authorToni Uhlig <matzeton@googlemail.com>2024-09-09 09:29:08 +0200
committerToni Uhlig <matzeton@googlemail.com>2024-09-09 09:29:08 +0200
commitaef9d629f01b66a5e1985f265e9c74fd40542fe1 (patch)
tree7ef5f363f149395ee4fe40a893894361da42a846 /test/results/flow-info
parentf97b3880b6d6e577bdd197faab25baf139dd9254 (diff)
bump libnDPI to 92507c014626bc542f2ab11c729742802c0bc345
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'test/results/flow-info')
-rw-r--r--test/results/flow-info/caches_cfg/teams.pcap.out18
-rw-r--r--test/results/flow-info/caches_global/lru_ipv6_caches.pcapng.out16
-rw-r--r--test/results/flow-info/caches_global/teams.pcap.out18
-rw-r--r--test/results/flow-info/caches_global/zoom_p2p.pcapng.out47
-rw-r--r--test/results/flow-info/default/1kxun.pcap.out16
-rw-r--r--test/results/flow-info/default/EAQ.pcap.out4
-rw-r--r--test/results/flow-info/default/KakaoTalk_chat.pcap.out3
-rw-r--r--test/results/flow-info/default/Oscar.pcap.out5
-rw-r--r--test/results/flow-info/default/alexa-app.pcapng.out29
-rw-r--r--test/results/flow-info/default/android.pcap.out4
-rw-r--r--test/results/flow-info/default/atg.pcap.out10
-rw-r--r--test/results/flow-info/default/bfcp.pcapng.out12
-rw-r--r--test/results/flow-info/default/bt-http.pcapng.out2
-rw-r--r--test/results/flow-info/default/cloudflare-warp.pcap.out11
-rw-r--r--test/results/flow-info/default/cnp_ip.pcapng.out7
-rw-r--r--test/results/flow-info/default/codm.pcap.out19
-rw-r--r--test/results/flow-info/default/conncheck.pcap.out35
-rw-r--r--test/results/flow-info/default/dns-exf.pcap.out6
-rw-r--r--test/results/flow-info/default/dotenv.pcap.out4
-rw-r--r--test/results/flow-info/default/dtls.pcap.out15
-rw-r--r--test/results/flow-info/default/egd.pcapng.out7
-rw-r--r--test/results/flow-info/default/emotet.pcap.out8
-rw-r--r--test/results/flow-info/default/exe_download.pcap.out4
-rw-r--r--test/results/flow-info/default/false_positives.pcapng.out47
-rw-r--r--test/results/flow-info/default/ftp.pcap.out2
-rw-r--r--test/results/flow-info/default/fuzz-2006-06-26-2594.pcap.out17
-rw-r--r--test/results/flow-info/default/fuzz-2006-09-29-28586.pcap.out6
-rw-r--r--test/results/flow-info/default/fuzz-2020-02-16-11740.pcap.out14
-rw-r--r--test/results/flow-info/default/geforcenow.pcapng.out4
-rw-r--r--test/results/flow-info/default/gnutella.pcap.out43
-rw-r--r--test/results/flow-info/default/googledns_android10.pcap.out4
-rw-r--r--test/results/flow-info/default/gtp_false_positive.pcapng.out2
-rw-r--r--test/results/flow-info/default/h323.pcap.out33
-rw-r--r--test/results/flow-info/default/h323_tcp.pcap.out7
-rw-r--r--test/results/flow-info/default/haproxy.pcap.out2
-rw-r--r--test/results/flow-info/default/heuristic_tcp_ack_payload.pcap.out25
-rw-r--r--test/results/flow-info/default/hls.pcapng.out9
-rw-r--r--test/results/flow-info/default/http-proxy.pcapng.out2
-rw-r--r--test/results/flow-info/default/http_asymmetric.pcapng.out6
-rw-r--r--test/results/flow-info/default/http_connect.pcap.out2
-rw-r--r--test/results/flow-info/default/http_guessed_host_and_guessed.pcapng.out2
-rw-r--r--test/results/flow-info/default/http_ipv6.pcap.out1
-rw-r--r--test/results/flow-info/default/http_starting_with_reply.pcapng.out8
-rw-r--r--test/results/flow-info/default/icmp-tunnel.pcap.out56
-rw-r--r--test/results/flow-info/default/instagram.pcap.out18
-rw-r--r--test/results/flow-info/default/ipsec_isakmp_esp.pcap.out4
-rw-r--r--test/results/flow-info/default/iqiyi.pcap.out7
-rw-r--r--test/results/flow-info/default/jabber.pcap.out2
-rw-r--r--test/results/flow-info/default/jrmi.pcap.out7
-rw-r--r--test/results/flow-info/default/kafka.pcapng.out46
-rw-r--r--test/results/flow-info/default/kerberos.pcap.out12
-rw-r--r--test/results/flow-info/default/knxip.pcapng.out10
-rw-r--r--test/results/flow-info/default/kontiki.pcap.out43
-rw-r--r--test/results/flow-info/default/ldp.pcap.out13
-rw-r--r--test/results/flow-info/default/log4j-webapp-exploit.pcap.out4
-rw-r--r--test/results/flow-info/default/lru_ipv6_caches.pcapng.out16
-rw-r--r--test/results/flow-info/default/lustre.pcapng.out8
-rw-r--r--test/results/flow-info/default/malware.pcap.out14
-rw-r--r--test/results/flow-info/default/mongo_false_positive.pcapng.out2
-rw-r--r--test/results/flow-info/default/mullvad_wireguard.pcap.out4
-rw-r--r--test/results/flow-info/default/nano.pcapng.out7
-rw-r--r--test/results/flow-info/default/netbios.pcap.out7
-rw-r--r--test/results/flow-info/default/netflix.pcap.out72
-rw-r--r--test/results/flow-info/default/nintendo.pcap.out2
-rw-r--r--test/results/flow-info/default/openvpn.pcap.out14
-rw-r--r--test/results/flow-info/default/openwire.pcapng.out20
-rw-r--r--test/results/flow-info/default/oracle12.pcapng.out4
-rw-r--r--test/results/flow-info/default/ossfuzz_seed_fake_traces_1.pcapng.out5
-rw-r--r--test/results/flow-info/default/pgsql2.pcapng.out9
-rw-r--r--test/results/flow-info/default/portable_executable.pcap.out4
-rw-r--r--test/results/flow-info/default/pps.pcap.out589
-rw-r--r--test/results/flow-info/default/quic.pcap.out1
-rw-r--r--test/results/flow-info/default/quickplay.pcap.out22
-rw-r--r--test/results/flow-info/default/raknet.pcap.out18
-rw-r--r--test/results/flow-info/default/reasm_crash_anon.pcapng.out10
-rw-r--r--test/results/flow-info/default/riot.pcapng.out6
-rw-r--r--test/results/flow-info/default/ripe_atlas.pcap.out33
-rw-r--r--test/results/flow-info/default/rtp.pcapng.out27
-rw-r--r--test/results/flow-info/default/shadowsocks.pcap.out2
-rw-r--r--test/results/flow-info/default/shell.pcap.out4
-rw-r--r--test/results/flow-info/default/sip.pcap.out7
-rw-r--r--test/results/flow-info/default/sip_hello.pcapng.out6
-rw-r--r--test/results/flow-info/default/sites.pcapng.out404
-rw-r--r--test/results/flow-info/default/srvloc.pcap.out4
-rw-r--r--test/results/flow-info/default/ssh.pcap.out25
-rw-r--r--test/results/flow-info/default/ssh_unidirectional.pcap.out8
-rw-r--r--test/results/flow-info/default/starcraft_battle.pcap.out5
-rw-r--r--test/results/flow-info/default/stun.pcap.out12
-rw-r--r--test/results/flow-info/default/stun_dtls_rtp.pcapng.out23
-rw-r--r--test/results/flow-info/default/stun_google_meet.pcapng.out26
-rw-r--r--test/results/flow-info/default/stun_msteams_unidir.pcapng.out4
-rw-r--r--test/results/flow-info/default/stun_signal.pcapng.out10
-rw-r--r--test/results/flow-info/default/stun_wa_call.pcapng.out2
-rw-r--r--test/results/flow-info/default/stun_zoom.pcapng.out6
-rw-r--r--test/results/flow-info/default/synscan.pcap.out8
-rw-r--r--test/results/flow-info/default/teams.pcap.out18
-rw-r--r--test/results/flow-info/default/telegram.pcap.out10
-rw-r--r--test/results/flow-info/default/telegram_videocall.pcapng.out20
-rw-r--r--test/results/flow-info/default/teso.pcapng.out12
-rw-r--r--test/results/flow-info/default/threema.pcap.out4
-rw-r--r--test/results/flow-info/default/tls_certificate_too_long.pcap.out8
-rw-r--r--test/results/flow-info/default/tls_invalid_reads.pcap.out2
-rw-r--r--test/results/flow-info/default/tls_missing_ch_frag.pcap.out2
-rw-r--r--test/results/flow-info/default/tls_unidirectional.pcap.out17
-rw-r--r--test/results/flow-info/default/toca-boca.pcap.out6
-rw-r--r--test/results/flow-info/default/trdp.pcapng.out13
-rw-r--r--test/results/flow-info/default/tunnelbear.pcap.out177
-rw-r--r--test/results/flow-info/default/viber.pcap.out21
-rw-r--r--test/results/flow-info/default/wa_video.pcap.out5
-rw-r--r--test/results/flow-info/default/wa_voice.pcap.out6
-rw-r--r--test/results/flow-info/default/waze.pcap.out18
-rw-r--r--test/results/flow-info/default/webdav.pcap.out44
-rw-r--r--test/results/flow-info/default/wechat.pcap.out1
-rw-r--r--test/results/flow-info/default/weibo.pcap.out1
-rw-r--r--test/results/flow-info/default/whatsapp_login_call.pcap.out14
-rw-r--r--test/results/flow-info/default/windowsupdate_over_http.pcap.out4
-rw-r--r--test/results/flow-info/default/windscribe.pcapng.out11
-rw-r--r--test/results/flow-info/default/xiaomi.pcap.out14
-rw-r--r--test/results/flow-info/default/zoom.pcap.out9
-rw-r--r--test/results/flow-info/default/zoom2.pcap.out12
-rw-r--r--test/results/flow-info/default/zoom_p2p.pcapng.out47
-rw-r--r--test/results/flow-info/default/zug.pcap.out35
-rw-r--r--test/results/flow-info/enable_payload_stat/1kxun.pcap.out16
-rw-r--r--test/results/flow-info/fpc_disabled/teams.pcap.out (renamed from test/results/flow-info/stun_mapped_address_disabled/teams.pcap.out)18
-rw-r--r--test/results/flow-info/http_process_response_disable/http_asymmetric.pcapng.out6
-rw-r--r--test/results/flow-info/ip_lists_disable/1kxun.pcap.out16
-rw-r--r--test/results/flow-info/stun_all_attributes_disabled/teams.pcap.out573
-rw-r--r--test/results/flow-info/stun_extra_dissection/lru_ipv6_caches.pcapng.out77
-rw-r--r--test/results/flow-info/stun_extra_dissection/stun_dtls_rtp.pcapng.out36
-rw-r--r--test/results/flow-info/stun_extra_dissection/stun_zoom.pcapng.out6
-rw-r--r--test/results/flow-info/stun_only_peer_address_enabled/stun_wa_call.pcapng.out108
-rw-r--r--test/results/flow-info/stun_only_peer_address_enabled/telegram_videocall.pcapng.out228
-rw-r--r--test/results/flow-info/subclassification_disable/anydesk.pcapng.out83
-rw-r--r--test/results/flow-info/subclassification_disable/dns.pcap.out (renamed from test/results/flow-info/dns_subclassification_disable/dns.pcap.out)0
-rw-r--r--test/results/flow-info/subclassification_disable/http.pcapng.out7
-rw-r--r--test/results/flow-info/subclassification_disable/quic-mvfst-27.pcapng.out5
-rw-r--r--test/results/flow-info/subclassification_disable/tls_ech.pcapng.out8
-rw-r--r--test/results/flow-info/zoom_extra_dissection/zoom.pcap.out230
-rw-r--r--test/results/flow-info/zoom_extra_dissection/zoom2.pcap.out61
-rw-r--r--test/results/flow-info/zoom_extra_dissection/zoom_p2p.pcapng.out130
140 files changed, 3040 insertions, 1307 deletions
diff --git a/test/results/flow-info/caches_cfg/teams.pcap.out b/test/results/flow-info/caches_cfg/teams.pcap.out
index 9c24be31a..e04e45d16 100644
--- a/test/results/flow-info/caches_cfg/teams.pcap.out
+++ b/test/results/flow-info/caches_cfg/teams.pcap.out
@@ -369,7 +369,7 @@
detected: [....66] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.123][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
new: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443]
new: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478]
- detected: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][?n???z`?s????}??d??]]
+ detected: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
detection-update: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com]
RISK: TLS (probably) Not Carrying HTTPS
new: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478]
@@ -377,13 +377,13 @@
detected: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com]
RISK: TLS (probably) Not Carrying HTTPS
new: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478]
- detected: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][<??a????h (?/??????]
+ detected: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
new: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478]
detected: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
detection-update: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com]
RISK: TLS (probably) Not Carrying HTTPS
- detection-update: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][>??i)?<????????????r]
- detection-update: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][s?>?ed???[??+ez4???m]
+ detection-update: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
+ detection-update: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
new: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443]
new: [....73] [ip4][..tcp] [....192.168.1.6][50036] -> [.52.114.250.153][..443]
detected: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][52.114.250.152]
@@ -414,12 +414,12 @@
new: [....79] [ip4][..udp] [..93.71.110.205][16333] -> [....192.168.1.6][50036]
detected: [....79] [ip4][..udp] [..93.71.110.205][16333] -> [....192.168.1.6][50036] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable][]
RISK: Known Proto on Non Std Port
- detection-update: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][?n???z`?s????}??d??]]
+ detection-update: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
RISK: Unidirectional Traffic
- detection-update: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][<??a????h (?/??????]
+ detection-update: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
RISK: Unidirectional Traffic
- detection-update: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][?n???z`?s????}??d??]]
- detection-update: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][<??a????h (?/??????]
+ detection-update: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
+ detection-update: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
new: [....80] [ip4][..udp] [..52.114.252.21][.3480] -> [....192.168.1.6][50036]
detected: [....80] [ip4][..udp] [..52.114.252.21][.3480] -> [....192.168.1.6][50036] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
RISK: Known Proto on Non Std Port
@@ -527,7 +527,7 @@
idle: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe]
RISK: Known Proto on Non Std Port
idle: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe]
- guessed: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478] [Skype_Teams][Azure][VoIP][Acceptable]
+ guessed: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478] [Skype_TeamsCall][Azure][VoIP][Acceptable]
RISK: Susp Entropy
idle: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478]
idle: [....27] [ip4][..udp] [....192.168.1.6][57530] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe]
diff --git a/test/results/flow-info/caches_global/lru_ipv6_caches.pcapng.out b/test/results/flow-info/caches_global/lru_ipv6_caches.pcapng.out
index 8d8174ec0..f78bd9ee9 100644
--- a/test/results/flow-info/caches_global/lru_ipv6_caches.pcapng.out
+++ b/test/results/flow-info/caches_global/lru_ipv6_caches.pcapng.out
@@ -2,7 +2,7 @@
DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....1] [ip6][..udp] [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] -> [20ed:470f:6f73:ce60:60be:8b4f:df37:b080][45658]
- detected: [.....1] [ip6][..udp] [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] -> [20ed:470f:6f73:ce60:60be:8b4f:df37:b080][45658] [STUN][Unknown][Network][Acceptable][]
+ detected: [.....1] [ip6][..udp] [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] -> [20ed:470f:6f73:ce60:60be:8b4f:df37:b080][45658] [RTCP][Unknown][VoIP][Acceptable]
new: [.....2] [ip6][..udp] [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] -> [3024:e5ee:ac2f:cd76:5dd6:a7a1:f17f:5c27][60506]
detected: [.....2] [ip6][..udp] [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] -> [3024:e5ee:ac2f:cd76:5dd6:a7a1:f17f:5c27][60506] [BitTorrent][Unknown][Download][Acceptable]
RISK: Known Proto on Non Std Port
@@ -27,21 +27,21 @@
detection-update: [.....7] [ip6][..udp] [2118:ec33:112b:7908:2c80:27ff:fef7:d71f][48415] -> [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][]
RISK: Unidirectional Traffic
new: [.....8] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44144]
- detected: [.....8] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44144] [TLS][Unknown][Web][Safe][]
+ detected: [.....8] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44144] [TLS][Unknown][Web][Safe]
RISK: Unidirectional Traffic
- detection-update: [.....8] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44144] [TLS.Cloudflare][Unknown][Web][Acceptable][]
+ detection-update: [.....8] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44144] [TLS.Cloudflare][Unknown][Web][Acceptable]
RISK: Unidirectional Traffic
new: [.....9] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44150]
- detected: [.....9] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44150] [TLS.Cloudflare][Unknown][Web][Acceptable][]
+ detected: [.....9] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44150] [TLS.Cloudflare][Unknown][Web][Acceptable]
RISK: Unidirectional Traffic
- detection-update: [.....9] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44150] [TLS.Cloudflare][Unknown][Web][Acceptable][]
+ detection-update: [.....9] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44150] [TLS.Cloudflare][Unknown][Web][Acceptable]
RISK: Unidirectional Traffic
detection-update: [.....6] [ip6][..udp] [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] -> [.38b2:46b7:27a4:94c3:c134:948:e069:d71f][....1] [BitTorrent][Unknown][Download][Acceptable]
RISK: Known Proto on Non Std Port, Unidirectional Traffic
new: [....10] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44192]
- detected: [....10] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44192] [TLS.Cloudflare][Unknown][Web][Acceptable][]
+ detected: [....10] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44192] [TLS.Cloudflare][Unknown][Web][Acceptable]
RISK: Unidirectional Traffic
- detection-update: [....10] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44192] [TLS.Cloudflare][Unknown][Web][Acceptable][]
+ detection-update: [....10] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44192] [TLS.Cloudflare][Unknown][Web][Acceptable]
RISK: Unidirectional Traffic
new: [....11] [ip6][..udp] [.3297:a1af:5121:cfc:360b:2e07:872f:1ea0][43865] -> [....32fb:f967:681e:e96b:face:b00c::74fd][.3478]
detected: [....11] [ip6][..udp] [.3297:a1af:5121:cfc:360b:2e07:872f:1ea0][43865] -> [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][]
@@ -69,7 +69,7 @@
RISK: Unidirectional Traffic
idle: [....11] [ip6][..udp] [.3297:a1af:5121:cfc:360b:2e07:872f:1ea0][43865] -> [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable]
RISK: Unidirectional Traffic
- idle: [.....1] [ip6][..udp] [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] -> [20ed:470f:6f73:ce60:60be:8b4f:df37:b080][45658] [STUN][Unknown][Network][Acceptable]
+ idle: [.....1] [ip6][..udp] [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] -> [20ed:470f:6f73:ce60:60be:8b4f:df37:b080][45658] [RTCP][Unknown][VoIP][Acceptable]
idle: [....12] [ip6][..udp] [.3069:c624:1d42:9469:98b1:67ff:fe43:325][56131] -> [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable]
RISK: Unidirectional Traffic
idle: [.....3] [ip6][..udp] [.2a2f:8509:1cb2:466d:ecbf:69d6:109c:608][62229] -> [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] [BitTorrent][Unknown][Download][Acceptable]
diff --git a/test/results/flow-info/caches_global/teams.pcap.out b/test/results/flow-info/caches_global/teams.pcap.out
index 9c24be31a..e04e45d16 100644
--- a/test/results/flow-info/caches_global/teams.pcap.out
+++ b/test/results/flow-info/caches_global/teams.pcap.out
@@ -369,7 +369,7 @@
detected: [....66] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.123][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
new: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443]
new: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478]
- detected: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][?n???z`?s????}??d??]]
+ detected: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
detection-update: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com]
RISK: TLS (probably) Not Carrying HTTPS
new: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478]
@@ -377,13 +377,13 @@
detected: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com]
RISK: TLS (probably) Not Carrying HTTPS
new: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478]
- detected: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][<??a????h (?/??????]
+ detected: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
new: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478]
detected: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
detection-update: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com]
RISK: TLS (probably) Not Carrying HTTPS
- detection-update: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][>??i)?<????????????r]
- detection-update: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][s?>?ed???[??+ez4???m]
+ detection-update: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
+ detection-update: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
new: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443]
new: [....73] [ip4][..tcp] [....192.168.1.6][50036] -> [.52.114.250.153][..443]
detected: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][52.114.250.152]
@@ -414,12 +414,12 @@
new: [....79] [ip4][..udp] [..93.71.110.205][16333] -> [....192.168.1.6][50036]
detected: [....79] [ip4][..udp] [..93.71.110.205][16333] -> [....192.168.1.6][50036] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable][]
RISK: Known Proto on Non Std Port
- detection-update: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][?n???z`?s????}??d??]]
+ detection-update: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
RISK: Unidirectional Traffic
- detection-update: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][<??a????h (?/??????]
+ detection-update: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
RISK: Unidirectional Traffic
- detection-update: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][?n???z`?s????}??d??]]
- detection-update: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][<??a????h (?/??????]
+ detection-update: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
+ detection-update: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
new: [....80] [ip4][..udp] [..52.114.252.21][.3480] -> [....192.168.1.6][50036]
detected: [....80] [ip4][..udp] [..52.114.252.21][.3480] -> [....192.168.1.6][50036] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
RISK: Known Proto on Non Std Port
@@ -527,7 +527,7 @@
idle: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe]
RISK: Known Proto on Non Std Port
idle: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe]
- guessed: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478] [Skype_Teams][Azure][VoIP][Acceptable]
+ guessed: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478] [Skype_TeamsCall][Azure][VoIP][Acceptable]
RISK: Susp Entropy
idle: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478]
idle: [....27] [ip4][..udp] [....192.168.1.6][57530] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe]
diff --git a/test/results/flow-info/caches_global/zoom_p2p.pcapng.out b/test/results/flow-info/caches_global/zoom_p2p.pcapng.out
index 99a03c91a..794bfd0a9 100644
--- a/test/results/flow-info/caches_global/zoom_p2p.pcapng.out
+++ b/test/results/flow-info/caches_global/zoom_p2p.pcapng.out
@@ -15,12 +15,18 @@
detected: [.....4] [ip4][..udp] [.192.168.12.156][38453] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable][]
new: [.....5] [ip4][.icmp] [.206.247.87.213] -> [.192.168.12.156]
detected: [.....5] [ip4][.icmp] [.206.247.87.213] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
+ RISK: Susp Entropy
update: [.....1] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
new: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036]
+ detected: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036] [Zoom][Unknown][Video][Acceptable]
+ detection-update: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036] [Zoom][Unknown][Video][Acceptable]
+ RISK: Unidirectional Traffic
update: [.....5] [ip4][.icmp] [.206.247.87.213] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
+ RISK: Susp Entropy
update: [.....2] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
new: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757]
- analyse: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757]
+ detected: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757] [Zoom][Unknown][Video][Acceptable]
+ analyse: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757] [Zoom][Unknown][Video][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.089| 0.026| 0.021| 430.173| 4.500]
[PKTLEN......: 113.000| 1277.000| 673.700| 485.600| 235788.400| 4.500]
@@ -33,28 +39,32 @@
update: [.....4] [ip4][..udp] [.192.168.12.156][38453] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
update: [.....3] [ip4][..udp] [.192.168.12.156][39065] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
update: [.....5] [ip4][.icmp] [.206.247.87.213] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
+ RISK: Susp Entropy
update: [.....1] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
- update: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036]
+ update: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036] [Zoom][Unknown][Video][Acceptable]
+ RISK: Unidirectional Traffic
update: [.....5] [ip4][.icmp] [.206.247.87.213] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
- update: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757]
+ RISK: Susp Entropy
+ update: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757] [Zoom][Unknown][Video][Acceptable]
update: [.....2] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
update: [.....4] [ip4][..udp] [.192.168.12.156][38453] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
update: [.....3] [ip4][..udp] [.192.168.12.156][39065] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
update: [.....5] [ip4][.icmp] [.206.247.87.213] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
+ RISK: Susp Entropy
update: [.....1] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
idle: [.....5] [ip4][.icmp] [.206.247.87.213] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
- update: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036]
- update: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757]
+ RISK: Susp Entropy
+ update: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036] [Zoom][Unknown][Video][Acceptable]
+ RISK: Unidirectional Traffic
+ update: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757] [Zoom][Unknown][Video][Acceptable]
update: [.....2] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
update: [.....4] [ip4][..udp] [.192.168.12.156][38453] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
update: [.....3] [ip4][..udp] [.192.168.12.156][39065] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
idle: [.....2] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
update: [.....1] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
- guessed: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036] [Zoom][Unknown][Video][Acceptable]
+ idle: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036] [Zoom][Unknown][Video][Acceptable]
RISK: Unidirectional Traffic
- idle: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036]
- guessed: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757] [Zoom][Unknown][Video][Acceptable]
- idle: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757]
+ idle: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757] [Zoom][Unknown][Video][Acceptable]
idle: [.....4] [ip4][..udp] [.192.168.12.156][38453] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
idle: [.....3] [ip4][..udp] [.192.168.12.156][39065] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
new: [.....8] [ip4][..udp] [.192.168.12.156][49579] -> [.206.247.10.253][.3478]
@@ -63,6 +73,7 @@
detected: [.....9] [ip4][..udp] [.192.168.12.156][42208] -> [.206.247.10.253][.3478] [STUN.Zoom][Zoom][Video][Acceptable][]
new: [....10] [ip4][.icmp] [.206.247.10.253] -> [.192.168.12.156]
detected: [....10] [ip4][.icmp] [.206.247.10.253] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
+ RISK: Susp Entropy
new: [....11] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353]
detected: [....11] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable][_ipps._tcp.local]
update: [.....1] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
@@ -77,9 +88,16 @@
[PKTLENS.....: 100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100]
[ENTROPIES...: 5.4,5.3,5.2,5.3,5.4,5.3,5.4,5.3,5.4,5.3,5.3,5.4,5.3,5.3,5.3,5.4,5.3,5.4,5.3,5.3,5.3,5.3,5.3,5.3,5.4,5.3,5.3,5.4,5.4,5.3,5.4,5.3]
new: [....12] [ip4][..udp] [.192.168.12.156][42208] -> [...10.78.14.178][47312]
+ detected: [....12] [ip4][..udp] [.192.168.12.156][42208] -> [...10.78.14.178][47312] [Zoom][Unknown][Video][Acceptable]
+ detection-update: [....12] [ip4][..udp] [.192.168.12.156][42208] -> [...10.78.14.178][47312] [Zoom][Unknown][Video][Acceptable]
+ RISK: Unidirectional Traffic
new: [....13] [ip4][..udp] [.192.168.12.156][49579] -> [...10.78.14.178][49586]
+ detected: [....13] [ip4][..udp] [.192.168.12.156][49579] -> [...10.78.14.178][49586] [Zoom][Unknown][Video][Acceptable]
+ detection-update: [....13] [ip4][..udp] [.192.168.12.156][49579] -> [...10.78.14.178][49586] [Zoom][Unknown][Video][Acceptable]
+ RISK: Unidirectional Traffic
update: [....10] [ip4][.icmp] [.206.247.10.253] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
- analyse: [....12] [ip4][..udp] [.192.168.12.156][42208] -> [...10.78.14.178][47312]
+ RISK: Susp Entropy
+ analyse: [....12] [ip4][..udp] [.192.168.12.156][42208] -> [...10.78.14.178][47312] [Zoom][Unknown][Video][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.052| 0.013| 0.016| 253.890| 4.000]
[PKTLEN......: 112.000| 112.000| 112.000| 0.000| 0.000| 5.000]
@@ -89,7 +107,7 @@
[IATS(ms)....: 0.2,27.3,11.2,7.7,6.8,1.5,0.1,13.3,6.9,1.7,40.5,0.2,15.5,0.6,33.3,0.2,50.8,0.4,5.9,5.7,52.3,0.4,7.2,2.3,22.7,0.2,31.0,0.2,40.9,0.2,22.6]
[PKTLENS.....: 112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112]
[ENTROPIES...: 5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0]
- analyse: [....13] [ip4][..udp] [.192.168.12.156][49579] -> [...10.78.14.178][49586]
+ analyse: [....13] [ip4][..udp] [.192.168.12.156][49579] -> [...10.78.14.178][49586] [Zoom][Unknown][Video][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.055| 0.027| 0.014| 209.331| 4.700]
[PKTLEN......: 112.000| 112.000| 112.000| 0.000| 0.000| 5.000]
@@ -100,14 +118,13 @@
[PKTLENS.....: 112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112]
[ENTROPIES...: 4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9]
idle: [....10] [ip4][.icmp] [.206.247.10.253] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
- guessed: [....13] [ip4][..udp] [.192.168.12.156][49579] -> [...10.78.14.178][49586] [Zoom][Unknown][Video][Acceptable]
+ RISK: Susp Entropy
+ idle: [....13] [ip4][..udp] [.192.168.12.156][49579] -> [...10.78.14.178][49586] [Zoom][Unknown][Video][Acceptable]
RISK: Unidirectional Traffic
- idle: [....13] [ip4][..udp] [.192.168.12.156][49579] -> [...10.78.14.178][49586]
idle: [.....1] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
idle: [.....9] [ip4][..udp] [.192.168.12.156][42208] -> [.206.247.10.253][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
idle: [....11] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
- guessed: [....12] [ip4][..udp] [.192.168.12.156][42208] -> [...10.78.14.178][47312] [Zoom][Unknown][Video][Acceptable]
+ idle: [....12] [ip4][..udp] [.192.168.12.156][42208] -> [...10.78.14.178][47312] [Zoom][Unknown][Video][Acceptable]
RISK: Unidirectional Traffic
- idle: [....12] [ip4][..udp] [.192.168.12.156][42208] -> [...10.78.14.178][47312]
idle: [.....8] [ip4][..udp] [.192.168.12.156][49579] -> [.206.247.10.253][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/1kxun.pcap.out b/test/results/flow-info/default/1kxun.pcap.out
index 8a5569319..75be7adee 100644
--- a/test/results/flow-info/default/1kxun.pcap.out
+++ b/test/results/flow-info/default/1kxun.pcap.out
@@ -427,7 +427,7 @@
new: [...134] [ip4][..tcp] [..192.168.2.126][41134] -> [.129.226.107.77][...80] [MIDSTREAM]
detected: [...134] [ip4][..tcp] [..192.168.2.126][41134] -> [.129.226.107.77][...80] [HTTP.QQ][Tencent][Chat][Fun][cgi.connect.qq.com]
detection-update: [...133] [ip4][..tcp] [..192.168.2.126][47230] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Download][Fun][kankan.1kxun.mobi]
- RISK: Binary file/data transfer (attempt)
+ RISK: Binary File/Data Transfer (Attempt)
new: [...135] [ip4][..tcp] [..192.168.2.126][47246] -> [..161.117.13.29][...80] [MIDSTREAM]
detected: [...135] [ip4][..tcp] [..192.168.2.126][47246] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][kankan.1kxun.com]
new: [...136] [ip4][..tcp] [..192.168.2.126][47262] -> [..161.117.13.29][...80] [MIDSTREAM]
@@ -467,6 +467,7 @@
idle: [....97] [ip6][..udp] [..............fe80::e98f:bae2:19f7:6b0f][51451] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable]
RISK: Non-Printable/Invalid Chars Detected
not-detected: [....94] [ip4][..udp] [..192.168.119.2][43786] -> [255.255.255.255][.5678] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [....94] [ip4][..udp] [..192.168.119.2][43786] -> [255.255.255.255][.5678]
idle: [....85] [ip4][..udp] [...192.168.5.50][50030] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable]
idle: [....55] [ip4][..udp] [...192.168.5.16][...68] -> [..192.168.119.1][...67] [DHCP][Unknown][Network][Acceptable]
@@ -548,6 +549,7 @@
idle: [...123] [ip6][..udp] [...............fe80::e034:7be:d8f9:6197][57143] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable]
idle: [....80] [ip4][..udp] [...192.168.5.57][65150] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable]
not-detected: [....88] [ip4][..udp] [..192.168.119.1][56861] -> [255.255.255.255][.5678] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [....88] [ip4][..udp] [..192.168.119.1][56861] -> [255.255.255.255][.5678]
idle: [...116] [ip6][..udp] [..............fe80::f65c:89ff:fe89:e607][..546] -> [..............................ff02::1:2][..547] [DHCPV6][Unknown][Network][Acceptable]
idle: [....72] [ip6][..udp] [..............fe80::4568:efbc:40b1:1346][50194] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable]
@@ -556,6 +558,7 @@
idle: [....39] [ip4][..udp] [..192.168.115.8][54420] -> [........8.8.8.8][...53] [DNS.QQ][Google][Network][Fun]
idle: [...124] [ip4][..udp] [...192.168.5.50][57143] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable]
not-detected: [....79] [ip4][..udp] [..192.168.0.100][50925] -> [255.255.255.255][.5678] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [....79] [ip4][..udp] [..192.168.0.100][50925] -> [255.255.255.255][.5678]
idle: [....99] [ip6][..udp] [..............fe80::5d92:62a8:ebde:1319][53938] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable]
idle: [....27] [ip4][..tcp] [..192.168.115.8][49599] -> [.106.187.35.246][...80] [HTTP.1kxun][Unknown][Streaming][Fun]
@@ -571,7 +574,6 @@
idle: [....19] [ip6][..udp] [..............fe80::e98f:bae2:19f7:6b0f][58779] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable]
RISK: Non-Printable/Invalid Chars Detected
guessed: [...101] [ip4][..tcp] [.119.235.235.84][..443] -> [...192.168.5.16][53406] [TLS][Line][Web][Safe]
- RISK: Susp Entropy
idle: [...101] [ip4][..tcp] [.119.235.235.84][..443] -> [...192.168.5.16][53406]
end: [....46] [ip4][..tcp] [..192.168.115.8][49612] -> [.183.131.48.145][...80] [HTTP][Unknown][Web][Acceptable]
RISK: HTTP Susp User-Agent, HTTP/TLS/QUIC Numeric Hostname/SNI
@@ -579,8 +581,10 @@
RISK: HTTP Susp User-Agent, HTTP/TLS/QUIC Numeric Hostname/SNI
idle: [....24] [ip4][..udp] [..192.168.115.8][52723] -> [.....168.95.1.1][...53] [DNS.1kxun][Unknown][Network][Fun]
not-detected: [....89] [ip6][..udp] [................fe80::4e5e:cff:feea:365][.5678] -> [................................ff02::1][.5678] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [....89] [ip6][..udp] [................fe80::4e5e:cff:feea:365][.5678] -> [................................ff02::1][.5678]
not-detected: [....60] [ip6][..udp] [...............fe80::4e5e:cff:fe9a:ec54][.5678] -> [................................ff02::1][.5678] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [....60] [ip6][..udp] [...............fe80::4e5e:cff:fe9a:ec54][.5678] -> [................................ff02::1][.5678]
idle: [...119] [ip4][..udp] [...192.168.5.16][..123] -> [..17.253.26.125][..123] [NTP][Apple][System][Acceptable]
idle: [....16] [ip4][..udp] [..192.168.115.8][52723] -> [........8.8.8.8][...53] [DNS.1kxun][Google][Network][Fun]
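Review bot: The `RISK: Susp Entropy` lines now expected on the two `not-detected` UDP/5678 flows in this hunk (fe80::… to ff02::1, and the same pattern on the 255.255.255.255 flows earlier in this file) are being committed as test oracle for traffic that nDPI itself still classifies as Unknown. UDP/5678 to the all-hosts destination looks like a periodic neighbour-discovery beacon (MikroTik MNDP uses that port), so if upstream has no dissector for it the entropy flag is noise on a LAN announcement rather than a signal, and regenerating the fixture locks that in. Worth confirming against the libnDPI change that introduced the flag whether it is meant to fire on undetected broadcast traffic, and if not, a short note in the commit message that these deltas are known false positives would save the next bump from re-litigating them.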
@@ -654,6 +658,7 @@
detected: [...152] [ip4][..tcp] [..192.168.2.126][45424] -> [..161.117.13.29][...80] [HTTP][Alibaba][Streaming][Acceptable][tcad.wedolook.com]
new: [...153] [ip4][..tcp] [..192.168.2.126][41390] -> [....18.64.79.37][...80] [MIDSTREAM]
detected: [...153] [ip4][..tcp] [..192.168.2.126][41390] -> [....18.64.79.37][...80] [HTTP.Google][AmazonAWS][Web][Acceptable][google.open-js.com]
+ RISK: Susp Entropy
analyse: [...146] [ip4][..tcp] [..192.168.2.126][45380] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.409| 0.085| 0.132| 17528.007| 3.300]
@@ -704,6 +709,7 @@
[ENTROPIES...: 5.9,5.9,7.3,7.9,7.9,7.9,7.8,7.8,7.8,7.9,8.0,7.8,7.8,7.8,7.9,7.9,7.9,7.9,5.9,5.8,8.0,8.0,7.9,7.9,8.0,7.9,8.0,7.7,5.9,5.9,7.9,8.0]
new: [...163] [ip4][..tcp] [..192.168.2.126][44368] -> [..172.217.18.98][...80] [MIDSTREAM]
detected: [...163] [ip4][..tcp] [..192.168.2.126][44368] -> [..172.217.18.98][...80] [HTTP.GoogleServices][Google][Web][Acceptable][www.googletagservices.com]
+ RISK: Susp Entropy
new: [...164] [ip4][..tcp] [..192.168.2.126][50140] -> [..161.117.13.29][...80] [MIDSTREAM]
detected: [...164] [ip4][..tcp] [..192.168.2.126][50140] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi]
new: [...165] [ip4][..tcp] [..192.168.2.126][50148] -> [..161.117.13.29][...80] [MIDSTREAM]
@@ -790,6 +796,7 @@
detected: [...193] [ip4][..tcp] [..192.168.2.126][40204] -> [...18.235.204.9][...80] [HTTP][AmazonAWS][Web][Acceptable][adexp.liftoff.io]
new: [...194] [ip4][..tcp] [..192.168.2.126][53416] -> [.172.217.16.142][...80] [MIDSTREAM]
detected: [...194] [ip4][..tcp] [..192.168.2.126][53416] -> [.172.217.16.142][...80] [HTTP.Google][Google][Web][Acceptable][play.google.com]
+ RISK: Susp Entropy
new: [...195] [ip4][..tcp] [..192.168.2.126][33042] -> [...3.122.190.70][...80] [MIDSTREAM]
detected: [...195] [ip4][..tcp] [..192.168.2.126][33042] -> [...3.122.190.70][...80] [HTTP][AmazonAWS][Web][Acceptable][click.liftoff.io]
new: [...196] [ip4][..tcp] [..192.168.2.126][35426] -> [..8.209.112.118][...80] [MIDSTREAM]
@@ -802,6 +809,7 @@
idle: [...147] [ip4][..tcp] [..192.168.2.126][45388] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
idle: [...148] [ip4][..tcp] [..192.168.2.126][45398] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
idle: [...163] [ip4][..tcp] [..192.168.2.126][44368] -> [..172.217.18.98][...80] [HTTP.GoogleServices][Google][Web][Acceptable]
+ RISK: Susp Entropy
idle: [...178] [ip4][..tcp] [..192.168.2.126][56826] -> [...8.209.97.107][...80] [HTTP][Alibaba][Web][Acceptable]
idle: [...149] [ip4][..tcp] [..192.168.2.126][45414] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
idle: [...150] [ip4][..tcp] [..192.168.2.126][45416] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
@@ -836,9 +844,11 @@
idle: [...167] [ip4][..tcp] [..192.168.2.126][50166] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
idle: [...168] [ip4][..tcp] [..192.168.2.126][50176] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
idle: [...153] [ip4][..tcp] [..192.168.2.126][41390] -> [....18.64.79.37][...80] [HTTP.Google][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
idle: [...197] [ip4][..tcp] [..192.168.2.126][51686] -> [....18.64.79.64][...80] [HTTP][AmazonAWS][Web][Acceptable]
idle: [...156] [ip4][..tcp] [..192.168.2.126][36732] -> [142.250.186.174][...80] [HTTP.Google][Google][Advertisement][Acceptable]
idle: [...194] [ip4][..tcp] [..192.168.2.126][53416] -> [.172.217.16.142][...80] [HTTP.Google][Google][Web][Acceptable]
+ RISK: Susp Entropy
idle: [...189] [ip4][..tcp] [..192.168.2.126][42554] -> [...35.156.44.13][...80] [HTTP][AmazonAWS][Web][Acceptable]
idle: [...190] [ip4][..tcp] [..192.168.2.126][42566] -> [...35.156.44.13][...80] [HTTP][AmazonAWS][Web][Acceptable]
idle: [...195] [ip4][..tcp] [..192.168.2.126][33042] -> [...3.122.190.70][...80] [HTTP][AmazonAWS][Web][Acceptable]
@@ -864,7 +874,7 @@
idle: [...142] [ip4][..tcp] [..192.168.2.126][46170] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun]
idle: [...141] [ip4][..tcp] [..192.168.2.126][46184] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun]
idle: [...133] [ip4][..tcp] [..192.168.2.126][47230] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Download][Fun]
- RISK: Binary file/data transfer (attempt)
+ RISK: Binary File/Data Transfer (Attempt)
idle: [...188] [ip4][..tcp] [..192.168.2.126][37100] -> [..52.29.177.177][...80] [HTTP][AmazonAWS][Web][Acceptable]
idle: [...143] [ip4][..tcp] [..192.168.2.126][46200] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun]
idle: [...135] [ip4][..tcp] [..192.168.2.126][47246] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
diff --git a/test/results/flow-info/default/EAQ.pcap.out b/test/results/flow-info/default/EAQ.pcap.out
index 3c6b2cf50..e29ff31dd 100644
--- a/test/results/flow-info/default/EAQ.pcap.out
+++ b/test/results/flow-info/default/EAQ.pcap.out
@@ -6,7 +6,7 @@
RISK: HTTP Susp User-Agent
new: [.....2] [ip4][..tcp] [.......10.8.0.1][40467] -> [.173.194.119.24][...80]
detected: [.....2] [ip4][..tcp] [.......10.8.0.1][40467] -> [.173.194.119.24][...80] [HTTP.Google][Google][Web][Acceptable][www.google.com.br]
- RISK: HTTP Susp User-Agent
+ RISK: HTTP Susp User-Agent, Susp Entropy
new: [.....3] [ip4][..udp] [.......10.8.0.1][52257] -> [200.185.138.146][.6000]
new: [.....4] [ip4][..udp] [.......10.8.0.1][48890] -> [200.185.125.226][.6000]
new: [.....5] [ip4][..udp] [.......10.8.0.1][51569] -> [.200.194.148.67][.6000]
@@ -127,7 +127,7 @@
idle: [....23] [ip4][..udp] [.......10.8.0.1][36552] -> [.200.194.136.66][.6000] [EAQ][Unknown][Network][Acceptable]
RISK: Unidirectional Traffic
end: [.....2] [ip4][..tcp] [.......10.8.0.1][40467] -> [.173.194.119.24][...80] [HTTP.Google][Google][Web][Acceptable]
- RISK: HTTP Susp User-Agent
+ RISK: HTTP Susp User-Agent, Susp Entropy
idle: [....26] [ip4][..udp] [.......10.8.0.1][59098] -> [.200.194.134.68][.6000] [EAQ][Unknown][Network][Acceptable]
RISK: Unidirectional Traffic
idle: [....28] [ip4][..udp] [.......10.8.0.1][36577] -> [.200.194.149.68][.6000] [EAQ][Unknown][Network][Acceptable]
diff --git a/test/results/flow-info/default/KakaoTalk_chat.pcap.out b/test/results/flow-info/default/KakaoTalk_chat.pcap.out
index dd73ed7ce..6409ff5d0 100644
--- a/test/results/flow-info/default/KakaoTalk_chat.pcap.out
+++ b/test/results/flow-info/default/KakaoTalk_chat.pcap.out
@@ -190,7 +190,7 @@
idle: [....12] [ip4][..udp] [...10.24.82.188][43077] -> [.....10.188.1.1][...53] [DNS.KakaoTalk][Unknown][Network][Acceptable]
idle: [....37] [ip4][..tcp] [...10.24.82.188][49217] -> [.216.58.220.174][..443] [TLS][Google][Web][Safe]
guessed: [....13] [ip4][..tcp] [...10.24.82.188][51021] -> [.103.246.57.251][.8080] [HTTP_Proxy][Unknown][Web][Acceptable][]
- RISK: Fully encrypted flow
+ RISK: Fully Encrypted Flow
idle: [....13] [ip4][..tcp] [...10.24.82.188][51021] -> [.103.246.57.251][.8080]
end: [....20] [ip4][..tcp] [...10.24.82.188][37821] -> [.210.103.240.15][..443] [TLS.KakaoTalk][Unknown][Chat][Acceptable]
RISK: Obsolete TLS (v1.1 or older), Weak TLS Cipher
@@ -214,7 +214,6 @@
guessed: [....14] [ip4][..tcp] [..216.58.221.10][...80] -> [...10.24.82.188][35922] [HTTP][Google][Web][Acceptable][]
end: [....14] [ip4][..tcp] [..216.58.221.10][...80] -> [...10.24.82.188][35922]
guessed: [....35] [ip4][..tcp] [..139.150.0.125][..443] -> [...10.24.82.188][46947] [TLS][Unknown][Web][Safe]
- RISK: Susp Entropy
idle: [....35] [ip4][..tcp] [..139.150.0.125][..443] -> [...10.24.82.188][46947]
idle: [.....8] [ip4][..udp] [...10.24.82.188][.9094] -> [.....10.188.1.1][...53] [DNS.KakaoTalk][Unknown][Network][Acceptable]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/Oscar.pcap.out b/test/results/flow-info/default/Oscar.pcap.out
index cc61de9c3..7a41b82fc 100644
--- a/test/results/flow-info/default/Oscar.pcap.out
+++ b/test/results/flow-info/default/Oscar.pcap.out
@@ -13,6 +13,7 @@
[PKTLENS.....: 64,46,40,355,50,40,605,40,92,130,40,56,1400,337,40,66,46,152,497,40,270,40,252,46,335,76,46,78,40,78,46,76]
[ENTROPIES...: 4.4,4.9,4.7,7.1,4.7,4.7,5.2,4.7,4.0,4.3,4.6,4.3,3.8,3.9,4.6,4.3,4.5,3.5,4.2,4.6,3.7,4.6,5.5,4.5,3.4,4.8,4.5,5.0,4.6,4.5,4.5,4.8]
guessed: [.....1] [ip4][..tcp] [.....10.30.29.3][63357] -> [.178.237.24.249][..443] [TLS][Unknown][Web][Safe]
- RISK: Fully encrypted flow
- idle: [.....1] [ip4][..tcp] [.....10.30.29.3][63357] -> [.178.237.24.249][..443]
+ RISK: Fully Encrypted Flow
+ idle: [.....1] [ip4][..tcp] [.....10.30.29.3][63357] -> [.178.237.24.249][..443] [TLS][Unknown][Web][Safe]
+ RISK: Fully Encrypted Flow
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/alexa-app.pcapng.out b/test/results/flow-info/default/alexa-app.pcapng.out
index c1a8768fe..848125ed4 100644
--- a/test/results/flow-info/default/alexa-app.pcapng.out
+++ b/test/results/flow-info/default/alexa-app.pcapng.out
@@ -39,6 +39,7 @@
detected: [....13] [ip4][..tcp] [..172.16.42.216][35540] -> [..172.217.9.142][...80] [HTTP.Google][Google][ConnCheck][Acceptable][connectivitycheck.android.com]
new: [....14] [ip4][.icmp] [....172.16.42.1] -> [..172.16.42.216]
detected: [....14] [ip4][.icmp] [....172.16.42.1] -> [..172.16.42.216] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
new: [....15] [ip4][..udp] [..172.16.42.216][48155] -> [....172.16.42.1][...53]
detected: [....15] [ip4][..udp] [..172.16.42.216][48155] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][www.amazon.com]
detection-update: [....15] [ip4][..udp] [..172.16.42.216][48155] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][www.amazon.com]
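Review bot: `RISK: Susp Entropy` is now asserted on flow 14, an ICMP flow from the gateway 172.16.42.1 to the host, and the same flag is carried through every later update/idle line of that flow in this file. If libnDPI now scores ICMP payload entropy that is a useful covert-channel (ICMP tunnelling) signal, but gateway-to-host ICMP is most likely ordinary echo or unreachable traffic, so this oracle is probably asserting a false positive; either way the behaviour is new with this bump and nothing in the commit explains it. Suggest checking which packets of flow 14 trigger it (the .out records only the flag, not the payload) before locking it in, and if it is intended, mentioning the ICMP entropy heuristic in the commit message so the fixture delta is traceable.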
@@ -241,6 +242,7 @@
detected: [....60] [ip4][..tcp] [..172.16.42.216][34041] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][mobileanalytics.us-east-1.amazonaws.com]
detection-update: [....60] [ip4][..tcp] [..172.16.42.216][34041] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][mobileanalytics.us-east-1.amazonaws.com]
update: [....14] [ip4][.icmp] [....172.16.42.1] -> [..172.16.42.216] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
update: [.....1] [ip6][icmp6] [.....................................::] -> [......................ff02::1:ffd3:fbc2] [ICMPV6][Unknown][Network][Acceptable]
update: [.....2] [ip6][icmp6] [.....................................::] -> [...............................ff02::16] [ICMPV6][Unknown][Network][Acceptable]
update: [.....5] [ip6][icmp6] [..............fe80::7af8:82ff:fed3:fbc2] -> [................................ff02::2] [ICMPV6][Unknown][Network][Acceptable]
@@ -439,6 +441,7 @@
ERROR-EVENT: Unknown packet type [1/16]
update: [....27] [ip4][..udp] [..172.16.42.216][54886] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable]
update: [....14] [ip4][.icmp] [....172.16.42.1] -> [..172.16.42.216] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
update: [....40] [ip4][..udp] [..172.16.42.216][43350] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable]
update: [.....1] [ip6][icmp6] [.....................................::] -> [......................ff02::1:ffd3:fbc2] [ICMPV6][Unknown][Network][Acceptable]
update: [.....2] [ip6][icmp6] [.....................................::] -> [...............................ff02::16] [ICMPV6][Unknown][Network][Acceptable]
@@ -566,11 +569,17 @@
new: [...123] [ip4][..tcp] [..172.16.42.216][51989] -> [....52.84.63.56][...80]
new: [...124] [ip4][..tcp] [..172.16.42.216][51990] -> [....52.84.63.56][...80]
detected: [...123] [ip4][..tcp] [..172.16.42.216][51989] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable][ecx.images-amazon.com]
+ RISK: Susp Entropy
detected: [...122] [ip4][..tcp] [..172.16.42.216][51988] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable][ecx.images-amazon.com]
+ RISK: Susp Entropy
detected: [...119] [ip4][..tcp] [..172.16.42.216][51985] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable][ecx.images-amazon.com]
+ RISK: Susp Entropy
detected: [...120] [ip4][..tcp] [..172.16.42.216][51986] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable][ecx.images-amazon.com]
+ RISK: Susp Entropy
detected: [...121] [ip4][..tcp] [..172.16.42.216][51987] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable][ecx.images-amazon.com]
+ RISK: Susp Entropy
detected: [...124] [ip4][..tcp] [..172.16.42.216][51990] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable][ecx.images-amazon.com]
+ RISK: Susp Entropy
analyse: [...120] [ip4][..tcp] [..172.16.42.216][51986] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.295| 0.052| 0.098| 9533.209| 3.000]
@@ -602,11 +611,17 @@
new: [...130] [ip4][..tcp] [..172.16.42.216][51996] -> [....52.84.63.56][...80]
new: [...131] [ip4][..tcp] [..172.16.42.216][51997] -> [....52.84.63.56][...80]
detected: [...126] [ip4][..tcp] [..172.16.42.216][51992] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable][ecx.images-amazon.com]
+ RISK: Susp Entropy
detected: [...128] [ip4][..tcp] [..172.16.42.216][51994] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable][ecx.images-amazon.com]
+ RISK: Susp Entropy
detected: [...129] [ip4][..tcp] [..172.16.42.216][51995] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable][ecx.images-amazon.com]
+ RISK: Susp Entropy
detected: [...127] [ip4][..tcp] [..172.16.42.216][51993] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable][ecx.images-amazon.com]
+ RISK: Susp Entropy
detected: [...130] [ip4][..tcp] [..172.16.42.216][51996] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable][ecx.images-amazon.com]
+ RISK: Susp Entropy
detected: [...131] [ip4][..tcp] [..172.16.42.216][51997] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable][ecx.images-amazon.com]
+ RISK: Susp Entropy
analyse: [...129] [ip4][..tcp] [..172.16.42.216][51995] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.179| 0.023| 0.044| 1924.322| 3.100]
@@ -619,6 +634,7 @@
[ENTROPIES...: 4.7,5.3,4.8,6.0,5.0,7.1,7.7,7.6,7.6,7.7,7.7,7.7,7.5,7.5,5.1,5.0,5.1,5.1,5.1,5.1,5.1,5.1,5.2,6.0,7.1,7.8,5.1,7.8,7.8,7.8,7.8,5.0]
update: [....27] [ip4][..udp] [..172.16.42.216][54886] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable]
update: [....14] [ip4][.icmp] [....172.16.42.1] -> [..172.16.42.216] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
update: [....21] [ip4][..udp] [..172.16.42.216][41030] -> [....172.16.42.1][...53] [DNS.AmazonAlexa][Unknown][Network][Acceptable]
update: [....40] [ip4][..udp] [..172.16.42.216][43350] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable]
update: [.....1] [ip6][icmp6] [.....................................::] -> [......................ff02::1:ffd3:fbc2] [ICMPV6][Unknown][Network][Acceptable]
@@ -669,6 +685,7 @@
RISK: Weak TLS Cipher
end: [....22] [ip4][..tcp] [..172.16.42.216][49572] -> [..52.94.232.134][...80] [HTTP.AmazonAlexa][AmazonAWS][VirtAssistant][Acceptable]
idle: [....14] [ip4][.icmp] [....172.16.42.1] -> [..172.16.42.216] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
idle: [....23] [ip6][icmp6] [..............fe80::7af8:82ff:fed3:fbc2] -> [...............................ff02::16] [ICMPV6][Unknown][Network][Acceptable]
idle: [.....5] [ip6][icmp6] [..............fe80::7af8:82ff:fed3:fbc2] -> [................................ff02::2] [ICMPV6][Unknown][Network][Acceptable]
end: [....25] [ip4][..tcp] [..172.16.42.216][38363] -> [..34.199.52.240][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable]
@@ -921,17 +938,29 @@
idle: [...143] [ip4][..tcp] [..172.16.42.216][50800] -> [..54.239.28.178][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable]
RISK: Weak TLS Cipher
end: [...119] [ip4][..tcp] [..172.16.42.216][51985] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
end: [...120] [ip4][..tcp] [..172.16.42.216][51986] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
end: [...121] [ip4][..tcp] [..172.16.42.216][51987] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
end: [...122] [ip4][..tcp] [..172.16.42.216][51988] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
end: [...123] [ip4][..tcp] [..172.16.42.216][51989] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
end: [...124] [ip4][..tcp] [..172.16.42.216][51990] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
end: [...126] [ip4][..tcp] [..172.16.42.216][51992] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
end: [...127] [ip4][..tcp] [..172.16.42.216][51993] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
end: [...128] [ip4][..tcp] [..172.16.42.216][51994] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
end: [...129] [ip4][..tcp] [..172.16.42.216][51995] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
end: [...130] [ip4][..tcp] [..172.16.42.216][51996] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
end: [...131] [ip4][..tcp] [..172.16.42.216][51997] -> [....52.84.63.56][...80] [HTTP.Amazon][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
idle: [.....3] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable]
idle: [....58] [ip4][....2] [........0.0.0.0] -> [......224.0.0.1] [IGMP][Unknown][Network][Acceptable]
end: [....76] [ip4][..tcp] [..172.16.42.216][49613] -> [..52.94.232.134][...80] [HTTP.AmazonAlexa][AmazonAWS][VirtAssistant][Acceptable]
diff --git a/test/results/flow-info/default/android.pcap.out b/test/results/flow-info/default/android.pcap.out
index 443fccef6..81ded9b22 100644
--- a/test/results/flow-info/default/android.pcap.out
+++ b/test/results/flow-info/default/android.pcap.out
@@ -112,6 +112,7 @@
detected: [....41] [ip4][..udp] [...192.168.2.16][40580] -> [....192.168.2.1][...53] [DNS.Google][Unknown][Network][Acceptable][www.google.com]
detection-update: [....41] [ip4][..udp] [...192.168.2.16][40580] -> [....192.168.2.1][...53] [DNS.Google][Unknown][Network][Acceptable][www.google.com]
detected: [....39] [ip4][..tcp] [...192.168.2.16][36834] -> [.173.194.79.114][...80] [HTTP.DataSaver][Google][Web][Fun][check.googlezip.net]
+ RISK: Susp Entropy
detection-update: [....38] [ip4][..tcp] [...192.168.2.16][32990] -> [.216.239.38.120][..443] [TLS.PlayStore][Google][SoftwareUpdate][Safe][android.clients.google.com]
RISK: TLS (probably) Not Carrying HTTPS
detection-update: [....34] [ip4][..tcp] [...192.168.2.16][32986] -> [.216.239.38.120][..443] [TLS.PlayStore][Google][SoftwareUpdate][Safe][android.clients.google.com]
@@ -158,6 +159,7 @@
detection-update: [....54] [ip4][..udp] [...192.168.2.16][18379] -> [....192.168.2.1][...53] [DNS.DataSaver][Unknown][Network][Fun][datasaver.googleapis.com]
new: [....55] [ip4][..tcp] [...192.168.2.16][51944] -> [.172.217.21.202][..443]
detected: [....52] [ip4][..tcp] [...192.168.2.16][36848] -> [.173.194.79.114][...80] [HTTP.DataSaver][Google][Web][Fun][check.googlezip.net]
+ RISK: Susp Entropy
new: [....56] [ip4][..udp] [...192.168.2.16][10677] -> [....192.168.2.1][...53]
detected: [....56] [ip4][..udp] [...192.168.2.16][10677] -> [....192.168.2.1][...53] [DNS.DataSaver][Unknown][Network][Fun][proxy.googlezip.net]
detection-update: [....56] [ip4][..udp] [...192.168.2.16][10677] -> [....192.168.2.1][...53] [DNS.DataSaver][Unknown][Network][Fun][proxy.googlezip.net]
@@ -242,7 +244,9 @@
idle: [.....9] [ip4][..udp] [....192.168.2.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
idle: [....50] [ip4][..udp] [...192.168.2.16][33240] -> [....192.168.2.1][...53] [DNS.DataSaver][Unknown][Network][Fun]
end: [....39] [ip4][..tcp] [...192.168.2.16][36834] -> [.173.194.79.114][...80] [HTTP.DataSaver][Google][Web][Fun]
+ RISK: Susp Entropy
idle: [....52] [ip4][..tcp] [...192.168.2.16][36848] -> [.173.194.79.114][...80] [HTTP.DataSaver][Google][Web][Fun]
+ RISK: Susp Entropy
guessed: [....53] [ip4][..tcp] [...192.168.2.16][36850] -> [.173.194.79.114][...80] [HTTP][Google][Web][Acceptable][]
idle: [....53] [ip4][..tcp] [...192.168.2.16][36850] -> [.173.194.79.114][...80]
idle: [.....7] [ip4][..udp] [....192.168.2.1][57621] -> [..192.168.2.255][57621] [Spotify][Unknown][Music][Fun]
diff --git a/test/results/flow-info/default/atg.pcap.out b/test/results/flow-info/default/atg.pcap.out
new file mode 100644
index 000000000..152b78b30
--- /dev/null
+++ b/test/results/flow-info/default/atg.pcap.out
@@ -0,0 +1,10 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..tcp] [..192.168.0.105][.3134] -> [..20.108.25.119][10001] [MIDSTREAM]
+ detected: [.....1] [ip4][..tcp] [..192.168.0.105][.3134] -> [..20.108.25.119][10001] [ATG][Azure][IoT-Scada][Acceptable]
+ new: [.....2] [ip4][..tcp] [..192.168.0.105][.3148] -> [..20.108.25.119][10001]
+ detected: [.....2] [ip4][..tcp] [..192.168.0.105][.3148] -> [..20.108.25.119][10001] [ATG][Azure][IoT-Scada][Acceptable]
+ end: [.....1] [ip4][..tcp] [..192.168.0.105][.3134] -> [..20.108.25.119][10001] [ATG][Azure][IoT-Scada][Acceptable]
+ idle: [.....2] [ip4][..tcp] [..192.168.0.105][.3148] -> [..20.108.25.119][10001] [ATG][Azure][IoT-Scada][Acceptable]
+ DAEMON-EVENT: shutdown
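Review bot: The new fixture asserts that an ATG session (tank-gauge protocol, TCP/10001) from 192.168.0.105 to the public Azure address 20.108.25.119 is categorised IoT-Scada and `Acceptable` with no risk on either flow, including flow 1 which is only picked up `[MIDSTREAM]`. ATG is an unauthenticated plaintext command protocol, and an industrial device speaking it across the internet is exactly the pattern a monitoring deployment wants surfaced, so it is worth checking whether libnDPI is expected to attach one of its unsafe-protocol risks here and this capture simply predates that, or whether breed `Acceptable` is the intended baseline. If the latter is deliberate the fixture is fine as-is; the point is only that regenerating it silently freezes the no-risk outcome.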
diff --git a/test/results/flow-info/default/bfcp.pcapng.out b/test/results/flow-info/default/bfcp.pcapng.out
new file mode 100644
index 000000000..8fe1ee555
--- /dev/null
+++ b/test/results/flow-info/default/bfcp.pcapng.out
@@ -0,0 +1,12 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..tcp] [......127.0.0.1][44450] -> [......127.0.0.1][.5070]
+ detected: [.....1] [ip4][..tcp] [......127.0.0.1][44450] -> [......127.0.0.1][.5070] [BFCP][Unknown][Video][Acceptable]
+ DAEMON-EVENT: [Processed: 11 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....2] [ip4][..udp] [......127.0.0.1][47706] -> [......127.0.0.1][.5070]
+ detected: [.....2] [ip4][..udp] [......127.0.0.1][47706] -> [......127.0.0.1][.5070] [BFCP][Unknown][Video][Acceptable]
+ end: [.....1] [ip4][..tcp] [......127.0.0.1][44450] -> [......127.0.0.1][.5070] [BFCP][Unknown][Video][Acceptable]
+ idle: [.....2] [ip4][..udp] [......127.0.0.1][47706] -> [......127.0.0.1][.5070] [BFCP][Unknown][Video][Acceptable]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/bt-http.pcapng.out b/test/results/flow-info/default/bt-http.pcapng.out
index 32bfd2319..0fe35eb9f 100644
--- a/test/results/flow-info/default/bt-http.pcapng.out
+++ b/test/results/flow-info/default/bt-http.pcapng.out
@@ -3,5 +3,7 @@
DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....1] [ip4][..tcp] [..192.168.1.128][46882] -> [.176.31.225.118][...80]
detected: [.....1] [ip4][..tcp] [..192.168.1.128][46882] -> [.176.31.225.118][...80] [HTTP.BitTorrent][Unknown][Download][Acceptable][tracker.trackerfix.com]
+ RISK: Susp Entropy
end: [.....1] [ip4][..tcp] [..192.168.1.128][46882] -> [.176.31.225.118][...80] [HTTP.BitTorrent][Unknown][Download][Acceptable]
+ RISK: Susp Entropy
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/cloudflare-warp.pcap.out b/test/results/flow-info/default/cloudflare-warp.pcap.out
index 6062efd15..867e553bc 100644
--- a/test/results/flow-info/default/cloudflare-warp.pcap.out
+++ b/test/results/flow-info/default/cloudflare-warp.pcap.out
@@ -5,9 +5,9 @@
new: [.....2] [ip4][..tcp] [.......10.8.0.1][42344] -> [..159.138.85.48][.5223]
detected: [.....2] [ip4][..tcp] [.......10.8.0.1][42344] -> [..159.138.85.48][.5223] [Jabber][Unknown][Web][Acceptable]
new: [.....3] [ip4][..tcp] [.......10.8.0.1][40214] -> [..157.240.16.32][..443]
- detected: [.....3] [ip4][..tcp] [.......10.8.0.1][40214] -> [..157.240.16.32][..443] [TLS.Messenger][Facebook][Chat][Acceptable][mqtt-mini.facebook.com]
+ detected: [.....3] [ip4][..tcp] [.......10.8.0.1][40214] -> [..157.240.16.32][..443] [TLS.FacebookMessenger][Facebook][Chat][Acceptable][mqtt-mini.facebook.com]
RISK: TLS (probably) Not Carrying HTTPS
- detection-update: [.....3] [ip4][..tcp] [.......10.8.0.1][40214] -> [..157.240.16.32][..443] [TLS.Messenger][Facebook][Chat][Acceptable][mqtt-mini.facebook.com]
+ detection-update: [.....3] [ip4][..tcp] [.......10.8.0.1][40214] -> [..157.240.16.32][..443] [TLS.FacebookMessenger][Facebook][Chat][Acceptable][mqtt-mini.facebook.com]
RISK: TLS (probably) Not Carrying HTTPS
new: [.....4] [ip4][..tcp] [..10.158.134.93][40454] -> [..216.58.196.68][..443] [MIDSTREAM]
new: [.....5] [ip4][..tcp] [.......10.8.0.1][45606] -> [..104.18.47.234][..443]
@@ -19,6 +19,10 @@
detected: [.....7] [ip4][..tcp] [.......10.8.0.1][51296] -> [142.250.183.163][..443] [TLS.GoogleServices][Google][Web][Acceptable][crashlyticsreports-pa.googleapis.com]
detection-update: [.....6] [ip4][..tcp] [.......10.8.0.1][45610] -> [..104.18.47.234][..443] [TLS.CloudflareWarp][Cloudflare][VPN][Acceptable][api.cloudflareclient.com]
new: [.....8] [ip4][..tcp] [.......10.8.0.1][43600] -> [172.217.194.188][.5228]
+ DAEMON-EVENT: [Processed: 63 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 8 / 8|skipped: 0|!detected: 0|guessed: 0|detection-updates: 3|updates: 0]
+ new: [.....9] [ip4][..udp] [...192.168.1.84][60555] -> [..162.159.192.7][.2408]
+ detected: [.....9] [ip4][..udp] [...192.168.1.84][60555] -> [..162.159.192.7][.2408] [CloudflareWarp][CloudflareWarp][VPN][Acceptable]
guessed: [.....8] [ip4][..tcp] [.......10.8.0.1][43600] -> [172.217.194.188][.5228] [Google][Google][Web][Acceptable]
idle: [.....8] [ip4][..tcp] [.......10.8.0.1][43600] -> [172.217.194.188][.5228]
guessed: [.....4] [ip4][..tcp] [..10.158.134.93][40454] -> [..216.58.196.68][..443] [TLS][Google][Web][Safe]
@@ -30,6 +34,7 @@
idle: [.....7] [ip4][..tcp] [.......10.8.0.1][51296] -> [142.250.183.163][..443] [TLS.GoogleServices][Google][Web][Acceptable]
idle: [.....5] [ip4][..tcp] [.......10.8.0.1][45606] -> [..104.18.47.234][..443] [TLS.CloudflareWarp][Cloudflare][VPN][Acceptable]
idle: [.....6] [ip4][..tcp] [.......10.8.0.1][45610] -> [..104.18.47.234][..443] [TLS.CloudflareWarp][Cloudflare][VPN][Acceptable]
- idle: [.....3] [ip4][..tcp] [.......10.8.0.1][40214] -> [..157.240.16.32][..443] [TLS.Messenger][Facebook][Chat][Acceptable]
+ idle: [.....9] [ip4][..udp] [...192.168.1.84][60555] -> [..162.159.192.7][.2408] [CloudflareWarp][CloudflareWarp][VPN][Acceptable]
+ idle: [.....3] [ip4][..tcp] [.......10.8.0.1][40214] -> [..157.240.16.32][..443] [TLS.FacebookMessenger][Facebook][Chat][Acceptable]
RISK: TLS (probably) Not Carrying HTTPS
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/cnp_ip.pcapng.out b/test/results/flow-info/default/cnp_ip.pcapng.out
new file mode 100644
index 000000000..135f45aa1
--- /dev/null
+++ b/test/results/flow-info/default/cnp_ip.pcapng.out
@@ -0,0 +1,7 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..udp] [......127.0.0.1][39819] -> [......127.0.0.1][.1628]
+ detected: [.....1] [ip4][..udp] [......127.0.0.1][39819] -> [......127.0.0.1][.1628] [CNP-IP][Unknown][IoT-Scada][Acceptable]
+ idle: [.....1] [ip4][..udp] [......127.0.0.1][39819] -> [......127.0.0.1][.1628] [CNP-IP][Unknown][IoT-Scada][Acceptable]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/codm.pcap.out b/test/results/flow-info/default/codm.pcap.out
new file mode 100644
index 000000000..f3729a549
--- /dev/null
+++ b/test/results/flow-info/default/codm.pcap.out
@@ -0,0 +1,19 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..tcp] [...10.215.173.1][45028] -> [...49.51.177.25][.8013]
+ detected: [.....1] [ip4][..tcp] [...10.215.173.1][45028] -> [...49.51.177.25][.8013] [TLS.CoD_Mobile][Tencent][Game][Fun][west-tdm.codmwest.com]
+ RISK: Known Proto on Non Std Port
+ detection-update: [.....1] [ip4][..tcp] [...10.215.173.1][45028] -> [...49.51.177.25][.8013] [TLS.CoD_Mobile][Tencent][Game][Fun][west-tdm.codmwest.com]
+ RISK: Known Proto on Non Std Port
+ new: [.....2] [ip4][..udp] [...10.215.173.1][40282] -> [.23.248.172.158][.7500]
+ detected: [.....2] [ip4][..udp] [...10.215.173.1][40282] -> [.23.248.172.158][.7500] [CoD_Mobile][Unknown][Game][Fun]
+ DAEMON-EVENT: [Processed: 9 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 2 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0]
+ new: [.....3] [ip4][..udp] [...10.215.173.1][38704] -> [...43.131.34.20][.7948]
+ detected: [.....3] [ip4][..udp] [...10.215.173.1][38704] -> [...43.131.34.20][.7948] [CoD_Mobile][Tencent][Game][Fun]
+ idle: [.....3] [ip4][..udp] [...10.215.173.1][38704] -> [...43.131.34.20][.7948] [CoD_Mobile][Tencent][Game][Fun]
+ idle: [.....1] [ip4][..tcp] [...10.215.173.1][45028] -> [...49.51.177.25][.8013] [TLS.CoD_Mobile][Tencent][Game][Fun]
+ RISK: Known Proto on Non Std Port
+ idle: [.....2] [ip4][..udp] [...10.215.173.1][40282] -> [.23.248.172.158][.7500] [CoD_Mobile][Unknown][Game][Fun]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/conncheck.pcap.out b/test/results/flow-info/default/conncheck.pcap.out
new file mode 100644
index 000000000..62cb5f860
--- /dev/null
+++ b/test/results/flow-info/default/conncheck.pcap.out
@@ -0,0 +1,35 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..udp] [......10.1.0.60][46571] -> [.......10.1.0.1][...53]
+ detected: [.....1] [ip4][..udp] [......10.1.0.60][46571] -> [.......10.1.0.1][...53] [DNS][Unknown][Network][Acceptable][conn-service-eu-04.allawnos.com]
+ detection-update: [.....1] [ip4][..udp] [......10.1.0.60][46571] -> [.......10.1.0.1][...53] [DNS][Unknown][Network][Acceptable][conn-service-eu-04.allawnos.com]
+ new: [.....2] [ip4][..tcp] [......10.1.0.60][49642] -> [142.250.180.163][...80]
+ detected: [.....2] [ip4][..tcp] [......10.1.0.60][49642] -> [142.250.180.163][...80] [HTTP.Google][Google][ConnCheck][Acceptable][www.google.eu]
+ new: [.....3] [ip4][..tcp] [......10.1.0.60][49656] -> [142.250.180.163][...80]
+ detected: [.....3] [ip4][..tcp] [......10.1.0.60][49656] -> [142.250.180.163][...80] [HTTP.Google][Google][ConnCheck][Acceptable][www.google.eu]
+ new: [.....4] [ip4][..tcp] [......10.1.0.60][49658] -> [142.250.180.163][...80]
+ new: [.....5] [ip4][..tcp] [......10.1.0.60][38008] -> [.92.123.101.121][...80]
+ detected: [.....4] [ip4][..tcp] [......10.1.0.60][49658] -> [142.250.180.163][...80] [HTTP.Google][Google][ConnCheck][Acceptable][www.google.eu]
+ detected: [.....5] [ip4][..tcp] [......10.1.0.60][38008] -> [.92.123.101.121][...80] [HTTP][Unknown][ConnCheck][Acceptable][conn-service-eu-04.allawnos.com]
+ new: [.....6] [ip4][..tcp] [......10.1.0.60][49672] -> [142.250.180.163][...80]
+ new: [.....7] [ip4][..tcp] [......10.1.0.60][46980] -> [.92.123.101.153][...80]
+ detected: [.....6] [ip4][..tcp] [......10.1.0.60][49672] -> [142.250.180.163][...80] [HTTP.Google][Google][ConnCheck][Acceptable][www.google.eu]
+ detected: [.....7] [ip4][..tcp] [......10.1.0.60][46980] -> [.92.123.101.153][...80] [HTTP][Unknown][ConnCheck][Acceptable][conn-service-eu-04.allawnos.com]
+ new: [.....8] [ip4][..tcp] [......10.1.0.60][38024] -> [.92.123.101.121][...80]
+ detected: [.....8] [ip4][..tcp] [......10.1.0.60][38024] -> [.92.123.101.121][...80] [HTTP][Unknown][ConnCheck][Acceptable][conn-service-eu-04.allawnos.com]
+ new: [.....9] [ip4][..tcp] [......10.1.0.60][49674] -> [142.250.180.163][...80]
+ detected: [.....9] [ip4][..tcp] [......10.1.0.60][49674] -> [142.250.180.163][...80] [HTTP.Google][Google][ConnCheck][Acceptable][www.google.eu]
+ new: [....10] [ip4][..tcp] [......10.1.0.70][54612] -> [142.250.180.138][...80]
+ detected: [....10] [ip4][..tcp] [......10.1.0.70][54612] -> [142.250.180.138][...80] [HTTP.GoogleServices][Google][ConnCheck][Acceptable][play.googleapis.com]
+ idle: [.....1] [ip4][..udp] [......10.1.0.60][46571] -> [.......10.1.0.1][...53] [DNS][Unknown][Network][Acceptable]
+ end: [.....5] [ip4][..tcp] [......10.1.0.60][38008] -> [.92.123.101.121][...80] [HTTP.ntop][Unknown][ConnCheck][Safe]
+ idle: [....10] [ip4][..tcp] [......10.1.0.70][54612] -> [142.250.180.138][...80] [HTTP.GoogleServices][Google][ConnCheck][Acceptable]
+ idle: [.....8] [ip4][..tcp] [......10.1.0.60][38024] -> [.92.123.101.121][...80] [HTTP][Unknown][ConnCheck][Acceptable]
+ end: [.....7] [ip4][..tcp] [......10.1.0.60][46980] -> [.92.123.101.153][...80] [HTTP.ntop][Unknown][ConnCheck][Safe]
+ end: [.....2] [ip4][..tcp] [......10.1.0.60][49642] -> [142.250.180.163][...80] [HTTP.ntop][Google][ConnCheck][Safe]
+ end: [.....3] [ip4][..tcp] [......10.1.0.60][49656] -> [142.250.180.163][...80] [HTTP.ntop][Google][ConnCheck][Safe]
+ end: [.....4] [ip4][..tcp] [......10.1.0.60][49658] -> [142.250.180.163][...80] [HTTP.ntop][Google][ConnCheck][Safe]
+ end: [.....6] [ip4][..tcp] [......10.1.0.60][49672] -> [142.250.180.163][...80] [HTTP.ntop][Google][ConnCheck][Safe]
+ idle: [.....9] [ip4][..tcp] [......10.1.0.60][49674] -> [142.250.180.163][...80] [HTTP.Google][Google][ConnCheck][Acceptable]
+ DAEMON-EVENT: shutdown
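Review bot: The `end:` lines for flows 2–7 in this new expected output report `[HTTP.ntop][...][ConnCheck][Safe]`, while the last classification event for the same flows (`detected:`, e.g. flow 2 with `www.google.eu`) reports `[HTTP.Google][Google][ConnCheck][Acceptable]` and no `detection-update:` event appears in between. If the final protocol and risk-score change are intended, the oracle silently encodes a classification switch that is never announced as an event, which a consumer of the event stream cannot observe. Please confirm whether a `detection-update:` line was expected here before freezing this file as the reference output, and note the mismatch in the commit message if it is known daemon behaviour.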
diff --git a/test/results/flow-info/default/dns-exf.pcap.out b/test/results/flow-info/default/dns-exf.pcap.out
index e41b0d900..f1ab07fe3 100644
--- a/test/results/flow-info/default/dns-exf.pcap.out
+++ b/test/results/flow-info/default/dns-exf.pcap.out
@@ -3,9 +3,9 @@
DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....1] [ip4][..udp] [..192.168.2.225][45290] -> [..192.168.2.134][...53]
detected: [.....1] [ip4][..udp] [..192.168.2.225][45290] -> [..192.168.2.134][...53] [DNS][Unknown][Network][Acceptable][4sicn03_2qaa3rlc3qudhh0aavjycxwakjehelu5klueow0zjxulgage-.4s2fgaaaa__-.test.txt]
- RISK: Susp DNS Traffic, Non-Printable/Invalid Chars Detected
+ RISK: Susp DNS Traffic, Susp Entropy, Non-Printable/Invalid Chars Detected
detection-update: [.....1] [ip4][..udp] [..192.168.2.225][45290] -> [..192.168.2.134][...53] [DNS][Unknown][Network][Acceptable][4sicn03_2qaa3rlc3qudhh0aavjycxwakjehelu5klueow0zjxulgage-.4s2fgaaaa__-.test.txt]
- RISK: Susp DNS Traffic, Non-Printable/Invalid Chars Detected, Minor Issues
+ RISK: Susp DNS Traffic, Susp Entropy, Non-Printable/Invalid Chars Detected, Minor Issues
idle: [.....1] [ip4][..udp] [..192.168.2.225][45290] -> [..192.168.2.134][...53] [DNS][Unknown][Network][Acceptable]
- RISK: Susp DNS Traffic, Non-Printable/Invalid Chars Detected, Minor Issues
+ RISK: Susp DNS Traffic, Susp Entropy, Non-Printable/Invalid Chars Detected, Minor Issues
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/dotenv.pcap.out b/test/results/flow-info/default/dotenv.pcap.out
index 448aa097d..504e8bcec 100644
--- a/test/results/flow-info/default/dotenv.pcap.out
+++ b/test/results/flow-info/default/dotenv.pcap.out
@@ -5,7 +5,7 @@
detected: [.....1] [ip4][..tcp] [..192.168.2.198][51327] -> [....89.31.76.10][...80] [HTTP][Unknown][Web][Acceptable][sevenpitaly.com]
RISK: Possible Exploit Attempt
detection-update: [.....1] [ip4][..tcp] [..192.168.2.198][51327] -> [....89.31.76.10][...80] [HTTP][Unknown][Download][Acceptable][sevenpitaly.com]
- RISK: Possible Exploit Attempt, Error Code, Binary file/data transfer (attempt)
+ RISK: Possible Exploit Attempt, Error Code, Binary File/Data Transfer (Attempt)
end: [.....1] [ip4][..tcp] [..192.168.2.198][51327] -> [....89.31.76.10][...80] [HTTP][Unknown][Download][Acceptable]
- RISK: Possible Exploit Attempt, Error Code, Binary file/data transfer (attempt)
+ RISK: Possible Exploit Attempt, Error Code, Binary File/Data Transfer (Attempt)
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/dtls.pcap.out b/test/results/flow-info/default/dtls.pcap.out
index 400cb06a0..cc3a903be 100644
--- a/test/results/flow-info/default/dtls.pcap.out
+++ b/test/results/flow-info/default/dtls.pcap.out
@@ -6,6 +6,21 @@
RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
detection-update: [.....1] [ip4][..udp] [.192.168.13.203][40739] -> [..192.168.13.57][56515] [DTLS][Unknown][Web][Safe]
RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Unidirectional Traffic
+ DAEMON-EVENT: [Processed: 2 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0]
+ ERROR-EVENT: Unknown packet type [1/16]
+ ERROR-EVENT: Unknown packet type [2/16]
+ ERROR-EVENT: Unknown packet type [3/16]
+ ERROR-EVENT: Unknown packet type [4/16]
+ DAEMON-EVENT: [Processed: 2 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0]
+ new: [.....2] [ip4][..udp] [......127.0.0.1][40983] -> [......127.0.0.1][11111]
+ detected: [.....2] [ip4][..udp] [......127.0.0.1][40983] -> [......127.0.0.1][11111] [DTLS][Unknown][Web][Safe]
+ RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
+ detection-update: [.....2] [ip4][..udp] [......127.0.0.1][40983] -> [......127.0.0.1][11111] [DTLS][Unknown][Web][Safe]
+ RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
+ idle: [.....2] [ip4][..udp] [......127.0.0.1][40983] -> [......127.0.0.1][11111] [DTLS][Unknown][Web][Safe]
+ RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
idle: [.....1] [ip4][..udp] [.192.168.13.203][40739] -> [..192.168.13.57][56515] [DTLS][Unknown][Web][Safe]
RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Unidirectional Traffic
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/egd.pcapng.out b/test/results/flow-info/default/egd.pcapng.out
new file mode 100644
index 000000000..483d94a81
--- /dev/null
+++ b/test/results/flow-info/default/egd.pcapng.out
@@ -0,0 +1,7 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..udp] [...192.168.8.77][18246] -> [..192.168.8.169][18246]
+ detected: [.....1] [ip4][..udp] [...192.168.8.77][18246] -> [..192.168.8.169][18246] [EthernetGlobalData][Unknown][IoT-Scada][Acceptable]
+ idle: [.....1] [ip4][..udp] [...192.168.8.77][18246] -> [..192.168.8.169][18246] [EthernetGlobalData][Unknown][IoT-Scada][Acceptable]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/emotet.pcap.out b/test/results/flow-info/default/emotet.pcap.out
index b04634f07..63d781cd1 100644
--- a/test/results/flow-info/default/emotet.pcap.out
+++ b/test/results/flow-info/default/emotet.pcap.out
@@ -33,7 +33,7 @@
new: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80]
detected: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80] [HTTP][Unknown][Web][Acceptable][gandhitoday.org]
detection-update: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80] [HTTP][Unknown][Download][Acceptable][gandhitoday.org]
- RISK: Binary App Transfer, Binary file/data transfer (attempt)
+ RISK: Binary App Transfer, Binary File/Data Transfer (Attempt)
idle: [.....2] [ip4][..tcp] [....10.3.29.101][56309] -> [.104.161.127.22][...80] [HTTP][Unknown][Web][Acceptable]
DAEMON-EVENT: [Processed: 122 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 1 / 3|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0]
@@ -41,9 +41,9 @@
detected: [.....4] [ip4][..tcp] [....10.4.25.101][49797] -> [..77.105.36.156][...80] [HTTP][Unknown][Web][Acceptable][filmmogzivota.rs]
RISK: HTTP Susp User-Agent
detection-update: [.....4] [ip4][..tcp] [....10.4.25.101][49797] -> [..77.105.36.156][...80] [HTTP][Unknown][Download][Acceptable][filmmogzivota.rs]
- RISK: Binary App Transfer, HTTP Susp User-Agent, Binary file/data transfer (attempt)
+ RISK: Binary App Transfer, HTTP Susp User-Agent, Binary File/Data Transfer (Attempt)
idle: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80] [HTTP][Unknown][Download][Acceptable]
- RISK: Binary App Transfer, Binary file/data transfer (attempt)
+ RISK: Binary App Transfer, Binary File/Data Transfer (Attempt)
new: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443]
detected: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] [TLS][Unknown][Web][Safe][]
RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
@@ -55,7 +55,7 @@
detection-update: [.....6] [ip4][..tcp] [....10.4.25.101][49804] -> [138.197.147.101][..443] [TLS][Unknown][Web][Safe][]
RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
idle: [.....4] [ip4][..tcp] [....10.4.25.101][49797] -> [..77.105.36.156][...80] [HTTP][Unknown][Download][Acceptable]
- RISK: Binary App Transfer, HTTP Susp User-Agent, Binary file/data transfer (attempt)
+ RISK: Binary App Transfer, HTTP Susp User-Agent, Binary File/Data Transfer (Attempt)
idle: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] [TLS][Unknown][Web][Safe]
RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
end: [.....6] [ip4][..tcp] [....10.4.25.101][49804] -> [138.197.147.101][..443] [TLS][Unknown][Web][Safe]
diff --git a/test/results/flow-info/default/exe_download.pcap.out b/test/results/flow-info/default/exe_download.pcap.out
index aa74f9c93..f0318b847 100644
--- a/test/results/flow-info/default/exe_download.pcap.out
+++ b/test/results/flow-info/default/exe_download.pcap.out
@@ -5,7 +5,7 @@
detected: [.....1] [ip4][..tcp] [....10.9.25.101][49165] -> [..144.91.69.195][...80] [HTTP][Unknown][Web][Acceptable][144.91.69.195]
RISK: HTTP Susp User-Agent, HTTP/TLS/QUIC Numeric Hostname/SNI
detection-update: [.....1] [ip4][..tcp] [....10.9.25.101][49165] -> [..144.91.69.195][...80] [HTTP][Unknown][Download][Acceptable][144.91.69.195]
- RISK: Binary App Transfer, HTTP Susp User-Agent, HTTP/TLS/QUIC Numeric Hostname/SNI, HTTP Obsolete Server, Binary file/data transfer (attempt)
+ RISK: Binary App Transfer, HTTP Susp User-Agent, HTTP/TLS/QUIC Numeric Hostname/SNI, HTTP Obsolete Server, Binary File/Data Transfer (Attempt)
idle: [.....1] [ip4][..tcp] [....10.9.25.101][49165] -> [..144.91.69.195][...80] [HTTP][Unknown][Download][Acceptable]
- RISK: Binary App Transfer, HTTP Susp User-Agent, HTTP/TLS/QUIC Numeric Hostname/SNI, HTTP Obsolete Server, Binary file/data transfer (attempt)
+ RISK: Binary App Transfer, HTTP Susp User-Agent, HTTP/TLS/QUIC Numeric Hostname/SNI, HTTP Obsolete Server, Binary File/Data Transfer (Attempt)
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/false_positives.pcapng.out b/test/results/flow-info/default/false_positives.pcapng.out
new file mode 100644
index 000000000..d2a0dbfcd
--- /dev/null
+++ b/test/results/flow-info/default/false_positives.pcapng.out
@@ -0,0 +1,47 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ ERROR-EVENT: Unknown packet type [1/16]
+ ERROR-EVENT: Unknown packet type [2/16]
+ ERROR-EVENT: Unknown packet type [3/16]
+ ERROR-EVENT: Unknown packet type [4/16]
+ ERROR-EVENT: Unknown packet type [5/16]
+ ERROR-EVENT: Unknown packet type [6/16]
+ ERROR-EVENT: Unknown packet type [7/16]
+ ERROR-EVENT: Unknown packet type [8/16]
+ ERROR-EVENT: Unknown packet type [9/16]
+ ERROR-EVENT: Unknown packet type [10/16]
+ ERROR-EVENT: Unknown packet type [11/16]
+ ERROR-EVENT: Unknown packet type [12/16]
+ ERROR-EVENT: Unknown packet type [13/16]
+ ERROR-EVENT: Unknown packet type [14/16]
+ ERROR-EVENT: Unknown packet type [15/16]
+ ERROR-EVENT: Unknown packet type [16/16]
+ new: [.....1] [ip4][..udp] [...10.126.70.67][23784] -> [...10.236.7.225][50160]
+ detected: [.....1] [ip4][..udp] [...10.126.70.67][23784] -> [...10.236.7.225][50160] [RTP][Unknown][Media][Acceptable]
+ DAEMON-EVENT: [Processed: 30 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ ERROR-EVENT: Unknown packet type [1/16]
+ ERROR-EVENT: Unknown packet type [2/16]
+ ERROR-EVENT: Unknown packet type [3/16]
+ ERROR-EVENT: Unknown packet type [4/16]
+ ERROR-EVENT: Unknown packet type [5/16]
+ ERROR-EVENT: Unknown packet type [6/16]
+ ERROR-EVENT: Unknown packet type [7/16]
+ ERROR-EVENT: Unknown packet type [8/16]
+ ERROR-EVENT: Unknown packet type [9/16]
+ ERROR-EVENT: Unknown packet type [10/16]
+ ERROR-EVENT: Unknown packet type [11/16]
+ ERROR-EVENT: Unknown packet type [12/16]
+ ERROR-EVENT: Unknown packet type [13/16]
+ ERROR-EVENT: Unknown packet type [14/16]
+ ERROR-EVENT: Unknown packet type [15/16]
+ ERROR-EVENT: Unknown packet type [16/16]
+ DAEMON-EVENT: [Processed: 30 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....2] [ip4][..udp] [.192.168.12.156][37649] -> [..57.128.172.97][.9981]
+ idle: [.....1] [ip4][..udp] [...10.126.70.67][23784] -> [...10.236.7.225][50160] [RTP][Unknown][Media][Acceptable]
+ not-detected: [.....2] [ip4][..udp] [.192.168.12.156][37649] -> [..57.128.172.97][.9981] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
+ idle: [.....2] [ip4][..udp] [.192.168.12.156][37649] -> [..57.128.172.97][.9981]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/ftp.pcap.out b/test/results/flow-info/default/ftp.pcap.out
index e34743ca0..09c73721c 100644
--- a/test/results/flow-info/default/ftp.pcap.out
+++ b/test/results/flow-info/default/ftp.pcap.out
@@ -28,7 +28,7 @@
[PKTLENS.....: 64,60,52,1492,64,1492,52,1492,52,1492,1492,52,1492,52,1492,1492,1492,52,52,1492,1492,52,1492,52,1492,1492,52,52,1492,52,1492,1492]
[ENTROPIES...: 4.3,5.3,4.9,0.4,5.0,0.4,5.0,0.4,4.8,0.4,0.4,4.9,0.4,4.8,0.4,0.4,0.4,4.9,4.8,0.4,0.4,4.9,0.4,4.8,0.4,0.4,5.2,5.0,0.4,4.8,0.4,0.4]
not-detected: [.....3] [ip4][..tcp] [..192.168.1.212][50696] -> [...90.130.70.73][24523] [Unknown][Unknown][Unrated]
- idle: [.....3] [ip4][..tcp] [..192.168.1.212][50696] -> [...90.130.70.73][24523]
+ idle: [.....3] [ip4][..tcp] [..192.168.1.212][50696] -> [...90.130.70.73][24523] [Unknown][Unknown][Unrated]
end: [.....1] [ip4][..tcp] [..192.168.1.212][50694] -> [...90.130.70.73][...21] [FTP_CONTROL][Unknown][Download][Unsafe]
RISK: Unsafe Protocol, Clear-Text Credentials
end: [.....2] [ip4][..tcp] [..192.168.1.212][50695] -> [...90.130.70.73][25685] [FTP_DATA][Unknown][Download][Acceptable]
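Review bot: The changed `idle:` line for not-detected flow 3 now carries the `[Unknown][Unknown][Unrated]` suffix, but `idle:` lines for other not-detected flows in this same commit do not — see flow 2 in the new false_positives.pcapng.out (`idle: [.....2] ... [.9981]` with no suffix) and the unchanged flow 162 context in fuzz-2006-06-26-2594.pcap.out. The only visible difference is that those flows carry a `RISK:` line and this one does not, so the suffix may depend on risk state rather than being a deliberate format change. Worth confirming the rule, since an inconsistent idle-line format makes the expected outputs harder to diff and parse.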
diff --git a/test/results/flow-info/default/fuzz-2006-06-26-2594.pcap.out b/test/results/flow-info/default/fuzz-2006-06-26-2594.pcap.out
index 40b8df226..7168dba97 100644
--- a/test/results/flow-info/default/fuzz-2006-06-26-2594.pcap.out
+++ b/test/results/flow-info/default/fuzz-2006-06-26-2594.pcap.out
@@ -82,7 +82,6 @@
new: [....30] [ip4][..tcp] [..147.234.1.249][.2069] -> [....192.168.1.2][.2720] [MIDSTREAM]
new: [....31] [ip4][..tcp] [..147.234.1.253][...21] -> [....192.168.1.2][.2208] [MIDSTREAM]
new: [....32] [ip4][..tcp] [..147.234.1.253][...21] -> [....192.168.1.2][.2732] [MIDSTREAM]
- detected: [....32] [ip4][..tcp] [..147.234.1.253][...21] -> [....192.168.1.2][.2732] [Protobuf][Unknown][Network][Safe]
new: [....33] [ip4][..tcp] [..147.234.1.253][.1045] -> [....192.168.1.2][.2720] [MIDSTREAM]
new: [....34] [ip4][..tcp] [..147.234.1.253][...21] -> [...192.168.65.2][.2720] [MIDSTREAM]
ERROR-EVENT: Unknown L3 protocol [3/16]
@@ -852,7 +851,7 @@
detected: [...134] [ip4][..udp] [....192.168.1.2][.2769] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][1.0.0.127.in-addr.arpa]
new: [...135] [ip4][..udp] [....192.168.1.1][..117] -> [....192.168.1.2][.2769]
guessed: [...105] [ip4][..udp] [.....192.86.1.2][.5060] -> [..200.68.120.99][.5060] [SIP][Unknown][VoIP][Acceptable]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [...105] [ip4][..udp] [.....192.86.1.2][.5060] -> [..200.68.120.99][.5060]
idle: [...104] [ip4][..udp] [....192.168.1.2][.2753] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable]
idle: [...103] [ip4][..udp] [....192.169.1.2][.5060] -> [..200.68.120.81][.5060] [SIP][Unknown][VoIP][Acceptable]
@@ -1330,7 +1329,7 @@
update: [...107] [ip4][..118] [....192.168.1.2] -> [..200.68.120.81]
ERROR-EVENT: nDPI IPv4/L4 payload detection failed [1/16]
not-detected: [...162] [ip4][..udp] [..212.242.33.35][.9587] -> [....192.168.1.2][..196] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [...162] [ip4][..udp] [..212.242.33.35][.9587] -> [....192.168.1.2][..196]
not-detected: [....85] [ip4][..240] [....192.168.1.2] -> [....192.168.1.1] [Unknown][Unknown][Unrated]
RISK: Unidirectional Traffic
@@ -2111,19 +2110,21 @@
guessed: [....34] [ip4][..tcp] [..147.234.1.253][...21] -> [...192.168.65.2][.2720] [FTP_CONTROL][Unknown][Download][Unsafe]
RISK: Unsafe Protocol, Unidirectional Traffic
idle: [....34] [ip4][..tcp] [..147.234.1.253][...21] -> [...192.168.65.2][.2720]
- idle: [....32] [ip4][..tcp] [..147.234.1.253][...21] -> [....192.168.1.2][.2732] [Protobuf][Unknown][Network][Safe]
+ guessed: [....32] [ip4][..tcp] [..147.234.1.253][...21] -> [....192.168.1.2][.2732] [FTP_CONTROL][Unknown][Download][Unsafe]
+ RISK: Unsafe Protocol, Unidirectional Traffic
+ idle: [....32] [ip4][..tcp] [..147.234.1.253][...21] -> [....192.168.1.2][.2732]
not-detected: [...237] [ip4][..udp] [.....81.168.1.2][30000] -> [..212.242.33.36][40392] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [...237] [ip4][..udp] [.....81.168.1.2][30000] -> [..212.242.33.36][40392]
not-detected: [....28] [ip4][..tcp] [..147.234.1.253][..120] -> [....192.168.1.2][.2720] [Unknown][Unknown][Unrated]
RISK: Unidirectional Traffic
idle: [....28] [ip4][..tcp] [..147.234.1.253][..120] -> [....192.168.1.2][.2720]
idle: [...235] [ip4][..udp] [....192.168.1.2][30000] -> [..212.242.33.36][40392] [RTP][Unknown][Media][Acceptable]
not-detected: [...233] [ip4][..udp] [....192.168.1.3][30000] -> [..212.242.33.36][40392] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [...233] [ip4][..udp] [....192.168.1.3][30000] -> [..212.242.33.36][40392]
not-detected: [...236] [ip4][..udp] [....192.168.1.2][30000] -> [..214.242.33.36][40392] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [...236] [ip4][..udp] [....192.168.1.2][30000] -> [..214.242.33.36][40392]
guessed: [....18] [ip4][..tcp] [....192.168.1.2][.2717] -> [..147.137.21.94][..445] [SMBv23][Unknown][System][Acceptable]
RISK: Unidirectional Traffic
@@ -2131,7 +2132,7 @@
idle: [...247] [ip4][..udp] [....192.168.1.2][.2827] -> [....192.170.1.1][...53] [DNS][Unknown][Network][Acceptable]
RISK: Non-Printable/Invalid Chars Detected
not-detected: [...234] [ip4][..udp] [....192.168.1.2][30000] -> [....37.115.0.36][40392] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [...234] [ip4][..udp] [....192.168.1.2][30000] -> [....37.115.0.36][40392]
guessed: [....24] [ip4][..tcp] [..147.234.1.253][...21] -> [....192.169.1.2][.2720] [FTP_CONTROL][Unknown][Download][Unsafe]
RISK: Unsafe Protocol, Unidirectional Traffic
diff --git a/test/results/flow-info/default/fuzz-2006-09-29-28586.pcap.out b/test/results/flow-info/default/fuzz-2006-09-29-28586.pcap.out
index 8cd895007..7566a2c81 100644
--- a/test/results/flow-info/default/fuzz-2006-09-29-28586.pcap.out
+++ b/test/results/flow-info/default/fuzz-2006-09-29-28586.pcap.out
@@ -101,12 +101,12 @@
RISK: Unidirectional Traffic
idle: [.....8] [ip4][..tcp] [......172.6.3.5][...80] -> [....172.20.3.13][53132]
guessed: [....35] [ip4][..tcp] [....172.20.3.13][53136] -> [.....172.70.3.5][...80] [HTTP][Cloudflare][Web][Acceptable][]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [....35] [ip4][..tcp] [....172.20.3.13][53136] -> [.....172.70.3.5][...80]
idle: [....23] [ip4][..tcp] [....172.20.3.13][...80] -> [......44.20.3.5][.2605] [HTTP][Unknown][Web][Acceptable]
RISK: HTTP Susp User-Agent
guessed: [....21] [ip4][..tcp] [......51.20.3.5][.2605] -> [....172.20.3.13][...80] [HTTP][AmazonAWS][Web][Acceptable][]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [....21] [ip4][..tcp] [......51.20.3.5][.2605] -> [....172.20.3.13][...80]
guessed: [....15] [ip4][..tcp] [.....172.20.3.5][.2603] -> [.....72.20.3.13][...80] [HTTP][Unknown][Web][Acceptable][]
RISK: Unidirectional Traffic
@@ -162,7 +162,7 @@
RISK: Unidirectional Traffic
idle: [....10] [ip4][..170] [170.170.170.170] -> [170.170.170.170]
guessed: [.....7] [ip4][..tcp] [.....172.20.3.5][...80] -> [....172.57.3.13][53132] [HTTP][Unknown][Web][Acceptable][]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [.....7] [ip4][..tcp] [.....172.20.3.5][...80] -> [....172.57.3.13][53132]
idle: [....30] [ip4][..tcp] [.....172.20.3.5][.9587] -> [....172.20.3.13][...80] [HTTP][Unknown][Web][Acceptable]
RISK: HTTP Susp User-Agent
diff --git a/test/results/flow-info/default/fuzz-2020-02-16-11740.pcap.out b/test/results/flow-info/default/fuzz-2020-02-16-11740.pcap.out
index bb75496f4..6bb781acf 100644
--- a/test/results/flow-info/default/fuzz-2020-02-16-11740.pcap.out
+++ b/test/results/flow-info/default/fuzz-2020-02-16-11740.pcap.out
@@ -61,7 +61,7 @@
ERROR-EVENT: Unknown packet type [1/16]
idle: [.....8] [ip4][..udp] [.....10.4.64.30][29200] -> [..198.226.25.53][.1812] [Radius][Unknown][Network][Acceptable]
not-detected: [....10] [ip4][..udp] [..198.226.25.53][..309] -> [....10.12.64.30][12339] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [....10] [ip4][..udp] [..198.226.25.53][..309] -> [....10.12.64.30][12339]
idle: [.....9] [ip4][..udp] [..198.226.25.53][.1812] -> [....10.12.64.30][29270] [Radius][Unknown][Network][Acceptable]
not-detected: [.....7] [ip4][..udp] [198.226.170.170][43690] -> [170.170.170.170][43690] [Unknown][Unknown][Unrated]
@@ -116,7 +116,7 @@
detected: [....21] [ip4][..udp] [..198.157.25.53][.1812] -> [....10.12.64.30][29200] [Radius][Unknown][Network][Acceptable]
ERROR-EVENT: nDPI IPv4/L4 payload detection failed [2/16]
not-detected: [....13] [ip4][..udp] [..198.162.25.53][.1810] -> [....10.12.64.30][29200] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [....13] [ip4][..udp] [..198.162.25.53][.1810] -> [....10.12.64.30][29200]
idle: [....12] [ip4][..udp] [..198.226.25.53][.1813] -> [....10.12.64.30][29264] [Radius][Unknown][Network][Acceptable]
not-detected: [....11] [ip4][..udp] [170.170.170.170][43690] -> [170.170.170.170][43690] [Unknown][Unknown][Unrated]
@@ -193,7 +193,7 @@
idle: [....24] [ip4][..udp] [..198.226.82.53][.1812] -> [....10.12.64.30][29200] [Radius][Unknown][Network][Acceptable]
idle: [....16] [ip4][..udp] [....10.12.64.30][29200] -> [..198.226.25.62][.1812] [Radius][Unknown][Network][Acceptable]
not-detected: [....25] [ip4][..udp] [..198.226.25.53][.1895] -> [....10.12.64.30][29200] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [....25] [ip4][..udp] [..198.226.25.53][.1895] -> [....10.12.64.30][29200]
idle: [....26] [ip4][..udp] [....10.12.64.30][30224] -> [..198.226.25.53][.1812] [Radius][Unknown][Network][Acceptable]
idle: [....22] [ip4][..udp] [..198.230.25.62][.1812] -> [....10.12.64.30][29200] [Radius][Unknown][Network][Acceptable]
@@ -319,7 +319,7 @@
idle: [....45] [ip4][..udp] [..198.234.25.53][.1812] -> [....10.12.64.30][29200] [Radius][Unknown][Network][Acceptable]
idle: [....49] [ip4][..udp] [.....10.84.37.0][29200] -> [..198.226.25.53][.1812] [Radius][Unknown][Network][Acceptable]
not-detected: [....43] [ip4][..udp] [..198.226.25.53][.1965] -> [....10.12.64.30][29200] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [....43] [ip4][..udp] [..198.226.25.53][.1965] -> [....10.12.64.30][29200]
not-detected: [....47] [ip4][..udp] [..198.226.25.53][43690] -> [..10.12.170.170][43690] [Unknown][Unknown][Unrated]
RISK: Unidirectional Traffic
@@ -426,14 +426,14 @@
idle: [....72] [ip4][..udp] [....10.12.64.30][29200] -> [..198.226.25.21][.1812] [Radius][Unknown][Network][Acceptable]
idle: [.....3] [ip4][..udp] [....10.12.64.30][29200] -> [..198.226.25.53][.1812] [Radius][Unknown][Network][Acceptable]
not-detected: [....64] [ip4][..udp] [..198.226.25.53][.3860] -> [....14.12.64.30][29200] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [....64] [ip4][..udp] [..198.226.25.53][.3860] -> [....14.12.64.30][29200]
idle: [....70] [ip4][..udp] [..198.226.25.53][.1812] -> [....10.12.64.30][29208] [Radius][Unknown][Network][Acceptable]
idle: [....66] [ip4][..udp] [....10.12.64.30][29232] -> [..198.226.25.53][.1812] [Radius][Unknown][Network][Acceptable]
idle: [....59] [ip4][..udp] [....88.12.80.30][29200] -> [..198.226.25.53][.1812] [Radius][Unknown][Network][Acceptable]
idle: [....71] [ip4][..udp] [....10.12.64.30][29289] -> [..198.226.25.53][.1812] [Radius][Unknown][Network][Acceptable]
not-detected: [....68] [ip4][..udp] [..198.226.25.53][43028] -> [....10.12.64.30][29200] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [....68] [ip4][..udp] [..198.226.25.53][43028] -> [....10.12.64.30][29200]
idle: [....61] [ip4][..udp] [.....10.6.64.30][29200] -> [..198.226.25.53][.1812] [Radius][Unknown][Network][Acceptable]
idle: [....67] [ip4][..udp] [..198.226.25.53][.1812] -> [....10.81.64.30][29200] [Radius][Unknown][Network][Acceptable]
@@ -467,7 +467,7 @@
idle: [....78] [ip4][..udp] [..198.226.25.53][.1813] -> [....10.12.64.30][21008] [Radius][Unknown][Network][Acceptable]
idle: [....77] [ip4][..udp] [....10.12.64.30][29200] -> [..198.226.25.53][.1813] [Radius][Unknown][Network][Acceptable]
not-detected: [....74] [ip4][..udp] [..198.226.25.53][.1814] -> [....10.12.64.30][29200] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [....74] [ip4][..udp] [..198.226.25.53][.1814] -> [....10.12.64.30][29200]
not-detected: [....75] [ip4][..udp] [....57.12.64.30][29200] -> [..198.226.25.53][28948] [Unknown][Unknown][Unrated]
RISK: Unidirectional Traffic
diff --git a/test/results/flow-info/default/geforcenow.pcapng.out b/test/results/flow-info/default/geforcenow.pcapng.out
index 7a0d71585..5e59fe148 100644
--- a/test/results/flow-info/default/geforcenow.pcapng.out
+++ b/test/results/flow-info/default/geforcenow.pcapng.out
@@ -27,7 +27,7 @@
RISK: Known Proto on Non Std Port
detection-update: [.....2] [ip4][..udp] [..192.168.1.245][52441] -> [..80.84.167.206][18452] [DTLS][Nvidia][Network][Safe]
detection-update: [.....2] [ip4][..udp] [..192.168.1.245][52441] -> [..80.84.167.206][18452] [DTLS.GeForceNow][Nvidia][Game][Fun]
- RISK: Self-signed Cert, TLS Cert Validity Too Long
+ RISK: TLS Cert Validity Too Long
analyse: [.....2] [ip4][..udp] [..192.168.1.245][52441] -> [..80.84.167.206][18452] [DTLS.GeForceNow][Nvidia][Game][Fun]
min| max| avg| stddev| variance| entropy
[IAT.........: 0.000| 0.690| 0.065| 0.136| 18500.616| 3.200]
@@ -39,7 +39,7 @@
[PKTLENS.....: 124,124,124,92,185,185,185,185,689,568,119,358,164,107,53,95,101,101,141,137,105,109,73,113,113,113,73,85,89,105,85,105]
[ENTROPIES...: 5.8,5.8,5.8,5.7,5.0,5.0,5.0,5.0,6.5,6.7,4.8,6.6,6.2,4.4,3.8,5.3,6.0,5.8,6.4,6.3,5.9,6.0,5.4,6.0,6.2,6.1,5.4,5.6,5.8,6.1,5.7,6.1]
idle: [.....2] [ip4][..udp] [..192.168.1.245][52441] -> [..80.84.167.206][18452] [DTLS.GeForceNow][Nvidia][Game][Fun]
- RISK: Self-signed Cert, TLS Cert Validity Too Long
+ RISK: TLS Cert Validity Too Long
idle: [.....1] [ip4][..tcp] [..192.168.1.245][57490] -> [..80.84.167.206][49100] [TLS.GeForceNow][Nvidia][Game][Fun]
RISK: Known Proto on Non Std Port
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/gnutella.pcap.out b/test/results/flow-info/default/gnutella.pcap.out
index 1fec92df6..b173ceddd 100644
--- a/test/results/flow-info/default/gnutella.pcap.out
+++ b/test/results/flow-info/default/gnutella.pcap.out
@@ -864,14 +864,14 @@
new: [...333] [ip4][..tcp] [......10.0.2.15][50327] -> [.69.118.162.229][46906]
new: [...334] [ip4][..tcp] [......10.0.2.15][50328] -> [..189.147.72.83][26108]
detected: [...333] [ip4][..tcp] [......10.0.2.15][50327] -> [.69.118.162.229][46906] [HTTP.Gnutella][Unknown][Download][Potentially Dangerous][69.118.162.229]
- RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI, Unsafe Protocol
+ RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI, Unsafe Protocol, Susp Entropy
detected: [...334] [ip4][..tcp] [......10.0.2.15][50328] -> [..189.147.72.83][26108] [HTTP.Gnutella][Unknown][Download][Potentially Dangerous][189.147.72.83]
- RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI, Unsafe Protocol
+ RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI, Unsafe Protocol, Susp Entropy
new: [...335] [ip4][..udp] [......10.0.2.15][28681] -> [.14.200.255.229][37058]
detection-update: [...333] [ip4][..tcp] [......10.0.2.15][50327] -> [.69.118.162.229][46906] [HTTP.Gnutella][Unknown][Media][Potentially Dangerous][69.118.162.229]
- RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI, Unsafe Protocol, Binary file/data transfer (attempt)
+ RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI, Unsafe Protocol, Susp Entropy, Binary File/Data Transfer (Attempt)
detection-update: [...334] [ip4][..tcp] [......10.0.2.15][50328] -> [..189.147.72.83][26108] [HTTP.Gnutella][Unknown][Media][Potentially Dangerous][189.147.72.83]
- RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI, Unsafe Protocol, Binary file/data transfer (attempt)
+ RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI, Unsafe Protocol, Susp Entropy, Binary File/Data Transfer (Attempt)
new: [...336] [ip4][..udp] [......10.0.2.15][28681] -> [...80.7.252.192][.6888]
detected: [...336] [ip4][..udp] [......10.0.2.15][28681] -> [...80.7.252.192][.6888] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
@@ -1017,7 +1017,7 @@
RISK: Unsafe Protocol
new: [...345] [ip4][..tcp] [......10.0.2.15][50330] -> [.69.118.162.229][46906]
detected: [...345] [ip4][..tcp] [......10.0.2.15][50330] -> [.69.118.162.229][46906] [HTTP.Gnutella][Unknown][Download][Potentially Dangerous][69.118.162.229]
- RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI, Unsafe Protocol
+ RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI, Unsafe Protocol, Susp Entropy
new: [...346] [ip4][..udp] [......10.0.2.15][28681] -> [..76.226.85.105][.6346]
detected: [...346] [ip4][..udp] [......10.0.2.15][28681] -> [..76.226.85.105][.6346] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
@@ -1029,6 +1029,7 @@
RISK: Unsafe Protocol
new: [...349] [ip4][.icmp] [...84.197.97.94] -> [......10.0.2.15]
detected: [...349] [ip4][.icmp] [...84.197.97.94] -> [......10.0.2.15] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
new: [...350] [ip4][..udp] [......10.0.2.15][28681] -> [..99.250.253.99][11819]
detected: [...350] [ip4][..udp] [......10.0.2.15][28681] -> [..99.250.253.99][11819] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
@@ -1321,6 +1322,7 @@
update: [...336] [ip4][..udp] [......10.0.2.15][28681] -> [...80.7.252.192][.6888] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
update: [...349] [ip4][.icmp] [...84.197.97.94] -> [......10.0.2.15] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
update: [....26] [ip4][..udp] [......10.0.2.15][57619] -> [.......10.0.2.2][.5351] [NAT-PMP][Unknown][Network][Acceptable]
update: [....27] [ip4][..udp] [......10.0.2.15][57620] -> [.......10.0.2.2][.5351] [NAT-PMP][Unknown][Network][Acceptable]
update: [....34] [ip4][..udp] [......10.0.2.15][57621] -> [.......10.0.2.2][.5351] [NAT-PMP][Unknown][Network][Acceptable]
@@ -1750,6 +1752,7 @@
update: [...248] [ip4][..udp] [......10.0.2.15][28681] -> [..66.30.221.181][12012] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
update: [...349] [ip4][.icmp] [...84.197.97.94] -> [......10.0.2.15] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
update: [...263] [ip4][..udp] [......10.0.2.15][28681] -> [..82.217.176.52][.7446] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
update: [...253] [ip4][..udp] [......10.0.2.15][28681] -> [.193.37.255.130][61616] [Gnutella][Unknown][Download][Potentially Dangerous]
@@ -2146,6 +2149,7 @@
update: [...185] [ip4][..udp] [......10.0.2.15][28681] -> [.109.132.196.58][.6346] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
update: [...349] [ip4][.icmp] [...84.197.97.94] -> [......10.0.2.15] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
update: [...165] [ip4][..udp] [......10.0.2.15][28681] -> [...86.75.43.182][43502] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
update: [...161] [ip4][..udp] [......10.0.2.15][28681] -> [..213.120.26.86][29946] [Gnutella][Unknown][Download][Potentially Dangerous]
@@ -2497,7 +2501,7 @@
idle: [...101] [ip4][..udp] [......10.0.2.15][28681] -> [123.205.126.102][.5193] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
end: [...345] [ip4][..tcp] [......10.0.2.15][50330] -> [.69.118.162.229][46906] [HTTP.Gnutella][Unknown][Download][Potentially Dangerous]
- RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI, Unsafe Protocol
+ RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI, Unsafe Protocol, Susp Entropy
idle: [...131] [ip4][..udp] [......10.0.2.15][28681] -> [.86.225.140.186][.6346] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
idle: [...106] [ip4][..udp] [......10.0.2.15][28681] -> [..114.39.154.69][.4832] [Gnutella][Unknown][Download][Potentially Dangerous]
@@ -2511,6 +2515,7 @@
idle: [....99] [ip4][..udp] [......10.0.2.15][28681] -> [....114.38.9.82][24223] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
idle: [...349] [ip4][.icmp] [...84.197.97.94] -> [......10.0.2.15] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
idle: [...107] [ip4][..udp] [......10.0.2.15][28681] -> [..202.151.63.59][.7624] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
idle: [...103] [ip4][..udp] [......10.0.2.15][28681] -> [.220.134.167.82][.5820] [Gnutella][Unknown][Download][Potentially Dangerous]
@@ -2551,6 +2556,7 @@
idle: [...196] [ip4][..udp] [......10.0.2.15][28681] -> [..88.127.72.106][.6346] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
not-detected: [...220] [ip4][..udp] [......10.0.2.15][28681] -> [.113.252.86.162][.9239] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [...220] [ip4][..udp] [......10.0.2.15][28681] -> [.113.252.86.162][.9239]
idle: [...217] [ip4][..udp] [......10.0.2.15][28681] -> [.126.117.45.151][19323] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
@@ -3056,6 +3062,7 @@
new: [...744] [ip4][..udp] [......10.0.2.15][28681] -> [..164.132.10.25][48250]
new: [...745] [ip4][.icmp] [..164.132.10.25] -> [......10.0.2.15]
detected: [...745] [ip4][.icmp] [..164.132.10.25] -> [......10.0.2.15] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
idle: [...320] [ip4][..udp] [......10.0.2.15][28681] -> [185.236.200.137][48142] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
idle: [...325] [ip4][..udp] [......10.0.2.15][28681] -> [..83.160.143.48][37036] [Gnutella][Unknown][Download][Potentially Dangerous]
@@ -3487,6 +3494,7 @@
idle: [...311] [ip4][..udp] [......10.0.2.15][28681] -> [.109.132.188.98][62851] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
not-detected: [...300] [ip4][..udp] [......10.0.2.15][28681] -> [104.238.172.250][23548] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [...300] [ip4][..udp] [......10.0.2.15][28681] -> [104.238.172.250][23548]
idle: [...324] [ip4][..udp] [......10.0.2.15][28681] -> [.73.250.179.237][20848] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
@@ -3557,6 +3565,7 @@
update: [...116] [ip4][..udp] [......10.0.2.15][28681] -> [.124.44.190.145][10170] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
update: [...745] [ip4][.icmp] [..164.132.10.25] -> [......10.0.2.15] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
update: [...319] [ip4][..udp] [......10.0.2.15][28681] -> [..164.132.10.25][55302] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
update: [...133] [ip4][..udp] [......10.0.2.15][28681] -> [.91.175.220.161][15721] [Gnutella][Unknown][Download][Potentially Dangerous]
@@ -4188,6 +4197,7 @@
not-detected: [...301] [ip4][..udp] [......10.0.2.15][28681] -> [..188.61.52.183][11852] [Unknown][Unknown][Unrated]
idle: [...301] [ip4][..udp] [......10.0.2.15][28681] -> [..188.61.52.183][11852]
not-detected: [...243] [ip4][..udp] [......10.0.2.15][28681] -> [.104.156.226.72][53258] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [...243] [ip4][..udp] [......10.0.2.15][28681] -> [.104.156.226.72][53258]
idle: [...330] [ip4][..udp] [......10.0.2.15][28681] -> [....82.64.44.11][.1352] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
@@ -4202,6 +4212,7 @@
update: [...490] [ip4][..udp] [......10.0.2.15][28681] -> [...90.3.215.132][20356] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
update: [...745] [ip4][.icmp] [..164.132.10.25] -> [......10.0.2.15] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
update: [...489] [ip4][..udp] [......10.0.2.15][28681] -> [...108.44.45.25][.6346] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
update: [...487] [ip4][..udp] [......10.0.2.15][28681] -> [..24.78.134.188][49046] [Gnutella][Unknown][Download][Potentially Dangerous]
@@ -4214,7 +4225,7 @@
detected: [...755] [ip4][..udp] [......10.0.2.15][28681] -> [..83.134.107.32][38836] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
not-detected: [...242] [ip4][..udp] [......10.0.2.15][28681] -> [..75.133.101.93][52367] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [...242] [ip4][..udp] [......10.0.2.15][28681] -> [..75.133.101.93][52367]
idle: [...308] [ip4][..udp] [......10.0.2.15][28681] -> [...81.205.91.45][40137] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
@@ -4787,6 +4798,7 @@
update: [...405] [ip4][..udp] [......10.0.2.15][28681] -> [.176.155.31.118][.6346] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
update: [...745] [ip4][.icmp] [..164.132.10.25] -> [......10.0.2.15] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
update: [...387] [ip4][..udp] [......10.0.2.15][28681] -> [....220.135.8.7][.1219]
update: [...302] [ip4][..udp] [......10.0.2.15][28681] -> [.185.187.74.173][53489]
update: [...255] [ip4][..udp] [......10.0.2.15][28681] -> [..80.61.221.246][30577] [Gnutella][Unknown][Download][Potentially Dangerous]
@@ -4894,6 +4906,7 @@
idle: [...372] [ip4][..udp] [......10.0.2.15][28681] -> [.91.179.185.126][.6346] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
idle: [...745] [ip4][.icmp] [..164.132.10.25] -> [......10.0.2.15] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
idle: [...373] [ip4][..udp] [......10.0.2.15][28681] -> [..88.122.233.15][11488] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
update: [...750] [ip4][..udp] [......10.0.2.15][28681] -> [....67.193.8.52][38584] [Gnutella][Unknown][Download][Potentially Dangerous]
@@ -5029,6 +5042,7 @@
idle: [...416] [ip4][..udp] [......10.0.2.15][28681] -> [..92.139.61.103][24096] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
not-detected: [...304] [ip4][..udp] [......10.0.2.15][28681] -> [.193.32.126.214][59596] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [...304] [ip4][..udp] [......10.0.2.15][28681] -> [.193.32.126.214][59596]
not-detected: [...389] [ip4][..udp] [......10.0.2.15][28681] -> [..94.215.183.71][31310] [Unknown][Unknown][Unrated]
RISK: Unidirectional Traffic
@@ -5060,6 +5074,7 @@
idle: [...431] [ip4][..udp] [......10.0.2.15][28681] -> [..88.124.71.246][49035] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
not-detected: [...303] [ip4][..udp] [......10.0.2.15][28681] -> [.142.132.165.13][30566] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [...303] [ip4][..udp] [......10.0.2.15][28681] -> [.142.132.165.13][30566]
not-detected: [...395] [ip4][..udp] [......10.0.2.15][28681] -> [..191.114.88.39][18751] [Unknown][Unknown][Unrated]
RISK: Unidirectional Traffic
@@ -6051,6 +6066,7 @@
RISK: Unidirectional Traffic
idle: [...723] [ip4][..udp] [......10.0.2.15][28681] -> [.175.39.219.223][13482]
not-detected: [...376] [ip4][..udp] [......10.0.2.15][28681] -> [....156.57.42.2][33476] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [...376] [ip4][..udp] [......10.0.2.15][28681] -> [....156.57.42.2][33476]
not-detected: [...673] [ip4][..udp] [......10.0.2.15][28681] -> [.125.59.215.249][14571] [Unknown][Unknown][Unrated]
RISK: Unidirectional Traffic
@@ -6090,6 +6106,7 @@
idle: [...319] [ip4][..udp] [......10.0.2.15][28681] -> [..164.132.10.25][55302] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
not-detected: [...302] [ip4][..udp] [......10.0.2.15][28681] -> [.185.187.74.173][53489] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [...302] [ip4][..udp] [......10.0.2.15][28681] -> [.185.187.74.173][53489]
not-detected: [...668] [ip4][..udp] [......10.0.2.15][28681] -> [..218.103.139.2][64731] [Unknown][Unknown][Unrated]
RISK: Unidirectional Traffic
@@ -6544,6 +6561,7 @@
new: [...782] [ip4][..udp] [......10.0.2.15][28681] -> [.65.182.231.232][.7890]
new: [...783] [ip4][.icmp] [.65.182.231.232] -> [......10.0.2.15]
detected: [...783] [ip4][.icmp] [.65.182.231.232] -> [......10.0.2.15] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
new: [...784] [ip4][..udp] [......10.0.2.15][28681] -> [..23.19.141.110][.6346]
idle: [....88] [ip4][..udp] [......10.0.2.15][28681] -> [.....81.50.24.2][17874] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
@@ -6801,6 +6819,7 @@
update: [...140] [ip4][..udp] [......10.0.2.15][28681] -> [.77.197.111.186][.6346] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
update: [...783] [ip4][.icmp] [.65.182.231.232] -> [......10.0.2.15] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
update: [...175] [ip4][..udp] [......10.0.2.15][28681] -> [...115.69.62.99][.6346] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
update: [...756] [ip4][..udp] [......10.0.2.15][28681] -> [..41.100.68.255][12838] [Gnutella][Unknown][Download][Potentially Dangerous]
@@ -6879,6 +6898,7 @@
RISK: Unsafe Protocol
new: [...797] [ip4][.icmp] [...154.3.42.209] -> [......10.0.2.15]
detected: [...797] [ip4][.icmp] [...154.3.42.209] -> [......10.0.2.15] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
idle: [...195] [ip4][..udp] [......10.0.2.15][28681] -> [.177.231.151.16][.6346] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
idle: [...191] [ip4][..udp] [......10.0.2.15][28681] -> [.190.153.143.54][65535] [Gnutella][Unknown][Download][Potentially Dangerous]
@@ -6894,6 +6914,7 @@
RISK: Unsafe Protocol
update: [...794] [ip4][..udp] [......10.0.2.15][50214] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable]
update: [...783] [ip4][.icmp] [.65.182.231.232] -> [......10.0.2.15] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
idle: [...759] [ip4][..udp] [......10.0.2.15][28681] -> [104.238.172.250][23548] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
idle: [...757] [ip4][..udp] [......10.0.2.15][28681] -> [.104.156.226.72][53258] [Gnutella][Unknown][Download][Potentially Dangerous]
@@ -7002,6 +7023,7 @@
RISK: Unsafe Protocol
idle: [...758] [ip4][..udp] [......10.0.2.15][50213] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable]
update: [...797] [ip4][.icmp] [...154.3.42.209] -> [......10.0.2.15] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
new: [...798] [ip4][..udp] [......10.0.2.15][63962] -> [239.255.255.250][.1900]
detected: [...798] [ip4][..udp] [......10.0.2.15][63962] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900]
new: [...799] [ip6][..udp] [..............fe80::c50d:519f:96a4:e108][63958] -> [................................ff02::c][.3702]
@@ -7069,6 +7091,7 @@
not-detected: [...768] [ip4][..udp] [......10.0.2.15][28681] -> [.14.200.255.229][37058] [Unknown][Unknown][Unrated]
idle: [...768] [ip4][..udp] [......10.0.2.15][28681] -> [.14.200.255.229][37058]
not-detected: [...765] [ip4][..udp] [......10.0.2.15][28681] -> [213.229.111.224][.4876] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [...765] [ip4][..udp] [......10.0.2.15][28681] -> [213.229.111.224][.4876]
not-detected: [....75] [ip4][..tcp] [......10.0.2.15][50234] -> [...66.189.28.17][16269] [Unknown][Unknown][Unrated]
RISK: Unidirectional Traffic
@@ -7108,7 +7131,7 @@
idle: [...123] [ip4][..tcp] [......10.0.2.15][50254] -> [..24.78.134.188][49046]
idle: [...799] [ip6][..udp] [..............fe80::c50d:519f:96a4:e108][63958] -> [................................ff02::c][.3702] [WSD][Unknown][Network][Acceptable]
idle: [...333] [ip4][..tcp] [......10.0.2.15][50327] -> [.69.118.162.229][46906] [HTTP.Gnutella][Unknown][Media][Potentially Dangerous]
- RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI, Unsafe Protocol, Binary file/data transfer (attempt)
+ RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI, Unsafe Protocol, Susp Entropy, Binary File/Data Transfer (Attempt)
not-detected: [....64] [ip4][..tcp] [......10.0.2.15][50223] -> [118.167.248.220][63108] [Unknown][Unknown][Unrated]
RISK: Unidirectional Traffic
idle: [....64] [ip4][..tcp] [......10.0.2.15][50223] -> [118.167.248.220][63108]
@@ -7169,6 +7192,7 @@
RISK: Unidirectional Traffic
idle: [...266] [ip4][..tcp] [......10.0.2.15][50290] -> [....73.89.249.8][50649]
idle: [...797] [ip4][.icmp] [...154.3.42.209] -> [......10.0.2.15] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
idle: [...135] [ip4][..udp] [......10.0.2.15][28681] -> [.193.250.99.158][.6346] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
not-detected: [....78] [ip4][..tcp] [......10.0.2.15][50237] -> [.88.123.202.175][37910] [Unknown][Unknown][Unrated]
@@ -7341,13 +7365,14 @@
RISK: Unidirectional Traffic
idle: [...235] [ip4][..tcp] [......10.0.2.15][50281] -> [.94.134.154.158][54130]
idle: [...783] [ip4][.icmp] [.65.182.231.232] -> [......10.0.2.15] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
not-detected: [....60] [ip4][..tcp] [......10.0.2.15][50219] -> [.193.121.165.12][55376] [Unknown][Unknown][Unrated]
RISK: Unidirectional Traffic
idle: [....60] [ip4][..tcp] [......10.0.2.15][50219] -> [.193.121.165.12][55376]
end: [...239] [ip4][..tcp] [......10.0.2.15][50285] -> [..75.133.101.93][52367] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
idle: [...334] [ip4][..tcp] [......10.0.2.15][50328] -> [..189.147.72.83][26108] [HTTP.Gnutella][Unknown][Media][Potentially Dangerous]
- RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI, Unsafe Protocol, Binary file/data transfer (attempt)
+ RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI, Unsafe Protocol, Susp Entropy, Binary File/Data Transfer (Attempt)
idle: [...175] [ip4][..udp] [......10.0.2.15][28681] -> [...115.69.62.99][.6346] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol
idle: [...756] [ip4][..udp] [......10.0.2.15][28681] -> [..41.100.68.255][12838] [Gnutella][Unknown][Download][Potentially Dangerous]
diff --git a/test/results/flow-info/default/googledns_android10.pcap.out b/test/results/flow-info/default/googledns_android10.pcap.out
index 8d29f8eb9..8f0c1668b 100644
--- a/test/results/flow-info/default/googledns_android10.pcap.out
+++ b/test/results/flow-info/default/googledns_android10.pcap.out
@@ -35,8 +35,10 @@
[ENTROPIES...: 4.3,5.0,5.0,5.4,5.0,7.1,7.5,7.1,5.1,5.0,5.1,6.1,7.1,6.7,5.0,6.8,7.6,4.9,7.6,5.1,6.8,5.1,7.5,5.1,6.8,5.0,7.6,5.1,6.8,5.0,7.6,5.1]
new: [.....5] [ip4][.icmp] [..192.168.1.159] -> [........8.8.8.8]
detected: [.....5] [ip4][.icmp] [..192.168.1.159] -> [........8.8.8.8] [ICMP][Google][Network][Acceptable]
+ RISK: Susp Entropy
new: [.....6] [ip4][..tcp] [........8.8.4.4][..853] -> [..192.168.1.159][47968] [MIDSTREAM]
update: [.....5] [ip4][.icmp] [..192.168.1.159] -> [........8.8.8.8] [ICMP][Google][Network][Acceptable]
+ RISK: Susp Entropy
new: [.....7] [ip4][..tcp] [..192.168.1.159][48098] -> [........8.8.4.4][..853]
detected: [.....7] [ip4][..tcp] [..192.168.1.159][48098] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Google][Network][Acceptable][dns.google]
RISK: TLS (probably) Not Carrying HTTPS
@@ -53,7 +55,9 @@
[PKTLENS.....: 60,60,52,569,52,199,52,103,52,211,52,551,52,211,52,551,52,211,52,551,52,211,52,551,52,211,52,211,551,52,52,551]
[ENTROPIES...: 4.2,4.9,4.8,6.2,4.7,6.1,4.8,5.5,4.8,6.8,4.7,7.5,4.8,6.8,4.8,7.5,4.8,6.7,4.9,7.6,4.9,6.7,4.8,7.6,4.9,6.8,4.9,6.8,7.6,4.9,4.9,7.6]
update: [.....5] [ip4][.icmp] [..192.168.1.159] -> [........8.8.8.8] [ICMP][Google][Network][Acceptable]
+ RISK: Susp Entropy
idle: [.....5] [ip4][.icmp] [..192.168.1.159] -> [........8.8.8.8] [ICMP][Google][Network][Acceptable]
+ RISK: Susp Entropy
guessed: [.....1] [ip4][..tcp] [........8.8.8.8][..853] -> [..192.168.1.159][55856] [DoH_DoT][Google][Network][Acceptable]
end: [.....1] [ip4][..tcp] [........8.8.8.8][..853] -> [..192.168.1.159][55856]
end: [.....3] [ip4][..tcp] [..192.168.1.159][56024] -> [........8.8.8.8][..853] [TLS.DoH_DoT][Google][Network][Acceptable]
diff --git a/test/results/flow-info/default/gtp_false_positive.pcapng.out b/test/results/flow-info/default/gtp_false_positive.pcapng.out
index 65e6186e3..8f19de172 100644
--- a/test/results/flow-info/default/gtp_false_positive.pcapng.out
+++ b/test/results/flow-info/default/gtp_false_positive.pcapng.out
@@ -16,6 +16,6 @@
RISK: Unidirectional Traffic
idle: [.....2] [ip4][..udp] [...50.7.111.134][17000] -> [103.225.103.159][.2123]
guessed: [.....3] [ip4][..udp] [119.185.190.173][.2123] -> [...66.86.98.114][50140] [GTP][Unknown][Network][Acceptable]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [.....3] [ip4][..udp] [119.185.190.173][.2123] -> [...66.86.98.114][50140]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/h323.pcap.out b/test/results/flow-info/default/h323.pcap.out
index 4aca46e03..c286c5687 100644
--- a/test/results/flow-info/default/h323.pcap.out
+++ b/test/results/flow-info/default/h323.pcap.out
@@ -1,10 +1,31 @@
DAEMON-EVENT: init
DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
- new: [.....1] [ip4][..udp] [.....17.2.0.124][.2034] -> [.....17.2.0.161][.1719]
- detected: [.....1] [ip4][..udp] [.....17.2.0.124][.2034] -> [.....17.2.0.161][.1719] [H323][Apple][VoIP][Acceptable]
- new: [.....2] [ip4][..tcp] [.....17.2.0.124][.3032] -> [.....17.2.0.122][.1720] [MIDSTREAM]
- detected: [.....2] [ip4][..tcp] [.....17.2.0.124][.3032] -> [.....17.2.0.122][.1720] [H323][Apple][VoIP][Acceptable]
- idle: [.....1] [ip4][..udp] [.....17.2.0.124][.2034] -> [.....17.2.0.161][.1719] [H323][Apple][VoIP][Acceptable]
- idle: [.....2] [ip4][..tcp] [.....17.2.0.124][.3032] -> [.....17.2.0.122][.1720] [H323][Apple][VoIP][Acceptable]
+ new: [.....1] [ip4][..tcp] [.....10.1.3.143][32803] -> [......10.1.6.18][.1720]
+ detected: [.....1] [ip4][..tcp] [.....10.1.3.143][32803] -> [......10.1.6.18][.1720] [H323][Unknown][VoIP][Acceptable]
+ new: [.....2] [ip4][..tcp] [.....10.1.3.143][32804] -> [......10.1.6.18][.1232]
+ detected: [.....2] [ip4][..tcp] [.....10.1.3.143][32804] -> [......10.1.6.18][.1232] [H323][Unknown][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
+ DAEMON-EVENT: [Processed: 43 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 2 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....3] [ip4][..tcp] [..192.168.0.208][56837] -> [....192.168.0.1][.1720]
+ detected: [.....3] [ip4][..tcp] [..192.168.0.208][56837] -> [....192.168.0.1][.1720] [H323][Unknown][VoIP][Acceptable]
+ idle: [.....1] [ip4][..tcp] [.....10.1.3.143][32803] -> [......10.1.6.18][.1720] [H323][Unknown][VoIP][Acceptable]
+ idle: [.....2] [ip4][..tcp] [.....10.1.3.143][32804] -> [......10.1.6.18][.1232] [H323][Unknown][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
+ DAEMON-EVENT: [Processed: 58 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 3|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....4] [ip4][..udp] [.....17.2.0.124][.2034] -> [.....17.2.0.161][.1719]
+ detected: [.....4] [ip4][..udp] [.....17.2.0.124][.2034] -> [.....17.2.0.161][.1719] [H323][Apple][VoIP][Acceptable]
+ new: [.....5] [ip4][..tcp] [.....17.2.0.124][.3032] -> [.....17.2.0.122][.1720] [MIDSTREAM]
+ detected: [.....5] [ip4][..tcp] [.....17.2.0.124][.3032] -> [.....17.2.0.122][.1720] [H323][Apple][VoIP][Acceptable]
+ idle: [.....3] [ip4][..tcp] [..192.168.0.208][56837] -> [....192.168.0.1][.1720] [H323][Unknown][VoIP][Acceptable]
+ update: [.....4] [ip4][..udp] [.....17.2.0.124][.2034] -> [.....17.2.0.161][.1719] [H323][Apple][VoIP][Acceptable]
+ DAEMON-EVENT: [Processed: 70 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 2 / 5|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 1]
+ new: [.....6] [ip4][..udp] [..10.47.208.204][.1719] -> [...10.47.208.50][.1719]
+ detected: [.....6] [ip4][..udp] [..10.47.208.204][.1719] -> [...10.47.208.50][.1719] [H323][Unknown][VoIP][Acceptable]
+ idle: [.....4] [ip4][..udp] [.....17.2.0.124][.2034] -> [.....17.2.0.161][.1719] [H323][Apple][VoIP][Acceptable]
+ idle: [.....5] [ip4][..tcp] [.....17.2.0.124][.3032] -> [.....17.2.0.122][.1720] [H323][Apple][VoIP][Acceptable]
+ idle: [.....6] [ip4][..udp] [..10.47.208.204][.1719] -> [...10.47.208.50][.1719] [H323][Unknown][VoIP][Acceptable]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/h323_tcp.pcap.out b/test/results/flow-info/default/h323_tcp.pcap.out
deleted file mode 100644
index 4b14e2046..000000000
--- a/test/results/flow-info/default/h323_tcp.pcap.out
+++ /dev/null
@@ -1,7 +0,0 @@
- DAEMON-EVENT: init
- DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
- new: [.....1] [ip4][..tcp] [......10.1.6.18][.1720] -> [.....10.1.3.143][32803]
- detected: [.....1] [ip4][..tcp] [......10.1.6.18][.1720] -> [.....10.1.3.143][32803] [H323][Unknown][VoIP][Acceptable]
- idle: [.....1] [ip4][..tcp] [......10.1.6.18][.1720] -> [.....10.1.3.143][32803] [H323][Unknown][VoIP][Acceptable]
- DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/haproxy.pcap.out b/test/results/flow-info/default/haproxy.pcap.out
index c38f25757..046799347 100644
--- a/test/results/flow-info/default/haproxy.pcap.out
+++ b/test/results/flow-info/default/haproxy.pcap.out
@@ -3,5 +3,7 @@
DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....1] [ip4][..tcp] [........1.1.1.1][48502] -> [........2.2.2.2][..443] [MIDSTREAM]
detected: [.....1] [ip4][..tcp] [........1.1.1.1][48502] -> [........2.2.2.2][..443] [HAProxy][Unknown][Web][Safe]
+ RISK: Susp Entropy
idle: [.....1] [ip4][..tcp] [........1.1.1.1][48502] -> [........2.2.2.2][..443] [HAProxy][Unknown][Web][Safe]
+ RISK: Susp Entropy
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/heuristic_tcp_ack_payload.pcap.out b/test/results/flow-info/default/heuristic_tcp_ack_payload.pcap.out
index e06f8f109..771f5c167 100644
--- a/test/results/flow-info/default/heuristic_tcp_ack_payload.pcap.out
+++ b/test/results/flow-info/default/heuristic_tcp_ack_payload.pcap.out
@@ -12,11 +12,13 @@
[IATS(ms)....: 50.3,51.1,0.6,51.7,0.1,0.0,0.1,51.3,1.4,0.0,1.9,0.5,0.2,0.2,0.0,51.7,0.0,0.0,0.1,50.1,0.4,8.1,0.0,8.1,85.1,28647.7,0.0,0.1,28613.9,0.0,0.0]
[PKTLENS.....: 52,52,42,557,46,153,1500,2960,42,378,49,42,166,145,502,550,160,91,118,46,42,78,439,78,42,46,113,86,1125,46,46,86]
[ENTROPIES...: 4.7,4.8,4.7,5.8,4.4,5.8,7.2,7.3,4.7,7.4,4.8,4.7,6.2,6.3,7.6,7.6,6.6,5.4,6.1,4.4,4.7,5.4,7.5,5.4,4.7,4.5,6.0,5.6,7.8,4.4,4.5,5.5]
+ guessed: [.....1] [ip4][..tcp] [.194.226.199.21][58155] -> [..52.18.127.189][..443] [TLS][AmazonAWS][Web][Safe]
+ RISK: Susp Entropy
DAEMON-EVENT: [Processed: 63 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 1|detection-updates: 0|updates: 0]
new: [.....2] [ip4][..tcp] [194.226.199.226][34101] -> [..8.247.226.126][...80]
- guessed: [.....1] [ip4][..tcp] [.194.226.199.21][58155] -> [..52.18.127.189][..443] [TLS][AmazonAWS][Web][Safe]
- end: [.....1] [ip4][..tcp] [.194.226.199.21][58155] -> [..52.18.127.189][..443]
+ end: [.....1] [ip4][..tcp] [.194.226.199.21][58155] -> [..52.18.127.189][..443] [TLS][AmazonAWS][Web][Safe]
+ RISK: Susp Entropy
new: [.....3] [ip4][..tcp] [.194.226.199.61][27453] -> [...35.241.9.150][..443]
analyse: [.....3] [ip4][..tcp] [.194.226.199.61][27453] -> [...35.241.9.150][..443]
min| max| avg| stddev| variance| entropy
@@ -28,14 +30,16 @@
[IATS(ms)....: 24.1,24.4,0.4,25.0,2.4,0.0,0.0,27.4,0.3,4.7,29.9,0.0,24.6,1.2,0.0,0.1,26.5,0.0,0.3,0.0,25.6,0.9,0.5,1.6,0.3,1.0,1.0,1.3,1.2,1.0,1.3]
[PKTLENS.....: 52,52,42,258,46,2088,2088,462,42,42,133,318,109,42,217,361,78,46,78,364,1452,42,1452,2864,42,42,2864,42,2864,42,2864,42]
[ENTROPIES...: 4.6,5.0,4.7,5.7,4.5,7.4,7.6,7.4,4.7,4.7,5.8,7.0,5.8,4.7,6.9,7.4,5.3,4.5,5.2,7.3,7.9,4.6,7.9,7.9,4.7,4.8,7.9,4.8,7.9,4.8,7.9,4.6]
+ guessed: [.....3] [ip4][..tcp] [.194.226.199.61][27453] -> [...35.241.9.150][..443] [TLS][GoogleCloud][Web][Safe]
+ RISK: Susp Entropy
guessed: [.....2] [ip4][..tcp] [194.226.199.226][34101] -> [..8.247.226.126][...80] [HTTP][Unknown][Web][Acceptable][]
end: [.....2] [ip4][..tcp] [194.226.199.226][34101] -> [..8.247.226.126][...80]
DAEMON-EVENT: [Processed: 160 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 1 / 3|skipped: 0|!detected: 0|guessed: 2|detection-updates: 0|updates: 0]
+ DAEMON-EVENT: [Flows][active: 1 / 3|skipped: 0|!detected: 0|guessed: 3|detection-updates: 0|updates: 0]
new: [.....4] [ip4][..tcp] [..194.226.199.9][49756] -> [..92.223.106.21][..443]
new: [.....5] [ip4][..tcp] [194.226.199.103][62580] -> [..217.69.139.59][..443]
- guessed: [.....3] [ip4][..tcp] [.194.226.199.61][27453] -> [...35.241.9.150][..443] [TLS][GoogleCloud][Web][Safe]
- end: [.....3] [ip4][..tcp] [.194.226.199.61][27453] -> [...35.241.9.150][..443]
+ end: [.....3] [ip4][..tcp] [.194.226.199.61][27453] -> [...35.241.9.150][..443] [TLS][GoogleCloud][Web][Safe]
+ RISK: Susp Entropy
analyse: [.....5] [ip4][..tcp] [194.226.199.103][62580] -> [..217.69.139.59][..443]
min| max| avg| stddev| variance| entropy
[IAT.........: 0.000| 5.456| 0.293| 1.017| 1033283.961| 1.700]
@@ -46,6 +50,7 @@
[IATS(ms)....: 0.0,10.5,0.0,1548.8,0.0,1559.9,0.0,2.5,0.0,14.1,0.0,4.4,0.0,0.1,0.0,17.1,0.0,0.0,0.0,4.7,0.0,18.5,0.0,216.2,0.0,213.8,0.0,10.4,0.0,5455.6,0.0]
[PKTLENS.....: 52,52,46,46,46,46,42,42,609,609,46,46,1450,1450,2883,2883,42,42,42,42,166,166,298,298,42,42,298,298,42,42,71,71]
[ENTROPIES...: 4.5,4.5,4.8,4.8,4.8,4.8,4.8,4.8,7.1,7.1,4.6,4.6,7.2,7.2,7.5,7.5,4.7,4.7,4.7,4.7,6.3,6.3,7.1,7.1,4.8,4.8,7.1,7.1,4.7,4.7,5.2,5.2]
+ guessed: [.....5] [ip4][..tcp] [194.226.199.103][62580] -> [..217.69.139.59][..443] [TLS][Unknown][Web][Safe]
new: [.....6] [ip4][..tcp] [.194.226.199.61][.6946] -> [....2.22.40.186][..443]
analyse: [.....6] [ip4][..tcp] [.194.226.199.61][.6946] -> [....2.22.40.186][..443]
min| max| avg| stddev| variance| entropy
@@ -58,9 +63,11 @@
[PKTLENS.....: 52,52,52,52,42,561,52,52,46,2960,1216,1500,52,46,1500,1500,1500,52,52,42,42,120,138,46,311,327,46,101,71,1500,658,673]
[ENTROPIES...: 4.8,5.0,5.0,4.8,4.6,6.8,5.0,5.0,4.6,7.9,7.8,7.9,4.8,5.1,7.9,7.9,7.9,4.9,4.8,4.7,4.8,6.3,6.6,4.6,7.3,7.3,4.6,6.2,5.8,7.9,7.6,7.7]
guessed: [.....6] [ip4][..tcp] [.194.226.199.61][.6946] -> [....2.22.40.186][..443] [TLS][Unknown][Web][Safe]
- idle: [.....6] [ip4][..tcp] [.194.226.199.61][.6946] -> [....2.22.40.186][..443]
+ RISK: Susp Entropy
+ idle: [.....6] [ip4][..tcp] [.194.226.199.61][.6946] -> [....2.22.40.186][..443] [TLS][Unknown][Web][Safe]
+ RISK: Susp Entropy
guessed: [.....4] [ip4][..tcp] [..194.226.199.9][49756] -> [..92.223.106.21][..443] [TLS][Unknown][Web][Safe]
+ RISK: Susp Entropy
end: [.....4] [ip4][..tcp] [..194.226.199.9][49756] -> [..92.223.106.21][..443]
- guessed: [.....5] [ip4][..tcp] [194.226.199.103][62580] -> [..217.69.139.59][..443] [TLS][Unknown][Web][Safe]
- end: [.....5] [ip4][..tcp] [194.226.199.103][62580] -> [..217.69.139.59][..443]
+ end: [.....5] [ip4][..tcp] [194.226.199.103][62580] -> [..217.69.139.59][..443] [TLS][Unknown][Web][Safe]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/hls.pcapng.out b/test/results/flow-info/default/hls.pcapng.out
new file mode 100644
index 000000000..29113d42d
--- /dev/null
+++ b/test/results/flow-info/default/hls.pcapng.out
@@ -0,0 +1,9 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..tcp] [...10.215.173.1][41644] -> [.192.168.88.231][.8080]
+ detected: [.....1] [ip4][..tcp] [...10.215.173.1][41644] -> [.192.168.88.231][.8080] [HTTP][Unknown][Web][Acceptable][192.168.88.231]
+ RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI
+ end: [.....1] [ip4][..tcp] [...10.215.173.1][41644] -> [.192.168.88.231][.8080] [HTTP.HLS][Unknown][Web][Fun]
+ RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/http-proxy.pcapng.out b/test/results/flow-info/default/http-proxy.pcapng.out
index 35baf31dc..878adc432 100644
--- a/test/results/flow-info/default/http-proxy.pcapng.out
+++ b/test/results/flow-info/default/http-proxy.pcapng.out
@@ -3,5 +3,7 @@
DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....1] [ip4][..tcp] [..192.168.1.103][.1241] -> [..192.168.1.146][.8080]
detected: [.....1] [ip4][..tcp] [..192.168.1.103][.1241] -> [..192.168.1.146][.8080] [HTTP_Proxy][Unknown][Web][Acceptable][http.com]
+ RISK: Susp Entropy
end: [.....1] [ip4][..tcp] [..192.168.1.103][.1241] -> [..192.168.1.146][.8080] [HTTP_Proxy][Unknown][Web][Acceptable]
+ RISK: Susp Entropy
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/http_asymmetric.pcapng.out b/test/results/flow-info/default/http_asymmetric.pcapng.out
index 1481b9b76..583395338 100644
--- a/test/results/flow-info/default/http_asymmetric.pcapng.out
+++ b/test/results/flow-info/default/http_asymmetric.pcapng.out
@@ -6,11 +6,11 @@
detected: [.....1] [ip4][..tcp] [....192.168.0.1][.1044] -> [.....10.10.10.1][...80] [HTTP][Unknown][Web][Acceptable][proxy.wiresharkfest.acropolis.local]
RISK: Unidirectional Traffic
detected: [.....2] [ip4][..tcp] [..192.168.1.146][...80] -> [..192.168.1.103][.1044] [HTTP][Unknown][Web][Acceptable][]
- RISK: HTTP Susp User-Agent, Unidirectional Traffic
+ RISK: HTTP Susp User-Agent, Susp Entropy, Unidirectional Traffic
detection-update: [.....2] [ip4][..tcp] [..192.168.1.146][...80] -> [..192.168.1.103][.1044] [HTTP][Unknown][Web][Acceptable][]
- RISK: HTTP Susp User-Agent, Error Code, Unidirectional Traffic
+ RISK: HTTP Susp User-Agent, Susp Entropy, Error Code, Unidirectional Traffic
end: [.....2] [ip4][..tcp] [..192.168.1.146][...80] -> [..192.168.1.103][.1044] [HTTP][Unknown][Web][Acceptable]
- RISK: HTTP Susp User-Agent, Error Code, Unidirectional Traffic
+ RISK: HTTP Susp User-Agent, Susp Entropy, Error Code, Unidirectional Traffic
end: [.....1] [ip4][..tcp] [....192.168.0.1][.1044] -> [.....10.10.10.1][...80] [HTTP][Unknown][Web][Acceptable]
RISK: Unidirectional Traffic
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/http_connect.pcap.out b/test/results/flow-info/default/http_connect.pcap.out
index 51abef881..e95b9b9bb 100644
--- a/test/results/flow-info/default/http_connect.pcap.out
+++ b/test/results/flow-info/default/http_connect.pcap.out
@@ -3,6 +3,7 @@
DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....1] [ip4][..tcp] [..192.168.1.103][.1714] -> [..192.168.1.146][.8080]
detected: [.....1] [ip4][..tcp] [..192.168.1.103][.1714] -> [..192.168.1.146][.8080] [HTTP_Connect][Unknown][Web][Acceptable][apache.org]
+ RISK: Susp Entropy
new: [.....2] [ip4][..udp] [..192.168.1.146][47767] -> [....192.168.1.2][...53]
detected: [.....2] [ip4][..udp] [..192.168.1.146][47767] -> [....192.168.1.2][...53] [DNS][Unknown][Network][Acceptable][apache.org]
detection-update: [.....2] [ip4][..udp] [..192.168.1.146][47767] -> [....192.168.1.2][...53] [DNS][Unknown][Network][Acceptable][apache.org]
@@ -32,4 +33,5 @@
idle: [.....2] [ip4][..udp] [..192.168.1.146][47767] -> [....192.168.1.2][...53] [DNS][Unknown][Network][Acceptable]
idle: [.....3] [ip4][..tcp] [..192.168.1.146][35968] -> [..151.101.2.132][..443] [TLS][Unknown][Web][Safe]
idle: [.....1] [ip4][..tcp] [..192.168.1.103][.1714] -> [..192.168.1.146][.8080] [HTTP_Connect][Unknown][Web][Acceptable]
+ RISK: Susp Entropy
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/http_guessed_host_and_guessed.pcapng.out b/test/results/flow-info/default/http_guessed_host_and_guessed.pcapng.out
index 48418eb26..3dd3f4fe3 100644
--- a/test/results/flow-info/default/http_guessed_host_and_guessed.pcapng.out
+++ b/test/results/flow-info/default/http_guessed_host_and_guessed.pcapng.out
@@ -3,6 +3,6 @@
DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....1] [ip4][..tcp] [....170.33.13.5][..110] -> [....192.168.0.1][..179]
guessed: [.....1] [ip4][..tcp] [....170.33.13.5][..110] -> [....192.168.0.1][..179] [POP3][Alibaba][Email][Unsafe]
- RISK: Unsafe Protocol, Unidirectional Traffic, TCP Connection Issues
+ RISK: Unsafe Protocol, Susp Entropy, Unidirectional Traffic, TCP Connection Issues
end: [.....1] [ip4][..tcp] [....170.33.13.5][..110] -> [....192.168.0.1][..179]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/http_ipv6.pcap.out b/test/results/flow-info/default/http_ipv6.pcap.out
index 1f684621e..9547ce50c 100644
--- a/test/results/flow-info/default/http_ipv6.pcap.out
+++ b/test/results/flow-info/default/http_ipv6.pcap.out
@@ -73,7 +73,6 @@
guessed: [....10] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][40308] -> [....2a03:2880:1010:3f20:face:b00c::25de][..443] [TLS][Facebook][Web][Safe]
idle: [....10] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][40308] -> [....2a03:2880:1010:3f20:face:b00c::25de][..443]
guessed: [.....5] [ip6][..udp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][55145] -> [.................2a00:1450:400b:c02::5f][..443] [QUIC][Google][Web][Acceptable]
- RISK: Susp Entropy
idle: [.....5] [ip6][..udp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][55145] -> [.................2a00:1450:400b:c02::5f][..443]
guessed: [....11] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][33062] -> [.................2a00:1450:400b:c02::9a][..443] [TLS][Google][Web][Safe]
idle: [....11] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][33062] -> [.................2a00:1450:400b:c02::9a][..443]
diff --git a/test/results/flow-info/default/http_starting_with_reply.pcapng.out b/test/results/flow-info/default/http_starting_with_reply.pcapng.out
index d0978f7ba..7d5a7c546 100644
--- a/test/results/flow-info/default/http_starting_with_reply.pcapng.out
+++ b/test/results/flow-info/default/http_starting_with_reply.pcapng.out
@@ -3,11 +3,13 @@
DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....1] [ip4][..tcp] [..192.168.1.146][...80] -> [..192.168.1.103][.1044] [MIDSTREAM]
detected: [.....1] [ip4][..tcp] [..192.168.1.146][...80] -> [..192.168.1.103][.1044] [HTTP][Unknown][Web][Acceptable][]
- RISK: HTTP Susp User-Agent
+ RISK: HTTP Susp User-Agent, Susp Entropy
detection-update: [.....1] [ip4][..tcp] [..192.168.1.146][...80] -> [..192.168.1.103][.1044] [HTTP][Unknown][Web][Acceptable][]
- RISK: HTTP Susp User-Agent, Unidirectional Traffic
+ RISK: HTTP Susp User-Agent, Susp Entropy, Unidirectional Traffic
detection-update: [.....1] [ip4][..tcp] [..192.168.1.146][...80] -> [..192.168.1.103][.1044] [HTTP][Unknown][Web][Acceptable][]
- RISK: HTTP Susp User-Agent
+ RISK: HTTP Susp User-Agent, Susp Entropy
detection-update: [.....1] [ip4][..tcp] [..192.168.1.146][...80] -> [..192.168.1.103][.1044] [HTTP][Unknown][Web][Acceptable][proxy.wiresharkfest.acropolis.local]
+ RISK: Susp Entropy
end: [.....1] [ip4][..tcp] [..192.168.1.146][...80] -> [..192.168.1.103][.1044] [HTTP][Unknown][Web][Acceptable]
+ RISK: Susp Entropy
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/icmp-tunnel.pcap.out b/test/results/flow-info/default/icmp-tunnel.pcap.out
index 35c7c8d39..991c4edb6 100644
--- a/test/results/flow-info/default/icmp-tunnel.pcap.out
+++ b/test/results/flow-info/default/icmp-tunnel.pcap.out
@@ -3,7 +3,7 @@
DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132]
detected: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
analyse: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: 0.999| 13.999| 1.420| 2.297| 5274800.751| 4.200]
@@ -15,59 +15,59 @@
[PKTLENS.....: 112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112]
[ENTROPIES...: 5.6,5.6,5.7,5.7,5.7,5.6,5.6,5.6,5.6,5.6,5.6,5.7,5.7,5.6,5.7,5.7,5.7,5.7,5.6,5.7,5.6,5.7,5.6,5.7,5.6,5.7,5.6,5.6,5.7,5.7,5.7,5.7]
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
DAEMON-EVENT: [Processed: 251 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 12]
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
idle: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Unknown][Network][Acceptable]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/instagram.pcap.out b/test/results/flow-info/default/instagram.pcap.out
index 324365a57..810831f2d 100644
--- a/test/results/flow-info/default/instagram.pcap.out
+++ b/test/results/flow-info/default/instagram.pcap.out
@@ -83,6 +83,8 @@
[IATS(ms)....: 0.2,0.9,1.5,2.7,0.5,0.4,0.3,0.4,1.5,0.5,1.2,1.8,0.1,0.0,2.3,0.1,3.2,0.4,3.6,1.0,0.5,0.4,2.0,0.9,0.9,0.7,3.6,0.1,4.7,0.2,7321.5]
[PKTLENS.....: 52,52,1470,1470,52,1470,1470,1470,1470,52,52,1470,1470,1470,1470,52,52,1470,1470,52,1470,1470,1470,52,1470,52,1470,1470,1323,52,52,52]
[ENTROPIES...: 5.0,5.0,7.8,7.8,5.0,7.8,7.8,7.8,7.8,5.0,5.1,7.8,7.8,7.8,7.8,5.1,5.0,7.8,7.8,5.0,7.8,7.8,7.8,5.1,7.8,5.0,7.8,7.8,7.8,5.1,5.1,5.1]
+ guessed: [.....7] [ip4][..tcp] [..192.168.0.103][33976] -> [....77.67.29.17][...80] [HTTP][Unknown][Web][Acceptable][]
+ RISK: Susp Entropy
new: [....17] [ip4][..udp] [..192.168.0.103][51219] -> [........8.8.8.8][...53]
detected: [....17] [ip4][..udp] [..192.168.0.103][51219] -> [........8.8.8.8][...53] [DNS.Instagram][Google][Network][Fun][igcdn-photos-h-a.akamaihd.net]
new: [....18] [ip4][..udp] [..192.168.0.103][33603] -> [........8.8.8.8][...53]
@@ -147,6 +149,7 @@
[IATS(ms)....: 0.4,1.5,1.6,0.5,0.5,0.8,1.5,0.1,0.0,1.6,2.2,2.1,0.4,0.2,0.6,0.4,1.3,1.7,0.5,0.2,0.6,0.6,1.0,1.7,0.3,0.5,0.9,0.8,0.3,1.0,0.7]
[PKTLENS.....: 1450,52,1450,52,1450,1450,52,1450,1450,1450,52,1450,52,1450,1450,52,1450,1450,52,1450,1450,52,1450,1450,52,1450,1450,52,1450,1450,52,1450]
[ENTROPIES...: 7.8,5.0,7.5,5.0,7.9,7.9,5.0,7.8,7.4,7.5,5.0,7.9,5.0,7.8,7.9,5.0,7.8,7.8,5.0,7.2,7.8,5.0,7.8,7.9,5.0,7.8,7.8,5.0,7.4,7.9,5.0,7.9]
+ guessed: [....28] [ip4][..tcp] [....31.13.86.52][...80] -> [..192.168.0.103][58216] [HTTP][Facebook][Web][Acceptable][]
update: [....14] [ip4][.icmp] [..192.168.0.103] -> [..192.168.0.103] [ICMP][Unknown][Network][Acceptable]
new: [....29] [ip4][..tcp] [....2.22.236.51][...80] -> [..192.168.0.103][44151] [MIDSTREAM]
new: [....30] [ip4][..tcp] [..192.168.0.103][58690] -> [...46.33.70.159][..443] [MIDSTREAM]
@@ -163,12 +166,13 @@
[IATS(ms)....: 0.1,2.1,0.4,3.4,0.0,3.2,2.3,0.4,0.9,1.9,0.2,2.6,1.8,3.8,0.1,3.8,0.2,1.3,1.3,0.4,0.2,0.2,0.3,0.5,0.5,0.9,0.9,2.1,2.1,2.0,0.1]
[PKTLENS.....: 1470,52,1470,1470,52,52,1470,52,1470,1470,52,52,1470,52,1470,1470,52,52,1470,52,1470,52,1470,52,1470,52,1470,52,1470,52,1470,1470]
[ENTROPIES...: 7.8,5.1,7.8,7.8,5.1,5.1,7.8,5.1,7.8,7.7,5.0,5.1,7.7,5.1,7.7,7.8,5.2,5.1,7.7,5.2,7.8,5.2,7.8,5.2,7.8,5.1,7.8,5.1,7.8,5.1,7.8,7.8]
+ guessed: [....29] [ip4][..tcp] [....2.22.236.51][...80] -> [..192.168.0.103][44151] [HTTP][Unknown][Web][Acceptable][]
new: [....32] [ip4][..tcp] [...46.33.70.150][...80] -> [..192.168.0.103][40855]
update: [.....9] [ip4][..udp] [..192.168.0.106][17500] -> [255.255.255.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
update: [....10] [ip4][..udp] [..192.168.0.106][17500] -> [..192.168.0.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
update: [....11] [ip4][..udp] [....192.168.0.1][..520] -> [..192.168.0.255][..520]
DAEMON-EVENT: [Processed: 633 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 32 / 32|skipped: 0|!detected: 0|guessed: 0|detection-updates: 12|updates: 4]
+ DAEMON-EVENT: [Flows][active: 32 / 32|skipped: 0|!detected: 0|guessed: 3|detection-updates: 12|updates: 4]
new: [....33] [ip4][..tcp] [...192.168.2.17][49355] -> [....31.13.86.52][..443]
detected: [....33] [ip4][..tcp] [...192.168.2.17][49355] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun][scontent-mxp1-1.cdninstagram.com]
detection-update: [....33] [ip4][..tcp] [...192.168.2.17][49355] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun][scontent-mxp1-1.cdninstagram.com]
@@ -192,9 +196,8 @@
guessed: [....19] [ip4][..tcp] [..192.168.0.103][57966] -> [...82.85.26.185][...80] [HTTP][Unknown][Web][Acceptable][]
end: [....19] [ip4][..tcp] [..192.168.0.103][57966] -> [...82.85.26.185][...80]
end: [....30] [ip4][..tcp] [..192.168.0.103][58690] -> [...46.33.70.159][..443] [TLS][Unknown][Web][Safe]
- guessed: [.....7] [ip4][..tcp] [..192.168.0.103][33976] -> [....77.67.29.17][...80] [HTTP][Unknown][Web][Acceptable][]
+ end: [.....7] [ip4][..tcp] [..192.168.0.103][33976] -> [....77.67.29.17][...80] [HTTP][Unknown][Web][Acceptable]
RISK: Susp Entropy
- end: [.....7] [ip4][..tcp] [..192.168.0.103][33976] -> [....77.67.29.17][...80]
idle: [....17] [ip4][..udp] [..192.168.0.103][51219] -> [........8.8.8.8][...53] [DNS.Instagram][Google][Network][Fun]
idle: [....26] [ip4][..tcp] [..192.168.0.103][58052] -> [...82.85.26.162][...80] [HTTP.Instagram][Unknown][SocialNetwork][Fun]
idle: [....27] [ip4][..tcp] [..192.168.0.103][58053] -> [...82.85.26.162][...80] [HTTP.Instagram][Unknown][SocialNetwork][Fun]
@@ -202,9 +205,7 @@
idle: [.....9] [ip4][..udp] [..192.168.0.106][17500] -> [255.255.255.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
idle: [....24] [ip4][..tcp] [..192.168.0.103][60908] -> [...46.33.70.136][..443] [TLS.Instagram][Unknown][SocialNetwork][Fun]
RISK: Obsolete TLS (v1.1 or older)
- guessed: [....28] [ip4][..tcp] [....31.13.86.52][...80] -> [..192.168.0.103][58216] [HTTP][Facebook][Web][Acceptable][]
- RISK: Susp Entropy
- idle: [....28] [ip4][..tcp] [....31.13.86.52][...80] -> [..192.168.0.103][58216]
+ idle: [....28] [ip4][..tcp] [....31.13.86.52][...80] -> [..192.168.0.103][58216] [HTTP][Facebook][Web][Acceptable]
idle: [....21] [ip4][..tcp] [..192.168.0.103][44558] -> [...46.33.70.174][..443] [TLS.Instagram][Unknown][SocialNetwork][Fun]
RISK: Obsolete TLS (v1.1 or older)
guessed: [....32] [ip4][..tcp] [...46.33.70.150][...80] -> [..192.168.0.103][40855] [HTTP][Unknown][Web][Acceptable][]
@@ -217,9 +218,7 @@
idle: [.....1] [ip4][..tcp] [..192.168.0.103][56382] -> [..173.252.107.4][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun]
RISK: Obsolete TLS (v1.1 or older)
idle: [....15] [ip4][..tcp] [..192.168.0.103][33763] -> [....31.13.93.52][..443] [TLS][Facebook][Web][Safe]
- guessed: [....29] [ip4][..tcp] [....2.22.236.51][...80] -> [..192.168.0.103][44151] [HTTP][Unknown][Web][Acceptable][]
- RISK: Susp Entropy
- idle: [....29] [ip4][..tcp] [....2.22.236.51][...80] -> [..192.168.0.103][44151]
+ idle: [....29] [ip4][..tcp] [....2.22.236.51][...80] -> [..192.168.0.103][44151] [HTTP][Unknown][Web][Acceptable]
end: [.....5] [ip4][..tcp] [..192.168.0.103][44379] -> [...82.85.26.186][...80] [HTTP.Instagram][Unknown][SocialNetwork][Fun]
idle: [....12] [ip4][..tcp] [....31.13.93.52][..443] -> [..192.168.0.103][33934] [TLS][Facebook][Web][Safe]
idle: [....13] [ip4][..tcp] [..192.168.0.103][33935] -> [....31.13.93.52][..443] [TLS][Facebook][Web][Safe]
@@ -228,7 +227,6 @@
not-detected: [....11] [ip4][..udp] [....192.168.0.1][..520] -> [..192.168.0.255][..520] [Unknown][Unknown][Unrated]
idle: [....11] [ip4][..udp] [....192.168.0.1][..520] -> [..192.168.0.255][..520]
guessed: [....25] [ip4][..tcp] [..92.122.48.138][...80] -> [..192.168.0.103][41562] [HTTP][Unknown][Web][Acceptable][]
- RISK: Susp Entropy
idle: [....25] [ip4][..tcp] [..92.122.48.138][...80] -> [..192.168.0.103][41562]
new: [....37] [ip4][..tcp] [...192.168.2.17][49360] -> [....31.13.86.52][..443]
new: [....38] [ip4][..tcp] [...192.168.2.17][49361] -> [....31.13.86.52][..443]
diff --git a/test/results/flow-info/default/ipsec_isakmp_esp.pcap.out b/test/results/flow-info/default/ipsec_isakmp_esp.pcap.out
index 15991b75f..7af13fbb6 100644
--- a/test/results/flow-info/default/ipsec_isakmp_esp.pcap.out
+++ b/test/results/flow-info/default/ipsec_isakmp_esp.pcap.out
@@ -69,7 +69,7 @@
detected: [.....9] [ip4][..udp] [..192.168.2.100][10500] -> [109.237.187.225][..500] [IPSec][Unknown][VPN][Safe]
new: [....10] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.225][.4500]
detected: [....10] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.225][.4500] [IPSec][Unknown][VPN][Safe]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
idle: [.....8] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.194][.4500] [IPSec][Unknown][VPN][Safe]
idle: [.....7] [ip4][..udp] [..192.168.2.100][10500] -> [109.237.187.194][..500] [IPSec][Unknown][VPN][Safe]
new: [....11] [ip4][..udp] [..192.168.2.100][10500] -> [109.237.187.131][..500]
@@ -78,7 +78,7 @@
new: [....12] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.131][.4500]
detected: [....12] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.131][.4500] [IPSec][Unknown][VPN][Safe]
idle: [....10] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.225][.4500] [IPSec][Unknown][VPN][Safe]
- RISK: Malformed Packet
+ RISK: Malformed Packet, Susp Entropy
idle: [.....9] [ip4][..udp] [..192.168.2.100][10500] -> [109.237.187.225][..500] [IPSec][Unknown][VPN][Safe]
DAEMON-EVENT: [Processed: 225 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 2 / 12|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 18]
diff --git a/test/results/flow-info/default/iqiyi.pcap.out b/test/results/flow-info/default/iqiyi.pcap.out
new file mode 100644
index 000000000..5f94f709d
--- /dev/null
+++ b/test/results/flow-info/default/iqiyi.pcap.out
@@ -0,0 +1,7 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..udp] [...10.215.173.1][50412] -> [116.211.199.199][16600]
+ detected: [.....1] [ip4][..udp] [...10.215.173.1][50412] -> [116.211.199.199][16600] [iQIYI][Unknown][Streaming][Fun]
+ idle: [.....1] [ip4][..udp] [...10.215.173.1][50412] -> [116.211.199.199][16600] [iQIYI][Unknown][Streaming][Fun]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/jabber.pcap.out b/test/results/flow-info/default/jabber.pcap.out
index bf1585c0e..c20860060 100644
--- a/test/results/flow-info/default/jabber.pcap.out
+++ b/test/results/flow-info/default/jabber.pcap.out
@@ -36,6 +36,7 @@
detected: [.....5] [ip4][..tcp] [....172.16.0.62][57147] -> [...172.16.1.138][.5222] [Jabber][Unknown][Web][Acceptable]
new: [.....6] [ip4][..tcp] [....172.16.0.62][57149] -> [...172.16.1.138][.5222] [MIDSTREAM]
detected: [.....6] [ip4][..tcp] [....172.16.0.62][57149] -> [...172.16.1.138][.5222] [Jabber][Unknown][Web][Acceptable]
+ RISK: Susp Entropy
end: [.....5] [ip4][..tcp] [....172.16.0.62][57147] -> [...172.16.1.138][.5222] [Jabber][Unknown][Web][Acceptable]
DAEMON-EVENT: [Processed: 243 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 4 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
@@ -57,6 +58,7 @@
idle: [.....2] [ip4][..tcp] [....172.16.0.62][57122] -> [...172.16.1.138][.5222] [Jabber][Unknown][Web][Acceptable]
idle: [.....4] [ip4][..tcp] [....172.16.0.62][57129] -> [...172.16.1.138][.5222] [Jabber][Unknown][Web][Acceptable]
idle: [.....6] [ip4][..tcp] [....172.16.0.62][57149] -> [...172.16.1.138][.5222] [Jabber][Unknown][Web][Acceptable]
+ RISK: Susp Entropy
DAEMON-EVENT: [Processed: 283 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 1 / 7|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....8] [ip4][..tcp] [..192.168.2.100][34218] -> [.160.44.201.102][.5223]
diff --git a/test/results/flow-info/default/jrmi.pcap.out b/test/results/flow-info/default/jrmi.pcap.out
new file mode 100644
index 000000000..5c32036b2
--- /dev/null
+++ b/test/results/flow-info/default/jrmi.pcap.out
@@ -0,0 +1,7 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..tcp] [......127.0.0.1][34450] -> [......127.0.1.1][.1099]
+ detected: [.....1] [ip4][..tcp] [......127.0.0.1][34450] -> [......127.0.1.1][.1099] [JRMI][Unknown][RPC][Acceptable]
+ end: [.....1] [ip4][..tcp] [......127.0.0.1][34450] -> [......127.0.1.1][.1099] [JRMI][Unknown][RPC][Acceptable]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/kafka.pcapng.out b/test/results/flow-info/default/kafka.pcapng.out
index 370172211..49f12def8 100644
--- a/test/results/flow-info/default/kafka.pcapng.out
+++ b/test/results/flow-info/default/kafka.pcapng.out
@@ -1,7 +1,47 @@
DAEMON-EVENT: init
DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
- new: [.....1] [ip4][..tcp] [......127.0.0.1][46136] -> [......127.0.0.1][.9092]
- detected: [.....1] [ip4][..tcp] [......127.0.0.1][46136] -> [......127.0.0.1][.9092] [Kafka][Unknown][RPC][Acceptable]
- end: [.....1] [ip4][..tcp] [......127.0.0.1][46136] -> [......127.0.0.1][.9092] [Kafka][Unknown][RPC][Acceptable]
+ new: [.....1] [ip4][..tcp] [..172.16.17.101][49280] -> [...172.30.0.237][.9092] [MIDSTREAM]
+ detected: [.....1] [ip4][..tcp] [..172.16.17.101][49280] -> [...172.30.0.237][.9092] [Kafka][Unknown][RPC][Acceptable]
+ DAEMON-EVENT: [Processed: 4 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ DAEMON-EVENT: [Processed: 5 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....2] [ip4][..tcp] [...172.30.0.237][.9092] -> [..172.16.17.101][58052] [MIDSTREAM]
+ DAEMON-EVENT: [Processed: 10 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 2 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....3] [ip4][..tcp] [..172.16.17.101][40042] -> [...172.30.0.237][.9092] [MIDSTREAM]
+ detected: [.....3] [ip4][..tcp] [..172.16.17.101][40042] -> [...172.30.0.237][.9092] [Kafka][Unknown][RPC][Acceptable]
+ idle: [.....1] [ip4][..tcp] [..172.16.17.101][49280] -> [...172.30.0.237][.9092] [Kafka][Unknown][RPC][Acceptable]
+ guessed: [.....2] [ip4][..tcp] [...172.30.0.237][.9092] -> [..172.16.17.101][58052] [Kafka][Unknown][RPC][Acceptable]
+ idle: [.....2] [ip4][..tcp] [...172.30.0.237][.9092] -> [..172.16.17.101][58052]
+ DAEMON-EVENT: [Processed: 12 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 3|skipped: 0|!detected: 0|guessed: 1|detection-updates: 0|updates: 0]
+ new: [.....4] [ip4][..tcp] [..172.16.17.101][56556] -> [...172.30.0.237][.9092] [MIDSTREAM]
+ detected: [.....4] [ip4][..tcp] [..172.16.17.101][56556] -> [...172.30.0.237][.9092] [Kafka][Unknown][RPC][Acceptable]
+ DAEMON-EVENT: [Processed: 14 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 2 / 4|skipped: 0|!detected: 0|guessed: 1|detection-updates: 0|updates: 0]
+ new: [.....5] [ip4][..tcp] [..172.16.17.101][38176] -> [...172.30.0.237][.9092] [MIDSTREAM]
+ detected: [.....5] [ip4][..tcp] [..172.16.17.101][38176] -> [...172.30.0.237][.9092] [Kafka][Unknown][RPC][Acceptable]
+ new: [.....6] [ip4][..tcp] [..172.16.17.101][53768] -> [...172.30.0.237][.9092] [MIDSTREAM]
+ detected: [.....6] [ip4][..tcp] [..172.16.17.101][53768] -> [...172.30.0.237][.9092] [Kafka][Unknown][RPC][Acceptable]
+ idle: [.....3] [ip4][..tcp] [..172.16.17.101][40042] -> [...172.30.0.237][.9092] [Kafka][Unknown][RPC][Acceptable]
+ idle: [.....4] [ip4][..tcp] [..172.16.17.101][56556] -> [...172.30.0.237][.9092] [Kafka][Unknown][RPC][Acceptable]
+ DAEMON-EVENT: [Processed: 20 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 2 / 6|skipped: 0|!detected: 0|guessed: 1|detection-updates: 0|updates: 0]
+ new: [.....7] [ip4][..tcp] [..172.16.17.101][58300] -> [...172.30.0.237][.9092] [MIDSTREAM]
+ detected: [.....7] [ip4][..tcp] [..172.16.17.101][58300] -> [...172.30.0.237][.9092] [Kafka][Unknown][RPC][Acceptable]
+ DAEMON-EVENT: [Processed: 21 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 3 / 7|skipped: 0|!detected: 0|guessed: 1|detection-updates: 0|updates: 0]
+ new: [.....8] [ip4][..tcp] [..172.16.17.101][53052] -> [...172.30.0.237][.9092] [MIDSTREAM]
+ detected: [.....8] [ip4][..tcp] [..172.16.17.101][53052] -> [...172.30.0.237][.9092] [Kafka][Unknown][RPC][Acceptable]
+ DAEMON-EVENT: [Processed: 22 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 4 / 8|skipped: 0|!detected: 0|guessed: 1|detection-updates: 0|updates: 0]
+ new: [.....9] [ip4][..tcp] [......127.0.0.1][46136] -> [......127.0.0.1][.9092]
+ detected: [.....9] [ip4][..tcp] [......127.0.0.1][46136] -> [......127.0.0.1][.9092] [Kafka][Unknown][RPC][Acceptable]
+ idle: [.....5] [ip4][..tcp] [..172.16.17.101][38176] -> [...172.30.0.237][.9092] [Kafka][Unknown][RPC][Acceptable]
+ idle: [.....8] [ip4][..tcp] [..172.16.17.101][53052] -> [...172.30.0.237][.9092] [Kafka][Unknown][RPC][Acceptable]
+ idle: [.....6] [ip4][..tcp] [..172.16.17.101][53768] -> [...172.30.0.237][.9092] [Kafka][Unknown][RPC][Acceptable]
+ idle: [.....7] [ip4][..tcp] [..172.16.17.101][58300] -> [...172.30.0.237][.9092] [Kafka][Unknown][RPC][Acceptable]
+ end: [.....9] [ip4][..tcp] [......127.0.0.1][46136] -> [......127.0.0.1][.9092] [Kafka][Unknown][RPC][Acceptable]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/kerberos.pcap.out b/test/results/flow-info/default/kerberos.pcap.out
index f7ae85f6e..b659efba8 100644
--- a/test/results/flow-info/default/kerberos.pcap.out
+++ b/test/results/flow-info/default/kerberos.pcap.out
@@ -60,40 +60,52 @@
idle: [.....1] [ip4][..tcp] [...172.16.8.201][49157] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
idle: [.....2] [ip4][..tcp] [...172.16.8.201][49158] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
guessed: [.....3] [ip4][..tcp] [...172.16.8.201][49159] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
idle: [.....3] [ip4][..tcp] [...172.16.8.201][49159] -> [.....172.16.8.8][...88]
idle: [.....4] [ip4][..tcp] [...172.16.8.201][49160] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
guessed: [.....6] [ip4][..tcp] [...172.16.8.201][49162] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
idle: [.....6] [ip4][..tcp] [...172.16.8.201][49162] -> [.....172.16.8.8][...88]
idle: [.....8] [ip4][..tcp] [...172.16.8.201][49166] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
idle: [.....9] [ip4][..tcp] [...172.16.8.201][49167] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
guessed: [....10] [ip4][..tcp] [...172.16.8.201][49168] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
idle: [....10] [ip4][..tcp] [...172.16.8.201][49168] -> [.....172.16.8.8][...88]
guessed: [....13] [ip4][..tcp] [...172.16.8.201][49170] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
idle: [....13] [ip4][..tcp] [...172.16.8.201][49170] -> [.....172.16.8.8][...88]
idle: [....14] [ip4][..tcp] [...172.16.8.201][49171] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
guessed: [....15] [ip4][..tcp] [...172.16.8.201][49173] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
RISK: Susp Entropy
idle: [....15] [ip4][..tcp] [...172.16.8.201][49173] -> [.....172.16.8.8][...88]
guessed: [....17] [ip4][..tcp] [...172.16.8.201][49175] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
idle: [....17] [ip4][..tcp] [...172.16.8.201][49175] -> [.....172.16.8.8][...88]
idle: [....18] [ip4][..tcp] [...172.16.8.201][49176] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
idle: [....22] [ip4][..tcp] [...172.16.8.201][49181] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
idle: [....23] [ip4][..tcp] [...172.16.8.201][49182] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
guessed: [....24] [ip4][..tcp] [...172.16.8.201][49183] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
idle: [....24] [ip4][..tcp] [...172.16.8.201][49183] -> [.....172.16.8.8][...88]
guessed: [....25] [ip4][..tcp] [...172.16.8.201][49186] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
idle: [....25] [ip4][..tcp] [...172.16.8.201][49186] -> [.....172.16.8.8][...88]
idle: [....27] [ip4][..tcp] [...172.16.8.201][49187] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
idle: [....28] [ip4][..tcp] [...172.16.8.201][49188] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
guessed: [....29] [ip4][..tcp] [...172.16.8.201][49189] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
idle: [....29] [ip4][..tcp] [...172.16.8.201][49189] -> [.....172.16.8.8][...88]
guessed: [....30] [ip4][..tcp] [...172.16.8.201][49190] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
idle: [....30] [ip4][..tcp] [...172.16.8.201][49190] -> [.....172.16.8.8][...88]
guessed: [....31] [ip4][..tcp] [...172.16.8.201][49192] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
idle: [....31] [ip4][..tcp] [...172.16.8.201][49192] -> [.....172.16.8.8][...88]
guessed: [....34] [ip4][..tcp] [...172.16.8.201][49195] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
idle: [....34] [ip4][..tcp] [...172.16.8.201][49195] -> [.....172.16.8.8][...88]
guessed: [....35] [ip4][..tcp] [...172.16.8.201][49196] -> [.....172.16.8.8][...88] [Kerberos][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
idle: [....35] [ip4][..tcp] [...172.16.8.201][49196] -> [.....172.16.8.8][...88]
guessed: [.....7] [ip4][..tcp] [...172.16.8.201][49161] -> [.....172.16.8.8][..389] [LDAP][Unknown][System][Acceptable]
RISK: Susp Entropy
diff --git a/test/results/flow-info/default/knxip.pcapng.out b/test/results/flow-info/default/knxip.pcapng.out
new file mode 100644
index 000000000..53077dbbb
--- /dev/null
+++ b/test/results/flow-info/default/knxip.pcapng.out
@@ -0,0 +1,10 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..udp] [.192.168.88.231][41343] -> [....224.0.23.12][.3671]
+ detected: [.....1] [ip4][..udp] [.192.168.88.231][41343] -> [....224.0.23.12][.3671] [KNXnet_IP][Unknown][IoT-Scada][Acceptable]
+ new: [.....2] [ip4][..tcp] [...192.168.1.28][.3671] -> [...192.168.1.24][54445] [MIDSTREAM]
+ detected: [.....2] [ip4][..tcp] [...192.168.1.28][.3671] -> [...192.168.1.24][54445] [KNXnet_IP][Unknown][IoT-Scada][Acceptable]
+ idle: [.....1] [ip4][..udp] [.192.168.88.231][41343] -> [....224.0.23.12][.3671] [KNXnet_IP][Unknown][IoT-Scada][Acceptable]
+ idle: [.....2] [ip4][..tcp] [...192.168.1.28][.3671] -> [...192.168.1.24][54445] [KNXnet_IP][Unknown][IoT-Scada][Acceptable]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/kontiki.pcap.out b/test/results/flow-info/default/kontiki.pcap.out
deleted file mode 100644
index b9df63015..000000000
--- a/test/results/flow-info/default/kontiki.pcap.out
+++ /dev/null
@@ -1,43 +0,0 @@
- DAEMON-EVENT: init
- DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
- new: [.....1] [ip4][..udp] [....10.25.32.59][19948] -> [255.255.255.255][19948]
- new: [.....2] [ip4][..udp] [....10.25.32.59][19948] -> [..64.200.148.82][.1948]
- new: [.....3] [ip4][..udp] [....10.25.32.59][19948] -> [..64.200.148.86][.8888]
- detected: [.....3] [ip4][..udp] [....10.25.32.59][19948] -> [..64.200.148.86][.8888] [Kontiki][Unknown][Media][Potentially Dangerous]
- RISK: Unsafe Protocol
- new: [.....4] [ip4][.icmp] [...10.25.249.14] -> [....10.25.32.59]
- detected: [.....4] [ip4][.icmp] [...10.25.249.14] -> [....10.25.32.59] [ICMP][Unknown][Network][Acceptable]
- new: [.....5] [ip4][..udp] [....10.25.32.59][19948] -> [..64.200.148.88][...80]
- detected: [.....5] [ip4][..udp] [....10.25.32.59][19948] -> [..64.200.148.88][...80] [Kontiki][Unknown][Media][Potentially Dangerous]
- RISK: Unsafe Protocol
- new: [.....6] [ip4][.icmp] [.....10.25.32.3] -> [....10.25.32.59]
- detected: [.....6] [ip4][.icmp] [.....10.25.32.3] -> [....10.25.32.59] [ICMP][Unknown][Network][Acceptable]
- new: [.....7] [ip4][.icmp] [216.168.241.157] -> [....10.25.32.59]
- detected: [.....7] [ip4][.icmp] [216.168.241.157] -> [....10.25.32.59] [ICMP][Unknown][Network][Acceptable]
- new: [.....8] [ip4][.icmp] [...4.79.219.125] -> [....10.25.32.59]
- detected: [.....8] [ip4][.icmp] [...4.79.219.125] -> [....10.25.32.59] [ICMP][Unknown][Network][Acceptable]
- analyse: [.....3] [ip4][..udp] [....10.25.32.59][19948] -> [..64.200.148.86][.8888] [Kontiki][Unknown][Media][Potentially Dangerous]
- min| max| avg| stddev| variance| entropy
- [IAT.........: < 0.001| 0.608| 0.045| 0.118| 13931.400| 2.600]
- [PKTLEN......: 32.000| 1269.000| 804.400| 568.000| 322604.600| 4.500]
- [BINS(c->s)..: 7,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- [BINS(s->c)..: 1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0,0]
- [DIRECTIONS..: 0,0,0,0,1,0,1,0,1,0,1,1,1,1,0,1,1,1,1,1,0,1,1,1,1,1,1,0,1,1,1,1]
- [IATS(ms)....: 198.6,212.4,193.8,607.7,3.1,5.8,31.2,30.0,8.8,9.1,0.1,0.2,0.0,19.4,18.3,0.1,0.1,0.1,0.1,15.3,14.9,0.0,0.2,0.1,0.0,0.1,15.9,15.4,0.0,0.1,0.1]
- [PKTLENS.....: 32,32,32,48,56,245,499,232,204,118,1269,1269,1269,1269,44,1269,1269,1269,1269,1269,44,1269,1269,1269,1269,1269,1269,44,1269,1269,1269,1269]
- [ENTROPIES...: 4.3,4.4,4.4,4.8,5.1,6.3,7.3,7.0,6.9,6.2,7.9,7.8,7.8,7.8,4.9,7.8,7.8,7.8,7.8,7.8,4.9,7.9,7.8,7.8,7.8,7.9,7.8,4.9,7.8,7.8,7.9,7.9]
- idle: [.....8] [ip4][.icmp] [...4.79.219.125] -> [....10.25.32.59] [ICMP][Unknown][Network][Acceptable]
- idle: [.....7] [ip4][.icmp] [216.168.241.157] -> [....10.25.32.59] [ICMP][Unknown][Network][Acceptable]
- idle: [.....3] [ip4][..udp] [....10.25.32.59][19948] -> [..64.200.148.86][.8888] [Kontiki][Unknown][Media][Potentially Dangerous]
- RISK: Unsafe Protocol
- idle: [.....6] [ip4][.icmp] [.....10.25.32.3] -> [....10.25.32.59] [ICMP][Unknown][Network][Acceptable]
- idle: [.....4] [ip4][.icmp] [...10.25.249.14] -> [....10.25.32.59] [ICMP][Unknown][Network][Acceptable]
- not-detected: [.....1] [ip4][..udp] [....10.25.32.59][19948] -> [255.255.255.255][19948] [Unknown][Unknown][Unrated]
- idle: [.....1] [ip4][..udp] [....10.25.32.59][19948] -> [255.255.255.255][19948]
- not-detected: [.....2] [ip4][..udp] [....10.25.32.59][19948] -> [..64.200.148.82][.1948] [Unknown][Unknown][Unrated]
- RISK: Susp Entropy
- idle: [.....2] [ip4][..udp] [....10.25.32.59][19948] -> [..64.200.148.82][.1948]
- idle: [.....5] [ip4][..udp] [....10.25.32.59][19948] -> [..64.200.148.88][...80] [Kontiki][Unknown][Media][Potentially Dangerous]
- RISK: Unsafe Protocol
- DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/ldp.pcap.out b/test/results/flow-info/default/ldp.pcap.out
new file mode 100644
index 000000000..dee2f177b
--- /dev/null
+++ b/test/results/flow-info/default/ldp.pcap.out
@@ -0,0 +1,13 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..udp] [.......10.0.0.2][..646] -> [......224.0.0.2][..646]
+ detected: [.....1] [ip4][..udp] [.......10.0.0.2][..646] -> [......224.0.0.2][..646] [LDP][Unknown][Network][Acceptable]
+ new: [.....2] [ip4][..udp] [.......10.0.0.1][..646] -> [......224.0.0.2][..646]
+ detected: [.....2] [ip4][..udp] [.......10.0.0.1][..646] -> [......224.0.0.2][..646] [LDP][Unknown][Network][Acceptable]
+ new: [.....3] [ip4][..tcp] [.......10.0.1.1][45334] -> [.......10.0.0.6][..646] [MIDSTREAM]
+ detected: [.....3] [ip4][..tcp] [.......10.0.1.1][45334] -> [.......10.0.0.6][..646] [LDP][Unknown][Network][Acceptable]
+ idle: [.....3] [ip4][..tcp] [.......10.0.1.1][45334] -> [.......10.0.0.6][..646] [LDP][Unknown][Network][Acceptable]
+ idle: [.....2] [ip4][..udp] [.......10.0.0.1][..646] -> [......224.0.0.2][..646] [LDP][Unknown][Network][Acceptable]
+ idle: [.....1] [ip4][..udp] [.......10.0.0.2][..646] -> [......224.0.0.2][..646] [LDP][Unknown][Network][Acceptable]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/log4j-webapp-exploit.pcap.out b/test/results/flow-info/default/log4j-webapp-exploit.pcap.out
index b5f515b83..82d6769e4 100644
--- a/test/results/flow-info/default/log4j-webapp-exploit.pcap.out
+++ b/test/results/flow-info/default/log4j-webapp-exploit.pcap.out
@@ -27,6 +27,7 @@
[IATS(ms)....: 0.1,0.2,7288.6,7288.6,60.5,60.7,0.3,0.2,0.1,0.1,0.1,0.1,0.1,0.1,0.2,0.2,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.1]
[PKTLENS.....: 60,60,52,55,52,53,52,53,52,53,52,53,52,53,52,53,52,53,52,55,52,57,52,55,52,55,52,55,52,55,52,55]
[ENTROPIES...: 4.5,5.1,5.0,5.1,4.9,5.0,4.9,5.0,4.8,4.9,4.9,5.0,4.9,5.0,4.9,4.9,4.9,4.9,4.9,4.9,4.9,5.0,4.8,5.0,4.9,5.0,4.9,5.0,4.9,5.0,4.9,4.9]
+ not-detected: [.....4] [ip4][..tcp] [..172.16.238.10][55408] -> [....10.10.10.31][.9001] [Unknown][Unknown][Unrated]
new: [.....5] [ip4][..tcp] [..172.16.238.10][57742] -> [..172.16.238.11][.1389]
detected: [.....5] [ip4][..tcp] [..172.16.238.10][57742] -> [..172.16.238.11][.1389] [LDAP][Unknown][System][Acceptable]
RISK: Known Proto on Non Std Port
@@ -40,8 +41,7 @@
RISK: Known Proto on Non Std Port
idle: [.....1] [ip4][..tcp] [...172.16.238.1][.1984] -> [..172.16.238.10][.8080] [HTTP][Unknown][Web][Acceptable]
RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI, HTTP Susp Header, Possible Exploit Attempt
- not-detected: [.....4] [ip4][..tcp] [..172.16.238.10][55408] -> [....10.10.10.31][.9001] [Unknown][Unknown][Unrated]
- end: [.....4] [ip4][..tcp] [..172.16.238.10][55408] -> [....10.10.10.31][.9001]
+ end: [.....4] [ip4][..tcp] [..172.16.238.10][55408] -> [....10.10.10.31][.9001] [Unknown][Unknown][Unrated]
not-detected: [.....7] [ip4][..tcp] [..172.16.238.10][55498] -> [....10.10.10.31][.9001] [Unknown][Unknown][Unrated]
RISK: TCP Connection Issues
end: [.....7] [ip4][..tcp] [..172.16.238.10][55498] -> [....10.10.10.31][.9001]
diff --git a/test/results/flow-info/default/lru_ipv6_caches.pcapng.out b/test/results/flow-info/default/lru_ipv6_caches.pcapng.out
index 8d8174ec0..f78bd9ee9 100644
--- a/test/results/flow-info/default/lru_ipv6_caches.pcapng.out
+++ b/test/results/flow-info/default/lru_ipv6_caches.pcapng.out
@@ -2,7 +2,7 @@
DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....1] [ip6][..udp] [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] -> [20ed:470f:6f73:ce60:60be:8b4f:df37:b080][45658]
- detected: [.....1] [ip6][..udp] [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] -> [20ed:470f:6f73:ce60:60be:8b4f:df37:b080][45658] [STUN][Unknown][Network][Acceptable][]
+ detected: [.....1] [ip6][..udp] [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] -> [20ed:470f:6f73:ce60:60be:8b4f:df37:b080][45658] [RTCP][Unknown][VoIP][Acceptable]
new: [.....2] [ip6][..udp] [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] -> [3024:e5ee:ac2f:cd76:5dd6:a7a1:f17f:5c27][60506]
detected: [.....2] [ip6][..udp] [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] -> [3024:e5ee:ac2f:cd76:5dd6:a7a1:f17f:5c27][60506] [BitTorrent][Unknown][Download][Acceptable]
RISK: Known Proto on Non Std Port
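Review bot: The new baseline reclassifies flow 1 (source port `.3478`) from `[STUN][Unknown][Network]` to `[RTCP][Unknown][VoIP]` in the `detected:` line, and 3478 is the conventional STUN/TURN port, so a reader cannot tell from the fixture alone whether this is an intended upstream classification change or a regression being baked into the expected output. The matching `idle:` line for the same flow further down this file is updated identically, so the fixture is at least internally consistent. I would confirm the reclassification against the libnDPI revision this bump targets before accepting the baseline, since a STUN-to-RTCP swap on the STUN port is the kind of detection drift the fixtures exist to catch.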
@@ -27,21 +27,21 @@
detection-update: [.....7] [ip6][..udp] [2118:ec33:112b:7908:2c80:27ff:fef7:d71f][48415] -> [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][]
RISK: Unidirectional Traffic
new: [.....8] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44144]
- detected: [.....8] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44144] [TLS][Unknown][Web][Safe][]
+ detected: [.....8] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44144] [TLS][Unknown][Web][Safe]
RISK: Unidirectional Traffic
- detection-update: [.....8] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44144] [TLS.Cloudflare][Unknown][Web][Acceptable][]
+ detection-update: [.....8] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44144] [TLS.Cloudflare][Unknown][Web][Acceptable]
RISK: Unidirectional Traffic
new: [.....9] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44150]
- detected: [.....9] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44150] [TLS.Cloudflare][Unknown][Web][Acceptable][]
+ detected: [.....9] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44150] [TLS.Cloudflare][Unknown][Web][Acceptable]
RISK: Unidirectional Traffic
- detection-update: [.....9] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44150] [TLS.Cloudflare][Unknown][Web][Acceptable][]
+ detection-update: [.....9] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44150] [TLS.Cloudflare][Unknown][Web][Acceptable]
RISK: Unidirectional Traffic
detection-update: [.....6] [ip6][..udp] [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] -> [.38b2:46b7:27a4:94c3:c134:948:e069:d71f][....1] [BitTorrent][Unknown][Download][Acceptable]
RISK: Known Proto on Non Std Port, Unidirectional Traffic
new: [....10] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44192]
- detected: [....10] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44192] [TLS.Cloudflare][Unknown][Web][Acceptable][]
+ detected: [....10] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44192] [TLS.Cloudflare][Unknown][Web][Acceptable]
RISK: Unidirectional Traffic
- detection-update: [....10] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44192] [TLS.Cloudflare][Unknown][Web][Acceptable][]
+ detection-update: [....10] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44192] [TLS.Cloudflare][Unknown][Web][Acceptable]
RISK: Unidirectional Traffic
new: [....11] [ip6][..udp] [.3297:a1af:5121:cfc:360b:2e07:872f:1ea0][43865] -> [....32fb:f967:681e:e96b:face:b00c::74fd][.3478]
detected: [....11] [ip6][..udp] [.3297:a1af:5121:cfc:360b:2e07:872f:1ea0][43865] -> [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][]
@@ -69,7 +69,7 @@
RISK: Unidirectional Traffic
idle: [....11] [ip6][..udp] [.3297:a1af:5121:cfc:360b:2e07:872f:1ea0][43865] -> [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable]
RISK: Unidirectional Traffic
- idle: [.....1] [ip6][..udp] [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] -> [20ed:470f:6f73:ce60:60be:8b4f:df37:b080][45658] [STUN][Unknown][Network][Acceptable]
+ idle: [.....1] [ip6][..udp] [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] -> [20ed:470f:6f73:ce60:60be:8b4f:df37:b080][45658] [RTCP][Unknown][VoIP][Acceptable]
idle: [....12] [ip6][..udp] [.3069:c624:1d42:9469:98b1:67ff:fe43:325][56131] -> [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable]
RISK: Unidirectional Traffic
idle: [.....3] [ip6][..udp] [.2a2f:8509:1cb2:466d:ecbf:69d6:109c:608][62229] -> [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] [BitTorrent][Unknown][Download][Acceptable]
diff --git a/test/results/flow-info/default/lustre.pcapng.out b/test/results/flow-info/default/lustre.pcapng.out
new file mode 100644
index 000000000..4e874077f
--- /dev/null
+++ b/test/results/flow-info/default/lustre.pcapng.out
@@ -0,0 +1,8 @@
+ DAEMON-EVENT: init
+ new: [.....1] [ip4][..tcp] [.192.168.88.132][.1022] -> [.192.168.88.131][..988]
+ detected: [.....1] [ip4][..tcp] [.192.168.88.132][.1022] -> [.192.168.88.131][..988] [Lustre][Unknown][DataTransfer][Acceptable]
+ new: [.....2] [ip4][..tcp] [.192.168.88.118][.1023] -> [.192.168.88.119][..988] [MIDSTREAM]
+ detected: [.....2] [ip4][..tcp] [.192.168.88.118][.1023] -> [.192.168.88.119][..988] [Lustre][Unknown][DataTransfer][Acceptable]
+ idle: [.....1] [ip4][..tcp] [.192.168.88.132][.1022] -> [.192.168.88.131][..988] [Lustre][Unknown][DataTransfer][Acceptable]
+ idle: [.....2] [ip4][..tcp] [.192.168.88.118][.1023] -> [.192.168.88.119][..988] [Lustre][Unknown][DataTransfer][Acceptable]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/malware.pcap.out b/test/results/flow-info/default/malware.pcap.out
index de5a1132b..c25366bbc 100644
--- a/test/results/flow-info/default/malware.pcap.out
+++ b/test/results/flow-info/default/malware.pcap.out
@@ -6,20 +6,22 @@
detection-update: [.....1] [ip4][..udp] [....192.168.7.7][42370] -> [........1.1.1.1][...53] [DNS][Unknown][Network][Acceptable][www.internetbadguys.com]
new: [.....2] [ip4][.icmp] [....192.168.7.7] -> [144.139.247.220]
detected: [.....2] [ip4][.icmp] [....192.168.7.7] -> [144.139.247.220] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
new: [.....3] [ip4][..tcp] [....192.168.7.7][33706] -> [144.139.247.220][...80]
DAEMON-EVENT: [Processed: 4 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 3 / 3|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0]
new: [.....4] [ip4][..tcp] [....192.168.7.7][48394] -> [..67.215.92.210][...80] [MIDSTREAM]
- detected: [.....4] [ip4][..tcp] [....192.168.7.7][48394] -> [..67.215.92.210][...80] [HTTP][OpenDNS][Web][Acceptable][www.internetbadguys.com]
+ detected: [.....4] [ip4][..tcp] [....192.168.7.7][48394] -> [..67.215.92.210][...80] [HTTP][Unknown][Web][Acceptable][www.internetbadguys.com]
new: [.....5] [ip4][..tcp] [....192.168.7.7][35236] -> [..67.215.92.210][..443]
- detected: [.....5] [ip4][..tcp] [....192.168.7.7][35236] -> [..67.215.92.210][..443] [TLS][OpenDNS][Web][Safe][www.internetbadguys.com]
- detection-update: [.....5] [ip4][..tcp] [....192.168.7.7][35236] -> [..67.215.92.210][..443] [TLS][OpenDNS][Web][Safe][www.internetbadguys.com]
- detection-update: [.....5] [ip4][..tcp] [....192.168.7.7][35236] -> [..67.215.92.210][..443] [TLS.OpenDNS][OpenDNS][Network][Acceptable][www.internetbadguys.com]
+ detected: [.....5] [ip4][..tcp] [....192.168.7.7][35236] -> [..67.215.92.210][..443] [TLS][Unknown][Web][Safe][www.internetbadguys.com]
+ detection-update: [.....5] [ip4][..tcp] [....192.168.7.7][35236] -> [..67.215.92.210][..443] [TLS][Unknown][Web][Safe][www.internetbadguys.com]
+ detection-update: [.....5] [ip4][..tcp] [....192.168.7.7][35236] -> [..67.215.92.210][..443] [TLS.OpenDNS][Unknown][Network][Acceptable][www.internetbadguys.com]
RISK: TLS Cert Mismatch
guessed: [.....3] [ip4][..tcp] [....192.168.7.7][33706] -> [144.139.247.220][...80] [HTTP][Unknown][Web][Acceptable][]
RISK: Unidirectional Traffic
idle: [.....3] [ip4][..tcp] [....192.168.7.7][33706] -> [144.139.247.220][...80]
idle: [.....2] [ip4][.icmp] [....192.168.7.7] -> [144.139.247.220] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
idle: [.....1] [ip4][..udp] [....192.168.7.7][42370] -> [........1.1.1.1][...53] [DNS][Unknown][Network][Acceptable]
DAEMON-EVENT: [Processed: 26 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 2 / 5|skipped: 0|!detected: 0|guessed: 1|detection-updates: 3|updates: 0]
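Review bot: The new baseline drops the `OpenDNS` application attribution for 67.215.92.210 (`[HTTP][Unknown]` and `[TLS][Unknown]` where the old lines carried `[HTTP][OpenDNS]` and `[TLS][OpenDNS]`), while the `TLS.OpenDNS` sub-protocol and the `TLS Cert Mismatch` risk are kept, so this hunk encodes a partial loss of attribution rather than a pure output-format change. Whether that reflects an intentional upstream change to the IP-based protocol hints or a regression is not visible from the fixture; it is worth checking against the targeted libnDPI revision before the baseline is accepted. The second hunk of this file accepts the same attribution change for the `end:` and `idle:` lines, so one verification covers both.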
@@ -37,7 +39,7 @@
[PKTLENS.....: 52,52,40,692,46,1492,40,46,121,52,1492,40,133,314,511,46,1492,1492,40,46,1367,1492,40,1492,46,1269,40,1492,1492,40,46,1492]
[ENTROPIES...: 4.7,4.9,4.8,7.2,4.4,7.4,4.9,4.4,6.3,5.0,7.6,4.9,6.0,7.2,7.6,4.4,7.9,7.9,4.8,4.4,7.9,7.9,4.9,7.9,4.4,7.8,4.9,7.9,7.9,4.8,4.5,7.9]
idle: [.....6] [ip4][..tcp] [...192.168.0.20][41240] -> [.193.109.85.123][..443] [TLS][Unknown][Web][Safe]
- end: [.....5] [ip4][..tcp] [....192.168.7.7][35236] -> [..67.215.92.210][..443] [TLS.OpenDNS][OpenDNS][Network][Acceptable]
+ end: [.....5] [ip4][..tcp] [....192.168.7.7][35236] -> [..67.215.92.210][..443] [TLS.OpenDNS][Unknown][Network][Acceptable]
RISK: TLS Cert Mismatch
- idle: [.....4] [ip4][..tcp] [....192.168.7.7][48394] -> [..67.215.92.210][...80] [HTTP][OpenDNS][Web][Acceptable]
+ idle: [.....4] [ip4][..tcp] [....192.168.7.7][48394] -> [..67.215.92.210][...80] [HTTP][Unknown][Web][Acceptable]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/mongo_false_positive.pcapng.out b/test/results/flow-info/default/mongo_false_positive.pcapng.out
index 4e9d419ae..af22cc5f6 100644
--- a/test/results/flow-info/default/mongo_false_positive.pcapng.out
+++ b/test/results/flow-info/default/mongo_false_positive.pcapng.out
@@ -3,6 +3,6 @@
DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....1] [ip4][..tcp] [..188.75.184.20][49542] -> [.251.182.120.32][..443]
guessed: [.....1] [ip4][..tcp] [..188.75.184.20][49542] -> [.251.182.120.32][..443] [TLS][Unknown][Web][Safe]
- RISK: Fully encrypted flow
+ RISK: Fully Encrypted Flow
end: [.....1] [ip4][..tcp] [..188.75.184.20][49542] -> [.251.182.120.32][..443]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/mullvad_wireguard.pcap.out b/test/results/flow-info/default/mullvad_wireguard.pcap.out
index f2ca169a2..047df2d45 100644
--- a/test/results/flow-info/default/mullvad_wireguard.pcap.out
+++ b/test/results/flow-info/default/mullvad_wireguard.pcap.out
@@ -2,8 +2,8 @@
DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....1] [ip4][..udp] [.192.168.122.11][22595] -> [..198.54.131.98][.5060]
- detected: [.....1] [ip4][..udp] [.192.168.122.11][22595] -> [..198.54.131.98][.5060] [WireGuard][Mullvad][VPN][Acceptable]
+ detected: [.....1] [ip4][..udp] [.192.168.122.11][22595] -> [..198.54.131.98][.5060] [WireGuard.Mullvad][Mullvad][VPN][Acceptable]
RISK: Known Proto on Non Std Port
- idle: [.....1] [ip4][..udp] [.192.168.122.11][22595] -> [..198.54.131.98][.5060] [WireGuard][Mullvad][VPN][Acceptable]
+ idle: [.....1] [ip4][..udp] [.192.168.122.11][22595] -> [..198.54.131.98][.5060] [WireGuard.Mullvad][Mullvad][VPN][Acceptable]
RISK: Known Proto on Non Std Port
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/nano.pcapng.out b/test/results/flow-info/default/nano.pcapng.out
new file mode 100644
index 000000000..e28334900
--- /dev/null
+++ b/test/results/flow-info/default/nano.pcapng.out
@@ -0,0 +1,7 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..tcp] [.192.168.88.231][59642] -> [.37.120.187.138][.7075]
+ detected: [.....1] [ip4][..tcp] [.192.168.88.231][59642] -> [.37.120.187.138][.7075] [Nano][Unknown][Crypto_Currency][Acceptable]
+ idle: [.....1] [ip4][..tcp] [.192.168.88.231][59642] -> [.37.120.187.138][.7075] [Nano][Unknown][Crypto_Currency][Acceptable]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/netbios.pcap.out b/test/results/flow-info/default/netbios.pcap.out
index 00c5cc89f..aee6cae60 100644
--- a/test/results/flow-info/default/netbios.pcap.out
+++ b/test/results/flow-info/default/netbios.pcap.out
@@ -56,6 +56,12 @@
update: [.....2] [ip4][..udp] [.....10.0.5.233][..137] -> [.....10.0.5.255][..137] [NetBIOS][Unknown][System][Acceptable]
update: [.....3] [ip4][..udp] [.......10.0.5.9][..138] -> [.....10.0.5.255][..138] [NetBIOS.SMBv1][Unknown][System][Dangerous]
RISK: Unsafe Protocol
+ update: [.....6] [ip4][..udp] [.....10.0.4.101][..137] -> [.....10.0.5.255][..137] [NetBIOS][Unknown][System][Acceptable]
+ update: [.....5] [ip4][..udp] [......10.0.1.87][57836] -> [......10.0.4.24][..137] [NetBIOS][Unknown][System][Acceptable]
+ DAEMON-EVENT: [Processed: 260 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 15 / 15|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 5]
+ new: [....16] [ip4][..tcp] [...10.19.71.184][55489] -> [..10.17.113.129][..139] [MIDSTREAM]
+ detected: [....16] [ip4][..tcp] [...10.19.71.184][55489] -> [..10.17.113.129][..139] [NetBIOS][Unknown][System][Acceptable][]
idle: [.....8] [ip4][..udp] [......10.0.4.24][..137] -> [.....10.0.4.165][..137] [NetBIOS][Unknown][System][Acceptable]
idle: [.....7] [ip4][..udp] [.....10.0.4.165][..137] -> [.....10.0.5.255][..137] [NetBIOS][Unknown][System][Acceptable]
idle: [.....2] [ip4][..udp] [.....10.0.5.233][..137] -> [.....10.0.5.255][..137] [NetBIOS][Unknown][System][Acceptable]
@@ -72,6 +78,7 @@
RISK: Unsafe Protocol
idle: [.....5] [ip4][..udp] [......10.0.1.87][57836] -> [......10.0.4.24][..137] [NetBIOS][Unknown][System][Acceptable]
idle: [....15] [ip4][..udp] [......10.0.1.87][57921] -> [......10.0.4.24][..137] [NetBIOS][Unknown][System][Acceptable]
+ idle: [....16] [ip4][..tcp] [...10.19.71.184][55489] -> [..10.17.113.129][..139] [NetBIOS][Unknown][System][Acceptable]
guessed: [.....4] [ip4][..tcp] [......10.0.4.24][..139] -> [.....10.0.4.131][.1398] [NetBIOS][Unknown][System][Acceptable][]
idle: [.....4] [ip4][..tcp] [......10.0.4.24][..139] -> [.....10.0.4.131][.1398]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/netflix.pcap.out b/test/results/flow-info/default/netflix.pcap.out
index 6cca6ebd9..149f37d45 100644
--- a/test/results/flow-info/default/netflix.pcap.out
+++ b/test/results/flow-info/default/netflix.pcap.out
@@ -162,7 +162,7 @@
detected: [....30] [ip4][..tcp] [....192.168.1.7][53163] -> [..23.246.11.145][...80] [HTTP][NetFlix][Web][Acceptable][23.246.11.145]
RISK: HTTP/TLS/QUIC Numeric Hostname/SNI
detection-update: [....30] [ip4][..tcp] [....192.168.1.7][53163] -> [..23.246.11.145][...80] [HTTP][NetFlix][Download][Acceptable][23.246.11.145]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
analyse: [....30] [ip4][..tcp] [....192.168.1.7][53163] -> [..23.246.11.145][...80] [HTTP][NetFlix][Download][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: 0.004| 0.651| 0.082| 0.154| 23582.077| 3.600]
@@ -177,12 +177,12 @@
detected: [....31] [ip4][..tcp] [....192.168.1.7][53164] -> [..23.246.10.139][...80] [HTTP][NetFlix][Web][Acceptable][23.246.10.139]
RISK: HTTP/TLS/QUIC Numeric Hostname/SNI
detection-update: [....31] [ip4][..tcp] [....192.168.1.7][53164] -> [..23.246.10.139][...80] [HTTP][NetFlix][Download][Acceptable][23.246.10.139]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
new: [....32] [ip4][..tcp] [....192.168.1.7][53171] -> [...23.246.3.140][...80]
detected: [....32] [ip4][..tcp] [....192.168.1.7][53171] -> [...23.246.3.140][...80] [HTTP][NetFlix][Web][Acceptable][23.246.3.140]
RISK: HTTP/TLS/QUIC Numeric Hostname/SNI
detection-update: [....32] [ip4][..tcp] [....192.168.1.7][53171] -> [...23.246.3.140][...80] [HTTP][NetFlix][Download][Acceptable][23.246.3.140]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
analyse: [....32] [ip4][..tcp] [....192.168.1.7][53171] -> [...23.246.3.140][...80] [HTTP][NetFlix][Download][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: 0.002| 0.044| 0.018| 0.010| 100.655| 4.700]
@@ -213,7 +213,7 @@
detected: [....36] [ip4][..tcp] [....192.168.1.7][53175] -> [..23.246.11.141][...80] [HTTP][NetFlix][Web][Acceptable][23.246.11.141]
RISK: HTTP/TLS/QUIC Numeric Hostname/SNI
detection-update: [....33] [ip4][..tcp] [....192.168.1.7][53172] -> [..23.246.11.133][...80] [HTTP][NetFlix][Download][Acceptable][23.246.11.133]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
detected: [....40] [ip4][..tcp] [....192.168.1.7][53179] -> [..23.246.11.141][...80] [HTTP][NetFlix][Web][Acceptable][23.246.11.141]
RISK: HTTP/TLS/QUIC Numeric Hostname/SNI
detected: [....39] [ip4][..tcp] [....192.168.1.7][53178] -> [..23.246.11.141][...80] [HTTP][NetFlix][Web][Acceptable][23.246.11.141]
@@ -223,31 +223,31 @@
detected: [....38] [ip4][..tcp] [....192.168.1.7][53177] -> [..23.246.11.141][...80] [HTTP][NetFlix][Web][Acceptable][23.246.11.141]
RISK: HTTP/TLS/QUIC Numeric Hostname/SNI
detection-update: [....35] [ip4][..tcp] [....192.168.1.7][53174] -> [..23.246.11.141][...80] [HTTP][NetFlix][Download][Acceptable][23.246.11.141]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
detection-update: [....34] [ip4][..tcp] [....192.168.1.7][53173] -> [..23.246.11.133][...80] [HTTP][NetFlix][Download][Acceptable][23.246.11.133]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
detected: [....41] [ip4][..tcp] [....192.168.1.7][53180] -> [..23.246.11.141][...80] [HTTP][NetFlix][Web][Acceptable][23.246.11.141]
RISK: HTTP/TLS/QUIC Numeric Hostname/SNI
detection-update: [....36] [ip4][..tcp] [....192.168.1.7][53175] -> [..23.246.11.141][...80] [HTTP][NetFlix][Download][Acceptable][23.246.11.141]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
detected: [....42] [ip4][..tcp] [....192.168.1.7][53181] -> [..23.246.11.141][...80] [HTTP][NetFlix][Web][Acceptable][23.246.11.141]
RISK: HTTP/TLS/QUIC Numeric Hostname/SNI
detected: [....43] [ip4][..tcp] [....192.168.1.7][53182] -> [..23.246.11.141][...80] [HTTP][NetFlix][Web][Acceptable][23.246.11.141]
RISK: HTTP/TLS/QUIC Numeric Hostname/SNI
detection-update: [....40] [ip4][..tcp] [....192.168.1.7][53179] -> [..23.246.11.141][...80] [HTTP][NetFlix][Download][Acceptable][23.246.11.141]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
detection-update: [....37] [ip4][..tcp] [....192.168.1.7][53176] -> [..23.246.11.141][...80] [HTTP][NetFlix][Download][Acceptable][23.246.11.141]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
detection-update: [....39] [ip4][..tcp] [....192.168.1.7][53178] -> [..23.246.11.141][...80] [HTTP][NetFlix][Download][Acceptable][23.246.11.141]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
detection-update: [....38] [ip4][..tcp] [....192.168.1.7][53177] -> [..23.246.11.141][...80] [HTTP][NetFlix][Download][Acceptable][23.246.11.141]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
detection-update: [....41] [ip4][..tcp] [....192.168.1.7][53180] -> [..23.246.11.141][...80] [HTTP][NetFlix][Download][Acceptable][23.246.11.141]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
detection-update: [....42] [ip4][..tcp] [....192.168.1.7][53181] -> [..23.246.11.141][...80] [HTTP][NetFlix][Download][Acceptable][23.246.11.141]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
detection-update: [....43] [ip4][..tcp] [....192.168.1.7][53182] -> [..23.246.11.141][...80] [HTTP][NetFlix][Download][Acceptable][23.246.11.141]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
analyse: [....41] [ip4][..tcp] [....192.168.1.7][53180] -> [..23.246.11.141][...80] [HTTP][NetFlix][Download][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 2.098| 0.201| 0.403| 162731.114| 3.600]
@@ -375,13 +375,13 @@
detected: [....44] [ip4][..tcp] [....192.168.1.7][53183] -> [...23.246.3.140][...80] [HTTP][NetFlix][Web][Acceptable][23.246.3.140]
RISK: HTTP/TLS/QUIC Numeric Hostname/SNI
detection-update: [....45] [ip4][..tcp] [....192.168.1.7][53184] -> [..23.246.11.141][...80] [HTTP][NetFlix][Download][Acceptable][23.246.11.141]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
new: [....46] [ip4][..tcp] [....192.168.1.7][53193] -> [...54.191.17.51][..443]
new: [....47] [ip4][..tcp] [....192.168.1.7][53202] -> [...54.191.17.51][..443]
new: [....48] [ip4][..udp] [....192.168.1.7][60962] -> [....192.168.1.1][...53]
detected: [....48] [ip4][..udp] [....192.168.1.7][60962] -> [....192.168.1.1][...53] [DNS.NetFlix][Unknown][Network][Fun][ichnaea.geo.netflix.com]
detection-update: [....44] [ip4][..tcp] [....192.168.1.7][53183] -> [...23.246.3.140][...80] [HTTP][NetFlix][Download][Acceptable][23.246.3.140]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
detection-update: [....48] [ip4][..udp] [....192.168.1.7][60962] -> [....192.168.1.1][...53] [DNS.NetFlix][Unknown][Network][Fun][ichnaea.geo.netflix.com]
new: [....49] [ip4][..tcp] [....192.168.1.7][53203] -> [...52.37.36.252][..443]
analyse: [....11] [ip4][..tcp] [....192.168.1.7][53119] -> [..54.69.204.241][..443] [TLS.NetFlix][AmazonAWS][Video][Fun]
@@ -443,7 +443,7 @@
detected: [....50] [ip4][..tcp] [....192.168.1.7][53210] -> [..23.246.11.133][...80] [HTTP][NetFlix][Web][Acceptable][23.246.11.133]
RISK: HTTP/TLS/QUIC Numeric Hostname/SNI
detection-update: [....50] [ip4][..tcp] [....192.168.1.7][53210] -> [..23.246.11.133][...80] [HTTP][NetFlix][Download][Acceptable][23.246.11.133]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
update: [....10] [ip4][..udp] [....192.168.1.7][53776] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable]
update: [.....2] [ip4][..udp] [....192.168.1.7][51543] -> [....192.168.1.1][...53] [DNS.NetFlix][Unknown][Network][Fun]
update: [....17] [ip4][..udp] [....192.168.1.7][57719] -> [....192.168.1.1][...53] [DNS.NetFlix][Unknown][Network][Fun]
@@ -453,7 +453,7 @@
detected: [....51] [ip4][..tcp] [....192.168.1.7][53217] -> [..23.246.11.141][...80] [HTTP][NetFlix][Web][Acceptable][23.246.11.141]
RISK: HTTP/TLS/QUIC Numeric Hostname/SNI
detection-update: [....51] [ip4][..tcp] [....192.168.1.7][53217] -> [..23.246.11.141][...80] [HTTP][NetFlix][Download][Acceptable][23.246.11.141]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
update: [....19] [ip4][..udp] [....192.168.1.7][59180] -> [....192.168.1.1][...53] [DNS.NetFlix][Unknown][Network][Fun]
update: [....26] [ip4][..udp] [....192.168.1.7][51728] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable]
update: [....23] [ip4][..udp] [....192.168.1.7][58102] -> [....192.168.1.1][...53] [DNS.NetFlix][Unknown][Network][Fun]
@@ -595,41 +595,41 @@
idle: [.....3] [ip4][..udp] [....192.168.1.7][52116] -> [....192.168.1.1][...53] [DNS.NetFlix][Unknown][Network][Fun]
idle: [....27] [ip4][..udp] [....192.168.1.7][52347] -> [....192.168.1.1][...53] [DNS.NetFlix][Unknown][Network][Fun]
end: [....30] [ip4][..tcp] [....192.168.1.7][53163] -> [..23.246.11.145][...80] [HTTP][NetFlix][Download][Acceptable]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
idle: [....31] [ip4][..tcp] [....192.168.1.7][53164] -> [..23.246.10.139][...80] [HTTP][NetFlix][Download][Acceptable]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
end: [....32] [ip4][..tcp] [....192.168.1.7][53171] -> [...23.246.3.140][...80] [HTTP][NetFlix][Download][Acceptable]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
end: [....33] [ip4][..tcp] [....192.168.1.7][53172] -> [..23.246.11.133][...80] [HTTP][NetFlix][Download][Acceptable]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
end: [....34] [ip4][..tcp] [....192.168.1.7][53173] -> [..23.246.11.133][...80] [HTTP][NetFlix][Download][Acceptable]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
end: [....35] [ip4][..tcp] [....192.168.1.7][53174] -> [..23.246.11.141][...80] [HTTP][NetFlix][Download][Acceptable]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
end: [....36] [ip4][..tcp] [....192.168.1.7][53175] -> [..23.246.11.141][...80] [HTTP][NetFlix][Download][Acceptable]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
end: [....37] [ip4][..tcp] [....192.168.1.7][53176] -> [..23.246.11.141][...80] [HTTP][NetFlix][Download][Acceptable]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
end: [....38] [ip4][..tcp] [....192.168.1.7][53177] -> [..23.246.11.141][...80] [HTTP][NetFlix][Download][Acceptable]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
end: [....39] [ip4][..tcp] [....192.168.1.7][53178] -> [..23.246.11.141][...80] [HTTP][NetFlix][Download][Acceptable]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
end: [....40] [ip4][..tcp] [....192.168.1.7][53179] -> [..23.246.11.141][...80] [HTTP][NetFlix][Download][Acceptable]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
end: [....41] [ip4][..tcp] [....192.168.1.7][53180] -> [..23.246.11.141][...80] [HTTP][NetFlix][Download][Acceptable]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
end: [....42] [ip4][..tcp] [....192.168.1.7][53181] -> [..23.246.11.141][...80] [HTTP][NetFlix][Download][Acceptable]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
end: [....43] [ip4][..tcp] [....192.168.1.7][53182] -> [..23.246.11.141][...80] [HTTP][NetFlix][Download][Acceptable]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
idle: [....44] [ip4][..tcp] [....192.168.1.7][53183] -> [...23.246.3.140][...80] [HTTP][NetFlix][Download][Acceptable]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
idle: [....45] [ip4][..tcp] [....192.168.1.7][53184] -> [..23.246.11.141][...80] [HTTP][NetFlix][Download][Acceptable]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
idle: [....50] [ip4][..tcp] [....192.168.1.7][53210] -> [..23.246.11.133][...80] [HTTP][NetFlix][Download][Acceptable]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
idle: [....51] [ip4][..tcp] [....192.168.1.7][53217] -> [..23.246.11.141][...80] [HTTP][NetFlix][Download][Acceptable]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
end: [.....4] [ip4][..tcp] [....192.168.1.7][53105] -> [..54.69.204.241][..443] [TLS.NetFlix][AmazonAWS][Video][Fun]
end: [.....9] [ip4][..tcp] [....192.168.1.7][53118] -> [..54.69.204.241][..443] [TLS.NetFlix][AmazonAWS][Video][Fun]
end: [....11] [ip4][..tcp] [....192.168.1.7][53119] -> [..54.69.204.241][..443] [TLS.NetFlix][AmazonAWS][Video][Fun]
diff --git a/test/results/flow-info/default/nintendo.pcap.out b/test/results/flow-info/default/nintendo.pcap.out
index 416910ee0..8d8f8d854 100644
--- a/test/results/flow-info/default/nintendo.pcap.out
+++ b/test/results/flow-info/default/nintendo.pcap.out
@@ -118,7 +118,7 @@
RISK: Unidirectional Traffic
idle: [....12] [ip4][..udp] [.192.168.12.114][55915] -> [...35.158.74.61][33335]
guessed: [....14] [ip4][..udp] [.192.168.12.114][55915] -> [..52.10.205.177][34343] [AmazonAWS][AmazonAWS][Cloud][Acceptable]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [....14] [ip4][..udp] [.192.168.12.114][55915] -> [..52.10.205.177][34343]
idle: [....19] [ip4][..udp] [.192.168.12.114][55915] -> [.93.237.131.235][56066] [Nintendo][Unknown][Game][Fun]
idle: [.....5] [ip4][..udp] [.192.168.12.114][52119] -> [...35.158.74.61][33335] [Nintendo][AmazonAWS][Game][Fun]
diff --git a/test/results/flow-info/default/openvpn.pcap.out b/test/results/flow-info/default/openvpn.pcap.out
index b75018661..070784b4f 100644
--- a/test/results/flow-info/default/openvpn.pcap.out
+++ b/test/results/flow-info/default/openvpn.pcap.out
@@ -105,6 +105,20 @@
[PKTLENS.....: 60,46,40,96,46,108,40,104,46,395,46,1166,40,104,1426,40,46,104,46,976,104,46,1166,1500,46,767,46,46,104,40,613,40]
[ENTROPIES...: 4.4,4.4,4.3,5.8,3.9,5.9,4.4,5.9,4.0,7.4,3.9,7.8,4.3,5.8,7.8,4.3,4.0,5.9,4.0,7.8,5.9,4.0,7.8,7.9,4.0,7.8,4.0,3.9,5.7,4.2,7.6,4.3]
idle: [.....7] [ip4][..udp] [...3.111.166.78][51146] -> [..85.134.13.165][.1194] [OpenVPN][AmazonAWS][VPN][Acceptable]
+ DAEMON-EVENT: [Processed: 660 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 8|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....9] [ip4][..udp] [.192.168.12.156][41133] -> [.107.161.86.131][..443]
+ detected: [.....9] [ip4][..udp] [.192.168.12.156][41133] -> [.107.161.86.131][..443] [OpenVPN][Unknown][VPN][Acceptable]
+ RISK: Known Proto on Non Std Port, Susp Entropy
end: [.....8] [ip4][..tcp] [......127.0.0.1][36138] -> [......127.0.0.1][..443] [OpenVPN][Unknown][VPN][Acceptable]
RISK: Known Proto on Non Std Port
+ DAEMON-EVENT: [Processed: 691 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 9|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [....10] [ip4][..udp] [.192.168.12.156][37383] -> [.217.138.197.43][.1234]
+ detected: [....10] [ip4][..udp] [.192.168.12.156][37383] -> [.217.138.197.43][.1234] [OpenVPN.NordVPN][NordVPN][VPN][Acceptable]
+ RISK: Known Proto on Non Std Port
+ idle: [....10] [ip4][..udp] [.192.168.12.156][37383] -> [.217.138.197.43][.1234] [OpenVPN.NordVPN][NordVPN][VPN][Acceptable]
+ RISK: Known Proto on Non Std Port
+ idle: [.....9] [ip4][..udp] [.192.168.12.156][41133] -> [.107.161.86.131][..443] [OpenVPN][Unknown][VPN][Acceptable]
+ RISK: Known Proto on Non Std Port, Susp Entropy
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/openwire.pcapng.out b/test/results/flow-info/default/openwire.pcapng.out
new file mode 100644
index 000000000..c8b315530
--- /dev/null
+++ b/test/results/flow-info/default/openwire.pcapng.out
@@ -0,0 +1,20 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ ERROR-EVENT: Unknown datalink layer packet [1/16]
+ ERROR-EVENT: Unknown datalink layer packet [2/16]
+ ERROR-EVENT: Unknown datalink layer packet [3/16]
+ ERROR-EVENT: Unknown datalink layer packet [4/16]
+ ERROR-EVENT: Unknown datalink layer packet [5/16]
+ ERROR-EVENT: Unknown datalink layer packet [6/16]
+ ERROR-EVENT: Unknown datalink layer packet [7/16]
+ ERROR-EVENT: Unknown datalink layer packet [8/16]
+ ERROR-EVENT: Unknown datalink layer packet [9/16]
+ ERROR-EVENT: Unknown datalink layer packet [10/16]
+ ERROR-EVENT: Unknown datalink layer packet [11/16]
+ ERROR-EVENT: Unknown datalink layer packet [12/16]
+ ERROR-EVENT: Unknown datalink layer packet [13/16]
+ ERROR-EVENT: Unknown datalink layer packet [14/16]
+ ERROR-EVENT: Unknown datalink layer packet [15/16]
+ ERROR-EVENT: Unknown datalink layer packet [16/16]
+ DAEMON-EVENT: shutdown
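Review bot: The new expected output for openwire.pcapng.out records every one of the 16 packets as `ERROR-EVENT: Unknown datalink layer packet [n/16]` and never emits a `new:`/`detected:` flow, so this fixture pins the unsupported-datalink error path rather than OpenWire detection, and a future regression in the OpenWire dissector would not be caught here. If the capture's link type is intentionally unsupported, a short note next to the pcap (or in the test runner's fixture list) saying the file covers the error path would stop the next reader from assuming the detector is exercised; otherwise the capture should be re-saved with a link type nDPId parses so the result shows the flow and its risk/category fields. The same "all packets rejected at the datalink layer" pattern is worth checking in the other newly added fixtures of this commit, since a silent parse failure is easy to mistake for a passing test.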
diff --git a/test/results/flow-info/default/oracle12.pcapng.out b/test/results/flow-info/default/oracle12.pcapng.out
index 261b644a8..2aa701be3 100644
--- a/test/results/flow-info/default/oracle12.pcapng.out
+++ b/test/results/flow-info/default/oracle12.pcapng.out
@@ -2,6 +2,6 @@
DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....1] [ip4][..tcp] [......10.0.2.15][40226] -> [....10.0.72.139][.1521]
- guessed: [.....1] [ip4][..tcp] [......10.0.2.15][40226] -> [....10.0.72.139][.1521] [Oracle][Unknown][Database][Acceptable]
- idle: [.....1] [ip4][..tcp] [......10.0.2.15][40226] -> [....10.0.72.139][.1521]
+ detected: [.....1] [ip4][..tcp] [......10.0.2.15][40226] -> [....10.0.72.139][.1521] [Oracle][Unknown][Database][Acceptable]
+ idle: [.....1] [ip4][..tcp] [......10.0.2.15][40226] -> [....10.0.72.139][.1521] [Oracle][Unknown][Database][Acceptable]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/ossfuzz_seed_fake_traces_1.pcapng.out b/test/results/flow-info/default/ossfuzz_seed_fake_traces_1.pcapng.out
index 9eaad9b51..217c3777e 100644
--- a/test/results/flow-info/default/ossfuzz_seed_fake_traces_1.pcapng.out
+++ b/test/results/flow-info/default/ossfuzz_seed_fake_traces_1.pcapng.out
@@ -35,7 +35,6 @@
DAEMON-EVENT: [Processed: 16 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 5 / 7|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 3]
new: [.....8] [ip4][..udp] [......127.0.0.1][17788] -> [......127.0.0.1][17788]
- detected: [.....8] [ip4][..udp] [......127.0.0.1][17788] -> [......127.0.0.1][17788] [PPStream][Unknown][Streaming][Fun]
not-detected: [.....7] [ip4][..udp] [......127.0.0.1][..100] -> [......127.0.0.1][..200] [Unknown][Unknown][Unrated]
idle: [.....7] [ip4][..udp] [......127.0.0.1][..100] -> [......127.0.0.1][..200]
idle: [.....4] [ip4][..tcp] [..192.168.1.128][....1] -> [121.254.200.130][.1119] [Starcraft][Unknown][Game][Fun]
@@ -51,7 +50,9 @@
new: [.....9] [ip4][..tcp] [..192.168.1.128][....1] -> [........1.2.3.4][...10] [MIDSTREAM]
detected: [.....9] [ip4][..tcp] [..192.168.1.128][....1] -> [........1.2.3.4][...10] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol, Unidirectional Traffic, TCP Connection Issues
- idle: [.....8] [ip4][..udp] [......127.0.0.1][17788] -> [......127.0.0.1][17788] [PPStream][Unknown][Streaming][Fun]
+ not-detected: [.....8] [ip4][..udp] [......127.0.0.1][17788] -> [......127.0.0.1][17788] [Unknown][Unknown][Unrated]
+ RISK: Unidirectional Traffic
+ idle: [.....8] [ip4][..udp] [......127.0.0.1][17788] -> [......127.0.0.1][17788]
new: [....10] [ip4][..tcp] [..192.168.1.128][....1] -> [........1.2.3.4][...11] [MIDSTREAM]
detected: [....10] [ip4][..tcp] [..192.168.1.128][....1] -> [........1.2.3.4][...11] [Gnutella][Unknown][Download][Potentially Dangerous]
RISK: Unsafe Protocol, Unidirectional Traffic, TCP Connection Issues
diff --git a/test/results/flow-info/default/pgsql2.pcapng.out b/test/results/flow-info/default/pgsql2.pcapng.out
new file mode 100644
index 000000000..672b69189
--- /dev/null
+++ b/test/results/flow-info/default/pgsql2.pcapng.out
@@ -0,0 +1,9 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..tcp] [...10.220.20.67][58574] -> [...10.220.20.67][60102]
+ detected: [.....1] [ip4][..tcp] [...10.220.20.67][58574] -> [...10.220.20.67][60102] [PostgreSQL][Unknown][Database][Acceptable]
+ RISK: Known Proto on Non Std Port
+ idle: [.....1] [ip4][..tcp] [...10.220.20.67][58574] -> [...10.220.20.67][60102] [PostgreSQL][Unknown][Database][Acceptable]
+ RISK: Known Proto on Non Std Port
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/portable_executable.pcap.out b/test/results/flow-info/default/portable_executable.pcap.out
index 973ba812c..faed0371e 100644
--- a/test/results/flow-info/default/portable_executable.pcap.out
+++ b/test/results/flow-info/default/portable_executable.pcap.out
@@ -4,9 +4,9 @@
new: [.....1] [ip4][..tcp] [..172.16.99.201][.1732] -> [..64.227.107.71][.4444]
new: [.....2] [ip4][..tcp] [..64.227.107.71][...53] -> [...172.16.99.10][49652]
not-detected: [.....1] [ip4][..tcp] [..172.16.99.201][.1732] -> [..64.227.107.71][.4444] [Unknown][Unknown][Unrated]
- RISK: Binary App Transfer
+ RISK: Binary App Transfer, Susp Entropy
idle: [.....1] [ip4][..tcp] [..172.16.99.201][.1732] -> [..64.227.107.71][.4444]
guessed: [.....2] [ip4][..tcp] [..64.227.107.71][...53] -> [...172.16.99.10][49652] [DNS][Unknown][Network][Acceptable][]
- RISK: Binary App Transfer, Malformed Packet
+ RISK: Binary App Transfer, Malformed Packet, Susp Entropy
idle: [.....2] [ip4][..tcp] [..64.227.107.71][...53] -> [...172.16.99.10][49652]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/pps.pcap.out b/test/results/flow-info/default/pps.pcap.out
deleted file mode 100644
index 1877cc50a..000000000
--- a/test/results/flow-info/default/pps.pcap.out
+++ /dev/null
@@ -1,589 +0,0 @@
- DAEMON-EVENT: init
- DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
- new: [.....1] [ip4][..udp] [....1.173.5.226][22636] -> [..192.168.115.8][22793]
- new: [.....2] [ip4][..udp] [..118.171.15.56][.5544] -> [..192.168.115.8][22793]
- new: [.....3] [ip4][..udp] [..192.168.115.8][22793] -> [...114.42.0.158][.7716]
- new: [.....4] [ip4][..udp] [..192.168.115.8][22793] -> [.222.197.138.12][.6956]
- new: [.....5] [ip4][..udp] [..192.168.115.8][22793] -> [...202.198.7.89][16039]
- new: [.....6] [ip4][..udp] [..192.168.115.8][22793] -> [.111.249.53.196][32443]
- new: [.....7] [ip4][..udp] [..192.168.115.8][22793] -> [219.228.107.156][.1250]
- analyse: [.....1] [ip4][..udp] [....1.173.5.226][22636] -> [..192.168.115.8][22793]
- min| max| avg| stddev| variance| entropy
- [IAT.........: < 0.001| 0.014| 0.003| 0.004| 16.289| 3.700]
- [PKTLEN......: 65.000| 1093.000| 386.200| 476.500| 227043.400| 4.000]
- [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- [BINS(s->c)..: 0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- [DIRECTIONS..: 0,1,1,0,0,1,1,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1]
- [IATS(ms)....: 0.3,0.3,3.0,2.0,4.7,0.3,0.1,0.0,0.6,0.6,2.0,0.9,0.2,1.9,1.1,0.1,11.9,11.8,0.1,13.6,13.5,0.1,2.8,2.6,0.2,1.3,1.0,0.1,1.6,1.9,0.3]
- [PKTLENS.....: 1093,65,65,1093,1093,65,65,65,65,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65]
- [ENTROPIES...: 7.8,5.1,5.1,7.8,7.8,5.2,5.1,5.2,5.1,5.2,5.2,7.8,5.1,5.1,7.8,5.2,5.2,7.8,5.1,5.1,7.8,5.2,5.2,7.8,5.1,5.1,7.6,5.2,5.2,7.8,5.2,5.2]
- analyse: [.....3] [ip4][..udp] [..192.168.115.8][22793] -> [...114.42.0.158][.7716]
- min| max| avg| stddev| variance| entropy
- [IAT.........: < 0.001| 0.013| 0.002| 0.004| 13.731| 3.800]
- [PKTLEN......: 65.000| 1093.000| 386.200| 476.500| 227043.400| 4.000]
- [BINS(c->s)..: 0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- [DIRECTIONS..: 0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]
- [IATS(ms)....: 0.3,12.6,12.6,0.2,1.1,0.9,0.1,1.6,1.5,0.2,2.1,1.8,0.3,0.7,0.6,0.3,1.7,1.1,0.1,3.6,5.8,0.4,11.9,9.1,0.1,1.2,1.4,0.1,1.5,1.1,0.1]
- [PKTLENS.....: 65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65]
- [ENTROPIES...: 5.1,5.1,7.8,5.2,5.2,7.7,5.0,5.0,7.8,5.2,5.2,7.8,5.1,5.1,7.8,5.1,5.1,7.8,5.1,5.1,7.8,5.1,5.1,7.8,5.1,5.1,7.8,5.2,5.2,7.8,5.2,5.2]
- new: [.....8] [ip4][..udp] [.183.228.182.44][13913] -> [..192.168.115.8][22793]
- analyse: [.....2] [ip4][..udp] [..118.171.15.56][.5544] -> [..192.168.115.8][22793]
- min| max| avg| stddev| variance| entropy
- [IAT.........: < 0.001| 0.027| 0.009| 0.008| 71.240| 4.100]
- [PKTLEN......: 65.000| 1093.000| 386.200| 476.500| 227043.400| 4.000]
- [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- [BINS(s->c)..: 0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- [DIRECTIONS..: 0,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,1,1,0,1,1,0]
- [IATS(ms)....: 0.4,0.2,4.9,0.2,24.3,18.9,0.1,5.4,6.9,0.2,19.1,17.6,0.1,13.8,13.8,0.1,13.1,15.4,0.1,27.0,24.4,0.2,9.0,11.0,0.4,2.0,0.9,14.1,8.3,0.1,12.1]
- [PKTLENS.....: 1093,65,65,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,65,65,1093,65,65,1093]
- [ENTROPIES...: 7.7,5.1,5.1,5.1,5.1,7.8,5.1,5.1,7.8,5.2,5.2,7.8,5.1,5.1,7.8,5.0,5.0,7.8,5.1,5.1,7.8,5.2,5.2,7.8,5.1,5.1,5.0,5.0,7.8,5.1,5.1,7.8]
- new: [.....9] [ip4][..tcp] [..192.168.115.8][50462] -> [.202.108.14.236][...80] [MIDSTREAM]
- new: [....10] [ip4][..tcp] [...192.168.5.15][65125] -> [.68.233.253.133][...80] [MIDSTREAM]
- analyse: [.....7] [ip4][..udp] [..192.168.115.8][22793] -> [219.228.107.156][.1250]
- min| max| avg| stddev| variance| entropy
- [IAT.........: < 0.001| 0.070| 0.024| 0.021| 457.568| 4.200]
- [PKTLEN......: 65.000| 1093.000| 322.000| 445.100| 198147.000| 3.900]
- [BINS(c->s)..: 0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- [DIRECTIONS..: 0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0]
- [IATS(ms)....: 0.4,29.9,29.7,0.1,32.0,32.8,0.3,45.7,0.3,69.6,23.0,0.1,42.0,41.6,0.1,36.0,0.3,59.5,23.0,0.1,31.8,32.2,0.3,44.4,0.3,68.3,22.7,0.2,30.9,30.8,0.2]
- [PKTLENS.....: 65,65,1093,65,65,1093,65,65,65,65,1093,65,65,1093,65,65,65,65,1093,65,65,1093,65,65,65,65,1093,65,65,1093,65,65]
- [ENTROPIES...: 5.1,5.1,7.8,5.2,5.2,7.8,5.2,5.2,5.2,5.2,7.8,5.3,5.3,7.8,5.1,5.1,5.1,5.1,7.8,5.2,5.2,7.8,5.2,5.2,5.2,5.2,7.8,5.1,5.1,7.8,4.9,4.9]
- new: [....11] [ip4][..udp] [..192.168.115.8][22793] -> [..218.61.39.103][17788]
- detected: [....11] [ip4][..udp] [..192.168.115.8][22793] -> [..218.61.39.103][17788] [PPStream][Unknown][Streaming][Fun]
- new: [....12] [ip4][..udp] [..192.168.115.8][22793] -> [...210.44.171.1][29702]
- new: [....13] [ip4][..udp] [..192.168.115.8][22793] -> [.111.250.102.66][.1107]
- new: [....14] [ip4][..udp] [..192.168.115.8][22793] -> [..61.223.204.67][11102]
- new: [....15] [ip4][..udp] [..192.168.115.8][22793] -> [..36.237.154.69][.4316]
- new: [....16] [ip4][..udp] [..192.168.115.8][22793] -> [...36.233.39.81][18590]
- new: [....17] [ip4][..udp] [..192.168.115.8][22793] -> [.111.117.101.81][10162]
- new: [....18] [ip4][..udp] [..192.168.115.8][22793] -> [..61.227.170.88][20227]
- new: [....19] [ip4][..udp] [..192.168.115.8][22793] -> [..202.112.31.89][29072]
- new: [....20] [ip4][..udp] [..192.168.115.8][22793] -> [.121.248.133.93][12757]
- new: [....21] [ip4][..udp] [..192.168.115.8][22793] -> [..1.175.128.104][.5185]
- new: [....22] [ip4][..udp] [..192.168.115.8][22793] -> [.222.26.193.119][.7133]
- new: [....23] [ip4][..udp] [..192.168.115.8][22793] -> [.114.37.142.173][.1074]
- new: [....24] [ip4][..udp] [..192.168.115.8][22793] -> [..222.26.74.190][.1037]
- new: [....25] [ip4][..udp] [..192.168.115.8][22793] -> [.115.157.62.243][29006]
- new: [....26] [ip4][..udp] [..192.168.115.8][22793] -> [.210.44.232.243][21044]
- new: [....27] [ip4][..udp] [..192.168.115.8][22793] -> [..1.169.136.116][17951]
- new: [....28] [ip4][..udp] [..192.168.115.8][22793] -> [.114.41.144.153][10492]
- new: [....29] [ip4][..udp] [..192.168.115.8][22793] -> [..183.61.167.82][17788]
- detected: [....29] [ip4][..udp] [..192.168.115.8][22793] -> [..183.61.167.82][17788] [PPStream][Unknown][Streaming][Fun]
- new: [....30] [ip4][..udp] [..192.168.115.8][22793] -> [...210.47.12.19][33738]
- new: [....31] [ip4][..udp] [..192.168.115.8][22793] -> [...210.47.12.20][33738]
- new: [....32] [ip4][..udp] [..192.168.115.8][22793] -> [..114.47.91.129][22576]
- new: [....33] [ip4][..udp] [..192.168.115.8][22793] -> [.220.130.154.23][35941]
- new: [....34] [ip4][..udp] [..192.168.115.8][22793] -> [...218.61.39.87][17788]
- detected: [....34] [ip4][..udp] [..192.168.115.8][22793] -> [...218.61.39.87][17788] [PPStream][Unknown][Streaming][Fun]
- new: [....35] [ip4][..udp] [..192.168.115.8][22793] -> [119.188.133.182][17788]
- detected: [....35] [ip4][..udp] [..192.168.115.8][22793] -> [119.188.133.182][17788] [PPStream][Unknown][Streaming][Fun]
- new: [....36] [ip4][..udp] [..192.168.115.8][22793] -> [.183.61.167.104][17788]
- detected: [....36] [ip4][..udp] [..192.168.115.8][22793] -> [.183.61.167.104][17788] [PPStream][Unknown][Streaming][Fun]
- analyse: [.....4] [ip4][..udp] [..192.168.115.8][22793] -> [.222.197.138.12][.6956]
- min| max| avg| stddev| variance| entropy
- [IAT.........: < 0.001| 0.108| 0.029| 0.031| 941.853| 4.000]
- [PKTLEN......: 47.000| 1093.000| 289.300| 425.300| 180865.500| 3.800]
- [BINS(c->s)..: 0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- [DIRECTIONS..: 0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1]
- [IATS(ms)....: 0.9,52.8,52.3,0.3,55.5,0.1,77.7,22.0,0.2,78.3,79.3,0.5,0.4,0.1,46.5,44.4,0.1,18.4,18.5,0.3,36.0,0.1,108.0,71.5,0.7,28.3,0.5,45.9,16.1,0.4,33.5]
- [PKTLENS.....: 65,65,1093,65,65,65,65,1093,65,65,1093,65,65,65,65,1093,65,65,1093,65,65,65,65,1093,65,65,65,65,1093,65,65,47]
- [ENTROPIES...: 5.3,5.3,7.8,5.3,5.3,5.3,5.3,7.8,5.2,5.2,7.8,5.0,5.0,5.1,5.1,7.8,5.2,5.2,7.7,5.1,5.1,5.1,5.1,7.8,5.1,5.1,5.1,5.1,7.8,5.1,5.1,4.9]
- new: [....37] [ip4][..tcp] [..192.168.115.8][50463] -> [.101.227.200.11][...80] [MIDSTREAM]
- detected: [....37] [ip4][..tcp] [..192.168.115.8][50463] -> [.101.227.200.11][...80] [HTTP.PPStream][Unknown][Streaming][Fun][api.cupid.iqiyi.com]
- detection-update: [....37] [ip4][..tcp] [..192.168.115.8][50463] -> [.101.227.200.11][...80] [HTTP.PPStream][Unknown][Streaming][Fun][api.cupid.iqiyi.com]
- RISK: Unidirectional Traffic
- detection-update: [....37] [ip4][..tcp] [..192.168.115.8][50463] -> [.101.227.200.11][...80] [HTTP.PPStream][Unknown][Streaming][Fun][api.cupid.iqiyi.com]
- RISK: HTTP Obsolete Server
- new: [....38] [ip4][..tcp] [..192.168.115.8][50464] -> [.123.125.112.49][...80] [MIDSTREAM]
- detected: [....38] [ip4][..tcp] [..192.168.115.8][50464] -> [.123.125.112.49][...80] [HTTP][Unknown][Web][Acceptable][click.hm.baidu.com]
- new: [....39] [ip4][..tcp] [..192.168.115.8][50466] -> [..203.66.182.24][...80] [MIDSTREAM]
- detected: [....39] [ip4][..tcp] [..192.168.115.8][50466] -> [..203.66.182.24][...80] [HTTP.Google][Unknown][Web][Acceptable][clients1.google.com]
- new: [....40] [ip4][..tcp] [..192.168.115.8][50467] -> [.202.108.14.219][...80] [MIDSTREAM]
- detected: [....40] [ip4][..tcp] [..192.168.115.8][50467] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- detection-update: [....40] [ip4][..tcp] [..192.168.115.8][50467] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- RISK: HTTP Obsolete Server
- new: [....41] [ip4][..tcp] [..192.168.115.8][50469] -> [.202.108.14.219][...80] [MIDSTREAM]
- detected: [....41] [ip4][..tcp] [..192.168.115.8][50469] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- new: [....42] [ip4][..tcp] [..192.168.115.8][50470] -> [.202.108.14.236][...80] [MIDSTREAM]
- detected: [....42] [ip4][..tcp] [..192.168.115.8][50470] -> [.202.108.14.236][...80] [HTTP.PPStream][Unknown][Streaming][Fun][msg.iqiyi.com]
- detection-update: [....42] [ip4][..tcp] [..192.168.115.8][50470] -> [.202.108.14.236][...80] [HTTP.PPStream][Unknown][Streaming][Fun][msg.iqiyi.com]
- RISK: HTTP Obsolete Server
- detection-update: [....41] [ip4][..tcp] [..192.168.115.8][50469] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- RISK: HTTP Obsolete Server
- new: [....43] [ip4][..tcp] [..192.168.115.8][50471] -> [.202.108.14.236][...80] [MIDSTREAM]
- detected: [....43] [ip4][..tcp] [..192.168.115.8][50471] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- detection-update: [....43] [ip4][..tcp] [..192.168.115.8][50471] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- RISK: HTTP Obsolete Server
- new: [....44] [ip4][..tcp] [..192.168.115.8][50474] -> [.202.108.14.221][...80] [MIDSTREAM]
- detected: [....44] [ip4][..tcp] [..192.168.115.8][50474] -> [.202.108.14.221][...80] [HTTP.PPStream][Unknown][Streaming][Fun][msg.iqiyi.com]
- new: [....45] [ip4][..tcp] [..192.168.115.8][50475] -> [.202.108.14.236][...80] [MIDSTREAM]
- detected: [....45] [ip4][..tcp] [..192.168.115.8][50475] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- detection-update: [....44] [ip4][..tcp] [..192.168.115.8][50474] -> [.202.108.14.221][...80] [HTTP.PPStream][Unknown][Streaming][Fun][msg.iqiyi.com]
- RISK: HTTP Obsolete Server
- new: [....46] [ip4][..tcp] [..192.168.115.8][50473] -> [.202.108.14.219][...80] [MIDSTREAM]
- detected: [....46] [ip4][..tcp] [..192.168.115.8][50473] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- detection-update: [....45] [ip4][..tcp] [..192.168.115.8][50475] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- RISK: HTTP Obsolete Server
- new: [....47] [ip4][..tcp] [..192.168.115.8][50476] -> [..101.227.32.39][...80] [MIDSTREAM]
- detected: [....47] [ip4][..tcp] [..192.168.115.8][50476] -> [..101.227.32.39][...80] [HTTP.PPStream][Unknown][Streaming][Fun][cache.video.iqiyi.com]
- RISK: HTTP Susp User-Agent
- detection-update: [....46] [ip4][..tcp] [..192.168.115.8][50473] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- RISK: HTTP Obsolete Server
- new: [....48] [ip4][..tcp] [..192.168.115.8][50477] -> [.202.108.14.219][...80] [MIDSTREAM]
- detected: [....48] [ip4][..tcp] [..192.168.115.8][50477] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- detection-update: [....48] [ip4][..tcp] [..192.168.115.8][50477] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- RISK: HTTP Obsolete Server
- new: [....49] [ip4][..tcp] [..117.79.81.135][...80] -> [..192.168.115.8][50443] [MIDSTREAM]
- detected: [....49] [ip4][..tcp] [..117.79.81.135][...80] -> [..192.168.115.8][50443] [HTTP][Unknown][Web][Acceptable][]
- RISK: HTTP Susp User-Agent
- new: [....50] [ip4][..tcp] [..192.168.115.8][50482] -> [.140.205.243.64][...80] [MIDSTREAM]
- detected: [....50] [ip4][..tcp] [..192.168.115.8][50482] -> [.140.205.243.64][...80] [HTTP][Alibaba][Web][Acceptable][cmc.tanx.com]
- new: [....51] [ip4][..tcp] [..192.168.115.8][50483] -> [.202.108.14.219][...80] [MIDSTREAM]
- detected: [....51] [ip4][..tcp] [..192.168.115.8][50483] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- detection-update: [....51] [ip4][..tcp] [..192.168.115.8][50483] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- RISK: HTTP Obsolete Server
- new: [....52] [ip4][..tcp] [..192.168.115.8][50484] -> [.202.108.14.219][...80] [MIDSTREAM]
- detected: [....52] [ip4][..tcp] [..192.168.115.8][50484] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- detection-update: [....52] [ip4][..tcp] [..192.168.115.8][50484] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- RISK: HTTP Obsolete Server
- new: [....53] [ip4][..tcp] [..192.168.115.8][50485] -> [.202.108.14.236][...80] [MIDSTREAM]
- detected: [....53] [ip4][..tcp] [..192.168.115.8][50485] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- detection-update: [....53] [ip4][..tcp] [..192.168.115.8][50485] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- RISK: HTTP Obsolete Server
- new: [....54] [ip4][..tcp] [..192.168.115.8][50486] -> [...77.234.40.96][...80] [MIDSTREAM]
- detected: [....54] [ip4][..tcp] [..192.168.115.8][50486] -> [...77.234.40.96][...80] [HTTP.Cybersec][AVAST][Cybersecurity][Safe][bcu.ff.avast.com]
- RISK: HTTP Susp User-Agent
- detection-update: [....54] [ip4][..tcp] [..192.168.115.8][50486] -> [...77.234.40.96][...80] [HTTP.Cybersec][AVAST][Cybersecurity][Safe][bcu.ff.avast.com]
- RISK: HTTP Susp User-Agent, Unidirectional Traffic
- new: [....55] [ip4][..udp] [...192.168.5.57][59648] -> [239.255.255.250][.1900]
- detected: [....55] [ip4][..udp] [...192.168.5.57][59648] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900]
- detection-update: [....54] [ip4][..tcp] [..192.168.115.8][50486] -> [...77.234.40.96][...80] [HTTP.Cybersec][AVAST][Download][Safe][bcu.ff.avast.com]
- RISK: HTTP Susp User-Agent, HTTP Obsolete Server, Binary file/data transfer (attempt)
- new: [....56] [ip4][..tcp] [..192.168.115.8][50487] -> [.202.108.14.219][...80] [MIDSTREAM]
- detected: [....56] [ip4][..tcp] [..192.168.115.8][50487] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- new: [....57] [ip4][..tcp] [..192.168.115.8][50488] -> [..223.26.106.20][...80] [MIDSTREAM]
- detected: [....57] [ip4][..tcp] [..192.168.115.8][50488] -> [..223.26.106.20][...80] [HTTP][Unknown][Web][Acceptable][meta.video.qiyi.com]
- new: [....58] [ip4][..tcp] [..192.168.115.8][50489] -> [.119.188.13.188][...80] [MIDSTREAM]
- detected: [....58] [ip4][..tcp] [..192.168.115.8][50489] -> [.119.188.13.188][...80] [HTTP][Unknown][Web][Acceptable][pdata.video.qiyi.com]
- detection-update: [....58] [ip4][..tcp] [..192.168.115.8][50489] -> [.119.188.13.188][...80] [HTTP][Unknown][Web][Acceptable][pdata.video.qiyi.com]
- RISK: HTTP Obsolete Server
- new: [....59] [ip4][..tcp] [..192.168.115.8][50490] -> [.119.188.13.188][...80] [MIDSTREAM]
- detected: [....59] [ip4][..tcp] [..192.168.115.8][50490] -> [.119.188.13.188][...80] [HTTP][Unknown][Web][Acceptable][pdata.video.qiyi.com]
- detection-update: [....59] [ip4][..tcp] [..192.168.115.8][50490] -> [.119.188.13.188][...80] [HTTP][Unknown][Web][Acceptable][pdata.video.qiyi.com]
- RISK: HTTP Obsolete Server
- new: [....60] [ip4][..tcp] [..192.168.115.8][50491] -> [..223.26.106.66][...80] [MIDSTREAM]
- detected: [....60] [ip4][..tcp] [..192.168.115.8][50491] -> [..223.26.106.66][...80] [HTTP][Unknown][Web][Acceptable][223.26.106.66]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI
- new: [....61] [ip4][..tcp] [..192.168.115.8][50492] -> [...111.206.13.3][...80] [MIDSTREAM]
- detected: [....61] [ip4][..tcp] [..192.168.115.8][50492] -> [...111.206.13.3][...80] [HTTP][Unknown][Web][Acceptable][pdata.video.qiyi.com]
- new: [....62] [ip4][..tcp] [..192.168.115.8][50493] -> [.202.108.14.236][...80] [MIDSTREAM]
- detected: [....62] [ip4][..tcp] [..192.168.115.8][50493] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- detection-update: [....61] [ip4][..tcp] [..192.168.115.8][50492] -> [...111.206.13.3][...80] [HTTP][Unknown][Web][Acceptable][pdata.video.qiyi.com]
- RISK: HTTP Obsolete Server
- new: [....63] [ip4][..tcp] [..192.168.115.8][50494] -> [..223.26.106.66][...80] [MIDSTREAM]
- detected: [....63] [ip4][..tcp] [..192.168.115.8][50494] -> [..223.26.106.66][...80] [HTTP][Unknown][Web][Acceptable][223.26.106.66]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI
- detection-update: [....62] [ip4][..tcp] [..192.168.115.8][50493] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- RISK: HTTP Obsolete Server
- new: [....64] [ip4][..tcp] [...192.168.5.15][65127] -> [.68.233.253.133][...80] [MIDSTREAM]
- detected: [....64] [ip4][..tcp] [...192.168.5.15][65127] -> [.68.233.253.133][...80] [HTTP][Unknown][Web][Acceptable][api.magicansoft.com]
- detection-update: [....64] [ip4][..tcp] [...192.168.5.15][65127] -> [.68.233.253.133][...80] [HTTP][Unknown][Web][Acceptable][api.magicansoft.com]
- RISK: Error Code
- detection-update: [....63] [ip4][..tcp] [..192.168.115.8][50494] -> [..223.26.106.66][...80] [HTTP][Unknown][Web][Acceptable][223.26.106.66]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Unidirectional Traffic
- detection-update: [....63] [ip4][..tcp] [..192.168.115.8][50494] -> [..223.26.106.66][...80] [HTTP][Unknown][Download][Acceptable][223.26.106.66]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
- new: [....65] [ip4][..udp] [...192.168.5.48][63930] -> [239.255.255.250][.1900]
- detected: [....65] [ip4][..udp] [...192.168.5.48][63930] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900]
- new: [....66] [ip4][..tcp] [..192.168.115.8][50495] -> [.202.108.14.236][...80] [MIDSTREAM]
- detected: [....66] [ip4][..tcp] [..192.168.115.8][50495] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- detection-update: [....66] [ip4][..tcp] [..192.168.115.8][50495] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- RISK: HTTP Obsolete Server
- new: [....67] [ip4][..tcp] [..192.168.115.8][50496] -> [.101.227.200.11][...80] [MIDSTREAM]
- detected: [....67] [ip4][..tcp] [..192.168.115.8][50496] -> [.101.227.200.11][...80] [HTTP.PPStream][Unknown][Streaming][Fun][api.cupid.iqiyi.com]
- detection-update: [....67] [ip4][..tcp] [..192.168.115.8][50496] -> [.101.227.200.11][...80] [HTTP.PPStream][Unknown][Streaming][Fun][api.cupid.iqiyi.com]
- RISK: Unidirectional Traffic
- detection-update: [....67] [ip4][..tcp] [..192.168.115.8][50496] -> [.101.227.200.11][...80] [HTTP.PPStream][Unknown][Streaming][Fun][api.cupid.iqiyi.com]
- RISK: HTTP Obsolete Server
- new: [....68] [ip4][..tcp] [..192.168.115.8][50497] -> [.123.125.112.49][...80] [MIDSTREAM]
- detected: [....68] [ip4][..tcp] [..192.168.115.8][50497] -> [.123.125.112.49][...80] [HTTP][Unknown][Web][Acceptable][click.hm.baidu.com]
- new: [....69] [ip4][..udp] [...192.168.5.63][39383] -> [239.255.255.250][.1900]
- detected: [....69] [ip4][..udp] [...192.168.5.63][39383] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900]
- new: [....70] [ip4][..udp] [...192.168.5.63][60976] -> [239.255.255.250][.1900]
- detected: [....70] [ip4][..udp] [...192.168.5.63][60976] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900]
- new: [....71] [ip4][..tcp] [..192.168.115.8][50498] -> [..36.110.220.15][...80] [MIDSTREAM]
- detected: [....71] [ip4][..tcp] [..192.168.115.8][50498] -> [..36.110.220.15][...80] [HTTP][Unknown][Web][Acceptable][msg.video.qiyi.com]
- detection-update: [....71] [ip4][..tcp] [..192.168.115.8][50498] -> [..36.110.220.15][...80] [HTTP][Unknown][Web][Acceptable][msg.video.qiyi.com]
- RISK: HTTP Obsolete Server
- new: [....72] [ip4][..tcp] [..192.168.115.8][50499] -> [..111.206.22.76][...80] [MIDSTREAM]
- detected: [....72] [ip4][..tcp] [..192.168.115.8][50499] -> [..111.206.22.76][...80] [HTTP.PPStream][Unknown][Streaming][Fun][msg.iqiyi.com]
- detection-update: [....72] [ip4][..tcp] [..192.168.115.8][50499] -> [..111.206.22.76][...80] [HTTP.PPStream][Unknown][Streaming][Fun][msg.iqiyi.com]
- RISK: HTTP Obsolete Server
- new: [....73] [ip4][..tcp] [..192.168.115.8][50500] -> [..23.41.133.163][...80] [MIDSTREAM]
- detected: [....73] [ip4][..tcp] [..192.168.115.8][50500] -> [..23.41.133.163][...80] [HTTP][Unknown][Web][Acceptable][s1.symcb.com]
- new: [....74] [ip4][..tcp] [..192.168.115.8][50501] -> [.202.108.14.236][...80] [MIDSTREAM]
- detected: [....74] [ip4][..tcp] [..192.168.115.8][50501] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- detection-update: [....74] [ip4][..tcp] [..192.168.115.8][50501] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- RISK: HTTP Obsolete Server
- new: [....75] [ip4][..udp] [...192.168.5.38][58897] -> [239.255.255.250][.1900]
- detected: [....75] [ip4][..udp] [...192.168.5.38][58897] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900]
- new: [....76] [ip4][..tcp] [..192.168.115.8][50502] -> [.202.108.14.236][...80] [MIDSTREAM]
- detected: [....76] [ip4][..tcp] [..192.168.115.8][50502] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- detection-update: [....76] [ip4][..tcp] [..192.168.115.8][50502] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- RISK: HTTP Obsolete Server
- new: [....77] [ip4][..udp] [...192.168.5.50][52529] -> [239.255.255.250][.1900]
- detected: [....77] [ip4][..udp] [...192.168.5.50][52529] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900]
- new: [....78] [ip4][..tcp] [...192.168.5.15][65128] -> [.68.233.253.133][...80] [MIDSTREAM]
- detected: [....78] [ip4][..tcp] [...192.168.5.15][65128] -> [.68.233.253.133][...80] [HTTP][Unknown][Web][Acceptable][api.magicansoft.com]
- detection-update: [....78] [ip4][..tcp] [...192.168.5.15][65128] -> [.68.233.253.133][...80] [HTTP][Unknown][Web][Acceptable][api.magicansoft.com]
- RISK: Error Code
- new: [....79] [ip4][..tcp] [..192.168.115.8][50503] -> [.202.108.14.219][...80] [MIDSTREAM]
- detected: [....79] [ip4][..tcp] [..192.168.115.8][50503] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- detection-update: [....79] [ip4][..tcp] [..192.168.115.8][50503] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- RISK: HTTP Obsolete Server
- new: [....80] [ip4][..udp] [...192.168.5.28][60023] -> [239.255.255.250][.1900]
- detected: [....80] [ip4][..udp] [...192.168.5.28][60023] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900]
- update: [....22] [ip4][..udp] [..192.168.115.8][22793] -> [.222.26.193.119][.7133]
- update: [....25] [ip4][..udp] [..192.168.115.8][22793] -> [.115.157.62.243][29006]
- update: [....13] [ip4][..udp] [..192.168.115.8][22793] -> [.111.250.102.66][.1107]
- update: [....24] [ip4][..udp] [..192.168.115.8][22793] -> [..222.26.74.190][.1037]
- update: [....26] [ip4][..udp] [..192.168.115.8][22793] -> [.210.44.232.243][21044]
- update: [....27] [ip4][..udp] [..192.168.115.8][22793] -> [..1.169.136.116][17951]
- update: [....33] [ip4][..udp] [..192.168.115.8][22793] -> [.220.130.154.23][35941]
- update: [....32] [ip4][..udp] [..192.168.115.8][22793] -> [..114.47.91.129][22576]
- update: [.....6] [ip4][..udp] [..192.168.115.8][22793] -> [.111.249.53.196][32443]
- update: [.....3] [ip4][..udp] [..192.168.115.8][22793] -> [...114.42.0.158][.7716]
- update: [....12] [ip4][..udp] [..192.168.115.8][22793] -> [...210.44.171.1][29702]
- update: [.....4] [ip4][..udp] [..192.168.115.8][22793] -> [.222.197.138.12][.6956]
- update: [.....2] [ip4][..udp] [..118.171.15.56][.5544] -> [..192.168.115.8][22793]
- update: [....23] [ip4][..udp] [..192.168.115.8][22793] -> [.114.37.142.173][.1074]
- update: [.....7] [ip4][..udp] [..192.168.115.8][22793] -> [219.228.107.156][.1250]
- update: [....16] [ip4][..udp] [..192.168.115.8][22793] -> [...36.233.39.81][18590]
- update: [....35] [ip4][..udp] [..192.168.115.8][22793] -> [119.188.133.182][17788] [PPStream][Unknown][Streaming][Fun]
- update: [....18] [ip4][..udp] [..192.168.115.8][22793] -> [..61.227.170.88][20227]
- update: [....20] [ip4][..udp] [..192.168.115.8][22793] -> [.121.248.133.93][12757]
- update: [....19] [ip4][..udp] [..192.168.115.8][22793] -> [..202.112.31.89][29072]
- update: [....28] [ip4][..udp] [..192.168.115.8][22793] -> [.114.41.144.153][10492]
- update: [....14] [ip4][..udp] [..192.168.115.8][22793] -> [..61.223.204.67][11102]
- update: [.....8] [ip4][..udp] [.183.228.182.44][13913] -> [..192.168.115.8][22793]
- update: [....29] [ip4][..udp] [..192.168.115.8][22793] -> [..183.61.167.82][17788] [PPStream][Unknown][Streaming][Fun]
- update: [....36] [ip4][..udp] [..192.168.115.8][22793] -> [.183.61.167.104][17788] [PPStream][Unknown][Streaming][Fun]
- update: [....21] [ip4][..udp] [..192.168.115.8][22793] -> [..1.175.128.104][.5185]
- update: [....11] [ip4][..udp] [..192.168.115.8][22793] -> [..218.61.39.103][17788] [PPStream][Unknown][Streaming][Fun]
- update: [....34] [ip4][..udp] [..192.168.115.8][22793] -> [...218.61.39.87][17788] [PPStream][Unknown][Streaming][Fun]
- update: [....30] [ip4][..udp] [..192.168.115.8][22793] -> [...210.47.12.19][33738]
- update: [....31] [ip4][..udp] [..192.168.115.8][22793] -> [...210.47.12.20][33738]
- update: [....17] [ip4][..udp] [..192.168.115.8][22793] -> [.111.117.101.81][10162]
- update: [.....1] [ip4][..udp] [....1.173.5.226][22636] -> [..192.168.115.8][22793]
- update: [.....5] [ip4][..udp] [..192.168.115.8][22793] -> [...202.198.7.89][16039]
- update: [....15] [ip4][..udp] [..192.168.115.8][22793] -> [..36.237.154.69][.4316]
- new: [....81] [ip4][..tcp] [..192.168.115.8][50505] -> [..223.26.106.19][...80] [MIDSTREAM]
- detected: [....81] [ip4][..tcp] [..192.168.115.8][50505] -> [..223.26.106.19][...80] [HTTP][Unknown][Web][Acceptable][static.qiyi.com]
- detection-update: [....81] [ip4][..tcp] [..192.168.115.8][50505] -> [..223.26.106.19][...80] [HTTP][Unknown][Download][Acceptable][static.qiyi.com]
- RISK: Binary file/data transfer (attempt)
- new: [....82] [ip4][..tcp] [..192.168.115.8][50504] -> [.202.108.14.236][...80] [MIDSTREAM]
- detected: [....82] [ip4][..tcp] [..192.168.115.8][50504] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- new: [....83] [ip4][..udp] [...192.168.5.38][.1900] -> [239.255.255.250][.1900]
- detected: [....83] [ip4][..udp] [...192.168.5.38][.1900] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900]
- new: [....84] [ip4][..udp] [...192.168.5.41][50374] -> [239.255.255.250][.1900]
- detected: [....84] [ip4][..udp] [...192.168.5.41][50374] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900]
- new: [....85] [ip4][..tcp] [..192.168.115.8][50507] -> [..223.26.106.19][...80] [MIDSTREAM]
- detected: [....85] [ip4][..tcp] [..192.168.115.8][50507] -> [..223.26.106.19][...80] [HTTP][Unknown][Web][Acceptable][static.qiyi.com]
- detection-update: [....85] [ip4][..tcp] [..192.168.115.8][50507] -> [..223.26.106.19][...80] [HTTP][Unknown][Download][Acceptable][static.qiyi.com]
- RISK: Binary file/data transfer (attempt)
- new: [....86] [ip4][..tcp] [.202.108.14.219][...80] -> [..192.168.115.8][50506] [MIDSTREAM]
- detected: [....86] [ip4][..tcp] [.202.108.14.219][...80] -> [..192.168.115.8][50506] [HTTP][Unknown][Web][Acceptable][]
- RISK: HTTP Susp User-Agent, HTTP Obsolete Server
- new: [....87] [ip4][..tcp] [.202.108.14.219][...80] -> [..192.168.115.8][50295] [MIDSTREAM]
- detected: [....87] [ip4][..tcp] [.202.108.14.219][...80] -> [..192.168.115.8][50295] [HTTP][Unknown][Web][Acceptable][]
- RISK: HTTP Susp User-Agent, HTTP Obsolete Server
- detection-update: [....87] [ip4][..tcp] [.202.108.14.219][...80] -> [..192.168.115.8][50295] [HTTP][Unknown][Web][Acceptable][]
- RISK: HTTP Susp User-Agent, Unidirectional Traffic, HTTP Obsolete Server
- new: [....88] [ip4][..tcp] [..192.168.115.8][50508] -> [..223.26.106.19][...80] [MIDSTREAM]
- detected: [....88] [ip4][..tcp] [..192.168.115.8][50508] -> [..223.26.106.19][...80] [HTTP][Unknown][Web][Acceptable][static.qiyi.com]
- detection-update: [....88] [ip4][..tcp] [..192.168.115.8][50508] -> [..223.26.106.19][...80] [HTTP][Unknown][Download][Acceptable][static.qiyi.com]
- RISK: Binary file/data transfer (attempt)
- new: [....89] [ip4][..tcp] [..192.168.115.8][50509] -> [.106.38.219.107][...80] [MIDSTREAM]
- detected: [....89] [ip4][..tcp] [..192.168.115.8][50509] -> [.106.38.219.107][...80] [HTTP][Unknown][Web][Acceptable][iplocation.geo.qiyi.com]
- new: [....90] [ip4][..tcp] [..192.168.115.8][50766] -> [..223.26.106.20][...80] [MIDSTREAM]
- detected: [....90] [ip4][..tcp] [..192.168.115.8][50766] -> [..223.26.106.20][...80] [HTTP][Unknown][Web][Acceptable][static.qiyi.com]
- detection-update: [....90] [ip4][..tcp] [..192.168.115.8][50766] -> [..223.26.106.20][...80] [HTTP][Unknown][Download][Acceptable][static.qiyi.com]
- RISK: Binary file/data transfer (attempt)
- new: [....91] [ip4][..tcp] [..192.168.115.8][50767] -> [..223.26.106.20][...80] [MIDSTREAM]
- detected: [....91] [ip4][..tcp] [..192.168.115.8][50767] -> [..223.26.106.20][...80] [HTTP][Unknown][Web][Acceptable][static.qiyi.com]
- detection-update: [....91] [ip4][..tcp] [..192.168.115.8][50767] -> [..223.26.106.20][...80] [HTTP][Unknown][Download][Acceptable][static.qiyi.com]
- RISK: Binary file/data transfer (attempt)
- new: [....92] [ip4][..tcp] [..192.168.115.8][50765] -> [..36.110.220.15][...80] [MIDSTREAM]
- detected: [....92] [ip4][..tcp] [..192.168.115.8][50765] -> [..36.110.220.15][...80] [HTTP][Unknown][Web][Acceptable][msg.video.qiyi.com]
- new: [....93] [ip4][..tcp] [..192.168.115.8][50768] -> [..223.26.106.19][...80] [MIDSTREAM]
- detected: [....93] [ip4][..tcp] [..192.168.115.8][50768] -> [..223.26.106.19][...80] [HTTP][Unknown][Web][Acceptable][static.qiyi.com]
- detection-update: [....92] [ip4][..tcp] [..192.168.115.8][50765] -> [..36.110.220.15][...80] [HTTP][Unknown][Web][Acceptable][msg.video.qiyi.com]
- RISK: HTTP Obsolete Server
- detection-update: [....93] [ip4][..tcp] [..192.168.115.8][50768] -> [..223.26.106.19][...80] [HTTP][Unknown][Download][Acceptable][static.qiyi.com]
- RISK: Binary file/data transfer (attempt)
- new: [....94] [ip4][..tcp] [..192.168.115.8][50769] -> [.101.227.200.11][...80] [MIDSTREAM]
- detected: [....94] [ip4][..tcp] [..192.168.115.8][50769] -> [.101.227.200.11][...80] [HTTP.PPStream][Unknown][Streaming][Fun][api.cupid.iqiyi.com]
- detection-update: [....94] [ip4][..tcp] [..192.168.115.8][50769] -> [.101.227.200.11][...80] [HTTP.PPStream][Unknown][Streaming][Fun][api.cupid.iqiyi.com]
- RISK: HTTP Obsolete Server
- new: [....95] [ip4][..tcp] [..192.168.115.8][50771] -> [.202.108.14.236][...80] [MIDSTREAM]
- detected: [....95] [ip4][..tcp] [..192.168.115.8][50771] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- new: [....96] [ip4][..tcp] [..192.168.115.8][50772] -> [.123.125.111.70][...80] [MIDSTREAM]
- detected: [....96] [ip4][..tcp] [..192.168.115.8][50772] -> [.123.125.111.70][...80] [HTTP.PPStream][Unknown][Streaming][Fun][nl.rcd.iqiyi.com]
- detection-update: [....95] [ip4][..tcp] [..192.168.115.8][50771] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- RISK: HTTP Obsolete Server
- new: [....97] [ip4][..tcp] [..192.168.115.8][50773] -> [.202.108.14.221][...80] [MIDSTREAM]
- detected: [....97] [ip4][..tcp] [..192.168.115.8][50773] -> [.202.108.14.221][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- detection-update: [....97] [ip4][..tcp] [..192.168.115.8][50773] -> [.202.108.14.221][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- RISK: HTTP Obsolete Server
- new: [....98] [ip4][..tcp] [..192.168.115.8][50775] -> [.123.125.111.70][...80] [MIDSTREAM]
- detected: [....98] [ip4][..tcp] [..192.168.115.8][50775] -> [.123.125.111.70][...80] [HTTP.PPStream][Unknown][Streaming][Fun][nl.rcd.iqiyi.com]
- new: [....99] [ip4][..tcp] [..192.168.115.8][50774] -> [.202.108.14.219][...80] [MIDSTREAM]
- detected: [....99] [ip4][..tcp] [..192.168.115.8][50774] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- new: [...100] [ip4][..tcp] [..192.168.115.8][50776] -> [..111.206.22.77][...80] [MIDSTREAM]
- detected: [...100] [ip4][..tcp] [..192.168.115.8][50776] -> [..111.206.22.77][...80] [HTTP.PPStream][Unknown][Streaming][Fun][msg.iqiyi.com]
- detection-update: [....99] [ip4][..tcp] [..192.168.115.8][50774] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable][msg.71.am]
- RISK: HTTP Obsolete Server
- detection-update: [...100] [ip4][..tcp] [..192.168.115.8][50776] -> [..111.206.22.77][...80] [HTTP.PPStream][Unknown][Streaming][Fun][msg.iqiyi.com]
- RISK: HTTP Obsolete Server
- new: [...101] [ip4][..tcp] [..192.168.115.8][50777] -> [..111.206.22.77][...80] [MIDSTREAM]
- detected: [...101] [ip4][..tcp] [..192.168.115.8][50777] -> [..111.206.22.77][...80] [HTTP.PPStream][Unknown][Streaming][Fun][msg.iqiyi.com]
- detection-update: [...101] [ip4][..tcp] [..192.168.115.8][50777] -> [..111.206.22.77][...80] [HTTP.PPStream][Unknown][Streaming][Fun][msg.iqiyi.com]
- RISK: HTTP Obsolete Server
- new: [...102] [ip4][..tcp] [..192.168.115.8][50778] -> [..223.26.106.20][...80] [MIDSTREAM]
- detected: [...102] [ip4][..tcp] [..192.168.115.8][50778] -> [..223.26.106.20][...80] [HTTP.PPStream][Unknown][Streaming][Fun][preimage1.qiyipic.com]
- new: [...103] [ip4][..udp] [..192.168.115.1][50945] -> [239.255.255.250][.1900]
- detected: [...103] [ip4][..udp] [..192.168.115.1][50945] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900]
- new: [...104] [ip4][..tcp] [..192.168.115.8][50779] -> [..111.206.22.77][...80] [MIDSTREAM]
- detected: [...104] [ip4][..tcp] [..192.168.115.8][50779] -> [..111.206.22.77][...80] [HTTP.PPStream][Unknown][Streaming][Fun][msg.iqiyi.com]
- detection-update: [...104] [ip4][..tcp] [..192.168.115.8][50779] -> [..111.206.22.77][...80] [HTTP.PPStream][Unknown][Streaming][Fun][msg.iqiyi.com]
- RISK: Unidirectional Traffic
- detection-update: [...104] [ip4][..tcp] [..192.168.115.8][50779] -> [..111.206.22.77][...80] [HTTP.PPStream][Unknown][Streaming][Fun][msg.iqiyi.com]
- RISK: HTTP Obsolete Server
- new: [...105] [ip4][..tcp] [..192.168.115.8][50780] -> [..223.26.106.20][...80] [MIDSTREAM]
- detected: [...105] [ip4][..tcp] [..192.168.115.8][50780] -> [..223.26.106.20][...80] [HTTP.PPStream][Unknown][Streaming][Fun][preimage1.qiyipic.com]
- update: [....55] [ip4][..udp] [...192.168.5.57][59648] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable]
- new: [...106] [ip4][..tcp] [..192.168.115.8][50781] -> [..223.26.106.20][...80] [MIDSTREAM]
- detected: [...106] [ip4][..tcp] [..192.168.115.8][50781] -> [..223.26.106.20][...80] [HTTP.PPStream][Unknown][Streaming][Fun][preimage1.qiyipic.com]
- new: [...107] [ip4][..tcp] [...77.234.41.35][...80] -> [..192.168.115.8][49174] [MIDSTREAM]
- detected: [...107] [ip4][..tcp] [...77.234.41.35][...80] -> [..192.168.115.8][49174] [HTTP][AVAST][Download][Acceptable][]
- RISK: HTTP Susp User-Agent, Binary file/data transfer (attempt)
- detection-update: [...107] [ip4][..tcp] [...77.234.41.35][...80] -> [..192.168.115.8][49174] [HTTP][AVAST][Download][Acceptable][]
- RISK: HTTP Susp User-Agent, Unidirectional Traffic, Binary file/data transfer (attempt)
- detection-update: [...107] [ip4][..tcp] [...77.234.41.35][...80] -> [..192.168.115.8][49174] [HTTP.Cybersec][AVAST][Cybersecurity][Safe][su.ff.avast.com]
- RISK: HTTP Susp User-Agent, Binary file/data transfer (attempt)
- not-detected: [....22] [ip4][..udp] [..192.168.115.8][22793] -> [.222.26.193.119][.7133] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
- idle: [....22] [ip4][..udp] [..192.168.115.8][22793] -> [.222.26.193.119][.7133]
- idle: [....54] [ip4][..tcp] [..192.168.115.8][50486] -> [...77.234.40.96][...80] [HTTP.Cybersec][AVAST][Download][Safe]
- RISK: HTTP Susp User-Agent, HTTP Obsolete Server, Binary file/data transfer (attempt)
- not-detected: [....25] [ip4][..udp] [..192.168.115.8][22793] -> [.115.157.62.243][29006] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
- idle: [....25] [ip4][..udp] [..192.168.115.8][22793] -> [.115.157.62.243][29006]
- not-detected: [....13] [ip4][..udp] [..192.168.115.8][22793] -> [.111.250.102.66][.1107] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
- idle: [....13] [ip4][..udp] [..192.168.115.8][22793] -> [.111.250.102.66][.1107]
- guessed: [....10] [ip4][..tcp] [...192.168.5.15][65125] -> [.68.233.253.133][...80] [HTTP][Unknown][Web][Acceptable][]
- RISK: Unidirectional Traffic
- end: [....10] [ip4][..tcp] [...192.168.5.15][65125] -> [.68.233.253.133][...80]
- idle: [....64] [ip4][..tcp] [...192.168.5.15][65127] -> [.68.233.253.133][...80] [HTTP][Unknown][Web][Acceptable]
- RISK: Error Code
- idle: [....78] [ip4][..tcp] [...192.168.5.15][65128] -> [.68.233.253.133][...80] [HTTP][Unknown][Web][Acceptable]
- RISK: Error Code
- not-detected: [....24] [ip4][..udp] [..192.168.115.8][22793] -> [..222.26.74.190][.1037] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
- idle: [....24] [ip4][..udp] [..192.168.115.8][22793] -> [..222.26.74.190][.1037]
- not-detected: [....26] [ip4][..udp] [..192.168.115.8][22793] -> [.210.44.232.243][21044] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
- idle: [....26] [ip4][..udp] [..192.168.115.8][22793] -> [.210.44.232.243][21044]
- not-detected: [....27] [ip4][..udp] [..192.168.115.8][22793] -> [..1.169.136.116][17951] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
- idle: [....27] [ip4][..udp] [..192.168.115.8][22793] -> [..1.169.136.116][17951]
- idle: [....39] [ip4][..tcp] [..192.168.115.8][50466] -> [..203.66.182.24][...80] [HTTP.OCSP][Unknown][Web][Safe]
- not-detected: [....33] [ip4][..udp] [..192.168.115.8][22793] -> [.220.130.154.23][35941] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
- idle: [....33] [ip4][..udp] [..192.168.115.8][22793] -> [.220.130.154.23][35941]
- idle: [....55] [ip4][..udp] [...192.168.5.57][59648] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable]
- idle: [....57] [ip4][..tcp] [..192.168.115.8][50488] -> [..223.26.106.20][...80] [HTTP][Unknown][Web][Acceptable]
- idle: [....60] [ip4][..tcp] [..192.168.115.8][50491] -> [..223.26.106.66][...80] [HTTP][Unknown][Web][Acceptable]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI
- idle: [....63] [ip4][..tcp] [..192.168.115.8][50494] -> [..223.26.106.66][...80] [HTTP][Unknown][Download][Acceptable]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
- idle: [....81] [ip4][..tcp] [..192.168.115.8][50505] -> [..223.26.106.19][...80] [HTTP][Unknown][Download][Acceptable]
- RISK: Binary file/data transfer (attempt)
- idle: [....85] [ip4][..tcp] [..192.168.115.8][50507] -> [..223.26.106.19][...80] [HTTP][Unknown][Download][Acceptable]
- RISK: Binary file/data transfer (attempt)
- idle: [....88] [ip4][..tcp] [..192.168.115.8][50508] -> [..223.26.106.19][...80] [HTTP][Unknown][Download][Acceptable]
- RISK: Binary file/data transfer (attempt)
- not-detected: [....32] [ip4][..udp] [..192.168.115.8][22793] -> [..114.47.91.129][22576] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
- idle: [....32] [ip4][..udp] [..192.168.115.8][22793] -> [..114.47.91.129][22576]
- idle: [....37] [ip4][..tcp] [..192.168.115.8][50463] -> [.101.227.200.11][...80] [HTTP.PPStream][Unknown][Streaming][Fun]
- RISK: HTTP Obsolete Server
- idle: [....47] [ip4][..tcp] [..192.168.115.8][50476] -> [..101.227.32.39][...80] [HTTP.PPStream][Unknown][Streaming][Fun]
- RISK: HTTP Susp User-Agent
- idle: [....67] [ip4][..tcp] [..192.168.115.8][50496] -> [.101.227.200.11][...80] [HTTP.PPStream][Unknown][Streaming][Fun]
- RISK: HTTP Obsolete Server
- idle: [....65] [ip4][..udp] [...192.168.5.48][63930] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable]
- idle: [....69] [ip4][..udp] [...192.168.5.63][39383] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable]
- not-detected: [.....6] [ip4][..udp] [..192.168.115.8][22793] -> [.111.249.53.196][32443] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
- idle: [.....6] [ip4][..udp] [..192.168.115.8][22793] -> [.111.249.53.196][32443]
- idle: [....90] [ip4][..tcp] [..192.168.115.8][50766] -> [..223.26.106.20][...80] [HTTP][Unknown][Download][Acceptable]
- RISK: Binary file/data transfer (attempt)
- idle: [....91] [ip4][..tcp] [..192.168.115.8][50767] -> [..223.26.106.20][...80] [HTTP][Unknown][Download][Acceptable]
- RISK: Binary file/data transfer (attempt)
- idle: [....93] [ip4][..tcp] [..192.168.115.8][50768] -> [..223.26.106.19][...80] [HTTP][Unknown][Download][Acceptable]
- RISK: Binary file/data transfer (attempt)
- idle: [...102] [ip4][..tcp] [..192.168.115.8][50778] -> [..223.26.106.20][...80] [HTTP.PPStream][Unknown][Streaming][Fun]
- idle: [...105] [ip4][..tcp] [..192.168.115.8][50780] -> [..223.26.106.20][...80] [HTTP.PPStream][Unknown][Streaming][Fun]
- idle: [...106] [ip4][..tcp] [..192.168.115.8][50781] -> [..223.26.106.20][...80] [HTTP.PPStream][Unknown][Streaming][Fun]
- idle: [....87] [ip4][..tcp] [.202.108.14.219][...80] -> [..192.168.115.8][50295] [HTTP][Unknown][Web][Acceptable]
- RISK: HTTP Susp User-Agent, Unidirectional Traffic, HTTP Obsolete Server
- not-detected: [.....3] [ip4][..udp] [..192.168.115.8][22793] -> [...114.42.0.158][.7716] [Unknown][Unknown][Unrated]
- idle: [.....3] [ip4][..udp] [..192.168.115.8][22793] -> [...114.42.0.158][.7716]
- idle: [....80] [ip4][..udp] [...192.168.5.28][60023] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable]
- not-detected: [....12] [ip4][..udp] [..192.168.115.8][22793] -> [...210.44.171.1][29702] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
- idle: [....12] [ip4][..udp] [..192.168.115.8][22793] -> [...210.44.171.1][29702]
- idle: [....58] [ip4][..tcp] [..192.168.115.8][50489] -> [.119.188.13.188][...80] [HTTP][Unknown][Web][Acceptable]
- RISK: HTTP Obsolete Server
- idle: [....59] [ip4][..tcp] [..192.168.115.8][50490] -> [.119.188.13.188][...80] [HTTP][Unknown][Web][Acceptable]
- RISK: HTTP Obsolete Server
- idle: [....94] [ip4][..tcp] [..192.168.115.8][50769] -> [.101.227.200.11][...80] [HTTP.PPStream][Unknown][Streaming][Fun]
- RISK: HTTP Obsolete Server
- not-detected: [.....4] [ip4][..udp] [..192.168.115.8][22793] -> [.222.197.138.12][.6956] [Unknown][Unknown][Unrated]
- idle: [.....4] [ip4][..udp] [..192.168.115.8][22793] -> [.222.197.138.12][.6956]
- not-detected: [.....2] [ip4][..udp] [..118.171.15.56][.5544] -> [..192.168.115.8][22793] [Unknown][Unknown][Unrated]
- RISK: Susp Entropy
- idle: [.....2] [ip4][..udp] [..118.171.15.56][.5544] -> [..192.168.115.8][22793]
- guessed: [.....9] [ip4][..tcp] [..192.168.115.8][50462] -> [.202.108.14.236][...80] [HTTP][Unknown][Web][Acceptable][]
- RISK: Unidirectional Traffic
- idle: [.....9] [ip4][..tcp] [..192.168.115.8][50462] -> [.202.108.14.236][...80]
- idle: [....40] [ip4][..tcp] [..192.168.115.8][50467] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable]
- RISK: HTTP Obsolete Server
- idle: [....41] [ip4][..tcp] [..192.168.115.8][50469] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable]
- RISK: HTTP Obsolete Server
- idle: [....42] [ip4][..tcp] [..192.168.115.8][50470] -> [.202.108.14.236][...80] [HTTP.PPStream][Unknown][Streaming][Fun]
- RISK: HTTP Obsolete Server
- idle: [....43] [ip4][..tcp] [..192.168.115.8][50471] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable]
- RISK: HTTP Obsolete Server
- idle: [....46] [ip4][..tcp] [..192.168.115.8][50473] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable]
- RISK: HTTP Obsolete Server
- idle: [....44] [ip4][..tcp] [..192.168.115.8][50474] -> [.202.108.14.221][...80] [HTTP.PPStream][Unknown][Streaming][Fun]
- RISK: HTTP Obsolete Server
- idle: [....45] [ip4][..tcp] [..192.168.115.8][50475] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable]
- RISK: HTTP Obsolete Server
- idle: [....48] [ip4][..tcp] [..192.168.115.8][50477] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable]
- RISK: HTTP Obsolete Server
- idle: [....51] [ip4][..tcp] [..192.168.115.8][50483] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable]
- RISK: HTTP Obsolete Server
- idle: [....52] [ip4][..tcp] [..192.168.115.8][50484] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable]
- RISK: HTTP Obsolete Server
- idle: [....53] [ip4][..tcp] [..192.168.115.8][50485] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable]
- RISK: HTTP Obsolete Server
- idle: [....56] [ip4][..tcp] [..192.168.115.8][50487] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable]
- idle: [....62] [ip4][..tcp] [..192.168.115.8][50493] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable]
- RISK: HTTP Obsolete Server
- idle: [....66] [ip4][..tcp] [..192.168.115.8][50495] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable]
- RISK: HTTP Obsolete Server
- idle: [....74] [ip4][..tcp] [..192.168.115.8][50501] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable]
- RISK: HTTP Obsolete Server
- idle: [....76] [ip4][..tcp] [..192.168.115.8][50502] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable]
- RISK: HTTP Obsolete Server
- idle: [....79] [ip4][..tcp] [..192.168.115.8][50503] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable]
- RISK: HTTP Obsolete Server
- idle: [....82] [ip4][..tcp] [..192.168.115.8][50504] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable]
- idle: [....86] [ip4][..tcp] [.202.108.14.219][...80] -> [..192.168.115.8][50506] [HTTP][Unknown][Web][Acceptable]
- RISK: HTTP Susp User-Agent, HTTP Obsolete Server
- idle: [...107] [ip4][..tcp] [...77.234.41.35][...80] -> [..192.168.115.8][49174] [HTTP.Cybersec][AVAST][Cybersecurity][Safe]
- RISK: HTTP Susp User-Agent, Binary file/data transfer (attempt)
- not-detected: [....23] [ip4][..udp] [..192.168.115.8][22793] -> [.114.37.142.173][.1074] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
- idle: [....23] [ip4][..udp] [..192.168.115.8][22793] -> [.114.37.142.173][.1074]
- not-detected: [.....7] [ip4][..udp] [..192.168.115.8][22793] -> [219.228.107.156][.1250] [Unknown][Unknown][Unrated]
- idle: [.....7] [ip4][..udp] [..192.168.115.8][22793] -> [219.228.107.156][.1250]
- not-detected: [....16] [ip4][..udp] [..192.168.115.8][22793] -> [...36.233.39.81][18590] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
- idle: [....16] [ip4][..udp] [..192.168.115.8][22793] -> [...36.233.39.81][18590]
- idle: [....38] [ip4][..tcp] [..192.168.115.8][50464] -> [.123.125.112.49][...80] [HTTP][Unknown][Web][Acceptable]
- idle: [....35] [ip4][..udp] [..192.168.115.8][22793] -> [119.188.133.182][17788] [PPStream][Unknown][Streaming][Fun]
- end: [....68] [ip4][..tcp] [..192.168.115.8][50497] -> [.123.125.112.49][...80] [HTTP][Unknown][Web][Acceptable]
- idle: [....50] [ip4][..tcp] [..192.168.115.8][50482] -> [.140.205.243.64][...80] [HTTP][Alibaba][Web][Acceptable]
- not-detected: [....18] [ip4][..udp] [..192.168.115.8][22793] -> [..61.227.170.88][20227] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
- idle: [....18] [ip4][..udp] [..192.168.115.8][22793] -> [..61.227.170.88][20227]
- not-detected: [....20] [ip4][..udp] [..192.168.115.8][22793] -> [.121.248.133.93][12757] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
- idle: [....20] [ip4][..udp] [..192.168.115.8][22793] -> [.121.248.133.93][12757]
- idle: [....95] [ip4][..tcp] [..192.168.115.8][50771] -> [.202.108.14.236][...80] [HTTP][Unknown][Streaming][Acceptable]
- RISK: HTTP Obsolete Server
- not-detected: [....19] [ip4][..udp] [..192.168.115.8][22793] -> [..202.112.31.89][29072] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
- idle: [....19] [ip4][..udp] [..192.168.115.8][22793] -> [..202.112.31.89][29072]
- idle: [....97] [ip4][..tcp] [..192.168.115.8][50773] -> [.202.108.14.221][...80] [HTTP][Unknown][Streaming][Acceptable]
- RISK: HTTP Obsolete Server
- idle: [....99] [ip4][..tcp] [..192.168.115.8][50774] -> [.202.108.14.219][...80] [HTTP][Unknown][Streaming][Acceptable]
- RISK: HTTP Obsolete Server
- not-detected: [....28] [ip4][..udp] [..192.168.115.8][22793] -> [.114.41.144.153][10492] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
- idle: [....28] [ip4][..udp] [..192.168.115.8][22793] -> [.114.41.144.153][10492]
- not-detected: [....14] [ip4][..udp] [..192.168.115.8][22793] -> [..61.223.204.67][11102] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
- idle: [....14] [ip4][..udp] [..192.168.115.8][22793] -> [..61.223.204.67][11102]
- idle: [....71] [ip4][..tcp] [..192.168.115.8][50498] -> [..36.110.220.15][...80] [HTTP][Unknown][Web][Acceptable]
- RISK: HTTP Obsolete Server
- idle: [....61] [ip4][..tcp] [..192.168.115.8][50492] -> [...111.206.13.3][...80] [HTTP][Unknown][Web][Acceptable]
- RISK: HTTP Obsolete Server
- idle: [....72] [ip4][..tcp] [..192.168.115.8][50499] -> [..111.206.22.76][...80] [HTTP.PPStream][Unknown][Streaming][Fun]
- RISK: HTTP Obsolete Server
- idle: [....89] [ip4][..tcp] [..192.168.115.8][50509] -> [.106.38.219.107][...80] [HTTP][Unknown][Web][Acceptable]
- idle: [....96] [ip4][..tcp] [..192.168.115.8][50772] -> [.123.125.111.70][...80] [HTTP.PPStream][Unknown][Streaming][Fun]
- idle: [....98] [ip4][..tcp] [..192.168.115.8][50775] -> [.123.125.111.70][...80] [HTTP.PPStream][Unknown][Streaming][Fun]
- not-detected: [.....8] [ip4][..udp] [.183.228.182.44][13913] -> [..192.168.115.8][22793] [Unknown][Unknown][Unrated]
- idle: [.....8] [ip4][..udp] [.183.228.182.44][13913] -> [..192.168.115.8][22793]
- idle: [....84] [ip4][..udp] [...192.168.5.41][50374] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable]
- idle: [....36] [ip4][..udp] [..192.168.115.8][22793] -> [.183.61.167.104][17788] [PPStream][Unknown][Streaming][Fun]
- idle: [....29] [ip4][..udp] [..192.168.115.8][22793] -> [..183.61.167.82][17788] [PPStream][Unknown][Streaming][Fun]
- not-detected: [....21] [ip4][..udp] [..192.168.115.8][22793] -> [..1.175.128.104][.5185] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
- idle: [....21] [ip4][..udp] [..192.168.115.8][22793] -> [..1.175.128.104][.5185]
- idle: [....34] [ip4][..udp] [..192.168.115.8][22793] -> [...218.61.39.87][17788] [PPStream][Unknown][Streaming][Fun]
- idle: [....11] [ip4][..udp] [..192.168.115.8][22793] -> [..218.61.39.103][17788] [PPStream][Unknown][Streaming][Fun]
- idle: [....77] [ip4][..udp] [...192.168.5.50][52529] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable]
- not-detected: [....31] [ip4][..udp] [..192.168.115.8][22793] -> [...210.47.12.20][33738] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
- idle: [....31] [ip4][..udp] [..192.168.115.8][22793] -> [...210.47.12.20][33738]
- not-detected: [....30] [ip4][..udp] [..192.168.115.8][22793] -> [...210.47.12.19][33738] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
- idle: [....30] [ip4][..udp] [..192.168.115.8][22793] -> [...210.47.12.19][33738]
- idle: [....92] [ip4][..tcp] [..192.168.115.8][50765] -> [..36.110.220.15][...80] [HTTP][Unknown][Web][Acceptable]
- RISK: HTTP Obsolete Server
- idle: [....49] [ip4][..tcp] [..117.79.81.135][...80] -> [..192.168.115.8][50443] [HTTP][Unknown][Web][Acceptable]
- RISK: HTTP Susp User-Agent
- idle: [...100] [ip4][..tcp] [..192.168.115.8][50776] -> [..111.206.22.77][...80] [HTTP.PPStream][Unknown][Streaming][Fun]
- RISK: HTTP Obsolete Server
- idle: [...101] [ip4][..tcp] [..192.168.115.8][50777] -> [..111.206.22.77][...80] [HTTP.PPStream][Unknown][Streaming][Fun]
- RISK: HTTP Obsolete Server
- idle: [...104] [ip4][..tcp] [..192.168.115.8][50779] -> [..111.206.22.77][...80] [HTTP.PPStream][Unknown][Streaming][Fun]
- RISK: HTTP Obsolete Server
- idle: [....75] [ip4][..udp] [...192.168.5.38][58897] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable]
- idle: [....70] [ip4][..udp] [...192.168.5.63][60976] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable]
- not-detected: [....17] [ip4][..udp] [..192.168.115.8][22793] -> [.111.117.101.81][10162] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
- idle: [....17] [ip4][..udp] [..192.168.115.8][22793] -> [.111.117.101.81][10162]
- idle: [...103] [ip4][..udp] [..192.168.115.1][50945] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable]
- not-detected: [.....1] [ip4][..udp] [....1.173.5.226][22636] -> [..192.168.115.8][22793] [Unknown][Unknown][Unrated]
- RISK: Susp Entropy
- idle: [.....1] [ip4][..udp] [....1.173.5.226][22636] -> [..192.168.115.8][22793]
- not-detected: [.....5] [ip4][..udp] [..192.168.115.8][22793] -> [...202.198.7.89][16039] [Unknown][Unknown][Unrated]
- idle: [.....5] [ip4][..udp] [..192.168.115.8][22793] -> [...202.198.7.89][16039]
- idle: [....73] [ip4][..tcp] [..192.168.115.8][50500] -> [..23.41.133.163][...80] [HTTP][Unknown][Web][Acceptable]
- idle: [....83] [ip4][..udp] [...192.168.5.38][.1900] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable]
- not-detected: [....15] [ip4][..udp] [..192.168.115.8][22793] -> [..36.237.154.69][.4316] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
- idle: [....15] [ip4][..udp] [..192.168.115.8][22793] -> [..36.237.154.69][.4316]
- DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/quic.pcap.out b/test/results/flow-info/default/quic.pcap.out
index d4d6faf0c..fb3d9b71b 100644
--- a/test/results/flow-info/default/quic.pcap.out
+++ b/test/results/flow-info/default/quic.pcap.out
@@ -52,6 +52,7 @@
[ENTROPIES...: 5.1,7.4,7.6,2.6,5.4,7.4,5.3,5.5,7.9,5.5,5.5,5.7,7.9,7.9,7.8,5.6,5.6,7.9,7.9,5.7,7.9,7.9,7.9,5.6,7.9,5.7,7.9,7.8,7.9,5.6,7.9,7.9]
idle: [.....7] [ip4][..udp] [..192.168.1.105][40030] -> [.216.58.201.227][..443] [QUIC.Google][Google][Web][Acceptable]
guessed: [.....4] [ip4][..udp] [..192.168.1.105][40461] -> [...172.217.16.3][..443] [QUIC][Google][Web][Acceptable]
+ RISK: Susp Entropy
idle: [.....4] [ip4][..udp] [..192.168.1.105][40461] -> [...172.217.16.3][..443]
idle: [.....6] [ip4][..udp] [..192.168.1.105][48445] -> [.216.58.214.110][..443] [QUIC.YouTube][Google][Media][Fun]
idle: [.....5] [ip4][..udp] [..192.168.1.105][34438] -> [.216.58.210.238][..443] [QUIC.YouTube][Google][Media][Fun]
diff --git a/test/results/flow-info/default/quickplay.pcap.out b/test/results/flow-info/default/quickplay.pcap.out
index cbbe5a432..9fd126ffc 100644
--- a/test/results/flow-info/default/quickplay.pcap.out
+++ b/test/results/flow-info/default/quickplay.pcap.out
@@ -12,7 +12,7 @@
new: [.....5] [ip4][..tcp] [..10.54.169.250][52288] -> [..173.252.74.22][...80] [MIDSTREAM]
detected: [.....5] [ip4][..tcp] [..10.54.169.250][52288] -> [..173.252.74.22][...80] [HTTP.Facebook][Facebook][SocialNetwork][Fun][www.facebook.com]
new: [.....6] [ip4][..tcp] [..10.54.169.250][33277] -> [..120.28.26.231][...80] [MIDSTREAM]
- detected: [.....6] [ip4][..tcp] [..10.54.169.250][33277] -> [..120.28.26.231][...80] [HTTP.Google][Unknown][Web][Acceptable][clients3.google.com]
+ detected: [.....6] [ip4][..tcp] [..10.54.169.250][33277] -> [..120.28.26.231][...80] [HTTP.Google][Unknown][ConnCheck][Acceptable][clients3.google.com]
new: [.....7] [ip4][..tcp] [..10.54.169.250][44793] -> [....31.13.68.49][...80] [MIDSTREAM]
detected: [.....7] [ip4][..tcp] [..10.54.169.250][44793] -> [....31.13.68.49][...80] [HTTP.Facebook][Facebook][SocialNetwork][Fun][www.facebook.com]
new: [.....8] [ip4][..tcp] [..10.54.169.250][44256] -> [....120.28.5.41][...80] [MIDSTREAM]
@@ -41,14 +41,14 @@
detected: [....13] [ip4][..tcp] [..10.54.169.250][54885] -> [203.205.151.160][...80] [HTTP_Proxy.QQ][Unknown][Chat][Fun][hkextshort.weixin.qq.com]
RISK: Known Proto on Non Std Port
detection-update: [....12] [ip4][..tcp] [..10.54.169.250][42761] -> [203.205.129.101][...80] [HTTP_Proxy.QQ][Tencent][Download][Fun][hkextshort.weixin.qq.com]
- RISK: Known Proto on Non Std Port, Binary file/data transfer (attempt)
+ RISK: Known Proto on Non Std Port, Binary File/Data Transfer (Attempt)
detection-update: [....13] [ip4][..tcp] [..10.54.169.250][54885] -> [203.205.151.160][...80] [HTTP_Proxy.QQ][Unknown][Download][Fun][hkextshort.weixin.qq.com]
- RISK: Known Proto on Non Std Port, Binary file/data transfer (attempt)
+ RISK: Known Proto on Non Std Port, Binary File/Data Transfer (Attempt)
new: [....14] [ip4][..tcp] [..10.54.169.250][42762] -> [203.205.129.101][...80] [MIDSTREAM]
detected: [....14] [ip4][..tcp] [..10.54.169.250][42762] -> [203.205.129.101][...80] [HTTP_Proxy.QQ][Tencent][Chat][Fun][hkextshort.weixin.qq.com]
RISK: Known Proto on Non Std Port
detection-update: [....14] [ip4][..tcp] [..10.54.169.250][42762] -> [203.205.129.101][...80] [HTTP_Proxy.QQ][Tencent][Download][Fun][hkextshort.weixin.qq.com]
- RISK: Known Proto on Non Std Port, Binary file/data transfer (attempt)
+ RISK: Known Proto on Non Std Port, Binary File/Data Transfer (Attempt)
analyse: [....11] [ip4][..tcp] [..10.54.169.250][52009] -> [...120.28.35.40][...80] [HTTP][Unknown][Streaming][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: 0.183| 5.871| 2.460| 1.331| 1772261.736| 4.700]
@@ -63,13 +63,14 @@
detected: [....15] [ip4][..tcp] [..10.54.169.250][35670] -> [203.205.147.215][...80] [HTTP_Proxy.QQ][Tencent][Chat][Fun][hkminorshort.weixin.qq.com]
RISK: Known Proto on Non Std Port
detection-update: [....15] [ip4][..tcp] [..10.54.169.250][35670] -> [203.205.147.215][...80] [HTTP_Proxy.QQ][Tencent][Download][Fun][hkminorshort.weixin.qq.com]
- RISK: Known Proto on Non Std Port, Binary file/data transfer (attempt)
+ RISK: Known Proto on Non Std Port, Binary File/Data Transfer (Attempt)
new: [....16] [ip4][..tcp] [..10.54.169.250][56381] -> [..54.179.140.65][...80] [MIDSTREAM]
detected: [....16] [ip4][..tcp] [..10.54.169.250][56381] -> [..54.179.140.65][...80] [HTTP.Xiaomi][AmazonAWS][Web][Acceptable][api.account.xiaomi.com]
+ RISK: Susp Entropy
new: [....17] [ip4][..tcp] [..10.54.169.250][52017] -> [...120.28.35.40][...80] [MIDSTREAM]
detected: [....17] [ip4][..tcp] [..10.54.169.250][52017] -> [...120.28.35.40][...80] [HTTP][Unknown][Streaming][Acceptable][vod-singtelhawk.quickplay.com]
end: [....13] [ip4][..tcp] [..10.54.169.250][54885] -> [203.205.151.160][...80] [HTTP_Proxy.QQ][Unknown][Download][Fun]
- RISK: Known Proto on Non Std Port, Binary file/data transfer (attempt)
+ RISK: Known Proto on Non Std Port, Binary File/Data Transfer (Attempt)
new: [....18] [ip4][..tcp] [..10.54.169.250][52018] -> [...120.28.35.40][...80] [MIDSTREAM]
detected: [....18] [ip4][..tcp] [..10.54.169.250][52018] -> [...120.28.35.40][...80] [HTTP][Unknown][Streaming][Acceptable][vod-singtelhawk.quickplay.com]
new: [....19] [ip4][..tcp] [..10.54.169.250][52019] -> [...120.28.35.40][...80] [MIDSTREAM]
@@ -84,12 +85,13 @@
idle: [....10] [ip4][..tcp] [..10.54.169.250][54883] -> [203.205.151.160][...80] [HTTP_Proxy.QQ][Unknown][Chat][Fun]
RISK: Known Proto on Non Std Port
idle: [....12] [ip4][..tcp] [..10.54.169.250][42761] -> [203.205.129.101][...80] [HTTP_Proxy.QQ][Tencent][Download][Fun]
- RISK: Known Proto on Non Std Port, Binary file/data transfer (attempt)
+ RISK: Known Proto on Non Std Port, Binary File/Data Transfer (Attempt)
idle: [....14] [ip4][..tcp] [..10.54.169.250][42762] -> [203.205.129.101][...80] [HTTP_Proxy.QQ][Tencent][Download][Fun]
- RISK: Known Proto on Non Std Port, Binary file/data transfer (attempt)
+ RISK: Known Proto on Non Std Port, Binary File/Data Transfer (Attempt)
idle: [.....3] [ip4][..tcp] [..10.54.169.250][33064] -> [....120.28.5.18][...80] [HTTP][Unknown][Streaming][Acceptable]
- idle: [.....6] [ip4][..tcp] [..10.54.169.250][33277] -> [..120.28.26.231][...80] [HTTP.Google][Unknown][Web][Acceptable]
+ idle: [.....6] [ip4][..tcp] [..10.54.169.250][33277] -> [..120.28.26.231][...80] [HTTP.Google][Unknown][ConnCheck][Acceptable]
idle: [....16] [ip4][..tcp] [..10.54.169.250][56381] -> [..54.179.140.65][...80] [HTTP.Xiaomi][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
idle: [.....9] [ip4][..tcp] [..10.54.169.250][52007] -> [...120.28.35.40][...80] [HTTP][Unknown][Streaming][Acceptable]
idle: [....11] [ip4][..tcp] [..10.54.169.250][52009] -> [...120.28.35.40][...80] [HTTP][Unknown][Streaming][Acceptable]
idle: [....17] [ip4][..tcp] [..10.54.169.250][52017] -> [...120.28.35.40][...80] [HTTP][Unknown][Streaming][Acceptable]
@@ -100,6 +102,6 @@
idle: [.....4] [ip4][..tcp] [..10.54.169.250][52285] -> [..173.252.74.22][...80] [HTTP.Facebook][Facebook][SocialNetwork][Fun]
idle: [.....5] [ip4][..tcp] [..10.54.169.250][52288] -> [..173.252.74.22][...80] [HTTP.Facebook][Facebook][SocialNetwork][Fun]
idle: [....15] [ip4][..tcp] [..10.54.169.250][35670] -> [203.205.147.215][...80] [HTTP_Proxy.QQ][Tencent][Download][Fun]
- RISK: Known Proto on Non Std Port, Binary file/data transfer (attempt)
+ RISK: Known Proto on Non Std Port, Binary File/Data Transfer (Attempt)
idle: [.....8] [ip4][..tcp] [..10.54.169.250][44256] -> [....120.28.5.41][...80] [HTTP][Unknown][Streaming][Acceptable]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/raknet.pcap.out b/test/results/flow-info/default/raknet.pcap.out
index d2a1e1fb8..c60bd3c06 100644
--- a/test/results/flow-info/default/raknet.pcap.out
+++ b/test/results/flow-info/default/raknet.pcap.out
@@ -20,8 +20,8 @@
RISK: Unidirectional Traffic
new: [.....7] [ip4][..udp] [..192.168.2.100][32953] -> [.148.153.35.205][60021]
detected: [.....7] [ip4][..udp] [..192.168.2.100][32953] -> [.148.153.35.205][60021] [RakNet][Unknown][Game][Fun]
+ RISK: Unidirectional Traffic
new: [.....8] [ip4][..udp] [..192.168.2.100][60690] -> [.148.153.35.205][60028]
- detected: [.....8] [ip4][..udp] [..192.168.2.100][60690] -> [.148.153.35.205][60028] [RakNet][Unknown][Game][Fun]
new: [.....9] [ip4][..udp] [.148.153.35.205][60005] -> [..192.168.2.100][32951]
detected: [.....9] [ip4][..udp] [.148.153.35.205][60005] -> [..192.168.2.100][32951] [RakNet][Unknown][Game][Fun]
idle: [.....2] [ip4][..udp] [..192.168.2.100][60689] -> [.148.153.35.205][60028] [RakNet][Unknown][Game][Fun]
@@ -29,7 +29,7 @@
new: [....10] [ip4][..udp] [..192.168.2.100][44501] -> [.148.153.35.205][60031]
detected: [....10] [ip4][..udp] [..192.168.2.100][44501] -> [.148.153.35.205][60031] [RakNet][Unknown][Game][Fun]
new: [....11] [ip4][..udp] [..192.168.2.100][44501] -> [.148.153.35.205][59935]
- update: [.....8] [ip4][..udp] [..192.168.2.100][60690] -> [.148.153.35.205][60028] [RakNet][Unknown][Game][Fun]
+ update: [.....8] [ip4][..udp] [..192.168.2.100][60690] -> [.148.153.35.205][60028]
update: [....10] [ip4][..udp] [..192.168.2.100][44501] -> [.148.153.35.205][60031] [RakNet][Unknown][Game][Fun]
update: [.....9] [ip4][..udp] [.148.153.35.205][60005] -> [..192.168.2.100][32951] [RakNet][Unknown][Game][Fun]
update: [.....3] [ip4][..udp] [..192.168.2.100][32951] -> [.148.153.35.205][60021] [RakNet][Unknown][Game][Fun]
@@ -37,9 +37,10 @@
update: [.....5] [ip4][..udp] [..192.168.2.100][32952] -> [.148.153.35.205][60021] [RakNet][Unknown][Game][Fun]
RISK: Unidirectional Traffic
update: [.....7] [ip4][..udp] [..192.168.2.100][32953] -> [.148.153.35.205][60021] [RakNet][Unknown][Game][Fun]
+ RISK: Unidirectional Traffic
update: [.....6] [ip4][..udp] [.148.153.35.205][60025] -> [..192.168.2.100][32951] [RakNet][Unknown][Game][Fun]
RISK: Unidirectional Traffic
- update: [.....8] [ip4][..udp] [..192.168.2.100][60690] -> [.148.153.35.205][60028] [RakNet][Unknown][Game][Fun]
+ update: [.....8] [ip4][..udp] [..192.168.2.100][60690] -> [.148.153.35.205][60028]
update: [....11] [ip4][..udp] [..192.168.2.100][44501] -> [.148.153.35.205][59935]
update: [....10] [ip4][..udp] [..192.168.2.100][44501] -> [.148.153.35.205][60031] [RakNet][Unknown][Game][Fun]
update: [.....9] [ip4][..udp] [.148.153.35.205][60005] -> [..192.168.2.100][32951] [RakNet][Unknown][Game][Fun]
@@ -48,11 +49,14 @@
update: [.....5] [ip4][..udp] [..192.168.2.100][32952] -> [.148.153.35.205][60021] [RakNet][Unknown][Game][Fun]
RISK: Unidirectional Traffic
update: [.....7] [ip4][..udp] [..192.168.2.100][32953] -> [.148.153.35.205][60021] [RakNet][Unknown][Game][Fun]
+ RISK: Unidirectional Traffic
update: [.....6] [ip4][..udp] [.148.153.35.205][60025] -> [..192.168.2.100][32951] [RakNet][Unknown][Game][Fun]
RISK: Unidirectional Traffic
detected: [....11] [ip4][..udp] [..192.168.2.100][44501] -> [.148.153.35.205][59935] [RakNet][Unknown][Game][Fun]
RISK: Unidirectional Traffic
- idle: [.....8] [ip4][..udp] [..192.168.2.100][60690] -> [.148.153.35.205][60028] [RakNet][Unknown][Game][Fun]
+ not-detected: [.....8] [ip4][..udp] [..192.168.2.100][60690] -> [.148.153.35.205][60028] [Unknown][Unknown][Unrated]
+ RISK: Unidirectional Traffic
+ idle: [.....8] [ip4][..udp] [..192.168.2.100][60690] -> [.148.153.35.205][60028]
idle: [....10] [ip4][..udp] [..192.168.2.100][44501] -> [.148.153.35.205][60031] [RakNet][Unknown][Game][Fun]
idle: [.....9] [ip4][..udp] [.148.153.35.205][60005] -> [..192.168.2.100][32951] [RakNet][Unknown][Game][Fun]
idle: [.....3] [ip4][..udp] [..192.168.2.100][32951] -> [.148.153.35.205][60021] [RakNet][Unknown][Game][Fun]
@@ -60,13 +64,15 @@
RISK: Unidirectional Traffic
idle: [.....4] [ip4][..udp] [.148.153.35.205][60022] -> [..192.168.2.100][32951] [RakNet][Unknown][Game][Fun]
idle: [.....7] [ip4][..udp] [..192.168.2.100][32953] -> [.148.153.35.205][60021] [RakNet][Unknown][Game][Fun]
+ RISK: Unidirectional Traffic
idle: [.....6] [ip4][..udp] [.148.153.35.205][60025] -> [..192.168.2.100][32951] [RakNet][Unknown][Game][Fun]
RISK: Unidirectional Traffic
update: [....11] [ip4][..udp] [..192.168.2.100][44501] -> [.148.153.35.205][59935] [RakNet][Unknown][Game][Fun]
RISK: Unidirectional Traffic
new: [....12] [ip4][..udp] [.148.153.35.205][43582] -> [..192.168.2.100][44501]
- detected: [....12] [ip4][..udp] [.148.153.35.205][43582] -> [..192.168.2.100][44501] [RakNet][Unknown][Game][Fun]
idle: [....11] [ip4][..udp] [..192.168.2.100][44501] -> [.148.153.35.205][59935] [RakNet][Unknown][Game][Fun]
RISK: Unidirectional Traffic
- idle: [....12] [ip4][..udp] [.148.153.35.205][43582] -> [..192.168.2.100][44501] [RakNet][Unknown][Game][Fun]
+ not-detected: [....12] [ip4][..udp] [.148.153.35.205][43582] -> [..192.168.2.100][44501] [Unknown][Unknown][Unrated]
+ RISK: Unidirectional Traffic
+ idle: [....12] [ip4][..udp] [.148.153.35.205][43582] -> [..192.168.2.100][44501]
DAEMON-EVENT: shutdown
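Review bot: This hunk (and the earlier ones in the same file) encode a detection regression that the commit message does not mention: flows 8 and 12, previously reported as `[RakNet][Unknown][Game][Fun]`, now end as `not-detected ... [Unknown][Unknown][Unrated]` with `RISK: Unidirectional Traffic`. Because these files are the expected outputs, regenerating them silently turns the lost classification into the new baseline. If the loss is an intended upstream change (e.g. a stricter RakNet dissector that no longer classifies a single unidirectional datagram), a one-line note in the commit description such as `raknet.pcap: flows 8/12 no longer detected after upstream dissector change` would make the regression auditable; if it is not intended, it should be reported upstream rather than accepted here.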
diff --git a/test/results/flow-info/default/reasm_crash_anon.pcapng.out b/test/results/flow-info/default/reasm_crash_anon.pcapng.out
index 08dd1ea64..f4a87cf08 100644
--- a/test/results/flow-info/default/reasm_crash_anon.pcapng.out
+++ b/test/results/flow-info/default/reasm_crash_anon.pcapng.out
@@ -12,10 +12,12 @@
[IATS(ms)....: 0.0,1.5,1.5,0.0,1.2,1.2,0.0,30097.7,30099.5,1.8,0.0,1.2,1.2,30097.5,0.0,30099.3,1.8,1.2,30097.4,1.8,0.0,30101.7,1.2,30097.5,30165.6,1.3,69.4,30031.1,0.0,30032.8,1.7]
[PKTLENS.....: 65,65,126,52,52,777,52,52,65,106,52,52,765,52,65,65,106,52,52,65,52,52,777,52,65,106,777,52,65,65,106,52]
[ENTROPIES...: 5.5,5.5,3.0,5.2,5.2,5.3,5.2,5.2,5.4,5.6,5.1,5.1,0.5,5.1,5.4,5.4,5.6,5.2,5.2,5.5,5.1,5.2,5.3,5.1,5.4,5.6,5.3,5.0,5.4,5.4,5.6,5.2]
+ not-detected: [.....1] [ip4][..tcp] [192.168.145.147][51218] -> [...10.209.8.148][21999] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
DAEMON-EVENT: [Processed: 93 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 1|guessed: 0|detection-updates: 0|updates: 0]
DAEMON-EVENT: [Processed: 169 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
- not-detected: [.....1] [ip4][..tcp] [192.168.145.147][51218] -> [...10.209.8.148][21999] [Unknown][Unknown][Unrated]
- end: [.....1] [ip4][..tcp] [192.168.145.147][51218] -> [...10.209.8.148][21999]
+ DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 1|guessed: 0|detection-updates: 0|updates: 0]
+ end: [.....1] [ip4][..tcp] [192.168.145.147][51218] -> [...10.209.8.148][21999] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/riot.pcapng.out b/test/results/flow-info/default/riot.pcapng.out
index a0388ef6d..a99f5509c 100644
--- a/test/results/flow-info/default/riot.pcapng.out
+++ b/test/results/flow-info/default/riot.pcapng.out
@@ -3,10 +3,10 @@
DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....1] [ip4][..tcp] [..52.41.135.135][..443] -> [..192.168.26.22][51817] [MIDSTREAM]
new: [.....2] [ip4][..tcp] [..35.234.85.218][..443] -> [..192.168.26.22][51949] [MIDSTREAM]
- detected: [.....2] [ip4][..tcp] [..35.234.85.218][..443] -> [..192.168.26.22][51949] [TLS][GoogleCloud][Web][Safe][]
- detection-update: [.....2] [ip4][..tcp] [..35.234.85.218][..443] -> [..192.168.26.22][51949] [TLS][GoogleCloud][Web][Safe][]
+ detected: [.....2] [ip4][..tcp] [..35.234.85.218][..443] -> [..192.168.26.22][51949] [TLS][GoogleCloud][Web][Safe]
+ detection-update: [.....2] [ip4][..tcp] [..35.234.85.218][..443] -> [..192.168.26.22][51949] [TLS][GoogleCloud][Web][Safe]
RISK: Unidirectional Traffic
- detection-update: [.....2] [ip4][..tcp] [..35.234.85.218][..443] -> [..192.168.26.22][51949] [TLS.RiotGames][GoogleCloud][Game][Fun][]
+ detection-update: [.....2] [ip4][..tcp] [..35.234.85.218][..443] -> [..192.168.26.22][51949] [TLS.RiotGames][GoogleCloud][Game][Fun]
RISK: Unidirectional Traffic
guessed: [.....1] [ip4][..tcp] [..52.41.135.135][..443] -> [..192.168.26.22][51817] [TLS][AmazonAWS][Web][Safe]
RISK: Susp Entropy, Unidirectional Traffic
diff --git a/test/results/flow-info/default/ripe_atlas.pcap.out b/test/results/flow-info/default/ripe_atlas.pcap.out
new file mode 100644
index 000000000..3e416008d
--- /dev/null
+++ b/test/results/flow-info/default/ripe_atlas.pcap.out
@@ -0,0 +1,33 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..udp] [.207.246.88.254][56857] -> [..96.78.208.202][29195]
+ detected: [.....1] [ip4][..udp] [.207.246.88.254][56857] -> [..96.78.208.202][29195] [RipeAtlas][Unknown][Network][Acceptable]
+ new: [.....2] [ip4][..udp] [...23.57.157.60][36137] -> [152.246.227.169][.4712]
+ detected: [.....2] [ip4][..udp] [...23.57.157.60][36137] -> [152.246.227.169][.4712] [RipeAtlas][Unknown][Network][Acceptable]
+ idle: [.....1] [ip4][..udp] [.207.246.88.254][56857] -> [..96.78.208.202][29195] [RipeAtlas][Unknown][Network][Acceptable]
+ DAEMON-EVENT: [Processed: 2 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....3] [ip4][..udp] [168.139.124.224][11476] -> [..19.132.223.32][36467]
+ detected: [.....3] [ip4][..udp] [168.139.124.224][11476] -> [..19.132.223.32][36467] [RipeAtlas][Unknown][Network][Acceptable]
+ idle: [.....2] [ip4][..udp] [...23.57.157.60][36137] -> [152.246.227.169][.4712] [RipeAtlas][Unknown][Network][Acceptable]
+ DAEMON-EVENT: [Processed: 3 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 3|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....4] [ip4][..udp] [...9.160.203.32][41059] -> [....68.90.0.255][38409]
+ detected: [.....4] [ip4][..udp] [...9.160.203.32][41059] -> [....68.90.0.255][38409] [RipeAtlas][Unknown][Network][Acceptable]
+ idle: [.....3] [ip4][..udp] [168.139.124.224][11476] -> [..19.132.223.32][36467] [RipeAtlas][Unknown][Network][Acceptable]
+ new: [.....5] [ip4][..udp] [.250.175.205.18][20715] -> [...127.251.0.38][26625]
+ detected: [.....5] [ip4][..udp] [.250.175.205.18][20715] -> [...127.251.0.38][26625] [RipeAtlas][Unknown][Network][Acceptable]
+ idle: [.....4] [ip4][..udp] [...9.160.203.32][41059] -> [....68.90.0.255][38409] [RipeAtlas][Unknown][Network][Acceptable]
+ DAEMON-EVENT: [Processed: 5 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 5|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....6] [ip4][..udp] [.147.63.105.185][48224] -> [...128.53.92.31][.2164]
+ detected: [.....6] [ip4][..udp] [.147.63.105.185][48224] -> [...128.53.92.31][.2164] [RipeAtlas][Unknown][Network][Acceptable]
+ idle: [.....5] [ip4][..udp] [.250.175.205.18][20715] -> [...127.251.0.38][26625] [RipeAtlas][Unknown][Network][Acceptable]
+ DAEMON-EVENT: [Processed: 6 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....7] [ip4][..udp] [.252.216.99.208][15422] -> [..255.103.25.63][.5081]
+ detected: [.....7] [ip4][..udp] [.252.216.99.208][15422] -> [..255.103.25.63][.5081] [RipeAtlas][Unknown][Network][Acceptable]
+ idle: [.....7] [ip4][..udp] [.252.216.99.208][15422] -> [..255.103.25.63][.5081] [RipeAtlas][Unknown][Network][Acceptable]
+ idle: [.....6] [ip4][..udp] [.147.63.105.185][48224] -> [...128.53.92.31][.2164] [RipeAtlas][Unknown][Network][Acceptable]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/rtp.pcapng.out b/test/results/flow-info/default/rtp.pcapng.out
index de9a06c71..b5b4ff7c4 100644
--- a/test/results/flow-info/default/rtp.pcapng.out
+++ b/test/results/flow-info/default/rtp.pcapng.out
@@ -5,11 +5,26 @@
detected: [.....1] [ip4][..udp] [..10.204.220.71][.6000] -> [.10.204.220.171][.6000] [RTP][Unknown][Media][Acceptable]
DAEMON-EVENT: [Processed: 15 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
- new: [.....2] [ip4][..udp] [.150.219.118.19][54234] -> [192.113.193.227][50003]
- detected: [.....2] [ip4][..udp] [.150.219.118.19][54234] -> [192.113.193.227][50003] [Discord][Unknown][Collaborative][Fun]
+ new: [.....2] [ip4][..tcp] [..172.16.168.24][40252] -> [..172.16.168.64][.5000]
idle: [.....1] [ip4][..udp] [..10.204.220.71][.6000] -> [.10.204.220.171][.6000] [RTP][Unknown][Media][Acceptable]
- new: [.....3] [ip4][..udp] [..10.140.67.167][55402] -> [..148.153.85.97][.6008]
- detected: [.....3] [ip4][..udp] [..10.140.67.167][55402] -> [..148.153.85.97][.6008] [RTP][Unknown][Media][Acceptable]
- idle: [.....2] [ip4][..udp] [.150.219.118.19][54234] -> [192.113.193.227][50003] [Discord][Unknown][Collaborative][Fun]
- idle: [.....3] [ip4][..udp] [..10.140.67.167][55402] -> [..148.153.85.97][.6008] [RTP][Unknown][Media][Acceptable]
+ detected: [.....2] [ip4][..tcp] [..172.16.168.24][40252] -> [..172.16.168.64][.5000] [RTP][Unknown][Media][Acceptable]
+ analyse: [.....2] [ip4][..tcp] [..172.16.168.24][40252] -> [..172.16.168.64][.5000] [RTP][Unknown][Media][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 82.924| 5.477| 20.338| 413654440.739| 1.200]
+ [PKTLEN......: 52.000| 1266.000| 621.600| 605.300| 366444.400| 4.200]
+ [BINS(c->s)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]
+ [IATS(ms)....: 0.1,0.8,82923.1,82923.9,93.2,93.2,148.9,148.9,149.2,149.2,151.0,151.0,151.5,151.4,148.4,148.5,149.0,148.9,151.7,151.8,150.9,150.9,149.7,149.6,148.4,148.4,151.3,151.3,150.8,150.8,149.0]
+ [PKTLENS.....: 60,60,52,1266,52,1266,52,1266,52,1266,52,1266,52,1266,52,1266,52,1266,52,1266,52,1266,52,1266,52,1266,52,1266,52,1266,52,1266]
+ [ENTROPIES...: 4.7,5.2,5.1,2.8,4.9,4.4,5.0,5.5,5.0,5.5,5.0,5.8,5.0,5.7,5.0,7.3,5.0,6.6,5.0,6.3,5.0,7.2,5.0,7.2,5.0,7.2,5.0,6.4,5.0,6.9,5.0,7.1]
+ DAEMON-EVENT: [Processed: 52 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....3] [ip4][..udp] [.150.219.118.19][54234] -> [192.113.193.227][50003]
+ detected: [.....3] [ip4][..udp] [.150.219.118.19][54234] -> [192.113.193.227][50003] [Discord][Unknown][Collaborative][Fun]
+ idle: [.....2] [ip4][..tcp] [..172.16.168.24][40252] -> [..172.16.168.64][.5000] [RTP][Unknown][Media][Acceptable]
+ new: [.....4] [ip4][..udp] [..10.140.67.167][55402] -> [..148.153.85.97][.6008]
+ detected: [.....4] [ip4][..udp] [..10.140.67.167][55402] -> [..148.153.85.97][.6008] [RTP][Unknown][Media][Acceptable]
+ idle: [.....3] [ip4][..udp] [.150.219.118.19][54234] -> [192.113.193.227][50003] [Discord][Unknown][Collaborative][Fun]
+ idle: [.....4] [ip4][..udp] [..10.140.67.167][55402] -> [..148.153.85.97][.6008] [RTP][Unknown][Media][Acceptable]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/shadowsocks.pcap.out b/test/results/flow-info/default/shadowsocks.pcap.out
index d314e93c4..317f6475d 100644
--- a/test/results/flow-info/default/shadowsocks.pcap.out
+++ b/test/results/flow-info/default/shadowsocks.pcap.out
@@ -6,6 +6,6 @@
new: [.....2] [ip4][..tcp] [......127.0.0.1][44276] -> [......127.0.0.1][.8388]
end: [.....1] [ip4][..tcp] [......127.0.0.1][37904] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable]
not-detected: [.....2] [ip4][..tcp] [......127.0.0.1][44276] -> [......127.0.0.1][.8388] [Unknown][Unknown][Unrated]
- RISK: Fully encrypted flow
+ RISK: Fully Encrypted Flow
end: [.....2] [ip4][..tcp] [......127.0.0.1][44276] -> [......127.0.0.1][.8388]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/shell.pcap.out b/test/results/flow-info/default/shell.pcap.out
index a8902a531..8e0d86eb0 100644
--- a/test/results/flow-info/default/shell.pcap.out
+++ b/test/results/flow-info/default/shell.pcap.out
@@ -12,9 +12,9 @@
RISK: Possible Exploit Attempt
end: [.....1] [ip4][..tcp] [......127.0.0.1][47638] -> [......127.0.0.1][33333]
not-detected: [.....2] [ip4][..udp] [......127.0.0.1][54112] -> [......127.0.0.1][33333] [Unknown][Unknown][Unrated]
- RISK: Possible Exploit Attempt, Unidirectional Traffic
+ RISK: Susp Entropy, Possible Exploit Attempt, Unidirectional Traffic
idle: [.....2] [ip4][..udp] [......127.0.0.1][54112] -> [......127.0.0.1][33333]
not-detected: [.....3] [ip4][..udp] [......127.0.0.1][58538] -> [......127.0.0.1][33333] [Unknown][Unknown][Unrated]
- RISK: Possible Exploit Attempt, Unidirectional Traffic
+ RISK: Susp Entropy, Possible Exploit Attempt, Unidirectional Traffic
idle: [.....3] [ip4][..udp] [......127.0.0.1][58538] -> [......127.0.0.1][33333]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/sip.pcap.out b/test/results/flow-info/default/sip.pcap.out
index f5d249ce5..e29d26b26 100644
--- a/test/results/flow-info/default/sip.pcap.out
+++ b/test/results/flow-info/default/sip.pcap.out
@@ -44,12 +44,13 @@
new: [.....3] [ip4][..udp] [....192.168.1.2][30000] -> [..212.242.33.36][40392]
detected: [.....3] [ip4][..udp] [....192.168.1.2][30000] -> [..212.242.33.36][40392] [RTP][Unknown][Media][Acceptable]
new: [.....4] [ip4][..udp] [....192.168.1.2][30001] -> [..212.242.33.36][40393]
- detected: [.....4] [ip4][..udp] [....192.168.1.2][30001] -> [..212.242.33.36][40393] [RTCP][Unknown][VoIP][Acceptable]
update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable]
update: [.....3] [ip4][..udp] [....192.168.1.2][30000] -> [..212.242.33.36][40392] [RTP][Unknown][Media][Acceptable]
- update: [.....4] [ip4][..udp] [....192.168.1.2][30001] -> [..212.242.33.36][40393] [RTCP][Unknown][VoIP][Acceptable]
+ update: [.....4] [ip4][..udp] [....192.168.1.2][30001] -> [..212.242.33.36][40393]
update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable]
idle: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][Unknown][VoIP][Acceptable]
idle: [.....3] [ip4][..udp] [....192.168.1.2][30000] -> [..212.242.33.36][40392] [RTP][Unknown][Media][Acceptable]
- idle: [.....4] [ip4][..udp] [....192.168.1.2][30001] -> [..212.242.33.36][40393] [RTCP][Unknown][VoIP][Acceptable]
+ not-detected: [.....4] [ip4][..udp] [....192.168.1.2][30001] -> [..212.242.33.36][40393] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy, Unidirectional Traffic
+ idle: [.....4] [ip4][..udp] [....192.168.1.2][30001] -> [..212.242.33.36][40393]
DAEMON-EVENT: shutdown
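Review bot: Flow 4 (`192.168.1.2:30001 -> 212.242.33.36:40393`) was previously classified as `[RTCP][Unknown][VoIP][Acceptable]` and now finishes as `not-detected` with `RISK: Susp Entropy, Unidirectional Traffic`, so the regenerated fixture accepts a lost RTCP classification and a new risk flag on what the old baseline treated as benign VoIP control traffic. The companion RTP flow 3 on port 30000 is still detected, which suggests the RTCP dissector, not the pcap, changed. Please state in the commit description whether this is an expected upstream behaviour change (`sip.pcap: RTCP flow 4 no longer detected after libnDPI bump`), since otherwise a reviewer cannot distinguish an accepted regression from an overlooked one.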
diff --git a/test/results/flow-info/default/sip_hello.pcapng.out b/test/results/flow-info/default/sip_hello.pcapng.out
index a0b0b4dde..3737d619f 100644
--- a/test/results/flow-info/default/sip_hello.pcapng.out
+++ b/test/results/flow-info/default/sip_hello.pcapng.out
@@ -2,9 +2,6 @@
DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....1] [ip4][..udp] [.10.239.156.235][.5060] -> [...172.29.38.91][.5060]
- update: [.....1] [ip4][..udp] [.10.239.156.235][.5060] -> [...172.29.38.91][.5060]
- update: [.....1] [ip4][..udp] [.10.239.156.235][.5060] -> [...172.29.38.91][.5060]
- update: [.....1] [ip4][..udp] [.10.239.156.235][.5060] -> [...172.29.38.91][.5060]
detected: [.....1] [ip4][..udp] [.10.239.156.235][.5060] -> [...172.29.38.91][.5060] [SIP][Unknown][VoIP][Acceptable]
update: [.....1] [ip4][..udp] [.10.239.156.235][.5060] -> [...172.29.38.91][.5060] [SIP][Unknown][VoIP][Acceptable]
update: [.....1] [ip4][..udp] [.10.239.156.235][.5060] -> [...172.29.38.91][.5060] [SIP][Unknown][VoIP][Acceptable]
@@ -12,5 +9,8 @@
update: [.....1] [ip4][..udp] [.10.239.156.235][.5060] -> [...172.29.38.91][.5060] [SIP][Unknown][VoIP][Acceptable]
update: [.....1] [ip4][..udp] [.10.239.156.235][.5060] -> [...172.29.38.91][.5060] [SIP][Unknown][VoIP][Acceptable]
update: [.....1] [ip4][..udp] [.10.239.156.235][.5060] -> [...172.29.38.91][.5060] [SIP][Unknown][VoIP][Acceptable]
+ update: [.....1] [ip4][..udp] [.10.239.156.235][.5060] -> [...172.29.38.91][.5060] [SIP][Unknown][VoIP][Acceptable]
+ update: [.....1] [ip4][..udp] [.10.239.156.235][.5060] -> [...172.29.38.91][.5060] [SIP][Unknown][VoIP][Acceptable]
+ update: [.....1] [ip4][..udp] [.10.239.156.235][.5060] -> [...172.29.38.91][.5060] [SIP][Unknown][VoIP][Acceptable]
idle: [.....1] [ip4][..udp] [.10.239.156.235][.5060] -> [...172.29.38.91][.5060] [SIP][Unknown][VoIP][Acceptable]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/sites.pcapng.out b/test/results/flow-info/default/sites.pcapng.out
index 5227150a6..310b1bb3a 100644
--- a/test/results/flow-info/default/sites.pcapng.out
+++ b/test/results/flow-info/default/sites.pcapng.out
@@ -2,14 +2,14 @@
DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....1] [ip4][..tcp] [.192.168.12.169][46160] -> [..69.171.250.20][..443]
- detected: [.....1] [ip4][..tcp] [.192.168.12.169][46160] -> [..69.171.250.20][..443] [TLS.Messenger][Facebook][Chat][Acceptable][edge-mqtt.facebook.com]
- detection-update: [.....1] [ip4][..tcp] [.192.168.12.169][46160] -> [..69.171.250.20][..443] [TLS.Messenger][Facebook][Chat][Acceptable][edge-mqtt.facebook.com]
+ detected: [.....1] [ip4][..tcp] [.192.168.12.169][46160] -> [..69.171.250.20][..443] [TLS.FacebookMessenger][Facebook][Chat][Acceptable][edge-mqtt.facebook.com]
+ detection-update: [.....1] [ip4][..tcp] [.192.168.12.169][46160] -> [..69.171.250.20][..443] [TLS.FacebookMessenger][Facebook][Chat][Acceptable][edge-mqtt.facebook.com]
DAEMON-EVENT: [Processed: 4 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0]
new: [.....2] [ip4][..tcp] [..192.168.1.250][41878] -> [...92.122.95.99][..443]
detected: [.....2] [ip4][..tcp] [..192.168.1.250][41878] -> [...92.122.95.99][..443] [TLS.TikTok][Unknown][SocialNetwork][Fun][vcs-va.tiktokv.com]
detection-update: [.....2] [ip4][..tcp] [..192.168.1.250][41878] -> [...92.122.95.99][..443] [TLS.TikTok][Unknown][SocialNetwork][Fun][vcs-va.tiktokv.com]
- idle: [.....1] [ip4][..tcp] [.192.168.12.169][46160] -> [..69.171.250.20][..443] [TLS.Messenger][Facebook][Chat][Acceptable]
+ idle: [.....1] [ip4][..tcp] [.192.168.12.169][46160] -> [..69.171.250.20][..443] [TLS.FacebookMessenger][Facebook][Chat][Acceptable]
DAEMON-EVENT: [Processed: 35 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 1 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 2|updates: 0]
new: [.....3] [ip4][..tcp] [..192.168.1.227][50071] -> [...52.73.71.226][..443]
@@ -92,199 +92,239 @@
new: [....15] [ip4][..tcp] [..192.168.1.128][51806] -> [..18.66.196.102][..443]
detected: [....15] [ip4][..tcp] [..192.168.1.128][51806] -> [..18.66.196.102][..443] [TLS.SoundCloud][AmazonAWS][Music][Fun][soundcloud.com]
detection-update: [....15] [ip4][..tcp] [..192.168.1.128][51806] -> [..18.66.196.102][..443] [TLS.SoundCloud][AmazonAWS][Music][Fun][soundcloud.com]
- new: [....16] [ip4][..tcp] [..192.168.1.128][56468] -> [.151.101.192.92][..443]
- detected: [....16] [ip4][..tcp] [..192.168.1.128][56468] -> [.151.101.192.92][..443] [TLS.Vevo][Unknown][Music][Fun][vevo.com]
- detection-update: [....16] [ip4][..tcp] [..192.168.1.128][56468] -> [.151.101.192.92][..443] [TLS.Vevo][Unknown][Music][Fun][vevo.com]
- detection-update: [....16] [ip4][..tcp] [..192.168.1.128][56468] -> [.151.101.192.92][..443] [TLS.Vevo][Unknown][Music][Fun][vevo.com]
- new: [....17] [ip4][..tcp] [..192.168.1.128][48140] -> [.....23.1.66.79][..443]
- detected: [....17] [ip4][..tcp] [..192.168.1.128][48140] -> [.....23.1.66.79][..443] [TLS.CNN][Unknown][Web][Safe][cdn.cnn.com]
- detection-update: [....17] [ip4][..tcp] [..192.168.1.128][48140] -> [.....23.1.66.79][..443] [TLS.CNN][Unknown][Web][Safe][cdn.cnn.com]
- new: [....18] [ip4][..tcp] [..192.168.1.128][40832] -> [....2.17.141.49][..443]
- detected: [....18] [ip4][..tcp] [..192.168.1.128][40832] -> [....2.17.141.49][..443] [TLS.eBay][Unknown][Shopping][Safe][www.ebay.com]
- detection-update: [....18] [ip4][..tcp] [..192.168.1.128][40832] -> [....2.17.141.49][..443] [TLS.eBay][Unknown][Shopping][Safe][www.ebay.com]
- new: [....19] [ip4][..tcp] [..192.168.1.128][42884] -> [.185.125.190.21][..443]
- detected: [....19] [ip4][..tcp] [..192.168.1.128][42884] -> [.185.125.190.21][..443] [TLS.UbuntuONE][UbuntuONE][Cloud][Acceptable][assets.ubuntu.com]
- detection-update: [....19] [ip4][..tcp] [..192.168.1.128][42884] -> [.185.125.190.21][..443] [TLS.UbuntuONE][UbuntuONE][Cloud][Acceptable][assets.ubuntu.com]
- new: [....20] [ip4][..tcp] [..192.168.1.128][51248] -> [..95.131.169.91][..443]
- detected: [....20] [ip4][..tcp] [..192.168.1.128][51248] -> [..95.131.169.91][..443] [TLS.Tuenti][Unknown][VoIP][Acceptable][tuenti.com]
- detection-update: [....20] [ip4][..tcp] [..192.168.1.128][51248] -> [..95.131.169.91][..443] [TLS.Tuenti][Unknown][VoIP][Acceptable][tuenti.com]
- detection-update: [....20] [ip4][..tcp] [..192.168.1.128][51248] -> [..95.131.169.91][..443] [TLS.Tuenti][Unknown][VoIP][Acceptable][tuenti.com]
- new: [....21] [ip4][..tcp] [..192.168.1.128][39302] -> [..95.131.170.91][..443]
- detected: [....21] [ip4][..tcp] [..192.168.1.128][39302] -> [..95.131.170.91][..443] [TLS.Tuenti][Unknown][VoIP][Acceptable][static.tuenti.com]
- detection-update: [....21] [ip4][..tcp] [..192.168.1.128][39302] -> [..95.131.170.91][..443] [TLS.Tuenti][Unknown][VoIP][Acceptable][static.tuenti.com]
- detection-update: [....21] [ip4][..tcp] [..192.168.1.128][39302] -> [..95.131.170.91][..443] [TLS.Tuenti][Unknown][VoIP][Acceptable][static.tuenti.com]
- new: [....22] [ip4][..tcp] [..192.168.1.128][51432] -> [.95.101.195.214][..443]
- detected: [....22] [ip4][..tcp] [..192.168.1.128][51432] -> [.95.101.195.214][..443] [TLS.Hulu][Unknown][Streaming][Fun][hulu.com]
- detection-update: [....22] [ip4][..tcp] [..192.168.1.128][51432] -> [.95.101.195.214][..443] [TLS.Hulu][Unknown][Streaming][Fun][hulu.com]
- new: [....23] [ip4][..tcp] [..192.168.1.128][44954] -> [..34.96.123.111][...80]
- new: [....24] [ip4][..tcp] [..192.168.1.128][47122] -> [.35.201.112.136][..443]
- detected: [....24] [ip4][..tcp] [..192.168.1.128][47122] -> [.35.201.112.136][..443] [TLS.LastFM][GoogleCloud][Music][Fun][kerve.last.fm]
- detection-update: [....24] [ip4][..tcp] [..192.168.1.128][47122] -> [.35.201.112.136][..443] [TLS.LastFM][GoogleCloud][Music][Fun][kerve.last.fm]
- new: [....25] [ip4][..tcp] [..192.168.1.128][39036] -> [..69.191.252.15][...80]
- new: [....26] [ip4][..tcp] [..192.168.1.128][43412] -> [.151.101.193.73][..443]
- detected: [....26] [ip4][..tcp] [..192.168.1.128][43412] -> [.151.101.193.73][..443] [TLS.Bloomberg][Unknown][Cloud][Acceptable][www.bloomberg.com]
- detection-update: [....26] [ip4][..tcp] [..192.168.1.128][43412] -> [.151.101.193.73][..443] [TLS.Bloomberg][Unknown][Cloud][Acceptable][www.bloomberg.com]
- detection-update: [....26] [ip4][..tcp] [..192.168.1.128][43412] -> [.151.101.193.73][..443] [TLS.Bloomberg][Unknown][Cloud][Acceptable][www.bloomberg.com]
- new: [....27] [ip4][..tcp] [..192.168.1.128][57014] -> [108.139.210.102][..443]
- detected: [....27] [ip4][..tcp] [..192.168.1.128][57014] -> [108.139.210.102][..443] [TLS.Bloomberg][AmazonAWS][Cloud][Acceptable][sourcepointcmp.bloomberg.com]
- detection-update: [....27] [ip4][..tcp] [..192.168.1.128][57014] -> [108.139.210.102][..443] [TLS.Bloomberg][AmazonAWS][Cloud][Acceptable][sourcepointcmp.bloomberg.com]
- new: [....28] [ip4][..tcp] [..192.168.1.128][48654] -> [...13.107.42.14][..443]
- detected: [....28] [ip4][..tcp] [..192.168.1.128][48654] -> [...13.107.42.14][..443] [TLS.LinkedIn][Azure][SocialNetwork][Fun][www.linkedin.com]
- detection-update: [....28] [ip4][..tcp] [..192.168.1.128][48654] -> [...13.107.42.14][..443] [TLS.LinkedIn][Azure][SocialNetwork][Fun][www.linkedin.com]
- new: [....29] [ip4][..tcp] [..192.168.1.128][39934] -> [..104.23.98.190][..443]
- detected: [....29] [ip4][..tcp] [..192.168.1.128][39934] -> [..104.23.98.190][..443] [TLS.Pastebin][Cloudflare][Download][Potentially Dangerous][pastebin.com]
+ new: [....16] [ip4][..tcp] [..192.168.1.128][48140] -> [.....23.1.66.79][..443]
+ detected: [....16] [ip4][..tcp] [..192.168.1.128][48140] -> [.....23.1.66.79][..443] [TLS.CNN][Unknown][Web][Safe][cdn.cnn.com]
+ detection-update: [....16] [ip4][..tcp] [..192.168.1.128][48140] -> [.....23.1.66.79][..443] [TLS.CNN][Unknown][Web][Safe][cdn.cnn.com]
+ new: [....17] [ip4][..tcp] [..192.168.1.128][40832] -> [....2.17.141.49][..443]
+ detected: [....17] [ip4][..tcp] [..192.168.1.128][40832] -> [....2.17.141.49][..443] [TLS.eBay][Unknown][Shopping][Safe][www.ebay.com]
+ detection-update: [....17] [ip4][..tcp] [..192.168.1.128][40832] -> [....2.17.141.49][..443] [TLS.eBay][Unknown][Shopping][Safe][www.ebay.com]
+ new: [....18] [ip4][..tcp] [..192.168.1.128][42884] -> [.185.125.190.21][..443]
+ detected: [....18] [ip4][..tcp] [..192.168.1.128][42884] -> [.185.125.190.21][..443] [TLS.UbuntuONE][UbuntuONE][Cloud][Acceptable][assets.ubuntu.com]
+ detection-update: [....18] [ip4][..tcp] [..192.168.1.128][42884] -> [.185.125.190.21][..443] [TLS.UbuntuONE][UbuntuONE][Cloud][Acceptable][assets.ubuntu.com]
+ new: [....19] [ip4][..tcp] [..192.168.1.128][51432] -> [.95.101.195.214][..443]
+ detected: [....19] [ip4][..tcp] [..192.168.1.128][51432] -> [.95.101.195.214][..443] [TLS.Hulu][Unknown][Streaming][Fun][hulu.com]
+ detection-update: [....19] [ip4][..tcp] [..192.168.1.128][51432] -> [.95.101.195.214][..443] [TLS.Hulu][Unknown][Streaming][Fun][hulu.com]
+ new: [....20] [ip4][..tcp] [..192.168.1.128][44954] -> [..34.96.123.111][...80]
+ new: [....21] [ip4][..tcp] [..192.168.1.128][47122] -> [.35.201.112.136][..443]
+ detected: [....21] [ip4][..tcp] [..192.168.1.128][47122] -> [.35.201.112.136][..443] [TLS.LastFM][GoogleCloud][Music][Fun][kerve.last.fm]
+ detection-update: [....21] [ip4][..tcp] [..192.168.1.128][47122] -> [.35.201.112.136][..443] [TLS.LastFM][GoogleCloud][Music][Fun][kerve.last.fm]
+ new: [....22] [ip4][..tcp] [..192.168.1.128][39036] -> [..69.191.252.15][...80]
+ new: [....23] [ip4][..tcp] [..192.168.1.128][43412] -> [.151.101.193.73][..443]
+ detected: [....23] [ip4][..tcp] [..192.168.1.128][43412] -> [.151.101.193.73][..443] [TLS.Bloomberg][Unknown][Cloud][Acceptable][www.bloomberg.com]
+ detection-update: [....23] [ip4][..tcp] [..192.168.1.128][43412] -> [.151.101.193.73][..443] [TLS.Bloomberg][Unknown][Cloud][Acceptable][www.bloomberg.com]
+ detection-update: [....23] [ip4][..tcp] [..192.168.1.128][43412] -> [.151.101.193.73][..443] [TLS.Bloomberg][Unknown][Cloud][Acceptable][www.bloomberg.com]
+ new: [....24] [ip4][..tcp] [..192.168.1.128][57014] -> [108.139.210.102][..443]
+ detected: [....24] [ip4][..tcp] [..192.168.1.128][57014] -> [108.139.210.102][..443] [TLS.Bloomberg][AmazonAWS][Cloud][Acceptable][sourcepointcmp.bloomberg.com]
+ detection-update: [....24] [ip4][..tcp] [..192.168.1.128][57014] -> [108.139.210.102][..443] [TLS.Bloomberg][AmazonAWS][Cloud][Acceptable][sourcepointcmp.bloomberg.com]
+ new: [....25] [ip4][..tcp] [..192.168.1.128][48654] -> [...13.107.42.14][..443]
+ detected: [....25] [ip4][..tcp] [..192.168.1.128][48654] -> [...13.107.42.14][..443] [TLS.LinkedIn][Azure][SocialNetwork][Fun][www.linkedin.com]
+ detection-update: [....25] [ip4][..tcp] [..192.168.1.128][48654] -> [...13.107.42.14][..443] [TLS.LinkedIn][Azure][SocialNetwork][Fun][www.linkedin.com]
+ new: [....26] [ip4][..tcp] [..192.168.1.128][39934] -> [..104.23.98.190][..443]
+ detected: [....26] [ip4][..tcp] [..192.168.1.128][39934] -> [..104.23.98.190][..443] [TLS.Pastebin][Cloudflare][Download][Potentially Dangerous][pastebin.com]
RISK: Unsafe Protocol
- detection-update: [....29] [ip4][..tcp] [..192.168.1.128][39934] -> [..104.23.98.190][..443] [TLS.Pastebin][Cloudflare][Download][Potentially Dangerous][pastebin.com]
+ detection-update: [....26] [ip4][..tcp] [..192.168.1.128][39934] -> [..104.23.98.190][..443] [TLS.Pastebin][Cloudflare][Download][Potentially Dangerous][pastebin.com]
RISK: Unsafe Protocol
- new: [....30] [ip4][..tcp] [..192.168.1.128][57336] -> [....23.1.68.189][..443]
- detected: [....30] [ip4][..tcp] [..192.168.1.128][57336] -> [....23.1.68.189][..443] [TLS.Playstation][Unknown][Game][Fun][www.playstation.com]
- detection-update: [....30] [ip4][..tcp] [..192.168.1.128][57336] -> [....23.1.68.189][..443] [TLS.Playstation][Unknown][Game][Fun][www.playstation.com]
- detection-update: [....30] [ip4][..tcp] [..192.168.1.128][57336] -> [....23.1.68.189][..443] [TLS.Playstation][Unknown][Game][Fun][www.playstation.com]
- new: [....31] [ip4][..tcp] [..192.168.1.128][46264] -> [...23.51.246.65][..443]
- detected: [....31] [ip4][..tcp] [..192.168.1.128][46264] -> [...23.51.246.65][..443] [TLS.Playstation][Unknown][Game][Fun][static.playstation.com]
- detection-update: [....31] [ip4][..tcp] [..192.168.1.128][46264] -> [...23.51.246.65][..443] [TLS.Playstation][Unknown][Game][Fun][static.playstation.com]
- new: [....32] [ip4][..tcp] [..192.168.1.128][43150] -> [.108.138.199.67][..443]
- detected: [....32] [ip4][..tcp] [..192.168.1.128][43150] -> [.108.138.199.67][..443] [TLS.Deezer][AmazonAWS][Music][Fun][deezer.com]
- detection-update: [....32] [ip4][..tcp] [..192.168.1.128][43150] -> [.108.138.199.67][..443] [TLS.Deezer][AmazonAWS][Music][Fun][deezer.com]
- new: [....33] [ip4][..tcp] [..192.168.1.128][52070] -> [....18.65.82.67][...80]
- new: [....34] [ip4][..tcp] [..192.168.1.128][38858] -> [142.250.180.142][..443]
- detected: [....34] [ip4][..tcp] [..192.168.1.128][38858] -> [142.250.180.142][..443] [TLS.GoogleMaps][Google][Web][Safe][maps.google.com]
- detection-update: [....34] [ip4][..tcp] [..192.168.1.128][38858] -> [142.250.180.142][..443] [TLS.GoogleMaps][Google][Web][Safe][maps.google.com]
- new: [....35] [ip4][..tcp] [..192.168.1.128][48902] -> [....2.17.140.63][..443]
- detected: [....35] [ip4][..tcp] [..192.168.1.128][48902] -> [....2.17.140.63][..443] [TLS.Xbox][Unknown][Game][Fun][account.xbox.com]
- detection-update: [....35] [ip4][..tcp] [..192.168.1.128][48902] -> [....2.17.140.63][..443] [TLS.Xbox][Unknown][Game][Fun][account.xbox.com]
- new: [....36] [ip4][..tcp] [..192.168.1.128][39828] -> [....40.97.160.2][..443]
- detected: [....36] [ip4][..tcp] [..192.168.1.128][39828] -> [....40.97.160.2][..443] [TLS.Outlook][Outlook][Email][Acceptable][outlook.com]
- detection-update: [....36] [ip4][..tcp] [..192.168.1.128][39828] -> [....40.97.160.2][..443] [TLS.Outlook][Outlook][Email][Acceptable][outlook.com]
- DAEMON-EVENT: [Processed: 457 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 27 / 36|skipped: 0|!detected: 0|guessed: 0|detection-updates: 38|updates: 0]
- new: [....37] [ip4][..tcp] [..192.168.1.128][45898] -> [..15.160.39.187][..443]
- detected: [....37] [ip4][..tcp] [..192.168.1.128][45898] -> [..15.160.39.187][..443] [TLS.AppleSiri][AmazonAWS][VirtAssistant][Acceptable][guzzoni.apple.com]
- detection-update: [....37] [ip4][..tcp] [..192.168.1.128][45898] -> [..15.160.39.187][..443] [TLS.AppleSiri][AmazonAWS][VirtAssistant][Acceptable][guzzoni.apple.com]
- idle: [....22] [ip4][..tcp] [..192.168.1.128][51432] -> [.95.101.195.214][..443] [TLS.Hulu][Unknown][Streaming][Fun]
- guessed: [....23] [ip4][..tcp] [..192.168.1.128][44954] -> [..34.96.123.111][...80] [HTTP][GoogleCloud][Web][Acceptable][]
- idle: [....23] [ip4][..tcp] [..192.168.1.128][44954] -> [..34.96.123.111][...80]
- guessed: [....25] [ip4][..tcp] [..192.168.1.128][39036] -> [..69.191.252.15][...80] [HTTP][Bloomberg][Web][Acceptable][]
- idle: [....25] [ip4][..tcp] [..192.168.1.128][39036] -> [..69.191.252.15][...80]
+ new: [....27] [ip4][..tcp] [..192.168.1.128][57336] -> [....23.1.68.189][..443]
+ detected: [....27] [ip4][..tcp] [..192.168.1.128][57336] -> [....23.1.68.189][..443] [TLS.Playstation][Unknown][Game][Fun][www.playstation.com]
+ detection-update: [....27] [ip4][..tcp] [..192.168.1.128][57336] -> [....23.1.68.189][..443] [TLS.Playstation][Unknown][Game][Fun][www.playstation.com]
+ detection-update: [....27] [ip4][..tcp] [..192.168.1.128][57336] -> [....23.1.68.189][..443] [TLS.Playstation][Unknown][Game][Fun][www.playstation.com]
+ new: [....28] [ip4][..tcp] [..192.168.1.128][46264] -> [...23.51.246.65][..443]
+ detected: [....28] [ip4][..tcp] [..192.168.1.128][46264] -> [...23.51.246.65][..443] [TLS.Playstation][Unknown][Game][Fun][static.playstation.com]
+ detection-update: [....28] [ip4][..tcp] [..192.168.1.128][46264] -> [...23.51.246.65][..443] [TLS.Playstation][Unknown][Game][Fun][static.playstation.com]
+ new: [....29] [ip4][..tcp] [..192.168.1.128][43150] -> [.108.138.199.67][..443]
+ detected: [....29] [ip4][..tcp] [..192.168.1.128][43150] -> [.108.138.199.67][..443] [TLS.Deezer][AmazonAWS][Music][Fun][deezer.com]
+ detection-update: [....29] [ip4][..tcp] [..192.168.1.128][43150] -> [.108.138.199.67][..443] [TLS.Deezer][AmazonAWS][Music][Fun][deezer.com]
+ new: [....30] [ip4][..tcp] [..192.168.1.128][52070] -> [....18.65.82.67][...80]
+ new: [....31] [ip4][..tcp] [..192.168.1.128][38858] -> [142.250.180.142][..443]
+ detected: [....31] [ip4][..tcp] [..192.168.1.128][38858] -> [142.250.180.142][..443] [TLS.GoogleMaps][Google][Web][Safe][maps.google.com]
+ detection-update: [....31] [ip4][..tcp] [..192.168.1.128][38858] -> [142.250.180.142][..443] [TLS.GoogleMaps][Google][Web][Safe][maps.google.com]
+ new: [....32] [ip4][..tcp] [..192.168.1.128][48902] -> [....2.17.140.63][..443]
+ detected: [....32] [ip4][..tcp] [..192.168.1.128][48902] -> [....2.17.140.63][..443] [TLS.Xbox][Unknown][Game][Fun][account.xbox.com]
+ detection-update: [....32] [ip4][..tcp] [..192.168.1.128][48902] -> [....2.17.140.63][..443] [TLS.Xbox][Unknown][Game][Fun][account.xbox.com]
+ new: [....33] [ip4][..tcp] [..192.168.1.128][39828] -> [....40.97.160.2][..443]
+ detected: [....33] [ip4][..tcp] [..192.168.1.128][39828] -> [....40.97.160.2][..443] [TLS.Outlook][Outlook][Email][Acceptable][outlook.com]
+ detection-update: [....33] [ip4][..tcp] [..192.168.1.128][39828] -> [....40.97.160.2][..443] [TLS.Outlook][Outlook][Email][Acceptable][outlook.com]
+ DAEMON-EVENT: [Processed: 433 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 24 / 33|skipped: 0|!detected: 0|guessed: 0|detection-updates: 32|updates: 0]
+ new: [....34] [ip4][..tcp] [..192.168.1.128][45898] -> [..15.160.39.187][..443]
+ detected: [....34] [ip4][..tcp] [..192.168.1.128][45898] -> [..15.160.39.187][..443] [TLS.AppleSiri][AmazonAWS][VirtAssistant][Acceptable][guzzoni.apple.com]
+ detection-update: [....34] [ip4][..tcp] [..192.168.1.128][45898] -> [..15.160.39.187][..443] [TLS.AppleSiri][AmazonAWS][VirtAssistant][Acceptable][guzzoni.apple.com]
+ idle: [....19] [ip4][..tcp] [..192.168.1.128][51432] -> [.95.101.195.214][..443] [TLS.Hulu][Unknown][Streaming][Fun]
+ guessed: [....20] [ip4][..tcp] [..192.168.1.128][44954] -> [..34.96.123.111][...80] [HTTP][GoogleCloud][Web][Acceptable][]
+ idle: [....20] [ip4][..tcp] [..192.168.1.128][44954] -> [..34.96.123.111][...80]
+ guessed: [....22] [ip4][..tcp] [..192.168.1.128][39036] -> [..69.191.252.15][...80] [HTTP][Bloomberg][Web][Acceptable][]
+ idle: [....22] [ip4][..tcp] [..192.168.1.128][39036] -> [..69.191.252.15][...80]
idle: [....10] [ip4][..tcp] [..192.168.1.128][35054] -> [..31.222.67.112][..443] [TLS.Badoo][Unknown][SocialNetwork][Fun]
- idle: [....26] [ip4][..tcp] [..192.168.1.128][43412] -> [.151.101.193.73][..443] [TLS.Bloomberg][Unknown][Cloud][Acceptable]
+ idle: [....23] [ip4][..tcp] [..192.168.1.128][43412] -> [.151.101.193.73][..443] [TLS.Bloomberg][Unknown][Cloud][Acceptable]
idle: [....12] [ip4][..tcp] [..192.168.1.128][42580] -> [...2.17.141.128][..443] [TLS.Activision][Unknown][Game][Fun]
idle: [....13] [ip4][..tcp] [..192.168.1.128][46084] -> [..146.75.62.167][..443] [TLS.Twitch][Unknown][Video][Fun]
- idle: [....31] [ip4][..tcp] [..192.168.1.128][46264] -> [...23.51.246.65][..443] [TLS.Playstation][Unknown][Game][Fun]
+ idle: [....28] [ip4][..tcp] [..192.168.1.128][46264] -> [...23.51.246.65][..443] [TLS.Playstation][Unknown][Game][Fun]
guessed: [....14] [ip4][..tcp] [..192.168.1.128][45936] -> [..208.85.40.158][...80] [HTTP][Unknown][Web][Acceptable][]
idle: [....14] [ip4][..tcp] [..192.168.1.128][45936] -> [..208.85.40.158][...80]
- idle: [....35] [ip4][..tcp] [..192.168.1.128][48902] -> [....2.17.140.63][..443] [TLS.Xbox][Unknown][Game][Fun]
- idle: [....18] [ip4][..tcp] [..192.168.1.128][40832] -> [....2.17.141.49][..443] [TLS.eBay][Unknown][Shopping][Safe]
- idle: [....30] [ip4][..tcp] [..192.168.1.128][57336] -> [....23.1.68.189][..443] [TLS.Playstation][Unknown][Game][Fun]
- idle: [....28] [ip4][..tcp] [..192.168.1.128][48654] -> [...13.107.42.14][..443] [TLS.LinkedIn][Azure][SocialNetwork][Fun]
- idle: [....24] [ip4][..tcp] [..192.168.1.128][47122] -> [.35.201.112.136][..443] [TLS.LastFM][GoogleCloud][Music][Fun]
- idle: [....27] [ip4][..tcp] [..192.168.1.128][57014] -> [108.139.210.102][..443] [TLS.Bloomberg][AmazonAWS][Cloud][Acceptable]
- idle: [....16] [ip4][..tcp] [..192.168.1.128][56468] -> [.151.101.192.92][..443] [TLS.Vevo][Unknown][Music][Fun]
- idle: [....34] [ip4][..tcp] [..192.168.1.128][38858] -> [142.250.180.142][..443] [TLS.GoogleMaps][Google][Web][Safe]
- idle: [....32] [ip4][..tcp] [..192.168.1.128][43150] -> [.108.138.199.67][..443] [TLS.Deezer][AmazonAWS][Music][Fun]
- guessed: [....33] [ip4][..tcp] [..192.168.1.128][52070] -> [....18.65.82.67][...80] [HTTP][AmazonAWS][Web][Acceptable][]
- idle: [....33] [ip4][..tcp] [..192.168.1.128][52070] -> [....18.65.82.67][...80]
- idle: [....29] [ip4][..tcp] [..192.168.1.128][39934] -> [..104.23.98.190][..443] [TLS.Pastebin][Cloudflare][Download][Potentially Dangerous]
+ idle: [....32] [ip4][..tcp] [..192.168.1.128][48902] -> [....2.17.140.63][..443] [TLS.Xbox][Unknown][Game][Fun]
+ idle: [....17] [ip4][..tcp] [..192.168.1.128][40832] -> [....2.17.141.49][..443] [TLS.eBay][Unknown][Shopping][Safe]
+ idle: [....27] [ip4][..tcp] [..192.168.1.128][57336] -> [....23.1.68.189][..443] [TLS.Playstation][Unknown][Game][Fun]
+ idle: [....25] [ip4][..tcp] [..192.168.1.128][48654] -> [...13.107.42.14][..443] [TLS.LinkedIn][Azure][SocialNetwork][Fun]
+ idle: [....21] [ip4][..tcp] [..192.168.1.128][47122] -> [.35.201.112.136][..443] [TLS.LastFM][GoogleCloud][Music][Fun]
+ idle: [....24] [ip4][..tcp] [..192.168.1.128][57014] -> [108.139.210.102][..443] [TLS.Bloomberg][AmazonAWS][Cloud][Acceptable]
+ idle: [....31] [ip4][..tcp] [..192.168.1.128][38858] -> [142.250.180.142][..443] [TLS.GoogleMaps][Google][Web][Safe]
+ idle: [....29] [ip4][..tcp] [..192.168.1.128][43150] -> [.108.138.199.67][..443] [TLS.Deezer][AmazonAWS][Music][Fun]
+ guessed: [....30] [ip4][..tcp] [..192.168.1.128][52070] -> [....18.65.82.67][...80] [HTTP][AmazonAWS][Web][Acceptable][]
+ idle: [....30] [ip4][..tcp] [..192.168.1.128][52070] -> [....18.65.82.67][...80]
+ idle: [....26] [ip4][..tcp] [..192.168.1.128][39934] -> [..104.23.98.190][..443] [TLS.Pastebin][Cloudflare][Download][Potentially Dangerous]
RISK: Unsafe Protocol
- idle: [....20] [ip4][..tcp] [..192.168.1.128][51248] -> [..95.131.169.91][..443] [TLS.Tuenti][Unknown][VoIP][Acceptable]
idle: [....15] [ip4][..tcp] [..192.168.1.128][51806] -> [..18.66.196.102][..443] [TLS.SoundCloud][AmazonAWS][Music][Fun]
idle: [....11] [ip4][..tcp] [..192.168.1.128][53998] -> [..172.65.251.78][..443] [TLS.GitLab][Cloudflare][Collaborative][Fun]
- idle: [....36] [ip4][..tcp] [..192.168.1.128][39828] -> [....40.97.160.2][..443] [TLS.Outlook][Outlook][Email][Acceptable]
- idle: [....21] [ip4][..tcp] [..192.168.1.128][39302] -> [..95.131.170.91][..443] [TLS.Tuenti][Unknown][VoIP][Acceptable]
- idle: [....17] [ip4][..tcp] [..192.168.1.128][48140] -> [.....23.1.66.79][..443] [TLS.CNN][Unknown][Web][Safe]
- idle: [....19] [ip4][..tcp] [..192.168.1.128][42884] -> [.185.125.190.21][..443] [TLS.UbuntuONE][UbuntuONE][Cloud][Acceptable]
- new: [....38] [ip4][..tcp] [..192.168.1.128][57878] -> [.52.113.194.132][..443]
- detected: [....38] [ip4][..tcp] [..192.168.1.128][57878] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.office.com]
- detection-update: [....38] [ip4][..tcp] [..192.168.1.128][57878] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.office.com]
- new: [....39] [ip4][..tcp] [..192.168.1.128][33664] -> [108.138.185.106][..443]
- detected: [....39] [ip4][..tcp] [..192.168.1.128][33664] -> [108.138.185.106][..443] [TLS.AmazonVideo][AmazonAWS][Video][Fun][www.primevideo.com]
- detection-update: [....39] [ip4][..tcp] [..192.168.1.128][33664] -> [108.138.185.106][..443] [TLS.AmazonVideo][AmazonAWS][Video][Fun][www.primevideo.com]
- new: [....40] [ip4][..tcp] [..192.168.1.128][56458] -> [142.250.185.142][..443]
- detected: [....40] [ip4][..tcp] [..192.168.1.128][56458] -> [142.250.185.142][..443] [TLS.GoogleDrive][Google][Cloud][Acceptable][drive.google.com]
- detection-update: [....40] [ip4][..tcp] [..192.168.1.128][56458] -> [142.250.185.142][..443] [TLS.GoogleDrive][Google][Cloud][Acceptable][drive.google.com]
- new: [....41] [ip4][..tcp] [..192.168.1.128][33102] -> [...13.81.118.91][..443]
- detected: [....41] [ip4][..tcp] [..192.168.1.128][33102] -> [...13.81.118.91][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][onedrive.com]
- detection-update: [....41] [ip4][..tcp] [..192.168.1.128][33102] -> [...13.81.118.91][..443] [TLS.Microsoft][Azure][Cloud][Safe][onedrive.com]
- new: [....42] [ip4][..tcp] [..192.168.1.128][56836] -> [...13.107.42.13][..443]
- detected: [....42] [ip4][..tcp] [..192.168.1.128][56836] -> [...13.107.42.13][..443] [TLS.MS_OneDrive][Azure][Cloud][Acceptable][onedrive.live.com]
- detection-update: [....42] [ip4][..tcp] [..192.168.1.128][56836] -> [...13.107.42.13][..443] [TLS.MS_OneDrive][Azure][Cloud][Acceptable][onedrive.live.com]
- new: [....43] [ip4][..tcp] [..192.168.1.128][45014] -> [129.226.107.210][..443]
- detected: [....43] [ip4][..tcp] [..192.168.1.128][45014] -> [129.226.107.210][..443] [TLS.IFLIX][Tencent][Video][Fun][www.iflix.com]
- detection-update: [....43] [ip4][..tcp] [..192.168.1.128][45014] -> [129.226.107.210][..443] [TLS.IFLIX][Tencent][Video][Fun][www.iflix.com]
- detection-update: [....43] [ip4][..tcp] [..192.168.1.128][45014] -> [129.226.107.210][..443] [TLS.IFLIX][Tencent][Video][Fun][www.iflix.com]
- new: [....44] [ip4][..udp] [..192.168.1.128][38642] -> [.216.58.212.142][..443]
- detected: [....44] [ip4][..udp] [..192.168.1.128][38642] -> [.216.58.212.142][..443] [QUIC.Google][Google][Web][Acceptable][hangouts.google.com]
- new: [....45] [ip4][..tcp] [..192.168.1.128][50608] -> [142.250.185.206][..443]
- detected: [....45] [ip4][..tcp] [..192.168.1.128][50608] -> [142.250.185.206][..443] [TLS][Google][Web][Safe][googleplus.com]
- detection-update: [....45] [ip4][..tcp] [..192.168.1.128][50608] -> [142.250.185.206][..443] [TLS][Google][Web][Safe][googleplus.com]
- new: [....46] [ip4][..udp] [..192.168.1.128][36832] -> [142.250.181.238][..443]
- detected: [....46] [ip4][..udp] [..192.168.1.128][36832] -> [142.250.181.238][..443] [QUIC.Google][Google][Web][Acceptable][plus.google.com]
- update: [....44] [ip4][..udp] [..192.168.1.128][38642] -> [.216.58.212.142][..443] [QUIC.Google][Google][Web][Acceptable]
- DAEMON-EVENT: [Processed: 512 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 10 / 46|skipped: 0|!detected: 0|guessed: 4|detection-updates: 47|updates: 1]
- new: [....47] [ip4][..tcp] [..192.168.1.128][53978] -> [..208.85.40.158][..443]
- detected: [....47] [ip4][..tcp] [..192.168.1.128][53978] -> [..208.85.40.158][..443] [TLS.Pandora][Unknown][Streaming][Fun][pandora.com]
- detection-update: [....47] [ip4][..tcp] [..192.168.1.128][53978] -> [..208.85.40.158][..443] [TLS.Pandora][Unknown][Streaming][Fun][pandora.com]
- detection-update: [....47] [ip4][..tcp] [..192.168.1.128][53978] -> [..208.85.40.158][..443] [TLS.Pandora][Unknown][Streaming][Fun][pandora.com]
- idle: [....39] [ip4][..tcp] [..192.168.1.128][33664] -> [108.138.185.106][..443] [TLS.AmazonVideo][AmazonAWS][Video][Fun]
- idle: [....40] [ip4][..tcp] [..192.168.1.128][56458] -> [142.250.185.142][..443] [TLS.GoogleDrive][Google][Cloud][Acceptable]
- idle: [....45] [ip4][..tcp] [..192.168.1.128][50608] -> [142.250.185.206][..443] [TLS][Google][Web][Safe]
- idle: [....42] [ip4][..tcp] [..192.168.1.128][56836] -> [...13.107.42.13][..443] [TLS.MS_OneDrive][Azure][Cloud][Acceptable]
- idle: [....44] [ip4][..udp] [..192.168.1.128][38642] -> [.216.58.212.142][..443] [QUIC.Google][Google][Web][Acceptable]
- idle: [....43] [ip4][..tcp] [..192.168.1.128][45014] -> [129.226.107.210][..443] [TLS.IFLIX][Tencent][Video][Fun]
- idle: [....41] [ip4][..tcp] [..192.168.1.128][33102] -> [...13.81.118.91][..443] [TLS.Microsoft][Azure][Cloud][Safe]
- idle: [....46] [ip4][..udp] [..192.168.1.128][36832] -> [142.250.181.238][..443] [QUIC.Google][Google][Web][Acceptable]
- idle: [....38] [ip4][..tcp] [..192.168.1.128][57878] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe]
- idle: [....37] [ip4][..tcp] [..192.168.1.128][45898] -> [..15.160.39.187][..443] [TLS.AppleSiri][AmazonAWS][VirtAssistant][Acceptable]
- DAEMON-EVENT: [Processed: 520 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 1 / 47|skipped: 0|!detected: 0|guessed: 4|detection-updates: 49|updates: 1]
- new: [....48] [ip4][..tcp] [.192.168.88.231][33920] -> [..185.5.161.203][..443]
- detected: [....48] [ip4][..tcp] [.192.168.88.231][33920] -> [..185.5.161.203][..443] [TLS.ElectronicArts][Unknown][Game][Fun][origin-a.akamaihd.net]
+ idle: [....33] [ip4][..tcp] [..192.168.1.128][39828] -> [....40.97.160.2][..443] [TLS.Outlook][Outlook][Email][Acceptable]
+ idle: [....16] [ip4][..tcp] [..192.168.1.128][48140] -> [.....23.1.66.79][..443] [TLS.CNN][Unknown][Web][Safe]
+ idle: [....18] [ip4][..tcp] [..192.168.1.128][42884] -> [.185.125.190.21][..443] [TLS.UbuntuONE][UbuntuONE][Cloud][Acceptable]
+ new: [....35] [ip4][..tcp] [..192.168.1.128][57878] -> [.52.113.194.132][..443]
+ detected: [....35] [ip4][..tcp] [..192.168.1.128][57878] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.office.com]
+ detection-update: [....35] [ip4][..tcp] [..192.168.1.128][57878] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.office.com]
+ new: [....36] [ip4][..tcp] [..192.168.1.128][33664] -> [108.138.185.106][..443]
+ detected: [....36] [ip4][..tcp] [..192.168.1.128][33664] -> [108.138.185.106][..443] [TLS.AmazonVideo][AmazonAWS][Video][Fun][www.primevideo.com]
+ detection-update: [....36] [ip4][..tcp] [..192.168.1.128][33664] -> [108.138.185.106][..443] [TLS.AmazonVideo][AmazonAWS][Video][Fun][www.primevideo.com]
+ new: [....37] [ip4][..tcp] [..192.168.1.128][56458] -> [142.250.185.142][..443]
+ detected: [....37] [ip4][..tcp] [..192.168.1.128][56458] -> [142.250.185.142][..443] [TLS.GoogleDrive][Google][Cloud][Acceptable][drive.google.com]
+ detection-update: [....37] [ip4][..tcp] [..192.168.1.128][56458] -> [142.250.185.142][..443] [TLS.GoogleDrive][Google][Cloud][Acceptable][drive.google.com]
+ new: [....38] [ip4][..tcp] [..192.168.1.128][33102] -> [...13.81.118.91][..443]
+ detected: [....38] [ip4][..tcp] [..192.168.1.128][33102] -> [...13.81.118.91][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][onedrive.com]
+ detection-update: [....38] [ip4][..tcp] [..192.168.1.128][33102] -> [...13.81.118.91][..443] [TLS.Microsoft][Azure][Cloud][Safe][onedrive.com]
+ new: [....39] [ip4][..tcp] [..192.168.1.128][56836] -> [...13.107.42.13][..443]
+ detected: [....39] [ip4][..tcp] [..192.168.1.128][56836] -> [...13.107.42.13][..443] [TLS.MS_OneDrive][Azure][Cloud][Acceptable][onedrive.live.com]
+ detection-update: [....39] [ip4][..tcp] [..192.168.1.128][56836] -> [...13.107.42.13][..443] [TLS.MS_OneDrive][Azure][Cloud][Acceptable][onedrive.live.com]
+ new: [....40] [ip4][..tcp] [..192.168.1.128][45014] -> [129.226.107.210][..443]
+ detected: [....40] [ip4][..tcp] [..192.168.1.128][45014] -> [129.226.107.210][..443] [TLS.IFLIX][Tencent][Video][Fun][www.iflix.com]
+ detection-update: [....40] [ip4][..tcp] [..192.168.1.128][45014] -> [129.226.107.210][..443] [TLS.IFLIX][Tencent][Video][Fun][www.iflix.com]
+ detection-update: [....40] [ip4][..tcp] [..192.168.1.128][45014] -> [129.226.107.210][..443] [TLS.IFLIX][Tencent][Video][Fun][www.iflix.com]
+ new: [....41] [ip4][..udp] [..192.168.1.128][38642] -> [.216.58.212.142][..443]
+ detected: [....41] [ip4][..udp] [..192.168.1.128][38642] -> [.216.58.212.142][..443] [QUIC.Google][Google][Web][Acceptable][hangouts.google.com]
+ new: [....42] [ip4][..tcp] [..192.168.1.128][50608] -> [142.250.185.206][..443]
+ detected: [....42] [ip4][..tcp] [..192.168.1.128][50608] -> [142.250.185.206][..443] [TLS][Google][Web][Safe][googleplus.com]
+ detection-update: [....42] [ip4][..tcp] [..192.168.1.128][50608] -> [142.250.185.206][..443] [TLS][Google][Web][Safe][googleplus.com]
+ new: [....43] [ip4][..udp] [..192.168.1.128][36832] -> [142.250.181.238][..443]
+ detected: [....43] [ip4][..udp] [..192.168.1.128][36832] -> [142.250.181.238][..443] [QUIC.Google][Google][Web][Acceptable][plus.google.com]
+ update: [....41] [ip4][..udp] [..192.168.1.128][38642] -> [.216.58.212.142][..443] [QUIC.Google][Google][Web][Acceptable]
+ DAEMON-EVENT: [Processed: 488 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 10 / 43|skipped: 0|!detected: 0|guessed: 4|detection-updates: 41|updates: 1]
+ new: [....44] [ip4][..tcp] [..192.168.1.128][53978] -> [..208.85.40.158][..443]
+ detected: [....44] [ip4][..tcp] [..192.168.1.128][53978] -> [..208.85.40.158][..443] [TLS.Pandora][Unknown][Streaming][Fun][pandora.com]
+ detection-update: [....44] [ip4][..tcp] [..192.168.1.128][53978] -> [..208.85.40.158][..443] [TLS.Pandora][Unknown][Streaming][Fun][pandora.com]
+ detection-update: [....44] [ip4][..tcp] [..192.168.1.128][53978] -> [..208.85.40.158][..443] [TLS.Pandora][Unknown][Streaming][Fun][pandora.com]
+ idle: [....36] [ip4][..tcp] [..192.168.1.128][33664] -> [108.138.185.106][..443] [TLS.AmazonVideo][AmazonAWS][Video][Fun]
+ idle: [....37] [ip4][..tcp] [..192.168.1.128][56458] -> [142.250.185.142][..443] [TLS.GoogleDrive][Google][Cloud][Acceptable]
+ idle: [....42] [ip4][..tcp] [..192.168.1.128][50608] -> [142.250.185.206][..443] [TLS][Google][Web][Safe]
+ idle: [....39] [ip4][..tcp] [..192.168.1.128][56836] -> [...13.107.42.13][..443] [TLS.MS_OneDrive][Azure][Cloud][Acceptable]
+ idle: [....41] [ip4][..udp] [..192.168.1.128][38642] -> [.216.58.212.142][..443] [QUIC.Google][Google][Web][Acceptable]
+ idle: [....40] [ip4][..tcp] [..192.168.1.128][45014] -> [129.226.107.210][..443] [TLS.IFLIX][Tencent][Video][Fun]
+ idle: [....38] [ip4][..tcp] [..192.168.1.128][33102] -> [...13.81.118.91][..443] [TLS.Microsoft][Azure][Cloud][Safe]
+ idle: [....43] [ip4][..udp] [..192.168.1.128][36832] -> [142.250.181.238][..443] [QUIC.Google][Google][Web][Acceptable]
+ idle: [....35] [ip4][..tcp] [..192.168.1.128][57878] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe]
+ idle: [....34] [ip4][..tcp] [..192.168.1.128][45898] -> [..15.160.39.187][..443] [TLS.AppleSiri][AmazonAWS][VirtAssistant][Acceptable]
+ DAEMON-EVENT: [Processed: 496 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 44|skipped: 0|!detected: 0|guessed: 4|detection-updates: 43|updates: 1]
+ new: [....45] [ip4][..tcp] [.192.168.88.231][33920] -> [..185.5.161.203][..443]
+ detected: [....45] [ip4][..tcp] [.192.168.88.231][33920] -> [..185.5.161.203][..443] [TLS.ElectronicArts][Unknown][Game][Fun][origin-a.akamaihd.net]
RISK: TLS (probably) Not Carrying HTTPS
- detection-update: [....48] [ip4][..tcp] [.192.168.88.231][33920] -> [..185.5.161.203][..443] [TLS.ElectronicArts][Unknown][Game][Fun][origin-a.akamaihd.net]
+ detection-update: [....45] [ip4][..tcp] [.192.168.88.231][33920] -> [..185.5.161.203][..443] [TLS.ElectronicArts][Unknown][Game][Fun][origin-a.akamaihd.net]
RISK: TLS (probably) Not Carrying HTTPS
- new: [....49] [ip4][..tcp] [.192.168.88.231][49950] -> [159.153.191.240][..443]
- detected: [....49] [ip4][..tcp] [.192.168.88.231][49950] -> [159.153.191.240][..443] [TLS.ElectronicArts][Unknown][Game][Fun][accounts.ea.com]
+ new: [....46] [ip4][..tcp] [.192.168.88.231][49950] -> [159.153.191.240][..443]
+ detected: [....46] [ip4][..tcp] [.192.168.88.231][49950] -> [159.153.191.240][..443] [TLS.ElectronicArts][Unknown][Game][Fun][accounts.ea.com]
RISK: TLS (probably) Not Carrying HTTPS
- detection-update: [....49] [ip4][..tcp] [.192.168.88.231][49950] -> [159.153.191.240][..443] [TLS.ElectronicArts][Unknown][Game][Fun][accounts.ea.com]
+ detection-update: [....46] [ip4][..tcp] [.192.168.88.231][49950] -> [159.153.191.240][..443] [TLS.ElectronicArts][Unknown][Game][Fun][accounts.ea.com]
RISK: Weak TLS Cipher, TLS (probably) Not Carrying HTTPS
- idle: [....47] [ip4][..tcp] [..192.168.1.128][53978] -> [..208.85.40.158][..443] [TLS.Pandora][Unknown][Streaming][Fun]
- DAEMON-EVENT: [Processed: 536 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 2 / 49|skipped: 0|!detected: 0|guessed: 4|detection-updates: 51|updates: 1]
- new: [....50] [ip4][..tcp] [..192.168.1.245][54690] -> [.160.44.196.198][..443]
- detected: [....50] [ip4][..tcp] [..192.168.1.245][54690] -> [.160.44.196.198][..443] [TLS.HuaweiCloud][Unknown][Cloud][Acceptable][cloud.huawei.com]
- detection-update: [....50] [ip4][..tcp] [..192.168.1.245][54690] -> [.160.44.196.198][..443] [TLS.HuaweiCloud][Unknown][Cloud][Acceptable][cloud.huawei.com]
- new: [....51] [ip4][..tcp] [..192.168.1.245][49558] -> [..80.158.42.215][..443]
- detected: [....51] [ip4][..tcp] [..192.168.1.245][49558] -> [..80.158.42.215][..443] [TLS.HuaweiCloud][Unknown][Cloud][Acceptable][id7.cloud.huawei.com]
- detection-update: [....51] [ip4][..tcp] [..192.168.1.245][49558] -> [..80.158.42.215][..443] [TLS.HuaweiCloud][Unknown][Cloud][Acceptable][id7.cloud.huawei.com]
- new: [....52] [ip6][..tcp] [...2001:b07:a3d:c112:c044:a6d4:80d:5d55][39970] -> [...2600:9000:25ea:1200:1:12d8:5a00:93a1][..443]
- detected: [....52] [ip6][..tcp] [...2001:b07:a3d:c112:c044:a6d4:80d:5d55][39970] -> [...2600:9000:25ea:1200:1:12d8:5a00:93a1][..443] [TLS.HuaweiCloud][AmazonAWS][Cloud][Acceptable][contentcenter-dre.dbankcdn.com]
- detection-update: [....52] [ip6][..tcp] [...2001:b07:a3d:c112:c044:a6d4:80d:5d55][39970] -> [...2600:9000:25ea:1200:1:12d8:5a00:93a1][..443] [TLS.HuaweiCloud][AmazonAWS][Cloud][Acceptable][contentcenter-dre.dbankcdn.com]
- idle: [....48] [ip4][..tcp] [.192.168.88.231][33920] -> [..185.5.161.203][..443] [TLS.ElectronicArts][Unknown][Game][Fun]
+ idle: [....44] [ip4][..tcp] [..192.168.1.128][53978] -> [..208.85.40.158][..443] [TLS.Pandora][Unknown][Streaming][Fun]
+ DAEMON-EVENT: [Processed: 512 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 2 / 46|skipped: 0|!detected: 0|guessed: 4|detection-updates: 45|updates: 1]
+ new: [....47] [ip4][..tcp] [..192.168.1.245][54690] -> [.160.44.196.198][..443]
+ detected: [....47] [ip4][..tcp] [..192.168.1.245][54690] -> [.160.44.196.198][..443] [TLS.HuaweiCloud][Unknown][Cloud][Acceptable][cloud.huawei.com]
+ detection-update: [....47] [ip4][..tcp] [..192.168.1.245][54690] -> [.160.44.196.198][..443] [TLS.HuaweiCloud][Unknown][Cloud][Acceptable][cloud.huawei.com]
+ new: [....48] [ip4][..tcp] [..192.168.1.245][49558] -> [..80.158.42.215][..443]
+ detected: [....48] [ip4][..tcp] [..192.168.1.245][49558] -> [..80.158.42.215][..443] [TLS.HuaweiCloud][Unknown][Cloud][Acceptable][id7.cloud.huawei.com]
+ detection-update: [....48] [ip4][..tcp] [..192.168.1.245][49558] -> [..80.158.42.215][..443] [TLS.HuaweiCloud][Unknown][Cloud][Acceptable][id7.cloud.huawei.com]
+ new: [....49] [ip6][..tcp] [...2001:b07:a3d:c112:c044:a6d4:80d:5d55][39970] -> [...2600:9000:25ea:1200:1:12d8:5a00:93a1][..443]
+ detected: [....49] [ip6][..tcp] [...2001:b07:a3d:c112:c044:a6d4:80d:5d55][39970] -> [...2600:9000:25ea:1200:1:12d8:5a00:93a1][..443] [TLS.HuaweiCloud][AmazonAWS][Cloud][Acceptable][contentcenter-dre.dbankcdn.com]
+ detection-update: [....49] [ip6][..tcp] [...2001:b07:a3d:c112:c044:a6d4:80d:5d55][39970] -> [...2600:9000:25ea:1200:1:12d8:5a00:93a1][..443] [TLS.HuaweiCloud][AmazonAWS][Cloud][Acceptable][contentcenter-dre.dbankcdn.com]
+ idle: [....45] [ip4][..tcp] [.192.168.88.231][33920] -> [..185.5.161.203][..443] [TLS.ElectronicArts][Unknown][Game][Fun]
RISK: TLS (probably) Not Carrying HTTPS
- idle: [....49] [ip4][..tcp] [.192.168.88.231][49950] -> [159.153.191.240][..443] [TLS.ElectronicArts][Unknown][Game][Fun]
+ idle: [....46] [ip4][..tcp] [.192.168.88.231][49950] -> [159.153.191.240][..443] [TLS.ElectronicArts][Unknown][Game][Fun]
RISK: Weak TLS Cipher, TLS (probably) Not Carrying HTTPS
- DAEMON-EVENT: [Processed: 586 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 3 / 52|skipped: 0|!detected: 0|guessed: 4|detection-updates: 54|updates: 1]
- new: [....53] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48594] -> [...................2001:67c:4e8:f004::9][..443]
- detected: [....53] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48594] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable][web.telegram.org]
- detection-update: [....53] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48594] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable][web.telegram.org]
- new: [....54] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48616] -> [...................2001:67c:4e8:f004::9][..443]
- new: [....55] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48624] -> [...................2001:67c:4e8:f004::9][..443]
- detected: [....54] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48616] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable][t.me]
- detected: [....55] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48624] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable][telegram.me]
- detection-update: [....54] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48616] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable][t.me]
- detection-update: [....55] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48624] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable][telegram.me]
- end: [....51] [ip4][..tcp] [..192.168.1.245][49558] -> [..80.158.42.215][..443] [TLS.HuaweiCloud][Unknown][Cloud][Acceptable]
- idle: [....50] [ip4][..tcp] [..192.168.1.245][54690] -> [.160.44.196.198][..443] [TLS.HuaweiCloud][Unknown][Cloud][Acceptable]
- idle: [....52] [ip6][..tcp] [...2001:b07:a3d:c112:c044:a6d4:80d:5d55][39970] -> [...2600:9000:25ea:1200:1:12d8:5a00:93a1][..443] [TLS.HuaweiCloud][AmazonAWS][Cloud][Acceptable]
- DAEMON-EVENT: [Processed: 608 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 3 / 55|skipped: 0|!detected: 0|guessed: 4|detection-updates: 57|updates: 1]
- new: [....56] [ip4][..tcp] [..192.168.1.245][46174] -> [.....5.61.23.30][..443]
- detected: [....56] [ip4][..tcp] [..192.168.1.245][46174] -> [.....5.61.23.30][..443] [TLS][Unknown][Web][Safe][732231.ms.ok.ru]
- detection-update: [....56] [ip4][..tcp] [..192.168.1.245][46174] -> [.....5.61.23.30][..443] [TLS][Unknown][Web][Safe][732231.ms.ok.ru]
- idle: [....53] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48594] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable]
- idle: [....54] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48616] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable]
- idle: [....55] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48624] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable]
- end: [....56] [ip4][..tcp] [..192.168.1.245][46174] -> [.....5.61.23.30][..443] [TLS][Unknown][Web][Safe]
+ DAEMON-EVENT: [Processed: 562 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 3 / 49|skipped: 0|!detected: 0|guessed: 4|detection-updates: 48|updates: 1]
+ new: [....50] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48594] -> [...................2001:67c:4e8:f004::9][..443]
+ detected: [....50] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48594] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable][web.telegram.org]
+ detection-update: [....50] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48594] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable][web.telegram.org]
+ new: [....51] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48616] -> [...................2001:67c:4e8:f004::9][..443]
+ new: [....52] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48624] -> [...................2001:67c:4e8:f004::9][..443]
+ detected: [....51] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48616] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable][t.me]
+ detected: [....52] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48624] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable][telegram.me]
+ detection-update: [....51] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48616] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable][t.me]
+ detection-update: [....52] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48624] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable][telegram.me]
+ end: [....48] [ip4][..tcp] [..192.168.1.245][49558] -> [..80.158.42.215][..443] [TLS.HuaweiCloud][Unknown][Cloud][Acceptable]
+ idle: [....47] [ip4][..tcp] [..192.168.1.245][54690] -> [.160.44.196.198][..443] [TLS.HuaweiCloud][Unknown][Cloud][Acceptable]
+ idle: [....49] [ip6][..tcp] [...2001:b07:a3d:c112:c044:a6d4:80d:5d55][39970] -> [...2600:9000:25ea:1200:1:12d8:5a00:93a1][..443] [TLS.HuaweiCloud][AmazonAWS][Cloud][Acceptable]
+ DAEMON-EVENT: [Processed: 584 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 3 / 52|skipped: 0|!detected: 0|guessed: 4|detection-updates: 51|updates: 1]
+ new: [....53] [ip4][..tcp] [..192.168.1.245][46174] -> [.....5.61.23.30][..443]
+ detected: [....53] [ip4][..tcp] [..192.168.1.245][46174] -> [.....5.61.23.30][..443] [TLS][Unknown][Web][Safe][732231.ms.ok.ru]
+ detection-update: [....53] [ip4][..tcp] [..192.168.1.245][46174] -> [.....5.61.23.30][..443] [TLS][Unknown][Web][Safe][732231.ms.ok.ru]
+ idle: [....50] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48594] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable]
+ idle: [....51] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48616] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable]
+ idle: [....52] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48624] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable]
+ DAEMON-EVENT: [Processed: 604 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 53|skipped: 0|!detected: 0|guessed: 4|detection-updates: 52|updates: 1]
+ new: [....54] [ip4][..tcp] [.192.168.88.171][55272] -> [116.211.202.129][..443]
+ detected: [....54] [ip4][..tcp] [.192.168.88.171][55272] -> [116.211.202.129][..443] [TLS.iQIYI][Unknown][Streaming][Fun][opportunarch.iqiyi.com]
+ detection-update: [....54] [ip4][..tcp] [.192.168.88.171][55272] -> [116.211.202.129][..443] [TLS.iQIYI][Unknown][Streaming][Fun][opportunarch.iqiyi.com]
+ new: [....55] [ip4][..tcp] [.192.168.88.171][55468] -> [...184.86.2.194][..443]
+ detected: [....55] [ip4][..tcp] [.192.168.88.171][55468] -> [...184.86.2.194][..443] [TLS.iQIYI][Unknown][Streaming][Fun][stc.iqiyipic.com]
+ detection-update: [....55] [ip4][..tcp] [.192.168.88.171][55468] -> [...184.86.2.194][..443] [TLS.iQIYI][Unknown][Streaming][Fun][stc.iqiyipic.com]
+ new: [....56] [ip4][..tcp] [.192.168.88.171][55280] -> [.124.237.225.21][..443]
+ detected: [....56] [ip4][..tcp] [.192.168.88.171][55280] -> [.124.237.225.21][..443] [TLS.iQIYI][Unknown][Streaming][Fun][msg.qy.net]
+ detection-update: [....56] [ip4][..tcp] [.192.168.88.171][55280] -> [.124.237.225.21][..443] [TLS.iQIYI][Unknown][Streaming][Fun][msg.qy.net]
+ end: [....53] [ip4][..tcp] [..192.168.1.245][46174] -> [.....5.61.23.30][..443] [TLS][Unknown][Web][Safe]
+ DAEMON-EVENT: [Processed: 623 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 3 / 56|skipped: 0|!detected: 0|guessed: 4|detection-updates: 55|updates: 1]
+ new: [....57] [ip4][..tcp] [.192.168.88.171][49217] -> [.54.208.106.218][..443]
+ detected: [....57] [ip4][..tcp] [.192.168.88.171][49217] -> [.54.208.106.218][..443] [TLS.AdobeConnect][AmazonAWS][Video][Acceptable][meet27083742.adobeconnect.com]
+ detection-update: [....57] [ip4][..tcp] [.192.168.88.171][49217] -> [.54.208.106.218][..443] [TLS.AdobeConnect][AmazonAWS][Video][Acceptable][meet27083742.adobeconnect.com]
+ idle: [....55] [ip4][..tcp] [.192.168.88.171][55468] -> [...184.86.2.194][..443] [TLS.iQIYI][Unknown][Streaming][Fun]
+ idle: [....54] [ip4][..tcp] [.192.168.88.171][55272] -> [116.211.202.129][..443] [TLS.iQIYI][Unknown][Streaming][Fun]
+ idle: [....56] [ip4][..tcp] [.192.168.88.171][55280] -> [.124.237.225.21][..443] [TLS.iQIYI][Unknown][Streaming][Fun]
+ DAEMON-EVENT: [Processed: 629 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 57|skipped: 0|!detected: 0|guessed: 4|detection-updates: 56|updates: 1]
+ new: [....58] [ip4][..tcp] [..192.168.1.245][50142] -> [...3.136.49.254][..443]
+ detected: [....58] [ip4][..tcp] [..192.168.1.245][50142] -> [...3.136.49.254][..443] [TLS.Bluesky][AmazonAWS][SocialNetwork][Fun][bsky.app]
+ detection-update: [....58] [ip4][..tcp] [..192.168.1.245][50142] -> [...3.136.49.254][..443] [TLS.Bluesky][AmazonAWS][SocialNetwork][Fun][bsky.app]
+ new: [....59] [ip4][..tcp] [..192.168.1.245][55362] -> [....44.218.3.81][..443]
+ detected: [....59] [ip4][..tcp] [..192.168.1.245][55362] -> [....44.218.3.81][..443] [TLS.Bluesky][AmazonAWS][SocialNetwork][Fun][bsky.social]
+ detection-update: [....59] [ip4][..tcp] [..192.168.1.245][55362] -> [....44.218.3.81][..443] [TLS.Bluesky][AmazonAWS][SocialNetwork][Fun][bsky.social]
+ new: [....60] [ip4][..tcp] [..192.168.1.245][33212] -> [..15.204.197.32][..443]
+ detected: [....60] [ip4][..tcp] [..192.168.1.245][33212] -> [..15.204.197.32][..443] [TLS.Bluesky][Unknown][SocialNetwork][Fun][enoki.us-east.host.bsky.network]
+ detection-update: [....60] [ip4][..tcp] [..192.168.1.245][33212] -> [..15.204.197.32][..443] [TLS.Bluesky][Unknown][SocialNetwork][Fun][enoki.us-east.host.bsky.network]
+ idle: [....57] [ip4][..tcp] [.192.168.88.171][49217] -> [.54.208.106.218][..443] [TLS.AdobeConnect][AmazonAWS][Video][Acceptable]
+ new: [....61] [ip6][..tcp] [...2001:b07:a3d:c112:6ea5:ab52:9230:ba5][35968] -> [.....................2a04:4e42:c00::347][..443]
+ detected: [....61] [ip6][..tcp] [...2001:b07:a3d:c112:6ea5:ab52:9230:ba5][35968] -> [.....................2a04:4e42:c00::347][..443] [TLS.Mastodon][Unknown][SocialNetwork][Fun][mastodon.social]
+ detection-update: [....61] [ip6][..tcp] [...2001:b07:a3d:c112:6ea5:ab52:9230:ba5][35968] -> [.....................2a04:4e42:c00::347][..443] [TLS.Mastodon][Unknown][SocialNetwork][Fun][mastodon.social]
+ DAEMON-EVENT: [Processed: 655 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 4 / 61|skipped: 0|!detected: 0|guessed: 4|detection-updates: 60|updates: 1]
+ new: [....62] [ip6][..udp] [...2001:b07:a3d:c112:6ea5:ab52:9230:ba5][41590] -> [......2a03:2880:f208:c4:face:b00c::43fe][..443]
+ detected: [....62] [ip6][..udp] [...2001:b07:a3d:c112:6ea5:ab52:9230:ba5][41590] -> [......2a03:2880:f208:c4:face:b00c::43fe][..443] [QUIC.Threads][Facebook][SocialNetwork][Fun][www.threads.net]
+ DAEMON-EVENT: [Processed: 656 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 5 / 62|skipped: 0|!detected: 0|guessed: 4|detection-updates: 60|updates: 1]
+ new: [....63] [ip4][..tcp] [..192.168.1.245][58624] -> [.104.16.156.111][..443]
+ detected: [....63] [ip4][..tcp] [..192.168.1.245][58624] -> [.104.16.156.111][..443] [TLS.NordVPN][Cloudflare][VPN][Acceptable][s1.nordcdn.com]
+ detection-update: [....63] [ip4][..tcp] [..192.168.1.245][58624] -> [.104.16.156.111][..443] [TLS.NordVPN][Cloudflare][VPN][Acceptable][s1.nordcdn.com]
+ idle: [....60] [ip4][..tcp] [..192.168.1.245][33212] -> [..15.204.197.32][..443] [TLS.Bluesky][Unknown][SocialNetwork][Fun]
+ idle: [....61] [ip6][..tcp] [...2001:b07:a3d:c112:6ea5:ab52:9230:ba5][35968] -> [.....................2a04:4e42:c00::347][..443] [TLS.Mastodon][Unknown][SocialNetwork][Fun]
+ idle: [....59] [ip4][..tcp] [..192.168.1.245][55362] -> [....44.218.3.81][..443] [TLS.Bluesky][AmazonAWS][SocialNetwork][Fun]
+ idle: [....62] [ip6][..udp] [...2001:b07:a3d:c112:6ea5:ab52:9230:ba5][41590] -> [......2a03:2880:f208:c4:face:b00c::43fe][..443] [QUIC.Threads][Facebook][SocialNetwork][Fun]
+ idle: [....58] [ip4][..tcp] [..192.168.1.245][50142] -> [...3.136.49.254][..443] [TLS.Bluesky][AmazonAWS][SocialNetwork][Fun]
+ DAEMON-EVENT: [Processed: 678 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 63|skipped: 0|!detected: 0|guessed: 4|detection-updates: 61|updates: 1]
+ new: [....64] [ip4][..tcp] [..192.168.1.183][44102] -> [..146.70.182.51][..443]
+ detected: [....64] [ip4][..tcp] [..192.168.1.183][44102] -> [..146.70.182.51][..443] [TLS.SurfShark][Unknown][VPN][Acceptable][it-mil-v086.prod.surfshark.com]
+ detection-update: [....64] [ip4][..tcp] [..192.168.1.183][44102] -> [..146.70.182.51][..443] [TLS.SurfShark][Unknown][VPN][Acceptable][it-mil-v086.prod.surfshark.com]
+ idle: [....64] [ip4][..tcp] [..192.168.1.183][44102] -> [..146.70.182.51][..443] [TLS.SurfShark][Unknown][VPN][Acceptable]
+ idle: [....63] [ip4][..tcp] [..192.168.1.245][58624] -> [.104.16.156.111][..443] [TLS.NordVPN][Cloudflare][VPN][Acceptable]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/srvloc.pcap.out b/test/results/flow-info/default/srvloc.pcap.out
index 9c658737d..bce7413ba 100644
--- a/test/results/flow-info/default/srvloc.pcap.out
+++ b/test/results/flow-info/default/srvloc.pcap.out
@@ -1995,12 +1995,12 @@
detected: [...445] [ip4][..udp] [.173.161.10.173][43924] -> [..90.111.212.50][..427] [Service_Location_Protocol][Unknown][RPC][Acceptable]
idle: [...444] [ip4][..udp] [.47.236.248.231][52985] -> [...90.141.37.56][..427] [Service_Location_Protocol][Alibaba][RPC][Acceptable]
new: [...446] [ip4][..udp] [185.213.154.138][52528] -> [.165.114.202.61][..427]
- detected: [...446] [ip4][..udp] [185.213.154.138][52528] -> [.165.114.202.61][..427] [Service_Location_Protocol][Mullvad][RPC][Acceptable]
+ detected: [...446] [ip4][..udp] [185.213.154.138][52528] -> [.165.114.202.61][..427] [Service_Location_Protocol][Unknown][RPC][Acceptable]
update: [...445] [ip4][..udp] [.173.161.10.173][43924] -> [..90.111.212.50][..427] [Service_Location_Protocol][Unknown][RPC][Acceptable]
new: [...447] [ip4][..udp] [..191.184.52.78][64609] -> [..90.111.212.50][..427]
detected: [...447] [ip4][..udp] [..191.184.52.78][64609] -> [..90.111.212.50][..427] [Service_Location_Protocol][Unknown][RPC][Acceptable]
idle: [...445] [ip4][..udp] [.173.161.10.173][43924] -> [..90.111.212.50][..427] [Service_Location_Protocol][Unknown][RPC][Acceptable]
- idle: [...446] [ip4][..udp] [185.213.154.138][52528] -> [.165.114.202.61][..427] [Service_Location_Protocol][Mullvad][RPC][Acceptable]
+ idle: [...446] [ip4][..udp] [185.213.154.138][52528] -> [.165.114.202.61][..427] [Service_Location_Protocol][Unknown][RPC][Acceptable]
DAEMON-EVENT: [Processed: 453 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 1 / 447|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 82]
new: [...448] [ip4][..udp] [..167.65.212.80][.3597] -> [..165.144.84.62][..427]
diff --git a/test/results/flow-info/default/ssh.pcap.out b/test/results/flow-info/default/ssh.pcap.out
index cfe50d010..6424501c5 100644
--- a/test/results/flow-info/default/ssh.pcap.out
+++ b/test/results/flow-info/default/ssh.pcap.out
@@ -22,6 +22,31 @@
[IATS(ms)....: 0.0,0.0,8.1,8.1,0.3,0.8,0.5,0.1,1.5,1.6,0.3,1.8,1.6,1.6,14.7,13.1,1.8,42.3,40.5,0.2,0.3,0.4,0.3,40.6,51.2,91.6,2632.3,2632.6,1868.8,1869.1,2907.1]
[PKTLENS.....: 64,60,52,73,52,73,52,956,52,836,52,76,204,52,196,772,52,68,52,100,52,100,52,116,52,132,52,196,52,132,52,196]
[ENTROPIES...: 4.5,5.0,4.9,5.4,4.9,5.4,4.9,5.1,4.9,5.2,4.9,4.4,6.5,5.0,6.7,7.5,4.9,4.5,4.8,6.0,4.9,6.0,4.9,6.3,4.9,6.4,4.9,6.8,4.9,6.3,4.9,6.8]
+ DAEMON-EVENT: [Processed: 258 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 4|updates: 0]
+ new: [.....2] [ip4][..tcp] [......127.0.0.1][58496] -> [......127.0.0.1][.8000]
+ detected: [.....2] [ip4][..tcp] [......127.0.0.1][58496] -> [......127.0.0.1][.8000] [SSH][Unknown][RemoteAccess][Acceptable]
+ RISK: Known Proto on Non Std Port
+ detection-update: [.....2] [ip4][..tcp] [......127.0.0.1][58496] -> [......127.0.0.1][.8000] [SSH][Unknown][RemoteAccess][Acceptable]
+ RISK: Known Proto on Non Std Port
+ detection-update: [.....2] [ip4][..tcp] [......127.0.0.1][58496] -> [......127.0.0.1][.8000] [SSH][Unknown][RemoteAccess][Acceptable]
+ RISK: Known Proto on Non Std Port, SSH Obsolete Ser Vers/Cipher
+ detection-update: [.....2] [ip4][..tcp] [......127.0.0.1][58496] -> [......127.0.0.1][.8000] [SSH][Unknown][RemoteAccess][Acceptable]
+ RISK: Known Proto on Non Std Port, SSH Obsolete Ser Vers/Cipher
+ detection-update: [.....2] [ip4][..tcp] [......127.0.0.1][58496] -> [......127.0.0.1][.8000] [SSH][Unknown][RemoteAccess][Acceptable]
+ RISK: Known Proto on Non Std Port, SSH Obsolete Ser Vers/Cipher
+ analyse: [.....2] [ip4][..tcp] [......127.0.0.1][58496] -> [......127.0.0.1][.8000] [SSH][Unknown][RemoteAccess][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 1.760| 0.137| 0.429| 184135.827| 2.000]
+ [PKTLEN......: 52.000| 1588.000| 222.500| 339.500| 115254.500| 4.000]
+ [BINS(c->s)..: 9,1,4,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]
+ [BINS(s->c)..: 7,0,4,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,1,0,0,1,0,1,0,0,1,0,1,0,1]
+ [IATS(ms)....: 0.0,0.0,0.4,0.4,18.2,18.3,0.8,7.3,7.5,42.1,159.7,241.1,40.4,0.0,1760.4,1760.4,5.2,5.2,16.5,16.5,0.1,0.4,41.8,41.5,0.0,0.1,6.9,16.5,17.5,8.0,16.5]
+ [PKTLENS.....: 60,60,52,94,52,79,52,1588,1084,132,52,700,52,68,52,68,52,120,52,136,52,136,136,52,152,52,440,408,712,120,120,136]
+ [ENTROPIES...: 4.3,4.7,4.6,5.4,4.5,5.1,4.6,4.9,5.1,5.9,4.6,7.5,4.6,4.8,4.5,4.2,4.5,6.0,4.5,6.2,4.5,6.3,6.2,4.5,6.3,4.5,7.4,7.4,7.7,6.0,5.9,6.1]
+ idle: [.....2] [ip4][..tcp] [......127.0.0.1][58496] -> [......127.0.0.1][.8000] [SSH][Unknown][RemoteAccess][Acceptable]
+ RISK: Known Proto on Non Std Port, SSH Obsolete Ser Vers/Cipher
end: [.....1] [ip4][..tcp] [...172.16.238.1][58395] -> [.172.16.238.168][...22] [SSH][Unknown][RemoteAccess][Acceptable]
RISK: SSH Obsolete Cli Vers/Cipher, SSH Obsolete Ser Vers/Cipher
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/ssh_unidirectional.pcap.out b/test/results/flow-info/default/ssh_unidirectional.pcap.out
new file mode 100644
index 000000000..19cb01e16
--- /dev/null
+++ b/test/results/flow-info/default/ssh_unidirectional.pcap.out
@@ -0,0 +1,8 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..tcp] [..192.168.2.198][50306] -> [....192.168.2.1][...22]
+ detected: [.....1] [ip4][..tcp] [..192.168.2.198][50306] -> [....192.168.2.1][...22] [SSH][Unknown][RemoteAccess][Acceptable]
+ detection-update: [.....1] [ip4][..tcp] [..192.168.2.198][50306] -> [....192.168.2.1][...22] [SSH][Unknown][RemoteAccess][Acceptable]
+ end: [.....1] [ip4][..tcp] [..192.168.2.198][50306] -> [....192.168.2.1][...22] [SSH][Unknown][RemoteAccess][Acceptable]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/starcraft_battle.pcap.out b/test/results/flow-info/default/starcraft_battle.pcap.out
index b710f8d60..f40e7fd5e 100644
--- a/test/results/flow-info/default/starcraft_battle.pcap.out
+++ b/test/results/flow-info/default/starcraft_battle.pcap.out
@@ -47,7 +47,7 @@
detected: [....15] [ip4][..tcp] [..192.168.1.100][.3508] -> [.87.248.221.254][...80] [HTTP][Unknown][Web][Acceptable][llnw.blizzard.com]
RISK: Susp DGA Domain name
detection-update: [....15] [ip4][..tcp] [..192.168.1.100][.3508] -> [.87.248.221.254][...80] [HTTP][Unknown][Download][Acceptable][llnw.blizzard.com]
- RISK: Susp DGA Domain name, Binary file/data transfer (attempt)
+ RISK: Susp DGA Domain name, Binary File/Data Transfer (Attempt)
analyse: [....15] [ip4][..tcp] [..192.168.1.100][.3508] -> [.87.248.221.254][...80] [HTTP][Unknown][Download][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.072| 0.012| 0.024| 562.008| 2.800]
@@ -205,6 +205,7 @@
end: [....42] [ip4][..tcp] [..192.168.1.100][.3525] -> [..80.239.186.40][...80] [HTTP][Unknown][Web][Acceptable]
end: [....43] [ip4][..tcp] [..192.168.1.100][.3526] -> [..80.239.186.40][...80] [HTTP][Unknown][Web][Acceptable]
guessed: [.....6] [ip4][..udp] [..173.194.40.22][..443] -> [..192.168.1.100][53568] [QUIC][Google][Web][Acceptable]
+ RISK: Susp Entropy
idle: [.....6] [ip4][..udp] [..173.194.40.22][..443] -> [..192.168.1.100][53568]
guessed: [....34] [ip4][..udp] [..192.168.1.100][53146] -> [...5.42.180.154][.1119] [Starcraft][Unknown][Game][Fun]
idle: [....34] [ip4][..udp] [..192.168.1.100][53146] -> [...5.42.180.154][.1119]
@@ -212,7 +213,7 @@
end: [....25] [ip4][..tcp] [..192.168.1.100][.3486] -> [.199.38.164.156][..443]
idle: [....12] [ip4][..udp] [..192.168.1.254][38605] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable]
end: [....15] [ip4][..tcp] [..192.168.1.100][.3508] -> [.87.248.221.254][...80] [HTTP][Unknown][Download][Acceptable]
- RISK: Susp DGA Domain name, Binary file/data transfer (attempt)
+ RISK: Susp DGA Domain name, Binary File/Data Transfer (Attempt)
guessed: [.....3] [ip4][..tcp] [..80.239.186.26][..443] -> [..192.168.1.100][.3476] [TLS][Unknown][Web][Safe]
RISK: Unidirectional Traffic, TCP Connection Issues
end: [.....3] [ip4][..tcp] [..80.239.186.26][..443] -> [..192.168.1.100][.3476]
diff --git a/test/results/flow-info/default/stun.pcap.out b/test/results/flow-info/default/stun.pcap.out
index 273c8fc9c..28ad21f66 100644
--- a/test/results/flow-info/default/stun.pcap.out
+++ b/test/results/flow-info/default/stun.pcap.out
@@ -13,6 +13,7 @@
detection-update: [.....2] [ip4][..udp] [.192.168.12.169][43016] -> [.74.125.247.128][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable][turn.l.google.com]
new: [.....3] [ip4][.icmp] [.192.168.12.169] -> [.74.125.247.128]
detected: [.....3] [ip4][.icmp] [.192.168.12.169] -> [.74.125.247.128] [ICMP][Google][Network][Acceptable]
+ RISK: Susp Entropy
end: [.....1] [ip4][..tcp] [...10.77.110.51][41588] -> [..10.206.50.239][42000] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable]
DAEMON-EVENT: [Processed: 24 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 2 / 3|skipped: 0|!detected: 0|guessed: 0|detection-updates: 3|updates: 0]
@@ -20,6 +21,7 @@
detected: [.....4] [ip6][..udp] [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603][56880] -> [....2a38:e156:8167:a333:face:b00c::24d9][.3478] [STUN][Unknown][Network][Acceptable][]
idle: [.....2] [ip4][..udp] [.192.168.12.169][43016] -> [.74.125.247.128][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable]
idle: [.....3] [ip4][.icmp] [.192.168.12.169] -> [.74.125.247.128] [ICMP][Google][Network][Acceptable]
+ RISK: Susp Entropy
update: [.....4] [ip6][..udp] [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603][56880] -> [....2a38:e156:8167:a333:face:b00c::24d9][.3478] [STUN][Unknown][Network][Acceptable]
update: [.....4] [ip6][..udp] [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603][56880] -> [....2a38:e156:8167:a333:face:b00c::24d9][.3478] [STUN][Unknown][Network][Acceptable]
analyse: [.....4] [ip6][..udp] [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603][56880] -> [....2a38:e156:8167:a333:face:b00c::24d9][.3478] [STUN][Unknown][Network][Acceptable]
@@ -62,7 +64,9 @@
DAEMON-EVENT: [Flows][active: 1 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 5|updates: 3]
new: [.....7] [ip4][..udp] [.192.168.12.169][49153] -> [..142.250.82.99][.3478]
detected: [.....7] [ip4][..udp] [.192.168.12.169][49153] -> [..142.250.82.99][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable][]
- analyse: [.....7] [ip4][..udp] [.192.168.12.169][49153] -> [..142.250.82.99][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable]
+ detection-update: [.....7] [ip4][..udp] [.192.168.12.169][49153] -> [..142.250.82.99][.3478] [DTLS.GoogleCall][Google][VoIP][Acceptable]
+ detection-update: [.....7] [ip4][..udp] [.192.168.12.169][49153] -> [..142.250.82.99][.3478] [DTLS.GoogleCall][Google][VoIP][Acceptable]
+ analyse: [.....7] [ip4][..udp] [.192.168.12.169][49153] -> [..142.250.82.99][.3478] [DTLS.GoogleCall][Google][VoIP][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.836| 0.131| 0.227| 51553.292| 3.400]
[PKTLEN......: 62.000| 1226.000| 179.200| 221.300| 48965.100| 4.400]
@@ -74,7 +78,7 @@
[ENTROPIES...: 5.9,5.9,5.0,5.9,7.3,6.7,5.8,5.7,7.4,5.7,6.0,6.2,6.4,5.9,6.1,5.4,5.4,5.6,5.9,5.3,5.2,5.9,5.8,5.2,6.1,5.9,6.0,6.1,6.0,5.9,6.1,5.9]
idle: [.....6] [ip4][..tcp] [...87.47.100.17][.3478] -> [....54.1.57.155][37257] [STUN][Unknown][Network][Acceptable]
DAEMON-EVENT: [Processed: 194 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 1 / 7|skipped: 0|!detected: 0|guessed: 0|detection-updates: 5|updates: 3]
+ DAEMON-EVENT: [Flows][active: 1 / 7|skipped: 0|!detected: 0|guessed: 0|detection-updates: 7|updates: 3]
new: [.....8] [ip4][..udp] [.192.168.43.169][48854] -> [.134.224.90.111][.8801]
detected: [.....8] [ip4][..udp] [.192.168.43.169][48854] -> [.134.224.90.111][.8801] [STUN][Zoom][Network][Acceptable][]
RISK: Known Proto on Non Std Port
@@ -82,9 +86,9 @@
RISK: Unidirectional Traffic
detection-update: [.....8] [ip4][..udp] [.192.168.43.169][48854] -> [.134.224.90.111][.8801] [STUN][Zoom][Network][Acceptable][]
detection-update: [.....8] [ip4][..udp] [.192.168.43.169][48854] -> [.134.224.90.111][.8801] [DTLS][Zoom][Network][Safe]
- idle: [.....7] [ip4][..udp] [.192.168.12.169][49153] -> [..142.250.82.99][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable]
+ idle: [.....7] [ip4][..udp] [.192.168.12.169][49153] -> [..142.250.82.99][.3478] [DTLS.GoogleCall][Google][VoIP][Acceptable]
DAEMON-EVENT: [Processed: 198 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 1 / 8|skipped: 0|!detected: 0|guessed: 0|detection-updates: 8|updates: 3]
+ DAEMON-EVENT: [Flows][active: 1 / 8|skipped: 0|!detected: 0|guessed: 0|detection-updates: 10|updates: 3]
new: [.....9] [ip6][..udp] [..............2600:1900:4160:5999::19::][.3478] -> [..2001:b07:a3d:c112:48a1:1094:1227:281e][48094]
detected: [.....9] [ip6][..udp] [..............2600:1900:4160:5999::19::][.3478] -> [..2001:b07:a3d:c112:48a1:1094:1227:281e][48094] [STUN][GoogleCloud][Network][Acceptable][]
detection-update: [.....9] [ip6][..udp] [..............2600:1900:4160:5999::19::][.3478] -> [..2001:b07:a3d:c112:48a1:1094:1227:281e][48094] [STUN][GoogleCloud][Network][Acceptable][]
diff --git a/test/results/flow-info/default/stun_dtls_rtp.pcapng.out b/test/results/flow-info/default/stun_dtls_rtp.pcapng.out
index 9a4573458..69d1acfc7 100644
--- a/test/results/flow-info/default/stun_dtls_rtp.pcapng.out
+++ b/test/results/flow-info/default/stun_dtls_rtp.pcapng.out
@@ -4,7 +4,9 @@
new: [.....1] [ip4][..udp] [.192.168.12.156][37967] -> [..142.250.82.76][19305]
detected: [.....1] [ip4][..udp] [.192.168.12.156][37967] -> [..142.250.82.76][19305] [STUN.GoogleCall][Google][VoIP][Acceptable][]
RISK: Known Proto on Non Std Port
- analyse: [.....1] [ip4][..udp] [.192.168.12.156][37967] -> [..142.250.82.76][19305] [STUN.GoogleCall][Google][VoIP][Acceptable]
+ detection-update: [.....1] [ip4][..udp] [.192.168.12.156][37967] -> [..142.250.82.76][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable]
+ detection-update: [.....1] [ip4][..udp] [.192.168.12.156][37967] -> [..142.250.82.76][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable]
+ analyse: [.....1] [ip4][..udp] [.192.168.12.156][37967] -> [..142.250.82.76][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.258| 0.044| 0.058| 3387.402| 4.000]
[PKTLEN......: 68.000| 1231.000| 221.200| 244.400| 59721.800| 4.400]
@@ -14,6 +16,21 @@
[IATS(ms)....: 23.5,57.2,58.6,110.3,0.4,107.9,0.1,0.0,31.9,33.2,42.6,42.8,84.1,83.2,24.8,0.6,0.4,2.5,24.8,0.1,0.1,34.2,28.1,7.9,22.9,203.2,6.7,19.6,19.9,258.1,19.4]
[PKTLENS.....: 144,128,185,1231,148,573,128,109,598,573,598,109,149,117,141,93,125,121,97,93,97,113,93,68,93,93,127,112,112,128,469,112]
[ENTROPIES...: 6.0,5.8,5.0,7.4,5.9,6.8,5.9,5.7,7.4,6.7,7.4,5.7,6.3,5.9,6.3,5.5,6.0,5.9,5.7,5.4,5.4,5.8,5.5,5.5,5.5,5.5,6.1,6.2,6.3,6.0,7.5,6.2]
- idle: [.....1] [ip4][..udp] [.192.168.12.156][37967] -> [..142.250.82.76][19305] [STUN.GoogleCall][Google][VoIP][Acceptable]
- RISK: Known Proto on Non Std Port
+ DAEMON-EVENT: [Processed: 39 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 2|updates: 0]
+ new: [.....2] [ip4][..tcp] [.192.168.12.182][50221] -> [.142.250.82.249][.3478]
+ detected: [.....2] [ip4][..tcp] [.192.168.12.182][50221] -> [.142.250.82.249][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable][]
+ detection-update: [.....2] [ip4][..tcp] [.192.168.12.182][50221] -> [.142.250.82.249][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable][turn.l.google.com]
+ analyse: [.....2] [ip4][..tcp] [.192.168.12.182][50221] -> [.142.250.82.249][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: 0.000| 0.509| 0.047| 0.118| 13863.927| 2.800]
+ [PKTLEN......: 40.000| 696.000| 142.100| 150.700| 22704.000| 4.400]
+ [BINS(c->s)..: 8,0,0,2,5,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 6,1,2,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,0,0,1,1,0,1,0,1,0,0,0,1,1,0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1]
+ [IATS(ms)....: 3.0,4.7,0.3,0.2,5.0,0.0,4.1,4.1,3.9,466.7,509.5,1.2,0.2,46.6,1.1,55.4,53.6,7.4,0.0,8.6,49.7,55.5,0.2,49.0,10.1,51.4,4.5,8.0,5.7,16.6,19.1]
+ [PKTLENS.....: 52,52,40,40,68,40,120,192,116,40,180,196,148,172,84,40,40,140,204,236,40,172,40,696,40,172,140,648,40,160,40,160]
+ [ENTROPIES...: 4.8,5.0,4.8,4.8,5.3,4.8,5.8,6.2,5.8,4.8,6.0,6.2,6.0,6.1,5.9,5.0,4.9,6.1,6.2,5.4,5.0,6.1,5.0,6.6,4.9,6.1,6.0,7.4,4.8,6.0,5.0,5.9]
+ idle: [.....1] [ip4][..udp] [.192.168.12.156][37967] -> [..142.250.82.76][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable]
+ idle: [.....2] [ip4][..tcp] [.192.168.12.182][50221] -> [.142.250.82.249][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/stun_google_meet.pcapng.out b/test/results/flow-info/default/stun_google_meet.pcapng.out
index 536f4fc6c..8fa17cd3a 100644
--- a/test/results/flow-info/default/stun_google_meet.pcapng.out
+++ b/test/results/flow-info/default/stun_google_meet.pcapng.out
@@ -13,7 +13,9 @@
new: [.....4] [ip4][..udp] [.192.168.12.156][45400] -> [..142.250.82.76][19305]
detected: [.....4] [ip4][..udp] [.192.168.12.156][45400] -> [..142.250.82.76][19305] [STUN.GoogleCall][Google][VoIP][Acceptable][]
RISK: Known Proto on Non Std Port
- analyse: [.....3] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][19305] [STUN.GoogleCall][Google][VoIP][Acceptable]
+ detection-update: [.....3] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable]
+ detection-update: [.....3] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable]
+ analyse: [.....3] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.164| 0.015| 0.039| 1549.851| 2.400]
[PKTLEN......: 65.000| 1231.000| 290.000| 203.200| 41279.000| 4.700]
@@ -25,9 +27,10 @@
[ENTROPIES...: 5.9,5.7,5.9,5.0,5.7,7.3,6.8,7.4,4.6,7.1,7.1,7.2,7.1,7.0,7.0,7.1,7.1,7.0,7.1,7.1,7.1,7.1,5.7,5.7,7.0,7.1,7.0,6.4,7.2,7.1,7.1,7.1]
new: [.....5] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][.3478]
detected: [.....5] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable][]
+ detection-update: [.....5] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][.3478] [DTLS.GoogleCall][Google][VoIP][Acceptable]
new: [.....6] [ip4][..udp] [.192.168.12.156][45400] -> [..142.250.82.76][.3478]
detected: [.....6] [ip4][..udp] [.192.168.12.156][45400] -> [..142.250.82.76][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable][]
- analyse: [.....5] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable]
+ analyse: [.....5] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][.3478] [DTLS.GoogleCall][Google][VoIP][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 1.000| 0.179| 0.232| 53990.769| 4.000]
[PKTLEN......: 68.000| 565.000| 110.700| 85.700| 7337.900| 4.800]
@@ -56,17 +59,18 @@
update: [.....6] [ip4][..udp] [.192.168.12.156][45400] -> [..142.250.82.76][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable]
update: [.....2] [ip4][..udp] [.192.168.12.156][45400] -> [.74.125.128.127][19302] [STUN.GoogleCall][Google][VoIP][Acceptable]
RISK: Known Proto on Non Std Port
- update: [.....3] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][19305] [STUN.GoogleCall][Google][VoIP][Acceptable]
- RISK: Known Proto on Non Std Port
- update: [.....5] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable]
+ update: [.....3] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable]
+ update: [.....5] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][.3478] [DTLS.GoogleCall][Google][VoIP][Acceptable]
update: [.....1] [ip4][..udp] [.192.168.12.156][38152] -> [.74.125.128.127][19302] [STUN.GoogleCall][Google][VoIP][Acceptable]
RISK: Known Proto on Non Std Port
DAEMON-EVENT: [Processed: 214 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 6 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 2|updates: 6]
+ DAEMON-EVENT: [Flows][active: 6 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 5|updates: 6]
new: [.....7] [ip6][..udp] [..2001:b07:a3d:c112:48a1:1094:1227:281e][45572] -> [...................2001:4860:4864:6::81][19305]
detected: [.....7] [ip6][..udp] [..2001:b07:a3d:c112:48a1:1094:1227:281e][45572] -> [...................2001:4860:4864:6::81][19305] [STUN.GoogleCall][Google][VoIP][Acceptable][]
RISK: Known Proto on Non Std Port
- analyse: [.....7] [ip6][..udp] [..2001:b07:a3d:c112:48a1:1094:1227:281e][45572] -> [...................2001:4860:4864:6::81][19305] [STUN.GoogleCall][Google][VoIP][Acceptable]
+ detection-update: [.....7] [ip6][..udp] [..2001:b07:a3d:c112:48a1:1094:1227:281e][45572] -> [...................2001:4860:4864:6::81][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable]
+ detection-update: [.....7] [ip6][..udp] [..2001:b07:a3d:c112:48a1:1094:1227:281e][45572] -> [...................2001:4860:4864:6::81][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable]
+ analyse: [.....7] [ip6][..udp] [..2001:b07:a3d:c112:48a1:1094:1227:281e][45572] -> [...................2001:4860:4864:6::81][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: 0.000| 0.082| 0.009| 0.020| 398.613| 2.800]
[PKTLEN......: 85.000| 1251.000| 300.000| 206.900| 42788.400| 4.700]
@@ -78,14 +82,12 @@
[ENTROPIES...: 6.0,5.7,5.8,5.0,5.9,7.3,6.7,5.9,7.4,4.7,7.0,7.1,7.1,7.1,7.0,7.0,7.1,7.1,7.0,7.1,7.0,7.1,5.7,5.7,5.7,7.1,7.1,7.0,7.0,6.1,7.0,7.0]
idle: [.....4] [ip4][..udp] [.192.168.12.156][45400] -> [..142.250.82.76][19305] [STUN.GoogleCall][Google][VoIP][Acceptable]
RISK: Known Proto on Non Std Port
- idle: [.....7] [ip6][..udp] [..2001:b07:a3d:c112:48a1:1094:1227:281e][45572] -> [...................2001:4860:4864:6::81][19305] [STUN.GoogleCall][Google][VoIP][Acceptable]
- RISK: Known Proto on Non Std Port
+ idle: [.....7] [ip6][..udp] [..2001:b07:a3d:c112:48a1:1094:1227:281e][45572] -> [...................2001:4860:4864:6::81][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable]
idle: [.....6] [ip4][..udp] [.192.168.12.156][45400] -> [..142.250.82.76][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable]
idle: [.....2] [ip4][..udp] [.192.168.12.156][45400] -> [.74.125.128.127][19302] [STUN.GoogleCall][Google][VoIP][Acceptable]
RISK: Known Proto on Non Std Port
- idle: [.....3] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][19305] [STUN.GoogleCall][Google][VoIP][Acceptable]
- RISK: Known Proto on Non Std Port
- idle: [.....5] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable]
+ idle: [.....3] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable]
+ idle: [.....5] [ip4][..udp] [.192.168.12.156][38152] -> [..142.250.82.76][.3478] [DTLS.GoogleCall][Google][VoIP][Acceptable]
idle: [.....1] [ip4][..udp] [.192.168.12.156][38152] -> [.74.125.128.127][19302] [STUN.GoogleCall][Google][VoIP][Acceptable]
RISK: Known Proto on Non Std Port
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/stun_msteams_unidir.pcapng.out b/test/results/flow-info/default/stun_msteams_unidir.pcapng.out
index ee06868f3..3f25d4813 100644
--- a/test/results/flow-info/default/stun_msteams_unidir.pcapng.out
+++ b/test/results/flow-info/default/stun_msteams_unidir.pcapng.out
@@ -4,6 +4,8 @@
new: [.....1] [ip4][..udp] [..52.115.136.55][.3479] -> [.......10.0.0.1][50006]
detected: [.....1] [ip4][..udp] [..52.115.136.55][.3479] -> [.......10.0.0.1][50006] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
RISK: Known Proto on Non Std Port
+ detection-update: [.....1] [ip4][..udp] [..52.115.136.55][.3479] -> [.......10.0.0.1][50006] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port, Unidirectional Traffic
idle: [.....1] [ip4][..udp] [..52.115.136.55][.3479] -> [.......10.0.0.1][50006] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable]
- RISK: Known Proto on Non Std Port
+ RISK: Known Proto on Non Std Port, Unidirectional Traffic
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/stun_signal.pcapng.out b/test/results/flow-info/default/stun_signal.pcapng.out
index 94036af3b..736c78b1d 100644
--- a/test/results/flow-info/default/stun_signal.pcapng.out
+++ b/test/results/flow-info/default/stun_signal.pcapng.out
@@ -19,12 +19,14 @@
RISK: Known Proto on Non Std Port
new: [.....7] [ip4][.icmp] [.35.158.183.167] -> [.192.168.12.169]
detected: [.....7] [ip4][.icmp] [.35.158.183.167] -> [.192.168.12.169] [ICMP][AmazonAWS][Network][Acceptable]
+ RISK: Susp Entropy
detection-update: [.....3] [ip4][..udp] [.192.168.12.169][47204] -> [.35.158.183.167][..443] [STUN][AmazonAWS][Network][Acceptable][]
RISK: Known Proto on Non Std Port, Unidirectional Traffic
detection-update: [.....6] [ip4][..udp] [.192.168.12.169][39518] -> [.35.158.183.167][..443] [STUN][AmazonAWS][Network][Acceptable][]
RISK: Known Proto on Non Std Port, Unidirectional Traffic
detection-update: [.....5] [ip4][..udp] [.192.168.12.169][39518] -> [.35.158.183.167][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][signal.org]
detection-update: [.....4] [ip4][..udp] [.192.168.12.169][47204] -> [.35.158.183.167][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][]
+ detection-update: [.....4] [ip4][..udp] [.192.168.12.169][47204] -> [.35.158.183.167][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][signal.org]
detection-update: [.....1] [ip4][..udp] [.192.168.12.169][39518] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable][]
RISK: Known Proto on Non Std Port, Unidirectional Traffic
detection-update: [.....2] [ip4][..udp] [.192.168.12.169][47204] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable][]
@@ -57,6 +59,8 @@
RISK: Known Proto on Non Std Port, Unidirectional Traffic
detection-update: [....12] [ip4][..udp] [.192.168.12.169][39950] -> [.35.158.183.167][..443] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][]
RISK: Known Proto on Non Std Port, Unidirectional Traffic
+ detection-update: [....13] [ip4][..udp] [.192.168.12.169][39950] -> [.35.158.183.167][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][signal.org]
+ detection-update: [.....8] [ip4][..udp] [.192.168.12.169][43068] -> [.35.158.183.167][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][signal.org]
detection-update: [....10] [ip4][..udp] [.192.168.12.169][43068] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable][]
RISK: Known Proto on Non Std Port, Unidirectional Traffic
detection-update: [....11] [ip4][..udp] [.192.168.12.169][39950] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable][]
@@ -79,6 +83,7 @@
[PKTLENS.....: 124,92,124,92,132,132,92,124,92,92,124,92,84,56,84,56,124,92,84,84,124,92,56,84,56,56,56,124,92,84,56,84]
[ENTROPIES...: 5.8,5.8,5.9,5.8,5.7,5.6,5.9,5.9,5.8,5.8,5.9,5.8,5.7,5.1,5.8,5.3,5.9,5.8,5.8,5.7,5.9,5.8,5.1,5.8,5.2,5.2,5.1,5.8,5.8,5.6,5.1,5.8]
update: [.....7] [ip4][.icmp] [.35.158.183.167] -> [.192.168.12.169] [ICMP][AmazonAWS][Network][Acceptable]
+ RISK: Susp Entropy
analyse: [.....7] [ip4][.icmp] [.35.158.183.167] -> [.192.168.12.169] [ICMP][AmazonAWS][Network][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 17.079| 1.597| 3.547| 12584568.750| 2.800]
@@ -123,10 +128,12 @@
RISK: Unidirectional Traffic
new: [....21] [ip4][.icmp] [.35.158.122.211] -> [.192.168.12.169]
detected: [....21] [ip4][.icmp] [.35.158.122.211] -> [.192.168.12.169] [ICMP][AmazonAWS][Network][Acceptable]
+ RISK: Susp Entropy
detection-update: [....19] [ip4][..udp] [.192.168.12.169][47767] -> [.35.158.122.211][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][signal.org]
detection-update: [....20] [ip4][..udp] [.192.168.12.169][37970] -> [.35.158.122.211][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][]
detection-update: [....18] [ip4][..udp] [.192.168.12.169][37970] -> [.35.158.122.211][..443] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][]
RISK: Known Proto on Non Std Port, Unidirectional Traffic
+ detection-update: [....20] [ip4][..udp] [.192.168.12.169][37970] -> [.35.158.122.211][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable][signal.org]
detection-update: [....15] [ip4][..udp] [.192.168.12.169][47767] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable][]
RISK: Known Proto on Non Std Port, Unidirectional Traffic
detection-update: [....16] [ip4][..udp] [.192.168.12.169][37970] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable][]
@@ -164,6 +171,7 @@
update: [....11] [ip4][..udp] [.192.168.12.169][39950] -> [172.253.121.127][19302] [STUN.SignalVoip][Google][VoIP][Acceptable]
RISK: Known Proto on Non Std Port
update: [.....7] [ip4][.icmp] [.35.158.183.167] -> [.192.168.12.169] [ICMP][AmazonAWS][Network][Acceptable]
+ RISK: Susp Entropy
idle: [....13] [ip4][..udp] [.192.168.12.169][39950] -> [.35.158.183.167][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable]
idle: [....20] [ip4][..udp] [.192.168.12.169][37970] -> [.35.158.122.211][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable]
idle: [.....9] [ip4][..udp] [.192.168.12.169][43068] -> [.35.158.183.167][..443] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable]
@@ -199,7 +207,9 @@
idle: [....23] [ip4][..udp] [.192.168.12.169][47767] -> [.18.195.131.143][61498] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable]
RISK: Known Proto on Non Std Port
idle: [....21] [ip4][.icmp] [.35.158.122.211] -> [.192.168.12.169] [ICMP][AmazonAWS][Network][Acceptable]
+ RISK: Susp Entropy
idle: [.....7] [ip4][.icmp] [.35.158.183.167] -> [.192.168.12.169] [ICMP][AmazonAWS][Network][Acceptable]
+ RISK: Susp Entropy
idle: [.....5] [ip4][..udp] [.192.168.12.169][39518] -> [.35.158.183.167][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable]
idle: [....19] [ip4][..udp] [.192.168.12.169][47767] -> [.35.158.122.211][.3478] [STUN.SignalVoip][AmazonAWS][VoIP][Acceptable]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/stun_wa_call.pcapng.out b/test/results/flow-info/default/stun_wa_call.pcapng.out
index c76506e55..31e08d37c 100644
--- a/test/results/flow-info/default/stun_wa_call.pcapng.out
+++ b/test/results/flow-info/default/stun_wa_call.pcapng.out
@@ -83,12 +83,14 @@
RISK: Known Proto on Non Std Port, Unidirectional Traffic
new: [....13] [ip4][.icmp] [..93.63.100.129] -> [.192.168.12.156]
detected: [....13] [ip4][.icmp] [..93.63.100.129] -> [.192.168.12.156] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
update: [.....2] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.203.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
update: [.....4] [ip4][..udp] [.192.168.12.156][46652] -> [..157.240.21.51][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
update: [.....5] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.195.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
update: [.....3] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.231.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
update: [.....1] [ip4][..udp] [.192.168.12.156][46652] -> [..93.57.123.227][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable]
idle: [....13] [ip4][.icmp] [..93.63.100.129] -> [.192.168.12.156] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
idle: [.....7] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.231.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
idle: [.....8] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.196.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
idle: [.....6] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.203.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
diff --git a/test/results/flow-info/default/stun_zoom.pcapng.out b/test/results/flow-info/default/stun_zoom.pcapng.out
index 1c370f3c4..05276f928 100644
--- a/test/results/flow-info/default/stun_zoom.pcapng.out
+++ b/test/results/flow-info/default/stun_zoom.pcapng.out
@@ -18,7 +18,8 @@
detection-update: [.....1] [ip4][..udp] [.192.168.43.169][48854] -> [.134.224.90.111][.8801] [DTLS.Zoom][Zoom][Video][Acceptable]
detection-update: [.....2] [ip4][..udp] [.192.168.43.169][53065] -> [.134.224.90.111][.8801] [STUN][Zoom][Network][Acceptable][]
RISK: Known Proto on Non Std Port
- analyse: [.....2] [ip4][..udp] [.192.168.43.169][53065] -> [.134.224.90.111][.8801] [STUN][Zoom][Network][Acceptable]
+ detection-update: [.....2] [ip4][..udp] [.192.168.43.169][53065] -> [.134.224.90.111][.8801] [DTLS][Zoom][Network][Safe]
+ analyse: [.....2] [ip4][..udp] [.192.168.43.169][53065] -> [.134.224.90.111][.8801] [DTLS][Zoom][Network][Safe]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.194| 0.048| 0.051| 2615.352| 4.100]
[PKTLEN......: 42.000| 1080.000| 270.100| 313.100| 98043.500| 4.300]
@@ -29,6 +30,5 @@
[PKTLENS.....: 184,184,184,184,92,184,217,217,184,184,217,92,92,92,184,192,78,92,1080,1080,1080,1080,399,186,92,92,186,92,186,95,101,42]
[ENTROPIES...: 5.8,5.8,5.8,5.8,5.6,5.8,5.2,5.2,5.9,5.8,5.2,5.7,5.6,5.7,5.9,5.3,4.1,5.7,7.0,7.3,7.3,7.4,7.2,6.1,5.7,5.7,6.1,5.7,6.1,5.4,6.0,4.3]
idle: [.....1] [ip4][..udp] [.192.168.43.169][48854] -> [.134.224.90.111][.8801] [DTLS.Zoom][Zoom][Video][Acceptable]
- idle: [.....2] [ip4][..udp] [.192.168.43.169][53065] -> [.134.224.90.111][.8801] [STUN][Zoom][Network][Acceptable]
- RISK: Known Proto on Non Std Port
+ idle: [.....2] [ip4][..udp] [.192.168.43.169][53065] -> [.134.224.90.111][.8801] [DTLS][Zoom][Network][Safe]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/synscan.pcap.out b/test/results/flow-info/default/synscan.pcap.out
index 5ba044991..e5c57aac1 100644
--- a/test/results/flow-info/default/synscan.pcap.out
+++ b/test/results/flow-info/default/synscan.pcap.out
@@ -5646,10 +5646,10 @@
guessed: [..1814] [ip4][..tcp] [.....172.16.0.8][36051] -> [...64.13.134.52][.6789] [Ceph][Unknown][DataTransfer][Acceptable]
RISK: Unidirectional Traffic
idle: [..1814] [ip4][..tcp] [.....172.16.0.8][36051] -> [...64.13.134.52][.6789]
- not-detected: [...497] [ip4][..tcp] [.....172.16.0.8][36050] -> [...64.13.134.52][..646] [Unknown][Unknown][Unrated]
+ guessed: [...497] [ip4][..tcp] [.....172.16.0.8][36050] -> [...64.13.134.52][..646] [LDP][Unknown][Network][Acceptable]
RISK: Unidirectional Traffic
idle: [...497] [ip4][..tcp] [.....172.16.0.8][36050] -> [...64.13.134.52][..646]
- not-detected: [...534] [ip4][..tcp] [.....172.16.0.8][36051] -> [...64.13.134.52][..646] [Unknown][Unknown][Unrated]
+ guessed: [...534] [ip4][..tcp] [.....172.16.0.8][36051] -> [...64.13.134.52][..646] [LDP][Unknown][Network][Acceptable]
RISK: Unidirectional Traffic
idle: [...534] [ip4][..tcp] [.....172.16.0.8][36051] -> [...64.13.134.52][..646]
not-detected: [..1499] [ip4][..tcp] [.....172.16.0.8][36050] -> [...64.13.134.52][.6792] [Unknown][Unknown][Unrated]
@@ -7200,13 +7200,13 @@
not-detected: [..1303] [ip4][..tcp] [.....172.16.0.8][36051] -> [...64.13.134.52][.1098] [Unknown][Unknown][Unrated]
RISK: Unidirectional Traffic
idle: [..1303] [ip4][..tcp] [.....172.16.0.8][36051] -> [...64.13.134.52][.1098]
- not-detected: [..1045] [ip4][..tcp] [.....172.16.0.8][36050] -> [...64.13.134.52][.1099] [Unknown][Unknown][Unrated]
+ guessed: [..1045] [ip4][..tcp] [.....172.16.0.8][36050] -> [...64.13.134.52][.1099] [JRMI][Unknown][RPC][Acceptable]
RISK: Unidirectional Traffic
idle: [..1045] [ip4][..tcp] [.....172.16.0.8][36050] -> [...64.13.134.52][.1099]
not-detected: [..1166] [ip4][..tcp] [.....172.16.0.8][36050] -> [...64.13.134.52][.1100] [Unknown][Unknown][Unrated]
RISK: Unidirectional Traffic
idle: [..1166] [ip4][..tcp] [.....172.16.0.8][36050] -> [...64.13.134.52][.1100]
- not-detected: [..1110] [ip4][..tcp] [.....172.16.0.8][36051] -> [...64.13.134.52][.1099] [Unknown][Unknown][Unrated]
+ guessed: [..1110] [ip4][..tcp] [.....172.16.0.8][36051] -> [...64.13.134.52][.1099] [JRMI][Unknown][RPC][Acceptable]
RISK: Unidirectional Traffic
idle: [..1110] [ip4][..tcp] [.....172.16.0.8][36051] -> [...64.13.134.52][.1099]
not-detected: [..1241] [ip4][..tcp] [.....172.16.0.8][36051] -> [...64.13.134.52][.1100] [Unknown][Unknown][Unrated]
diff --git a/test/results/flow-info/default/teams.pcap.out b/test/results/flow-info/default/teams.pcap.out
index 9c24be31a..e04e45d16 100644
--- a/test/results/flow-info/default/teams.pcap.out
+++ b/test/results/flow-info/default/teams.pcap.out
@@ -369,7 +369,7 @@
detected: [....66] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.123][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
new: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443]
new: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478]
- detected: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][?n???z`?s????}??d??]]
+ detected: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
detection-update: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com]
RISK: TLS (probably) Not Carrying HTTPS
new: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478]
@@ -377,13 +377,13 @@
detected: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com]
RISK: TLS (probably) Not Carrying HTTPS
new: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478]
- detected: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][<??a????h (?/??????]
+ detected: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
new: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478]
detected: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
detection-update: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com]
RISK: TLS (probably) Not Carrying HTTPS
- detection-update: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][>??i)?<????????????r]
- detection-update: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][s?>?ed???[??+ez4???m]
+ detection-update: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
+ detection-update: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
new: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443]
new: [....73] [ip4][..tcp] [....192.168.1.6][50036] -> [.52.114.250.153][..443]
detected: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][52.114.250.152]
@@ -414,12 +414,12 @@
new: [....79] [ip4][..udp] [..93.71.110.205][16333] -> [....192.168.1.6][50036]
detected: [....79] [ip4][..udp] [..93.71.110.205][16333] -> [....192.168.1.6][50036] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable][]
RISK: Known Proto on Non Std Port
- detection-update: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][?n???z`?s????}??d??]]
+ detection-update: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
RISK: Unidirectional Traffic
- detection-update: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][<??a????h (?/??????]
+ detection-update: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
RISK: Unidirectional Traffic
- detection-update: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][?n???z`?s????}??d??]]
- detection-update: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][<??a????h (?/??????]
+ detection-update: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
+ detection-update: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
new: [....80] [ip4][..udp] [..52.114.252.21][.3480] -> [....192.168.1.6][50036]
detected: [....80] [ip4][..udp] [..52.114.252.21][.3480] -> [....192.168.1.6][50036] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
RISK: Known Proto on Non Std Port
@@ -527,7 +527,7 @@
idle: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe]
RISK: Known Proto on Non Std Port
idle: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe]
- guessed: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478] [Skype_Teams][Azure][VoIP][Acceptable]
+ guessed: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478] [Skype_TeamsCall][Azure][VoIP][Acceptable]
RISK: Susp Entropy
idle: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478]
idle: [....27] [ip4][..udp] [....192.168.1.6][57530] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe]
diff --git a/test/results/flow-info/default/telegram.pcap.out b/test/results/flow-info/default/telegram.pcap.out
index 206b3f384..2873a6cf2 100644
--- a/test/results/flow-info/default/telegram.pcap.out
+++ b/test/results/flow-info/default/telegram.pcap.out
@@ -101,6 +101,8 @@
[IATS(ms)....: 176.6,505.7,492.8,1175.3,327.6,331.9,1681.3,64.2,63.5,64.3,42.3,63.9,1998.8,63.8,58.3,64.1,69.6,64.4,57.8,43.1,58.1,62.2,58.1,63.8,58.2,64.2,58.2,62.0,69.6,66.6,57.7]
[PKTLENS.....: 108,108,108,76,92,76,92,220,252,268,252,252,236,204,220,220,220,204,188,220,204,204,204,220,204,204,204,204,220,204,220,220]
[ENTROPIES...: 6.4,6.1,6.3,5.8,6.0,5.8,6.0,6.9,7.1,7.2,7.1,7.1,7.1,7.0,7.0,7.1,7.0,6.9,6.8,7.0,7.0,7.0,6.9,6.9,6.9,6.9,6.9,6.9,7.0,6.9,7.0,7.1]
+ not-detected: [....25] [ip4][..udp] [...192.168.1.77][23174] -> [...192.168.1.52][31480] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
new: [....28] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67]
detected: [....28] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable][]
new: [....29] [ip4][..udp] [...192.168.1.43][..138] -> [..192.168.1.255][..138]
@@ -212,13 +214,13 @@
idle: [....17] [ip4][..udp] [...192.168.1.52][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
idle: [.....3] [ip4][..udp] [...192.168.1.53][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
not-detected: [....44] [ip4][..udp] [...192.168.1.77][28150] -> [..87.11.205.195][59772] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [....44] [ip4][..udp] [...192.168.1.77][28150] -> [..87.11.205.195][59772]
idle: [....36] [ip4][..udp] [...192.168.1.77][57621] -> [..192.168.1.255][57621] [Spotify][Unknown][Music][Fun]
idle: [....14] [ip4][..udp] [...192.168.1.53][57621] -> [..192.168.1.255][57621] [Spotify][Unknown][Music][Fun]
idle: [....43] [ip4][..udp] [...192.168.1.77][52127] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable]
not-detected: [....26] [ip4][..udp] [...192.168.1.77][23174] -> [..87.11.205.195][60723] [Unknown][Unknown][Unrated]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [....26] [ip4][..udp] [...192.168.1.77][23174] -> [..87.11.205.195][60723]
idle: [....35] [ip4][..udp] [...192.168.1.77][50822] -> [..216.58.205.68][..443] [QUIC.Google][Google][Web][Acceptable]
idle: [....31] [ip4][..udp] [...192.168.1.77][49764] -> [....192.168.1.1][...53] [DNS.ntop][Unknown][Network][Safe]
@@ -236,8 +238,8 @@
idle: [....47] [ip4][..udp] [...192.168.1.77][58615] -> [....192.168.1.1][...53] [DNS.Dropbox][Unknown][Network][Acceptable]
idle: [....33] [ip4][..udp] [...192.168.1.77][54595] -> [....192.168.1.1][...53] [DNS.ntop][Unknown][Network][Safe]
RISK: Error Code
- not-detected: [....25] [ip4][..udp] [...192.168.1.77][23174] -> [...192.168.1.52][31480] [Unknown][Unknown][Unrated]
- idle: [....25] [ip4][..udp] [...192.168.1.77][23174] -> [...192.168.1.52][31480]
+ idle: [....25] [ip4][..udp] [...192.168.1.77][23174] -> [...192.168.1.52][31480] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [....34] [ip4][..udp] [...192.168.1.77][61974] -> [..216.58.205.68][..443] [QUIC.Google][Google][Web][Acceptable]
idle: [.....6] [ip6][..udp] [................fe80::4ba:91a:7817:e318][.5353] -> [...............................ff02::fb][.5353] [MDNS][Unknown][Network][Acceptable]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/telegram_videocall.pcapng.out b/test/results/flow-info/default/telegram_videocall.pcapng.out
index d21678e9e..98062635f 100644
--- a/test/results/flow-info/default/telegram_videocall.pcapng.out
+++ b/test/results/flow-info/default/telegram_videocall.pcapng.out
@@ -10,8 +10,11 @@
new: [.....5] [ip4][..tcp] [.192.168.12.169][46862] -> [.149.154.167.51][..443]
new: [.....6] [ip4][..tcp] [.192.168.12.169][46866] -> [.149.154.167.51][..443]
detected: [.....4] [ip4][..tcp] [.192.168.12.169][37950] -> [.149.154.167.91][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
detected: [.....5] [ip4][..tcp] [.192.168.12.169][46862] -> [.149.154.167.51][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
detected: [.....6] [ip4][..tcp] [.192.168.12.169][46866] -> [.149.154.167.51][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
analyse: [.....4] [ip4][..tcp] [.192.168.12.169][37950] -> [.149.154.167.91][..443] [Telegram][Telegram][Chat][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.127| 0.025| 0.031| 963.939| 3.900]
@@ -25,9 +28,12 @@
new: [.....7] [ip4][..tcp] [.192.168.12.169][40830] -> [149.154.167.222][..443]
new: [.....8] [ip4][..tcp] [.192.168.12.169][40832] -> [149.154.167.222][..443]
detected: [.....7] [ip4][..tcp] [.192.168.12.169][40830] -> [149.154.167.222][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
detected: [.....8] [ip4][..tcp] [.192.168.12.169][40832] -> [149.154.167.222][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
new: [.....9] [ip4][..tcp] [.192.168.12.169][40834] -> [149.154.167.222][..443]
detected: [.....9] [ip4][..tcp] [.192.168.12.169][40834] -> [149.154.167.222][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
analyse: [.....7] [ip4][..tcp] [.192.168.12.169][40830] -> [149.154.167.222][..443] [Telegram][Telegram][Chat][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.047| 0.009| 0.015| 220.392| 3.200]
@@ -40,6 +46,7 @@
[ENTROPIES...: 4.8,5.2,5.2,7.7,7.0,5.2,6.8,7.1,5.2,5.2,7.4,7.1,7.9,7.9,7.8,7.9,7.8,7.8,7.8,7.8,7.8,5.1,5.2,5.1,5.1,5.2,7.1,7.9,7.8,7.9,7.8,7.8]
new: [....10] [ip4][..tcp] [.192.168.12.169][37966] -> [.149.154.167.91][..443]
detected: [....10] [ip4][..tcp] [.192.168.12.169][37966] -> [.149.154.167.91][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
new: [....11] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353]
detected: [....11] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable][_ipps._tcp.local]
new: [....12] [ip4][..udp] [.192.168.12.169][40906] -> [....91.108.9.35][.1400]
@@ -146,17 +153,22 @@
[ENTROPIES...: 4.9,5.3,5.2,7.6,7.1,5.1,6.9,7.0,7.8,7.8,7.8,7.7,5.2,5.1,5.1,7.5,7.8,7.9,7.8,7.9,7.8,7.8,7.7,5.2,5.0,5.1,5.1,5.2,5.2,5.1,5.1,5.2]
new: [....31] [ip4][.icmp] [.192.168.12.169] -> [....91.108.9.35]
detected: [....31] [ip4][.icmp] [.192.168.12.169] -> [....91.108.9.35] [ICMP][Telegram][Network][Acceptable]
+ RISK: Susp Entropy
new: [....32] [ip4][.icmp] [.192.168.12.169] -> [...91.108.13.23]
detected: [....32] [ip4][.icmp] [.192.168.12.169] -> [...91.108.13.23] [ICMP][Telegram][Network][Acceptable]
+ RISK: Susp Entropy
new: [....33] [ip4][.icmp] [.192.168.12.169] -> [....91.108.17.2]
detected: [....33] [ip4][.icmp] [.192.168.12.169] -> [....91.108.17.2] [ICMP][Telegram][Network][Acceptable]
+ RISK: Susp Entropy
new: [....34] [ip4][..tcp] [..18.195.162.93][..443] -> [.192.168.12.169][38956] [MIDSTREAM]
detected: [....34] [ip4][..tcp] [..18.195.162.93][..443] -> [.192.168.12.169][38956] [TLS][AmazonAWS][Web][Safe]
guessed: [.....3] [ip4][..tcp] [.192.168.12.169][37948] -> [.149.154.167.91][..443] [Telegram][Telegram][Chat][Acceptable]
RISK: TCP Connection Issues
end: [.....3] [ip4][..tcp] [.192.168.12.169][37948] -> [.149.154.167.91][..443]
idle: [.....4] [ip4][..tcp] [.192.168.12.169][37950] -> [.149.154.167.91][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
idle: [....10] [ip4][..tcp] [.192.168.12.169][37966] -> [.149.154.167.91][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
idle: [....18] [ip4][..udp] [.192.168.12.169][40643] -> [....91.108.9.35][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable]
RISK: Known Proto on Non Std Port
idle: [....28] [ip6][icmp6] [...............fe80::abe:acff:fe0b:176e] -> [................................ff02::2] [ICMPV6][Unknown][Network][Acceptable]
@@ -173,10 +185,15 @@
idle: [.....1] [ip6][icmp6] [..............fe80::98df:58ff:fefa:ebdc] -> [................................ff02::2] [ICMPV6][Unknown][Network][Acceptable]
idle: [....29] [ip6][..udp] [...............fe80::abe:acff:fe0b:176e][.5353] -> [...............................ff02::fb][.5353] [MDNS][Unknown][Network][Acceptable]
end: [.....5] [ip4][..tcp] [.192.168.12.169][46862] -> [.149.154.167.51][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
end: [.....6] [ip4][..tcp] [.192.168.12.169][46866] -> [.149.154.167.51][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
end: [.....7] [ip4][..tcp] [.192.168.12.169][40830] -> [149.154.167.222][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
end: [.....8] [ip4][..tcp] [.192.168.12.169][40832] -> [149.154.167.222][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
idle: [.....9] [ip4][..tcp] [.192.168.12.169][40834] -> [149.154.167.222][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
idle: [....19] [ip4][..udp] [.192.168.12.169][49667] -> [...91.108.13.23][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable]
RISK: Known Proto on Non Std Port
idle: [....25] [ip4][..udp] [.192.168.12.169][40906] -> [..10.46.103.200][42554] [STUN.TelegramVoip][Unknown][VoIP][Acceptable]
@@ -188,8 +205,11 @@
idle: [....20] [ip4][..udp] [.192.168.12.169][49780] -> [....91.108.17.2][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable]
RISK: Known Proto on Non Std Port
idle: [....33] [ip4][.icmp] [.192.168.12.169] -> [....91.108.17.2] [ICMP][Telegram][Network][Acceptable]
+ RISK: Susp Entropy
idle: [....32] [ip4][.icmp] [.192.168.12.169] -> [...91.108.13.23] [ICMP][Telegram][Network][Acceptable]
+ RISK: Susp Entropy
idle: [....31] [ip4][.icmp] [.192.168.12.169] -> [....91.108.9.35] [ICMP][Telegram][Network][Acceptable]
+ RISK: Susp Entropy
idle: [....22] [ip4][..udp] [.192.168.12.169][37530] -> [...91.108.13.23][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable]
RISK: Known Proto on Non Std Port
end: [....34] [ip4][..tcp] [..18.195.162.93][..443] -> [.192.168.12.169][38956] [TLS][AmazonAWS][Web][Safe]
diff --git a/test/results/flow-info/default/teso.pcapng.out b/test/results/flow-info/default/teso.pcapng.out
new file mode 100644
index 000000000..8e462b476
--- /dev/null
+++ b/test/results/flow-info/default/teso.pcapng.out
@@ -0,0 +1,12 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..tcp] [.192.168.88.231][56158] -> [159.100.232.124][24120]
+ detected: [.....1] [ip4][..tcp] [.192.168.88.231][56158] -> [159.100.232.124][24120] [TES_Online][Unknown][Game][Fun]
+ DAEMON-EVENT: [Processed: 4 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....2] [ip4][..tcp] [.192.168.88.231][47860] -> [159.100.232.114][24504]
+ detected: [.....2] [ip4][..tcp] [.192.168.88.231][47860] -> [159.100.232.114][24504] [TES_Online][Unknown][Game][Fun]
+ idle: [.....2] [ip4][..tcp] [.192.168.88.231][47860] -> [159.100.232.114][24504] [TES_Online][Unknown][Game][Fun]
+ idle: [.....1] [ip4][..tcp] [.192.168.88.231][56158] -> [159.100.232.124][24120] [TES_Online][Unknown][Game][Fun]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/threema.pcap.out b/test/results/flow-info/default/threema.pcap.out
index e36a4c89a..1c0ce9632 100644
--- a/test/results/flow-info/default/threema.pcap.out
+++ b/test/results/flow-info/default/threema.pcap.out
@@ -20,11 +20,11 @@
DAEMON-EVENT: [Flows][active: 3 / 5|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....6] [ip4][..tcp] [..192.168.2.100][50860] -> [.185.88.236.110][.5222]
guessed: [.....5] [ip4][..tcp] [..192.168.2.100][50718] -> [.185.88.236.110][.5222] [Threema][Threema][Chat][Fun]
- RISK: Fully encrypted flow
+ RISK: Fully Encrypted Flow
end: [.....5] [ip4][..tcp] [..192.168.2.100][50718] -> [.185.88.236.110][.5222]
idle: [.....1] [ip4][..tcp] [..192.168.2.100][50298] -> [.185.88.236.110][.5222] [Threema][Threema][Chat][Fun]
idle: [.....2] [ip4][..tcp] [..192.168.2.100][50484] -> [.185.88.236.110][.5222] [Threema][Threema][Chat][Fun]
guessed: [.....6] [ip4][..tcp] [..192.168.2.100][50860] -> [.185.88.236.110][.5222] [Threema][Threema][Chat][Fun]
- RISK: Fully encrypted flow
+ RISK: Fully Encrypted Flow
end: [.....6] [ip4][..tcp] [..192.168.2.100][50860] -> [.185.88.236.110][.5222]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/tls_certificate_too_long.pcap.out b/test/results/flow-info/default/tls_certificate_too_long.pcap.out
index 2d0586881..fe8eb673e 100644
--- a/test/results/flow-info/default/tls_certificate_too_long.pcap.out
+++ b/test/results/flow-info/default/tls_certificate_too_long.pcap.out
@@ -55,11 +55,11 @@
detected: [....18] [ip4][..tcp] [..192.168.1.121][53912] -> [....2.22.33.235][...80] [HTTP.Microsoft][Unknown][Cloud][Safe][www.microsoft.com]
detection-update: [....17] [ip4][..udp] [..192.168.1.121][54561] -> [........8.8.8.8][...53] [DNS][Google][Network][Acceptable][e13678.dscb.akamaiedge.net]
detection-update: [....18] [ip4][..tcp] [..192.168.1.121][53912] -> [....2.22.33.235][...80] [HTTP.Microsoft][Unknown][Download][Safe][www.microsoft.com]
- RISK: HTTP Susp Header, Binary file/data transfer (attempt)
+ RISK: HTTP Susp Header, Binary File/Data Transfer (Attempt)
new: [....19] [ip4][..tcp] [..192.168.1.121][53913] -> [....2.22.33.235][...80]
detected: [....19] [ip4][..tcp] [..192.168.1.121][53913] -> [....2.22.33.235][...80] [HTTP.Microsoft][Unknown][Cloud][Safe][www.microsoft.com]
detection-update: [....19] [ip4][..tcp] [..192.168.1.121][53913] -> [....2.22.33.235][...80] [HTTP.Microsoft][Unknown][Download][Safe][www.microsoft.com]
- RISK: HTTP Susp Header, Binary file/data transfer (attempt)
+ RISK: HTTP Susp Header, Binary File/Data Transfer (Attempt)
new: [....20] [ip4][..tcp] [..192.168.1.121][53905] -> [..140.82.113.26][..443] [MIDSTREAM]
new: [....21] [ip4][..udp] [..192.168.1.121][65213] -> [........8.8.8.8][...53]
detected: [....21] [ip4][..udp] [..192.168.1.121][65213] -> [........8.8.8.8][...53] [DNS.Apple][Google][Network][Safe][time-macos.apple.com]
@@ -136,9 +136,9 @@
idle: [.....8] [ip4][....2] [..192.168.1.139] -> [....224.0.0.251] [IGMP][Unknown][Network][Acceptable]
idle: [.....7] [ip4][....2] [..192.168.1.139] -> [......224.0.0.2] [IGMP][Unknown][Network][Acceptable]
end: [....18] [ip4][..tcp] [..192.168.1.121][53912] -> [....2.22.33.235][...80] [HTTP.Microsoft][Unknown][Download][Safe]
- RISK: HTTP Susp Header, Binary file/data transfer (attempt)
+ RISK: HTTP Susp Header, Binary File/Data Transfer (Attempt)
end: [....19] [ip4][..tcp] [..192.168.1.121][53913] -> [....2.22.33.235][...80] [HTTP.Microsoft][Unknown][Download][Safe]
- RISK: HTTP Susp Header, Binary file/data transfer (attempt)
+ RISK: HTTP Susp Header, Binary File/Data Transfer (Attempt)
idle: [....14] [ip4][..udp] [..192.168.1.121][51364] -> [........8.8.8.8][...53] [DNS.Microsoft][Google][Network][Safe]
idle: [.....9] [ip4][..udp] [..192.168.1.121][55567] -> [........8.8.8.8][...53] [DNS.Microsoft][Google][Network][Safe]
idle: [....16] [ip4][..udp] [..192.168.1.121][55578] -> [........8.8.8.8][...53] [DNS][Google][Network][Acceptable]
diff --git a/test/results/flow-info/default/tls_invalid_reads.pcap.out b/test/results/flow-info/default/tls_invalid_reads.pcap.out
index 4658cd47a..e236b1959 100644
--- a/test/results/flow-info/default/tls_invalid_reads.pcap.out
+++ b/test/results/flow-info/default/tls_invalid_reads.pcap.out
@@ -18,7 +18,7 @@
ERROR-EVENT: Unknown packet type [1/16]
ERROR-EVENT: Unknown packet type [2/16]
ERROR-EVENT: Unknown packet type [3/16]
- guessed: [.....2] [ip4][..tcp] [...74.80.160.99][.3258] -> [...67.217.77.28][..443] [TLS][GoTo][Web][Safe]
+ guessed: [.....2] [ip4][..tcp] [...74.80.160.99][.3258] -> [...67.217.77.28][..443] [TLS][Unknown][Web][Safe]
RISK: Unidirectional Traffic
idle: [.....2] [ip4][..tcp] [...74.80.160.99][.3258] -> [...67.217.77.28][..443]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/tls_missing_ch_frag.pcap.out b/test/results/flow-info/default/tls_missing_ch_frag.pcap.out
index dfb30fb92..c56b54fe6 100644
--- a/test/results/flow-info/default/tls_missing_ch_frag.pcap.out
+++ b/test/results/flow-info/default/tls_missing_ch_frag.pcap.out
@@ -2,6 +2,6 @@
DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....1] [ip4][..tcp] [.....10.10.10.1][..443] -> [....192.168.0.1][33063]
- detected: [.....1] [ip4][..tcp] [.....10.10.10.1][..443] -> [....192.168.0.1][33063] [TLS][Unknown][Web][Safe][]
+ detected: [.....1] [ip4][..tcp] [.....10.10.10.1][..443] -> [....192.168.0.1][33063] [TLS][Unknown][Web][Safe]
end: [.....1] [ip4][..tcp] [.....10.10.10.1][..443] -> [....192.168.0.1][33063] [TLS][Unknown][Web][Safe]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/tls_unidirectional.pcap.out b/test/results/flow-info/default/tls_unidirectional.pcap.out
index 613d92820..f1dbae8fc 100644
--- a/test/results/flow-info/default/tls_unidirectional.pcap.out
+++ b/test/results/flow-info/default/tls_unidirectional.pcap.out
@@ -1,18 +1,7 @@
DAEMON-EVENT: init
DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
- new: [.....1] [ip4][..tcp] [.142.250.27.188][.5228] -> [...10.140.72.24][12654]
- detected: [.....1] [ip4][..tcp] [.142.250.27.188][.5228] -> [...10.140.72.24][12654] [TLS][Google][Web][Safe][]
- RISK: Known Proto on Non Std Port, Unidirectional Traffic
- detection-update: [.....1] [ip4][..tcp] [.142.250.27.188][.5228] -> [...10.140.72.24][12654] [TLS.Google][Google][Web][Acceptable][]
- RISK: Known Proto on Non Std Port, Unidirectional Traffic
- DAEMON-EVENT: [Processed: 6 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0]
- new: [.....2] [ip4][..tcp] [..192.168.1.128][48260] -> [195.181.174.176][..443]
- detected: [.....2] [ip4][..tcp] [..192.168.1.128][48260] -> [195.181.174.176][..443] [TLS.AnyDesk][Unknown][RemoteAccess][Acceptable][]
- RISK: Missing SNI TLS Extn, Desktop/File Sharing, Uncommon TLS ALPN, Unidirectional Traffic
- idle: [.....1] [ip4][..tcp] [.142.250.27.188][.5228] -> [...10.140.72.24][12654] [TLS.Google][Google][Web][Acceptable]
- RISK: Known Proto on Non Std Port, Unidirectional Traffic
- idle: [.....2] [ip4][..tcp] [..192.168.1.128][48260] -> [195.181.174.176][..443] [TLS.AnyDesk][Unknown][RemoteAccess][Acceptable]
- RISK: Missing SNI TLS Extn, Desktop/File Sharing, Uncommon TLS ALPN, Unidirectional Traffic
+ new: [.....1] [ip4][..tcp] [..192.168.2.198][50548] -> [....192.168.2.1][..443]
+ guessed: [.....1] [ip4][..tcp] [..192.168.2.198][50548] -> [....192.168.2.1][..443] [TLS][Unknown][Web][Safe]
+ end: [.....1] [ip4][..tcp] [..192.168.2.198][50548] -> [....192.168.2.1][..443]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/toca-boca.pcap.out b/test/results/flow-info/default/toca-boca.pcap.out
index 94a27efd1..233568ab0 100644
--- a/test/results/flow-info/default/toca-boca.pcap.out
+++ b/test/results/flow-info/default/toca-boca.pcap.out
@@ -68,7 +68,7 @@
new: [....17] [ip4][..udp] [..91.199.81.122][.5055] -> [..192.168.2.100][34503]
detected: [....17] [ip4][..udp] [..91.199.81.122][.5055] -> [..192.168.2.100][34503] [TocaBoca][Unknown][Game][Fun]
guessed: [....16] [ip4][..udp] [..91.199.81.123][.5055] -> [..192.168.2.100][37167] [TocaBoca][Unknown][Game][Fun]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [....16] [ip4][..udp] [..91.199.81.123][.5055] -> [..192.168.2.100][37167]
idle: [....15] [ip4][..udp] [..192.168.2.100][35671] -> [..91.199.81.123][.5055] [TocaBoca][Unknown][Game][Fun]
DAEMON-EVENT: [Processed: 73 pkts][ZLib][compressions: 0|diff: 0 / 0]
@@ -81,7 +81,7 @@
new: [....20] [ip4][..udp] [..192.168.2.100][45096] -> [..91.199.81.208][.5055]
detected: [....20] [ip4][..udp] [..192.168.2.100][45096] -> [..91.199.81.208][.5055] [TocaBoca][Unknown][Game][Fun]
guessed: [....18] [ip4][..udp] [..91.199.81.225][.5055] -> [..192.168.2.100][50337] [TocaBoca][Unknown][Game][Fun]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [....18] [ip4][..udp] [..91.199.81.225][.5055] -> [..192.168.2.100][50337]
DAEMON-EVENT: [Processed: 76 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 2 / 20|skipped: 0|!detected: 0|guessed: 2|detection-updates: 0|updates: 5]
@@ -91,6 +91,6 @@
idle: [....19] [ip4][..udp] [..91.199.81.122][.5055] -> [..192.168.2.100][56920]
idle: [....20] [ip4][..udp] [..192.168.2.100][45096] -> [..91.199.81.208][.5055] [TocaBoca][Unknown][Game][Fun]
guessed: [....21] [ip4][..udp] [..91.199.81.225][.5055] -> [..192.168.2.100][43151] [TocaBoca][Unknown][Game][Fun]
- RISK: Unidirectional Traffic
+ RISK: Susp Entropy, Unidirectional Traffic
idle: [....21] [ip4][..udp] [..91.199.81.225][.5055] -> [..192.168.2.100][43151]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/trdp.pcapng.out b/test/results/flow-info/default/trdp.pcapng.out
new file mode 100644
index 000000000..47aae9537
--- /dev/null
+++ b/test/results/flow-info/default/trdp.pcapng.out
@@ -0,0 +1,13 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..tcp] [.192.168.88.231][45482] -> [.192.168.88.138][17225]
+ detected: [.....1] [ip4][..tcp] [.192.168.88.231][45482] -> [.192.168.88.138][17225] [TRDP][Unknown][IoT-Scada][Acceptable]
+ new: [.....2] [ip4][..udp] [.192.168.88.231][45318] -> [.192.168.88.138][17225]
+ detected: [.....2] [ip4][..udp] [.192.168.88.231][45318] -> [.192.168.88.138][17225] [TRDP][Unknown][IoT-Scada][Acceptable]
+ new: [.....3] [ip4][..udp] [.192.168.88.231][47228] -> [.192.168.88.138][17224]
+ detected: [.....3] [ip4][..udp] [.192.168.88.231][47228] -> [.192.168.88.138][17224] [TRDP][Unknown][IoT-Scada][Acceptable]
+ idle: [.....3] [ip4][..udp] [.192.168.88.231][47228] -> [.192.168.88.138][17224] [TRDP][Unknown][IoT-Scada][Acceptable]
+ idle: [.....2] [ip4][..udp] [.192.168.88.231][45318] -> [.192.168.88.138][17225] [TRDP][Unknown][IoT-Scada][Acceptable]
+ end: [.....1] [ip4][..tcp] [.192.168.88.231][45482] -> [.192.168.88.138][17225] [TRDP][Unknown][IoT-Scada][Acceptable]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/tunnelbear.pcap.out b/test/results/flow-info/default/tunnelbear.pcap.out
index 520cba44a..8686c49a6 100644
--- a/test/results/flow-info/default/tunnelbear.pcap.out
+++ b/test/results/flow-info/default/tunnelbear.pcap.out
@@ -1,25 +1,27 @@
DAEMON-EVENT: init
- DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
- new: [.....1] [ip4][..tcp] [.......10.8.0.1][50178] -> [.104.17.154.236][..443]
- detected: [.....1] [ip4][..tcp] [.......10.8.0.1][50178] -> [.104.17.154.236][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.tunnelbear.com]
- new: [.....2] [ip4][..tcp] [.......10.8.0.1][45104] -> [..104.17.115.40][..443]
- new: [.....3] [ip4][..tcp] [.......10.8.0.1][45106] -> [..104.17.115.40][..443]
- new: [.....4] [ip4][..tcp] [.......10.8.0.1][45108] -> [..104.17.115.40][..443]
- detected: [.....2] [ip4][..tcp] [.......10.8.0.1][45104] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- new: [.....5] [ip4][..tcp] [.......10.8.0.1][45114] -> [..104.17.115.40][..443]
- detected: [.....3] [ip4][..tcp] [.......10.8.0.1][45106] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- detected: [.....4] [ip4][..tcp] [.......10.8.0.1][45108] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- detected: [.....5] [ip4][..tcp] [.......10.8.0.1][45114] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- detection-update: [.....2] [ip4][..tcp] [.......10.8.0.1][45104] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- detection-update: [.....1] [ip4][..tcp] [.......10.8.0.1][50178] -> [.104.17.154.236][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.tunnelbear.com]
- detection-update: [.....3] [ip4][..tcp] [.......10.8.0.1][45106] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- detection-update: [.....4] [ip4][..tcp] [.......10.8.0.1][45108] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- detection-update: [.....5] [ip4][..tcp] [.......10.8.0.1][45114] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- new: [.....6] [ip4][..tcp] [.......10.8.0.1][47496] -> [162.247.243.188][..443]
- detected: [.....6] [ip4][..tcp] [.......10.8.0.1][47496] -> [162.247.243.188][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads][mobile-collector.newrelic.com]
- detection-update: [.....6] [ip4][..tcp] [.......10.8.0.1][47496] -> [162.247.243.188][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads][mobile-collector.newrelic.com]
- analyse: [.....2] [ip4][..tcp] [.......10.8.0.1][45104] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
+ new: [.....1] [ip4][..udp] [......10.0.2.15][57636] -> [...142.93.78.79][51820]
+ detected: [.....1] [ip4][..udp] [......10.0.2.15][57636] -> [...142.93.78.79][51820] [WireGuard.TunnelBear][Unknown][VPN][Acceptable]
+ DAEMON-EVENT: [Processed: 12 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....2] [ip4][..tcp] [.......10.8.0.1][50178] -> [.104.17.154.236][..443]
+ detected: [.....2] [ip4][..tcp] [.......10.8.0.1][50178] -> [.104.17.154.236][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.tunnelbear.com]
+ new: [.....3] [ip4][..tcp] [.......10.8.0.1][45104] -> [..104.17.115.40][..443]
+ new: [.....4] [ip4][..tcp] [.......10.8.0.1][45106] -> [..104.17.115.40][..443]
+ new: [.....5] [ip4][..tcp] [.......10.8.0.1][45108] -> [..104.17.115.40][..443]
+ detected: [.....3] [ip4][..tcp] [.......10.8.0.1][45104] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ new: [.....6] [ip4][..tcp] [.......10.8.0.1][45114] -> [..104.17.115.40][..443]
+ detected: [.....4] [ip4][..tcp] [.......10.8.0.1][45106] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ detected: [.....5] [ip4][..tcp] [.......10.8.0.1][45108] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ detected: [.....6] [ip4][..tcp] [.......10.8.0.1][45114] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ detection-update: [.....3] [ip4][..tcp] [.......10.8.0.1][45104] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ detection-update: [.....2] [ip4][..tcp] [.......10.8.0.1][50178] -> [.104.17.154.236][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.tunnelbear.com]
+ detection-update: [.....4] [ip4][..tcp] [.......10.8.0.1][45106] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ detection-update: [.....5] [ip4][..tcp] [.......10.8.0.1][45108] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ detection-update: [.....6] [ip4][..tcp] [.......10.8.0.1][45114] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ new: [.....7] [ip4][..tcp] [.......10.8.0.1][47496] -> [162.247.243.188][..443]
+ detected: [.....7] [ip4][..tcp] [.......10.8.0.1][47496] -> [162.247.243.188][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads][mobile-collector.newrelic.com]
+ detection-update: [.....7] [ip4][..tcp] [.......10.8.0.1][47496] -> [162.247.243.188][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads][mobile-collector.newrelic.com]
+ analyse: [.....3] [ip4][..tcp] [.......10.8.0.1][45104] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.266| 0.037| 0.060| 3626.297| 3.500]
[PKTLEN......: 40.000| 3697.000| 426.000| 812.300| 659832.900| 3.500]
@@ -29,13 +31,13 @@
[IATS(ms)....: 4.8,10.8,0.0,6.0,71.1,71.7,62.5,63.1,0.2,0.1,0.1,0.1,2.3,2.2,58.3,58.8,0.5,0.2,0.2,0.1,0.2,0.1,0.6,0.8,214.5,265.9,52.4,51.4,53.8,54.6,51.8]
[PKTLENS.....: 60,40,40,557,40,3697,40,133,40,576,40,576,40,305,40,376,361,40,576,40,150,40,40,78,40,1632,40,691,40,352,40,2871]
[ENTROPIES...: 4.5,4.5,4.6,6.1,4.5,7.2,4.5,5.9,4.5,7.4,4.5,7.6,4.6,7.4,4.5,7.1,7.4,4.5,7.6,4.5,6.5,4.5,4.6,5.3,4.5,7.9,4.6,7.6,4.6,7.1,4.6,7.9]
- new: [.....7] [ip4][..tcp] [.......10.8.0.1][45124] -> [..104.17.115.40][..443]
- new: [.....8] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443]
- detected: [.....7] [ip4][..tcp] [.......10.8.0.1][45124] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- detected: [.....8] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- detection-update: [.....8] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- detection-update: [.....7] [ip4][..tcp] [.......10.8.0.1][45124] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- analyse: [.....8] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
+ new: [.....8] [ip4][..tcp] [.......10.8.0.1][45124] -> [..104.17.115.40][..443]
+ new: [.....9] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443]
+ detected: [.....8] [ip4][..tcp] [.......10.8.0.1][45124] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ detected: [.....9] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ detection-update: [.....9] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ detection-update: [.....8] [ip4][..tcp] [.......10.8.0.1][45124] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ analyse: [.....9] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.234| 0.036| 0.055| 3015.001| 3.600]
[PKTLEN......: 40.000| 789.000| 149.700| 198.300| 39337.400| 4.100]
@@ -45,55 +47,56 @@
[IATS(ms)....: 3.4,3.9,2.0,2.9,57.3,108.0,0.8,51.4,0.3,0.1,0.1,0.1,0.1,0.1,50.9,51.9,1.0,50.4,50.8,196.8,233.7,37.7,51.5,50.9,51.1,0.1,51.0,0.5,0.2,0.4,1.0]
[PKTLENS.....: 60,40,40,557,40,196,40,91,40,576,40,576,40,303,40,118,363,40,78,40,789,40,213,40,78,40,71,40,40,40,40,40]
[ENTROPIES...: 4.5,4.6,4.6,6.1,4.5,6.1,4.7,5.4,4.5,7.4,4.6,7.6,4.5,7.2,4.5,5.9,7.4,4.6,5.3,4.6,7.7,4.7,6.8,4.7,5.3,4.6,5.1,4.5,4.5,4.4,4.5,4.5]
- new: [.....9] [ip4][..tcp] [..10.158.132.91][38398] -> [..104.17.114.40][..443] [MIDSTREAM]
- detected: [.....9] [ip4][..tcp] [..10.158.132.91][38398] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ idle: [.....1] [ip4][..udp] [......10.0.2.15][57636] -> [...142.93.78.79][51820] [WireGuard.TunnelBear][Unknown][VPN][Acceptable]
+ new: [....10] [ip4][..tcp] [..10.158.132.91][38398] -> [..104.17.114.40][..443] [MIDSTREAM]
+ detected: [....10] [ip4][..tcp] [..10.158.132.91][38398] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
RISK: Unidirectional Traffic
- new: [....10] [ip4][..tcp] [..10.158.132.91][51120] -> [........8.8.8.8][...53] [MIDSTREAM]
- new: [....11] [ip4][..tcp] [.......10.8.0.1][60224] -> [...157.240.7.32][..443]
- detected: [....11] [ip4][..tcp] [.......10.8.0.1][60224] -> [...157.240.7.32][..443] [TLS.Messenger][Facebook][Chat][Acceptable][mqtt-mini.facebook.com]
+ new: [....11] [ip4][..tcp] [..10.158.132.91][51120] -> [........8.8.8.8][...53] [MIDSTREAM]
+ new: [....12] [ip4][..tcp] [.......10.8.0.1][60224] -> [...157.240.7.32][..443]
+ detected: [....12] [ip4][..tcp] [.......10.8.0.1][60224] -> [...157.240.7.32][..443] [TLS.FacebookMessenger][Facebook][Chat][Acceptable][mqtt-mini.facebook.com]
RISK: TLS (probably) Not Carrying HTTPS
- detection-update: [....11] [ip4][..tcp] [.......10.8.0.1][60224] -> [...157.240.7.32][..443] [TLS.Messenger][Facebook][Chat][Acceptable][mqtt-mini.facebook.com]
+ detection-update: [....12] [ip4][..tcp] [.......10.8.0.1][60224] -> [...157.240.7.32][..443] [TLS.FacebookMessenger][Facebook][Chat][Acceptable][mqtt-mini.facebook.com]
RISK: TLS (probably) Not Carrying HTTPS
- new: [....12] [ip4][..tcp] [.......10.8.0.1][47594] -> [..99.83.135.170][..443]
- detected: [....12] [ip4][..tcp] [.......10.8.0.1][47594] -> [..99.83.135.170][..443] [TLS][AmazonAWS][Web][Safe][capi.grammarly.com]
+ new: [....13] [ip4][..tcp] [.......10.8.0.1][47594] -> [..99.83.135.170][..443]
+ detected: [....13] [ip4][..tcp] [.......10.8.0.1][47594] -> [..99.83.135.170][..443] [TLS][AmazonAWS][Web][Safe][capi.grammarly.com]
RISK: TLS (probably) Not Carrying HTTPS
- detection-update: [....12] [ip4][..tcp] [.......10.8.0.1][47594] -> [..99.83.135.170][..443] [TLS][AmazonAWS][Web][Safe][capi.grammarly.com]
+ detection-update: [....13] [ip4][..tcp] [.......10.8.0.1][47594] -> [..99.83.135.170][..443] [TLS][AmazonAWS][Web][Safe][capi.grammarly.com]
RISK: TLS (probably) Not Carrying HTTPS
- detection-update: [....12] [ip4][..tcp] [.......10.8.0.1][47594] -> [..99.83.135.170][..443] [TLS][AmazonAWS][Web][Safe][capi.grammarly.com]
+ detection-update: [....13] [ip4][..tcp] [.......10.8.0.1][47594] -> [..99.83.135.170][..443] [TLS][AmazonAWS][Web][Safe][capi.grammarly.com]
RISK: TLS (probably) Not Carrying HTTPS
- new: [....13] [ip4][..tcp] [.......10.8.0.1][47046] -> [.74.125.200.188][.5228]
- detected: [....13] [ip4][..tcp] [.......10.8.0.1][47046] -> [.74.125.200.188][.5228] [TLS.GoogleServices][Google][Web][Acceptable][mtalk.google.com]
+ new: [....14] [ip4][..tcp] [.......10.8.0.1][47046] -> [.74.125.200.188][.5228]
+ detected: [....14] [ip4][..tcp] [.......10.8.0.1][47046] -> [.74.125.200.188][.5228] [TLS.GoogleServices][Google][Web][Acceptable][mtalk.google.com]
RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS
- end: [.....2] [ip4][..tcp] [.......10.8.0.1][45104] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
- end: [.....3] [ip4][..tcp] [.......10.8.0.1][45106] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
- end: [.....4] [ip4][..tcp] [.......10.8.0.1][45108] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
- end: [.....5] [ip4][..tcp] [.......10.8.0.1][45114] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
- end: [.....7] [ip4][..tcp] [.......10.8.0.1][45124] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
- end: [.....8] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
- detection-update: [....13] [ip4][..tcp] [.......10.8.0.1][47046] -> [.74.125.200.188][.5228] [TLS.GoogleServices][Google][Web][Acceptable][mtalk.google.com]
+ end: [.....3] [ip4][..tcp] [.......10.8.0.1][45104] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
+ end: [.....4] [ip4][..tcp] [.......10.8.0.1][45106] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
+ end: [.....5] [ip4][..tcp] [.......10.8.0.1][45108] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
+ end: [.....6] [ip4][..tcp] [.......10.8.0.1][45114] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
+ end: [.....8] [ip4][..tcp] [.......10.8.0.1][45124] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
+ end: [.....9] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
+ detection-update: [....14] [ip4][..tcp] [.......10.8.0.1][47046] -> [.74.125.200.188][.5228] [TLS.GoogleServices][Google][Web][Acceptable][mtalk.google.com]
RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS
- new: [....14] [ip4][..tcp] [.......10.8.0.1][33830] -> [..104.17.114.40][..443]
- detected: [....14] [ip4][..tcp] [.......10.8.0.1][33830] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- new: [....15] [ip4][..tcp] [.......10.8.0.1][50904] -> [.104.17.154.236][..443]
- new: [....16] [ip4][..tcp] [.......10.8.0.1][33838] -> [..104.17.114.40][..443]
- detected: [....16] [ip4][..tcp] [.......10.8.0.1][33838] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- new: [....17] [ip4][..tcp] [.......10.8.0.1][33842] -> [..104.17.114.40][..443]
- new: [....18] [ip4][..tcp] [.......10.8.0.1][33846] -> [..104.17.114.40][..443]
- detected: [....15] [ip4][..tcp] [.......10.8.0.1][50904] -> [.104.17.154.236][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.tunnelbear.com]
- new: [....19] [ip4][..tcp] [.......10.8.0.1][33848] -> [..104.17.114.40][..443]
- detected: [....17] [ip4][..tcp] [.......10.8.0.1][33842] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- detected: [....18] [ip4][..tcp] [.......10.8.0.1][33846] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- detected: [....19] [ip4][..tcp] [.......10.8.0.1][33848] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- detection-update: [....14] [ip4][..tcp] [.......10.8.0.1][33830] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- new: [....20] [ip4][..tcp] [.......10.8.0.1][48222] -> [162.247.243.188][..443]
- detected: [....20] [ip4][..tcp] [.......10.8.0.1][48222] -> [162.247.243.188][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads][mobile-collector.newrelic.com]
- detection-update: [....18] [ip4][..tcp] [.......10.8.0.1][33846] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- detection-update: [....17] [ip4][..tcp] [.......10.8.0.1][33842] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- detection-update: [....16] [ip4][..tcp] [.......10.8.0.1][33838] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- detection-update: [....19] [ip4][..tcp] [.......10.8.0.1][33848] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- detection-update: [....15] [ip4][..tcp] [.......10.8.0.1][50904] -> [.104.17.154.236][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.tunnelbear.com]
- detection-update: [....20] [ip4][..tcp] [.......10.8.0.1][48222] -> [162.247.243.188][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads][mobile-collector.newrelic.com]
- analyse: [....14] [ip4][..tcp] [.......10.8.0.1][33830] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
+ new: [....15] [ip4][..tcp] [.......10.8.0.1][33830] -> [..104.17.114.40][..443]
+ detected: [....15] [ip4][..tcp] [.......10.8.0.1][33830] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ new: [....16] [ip4][..tcp] [.......10.8.0.1][50904] -> [.104.17.154.236][..443]
+ new: [....17] [ip4][..tcp] [.......10.8.0.1][33838] -> [..104.17.114.40][..443]
+ detected: [....17] [ip4][..tcp] [.......10.8.0.1][33838] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ new: [....18] [ip4][..tcp] [.......10.8.0.1][33842] -> [..104.17.114.40][..443]
+ new: [....19] [ip4][..tcp] [.......10.8.0.1][33846] -> [..104.17.114.40][..443]
+ detected: [....16] [ip4][..tcp] [.......10.8.0.1][50904] -> [.104.17.154.236][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.tunnelbear.com]
+ new: [....20] [ip4][..tcp] [.......10.8.0.1][33848] -> [..104.17.114.40][..443]
+ detected: [....18] [ip4][..tcp] [.......10.8.0.1][33842] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ detected: [....19] [ip4][..tcp] [.......10.8.0.1][33846] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ detected: [....20] [ip4][..tcp] [.......10.8.0.1][33848] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ detection-update: [....15] [ip4][..tcp] [.......10.8.0.1][33830] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ new: [....21] [ip4][..tcp] [.......10.8.0.1][48222] -> [162.247.243.188][..443]
+ detected: [....21] [ip4][..tcp] [.......10.8.0.1][48222] -> [162.247.243.188][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads][mobile-collector.newrelic.com]
+ detection-update: [....19] [ip4][..tcp] [.......10.8.0.1][33846] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ detection-update: [....18] [ip4][..tcp] [.......10.8.0.1][33842] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ detection-update: [....17] [ip4][..tcp] [.......10.8.0.1][33838] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ detection-update: [....20] [ip4][..tcp] [.......10.8.0.1][33848] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ detection-update: [....16] [ip4][..tcp] [.......10.8.0.1][50904] -> [.104.17.154.236][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.tunnelbear.com]
+ detection-update: [....21] [ip4][..tcp] [.......10.8.0.1][48222] -> [162.247.243.188][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads][mobile-collector.newrelic.com]
+ analyse: [....15] [ip4][..tcp] [.......10.8.0.1][33830] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.340| 0.040| 0.084| 7024.527| 3.000]
[PKTLEN......: 40.000| 2940.000| 240.400| 516.400| 266681.900| 3.500]
@@ -103,26 +106,26 @@
[IATS(ms)....: 4.1,5.3,2.0,3.4,237.7,240.1,0.0,2.4,9.3,9.4,0.2,0.1,1.4,1.5,0.1,0.1,0.1,0.1,100.5,152.6,52.3,7.0,20.6,16.0,10.0,8.0,0.8,1.3,7.0,6.2,340.4]
[PKTLENS.....: 60,40,40,557,40,196,40,91,40,93,40,126,40,576,40,576,40,165,40,109,78,40,78,361,40,576,40,148,40,363,40,2940]
[ENTROPIES...: 4.5,4.5,4.5,6.1,4.6,6.0,4.6,5.4,4.6,5.5,4.6,5.9,4.5,7.6,4.5,7.6,4.6,6.8,4.5,5.9,5.3,4.6,5.3,7.2,4.6,7.6,4.6,6.5,4.6,7.3,4.5,7.9]
- new: [....21] [ip4][..tcp] [.......10.8.0.1][33858] -> [..104.17.114.40][..443]
- detected: [....21] [ip4][..tcp] [.......10.8.0.1][33858] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- idle: [....13] [ip4][..tcp] [.......10.8.0.1][47046] -> [.74.125.200.188][.5228] [TLS.GoogleServices][Google][Web][Acceptable]
+ new: [....22] [ip4][..tcp] [.......10.8.0.1][33858] -> [..104.17.114.40][..443]
+ detected: [....22] [ip4][..tcp] [.......10.8.0.1][33858] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ idle: [....14] [ip4][..tcp] [.......10.8.0.1][47046] -> [.74.125.200.188][.5228] [TLS.GoogleServices][Google][Web][Acceptable]
RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS
- idle: [....15] [ip4][..tcp] [.......10.8.0.1][50904] -> [.104.17.154.236][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
- idle: [.....6] [ip4][..tcp] [.......10.8.0.1][47496] -> [162.247.243.188][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads]
- idle: [....11] [ip4][..tcp] [.......10.8.0.1][60224] -> [...157.240.7.32][..443] [TLS.Messenger][Facebook][Chat][Acceptable]
+ idle: [....16] [ip4][..tcp] [.......10.8.0.1][50904] -> [.104.17.154.236][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
+ idle: [.....7] [ip4][..tcp] [.......10.8.0.1][47496] -> [162.247.243.188][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads]
+ idle: [....12] [ip4][..tcp] [.......10.8.0.1][60224] -> [...157.240.7.32][..443] [TLS.FacebookMessenger][Facebook][Chat][Acceptable]
RISK: TLS (probably) Not Carrying HTTPS
- idle: [....20] [ip4][..tcp] [.......10.8.0.1][48222] -> [162.247.243.188][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads]
- guessed: [....10] [ip4][..tcp] [..10.158.132.91][51120] -> [........8.8.8.8][...53] [DNS][Google][Network][Acceptable][]
- end: [....10] [ip4][..tcp] [..10.158.132.91][51120] -> [........8.8.8.8][...53]
- idle: [....12] [ip4][..tcp] [.......10.8.0.1][47594] -> [..99.83.135.170][..443] [TLS][AmazonAWS][Web][Safe]
+ idle: [....21] [ip4][..tcp] [.......10.8.0.1][48222] -> [162.247.243.188][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads]
+ guessed: [....11] [ip4][..tcp] [..10.158.132.91][51120] -> [........8.8.8.8][...53] [DNS][Google][Network][Acceptable][]
+ end: [....11] [ip4][..tcp] [..10.158.132.91][51120] -> [........8.8.8.8][...53]
+ idle: [....13] [ip4][..tcp] [.......10.8.0.1][47594] -> [..99.83.135.170][..443] [TLS][AmazonAWS][Web][Safe]
RISK: TLS (probably) Not Carrying HTTPS
- end: [.....9] [ip4][..tcp] [..10.158.132.91][38398] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
+ end: [....10] [ip4][..tcp] [..10.158.132.91][38398] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
RISK: Unidirectional Traffic
- idle: [.....1] [ip4][..tcp] [.......10.8.0.1][50178] -> [.104.17.154.236][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
- end: [....14] [ip4][..tcp] [.......10.8.0.1][33830] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
- end: [....16] [ip4][..tcp] [.......10.8.0.1][33838] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
- end: [....17] [ip4][..tcp] [.......10.8.0.1][33842] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
- end: [....18] [ip4][..tcp] [.......10.8.0.1][33846] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
- end: [....19] [ip4][..tcp] [.......10.8.0.1][33848] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
- idle: [....21] [ip4][..tcp] [.......10.8.0.1][33858] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
+ idle: [.....2] [ip4][..tcp] [.......10.8.0.1][50178] -> [.104.17.154.236][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
+ end: [....15] [ip4][..tcp] [.......10.8.0.1][33830] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
+ end: [....17] [ip4][..tcp] [.......10.8.0.1][33838] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
+ end: [....18] [ip4][..tcp] [.......10.8.0.1][33842] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
+ end: [....19] [ip4][..tcp] [.......10.8.0.1][33846] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
+ end: [....20] [ip4][..tcp] [.......10.8.0.1][33848] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
+ idle: [....22] [ip4][..tcp] [.......10.8.0.1][33858] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/viber.pcap.out b/test/results/flow-info/default/viber.pcap.out
index 9dbacd4d2..6829a1d06 100644
--- a/test/results/flow-info/default/viber.pcap.out
+++ b/test/results/flow-info/default/viber.pcap.out
@@ -69,6 +69,8 @@
[IATS(ms)....: 54.2,95.9,0.3,44.0,41.8,57.0,16.1,92.1,91.6,10563.9,10701.7,4192.1,4152.7,4422.1,4422.1,309.5,309.6,21.6,197.0,0.1,215.0,3974.5,3934.9,3635.3,52.6,3635.3,52.6,12.7,140.8,167.5,4361.2]
[PKTLENS.....: 153,108,52,128,52,494,116,52,120,52,149,52,146,52,146,52,391,52,150,52,136,52,146,52,146,410,52,52,150,136,52,582]
[ENTROPIES...: 6.4,6.0,4.8,6.2,5.0,7.6,6.1,5.0,6.1,4.9,6.3,4.9,6.4,5.0,6.5,4.9,7.4,5.0,6.5,5.0,6.3,5.0,6.5,5.0,6.4,7.4,5.0,5.0,6.5,6.4,5.0,7.6]
+ guessed: [.....1] [ip4][..tcp] [...192.168.0.17][33208] -> [...52.0.253.101][.4244] [Viber][Viber][VoIP][Fun]
+ RISK: Susp Entropy
new: [....18] [ip4][..tcp] [...192.168.0.17][45424] -> [....18.201.4.32][..443]
new: [....19] [ip4][..udp] [...192.168.0.17][47171] -> [....18.201.4.32][.7985]
detected: [....19] [ip4][..udp] [...192.168.0.17][47171] -> [....18.201.4.32][.7985] [Viber][AmazonAWS][VoIP][Fun]
@@ -109,11 +111,12 @@
detection-update: [....25] [ip4][..udp] [...192.168.0.17][50097] -> [...192.168.0.15][...53] [DNS.Google][Unknown][Network][Acceptable][www.google.com]
new: [....26] [ip4][.icmp] [...192.168.0.17] -> [...192.168.0.15]
detected: [....26] [ip4][.icmp] [...192.168.0.17] -> [...192.168.0.15] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
update: [.....3] [ip4][..udp] [...192.168.0.17][35283] -> [...192.168.0.15][...53] [DNS.ADS_Analytic_Track][Unknown][Network][Tracker/Ads]
update: [.....2] [ip4][..udp] [...192.168.0.17][45743] -> [...192.168.0.15][...53] [DNS.Facebook][Unknown][Network][Fun]
update: [.....4] [ip4][..udp] [...192.168.0.17][62872] -> [...192.168.0.15][...53] [DNS][Unknown][Network][Acceptable]
DAEMON-EVENT: [Processed: 420 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 26 / 26|skipped: 0|!detected: 0|guessed: 0|detection-updates: 19|updates: 4]
+ DAEMON-EVENT: [Flows][active: 26 / 26|skipped: 0|!detected: 0|guessed: 1|detection-updates: 19|updates: 4]
new: [....27] [ip4][..tcp] [..192.168.2.100][48690] -> [...52.0.252.145][.4244]
detected: [....27] [ip4][..tcp] [..192.168.2.100][48690] -> [...52.0.252.145][.4244] [Viber][Viber][VoIP][Fun]
end: [.....5] [ip4][..tcp] [...192.168.0.17][36986] -> [..54.69.166.226][..443] [TLS][AmazonAWS][Web][Safe]
@@ -124,9 +127,10 @@
idle: [....20] [ip4][..udp] [...192.168.0.17][47171] -> [....18.201.4.32][.7987] [Viber][AmazonAWS][VoIP][Fun]
idle: [.....8] [ip4][..tcp] [...192.168.0.17][57520] -> [...54.230.93.96][..443] [TLS.Viber][AmazonAWS][Chat][Fun]
idle: [....26] [ip4][.icmp] [...192.168.0.17] -> [...192.168.0.15] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
idle: [....17] [ip4][..tcp] [...192.168.0.17][55746] -> [..151.101.1.130][..443] [TLS][Unknown][Web][Safe]
- guessed: [.....1] [ip4][..tcp] [...192.168.0.17][33208] -> [...52.0.253.101][.4244] [Viber][Viber][VoIP][Fun]
- idle: [.....1] [ip4][..tcp] [...192.168.0.17][33208] -> [...52.0.253.101][.4244]
+ idle: [.....1] [ip4][..tcp] [...192.168.0.17][33208] -> [...52.0.253.101][.4244] [Viber][Viber][VoIP][Fun]
+ RISK: Susp Entropy
idle: [....10] [ip4][..tcp] [...192.168.0.17][53934] -> [...54.230.93.53][..443] [TLS.Viber][AmazonAWS][Chat][Fun]
idle: [....15] [ip6][icmp6] [..............fe80::3207:4dff:fea3:5fa7] -> [................................ff02::2] [ICMPV6][Unknown][Network][Acceptable]
idle: [....14] [ip4][..udp] [...192.168.0.17][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
@@ -154,7 +158,16 @@
DAEMON-EVENT: [Flows][active: 2 / 28|skipped: 0|!detected: 0|guessed: 4|detection-updates: 19|updates: 4]
new: [....29] [ip4][..tcp] [..192.168.2.100][42900] -> [..44.192.202.74][.4244] [MIDSTREAM]
detected: [....29] [ip4][..tcp] [..192.168.2.100][42900] -> [..44.192.202.74][.4244] [Viber][AmazonAWS][VoIP][Fun]
- idle: [....29] [ip4][..tcp] [..192.168.2.100][42900] -> [..44.192.202.74][.4244] [Viber][AmazonAWS][VoIP][Fun]
end: [....28] [ip4][..tcp] [..192.168.2.100][41184] -> [.....52.0.252.2][.5242] [Viber][Viber][VoIP][Fun]
idle: [....27] [ip4][..tcp] [..192.168.2.100][48690] -> [...52.0.252.145][.4244] [Viber][Viber][VoIP][Fun]
+ DAEMON-EVENT: [Processed: 447 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 29|skipped: 0|!detected: 0|guessed: 4|detection-updates: 19|updates: 4]
+ new: [....30] [ip4][..udp] [.192.168.12.156][40482] -> [...18.195.4.121][..443]
+ detected: [....30] [ip4][..udp] [.192.168.12.156][40482] -> [...18.195.4.121][..443] [STUN][Viber][Network][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ detection-update: [....30] [ip4][..udp] [.192.168.12.156][40482] -> [...18.195.4.121][..443] [STUN.ViberVoip][Viber][VoIP][Acceptable][viber.com]
+ RISK: Known Proto on Non Std Port
+ idle: [....29] [ip4][..tcp] [..192.168.2.100][42900] -> [..44.192.202.74][.4244] [Viber][AmazonAWS][VoIP][Fun]
+ idle: [....30] [ip4][..udp] [.192.168.12.156][40482] -> [...18.195.4.121][..443] [STUN.ViberVoip][Viber][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/wa_video.pcap.out b/test/results/flow-info/default/wa_video.pcap.out
index c0ba900b5..d62690839 100644
--- a/test/results/flow-info/default/wa_video.pcap.out
+++ b/test/results/flow-info/default/wa_video.pcap.out
@@ -41,6 +41,8 @@
[IATS(ms)....: 51.7,176.8,0.0,0.0,439.6,1227.8,0.8,306.1,108.9,2404.5,0.2,0.0,0.3,0.0,0.0,0.3,133.1,0.6,40.7,0.3,7.7,7.9,1.7,1.6,528.8,1.1,0.7,0.7,0.7,2.7,2.6]
[PKTLENS.....: 600,52,1440,155,508,508,332,189,225,1440,52,52,64,52,52,52,64,228,228,52,52,228,52,404,52,214,212,206,206,206,206,206]
[ENTROPIES...: 7.6,5.1,7.9,6.7,7.6,7.6,7.3,6.7,7.0,7.9,5.0,5.1,5.1,5.1,5.1,5.1,5.2,7.0,7.0,5.1,5.1,7.0,5.1,7.5,5.1,6.9,6.9,6.9,6.9,6.9,6.8,7.0]
+ guessed: [.....2] [ip4][..tcp] [...192.168.2.12][49355] -> [..157.240.20.53][.5222] [WhatsApp][WhatsApp][Chat][Acceptable]
+ RISK: Susp Entropy
analyse: [.....3] [ip4][..udp] [...192.168.2.12][53688] -> [....31.13.86.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.550| 0.064| 0.136| 18373.693| 3.100]
@@ -94,9 +96,8 @@
idle: [....13] [ip4][..udp] [...192.168.2.12][65025] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable]
idle: [....11] [ip4][..udp] [...192.168.2.12][53688] -> [...91.252.56.51][32641] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable]
RISK: Known Proto on Non Std Port
- guessed: [.....2] [ip4][..tcp] [...192.168.2.12][49355] -> [..157.240.20.53][.5222] [WhatsApp][WhatsApp][Chat][Acceptable]
+ idle: [.....2] [ip4][..tcp] [...192.168.2.12][49355] -> [..157.240.20.53][.5222] [WhatsApp][WhatsApp][Chat][Acceptable]
RISK: Susp Entropy
- idle: [.....2] [ip4][..tcp] [...192.168.2.12][49355] -> [..157.240.20.53][.5222]
idle: [....10] [ip4][..udp] [...192.168.2.12][53688] -> [.....1.60.78.64][59491] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable]
RISK: Known Proto on Non Std Port, Unidirectional Traffic
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/wa_voice.pcap.out b/test/results/flow-info/default/wa_voice.pcap.out
index de43affaf..296ec76e7 100644
--- a/test/results/flow-info/default/wa_voice.pcap.out
+++ b/test/results/flow-info/default/wa_voice.pcap.out
@@ -116,9 +116,11 @@
RISK: Known Proto on Non Std Port
detection-update: [....23] [ip4][..udp] [...91.252.56.51][32704] -> [...192.168.2.12][56328] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][]
RISK: Known Proto on Non Std Port
+ detection-update: [....23] [ip4][..udp] [...91.252.56.51][32704] -> [...192.168.2.12][56328] [SRTP.WhatsAppCall][Unknown][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
detection-update: [....24] [ip4][..udp] [...192.168.2.12][56328] -> [.....1.60.78.64][64282] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][]
RISK: Known Proto on Non Std Port, Unidirectional Traffic
- analyse: [....23] [ip4][..udp] [...91.252.56.51][32704] -> [...192.168.2.12][56328] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable]
+ analyse: [....23] [ip4][..udp] [...91.252.56.51][32704] -> [...192.168.2.12][56328] [SRTP.WhatsAppCall][Unknown][VoIP][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 1.204| 0.182| 0.229| 52393.320| 4.200]
[PKTLEN......: 54.000| 301.000| 144.900| 51.700| 2672.500| 4.900]
@@ -146,7 +148,7 @@
idle: [....25] [ip4][..tcp] [...192.168.2.12][49352] -> [169.254.162.244][49159]
end: [....21] [ip4][..tcp] [...192.168.2.12][50504] -> [..157.240.20.52][..443] [TLS.WhatsApp][WhatsApp][Chat][Acceptable]
idle: [....22] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable]
- idle: [....23] [ip4][..udp] [...91.252.56.51][32704] -> [...192.168.2.12][56328] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable]
+ idle: [....23] [ip4][..udp] [...91.252.56.51][32704] -> [...192.168.2.12][56328] [SRTP.WhatsAppCall][Unknown][VoIP][Acceptable]
RISK: Known Proto on Non Std Port
idle: [....27] [ip4][..udp] [...192.168.2.12][57546] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable]
idle: [.....6] [ip4][..udp] [...192.168.2.12][55296] -> [....192.168.2.1][...53] [DNS.WhatsAppFiles][Unknown][Network][Acceptable]
diff --git a/test/results/flow-info/default/waze.pcap.out b/test/results/flow-info/default/waze.pcap.out
index d7404cdef..ebb9ba4e4 100644
--- a/test/results/flow-info/default/waze.pcap.out
+++ b/test/results/flow-info/default/waze.pcap.out
@@ -10,6 +10,7 @@
new: [.....5] [ip4][..tcp] [.......10.8.0.1][36100] -> [..46.51.173.182][..443]
new: [.....6] [ip4][..tcp] [.......10.8.0.1][36102] -> [..46.51.173.182][..443]
detected: [.....4] [ip4][..tcp] [.......10.8.0.1][45529] -> [.54.230.227.172][...80] [HTTP.Waze][AmazonAWS][Web][Acceptable][roadshields.waze.com]
+ RISK: Susp Entropy
new: [.....7] [ip4][..tcp] [.......10.8.0.1][36585] -> [.173.194.118.48][..443]
detected: [.....5] [ip4][..tcp] [.......10.8.0.1][36100] -> [..46.51.173.182][..443] [TLS][AmazonAWS][Web][Safe][]
RISK: Obsolete TLS (v1.1 or older)
@@ -21,6 +22,7 @@
RISK: Obsolete TLS (v1.1 or older)
new: [.....8] [ip4][..tcp] [.......10.8.0.1][45536] -> [.54.230.227.172][...80]
detected: [.....8] [ip4][..tcp] [.......10.8.0.1][45536] -> [.54.230.227.172][...80] [HTTP.Waze][AmazonAWS][Web][Acceptable][cres.waze.com]
+ RISK: Susp Entropy
detection-update: [.....6] [ip4][..tcp] [.......10.8.0.1][36102] -> [..46.51.173.182][..443] [TLS][AmazonAWS][Web][Safe][]
RISK: Obsolete TLS (v1.1 or older), Weak TLS Cipher
detection-update: [.....5] [ip4][..tcp] [.......10.8.0.1][36100] -> [..46.51.173.182][..443] [TLS.Waze][AmazonAWS][Web][Acceptable][]
@@ -28,11 +30,13 @@
detection-update: [.....6] [ip4][..tcp] [.......10.8.0.1][36102] -> [..46.51.173.182][..443] [TLS.Waze][AmazonAWS][Web][Acceptable][]
RISK: Obsolete TLS (v1.1 or older), Weak TLS Cipher
detection-update: [.....3] [ip4][..tcp] [.......10.8.0.1][54915] -> [..65.39.128.135][...80] [HTTP][Unknown][Download][Acceptable][xtra1.gpsonextra.net]
- RISK: Binary file/data transfer (attempt)
+ RISK: Binary File/Data Transfer (Attempt)
new: [.....9] [ip4][..tcp] [.......10.8.0.1][45538] -> [.54.230.227.172][...80]
new: [....10] [ip4][..tcp] [.......10.8.0.1][45540] -> [.54.230.227.172][...80]
detected: [.....9] [ip4][..tcp] [.......10.8.0.1][45538] -> [.54.230.227.172][...80] [HTTP.Waze][AmazonAWS][Web][Acceptable][cres.waze.com]
+ RISK: Susp Entropy
detected: [....10] [ip4][..tcp] [.......10.8.0.1][45540] -> [.54.230.227.172][...80] [HTTP.Waze][AmazonAWS][Web][Acceptable][roadshields.waze.com]
+ RISK: Susp Entropy
new: [....11] [ip4][..tcp] [.......10.8.0.1][51049] -> [.176.34.103.105][..443]
new: [....12] [ip4][..tcp] [.......10.8.0.1][51050] -> [.176.34.103.105][..443]
new: [....13] [ip4][..tcp] [.......10.8.0.1][51051] -> [.176.34.103.105][..443]
@@ -47,8 +51,10 @@
detected: [....14] [ip4][..tcp] [.......10.8.0.1][39010] -> [..52.17.114.219][..443] [TLS][AmazonAWS][Web][Safe][]
RISK: Obsolete TLS (v1.1 or older)
detected: [....15] [ip4][..tcp] [.......10.8.0.1][45546] -> [.54.230.227.172][...80] [HTTP.Waze][AmazonAWS][Web][Acceptable][cres.waze.com]
+ RISK: Susp Entropy
new: [....16] [ip4][..tcp] [.......10.8.0.1][45552] -> [.54.230.227.172][...80]
detected: [....16] [ip4][..tcp] [.......10.8.0.1][45552] -> [.54.230.227.172][...80] [HTTP.Waze][AmazonAWS][Web][Acceptable][cres.waze.com]
+ RISK: Susp Entropy
detection-update: [....13] [ip4][..tcp] [.......10.8.0.1][51051] -> [.176.34.103.105][..443] [TLS][AmazonAWS][Web][Safe][]
RISK: Obsolete TLS (v1.1 or older)
detection-update: [....11] [ip4][..tcp] [.......10.8.0.1][51049] -> [.176.34.103.105][..443] [TLS][AmazonAWS][Web][Safe][]
@@ -57,6 +63,7 @@
RISK: Obsolete TLS (v1.1 or older)
new: [....17] [ip4][..tcp] [.......10.8.0.1][45554] -> [.54.230.227.172][...80]
detected: [....17] [ip4][..tcp] [.......10.8.0.1][45554] -> [.54.230.227.172][...80] [HTTP.Waze][AmazonAWS][Web][Acceptable][cres.waze.com]
+ RISK: Susp Entropy
analyse: [.....3] [ip4][..tcp] [.......10.8.0.1][54915] -> [..65.39.128.135][...80] [HTTP][Unknown][Download][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: 0.002| 3.681| 0.340| 0.885| 782653.260| 2.800]
@@ -167,12 +174,19 @@
guessed: [....26] [ip4][..tcp] [...10.16.37.157][52953] -> [...200.160.4.49][...80] [HTTP][Unknown][Web][Acceptable][]
end: [....26] [ip4][..tcp] [...10.16.37.157][52953] -> [...200.160.4.49][...80]
end: [.....4] [ip4][..tcp] [.......10.8.0.1][45529] -> [.54.230.227.172][...80] [HTTP.Waze][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
end: [.....8] [ip4][..tcp] [.......10.8.0.1][45536] -> [.54.230.227.172][...80] [HTTP.Waze][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
end: [.....9] [ip4][..tcp] [.......10.8.0.1][45538] -> [.54.230.227.172][...80] [HTTP.Waze][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
end: [....10] [ip4][..tcp] [.......10.8.0.1][45540] -> [.54.230.227.172][...80] [HTTP.Waze][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
end: [....15] [ip4][..tcp] [.......10.8.0.1][45546] -> [.54.230.227.172][...80] [HTTP.Waze][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
end: [....16] [ip4][..tcp] [.......10.8.0.1][45552] -> [.54.230.227.172][...80] [HTTP.Waze][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
end: [....17] [ip4][..tcp] [.......10.8.0.1][45554] -> [.54.230.227.172][...80] [HTTP.Waze][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
idle: [....32] [ip4][..tcp] [.......10.8.0.1][50828] -> [108.168.176.228][..443] [WhatsApp][Unknown][Chat][Acceptable]
guessed: [....25] [ip4][..tcp] [.......10.8.0.1][45169] -> [..200.160.4.198][...80] [HTTP][Unknown][Web][Acceptable][]
end: [....25] [ip4][..tcp] [.......10.8.0.1][45169] -> [..200.160.4.198][...80]
@@ -211,7 +225,7 @@
guessed: [....28] [ip4][..tcp] [.......10.8.0.1][60574] -> [...200.160.4.49][...80] [HTTP][Unknown][Web][Acceptable][]
end: [....28] [ip4][..tcp] [.......10.8.0.1][60574] -> [...200.160.4.49][...80]
end: [.....3] [ip4][..tcp] [.......10.8.0.1][54915] -> [..65.39.128.135][...80] [HTTP][Unknown][Download][Acceptable]
- RISK: Binary file/data transfer (attempt)
+ RISK: Binary File/Data Transfer (Attempt)
guessed: [....23] [ip4][..tcp] [...10.16.37.157][46473] -> [...200.160.4.49][...80] [HTTP][Unknown][Web][Acceptable][]
end: [....23] [ip4][..tcp] [...10.16.37.157][46473] -> [...200.160.4.49][...80]
guessed: [....30] [ip4][..tcp] [.......10.8.0.1][60479] -> [...200.160.4.49][..443] [TLS][Unknown][Web][Safe]
diff --git a/test/results/flow-info/default/webdav.pcap.out b/test/results/flow-info/default/webdav.pcap.out
index 5e5cf1804..fe2da2f65 100644
--- a/test/results/flow-info/default/webdav.pcap.out
+++ b/test/results/flow-info/default/webdav.pcap.out
@@ -4,6 +4,50 @@
new: [.....1] [ip4][..tcp] [....10.24.8.189][50652] -> [..104.156.149.6][...80]
detected: [.....1] [ip4][..tcp] [....10.24.8.189][50652] -> [..104.156.149.6][...80] [HTTP.WebDAV][Unknown][Collaborative][Acceptable][104.156.149.6]
RISK: HTTP/TLS/QUIC Numeric Hostname/SNI
+ DAEMON-EVENT: [Processed: 14 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....2] [ip4][..tcp] [.192.168.16.173][35612] -> [.198.244.151.63][...80]
+ detected: [.....2] [ip4][..tcp] [.192.168.16.173][35612] -> [.198.244.151.63][...80] [HTTP.WebDAV][Unknown][Collaborative][Acceptable][www.dlp-test.com]
+ detection-update: [.....2] [ip4][..tcp] [.192.168.16.173][35612] -> [.198.244.151.63][...80] [HTTP.WebDAV][Unknown][Collaborative][Acceptable][www.dlp-test.com]
+ RISK: Error Code
end: [.....1] [ip4][..tcp] [....10.24.8.189][50652] -> [..104.156.149.6][...80] [HTTP.WebDAV][Unknown][Collaborative][Acceptable]
RISK: HTTP/TLS/QUIC Numeric Hostname/SNI
+ new: [.....3] [ip4][..tcp] [.192.168.16.173][41714] -> [.198.244.151.63][...80]
+ detected: [.....3] [ip4][..tcp] [.192.168.16.173][41714] -> [.198.244.151.63][...80] [HTTP.WebDAV][Unknown][Collaborative][Acceptable][www.dlp-test.com]
+ detection-update: [.....3] [ip4][..tcp] [.192.168.16.173][41714] -> [.198.244.151.63][...80] [HTTP.WebDAV][Unknown][Collaborative][Acceptable][www.dlp-test.com]
+ RISK: Error Code
+ new: [.....4] [ip4][..tcp] [.192.168.16.173][55974] -> [.198.244.151.63][...80]
+ detected: [.....4] [ip4][..tcp] [.192.168.16.173][55974] -> [.198.244.151.63][...80] [HTTP.WebDAV][Unknown][Collaborative][Acceptable][www.dlp-test.com]
+ detection-update: [.....4] [ip4][..tcp] [.192.168.16.173][55974] -> [.198.244.151.63][...80] [HTTP.WebDAV][Unknown][Collaborative][Acceptable][www.dlp-test.com]
+ RISK: Error Code
+ new: [.....5] [ip4][..tcp] [.192.168.16.173][47432] -> [.198.244.151.63][...80]
+ detected: [.....5] [ip4][..tcp] [.192.168.16.173][47432] -> [.198.244.151.63][...80] [HTTP.WebDAV][Unknown][Collaborative][Acceptable][www.dlp-test.com]
+ detection-update: [.....5] [ip4][..tcp] [.192.168.16.173][47432] -> [.198.244.151.63][...80] [HTTP.WebDAV][Unknown][Collaborative][Acceptable][www.dlp-test.com]
+ RISK: Error Code
+ new: [.....6] [ip4][..tcp] [.192.168.16.173][47436] -> [.198.244.151.63][...80]
+ detected: [.....6] [ip4][..tcp] [.192.168.16.173][47436] -> [.198.244.151.63][...80] [HTTP.WebDAV][Unknown][Collaborative][Acceptable][www.dlp-test.com]
+ detection-update: [.....6] [ip4][..tcp] [.192.168.16.173][47436] -> [.198.244.151.63][...80] [HTTP.WebDAV][Unknown][Collaborative][Acceptable][www.dlp-test.com]
+ RISK: Error Code
+ new: [.....7] [ip4][..tcp] [.192.168.16.173][47726] -> [.198.244.151.63][...80]
+ detected: [.....7] [ip4][..tcp] [.192.168.16.173][47726] -> [.198.244.151.63][...80] [HTTP.WebDAV][Unknown][Collaborative][Acceptable][www.dlp-test.com]
+ detection-update: [.....7] [ip4][..tcp] [.192.168.16.173][47726] -> [.198.244.151.63][...80] [HTTP.WebDAV][Unknown][Collaborative][Acceptable][www.dlp-test.com]
+ RISK: Error Code
+ new: [.....8] [ip4][..tcp] [.192.168.16.173][57432] -> [.198.244.151.63][...80]
+ detected: [.....8] [ip4][..tcp] [.192.168.16.173][57432] -> [.198.244.151.63][...80] [HTTP.WebDAV][Unknown][Collaborative][Acceptable][www.dlp-test.com]
+ detection-update: [.....8] [ip4][..tcp] [.192.168.16.173][57432] -> [.198.244.151.63][...80] [HTTP.WebDAV][Unknown][Collaborative][Acceptable][www.dlp-test.com]
+ RISK: Error Code
+ end: [.....7] [ip4][..tcp] [.192.168.16.173][47726] -> [.198.244.151.63][...80] [HTTP.WebDAV][Unknown][Collaborative][Acceptable]
+ RISK: Error Code
+ end: [.....4] [ip4][..tcp] [.192.168.16.173][55974] -> [.198.244.151.63][...80] [HTTP.WebDAV][Unknown][Collaborative][Acceptable]
+ RISK: Error Code
+ end: [.....3] [ip4][..tcp] [.192.168.16.173][41714] -> [.198.244.151.63][...80] [HTTP.WebDAV][Unknown][Collaborative][Acceptable]
+ RISK: Error Code
+ end: [.....2] [ip4][..tcp] [.192.168.16.173][35612] -> [.198.244.151.63][...80] [HTTP.WebDAV][Unknown][Collaborative][Acceptable]
+ RISK: Error Code
+ end: [.....8] [ip4][..tcp] [.192.168.16.173][57432] -> [.198.244.151.63][...80] [HTTP.WebDAV][Unknown][Collaborative][Acceptable]
+ RISK: Error Code
+ end: [.....5] [ip4][..tcp] [.192.168.16.173][47432] -> [.198.244.151.63][...80] [HTTP.WebDAV][Unknown][Collaborative][Acceptable]
+ RISK: Error Code
+ end: [.....6] [ip4][..tcp] [.192.168.16.173][47436] -> [.198.244.151.63][...80] [HTTP.WebDAV][Unknown][Collaborative][Acceptable]
+ RISK: Error Code
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/wechat.pcap.out b/test/results/flow-info/default/wechat.pcap.out
index 4d8acc25f..a9fd8499b 100644
--- a/test/results/flow-info/default/wechat.pcap.out
+++ b/test/results/flow-info/default/wechat.pcap.out
@@ -216,7 +216,6 @@
[PKTLENS.....: 60,60,52,290,52,1480,52,1740,52,178,103,1225,429,52,250,1292,527,52,1480,216,52,1225,429,52,250,52,1140,1480,52,1480,52,1480]
[ENTROPIES...: 4.7,5.2,5.1,5.9,5.1,6.8,5.0,7.6,5.0,6.4,6.1,7.8,7.4,5.1,7.1,7.8,7.6,5.1,7.9,7.0,5.0,7.8,7.4,5.1,7.1,5.0,7.8,7.9,5.1,7.9,5.1,7.9]
guessed: [.....1] [ip4][..tcp] [203.205.151.162][..443] -> [..192.168.1.103][54084] [TLS][Unknown][Web][Safe]
- RISK: Susp Entropy
end: [.....1] [ip4][..tcp] [203.205.151.162][..443] -> [..192.168.1.103][54084]
guessed: [....15] [ip4][..tcp] [..192.168.1.103][54085] -> [203.205.151.162][..443] [TLS][Unknown][Web][Safe]
end: [....15] [ip4][..tcp] [..192.168.1.103][54085] -> [203.205.151.162][..443]
diff --git a/test/results/flow-info/default/weibo.pcap.out b/test/results/flow-info/default/weibo.pcap.out
index 99e555b67..f4c14bdaa 100644
--- a/test/results/flow-info/default/weibo.pcap.out
+++ b/test/results/flow-info/default/weibo.pcap.out
@@ -211,7 +211,6 @@
guessed: [.....9] [ip4][..tcp] [..192.168.1.105][35154] -> [.216.58.210.206][..443] [TLS][Google][Web][Safe]
idle: [.....9] [ip4][..tcp] [..192.168.1.105][35154] -> [.216.58.210.206][..443]
guessed: [.....4] [ip4][..udp] [..192.168.1.105][53656] -> [.216.58.210.227][..443] [QUIC][Google][Web][Acceptable]
- RISK: Susp Entropy
idle: [.....4] [ip4][..udp] [..192.168.1.105][53656] -> [.216.58.210.227][..443]
idle: [....33] [ip4][..udp] [..192.168.1.105][50533] -> [....192.168.1.1][...53] [DNS.SinaWeibo][Unknown][Network][Fun]
idle: [....11] [ip4][..tcp] [..192.168.1.105][51698] -> [.93.188.134.137][...80] [HTTP.SinaWeibo][Unknown][SocialNetwork][Fun]
diff --git a/test/results/flow-info/default/whatsapp_login_call.pcap.out b/test/results/flow-info/default/whatsapp_login_call.pcap.out
index 25c80512f..175304d00 100644
--- a/test/results/flow-info/default/whatsapp_login_call.pcap.out
+++ b/test/results/flow-info/default/whatsapp_login_call.pcap.out
@@ -165,7 +165,7 @@
update: [....30] [ip4][..udp] [....192.168.2.4][51518] -> [....31.13.73.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
update: [....27] [ip4][..udp] [....192.168.2.4][51518] -> [....31.13.91.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
update: [....28] [ip4][..udp] [....192.168.2.4][51518] -> [...31.13.79.192][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
- update: [....29] [ip4][..udp] [....192.168.2.4][51518] -> [....31.13.93.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
+ update: [....29] [ip4][..udp] [....192.168.2.4][51518] -> [....31.13.93.48][.3478] [SRTP.WhatsAppCall][Facebook][VoIP][Acceptable]
new: [....46] [ip4][..udp] [....192.168.2.4][52794] -> [....31.13.73.48][.3478]
detected: [....46] [ip4][..udp] [....192.168.2.4][52794] -> [....31.13.73.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
detection-update: [....46] [ip4][..udp] [....192.168.2.4][52794] -> [....31.13.73.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
@@ -214,9 +214,11 @@
new: [....55] [ip4][..udp] [....192.168.2.4][52794] -> [..91.253.176.65][.9665]
detected: [....55] [ip4][..udp] [....192.168.2.4][52794] -> [..91.253.176.65][.9665] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][]
RISK: Known Proto on Non Std Port
+ detection-update: [....55] [ip4][..udp] [....192.168.2.4][52794] -> [..91.253.176.65][.9665] [SRTP.WhatsAppCall][Unknown][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
detection-update: [....54] [ip4][..udp] [....192.168.2.4][52794] -> [...1.194.90.191][51727] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][]
RISK: Known Proto on Non Std Port, Unidirectional Traffic
- analyse: [....55] [ip4][..udp] [....192.168.2.4][52794] -> [..91.253.176.65][.9665] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable]
+ analyse: [....55] [ip4][..udp] [....192.168.2.4][52794] -> [..91.253.176.65][.9665] [SRTP.WhatsAppCall][Unknown][VoIP][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.307| 0.114| 0.086| 7398.241| 4.500]
[PKTLEN......: 54.000| 306.000| 141.000| 58.800| 3453.300| 4.900]
@@ -244,7 +246,7 @@
update: [....30] [ip4][..udp] [....192.168.2.4][51518] -> [....31.13.73.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
update: [....27] [ip4][..udp] [....192.168.2.4][51518] -> [....31.13.91.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
update: [....28] [ip4][..udp] [....192.168.2.4][51518] -> [...31.13.79.192][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
- update: [....29] [ip4][..udp] [....192.168.2.4][51518] -> [....31.13.93.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
+ update: [....29] [ip4][..udp] [....192.168.2.4][51518] -> [....31.13.93.48][.3478] [SRTP.WhatsAppCall][Facebook][VoIP][Acceptable]
update: [....12] [ip4][..udp] [....192.168.2.4][52190] -> [....192.168.2.1][...53] [DNS.WhatsApp][Unknown][Network][Acceptable]
update: [....43] [ip6][..udp] [................fe80::da30:62ff:fe56:1c][.5353] -> [...............................ff02::fb][.5353] [MDNS][Unknown][Network][Acceptable]
new: [....57] [ip4][..tcp] [....192.168.2.4][49205] -> [..17.173.66.102][..443]
@@ -296,7 +298,7 @@
update: [....52] [ip4][..udp] [....192.168.2.4][52794] -> [....31.13.74.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
update: [....53] [ip4][..udp] [....192.168.2.4][52794] -> [....31.13.84.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
update: [....48] [ip4][..udp] [....192.168.2.4][52794] -> [...31.13.79.192][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
- update: [....55] [ip4][..udp] [....192.168.2.4][52794] -> [..91.253.176.65][.9665] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable]
+ update: [....55] [ip4][..udp] [....192.168.2.4][52794] -> [..91.253.176.65][.9665] [SRTP.WhatsAppCall][Unknown][VoIP][Acceptable]
RISK: Known Proto on Non Std Port
update: [....33] [ip4][..udp] [....192.168.2.1][17500] -> [..192.168.2.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
update: [....54] [ip4][..udp] [....192.168.2.4][52794] -> [...1.194.90.191][51727] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable]
@@ -328,7 +330,7 @@
end: [....36] [ip4][..tcp] [....192.168.2.4][49198] -> [..17.167.142.13][..443]
guessed: [....37] [ip4][..tcp] [....192.168.2.4][49200] -> [..17.167.142.13][..443] [TLS][Apple][Web][Safe]
end: [....37] [ip4][..tcp] [....192.168.2.4][49200] -> [..17.167.142.13][..443]
- idle: [....55] [ip4][..udp] [....192.168.2.4][52794] -> [..91.253.176.65][.9665] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable]
+ idle: [....55] [ip4][..udp] [....192.168.2.4][52794] -> [..91.253.176.65][.9665] [SRTP.WhatsAppCall][Unknown][VoIP][Acceptable]
RISK: Known Proto on Non Std Port
idle: [....33] [ip4][..udp] [....192.168.2.1][17500] -> [..192.168.2.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
idle: [....45] [ip6][..udp] [...............fe80::c42c:3ff:fe60:6a64][.5353] -> [...............................ff02::fb][.5353] [MDNS][Unknown][Network][Acceptable]
@@ -343,7 +345,7 @@
idle: [....11] [ip4][..udp] [....192.168.2.4][51897] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe]
end: [....13] [ip4][..tcp] [....192.168.2.4][49201] -> [..17.178.104.12][..443] [TLS.Apple][Apple][Web][Safe]
RISK: TLS (probably) Not Carrying HTTPS
- idle: [....29] [ip4][..udp] [....192.168.2.4][51518] -> [....31.13.93.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
+ idle: [....29] [ip4][..udp] [....192.168.2.4][51518] -> [....31.13.93.48][.3478] [SRTP.WhatsAppCall][Facebook][VoIP][Acceptable]
idle: [....28] [ip4][..udp] [....192.168.2.4][51518] -> [...31.13.79.192][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
idle: [....27] [ip4][..udp] [....192.168.2.4][51518] -> [....31.13.91.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
idle: [....30] [ip4][..udp] [....192.168.2.4][51518] -> [....31.13.73.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
diff --git a/test/results/flow-info/default/windowsupdate_over_http.pcap.out b/test/results/flow-info/default/windowsupdate_over_http.pcap.out
index f4e62aff6..c11505f56 100644
--- a/test/results/flow-info/default/windowsupdate_over_http.pcap.out
+++ b/test/results/flow-info/default/windowsupdate_over_http.pcap.out
@@ -3,7 +3,7 @@
detected: [.....1] [ip4][..tcp] [......10.0.2.15][49815] -> [..151.99.72.125][...80] [HTTP.WindowsUpdate][Unknown][SoftwareUpdate][Safe][151.99.72.125]
RISK: HTTP/TLS/QUIC Numeric Hostname/SNI
detection-update: [.....1] [ip4][..tcp] [......10.0.2.15][49815] -> [..151.99.72.125][...80] [HTTP.WindowsUpdate][Unknown][Download][Safe][151.99.72.125]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
idle: [.....1] [ip4][..tcp] [......10.0.2.15][49815] -> [..151.99.72.125][...80] [HTTP.WindowsUpdate][Unknown][Download][Safe]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary file/data transfer (attempt)
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Binary File/Data Transfer (Attempt)
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/windscribe.pcapng.out b/test/results/flow-info/default/windscribe.pcapng.out
new file mode 100644
index 000000000..b1202a6d0
--- /dev/null
+++ b/test/results/flow-info/default/windscribe.pcapng.out
@@ -0,0 +1,11 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..tcp] [.192.168.12.156][42192] -> [.107.161.86.132][..443]
+ detected: [.....1] [ip4][..tcp] [.192.168.12.156][42192] -> [.107.161.86.132][..443] [TLS][Unknown][Web][Safe][]
+ RISK: Missing SNI TLS Extn, ALPN/SNI Mismatch
+ detection-update: [.....1] [ip4][..tcp] [.192.168.12.156][42192] -> [.107.161.86.132][..443] [TLS.Windscribe][Unknown][VPN][Acceptable][]
+ RISK: Self-signed Cert, Weak TLS Cipher, Missing SNI TLS Extn, ALPN/SNI Mismatch
+ idle: [.....1] [ip4][..tcp] [.192.168.12.156][42192] -> [.107.161.86.132][..443] [TLS.Windscribe][Unknown][VPN][Acceptable]
+ RISK: Self-signed Cert, Weak TLS Cipher, Missing SNI TLS Extn, ALPN/SNI Mismatch
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/xiaomi.pcap.out b/test/results/flow-info/default/xiaomi.pcap.out
index 0339e3e04..354238c93 100644
--- a/test/results/flow-info/default/xiaomi.pcap.out
+++ b/test/results/flow-info/default/xiaomi.pcap.out
@@ -7,29 +7,39 @@
DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....2] [ip4][..tcp] [.115.164.74.232][.5222] -> [192.168.244.219][45904]
detected: [.....2] [ip4][..tcp] [.115.164.74.232][.5222] -> [192.168.244.219][45904] [Xiaomi][Unknown][Web][Acceptable][47.241.35.73]
+ RISK: Susp Entropy
new: [.....3] [ip4][..tcp] [.115.164.74.232][.5222] -> [.192.168.247.13][38018]
detected: [.....3] [ip4][..tcp] [.115.164.74.232][.5222] -> [.192.168.247.13][38018] [Xiaomi][Unknown][Web][Acceptable][47.241.35.73]
+ RISK: Susp Entropy
idle: [.....1] [ip4][..tcp] [....47.241.7.88][.5222] -> [..10.52.151.160][39180] [Xiaomi][Alibaba][Web][Acceptable]
new: [.....4] [ip4][..tcp] [..97.39.119.172][.5222] -> [..192.168.93.59][51488]
detected: [.....4] [ip4][..tcp] [..97.39.119.172][.5222] -> [..192.168.93.59][51488] [Xiaomi][Unknown][Web][Acceptable][47.241.59.87]
+ RISK: Susp Entropy
DAEMON-EVENT: [Processed: 18 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 3 / 4|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....5] [ip4][..tcp] [..192.168.2.100][37708] -> [...3.127.176.74][.5222]
detected: [.....5] [ip4][..tcp] [..192.168.2.100][37708] -> [...3.127.176.74][.5222] [Xiaomi][AmazonAWS][Web][Acceptable][fr-app-chat-global-xiaomi-net1-1667981913.eu-central-1.elb.amazonaws.com]
+ RISK: Susp Entropy
idle: [.....2] [ip4][..tcp] [.115.164.74.232][.5222] -> [192.168.244.219][45904] [Xiaomi][Unknown][Web][Acceptable]
+ RISK: Susp Entropy
idle: [.....4] [ip4][..tcp] [..97.39.119.172][.5222] -> [..192.168.93.59][51488] [Xiaomi][Unknown][Web][Acceptable]
+ RISK: Susp Entropy
idle: [.....3] [ip4][..tcp] [.115.164.74.232][.5222] -> [.192.168.247.13][38018] [Xiaomi][Unknown][Web][Acceptable]
+ RISK: Susp Entropy
DAEMON-EVENT: [Processed: 33 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 1 / 5|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....6] [ip4][..tcp] [..192.168.2.100][45106] -> [.18.193.233.122][.5222]
detected: [.....6] [ip4][..tcp] [..192.168.2.100][45106] -> [.18.193.233.122][.5222] [Xiaomi][AmazonAWS][Web][Acceptable][fr-app-chat-global-xiaomi-net2-2117517874.eu-central-1.elb.amazonaws.com]
+ RISK: Susp Entropy
idle: [.....5] [ip4][..tcp] [..192.168.2.100][37708] -> [...3.127.176.74][.5222] [Xiaomi][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
DAEMON-EVENT: [Processed: 48 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 1 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....7] [ip4][..tcp] [..192.168.2.100][48698] -> [...203.107.1.65][...80]
detected: [.....7] [ip4][..tcp] [..192.168.2.100][48698] -> [...203.107.1.65][...80] [HTTP.Xiaomi][Alibaba][Web][Acceptable][203.107.1.65]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Susp Entropy
idle: [.....7] [ip4][..tcp] [..192.168.2.100][48698] -> [...203.107.1.65][...80] [HTTP.Xiaomi][Alibaba][Web][Acceptable]
- RISK: HTTP/TLS/QUIC Numeric Hostname/SNI
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, Susp Entropy
idle: [.....6] [ip4][..tcp] [..192.168.2.100][45106] -> [.18.193.233.122][.5222] [Xiaomi][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/zoom.pcap.out b/test/results/flow-info/default/zoom.pcap.out
index f7f50d8cc..8c9028cdc 100644
--- a/test/results/flow-info/default/zoom.pcap.out
+++ b/test/results/flow-info/default/zoom.pcap.out
@@ -135,7 +135,7 @@
ERROR-EVENT: Unknown packet type [3/16]
new: [....32] [ip4][..udp] [..192.168.1.117][60620] -> [..109.94.160.99][.8801]
detected: [....32] [ip4][..udp] [..192.168.1.117][60620] -> [..109.94.160.99][.8801] [Zoom][Unknown][Video][Acceptable]
- analyse: [....31] [ip4][..udp] [..192.168.1.117][58327] -> [..109.94.160.99][.8801] [SRTP.Zoom][Unknown][Video][Acceptable]
+ analyse: [....31] [ip4][..udp] [..192.168.1.117][58327] -> [..109.94.160.99][.8801] [Zoom][Unknown][Video][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.036| 0.010| 0.009| 72.691| 4.500]
[PKTLEN......: 41.000| 1057.000| 872.800| 383.700| 147246.200| 4.800]
@@ -193,9 +193,8 @@
idle: [.....1] [ip4][..tcp] [..192.168.1.117][54854] -> [..172.217.21.72][..443] [TLS.GoogleServices][Google][Web][Acceptable]
RISK: Obsolete TLS (v1.1 or older), Unidirectional Traffic
idle: [.....6] [ip4][..udp] [..192.168.1.117][..137] -> [..192.168.1.255][..137] [NetBIOS][Unknown][System][Acceptable]
- idle: [....33] [ip4][..udp] [..192.168.1.117][61731] -> [..109.94.160.99][.8801] [SRTP.Zoom][Unknown][Video][Acceptable]
+ idle: [....33] [ip4][..udp] [..192.168.1.117][61731] -> [..109.94.160.99][.8801] [Zoom][Unknown][Video][Acceptable]
guessed: [....15] [ip4][..tcp] [..192.168.1.117][53867] -> [..104.199.65.42][...80] [HTTP][Google][Web][Acceptable][]
- RISK: Susp Entropy
idle: [....15] [ip4][..tcp] [..192.168.1.117][53867] -> [..104.199.65.42][...80]
idle: [.....8] [ip4][..tcp] [..192.168.1.117][54864] -> [..52.202.62.238][..443] [TLS.Zoom][Zoom][Video][Acceptable]
idle: [....19] [ip4][..tcp] [..192.168.1.117][54865] -> [..52.202.62.196][..443] [TLS.Zoom][Zoom][Video][Acceptable]
@@ -214,7 +213,7 @@
end: [....26] [ip4][..tcp] [..192.168.1.117][54868] -> [.213.19.144.104][..443] [TLS.Zoom][Zoom][Video][Acceptable]
RISK: TLS (probably) Not Carrying HTTPS
idle: [.....7] [ip4][..udp] [..192.168.1.117][64352] -> [....192.168.1.1][...53] [DNS.Zoom][Unknown][Network][Acceptable]
- idle: [....31] [ip4][..udp] [..192.168.1.117][58327] -> [..109.94.160.99][.8801] [SRTP.Zoom][Unknown][Video][Acceptable]
+ idle: [....31] [ip4][..udp] [..192.168.1.117][58327] -> [..109.94.160.99][.8801] [Zoom][Unknown][Video][Acceptable]
end: [....27] [ip4][..tcp] [..192.168.1.117][54869] -> [.213.244.140.85][..443] [TLS.Zoom][Zoom][Video][Acceptable]
RISK: TLS (probably) Not Carrying HTTPS
end: [....28] [ip4][..tcp] [..192.168.1.117][54870] -> [.213.244.140.84][..443] [TLS.Zoom][Zoom][Video][Acceptable]
@@ -222,7 +221,7 @@
idle: [....23] [ip4][..udp] [..192.168.1.117][62563] -> [....192.168.1.1][...53] [DNS.Zoom][Unknown][Network][Acceptable]
idle: [.....4] [ip4][..tcp] [..192.168.1.117][54341] -> [.62.149.152.153][..993] [IMAPS][Unknown][Email][Safe]
RISK: Unidirectional Traffic
- idle: [....32] [ip4][..udp] [..192.168.1.117][60620] -> [..109.94.160.99][.8801] [SRTP.Zoom][Unknown][Video][Acceptable]
+ idle: [....32] [ip4][..udp] [..192.168.1.117][60620] -> [..109.94.160.99][.8801] [Zoom][Unknown][Video][Acceptable]
idle: [.....5] [ip4][..udp] [..192.168.1.117][57025] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable]
idle: [....16] [ip4][..tcp] [..192.168.1.117][53872] -> [..35.186.224.53][..443] [TLS][GoogleCloud][Web][Safe]
idle: [....30] [ip4][..tcp] [..192.168.1.117][54871] -> [..109.94.160.99][..443] [TLS.Zoom][Unknown][Video][Acceptable]
diff --git a/test/results/flow-info/default/zoom2.pcap.out b/test/results/flow-info/default/zoom2.pcap.out
index 4248302cd..c5c434804 100644
--- a/test/results/flow-info/default/zoom2.pcap.out
+++ b/test/results/flow-info/default/zoom2.pcap.out
@@ -13,7 +13,7 @@
detection-update: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
RISK: Unidirectional Traffic
detection-update: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
- analyse: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801] [SRTP.Zoom][Zoom][Video][Acceptable]
+ analyse: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.167| 0.025| 0.040| 1639.456| 3.600]
[PKTLEN......: 46.000| 1064.000| 704.700| 464.600| 215864.300| 4.600]
@@ -33,7 +33,7 @@
detection-update: [.....4] [ip4][..udp] [..192.168.1.178][57953] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
RISK: Unidirectional Traffic
detection-update: [.....4] [ip4][..udp] [..192.168.1.178][57953] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
- analyse: [.....3] [ip4][..udp] [..192.168.1.178][58117] -> [.144.195.73.154][.8801] [SRTP.Zoom][Zoom][Video][Acceptable]
+ analyse: [.....3] [ip4][..udp] [..192.168.1.178][58117] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.176| 0.043| 0.049| 2389.122| 4.100]
[PKTLEN......: 46.000| 189.000| 129.000| 35.800| 1279.800| 4.900]
@@ -43,7 +43,7 @@
[IATS(ms)....: 98.5,176.4,0.1,85.5,9.5,94.8,0.0,99.9,94.2,12.3,1.9,12.4,20.6,17.0,20.1,168.4,18.0,3.6,10.9,10.3,19.4,32.1,20.9,115.3,0.0,17.8,18.7,20.1,20.2,21.5,85.5]
[PKTLENS.....: 151,151,72,46,156,156,72,46,156,88,88,161,164,154,149,145,116,88,149,92,143,144,134,135,166,189,116,150,148,143,144,116]
[ENTROPIES...: 5.8,5.8,4.9,4.4,5.6,5.6,4.8,4.4,5.5,4.7,4.7,6.0,6.0,5.9,5.8,5.7,5.1,4.7,5.8,4.7,5.7,5.7,5.6,5.6,6.0,6.2,5.3,5.7,5.7,5.7,5.7,5.2]
- analyse: [.....4] [ip4][..udp] [..192.168.1.178][57953] -> [.144.195.73.154][.8801] [SRTP.Zoom][Zoom][Video][Acceptable]
+ analyse: [.....4] [ip4][..udp] [..192.168.1.178][57953] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.188| 0.047| 0.043| 1844.784| 4.300]
[PKTLEN......: 46.000| 171.000| 91.100| 44.600| 1993.400| 4.800]
@@ -53,9 +53,9 @@
[IATS(ms)....: 102.1,187.6,0.0,105.6,0.1,93.5,0.0,87.6,70.7,0.1,106.0,0.0,21.5,32.8,59.0,0.0,48.4,5.5,49.5,50.2,0.0,0.0,55.2,45.7,56.3,52.4,0.0,59.8,52.1,47.7,58.6]
[PKTLENS.....: 153,153,72,46,163,163,72,46,163,163,163,103,103,55,55,171,55,55,103,55,103,103,55,55,55,55,103,55,55,55,55,55]
[ENTROPIES...: 5.8,5.9,4.8,4.3,5.5,5.5,4.8,4.4,5.6,5.5,5.6,4.4,4.5,3.6,3.9,5.5,3.6,3.9,4.5,3.7,4.5,4.5,3.9,3.7,4.0,3.7,4.5,3.9,3.7,3.9,3.9,3.7]
- idle: [.....4] [ip4][..udp] [..192.168.1.178][57953] -> [.144.195.73.154][.8801] [SRTP.Zoom][Zoom][Video][Acceptable]
+ idle: [.....4] [ip4][..udp] [..192.168.1.178][57953] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
idle: [.....1] [ip4][..tcp] [..192.168.1.178][50076] -> [.144.195.73.154][..443] [TLS.Zoom][Zoom][Video][Acceptable]
RISK: TLS (probably) Not Carrying HTTPS
- idle: [.....3] [ip4][..udp] [..192.168.1.178][58117] -> [.144.195.73.154][.8801] [SRTP.Zoom][Zoom][Video][Acceptable]
- idle: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801] [SRTP.Zoom][Zoom][Video][Acceptable]
+ idle: [.....3] [ip4][..udp] [..192.168.1.178][58117] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
+ idle: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/zoom_p2p.pcapng.out b/test/results/flow-info/default/zoom_p2p.pcapng.out
index 99a03c91a..794bfd0a9 100644
--- a/test/results/flow-info/default/zoom_p2p.pcapng.out
+++ b/test/results/flow-info/default/zoom_p2p.pcapng.out
@@ -15,12 +15,18 @@
detected: [.....4] [ip4][..udp] [.192.168.12.156][38453] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable][]
new: [.....5] [ip4][.icmp] [.206.247.87.213] -> [.192.168.12.156]
detected: [.....5] [ip4][.icmp] [.206.247.87.213] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
+ RISK: Susp Entropy
update: [.....1] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
new: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036]
+ detected: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036] [Zoom][Unknown][Video][Acceptable]
+ detection-update: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036] [Zoom][Unknown][Video][Acceptable]
+ RISK: Unidirectional Traffic
update: [.....5] [ip4][.icmp] [.206.247.87.213] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
+ RISK: Susp Entropy
update: [.....2] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
new: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757]
- analyse: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757]
+ detected: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757] [Zoom][Unknown][Video][Acceptable]
+ analyse: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757] [Zoom][Unknown][Video][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.089| 0.026| 0.021| 430.173| 4.500]
[PKTLEN......: 113.000| 1277.000| 673.700| 485.600| 235788.400| 4.500]
@@ -33,28 +39,32 @@
update: [.....4] [ip4][..udp] [.192.168.12.156][38453] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
update: [.....3] [ip4][..udp] [.192.168.12.156][39065] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
update: [.....5] [ip4][.icmp] [.206.247.87.213] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
+ RISK: Susp Entropy
update: [.....1] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
- update: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036]
+ update: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036] [Zoom][Unknown][Video][Acceptable]
+ RISK: Unidirectional Traffic
update: [.....5] [ip4][.icmp] [.206.247.87.213] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
- update: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757]
+ RISK: Susp Entropy
+ update: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757] [Zoom][Unknown][Video][Acceptable]
update: [.....2] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
update: [.....4] [ip4][..udp] [.192.168.12.156][38453] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
update: [.....3] [ip4][..udp] [.192.168.12.156][39065] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
update: [.....5] [ip4][.icmp] [.206.247.87.213] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
+ RISK: Susp Entropy
update: [.....1] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
idle: [.....5] [ip4][.icmp] [.206.247.87.213] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
- update: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036]
- update: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757]
+ RISK: Susp Entropy
+ update: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036] [Zoom][Unknown][Video][Acceptable]
+ RISK: Unidirectional Traffic
+ update: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757] [Zoom][Unknown][Video][Acceptable]
update: [.....2] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
update: [.....4] [ip4][..udp] [.192.168.12.156][38453] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
update: [.....3] [ip4][..udp] [.192.168.12.156][39065] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
idle: [.....2] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
update: [.....1] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
- guessed: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036] [Zoom][Unknown][Video][Acceptable]
+ idle: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036] [Zoom][Unknown][Video][Acceptable]
RISK: Unidirectional Traffic
- idle: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036]
- guessed: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757] [Zoom][Unknown][Video][Acceptable]
- idle: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757]
+ idle: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757] [Zoom][Unknown][Video][Acceptable]
idle: [.....4] [ip4][..udp] [.192.168.12.156][38453] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
idle: [.....3] [ip4][..udp] [.192.168.12.156][39065] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
new: [.....8] [ip4][..udp] [.192.168.12.156][49579] -> [.206.247.10.253][.3478]
@@ -63,6 +73,7 @@
detected: [.....9] [ip4][..udp] [.192.168.12.156][42208] -> [.206.247.10.253][.3478] [STUN.Zoom][Zoom][Video][Acceptable][]
new: [....10] [ip4][.icmp] [.206.247.10.253] -> [.192.168.12.156]
detected: [....10] [ip4][.icmp] [.206.247.10.253] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
+ RISK: Susp Entropy
new: [....11] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353]
detected: [....11] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable][_ipps._tcp.local]
update: [.....1] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
@@ -77,9 +88,16 @@
[PKTLENS.....: 100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100]
[ENTROPIES...: 5.4,5.3,5.2,5.3,5.4,5.3,5.4,5.3,5.4,5.3,5.3,5.4,5.3,5.3,5.3,5.4,5.3,5.4,5.3,5.3,5.3,5.3,5.3,5.3,5.4,5.3,5.3,5.4,5.4,5.3,5.4,5.3]
new: [....12] [ip4][..udp] [.192.168.12.156][42208] -> [...10.78.14.178][47312]
+ detected: [....12] [ip4][..udp] [.192.168.12.156][42208] -> [...10.78.14.178][47312] [Zoom][Unknown][Video][Acceptable]
+ detection-update: [....12] [ip4][..udp] [.192.168.12.156][42208] -> [...10.78.14.178][47312] [Zoom][Unknown][Video][Acceptable]
+ RISK: Unidirectional Traffic
new: [....13] [ip4][..udp] [.192.168.12.156][49579] -> [...10.78.14.178][49586]
+ detected: [....13] [ip4][..udp] [.192.168.12.156][49579] -> [...10.78.14.178][49586] [Zoom][Unknown][Video][Acceptable]
+ detection-update: [....13] [ip4][..udp] [.192.168.12.156][49579] -> [...10.78.14.178][49586] [Zoom][Unknown][Video][Acceptable]
+ RISK: Unidirectional Traffic
update: [....10] [ip4][.icmp] [.206.247.10.253] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
- analyse: [....12] [ip4][..udp] [.192.168.12.156][42208] -> [...10.78.14.178][47312]
+ RISK: Susp Entropy
+ analyse: [....12] [ip4][..udp] [.192.168.12.156][42208] -> [...10.78.14.178][47312] [Zoom][Unknown][Video][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.052| 0.013| 0.016| 253.890| 4.000]
[PKTLEN......: 112.000| 112.000| 112.000| 0.000| 0.000| 5.000]
@@ -89,7 +107,7 @@
[IATS(ms)....: 0.2,27.3,11.2,7.7,6.8,1.5,0.1,13.3,6.9,1.7,40.5,0.2,15.5,0.6,33.3,0.2,50.8,0.4,5.9,5.7,52.3,0.4,7.2,2.3,22.7,0.2,31.0,0.2,40.9,0.2,22.6]
[PKTLENS.....: 112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112]
[ENTROPIES...: 5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0]
- analyse: [....13] [ip4][..udp] [.192.168.12.156][49579] -> [...10.78.14.178][49586]
+ analyse: [....13] [ip4][..udp] [.192.168.12.156][49579] -> [...10.78.14.178][49586] [Zoom][Unknown][Video][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.055| 0.027| 0.014| 209.331| 4.700]
[PKTLEN......: 112.000| 112.000| 112.000| 0.000| 0.000| 5.000]
@@ -100,14 +118,13 @@
[PKTLENS.....: 112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112]
[ENTROPIES...: 4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9]
idle: [....10] [ip4][.icmp] [.206.247.10.253] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
- guessed: [....13] [ip4][..udp] [.192.168.12.156][49579] -> [...10.78.14.178][49586] [Zoom][Unknown][Video][Acceptable]
+ RISK: Susp Entropy
+ idle: [....13] [ip4][..udp] [.192.168.12.156][49579] -> [...10.78.14.178][49586] [Zoom][Unknown][Video][Acceptable]
RISK: Unidirectional Traffic
- idle: [....13] [ip4][..udp] [.192.168.12.156][49579] -> [...10.78.14.178][49586]
idle: [.....1] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
idle: [.....9] [ip4][..udp] [.192.168.12.156][42208] -> [.206.247.10.253][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
idle: [....11] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
- guessed: [....12] [ip4][..udp] [.192.168.12.156][42208] -> [...10.78.14.178][47312] [Zoom][Unknown][Video][Acceptable]
+ idle: [....12] [ip4][..udp] [.192.168.12.156][42208] -> [...10.78.14.178][47312] [Zoom][Unknown][Video][Acceptable]
RISK: Unidirectional Traffic
- idle: [....12] [ip4][..udp] [.192.168.12.156][42208] -> [...10.78.14.178][47312]
idle: [.....8] [ip4][..udp] [.192.168.12.156][49579] -> [.206.247.10.253][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/zug.pcap.out b/test/results/flow-info/default/zug.pcap.out
new file mode 100644
index 000000000..f3edffdda
--- /dev/null
+++ b/test/results/flow-info/default/zug.pcap.out
@@ -0,0 +1,35 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..udp] [..197.130.35.95][39594] -> [.163.40.238.205][19000]
+ detected: [.....1] [ip4][..udp] [..197.130.35.95][39594] -> [.163.40.238.205][19000] [ZUG][Unknown][Crypto_Currency][Acceptable]
+ DAEMON-EVENT: [Processed: 1 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....2] [ip4][..udp] [225.110.130.102][44066] -> [133.150.105.134][19000]
+ detected: [.....2] [ip4][..udp] [225.110.130.102][44066] -> [133.150.105.134][19000] [ZUG][Unknown][Crypto_Currency][Acceptable]
+ idle: [.....1] [ip4][..udp] [..197.130.35.95][39594] -> [.163.40.238.205][19000] [ZUG][Unknown][Crypto_Currency][Acceptable]
+ new: [.....3] [ip4][..udp] [.117.220.197.41][37556] -> [..44.22.132.225][19000]
+ detected: [.....3] [ip4][..udp] [.117.220.197.41][37556] -> [..44.22.132.225][19000] [ZUG][Unknown][Crypto_Currency][Acceptable]
+ update: [.....2] [ip4][..udp] [225.110.130.102][44066] -> [133.150.105.134][19000] [ZUG][Unknown][Crypto_Currency][Acceptable]
+ DAEMON-EVENT: [Processed: 3 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 2 / 3|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 1]
+ new: [.....4] [ip4][..udp] [..61.59.105.181][19000] -> [..199.24.15.231][48793]
+ idle: [.....2] [ip4][..udp] [225.110.130.102][44066] -> [133.150.105.134][19000] [ZUG][Unknown][Crypto_Currency][Acceptable]
+ idle: [.....3] [ip4][..udp] [.117.220.197.41][37556] -> [..44.22.132.225][19000] [ZUG][Unknown][Crypto_Currency][Acceptable]
+ DAEMON-EVENT: [Processed: 4 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 4|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 1]
+ new: [.....5] [ip4][..udp] [..173.46.102.72][41686] -> [.204.88.149.147][19000]
+ detected: [.....5] [ip4][..udp] [..173.46.102.72][41686] -> [.204.88.149.147][19000] [ZUG][Unknown][Crypto_Currency][Acceptable]
+ not-detected: [.....4] [ip4][..udp] [..61.59.105.181][19000] -> [..199.24.15.231][48793] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy, Unidirectional Traffic
+ idle: [.....4] [ip4][..udp] [..61.59.105.181][19000] -> [..199.24.15.231][48793]
+ DAEMON-EVENT: [Processed: 5 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 5|skipped: 0|!detected: 1|guessed: 0|detection-updates: 0|updates: 1]
+ new: [.....6] [ip4][..udp] [...74.90.102.55][44370] -> [..17.218.251.92][19000]
+ detected: [.....6] [ip4][..udp] [...74.90.102.55][44370] -> [..17.218.251.92][19000] [ZUG][Apple][Crypto_Currency][Acceptable]
+ new: [.....7] [ip4][..udp] [...52.104.45.69][44174] -> [...53.52.158.15][19000]
+ detected: [.....7] [ip4][..udp] [...52.104.45.69][44174] -> [...53.52.158.15][19000] [ZUG][MS_OneDrive][Crypto_Currency][Acceptable]
+ idle: [.....7] [ip4][..udp] [...52.104.45.69][44174] -> [...53.52.158.15][19000] [ZUG][MS_OneDrive][Crypto_Currency][Acceptable]
+ idle: [.....6] [ip4][..udp] [...74.90.102.55][44370] -> [..17.218.251.92][19000] [ZUG][Apple][Crypto_Currency][Acceptable]
+ idle: [.....5] [ip4][..udp] [..173.46.102.72][41686] -> [.204.88.149.147][19000] [ZUG][Unknown][Crypto_Currency][Acceptable]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/enable_payload_stat/1kxun.pcap.out b/test/results/flow-info/enable_payload_stat/1kxun.pcap.out
index 8a5569319..75be7adee 100644
--- a/test/results/flow-info/enable_payload_stat/1kxun.pcap.out
+++ b/test/results/flow-info/enable_payload_stat/1kxun.pcap.out
@@ -427,7 +427,7 @@
new: [...134] [ip4][..tcp] [..192.168.2.126][41134] -> [.129.226.107.77][...80] [MIDSTREAM]
detected: [...134] [ip4][..tcp] [..192.168.2.126][41134] -> [.129.226.107.77][...80] [HTTP.QQ][Tencent][Chat][Fun][cgi.connect.qq.com]
detection-update: [...133] [ip4][..tcp] [..192.168.2.126][47230] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Download][Fun][kankan.1kxun.mobi]
- RISK: Binary file/data transfer (attempt)
+ RISK: Binary File/Data Transfer (Attempt)
new: [...135] [ip4][..tcp] [..192.168.2.126][47246] -> [..161.117.13.29][...80] [MIDSTREAM]
detected: [...135] [ip4][..tcp] [..192.168.2.126][47246] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][kankan.1kxun.com]
new: [...136] [ip4][..tcp] [..192.168.2.126][47262] -> [..161.117.13.29][...80] [MIDSTREAM]
@@ -467,6 +467,7 @@
idle: [....97] [ip6][..udp] [..............fe80::e98f:bae2:19f7:6b0f][51451] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable]
RISK: Non-Printable/Invalid Chars Detected
not-detected: [....94] [ip4][..udp] [..192.168.119.2][43786] -> [255.255.255.255][.5678] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [....94] [ip4][..udp] [..192.168.119.2][43786] -> [255.255.255.255][.5678]
idle: [....85] [ip4][..udp] [...192.168.5.50][50030] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable]
idle: [....55] [ip4][..udp] [...192.168.5.16][...68] -> [..192.168.119.1][...67] [DHCP][Unknown][Network][Acceptable]
@@ -548,6 +549,7 @@
idle: [...123] [ip6][..udp] [...............fe80::e034:7be:d8f9:6197][57143] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable]
idle: [....80] [ip4][..udp] [...192.168.5.57][65150] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable]
not-detected: [....88] [ip4][..udp] [..192.168.119.1][56861] -> [255.255.255.255][.5678] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [....88] [ip4][..udp] [..192.168.119.1][56861] -> [255.255.255.255][.5678]
idle: [...116] [ip6][..udp] [..............fe80::f65c:89ff:fe89:e607][..546] -> [..............................ff02::1:2][..547] [DHCPV6][Unknown][Network][Acceptable]
idle: [....72] [ip6][..udp] [..............fe80::4568:efbc:40b1:1346][50194] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable]
@@ -556,6 +558,7 @@
idle: [....39] [ip4][..udp] [..192.168.115.8][54420] -> [........8.8.8.8][...53] [DNS.QQ][Google][Network][Fun]
idle: [...124] [ip4][..udp] [...192.168.5.50][57143] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable]
not-detected: [....79] [ip4][..udp] [..192.168.0.100][50925] -> [255.255.255.255][.5678] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [....79] [ip4][..udp] [..192.168.0.100][50925] -> [255.255.255.255][.5678]
idle: [....99] [ip6][..udp] [..............fe80::5d92:62a8:ebde:1319][53938] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable]
idle: [....27] [ip4][..tcp] [..192.168.115.8][49599] -> [.106.187.35.246][...80] [HTTP.1kxun][Unknown][Streaming][Fun]
@@ -571,7 +574,6 @@
idle: [....19] [ip6][..udp] [..............fe80::e98f:bae2:19f7:6b0f][58779] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable]
RISK: Non-Printable/Invalid Chars Detected
guessed: [...101] [ip4][..tcp] [.119.235.235.84][..443] -> [...192.168.5.16][53406] [TLS][Line][Web][Safe]
- RISK: Susp Entropy
idle: [...101] [ip4][..tcp] [.119.235.235.84][..443] -> [...192.168.5.16][53406]
end: [....46] [ip4][..tcp] [..192.168.115.8][49612] -> [.183.131.48.145][...80] [HTTP][Unknown][Web][Acceptable]
RISK: HTTP Susp User-Agent, HTTP/TLS/QUIC Numeric Hostname/SNI
@@ -579,8 +581,10 @@
RISK: HTTP Susp User-Agent, HTTP/TLS/QUIC Numeric Hostname/SNI
idle: [....24] [ip4][..udp] [..192.168.115.8][52723] -> [.....168.95.1.1][...53] [DNS.1kxun][Unknown][Network][Fun]
not-detected: [....89] [ip6][..udp] [................fe80::4e5e:cff:feea:365][.5678] -> [................................ff02::1][.5678] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [....89] [ip6][..udp] [................fe80::4e5e:cff:feea:365][.5678] -> [................................ff02::1][.5678]
not-detected: [....60] [ip6][..udp] [...............fe80::4e5e:cff:fe9a:ec54][.5678] -> [................................ff02::1][.5678] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [....60] [ip6][..udp] [...............fe80::4e5e:cff:fe9a:ec54][.5678] -> [................................ff02::1][.5678]
idle: [...119] [ip4][..udp] [...192.168.5.16][..123] -> [..17.253.26.125][..123] [NTP][Apple][System][Acceptable]
idle: [....16] [ip4][..udp] [..192.168.115.8][52723] -> [........8.8.8.8][...53] [DNS.1kxun][Google][Network][Fun]
@@ -654,6 +658,7 @@
detected: [...152] [ip4][..tcp] [..192.168.2.126][45424] -> [..161.117.13.29][...80] [HTTP][Alibaba][Streaming][Acceptable][tcad.wedolook.com]
new: [...153] [ip4][..tcp] [..192.168.2.126][41390] -> [....18.64.79.37][...80] [MIDSTREAM]
detected: [...153] [ip4][..tcp] [..192.168.2.126][41390] -> [....18.64.79.37][...80] [HTTP.Google][AmazonAWS][Web][Acceptable][google.open-js.com]
+ RISK: Susp Entropy
analyse: [...146] [ip4][..tcp] [..192.168.2.126][45380] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.409| 0.085| 0.132| 17528.007| 3.300]
@@ -704,6 +709,7 @@
[ENTROPIES...: 5.9,5.9,7.3,7.9,7.9,7.9,7.8,7.8,7.8,7.9,8.0,7.8,7.8,7.8,7.9,7.9,7.9,7.9,5.9,5.8,8.0,8.0,7.9,7.9,8.0,7.9,8.0,7.7,5.9,5.9,7.9,8.0]
new: [...163] [ip4][..tcp] [..192.168.2.126][44368] -> [..172.217.18.98][...80] [MIDSTREAM]
detected: [...163] [ip4][..tcp] [..192.168.2.126][44368] -> [..172.217.18.98][...80] [HTTP.GoogleServices][Google][Web][Acceptable][www.googletagservices.com]
+ RISK: Susp Entropy
new: [...164] [ip4][..tcp] [..192.168.2.126][50140] -> [..161.117.13.29][...80] [MIDSTREAM]
detected: [...164] [ip4][..tcp] [..192.168.2.126][50140] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi]
new: [...165] [ip4][..tcp] [..192.168.2.126][50148] -> [..161.117.13.29][...80] [MIDSTREAM]
@@ -790,6 +796,7 @@
detected: [...193] [ip4][..tcp] [..192.168.2.126][40204] -> [...18.235.204.9][...80] [HTTP][AmazonAWS][Web][Acceptable][adexp.liftoff.io]
new: [...194] [ip4][..tcp] [..192.168.2.126][53416] -> [.172.217.16.142][...80] [MIDSTREAM]
detected: [...194] [ip4][..tcp] [..192.168.2.126][53416] -> [.172.217.16.142][...80] [HTTP.Google][Google][Web][Acceptable][play.google.com]
+ RISK: Susp Entropy
new: [...195] [ip4][..tcp] [..192.168.2.126][33042] -> [...3.122.190.70][...80] [MIDSTREAM]
detected: [...195] [ip4][..tcp] [..192.168.2.126][33042] -> [...3.122.190.70][...80] [HTTP][AmazonAWS][Web][Acceptable][click.liftoff.io]
new: [...196] [ip4][..tcp] [..192.168.2.126][35426] -> [..8.209.112.118][...80] [MIDSTREAM]
@@ -802,6 +809,7 @@
idle: [...147] [ip4][..tcp] [..192.168.2.126][45388] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
idle: [...148] [ip4][..tcp] [..192.168.2.126][45398] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
idle: [...163] [ip4][..tcp] [..192.168.2.126][44368] -> [..172.217.18.98][...80] [HTTP.GoogleServices][Google][Web][Acceptable]
+ RISK: Susp Entropy
idle: [...178] [ip4][..tcp] [..192.168.2.126][56826] -> [...8.209.97.107][...80] [HTTP][Alibaba][Web][Acceptable]
idle: [...149] [ip4][..tcp] [..192.168.2.126][45414] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
idle: [...150] [ip4][..tcp] [..192.168.2.126][45416] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
@@ -836,9 +844,11 @@
idle: [...167] [ip4][..tcp] [..192.168.2.126][50166] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
idle: [...168] [ip4][..tcp] [..192.168.2.126][50176] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
idle: [...153] [ip4][..tcp] [..192.168.2.126][41390] -> [....18.64.79.37][...80] [HTTP.Google][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
idle: [...197] [ip4][..tcp] [..192.168.2.126][51686] -> [....18.64.79.64][...80] [HTTP][AmazonAWS][Web][Acceptable]
idle: [...156] [ip4][..tcp] [..192.168.2.126][36732] -> [142.250.186.174][...80] [HTTP.Google][Google][Advertisement][Acceptable]
idle: [...194] [ip4][..tcp] [..192.168.2.126][53416] -> [.172.217.16.142][...80] [HTTP.Google][Google][Web][Acceptable]
+ RISK: Susp Entropy
idle: [...189] [ip4][..tcp] [..192.168.2.126][42554] -> [...35.156.44.13][...80] [HTTP][AmazonAWS][Web][Acceptable]
idle: [...190] [ip4][..tcp] [..192.168.2.126][42566] -> [...35.156.44.13][...80] [HTTP][AmazonAWS][Web][Acceptable]
idle: [...195] [ip4][..tcp] [..192.168.2.126][33042] -> [...3.122.190.70][...80] [HTTP][AmazonAWS][Web][Acceptable]
@@ -864,7 +874,7 @@
idle: [...142] [ip4][..tcp] [..192.168.2.126][46170] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun]
idle: [...141] [ip4][..tcp] [..192.168.2.126][46184] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun]
idle: [...133] [ip4][..tcp] [..192.168.2.126][47230] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Download][Fun]
- RISK: Binary file/data transfer (attempt)
+ RISK: Binary File/Data Transfer (Attempt)
idle: [...188] [ip4][..tcp] [..192.168.2.126][37100] -> [..52.29.177.177][...80] [HTTP][AmazonAWS][Web][Acceptable]
idle: [...143] [ip4][..tcp] [..192.168.2.126][46200] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun]
idle: [...135] [ip4][..tcp] [..192.168.2.126][47246] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
diff --git a/test/results/flow-info/stun_mapped_address_disabled/teams.pcap.out b/test/results/flow-info/fpc_disabled/teams.pcap.out
index 9c24be31a..e04e45d16 100644
--- a/test/results/flow-info/stun_mapped_address_disabled/teams.pcap.out
+++ b/test/results/flow-info/fpc_disabled/teams.pcap.out
@@ -369,7 +369,7 @@
detected: [....66] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.123][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
new: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443]
new: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478]
- detected: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][?n???z`?s????}??d??]]
+ detected: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
detection-update: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com]
RISK: TLS (probably) Not Carrying HTTPS
new: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478]
@@ -377,13 +377,13 @@
detected: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com]
RISK: TLS (probably) Not Carrying HTTPS
new: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478]
- detected: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][<??a????h (?/??????]
+ detected: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
new: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478]
detected: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
detection-update: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com]
RISK: TLS (probably) Not Carrying HTTPS
- detection-update: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][>??i)?<????????????r]
- detection-update: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][s?>?ed???[??+ez4???m]
+ detection-update: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
+ detection-update: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
new: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443]
new: [....73] [ip4][..tcp] [....192.168.1.6][50036] -> [.52.114.250.153][..443]
detected: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][52.114.250.152]
@@ -414,12 +414,12 @@
new: [....79] [ip4][..udp] [..93.71.110.205][16333] -> [....192.168.1.6][50036]
detected: [....79] [ip4][..udp] [..93.71.110.205][16333] -> [....192.168.1.6][50036] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable][]
RISK: Known Proto on Non Std Port
- detection-update: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][?n???z`?s????}??d??]]
+ detection-update: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
RISK: Unidirectional Traffic
- detection-update: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][<??a????h (?/??????]
+ detection-update: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
RISK: Unidirectional Traffic
- detection-update: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][?n???z`?s????}??d??]]
- detection-update: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][<??a????h (?/??????]
+ detection-update: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
+ detection-update: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
new: [....80] [ip4][..udp] [..52.114.252.21][.3480] -> [....192.168.1.6][50036]
detected: [....80] [ip4][..udp] [..52.114.252.21][.3480] -> [....192.168.1.6][50036] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
RISK: Known Proto on Non Std Port
@@ -527,7 +527,7 @@
idle: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe]
RISK: Known Proto on Non Std Port
idle: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe]
- guessed: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478] [Skype_Teams][Azure][VoIP][Acceptable]
+ guessed: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478] [Skype_TeamsCall][Azure][VoIP][Acceptable]
RISK: Susp Entropy
idle: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478]
idle: [....27] [ip4][..udp] [....192.168.1.6][57530] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe]
diff --git a/test/results/flow-info/http_process_response_disable/http_asymmetric.pcapng.out b/test/results/flow-info/http_process_response_disable/http_asymmetric.pcapng.out
index 1481b9b76..583395338 100644
--- a/test/results/flow-info/http_process_response_disable/http_asymmetric.pcapng.out
+++ b/test/results/flow-info/http_process_response_disable/http_asymmetric.pcapng.out
@@ -6,11 +6,11 @@
detected: [.....1] [ip4][..tcp] [....192.168.0.1][.1044] -> [.....10.10.10.1][...80] [HTTP][Unknown][Web][Acceptable][proxy.wiresharkfest.acropolis.local]
RISK: Unidirectional Traffic
detected: [.....2] [ip4][..tcp] [..192.168.1.146][...80] -> [..192.168.1.103][.1044] [HTTP][Unknown][Web][Acceptable][]
- RISK: HTTP Susp User-Agent, Unidirectional Traffic
+ RISK: HTTP Susp User-Agent, Susp Entropy, Unidirectional Traffic
detection-update: [.....2] [ip4][..tcp] [..192.168.1.146][...80] -> [..192.168.1.103][.1044] [HTTP][Unknown][Web][Acceptable][]
- RISK: HTTP Susp User-Agent, Error Code, Unidirectional Traffic
+ RISK: HTTP Susp User-Agent, Susp Entropy, Error Code, Unidirectional Traffic
end: [.....2] [ip4][..tcp] [..192.168.1.146][...80] -> [..192.168.1.103][.1044] [HTTP][Unknown][Web][Acceptable]
- RISK: HTTP Susp User-Agent, Error Code, Unidirectional Traffic
+ RISK: HTTP Susp User-Agent, Susp Entropy, Error Code, Unidirectional Traffic
end: [.....1] [ip4][..tcp] [....192.168.0.1][.1044] -> [.....10.10.10.1][...80] [HTTP][Unknown][Web][Acceptable]
RISK: Unidirectional Traffic
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/ip_lists_disable/1kxun.pcap.out b/test/results/flow-info/ip_lists_disable/1kxun.pcap.out
index 8a5569319..75be7adee 100644
--- a/test/results/flow-info/ip_lists_disable/1kxun.pcap.out
+++ b/test/results/flow-info/ip_lists_disable/1kxun.pcap.out
@@ -427,7 +427,7 @@
new: [...134] [ip4][..tcp] [..192.168.2.126][41134] -> [.129.226.107.77][...80] [MIDSTREAM]
detected: [...134] [ip4][..tcp] [..192.168.2.126][41134] -> [.129.226.107.77][...80] [HTTP.QQ][Tencent][Chat][Fun][cgi.connect.qq.com]
detection-update: [...133] [ip4][..tcp] [..192.168.2.126][47230] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Download][Fun][kankan.1kxun.mobi]
- RISK: Binary file/data transfer (attempt)
+ RISK: Binary File/Data Transfer (Attempt)
new: [...135] [ip4][..tcp] [..192.168.2.126][47246] -> [..161.117.13.29][...80] [MIDSTREAM]
detected: [...135] [ip4][..tcp] [..192.168.2.126][47246] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][kankan.1kxun.com]
new: [...136] [ip4][..tcp] [..192.168.2.126][47262] -> [..161.117.13.29][...80] [MIDSTREAM]
@@ -467,6 +467,7 @@
idle: [....97] [ip6][..udp] [..............fe80::e98f:bae2:19f7:6b0f][51451] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable]
RISK: Non-Printable/Invalid Chars Detected
not-detected: [....94] [ip4][..udp] [..192.168.119.2][43786] -> [255.255.255.255][.5678] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [....94] [ip4][..udp] [..192.168.119.2][43786] -> [255.255.255.255][.5678]
idle: [....85] [ip4][..udp] [...192.168.5.50][50030] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable]
idle: [....55] [ip4][..udp] [...192.168.5.16][...68] -> [..192.168.119.1][...67] [DHCP][Unknown][Network][Acceptable]
@@ -548,6 +549,7 @@
idle: [...123] [ip6][..udp] [...............fe80::e034:7be:d8f9:6197][57143] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable]
idle: [....80] [ip4][..udp] [...192.168.5.57][65150] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable]
not-detected: [....88] [ip4][..udp] [..192.168.119.1][56861] -> [255.255.255.255][.5678] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [....88] [ip4][..udp] [..192.168.119.1][56861] -> [255.255.255.255][.5678]
idle: [...116] [ip6][..udp] [..............fe80::f65c:89ff:fe89:e607][..546] -> [..............................ff02::1:2][..547] [DHCPV6][Unknown][Network][Acceptable]
idle: [....72] [ip6][..udp] [..............fe80::4568:efbc:40b1:1346][50194] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable]
@@ -556,6 +558,7 @@
idle: [....39] [ip4][..udp] [..192.168.115.8][54420] -> [........8.8.8.8][...53] [DNS.QQ][Google][Network][Fun]
idle: [...124] [ip4][..udp] [...192.168.5.50][57143] -> [....224.0.0.252][.5355] [LLMNR][Unknown][Network][Acceptable]
not-detected: [....79] [ip4][..udp] [..192.168.0.100][50925] -> [255.255.255.255][.5678] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [....79] [ip4][..udp] [..192.168.0.100][50925] -> [255.255.255.255][.5678]
idle: [....99] [ip6][..udp] [..............fe80::5d92:62a8:ebde:1319][53938] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable]
idle: [....27] [ip4][..tcp] [..192.168.115.8][49599] -> [.106.187.35.246][...80] [HTTP.1kxun][Unknown][Streaming][Fun]
@@ -571,7 +574,6 @@
idle: [....19] [ip6][..udp] [..............fe80::e98f:bae2:19f7:6b0f][58779] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable]
RISK: Non-Printable/Invalid Chars Detected
guessed: [...101] [ip4][..tcp] [.119.235.235.84][..443] -> [...192.168.5.16][53406] [TLS][Line][Web][Safe]
- RISK: Susp Entropy
idle: [...101] [ip4][..tcp] [.119.235.235.84][..443] -> [...192.168.5.16][53406]
end: [....46] [ip4][..tcp] [..192.168.115.8][49612] -> [.183.131.48.145][...80] [HTTP][Unknown][Web][Acceptable]
RISK: HTTP Susp User-Agent, HTTP/TLS/QUIC Numeric Hostname/SNI
@@ -579,8 +581,10 @@
RISK: HTTP Susp User-Agent, HTTP/TLS/QUIC Numeric Hostname/SNI
idle: [....24] [ip4][..udp] [..192.168.115.8][52723] -> [.....168.95.1.1][...53] [DNS.1kxun][Unknown][Network][Fun]
not-detected: [....89] [ip6][..udp] [................fe80::4e5e:cff:feea:365][.5678] -> [................................ff02::1][.5678] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [....89] [ip6][..udp] [................fe80::4e5e:cff:feea:365][.5678] -> [................................ff02::1][.5678]
not-detected: [....60] [ip6][..udp] [...............fe80::4e5e:cff:fe9a:ec54][.5678] -> [................................ff02::1][.5678] [Unknown][Unknown][Unrated]
+ RISK: Susp Entropy
idle: [....60] [ip6][..udp] [...............fe80::4e5e:cff:fe9a:ec54][.5678] -> [................................ff02::1][.5678]
idle: [...119] [ip4][..udp] [...192.168.5.16][..123] -> [..17.253.26.125][..123] [NTP][Apple][System][Acceptable]
idle: [....16] [ip4][..udp] [..192.168.115.8][52723] -> [........8.8.8.8][...53] [DNS.1kxun][Google][Network][Fun]
@@ -654,6 +658,7 @@
detected: [...152] [ip4][..tcp] [..192.168.2.126][45424] -> [..161.117.13.29][...80] [HTTP][Alibaba][Streaming][Acceptable][tcad.wedolook.com]
new: [...153] [ip4][..tcp] [..192.168.2.126][41390] -> [....18.64.79.37][...80] [MIDSTREAM]
detected: [...153] [ip4][..tcp] [..192.168.2.126][41390] -> [....18.64.79.37][...80] [HTTP.Google][AmazonAWS][Web][Acceptable][google.open-js.com]
+ RISK: Susp Entropy
analyse: [...146] [ip4][..tcp] [..192.168.2.126][45380] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.409| 0.085| 0.132| 17528.007| 3.300]
@@ -704,6 +709,7 @@
[ENTROPIES...: 5.9,5.9,7.3,7.9,7.9,7.9,7.8,7.8,7.8,7.9,8.0,7.8,7.8,7.8,7.9,7.9,7.9,7.9,5.9,5.8,8.0,8.0,7.9,7.9,8.0,7.9,8.0,7.7,5.9,5.9,7.9,8.0]
new: [...163] [ip4][..tcp] [..192.168.2.126][44368] -> [..172.217.18.98][...80] [MIDSTREAM]
detected: [...163] [ip4][..tcp] [..192.168.2.126][44368] -> [..172.217.18.98][...80] [HTTP.GoogleServices][Google][Web][Acceptable][www.googletagservices.com]
+ RISK: Susp Entropy
new: [...164] [ip4][..tcp] [..192.168.2.126][50140] -> [..161.117.13.29][...80] [MIDSTREAM]
detected: [...164] [ip4][..tcp] [..192.168.2.126][50140] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun][mangaweb.1kxun.mobi]
new: [...165] [ip4][..tcp] [..192.168.2.126][50148] -> [..161.117.13.29][...80] [MIDSTREAM]
@@ -790,6 +796,7 @@
detected: [...193] [ip4][..tcp] [..192.168.2.126][40204] -> [...18.235.204.9][...80] [HTTP][AmazonAWS][Web][Acceptable][adexp.liftoff.io]
new: [...194] [ip4][..tcp] [..192.168.2.126][53416] -> [.172.217.16.142][...80] [MIDSTREAM]
detected: [...194] [ip4][..tcp] [..192.168.2.126][53416] -> [.172.217.16.142][...80] [HTTP.Google][Google][Web][Acceptable][play.google.com]
+ RISK: Susp Entropy
new: [...195] [ip4][..tcp] [..192.168.2.126][33042] -> [...3.122.190.70][...80] [MIDSTREAM]
detected: [...195] [ip4][..tcp] [..192.168.2.126][33042] -> [...3.122.190.70][...80] [HTTP][AmazonAWS][Web][Acceptable][click.liftoff.io]
new: [...196] [ip4][..tcp] [..192.168.2.126][35426] -> [..8.209.112.118][...80] [MIDSTREAM]
@@ -802,6 +809,7 @@
idle: [...147] [ip4][..tcp] [..192.168.2.126][45388] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
idle: [...148] [ip4][..tcp] [..192.168.2.126][45398] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
idle: [...163] [ip4][..tcp] [..192.168.2.126][44368] -> [..172.217.18.98][...80] [HTTP.GoogleServices][Google][Web][Acceptable]
+ RISK: Susp Entropy
idle: [...178] [ip4][..tcp] [..192.168.2.126][56826] -> [...8.209.97.107][...80] [HTTP][Alibaba][Web][Acceptable]
idle: [...149] [ip4][..tcp] [..192.168.2.126][45414] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
idle: [...150] [ip4][..tcp] [..192.168.2.126][45416] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
@@ -836,9 +844,11 @@
idle: [...167] [ip4][..tcp] [..192.168.2.126][50166] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
idle: [...168] [ip4][..tcp] [..192.168.2.126][50176] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
idle: [...153] [ip4][..tcp] [..192.168.2.126][41390] -> [....18.64.79.37][...80] [HTTP.Google][AmazonAWS][Web][Acceptable]
+ RISK: Susp Entropy
idle: [...197] [ip4][..tcp] [..192.168.2.126][51686] -> [....18.64.79.64][...80] [HTTP][AmazonAWS][Web][Acceptable]
idle: [...156] [ip4][..tcp] [..192.168.2.126][36732] -> [142.250.186.174][...80] [HTTP.Google][Google][Advertisement][Acceptable]
idle: [...194] [ip4][..tcp] [..192.168.2.126][53416] -> [.172.217.16.142][...80] [HTTP.Google][Google][Web][Acceptable]
+ RISK: Susp Entropy
idle: [...189] [ip4][..tcp] [..192.168.2.126][42554] -> [...35.156.44.13][...80] [HTTP][AmazonAWS][Web][Acceptable]
idle: [...190] [ip4][..tcp] [..192.168.2.126][42566] -> [...35.156.44.13][...80] [HTTP][AmazonAWS][Web][Acceptable]
idle: [...195] [ip4][..tcp] [..192.168.2.126][33042] -> [...3.122.190.70][...80] [HTTP][AmazonAWS][Web][Acceptable]
@@ -864,7 +874,7 @@
idle: [...142] [ip4][..tcp] [..192.168.2.126][46170] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun]
idle: [...141] [ip4][..tcp] [..192.168.2.126][46184] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun]
idle: [...133] [ip4][..tcp] [..192.168.2.126][47230] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Download][Fun]
- RISK: Binary file/data transfer (attempt)
+ RISK: Binary File/Data Transfer (Attempt)
idle: [...188] [ip4][..tcp] [..192.168.2.126][37100] -> [..52.29.177.177][...80] [HTTP][AmazonAWS][Web][Acceptable]
idle: [...143] [ip4][..tcp] [..192.168.2.126][46200] -> [.172.105.121.82][...80] [HTTP.1kxun][Unknown][Streaming][Fun]
idle: [...135] [ip4][..tcp] [..192.168.2.126][47246] -> [..161.117.13.29][...80] [HTTP.1kxun][Alibaba][Streaming][Fun]
diff --git a/test/results/flow-info/stun_all_attributes_disabled/teams.pcap.out b/test/results/flow-info/stun_all_attributes_disabled/teams.pcap.out
new file mode 100644
index 000000000..e04e45d16
--- /dev/null
+++ b/test/results/flow-info/stun_all_attributes_disabled/teams.pcap.out
@@ -0,0 +1,573 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..udp] [....192.168.0.1][...68] -> [255.255.255.255][...67]
+ detected: [.....1] [ip4][..udp] [....192.168.0.1][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable][tl-sg116e]
+ ERROR-EVENT: Unknown packet type [1/16]
+ new: [.....2] [ip4][..tcp] [....192.168.1.6][58533] -> [.149.154.167.91][..443] [MIDSTREAM]
+ ERROR-EVENT: Unknown packet type [2/16]
+ ERROR-EVENT: Unknown packet type [3/16]
+ ERROR-EVENT: Unknown packet type [4/16]
+ ERROR-EVENT: Unknown packet type [5/16]
+ ERROR-EVENT: Unknown packet type [6/16]
+ new: [.....3] [ip4][..udp] [....192.168.1.6][60813] -> [....192.168.1.1][...53]
+ detected: [.....3] [ip4][..udp] [....192.168.1.6][60813] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][skypedataprdcolneu04.cloudapp.net]
+ detection-update: [.....3] [ip4][..udp] [....192.168.1.6][60813] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][skypedataprdcolneu04.cloudapp.net]
+ new: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443]
+ new: [.....5] [ip4][..tcp] [....192.168.1.6][60533] -> [.52.113.194.132][..443]
+ detected: [.....5] [ip4][..tcp] [....192.168.1.6][60533] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com]
+ detection-update: [.....5] [ip4][..tcp] [....192.168.1.6][60533] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com]
+ detected: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ analyse: [.....5] [ip4][..tcp] [....192.168.1.6][60533] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.030| 0.006| 0.009| 77.930| 3.700]
+ [PKTLEN......: 40.000| 1492.000| 393.900| 548.100| 300365.600| 3.900]
+ [BINS(c->s)..: 10,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 5,1,1,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,0,0,0,0,1,1,0,1,1,0,1,1,1,0]
+ [IATS(ms)....: 12.5,12.6,1.4,13.9,1.6,0.2,14.3,0.3,0.2,0.1,0.0,0.1,4.9,16.5,1.1,12.8,0.3,0.3,11.4,0.4,0.2,23.0,0.0,11.1,0.4,29.3,29.8,0.5,0.1,0.0,0.5]
+ [PKTLENS.....: 64,52,40,250,46,1492,1492,40,1492,40,1492,257,40,198,46,366,40,109,40,133,78,298,78,46,40,46,556,40,1492,1492,671,40]
+ [ENTROPIES...: 4.4,4.9,4.5,5.4,4.6,7.4,7.4,4.7,7.5,4.6,7.6,7.1,4.6,6.6,4.6,7.2,4.7,6.0,4.6,6.2,5.1,7.0,5.4,4.6,4.7,4.6,7.6,4.7,7.8,7.8,7.7,4.7]
+ detection-update: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ ERROR-EVENT: Unknown packet type [7/16]
+ new: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443]
+ detected: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com]
+ detection-update: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com]
+ analyse: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.221| 0.032| 0.054| 2931.592| 3.400]
+ [PKTLEN......: 52.000| 1492.000| 907.900| 687.500| 472618.500| 4.400]
+ [BINS(c->s)..: 5,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0]
+ [BINS(s->c)..: 5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0]
+ [IATS(ms)....: 43.2,43.3,94.0,139.8,0.2,45.9,0.1,0.1,1.4,46.8,45.4,177.2,0.0,0.0,221.2,44.0,0.0,0.0,0.0,21.3,21.2,0.0,23.0,23.0,0.0,0.0,0.0,1.2,1.2,0.0,0.0]
+ [PKTLENS.....: 64,60,52,226,1492,1492,52,1375,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,1480,1480,1480,1480,52,1480,1480,1480]
+ [ENTROPIES...: 4.4,5.2,4.9,5.6,7.3,7.3,4.9,7.7,4.9,5.9,5.5,4.9,7.9,7.9,7.9,5.1,7.9,7.9,7.9,7.9,5.1,7.9,7.9,5.1,7.9,7.9,7.9,7.9,5.1,7.9,7.9,7.9]
+ new: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443]
+ detected: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ new: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443]
+ detected: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com]
+ detection-update: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com]
+ analyse: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.050| 0.018| 0.021| 449.200| 3.900]
+ [PKTLEN......: 52.000| 1492.000| 680.600| 673.100| 453031.800| 4.200]
+ [BINS(c->s)..: 7,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0]
+ [BINS(s->c)..: 7,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,1,1,1,1,0,0]
+ [IATS(ms)....: 45.3,45.4,0.3,49.2,0.0,48.8,0.2,0.2,1.3,46.5,45.3,1.9,0.0,0.0,47.7,45.8,0.0,0.0,0.0,37.7,37.7,0.0,8.0,8.1,0.0,0.7,37.0,7.8,4.3,49.8,1.3]
+ [PKTLENS.....: 64,60,52,258,1492,1375,64,1492,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,1480,825,52,52,52,497,52,83]
+ [ENTROPIES...: 4.3,5.2,5.0,6.0,7.3,7.7,5.1,7.3,5.0,6.0,5.7,5.1,7.8,7.9,7.9,5.2,7.9,7.9,7.9,7.9,5.2,7.9,7.9,5.2,7.9,7.8,5.1,5.2,5.2,7.5,5.0,5.3]
+ ERROR-EVENT: Unknown packet type [8/16]
+ ERROR-EVENT: Unknown packet type [9/16]
+ new: [.....9] [ip4][..tcp] [....192.168.1.6][60537] -> [...52.114.77.33][..443]
+ detected: [.....9] [ip4][..tcp] [....192.168.1.6][60537] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [.....9] [ip4][..tcp] [....192.168.1.6][60537] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ ERROR-EVENT: Unknown packet type [10/16]
+ new: [....10] [ip4][..udp] [....192.168.1.6][64046] -> [....192.168.1.1][...53]
+ detected: [....10] [ip4][..udp] [....192.168.1.6][64046] -> [....192.168.1.1][...53] [DNS.ntop][Unknown][Network][Safe][b._dns-sd._udp.ntop.org]
+ new: [....11] [ip4][..udp] [....192.168.1.6][17500] -> [255.255.255.255][17500]
+ detected: [....11] [ip4][..udp] [....192.168.1.6][17500] -> [255.255.255.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
+ new: [....12] [ip4][..udp] [....192.168.1.6][17500] -> [..192.168.1.255][17500]
+ detected: [....12] [ip4][..udp] [....192.168.1.6][17500] -> [..192.168.1.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
+ ERROR-EVENT: Unknown packet type [11/16]
+ ERROR-EVENT: Unknown packet type [12/16]
+ detection-update: [....10] [ip4][..udp] [....192.168.1.6][64046] -> [....192.168.1.1][...53] [DNS.ntop][Unknown][Network][Safe][b._dns-sd._udp.ntop.org]
+ RISK: Unidirectional Traffic
+ detection-update: [....10] [ip4][..udp] [....192.168.1.6][64046] -> [....192.168.1.1][...53] [DNS.ntop][Unknown][Network][Safe][b._dns-sd._udp.ntop.org]
+ RISK: Error Code
+ new: [....13] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67]
+ detected: [....13] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable][]
+ new: [....14] [ip4][..tcp] [..93.62.150.157][..443] -> [....192.168.1.6][60512] [MIDSTREAM]
+ detected: [....14] [ip4][..tcp] [..93.62.150.157][..443] -> [....192.168.1.6][60512] [TLS][Unknown][Web][Safe]
+ ERROR-EVENT: Unknown packet type [13/16]
+ new: [....15] [ip4][..udp] [....192.168.1.6][56634] -> [....192.168.1.1][...53]
+ detected: [....15] [ip4][..udp] [....192.168.1.6][56634] -> [....192.168.1.1][...53] [DNS.Apple][Unknown][Network][Safe][captive.apple.com.edgekey.net]
+ detection-update: [....15] [ip4][..udp] [....192.168.1.6][56634] -> [....192.168.1.1][...53] [DNS.Apple][Unknown][Network][Safe][captive.apple.com.edgekey.net]
+ ERROR-EVENT: Unknown packet type [14/16]
+ ERROR-EVENT: Unknown packet type [15/16]
+ new: [....16] [ip4][..udp] [....192.168.1.6][51033] -> [....192.168.1.1][...53]
+ detected: [....16] [ip4][..udp] [....192.168.1.6][51033] -> [....192.168.1.1][...53] [DNS.Skype_Teams][Unknown][Network][Acceptable][eu-api.asm.skype.com]
+ new: [....17] [ip4][..udp] [....192.168.1.6][63106] -> [....192.168.1.1][...53]
+ detected: [....17] [ip4][..udp] [....192.168.1.6][63106] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][eu-prod.asyncgw.teams.microsoft.com]
+ detection-update: [....17] [ip4][..udp] [....192.168.1.6][63106] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][eu-prod.asyncgw.teams.microsoft.com]
+ new: [....18] [ip4][..tcp] [....192.168.1.6][60538] -> [...52.114.75.70][..443]
+ detection-update: [....16] [ip4][..udp] [....192.168.1.6][51033] -> [....192.168.1.1][...53] [DNS.Skype_Teams][Unknown][Network][Acceptable][eu-api.asm.skype.com]
+ new: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443]
+ detected: [....18] [ip4][..tcp] [....192.168.1.6][60538] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com]
+ detected: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com]
+ detection-update: [....18] [ip4][..tcp] [....192.168.1.6][60538] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com]
+ detection-update: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com]
+ new: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443]
+ new: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443]
+ detected: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com]
+ detected: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com]
+ new: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53]
+ detected: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][config.teams.microsoft.com]
+ detection-update: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com]
+ detection-update: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com]
+ detection-update: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][config.teams.microsoft.com]
+ new: [....23] [ip4][..tcp] [....192.168.1.6][60542] -> [.52.113.194.132][..443]
+ detected: [....23] [ip4][..tcp] [....192.168.1.6][60542] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][config.teams.microsoft.com]
+ detection-update: [....23] [ip4][..tcp] [....192.168.1.6][60542] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][config.teams.microsoft.com]
+ new: [....24] [ip4][..udp] [....192.168.1.6][65387] -> [....192.168.1.1][...53]
+ detected: [....24] [ip4][..udp] [....192.168.1.6][65387] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe][northeuropecns.trafficmanager.net]
+ new: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443]
+ detection-update: [....24] [ip4][..udp] [....192.168.1.6][65387] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe][northeuropecns.trafficmanager.net]
+ new: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443]
+ detected: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detected: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443] [TLS.Teams][Azure][Collaborative][Safe][northeurope.notifications.teams.microsoft.com]
+ detection-update: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443] [TLS.Teams][Azure][Collaborative][Safe][northeurope.notifications.teams.microsoft.com]
+ detection-update: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ ERROR-EVENT: Unknown packet type [16/16]
+ new: [....27] [ip4][..udp] [....192.168.1.6][57530] -> [....192.168.1.1][...53]
+ detected: [....27] [ip4][..udp] [....192.168.1.6][57530] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe][presence.services.sfb.trafficmanager.net]
+ detection-update: [....27] [ip4][..udp] [....192.168.1.6][57530] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe][presence.services.sfb.trafficmanager.net]
+ new: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443]
+ new: [....29] [ip4][..tcp] [.162.125.19.131][..443] -> [....192.168.1.6][60344] [MIDSTREAM]
+ detected: [....29] [ip4][..tcp] [.162.125.19.131][..443] -> [....192.168.1.6][60344] [TLS][Dropbox][Web][Safe]
+ detected: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Azure][Collaborative][Safe][presence.teams.microsoft.com]
+ detection-update: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Azure][Collaborative][Safe][presence.teams.microsoft.com]
+ analyse: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.153| 0.028| 0.040| 1626.047| 3.600]
+ [PKTLEN......: 52.000| 1492.000| 819.700| 699.200| 488828.900| 4.300]
+ [BINS(c->s)..: 5,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0]
+ [BINS(s->c)..: 7,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,1,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0]
+ [IATS(ms)....: 50.5,50.6,0.3,64.6,72.0,0.2,136.5,0.1,0.1,1.4,68.0,86.2,152.9,2.3,0.0,0.0,46.4,44.1,0.0,0.0,0.0,23.6,23.6,0.0,20.9,20.9,0.0,0.0,0.0,0.8,0.8]
+ [PKTLENS.....: 64,60,52,258,52,1492,1492,52,1375,52,145,52,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,1480,1480,1480,1480,52,1480]
+ [ENTROPIES...: 4.4,5.3,5.0,5.9,5.1,7.3,7.3,5.0,7.7,5.0,5.9,5.2,5.6,5.0,7.9,7.8,7.9,5.2,7.9,7.9,7.9,7.9,5.2,7.9,7.9,5.2,7.9,7.9,7.8,7.9,5.2,7.9]
+ new: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434]
+ detected: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org]
+ RISK: Known Proto on Non Std Port
+ detection-update: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org]
+ RISK: Known Proto on Non Std Port
+ analyse: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Azure][Collaborative][Safe]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.201| 0.025| 0.047| 2215.159| 3.200]
+ [PKTLEN......: 40.000| 1492.000| 340.200| 510.300| 260451.700| 3.800]
+ [BINS(c->s)..: 11,1,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
+ [BINS(s->c)..: 3,3,1,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,0,1,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,0,0,1,1]
+ [IATS(ms)....: 45.7,45.8,0.2,47.9,0.0,47.7,0.0,0.1,0.2,0.1,0.2,9.9,9.9,3.5,10.4,0.4,51.4,37.1,0.2,0.2,0.2,7.1,7.0,1.3,1.2,79.2,201.4,0.0,0.0,167.5,0.2]
+ [PKTLENS.....: 64,52,40,259,1492,1492,52,40,40,1492,1492,40,453,40,198,133,503,91,40,109,40,78,78,40,479,40,46,1480,150,206,46,82]
+ [ENTROPIES...: 4.4,5.0,4.6,5.4,7.1,7.4,4.7,4.7,4.5,7.6,7.6,4.7,7.5,4.7,6.6,6.1,7.6,5.4,4.6,6.0,4.5,5.2,5.4,4.7,7.5,4.7,4.5,7.9,6.6,6.7,4.5,5.4]
+ new: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53]
+ detected: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][chatsvcagg.svcs.teams.office.com]
+ detection-update: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][chatsvcagg.svcs.teams.office.com]
+ new: [....32] [ip4][..tcp] [....192.168.1.6][60547] -> [...52.114.88.59][..443]
+ detected: [....32] [ip4][..tcp] [....192.168.1.6][60547] -> [...52.114.88.59][..443] [TLS.Teams][Azure][Collaborative][Safe][chatsvcagg.teams.microsoft.com]
+ new: [....33] [ip4][..tcp] [....192.168.1.6][60548] -> [...52.114.77.33][..443]
+ detected: [....33] [ip4][..tcp] [....192.168.1.6][60548] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [....33] [ip4][..tcp] [....192.168.1.6][60548] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ analyse: [....32] [ip4][..tcp] [....192.168.1.6][60547] -> [...52.114.88.59][..443] [TLS.Teams][Azure][Collaborative][Safe]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.115| 0.021| 0.031| 968.681| 3.500]
+ [PKTLEN......: 52.000| 1492.000| 377.200| 521.700| 272149.200| 3.900]
+ [BINS(c->s)..: 11,1,1,1,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0]
+ [BINS(s->c)..: 3,2,1,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,0,1,1,0,1]
+ [IATS(ms)....: 34.2,34.3,0.3,36.9,0.0,36.6,0.0,0.2,0.2,0.1,0.0,0.1,1.0,12.0,0.3,36.0,22.7,0.2,0.2,0.1,10.4,10.3,0.6,0.6,77.1,91.7,0.0,49.1,80.4,115.1,0.2]
+ [PKTLENS.....: 64,60,52,273,1492,1492,64,52,1492,52,1492,302,52,178,145,533,103,52,121,52,90,90,52,414,52,52,1480,247,52,227,52,1139]
+ [ENTROPIES...: 4.3,5.1,4.7,5.5,7.4,7.3,4.8,4.8,7.5,4.7,7.6,7.4,4.8,6.3,6.2,7.5,5.6,4.9,6.0,4.9,5.4,5.5,4.8,7.4,4.9,5.1,7.8,7.0,5.0,6.8,4.7,7.8]
+ new: [....34] [ip4][..udp] [....192.168.1.6][59403] -> [....192.168.1.1][...53]
+ detected: [....34] [ip4][..udp] [....192.168.1.6][59403] -> [....192.168.1.1][...53] [DNS.Microsoft365][Unknown][Network][Acceptable][substrate.office.com]
+ detection-update: [....34] [ip4][..udp] [....192.168.1.6][59403] -> [....192.168.1.1][...53] [DNS.Microsoft365][Unknown][Network][Acceptable][substrate.office.com]
+ new: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443]
+ detected: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Outlook][Collaborative][Acceptable][substrate.office.com]
+ detection-update: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Outlook][Collaborative][Acceptable][substrate.office.com]
+ analyse: [....23] [ip4][..tcp] [....192.168.1.6][60542] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 2.010| 0.146| 0.490| 239614.050| 1.700]
+ [PKTLEN......: 40.000| 1492.000| 305.200| 468.100| 219152.800| 3.800]
+ [BINS(c->s)..: 9,1,1,0,1,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 7,1,1,0,1,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,1,0,0,0,0,0,1,1,0,1,1,1,0,0,1,1]
+ [IATS(ms)....: 12.7,12.8,0.2,12.4,2.5,0.3,14.9,0.5,0.5,0.2,0.0,0.8,4.9,17.1,1.4,0.0,13.1,0.0,0.2,0.3,0.1,11.8,0.0,11.2,0.1,0.6,112.9,113.7,1998.1,2009.8,174.6]
+ [PKTLENS.....: 64,52,40,257,46,1492,1492,40,1492,40,1492,181,40,198,46,366,109,40,40,133,78,561,46,78,40,46,46,440,40,342,46,345]
+ [ENTROPIES...: 4.4,5.0,4.6,5.5,4.5,7.3,7.5,4.6,7.5,4.6,7.7,6.8,4.7,6.5,4.5,7.2,6.0,4.6,4.6,6.2,5.2,7.6,4.4,5.4,4.6,4.5,4.5,7.5,4.7,7.2,4.5,7.3]
+ analyse: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Outlook][Collaborative][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.540| 0.024| 0.095| 8949.939| 1.900]
+ [PKTLEN......: 40.000| 1492.000| 331.500| 473.500| 224192.200| 3.900]
+ [BINS(c->s)..: 9,1,1,0,2,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
+ [BINS(s->c)..: 5,2,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,0,0,0,0,1,1,1,0,0,0,1,1,0,1,1,0,1,0,0,0,0]
+ [IATS(ms)....: 11.5,11.6,0.3,11.9,32.5,0.1,44.2,0.2,0.0,0.2,3.8,7.7,0.3,0.1,14.6,1.5,0.0,4.2,0.0,0.3,6.5,0.5,6.7,4.3,9.9,14.2,10.7,10.7,539.6,0.0,0.3]
+ [PKTLENS.....: 64,52,40,251,46,1492,1492,40,1492,80,40,198,133,578,172,46,366,109,40,40,78,46,78,40,46,689,40,359,40,1480,694,248]
+ [ENTROPIES...: 4.4,4.9,4.5,5.4,4.5,6.7,7.5,4.6,7.6,5.7,4.7,6.5,6.2,7.6,6.5,4.5,7.2,5.8,4.6,4.6,5.3,4.5,5.4,4.6,4.5,7.7,4.7,7.3,4.7,7.8,7.7,7.0]
+ new: [....36] [ip4][..udp] [....192.168.1.6][61245] -> [....192.168.1.1][...53]
+ detected: [....36] [ip4][..udp] [....192.168.1.6][61245] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][euaz.tr.teams.microsoft.com]
+ new: [....37] [ip4][..udp] [....192.168.1.6][53678] -> [....192.168.1.1][...53]
+ detected: [....37] [ip4][..udp] [....192.168.1.6][53678] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][trouter2-asse-a.trouter.teams.microsoft.com]
+ new: [....38] [ip4][..udp] [....192.168.1.6][65230] -> [....192.168.1.1][...53]
+ detected: [....38] [ip4][..udp] [....192.168.1.6][65230] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][trouter2-asse-a.trouter.teams.microsoft.com]
+ new: [....39] [ip4][..udp] [....192.168.1.6][50653] -> [....192.168.1.1][...53]
+ detected: [....39] [ip4][..udp] [....192.168.1.6][50653] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][api.flightproxy.teams.microsoft.com]
+ detection-update: [....37] [ip4][..udp] [....192.168.1.6][53678] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][trouter2-asse-a.trouter.teams.microsoft.com]
+ detection-update: [....38] [ip4][..udp] [....192.168.1.6][65230] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][trouter2-asse-a.trouter.teams.microsoft.com]
+ new: [....40] [ip4][..tcp] [....192.168.1.6][60551] -> [...52.114.15.45][..443]
+ detection-update: [....39] [ip4][..udp] [....192.168.1.6][50653] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][api.flightproxy.teams.microsoft.com]
+ detection-update: [....36] [ip4][..udp] [....192.168.1.6][61245] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][euaz.tr.teams.microsoft.com]
+ RISK: Minor Issues
+ new: [....41] [ip4][..udp] [....192.168.1.6][58457] -> [....192.168.1.1][...53]
+ detected: [....41] [ip4][..udp] [....192.168.1.6][58457] -> [....192.168.1.1][...53] [DNS.Microsoft365][Unknown][Network][Acceptable][outlook.office.com]
+ detection-update: [....41] [ip4][..udp] [....192.168.1.6][58457] -> [....192.168.1.1][...53] [DNS.Microsoft365][Unknown][Network][Acceptable][outlook.office.com]
+ new: [....42] [ip4][..tcp] [....192.168.1.6][60552] -> [...52.114.77.33][..443]
+ new: [....43] [ip4][..tcp] [....192.168.1.6][60554] -> [.52.113.194.132][..443]
+ new: [....44] [ip4][..udp] [....192.168.1.6][51309] -> [....192.168.1.1][...53]
+ detected: [....44] [ip4][..udp] [....192.168.1.6][51309] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][skypedataprdcolneu04.cloudapp.net]
+ new: [....45] [ip4][..tcp] [....192.168.1.6][60555] -> [...52.114.77.33][..443]
+ new: [....46] [ip4][..tcp] [....192.168.1.6][60556] -> [.....40.126.9.7][..443]
+ detected: [....43] [ip4][..tcp] [....192.168.1.6][60554] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][config.teams.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [....44] [ip4][..udp] [....192.168.1.6][51309] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][skypedataprdcolneu04.cloudapp.net]
+ detected: [....40] [ip4][..tcp] [....192.168.1.6][60551] -> [...52.114.15.45][..443] [TLS.Teams][Azure][Collaborative][Safe][trouter2-asse-a.trouter.teams.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [....43] [ip4][..tcp] [....192.168.1.6][60554] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][config.teams.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detected: [....42] [ip4][..tcp] [....192.168.1.6][60552] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detected: [....46] [ip4][..tcp] [....192.168.1.6][60556] -> [.....40.126.9.7][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com]
+ detected: [....45] [ip4][..tcp] [....192.168.1.6][60555] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [....46] [ip4][..tcp] [....192.168.1.6][60556] -> [.....40.126.9.7][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com]
+ detection-update: [....42] [ip4][..tcp] [....192.168.1.6][60552] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [....45] [ip4][..tcp] [....192.168.1.6][60555] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [....40] [ip4][..tcp] [....192.168.1.6][60551] -> [...52.114.15.45][..443] [TLS.Teams][Azure][Collaborative][Safe][trouter2-asse-a.trouter.teams.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ analyse: [....43] [ip4][..tcp] [....192.168.1.6][60554] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.154| 0.015| 0.036| 1274.324| 2.800]
+ [PKTLEN......: 40.000| 1492.000| 585.700| 671.400| 450756.000| 4.000]
+ [BINS(c->s)..: 10,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 5,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,10,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,1,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1]
+ [IATS(ms)....: 12.9,13.0,0.5,12.4,2.0,1.5,15.4,0.1,0.1,0.1,0.0,0.1,21.6,33.0,11.5,11.7,0.1,11.8,0.6,13.4,140.4,0.7,154.0,0.2,0.2,0.2,0.2,0.5,0.0,0.1,0.2]
+ [PKTLENS.....: 64,52,40,226,46,1492,1492,40,1492,40,1492,168,40,147,46,91,46,91,40,1122,46,1492,1492,40,1317,40,1492,1492,40,40,1492,1492]
+ [ENTROPIES...: 4.4,4.9,4.5,5.5,4.4,7.3,7.5,4.6,7.5,4.5,7.7,6.7,4.6,6.5,4.5,5.7,4.5,5.6,4.6,7.8,4.6,7.9,7.9,4.6,7.9,4.6,7.9,7.9,4.6,4.5,7.9,7.9]
+ new: [....47] [ip4][..tcp] [....192.168.1.6][60557] -> [.52.113.194.132][..443]
+ detected: [....47] [ip4][..tcp] [....192.168.1.6][60557] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [....47] [ip4][..tcp] [....192.168.1.6][60557] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ new: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443]
+ detected: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ analyse: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.053| 0.020| 0.022| 492.470| 3.900]
+ [PKTLEN......: 52.000| 1492.000| 640.900| 667.900| 446080.700| 4.100]
+ [BINS(c->s)..: 9,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0]
+ [BINS(s->c)..: 6,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,1,1,1,0,0,0]
+ [IATS(ms)....: 48.6,48.7,0.3,51.0,0.1,50.7,0.0,0.3,0.3,1.7,49.8,48.1,1.4,0.0,0.0,50.5,49.1,0.0,0.0,0.0,37.2,37.2,0.0,11.5,11.5,1.0,36.0,16.0,53.0,0.7,0.1]
+ [PKTLENS.....: 64,60,52,258,1492,1492,64,52,1375,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,985,52,52,497,52,83,52]
+ [ENTROPIES...: 4.4,5.3,4.9,6.0,7.3,7.3,5.1,4.9,7.6,5.0,5.9,5.7,5.0,7.9,7.9,7.9,5.1,7.9,7.9,7.9,7.9,5.2,7.8,7.9,5.1,7.8,5.1,5.2,7.6,5.1,5.3,5.0]
+ new: [....49] [ip4][..udp] [..192.168.1.112][57621] -> [..192.168.1.255][57621]
+ detected: [....49] [ip4][..udp] [..192.168.1.112][57621] -> [..192.168.1.255][57621] [Spotify][Unknown][Music][Fun]
+ new: [....50] [ip4][..tcp] [....192.168.1.6][60560] -> [....40.126.9.67][..443]
+ detected: [....50] [ip4][..tcp] [....192.168.1.6][60560] -> [....40.126.9.67][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com]
+ detection-update: [....50] [ip4][..tcp] [....192.168.1.6][60560] -> [....40.126.9.67][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com]
+ new: [....51] [ip4][..tcp] [....192.168.1.6][60561] -> [...52.114.77.33][..443]
+ detected: [....51] [ip4][..tcp] [....192.168.1.6][60561] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ new: [....52] [ip4][..udp] [....192.168.1.6][54069] -> [....192.168.1.1][...53]
+ detected: [....52] [ip4][..udp] [....192.168.1.6][54069] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][api.microsoftstream.com]
+ detection-update: [....52] [ip4][..udp] [....192.168.1.6][54069] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][api.microsoftstream.com]
+ new: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443]
+ detected: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][api.microsoftstream.com]
+ detection-update: [....51] [ip4][..tcp] [....192.168.1.6][60561] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ analyse: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.126| 0.019| 0.032| 1006.354| 3.400]
+ [PKTLEN......: 52.000| 1492.000| 345.200| 499.900| 249913.200| 3.900]
+ [BINS(c->s)..: 12,1,3,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0]
+ [BINS(s->c)..: 2,3,1,0,0,0,0,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,0,0,0,1,1,0,0,0,1,0,1,0,0,0,1,1,0,1,0]
+ [IATS(ms)....: 29.5,29.6,0.2,45.7,0.2,45.7,0.1,0.1,0.1,0.1,0.0,0.1,0.6,23.2,0.2,30.2,0.0,6.1,0.0,0.2,22.9,22.6,1.5,1.4,2.9,0.0,32.7,0.2,30.1,125.5,125.6]
+ [PKTLENS.....: 64,60,52,266,1492,1492,64,1492,52,52,1492,281,52,145,145,424,103,121,52,52,90,90,52,548,52,1365,135,52,94,52,510,52]
+ [ENTROPIES...: 4.4,5.2,4.9,5.6,7.4,7.5,4.9,7.4,4.9,4.8,7.6,7.1,5.0,5.9,6.3,7.4,5.6,6.1,4.9,4.9,5.4,5.6,4.9,7.5,5.0,7.9,6.1,5.1,5.7,5.0,7.5,4.9]
+ new: [....54] [ip4][..udp] [....192.168.1.6][62735] -> [....192.168.1.1][...53]
+ detected: [....54] [ip4][..udp] [....192.168.1.6][62735] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][euno-1.api.microsoftstream.com]
+ detection-update: [....54] [ip4][..udp] [....192.168.1.6][62735] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][euno-1.api.microsoftstream.com]
+ new: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443]
+ analyse: [....51] [ip4][..tcp] [....192.168.1.6][60561] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.162| 0.032| 0.044| 1964.919| 3.600]
+ [PKTLEN......: 52.000| 1492.000| 736.700| 694.000| 481656.100| 4.200]
+ [BINS(c->s)..: 5,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0]
+ [BINS(s->c)..: 8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]
+ [DIRECTIONS..: 0,1,0,0,0,1,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,1,1,1]
+ [IATS(ms)....: 48.4,48.5,0.5,88.2,136.5,113.7,0.2,161.8,0.1,0.1,1.1,74.6,73.5,1.1,0.0,0.0,50.1,49.0,0.0,0.0,0.0,48.4,48.4,0.0,0.0,0.0,1.6,1.5,46.9,1.1,1.7]
+ [PKTLENS.....: 64,60,52,258,258,64,1492,1492,52,1375,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,1480,1480,52,1462,52,52,52]
+ [ENTROPIES...: 4.4,5.3,4.9,6.0,6.0,5.1,7.3,7.3,5.0,7.7,5.0,6.0,5.6,5.0,7.9,7.9,7.9,5.2,7.9,7.9,7.9,7.9,5.1,7.9,7.9,7.9,7.9,5.2,7.9,5.2,5.2,5.2]
+ detected: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][euno-1.api.microsoftstream.com]
+ new: [....56] [ip4][..udp] [....192.168.1.6][63930] -> [....192.168.1.1][...53]
+ detected: [....56] [ip4][..udp] [....192.168.1.6][63930] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe][dc.applicationinsights.microsoft.com]
+ detection-update: [....56] [ip4][..udp] [....192.168.1.6][63930] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe][dc.applicationinsights.microsoft.com]
+ new: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443]
+ detected: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net]
+ detection-update: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net]
+ new: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53]
+ detected: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][emea.ng.msg.teams-msgapi.trafficmanager.net]
+ detection-update: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][emea.ng.msg.teams-msgapi.trafficmanager.net]
+ new: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443]
+ detected: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe][emea.ng.msg.teams.microsoft.com]
+ detection-update: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe][emea.ng.msg.teams.microsoft.com]
+ analyse: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.277| 0.019| 0.049| 2449.644| 2.900]
+ [PKTLEN......: 52.000| 1492.000| 370.200| 512.100| 262257.700| 3.900]
+ [BINS(c->s)..: 11,1,2,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 3,3,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,4,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,0,0,0,1,1,0,0,0,1,0,1,0,1,0,0,1,1,0,1]
+ [IATS(ms)....: 19.2,19.3,0.2,22.0,0.0,21.8,0.0,0.2,0.2,0.2,0.0,0.2,1.1,12.3,0.3,19.9,0.0,6.3,0.0,0.6,12.0,11.4,1.5,1.4,55.0,62.1,0.0,25.5,0.0,18.4,276.9]
+ [PKTLENS.....: 64,60,52,274,1492,1492,64,52,1492,52,1492,471,52,178,145,525,103,121,52,52,90,90,52,511,52,52,1046,134,52,94,52,1335]
+ [ENTROPIES...: 4.4,5.3,4.9,5.6,7.1,7.3,5.0,5.0,7.5,4.9,7.6,7.5,4.9,6.3,6.3,7.6,5.6,5.9,5.0,4.9,5.4,5.7,5.0,7.5,5.0,5.2,7.8,6.2,5.2,5.6,5.0,7.8]
+ analyse: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443] [TLS.Teams][Azure][Collaborative][Safe]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 8.978| 0.329| 1.582| 2503841.415| 0.800]
+ [PKTLEN......: 40.000| 1492.000| 339.200| 486.100| 236250.500| 3.900]
+ [BINS(c->s)..: 10,1,1,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 4,3,1,0,0,0,0,0,1,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,0,0,0,0,0,1,0,1,0,0,1,1,0,1,0,1,1,1,1,1]
+ [IATS(ms)....: 47.1,47.2,0.5,44.4,0.0,43.9,0.0,0.0,0.2,0.1,0.0,0.2,0.0,4.4,9.7,0.3,46.5,32.1,0.5,0.4,0.1,18.9,1.4,20.2,62.9,403.2,425.0,8978.2,0.0,0.0,0.0]
+ [PKTLENS.....: 64,52,40,276,1492,1492,52,40,40,1492,1492,309,40,40,198,133,568,91,40,109,40,78,46,409,40,46,1100,46,411,415,86,78]
+ [ENTROPIES...: 4.3,4.9,4.6,5.6,7.4,7.3,4.7,4.6,4.6,7.5,7.6,7.1,4.7,4.6,6.5,6.1,7.6,5.4,4.6,5.9,4.6,5.2,4.5,7.4,4.7,4.5,7.8,4.6,7.4,7.5,5.6,5.5]
+ new: [....60] [ip4][..tcp] [..151.11.50.139][.2222] -> [....192.168.1.6][54750] [MIDSTREAM]
+ new: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434]
+ detected: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org]
+ RISK: Known Proto on Non Std Port
+ detection-update: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org]
+ RISK: Known Proto on Non Std Port
+ new: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478]
+ new: [....63] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.123][.3478]
+ detected: [....63] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.123][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
+ new: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443]
+ new: [....65] [ip4][..udp] [....192.168.1.6][55765] -> [....192.168.1.1][...53]
+ detected: [....65] [ip4][..udp] [....192.168.1.6][55765] -> [....192.168.1.1][...53] [DNS.Azure][Unknown][Network][Acceptable][b-tr-teams-euno-05.northeurope.cloudapp.azure.com]
+ detection-update: [....65] [ip4][..udp] [....192.168.1.6][55765] -> [....192.168.1.1][...53] [DNS.Azure][Unknown][Network][Acceptable][b-tr-teams-euno-05.northeurope.cloudapp.azure.com]
+ detected: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ new: [....66] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.123][.3478]
+ detected: [....66] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.123][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
+ new: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443]
+ new: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478]
+ detected: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
+ detection-update: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ new: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478]
+ detected: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
+ detected: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ new: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478]
+ detected: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
+ new: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478]
+ detected: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
+ detection-update: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
+ detection-update: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
+ new: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443]
+ new: [....73] [ip4][..tcp] [....192.168.1.6][50036] -> [.52.114.250.153][..443]
+ detected: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][52.114.250.152]
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS
+ detected: [....73] [ip4][..tcp] [....192.168.1.6][50036] -> [.52.114.250.153][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][52.114.250.153]
+ RISK: HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS
+ detection-update: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443] [TLS.Teams][Azure][Collaborative][Safe][52.114.250.152]
+ RISK: TLS Cert Mismatch, TLS (probably) Not Carrying HTTPS
+ detection-update: [....73] [ip4][..tcp] [....192.168.1.6][50036] -> [.52.114.250.153][..443] [TLS.Teams][Azure][Collaborative][Safe][52.114.250.153]
+ RISK: TLS Cert Mismatch, TLS (probably) Not Carrying HTTPS
+ new: [....74] [ip4][..tcp] [....192.168.1.6][60567] -> [..52.114.77.136][..443]
+ new: [....75] [ip4][..udp] [....192.168.1.6][60837] -> [....192.168.1.1][...53]
+ detected: [....75] [ip4][..udp] [....192.168.1.6][60837] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][c-flightproxy-euno-01-teams.cloudapp.net]
+ detection-update: [....75] [ip4][..udp] [....192.168.1.6][60837] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][c-flightproxy-euno-01-teams.cloudapp.net]
+ detected: [....74] [ip4][..tcp] [....192.168.1.6][60567] -> [..52.114.77.136][..443] [TLS.Teams][Azure][Collaborative][Safe][api.flightproxy.teams.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [....74] [ip4][..tcp] [....192.168.1.6][60567] -> [..52.114.77.136][..443] [TLS.Teams][Azure][Collaborative][Safe][api.flightproxy.teams.microsoft.com]
+ RISK: TLS (probably) Not Carrying HTTPS
+ new: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005]
+ detected: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ new: [....77] [ip4][..udp] [....192.168.1.6][50036] -> [....192.168.0.4][50020]
+ detected: [....77] [ip4][..udp] [....192.168.1.6][50036] -> [....192.168.0.4][50020] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ new: [....78] [ip4][..udp] [..93.71.110.205][16332] -> [....192.168.1.6][50016]
+ detected: [....78] [ip4][..udp] [..93.71.110.205][16332] -> [....192.168.1.6][50016] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ new: [....79] [ip4][..udp] [..93.71.110.205][16333] -> [....192.168.1.6][50036]
+ detected: [....79] [ip4][..udp] [..93.71.110.205][16333] -> [....192.168.1.6][50036] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ detection-update: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
+ RISK: Unidirectional Traffic
+ detection-update: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
+ RISK: Unidirectional Traffic
+ detection-update: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
+ detection-update: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
+ new: [....80] [ip4][..udp] [..52.114.252.21][.3480] -> [....192.168.1.6][50036]
+ detected: [....80] [ip4][..udp] [..52.114.252.21][.3480] -> [....192.168.1.6][50036] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ new: [....81] [ip4][..udp] [...52.114.252.8][.3479] -> [....192.168.1.6][50016]
+ detected: [....81] [ip4][..udp] [...52.114.252.8][.3479] -> [....192.168.1.6][50016] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ analyse: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 1.567| 0.072| 0.275| 75449.426| 1.900]
+ [PKTLEN......: 40.000| 1492.000| 256.900| 427.000| 182315.300| 3.700]
+ [BINS(c->s)..: 15,1,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 4,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,0,0,0,0,1,1,0,0,1,0,0,0,1,1]
+ [IATS(ms)....: 45.0,45.1,0.2,47.4,47.2,0.2,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.0,8.0,0.0,0.0,52.4,1.2,45.6,48.6,92.2,43.7,69.1,0.3,113.5,1566.9]
+ [PKTLENS.....: 64,52,40,227,1492,52,1492,588,52,52,1492,588,52,40,588,166,40,40,40,147,46,85,46,91,40,141,224,40,71,40,46,46]
+ [ENTROPIES...: 4.4,4.9,4.5,5.4,7.5,4.6,7.4,6.2,4.7,4.7,7.7,7.0,4.7,4.5,7.6,6.6,4.4,4.5,4.5,6.4,4.5,5.8,4.6,5.4,4.6,6.4,6.9,4.5,5.4,4.4,4.6,4.6]
+ detection-update: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port, Unidirectional Traffic
+ detection-update: [....77] [ip4][..udp] [....192.168.1.6][50036] -> [....192.168.0.4][50020] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port, Unidirectional Traffic
+ new: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443]
+ detected: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net]
+ detection-update: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net]
+ new: [....83] [ip4][.icmp] [..93.71.110.205] -> [....192.168.1.6]
+ detected: [....83] [ip4][.icmp] [..93.71.110.205] -> [....192.168.1.6] [ICMP][Unknown][Network][Acceptable]
+ analyse: [....78] [ip4][..udp] [..93.71.110.205][16332] -> [....192.168.1.6][50016] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 1.168| 0.160| 0.366| 133702.353| 2.700]
+ [PKTLEN......: 66.000| 1242.000| 253.400| 374.400| 140199.200| 4.000]
+ [BINS(c->s)..: 0,2,16,4,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 0,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,1,0,1,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [IATS(ms)....: 24.8,0.2,101.3,1168.2,1167.0,967.1,50.8,1119.2,0.0,0.0,51.0,80.3,2.0,2.7,3.7,0.0,0.0,0.0,10.7,24.2,9.3,21.5,4.5,19.9,25.3,9.2,24.4,24.6,9.5,26.0,24.3]
+ [PKTLENS.....: 140,116,140,116,144,116,138,136,66,1242,1242,136,101,66,1242,1242,70,194,126,94,96,103,108,110,102,98,112,106,103,101,102,102]
+ [ENTROPIES...: 5.4,5.4,5.6,5.5,5.5,5.5,6.4,5.5,5.3,7.8,7.8,5.4,6.1,5.3,7.8,7.8,5.4,6.9,6.4,5.9,6.0,6.1,5.4,6.3,6.1,6.0,6.3,6.0,6.1,6.2,6.1,6.2]
+ idle: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443] [TLS.Teams][Azure][Collaborative][Safe]
+ RISK: TLS Cert Mismatch, TLS (probably) Not Carrying HTTPS
+ end: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe]
+ RISK: TLS (probably) Not Carrying HTTPS
+ end: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe]
+ RISK: TLS (probably) Not Carrying HTTPS
+ idle: [....83] [ip4][.icmp] [..93.71.110.205] -> [....192.168.1.6] [ICMP][Unknown][Network][Acceptable]
+ end: [....73] [ip4][..tcp] [....192.168.1.6][50036] -> [.52.114.250.153][..443] [TLS.Teams][Azure][Collaborative][Safe]
+ RISK: TLS Cert Mismatch, TLS (probably) Not Carrying HTTPS
+ idle: [.....5] [ip4][..tcp] [....192.168.1.6][60533] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe]
+ idle: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe]
+ idle: [....23] [ip4][..tcp] [....192.168.1.6][60542] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe]
+ idle: [....43] [ip4][..tcp] [....192.168.1.6][60554] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe]
+ RISK: TLS (probably) Not Carrying HTTPS
+ idle: [....47] [ip4][..tcp] [....192.168.1.6][60557] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe]
+ RISK: TLS (probably) Not Carrying HTTPS
+ idle: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port, Unidirectional Traffic
+ idle: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable]
+ idle: [....17] [ip4][..udp] [....192.168.1.6][63106] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe]
+ idle: [....77] [ip4][..udp] [....192.168.1.6][50036] -> [....192.168.0.4][50020] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port, Unidirectional Traffic
+ idle: [....38] [ip4][..udp] [....192.168.1.6][65230] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe]
+ idle: [....13] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable]
+ idle: [....36] [ip4][..udp] [....192.168.1.6][61245] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe]
+ RISK: Minor Issues
+ idle: [....16] [ip4][..udp] [....192.168.1.6][51033] -> [....192.168.1.1][...53] [DNS.Skype_Teams][Unknown][Network][Acceptable]
+ end: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe]
+ RISK: TLS (probably) Not Carrying HTTPS
+ end: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe]
+ RISK: TLS (probably) Not Carrying HTTPS
+ end: [.....9] [ip4][..tcp] [....192.168.1.6][60537] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe]
+ RISK: TLS (probably) Not Carrying HTTPS
+ idle: [....18] [ip4][..tcp] [....192.168.1.6][60538] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe]
+ idle: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable]
+ idle: [....24] [ip4][..udp] [....192.168.1.6][65387] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe]
+ idle: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe]
+ idle: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable]
+ end: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe]
+ RISK: TLS (probably) Not Carrying HTTPS
+ idle: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443] [TLS.Teams][Azure][Collaborative][Safe]
+ idle: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Azure][Collaborative][Safe]
+ idle: [....32] [ip4][..tcp] [....192.168.1.6][60547] -> [...52.114.88.59][..443] [TLS.Teams][Azure][Collaborative][Safe]
+ end: [....33] [ip4][..tcp] [....192.168.1.6][60548] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe]
+ RISK: TLS (probably) Not Carrying HTTPS
+ idle: [....40] [ip4][..tcp] [....192.168.1.6][60551] -> [...52.114.15.45][..443] [TLS.Teams][Azure][Collaborative][Safe]
+ RISK: TLS (probably) Not Carrying HTTPS
+ end: [....42] [ip4][..tcp] [....192.168.1.6][60552] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe]
+ RISK: TLS (probably) Not Carrying HTTPS
+ idle: [....45] [ip4][..tcp] [....192.168.1.6][60555] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe]
+ RISK: TLS (probably) Not Carrying HTTPS
+ end: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe]
+ RISK: TLS (probably) Not Carrying HTTPS
+ end: [....51] [ip4][..tcp] [....192.168.1.6][60561] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe]
+ RISK: TLS (probably) Not Carrying HTTPS
+ idle: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe]
+ idle: [....74] [ip4][..tcp] [....192.168.1.6][60567] -> [..52.114.77.136][..443] [TLS.Teams][Azure][Collaborative][Safe]
+ RISK: TLS (probably) Not Carrying HTTPS
+ idle: [.....1] [ip4][..udp] [....192.168.0.1][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable]
+ idle: [....11] [ip4][..udp] [....192.168.1.6][17500] -> [255.255.255.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
+ guessed: [.....2] [ip4][..tcp] [....192.168.1.6][58533] -> [.149.154.167.91][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Unidirectional Traffic
+ end: [.....2] [ip4][..tcp] [....192.168.1.6][58533] -> [.149.154.167.91][..443]
+ idle: [....34] [ip4][..udp] [....192.168.1.6][59403] -> [....192.168.1.1][...53] [DNS.Microsoft365][Unknown][Network][Acceptable]
+ idle: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Outlook][Collaborative][Acceptable]
+ idle: [....44] [ip4][..udp] [....192.168.1.6][51309] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable]
+ end: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe]
+ RISK: Known Proto on Non Std Port
+ idle: [....12] [ip4][..udp] [....192.168.1.6][17500] -> [..192.168.1.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
+ idle: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe]
+ RISK: Known Proto on Non Std Port
+ idle: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe]
+ guessed: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478] [Skype_TeamsCall][Azure][VoIP][Acceptable]
+ RISK: Susp Entropy
+ idle: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478]
+ idle: [....27] [ip4][..udp] [....192.168.1.6][57530] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe]
+ not-detected: [....60] [ip4][..tcp] [..151.11.50.139][.2222] -> [....192.168.1.6][54750] [Unknown][Unknown][Unrated]
+ idle: [....60] [ip4][..tcp] [..151.11.50.139][.2222] -> [....192.168.1.6][54750]
+ idle: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe]
+ idle: [....78] [ip4][..udp] [..93.71.110.205][16332] -> [....192.168.1.6][50016] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
+ idle: [....79] [ip4][..udp] [..93.71.110.205][16333] -> [....192.168.1.6][50036] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
+ idle: [....37] [ip4][..udp] [....192.168.1.6][53678] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe]
+ idle: [....56] [ip4][..udp] [....192.168.1.6][63930] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe]
+ idle: [....65] [ip4][..udp] [....192.168.1.6][55765] -> [....192.168.1.1][...53] [DNS.Azure][Unknown][Network][Acceptable]
+ idle: [....49] [ip4][..udp] [..192.168.1.112][57621] -> [..192.168.1.255][57621] [Spotify][Unknown][Music][Fun]
+ idle: [....29] [ip4][..tcp] [.162.125.19.131][..443] -> [....192.168.1.6][60344] [TLS][Dropbox][Web][Safe]
+ idle: [....10] [ip4][..udp] [....192.168.1.6][64046] -> [....192.168.1.1][...53] [DNS.ntop][Unknown][Network][Safe]
+ RISK: Error Code
+ idle: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable]
+ idle: [....63] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.123][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable]
+ idle: [....81] [ip4][..udp] [...52.114.252.8][.3479] -> [....192.168.1.6][50016] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
+ idle: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable]
+ idle: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable]
+ idle: [....66] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.123][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable]
+ idle: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable]
+ idle: [....80] [ip4][..udp] [..52.114.252.21][.3480] -> [....192.168.1.6][50036] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
+ idle: [....52] [ip4][..udp] [....192.168.1.6][54069] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable]
+ end: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable]
+ end: [....46] [ip4][..tcp] [....192.168.1.6][60556] -> [.....40.126.9.7][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable]
+ end: [....50] [ip4][..tcp] [....192.168.1.6][60560] -> [....40.126.9.67][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable]
+ end: [....14] [ip4][..tcp] [..93.62.150.157][..443] -> [....192.168.1.6][60512] [TLS][Unknown][Web][Safe]
+ idle: [....41] [ip4][..udp] [....192.168.1.6][58457] -> [....192.168.1.1][...53] [DNS.Microsoft365][Unknown][Network][Acceptable]
+ idle: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable]
+ idle: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable]
+ idle: [....54] [ip4][..udp] [....192.168.1.6][62735] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable]
+ idle: [....15] [ip4][..udp] [....192.168.1.6][56634] -> [....192.168.1.1][...53] [DNS.Apple][Unknown][Network][Safe]
+ idle: [.....3] [ip4][..udp] [....192.168.1.6][60813] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable]
+ idle: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe]
+ idle: [....75] [ip4][..udp] [....192.168.1.6][60837] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe]
+ idle: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable]
+ idle: [....39] [ip4][..udp] [....192.168.1.6][50653] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/stun_extra_dissection/lru_ipv6_caches.pcapng.out b/test/results/flow-info/stun_extra_dissection/lru_ipv6_caches.pcapng.out
new file mode 100644
index 000000000..f78bd9ee9
--- /dev/null
+++ b/test/results/flow-info/stun_extra_dissection/lru_ipv6_caches.pcapng.out
@@ -0,0 +1,77 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip6][..udp] [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] -> [20ed:470f:6f73:ce60:60be:8b4f:df37:b080][45658]
+ detected: [.....1] [ip6][..udp] [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] -> [20ed:470f:6f73:ce60:60be:8b4f:df37:b080][45658] [RTCP][Unknown][VoIP][Acceptable]
+ new: [.....2] [ip6][..udp] [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] -> [3024:e5ee:ac2f:cd76:5dd6:a7a1:f17f:5c27][60506]
+ detected: [.....2] [ip6][..udp] [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] -> [3024:e5ee:ac2f:cd76:5dd6:a7a1:f17f:5c27][60506] [BitTorrent][Unknown][Download][Acceptable]
+ RISK: Known Proto on Non Std Port
+ detection-update: [.....2] [ip6][..udp] [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] -> [3024:e5ee:ac2f:cd76:5dd6:a7a1:f17f:5c27][60506] [BitTorrent][Unknown][Download][Acceptable]
+ RISK: Known Proto on Non Std Port, Unidirectional Traffic
+ new: [.....3] [ip6][..udp] [.2a2f:8509:1cb2:466d:ecbf:69d6:109c:608][62229] -> [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881]
+ new: [.....4] [ip6][..udp] [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] -> [2fda:1f8a:c107:88a4:e509:d2e1:445f:f34c][.6881]
+ detected: [.....4] [ip6][..udp] [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] -> [2fda:1f8a:c107:88a4:e509:d2e1:445f:f34c][.6881] [BitTorrent][Unknown][Download][Acceptable]
+ RISK: Known Proto on Non Std Port
+ new: [.....5] [ip6][..udp] [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] -> [2c7f:d7a0:44a9:49e9:e586:fb7f:5b85:9c83][....1]
+ detected: [.....5] [ip6][..udp] [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] -> [2c7f:d7a0:44a9:49e9:e586:fb7f:5b85:9c83][....1] [BitTorrent][Unknown][Download][Acceptable]
+ RISK: Known Proto on Non Std Port
+ detected: [.....3] [ip6][..udp] [.2a2f:8509:1cb2:466d:ecbf:69d6:109c:608][62229] -> [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] [BitTorrent][Unknown][Download][Acceptable]
+ RISK: Known Proto on Non Std Port, Unidirectional Traffic
+ new: [.....6] [ip6][..udp] [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] -> [.38b2:46b7:27a4:94c3:c134:948:e069:d71f][....1]
+ detected: [.....6] [ip6][..udp] [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] -> [.38b2:46b7:27a4:94c3:c134:948:e069:d71f][....1] [BitTorrent][Unknown][Download][Acceptable]
+ RISK: Known Proto on Non Std Port
+ detection-update: [.....4] [ip6][..udp] [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] -> [2fda:1f8a:c107:88a4:e509:d2e1:445f:f34c][.6881] [BitTorrent][Unknown][Download][Acceptable]
+ RISK: Known Proto on Non Std Port, Unidirectional Traffic
+ new: [.....7] [ip6][..udp] [2118:ec33:112b:7908:2c80:27ff:fef7:d71f][48415] -> [....32fb:f967:681e:e96b:face:b00c::74fd][.3478]
+ detected: [.....7] [ip6][..udp] [2118:ec33:112b:7908:2c80:27ff:fef7:d71f][48415] -> [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][]
+ detection-update: [.....7] [ip6][..udp] [2118:ec33:112b:7908:2c80:27ff:fef7:d71f][48415] -> [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][]
+ RISK: Unidirectional Traffic
+ new: [.....8] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44144]
+ detected: [.....8] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44144] [TLS][Unknown][Web][Safe]
+ RISK: Unidirectional Traffic
+ detection-update: [.....8] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44144] [TLS.Cloudflare][Unknown][Web][Acceptable]
+ RISK: Unidirectional Traffic
+ new: [.....9] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44150]
+ detected: [.....9] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44150] [TLS.Cloudflare][Unknown][Web][Acceptable]
+ RISK: Unidirectional Traffic
+ detection-update: [.....9] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44150] [TLS.Cloudflare][Unknown][Web][Acceptable]
+ RISK: Unidirectional Traffic
+ detection-update: [.....6] [ip6][..udp] [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] -> [.38b2:46b7:27a4:94c3:c134:948:e069:d71f][....1] [BitTorrent][Unknown][Download][Acceptable]
+ RISK: Known Proto on Non Std Port, Unidirectional Traffic
+ new: [....10] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44192]
+ detected: [....10] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44192] [TLS.Cloudflare][Unknown][Web][Acceptable]
+ RISK: Unidirectional Traffic
+ detection-update: [....10] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44192] [TLS.Cloudflare][Unknown][Web][Acceptable]
+ RISK: Unidirectional Traffic
+ new: [....11] [ip6][..udp] [.3297:a1af:5121:cfc:360b:2e07:872f:1ea0][43865] -> [....32fb:f967:681e:e96b:face:b00c::74fd][.3478]
+ detected: [....11] [ip6][..udp] [.3297:a1af:5121:cfc:360b:2e07:872f:1ea0][43865] -> [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][]
+ detection-update: [....11] [ip6][..udp] [.3297:a1af:5121:cfc:360b:2e07:872f:1ea0][43865] -> [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][]
+ RISK: Unidirectional Traffic
+ new: [....12] [ip6][..udp] [.3069:c624:1d42:9469:98b1:67ff:fe43:325][56131] -> [....32fb:f967:681e:e96b:face:b00c::74fd][.3478]
+ detected: [....12] [ip6][..udp] [.3069:c624:1d42:9469:98b1:67ff:fe43:325][56131] -> [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][]
+ detection-update: [....12] [ip6][..udp] [.3069:c624:1d42:9469:98b1:67ff:fe43:325][56131] -> [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][]
+ RISK: Unidirectional Traffic
+ idle: [.....8] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44144] [TLS.Cloudflare][Unknown][Web][Acceptable]
+ RISK: Unidirectional Traffic
+ idle: [.....9] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44150] [TLS.Cloudflare][Unknown][Web][Acceptable]
+ RISK: Unidirectional Traffic
+ idle: [....10] [ip6][..tcp] [........................2001:db8:200::1][..443] -> [..........................2001:db8:1::1][44192] [TLS.Cloudflare][Unknown][Web][Acceptable]
+ RISK: Unidirectional Traffic
+ idle: [.....5] [ip6][..udp] [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] -> [2c7f:d7a0:44a9:49e9:e586:fb7f:5b85:9c83][....1] [BitTorrent][Unknown][Download][Acceptable]
+ RISK: Known Proto on Non Std Port
+ idle: [.....2] [ip6][..udp] [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] -> [3024:e5ee:ac2f:cd76:5dd6:a7a1:f17f:5c27][60506] [BitTorrent][Unknown][Download][Acceptable]
+ RISK: Known Proto on Non Std Port, Unidirectional Traffic
+ idle: [.....4] [ip6][..udp] [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] -> [2fda:1f8a:c107:88a4:e509:d2e1:445f:f34c][.6881] [BitTorrent][Unknown][Download][Acceptable]
+ RISK: Known Proto on Non Std Port, Unidirectional Traffic
+ idle: [.....6] [ip6][..udp] [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] -> [.38b2:46b7:27a4:94c3:c134:948:e069:d71f][....1] [BitTorrent][Unknown][Download][Acceptable]
+ RISK: Known Proto on Non Std Port, Unidirectional Traffic
+ idle: [.....7] [ip6][..udp] [2118:ec33:112b:7908:2c80:27ff:fef7:d71f][48415] -> [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable]
+ RISK: Unidirectional Traffic
+ idle: [....11] [ip6][..udp] [.3297:a1af:5121:cfc:360b:2e07:872f:1ea0][43865] -> [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable]
+ RISK: Unidirectional Traffic
+ idle: [.....1] [ip6][..udp] [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] -> [20ed:470f:6f73:ce60:60be:8b4f:df37:b080][45658] [RTCP][Unknown][VoIP][Acceptable]
+ idle: [....12] [ip6][..udp] [.3069:c624:1d42:9469:98b1:67ff:fe43:325][56131] -> [....32fb:f967:681e:e96b:face:b00c::74fd][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable]
+ RISK: Unidirectional Traffic
+ idle: [.....3] [ip6][..udp] [.2a2f:8509:1cb2:466d:ecbf:69d6:109c:608][62229] -> [.3991:72d:336e:65ec:c5bf:a5fa:83ad:23de][.6881] [BitTorrent][Unknown][Download][Acceptable]
+ RISK: Known Proto on Non Std Port, Unidirectional Traffic
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/stun_extra_dissection/stun_dtls_rtp.pcapng.out b/test/results/flow-info/stun_extra_dissection/stun_dtls_rtp.pcapng.out
new file mode 100644
index 000000000..69d1acfc7
--- /dev/null
+++ b/test/results/flow-info/stun_extra_dissection/stun_dtls_rtp.pcapng.out
@@ -0,0 +1,36 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..udp] [.192.168.12.156][37967] -> [..142.250.82.76][19305]
+ detected: [.....1] [ip4][..udp] [.192.168.12.156][37967] -> [..142.250.82.76][19305] [STUN.GoogleCall][Google][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ detection-update: [.....1] [ip4][..udp] [.192.168.12.156][37967] -> [..142.250.82.76][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable]
+ detection-update: [.....1] [ip4][..udp] [.192.168.12.156][37967] -> [..142.250.82.76][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable]
+ analyse: [.....1] [ip4][..udp] [.192.168.12.156][37967] -> [..142.250.82.76][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.258| 0.044| 0.058| 3387.402| 4.000]
+ [PKTLEN......: 68.000| 1231.000| 221.200| 244.400| 59721.800| 4.400]
+ [BINS(c->s)..: 0,0,10,5,1,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 0,1,5,4,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,1,0,0,1,1,1,0,1,0,1,0,1,0,0,0,0,1,1,1,0,1,1,0,0,0,0,0,1,0]
+ [IATS(ms)....: 23.5,57.2,58.6,110.3,0.4,107.9,0.1,0.0,31.9,33.2,42.6,42.8,84.1,83.2,24.8,0.6,0.4,2.5,24.8,0.1,0.1,34.2,28.1,7.9,22.9,203.2,6.7,19.6,19.9,258.1,19.4]
+ [PKTLENS.....: 144,128,185,1231,148,573,128,109,598,573,598,109,149,117,141,93,125,121,97,93,97,113,93,68,93,93,127,112,112,128,469,112]
+ [ENTROPIES...: 6.0,5.8,5.0,7.4,5.9,6.8,5.9,5.7,7.4,6.7,7.4,5.7,6.3,5.9,6.3,5.5,6.0,5.9,5.7,5.4,5.4,5.8,5.5,5.5,5.5,5.5,6.1,6.2,6.3,6.0,7.5,6.2]
+ DAEMON-EVENT: [Processed: 39 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 2|updates: 0]
+ new: [.....2] [ip4][..tcp] [.192.168.12.182][50221] -> [.142.250.82.249][.3478]
+ detected: [.....2] [ip4][..tcp] [.192.168.12.182][50221] -> [.142.250.82.249][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable][]
+ detection-update: [.....2] [ip4][..tcp] [.192.168.12.182][50221] -> [.142.250.82.249][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable][turn.l.google.com]
+ analyse: [.....2] [ip4][..tcp] [.192.168.12.182][50221] -> [.142.250.82.249][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: 0.000| 0.509| 0.047| 0.118| 13863.927| 2.800]
+ [PKTLEN......: 40.000| 696.000| 142.100| 150.700| 22704.000| 4.400]
+ [BINS(c->s)..: 8,0,0,2,5,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 6,1,2,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,0,0,1,1,0,1,0,1,0,0,0,1,1,0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1]
+ [IATS(ms)....: 3.0,4.7,0.3,0.2,5.0,0.0,4.1,4.1,3.9,466.7,509.5,1.2,0.2,46.6,1.1,55.4,53.6,7.4,0.0,8.6,49.7,55.5,0.2,49.0,10.1,51.4,4.5,8.0,5.7,16.6,19.1]
+ [PKTLENS.....: 52,52,40,40,68,40,120,192,116,40,180,196,148,172,84,40,40,140,204,236,40,172,40,696,40,172,140,648,40,160,40,160]
+ [ENTROPIES...: 4.8,5.0,4.8,4.8,5.3,4.8,5.8,6.2,5.8,4.8,6.0,6.2,6.0,6.1,5.9,5.0,4.9,6.1,6.2,5.4,5.0,6.1,5.0,6.6,4.9,6.1,6.0,7.4,4.8,6.0,5.0,5.9]
+ idle: [.....1] [ip4][..udp] [.192.168.12.156][37967] -> [..142.250.82.76][19305] [DTLS.GoogleCall][Google][VoIP][Acceptable]
+ idle: [.....2] [ip4][..tcp] [.192.168.12.182][50221] -> [.142.250.82.249][.3478] [STUN.GoogleCall][Google][VoIP][Acceptable]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/stun_extra_dissection/stun_zoom.pcapng.out b/test/results/flow-info/stun_extra_dissection/stun_zoom.pcapng.out
index 1c370f3c4..05276f928 100644
--- a/test/results/flow-info/stun_extra_dissection/stun_zoom.pcapng.out
+++ b/test/results/flow-info/stun_extra_dissection/stun_zoom.pcapng.out
@@ -18,7 +18,8 @@
detection-update: [.....1] [ip4][..udp] [.192.168.43.169][48854] -> [.134.224.90.111][.8801] [DTLS.Zoom][Zoom][Video][Acceptable]
detection-update: [.....2] [ip4][..udp] [.192.168.43.169][53065] -> [.134.224.90.111][.8801] [STUN][Zoom][Network][Acceptable][]
RISK: Known Proto on Non Std Port
- analyse: [.....2] [ip4][..udp] [.192.168.43.169][53065] -> [.134.224.90.111][.8801] [STUN][Zoom][Network][Acceptable]
+ detection-update: [.....2] [ip4][..udp] [.192.168.43.169][53065] -> [.134.224.90.111][.8801] [DTLS][Zoom][Network][Safe]
+ analyse: [.....2] [ip4][..udp] [.192.168.43.169][53065] -> [.134.224.90.111][.8801] [DTLS][Zoom][Network][Safe]
min| max| avg| stddev| variance| entropy
[IAT.........: < 0.001| 0.194| 0.048| 0.051| 2615.352| 4.100]
[PKTLEN......: 42.000| 1080.000| 270.100| 313.100| 98043.500| 4.300]
@@ -29,6 +30,5 @@
[PKTLENS.....: 184,184,184,184,92,184,217,217,184,184,217,92,92,92,184,192,78,92,1080,1080,1080,1080,399,186,92,92,186,92,186,95,101,42]
[ENTROPIES...: 5.8,5.8,5.8,5.8,5.6,5.8,5.2,5.2,5.9,5.8,5.2,5.7,5.6,5.7,5.9,5.3,4.1,5.7,7.0,7.3,7.3,7.4,7.2,6.1,5.7,5.7,6.1,5.7,6.1,5.4,6.0,4.3]
idle: [.....1] [ip4][..udp] [.192.168.43.169][48854] -> [.134.224.90.111][.8801] [DTLS.Zoom][Zoom][Video][Acceptable]
- idle: [.....2] [ip4][..udp] [.192.168.43.169][53065] -> [.134.224.90.111][.8801] [STUN][Zoom][Network][Acceptable]
- RISK: Known Proto on Non Std Port
+ idle: [.....2] [ip4][..udp] [.192.168.43.169][53065] -> [.134.224.90.111][.8801] [DTLS][Zoom][Network][Safe]
DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/stun_only_peer_address_enabled/stun_wa_call.pcapng.out b/test/results/flow-info/stun_only_peer_address_enabled/stun_wa_call.pcapng.out
new file mode 100644
index 000000000..31e08d37c
--- /dev/null
+++ b/test/results/flow-info/stun_only_peer_address_enabled/stun_wa_call.pcapng.out
@@ -0,0 +1,108 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..udp] [.192.168.12.156][46652] -> [..93.57.123.227][.3478]
+ detected: [.....1] [ip4][..udp] [.192.168.12.156][46652] -> [..93.57.123.227][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][]
+ detection-update: [.....1] [ip4][..udp] [.192.168.12.156][46652] -> [..93.57.123.227][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][]
+ RISK: Unidirectional Traffic
+ new: [.....2] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.203.62][.3478]
+ detected: [.....2] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.203.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ detection-update: [.....2] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.203.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ RISK: Unidirectional Traffic
+ new: [.....3] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.231.62][.3478]
+ detected: [.....3] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.231.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ detection-update: [.....3] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.231.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ RISK: Unidirectional Traffic
+ new: [.....4] [ip4][..udp] [.192.168.12.156][46652] -> [..157.240.21.51][.3478]
+ detected: [.....4] [ip4][..udp] [.192.168.12.156][46652] -> [..157.240.21.51][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ detection-update: [.....4] [ip4][..udp] [.192.168.12.156][46652] -> [..157.240.21.51][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ RISK: Unidirectional Traffic
+ new: [.....5] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.195.48][.3478]
+ detected: [.....5] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.195.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ detection-update: [.....5] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.195.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ RISK: Unidirectional Traffic
+ detection-update: [.....1] [ip4][..udp] [.192.168.12.156][46652] -> [..93.57.123.227][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][]
+ detection-update: [.....2] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.203.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ detection-update: [.....3] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.231.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ detection-update: [.....4] [ip4][..udp] [.192.168.12.156][46652] -> [..157.240.21.51][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ detection-update: [.....5] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.195.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ analyse: [.....1] [ip4][..udp] [.192.168.12.156][46652] -> [..93.57.123.227][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 2.505| 0.249| 0.601| 361608.839| 2.900]
+ [PKTLEN......: 48.000| 300.000| 146.400| 92.200| 8492.200| 4.700]
+ [BINS(c->s)..: 2,4,1,1,0,0,3,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 2,2,10,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,0,1,1,1,0,0,0,0,1,1,0,1,1,0,1,0,0,0,1,1,0,0,1,1,1,0,1,0,0,0,1]
+ [IATS(ms)....: 0.2,8.4,0.0,2463.7,2505.3,0.2,3.6,0.3,39.5,0.1,6.1,4.8,0.0,25.9,31.6,82.0,37.7,1.7,120.9,0.0,78.6,59.9,292.8,130.0,59.7,381.6,376.4,412.4,0.0,227.9,362.0]
+ [PKTLENS.....: 240,240,96,96,74,300,300,300,300,96,96,74,96,96,48,48,98,300,300,96,96,89,53,107,108,53,77,86,150,73,227,273]
+ [ENTROPIES...: 7.0,7.0,5.8,5.8,5.8,7.0,7.0,7.0,7.0,5.7,5.8,5.7,5.7,5.7,5.2,5.2,5.8,7.0,7.0,5.7,5.8,5.8,4.9,6.0,6.1,5.0,5.5,5.7,6.6,5.5,6.9,7.2]
+ new: [.....6] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.203.62][.3478]
+ detected: [.....6] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.203.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ detection-update: [.....6] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.203.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ RISK: Unidirectional Traffic
+ new: [.....7] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.231.62][.3478]
+ detected: [.....7] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.231.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ detection-update: [.....7] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.231.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ RISK: Unidirectional Traffic
+ new: [.....8] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.196.62][.3478]
+ detected: [.....8] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.196.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ detection-update: [.....8] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.196.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ RISK: Unidirectional Traffic
+ new: [.....9] [ip4][..udp] [.192.168.12.156][49526] -> [..179.60.192.48][.3478]
+ detected: [.....9] [ip4][..udp] [.192.168.12.156][49526] -> [..179.60.192.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ detection-update: [.....9] [ip4][..udp] [.192.168.12.156][49526] -> [..179.60.192.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ RISK: Unidirectional Traffic
+ new: [....10] [ip4][..udp] [.192.168.12.156][49526] -> [..185.60.216.51][.3478]
+ detected: [....10] [ip4][..udp] [.192.168.12.156][49526] -> [..185.60.216.51][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ detection-update: [....10] [ip4][..udp] [.192.168.12.156][49526] -> [..185.60.216.51][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ RISK: Unidirectional Traffic
+ detection-update: [.....6] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.203.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ detection-update: [.....7] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.231.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ detection-update: [....10] [ip4][..udp] [.192.168.12.156][49526] -> [..185.60.216.51][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ detection-update: [.....9] [ip4][..udp] [.192.168.12.156][49526] -> [..179.60.192.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ detection-update: [.....8] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.196.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable][]
+ analyse: [.....6] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.203.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.025| 0.011| 0.005| 24.788| 4.800]
+ [PKTLEN......: 48.000| 540.000| 284.500| 217.500| 47305.800| 4.600]
+ [BINS(c->s)..: 1,0,13,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1]
+ [IATS(ms)....: 0.1,8.3,0.0,10.1,8.1,24.5,25.3,11.6,10.1,12.8,14.4,10.6,10.6,10.6,10.5,16.3,6.1,16.2,5.9,10.0,9.7,10.6,11.3,10.7,10.5,10.8,10.6,10.2,10.7,11.3,11.5]
+ [PKTLENS.....: 300,300,96,96,92,540,92,540,92,540,92,540,92,540,92,540,48,92,48,540,92,540,92,540,92,540,92,540,92,540,92,540]
+ [ENTROPIES...: 7.0,7.0,5.8,5.7,5.7,1.5,5.8,1.5,5.6,1.5,5.6,1.5,5.7,1.5,5.6,1.5,5.2,5.7,5.1,1.5,5.7,1.5,5.7,1.5,5.6,1.5,5.7,1.5,5.8,1.5,5.7,1.5]
+ new: [....11] [ip4][..udp] [.192.168.12.156][49526] -> [...10.82.40.241][40436]
+ detected: [....11] [ip4][..udp] [.192.168.12.156][49526] -> [...10.82.40.241][40436] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ new: [....12] [ip4][..udp] [.192.168.12.156][49526] -> [...93.33.118.87][41107]
+ detected: [....12] [ip4][..udp] [.192.168.12.156][49526] -> [...93.33.118.87][41107] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ detection-update: [....12] [ip4][..udp] [.192.168.12.156][49526] -> [...93.33.118.87][41107] [SRTP.WhatsAppCall][Unknown][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
+ detection-update: [....11] [ip4][..udp] [.192.168.12.156][49526] -> [...10.82.40.241][40436] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port, Unidirectional Traffic
+ new: [....13] [ip4][.icmp] [..93.63.100.129] -> [.192.168.12.156]
+ detected: [....13] [ip4][.icmp] [..93.63.100.129] -> [.192.168.12.156] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
+ update: [.....2] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.203.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
+ update: [.....4] [ip4][..udp] [.192.168.12.156][46652] -> [..157.240.21.51][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
+ update: [.....5] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.195.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
+ update: [.....3] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.231.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
+ update: [.....1] [ip4][..udp] [.192.168.12.156][46652] -> [..93.57.123.227][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable]
+ idle: [....13] [ip4][.icmp] [..93.63.100.129] -> [.192.168.12.156] [ICMP][Unknown][Network][Acceptable]
+ RISK: Susp Entropy
+ idle: [.....7] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.231.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
+ idle: [.....8] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.196.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
+ idle: [.....6] [ip4][..udp] [.192.168.12.156][49526] -> [.157.240.203.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
+ idle: [....11] [ip4][..udp] [.192.168.12.156][49526] -> [...10.82.40.241][40436] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port, Unidirectional Traffic
+ idle: [....12] [ip4][..udp] [.192.168.12.156][49526] -> [...93.33.118.87][41107] [SRTP.WhatsAppCall][Unknown][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
+ idle: [.....9] [ip4][..udp] [.192.168.12.156][49526] -> [..179.60.192.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
+ idle: [....10] [ip4][..udp] [.192.168.12.156][49526] -> [..185.60.216.51][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
+ idle: [.....3] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.231.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
+ idle: [.....5] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.195.48][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
+ idle: [.....4] [ip4][..udp] [.192.168.12.156][46652] -> [..157.240.21.51][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
+ idle: [.....2] [ip4][..udp] [.192.168.12.156][46652] -> [.157.240.203.62][.3478] [STUN.WhatsAppCall][Facebook][VoIP][Acceptable]
+ idle: [.....1] [ip4][..udp] [.192.168.12.156][46652] -> [..93.57.123.227][.3478] [STUN.WhatsAppCall][Unknown][VoIP][Acceptable]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/stun_only_peer_address_enabled/telegram_videocall.pcapng.out b/test/results/flow-info/stun_only_peer_address_enabled/telegram_videocall.pcapng.out
new file mode 100644
index 000000000..98062635f
--- /dev/null
+++ b/test/results/flow-info/stun_only_peer_address_enabled/telegram_videocall.pcapng.out
@@ -0,0 +1,228 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip6][icmp6] [..............fe80::98df:58ff:fefa:ebdc] -> [................................ff02::2]
+ detected: [.....1] [ip6][icmp6] [..............fe80::98df:58ff:fefa:ebdc] -> [................................ff02::2] [ICMPV6][Unknown][Network][Acceptable]
+ new: [.....2] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500]
+ detected: [.....2] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
+ new: [.....3] [ip4][..tcp] [.192.168.12.169][37948] -> [.149.154.167.91][..443]
+ new: [.....4] [ip4][..tcp] [.192.168.12.169][37950] -> [.149.154.167.91][..443]
+ new: [.....5] [ip4][..tcp] [.192.168.12.169][46862] -> [.149.154.167.51][..443]
+ new: [.....6] [ip4][..tcp] [.192.168.12.169][46866] -> [.149.154.167.51][..443]
+ detected: [.....4] [ip4][..tcp] [.192.168.12.169][37950] -> [.149.154.167.91][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
+ detected: [.....5] [ip4][..tcp] [.192.168.12.169][46862] -> [.149.154.167.51][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
+ detected: [.....6] [ip4][..tcp] [.192.168.12.169][46866] -> [.149.154.167.51][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
+ analyse: [.....4] [ip4][..tcp] [.192.168.12.169][37950] -> [.149.154.167.91][..443] [Telegram][Telegram][Chat][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.127| 0.025| 0.031| 963.939| 3.900]
+ [PKTLEN......: 52.000| 1280.000| 541.900| 516.100| 266324.800| 4.300]
+ [BINS(c->s)..: 6,0,0,1,1,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 4,0,2,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,0,0,1,1,1,1,0,0,0,0,1,1,0,1,0,1,1,1,1,1,0,0,1,1,1,1,1]
+ [IATS(ms)....: 30.7,31.9,0.3,33.0,35.6,10.2,44.5,8.2,4.4,4.1,48.7,1.4,3.1,6.4,36.5,17.8,50.9,88.4,126.9,78.7,32.9,0.1,0.0,0.0,65.5,0.3,2.2,0.0,0.0,0.0,0.0]
+ [PKTLENS.....: 60,60,52,333,157,52,936,825,672,141,141,52,767,189,301,52,349,317,52,157,52,1280,1280,1280,1280,52,52,1280,1280,1280,1280,1280]
+ [ENTROPIES...: 4.8,5.2,5.2,7.3,6.7,5.1,7.8,7.7,7.7,6.6,6.6,5.1,7.7,6.9,7.2,5.2,7.4,7.3,5.3,6.7,5.3,7.9,7.8,7.9,7.8,5.2,5.2,7.8,7.8,7.9,7.9,7.8]
+ new: [.....7] [ip4][..tcp] [.192.168.12.169][40830] -> [149.154.167.222][..443]
+ new: [.....8] [ip4][..tcp] [.192.168.12.169][40832] -> [149.154.167.222][..443]
+ detected: [.....7] [ip4][..tcp] [.192.168.12.169][40830] -> [149.154.167.222][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
+ detected: [.....8] [ip4][..tcp] [.192.168.12.169][40832] -> [149.154.167.222][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
+ new: [.....9] [ip4][..tcp] [.192.168.12.169][40834] -> [149.154.167.222][..443]
+ detected: [.....9] [ip4][..tcp] [.192.168.12.169][40834] -> [149.154.167.222][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
+ analyse: [.....7] [ip4][..tcp] [.192.168.12.169][40830] -> [149.154.167.222][..443] [Telegram][Telegram][Chat][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.047| 0.009| 0.015| 220.392| 3.200]
+ [PKTLEN......: 52.000| 1280.000| 644.300| 571.900| 327061.800| 4.300]
+ [BINS(c->s)..: 9,0,0,0,0,1,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 2,0,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,0,0,1,1,1,0,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1]
+ [IATS(ms)....: 30.1,31.4,0.3,0.6,31.5,0.0,0.0,35.0,0.2,6.9,41.7,13.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,46.8,0.1,0.0,0.1,0.9,6.5,31.9,0.0,0.0,0.0,0.0]
+ [PKTLENS.....: 60,60,52,630,221,52,157,262,52,52,333,221,1280,1280,1280,1280,1280,1280,1280,1280,1280,52,52,52,52,52,285,1280,1280,1280,1280,1280]
+ [ENTROPIES...: 4.8,5.2,5.2,7.7,7.0,5.2,6.8,7.1,5.2,5.2,7.4,7.1,7.9,7.9,7.8,7.9,7.8,7.8,7.8,7.8,7.8,5.1,5.2,5.1,5.1,5.2,7.1,7.9,7.8,7.9,7.8,7.8]
+ new: [....10] [ip4][..tcp] [.192.168.12.169][37966] -> [.149.154.167.91][..443]
+ detected: [....10] [ip4][..tcp] [.192.168.12.169][37966] -> [.149.154.167.91][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
+ new: [....11] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353]
+ detected: [....11] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable][_ipps._tcp.local]
+ new: [....12] [ip4][..udp] [.192.168.12.169][40906] -> [....91.108.9.35][.1400]
+ detected: [....12] [ip4][..udp] [.192.168.12.169][40906] -> [....91.108.9.35][.1400] [STUN][Telegram][Network][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ new: [....13] [ip4][..udp] [.192.168.12.169][40906] -> [...91.108.13.23][.1400]
+ detected: [....13] [ip4][..udp] [.192.168.12.169][40906] -> [...91.108.13.23][.1400] [STUN][Telegram][Network][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ new: [....14] [ip4][..udp] [.192.168.12.169][40906] -> [....91.108.17.2][.1400]
+ detected: [....14] [ip4][..udp] [.192.168.12.169][40906] -> [....91.108.17.2][.1400] [STUN][Telegram][Network][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ new: [....15] [ip4][..udp] [.192.168.12.169][42197] -> [....91.108.9.35][.1400]
+ detected: [....15] [ip4][..udp] [.192.168.12.169][42197] -> [....91.108.9.35][.1400] [STUN][Telegram][Network][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ new: [....16] [ip4][..udp] [.192.168.12.169][42197] -> [...91.108.13.23][.1400]
+ detected: [....16] [ip4][..udp] [.192.168.12.169][42197] -> [...91.108.13.23][.1400] [STUN][Telegram][Network][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ new: [....17] [ip4][..udp] [.192.168.12.169][42197] -> [....91.108.17.2][.1400]
+ detected: [....17] [ip4][..udp] [.192.168.12.169][42197] -> [....91.108.17.2][.1400] [STUN][Telegram][Network][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ new: [....18] [ip4][..udp] [.192.168.12.169][40643] -> [....91.108.9.35][.1400]
+ detected: [....18] [ip4][..udp] [.192.168.12.169][40643] -> [....91.108.9.35][.1400] [STUN][Telegram][Network][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ new: [....19] [ip4][..udp] [.192.168.12.169][49667] -> [...91.108.13.23][.1400]
+ detected: [....19] [ip4][..udp] [.192.168.12.169][49667] -> [...91.108.13.23][.1400] [STUN][Telegram][Network][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ new: [....20] [ip4][..udp] [.192.168.12.169][49780] -> [....91.108.17.2][.1400]
+ detected: [....20] [ip4][..udp] [.192.168.12.169][49780] -> [....91.108.17.2][.1400] [STUN][Telegram][Network][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ new: [....21] [ip4][..udp] [.192.168.12.169][37849] -> [....91.108.9.35][.1400]
+ detected: [....21] [ip4][..udp] [.192.168.12.169][37849] -> [....91.108.9.35][.1400] [STUN][Telegram][Network][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ new: [....22] [ip4][..udp] [.192.168.12.169][37530] -> [...91.108.13.23][.1400]
+ detected: [....22] [ip4][..udp] [.192.168.12.169][37530] -> [...91.108.13.23][.1400] [STUN][Telegram][Network][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ new: [....23] [ip4][..udp] [.192.168.12.169][37444] -> [....91.108.17.2][.1400]
+ detected: [....23] [ip4][..udp] [.192.168.12.169][37444] -> [....91.108.17.2][.1400] [STUN][Telegram][Network][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ detection-update: [....21] [ip4][..udp] [.192.168.12.169][37849] -> [....91.108.9.35][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][telegram.org]
+ RISK: Known Proto on Non Std Port
+ detection-update: [....18] [ip4][..udp] [.192.168.12.169][40643] -> [....91.108.9.35][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][telegram.org]
+ RISK: Known Proto on Non Std Port
+ detection-update: [....19] [ip4][..udp] [.192.168.12.169][49667] -> [...91.108.13.23][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][telegram.org]
+ RISK: Known Proto on Non Std Port
+ detection-update: [....22] [ip4][..udp] [.192.168.12.169][37530] -> [...91.108.13.23][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][telegram.org]
+ RISK: Known Proto on Non Std Port
+ detection-update: [....20] [ip4][..udp] [.192.168.12.169][49780] -> [....91.108.17.2][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][telegram.org]
+ RISK: Known Proto on Non Std Port
+ detection-update: [....23] [ip4][..udp] [.192.168.12.169][37444] -> [....91.108.17.2][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][telegram.org]
+ RISK: Known Proto on Non Std Port
+ new: [....24] [ip4][..udp] [.192.168.12.169][42405] -> [..10.46.103.200][42554]
+ detected: [....24] [ip4][..udp] [.192.168.12.169][42405] -> [..10.46.103.200][42554] [STUN.TelegramVoip][Unknown][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ new: [....25] [ip4][..udp] [.192.168.12.169][40906] -> [..10.46.103.200][42554]
+ detected: [....25] [ip4][..udp] [.192.168.12.169][40906] -> [..10.46.103.200][42554] [STUN.TelegramVoip][Unknown][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ new: [....26] [ip4][..udp] [.192.168.12.169][42405] -> [...93.36.13.115][35393]
+ detected: [....26] [ip4][..udp] [.192.168.12.169][42405] -> [...93.36.13.115][35393] [STUN.TelegramVoip][Unknown][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ new: [....27] [ip4][..udp] [.192.168.12.169][40906] -> [...93.36.13.115][35393]
+ detected: [....27] [ip4][..udp] [.192.168.12.169][40906] -> [...93.36.13.115][35393] [STUN.TelegramVoip][Unknown][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ detection-update: [....24] [ip4][..udp] [.192.168.12.169][42405] -> [..10.46.103.200][42554] [STUN.TelegramVoip][Unknown][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port, Unidirectional Traffic
+ detection-update: [....25] [ip4][..udp] [.192.168.12.169][40906] -> [..10.46.103.200][42554] [STUN.TelegramVoip][Unknown][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port, Unidirectional Traffic
+ new: [....28] [ip6][icmp6] [...............fe80::abe:acff:fe0b:176e] -> [................................ff02::2]
+ detected: [....28] [ip6][icmp6] [...............fe80::abe:acff:fe0b:176e] -> [................................ff02::2] [ICMPV6][Unknown][Network][Acceptable]
+ analyse: [....26] [ip4][..udp] [.192.168.12.169][42405] -> [...93.36.13.115][35393] [STUN.TelegramVoip][Unknown][VoIP][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.475| 0.052| 0.095| 9109.989| 3.600]
+ [PKTLEN......: 49.000| 265.000| 106.200| 48.900| 2396.000| 4.900]
+ [BINS(c->s)..: 3,2,11,3,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 2,3,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,1,0,0,0,0,0,1,1,1,0,0,1,1,1,0,0,0,0,0,0,0,0,1,1,0,0,0,1,0]
+ [IATS(ms)....: 75.7,88.0,12.8,2.3,9.0,48.9,21.7,0.2,117.5,0.1,18.9,57.5,0.3,20.7,0.0,35.1,54.6,306.4,41.6,24.8,9.9,17.7,18.1,17.4,474.7,0.1,42.1,15.5,14.1,40.1,18.5]
+ [PKTLENS.....: 128,92,51,124,92,128,128,65,71,92,92,124,54,92,64,49,124,92,265,119,119,119,119,119,265,53,64,59,119,119,79,119]
+ [ENTROPIES...: 5.4,5.7,5.3,5.6,5.6,5.5,5.4,5.7,5.8,5.8,5.7,5.6,5.5,5.8,5.7,5.3,5.6,5.8,7.1,6.5,6.4,6.4,6.5,6.4,7.2,5.5,5.7,5.6,6.3,6.4,5.9,6.5]
+ new: [....29] [ip6][..udp] [...............fe80::abe:acff:fe0b:176e][.5353] -> [...............................ff02::fb][.5353]
+ detected: [....29] [ip6][..udp] [...............fe80::abe:acff:fe0b:176e][.5353] -> [...............................ff02::fb][.5353] [MDNS][Unknown][Network][Acceptable][_ipps._tcp.local]
+ new: [....30] [ip4][..tcp] [.192.168.12.169][40710] -> [....52.58.18.25][.5222] [MIDSTREAM]
+ detection-update: [....12] [ip4][..udp] [.192.168.12.169][40906] -> [....91.108.9.35][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ detection-update: [....15] [ip4][..udp] [.192.168.12.169][42197] -> [....91.108.9.35][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ detection-update: [....16] [ip4][..udp] [.192.168.12.169][42197] -> [...91.108.13.23][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ detection-update: [....13] [ip4][..udp] [.192.168.12.169][40906] -> [...91.108.13.23][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ detection-update: [....14] [ip4][..udp] [.192.168.12.169][40906] -> [....91.108.17.2][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ detection-update: [....17] [ip4][..udp] [.192.168.12.169][42197] -> [....91.108.17.2][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ update: [.....1] [ip6][icmp6] [..............fe80::98df:58ff:fefa:ebdc] -> [................................ff02::2] [ICMPV6][Unknown][Network][Acceptable]
+ analyse: [.....8] [ip4][..tcp] [.192.168.12.169][40832] -> [149.154.167.222][..443] [Telegram][Telegram][Chat][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 25.078| 1.818| 6.147| 37780767.900| 1.500]
+ [PKTLEN......: 52.000| 1280.000| 482.700| 530.000| 280877.200| 4.100]
+ [BINS(c->s)..: 14,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 2,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,0,0,1,1,1,1,1,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1]
+ [IATS(ms)....: 29.1,30.6,0.5,31.6,35.4,6.5,41.7,9.9,0.0,0.0,0.0,46.9,0.0,41.7,2909.6,2997.7,0.0,0.0,0.0,2.4,0.1,0.1,44.3,0.0,0.0,0.1,0.1,0.1,0.1,25044.9,25078.5]
+ [PKTLENS.....: 60,60,52,630,262,52,205,221,1280,1280,1280,700,52,52,52,381,1280,1280,1280,1280,1280,1280,680,52,52,52,52,52,52,52,52,52]
+ [ENTROPIES...: 4.9,5.3,5.2,7.6,7.1,5.1,6.9,7.0,7.8,7.8,7.8,7.7,5.2,5.1,5.1,7.5,7.8,7.9,7.8,7.9,7.8,7.8,7.7,5.2,5.0,5.1,5.1,5.2,5.2,5.1,5.1,5.2]
+ new: [....31] [ip4][.icmp] [.192.168.12.169] -> [....91.108.9.35]
+ detected: [....31] [ip4][.icmp] [.192.168.12.169] -> [....91.108.9.35] [ICMP][Telegram][Network][Acceptable]
+ RISK: Susp Entropy
+ new: [....32] [ip4][.icmp] [.192.168.12.169] -> [...91.108.13.23]
+ detected: [....32] [ip4][.icmp] [.192.168.12.169] -> [...91.108.13.23] [ICMP][Telegram][Network][Acceptable]
+ RISK: Susp Entropy
+ new: [....33] [ip4][.icmp] [.192.168.12.169] -> [....91.108.17.2]
+ detected: [....33] [ip4][.icmp] [.192.168.12.169] -> [....91.108.17.2] [ICMP][Telegram][Network][Acceptable]
+ RISK: Susp Entropy
+ new: [....34] [ip4][..tcp] [..18.195.162.93][..443] -> [.192.168.12.169][38956] [MIDSTREAM]
+ detected: [....34] [ip4][..tcp] [..18.195.162.93][..443] -> [.192.168.12.169][38956] [TLS][AmazonAWS][Web][Safe]
+ guessed: [.....3] [ip4][..tcp] [.192.168.12.169][37948] -> [.149.154.167.91][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: TCP Connection Issues
+ end: [.....3] [ip4][..tcp] [.192.168.12.169][37948] -> [.149.154.167.91][..443]
+ idle: [.....4] [ip4][..tcp] [.192.168.12.169][37950] -> [.149.154.167.91][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
+ idle: [....10] [ip4][..tcp] [.192.168.12.169][37966] -> [.149.154.167.91][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
+ idle: [....18] [ip4][..udp] [.192.168.12.169][40643] -> [....91.108.9.35][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
+ idle: [....28] [ip6][icmp6] [...............fe80::abe:acff:fe0b:176e] -> [................................ff02::2] [ICMPV6][Unknown][Network][Acceptable]
+ idle: [.....2] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
+ idle: [....14] [ip4][..udp] [.192.168.12.169][40906] -> [....91.108.17.2][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
+ idle: [....13] [ip4][..udp] [.192.168.12.169][40906] -> [...91.108.13.23][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
+ idle: [....12] [ip4][..udp] [.192.168.12.169][40906] -> [....91.108.9.35][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
+ idle: [....24] [ip4][..udp] [.192.168.12.169][42405] -> [..10.46.103.200][42554] [STUN.TelegramVoip][Unknown][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port, Unidirectional Traffic
+ idle: [....11] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
+ idle: [.....1] [ip6][icmp6] [..............fe80::98df:58ff:fefa:ebdc] -> [................................ff02::2] [ICMPV6][Unknown][Network][Acceptable]
+ idle: [....29] [ip6][..udp] [...............fe80::abe:acff:fe0b:176e][.5353] -> [...............................ff02::fb][.5353] [MDNS][Unknown][Network][Acceptable]
+ end: [.....5] [ip4][..tcp] [.192.168.12.169][46862] -> [.149.154.167.51][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
+ end: [.....6] [ip4][..tcp] [.192.168.12.169][46866] -> [.149.154.167.51][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
+ end: [.....7] [ip4][..tcp] [.192.168.12.169][40830] -> [149.154.167.222][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
+ end: [.....8] [ip4][..tcp] [.192.168.12.169][40832] -> [149.154.167.222][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
+ idle: [.....9] [ip4][..tcp] [.192.168.12.169][40834] -> [149.154.167.222][..443] [Telegram][Telegram][Chat][Acceptable]
+ RISK: Susp Entropy
+ idle: [....19] [ip4][..udp] [.192.168.12.169][49667] -> [...91.108.13.23][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
+ idle: [....25] [ip4][..udp] [.192.168.12.169][40906] -> [..10.46.103.200][42554] [STUN.TelegramVoip][Unknown][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port, Unidirectional Traffic
+ idle: [....23] [ip4][..udp] [.192.168.12.169][37444] -> [....91.108.17.2][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
+ idle: [....26] [ip4][..udp] [.192.168.12.169][42405] -> [...93.36.13.115][35393] [STUN.TelegramVoip][Unknown][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
+ idle: [....20] [ip4][..udp] [.192.168.12.169][49780] -> [....91.108.17.2][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
+ idle: [....33] [ip4][.icmp] [.192.168.12.169] -> [....91.108.17.2] [ICMP][Telegram][Network][Acceptable]
+ RISK: Susp Entropy
+ idle: [....32] [ip4][.icmp] [.192.168.12.169] -> [...91.108.13.23] [ICMP][Telegram][Network][Acceptable]
+ RISK: Susp Entropy
+ idle: [....31] [ip4][.icmp] [.192.168.12.169] -> [....91.108.9.35] [ICMP][Telegram][Network][Acceptable]
+ RISK: Susp Entropy
+ idle: [....22] [ip4][..udp] [.192.168.12.169][37530] -> [...91.108.13.23][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
+ end: [....34] [ip4][..tcp] [..18.195.162.93][..443] -> [.192.168.12.169][38956] [TLS][AmazonAWS][Web][Safe]
+ guessed: [....30] [ip4][..tcp] [.192.168.12.169][40710] -> [....52.58.18.25][.5222] [AmazonAWS][AmazonAWS][Cloud][Acceptable]
+ idle: [....30] [ip4][..tcp] [.192.168.12.169][40710] -> [....52.58.18.25][.5222]
+ idle: [....21] [ip4][..udp] [.192.168.12.169][37849] -> [....91.108.9.35][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
+ idle: [....27] [ip4][..udp] [.192.168.12.169][40906] -> [...93.36.13.115][35393] [STUN.TelegramVoip][Unknown][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
+ idle: [....17] [ip4][..udp] [.192.168.12.169][42197] -> [....91.108.17.2][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
+ idle: [....16] [ip4][..udp] [.192.168.12.169][42197] -> [...91.108.13.23][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
+ idle: [....15] [ip4][..udp] [.192.168.12.169][42197] -> [....91.108.9.35][.1400] [STUN.TelegramVoip][Telegram][VoIP][Acceptable]
+ RISK: Known Proto on Non Std Port
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/subclassification_disable/anydesk.pcapng.out b/test/results/flow-info/subclassification_disable/anydesk.pcapng.out
new file mode 100644
index 000000000..f83683ddf
--- /dev/null
+++ b/test/results/flow-info/subclassification_disable/anydesk.pcapng.out
@@ -0,0 +1,83 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..tcp] [192.168.149.129][36351] -> [..51.83.239.144][...80] [MIDSTREAM]
+ detected: [.....1] [ip4][..tcp] [192.168.149.129][36351] -> [..51.83.239.144][...80] [TLS][AnyDesk][Web][Safe]
+ RISK: Known Proto on Non Std Port
+ new: [.....2] [ip4][..tcp] [192.168.149.129][43535] -> [..51.83.238.219][...80]
+ detected: [.....2] [ip4][..tcp] [192.168.149.129][43535] -> [..51.83.238.219][...80] [TLS][AnyDesk][Web][Safe][]
+ RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
+ detection-update: [.....2] [ip4][..tcp] [192.168.149.129][43535] -> [..51.83.238.219][...80] [TLS][AnyDesk][Web][Safe][]
+ RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
+ detection-update: [.....2] [ip4][..tcp] [192.168.149.129][43535] -> [..51.83.238.219][...80] [TLS.AnyDesk][AnyDesk][RemoteAccess][Acceptable][]
+ RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Desktop/File Sharing
+ analyse: [.....2] [ip4][..tcp] [192.168.149.129][43535] -> [..51.83.238.219][...80] [TLS.AnyDesk][AnyDesk][RemoteAccess][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 1.603| 0.177| 0.394| 155451.113| 2.800]
+ [PKTLEN......: 40.000| 1500.000| 392.700| 555.200| 308238.000| 3.800]
+ [BINS(c->s)..: 8,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,2,0,0]
+ [BINS(s->c)..: 9,2,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,2,0,0,0,0,1,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,1,1]
+ [IATS(ms)....: 164.8,164.9,0.6,1.1,165.0,165.4,0.5,0.5,0.3,0.3,1.8,2.0,164.9,165.2,0.2,0.2,0.2,0.3,218.6,218.7,0.6,0.9,1215.5,1216.3,0.0,0.1,0.9,0.0,0.0,1602.9,0.1]
+ [PKTLENS.....: 60,46,40,303,46,1340,40,1340,40,46,40,1134,46,91,40,80,40,186,46,186,40,111,46,119,1500,1500,1242,46,46,46,1500,1180]
+ [ENTROPIES...: 4.8,4.9,4.8,5.4,4.4,7.5,4.8,7.8,4.8,4.6,4.7,7.6,4.4,5.8,4.8,5.8,4.8,6.7,4.4,6.8,4.8,6.3,4.4,6.4,7.9,7.9,7.8,4.4,4.4,4.4,7.9,7.8]
+ DAEMON-EVENT: [Processed: 61 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 2 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 2|updates: 0]
+ new: [.....3] [ip4][..udp] [..192.168.1.187][59511] -> [....192.168.1.1][...53]
+ detected: [.....3] [ip4][..udp] [..192.168.1.187][59511] -> [....192.168.1.1][...53] [DNS.AnyDesk][Unknown][Network][Acceptable][relay-3185a847.net.anydesk.com]
+ detection-update: [.....3] [ip4][..udp] [..192.168.1.187][59511] -> [....192.168.1.1][...53] [DNS.AnyDesk][Unknown][Network][Acceptable][relay-3185a847.net.anydesk.com]
+ new: [.....4] [ip4][..udp] [..192.168.1.187][55376] -> [....192.168.1.1][...53]
+ detected: [.....4] [ip4][..udp] [..192.168.1.187][55376] -> [....192.168.1.1][...53] [DNS.AnyDesk][Unknown][Network][Acceptable][relay-9b6827f2.net.anydesk.com]
+ detection-update: [.....4] [ip4][..udp] [..192.168.1.187][55376] -> [....192.168.1.1][...53] [DNS.AnyDesk][Unknown][Network][Acceptable][relay-9b6827f2.net.anydesk.com]
+ idle: [.....1] [ip4][..tcp] [192.168.149.129][36351] -> [..51.83.239.144][...80] [TLS][AnyDesk][Web][Safe]
+ RISK: Known Proto on Non Std Port
+ idle: [.....2] [ip4][..tcp] [192.168.149.129][43535] -> [..51.83.238.219][...80] [TLS.AnyDesk][AnyDesk][RemoteAccess][Acceptable]
+ RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Desktop/File Sharing
+ new: [.....5] [ip4][..tcp] [..192.168.1.187][54164] -> [..192.168.1.178][.7070]
+ detected: [.....5] [ip4][..tcp] [..192.168.1.187][54164] -> [..192.168.1.178][.7070] [TLS][Unknown][Web][Safe][]
+ RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
+ detection-update: [.....5] [ip4][..tcp] [..192.168.1.187][54164] -> [..192.168.1.178][.7070] [TLS.AnyDesk][Unknown][RemoteAccess][Acceptable][]
+ RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Desktop/File Sharing
+ new: [.....6] [ip4][..tcp] [..192.168.1.178][52039] -> [..192.168.1.187][.7070]
+ detected: [.....6] [ip4][..tcp] [..192.168.1.178][52039] -> [..192.168.1.187][.7070] [TLS][Unknown][Web][Safe][]
+ RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
+ detection-update: [.....6] [ip4][..tcp] [..192.168.1.178][52039] -> [..192.168.1.187][.7070] [TLS.AnyDesk][Unknown][RemoteAccess][Acceptable][]
+ RISK: Known Proto on Non Std Port, Weak TLS Cipher, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Desktop/File Sharing
+ analyse: [.....5] [ip4][..tcp] [..192.168.1.187][54164] -> [..192.168.1.178][.7070] [TLS.AnyDesk][Unknown][RemoteAccess][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: 0.000| 3.022| 0.410| 0.826| 682181.919| 2.900]
+ [PKTLEN......: 40.000| 3966.000| 306.300| 747.400| 558552.100| 3.100]
+ [BINS(c->s)..: 6,4,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1]
+ [BINS(s->c)..: 11,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,1,1,1,0,0,1,1,0,1,1,0,0,1,1,1,0,1,1,0,0,1,0]
+ [IATS(ms)....: 0.5,0.5,0.3,0.4,0.3,10.5,0.0,10.9,39.6,40.3,8.7,0.0,9.5,516.9,517.5,1.6,27.8,26.2,2.4,56.3,902.9,957.3,0.0,0.0,1754.2,1753.7,16.4,71.2,2966.8,3021.8,4.0]
+ [PKTLENS.....: 52,52,40,285,46,46,1500,183,40,1326,46,954,80,40,87,46,75,74,46,74,40,3966,46,46,46,79,46,141,40,99,46,116]
+ [ENTROPIES...: 4.5,4.7,4.7,5.4,4.2,4.3,7.7,6.2,4.7,7.7,4.3,7.8,5.6,4.6,5.7,4.2,5.5,5.6,4.3,5.6,4.7,8.0,4.2,4.3,4.2,5.7,4.3,6.5,4.6,6.0,4.3,6.2]
+ DAEMON-EVENT: [Processed: 120 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 4 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 6|updates: 0]
+ new: [.....7] [ip4][..tcp] [..192.168.1.128][48260] -> [195.181.174.176][..443]
+ detected: [.....7] [ip4][..tcp] [..192.168.1.128][48260] -> [195.181.174.176][..443] [TLS.AnyDesk][Unknown][RemoteAccess][Acceptable][]
+ RISK: Missing SNI TLS Extn, Desktop/File Sharing, Uncommon TLS ALPN
+ detection-update: [.....7] [ip4][..tcp] [..192.168.1.128][48260] -> [195.181.174.176][..443] [TLS.AnyDesk][Unknown][RemoteAccess][Acceptable][]
+ RISK: Missing SNI TLS Extn, Desktop/File Sharing, Uncommon TLS ALPN
+ detection-update: [.....7] [ip4][..tcp] [..192.168.1.128][48260] -> [195.181.174.176][..443] [TLS.AnyDesk][Unknown][RemoteAccess][Acceptable][]
+ RISK: Missing SNI TLS Extn, Desktop/File Sharing, Uncommon TLS ALPN
+ analyse: [.....7] [ip4][..tcp] [..192.168.1.128][48260] -> [195.181.174.176][..443] [TLS.AnyDesk][Unknown][RemoteAccess][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 8.445| 0.583| 2.064| 4258557.067| 1.500]
+ [PKTLEN......: 52.000| 1500.000| 328.900| 495.500| 245485.500| 3.800]
+ [BINS(c->s)..: 8,0,2,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,2,0,0]
+ [BINS(s->c)..: 7,4,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,1,0,0,1,1]
+ [IATS(ms)....: 17.7,17.8,0.9,17.8,3.4,20.3,0.1,0.0,3.8,21.9,18.1,0.1,0.0,0.9,64.2,13.4,76.8,1.5,18.4,206.6,224.8,0.0,0.0,18.7,0.0,62.8,0.0,80.2,8427.9,8444.6,314.0]
+ [PKTLENS.....: 60,60,52,341,52,1500,52,1132,52,1146,103,52,92,52,199,52,198,52,137,52,145,1500,1500,1273,52,52,92,90,52,137,52,145]
+ [ENTROPIES...: 4.8,5.3,5.1,5.6,5.1,7.5,5.1,7.7,5.1,7.7,6.0,5.1,6.1,5.1,6.9,5.2,6.9,5.2,6.6,5.2,6.6,7.9,7.9,7.8,5.2,5.2,6.1,5.9,5.1,6.5,5.2,6.6]
+ end: [.....6] [ip4][..tcp] [..192.168.1.178][52039] -> [..192.168.1.187][.7070] [TLS.AnyDesk][Unknown][RemoteAccess][Acceptable]
+ RISK: Known Proto on Non Std Port, Weak TLS Cipher, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Desktop/File Sharing
+ idle: [.....5] [ip4][..tcp] [..192.168.1.187][54164] -> [..192.168.1.178][.7070] [TLS.AnyDesk][Unknown][RemoteAccess][Acceptable]
+ RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Desktop/File Sharing
+ idle: [.....4] [ip4][..udp] [..192.168.1.187][55376] -> [....192.168.1.1][...53] [DNS.AnyDesk][Unknown][Network][Acceptable]
+ idle: [.....3] [ip4][..udp] [..192.168.1.187][59511] -> [....192.168.1.1][...53] [DNS.AnyDesk][Unknown][Network][Acceptable]
+ idle: [.....7] [ip4][..tcp] [..192.168.1.128][48260] -> [195.181.174.176][..443] [TLS.AnyDesk][Unknown][RemoteAccess][Acceptable]
+ RISK: Missing SNI TLS Extn, Desktop/File Sharing, Uncommon TLS ALPN
+ DAEMON-EVENT: shutdown
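Review bot: The expected output committed under `subclassification_disable/` still records subclassified protocols (`TLS.AnyDesk` at the detection-update for flow 2 and flows 5–7, `DNS.AnyDesk` for flows 3–4), which is at odds with what the directory name promises; the same applies to the `HTTP.Google`, `QUIC.Facebook` and `TLS.Cloudflare` lines in the new http, quic-mvfst-27 and tls_ech files in this directory. If the config behind that directory only disables DNS subclassification (the rename from `dns_subclassification_disable/` suggests the scope was widened rather than kept), these fixtures are fine and a one-line note in the directory's config saying which protocols it disables would stop the next reader from flagging the same thing; if it is meant to disable subclassification globally, these files are freezing a regression as the expected result and should be regenerated after the config is checked. The `DNS.AnyDesk` lines in particular are worth a second look, since the renamed dns.pcap.out was presumably produced with DNS subclassification off.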
diff --git a/test/results/flow-info/dns_subclassification_disable/dns.pcap.out b/test/results/flow-info/subclassification_disable/dns.pcap.out
index 9f35988ab..9f35988ab 100644
--- a/test/results/flow-info/dns_subclassification_disable/dns.pcap.out
+++ b/test/results/flow-info/subclassification_disable/dns.pcap.out
diff --git a/test/results/flow-info/subclassification_disable/http.pcapng.out b/test/results/flow-info/subclassification_disable/http.pcapng.out
new file mode 100644
index 000000000..b36af79c7
--- /dev/null
+++ b/test/results/flow-info/subclassification_disable/http.pcapng.out
@@ -0,0 +1,7 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..tcp] [..192.168.1.128][42170] -> [.216.58.208.142][...80]
+ detected: [.....1] [ip4][..tcp] [..192.168.1.128][42170] -> [.216.58.208.142][...80] [HTTP.Google][Google][Web][Acceptable][google.com]
+ end: [.....1] [ip4][..tcp] [..192.168.1.128][42170] -> [.216.58.208.142][...80] [HTTP.Google][Google][Web][Acceptable]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/subclassification_disable/quic-mvfst-27.pcapng.out b/test/results/flow-info/subclassification_disable/quic-mvfst-27.pcapng.out
new file mode 100644
index 000000000..ffd1d5b83
--- /dev/null
+++ b/test/results/flow-info/subclassification_disable/quic-mvfst-27.pcapng.out
@@ -0,0 +1,5 @@
+ DAEMON-EVENT: init
+ new: [.....1] [ip4][..udp] [......10.0.2.15][35957] -> [..69.171.250.15][..443]
+ detected: [.....1] [ip4][..udp] [......10.0.2.15][35957] -> [..69.171.250.15][..443] [QUIC.Facebook][Facebook][SocialNetwork][Fun][graph.facebook.com]
+ idle: [.....1] [ip4][..udp] [......10.0.2.15][35957] -> [..69.171.250.15][..443] [QUIC.Facebook][Facebook][SocialNetwork][Fun]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/subclassification_disable/tls_ech.pcapng.out b/test/results/flow-info/subclassification_disable/tls_ech.pcapng.out
new file mode 100644
index 000000000..4151d5f6e
--- /dev/null
+++ b/test/results/flow-info/subclassification_disable/tls_ech.pcapng.out
@@ -0,0 +1,8 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip6][..tcp] [..2001:b07:a3d:c112:ce16:b409:3d0a:9177][47460] -> [...................2606:4700::6812:1e4e][..443]
+ detected: [.....1] [ip6][..tcp] [..2001:b07:a3d:c112:ce16:b409:3d0a:9177][47460] -> [...................2606:4700::6812:1e4e][..443] [TLS.Cloudflare][Cloudflare][Web][Acceptable][performance.radar.cloudflare.com]
+ detection-update: [.....1] [ip6][..tcp] [..2001:b07:a3d:c112:ce16:b409:3d0a:9177][47460] -> [...................2606:4700::6812:1e4e][..443] [TLS.Cloudflare][Cloudflare][Web][Acceptable][performance.radar.cloudflare.com]
+ idle: [.....1] [ip6][..tcp] [..2001:b07:a3d:c112:ce16:b409:3d0a:9177][47460] -> [...................2606:4700::6812:1e4e][..443] [TLS.Cloudflare][Cloudflare][Web][Acceptable]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/zoom_extra_dissection/zoom.pcap.out b/test/results/flow-info/zoom_extra_dissection/zoom.pcap.out
new file mode 100644
index 000000000..8c9028cdc
--- /dev/null
+++ b/test/results/flow-info/zoom_extra_dissection/zoom.pcap.out
@@ -0,0 +1,230 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..tcp] [..192.168.1.117][54854] -> [..172.217.21.72][..443] [MIDSTREAM]
+ detected: [.....1] [ip4][..tcp] [..192.168.1.117][54854] -> [..172.217.21.72][..443] [TLS.GoogleServices][Google][Web][Acceptable][www.googletagmanager.com]
+ RISK: Obsolete TLS (v1.1 or older)
+ new: [.....2] [ip4][..udp] [..192.168.1.117][.5353] -> [....224.0.0.251][.5353]
+ detected: [.....2] [ip4][..udp] [..192.168.1.117][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable][_spotify-connect._tcp.local]
+ new: [.....3] [ip4][..tcp] [..192.168.1.117][54863] -> [.167.99.215.164][.4434]
+ detected: [.....3] [ip4][..tcp] [..192.168.1.117][54863] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org]
+ RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS
+ detection-update: [.....3] [ip4][..tcp] [..192.168.1.117][54863] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org]
+ RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS
+ ERROR-EVENT: Unknown packet type [1/16]
+ new: [.....4] [ip4][..tcp] [..192.168.1.117][54341] -> [.62.149.152.153][..993] [MIDSTREAM]
+ detected: [.....4] [ip4][..tcp] [..192.168.1.117][54341] -> [.62.149.152.153][..993] [IMAPS][Unknown][Email][Safe]
+ detection-update: [.....1] [ip4][..tcp] [..192.168.1.117][54854] -> [..172.217.21.72][..443] [TLS.GoogleServices][Google][Web][Acceptable][www.googletagmanager.com]
+ RISK: Obsolete TLS (v1.1 or older), Unidirectional Traffic
+ new: [.....5] [ip4][..udp] [..192.168.1.117][57025] -> [239.255.255.250][.1900]
+ detected: [.....5] [ip4][..udp] [..192.168.1.117][57025] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900]
+ new: [.....6] [ip4][..udp] [..192.168.1.117][..137] -> [..192.168.1.255][..137]
+ detected: [.....6] [ip4][..udp] [..192.168.1.117][..137] -> [..192.168.1.255][..137] [NetBIOS][Unknown][System][Acceptable][workgroup]
+ new: [.....7] [ip4][..udp] [..192.168.1.117][64352] -> [....192.168.1.1][...53]
+ detected: [.....7] [ip4][..udp] [..192.168.1.117][64352] -> [....192.168.1.1][...53] [DNS.Zoom][Unknown][Network][Acceptable][log.zoom.us]
+ detection-update: [.....7] [ip4][..udp] [..192.168.1.117][64352] -> [....192.168.1.1][...53] [DNS.Zoom][Unknown][Network][Acceptable][log.zoom.us]
+ new: [.....8] [ip4][..tcp] [..192.168.1.117][54864] -> [..52.202.62.238][..443]
+ new: [.....9] [ip4][..udp] [..192.168.1.117][65394] -> [....192.168.1.1][...53]
+ detected: [.....9] [ip4][..udp] [..192.168.1.117][65394] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][local]
+ detection-update: [.....9] [ip4][..udp] [..192.168.1.117][65394] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][local]
+ RISK: Error Code
+ new: [....10] [ip4][.icmp] [..192.168.1.117] -> [....192.168.1.1]
+ detected: [....10] [ip4][.icmp] [..192.168.1.117] -> [....192.168.1.1] [ICMP][Unknown][Network][Acceptable]
+ new: [....11] [ip4][..tcp] [..192.168.1.117][54798] -> [..13.225.84.182][..443] [MIDSTREAM]
+ detected: [.....8] [ip4][..tcp] [..192.168.1.117][54864] -> [..52.202.62.238][..443] [TLS.Zoom][Zoom][Video][Acceptable][log.zoom.us]
+ new: [....12] [ip4][..udp] [..192.168.1.117][23903] -> [..162.255.37.14][.3478]
+ detected: [....12] [ip4][..udp] [..192.168.1.117][23903] -> [..162.255.37.14][.3478] [STUN.Zoom][Zoom][Video][Acceptable][]
+ detection-update: [.....8] [ip4][..tcp] [..192.168.1.117][54864] -> [..52.202.62.238][..443] [TLS.Zoom][Zoom][Video][Acceptable][log.zoom.us]
+ detection-update: [.....8] [ip4][..tcp] [..192.168.1.117][54864] -> [..52.202.62.238][..443] [TLS.Zoom][Zoom][Video][Acceptable][log.zoom.us]
+ new: [....13] [ip4][..udp] [..192.168.1.117][23903] -> [..162.255.38.14][.3478]
+ detected: [....13] [ip4][..udp] [..192.168.1.117][23903] -> [..162.255.38.14][.3478] [STUN.Zoom][Zoom][Video][Acceptable][]
+ new: [....14] [ip4][..udp] [..192.168.1.117][23903] -> [..162.255.38.14][.3479]
+ detected: [....14] [ip4][..udp] [..192.168.1.117][23903] -> [..162.255.38.14][.3479] [STUN.Zoom][Zoom][Video][Acceptable][]
+ RISK: Known Proto on Non Std Port
+ new: [....15] [ip4][..tcp] [..192.168.1.117][53867] -> [..104.199.65.42][...80] [MIDSTREAM]
+ new: [....16] [ip4][..tcp] [..192.168.1.117][53872] -> [..35.186.224.53][..443] [MIDSTREAM]
+ detected: [....16] [ip4][..tcp] [..192.168.1.117][53872] -> [..35.186.224.53][..443] [TLS][GoogleCloud][Web][Safe]
+ RISK: Unidirectional Traffic
+ detection-update: [....16] [ip4][..tcp] [..192.168.1.117][53872] -> [..35.186.224.53][..443] [TLS][GoogleCloud][Web][Safe]
+ new: [....17] [ip4][.icmp] [..192.168.1.117] -> [..162.255.38.14]
+ detected: [....17] [ip4][.icmp] [..192.168.1.117] -> [..162.255.38.14] [ICMP][Zoom][Network][Acceptable]
+ ERROR-EVENT: Unknown packet type [2/16]
+ new: [....18] [ip4][..udp] [....192.168.0.1][...68] -> [255.255.255.255][...67]
+ detected: [....18] [ip4][..udp] [....192.168.0.1][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable][tl-sg116e]
+ new: [....19] [ip4][..tcp] [..192.168.1.117][54865] -> [..52.202.62.196][..443]
+ new: [....20] [ip4][..udp] [..192.168.1.117][62988] -> [....192.168.1.1][...53]
+ detected: [....20] [ip4][..udp] [..192.168.1.117][62988] -> [....192.168.1.1][...53] [DNS.Zoom][Unknown][Network][Acceptable][www3.zoom.us]
+ detection-update: [....20] [ip4][..udp] [..192.168.1.117][62988] -> [....192.168.1.1][...53] [DNS.Zoom][Unknown][Network][Acceptable][www3.zoom.us]
+ new: [....21] [ip4][..tcp] [..192.168.1.117][54866] -> [..52.202.62.236][..443]
+ detected: [....19] [ip4][..tcp] [..192.168.1.117][54865] -> [..52.202.62.196][..443] [TLS.Zoom][Zoom][Video][Acceptable][zoom.us]
+ detected: [....21] [ip4][..tcp] [..192.168.1.117][54866] -> [..52.202.62.236][..443] [TLS.Zoom][Zoom][Video][Acceptable][www3.zoom.us]
+ detection-update: [....19] [ip4][..tcp] [..192.168.1.117][54865] -> [..52.202.62.196][..443] [TLS.Zoom][Zoom][Video][Acceptable][zoom.us]
+ detection-update: [....19] [ip4][..tcp] [..192.168.1.117][54865] -> [..52.202.62.196][..443] [TLS.Zoom][Zoom][Video][Acceptable][zoom.us]
+ detection-update: [....21] [ip4][..tcp] [..192.168.1.117][54866] -> [..52.202.62.236][..443] [TLS.Zoom][Zoom][Video][Acceptable][www3.zoom.us]
+ detection-update: [....21] [ip4][..tcp] [..192.168.1.117][54866] -> [..52.202.62.236][..443] [TLS.Zoom][Zoom][Video][Acceptable][www3.zoom.us]
+ analyse: [....21] [ip4][..tcp] [..192.168.1.117][54866] -> [..52.202.62.236][..443] [TLS.Zoom][Zoom][Video][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.211| 0.038| 0.059| 3527.760| 3.300]
+ [PKTLEN......: 40.000| 1492.000| 663.000| 660.100| 435695.100| 4.200]
+ [BINS(c->s)..: 11,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 3,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,11,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,1,0,0,0,1,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0]
+ [IATS(ms)....: 112.4,112.5,31.1,144.0,1.8,0.2,0.0,114.8,0.2,0.2,7.2,2.9,121.9,111.9,4.3,0.0,116.6,98.0,0.5,0.0,210.7,0.0,0.2,0.1,0.2,0.1,0.1,0.2,0.1,0.0,0.1]
+ [PKTLENS.....: 64,52,40,557,46,1492,1492,1492,40,1292,40,40,231,91,40,731,850,46,1492,1492,1492,40,40,1492,1492,40,1492,1492,40,1492,445,40]
+ [ENTROPIES...: 4.4,4.9,4.5,4.1,4.5,7.1,7.3,7.3,4.7,7.6,4.6,4.7,6.9,5.7,4.7,7.7,7.7,4.5,7.9,7.9,7.9,4.7,4.6,7.9,7.9,4.7,7.9,7.9,4.6,7.9,7.5,4.6]
+ new: [....22] [ip4][..udp] [..192.168.1.117][57621] -> [..192.168.1.255][57621]
+ detected: [....22] [ip4][..udp] [..192.168.1.117][57621] -> [..192.168.1.255][57621] [Spotify][Unknown][Music][Fun]
+ new: [....23] [ip4][..udp] [..192.168.1.117][62563] -> [....192.168.1.1][...53]
+ detected: [....23] [ip4][..udp] [..192.168.1.117][62563] -> [....192.168.1.1][...53] [DNS.Zoom][Unknown][Network][Acceptable][zoomfr85zc.zoom.us]
+ new: [....24] [ip4][..udp] [..192.168.1.117][58063] -> [....192.168.1.1][...53]
+ detected: [....24] [ip4][..udp] [..192.168.1.117][58063] -> [....192.168.1.1][...53] [DNS.Zoom][Unknown][Network][Acceptable][zoomfr84zc.zoom.us]
+ new: [....25] [ip4][..tcp] [..192.168.1.117][54867] -> [.213.19.144.105][..443]
+ new: [....26] [ip4][..tcp] [..192.168.1.117][54868] -> [.213.19.144.104][..443]
+ detection-update: [....23] [ip4][..udp] [..192.168.1.117][62563] -> [....192.168.1.1][...53] [DNS.Zoom][Unknown][Network][Acceptable][zoomfr85zc.zoom.us]
+ new: [....27] [ip4][..tcp] [..192.168.1.117][54869] -> [.213.244.140.85][..443]
+ detected: [....25] [ip4][..tcp] [..192.168.1.117][54867] -> [.213.19.144.105][..443] [TLS.Zoom][Zoom][Video][Acceptable][zoomam105zc.zoom.us]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [....24] [ip4][..udp] [..192.168.1.117][58063] -> [....192.168.1.1][...53] [DNS.Zoom][Unknown][Network][Acceptable][zoomfr84zc.zoom.us]
+ new: [....28] [ip4][..tcp] [..192.168.1.117][54870] -> [.213.244.140.84][..443]
+ detected: [....26] [ip4][..tcp] [..192.168.1.117][54868] -> [.213.19.144.104][..443] [TLS.Zoom][Zoom][Video][Acceptable][zoomam104zc.zoom.us]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detected: [....27] [ip4][..tcp] [..192.168.1.117][54869] -> [.213.244.140.85][..443] [TLS.Zoom][Zoom][Video][Acceptable][zoomfr85zc.zoom.us]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detected: [....28] [ip4][..tcp] [..192.168.1.117][54870] -> [.213.244.140.84][..443] [TLS.Zoom][Zoom][Video][Acceptable][zoomfr84zc.zoom.us]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [....25] [ip4][..tcp] [..192.168.1.117][54867] -> [.213.19.144.105][..443] [TLS.Zoom][Zoom][Video][Acceptable][zoomam105zc.zoom.us]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [....27] [ip4][..tcp] [..192.168.1.117][54869] -> [.213.244.140.85][..443] [TLS.Zoom][Zoom][Video][Acceptable][zoomfr85zc.zoom.us]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [....25] [ip4][..tcp] [..192.168.1.117][54867] -> [.213.19.144.105][..443] [TLS.Zoom][Zoom][Video][Acceptable][zoomam105zc.zoom.us]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [....26] [ip4][..tcp] [..192.168.1.117][54868] -> [.213.19.144.104][..443] [TLS.Zoom][Zoom][Video][Acceptable][zoomam104zc.zoom.us]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [....27] [ip4][..tcp] [..192.168.1.117][54869] -> [.213.244.140.85][..443] [TLS.Zoom][Zoom][Video][Acceptable][zoomfr85zc.zoom.us]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [....28] [ip4][..tcp] [..192.168.1.117][54870] -> [.213.244.140.84][..443] [TLS.Zoom][Zoom][Video][Acceptable][zoomfr84zc.zoom.us]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [....26] [ip4][..tcp] [..192.168.1.117][54868] -> [.213.19.144.104][..443] [TLS.Zoom][Zoom][Video][Acceptable][zoomam104zc.zoom.us]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [....28] [ip4][..tcp] [..192.168.1.117][54870] -> [.213.244.140.84][..443] [TLS.Zoom][Zoom][Video][Acceptable][zoomfr84zc.zoom.us]
+ RISK: TLS (probably) Not Carrying HTTPS
+ new: [....29] [ip4][..udp] [..192.168.1.117][51185] -> [....192.168.1.1][...53]
+ detected: [....29] [ip4][..udp] [..192.168.1.117][51185] -> [....192.168.1.1][...53] [DNS.Zoom][Unknown][Network][Acceptable][zoomfrn99mmr.zoom.us]
+ detection-update: [....29] [ip4][..udp] [..192.168.1.117][51185] -> [....192.168.1.1][...53] [DNS.Zoom][Unknown][Network][Acceptable][zoomfrn99mmr.zoom.us]
+ new: [....30] [ip4][..tcp] [..192.168.1.117][54871] -> [..109.94.160.99][..443]
+ detected: [....30] [ip4][..tcp] [..192.168.1.117][54871] -> [..109.94.160.99][..443] [TLS.Zoom][Unknown][Video][Acceptable][zoomfrn99mmr.zoom.us]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [....30] [ip4][..tcp] [..192.168.1.117][54871] -> [..109.94.160.99][..443] [TLS.Zoom][Unknown][Video][Acceptable][zoomfrn99mmr.zoom.us]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [....30] [ip4][..tcp] [..192.168.1.117][54871] -> [..109.94.160.99][..443] [TLS.Zoom][Unknown][Video][Acceptable][zoomfrn99mmr.zoom.us]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [.....4] [ip4][..tcp] [..192.168.1.117][54341] -> [.62.149.152.153][..993] [IMAPS][Unknown][Email][Safe]
+ RISK: Unidirectional Traffic
+ analyse: [....30] [ip4][..tcp] [..192.168.1.117][54871] -> [..109.94.160.99][..443] [TLS.Zoom][Unknown][Video][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.156| 0.028| 0.040| 1628.090| 3.800]
+ [PKTLEN......: 52.000| 1492.000| 420.500| 552.400| 305116.100| 3.900]
+ [BINS(c->s)..: 10,1,0,1,2,1,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
+ [BINS(s->c)..: 4,1,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,4,0,0]
+ [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,1,1,0,0,1,0,0,1,0,0,0,1,1,0,1,0,1,1,0,0,0,0]
+ [IATS(ms)....: 31.6,31.8,0.2,32.7,2.0,0.1,0.0,34.5,0.0,10.5,0.0,10.6,60.1,93.9,33.8,0.4,31.3,30.9,4.6,0.0,36.6,6.2,38.2,156.1,156.1,0.1,0.0,0.1,10.6,59.1,3.1]
+ [PKTLENS.....: 64,60,52,569,52,1492,1492,1268,52,52,1492,79,52,178,294,52,192,118,52,1492,533,52,90,52,1317,52,1492,146,52,90,202,223]
+ [ENTROPIES...: 4.4,5.3,5.0,4.3,5.2,7.1,7.3,7.3,5.0,5.1,7.6,5.6,5.1,6.6,7.1,5.1,6.9,6.3,5.1,7.9,7.6,5.1,5.9,5.1,7.9,5.1,7.9,6.6,5.1,5.8,6.9,7.0]
+ new: [....31] [ip4][..udp] [..192.168.1.117][58327] -> [..109.94.160.99][.8801]
+ detected: [....31] [ip4][..udp] [..192.168.1.117][58327] -> [..109.94.160.99][.8801] [Zoom][Unknown][Video][Acceptable]
+ ERROR-EVENT: Unknown packet type [3/16]
+ new: [....32] [ip4][..udp] [..192.168.1.117][60620] -> [..109.94.160.99][.8801]
+ detected: [....32] [ip4][..udp] [..192.168.1.117][60620] -> [..109.94.160.99][.8801] [Zoom][Unknown][Video][Acceptable]
+ analyse: [....31] [ip4][..udp] [..192.168.1.117][58327] -> [..109.94.160.99][.8801] [Zoom][Unknown][Video][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.036| 0.010| 0.009| 72.691| 4.500]
+ [PKTLEN......: 41.000| 1057.000| 872.800| 383.700| 147246.200| 4.800]
+ [BINS(c->s)..: 1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]
+ [IATS(ms)....: 32.0,0.0,32.2,4.7,35.6,13.8,10.3,10.2,10.0,0.1,10.1,10.3,10.0,10.0,0.1,9.9,10.2,10.3,10.3,0.1,10.1,10.0,10.1,10.5,0.0,10.0,10.3,9.7,10.3,0.4,9.8]
+ [PKTLENS.....: 135,63,46,41,91,71,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057]
+ [ENTROPIES...: 5.9,4.8,4.4,4.6,5.1,4.8,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5]
+ new: [....33] [ip4][..udp] [..192.168.1.117][61731] -> [..109.94.160.99][.8801]
+ detected: [....33] [ip4][..udp] [..192.168.1.117][61731] -> [..109.94.160.99][.8801] [Zoom][Unknown][Video][Acceptable]
+ DAEMON-EVENT: [Processed: 697 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 33 / 33|skipped: 0|!detected: 0|guessed: 0|detection-updates: 26|updates: 0]
+ ERROR-EVENT: Unknown packet type [1/16]
+ ERROR-EVENT: Unknown packet type [2/16]
+ ERROR-EVENT: Unknown packet type [3/16]
+ ERROR-EVENT: Unknown packet type [4/16]
+ ERROR-EVENT: Unknown packet type [5/16]
+ ERROR-EVENT: Unknown packet type [6/16]
+ ERROR-EVENT: Unknown packet type [7/16]
+ ERROR-EVENT: Unknown packet type [8/16]
+ ERROR-EVENT: Unknown packet type [9/16]
+ ERROR-EVENT: Unknown packet type [10/16]
+ ERROR-EVENT: Unknown packet type [11/16]
+ ERROR-EVENT: Unknown packet type [12/16]
+ ERROR-EVENT: Unknown packet type [13/16]
+ ERROR-EVENT: Unknown packet type [14/16]
+ ERROR-EVENT: Unknown packet type [15/16]
+ ERROR-EVENT: Unknown packet type [16/16]
+ ERROR-EVENT: Unknown packet type [1/16]
+ ERROR-EVENT: Unknown packet type [2/16]
+ ERROR-EVENT: Unknown packet type [3/16]
+ ERROR-EVENT: Unknown packet type [4/16]
+ ERROR-EVENT: Unknown packet type [5/16]
+ ERROR-EVENT: Unknown packet type [6/16]
+ ERROR-EVENT: Unknown packet type [7/16]
+ ERROR-EVENT: Unknown packet type [8/16]
+ ERROR-EVENT: Unknown packet type [9/16]
+ ERROR-EVENT: Unknown packet type [10/16]
+ ERROR-EVENT: Unknown packet type [11/16]
+ ERROR-EVENT: Unknown packet type [12/16]
+ ERROR-EVENT: Unknown packet type [13/16]
+ ERROR-EVENT: Unknown packet type [14/16]
+ ERROR-EVENT: Unknown packet type [15/16]
+ ERROR-EVENT: Unknown packet type [16/16]
+ idle: [....17] [ip4][.icmp] [..192.168.1.117] -> [..162.255.38.14] [ICMP][Zoom][Network][Acceptable]
+ idle: [.....9] [ip4][..udp] [..192.168.1.117][65394] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable]
+ RISK: Error Code
+ idle: [....18] [ip4][..udp] [....192.168.0.1][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable]
+ idle: [....10] [ip4][.icmp] [..192.168.1.117] -> [....192.168.1.1] [ICMP][Unknown][Network][Acceptable]
+ guessed: [....11] [ip4][..tcp] [..192.168.1.117][54798] -> [..13.225.84.182][..443] [TLS][AmazonAWS][Web][Safe]
+ RISK: TCP Connection Issues
+ end: [....11] [ip4][..tcp] [..192.168.1.117][54798] -> [..13.225.84.182][..443]
+ idle: [....29] [ip4][..udp] [..192.168.1.117][51185] -> [....192.168.1.1][...53] [DNS.Zoom][Unknown][Network][Acceptable]
+ idle: [.....1] [ip4][..tcp] [..192.168.1.117][54854] -> [..172.217.21.72][..443] [TLS.GoogleServices][Google][Web][Acceptable]
+ RISK: Obsolete TLS (v1.1 or older), Unidirectional Traffic
+ idle: [.....6] [ip4][..udp] [..192.168.1.117][..137] -> [..192.168.1.255][..137] [NetBIOS][Unknown][System][Acceptable]
+ idle: [....33] [ip4][..udp] [..192.168.1.117][61731] -> [..109.94.160.99][.8801] [Zoom][Unknown][Video][Acceptable]
+ guessed: [....15] [ip4][..tcp] [..192.168.1.117][53867] -> [..104.199.65.42][...80] [HTTP][Google][Web][Acceptable][]
+ idle: [....15] [ip4][..tcp] [..192.168.1.117][53867] -> [..104.199.65.42][...80]
+ idle: [.....8] [ip4][..tcp] [..192.168.1.117][54864] -> [..52.202.62.238][..443] [TLS.Zoom][Zoom][Video][Acceptable]
+ idle: [....19] [ip4][..tcp] [..192.168.1.117][54865] -> [..52.202.62.196][..443] [TLS.Zoom][Zoom][Video][Acceptable]
+ idle: [....21] [ip4][..tcp] [..192.168.1.117][54866] -> [..52.202.62.236][..443] [TLS.Zoom][Zoom][Video][Acceptable]
+ idle: [....13] [ip4][..udp] [..192.168.1.117][23903] -> [..162.255.38.14][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
+ idle: [....12] [ip4][..udp] [..192.168.1.117][23903] -> [..162.255.37.14][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
+ idle: [....14] [ip4][..udp] [..192.168.1.117][23903] -> [..162.255.38.14][.3479] [STUN.Zoom][Zoom][Video][Acceptable]
+ RISK: Known Proto on Non Std Port
+ idle: [.....2] [ip4][..udp] [..192.168.1.117][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
+ idle: [....22] [ip4][..udp] [..192.168.1.117][57621] -> [..192.168.1.255][57621] [Spotify][Unknown][Music][Fun]
+ end: [.....3] [ip4][..tcp] [..192.168.1.117][54863] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe]
+ RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS
+ idle: [....24] [ip4][..udp] [..192.168.1.117][58063] -> [....192.168.1.1][...53] [DNS.Zoom][Unknown][Network][Acceptable]
+ end: [....25] [ip4][..tcp] [..192.168.1.117][54867] -> [.213.19.144.105][..443] [TLS.Zoom][Zoom][Video][Acceptable]
+ RISK: TLS (probably) Not Carrying HTTPS
+ end: [....26] [ip4][..tcp] [..192.168.1.117][54868] -> [.213.19.144.104][..443] [TLS.Zoom][Zoom][Video][Acceptable]
+ RISK: TLS (probably) Not Carrying HTTPS
+ idle: [.....7] [ip4][..udp] [..192.168.1.117][64352] -> [....192.168.1.1][...53] [DNS.Zoom][Unknown][Network][Acceptable]
+ idle: [....31] [ip4][..udp] [..192.168.1.117][58327] -> [..109.94.160.99][.8801] [Zoom][Unknown][Video][Acceptable]
+ end: [....27] [ip4][..tcp] [..192.168.1.117][54869] -> [.213.244.140.85][..443] [TLS.Zoom][Zoom][Video][Acceptable]
+ RISK: TLS (probably) Not Carrying HTTPS
+ end: [....28] [ip4][..tcp] [..192.168.1.117][54870] -> [.213.244.140.84][..443] [TLS.Zoom][Zoom][Video][Acceptable]
+ RISK: TLS (probably) Not Carrying HTTPS
+ idle: [....23] [ip4][..udp] [..192.168.1.117][62563] -> [....192.168.1.1][...53] [DNS.Zoom][Unknown][Network][Acceptable]
+ idle: [.....4] [ip4][..tcp] [..192.168.1.117][54341] -> [.62.149.152.153][..993] [IMAPS][Unknown][Email][Safe]
+ RISK: Unidirectional Traffic
+ idle: [....32] [ip4][..udp] [..192.168.1.117][60620] -> [..109.94.160.99][.8801] [Zoom][Unknown][Video][Acceptable]
+ idle: [.....5] [ip4][..udp] [..192.168.1.117][57025] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable]
+ idle: [....16] [ip4][..tcp] [..192.168.1.117][53872] -> [..35.186.224.53][..443] [TLS][GoogleCloud][Web][Safe]
+ idle: [....30] [ip4][..tcp] [..192.168.1.117][54871] -> [..109.94.160.99][..443] [TLS.Zoom][Unknown][Video][Acceptable]
+ RISK: TLS (probably) Not Carrying HTTPS
+ idle: [....20] [ip4][..udp] [..192.168.1.117][62988] -> [....192.168.1.1][...53] [DNS.Zoom][Unknown][Network][Acceptable]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/zoom_extra_dissection/zoom2.pcap.out b/test/results/flow-info/zoom_extra_dissection/zoom2.pcap.out
new file mode 100644
index 000000000..c5c434804
--- /dev/null
+++ b/test/results/flow-info/zoom_extra_dissection/zoom2.pcap.out
@@ -0,0 +1,61 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..tcp] [..192.168.1.178][50076] -> [.144.195.73.154][..443]
+ detected: [.....1] [ip4][..tcp] [..192.168.1.178][50076] -> [.144.195.73.154][..443] [TLS.Zoom][Zoom][Video][Acceptable][zoomsjccv154mmr.sjc.zoom.us]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [.....1] [ip4][..tcp] [..192.168.1.178][50076] -> [.144.195.73.154][..443] [TLS.Zoom][Zoom][Video][Acceptable][zoomsjccv154mmr.sjc.zoom.us]
+ RISK: TLS (probably) Not Carrying HTTPS
+ detection-update: [.....1] [ip4][..tcp] [..192.168.1.178][50076] -> [.144.195.73.154][..443] [TLS.Zoom][Zoom][Video][Acceptable][zoomsjccv154mmr.sjc.zoom.us]
+ RISK: TLS (probably) Not Carrying HTTPS
+ new: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801]
+ detected: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
+ detection-update: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
+ RISK: Unidirectional Traffic
+ detection-update: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
+ analyse: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.167| 0.025| 0.040| 1639.456| 3.600]
+ [PKTLEN......: 46.000| 1064.000| 704.700| 464.600| 215864.300| 4.600]
+ [BINS(c->s)..: 0,0,0,2,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 2,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,0,1,1,0,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]
+ [IATS(ms)....: 101.4,166.6,0.0,73.0,12.3,100.4,0.0,101.8,73.0,11.9,4.9,10.9,10.5,10.1,0.2,9.2,10.4,10.3,11.4,0.0,0.3,9.4,8.6,5.4,4.9,0.1,10.8,10.0,10.5,9.4,0.2]
+ [PKTLENS.....: 151,151,72,46,156,156,72,46,156,88,88,1064,1064,1064,1064,1064,1064,1064,1064,1064,1064,1064,1064,1064,88,1064,1064,1064,1064,1064,1064,1064]
+ [ENTROPIES...: 5.8,5.8,4.9,4.2,5.4,5.6,4.8,4.3,5.6,4.7,4.7,0.6,0.6,0.6,0.6,0.6,0.6,0.6,0.6,0.6,0.6,0.6,0.6,0.6,4.8,0.6,0.6,0.6,0.6,0.6,0.6,0.6]
+ new: [.....3] [ip4][..udp] [..192.168.1.178][58117] -> [.144.195.73.154][.8801]
+ detected: [.....3] [ip4][..udp] [..192.168.1.178][58117] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
+ detection-update: [.....3] [ip4][..udp] [..192.168.1.178][58117] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
+ RISK: Unidirectional Traffic
+ new: [.....4] [ip4][..udp] [..192.168.1.178][57953] -> [.144.195.73.154][.8801]
+ detected: [.....4] [ip4][..udp] [..192.168.1.178][57953] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
+ detection-update: [.....3] [ip4][..udp] [..192.168.1.178][58117] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
+ detection-update: [.....4] [ip4][..udp] [..192.168.1.178][57953] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
+ RISK: Unidirectional Traffic
+ detection-update: [.....4] [ip4][..udp] [..192.168.1.178][57953] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
+ analyse: [.....3] [ip4][..udp] [..192.168.1.178][58117] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.176| 0.043| 0.049| 2389.122| 4.100]
+ [PKTLEN......: 46.000| 189.000| 129.000| 35.800| 1279.800| 4.900]
+ [BINS(c->s)..: 0,0,1,6,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 2,5,3,8,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,0,1,1,0,0,1,1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,0,0,1,0,0,0,0,1]
+ [IATS(ms)....: 98.5,176.4,0.1,85.5,9.5,94.8,0.0,99.9,94.2,12.3,1.9,12.4,20.6,17.0,20.1,168.4,18.0,3.6,10.9,10.3,19.4,32.1,20.9,115.3,0.0,17.8,18.7,20.1,20.2,21.5,85.5]
+ [PKTLENS.....: 151,151,72,46,156,156,72,46,156,88,88,161,164,154,149,145,116,88,149,92,143,144,134,135,166,189,116,150,148,143,144,116]
+ [ENTROPIES...: 5.8,5.8,4.9,4.4,5.6,5.6,4.8,4.4,5.5,4.7,4.7,6.0,6.0,5.9,5.8,5.7,5.1,4.7,5.8,4.7,5.7,5.7,5.6,5.6,6.0,6.2,5.3,5.7,5.7,5.7,5.7,5.2]
+ analyse: [.....4] [ip4][..udp] [..192.168.1.178][57953] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.188| 0.047| 0.043| 1844.784| 4.300]
+ [PKTLEN......: 46.000| 171.000| 91.100| 44.600| 1993.400| 4.800]
+ [BINS(c->s)..: 7,0,0,2,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 9,2,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,0,1,1,0,0,1,1,0,0,0,1,1,0,1,0,0,1,1,0,1,1,1,0,1,0,1,1,0,1,1,0]
+ [IATS(ms)....: 102.1,187.6,0.0,105.6,0.1,93.5,0.0,87.6,70.7,0.1,106.0,0.0,21.5,32.8,59.0,0.0,48.4,5.5,49.5,50.2,0.0,0.0,55.2,45.7,56.3,52.4,0.0,59.8,52.1,47.7,58.6]
+ [PKTLENS.....: 153,153,72,46,163,163,72,46,163,163,163,103,103,55,55,171,55,55,103,55,103,103,55,55,55,55,103,55,55,55,55,55]
+ [ENTROPIES...: 5.8,5.9,4.8,4.3,5.5,5.5,4.8,4.4,5.6,5.5,5.6,4.4,4.5,3.6,3.9,5.5,3.6,3.9,4.5,3.7,4.5,4.5,3.9,3.7,4.0,3.7,4.5,3.9,3.7,3.9,3.9,3.7]
+ idle: [.....4] [ip4][..udp] [..192.168.1.178][57953] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
+ idle: [.....1] [ip4][..tcp] [..192.168.1.178][50076] -> [.144.195.73.154][..443] [TLS.Zoom][Zoom][Video][Acceptable]
+ RISK: TLS (probably) Not Carrying HTTPS
+ idle: [.....3] [ip4][..udp] [..192.168.1.178][58117] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
+ idle: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801] [Zoom][Zoom][Video][Acceptable]
+ DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/zoom_extra_dissection/zoom_p2p.pcapng.out b/test/results/flow-info/zoom_extra_dissection/zoom_p2p.pcapng.out
new file mode 100644
index 000000000..794bfd0a9
--- /dev/null
+++ b/test/results/flow-info/zoom_extra_dissection/zoom_p2p.pcapng.out
@@ -0,0 +1,130 @@
+ DAEMON-EVENT: init
+ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
+ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
+ new: [.....1] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500]
+ detected: [.....1] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
+ new: [.....2] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353]
+ detected: [.....2] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable][_ipps._tcp.local]
+ update: [.....1] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
+ update: [.....2] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
+ update: [.....1] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
+ update: [.....2] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
+ new: [.....3] [ip4][..udp] [.192.168.12.156][39065] -> [.206.247.87.213][.3478]
+ detected: [.....3] [ip4][..udp] [.192.168.12.156][39065] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable][]
+ new: [.....4] [ip4][..udp] [.192.168.12.156][38453] -> [.206.247.87.213][.3478]
+ detected: [.....4] [ip4][..udp] [.192.168.12.156][38453] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable][]
+ new: [.....5] [ip4][.icmp] [.206.247.87.213] -> [.192.168.12.156]
+ detected: [.....5] [ip4][.icmp] [.206.247.87.213] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
+ RISK: Susp Entropy
+ update: [.....1] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
+ new: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036]
+ detected: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036] [Zoom][Unknown][Video][Acceptable]
+ detection-update: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036] [Zoom][Unknown][Video][Acceptable]
+ RISK: Unidirectional Traffic
+ update: [.....5] [ip4][.icmp] [.206.247.87.213] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
+ RISK: Susp Entropy
+ update: [.....2] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
+ new: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757]
+ detected: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757] [Zoom][Unknown][Video][Acceptable]
+ analyse: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757] [Zoom][Unknown][Video][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.089| 0.026| 0.021| 430.173| 4.500]
+ [PKTLEN......: 113.000| 1277.000| 673.700| 485.600| 235788.400| 4.500]
+ [BINS(c->s)..: 0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,1,0,0,0,0,0,3,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,1,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,1,0,1,1,0,1,0,1,1,0,1,0,0,1,0,1,1,1,0,0,1,0,0,1,0,1,1,0,0,1,0]
+ [IATS(ms)....: 8.4,10.2,12.0,0.1,14.3,5.0,17.5,37.3,28.4,52.5,29.0,88.6,0.2,71.3,10.8,22.4,0.1,28.5,48.7,32.5,39.0,13.4,0.2,30.2,24.5,22.8,31.8,53.4,31.8,40.1,10.0]
+ [PKTLENS.....: 113,113,113,113,113,113,113,113,113,113,113,1246,1056,1056,1246,800,1245,119,1245,800,800,1245,800,799,118,831,1245,1277,1043,1043,1257,1043]
+ [ENTROPIES...: 4.9,4.8,4.8,4.9,4.9,4.8,4.8,4.9,4.8,4.8,4.8,7.8,0.5,0.5,7.8,7.7,7.8,5.8,7.8,7.7,7.7,7.8,7.7,7.7,5.8,7.7,7.8,7.8,7.8,7.8,7.8,7.8]
+ update: [.....4] [ip4][..udp] [.192.168.12.156][38453] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
+ update: [.....3] [ip4][..udp] [.192.168.12.156][39065] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
+ update: [.....5] [ip4][.icmp] [.206.247.87.213] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
+ RISK: Susp Entropy
+ update: [.....1] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
+ update: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036] [Zoom][Unknown][Video][Acceptable]
+ RISK: Unidirectional Traffic
+ update: [.....5] [ip4][.icmp] [.206.247.87.213] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
+ RISK: Susp Entropy
+ update: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757] [Zoom][Unknown][Video][Acceptable]
+ update: [.....2] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
+ update: [.....4] [ip4][..udp] [.192.168.12.156][38453] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
+ update: [.....3] [ip4][..udp] [.192.168.12.156][39065] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
+ update: [.....5] [ip4][.icmp] [.206.247.87.213] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
+ RISK: Susp Entropy
+ update: [.....1] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
+ idle: [.....5] [ip4][.icmp] [.206.247.87.213] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
+ RISK: Susp Entropy
+ update: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036] [Zoom][Unknown][Video][Acceptable]
+ RISK: Unidirectional Traffic
+ update: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757] [Zoom][Unknown][Video][Acceptable]
+ update: [.....2] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
+ update: [.....4] [ip4][..udp] [.192.168.12.156][38453] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
+ update: [.....3] [ip4][..udp] [.192.168.12.156][39065] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
+ idle: [.....2] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
+ update: [.....1] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
+ idle: [.....6] [ip4][..udp] [.192.168.12.156][38453] -> [..192.168.1.226][41036] [Zoom][Unknown][Video][Acceptable]
+ RISK: Unidirectional Traffic
+ idle: [.....7] [ip4][..udp] [.192.168.12.156][39065] -> [..192.168.1.226][46757] [Zoom][Unknown][Video][Acceptable]
+ idle: [.....4] [ip4][..udp] [.192.168.12.156][38453] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
+ idle: [.....3] [ip4][..udp] [.192.168.12.156][39065] -> [.206.247.87.213][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
+ new: [.....8] [ip4][..udp] [.192.168.12.156][49579] -> [.206.247.10.253][.3478]
+ detected: [.....8] [ip4][..udp] [.192.168.12.156][49579] -> [.206.247.10.253][.3478] [STUN.Zoom][Zoom][Video][Acceptable][]
+ new: [.....9] [ip4][..udp] [.192.168.12.156][42208] -> [.206.247.10.253][.3478]
+ detected: [.....9] [ip4][..udp] [.192.168.12.156][42208] -> [.206.247.10.253][.3478] [STUN.Zoom][Zoom][Video][Acceptable][]
+ new: [....10] [ip4][.icmp] [.206.247.10.253] -> [.192.168.12.156]
+ detected: [....10] [ip4][.icmp] [.206.247.10.253] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
+ RISK: Susp Entropy
+ new: [....11] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353]
+ detected: [....11] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable][_ipps._tcp.local]
+ update: [.....1] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
+ analyse: [....10] [ip4][.icmp] [.206.247.10.253] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 2.031| 0.974| 1.005| 1010541.658| 3.900]
+ [PKTLEN......: 100.000| 100.000| 100.000| 0.000| 0.000| 5.000]
+ [BINS(c->s)..: 0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [IATS(ms)....: 0.0,2023.3,0.0,2021.5,0.0,2008.4,0.0,2013.5,0.0,1994.8,0.0,2022.5,0.0,1990.7,0.1,2022.2,0.0,2022.0,0.1,1995.4,0.0,2020.2,0.0,2002.2,3.1,1996.9,3.1,2014.1,0.0,2030.9,0.0]
+ [PKTLENS.....: 100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100]
+ [ENTROPIES...: 5.4,5.3,5.2,5.3,5.4,5.3,5.4,5.3,5.4,5.3,5.3,5.4,5.3,5.3,5.3,5.4,5.3,5.4,5.3,5.3,5.3,5.3,5.3,5.3,5.4,5.3,5.3,5.4,5.4,5.3,5.4,5.3]
+ new: [....12] [ip4][..udp] [.192.168.12.156][42208] -> [...10.78.14.178][47312]
+ detected: [....12] [ip4][..udp] [.192.168.12.156][42208] -> [...10.78.14.178][47312] [Zoom][Unknown][Video][Acceptable]
+ detection-update: [....12] [ip4][..udp] [.192.168.12.156][42208] -> [...10.78.14.178][47312] [Zoom][Unknown][Video][Acceptable]
+ RISK: Unidirectional Traffic
+ new: [....13] [ip4][..udp] [.192.168.12.156][49579] -> [...10.78.14.178][49586]
+ detected: [....13] [ip4][..udp] [.192.168.12.156][49579] -> [...10.78.14.178][49586] [Zoom][Unknown][Video][Acceptable]
+ detection-update: [....13] [ip4][..udp] [.192.168.12.156][49579] -> [...10.78.14.178][49586] [Zoom][Unknown][Video][Acceptable]
+ RISK: Unidirectional Traffic
+ update: [....10] [ip4][.icmp] [.206.247.10.253] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
+ RISK: Susp Entropy
+ analyse: [....12] [ip4][..udp] [.192.168.12.156][42208] -> [...10.78.14.178][47312] [Zoom][Unknown][Video][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.052| 0.013| 0.016| 253.890| 4.000]
+ [PKTLEN......: 112.000| 112.000| 112.000| 0.000| 0.000| 5.000]
+ [BINS(c->s)..: 0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [IATS(ms)....: 0.2,27.3,11.2,7.7,6.8,1.5,0.1,13.3,6.9,1.7,40.5,0.2,15.5,0.6,33.3,0.2,50.8,0.4,5.9,5.7,52.3,0.4,7.2,2.3,22.7,0.2,31.0,0.2,40.9,0.2,22.6]
+ [PKTLENS.....: 112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112]
+ [ENTROPIES...: 5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0]
+ analyse: [....13] [ip4][..udp] [.192.168.12.156][49579] -> [...10.78.14.178][49586] [Zoom][Unknown][Video][Acceptable]
+ min| max| avg| stddev| variance| entropy
+ [IAT.........: < 0.001| 0.055| 0.027| 0.014| 209.331| 4.700]
+ [PKTLEN......: 112.000| 112.000| 112.000| 0.000| 0.000| 5.000]
+ [BINS(c->s)..: 0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ [IATS(ms)....: 23.8,0.3,29.8,1.6,40.5,0.5,22.7,46.4,8.7,38.1,43.6,20.5,19.3,34.0,24.4,41.5,21.1,25.0,31.1,47.2,23.8,22.9,54.8,6.0,45.0,14.9,26.8,31.6,48.3,23.8,18.7]
+ [PKTLENS.....: 112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112]
+ [ENTROPIES...: 4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9,4.9]
+ idle: [....10] [ip4][.icmp] [.206.247.10.253] -> [.192.168.12.156] [ICMP][Zoom][Network][Acceptable]
+ RISK: Susp Entropy
+ idle: [....13] [ip4][..udp] [.192.168.12.156][49579] -> [...10.78.14.178][49586] [Zoom][Unknown][Video][Acceptable]
+ RISK: Unidirectional Traffic
+ idle: [.....1] [ip4][..udp] [...192.168.12.1][17500] -> [.192.168.12.255][17500] [Dropbox][Unknown][Cloud][Acceptable]
+ idle: [.....9] [ip4][..udp] [.192.168.12.156][42208] -> [.206.247.10.253][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
+ idle: [....11] [ip4][..udp] [...192.168.12.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
+ idle: [....12] [ip4][..udp] [.192.168.12.156][42208] -> [...10.78.14.178][47312] [Zoom][Unknown][Video][Acceptable]
+ RISK: Unidirectional Traffic
+ idle: [.....8] [ip4][..udp] [.192.168.12.156][49579] -> [.206.247.10.253][.3478] [STUN.Zoom][Zoom][Video][Acceptable]
+ DAEMON-EVENT: shutdown