diff --git a/doc/configuration_parameters.rst b/doc/configuration_parameters.rst
index e229f921d..31a5ba2dd 100644
--- a/doc/configuration_parameters.rst
+++ b/doc/configuration_parameters.rst
@@ -208,7 +208,7 @@ List of the supported configuration options:
 | | | | | | SurfSharkVPN, Teamviewer, Telegram, Tencent, Threema, TOR, Twitch, Twitter, VK, Yandex, Yandex Cloud, Webex, Whatsapp, Zoom |
 +--------------+---------------------------------------------------------------+-----------------+------------+------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+
 | $PROTO_NAME | "monitoring" | disable | NULL | NULL | Enable/disable monitoring state for this specific protocol. Use "any" as protocol name if you want to easily enable/disable monitoring feature for all protocols. |
-| | | | | | This knob is valid only for the following protocols: Stun. Monitoring allows nDPI to process the entire flow (i.e. all its packets), without any limits. |
+| | | | | | This knob is valid only for the following protocols: S7Comm, Stun. Monitoring allows nDPI to process the entire flow (i.e. all its packets), without any limits. |
 | | | | | | See doc/monitoring.md for further details |
 +--------------+---------------------------------------------------------------+-----------------+------------+------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+
 | $PROTO_NAME | "enable" | enable | NULL | NULL | Enable/disable the specific protocol. Use "any" or "all" as protocol name if you want to easily enable/disable all protocols. |
diff --git a/doc/monitoring.rst b/doc/monitoring.rst
index 53dcbea9c..21045aa00 100644
--- a/doc/monitoring.rst
+++ b/doc/monitoring.rst
@@ -20,7 +20,7 @@ In other words:
 - "(current) packet metadata" is saved in ``ndpi_flow->monitor``, only if monitor is enabled.
 Monitoring must be explicitly enabled with something like: ``--cfg=stun,monitoring,1``.
-To enable/disable monitoring for all protocols you can use ``--cfg=any,monitoring,1`` but only STUN is supported right now.
+To enable/disable monitoring for all protocols you can use ``--cfg=any,monitoring,1`` but only STUN and S7COMM are supported right now.
 Since monitoring processes *all* the flow packets, it might have an impact on performances.
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 6e8715b0b..07df6573b 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -2487,7 +2487,8 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
 print_ndpi_address_port_list_file(out, "Other IP/Port", &flow->stun.other_address);
 /* These counters make sense only if the flow entered the monitor state */
- if(flow->num_packets_before_monitoring > 0)
+ if(flow->num_packets_before_monitoring > 0 &&
+ (flow->stun.rtp_counters[0] > 0 || flow->stun.rtp_counters[1] > 0))
 fprintf(out, "[RTP packets: %d/%d]", flow->stun.rtp_counters[0], flow->stun.rtp_counters[1]);
 if(flow->http.url[0] != '\0')
@@ -3448,7 +3449,8 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle,
 }
 char buf[16];
- if(ndpi_get_config(ndpi_thread_info[thread_id].workflow->ndpi_struct, "stun", "monitoring", buf, sizeof(buf)) != NULL) {
+ if(ndpi_get_config(ndpi_thread_info[thread_id].workflow->ndpi_struct, "stun", "monitoring", buf, sizeof(buf)) != NULL ||
+ ndpi_get_config(ndpi_thread_info[thread_id].workflow->ndpi_struct, "s7comm", "monitoring", buf, sizeof(buf)) != NULL) {
 if(atoi(buf))
 monitoring_enabled = 1;
 }
diff --git a/fuzz/fuzz_ndpi_reader.c b/fuzz/fuzz_ndpi_reader.c
index e90e1706b..d7e5de13f 100644
--- a/fuzz/fuzz_ndpi_reader.c
+++ b/fuzz/fuzz_ndpi_reader.c
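Review bot: The `||` in the new setupDetection condition short-circuits on the first `ndpi_get_config` call, so if the lookup returns non-NULL whenever the `stun` knob exists (which is what the `!= NULL` test assumes), the `s7comm` value is never read and `--cfg=s7comm,monitoring,1` on its own leaves `monitoring_enabled` at 0, because only the stun value ever reaches `atoi(buf)`. Each protocol's knob should be fetched and tested on its own, as below, which also makes the next monitored protocol a one-entry addition instead of another `||` clause. setupDetection continues outside the hunk.
```c
  char buf[16];
  /* Every protocol that supports the "monitoring" knob; extend as dissectors gain monitoring */
  static const char *const monitored_protos[] = { "stun", "s7comm" };
  for(size_t i = 0; i < sizeof(monitored_protos) / sizeof(monitored_protos[0]); i++) {
    if(ndpi_get_config(ndpi_thread_info[thread_id].workflow->ndpi_struct,
                       monitored_protos[i], "monitoring", buf, sizeof(buf)) != NULL &&
       atoi(buf))
      monitoring_enabled = 1;
  }
```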
@@ -143,7 +143,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 assert(ndpi_set_config(workflow->ndpi_struct, "tls", "metadata.ja4r_fingerprint", "1") == NDPI_CFG_OK);
 assert(ndpi_set_config(workflow->ndpi_struct, "tls", "dpi.heuristics", "0x07") == NDPI_CFG_OK);
 assert(ndpi_set_config(workflow->ndpi_struct, "tls", "dpi.heuristics.max_packets_extra_dissection", "40") == NDPI_CFG_OK);
- assert(ndpi_set_config(workflow->ndpi_struct, "stun", "monitoring", "1") == NDPI_CFG_OK);
+ assert(ndpi_set_config(workflow->ndpi_struct, "all", "monitoring", "1") == NDPI_CFG_OK);
 assert(ndpi_set_config(workflow->ndpi_struct, NULL, "dpi.address_cache_size", "8192") == NDPI_CFG_OK);
 assert(ndpi_set_config(workflow->ndpi_struct, NULL, "hostname_dns_check", "1") == NDPI_CFG_OK);
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index d6bee5dfa..8c7cb8772 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1824,6 +1824,22 @@ struct ndpi_flow_struct {
 u_int16_t user_id;
 } bfcp;
+ struct {
+ u_int16_t num_requests; /* Total number of requests (Job messages) */
+ u_int16_t num_responses; /* Total number of responses (Ack_Data messages) */
+ u_int8_t num_acks; /* Number of acknowledgments without data */
+ u_int8_t num_userdata; /* Number of UserData messages */
+ /* Function code counters (top 8 most common S7Comm functions) */
+ u_int8_t num_read_var; /* Read Var (0x04) */
+ u_int8_t num_write_var; /* Write Var (0x05) */
+ u_int8_t num_setup_comm; /* Setup Communication (0xF0) */
+ u_int8_t num_download; /* Download (0x1A) */
+ u_int8_t num_upload; /* Upload (0x1B) */
+ u_int8_t num_plc_control; /* PLC Control (0x28) */
+ u_int8_t num_plc_stop; /* PLC Stop (0x29) */
+ u_int8_t num_other_funcs; /* Other function codes */
+ } s7comm;
+
 } protos;
 /* **Packet** metadata for flows where monitoring is enabled. It is reset after each packet! */
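Review bot: The new s7comm counters are `u_int8_t` (requests/responses `u_int16_t`) while the increments in `ndpi_parse_s7comm_message` are unconditional and, with monitoring enabled, run over every packet of the flow, so a session that polls a PLC with a few hundred Read Var requests wraps `num_read_var` back to 0 and the statistics become misleading precisely on the long sessions monitoring exists to cover. Either widen them (free if `protos` is a union, which this hunk does not show) or saturate, e.g. `if(flow->protos.s7comm.num_read_var < 0xff) flow->protos.s7comm.num_read_var++;`, and state the chosen behaviour in the field comments. The comment `top 8 most common S7Comm functions` counts seven named codes plus `num_other_funcs`; `seven named function codes plus a catch-all` would match the fields. The enclosing `struct ndpi_flow_struct` starts and ends outside the hunk.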
diff --git a/src/lib/protocols/s7comm.c b/src/lib/protocols/s7comm.c
index 24906551b..feafbf45a 100644
--- a/src/lib/protocols/s7comm.c
+++ b/src/lib/protocols/s7comm.c
@@ -33,32 +33,196 @@
 #define S7COMM_MAGIC_BYTE 0x32
 #define S7COMM_PLUS_MAGIC_BYTE 0x72
+/* S7Comm Message Types */
+#define S7COMM_MSG_JOB 0x01 /* Request */
+#define S7COMM_MSG_ACK 0x02 /* Acknowledgment without data */
+#define S7COMM_MSG_ACK_DATA 0x03 /* Response with data */
+#define S7COMM_MSG_USERDATA 0x07 /* UserData (programming/debugging) */
+
+/* S7Comm Function Codes (in Job messages) */
+#define S7COMM_FUNC_READ_VAR 0x04 /* Read Var */
+#define S7COMM_FUNC_WRITE_VAR 0x05 /* Write Var */
+#define S7COMM_FUNC_DOWNLOAD 0x1A /* Download block */
+#define S7COMM_FUNC_UPLOAD 0x1B /* Upload block */
+#define S7COMM_FUNC_PLC_CONTROL 0x28 /* PLC Control */
+#define S7COMM_FUNC_PLC_STOP 0x29 /* PLC Stop */
+#define S7COMM_FUNC_SETUP_COMM 0xF0 /* Setup Communication */
+
+/* S7Comm header offsets (after TPKT + COTP) */
+#define S7COMM_HEADER_PROTOCOL_ID 0 /* Protocol ID (0x32) */
+#define S7COMM_HEADER_MSG_TYPE 1 /* Message type */
+#define S7COMM_HEADER_RESERVED 2 /* Reserved (2 bytes) */
+#define S7COMM_HEADER_PDU_REF 4 /* PDU reference (2 bytes) */
+#define S7COMM_HEADER_PARAM_LEN 6 /* Parameter length (2 bytes) */
+#define S7COMM_HEADER_DATA_LEN 8 /* Data length (2 bytes) */
+#define S7COMM_HEADER_ERR_CLASS 10 /* Error class (1 bytes); only in Ack or Ack-Data messages */
+#define S7COMM_HEADER_ERR_CODE 11 /* Error code (1 bytes); only in Ack or Ack-Data messages */
+#define S7COMM_HEADER_MIN_LEN 10 /* Minimum header length */
+#define S7COMM_HEADER_MIN_LEN_ACKS 12 /* Minimum header length (for Ack or Ack-Data messages) */
+
+/* For Ack_Data messages, there's an error code before parameters */
+#define S7COMM_ACK_DATA_ERROR_CODE 10 /* Error code (2 bytes, only in Ack_Data) */
+#define S7COMM_ACK_DATA_PARAM_START 12 /* Parameter start for Ack_Data */
+#define S7COMM_JOB_PARAM_START 10 /* Parameter start for Job */
+#define S7COMM_USERDATA_PARAM_START 10 /* Parameter start for Userdata */
+
+/* Helper function to parse S7Comm message and update statistics */
+static void ndpi_parse_s7comm_message(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow,
+ const u_int8_t *s7comm_header,
+ u_int16_t s7comm_len)
+{
+ u_int8_t msg_type;
+ u_int16_t param_len;
+ u_int8_t function_code;
+
+ /* Need at least the minimum S7Comm header */
+ if (s7comm_len < S7COMM_HEADER_MIN_LEN)
+ return;
+
+ if(flow->monit == NULL)
+ flow->monit = ndpi_calloc(1, sizeof(struct ndpi_metadata_monitoring));
+
+ msg_type = s7comm_header[S7COMM_HEADER_MSG_TYPE];
+ param_len = ntohs(get_u_int16_t(s7comm_header, S7COMM_HEADER_PARAM_LEN));
+
+ /* Ack and Ack_data header is longer */
+ if((msg_type == S7COMM_MSG_ACK || msg_type == S7COMM_MSG_ACK_DATA) &&
+ s7comm_len < S7COMM_HEADER_MIN_LEN_ACKS)
+ return;
+
+ NDPI_LOG_DBG2(ndpi_struct, "S7Comm msg_type=0x%02x, param_len=%u\n", msg_type, param_len);
+
+ /* Update message type counters */
+ switch(msg_type) {
+ case S7COMM_MSG_JOB:
+ flow->protos.s7comm.num_requests++;
+
+ /* Parse function code from parameter section for Job messages */
+ if (param_len > 0 && s7comm_len > S7COMM_JOB_PARAM_START) {
+ function_code = s7comm_header[S7COMM_JOB_PARAM_START];
+ NDPI_LOG_DBG2(ndpi_struct, "S7Comm Job function_code=0x%02x\n", function_code);
+
+ /* Update function-specific counters */
+ switch(function_code) {
+ case S7COMM_FUNC_READ_VAR:
+ flow->protos.s7comm.num_read_var++;
+ break;
+ case S7COMM_FUNC_WRITE_VAR:
+ flow->protos.s7comm.num_write_var++;
+ break;
+ case S7COMM_FUNC_SETUP_COMM:
+ flow->protos.s7comm.num_setup_comm++;
+ break;
+ case S7COMM_FUNC_DOWNLOAD:
+ flow->protos.s7comm.num_download++;
+ break;
+ case S7COMM_FUNC_UPLOAD:
+ flow->protos.s7comm.num_upload++;
+ break;
+ case S7COMM_FUNC_PLC_CONTROL:
+ flow->protos.s7comm.num_plc_control++;
+ break;
+ case S7COMM_FUNC_PLC_STOP:
+ flow->protos.s7comm.num_plc_stop++;
+ break;
+ default:
+ flow->protos.s7comm.num_other_funcs++;
+ break;
+ }
+ }
+ break;
+
+ case S7COMM_MSG_ACK:
+ flow->protos.s7comm.num_acks++;
+ break;
+
+ case S7COMM_MSG_ACK_DATA:
+ flow->protos.s7comm.num_responses++;
+ /* Could also parse the function code from Ack_Data if needed */
+ if (param_len > 0 && s7comm_len > S7COMM_ACK_DATA_PARAM_START) {
+ function_code = s7comm_header[S7COMM_ACK_DATA_PARAM_START];
+ NDPI_LOG_DBG2(ndpi_struct, "S7Comm Ack_Data function_code=0x%02x\n", function_code);
+ }
+ break;
+
+ case S7COMM_MSG_USERDATA:
+ flow->protos.s7comm.num_userdata++;
+ break;
+
+ default:
+ NDPI_LOG_DBG2(ndpi_struct, "S7Comm unknown msg_type=0x%02x\n", msg_type);
+ break;
+ }
+}
+
+/* Callback function for continuous packet processing after detection */
+static int ndpi_search_s7comm_again(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow)
+{
+ struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
+ u_int8_t s7comm_offset = 7; /* TPKT(4) + COTP(3) = offset 7 for S7Comm header */
+
+ NDPI_LOG_DBG2(ndpi_struct, "S7Comm extra dissection\n");
+
+ /* Skip retransmissions and empty packets */
+ if (packet->tcp_retransmission || packet->payload_packet_len == 0)
+ return 1; /* Continue extra dissection */
+
+ /* Parse S7Comm messages for statistics throughout the session */
+ if (tpkt_verify_hdr(packet) && (packet->payload_packet_len > s7comm_offset + S7COMM_HEADER_MIN_LEN)) {
+ if (packet->payload[s7comm_offset] == S7COMM_MAGIC_BYTE) {
+ ndpi_parse_s7comm_message(ndpi_struct, flow,
+ &packet->payload[s7comm_offset],
+ packet->payload_packet_len - s7comm_offset);
+ }
+ }
+
+ return 1; /* Continue extra dissection */
+}
+
 static void ndpi_search_s7comm(struct ndpi_detection_module_struct *ndpi_struct,
 struct ndpi_flow_struct *flow)
 {
 struct ndpi_packet_struct const * const packet = ndpi_get_packet_struct(ndpi_struct);
+ u_int8_t s7comm_offset = 7; /* TPKT(4) + COTP(3) = offset 7 for S7Comm header */
 NDPI_LOG_DBG(ndpi_struct, "search S7comm\n");
+ /* Initial detection */
 if (tpkt_verify_hdr(packet) && (packet->payload_packet_len > 17) && ((packet->tcp->source ==
 htons(TPKT_PORT)) || (packet->tcp->dest == htons(TPKT_PORT)))) {
- if (packet->payload[7] == S7COMM_PLUS_MAGIC_BYTE) {
+ if (packet->payload[s7comm_offset] == S7COMM_PLUS_MAGIC_BYTE) {
 const u_int16_t trail_byte_offset = packet->payload_packet_len - 4;
 if (packet->payload[trail_byte_offset] == S7COMM_PLUS_MAGIC_BYTE) {
 NDPI_LOG_INFO(ndpi_struct, "found S7CommPlus\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_S7COMM_PLUS,
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_S7COMM_PLUS,
 NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ /* TODO: monitoring? */
 return;
- }
- } else if (packet->payload[7] == S7COMM_MAGIC_BYTE) {
- if (((packet->payload[8] <= 0x03) || (packet->payload[8] == 0x07)) &&
- (get_u_int16_t(packet->payload, 9) == 0))
+ }
+ } else if (packet->payload[s7comm_offset] == S7COMM_MAGIC_BYTE) {
+ if (((packet->payload[s7comm_offset + 1] <= 0x03) || (packet->payload[s7comm_offset + 1] == 0x07)) &&
+ (get_u_int16_t(packet->payload, s7comm_offset + 2) == 0))
 {
 NDPI_LOG_INFO(ndpi_struct, "found S7Comm\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_S7COMM,
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_S7COMM,
 NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+
+ if(is_monitoring_enabled(ndpi_struct, NDPI_PROTOCOL_S7COMM)) {
+ /* Parse this first message for statistics.
+ * It makes sense only in monitoring */
+ ndpi_parse_s7comm_message(ndpi_struct, flow,
+ &packet->payload[s7comm_offset],
+ packet->payload_packet_len - s7comm_offset);
+
+ NDPI_LOG_DBG(ndpi_struct, "Enabled monitoring\n");
+ flow->state = NDPI_STATE_MONITORING;
+ /* No extra dissection, we move directly to monitor state */
+ flow->extra_packets_func = ndpi_search_s7comm_again;
+ }
 return;
 }
 }
diff --git a/tests/cfgs/default/pcap/ethernet_ip-cip.pcap b/tests/cfgs/default/pcap/ethernet_ip-cip.pcap
new file mode 100644
index 000000000..d2903441c
Binary files /dev/null and b/tests/cfgs/default/pcap/ethernet_ip-cip.pcap differ
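Review bot: `ndpi_parse_s7comm_message` reads `param_len` but never checks it against the bytes actually present, so a truncated or malformed PDU whose header claims a parameter block larger than the remaining payload is still counted as a valid Job/Ack_Data and its function code is taken from whatever byte sits at the parameter offset; after the Ack length check add `if(param_len > s7comm_len - S7COMM_HEADER_MIN_LEN) return;` (the earlier `s7comm_len < S7COMM_HEADER_MIN_LEN` guard keeps the subtraction non-negative). `ndpi_search_s7comm_again` takes the packet as `&ndpi_struct->packet` while `ndpi_search_s7comm` uses `ndpi_get_packet_struct(ndpi_struct)`; the two should agree. The comment `No extra dissection, we move directly to monitor state` reads as if no callback were installed, yet the next line installs one; `Skip the extra-dissection phase and enter monitoring directly; ndpi_search_s7comm_again is the per-packet callback in that state` says what happens. The `ndpi_calloc` result for `flow->monit` is not checked, which is harmless here since nothing in this hunk dereferences it, but a one-line comment saying the next packet retries the allocation would make that deliberate. `ndpi_search_s7comm` continues past the end of the hunk.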
diff --git a/tests/cfgs/default/pcap/ethernet_ip-cip_io.pcapng b/tests/cfgs/default/pcap/ethernet_ip-cip_io.pcapng
new file mode 100644
index 000000000..5657add20
Binary files /dev/null and b/tests/cfgs/default/pcap/ethernet_ip-cip_io.pcapng differ
diff --git a/tests/cfgs/default/pcap/s7comm.pcap b/tests/cfgs/default/pcap/s7comm.pcap
index a524d64f1..5046889d1 100644
Binary files a/tests/cfgs/default/pcap/s7comm.pcap and b/tests/cfgs/default/pcap/s7comm.pcap differ
diff --git a/tests/cfgs/default/result/ethernet_ip-cip.pcap.out b/tests/cfgs/default/result/ethernet_ip-cip.pcap.out
new file mode 100644
index 000000000..821bc1ea5
--- /dev/null
+++ b/tests/cfgs/default/result/ethernet_ip-cip.pcap.out
@@ -0,0 +1,37 @@ +DPI Packets (TCP): 2 (1.00 pkts/flow) +Confidence DPI : 2 (flows) +Num dissector calls: 2 (1.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 0/0/0 (insert/search/found) +Automa host: 0/0 (search/found) +Automa domain: 0/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 0/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 4/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) +Hash malicious ja4: 0/0 (search/found) +Hash malicious sha1: 0/0 (search/found) +Hash TCP fingerprints: 0/0 (search/found) +Hash public domain suffix: 0/0 (search/found) +Hash ja4 custom protos: 0/0 (search/found) +Hash fp custom protos: 0/0 (search/found) +Hash url custom protos: 0/0 (search/found) + +EthernetIP 268 46394 2 + +Acceptable 268 46394 2 + +Network 268 46394 2 + + 1 TCP 192.168.10.105:3033 <-> 192.168.10.120:44818 [proto: 278/EthernetIP][Stack: EthernetIP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 278/EthernetIP, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][134 pkts/21062 bytes <-> 133 pkts/25222 bytes][Goodput ratio: 66/72][20.01 sec][bytes ratio: -0.090 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 3/4 154/151 508/505 221/220][Pkt Len c2s/s2c min/avg/max/stddev: 110/110 157/190 264/347 71/104][PLAIN TEXT (00 Eastern Time )][Plen Bins: 0,61,0,9,0,0,15,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 TCP 10.100.90.51:37844 -> 10.100.40.11:44818 [VLAN: 90][proto: 278/EthernetIP][Stack: EthernetIP][IP: 
0/Unknown][ClearText][Confidence: DPI][FPC: 278/EthernetIP, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/110 bytes -> 0 pkts/0 bytes][Goodput ratio: 47/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (pycomm)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/ethernet_ip-cip_io.pcapng.out b/tests/cfgs/default/result/ethernet_ip-cip_io.pcapng.out new file mode 100644 index 000000000..cb80702bb --- /dev/null +++ b/tests/cfgs/default/result/ethernet_ip-cip_io.pcapng.out 
@@ -0,0 +1,36 @@ +DPI Packets (UDP): 1 (1.00 pkts/flow) +Confidence DPI : 1 (flows) +Num dissector calls: 1 (1.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 0/0/0 (insert/search/found) +Automa host: 0/0 (search/found) +Automa domain: 0/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 0/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 2/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) +Hash malicious ja4: 0/0 (search/found) +Hash malicious sha1: 0/0 (search/found) +Hash TCP fingerprints: 0/0 (search/found) +Hash public domain suffix: 0/0 (search/found) +Hash ja4 custom protos: 0/0 (search/found) +Hash fp custom protos: 0/0 (search/found) +Hash url custom protos: 0/0 (search/found) + +CIP 398 28690 1 + +Acceptable 398 28690 1 + +IoT-Scada 398 28690 1 + + 1 UDP 192.168.1.24:2222 <-> 192.168.1.22:2222 [proto: 393/CIP][Stack: CIP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 393/CIP, Confidence: DPI][DPI packets: 1][cat: IoT-Scada/31][Breed: Acceptable][368 pkts/26830 bytes <-> 30 pkts/1860 bytes][Goodput ratio: 42/32][0.00 sec][bytes ratio: 0.870 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/62 73/62 148/62 23/0][Plen Bins: 92,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/s7comm.pcap.out b/tests/cfgs/default/result/s7comm.pcap.out index e0261a7ec..a49ea7df4 100644 --- a/tests/cfgs/default/result/s7comm.pcap.out 
+++ b/tests/cfgs/default/result/s7comm.pcap.out @@ -1,13 +1,13 @@ -DPI Packets (TCP): 3 (3.00 pkts/flow) -Confidence DPI : 1 (flows) -Num dissector calls: 189 (189.00 diss/flow) +DPI Packets (TCP): 18 (4.50 pkts/flow) +Confidence DPI : 4 (flows) +Num dissector calls: 655 (163.75 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) -LRU cache fpc_dns: 0/1/0 (insert/search/found) +LRU cache fpc_dns: 0/3/0 (insert/search/found) Automa host: 0/0 (search/found) Automa domain: 0/0 (search/found) Automa tls cert: 0/0 (search/found) 
@@ -15,22 +15,25 @@ Automa risk mask: 0/0 (search/found) Automa common alpns: 0/0 (search/found) Patricia risk mask: 0/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) -Patricia risk: 0/0 (search/found) +Patricia risk: 1/0 (search/found) Patricia risk IPv6: 0/0 (search/found) -Patricia protocols: 2/0 (search/found) +Patricia protocols: 8/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) -Hash TCP fingerprints: 0/0 (search/found) +Hash TCP fingerprints: 2/0 (search/found) Hash public domain suffix: 0/0 (search/found) Hash ja4 custom protos: 0/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) -S7Comm 55 5260 1 +S7Comm 193 19127 4 -Acceptable 55 5260 1 +Acceptable 193 19127 4 -IoT-Scada 55 5260 1 +IoT-Scada 193 19127 4 - 1 TCP 192.168.1.10:4185 <-> 192.168.1.40:102 [proto: 249/S7Comm][Stack: S7Comm][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 3][cat: IoT-Scada/31][Breed: Acceptable][36 pkts/3146 bytes <-> 19 pkts/2114 bytes][Goodput ratio: 38/51][0.14 sec][bytes ratio: 0.196 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/3 3/6 8/12 3/3][Pkt Len c2s/s2c min/avg/max/stddev: 61/74 87/111 301/275 54/44][PLAIN TEXT (TestHMI00040)][Plen Bins: 53,32,9,0,0,0,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 TCP 134.217.61.131:51212 <-> 134.217.61.211:102 [proto: 249/S7Comm][Stack: S7Comm][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 249/S7Comm, Confidence: DPI][DPI packets: 1][cat: IoT-Scada/31][Breed: Acceptable][32 pkts/2944 bytes <-> 32 pkts/4268 bytes][Goodput ratio: 41/59][0.55 sec][bytes ratio: -0.184 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 3/3 12/16 108/108 20/27][Pkt Len c2s/s2c min/avg/max/stddev: 79/73 92/133 249/301 30/81][PLAIN TEXT (ES7 315)][Plen Bins: 
40,43,3,1,3,1,1,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 TCP 192.168.1.10:4185 <-> 192.168.1.40:102 [proto: 249/S7Comm][Stack: S7Comm][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 3][cat: IoT-Scada/31][Breed: Acceptable][36 pkts/3146 bytes <-> 19 pkts/2114 bytes][Goodput ratio: 38/51][0.14 sec][bytes ratio: 0.196 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/3 3/6 8/12 3/3][Pkt Len c2s/s2c min/avg/max/stddev: 61/74 87/111 301/275 54/44][PLAIN TEXT (TestHMI00040)][Plen Bins: 53,32,9,0,0,0,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 TCP 172.17.0.2:33028 <-> 172.17.0.2:102 [proto: 249/S7Comm][Stack: S7Comm][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: IoT-Scada/31][Breed: Acceptable][21 pkts/1825 bytes <-> 15 pkts/1993 bytes][Goodput ratio: 24/50][0.23 sec][bytes ratio: -0.044 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 9/11 56/101 18/30][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 87/133 145/447 20/96][TCP Fingerprint: 2_64_33280_db1b9381215d/Unknown][PLAIN TEXT (ES7 315)][Plen Bins: 33,45,8,0,8,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 TCP 192.168.1.180:1117 <-> 192.168.1.11:102 [proto: 249/S7Comm][Stack: S7Comm][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: IoT-Scada/31][Breed: Acceptable][20 pkts/1605 bytes <-> 18 pkts/1232 bytes][Goodput ratio: 22/20][7.11 sec][bytes ratio: 0.131 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/3 381/372 1004/871 476/355][Pkt Len c2s/s2c min/avg/max/stddev: 68/54 80/68 93/83 11/14][TCP Fingerprint: 2_128_65535_44bd01ba086e/Unknown][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 
diff --git a/tests/cfgs/default/result/s7comm2.pcap.out b/tests/cfgs/default/result/s7comm2.pcap.out
new file mode 100644
index 000000000..e0261a7ec
--- /dev/null
+++ b/tests/cfgs/default/result/s7comm2.pcap.out
@@ -0,0 +1,36 @@ +DPI Packets (TCP): 3 (3.00 pkts/flow) +Confidence DPI : 1 (flows) +Num dissector calls: 189 (189.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 0/1/0 (insert/search/found) +Automa host: 0/0 (search/found) +Automa domain: 0/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 0/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 2/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) +Hash malicious ja4: 0/0 (search/found) +Hash malicious sha1: 0/0 (search/found) +Hash TCP fingerprints: 0/0 (search/found) +Hash public domain suffix: 0/0 (search/found) +Hash ja4 custom protos: 0/0 (search/found) +Hash fp custom protos: 0/0 (search/found) +Hash url custom protos: 0/0 (search/found) + +S7Comm 55 5260 1 + +Acceptable 55 5260 1 + +IoT-Scada 55 5260 1 + + 1 TCP 192.168.1.10:4185 <-> 192.168.1.40:102 [proto: 249/S7Comm][Stack: S7Comm][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 3][cat: IoT-Scada/31][Breed: Acceptable][36 pkts/3146 bytes <-> 19 pkts/2114 bytes][Goodput ratio: 38/51][0.14 sec][bytes ratio: 0.196 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/3 3/6 8/12 3/3][Pkt Len c2s/s2c min/avg/max/stddev: 61/74 87/111 301/275 54/44][PLAIN TEXT (TestHMI00040)][Plen Bins: 53,32,9,0,0,0,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/monitoring/config.txt b/tests/cfgs/monitoring/config.txt index 6c7878a05..89c0b05ad 100644 --- a/tests/cfgs/monitoring/config.txt 
+++ b/tests/cfgs/monitoring/config.txt
@@ -1 +1 @@
---cfg=packets_limit_per_flow,64 --cfg=stun,monitoring,1 --cfg=stun,max_packets_extra_dissection,32 -U 0 -T 0
+--cfg=packets_limit_per_flow,64 --cfg=all,monitoring,1 --cfg=stun,max_packets_extra_dissection,32 -U 0 -T 0
diff --git a/tests/cfgs/monitoring/pcap/s7comm.pcap b/tests/cfgs/monitoring/pcap/s7comm.pcap
new file mode 120000
index 000000000..49a083f5a
--- /dev/null
+++ b/tests/cfgs/monitoring/pcap/s7comm.pcap
@@ -0,0 +1 @@
+../../default/pcap/s7comm.pcap
\ No newline at end of file
diff --git a/tests/cfgs/monitoring/result/s7comm.pcap.out b/tests/cfgs/monitoring/result/s7comm.pcap.out
new file mode 100644
index 000000000..f9ef3383a
--- /dev/null
+++ b/tests/cfgs/monitoring/result/s7comm.pcap.out
@@ -0,0 +1,39 @@ +DPI Packets (TCP): 193 (48.25 pkts/flow) +Confidence DPI : 4 (flows) +Num dissector calls: 655 (163.75 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 0/3/0 (insert/search/found) +Automa host: 0/0 (search/found) +Automa domain: 0/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 0/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 1/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 8/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) +Hash malicious ja4: 0/0 (search/found) +Hash malicious sha1: 0/0 (search/found) +Hash TCP fingerprints: 2/0 (search/found) +Hash public domain suffix: 0/0 (search/found) +Hash ja4 custom protos: 0/0 (search/found) +Hash fp custom protos: 0/0 (search/found) +Hash url custom protos: 0/0 (search/found) + +S7Comm 193 19127 4 + +Acceptable 193 19127 4 + +IoT-Scada 193 19127 4 + + 1 TCP 134.217.61.131:51212 <-> 134.217.61.211:102 [proto: 249/S7Comm][Stack: S7Comm][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 249/S7Comm, Confidence: DPI][DPI packets: 64][DPI packets before monitoring: 1][cat: IoT-Scada/31][Breed: Acceptable][32 pkts/2944 bytes <-> 32 pkts/4268 bytes][Goodput ratio: 41/59][0.55 sec][bytes ratio: -0.184 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 3/3 12/16 108/108 20/27][Pkt Len c2s/s2c min/avg/max/stddev: 79/73 92/133 249/301 30/81][PLAIN TEXT (ES7 315)][Plen Bins: 40,43,3,1,3,1,1,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 TCP 192.168.1.10:4185 <-> 192.168.1.40:102 [proto: 249/S7Comm][Stack: S7Comm][IP: 
0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 55][DPI packets before monitoring: 3][cat: IoT-Scada/31][Breed: Acceptable][36 pkts/3146 bytes <-> 19 pkts/2114 bytes][Goodput ratio: 38/51][0.14 sec][bytes ratio: 0.196 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/3 3/6 8/12 3/3][Pkt Len c2s/s2c min/avg/max/stddev: 61/74 87/111 301/275 54/44][PLAIN TEXT (TestHMI00040)][Plen Bins: 53,32,9,0,0,0,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 TCP 172.17.0.2:33028 <-> 172.17.0.2:102 [proto: 249/S7Comm][Stack: S7Comm][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 36][DPI packets before monitoring: 8][cat: IoT-Scada/31][Breed: Acceptable][21 pkts/1825 bytes <-> 15 pkts/1993 bytes][Goodput ratio: 24/50][0.23 sec][bytes ratio: -0.044 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 9/11 56/101 18/30][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 87/133 145/447 20/96][TCP Fingerprint: 2_64_33280_db1b9381215d/Unknown][PLAIN TEXT (ES7 315)][Plen Bins: 33,45,8,0,8,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 TCP 192.168.1.180:1117 <-> 192.168.1.11:102 [proto: 249/S7Comm][Stack: S7Comm][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 38][DPI packets before monitoring: 6][cat: IoT-Scada/31][Breed: Acceptable][20 pkts/1605 bytes <-> 18 pkts/1232 bytes][Goodput ratio: 22/20][7.11 sec][bytes ratio: 0.131 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/3 381/372 1004/871 476/355][Pkt Len c2s/s2c min/avg/max/stddev: 68/54 80/68 93/83 11/14][TCP Fingerprint: 2_128_65535_44bd01ba086e/Unknown][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/monitoring/result/signal_audiocall.pcapng.out b/tests/cfgs/monitoring/result/signal_audiocall.pcapng.out index 6e2dcd922..dfb3bfe9a 100644 
--- a/tests/cfgs/monitoring/result/signal_audiocall.pcapng.out
+++ b/tests/cfgs/monitoring/result/signal_audiocall.pcapng.out
@@ -35,6 +35,6 @@ Acceptable 268 50558 4 VoIP 268 50558 4 1 UDP 192.168.12.67:45419 <-> 35.219.226.11:54116 [proto: 78.269/STUN.SignalVoip][Stack: STUN.SignalVoip][IP: 284/GoogleCloud][Stream Content: Audio][ClearText][Confidence: DPI (cache)][FPC: 78.269/STUN.SignalVoip, Confidence: DPI][DPI packets: 178][DPI packets before monitoring: 33][cat: VoIP/10][Breed: Acceptable][91 pkts/20258 bytes <-> 87 pkts/18776 bytes][Goodput ratio: 81/81][16.10 sec][bytes ratio: 0.038 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 185/163 2145/2221 406/335][Pkt Len c2s/s2c min/avg/max/stddev: 70/70 223/216 337/337 105/106][Mapped IP/Port: 93.35.168.30:45251, 35.219.226.11:54116][RTP packets: 56/58][PLAIN TEXT (zaziGwgI)][Plen Bins: 6,15,11,11,0,0,0,0,46,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 UDP 192.168.12.67:45419 <-> 35.219.252.146:3478 [proto: 78.269/STUN.SignalVoip][Stack: STUN.SignalVoip][IP: 284/GoogleCloud][ClearText][Confidence: DPI][FPC: 78/STUN, Confidence: DPI][DPI packets: 58][DPI packets before monitoring: 33][cat: VoIP/10][Breed: Acceptable][29 pkts/3570 bytes <-> 29 pkts/4210 bytes][Goodput ratio: 66/71][19.07 sec][Hostname/SNI: signal.org][bytes ratio: -0.082 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 594/604 2518/2516 688/680][Pkt Len c2s/s2c min/avg/max/stddev: 62/94 123/145 182/182 41/34][Mapped IP/Port: 93.35.168.30:45250, 35.219.226.11:54116, 35.219.252.146:22269, 35.219.226.11:12261][Peer IP/Port: 35.219.226.11:12261, 35.219.226.11:54116, 35.219.226.11:10127][Relayed IP/Port: 35.219.252.146:22269][RTP packets: 0/0][PLAIN TEXT (BDIbPI2)][Plen Bins: 17,8,15,32,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 192.168.12.67:45419 <-> 35.219.252.146:3478 [proto: 78.269/STUN.SignalVoip][Stack: STUN.SignalVoip][IP: 284/GoogleCloud][ClearText][Confidence: DPI][FPC: 78/STUN, Confidence: DPI][DPI packets: 58][DPI packets before monitoring: 33][cat: VoIP/10][Breed: Acceptable][29 
pkts/3570 bytes <-> 29 pkts/4210 bytes][Goodput ratio: 66/71][19.07 sec][Hostname/SNI: signal.org][bytes ratio: -0.082 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 594/604 2518/2516 688/680][Pkt Len c2s/s2c min/avg/max/stddev: 62/94 123/145 182/182 41/34][Mapped IP/Port: 93.35.168.30:45250, 35.219.226.11:54116, 35.219.252.146:22269, 35.219.226.11:12261][Peer IP/Port: 35.219.226.11:12261, 35.219.226.11:54116, 35.219.226.11:10127][Relayed IP/Port: 35.219.252.146:22269][PLAIN TEXT (BDIbPI2)][Plen Bins: 17,8,15,32,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 3 UDP 192.168.12.67:45419 <-> 35.219.226.11:12261 [proto: 78.269/STUN.SignalVoip][Stack: STUN.SignalVoip][IP: 284/GoogleCloud][ClearText][Confidence: DPI (cache)][FPC: 78.269/STUN.SignalVoip, Confidence: DPI][DPI packets: 22][cat: VoIP/10][Breed: Acceptable][11 pkts/1238 bytes <-> 11 pkts/1454 bytes][Goodput ratio: 63/68][14.81 sec][bytes ratio: -0.080 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 97/26 1215/1207 2521/2521 1083/1093][Pkt Len c2s/s2c min/avg/max/stddev: 106/106 113/132 146/138 14/12][Mapped IP/Port: 93.35.168.30:45251, 35.219.226.11:12261][PLAIN TEXT (BV39hIkc1)][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 UDP 192.168.12.67:45419 <-> 35.216.234.234:3478 [proto: 78.269/STUN.SignalVoip][Stack: STUN.SignalVoip][IP: 284/GoogleCloud][ClearText][Confidence: DPI (cache)][FPC: 78/STUN, Confidence: DPI][DPI packets: 10][cat: VoIP/10][Breed: Acceptable][5 pkts/510 bytes <-> 5 pkts/542 bytes][Goodput ratio: 59/61][10.03 sec][Hostname/SNI: signal.org][bytes ratio: -0.030 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 8/8 2504/2504 9975/9975 4313/4313][Pkt Len c2s/s2c min/avg/max/stddev: 62/94 102/108 158/126 46/15][Mapped IP/Port: 93.35.168.30:45250][Relayed IP/Port: 35.216.234.234:45312][PLAIN TEXT (sWCyiFie)][Plen Bins: 
30,30,20,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/monitoring/result/stun.pcap.out b/tests/cfgs/monitoring/result/stun.pcap.out index b6a37fa35..7408f4755 100644 --- a/tests/cfgs/monitoring/result/stun.pcap.out +++ b/tests/cfgs/monitoring/result/stun.pcap.out 
@@ -47,9 +47,9 @@ JA Host Stats: 2 192.168.43.169 1 - 1 UDP 192.168.12.169:38123 <-> 31.13.86.54:40003 [proto: 78.268/STUN.FacebookVoip][Stack: STUN.FacebookVoip][IP: 119/Facebook][ClearText][Confidence: DPI][FPC: 78/STUN, Confidence: DPI][DPI packets: 75][DPI packets before monitoring: 33][cat: VoIP/10][Breed: Acceptable][40 pkts/6134 bytes <-> 35 pkts/4420 bytes][Goodput ratio: 73/67][10.09 sec][Hostname/SNI: turner.facebook][bytes ratio: 0.162 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 260/331 6004/5997 1040/1126][Pkt Len c2s/s2c min/avg/max/stddev: 70/68 153/126 190/174 31/39][Mapped IP/Port: 93.47.226.1:11162, 185.170.139.1:12176, 31.13.86.54:53789, 185.170.139.1:42272, 31.13.86.54:57556][Peer IP/Port: 192.168.0.102:44459, 10.36.43.120:42272, 185.170.139.1:44459, 185.170.139.1:12176, 185.170.139.1:42272, 31.13.86.54:57556][Relayed IP/Port: 31.13.86.54:53789][RTP packets: 0/0][PLAIN TEXT (unauthorized)][Plen Bins: 8,14,9,28,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 192.168.12.169:38123 <-> 31.13.86.54:40003 [proto: 78.268/STUN.FacebookVoip][Stack: STUN.FacebookVoip][IP: 119/Facebook][ClearText][Confidence: DPI][FPC: 78/STUN, Confidence: DPI][DPI packets: 75][DPI packets before monitoring: 33][cat: VoIP/10][Breed: Acceptable][40 pkts/6134 bytes <-> 35 pkts/4420 bytes][Goodput ratio: 73/67][10.09 sec][Hostname/SNI: turner.facebook][bytes ratio: 0.162 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 260/331 6004/5997 1040/1126][Pkt Len c2s/s2c min/avg/max/stddev: 70/68 153/126 190/174 31/39][Mapped IP/Port: 93.47.226.1:11162, 185.170.139.1:12176, 31.13.86.54:53789, 185.170.139.1:42272, 31.13.86.54:57556][Peer IP/Port: 192.168.0.102:44459, 10.36.43.120:42272, 185.170.139.1:44459, 185.170.139.1:12176, 185.170.139.1:42272, 31.13.86.54:57556][Relayed IP/Port: 31.13.86.54:53789][PLAIN TEXT (unauthorized)][Plen Bins: 8,14,9,28,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 2 
UDP 192.168.12.169:49153 <-> 142.250.82.99:3478 [proto: 30.404/DTLS.GoogleCall][Stack: STUN.DTLS.GoogleCall][IP: 126/Google][Stream Content: Audio][Encrypted][Confidence: DPI][FPC: 78.404/STUN.GoogleCall, Confidence: DPI][DPI packets: 33][cat: VoIP/10][Breed: Acceptable][18 pkts/2856 bytes <-> 15 pkts/3436 bytes][Goodput ratio: 74/82][2.12 sec][bytes ratio: -0.092 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 8/0 88/153 699/625 177/222][Pkt Len c2s/s2c min/avg/max/stddev: 107/76 159/229 588/1240 107/297][Mapped IP/Port: 93.47.225.70:12165][nDPI Fingerprint: c1d577a85c8ed52900cbc42aa007e9b3][DTLSv1.2][JA4: dd2i110700_c45550529adf_d9dd6182da81][JA3S: 1f5d6a6d0bc5d514dd84d13e6283d309][Issuer: CN=hangouts][Subject: CN=hangouts][Certificate SHA-1: 6C:D0:9A:70:A1:F1:9E:BF:8E:EF:FE:B6:F1:37:A3:E8:8A:3B:F7:C8][Validity: 2022-03-17 02:11:17 - 2023-03-18 02:11:17][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (BwlkYDtFJ)][Plen Bins: 0,6,57,21,6,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0] - 3 UDP [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603]:56880 <-> [2a38:e156:8167:a333:face:b00c::24d9]:3478 [proto: 78/STUN][Stack: STUN][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 78/STUN, Confidence: DPI][DPI packets: 42][DPI packets before monitoring: 33][cat: Network/14][Breed: Acceptable][21 pkts/1722 bytes <-> 21 pkts/2226 bytes][Goodput ratio: 24/41][191.49 sec][bytes ratio: -0.128 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/2 9451/9451 10358/10358 2441/2441][Pkt Len c2s/s2c min/avg/max/stddev: 82/106 82/106 82/106 0/0][Mapped IP/Port: [2001:1670:c:eb04:70af:f67f:8e49:f603]:56880][RTP packets: 0/0][PLAIN TEXT (WOBTrOXR)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 UDP [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603]:56880 <-> [2a38:e156:8167:a333:face:b00c::24d9]:3478 [proto: 78/STUN][Stack: STUN][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 78/STUN, Confidence: DPI][DPI 
packets: 42][DPI packets before monitoring: 33][cat: Network/14][Breed: Acceptable][21 pkts/1722 bytes <-> 21 pkts/2226 bytes][Goodput ratio: 24/41][191.49 sec][bytes ratio: -0.128 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/2 9451/9451 10358/10358 2441/2441][Pkt Len c2s/s2c min/avg/max/stddev: 82/106 82/106 82/106 0/0][Mapped IP/Port: [2001:1670:c:eb04:70af:f67f:8e49:f603]:56880][PLAIN TEXT (WOBTrOXR)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 TCP 87.47.100.17:3478 <-> 54.1.57.155:37257 [proto: 78/STUN][Stack: STUN][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 20][cat: Network/14][Breed: Acceptable][9 pkts/1494 bytes <-> 11 pkts/2178 bytes][Goodput ratio: 60/67][0.95 sec][Hostname/SNI: apps-host.com][bytes ratio: -0.186 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 104/96 267/252 102/93][Pkt Len c2s/s2c min/avg/max/stddev: 74/94 166/198 234/354 41/65][Mapped IP/Port: 5.37.217.126:37257][Peer IP/Port: 192.168.8.153:60001, 127.0.0.1:38763, 66.55.92.16:64920, 66.55.92.16:58225, 5.162.130.14:16947][Relayed IP/Port: 66.55.92.16:40576][PLAIN TEXT (Unauthorized)][Plen Bins: 10,0,15,21,42,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 5 TCP 10.77.110.51:41588 <-> 10.206.50.239:42000 [VLAN: 1611][proto: 78.38/STUN.TeamsCall][Stack: STUN.TeamsCall][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 15][cat: VoIP/10][Breed: Acceptable][7 pkts/1006 bytes <-> 8 pkts/1118 bytes][Goodput ratio: 58/57][1.05 sec][bytes ratio: -0.053 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 189/134 369/399 144/153][Pkt Len c2s/s2c min/avg/max/stddev: 70/64 144/140 164/172 31/43][Mapped IP/Port: 10.77.110.51:41588, 10.206.50.239:42000][TCP Fingerprint: 2_128_8192_5e2eda046ca7/Unknown][Plen Bins: 0,0,25,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 6 UDP 
192.168.12.169:43016 <-> 74.125.247.128:3478 [proto: 78.404/STUN.GoogleCall][Stack: STUN.GoogleCall][IP: 126/Google][ClearText][Confidence: DPI][FPC: 78/STUN, Confidence: DPI][DPI packets: 8][cat: VoIP/10][Breed: Acceptable][4 pkts/528 bytes <-> 4 pkts/408 bytes][Goodput ratio: 68/59][1.25 sec][Hostname/SNI: turn.l.google.com][bytes ratio: 0.128 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 9/23 342/409 974/1177 447/543][Pkt Len c2s/s2c min/avg/max/stddev: 62/74 132/102 198/122 61/19][Mapped IP/Port: 93.47.225.225:23616][Relayed IP/Port: 10.2.0.86:44908][PLAIN TEXT (BSnLfRxS6)][Plen Bins: 12,37,25,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/monitoring/result/stun_google_meet.pcapng.out b/tests/cfgs/monitoring/result/stun_google_meet.pcapng.out index e45a94c1a..fe77fdf66 100644 --- a/tests/cfgs/monitoring/result/stun_google_meet.pcapng.out +++ b/tests/cfgs/monitoring/result/stun_google_meet.pcapng.out 
@@ -43,7 +43,7 @@ JA Host Stats: 1 UDP [2001:b07:a3d:c112:48a1:1094:1227:281e]:45572 <-> [2001:4860:4864:6::81]:19305 [proto: 30.404/DTLS.GoogleCall][Stack: STUN.DTLS.GoogleCall][IP: 126/Google][Stream Content: Audio][Encrypted][Confidence: DPI][FPC: 78.404/STUN.GoogleCall, Confidence: DPI][DPI packets: 148][DPI packets before monitoring: 43][cat: VoIP/10][Breed: Acceptable][30 pkts/4693 bytes <-> 118 pkts/36197 bytes][Goodput ratio: 60/80][0.71 sec][bytes ratio: -0.770 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 22/2 152/74 32/9][Pkt Len c2s/s2c min/avg/max/stddev: 106/99 156/307 608/1265 88/113][Mapped IP/Port: [2001:b07:a3d:c112:48a1:1094:1227:281e]:45572][RTP packets: 11/104][nDPI Fingerprint: c1d577a85c8ed52900cbc42aa007e9b3][DTLSv1.2][JA4: dd2i110700_c45550529adf_d9dd6182da81][JA3S: 1f5d6a6d0bc5d514dd84d13e6283d309][Issuer: CN=hangouts][Subject: CN=hangouts][Certificate SHA-1: 07:CC:FC:28:04:F2:29:8F:E9:C4:BF:AC:F6:D2:BD:F2:BA:36:AD:31][Validity: 2023-10-11 02:02:47 - 2024-10-11 02:02:47][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (igoKAAiKAiADEA)][Plen Bins: 0,6,16,5,2,0,0,0,68,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 2 UDP 192.168.12.156:38152 <-> 142.250.82.76:19305 [proto: 30.404/DTLS.GoogleCall][Stack: STUN.DTLS.GoogleCall][IP: 126/Google][Stream Content: Audio][Encrypted][Confidence: DPI][FPC: 78.404/STUN.GoogleCall, Confidence: DPI][DPI packets: 74][DPI packets before monitoring: 43][cat: VoIP/10][Breed: Acceptable][28 pkts/4034 bytes <-> 46 pkts/12188 bytes][Goodput ratio: 71/84][0.87 sec][bytes ratio: -0.503 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 30/10 205/154 50/29][Pkt Len c2s/s2c min/avg/max/stddev: 87/79 144/265 587/1245 89/180][Mapped IP/Port: 93.35.171.209:39032][RTP packets: 11/31][nDPI Fingerprint: c1d577a85c8ed52900cbc42aa007e9b3][DTLSv1.2][JA4: dd2i110700_c45550529adf_d9dd6182da81][JA3S: 1f5d6a6d0bc5d514dd84d13e6283d309][Issuer: CN=hangouts][Subject: CN=hangouts][Certificate 
SHA-1: 49:1A:C7:70:3E:79:F9:C5:3D:0F:46:33:B7:A4:EC:54:B0:93:C9:61][Validity: 2023-06-19 17:32:20 - 2024-06-19 17:32:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (HrRgpad)][Plen Bins: 0,8,37,9,4,0,0,0,38,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0] 3 UDP 192.168.12.156:38152 <-> 142.250.82.76:3478 [proto: 30.404/DTLS.GoogleCall][Stack: STUN.DTLS.GoogleCall][IP: 126/Google][Stream Content: Audio][Encrypted][Confidence: DPI][FPC: 78.404/STUN.GoogleCall, Confidence: DPI][DPI packets: 79][DPI packets before monitoring: 43][cat: VoIP/10][Breed: Acceptable][55 pkts/7402 bytes <-> 24 pkts/3525 bytes][Goodput ratio: 69/71][6.63 sec][bytes ratio: 0.355 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/2 109/184 402/761 143/224][Pkt Len c2s/s2c min/avg/max/stddev: 87/82 135/147 423/579 69/115][Mapped IP/Port: 93.35.171.209:39032][RTP packets: 34/0][PLAIN TEXT (HrRgpad)][Plen Bins: 0,39,34,15,0,1,0,0,5,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 4 UDP 192.168.12.156:45400 <-> 142.250.82.76:3478 [proto: 78.404/STUN.GoogleCall][Stack: STUN.GoogleCall][IP: 126/Google][ClearText][Confidence: DPI][FPC: 78.404/STUN.GoogleCall, Confidence: DPI][DPI packets: 33][DPI packets before monitoring: 33][cat: VoIP/10][Breed: Acceptable][17 pkts/2694 bytes <-> 16 pkts/1696 bytes][Goodput ratio: 73/60][54.70 sec][bytes ratio: 0.227 (Upload)][IAT c2s/s2c min/avg/max/stddev: 90/78 3250/2028 17905/6554 4698/2127][Pkt Len c2s/s2c min/avg/max/stddev: 158/106 158/106 166/106 2/0][Mapped IP/Port: 93.35.171.209:39033][RTP packets: 0/0][PLAIN TEXT (HrRgpad)][Plen Bins: 0,0,48,51,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 UDP 192.168.12.156:45400 <-> 142.250.82.76:3478 [proto: 78.404/STUN.GoogleCall][Stack: STUN.GoogleCall][IP: 126/Google][ClearText][Confidence: DPI][FPC: 78.404/STUN.GoogleCall, Confidence: DPI][DPI packets: 33][DPI packets before monitoring: 33][cat: 
VoIP/10][Breed: Acceptable][17 pkts/2694 bytes <-> 16 pkts/1696 bytes][Goodput ratio: 73/60][54.70 sec][bytes ratio: 0.227 (Upload)][IAT c2s/s2c min/avg/max/stddev: 90/78 3250/2028 17905/6554 4698/2127][Pkt Len c2s/s2c min/avg/max/stddev: 158/106 158/106 166/106 2/0][Mapped IP/Port: 93.35.171.209:39033][PLAIN TEXT (HrRgpad)][Plen Bins: 0,0,48,51,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 5 UDP 192.168.12.156:38152 <-> 74.125.128.127:19302 [proto: 78.404/STUN.GoogleCall][Stack: STUN.GoogleCall][IP: 126/Google][ClearText][Confidence: DPI (cache)][FPC: 78/STUN, Confidence: DPI][DPI packets: 12][cat: VoIP/10][Breed: Acceptable][6 pkts/372 bytes <-> 6 pkts/444 bytes][Goodput ratio: 32/43][50.12 sec][bytes ratio: -0.088 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 10019/10019 10022/10021 10026/10025 3/3][Pkt Len c2s/s2c min/avg/max/stddev: 62/74 62/74 62/74 0/0][Mapped IP/Port: 93.35.171.209:39032][PLAIN TEXT (kAGNNzv)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 6 UDP 192.168.12.156:45400 <-> 74.125.128.127:19302 [proto: 78.404/STUN.GoogleCall][Stack: STUN.GoogleCall][IP: 126/Google][ClearText][Confidence: DPI (cache)][FPC: 78/STUN, Confidence: DPI][DPI packets: 12][cat: VoIP/10][Breed: Acceptable][6 pkts/372 bytes <-> 6 pkts/444 bytes][Goodput ratio: 32/43][50.12 sec][bytes ratio: -0.088 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 10020/10019 10022/10021 10026/10025 3/3][Pkt Len c2s/s2c min/avg/max/stddev: 62/74 62/74 62/74 0/0][Mapped IP/Port: 93.35.171.209:39033][PLAIN TEXT (tcEcaq476)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 7 UDP 192.168.12.156:45400 <-> 142.250.82.76:19305 [proto: 78.404/STUN.GoogleCall][Stack: STUN.GoogleCall][IP: 126/Google][ClearText][Confidence: DPI][FPC: 78.404/STUN.GoogleCall, Confidence: DPI][DPI packets: 4][cat: VoIP/10][Breed: Acceptable][2 pkts/324 bytes <-> 2 
pkts/212 bytes][Goodput ratio: 74/60][0.63 sec][Mapped IP/Port: 93.35.171.209:39033][PLAIN TEXT (ByyD/CC)][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/monitoring/result/stun_zoom.pcapng.out b/tests/cfgs/monitoring/result/stun_zoom.pcapng.out index 61266731b..6889d0032 100644 --- a/tests/cfgs/monitoring/result/stun_zoom.pcapng.out +++ b/tests/cfgs/monitoring/result/stun_zoom.pcapng.out 
@@ -38,5 +38,5 @@ JA Host Stats: 1 192.168.43.169 1 - 1 UDP 192.168.43.169:53065 <-> 134.224.90.111:8801 [proto: 30.189/DTLS.Zoom][Stack: STUN.DTLS.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][FPC: 78/STUN, Confidence: DPI][DPI packets: 40][DPI packets before monitoring: 22][cat: Video/26][Breed: Acceptable][19 pkts/3524 bytes <-> 21 pkts/6353 bytes][Goodput ratio: 77/86][1.19 sec][(Advertised) ALPNs: webrtc;c-webrtc][bytes ratio: -0.286 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 64/45 153/178 50/56][Pkt Len c2s/s2c min/avg/max/stddev: 91/56 185/303 231/1094 42/390][Mapped IP/Port: 93.33.105.111:8466][RTP packets: 0/0][nDPI Fingerprint: 53fc3595190d1a92663b2e552af49022][DTLSv1.2][JA4: dd2i0808wc_c6c2b6ec87e0_06b1ae923e2a][ServerNames: *.cloud.zoom.us][JA3S: 323ab23be4a686962b978f9ca6735add][Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1][Subject: C=US, ST=California, L=San Jose, O=Zoom Video Communications, Inc., CN=*.cloud.zoom.us][Certificate SHA-1: FD:F2:22:45:64:31:28:BD:2D:56:D6:F4:56:01:71:88:E3:4C:2C:D9][Firefox][Validity: 2022-01-22 00:00:00 - 2023-01-24 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256][PLAIN TEXT (webrtc)][Plen Bins: 5,15,27,2,27,10,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 UDP 192.168.43.169:48854 <-> 134.224.90.111:8801 [proto: 30.189/DTLS.Zoom][Stack: STUN.DTLS.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][FPC: 78/STUN, Confidence: DPI][DPI packets: 30][DPI packets before monitoring: 14][cat: Video/26][Breed: Acceptable][13 pkts/2491 bytes <-> 17 pkts/5890 bytes][Goodput ratio: 78/88][0.76 sec][(Advertised) ALPNs: webrtc;c-webrtc][bytes ratio: -0.406 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 73/43 200/286 59/80][Pkt Len c2s/s2c min/avg/max/stddev: 91/56 192/346 231/1094 40/422][Mapped IP/Port: 93.33.105.111:8466][RTP packets: 0/0][nDPI Fingerprint: 53fc3595190d1a92663b2e552af49022][DTLSv1.2][JA4: 
dd2i0808wc_c6c2b6ec87e0_06b1ae923e2a][ServerNames: *.cloud.zoom.us][JA3S: 323ab23be4a686962b978f9ca6735add][Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1][Subject: C=US, ST=California, L=San Jose, O=Zoom Video Communications, Inc., CN=*.cloud.zoom.us][Certificate SHA-1: FD:F2:22:45:64:31:28:BD:2D:56:D6:F4:56:01:71:88:E3:4C:2C:D9][Firefox][Validity: 2022-01-22 00:00:00 - 2023-01-24 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256][PLAIN TEXT (DCBD09778680)][Plen Bins: 10,13,23,0,26,10,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 192.168.43.169:53065 <-> 134.224.90.111:8801 [proto: 30.189/DTLS.Zoom][Stack: STUN.DTLS.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][FPC: 78/STUN, Confidence: DPI][DPI packets: 40][DPI packets before monitoring: 22][cat: Video/26][Breed: Acceptable][19 pkts/3524 bytes <-> 21 pkts/6353 bytes][Goodput ratio: 77/86][1.19 sec][(Advertised) ALPNs: webrtc;c-webrtc][bytes ratio: -0.286 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 64/45 153/178 50/56][Pkt Len c2s/s2c min/avg/max/stddev: 91/56 185/303 231/1094 42/390][Mapped IP/Port: 93.33.105.111:8466][nDPI Fingerprint: 53fc3595190d1a92663b2e552af49022][DTLSv1.2][JA4: dd2i0808wc_c6c2b6ec87e0_06b1ae923e2a][ServerNames: *.cloud.zoom.us][JA3S: 323ab23be4a686962b978f9ca6735add][Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1][Subject: C=US, ST=California, L=San Jose, O=Zoom Video Communications, Inc., CN=*.cloud.zoom.us][Certificate SHA-1: FD:F2:22:45:64:31:28:BD:2D:56:D6:F4:56:01:71:88:E3:4C:2C:D9][Firefox][Validity: 2022-01-22 00:00:00 - 2023-01-24 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256][PLAIN TEXT (webrtc)][Plen Bins: 5,15,27,2,27,10,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 192.168.43.169:48854 <-> 134.224.90.111:8801 [proto: 30.189/DTLS.Zoom][Stack: STUN.DTLS.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][FPC: 78/STUN, 
Confidence: DPI][DPI packets: 30][DPI packets before monitoring: 14][cat: Video/26][Breed: Acceptable][13 pkts/2491 bytes <-> 17 pkts/5890 bytes][Goodput ratio: 78/88][0.76 sec][(Advertised) ALPNs: webrtc;c-webrtc][bytes ratio: -0.406 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 73/43 200/286 59/80][Pkt Len c2s/s2c min/avg/max/stddev: 91/56 192/346 231/1094 40/422][Mapped IP/Port: 93.33.105.111:8466][nDPI Fingerprint: 53fc3595190d1a92663b2e552af49022][DTLSv1.2][JA4: dd2i0808wc_c6c2b6ec87e0_06b1ae923e2a][ServerNames: *.cloud.zoom.us][JA3S: 323ab23be4a686962b978f9ca6735add][Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1][Subject: C=US, ST=California, L=San Jose, O=Zoom Video Communications, Inc., CN=*.cloud.zoom.us][Certificate SHA-1: FD:F2:22:45:64:31:28:BD:2D:56:D6:F4:56:01:71:88:E3:4C:2C:D9][Firefox][Validity: 2022-01-22 00:00:00 - 2023-01-24 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256][PLAIN TEXT (DCBD09778680)][Plen Bins: 10,13,23,0,26,10,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/ossfuzz.sh b/tests/ossfuzz.sh index 2d9af778b..fa045e13f 100644 --- a/tests/ossfuzz.sh +++ b/tests/ossfuzz.sh 
@@ -48,15 +48,7 @@ cd ndpi
 ./autogen.sh && AR=llvm-ar RANLIB=llvm-ranlib LDFLAGS="-L/usr/local/lib -lpcap" ADDITIONAL_INCS="-I/usr/local/include/json-c/" ADDITIONAL_LIBS="-L/usr/local/lib -ljson-c" ./configure --disable-shared --enable-fuzztargets --enable-tls-sigs --with-only-libndpi
 make -j$(nproc)
 # Copy fuzzers
-# TEMPORARY HACK for #14297: let's check if introspector job failed because
-# we have too many fuzzers...
-if [[ "$SANITIZER" != "introspector" ]]; then
- ls fuzz/fuzz* | grep -v "\." | while read -r i; do cp "$i" "$OUT"/; done
-else
- ls fuzz/fuzz_ndpi_reader* | grep -v "\." | while read -r i; do cp "$i" "$OUT"/; done
- ls fuzz/fuzz_config | grep -v "\." | while read -r i; do cp "$i" "$OUT"/; done
- ls fuzz/fuzz_serialization | grep -v "\." | while read -r i; do cp "$i" "$OUT"/; done
-fi
+ls fuzz/fuzz* | grep -v "\." | while read -r i; do cp "$i" "$OUT"/; done
 # Copy dictionaries
 cp fuzz/*.dict "$OUT"/
 # Copy seed corpus
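Review bot: The single surviving copy line still selects fuzzers by parsing `ls` output through `grep -v "\."` inside a `while read` pipeline, which is the pattern ShellCheck flags as SC2010 and, because the loop body runs in a pipeline, a failing `cp` (missing or unbuilt target) does not stop the script even if `set -e` is enabled earlier in the file, which is not visible in this hunk. Now that the introspector special case is gone, a plain glob loop expresses the intent — copy every extension-less `fuzz/fuzz*` binary — and lets `cp` failures propagate: `for i in fuzz/fuzz*; do [[ "$i" == *.* ]] || cp "$i" "$OUT"/; done`. If the script does not run under `set -e`, append `|| exit 1` to the `cp` so a missing fuzzer is caught at build time rather than when OSS-Fuzz reports a target it cannot find; a one-line comment such as `# copy every fuzzer binary (files without an extension) into $OUT` would also replace the explanation that the removed hack comment used to provide.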