vrr/nDPI
2
0
Fork 0
mirror of https://github.com/vel21ripn/nDPI.git synced 2026-05-18 14:49:02 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Rework how hostname/SNI info is saved (#1330)

Browse source 
Looking at `struct ndpi_flow_struct` the two bigger fields are
`host_server_name[240]` (mainly for HTTP hostnames and DNS domains) and
`protos.tls_quic.client_requested_server_name[256]`
(for TLS/QUIC SNIs).

This commit aims to reduce `struct ndpi_flow_struct` size, according to
two simple observations:
 1) maximum one of these two fields is used for each flow. So it seems safe
to merge them;
 2) even if hostnames/SNIs might be very long, in practice they are rarely
longer than a fews tens of bytes. So, using a (single) large buffer is a
waste of memory for all kinds of flows. If we need to truncate the name,
we keep the *last* characters, easing domain matching.

Analyzing some real traffic, it seems safe to assume that the vast
majority of hostnames/SNIs is shorter than 80 bytes.

Hostnames/SNIs are always converted to lowercase.

Attention was given so as to be sure that unit-tests outputs are not
affected by this change.

Because of a bug, TLS/QUIC SNI were always truncated to 64 bytes (the
*first* 64 ones): as a consequence, there were some "Suspicious DGA
domain name" and "TLS Certificate Mismatch" false positives.
This commit is contained in:
Ivan Nardi 2021-11-24 10:46:48 +01:00 committed by GitHub
parent fd02e1b304
commit a8ffcd8bb0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
22 changed files with 167 additions and 188 deletions
Download patch file Download diff file Expand all files Collapse all files

