From 3a75a46212c044efc423d1833be89c4f144438ec Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Mon, 20 Mar 2023 17:56:02 +0100
Subject: [PATCH] Add a new protocol id for generic Adult Content traffic (#1906)
The list has been taken from https://www.similarweb.com/top-websites/adult/ Fix a GoTo false positive.
---
 src/include/ndpi_protocol_ids.h | 2 +-
 src/include/ndpi_typedefs.h | 1 +
 src/lib/ndpi_content_match.c.inc | 58 +++++++++++++++++-
 src/lib/ndpi_main.c | 6 +-
 src/lib/protocols/stun.c | 3 +
 tests/pcap/adult_content.pcap | Bin 0 -> 8396 bytes
 tests/result/adult_content.pcap.out | 25 ++++++++
 .../http_guessed_host_and_guessed.pcapng.out | 16 ++---
 8 files changed, 96 insertions(+), 15 deletions(-)
 create mode 100644 tests/pcap/adult_content.pcap
 create mode 100644 tests/result/adult_content.pcap.out
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index ec96e1a3e..27ce840cc 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -136,7 +136,7 @@ typedef enum {
 NDPI_PROTOCOL_CROSSFIRE = 105,
 NDPI_PROTOCOL_DOFUS = 106,
 NDPI_PROTOCOL_ADS_ANALYTICS_TRACK = 107, /* Generic id for advertisement/analytics/tracking stuff */
- NDPI_PROTOCOL_FREE_108 = 108, /* FREE */
+ NDPI_PROTOCOL_ADULT_CONTENT = 108,
 NDPI_PROTOCOL_GUILDWARS = 109,
 NDPI_PROTOCOL_AMAZON_ALEXA = 110,
 NDPI_PROTOCOL_KERBEROS = 111,
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 45a98a0e1..3379ac660 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -993,6 +993,7 @@ typedef enum {
 */
 NDPI_PROTOCOL_CATEGORY_VIRTUAL_ASSISTANT,
 NDPI_PROTOCOL_CATEGORY_CYBERSECURITY,
+ NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT,
 /* Some custom categories */
 CUSTOM_CATEGORY_MINING = 99,
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 5770124b7..28acc3693 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -1693,7 +1693,6 @@ static ndpi_protocol_match host_match[] =
 { "logmeininc.com", "GoTo", NDPI_PROTOCOL_GOTO, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
 { "gotowebinar.com", "GoTo", NDPI_PROTOCOL_GOTO, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
 { "gototraining.com", "GoTo", NDPI_PROTOCOL_GOTO, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
- { "launchdarkly.com", "GoTo", NDPI_PROTOCOL_GOTO, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
 { "api-pub.mltree.net", "GoTo", NDPI_PROTOCOL_GOTO, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
 { "getgocdn.com", "GoTo", NDPI_PROTOCOL_GOTO, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
 { "cdngetgo.com", "GoTo", NDPI_PROTOCOL_GOTO, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
@@ -1861,6 +1860,63 @@ static ndpi_protocol_match host_match[] =
 /* Kochava is the industry leader for mobile app attribution and mobile app analytics */
 { ".kochava.com", "ADS_Analytic_Track", NDPI_PROTOCOL_ADS_ANALYTICS_TRACK, CUSTOM_CATEGORY_ADVERTISEMENT, NDPI_PROTOCOL_TRACKER_ADS, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "xvideos.", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "pornhub.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "xnxx.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "xhamster.", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "realsrv.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "stripchat.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "spankbang.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "chaturbate.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "xhamster18.desi", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "onlyfans.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "twinrdsrv.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "livejasmin.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "dmm.co.jp", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "youporn.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "xhamsterlive.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "bongacams.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "eporner.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "xvideos2.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "nhentai.net", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "ixxx.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "redtube.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "cityheaven.net", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "missav.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "rule34.xxx", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "xnxx.tv", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "crjpgate.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "tnaflix.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "xlivrdr.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "dlsite.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "hqporner.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "youjizz.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "txxx.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "xvideos3.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "xxxnewvideos.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "ok.xxx", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "xnxx115.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "nutaku.net", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "sxyprn.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "brazzersnetwork.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "superchatlive.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "theporndude.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "fapello.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "hitomi.la", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "erome.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "kiynew.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "jerkmate.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".xnxx-cdn.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".xvideos-cdn.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".porndudecdn.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".xhcdn.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".phncdn.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".ypncdn.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "strpst.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "trafficjunky.net", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".afcdn.net", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".ktkjmp.com", "AdultContent", NDPI_PROTOCOL_ADULT_CONTENT, NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_content_match_host_match.c.inc"
 #endif
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index dbdc37b13..3a21ceebc 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
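Review bot: The entries `"xvideos."` and `"xhamster."` at the top of the added block are bare label prefixes with no TLD, while every other new entry is either a full domain or a leading-dot suffix such as `".phncdn.com"`. How widely those two match depends on the matcher's boundary rules, which are not visible in this hunk; if they are treated as plain substrings, any hostname that merely contains them would be labelled NDPI_PROTOCOL_ADULT_CONTENT, which matters wherever the label drives filtering or alerting. I would add a comment above the block that records the source and the pattern convention, for example `/* Adult content, list from similarweb top-websites/adult; a trailing '.' is meant to cover every TLD */`, after confirming that reading against the matcher. The `host_match[]` initializer starts and ends outside the hunk.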
@@ -1406,10 +1406,6 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
 "Dofus", NDPI_PROTOCOL_CATEGORY_GAME,
 ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
 ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_FREE_108,
- "Free108", NDPI_PROTOCOL_CATEGORY_GAME,
- ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
 ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_GUILDWARS,
 "Guildwars", NDPI_PROTOCOL_CATEGORY_GAME,
 ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
@@ -2542,7 +2538,7 @@ static const char *categories[] = {
 "IoT-Scada",
 "VirtAssistant",
 "Cybersecurity",
- "",
+ "AdultContent",
 "",
 "",
 "",
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index 22b4c7097..97ba37b4d 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -357,6 +357,9 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
 } else if(strstr(flow->host_server_name, "facebook") != NULL) {
 *app_proto = NDPI_PROTOCOL_FACEBOOK_VOIP;
 return(NDPI_IS_STUN);
+ } else if(strstr(flow->host_server_name, "stripcdn.com") != NULL) {
+ *app_proto = NDPI_PROTOCOL_ADULT_CONTENT;
+ return(NDPI_IS_STUN);
 }
 }
 }
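Review bot: The new `strstr(flow->host_server_name, "stripcdn.com")` branch in the stun.c hunk matches that text anywhere in the host name, so a longer, unrelated name that only embeds it is also labelled NDPI_PROTOCOL_ADULT_CONTENT. The host name presumably comes from packet content, so a policy keyed on this label can be both evaded and falsely triggered; a suffix comparison anchored at a label boundary is tighter, as sketched below. `stripcdn.com` is also missing from the `host_match[]` entries this commit adds, so non-STUN flows to it would apparently not get the label. The body of `ndpi_int_check_stun` starts and ends outside the hunk.

```c
/* … unchanged: "facebook" branch … */
} else {
  /* Label only stripcdn.com itself or one of its subdomains */
  static const char suffix[] = "stripcdn.com";
  size_t hlen = strlen(flow->host_server_name);
  size_t slen = sizeof(suffix) - 1;

  if(hlen >= slen &&
     strcmp(&flow->host_server_name[hlen - slen], suffix) == 0 &&
     (hlen == slen || flow->host_server_name[hlen - slen - 1] == '.')) {
    *app_proto = NDPI_PROTOCOL_ADULT_CONTENT;
    return(NDPI_IS_STUN);
  }
/* … unchanged: closing braces of the enclosing blocks … */
```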
diff --git a/tests/pcap/adult_content.pcap b/tests/pcap/adult_content.pcap new file mode 100644 index 0000000000000000000000000000000000000000..68f8016c10a8b0da975786eca24c0a0bba2cde52 GIT binary patch literal 8396 zcmcI}2{={l*Y|zqW1ivve(2oN<`S$-1kwz>wXh~wBOpQgj6@<42%z}8 zHoyesElw}DaT3au1t@@rQK+k#_#Jk0*7Nj|*#kHLngP-RYn95xfGB7T%OBi= zg8jC*`E29nfDK150j)o@QUH1Y&h4U zoB%UmvfJf&LP~bGpTDoGx4nbcZhNvPfVoN?ezX9ix{-wemmoy2{J}Mbq`k%U{5G!s zCv70EW-zKCqW~#wPfb}h6L;7D!xdlw&W-Hi|2G8x5iK4t7jDu=2FcWnjp>?q zyNMLUK5C1Jgi$iT#egsfAuNCR&O7+@mhU{b`OY%)F#-jMf1qTA=ls$YE5?HR+hT+U z4sfIybd}jeceOH7NoS{t>&sQ*nP8oZ{#oU)&*%mzOkp(Z?=T<>LITSlK8q)jwtN=8 z&1XTon<34XFd8)l2@QJ>bERW)YFdC1M#K1V-_u6i|Hg0DH=eO~)_0wKpS;o+%J_Wn zdAR*I7^%e+2Hb;C!tw{wVv@lYQoC(PFLI^;RuBXuwKddJKkB4rr>mxDyA3H5Z~+Kl z1mEK=ZRV}zCgCgV>f#GApiy$&6XIrO@1(4w5aa?`Z8C-Zikb}H3Gg?Uujz?5mK_Dc z&;=oY_5%Eyu)kZbkpgfL6;`3=0v=u)qp>1eQN$pA>v$ zYxcdj&AtlDZ3G_h|KV@QTKUBAey_?Yego&@I~MGb{Xz9K;;^-n)Zjy~wGGHx3uFnF zKde;*=WbcUZ?l$LRSej`IoO(XP)B*jTPZQVm=EfJ33x!YX)9CyJ3m4Ggd(9T5voNS zKjQL7jD`yUoG$rj<(H

1^>4mnzzs?c-KfAvU z55tU5vRI%DRa{tpXM~Up&Vw2CB>l<=!A=Z>7_GsK-cbjyC*CWy{V1T^05O_i-PnXY z^W%5{X>9*{+`h5SF!{o^EYrP4xr#-A$>g!Y0fI=uX8Z$tD80 z+Ige1xbtR{MAIIS(!RVgfQC8(aaZKn2KwJzx{EVC*N)P6dtk&D1Za(Nht~W0}i?_ff59HKZpRD2xvZ-q%8(xS4z5lKI0z947Q&hPxhNz8 ziNx>TU7hMG8T*MqiN)`X(t4_jMj;6dQgj3wEXo*-qQ;s!+8G$B6L{HZq-6*)Qu0#r zvIH3=^Q}|ae@_3?BgY6#SlpIQB;s%7C-lHtq0EmNmftco|5d4!bm zpt9<#<2{mdZ!F37VFG$-CX00>{Gp8_nOWzt^f$_{ZQ^0ySgmNfFg9ktf<^xP%&g`$(OLLT>MCVjU zNH>kK?kCFobB>z>XU`}8^cxbKqz1qn@+N$EqW}+oMn$Dh&&V!~q30crH1~>!*`(B3 zt|0cj^TIDFI&L%F3z(1dWj(0Phvj*Pz7Om8{*x`NlprQ=+u=lS;73to3@DcW=w zpj&eErhU83gs*kTqnRQu&)yMm6EF|&98it8#(Bsde?I#s5EKxm0Z^8rwt#RT5k$a< zM&Z#=_Mz|?3<8hELfHo;>_72@2Gq3h%|AO%IFbco{&f}jYpX6>{aVFRkm zE%%^0>MpALP%Hg-he)7U2KC)$TGH;jci~LW(CD&)ttms+VliM#ey^FBlfidjYn@WR zTEn7TLU1ph-%Bd$~G~LW518>gg z(A@q^!Fm{qTM8)Vq84co2r3L97)enPDBw`WG9lHENih)U;1e7*UdPqb*3XaZA;n0b zhyO)MO<@Q(dg?B={!+XI?jPaL^7s0||050f4IO<09DTR4K}t%Rph%FHl9iHyvqAco z)BjIaBai~W(nDYXDgsFd2oXq1WCRojjeZ*9d_<%BnYND~oIkuGG^qAa`)q?vW@8%S zpvgpKt(r*NyCK0veUj^kwz?=xbzWuWh<4q62bCHc>ZH#fXG!;r%a7Q$r0*A=KFJXC zseifZtC2x_h@M+)^G)NCTb6pg?P=y3(g!+u<4fD7tLq0PFbq`2#q9QW4ULFeKZz$z z&qS6bzTDMjNULrbX=08`2bzN|OS1+}7mo~h#D!g!I{ppmJ>B^-oJ@SCqe^EuTM=-a zJnpCHD{LTlxY*Crb*JeqdBMg7j_vXpHO3-SV1;pUID=dGcvE5Aa(JtcGsz zy&i~d60aT z-<*F+E@gbG>})4`h3R78dXLV#_rkKBdwcdy`?s14WQ8oX2dRdi&)djKpK;C^(>E5O z+eFz;1-n+r-L>{C;MJ!oC~_S*y<64zTYlnNeNfyRP4WwI$#<>Fz4W@Auhz>X?3{2y zh#rQp-G*O9KR+uO6wo^ts9Dnuq=yDuktk?I$TuYD6L_HL<)KBhqM46ZF?0&jGJ4i< z-LW|ml$=HL^ppUB556pjW+$+Q|K}UvB;jE~AU4q$0t)*1HSD0Qg2D~~>Q=0)ijaaz zJh^@c?Z3B{aP~bam`9E04|p22b2<}VWhqOrq?2gZ7ggH$Jw7p7pN^QurKN6U*%!p} zJ?o=mk$t?E(y-%;?wi+27Sw9CC+jwy{_;d;T&s+=o)YqX<=sJvn>u9Xf7Zf%;u&I0 z^b3O_*2KL_IPUK5!7_$&!Bh%W`(^!q`T{uj}GSvM#OvkbSnD_;?mY@<&E_WH<8ESW`s- zgLcxBldhq<`UAA{tUP>&o*!X9c8Boz0rnoQVO4&WO}^4em27jsKXog9(q0^bU4yhp~$zGY>+H|qf#`6;V2iIn1bsJSe zYo4Nx^icy}cy<&pWUJp-nYBkQkw1JM~;0qVB(y`{_tX+ z`8j6;Yx2WS%TrRUop5EYzk&r)&|(71@0A%P7+ell=BLrWR%R5PB_|P}P(Ld(5?KCS znW3@_Z3fuRmNY#oQkf09JGFV`@{Q9;N!G{_Bz1|u-zS57+ 
z2!vV*EQa!#5*xd1k6=1piaKRlQQ<_|jX2ixQIXH3Dd&C~LV;b-tNM<=SK%G}c4lGP zo8kd}x1U_jKk*=`7ad%t&BIOEm6jGZl)!c8#Lp+uNP0SeME_Vek!U;`3D_R`YSQc? zK6wB7RF(pJRu3bdNUTUtd-5>>^!l5#ogM>3z< zuXrDkt*_^3>5j{OTe6tIX0|qdz=+9*&z$~Qv-GuonGOG15oDqM>y`bwMm_SymF5)u z2QLg#C}D2z)4EU{#iP3LNsrg_d~;8mL-6XZ*51lR?LM(vc|)^{i!#y~Quc+iQzPcr zHC$?zjm}W?NwY+FXWC4aUJ4CJQD@9gxXZ4p*r$}Ccfy|N}Bic$M*q5=2 z2WJZWGL_$2MJ%kv3X5zEh259-Lz@q`q*5+RI@&Nh#j(;*Bu1oNbg?U{_oUsCZYpcZ zv3EY?QvBWLY`a7mGLmR&(|xqp$fI(eJEH>k6z|8CpE)ty7uaxMfYT%3!pU{lI-?X_ zmU5qRJu-J5e(Jmj@k`!L;gDS;QQUzKo60B7rAQtpeIk@aJSB&!TvCOePkMfSwi0~xlsKF~ z#9S&PJU^DW zlJxxr0r$0T!S8$0Q?H9mgMFxDyo_gh7hUFwf>MXqDK0#(X?c4xe{_6R(Mv^}oQPm~ z@>j<<8RIKrOdFRLj-&JEBIAx2pFUEOZJPf%?dn-dfmOQ5dYR=bPnbR-Dwp|>aQIVH zR!Y?3j0YaOWlxVRRxslm*hRCnoB4Zuy?QkyjinavGtVL>r=^ugY2UwYO}pi|l5_uM z9fmHPj%8Xtanmy^TmJN%o!jWf4)1Vn{x1U-vjV9yg=OfJQE)e5q5E;OJ%}{#mr~4uZi%XFfWu=wikJNtM0P&O*YESbSOZhL-DGKl=%2p_{2u zgZ)d|jGy9VsQ895;uHPvo$kM8W9=`h?$_#w5J|-4e7Mzff%BOV%W-d|rTQq*wXP3> z-z|3&thsS|&BRldflJ2Iy5)tG8mw+UoxU8Uh2~x%amFW8V=ZQu+>CAZDdlPJk+~ot zSTchttDbxlOY)$6v-1oCcJXRM{i&Afm`cBH_0+ke$sZ@I?7k|vXq)=%&biO1BVTWb z8=zWwVLl}EEh%)<@)AZ$<0Zu#?tH`b zW!>nyN~WrjK*d7`H*7>1C8EY+&wM(v(TrqPB)HC$t9EjgO*S)Y%X`*3999eTV$%&S z&u!Nj=`Gr=>s=Ty`z^1~`=Z;MHZ^- z(ii=bv@VFov>vimSVf#$GLK%o ztE?p%btaRj@LuZ6S;r7u_#OIrh2q0Ut2B6ei&QNR_B`o{+La>`_>wLC)nn0K9V6z< z0DOse$<^6@&C|GQo?6PJ)tj|vXOcD+KRhSu`++pPoPaoB#7UD+ob&#yro)WMFo}5W ze_@eoVZmg5@z_VF`L)?e3yR?EFYBf8hf61T2`D+m=l*+cn`bN5)@SUAe84S|caJBn z0+W>jq-LYacpim2%8yFs$Io)FQ>`F;brXgit4xzfd}pESDE*kDmuQd6$So)RB9 zUvHvaObT0y`P|0zC0!t$<-J*I#obIDAH$-_dg)yk?0ngpvm_^&qF;p$F9hx@dg_!~ z8M$Ycj>oB`{-R2clu2TgJKH|3S|_x?lBA7#&1KWjj`95-g%2NNW18Cwll4ySOpuMt z5NA+HeahoN!JouAyy7@4Hzbnau9*BZfrJTjPst3sLEHV<(Ec@3)?D_;D-AT`W?z`9 zdGEb>w{K5!cQ2y4I-Uc+y48;kCulNM?j5sd73h();=Xz?k*Ozqaq;_DN`U{w$$^Wq zUUj8b<@6Uv4;>)((5<{B^U2-L6X6u4q6KgF--oN+MX1^-K`+6u z{9f&l5+obA+I{T(wb~)s*d>VoN%gbZVG(tIS39WGA@00AM0EU&RRq46Y;4`G{3t4&P=1^1eFQ=7r$iyT(vjtQ^68g^yqQ`}(d z7rW;;SmnIhQ?PK2L#tv`zR72ufn$?A1m`~aN_MY 
z%d!N!+rqRQHl6Np&EX=(ig%8FzMt;gY%$a3$}8Fx$4_aeieuJ%Bv5gcz)=>M@G^gb z>Le2j0@adfP%2_6YcpM1+B4#4$$#Ufj5w?0^ znNhv=pUWoh_hoaXA?2Hsk7GMFd@O%ft(kW^y=~vR2mY0hnoQ%mbfVy+PLfFJX9IdT zkor5Y|MsQC0S=@Y?_UE6_*=FS!Oy*N@&U5qK{aDny%3!cXs_>ov{$Y(sQRRR?`^B0L#?Y?6GqCXC^8BoO^1-agSrP;{y;hq+yNu)+5WBX z0mmZU(vC_7{{l1?J7eV*RiUC9Oc-k&rxT_==Vm^K4@ql+8(DH zp|y=ee;qr$r!I939PP}fUzsk`mwLG{sr3C^Xro&60`G-;sy_2vlHCXDq|LM~Tk#nT z4>rx6MC@liX9QfyX3|e{3g6_i&*R66>AyU#P?&tlt6Lo=ef{4_cW#lc*)}~7%AuE+ zEz$_!b!`eJ?THud06e5LN%#6t8@Xc?eW&);?NLpZ+Uy!;Z>k-rz98cJdG18tHLO4ZUW#on;m;zW-UCF4UPS3FF*?B7XuZIQ0tPTCaOncgCe1YXyRVbZBN zYoh`$H@d8p*Ym`NFEhFM5a-RU#3`y@IKSQU<+-yC(_3x37mgj(uZ5 zX1NAu*9uZS!4VVNLNDiEd#lR)Xs(#EN?Y-HyLQL>O)huLn=AR=S6+_YQm1}%fy-jk zR+b{lfx-L5c~LfRvu~uovX4IT8SS(vh?%@isaYsd@m2%PcL3S#JYL5h<$F`E0Kqgy z$?0rZ6_v;mP|%zcV5F@Aldk=D(oeTYS8XT#=K9~HQNZh_3rzZ8Y~(tf@7bIke8q25 zN^`{>BTDoF9+d5HQ6F;YH!E)$IyXs}eK2mD?lLE%ep=dSgFwPk&JPQw-}J}{rQ4-o zQp?@)%&2tKF39GDN~DT36Unku1*I32qKK5Ze0)|uJ=y%g`#aB`uhKe+^HfLcMl6gF zj`UD*K3-cs)xV?WutaoMN1ijcfYrQoR#sxT)R)w-jM21r`Ah7W9k$oVjarEGKi?CN>iY(IxVz|i_#F26pVmmy>wID1yCyrz Wyh}EgmUL_#SQ^LR$|Etzp8a3CbdCA| literal 0 HcmV?d00001 diff --git a/tests/result/adult_content.pcap.out b/tests/result/adult_content.pcap.out new file mode 100644 index 000000000..8f7ed8a13 --- /dev/null +++ b/tests/result/adult_content.pcap.out 
@@ -0,0 +1,25 @@ +Guessed flow protos: 0 + +DPI Packets (UDP): 4 (4.00 pkts/flow) +Confidence DPI : 1 (flows) +Num dissector calls: 142 (142.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/3/0 (insert/search/found) +LRU cache zoom: 0/0/0 (insert/search/found) +LRU cache stun: 2/10/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache stun_zoom: 0/0/0 (insert/search/found) +Automa host: 0/0 (search/found) +Automa domain: 0/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 1/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 2/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia protocols: 2/0 (search/found) + +AdultContent 25 7972 1 + + 1 UDP 192.168.1.199:42759 <-> 31.220.27.69:80 [proto: 78.108/STUN.AdultContent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: AdultContent/34][11 pkts/3593 bytes <-> 14 pkts/4379 bytes][Goodput ratio: 87/87][0.22 sec][Hostname/SNI: b-eu14.stripcdn.com][bytes ratio: -0.099 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/14 55/54 17/17][Pkt Len c2s/s2c min/avg/max/stddev: 62/94 327/313 1246/1418 350/353][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (NurOKA)][Plen Bins: 8,8,12,24,8,16,0,0,4,0,0,0,0,0,0,0,4,0,0,0,4,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,4,0,0,0,0] diff --git a/tests/result/http_guessed_host_and_guessed.pcapng.out b/tests/result/http_guessed_host_and_guessed.pcapng.out index b79d63cca..1c4c208ca 100644 --- a/tests/result/http_guessed_host_and_guessed.pcapng.out +++ b/tests/result/http_guessed_host_and_guessed.pcapng.out 
@@ -1,17 +1,17 @@ -Guessed flow protos: 1 +Guessed flow protos: 0 DPI Packets (TCP): 1 (1.00 pkts/flow) -Confidence DPI (partial) : 1 (flows) -Num dissector calls: 116 (116.00 diss/flow) +Confidence DPI : 1 (flows) +Num dissector calls: 13 (13.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) -LRU cache bittorrent: 0/3/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) -LRU cache mining: 0/1/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) LRU cache stun_zoom: 0/0/0 (insert/search/found) -Automa host: 1/0 (search/found) +Automa host: 1/1 (search/found) Automa domain: 1/0 (search/found) Automa tls cert: 0/0 (search/found) Automa risk mask: 1/0 (search/found) 
@@ -20,6 +20,6 @@ Patricia risk mask: 2/0 (search/found) Patricia risk: 0/0 (search/found) Patricia protocols: 1/1 (search/found) -Alibaba 1 123 1 +AdultContent 1 123 1 - 1 TCP 170.33.13.5:110 -> 192.168.0.1:179 [proto: 2.274/POP3.Alibaba][IP: 274/Alibaba][ClearText][Confidence: DPI (partial)][DPI packets: 1][cat: Email/3][1 pkts/123 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][< 1 sec][Hostname/SNI: pornhub.com][Risk: ** Unsafe Protocol **** Unidirectional Traffic **** TCP Connection Issues **][Risk Score: 70][Risk Info: No client to server traffic / TCP probing attempt][PLAIN TEXT (6 HTTP/1.1)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 TCP 170.33.13.5:110 -> 192.168.0.1:179 [proto: 7.108/HTTP.AdultContent][IP: 274/Alibaba][ClearText][Confidence: DPI][DPI packets: 1][cat: AdultContent/34][1 pkts/123 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][< 1 sec][Hostname/SNI: pornhub.com][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No client to server traffic / Expected on port 80][PLAIN TEXT (6 HTTP/1.1)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]