.0.1][33702] -> [......127.0.0.1][.1234] [HTTP][Unknown][Web][Acceptable][127.0.0.1] + RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI + new: [.....4] [ip4][..tcp] [..192.168.1.183][51390] -> [142.250.180.142][..443] + detected: [.....4] [ip4][..tcp] [..192.168.1.183][51390] -> [142.250.180.142][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + detection-update: [.....4] [ip4][..tcp] [..192.168.1.183][51390] -> [142.250.180.142][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + analyse: [.....3] [ip4][..tcp] [......127.0.0.1][33702] -> [......127.0.0.1][.1234] [HTTP][Unknown][Web][Acceptable][127.0.0.1] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.082| 0.011| 0.023| 506.460| 2.800] + [PKTLEN......: 52.000| 2104.000| 665.100| 842.700| 710078.000| 3.900] + [BINS(c->s)..: 13,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 2,0,1,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS(ms)....: 0.0,0.0,0.3,0.3,0.1,0.2,52.9,76.2,23.3,0.1,0.1,0.0,0.0,0.1,0.1,5.4,8.4,3.5,0.7,41.2,81.9,40.9,0.1,0.0,0.1,0.1,0.0,0.0,0.0,0.0,0.0] + [PKTLENS.....: 60,60,52,237,52,181,52,751,2104,52,2104,52,2104,52,723,52,406,753,144,123,52,2084,52,2046,52,2079,52,2043,52,2075,52,531] + [ENTROPIES...: 4.3,4.7,4.6,5.9,4.6,5.8,4.6,7.7,7.9,4.6,7.9,4.6,7.9,4.6,7.7,4.6,7.4,7.7,6.3,6.2,4.6,7.9,4.6,7.9,4.6,7.9,4.6,7.9,4.6,7.9,4.6,7.6] + analyse: [.....1] [ip4][..tcp] [......127.0.0.1][44532] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.082| 0.011| 0.022| 482.912| 3.100] + [PKTLEN......: 52.000| 3984.000| 653.000| 1237.600| 1531706.800| 3.300] + [BINS(c->s)..: 13,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,1,0,0,0,0,0,0,1,1,0,1,0,1,0,1,0,1,0,1] + [IATS(ms)....: 0.1,0.1,0.1,0.1,0.4,0.4,4.5,4.7,44.0,9.4,77.6,24.3,0.3,0.3,4.2,0.3,0.0,0.0,0.0,4.6,3.4,3.7,0.6,41.3,82.0,41.2,0.1,0.2,0.2,0.2,0.1] + [PKTLENS.....: 60,60,52,56,52,54,52,62,62,52,569,3984,52,2720,52,132,98,101,87,115,52,700,83,83,52,3984,52,3984,52,2428,52,901] + [ENTROPIES...: 4.3,4.7,4.6,4.5,4.6,4.6,4.6,4.7,4.5,4.6,4.7,7.9,4.7,7.9,4.6,6.2,5.9,5.8,5.7,6.1,4.7,7.7,5.5,5.5,4.7,8.0,4.6,8.0,4.6,7.9,4.6,7.8] + idle: [.....3] [ip4][..tcp] [......127.0.0.1][33702] -> [......127.0.0.1][.1234] [HTTP][Unknown][Web][Acceptable][127.0.0.1] + RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI + idle: [.....1] [ip4][..tcp] [......127.0.0.1][44532] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + idle: [.....2] [ip4][..udp] [......127.0.0.1][39646] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + idle: [.....4] [ip4][..tcp] [..192.168.1.183][51390] -> [142.250.180.142][..443] [TLS.YouTube][Google][Media][Fun] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_invalid_reads.pcap.out b/test/results/flow-info/default/tls_invalid_reads.pcap.out index e236b1959..890fe2354 100644 --- a/test/results/flow-info/default/tls_invalid_reads.pcap.out +++ b/test/results/flow-info/default/tls_invalid_reads.pcap.out @@ -6,15 +6,13 @@ RISK: Obsolete TLS (v1.1 or older) detection-update: [.....1] [ip4][..tcp] [.192.168.10.101][.3967] -> [..206.33.61.113][..443] [TLS][Unknown][Web][Safe][] RISK: Obsolete TLS (v1.1 or older) - detection-update: [.....1] [ip4][..tcp] [.192.168.10.101][.3967] -> [..206.33.61.113][..443] [TLS][Unknown][Web][Safe][] - RISK: Obsolete TLS (v1.1 or older) DAEMON-EVENT: [Processed: 8 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 2|updates: 0] + DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0] new: [.....2] [ip4][..tcp] [...74.80.160.99][.3258] -> [...67.217.77.28][..443] [MIDSTREAM] idle: [.....1] [ip4][..tcp] [.192.168.10.101][.3967] -> [..206.33.61.113][..443] [TLS][Unknown][Web][Safe] RISK: Obsolete TLS (v1.1 or older) DAEMON-EVENT: [Processed: 9 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 1 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 2|updates: 0] + DAEMON-EVENT: [Flows][active: 1 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0] ERROR-EVENT: Unknown packet type [1/16] ERROR-EVENT: Unknown packet type [2/16] ERROR-EVENT: Unknown packet type [3/16] diff --git a/test/results/flow-info/default/tls_long_cert.pcap.out b/test/results/flow-info/default/tls_long_cert.pcap.out index ea01580e6..96ae9c9b8 100644 --- a/test/results/flow-info/default/tls_long_cert.pcap.out +++ b/test/results/flow-info/default/tls_long_cert.pcap.out @@ -5,7 +5,7 @@ detected: [.....1] [ip4][..tcp] [..192.168.2.126][60174] -> [.104.111.215.93][..443] [TLS][Unknown][Web][Safe][www.repubblica.it] detection-update: [.....1] [ip4][..tcp] [..192.168.2.126][60174] -> [.104.111.215.93][..443] [TLS][Unknown][Web][Safe][www.repubblica.it] detection-update: [.....1] [ip4][..tcp] [..192.168.2.126][60174] -> [.104.111.215.93][..443] [TLS][Unknown][Web][Safe][www.repubblica.it] - analyse: [.....1] [ip4][..tcp] [..192.168.2.126][60174] -> [.104.111.215.93][..443] [TLS][Unknown][Web][Safe][www.repubblica.it] + analyse: [.....1] [ip4][..tcp] [..192.168.2.126][60174] -> [.104.111.215.93][..443] [TLS][Unknown][Web][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.034| 0.008| 0.011| 130.013| 3.600] [PKTLEN......: 52.000| 1500.000| 532.900| 584.900| 342142.300| 4.100] diff --git a/test/results/flow-info/default/tls_with_huge_ch.pcapng.out b/test/results/flow-info/default/tls_with_huge_ch.pcapng.out new file mode 100644 index 000000000..17b76dd79 --- /dev/null +++ b/test/results/flow-info/default/tls_with_huge_ch.pcapng.out @@ -0,0 +1,19 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [..172.30.84.193][40640] -> [208.253.217.142][..443] + detected: [.....1] [ip4][..tcp] [..172.30.84.193][40640] -> [208.253.217.142][..443] [TLS][Unknown][Web][Safe][] + RISK: Missing SNI TLS Extn, ALPN/SNI Mismatch, Obfuscated Traffic + analyse: [.....1] [ip4][..tcp] [..172.30.84.193][40640] -> [208.253.217.142][..443] [TLS][Unknown][Web][Safe] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 2.012| 0.239| 0.473| 223961.678| 3.000] + [PKTLEN......: 52.000| 1076.000| 410.500| 482.400| 232750.200| 4.000] + [BINS(c->s)..: 5,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,1,0,0,0,0,1,1,0,0,1,1,0,0,0,0,1,1,1,1,0,0,0,0,0,1,1,1,1,1] + [IATS(ms)....: 1026.7,1168.3,1014.0,2012.4,2.2,0.4,20.3,996.7,23.0,142.1,0.4,141.9,0.2,227.3,1.5,0.2,0.3,228.2,1.5,0.3,0.3,202.4,0.2,1.4,0.2,0.1,201.2,0.6,1.0,0.2,0.0] + [PKTLENS.....: 60,60,60,60,60,52,52,1076,60,52,1076,1076,52,52,1076,1076,1076,1076,52,52,52,52,1076,1076,1076,1076,211,52,52,52,52,52] + [ENTROPIES...: 4.8,4.8,5.3,5.4,4.8,5.1,5.1,2.4,5.4,5.2,0.5,0.5,5.1,5.2,0.5,0.5,0.5,0.5,5.2,5.2,5.2,5.1,0.5,0.5,0.5,0.5,1.9,5.1,5.1,5.1,5.1,5.2] + idle: [.....1] [ip4][..tcp] [..172.30.84.193][40640] -> [208.253.217.142][..443] [TLS][Unknown][Web][Safe] + RISK: Missing SNI TLS Extn, ALPN/SNI Mismatch, Obfuscated Traffic + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tor.pcap.out b/test/results/flow-info/default/tor.pcap.out index 7010fa9e5..f6855da45 100644 --- a/test/results/flow-info/default/tor.pcap.out +++ b/test/results/flow-info/default/tor.pcap.out @@ -37,7 +37,7 @@ new: [.....5] [ip4][..udp] [..192.168.1.252][..138] -> [..192.168.1.255][..138] detected: [.....5] [ip4][..udp] [..192.168.1.252][..138] -> [..192.168.1.255][..138] [NetBIOS.SMBv1][Unknown][System][Dangerous][endian-pc] RISK: Unsafe Protocol - analyse: [.....3] [ip4][..tcp] [..192.168.1.252][51112] -> [...38.229.70.53][..443] [TLS.Tor][Unknown][VPN][Potentially Dangerous][www.q4cyamnc6mtokjurvdclt.com] + analyse: [.....3] [ip4][..tcp] [..192.168.1.252][51112] -> [...38.229.70.53][..443] [TLS.Tor][Unknown][VPN][Potentially Dangerous] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 31.166| 2.329| 7.550| 56997495.964| 1.900] [PKTLEN......: 40.000| 1500.000| 355.800| 354.900| 125974.500| 4.300] @@ -47,7 +47,7 @@ [IATS(ms)....: 143.8,144.2,0.4,152.7,0.2,159.6,171.7,164.7,190.9,0.1,190.7,0.6,185.1,185.5,145.1,5.7,151.7,184.2,104.7,290.0,146.6,2536.0,2930.5,30770.7,31166.0,0.9,147.0,185.7,696.5,885.2,147.1] [PKTLENS.....: 52,52,46,264,40,969,238,99,114,1500,126,46,626,40,626,40,626,626,40,626,626,40,626,46,626,40,626,626,40,626,626,40] [ENTROPIES...: 4.5,4.8,4.4,5.4,4.8,7.6,6.9,5.9,6.1,7.9,6.5,4.3,7.7,4.8,7.7,4.8,7.6,7.7,4.7,7.7,7.6,4.8,7.7,4.3,7.6,4.6,7.6,7.7,4.8,7.6,7.6,4.7] - analyse: [.....1] [ip4][..tcp] [..192.168.1.252][51110] -> [..91.143.93.242][..443] [TLS][Unknown][Web][Safe][www.ct7ctrgb6cr7.com] + analyse: [.....1] [ip4][..tcp] [..192.168.1.252][51110] -> [..91.143.93.242][..443] [TLS][Unknown][Web][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 37.996| 2.549| 9.274| 86002509.021| 1.400] [PKTLEN......: 40.000| 1500.000| 448.800| 476.200| 226793.400| 4.200] @@ -61,7 +61,7 @@ new: [.....6] [ip4][..tcp] [..192.168.1.252][51104] -> [...157.56.30.46][..443] [MIDSTREAM] update: [.....5] [ip4][..udp] [..192.168.1.252][..138] -> [..192.168.1.255][..138] [NetBIOS.SMBv1][Unknown][System][Dangerous][endian-pc] RISK: Unsafe Protocol - analyse: [.....2] [ip4][..tcp] [..192.168.1.252][51111] -> [....46.59.52.31][..443] [TLS.Tor][Unknown][VPN][Potentially Dangerous][www.e6r5p57kbafwrxj3plz.com] + analyse: [.....2] [ip4][..tcp] [..192.168.1.252][51111] -> [....46.59.52.31][..443] [TLS.Tor][Unknown][VPN][Potentially Dangerous] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 71.328| 4.658| 14.789| 218716025.389| 1.800] [PKTLEN......: 40.000| 1500.000| 330.600| 347.100| 120444.200| 4.200] @@ -90,7 +90,7 @@ RISK: Obsolete TLS (v1.1 or older) detection-update: [.....9] [ip4][..tcp] [..192.168.1.252][51176] -> [...38.229.70.53][..443] [TLS][Unknown][Web][Safe][www.jmts2id.com] RISK: Obsolete TLS (v1.1 or older) - analyse: [.....8] [ip4][..tcp] [..192.168.1.252][51175] -> [..91.143.93.242][..443] [TLS.Tor][Unknown][VPN][Potentially Dangerous][www.gfu7hbxpfp.com] + analyse: [.....8] [ip4][..tcp] [..192.168.1.252][51175] -> [..91.143.93.242][..443] [TLS.Tor][Unknown][VPN][Potentially Dangerous] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.991| 0.147| 0.220| 48576.569| 3.900] [PKTLEN......: 40.000| 1500.000| 348.200| 347.100| 120448.800| 4.300] @@ -133,7 +133,7 @@ update: [.....4] [ip4][..udp] [....192.168.1.1][17500] -> [..192.168.1.255][17500] [Dropbox][Unknown][Cloud][Acceptable] DAEMON-EVENT: [Processed: 337 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 7 / 11|skipped: 0|!detected: 0|guessed: 1|detection-updates: 7|updates: 5] - analyse: [.....7] [ip4][..tcp] [..192.168.1.252][51174] -> [.212.83.155.250][..443] [TLS][Unknown][Web][Safe][www.t3i3ru.com] + analyse: [.....7] [ip4][..tcp] [..192.168.1.252][51174] -> [.212.83.155.250][..443] [TLS][Unknown][Web][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 72.890| 8.727| 22.569| 509351076.823| 2.100] [PKTLEN......: 40.000| 1500.000| 312.000| 345.900| 119666.800| 4.200] @@ -148,12 +148,12 @@ RISK: Obsolete TLS (v1.1 or older), Susp DGA Domain name, Unsafe Protocol idle: [.....4] [ip4][..udp] [....192.168.1.1][17500] -> [..192.168.1.255][17500] [Dropbox][Unknown][Cloud][Acceptable] idle: [....11] [ip6][..udp] [..............fe80::c583:1972:5728:7323][..546] -> [..............................ff02::1:2][..547] [DHCPV6][Unknown][Network][Acceptable] - end: [....10] [ip4][..tcp] [..192.168.1.252][51185] -> [.62.210.137.230][..443] [TLS][Unknown][Web][Safe][www.6gyip7tqim7sieb.com] + end: [....10] [ip4][..tcp] [..192.168.1.252][51185] -> [.62.210.137.230][..443] [TLS][Unknown][Web][Safe] RISK: Obsolete TLS (v1.1 or older) end: [.....7] [ip4][..tcp] [..192.168.1.252][51174] -> [.212.83.155.250][..443] [TLS][Unknown][Web][Safe][www.t3i3ru.com] RISK: Obsolete TLS (v1.1 or older) idle: [.....3] [ip4][..tcp] [..192.168.1.252][51112] -> [...38.229.70.53][..443] [TLS.Tor][Unknown][VPN][Potentially Dangerous][www.q4cyamnc6mtokjurvdclt.com] RISK: Obsolete TLS (v1.1 or older), Susp DGA Domain name, Unsafe Protocol - idle: [.....9] [ip4][..tcp] [..192.168.1.252][51176] -> [...38.229.70.53][..443] [TLS][Unknown][Web][Safe][www.jmts2id.com] + idle: [.....9] [ip4][..tcp] [..192.168.1.252][51176] -> [...38.229.70.53][..443] [TLS][Unknown][Web][Safe] RISK: Obsolete TLS (v1.1 or older) DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tumblr.pcap.out b/test/results/flow-info/default/tumblr.pcap.out index f0da8619d..6ba89eb55 100644 --- a/test/results/flow-info/default/tumblr.pcap.out +++ b/test/results/flow-info/default/tumblr.pcap.out @@ -56,7 +56,7 @@ detection-update: [....10] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58380] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] [TLS][Edgecast][Web][Safe][consent.cmp.oath.com] detected: [....11] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58382] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] [TLS][Edgecast][Web][Safe][consent.cmp.oath.com] detection-update: [....11] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58382] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] [TLS][Edgecast][Web][Safe][consent.cmp.oath.com] - analyse: [....10] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58380] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] [TLS][Edgecast][Web][Safe][consent.cmp.oath.com] + analyse: [....10] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58380] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] [TLS][Edgecast][Web][Safe] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.048| 0.010| 0.016| 259.261| 3.200] [PKTLEN......: 72.000| 1280.000| 300.700| 381.900| 145812.800| 4.100] @@ -153,7 +153,7 @@ detected: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38608] -> [...............2a00:1450:4007:80b::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable][ajax.googleapis.com] detection-update: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][49548] -> [...............2a00:1450:4007:809::200e][..443] [TLS.Google][Google][Web][Acceptable][apis.google.com] detection-update: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38608] -> [...............2a00:1450:4007:80b::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable][ajax.googleapis.com] - analyse: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38608] -> [...............2a00:1450:4007:80b::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable][ajax.googleapis.com] + analyse: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38608] -> [...............2a00:1450:4007:80b::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.067| 0.011| 0.020| 396.007| 3.200] [PKTLEN......: 72.000| 1280.000| 378.400| 464.300| 215557.600| 4.100] @@ -163,7 +163,7 @@ [IATS(ms)....: 67.4,67.5,0.3,44.1,5.3,0.0,49.1,0.0,0.1,0.1,18.6,10.2,0.7,42.4,0.0,12.9,0.2,14.3,2.0,0.0,16.1,2.6,0.0,2.6,0.0,0.1,0.0,0.0,0.0,0.0,0.0] [PKTLENS.....: 80,80,72,589,72,1280,1280,72,72,572,72,136,164,350,72,652,72,103,72,103,72,72,521,1280,72,72,1280,1280,1280,72,72,72] [ENTROPIES...: 4.9,5.3,5.2,4.5,5.1,7.8,7.8,5.3,5.2,7.5,5.2,6.2,6.5,7.3,5.0,7.7,5.2,5.9,5.0,5.8,5.1,5.2,7.5,7.8,5.1,5.1,7.8,7.8,7.8,5.2,5.1,5.2] - analyse: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][49548] -> [...............2a00:1450:4007:809::200e][..443] [TLS.Google][Google][Web][Acceptable][apis.google.com] + analyse: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][49548] -> [...............2a00:1450:4007:809::200e][..443] [TLS.Google][Google][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.083| 0.014| 0.021| 424.643| 3.600] [PKTLEN......: 72.000| 1280.000| 384.200| 474.800| 225406.500| 4.100] @@ -179,7 +179,7 @@ detected: [....45] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39164] -> [......................64:ff9b::6006:749][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads][sb.scorecardresearch.com] new: [....46] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][42674] -> [.....................64:ff9b::4a72:9a15][..443] [MIDSTREAM] detection-update: [....45] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39164] -> [......................64:ff9b::6006:749][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads][sb.scorecardresearch.com] - analyse: [....12] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39152] -> [......................64:ff9b::6006:749][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads][sb.scorecardresearch.com] + analyse: [....12] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39152] -> [......................64:ff9b::6006:749][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 16.589| 1.119| 4.059| 16477581.214| 1.400] [PKTLEN......: 72.000| 1351.000| 350.400| 367.900| 135349.600| 4.300] @@ -208,7 +208,7 @@ idle: [.....1] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56592] -> [.....................64:ff9b::9765:798c][..443] guessed: [....18] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56594] -> [.....................64:ff9b::9765:798c][..443] [TLS][Unknown][Web][Safe] idle: [....18] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56594] -> [.....................64:ff9b::9765:798c][..443] - idle: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47118] -> [.................2001:4998:14:800::1001][..443] [TLS.Yahoo][Unknown][Web][Safe][cookiex.ngd.yahoo.com] + idle: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47118] -> [.................2001:4998:14:800::1001][..443] [TLS.Yahoo][Unknown][Web][Safe] idle: [....42] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][55560] -> [...............2a00:1450:4007:817::200a][..443] [TLS][Google][Web][Safe] guessed: [.....3] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56640] -> [.....................64:ff9b::9765:798c][..443] [TLS][Unknown][Web][Safe] idle: [.....3] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56640] -> [.....................64:ff9b::9765:798c][..443] diff --git a/test/results/flow-info/default/tunnelbear.pcap.out b/test/results/flow-info/default/tunnelbear.pcap.out index a8691647d..3076fcb91 100644 --- a/test/results/flow-info/default/tunnelbear.pcap.out +++ b/test/results/flow-info/default/tunnelbear.pcap.out @@ -21,7 +21,7 @@ new: [.....7] [ip4][..tcp] [.......10.8.0.1][47496] -> [162.247.243.188][..443] detected: [.....7] [ip4][..tcp] [.......10.8.0.1][47496] -> [162.247.243.188][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads][mobile-collector.newrelic.com] detection-update: [.....7] [ip4][..tcp] [.......10.8.0.1][47496] -> [162.247.243.188][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads][mobile-collector.newrelic.com] - analyse: [.....3] [ip4][..tcp] [.......10.8.0.1][45104] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com] + analyse: [.....3] [ip4][..tcp] [.......10.8.0.1][45104] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.266| 0.037| 0.060| 3626.297| 3.500] [PKTLEN......: 40.000| 3697.000| 426.000| 812.300| 659832.900| 3.500] @@ -37,7 +37,7 @@ detected: [.....9] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com] detection-update: [.....9] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com] detection-update: [.....8] [ip4][..tcp] [.......10.8.0.1][45124] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com] - analyse: [.....9] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com] + analyse: [.....9] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.234| 0.036| 0.055| 3015.001| 3.600] [PKTLEN......: 40.000| 789.000| 149.700| 198.300| 39337.400| 4.100] @@ -71,7 +71,7 @@ end: [.....4] [ip4][..tcp] [.......10.8.0.1][45106] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable] end: [.....5] [ip4][..tcp] [.......10.8.0.1][45108] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable] end: [.....6] [ip4][..tcp] [.......10.8.0.1][45114] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable] - end: [.....8] [ip4][..tcp] [.......10.8.0.1][45124] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com] + end: [.....8] [ip4][..tcp] [.......10.8.0.1][45124] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable] end: [.....9] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com] detection-update: [....14] [ip4][..tcp] [.......10.8.0.1][47046] -> [.74.125.200.188][.5228] [TLS.GoogleServices][Google][Web][Acceptable][mtalk.google.com] RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS @@ -96,7 +96,7 @@ detection-update: [....20] [ip4][..tcp] [.......10.8.0.1][33848] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com] detection-update: [....16] [ip4][..tcp] [.......10.8.0.1][50904] -> [.104.17.154.236][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.tunnelbear.com] detection-update: [....21] [ip4][..tcp] [.......10.8.0.1][48222] -> [162.247.243.188][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads][mobile-collector.newrelic.com] - analyse: [....15] [ip4][..tcp] [.......10.8.0.1][33830] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com] + analyse: [....15] [ip4][..tcp] [.......10.8.0.1][33830] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.340| 0.040| 0.084| 7024.527| 3.000] [PKTLEN......: 40.000| 2940.000| 240.400| 516.400| 266681.900| 3.500] @@ -121,11 +121,11 @@ RISK: TLS (probably) Not Carrying HTTPS end: [....10] [ip4][..tcp] [..10.158.132.91][38398] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable] RISK: Unidirectional Traffic - idle: [.....2] [ip4][..tcp] [.......10.8.0.1][50178] -> [.104.17.154.236][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.tunnelbear.com] + idle: [.....2] [ip4][..tcp] [.......10.8.0.1][50178] -> [.104.17.154.236][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable] end: [....15] [ip4][..tcp] [.......10.8.0.1][33830] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com] - end: [....17] [ip4][..tcp] [.......10.8.0.1][33838] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com] - end: [....18] [ip4][..tcp] [.......10.8.0.1][33842] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com] - end: [....19] [ip4][..tcp] [.......10.8.0.1][33846] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com] - end: [....20] [ip4][..tcp] [.......10.8.0.1][33848] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com] + end: [....17] [ip4][..tcp] [.......10.8.0.1][33838] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable] + end: [....18] [ip4][..tcp] [.......10.8.0.1][33842] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable] + end: [....19] [ip4][..tcp] [.......10.8.0.1][33846] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable] + end: [....20] [ip4][..tcp] [.......10.8.0.1][33848] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable] idle: [....22] [ip4][..tcp] [.......10.8.0.1][33858] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/viber.pcap.out b/test/results/flow-info/default/viber.pcap.out index ae2df7a29..a24c13c2c 100644 --- a/test/results/flow-info/default/viber.pcap.out +++ b/test/results/flow-info/default/viber.pcap.out @@ -17,7 +17,6 @@ detection-update: [.....5] [ip4][..tcp] [...192.168.0.17][36986] -> [..54.69.166.226][..443] [TLS][AmazonAWS][Web][Safe][mapi.apptimize.com] new: [.....6] [ip4][..tcp] [...192.168.0.17][36988] -> [..54.69.166.226][..443] detected: [.....6] [ip4][..tcp] [...192.168.0.17][36988] -> [..54.69.166.226][..443] [TLS][AmazonAWS][Web][Safe][mapi.apptimize.com] - detection-update: [.....6] [ip4][..tcp] [...192.168.0.17][36988] -> [..54.69.166.226][..443] [TLS][AmazonAWS][Web][Safe][mapi.apptimize.com] new: [.....7] [ip4][..udp] [...192.168.0.17][37418] -> [...192.168.0.15][...53] detected: [.....7] [ip4][..udp] [...192.168.0.17][37418] -> [...192.168.0.15][...53] [DNS.Viber][Unknown][Network][Fun][media.cdn.viber.com] detection-update: [.....7] [ip4][..udp] [...192.168.0.17][37418] -> [...192.168.0.15][...53] [DNS.Viber][Unknown][Network][Fun][media.cdn.viber.com] @@ -58,7 +57,6 @@ detection-update: [....16] [ip4][..udp] [...192.168.0.17][44376] -> [...192.168.0.15][...53] [DNS][Unknown][Network][Acceptable][venetia.iad.appboy.com] new: [....17] [ip4][..tcp] [...192.168.0.17][55746] -> [..151.101.1.130][..443] detected: [....17] [ip4][..tcp] [...192.168.0.17][55746] -> [..151.101.1.130][..443] [TLS][Unknown][Web][Safe][venetia.iad.appboy.com] - detection-update: [....17] [ip4][..tcp] [...192.168.0.17][55746] -> [..151.101.1.130][..443] [TLS][Unknown][Web][Safe][venetia.iad.appboy.com] analyse: [.....1] [ip4][..tcp] [...192.168.0.17][33208] -> [...52.0.253.101][.4244] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 10.702| 1.934| 2.902| 8424002.683| 3.500] @@ -116,7 +114,7 @@ update: [.....2] [ip4][..udp] [...192.168.0.17][45743] -> [...192.168.0.15][...53] [DNS.Facebook][Unknown][Network][Fun][graph.facebook.com] update: [.....4] [ip4][..udp] [...192.168.0.17][62872] -> [...192.168.0.15][...53] [DNS][Unknown][Network][Acceptable][mapi.apptimize.com] DAEMON-EVENT: [Processed: 420 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 26 / 26|skipped: 0|!detected: 0|guessed: 1|detection-updates: 19|updates: 4] + DAEMON-EVENT: [Flows][active: 26 / 26|skipped: 0|!detected: 0|guessed: 1|detection-updates: 17|updates: 4] new: [....27] [ip4][..tcp] [..192.168.2.100][48690] -> [...52.0.252.145][.4244] detected: [....27] [ip4][..tcp] [..192.168.2.100][48690] -> [...52.0.252.145][.4244] [Viber][Viber][VoIP][Fun] end: [.....5] [ip4][..tcp] [...192.168.0.17][36986] -> [..54.69.166.226][..443] [TLS][AmazonAWS][Web][Safe] @@ -144,24 +142,24 @@ idle: [....25] [ip4][..udp] [...192.168.0.17][50097] -> [...192.168.0.15][...53] [DNS.Google][Unknown][Network][Acceptable][www.google.com] idle: [....23] [ip4][..udp] [...192.168.0.17][38190] -> [.....18.201.4.3][.7985] [Viber][AmazonAWS][VoIP][Fun] idle: [....24] [ip4][..udp] [...192.168.0.17][38190] -> [.....18.201.4.3][.7987] [Viber][AmazonAWS][VoIP][Fun] - idle: [....13] [ip4][..tcp] [...192.168.0.17][43702] -> [..172.217.23.78][..443] [TLS.Google][Google][Web][Acceptable][app-measurement.com] + idle: [....13] [ip4][..tcp] [...192.168.0.17][43702] -> [..172.217.23.78][..443] [TLS.Google][Google][Web][Acceptable] idle: [....16] [ip4][..udp] [...192.168.0.17][44376] -> [...192.168.0.15][...53] [DNS][Unknown][Network][Acceptable][venetia.iad.appboy.com] idle: [.....4] [ip4][..udp] [...192.168.0.17][62872] -> [...192.168.0.15][...53] [DNS][Unknown][Network][Acceptable][mapi.apptimize.com] guessed: [....22] [ip4][..tcp] [...192.168.0.17][33744] -> [.....18.201.4.3][..443] [TLS][AmazonAWS][Web][Safe] end: [....22] [ip4][..tcp] [...192.168.0.17][33744] -> [.....18.201.4.3][..443] idle: [.....9] [ip4][..udp] [...192.168.0.17][40445] -> [...192.168.0.15][...53] [DNS.Viber][Unknown][Network][Fun][dl-media.viber.com] DAEMON-EVENT: [Processed: 435 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 1 / 27|skipped: 0|!detected: 0|guessed: 4|detection-updates: 19|updates: 4] + DAEMON-EVENT: [Flows][active: 1 / 27|skipped: 0|!detected: 0|guessed: 4|detection-updates: 17|updates: 4] new: [....28] [ip4][..tcp] [..192.168.2.100][41184] -> [.....52.0.252.2][.5242] detected: [....28] [ip4][..tcp] [..192.168.2.100][41184] -> [.....52.0.252.2][.5242] [Viber][Viber][VoIP][Fun] DAEMON-EVENT: [Processed: 446 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 2 / 28|skipped: 0|!detected: 0|guessed: 4|detection-updates: 19|updates: 4] + DAEMON-EVENT: [Flows][active: 2 / 28|skipped: 0|!detected: 0|guessed: 4|detection-updates: 17|updates: 4] new: [....29] [ip4][..tcp] [..192.168.2.100][42900] -> [..44.192.202.74][.4244] [MIDSTREAM] detected: [....29] [ip4][..tcp] [..192.168.2.100][42900] -> [..44.192.202.74][.4244] [Viber][AmazonAWS][VoIP][Fun] end: [....28] [ip4][..tcp] [..192.168.2.100][41184] -> [.....52.0.252.2][.5242] [Viber][Viber][VoIP][Fun] idle: [....27] [ip4][..tcp] [..192.168.2.100][48690] -> [...52.0.252.145][.4244] [Viber][Viber][VoIP][Fun] DAEMON-EVENT: [Processed: 447 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 1 / 29|skipped: 0|!detected: 0|guessed: 4|detection-updates: 19|updates: 4] + DAEMON-EVENT: [Flows][active: 1 / 29|skipped: 0|!detected: 0|guessed: 4|detection-updates: 17|updates: 4] new: [....30] [ip4][..udp] [.192.168.12.156][40482] -> [...18.195.4.121][..443] detected: [....30] [ip4][..udp] [.192.168.12.156][40482] -> [...18.195.4.121][..443] [STUN][Viber][Network][Acceptable][] RISK: Known Proto on Non Std Port diff --git a/test/results/flow-info/default/wa_voice.pcap.out b/test/results/flow-info/default/wa_voice.pcap.out index df85859ce..500d8efe4 100644 --- a/test/results/flow-info/default/wa_voice.pcap.out +++ b/test/results/flow-info/default/wa_voice.pcap.out @@ -29,7 +29,7 @@ new: [.....7] [ip4][..tcp] [...192.168.2.12][50503] -> [....31.13.86.51][..443] detected: [.....7] [ip4][..tcp] [...192.168.2.12][50503] -> [....31.13.86.51][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable][media-mxp1-1.cdn.whatsapp.net] detection-update: [.....7] [ip4][..tcp] [...192.168.2.12][50503] -> [....31.13.86.51][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable][media-mxp1-1.cdn.whatsapp.net] - analyse: [.....7] [ip4][..tcp] [...192.168.2.12][50503] -> [....31.13.86.51][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable][media-mxp1-1.cdn.whatsapp.net] + analyse: [.....7] [ip4][..tcp] [...192.168.2.12][50503] -> [....31.13.86.51][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.163| 0.020| 0.047| 2203.182| 2.500] [PKTLEN......: 52.000| 1440.000| 343.600| 489.700| 239839.300| 3.900] @@ -84,7 +84,7 @@ new: [....21] [ip4][..tcp] [...192.168.2.12][50504] -> [..157.240.20.52][..443] detected: [....21] [ip4][..tcp] [...192.168.2.12][50504] -> [..157.240.20.52][..443] [TLS.WhatsApp][WhatsApp][Chat][Acceptable][pps.whatsapp.net] detection-update: [....21] [ip4][..tcp] [...192.168.2.12][50504] -> [..157.240.20.52][..443] [TLS.WhatsApp][WhatsApp][Chat][Acceptable][pps.whatsapp.net] - analyse: [....21] [ip4][..tcp] [...192.168.2.12][50504] -> [..157.240.20.52][..443] [TLS.WhatsApp][WhatsApp][Chat][Acceptable][pps.whatsapp.net] + analyse: [....21] [ip4][..tcp] [...192.168.2.12][50504] -> [..157.240.20.52][..443] [TLS.WhatsApp][WhatsApp][Chat][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.129| 0.020| 0.031| 949.768| 3.500] [PKTLEN......: 52.000| 1440.000| 374.400| 526.300| 277041.400| 3.900] diff --git a/test/results/flow-info/default/webex.pcap.out b/test/results/flow-info/default/webex.pcap.out index 06a8c0f45..47cf0902e 100644 --- a/test/results/flow-info/default/webex.pcap.out +++ b/test/results/flow-info/default/webex.pcap.out @@ -31,7 +31,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [.....4] [ip4][..tcp] [.......10.8.0.1][41351] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable][radcom.webex.com] RISK: TLS (probably) Not Carrying HTTPS - analyse: [.....2] [ip4][..tcp] [.......10.8.0.1][41348] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable][radcom.webex.com] + analyse: [.....2] [ip4][..tcp] [.......10.8.0.1][41348] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.455| 0.115| 0.126| 15828.845| 4.100] [PKTLEN......: 40.000| 18006.000| 1574.700| 3700.100| 13691057.000| 2.900] @@ -399,9 +399,9 @@ RISK: TLS (probably) Not Carrying HTTPS idle: [.....2] [ip4][..tcp] [.......10.8.0.1][41348] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable][radcom.webex.com] RISK: TLS (probably) Not Carrying HTTPS - idle: [.....3] [ip4][..tcp] [.......10.8.0.1][41350] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable][radcom.webex.com] + idle: [.....3] [ip4][..tcp] [.......10.8.0.1][41350] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable] RISK: TLS (probably) Not Carrying HTTPS - idle: [.....4] [ip4][..tcp] [.......10.8.0.1][41351] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable][radcom.webex.com] + idle: [.....4] [ip4][..tcp] [.......10.8.0.1][41351] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable] RISK: TLS (probably) Not Carrying HTTPS end: [.....7] [ip4][..tcp] [.......10.8.0.1][41354] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable] RISK: Obsolete TLS (v1.1 or older), Weak TLS Cipher diff --git a/test/results/flow-info/default/wechat.pcap.out b/test/results/flow-info/default/wechat.pcap.out index f2ce69afb..08c5c3e49 100644 --- a/test/results/flow-info/default/wechat.pcap.out +++ b/test/results/flow-info/default/wechat.pcap.out @@ -40,7 +40,7 @@ detection-update: [....17] [ip4][..tcp] [..192.168.1.103][54090] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] detection-update: [....17] [ip4][..tcp] [..192.168.1.103][54090] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] detected: [....18] [ip4][..tcp] [..192.168.1.103][54091] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] - analyse: [....16] [ip4][..tcp] [..192.168.1.103][54089] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] + analyse: [....16] [ip4][..tcp] [..192.168.1.103][54089] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.411| 0.155| 0.181| 32640.860| 3.800] [PKTLEN......: 52.000| 5878.000| 715.500| 1101.200| 1212669.600| 3.900] @@ -73,7 +73,7 @@ detection-update: [....24] [ip4][..tcp] [..192.168.1.103][54096] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] detection-update: [....24] [ip4][..tcp] [..192.168.1.103][54096] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] new: [....25] [ip4][..tcp] [..192.168.1.103][40740] -> [203.205.151.211][..443] [MIDSTREAM] - analyse: [....22] [ip4][..tcp] [..192.168.1.103][54094] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] + analyse: [....22] [ip4][..tcp] [..192.168.1.103][54094] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 4.544| 0.482| 1.044| 1090167.570| 3.200] [PKTLEN......: 52.000| 1740.000| 523.200| 556.000| 309130.700| 4.200] @@ -83,7 +83,7 @@ [IATS(ms)....: 359.2,359.3,0.4,360.6,1.9,362.1,0.5,0.5,3.6,359.7,357.1,3.3,369.2,32.8,2.8,400.5,15.0,3.3,382.0,38.0,403.1,2.4,369.1,37.0,438.8,4139.7,3.3,4544.3,34.1,398.8,1152.6] [PKTLENS.....: 60,60,52,290,52,1480,52,1740,52,178,103,1292,527,52,1480,221,52,1225,429,52,250,1292,527,52,988,52,1292,527,52,989,52,1220] [ENTROPIES...: 4.6,5.1,5.0,5.9,5.1,6.8,5.1,7.6,5.0,6.3,6.0,7.8,7.5,5.2,7.9,7.1,5.1,7.8,7.4,5.2,7.1,7.8,7.5,5.2,7.8,5.0,7.9,7.6,5.2,7.8,5.0,7.9] - analyse: [....23] [ip4][..tcp] [..192.168.1.103][54095] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] + analyse: [....23] [ip4][..tcp] [..192.168.1.103][54095] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 3.384| 0.466| 0.827| 684250.497| 3.400] [PKTLEN......: 52.000| 8277.000| 746.100| 1463.300| 2141136.500| 3.600] @@ -119,7 +119,7 @@ detected: [....27] [ip4][..tcp] [..192.168.1.103][54098] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] detection-update: [....27] [ip4][..tcp] [..192.168.1.103][54098] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] detection-update: [....27] [ip4][..tcp] [..192.168.1.103][54098] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] - analyse: [....26] [ip4][..tcp] [..192.168.1.103][54097] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] + analyse: [....26] [ip4][..tcp] [..192.168.1.103][54097] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 6.862| 1.014| 1.948| 3793749.017| 3.100] [PKTLEN......: 52.000| 1740.000| 496.000| 523.800| 274414.800| 4.200] @@ -129,7 +129,7 @@ [IATS(ms)....: 362.7,362.7,0.7,359.8,0.7,359.7,1.8,1.8,3.2,360.0,358.1,7.2,373.9,64.6,431.4,4.5,369.6,40.0,442.3,4042.2,3.3,4448.9,74.4,439.2,6493.5,3.3,6862.2,32.1,397.5,4719.1,3.2] [PKTLENS.....: 60,60,52,290,52,1480,52,1740,52,178,103,1220,521,52,283,1292,527,52,988,52,1220,511,52,283,52,1292,527,52,989,52,1220,516] [ENTROPIES...: 4.7,5.2,5.1,5.9,5.1,6.8,5.0,7.6,4.9,6.4,6.0,7.8,7.6,5.1,7.2,7.8,7.6,5.0,7.8,5.1,7.8,7.5,4.9,7.2,5.0,7.8,7.6,5.2,7.8,5.0,7.8,7.5] - analyse: [....27] [ip4][..tcp] [..192.168.1.103][54098] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] + analyse: [....27] [ip4][..tcp] [..192.168.1.103][54098] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 6.095| 1.335| 2.042| 4168801.845| 3.500] [PKTLEN......: 52.000| 1740.000| 437.700| 521.000| 271486.500| 4.100] @@ -139,7 +139,7 @@ [IATS(ms)....: 346.8,346.9,899.5,1092.8,193.2,160.5,1.8,162.3,0.6,0.5,2.9,351.9,387.2,4178.9,3.3,4577.7,29.2,386.6,5733.7,3.7,6095.0,83.0,440.7,5485.5,3.3,5845.9,30.2,387.3,1889.1,2.7,2250.0] [PKTLENS.....: 60,60,52,290,60,52,52,1480,52,1740,52,178,103,52,1292,527,52,989,52,1220,508,52,283,52,1292,527,52,989,52,1220,513,52] [ENTROPIES...: 4.8,5.2,5.0,5.9,5.3,5.1,5.1,6.8,5.0,7.6,4.9,6.4,5.9,5.0,7.8,7.6,5.0,7.8,5.0,7.8,7.6,5.1,7.2,5.1,7.8,7.5,5.1,7.8,5.1,7.8,7.6,5.1] - analyse: [.....5] [ip4][..tcp] [..192.168.1.103][38657] -> [..172.217.22.14][..443] [TLS.Google][Google][Web][Acceptable][safebrowsing.googleusercontent.com] + analyse: [.....5] [ip4][..tcp] [..192.168.1.103][38657] -> [..172.217.22.14][..443] [TLS.Google][Google][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 45.056| 5.827| 15.097| 227916113.773| 2.000] [PKTLEN......: 52.000| 1470.000| 253.200| 422.200| 178253.900| 3.700] @@ -182,7 +182,7 @@ detection-update: [....35] [ip4][..tcp] [..192.168.1.103][54103] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] detection-update: [....35] [ip4][..tcp] [..192.168.1.103][54103] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] new: [....36] [ip4][..tcp] [..192.168.1.103][54104] -> [203.205.151.162][..443] - analyse: [....31] [ip4][..tcp] [..192.168.1.103][54099] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] + analyse: [....31] [ip4][..tcp] [..192.168.1.103][54099] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.469| 0.183| 0.190| 36094.243| 4.000] [PKTLEN......: 52.000| 1740.000| 591.500| 612.000| 374517.100| 4.200] @@ -205,7 +205,7 @@ [IATS(ms)....: 360.8,360.9,1.1,320.2,2.0,321.1,0.8,0.8,0.5,0.5,2.5,331.8,329.8,339.6,0.8,339.8,0.5,4.5,5.1,2.5,2.5,1.1,1.1,271.4,646.7,0.8,376.1,0.5,0.9,1.5,0.5] [PKTLENS.....: 60,60,52,290,52,1480,52,1480,52,312,52,178,103,1140,1480,1480,52,1480,1480,52,2908,52,3120,52,1140,1480,1480,52,1480,1480,52,1480] [ENTROPIES...: 4.7,5.2,5.0,5.9,5.1,6.8,5.1,7.5,5.0,7.3,5.0,6.4,5.8,7.9,7.9,7.9,5.1,7.9,7.9,5.0,7.9,5.0,7.9,5.0,7.8,7.9,7.9,5.0,7.9,7.9,5.1,7.9] - analyse: [....33] [ip4][..tcp] [..192.168.1.103][54101] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] + analyse: [....33] [ip4][..tcp] [..192.168.1.103][54101] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.952| 0.213| 0.233| 54375.543| 4.000] [PKTLEN......: 52.000| 1740.000| 543.300| 599.100| 358890.200| 4.100] @@ -232,7 +232,7 @@ end: [....16] [ip4][..tcp] [..192.168.1.103][54089] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] end: [....17] [ip4][..tcp] [..192.168.1.103][54090] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun] end: [....18] [ip4][..tcp] [..192.168.1.103][54091] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun] - end: [....19] [ip4][..tcp] [..192.168.1.103][54092] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] + end: [....19] [ip4][..tcp] [..192.168.1.103][54092] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun] guessed: [....20] [ip4][..tcp] [..192.168.1.103][54093] -> [203.205.151.162][..443] [TLS][Unknown][Web][Safe] end: [....20] [ip4][..tcp] [..192.168.1.103][54093] -> [203.205.151.162][..443] end: [....22] [ip4][..tcp] [..192.168.1.103][54094] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] @@ -270,7 +270,7 @@ new: [....45] [ip4][..tcp] [..192.168.1.103][43850] -> [.203.205.158.34][..443] new: [....46] [ip4][..tcp] [..192.168.1.103][43851] -> [.203.205.158.34][..443] detected: [....45] [ip4][..tcp] [..192.168.1.103][43850] -> [.203.205.158.34][..443] [TLS.QQ][Unknown][Chat][Fun][res.wx.qq.com] - analyse: [....42] [ip4][..tcp] [..192.168.1.103][54113] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] + analyse: [....42] [ip4][..tcp] [..192.168.1.103][54113] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 6.615| 0.560| 1.552| 2408711.979| 2.600] [PKTLEN......: 52.000| 1480.000| 478.200| 547.100| 299293.400| 4.100] @@ -305,7 +305,7 @@ update: [....44] [ip4][..udp] [..192.168.1.103][19041] -> [..192.168.1.254][...53] [DNS.QQ][Unknown][Network][Fun][res.wx.qq.com] update: [....47] [ip4][..udp] [..192.168.1.103][60562] -> [..192.168.1.254][...53] [DNS.Google][Unknown][Network][Acceptable][ssl.gstatic.com] update: [....48] [ip4][..udp] [..192.168.1.103][35601] -> [..172.217.23.67][..443] [QUIC.Google][Google][Web][Acceptable][ssl.gstatic.com] - analyse: [....50] [ip4][..tcp] [..192.168.1.103][54117] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] + analyse: [....50] [ip4][..tcp] [..192.168.1.103][54117] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 7.807| 0.648| 1.839| 3381034.746| 2.500] [PKTLEN......: 52.000| 1480.000| 445.300| 494.600| 244586.200| 4.200] @@ -347,7 +347,7 @@ update: [....49] [ip4][..udp] [..192.168.1.100][..138] -> [..192.168.1.255][..138] [NetBIOS.SMBv1][Unknown][System][Dangerous][giovanni-pc] RISK: Unsafe Protocol update: [.....2] [ip4][..udp] [..192.168.1.103][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable][_googlecast._tcp.local] - analyse: [....52] [ip4][..tcp] [..192.168.1.103][54119] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] + analyse: [....52] [ip4][..tcp] [..192.168.1.103][54119] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 7.133| 0.619| 1.664| 2769657.004| 2.700] [PKTLEN......: 52.000| 1480.000| 478.200| 547.100| 299307.700| 4.100] @@ -380,7 +380,7 @@ detected: [....57] [ip4][..tcp] [..192.168.1.103][58038] -> [203.205.147.171][..443] [TLS.WeChat][Tencent][Chat][Fun][web.wechat.com] detection-update: [....57] [ip4][..tcp] [..192.168.1.103][58038] -> [203.205.147.171][..443] [TLS.WeChat][Tencent][Chat][Fun][web.wechat.com] detection-update: [....57] [ip4][..tcp] [..192.168.1.103][58038] -> [203.205.147.171][..443] [TLS.WeChat][Tencent][Chat][Fun][web.wechat.com] - analyse: [....57] [ip4][..tcp] [..192.168.1.103][58038] -> [203.205.147.171][..443] [TLS.WeChat][Tencent][Chat][Fun][web.wechat.com] + analyse: [....57] [ip4][..tcp] [..192.168.1.103][58038] -> [203.205.147.171][..443] [TLS.WeChat][Tencent][Chat][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 2.509| 0.286| 0.565| 319614.583| 3.400] [PKTLEN......: 52.000| 1740.000| 537.900| 561.400| 315202.600| 4.200] @@ -478,7 +478,7 @@ update: [....54] [ip4][..udp] [..192.168.1.103][60356] -> [..192.168.1.254][...53] [DNS.WeChat][Unknown][Network][Fun][web.wechat.com] update: [....70] [ip6][icmp6] [.....................................::] -> [......................ff02::1:ff86:6c5b] [ICMPV6][Unknown][Network][Acceptable] update: [....68] [ip6][icmp6] [...............fe80::842:a3f3:a286:6c5b] -> [................................ff02::2] [ICMPV6][Unknown][Network][Acceptable] - end: [....55] [ip4][..tcp] [..192.168.1.103][58036] -> [203.205.147.171][..443] [TLS.WeChat][Tencent][Chat][Fun][web.wechat.com] + end: [....55] [ip4][..tcp] [..192.168.1.103][58036] -> [203.205.147.171][..443] [TLS.WeChat][Tencent][Chat][Fun] update: [....66] [ip6][..udp] [..............fe80::91f9:3df3:7436:6cd6][50577] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable][mcztmpkc] update: [.....3] [ip6][..udp] [..............fe80::7a92:9cff:fe0f:a88e][.5353] -> [...............................ff02::fb][.5353] [MDNS][Unknown][Network][Acceptable][_googlecast._tcp.local] update: [....69] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable][iphonedimonica] diff --git a/test/results/flow-info/default/weibo.pcap.out b/test/results/flow-info/default/weibo.pcap.out index 8d3699480..4bff7eebe 100644 --- a/test/results/flow-info/default/weibo.pcap.out +++ b/test/results/flow-info/default/weibo.pcap.out @@ -73,7 +73,7 @@ new: [....23] [ip4][..udp] [..192.168.1.105][53466] -> [....192.168.1.1][...53] detected: [....23] [ip4][..udp] [..192.168.1.105][53466] -> [....192.168.1.1][...53] [DNS.Alibaba][Unknown][Network][Acceptable][log.mmstat.com] new: [....24] [ip4][..udp] [..192.168.1.105][33822] -> [....192.168.1.1][...53] - detected: [....24] [ip4][..udp] [..192.168.1.105][33822] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][login.taobao.com] + detected: [....24] [ip4][..udp] [..192.168.1.105][33822] -> [....192.168.1.1][...53] [DNS.Taobao][Unknown][Network][Acceptable][login.taobao.com] new: [....25] [ip4][..tcp] [..192.168.1.105][35806] -> [.93.188.134.246][...80] new: [....26] [ip4][..tcp] [..192.168.1.105][35807] -> [.93.188.134.246][...80] new: [....27] [ip4][..tcp] [..192.168.1.105][35808] -> [.93.188.134.246][...80] @@ -105,7 +105,7 @@ RISK: Susp DGA Domain name, Risky Domain Name new: [....40] [ip4][..tcp] [..192.168.1.105][52271] -> [..42.156.184.19][..443] new: [....41] [ip4][..tcp] [..192.168.1.105][52272] -> [..42.156.184.19][..443] - detection-update: [....24] [ip4][..udp] [..192.168.1.105][33822] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][login.taobao.com] + detection-update: [....24] [ip4][..udp] [..192.168.1.105][33822] -> [....192.168.1.1][...53] [DNS.Taobao][Unknown][Network][Acceptable][login.taobao.com] new: [....42] [ip4][..tcp] [..192.168.1.105][47721] -> [.140.205.170.63][..443] detected: [....30] [ip4][..tcp] [..192.168.1.105][42275] -> [...222.73.28.96][...80] [HTTP.Sina][Unknown][SocialNetwork][Fun][u1.img.mobile.sina.cn] new: [....43] [ip4][..tcp] [..192.168.1.105][52274] -> [..42.156.184.19][..443] @@ -199,7 +199,7 @@ RISK: Unidirectional Traffic idle: [....39] [ip4][..tcp] [..192.168.1.105][48356] -> [..140.205.174.1][..443] idle: [....10] [ip4][..udp] [..192.168.1.105][.7148] -> [....192.168.1.1][...53] [DNS.SinaWeibo][Unknown][Network][Fun][www.weibo.com] - idle: [....24] [ip4][..udp] [..192.168.1.105][33822] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][login.taobao.com] + idle: [....24] [ip4][..udp] [..192.168.1.105][33822] -> [....192.168.1.1][...53] [DNS.Taobao][Unknown][Network][Acceptable][login.taobao.com] guessed: [.....1] [ip4][..udp] [..216.58.210.14][..443] -> [..192.168.1.105][49361] [QUIC][Google][Web][Acceptable] RISK: Susp Entropy idle: [.....1] [ip4][..udp] [..216.58.210.14][..443] -> [..192.168.1.105][49361] diff --git a/test/results/flow-info/default/whatsapp_login_call.pcap.out b/test/results/flow-info/default/whatsapp_login_call.pcap.out index dd0bef371..6a7917465 100644 --- a/test/results/flow-info/default/whatsapp_login_call.pcap.out +++ b/test/results/flow-info/default/whatsapp_login_call.pcap.out @@ -56,7 +56,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [....17] [ip4][..tcp] [....192.168.2.4][49204] -> [..17.173.66.102][..443] [TLS.AppleStore][Apple][SoftwareUpdate][Safe][p53-buy.itunes.apple.com] RISK: TLS (probably) Not Carrying HTTPS - analyse: [....17] [ip4][..tcp] [....192.168.2.4][49204] -> [..17.173.66.102][..443] [TLS.AppleStore][Apple][SoftwareUpdate][Safe][p53-buy.itunes.apple.com] + analyse: [....17] [ip4][..tcp] [....192.168.2.4][49204] -> [..17.173.66.102][..443] [TLS.AppleStore][Apple][SoftwareUpdate][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.246| 0.057| 0.089| 7910.915| 3.400] [PKTLEN......: 40.000| 1480.000| 289.300| 408.500| 166890.900| 3.900] @@ -254,7 +254,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [....57] [ip4][..tcp] [....192.168.2.4][49205] -> [..17.173.66.102][..443] [TLS.AppleStore][Apple][SoftwareUpdate][Safe][p53-buy.itunes.apple.com] RISK: TLS (probably) Not Carrying HTTPS - analyse: [....57] [ip4][..tcp] [....192.168.2.4][49205] -> [..17.173.66.102][..443] [TLS.AppleStore][Apple][SoftwareUpdate][Safe][p53-buy.itunes.apple.com] + analyse: [....57] [ip4][..tcp] [....192.168.2.4][49205] -> [..17.173.66.102][..443] [TLS.AppleStore][Apple][SoftwareUpdate][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.272| 0.058| 0.092| 8444.798| 3.300] [PKTLEN......: 40.000| 1480.000| 289.300| 408.500| 166876.700| 3.900] diff --git a/test/results/flow-info/default/whatsappfiles.pcap.out b/test/results/flow-info/default/whatsappfiles.pcap.out index f47961c4a..1820a0346 100644 --- a/test/results/flow-info/default/whatsappfiles.pcap.out +++ b/test/results/flow-info/default/whatsappfiles.pcap.out @@ -5,7 +5,7 @@ detected: [.....1] [ip4][..tcp] [...192.168.2.29][49674] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable][mmg-fna.whatsapp.net] detection-update: [.....1] [ip4][..tcp] [...192.168.2.29][49674] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable][mmg-fna.whatsapp.net] detection-update: [.....1] [ip4][..tcp] [...192.168.2.29][49674] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable][mmg-fna.whatsapp.net] - analyse: [.....1] [ip4][..tcp] [...192.168.2.29][49674] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable][mmg-fna.whatsapp.net] + analyse: [.....1] [ip4][..tcp] [...192.168.2.29][49674] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 24.640| 0.846| 4.345| 18880535.724| 0.500] [PKTLEN......: 52.000| 1450.000| 329.100| 491.800| 241822.200| 3.800] @@ -18,7 +18,7 @@ new: [.....2] [ip4][..tcp] [...192.168.2.29][49698] -> [..185.60.216.53][..443] detected: [.....2] [ip4][..tcp] [...192.168.2.29][49698] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable][mmg-fna.whatsapp.net] detection-update: [.....2] [ip4][..tcp] [...192.168.2.29][49698] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable][mmg-fna.whatsapp.net] - analyse: [.....2] [ip4][..tcp] [...192.168.2.29][49698] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable][mmg-fna.whatsapp.net] + analyse: [.....2] [ip4][..tcp] [...192.168.2.29][49698] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.108| 0.019| 0.031| 953.946| 3.300] [PKTLEN......: 52.000| 1450.000| 485.400| 599.200| 359069.100| 4.000] diff --git a/test/results/flow-info/default/zoom.pcap.out b/test/results/flow-info/default/zoom.pcap.out index c76f9eff6..1f051c54f 100644 --- a/test/results/flow-info/default/zoom.pcap.out +++ b/test/results/flow-info/default/zoom.pcap.out @@ -120,7 +120,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [.....4] [ip4][..tcp] [..192.168.1.117][54341] -> [.62.149.152.153][..993] [IMAPS][Unknown][Email][Safe] RISK: Unidirectional Traffic - analyse: [....30] [ip4][..tcp] [..192.168.1.117][54871] -> [..109.94.160.99][..443] [TLS.Zoom][Unknown][Video][Acceptable][zoomfrn99mmr.zoom.us] + analyse: [....30] [ip4][..tcp] [..192.168.1.117][54871] -> [..109.94.160.99][..443] [TLS.Zoom][Unknown][Video][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.156| 0.028| 0.040| 1628.090| 3.800] [PKTLEN......: 52.000| 1492.000| 420.500| 552.400| 305116.100| 3.900] @@ -205,7 +205,7 @@ RISK: Known Proto on Non Std Port idle: [.....2] [ip4][..udp] [..192.168.1.117][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable] idle: [....22] [ip4][..udp] [..192.168.1.117][57621] -> [..192.168.1.255][57621] [Spotify][Unknown][Music][Fun] - end: [.....3] [ip4][..tcp] [..192.168.1.117][54863] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org] + end: [.....3] [ip4][..tcp] [..192.168.1.117][54863] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe] RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS idle: [....24] [ip4][..udp] [..192.168.1.117][58063] -> [....192.168.1.1][...53] [DNS.Zoom][Unknown][Network][Acceptable][zoomfr84zc.zoom.us] end: [....25] [ip4][..tcp] [..192.168.1.117][54867] -> [.213.19.144.105][..443] [TLS.Zoom][Zoom][Video][Acceptable] diff --git a/test/results/flow-info/disable_aggressiveness/ookla.pcap.out b/test/results/flow-info/disable_aggressiveness/ookla.pcap.out index 48daea209..8aef4141e 100644 --- a/test/results/flow-info/disable_aggressiveness/ookla.pcap.out +++ b/test/results/flow-info/disable_aggressiveness/ookla.pcap.out @@ -27,6 +27,6 @@ detection-update: [.....6] [ip4][..tcp] [..192.168.1.128][35830] -> [..89.96.108.170][.8080] [TLS][Unknown][Web][Safe][spd-pub-mi-01-01.fastwebnet.it] RISK: Known Proto on Non Std Port idle: [.....5] [ip4][..tcp] [..192.168.1.128][48854] -> [..104.16.209.12][..443] [TLS.Ookla][Cloudflare][Network][Safe] - idle: [.....6] [ip4][..tcp] [..192.168.1.128][35830] -> [..89.96.108.170][.8080] [TLS][Unknown][Web][Safe][spd-pub-mi-01-01.fastwebnet.it] + idle: [.....6] [ip4][..tcp] [..192.168.1.128][35830] -> [..89.96.108.170][.8080] [TLS][Unknown][Web][Safe] RISK: Known Proto on Non Std Port DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/disable_metadata/sip.pcap.out b/test/results/flow-info/disable_metadata/sip.pcap.out new file mode 100644 index 000000000..e29d26b26 --- /dev/null +++ b/test/results/flow-info/disable_metadata/sip.pcap.out @@ -0,0 +1,56 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] + detected: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable] + update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable] + update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable] + update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable] + update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable] + new: [.....2] [ip4][..udp] [....192.168.1.2][.5060] -> [..200.68.120.81][.5060] + detected: [.....2] [ip4][..udp] [....192.168.1.2][.5060] -> [..200.68.120.81][.5060] [SIP][Unknown][VoIP][Acceptable] + update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable] + update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable] + update: [.....2] [ip4][..udp] [....192.168.1.2][.5060] -> [..200.68.120.81][.5060] [SIP][Unknown][VoIP][Acceptable] + update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable] + update: [.....2] [ip4][..udp] [....192.168.1.2][.5060] -> [..200.68.120.81][.5060] [SIP][Unknown][VoIP][Acceptable] + DAEMON-EVENT: [Processed: 43 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 2 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 9] + update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable] + update: [.....2] [ip4][..udp] [....192.168.1.2][.5060] -> [..200.68.120.81][.5060] [SIP][Unknown][VoIP][Acceptable] + analyse: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.026| 279.042| 42.751| 57.874| 3349363405.357| 4.000] + [PKTLEN......: 33.000| 853.000| 415.300| 273.000| 74531.700| 4.600] + [BINS(c->s)..: 9,0,0,0,0,0,0,0,0,0,1,0,0,0,4,0,0,0,0,0,0,4,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,2,1,0,0,0,1,6,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0] + [IATS(ms)....: 136.8,17415.6,17425.0,49.8,89928.6,89874.9,17280.7,17290.4,150200.0,150188.2,17325.2,17335.8,73916.0,73902.7,17325.0,17333.2,25.9,17725.0,29031.8,29092.7,34118.2,34119.1,29272.4,29031.8,29031.6,29031.5,17105.0,497.7,1001.8,279041.8,227.1] + [PKTLENS.....: 495,514,708,334,374,495,514,708,519,495,514,708,519,495,514,708,334,498,33,33,33,33,33,33,33,33,33,853,853,853,621,368] + [ENTROPIES...: 5.7,5.7,5.7,5.7,5.7,5.7,5.8,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.6,4.1,4.1,4.1,4.1,4.1,4.1,4.0,4.1,4.1,5.7,5.7,5.7,5.8,5.7] + update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable] + update: [.....2] [ip4][..udp] [....192.168.1.2][.5060] -> [..200.68.120.81][.5060] [SIP][Unknown][VoIP][Acceptable] + idle: [.....2] [ip4][..udp] [....192.168.1.2][.5060] -> [..200.68.120.81][.5060] [SIP][Unknown][VoIP][Acceptable] + update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable] + update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable] + update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable] + update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable] + DAEMON-EVENT: [Processed: 68 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 1 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 17] + update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable] + update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable] + update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable] + update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable] + new: [.....3] [ip4][..udp] [....192.168.1.2][30000] -> [..212.242.33.36][40392] + detected: [.....3] [ip4][..udp] [....192.168.1.2][30000] -> [..212.242.33.36][40392] [RTP][Unknown][Media][Acceptable] + new: [.....4] [ip4][..udp] [....192.168.1.2][30001] -> [..212.242.33.36][40393] + update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable] + update: [.....3] [ip4][..udp] [....192.168.1.2][30000] -> [..212.242.33.36][40392] [RTP][Unknown][Media][Acceptable] + update: [.....4] [ip4][..udp] [....192.168.1.2][30001] -> [..212.242.33.36][40393] + update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable] + idle: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable] + idle: [.....3] [ip4][..udp] [....192.168.1.2][30000] -> [..212.242.33.36][40392] [RTP][Unknown][Media][Acceptable] + not-detected: [.....4] [ip4][..udp] [....192.168.1.2][30001] -> [..212.242.33.36][40393] [Unknown][Unknown][Unrated] + RISK: Susp Entropy, Unidirectional Traffic + idle: [.....4] [ip4][..udp] [....192.168.1.2][30001] -> [..212.242.33.36][40393] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/disable_protocols/soap.pcap.out b/test/results/flow-info/disable_protocols/soap.pcap.out index 4a974492b..c7ff5b26a 100644 --- a/test/results/flow-info/disable_protocols/soap.pcap.out +++ b/test/results/flow-info/disable_protocols/soap.pcap.out @@ -2,6 +2,7 @@ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....1] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][...80] + detected: [.....1] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][...80] [SOAP][Unknown][RPC][Acceptable] new: [.....2] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][.4176] [MIDSTREAM] detected: [.....2] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][.4176] [HTTP.SOAP][Unknown][Cloud][Acceptable][go.microsoft.com] RISK: Known Proto on Non Std Port @@ -12,6 +13,5 @@ idle: [.....3][.808] [ip4][..tcp] [..185.32.192.30][...80] -> [.85.154.114.113][56028] [SOAP][Unknown][RPC][Acceptable] idle: [.....2] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][.4176] [HTTP.SOAP][Unknown][Cloud][Acceptable] RISK: Known Proto on Non Std Port - guessed: [.....1] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][...80] [HTTP][Unknown][Web][Acceptable][] - end: [.....1] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][...80] + end: [.....1] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][...80] [SOAP][Unknown][RPC][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/disable_use_client_ip/bot.pcap.out b/test/results/flow-info/disable_use_client_ip/bot.pcap.out new file mode 100644 index 000000000..a75817a39 --- /dev/null +++ b/test/results/flow-info/disable_use_client_ip/bot.pcap.out @@ -0,0 +1,19 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1][..77] [ip4][..tcp] [...40.77.167.36][64768] -> [...89.31.72.220][...80] + detected: [.....1][..77] [ip4][..tcp] [...40.77.167.36][64768] -> [...89.31.72.220][...80] [HTTP][Unknown][Web][Acceptable][atlanteditorino.it] + RISK: Crawler/Bot + analyse: [.....1][..77] [ip4][..tcp] [...40.77.167.36][64768] -> [...89.31.72.220][...80] [HTTP][Unknown][Web][Acceptable][atlanteditorino.it] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.114| 0.014| 0.036| 1309.010| 2.200] + [PKTLEN......: 46.000| 1480.000| 1086.500| 631.200| 398369.000| 4.600] + [BINS(c->s)..: 6,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,1] + [IATS(ms)....: 0.4,106.5,0.0,106.7,7.6,0.1,0.1,0.1,0.0,0.0,0.8,0.0,0.0,0.0,114.2,0.3,105.4,0.1,0.0,0.0,0.1,0.0,0.0,0.0,0.2,0.0,0.1,0.0,0.8,0.1,0.5] + [PKTLENS.....: 48,48,46,356,46,1480,1480,1480,1480,1480,1480,1480,1480,1480,1480,46,46,1480,1480,1480,1480,1480,1480,1480,1480,1480,1480,1480,1480,46,46,1480] + [ENTROPIES...: 4.7,4.8,4.7,5.6,4.7,6.4,7.5,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.1,4.7,4.6,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.4,5.9,7.9,5.5,4.9,4.7,4.7,5.1] + end: [.....1][..77] [ip4][..tcp] [...40.77.167.36][64768] -> [...89.31.72.220][...80] [HTTP][Unknown][Web][Acceptable][atlanteditorino.it] + RISK: Crawler/Bot + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/disable_use_client_port/iphone.pcap.out b/test/results/flow-info/disable_use_client_port/iphone.pcap.out new file mode 100644 index 000000000..ff59aa3fe --- /dev/null +++ b/test/results/flow-info/disable_use_client_port/iphone.pcap.out @@ -0,0 +1,237 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..udp] [....192.168.2.1][17500] -> [..192.168.2.255][17500] + detected: [.....1] [ip4][..udp] [....192.168.2.1][17500] -> [..192.168.2.255][17500] [Dropbox][Unknown][Cloud][Acceptable] + new: [.....2] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] + detected: [.....2] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable][lucas-imac] + new: [.....3] [ip4][..udp] [....192.168.2.1][.5353] -> [....224.0.0.251][.5353] + detected: [.....3] [ip4][..udp] [....192.168.2.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable][lucas imac._odisk._tcp.local] + new: [.....4] [ip6][..udp] [...............fe80::c42c:3ff:fe60:6a64][.5353] -> [...............................ff02::fb][.5353] + detected: [.....4] [ip6][..udp] [...............fe80::c42c:3ff:fe60:6a64][.5353] -> [...............................ff02::fb][.5353] [MDNS][Unknown][Network][Acceptable][lucas imac._odisk._tcp.local] + new: [.....5] [ip4][..udp] [169.254.225.216][.5353] -> [....224.0.0.251][.5353] + detected: [.....5] [ip4][..udp] [169.254.225.216][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable][lucas imac._odisk._tcp.local] + new: [.....6] [ip4][..udp] [....192.168.2.1][57621] -> [..192.168.2.255][57621] + detected: [.....6] [ip4][..udp] [....192.168.2.1][57621] -> [..192.168.2.255][57621] [Spotify][Unknown][Music][Fun] + new: [.....7] [ip4][..udp] [....192.168.2.1][.5351] -> [......224.0.0.1][.5350] + new: [.....8] [ip4][..udp] [169.254.225.216][60538] -> [239.255.255.250][.1900] + detected: [.....8] [ip4][..udp] [169.254.225.216][60538] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + new: [.....9] [ip4][..udp] [....192.168.2.1][51411] -> [239.255.255.250][.1900] + detected: [.....9] [ip4][..udp] [....192.168.2.1][51411] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + new: [....10] [ip4][..udp] [....192.168.2.1][...67] -> [...192.168.2.17][...68] + detected: [....10] [ip4][..udp] [....192.168.2.1][...67] -> [...192.168.2.17][...68] [DHCP][Unknown][Network][Acceptable][] + new: [....11] [ip6][icmp6] [.....................................::] -> [......................ff02::1:ff98:a29c] + detected: [....11] [ip6][icmp6] [.....................................::] -> [......................ff02::1:ff98:a29c] [ICMPV6][Unknown][Network][Acceptable] + new: [....12] [ip6][icmp6] [...............fe80::823:3f17:8298:a29c] -> [................................ff02::2] + detected: [....12] [ip6][icmp6] [...............fe80::823:3f17:8298:a29c] -> [................................ff02::2] [ICMPV6][Unknown][Network][Acceptable] + new: [....13] [ip6][..udp] [...............fe80::823:3f17:8298:a29c][.5353] -> [...............................ff02::fb][.5353] + detected: [....13] [ip6][..udp] [...............fe80::823:3f17:8298:a29c][.5353] -> [...............................ff02::fb][.5353] [MDNS][Unknown][Network][Acceptable][_homekit._tcp.local] + new: [....14] [ip6][icmp6] [...............fe80::823:3f17:8298:a29c] -> [...............................ff02::16] + detected: [....14] [ip6][icmp6] [...............fe80::823:3f17:8298:a29c] -> [...............................ff02::16] [ICMPV6][Unknown][Network][Acceptable] + new: [....15] [ip4][..udp] [...192.168.2.17][63381] -> [....192.168.2.1][...53] + detected: [....15] [ip4][..udp] [...192.168.2.17][63381] -> [....192.168.2.1][...53] [DNS.AppleiCloud][Unknown][Network][Acceptable][p26-keyvalueservice.icloud.com] + new: [....16] [ip4][..udp] [...192.168.2.17][63143] -> [....192.168.2.1][...53] + detected: [....16] [ip4][..udp] [...192.168.2.17][63143] -> [....192.168.2.1][...53] [DNS.AppleiCloud][Unknown][Network][Acceptable][p26-fmfmobile.icloud.com] + new: [....17] [ip4][..udp] [...192.168.2.17][61862] -> [....192.168.2.1][...53] + detected: [....17] [ip4][..udp] [...192.168.2.17][61862] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][gspe35-ssl.ls.apple.com] + new: [....18] [ip4][..udp] [...192.168.2.17][55914] -> [....192.168.2.1][...53] + detected: [....18] [ip4][..udp] [...192.168.2.17][55914] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][gsp85-ssl.ls.apple.com] + new: [....19] [ip4][..udp] [...192.168.2.17][51007] -> [....192.168.2.1][...53] + detected: [....19] [ip4][..udp] [...192.168.2.17][51007] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][captive.apple.com] + detection-update: [....16] [ip4][..udp] [...192.168.2.17][63143] -> [....192.168.2.1][...53] [DNS.AppleiCloud][Unknown][Network][Acceptable][p26-fmfmobile.icloud.com] + detection-update: [....15] [ip4][..udp] [...192.168.2.17][63381] -> [....192.168.2.1][...53] [DNS.AppleiCloud][Unknown][Network][Acceptable][p26-keyvalueservice.icloud.com] + detection-update: [....17] [ip4][..udp] [...192.168.2.17][61862] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][gspe35-ssl.ls.apple.com] + detection-update: [....18] [ip4][..udp] [...192.168.2.17][55914] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][gsp85-ssl.ls.apple.com] + new: [....20] [ip4][..tcp] [...192.168.2.17][50575] -> [.17.248.185.140][..443] + detection-update: [....19] [ip4][..udp] [...192.168.2.17][51007] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][captive.apple.com] + new: [....21] [ip4][..udp] [...192.168.2.17][55457] -> [....192.168.2.1][...53] + detected: [....21] [ip4][..udp] [...192.168.2.17][55457] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][mesu.apple.com] + new: [....22] [ip4][..udp] [...192.168.2.17][.5353] -> [....224.0.0.251][.5353] + detected: [....22] [ip4][..udp] [...192.168.2.17][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable][_homekit._tcp.local] + new: [....23] [ip4][..tcp] [...192.168.2.17][50576] -> [...95.101.25.53][..443] + new: [....24] [ip4][..tcp] [...192.168.2.17][50577] -> [....17.130.2.46][..443] + new: [....25] [ip4][..tcp] [...192.168.2.17][49152] -> [.17.253.105.202][...80] + detected: [....20] [ip4][..tcp] [...192.168.2.17][50575] -> [.17.248.185.140][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][p26-fmfmobile.icloud.com] + detection-update: [....21] [ip4][..udp] [...192.168.2.17][55457] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][mesu.apple.com] + detected: [....23] [ip4][..tcp] [...192.168.2.17][50576] -> [...95.101.25.53][..443] [TLS.Apple][Unknown][Web][Safe][gspe35-ssl.ls.apple.com] + new: [....26] [ip4][..tcp] [...192.168.2.17][50578] -> [.17.253.105.202][..443] + new: [....27] [ip4][..tcp] [...192.168.2.17][50579] -> [.17.253.105.202][..443] + detection-update: [....23] [ip4][..tcp] [...192.168.2.17][50576] -> [...95.101.25.53][..443] [TLS.Apple][Unknown][Web][Safe][gspe35-ssl.ls.apple.com] + new: [....28] [ip4][..udp] [...192.168.2.17][52852] -> [....192.168.2.1][...53] + detected: [....28] [ip4][..udp] [...192.168.2.17][52852] -> [....192.168.2.1][...53] [DNS.AppleiCloud][Unknown][Network][Acceptable][gateway.icloud.com] + detected: [....25] [ip4][..tcp] [...192.168.2.17][49152] -> [.17.253.105.202][...80] [HTTP.Apple][Apple][ConnCheck][Safe][captive.apple.com] + detected: [....24] [ip4][..tcp] [...192.168.2.17][50577] -> [....17.130.2.46][..443] [TLS.Apple][Apple][Web][Safe][gsp85-ssl.ls.apple.com] + detected: [....27] [ip4][..tcp] [...192.168.2.17][50579] -> [.17.253.105.202][..443] [TLS.Apple][Apple][Web][Safe][mesu.apple.com] + detected: [....26] [ip4][..tcp] [...192.168.2.17][50578] -> [.17.253.105.202][..443] [TLS.Apple][Apple][Web][Safe][mesu.apple.com] + detection-update: [....20] [ip4][..tcp] [...192.168.2.17][50575] -> [.17.248.185.140][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][p26-fmfmobile.icloud.com] + detection-update: [....20] [ip4][..tcp] [...192.168.2.17][50575] -> [.17.248.185.140][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][p26-fmfmobile.icloud.com] + detection-update: [....28] [ip4][..udp] [...192.168.2.17][52852] -> [....192.168.2.1][...53] [DNS.AppleiCloud][Unknown][Network][Acceptable][gateway.icloud.com] + detection-update: [....27] [ip4][..tcp] [...192.168.2.17][50579] -> [.17.253.105.202][..443] [TLS.Apple][Apple][Web][Safe][mesu.apple.com] + new: [....29] [ip4][..tcp] [...192.168.2.17][50580] -> [..17.248.176.75][..443] + detection-update: [....26] [ip4][..tcp] [...192.168.2.17][50578] -> [.17.253.105.202][..443] [TLS.Apple][Apple][Web][Safe][mesu.apple.com] + detection-update: [....24] [ip4][..tcp] [...192.168.2.17][50577] -> [....17.130.2.46][..443] [TLS.Apple][Apple][Web][Safe][gsp85-ssl.ls.apple.com] + detection-update: [....24] [ip4][..tcp] [...192.168.2.17][50577] -> [....17.130.2.46][..443] [TLS.Apple][Apple][Web][Safe][gsp85-ssl.ls.apple.com] + new: [....30] [ip4][..udp] [...192.168.2.17][52682] -> [....192.168.2.1][...53] + detected: [....30] [ip4][..udp] [...192.168.2.17][52682] -> [....192.168.2.1][...53] [DNS.AppleiCloud][Unknown][Network][Acceptable][www.icloud.com] + new: [....31] [ip4][..udp] [...192.168.2.17][64203] -> [....192.168.2.1][...53] + detected: [....31] [ip4][..udp] [...192.168.2.17][64203] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][basejumper.apple.com] + new: [....32] [ip4][..udp] [...192.168.2.17][53317] -> [....192.168.2.1][...53] + detected: [....32] [ip4][..udp] [...192.168.2.17][53317] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][iphone-ld.apple.com] + new: [....33] [ip4][..udp] [...192.168.2.17][62526] -> [....192.168.2.1][...53] + detected: [....33] [ip4][..udp] [...192.168.2.17][62526] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][cl4.apple.com] + new: [....34] [ip4][..udp] [...192.168.2.17][63377] -> [....192.168.2.1][...53] + detected: [....34] [ip4][..udp] [...192.168.2.17][63377] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][bag.itunes.apple.com] + new: [....35] [ip4][..udp] [...192.168.2.17][53272] -> [....192.168.2.1][...53] + detected: [....35] [ip4][..udp] [...192.168.2.17][53272] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][play.itunes.apple.com] + new: [....36] [ip4][..udp] [...192.168.2.17][53983] -> [....192.168.2.1][...53] + detected: [....36] [ip4][..udp] [...192.168.2.17][53983] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][bag.itunes.apple.com] + new: [....37] [ip4][..udp] [...192.168.2.17][49880] -> [....192.168.2.1][...53] + detected: [....37] [ip4][..udp] [...192.168.2.17][49880] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][init.itunes.apple.com] + new: [....38] [ip4][..tcp] [...192.168.2.17][50581] -> [..17.248.185.87][..443] + detected: [....29] [ip4][..tcp] [...192.168.2.17][50580] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][gateway.icloud.com] + detection-update: [....30] [ip4][..udp] [...192.168.2.17][52682] -> [....192.168.2.1][...53] [DNS.AppleiCloud][Unknown][Network][Acceptable][www.icloud.com] + detection-update: [....32] [ip4][..udp] [...192.168.2.17][53317] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][iphone-ld.apple.com] + detection-update: [....31] [ip4][..udp] [...192.168.2.17][64203] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][basejumper.apple.com] + detection-update: [....34] [ip4][..udp] [...192.168.2.17][63377] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][bag.itunes.apple.com] + detection-update: [....36] [ip4][..udp] [...192.168.2.17][53983] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][bag.itunes.apple.com] + detection-update: [....29] [ip4][..tcp] [...192.168.2.17][50580] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][gateway.icloud.com] + detection-update: [....37] [ip4][..udp] [...192.168.2.17][49880] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][init.itunes.apple.com] + detection-update: [....35] [ip4][..udp] [...192.168.2.17][53272] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][play.itunes.apple.com] + detection-update: [....33] [ip4][..udp] [...192.168.2.17][62526] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][cl4.apple.com] + new: [....39] [ip4][..tcp] [...192.168.2.17][50582] -> [..92.122.252.82][..443] + detection-update: [....29] [ip4][..tcp] [...192.168.2.17][50580] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][gateway.icloud.com] + new: [....40] [ip4][.icmp] [...192.168.2.17] -> [....192.168.2.1] + detected: [....40] [ip4][.icmp] [...192.168.2.17] -> [....192.168.2.1] [ICMP][Unknown][Network][Acceptable] + new: [....41] [ip4][..tcp] [...192.168.2.17][50583] -> [...104.73.61.30][..443] + detected: [....39] [ip4][..tcp] [...192.168.2.17][50582] -> [..92.122.252.82][..443] [TLS.Apple][Unknown][Web][Safe][iphone-ld.apple.com] + detected: [....38] [ip4][..tcp] [...192.168.2.17][50581] -> [..17.248.185.87][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][p26-keyvalueservice.icloud.com] + detection-update: [....39] [ip4][..tcp] [...192.168.2.17][50582] -> [..92.122.252.82][..443] [TLS.Apple][Unknown][Web][Safe][iphone-ld.apple.com] + detected: [....41] [ip4][..tcp] [...192.168.2.17][50583] -> [...104.73.61.30][..443] [TLS.Apple][Unknown][Web][Safe][cl4.apple.com] + detection-update: [....41] [ip4][..tcp] [...192.168.2.17][50583] -> [...104.73.61.30][..443] [TLS.Apple][Unknown][Web][Safe][cl4.apple.com] + detection-update: [....38] [ip4][..tcp] [...192.168.2.17][50581] -> [..17.248.185.87][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][p26-keyvalueservice.icloud.com] + detection-update: [....38] [ip4][..tcp] [...192.168.2.17][50581] -> [..17.248.185.87][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][p26-keyvalueservice.icloud.com] + new: [....42] [ip4][....2] [...192.168.2.17] -> [.....224.0.0.22] + detected: [....42] [ip4][....2] [...192.168.2.17] -> [.....224.0.0.22] [IGMP][Unknown][Network][Acceptable] + new: [....43] [ip4][..udp] [...192.168.2.17][62160] -> [....192.168.2.1][...53] + detected: [....43] [ip4][..udp] [...192.168.2.17][62160] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][gsa.apple.com] + new: [....44] [ip4][..udp] [...192.168.2.17][52031] -> [....192.168.2.1][...53] + detected: [....44] [ip4][..udp] [...192.168.2.17][52031] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][gsa.apple.com] + detection-update: [....43] [ip4][..udp] [...192.168.2.17][62160] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][gsa.apple.com] + detection-update: [....44] [ip4][..udp] [...192.168.2.17][52031] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][gsa.apple.com] + new: [....45] [ip4][..tcp] [...192.168.2.17][50584] -> [..17.248.176.75][..443] + detected: [....45] [ip4][..tcp] [...192.168.2.17][50584] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][gateway.icloud.com] + detection-update: [....45] [ip4][..tcp] [...192.168.2.17][50584] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][gateway.icloud.com] + detection-update: [....45] [ip4][..tcp] [...192.168.2.17][50584] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][gateway.icloud.com] + new: [....46] [ip4][..tcp] [...192.168.2.17][50585] -> [..17.137.166.35][..443] + detected: [....46] [ip4][..tcp] [...192.168.2.17][50585] -> [..17.137.166.35][..443] [TLS.Apple][Apple][Web][Safe][gsa.apple.com] + new: [....47] [ip4][..tcp] [...192.168.2.17][50586] -> [..17.248.176.75][..443] + detected: [....47] [ip4][..tcp] [...192.168.2.17][50586] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][gateway.icloud.com] + detection-update: [....46] [ip4][..tcp] [...192.168.2.17][50585] -> [..17.137.166.35][..443] [TLS.Apple][Apple][Web][Safe][gsa.apple.com] + detection-update: [....46] [ip4][..tcp] [...192.168.2.17][50585] -> [..17.137.166.35][..443] [TLS.Apple][Apple][Web][Safe][gsa.apple.com] + detection-update: [....47] [ip4][..tcp] [...192.168.2.17][50586] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][gateway.icloud.com] + detection-update: [....47] [ip4][..tcp] [...192.168.2.17][50586] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][gateway.icloud.com] + new: [....48] [ip4][..udp] [...192.168.2.17][65079] -> [....192.168.2.1][...53] + detected: [....48] [ip4][..udp] [...192.168.2.17][65079] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][play.itunes.apple.com] + detection-update: [....48] [ip4][..udp] [...192.168.2.17][65079] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][play.itunes.apple.com] + analyse: [....29] [ip4][..tcp] [...192.168.2.17][50580] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.686| 0.087| 0.170| 29013.449| 3.100] + [PKTLEN......: 52.000| 1492.000| 310.700| 443.900| 197074.700| 3.900] + [BINS(c->s)..: 8,4,1,0,1,0,0,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 6,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,1,0] + [IATS(ms)....: 34.0,135.8,0.2,135.5,2.1,0.2,8.7,0.0,162.5,0.9,167.4,319.4,0.0,34.7,0.1,651.1,0.6,0.0,0.1,0.1,0.0,0.1,0.2,686.2,0.0,1.2,0.0,33.7,32.5,122.6,156.5] + [PKTLENS.....: 64,60,52,569,52,1492,1492,1492,566,52,52,145,103,121,52,52,105,102,94,1076,424,90,186,424,52,90,52,52,52,52,623,52] + [ENTROPIES...: 4.4,5.0,5.0,4.5,4.9,6.7,7.5,7.5,7.3,4.9,4.9,6.0,5.5,6.0,5.0,4.9,5.7,5.6,5.5,7.8,7.4,5.3,6.6,7.4,4.9,5.4,5.0,5.0,4.9,5.1,7.7,5.0] + new: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] + detected: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun][play.itunes.apple.com] + detection-update: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun][play.itunes.apple.com] + analyse: [....45] [ip4][..tcp] [...192.168.2.17][50584] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.655| 0.067| 0.146| 21410.738| 2.900] + [PKTLEN......: 40.000| 1492.000| 299.400| 449.800| 202280.400| 3.800] + [BINS(c->s)..: 9,5,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 6,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,0,0,1] + [IATS(ms)....: 34.1,36.1,0.1,34.7,1.6,0.1,2.3,0.1,140.2,0.4,7.3,143.3,0.0,33.9,0.1,1.5,0.0,0.0,0.3,0.4,0.0,0.1,34.9,0.0,1.2,0.0,128.2,155.2,168.0,510.7,654.8] + [PKTLENS.....: 64,60,52,569,52,1492,1492,1492,566,52,52,145,103,121,52,52,105,102,94,1070,90,436,90,52,90,52,52,52,736,52,40,52] + [ENTROPIES...: 4.4,5.2,5.1,4.5,5.1,6.7,7.5,7.5,7.3,4.9,5.0,6.0,5.7,6.0,5.0,5.0,5.7,5.8,5.5,7.8,5.5,7.4,5.5,4.9,5.5,5.0,5.0,4.9,7.7,5.0,4.5,5.1] + analyse: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.147| 0.026| 0.045| 1989.449| 3.200] + [PKTLEN......: 52.000| 1492.000| 322.100| 461.100| 212650.100| 3.900] + [BINS(c->s)..: 10,3,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] + [BINS(s->c)..: 6,1,1,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,2,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,0,0,1,1,0,1] + [IATS(ms)....: 33.3,146.1,0.1,147.3,1.4,0.2,0.1,0.0,38.6,0.0,0.1,10.9,46.9,12.5,120.2,0.0,0.0,0.2,1.1,0.1,1.5,0.5,107.4,0.0,1.2,31.0,0.5,3.7,0.0,4.5,82.6] + [PKTLENS.....: 64,60,52,569,52,1492,1492,1268,442,52,52,52,132,339,339,98,95,87,1492,552,818,52,52,52,122,52,52,83,52,87,52,52] + [ENTROPIES...: 4.5,5.3,5.1,4.5,5.2,7.8,7.9,7.8,7.5,5.1,5.2,5.1,6.2,7.4,7.3,6.1,6.0,5.9,7.9,7.6,7.7,5.2,5.2,5.1,6.2,5.1,5.1,5.8,5.1,5.9,5.1,5.1] + analyse: [....38] [ip4][..tcp] [...192.168.2.17][50581] -> [..17.248.185.87][..443] [TLS.AppleiCloud][Apple][Web][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.804| 0.109| 0.185| 34306.707| 3.400] + [PKTLEN......: 52.000| 1492.000| 721.000| 667.300| 445284.800| 4.300] + [BINS(c->s)..: 8,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,7,0,0] + [BINS(s->c)..: 5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,4,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,1,0,0,0,1,1,0,0,0,0,0,1,1,0,0,0,0] + [IATS(ms)....: 146.0,171.0,0.4,171.3,2.7,0.1,11.1,1.3,11.2,179.7,0.0,0.1,0.1,15.6,168.2,146.4,161.4,0.7,308.7,51.5,198.2,655.7,0.2,0.2,0.3,803.5,1.3,180.3,0.3,0.3,0.2] + [PKTLENS.....: 64,60,52,569,52,1492,1492,1492,1492,1474,52,52,52,52,145,103,52,1169,344,52,996,52,1164,1492,1492,1492,52,52,1492,1492,1492,1492] + [ENTROPIES...: 4.4,5.0,4.9,4.7,5.0,6.2,4.6,7.1,7.5,7.5,4.9,4.9,4.9,4.8,6.0,5.6,5.0,7.8,7.2,5.1,7.8,4.9,7.8,7.9,7.9,7.9,5.0,5.0,7.9,7.9,7.9,7.8] + new: [....50] [ip4][..udp] [...192.168.2.17][63677] -> [....192.168.2.1][...53] + detected: [....50] [ip4][..udp] [...192.168.2.17][63677] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][sync.itunes.apple.com] + detection-update: [....50] [ip4][..udp] [...192.168.2.17][63677] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][sync.itunes.apple.com] + new: [....51] [ip4][..tcp] [...192.168.2.17][50588] -> [...95.101.24.53][..443] + detected: [....51] [ip4][..tcp] [...192.168.2.17][50588] -> [...95.101.24.53][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun][sync.itunes.apple.com] + detection-update: [....51] [ip4][..tcp] [...192.168.2.17][50588] -> [...95.101.24.53][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun][sync.itunes.apple.com] + idle: [....20] [ip4][..tcp] [...192.168.2.17][50575] -> [.17.248.185.140][..443] [TLS.AppleiCloud][Apple][Web][Acceptable] + idle: [....29] [ip4][..tcp] [...192.168.2.17][50580] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][gateway.icloud.com] + idle: [....38] [ip4][..tcp] [...192.168.2.17][50581] -> [..17.248.185.87][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][p26-keyvalueservice.icloud.com] + idle: [....45] [ip4][..tcp] [...192.168.2.17][50584] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][gateway.icloud.com] + idle: [....47] [ip4][..tcp] [...192.168.2.17][50586] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable] + idle: [....28] [ip4][..udp] [...192.168.2.17][52852] -> [....192.168.2.1][...53] [DNS.AppleiCloud][Unknown][Network][Acceptable][gateway.icloud.com] + idle: [....16] [ip4][..udp] [...192.168.2.17][63143] -> [....192.168.2.1][...53] [DNS.AppleiCloud][Unknown][Network][Acceptable][p26-fmfmobile.icloud.com] + idle: [.....2] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable][lucas-imac] + idle: [....13] [ip6][..udp] [...............fe80::823:3f17:8298:a29c][.5353] -> [...............................ff02::fb][.5353] [MDNS][Unknown][Network][Acceptable] + idle: [.....9] [ip4][..udp] [....192.168.2.1][51411] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + idle: [....19] [ip4][..udp] [...192.168.2.17][51007] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][captive.apple.com] + idle: [....46] [ip4][..tcp] [...192.168.2.17][50585] -> [..17.137.166.35][..443] [TLS.Apple][Apple][Web][Safe] + idle: [....34] [ip4][..udp] [...192.168.2.17][63377] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][bag.itunes.apple.com] + idle: [....15] [ip4][..udp] [...192.168.2.17][63381] -> [....192.168.2.1][...53] [DNS.AppleiCloud][Unknown][Network][Acceptable][p26-keyvalueservice.icloud.com] + idle: [.....5] [ip4][..udp] [169.254.225.216][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable][lucas imac._odisk._tcp.local] + idle: [....41] [ip4][..tcp] [...192.168.2.17][50583] -> [...104.73.61.30][..443] [TLS.Apple][Unknown][Web][Safe] + idle: [....40] [ip4][.icmp] [...192.168.2.17] -> [....192.168.2.1] [ICMP][Unknown][Network][Acceptable] + idle: [....42] [ip4][....2] [...192.168.2.17] -> [.....224.0.0.22] [IGMP][Unknown][Network][Acceptable] + idle: [....35] [ip4][..udp] [...192.168.2.17][53272] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][play.itunes.apple.com] + idle: [....32] [ip4][..udp] [...192.168.2.17][53317] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][iphone-ld.apple.com] + idle: [....10] [ip4][..udp] [....192.168.2.1][...67] -> [...192.168.2.17][...68] [DHCP][Unknown][Network][Acceptable] + idle: [....24] [ip4][..tcp] [...192.168.2.17][50577] -> [....17.130.2.46][..443] [TLS.Apple][Apple][Web][Safe] + idle: [.....1] [ip4][..udp] [....192.168.2.1][17500] -> [..192.168.2.255][17500] [Dropbox][Unknown][Cloud][Acceptable] + idle: [....21] [ip4][..udp] [...192.168.2.17][55457] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][mesu.apple.com] + idle: [....39] [ip4][..tcp] [...192.168.2.17][50582] -> [..92.122.252.82][..443] [TLS.Apple][Unknown][Web][Safe] + idle: [....50] [ip4][..udp] [...192.168.2.17][63677] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][sync.itunes.apple.com] + idle: [.....8] [ip4][..udp] [169.254.225.216][60538] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + idle: [.....4] [ip6][..udp] [...............fe80::c42c:3ff:fe60:6a64][.5353] -> [...............................ff02::fb][.5353] [MDNS][Unknown][Network][Acceptable][lucas imac._odisk._tcp.local] + idle: [....11] [ip6][icmp6] [.....................................::] -> [......................ff02::1:ff98:a29c] [ICMPV6][Unknown][Network][Acceptable] + idle: [....17] [ip4][..udp] [...192.168.2.17][61862] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][gspe35-ssl.ls.apple.com] + idle: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun][play.itunes.apple.com] + not-detected: [.....7] [ip4][..udp] [....192.168.2.1][.5351] -> [......224.0.0.1][.5350] [Unknown][Unknown][Unrated] + idle: [.....7] [ip4][..udp] [....192.168.2.1][.5351] -> [......224.0.0.1][.5350] + idle: [....22] [ip4][..udp] [...192.168.2.17][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable] + idle: [.....3] [ip4][..udp] [....192.168.2.