38
example/ndpiReader.c
View file

@ -742,7 +742,7 @@ void extcap_capture() {
void printCSVHeader() {
if(!csv_fp) return;
fprintf(csv_fp, "#flow_id,protocol,first_seen,last_seen,duration,src_ip,src_port,dst_ip,dst_port,ndpi_proto_num,ndpi_proto,server_name,");
fprintf(csv_fp, "#flow_id,protocol,first_seen,last_seen,duration,src_ip,src_port,dst_ip,dst_port,ndpi_proto_num,ndpi_proto,server_name_sni,");
fprintf(csv_fp, "benign_score,dos_slow_score,dos_goldeneye_score,dos_hulk_score,ddos_score,hearthbleed_score,ftp_patator_score,ssh_patator_score,infiltration_score,");
fprintf(csv_fp, "c_to_s_pkts,c_to_s_bytes,c_to_s_goodput_bytes,s_to_c_pkts,s_to_c_bytes,s_to_c_goodput_bytes,");
fprintf(csv_fp, "data_ratio,str_data_ratio,c_to_s_goodput_ratio,s_to_c_goodput_ratio,");
@ -767,7 +767,7 @@ void printCSVHeader() {
fprintf(csv_fp, "c_to_s_init_win,s_to_c_init_win,");
/* Flow info */
fprintf(csv_fp, "client_info,server_info,");
fprintf(csv_fp, "server_info,");
fprintf(csv_fp, "tls_version,ja3c,tls_client_unsafe,");
fprintf(csv_fp, "ja3s,tls_server_unsafe,");
fprintf(csv_fp, "tls_alpn,tls_supported_versions,");
@ -1311,8 +1311,7 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
/* TCP window */
fprintf(csv_fp, "%u,%u,", flow->c_to_s_init_win, flow->s_to_c_init_win);
fprintf(csv_fp, "%s,%s,",
(flow->ssh_tls.client_requested_server_name[0] != '\0') ? flow->ssh_tls.client_requested_server_name : "",
fprintf(csv_fp, "%s,",
(flow->ssh_tls.server_info[0] != '\0') ? flow->ssh_tls.server_info : "");
fprintf(csv_fp, "%s,%s,%s,%s,%s,",
@ -1421,7 +1420,15 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
if(flow->telnet.username) fprintf(out, "[Username: %s]", flow->telnet.username);
if(flow->telnet.password) fprintf(out, "[Password: %s]", flow->telnet.password);
if(flow->host_server_name[0] != '\0') fprintf(out, "[Host: %s]", flow->host_server_name);
if((flow->detected_protocol.master_protocol != NDPI_PROTOCOL_TLS)
&& (flow->detected_protocol.app_protocol != NDPI_PROTOCOL_TLS)
&& (flow->detected_protocol.master_protocol != NDPI_PROTOCOL_QUIC)
&& (flow->detected_protocol.app_protocol != NDPI_PROTOCOL_QUIC)
&& (flow->detected_protocol.app_protocol != NDPI_PROTOCOL_SSH)
&& (flow->detected_protocol.master_protocol != NDPI_PROTOCOL_SSH)) {
if(flow->host_server_name[0] != '\0') fprintf(out, "[Host: %s]", flow->host_server_name);
}
if(flow->info[0] != '\0') fprintf(out, "[%s]", flow->info);
if(flow->flow_extra_info[0] != '\0') fprintf(out, "[%s]", flow->flow_extra_info);
@ -1482,7 +1489,16 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
}
if(flow->ssh_tls.ssl_version != 0) fprintf(out, "[%s]", ndpi_ssl_version2str(flow->ndpi_flow, flow->ssh_tls.ssl_version, &known_tls));
if(flow->ssh_tls.client_requested_server_name[0] != '\0') fprintf(out, "[Client: %s]", flow->ssh_tls.client_requested_server_name);
if((flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS)
|| (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS)
|| (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_QUIC)
|| (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_QUIC)
|| (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSH)
|| (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_SSH)) {
if(flow->host_server_name[0] != '\0') fprintf(out, "[Client: %s]", flow->host_server_name);
}
if(flow->ssh_tls.client_hassh[0] != '\0') fprintf(out, "[HASSH-C: %s]", flow->ssh_tls.client_hassh);
if(flow->ssh_tls.ja3_client[0] != '\0') fprintf(out, "[JA3C: %s%s]", flow->ssh_tls.ja3_client,
@ -2424,7 +2440,7 @@ static void printFlowsStats() {
newHost->host_server_info_hasht = NULL;
newHost->ip_string = all_flows[i].flow->src_name;
newHost->ip = all_flows[i].flow->src_ip;
newHost->dns_name = all_flows[i].flow->ssh_tls.client_requested_server_name;
newHost->dns_name = all_flows[i].flow->host_server_name;
ndpi_ja3_info *newJA3 = ndpi_malloc(sizeof(ndpi_ja3_info));
newJA3->ja3 = all_flows[i].flow->ssh_tls.ja3_client;
@ -2457,7 +2473,7 @@ static void printFlowsStats() {
newHost->ip = all_flows[i].flow->src_ip;
newHost->ip_string = all_flows[i].flow->src_name;
newHost->dns_name = all_flows[i].flow->ssh_tls.client_requested_server_name;;
newHost->dns_name = all_flows[i].flow->host_server_name;
ndpi_ja3_fingerprints_host *newElement = ndpi_malloc(sizeof(ndpi_ja3_fingerprints_host));
newElement->ja3 = all_flows[i].flow->ssh_tls.ja3_client;
@ -2474,7 +2490,7 @@ static void printFlowsStats() {
ndpi_ip_dns *newInnerElement = ndpi_malloc(sizeof(ndpi_ip_dns));
newInnerElement->ip = all_flows[i].flow->src_ip;
newInnerElement->ip_string = all_flows[i].flow->src_name;
newInnerElement->dns_name = all_flows[i].flow->ssh_tls.client_requested_server_name;
newInnerElement->dns_name = all_flows[i].flow->host_server_name;
HASH_ADD_INT(hostByJA3Found->ipToDNS_ht, ip, newInnerElement);
}
}
@ -2829,8 +2845,8 @@ static void printFlowsStats() {
printf("][similarity: %f]",
(similarity = ndpi_bin_similarity(&centroids[j], &bins[i], 0)));
if(all_flows[i].flow->ssh_tls.client_requested_server_name[0] != '\0')
fprintf(out, "[%s]", all_flows[i].flow->ssh_tls.client_requested_server_name);
if(all_flows[i].flow->host_server_name[0] != '\0')
fprintf(out, "[%s]", all_flows[i].flow->host_server_name);
if(enable_doh_dot_detection) {
if(((all_flows[i].flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS)

2
example/ndpiSimpleIntegration.c
View file

@ -924,7 +924,7 @@ static void ndpi_process_packet(uint8_t * const args,
ndpi_ssl_version2str(flow_to_process->ndpi_flow,
flow_to_process->ndpi_flow->protos.tls_quic.ssl_version,
&unknown_tls_version),
flow_to_process->ndpi_flow->protos.tls_quic.client_requested_server_name,
flow_to_process->ndpi_flow->host_server_name,
(flow_to_process->ndpi_flow->protos.tls_quic.alpn != NULL ?
flow_to_process->ndpi_flow->protos.tls_quic.alpn : "-"));
flow_to_process->tls_client_hello_seen = 1;

