From 05aa27e477af86eb1794807d43a2f4eceb84fa9d Mon Sep 17 00:00:00 2001 From: emanuele-f Date: Fri, 27 Sep 2019 14:01:12 +0200 Subject: [PATCH] Add test for custom categories match on HTTP and SSL flows --- tests/pcap/malware.pcap | Bin 468 -> 8441 bytes tests/result/malware.pcap.out | 16 ++++++++++++---- 2 files changed, 12 insertions(+), 4 deletions(-) 
diff --git a/tests/pcap/malware.pcap b/tests/pcap/malware.pcap index c63389f0473644d1cd4456447b250a0108d3c4d3..7480b7014aabb4a7285d879ab7445919da0ee6a0 100644 GIT binary patch literal 8441 zcmc&(2UJtZyPunc5CTykp|^mF^xV*ksPrPesfZe9hR7imx@U5pR zmLp6V3jh#eW@hGaz95Y!67bSuIdSpn*%lCkFts? zouQ_#p{b>;jgXcJR2a|=r=7Rt7^v9+^zSOw=T$(IA}a1PdnNVMJi z8A>EO?HiDoy90!5Nq+wUlOiE}>IxYP0D&Y|jUXffLL|x;Jt~-LJe>yS!6nApV2((t zn*zqMXcWc~TYwW(5OVQE!}gb%=ORNik@x)L0Qh)CFj-9Bh=>pt+lo!2`U=Hq&P=$W zR)aRw3T`Nk8Y$+9EZyRH0yrp8_!~bdiNmt9LYXEL`GPoMrkEKN!DORWs0&k+;cV|{ zg_<&bc-%xG%Nk{)@Q=;(=8JeUg;^}DlSXypa(O9`R~j!Xjg^p=oMgdCNlD^!Ica>M zfR%+&%(DhllapLhT~RA13p19P?9Fk2k!1i!5TDM8=Q%TZ0?Wv73!XqW!0!71F9BB= z#}~vqGvj~br&uuKcr%kYX*?R$GbqBD2^YXaC=l?tn0RMqB9E71$w}g8!2ZaTco8R# zXXz&p^SJ3Eo@E#>HJv9;6U%1NsLSDY*iA&fLuv@1BaG1Tz>$1J2ipo6phHejUuIrb zxOn1rSBNI)Os4=~VOM`NE%;oESKF#v2Wh_tPy0N!MBI1w>E~_C4dz0ytn0$KP^CZR0--)D3jlQ@Lcor2FOe9lqx8u^za-92`6;JG?A`sY z_P9rwa+{F8^`4vc{qYt)bQ^)X-}fzy>%07Ic$TC~O%tS{G;opz$wf3TOb(C-ak3 zFbw)gJxI_5T9ASOML>WDdjw>mjP(%`tSJd;X(`xA1#&UtXYr+5{*D?w@qE9(iu~r@SpUlS zPQzDe>z%m~WB&+Xx395v^L)QjN2oA=Qrp*)0rA<&rdvl|b&yzPC}7%|0|g3^L?jXk zLFs_G=79Fa_iJfH6=N ztPO#n1J!Bs{J=!`ByMl z5`h~8wkwgizRUQjq4biI@~sB3jbFNXJF2rVBaoH9drc^vWD*k(YFGfM^`k`*kca>R z8bb$^54k9NDgx#4K-m>2Zb7Ar8&D}Vw*>A4fuKxV@yOW7ZihQ{T%5%oaA*WdBP*EY z`R4V|5JXW9pn+^fRDn#4B$4Ta$Z)nAO2>Xs=}Mmbc)kZul*aTEaM`2LQ5cy>*Z)oq z_jR*ohRYlx{7;m@6EQv9P<;&=+Yz<3wnt@8v9lZ;faxvb2)KMPS2#eY(rLjdJb`CWxCN%069=f#s9^s~VnO@b4_B zs+KFz@~4+GmO8SU9Cw|gG90%q$bZIgPl$46bTy$ylk_IqmHK`tt6I?z;hX-~^BBXd ztA0%pxl4^w4EDTTbLc}`l=sR)o&zda4cGJjg2~&Y# zq;i#~yF775t(I{Cd+qi{r4Kt@gNa(2mtKgP60w7flu0R3sFV_h8o*W58$p80DPatk zaCD_?&TW>-Uj^Qd)fSJ=-FuAcVFQMd)Jcrr9hL#h=EH#3eGXPG37=L>$^Dyce`!%g5}e~CD{8r;X^bOApt8%I`; z!Ps~e7g8A9d399^L zm=uX|<2Czfmg!=c4&i!K#A!ki4@XiJ^Wz2SDR^31CO?TU#L?*KDRD5J!b?&WCvZf( zINU&$G@&pFKTJio`M6Qa*kYz9$BLj~9PBVlwejG=^=bTo9$bg|Kk&iPHNFGF8ZYG^ zVBzUH-zH$5KMZ>QU!*l}WNA$vJ|T&DqsPD24bz%;SXzT|ne*%TL6pUh8hre?);$o5 
zMp*+Oit7g`&NB6X;EbcIeaG`p$@X}2)&D^>ZaDoLq;W*G@0iAuzk?b_R_zBVj>Z^( zHIAw?2-mny`Zr+Xh*~&g>TuHxo9Yw;TAH|%E$jQkQk?(H=G!YwaK#D_SQC5j%iFuwWmJm9# zSX@z(ja3|s)?65^v6I3Qi@6+2sG7B9yuB6d9y-DHKTHU~gfU58s0ZpmR+y3Ji{yPt zLJ-spH5pKefT-(Y8i=6^Sb~ewz#}9arI5+-IZ7}GL1z!lfdy;|DnLgL{6>*H&2Lr+ zx#AQY57hhnC_HwPk*RQb zNywdS0*OG9B2Qp@gtUNkP<~XQs9JLpW8pD+>E-wo>KMDVq>nl+N7^#447)&UhL;%# zmpJtTJijmj^F}=h%!n>mix)?>MzyCKae})INyZvqsH8iWRI&@ZSG8u`ZzV9N*KWGl zJZAP$dzy`J;moXQ({{X+7A^evyl;8?G4ALuW*`Fy!!vfVyVzQd>p*#^T3@D`uF5?^ zEife)?5C`ExJU07Tdyt?>w|g`48hmKpl;m~Q@)Rft-2$qFVpWUeEfR3-51u^>*Aco z#v26YMC&L1CbZK=S6Ck=8lPDs?%Sm$Kl#~+^S;l-$o8}?JE7cT_gan{EKWVRa@C09 z9V>qKah$lCx-;yVcF~$R`$GL23;N|=Wd9)dWUQ{ssoF;KRpIk4M|?>NaNSel(&Lqv zZ&L9n?sODam%vOeG|Mhfca=eH?e=_ky}7UJ7fjb*oIJB&uW3NSNX?R!&DB5V zfiUldc_0GVhl_#}RJ9Jq_Yw2=MDKn;I={x1bl_xm5(W@O`#47k4=l5CRze|nfusLaU}sMplaQd$lGPF z3go+d^?DN}JynxVH5HuVOiL0NYtF+wfBvuI$KSH}v0!NYxV;_5kIsSkF(dt#^#@57 zKThG}$L;L{@xxCS0MC1_74IWEmU*rYS|QmO<0(?>k+k`lt7|kQ4KL>2k*e2awCCO4 zKE7-6r4ZlLym(ro(f--3TC_tu$U7;^#}&OSRs6~&Q_?+_wy3QeJ69CApkd0>387z3 zNLE(NovBm*yk4Po*tOgXOUtQUnJpaOCxwAuohU{doc$->3vd6Rn{vDAFTDxos%Pgp z{SHWLVa~V;l@e!vt6Y#TWiJKw=@%AxED=q(c6|Au9Yi_!QsQ4K7cEo+o_~@eU3svR zVlz>Ftcyt381NuWpCn-{Cy5y*6s8SSGd8FV>d1yw42oja%#T0+uZySuRIW5vO)3hk zJ&URp*-a6Qk*dA3h&j=Azc1C}Q`{&?!z<0wz^<9ssbYc3T6>MSJr0|`d~%z==lq_f zU$w=7*KCT5O4lq5&ow`~E#22rFUsNfCbqTq-CaA$Z+A?caM;KDf!WG4MON7o$!j`k z7Q^M>h7~7I%kzSIn|k|xt7?v!8_8CB<|JQ!_ay6<;;ftdTBd)Um=^A0CwWj+=(+a5 zmSMM=TJOG1G~MaBeZr*q$tx!0oM{p-Q7!f@B6+22KX70duXuJPg67g*JI-mE)sgO) zxyprkZlJ(xrqAB3ysITUOcjE#%roUvOeUT_@KO5Zu-Bvw z-^vvv8hY_4RQ0=Gr=Vo$-r>aqKBgjhsO>-ufsw}qHU4i#p5HOf2Bb7pggTVimDuF5 z2g1*gP&``0PnoNSP;C~c#|EbY_TEhKU;}IW* z*hSq4I5xAZ?6Ho{nd1GfHzEfeGMSqkF}7vGO}2Z*p}Foc+MbvBHxjC+PG}_=CQW#p ze0g7M@v?2<3RiZR@t!yZ>*rPoV%C<9G=BPdYv;=IR)lkb{-^f3w`4UPsQj4RXSg8T zenvpX)egtzJE4-Ux;sxA0!PQ~+;Dzu>Sy2LBR0tw>GH4ElGr6@h^)L%SlRQr+4-IjuP zVGpX)mhJSj+T^m**2Ey|>Z%v#Pu#kgtoty=x*J}wAT80cG1dS+k>2F`A0{!3!8U^I=4S 
zwj3Zal&5d|O+wjpaP$_ttGS9Ei#C^?r~SYUiyx`b^Z%m$=$6Hg`9tH!{V6bhv=79O z1(3@#c>9F4!S`2$CSy4)e(W1mf83uUiy!dHx^FZ9Kimxry=anvA=Z|t^poKC09*J) zz!qBo{B@KJZ{=01uO6xIiP`WhVs(_TAz#Gd|sT99+g)z`|ACTYm9Q< zGWG5ETFV^bEtOVum6XEQ(3!(mCqQ?vGtZtmYZ zR|jXD)>;Cls=L0@;YuPfyamE9SbjvH;YM1QB|LgEe6mX6jgr2wa5Yw)0azHVeev;A zpB(bjTGq&C=6e=euMkG8RQ@<#e)6c@uPQfLP0g5ZvS>^Qp+1=GMS_Wrs>;k0S%(`x zO?SVLXYfK>DmlA+5sBt}Ag7Kn_QSfhHLiXiy*E$T>k<%ZmS16UV|uQ$v7_m_%&i8C z?Sjm=@BduB=bcrL#HjXAP|L;$rbgc*{cUfpZ|QM=Yi(x6}tEC+piV| zW#?)&r0+j9T42;$@g`u*5N zD`^g?X!3Lx^2ARzbln~ z_IXxx>iy+S#C&Q+UVAvU5{>Hth=ilDHpB*>y7w|0V(~Ui73%TfN@zhFR=^u+C=!0* zkUfZQ`Jq?qU2k#(b-ksA+V?v{$}l1KJV?K~awlVMraBd$raq)S@SnO2yKk#d0%G%kf1nI7qb`&=3)sp_tZRzA$M3d3pv+TZx+;qcsv^YpZ3kVCZ(i0&Ym7LSX*idJn$0K< zYo1ti*z8z9an7<2M;~2xOlq_Y<=LpaP3oz<)XuFgYwk+ne`Izi$ zl0IX*5|upb8w-p~Nu7`DOI8_<*YSu7KeoP`HjQeack{^!AHU~!XD;LY00iq8O}5We zonF+p#mucb!lmu(D<$t`JD8j9H_N@!t$v=V9dxcCc*`wpkM_WI{r7+Z00xAcnS+3U tecu8ha4mC!`VSW0`wl-we*vm7Vs-!k delta 7 OcmezAc!hbx6-EFMMFW=r diff --git a/tests/result/malware.pcap.out b/tests/result/malware.pcap.out index 448633b3e..6ce62b33d 100644 --- a/tests/result/malware.pcap.out +++ b/tests/result/malware.pcap.out 
@@ -1,7 +1,15 @@
 DNS 2 216 1
-HTTP 1 66 1
+HTTP 3 547 2
 ICMP 1 98 1
+OpenDNS 20 7140 1
 
- 1 UDP 192.168.7.7:42370 <-> 1.1.1.1:53 [proto: 5/DNS][cat: Malware/100][1 pkts/106 bytes <-> 1 pkts/110 bytes][Host: www.internetbadguys.com][PLAIN TEXT (internetbadguys)]
- 2 ICMP 192.168.7.7:0 -> 144.139.247.220:0 [proto: 81/ICMP][cat: Malware/100][1 pkts/98 bytes -> 0 pkts/0 bytes]
- 3 TCP 192.168.7.7:33706 -> 144.139.247.220:80 [proto: 7/HTTP][cat: Malware/100][1 pkts/66 bytes -> 0 pkts/0 bytes]
+JA3 Host Stats:
+ IP Address # JA3C
+ 1 192.168.7.7 1
+
+
+ 1 TCP 192.168.7.7:35236 <-> 67.215.92.210:443 [proto: 91.225/TLS.OpenDNS][cat: Malware/100][11 pkts/1280 bytes <-> 9 pkts/5860 bytes][bytes ratio: -0.641 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 57.1/64.1 199/249 87.3/99.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 116.4/651.1 571/1514 148.2/644.4][TLSv1.2][Client: www.internetbadguys.com][JA3C: f6ce47303dce394049af395fc6d0bc20][Server: api.opendns.com][JA3S: 0c0aff9ccea5e7e1de5c3a0069d103f3][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 2 TCP 192.168.7.7:48394 <-> 67.215.92.210:80 [proto: 7.7/HTTP][cat: Malware/100][1 pkts/383 bytes <-> 1 pkts/98 bytes][Host: www.internetbadguys.com][PLAIN TEXT (GET / HTTP/1.1)]
+ 3 UDP 192.168.7.7:42370 <-> 1.1.1.1:53 [proto: 5/DNS][cat: Malware/100][1 pkts/106 bytes <-> 1 pkts/110 bytes][Host: www.internetbadguys.com][PLAIN TEXT (internetbadguys)]
+ 4 ICMP 192.168.7.7:0 -> 144.139.247.220:0 [proto: 81/ICMP][cat: Malware/100][1 pkts/98 bytes -> 0 pkts/0 bytes]
+ 5 TCP 192.168.7.7:33706 -> 144.139.247.220:80 [proto: 7/HTTP][cat: Malware/100][1 pkts/66 bytes -> 0 pkts/0 bytes]
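Review bot: Every flow in the new flow list, including the ICMP flow to 144.139.247.220 and the DNS flow to 1.1.1.1, carries `[cat: Malware/100]`, so this expectation would still pass if the custom-category lookup regressed into tagging every flow as Malware; the test has no negative control. Adding one flow to the capture whose host and addresses match no custom rule, so that the expected output contains at least one line with a non-Malware category, would make the HTTP and TLS matches this test is meant to pin actually distinguishable from an over-broad match. Flow 1 appears to be categorized from the client-supplied name (`Client: www.internetbadguys.com`) while the server-side name is `Server: api.opendns.com`; if that is the intended behaviour, it is worth stating in the commit message or a test comment that the TLS match is SNI-based, since the SNI is chosen by the client rather than verified against the server.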