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable][lucas imac._odisk._tcp.local] + idle: [.....6] [ip4][..udp] [....192.168.2.1][57621] -> [..192.168.2.255][57621] [Spotify][Unknown][Music][Fun] + idle: [....18] [ip4][..udp] [...192.168.2.17][55914] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][gsp85-ssl.ls.apple.com] + idle: [....31] [ip4][..udp] [...192.168.2.17][64203] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][basejumper.apple.com] + idle: [....43] [ip4][..udp] [...192.168.2.17][62160] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][gsa.apple.com] + idle: [....37] [ip4][..udp] [...192.168.2.17][49880] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][init.itunes.apple.com] + idle: [....36] [ip4][..udp] [...192.168.2.17][53983] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][bag.itunes.apple.com] + idle: [....44] [ip4][..udp] [...192.168.2.17][52031] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][gsa.apple.com] + end: [....26] [ip4][..tcp] [...192.168.2.17][50578] -> [.17.253.105.202][..443] [TLS.Apple][Apple][Web][Safe] + end: [....27] [ip4][..tcp] [...192.168.2.17][50579] -> [.17.253.105.202][..443] [TLS.Apple][Apple][Web][Safe] + idle: [....23] [ip4][..tcp] [...192.168.2.17][50576] -> [...95.101.25.53][..443] [TLS.Apple][Unknown][Web][Safe] + idle: [....51] [ip4][..tcp] [...192.168.2.17][50588] -> [...95.101.24.53][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun] + idle: [....33] [ip4][..udp] [...192.168.2.17][62526] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][cl4.apple.com] + end: [....25] [ip4][..tcp] [...192.168.2.17][49152] -> [.17.253.105.202][...80] [HTTP.Apple][Apple][ConnCheck][Safe][captive.apple.com] + idle: [....14] [ip6][icmp6] [...............fe80::823:3f17:8298:a29c] -> [...............................ff02::16] [ICMPV6][Unknown][Network][Acceptable] + idle: [....12] [ip6][icmp6] [...............fe80::823:3f17:8298:a29c] -> [................................ff02::2] [ICMPV6][Unknown][Network][Acceptable] + idle: [....30] [ip4][..udp] [...192.168.2.17][52682] -> [....192.168.2.1][...53] [DNS.AppleiCloud][Unknown][Network][Acceptable][www.icloud.com] + idle: [....48] [ip4][..udp] [...192.168.2.17][65079] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][play.itunes.apple.com] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/enable_payload_stat/1kxun.pcap.out b/test/results/flow-info/enable_payload_stat/1kxun.pcap.out index f5971556d..94ef6dc6b 100644 --- a/test/results/flow-info/enable_payload_stat/1kxun.pcap.out +++ b/test/results/flow-info/enable_payload_stat/1kxun.pcap.out @@ -529,13 +529,13 @@ idle: [....25] [ip4][..tcp] [..192.168.115.8][49598] -> [.222.73.254.167][...80] [HTTP.1kxun][Unknown][Streaming][Fun][kankan.1kxun.com] guessed: [....17] [ip4][..tcp] [...192.168.5.16][53622] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] end: [....17] [ip4][..tcp] [...192.168.5.16][53622] -> [.192.168.115.75][..443] - end: [....45] [ip4][..tcp] [...192.168.5.16][53623] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + end: [....45] [ip4][..tcp] [...192.168.5.16][53623] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS - end: [....87] [ip4][..tcp] [...192.168.5.16][53625] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + end: [....87] [ip4][..tcp] [...192.168.5.16][53625] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS - end: [...107] [ip4][..tcp] [...192.168.5.16][53626] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + end: [...107] [ip4][..tcp] [...192.168.5.16][53626] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS - end: [...117] [ip4][..tcp] [...192.168.5.16][53629] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + end: [...117] [ip4][..tcp] [...192.168.5.16][53629] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS idle: [.....6] [ip4][..udp] [...192.168.5.50][64674] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] not-detected: [....65] [ip4][..udp] [192.168.140.140][62976] -> [255.255.255.255][62976] [Unknown][Unknown][Unrated] diff --git a/test/results/flow-info/fpc_disabled/teams.pcap.out b/test/results/flow-info/fpc_disabled/teams.pcap.out index 9161d6afb..257fc16da 100644 --- a/test/results/flow-info/fpc_disabled/teams.pcap.out +++ b/test/results/flow-info/fpc_disabled/teams.pcap.out @@ -34,7 +34,6 @@ ERROR-EVENT: Unknown packet type [7/16] new: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] detected: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] - detection-update: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] analyse: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.221| 0.032| 0.054| 2931.592| 3.400] @@ -51,7 +50,7 @@ new: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] detected: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com] detection-update: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com] - analyse: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + analyse: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.050| 0.018| 0.021| 449.200| 3.900] [PKTLEN......: 52.000| 1492.000| 680.600| 673.100| 453031.800| 4.200] @@ -101,15 +100,12 @@ new: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] detected: [....18] [ip4][..tcp] [....192.168.1.6][60538] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] detected: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] - detection-update: [....18] [ip4][..tcp] [....192.168.1.6][60538] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] - detection-update: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] new: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] new: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] detected: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] detected: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] new: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] detected: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][config.teams.microsoft.com] - detection-update: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] detection-update: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] detection-update: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][config.teams.microsoft.com] new: [....23] [ip4][..tcp] [....192.168.1.6][60542] -> [.52.113.194.132][..443] @@ -123,7 +119,6 @@ detected: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS detected: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443] [TLS.Teams][Azure][Collaborative][Safe][northeurope.notifications.teams.microsoft.com] - detection-update: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443] [TLS.Teams][Azure][Collaborative][Safe][northeurope.notifications.teams.microsoft.com] detection-update: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS ERROR-EVENT: Unknown packet type [16/16] @@ -134,7 +129,6 @@ new: [....29] [ip4][..tcp] [.162.125.19.131][..443] -> [....192.168.1.6][60344] [MIDSTREAM] detected: [....29] [ip4][..tcp] [.162.125.19.131][..443] -> [....192.168.1.6][60344] [TLS][Dropbox][Web][Safe] detected: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Azure][Collaborative][Safe][presence.teams.microsoft.com] - detection-update: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Azure][Collaborative][Safe][presence.teams.microsoft.com] analyse: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.153| 0.028| 0.040| 1626.047| 3.600] @@ -170,7 +164,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [....33] [ip4][..tcp] [....192.168.1.6][60548] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - analyse: [....32] [ip4][..tcp] [....192.168.1.6][60547] -> [...52.114.88.59][..443] [TLS.Teams][Azure][Collaborative][Safe][chatsvcagg.teams.microsoft.com] + analyse: [....32] [ip4][..tcp] [....192.168.1.6][60547] -> [...52.114.88.59][..443] [TLS.Teams][Azure][Collaborative][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.115| 0.021| 0.031| 968.681| 3.500] [PKTLEN......: 52.000| 1492.000| 377.200| 521.700| 272149.200| 3.900] @@ -241,7 +235,6 @@ detected: [....46] [ip4][..tcp] [....192.168.1.6][60556] -> [.....40.126.9.7][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] detected: [....45] [ip4][..tcp] [....192.168.1.6][60555] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - detection-update: [....46] [ip4][..tcp] [....192.168.1.6][60556] -> [.....40.126.9.7][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] detection-update: [....42] [ip4][..tcp] [....192.168.1.6][60552] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS detection-update: [....45] [ip4][..tcp] [....192.168.1.6][60555] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] @@ -266,8 +259,6 @@ new: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] detected: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - detection-update: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS analyse: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.053| 0.020| 0.022| 492.470| 3.900] @@ -293,7 +284,7 @@ detected: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][api.microsoftstream.com] detection-update: [....51] [ip4][..tcp] [....192.168.1.6][60561] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - analyse: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][api.microsoftstream.com] + analyse: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.126| 0.019| 0.032| 1006.354| 3.400] [PKTLEN......: 52.000| 1492.000| 345.200| 499.900| 249913.200| 3.900] @@ -323,13 +314,11 @@ detection-update: [....56] [ip4][..udp] [....192.168.1.6][63930] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe][dc.applicationinsights.microsoft.com] new: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] detected: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] - detection-update: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] new: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] detected: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][emea.ng.msg.teams-msgapi.trafficmanager.net] detection-update: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][emea.ng.msg.teams-msgapi.trafficmanager.net] new: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] detected: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe][emea.ng.msg.teams.microsoft.com] - detection-update: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe][emea.ng.msg.teams.microsoft.com] analyse: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe][emea.ng.msg.teams.microsoft.com] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.277| 0.019| 0.049| 2449.644| 2.900] @@ -370,8 +359,6 @@ new: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] new: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] detected: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] - detection-update: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS new: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] detected: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] detected: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com] @@ -380,8 +367,6 @@ detected: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] new: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] detected: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] - detection-update: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS detection-update: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] detection-update: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] new: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443] @@ -400,8 +385,6 @@ detection-update: [....75] [ip4][..udp] [....192.168.1.6][60837] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][c-flightproxy-euno-01-teams.cloudapp.net] detected: [....74] [ip4][..tcp] [....192.168.1.6][60567] -> [..52.114.77.136][..443] [TLS.Teams][Azure][Collaborative][Safe][api.flightproxy.teams.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - detection-update: [....74] [ip4][..tcp] [....192.168.1.6][60567] -> [..52.114.77.136][..443] [TLS.Teams][Azure][Collaborative][Safe][api.flightproxy.teams.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS new: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] detected: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable][] RISK: Known Proto on Non Std Port @@ -442,7 +425,6 @@ RISK: Known Proto on Non Std Port, Unidirectional Traffic new: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] detected: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] - detection-update: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] new: [....83] [ip4][.icmp] [..93.71.110.205] -> [....192.168.1.6] detected: [....83] [ip4][.icmp] [..93.71.110.205] -> [....192.168.1.6] [ICMP][Unknown][Network][Acceptable] analyse: [....78] [ip4][..udp] [..93.71.110.205][16332] -> [....192.168.1.6][50016] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] @@ -473,7 +455,7 @@ RISK: TLS (probably) Not Carrying HTTPS idle: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] RISK: Known Proto on Non Std Port, Unidirectional Traffic - idle: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][euno-1.api.microsoftstream.com] + idle: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable] idle: [....17] [ip4][..udp] [....192.168.1.6][63106] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][eu-prod.asyncgw.teams.microsoft.com] idle: [....77] [ip4][..udp] [....192.168.1.6][50036] -> [....192.168.0.4][50020] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] RISK: Known Proto on Non Std Port, Unidirectional Traffic @@ -521,10 +503,10 @@ idle: [....34] [ip4][..udp] [....192.168.1.6][59403] -> [....192.168.1.1][...53] [DNS.Microsoft365][Unknown][Network][Acceptable][substrate.office.com] idle: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Outlook][Collaborative][Acceptable][substrate.office.com] idle: [....44] [ip4][..udp] [....192.168.1.6][51309] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][skypedataprdcolneu04.cloudapp.net] - end: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org] + end: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe] RISK: Known Proto on Non Std Port idle: [....12] [ip4][..udp] [....192.168.1.6][17500] -> [..192.168.1.255][17500] [Dropbox][Unknown][Cloud][Acceptable] - idle: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org] + idle: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe] RISK: Known Proto on Non Std Port idle: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][chatsvcagg.svcs.teams.office.com] guessed: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478] [Skype_TeamsCall][Azure][VoIP][Acceptable] diff --git a/test/results/flow-info/guess_ip_before_port_enabled/1kxun.pcap.out b/test/results/flow-info/guess_ip_before_port_enabled/1kxun.pcap.out new file mode 100644 index 000000000..94ef6dc6b --- /dev/null +++ b/test/results/flow-info/guess_ip_before_port_enabled/1kxun.pcap.out @@ -0,0 +1,886 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..udp] [...192.168.5.44][59571] -> [....224.0.0.252][.5355] + detected: [.....1] [ip4][..udp] [...192.168.5.44][59571] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [.....2] [ip4][..udp] [...192.168.5.57][55809] -> [239.255.255.250][.1900] + detected: [.....2] [ip4][..udp] [...192.168.5.57][55809] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + new: [.....3] [ip4][..udp] [...192.168.5.44][51389] -> [239.255.255.250][.1900] + detected: [.....3] [ip4][..udp] [...192.168.5.44][51389] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + new: [.....4] [ip4][..udp] [..192.168.119.1][...67] -> [255.255.255.255][...68] + detected: [.....4] [ip4][..udp] [..192.168.119.1][...67] -> [255.255.255.255][...68] [DHCP][Unknown][Network][Acceptable][] + new: [.....5] [ip4][..tcp] [...192.168.5.16][53605] -> [.68.233.253.133][...80] [MIDSTREAM] + new: [.....6] [ip4][..udp] [...192.168.5.50][64674] -> [239.255.255.250][.1900] + detected: [.....6] [ip4][..udp] [...192.168.5.50][64674] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + new: [.....7] [ip4][..udp] [...192.168.5.41][55312] -> [239.255.255.250][.1900] + detected: [.....7] [ip4][..udp] [...192.168.5.41][55312] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + new: [.....8] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] + detected: [.....8] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable][shen] + new: [.....9] [ip6][..udp] [...............fe80::406:55a8:6453:25dd][..546] -> [..............................ff02::1:2][..547] + detected: [.....9] [ip6][..udp] [...............fe80::406:55a8:6453:25dd][..546] -> [..............................ff02::1:2][..547] [DHCPV6][Unknown][Network][Acceptable] + new: [....10] [ip6][..udp] [..............fe80::edf5:240a:c8c0:8312][61603] -> [..............................ff02::1:3][.5355] + detected: [....10] [ip6][..udp] [..............fe80::edf5:240a:c8c0:8312][61603] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [....11] [ip4][..udp] [...192.168.5.47][61603] -> [....224.0.0.252][.5355] + detected: [....11] [ip4][..udp] [...192.168.5.47][61603] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [....12] [ip4][..udp] [...192.168.5.47][60267] -> [239.255.255.250][.1900] + detected: [....12] [ip4][..udp] [...192.168.5.47][60267] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + new: [....13] [ip4][..udp] [..192.168.115.8][51458] -> [....224.0.0.252][.5355] + detected: [....13] [ip4][..udp] [..192.168.115.8][51458] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [....14] [ip4][..udp] [..192.168.115.8][51024] -> [........8.8.8.8][...53] + detected: [....14] [ip4][..udp] [..192.168.115.8][51024] -> [........8.8.8.8][...53] [DNS.1kxun][Google][Network][Fun][jp.kankan.1kxun.mobi] + detection-update: [....14] [ip4][..udp] [..192.168.115.8][51024] -> [........8.8.8.8][...53] [DNS.1kxun][Google][Network][Fun][jp.kankan.1kxun.mobi] + RISK: Unidirectional Traffic + detection-update: [....14] [ip4][..udp] [..192.168.115.8][51024] -> [........8.8.8.8][...53] [DNS.1kxun][Google][Network][Fun][jp.kankan.1kxun.mobi] + new: [....15] [ip4][..tcp] [..192.168.115.8][49597] -> [.106.185.35.110][...80] + detected: [....15] [ip4][..tcp] [..192.168.115.8][49597] -> [.106.185.35.110][...80] [HTTP.1kxun][Unknown][Streaming][Fun][jp.kankan.1kxun.mobi] + new: [....16] [ip4][..udp] [..192.168.115.8][52723] -> [........8.8.8.8][...53] + detected: [....16] [ip4][..udp] [..192.168.115.8][52723] -> [........8.8.8.8][...53] [DNS.1kxun][Google][Network][Fun][kankan.1kxun.com] + detection-update: [....16] [ip4][..udp] [..192.168.115.8][52723] -> [........8.8.8.8][...53] [DNS.1kxun][Google][Network][Fun][kankan.1kxun.com] + RISK: Unidirectional Traffic + new: [....17] [ip4][..tcp] [...192.168.5.16][53622] -> [.192.168.115.75][..443] [MIDSTREAM] + new: [....18] [ip4][..udp] [..192.168.115.8][..137] -> [192.168.255.255][..137] + detected: [....18] [ip4][..udp] [..192.168.115.8][..137] -> [192.168.255.255][..137] [NetBIOS][Unknown][System][Acceptable][wpad] + new: [....19] [ip6][..udp] [..............fe80::e98f:bae2:19f7:6b0f][58779] -> [..............................ff02::1:3][.5355] + detected: [....19] [ip6][..udp] [..............fe80::e98f:bae2:19f7:6b0f][58779] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable] + RISK: Non-Printable/Invalid Chars Detected + new: [....20] [ip4][..udp] [...192.168.3.95][58779] -> [....224.0.0.252][.5355] + detected: [....20] [ip4][..udp] [...192.168.3.95][58779] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + RISK: Non-Printable/Invalid Chars Detected + new: [....21] [ip4][..udp] [...192.168.3.95][59468] -> [239.255.255.250][.1900] + detected: [....21] [ip4][..udp] [...192.168.3.95][59468] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + new: [....22] [ip4][..udp] [.192.168.125.30][62976] -> [255.255.255.255][62976] + new: [....23] [ip6][..udp] [..2001:b030:214:100:c2a0:bbff:fe73:eb47][62976] -> [................................ff02::1][62976] + new: [....24] [ip4][..udp] [..192.168.115.8][52723] -> [.....168.95.1.1][...53] + detected: [....24] [ip4][..udp] [..192.168.115.8][52723] -> [.....168.95.1.1][...53] [DNS.1kxun][Unknown][Network][Fun][kankan.1kxun.com] + detection-update: [....24] [ip4][..udp] [..192.168.115.8][52723] -> [.....168.95.1.1][...53] [DNS.1kxun][Unknown][Network][Fun][kankan.1kxun.com] + RISK: Unidirectional Traffic + detection-update: [....24] [ip4][..udp] [..192.168.115.8][52723] -> [.....168.95.1.1][...53] [DNS.1kxun][Unknown][Network][Fun][kankan.1kxun.com] + new: [....25] [ip4][..tcp] [..192.168.115.8][49598] -> [.222.73.254.167][...80] + detection-update: [....16] [ip4][..udp] [..192.168.115.8][52723] -> [........8.8.8.8][...53] [DNS.1kxun][Google][Network][Fun][kankan.1kxun.com] + detected: [....25] [ip4][..tcp] [..192.168.115.8][49598] -> [.222.73.254.167][...80] [HTTP.1kxun][Unknown][Streaming][Fun][kankan.1kxun.com] + new: [....26] [ip4][..udp] [..192.168.115.8][60724] -> [........8.8.8.8][...53] + detected: [....26] [ip4][..udp] [..192.168.115.8][60724] -> [........8.8.8.8][...53] [DNS.1kxun][Google][Network][Fun][pic.1kxun.com] + detection-update: [....26] [ip4][..udp] [..192.168.115.8][60724] -> [........8.8.8.8][...53] [DNS.1kxun][Google][Network][Fun][pic.1kxun.com] + RISK: Unidirectional Traffic + detection-update: [....26] [ip4][..udp] [..192.168.115.8][60724] -> [........8.8.8.8][...53] [DNS.1kxun][Google][Network][Fun][pic.1kxun.com] + new: [....27] [ip4][..tcp] [..192.168.115.8][49599] -> [.106.187.35.246][...80] + new: [....28] [ip4][..tcp] [..192.168.115.8][49600] -> [.106.187.35.246][...80] + new: [....29] [ip4][..tcp] [..192.168.115.8][49601] -> [.106.187.35.246][...80] + new: [....30] [ip4][..tcp] [..192.168.115.8][49602] -> [.106.187.35.246][...80] + new: [....31] [ip4][..tcp] [..192.168.115.8][49603] -> [.106.187.35.246][...80] + new: [....32] [ip4][..tcp] [..192.168.115.8][49604] -> [.106.187.35.246][...80] + new: [....33] [ip6][..udp] [..............fe80::e98f:bae2:19f7:6b0f][54888] -> [..............................ff02::1:3][.5355] + detected: [....33] [ip6][..udp] [..............fe80::e98f:bae2:19f7:6b0f][54888] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable] + RISK: Non-Printable/Invalid Chars Detected + new: [....34] [ip4][..udp] [...192.168.3.95][54888] -> [....224.0.0.252][.5355] + detected: [....34] [ip4][..udp] [...192.168.3.95][54888] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + RISK: Non-Printable/Invalid Chars Detected + detected: [....28] [ip4][..tcp] [..192.168.115.8][49600] -> [.106.187.35.246][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + detected: [....27] [ip4][..tcp] [..192.168.115.8][49599] -> [.106.187.35.246][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + detected: [....32] [ip4][..tcp] [..192.168.115.8][49604] -> [.106.187.35.246][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + detected: [....29] [ip4][..tcp] [..192.168.115.8][49601] -> [.106.187.35.246][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + detected: [....30] [ip4][..tcp] [..192.168.115.8][49602] -> [.106.187.35.246][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + detected: [....31] [ip4][..tcp] [..192.168.115.8][49603] -> [.106.187.35.246][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + analyse: [....29] [ip4][..tcp] [..192.168.115.8][49601] -> [.106.187.35.246][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.056| 0.011| 0.020| 413.706| 3.100] + [PKTLEN......: 40.000| 1300.000| 821.900| 585.300| 342554.800| 4.500] + [BINS(c->s)..: 8,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,0,0,1,1,1,1,1,1] + [IATS(ms)....: 0.0,52.1,52.2,0.0,5.5,0.0,48.2,11.6,0.8,0.1,0.1,0.0,0.3,0.0,0.0,0.0,0.5,56.2,0.0,50.5,3.5,0.1,0.1,53.9,0.0,17.7,0.1,0.1,0.1,0.0,0.1] + [PKTLENS.....: 52,52,52,40,40,400,400,46,359,1300,1300,1300,1300,1300,1300,1300,1300,1300,40,40,1300,1300,1300,1300,40,40,1300,1300,1300,1300,1300,1300] + [ENTROPIES...: 4.5,4.5,5.0,4.8,4.8,5.8,5.8,4.2,5.6,7.5,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,4.7,4.7,7.8,7.8,7.8,7.8,4.7,4.7,7.8,7.8,7.8,7.8,7.9,7.8] + analyse: [....30] [ip4][..tcp] [..192.168.115.8][49602] -> [.106.187.35.246][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.066| 0.012| 0.024| 579.055| 2.800] + [PKTLEN......: 40.000| 1300.000| 743.100| 600.300| 360321.400| 4.400] + [BINS(c->s)..: 10,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,0,0,1,1,1,1,1,1,0,0] + [IATS(ms)....: 0.0,54.6,54.7,0.0,4.2,0.1,64.5,0.1,0.0,0.0,0.1,0.0,0.7,0.1,0.1,0.1,61.7,0.0,0.9,65.4,0.1,66.2,0.1,0.5,2.9,0.6,0.1,0.1,0.1,3.9,0.0] + [PKTLENS.....: 52,52,52,40,40,399,399,46,359,1300,1300,1300,1300,1300,1300,1300,1300,40,40,1300,1300,1300,40,40,1300,1300,1300,1300,1300,1300,40,40] + [ENTROPIES...: 4.5,4.5,5.0,4.7,4.7,5.8,5.8,4.4,5.6,7.5,7.8,7.8,7.8,7.8,7.8,7.8,7.8,4.8,4.8,7.8,7.8,7.8,4.8,4.8,7.8,7.8,7.8,7.8,7.8,7.8,4.8,4.8] + analyse: [....27] [ip4][..tcp] [..192.168.115.8][49599] -> [.106.187.35.246][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.067| 0.012| 0.023| 544.113| 2.900] + [PKTLEN......: 40.000| 1300.000| 743.200| 600.200| 360235.600| 4.400] + [BINS(c->s)..: 10,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,0,0,1,1,1,1,1,1,0,0,1,1,1,1,1,0,0,1,1,1,1] + [IATS(ms)....: 0.0,53.2,53.3,0.0,4.6,0.1,61.5,0.0,0.3,0.1,57.3,0.0,5.1,0.1,0.3,0.0,0.3,0.1,5.9,0.0,1.4,65.1,0.1,0.1,0.1,66.8,0.0,3.8,0.1,0.8,0.1] + [PKTLENS.....: 52,52,52,40,40,401,401,46,359,1300,1300,40,40,1300,1300,1300,1300,1300,1300,40,40,1300,1300,1300,1300,1300,40,40,1300,1300,1300,1300] + [ENTROPIES...: 4.5,4.5,5.0,4.8,4.8,5.8,5.8,4.3,5.6,7.5,7.8,4.7,4.7,7.8,7.8,7.8,7.8,7.8,7.8,4.7,4.7,7.8,7.8,7.8,7.8,7.8,4.8,4.8,7.8,7.8,7.8,7.8] + analyse: [....32] [ip4][..tcp] [..192.168.115.8][49604] -> [.106.187.35.246][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.096| 0.013| 0.026| 693.255| 2.700] + [PKTLEN......: 40.000| 1300.000| 833.000| 555.000| 308021.300| 4.600] + [BINS(c->s)..: 6,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0] + [IATS(ms)....: 0.0,50.7,50.8,0.0,5.7,0.0,60.3,0.1,0.1,0.1,0.0,0.1,0.7,0.0,0.0,0.1,0.3,56.3,0.0,72.3,0.1,0.0,0.1,0.2,0.1,0.1,0.1,0.3,0.0,96.5,0.1] + [PKTLENS.....: 52,52,52,40,40,400,400,46,359,1300,1300,1300,1300,1300,1300,1300,1300,1300,40,40,1300,1300,1300,1300,1300,1300,1300,1300,1300,918,409,409] + [ENTROPIES...: 4.5,4.5,5.0,4.9,4.9,5.8,5.8,4.4,5.7,7.5,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,4.8,4.8,7.8,7.8,7.8,7.8,7.8,7.9,7.8,7.9,7.8,7.7,5.8,5.8] + analyse: [....28] [ip4][..tcp] [..192.168.115.8][49600] -> [.106.187.35.246][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.142| 0.016| 0.032| 1046.271| 2.800] + [PKTLEN......: 40.000| 1300.000| 822.000| 585.200| 342449.500| 4.500] + [BINS(c->s)..: 8,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,0,0,1,1,1,1] + [IATS(ms)....: 0.1,51.9,52.1,0.0,5.2,0.1,60.5,0.9,0.0,0.0,0.1,0.0,0.4,0.1,0.0,0.1,0.2,85.1,142.0,0.0,40.8,2.5,0.1,0.1,0.1,43.6,0.1,0.4,0.1,0.1,0.0] + [PKTLENS.....: 52,52,52,40,40,402,402,46,359,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,40,40,1300,1300,1300,1300,1300,40,40,1300,1300,1300,1300] + [ENTROPIES...: 4.5,4.5,5.0,4.8,4.8,5.8,5.8,4.3,5.6,6.7,7.7,7.8,7.7,7.7,7.7,7.7,7.6,4.1,6.3,4.8,4.8,7.7,7.8,7.7,7.7,7.7,4.8,4.8,7.7,7.7,5.6,3.0] + new: [....35] [ip4][..udp] [...192.168.5.67][..138] -> [192.168.255.255][..138] + detected: [....35] [ip4][..udp] [...192.168.5.67][..138] -> [192.168.255.255][..138] [NetBIOS.SMBv1][Unknown][System][Dangerous][sanji-lifebook-] + RISK: Unsafe Protocol + new: [....36] [ip4][..tcp] [..192.168.115.8][49605] -> [.106.185.35.110][...80] + new: [....37] [ip4][..tcp] [..192.168.115.8][49606] -> [.106.185.35.110][...80] + detected: [....36] [ip4][..tcp] [..192.168.115.8][49605] -> [.106.185.35.110][...80] [HTTP.1kxun][Unknown][Streaming][Fun][jp.kankan.1kxun.mobi] + RISK: HTTP Susp User-Agent + detected: [....37] [ip4][..tcp] [..192.168.115.8][49606] -> [.106.185.35.110][...80] [HTTP.1kxun][Unknown][Streaming][Fun][jp.kankan.1kxun.mobi] + RISK: HTTP Susp User-Agent + analyse: [....37] [ip4][..tcp] [..192.168.115.8][49606] -> [.106.185.35.110][...80] [HTTP.1kxun][Unknown][Streaming][Fun][jp.kankan.1kxun.mobi] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.147| 0.015| 0.033| 1100.854| 2.600] + [PKTLEN......: 40.000| 1300.000| 693.600| 612.000| 374554.600| 4.300] + [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,0,0,1,1,1,1,0,0,1,1,1,0,0,1,1,0,0,1,1,1,1,1] + [IATS(ms)....: 0.1,37.8,38.0,0.1,1.8,0.1,39.0,109.8,0.2,146.8,0.0,0.3,0.1,0.1,0.1,0.5,0.0,0.2,0.1,0.1,0.4,0.0,0.2,36.3,36.5,0.0,0.4,0.1,0.5,0.1,0.1] + [PKTLENS.....: 52,52,52,40,40,397,397,46,1300,1300,40,40,1300,1300,1300,1300,40,40,1300,1300,1300,40,40,1300,1300,40,40,1300,1300,1300,1300,1300] + [ENTROPIES...: 4.5,4.5,5.0,4.8,4.8,5.8,5.8,4.3,5.6,5.0,4.8,4.8,4.8,5.3,5.2,5.1,4.7,4.7,6.0,5.1,5.2,4.8,4.8,5.8,5.1,4.7,4.7,4.5,4.7,4.7,5.6,5.2] + new: [....38] [ip4][..tcp] [..192.168.115.8][49607] -> [218.244.135.170][.9099] + detected: [....38] [ip4][..tcp] [..192.168.115.8][49607] -> [218.244.135.170][.9099] [HTTP][Alibaba][Web][Acceptable][218.244.135.170] + RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI + new: [....39] [ip4][..udp] [..192.168.115.8][54420] -> [........8.8.8.8][...53] + detected: [....39] [ip4][..udp] [..192.168.115.8][54420] -> [........8.8.8.8][...53] [DNS.QQ][Google][Network][Fun][vv.video.qq.com] + detection-update: [....39] [ip4][..udp] [..192.168.115.8][54420] -> [........8.8.8.8][...53] [DNS.QQ][Google][Network][Fun][vv.video.qq.com] + RISK: Unidirectional Traffic + detection-update: [....39] [ip4][..udp] [..192.168.115.8][54420] -> [........8.8.8.8][...53] [DNS.QQ][Google][Network][Fun][vv.video.qq.com] + new: [....40] [ip4][..tcp] [..192.168.115.8][49608] -> [203.205.151.234][...80] + detected: [....40] [ip4][..tcp] [..192.168.115.8][49608] -> [203.205.151.234][...80] [HTTP.QQ][Unknown][Chat][Fun][vv.video.qq.com] + new: [....41] [ip4][..tcp] [..192.168.115.8][49609] -> [..42.120.51.152][.8080] + new: [....42] [ip4][..udp] [.192.168.10.110][60480] -> [255.255.255.255][62976] + detected: [....41] [ip4][..tcp] [..192.168.115.8][49609] -> [..42.120.51.152][.8080] [HTTP][Alibaba][Web][Acceptable][42.120.51.152] + RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI + new: [....43] [ip4][..udp] [...192.168.5.37][56366] -> [....224.0.0.252][.5355] + detected: [....43] [ip4][..udp] [...192.168.5.37][56366] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [....44] [ip4][..udp] [...192.168.5.37][57325] -> [239.255.255.250][.1900] + detected: [....44] [ip4][..udp] [...192.168.5.37][57325] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + new: [....45] [ip4][..tcp] [...192.168.5.16][53623] -> [.192.168.115.75][..443] + detected: [....45] [ip4][..tcp] [...192.168.5.16][53623] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS + detection-update: [....45] [ip4][..tcp] [...192.168.5.16][53623] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS + new: [....46] [ip4][..tcp] [..192.168.115.8][49612] -> [.183.131.48.145][...80] + new: [....47] [ip4][..udp] [.192.168.101.33][58456] -> [....224.0.0.252][.5355] + detected: [....47] [ip4][..udp] [.192.168.101.33][58456] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [....48] [ip4][..udp] [....192.168.5.9][58456] -> [....224.0.0.252][.5355] + detected: [....48] [ip4][..udp] [....192.168.5.9][58456] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + detected: [....46] [ip4][..tcp] [..192.168.115.8][49612] -> [.183.131.48.145][...80] [HTTP][Unknown][Web][Acceptable][183.131.48.145] + RISK: HTTP Susp User-Agent, HTTP/TLS/QUIC Numeric Hostname/SNI + new: [....49] [ip4][..tcp] [..192.168.115.8][49613] -> [.183.131.48.144][...80] + analyse: [....41] [ip4][..tcp] [..192.168.115.8][49609] -> [..42.120.51.152][.8080] [HTTP][Alibaba][Web][Acceptable][42.120.51.152] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.399| 0.070| 0.104| 10878.943| 3.600] + [PKTLEN......: 40.000| 1300.000| 350.600| 410.300| 168364.100| 4.100] + [BINS(c->s)..: 9,0,0,0,0,0,0,4,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,0,0,0,0,1,1,1,0,0,1,1,1,0,0,0,0,1,1,0,0,1,1,0] + [IATS(ms)....: 0.1,76.5,76.6,0.0,1.1,0.0,62.3,0.1,61.8,0.0,298.9,0.1,399.0,66.5,0.2,166.1,0.0,60.3,0.5,0.1,60.8,0.0,117.1,0.0,178.1,0.5,62.0,0.0,102.3,44.3,349.7] + [PKTLENS.....: 52,52,48,40,40,292,292,46,65,485,485,485,485,46,1300,1300,40,40,1300,1300,528,40,40,267,267,46,65,477,477,46,733,40] + [ENTROPIES...: 4.6,4.6,5.0,5.0,5.0,5.8,5.8,4.7,5.4,6.1,6.1,6.1,6.1,4.6,5.3,4.7,4.9,4.9,4.7,5.2,4.9,4.9,4.9,5.8,5.8,4.6,5.4,6.1,6.1,4.7,5.7,4.9] + detected: [....49] [ip4][..tcp] [..192.168.115.8][49613] -> [.183.131.48.144][...80] [HTTP][Unknown][Web][Acceptable][183.131.48.144] + RISK: HTTP Susp User-Agent, HTTP/TLS/QUIC Numeric Hostname/SNI + detection-update: [....49] [ip4][..tcp] [..192.168.115.8][49613] -> [.183.131.48.144][...80] [HTTP][Unknown][Media][Acceptable][183.131.48.144] + RISK: HTTP Susp User-Agent, HTTP/TLS/QUIC Numeric Hostname/SNI + new: [....50] [ip4][..udp] [.192.168.101.33][55485] -> [239.255.255.250][.1900] + detected: [....50] [ip4][..udp] [.192.168.101.33][55485] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + new: [....51] [ip4][..udp] [....192.168.5.9][55484] -> [239.255.255.250][.1900] + detected: [....51] [ip4][..udp] [....192.168.5.9][55484] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + new: [....52] [ip6][..udp] [...............fe80::9bd:81dd:2fdc:5750][61548] -> [..............................ff02::1:3][.5355] + detected: [....52] [ip6][..udp] [...............fe80::9bd:81dd:2fdc:5750][61548] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [....53] [ip4][..udp] [...192.168.5.49][61548] -> [....224.0.0.252][.5355] + detected: [....53] [ip4][..udp] [...192.168.5.49][61548] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [....54] [ip4][..udp] [...192.168.5.49][51704] -> [239.255.255.250][.1900] + detected: [....54] [ip4][..udp] [...192.168.5.49][51704] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + new: [....55] [ip4][..udp] [...192.168.5.16][...68] -> [..192.168.119.1][...67] + detected: [....55] [ip4][..udp] [...192.168.5.16][...68] -> [..192.168.119.1][...67] [DHCP][Unknown][Network][Acceptable][macbook-air] + new: [....56] [ip4][..udp] [.59.120.208.218][50151] -> [255.255.255.255][.1947] + new: [....57] [ip4][..tcp] [..192.168.115.8][49596] -> [..203.66.182.87][..443] [MIDSTREAM] + new: [....58] [ip4][..tcp] [...192.168.5.16][53613] -> [.68.233.253.133][...80] [MIDSTREAM] + new: [....59] [ip4][..tcp] [...192.168.5.16][53624] -> [.68.233.253.133][...80] + detected: [....59] [ip4][..tcp] [...192.168.5.16][53624] -> [.68.233.253.133][...80] [HTTP][Unknown][Web][Acceptable][api.magicansoft.com] + new: [....60] [ip6][..udp] [...............fe80::4e5e:cff:fe9a:ec54][.5678] -> [................................ff02::1][.5678] + detection-update: [....59] [ip4][..tcp] [...192.168.5.16][53624] -> [.68.233.253.133][...80] [HTTP][Unknown][Web][Acceptable][api.magicansoft.com] + RISK: Error Code + new: [....61] [ip4][..tcp] [..192.168.115.8][49581] -> [.64.233.189.128][...80] [MIDSTREAM] + new: [....62] [ip6][..udp] [..............fe80::5d92:62a8:ebde:1319][63659] -> [..............................ff02::1:3][.5355] + detected: [....62] [ip6][..udp] [..............fe80::5d92:62a8:ebde:1319][63659] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [....63] [ip4][..udp] [..192.168.3.236][51714] -> [....224.0.0.252][.5355] + detected: [....63] [ip4][..udp] [..192.168.3.236][51714] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [....64] [ip4][..udp] [..192.168.3.236][..137] -> [192.168.255.255][..137] + detected: [....64] [ip4][..udp] [..192.168.3.236][..137] -> [192.168.255.255][..137] [NetBIOS][Unknown][System][Acceptable][isatap] + new: [....65] [ip4][..udp] [192.168.140.140][62976] -> [255.255.255.255][62976] + new: [....66] [ip6][..udp] [.......2001:b020:6::c2a0:bbff:fe73:eb57][62976] -> [................................ff02::1][62976] + new: [....67] [ip4][..udp] [...192.168.5.45][59789] -> [192.168.255.255][..137] + detected: [....67] [ip4][..udp] [...192.168.5.45][59789] -> [192.168.255.255][..137] [NetBIOS][Unknown][System][Acceptable][sanji-lifebook-] + new: [....68] [ip4][..udp] [...192.168.5.45][59461] -> [192.168.255.255][..137] + detected: [....68] [ip4][..udp] [...192.168.5.45][59461] -> [192.168.255.255][..137] [NetBIOS][Unknown][System][Acceptable][gfile] + new: [....69] [ip4][..udp] [...192.168.5.45][..137] -> [192.168.255.255][..137] + detected: [....69] [ip4][..udp] [...192.168.5.45][..137] -> [192.168.255.255][..137] [NetBIOS][Unknown][System][Acceptable][nasfile] + new: [....70] [ip4][..udp] [...192.168.5.45][..138] -> [192.168.255.255][..138] + detected: [....70] [ip4][..udp] [...192.168.5.45][..138] -> [192.168.255.255][..138] [NetBIOS.SMBv1][Unknown][System][Dangerous][macbookair-e1d0] + RISK: Unsafe Protocol + new: [....71] [ip4][..udp] [...192.168.10.7][62976] -> [255.255.255.255][62976] + new: [....72] [ip6][..udp] [..............fe80::4568:efbc:40b1:1346][50194] -> [..............................ff02::1:3][.5355] + detected: [....72] [ip6][..udp] [..............fe80::4568:efbc:40b1:1346][50194] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [....73] [ip4][..udp] [...192.168.5.41][54470] -> [....224.0.0.252][.5355] + detected: [....73] [ip4][..udp] [...192.168.5.41][54470] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [....74] [ip4][..udp] [....192.168.5.9][...68] -> [255.255.255.255][...67] + detected: [....74] [ip4][..udp] [....192.168.5.9][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable][joanna-pc] + new: [....75] [ip4][..udp] [...192.168.5.48][49701] -> [239.255.255.250][.1900] + detected: [....75] [ip4][..udp] [...192.168.5.48][49701] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + new: [....76] [ip4][..udp] [...192.168.5.64][.5353] -> [....224.0.0.251][.5353] + detected: [....76] [ip4][..udp] [...192.168.5.64][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable][_googlecast._tcp.local] + new: [....77] [ip4][..udp] [..192.168.2.186][32768] -> [255.255.255.255][.1947] + new: [....78] [ip4][..udp] [...192.168.5.48][59797] -> [....224.0.0.252][.5355] + detected: [....78] [ip4][..udp] [...192.168.5.48][59797] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [....79] [ip4][..udp] [..192.168.0.100][50925] -> [255.255.255.255][.5678] + new: [....80] [ip4][..udp] [...192.168.5.57][65150] -> [....224.0.0.252][.5355] + detected: [....80] [ip4][..udp] [...192.168.5.57][65150] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [....81] [ip6][..udp] [...............fe80::e034:7be:d8f9:6197][62756] -> [..............................ff02::1:3][.5355] + detected: [....81] [ip6][..udp] [...............fe80::e034:7be:d8f9:6197][62756] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [....82] [ip4][..udp] [...192.168.5.50][62756] -> [....224.0.0.252][.5355] + detected: [....82] [ip4][..udp] [...192.168.5.50][62756] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [....83] [ip4][..udp] [...192.168.5.49][.1900] -> [239.255.255.250][.1900] + detected: [....83] [ip4][..udp] [...192.168.5.49][.1900] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + new: [....84] [ip6][..udp] [...............fe80::9bd:81dd:2fdc:5750][.1900] -> [................................ff02::c][.1900] + detected: [....84] [ip6][..udp] [...............fe80::9bd:81dd:2fdc:5750][.1900] -> [................................ff02::c][.1900] [SSDP][Unknown][System][Acceptable][[ff02::c]:1900] + new: [....85] [ip4][..udp] [...192.168.5.50][50030] -> [....224.0.0.252][.5355] + detected: [....85] [ip4][..udp] [...192.168.5.50][50030] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [....86] [ip4][..udp] [.59.120.208.212][32768] -> [255.255.255.255][.1947] + new: [....87] [ip4][..tcp] [...192.168.5.16][53625] -> [.192.168.115.75][..443] + detected: [....87] [ip4][..tcp] [...192.168.5.16][53625] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS + detection-update: [....87] [ip4][..tcp] [...192.168.5.16][53625] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS + new: [....88] [ip4][..udp] [..192.168.119.1][56861] -> [255.255.255.255][.5678] + new: [....89] [ip6][..udp] [................fe80::4e5e:cff:feea:365][.5678] -> [................................ff02::1][.5678] + new: [....90] [ip6][..udp] [..............fe80::5d92:62a8:ebde:1319][49735] -> [..............................ff02::1:3][.5355] + detected: [....90] [ip6][..udp] [..............fe80::5d92:62a8:ebde:1319][49735] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [....91] [ip4][..udp] [..192.168.3.236][62069] -> [....224.0.0.252][.5355] + detected: [....91] [ip4][..udp] [..192.168.3.236][62069] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [....92] [ip4][..udp] [...192.168.5.44][58702] -> [....224.0.0.252][.5355] + detected: [....92] [ip4][..udp] [...192.168.5.44][58702] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [....93] [ip6][..udp] [..............fe80::beee:7bff:fe0c:b3de][..546] -> [..............................ff02::1:2][..547] + detected: [....93] [ip6][..udp] [..............fe80::beee:7bff:fe0c:b3de][..546] -> [..............................ff02::1:2][..547] [DHCPV6][Unknown][Network][Acceptable] + new: [....94] [ip4][..udp] [..192.168.119.2][43786] -> [255.255.255.255][.5678] + new: [....95] [ip6][..udp] [..............fe80::edf5:240a:c8c0:8312][53962] -> [..............................ff02::1:3][.5355] + detected: [....95] [ip6][..udp] [..............fe80::edf5:240a:c8c0:8312][53962] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [....96] [ip4][..udp] [...192.168.5.47][53962] -> [....224.0.0.252][.5355] + detected: [....96] [ip4][..udp] [...192.168.5.47][53962] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [....97] [ip6][..udp] [..............fe80::e98f:bae2:19f7:6b0f][51451] -> [..............................ff02::1:3][.5355] + detected: [....97] [ip6][..udp] [..............fe80::e98f:bae2:19f7:6b0f][51451] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable] + RISK: Non-Printable/Invalid Chars Detected + new: [....98] [ip4][..udp] [...192.168.3.95][51451] -> [....224.0.0.252][.5355] + detected: [....98] [ip4][..udp] [...192.168.3.95][51451] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + RISK: Non-Printable/Invalid Chars Detected + new: [....99] [ip6][..udp] [..............fe80::5d92:62a8:ebde:1319][53938] -> [..............................ff02::1:3][.5355] + detected: [....99] [ip6][..udp] [..............fe80::5d92:62a8:ebde:1319][53938] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [...100] [ip4][..udp] [..192.168.3.236][56043] -> [....224.0.0.252][.5355] + detected: [...100] [ip4][..udp] [..192.168.3.236][56043] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [...101] [ip4][..tcp] [.119.235.235.84][..443] -> [...192.168.5.16][53406] [MIDSTREAM] + new: [...102] [ip4][..udp] [...192.168.5.37][54506] -> [....224.0.0.252][.5355] + detected: [...102] [ip4][..udp] [...192.168.5.37][54506] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [...103] [ip6][..udp] [...............fe80::9bd:81dd:2fdc:5750][64568] -> [..............................ff02::1:3][.5355] + detected: [...103] [ip6][..udp] [...............fe80::9bd:81dd:2fdc:5750][64568] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [...104] [ip4][..udp] [...192.168.5.49][64568] -> [....224.0.0.252][.5355] + detected: [...104] [ip4][..udp] [...192.168.5.49][64568] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [...105] [ip4][..udp] [...192.168.5.41][...68] -> [255.255.255.255][...67] + detected: [...105] [ip4][..udp] [...192.168.5.41][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable][kevin-pc] + new: [...106] [ip4][..tcp] [...192.168.5.16][53580] -> [....31.13.87.36][..443] [MIDSTREAM] + detected: [...106] [ip4][..tcp] [...192.168.5.16][53580] -> [....31.13.87.36][..443] [TLS][Facebook][Web][Safe] + new: [...107] [ip4][..tcp] [...192.168.5.16][53626] -> [.192.168.115.75][..443] + detection-update: [...106] [ip4][..tcp] [...192.168.5.16][53580] -> [....31.13.87.36][..443] [TLS][Facebook][Web][Safe] + RISK: Unidirectional Traffic + detection-update: [...106] [ip4][..tcp] [...192.168.5.16][53580] -> [....31.13.87.36][..443] [TLS][Facebook][Web][Safe] + detected: [...107] [ip4][..tcp] [...192.168.5.16][53626] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS + detection-update: [...107] [ip4][..tcp] [...192.168.5.16][53626] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS + new: [...108] [ip4][..udp] [...192.168.5.16][63372] -> [.....168.95.1.1][...53] + detected: [...108] [ip4][..udp] [...192.168.5.16][63372] -> [.....168.95.1.1][...53] [DNS.Line][Unknown][Network][Acceptable][dl-obs.official.line.naver.jp] + detection-update: [...108] [ip4][..udp] [...192.168.5.16][63372] -> [.....168.95.1.1][...53] [DNS.Line][Unknown][Network][Acceptable][dl-obs.official.line.naver.jp] + new: [...109] [ip4][..tcp] [...192.168.5.16][53627] -> [...203.69.81.73][...80] + new: [...110] [ip4][..tcp] [...192.168.5.16][53628] -> [...203.69.81.73][...80] + detected: [...110] [ip4][..tcp] [...192.168.5.16][53628] -> [...203.69.81.73][...80] [HTTP.Line][Unknown][Chat][Acceptable][dl-obs.official.line.naver.jp] + detected: [...109] [ip4][..tcp] [...192.168.5.16][53627] -> [...203.69.81.73][...80] [HTTP.Line][Unknown][Chat][Acceptable][dl-obs.official.line.naver.jp] + new: [...111] [ip4][..udp] [.192.168.101.33][62822] -> [....224.0.0.252][.5355] + detected: [...111] [ip4][..udp] [.192.168.101.33][62822] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [...112] [ip4][..udp] [....192.168.5.9][62822] -> [....224.0.0.252][.5355] + detected: [...112] [ip4][..udp] [....192.168.5.9][62822] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [...113] [ip4][..tcp] [.....31.13.87.1][..443] -> [...192.168.5.16][53578] [MIDSTREAM] + detected: [...113] [ip4][..tcp] [.....31.13.87.1][..443] -> [...192.168.5.16][53578] [TLS][Facebook][Web][Safe] + new: [...114] [ip6][..udp] [..............fe80::5d92:62a8:ebde:1319][61172] -> [..............................ff02::1:3][.5355] + detected: [...114] [ip6][..udp] [..............fe80::5d92:62a8:ebde:1319][61172] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [...115] [ip4][..udp] [..192.168.3.236][59730] -> [....224.0.0.252][.5355] + detected: [...115] [ip4][..udp] [..192.168.3.236][59730] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [...116] [ip6][..udp] [..............fe80::f65c:89ff:fe89:e607][..546] -> [..............................ff02::1:2][..547] + detected: [...116] [ip6][..udp] [..............fe80::f65c:89ff:fe89:e607][..546] -> [..............................ff02::1:2][..547] [DHCPV6][Unknown][Network][Acceptable] + new: [...117] [ip4][..tcp] [...192.168.5.16][53629] -> [.192.168.115.75][..443] + detected: [...117] [ip4][..tcp] [...192.168.5.16][53629] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS + detection-update: [...117] [ip4][..tcp] [...192.168.5.16][53629] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS + update: [.....7] [ip4][..udp] [...192.168.5.41][55312] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + update: [....14] [ip4][..udp] [..192.168.115.8][51024] -> [........8.8.8.8][...53] [DNS.1kxun][Google][Network][Fun][jp.kankan.1kxun.mobi] + update: [....21] [ip4][..udp] [...192.168.3.95][59468] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + update: [.....8] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable][shen] + update: [.....3] [ip4][..udp] [...192.168.5.44][51389] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + update: [....23] [ip6][..udp] [..2001:b030:214:100:c2a0:bbff:fe73:eb47][62976] -> [................................ff02::1][62976] + update: [.....4] [ip4][..udp] [..192.168.119.1][...67] -> [255.255.255.255][...68] [DHCP][Unknown][Network][Acceptable] + update: [.....2] [ip4][..udp] [...192.168.5.57][55809] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + update: [....18] [ip4][..udp] [..192.168.115.8][..137] -> [192.168.255.255][..137] [NetBIOS][Unknown][System][Acceptable][wpad] + update: [....12] [ip4][..udp] [...192.168.5.47][60267] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + update: [....20] [ip4][..udp] [...192.168.3.95][58779] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][????????????] + RISK: Non-Printable/Invalid Chars Detected + update: [.....6] [ip4][..udp] [...192.168.5.50][64674] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + update: [....22] [ip4][..udp] [.192.168.125.30][62976] -> [255.255.255.255][62976] + update: [.....9] [ip6][..udp] [...............fe80::406:55a8:6453:25dd][..546] -> [..............................ff02::1:2][..547] [DHCPV6][Unknown][Network][Acceptable] + update: [....19] [ip6][..udp] [..............fe80::e98f:bae2:19f7:6b0f][58779] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable][????????????] + RISK: Non-Printable/Invalid Chars Detected + update: [....24] [ip4][..udp] [..192.168.115.8][52723] -> [.....168.95.1.1][...53] [DNS.1kxun][Unknown][Network][Fun][kankan.1kxun.com] + update: [....16] [ip4][..udp] [..192.168.115.8][52723] -> [........8.8.8.8][...53] [DNS.1kxun][Google][Network][Fun][kankan.1kxun.com] + update: [....11] [ip4][..udp] [...192.168.5.47][61603] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][ro_x1c] + update: [.....1] [ip4][..udp] [...192.168.5.44][59571] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][jason-pc] + update: [....10] [ip6][..udp] [..............fe80::edf5:240a:c8c0:8312][61603] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable][ro_x1c] + update: [....13] [ip4][..udp] [..192.168.115.8][51458] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][wpad] + analyse: [....31] [ip4][..tcp] [..192.168.115.8][49603] -> [.106.187.35.246][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 45.001| 1.464| 7.949| 63183326.806| 0.100] + [PKTLEN......: 40.000| 1300.000| 781.600| 593.200| 351838.700| 4.400] + [BINS(c->s)..: 9,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,17,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0] + [IATS(ms)....: 0.0,54.5,54.6,0.0,4.9,0.0,65.5,0.1,0.1,0.4,0.1,0.1,0.2,0.0,0.0,0.0,0.0,61.5,0.0,69.0,0.1,0.1,0.0,0.7,0.1,0.1,0.1,0.5,70.7,0.0,45001.1] + [PKTLENS.....: 52,52,52,40,40,401,401,46,359,1300,1300,1300,1300,1300,1300,1300,1300,1300,40,40,1300,1300,1300,1300,1300,1300,1300,1300,1267,40,40,41] + [ENTROPIES...: 4.6,4.6,5.0,4.9,4.9,5.8,5.8,4.4,5.7,7.5,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,4.8,4.