10
example/reader_util.c
View file

@ -1105,8 +1105,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
}
/* MDNS */
else if(is_ndpi_proto(flow, NDPI_PROTOCOL_MDNS)) {
char *name = (char*)flow->ndpi_flow->host_server_name; /* Trick to avoid warning(s) */
snprintf(flow->info, sizeof(flow->info), "%s", name);
snprintf(flow->info, sizeof(flow->info), "%s", flow->ndpi_flow->host_server_name);
}
/* UBNTAC2 */
else if(is_ndpi_proto(flow, NDPI_PROTOCOL_UBNTAC2)) {
@ -1161,8 +1160,8 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
if(flow->ndpi_flow->protos.telnet.password[0] != '\0')
flow->telnet.password = ndpi_strdup(flow->ndpi_flow->protos.telnet.password);
} else if(is_ndpi_proto(flow, NDPI_PROTOCOL_SSH)) {
snprintf(flow->ssh_tls.client_requested_server_name,
sizeof(flow->ssh_tls.client_requested_server_name), "%s",
snprintf(flow->host_server_name,
sizeof(flow->host_server_name), "%s",
flow->ndpi_flow->protos.ssh.client_signature);
snprintf(flow->ssh_tls.server_info, sizeof(flow->ssh_tls.server_info), "%s",
flow->ndpi_flow->protos.ssh.server_signature);
@ -1178,9 +1177,6 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
|| (flow->ndpi_flow->protos.tls_quic.ja3_client[0] != '\0')
) {
flow->ssh_tls.ssl_version = flow->ndpi_flow->protos.tls_quic.ssl_version;
snprintf(flow->ssh_tls.client_requested_server_name,
sizeof(flow->ssh_tls.client_requested_server_name), "%s",
flow->ndpi_flow->protos.tls_quic.client_requested_server_name);
snprintf(flow->http.user_agent, sizeof(flow->http.user_agent), "%s", flow->ndpi_flow->http.user_agent ? flow->ndpi_flow->http.user_agent : "");

4
example/reader_util.h
View file

@ -197,7 +197,7 @@ typedef struct ndpi_flow_info {
char info[255];
char flow_extra_info[16];
char host_server_name[240];
char host_server_name[80]; /* Hostname/SNI */
char *bittorent_hash;
char *dhcp_fingerprint;
char *dhcp_class_ident;
@ -205,7 +205,7 @@ typedef struct ndpi_flow_info {
struct {
u_int16_t ssl_version;
char client_requested_server_name[256], server_info[64],
char server_info[64],
client_hassh[33], server_hassh[33], *server_names,
*tls_alpn, *tls_supported_versions,
*tls_issuerDN, *tls_subjectDN,

7
python/ndpi.py
View file

@ -986,8 +986,8 @@ struct ndpi_flow_struct {
/* Place textual flow info here */
char flow_extra_info[16];
/* HTTP host or DNS query */
uint8_t host_server_name[240];
char host_server_name[80];
uint8_t initial_binary_bytes[8], initial_binary_bytes_len;
uint8_t risk_checked;
ndpi_risk risk; /* Issues found with this flow [bitmask of ndpi_risk] */
@ -1051,8 +1051,7 @@ struct ndpi_flow_struct {
struct {
char ssl_version_str[12];
uint16_t ssl_version, server_names_len;
char client_requested_server_name[64], *server_names,
*alpn, *tls_supported_versions, *issuerDN, *subjectDN;
char *server_names, *alpn, *tls_supported_versions, *issuerDN, *subjectDN;
uint32_t notBefore, notAfter;
char ja3_client[33], ja3_server[33];
uint16_t server_cipher;

2
python/ndpi_typestruct.py
View file

@ -686,7 +686,7 @@ NDPIFlowStruct._fields_ = [
("num_processed_pkts", c_uint8),
("extra_packets_func", CFUNCTYPE(c_int, POINTER(NDPIDetectionModuleStruct), POINTER(NDPIFlowStruct))),
("l4", L4),
("host_server_name", c_ubyte * 256),
("host_server_name", c_char * 80),
("http", Http),
("stun", Stun),
("ftp_imap_pop_smtp", FtpImapPopSmtp),

