diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 0f50a150e..aa6902410 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -2972,7 +2972,7 @@ static void init_protocol_defaults(struct ndpi_detection_module_struct *ndpi_str
 ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
 ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */,
 0);
- ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MSGPACK,
+ ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MSGPACK,
 "MessagePack", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED,
 ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
 ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */,
diff --git a/src/lib/protocols/msgpack.c b/src/lib/protocols/msgpack.c
index 3aa3c36a3..f19f84fc1 100644
--- a/src/lib/protocols/msgpack.c
+++ b/src/lib/protocols/msgpack.c
@@ -43,13 +43,14 @@ static void ndpi_int_msgpack_add_connection(struct ndpi_detection_module_struct
 }
 static u_int32_t msgpack_dissect_next(u_int8_t const ** const start,
- u_int16_t * const size)
+ u_int16_t * const size,
+ u_int8_t * const fb)
 {
 if (*size == 0)
 return 0;
 u_int32_t next_size = 0;
- u_int8_t first_byte = (*start)[0];
+ u_int8_t first_byte = *fb = (*start)[0]; // unused
 if (first_byte == 0xC1)
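Review bot: The trailing `// unused` on the new `u_int8_t first_byte = *fb = (*start)[0];` line is now wrong and will mislead the next reader: `first_byte` drives every branch of the dissector below it and `*fb` is the out-parameter the caller inspects. The store sits after the early `return 0` for an empty buffer, so `*fb` is left untouched on that path and callers must pre-initialise it (the caller later in this diff does so with 0xC1); that is the contract worth writing down instead, e.g. `// report the type byte to the caller; not written when *size == 0, so *fb must be pre-initialised`. A one-line header comment naming `fb` as an output parameter would help too. The body of msgpack_dissect_next continues past the end of this hunk.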
@@ -119,18 +120,24 @@ static u_int32_t msgpack_dissect_next(u_int8_t const ** const start,
 if (*size < 3)
 return 0;
 next_size += 3 + get_u_int8_t(*start, 1);
+ if (next_size < 3) // check for possible overflow
+ return 0;
 }
 else if (first_byte == 0xC8 /* ext16 */)
 {
 if (*size < 4)
 return 0;
 next_size += 4 + ntohs(get_u_int16_t(*start, 1));
+ if (next_size < 4) // check for possible overflow
+ return 0;
 }
 else if (first_byte == 0xC9 /* ext32 */)
 {
 if (*size < 6)
 return 0;
 next_size += 6 + ntohl(get_u_int32_t(*start, 1));
+ if (next_size < 6) // check for possible overflow
+ return 0;
 }
 // map / array / string / bin format
 else if ((first_byte & 0xF0) == 0x80 /* fixmap: 1000 xxxx */ ||
@@ -141,6 +148,8 @@ static u_int32_t msgpack_dissect_next(u_int8_t const ** const start,
 else if ((first_byte & 0xE0) == 0xA0 /* fixstr: 101x xxxx */)
 {
 next_size += 1 + (first_byte & 0x1F);
+ if (next_size < 1) // check for possible overflow
+ return 0;
 }
 else if (first_byte == 0xDE /* map16 */ ||
 first_byte == 0xDC /* array16 */)
@@ -158,6 +167,8 @@ static u_int32_t msgpack_dissect_next(u_int8_t const ** const start,
 if (*size < 2)
 return 0;
 next_size += 2 + get_u_int8_t(*start, 1);
+ if (next_size < 2) // check for possible overflow
+ return 0;
 }
 else if (first_byte == 0xDA /* str16 */ ||
 first_byte == 0xC5 /* bin16 */)
@@ -165,6 +176,8 @@ static u_int32_t msgpack_dissect_next(u_int8_t const ** const start,
 if (*size < 3)
 return 0;
 next_size += 3 + ntohs(get_u_int16_t(*start, 1));
+ if (next_size < 3) // check for possible overflow
+ return 0;
 }
 else if (first_byte == 0xDB /* str32 */ ||
 first_byte == 0xC6 /* bin32 */)
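Review bot: Five of the six overflow guards added in these hunks cannot fire: `next_size` is a `u_int32_t` that is still 0 when each branch performs its single `+=` (it is initialised to 0 at the top of the function and the branches form an exclusive else-if chain), and `3 + get_u_int8_t()`, `4 + ntohs()`, `1 + (first_byte & 0x1F)`, `2 + get_u_int8_t()` and `3 + ntohs()` top out far below 2^32, so `next_size < 3`, `< 4`, `< 1`, `< 2` and `< 3` are always false. Only the `ntohl()` additions (ext32 here, str32/bin32 in the next hunk) can wrap, and there the `next_size < 6` test is a correct wrap detector precisely because `next_size` was 0 before the add; that assumption deserves a comment such as `// wrapped: next_size was 0 before this add, so a result below 6 means 6 + len overflowed`. I would drop the dead checks on the 8- and 16-bit branches, or mark them as deliberate uniformity, so a reader does not go hunting for an overflow that cannot happen.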
@@ -172,17 +185,48 @@ static u_int32_t msgpack_dissect_next(u_int8_t const ** const start,
 if (*size < 5)
 return 0;
 next_size += 5 + ntohl(get_u_int32_t(*start, 1));
- }
-
- if (next_size > 0) {
- if (next_size > *size)
+ if (next_size < 5) // check for possible overflow
 return 0;
- (*start) += next_size;
- (*size) -= next_size;
- return next_size;
 }
- return 0;
+ if (next_size == 0)
+ return 0;
+ if (next_size > *size)
+ return 0;
+
+ // check for valid UTF-8 / ASCII strings
+ char const * str = NULL;
+ u_int32_t str_len = 0;
+ if ((first_byte & 0xE0) == 0xA0 /* fixstr */) {
+ str = (const char *)(*start + 1);
+ str_len = next_size - 1;
+ }
+ else if (first_byte == 0xD9 /* str8 */)
+ {
+ str = (const char *)(*start + 2);
+ str_len = next_size - 2;
+ }
+ else if (first_byte == 0xDA /* str16 */)
+ {
+ str = (const char *)(*start + 3);
+ str_len = next_size - 3;
+ }
+ else if (first_byte == 0xDB /* str32 */)
+ {
+ str = (const char *)(*start + 5);
+ str_len = next_size - 5;
+ }
+ if (str != NULL && str_len > 0) {
+ u_int32_t i;
+ for (i = 0; i < str_len; ++i) {
+ if (isascii(str[i]) != 0 && ndpi_isprint(str[i]) == 0 && ndpi_isspace(str[i]) == 0)
+ return 0;
+ }
+ }
+
+ (*start) += next_size;
+ (*size) -= next_size;
+ return next_size;
 }
 void ndpi_search_msgpack(struct ndpi_detection_module_struct *ndpi_struct,
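Review bot: The new string scan hands plain `char` values to `isascii()`, `ndpi_isprint()` and `ndpi_isspace()`: `str` is declared `char const *`, so on signed-`char` targets every byte at or above 0x80, exactly the non-ASCII input the comment says this path handles, arrives as a negative int; POSIX `isascii()` tolerates any int, but whether the `ndpi_` helpers do is not visible here. Declaring it as `u_int8_t const * str = NULL;` and dropping the four `(const char *)` casts sidesteps the question, since `*start` is already `u_int8_t const *`. The comment `// check for valid UTF-8 / ASCII strings` also overstates what the loop does: it rejects only ASCII control characters and accepts any byte at or above 0x80 without validating UTF-8 sequences, so a binary blob mislabelled as str passes as long as it contains no ASCII control bytes; I would reword it to `// reject ASCII control chars; non-ASCII bytes are accepted without UTF-8 validation`. The `next_size > *size` check above the scan does keep the loop inside the packet buffer.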
@@ -196,26 +240,34 @@ void ndpi_search_msgpack(struct ndpi_detection_module_struct *ndpi_struct,
 u_int16_t rem_siz = packet->payload_packet_len;
 u_int16_t msgpack_objects = 0;
 u_int16_t byte_type_objects = 0; // required to prevent false positives due to fixint's
+ u_int16_t tlv_objects = 0;
 do {
- u_int32_t type_size = msgpack_dissect_next(&cur_msg, &rem_siz);
- if (type_size == 0)
+ u_int8_t first_byte = 0xC1;
+ u_int32_t type_size = msgpack_dissect_next(&cur_msg, &rem_siz, &first_byte);
+ if (type_size == 0 || first_byte == 0xC1)
 break;
 if (type_size == 1) {
 // fixmap's and fixarray's get also counted as byte type objects..
- u_int8_t first_byte = cur_msg[-1];
 if ((first_byte & 0xF0) != 0x80 /* fixmap: 1000 xxxx */ &&
 (first_byte & 0xF0) != 0x90 /* fixarray: 1001 xxxx */)
 {
 byte_type_objects++;
 }
 }
+ if (type_size >= 2) {
+ // check for variable sized ext's / str's / bin's
+ if ((first_byte >= 0xC4 && first_byte <= 0xC9 /* bin8, bin16, bin32, ext8, ext16, ext32 */)
+ || (first_byte & 0xE0) == 0xA0 /* fixstr */
+ || (first_byte >= 0xD9 && first_byte <= 0xDB /* str8, str16, str32 */))
+ {
+ tlv_objects++;
+ }
+ }
+
+ } while (++msgpack_objects < MSGPACK_MAX_OBJECTS);
- msgpack_objects++;
- } while (msgpack_objects < MSGPACK_MAX_OBJECTS);
-
- NDPI_LOG_DBG(ndpi_struct, " [Objects: %u][ByteTypes: %u][Remaining: %u][Length %u]\n",
- msgpack_objects, byte_type_objects, rem_siz, packet->payload_packet_len);
+ NDPI_LOG_DBG(ndpi_struct, " [Objects: %u][ByteTypes: %u][TLVs: %u][Remaining: %u][Length %u]\n",
+ msgpack_objects, byte_type_objects, tlv_objects, rem_siz, packet->payload_packet_len);
 if (byte_type_objects * 2 >= msgpack_objects || rem_siz * 4 >= packet->payload_packet_len)
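Review bot: The `first_byte == 0xC1` test after the call looks redundant with `type_size == 0`: msgpack_dissect_next leaves `*fb` untouched only on its `*size == 0` early return, which also yields 0, and for a literal 0xC1 byte it stores the byte before its own `if (first_byte == 0xC1)` branch, so `first_byte` can still be 0xC1 here only when `type_size` is already 0 (assuming that branch returns 0; its body is outside this diff). It is harmless as belt and braces, but the literal now appears three times in the file with no explanation of why it is a safe sentinel. A named constant next to MSGPACK_MAX_OBJECTS, e.g. `#define MSGPACK_NEVER_USED 0xC1 /* reserved in the spec, never a valid type byte */`, used in both the sentinel initialiser and the dissector, would make that intent explicit. ndpi_search_msgpack begins before and ends after this hunk.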
@@ -225,8 +277,11 @@ void ndpi_search_msgpack(struct ndpi_detection_module_struct *ndpi_struct,
 return;
 }
- if (rem_siz == 0 || byte_type_objects * 4 < msgpack_objects)
+ if ((rem_siz == 0 && flow->packet_counter > 1) || tlv_objects > 0
+ || (byte_type_objects * 4 < msgpack_objects && packet->tcp != NULL))
+ {
 ndpi_int_msgpack_add_connection(ndpi_struct, flow);
+ }
 if (flow->packet_counter < MSGPACK_MAX_PACKETS)
 return;
diff --git a/tests/cfgs/default/pcap/false_positives.pcapng b/tests/cfgs/default/pcap/false_positives.pcapng
index 3f6223c87..f8a5e0082 100644
Binary files a/tests/cfgs/default/pcap/false_positives.pcapng and b/tests/cfgs/default/pcap/false_positives.pcapng differ
diff --git a/tests/cfgs/default/pcap/msgpack.pcap b/tests/cfgs/default/pcap/msgpack.pcap
index 456164d73..26c0cb0eb 100644
Binary files a/tests/cfgs/default/pcap/msgpack.pcap and b/tests/cfgs/default/pcap/msgpack.pcap differ
diff --git a/tests/cfgs/default/result/EAQ.pcap.out b/tests/cfgs/default/result/EAQ.pcap.out
index 8b8bbdde0..c290bb4f3 100644
--- a/tests/cfgs/default/result/EAQ.pcap.out
+++ b/tests/cfgs/default/result/EAQ.pcap.out
@@ -1,7 +1,7 @@
 DPI Packets (TCP): 12 (6.00 pkts/flow)
 DPI Packets (UDP): 116 (4.00 pkts/flow)
 Confidence DPI : 31 (flows)
-Num dissector calls: 5290 (170.65 diss/flow)
+Num dissector calls: 5272 (170.06 diss/flow)
 LRU cache ookla: 0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache stun: 0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/KakaoTalk_talk.pcap.out b/tests/cfgs/default/result/KakaoTalk_talk.pcap.out
index 121b63c5a..82930363f 100644
--- a/tests/cfgs/default/result/KakaoTalk_talk.pcap.out
+++ b/tests/cfgs/default/result/KakaoTalk_talk.pcap.out
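Review bot: The new `tlv_objects > 0` term classifies a flow on its very first packet from a single length-prefixed object, and the guards above it do not prevent that: a payload that is exactly one bin8/bin16/bin32 or ext object yields `msgpack_objects == 1`, `byte_type_objects == 0`, `rem_siz == 0` and `tlv_objects == 1`, and bin/ext contents are never inspected (only the str types get the printable-character scan in the dissector). Any packet of the form `C4 <len> <len bytes>` with `len == payload_len - 2` would therefore be tagged MessagePack immediately, which is the kind of false positive the other two terms (`flow->packet_counter > 1`, `packet->tcp != NULL`) are trying to avoid. I would require some structure around the TLV, e.g. `|| (tlv_objects > 0 && msgpack_objects > 1)`, or defer it to a second packet the way the `rem_siz == 0` term does, unless something before this hunk already rejects single-object payloads. ndpi_search_msgpack continues outside the hunk.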
@@ -5,7 +5,7 @@ DPI Packets (UDP): 17 (3.40 pkts/flow)
 Confidence Match by port : 8 (flows)
 Confidence DPI : 11 (flows)
 Confidence Match by IP : 1 (flows)
-Num dissector calls: 1244 (62.20 diss/flow)
+Num dissector calls: 1242 (62.10 diss/flow)
 LRU cache ookla: 0/2/0 (insert/search/found)
 LRU cache bittorrent: 0/27/0 (insert/search/found)
 LRU cache stun: 0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/false_positives.pcapng.out b/tests/cfgs/default/result/false_positives.pcapng.out
index c05d29155..d3bfa7563 100644
--- a/tests/cfgs/default/result/false_positives.pcapng.out
+++ b/tests/cfgs/default/result/false_positives.pcapng.out
@@ -1,15 +1,15 @@
 DPI Packets (TCP): 16 (5.33 pkts/flow)
-DPI Packets (UDP): 54 (10.80 pkts/flow)
-Confidence Unknown : 1 (flows)
-Confidence DPI : 7 (flows)
-Num dissector calls: 1069 (133.62 diss/flow)
+DPI Packets (UDP): 66 (7.33 pkts/flow)
+Confidence Unknown : 4 (flows)
+Confidence DPI : 8 (flows)
+Num dissector calls: 1750 (145.83 diss/flow)
 LRU cache ookla: 0/0/0 (insert/search/found)
-LRU cache bittorrent: 0/3/0 (insert/search/found)
+LRU cache bittorrent: 0/12/0 (insert/search/found)
 LRU cache stun: 0/0/0 (insert/search/found)
 LRU cache tls_cert: 0/0/0 (insert/search/found)
-LRU cache mining: 0/1/0 (insert/search/found)
+LRU cache mining: 0/4/0 (insert/search/found)
 LRU cache msteams: 0/0/0 (insert/search/found)
-LRU cache fpc_dns: 0/8/0 (insert/search/found)
+LRU cache fpc_dns: 0/12/0 (insert/search/found)
 Automa host: 4/0 (search/found)
 Automa domain: 2/0 (search/found)
 Automa tls cert: 0/0 (search/found)
@@ -18,9 +18,9 @@ Automa common alpns: 0/0 (search/found)
 Patricia risk mask: 6/0 (search/found)
 Patricia risk mask IPv6: 0/0 (search/found)
 Patricia risk: 1/0 (search/found)
-Patricia risk IPv6: 0/0 (search/found)
-Patricia protocols: 14/2 (search/found)
-Patricia protocols IPv6: 0/0 (search/found)
+Patricia risk IPv6: 1/0 (search/found)
+Patricia protocols: 20/2 (search/found)
+Patricia protocols IPv6: 2/0 (search/found)
 Hash malicious ja4: 1/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 3/0 (search/found)
@@ -29,19 +29,21 @@ Hash ja4 custom protos: 1/0 (search/found)
 Hash fp custom protos: 1/0 (search/found)
 Hash url custom protos: 1/0 (search/found)
-Unknown 6 460 1
+Unknown 15 1539 4
 SMTP 33 20130 1
 RTP 110 19309 4
 RDP 5 1571 1
+IMO 21 1512 1
 WebSocket 4 973 1
-Unrated 6 460 1
-Acceptable 152 41983 7
+Unrated 15 1539 4
+Acceptable 173 43495 8
-Unspecified 6 460 1
+Unspecified 15 1539 4
 Media 110 19309 4
 Email 33 20130 1
 Web 4 973 1
+VoIP 21 1512 1
 RemoteAccess 5 1571 1
 JA Host Stats:
@@ -55,8 +57,12 @@ JA Host Stats: 4 UDP 10.102.45.249:31046 <-> 10.133.48.100:21176 [VLAN: 10][proto: GTP:87/RTP][Stack: RTP][IP: 0/Unknown][Payload Type: Unknown (102.0) / Unknown (102.0)][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 17][cat: Media/1][Breed: Acceptable][22 pkts/2860 bytes <-> 8 pkts/989 bytes][Goodput ratio: 34/30][0.44 sec][bytes ratio: 0.486 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/19 22/19 44/20 15/0][Pkt Len c2s/s2c min/avg/max/stddev: 130/113 130/124 130/130 0/8][Plen Bins: 10,90,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 5 UDP 10.133.32.101:36408 -> 10.110.31.25:1272 [VLAN: 10][proto: GTP:87/RTP][Stack: RTP][IP: 0/Unknown][Payload Type: AMR (118.0)][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 20][cat: Media/1][Breed: Acceptable][20 pkts/2260 bytes -> 0 pkts/0 bytes][Goodput ratio: 24/0][0.38 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 21/0 1/0][Pkt Len c2s/s2c min/avg/max/stddev: 113/0 113/0 113/0 0/0][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 6 TCP 91.238.181.21:35888 <-> 89.31.79.12:3389 [VLAN: 77][proto: 91.88/TLS.RDP][Stack: RDP.TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: RemoteAccess/12][Breed: Acceptable][3 pkts/239 bytes <-> 2 pkts/1332 bytes][Goodput ratio: 20/91][0.07 sec][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Desktop/File Sharing **** TLS Susp Extn **** Non-Printable/Invalid Chars Detected **** Possible Exploit Attempt **][Risk Score: 420][Risk Info: Invalid chars found in SNI: exploit or misconfiguration? 
/ xsen??????????????????tsp:8/w-speedtest.:find_????tsp:32766/w-speed][nDPI Fingerprint: 4b1df66adac4158c4dff9d37fd37ae88][TCP Fingerprint: 194_128_8192_6bb88f5575fd/Unknown][TLS (0589)][JA4: t00i001700_e3b0c44298fc_6d0650a004ef][PLAIN TEXT (Cookie)][Plen Bins: 33,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0] - 7 TCP 10.140.231.26:61202 <-> 159.65.12.169:443 [VLAN: 113][proto: GTP:7.251/HTTP.WebSocket][Stack: HTTP.WebSocket][IP: 442/DigitalOcean][ClearText][Confidence: DPI][FPC: 442/DigitalOcean, Confidence: IP address][DPI packets: 4][cat: Web/5][Breed: Acceptable][2 pkts/557 bytes <-> 2 pkts/416 bytes][Goodput ratio: 58/45][0.20 sec][Hostname/SNI: wludo.superkinglabs.com][URL: wludo.superkinglabs.com:443/ws][StatusCode: 101][Server: nginx/1.12.2][Risk: ** Known Proto on Non Std Port **** HTTP Susp User-Agent **** HTTP Obsolete Server **][Risk Score: 200][Risk Info: Obsolete nginx server 1.12.2 / Empty or missing User-Agent / Expected on port 80][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][PLAIN TEXT (GET /ws HTTP/1.1)][Plen Bins: 0,0,0,0,0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 UDP 192.168.12.67:48612 <-> 93.38.195.192:42034 [proto: 216/IMO][Stack: IMO][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 3][cat: VoIP/10][Breed: Acceptable][10 pkts/728 bytes <-> 11 pkts/784 bytes][Goodput ratio: 42/41][0.77 sec][bytes ratio: -0.037 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 89/26 340/101 102/37][Pkt Len c2s/s2c min/avg/max/stddev: 43/43 73/71 278/167 68/45][Plen Bins: 86,0,0,9,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 8 TCP 10.140.231.26:61202 <-> 159.65.12.169:443 [VLAN: 113][proto: GTP:7.251/HTTP.WebSocket][Stack: HTTP.WebSocket][IP: 442/DigitalOcean][ClearText][Confidence: DPI][FPC: 442/DigitalOcean, Confidence: IP address][DPI packets: 4][cat: Web/5][Breed: 
Acceptable][2 pkts/557 bytes <-> 2 pkts/416 bytes][Goodput ratio: 58/45][0.20 sec][Hostname/SNI: wludo.superkinglabs.com][URL: wludo.superkinglabs.com:443/ws][StatusCode: 101][Server: nginx/1.12.2][Risk: ** Known Proto on Non Std Port **** HTTP Susp User-Agent **** HTTP Obsolete Server **][Risk Score: 200][Risk Info: Obsolete nginx server 1.12.2 / Empty or missing User-Agent / Expected on port 80][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][PLAIN TEXT (GET /ws HTTP/1.1)][Plen Bins: 0,0,0,0,0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] Undetected flows: - 1 UDP 192.168.12.156:37649 <-> 57.128.172.97:9981 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][Breed: Unrated][3 pkts/230 bytes <-> 3 pkts/230 bytes][Goodput ratio: 45/45][1.03 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 498/498 505/504 512/511 7/6][Pkt Len c2s/s2c min/avg/max/stddev: 72/72 77/77 82/82 4/4][Risk: ** Susp Entropy **][Risk Score: 10][Risk Info: Entropy: 4.970 (Executable?)][Plen Bins: 33,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 192.168.1.204:28707 <-> 178.184.92.158:17534 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][Breed: Unrated][3 pkts/283 bytes <-> 3 pkts/453 bytes][Goodput ratio: 55/72][8.84 sec][bytes ratio: -0.231 (Download)][IAT c2s/s2c min/avg/max/stddev: 364/348 4348/4168 8333/7989 3984/3820][Pkt Len c2s/s2c min/avg/max/stddev: 87/90 94/151 109/273 10/86][Plen Bins: 0,66,16,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 192.168.12.156:37649 <-> 57.128.172.97:9981 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][Breed: Unrated][3 pkts/230 bytes 
<-> 3 pkts/230 bytes][Goodput ratio: 45/45][1.03 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 498/498 505/504 512/511 7/6][Pkt Len c2s/s2c min/avg/max/stddev: 72/72 77/77 82/82 4/4][Risk: ** Susp Entropy **][Risk Score: 10][Risk Info: Entropy: 4.970 (Executable?)][Plen Bins: 33,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 UDP 192.168.1.204:28707 <-> 77.35.229.111:21324 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 2][Breed: Unrated][1 pkts/109 bytes <-> 1 pkts/111 bytes][Goodput ratio: 61/62][0.18 sec][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 UDP [2001:b07:a3d:c112:d881:db12:ed03:a477]:28707 -> [2a04:4a43:843f:fdf5:a1f2:e9fe:bd28:d36b]:29695 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][Breed: Unrated][1 pkts/123 bytes -> 0 pkts/0 bytes][Goodput ratio: 49/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/gnutella.pcap.out b/tests/cfgs/default/result/gnutella.pcap.out index 08dd4252e..1e9ce574a 100644 --- a/tests/cfgs/default/result/gnutella.pcap.out +++ b/tests/cfgs/default/result/gnutella.pcap.out @@ -3,7 +3,7 @@ DPI Packets (UDP): 616 (1.00 pkts/flow) DPI Packets (other): 10 (1.00 pkts/flow) Confidence Unknown : 86 (flows) Confidence DPI : 674 (flows) -Num dissector calls: 8117 (10.68 diss/flow) +Num dissector calls: 8116 (10.68 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/258/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) 
diff --git a/tests/cfgs/default/result/jabber.pcap.out b/tests/cfgs/default/result/jabber.pcap.out
index 432c50038..2f586efc6 100644
--- a/tests/cfgs/default/result/jabber.pcap.out
+++ b/tests/cfgs/default/result/jabber.pcap.out
@@ -1,6 +1,6 @@
 DPI Packets (TCP): 74 (6.17 pkts/flow)
 Confidence DPI : 12 (flows)
-Num dissector calls: 1713 (142.75 diss/flow)
+Num dissector calls: 1711 (142.58 diss/flow)
 LRU cache ookla: 0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache stun: 0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/kerberos.pcap.out b/tests/cfgs/default/result/kerberos.pcap.out
index 7f801f747..def558409 100644
--- a/tests/cfgs/default/result/kerberos.pcap.out
+++ b/tests/cfgs/default/result/kerberos.pcap.out
@@ -4,7 +4,7 @@ DPI Packets (TCP): 77 (2.14 pkts/flow)
 Confidence Unknown : 2 (flows)
 Confidence Match by port : 23 (flows)
 Confidence DPI : 11 (flows)
-Num dissector calls: 4611 (128.08 diss/flow)
+Num dissector calls: 4610 (128.06 diss/flow)
 LRU cache ookla: 0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/75/0 (insert/search/found)
 LRU cache stun: 0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/msgpack.pcap.out b/tests/cfgs/default/result/msgpack.pcap.out
index 1961c6011..e77d02f59 100644
--- a/tests/cfgs/default/result/msgpack.pcap.out
+++ b/tests/cfgs/default/result/msgpack.pcap.out
@@ -1,52 +1,54 @@
-DPI Packets (TCP): 12 (4.00 pkts/flow)
-DPI Packets (UDP): 11 (1.57 pkts/flow)
+DPI Packets (TCP): 19 (4.75 pkts/flow)
+DPI Packets (UDP): 12 (1.71 pkts/flow)
 Confidence Unknown : 1 (flows)
-Confidence DPI : 9 (flows)
-Num dissector calls: 1632 (163.20 diss/flow)
+Confidence DPI : 10 (flows)
+Num dissector calls: 1660 (150.91 diss/flow)
 LRU cache ookla: 0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache stun: 0/0/0 (insert/search/found)
 LRU cache tls_cert: 0/0/0 (insert/search/found)
 LRU cache mining: 0/1/0 (insert/search/found)
 LRU cache msteams: 0/0/0 (insert/search/found)
-LRU cache fpc_dns: 0/4/0 (insert/search/found)
-Automa host: 0/0 (search/found)
-Automa domain: 0/0 (search/found)
+LRU cache fpc_dns: 0/6/0 (insert/search/found)
+Automa host: 2/0 (search/found)
+Automa domain: 1/0 (search/found)
 Automa tls cert: 0/0 (search/found)
-Automa risk mask: 0/0 (search/found)
+Automa risk mask: 1/0 (search/found)
 Automa common alpns: 0/0 (search/found)
-Patricia risk mask: 0/0 (search/found)
+Patricia risk mask: 2/0 (search/found)
 Patricia risk mask IPv6: 0/0 (search/found)
 Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
-Patricia protocols: 20/0 (search/found)
+Patricia protocols: 22/0 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
 Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
-Hash TCP fingerprints: 1/0 (search/found)
+Hash TCP fingerprints: 2/0 (search/found)
 Hash public domain suffix: 0/0 (search/found)
 Hash ja4 custom protos: 0/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
-Hash url custom protos: 0/0 (search/found)
+Hash url custom protos: 1/0 (search/found)
 Unknown 8 573 1
-MessagePack 33 3174 9
+MessagePack 40 3955 10
 Unrated 8 573 1
-Acceptable 33 3174 9
+Acceptable 40 3955 10
 Unspecified 8 573 1
+Web 7 781 1
 Network 33 3174 9
 1 UDP 127.0.0.1:47907 -> 127.0.0.1:5056 [proto: 469/MessagePack][Stack: MessagePack][IP:
0/Unknown][ClearText][Confidence: DPI][FPC: 469/MessagePack, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/1069 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 TCP 127.0.0.1:41948 <-> 127.0.0.1:1337 [proto: 469/MessagePack][Stack: MessagePack][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 469/MessagePack, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][4 pkts/295 bytes <-> 3 pkts/198 bytes][Goodput ratio: 10/0][70.18 sec][bytes ratio: 0.197 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/48728 23393/48728 48728/48728 19940/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 74/66 86/66 8/0][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 3 UDP 127.0.0.1:31337 -> 127.0.0.1:1339 [proto: 469/MessagePack][Stack: MessagePack][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 4][cat: Network/14][Breed: Acceptable][8 pkts/442 bytes -> 0 pkts/0 bytes][Goodput ratio: 24/0][230.35 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 9924/0 32906/0 100215/0 29632/0][Pkt Len c2s/s2c min/avg/max/stddev: 43/0 55/0 75/0 12/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 87,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 4 TCP 127.0.0.1:37856 <-> 127.0.0.1:1337 [proto: 469/MessagePack][Stack: MessagePack][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 3][cat: Network/14][Breed: Acceptable][3 pkts/242 bytes <-> 2 pkts/132 bytes][Goodput ratio: 18/0][106.61 sec][Plen Bins: 
100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 5 UDP 127.0.0.1:31337 -> 127.0.0.1:1337 [proto: 469/MessagePack][Stack: MessagePack][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 2][cat: Network/14][Breed: Acceptable][5 pkts/267 bytes -> 0 pkts/0 bytes][Goodput ratio: 21/0][104.86 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 6 UDP 127.0.0.1:31337 -> 127.0.0.1:1338 [proto: 469/MessagePack][Stack: MessagePack][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 469/MessagePack, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][4 pkts/181 bytes -> 0 pkts/0 bytes][Goodput ratio: 7/0][40.79 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 7 UDP 127.0.0.1:15913 -> 127.0.0.1:16549 [proto: 469/MessagePack][Stack: MessagePack][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 469/MessagePack, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/172 bytes -> 0 pkts/0 bytes][Goodput ratio: 75/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 8 UDP 127.0.0.1:33861 -> 127.0.0.1:55471 [proto: 469/MessagePack][Stack: MessagePack][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 469/MessagePack, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/88 bytes -> 0 pkts/0 bytes][Goodput ratio: 52/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (Hello World)][Plen Bins: 
0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 9 UDP 127.0.0.1:58940 -> 127.0.0.1:19044 [proto: 469/MessagePack][Stack: MessagePack][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 469/MessagePack, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/88 bytes -> 0 pkts/0 bytes][Goodput ratio: 52/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (Hello World)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 TCP 127.0.0.1:38250 <-> 127.0.0.1:1337 [proto: 7.469/HTTP.MessagePack][Stack: HTTP.MessagePack][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 7][cat: Web/5][Breed: Acceptable][4 pkts/575 bytes <-> 3 pkts/206 bytes][Goodput ratio: 53/0][< 1 sec][Hostname/SNI: 127.0.0.1][bytes ratio: 0.472 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 144/69 266/74 81/4][URL: 127.0.0.1:1337/][Req Content-Type: application/x-www-form-urlencoded][User-Agent: Wget/1.25.0][Risk: ** Known Proto on Non Std Port **** HTTP/TLS/QUIC Numeric Hostname/SNI **][Risk Score: 60][Risk Info: Found host 127.0.0.1 / Expected on port 80][TCP Fingerprint: 2_192_65495_db1b9381215d/Unknown][PLAIN TEXT (POST / HTTP/1.1)][Plen Bins: 0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 TCP 127.0.0.1:41948 <-> 127.0.0.1:1337 [proto: 469/MessagePack][Stack: MessagePack][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 469/MessagePack, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][4 pkts/295 bytes <-> 3 pkts/198 bytes][Goodput ratio: 10/0][70.18 sec][bytes ratio: 0.197 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/48728 23393/48728 48728/48728 19940/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 74/66 86/66 8/0][Plen Bins: 
100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 UDP 127.0.0.1:31337 -> 127.0.0.1:1339 [proto: 469/MessagePack][Stack: MessagePack][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 4][cat: Network/14][Breed: Acceptable][8 pkts/442 bytes -> 0 pkts/0 bytes][Goodput ratio: 24/0][230.35 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 9924/0 32906/0 100215/0 29632/0][Pkt Len c2s/s2c min/avg/max/stddev: 43/0 55/0 75/0 12/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 87,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 TCP 127.0.0.1:37856 <-> 127.0.0.1:1337 [proto: 469/MessagePack][Stack: MessagePack][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 3][cat: Network/14][Breed: Acceptable][3 pkts/242 bytes <-> 2 pkts/132 bytes][Goodput ratio: 18/0][106.61 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 UDP 127.0.0.1:31337 -> 127.0.0.1:1337 [proto: 469/MessagePack][Stack: MessagePack][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 2][cat: Network/14][Breed: Acceptable][5 pkts/267 bytes -> 0 pkts/0 bytes][Goodput ratio: 21/0][104.86 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 UDP 127.0.0.1:31337 -> 127.0.0.1:1338 [proto: 469/MessagePack][Stack: MessagePack][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 2][cat: Network/14][Breed: Acceptable][4 pkts/181 bytes -> 0 pkts/0 bytes][Goodput ratio: 7/0][40.79 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to 
client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 8 UDP 127.0.0.1:15913 -> 127.0.0.1:16549 [proto: 469/MessagePack][Stack: MessagePack][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 469/MessagePack, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/172 bytes -> 0 pkts/0 bytes][Goodput ratio: 75/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 9 UDP 127.0.0.1:33861 -> 127.0.0.1:55471 [proto: 469/MessagePack][Stack: MessagePack][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 469/MessagePack, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/88 bytes -> 0 pkts/0 bytes][Goodput ratio: 52/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (Hello World)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 10 UDP 127.0.0.1:58940 -> 127.0.0.1:19044 [proto: 469/MessagePack][Stack: MessagePack][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 469/MessagePack, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/88 bytes -> 0 pkts/0 bytes][Goodput ratio: 52/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (Hello World)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] Undetected flows: diff --git a/tests/cfgs/default/result/nordvpn.pcap.out b/tests/cfgs/default/result/nordvpn.pcap.out index 748a24062..f6fa4ced8 100644 --- a/tests/cfgs/default/result/nordvpn.pcap.out +++ b/tests/cfgs/default/result/nordvpn.pcap.out 
@@ -5,7 +5,7 @@ DPI Packets (UDP): 11 (5.50 pkts/flow)
 Confidence Match by port : 1 (flows)
 Confidence DPI : 2 (flows)
 Confidence Match by IP : 1 (flows)
-Num dissector calls: 601 (150.25 diss/flow)
+Num dissector calls: 600 (150.00 diss/flow)
 LRU cache ookla: 0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/6/0 (insert/search/found)
 LRU cache stun: 0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/quic_sh.pcap.out b/tests/cfgs/default/result/quic_sh.pcap.out
index d7d9f417a..c6e55f5bc 100644
--- a/tests/cfgs/default/result/quic_sh.pcap.out
+++ b/tests/cfgs/default/result/quic_sh.pcap.out
@@ -1,6 +1,6 @@
 DPI Packets (UDP): 14 (4.67 pkts/flow)
 Confidence DPI : 3 (flows)
-Num dissector calls: 537 (179.00 diss/flow)
+Num dissector calls: 536 (178.67 diss/flow)
 LRU cache ookla: 0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/9/0 (insert/search/found)
 LRU cache stun: 0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/raknet.pcap.out b/tests/cfgs/default/result/raknet.pcap.out
index 1171fb9a9..bb51726e6 100644
--- a/tests/cfgs/default/result/raknet.pcap.out
+++ b/tests/cfgs/default/result/raknet.pcap.out
@@ -1,7 +1,7 @@
 DPI Packets (UDP): 26 (2.17 pkts/flow)
 Confidence Unknown : 2 (flows)
 Confidence DPI : 10 (flows)
-Num dissector calls: 1785 (148.75 diss/flow)
+Num dissector calls: 1784 (148.67 diss/flow)
 LRU cache ookla: 0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/6/0 (insert/search/found)
 LRU cache stun: 0/0/0 (insert/search/found)