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,4.9,4.9,4.8] + new: [...118] [ip4][..udp] [..192.168.0.104][..137] -> [192.168.255.255][..137] + detected: [...118] [ip4][..udp] [..192.168.0.104][..137] -> [192.168.255.255][..137] [NetBIOS][Unknown][System][Acceptable][sc.arrancar.org] + new: [...119] [ip4][..udp] [...192.168.5.16][..123] -> [..17.253.26.125][..123] + detected: [...119] [ip4][..udp] [...192.168.5.16][..123] -> [..17.253.26.125][..123] [NTP][Apple][System][Acceptable] + new: [...120] [ip6][..udp] [..............fe80::4568:efbc:40b1:1346][57148] -> [..............................ff02::1:3][.5355] + detected: [...120] [ip6][..udp] [..............fe80::4568:efbc:40b1:1346][57148] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [...121] [ip4][..udp] [...192.168.5.41][55593] -> [....224.0.0.252][.5355] + detected: [...121] [ip4][..udp] [...192.168.5.41][55593] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [...122] [ip4][..udp] [...192.168.5.57][64428] -> [....224.0.0.252][.5355] + detected: [...122] [ip4][..udp] [...192.168.5.57][64428] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [...123] [ip6][..udp] [...............fe80::e034:7be:d8f9:6197][57143] -> [..............................ff02::1:3][.5355] + detected: [...123] [ip6][..udp] [...............fe80::e034:7be:d8f9:6197][57143] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [...124] [ip4][..udp] [...192.168.5.50][57143] -> [....224.0.0.252][.5355] + detected: [...124] [ip4][..udp] [...192.168.5.50][57143] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [...125] [ip6][..udp] [...............fe80::e034:7be:d8f9:6197][49766] -> [..............................ff02::1:3][.5355] + detected: [...125] [ip6][..udp] [...............fe80::e034:7be:d8f9:6197][49766] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [...126] [ip4][..udp] [...192.168.5.50][49766] -> [....224.0.0.252][.5355] + detected: [...126] [ip4][..udp] [...192.168.5.50][49766] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [...127] [ip4][..udp] [...192.168.5.44][59062] -> [....224.0.0.252][.5355] + detected: [...127] [ip4][..udp] [...192.168.5.44][59062] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [...128] [ip6][..udp] [..............fe80::5d92:62a8:ebde:1319][58468] -> [..............................ff02::1:3][.5355] + detected: [...128] [ip6][..udp] [..............fe80::5d92:62a8:ebde:1319][58468] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable] + new: [...129] [ip4][..udp] [..192.168.3.236][65496] -> [....224.0.0.252][.5355] + detected: [...129] [ip4][..udp] [..192.168.3.236][65496] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable] + update: [....44] [ip4][..udp] [...192.168.5.37][57325] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + update: [....51] [ip4][..udp] [....192.168.5.9][55484] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + update: [....50] [ip4][..udp] [.192.168.101.33][55485] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + update: [....55] [ip4][..udp] [...192.168.5.16][...68] -> [..192.168.119.1][...67] [DHCP][Unknown][Network][Acceptable][macbook-air] + update: [....54] [ip4][..udp] [...192.168.5.49][51704] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + update: [....35] [ip4][..udp] [...192.168.5.67][..138] -> [192.168.255.255][..138] [NetBIOS.SMBv1][Unknown][System][Dangerous][sanji-lifebook-] + RISK: Unsafe Protocol + update: [....43] [ip4][..udp] [...192.168.5.37][56366] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][notebook] + update: [....47] [ip4][..udp] [.192.168.101.33][58456] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][joanna-pc] + update: [....48] [ip4][..udp] [....192.168.5.9][58456] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][joanna-pc] + update: [....42] [ip4][..udp] [.192.168.10.110][60480] -> [255.255.255.255][62976] + update: [....56] [ip4][..udp] [.59.120.208.218][50151] -> [255.255.255.255][.1947] + update: [....34] [ip4][..udp] [...192.168.3.95][54888] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][????????????] + RISK: Non-Printable/Invalid Chars Detected + update: [....39] [ip4][..udp] [..192.168.115.8][54420] -> [........8.8.8.8][...53] [DNS.QQ][Google][Network][Fun][vv.video.qq.com] + update: [....26] [ip4][..udp] [..192.168.115.8][60724] -> [........8.8.8.8][...53] [DNS.1kxun][Google][Network][Fun][pic.1kxun.com] + update: [....52] [ip6][..udp] [...............fe80::9bd:81dd:2fdc:5750][61548] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable][caesar-thinkpad] + update: [....53] [ip4][..udp] [...192.168.5.49][61548] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][caesar-thinkpad] + update: [....33] [ip6][..udp] [..............fe80::e98f:bae2:19f7:6b0f][54888] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable][????????????] + RISK: Non-Printable/Invalid Chars Detected + DAEMON-EVENT: [Processed: 1032 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 129 / 129|skipped: 0|!detected: 0|guessed: 0|detection-updates: 19|updates: 38] + new: [...130] [ip4][..tcp] [..192.168.2.126][60962] -> [..172.104.93.92][.1234] [MIDSTREAM] + detected: [...130] [ip4][..tcp] [..192.168.2.126][60962] -> [..172.104.93.92][.1234] [HTTP.1kxun][Unknown][Streaming][Fun][ws.1kxun.mobi] + RISK: Known Proto on Non Std Port + new: [...131] [ip4][..tcp] [..192.168.2.126][60972] -> [..172.104.93.92][.1234] [MIDSTREAM] + detected: [...131] [ip4][..tcp] [..192.168.2.126][60972] -> [..172.104.93.92][.1234] [HTTP.1kxun][Unknown][Streaming][Fun][ws.1kxun.mobi] + RISK: Known Proto on Non Std Port + new: [...132] [ip4][..tcp] [..192.168.2.126][60984] -> [..172.104.93.92][.1234] [MIDSTREAM] + detected: [...132] [ip4][..tcp] [..192.168.2.126][60984] -> [..172.104.93.92][.1234] [HTTP.1kxun][Unknown][Streaming][Fun][ws.1kxun.mobi] + RISK: Known Proto on Non Std Port + new: [...133] [ip4][..tcp] [..192.168.2.126][47230] -> [..161.117.13.29][...80] [MIDSTREAM] + detected: [...133] [ip4][..tcp] [..192.168.2.126][47230] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][kankan.1kxun.mobi] + new: [...134] [ip4][..tcp] [..192.168.2.126][41134] -> [.129.226.107.77][...80] [MIDSTREAM] + detected: [...134] [ip4][..tcp] [..192.168.2.126][41134] -> [.129.226.107.77][...80] [HTTP.QQ][Tencent][Chat][Fun][cgi.connect.qq.com] + detection-update: [...133] [ip4][..tcp] [..192.168.2.126][47230] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Download][Fun][kankan.1kxun.mobi] + RISK: Binary File/Data Transfer (Attempt) + new: [...135] [ip4][..tcp] [..192.168.2.126][47246] -> [..161.117.13.29][...80] [MIDSTREAM] + detected: [...135] [ip4][..tcp] [..192.168.2.126][47246] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][kankan.1kxun.com] + new: [...136] [ip4][..tcp] [..192.168.2.126][47262] -> [..161.117.13.29][...80] [MIDSTREAM] + detected: [...136] [ip4][..tcp] [..192.168.2.126][47262] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][kankan.1kxun.com] + idle: [....44] [ip4][..udp] [...192.168.5.37][57325] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + idle: [....78] [ip4][..udp] [...192.168.5.48][59797] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][kasper-mac] + idle: [...108] [ip4][..udp] [...192.168.5.16][63372] -> [.....168.95.1.1][...53] [DNS.Line][Unknown][Network][Acceptable][dl-obs.official.line.naver.jp] + idle: [.....7] [ip4][..udp] [...192.168.5.41][55312] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + idle: [...125] [ip6][..udp] [...............fe80::e034:7be:d8f9:6197][49766] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable][charming-pc] + idle: [...109] [ip4][..tcp] [...192.168.5.16][53627] -> [...203.69.81.73][...80] [HTTP.Line][Unknown][Chat][Acceptable][dl-obs.official.line.naver.jp] + idle: [...110] [ip4][..tcp] [...192.168.5.16][53628] -> [...203.69.81.73][...80] [HTTP.Line][Unknown][Chat][Acceptable][dl-obs.official.line.naver.jp] + idle: [....14] [ip4][..udp] [..192.168.115.8][51024] -> [........8.8.8.8][...53] [DNS.1kxun][Google][Network][Fun][jp.kankan.1kxun.mobi] + not-detected: [....77] [ip4][..udp] [..192.168.2.186][32768] -> [255.255.255.255][.1947] [Unknown][Unknown][Unrated] + idle: [....77] [ip4][..udp] [..192.168.2.186][32768] -> [255.255.255.255][.1947] + idle: [....21] [ip4][..udp] [...192.168.3.95][59468] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + idle: [...120] [ip6][..udp] [..............fe80::4568:efbc:40b1:1346][57148] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable][kevin-pc] + idle: [.....8] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable][shen] + idle: [....63] [ip4][..udp] [..192.168.3.236][51714] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][isatap] + idle: [....40] [ip4][..tcp] [..192.168.115.8][49608] -> [203.205.151.234][...80] [HTTP.QQ][Unknown][Chat][Fun][vv.video.qq.com] + idle: [....51] [ip4][..udp] [....192.168.5.9][55484] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + idle: [....50] [ip4][..udp] [.192.168.101.33][55485] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + idle: [.....3] [ip4][..udp] [...192.168.5.44][51389] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + idle: [...113] [ip4][..tcp] [.....31.13.87.1][..443] -> [...192.168.5.16][53578] [TLS][Facebook][Web][Safe] + idle: [...106] [ip4][..tcp] [...192.168.5.16][53580] -> [....31.13.87.36][..443] [TLS][Facebook][Web][Safe] + not-detected: [....66] [ip6][..udp] [.......2001:b020:6::c2a0:bbff:fe73:eb57][62976] -> [................................ff02::1][62976] [Unknown][Unknown][Unrated] + idle: [....66] [ip6][..udp] [.......2001:b020:6::c2a0:bbff:fe73:eb57][62976] -> [................................ff02::1][62976] + not-detected: [....23] [ip6][..udp] [..2001:b030:214:100:c2a0:bbff:fe73:eb47][62976] -> [................................ff02::1][62976] [Unknown][Unknown][Unrated] + idle: [....23] [ip6][..udp] [..2001:b030:214:100:c2a0:bbff:fe73:eb47][62976] -> [................................ff02::1][62976] + idle: [...126] [ip4][..udp] [...192.168.5.50][49766] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][charming-pc] + idle: [....91] [ip4][..udp] [..192.168.3.236][62069] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][wangs-ltw] + idle: [...105] [ip4][..udp] [...192.168.5.41][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable][kevin-pc] + idle: [....74] [ip4][..udp] [....192.168.5.9][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable][joanna-pc] + idle: [.....4] [ip4][..udp] [..192.168.119.1][...67] -> [255.255.255.255][...68] [DHCP][Unknown][Network][Acceptable] + idle: [....96] [ip4][..udp] [...192.168.5.47][53962] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][ro_x1c] + idle: [...100] [ip4][..udp] [..192.168.3.236][56043] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][isatap] + idle: [....95] [ip6][..udp] [..............fe80::edf5:240a:c8c0:8312][53962] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable][ro_x1c] + idle: [....97] [ip6][..udp] [..............fe80::e98f:bae2:19f7:6b0f][51451] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable][????????????] + RISK: Non-Printable/Invalid Chars Detected + not-detected: [....94] [ip4][..udp] [..192.168.119.2][43786] -> [255.255.255.255][.5678] [Unknown][Unknown][Unrated] + RISK: Susp Entropy + idle: [....94] [ip4][..udp] [..192.168.119.2][43786] -> [255.255.255.255][.5678] + idle: [....85] [ip4][..udp] [...192.168.5.50][50030] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][charming-pc] + idle: [....55] [ip4][..udp] [...192.168.5.16][...68] -> [..192.168.119.1][...67] [DHCP][Unknown][Network][Acceptable][macbook-air] + idle: [....54] [ip4][..udp] [...192.168.5.49][51704] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + idle: [.....2] [ip4][..udp] [...192.168.5.57][55809] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + idle: [...103] [ip6][..udp] [...............fe80::9bd:81dd:2fdc:5750][64568] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable][caesar-thinkpad] + idle: [...122] [ip4][..udp] [...192.168.5.57][64428] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][usher-pc] + idle: [....41] [ip4][..tcp] [..192.168.115.8][49609] -> [..42.120.51.152][.8080] [HTTP][Alibaba][Web][Acceptable][42.120.51.152] + RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI + idle: [...114] [ip6][..udp] [..............fe80::5d92:62a8:ebde:1319][61172] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable][sonusav] + idle: [....75] [ip4][..udp] [...192.168.5.48][49701] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + idle: [....68] [ip4][..udp] [...192.168.5.45][59461] -> [192.168.255.255][..137] [NetBIOS][Unknown][System][Acceptable][gfile] + idle: [...118] [ip4][..udp] [..192.168.0.104][..137] -> [192.168.255.255][..137] [NetBIOS][Unknown][System][Acceptable][sc.arrancar.org] + idle: [....69] [ip4][..udp] [...192.168.5.45][..137] -> [192.168.255.255][..137] [NetBIOS][Unknown][System][Acceptable][nasfile] + idle: [....64] [ip4][..udp] [..192.168.3.236][..137] -> [192.168.255.255][..137] [NetBIOS][Unknown][System][Acceptable][isatap] + idle: [....18] [ip4][..udp] [..192.168.115.8][..137] -> [192.168.255.255][..137] [NetBIOS][Unknown][System][Acceptable][wpad] + idle: [....70] [ip4][..udp] [...192.168.5.45][..138] -> [192.168.255.255][..138] [NetBIOS.SMBv1][Unknown][System][Dangerous][macbookair-e1d0] + RISK: Unsafe Protocol + idle: [....35] [ip4][..udp] [...192.168.5.67][..138] -> [192.168.255.255][..138] [NetBIOS.SMBv1][Unknown][System][Dangerous][sanji-lifebook-] + RISK: Unsafe Protocol + idle: [....43] [ip4][..udp] [...192.168.5.37][56366] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][notebook] + idle: [...104] [ip4][..udp] [...192.168.5.49][64568] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][caesar-thinkpad] + idle: [....38] [ip4][..tcp] [..192.168.115.8][49607] -> [218.244.135.170][.9099] [HTTP][Alibaba][Web][Acceptable][218.244.135.170] + RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI + idle: [....48] [ip4][..udp] [....192.168.5.9][58456] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][joanna-pc] + idle: [....47] [ip4][..udp] [.192.168.101.33][58456] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][joanna-pc] + idle: [....81] [ip6][..udp] [...............fe80::e034:7be:d8f9:6197][62756] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable][charming-pc] + not-detected: [....42] [ip4][..udp] [.192.168.10.110][60480] -> [255.255.255.255][62976] [Unknown][Unknown][Unrated] + idle: [....42] [ip4][..udp] [.192.168.10.110][60480] -> [255.255.255.255][62976] + idle: [....73] [ip4][..udp] [...192.168.5.41][54470] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][kevin-pc] + idle: [....76] [ip4][..udp] [...192.168.5.64][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable] + idle: [...102] [ip4][..udp] [...192.168.5.37][54506] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][notebook] + idle: [....12] [ip4][..udp] [...192.168.5.47][60267] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + idle: [....67] [ip4][..udp] [...192.168.5.45][59789] -> [192.168.255.255][..137] [NetBIOS][Unknown][System][Acceptable][sanji-lifebook-] + guessed: [.....5] [ip4][..tcp] [...192.168.5.16][53605] -> [.68.233.253.133][...80] [HTTP][Unknown][Web][Acceptable][] + RISK: Unidirectional Traffic + end: [.....5] [ip4][..tcp] [...192.168.5.16][53605] -> [.68.233.253.133][...80] + idle: [....82] [ip4][..udp] [...192.168.5.50][62756] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][charming-pc] + guessed: [....58] [ip4][..tcp] [...192.168.5.16][53613] -> [.68.233.253.133][...80] [HTTP][Unknown][Web][Acceptable][] + RISK: Unidirectional Traffic + end: [....58] [ip4][..tcp] [...192.168.5.16][53613] -> [.68.233.253.133][...80] + not-detected: [....56] [ip4][..udp] [.59.120.208.218][50151] -> [255.255.255.255][.1947] [Unknown][Unknown][Unrated] + idle: [....56] [ip4][..udp] [.59.120.208.218][50151] -> [255.255.255.255][.1947] + end: [....59] [ip4][..tcp] [...192.168.5.16][53624] -> [.68.233.253.133][...80] [HTTP][Unknown][Web][Acceptable][api.magicansoft.com] + RISK: Error Code + idle: [....92] [ip4][..udp] [...192.168.5.44][58702] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][jason-pc] + idle: [....62] [ip6][..udp] [..............fe80::5d92:62a8:ebde:1319][63659] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable][isatap] + idle: [...112] [ip4][..udp] [....192.168.5.9][62822] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][joanna-pc] + idle: [...111] [ip4][..udp] [.192.168.101.33][62822] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][joanna-pc] + guessed: [....61] [ip4][..tcp] [..192.168.115.8][49581] -> [.64.233.189.128][...80] [HTTP][Google][Web][Acceptable][] + idle: [....61] [ip4][..tcp] [..192.168.115.8][49581] -> [.64.233.189.128][...80] + idle: [....20] [ip4][..udp] [...192.168.3.95][58779] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][????????????] + RISK: Non-Printable/Invalid Chars Detected + idle: [....15] [ip4][..tcp] [..192.168.115.8][49597] -> [.106.185.35.110][...80] [HTTP.1kxun][Unknown][Streaming][Fun][jp.kankan.1kxun.mobi] + idle: [....36] [ip4][..tcp] [..192.168.115.8][49605] -> [.106.185.35.110][...80] [HTTP.1kxun][Unknown][Streaming][Fun][jp.kankan.1kxun.mobi] + RISK: HTTP Susp User-Agent + idle: [....37] [ip4][..tcp] [..192.168.115.8][49606] -> [.106.185.35.110][...80] [HTTP.1kxun][Unknown][Streaming][Fun][jp.kankan.1kxun.mobi] + RISK: HTTP Susp User-Agent + idle: [....25] [ip4][..tcp] [..192.168.115.8][49598] -> [.222.73.254.167][...80] [HTTP.1kxun][Unknown][Streaming][Fun][kankan.1kxun.com] + guessed: [....17] [ip4][..tcp] [...192.168.5.16][53622] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] + end: [....17] [ip4][..tcp] [...192.168.5.16][53622] -> [.192.168.115.75][..443] + end: [....45] [ip4][..tcp] [...192.168.5.16][53623] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] + RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS + end: [....87] [ip4][..tcp] [...192.168.5.16][53625] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] + RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS + end: [...107] [ip4][..tcp] [...192.168.5.16][53626] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] + RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS + end: [...117] [ip4][..tcp] [...192.168.5.16][53629] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] + RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS + idle: [.....6] [ip4][..udp] [...192.168.5.50][64674] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + not-detected: [....65] [ip4][..udp] [192.168.140.140][62976] -> [255.255.255.255][62976] [Unknown][Unknown][Unrated] + idle: [....65] [ip4][..udp] [192.168.140.140][62976] -> [255.255.255.255][62976] + not-detected: [....71] [ip4][..udp] [...192.168.10.7][62976] -> [255.255.255.255][62976] [Unknown][Unknown][Unrated] + idle: [....71] [ip4][..udp] [...192.168.10.7][62976] -> [255.255.255.255][62976] + not-detected: [....22] [ip4][..udp] [.192.168.125.30][62976] -> [255.255.255.255][62976] [Unknown][Unknown][Unrated] + idle: [....22] [ip4][..udp] [.192.168.125.30][62976] -> [255.255.255.255][62976] + idle: [....34] [ip4][..udp] [...192.168.3.95][54888] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][????????????] + RISK: Non-Printable/Invalid Chars Detected + idle: [...123] [ip6][..udp] [...............fe80::e034:7be:d8f9:6197][57143] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable][charming-pc] + idle: [....80] [ip4][..udp] [...192.168.5.57][65150] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][usher-pc] + not-detected: [....88] [ip4][..udp] [..192.168.119.1][56861] -> [255.255.255.255][.5678] [Unknown][Unknown][Unrated] + RISK: Susp Entropy + idle: [....88] [ip4][..udp] [..192.168.119.1][56861] -> [255.255.255.255][.5678] + idle: [...116] [ip6][..udp] [..............fe80::f65c:89ff:fe89:e607][..546] -> [..............................ff02::1:2][..547] [DHCPV6][Unknown][Network][Acceptable] + idle: [....72] [ip6][..udp] [..............fe80::4568:efbc:40b1:1346][50194] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable][kevin-pc] + idle: [...127] [ip4][..udp] [...192.168.5.44][59062] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][jason-pc] + idle: [....90] [ip6][..udp] [..............fe80::5d92:62a8:ebde:1319][49735] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable][wangs-ltw] + idle: [....39] [ip4][..udp] [..192.168.115.8][54420] -> [........8.8.8.8][...53] [DNS.QQ][Google][Network][Fun][vv.video.qq.com] + idle: [...124] [ip4][..udp] [...192.168.5.50][57143] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][charming-pc] + not-detected: [....79] [ip4][..udp] [..192.168.0.100][50925] -> [255.255.255.255][.5678] [Unknown][Unknown][Unrated] + RISK: Susp Entropy + idle: [....79] [ip4][..udp] [..192.168.0.100][50925] -> [255.255.255.255][.5678] + idle: [....99] [ip6][..udp] [..............fe80::5d92:62a8:ebde:1319][53938] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable][isatap] + idle: [....27] [ip4][..tcp] [..192.168.115.8][49599] -> [.106.187.35.246][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + idle: [....28] [ip4][..tcp] [..192.168.115.8][49600] -> [.106.187.35.246][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + idle: [....29] [ip4][..tcp] [..192.168.115.8][49601] -> [.106.187.35.246][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + idle: [....30] [ip4][..tcp] [..192.168.115.8][49602] -> [.106.187.35.246][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + idle: [....26] [ip4][..udp] [..192.168.115.8][60724] -> [........8.8.8.8][...53] [DNS.1kxun][Google][Network][Fun][pic.1kxun.com] + idle: [....31] [ip4][..tcp] [..192.168.115.8][49603] -> [.106.187.35.246][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + idle: [....32] [ip4][..tcp] [..192.168.115.8][49604] -> [.106.187.35.246][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + idle: [.....9] [ip6][..udp] [...............fe80::406:55a8:6453:25dd][..546] -> [..............................ff02::1:2][..547] [DHCPV6][Unknown][Network][Acceptable] + idle: [....52] [ip6][..udp] [...............fe80::9bd:81dd:2fdc:5750][61548] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable][caesar-thinkpad] + idle: [...129] [ip4][..udp] [..192.168.3.236][65496] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][wangs-ltw] + idle: [....19] [ip6][..udp] [..............fe80::e98f:bae2:19f7:6b0f][58779] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable][????????????] + RISK: Non-Printable/Invalid Chars Detected + guessed: [...101] [ip4][..tcp] [.119.235.235.84][..443] -> [...192.168.5.16][53406] [TLS][Line][Web][Safe] + idle: [...101] [ip4][..tcp] [.119.235.235.84][..443] -> [...192.168.5.16][53406] + end: [....46] [ip4][..tcp] [..192.168.115.8][49612] -> [.183.131.48.145][...80] [HTTP][Unknown][Web][Acceptable][183.131.48.145] + RISK: HTTP Susp User-Agent, HTTP/TLS/QUIC Numeric Hostname/SNI + idle: [....49] [ip4][..tcp] [..192.168.115.8][49613] -> [.183.131.48.144][...80] [HTTP][Unknown][Media][Acceptable][183.131.48.144] + RISK: HTTP Susp User-Agent, HTTP/TLS/QUIC Numeric Hostname/SNI + idle: [....24] [ip4][..udp] [..192.168.115.8][52723] -> [.....168.95.1.1][...53] [DNS.1kxun][Unknown][Network][Fun][kankan.1kxun.com] + not-detected: [....89] [ip6][..udp] [................fe80::4e5e:cff:feea:365][.5678] -> [................................ff02::1][.5678] [Unknown][Unknown][Unrated] + RISK: Susp Entropy + idle: [....89] [ip6][..udp] [................fe80::4e5e:cff:feea:365][.5678] -> [................................ff02::1][.5678] + not-detected: [....60] [ip6][..udp] [...............fe80::4e5e:cff:fe9a:ec54][.5678] -> [................................ff02::1][.5678] [Unknown][Unknown][Unrated] + RISK: Susp Entropy + idle: [....60] [ip6][..udp] [...............fe80::4e5e:cff:fe9a:ec54][.5678] -> [................................ff02::1][.5678] + idle: [...119] [ip4][..udp] [...192.168.5.16][..123] -> [..17.253.26.125][..123] [NTP][Apple][System][Acceptable] + idle: [....16] [ip4][..udp] [..192.168.115.8][52723] -> [........8.8.8.8][...53] [DNS.1kxun][Google][Network][Fun][kankan.1kxun.com] + guessed: [....57] [ip4][..tcp] [..192.168.115.8][49596] -> [..203.66.182.87][..443] [TLS][Unknown][Web][Safe] + idle: [....57] [ip4][..tcp] [..192.168.115.8][49596] -> [..203.66.182.87][..443] + idle: [....53] [ip4][..udp] [...192.168.5.49][61548] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][caesar-thinkpad] + idle: [....93] [ip6][..udp] [..............fe80::beee:7bff:fe0c:b3de][..546] -> [..............................ff02::1:2][..547] [DHCPV6][Unknown][Network][Acceptable] + idle: [....11] [ip4][..udp] [...192.168.5.47][61603] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][ro_x1c] + idle: [....33] [ip6][..udp] [..............fe80::e98f:bae2:19f7:6b0f][54888] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable][????????????] + RISK: Non-Printable/Invalid Chars Detected + idle: [.....1] [ip4][..udp] [...192.168.5.44][59571] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][jason-pc] + idle: [....10] [ip6][..udp] [..............fe80::edf5:240a:c8c0:8312][61603] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable][ro_x1c] + idle: [....98] [ip4][..udp] [...192.168.3.95][51451] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][????????????] + RISK: Non-Printable/Invalid Chars Detected + idle: [....83] [ip4][..udp] [...192.168.5.49][.1900] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] + idle: [....13] [ip4][..udp] [..192.168.115.8][51458] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][wpad] + idle: [...128] [ip6][..udp] [..............fe80::5d92:62a8:ebde:1319][58468] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable][wangs-ltw] + idle: [...121] [ip4][..udp] [...192.168.5.41][55593] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][kevin-pc] + not-detected: [....86] [ip4][..udp] [.59.120.208.212][32768] -> [255.255.255.255][.1947] [Unknown][Unknown][Unrated] + idle: [....86] [ip4][..udp] [.59.120.208.212][32768] -> [255.255.255.255][.1947] + idle: [...115] [ip4][..udp] [..192.168.3.236][59730] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable][sonusav] + idle: [....84] [ip6][..udp] [...............fe80::9bd:81dd:2fdc:5750][.1900] -> [................................ff02::c][.1900] [SSDP][Unknown][System][Acceptable][[ff02::c]:1900] + new: [...137] [ip4][..tcp] [..192.168.2.126][47272] -> [..161.117.13.29][...80] [MIDSTREAM] + detected: [...137] [ip4][..tcp] [..192.168.2.126][47272] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][messages.1kxun.mobi] + new: [...138] [ip4][..tcp] [..192.168.2.126][38834] -> [..119.45.78.184][...80] [MIDSTREAM] + detected: [...138] [ip4][..tcp] [..192.168.2.126][38834] -> [..119.45.78.184][...80] [HTTP.QQ][Tencent][Chat][Fun][pingma.qq.com] + RISK: HTTP Susp User-Agent + detection-update: [...138] [ip4][..tcp] [..192.168.2.126][38834] -> [..119.45.78.184][...80] [HTTP.QQ][Tencent][Chat][Fun][pingma.qq.com] + RISK: HTTP Susp User-Agent, Unidirectional Traffic + detection-update: [...138] [ip4][..tcp] [..192.168.2.126][38834] -> [..119.45.78.184][...80] [HTTP.QQ][Tencent][Chat][Fun][pingma.qq.com] + RISK: HTTP Susp User-Agent, Error Code + new: [...139] [ip4][..tcp] [..192.168.2.126][60148] -> [.172.105.121.82][...80] [MIDSTREAM] + detected: [...139] [ip4][..tcp] [..192.168.2.126][60148] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + new: [...140] [ip4][..tcp] [..192.168.2.126][49242] -> [.172.104.119.80][...80] [MIDSTREAM] + detected: [...140] [ip4][..tcp] [..192.168.2.126][49242] -> [.172.104.119.80][...80] [HTTP.1kxun][Unknown][Streaming][Fun][android.yingshi.tcclick.1kxun.com] + detection-update: [...140] [ip4][..tcp] [..192.168.2.126][49242] -> [.172.104.119.80][...80] [HTTP.1kxun][Unknown][Streaming][Fun][android.yingshi.tcclick.1kxun.com] + RISK: Error Code + new: [...141] [ip4][..tcp] [..192.168.2.126][46184] -> [.172.105.121.82][...80] [MIDSTREAM] + detected: [...141] [ip4][..tcp] [..192.168.2.126][46184] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + new: [...142] [ip4][..tcp] [..192.168.2.126][46170] -> [.172.105.121.82][...80] [MIDSTREAM] + detected: [...142] [ip4][..tcp] [..192.168.2.126][46170] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + new: [...143] [ip4][..tcp] [..192.168.2.126][46200] -> [.172.105.121.82][...80] [MIDSTREAM] + detected: [...143] [ip4][..tcp] [..192.168.2.126][46200] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + new: [...144] [ip4][..tcp] [..192.168.2.126][46212] -> [.172.105.121.82][...80] [MIDSTREAM] + detected: [...144] [ip4][..tcp] [..192.168.2.126][46212] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + analyse: [...142] [ip4][..tcp] [..192.168.2.126][46170] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.895| 0.069| 0.184| 33990.969| 2.200] + [PKTLEN......: 260.000| 21652.000| 4534.200| 5608.100| 31450232.000| 4.200] + [BINS(c->s)..: 0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,16] + [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1] + [IATS(ms)....: 356.2,0.1,308.1,0.1,2.4,3.2,0.1,200.2,0.0,0.1,0.0,0.0,0.0,0.0,0.0,1.6,0.1,0.1,0.0,0.0,0.0,0.0,0.0,0.0,895.3,372.0,0.0,1.3,0.1,1.9,0.0] + [PKTLENS.....: 264,373,13012,14452,2932,2932,1492,7252,2932,1492,2932,2932,1492,1492,1492,1492,1492,4372,6324,2932,2932,1492,1492,1492,788,260,373,17332,21652,1492,4372,17332] + [ENTROPIES...: 5.9,5.7,8.0,8.0,7.9,7.9,7.9,8.0,7.9,7.8,7.9,7.9,7.9,7.8,7.8,7.9,7.8,7.9,7.9,7.9,7.9,7.9,7.8,7.8,7.7,5.8,5.8,8.0,8.0,7.9,7.9,8.0] + new: [...145] [ip4][..tcp] [..192.168.2.126][35200] -> [...103.29.71.30][...80] [MIDSTREAM] + detected: [...145] [ip4][..tcp] [..192.168.2.126][35200] -> [...103.29.71.30][...80] [HTTP.1kxun][Unknown][Streaming][Fun][release.bigdata.1kxun.com] + new: [...146] [ip4][..tcp] [..192.168.2.126][45380] -> [..161.117.13.29][...80] [MIDSTREAM] + detected: [...146] [ip4][..tcp] [..192.168.2.126][45380] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + new: [...147] [ip4][..tcp] [..192.168.2.126][45388] -> [..161.117.13.29][...80] [MIDSTREAM] + detected: [...147] [ip4][..tcp] [..192.168.2.126][45388] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + new: [...148] [ip4][..tcp] [..192.168.2.126][45398] -> [..161.117.13.29][...80] [MIDSTREAM] + detected: [...148] [ip4][..tcp] [..192.168.2.126][45398] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + new: [...149] [ip4][..tcp] [..192.168.2.126][45414] -> [..161.117.13.29][...80] [MIDSTREAM] + detected: [...149] [ip4][..tcp] [..192.168.2.126][45414] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + new: [...150] [ip4][..tcp] [..192.168.2.126][45416] -> [..161.117.13.29][...80] [MIDSTREAM] + detected: [...150] [ip4][..tcp] [..192.168.2.126][45416] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + new: [...151] [ip4][..tcp] [..192.168.2.126][45422] -> [..161.117.13.29][...80] [MIDSTREAM] + detected: [...151] [ip4][..tcp] [..192.168.2.126][45422] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + new: [...152] [ip4][..tcp] [..192.168.2.126][45424] -> [..161.117.13.29][...80] [MIDSTREAM] + detected: [...152] [ip4][..tcp] [..192.168.2.126][45424] -> [..161.117.13.29][...80] [HTTP][Alibaba][Streaming][Acceptable][tcad.wedolook.com] + new: [...153] [ip4][..tcp] [..192.168.2.126][41390] -> [....18.64.79.37][...80] [MIDSTREAM] + detected: [...153] [ip4][..tcp] [..192.168.2.126][41390] -> [....18.64.79.37][...80] [HTTP.Google][AmazonAWS][Web][Acceptable][google.open-js.com] + RISK: Susp Entropy + analyse: [...146] [ip4][..tcp] [..192.168.2.126][45380] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.409| 0.085| 0.132| 17528.007| 3.300] + [PKTLEN......: 476.000| 8692.000| 2601.900| 2200.300| 4841425.000| 4.600] + [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,16,0,12] + [DIRECTIONS..: 0,1,1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] + [IATS(ms)....: 380.4,4.6,408.6,215.7,0.5,1.0,1.0,178.5,0.3,0.5,379.6,185.4,1.4,0.7,331.7,5.7,174.2,6.1,0.3,0.9,170.5,0.4,6.0,1.1,0.3,0.7,169.5,0.5,0.6,5.3,0.4] + [PKTLENS.....: 817,1492,1253,488,1492,1492,7252,4372,1492,1492,2504,476,2932,8692,1492,2932,8692,2932,1492,1492,7252,1492,1492,2932,1492,1492,2932,1492,1492,2932,1492,1492] + [ENTROPIES...: 5.9,7.7,7.8,5.9,7.6,7.9,8.0,8.0,7.9,7.9,7.9,5.9,7.8,8.0,7.9,7.9,8.0,7.9,7.9,7.9,8.0,7.9,7.8,7.9,7.8,7.8,7.9,7.9,7.9,7.9,7.9,7.9] + new: [...154] [ip4][..tcp] [..192.168.2.126][51888] -> [.119.28.164.143][...80] [MIDSTREAM] + detected: [...154] [ip4][..tcp] [..192.168.2.126][51888] -> [.119.28.164.143][...80] [HTTP][Tencent][Web][Acceptable][qzonestyle.gtimg.cn] + new: [...155] [ip4][..tcp] [..192.168.2.126][38354] -> [.142.250.186.34][...80] [MIDSTREAM] + detected: [...155] [ip4][..tcp] [..192.168.2.126][38354] -> [.142.250.186.34][...80] [HTTP.Google][Google][Advertisement][Acceptable][pagead2.googlesyndication.com] + new: [...156] [ip4][..tcp] [..192.168.2.126][36732] -> [142.250.186.174][...80] [MIDSTREAM] + detected: [...156] [ip4][..tcp] [..192.168.2.126][36732] -> [142.250.186.174][...80] [HTTP.Google][Google][Advertisement][Acceptable][www.google-analytics.com] + new: [...157] [ip4][..tcp] [..192.168.2.126][49354] -> [.14.136.136.108][...80] [MIDSTREAM] + detected: [...157] [ip4][..tcp] [..192.168.2.126][49354] -> [.14.136.136.108][...80] [HTTP.1kxun][Unknown][Streaming][Fun][hkbn.content.1kxun.com] + new: [...158] [ip4][..tcp] [..192.168.2.126][49372] -> [.14.136.136.108][...80] [MIDSTREAM] + detected: [...158] [ip4][..tcp] [..192.168.2.126][49372] -> [.14.136.136.108][...80] [HTTP.1kxun][Unknown][Streaming][Fun][hkbn.content.1kxun.com] + new: [...159] [ip4][..tcp] [..192.168.2.126][49370] -> [.14.136.136.108][...80] [MIDSTREAM] + detected: [...159] [ip4][..tcp] [..192.168.2.126][49370] -> [.14.136.136.108][...80] [HTTP.1kxun][Unknown][Streaming][Fun][hkbn.content.1kxun.com] + new: [...160] [ip4][..tcp] [..192.168.2.126][49380] -> [.14.136.136.108][...80] [MIDSTREAM] + detected: [...160] [ip4][..tcp] [..192.168.2.126][49380] -> [.14.136.136.108][...80] [HTTP.1kxun][Unknown][Streaming][Fun][hkbn.content.1kxun.com] + new: [...161] [ip4][..tcp] [..192.168.2.126][49412] -> [.14.136.136.108][...80] [MIDSTREAM] + detected: [...161] [ip4][..tcp] [..192.168.2.126][49412] -> [.14.136.136.108][...80] [HTTP.1kxun][Unknown][Streaming][Fun][hkbn.content.1kxun.com] + new: [...162] [ip4][..tcp] [..192.168.2.126][49396] -> [.14.136.136.108][...80] [MIDSTREAM] + detected: [...162] [ip4][..tcp] [..192.168.2.126][49396] -> [.14.136.136.108][...80] [HTTP.1kxun][Unknown][Streaming][Fun][hkbn.content.1kxun.com] + analyse: [...160] [ip4][..tcp] [..192.168.2.126][49380] -> [.14.136.136.108][...80] [HTTP.1kxun][Unknown][Streaming][Fun][hkbn.content.1kxun.com] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.887| 0.071| 0.171| 29312.068| 2.600] + [PKTLEN......: 337.000| 18772.000| 3143.800| 3724.000| 13867894.000| 4.300] + [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,17,0,11] + [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1] + [IATS(ms)....: 223.7,209.6,1.7,0.0,207.2,0.4,1.3,0.7,0.5,0.5,1.2,204.0,0.4,1.4,0.7,0.6,3.5,0.0,0.0,886.9,237.6,0.5,1.0,2.5,0.8,206.7,0.9,0.4,0.9,0.0,0.7] + [PKTLENS.....: 566,2932,1492,1492,11572,1492,1492,2932,1492,1492,1492,7252,1492,1492,1492,1492,4372,1492,2932,4239,578,337,1492,8692,18772,1492,2932,1492,1492,5812,1492,1316] + [ENTROPIES...: 5.9,7.9,7.8,7.8,8.0,7.8,7.9,7.9,7.9,7.9,7.8,8.0,7.8,7.8,7.8,7.9,7.9,7.8,7.9,7.9,5.9,5.8,7.8,8.0,8.0,7.9,7.9,7.9,7.9,8.0,7.9,7.9] + analyse: [...158] [ip4][..tcp] [..192.168.2.126][49372] -> [.14.136.136.108][...80] [HTTP.1kxun][Unknown][Streaming][Fun][hkbn.content.1kxun.com] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.900| 0.096| 0.189| 35619.967| 3.000] + [PKTLEN......: 337.000| 18772.000| 3651.900| 4182.900| 17496908.000| 4.300] + [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,14] + [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,0,1,1,1] + [IATS(ms)....: 205.6,2.1,0.0,0.0,0.0,224.8,0.4,0.3,1.4,0.0,193.7,0.4,0.4,1.7,1.3,1.9,226.0,899.7,238.0,0.0,2.4,199.2,0.5,1.0,1.3,0.0,0.0,407.3,371.5,0.0,1.5] + [PKTLENS.....: 566,337,1492,4372,2932,4372,1492,1492,1492,1492,5812,1492,1492,1492,2932,4372,5812,3718,578,337,7252,15892,1492,1492,7252,1492,5812,640,566,337,7787,18772] + [ENTROPIES...: 5.9,5.9,7.3,7.9,7.9,7.9,7.8,7.8,7.8,7.9,8.0,7.8,7.8,7.8,7.9,7.9,7.9,7.9,5.9,5.8,8.0,8.0,7.9,7.9,8.0,7.9,8.0,7.7,5.9,5.9,7.9,8.0] + new: [...163] [ip4][..tcp] [..192.168.2.126][44368] -> [..172.217.18.98][...80] [MIDSTREAM] + detected: [...163] [ip4][..tcp] [..192.168.2.126][44368] -> [..172.217.18.98][...80] [HTTP.GoogleServices][Google][Web][Acceptable][www.googletagservices.com] + RISK: Susp Entropy + new: [...164] [ip4][..tcp] [..192.168.2.126][50140] -> [..161.117.13.29][...80] [MIDSTREAM] + detected: [...164] [ip4][..tcp] [..192.168.2.126][50140] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + new: [...165] [ip4][..tcp] [..192.168.2.126][50148] -> [..161.117.13.29][...80] [MIDSTREAM] + detected: [...165] [ip4][..tcp] [..192.168.2.126][50148] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + new: [...166] [ip4][..tcp] [..192.168.2.126][50164] -> [..161.117.13.29][...80] [MIDSTREAM] + detected: [...166] [ip4][..tcp] [..192.168.2.126][50164] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + new: [...167] [ip4][..tcp] [..192.168.2.126][50166] -> [..161.117.13.29][...80] [MIDSTREAM] + detected: [...167] [ip4][..tcp] [..192.168.2.126][50166] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + new: [...168] [ip4][..tcp] [..192.168.2.126][50176] -> [..161.117.13.29][...80] [MIDSTREAM] + detected: [...168] [ip4][..tcp] [..192.168.2.126][50176] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + analyse: [...150] [ip4][..tcp] [..192.168.2.126][45416] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 6.045| 1.047| 1.982| 3926937.043| 3.000] + [PKTLEN......: 486.000| 14452.000| 2813.500| 2993.900| 8963654.000| 4.400] + [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,1,0,0,7,0,13] + [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,1,0,1,1,1,0,1] + [IATS(ms)....: 188.5,0.0,1.4,179.4,1.4,0.7,0.4,2.4,0.7,270.1,0.1,0.0,0.6,0.0,3892.8,3428.9,186.1,186.3,192.6,209.0,367.2,352.3,5253.8,5339.0,3.6,6045.0,5959.1,0.4,0.5,194.9,189.4] + [PKTLENS.....: 486,2932,2932,8692,2932,7252,1492,1492,14452,1492,2932,2932,7252,7252,4078,803,695,805,1511,807,1401,803,1516,1065,2932,1130,1155,1492,1492,1575,1166,1083] + [ENTROPIES...: 5.9,7.8,7.9,8.0,7.9,8.0,7.9,7.9,8.0,7.9,7.9,7.9,8.0,8.0,8.0,5.9,6.4,5.9,7.5,5.9,6.2,5.9,6.5,5.8,6.5,6.8,5.8,6.4,7.8,7.9,5.8,6.9] + new: [...169] [ip4][..tcp] [..192.168.2.126][38326] -> [.172.105.121.82][...80] [MIDSTREAM] + detected: [...169] [ip4][..tcp] [..192.168.2.126][38326] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + new: [...170] [ip4][..tcp] [..192.168.2.126][38314] -> [.172.105.121.82][...80] [MIDSTREAM] + detected: [...170] [ip4][..tcp] [..192.168.2.126][38314] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + new: [...171] [ip4][..tcp] [..192.168.2.126][38316] -> [.172.105.121.82][...80] [MIDSTREAM] + detected: [...171] [ip4][..tcp] [..192.168.2.126][38316] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + new: [...172] [ip4][..tcp] [..192.168.2.126][59324] -> [.104.117.221.10][...80] [MIDSTREAM] + detected: [...172] [ip4][..tcp] [..192.168.2.126][59324] -> [.104.117.221.10][...80] [HTTP][Unknown][Web][Acceptable][m.vpon.com] + new: [...173] [ip4][..tcp] [..192.168.2.126][56094] -> [....3.72.69.158][...80] [MIDSTREAM] + detected: [...173] [ip4][..tcp] [..192.168.2.126][56094] -> [....3.72.69.158][...80] [HTTP][AmazonAWS][Web][Acceptable][setting.rayjump.com] + new: [...174] [ip4][..tcp] [..192.168.2.126][56098] -> [....3.72.69.158][...80] [MIDSTREAM] + detected: [...174] [ip4][..tcp] [..192.168.2.126][56098] -> [....3.72.69.158][...80] [HTTP][AmazonAWS][Web][Acceptable][setting.rayjump.com] + new: [...175] [ip4][..tcp] [..192.168.2.126][56096] -> [....3.72.69.158][...80] [MIDSTREAM] + detected: [...175] [ip4][..tcp] [..192.168.2.126][56096] -> [....3.72.69.158][...80] [HTTP][AmazonAWS][Web][Acceptable][setting.rayjump.com] + new: [...176] [ip4][..tcp] [..192.168.2.126][56104] -> [....3.72.69.158][...80] [MIDSTREAM] + detected: [...176] [ip4][..tcp] [..192.168.2.126][56104] -> [....3.72.69.158][...80] [HTTP][AmazonAWS][Web][Acceptable][setting.rayjump.com] + new: [...177] [ip4][..tcp] [..192.168.2.126][43266] -> [....18.64.79.58][...80] [MIDSTREAM] + detected: [...177] [ip4][..tcp] [..192.168.2.126][43266] -> [....18.64.79.58][...80] [HTTP][AmazonAWS][Web][Acceptable][net.rayjump.com] + new: [...178] [ip4][..tcp] [..192.168.2.126][56826] -> [...8.209.97.107][...80] [MIDSTREAM] + detected: [...178] [ip4][..tcp] [..192.168.2.126][56826] -> [...8.209.97.107][...80] [HTTP][Alibaba][Web][Acceptable][analytics.rayjump.com] + detection-update: [...178] [ip4][..tcp] [..192.168.2.126][56826] -> [...8.209.97.107][...80] [HTTP][Alibaba][Web][Acceptable][analytics.rayjump.com] + RISK: Unidirectional Traffic + detection-update: [...178] [ip4][..tcp] [..192.168.2.126][56826] -> [...8.209.97.107][...80] [HTTP][Alibaba][Web][Acceptable][analytics.rayjump.com] + new: [...179] [ip4][..tcp] [..192.168.2.126][43272] -> [....18.64.79.58][...80] [MIDSTREAM] + detected: [...179] [ip4][..tcp] [..192.168.2.126][43272] -> [....18.64.79.58][...80] [HTTP][AmazonAWS][Web][Acceptable][net.rayjump.com] + new: [...180] [ip4][..tcp] [..192.168.2.126][58758] -> [.202.153.196.53][...80] [MIDSTREAM] + detected: [...180] [ip4][..tcp] [..192.168.2.126][58758] -> [.202.153.196.53][...80] [HTTP][Unknown][Web][Acceptable][tw.api.vpon.com] + new: [...181] [ip4][..tcp] [..192.168.2.126][58760] -> [.202.153.196.53][...80] [MIDSTREAM] + detected: [...181] [ip4][..tcp] [..192.168.2.126][58760] -> [.202.153.196.53][...80] [HTTP][Unknown][Web][Acceptable][tw.api.vpon.com] + new: [...182] [ip4][..tcp] [..192.168.2.126][35664] -> [.....18.66.2.90][...80] [MIDSTREAM] + detected: [...182] [ip4][..tcp] [..192.168.2.126][35664] -> [.....18.66.2.90][...80] [HTTP][AmazonAWS][Web][Acceptable][cdn.liftoff.io] + new: [...183] [ip4][..tcp] [..192.168.2.126][35666] -> [.....18.66.2.90][...80] [MIDSTREAM] + detected: [...183] [ip4][..tcp] [..192.168.2.126][35666] -> [.....18.66.2.90][...80] [HTTP.MpegDash][AmazonAWS][Media][Fun][cdn.liftoff.io] + new: [...184] [ip4][..tcp] [..192.168.2.126][36636] -> [...18.64.103.30][...80] [MIDSTREAM] + detected: [...184] [ip4][..tcp] [..192.168.2.126][36636] -> [...18.64.103.30][...80] [HTTP][AmazonAWS][Web][Acceptable][hybird.rayjump.com] + new: [...185] [ip4][..tcp] [..192.168.2.126][36640] -> [...18.64.103.30][...80] [MIDSTREAM] + detected: [...185] [ip4][..tcp] [..192.168.2.126][36640] -> [...18.64.103.30][...80] [HTTP][AmazonAWS][Web][Acceptable][hybird.rayjump.com] + new: [...186] [ip4][..tcp] [..192.168.2.126][36654] -> [...18.64.103.30][...80] [MIDSTREAM] + detected: [...186] [ip4][..tcp] [..192.168.2.126][36654] -> [...18.64.103.30][...80] [HTTP][AmazonAWS][Web][Acceptable][hybird.rayjump.com] + new: [...187] [ip4][..tcp] [..192.168.2.126][36660] -> [...18.64.103.30][...80] [MIDSTREAM] + detected: [...187] [ip4][..tcp] [..192.168.2.126][36660] -> [...18.64.103.30][...80] [HTTP][AmazonAWS][Web][Acceptable][hybird.rayjump.com] + new: [...188] [ip4][..tcp] [..192.168.2.126][37100] -> [..52.29.177.177][...80] [MIDSTREAM] + detected: [...188] [ip4][..tcp] [..192.168.2.126][37100] -> [..52.29.177.177][...80] [HTTP][AmazonAWS][Web][Acceptable][] + RISK: HTTP Susp User-Agent + detection-update: [...188] [ip4][..tcp] [..192.168.2.126][37100] -> [..52.29.177.177][...80] [HTTP][AmazonAWS][Web][Acceptable][] + RISK: HTTP Susp User-Agent, Unidirectional Traffic + new: [...189] [ip4][..tcp] [..192.168.2.126][42554] -> [...35.156.44.13][...80] [MIDSTREAM] + detected: [...189] [ip4][..tcp] [..192.168.2.126][42554] -> [...35.156.44.13][...80] [HTTP][AmazonAWS][Web][Acceptable][de01.rayjump.com] + detection-update: [...188] [ip4][..tcp] [..192.168.2.126][37100] -> [..52.29.177.177][...80] [HTTP][AmazonAWS][Web][Acceptable][adx-tk.rayjump.com] + RISK: Unidirectional Traffic + new: [...190] [ip4][..tcp] [..192.168.2.126][42566] -> [...35.156.44.13][...80] [MIDSTREAM] + detected: [...190] [ip4][..tcp] [..192.168.2.126][42566] -> [...35.156.44.13][...80] [HTTP][AmazonAWS][Web][Acceptable][] + detection-update: [...190] [ip4][..tcp] [..192.168.2.126][42566] -> [...35.156.44.13][...80] [HTTP][AmazonAWS][Web][Acceptable][] + RISK: Unidirectional Traffic + new: [...191] [ip4][..tcp] [..192.168.2.126][41940] -> [....18.64.79.50][...80] [MIDSTREAM] + detected: [...191] [ip4][..tcp] [..192.168.2.126][41940] -> [....18.64.79.50][...80] [HTTP][AmazonAWS][Web][Acceptable][tknet-cdn.rayjump.com] + detection-update: [...190] [ip4][..tcp] [..192.168.2.126][42566] -> [...35.156.44.13][...80] [HTTP][AmazonAWS][Web][Acceptable][de01.rayjump.com] + RISK: Unidirectional Traffic + detection-update: [...188] [ip4][..tcp] [..192.168.2.126][37100] -> [..52.29.177.177][...80] [HTTP][AmazonAWS][Web][Acceptable][adx-tk.rayjump.com] + detection-update: [...190] [ip4][..tcp] [..192.168.2.126][42566] -> [...35.156.44.13][...80] [HTTP][AmazonAWS][Web][Acceptable][de01.rayjump.com] + new: [...192] [ip4][..tcp] [..192.168.2.126][54810] -> [..18.233.123.55][...80] [MIDSTREAM] + detected: [...192] [ip4][..tcp] [..192.168.2.126][54810] -> [..18.233.123.55][...80] [HTTP][AmazonAWS][Web][Acceptable][impression-east.liftoff.io] + new: [...193] [ip4][..tcp] [..192.168.2.126][40204] -> [...18.235.204.9][...80] [MIDSTREAM] + detected: [...193] [ip4][..tcp] [..192.168.2.126][40204] -> [...18.235.204.9][...80] [HTTP][AmazonAWS][Web][Acceptable][adexp.liftoff.io] + new: [...194] [ip4][..tcp] [..192.168.2.126][53416] -> [.172.217.16.142][...80] [MIDSTREAM] + detected: [...194] [ip4][..tcp] [..192.168.2.126][53416] -> [.172.217.16.142][...80] [HTTP.Google][Google][Web][Acceptable][play.google.com] + RISK: Susp Entropy + new: [...195] [ip4][..tcp] [..192.168.2.126][33042] -> [...3.122.190.70][...80] [MIDSTREAM] + detected: [...195] [ip4][..tcp] [..192.168.2.126][33042] -> [...3.122.190.70][...80] [HTTP][AmazonAWS][Web][Acceptable][click.liftoff.io] + new: [...196] [ip4][..tcp] [..192.168.2.126][35426] -> [..8.209.112.118][...80] [MIDSTREAM] + detected: [...196] [ip4][..tcp] [..192.168.2.126][35426] -> [..8.209.112.118][...80] [HTTP][Alibaba][Web][Acceptable][analytics.rayjump.com] + detection-update: [...196] [ip4][..tcp] [..192.168.2.126][35426] -> [..8.209.112.118][...80] [HTTP][Alibaba][Web][Acceptable][analytics.rayjump.com] + RISK: Unidirectional Traffic + detection-update: [...196] [ip4][..tcp] [..192.168.2.126][35426] -> [..8.209.112.118][...80] [HTTP][Alibaba][Web][Acceptable][analytics.rayjump.com] + new: [...197] [ip4][..tcp] [..192.168.2.126][51686] -> [....18.64.79.64][...80] [MIDSTREAM] + detected: [...197] [ip4][..tcp] [..192.168.2.126][51686] -> [....18.64.79.64][...80] [HTTP][AmazonAWS][Web][Acceptable][net.rayjump.com] + idle: [...147] [ip4][..tcp] [..192.168.2.126][45388] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + idle: [...148] [ip4][..tcp] [..192.168.2.126][45398] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + idle: [...163] [ip4][..tcp] [..192.168.2.126][44368] -> [..172.217.18.98][...80] [HTTP.GoogleServices][Google][Web][Acceptable][www.googletagservices.com] + RISK: Susp Entropy + idle: [...178] [ip4][..tcp] [..192.168.2.126][56826] -> [...8.209.97.107][...80] [HTTP][Alibaba][Web][Acceptable][analytics.rayjump.com] + idle: [...149] [ip4][..tcp] [..192.168.2.126][45414] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + idle: [...150] [ip4][..tcp] [..192.168.2.126][45416] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + idle: [...151] [ip4][..tcp] [..192.168.2.126][45422] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + idle: [...152] [ip4][..tcp] [..192.168.2.126][45424] -> [..161.117.13.29][...80] [HTTP][Alibaba][Streaming][Acceptable][tcad.wedolook.com] + idle: [...154] [ip4][..tcp] [..192.168.2.126][51888] -> [.119.28.164.143][...80] [HTTP][Tencent][Web][Acceptable] + idle: [...192] [ip4][..tcp] [..192.168.2.126][54810] -> [..18.233.123.55][...80] [HTTP][AmazonAWS][Web][Acceptable][impression-east.liftoff.io] + idle: [...184] [ip4][..tcp] [..192.168.2.126][36636] -> [...18.64.103.30][...80] [HTTP][AmazonAWS][Web][Acceptable][hybird.rayjump.com] + idle: [...185] [ip4][..tcp] [..192.168.2.126][36640] -> [...18.64.103.30][...80] [HTTP][AmazonAWS][Web][Acceptable][hybird.rayjump.com] + idle: [...186] [ip4][..tcp] [..192.168.2.126][36654] -> [...18.64.103.30][...80] [HTTP][AmazonAWS][Web][Acceptable][hybird.rayjump.com] + idle: [...187] [ip4][..tcp] [..192.168.2.126][36660] -> [...18.64.103.30][...80] [HTTP][AmazonAWS][Web][Acceptable] + idle: [...180] [ip4][..tcp] [..192.168.2.126][58758] -> [.202.153.196.53][...80] [HTTP][Unknown][Web][Acceptable][tw.api.vpon.com] + idle: [...181] [ip4][..tcp] [..192.168.2.126][58760] -> [.202.153.196.53][...80] [HTTP][Unknown][Web][Acceptable][tw.api.vpon.com] + idle: [...170] [ip4][..tcp] [..192.168.2.126][38314] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + idle: [...171] [ip4][..tcp] [..192.168.2.126][38316] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + idle: [...169] [ip4][..tcp] [..192.168.2.126][38326] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + idle: [...193] [ip4][..tcp] [..192.168.2.126][40204] -> [...18.235.204.9][...80] [HTTP][AmazonAWS][Web][Acceptable][adexp.liftoff.io] + idle: [...155] [ip4][..tcp] [..192.168.2.126][38354] -> [.142.250.186.34][...80] [HTTP.Google][Google][Advertisement][Acceptable][pagead2.googlesyndication.com] + idle: [...157] [ip4][..tcp] [..192.168.2.126][49354] -> [.14.136.136.108][...80] [HTTP.1kxun][Unknown][Streaming][Fun][hkbn.content.1kxun.com] + idle: [...159] [ip4][..tcp] [..192.168.2.126][49370] -> [.14.136.136.108][...80] [HTTP.1kxun][Unknown][Streaming][Fun][hkbn.content.1kxun.com] + idle: [...158] [ip4][..tcp] [..192.168.2.126][49372] -> [.14.136.136.108][...80] [HTTP.1kxun][Unknown][Streaming][Fun][hkbn.content.1kxun.com] + idle: [...160] [ip4][..tcp] [..192.168.2.126][49380] -> [.14.136.136.108][...80] [HTTP.1kxun][Unknown][Streaming][Fun][hkbn.content.1kxun.com] + idle: [...162] [ip4][..tcp] [..192.168.2.126][49396] -> [.14.136.136.108][...80] [HTTP.1kxun][Unknown][Streaming][Fun][hkbn.content.1kxun.com] + idle: [...140] [ip4][..tcp] [..192.168.2.126][49242] -> [.172.104.119.80][...80] [HTTP.1kxun][Unknown][Streaming][Fun][android.yingshi.tcclick.1kxun.com] + RISK: Error Code + idle: [...161] [ip4][..tcp] [..192.168.2.126][49412] -> [.14.136.136.108][...80] [HTTP.1kxun][Unknown][Streaming][Fun][hkbn.content.1kxun.com] + idle: [...177] [ip4][..tcp] [..192.168.2.126][43266] -> [....18.64.79.58][...80] [HTTP][AmazonAWS][Web][Acceptable] + idle: [...179] [ip4][..tcp] [..192.168.2.126][43272] -> [....18.64.79.58][...80] [HTTP][AmazonAWS][Web][Acceptable][net.rayjump.com] + idle: [...164] [ip4][..tcp] [..192.168.2.126][50140] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + idle: [...165] [ip4][..tcp] [..192.168.2.126][50148] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + idle: [...166] [ip4][..tcp] [..192.168.2.126][50164] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + idle: [...167] [ip4][..tcp] [..192.168.2.126][50166] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + idle: [...168] [ip4][..tcp] [..192.168.2.126][50176] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + idle: [...153] [ip4][..tcp] [..192.168.2.126][41390] -> [....18.64.79.37][...80] [HTTP.Google][AmazonAWS][Web][Acceptable][google.open-js.com] + RISK: Susp Entropy + idle: [...197] [ip4][..tcp] [..192.168.2.126][51686] -> [....18.64.79.64][...80] [HTTP][AmazonAWS][Web][Acceptable][net.rayjump.com] + idle: [...156] [ip4][..tcp] [..192.168.2.126][36732] -> [142.250.186.174][...80] [HTTP.Google][Google][Advertisement][Acceptable][www.google-analytics.com] + idle: [...194] [ip4][..tcp] [..192.168.2.126][53416] -> [.172.217.16.142][...80] [HTTP.Google][Google][Web][Acceptable][play.google.com] + RISK: Susp Entropy + idle: [...189] [ip4][..tcp] [..192.168.2.126][42554] -> [...35.156.44.13][...80] [HTTP][AmazonAWS][Web][Acceptable][de01.rayjump.com] + idle: [...190] [ip4][..tcp] [..192.168.2.126][42566] -> [...35.156.44.13][...80] [HTTP][AmazonAWS][Web][Acceptable][de01.rayjump.com] + idle: [...195] [ip4][..tcp] [..192.168.2.126][33042] -> [...3.122.190.70][...80] [HTTP][AmazonAWS][Web][Acceptable][click.liftoff.io] + idle: [...173] [ip4][..tcp] [..192.168.2.126][56094] -> [....3.72.69.158][...80] [HTTP][AmazonAWS][Web][Acceptable][setting.rayjump.com] + idle: [...175] [ip4][..tcp] [..192.168.2.126][56096] -> [....3.72.69.158][...80] [HTTP][AmazonAWS][Web][Acceptable][setting.rayjump.com] + idle: [...174] [ip4][..tcp] [..192.168.2.126][56098] -> [....3.72.69.158][...80] [HTTP][AmazonAWS][Web][Acceptable][setting.rayjump.com] + idle: [...176] [ip4][..tcp] [..192.168.2.126][56104] -> [....3.72.69.158][...80] [HTTP][AmazonAWS][Web][Acceptable][setting.rayjump.com] + idle: [...134] [ip4][..tcp] [..192.168.2.126][41134] -> [.129.226.107.77][...80] [HTTP.QQ][Tencent][Chat][Fun][cgi.connect.qq.com] + idle: [...130] [ip4][..tcp] [..192.168.2.126][60962] -> [..172.104.93.92][.1234] [HTTP.1kxun][Unknown][Streaming][Fun][ws.1kxun.mobi] + RISK: Known Proto on Non Std Port + idle: [...131] [ip4][..tcp] [..192.168.2.126][60972] -> [..172.104.93.92][.1234] [HTTP.1kxun][Unknown][Streaming][Fun][ws.1kxun.mobi] + RISK: Known Proto on Non Std Port + idle: [...132] [ip4][..tcp] [..192.168.2.126][60984] -> [..172.104.93.92][.1234] [HTTP.1kxun][Unknown][Streaming][Fun][ws.1kxun.mobi] + RISK: Known Proto on Non Std Port + idle: [...196] [ip4][..tcp] [..192.168.2.126][35426] -> [..8.209.112.118][...80] [HTTP][Alibaba][Web][Acceptable][analytics.rayjump.com] + idle: [...191] [ip4][..tcp] [..192.168.2.126][41940] -> [....18.64.79.50][...80] [HTTP][AmazonAWS][Web][Acceptable][tknet-cdn.rayjump.com] + idle: [...139] [ip4][..tcp] [..192.168.2.126][60148] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + idle: [...172] [ip4][..tcp] [..192.168.2.126][59324] -> [.104.117.221.10][...80] [HTTP][Unknown][Web][Acceptable][m.vpon.com] + idle: [...138] [ip4][..tcp] [..192.168.2.126][38834] -> [..119.45.78.184][...80] [HTTP.QQ][Tencent][Chat][Fun][pingma.qq.com] + RISK: HTTP Susp User-Agent, Error Code + idle: [...182] [ip4][..tcp] [..192.168.2.126][35664] -> [.....18.66.2.90][...80] [HTTP][AmazonAWS][Web][Acceptable][cdn.liftoff.io] + idle: [...183] [ip4][..tcp] [..192.168.2.126][35666] -> [.....18.66.2.90][...80] [HTTP.MpegDash][AmazonAWS][Media][Fun] + idle: [...142] [ip4][..tcp] [..192.168.2.126][46170] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + idle: [...141] [ip4][..tcp] [..192.168.2.126][46184] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + idle: [...133] [ip4][..tcp] [..192.168.2.126][47230] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Download][Fun][kankan.1kxun.mobi] + RISK: Binary File/Data Transfer (Attempt) + idle: [...188] [ip4][..tcp] [..192.168.2.126][37100] -> [..52.29.177.177][...80] [HTTP][AmazonAWS][Web][Acceptable][adx-tk.rayjump.com] + idle: [...143] [ip4][..tcp] [..192.168.2.126][46200] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + idle: [...135] [ip4][..tcp] [..192.168.2.126][47246] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][kankan.1kxun.com] + idle: [...144] [ip4][..tcp] [..192.168.2.126][46212] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun][pic.1kxun.com] + idle: [...136] [ip4][..tcp] [..192.168.2.126][47262] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][kankan.1kxun.com] + idle: [...137] [ip4][..tcp] [..192.168.2.126][47272] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][messages.1kxun.mobi] + idle: [...146] [ip4][..tcp] [..192.168.2.126][45380] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi] + idle: [...145] [ip4][..tcp] [..192.168.2.126][35200] -> [...103.29.71.30][...80] [HTTP.1kxun][Unknown][Streaming][Fun][release.bigdata.1kxun.com] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/guessing_disable/webex.pcap.out b/test/results/flow-info/guessing_disable/webex.pcap.out index 06a8c0f45..47cf0902e 100644 --- a/test/results/flow-info/guessing_disable/webex.pcap.out +++ b/test/results/flow-info/guessing_disable/webex.pcap.out @@ -31,7 +31,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [.....4] [ip4][..tcp] [.......10.8.0.1][41351] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable][radcom.webex.com] RISK: TLS (probably) Not Carrying HTTPS - analyse: [.....2] [ip4][..tcp] [.......10.8.0.1][41348] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable][radcom.webex.com] + analyse: [.....2] [ip4][..tcp] [.......10.8.0.1][41348] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.455| 0.115| 0.126| 15828.845| 4.100] [PKTLEN......: 40.000| 18006.000| 1574.700| 3700.100| 13691057.000| 2.900] @@ -399,9 +399,9 @@ RISK: TLS (probably) Not Carrying HTTPS idle: [.....2] [ip4][..tcp] [.......10.8.0.1][41348] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable][radcom.webex.com] RISK: TLS (probably) Not Carrying HTTPS - idle: [.....3] [ip4][..tcp] [.......10.8.0.1][41350] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable][radcom.webex.com] + idle: [.....3] [ip4][..tcp] [.......10.8.0.1][41350] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable] RISK: TLS (probably) Not Carrying HTTPS - idle: [.....4] [ip4][..tcp] [.......10.8.0.1][41351] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable][radcom.webex.com] + idle: [.....4] [ip4][..tcp] [.......10.8.0.1][41351] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable] RISK: TLS (probably) Not Carrying HTTPS end: [.....7] [ip4][..tcp] [.......10.8.0.1][41354] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable] RISK: Obsolete TLS (v1.1 or older), Weak TLS Cipher diff --git a/test/results/flow-info/ip_lists_disable/1kxun.pcap.out b/test/results/flow-info/ip_lists_disable/1kxun.pcap.out index f5971556d..94ef6dc6b 100644 --- a/test/results/flow-info/ip_lists_disable/1kxun.pcap.out +++ b/test/results/flow-info/ip_lists_disable/1kxun.pcap.out @@ -529,13 +529,13 @@ idle: [....25] [ip4][..tcp] [..192.168.115.8][49598] -> [.222.73.254.167][...80] [HTTP.1kxun][Unknown][Streaming][Fun][kankan.1kxun.com] guessed: [....17] [ip4][..tcp] [...192.168.5.16][53622] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] end: [....17] [ip4][..tcp] [...192.168.5.16][53622] -> [.192.168.115.75][..443] - end: [....45] [ip4][..tcp] [...192.168.5.16][53623] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + end: [....45] [ip4][..tcp] [...192.168.5.16][53623] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS - end: [....87] [ip4][..tcp] [...192.168.5.16][53625] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + end: [....87] [ip4][..tcp] [...192.168.5.16][53625] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS - end: [...107] [ip4][..tcp] [...192.168.5.16][53626] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + end: [...107] [ip4][..tcp] [...192.168.5.16][53626] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS - end: [...117] [ip4][..tcp] [...192.168.5.16][53629] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + end: [...117] [ip4][..tcp] [...192.168.5.16][53629] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS idle: [.....6] [ip4][..udp] [...192.168.5.50][64674] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] not-detected: [....65] [ip4][..udp] [192.168.140.140][62976] -> [255.255.255.255][62976] [Unknown][Unknown][Unrated] diff --git a/test/results/flow-info/monitoring/stun.pcap.out b/test/results/flow-info/monitoring/stun.pcap.out new file mode 100644 index 000000000..bfc198108 --- /dev/null +++ b/test/results/flow-info/monitoring/stun.pcap.out @@ -0,0 +1,99 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1][1611] [ip4][..tcp] [...10.77.110.51][41588] -> [..10.206.50.239][42000] + detected: [.....1][1611] [ip4][..tcp] [...10.77.110.51][41588] -> [..10.206.50.239][42000] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable][] + DAEMON-EVENT: [Processed: 15 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....2] [ip4][..udp] [.192.168.12.169][43016] -> [.74.125.247.128][.3478] + detected: [.....2] [ip4][..udp] [.192.168.12.169][43016] -> [.74.125.247.128][.3478] [STUN][Google][Network][Acceptable][] + detection-update: [.....2] [ip4][..udp] [.192.168.12.169][43016] -> [.74.125.247.128][.3478] [STUN][Google][Network][Acceptable][] + RISK: Unidirectional Traffic + detection-update: [.....2] [ip4][..udp] [.192.168.12.169][43016] -> [.74.125.247.128][.3478] [STUN][Google][Network][Acceptable][] + detection-update: [.....2] [ip4][..udp] [.192.168.12.169][43016] -> [.74.125.247.128][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable][turn.l.google.com] + new: [.....3] [ip4][.icmp] [.192.168.12.169] -> [.74.125.247.128] + detected: [.....3] [ip4][.icmp] [.192.168.12.169] -> [.74.125.247.128] [ICMP][Google][Network][Acceptable] + RISK: Susp Entropy + end: [.....1][1611] [ip4][..tcp] [...10.77.110.51][41588] -> [..10.206.50.239][42000] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] + DAEMON-EVENT: [Processed: 24 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 2 / 3|skipped: 0|!detected: 0|guessed: 0|detection-updates: 3|updates: 0] + new: [.....4] [ip6][..udp] [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603][56880] -> [....2a38:e156:8167:a333:face:b00c::24d9][.3478] + detected: [.....4] [ip6][..udp] [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603][56880] -> [....2a38:e156:8167:a333:face:b00c::24d9][.3478] [STUN][Unknown][Network][Acceptable][] + idle: [.....2] [ip4][..udp] [.192.168.12.169][43016] -> [.74.125.247.128][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable][turn.l.google.com] + idle: [.....3] [ip4][.icmp] [.192.168.12.169] -> [.74.125.247.128] [ICMP][Google][Network][Acceptable] + RISK: Susp Entropy + update: [.....4] [ip6][..udp] [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603][56880] -> [....2a38:e156:8167:a333:face:b00c::24d9][.3478] [STUN][Unknown][Network][Acceptable] + update: [.....4] [ip6][..udp] [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603][56880] -> [....2a38:e156:8167:a333:face:b00c::24d9][.3478] [STUN][Unknown][Network][Acceptable] + analyse: [.....4] [ip6][..udp] [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603][56880] -> [....2a38:e156:8167:a333:face:b00c::24d9][.3478] [STUN][Unknown][Network][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.003| 10.359| 9.105| 2.980| 8880623.976| 4.800] + [PKTLEN......: 68.000| 92.000| 80.000| 12.000| 144.000| 5.000] + [BINS(c->s)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS(ms)....: 6.9,10132.2,10132.3,10358.5,2.9,10358.5,2.9,10055.4,10055.5,10056.9,10056.9,10057.2,10057.2,10053.9,10054.0,10069.5,10069.5,10027.1,10027.1,10027.3,10027.3,10064.0,10063.9,10098.3,10098.4,10035.5,10035.4,10061.4,10061.4,10028.4,10028.3] + [PKTLENS.....: 68,92,68,92,68,68,92,92,68,92,68,92,68,92,68,92,68,92,68,92,68,92,68,92,68,92,68,92,68,92,68,92] + [ENTROPIES...: 5.4,5.5,5.4,5.5,5.5,5.5,5.5,5.5,5.5,5.6,5.5,5.6,5.4,5.6,5.5,5.6,5.4,5.5,5.5,5.5,5.4,5.6,5.4,5.5,5.5,5.6,5.5,5.6,5.5,5.5,5.4,5.5] + update: [.....4] [ip6][..udp] [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603][56880] -> [....2a38:e156:8167:a333:face:b00c::24d9][.3478] [STUN][Unknown][Network][Acceptable] + DAEMON-EVENT: [Processed: 66 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 1 / 4|skipped: 0|!detected: 0|guessed: 0|detection-updates: 3|updates: 3] + new: [.....5] [ip4][..udp] [.192.168.12.169][38123] -> [....31.13.86.54][40003] + detected: [.....5] [ip4][..udp] [.192.168.12.169][38123] -> [....31.13.86.54][40003] [STUN][Facebook][Network][Acceptable][] + RISK: Known Proto on Non Std Port + detection-update: [.....5] [ip4][..udp] [.192.168.12.169][38123] -> [....31.13.86.54][40003] [STUN.FacebookVoip][Facebook][VoIP][Acceptable][turner.facebook] + RISK: Known Proto on Non Std Port + analyse: [.....5] [ip4][..udp] [.192.168.12.169][38123] -> [....31.13.86.54][40003] [STUN.FacebookVoip][Facebook][VoIP][Acceptable][turner.facebook] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 6.004| 0.447| 1.463| 2139022.033| 1.900] + [PKTLEN......: 56.000| 168.000| 139.600| 32.100| 1033.400| 5.000] + [BINS(c->s)..: 1,0,0,4,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 0,3,1,6,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,1,0,1,1,0,0,1,0,0,1,0,1,1,0,0,1,0,0,1,1,1,0,0,1,0,1] + [IATS(ms)....: 11.5,15.6,15.9,6004.4,4.7,5997.4,4.5,7.5,7.1,108.4,344.5,499.2,68.5,0.2,19.7,29.0,92.2,23.6,96.4,1.6,50.3,48.3,0.3,50.1,3.3,0.0,52.9,0.4,9.7,44.9,232.2] + [PKTLENS.....: 56,132,164,104,168,168,140,168,140,72,164,164,160,168,128,72,164,128,160,128,164,160,128,164,128,160,128,168,128,72,160,160] + [ENTROPIES...: 4.9,5.6,5.9,5.8,5.9,6.0,5.6,5.8,5.5,5.6,5.9,6.0,6.0,5.9,5.8,5.5,6.0,5.9,6.0,5.9,5.9,6.0,5.8,6.0,5.9,6.0,5.9,5.9,5.8,5.6,6.1,6.0] + idle: [.....4] [ip6][..udp] [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603][56880] -> [....2a38:e156:8167:a333:face:b00c::24d9][.3478] [STUN][Unknown][Network][Acceptable] + DAEMON-EVENT: [Processed: 141 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 1 / 5|skipped: 0|!detected: 0|guessed: 0|detection-updates: 4|updates: 3] + new: [.....6] [ip4][..tcp] [...87.47.100.17][.3478] -> [....54.1.57.155][37257] + detected: [.....6] [ip4][..tcp] [...87.47.100.17][.3478] -> [....54.1.57.155][37257] [STUN][Unknown][Network][Acceptable][] + detection-update: [.....6] [ip4][..tcp] [...87.47.100.17][.3478] -> [....54.1.57.155][37257] [STUN][Unknown][Network][Acceptable][apps-host.com] + idle: [.....5] [ip4][..udp] [.192.168.12.169][38123] -> [....31.13.86.54][40003] [STUN.FacebookVoip][Facebook][VoIP][Acceptable][turner.facebook] + RISK: Known Proto on Non Std Port + DAEMON-EVENT: [Processed: 161 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 1 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 5|updates: 3] + new: [.....7] [ip4][..udp] [.192.168.12.169][49153] -> [..142.250.82.99][.3478] + detected: [.....7] [ip4][..udp] [.192.168.12.169][49153] -> [..142.250.82.99][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable][] + detection-update: [.....7] [ip4][..udp] [.192.168.12.169][49153] -> [..142.250.82.99][.3478] [DTLS.GoogleCall][Google][VoIP][Acceptable] + detection-update: [.....7] [ip4][..udp] [.192.168.12.169][49153] -> [..142.250.82.99][.3478] [DTLS.GoogleCall][Google][VoIP][Acceptable] + analyse: [.....7] [ip4][..udp] [.192.168.12.169][49153] -> [..142.250.82.99][.3478] [DTLS.GoogleCall][Google][VoIP][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.836| 0.131| 0.227| 51553.292| 3.400] + [PKTLEN......: 62.000| 1226.000| 179.200| 221.300| 48965.100| 4.400] + [BINS(c->s)..: 0,0,9,5,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 0,2,9,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,1,0,0,1,1,0,1,1,0,0,1,0,0,0,0,0] + [IATS(ms)....: 22.9,25.6,18.8,27.0,9.0,16.5,8.2,0.0,96.0,9.4,96.1,13.9,9.7,14.0,0.0,0.0,28.4,12.0,233.2,17.4,835.9,625.3,352.7,699.8,203.7,550.7,72.1,9.0,20.6,28.1,14.7] + [PKTLENS.....: 136,120,181,140,1226,574,120,109,598,109,140,145,161,120,141,93,97,93,113,62,93,140,120,62,110,140,120,94,94,95,95,95] + [ENTROPIES...: 5.9,5.9,5.0,5.9,7.3,6.7,5.8,5.7,7.4,5.7,6.0,6.2,6.4,5.9,6.1,5.4,5.4,5.6,5.9,5.3,5.2,5.9,5.8,5.2,6.1,5.9,6.0,6.1,6.0,5.9,6.1,5.9] + idle: [.....6] [ip4][..tcp] [...87.47.100.17][.3478] -> [....54.1.57.155][37257] [STUN][Unknown][Network][Acceptable][apps-host.com] + DAEMON-EVENT: [Processed: 194 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 1 / 7|skipped: 0|!detected: 0|guessed: 0|detection-updates: 7|updates: 3] + new: [.....8] [ip4][..udp] [.192.168.43.169][48854] -> [.134.224.90.111][.8801] + detected: [.....8] [ip4][..udp] [.192.168.43.169][48854] -> [.134.224.90.111][.8801] [STUN][Zoom][Network][Acceptable][] + RISK: Known Proto on Non Std Port + detection-update: [.....8] [ip4][..udp] [.192.168.43.169][48854] -> [.134.224.90.111][.8801] [STUN][Zoom][Network][Acceptable][] + RISK: Unidirectional Traffic + detection-update: [.....8] [ip4][..udp] [.192.168.43.169][48854] -> [.134.224.90.111][.8801] [STUN][Zoom][Network][Acceptable][] + detection-update: [.....8] [ip4][..udp] [.192.168.43.169][48854] -> [.134.224.90.111][.8801] [DTLS][Zoom][Network][Safe] + idle: [.....7] [ip4][..udp] [.192.168.12.169][49153] -> [..142.250.82.99][.3478] [DTLS.GoogleCall][Google][VoIP][Acceptable] + DAEMON-EVENT: [Processed: 198 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 1 / 8|skipped: 0|!detected: 0|guessed: 0|detection-updates: 10|updates: 3] + new: [.....9] [ip6][..udp] [..............2600:1900:4160:5999::19::][.3478] -> [..2001:b07:a3d:c112:48a1:1094:1227:281e][48094] + detected: [.....9] [ip6][..udp] [..............2600:1900:4160:5999::19::][.3478] -> [..2001:b07:a3d:c112:48a1:1094:1227:281e][48094] [STUN][GoogleCloud][Network][Acceptable][] + detection-update: [.....9] [ip6][..udp] [..............2600:1900:4160:5999::19::][.3478] -> [..2001:b07:a3d:c112:48a1:1094:1227:281e][48094] [STUN][GoogleCloud][Network][Acceptable][] + RISK: Unidirectional Traffic + idle: [.....8] [ip4][..udp] [.192.168.43.169][48854] -> [.134.224.90.111][.8801] [DTLS][Zoom][Network][Safe] + idle: [.....9] [ip6][..udp] [..............2600:1900:4160:5999::19::][.3478] -> [..2001:b07:a3d:c112:48a1:1094:1227:281e][48094] [STUN][GoogleCloud][Network][Acceptable] + RISK: Unidirectional Traffic + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/monitoring/stun_google_meet.pcapng.out b/test/results/flow-info/monitoring/stun_google_meet.pcapng.out new file mode 100644 index 000000000..8fa17cd3a --- /dev/null +++ b/test/results/flow-info/monitoring/stun_google_meet.pcapng.out @@ -0,0 +1,93 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..udp] [.192.168.12.156][38152] -> [.74.125.128.127][19302] + detected: [.....1] [ip4][..udp] [.192.168.12.156][38152] -> [.74.125.128.127][19302] [STUN][Google][Network][Acceptable][] + RISK: Known Proto on Non Std Port + new: [.....2] [ip4][..udp] [.192.168.12.156][45400] -> [.74.125.128.127][19302] + detected: [.....2] [ip4][..udp] [.192.168.12.156][45400] -> [.74.125.128.127][19302] [STUN][Google][Network][Acceptable][] + RISK: Known Proto on Non Std Port + new: [.....3] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][19305] + detected: [.....3] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][19305] [STUN.GoogleCall][Google][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + new: [.....4] [ip4][..udp] [.192.168.12.156][45400] -> [..142.250.82.76][19305] + detected: [.....4] [ip4][..udp] [.192.168.12.156][45400] -> [..142.250.82.76][19305] [STUN.GoogleCall][Google][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + detection-update: [.....3] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable] + detection-update: [.....3] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable] + analyse: [.....3] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.164| 0.015| 0.039| 1549.851| 2.400] + [PKTLEN......: 65.000| 1231.000| 290.000| 203.200| 41279.000| 4.700] + [BINS(c->s)..: 0,0,1,2,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 0,1,3,0,1,0,0,0,20,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1] + [IATS(ms)....: 27.7,164.3,5.3,154.4,6.7,36.4,35.4,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,27.3,18.9,0.0,0.0,0.0,0.0,0.0,0.0,0.0] + [PKTLENS.....: 152,92,148,185,92,1231,573,598,65,288,288,288,288,288,288,288,288,288,288,288,288,288,109,109,288,288,288,165,288,288,288,288] + [ENTROPIES...: 5.9,5.7,5.9,5.0,5.7,7.3,6.8,7.4,4.6,7.1,7.1,7.2,7.1,7.0,7.0,7.1,7.1,7.0,7.1,7.1,7.1,7.1,5.7,5.7,7.0,7.1,7.0,6.4,7.2,7.1,7.1,7.1] + new: [.....5] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][.3478] + detected: [.....5] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable][] + detection-update: [.....5] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][.3478] [DTLS.GoogleCall][Google][VoIP][Acceptable] + new: [.....6] [ip4][..udp] [.192.168.12.156][45400] -> [..142.250.82.76][.3478] + detected: [.....6] [ip4][..udp] [.192.168.12.156][45400] -> [..142.250.82.76][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable][] + analyse: [.....5] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][.3478] [DTLS.GoogleCall][Google][VoIP][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 1.000| 0.179| 0.232| 53990.769| 4.000] + [PKTLEN......: 68.000| 565.000| 110.700| 85.700| 7337.900| 4.800] + [BINS(c->s)..: 0,14,3,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 0,3,5,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,1,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,1,0,0] + [IATS(ms)....: 28.7,31.6,20.7,57.3,57.1,114.9,326.7,7.6,0.3,359.3,399.5,20.9,399.5,20.8,60.3,761.6,238.3,310.5,33.1,16.7,106.5,1.4,298.5,11.7,401.0,18.9,1000.0,80.4,40.3,278.6,42.3] + [PKTLENS.....: 152,92,148,92,148,92,565,91,73,93,68,107,73,91,73,148,92,68,80,91,73,80,80,107,73,91,73,68,148,92,128,91] + [ENTROPIES...: 6.0,5.6,6.0,5.7,6.0,5.7,7.6,6.0,5.5,5.6,5.5,5.7,5.7,5.9,5.5,6.0,5.6,5.3,5.8,6.1,5.6,5.7,5.8,5.8,5.5,5.9,5.6,5.3,5.9,5.6,6.3,6.0] + detection-update: [.....1] [ip4][..udp] [.192.168.12.156][38152] -> [.74.125.128.127][19302] [STUN.GoogleCall][Google][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + detection-update: [.....2] [ip4][..udp] [.192.168.12.156][45400] -> [.74.125.128.127][19302] [STUN.GoogleCall][Google][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + analyse: [.....6] [ip4][..udp] [.192.168.12.156][45400] -> [..142.250.82.76][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.030| 8.438| 2.374| 2.514| 6318722.646| 4.300] + [PKTLEN......: 92.000| 152.000| 118.200| 26.300| 690.900| 5.000] + [BINS(c->s)..: 0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS(ms)....: 30.2,90.8,78.2,1745.7,1745.6,749.7,749.8,2799.7,2799.8,3108.6,3108.4,997.5,997.5,1610.3,1610.3,582.5,582.8,6554.8,6554.5,8437.5,8437.6,882.4,882.5,6551.7,6551.4,792.4,792.6,993.0,993.0,897.1,896.9] + [PKTLENS.....: 152,92,144,92,144,92,144,92,144,92,144,92,144,92,144,92,144,92,144,92,144,92,144,92,144,92,144,92,144,92,144,92] + [ENTROPIES...: 6.0,5.6,6.1,5.6,6.0,5.5,6.0,5.6,6.1,5.7,5.9,5.8,6.1,5.6,6.0,5.6,6.1,5.6,6.0,5.6,6.0,5.6,6.0,5.6,6.1,5.6,6.0,5.7,6.0,5.7,6.0,5.7] + update: [.....4] [ip4][..udp] [.192.168.12.156][45400] -> [..142.250.82.76][19305] [STUN.GoogleCall][Google][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + update: [.....6] [ip4][..udp] [.192.168.12.156][45400] -> [..142.250.82.76][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable] + update: [.....2] [ip4][..udp] [.192.168.12.156][45400] -> [.74.125.128.127][19302] [STUN.GoogleCall][Google][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + update: [.....3] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable] + update: [.....5] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][.3478] [DTLS.GoogleCall][Google][VoIP][Acceptable] + update: [.....1] [ip4][..udp] [.192.168.12.156][38152] -> [.74.125.128.127][19302] [STUN.GoogleCall][Google][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + DAEMON-EVENT: [Processed: 214 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 6 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 5|updates: 6] + new: [.....7] [ip6][..udp] [..2001:b07:a3d:c112:48a1:1094:1227:281e][45572] -> [...................2001:4860:4864:6::81][19305] + detected: [.....7] [ip6][..udp] [..2001:b07:a3d:c112:48a1:1094:1227:281e][45572] -> [...................2001:4860:4864:6::81][19305] [STUN.GoogleCall][Google][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + detection-update: [.....7] [ip6][..udp] [..2001:b07:a3d:c112:48a1:1094:1227:281e][45572] -> [...................2001:4860:4864:6::81][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable] + detection-update: [.....7] [ip6][..udp] [..2001:b07:a3d:c112:48a1:1094:1227:281e][45572] -> [...................2001:4860:4864:6::81][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable] + analyse: [.....7] [ip6][..udp] [..2001:b07:a3d:c112:48a1:1094:1227:281e][45572] -> [...................2001:4860:4864:6::81][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.082| 0.009| 0.020| 398.613| 2.800] + [PKTLEN......: 85.000| 1251.000| 300.000| 206.900| 42788.400| 4.700] + [BINS(c->s)..: 0,0,1,3,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 0,1,4,1,0,0,0,0,18,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1] + [IATS(ms)....: 26.9,81.6,0.7,74.4,3.0,28.0,16.5,24.8,0.3,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,11.5,16.0,2.8,0.0,0.0,0.0,0.0,0.0,0.0] + [PKTLENS.....: 172,124,168,205,124,1251,594,168,618,85,308,308,308,308,308,308,308,308,308,308,308,308,129,129,124,308,308,308,308,165,308,308] + [ENTROPIES...: 6.0,5.7,5.8,5.0,5.9,7.3,6.7,5.9,7.4,4.7,7.0,7.1,7.1,7.1,7.0,7.0,7.1,7.1,7.0,7.1,7.0,7.1,5.7,5.7,5.7,7.1,7.1,7.0,7.0,6.1,7.0,7.0] + idle: [.....4] [ip4][..udp] [.192.168.12.156][45400] -> [..142.250.82.76][19305] [STUN.GoogleCall][Google][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [.....7] [ip6][..udp] [..2001:b07:a3d:c112:48a1:1094:1227:281e][45572] -> [...................2001:4860:4864:6::81][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable] + idle: [.....6] [ip4][..udp] [.192.168.12.156][45400] -> [..142.250.82.76][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable] + idle: [.....2] [ip4][..udp] [.192.168.12.156][45400] -> [.74.125.128.127][19302] [STUN.GoogleCall][Google][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [.....3] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable] + idle: [.....5] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][.3478] [DTLS.GoogleCall][Google][VoIP][Acceptable] + idle: [.....1] [ip4][..udp] [.192.168.12.156][38152] -> [.74.125.128.127][19302] [STUN.GoogleCall][Google][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/monitoring/stun_signal.pcapng.out b/test/results/flow-info/monitoring/stun_signal.pcapng.out new file mode 100644 index 000000000..33e3efd9f --- /dev/null +++ b/test/results/flow-info/monitoring/stun_signal.pcapng.out @@ -0,0 +1,215 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..udp] [.192.168.12.169][39518] -> [172.253.121.127][19302] + detected: [.....1] [ip4][..udp] [.192.168.12.169][39518] -> [172.253.121.127][19302] [STUN][Google][Network][Acceptable][] + RISK: Known Proto on Non Std Port + new: [.....2] [ip4][..udp] [.192.168.12.169][47204] -> [172.253.121.127][19302] + detected: [.....2] [ip4][..udp] [.192.168.12.169][47204] -> [172.253.121.127][19302] [STUN][Google][Network][Acceptable][] + RISK: Known Proto on Non Std Port + new: [.....3] [ip4][..udp] [.192.168.12.169][47204] -> [.35.158.183.167][..443] + detected: [.....3] [ip4][..udp] [.192.168.12.169][47204] -> [.35.158.183.167][..443] [STUN][AmazonAWS][Network][Acceptable][] + RISK: Known Proto on Non Std Port + new: [.....4] [ip4][..udp] [.192.168.12.169][47204] -> [.35.158.183.167][.3478] + detected: [.....4] [ip4][..udp] [.192.168.12.169][47204] -> [.35.158.183.167][.3478] [STUN][AmazonAWS][Network][Acceptable][] + new: [.....5] [ip4][..udp] [.192.168.12.169][39518] -> [.35.158.183.167][.3478] + detected: [.....5] [ip4][..udp] [.192.168.12.169][39518] -> [.35.158.183.167][.3478] [STUN][AmazonAWS][Network][Acceptable][] + new: [.....6] [ip4][..udp] [.192.168.12.169][39518] -> [.35.158.183.167][..443] + detected: [.....6] [ip4][..udp] [.192.168.12.169][39518] -> [.35.158.183.167][..443] [STUN][AmazonAWS][Network][Acceptable][] + RISK: Known Proto on Non Std Port + new: [.....7] [ip4][.icmp] [.35.158.183.167] -> [.192.168.12.169] + detected: [.....7] [ip4][.icmp] [.35.158.183.167] -> [.192.168.12.169] [ICMP][AmazonAWS][Network][Acceptable] + RISK: Susp Entropy + detection-update: [.....3] [ip4][..udp] [.192.168.12.169][47204] -> [.35.158.183.167][..443] [STUN][AmazonAWS][Network][Acceptable][] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + detection-update: [.....6] [ip4][..udp] [.192.168.12.169][39518] -> [.35.158.183.167][..443] [STUN][AmazonAWS][Network][Acceptable][] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + detection-update: [.....5] [ip4][..udp] [.192.168.12.169][39518] -> [.35.158.183.167][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][signal.org] + detection-update: [.....4] [ip4][..udp] [.192.168.12.169][47204] -> [.35.158.183.167][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][] + detection-update: [.....4] [ip4][..udp] [.192.168.12.169][47204] -> [.35.158.183.167][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][signal.org] + detection-update: [.....1] [ip4][..udp] [.192.168.12.169][39518] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + detection-update: [.....2] [ip4][..udp] [.192.168.12.169][47204] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + detection-update: [.....3] [ip4][..udp] [.192.168.12.169][47204] -> [.35.158.183.167][..443] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + detection-update: [.....6] [ip4][..udp] [.192.168.12.169][39518] -> [.35.158.183.167][..443] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + detection-update: [.....1] [ip4][..udp] [.192.168.12.169][39518] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + detection-update: [.....2] [ip4][..udp] [.192.168.12.169][47204] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + new: [.....8] [ip4][..udp] [.192.168.12.169][43068] -> [.35.158.183.167][.3478] + detected: [.....8] [ip4][..udp] [.192.168.12.169][43068] -> [.35.158.183.167][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][] + new: [.....9] [ip4][..udp] [.192.168.12.169][43068] -> [.35.158.183.167][..443] + detected: [.....9] [ip4][..udp] [.192.168.12.169][43068] -> [.35.158.183.167][..443] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....10] [ip4][..udp] [.192.168.12.169][43068] -> [172.253.121.127][19302] + detected: [....10] [ip4][..udp] [.192.168.12.169][43068] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....11] [ip4][..udp] [.192.168.12.169][39950] -> [172.253.121.127][19302] + detected: [....11] [ip4][..udp] [.192.168.12.169][39950] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....12] [ip4][..udp] [.192.168.12.169][39950] -> [.35.158.183.167][..443] + detected: [....12] [ip4][..udp] [.192.168.12.169][39950] -> [.35.158.183.167][..443] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....13] [ip4][..udp] [.192.168.12.169][39950] -> [.35.158.183.167][.3478] + detected: [....13] [ip4][..udp] [.192.168.12.169][39950] -> [.35.158.183.167][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][] + detection-update: [.....9] [ip4][..udp] [.192.168.12.169][43068] -> [.35.158.183.167][..443] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + detection-update: [....12] [ip4][..udp] [.192.168.12.169][39950] -> [.35.158.183.167][..443] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + detection-update: [....13] [ip4][..udp] [.192.168.12.169][39950] -> [.35.158.183.167][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][signal.org] + detection-update: [.....8] [ip4][..udp] [.192.168.12.169][43068] -> [.35.158.183.167][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][signal.org] + detection-update: [....10] [ip4][..udp] [.192.168.12.169][43068] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + detection-update: [....11] [ip4][..udp] [.192.168.12.169][39950] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + detection-update: [....10] [ip4][..udp] [.192.168.12.169][43068] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + detection-update: [....11] [ip4][..udp] [.192.168.12.169][39950] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....14] [ip4][..udp] [.192.168.12.169][43068] -> [.18.195.131.143][61156] + detected: [....14] [ip4][..udp] [.192.168.12.169][43068] -> [.18.195.131.143][61156] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + analyse: [....14] [ip4][..udp] [.192.168.12.169][43068] -> [.18.195.131.143][61156] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.679| 0.149| 0.201| 40331.911| 3.900] + [PKTLEN......: 56.000| 132.000| 91.900| 24.900| 621.500| 4.900] + [BINS(c->s)..: 4,3,4,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 3,4,5,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,0,0,0,1,1,0,1,1,0,0,0,1,1,0,1,0,1,1,0,0,1,1,1,0,0,1,0,0,1] + [IATS(ms)....: 83.9,0.0,92.5,7.8,46.1,91.4,0.0,37.9,40.0,9.1,41.9,367.7,0.1,441.0,0.0,600.8,610.2,117.9,49.9,49.8,64.2,212.9,679.4,8.7,0.0,503.8,102.9,201.0,101.8,9.3,62.2] + [PKTLENS.....: 124,92,124,92,132,132,92,124,92,92,124,92,84,56,84,56,124,92,84,84,124,92,56,84,56,56,56,124,92,84,56,84] + [ENTROPIES...: 5.8,5.8,5.9,5.8,5.7,5.6,5.9,5.9,5.8,5.8,5.9,5.8,5.7,5.1,5.8,5.3,5.9,5.8,5.8,5.7,5.9,5.8,5.1,5.8,5.2,5.2,5.1,5.8,5.8,5.6,5.1,5.8] + update: [.....7] [ip4][.icmp] [.35.158.183.167] -> [.192.168.12.169] [ICMP][AmazonAWS][Network][Acceptable] + RISK: Susp Entropy + analyse: [.....7] [ip4][.icmp] [.35.158.183.167] -> [.192.168.12.169] [ICMP][AmazonAWS][Network][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 17.079| 1.597| 3.547| 12584568.750| 2.800] + [PKTLEN......: 76.000| 124.000| 81.500| 11.600| 133.800| 5.000] + [BINS(c->s)..: 0,20,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS(ms)....: 4.1,63.0,0.0,180.8,3.5,1499.2,2002.8,0.0,4842.0,0.1,17079.4,30.0,28.1,10.0,178.6,30.7,1472.4,2000.5,31.0,3968.8,29.9,37.3,7.8,7927.3,28.5,35.4,6.5,7931.2,29.2,34.6,5.1] + [PKTLENS.....: 76,76,84,84,76,76,76,76,76,124,124,76,76,84,84,76,76,76,76,76,76,76,84,84,76,76,84,84,76,76,84,84] + [ENTROPIES...: 5.0,5.2,5.1,5.0,5.1,5.1,5.0,5.0,5.1,5.5,5.7,5.0,5.0,5.0,5.0,4.9,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.1,5.1,5.0,5.0,5.0,5.0,5.1] + update: [.....3] [ip4][..udp] [.192.168.12.169][47204] -> [.35.158.183.167][..443] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + update: [.....2] [ip4][..udp] [.192.168.12.169][47204] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + update: [.....6] [ip4][..udp] [.192.168.12.169][39518] -> [.35.158.183.167][..443] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + update: [.....1] [ip4][..udp] [.192.168.12.169][39518] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + update: [.....4] [ip4][..udp] [.192.168.12.169][47204] -> [.35.158.183.167][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][signal.org] + update: [.....5] [ip4][..udp] [.192.168.12.169][39518] -> [.35.158.183.167][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][signal.org] + new: [....15] [ip4][..udp] [.192.168.12.169][47767] -> [172.253.121.127][19302] + detected: [....15] [ip4][..udp] [.192.168.12.169][47767] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....16] [ip4][..udp] [.192.168.12.169][37970] -> [172.253.121.127][19302] + detected: [....16] [ip4][..udp] [.192.168.12.169][37970] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....17] [ip4][..udp] [.192.168.12.169][47767] -> [.35.158.122.211][..443] + detected: [....17] [ip4][..udp] [.192.168.12.169][47767] -> [.35.158.122.211][..443] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....18] [ip4][..udp] [.192.168.12.169][37970] -> [.35.158.122.211][..443] + detected: [....18] [ip4][..udp] [.192.168.12.169][37970] -> [.35.158.122.211][..443] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + detection-update: [....17] [ip4][..udp] [.192.168.12.169][47767] -> [.35.158.122.211][..443] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + new: [....19] [ip4][..udp] [.192.168.12.169][47767] -> [.35.158.122.211][.3478] + detected: [....19] [ip4][..udp] [.192.168.12.169][47767] -> [.35.158.122.211][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][] + new: [....20] [ip4][..udp] [.192.168.12.169][37970] -> [.35.158.122.211][.3478] + detected: [....20] [ip4][..udp] [.192.168.12.169][37970] -> [.35.158.122.211][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][] + detection-update: [....19] [ip4][..udp] [.192.168.12.169][47767] -> [.35.158.122.211][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][] + RISK: Unidirectional Traffic + detection-update: [....20] [ip4][..udp] [.192.168.12.169][37970] -> [.35.158.122.211][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][] + RISK: Unidirectional Traffic + new: [....21] [ip4][.icmp] [.35.158.122.211] -> [.192.168.12.169] + detected: [....21] [ip4][.icmp] [.35.158.122.211] -> [.192.168.12.169] [ICMP][AmazonAWS][Network][Acceptable] + RISK: Susp Entropy + detection-update: [....19] [ip4][..udp] [.192.168.12.169][47767] -> [.35.158.122.211][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][signal.org] + detection-update: [....20] [ip4][..udp] [.192.168.12.169][37970] -> [.35.158.122.211][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][] + detection-update: [....18] [ip4][..udp] [.192.168.12.169][37970] -> [.35.158.122.211][..443] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + detection-update: [....20] [ip4][..udp] [.192.168.12.169][37970] -> [.35.158.122.211][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][signal.org] + detection-update: [....15] [ip4][..udp] [.192.168.12.169][47767] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + detection-update: [....16] [ip4][..udp] [.192.168.12.169][37970] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + detection-update: [....16] [ip4][..udp] [.192.168.12.169][37970] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + detection-update: [....15] [ip4][..udp] [.192.168.12.169][47767] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....22] [ip4][..udp] [.192.168.12.169][47767] -> [.18.195.131.143][54054] + detected: [....22] [ip4][..udp] [.192.168.12.169][47767] -> [.18.195.131.143][54054] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....23] [ip4][..udp] [.192.168.12.169][47767] -> [.18.195.131.143][61498] + detected: [....23] [ip4][..udp] [.192.168.12.169][47767] -> [.18.195.131.143][61498] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + analyse: [....23] [ip4][..udp] [.192.168.12.169][47767] -> [.18.195.131.143][61498] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.665| 0.153| 0.189| 35784.253| 4.000] + [PKTLEN......: 56.000| 132.000| 94.200| 24.600| 605.900| 4.900] + [BINS(c->s)..: 3,3,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 3,3,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,0,0,0,1,1,0,1,1,0,0,0,1,1,0,1,1,0,0,1,1,0,1,1,0,0,0,1,1,0] + [IATS(ms)....: 68.5,0.1,70.3,29.3,44.7,113.4,0.0,43.2,26.5,8.5,31.0,313.6,0.3,410.7,0.0,665.0,630.5,122.5,190.5,61.6,378.1,7.9,325.5,42.2,76.0,424.9,96.8,5.4,434.3,47.7,66.2] + [PKTLENS.....: 124,92,124,92,132,132,92,124,92,92,124,92,84,56,84,56,124,92,124,92,84,84,56,56,56,84,124,84,56,92,124,92] + [ENTROPIES...: 5.9,5.8,5.9,5.7,5.9,5.8,5.8,6.0,5.8,5.8,5.9,5.8,5.8,5.2,5.7,5.1,5.8,5.8,5.9,5.7,5.7,5.9,5.2,5.1,5.1,5.8,5.9,5.8,5.1,5.8,5.8,5.8] + update: [....13] [ip4][..udp] [.192.168.12.169][39950] -> [.35.158.183.167][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][signal.org] + update: [.....9] [ip4][..udp] [.192.168.12.169][43068] -> [.35.158.183.167][..443] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + update: [....10] [ip4][..udp] [.192.168.12.169][43068] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + update: [....14] [ip4][..udp] [.192.168.12.169][43068] -> [.18.195.131.143][61156] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + update: [....12] [ip4][..udp] [.192.168.12.169][39950] -> [.35.158.183.167][..443] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + update: [.....8] [ip4][..udp] [.192.168.12.169][43068] -> [.35.158.183.167][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][signal.org] + update: [....11] [ip4][..udp] [.192.168.12.169][39950] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + update: [.....7] [ip4][.icmp] [.35.158.183.167] -> [.192.168.12.169] [ICMP][AmazonAWS][Network][Acceptable] + RISK: Susp Entropy + idle: [....13] [ip4][..udp] [.192.168.12.169][39950] -> [.35.158.183.167][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][signal.org] + idle: [....20] [ip4][..udp] [.192.168.12.169][37970] -> [.35.158.122.211][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][signal.org] + idle: [.....9] [ip4][..udp] [.192.168.12.169][43068] -> [.35.158.183.167][..443] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + idle: [.....3] [ip4][..udp] [.192.168.12.169][47204] -> [.35.158.183.167][..443] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + idle: [....22] [ip4][..udp] [.192.168.12.169][47767] -> [.18.195.131.143][54054] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [....10] [ip4][..udp] [.192.168.12.169][43068] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [.....2] [ip4][..udp] [.192.168.12.169][47204] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [....14] [ip4][..udp] [.192.168.12.169][43068] -> [.18.195.131.143][61156] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [.....6] [ip4][..udp] [.192.168.12.169][39518] -> [.35.158.183.167][..443] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + idle: [....17] [ip4][..udp] [.192.168.12.169][47767] -> [.35.158.122.211][..443] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + idle: [.....1] [ip4][..udp] [.192.168.12.169][39518] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [....15] [ip4][..udp] [.192.168.12.169][47767] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [....12] [ip4][..udp] [.192.168.12.169][39950] -> [.35.158.183.167][..443] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + idle: [.....8] [ip4][..udp] [.192.168.12.169][43068] -> [.35.158.183.167][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][signal.org] + idle: [.....4] [ip4][..udp] [.192.168.12.169][47204] -> [.35.158.183.167][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][signal.org] + idle: [....18] [ip4][..udp] [.192.168.12.169][37970] -> [.35.158.122.211][..443] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + idle: [....11] [ip4][..udp] [.192.168.12.169][39950] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [....16] [ip4][..udp] [.192.168.12.169][37970] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [....23] [ip4][..udp] [.192.168.12.169][47767] -> [.18.195.131.143][61498] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [....21] [ip4][.icmp] [.35.158.122.211] -> [.192.168.12.169] [ICMP][AmazonAWS][Network][Acceptable] + RISK: Susp Entropy + idle: [.....7] [ip4][.icmp] [.35.158.183.167] -> [.192.168.12.169] [ICMP][AmazonAWS][Network][Acceptable] + RISK: Susp Entropy + idle: [.....5] [ip4][..udp] [.192.168.12.169][39518] -> [.35.158.183.167][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][signal.org] + idle: [....19] [ip4][..udp] [.192.168.12.169][47767] -> [.35.158.122.211][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][signal.org] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/monitoring/stun_wa_call.pcapng.out b/test/results/flow-info/monitoring/stun_wa_call.pcapng.out new file mode 100644 index 000000000..31e08d37c --- /dev/null +++ b/test/results/flow-info/monitoring/stun_wa_call.pcapng.out @@ -0,0 +1,108 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..udp] [.192.168.12.156][46652] -> [..93.57.123.227][.3478] + detected: [.....1] [ip4][..udp] [.192.168.12.156][46652] -> [..93.57.123.227][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][] + detection-update: [.....1] [ip4][..udp] [.192.168.12.156][46652] -> [..93.57.123.227][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][] + RISK: Unidirectional Traffic + new: [.....2] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.203.62][.3478] + detected: [.....2] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.203.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + detection-update: [.....2] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.203.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + RISK: Unidirectional Traffic + new: [.....3] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.231.62][.3478] + detected: [.....3] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.231.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + detection-update: [.....3] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.231.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + RISK: Unidirectional Traffic + new: [.....4] [ip4][..udp] [.192.168.12.156][46652] -> [..157.240.21.51][.3478] + detected: [.....4] [ip4][..udp] [.192.168.12.156][46652] -> [..157.240.21.51][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + detection-update: [.....4] [ip4][..udp] [.192.168.12.156][46652] -> [..157.240.21.51][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + RISK: Unidirectional Traffic + new: [.....5] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.195.48][.3478] + detected: [.....5] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.195.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + detection-update: [.....5] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.195.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + RISK: Unidirectional Traffic + detection-update: [.....1] [ip4][..udp] [.192.168.12.156][46652] -> [..93.57.123.227][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][] + detection-update: [.....2] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.203.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + detection-update: [.....3] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.231.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + detection-update: [.....4] [ip4][..udp] [.192.168.12.156][46652] -> [..157.240.21.51][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + detection-update: [.....5] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.195.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + analyse: [.....1] [ip4][..udp] [.192.168.12.156][46652] -> [..93.57.123.227][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 2.505| 0.249| 0.601| 361608.839| 2.900] + [PKTLEN......: 48.000| 300.000| 146.400| 92.200| 8492.200| 4.700] + [BINS(c->s)..: 2,4,1,1,0,0,3,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 2,2,10,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,1,1,0,0,0,0,1,1,0,1,1,0,1,0,0,0,1,1,0,0,1,1,1,0,1,0,0,0,1] + [IATS(ms)....: 0.2,8.4,0.0,2463.7,2505.3,0.2,3.6,0.3,39.5,0.1,6.1,4.8,0.0,25.9,31.6,82.0,37.7,1.7,120.9,0.0,78.6,59.9,292.8,130.0,59.7,381.6,376.4,412.4,0.0,227.9,362.0] + [PKTLENS.....: 240,240,96,96,74,300,300,300,300,96,96,74,96,96,48,48,98,300,300,96,96,89,53,107,108,53,77,86,150,73,227,273] + [ENTROPIES...: 7.0,7.0,5.8,5.8,5.8,7.0,7.0,7.0,7.0,5.7,5.8,5.7,5.7,5.7,5.2,5.2,5.8,7.0,7.0,5.7,5.8,5.8,4.9,6.0,6.1,5.0,5.5,5.7,6.6,5.5,6.9,7.2] + new: [.....6] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.203.62][.3478] + detected: [.....6] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.203.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + detection-update: [.....6] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.203.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + RISK: Unidirectional Traffic + new: [.....7] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.231.62][.3478] + detected: [.....7] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.231.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + detection-update: [.....7] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.231.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + RISK: Unidirectional Traffic + new: [.....8] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.196.62][.3478] + detected: [.....8] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.196.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + detection-update: [.....8] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.196.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + RISK: Unidirectional Traffic + new: [.....9] [ip4][..udp] [.192.168.12.156][49526] -> [..179.60.192.48][.3478] + detected: [.....9] [ip4][..udp] [.192.168.12.156][49526] -> [..179.60.192.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + detection-update: [.....9] [ip4][..udp] [.192.168.12.156][49526] -> [..179.60.192.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + RISK: Unidirectional Traffic + new: [....10] [ip4][..udp] [.192.168.12.156][49526] -> [..185.60.216.51][.3478] + detected: [....10] [ip4][..udp] [.192.168.12.156][49526] -> [..185.60.216.51][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + detection-update: [....10] [ip4][..udp] [.192.168.12.156][49526] -> [..185.60.216.51][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + RISK: Unidirectional Traffic + detection-update: [.....6] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.203.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + detection-update: [.....7] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.231.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + detection-update: [....10] [ip4][..udp] [.192.168.12.156][49526] -> [..185.60.216.51][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + detection-update: [.....9] [ip4][..udp] [.192.168.12.156][49526] -> [..179.60.192.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + detection-update: [.....8] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.196.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][] + analyse: [.....6] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.203.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.025| 0.011| 0.005| 24.788| 4.800] + [PKTLEN......: 48.000| 540.000| 284.500| 217.500| 47305.800| 4.600] + [BINS(c->s)..: 1,0,13,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS(ms)....: 0.1,8.3,0.0,10.1,8.1,24.5,25.3,11.6,10.1,12.8,14.4,10.6,10.6,10.6,10.5,16.3,6.1,16.2,5.9,10.0,9.7,10.6,11.3,10.7,10.5,10.8,10.6,10.2,10.7,11.3,11.5] + [PKTLENS.....: 300,300,96,96,92,540,92,540,92,540,92,540,92,540,92,540,48,92,48,540,92,540,92,540,92,540,92,540,92,540,92,540] + [ENTROPIES...: 7.0,7.0,5.8,5.7,5.7,1.5,5.8,1.5,5.6,1.5,5.6,1.5,5.7,1.5,5.6,1.5,5.2,5.7,5.1,1.5,5.7,1.5,5.7,1.5,5.6,1.5,5.7,1.5,5.8,1.5,5.7,1.5] + new: [....11] [ip4][..udp] [.192.168.12.156][49526] -> [...10.82.40.241][40436] + detected: [....11] [ip4][..udp] [.192.168.12.156][49526] -> [...10.82.40.241][40436] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....12] [ip4][..udp] [.192.168.12.156][49526] -> [...93.33.118.87][41107] + detected: [....12] [ip4][..udp] [.192.168.12.156][49526] -> [...93.33.118.87][41107] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + detection-update: [....12] [ip4][..udp] [.192.168.12.156][49526] -> [...93.33.118.87][41107] [SRTP.WhatsAppCall][Unknown][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + detection-update: [....11] [ip4][..udp] [.192.168.12.156][49526] -> [...10.82.40.241][40436] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + new: [....13] [ip4][.icmp] [..93.63.100.129] -> [.192.168.12.156] + detected: [....13] [ip4][.icmp] [..93.63.100.129] -> [.192.168.12.156] [ICMP][Unknown][Network][Acceptable] + RISK: Susp Entropy + update: [.....2] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.203.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable] + update: [.....4] [ip4][..udp] [.192.168.12.156][46652] -> [..157.240.21.51][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable] + update: [.....5] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.195.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable] + update: [.....3] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.231.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable] + update: [.....1] [ip4][..udp] [.192.168.12.156][46652] -> [..93.57.123.227][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable] + idle: [....13] [ip4][.icmp] [..93.63.100.129] -> [.192.168.12.156] [ICMP][Unknown][Network][Acceptable] + RISK: Susp Entropy + idle: [.....7] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.231.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable] + idle: [.....8] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.196.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable] + idle: [.....6] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.203.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable] + idle: [....11] [ip4][..udp] [.192.168.12.156][49526] -> [...10.82.40.241][40436] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + idle: [....12] [ip4][..udp] [.192.168.12.156][49526] -> [...93.33.118.87][41107] [SRTP.WhatsAppCall][Unknown][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [.....9] [ip4][..udp] [.192.168.12.156][49526] -> [..179.60.192.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable] + idle: [....10] [ip4][..udp] [.192.168.12.156][49526] -> [..185.60.216.51][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable] + idle: [.....3] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.231.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable] + idle: [.....5] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.195.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable] + idle: [.....4] [ip4][..udp] [.192.168.12.156][46652] -> [..157.240.21.51][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable] + idle: [.....2] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.203.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable] + idle: [.....1] [ip4][..udp] [.192.168.12.156][46652] -> [..93.57.123.227][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/monitoring/stun_zoom.pcapng.out b/test/results/flow-info/monitoring/stun_zoom.pcapng.out new file mode 100644 index 000000000..05276f928 --- /dev/null +++ b/test/results/flow-info/monitoring/stun_zoom.pcapng.out @@ -0,0 +1,34 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..udp] [.192.168.43.169][48854] -> [.134.224.90.111][.8801] + detected: [.....1] [ip4][..udp] [.192.168.43.169][48854] -> [.134.224.90.111][.8801] [STUN][Zoom][Network][Acceptable][] + RISK: Known Proto on Non Std Port + detection-update: [.....1] [ip4][..udp] [.192.168.43.169][48854] -> [.134.224.90.111][.8801] [STUN][Zoom][Network][Acceptable][] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + detection-update: [.....1] [ip4][..udp] [.192.168.43.169][48854] -> [.134.224.90.111][.8801] [STUN][Zoom][Network][Acceptable][] + RISK: Known Proto on Non Std Port + detection-update: [.....1] [ip4][..udp] [.192.168.43.169][48854] -> [.134.224.90.111][.8801] [DTLS][Zoom][Network][Safe] + new: [.....2] [ip4][..udp] [.192.168.43.169][53065] -> [.134.224.90.111][.8801] + detected: [.....2] [ip4][..udp] [.192.168.43.169][53065] -> [.134.224.90.111][.8801] [STUN][Zoom][Network][Acceptable][] + RISK: Known Proto on Non Std Port + detection-update: [.....2] [ip4][..udp] [.192.168.43.169][53065] -> [.134.224.90.111][.8801] [STUN][Zoom][Network][Acceptable][] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + detection-update: [.....1] [ip4][..udp] [.192.168.43.169][48854] -> [.134.224.90.111][.8801] [DTLS][Zoom][Network][Safe] + detection-update: [.....1] [ip4][..udp] [.192.168.43.169][48854] -> [.134.224.90.111][.8801] [DTLS.Zoom][Zoom][Video][Acceptable] + detection-update: [.....2] [ip4][..udp] [.192.168.43.169][53065] -> [.134.224.90.111][.8801] [STUN][Zoom][Network][Acceptable][] + RISK: Known Proto on Non Std Port + detection-update: [.....2] [ip4][..udp] [.192.168.43.169][53065] -> [.134.224.90.111][.8801] [DTLS][Zoom][Network][Safe] + analyse: [.....2] [ip4][..udp] [.192.168.43.169][53065] -> [.134.224.90.111][.8801] [DTLS][Zoom][Network][Safe] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.194| 0.048| 0.051| 2615.352| 4.100] + [PKTLEN......: 42.000| 1080.000| 270.100| 313.100| 98043.500| 4.300] + [BINS(c->s)..: 0,1,1,0,11,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 1,0,9,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,0,0,1,0,0,0,0,0,0,1,1,1,0,0,0,1,1,1,1,1,1,0,1,1,0,1,0,1,0,1] + [IATS(ms)....: 20.2,79.9,20.3,193.8,73.6,0.2,50.4,49.7,26.4,24.4,170.2,80.6,11.0,149.6,50.7,0.0,93.6,0.0,0.0,0.0,0.0,0.0,8.3,29.7,4.8,50.2,80.8,100.2,42.2,3.7,58.5] + [PKTLENS.....: 184,184,184,184,92,184,217,217,184,184,217,92,92,92,184,192,78,92,1080,1080,1080,1080,399,186,92,92,186,92,186,95,101,42] + [ENTROPIES...: 5.8,5.8,5.8,5.8,5.6,5.8,5.2,5.2,5.9,5.8,5.2,5.7,5.6,5.7,5.9,5.3,4.1,5.7,7.0,7.3,7.3,7.4,7.2,6.1,5.7,5.7,6.1,5.7,6.1,5.4,6.0,4.3] + idle: [.....1] [ip4][..udp] [.192.168.43.169][48854] -> [.134.224.90.111][.8801] [DTLS.Zoom][Zoom][Video][Acceptable] + idle: [.....2] [ip4][..udp] [.192.168.43.169][53065] -> [.134.224.90.111][.8801] [DTLS][Zoom][Network][Safe] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/monitoring/teams.pcap.out b/test/results/flow-info/monitoring/teams.pcap.out new file mode 100644 index 000000000..257fc16da --- /dev/null +++ b/test/results/flow-info/monitoring/teams.pcap.out @@ -0,0 +1,555 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..udp] [....192.168.0.1][...68] -> [255.255.255.255][...67] + detected: [.....1] [ip4][..udp] [....192.168.0.1][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable][tl-sg116e] + ERROR-EVENT: Unknown packet type [1/16] + new: [.....2] [ip4][..tcp] [....192.168.1.6][58533] -> [.149.154.167.91][..443] [MIDSTREAM] + ERROR-EVENT: Unknown packet type [2/16] + ERROR-EVENT: Unknown packet type [3/16] + ERROR-EVENT: Unknown packet type [4/16] + ERROR-EVENT: Unknown packet type [5/16] + ERROR-EVENT: Unknown packet type [6/16] + new: [.....3] [ip4][..udp] [....192.168.1.6][60813] -> [....192.168.1.1][...53] + detected: [.....3] [ip4][..udp] [....192.168.1.6][60813] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][skypedataprdcolneu04.cloudapp.net] + detection-update: [.....3] [ip4][..udp] [....192.168.1.6][60813] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][skypedataprdcolneu04.cloudapp.net] + new: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] + new: [.....5] [ip4][..tcp] [....192.168.1.6][60533] -> [.52.113.194.132][..443] + detected: [.....5] [ip4][..tcp] [....192.168.1.6][60533] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com] + detection-update: [.....5] [ip4][..tcp] [....192.168.1.6][60533] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com] + detected: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + analyse: [.....5] [ip4][..tcp] [....192.168.1.6][60533] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.030| 0.006| 0.009| 77.930| 3.700] + [PKTLEN......: 40.000| 1492.000| 393.900| 548.100| 300365.600| 3.900] + [BINS(c->s)..: 10,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 5,1,1,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,0,0,0,0,1,1,0,1,1,0,1,1,1,0] + [IATS(ms)....: 12.5,12.6,1.4,13.9,1.6,0.2,14.3,0.3,0.2,0.1,0.0,0.1,4.9,16.5,1.1,12.8,0.3,0.3,11.4,0.4,0.2,23.0,0.0,11.1,0.4,29.3,29.8,0.5,0.1,0.0,0.5] + [PKTLENS.....: 64,52,40,250,46,1492,1492,40,1492,40,1492,257,40,198,46,366,40,109,40,133,78,298,78,46,40,46,556,40,1492,1492,671,40] + [ENTROPIES...: 4.4,4.9,4.5,5.4,4.6,7.4,7.4,4.7,7.5,4.6,7.6,7.1,4.6,6.6,4.6,7.2,4.7,6.0,4.6,6.2,5.1,7.0,5.4,4.6,4.7,4.6,7.6,4.7,7.8,7.8,7.7,4.7] + detection-update: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + ERROR-EVENT: Unknown packet type [7/16] + new: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] + detected: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] + analyse: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.221| 0.032| 0.054| 2931.592| 3.400] + [PKTLEN......: 52.000| 1492.000| 907.900| 687.500| 472618.500| 4.400] + [BINS(c->s)..: 5,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0] + [BINS(s->c)..: 5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0] + [IATS(ms)....: 43.2,43.3,94.0,139.8,0.2,45.9,0.1,0.1,1.4,46.8,45.4,177.2,0.0,0.0,221.2,44.0,0.0,0.0,0.0,21.3,21.2,0.0,23.0,23.0,0.0,0.0,0.0,1.2,1.2,0.0,0.0] + [PKTLENS.....: 64,60,52,226,1492,1492,52,1375,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,1480,1480,1480,1480,52,1480,1480,1480] + [ENTROPIES...: 4.4,5.2,4.9,5.6,7.3,7.3,4.9,7.7,4.9,5.9,5.5,4.9,7.9,7.9,7.9,5.1,7.9,7.9,7.9,7.9,5.1,7.9,7.9,5.1,7.9,7.9,7.9,7.9,5.1,7.9,7.9,7.9] + new: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] + detected: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + new: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] + detected: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com] + detection-update: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com] + analyse: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.050| 0.018| 0.021| 449.200| 3.900] + [PKTLEN......: 52.000| 1492.000| 680.600| 673.100| 453031.800| 4.200] + [BINS(c->s)..: 7,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0] + [BINS(s->c)..: 7,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,1,1,1,1,0,0] + [IATS(ms)....: 45.3,45.4,0.3,49.2,0.0,48.8,0.2,0.2,1.3,46.5,45.3,1.9,0.0,0.0,47.7,45.8,0.0,0.0,0.0,37.7,37.7,0.0,8.0,8.1,0.0,0.7,37.0,7.8,4.3,49.8,1.3] + [PKTLENS.....: 64,60,52,258,1492,1375,64,1492,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,1480,825,52,52,52,497,52,83] + [ENTROPIES...: 4.3,5.2,5.0,6.0,7.3,7.7,5.1,7.3,5.0,6.0,5.7,5.1,7.8,7.9,7.9,5.2,7.9,7.9,7.9,7.9,5.2,7.9,7.9,5.2,7.9,7.8,5.1,5.2,5.2,7.5,5.0,5.3] + ERROR-EVENT: Unknown packet type [8/16] + ERROR-EVENT: Unknown packet type [9/16] + new: [.....9] [ip4][..tcp] [....192.168.1.6][60537] -> [...52.114.77.33][..443] + detected: [.....9] [ip4][..tcp] [....192.168.1.6][60537] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + detection-update: [.....9] [ip4][..tcp] [....192.168.1.6][60537] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + ERROR-EVENT: Unknown packet type [10/16] + new: [....10] [ip4][..udp] [....192.168.1.6][64046] -> [....192.168.1.1][...53] + detected: [....10] [ip4][..udp] [....192.168.1.6][64046] -> [....192.168.1.1][...53] [DNS.ntop][Unknown][Network][Safe][b._dns-sd._udp.ntop.org] + new: [....11] [ip4][..udp] [....192.168.1.6][17500] -> [255.255.255.255][17500] + detected: [....11] [ip4][..udp] [....192.168.1.6][17500] -> [255.255.255.255][17500] [Dropbox][Unknown][Cloud][Acceptable] + new: [....12] [ip4][..udp] [....192.168.1.6][17500] -> [..192.168.1.255][17500] + detected: [....12] [ip4][..udp] [....192.168.1.6][17500] -> [..192.168.1.255][17500] [Dropbox][Unknown][Cloud][Acceptable] + ERROR-EVENT: Unknown packet type [11/16] + ERROR-EVENT: Unknown packet type [12/16] + detection-update: [....10] [ip4][..udp] [....192.168.1.6][64046] -> [....192.168.1.1][...53] [DNS.ntop][Unknown][Network][Safe][b._dns-sd._udp.ntop.org] + RISK: Unidirectional Traffic + detection-update: [....10] [ip4][..udp] [....192.168.1.6][64046] -> [....192.168.1.1][...53] [DNS.ntop][Unknown][Network][Safe][b._dns-sd._udp.ntop.org] + RISK: Error Code + new: [....13] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] + detected: [....13] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable][] + new: [....14] [ip4][..tcp] [..93.62.150.157][..443] -> [....192.168.1.6][60512] [MIDSTREAM] + detected: [....14] [ip4][..tcp] [..93.62.150.157][..443] -> [....192.168.1.6][60512] [TLS][Unknown][Web][Safe] + ERROR-EVENT: Unknown packet type [13/16] + new: [....15] [ip4][..udp] [....192.168.1.6][56634] -> [....192.168.1.1][...53] + detected: [....15] [ip4][..udp] [....192.168.1.6][56634] -> [....192.168.1.1][...53] [DNS.Apple][Unknown][Network][Safe][captive.apple.com.edgekey.net] + detection-update: [....15] [ip4][..udp] [....192.168.1.6][56634] -> [....192.168.1.1][...53] [DNS.Apple][Unknown][Network][Safe][captive.apple.com.edgekey.net] + ERROR-EVENT: Unknown packet type [14/16] + ERROR-EVENT: Unknown packet type [15/16] + new: [....16] [ip4][..udp] [....192.168.1.6][51033] -> [....192.168.1.1][...53] + detected: [....16] [ip4][..udp] [....192.168.1.6][51033] -> [....192.168.1.1][...53] [DNS.Skype_Teams][Unknown][Network][Acceptable][eu-api.asm.skype.com] + new: [....17] [ip4][..udp] [....192.168.1.6][63106] -> [....192.168.1.1][...53] + detected: [....17] [ip4][..udp] [....192.168.1.6][63106] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][eu-prod.asyncgw.teams.microsoft.com] + detection-update: [....17] [ip4][..udp] [....192.168.1.6][63106] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][eu-prod.asyncgw.teams.microsoft.com] + new: [....18] [ip4][..tcp] [....192.168.1.6][60538] -> [...52.114.75.70][..443] + detection-update: [....16] [ip4][..udp] [....192.168.1.6][51033] -> [....192.168.1.1][...53] [DNS.Skype_Teams][Unknown][Network][Acceptable][eu-api.asm.skype.com] + new: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] + detected: [....18] [ip4][..tcp] [....192.168.1.6][60538] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] + detected: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] + new: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] + new: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] + detected: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] + detected: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] + new: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] + detected: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][config.teams.microsoft.com] + detection-update: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] + detection-update: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][config.teams.microsoft.com] + new: [....23] [ip4][..tcp] [....192.168.1.6][60542] -> [.52.113.194.132][..443] + detected: [....23] [ip4][..tcp] [....192.168.1.6][60542] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][config.teams.microsoft.com] + detection-update: [....23] [ip4][..tcp] [....192.168.1.6][60542] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][config.teams.microsoft.com] + new: [....24] [ip4][..udp] [....192.168.1.6][65387] -> [....192.168.1.1][...53] + detected: [....24] [ip4][..udp] [....192.168.1.6][65387] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe][northeuropecns.trafficmanager.net] + new: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] + detection-update: [....24] [ip4][..udp] [....192.168.1.6][65387] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe][northeuropecns.trafficmanager.net] + new: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443] + detected: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + detected: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443] [TLS.Teams][Azure][Collaborative][Safe][northeurope.notifications.teams.microsoft.com] + detection-update: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + ERROR-EVENT: Unknown packet type [16/16] + new: [....27] [ip4][..udp] [....192.168.1.6][57530] -> [....192.168.1.1][...53] + detected: [....27] [ip4][..udp] [....192.168.1.6][57530] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe][presence.services.sfb.trafficmanager.net] + detection-update: [....27] [ip4][..udp] [....192.168.1.6][57530] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe][presence.services.sfb.trafficmanager.net] + new: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] + new: [....29] [ip4][..tcp] [.162.125.19.131][..443] -> [....192.168.1.6][60344] [MIDSTREAM] + detected: [....29] [ip4][..tcp] [.162.125.19.131][..443] -> [....192.168.1.6][60344] [TLS][Dropbox][Web][Safe] + detected: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Azure][Collaborative][Safe][presence.teams.microsoft.com] + analyse: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.153| 0.028| 0.040| 1626.047| 3.600] + [PKTLEN......: 52.000| 1492.000| 819.700| 699.200| 488828.900| 4.300] + [BINS(c->s)..: 5,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0] + [BINS(s->c)..: 7,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,1,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0] + [IATS(ms)....: 50.5,50.6,0.3,64.6,72.0,0.2,136.5,0.1,0.1,1.4,68.0,86.2,152.9,2.3,0.0,0.0,46.4,44.1,0.0,0.0,0.0,23.6,23.6,0.0,20.9,20.9,0.0,0.0,0.0,0.8,0.8] + [PKTLENS.....: 64,60,52,258,52,1492,1492,52,1375,52,145,52,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,1480,1480,1480,1480,52,1480] + [ENTROPIES...: 4.4,5.3,5.0,5.9,5.1,7.3,7.3,5.0,7.7,5.0,5.9,5.2,5.6,5.0,7.9,7.8,7.9,5.2,7.9,7.9,7.9,7.9,5.2,7.9,7.9,5.2,7.9,7.9,7.8,7.9,5.2,7.9] + new: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] + detected: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org] + RISK: Known Proto on Non Std Port + detection-update: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org] + RISK: Known Proto on Non Std Port + analyse: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Azure][Collaborative][Safe][presence.teams.microsoft.com] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.201| 0.025| 0.047| 2215.159| 3.200] + [PKTLEN......: 40.000| 1492.000| 340.200| 510.300| 260451.700| 3.800] + [BINS(c->s)..: 11,1,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] + [BINS(s->c)..: 3,3,1,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,0,1,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,0,0,1,1] + [IATS(ms)....: 45.7,45.8,0.2,47.9,0.0,47.7,0.0,0.1,0.2,0.1,0.2,9.9,9.9,3.5,10.4,0.4,51.4,37.1,0.2,0.2,0.2,7.1,7.0,1.3,1.2,79.2,201.4,0.0,0.0,167.5,0.2] + [PKTLENS.....: 64,52,40,259,1492,1492,52,40,40,1492,1492,40,453,40,198,133,503,91,40,109,40,78,78,40,479,40,46,1480,150,206,46,82] + [ENTROPIES...: 4.4,5.0,4.6,5.4,7.1,7.4,4.7,4.7,4.5,7.6,7.6,4.7,7.5,4.7,6.6,6.1,7.6,5.4,4.6,6.0,4.5,5.2,5.4,4.7,7.5,4.7,4.5,7.9,6.6,6.7,4.5,5.4] + new: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] + detected: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][chatsvcagg.svcs.teams.office.com] + detection-update: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][chatsvcagg.svcs.teams.office.com] + new: [....32] [ip4][..tcp] [....192.168.1.6][60547] -> [...52.114.88.59][..443] + detected: [....32] [ip4][..tcp] [....192.168.1.6][60547] -> [...52.114.88.59][..443] [TLS.Teams][Azure][Collaborative][Safe][chatsvcagg.teams.microsoft.com] + new: [....33] [ip4][..tcp] [....192.168.1.6][60548] -> [...52.114.77.33][..443] + detected: [....33] [ip4][..tcp] [....192.168.1.6][60548] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + detection-update: [....33] [ip4][..tcp] [....192.168.1.6][60548] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + analyse: [....32] [ip4][..tcp] [....192.168.1.6][60547] -> [...52.114.88.59][..443] [TLS.Teams][Azure][Collaborative][Safe] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.115| 0.021| 0.031| 968.681| 3.500] + [PKTLEN......: 52.000| 1492.000| 377.200| 521.700| 272149.200| 3.900] + [BINS(c->s)..: 11,1,1,1,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0] + [BINS(s->c)..: 3,2,1,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,0,1,1,0,1] + [IATS(ms)....: 34.2,34.3,0.3,36.9,0.0,36.6,0.0,0.2,0.2,0.1,0.0,0.1,1.0,12.0,0.3,36.0,22.7,0.2,0.2,0.1,10.4,10.3,0.6,0.6,77.1,91.7,0.0,49.1,80.4,115.1,0.2] + [PKTLENS.....: 64,60,52,273,1492,1492,64,52,1492,52,1492,302,52,178,145,533,103,52,121,52,90,90,52,414,52,52,1480,247,52,227,52,1139] + [ENTROPIES...: 4.3,5.1,4.7,5.5,7.4,7.3,4.8,4.8,7.5,4.7,7.6,7.4,4.8,6.3,6.2,7.5,5.6,4.9,6.0,4.9,5.4,5.5,4.8,7.4,4.9,5.1,7.8,7.0,5.0,6.8,4.7,7.8] + new: [....34] [ip4][..udp] [....192.168.1.6][59403] -> [....192.168.1.1][...53] + detected: [....34] [ip4][..udp] [....192.168.1.6][59403] -> [....192.168.1.1][...53] [DNS.Microsoft365][Unknown][Network][Acceptable][substrate.office.com] + detection-update: [....34] [ip4][..udp] [....192.168.1.6][59403] -> [....192.168.1.1][...53] [DNS.Microsoft365][Unknown][Network][Acceptable][substrate.office.com] + new: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] + detected: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Outlook][Collaborative][Acceptable][substrate.office.com] + detection-update: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Outlook][Collaborative][Acceptable][substrate.office.com] + analyse: [....23] [ip4][..tcp] [....192.168.1.6][60542] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 2.010| 0.146| 0.490| 239614.050| 1.700] + [PKTLEN......: 40.000| 1492.000| 305.200| 468.100| 219152.800| 3.800] + [BINS(c->s)..: 9,1,1,0,1,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 7,1,1,0,1,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,1,0,0,0,0,0,1,1,0,1,1,1,0,0,1,1] + [IATS(ms)....: 12.7,12.8,0.2,12.4,2.5,0.3,14.9,0.5,0.5,0.2,0.0,0.8,4.9,17.1,1.4,0.0,13.1,0.0,0.2,0.3,0.1,11.8,0.0,11.2,0.1,0.6,112.9,113.7,1998.1,2009.8,174.6] + [PKTLENS.....: 64,52,40,257,46,1492,1492,40,1492,40,1492,181,40,198,46,366,109,40,40,133,78,561,46,78,40,46,46,440,40,342,46,345] + [ENTROPIES...: 4.4,5.0,4.6,5.5,4.5,7.3,7.5,4.6,7.5,4.6,7.7,6.8,4.7,6.5,4.5,7.2,6.0,4.6,4.6,6.2,5.2,7.6,4.4,5.4,4.6,4.5,4.5,7.5,4.7,7.2,4.5,7.3] + analyse: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Outlook][Collaborative][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.540| 0.024| 0.095| 8949.939| 1.900] + [PKTLEN......: 40.000| 1492.000| 331.500| 473.500| 224192.200| 3.900] + [BINS(c->s)..: 9,1,1,0,2,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] + [BINS(s->c)..: 5,2,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,0,0,0,0,1,1,1,0,0,0,1,1,0,1,1,0,1,0,0,0,0] + [IATS(ms)....: 11.5,11.6,0.3,11.9,32.5,0.1,44.2,0.2,0.0,0.2,3.8,7.7,0.3,0.1,14.6,1.5,0.0,4.2,0.0,0.3,6.5,0.5,6.7,4.3,9.9,14.2,10.7,10.7,539.6,0.0,0.3] + [PKTLENS.....: 64,52,40,251,46,1492,1492,40,1492,80,40,198,133,578,172,46,366,109,40,40,78,46,78,40,46,689,40,359,40,1480,694,248] + [ENTROPIES...: 4.4,4.9,4.5,5.4,4.5,6.7,7.5,4.6,7.6,5.7,4.7,6.5,6.2,7.6,6.5,4.5,7.2,5.8,4.6,4.6,5.3,4.5,5.4,4.6,4.5,7.7,4.7,7.3,4.7,7.8,7.7,7.0] + new: [....36] [ip4][..udp] [....192.168.1.6][61245] -> [....192.168.1.1][...53] + detected: [....36] [ip4][..udp] [....192.168.1.6][61245] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][euaz.tr.teams.microsoft.com] + new: [....37] [ip4][..udp] [....192.168.1.6][53678] -> [....192.168.1.1][...53] + detected: [....37] [ip4][..udp] [....192.168.1.6][53678] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][trouter2-asse-a.trouter.teams.microsoft.com] + new: [....38] [ip4][..udp] [....192.168.1.6][65230] -> [....192.168.1.1][...53] + detected: [....38] [ip4][..udp] [....192.168.1.6][65230] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][trouter2-asse-a.trouter.teams.microsoft.com] + new: [....39] [ip4][..udp] [....192.168.1.6][50653] -> [....192.168.1.1][...53] + detected: [....39] [ip4][..udp] [....192.168.1.6][50653] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][api.flightproxy.teams.microsoft.com] + detection-update: [....37] [ip4][..udp] [....192.168.1.6][53678] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][trouter2-asse-a.trouter.teams.microsoft.com] + detection-update: [....38] [ip4][..udp] [....192.168.1.6][65230] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][trouter2-asse-a.trouter.teams.microsoft.com] + new: [....40] [ip4][..tcp] [....192.168.1.6][60551] -> [...52.114.15.45][..443] + detection-update: [....39] [ip4][..udp] [....192.168.1.6][50653] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][api.flightproxy.teams.microsoft.com] + detection-update: [....36] [ip4][..udp] [....192.168.1.6][61245] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][euaz.tr.teams.microsoft.com] + RISK: Minor Issues + new: [....41] [ip4][..udp] [....192.168.1.6][58457] -> [....192.168.1.1][...53] + detected: [....41] [ip4][..udp] [....192.168.1.6][58457] -> [....192.168.1.1][...53] [DNS.Microsoft365][Unknown][Network][Acceptable][outlook.office.com] + detection-update: [....41] [ip4][..udp] [....192.168.1.6][58457] -> [....192.168.1.1][...53] [DNS.Microsoft365][Unknown][Network][Acceptable][outlook.office.com] + new: [....42] [ip4][..tcp] [....192.168.1.6][60552] -> [...52.114.77.33][..443] + new: [....43] [ip4][..tcp] [....192.168.1.6][60554] -> [.52.113.194.132][..443] + new: [....44] [ip4][..udp] [....192.168.1.6][51309] -> [....192.168.1.1][...53] + detected: [....44] [ip4][..udp] [....192.168.1.6][51309] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][skypedataprdcolneu04.cloudapp.net] + new: [....45] [ip4][..tcp] [....192.168.1.6][60555] -> [...52.114.77.33][..443] + new: [....46] [ip4][..tcp] [....192.168.1.6][60556] -> [.....40.126.9.7][..443] + detected: [....43] [ip4][..tcp] [....192.168.1.6][60554] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][config.teams.