3
src/include/ndpi_main.h
View file

@ -155,6 +155,9 @@ extern "C" {
void load_common_alpns(struct ndpi_detection_module_struct *ndpi_str);
u_int8_t is_a_common_alpn(struct ndpi_detection_module_struct *ndpi_str,
const char *alpn_to_check, u_int alpn_to_check_len);
char *ndpi_hostname_sni_set(struct ndpi_flow_struct *flow, const u_int8_t *value, size_t value_len);
#ifdef __cplusplus
}
#endif

11
src/include/ndpi_typedefs.h
View file

@ -1193,8 +1193,14 @@ struct ndpi_flow_struct {
/* Place textual flow info here */
char flow_extra_info[16];
/* HTTP host or DNS query */
u_char host_server_name[240];
/* General purpose field used to save mainly hostname/SNI information.
* In details it used for: DNS and NETBIOS name, HTTP and DHCP hostname,
* WHOIS request, TLS/QUIC server name and STUN realm.
*
* Please, think *very* hard before increasing its size!
*/
char host_server_name[80];
u_int8_t initial_binary_bytes[8], initial_binary_bytes_len;
u_int8_t risk_checked:1, ip_risk_mask_evaluated:1, host_risk_mask_evaluated:1, _notused:5;
ndpi_risk risk_mask; /* Stores the flow risk mask for flow peers */
@ -1262,7 +1268,6 @@ struct ndpi_flow_struct {
struct {
char ssl_version_str[12];
u_int16_t ssl_version, server_names_len;
char client_requested_server_name[256]; /* SNI hostname length: RFC 4366 */
char *server_names, *alpn, *tls_supported_versions, *issuerDN, *subjectDN;
u_int32_t notBefore, notAfter;
char ja3_client[33], ja3_server[33];

55
src/lib/ndpi_main.c
View file

@ -4916,7 +4916,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
ndpi_set_detected_protocol(ndpi_str, flow, flow->guessed_protocol_id, NDPI_PROTOCOL_UNKNOWN);
}
else if((flow->protos.tls_quic.hello_processed == 1) &&
(flow->protos.tls_quic.client_requested_server_name[0] != '\0')) {
(flow->host_server_name[0] != '\0')) {
*protocol_was_guessed = 1;
ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN);
} else if(enable_guess) {
@ -5198,21 +5198,8 @@ void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_str,
if(flow->host_server_name[0] != '\0') {
u_int32_t id;
int rc = ndpi_match_custom_category(ndpi_str, (char *) flow->host_server_name,
strlen((char *) flow->host_server_name), &id);
if(rc == 0) {
flow->category = ret->category = (ndpi_protocol_category_t) id;
return;
}
}
if(flow->protos.tls_quic.hello_processed == 1 &&
flow->protos.tls_quic.client_requested_server_name[0] != '\0') {
u_int32_t id;
int rc = ndpi_match_custom_category(ndpi_str, (char *) flow->protos.tls_quic.client_requested_server_name,
strlen(flow->protos.tls_quic.client_requested_server_name), &id);
int rc = ndpi_match_custom_category(ndpi_str, flow->host_server_name,
strlen(flow->host_server_name), &id);
if(rc == 0) {
flow->category = ret->category = (ndpi_protocol_category_t) id;
return;
@ -5389,7 +5376,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
struct ndpi_id_struct *src, struct ndpi_id_struct *dst) {
struct ndpi_packet_struct *packet = &ndpi_str->packet;
NDPI_SELECTION_BITMASK_PROTOCOL_SIZE ndpi_selection_packet;
u_int32_t a, num_calls = 0;
u_int32_t num_calls = 0;
ndpi_protocol ret = { flow->detected_protocol_stack[1], flow->detected_protocol_stack[0], flow->category };
if(ndpi_str->ndpi_log_level >= NDPI_LOG_TRACE)
@ -5467,23 +5454,6 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
num_calls = ndpi_check_flow_func(ndpi_str, flow, &ndpi_selection_packet);
a = flow->detected_protocol_stack[0];
if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_str->detection_bitmask, a) == 0)
a = NDPI_PROTOCOL_UNKNOWN;
if(a != NDPI_PROTOCOL_UNKNOWN) {
unsigned int i;
for(i = 0; i < sizeof(flow->host_server_name); i++) {
if(flow->host_server_name[i] != '\0')
flow->host_server_name[i] = tolower(flow->host_server_name[i]);
else {
flow->host_server_name[i] = '\0';
break;
}
}
}
ret_protocols:
if(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN) {
ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0];
@ -7783,3 +7753,20 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
ndpi_risk_info* ndpi_risk2severity(ndpi_risk_enum risk) {
return(&ndpi_known_risks[risk]);
}
/* ******************************************************************** */
char *ndpi_hostname_sni_set(struct ndpi_flow_struct *flow, const u_int8_t *value, size_t value_len)
{
char *dst;
size_t len, i;
len = ndpi_min(value_len, sizeof(flow->host_server_name) - 1);
dst = flow->host_server_name;
for(i = 0; i < len; i++)
dst[i] = tolower(value[value_len - len + i]);
dst[i] = '\0';
return dst;
}

