Diffstat (limited to 'test/results/flow-info/default')
79 files changed, 1049 insertions, 335 deletions
diff --git a/test/results/flow-info/default/1kxun.pcap.out b/test/results/flow-info/default/1kxun.pcap.out
index f5971556d..94ef6dc6b 100644
--- a/test/results/flow-info/default/1kxun.pcap.out
+++ b/test/results/flow-info/default/1kxun.pcap.out
@@ -529,13 +529,13 @@ idle: [....25] [ip4][..tcp] [..192.168.115.8][49598] -> [.222.73.254.167][...80] [HTTP.1kxun][Unknown][Streaming][Fun][kankan.1kxun.com] guessed: [....17] [ip4][..tcp] [...192.168.5.16][53622] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] end: [....17] [ip4][..tcp] [...192.168.5.16][53622] -> [.192.168.115.75][..443] - end: [....45] [ip4][..tcp] [...192.168.5.16][53623] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + end: [....45] [ip4][..tcp] [...192.168.5.16][53623] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS - end: [....87] [ip4][..tcp] [...192.168.5.16][53625] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + end: [....87] [ip4][..tcp] [...192.168.5.16][53625] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS - end: [...107] [ip4][..tcp] [...192.168.5.16][53626] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + end: [...107] [ip4][..tcp] [...192.168.5.16][53626] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS - end: [...117] [ip4][..tcp] [...192.168.5.16][53629] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe][192.168.115.75] + end: [...117] [ip4][..tcp] [...192.168.5.16][53629] -> [.192.168.115.75][..443] [TLS][Unknown][Web][Safe] RISK: Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS idle: [.....6] [ip4][..udp] [...192.168.5.50][64674] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] not-detected: [....65] [ip4][..udp] [192.168.140.140][62976] -> [255.255.255.255][62976] [Unknown][Unknown][Unrated] 
diff --git a/test/results/flow-info/default/443-curl.pcap.out b/test/results/flow-info/default/443-curl.pcap.out index 9be2df589..d635942f3 100644 --- a/test/results/flow-info/default/443-curl.pcap.out +++ b/test/results/flow-info/default/443-curl.pcap.out @@ -5,7 +5,7 @@ detected: [.....1] [ip4][..tcp] [...192.168.1.13][55523] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][55523] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][55523] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] - analyse: [.....1] [ip4][..tcp] [...192.168.1.13][55523] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] + analyse: [.....1] [ip4][..tcp] [...192.168.1.13][55523] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.784| 0.063| 0.190| 36203.258| 2.200] [PKTLEN......: 52.000| 1492.000| 397.200| 558.700| 312115.000| 3.800] diff --git a/test/results/flow-info/default/443-firefox.pcap.out b/test/results/flow-info/default/443-firefox.pcap.out index 046662670..3efd275fc 100644 --- a/test/results/flow-info/default/443-firefox.pcap.out +++ b/test/results/flow-info/default/443-firefox.pcap.out 
@@ -5,7 +5,7 @@ detected: [.....1] [ip4][..tcp] [...192.168.1.13][53096] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][53096] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][53096] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] - analyse: [.....1] [ip4][..tcp] [...192.168.1.13][53096] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] + analyse: [.....1] [ip4][..tcp] [...192.168.1.13][53096] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 1.656| 0.130| 0.404| 163175.268| 2.000] [PKTLEN......: 52.000| 1492.000| 518.700| 610.400| 372566.000| 4.000] diff --git a/test/results/flow-info/default/443-git.pcap.out b/test/results/flow-info/default/443-git.pcap.out index 70c543b9b..4eb17568c 100644 --- a/test/results/flow-info/default/443-git.pcap.out +++ b/test/results/flow-info/default/443-git.pcap.out 
@@ -5,7 +5,7 @@ detected: [.....1] [ip4][..tcp] [...192.168.1.13][55744] -> [...140.82.114.4][..443] [TLS.Github][Github][Collaborative][Acceptable][github.com] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][55744] -> [...140.82.114.4][..443] [TLS.Github][Github][Collaborative][Acceptable][github.com] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][55744] -> [...140.82.114.4][..443] [TLS.Github][Github][Collaborative][Acceptable][github.com] - analyse: [.....1] [ip4][..tcp] [...192.168.1.13][55744] -> [...140.82.114.4][..443] [TLS.Github][Github][Collaborative][Acceptable][github.com] + analyse: [.....1] [ip4][..tcp] [...192.168.1.13][55744] -> [...140.82.114.4][..443] [TLS.Github][Github][Collaborative][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.144| 0.033| 0.053| 2832.982| 3.200] [PKTLEN......: 52.000| 1476.000| 337.800| 464.400| 215710.400| 4.000] diff --git a/test/results/flow-info/default/443-safari.pcap.out b/test/results/flow-info/default/443-safari.pcap.out index 459806b25..ef9e5f325 100644 --- a/test/results/flow-info/default/443-safari.pcap.out +++ b/test/results/flow-info/default/443-safari.pcap.out 
@@ -5,7 +5,7 @@ detected: [.....1] [ip4][..tcp] [...192.168.1.13][53031] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][53031] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][53031] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] - analyse: [.....1] [ip4][..tcp] [...192.168.1.13][53031] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] + analyse: [.....1] [ip4][..tcp] [...192.168.1.13][53031] -> [.178.62.197.130][..443] [TLS.ntop][Unknown][Network][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.696| 0.070| 0.175| 30530.335| 2.600] [PKTLEN......: 52.000| 1492.000| 384.700| 559.600| 313139.800| 3.800] diff --git a/test/results/flow-info/default/KakaoTalk_chat.pcap.out b/test/results/flow-info/default/KakaoTalk_chat.pcap.out index 85f82f865..1d8ebad6b 100644 --- a/test/results/flow-info/default/KakaoTalk_chat.pcap.out +++ b/test/results/flow-info/default/KakaoTalk_chat.pcap.out @@ -102,7 +102,7 @@ new: [....30] [ip4][..tcp] [...10.24.82.188][58927] -> [.54.255.253.199][.5223] [MIDSTREAM] detected: [....30] [ip4][..tcp] [...10.24.82.188][58927] -> [.54.255.253.199][.5223] [TLS][AmazonAWS][Web][Safe] RISK: Known Proto on Non Std Port - analyse: [....26] [ip4][..tcp] [...10.24.82.188][43581] -> [....31.13.68.70][..443] [TLS.Facebook][Facebook][SocialNetwork][Fun][graph.facebook.com] + analyse: [....26] [ip4][..tcp] [...10.24.82.188][43581] -> [....31.13.68.70][..443] [TLS.Facebook][Facebook][SocialNetwork][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.174| 0.038| 0.043| 1891.518| 4.000] [PKTLEN......: 40.000| 1320.000| 256.100| 386.900| 149674.200| 3.800] 
diff --git a/test/results/flow-info/default/KakaoTalk_talk.pcap.out b/test/results/flow-info/default/KakaoTalk_talk.pcap.out index 4ec167094..f3bc648e2 100644 --- a/test/results/flow-info/default/KakaoTalk_talk.pcap.out +++ b/test/results/flow-info/default/KakaoTalk_talk.pcap.out @@ -8,6 +8,8 @@ new: [.....5] [ip4][..tcp] [.216.58.220.161][..443] -> [...10.24.82.188][56697] [MIDSTREAM] detected: [.....4] [ip4][..tcp] [...10.24.82.188][48489] -> [203.205.147.215][...80] [HTTP_Proxy.QQ][Tencent][Chat][Fun][hkminorshort.weixin.qq.com] RISK: Known Proto on Non Std Port + detection-update: [.....4] [ip4][..tcp] [...10.24.82.188][48489] -> [203.205.147.215][...80] [HTTP_Proxy.QQ][Tencent][Download][Fun][hkminorshort.weixin.qq.com] + RISK: Known Proto on Non Std Port, Binary File/Data Transfer (Attempt) new: [.....6] [ip4][..tcp] [...10.24.82.188][32968] -> [..110.76.143.50][.8080] detected: [.....6] [ip4][..tcp] [...10.24.82.188][32968] -> [..110.76.143.50][.8080] [TLS][Unknown][Web][Safe][] RISK: Known Proto on Non Std Port, Obsolete TLS (v1.1 or older) 
@@ -105,8 +107,8 @@ end: [....17] [ip4][..tcp] [173.194.117.229][..443] -> [...10.24.82.188][38380] idle: [....13] [ip4][..udp] [...10.24.82.188][10268] -> [....1.201.1.174][23046] [RTP][Unknown][Media][Acceptable] idle: [....11] [ip4][..udp] [...10.24.82.188][10269] -> [....1.201.1.174][23047] [KakaoTalk_Voice][Unknown][VoIP][Acceptable] - end: [.....4] [ip4][..tcp] [...10.24.82.188][48489] -> [203.205.147.215][...80] [HTTP_Proxy.QQ][Tencent][Chat][Fun] - RISK: Known Proto on Non Std Port + end: [.....4] [ip4][..tcp] [...10.24.82.188][48489] -> [203.205.147.215][...80] [HTTP_Proxy.QQ][Tencent][Download][Fun][hkminorshort.weixin.qq.com] + RISK: Known Proto on Non Std Port, Binary File/Data Transfer (Attempt) guessed: [.....2] [ip4][..tcp] [..120.28.26.242][...80] -> [...10.24.82.188][34533] [HTTP][Unknown][Web][Acceptable][] end: [.....2] [ip4][..tcp] [..120.28.26.242][...80] -> [...10.24.82.188][34533] idle: [.....6] [ip4][..tcp] [...10.24.82.188][32968] -> [..110.76.143.50][.8080] [TLS.KakaoTalk][Unknown][Chat][Acceptable] diff --git a/test/results/flow-info/default/alexa-app.pcapng.out b/test/results/flow-info/default/alexa-app.pcapng.out index 8ea47a247..68b847071 100644 --- a/test/results/flow-info/default/alexa-app.pcapng.out +++ b/test/results/flow-info/default/alexa-app.pcapng.out 
@@ -137,7 +137,7 @@ new: [....40] [ip4][..udp] [..172.16.42.216][43350] -> [....172.16.42.1][...53] detected: [....40] [ip4][..udp] [..172.16.42.216][43350] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][fls-na.amazon.com] ERROR-EVENT: Unknown packet type [1/16] - analyse: [....28] [ip4][..tcp] [..172.16.42.216][45661] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + analyse: [....28] [ip4][..tcp] [..172.16.42.216][45661] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 1.016| 0.161| 0.286| 81844.249| 3.400] [PKTLEN......: 40.000| 1500.000| 366.200| 485.100| 235358.500| 3.900] @@ -214,7 +214,7 @@ detected: [....55] [ip4][..tcp] [..172.16.42.216][42143] -> [..72.21.206.135][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][fls-na.amazon.com] detection-update: [....54] [ip4][..tcp] [..172.16.42.216][54427] -> [..52.85.209.216][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][www.amazon.com] detection-update: [....55] [ip4][..tcp] [..172.16.42.216][42143] -> [..72.21.206.135][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][fls-na.amazon.com] - analyse: [....52] [ip4][..tcp] [..172.16.42.216][34034] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][mobileanalytics.us-east-1.amazonaws.com] + analyse: [....52] [ip4][..tcp] [..172.16.42.216][34034] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.352| 0.044| 0.079| 6215.196| 3.500] [PKTLEN......: 40.000| 1500.000| 643.200| 676.900| 458225.800| 4.100] 
@@ -265,7 +265,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [....65] [ip4][..tcp] [..172.16.42.216][41691] -> [..54.239.29.146][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][api.amazon.com] RISK: TLS (probably) Not Carrying HTTPS - analyse: [....63] [ip4][..tcp] [..172.16.42.216][54434] -> [..52.85.209.216][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][www.amazon.com] + analyse: [....63] [ip4][..tcp] [..172.16.42.216][54434] -> [..52.85.209.216][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 2.897| 0.237| 0.560| 313730.662| 2.800] [PKTLEN......: 52.000| 1500.000| 603.100| 665.400| 442821.700| 4.100] @@ -381,7 +381,7 @@ detected: [....91] [ip4][..tcp] [..172.16.42.216][45714] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] detected: [....89] [ip4][..tcp] [..172.16.42.216][45712] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] detected: [....93] [ip4][..tcp] [..172.16.42.216][49630] -> [..52.94.232.134][...80] [HTTP.AmazonAlexa][AmazonAWS][VirtAssistant][Acceptable][alexa.amazon.com] - analyse: [....80] [ip4][..tcp] [..172.16.42.216][45703] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + analyse: [....80] [ip4][..tcp] [..172.16.42.216][45703] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 1.570| 0.289| 0.417| 173871.694| 3.700] [PKTLEN......: 40.000| 1500.000| 371.100| 516.000| 266233.000| 3.900] 
@@ -408,7 +408,7 @@ new: [....96] [ip4][..tcp] [..172.16.42.216][41820] -> [...54.231.72.88][..443] new: [....97] [ip4][..tcp] [..172.16.42.216][41821] -> [...54.231.72.88][..443] detected: [....96] [ip4][..tcp] [..172.16.42.216][41820] -> [...54.231.72.88][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][s3-external-2.amazonaws.com] - analyse: [....87] [ip4][..tcp] [..172.16.42.216][45710] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + analyse: [....87] [ip4][..tcp] [..172.16.42.216][45710] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 1.192| 0.160| 0.282| 79548.359| 3.500] [PKTLEN......: 40.000| 1500.000| 343.000| 486.700| 236894.100| 3.900] @@ -420,7 +420,7 @@ [ENTROPIES...: 4.7,5.1,4.8,5.9,5.9,4.6,6.1,6.0,4.7,4.6,6.5,4.7,5.9,7.9,4.6,6.9,4.6,4.6,7.8,7.9,7.1,4.6,7.5,7.9,7.2,6.6,4.5,4.6,7.6,7.9,6.8,4.6] detection-update: [....96] [ip4][..tcp] [..172.16.42.216][41820] -> [...54.231.72.88][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][s3-external-2.amazonaws.com] detection-update: [....96] [ip4][..tcp] [..172.16.42.216][41820] -> [...54.231.72.88][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][s3-external-2.amazonaws.com] - analyse: [....89] [ip4][..tcp] [..172.16.42.216][45712] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + analyse: [....89] [ip4][..tcp] [..172.16.42.216][45712] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 1.080| 0.209| 0.303| 92031.574| 3.700] [PKTLEN......: 40.000| 1500.000| 360.500| 516.500| 266795.300| 3.800] 
@@ -475,7 +475,7 @@ RISK: Weak TLS Cipher detection-update: [...107] [ip4][..tcp] [..172.16.42.216][40856] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][skills-store.amazon.com] RISK: Weak TLS Cipher - analyse: [...107] [ip4][..tcp] [..172.16.42.216][40856] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][skills-store.amazon.com] + analyse: [...107] [ip4][..tcp] [..172.16.42.216][40856] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.326| 0.037| 0.075| 5555.152| 3.000] [PKTLEN......: 40.000| 1500.000| 545.400| 489.800| 239933.900| 4.400] @@ -485,7 +485,7 @@ [IATS(ms)....: 55.9,57.4,1.4,113.3,0.4,112.3,0.1,3.2,65.7,1.4,70.0,0.2,85.3,246.6,0.1,0.0,0.1,325.6,0.3,3.8,0.8,0.2,0.3,0.1,0.3,0.3,0.6,0.4,1.1,6.7,1.2] [PKTLENS.....: 60,48,40,251,1500,1275,40,40,366,46,99,1500,270,46,1021,589,589,589,40,40,1500,1500,741,1101,589,589,589,589,589,589,40,589] [ENTROPIES...: 4.6,5.2,4.8,5.6,7.3,7.3,4.9,4.9,7.3,4.6,6.1,7.9,7.2,4.6,7.8,7.7,7.6,7.6,4.9,4.8,7.9,7.9,7.7,7.8,7.6,7.6,7.7,7.6,7.6,7.6,4.9,7.7] - analyse: [...105] [ip4][..tcp] [..172.16.42.216][40854] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][skills-store.amazon.com] + analyse: [...105] [ip4][..tcp] [..172.16.42.216][40854] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.933| 0.089| 0.198| 39194.591| 3.000] [PKTLEN......: 40.000| 1500.000| 450.100| 541.500| 293230.800| 4.000] 
@@ -495,7 +495,7 @@ [IATS(ms)....: 109.9,111.6,1.6,102.0,0.2,101.6,0.3,1.9,56.2,0.1,87.5,19.1,7.6,147.9,304.1,639.4,932.7,32.7,0.1,0.0,0.7,0.1,0.0,0.3,0.6,110.7,0.2,1.8,0.2,0.1,0.1] [PKTLENS.....: 60,48,40,251,1500,1275,40,40,366,46,99,40,1500,254,46,1500,1500,46,1021,589,589,589,589,589,1469,77,40,40,40,40,40,40] [ENTROPIES...: 4.7,5.2,4.8,5.6,7.2,7.3,4.8,4.8,7.3,4.7,6.1,4.9,7.9,7.2,4.5,7.9,7.9,4.7,7.8,7.6,7.7,7.7,7.6,7.6,7.9,5.7,4.8,4.8,4.9,4.8,4.9,4.9] - analyse: [....88] [ip4][..tcp] [..172.16.42.216][45711] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + analyse: [....88] [ip4][..tcp] [..172.16.42.216][45711] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 9.247| 1.357| 2.197| 4827473.510| 3.500] [PKTLEN......: 40.000| 1500.000| 425.800| 556.200| 309356.400| 3.900] @@ -594,7 +594,7 @@ detected: [...125] [ip4][..tcp] [..172.16.42.216][40871] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][skills-store.amazon.com] detection-update: [...125] [ip4][..tcp] [..172.16.42.216][40871] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][skills-store.amazon.com] RISK: Weak TLS Cipher - analyse: [...125] [ip4][..tcp] [..172.16.42.216][40871] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][skills-store.amazon.com] + analyse: [...125] [ip4][..tcp] [..172.16.42.216][40871] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 1.107| 0.141| 0.257| 65864.266| 3.200] [PKTLEN......: 40.000| 1500.000| 430.000| 555.400| 308431.600| 4.000] 
@@ -707,42 +707,42 @@ RISK: Error Code end: [....28] [ip4][..tcp] [..172.16.42.216][45661] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] RISK: Weak TLS Cipher - end: [....29] [ip4][..tcp] [..172.16.42.216][45662] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....29] [ip4][..tcp] [..172.16.42.216][45662] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....30] [ip4][..tcp] [..172.16.42.216][45663] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....30] [ip4][..tcp] [..172.16.42.216][45663] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....43] [ip4][..tcp] [..172.16.42.216][45673] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....43] [ip4][..tcp] [..172.16.42.216][45673] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....44] [ip4][..tcp] [..172.16.42.216][45674] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....44] [ip4][..tcp] [..172.16.42.216][45674] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....46] [ip4][..tcp] [..172.16.42.216][45676] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....46] [ip4][..tcp] [..172.16.42.216][45676] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....47] [ip4][..tcp] [..172.16.42.216][45677] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....47] [ip4][..tcp] [..172.16.42.216][45677] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....48] [ip4][..tcp] [..172.16.42.216][45678] -> 
[..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....48] [ip4][..tcp] [..172.16.42.216][45678] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....49] [ip4][..tcp] [..172.16.42.216][45679] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....49] [ip4][..tcp] [..172.16.42.216][45679] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....50] [ip4][..tcp] [..172.16.42.216][45680] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....50] [ip4][..tcp] [..172.16.42.216][45680] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....53] [ip4][..tcp] [..172.16.42.216][45683] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....53] [ip4][..tcp] [..172.16.42.216][45683] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher end: [....37] [ip4][..tcp] [..172.16.42.216][54411] -> [..52.85.209.216][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][www.amazon.com] end: [....38] [ip4][..tcp] [..172.16.42.216][54412] -> [..52.85.209.216][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] guessed: [....39] [ip4][..tcp] [..172.16.42.216][54413] -> [..52.85.209.216][..443] [TLS][AmazonAWS][Web][Safe] end: [....39] [ip4][..tcp] [..172.16.42.216][54413] -> [..52.85.209.216][..443] - end: [....54] [ip4][..tcp] [..172.16.42.216][54427] -> [..52.85.209.216][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][www.amazon.com] + end: [....54] [ip4][..tcp] [..172.16.42.216][54427] -> [..52.85.209.216][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] end: [....41] [ip4][..tcp] [..172.16.42.216][42129] -> [..72.21.206.135][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] end: [....42] [ip4][..tcp] [..172.16.42.216][42130] -> 
[..72.21.206.135][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][fls-na.amazon.com] - end: [....55] [ip4][..tcp] [..172.16.42.216][42143] -> [..72.21.206.135][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][fls-na.amazon.com] - end: [....56] [ip4][..tcp] [..172.16.42.216][42144] -> [..72.21.206.135][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][fls-na.amazon.com] + end: [....55] [ip4][..tcp] [..172.16.42.216][42143] -> [..72.21.206.135][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] + end: [....56] [ip4][..tcp] [..172.16.42.216][42144] -> [..72.21.206.135][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] end: [....36] [ip4][..tcp] [..172.16.42.216][34019] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable] - end: [....51] [ip4][..tcp] [..172.16.42.216][34033] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][mobileanalytics.us-east-1.amazonaws.com] + end: [....51] [ip4][..tcp] [..172.16.42.216][34033] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable] end: [....52] [ip4][..tcp] [..172.16.42.216][34034] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][mobileanalytics.us-east-1.amazonaws.com] guessed: [....32] [ip4][..tcp] [..172.16.42.216][38391] -> [...192.168.11.1][.8080] [HTTP_Proxy][Unknown][Web][Acceptable][] RISK: TCP Connection Issues end: [....32] [ip4][..tcp] [..172.16.42.216][38391] -> [...192.168.11.1][.8080] - end: [....26] [ip4][..tcp] [..172.16.42.216][38364] -> [..34.199.52.240][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][cognito-identity.us-east-1.amazonaws.com] + end: [....26] [ip4][..tcp] [..172.16.42.216][38364] -> [..34.199.52.240][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable] update: [.....3] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable][android-1c1335ec95a27318] update: [.....9] [ip4][..udp] [..172.16.42.216][53188] -> [....172.16.42.1][...53] 
[DNS.GoogleServices][Unknown][Network][Acceptable][mtalk.google.com] update: [...114] [ip4][..udp] [..172.16.42.216][28614] -> [....172.16.42.1][...53] [DNS.AmazonAWS][Unknown][Network][Acceptable][mobileanalytics.us-east-1.amazonaws.com] @@ -770,11 +770,11 @@ detected: [...142] [ip4][..tcp] [..172.16.42.216][50799] -> [..54.239.28.178][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] detection-update: [...142] [ip4][..tcp] [..172.16.42.216][50799] -> [..54.239.28.178][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] RISK: Weak TLS Cipher - end: [....57] [ip4][..tcp] [..172.16.42.216][45687] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....57] [ip4][..tcp] [..172.16.42.216][45687] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....59] [ip4][..tcp] [..172.16.42.216][45688] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....59] [ip4][..tcp] [..172.16.42.216][45688] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....60] [ip4][..tcp] [..172.16.42.216][34041] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][mobileanalytics.us-east-1.amazonaws.com] + end: [....60] [ip4][..tcp] [..172.16.42.216][34041] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable] update: [...118] [ip4][..udp] [..172.16.42.216][.4920] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][ecx.images-amazon.com] new: [...143] [ip4][..tcp] [..172.16.42.216][50800] -> [..54.239.28.178][..443] detected: [...143] [ip4][..tcp] [..172.16.42.216][50800] -> [..54.239.28.178][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] 
@@ -853,20 +853,20 @@ detection-update: [...156] [ip4][..tcp] [..172.16.42.216][58048] -> [..54.239.28.178][..443] [TLS][AmazonAWS][Web][Safe][] RISK: Obsolete TLS (v1.1 or older), Weak TLS Cipher end: [....66] [ip4][..tcp] [..172.16.42.216][49606] -> [..52.94.232.134][...80] [HTTP.AmazonAlexa][AmazonAWS][VirtAssistant][Acceptable][alexa.amazon.com] - end: [....67] [ip4][..tcp] [..172.16.42.216][45693] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....67] [ip4][..tcp] [..172.16.42.216][45693] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher end: [....68] [ip4][..tcp] [..172.16.42.216][45694] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....70] [ip4][..tcp] [..172.16.42.216][45695] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....70] [ip4][..tcp] [..172.16.42.216][45695] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....71] [ip4][..tcp] [..172.16.42.216][45696] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....71] [ip4][..tcp] [..172.16.42.216][45696] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....72] [ip4][..tcp] [..172.16.42.216][45697] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....72] [ip4][..tcp] [..172.16.42.216][45697] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....74] [ip4][..tcp] [..172.16.42.216][45698] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....74] [ip4][..tcp] [..172.16.42.216][45698] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher end: [....63] [ip4][..tcp] [..172.16.42.216][54434] -> 
[..52.85.209.216][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][www.amazon.com] - end: [....61] [ip4][..tcp] [..172.16.42.216][42148] -> [..72.21.206.135][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][fls-na.amazon.com] + end: [....61] [ip4][..tcp] [..172.16.42.216][42148] -> [..72.21.206.135][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] update: [....27] [ip4][..udp] [..172.16.42.216][54886] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][pitangui.amazon.com] update: [....21] [ip4][..udp] [..172.16.42.216][41030] -> [....172.16.42.1][...53] [DNS.AmazonAlexa][Unknown][Network][Acceptable][alexa.amazon.com] update: [....40] [ip4][..udp] [..172.16.42.216][43350] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][fls-na.amazon.com] 
@@ -979,11 +979,11 @@ end: [...106] [ip4][..tcp] [..172.16.42.216][40855] -> [..54.239.29.253][..443] end: [...107] [ip4][..tcp] [..172.16.42.216][40856] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][skills-store.amazon.com] RISK: Weak TLS Cipher - end: [...117] [ip4][..tcp] [..172.16.42.216][40864] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][skills-store.amazon.com] + end: [...117] [ip4][..tcp] [..172.16.42.216][40864] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher end: [...125] [ip4][..tcp] [..172.16.42.216][40871] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][skills-store.amazon.com] RISK: Weak TLS Cipher - end: [...132] [ip4][..tcp] [..172.16.42.216][40878] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][skills-store.amazon.com] + end: [...132] [ip4][..tcp] [..172.16.42.216][40878] -> [..54.239.29.253][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher idle: [.....9] [ip4][..udp] [..172.16.42.216][53188] -> [....172.16.42.1][...53] [DNS.GoogleServices][Unknown][Network][Acceptable][mtalk.google.com] idle: [...114] [ip4][..udp] [..172.16.42.216][28614] -> [....172.16.42.1][...53] [DNS.AmazonAWS][Unknown][Network][Acceptable][mobileanalytics.us-east-1.amazonaws.com] 
@@ -1006,13 +1006,13 @@ idle: [...149] [ip4][..tcp] [..172.16.42.216][41828] -> [..52.85.209.143][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][www.amazon.com] end: [....80] [ip4][..tcp] [..172.16.42.216][45703] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] RISK: Weak TLS Cipher - end: [....81] [ip4][..tcp] [..172.16.42.216][45704] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....81] [ip4][..tcp] [..172.16.42.216][45704] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....82] [ip4][..tcp] [..172.16.42.216][45705] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....82] [ip4][..tcp] [..172.16.42.216][45705] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher guessed: [....84] [ip4][..tcp] [..172.16.42.216][45707] -> [..52.94.232.134][..443] [TLS][AmazonAWS][Web][Safe] end: [....84] [ip4][..tcp] [..172.16.42.216][45707] -> [..52.94.232.134][..443] - end: [....86] [ip4][..tcp] [..172.16.42.216][45709] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....86] [ip4][..tcp] [..172.16.42.216][45709] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher end: [....87] [ip4][..tcp] [..172.16.42.216][45710] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] RISK: Weak TLS Cipher 
@@ -1020,28 +1020,28 @@ RISK: Weak TLS Cipher end: [....89] [ip4][..tcp] [..172.16.42.216][45712] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] RISK: Weak TLS Cipher - end: [....91] [ip4][..tcp] [..172.16.42.216][45714] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....91] [ip4][..tcp] [..172.16.42.216][45714] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [....92] [ip4][..tcp] [..172.16.42.216][45715] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [....92] [ip4][..tcp] [..172.16.42.216][45715] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [...109] [ip4][..tcp] [..172.16.42.216][45728] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [...109] [ip4][..tcp] [..172.16.42.216][45728] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [...110] [ip4][..tcp] [..172.16.42.216][45729] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [...110] [ip4][..tcp] [..172.16.42.216][45729] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [...111] [ip4][..tcp] [..172.16.42.216][45730] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [...111] [ip4][..tcp] [..172.16.42.216][45730] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [...112] [ip4][..tcp] [..172.16.42.216][45731] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [...112] [ip4][..tcp] [..172.16.42.216][45731] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [...113] [ip4][..tcp] [..172.16.42.216][45732] 
-> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [...113] [ip4][..tcp] [..172.16.42.216][45732] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher idle: [....20] [ip4][..tcp] [..172.16.42.216][53682] -> [..54.239.22.185][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: TLS (probably) Not Carrying HTTPS - end: [...133] [ip4][..tcp] [..172.16.42.216][45750] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [...133] [ip4][..tcp] [..172.16.42.216][45750] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher - end: [...134] [ip4][..tcp] [..172.16.42.216][45751] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [...134] [ip4][..tcp] [..172.16.42.216][45751] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher idle: [...108] [ip4][..udp] [..172.16.42.216][20922] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][pitangui.amazon.com] - end: [...137] [ip4][..tcp] [..172.16.42.216][45752] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] + end: [...137] [ip4][..tcp] [..172.16.42.216][45752] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable] RISK: Weak TLS Cipher idle: [...144] [ip4][..udp] [..172.16.42.216][.8669] -> [....172.16.42.1][...53] [DNS.AmazonAWS][Unknown][Network][Acceptable][mobileanalytics.us-east-1.amazonaws.com] idle: [....69] [ip4][..udp] [..172.16.42.216][25081] -> [....172.16.42.1][...53] [DNS.AmazonAlexa][Unknown][Network][Acceptable][alexa.amazon.com] 
@@ -1055,7 +1055,7 @@ idle: [...148] [ip4][..udp] [..172.16.42.216][14934] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][www.amazon.com] idle: [...158] [ip4][..udp] [..172.16.42.216][.2707] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][fls-na.amazon.com] idle: [....98] [ip4][..udp] [..172.16.42.216][41639] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][dp-gw-na-js.amazon.com] - end: [...115] [ip4][..tcp] [..172.16.42.216][37551] -> [..54.239.24.180][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][mobileanalytics.us-east-1.amazonaws.com] + end: [...115] [ip4][..tcp] [..172.16.42.216][37551] -> [..54.239.24.180][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable] guessed: [...116] [ip4][..tcp] [..172.16.42.216][37552] -> [..54.239.24.180][..443] [TLS][AmazonAWS][Web][Safe] end: [...116] [ip4][..tcp] [..172.16.42.216][37552] -> [..54.239.24.180][..443] end: [...156] [ip4][..tcp] [..172.16.42.216][58048] -> [..54.239.28.178][..443] [TLS][AmazonAWS][Web][Safe] 
@@ -1088,13 +1088,13 @@ guessed: [....83] [ip4][..tcp] [..172.16.42.216][40242] -> [.10.201.126.241][.8080] [HTTP_Proxy][Unknown][Web][Acceptable][] RISK: Unidirectional Traffic idle: [....83] [ip4][..tcp] [..172.16.42.216][40242] -> [.10.201.126.241][.8080] - end: [....78] [ip4][..tcp] [..172.16.42.216][34053] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][mobileanalytics.us-east-1.amazonaws.com] + end: [....78] [ip4][..tcp] [..172.16.42.216][34053] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable] guessed: [....79] [ip4][..tcp] [..172.16.42.216][34054] -> [..54.239.24.186][..443] [TLS][AmazonAWS][Web][Safe] end: [....79] [ip4][..tcp] [..172.16.42.216][34054] -> [..54.239.24.186][..443] - end: [....94] [ip4][..tcp] [..172.16.42.216][34069] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][mobileanalytics.us-east-1.amazonaws.com] + end: [....94] [ip4][..tcp] [..172.16.42.216][34069] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable] guessed: [...100] [ip4][..tcp] [..172.16.42.216][34073] -> [..54.239.24.186][..443] [TLS][AmazonAWS][Web][Safe] end: [...100] [ip4][..tcp] [..172.16.42.216][34073] -> [..54.239.24.186][..443] - end: [...101] [ip4][..tcp] [..172.16.42.216][34074] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][mobileanalytics.us-east-1.amazonaws.com] + end: [...101] [ip4][..tcp] [..172.16.42.216][34074] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable] end: [....99] [ip4][..tcp] [..172.16.42.216][44001] -> [..176.32.101.52][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][dp-gw-na-js.amazon.com] RISK: TLS (probably) Not Carrying HTTPS idle: [.....6] [ip4][..udp] [..172.16.42.216][.3440] -> [....172.16.42.1][...53] [DNS.Google][Unknown][Network][Acceptable][connectivitycheck.android.com] 
@@ -1103,7 +1103,7 @@ guessed: [....85] [ip4][..tcp] [..172.16.42.216][38434] -> [...192.168.11.1][.8080] [HTTP_Proxy][Unknown][Web][Acceptable][] RISK: TCP Connection Issues end: [....85] [ip4][..tcp] [..172.16.42.216][38434] -> [...192.168.11.1][.8080] - idle: [....11] [ip4][..tcp] [..172.16.42.216][42878] -> [173.194.223.188][.5228] [TLS.GoogleServices][Google][Web][Acceptable][mtalk.google.com] + idle: [....11] [ip4][..tcp] [..172.16.42.216][42878] -> [173.194.223.188][.5228] [TLS.GoogleServices][Google][Web][Acceptable] RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS idle: [....62] [ip4][..udp] [..172.16.42.216][44475] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][www.amazon.com] end: [....16] [ip4][..tcp] [..172.16.42.216][55242] -> [..52.85.209.197][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][www.amazon.com] diff --git a/test/results/flow-info/default/android.pcap.out b/test/results/flow-info/default/android.pcap.out index 0dc966a89..7d1817cb1 100644 --- a/test/results/flow-info/default/android.pcap.out +++ b/test/results/flow-info/default/android.pcap.out 
@@ -81,7 +81,6 @@ detection-update: [....28] [ip4][..tcp] [...192.168.2.16][36890] -> [...172.217.18.3][..443] [TLS.Google][Google][ConnCheck][Acceptable][connectivitycheck.gstatic.com] detection-update: [....28] [ip4][..tcp] [...192.168.2.16][36890] -> [...172.217.18.3][..443] [TLS.Google][Google][ConnCheck][Acceptable][connectivitycheck.gstatic.com] detected: [....27] [ip4][..tcp] [...192.168.2.16][36888] -> [...172.217.18.3][..443] [TLS.Google][Google][ConnCheck][Acceptable][connectivitycheck.gstatic.com] - detection-update: [....27] [ip4][..tcp] [...192.168.2.16][36888] -> [...172.217.18.3][..443] [TLS.Google][Google][ConnCheck][Acceptable][connectivitycheck.gstatic.com] new: [....30] [ip4][..udp] [...192.168.2.16][39008] -> [....192.168.2.1][...53] detected: [....30] [ip4][..udp] [...192.168.2.16][39008] -> [....192.168.2.1][...53] [DNS.GoogleServices][Unknown][Network][Acceptable][mtalk.google.com] detection-update: [....30] [ip4][..udp] [...192.168.2.16][39008] -> [....192.168.2.1][...53] [DNS.GoogleServices][Unknown][Network][Acceptable][mtalk.google.com] @@ -173,7 +172,7 @@ new: [....60] [ip4][..udp] [...192.168.2.16][39760] -> [....192.168.2.1][...53] detected: [....60] [ip4][..udp] [...192.168.2.16][39760] -> [....192.168.2.1][...53] [DNS.GoogleServices][Unknown][Network][Acceptable][android.googleapis.com] detected: [....58] [ip4][..tcp] [...192.168.2.16][43646] -> [..172.217.20.76][..443] [TLS.DataSaver][Google][Web][Fun][proxy.googlezip.net] - analyse: [....42] [ip4][..tcp] [...192.168.2.16][32996] -> [.216.239.38.120][..443] [TLS.Google][Google][Web][Acceptable][www.google.com] + analyse: [....42] [ip4][..tcp] [...192.168.2.16][32996] -> [.216.239.38.120][..443] [TLS.Google][Google][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.405| 0.048| 0.104| 10866.215| 3.000] [PKTLEN......: 52.000| 1470.000| 416.500| 552.700| 305506.200| 3.900] 
@@ -238,7 +237,7 @@ idle: [....12] [ip6][icmp6] [.....................................::] -> [......................ff02::1:ff9f:f627] [ICMPV6][Unknown][Network][Acceptable] idle: [....42] [ip4][..tcp] [...192.168.2.16][32996] -> [.216.239.38.120][..443] [TLS.Google][Google][Web][Acceptable][www.google.com] end: [....44] [ip4][..tcp] [...192.168.2.16][32998] -> [.216.239.38.120][..443] [TLS.Google][Google][Web][Acceptable] - idle: [....49] [ip4][..tcp] [...192.168.2.16][33002] -> [.216.239.38.120][..443] [TLS.Google][Google][Web][Acceptable][accounts.google.com] + idle: [....49] [ip4][..tcp] [...192.168.2.16][33002] -> [.216.239.38.120][..443] [TLS.Google][Google][Web][Acceptable] idle: [....59] [ip4][..tcp] [...192.168.2.16][33014] -> [.216.239.38.120][..443] [TLS.Google][Google][Web][Acceptable] idle: [....56] [ip4][..udp] [...192.168.2.16][10677] -> [....192.168.2.1][...53] [DNS.DataSaver][Unknown][Network][Fun][proxy.googlezip.net] idle: [.....9] [ip4][..udp] [....192.168.2.1][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable] 
@@ -269,8 +268,8 @@ RISK: Unidirectional Traffic idle: [....63] [ip4][..tcp] [...192.168.2.16][43652] -> [..172.217.20.76][..443] idle: [....43] [ip4][..udp] [...192.168.2.16][46359] -> [....192.168.2.1][...53] [DNS.Google][Unknown][Network][Acceptable][accounts.google.com] - idle: [....40] [ip4][..tcp] [...192.168.2.16][51928] -> [.172.217.21.202][..443] [TLS.DataSaver][Google][Web][Fun][datasaver.googleapis.com] - idle: [....55] [ip4][..tcp] [...192.168.2.16][51944] -> [.172.217.21.202][..443] [TLS.DataSaver][Google][Web][Fun][datasaver.googleapis.com] + idle: [....40] [ip4][..tcp] [...192.168.2.16][51928] -> [.172.217.21.202][..443] [TLS.DataSaver][Google][Web][Fun] + idle: [....55] [ip4][..tcp] [...192.168.2.16][51944] -> [.172.217.21.202][..443] [TLS.DataSaver][Google][Web][Fun] idle: [....36] [ip4][..udp] [...192.168.2.16][.7660] -> [....192.168.2.1][...53] [DNS.DataSaver][Unknown][Network][Fun][datasaver.googleapis.com] idle: [....48] [ip4][..udp] [...192.168.2.16][58892] -> [....192.168.2.1][...53] [DNS.Google][Unknown][Network][Acceptable][accounts.google.com] idle: [....24] [ip4][..udp] [...192.168.2.16][54837] -> [....192.168.2.1][...53] [DNS.GoogleServices][Unknown][Network][Acceptable][play.googleapis.com] diff --git a/test/results/flow-info/default/anyconnect-vpn.pcap.out b/test/results/flow-info/default/anyconnect-vpn.pcap.out index b393c947c..f126f2896 100644 --- a/test/results/flow-info/default/anyconnect-vpn.pcap.out +++ b/test/results/flow-info/default/anyconnect-vpn.pcap.out 
@@ -307,7 +307,7 @@ idle: [....60] [ip4][..udp] [.....10.0.0.227][52595] -> [.......10.0.0.1][..192] idle: [....48] [ip4][..udp] [.....10.0.0.227][64193] -> [....75.75.75.75][...53] [DNS.ApplePush][Unknown][Network][Acceptable][24-courier.push.apple.com] idle: [....52] [ip4][..udp] [.....10.0.0.227][58074] -> [....75.75.75.75][...53] [DNS.Outlook][Unknown][Network][Acceptable][www.outlook.com] - end: [....28] [ip4][..tcp] [.....10.0.0.227][56920] -> [...99.86.34.156][..443] [TLS.Slack][AmazonAWS][Collaborative][Acceptable][slack.com] + end: [....28] [ip4][..tcp] [.....10.0.0.227][56920] -> [...99.86.34.156][..443] [TLS.Slack][AmazonAWS][Collaborative][Acceptable] idle: [....55] [ip4][..udp] [.....10.0.0.149][38616] -> [.....10.0.0.227][61328] [SSDP][Unknown][System][Acceptable] guessed: [....37] [ip4][..tcp] [.....10.0.0.227][56881] -> [.162.222.43.153][..443] [TLS][Unknown][Web][Safe] idle: [....37] [ip4][..tcp] [.....10.0.0.227][56881] -> [.162.222.43.153][..443] diff --git a/test/results/flow-info/default/dingtalk.pcap.out b/test/results/flow-info/default/dingtalk.pcap.out new file mode 100644 index 000000000..25738c108 --- /dev/null +++ b/test/results/flow-info/default/dingtalk.pcap.out 
@@ -0,0 +1,11 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [...10.215.173.1][48910] -> [..47.246.133.39][..443] + detected: [.....1] [ip4][..tcp] [...10.215.173.1][48910] -> [..47.246.133.39][..443] [DingTalk][Alibaba][Chat][Acceptable] + new: [.....2] [ip4][..tcp] [...10.215.173.1][49352] -> [.104.166.182.25][..443] + detected: [.....2] [ip4][..tcp] [...10.215.173.1][49352] -> [.104.166.182.25][..443] [TLS.DingTalk][Unknown][Chat][Acceptable][static.dingtalk.com] + detection-update: [.....2] [ip4][..tcp] [...10.215.173.1][49352] -> [.104.166.182.25][..443] [TLS.DingTalk][Unknown][Chat][Acceptable][static.dingtalk.com] + idle: [.....1] [ip4][..tcp] [...10.215.173.1][48910] -> [..47.246.133.39][..443] [DingTalk][Alibaba][Chat][Acceptable] + end: [.....2] [ip4][..tcp] [...10.215.173.1][49352] -> [.104.166.182.25][..443] [TLS.DingTalk][Unknown][Chat][Acceptable] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/dns_doh.pcap.out b/test/results/flow-info/default/dns_doh.pcap.out index 464cbf6fc..476ea4df1 100644 --- a/test/results/flow-info/default/dns_doh.pcap.out +++ b/test/results/flow-info/default/dns_doh.pcap.out 
@@ -4,7 +4,7 @@ new: [.....1] [ip4][..tcp] [....172.20.10.4][49877] -> [.104.16.248.249][..443] detected: [.....1] [ip4][..tcp] [....172.20.10.4][49877] -> [.104.16.248.249][..443] [TLS.DoH_DoT][Cloudflare][Network][Acceptable][mozilla.cloudflare-dns.com] detection-update: [.....1] [ip4][..tcp] [....172.20.10.4][49877] -> [.104.16.248.249][..443] [TLS.DoH_DoT][Cloudflare][Network][Acceptable][mozilla.cloudflare-dns.com] - analyse: [.....1] [ip4][..tcp] [....172.20.10.4][49877] -> [.104.16.248.249][..443] [TLS.DoH_DoT][Cloudflare][Network][Acceptable][mozilla.cloudflare-dns.com] + analyse: [.....1] [ip4][..tcp] [....172.20.10.4][49877] -> [.104.16.248.249][..443] [TLS.DoH_DoT][Cloudflare][Network][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.535| 0.062| 0.130| 16944.855| 3.000] [PKTLEN......: 40.000| 1340.000| 216.900| 327.300| 107137.200| 3.900] diff --git a/test/results/flow-info/default/dnscrypt-v2-doh.pcap.out b/test/results/flow-info/default/dnscrypt-v2-doh.pcap.out index 34a2f14ac..22b4da7b3 100644 --- a/test/results/flow-info/default/dnscrypt-v2-doh.pcap.out +++ b/test/results/flow-info/default/dnscrypt-v2-doh.pcap.out 
@@ -114,44 +114,44 @@ detection-update: [....34] [ip4][..tcp] [.......10.0.0.1][35742] -> [.209.250.241.25][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][jarjar.meganerd.nl] detection-update: [....34] [ip4][..tcp] [.......10.0.0.1][35742] -> [.209.250.241.25][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][jarjar.meganerd.nl] RISK: TLS Cert Expired - idle: [....29] [ip4][..tcp] [.......10.0.0.1][35714] -> [.209.250.241.25][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][jarjar.meganerd.nl] + idle: [....29] [ip4][..tcp] [.......10.0.0.1][35714] -> [.209.250.241.25][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] RISK: TLS Cert Expired - idle: [....12] [ip4][..tcp] [.......10.0.0.1][41720] -> [116.203.179.248][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][rumpelsepp.org] - idle: [....34] [ip4][..tcp] [.......10.0.0.1][35742] -> [.209.250.241.25][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][jarjar.meganerd.nl] + idle: [....12] [ip4][..tcp] [.......10.0.0.1][41720] -> [116.203.179.248][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....34] [ip4][..tcp] [.......10.0.0.1][35742] -> [.209.250.241.25][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] RISK: TLS Cert Expired - idle: [....25] [ip4][..tcp] [.......10.0.0.1][52028] -> [...45.76.113.31][.8443] [TLS.DoH_DoT][Unknown][Network][Acceptable][doh.seby.io] + idle: [....25] [ip4][..tcp] [.......10.0.0.1][52028] -> [...45.76.113.31][.8443] [TLS.DoH_DoT][Unknown][Network][Acceptable] RISK: Known Proto on Non Std Port - idle: [....26] [ip4][..tcp] [.......10.0.0.1][34036] -> [..217.169.20.23][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][dns.aa.net.uk] - idle: [....10] [ip4][..tcp] [.......10.0.0.1][55322] -> [.185.134.196.55][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][rdns.faelix.net] - idle: [....14] [ip4][..tcp] [.......10.0.0.1][46658] -> [185.233.106.232][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][dns.dnshome.de] - idle: [....20] [ip4][..tcp] 
[.......10.0.0.1][33724] -> [...104.28.28.34][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][jp.tiarap.org] - idle: [.....6] [ip4][..tcp] [.......10.0.0.1][40938] -> [..172.104.93.80][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][jp.tiar.app] - idle: [.....4] [ip4][..tcp] [.......10.0.0.1][55962] -> [..51.158.147.50][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][resolver-eu.lelux.fi] - idle: [.....8] [ip4][..tcp] [.......10.0.0.1][38186] -> [...185.43.135.1][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][odvr.nic.cz] + idle: [....26] [ip4][..tcp] [.......10.0.0.1][34036] -> [..217.169.20.23][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....10] [ip4][..tcp] [.......10.0.0.1][55322] -> [.185.134.196.55][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....14] [ip4][..tcp] [.......10.0.0.1][46658] -> [185.233.106.232][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....20] [ip4][..tcp] [.......10.0.0.1][33724] -> [...104.28.28.34][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [.....6] [ip4][..tcp] [.......10.0.0.1][40938] -> [..172.104.93.80][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [.....4] [ip4][..tcp] [.......10.0.0.1][55962] -> [..51.158.147.50][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [.....8] [ip4][..tcp] [.......10.0.0.1][38186] -> [...185.43.135.1][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] RISK: TLS Cert Expired - idle: [....13] [ip4][..tcp] [.......10.0.0.1][60026] -> [...195.30.94.28][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][doh.ffmuc.net] - idle: [....31] [ip4][..tcp] [.......10.0.0.1][57058] -> [..46.227.200.54][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][rdns.faelix.net] - idle: [....17] [ip4][..tcp] [.......10.0.0.1][44640] -> [...185.235.81.1][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][doh.dnslify.com] - idle: [....21] [ip4][..tcp] [.......10.0.0.1][53802] -> [........1.0.0.1][..443] 
[TLS.DoH_DoT][Unknown][Network][Acceptable][dns.cloudflare.com] - idle: [....28] [ip4][..tcp] [.......10.0.0.1][54164] -> [...193.70.85.11][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][doh.bortzmeyer.fr] - idle: [....27] [ip4][..tcp] [.......10.0.0.1][43718] -> [..146.255.56.98][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][doh.appliedprivacy.net] - idle: [....33] [ip4][..tcp] [.......10.0.0.1][44704] -> [...185.235.81.1][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][doh.dnslify.com] - idle: [....18] [ip4][..tcp] [.......10.0.0.1][43106] -> [.116.202.176.26][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][doh.libredns.gr] - idle: [.....9] [ip4][..tcp] [.......10.0.0.1][51770] -> [.......9.9.9.10][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][dns10.quad9.net] - idle: [....32] [ip4][..tcp] [.......10.0.0.1][51846] -> [.......9.9.9.10][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][dns10.quad9.net] - idle: [....30] [ip4][..tcp] [.......10.0.0.1][43888] -> [.95.216.229.153][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][fi.doh.dns.snopyta.org] - idle: [....11] [ip4][..tcp] [.......10.0.0.1][52386] -> [..51.15.124.208][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][dnsnl.alekberg.net] - idle: [....19] [ip4][..tcp] [.......10.0.0.1][59026] -> [....85.5.93.230][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][ibksturm.synology.me] - idle: [....23] [ip4][..tcp] [.......10.0.0.1][52176] -> [136.144.215.158][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][doh.powerdns.org] - idle: [....22] [ip4][..tcp] [.......10.0.0.1][33338] -> [.....45.90.28.0][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][dns.nextdns.io] + idle: [....13] [ip4][..tcp] [.......10.0.0.1][60026] -> [...195.30.94.28][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....31] [ip4][..tcp] [.......10.0.0.1][57058] -> [..46.227.200.54][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....17] [ip4][..tcp] [.......10.0.0.1][44640] -> 
[...185.235.81.1][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....21] [ip4][..tcp] [.......10.0.0.1][53802] -> [........1.0.0.1][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....28] [ip4][..tcp] [.......10.0.0.1][54164] -> [...193.70.85.11][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....27] [ip4][..tcp] [.......10.0.0.1][43718] -> [..146.255.56.98][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....33] [ip4][..tcp] [.......10.0.0.1][44704] -> [...185.235.81.1][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....18] [ip4][..tcp] [.......10.0.0.1][43106] -> [.116.202.176.26][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [.....9] [ip4][..tcp] [.......10.0.0.1][51770] -> [.......9.9.9.10][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....32] [ip4][..tcp] [.......10.0.0.1][51846] -> [.......9.9.9.10][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....30] [ip4][..tcp] [.......10.0.0.1][43888] -> [.95.216.229.153][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....11] [ip4][..tcp] [.......10.0.0.1][52386] -> [..51.15.124.208][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....19] [ip4][..tcp] [.......10.0.0.1][59026] -> [....85.5.93.230][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....23] [ip4][..tcp] [.......10.0.0.1][52176] -> [136.144.215.158][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....22] [ip4][..tcp] [.......10.0.0.1][33338] -> [.....45.90.28.0][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] idle: [.....1] [ip4][..tcp] [.......10.0.0.1][53674] -> [..139.99.222.72][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] idle: [.....2] [ip4][..tcp] [.......10.0.0.1][53676] -> [..139.99.222.72][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] - idle: [....15] [ip4][..tcp] [.......10.0.0.1][36012] -> [..149.56.228.45][..453] [TLS.DoH_DoT][Unknown][Network][Acceptable][dns2.dnscrypt.ca] + idle: 
[....15] [ip4][..tcp] [.......10.0.0.1][36012] -> [..149.56.228.45][..453] [TLS.DoH_DoT][Unknown][Network][Acceptable] RISK: Known Proto on Non Std Port - idle: [.....7] [ip4][..tcp] [.......10.0.0.1][37530] -> [167.114.220.125][..453] [TLS.DoH_DoT][Unknown][Network][Acceptable][dns1.dnscrypt.ca] + idle: [.....7] [ip4][..tcp] [.......10.0.0.1][37530] -> [167.114.220.125][..453] [TLS.DoH_DoT][Unknown][Network][Acceptable] RISK: Known Proto on Non Std Port - idle: [.....3] [ip4][..tcp] [.......10.0.0.1][50614] -> [..185.95.218.42][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][dns.digitale-gesellschaft.ch] - idle: [....24] [ip4][..tcp] [.......10.0.0.1][39214] -> [...104.28.0.106][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][doh.crypto.sx] - idle: [....16] [ip4][..tcp] [.......10.0.0.1][38018] -> [..45.153.187.96][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][dnsse.alekberg.net] - idle: [.....5] [ip4][..tcp] [.......10.0.0.1][59404] -> [.185.253.154.66][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable][dnses.alekberg.net] + idle: [.....3] [ip4][..tcp] [.......10.0.0.1][50614] -> [..185.95.218.42][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....24] [ip4][..tcp] [.......10.0.0.1][39214] -> [...104.28.0.106][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [....16] [ip4][..tcp] [.......10.0.0.1][38018] -> [..45.153.187.96][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] + idle: [.....5] [ip4][..tcp] [.......10.0.0.1][59404] -> [.185.253.154.66][..443] [TLS.DoH_DoT][Unknown][Network][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/facebook.pcap.out b/test/results/flow-info/default/facebook.pcap.out index f87cc2f2b..74400406f 100644 --- a/test/results/flow-info/default/facebook.pcap.out +++ b/test/results/flow-info/default/facebook.pcap.out 
@@ -8,7 +8,7 @@ new: [.....2] [ip4][..tcp] [..192.168.43.18][44614] -> [....31.13.86.36][..443] detected: [.....2] [ip4][..tcp] [..192.168.43.18][44614] -> [....31.13.86.36][..443] [TLS.Facebook][Facebook][SocialNetwork][Fun][www.facebook.com] detection-update: [.....2] [ip4][..tcp] [..192.168.43.18][44614] -> [....31.13.86.36][..443] [TLS.Facebook][Facebook][SocialNetwork][Fun][www.facebook.com] - analyse: [.....2] [ip4][..tcp] [..192.168.43.18][44614] -> [....31.13.86.36][..443] [TLS.Facebook][Facebook][SocialNetwork][Fun][www.facebook.com] + analyse: [.....2] [ip4][..tcp] [..192.168.43.18][44614] -> [....31.13.86.36][..443] [TLS.Facebook][Facebook][SocialNetwork][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.155| 0.037| 0.058| 3352.274| 3.300] [PKTLEN......: 52.000| 1440.000| 555.100| 613.300| 376153.100| 4.100] diff --git a/test/results/flow-info/default/false_positives.pcapng.out b/test/results/flow-info/default/false_positives.pcapng.out index 6acef84eb..67348709b 100644 --- a/test/results/flow-info/default/false_positives.pcapng.out +++ b/test/results/flow-info/default/false_positives.pcapng.out @@ -5,6 +5,12 @@ ERROR-EVENT: Unknown packet type [2/16] ERROR-EVENT: Unknown packet type [3/16] ERROR-EVENT: Unknown packet type [4/16] + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + ERROR-EVENT: Unknown packet type [1/16] + ERROR-EVENT: Unknown packet type [2/16] + ERROR-EVENT: Unknown packet type [3/16] + ERROR-EVENT: Unknown packet type [4/16] ERROR-EVENT: Unknown packet type [5/16] ERROR-EVENT: Unknown packet type [6/16] ERROR-EVENT: Unknown packet type [7/16] diff --git a/test/results/flow-info/default/firefox.pcap.out b/test/results/flow-info/default/firefox.pcap.out index f164648bd..09ac1659b 100644 --- a/test/results/flow-info/default/firefox.pcap.out 
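Review bot: The new expected output for false_positives.pcapng.out repeats `ERROR-EVENT: Unknown packet type [1/16]` through `[4/16]` on both sides of the inserted `DAEMON-EVENT: [Processed: 0 pkts]...` / `DAEMON-EVENT: [Flows]...` pair, so the fixture now enshrines the same four packet errors being reported twice. If the status pair is meant to be emitted once at start-up, the repeat suggests those error events are re-emitted (or the first packets re-read) after it, which would double-count errors in any consumer keying on these events. This should be confirmed against the daemon before the oracle is accepted; if the duplication is intentional, a short comment in the test driver explaining why errors 1–4 appear twice would save the next reader the same question.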
+++ b/test/results/flow-info/default/firefox.pcap.out @@ -20,7 +20,7 @@ detection-update: [.....4] [ip4][..tcp] [..192.168.1.178][51599] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] detection-update: [.....6] [ip4][..tcp] [..192.168.1.178][51601] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] idle: [.....1] [ip4][..tcp] [..192.168.1.178][51577] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] - idle: [.....2] [ip4][..tcp] [..192.168.1.178][51583] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] + idle: [.....2] [ip4][..tcp] [..192.168.1.178][51583] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] idle: [.....3] [ip4][..tcp] [..192.168.1.178][51588] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] idle: [.....4] [ip4][..tcp] [..192.168.1.178][51599] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] idle: [.....5] [ip4][..tcp] [..192.168.1.178][51600] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] diff --git a/test/results/flow-info/default/forticlient.pcap.out b/test/results/flow-info/default/forticlient.pcap.out index aa985be71..fc63300cd 100644 --- a/test/results/flow-info/default/forticlient.pcap.out +++ b/test/results/flow-info/default/forticlient.pcap.out 
@@ -36,7 +36,7 @@ RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS detection-update: [.....5] [ip4][..tcp] [..192.168.1.178][61820] -> [....82.81.46.13][10443] [TLS.FortiClient][Unknown][VPN][Safe][82.81.46.13] RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS - analyse: [.....5] [ip4][..tcp] [..192.168.1.178][61820] -> [....82.81.46.13][10443] [TLS.FortiClient][Unknown][VPN][Safe][82.81.46.13] + analyse: [.....5] [ip4][..tcp] [..192.168.1.178][61820] -> [....82.81.46.13][10443] [TLS.FortiClient][Unknown][VPN][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.495| 0.071| 0.112| 12454.003| 3.700] [PKTLEN......: 52.000| 1492.000| 253.000| 343.000| 117623.000| 4.100] diff --git a/test/results/flow-info/default/fuzz-2006-06-26-2594.pcap.out b/test/results/flow-info/default/fuzz-2006-06-26-2594.pcap.out index 364879a3a..ef121ec66 100644 --- a/test/results/flow-info/default/fuzz-2006-06-26-2594.pcap.out +++ b/test/results/flow-info/default/fuzz-2006-06-26-2594.pcap.out @@ -980,7 +980,7 @@ detection-update: [...145] [ip4][..udp] [....192.168.1.2][.2774] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][_sip._udp.sip.cybercity.dk] RISK: Malformed Packet, Non-Printable/Invalid Chars Detected, Unidirectional Traffic guessed: [...114] [ip4][..udp] [.192.168.37.115][.2758] -> [....128.168.1.1][...53] [DNS][Unknown][Network][Acceptable][] - RISK: Malformed Packet, Unidirectional Traffic + RISK: Unidirectional Traffic idle: [...114] [ip4][..udp] [.192.168.37.115][.2758] -> [....128.168.1.1][...53] idle: [...115] [ip4][..udp] [....192.168.1.2][.2758] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable] RISK: Unidirectional Traffic 
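Review bot: The guessed DNS flow to 128.168.1.1 loses its `Malformed Packet` risk while keeping `Unidirectional Traffic`, and the detected flows just above it in the same hunk still carry `Malformed Packet` alongside `Non-Printable/Invalid Chars Detected`. The fixture as updated bakes in that a guessed-only DNS flow with an empty hostname no longer raises the malformed-packet risk on this fuzzed input, which reads as lost coverage unless the underlying check was deliberately narrowed. I would confirm this is the expected effect of the detector change, and not an unintended regression in the malformed-DNS path, before accepting the oracle update.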
@@ -1007,7 +1007,7 @@ detection-update: [...148] [ip4][..udp] [....192.168.1.2][.2776] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][_sip._udp.sip.cybercity.dk] RISK: Malformed Packet, Non-Printable/Invalid Chars Detected, Unidirectional Traffic guessed: [...118] [ip4][..udp] [.....192.22.1.2][.2760] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][] - RISK: Malformed Packet, Unidirectional Traffic + RISK: Unidirectional Traffic idle: [...118] [ip4][..udp] [.....192.22.1.2][.2760] -> [....192.168.1.1][...53] idle: [...119] [ip4][..udp] [....192.168.1.2][.2760] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable] RISK: Unidirectional Traffic @@ -1998,7 +1998,7 @@ detected: [...256] [ip4][..udp] [....192.168.1.2][.2831] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][1.0.0.127.in-addr.arpa] detection-update: [...256] [ip4][..udp] [....192.168.1.2][.2831] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][1.0.0.127.in-addr.arpa] guessed: [...222] [ip4][..udp] [....128.168.1.2][.2810] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][] - RISK: Malformed Packet, Unidirectional Traffic + RISK: Unidirectional Traffic idle: [...222] [ip4][..udp] [....128.168.1.2][.2810] -> [....192.168.1.1][...53] update: [...245] [ip4][..udp] [....192.168.1.2][.2827] -> [..192.168.1.114][...53] [DNS][Unknown][Network][Acceptable] update: [...246] [ip4][..udp] [....192.168.1.2][.2827] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable] diff --git a/test/results/flow-info/default/fuzz-2006-09-29-28586.pcap.out b/test/results/flow-info/default/fuzz-2006-09-29-28586.pcap.out index c0d3a948f..3a3922c76 100644 --- a/test/results/flow-info/default/fuzz-2006-09-29-28586.pcap.out +++ b/test/results/flow-info/default/fuzz-2006-09-29-28586.pcap.out 
@@ -10,6 +10,8 @@ new: [.....4] [ip4][..tcp] [......0.20.3.13][...80] -> [.....172.20.3.5][.2601] [MIDSTREAM] ERROR-EVENT: Unknown packet type [3/16] new: [.....5] [ip4][..tcp] [....172.20.3.13][53132] -> [.....172.20.3.5][...80] + detected: [.....5] [ip4][..tcp] [....172.20.3.13][53132] -> [.....172.20.3.5][...80] [HTTP][Unknown][Web][Acceptable][%s] + RISK: Clear-Text Credentials, Non-Printable/Invalid Chars Detected, Possible Exploit Attempt new: [.....6] [ip4][..tcp] [.....172.20.3.1][...80] -> [....172.20.3.13][53132] [MIDSTREAM] detected: [.....6] [ip4][..tcp] [.....172.20.3.1][...80] -> [....172.20.3.13][53132] [HTTP][Unknown][Web][Acceptable][] RISK: HTTP Susp User-Agent
@@ -74,8 +76,8 @@ new: [....39] [ip4][..115] [....172.20.3.13] -> [.....172.20.3.5] idle: [.....6] [ip4][..tcp] [.....172.20.3.1][...80] -> [....172.20.3.13][53132] [HTTP][Unknown][Web][Acceptable] RISK: HTTP Susp User-Agent - guessed: [.....5] [ip4][..tcp] [....172.20.3.13][53132] -> [.....172.20.3.5][...80] [HTTP][Unknown][Web][Acceptable][] - end: [.....5] [ip4][..tcp] [....172.20.3.13][53132] -> [.....172.20.3.5][...80] + end: [.....5] [ip4][..tcp] [....172.20.3.13][53132] -> [.....172.20.3.5][...80] [HTTP][Unknown][Web][Acceptable][%s] + RISK: Clear-Text Credentials, Non-Printable/Invalid Chars Detected, Possible Exploit Attempt guessed: [....36] [ip4][..tcp] [...172.20.67.13][53136] -> [.....172.20.3.5][...80] [HTTP][Unknown][Web][Acceptable][] RISK: Unidirectional Traffic idle: [....36] [ip4][..tcp] [...172.20.67.13][53136] -> [.....172.20.3.5][...80]
diff --git a/test/results/flow-info/default/googledns_android10.pcap.out b/test/results/flow-info/default/googledns_android10.pcap.out
index 30fa42554..64abf75b8 100644
--- a/test/results/flow-info/default/googledns_android10.pcap.out
+++ b/test/results/flow-info/default/googledns_android10.pcap.out
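Review bot: The new `detected:` line for flow 5 in the `@@ -10,6 +10,8 @@` hunk of fuzz-2006-09-29-28586.pcap.out records the host as the literal `%s` (`[HTTP][Unknown][Web][Acceptable][%s]`), and the same value is fixed into the `end:` line of the `@@ -74,8 +76,8 @@` hunk. Before this becomes the expected result it is worth confirming that `%s` is really the Host header bytes carried by the fuzzed capture and not a printf-style format that escaped substitution somewhere in the flow-info printer; the accompanying `Non-Printable/Invalid Chars Detected` and `Possible Exploit Attempt` risks are consistent with the former, but the fixture alone cannot tell the two apart. If the capture does carry `%s`, a one-line remark in the commit description such as "fuzz-2006-09-29-28586: Host header is the literal string %s" would spare the next reader the same check, since a bare `%s` reaching a format function downstream would be a crash or memory-disclosure concern rather than a detection result.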
@@ -23,7 +23,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [.....4] [ip4][..tcp] [..192.168.1.159][48048] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Google][Network][Acceptable][dns.google] RISK: TLS (probably) Not Carrying HTTPS - analyse: [.....4] [ip4][..tcp] [..192.168.1.159][48048] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Google][Network][Acceptable][dns.google] + analyse: [.....4] [ip4][..tcp] [..192.168.1.159][48048] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Google][Network][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.447| 0.072| 0.122| 14825.912| 3.500] [PKTLEN......: 52.000| 1470.000| 268.200| 356.700| 127227.700| 4.100]
@@ -44,7 +44,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [.....7] [ip4][..tcp] [..192.168.1.159][48098] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Google][Network][Acceptable][dns.google] RISK: TLS (probably) Not Carrying HTTPS - analyse: [.....7] [ip4][..tcp] [..192.168.1.159][48098] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Google][Network][Acceptable][dns.google] + analyse: [.....7] [ip4][..tcp] [..192.168.1.159][48098] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Google][Network][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 1.254| 0.185| 0.342| 116761.002| 3.200] [PKTLEN......: 52.000| 569.000| 198.200| 197.900| 39161.300| 4.400]
@@ -75,7 +75,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [.....8] [ip4][..tcp] [..192.168.1.159][48210] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Google][Network][Acceptable][dns.google] RISK: TLS (probably) Not Carrying HTTPS - analyse: [.....8] [ip4][..tcp] [..192.168.1.159][48210] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Google][Network][Acceptable][dns.google] + analyse: [.....8] [ip4][..tcp] [..192.168.1.159][48210] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Google][Network][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 5.704| 0.390| 1.388| 1925240.193| 1.500] [PKTLEN......: 52.000| 1470.000| 268.200| 356.700| 127227.700| 4.100]
diff --git a/test/results/flow-info/default/http-basic-auth.pcap.out b/test/results/flow-info/default/http-basic-auth.pcap.out
new file mode 100644
index 000000000..5933e535d
--- /dev/null
+++ b/test/results/flow-info/default/http-basic-auth.pcap.out
@@ -0,0 +1,206 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [....192.168.0.4][54317] -> [192.254.189.169][...80] + new: [.....2] [ip4][..tcp] [....192.168.0.4][54318] -> [192.254.189.169][...80] + new: [.....3] [ip4][..tcp] [....192.168.0.4][54319] -> [192.254.189.169][...80] + new: [.....4] [ip4][..tcp] [....192.168.0.4][54320] -> [192.254.189.169][...80] + new: [.....5] [ip4][..tcp] [....192.168.0.4][54321] -> [192.254.189.169][...80] + new: [.....6] [ip4][..tcp] [....192.168.0.4][54322] -> [192.254.189.169][...80] + detected: [.....1] [ip4][..tcp] [....192.168.0.4][54317] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + detection-update: [.....1] [ip4][..tcp] [....192.168.0.4][54317] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Error Code + analyse: [.....1] [ip4][..tcp] [....192.168.0.4][54317] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 4.822| 0.486| 1.309| 1713882.661| 2.300] + [PKTLEN......: 52.000| 1500.000| 626.500| 665.800| 443276.400| 4.100] + [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 3,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,1,0,0] + [IATS(ms)....: 243.2,243.3,0.1,201.9,227.4,1.3,430.4,0.6,0.6,0.7,0.7,3.6,3.8,7.4,3.7,8.0,11.6,0.7,3.2,3.9,163.9,2.4,166.3,3.7,3.9,7.6,2.9,2.9,4822.3,4822.3,3673.5] + [PKTLENS.....: 64,60,52,752,52,1500,537,52,131,52,274,52,1500,1500,52,1500,1500,52,1500,1500,52,1500,1500,52,1500,1500,52,1001,52,52,52,52] + [ENTROPIES...: 
4.4,5.1,5.0,5.8,5.0,5.4,5.6,4.9,5.4,5.0,5.6,5.0,5.4,5.1,5.0,5.0,5.1,5.0,5.1,5.1,5.0,5.1,5.2,5.0,5.4,5.4,5.0,5.7,5.0,5.0,4.9,5.0] + detected: [.....2] [ip4][..tcp] [....192.168.0.4][54318] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + detection-update: [.....2] [ip4][..tcp] [....192.168.0.4][54318] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials, Error Code + analyse: [.....2] [ip4][..tcp] [....192.168.0.4][54318] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 7.939| 0.797| 2.054| 4220874.654| 2.400] + [PKTLEN......: 52.000| 1500.000| 627.900| 665.600| 443017.800| 4.100] + [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 4,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,1,1,1,0,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,1] + [IATS(ms)....: 244.2,244.3,1383.3,1383.3,7743.3,7938.9,165.1,1.2,361.9,0.6,0.6,0.7,0.7,4.1,3.6,7.8,4.0,4.1,8.0,3.8,3.9,7.7,159.5,3.9,163.4,3.6,6.0,9.5,0.6,0.6,4835.5] + [PKTLENS.....: 64,60,52,60,52,787,58,1500,537,52,131,52,274,52,1500,1500,52,1500,1500,52,1500,1500,52,1500,1500,52,1500,1500,52,998,52,52] + [ENTROPIES...: 4.4,5.1,5.2,5.0,5.2,5.9,5.3,5.5,5.6,5.1,5.4,5.1,5.7,5.0,5.4,5.1,5.1,5.0,5.1,5.1,5.1,5.1,5.1,5.1,5.2,5.1,5.4,5.4,5.1,5.7,5.1,5.1] + new: [.....7] [ip4][..tcp] [....192.168.0.4][54337] -> [192.254.189.169][...80] + detected: [.....7] [ip4][..tcp] [....192.168.0.4][54337] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + new: [.....8] [ip4][..tcp] [....192.168.0.4][54338] -> [192.254.189.169][...80] + detection-update: [.....7] [ip4][..tcp] [....192.168.0.4][54337] -> [192.254.189.169][...80] 
[HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials, Error Code + analyse: [.....7] [ip4][..tcp] [....192.168.0.4][54337] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 4.862| 0.405| 1.194| 1424465.723| 2.200] + [PKTLEN......: 52.000| 1500.000| 626.900| 665.600| 443042.200| 4.100] + [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 3,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,1,0,0] + [IATS(ms)....: 180.0,180.1,0.1,194.0,206.4,1.3,401.5,0.6,0.6,0.7,0.7,4.0,4.6,8.7,4.6,3.0,7.6,3.3,5.3,8.6,159.0,4.0,163.0,3.6,4.2,7.9,2.6,2.6,4861.8,4861.8,1269.0] + [PKTLENS.....: 64,60,52,791,52,1500,537,52,131,52,274,52,1500,1500,52,1500,1500,52,1500,1500,52,1500,1500,52,1500,1500,52,975,52,52,52,52] + [ENTROPIES...: 4.4,5.1,5.1,5.9,5.0,5.4,5.6,5.1,5.4,5.0,5.6,5.1,5.4,5.1,5.0,5.0,5.1,5.1,5.1,5.1,5.1,5.1,5.2,5.1,5.4,5.4,5.0,5.7,5.0,5.0,5.1,5.1] + detected: [.....8] [ip4][..tcp] [....192.168.0.4][54338] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + detection-update: [.....8] [ip4][..tcp] [....192.168.0.4][54338] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials, Error Code + analyse: [.....8] [ip4][..tcp] [....192.168.0.4][54338] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 5.591| 0.470| 1.348| 1817151.799| 2.200] + [PKTLEN......: 52.000| 1500.000| 627.500| 656.200| 430625.700| 4.100] + [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 
3,0,1,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,1,1,1,0,1,0,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1] + [IATS(ms)....: 181.5,181.5,1115.4,1115.4,5396.0,5591.1,193.0,1.4,389.4,1.1,1.1,0.6,0.6,0.7,0.7,7.1,0.8,7.9,3.9,3.5,7.3,4.2,161.7,166.0,3.9,4.0,7.9,3.9,3.7,7.7,1.8] + [PKTLENS.....: 64,60,52,60,52,791,58,1500,537,52,131,52,274,52,365,52,1500,1500,52,1500,1500,52,1500,1500,52,1500,1500,52,1500,1500,52,669] + [ENTROPIES...: 4.5,5.1,5.1,5.2,5.2,5.9,5.1,5.4,5.6,5.1,5.4,5.1,5.6,5.1,5.8,4.9,5.3,5.0,5.0,5.1,5.1,5.2,5.1,5.1,5.2,5.1,5.2,5.1,5.4,5.4,5.2,5.8] + new: [.....9] [ip4][..tcp] [....192.168.0.4][54340] -> [192.254.189.169][...80] + new: [....10] [ip4][..tcp] [....192.168.0.4][54341] -> [192.254.189.169][...80] + new: [....11] [ip4][..tcp] [....192.168.0.4][54342] -> [192.254.189.169][...80] + new: [....12] [ip4][..tcp] [....192.168.0.4][54343] -> [192.254.189.169][...80] + detected: [.....9] [ip4][..tcp] [....192.168.0.4][54340] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + detected: [....10] [ip4][..tcp] [....192.168.0.4][54341] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + detected: [....11] [ip4][..tcp] [....192.168.0.4][54342] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + detected: [....12] [ip4][..tcp] [....192.168.0.4][54343] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + new: [....13] [ip4][..tcp] [....192.168.0.4][54354] -> [192.254.189.169][...80] + analyse: [.....9] [ip4][..tcp] [....192.168.0.4][54340] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 4.812| 0.386| 1.140| 1299265.487| 2.300] + [PKTLEN......: 52.000| 1500.000| 464.500| 
552.500| 305249.300| 4.100] + [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 3,0,1,0,3,0,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,1,1,0,1,0,1,0,1,0,1,1,0,1,0,1,1,0] + [IATS(ms)....: 203.4,203.5,0.3,194.8,10.4,204.8,49.7,338.1,288.3,3.6,208.9,205.3,4591.8,4811.6,185.3,1.8,406.8,0.6,0.6,0.6,0.6,0.8,0.8,3.8,6.5,10.3,1.4,1.4,3.9,3.7,7.6] + [PKTLENS.....: 64,60,52,783,52,189,52,788,189,52,791,189,52,761,58,1500,597,52,131,52,274,52,365,52,1500,1500,52,1500,52,1500,1500,52] + [ENTROPIES...: 4.4,5.1,5.0,5.9,5.1,5.8,5.1,5.9,5.8,5.1,5.9,5.8,5.1,5.9,5.2,5.4,5.5,5.1,5.4,5.0,5.7,5.0,5.7,5.1,5.3,5.0,5.1,5.1,5.0,5.1,5.1,5.0] + new: [....14] [ip4][..tcp] [....192.168.0.4][54487] -> [192.254.189.169][...80] + detected: [....14] [ip4][..tcp] [....192.168.0.4][54487] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + analyse: [....14] [ip4][..tcp] [....192.168.0.4][54487] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 4.838| 0.365| 1.179| 1389490.602| 1.900] + [PKTLEN......: 52.000| 1500.000| 615.900| 661.200| 437136.200| 4.100] + [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 3,0,1,0,0,0,0,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0] + [IATS(ms)....: 197.2,197.3,0.1,193.6,225.1,1.6,420.1,0.3,0.3,1.2,1.3,4.2,3.6,7.8,4.1,4.1,3.7,4.1,7.8,4.0,4.0,162.1,4.0,166.1,4.0,4.0,3.5,1.4,4.9,4837.6,4837.6] + [PKTLENS.....: 64,60,52,761,52,1500,597,52,131,52,471,52,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,398,52,52,52] + [ENTROPIES...: 
4.4,5.1,5.1,5.9,5.0,5.4,5.5,5.1,5.4,5.1,5.7,5.0,5.3,5.1,5.0,5.1,5.0,5.1,5.1,5.1,5.1,5.0,5.1,5.2,5.1,5.3,5.0,5.5,5.8,5.0,5.0,5.0] + new: [....15] [ip4][..tcp] [....192.168.0.4][54505] -> [192.254.189.169][...80] + new: [....16] [ip4][..tcp] [....192.168.0.4][54506] -> [192.254.189.169][...80] + new: [....17] [ip4][..tcp] [....192.168.0.4][54507] -> [192.254.189.169][...80] + new: [....18] [ip4][..tcp] [....192.168.0.4][54508] -> [192.254.189.169][...80] + new: [....19] [ip4][..tcp] [....192.168.0.4][54509] -> [192.254.189.169][...80] + detected: [....15] [ip4][..tcp] [....192.168.0.4][54505] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + analyse: [....15] [ip4][..tcp] [....192.168.0.4][54505] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.410| 0.053| 0.099| 9719.476| 3.100] + [PKTLEN......: 52.000| 1500.000| 614.700| 658.500| 433660.400| 4.100] + [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 2,0,1,0,0,0,1,1,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0] + [IATS(ms)....: 204.5,204.6,0.2,194.7,213.8,1.8,410.0,0.6,0.6,0.6,0.6,0.9,0.9,5.4,2.2,7.6,3.9,4.0,7.9,3.8,21.6,169.0,3.7,154.9,4.0,4.1,3.9,4.0,7.8,2.6,2.5] + [PKTLENS.....: 64,60,52,714,52,1500,597,52,131,52,274,52,365,52,1500,1500,52,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,1500,52,289,52] + [ENTROPIES...: 4.4,5.2,5.2,5.9,5.1,5.4,5.5,5.1,5.4,5.1,5.7,5.1,5.7,5.1,5.3,5.0,5.1,5.1,5.1,5.1,5.1,5.1,5.1,5.1,5.1,5.2,5.0,5.3,5.6,5.1,5.8,5.1] + detected: [....16] [ip4][..tcp] [....192.168.0.4][54506] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + analyse: [....16] [ip4][..tcp] [....192.168.0.4][54506] -> [192.254.189.169][...80] 
[HTTP][Unknown][Web][Acceptable][browserspy.dk] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.001| 9.537| 0.739| 2.305| 5311970.148| 2.000] + [PKTLEN......: 52.000| 1500.000| 715.000| 702.000| 492871.900| 4.200] + [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 3,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0] + [DIRECTIONS..: 0,1,0,1,0,0,1,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0] + [IATS(ms)....: 205.1,205.1,1239.2,1239.2,9336.2,9536.7,269.7,3.9,474.2,3.9,3.9,3.9,3.9,7.8,5.5,5.6,2.5,3.5,5.9,3.9,4.0,3.7,163.4,167.1,4.0,3.9,4.6,3.2,7.9,1.1,1.1] + [PKTLENS.....: 64,60,52,60,52,695,58,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,1500,52,320,52] + [ENTROPIES...: 4.4,5.1,5.1,5.1,5.1,5.9,5.3,5.4,5.5,5.0,5.3,5.1,5.0,5.1,5.1,5.1,5.0,5.1,5.1,5.1,5.1,5.0,5.1,5.3,5.1,5.2,5.0,5.2,5.5,5.1,5.8,5.0] + new: [....20] [ip4][..tcp] [....192.168.0.4][54580] -> [192.254.189.169][...80] + new: [....21] [ip4][..tcp] [....192.168.0.4][54581] -> [192.254.189.169][...80] + new: [....22] [ip4][..tcp] [....192.168.0.4][54582] -> [192.254.189.169][...80] + new: [....23] [ip4][..tcp] [....192.168.0.4][54583] -> [192.254.189.169][...80] + new: [....24] [ip4][..tcp] [....192.168.0.4][54584] -> [192.254.189.169][...80] + new: [....25] [ip4][..tcp] [....192.168.0.4][54596] -> [192.254.189.169][...80] + detected: [....20] [ip4][..tcp] [....192.168.0.4][54580] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + detected: [....21] [ip4][..tcp] [....192.168.0.4][54581] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + detected: [....22] [ip4][..tcp] [....192.168.0.4][54582] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + detected: 
[....23] [ip4][..tcp] [....192.168.0.4][54583] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + detected: [....24] [ip4][..tcp] [....192.168.0.4][54584] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + analyse: [....24] [ip4][..tcp] [....192.168.0.4][54584] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.002| 2.440| 0.244| 0.570| 324880.892| 2.800] + [PKTLEN......: 52.000| 1500.000| 641.400| 656.800| 431405.000| 4.200] + [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 3,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0] + [IATS(ms)....: 191.6,191.7,451.5,691.2,19.0,258.7,2193.0,2440.0,223.7,1.5,472.1,13.2,13.3,3.5,4.1,7.5,4.0,4.0,4.1,3.5,7.6,3.9,4.0,3.9,158.9,162.7,3.8,3.9,3.9,1.9,5.7] + [PKTLENS.....: 64,60,52,783,52,189,52,763,58,1500,597,52,131,52,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,757,52] + [ENTROPIES...: 4.3,5.0,5.1,5.9,5.0,5.8,5.0,5.9,5.2,5.4,5.5,5.1,5.4,5.1,5.4,5.2,5.1,5.0,5.0,5.1,5.1,5.1,5.1,5.0,5.1,5.2,5.1,5.2,5.0,5.4,5.7,5.1] + end: [.....1] [ip4][..tcp] [....192.168.0.4][54317] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Error Code + end: [.....2] [ip4][..tcp] [....192.168.0.4][54318] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials, Error Code + guessed: [.....3] [ip4][..tcp] [....192.168.0.4][54319] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][] + end: [.....3] [ip4][..tcp] [....192.168.0.4][54319] -> [192.254.189.169][...80] + guessed: [.....4] [ip4][..tcp] [....192.168.0.4][54320] -> 
[192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][] + end: [.....4] [ip4][..tcp] [....192.168.0.4][54320] -> [192.254.189.169][...80] + guessed: [.....5] [ip4][..tcp] [....192.168.0.4][54321] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][] + end: [.....5] [ip4][..tcp] [....192.168.0.4][54321] -> [192.254.189.169][...80] + guessed: [.....6] [ip4][..tcp] [....192.168.0.4][54322] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][] + end: [.....6] [ip4][..tcp] [....192.168.0.4][54322] -> [192.254.189.169][...80] + end: [.....7] [ip4][..tcp] [....192.168.0.4][54337] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials, Error Code + end: [.....8] [ip4][..tcp] [....192.168.0.4][54338] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials, Error Code + end: [.....9] [ip4][..tcp] [....192.168.0.4][54340] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + end: [....10] [ip4][..tcp] [....192.168.0.4][54341] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + end: [....11] [ip4][..tcp] [....192.168.0.4][54342] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + end: [....12] [ip4][..tcp] [....192.168.0.4][54343] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + guessed: [....13] [ip4][..tcp] [....192.168.0.4][54354] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][] + end: [....13] [ip4][..tcp] [....192.168.0.4][54354] -> [192.254.189.169][...80] + end: [....14] [ip4][..tcp] [....192.168.0.4][54487] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + end: [....15] [ip4][..tcp] [....192.168.0.4][54505] -> [192.254.189.169][...80] 
[HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + end: [....16] [ip4][..tcp] [....192.168.0.4][54506] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + guessed: [....17] [ip4][..tcp] [....192.168.0.4][54507] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][] + end: [....17] [ip4][..tcp] [....192.168.0.4][54507] -> [192.254.189.169][...80] + guessed: [....18] [ip4][..tcp] [....192.168.0.4][54508] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][] + end: [....18] [ip4][..tcp] [....192.168.0.4][54508] -> [192.254.189.169][...80] + guessed: [....19] [ip4][..tcp] [....192.168.0.4][54509] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][] + end: [....19] [ip4][..tcp] [....192.168.0.4][54509] -> [192.254.189.169][...80] + end: [....20] [ip4][..tcp] [....192.168.0.4][54580] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + end: [....21] [ip4][..tcp] [....192.168.0.4][54581] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + end: [....22] [ip4][..tcp] [....192.168.0.4][54582] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + end: [....23] [ip4][..tcp] [....192.168.0.4][54583] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + end: [....24] [ip4][..tcp] [....192.168.0.4][54584] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][browserspy.dk] + RISK: Clear-Text Credentials + guessed: [....25] [ip4][..tcp] [....192.168.0.4][54596] -> [192.254.189.169][...80] [HTTP][Unknown][Web][Acceptable][] + end: [....25] [ip4][..tcp] [....192.168.0.4][54596] -> [192.254.189.169][...80] + DAEMON-EVENT: shutdown 
diff --git a/test/results/flow-info/default/http-pwd.pcapng.out b/test/results/flow-info/default/http-pwd.pcapng.out
new file mode 100644
index 000000000..a94239cf3
--- /dev/null
+++ b/test/results/flow-info/default/http-pwd.pcapng.out
@@ -0,0 +1,13 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [......127.0.0.1][56451] -> [......127.0.0.1][.3000] + detected: [.....1] [ip4][..tcp] [......127.0.0.1][56451] -> [......127.0.0.1][.3000] [HTTP][Unknown][Web][Acceptable][localhost] + RISK: Known Proto on Non Std Port + detection-update: [.....1] [ip4][..tcp] [......127.0.0.1][56451] -> [......127.0.0.1][.3000] [HTTP][Unknown][Web][Acceptable][localhost] + RISK: Known Proto on Non Std Port, Clear-Text Credentials + detection-update: [.....1] [ip4][..tcp] [......127.0.0.1][56451] -> [......127.0.0.1][.3000] [HTTP.ntop][Unknown][Web][Safe][localhost] + RISK: Clear-Text Credentials + end: [.....1] [ip4][..tcp] [......127.0.0.1][56451] -> [......127.0.0.1][.3000] [HTTP.ntop][Unknown][Web][Safe][localhost] + RISK: Clear-Text Credentials + DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/http_connect.pcap.out b/test/results/flow-info/default/http_connect.pcap.out
index 1f5206203..fd0d5b6e9 100644
--- a/test/results/flow-info/default/http_connect.pcap.out
+++ b/test/results/flow-info/default/http_connect.pcap.out
@@ -10,7 +10,7 @@ new: [.....3] [ip4][..tcp] [..192.168.1.146][35968] -> [..151.101.2.132][..443] detected: [.....3] [ip4][..tcp] [..192.168.1.146][35968] -> [..151.101.2.132][..443] [TLS][Unknown][Web][Safe][apache.org] detection-update: [.....3] [ip4][..tcp] [..192.168.1.146][35968] -> [..151.101.2.132][..443] [TLS][Unknown][Web][Safe][apache.org] - analyse: [.....3] [ip4][..tcp] [..192.168.1.146][35968] -> [..151.101.2.132][..443] [TLS][Unknown][Web][Safe][apache.org] + analyse: [.....3] [ip4][..tcp] [..192.168.1.146][35968] -> [..151.101.2.132][..443] [TLS][Unknown][Web][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.016| 0.003| 0.005| 23.691| 3.400] [PKTLEN......: 52.000| 1436.000| 549.000| 627.700| 394029.600| 4.000]
diff --git a/test/results/flow-info/default/http_ipv6.pcap.out b/test/results/flow-info/default/http_ipv6.pcap.out
index d516b0969..4cbdc24ae 100644
--- a/test/results/flow-info/default/http_ipv6.pcap.out
+++ b/test/results/flow-info/default/http_ipv6.pcap.out
@@ -66,7 +66,7 @@ RISK: TLS Cert Mismatch end: [.....8] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][37494] -> [................2a03:b0c0:3:d0::70:1001][..443] [TLS.ntop][Unknown][Network][Safe] RISK: TLS Cert Mismatch - idle: [....12] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][37506] -> [................2a03:b0c0:3:d0::70:1001][..443] [TLS.ntop][Unknown][Network][Safe][www.ntop.org] + idle: [....12] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][37506] -> [................2a03:b0c0:3:d0::70:1001][..443] [TLS.ntop][Unknown][Network][Safe] RISK: TLS Cert Mismatch guessed: [.....1] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][40526] -> [...............2a00:1450:4006:804::200e][..443] [TLS][Google][Web][Safe] idle: [.....1] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][40526] -> [...............2a00:1450:4006:804::200e][..443]
diff --git a/test/results/flow-info/default/instagram.pcap.out b/test/results/flow-info/default/instagram.pcap.out
index 71ef03928..c906028f4 100644
--- a/test/results/flow-info/default/instagram.pcap.out
+++ b/test/results/flow-info/default/instagram.pcap.out
@@ -215,7 +215,7 @@ end: [....16] [ip4][..tcp] [..192.168.0.103][38817] -> [...46.33.70.160][...80] idle: [....10] [ip4][..udp] [..192.168.0.106][17500] -> [..192.168.0.255][17500] [Dropbox][Unknown][Cloud][Acceptable] idle: [....31] [ip4][..udp] [..192.168.0.103][27124] -> [........8.8.8.8][...53] [DNS.Instagram][Google][Network][Fun] - idle: [.....1] [ip4][..tcp] [..192.168.0.103][56382] -> [..173.252.107.4][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun][telegraph-ash.instagram.com] + idle: [.....1] [ip4][..tcp] [..192.168.0.103][56382] -> [..173.252.107.4][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun] RISK: Obsolete TLS (v1.1 or older) idle: [....15] [ip4][..tcp] [..192.168.0.103][33763] -> [....31.13.93.52][..443] [TLS][Facebook][Web][Safe] idle: [....29] [ip4][..tcp] [....2.22.236.51][...80] -> [..192.168.0.103][44151] [HTTP][Unknown][Web][Acceptable]
@@ -234,7 +234,7 @@ detected: [....38] [ip4][..tcp] [...192.168.2.17][49361] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun][scontent-mxp1-1.cdninstagram.com] detection-update: [....37] [ip4][..tcp] [...192.168.2.17][49360] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun][scontent-mxp1-1.cdninstagram.com] detection-update: [....38] [ip4][..tcp] [...192.168.2.17][49361] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun][scontent-mxp1-1.cdninstagram.com] - analyse: [....34] [ip4][..tcp] [...192.168.2.17][49357] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun][scontent-mxp1-1.cdninstagram.com] + analyse: [....34] [ip4][..tcp] [...192.168.2.17][49357] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 10.470| 0.692| 2.561| 6557671.096| 1.200] [PKTLEN......: 52.000| 1440.000| 460.700| 528.600| 279392.300| 4.100] 
@@ -246,7 +246,7 @@ [ENTROPIES...: 4.2,5.1,4.9,7.1,7.6,5.0,5.0,6.8,4.9,6.4,7.0,4.8,7.7,7.9,7.9,7.8,7.9,7.9,7.7,7.9,5.8,5.0,5.0,4.9,4.9,4.9,5.0,7.6,7.6,5.1,5.1,7.8] idle: [....33] [ip4][..tcp] [...192.168.2.17][49355] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun] end: [....34] [ip4][..tcp] [...192.168.2.17][49357] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun][scontent-mxp1-1.cdninstagram.com] - idle: [....35] [ip4][..tcp] [...192.168.2.17][49358] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun][scontent-mxp1-1.cdninstagram.com] + idle: [....35] [ip4][..tcp] [...192.168.2.17][49358] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun] idle: [....36] [ip4][..tcp] [...192.168.2.17][49359] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun] idle: [....37] [ip4][..tcp] [...192.168.2.17][49360] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun] idle: [....38] [ip4][..tcp] [...192.168.2.17][49361] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun]
diff --git a/test/results/flow-info/default/iphone.pcap.out b/test/results/flow-info/default/iphone.pcap.out
index 0b7a60a00..f7d12f89b 100644
--- a/test/results/flow-info/default/iphone.pcap.out
+++ b/test/results/flow-info/default/iphone.pcap.out
@@ -133,7 +133,7 @@ new: [....48] [ip4][..udp] [...192.168.2.17][65079] -> [....192.168.2.1][...53] detected: [....48] [ip4][..udp] [...192.168.2.17][65079] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][play.itunes.apple.com] detection-update: [....48] [ip4][..udp] [...192.168.2.17][65079] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][play.itunes.apple.com] - analyse: [....29] [ip4][..tcp] [...192.168.2.17][50580] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][gateway.icloud.com] + analyse: [....29] [ip4][..tcp] [...192.168.2.17][50580] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.686| 0.087| 0.170| 29013.449| 3.100] [PKTLEN......: 52.000| 1492.000| 310.700| 443.900| 197074.700| 3.900]
@@ -146,7 +146,7 @@ new: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] detected: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun][play.itunes.apple.com] detection-update: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun][play.itunes.apple.com] - analyse: [....45] [ip4][..tcp] [...192.168.2.17][50584] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][gateway.icloud.com] + analyse: [....45] [ip4][..tcp] [...192.168.2.17][50584] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.655| 0.067| 0.146| 21410.738| 2.900] [PKTLEN......: 40.000| 1492.000| 299.400| 449.800| 202280.400| 3.800]
@@ -156,7 +156,7 @@ [IATS(ms)....: 34.1,36.1,0.1,34.7,1.6,0.1,2.3,0.1,140.2,0.4,7.3,143.3,0.0,33.9,0.1,1.5,0.0,0.0,0.3,0.4,0.0,0.1,34.9,0.0,1.2,0.0,128.2,155.2,168.0,510.7,654.8] [PKTLENS.....: 64,60,52,569,52,1492,1492,1492,566,52,52,145,103,121,52,52,105,102,94,1070,90,436,90,52,90,52,52,52,736,52,40,52] [ENTROPIES...: 4.4,5.2,5.1,4.5,5.1,6.7,7.5,7.5,7.3,4.9,5.0,6.0,5.7,6.0,5.0,5.0,5.7,5.8,5.5,7.8,5.5,7.4,5.5,4.9,5.5,5.0,5.0,4.9,7.7,5.0,4.5,5.1] - analyse: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun][play.itunes.apple.com] + analyse: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.147| 0.026| 0.045| 1989.449| 3.200] [PKTLEN......: 52.000| 1492.000| 322.100| 461.100| 212650.100| 3.900] 
@@ -186,7 +186,7 @@ idle: [....29] [ip4][..tcp] [...192.168.2.17][50580] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][gateway.icloud.com] idle: [....38] [ip4][..tcp] [...192.168.2.17][50581] -> [..17.248.185.87][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][p26-keyvalueservice.icloud.com] idle: [....45] [ip4][..tcp] [...192.168.2.17][50584] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][gateway.icloud.com] - idle: [....47] [ip4][..tcp] [...192.168.2.17][50586] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][gateway.icloud.com] + idle: [....47] [ip4][..tcp] [...192.168.2.17][50586] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Apple][Web][Acceptable] idle: [....28] [ip4][..udp] [...192.168.2.17][52852] -> [....192.168.2.1][...53] [DNS.AppleiCloud][Unknown][Network][Acceptable][gateway.icloud.com] idle: [....16] [ip4][..udp] [...192.168.2.17][63143] -> [....192.168.2.1][...53] [DNS.AppleiCloud][Unknown][Network][Acceptable][p26-fmfmobile.icloud.com] idle: [.....2] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable][lucas-imac] 
@@ -227,7 +227,7 @@ end: [....26] [ip4][..tcp] [...192.168.2.17][50578] -> [.17.253.105.202][..443] [TLS.Apple][Apple][Web][Safe] end: [....27] [ip4][..tcp] [...192.168.2.17][50579] -> [.17.253.105.202][..443] [TLS.Apple][Apple][Web][Safe] idle: [....23] [ip4][..tcp] [...192.168.2.17][50576] -> [...95.101.25.53][..443] [TLS.Apple][Unknown][Web][Safe] - idle: [....51] [ip4][..tcp] [...192.168.2.17][50588] -> [...95.101.24.53][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun][sync.itunes.apple.com] + idle: [....51] [ip4][..tcp] [...192.168.2.17][50588] -> [...95.101.24.53][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun] idle: [....33] [ip4][..udp] [...192.168.2.17][62526] -> [....192.168.2.1][...53] [DNS.Apple][Unknown][Network][Safe][cl4.apple.com] end: [....25] [ip4][..tcp] [...192.168.2.17][49152] -> [.17.253.105.202][...80] [HTTP.Apple][Apple][ConnCheck][Safe][captive.apple.com] idle: [....14] [ip6][icmp6] [...............fe80::823:3f17:8298:a29c] -> [...............................ff02::16] [ICMPV6][Unknown][Network][Acceptable] diff --git a/test/results/flow-info/default/line.pcap.out b/test/results/flow-info/default/line.pcap.out index 1bfbb8dcc..cd8913c1a 100644 --- a/test/results/flow-info/default/line.pcap.out +++ b/test/results/flow-info/default/line.pcap.out 
@@ -34,7 +34,7 @@ [IATS(ms)....: 74.6,74.7,34.4,71.2,134.8,63.6,34.3,34.4,78.2,122.6,44.3,34.3,34.3,68.3,109.3,41.2,34.5,34.3,6.9,46.8,64.5,59.0,90.2,2533.1,2477.5,34.5,34.2,78.8,154.7,69.6,35.1] [PKTLENS.....: 100,46,134,46,146,93,46,150,46,343,95,46,146,46,113,89,46,150,46,216,89,124,96,46,95,46,336,46,256,40,374,89] [ENTROPIES...: 5.9,4.7,6.3,4.7,6.6,6.0,4.7,6.6,4.7,7.4,6.0,4.7,6.5,4.7,6.4,5.9,4.7,6.7,4.7,7.0,5.9,6.3,6.0,4.7,6.0,4.7,7.3,4.7,7.1,4.8,7.4,5.9] - analyse: [.....3] [ip4][..tcp] [...10.200.3.125][58160] -> [.147.92.242.232][..443] [TLS.Line][Line][Chat][Acceptable][uts-front.line-apps.com] + analyse: [.....3] [ip4][..tcp] [...10.200.3.125][58160] -> [.147.92.242.232][..443] [TLS.Line][Line][Chat][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 7.306| 0.634| 1.725| 2976235.913| 2.700] [PKTLEN......: 40.000| 1500.000| 272.500| 367.300| 134881.600| 4.100] diff --git a/test/results/flow-info/default/malware.pcap.out b/test/results/flow-info/default/malware.pcap.out index 938a3b114..af612fda7 100644 --- a/test/results/flow-info/default/malware.pcap.out +++ b/test/results/flow-info/default/malware.pcap.out 
@@ -28,7 +28,8 @@ new: [.....6] [ip4][..tcp] [...192.168.0.20][41240] -> [.193.109.85.123][..443] detected: [.....6] [ip4][..tcp] [...192.168.0.20][41240] -> [.193.109.85.123][..443] [TLS][Unknown][Web][Safe][hobbeach.com] detection-update: [.....6] [ip4][..tcp] [...192.168.0.20][41240] -> [.193.109.85.123][..443] [TLS][Unknown][Web][Safe][hobbeach.com] - analyse: [.....6] [ip4][..tcp] [...192.168.0.20][41240] -> [.193.109.85.123][..443] [TLS][Unknown][Web][Safe][hobbeach.com] + detection-update: [.....6] [ip4][..tcp] [...192.168.0.20][41240] -> [.193.109.85.123][..443] [TLS][Unknown][Web][Safe][hobbeach.com] + analyse: [.....6] [ip4][..tcp] [...192.168.0.20][41240] -> [.193.109.85.123][..443] [TLS][Unknown][Web][Safe] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.111| 0.021| 0.035| 1237.078| 3.200] [PKTLEN......: 40.000| 1492.000| 579.600| 653.500| 427088.100| 4.000] diff --git a/test/results/flow-info/default/naver.pcap.out b/test/results/flow-info/default/naver.pcap.out new file mode 100644 index 000000000..ab719c4ec --- /dev/null +++ b/test/results/flow-info/default/naver.pcap.out 
@@ -0,0 +1,16 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [...10.215.173.1][40026] -> [...23.52.84.208][..443] + detected: [.....1] [ip4][..tcp] [...10.215.173.1][40026] -> [...23.52.84.208][..443] [TLS.Naver][Unknown][Web][Safe][m.naver.com] + detection-update: [.....1] [ip4][..tcp] [...10.215.173.1][40026] -> [...23.52.84.208][..443] [TLS.Naver][Unknown][Web][Safe][m.naver.com] + new: [.....2] [ip4][..tcp] [...10.215.173.1][42040] -> [..110.93.157.96][..443] + detected: [.....2] [ip4][..tcp] [...10.215.173.1][42040] -> [..110.93.157.96][..443] [TLS.Naver][Unknown][Web][Safe][kr-col-ext.nelo.navercorp.com] + detection-update: [.....2] [ip4][..tcp] [...10.215.173.1][42040] -> [..110.93.157.96][..443] [TLS.Naver][Unknown][Web][Safe][kr-col-ext.nelo.navercorp.com] + new: [.....3] [ip4][..tcp] [...10.215.173.1][45578] -> [.184.50.200.195][..443] + detected: [.....3] [ip4][..tcp] [...10.215.173.1][45578] -> [.184.50.200.195][..443] [TLS.Naver][Unknown][Web][Safe][dthumb-phinf.pstatic.net] + detection-update: [.....3] [ip4][..tcp] [...10.215.173.1][45578] -> [.184.50.200.195][..443] [TLS.Naver][Unknown][Web][Safe][dthumb-phinf.pstatic.net] + idle: [.....1] [ip4][..tcp] [...10.215.173.1][40026] -> [...23.52.84.208][..443] [TLS.Naver][Unknown][Web][Safe] + idle: [.....2] [ip4][..tcp] [...10.215.173.1][42040] -> [..110.93.157.96][..443] [TLS.Naver][Unknown][Web][Safe] + idle: [.....3] [ip4][..tcp] [...10.215.173.1][45578] -> [.184.50.200.195][..443] [TLS.Naver][Unknown][Web][Safe] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/netflix.pcap.out b/test/results/flow-info/default/netflix.pcap.out index b193aff4f..31480855f 100644 --- a/test/results/flow-info/default/netflix.pcap.out +++ b/test/results/flow-info/default/netflix.pcap.out 
@@ -34,7 +34,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [.....8] [ip4][..tcp] [....192.168.1.7][53117] -> [...52.32.196.36][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][api-global.netflix.com] RISK: TLS (probably) Not Carrying HTTPS - analyse: [.....4] [ip4][..tcp] [....192.168.1.7][53105] -> [..54.69.204.241][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][ichnaea.netflix.com] + analyse: [.....4] [ip4][..tcp] [....192.168.1.7][53105] -> [..54.69.204.241][..443] [TLS.NetFlix][AmazonAWS][Video][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.364| 0.040| 0.082| 6699.630| 3.200] [PKTLEN......: 52.000| 1500.000| 265.200| 396.800| 157454.800| 3.900] @@ -494,7 +494,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [....58] [ip4][..tcp] [....192.168.1.7][53250] -> [.....52.41.30.5][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][api-global.netflix.com] RISK: TLS (probably) Not Carrying HTTPS - analyse: [....57] [ip4][..tcp] [....192.168.1.7][53249] -> [.....52.41.30.5][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][api-global.netflix.com] + analyse: [....57] [ip4][..tcp] [....192.168.1.7][53249] -> [.....52.41.30.5][..443] [TLS.NetFlix][AmazonAWS][Video][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.141| 0.020| 0.029| 838.464| 3.900] [PKTLEN......: 52.000| 1500.000| 420.800| 506.400| 256458.000| 4.100] 
@@ -541,7 +541,7 @@ [IATS(ms)....: 15.4,16.8,2.1,27.2,1.0,1.1,27.3,38.1,39.4,39.9,44.7,83.4,40.7,236.7,277.7,1389.8,1416.3,0.3,12.8,48.7,0.2,12.8,12.8,15.9,13.8,16.3,12.8,12.7,23.2,13.3,13.2] [PKTLENS.....: 64,60,52,297,52,1500,1500,52,1500,52,1500,1500,52,1500,719,52,297,1500,1500,1500,52,52,1500,1500,52,1500,52,1500,1500,52,1500,52] [ENTROPIES...: 4.5,5.2,5.1,5.9,5.3,7.3,7.8,5.2,7.8,5.0,7.8,7.8,5.1,7.8,7.7,5.2,5.8,6.9,7.5,7.8,5.1,5.0,7.8,7.8,5.0,7.9,4.9,7.8,7.8,5.1,7.8,5.1] - idle: [....18] [ip4][..tcp] [....192.168.1.7][53141] -> [..104.86.97.179][..443] [TLS.NetFlix][Unknown][Video][Fun][art-s.nflximg.net] + idle: [....18] [ip4][..tcp] [....192.168.1.7][53141] -> [..104.86.97.179][..443] [TLS.NetFlix][Unknown][Video][Fun] idle: [....12] [ip4][....2] [....192.168.1.7] -> [239.255.255.250] [IGMP][Unknown][Network][Acceptable] idle: [....59] [ip4][..udp] [....192.168.1.7][57093] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][a1907.dscg.akamai.net] idle: [....19] [ip4][..udp] [....192.168.1.7][59180] -> [....192.168.1.1][...53] [DNS.NetFlix][Unknown][Network][Fun][artwork.akam.nflximg.net] 
@@ -560,7 +560,7 @@ end: [....24] [ip4][..tcp] [....192.168.1.7][53151] -> [.54.201.191.132][...80] [HTTP.NetFlix][AmazonAWS][Video][Fun][appboot.netflix.com] end: [.....6] [ip4][..tcp] [....192.168.1.7][53115] -> [...52.32.196.36][..443] [TLS.NetFlix][AmazonAWS][Video][Fun] idle: [.....7] [ip4][..tcp] [....192.168.1.7][53116] -> [...52.32.196.36][..443] [TLS.NetFlix][AmazonAWS][Video][Fun] - end: [.....8] [ip4][..tcp] [....192.168.1.7][53117] -> [...52.32.196.36][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][api-global.netflix.com] + end: [.....8] [ip4][..tcp] [....192.168.1.7][53117] -> [...52.32.196.36][..443] [TLS.NetFlix][AmazonAWS][Video][Fun] RISK: TLS (probably) Not Carrying HTTPS idle: [....10] [ip4][..udp] [....192.168.1.7][53776] -> [239.255.255.250][.1900] [SSDP][Unknown][System][Acceptable][239.255.255.250:1900] end: [....20] [ip4][..tcp] [....192.168.1.7][53148] -> [..184.25.204.25][...80] [HTTP.NetFlix][Unknown][Video][Fun][art-2.nflximg.net] 
@@ -580,13 +580,13 @@ RISK: TLS (probably) Not Carrying HTTPS end: [....15] [ip4][..tcp] [....192.168.1.7][53133] -> [...52.89.39.139][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][api-global.netflix.com] RISK: TLS (probably) Not Carrying HTTPS - end: [....16] [ip4][..tcp] [....192.168.1.7][53134] -> [...52.89.39.139][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][api-global.netflix.com] + end: [....16] [ip4][..tcp] [....192.168.1.7][53134] -> [...52.89.39.139][..443] [TLS.NetFlix][AmazonAWS][Video][Fun] RISK: TLS (probably) Not Carrying HTTPS idle: [....52] [ip4][..udp] [....192.168.1.7][51622] -> [....192.168.1.1][...53] [DNS.NetFlix][Unknown][Network][Fun][ios.nccp.netflix.com] idle: [....55] [ip4][..tcp] [....192.168.1.7][53239] -> [.....52.41.30.5][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][api-global.netflix.com] idle: [....57] [ip4][..tcp] [....192.168.1.7][53249] -> [.....52.41.30.5][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][api-global.netflix.com] RISK: TLS (probably) Not Carrying HTTPS - idle: [....58] [ip4][..tcp] [....192.168.1.7][53250] -> [.....52.41.30.5][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][api-global.netflix.com] + idle: [....58] [ip4][..tcp] [....192.168.1.7][53250] -> [.....52.41.30.5][..443] [TLS.NetFlix][AmazonAWS][Video][Fun] RISK: TLS (probably) Not Carrying HTTPS idle: [....26] [ip4][..udp] [....192.168.1.7][51728] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][a803.dscg.akamai.net] idle: [....13] [ip4][..udp] [....192.168.1.7][51949] -> [....192.168.1.1][...53] [DNS.NetFlix][Unknown][Network][Fun][api-global.latency.prodaa.netflix.com] diff --git a/test/results/flow-info/default/no_sni.pcap.out b/test/results/flow-info/default/no_sni.pcap.out index 22aa7880e..5bfc889f2 100644 --- a/test/results/flow-info/default/no_sni.pcap.out +++ b/test/results/flow-info/default/no_sni.pcap.out 
@@ -10,7 +10,7 @@ detected: [.....2] [ip4][..tcp] [..192.168.1.119][51606] -> [.104.16.249.249][..443] [TLS.DoH_DoT][Cloudflare][Network][Acceptable][mozilla.cloudflare-dns.com] detection-update: [.....2] [ip4][..tcp] [..192.168.1.119][51606] -> [.104.16.249.249][..443] [TLS.DoH_DoT][Cloudflare][Network][Acceptable][mozilla.cloudflare-dns.com] new: [.....3] [ip4][..tcp] [..192.168.1.119][51612] -> [..104.16.124.96][..443] - analyse: [.....2] [ip4][..tcp] [..192.168.1.119][51606] -> [.104.16.249.249][..443] [TLS.DoH_DoT][Cloudflare][Network][Acceptable][mozilla.cloudflare-dns.com] + analyse: [.....2] [ip4][..tcp] [..192.168.1.119][51606] -> [.104.16.249.249][..443] [TLS.DoH_DoT][Cloudflare][Network][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.180| 0.028| 0.054| 2913.211| 3.000] [PKTLEN......: 40.000| 722.000| 127.200| 163.800| 26828.900| 4.200] @@ -63,6 +63,6 @@ end: [.....1] [ip4][..tcp] [..192.168.1.119][51331] -> [.104.16.249.249][..443] [TLS][Cloudflare][Web][Safe] idle: [.....2] [ip4][..tcp] [..192.168.1.119][51606] -> [.104.16.249.249][..443] [TLS.DoH_DoT][Cloudflare][Network][Acceptable][mozilla.cloudflare-dns.com] idle: [.....3] [ip4][..tcp] [..192.168.1.119][51612] -> [..104.16.124.96][..443] [TLS][Cloudflare][Web][Safe] - idle: [.....4] [ip4][..tcp] [..192.168.1.119][51635] -> [..104.17.198.37][..443] [TLS][Cloudflare][Web][Safe][951c558a-5e07-47ca-a0c0-225da1b33163.is-cf.help.every1dns.net] - idle: [.....5] [ip4][..tcp] [..192.168.1.119][51636] -> [..104.17.198.37][..443] [TLS][Cloudflare][Web][Safe][951c558a-5e07-47ca-a0c0-225da1b33163.is-doh.help.every1dns.net] + idle: [.....4] [ip4][..tcp] [..192.168.1.119][51635] -> [..104.17.198.37][..443] [TLS][Cloudflare][Web][Safe] + idle: [.....5] [ip4][..tcp] [..192.168.1.119][51636] -> [..104.17.198.37][..443] [TLS][Cloudflare][Web][Safe] DAEMON-EVENT: shutdown 
diff --git a/test/results/flow-info/default/ocs.pcap.out b/test/results/flow-info/default/ocs.pcap.out index d2048a4a5..2c44d6e1c 100644 --- a/test/results/flow-info/default/ocs.pcap.out +++ b/test/results/flow-info/default/ocs.pcap.out @@ -86,14 +86,14 @@ guessed: [.....1] [ip4][..tcp] [..192.168.180.2][47699] -> [.64.233.184.188][.5228] [Google][Google][Web][Acceptable] RISK: Unidirectional Traffic idle: [.....1] [ip4][..tcp] [..192.168.180.2][47699] -> [.64.233.184.188][.5228] - end: [.....6] [ip4][..tcp] [..192.168.180.2][39263] -> [..23.21.230.199][..443] [TLS.Crashlytics][AmazonAWS][DataTransfer][Acceptable][settings.crashlytics.com] + end: [.....6] [ip4][..tcp] [..192.168.180.2][39263] -> [..23.21.230.199][..443] [TLS.Crashlytics][AmazonAWS][DataTransfer][Acceptable] RISK: Obsolete TLS (v1.1 or older), Unidirectional Traffic end: [.....7] [ip4][..tcp] [..192.168.180.2][53356] -> [137.135.129.206][...80] [HTTP][Azure][Web][Acceptable] RISK: HTTP Susp User-Agent, Unidirectional Traffic - idle: [....15] [ip4][..tcp] [..192.168.180.2][36680] -> [.178.248.208.54][..443] [TLS.OCS][OCS][Media][Fun][ocs.labgency.ws] + idle: [....15] [ip4][..tcp] [..192.168.180.2][36680] -> [.178.248.208.54][..443] [TLS.OCS][OCS][Media][Fun] RISK: Obsolete TLS (v1.1 or older), Unidirectional Traffic idle: [....14] [ip4][..udp] [..192.168.180.2][.2589] -> [........8.8.8.8][...53] [DNS.OCS][Google][Network][Fun] - idle: [....16] [ip4][..tcp] [..192.168.180.2][32946] -> [.64.233.184.188][..443] [TLS.GoogleServices][Google][Web][Acceptable][mtalk.google.com] + idle: [....16] [ip4][..tcp] [..192.168.180.2][32946] -> [.64.233.184.188][..443] [TLS.GoogleServices][Google][Web][Acceptable] RISK: TLS (probably) Not Carrying HTTPS, Unidirectional Traffic end: [....13] [ip4][..tcp] [..192.168.180.2][49881] -> [.178.248.208.54][...80] [HTTP.OCS][OCS][Media][Fun][ocu03.labgency.ws] RISK: Unidirectional Traffic 
diff --git a/test/results/flow-info/default/ookla.pcap.out b/test/results/flow-info/default/ookla.pcap.out index 648be479e..8aef4141e 100644 --- a/test/results/flow-info/default/ookla.pcap.out +++ b/test/results/flow-info/default/ookla.pcap.out @@ -26,7 +26,7 @@ RISK: Known Proto on Non Std Port detection-update: [.....6] [ip4][..tcp] [..192.168.1.128][35830] -> [..89.96.108.170][.8080] [TLS][Unknown][Web][Safe][spd-pub-mi-01-01.fastwebnet.it] RISK: Known Proto on Non Std Port - detection-update: [.....6] [ip4][..tcp] [..192.168.1.128][35830] -> [..89.96.108.170][.8080] [TLS.Ookla][Unknown][Web][Safe][spd-pub-mi-01-01.fastwebnet.it] idle: [.....5] [ip4][..tcp] [..192.168.1.128][48854] -> [..104.16.209.12][..443] [TLS.Ookla][Cloudflare][Network][Safe] - idle: [.....6] [ip4][..tcp] [..192.168.1.128][35830] -> [..89.96.108.170][.8080] [TLS.Ookla][Unknown][Web][Safe][spd-pub-mi-01-01.fastwebnet.it] + idle: [.....6] [ip4][..tcp] [..192.168.1.128][35830] -> [..89.96.108.170][.8080] [TLS][Unknown][Web][Safe] + RISK: Known Proto on Non Std Port DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/openvpn_obfuscated.pcapng.out b/test/results/flow-info/default/openvpn_obfuscated.pcapng.out new file mode 100644 index 000000000..81462f07d --- /dev/null +++ b/test/results/flow-info/default/openvpn_obfuscated.pcapng.out 
@@ -0,0 +1,38 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [.192.168.12.156][37976] -> [..185.128.25.99][..465] + analyse: [.....1] [ip4][..tcp] [.192.168.12.156][37976] -> [..185.128.25.99][..465] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 1.020| 0.080| 0.242| 58469.183| 2.300] + [PKTLEN......: 52.000| 1500.000| 308.700| 431.500| 186180.000| 4.000] + [BINS(c->s)..: 7,0,1,3,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 7,0,0,4,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,1,1,0,0,0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1] + [IATS(ms)....: 20.0,22.1,6.2,28.1,0.0,21.2,1.0,26.3,0.0,0.0,0.0,28.0,0.1,0.2,23.6,57.5,41.8,4.8,15.8,16.4,4.9,7.9,24.7,0.5,24.0,23.3,24.7,66.8,1019.8,977.6,0.7] + [PKTLENS.....: 60,60,52,140,52,152,52,429,148,1500,1500,1500,52,52,152,164,52,52,376,873,52,52,801,52,310,172,395,176,52,199,52,148] + [ENTROPIES...: 4.7,5.2,5.1,6.5,5.1,6.6,5.1,7.3,6.6,7.9,7.9,7.9,5.0,5.1,6.5,6.7,5.1,5.1,7.3,7.8,5.1,5.1,7.7,5.2,7.3,6.7,7.5,6.5,5.1,6.9,5.1,6.5] + guessed: [.....1] [ip4][..tcp] [.192.168.12.156][37976] -> [..185.128.25.99][..465] [SMTPS][NordVPN][Email][Safe] + RISK: Fully Encrypted Flow + new: [.....2] [ip4][..udp] [.192.168.12.156][47128] -> [149.102.238.108][.1214] + DAEMON-EVENT: [Processed: 90 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 2 / 2|skipped: 0|!detected: 0|guessed: 1|detection-updates: 0|updates: 0] + new: [.....3] [ip4][..tcp] [.107.161.86.131][..443] -> [.192.168.12.156][48072] + analyse: [.....3] [ip4][..tcp] [.107.161.86.131][..443] -> [.192.168.12.156][48072] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.303| 0.045| 0.076| 5806.697| 3.500] + 
[PKTLEN......: 52.000| 152.000| 67.300| 23.700| 562.800| 4.900] + [BINS(c->s)..: 9,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 19,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,0,1,1,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,0] + [IATS(ms)....: 102.1,4.8,6.5,5.5,5.4,5.3,5.7,5.4,5.2,5.6,5.1,255.6,100.3,15.6,143.0,32.7,143.0,0.0,303.0,27.7,1.3,5.4,5.4,5.7,6.7,5.0,142.9,27.8,1.2,5.5,5.5] + [PKTLENS.....: 60,52,61,61,61,61,61,61,61,61,61,59,64,88,58,80,80,52,152,98,52,59,59,59,59,59,59,52,148,52,52,52] + [ENTROPIES...: 5.3,5.2,5.4,5.5,5.4,5.4,5.5,5.4,5.5,5.4,5.2,5.1,5.2,5.9,5.3,5.2,5.1,5.2,6.3,5.7,5.2,5.3,5.3,5.4,5.3,5.4,5.3,5.2,6.4,5.1,5.2,5.3] + guessed: [.....3] [ip4][..tcp] [.107.161.86.131][..443] -> [.192.168.12.156][48072] [TLS][Unknown][Web][Safe] + guessed: [.....2] [ip4][..udp] [.192.168.12.156][47128] -> [149.102.238.108][.1214] [NordVPN][NordVPN][VPN][Acceptable] + RISK: Susp Entropy + idle: [.....2] [ip4][..udp] [.192.168.12.156][47128] -> [149.102.238.108][.1214] + idle: [.....1] [ip4][..tcp] [.192.168.12.156][37976] -> [..185.128.25.99][..465] [SMTPS][NordVPN][Email][Safe] + RISK: Fully Encrypted Flow + idle: [.....3] [ip4][..tcp] [.107.161.86.131][..443] -> [.192.168.12.156][48072] [TLS][Unknown][Web][Safe] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/opera-vpn.pcapng.out b/test/results/flow-info/default/opera-vpn.pcapng.out index 07709011e..b279907a3 100644 --- a/test/results/flow-info/default/opera-vpn.pcapng.out +++ b/test/results/flow-info/default/opera-vpn.pcapng.out 
@@ -87,7 +87,7 @@ detected: [....29] [ip4][..tcp] [...192.168.1.29][51426] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] new: [....31] [ip4][..tcp] [...192.168.1.29][51428] -> [..77.111.247.69][..443] detection-update: [....28] [ip4][..tcp] [...192.168.1.29][51425] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [.....1] [ip4][..tcp] [...192.168.1.29][51398] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [.....1] [ip4][..tcp] [...192.168.1.29][51398] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.035| 0.008| 0.013| 162.243| 3.300] [PKTLEN......: 52.000| 1492.000| 436.200| 558.200| 311541.900| 3.900] @@ -99,7 +99,7 @@ [ENTROPIES...: 4.2,5.2,4.8,4.4,5.1,7.8,4.8,7.8,4.8,6.0,7.9,5.1,5.1,5.9,4.8,5.9,5.6,4.7,7.6,5.1,7.8,4.8,7.8,4.8,7.8,7.7,4.8,7.9,4.8,7.9,6.0,4.8] detected: [....30] [ip4][..tcp] [...192.168.1.29][51427] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....29] [ip4][..tcp] [...192.168.1.29][51426] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....11] [ip4][..tcp] [...192.168.1.29][51408] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....11] [ip4][..tcp] [...192.168.1.29][51408] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.034| 0.008| 0.013| 161.460| 3.300] [PKTLEN......: 52.000| 1492.000| 405.900| 517.200| 267501.900| 3.900] 
@@ -109,7 +109,7 @@ [IATS(ms)....: 34.0,34.0,0.1,26.8,0.3,27.1,0.2,0.2,0.2,0.0,26.0,1.0,6.6,33.2,0.1,0.1,1.0,1.0,0.1,26.4,0.4,26.6,0.2,0.0,0.2,0.8,0.8,0.5,0.0,0.5,0.1] [PKTLENS.....: 64,60,52,569,52,1492,52,1127,52,116,1467,52,52,91,52,93,52,76,52,591,52,1098,52,1492,704,52,1308,52,1098,764,52,52] [ENTROPIES...: 4.2,5.1,4.6,4.4,5.0,7.8,4.7,7.8,4.7,5.8,7.9,4.9,5.0,5.9,4.7,6.0,4.7,5.6,4.7,7.6,5.0,7.8,4.7,7.9,7.7,4.7,7.9,4.7,7.8,7.7,4.7,4.7] - analyse: [....15] [ip4][..tcp] [...192.168.1.29][51412] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....15] [ip4][..tcp] [...192.168.1.29][51412] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.037| 0.008| 0.013| 178.814| 3.300] [PKTLEN......: 52.000| 1492.000| 395.100| 500.800| 250764.700| 4.000] @@ -119,7 +119,7 @@ [IATS(ms)....: 37.1,37.2,0.1,28.8,0.5,29.2,1.0,1.0,0.1,0.0,26.7,1.7,3.3,31.5,0.1,0.1,0.1,0.1,27.0,0.9,27.7,0.2,0.2,0.0,0.1,0.1,0.0,0.1,0.6,0.5,0.1] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1483,52,52,91,52,93,76,52,591,52,1098,52,1492,52,704,1098,52,262,52,1098,52,401] [ENTROPIES...: 4.1,5.3,4.7,4.4,4.9,7.8,4.7,7.8,4.6,5.8,7.9,4.9,5.0,5.9,4.8,5.9,5.6,4.8,7.6,5.0,7.8,4.7,7.9,4.8,7.7,7.8,4.7,7.1,4.8,7.8,4.7,7.4] - analyse: [....18] [ip4][..tcp] [...192.168.1.29][51415] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....18] [ip4][..tcp] [...192.168.1.29][51415] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.037| 0.008| 0.014| 182.825| 3.300] [PKTLEN......: 52.000| 1492.000| 368.800| 501.900| 251883.600| 3.900] 
@@ -130,7 +130,7 @@ [PKTLENS.....: 64,60,52,569,52,1492,52,1129,52,116,1483,52,52,91,52,93,52,76,52,591,52,1098,52,258,52,1098,52,1098,52,1492,213,52] [ENTROPIES...: 4.2,5.2,4.7,4.4,5.1,7.9,4.8,7.8,4.8,6.0,7.9,5.1,5.1,5.9,4.8,6.0,4.8,5.6,4.8,7.6,5.1,7.8,4.8,7.2,4.8,7.8,4.8,7.8,4.8,7.9,7.0,4.8] detected: [....31] [ip4][..tcp] [...192.168.1.29][51428] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [.....2] [ip4][..tcp] [...192.168.1.29][51399] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [.....2] [ip4][..tcp] [...192.168.1.29][51399] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.046| 0.009| 0.013| 176.947| 3.400] [PKTLEN......: 52.000| 1492.000| 420.800| 536.500| 287782.900| 3.900] @@ -140,7 +140,7 @@ [IATS(ms)....: 28.1,28.2,0.4,27.3,1.6,28.5,1.1,1.1,0.4,0.0,25.8,1.4,19.1,0.0,45.9,0.8,0.8,0.1,26.6,2.3,28.8,0.2,0.2,0.0,0.1,0.2,0.1,0.1,0.0,0.2,0.4] [PKTLENS.....: 64,60,52,569,52,1492,52,1127,52,116,1467,52,52,91,93,52,76,52,591,52,1098,52,1492,52,704,52,1492,52,1318,751,52,138] [ENTROPIES...: 4.2,5.2,4.7,4.5,5.1,7.9,4.7,7.8,4.7,5.9,7.9,5.0,5.0,5.9,6.1,4.7,5.6,4.7,7.6,5.1,7.8,4.7,7.8,4.8,7.7,4.8,7.9,4.8,7.8,7.8,4.7,6.3] - analyse: [.....3] [ip4][..tcp] [...192.168.1.29][51400] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [.....3] [ip4][..tcp] [...192.168.1.29][51400] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.048| 0.009| 0.014| 188.006| 3.300] [PKTLEN......: 52.000| 1492.000| 409.500| 521.500| 271995.400| 4.000] 
@@ -150,7 +150,7 @@ [IATS(ms)....: 29.2,29.3,0.5,27.5,1.4,28.3,0.2,0.2,0.2,0.0,26.6,1.2,20.2,47.9,0.1,0.1,0.2,0.1,0.1,27.6,0.2,27.7,1.4,1.4,0.2,0.0,0.2,0.2,0.0,0.0,0.2] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1471,52,52,91,52,93,52,76,52,591,52,1098,52,1098,52,1492,704,52,1492,272,469,52] [ENTROPIES...: 4.1,5.2,4.6,4.4,4.9,7.9,4.7,7.8,4.7,5.9,7.9,5.0,5.0,5.9,4.7,5.9,4.7,5.6,4.7,7.6,5.0,7.8,4.7,7.8,4.7,7.9,7.7,4.7,7.8,7.1,7.5,4.7] - analyse: [....20] [ip4][..tcp] [...192.168.1.29][51417] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....20] [ip4][..tcp] [...192.168.1.29][51417] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.039| 0.009| 0.014| 196.546| 3.300] [PKTLEN......: 52.000| 1492.000| 365.500| 491.400| 241507.300| 3.900] @@ -160,7 +160,7 @@ [IATS(ms)....: 38.7,38.7,0.1,30.4,0.5,30.6,0.1,0.1,0.2,0.0,27.6,0.3,6.1,33.7,0.1,0.1,0.4,0.5,0.0,27.5,2.4,29.9,0.2,0.0,0.2,0.3,0.3,0.5,0.6,0.1,0.1] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1485,52,52,91,52,93,52,76,52,591,52,1098,52,1492,704,52,626,52,1098,52,134,52] [ENTROPIES...: 4.1,5.2,4.6,4.4,5.0,7.9,4.8,7.9,4.7,5.8,7.9,5.0,4.9,5.8,4.7,5.8,4.7,5.4,4.7,7.6,5.0,7.8,4.8,7.9,7.7,4.8,7.6,4.7,7.8,4.8,6.4,4.8] - analyse: [....17] [ip4][..tcp] [...192.168.1.29][51414] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....17] [ip4][..tcp] [...192.168.1.29][51414] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.046| 0.009| 0.014| 204.413| 3.300] [PKTLEN......: 52.000| 1492.000| 390.400| 502.900| 252956.000| 3.900] 
@@ -171,7 +171,7 @@ [PKTLENS.....: 64,60,52,569,52,1492,52,1127,52,116,1467,52,52,52,91,93,52,52,76,52,591,52,1098,52,478,52,1098,52,1098,52,1492,704] [ENTROPIES...: 4.1,5.1,4.6,4.4,5.0,7.9,4.7,7.8,4.7,5.9,7.9,5.0,5.1,5.0,5.9,5.9,4.7,4.7,5.5,4.8,7.6,5.1,7.8,4.8,7.5,4.8,7.8,4.8,7.8,4.8,7.9,7.7] detection-update: [....30] [ip4][..tcp] [...192.168.1.29][51427] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [.....4] [ip4][..tcp] [...192.168.1.29][51401] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [.....4] [ip4][..tcp] [...192.168.1.29][51401] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.058| 0.009| 0.015| 228.299| 3.300] [PKTLEN......: 52.000| 1492.000| 397.300| 525.300| 275956.200| 3.900] @@ -181,7 +181,7 @@ [IATS(ms)....: 30.1,30.1,0.1,26.5,1.6,27.9,0.3,0.2,0.2,0.1,26.5,1.2,30.4,57.8,0.1,0.1,0.1,0.1,0.0,27.7,0.9,28.5,0.1,0.1,0.5,0.5,0.4,0.4,0.3,0.0,0.3] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1477,52,52,91,52,93,52,76,52,591,52,1098,52,1098,52,1492,52,704,52,1492,294,52] [ENTROPIES...: 4.2,5.3,4.8,4.5,5.1,7.9,4.8,7.8,4.8,5.8,7.9,5.1,5.1,5.8,4.7,5.9,4.7,5.7,4.7,7.7,5.1,7.8,4.7,7.8,4.7,7.9,4.8,7.7,4.7,7.9,7.2,4.7] - analyse: [.....9] [ip4][..tcp] [...192.168.1.29][51406] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [.....9] [ip4][..tcp] [...192.168.1.29][51406] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.033| 0.010| 0.013| 175.212| 3.500] [PKTLEN......: 52.000| 1492.000| 303.800| 468.300| 219308.000| 3.800] 
@@ -191,7 +191,7 @@ [IATS(ms)....: 32.8,32.9,0.1,27.7,0.4,27.9,0.3,0.2,0.2,0.0,26.3,0.1,0.2,4.7,0.0,31.1,0.0,0.1,0.1,0.3,26.0,1.9,27.5,0.2,0.0,0.2,0.5,26.6,1.7,27.7,0.6] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1475,52,52,52,91,93,52,52,76,52,591,52,1098,52,1492,58,52,138,52,253,52,148] [ENTROPIES...: 4.1,5.1,4.7,4.4,4.8,7.9,4.6,7.8,4.6,5.9,7.9,4.8,4.8,4.9,5.9,5.9,4.7,4.7,5.6,4.7,7.7,5.0,7.8,4.7,7.9,5.1,4.7,6.3,4.9,7.2,4.7,6.5] - analyse: [....16] [ip4][..tcp] [...192.168.1.29][51413] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....16] [ip4][..tcp] [...192.168.1.29][51413] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.048| 0.010| 0.015| 220.945| 3.400] [PKTLEN......: 52.000| 1492.000| 397.100| 521.500| 271947.300| 3.900] @@ -201,7 +201,7 @@ [IATS(ms)....: 37.4,37.5,0.0,31.0,0.2,31.3,0.8,0.7,0.2,0.1,26.8,1.3,20.0,47.9,0.0,0.1,1.4,1.4,0.1,27.0,1.9,28.8,0.2,0.0,0.2,0.9,0.0,0.9,0.4,0.4,0.1] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1469,52,52,91,52,93,52,76,52,591,52,1098,52,1492,84,52,1492,488,52,1098,52,478] [ENTROPIES...: 4.2,5.3,4.7,4.5,5.0,7.9,4.8,7.8,4.8,6.0,7.9,5.0,5.0,6.0,4.7,5.8,4.7,5.6,4.7,7.6,5.0,7.8,4.7,7.9,5.7,4.7,7.9,7.5,4.7,7.8,4.7,7.5] - analyse: [....26] [ip4][..tcp] [...192.168.1.29][51423] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....26] [ip4][..tcp] [...192.168.1.29][51423] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.043| 0.010| 0.015| 219.628| 3.400] [PKTLEN......: 52.000| 1492.000| 378.900| 495.600| 245645.300| 3.900] 
@@ -211,7 +211,7 @@ [IATS(ms)....: 42.5,42.5,0.1,29.5,0.6,30.0,1.4,1.4,0.2,0.1,27.9,1.1,12.4,41.0,0.0,0.1,0.1,0.1,28.1,1.3,29.2,0.0,0.1,0.1,0.1,0.2,0.0,0.1,3.2,3.2,0.4] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1467,52,52,91,52,93,76,52,591,52,1098,52,498,52,1098,52,1492,280,52,1031,52,154] [ENTROPIES...: 4.2,5.2,4.7,4.4,5.0,7.9,4.8,7.8,4.8,5.9,7.9,5.1,5.1,5.9,4.8,5.9,5.6,4.8,7.6,5.1,7.8,4.7,7.6,4.8,7.8,4.6,7.9,7.2,4.8,7.8,4.8,6.4] - analyse: [.....7] [ip4][..tcp] [...192.168.1.29][51404] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [.....7] [ip4][..tcp] [...192.168.1.29][51404] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.035| 0.010| 0.013| 178.858| 3.600] [PKTLEN......: 52.000| 1492.000| 304.800| 439.800| 193461.100| 3.900] @@ -221,7 +221,7 @@ [IATS(ms)....: 31.9,31.9,0.1,27.3,0.4,27.6,0.2,0.1,0.3,0.1,27.1,0.1,8.7,35.4,0.1,0.1,0.5,0.4,0.1,26.2,2.4,0.1,28.5,0.1,0.1,0.4,26.5,1.7,27.7,0.5,0.5] [PKTLENS.....: 64,60,52,569,52,1492,52,1127,52,116,1471,52,52,91,52,93,52,76,52,591,52,1098,1098,52,475,52,138,52,256,52,160,52] [ENTROPIES...: 4.2,5.2,4.7,4.4,5.0,7.8,4.8,7.8,4.8,6.0,7.9,5.0,5.1,5.9,4.8,5.9,4.7,5.5,4.7,7.7,4.9,7.8,7.8,4.8,7.6,4.8,6.3,5.1,7.1,4.8,6.6,4.7] - analyse: [....25] [ip4][..tcp] [...192.168.1.29][51422] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....25] [ip4][..tcp] [...192.168.1.29][51422] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.049| 0.010| 0.016| 255.568| 3.300] [PKTLEN......: 52.000| 1492.000| 418.400| 525.000| 275583.300| 4.000] 
@@ -231,7 +231,7 @@ [IATS(ms)....: 44.1,44.1,0.2,30.0,0.3,30.0,0.2,0.2,0.1,0.1,30.4,0.1,18.7,0.1,49.0,0.1,0.1,0.1,28.0,1.8,29.6,0.1,0.1,0.4,0.4,0.5,0.5,0.3,0.0,0.3,0.4] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1473,52,52,91,93,52,76,52,591,52,1098,52,1098,52,1492,52,704,52,1492,272,52,751] [ENTROPIES...: 4.2,5.2,4.7,4.4,5.0,7.9,4.7,7.9,4.7,5.8,7.8,5.0,5.0,5.8,5.9,4.7,5.5,4.7,7.7,5.0,7.8,4.8,7.8,4.7,7.9,4.7,7.7,4.8,7.9,7.2,4.8,7.7] - analyse: [....23] [ip4][..tcp] [...192.168.1.29][51420] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....23] [ip4][..tcp] [...192.168.1.29][51420] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.051| 0.010| 0.016| 247.288| 3.300] [PKTLEN......: 52.000| 1492.000| 397.700| 512.500| 262691.900| 3.900] @@ -241,7 +241,7 @@ [IATS(ms)....: 41.0,41.1,0.1,31.0,0.5,31.4,0.1,0.1,0.1,0.1,29.3,0.1,21.7,50.8,0.1,0.1,0.1,0.1,27.5,1.0,28.3,1.3,0.0,1.3,0.2,0.1,1.7,1.6,0.0,0.1,0.4] [PKTLENS.....: 64,60,52,569,52,1492,52,1127,52,116,1481,52,52,91,52,93,76,52,591,52,1098,52,1492,704,52,1308,52,1098,52,401,52,138] [ENTROPIES...: 4.2,5.2,4.7,4.4,5.0,7.8,4.8,7.8,4.8,6.0,7.9,5.1,5.0,5.9,4.8,6.0,5.6,4.8,7.7,5.1,7.8,4.8,7.9,7.7,4.8,7.8,4.8,7.8,4.8,7.5,4.8,6.4] - analyse: [.....6] [ip4][..tcp] [...192.168.1.29][51403] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [.....6] [ip4][..tcp] [...192.168.1.29][51403] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.054| 0.010| 0.016| 241.175| 3.400] [PKTLEN......: 52.000| 1492.000| 346.900| 471.500| 222289.800| 3.900] 
@@ -251,7 +251,7 @@ [IATS(ms)....: 30.7,30.8,0.1,27.2,1.0,28.1,0.3,0.3,0.2,0.1,26.4,1.1,0.0,27.0,54.2,0.0,0.1,0.1,0.1,27.4,16.7,44.0,0.6,0.6,0.1,0.2,0.2,0.1,0.3,0.3,0.3] [PKTLENS.....: 64,60,52,569,52,1492,52,1127,52,116,1477,52,52,52,91,52,93,76,52,591,52,1098,52,1098,52,922,52,1098,52,149,52,200] [ENTROPIES...: 4.2,5.2,4.7,4.4,4.9,7.8,4.8,7.8,4.8,5.9,7.9,5.0,5.0,5.0,5.7,4.7,5.9,5.5,4.8,7.6,5.0,7.8,4.7,7.8,4.7,7.8,4.7,7.8,4.8,6.6,4.8,6.8] - analyse: [....14] [ip4][..tcp] [...192.168.1.29][51411] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....14] [ip4][..tcp] [...192.168.1.29][51411] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.036| 0.009| 0.014| 184.863| 3.500] [PKTLEN......: 52.000| 1492.000| 402.200| 504.900| 254904.000| 4.000] @@ -262,7 +262,7 @@ [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1483,52,52,91,52,93,52,76,52,591,52,1098,52,1098,52,1492,704,52,790,52,148,1050] [ENTROPIES...: 4.2,5.3,4.7,4.4,5.0,7.8,4.8,7.8,4.8,5.9,7.9,5.1,5.1,5.8,4.8,6.0,4.8,5.6,4.7,7.6,5.0,7.8,4.8,7.8,4.8,7.9,7.7,4.8,7.7,4.7,6.3,7.8] detection-update: [....31] [ip4][..tcp] [...192.168.1.29][51428] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....19] [ip4][..tcp] [...192.168.1.29][51416] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....19] [ip4][..tcp] [...192.168.1.29][51416] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.040| 0.011| 0.014| 199.830| 3.700] [PKTLEN......: 52.000| 1492.000| 405.900| 519.400| 269778.800| 4.000] 
@@ -272,7 +272,7 @@ [IATS(ms)....: 40.2,40.2,0.1,29.5,1.5,0.0,31.0,0.1,0.1,29.8,29.5,0.1,5.1,0.0,0.0,5.3,0.2,21.3,7.6,1.2,29.8,1.3,0.0,1.3,0.3,0.0,0.3,0.5,26.6,1.6,27.7] [PKTLENS.....: 64,60,52,569,52,1492,1128,52,116,1477,64,116,52,91,93,76,52,591,64,52,1098,52,1492,704,52,1492,437,52,148,52,1044,52] [ENTROPIES...: 4.2,5.2,4.7,4.5,5.0,7.9,7.8,4.7,5.8,7.9,5.1,5.9,5.1,5.8,5.9,5.6,4.8,7.6,5.0,5.0,7.8,4.7,7.9,7.7,4.7,7.9,7.5,4.7,6.4,4.9,7.8,4.7] - analyse: [....22] [ip4][..tcp] [...192.168.1.29][51419] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....22] [ip4][..tcp] [...192.168.1.29][51419] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.042| 0.011| 0.015| 224.118| 3.600] [PKTLEN......: 52.000| 1492.000| 344.000| 469.500| 220464.400| 3.900] @@ -282,7 +282,7 @@ [IATS(ms)....: 40.2,40.3,0.0,29.3,0.2,29.4,1.0,0.9,0.2,0.0,27.6,0.3,14.6,42.2,0.0,0.1,0.1,0.1,28.0,1.0,28.9,0.2,0.0,0.1,1.5,0.1,1.6,0.3,25.8,1.2,26.7] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1475,52,52,91,52,93,76,52,591,52,1098,52,1304,258,52,1098,408,52,138,52,220,52] [ENTROPIES...: 4.2,5.2,4.7,4.5,5.1,7.9,4.8,7.8,4.8,5.9,7.9,5.1,5.1,6.0,4.8,6.0,5.7,4.8,7.7,5.0,7.8,4.7,7.8,7.1,4.7,7.8,7.5,4.8,6.3,5.1,6.9,4.8] - analyse: [.....5] [ip4][..tcp] [...192.168.1.29][51402] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [.....5] [ip4][..tcp] [...192.168.1.29][51402] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.037| 0.011| 0.015| 234.608| 3.600] [PKTLEN......: 52.000| 1492.000| 339.700| 452.700| 204941.100| 3.900] 
@@ -292,7 +292,7 @@ [IATS(ms)....: 35.1,35.1,0.1,31.2,2.6,33.7,0.1,0.1,0.1,0.1,30.8,1.5,5.3,37.3,0.1,0.0,0.1,0.0,31.8,2.2,33.9,0.1,0.1,0.5,0.4,0.4,0.3,0.4,31.9,1.3,32.8] [PKTLENS.....: 64,60,52,569,52,1492,52,1129,52,116,1469,52,52,91,52,93,76,52,591,52,1098,52,478,52,1098,52,831,52,138,52,696,52] [ENTROPIES...: 4.2,5.2,4.7,4.4,5.0,7.9,4.7,7.8,4.7,5.9,7.9,5.0,5.0,6.0,4.8,5.9,5.6,4.8,7.6,5.1,7.8,4.7,7.5,4.8,7.8,4.8,7.8,4.8,6.3,5.1,7.7,4.8] - analyse: [....12] [ip4][..tcp] [...192.168.1.29][51409] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....12] [ip4][..tcp] [...192.168.1.29][51409] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.043| 0.012| 0.016| 240.534| 3.600] [PKTLEN......: 52.000| 1492.000| 355.800| 507.100| 257111.100| 3.800] @@ -302,7 +302,7 @@ [IATS(ms)....: 37.6,37.7,0.1,30.9,30.8,0.4,0.4,0.2,0.0,1.1,28.2,0.1,13.5,0.1,42.8,0.1,0.1,0.1,30.6,8.7,39.1,0.2,0.0,0.2,0.2,0.0,0.2,0.4,27.5,1.4,28.5] [PKTLENS.....: 64,60,52,569,1492,52,1129,52,116,1469,52,52,52,91,93,52,76,52,591,52,1098,52,1492,104,52,1492,191,52,167,52,364,52] [ENTROPIES...: 4.2,5.2,4.7,4.4,7.8,4.7,7.8,4.7,5.9,7.9,5.0,5.0,5.1,5.8,5.9,4.7,5.6,4.7,7.6,5.0,7.8,4.7,7.8,6.0,4.7,7.9,6.9,4.7,6.5,5.1,7.4,4.7] - analyse: [....10] [ip4][..tcp] [...192.168.1.29][51407] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....10] [ip4][..tcp] [...192.168.1.29][51407] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.042| 0.012| 0.017| 274.646| 3.500] [PKTLEN......: 52.000| 1492.000| 304.800| 467.200| 218265.100| 3.800] 
@@ -312,7 +312,7 @@ [IATS(ms)....: 41.6,41.7,0.0,34.7,0.4,35.0,0.2,0.2,0.2,0.1,34.8,0.0,3.3,37.8,0.1,0.1,0.1,0.1,0.0,32.2,2.3,34.4,0.2,0.0,0.2,0.5,31.2,2.5,33.2,0.1,0.1] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1467,52,52,91,52,93,76,52,52,591,52,1098,52,1492,81,52,138,52,256,52,160,52] [ENTROPIES...: 4.1,5.2,4.6,4.4,4.9,7.8,4.6,7.8,4.7,5.9,7.9,4.9,4.9,5.7,4.7,5.8,5.6,4.7,4.7,7.7,4.8,7.8,4.7,7.9,5.7,4.7,6.2,5.0,7.1,4.7,6.6,4.7] - analyse: [....28] [ip4][..tcp] [...192.168.1.29][51425] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....28] [ip4][..tcp] [...192.168.1.29][51425] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.050| 0.009| 0.014| 196.097| 3.300] [PKTLEN......: 52.000| 1492.000| 424.800| 534.600| 285801.500| 4.000] @@ -323,7 +323,7 @@ [PKTLENS.....: 64,60,52,569,52,1492,52,1129,52,116,1471,52,52,91,93,76,52,52,591,52,1098,52,1492,704,52,1492,52,1318,751,52,138,172] [ENTROPIES...: 4.2,5.2,4.7,4.4,5.0,7.8,4.8,7.8,4.7,6.0,7.9,5.0,5.0,5.9,5.9,5.6,4.6,4.7,7.6,5.0,7.8,4.7,7.9,7.7,4.7,7.9,4.7,7.8,7.7,4.8,6.2,6.5] new: [....32] [ip4][..tcp] [...192.168.1.29][51429] -> [..77.111.247.69][..443] - analyse: [....24] [ip4][..tcp] [...192.168.1.29][51421] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....24] [ip4][..tcp] [...192.168.1.29][51421] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.044| 0.012| 0.015| 228.764| 3.700] [PKTLEN......: 52.000| 1492.000| 340.500| 468.200| 219238.800| 3.900] 
@@ -333,7 +333,7 @@ [IATS(ms)....: 40.3,40.3,0.1,30.2,0.4,30.5,0.1,0.1,0.1,0.0,28.4,28.3,0.0,24.6,0.0,24.7,0.1,0.1,0.1,1.1,25.8,17.4,44.2,0.2,0.0,0.2,0.1,0.1,0.5,25.4,16.3] [PKTLENS.....: 64,60,52,569,52,1492,52,1129,52,116,1487,64,116,52,91,93,52,76,52,591,64,52,1098,52,1492,528,52,627,52,200,52,314] [ENTROPIES...: 4.2,5.2,4.8,4.5,5.1,7.8,4.8,7.8,4.7,6.0,7.9,5.0,5.9,5.1,5.8,5.9,4.7,5.5,4.7,7.6,5.1,5.1,7.8,4.8,7.9,7.6,4.8,7.7,4.8,6.9,5.1,7.3] - analyse: [....29] [ip4][..tcp] [...192.168.1.29][51426] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....29] [ip4][..tcp] [...192.168.1.29][51426] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.039| 0.010| 0.013| 167.910| 3.600] [PKTLEN......: 52.000| 1492.000| 287.100| 439.400| 193071.900| 3.800] @@ -343,7 +343,7 @@ [IATS(ms)....: 27.3,27.4,0.2,27.1,0.9,27.6,0.3,0.3,0.2,0.0,25.7,2.8,10.9,39.1,0.1,0.0,0.1,0.1,26.6,0.1,26.6,1.5,0.1,0.0,26.8,0.2,0.1,25.5,1.0,1.0,0.1] [PKTLENS.....: 64,60,52,569,52,1492,52,1127,52,116,1457,52,52,91,52,93,76,52,638,52,322,52,138,172,1444,52,52,329,52,166,52,105] [ENTROPIES...: 4.2,5.2,4.7,4.5,5.1,7.9,4.8,7.8,4.8,5.9,7.9,5.0,5.0,5.9,4.7,5.9,5.6,4.8,7.6,5.0,7.3,4.6,6.3,6.7,7.8,5.0,4.9,7.3,4.7,6.6,4.7,5.9] - analyse: [....30] [ip4][..tcp] [...192.168.1.29][51427] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....30] [ip4][..tcp] [...192.168.1.29][51427] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.033| 0.009| 0.012| 153.174| 3.500] [PKTLEN......: 52.000| 1492.000| 342.200| 472.200| 222950.100| 3.900] 
@@ -353,7 +353,7 @@ [IATS(ms)....: 27.4,27.5,0.1,27.3,2.2,29.4,0.1,0.1,0.2,0.1,26.9,0.1,0.5,5.6,0.1,32.7,0.0,0.1,0.0,26.1,0.3,26.3,1.3,0.0,0.0,1.3,1.6,0.1,27.1,0.0,3.8] [PKTLENS.....: 64,60,52,569,52,1492,52,1127,52,116,1459,52,52,52,91,93,52,76,52,591,52,1098,52,1492,84,759,52,154,623,52,52,274] [ENTROPIES...: 4.2,5.2,4.7,4.4,5.1,7.9,4.6,7.8,4.8,5.8,7.9,5.0,5.0,5.1,5.9,5.9,4.7,5.6,4.7,7.7,5.0,7.8,4.7,7.9,5.8,7.7,4.6,6.6,7.6,5.0,5.0,7.1] - analyse: [....31] [ip4][..tcp] [...192.168.1.29][51428] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....31] [ip4][..tcp] [...192.168.1.29][51428] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.046| 0.009| 0.014| 185.505| 3.300] [PKTLEN......: 52.000| 1492.000| 406.800| 492.900| 242924.900| 4.000] @@ -369,7 +369,7 @@ RISK: TLS (probably) Not Carrying HTTPS new: [....33] [ip4][..tcp] [...192.168.1.29][51430] -> [..77.111.247.69][..443] detected: [....33] [ip4][..tcp] [...192.168.1.29][51430] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....21] [ip4][..tcp] [...192.168.1.29][51418] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....21] [ip4][..tcp] [...192.168.1.29][51418] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.108| 0.020| 0.028| 811.176| 3.500] [PKTLEN......: 52.000| 1492.000| 324.200| 448.200| 200860.400| 3.900] 
@@ -380,7 +380,7 @@ [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1471,64,52,116,64,91,52,93,52,76,52,591,52,1098,52,498,1098,52,810,52,200,52] [ENTROPIES...: 4.2,5.2,4.7,4.5,5.1,7.9,4.7,7.8,4.8,5.8,7.9,5.1,5.0,5.8,5.1,5.9,4.8,5.9,4.8,5.5,4.8,7.6,5.0,7.8,4.8,7.5,7.8,4.7,7.7,4.8,6.9,5.0] detection-update: [....33] [ip4][..tcp] [...192.168.1.29][51430] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....32] [ip4][..tcp] [...192.168.1.29][51429] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....32] [ip4][..tcp] [...192.168.1.29][51429] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.037| 0.009| 0.014| 195.258| 3.400] [PKTLEN......: 52.000| 1492.000| 433.800| 539.400| 290977.100| 4.000] @@ -390,7 +390,7 @@ [IATS(ms)....: 31.1,31.3,0.3,31.0,1.4,32.0,0.1,0.1,2.8,0.1,33.2,1.2,5.1,0.0,0.0,36.6,0.1,31.1,2.9,33.9,0.3,0.0,0.2,0.2,0.2,0.2,0.2,0.5,0.5,0.6,0.2] [PKTLENS.....: 64,60,52,569,52,1492,52,1113,52,116,1324,52,52,91,93,76,52,591,52,1098,52,1492,704,52,1492,52,1492,52,950,52,138,252] [ENTROPIES...: 4.1,5.2,4.7,4.2,5.0,7.8,4.8,7.8,4.8,6.0,7.9,5.1,5.0,5.9,6.0,5.5,4.7,7.6,5.0,7.8,4.7,7.9,7.7,4.6,7.9,4.5,7.9,4.6,7.8,4.6,6.3,7.0] - analyse: [....33] [ip4][..tcp] [...192.168.1.29][51430] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....33] [ip4][..tcp] [...192.168.1.29][51430] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.031| 0.008| 0.012| 151.638| 3.300] [PKTLEN......: 52.000| 1492.000| 406.100| 507.800| 257847.600| 4.000] 
@@ -400,7 +400,7 @@ [IATS(ms)....: 28.1,28.2,0.1,28.4,1.4,29.7,0.1,0.1,0.1,0.1,27.0,0.0,0.0,3.7,0.0,0.0,30.5,0.1,0.1,27.4,1.6,28.7,0.1,0.1,0.1,0.1,0.3,0.2,0.7,0.7,0.1] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1465,52,52,52,91,93,76,52,52,591,52,1098,52,1098,52,1098,52,1308,52,1098,52,770] [ENTROPIES...: 4.1,5.3,4.7,4.5,4.9,7.9,4.7,7.8,4.7,5.9,7.9,5.0,5.1,5.0,5.9,5.8,5.5,4.7,4.7,7.7,5.0,7.8,4.7,7.8,4.7,7.8,4.7,7.9,4.7,7.8,4.7,7.7] - analyse: [....27] [ip4][..tcp] [...192.168.1.29][51424] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....27] [ip4][..tcp] [...192.168.1.29][51424] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.180| 0.027| 0.054| 2903.055| 2.900] [PKTLEN......: 52.000| 1492.000| 452.000| 548.400| 300791.000| 4.000] @@ -420,7 +420,7 @@ detection-update: [....34] [ip4][..tcp] [...192.168.1.29][51432] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detected: [....36] [ip4][..tcp] [...192.168.1.29][51435] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....35] [ip4][..tcp] [...192.168.1.29][51433] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....13] [ip4][..tcp] [...192.168.1.29][51410] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....13] [ip4][..tcp] [...192.168.1.29][51410] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 1.028| 0.074| 0.247| 61210.599| 1.800] [PKTLEN......: 52.000| 1492.000| 351.000| 482.300| 232616.900| 3.900] 
@@ -437,7 +437,7 @@ detected: [....37] [ip4][..tcp] [...192.168.1.29][51436] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detected: [....39] [ip4][..tcp] [...192.168.1.29][51438] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detected: [....38] [ip4][..tcp] [...192.168.1.29][51437] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....35] [ip4][..tcp] [...192.168.1.29][51433] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....35] [ip4][..tcp] [...192.168.1.29][51433] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.029| 0.007| 0.012| 137.076| 3.300] [PKTLEN......: 52.000| 1492.000| 397.000| 481.500| 231822.500| 4.000] @@ -448,7 +448,7 @@ [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1467,52,52,91,52,93,76,52,591,52,1098,478,52,52,1098,52,1098,52,882,1098,52,478] [ENTROPIES...: 4.2,5.2,4.7,4.5,5.0,7.9,4.7,7.8,4.8,5.9,7.9,5.1,5.1,5.9,4.8,5.9,5.7,4.8,7.6,5.0,7.8,7.5,4.7,4.7,7.8,4.7,7.8,4.7,7.7,7.8,4.7,7.5] detection-update: [....37] [ip4][..tcp] [...192.168.1.29][51436] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....34] [ip4][..tcp] [...192.168.1.29][51432] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....34] [ip4][..tcp] [...192.168.1.29][51432] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.058| 0.009| 0.015| 225.527| 3.300] [PKTLEN......: 52.000| 1492.000| 408.200| 535.400| 286624.800| 3.900] 
@@ -460,7 +460,7 @@ [ENTROPIES...: 4.2,5.3,4.8,4.4,5.1,7.8,4.8,7.8,4.8,5.9,7.9,5.1,5.1,5.8,4.8,5.9,4.8,5.7,4.8,7.6,5.1,7.8,4.8,7.9,7.7,4.8,4.8,7.9,4.7,7.8,4.8,7.5] detection-update: [....39] [ip4][..tcp] [...192.168.1.29][51438] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....38] [ip4][..tcp] [...192.168.1.29][51437] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....36] [ip4][..tcp] [...192.168.1.29][51435] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....36] [ip4][..tcp] [...192.168.1.29][51435] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.039| 0.008| 0.012| 156.003| 3.400] [PKTLEN......: 52.000| 1492.000| 410.500| 518.800| 269178.600| 4.000] @@ -473,7 +473,7 @@ new: [....40] [ip4][..tcp] [...192.168.1.29][51440] -> [..77.111.247.69][..443] detected: [....40] [ip4][..tcp] [...192.168.1.29][51440] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....40] [ip4][..tcp] [...192.168.1.29][51440] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....37] [ip4][..tcp] [...192.168.1.29][51436] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....37] [ip4][..tcp] [...192.168.1.29][51436] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.032| 0.009| 0.013| 159.388| 3.500] [PKTLEN......: 52.000| 1492.000| 374.000| 504.400| 254392.600| 3.900] 
@@ -483,7 +483,7 @@ [IATS(ms)....: 28.1,28.2,0.1,27.4,1.5,28.8,0.1,0.1,0.2,0.1,28.2,1.2,2.7,31.8,0.1,0.0,0.1,0.1,27.2,1.7,28.7,0.2,0.0,0.2,0.2,0.0,0.0,0.2,0.2,27.0,8.5] [PKTLENS.....: 64,60,52,569,52,1492,52,1129,52,116,1457,52,52,91,52,93,76,52,591,52,1098,52,1492,104,52,1492,280,367,52,138,52,584] [ENTROPIES...: 4.2,5.2,4.7,4.4,4.9,7.8,4.7,7.9,4.7,5.9,7.8,5.0,4.9,5.9,4.7,5.9,5.5,4.7,7.6,5.0,7.8,4.8,7.9,6.0,4.8,7.9,7.2,7.3,4.8,6.3,5.0,7.6] - analyse: [....40] [ip4][..tcp] [...192.168.1.29][51440] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....40] [ip4][..tcp] [...192.168.1.29][51440] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.036| 0.009| 0.013| 161.218| 3.500] [PKTLEN......: 52.000| 1492.000| 330.400| 469.300| 220240.500| 3.900] @@ -493,7 +493,7 @@ [IATS(ms)....: 27.8,27.9,0.1,27.1,0.5,27.5,0.8,0.8,0.3,0.1,26.2,1.0,8.7,0.0,35.6,0.1,0.1,0.0,26.0,5.3,31.3,0.2,0.0,0.0,0.2,0.1,1.6,0.1,0.1,26.9,1.3] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1475,52,52,91,93,52,76,52,591,52,1098,52,1492,704,132,52,52,154,172,338,52,52] [ENTROPIES...: 4.2,5.1,4.7,4.5,5.0,7.9,4.8,7.8,4.8,5.8,7.9,5.0,5.1,5.8,5.9,4.8,5.7,4.8,7.6,5.0,7.8,4.7,7.9,7.7,6.5,4.7,4.8,6.5,6.6,7.3,5.0,5.0] - analyse: [....39] [ip4][..tcp] [...192.168.1.29][51438] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....39] [ip4][..tcp] [...192.168.1.29][51438] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.122| 0.019| 0.034| 1173.117| 3.100] [PKTLEN......: 52.000| 1492.000| 390.500| 496.900| 246958.900| 4.000] 
@@ -503,7 +503,7 @@ [IATS(ms)....: 27.4,27.4,0.1,26.3,1.5,27.6,0.1,0.1,0.2,0.1,25.7,0.1,0.1,96.7,0.0,0.0,122.3,0.1,27.2,81.2,0.0,108.4,0.0,0.3,0.3,0.2,0.0,0.2,0.3,0.3,0.1] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1465,52,52,52,91,93,76,52,591,52,1098,478,52,52,1098,52,1492,488,52,1098,52,271] [ENTROPIES...: 4.1,5.2,4.6,4.4,5.0,7.8,4.7,7.8,4.6,5.9,7.9,4.8,4.8,4.9,5.7,5.8,5.6,4.7,7.6,5.0,7.8,7.5,4.8,4.8,7.8,4.8,7.9,7.5,4.8,7.8,4.8,7.1] - analyse: [....38] [ip4][..tcp] [...192.168.1.29][51437] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....38] [ip4][..tcp] [...192.168.1.29][51437] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.126| 0.020| 0.036| 1286.879| 3.200] [PKTLEN......: 52.000| 1492.000| 386.500| 502.300| 252311.900| 3.900] @@ -516,7 +516,7 @@ new: [....41] [ip4][..tcp] [...192.168.1.29][51441] -> [..77.111.247.69][..443] detected: [....41] [ip4][..tcp] [...192.168.1.29][51441] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....41] [ip4][..tcp] [...192.168.1.29][51441] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....41] [ip4][..tcp] [...192.168.1.29][51441] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....41] [ip4][..tcp] [...192.168.1.29][51441] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.125| 0.019| 0.036| 1295.429| 3.100] [PKTLEN......: 52.000| 1492.000| 390.500| 500.100| 250056.100| 4.000] 
@@ -535,7 +535,7 @@ detected: [....44] [ip4][..tcp] [...192.168.1.29][51444] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....43] [ip4][..tcp] [...192.168.1.29][51443] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....44] [ip4][..tcp] [...192.168.1.29][51444] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....43] [ip4][..tcp] [...192.168.1.29][51443] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....43] [ip4][..tcp] [...192.168.1.29][51443] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.042| 0.008| 0.013| 169.929| 3.400] [PKTLEN......: 52.000| 1492.000| 425.100| 548.500| 300824.400| 3.900] @@ -545,7 +545,7 @@ [IATS(ms)....: 28.7,28.8,0.1,27.4,0.6,27.9,0.8,0.7,0.3,0.1,25.9,0.0,1.1,15.2,0.0,41.9,0.0,0.1,0.1,0.1,27.2,2.9,29.9,0.3,0.0,0.2,0.2,0.2,0.8,0.0,0.9] [PKTLENS.....: 64,60,52,569,52,1492,52,1129,52,116,1469,52,52,52,91,93,52,52,76,52,660,52,1098,52,1492,704,52,1492,52,1492,726,52] [ENTROPIES...: 4.2,5.2,4.8,4.4,5.1,7.8,4.8,7.8,4.7,5.9,7.9,5.0,5.0,5.0,6.0,6.0,4.8,4.8,5.7,4.8,7.6,5.0,7.8,4.8,7.9,7.7,4.8,7.9,4.8,7.9,7.8,4.8] - analyse: [....44] [ip4][..tcp] [...192.168.1.29][51444] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....44] [ip4][..tcp] [...192.168.1.29][51444] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.099| 0.017| 0.025| 636.110| 3.600] [PKTLEN......: 52.000| 1492.000| 288.800| 419.800| 176233.300| 3.900] 
@@ -558,7 +558,7 @@ new: [....45] [ip4][..tcp] [...192.168.1.29][51449] -> [..77.111.247.69][..443] new: [....46] [ip4][..tcp] [...192.168.1.29][51450] -> [..77.111.247.69][..443] new: [....47] [ip4][..tcp] [...192.168.1.29][51451] -> [..77.111.247.69][..443] - analyse: [....42] [ip4][..tcp] [...192.168.1.29][51442] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....42] [ip4][..tcp] [...192.168.1.29][51442] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.207| 0.028| 0.058| 3307.776| 2.900] [PKTLEN......: 52.000| 1492.000| 468.700| 574.100| 329541.200| 4.000] @@ -580,7 +580,7 @@ detected: [....49] [ip4][..tcp] [...192.168.1.29][51453] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....48] [ip4][..tcp] [...192.168.1.29][51452] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....49] [ip4][..tcp] [...192.168.1.29][51453] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....45] [ip4][..tcp] [...192.168.1.29][51449] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....45] [ip4][..tcp] [...192.168.1.29][51449] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.032| 0.009| 0.012| 154.797| 3.600] [PKTLEN......: 52.000| 1492.000| 341.300| 465.200| 216385.700| 3.900] 
@@ -590,7 +590,7 @@ [IATS(ms)....: 26.4,26.4,0.1,27.0,0.5,27.4,0.9,0.9,0.3,0.0,25.9,1.2,5.1,32.0,0.1,0.1,0.1,0.1,26.0,1.6,27.4,0.1,0.1,0.3,0.3,0.3,0.1,25.5,1.3,1.3,27.7] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1459,52,52,91,52,93,76,52,591,52,1098,52,1098,52,1185,52,154,595,52,52,274,52] [ENTROPIES...: 4.2,5.2,4.7,4.5,5.0,7.8,4.8,7.8,4.7,5.8,7.9,4.9,4.9,5.9,4.8,5.9,5.7,4.8,7.6,4.9,7.8,4.7,7.8,4.7,7.8,4.7,6.3,7.6,5.0,5.1,7.2,4.8] - analyse: [....46] [ip4][..tcp] [...192.168.1.29][51450] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....46] [ip4][..tcp] [...192.168.1.29][51450] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.034| 0.008| 0.012| 146.948| 3.400] [PKTLEN......: 52.000| 1492.000| 259.000| 395.400| 156313.400| 3.900] @@ -600,7 +600,7 @@ [IATS(ms)....: 26.1,26.2,0.1,25.7,1.6,27.2,0.1,0.1,0.3,0.0,25.7,0.0,1.2,7.7,0.0,34.4,0.1,0.1,0.1,25.8,1.4,27.1,0.1,0.1,0.0,0.1,0.0,24.9,0.1,1.2,0.0] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1461,52,52,52,91,93,52,76,52,608,52,527,52,138,172,603,155,156,52,52,52,52] [ENTROPIES...: 4.2,5.1,4.7,4.4,4.9,7.8,4.7,7.8,4.7,5.9,7.9,5.0,5.0,5.1,5.9,5.8,4.7,5.5,4.7,7.7,5.1,7.6,4.7,6.2,6.7,7.6,6.5,6.5,5.0,4.9,5.0,4.9] - analyse: [....48] [ip4][..tcp] [...192.168.1.29][51452] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....48] [ip4][..tcp] [...192.168.1.29][51452] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.034| 0.009| 0.013| 163.660| 3.600] [PKTLEN......: 52.000| 1492.000| 255.100| 395.400| 156328.100| 3.800] 
@@ -613,7 +613,7 @@ new: [....50] [ip4][..tcp] [...192.168.1.29][51454] -> [..77.111.247.69][..443] detected: [....50] [ip4][..tcp] [...192.168.1.29][51454] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....50] [ip4][..tcp] [...192.168.1.29][51454] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....47] [ip4][..tcp] [...192.168.1.29][51451] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....47] [ip4][..tcp] [...192.168.1.29][51451] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.178| 0.027| 0.054| 2913.054| 2.900] [PKTLEN......: 52.000| 1492.000| 434.600| 557.900| 311277.200| 3.900] @@ -631,7 +631,7 @@ detection-update: [....51] [ip4][..tcp] [...192.168.1.29][51455] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] new: [....53] [ip4][..tcp] [...192.168.1.29][51457] -> [..77.111.247.69][..443] new: [....54] [ip4][..tcp] [...192.168.1.29][51458] -> [..77.111.247.69][..443] - analyse: [.....8] [ip4][..tcp] [...192.168.1.29][51405] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [.....8] [ip4][..tcp] [...192.168.1.29][51405] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 3.028| 0.204| 0.738| 545057.276| 1.400] [PKTLEN......: 52.000| 1492.000| 304.700| 439.900| 193493.400| 3.900] 
@@ -642,7 +642,7 @@ [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1477,52,52,91,93,52,76,52,591,52,1098,52,1098,453,52,138,253,52,148,52,52,76] [ENTROPIES...: 4.2,5.2,4.8,4.4,5.0,7.8,4.8,7.8,4.8,6.0,7.9,5.0,4.9,5.9,5.9,4.8,5.7,4.8,7.6,5.0,7.8,4.7,7.8,7.6,4.7,6.3,7.1,4.8,6.6,4.7,4.6,5.6] new: [....55] [ip4][..tcp] [...192.168.1.29][51459] -> [..77.111.247.69][..443] - analyse: [....52] [ip4][..tcp] [...192.168.1.29][51456] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....52] [ip4][..tcp] [...192.168.1.29][51456] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.029| 0.007| 0.012| 139.021| 3.300] [PKTLEN......: 52.000| 1492.000| 382.700| 493.600| 243675.800| 4.000] @@ -652,7 +652,7 @@ [IATS(ms)....: 27.0,27.1,0.3,28.1,0.3,28.1,0.3,0.3,0.3,0.1,25.7,1.2,2.7,29.2,0.0,0.1,0.1,0.1,26.0,2.2,0.0,28.1,0.2,0.2,0.1,0.0,0.1,1.8,1.9,0.2,0.1] [PKTLENS.....: 64,60,52,569,52,1492,52,1129,52,116,1467,52,52,91,52,93,76,52,591,52,1098,498,52,1098,52,1492,280,52,1031,52,154,172] [ENTROPIES...: 4.1,5.1,4.6,4.4,5.0,7.8,4.6,7.8,4.7,5.9,7.9,5.0,5.0,5.8,4.6,6.0,5.6,4.6,7.7,5.0,7.8,7.5,4.6,7.8,4.7,7.9,7.1,4.7,7.8,4.6,6.5,6.6] - analyse: [....50] [ip4][..tcp] [...192.168.1.29][51454] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....50] [ip4][..tcp] [...192.168.1.29][51454] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.189| 0.028| 0.055| 3044.153| 3.000] [PKTLEN......: 52.000| 1492.000| 416.200| 521.000| 271438.600| 4.000] 
@@ -665,7 +665,7 @@ detected: [....54] [ip4][..tcp] [...192.168.1.29][51458] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detected: [....55] [ip4][..tcp] [...192.168.1.29][51459] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....54] [ip4][..tcp] [...192.168.1.29][51458] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....51] [ip4][..tcp] [...192.168.1.29][51455] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....51] [ip4][..tcp] [...192.168.1.29][51455] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.040| 0.010| 0.014| 190.700| 3.500] [PKTLEN......: 52.000| 1492.000| 336.200| 468.300| 219266.800| 3.900] @@ -676,7 +676,7 @@ [PKTLENS.....: 64,60,52,569,52,1492,52,1127,52,116,1479,52,52,52,91,93,52,52,76,52,591,52,1098,52,1098,52,1227,52,154,172,472,52] [ENTROPIES...: 4.2,5.3,4.8,4.4,5.1,7.8,4.8,7.8,4.8,6.0,7.9,5.0,5.1,5.1,6.0,5.8,4.8,4.8,5.7,4.8,7.6,5.0,7.8,4.7,7.8,4.8,7.8,4.7,6.4,6.7,7.5,5.1] detection-update: [....55] [ip4][..tcp] [...192.168.1.29][51459] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....54] [ip4][..tcp] [...192.168.1.29][51458] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....54] [ip4][..tcp] [...192.168.1.29][51458] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.169| 0.025| 0.051| 2565.544| 2.900] [PKTLEN......: 52.000| 1492.000| 435.800| 558.300| 311649.100| 3.900] 
@@ -686,7 +686,7 @@ [IATS(ms)....: 27.1,27.2,0.1,27.6,0.4,0.1,27.8,0.1,0.2,0.1,27.9,0.0,1.2,140.1,0.0,0.1,168.9,0.0,0.1,0.2,26.1,139.2,165.0,0.2,0.1,0.2,0.0,0.1,0.3,0.3,0.2] [PKTLENS.....: 64,60,52,569,52,1492,1127,52,52,116,1471,52,52,52,91,93,76,52,52,52,629,52,1098,52,1098,52,1492,704,52,1492,52,1492] [ENTROPIES...: 4.2,5.2,4.7,4.4,4.9,7.8,7.8,4.8,4.8,5.9,7.9,5.0,5.0,5.0,5.8,6.0,5.6,4.8,4.8,4.7,7.6,5.0,7.8,4.7,7.8,4.7,7.9,7.7,4.7,7.9,4.7,7.9] - analyse: [....55] [ip4][..tcp] [...192.168.1.29][51459] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....55] [ip4][..tcp] [...192.168.1.29][51459] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.179| 0.027| 0.054| 2949.282| 2.900] [PKTLEN......: 52.000| 1492.000| 461.800| 572.200| 327423.800| 4.000] @@ -696,7 +696,7 @@ [IATS(ms)....: 27.7,27.7,0.2,27.4,1.5,28.7,0.1,0.1,0.4,0.0,26.9,0.0,152.5,0.1,179.2,0.0,0.1,0.1,26.1,150.4,176.3,0.2,0.0,0.1,0.3,0.2,0.7,0.7,0.4,0.4,0.1] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1471,52,52,91,93,52,76,52,591,52,1098,52,1492,528,52,1492,52,704,52,1492,52,1492] [ENTROPIES...: 4.1,5.2,4.8,4.3,5.1,7.8,4.8,7.8,4.8,5.8,7.9,5.0,5.0,5.9,5.9,4.7,5.6,4.7,7.5,5.0,7.8,4.7,7.8,7.5,4.7,7.9,4.7,7.7,4.7,7.9,4.7,7.9] - analyse: [....49] [ip4][..tcp] [...192.168.1.29][51453] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....49] [ip4][..tcp] [...192.168.1.29][51453] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.604| 0.075| 0.151| 22860.368| 3.100] [PKTLEN......: 52.000| 1492.000| 384.700| 500.500| 250468.600| 3.900] 
@@ -709,7 +709,7 @@ new: [....56] [ip4][..tcp] [...192.168.1.29][51460] -> [..77.111.247.69][..443] detected: [....56] [ip4][..tcp] [...192.168.1.29][51460] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....56] [ip4][..tcp] [...192.168.1.29][51460] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....56] [ip4][..tcp] [...192.168.1.29][51460] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....56] [ip4][..tcp] [...192.168.1.29][51460] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.188| 0.020| 0.046| 2094.229| 2.900] [PKTLEN......: 52.000| 1492.000| 356.800| 487.600| 237730.200| 3.900] @@ -722,7 +722,7 @@ new: [....57] [ip4][..tcp] [...192.168.1.29][51461] -> [..77.111.247.69][..443] detected: [....57] [ip4][..tcp] [...192.168.1.29][51461] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....57] [ip4][..tcp] [...192.168.1.29][51461] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....57] [ip4][..tcp] [...192.168.1.29][51461] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....57] [ip4][..tcp] [...192.168.1.29][51461] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.034| 0.008| 0.012| 144.514| 3.500] [PKTLEN......: 52.000| 1492.000| 397.200| 485.100| 235309.800| 4.000] 
@@ -735,7 +735,7 @@ new: [....58] [ip4][..tcp] [...192.168.1.29][51462] -> [..77.111.247.69][..443] detected: [....58] [ip4][..tcp] [...192.168.1.29][51462] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....58] [ip4][..tcp] [...192.168.1.29][51462] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....58] [ip4][..tcp] [...192.168.1.29][51462] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....58] [ip4][..tcp] [...192.168.1.29][51462] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.033| 0.008| 0.012| 145.944| 3.400] [PKTLEN......: 52.000| 1492.000| 372.100| 488.600| 238772.900| 3.900] @@ -754,7 +754,7 @@ detected: [....61] [ip4][..tcp] [...192.168.1.29][51465] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....60] [ip4][..tcp] [...192.168.1.29][51464] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] detection-update: [....61] [ip4][..tcp] [...192.168.1.29][51465] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] - analyse: [....59] [ip4][..tcp] [...192.168.1.29][51463] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....59] [ip4][..tcp] [...192.168.1.29][51463] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.034| 0.008| 0.012| 142.779| 3.400] [PKTLEN......: 52.000| 1492.000| 385.300| 506.900| 256960.200| 3.900] 
@@ -764,7 +764,7 @@ [IATS(ms)....: 26.9,27.0,0.1,26.1,1.5,27.4,0.1,0.1,0.2,0.1,25.7,1.2,7.6,34.1,0.1,0.0,0.1,0.1,26.1,2.8,28.8,0.3,0.3,0.9,0.9,0.3,0.0,0.3,0.5,0.1,0.1] [PKTLENS.....: 64,60,52,569,52,1492,52,1128,52,116,1469,52,52,91,52,93,76,52,591,52,1098,52,1492,52,704,52,1492,271,52,138,172,539] [ENTROPIES...: 4.2,5.2,4.6,4.4,4.9,7.8,4.7,7.8,4.7,5.9,7.9,5.0,5.0,6.0,4.8,5.9,5.6,4.8,7.6,4.9,7.8,4.6,7.9,4.6,7.7,4.6,7.9,7.2,4.6,6.3,6.5,7.6] - analyse: [....60] [ip4][..tcp] [...192.168.1.29][51464] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....60] [ip4][..tcp] [...192.168.1.29][51464] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.032| 0.009| 0.013| 162.784| 3.500] [PKTLEN......: 52.000| 1492.000| 403.100| 505.200| 255231.400| 4.000] @@ -774,7 +774,7 @@ [IATS(ms)....: 27.8,27.9,0.5,28.7,0.6,28.8,0.6,0.6,0.2,0.1,27.2,0.0,5.0,31.9,0.1,0.0,0.1,0.1,27.3,4.1,31.3,0.2,0.1,0.2,0.0,0.2,0.1,0.1,0.2,26.7,1.6] [PKTLENS.....: 64,60,52,569,52,1492,52,1127,52,116,1477,52,52,91,52,93,76,52,591,52,1098,52,1098,52,1492,704,52,830,52,148,52,1044] [ENTROPIES...: 4.1,5.2,4.6,4.4,4.9,7.8,4.7,7.8,4.7,6.0,7.9,5.0,4.9,5.9,4.7,6.0,5.7,4.7,7.6,5.0,7.8,4.7,7.8,4.7,7.9,7.7,4.7,7.8,4.7,6.3,5.0,7.8] - analyse: [....61] [ip4][..tcp] [...192.168.1.29][51465] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable][eu0.sec-tunnel.com] + analyse: [....61] [ip4][..tcp] [...192.168.1.29][51465] -> [..77.111.247.69][..443] [TLS.OperaVPN][Unknown][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.031| 0.009| 0.012| 155.373| 3.600] [PKTLEN......: 52.000| 1492.000| 343.300| 466.300| 217422.700| 3.900] diff --git a/test/results/flow-info/default/paltalk.pcapng.out b/test/results/flow-info/default/paltalk.pcapng.out new file mode 100644 index 000000000..9ebca8c3d --- /dev/null 
+++ b/test/results/flow-info/default/paltalk.pcapng.out 
@@ -0,0 +1,22 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [.192.168.88.208][51807] -> [...3.162.112.93][..443] + detected: [.....1] [ip4][..tcp] [.192.168.88.208][51807] -> [...3.162.112.93][..443] [TLS.Paltalk][AmazonAWS][Chat][Acceptable][paltalk.com] + RISK: TLS (probably) Not Carrying HTTPS + detection-update: [.....1] [ip4][..tcp] [.192.168.88.208][51807] -> [...3.162.112.93][..443] [TLS.Paltalk][AmazonAWS][Chat][Acceptable][paltalk.com] + RISK: TLS (probably) Not Carrying HTTPS + new: [.....2] [ip4][..tcp] [.158.69.169.104][.6845] -> [.192.168.88.208][51887] + detected: [.....2] [ip4][..tcp] [.158.69.169.104][.6845] -> [.192.168.88.208][51887] [Paltalk][Unknown][Chat][Acceptable] + DAEMON-EVENT: [Processed: 9 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 2 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0] + new: [.....3] [ip4][..tcp] [.192.168.88.208][50728] -> [...84.17.44.229][.7970] + detected: [.....3] [ip4][..tcp] [.192.168.88.208][50728] -> [...84.17.44.229][.7970] [Paltalk][Unknown][Chat][Acceptable] + new: [.....4] [ip4][..tcp] [.192.168.88.208][51825] -> [.44.194.181.195][...80] + detected: [.....4] [ip4][..tcp] [.192.168.88.208][51825] -> [.44.194.181.195][...80] [HTTP.Paltalk][AmazonAWS][Chat][Acceptable][qos.paltalkconnect.com] + idle: [.....2] [ip4][..tcp] [.158.69.169.104][.6845] -> [.192.168.88.208][51887] [Paltalk][Unknown][Chat][Acceptable] + idle: [.....4] [ip4][..tcp] [.192.168.88.208][51825] -> [.44.194.181.195][...80] [HTTP.Paltalk][AmazonAWS][Chat][Acceptable] + idle: [.....1] [ip4][..tcp] [.192.168.88.208][51807] -> [...3.162.112.93][..443] [TLS.Paltalk][AmazonAWS][Chat][Acceptable] + RISK: TLS (probably) Not Carrying HTTPS + idle: [.....3] [ip4][..tcp] [.192.168.88.208][50728] -> [...84.17.44.229][.7970] 
[Paltalk][Unknown][Chat][Acceptable] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/pinterest.pcap.out b/test/results/flow-info/default/pinterest.pcap.out index 476c7c3cb..64f6de286 100644 --- a/test/results/flow-info/default/pinterest.pcap.out +++ b/test/results/flow-info/default/pinterest.pcap.out @@ -44,7 +44,7 @@ new: [....10] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33156] -> [.....................64:ff9b::9765:7854][..443] [MIDSTREAM] new: [....11] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58726] -> [...............2a00:1450:4007:80b::2002][..443] [MIDSTREAM] new: [....12] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][34626] -> [.....................64:ff9b::acd9:13e2][..443] [MIDSTREAM] - analyse: [.....4] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38512] -> [.......................2a04:4e42:1d::84][..443] [TLS.Pinterest][Unknown][SocialNetwork][Fun][s.pinimg.com] + analyse: [.....4] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38512] -> [.......................2a04:4e42:1d::84][..443] [TLS.Pinterest][Unknown][SocialNetwork][Fun] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.054| 0.008| 0.015| 217.895| 3.000] [PKTLEN......: 72.000| 1460.000| 381.000| 486.900| 237029.200| 4.100] 
@@ -62,7 +62,7 @@ new: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33280] -> [.....................64:ff9b::9765:7854][..443] detection-update: [....14] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40694] -> [...............2a00:1450:4007:816::2004][..443] [TLS.Google][Google][Web][Acceptable][www.google.com] detected: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33280] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][Unknown][SocialNetwork][Fun][accounts.pinterest.com] - analyse: [....14] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40694] -> [...............2a00:1450:4007:816::2004][..443] [TLS.Google][Google][Web][Acceptable][www.google.com] + analyse: [....14] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40694] -> [...............2a00:1450:4007:816::2004][..443] [TLS.Google][Google][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.044| 0.009| 0.014| 192.210| 3.400] [PKTLEN......: 72.000| 1280.000| 251.000| 327.800| 107441.100| 4.100] 
@@ -75,7 +75,7 @@ detection-update: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33280] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][Unknown][SocialNetwork][Fun][accounts.pinterest.com] detection-update: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33280] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][Unknown][SocialNetwork][Fun][accounts.pinterest.com] new: [....16] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57050] -> [......................2a04:4e42:1d::720][..443] - analyse: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47032] -> [......................2600:1901::7a0b::][..443] [TLS][GoogleCloud][Web][Safe][sessions.bugsnag.com] + analyse: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47032] -> [......................2600:1901::7a0b::][..443] [TLS][GoogleCloud][Web][Safe] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.133| 0.015| 0.030| 874.849| 3.100] [PKTLEN......: 72.000| 1280.000| 309.400| 401.100| 160869.700| 4.100] 
@@ -117,7 +117,7 @@ detected: [....19] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51292] -> [.........2a03:2880:f030:13:face:b00c::3][..443] [TLS.Facebook][Facebook][SocialNetwork][Fun][connect.facebook.net] detection-update: [....18] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54416] -> [...............2a00:1450:4007:806::200e][..443] [TLS.Google][Google][Web][Acceptable][apis.google.com] detection-update: [....19] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51292] -> [.........2a03:2880:f030:13:face:b00c::3][..443] [TLS.Facebook][Facebook][SocialNetwork][Fun][connect.facebook.net] - analyse: [....19] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51292] -> [.........2a03:2880:f030:13:face:b00c::3][..443] [TLS.Facebook][Facebook][SocialNetwork][Fun][connect.facebook.net] + analyse: [....19] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51292] -> [.........2a03:2880:f030:13:face:b00c::3][..443] [TLS.Facebook][Facebook][SocialNetwork][Fun] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.093| 0.011| 0.022| 473.126| 3.000] [PKTLEN......: 72.000| 1452.000| 271.000| 368.400| 135732.300| 4.100] 
@@ -151,7 +151,7 @@ new: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40894] -> [...............2a00:1450:4007:816::200d][..443] detected: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40894] -> [...............2a00:1450:4007:816::200d][..443] [TLS.Google][Google][Web][Acceptable][accounts.google.com] detection-update: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40894] -> [...............2a00:1450:4007:816::200d][..443] [TLS.Google][Google][Web][Acceptable][accounts.google.com] - analyse: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47790] -> [...............2a00:1450:4007:816::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable][content-autofill.googleapis.com] + analyse: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47790] -> [...............2a00:1450:4007:816::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 1.486| 0.062| 0.261| 67965.321| 1.600] [PKTLEN......: 72.000| 1280.000| 238.100| 317.700| 100919.600| 4.100] 
@@ -161,7 +161,7 @@ [IATS(ms)....: 55.5,55.6,2.6,45.1,17.8,0.0,60.2,0.0,0.3,0.3,9.4,2.5,0.6,42.9,0.0,0.2,0.0,30.6,0.2,14.9,14.7,23.0,0.0,23.0,0.0,0.1,0.0,0.1,1.6,29.4,1485.9] [PKTLENS.....: 80,80,72,589,72,1280,1280,72,72,573,72,136,164,444,72,72,72,652,72,103,103,72,462,135,72,72,111,72,72,111,72,237] [ENTROPIES...: 4.8,5.2,5.1,4.7,5.0,7.8,7.8,5.2,5.2,7.6,5.2,6.1,6.5,7.5,5.1,5.1,5.1,7.6,5.2,5.8,5.7,5.2,7.5,6.2,5.2,5.2,5.9,5.1,5.2,6.0,5.1,6.9] - analyse: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40894] -> [...............2a00:1450:4007:816::200d][..443] [TLS.Google][Google][Web][Acceptable][accounts.google.com] + analyse: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40894] -> [...............2a00:1450:4007:816::200d][..443] [TLS.Google][Google][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.043| 0.009| 0.013| 168.080| 3.500] [PKTLEN......: 72.000| 1280.000| 418.800| 492.400| 242485.900| 4.100] 
@@ -189,7 +189,7 @@ detection-update: [....35] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38546] -> [.......................2a04:4e42:1d::84][..443] [TLS.Pinterest][Unknown][SocialNetwork][Fun][assets.pinterest.com] detection-update: [....35] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38546] -> [.......................2a04:4e42:1d::84][..443] [TLS.Pinterest][Unknown][SocialNetwork][Fun][assets.pinterest.com] detection-update: [....36] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][45126] -> [...............2a00:1450:4007:80a::200e][..443] [TLS.Google][Google][Advertisement][Acceptable][www.google-analytics.com] - analyse: [....36] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][45126] -> [...............2a00:1450:4007:80a::200e][..443] [TLS.Google][Google][Advertisement][Acceptable][www.google-analytics.com] + analyse: [....36] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][45126] -> [...............2a00:1450:4007:80a::200e][..443] [TLS.Google][Google][Advertisement][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.157| 0.016| 0.035| 1243.837| 2.700] [PKTLEN......: 72.000| 1280.000| 413.000| 486.700| 236885.800| 4.100] diff --git a/test/results/flow-info/default/portable_executable.pcap.out b/test/results/flow-info/default/portable_executable.pcap.out index faed0371e..66d6ab09d 100644 --- a/test/results/flow-info/default/portable_executable.pcap.out +++ b/test/results/flow-info/default/portable_executable.pcap.out @@ -7,6 +7,6 @@ RISK: Binary App Transfer, Susp Entropy idle: [.....1] [ip4][..tcp] [..172.16.99.201][.1732] -> [..64.227.107.71][.4444] guessed: [.....2] [ip4][..tcp] [..64.227.107.71][...53] -> [...172.16.99.10][49652] [DNS][Unknown][Network][Acceptable][] - RISK: Binary App Transfer, Malformed Packet, Susp Entropy + RISK: Binary App Transfer, Susp Entropy idle: [.....2] [ip4][..tcp] [..64.227.107.71][...53] -> [...172.16.99.10][49652] DAEMON-EVENT: shutdown 
diff --git a/test/results/flow-info/default/quic_sh.pcap.out b/test/results/flow-info/default/quic_sh.pcap.out new file mode 100644 index 000000000..7dadeafa6 --- /dev/null +++ b/test/results/flow-info/default/quic_sh.pcap.out @@ -0,0 +1,19 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip6][..udp] [...2001:b07:a3d:c112:91b7:b97e:6e2:fad8][37542] -> [.................2606:4700:7::a29f:9804][..443] + detected: [.....1] [ip6][..udp] [...2001:b07:a3d:c112:91b7:b97e:6e2:fad8][37542] -> [.................2606:4700:7::a29f:9804][..443] [QUIC][Cloudflare][Web][Acceptable] + RISK: Susp Entropy + new: [.....2] [ip6][..udp] [...............2a00:1450:4002:411::200e][..443] -> [...2001:b07:a3d:c112:91b7:b97e:6e2:fad8][33144] + detected: [.....2] [ip6][..udp] [...............2a00:1450:4002:411::200e][..443] -> [...2001:b07:a3d:c112:91b7:b97e:6e2:fad8][33144] [QUIC][Google][Web][Acceptable] + RISK: Susp Entropy + new: [.....3] [ip4][..udp] [..192.168.1.245][40408] -> [..13.226.175.53][..443] + detected: [.....3] [ip4][..udp] [..192.168.1.245][40408] -> [..13.226.175.53][..443] [QUIC][AmazonAWS][Web][Acceptable] + RISK: Unidirectional Traffic + idle: [.....3] [ip4][..udp] [..192.168.1.245][40408] -> [..13.226.175.53][..443] [QUIC][AmazonAWS][Web][Acceptable] + RISK: Unidirectional Traffic + idle: [.....1] [ip6][..udp] [...2001:b07:a3d:c112:91b7:b97e:6e2:fad8][37542] -> [.................2606:4700:7::a29f:9804][..443] [QUIC][Cloudflare][Web][Acceptable] + RISK: Susp Entropy + idle: [.....2] [ip6][..udp] [...............2a00:1450:4002:411::200e][..443] -> [...2001:b07:a3d:c112:91b7:b97e:6e2:fad8][33144] [QUIC][Google][Web][Acceptable] + RISK: Susp Entropy + DAEMON-EVENT: shutdown 
diff --git a/test/results/flow-info/default/rdp_over_tls.pcap.out b/test/results/flow-info/default/rdp_over_tls.pcap.out new file mode 100644 index 000000000..8a97a21d0 --- /dev/null +++ b/test/results/flow-info/default/rdp_over_tls.pcap.out @@ -0,0 +1,13 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1][..77] [ip4][..tcp] [..91.238.181.21][35888] -> [....89.31.79.12][.3389] + detected: [.....1][..77] [ip4][..tcp] [..91.238.181.21][35888] -> [....89.31.79.12][.3389] [RDP][Unknown][RemoteAccess][Acceptable] + RISK: Desktop/File Sharing + detection-update: [.....1][..77] [ip4][..tcp] [..91.238.181.21][35888] -> [....89.31.79.12][.3389] [TLS.RDP][Unknown][RemoteAccess][Acceptable][] + RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Desktop/File Sharing + detection-update: [.....1][..77] [ip4][..tcp] [..91.238.181.21][35888] -> [....89.31.79.12][.3389] [TLS.RDP][Unknown][RemoteAccess][Acceptable][] + RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Desktop/File Sharing + end: [.....1][..77] [ip4][..tcp] [..91.238.181.21][35888] -> [....89.31.79.12][.3389] [TLS.RDP][Unknown][RemoteAccess][Acceptable] + RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Desktop/File Sharing + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/reddit.pcap.out b/test/results/flow-info/default/reddit.pcap.out index 43f2cd972..849971155 100644 --- a/test/results/flow-info/default/reddit.pcap.out +++ b/test/results/flow-info/default/reddit.pcap.out 
@@ -15,7 +15,7 @@ detected: [.....4] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56560] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][Unknown][SocialNetwork][Fun][www.reddit.com] detection-update: [.....4] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56560] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][Unknown][SocialNetwork][Fun][www.reddit.com] detection-update: [.....4] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56560] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][Unknown][SocialNetwork][Fun][www.reddit.com] - analyse: [.....1] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40028] -> [...............2a00:1450:4007:80a::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable][safebrowsing.googleapis.com] + analyse: [.....1] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40028] -> [...............2a00:1450:4007:80a::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.076| 0.013| 0.023| 533.820| 3.200] [PKTLEN......: 72.000| 1280.000| 281.100| 342.100| 117045.100| 4.200] 
@@ -122,7 +122,7 @@ detection-update: [....22] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][50960] -> [...............2a00:1450:4007:805::2002][..443] [TLS.GoogleServices][Google][Web][Acceptable][www.googletagservices.com] detection-update: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43492] -> [......................64:ff9b::df9:21c6][..443] [TLS.Amazon][Unknown][Web][Acceptable][c.amazon-adsystem.com] detection-update: [....24] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38320] -> [.....................64:ff9b::6853:b3b6][..443] [TLS][Unknown][Web][Safe][c.aaxads.com] - analyse: [....22] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][50960] -> [...............2a00:1450:4007:805::2002][..443] [TLS.GoogleServices][Google][Web][Acceptable][www.googletagservices.com] + analyse: [....22] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][50960] -> [...............2a00:1450:4007:805::2002][..443] [TLS.GoogleServices][Google][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.044| 0.008| 0.014| 200.596| 3.100] [PKTLEN......: 72.000| 1280.000| 422.500| 490.000| 240053.700| 4.100] 
@@ -153,7 +153,7 @@ detected: [....27] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39520] -> [...............2a00:1450:4007:816::2008][..443] [TLS.GoogleServices][Google][Web][Acceptable][www.googletagmanager.com] detection-update: [....27] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39520] -> [...............2a00:1450:4007:816::2008][..443] [TLS.GoogleServices][Google][Web][Acceptable][www.googletagmanager.com] new: [....28] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][32970] -> [.....................64:ff9b::6853:b3d1][..443] - analyse: [....27] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39520] -> [...............2a00:1450:4007:816::2008][..443] [TLS.GoogleServices][Google][Web][Acceptable][www.googletagmanager.com] + analyse: [....27] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39520] -> [...............2a00:1450:4007:816::2008][..443] [TLS.GoogleServices][Google][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.044| 0.008| 0.014| 205.550| 3.200] [PKTLEN......: 72.000| 1280.000| 415.800| 486.500| 236643.500| 4.100] 
@@ -201,7 +201,7 @@ detection-update: [....34] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51100] -> [.....................64:ff9b::d83a:d1e6][..443] [TLS.Google][Unknown][Advertisement][Acceptable][ad.doubleclick.net] detection-update: [....35] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51102] -> [.....................64:ff9b::d83a:d1e6][..443] [TLS.Google][Unknown][Advertisement][Acceptable][ad.doubleclick.net] detection-update: [....36] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56186] -> [...2600:9000:219c:ee00:6:44e3:f8c0:93a1][..443] [TLS][AmazonAWS][Web][Safe][rules.quantcount.com] - analyse: [....34] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51100] -> [.....................64:ff9b::d83a:d1e6][..443] [TLS.Google][Unknown][Advertisement][Acceptable][ad.doubleclick.net] + analyse: [....34] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51100] -> [.....................64:ff9b::d83a:d1e6][..443] [TLS.Google][Unknown][Advertisement][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.043| 0.011| 0.015| 223.794| 3.600] [PKTLEN......: 72.000| 1460.000| 250.000| 362.600| 131502.000| 4.000] 
@@ -228,7 +228,7 @@ new: [....39] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57282] -> [...............2a00:1450:4007:805::2004][..443] detected: [....38] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54726] -> [...............2a00:1450:4007:808::2006][..443] [TLS.Google][Google][Advertisement][Acceptable][static.doubleclick.net] detected: [....39] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57282] -> [...............2a00:1450:4007:805::2004][..443] [TLS.Google][Google][Web][Acceptable][www.google.com] - analyse: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39736] -> [.....2606:2800:134:1a0d:1429:742:782:b6][..443] [TLS.Twitter][Edgecast][SocialNetwork][Fun][cdn.syndication.twimg.com] + analyse: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39736] -> [.....2606:2800:134:1a0d:1429:742:782:b6][..443] [TLS.Twitter][Edgecast][SocialNetwork][Fun] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.051| 0.012| 0.018| 319.203| 3.500] [PKTLEN......: 72.000| 1280.000| 307.800| 396.400| 157103.100| 4.100] 
@@ -247,7 +247,7 @@ detected: [....42] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47302] -> [...............2a00:1450:4007:80c::2003][..443] [TLS.Google][Google][Web][Acceptable][fonts.gstatic.com] detected: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47304] -> [...............2a00:1450:4007:80c::2003][..443] [TLS.Google][Google][Web][Acceptable][fonts.gstatic.com] detected: [....40] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58122] -> [...............2a00:1450:4007:805::2001][..443] [TLS.YouTube][Google][Media][Fun][yt3.ggpht.com] - analyse: [....39] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57282] -> [...............2a00:1450:4007:805::2004][..443] [TLS.Google][Google][Web][Acceptable][www.google.com] + analyse: [....39] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57282] -> [...............2a00:1450:4007:805::2004][..443] [TLS.Google][Google][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.062| 0.009| 0.018| 308.294| 3.000] [PKTLEN......: 72.000| 1280.000| 412.800| 483.300| 233579.900| 4.100] 
@@ -262,7 +262,7 @@ detection-update: [....41] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][52296] -> [...............2a00:1450:4007:815::2016][..443] [TLS.YouTube][Google][Media][Fun][i.ytimg.com] detection-update: [....42] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47302] -> [...............2a00:1450:4007:80c::2003][..443] [TLS.Google][Google][Web][Acceptable][fonts.gstatic.com] detection-update: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47304] -> [...............2a00:1450:4007:80c::2003][..443] [TLS.Google][Google][Web][Acceptable][fonts.gstatic.com] - analyse: [....40] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58122] -> [...............2a00:1450:4007:805::2001][..443] [TLS.YouTube][Google][Media][Fun][yt3.ggpht.com] + analyse: [....40] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58122] -> [...............2a00:1450:4007:805::2001][..443] [TLS.YouTube][Google][Media][Fun] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.069| 0.011| 0.023| 518.376| 2.800] [PKTLEN......: 72.000| 1280.000| 385.700| 459.200| 210886.500| 4.100] 
@@ -299,7 +299,7 @@ detection-update: [....48] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][59624] -> [...............2a00:1450:4007:80b::2001][..443] [TLS.Google][Google][Advertisement][Acceptable][8a755a3fef0b189d8ab5b0d10758f68a.safeframe.googlesyndication.com] detection-update: [....47] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46646] -> [.....................64:ff9b::345f:7ca5][..443] [TLS.Amazon][Unknown][Web][Acceptable][aax-eu.amazon-adsystem.com] detection-update: [....47] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46646] -> [.....................64:ff9b::345f:7ca5][..443] [TLS.Amazon][Unknown][Web][Acceptable][aax-eu.amazon-adsystem.com] - analyse: [....46] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][59336] -> [...............2a00:1450:4007:80b::2002][..443] [TLS.Google][Google][Advertisement][Acceptable][adservice.google.com] + analyse: [....46] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][59336] -> [...............2a00:1450:4007:80b::2002][..443] [TLS.Google][Google][Advertisement][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.046| 0.008| 0.012| 155.374| 3.400] [PKTLEN......: 72.000| 1280.000| 280.100| 371.700| 138197.800| 4.100] 
@@ -309,7 +309,7 @@ [IATS(ms)....: 18.5,18.6,0.4,37.2,9.0,0.0,0.0,0.0,45.9,0.0,0.0,0.0,8.7,0.4,0.3,33.6,0.0,0.1,1.2,0.0,25.4,0.0,0.5,7.3,0.0,0.0,6.8,0.0,0.0,3.7,20.5] [PKTLENS.....: 80,80,72,589,72,1280,1280,1280,273,72,72,72,72,136,164,349,72,72,72,652,103,72,72,103,775,516,111,72,72,72,111,72] [ENTROPIES...: 4.8,5.3,5.2,4.6,5.1,7.8,7.8,7.8,7.0,5.2,5.2,5.2,5.2,6.3,6.6,7.3,5.1,5.1,5.1,7.6,5.7,5.3,5.3,5.9,7.7,7.6,5.9,5.2,5.2,5.2,6.0,5.0] - analyse: [....48] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][59624] -> [...............2a00:1450:4007:80b::2001][..443] [TLS.Google][Google][Advertisement][Acceptable][8a755a3fef0b189d8ab5b0d10758f68a.safeframe.googlesyndication.com] + analyse: [....48] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][59624] -> [...............2a00:1450:4007:80b::2001][..443] [TLS.Google][Google][Advertisement][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.034| 0.007| 0.011| 127.134| 3.400] [PKTLEN......: 72.000| 1280.000| 323.800| 408.200| 166632.700| 4.100] 
@@ -350,7 +350,7 @@ detection-update: [....56] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][36966] -> [...............2a00:1450:4007:80f::2001][..443] [TLS.Google][Google][Advertisement][Acceptable][tpc.googlesyndication.com] detection-update: [....58] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][36970] -> [...............2a00:1450:4007:80f::2001][..443] [TLS.Google][Google][Advertisement][Acceptable][tpc.googlesyndication.com] detection-update: [....57] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][36968] -> [...............2a00:1450:4007:80f::2001][..443] [TLS.Google][Google][Advertisement][Acceptable][tpc.googlesyndication.com] - analyse: [....55] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][36964] -> [...............2a00:1450:4007:80f::2001][..443] [TLS.Google][Google][Advertisement][Acceptable][tpc.googlesyndication.com] + analyse: [....55] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][36964] -> [...............2a00:1450:4007:80f::2001][..443] [TLS.Google][Google][Advertisement][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.046| 0.009| 0.014| 200.064| 3.400] [PKTLEN......: 72.000| 1280.000| 320.900| 398.400| 158685.900| 4.100] 
@@ -360,7 +360,7 @@ [IATS(ms)....: 29.5,29.5,0.1,39.8,6.2,0.0,0.0,45.9,0.0,0.0,16.6,7.4,0.9,0.2,45.4,0.2,20.4,0.5,14.7,1.9,0.0,0.0,16.1,2.9,0.0,0.0,3.0,0.0,0.0,1.6,0.0] [PKTLENS.....: 80,80,72,589,72,1280,1280,311,72,72,72,136,164,391,375,72,652,72,103,72,103,72,72,72,551,398,207,72,72,72,1280,1280] [ENTROPIES...: 4.9,5.3,5.2,4.6,5.1,7.8,7.9,7.2,5.2,5.2,5.1,6.1,6.5,7.4,7.3,5.0,7.7,5.2,5.8,5.1,5.8,5.0,5.0,5.1,7.6,7.4,6.7,5.2,5.2,5.1,7.8,7.8] - analyse: [....54] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38166] -> [...............2a00:1450:4007:811::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable][fonts.googleapis.com] + analyse: [....54] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38166] -> [...............2a00:1450:4007:811::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.044| 0.010| 0.013| 181.589| 3.600] [PKTLEN......: 72.000| 1280.000| 270.100| 336.600| 113301.500| 4.200] 
@@ -426,14 +426,14 @@ idle: [....32] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48648] -> [...2620:116:800d:21:f916:5049:f87f:108e][..443] [TLS][Unknown][Web][Safe][secure.quantserve.com] idle: [....54] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38166] -> [...............2a00:1450:4007:811::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable][fonts.googleapis.com] idle: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43492] -> [......................64:ff9b::df9:21c6][..443] [TLS.Amazon][Unknown][Web][Acceptable][c.amazon-adsystem.com] - idle: [....38] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54726] -> [...............2a00:1450:4007:808::2006][..443] [TLS.Google][Google][Advertisement][Acceptable][static.doubleclick.net] + idle: [....38] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54726] -> [...............2a00:1450:4007:808::2006][..443] [TLS.Google][Google][Advertisement][Acceptable] idle: [....31] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54862] -> [...............2a00:1450:4007:806::200e][..443] [TLS.YouTube][Google][Media][Fun] - idle: [....30] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39626] -> [.....................64:ff9b::2278:cf94][..443] [TLS][Unknown][Web][Safe][id.rlcdn.com] - idle: [....49] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46806] -> [...............2a00:1450:4007:808::2001][..443] [TLS.Google][Google][Web][Acceptable][cdn.ampproject.org] + idle: [....30] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39626] -> [.....................64:ff9b::2278:cf94][..443] [TLS][Unknown][Web][Safe] + idle: [....49] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46806] -> [...............2a00:1450:4007:808::2001][..443] [TLS.Google][Google][Web][Acceptable] end: [....50] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46808] -> [...............2a00:1450:4007:808::2001][..443] [TLS.Google][Google][Web][Acceptable] end: [....51] 
[ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46810] -> [...............2a00:1450:4007:808::2001][..443] [TLS.Google][Google][Web][Acceptable] end: [....52] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46812] -> [...............2a00:1450:4007:808::2001][..443] [TLS.Google][Google][Web][Acceptable] end: [....53] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46814] -> [...............2a00:1450:4007:808::2001][..443] [TLS.Google][Google][Web][Acceptable] idle: [....22] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][50960] -> [...............2a00:1450:4007:805::2002][..443] [TLS.GoogleServices][Google][Web][Acceptable][www.googletagservices.com] - idle: [....45] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51006] -> [...............2a00:1450:4007:805::2002][..443] [TLS.Google][Google][Web][Acceptable][adservice.google.fr] + idle: [....45] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51006] -> [...............2a00:1450:4007:805::2002][..443] [TLS.Google][Google][Web][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/rtmp.pcap.out b/test/results/flow-info/default/rtmp.pcap.out index b4f4d4534..e5f2ef925 100644 --- a/test/results/flow-info/default/rtmp.pcap.out +++ b/test/results/flow-info/default/rtmp.pcap.out 
@@ -3,5 +3,39 @@ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....1] [ip4][..tcp] [...192.168.43.1][.1177] -> [.192.168.43.128][.1935] detected: [.....1] [ip4][..tcp] [...192.168.43.1][.1177] -> [.192.168.43.128][.1935] [RTMP][Unknown][Media][Acceptable] + DAEMON-EVENT: [Processed: 26 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + ERROR-EVENT: Unknown packet type [1/16] + ERROR-EVENT: Unknown packet type [2/16] + ERROR-EVENT: Unknown packet type [3/16] + ERROR-EVENT: Unknown packet type [4/16] + ERROR-EVENT: Unknown packet type [5/16] + ERROR-EVENT: Unknown packet type [6/16] + ERROR-EVENT: Unknown packet type [7/16] + ERROR-EVENT: Unknown packet type [8/16] + ERROR-EVENT: Unknown packet type [9/16] + ERROR-EVENT: Unknown packet type [10/16] + ERROR-EVENT: Unknown packet type [11/16] + ERROR-EVENT: Unknown packet type [12/16] + ERROR-EVENT: Unknown packet type [13/16] + ERROR-EVENT: Unknown packet type [14/16] + ERROR-EVENT: Unknown packet type [15/16] + ERROR-EVENT: Unknown packet type [16/16] + ERROR-EVENT: Unknown packet type [1/16] + ERROR-EVENT: Unknown packet type [2/16] + ERROR-EVENT: Unknown packet type [3/16] + ERROR-EVENT: Unknown packet type [4/16] + ERROR-EVENT: Unknown packet type [5/16] + ERROR-EVENT: Unknown packet type [6/16] + ERROR-EVENT: Unknown packet type [7/16] + ERROR-EVENT: Unknown packet type [8/16] + ERROR-EVENT: Unknown packet type [9/16] + ERROR-EVENT: Unknown packet type [10/16] + ERROR-EVENT: Unknown packet type [11/16] + ERROR-EVENT: Unknown packet type [12/16] + ERROR-EVENT: Unknown packet type [13/16] + ERROR-EVENT: Unknown packet type [14/16] + ERROR-EVENT: Unknown packet type [15/16] + ERROR-EVENT: Unknown packet type [16/16] idle: [.....1] [ip4][..tcp] [...192.168.43.1][.1177] -> [.192.168.43.128][.1935] [RTMP][Unknown][Media][Acceptable] DAEMON-EVENT: shutdown 
diff --git a/test/results/flow-info/default/safari.pcap.out b/test/results/flow-info/default/safari.pcap.out index ce6ccc9f9..e1c5e434e 100644 --- a/test/results/flow-info/default/safari.pcap.out +++ b/test/results/flow-info/default/safari.pcap.out @@ -30,7 +30,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [.....6] [ip4][..tcp] [..192.168.1.178][55269] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] RISK: TLS (probably) Not Carrying HTTPS - analyse: [.....4] [ip4][..tcp] [..192.168.1.178][55267] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] + analyse: [.....4] [ip4][..tcp] [..192.168.1.178][55267] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.119| 0.018| 0.029| 823.374| 3.500] [PKTLEN......: 52.000| 1492.000| 618.000| 660.500| 436248.100| 4.100] 
@@ -45,15 +45,15 @@ detection-update: [.....7] [ip4][..tcp] [..192.168.1.178][55285] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] detection-update: [.....7] [ip4][..tcp] [..192.168.1.178][55285] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] idle: [.....1] [ip4][..tcp] [..192.168.1.178][55262] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] - idle: [.....2] [ip4][..tcp] [..192.168.1.178][55265] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] + idle: [.....2] [ip4][..tcp] [..192.168.1.178][55265] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] RISK: TLS (probably) Not Carrying HTTPS - idle: [.....3] [ip4][..tcp] [..192.168.1.178][55266] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] + idle: [.....3] [ip4][..tcp] [..192.168.1.178][55266] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] RISK: TLS (probably) Not Carrying HTTPS idle: [.....4] [ip4][..tcp] [..192.168.1.178][55267] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] RISK: TLS (probably) Not Carrying HTTPS - idle: [.....5] [ip4][..tcp] [..192.168.1.178][55268] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] + idle: [.....5] [ip4][..tcp] [..192.168.1.178][55268] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] RISK: TLS (probably) Not Carrying HTTPS - idle: [.....6] [ip4][..tcp] [..192.168.1.178][55269] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe][www.iit.cnr.it] + idle: [.....6] [ip4][..tcp] [..192.168.1.178][55269] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] RISK: TLS (probably) Not Carrying HTTPS idle: [.....7] [ip4][..tcp] [..192.168.1.178][55285] -> [...146.48.58.18][..443] [TLS][Unknown][Web][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/signal.pcap.out b/test/results/flow-info/default/signal.pcap.out index 736512cc4..f57521301 100644 --- a/test/results/flow-info/default/signal.pcap.out 
+++ b/test/results/flow-info/default/signal.pcap.out @@ -18,7 +18,7 @@ detected: [.....5] [ip4][..tcp] [...192.168.2.17][57019] -> [.34.225.240.173][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] detected: [.....7] [ip4][..tcp] [...192.168.2.17][57021] -> [.34.225.240.173][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] detected: [.....6] [ip4][..tcp] [...192.168.2.17][57020] -> [.34.225.240.173][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] - analyse: [.....4] [ip4][..tcp] [...192.168.2.17][57018] -> [....23.57.24.16][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun][itunes.apple.com] + analyse: [.....4] [ip4][..tcp] [...192.168.2.17][57018] -> [....23.57.24.16][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.052| 0.012| 0.020| 399.390| 3.200] [PKTLEN......: 52.000| 1492.000| 413.300| 522.500| 272968.600| 4.000] @@ -61,7 +61,7 @@ detected: [....13] [ip4][..tcp] [...192.168.2.17][57023] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] detected: [....14] [ip4][..tcp] [...192.168.2.17][57024] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] detected: [....15] [ip4][..tcp] [...192.168.2.17][57025] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] - analyse: [....11] [ip4][..tcp] [...192.168.2.17][57022] -> [....23.57.24.16][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun][itunes.apple.com] + analyse: [....11] [ip4][..tcp] [...192.168.2.17][57022] -> [....23.57.24.16][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.101| 0.015| 0.025| 625.062| 3.300] [PKTLEN......: 52.000| 1492.000| 431.700| 520.400| 270842.400| 4.100] 
@@ -85,7 +85,7 @@ detected: [....17] [ip4][..tcp] [...192.168.2.17][57026] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] detection-update: [....17] [ip4][..tcp] [...192.168.2.17][57026] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] detection-update: [....17] [ip4][..tcp] [...192.168.2.17][57026] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] - analyse: [....17] [ip4][..tcp] [...192.168.2.17][57026] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] + analyse: [....17] [ip4][..tcp] [...192.168.2.17][57026] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.115| 0.033| 0.050| 2490.513| 3.300] [PKTLEN......: 52.000| 1492.000| 519.200| 606.200| 367455.800| 4.100] 
@@ -121,12 +121,12 @@ end: [....18] [ip4][..tcp] [....23.57.24.16][..443] -> [...192.168.2.17][57016] [TLS][Unknown][Web][Safe] end: [.....4] [ip4][..tcp] [...192.168.2.17][57018] -> [....23.57.24.16][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun][itunes.apple.com] end: [....11] [ip4][..tcp] [...192.168.2.17][57022] -> [....23.57.24.16][..443] [TLS.AppleiTunes][Unknown][Streaming][Fun][itunes.apple.com] - end: [.....5] [ip4][..tcp] [...192.168.2.17][57019] -> [.34.225.240.173][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] - end: [.....6] [ip4][..tcp] [...192.168.2.17][57020] -> [.34.225.240.173][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] - end: [.....7] [ip4][..tcp] [...192.168.2.17][57021] -> [.34.225.240.173][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] - idle: [....13] [ip4][..tcp] [...192.168.2.17][57023] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] - idle: [....14] [ip4][..tcp] [...192.168.2.17][57024] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] - idle: [....15] [ip4][..tcp] [...192.168.2.17][57025] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] + end: [.....5] [ip4][..tcp] [...192.168.2.17][57019] -> [.34.225.240.173][..443] [TLS.Signal][AmazonAWS][Chat][Fun] + end: [.....6] [ip4][..tcp] [...192.168.2.17][57020] -> [.34.225.240.173][..443] [TLS.Signal][AmazonAWS][Chat][Fun] + end: [.....7] [ip4][..tcp] [...192.168.2.17][57021] -> [.34.225.240.173][..443] [TLS.Signal][AmazonAWS][Chat][Fun] + idle: [....13] [ip4][..tcp] [...192.168.2.17][57023] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun] + idle: [....14] [ip4][..tcp] [...192.168.2.17][57024] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun] + idle: [....15] [ip4][..tcp] [...192.168.2.17][57025] -> 
[....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun] idle: [....17] [ip4][..tcp] [...192.168.2.17][57026] -> [....35.169.3.40][..443] [TLS.Signal][AmazonAWS][Chat][Fun][textsecure-service.whispersystems.org] end: [.....9] [ip4][..tcp] [...192.168.2.17][57017] -> [...2.18.232.118][..443] [TLS][Unknown][Web][Safe] end: [.....3] [ip4][..tcp] [...192.168.2.17][49226] -> [.34.225.240.173][..443] [TLS.Signal][AmazonAWS][Chat][Fun] diff --git a/test/results/flow-info/default/sites.pcapng.out b/test/results/flow-info/default/sites.pcapng.out index 1874af900..3c5d4ff5d 100644 --- a/test/results/flow-info/default/sites.pcapng.out +++ b/test/results/flow-info/default/sites.pcapng.out @@ -260,7 +260,7 @@ detected: [....52] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48624] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable][telegram.me] detection-update: [....51] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48616] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable][t.me] detection-update: [....52] [ip6][..tcp] [..2001:b07:a3d:c112:9a00:ba78:86b1:e177][48624] -> [...................2001:67c:4e8:f004::9][..443] [TLS.Telegram][Telegram][Chat][Acceptable][telegram.me] - end: [....48] [ip4][..tcp] [..192.168.1.245][49558] -> [..80.158.42.215][..443] [TLS.HuaweiCloud][Unknown][Cloud][Acceptable][id7.cloud.huawei.com] + end: [....48] [ip4][..tcp] [..192.168.1.245][49558] -> [..80.158.42.215][..443] [TLS.HuaweiCloud][Unknown][Cloud][Acceptable] idle: [....47] [ip4][..tcp] [..192.168.1.245][54690] -> [.160.44.196.198][..443] [TLS.HuaweiCloud][Unknown][Cloud][Acceptable] idle: [....49] [ip6][..tcp] [...2001:b07:a3d:c112:c044:a6d4:80d:5d55][39970] -> [...2600:9000:25ea:1200:1:12d8:5a00:93a1][..443] [TLS.HuaweiCloud][AmazonAWS][Cloud][Acceptable] DAEMON-EVENT: [Processed: 584 pkts][ZLib][compressions: 0|diff: 0 / 0] 
@@ -325,6 +325,6 @@ new: [....64] [ip4][..tcp] [..192.168.1.183][44102] -> [..146.70.182.51][..443] detected: [....64] [ip4][..tcp] [..192.168.1.183][44102] -> [..146.70.182.51][..443] [TLS.SurfShark][Unknown][VPN][Acceptable][it-mil-v086.prod.surfshark.com] detection-update: [....64] [ip4][..tcp] [..192.168.1.183][44102] -> [..146.70.182.51][..443] [TLS.SurfShark][Unknown][VPN][Acceptable][it-mil-v086.prod.surfshark.com] - idle: [....64] [ip4][..tcp] [..192.168.1.183][44102] -> [..146.70.182.51][..443] [TLS.SurfShark][Unknown][VPN][Acceptable][it-mil-v086.prod.surfshark.com] - idle: [....63] [ip4][..tcp] [..192.168.1.245][58624] -> [.104.16.156.111][..443] [TLS.NordVPN][Cloudflare][VPN][Acceptable][s1.nordcdn.com] + idle: [....64] [ip4][..tcp] [..192.168.1.183][44102] -> [..146.70.182.51][..443] [TLS.SurfShark][Unknown][VPN][Acceptable] + idle: [....63] [ip4][..tcp] [..192.168.1.245][58624] -> [.104.16.156.111][..443] [TLS.NordVPN][Cloudflare][VPN][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/sites2.pcapng.out b/test/results/flow-info/default/sites2.pcapng.out new file mode 100644 index 000000000..ccfd070dc --- /dev/null +++ b/test/results/flow-info/default/sites2.pcapng.out 
@@ -0,0 +1,19 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [..192.168.12.67][46892] -> [...2.23.155.106][..443] + detected: [.....1] [ip4][..tcp] [..192.168.12.67][46892] -> [...2.23.155.106][..443] [TLS.Shein][Unknown][Shopping][Acceptable][img.shein.com] + detection-update: [.....1] [ip4][..tcp] [..192.168.12.67][46892] -> [...2.23.155.106][..443] [TLS.Shein][Unknown][Shopping][Acceptable][img.shein.com] + DAEMON-EVENT: [Processed: 13 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0] + new: [.....2] [ip4][..tcp] [..192.168.12.67][47694] -> [......20.15.0.9][..443] + detected: [.....2] [ip4][..tcp] [..192.168.12.67][47694] -> [......20.15.0.9][..443] [TLS.Temu][Azure][Shopping][Acceptable][gtm.temu.com] + detection-update: [.....2] [ip4][..tcp] [..192.168.12.67][47694] -> [......20.15.0.9][..443] [TLS.Temu][Azure][Shopping][Acceptable][gtm.temu.com] + new: [.....3] [ip4][..tcp] [..192.168.12.67][43446] -> [..59.82.122.224][..443] + detected: [.....3] [ip4][..tcp] [..192.168.12.67][43446] -> [..59.82.122.224][..443] [TLS.Taobao][Alibaba][Shopping][Acceptable][umdc.taobao.com] + detection-update: [.....3] [ip4][..tcp] [..192.168.12.67][43446] -> [..59.82.122.224][..443] [TLS.Taobao][Alibaba][Shopping][Acceptable][umdc.taobao.com] + detection-update: [.....3] [ip4][..tcp] [..192.168.12.67][43446] -> [..59.82.122.224][..443] [TLS.Taobao][Alibaba][Shopping][Acceptable][umdc.taobao.com] + idle: [.....1] [ip4][..tcp] [..192.168.12.67][46892] -> [...2.23.155.106][..443] [TLS.Shein][Unknown][Shopping][Acceptable] + idle: [.....2] [ip4][..tcp] [..192.168.12.67][47694] -> [......20.15.0.9][..443] [TLS.Temu][Azure][Shopping][Acceptable] + idle: [.....3] [ip4][..tcp] [..192.168.12.67][43446] -> 
[..59.82.122.224][..443] [TLS.Taobao][Alibaba][Shopping][Acceptable] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/smtp-starttls.pcap.out b/test/results/flow-info/default/smtp-starttls.pcap.out index 320d13cfe..9c29e6843 100644 --- a/test/results/flow-info/default/smtp-starttls.pcap.out +++ b/test/results/flow-info/default/smtp-starttls.pcap.out @@ -10,7 +10,7 @@ RISK: Obsolete TLS (v1.1 or older) detection-update: [.....1] [ip4][..tcp] [.......10.0.0.1][57406] -> [..173.194.68.26][...25] [SMTPS.Google][Google][Email][Acceptable] RISK: Obsolete TLS (v1.1 or older) - analyse: [.....1] [ip4][..tcp] [.......10.0.0.1][57406] -> [..173.194.68.26][...25] [SMTPS.Google][Google][Email][Acceptable][mx.google.com] + analyse: [.....1] [ip4][..tcp] [.......10.0.0.1][57406] -> [..173.194.68.26][...25] [SMTPS.Google][Google][Email][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.157| 0.030| 0.035| 1204.841| 4.200] [PKTLEN......: 52.000| 1470.000| 240.300| 368.100| 135468.500| 4.000] @@ -28,7 +28,7 @@ RISK: TLS (probably) Not Carrying HTTPS, TLS Susp Extn detection-update: [.....2] [ip6][..tcp] [...2003:de:2016:125:fc36:8317:4e86:cb72][.7562] -> [...............2003:de:2016:120::a08:53][...25] [SMTPS][Unknown][Email][Safe] RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS, TLS Susp Extn - analyse: [.....2] [ip6][..tcp] [...2003:de:2016:125:fc36:8317:4e86:cb72][.7562] -> [...............2003:de:2016:120::a08:53][...25] [SMTPS][Unknown][Email][Safe][dovecot.weberlab.de] + analyse: [.....2] [ip6][..tcp] [...2003:de:2016:125:fc36:8317:4e86:cb72][.7562] -> [...............2003:de:2016:120::a08:53][...25] [SMTPS][Unknown][Email][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.203| 0.019| 0.049| 2372.381| 2.800] [PKTLEN......: 60.000| 1200.000| 180.500| 257.100| 66086.800| 4.200] 
diff --git a/test/results/flow-info/default/smtps.pcapng.out b/test/results/flow-info/default/smtps.pcapng.out index 80b081b41..ebe6232d6 100644 --- a/test/results/flow-info/default/smtps.pcapng.out +++ b/test/results/flow-info/default/smtps.pcapng.out @@ -4,8 +4,6 @@ new: [.....1] [ip4][..tcp] [....62.43.36.99][37682] -> [...21.65.95.132][..465] detected: [.....1] [ip4][..tcp] [....62.43.36.99][37682] -> [...21.65.95.132][..465] [SMTPS][Unknown][Email][Safe] RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn - detection-update: [.....1] [ip4][..tcp] [....62.43.36.99][37682] -> [...21.65.95.132][..465] [SMTPS][Unknown][Email][Safe] - RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn idle: [.....1] [ip4][..tcp] [....62.43.36.99][37682] -> [...21.65.95.132][..465] [SMTPS][Unknown][Email][Safe] RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/snapchat.pcap.out b/test/results/flow-info/default/snapchat.pcap.out index 50b57301e..10e66fb5d 100644 --- a/test/results/flow-info/default/snapchat.pcap.out +++ b/test/results/flow-info/default/snapchat.pcap.out 
@@ -14,6 +14,6 @@ detection-update: [.....3] [ip4][..tcp] [.......10.8.0.1][56193] -> [.74.125.136.141][..443] [TLS.Snapchat][Google][SocialNetwork][Fun][feelinsonice-hrd.appspot.com] end: [.....1] [ip4][..tcp] [.......10.8.0.1][33233] -> [.74.125.136.141][..443] [TLS][Google][Web][Safe] RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn - idle: [.....3] [ip4][..tcp] [.......10.8.0.1][56193] -> [.74.125.136.141][..443] [TLS.Snapchat][Google][SocialNetwork][Fun][feelinsonice-hrd.appspot.com] - idle: [.....2] [ip4][..tcp] [.......10.8.0.1][44536] -> [.74.125.136.141][..443] [TLS.Snapchat][Google][SocialNetwork][Fun][feelinsonice-hrd.appspot.com] + idle: [.....3] [ip4][..tcp] [.......10.8.0.1][56193] -> [.74.125.136.141][..443] [TLS.Snapchat][Google][SocialNetwork][Fun] + idle: [.....2] [ip4][..tcp] [.......10.8.0.1][44536] -> [.74.125.136.141][..443] [TLS.Snapchat][Google][SocialNetwork][Fun] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/soap.pcap.out b/test/results/flow-info/default/soap.pcap.out index 4a974492b..c7ff5b26a 100644 --- a/test/results/flow-info/default/soap.pcap.out +++ b/test/results/flow-info/default/soap.pcap.out @@ -2,6 +2,7 @@ DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....1] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][...80] + detected: [.....1] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][...80] [SOAP][Unknown][RPC][Acceptable] new: [.....2] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][.4176] [MIDSTREAM] detected: [.....2] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][.4176] [HTTP.SOAP][Unknown][Cloud][Acceptable][go.microsoft.com] RISK: Known Proto on Non Std Port 
@@ -12,6 +13,5 @@ idle: [.....3][.808] [ip4][..tcp] [..185.32.192.30][...80] -> [.85.154.114.113][56028] [SOAP][Unknown][RPC][Acceptable] idle: [.....2] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][.4176] [HTTP.SOAP][Unknown][Cloud][Acceptable] RISK: Known Proto on Non Std Port - guessed: [.....1] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][...80] [HTTP][Unknown][Web][Acceptable][] - end: [.....1] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][...80] + end: [.....1] [ip4][..tcp] [..192.168.2.100][50100] -> [...23.2.213.165][...80] [SOAP][Unknown][RPC][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/sonos.pcapng.out b/test/results/flow-info/default/sonos.pcapng.out new file mode 100644 index 000000000..50883679b --- /dev/null +++ b/test/results/flow-info/default/sonos.pcapng.out 
@@ -0,0 +1,28 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [...192.168.1.29][52425] -> [...192.168.1.70][.1443] + detected: [.....1] [ip4][..tcp] [...192.168.1.29][52425] -> [...192.168.1.70][.1443] [TLS][Unknown][Web][Safe][192.168.1.70] + RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS + detection-update: [.....1] [ip4][..tcp] [...192.168.1.29][52425] -> [...192.168.1.70][.1443] [TLS][Unknown][Web][Safe][192.168.1.70] + RISK: Known Proto on Non Std Port, Weak TLS Cipher, HTTP/TLS/QUIC Numeric Hostname/SNI, TLS (probably) Not Carrying HTTPS + detection-update: [.....1] [ip4][..tcp] [...192.168.1.29][52425] -> [...192.168.1.70][.1443] [TLS.Sonos][Unknown][Music][Fun][192.168.1.70] + RISK: Known Proto on Non Std Port, Weak TLS Cipher, TLS Cert Mismatch, TLS (probably) Not Carrying HTTPS + analyse: [.....1] [ip4][..tcp] [...192.168.1.29][52425] -> [...192.168.1.70][.1443] [TLS.Sonos][Unknown][Music][Fun] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.077| 0.006| 0.016| 258.244| 2.100] + [PKTLEN......: 52.000| 1500.000| 388.600| 553.200| 306044.500| 3.800] + [BINS(c->s)..: 12,1,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 5,2,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,0,0,1,1,1,0,1,0,0,1,1,0,1,1,0,0,1,0,1,1] + [IATS(ms)....: 0.3,0.3,0.1,0.4,0.6,0.8,0.6,0.6,0.0,0.1,0.6,0.1,0.0,41.1,36.3,0.1,76.7,0.1,0.1,0.1,0.4,5.2,5.5,0.1,0.1,0.1,0.0,0.2,0.2,0.1,0.1] + [PKTLENS.....: 64,60,52,199,52,114,52,1500,52,422,52,319,58,97,52,214,58,52,97,52,284,52,1500,52,1500,1500,52,52,1500,52,1500,774] + [ENTROPIES...: 
4.1,5.0,4.6,5.4,5.0,5.5,4.7,7.0,4.7,7.5,4.6,7.2,4.6,5.3,4.9,6.9,4.9,4.7,5.6,4.7,7.1,5.0,7.8,4.6,7.9,7.9,4.6,4.6,7.9,4.6,7.9,7.7] + DAEMON-EVENT: [Processed: 44 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 2|updates: 0] + new: [.....2] [ip4][..udp] [..192.168.15.37][44467] -> [..192.168.15.36][.7080] + detected: [.....2] [ip4][..udp] [..192.168.15.37][44467] -> [..192.168.15.36][.7080] [Sonos][Unknown][Music][Fun] + end: [.....1] [ip4][..tcp] [...192.168.1.29][52425] -> [...192.168.1.70][.1443] [TLS.Sonos][Unknown][Music][Fun][192.168.1.70] + RISK: Known Proto on Non Std Port, Weak TLS Cipher, TLS Cert Mismatch, TLS (probably) Not Carrying HTTPS + idle: [.....2] [ip4][..udp] [..192.168.15.37][44467] -> [..192.168.15.36][.7080] [Sonos][Unknown][Music][Fun] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/teams.pcap.out b/test/results/flow-info/default/teams.pcap.out index 9161d6afb..257fc16da 100644 --- a/test/results/flow-info/default/teams.pcap.out +++ b/test/results/flow-info/default/teams.pcap.out @@ -34,7 +34,6 @@ ERROR-EVENT: Unknown packet type [7/16] new: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] detected: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] - detection-update: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] analyse: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.221| 0.032| 0.054| 2931.592| 3.400] 
@@ -51,7 +50,7 @@ new: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] detected: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com] detection-update: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com] - analyse: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] + analyse: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.050| 0.018| 0.021| 449.200| 3.900] [PKTLEN......: 52.000| 1492.000| 680.600| 673.100| 453031.800| 4.200] 
@@ -101,15 +100,12 @@ new: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] detected: [....18] [ip4][..tcp] [....192.168.1.6][60538] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] detected: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] - detection-update: [....18] [ip4][..tcp] [....192.168.1.6][60538] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] - detection-update: [....19] [ip4][..tcp] [....192.168.1.6][60539] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] new: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] new: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] detected: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] detected: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] new: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] detected: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][config.teams.microsoft.com] - detection-update: [....20] [ip4][..tcp] [....192.168.1.6][60540] -> [...52.114.75.70][..443] [TLS.Teams][Azure][Collaborative][Safe][eu-prod.asyncgw.teams.microsoft.com] detection-update: [....21] [ip4][..tcp] [....192.168.1.6][60541] -> [...52.114.75.69][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][eu-api.asm.skype.com] detection-update: [....22] [ip4][..udp] [....192.168.1.6][49514] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][config.teams.microsoft.com] new: [....23] [ip4][..tcp] [....192.168.1.6][60542] -> 
[.52.113.194.132][..443] @@ -123,7 +119,6 @@ detected: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS detected: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443] [TLS.Teams][Azure][Collaborative][Safe][northeurope.notifications.teams.microsoft.com] - detection-update: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443] [TLS.Teams][Azure][Collaborative][Safe][northeurope.notifications.teams.microsoft.com] detection-update: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS ERROR-EVENT: Unknown packet type [16/16] @@ -134,7 +129,6 @@ new: [....29] [ip4][..tcp] [.162.125.19.131][..443] -> [....192.168.1.6][60344] [MIDSTREAM] detected: [....29] [ip4][..tcp] [.162.125.19.131][..443] -> [....192.168.1.6][60344] [TLS][Dropbox][Web][Safe] detected: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Azure][Collaborative][Safe][presence.teams.microsoft.com] - detection-update: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Azure][Collaborative][Safe][presence.teams.microsoft.com] analyse: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.153| 0.028| 0.040| 1626.047| 3.600] 
@@ -170,7 +164,7 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [....33] [ip4][..tcp] [....192.168.1.6][60548] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - analyse: [....32] [ip4][..tcp] [....192.168.1.6][60547] -> [...52.114.88.59][..443] [TLS.Teams][Azure][Collaborative][Safe][chatsvcagg.teams.microsoft.com] + analyse: [....32] [ip4][..tcp] [....192.168.1.6][60547] -> [...52.114.88.59][..443] [TLS.Teams][Azure][Collaborative][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.115| 0.021| 0.031| 968.681| 3.500] [PKTLEN......: 52.000| 1492.000| 377.200| 521.700| 272149.200| 3.900] @@ -241,7 +235,6 @@ detected: [....46] [ip4][..tcp] [....192.168.1.6][60556] -> [.....40.126.9.7][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] detected: [....45] [ip4][..tcp] [....192.168.1.6][60555] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - detection-update: [....46] [ip4][..tcp] [....192.168.1.6][60556] -> [.....40.126.9.7][..443] [TLS.Microsoft365][Microsoft365][Collaborative][Acceptable][login.microsoftonline.com] detection-update: [....42] [ip4][..tcp] [....192.168.1.6][60552] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS detection-update: [....45] [ip4][..tcp] [....192.168.1.6][60555] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] 
@@ -266,8 +259,6 @@ new: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] detected: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - detection-update: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS analyse: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.053| 0.020| 0.022| 492.470| 3.900] @@ -293,7 +284,7 @@ detected: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][api.microsoftstream.com] detection-update: [....51] [ip4][..tcp] [....192.168.1.6][60561] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - analyse: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][api.microsoftstream.com] + analyse: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.126| 0.019| 0.032| 1006.354| 3.400] [PKTLEN......: 52.000| 1492.000| 345.200| 499.900| 249913.200| 3.900] 
@@ -323,13 +314,11 @@ detection-update: [....56] [ip4][..udp] [....192.168.1.6][63930] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe][dc.applicationinsights.microsoft.com] new: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] detected: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] - detection-update: [....57] [ip4][..tcp] [....192.168.1.6][60564] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] new: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] detected: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][emea.ng.msg.teams-msgapi.trafficmanager.net] detection-update: [....58] [ip4][..udp] [....192.168.1.6][62863] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][emea.ng.msg.teams-msgapi.trafficmanager.net] new: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] detected: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe][emea.ng.msg.teams.microsoft.com] - detection-update: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe][emea.ng.msg.teams.microsoft.com] analyse: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Azure][Collaborative][Safe][emea.ng.msg.teams.microsoft.com] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.277| 0.019| 0.049| 2449.644| 2.900] 
@@ -370,8 +359,6 @@ new: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] new: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] detected: [....68] [ip4][..udp] [....192.168.1.6][50016] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] - detection-update: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS new: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] detected: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] detected: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com] @@ -380,8 +367,6 @@ detected: [....70] [ip4][..udp] [....192.168.1.6][50036] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] new: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] detected: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] - detection-update: [....67] [ip4][..tcp] [....192.168.1.6][50021] -> [.52.114.250.123][..443] [TLS.Teams][Azure][Collaborative][Safe][euaz.tr.teams.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS detection-update: [....69] [ip4][..udp] [....192.168.1.6][50017] -> [.52.114.250.141][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] detection-update: [....71] [ip4][..udp] [....192.168.1.6][50037] -> [.52.114.250.137][.3478] [STUN.Skype_TeamsCall][Azure][VoIP][Acceptable][] new: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443] 
@@ -400,8 +385,6 @@ detection-update: [....75] [ip4][..udp] [....192.168.1.6][60837] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][c-flightproxy-euno-01-teams.cloudapp.net] detected: [....74] [ip4][..tcp] [....192.168.1.6][60567] -> [..52.114.77.136][..443] [TLS.Teams][Azure][Collaborative][Safe][api.flightproxy.teams.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS - detection-update: [....74] [ip4][..tcp] [....192.168.1.6][60567] -> [..52.114.77.136][..443] [TLS.Teams][Azure][Collaborative][Safe][api.flightproxy.teams.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS new: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] detected: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable][] RISK: Known Proto on Non Std Port @@ -442,7 +425,6 @@ RISK: Known Proto on Non Std Port, Unidirectional Traffic new: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] detected: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] - detection-update: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][gate.hockeyapp.net] new: [....83] [ip4][.icmp] [..93.71.110.205] -> [....192.168.1.6] detected: [....83] [ip4][.icmp] [..93.71.110.205] -> [....192.168.1.6] [ICMP][Unknown][Network][Acceptable] analyse: [....78] [ip4][..udp] [..93.71.110.205][16332] -> [....192.168.1.6][50016] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] 
@@ -473,7 +455,7 @@ RISK: TLS (probably) Not Carrying HTTPS idle: [....76] [ip4][..udp] [....192.168.1.6][50016] -> [....192.168.0.4][50005] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] RISK: Known Proto on Non Std Port, Unidirectional Traffic - idle: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][euno-1.api.microsoftstream.com] + idle: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable] idle: [....17] [ip4][..udp] [....192.168.1.6][63106] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][eu-prod.asyncgw.teams.microsoft.com] idle: [....77] [ip4][..udp] [....192.168.1.6][50036] -> [....192.168.0.4][50020] [STUN.Skype_TeamsCall][Unknown][VoIP][Acceptable] RISK: Known Proto on Non Std Port, Unidirectional Traffic 
@@ -521,10 +503,10 @@ idle: [....34] [ip4][..udp] [....192.168.1.6][59403] -> [....192.168.1.1][...53] [DNS.Microsoft365][Unknown][Network][Acceptable][substrate.office.com] idle: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Outlook][Collaborative][Acceptable][substrate.office.com] idle: [....44] [ip4][..udp] [....192.168.1.6][51309] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][skypedataprdcolneu04.cloudapp.net] - end: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org] + end: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe] RISK: Known Proto on Non Std Port idle: [....12] [ip4][..udp] [....192.168.1.6][17500] -> [..192.168.1.255][17500] [Dropbox][Unknown][Cloud][Acceptable] - idle: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org] + idle: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe] RISK: Known Proto on Non Std Port idle: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][chatsvcagg.svcs.teams.office.com] guessed: [....62] [ip4][..udp] [....192.168.1.6][51681] -> [..52.114.77.136][.3478] [Skype_TeamsCall][Azure][VoIP][Acceptable] diff --git a/test/results/flow-info/default/tls_1.2_unidirectional_client.pcapng.out b/test/results/flow-info/default/tls_1.2_unidirectional_client.pcapng.out new file mode 100644 index 000000000..6e5b7a799 --- /dev/null +++ b/test/results/flow-info/default/tls_1.2_unidirectional_client.pcapng.out 
@@ -0,0 +1,9 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [.192.168.12.156][43854] -> [..216.58.209.42][..443] + detected: [.....1] [ip4][..tcp] [.192.168.12.156][43854] -> [..216.58.209.42][..443] [TLS.GoogleServices][Google][Web][Acceptable][notifications-pa.googleapis.com] + RISK: Unidirectional Traffic + end: [.....1] [ip4][..tcp] [.192.168.12.156][43854] -> [..216.58.209.42][..443] [TLS.GoogleServices][Google][Web][Acceptable] + RISK: Unidirectional Traffic + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_1.2_unidirectional_client_no_cert.pcapng.out b/test/results/flow-info/default/tls_1.2_unidirectional_client_no_cert.pcapng.out new file mode 100644 index 000000000..9b324cc4e --- /dev/null +++ b/test/results/flow-info/default/tls_1.2_unidirectional_client_no_cert.pcapng.out @@ -0,0 +1,9 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [.192.168.12.156][39958] -> [..172.67.21.133][..443] + detected: [.....1] [ip4][..tcp] [.192.168.12.156][39958] -> [..172.67.21.133][..443] [TLS][Cloudflare][Web][Safe][sb.adtidy.org] + RISK: Unidirectional Traffic + end: [.....1] [ip4][..tcp] [.192.168.12.156][39958] -> [..172.67.21.133][..443] [TLS][Cloudflare][Web][Safe] + RISK: Unidirectional Traffic + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_1.2_unidirectional_server.pcapng.out b/test/results/flow-info/default/tls_1.2_unidirectional_server.pcapng.out new file mode 100644 index 000000000..1410a061a --- /dev/null +++ b/test/results/flow-info/default/tls_1.2_unidirectional_server.pcapng.out 
@@ -0,0 +1,11 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [..216.58.209.42][..443] -> [.192.168.12.156][43854] + detected: [.....1] [ip4][..tcp] [..216.58.209.42][..443] -> [.192.168.12.156][43854] [TLS][Google][Web][Safe] + RISK: Unidirectional Traffic + detection-update: [.....1] [ip4][..tcp] [..216.58.209.42][..443] -> [.192.168.12.156][43854] [TLS.YouTubeUpload][Google][Media][Fun] + RISK: Unidirectional Traffic + idle: [.....1] [ip4][..tcp] [..216.58.209.42][..443] -> [.192.168.12.156][43854] [TLS.YouTubeUpload][Google][Media][Fun] + RISK: Unidirectional Traffic + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_1.2_unidirectional_server_no_cert.pcapng.out b/test/results/flow-info/default/tls_1.2_unidirectional_server_no_cert.pcapng.out new file mode 100644 index 000000000..c54c75d01 --- /dev/null +++ b/test/results/flow-info/default/tls_1.2_unidirectional_server_no_cert.pcapng.out @@ -0,0 +1,9 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [..172.67.21.133][..443] -> [.192.168.12.156][39958] + detected: [.....1] [ip4][..tcp] [..172.67.21.133][..443] -> [.192.168.12.156][39958] [TLS][Cloudflare][Web][Safe] + RISK: Unidirectional Traffic + end: [.....1] [ip4][..tcp] [..172.67.21.133][..443] -> [.192.168.12.156][39958] [TLS][Cloudflare][Web][Safe] + RISK: Unidirectional Traffic + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_1.3_unidirectional_client.pcapng.out b/test/results/flow-info/default/tls_1.3_unidirectional_client.pcapng.out new file mode 100644 index 000000000..be71565b2 --- /dev/null 
+++ b/test/results/flow-info/default/tls_1.3_unidirectional_client.pcapng.out @@ -0,0 +1,9 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [.192.168.12.156][39750] -> [.142.250.184.68][..443] + detected: [.....1] [ip4][..tcp] [.192.168.12.156][39750] -> [.142.250.184.68][..443] [TLS.Google][Google][Web][Acceptable][www.google.com] + RISK: Unidirectional Traffic + end: [.....1] [ip4][..tcp] [.192.168.12.156][39750] -> [.142.250.184.68][..443] [TLS.Google][Google][Web][Acceptable] + RISK: Unidirectional Traffic + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_1.3_unidirectional_server.pcapng.out b/test/results/flow-info/default/tls_1.3_unidirectional_server.pcapng.out new file mode 100644 index 000000000..60174db8b --- /dev/null +++ b/test/results/flow-info/default/tls_1.3_unidirectional_server.pcapng.out @@ -0,0 +1,9 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [.142.250.184.68][..443] -> [.192.168.12.156][39750] + detected: [.....1] [ip4][..tcp] [.142.250.184.68][..443] -> [.192.168.12.156][39750] [TLS][Google][Web][Safe] + RISK: Unidirectional Traffic + end: [.....1] [ip4][..tcp] [.142.250.184.68][..443] -> [.192.168.12.156][39750] [TLS][Google][Web][Safe] + RISK: Unidirectional Traffic + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_2_reasms.pcapng.out b/test/results/flow-info/default/tls_2_reasms.pcapng.out index 6929abc24..e362321f2 100644 --- a/test/results/flow-info/default/tls_2_reasms.pcapng.out +++ b/test/results/flow-info/default/tls_2_reasms.pcapng.out 
@@ -4,5 +4,5 @@ new: [.....1] [ip4][..tcp] [.192.91.186.174][..443] -> [...25.137.80.32][38134] detected: [.....1] [ip4][..tcp] [.192.91.186.174][..443] -> [...25.137.80.32][38134] [TLS.Instagram][Unknown][SocialNetwork][Fun][i.instagram.com] detection-update: [.....1] [ip4][..tcp] [.192.91.186.174][..443] -> [...25.137.80.32][38134] [TLS.Instagram][Unknown][SocialNetwork][Fun][i.instagram.com] - idle: [.....1] [ip4][..tcp] [.192.91.186.174][..443] -> [...25.137.80.32][38134] [TLS.Instagram][Unknown][SocialNetwork][Fun][i.instagram.com] + idle: [.....1] [ip4][..tcp] [.192.91.186.174][..443] -> [...25.137.80.32][38134] [TLS.Instagram][Unknown][SocialNetwork][Fun] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_change_cipher.pcap.out b/test/results/flow-info/default/tls_change_cipher.pcap.out new file mode 100644 index 000000000..5c6648a10 --- /dev/null +++ b/test/results/flow-info/default/tls_change_cipher.pcap.out @@ -0,0 +1,18 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + ERROR-EVENT: Unknown packet type [1/16] + ERROR-EVENT: Unknown packet type [2/16] + ERROR-EVENT: Unknown packet type [3/16] + ERROR-EVENT: Unknown packet type [4/16] + ERROR-EVENT: Unknown packet type [5/16] + ERROR-EVENT: Unknown packet type [6/16] + ERROR-EVENT: Unknown packet type [7/16] + ERROR-EVENT: Unknown packet type [8/16] + ERROR-EVENT: Unknown packet type [9/16] + ERROR-EVENT: Unknown packet type [10/16] + ERROR-EVENT: Unknown packet type [11/16] + ERROR-EVENT: Unknown packet type [12/16] + ERROR-EVENT: Unknown packet type [13/16] + ERROR-EVENT: Unknown packet type [14/16] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_heur__shadowsocks-tcp.pcapng.out b/test/results/flow-info/default/tls_heur__shadowsocks-tcp.pcapng.out new file mode 100644 index 000000000..e70a46b38 --- /dev/null 
+++ b/test/results/flow-info/default/tls_heur__shadowsocks-tcp.pcapng.out 
@@ -0,0 +1,31 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [......127.0.0.1][44424] -> [......127.0.0.1][.1080] + detected: [.....1] [ip4][..tcp] [......127.0.0.1][44424] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + new: [.....2] [ip4][..udp] [......127.0.0.1][41182] -> [.....127.0.0.53][...53] + detected: [.....2] [ip4][..udp] [......127.0.0.1][41182] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][41182] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + RISK: Unidirectional Traffic + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][41182] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + new: [.....3] [ip4][..tcp] [......127.0.0.1][40164] -> [......127.0.0.1][.1234] + new: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][45334] -> [...............2a00:1450:4002:416::200e][..443] + detected: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][45334] -> [...............2a00:1450:4002:416::200e][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + detection-update: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][45334] -> [...............2a00:1450:4002:416::200e][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + analyse: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][45334] -> [...............2a00:1450:4002:416::200e][..443] [TLS.YouTube][Google][Media][Fun] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.050| 0.008| 0.014| 183.336| 3.300] + [PKTLEN......: 72.000| 4948.000| 786.900| 1186.200| 1407143.500| 3.900] + [BINS(c->s)..: 
13,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 3,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,2] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,0,1,0,1,0,1,1,1,0,0,0,1,1,1,1,0,0,1,0,1,1] + [IATS(ms)....: 3.4,3.5,0.3,3.9,24.5,28.1,0.2,0.0,0.2,0.0,3.0,7.5,5.3,6.5,46.4,49.6,0.0,0.0,9.0,0.1,0.0,0.4,0.0,0.0,0.0,0.3,0.0,26.1,26.1,0.4,0.0] + [PKTLENS.....: 80,80,72,589,72,1280,72,4904,631,72,72,345,720,103,103,72,1280,293,1280,72,72,72,1280,1280,1280,4948,72,72,1280,72,1280,1280] + [ENTROPIES...: 4.8,5.3,5.2,4.8,5.2,7.8,5.2,8.0,7.6,5.2,5.2,7.1,7.7,5.8,5.8,5.1,7.8,7.1,7.9,5.2,5.2,5.2,7.8,7.9,7.8,8.0,5.1,5.2,7.9,5.2,7.8,7.8] + idle: [.....2] [ip4][..udp] [......127.0.0.1][41182] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + not-detected: [.....3] [ip4][..tcp] [......127.0.0.1][40164] -> [......127.0.0.1][.1234] [Unknown][Unknown][Unrated] + RISK: Fully Encrypted Flow + idle: [.....3] [ip4][..tcp] [......127.0.0.1][40164] -> [......127.0.0.1][.1234] + idle: [.....1] [ip4][..tcp] [......127.0.0.1][44424] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + idle: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][45334] -> [...............2a00:1450:4002:416::200e][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_heur__trojan-tcp-tls.pcapng.out b/test/results/flow-info/default/tls_heur__trojan-tcp-tls.pcapng.out new file mode 100644 index 000000000..8bc342628 --- /dev/null +++ b/test/results/flow-info/default/tls_heur__trojan-tcp-tls.pcapng.out 
@@ -0,0 +1,62 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [......127.0.0.1][60654] -> [......127.0.0.1][.1080] + detected: [.....1] [ip4][..tcp] [......127.0.0.1][60654] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + new: [.....2] [ip4][..udp] [......127.0.0.1][52786] -> [.....127.0.0.53][...53] + detected: [.....2] [ip4][..udp] [......127.0.0.1][52786] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][52786] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + RISK: Unidirectional Traffic + new: [.....3] [ip4][..udp] [..192.168.1.183][46451] -> [..192.168.1.253][...53] + detected: [.....3] [ip4][..udp] [..192.168.1.183][46451] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + new: [.....4] [ip4][..udp] [..192.168.1.183][54260] -> [..192.168.1.253][...53] + detected: [.....4] [ip4][..udp] [..192.168.1.183][54260] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....3] [ip4][..udp] [..192.168.1.183][46451] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....4] [ip4][..udp] [..192.168.1.183][54260] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][52786] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + new: [.....5] [ip4][..udp] [......127.0.0.1][53154] -> [.....127.0.0.53][...53] + detected: [.....5] [ip4][..udp] [......127.0.0.1][53154] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + new: [.....6] [ip4][..udp] [......127.0.0.1][56496] -> 
[.....127.0.0.53][...53] + detected: [.....6] [ip4][..udp] [......127.0.0.1][56496] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + new: [.....7] [ip4][..udp] [..192.168.1.183][39434] -> [..192.168.1.253][...53] + detected: [.....7] [ip4][..udp] [..192.168.1.183][39434] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + new: [.....8] [ip4][..udp] [..192.168.1.183][38613] -> [..192.168.1.253][...53] + detected: [.....8] [ip4][..udp] [..192.168.1.183][38613] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + detection-update: [.....7] [ip4][..udp] [..192.168.1.183][39434] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + detection-update: [.....5] [ip4][..udp] [......127.0.0.1][53154] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + detection-update: [.....8] [ip4][..udp] [..192.168.1.183][38613] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + detection-update: [.....6] [ip4][..udp] [......127.0.0.1][56496] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + new: [.....9] [ip4][..tcp] [......127.0.0.1][41796] -> [......127.0.0.1][.1234] + detected: [.....9] [ip4][..tcp] [......127.0.0.1][41796] -> [......127.0.0.1][.1234] [TLS][Unknown][Web][Safe][test.lan] + RISK: Known Proto on Non Std Port + detection-update: [.....9] [ip4][..tcp] [......127.0.0.1][41796] -> [......127.0.0.1][.1234] [TLS][Unknown][Web][Safe][test.lan] + RISK: Known Proto on Non Std Port + new: [....10] [ip4][..tcp] [..192.168.1.183][58730] -> [142.250.180.142][..443] + detected: [....10] [ip4][..tcp] [..192.168.1.183][58730] -> [142.250.180.142][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + detection-update: [....10] [ip4][..tcp] [..192.168.1.183][58730] -> [142.250.180.142][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + analyse: [....10] 
[ip4][..tcp] [..192.168.1.183][58730] -> [142.250.180.142][..443] [TLS.YouTube][Google][Media][Fun] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.070| 0.007| 0.015| 238.385| 3.000] + [PKTLEN......: 52.000| 1452.000| 481.500| 599.800| 359742.800| 3.900] + [BINS(c->s)..: 14,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0] + [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0] + [IATS(ms)....: 2.7,2.7,0.3,2.7,17.2,19.6,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,8.4,0.5,11.2,3.0,2.3,5.7,46.1,70.4,31.7,0.1,0.0,0.0,0.0,0.0,0.1,0.1,0.0] + [PKTLENS.....: 60,60,52,569,52,1452,52,1452,52,1452,52,1452,52,1053,52,132,245,700,83,83,52,52,1452,52,80,52,1452,52,1452,52,1452,52] + [ENTROPIES...: 4.6,5.2,4.9,4.8,4.9,7.8,4.8,7.8,4.9,7.9,4.8,7.9,4.8,7.8,4.8,6.2,7.0,7.7,5.6,5.5,4.9,4.9,7.9,4.9,5.6,4.9,7.9,4.9,7.9,4.9,7.9,4.8] + idle: [.....8] [ip4][..udp] [..192.168.1.183][38613] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + idle: [.....5] [ip4][..udp] [......127.0.0.1][53154] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + idle: [.....9] [ip4][..tcp] [......127.0.0.1][41796] -> [......127.0.0.1][.1234] [TLS][Unknown][Web][Safe] + RISK: Known Proto on Non Std Port + idle: [.....1] [ip4][..tcp] [......127.0.0.1][60654] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + idle: [....10] [ip4][..tcp] [..192.168.1.183][58730] -> [142.250.180.142][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + idle: [.....7] [ip4][..udp] [..192.168.1.183][39434] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + idle: [.....4] [ip4][..udp] [..192.168.1.183][54260] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + idle: [.....6] 
[ip4][..udp] [......127.0.0.1][56496] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + idle: [.....3] [ip4][..udp] [..192.168.1.183][46451] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + idle: [.....2] [ip4][..udp] [......127.0.0.1][52786] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_heur__vmess-tcp-tls.pcapng.out b/test/results/flow-info/default/tls_heur__vmess-tcp-tls.pcapng.out new file mode 100644 index 000000000..cc34610ac --- /dev/null +++ b/test/results/flow-info/default/tls_heur__vmess-tcp-tls.pcapng.out 
@@ -0,0 +1,52 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [......127.0.0.1][40136] -> [......127.0.0.1][.1080] + detected: [.....1] [ip4][..tcp] [......127.0.0.1][40136] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + new: [.....2] [ip4][..udp] [......127.0.0.1][46548] -> [.....127.0.0.53][...53] + detected: [.....2] [ip4][..udp] [......127.0.0.1][46548] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][46548] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + RISK: Unidirectional Traffic + new: [.....3] [ip4][..udp] [..192.168.1.183][49817] -> [..192.168.1.253][...53] + detected: [.....3] [ip4][..udp] [..192.168.1.183][49817] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + new: [.....4] [ip4][..udp] [..192.168.1.183][41933] -> [..192.168.1.253][...53] + detected: [.....4] [ip4][..udp] [..192.168.1.183][41933] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....3] [ip4][..udp] [..192.168.1.183][49817] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....4] [ip4][..udp] [..192.168.1.183][41933] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][46548] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + new: [.....5] [ip4][..udp] [......127.0.0.1][50125] -> [.....127.0.0.53][...53] + detected: [.....5] [ip4][..udp] [......127.0.0.1][50125] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + new: [.....6] [ip4][..udp] [......127.0.0.1][45262] -> 
[.....127.0.0.53][...53] + detected: [.....6] [ip4][..udp] [......127.0.0.1][45262] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + new: [.....7] [ip4][..udp] [..192.168.1.183][58009] -> [..192.168.1.253][...53] + detected: [.....7] [ip4][..udp] [..192.168.1.183][58009] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + new: [.....8] [ip4][..udp] [..192.168.1.183][42485] -> [..192.168.1.253][...53] + detected: [.....8] [ip4][..udp] [..192.168.1.183][42485] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + detection-update: [.....7] [ip4][..udp] [..192.168.1.183][58009] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + detection-update: [.....8] [ip4][..udp] [..192.168.1.183][42485] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + detection-update: [.....5] [ip4][..udp] [......127.0.0.1][50125] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + detection-update: [.....6] [ip4][..udp] [......127.0.0.1][45262] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + new: [.....9] [ip4][..tcp] [......127.0.0.1][57874] -> [......127.0.0.1][.1234] + detected: [.....9] [ip4][..tcp] [......127.0.0.1][57874] -> [......127.0.0.1][.1234] [TLS][Unknown][Web][Safe][test.lan] + RISK: Known Proto on Non Std Port + detection-update: [.....9] [ip4][..tcp] [......127.0.0.1][57874] -> [......127.0.0.1][.1234] [TLS][Unknown][Web][Safe][test.lan] + RISK: Known Proto on Non Std Port + new: [....10] [ip4][..tcp] [..192.168.1.183][58612] -> [.216.58.204.142][..443] + detected: [....10] [ip4][..tcp] [..192.168.1.183][58612] -> [.216.58.204.142][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + detection-update: [....10] [ip4][..tcp] [..192.168.1.183][58612] -> [.216.58.204.142][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + idle: [.....1] [ip4][..tcp] 
[......127.0.0.1][40136] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + idle: [.....6] [ip4][..udp] [......127.0.0.1][45262] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + idle: [....10] [ip4][..tcp] [..192.168.1.183][58612] -> [.216.58.204.142][..443] [TLS.YouTube][Google][Media][Fun] + idle: [.....7] [ip4][..udp] [..192.168.1.183][58009] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + idle: [.....3] [ip4][..udp] [..192.168.1.183][49817] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + idle: [.....5] [ip4][..udp] [......127.0.0.1][50125] -> [.....127.0.0.53][...53] [DNS][Unknown][Network][Acceptable][test.lan] + idle: [.....4] [ip4][..udp] [..192.168.1.183][41933] -> [..192.168.1.253][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + idle: [.....2] [ip4][..udp] [......127.0.0.1][46548] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + idle: [.....8] [ip4][..udp] [..192.168.1.183][42485] -> [..192.168.1.253][...53] [DNS][Unknown][Network][Acceptable][test.lan] + RISK: Minor Issues + idle: [.....9] [ip4][..tcp] [......127.0.0.1][57874] -> [......127.0.0.1][.1234] [TLS][Unknown][Web][Safe] + RISK: Known Proto on Non Std Port + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_heur__vmess-tcp.pcapng.out b/test/results/flow-info/default/tls_heur__vmess-tcp.pcapng.out new file mode 100644 index 000000000..39fccb4a8 --- /dev/null +++ b/test/results/flow-info/default/tls_heur__vmess-tcp.pcapng.out 
@@ -0,0 +1,31 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [......127.0.0.1][37218] -> [......127.0.0.1][.1080] + detected: [.....1] [ip4][..tcp] [......127.0.0.1][37218] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + new: [.....2] [ip4][..udp] [......127.0.0.1][35957] -> [.....127.0.0.53][...53] + detected: [.....2] [ip4][..udp] [......127.0.0.1][35957] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][35957] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + RISK: Unidirectional Traffic + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][35957] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + new: [.....3] [ip4][..tcp] [......127.0.0.1][40818] -> [......127.0.0.1][.1234] + new: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][48302] -> [...............2a00:1450:4006:80d::200e][..443] + detected: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][48302] -> [...............2a00:1450:4006:80d::200e][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + detection-update: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][48302] -> [...............2a00:1450:4006:80d::200e][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + analyse: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][48302] -> [...............2a00:1450:4006:80d::200e][..443] [TLS.YouTube][Google][Media][Fun] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.054| 0.141| 0.429| 184069.177| 1.900] + [PKTLEN......: 72.000| 2488.000| 635.500| 846.400| 716345.800| 3.900] + [BINS(c->s)..: 
13,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 4,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,5] + [DIRECTIONS..: 0,0,0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,1,1,0,0,1,1,1,1,0,1,0,1,0,1,0] + [IATS(ms)....: 1019.8,1024.0,2053.5,9.7,0.4,10.5,14.8,0.0,24.8,0.0,0.2,0.0,0.1,0.0,3.4,0.5,13.4,0.0,9.6,1.8,11.4,77.7,0.0,0.0,87.4,0.4,0.3,0.3,0.3,0.2,0.2] + [PKTLENS.....: 80,80,80,80,72,589,72,2488,1280,72,72,1280,1840,72,72,152,202,720,103,135,103,72,1280,307,1280,72,2488,72,2488,72,2488,72] + [ENTROPIES...: 4.9,4.8,4.9,5.4,5.2,4.8,5.2,7.9,7.8,5.2,5.2,7.8,7.9,5.2,5.2,6.4,6.6,7.7,5.9,6.4,5.9,5.2,7.9,7.2,7.9,5.2,7.9,5.2,7.9,5.2,7.9,5.2] + idle: [.....4] [ip6][..tcp] [..2001:b07:a3d:c112:8628:88aa:8b00:913c][48302] -> [...............2a00:1450:4006:80d::200e][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + not-detected: [.....3] [ip4][..tcp] [......127.0.0.1][40818] -> [......127.0.0.1][.1234] [Unknown][Unknown][Unrated] + RISK: Fully Encrypted Flow + idle: [.....3] [ip4][..tcp] [......127.0.0.1][40818] -> [......127.0.0.1][.1234] + idle: [.....2] [ip4][..udp] [......127.0.0.1][35957] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + idle: [.....1] [ip4][..tcp] [......127.0.0.1][37218] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_heur__vmess-websocket.pcapng.out b/test/results/flow-info/default/tls_heur__vmess-websocket.pcapng.out new file mode 100644 index 000000000..cc9ab1452 --- /dev/null +++ b/test/results/flow-info/default/tls_heur__vmess-websocket.pcapng.out 
@@ -0,0 +1,40 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [......127.0.0.1][44532] -> [......127.0.0.1][.1080] + detected: [.....1] [ip4][..tcp] [......127.0.0.1][44532] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + new: [.....2] [ip4][..udp] [......127.0.0.1][39646] -> [.....127.0.0.53][...53] + detected: [.....2] [ip4][..udp] [......127.0.0.1][39646] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + detection-update: [.....2] [ip4][..udp] [......127.0.0.1][39646] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + new: [.....3] [ip4][..tcp] [......127.0.0.1][33702] -> [......127.0.0.1][.1234] + detected: [.....3] [ip4][..tcp] [......127.0.0.1][33702] -> [......127.0.0.1][.1234] [HTTP][Unknown][Web][Acceptable][127.0.0.1] + RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI + new: [.....4] [ip4][..tcp] [..192.168.1.183][51390] -> [142.250.180.142][..443] + detected: [.....4] [ip4][..tcp] [..192.168.1.183][51390] -> [142.250.180.142][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + detection-update: [.....4] [ip4][..tcp] [..192.168.1.183][51390] -> [142.250.180.142][..443] [TLS.YouTube][Google][Media][Fun][www.youtube.com] + analyse: [.....3] [ip4][..tcp] [......127.0.0.1][33702] -> [......127.0.0.1][.1234] [HTTP][Unknown][Web][Acceptable][127.0.0.1] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.082| 0.011| 0.023| 506.460| 2.800] + [PKTLEN......: 52.000| 2104.000| 665.100| 842.700| 710078.000| 3.900] + [BINS(c->s)..: 13,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 2,0,1,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8] + [DIRECTIONS..: 
0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] + [IATS(ms)....: 0.0,0.0,0.3,0.3,0.1,0.2,52.9,76.2,23.3,0.1,0.1,0.0,0.0,0.1,0.1,5.4,8.4,3.5,0.7,41.2,81.9,40.9,0.1,0.0,0.1,0.1,0.0,0.0,0.0,0.0,0.0] + [PKTLENS.....: 60,60,52,237,52,181,52,751,2104,52,2104,52,2104,52,723,52,406,753,144,123,52,2084,52,2046,52,2079,52,2043,52,2075,52,531] + [ENTROPIES...: 4.3,4.7,4.6,5.9,4.6,5.8,4.6,7.7,7.9,4.6,7.9,4.6,7.9,4.6,7.7,4.6,7.4,7.7,6.3,6.2,4.6,7.9,4.6,7.9,4.6,7.9,4.6,7.9,4.6,7.9,4.6,7.6] + analyse: [.....1] [ip4][..tcp] [......127.0.0.1][44532] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 0.082| 0.011| 0.022| 482.912| 3.100] + [PKTLEN......: 52.000| 3984.000| 653.000| 1237.600| 1531706.800| 3.300] + [BINS(c->s)..: 13,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5] + [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,1,0,0,0,0,0,0,1,1,0,1,0,1,0,1,0,1,0,1] + [IATS(ms)....: 0.1,0.1,0.1,0.1,0.4,0.4,4.5,4.7,44.0,9.4,77.6,24.3,0.3,0.3,4.2,0.3,0.0,0.0,0.0,4.6,3.4,3.7,0.6,41.3,82.0,41.2,0.1,0.2,0.2,0.2,0.1] + [PKTLENS.....: 60,60,52,56,52,54,52,62,62,52,569,3984,52,2720,52,132,98,101,87,115,52,700,83,83,52,3984,52,3984,52,2428,52,901] + [ENTROPIES...: 4.3,4.7,4.6,4.5,4.6,4.6,4.6,4.7,4.5,4.6,4.7,7.9,4.7,7.9,4.6,6.2,5.9,5.8,5.7,6.1,4.7,7.7,5.5,5.5,4.7,8.0,4.6,8.0,4.6,7.9,4.6,7.8] + idle: [.....3] [ip4][..tcp] [......127.0.0.1][33702] -> [......127.0.0.1][.1234] [HTTP][Unknown][Web][Acceptable][127.0.0.1] + RISK: Known Proto on Non Std Port, HTTP/TLS/QUIC Numeric Hostname/SNI + idle: [.....1] [ip4][..tcp] [......127.0.0.1][44532] -> [......127.0.0.1][.1080] [SOCKS][Unknown][Web][Acceptable] + idle: [.....2] [ip4][..udp] [......127.0.0.1][39646] -> [.....127.0.0.53][...53] [DNS.YouTube][Unknown][Network][Fun][www.youtube.com] + idle: 
[.....4] [ip4][..tcp] [..192.168.1.183][51390] -> [142.250.180.142][..443] [TLS.YouTube][Google][Media][Fun] + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_invalid_reads.pcap.out b/test/results/flow-info/default/tls_invalid_reads.pcap.out index e236b1959..890fe2354 100644 --- a/test/results/flow-info/default/tls_invalid_reads.pcap.out +++ b/test/results/flow-info/default/tls_invalid_reads.pcap.out @@ -6,15 +6,13 @@ RISK: Obsolete TLS (v1.1 or older) detection-update: [.....1] [ip4][..tcp] [.192.168.10.101][.3967] -> [..206.33.61.113][..443] [TLS][Unknown][Web][Safe][] RISK: Obsolete TLS (v1.1 or older) - detection-update: [.....1] [ip4][..tcp] [.192.168.10.101][.3967] -> [..206.33.61.113][..443] [TLS][Unknown][Web][Safe][] - RISK: Obsolete TLS (v1.1 or older) DAEMON-EVENT: [Processed: 8 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 2|updates: 0] + DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0] new: [.....2] [ip4][..tcp] [...74.80.160.99][.3258] -> [...67.217.77.28][..443] [MIDSTREAM] idle: [.....1] [ip4][..tcp] [.192.168.10.101][.3967] -> [..206.33.61.113][..443] [TLS][Unknown][Web][Safe] RISK: Obsolete TLS (v1.1 or older) DAEMON-EVENT: [Processed: 9 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 1 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 2|updates: 0] + DAEMON-EVENT: [Flows][active: 1 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0] ERROR-EVENT: Unknown packet type [1/16] ERROR-EVENT: Unknown packet type [2/16] ERROR-EVENT: Unknown packet type [3/16] diff --git a/test/results/flow-info/default/tls_long_cert.pcap.out b/test/results/flow-info/default/tls_long_cert.pcap.out index ea01580e6..96ae9c9b8 100644 --- a/test/results/flow-info/default/tls_long_cert.pcap.out +++ b/test/results/flow-info/default/tls_long_cert.pcap.out 
@@ -5,7 +5,7 @@ detected: [.....1] [ip4][..tcp] [..192.168.2.126][60174] -> [.104.111.215.93][..443] [TLS][Unknown][Web][Safe][www.repubblica.it] detection-update: [.....1] [ip4][..tcp] [..192.168.2.126][60174] -> [.104.111.215.93][..443] [TLS][Unknown][Web][Safe][www.repubblica.it] detection-update: [.....1] [ip4][..tcp] [..192.168.2.126][60174] -> [.104.111.215.93][..443] [TLS][Unknown][Web][Safe][www.repubblica.it] - analyse: [.....1] [ip4][..tcp] [..192.168.2.126][60174] -> [.104.111.215.93][..443] [TLS][Unknown][Web][Safe][www.repubblica.it] + analyse: [.....1] [ip4][..tcp] [..192.168.2.126][60174] -> [.104.111.215.93][..443] [TLS][Unknown][Web][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.034| 0.008| 0.011| 130.013| 3.600] [PKTLEN......: 52.000| 1500.000| 532.900| 584.900| 342142.300| 4.100] diff --git a/test/results/flow-info/default/tls_with_huge_ch.pcapng.out b/test/results/flow-info/default/tls_with_huge_ch.pcapng.out new file mode 100644 index 000000000..17b76dd79 --- /dev/null +++ b/test/results/flow-info/default/tls_with_huge_ch.pcapng.out 
@@ -0,0 +1,19 @@ + DAEMON-EVENT: init + DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0] + DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] + new: [.....1] [ip4][..tcp] [..172.30.84.193][40640] -> [208.253.217.142][..443] + detected: [.....1] [ip4][..tcp] [..172.30.84.193][40640] -> [208.253.217.142][..443] [TLS][Unknown][Web][Safe][] + RISK: Missing SNI TLS Extn, ALPN/SNI Mismatch, Obfuscated Traffic + analyse: [.....1] [ip4][..tcp] [..172.30.84.193][40640] -> [208.253.217.142][..443] [TLS][Unknown][Web][Safe] + min| max| avg| stddev| variance| entropy + [IAT.........: < 0.001| 2.012| 0.239| 0.473| 223961.678| 3.000] + [PKTLEN......: 52.000| 1076.000| 410.500| 482.400| 232750.200| 4.000] + [BINS(c->s)..: 5,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [BINS(s->c)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + [DIRECTIONS..: 0,0,1,1,0,0,0,0,1,1,0,0,1,1,0,0,0,0,1,1,1,1,0,0,0,0,0,1,1,1,1,1] + [IATS(ms)....: 1026.7,1168.3,1014.0,2012.4,2.2,0.4,20.3,996.7,23.0,142.1,0.4,141.9,0.2,227.3,1.5,0.2,0.3,228.2,1.5,0.3,0.3,202.4,0.2,1.4,0.2,0.1,201.2,0.6,1.0,0.2,0.0] + [PKTLENS.....: 60,60,60,60,60,52,52,1076,60,52,1076,1076,52,52,1076,1076,1076,1076,52,52,52,52,1076,1076,1076,1076,211,52,52,52,52,52] + [ENTROPIES...: 4.8,4.8,5.3,5.4,4.8,5.1,5.1,2.4,5.4,5.2,0.5,0.5,5.1,5.2,0.5,0.5,0.5,0.5,5.2,5.2,5.2,5.1,0.5,0.5,0.5,0.5,1.9,5.1,5.1,5.1,5.1,5.2] + idle: [.....1] [ip4][..tcp] [..172.30.84.193][40640] -> [208.253.217.142][..443] [TLS][Unknown][Web][Safe] + RISK: Missing SNI TLS Extn, ALPN/SNI Mismatch, Obfuscated Traffic + DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tor.pcap.out b/test/results/flow-info/default/tor.pcap.out index 7010fa9e5..f6855da45 100644 --- a/test/results/flow-info/default/tor.pcap.out +++ b/test/results/flow-info/default/tor.pcap.out 
@@ -37,7 +37,7 @@ new: [.....5] [ip4][..udp] [..192.168.1.252][..138] -> [..192.168.1.255][..138] detected: [.....5] [ip4][..udp] [..192.168.1.252][..138] -> [..192.168.1.255][..138] [NetBIOS.SMBv1][Unknown][System][Dangerous][endian-pc] RISK: Unsafe Protocol - analyse: [.....3] [ip4][..tcp] [..192.168.1.252][51112] -> [...38.229.70.53][..443] [TLS.Tor][Unknown][VPN][Potentially Dangerous][www.q4cyamnc6mtokjurvdclt.com] + analyse: [.....3] [ip4][..tcp] [..192.168.1.252][51112] -> [...38.229.70.53][..443] [TLS.Tor][Unknown][VPN][Potentially Dangerous] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 31.166| 2.329| 7.550| 56997495.964| 1.900] [PKTLEN......: 40.000| 1500.000| 355.800| 354.900| 125974.500| 4.300] @@ -47,7 +47,7 @@ [IATS(ms)....: 143.8,144.2,0.4,152.7,0.2,159.6,171.7,164.7,190.9,0.1,190.7,0.6,185.1,185.5,145.1,5.7,151.7,184.2,104.7,290.0,146.6,2536.0,2930.5,30770.7,31166.0,0.9,147.0,185.7,696.5,885.2,147.1] [PKTLENS.....: 52,52,46,264,40,969,238,99,114,1500,126,46,626,40,626,40,626,626,40,626,626,40,626,46,626,40,626,626,40,626,626,40] [ENTROPIES...: 4.5,4.8,4.4,5.4,4.8,7.6,6.9,5.9,6.1,7.9,6.5,4.3,7.7,4.8,7.7,4.8,7.6,7.7,4.7,7.7,7.6,4.8,7.7,4.3,7.6,4.6,7.6,7.7,4.8,7.6,7.6,4.7] - analyse: [.....1] [ip4][..tcp] [..192.168.1.252][51110] -> [..91.143.93.242][..443] [TLS][Unknown][Web][Safe][www.ct7ctrgb6cr7.com] + analyse: [.....1] [ip4][..tcp] [..192.168.1.252][51110] -> [..91.143.93.242][..443] [TLS][Unknown][Web][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 37.996| 2.549| 9.274| 86002509.021| 1.400] [PKTLEN......: 40.000| 1500.000| 448.800| 476.200| 226793.400| 4.200] 
@@ -61,7 +61,7 @@ new: [.....6] [ip4][..tcp] [..192.168.1.252][51104] -> [...157.56.30.46][..443] [MIDSTREAM] update: [.....5] [ip4][..udp] [..192.168.1.252][..138] -> [..192.168.1.255][..138] [NetBIOS.SMBv1][Unknown][System][Dangerous][endian-pc] RISK: Unsafe Protocol - analyse: [.....2] [ip4][..tcp] [..192.168.1.252][51111] -> [....46.59.52.31][..443] [TLS.Tor][Unknown][VPN][Potentially Dangerous][www.e6r5p57kbafwrxj3plz.com] + analyse: [.....2] [ip4][..tcp] [..192.168.1.252][51111] -> [....46.59.52.31][..443] [TLS.Tor][Unknown][VPN][Potentially Dangerous] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 71.328| 4.658| 14.789| 218716025.389| 1.800] [PKTLEN......: 40.000| 1500.000| 330.600| 347.100| 120444.200| 4.200] @@ -90,7 +90,7 @@ RISK: Obsolete TLS (v1.1 or older) detection-update: [.....9] [ip4][..tcp] [..192.168.1.252][51176] -> [...38.229.70.53][..443] [TLS][Unknown][Web][Safe][www.jmts2id.com] RISK: Obsolete TLS (v1.1 or older) - analyse: [.....8] [ip4][..tcp] [..192.168.1.252][51175] -> [..91.143.93.242][..443] [TLS.Tor][Unknown][VPN][Potentially Dangerous][www.gfu7hbxpfp.com] + analyse: [.....8] [ip4][..tcp] [..192.168.1.252][51175] -> [..91.143.93.242][..443] [TLS.Tor][Unknown][VPN][Potentially Dangerous] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.991| 0.147| 0.220| 48576.569| 3.900] [PKTLEN......: 40.000| 1500.000| 348.200| 347.100| 120448.800| 4.300] 
@@ -133,7 +133,7 @@ update: [.....4] [ip4][..udp] [....192.168.1.1][17500] -> [..192.168.1.255][17500] [Dropbox][Unknown][Cloud][Acceptable] DAEMON-EVENT: [Processed: 337 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 7 / 11|skipped: 0|!detected: 0|guessed: 1|detection-updates: 7|updates: 5] - analyse: [.....7] [ip4][..tcp] [..192.168.1.252][51174] -> [.212.83.155.250][..443] [TLS][Unknown][Web][Safe][www.t3i3ru.com] + analyse: [.....7] [ip4][..tcp] [..192.168.1.252][51174] -> [.212.83.155.250][..443] [TLS][Unknown][Web][Safe] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 72.890| 8.727| 22.569| 509351076.823| 2.100] [PKTLEN......: 40.000| 1500.000| 312.000| 345.900| 119666.800| 4.200] 
@@ -148,12 +148,12 @@ RISK: Obsolete TLS (v1.1 or older), Susp DGA Domain name, Unsafe Protocol idle: [.....4] [ip4][..udp] [....192.168.1.1][17500] -> [..192.168.1.255][17500] [Dropbox][Unknown][Cloud][Acceptable] idle: [....11] [ip6][..udp] [..............fe80::c583:1972:5728:7323][..546] -> [..............................ff02::1:2][..547] [DHCPV6][Unknown][Network][Acceptable] - end: [....10] [ip4][..tcp] [..192.168.1.252][51185] -> [.62.210.137.230][..443] [TLS][Unknown][Web][Safe][www.6gyip7tqim7sieb.com] + end: [....10] [ip4][..tcp] [..192.168.1.252][51185] -> [.62.210.137.230][..443] [TLS][Unknown][Web][Safe] RISK: Obsolete TLS (v1.1 or older) end: [.....7] [ip4][..tcp] [..192.168.1.252][51174] -> [.212.83.155.250][..443] [TLS][Unknown][Web][Safe][www.t3i3ru.com] RISK: Obsolete TLS (v1.1 or older) idle: [.....3] [ip4][..tcp] [..192.168.1.252][51112] -> [...38.229.70.53][..443] [TLS.Tor][Unknown][VPN][Potentially Dangerous][www.q4cyamnc6mtokjurvdclt.com] RISK: Obsolete TLS (v1.1 or older), Susp DGA Domain name, Unsafe Protocol - idle: [.....9] [ip4][..tcp] [..192.168.1.252][51176] -> [...38.229.70.53][..443] [TLS][Unknown][Web][Safe][www.jmts2id.com] + idle: [.....9] [ip4][..tcp] [..192.168.1.252][51176] -> [...38.229.70.53][..443] [TLS][Unknown][Web][Safe] RISK: Obsolete TLS (v1.1 or older) DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tumblr.pcap.out b/test/results/flow-info/default/tumblr.pcap.out index f0da8619d..6ba89eb55 100644 --- a/test/results/flow-info/default/tumblr.pcap.out +++ b/test/results/flow-info/default/tumblr.pcap.out 
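Review bot: The new expected output drops the hostname/SNI from some `end:`/`idle:` records but not from others in the same hunk: `end: [....10]` loses `www.6gyip7tqim7sieb.com` while `end: [.....7]` on the next line keeps `www.t3i3ru.com`, and `idle: [.....9]` loses its hostname while `idle: [.....3]` keeps it. The same split appears in the tunnelbear hunks (`end: [.....8]` vs `end: [.....9]` in the `@@ -71,7 +71,7 @@` hunk, and the `end: [....17]`–`[....20]` lines in `@@ -121,11 +121,11 @@`). From the fixtures alone it looks as if the field survives only on flows that previously emitted an `analyse:` record, which reads like an artifact of flow-state handling in the producer rather than an intended format change; if it is intended, a sentence in the commit description stating when the hostname is printed would make these expectations reviewable. For anyone reconstructing an incident from these records, the flow-end line is the one most likely to be retained, so losing the SNI there is a real loss of context.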
@@ -56,7 +56,7 @@ detection-update: [....10] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58380] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] [TLS][Edgecast][Web][Safe][consent.cmp.oath.com] detected: [....11] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58382] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] [TLS][Edgecast][Web][Safe][consent.cmp.oath.com] detection-update: [....11] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58382] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] [TLS][Edgecast][Web][Safe][consent.cmp.oath.com] - analyse: [....10] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58380] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] [TLS][Edgecast][Web][Safe][consent.cmp.oath.com] + analyse: [....10] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58380] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] [TLS][Edgecast][Web][Safe] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.048| 0.010| 0.016| 259.261| 3.200] [PKTLEN......: 72.000| 1280.000| 300.700| 381.900| 145812.800| 4.100] 
@@ -153,7 +153,7 @@ detected: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38608] -> [...............2a00:1450:4007:80b::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable][ajax.googleapis.com] detection-update: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][49548] -> [...............2a00:1450:4007:809::200e][..443] [TLS.Google][Google][Web][Acceptable][apis.google.com] detection-update: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38608] -> [...............2a00:1450:4007:80b::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable][ajax.googleapis.com] - analyse: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38608] -> [...............2a00:1450:4007:80b::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable][ajax.googleapis.com] + analyse: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38608] -> [...............2a00:1450:4007:80b::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.067| 0.011| 0.020| 396.007| 3.200] [PKTLEN......: 72.000| 1280.000| 378.400| 464.300| 215557.600| 4.100] 
@@ -163,7 +163,7 @@ [IATS(ms)....: 67.4,67.5,0.3,44.1,5.3,0.0,49.1,0.0,0.1,0.1,18.6,10.2,0.7,42.4,0.0,12.9,0.2,14.3,2.0,0.0,16.1,2.6,0.0,2.6,0.0,0.1,0.0,0.0,0.0,0.0,0.0] [PKTLENS.....: 80,80,72,589,72,1280,1280,72,72,572,72,136,164,350,72,652,72,103,72,103,72,72,521,1280,72,72,1280,1280,1280,72,72,72] [ENTROPIES...: 4.9,5.3,5.2,4.5,5.1,7.8,7.8,5.3,5.2,7.5,5.2,6.2,6.5,7.3,5.0,7.7,5.2,5.9,5.0,5.8,5.1,5.2,7.5,7.8,5.1,5.1,7.8,7.8,7.8,5.2,5.1,5.2] - analyse: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][49548] -> [...............2a00:1450:4007:809::200e][..443] [TLS.Google][Google][Web][Acceptable][apis.google.com] + analyse: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][49548] -> [...............2a00:1450:4007:809::200e][..443] [TLS.Google][Google][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.083| 0.014| 0.021| 424.643| 3.600] [PKTLEN......: 72.000| 1280.000| 384.200| 474.800| 225406.500| 4.100] 
@@ -179,7 +179,7 @@ detected: [....45] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39164] -> [......................64:ff9b::6006:749][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads][sb.scorecardresearch.com] new: [....46] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][42674] -> [.....................64:ff9b::4a72:9a15][..443] [MIDSTREAM] detection-update: [....45] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39164] -> [......................64:ff9b::6006:749][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads][sb.scorecardresearch.com] - analyse: [....12] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39152] -> [......................64:ff9b::6006:749][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads][sb.scorecardresearch.com] + analyse: [....12] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39152] -> [......................64:ff9b::6006:749][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 16.589| 1.119| 4.059| 16477581.214| 1.400] [PKTLEN......: 72.000| 1351.000| 350.400| 367.900| 135349.600| 4.300] 
@@ -208,7 +208,7 @@ idle: [.....1] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56592] -> [.....................64:ff9b::9765:798c][..443] guessed: [....18] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56594] -> [.....................64:ff9b::9765:798c][..443] [TLS][Unknown][Web][Safe] idle: [....18] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56594] -> [.....................64:ff9b::9765:798c][..443] - idle: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47118] -> [.................2001:4998:14:800::1001][..443] [TLS.Yahoo][Unknown][Web][Safe][cookiex.ngd.yahoo.com] + idle: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47118] -> [.................2001:4998:14:800::1001][..443] [TLS.Yahoo][Unknown][Web][Safe] idle: [....42] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][55560] -> [...............2a00:1450:4007:817::200a][..443] [TLS][Google][Web][Safe] guessed: [.....3] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56640] -> [.....................64:ff9b::9765:798c][..443] [TLS][Unknown][Web][Safe] idle: [.....3] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56640] -> [.....................64:ff9b::9765:798c][..443] diff --git a/test/results/flow-info/default/tunnelbear.pcap.out b/test/results/flow-info/default/tunnelbear.pcap.out index a8691647d..3076fcb91 100644 --- a/test/results/flow-info/default/tunnelbear.pcap.out +++ b/test/results/flow-info/default/tunnelbear.pcap.out 
@@ -21,7 +21,7 @@ new: [.....7] [ip4][..tcp] [.......10.8.0.1][47496] -> [162.247.243.188][..443] detected: [.....7] [ip4][..tcp] [.......10.8.0.1][47496] -> [162.247.243.188][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads][mobile-collector.newrelic.com] detection-update: [.....7] [ip4][..tcp] [.......10.8.0.1][47496] -> [162.247.243.188][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads][mobile-collector.newrelic.com] - analyse: [.....3] [ip4][..tcp] [.......10.8.0.1][45104] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com] + analyse: [.....3] [ip4][..tcp] [.......10.8.0.1][45104] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.266| 0.037| 0.060| 3626.297| 3.500] [PKTLEN......: 40.000| 3697.000| 426.000| 812.300| 659832.900| 3.500] @@ -37,7 +37,7 @@ detected: [.....9] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com] detection-update: [.....9] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com] detection-update: [.....8] [ip4][..tcp] [.......10.8.0.1][45124] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com] - analyse: [.....9] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com] + analyse: [.....9] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.234| 0.036| 0.055| 3015.001| 3.600] [PKTLEN......: 40.000| 789.000| 149.700| 198.300| 39337.400| 4.100] 
@@ -71,7 +71,7 @@ end: [.....4] [ip4][..tcp] [.......10.8.0.1][45106] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable] end: [.....5] [ip4][..tcp] [.......10.8.0.1][45108] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable] end: [.....6] [ip4][..tcp] [.......10.8.0.1][45114] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable] - end: [.....8] [ip4][..tcp] [.......10.8.0.1][45124] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com] + end: [.....8] [ip4][..tcp] [.......10.8.0.1][45124] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable] end: [.....9] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com] detection-update: [....14] [ip4][..tcp] [.......10.8.0.1][47046] -> [.74.125.200.188][.5228] [TLS.GoogleServices][Google][Web][Acceptable][mtalk.google.com] RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS 
@@ -96,7 +96,7 @@
 detection-update: [....20] [ip4][..tcp] [.......10.8.0.1][33848] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
 detection-update: [....16] [ip4][..tcp] [.......10.8.0.1][50904] -> [.104.17.154.236][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.tunnelbear.com]
 detection-update: [....21] [ip4][..tcp] [.......10.8.0.1][48222] -> [162.247.243.188][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads][mobile-collector.newrelic.com]
- analyse: [....15] [ip4][..tcp] [.......10.8.0.1][33830] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ analyse: [....15] [ip4][..tcp] [.......10.8.0.1][33830] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
 min| max| avg| stddev| variance| entropy
 [IAT.........: < 0.001| 0.340| 0.040| 0.084| 7024.527| 3.000]
 [PKTLEN......: 40.000| 2940.000| 240.400| 516.400| 266681.900| 3.500]
@@ -121,11 +121,11 @@
 RISK: TLS (probably) Not Carrying HTTPS
 end: [....10] [ip4][..tcp] [..10.158.132.91][38398] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
 RISK: Unidirectional Traffic
- idle: [.....2] [ip4][..tcp] [.......10.8.0.1][50178] -> [.104.17.154.236][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.tunnelbear.com]
+ idle: [.....2] [ip4][..tcp] [.......10.8.0.1][50178] -> [.104.17.154.236][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
 end: [....15] [ip4][..tcp] [.......10.8.0.1][33830] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- end: [....17] [ip4][..tcp] [.......10.8.0.1][33838] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- end: [....18] [ip4][..tcp] [.......10.8.0.1][33842] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- end: [....19] [ip4][..tcp] [.......10.8.0.1][33846] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
- end: [....20] [ip4][..tcp] [.......10.8.0.1][33848] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable][api.polargrizzly.com]
+ end: [....17] [ip4][..tcp] [.......10.8.0.1][33838] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
+ end: [....18] [ip4][..tcp] [.......10.8.0.1][33842] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
+ end: [....19] [ip4][..tcp] [.......10.8.0.1][33846] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
+ end: [....20] [ip4][..tcp] [.......10.8.0.1][33848] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
 idle: [....22] [ip4][..tcp] [.......10.8.0.1][33858] -> [..104.17.114.40][..443] [TLS.TunnelBear][Cloudflare][VPN][Acceptable]
 DAEMON-EVENT: shutdown
diff --git a/test/results/flow-info/default/viber.pcap.out b/test/results/flow-info/default/viber.pcap.out
index ae2df7a29..a24c13c2c 100644
--- a/test/results/flow-info/default/viber.pcap.out
+++ b/test/results/flow-info/default/viber.pcap.out
@@ -17,7 +17,6 @@
 detection-update: [.....5] [ip4][..tcp] [...192.168.0.17][36986] -> [..54.69.166.226][..443] [TLS][AmazonAWS][Web][Safe][mapi.apptimize.com]
 new: [.....6] [ip4][..tcp] [...192.168.0.17][36988] -> [..54.69.166.226][..443]
 detected: [.....6] [ip4][..tcp] [...192.168.0.17][36988] -> [..54.69.166.226][..443] [TLS][AmazonAWS][Web][Safe][mapi.apptimize.com]
- detection-update: [.....6] [ip4][..tcp] [...192.168.0.17][36988] -> [..54.69.166.226][..443] [TLS][AmazonAWS][Web][Safe][mapi.apptimize.com]
 new: [.....7] [ip4][..udp] [...192.168.0.17][37418] -> [...192.168.0.15][...53]
 detected: [.....7] [ip4][..udp] [...192.168.0.17][37418] -> [...192.168.0.15][...53] [DNS.Viber][Unknown][Network][Fun][media.cdn.viber.com]
 detection-update: [.....7] [ip4][..udp] [...192.168.0.17][37418] -> [...192.168.0.15][...53] [DNS.Viber][Unknown][Network][Fun][media.cdn.viber.com]
@@ -58,7 +57,6 @@
 detection-update: [....16] [ip4][..udp] [...192.168.0.17][44376] -> [...192.168.0.15][...53] [DNS][Unknown][Network][Acceptable][venetia.iad.appboy.com]
 new: [....17] [ip4][..tcp] [...192.168.0.17][55746] -> [..151.101.1.130][..443]
 detected: [....17] [ip4][..tcp] [...192.168.0.17][55746] -> [..151.101.1.130][..443] [TLS][Unknown][Web][Safe][venetia.iad.appboy.com]
- detection-update: [....17] [ip4][..tcp] [...192.168.0.17][55746] -> [..151.101.1.130][..443] [TLS][Unknown][Web][Safe][venetia.iad.appboy.com]
 analyse: [.....1] [ip4][..tcp] [...192.168.0.17][33208] -> [...52.0.253.101][.4244]
 min| max| avg| stddev| variance| entropy
 [IAT.........: < 0.001| 10.702| 1.934| 2.902| 8424002.683| 3.500]
@@ -116,7 +114,7 @@
 update: [.....2] [ip4][..udp] [...192.168.0.17][45743] -> [...192.168.0.15][...53] [DNS.Facebook][Unknown][Network][Fun][graph.facebook.com]
 update: [.....4] [ip4][..udp] [...192.168.0.17][62872] -> [...192.168.0.15][...53] [DNS][Unknown][Network][Acceptable][mapi.apptimize.com]
 DAEMON-EVENT: [Processed: 420 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 26 / 26|skipped: 0|!detected: 0|guessed: 1|detection-updates: 19|updates: 4]
+ DAEMON-EVENT: [Flows][active: 26 / 26|skipped: 0|!detected: 0|guessed: 1|detection-updates: 17|updates: 4]
 new: [....27] [ip4][..tcp] [..192.168.2.100][48690] -> [...52.0.252.145][.4244]
 detected: [....27] [ip4][..tcp] [..192.168.2.100][48690] -> [...52.0.252.145][.4244] [Viber][Viber][VoIP][Fun]
 end: [.....5] [ip4][..tcp] [...192.168.0.17][36986] -> [..54.69.166.226][..443] [TLS][AmazonAWS][Web][Safe]
@@ -144,24 +142,24 @@
 idle: [....25] [ip4][..udp] [...192.168.0.17][50097] -> [...192.168.0.15][...53] [DNS.Google][Unknown][Network][Acceptable][www.google.com]
 idle: [....23] [ip4][..udp] [...192.168.0.17][38190] -> [.....18.201.4.3][.7985] [Viber][AmazonAWS][VoIP][Fun]
 idle: [....24] [ip4][..udp] [...192.168.0.17][38190] -> [.....18.201.4.3][.7987] [Viber][AmazonAWS][VoIP][Fun]
- idle: [....13] [ip4][..tcp] [...192.168.0.17][43702] -> [..172.217.23.78][..443] [TLS.Google][Google][Web][Acceptable][app-measurement.com]
+ idle: [....13] [ip4][..tcp] [...192.168.0.17][43702] -> [..172.217.23.78][..443] [TLS.Google][Google][Web][Acceptable]
 idle: [....16] [ip4][..udp] [...192.168.0.17][44376] -> [...192.168.0.15][...53] [DNS][Unknown][Network][Acceptable][venetia.iad.appboy.com]
 idle: [.....4] [ip4][..udp] [...192.168.0.17][62872] -> [...192.168.0.15][...53] [DNS][Unknown][Network][Acceptable][mapi.apptimize.com]
 guessed: [....22] [ip4][..tcp] [...192.168.0.17][33744] -> [.....18.201.4.3][..443] [TLS][AmazonAWS][Web][Safe]
 end: [....22] [ip4][..tcp] [...192.168.0.17][33744] -> [.....18.201.4.3][..443]
 idle: [.....9] [ip4][..udp] [...192.168.0.17][40445] -> [...192.168.0.15][...53] [DNS.Viber][Unknown][Network][Fun][dl-media.viber.com]
 DAEMON-EVENT: [Processed: 435 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 1 / 27|skipped: 0|!detected: 0|guessed: 4|detection-updates: 19|updates: 4]
+ DAEMON-EVENT: [Flows][active: 1 / 27|skipped: 0|!detected: 0|guessed: 4|detection-updates: 17|updates: 4]
 new: [....28] [ip4][..tcp] [..192.168.2.100][41184] -> [.....52.0.252.2][.5242]
 detected: [....28] [ip4][..tcp] [..192.168.2.100][41184] -> [.....52.0.252.2][.5242] [Viber][Viber][VoIP][Fun]
 DAEMON-EVENT: [Processed: 446 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 2 / 28|skipped: 0|!detected: 0|guessed: 4|detection-updates: 19|updates: 4]
+ DAEMON-EVENT: [Flows][active: 2 / 28|skipped: 0|!detected: 0|guessed: 4|detection-updates: 17|updates: 4]
 new: [....29] [ip4][..tcp] [..192.168.2.100][42900] -> [..44.192.202.74][.4244] [MIDSTREAM]
 detected: [....29] [ip4][..tcp] [..192.168.2.100][42900] -> [..44.192.202.74][.4244] [Viber][AmazonAWS][VoIP][Fun]
 end: [....28] [ip4][..tcp] [..192.168.2.100][41184] -> [.....52.0.252.2][.5242] [Viber][Viber][VoIP][Fun]
 idle: [....27] [ip4][..tcp] [..192.168.2.100][48690] -> [...52.0.252.145][.4244] [Viber][Viber][VoIP][Fun]
 DAEMON-EVENT: [Processed: 447 pkts][ZLib][compressions: 0|diff: 0 / 0]
- DAEMON-EVENT: [Flows][active: 1 / 29|skipped: 0|!detected: 0|guessed: 4|detection-updates: 19|updates: 4]
+ DAEMON-EVENT: [Flows][active: 1 / 29|skipped: 0|!detected: 0|guessed: 4|detection-updates: 17|updates: 4]
 new: [....30] [ip4][..udp] [.192.168.12.156][40482] -> [...18.195.4.121][..443]
 detected: [....30] [ip4][..udp] [.192.168.12.156][40482] -> [...18.195.4.121][..443] [STUN][Viber][Network][Acceptable][]
 RISK: Known Proto on Non Std Port
diff --git a/test/results/flow-info/default/wa_voice.pcap.out b/test/results/flow-info/default/wa_voice.pcap.out
index df85859ce..500d8efe4 100644
--- a/test/results/flow-info/default/wa_voice.pcap.out
+++ b/test/results/flow-info/default/wa_voice.pcap.out
@@ -29,7 +29,7 @@
 new: [.....7] [ip4][..tcp] [...192.168.2.12][50503] -> [....31.13.86.51][..443]
 detected: [.....7] [ip4][..tcp] [...192.168.2.12][50503] -> [....31.13.86.51][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable][media-mxp1-1.cdn.whatsapp.net]
 detection-update: [.....7] [ip4][..tcp] [...192.168.2.12][50503] -> [....31.13.86.51][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable][media-mxp1-1.cdn.whatsapp.net]
- analyse: [.....7] [ip4][..tcp] [...192.168.2.12][50503] -> [....31.13.86.51][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable][media-mxp1-1.cdn.whatsapp.net]
+ analyse: [.....7] [ip4][..tcp] [...192.168.2.12][50503] -> [....31.13.86.51][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable]
 min| max| avg| stddev| variance| entropy
 [IAT.........: 0.000| 0.163| 0.020| 0.047| 2203.182| 2.500]
 [PKTLEN......: 52.000| 1440.000| 343.600| 489.700| 239839.300| 3.900]
@@ -84,7 +84,7 @@
 new: [....21] [ip4][..tcp] [...192.168.2.12][50504] -> [..157.240.20.52][..443]
 detected: [....21] [ip4][..tcp] [...192.168.2.12][50504] -> [..157.240.20.52][..443] [TLS.WhatsApp][WhatsApp][Chat][Acceptable][pps.whatsapp.net]
 detection-update: [....21] [ip4][..tcp] [...192.168.2.12][50504] -> [..157.240.20.52][..443] [TLS.WhatsApp][WhatsApp][Chat][Acceptable][pps.whatsapp.net]
- analyse: [....21] [ip4][..tcp] [...192.168.2.12][50504] -> [..157.240.20.52][..443] [TLS.WhatsApp][WhatsApp][Chat][Acceptable][pps.whatsapp.net]
+ analyse: [....21] [ip4][..tcp] [...192.168.2.12][50504] -> [..157.240.20.52][..443] [TLS.WhatsApp][WhatsApp][Chat][Acceptable]
 min| max| avg| stddev| variance| entropy
 [IAT.........: < 0.001| 0.129| 0.020| 0.031| 949.768| 3.500]
 [PKTLEN......: 52.000| 1440.000| 374.400| 526.300| 277041.400| 3.900]
diff --git a/test/results/flow-info/default/webex.pcap.out b/test/results/flow-info/default/webex.pcap.out
index 06a8c0f45..47cf0902e 100644
--- a/test/results/flow-info/default/webex.pcap.out
+++ b/test/results/flow-info/default/webex.pcap.out
@@ -31,7 +31,7 @@
 RISK: TLS (probably) Not Carrying HTTPS
 detection-update: [.....4] [ip4][..tcp] [.......10.8.0.1][41351] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable][radcom.webex.com]
 RISK: TLS (probably) Not Carrying HTTPS
- analyse: [.....2] [ip4][..tcp] [.......10.8.0.1][41348] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable][radcom.webex.com]
+ analyse: [.....2] [ip4][..tcp] [.......10.8.0.1][41348] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable]
 min| max| avg| stddev| variance| entropy
 [IAT.........: < 0.001| 0.455| 0.115| 0.126| 15828.845| 4.100]
 [PKTLEN......: 40.000| 18006.000| 1574.700| 3700.100| 13691057.000| 2.900]
@@ -399,9 +399,9 @@
 RISK: TLS (probably) Not Carrying HTTPS
 idle: [.....2] [ip4][..tcp] [.......10.8.0.1][41348] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable][radcom.webex.com]
 RISK: TLS (probably) Not Carrying HTTPS
- idle: [.....3] [ip4][..tcp] [.......10.8.0.1][41350] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable][radcom.webex.com]
+ idle: [.....3] [ip4][..tcp] [.......10.8.0.1][41350] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable]
 RISK: TLS (probably) Not Carrying HTTPS
- idle: [.....4] [ip4][..tcp] [.......10.8.0.1][41351] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable][radcom.webex.com]
+ idle: [.....4] [ip4][..tcp] [.......10.8.0.1][41351] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable]
 RISK: TLS (probably) Not Carrying HTTPS
 end: [.....7] [ip4][..tcp] [.......10.8.0.1][41354] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable]
 RISK: Obsolete TLS (v1.1 or older), Weak TLS Cipher
diff --git a/test/results/flow-info/default/wechat.pcap.out b/test/results/flow-info/default/wechat.pcap.out
index f2ce69afb..08c5c3e49 100644
--- a/test/results/flow-info/default/wechat.pcap.out
+++ b/test/results/flow-info/default/wechat.pcap.out
@@ -40,7 +40,7 @@
 detection-update: [....17] [ip4][..tcp] [..192.168.1.103][54090] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com]
 detection-update: [....17] [ip4][..tcp] [..192.168.1.103][54090] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com]
 detected: [....18] [ip4][..tcp] [..192.168.1.103][54091] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com]
- analyse: [....16] [ip4][..tcp] [..192.168.1.103][54089] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com]
+ analyse: [....16] [ip4][..tcp] [..192.168.1.103][54089] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun]
 min| max| avg| stddev| variance| entropy
 [IAT.........: < 0.001| 0.411| 0.155| 0.181| 32640.860| 3.800]
 [PKTLEN......: 52.000| 5878.000| 715.500| 1101.200| 1212669.600| 3.900]
@@ -73,7 +73,7 @@
 detection-update: [....24] [ip4][..tcp] [..192.168.1.103][54096] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com]
 detection-update: [....24] [ip4][..tcp] [..192.168.1.103][54096] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com]
 new: [....25] [ip4][..tcp] [..192.168.1.103][40740] -> [203.205.151.211][..443] [MIDSTREAM]
- analyse: [....22] [ip4][..tcp] [..192.168.1.103][54094] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com]
+ analyse: [....22] [ip4][..tcp] [..192.168.1.103][54094] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun]
 min| max| avg| stddev| variance| entropy
 [IAT.........: < 0.001| 4.544| 0.482| 1.044| 1090167.570| 3.200]
 [PKTLEN......: 52.000| 1740.000| 523.200| 556.000| 309130.700| 4.200]
@@ -83,7 +83,7 @@
 [IATS(ms)....: 359.2,359.3,0.4,360.6,1.9,362.1,0.5,0.5,3.6,359.7,357.1,3.3,369.2,32.8,2.8,400.5,15.0,3.3,382.0,38.0,403.1,2.4,369.1,37.0,438.8,4139.7,3.3,4544.3,34.1,398.8,1152.6]
 [PKTLENS.....: 60,60,52,290,52,1480,52,1740,52,178,103,1292,527,52,1480,221,52,1225,429,52,250,1292,527,52,988,52,1292,527,52,989,52,1220]
 [ENTROPIES...: 4.6,5.1,5.0,5.9,5.1,6.8,5.1,7.6,5.0,6.3,6.0,7.8,7.5,5.2,7.9,7.1,5.1,7.8,7.4,5.2,7.1,7.8,7.5,5.2,7.8,5.0,7.9,7.6,5.2,7.8,5.0,7.9]
- analyse: [....23] [ip4][..tcp] [..192.168.1.103][54095] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com]
+ analyse: [....23] [ip4][..tcp] [..192.168.1.103][54095] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun]
 min| max| avg| stddev| variance| entropy
 [IAT.........: < 0.001| 3.384| 0.466| 0.827| 684250.497| 3.400]
 [PKTLEN......: 52.000| 8277.000| 746.100| 1463.300| 2141136.500| 3.600]
@@ -119,7 +119,7 @@
 detected: [....27] [ip4][..tcp] [..192.168.1.103][54098] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com]
 detection-update: [....27] [ip4][..tcp] [..192.168.1.103][54098] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com]
 detection-update: [....27] [ip4][..tcp] [..192.168.1.103][54098] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com]
- analyse: [....26] [ip4][..tcp] [..192.168.1.103][54097] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com]
+ analyse: [....26] [ip4][..tcp] [..192.168.1.103][54097] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun]
 min| max| avg| stddev| variance| entropy
 [IAT.........: < 0.001| 6.862| 1.014| 1.948| 3793749.017| 3.100]
 [PKTLEN......: 52.000| 1740.000| 496.000| 523.800| 274414.800| 4.200]
@@ -129,7 +129,7 @@
 [IATS(ms)....: 362.7,362.7,0.7,359.8,0.7,359.7,1.8,1.8,3.2,360.0,358.1,7.2,373.9,64.6,431.4,4.5,369.6,40.0,442.3,4042.2,3.3,4448.9,74.4,439.2,6493.5,3.3,6862.2,32.1,397.5,4719.1,3.2]
 [PKTLENS.....: 60,60,52,290,52,1480,52,1740,52,178,103,1220,521,52,283,1292,527,52,988,52,1220,511,52,283,52,1292,527,52,989,52,1220,516]
 [ENTROPIES...: 4.7,5.2,5.1,5.9,5.1,6.8,5.0,7.6,4.9,6.4,6.0,7.8,7.6,5.1,7.2,7.8,7.6,5.0,7.8,5.1,7.8,7.5,4.9,7.2,5.0,7.8,7.6,5.2,7.8,5.0,7.8,7.5]
- analyse: [....27] [ip4][..tcp] [..192.168.1.103][54098] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com]
+ analyse: [....27] [ip4][..tcp] [..192.168.1.103][54098] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun]
 min| max| avg| stddev| variance| entropy
 [IAT.........: < 0.001| 6.095| 1.335| 2.042| 4168801.845| 3.500]
 [PKTLEN......: 52.000| 1740.000| 437.700| 521.000| 271486.500| 4.100]
@@ -139,7 +139,7 @@
 [IATS(ms)....: 346.8,346.9,899.5,1092.8,193.2,160.5,1.8,162.3,0.6,0.5,2.9,351.9,387.2,4178.9,3.3,4577.7,29.2,386.6,5733.7,3.7,6095.0,83.0,440.7,5485.5,3.3,5845.9,30.2,387.3,1889.1,2.7,2250.0]
 [PKTLENS.....: 60,60,52,290,60,52,52,1480,52,1740,52,178,103,52,1292,527,52,989,52,1220,508,52,283,52,1292,527,52,989,52,1220,513,52]
 [ENTROPIES...: 4.8,5.2,5.0,5.9,5.3,5.1,5.1,6.8,5.0,7.6,4.9,6.4,5.9,5.0,7.8,7.6,5.0,7.8,5.0,7.8,7.6,5.1,7.2,5.1,7.8,7.5,5.1,7.8,5.1,7.8,7.6,5.1]
- analyse: [.....5] [ip4][..tcp] [..192.168.1.103][38657] -> [..172.217.22.14][..443] [TLS.Google][Google][Web][Acceptable][safebrowsing.googleusercontent.com]
+ analyse: [.....5] [ip4][..tcp] [..192.168.1.103][38657] -> [..172.217.22.14][..443] [TLS.Google][Google][Web][Acceptable]
 min| max| avg| stddev| variance| entropy
 [IAT.........: < 0.001| 45.056| 5.827| 15.097| 227916113.773| 2.000]
 [PKTLEN......: 52.000| 1470.000| 253.200| 422.200| 178253.900| 3.700]
@@ -182,7 +182,7 @@
 detection-update: [....35] [ip4][..tcp] [..192.168.1.103][54103] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com]
 detection-update: [....35] [ip4][..tcp] [..192.168.1.103][54103] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com]
 new: [....36] [ip4][..tcp] [..192.168.1.103][54104] -> [203.205.151.162][..443]
- analyse: [....31] [ip4][..tcp] [..192.168.1.103][54099] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com]
+ analyse: [....31] [ip4][..tcp] [..192.168.1.103][54099] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun]
 min| max| avg| stddev| variance| entropy
 [IAT.........: < 0.001| 0.469| 0.183| 0.190| 36094.243| 4.000]
 [PKTLEN......: 52.000| 1740.000| 591.500| 612.000| 374517.100| 4.200]
@@ -205,7 +205,7 @@
 [IATS(ms)....: 360.8,360.9,1.1,320.2,2.0,321.1,0.8,0.8,0.5,0.5,2.5,331.8,329.8,339.6,0.8,339.8,0.5,4.5,5.1,2.5,2.5,1.1,1.1,271.4,646.7,0.8,376.1,0.5,0.9,1.5,0.5]
 [PKTLENS.....: 60,60,52,290,52,1480,52,1480,52,312,52,178,103,1140,1480,1480,52,1480,1480,52,2908,52,3120,52,1140,1480,1480,52,1480,1480,52,1480]
 [ENTROPIES...: 4.7,5.2,5.0,5.9,5.1,6.8,5.1,7.5,5.0,7.3,5.0,6.4,5.8,7.9,7.9,7.9,5.1,7.9,7.9,5.0,7.9,5.0,7.9,5.0,7.8,7.9,7.9,5.0,7.9,7.9,5.1,7.9]
- analyse: [....33] [ip4][..tcp] [..192.168.1.103][54101] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com]
+ analyse: [....33] [ip4][..tcp] [..192.168.1.103][54101] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun]
 min| max| avg| stddev| variance| entropy
 [IAT.........: < 0.001| 0.952| 0.213| 0.233| 54375.543| 4.000]
 [PKTLEN......: 52.000| 1740.000| 543.300| 599.100| 358890.200| 4.100]
@@ -232,7 +232,7 @@
 end: [....16] [ip4][..tcp] [..192.168.1.103][54089] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com]
 end: [....17] [ip4][..tcp] [..192.168.1.103][54090] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun]
 end: [....18] [ip4][..tcp] [..192.168.1.103][54091] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun]
- end: [....19] [ip4][..tcp] [..192.168.1.103][54092] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com]
+ end: [....19] [ip4][..tcp] [..192.168.1.103][54092] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun]
 guessed: [....20] [ip4][..tcp] [..192.168.1.103][54093] -> [203.205.151.162][..443] [TLS][Unknown][Web][Safe]
 end: [....20] [ip4][..tcp] [..192.168.1.103][54093] -> [203.205.151.162][..443]
 end: [....22] [ip4][..tcp] [..192.168.1.103][54094] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com]
@@ -270,7 +270,7 @@
 new: [....45] [ip4][..tcp] [..192.168.1.103][43850] -> [.203.205.158.34][..443]
 new: [....46] [ip4][..tcp] [..192.168.1.103][43851] -> [.203.205.158.34][..443]
 detected: [....45] [ip4][..tcp] [..192.168.1.103][43850] -> [.203.205.158.34][..443] [TLS.QQ][Unknown][Chat][Fun][res.wx.qq.com]
- analyse: [....42] [ip4][..tcp] [..192.168.1.103][54113] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com]
+ analyse: [....42] [ip4][..tcp] [..192.168.1.103][54113] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun]
 min| max| avg| stddev| variance| entropy
 [IAT.........: < 0.001| 6.615| 0.560| 1.552| 2408711.979| 2.600]
 [PKTLEN......: 52.000| 1480.000| 478.200| 547.100| 299293.400| 4.100]
@@ -305,7 +305,7 @@
 update: [....44] [ip4][..udp] [..192.168.1.103][19041] -> [..192.168.1.254][...53] [DNS.QQ][Unknown][Network][Fun][res.wx.qq.com]
 update: [....47] [ip4][..udp] [..192.168.1.103][60562] -> [..192.168.1.254][...53] [DNS.Google][Unknown][Network][Acceptable][ssl.gstatic.com]
 update: [....48] [ip4][..udp] [..192.168.1.103][35601] -> [..172.217.23.67][..443] [QUIC.Google][Google][Web][Acceptable][ssl.gstatic.com]
- analyse: [....50] [ip4][..tcp] [..192.168.1.103][54117] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com]
+ analyse: [....50] [ip4][..tcp] [..192.168.1.103][54117] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun]
 min| max| avg| stddev| variance| entropy
 [IAT.........: < 0.001| 7.807| 0.648| 1.839| 3381034.746| 2.500]
 [PKTLEN......: 52.000| 1480.000| 445.300| 494.600| 244586.200| 4.200]
@@ -347,7 +347,7 @@
 update: [....49] [ip4][..udp] [..192.168.1.100][..138] -> [..192.168.1.255][..138] [NetBIOS.SMBv1][Unknown][System][Dangerous][giovanni-pc]
 RISK: Unsafe Protocol
 update: [.....2] [ip4][..udp] [..192.168.1.103][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable][_googlecast._tcp.local]
- analyse: [....52] [ip4][..tcp] [..192.168.1.103][54119] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com]
+ analyse: [....52] [ip4][..tcp] [..192.168.1.103][54119] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun]
 min| max| avg| stddev| variance| entropy
 [IAT.........: < 0.001| 7.133| 0.619| 1.664| 2769657.004| 2.700]
 [PKTLEN......: 52.000| 1480.000| 478.200| 547.100| 299307.700| 4.100]
@@ -380,7 +380,7 @@
 detected: [....57] [ip4][..tcp] [..192.168.1.103][58038] -> [203.205.147.171][..443] [TLS.WeChat][Tencent][Chat][Fun][web.wechat.com]
 detection-update: [....57] [ip4][..tcp] [..192.168.1.103][58038] -> [203.205.147.171][..443] [TLS.WeChat][Tencent][Chat][Fun][web.wechat.com]
 detection-update: [....57] [ip4][..tcp] [..192.168.1.103][58038] -> [203.205.147.171][..443] [TLS.WeChat][Tencent][Chat][Fun][web.wechat.com]
- analyse: [....57] [ip4][..tcp] [..192.168.1.103][58038] -> [203.205.147.171][..443] [TLS.WeChat][Tencent][Chat][Fun][web.wechat.com]
+ analyse: [....57] [ip4][..tcp] [..192.168.1.103][58038] -> [203.205.147.171][..443] [TLS.WeChat][Tencent][Chat][Fun]
 min| max| avg| stddev| variance| entropy
 [IAT.........: < 0.001| 2.509| 0.286| 0.565| 319614.583| 3.400]
 [PKTLEN......: 52.000| 1740.000| 537.900| 561.400| 315202.600| 4.200]
@@ -478,7 +478,7 @@
 update: [....54] [ip4][..udp] [..192.168.1.103][60356] -> [..192.168.1.254][...53] [DNS.WeChat][Unknown][Network][Fun][web.wechat.com]
 update: [....70] [ip6][icmp6] [.....................................::] -> [......................ff02::1:ff86:6c5b] [ICMPV6][Unknown][Network][Acceptable]
 update: [....68] [ip6][icmp6] [...............fe80::842:a3f3:a286:6c5b] -> [................................ff02::2] [ICMPV6][Unknown][Network][Acceptable]
- end: [....55] [ip4][..tcp] [..192.168.1.103][58036] -> [203.205.147.171][..443] [TLS.WeChat][Tencent][Chat][Fun][web.wechat.com]
+ end: [....55] [ip4][..tcp] [..192.168.1.103][58036] -> [203.205.147.171][..443] [TLS.WeChat][Tencent][Chat][Fun]
 update: [....66] [ip6][..udp] [..............fe80::91f9:3df3:7436:6cd6][50577] -> [..............................ff02::1:3][.5355] [LLMNR][Unknown][Network][Acceptable][mcztmpkc]
 update: [.....3] [ip6][..udp] [..............fe80::7a92:9cff:fe0f:a88e][.5353] -> [...............................ff02::fb][.5353] [MDNS][Unknown][Network][Acceptable][_googlecast._tcp.local]
 update: [....69] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable][iphonedimonica]
diff --git a/test/results/flow-info/default/weibo.pcap.out b/test/results/flow-info/default/weibo.pcap.out
index 8d3699480..4bff7eebe 100644
--- a/test/results/flow-info/default/weibo.pcap.out
+++ b/test/results/flow-info/default/weibo.pcap.out
@@ -73,7 +73,7 @@
 new: [....23] [ip4][..udp] [..192.168.1.105][53466] -> [....192.168.1.1][...53]
 detected: [....23] [ip4][..udp] [..192.168.1.105][53466] -> [....192.168.1.1][...53] [DNS.Alibaba][Unknown][Network][Acceptable][log.mmstat.com]
 new: [....24] [ip4][..udp] [..192.168.1.105][33822] -> [....192.168.1.1][...53]
- detected: [....24] [ip4][..udp] [..192.168.1.105][33822] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][login.taobao.com]
+ detected: [....24] [ip4][..udp] [..192.168.1.105][33822] -> [....192.168.1.1][...53] [DNS.Taobao][Unknown][Network][Acceptable][login.taobao.com]
 new: [....25] [ip4][..tcp] [..192.168.1.105][35806] -> [.93.188.134.246][...80]
 new: [....26] [ip4][..tcp] [..192.168.1.105][35807] -> [.93.188.134.246][...80]
 new: [....27] [ip4][..tcp] [..192.168.1.105][35808] -> [.93.188.134.246][...80]
@@ -105,7 +105,7 @@
 RISK: Susp DGA Domain name, Risky Domain Name
 new: [....40] [ip4][..tcp] [..192.168.1.105][52271] -> [..42.156.184.19][..443]
 new: [....41] [ip4][..tcp] [..192.168.1.105][52272] -> [..42.156.184.19][..443]
- detection-update: [....24] [ip4][..udp] [..192.168.1.105][33822] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][login.taobao.com]
+ detection-update: [....24] [ip4][..udp] [..192.168.1.105][33822] -> [....192.168.1.1][...53] [DNS.Taobao][Unknown][Network][Acceptable][login.taobao.com]
 new: [....42] [ip4][..tcp] [..192.168.1.105][47721] -> [.140.205.170.63][..443]
 detected: [....30] [ip4][..tcp] [..192.168.1.105][42275] -> [...222.73.28.96][...80] [HTTP.Sina][Unknown][SocialNetwork][Fun][u1.img.mobile.sina.cn]
 new: [....43] [ip4][..tcp] [..192.168.1.105][52274] -> [..42.156.184.19][..443]
@@ -199,7 +199,7 @@
 RISK: Unidirectional Traffic
 idle: [....39] [ip4][..tcp] [..192.168.1.105][48356] -> [..140.205.174.1][..443]
 idle: [....10] [ip4][..udp] [..192.168.1.105][.7148] -> [....192.168.1.1][...53] [DNS.SinaWeibo][Unknown][Network][Fun][www.weibo.com]
- idle: [....24] [ip4][..udp] [..192.168.1.105][33822] -> [....192.168.1.1][...53] [DNS][Unknown][Network][Acceptable][login.taobao.com]
+ idle: [....24] [ip4][..udp] [..192.168.1.105][33822] -> [....192.168.1.1][...53] [DNS.Taobao][Unknown][Network][Acceptable][login.taobao.com]
 guessed: [.....1] [ip4][..udp] [..216.58.210.14][..443] -> [..192.168.1.105][49361] [QUIC][Google][Web][Acceptable]
 RISK: Susp Entropy
 idle: [.....1] [ip4][..udp] [..216.58.210.14][..443] -> [..192.168.1.105][49361]
diff --git a/test/results/flow-info/default/whatsapp_login_call.pcap.out b/test/results/flow-info/default/whatsapp_login_call.pcap.out
index dd0bef371..6a7917465 100644
--- a/test/results/flow-info/default/whatsapp_login_call.pcap.out
+++ b/test/results/flow-info/default/whatsapp_login_call.pcap.out
@@ -56,7 +56,7 @@
 RISK: TLS (probably) Not Carrying HTTPS
 detection-update: [....17] [ip4][..tcp] [....192.168.2.4][49204] -> [..17.173.66.102][..443] [TLS.AppleStore][Apple][SoftwareUpdate][Safe][p53-buy.itunes.apple.com]
 RISK: TLS (probably) Not Carrying HTTPS
- analyse: [....17] [ip4][..tcp] [....192.168.2.4][49204] -> [..17.173.66.102][..443] [TLS.AppleStore][Apple][SoftwareUpdate][Safe][p53-buy.itunes.apple.com]
+ analyse: [....17] [ip4][..tcp] [....192.168.2.4][49204] -> [..17.173.66.102][..443] [TLS.AppleStore][Apple][SoftwareUpdate][Safe]
 min| max| avg| stddev| variance| entropy
 [IAT.........: < 0.001| 0.246| 0.057| 0.089| 7910.915| 3.400]
 [PKTLEN......: 40.000| 1480.000| 289.300| 408.500| 166890.900| 3.900]
@@ -254,7 +254,7 @@
 RISK: TLS (probably) Not Carrying HTTPS
 detection-update: [....57] [ip4][..tcp] [....192.168.2.4][49205] -> [..17.173.66.102][..443] [TLS.AppleStore][Apple][SoftwareUpdate][Safe][p53-buy.itunes.apple.com]
 RISK: TLS (probably) Not Carrying HTTPS
- analyse: [....57] [ip4][..tcp] [....192.168.2.4][49205] -> [..17.173.66.102][..443] [TLS.AppleStore][Apple][SoftwareUpdate][Safe][p53-buy.itunes.apple.com]
+ analyse: [....57] [ip4][..tcp] [....192.168.2.4][49205] -> [..17.173.66.102][..443] [TLS.AppleStore][Apple][SoftwareUpdate][Safe]
 min| max| avg| stddev| variance| entropy
 [IAT.........: < 0.001| 0.272| 0.058| 0.092| 8444.798| 3.300]
 [PKTLEN......: 40.000| 1480.000| 289.300| 408.500| 166876.700| 3.900]
diff --git a/test/results/flow-info/default/whatsappfiles.pcap.out b/test/results/flow-info/default/whatsappfiles.pcap.out
index f47961c4a..1820a0346 100644
--- a/test/results/flow-info/default/whatsappfiles.pcap.out
+++ b/test/results/flow-info/default/whatsappfiles.pcap.out
@@ -5,7 +5,7 @@
 detected: [.....1] [ip4][..tcp] [...192.168.2.29][49674] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable][mmg-fna.whatsapp.net]
 detection-update: [.....1] [ip4][..tcp] [...192.168.2.29][49674] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable][mmg-fna.whatsapp.net]
 detection-update: [.....1] [ip4][..tcp] [...192.168.2.29][49674] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable][mmg-fna.whatsapp.net]
- analyse: [.....1] [ip4][..tcp] [...192.168.2.29][49674] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable][mmg-fna.whatsapp.net]
+ analyse: [.....1] [ip4][..tcp] [...192.168.2.29][49674] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable]
 min| max| avg| stddev| variance| entropy
 [IAT.........: < 0.001| 24.640| 0.846| 4.345| 18880535.724| 0.500]
 [PKTLEN......: 52.000| 1450.000| 329.100| 491.800| 241822.200| 3.800]
@@ -18,7 +18,7 @@
 new: [.....2] [ip4][..tcp] [...192.168.2.29][49698] -> [..185.60.216.53][..443]
 detected: [.....2] [ip4][..tcp] [...192.168.2.29][49698] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable][mmg-fna.whatsapp.net]
 detection-update: [.....2] [ip4][..tcp] [...192.168.2.29][49698] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable][mmg-fna.whatsapp.net]
- analyse: [.....2] [ip4][..tcp] [...192.168.2.29][49698] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable][mmg-fna.whatsapp.net]
+ analyse: [.....2] [ip4][..tcp] [...192.168.2.29][49698] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][WhatsApp][Download][Acceptable]
 min| max| avg| stddev| variance| entropy
 [IAT.........: < 0.001| 0.108| 0.019| 0.031| 953.946| 3.300]
 [PKTLEN......: 52.000| 1450.000| 485.400| 599.200| 359069.100| 4.000]
diff --git a/test/results/flow-info/default/zoom.pcap.out b/test/results/flow-info/default/zoom.pcap.out
index c76f9eff6..1f051c54f 100644
--- a/test/results/flow-info/default/zoom.pcap.out
+++ b/test/results/flow-info/default/zoom.pcap.out
@@ -120,7 +120,7 @@
 RISK: TLS (probably) Not Carrying HTTPS
 detection-update: [.....4] [ip4][..tcp] [..192.168.1.117][54341] -> [.62.149.152.153][..993] [IMAPS][Unknown][Email][Safe]
 RISK: Unidirectional Traffic
- analyse: [....30] [ip4][..tcp] [..192.168.1.117][54871] -> [..109.94.160.99][..443] [TLS.Zoom][Unknown][Video][Acceptable][zoomfrn99mmr.zoom.us]
+ analyse: [....30] [ip4][..tcp] [..192.168.1.117][54871] -> [..109.94.160.99][..443] [TLS.Zoom][Unknown][Video][Acceptable]
 min| max| avg| stddev| variance| entropy
 [IAT.........: < 0.001| 0.156| 0.028| 0.040| 1628.090| 3.800]
 [PKTLEN......: 52.000| 1492.000| 420.500| 552.400| 305116.100| 3.900]
@@ -205,7 +205,7 @@
 RISK: Known Proto on Non Std Port
 idle: [.....2] [ip4][..udp] [..192.168.1.117][.5353] -> [....224.0.0.251][.5353] [MDNS][Unknown][Network][Acceptable]
 idle: [....22] [ip4][..udp] [..192.168.1.117][57621] -> [..192.168.1.255][57621] [Spotify][Unknown][Music][Fun]
- end: [.....3] [ip4][..tcp] [..192.168.1.117][54863] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org]
+ end: [.....3] [ip4][..tcp] [..192.168.1.117][54863] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe]
 RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS
 idle: [....24] [ip4][..udp] [..192.168.1.117][58063] -> [....192.168.1.1][...53] [DNS.Zoom][Unknown][Network][Acceptable][zoomfr84zc.zoom.us]
 end: [....25] [ip4][..tcp] [..192.168.1.117][54867] -> [.213.19.144.105][..443] [TLS.Zoom][Zoom][Video][Acceptable] |