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + detection-update: [....44] [ip4][..udp] [....192.168.1.6][51309] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][skypedataprdcolneu04.cloudapp.net] + detected: [....40] [ip4][..tcp] [....192.168.1.6][60551] -> [...52.114.15.45][..443] [TLS.Teams][Azure][Collaborative][Safe][trouter2-asse-a.trouter.teams.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + detection-update: [....43] [ip4][..tcp] [....192.168.1.6][60554] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][config.teams.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + detected: [....42] [ip4][..tcp] [....192.168.1.6][60552] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + detected: [....46] [ip4][..tcp] [....192.168.1.6][60556] -> [.....40.126.9.7][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] + detected: [....45] [ip4][..tcp] [....192.168.1.6][60555] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + detection-update: [....42] [ip4][..tcp] [....192.168.1.6][60552] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + detection-update: [....45] [ip4][..tcp] [....192.168.1.6][60555] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + detection-update: [....40] [ip4][..tcp] [....192.168.1.6][60551] -> [...52.114.15.45][..443] [TLS.Teams][Azure][Collaborative][Safe][trouter2-asse-a.trouter.teams.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + analyse: [....43] [ip4][..tcp] [....192.168.1.6][60554] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.154| 0.015| 0.036| 1274.324| 2.800] + [PKTLEN......: 40.000| 1492.000| 585.700| 671.400| 450756.000| 4.000] + [BINS(c->s)..: 10,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 5,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,10,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,1,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1] + [IATS(ms)....: 12.9,13.0,0.5,12.4,2.0,1.5,15.4,0.1,0.1,0.1,0.0,0.1,21.6,33.0,11.5,11.7,0.1,11.8,0.6,13.4,140.4,0.7,154.0,0.2,0.2,0.2,0.2,0.5,0.0,0.1,0.2] + [PKTLENS.....: 64,52,40,226,46,1492,1492,40,1492,40,1492,168,40,147,46,91,46,91,40,1122,46,1492,1492,40,1317,40,1492,1492,40,40,1492,1492] + [ENTROPIES...: 4.4,4.9,4.5,5.5,4.4,7.3,7.5,4.6,7.5,4.5,7.7,6.7,4.6,6.5,4.5,5.7,4.5,5.6,4.6,7.8,4.6,7.9,7.9,4.6,7.9,4.6,7.9,7.9,4.6,4.5,7.9,7.9] + new: [....47] [ip4][..tcp] [....192.168.1.6][60557] -> [.52.113.194.132][..443] + detected: [....47] [ip4][..tcp] [....192.168.1.6][60557] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + detection-update: [....47] [ip4][..tcp] [....192.168.1.6][60557] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + new: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] + detected: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + analyse: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.053| 0.020| 0.022| 492.470| 3.900] + [PKTLEN......: 52.000| 1492.000| 640.900| 667.900| 446080.700| 4.100] + [BINS(c->s)..: 9,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0] + [BINS(s->c)..: 6,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,1,1,1,0,0,0] + [IATS(ms)....: 48.6,48.7,0.3,51.0,0.1,50.7,0.0,0.3,0.3,1.7,49.8,48.1,1.4,0.0,0.0,50.5,49.1,0.0,0.0,0.0,37.2,37.2,0.0,11.5,11.5,1.0,36.0,16.0,53.0,0.7,0.1] + [PKTLENS.....: 64,60,52,258,1492,1492,64,52,1375,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,985,52,52,497,52,83,52] + [ENTROPIES...: 4.4,5.3,4.9,6.0,7.3,7.3,5.1,4.9,7.6,5.0,5.9,5.7,5.0,7.9,7.9,7.9,5.1,7.9,7.9,7.9,7.9,5.2,7.8,7.9,5.1,7.8,5.1,5.2,7.6,5.1,5.3,5.0] + new: [....49] [ip4][..udp] [..192.168.1.112][57621] -> [..192.168.1.255][57621] + detected: [....49] [ip4][..udp] [..192.168.1.112][57621] -> [..192.168.1.255][57621] [Spotify][Unknown][Music][Fun] + new: [....50] [ip4][..tcp] [....192.168.1.6][60560] -> [....40.126.9.67][..443] + detected: [....50] [ip4][..tcp] [....192.168.1.6][60560] -> [....40.126.9.67][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] + detection-update: [....50] [ip4][..tcp] [....192.168.1.6][60560] -> [....40.126.9.67][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] + new: [....51] [ip4][..tcp] [....192.168.1.6][60561] -> [...52.114.77.33][..443] + detected: [....51] [ip4][..tcp] [....192.168.1.6][60561] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + new: [....52] [ip4][..udp] [....192.168.1.6][54069] -> [....192.168.1.1][...53] + detected: [....52] [ip4][..udp] [....192.168.1.6][54069] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][api.microsoftstream.com] + detection-update: [....52] [ip4][..udp] [....192.168.1.6][54069] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][api.microsoftstream.com] + new: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] + detected: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][api.microsoftstream.com] + detection-update: [....51] [ip4][..tcp] [....192.168.1.6][60561] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + analyse: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.126| 0.019| 0.032| 1006.354| 3.400] + [PKTLEN......: 52.000| 1492.000| 345.200| 499.900| 249913.200| 3.900] + [BINS(c->s)..: 12,1,3,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0] + [BINS(s->c)..: 2,3,1,0,0,0,0,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,0,0,0,1,1,0,0,0,1,0,1,0,0,0,1,1,0,1,0] + [IATS(ms)....: 29.5,29.6,0.2,45.7,0.2,45.7,0.1,0.1,0.1,0.1,0.0,0.1,0.6,23.2,0.2,30.2,0.0,6.1,0.0,0.2,22.9,22.6,1.5,1.4,2.9,0.0,32.7,0.2,30.1,125.5,125.6] + [PKTLENS.....: 64,60,52,266,1492,1492,64,1492,52,52,1492,281,52,145,145,424,103,121,52,52,90,90,52,548,52,1365,135,52,94,52,510,52] + [ENTROPIES...: 4.4,5.2,4.9,5.6,7.4,7.5,4.9,7.4,4.9,4.8,7.6,7.1,5.0,5.9,6.3,7.4,5.6,6.1,4.9,4.9,5.4,5.6,4.9,7.5,5.0,7.9,6.1,5.1,5.7,5.0,7.5,4.9] + new: [....54] [ip4][..udp] [....192.168.1.6][62735] -> [....192.168.1.1][...53] + detected: [....54] [ip4][..udp] [....192.168.1.6][62735] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][euno-1.api.microsoftstream.com] + detection-update: [....54] [ip4][..udp] [....192.168.1.6][62735] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][euno-1.api.microsoftstream.com] + new: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443] + analyse: [....51] [ip4][..tcp] [....192.168.1.6][60561] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.162| 0.032| 0.044| 1964.919| 3.600] + [PKTLEN......: 52.000| 1492.000| 736.700| 694.000| 481656.100| 4.200] + [BINS(c->s)..: 5,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0] + [BINS(s->c)..: 8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0] + [DIRECTIONS..: 0,1,0,0,0,1,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,1,1,1] + [IATS(ms)....: 48.4,48.5,0.5,88.2,136.5,113.7,0.2,161.8,0.1,0.1,1.1,74.6,73.5,1.1,0.0,0.0,50.1,49.0,0.0,0.0,0.0,48.4,48.4,0.0,0.0,0.0,1.6,1.5,46.9,1.1,1.7] + [PKTLENS.....: 64,60,52,258,258,64,1492,1492,52,1375,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,1480,1480,52,1462,52,52,52] + [ENTROPIES...: 4.4,5.3,4.9,6.0,6.0,5.1,7.3,7.3,5.0,7.7,5.0,6.0,5.6,5.0,7.9,7.9,7.9,5.2,7.9,7.9,7.9,7.9,5.1,7.9,7.9,7.9,7.9,5.2,7.9,5.2,5.2,5.2] + detected: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][euno-1.api.microsoftstream.com] + new: [....56] [ip4][..udp] [....192.168.1.6][63930] -> [....192.168.1.1][...53] + detected: [....56] [ip4][..udp] [....192.168.1.6][63930] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe][dc.applicationinsights.microsoft.com] + detection-update: [....56] [ip4][..udp] [....192.168.1.6][63930] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe][dc.applicationinsights.microsoft.com] + new: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] + detected: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] + new: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] + detected: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][emea.ng.msg.teams-msgapi.trafficmanager.net] + detection-update: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][emea.ng.msg.teams-msgapi.trafficmanager.net] + new: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] + detected: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe][emea.ng.msg.teams.microsoft.com] + analyse: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe][emea.ng.msg.teams.microsoft.com] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.277| 0.019| 0.049| 2449.644| 2.900] + [PKTLEN......: 52.000| 1492.000| 370.200| 512.100| 262257.700| 3.900] + [BINS(c->s)..: 11,1,2,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 3,3,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,4,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,0,0,0,1,1,0,0,0,1,0,1,0,1,0,0,1,1,0,1] + [IATS(ms)....: 19.2,19.3,0.2,22.0,0.0,21.8,0.0,0.2,0.2,0.2,0.0,0.2,1.1,12.3,0.3,19.9,0.0,6.3,0.0,0.6,12.0,11.4,1.5,1.4,55.0,62.1,0.0,25.5,0.0,18.4,276.9] + [PKTLENS.....: 64,60,52,274,1492,1492,64,52,1492,52,1492,471,52,178,145,525,103,121,52,52,90,90,52,511,52,52,1046,134,52,94,52,1335] + [ENTROPIES...: 4.4,5.3,4.9,5.6,7.1,7.3,5.0,5.0,7.5,4.9,7.6,7.5,4.9,6.3,6.3,7.6,5.6,5.9,5.0,4.9,5.4,5.7,5.0,7.5,5.0,5.2,7.8,6.2,5.2,5.6,5.0,7.8] + analyse: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443] [TLS.Teams][Azure][Collaborative][Safe][northeurope.notifications.teams.microsoft.com] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 8.978| 0.329| 1.582| 2503841.415| 0.800] + [PKTLEN......: 40.000| 1492.000| 339.200| 486.100| 236250.500| 3.900] + [BINS(c->s)..: 10,1,1,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 4,3,1,0,0,0,0,0,1,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,0,0,0,0,0,1,0,1,0,0,1,1,0,1,0,1,1,1,1,1] + [IATS(ms)....: 47.1,47.2,0.5,44.4,0.0,43.9,0.0,0.0,0.2,0.1,0.0,0.2,0.0,4.4,9.7,0.3,46.5,32.1,0.5,0.4,0.1,18.9,1.4,20.2,62.9,403.2,425.0,8978.2,0.0,0.0,0.0] + [PKTLENS.....: 64,52,40,276,1492,1492,52,40,40,1492,1492,309,40,40,198,133,568,91,40,109,40,78,46,409,40,46,1100,46,411,415,86,78] + [ENTROPIES...: 4.3,4.9,4.6,5.6,7.4,7.3,4.7,4.6,4.6,7.5,7.6,7.1,4.7,4.6,6.5,6.1,7.6,5.4,4.6,5.9,4.6,5.2,4.5,7.4,4.7,4.5,7.8,4.6,7.4,7.5,5.6,5.5] + new: [....60] [ip4][..tcp] [..151.11.50.139][.2222] -> [....192.168.1.6][54750] [MIDSTREAM] + new: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] + detected: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org] + RISK: Known Proto on Non Std Port + detection-update: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org] + RISK: Known Proto on Non Std Port + new: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478] + new: [....63] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.123][.3478] + detected: [....63] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.123][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] + new: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443] + new: [....65] [ip4][..udp] [....192.168.1.6][55765] -> [....192.168.1.1][...53] + detected: [....65] [ip4][..udp] [....192.168.1.6][55765] -> [....192.168.1.1][...53] [DNS.Azure][Unknown][Network][Acceptable][b-tr-teams-euno-05.northeurope.cloudapp.azure.com] + detection-update: [....65] [ip4][..udp] [....192.168.1.6][55765] -> [....192.168.1.1][...53] [DNS.Azure][Unknown][Network][Acceptable][b-tr-teams-euno-05.northeurope.cloudapp.azure.com] + detected: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + new: [....66] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.123][.3478] + detected: [....66] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.123][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] + new: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] + new: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] + detected: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] + new: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] + detected: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] + detected: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + new: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] + detected: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] + new: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] + detected: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] + detection-update: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] + detection-update: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] + new: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443] + new: [....73] [ip4][..tcp] [....192.168.1.6][50036] -> [.52.114.250.153][..443] + detected: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][52.114.250.152] + RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS + detected: [....73] [ip4][..tcp] [....192.168.1.6][50036] -> [.52.114.250.153][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][52.114.250.153] + RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS + detection-update: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443] [TLS.Teams][Azure][Collaborative][Safe][52.114.250.152] + RISK: TLS Cert Mismatch, TLS (probably) Not Carrying HTTPS + detection-update: [....73] [ip4][..tcp] [....192.168.1.6][50036] -> [.52.114.250.153][..443] [TLS.Teams][Azure][Collaborative][Safe][52.114.250.153] + RISK: TLS Cert Mismatch, TLS (probably) Not Carrying HTTPS + new: [....74] [ip4][..tcp] [....192.168.1.6][60567] -> [..52.114.77.136][..443] + new: [....75] [ip4][..udp] [....192.168.1.6][60837] -> [....192.168.1.1][...53] + detected: [....75] [ip4][..udp] [....192.168.1.6][60837] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][c-flightproxy-euno-01-teams.cloudapp.net] + detection-update: [....75] [ip4][..udp] [....192.168.1.6][60837] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][c-flightproxy-euno-01-teams.cloudapp.net] + detected: [....74] [ip4][..tcp] [....192.168.1.6][60567] -> [..52.114.77.136][..443] [TLS.Teams][Azure][Collaborative][Safe][api.flightproxy.teams.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + new: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] + detected: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....77] [ip4][..udp] [....192.168.1.6][50036] -> [....192.168.0.4][50020] + detected: [....77] [ip4][..udp] [....192.168.1.6][50036] -> [....192.168.0.4][50020] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....78] [ip4][..udp] [..93.71.110.205][16332] -> [....192.168.1.6][50016] + detected: [....78] [ip4][..udp] [..93.71.110.205][16332] -> [....192.168.1.6][50016] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....79] [ip4][..udp] [..93.71.110.205][16333] -> [....192.168.1.6][50036] + detected: [....79] [ip4][..udp] [..93.71.110.205][16333] -> [....192.168.1.6][50036] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + detection-update: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] + RISK: Unidirectional Traffic + detection-update: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] + RISK: Unidirectional Traffic + detection-update: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] + detection-update: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] + new: [....80] [ip4][..udp] [..52.114.252.21][.3480] -> [....192.168.1.6][50036] + detected: [....80] [ip4][..udp] [..52.114.252.21][.3480] -> [....192.168.1.6][50036] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....81] [ip4][..udp] [...52.114.252.8][.3479] -> [....192.168.1.6][50016] + detected: [....81] [ip4][..udp] [...52.114.252.8][.3479] -> [....192.168.1.6][50016] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + analyse: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 1.567| 0.072| 0.275| 75449.426| 1.900] + [PKTLEN......: 40.000| 1492.000| 256.900| 427.000| 182315.300| 3.700] + [BINS(c->s)..: 15,1,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 4,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,0,0,0,0,1,1,0,0,1,0,0,0,1,1] + [IATS(ms)....: 45.0,45.1,0.2,47.4,47.2,0.2,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.0,8.0,0.0,0.0,52.4,1.2,45.6,48.6,92.2,43.7,69.1,0.3,113.5,1566.9] + [PKTLENS.....: 64,52,40,227,1492,52,1492,588,52,52,1492,588,52,40,588,166,40,40,40,147,46,85,46,91,40,141,224,40,71,40,46,46] + [ENTROPIES...: 4.4,4.9,4.5,5.4,7.5,4.6,7.4,6.2,4.7,4.7,7.7,7.0,4.7,4.5,7.6,6.6,4.4,4.5,4.5,6.4,4.5,5.8,4.6,5.4,4.6,6.4,6.9,4.5,5.4,4.4,4.6,4.6] + detection-update: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + detection-update: [....77] [ip4][..udp] [....192.168.1.6][50036] -> [....192.168.0.4][50020] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + new: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] + detected: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] + new: [....83] [ip4][.icmp] [..93.71.110.205] -> [....192.168.1.6] + detected: [....83] [ip4][.icmp] [..93.71.110.205] -> [....192.168.1.6] [ICMP][Unknown][Network][Acceptable] + analyse: [....78] [ip4][..udp] [..93.71.110.205][16332] -> [....192.168.1.6][50016] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 1.168| 0.160| 0.366| 133702.353| 2.700] + [PKTLEN......: 66.000| 1242.000| 253.400| 374.400| 140199.200| 4.000] + [BINS(c->s)..: 0,2,16,4,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 0,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,0,1,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [IATS(ms)....: 24.8,0.2,101.3,1168.2,1167.0,967.1,50.8,1119.2,0.0,0.0,51.0,80.3,2.0,2.7,3.7,0.0,0.0,0.0,10.7,24.2,9.3,21.5,4.5,19.9,25.3,9.2,24.4,24.6,9.5,26.0,24.3] + [PKTLENS.....: 140,116,140,116,144,116,138,136,66,1242,1242,136,101,66,1242,1242,70,194,126,94,96,103,108,110,102,98,112,106,103,101,102,102] + [ENTROPIES...: 5.4,5.4,5.6,5.5,5.5,5.5,6.4,5.5,5.3,7.8,7.8,5.4,6.1,5.3,7.8,7.8,5.4,6.9,6.4,5.9,6.0,6.1,5.4,6.3,6.1,6.0,6.3,6.0,6.1,6.2,6.1,6.2] + idle: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443] [TLS.Teams][Azure][Collaborative][Safe] + RISK: TLS Cert Mismatch, TLS (probably) Not Carrying HTTPS + end: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + end: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + idle: [....83] [ip4][.icmp] [..93.71.110.205] -> [....192.168.1.6] [ICMP][Unknown][Network][Acceptable] + end: [....73] [ip4][..tcp] [....192.168.1.6][50036] -> [.52.114.250.153][..443] [TLS.Teams][Azure][Collaborative][Safe] + RISK: TLS Cert Mismatch, TLS (probably) Not Carrying HTTPS + idle: [.....5] [ip4][..tcp] [....192.168.1.6][60533] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com] + idle: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe] + idle: [....23] [ip4][..tcp] [....192.168.1.6][60542] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][config.teams.microsoft.com] + idle: [....43] [ip4][..tcp] [....192.168.1.6][60554] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][config.teams.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + idle: [....47] [ip4][..tcp] [....192.168.1.6][60557] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe] + RISK: TLS (probably) Not Carrying HTTPS + idle: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + idle: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable] + idle: [....17] [ip4][..udp] [....192.168.1.6][63106] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][eu-prod.asyncgw.teams.microsoft.com] + idle: [....77] [ip4][..udp] [....192.168.1.6][50036] -> [....192.168.0.4][50020] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + idle: [....38] [ip4][..udp] [....192.168.1.6][65230] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][trouter2-asse-a.trouter.teams.microsoft.com] + idle: [....13] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable] + idle: [....36] [ip4][..udp] [....192.168.1.6][61245] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][euaz.tr.teams.microsoft.com] + RISK: Minor Issues + idle: [....16] [ip4][..udp] [....192.168.1.6][51033] -> [....192.168.1.1][...53] [DNS.Skype_Teams][Unknown][Network][Acceptable][eu-api.asm.skype.com] + end: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + end: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + end: [.....9] [ip4][..tcp] [....192.168.1.6][60537] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] + RISK: TLS (probably) Not Carrying HTTPS + idle: [....18] [ip4][..tcp] [....192.168.1.6][60538] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] + idle: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] + idle: [....24] [ip4][..udp] [....192.168.1.6][65387] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe][northeuropecns.trafficmanager.net] + idle: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] + idle: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable] + end: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + idle: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443] [TLS.Teams][Azure][Collaborative][Safe][northeurope.notifications.teams.microsoft.com] + idle: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Azure][Collaborative][Safe][presence.teams.microsoft.com] + idle: [....32] [ip4][..tcp] [....192.168.1.6][60547] -> [...52.114.88.59][..443] [TLS.Teams][Azure][Collaborative][Safe][chatsvcagg.teams.microsoft.com] + end: [....33] [ip4][..tcp] [....192.168.1.6][60548] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] + RISK: TLS (probably) Not Carrying HTTPS + idle: [....40] [ip4][..tcp] [....192.168.1.6][60551] -> [...52.114.15.45][..443] [TLS.Teams][Azure][Collaborative][Safe] + RISK: TLS (probably) Not Carrying HTTPS + end: [....42] [ip4][..tcp] [....192.168.1.6][60552] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] + RISK: TLS (probably) Not Carrying HTTPS + idle: [....45] [ip4][..tcp] [....192.168.1.6][60555] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] + RISK: TLS (probably) Not Carrying HTTPS + end: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + end: [....51] [ip4][..tcp] [....192.168.1.6][60561] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + idle: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe][emea.ng.msg.teams.microsoft.com] + idle: [....74] [ip4][..tcp] [....192.168.1.6][60567] -> [..52.114.77.136][..443] [TLS.Teams][Azure][Collaborative][Safe][api.flightproxy.teams.microsoft.com] + RISK: TLS (probably) Not Carrying HTTPS + idle: [.....1] [ip4][..udp] [....192.168.0.1][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable][tl-sg116e] + idle: [....11] [ip4][..udp] [....192.168.1.6][17500] -> [255.255.255.255][17500] [Dropbox][Unknown][Cloud][Acceptable] + guessed: [.....2] [ip4][..tcp] [....192.168.1.6][58533] -> [.149.154.167.91][..443] [Telegram][Telegram][Chat][Acceptable] + RISK: Unidirectional Traffic + end: [.....2] [ip4][..tcp] [....192.168.1.6][58533] -> [.149.154.167.91][..443] + idle: [....34] [ip4][..udp] [....192.168.1.6][59403] -> [....192.168.1.1][...53] [DNS.Microsoft365][Unknown][Network][Acceptable][substrate.office.com] + idle: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Outlook][Collaborative][Acceptable][substrate.office.com] + idle: [....44] [ip4][..udp] [....192.168.1.6][51309] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][skypedataprdcolneu04.cloudapp.net] + end: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe] + RISK: Known Proto on Non Std Port + idle: [....12] [ip4][..udp] [....192.168.1.6][17500] -> [..192.168.1.255][17500] [Dropbox][Unknown][Cloud][Acceptable] + idle: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe] + RISK: Known Proto on Non Std Port + idle: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][chatsvcagg.svcs.teams.office.com] + guessed: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478] [Skype_TeamsCall][Azure][VoIP][Acceptable] + RISK: Susp Entropy + idle: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478] + idle: [....27] [ip4][..udp] [....192.168.1.6][57530] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe][presence.services.sfb.trafficmanager.net] + not-detected: [....60] [ip4][..tcp] [..151.11.50.139][.2222] -> [....192.168.1.6][54750] [Unknown][Unknown][Unrated] + idle: [....60] [ip4][..tcp] [..151.11.50.139][.2222] -> [....192.168.1.6][54750] + idle: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][config.teams.microsoft.com] + idle: [....78] [ip4][..udp] [..93.71.110.205][16332] -> [....192.168.1.6][50016] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [....79] [ip4][..udp] [..93.71.110.205][16333] -> [....192.168.1.6][50036] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [....37] [ip4][..udp] [....192.168.1.6][53678] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][trouter2-asse-a.trouter.teams.microsoft.com] + idle: [....56] [ip4][..udp] [....192.168.1.6][63930] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe][dc.applicationinsights.microsoft.com] + idle: [....65] [ip4][..udp] [....192.168.1.6][55765] -> [....192.168.1.1][...53] [DNS.Azure][Unknown][Network][Acceptable][b-tr-teams-euno-05.northeurope.cloudapp.azure.com] + idle: [....49] [ip4][..udp] [..192.168.1.112][57621] -> [..192.168.1.255][57621] [Spotify][Unknown][Music][Fun] + idle: [....29] [ip4][..tcp] [.162.125.19.131][..443] -> [....192.168.1.6][60344] [TLS][Dropbox][Web][Safe] + idle: [....10] [ip4][..udp] [....192.168.1.6][64046] -> [....192.168.1.1][...53] [DNS.ntop][Unknown][Network][Safe][b._dns-sd._udp.ntop.org] + RISK: Error Code + idle: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable] + idle: [....63] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.123][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable] + idle: [....81] [ip4][..udp] [...52.114.252.8][.3479] -> [....192.168.1.6][50016] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable] + idle: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable] + idle: [....66] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.123][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable] + idle: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable] + idle: [....80] [ip4][..udp] [..52.114.252.21][.3480] -> [....192.168.1.6][50036] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [....52] [ip4][..udp] [....192.168.1.6][54069] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][api.microsoftstream.com] + end: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] + end: [....46] [ip4][..tcp] [....192.168.1.6][60556] -> [.....40.126.9.7][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] + end: [....50] [ip4][..tcp] [....192.168.1.6][60560] -> [....40.126.9.67][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable] + end: [....14] [ip4][..tcp] [..93.62.150.157][..443] -> [....192.168.1.6][60512] [TLS][Unknown][Web][Safe] + idle: [....41] [ip4][..udp] [....192.168.1.6][58457] -> [....192.168.1.1][...53] [DNS.Microsoft365][Unknown][Network][Acceptable][outlook.office.com] + idle: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] + idle: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] + idle: [....54] [ip4][..udp] [....192.168.1.6][62735] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][euno-1.api.microsoftstream.com] + idle: [....15] [ip4][..udp] [....192.168.1.6][56634] -> [....192.168.1.1][...53] [DNS.Apple][Unknown][Network][Safe][captive.apple.com.edgekey.net] + idle: [.....3] [ip4][..udp] [....192.168.1.6][60813] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][skypedataprdcolneu04.cloudapp.net] + idle: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][emea.ng.msg.teams-msgapi.trafficmanager.net] + idle: [....75] [ip4][..udp] [....192.168.1.6][60837] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][c-flightproxy-euno-01-teams.cloudapp.net] + idle: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][api.microsoftstream.com] + idle: [....39] [ip4][..udp] [....192.168.1.6][50653] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][api.flightproxy.teams.microsoft.com] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/monitoring/telegram_videocall.pcapng.out b/test/results/flow-info/monitoring/telegram_videocall.pcapng.out new file mode 100644 index 000000000..feb8f5928 --- /dev/null +++ b/test/results/flow-info/monitoring/telegram_videocall.pcapng.out @@ -0,0 +1,228 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip6][icmp6] [..............fe80::98df:58ff:fefa:ebdc] -> [................................ff02::2] + detected: [.....1] [ip6][icmp6] [..............fe80::98df:58ff:fefa:ebdc] -> [................................ff02::2] [ICMPV6][Unknown][Network][Acceptable] + new: [.....2] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] + detected: [.....2] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable] + new: [.....3] [ip4][..tcp] [.192.168.12.169][37948] -> [.149.154.167.91][..443] + new: [.....4] [ip4][..tcp] [.192.168.12.169][37950] -> [.149.154.167.91][..443] + new: [.....5] [ip4][..tcp] [.192.168.12.169][46862] -> [.149.154.167.51][..443] + new: [.....6] [ip4][..tcp] [.192.168.12.169][46866] -> [.149.154.167.51][..443] + detected: [.....4] [ip4][..tcp] [.192.168.12.169][37950] -> [.149.154.167.91][..443] [Telegram][Telegram][Chat][Acceptable] + RISK: Susp Entropy + detected: [.....5] [ip4][..tcp] [.192.168.12.169][46862] -> [.149.154.167.51][..443] [Telegram][Telegram][Chat][Acceptable] + RISK: Susp Entropy + detected: [.....6] [ip4][..tcp] [.192.168.12.169][46866] -> [.149.154.167.51][..443] [Telegram][Telegram][Chat][Acceptable] + RISK: Susp Entropy + analyse: [.....4] [ip4][..tcp] [.192.168.12.169][37950] -> [.149.154.167.91][..443] [Telegram][Telegram][Chat][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.127| 0.025| 0.031| 963.939| 3.900] + [PKTLEN......: 52.000| 1280.000| 541.900| 516.100| 266324.800| 4.300] + [BINS(c->s)..: 6,0,0,1,1,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 4,0,2,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,0,1,1,1,1,0,0,0,0,1,1,0,1,0,1,1,1,1,1,0,0,1,1,1,1,1] + [IATS(ms)....: 30.7,31.9,0.3,33.0,35.6,10.2,44.5,8.2,4.4,4.1,48.7,1.4,3.1,6.4,36.5,17.8,50.9,88.4,126.9,78.7,32.9,0.1,0.0,0.0,65.5,0.3,2.2,0.0,0.0,0.0,0.0] + [PKTLENS.....: 60,60,52,333,157,52,936,825,672,141,141,52,767,189,301,52,349,317,52,157,52,1280,1280,1280,1280,52,52,1280,1280,1280,1280,1280] + [ENTROPIES...: 4.8,5.2,5.2,7.3,6.7,5.1,7.8,7.7,7.7,6.6,6.6,5.1,7.7,6.9,7.2,5.2,7.4,7.3,5.3,6.7,5.3,7.9,7.8,7.9,7.8,5.2,5.2,7.8,7.8,7.9,7.9,7.8] + new: [.....7] [ip4][..tcp] [.192.168.12.169][40830] -> [149.154.167.222][..443] + new: [.....8] [ip4][..tcp] [.192.168.12.169][40832] -> [149.154.167.222][..443] + detected: [.....7] [ip4][..tcp] [.192.168.12.169][40830] -> [149.154.167.222][..443] [Telegram][Telegram][Chat][Acceptable] + RISK: Susp Entropy + detected: [.....8] [ip4][..tcp] [.192.168.12.169][40832] -> [149.154.167.222][..443] [Telegram][Telegram][Chat][Acceptable] + RISK: Susp Entropy + new: [.....9] [ip4][..tcp] [.192.168.12.169][40834] -> [149.154.167.222][..443] + detected: [.....9] [ip4][..tcp] [.192.168.12.169][40834] -> [149.154.167.222][..443] [Telegram][Telegram][Chat][Acceptable] + RISK: Susp Entropy + analyse: [.....7] [ip4][..tcp] [.192.168.12.169][40830] -> [149.154.167.222][..443] [Telegram][Telegram][Chat][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.047| 0.009| 0.015| 220.392| 3.200] + [PKTLEN......: 52.000| 1280.000| 644.300| 571.900| 327061.800| 4.300] + [BINS(c->s)..: 9,0,0,0,0,1,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 2,0,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,0,1,1,1,0,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1] + [IATS(ms)....: 30.1,31.4,0.3,0.6,31.5,0.0,0.0,35.0,0.2,6.9,41.7,13.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,46.8,0.1,0.0,0.1,0.9,6.5,31.9,0.0,0.0,0.0,0.0] + [PKTLENS.....: 60,60,52,630,221,52,157,262,52,52,333,221,1280,1280,1280,1280,1280,1280,1280,1280,1280,52,52,52,52,52,285,1280,1280,1280,1280,1280] + [ENTROPIES...: 4.8,5.2,5.2,7.7,7.0,5.2,6.8,7.1,5.2,5.2,7.4,7.1,7.9,7.9,7.8,7.9,7.8,7.8,7.8,7.8,7.8,5.1,5.2,5.1,5.1,5.2,7.1,7.9,7.8,7.9,7.8,7.8] + new: [....10] [ip4][..tcp] [.192.168.12.169][37966] -> [.149.154.167.91][..443] + detected: [....10] [ip4][..tcp] [.192.168.12.169][37966] -> [.149.154.167.91][..443] [Telegram][Telegram][Chat][Acceptable] + RISK: Susp Entropy + new: [....11] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] + detected: [....11] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable][_ipps._tcp.local] + new: [....12] [ip4][..udp] [.192.168.12.169][40906] -> [....91.108.9.35][.1400] + detected: [....12] [ip4][..udp] [.192.168.12.169][40906] -> [....91.108.9.35][.1400] [STUN][Telegram][Network][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....13] [ip4][..udp] [.192.168.12.169][40906] -> [...91.108.13.23][.1400] + detected: [....13] [ip4][..udp] [.192.168.12.169][40906] -> [...91.108.13.23][.1400] [STUN][Telegram][Network][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....14] [ip4][..udp] [.192.168.12.169][40906] -> [....91.108.17.2][.1400] + detected: [....14] [ip4][..udp] [.192.168.12.169][40906] -> [....91.108.17.2][.1400] [STUN][Telegram][Network][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....15] [ip4][..udp] [.192.168.12.169][42197] -> [....91.108.9.35][.1400] + detected: [....15] [ip4][..udp] [.192.168.12.169][42197] -> [....91.108.9.35][.1400] [STUN][Telegram][Network][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....16] [ip4][..udp] [.192.168.12.169][42197] -> [...91.108.13.23][.1400] + detected: [....16] [ip4][..udp] [.192.168.12.169][42197] -> [...91.108.13.23][.1400] [STUN][Telegram][Network][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....17] [ip4][..udp] [.192.168.12.169][42197] -> [....91.108.17.2][.1400] + detected: [....17] [ip4][..udp] [.192.168.12.169][42197] -> [....91.108.17.2][.1400] [STUN][Telegram][Network][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....18] [ip4][..udp] [.192.168.12.169][40643] -> [....91.108.9.35][.1400] + detected: [....18] [ip4][..udp] [.192.168.12.169][40643] -> [....91.108.9.35][.1400] [STUN][Telegram][Network][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....19] [ip4][..udp] [.192.168.12.169][49667] -> [...91.108.13.23][.1400] + detected: [....19] [ip4][..udp] [.192.168.12.169][49667] -> [...91.108.13.23][.1400] [STUN][Telegram][Network][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....20] [ip4][..udp] [.192.168.12.169][49780] -> [....91.108.17.2][.1400] + detected: [....20] [ip4][..udp] [.192.168.12.169][49780] -> [....91.108.17.2][.1400] [STUN][Telegram][Network][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....21] [ip4][..udp] [.192.168.12.169][37849] -> [....91.108.9.35][.1400] + detected: [....21] [ip4][..udp] [.192.168.12.169][37849] -> [....91.108.9.35][.1400] [STUN][Telegram][Network][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....22] [ip4][..udp] [.192.168.12.169][37530] -> [...91.108.13.23][.1400] + detected: [....22] [ip4][..udp] [.192.168.12.169][37530] -> [...91.108.13.23][.1400] [STUN][Telegram][Network][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....23] [ip4][..udp] [.192.168.12.169][37444] -> [....91.108.17.2][.1400] + detected: [....23] [ip4][..udp] [.192.168.12.169][37444] -> [....91.108.17.2][.1400] [STUN][Telegram][Network][Acceptable][] + RISK: Known Proto on Non Std Port + detection-update: [....21] [ip4][..udp] [.192.168.12.169][37849] -> [....91.108.9.35][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][telegram.org] + RISK: Known Proto on Non Std Port + detection-update: [....18] [ip4][..udp] [.192.168.12.169][40643] -> [....91.108.9.35][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][telegram.org] + RISK: Known Proto on Non Std Port + detection-update: [....19] [ip4][..udp] [.192.168.12.169][49667] -> [...91.108.13.23][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][telegram.org] + RISK: Known Proto on Non Std Port + detection-update: [....22] [ip4][..udp] [.192.168.12.169][37530] -> [...91.108.13.23][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][telegram.org] + RISK: Known Proto on Non Std Port + detection-update: [....20] [ip4][..udp] [.192.168.12.169][49780] -> [....91.108.17.2][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][telegram.org] + RISK: Known Proto on Non Std Port + detection-update: [....23] [ip4][..udp] [.192.168.12.169][37444] -> [....91.108.17.2][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][telegram.org] + RISK: Known Proto on Non Std Port + new: [....24] [ip4][..udp] [.192.168.12.169][42405] -> [..10.46.103.200][42554] + detected: [....24] [ip4][..udp] [.192.168.12.169][42405] -> [..10.46.103.200][42554] [STUN.TelegramVoip][Unknown][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....25] [ip4][..udp] [.192.168.12.169][40906] -> [..10.46.103.200][42554] + detected: [....25] [ip4][..udp] [.192.168.12.169][40906] -> [..10.46.103.200][42554] [STUN.TelegramVoip][Unknown][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....26] [ip4][..udp] [.192.168.12.169][42405] -> [...93.36.13.115][35393] + detected: [....26] [ip4][..udp] [.192.168.12.169][42405] -> [...93.36.13.115][35393] [STUN.TelegramVoip][Unknown][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + new: [....27] [ip4][..udp] [.192.168.12.169][40906] -> [...93.36.13.115][35393] + detected: [....27] [ip4][..udp] [.192.168.12.169][40906] -> [...93.36.13.115][35393] [STUN.TelegramVoip][Unknown][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + detection-update: [....24] [ip4][..udp] [.192.168.12.169][42405] -> [..10.46.103.200][42554] [STUN.TelegramVoip][Unknown][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + detection-update: [....25] [ip4][..udp] [.192.168.12.169][40906] -> [..10.46.103.200][42554] [STUN.TelegramVoip][Unknown][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + new: [....28] [ip6][icmp6] [...............fe80::abe:acff:fe0b:176e] -> [................................ff02::2] + detected: [....28] [ip6][icmp6] [...............fe80::abe:acff:fe0b:176e] -> [................................ff02::2] [ICMPV6][Unknown][Network][Acceptable] + analyse: [....26] [ip4][..udp] [.192.168.12.169][42405] -> [...93.36.13.115][35393] [STUN.TelegramVoip][Unknown][VoIP][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.475| 0.052| 0.095| 9109.989| 3.600] + [PKTLEN......: 49.000| 265.000| 106.200| 48.900| 2396.000| 4.900] + [BINS(c->s)..: 3,2,11,3,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 2,3,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,0,0,0,1,1,1,0,0,1,1,1,0,0,0,0,0,0,0,0,1,1,0,0,0,1,0] + [IATS(ms)....: 75.7,88.0,12.8,2.3,9.0,48.9,21.7,0.2,117.5,0.1,18.9,57.5,0.3,20.7,0.0,35.1,54.6,306.4,41.6,24.8,9.9,17.7,18.1,17.4,474.7,0.1,42.1,15.5,14.1,40.1,18.5] + [PKTLENS.....: 128,92,51,124,92,128,128,65,71,92,92,124,54,92,64,49,124,92,265,119,119,119,119,119,265,53,64,59,119,119,79,119] + [ENTROPIES...: 5.4,5.7,5.3,5.6,5.6,5.5,5.4,5.7,5.8,5.8,5.7,5.6,5.5,5.8,5.7,5.3,5.6,5.8,7.1,6.5,6.4,6.4,6.5,6.4,7.2,5.5,5.7,5.6,6.3,6.4,5.9,6.5] + new: [....29] [ip6][..udp] [...............fe80::abe:acff:fe0b:176e][.5353] -> [...............................ff02::fb][.5353] + detected: [....29] [ip6][..udp] [...............fe80::abe:acff:fe0b:176e][.5353] -> [...............................ff02::fb][.5353] [MDNS][Unknown][Network][Acceptable][_ipps._tcp.local] + new: [....30] [ip4][..tcp] [.192.168.12.169][40710] -> [....52.58.18.25][.5222] [MIDSTREAM] + detection-update: [....12] [ip4][..udp] [.192.168.12.169][40906] -> [....91.108.9.35][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + detection-update: [....15] [ip4][..udp] [.192.168.12.169][42197] -> [....91.108.9.35][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + detection-update: [....16] [ip4][..udp] [.192.168.12.169][42197] -> [...91.108.13.23][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + detection-update: [....13] [ip4][..udp] [.192.168.12.169][40906] -> [...91.108.13.23][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + detection-update: [....14] [ip4][..udp] [.192.168.12.169][40906] -> [....91.108.17.2][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + detection-update: [....17] [ip4][..udp] [.192.168.12.169][42197] -> [....91.108.17.2][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][] + RISK: Known Proto on Non Std Port + update: [.....1] [ip6][icmp6] [..............fe80::98df:58ff:fefa:ebdc] -> [................................ff02::2] [ICMPV6][Unknown][Network][Acceptable] + analyse: [.....8] [ip4][..tcp] [.192.168.12.169][40832] -> [149.154.167.222][..443] [Telegram][Telegram][Chat][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 25.078| 1.818| 6.147| 37780767.900| 1.500] + [PKTLEN......: 52.000| 1280.000| 482.700| 530.000| 280877.200| 4.100] + [BINS(c->s)..: 14,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 2,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,0,0,1,1,1,1,1,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1] + [IATS(ms)....: 29.1,30.6,0.5,31.6,35.4,6.5,41.7,9.9,0.0,0.0,0.0,46.9,0.0,41.7,2909.6,2997.7,0.0,0.0,0.0,2.4,0.1,0.1,44.3,0.0,0.0,0.1,0.1,0.1,0.1,25044.9,25078.5] + [PKTLENS.....: 60,60,52,630,262,52,205,221,1280,1280,1280,700,52,52,52,381,1280,1280,1280,1280,1280,1280,680,52,52,52,52,52,52,52,52,52] + [ENTROPIES...: 4.9,5.3,5.2,7.6,7.1,5.1,6.9,7.0,7.8,7.8,7.8,7.7,5.2,5.1,5.1,7.5,7.8,7.9,7.8,7.9,7.8,7.8,7.7,5.2,5.0,5.1,5.1,5.2,5.2,5.1,5.1,5.2] + new: [....31] [ip4][.icmp] [.192.168.12.169] -> [....91.108.9.35] + detected: [....31] [ip4][.icmp] [.192.168.12.169] -> [....91.108.9.35] [ICMP][Telegram][Network][Acceptable] + RISK: Susp Entropy + new: [....32] [ip4][.icmp] [.192.168.12.169] -> [...91.108.13.23] + detected: [....32] [ip4][.icmp] [.192.168.12.169] -> [...91.108.13.23] [ICMP][Telegram][Network][Acceptable] + RISK: Susp Entropy + new: [....33] [ip4][.icmp] [.192.168.12.169] -> [....91.108.17.2] + detected: [....33] [ip4][.icmp] [.192.168.12.169] -> [....91.108.17.2] [ICMP][Telegram][Network][Acceptable] + RISK: Susp Entropy + new: [....34] [ip4][..tcp] [..18.195.162.93][..443] -> [.192.168.12.169][38956] [MIDSTREAM] + detected: [....34] [ip4][..tcp] [..18.195.162.93][..443] -> [.192.168.12.169][38956] [TLS][AmazonAWS][Web][Safe] + guessed: [.....3] [ip4][..tcp] [.192.168.12.169][37948] -> [.149.154.167.91][..443] [Telegram][Telegram][Chat][Acceptable] + RISK: TCP Connection Issues + end: [.....3] [ip4][..tcp] [.192.168.12.169][37948] -> [.149.154.167.91][..443] + idle: [.....4] [ip4][..tcp] [.192.168.12.169][37950] -> [.149.154.167.91][..443] [Telegram][Telegram][Chat][Acceptable] + RISK: Susp Entropy + idle: [....10] [ip4][..tcp] [.192.168.12.169][37966] -> [.149.154.167.91][..443] [Telegram][Telegram][Chat][Acceptable] + RISK: Susp Entropy + idle: [....18] [ip4][..udp] [.192.168.12.169][40643] -> [....91.108.9.35][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][telegram.org] + RISK: Known Proto on Non Std Port + idle: [....28] [ip6][icmp6] [...............fe80::abe:acff:fe0b:176e] -> [................................ff02::2] [ICMPV6][Unknown][Network][Acceptable] + idle: [.....2] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable] + idle: [....14] [ip4][..udp] [.192.168.12.169][40906] -> [....91.108.17.2][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [....13] [ip4][..udp] [.192.168.12.169][40906] -> [...91.108.13.23][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [....12] [ip4][..udp] [.192.168.12.169][40906] -> [....91.108.9.35][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [....24] [ip4][..udp] [.192.168.12.169][42405] -> [..10.46.103.200][42554] [STUN.TelegramVoip][Unknown][VoIP][Acceptable] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + idle: [....11] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable] + idle: [.....1] [ip6][icmp6] [..............fe80::98df:58ff:fefa:ebdc] -> [................................ff02::2] [ICMPV6][Unknown][Network][Acceptable] + idle: [....29] [ip6][..udp] [...............fe80::abe:acff:fe0b:176e][.5353] -> [...............................ff02::fb][.5353] [MDNS][Unknown][Network][Acceptable] + end: [.....5] [ip4][..tcp] [.192.168.12.169][46862] -> [.149.154.167.51][..443] [Telegram][Telegram][Chat][Acceptable] + RISK: Susp Entropy + end: [.....6] [ip4][..tcp] [.192.168.12.169][46866] -> [.149.154.167.51][..443] [Telegram][Telegram][Chat][Acceptable] + RISK: Susp Entropy + end: [.....7] [ip4][..tcp] [.192.168.12.169][40830] -> [149.154.167.222][..443] [Telegram][Telegram][Chat][Acceptable] + RISK: Susp Entropy + end: [.....8] [ip4][..tcp] [.192.168.12.169][40832] -> [149.154.167.222][..443] [Telegram][Telegram][Chat][Acceptable] + RISK: Susp Entropy + idle: [.....9] [ip4][..tcp] [.192.168.12.169][40834] -> [149.154.167.222][..443] [Telegram][Telegram][Chat][Acceptable] + RISK: Susp Entropy + idle: [....19] [ip4][..udp] [.192.168.12.169][49667] -> [...91.108.13.23][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][telegram.org] + RISK: Known Proto on Non Std Port + idle: [....25] [ip4][..udp] [.192.168.12.169][40906] -> [..10.46.103.200][42554] [STUN.TelegramVoip][Unknown][VoIP][Acceptable] + RISK: Known Proto on Non Std Port, Unidirectional Traffic + idle: [....23] [ip4][..udp] [.192.168.12.169][37444] -> [....91.108.17.2][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [....26] [ip4][..udp] [.192.168.12.169][42405] -> [...93.36.13.115][35393] [STUN.TelegramVoip][Unknown][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [....20] [ip4][..udp] [.192.168.12.169][49780] -> [....91.108.17.2][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][telegram.org] + RISK: Known Proto on Non Std Port + idle: [....33] [ip4][.icmp] [.192.168.12.169] -> [....91.108.17.2] [ICMP][Telegram][Network][Acceptable] + RISK: Susp Entropy + idle: [....32] [ip4][.icmp] [.192.168.12.169] -> [...91.108.13.23] [ICMP][Telegram][Network][Acceptable] + RISK: Susp Entropy + idle: [....31] [ip4][.icmp] [.192.168.12.169] -> [....91.108.9.35] [ICMP][Telegram][Network][Acceptable] + RISK: Susp Entropy + idle: [....22] [ip4][..udp] [.192.168.12.169][37530] -> [...91.108.13.23][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + end: [....34] [ip4][..tcp] [..18.195.162.93][..443] -> [.192.168.12.169][38956] [TLS][AmazonAWS][Web][Safe] + guessed: [....30] [ip4][..tcp] [.192.168.12.169][40710] -> [....52.58.18.25][.5222] [AmazonAWS][AmazonAWS][Cloud][Acceptable] + idle: [....30] [ip4][..tcp] [.192.168.12.169][40710] -> [....52.58.18.25][.5222] + idle: [....21] [ip4][..udp] [.192.168.12.169][37849] -> [....91.108.9.35][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [....27] [ip4][..udp] [.192.168.12.169][40906] -> [...93.36.13.115][35393] [STUN.TelegramVoip][Unknown][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [....17] [ip4][..udp] [.192.168.12.169][42197] -> [....91.108.17.2][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [....16] [ip4][..udp] [.192.168.12.169][42197] -> [...91.108.13.23][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + idle: [....15] [ip4][..udp] [.192.168.12.169][42197] -> [....91.108.9.35][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable] + RISK: Known Proto on Non Std Port + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/openvpn_heuristic_enabled/openvpn_obfuscated.pcapng.out b/test/results/flow-info/openvpn_heuristic_enabled/openvpn_obfuscated.pcapng.out new file mode 100644 index 000000000..81462f07d --- /dev/null +++ b/test/results/flow-info/openvpn_heuristic_enabled/openvpn_obfuscated.pcapng.out @@ -0,0 +1,38 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [.192.168.12.156][37976] -> [..185.128.25.99][..465] + analyse: [.....1] [ip4][..tcp] [.192.168.12.156][37976] -> [..185.128.25.99][..465] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 1.020| 0.080| 0.242| 58469.183| 2.300] + [PKTLEN......: 52.000| 1500.000| 308.700| 431.500| 186180.000| 4.000] + [BINS(c->s)..: 7,0,1,3,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 7,0,0,4,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,1,1,0,0,0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1] + [IATS(ms)....: 20.0,22.1,6.2,28.1,0.0,21.2,1.0,26.3,0.0,0.0,0.0,28.0,0.1,0.2,23.6,57.5,41.8,4.8,15.8,16.4,4.9,7.9,24.7,0.5,24.0,23.3,24.7,66.8,1019.8,977.6,0.7] + [PKTLENS.....: 60,60,52,140,52,152,52,429,148,1500,1500,1500,52,52,152,164,52,52,376,873,52,52,801,52,310,172,395,176,52,199,52,148] + [ENTROPIES...: 4.7,5.2,5.1,6.5,5.1,6.6,5.1,7.3,6.6,7.9,7.9,7.9,5.0,5.1,6.5,6.7,5.1,5.1,7.3,7.8,5.1,5.1,7.7,5.2,7.3,6.7,7.5,6.5,5.1,6.9,5.1,6.5] + guessed: [.....1] [ip4][..tcp] [.192.168.12.156][37976] -> [..185.128.25.99][..465] [SMTPS][NordVPN][Email][Safe] + RISK: Fully Encrypted Flow + new: [.....2] [ip4][..udp] [.192.168.12.156][47128] -> [149.102.238.108][.1214] + DAEMON-EVENT: [Processed: 90 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 2 / 2|skipped: 0|!detected: 0|guessed: 1|detection-updates: 0|updates: 0] + new: [.....3] [ip4][..tcp] [.107.161.86.131][..443] -> [.192.168.12.156][48072] + analyse: [.....3] [ip4][..tcp] [.107.161.86.131][..443] -> [.192.168.12.156][48072] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.303| 0.045| 0.076| 5806.697| 3.500] + [PKTLEN......: 52.000| 152.000| 67.300| 23.700| 562.800| 4.900] + [BINS(c->s)..: 9,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 19,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,0,1,1,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,0] + [IATS(ms)....: 102.1,4.8,6.5,5.5,5.4,5.3,5.7,5.4,5.2,5.6,5.1,255.6,100.3,15.6,143.0,32.7,143.0,0.0,303.0,27.7,1.3,5.4,5.4,5.7,6.7,5.0,142.9,27.8,1.2,5.5,5.5] + [PKTLENS.....: 60,52,61,61,61,61,61,61,61,61,61,59,64,88,58,80,80,52,152,98,52,59,59,59,59,59,59,52,148,52,52,52] + [ENTROPIES...: 5.3,5.2,5.4,5.5,5.4,5.4,5.5,5.4,5.5,5.4,5.2,5.1,5.2,5.9,5.3,5.2,5.1,5.2,6.3,5.7,5.2,5.3,5.3,5.4,5.3,5.4,5.3,5.2,6.4,5.1,5.2,5.3] + guessed: [.....3] [ip4][..tcp] [.107.161.86.131][..443] -> [.192.168.12.156][48072] [TLS][Unknown][Web][Safe] + guessed: [.....2] [ip4][..udp] [.192.168.12.156][47128] -> [149.102.238.108][.1214] [NordVPN][NordVPN][VPN][Acceptable] + RISK: Susp Entropy + idle: [.....2] [ip4][..udp] [.192.168.12.156][47128] -> [149.102.238.108][.1214] + idle: [.....1] [ip4][..tcp] [.192.168.12.156][37976] -> [..185.128.25.99][..465] [SMTPS][NordVPN][Email][Safe] + RISK: Fully Encrypted Flow + idle: [.....3] [ip4][..tcp] [.107.161.86.131][..443] -> [.192.168.12.156][48072] [TLS][Unknown][Web][Safe] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/stun_all_attributes_disabled/teams.pcap.out b/test/results/flow-info/stun_all_attributes_disabled/teams.pcap.out index 9161d6afb..257fc16da 100644 --- a/test/results/flow-info/stun_all_attributes_disabled/teams.pcap.out +++ b/test/results/flow-info/stun_all_attributes_disabled/teams.pcap.out @@ -34,7 +34,6 @@ ERROR-EVENT: Unknown packet type [7/16] new: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] detected: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] - detection-update: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] analyse: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.221| 0.032| 0.054| 2931.592| 3.400] @@ -51,7 +50,7 @@ new: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] detected: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com] detection-update: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com] - analyse: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + analyse: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.050| 0.018| 0.021| 449.200| 3.900] [PKTLEN......: 52.000| 1492.000| 680.600| 673.100| 453031.800| 4.200] @@ -101,15 +100,12 @@ new: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] detected: [....18] [ip4][..tcp] [....192.168.1.6][60538] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] detected: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] - detection-update: [....18] [ip4][..tcp] [....192.168.1.6][60538] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] - detection-update: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] new: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] new: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] detected: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] detected: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] new: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] detected: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][config.teams.microsoft.com] - detection-update: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] detection-update: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] detection-update: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][config.teams.microsoft.com] new: [....23] [ip4][..tcp] [....192.168.1.6][60542] -> [.52.113.194.132][..443] @@ -123,7 +119,6 @@ detected: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS detected: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443] [TLS.Teams][Azure][Collaborative][Safe][northeurope.notifications.teams.microsoft.com] - detection-update: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443] [TLS.Teams][Azure][Collaborative][Safe][northeurope.notifications.teams.microsoft.com] detection-update: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS ERROR-EVENT: Unknown packet type [16/16] @@ -134,7 +129,6 @@ new: [....29] [ip4][..tcp] [.162.125.19.131][..443] -> [....192.168.1.6][60344] [MIDSTREAM] detected: [....29] [ip4][..tcp] [.162.125.19.131][..443] -> [....192.168.1.6][60344] [TLS][Dropbox][Web][Safe] detected: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Azure][Collaborative][Safe][presence.teams.microsoft.com] - detection-update: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Azure][Collaborative][Safe][presence.teams.microsoft.com] analyse: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.153| 0.028| 0.040| 1626.047| 3.600] @@ -170,7 +164,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [....33] [ip4][..tcp] [....192.168.1.6][60548] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - analyse: [....32] [ip4][..tcp] [....192.168.1.6][60547] -> [...52.114.88.59][..443] [TLS.Teams][Azure][Collaborative][Safe][chatsvcagg.teams.microsoft.com] + analyse: [....32] [ip4][..tcp] [....192.168.1.6][60547] -> [...52.114.88.59][..443] [TLS.Teams][Azure][Collaborative][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.115| 0.021| 0.031| 968.681| 3.500] [PKTLEN......: 52.000| 1492.000| 377.200| 521.700| 272149.200| 3.900] @@ -241,7 +235,6 @@ detected: [....46] [ip4][..tcp] [....192.168.1.6][60556] -> [.....40.126.9.7][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] detected: [....45] [ip4][..tcp] [....192.168.1.6][60555] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - detection-update: [....46] [ip4][..tcp] [....192.168.1.6][60556] -> [.....40.126.9.7][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] detection-update: [....42] [ip4][..tcp] [....192.168.1.6][60552] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS detection-update: [....45] [ip4][..tcp] [....192.168.1.6][60555] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] @@ -266,8 +259,6 @@ new: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] detected: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - detection-update: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS analyse: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.053| 0.020| 0.022| 492.470| 3.900] @@ -293,7 +284,7 @@ detected: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][api.microsoftstream.com] detection-update: [....51] [ip4][..tcp] [....192.168.1.6][60561] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - analyse: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][api.microsoftstream.com] + analyse: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.126| 0.019| 0.032| 1006.354| 3.400] [PKTLEN......: 52.000| 1492.000| 345.200| 499.900| 249913.200| 3.900] @@ -323,13 +314,11 @@ detection-update: [....56] [ip4][..udp] [....192.168.1.6][63930] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe][dc.applicationinsights.microsoft.com] new: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] detected: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] - detection-update: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] new: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] detected: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][emea.ng.msg.teams-msgapi.trafficmanager.net] detection-update: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][emea.ng.msg.teams-msgapi.trafficmanager.net] new: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] detected: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe][emea.ng.msg.teams.microsoft.com] - detection-update: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe][emea.ng.msg.teams.microsoft.com] analyse: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe][emea.ng.msg.teams.microsoft.com] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.277| 0.019| 0.049| 2449.644| 2.900] @@ -370,8 +359,6 @@ new: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] new: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] detected: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] - detection-update: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS new: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] detected: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] detected: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com] @@ -380,8 +367,6 @@ detected: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] new: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] detected: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] - detection-update: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS detection-update: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] detection-update: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] new: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443] @@ -400,8 +385,6 @@ detection-update: [....75] [ip4][..udp] [....192.168.1.6][60837] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][c-flightproxy-euno-01-teams.cloudapp.net] detected: [....74] [ip4][..tcp] [....192.168.1.6][60567] -> [..52.114.77.136][..443] [TLS.Teams][Azure][Collaborative][Safe][api.flightproxy.teams.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - detection-update: [....74] [ip4][..tcp] [....192.168.1.6][60567] -> [..52.114.77.136][..443] [TLS.Teams][Azure][Collaborative][Safe][api.flightproxy.teams.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS new: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] detected: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable][] RISK: Known Proto on Non Std Port @@ -442,7 +425,6 @@ RISK: Known Proto on Non Std Port, Unidirectional Traffic new: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] detected: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] - detection-update: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] new: [....83] [ip4][.icmp] [..93.71.110.205] -> [....192.168.1.6] detected: [....83] [ip4][.icmp] [..93.71.110.205] -> [....192.168.1.6] [ICMP][Unknown][Network][Acceptable] analyse: [....78] [ip4][..udp] [..93.71.110.205][16332] -> [....192.168.1.6][50016] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] @@ -473,7 +455,7 @@ RISK: TLS (probably) Not Carrying HTTPS idle: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] RISK: Known Proto on Non Std Port, Unidirectional Traffic - idle: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][euno-1.api.microsoftstream.com] + idle: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable] idle: [....17] [ip4][..udp] [....192.168.1.6][63106] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][eu-prod.asyncgw.teams.microsoft.com] idle: [....77] [ip4][..udp] [....192.168.1.6][50036] -> [....192.168.0.4][50020] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] RISK: Known Proto on Non Std Port, Unidirectional Traffic @@ -521,10 +503,10 @@ idle: [....34] [ip4][..udp] [....192.168.1.6][59403] -> [....192.168.1.1][...53] [DNS.Microsoft365][Unknown][Network][Acceptable][substrate.office.com] idle: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Outlook][Collaborative][Acceptable][substrate.office.com] idle: [....44] [ip4][..udp] [....192.168.1.6][51309] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][skypedataprdcolneu04.cloudapp.net] - end: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org] + end: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe] RISK: Known Proto on Non Std Port idle: [....12] [ip4][..udp] [....192.168.1.6][17500] -> [..192.168.1.255][17500] [Dropbox][Unknown][Cloud][Acceptable] - idle: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org] + idle: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe] RISK: Known Proto on Non Std Port idle: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][chatsvcagg.svcs.teams.office.com] guessed: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478] [Skype_TeamsCall][Azure][VoIP][Acceptable] diff --git a/test/results/flow-info/tls_heuristics_enabled/tls_heur__shadowsocks-tcp.pcapng.out b/test/results/flow-info/tls_heuristics_enabled/tls_heur__shadowsocks-tcp.pcapng.out new file mode 100644 index 000000000..e70a46b38 --- /dev/null +++ b/test/results/flow-info/tls_heuristics_enabled/tls_heur__shadowsocks-tcp.pcapng.out @@ -0,0 +1,31 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [......127.0.0.1][44424] -> [......127.0.0.1][.1080] + detected: [.....1] [ip4][..tcp] [......127.0.0.1][44424] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + new: [.....2] [ip4][..udp] [......127.0.0.1][41182] -> [.....127.0.0.53][...53] + detected: [.....2] [ip4][..udp] [......127.0.0.1][41182] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][41182] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + RISK: Unidirectional Traffic + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][41182] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + new: [.....3] [ip4][..tcp] [......127.0.0.1][40164] -> [......127.0.0.1][.1234] + new: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][45334] -> [...............2a00:1450:4002:416::200e][..443] + detected: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][45334] -> [...............2a00:1450:4002:416::200e][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + detection-update: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][45334] -> [...............2a00:1450:4002:416::200e][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + analyse: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][45334] -> [...............2a00:1450:4002:416::200e][..443] [TLS.YouTube][Google][Media][Fun] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.050| 0.008| 0.014| 183.336| 3.300] + [PKTLEN......: 72.000| 4948.000| 786.900| 1186.200| 1407143.500| 3.900] + [BINS(c->s)..: 13,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 3,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,2] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,0,1,0,1,0,1,1,1,0,0,0,1,1,1,1,0,0,1,0,1,1] + [IATS(ms)....: 3.4,3.5,0.3,3.9,24.5,28.1,0.2,0.0,0.2,0.0,3.0,7.5,5.3,6.5,46.4,49.6,0.0,0.0,9.0,0.1,0.0,0.4,0.0,0.0,0.0,0.3,0.0,26.1,26.1,0.4,0.0] + [PKTLENS.....: 80,80,72,589,72,1280,72,4904,631,72,72,345,720,103,103,72,1280,293,1280,72,72,72,1280,1280,1280,4948,72,72,1280,72,1280,1280] + [ENTROPIES...: 4.8,5.3,5.2,4.8,5.2,7.8,5.2,8.0,7.6,5.2,5.2,7.1,7.7,5.8,5.8,5.1,7.8,7.1,7.9,5.2,5.2,5.2,7.8,7.9,7.8,8.0,5.1,5.2,7.9,5.2,7.8,7.8] + idle: [.....2] [ip4][..udp] [......127.0.0.1][41182] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + not-detected: [.....3] [ip4][..tcp] [......127.0.0.1][40164] -> [......127.0.0.1][.1234] [Unknown][Unknown][Unrated] + RISK: Fully Encrypted Flow + idle: [.....3] [ip4][..tcp] [......127.0.0.1][40164] -> [......127.0.0.1][.1234] + idle: [.....1] [ip4][..tcp] [......127.0.0.1][44424] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + idle: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][45334] -> [...............2a00:1450:4002:416::200e][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/tls_heuristics_enabled/tls_heur__trojan-tcp-tls.pcapng.out b/test/results/flow-info/tls_heuristics_enabled/tls_heur__trojan-tcp-tls.pcapng.out new file mode 100644 index 000000000..8bc342628 --- /dev/null +++ b/test/results/flow-info/tls_heuristics_enabled/tls_heur__trojan-tcp-tls.pcapng.out @@ -0,0 +1,62 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [......127.0.0.1][60654] -> [......127.0.0.1][.1080] + detected: [.....1] [ip4][..tcp] [......127.0.0.1][60654] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + new: [.....2] [ip4][..udp] [......127.0.0.1][52786] -> [.....127.0.0.53][...53] + detected: [.....2] [ip4][..udp] [......127.0.0.1][52786] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][52786] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + RISK: Unidirectional Traffic + new: [.....3] [ip4][..udp] [..192.168.1.183][46451] -> [..192.168.1.253][...53] + detected: [.....3] [ip4][..udp] [..192.168.1.183][46451] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + new: [.....4] [ip4][..udp] [..192.168.1.183][54260] -> [..192.168.1.253][...53] + detected: [.....4] [ip4][..udp] [..192.168.1.183][54260] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....3] [ip4][..udp] [..192.168.1.183][46451] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....4] [ip4][..udp] [..192.168.1.183][54260] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][52786] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + new: [.....5] [ip4][..udp] [......127.0.0.1][53154] -> [.....127.0.0.53][...53] + detected: [.....5] [ip4][..udp] [......127.0.0.1][53154] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + new: [.....6] [ip4][..udp] [......127.0.0.1][56496] -> [.....127.0.0.53][...53] + detected: [.....6] [ip4][..udp] [......127.0.0.1][56496] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + new: [.....7] [ip4][..udp] [..192.168.1.183][39434] -> [..192.168.1.253][...53] + detected: [.....7] [ip4][..udp] [..192.168.1.183][39434] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + new: [.....8] [ip4][..udp] [..192.168.1.183][38613] -> [..192.168.1.253][...53] + detected: [.....8] [ip4][..udp] [..192.168.1.183][38613] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + detection-update: [.....7] [ip4][..udp] [..192.168.1.183][39434] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + detection-update: [.....5] [ip4][..udp] [......127.0.0.1][53154] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + detection-update: [.....8] [ip4][..udp] [..192.168.1.183][38613] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + detection-update: [.....6] [ip4][..udp] [......127.0.0.1][56496] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + new: [.....9] [ip4][..tcp] [......127.0.0.1][41796] -> [......127.0.0.1][.1234] + detected: [.....9] [ip4][..tcp] [......127.0.0.1][41796] -> [......127.0.0.1][.1234] [TLS][Unknown][Web][Safe][test.lan] + RISK: Known Proto on Non Std Port + detection-update: [.....9] [ip4][..tcp] [......127.0.0.1][41796] -> [......127.0.0.1][.1234] [TLS][Unknown][Web][Safe][test.lan] + RISK: Known Proto on Non Std Port + new: [....10] [ip4][..tcp] [..192.168.1.183][58730] -> [142.250.180.142][..443] + detected: [....10] [ip4][..tcp] [..192.168.1.183][58730] -> [142.250.180.142][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + detection-update: [....10] [ip4][..tcp] [..192.168.1.183][58730] -> [142.250.180.142][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + analyse: [....10] [ip4][..tcp] [..192.168.1.183][58730] -> [142.250.180.142][..443] [TLS.YouTube][Google][Media][Fun] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.070| 0.007| 0.015| 238.385| 3.000] + [PKTLEN......: 52.000| 1452.000| 481.500| 599.800| 359742.800| 3.900] + [BINS(c->s)..: 14,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0] + [IATS(ms)....: 2.7,2.7,0.3,2.7,17.2,19.6,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,8.4,0.5,11.2,3.0,2.3,5.7,46.1,70.4,31.7,0.1,0.0,0.0,0.0,0.0,0.1,0.1,0.0] + [PKTLENS.....: 60,60,52,569,52,1452,52,1452,52,1452,52,1452,52,1053,52,132,245,700,83,83,52,52,1452,52,80,52,1452,52,1452,52,1452,52] + [ENTROPIES...: 4.6,5.2,4.9,4.8,4.9,7.8,4.8,7.8,4.9,7.9,4.8,7.9,4.8,7.8,4.8,6.2,7.0,7.7,5.6,5.5,4.9,4.9,7.9,4.9,5.6,4.9,7.9,4.9,7.9,4.9,7.9,4.8] + idle: [.....8] [ip4][..udp] [..192.168.1.183][38613] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + idle: [.....5] [ip4][..udp] [......127.0.0.1][53154] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + idle: [.....9] [ip4][..tcp] [......127.0.0.1][41796] -> [......127.0.0.1][.1234] [TLS][Unknown][Web][Safe] + RISK: Known Proto on Non Std Port + idle: [.....1] [ip4][..tcp] [......127.0.0.1][60654] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + idle: [....10] [ip4][..tcp] [..192.168.1.183][58730] -> [142.250.180.142][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + idle: [.....7] [ip4][..udp] [..192.168.1.183][39434] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + idle: [.....4] [ip4][..udp] [..192.168.1.183][54260] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + idle: [.....6] [ip4][..udp] [......127.0.0.1][56496] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + idle: [.....3] [ip4][..udp] [..192.168.1.183][46451] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + idle: [.....2] [ip4][..udp] [......127.0.0.1][52786] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/tls_heuristics_enabled/tls_heur__vmess-tcp-tls.pcapng.out b/test/results/flow-info/tls_heuristics_enabled/tls_heur__vmess-tcp-tls.pcapng.out new file mode 100644 index 000000000..cc34610ac --- /dev/null +++ b/test/results/flow-info/tls_heuristics_enabled/tls_heur__vmess-tcp-tls.pcapng.out @@ -0,0 +1,52 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [......127.0.0.1][40136] -> [......127.0.0.1][.1080] + detected: [.....1] [ip4][..tcp] [......127.0.0.1][40136] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + new: [.....2] [ip4][..udp] [......127.0.0.1][46548] -> [.....127.0.0.53][...53] + detected: [.....2] [ip4][..udp] [......127.0.0.1][46548] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][46548] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + RISK: Unidirectional Traffic + new: [.....3] [ip4][..udp] [..192.168.1.183][49817] -> [..192.168.1.253][...53] + detected: [.....3] [ip4][..udp] [..192.168.1.183][49817] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + new: [.....4] [ip4][..udp] [..192.168.1.183][41933] -> [..192.168.1.253][...53] + detected: [.....4] [ip4][..udp] [..192.168.1.183][41933] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....3] [ip4][..udp] [..192.168.1.183][49817] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....4] [ip4][..udp] [..192.168.1.183][41933] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][46548] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + new: [.....5] [ip4][..udp] [......127.0.0.1][50125] -> [.....127.0.0.53][...53] + detected: [.....5] [ip4][..udp] [......127.0.0.1][50125] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + new: [.....6] [ip4][..udp] [......127.0.0.1][45262] -> [.....127.0.0.53][...53] + detected: [.....6] [ip4][..udp] [......127.0.0.1][45262] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + new: [.....7] [ip4][..udp] [..192.168.1.183][58009] -> [..192.168.1.253][...53] + detected: [.....7] [ip4][..udp] [..192.168.1.183][58009] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + new: [.....8] [ip4][..udp] [..192.168.1.183][42485] -> [..192.168.1.253][...53] + detected: [.....8] [ip4][..udp] [..192.168.1.183][42485] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + detection-update: [.....7] [ip4][..udp] [..192.168.1.183][58009] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + detection-update: [.....8] [ip4][..udp] [..192.168.1.183][42485] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + detection-update: [.....5] [ip4][..udp] [......127.0.0.1][50125] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + detection-update: [.....6] [ip4][..udp] [......127.0.0.1][45262] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + new: [.....9] [ip4][..tcp] [......127.0.0.1][57874] -> [......127.0.0.1][.1234] + detected: [.....9] [ip4][..tcp] [......127.0.0.1][57874] -> [......127.0.0.1][.1234] [TLS][Unknown][Web][Safe][test.lan] + RISK: Known Proto on Non Std Port + detection-update: [.....9] [ip4][..tcp] [......127.0.0.1][57874] -> [......127.0.0.1][.1234] [TLS][Unknown][Web][Safe][test.lan] + RISK: Known Proto on Non Std Port + new: [....10] [ip4][..tcp] [..192.168.1.183][58612] -> [.216.58.204.142][..443] + detected: [....10] [ip4][..tcp] [..192.168.1.183][58612] -> [.216.58.204.142][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + detection-update: [....10] [ip4][..tcp] [..192.168.1.183][58612] -> [.216.58.204.142][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + idle: [.....1] [ip4][..tcp] [......127.0.0.1][40136] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + idle: [.....6] [ip4][..udp] [......127.0.0.1][45262] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + idle: [....10] [ip4][..tcp] [..192.168.1.183][58612] -> [.216.58.204.142][..443] [TLS.YouTube][Google][Media][Fun] + idle: [.....7] [ip4][..udp] [..192.168.1.183][58009] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + idle: [.....3] [ip4][..udp] [..192.168.1.183][49817] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + idle: [.....5] [ip4][..udp] [......127.0.0.1][50125] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + idle: [.....4] [ip4][..udp] [..192.168.1.183][41933] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + idle: [.....2] [ip4][..udp] [......127.0.0.1][46548] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + idle: [.....8] [ip4][..udp] [..192.168.1.183][42485] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + idle: [.....9] [ip4][..tcp] [......127.0.0.1][57874] -> [......127.0.0.1][.1234] [TLS][Unknown][Web][Safe] + RISK: Known Proto on Non Std Port + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/tls_heuristics_enabled/tls_heur__vmess-tcp.pcapng.out b/test/results/flow-info/tls_heuristics_enabled/tls_heur__vmess-tcp.pcapng.out new file mode 100644 index 000000000..39fccb4a8 --- /dev/null +++ b/test/results/flow-info/tls_heuristics_enabled/tls_heur__vmess-tcp.pcapng.out @@ -0,0 +1,31 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [......127.0.0.1][37218] -> [......127.0.0.1][.1080] + detected: [.....1] [ip4][..tcp] [......127.0.0.1][37218] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + new: [.....2] [ip4][..udp] [......127.0.0.1][35957] -> [.....127.0.0.53][...53] + detected: [.....2] [ip4][..udp] [......127.0.0.1][35957] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][35957] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + RISK: Unidirectional Traffic + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][35957] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + new: [.....3] [ip4][..tcp] [......127.0.0.1][40818] -> [......127.0.0.1][.1234] + new: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][48302] -> [...............2a00:1450:4006:80d::200e][..443] + detected: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][48302] -> [...............2a00:1450:4006:80d::200e][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + detection-update: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][48302] -> [...............2a00:1450:4006:80d::200e][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + analyse: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][48302] -> [...............2a00:1450:4006:80d::200e][..443] [TLS.YouTube][Google][Media][Fun] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.054| 0.141| 0.429| 184069.177| 1.900] + [PKTLEN......: 72.000| 2488.000| 635.500| 846.400| 716345.800| 3.900] + [BINS(c->s)..: 13,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 4,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,5] + [DIRECTIONS..: 0,0,0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,1,1,0,0,1,1,1,1,0,1,0,1,0,1,0] + [IATS(ms)....: 1019.8,1024.0,2053.5,9.7,0.4,10.5,14.8,0.0,24.8,0.0,0.2,0.0,0.1,0.0,3.4,0.5,13.4,0.0,9.6,1.8,11.4,77.7,0.0,0.0,87.4,0.4,0.3,0.3,0.3,0.2,0.2] + [PKTLENS.....: 80,80,80,80,72,589,72,2488,1280,72,72,1280,1840,72,72,152,202,720,103,135,103,72,1280,307,1280,72,2488,72,2488,72,2488,72] + [ENTROPIES...: 4.9,4.8,4.9,5.4,5.2,4.8,5.2,7.9,7.8,5.2,5.2,7.8,7.9,5.2,5.2,6.4,6.6,7.7,5.9,6.4,5.9,5.2,7.9,7.2,7.9,5.2,7.9,5.2,7.9,5.2,7.9,5.2] + idle: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][48302] -> [...............2a00:1450:4006:80d::200e][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + not-detected: [.....3] [ip4][..tcp] [......127.0.0.1][40818] -> [......127.0.0.1][.1234] [Unknown][Unknown][Unrated] + RISK: Fully Encrypted Flow + idle: [.....3] [ip4][..tcp] [......127.0.0.1][40818] -> [......127.0.0.1][.1234] + idle: [.....2] [ip4][..udp] [......127.0.0.1][35957] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + idle: [.....1] [ip4][..tcp] [......127.0.0.1][37218] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/tls_heuristics_enabled/tls_heur__vmess-websocket.pcapng.out b/test/results/flow-info/tls_heuristics_enabled/tls_heur__vmess-websocket.pcapng.out new file mode 100644 index 000000000..cc9ab1452 --- /dev/null +++ b/test/results/flow-info/tls_heuristics_enabled/tls_heur__vmess-websocket.pcapng.out @@ -0,0 +1,40 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [......127.0.0.1][44532] -> [......127.0.0.1][.1080] + detected: [.....1] [ip4][..tcp] [......127.0.0.1][44532] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + new: [.....2] [ip4][..udp] [......127.0.0.1][39646] -> [.....127.0.0.53][...53] + detected: [.....2] [ip4][..udp] [......127.0.0.1][39646] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][39646] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + new: [.....3] [ip4][..tcp] [......127.0.0.1][33702] -> [......127.0.0.1][.1234] + detected: [.....3] [ip4][..tcp] [......127.0.0.1][33702] -> [......127.0.0.1][.1234] [HTTP][Unknown][Web][Acceptable][127.0.0.1] + RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI + new: [.....4] [ip4][..tcp] [..192.168.1.183][51390] -> [142.250.180.142][..443] + detected: [.....4] [ip4][..tcp] [..192.168.1.183][51390] -> [142.250.180.142][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + detection-update: [.....4] [ip4][..tcp] [..192.168.1.183][51390] -> [142.250.180.142][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + analyse: [.....3] [ip4][..tcp] [......127.0.0.1][33702] -> [......127.0.0.1][.1234] [HTTP][Unknown][Web][Acceptable][127.0.0.1] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.082| 0.011| 0.023| 506.460| 2.800] + [PKTLEN......: 52.000| 2104.000| 665.100| 842.700| 710078.000| 3.900] + [BINS(c->s)..: 13,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 2,0,1,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS(ms)....: 0.0,0.0,0.3,0.3,0.1,0.2,52.9,76.2,23.3,0.1,0.1,0.0,0.0,0.1,0.1,5.4,8.4,3.5,0.7,41.2,81.9,40.9,0.1,0.0,0.1,0.1,0.0,0.0,0.0,0.0,0.0] + [PKTLENS.....: 60,60,52,237,52,181,52,751,2104,52,2104,52,2104,52,723,52,406,753,144,123,52,2084,52,2046,52,2079,52,2043,52,2075,52,531] + [ENTROPIES...: 4.3,4.7,4.6,5.9,4.6,5.8,4.6,7.7,7.9,4.6,7.9,4.6,7.9,4.6,7.7,4.6,7.4,7.7,6.3,6.2,4.6,7.9,4.6,7.9,4.6,7.9,4.6,7.9,4.6,7.9,4.6,7.6] + analyse: [.....1] [ip4][..tcp] [......127.0.0.1][44532] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.082| 0.011| 0.022| 482.912| 3.100] + [PKTLEN......: 52.000| 3984.000| 653.000| 1237.600| 1531706.800| 3.300] + [BINS(c->s)..: 13,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,1,0,0,0,0,0,0,1,1,0,1,0,1,0,1,0,1,0,1] + [IATS(ms)....: 0.1,0.1,0.1,0.1,0.4,0.4,4.5,4.7,44.0,9.4,77.6,24.3,0.3,0.3,4.2,0.3,0.0,0.0,0.0,4.6,3.4,3.7,0.6,41.3,82.0,41.2,0.1,0.2,0.2,0.2,0.1] + [PKTLENS.....: 60,60,52,56,52,54,52,62,62,52,569,3984,52,2720,52,132,98,101,87,115,52,700,83,83,52,3984,52,3984,52,2428,52,901] + [ENTROPIES...: 4.3,4.7,4.6,4.5,4.6,4.6,4.6,4.7,4.5,4.6,4.7,7.9,4.7,7.9,4.6,6.2,5.9,5.8,5.7,6.1,4.7,7.7,5.5,5.5,4.7,8.0,4.6,8.0,4.6,7.9,4.6,7.8] + idle: [.....3] [ip4][..tcp] [......127.0.0.1][33702] -> [......127.0.0.1][.1234] [HTTP][Unknown][Web][Acceptable][127.0.0.1] + RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI + idle: [.....1] [ip4][..tcp] [......127.0.0.1][44532] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + idle: [.....2] [ip4][..udp] [......127.0.0.1][39646] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + idle: [.....4] [ip4][..tcp] [..192.168.1.183][51390] -> [142.250.180.142][..443] [TLS.YouTube][Google][Media][Fun] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/zoom_extra_dissection/zoom.pcap.out b/test/results/flow-info/zoom_extra_dissection/zoom.pcap.out index c76f9eff6..1f051c54f 100644 --- a/test/results/flow-info/zoom_extra_dissection/zoom.pcap.out +++ b/test/results/flow-info/zoom_extra_dissection/zoom.pcap.out @@ -120,7 +120,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [.....4] [ip4][..tcp] [..192.168.1.117][54341] -> [.62.149.152.153][..993] [IMAPS][Unknown][Email][Safe] RISK: Unidirectional Traffic - analyse: [....30] [ip4][..tcp] [..192.168.1.117][54871] -> [..109.94.160.99][..443] [TLS.Zoom][Unknown][Video][Acceptable][zoomfrn99mmr.zoom.us] + analyse: [....30] [ip4][..tcp] [..192.168.1.117][54871] -> [..109.94.160.99][..443] [TLS.Zoom][Unknown][Video][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.156| 0.028| 0.040| 1628.090| 3.800] [PKTLEN......: 52.000| 1492.000| 420.500| 552.400| 305116.100| 3.900] @@ -205,7 +205,7 @@ RISK: Known Proto on Non Std Port idle: [.....2] [ip4][..udp] [..192.168.1.117][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable] idle: [....22] [ip4][..udp] [..192.168.1.117][57621] -> [..192.168.1.255][57621] [Spotify][Unknown][Music][Fun] - end: [.....3] [ip4][..tcp] [..192.168.1.117][54863] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org] + end: [.....3] [ip4][..tcp] [..192.168.1.117][54863] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe] RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS idle: [....24] [ip4][..udp] [..192.168.1.117][58063] -> [....192.168.1.1][...53] [DNS.Zoom][Unknown][Network][Acceptable][zoomfr84zc.zoom.us] end: [....25] [ip4][..tcp] [..192.168.1.117][54867] -> [.213.19.144.105][..443] [TLS.Zoom][Zoom][Video][Acceptable] |