21
src/lib/ndpi_utils.c
View file

@ -862,12 +862,12 @@ static const char* ndpi_get_flow_info_by_proto_id(struct ndpi_flow_struct const
{
case NDPI_PROTOCOL_DNS:
case NDPI_PROTOCOL_HTTP:
return (char const *)flow->host_server_name;
return flow->host_server_name;
case NDPI_PROTOCOL_QUIC:
case NDPI_PROTOCOL_TLS:
if (flow->protos.tls_quic.hello_processed != 0)
{
return flow->protos.tls_quic.client_requested_server_name;
return flow->host_server_name;
}
break;
}
@ -1150,7 +1150,7 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
switch(l7_protocol.master_protocol ? l7_protocol.master_protocol : l7_protocol.app_protocol) {
case NDPI_PROTOCOL_DHCP:
ndpi_serialize_start_of_block(serializer, "dhcp");
ndpi_serialize_string_string(serializer, "hostname", (const char*)flow->host_server_name);
ndpi_serialize_string_string(serializer, "hostname", flow->host_server_name);
ndpi_serialize_string_string(serializer, "fingerprint", flow->protos.dhcp.fingerprint);
ndpi_serialize_string_string(serializer, "class_ident", flow->protos.dhcp.class_ident);
ndpi_serialize_end_of_block(serializer);
@ -1179,7 +1179,7 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
case NDPI_PROTOCOL_DNS:
ndpi_serialize_start_of_block(serializer, "dns");
if(flow->host_server_name[0] != '\0')
ndpi_serialize_string_string(serializer, "query", (const char*)flow->host_server_name);
ndpi_serialize_string_string(serializer, "query", flow->host_server_name);
ndpi_serialize_string_uint32(serializer, "num_queries", flow->protos.dns.num_queries);
ndpi_serialize_string_uint32(serializer, "num_answers", flow->protos.dns.num_answers);
ndpi_serialize_string_uint32(serializer, "reply_code", flow->protos.dns.reply_code);
@ -1200,7 +1200,7 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
case NDPI_PROTOCOL_MDNS:
ndpi_serialize_start_of_block(serializer, "mdns");
ndpi_serialize_string_string(serializer, "answer", (const char*)flow->host_server_name);
ndpi_serialize_string_string(serializer, "answer", flow->host_server_name);
ndpi_serialize_end_of_block(serializer);
break;
@ -1228,7 +1228,7 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
case NDPI_PROTOCOL_HTTP:
ndpi_serialize_start_of_block(serializer, "http");
if(flow->host_server_name[0] != '\0')
ndpi_serialize_string_string(serializer, "hostname", (const char*)flow->host_server_name);
ndpi_serialize_string_string(serializer, "hostname", flow->host_server_name);
if(flow->http.url != NULL){
ndpi_serialize_string_string(serializer, "url", flow->http.url);
ndpi_serialize_string_uint32(serializer, "code", flow->http.response_status_code);
@ -1240,9 +1240,9 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
case NDPI_PROTOCOL_QUIC:
ndpi_serialize_start_of_block(serializer, "quic");
if(flow->protos.tls_quic.client_requested_server_name[0] != '\0')
if(flow->host_server_name[0] != '\0')
ndpi_serialize_string_string(serializer, "client_requested_server_name",
flow->protos.tls_quic.client_requested_server_name);
flow->host_server_name);
if(flow->protos.tls_quic.server_names)
ndpi_serialize_string_string(serializer, "server_names", flow->protos.tls_quic.server_names);
if(flow->http.user_agent)
@ -1318,7 +1318,7 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_serialize_start_of_block(serializer, "tls");
ndpi_serialize_string_string(serializer, "version", version);
ndpi_serialize_string_string(serializer, "client_requested_server_name",
flow->protos.tls_quic.client_requested_server_name);
flow->host_server_name);
if(flow->protos.tls_quic.server_names)
ndpi_serialize_string_string(serializer, "server_names", flow->protos.tls_quic.server_names);
@ -2199,9 +2199,6 @@ char* ndpi_get_flow_name(struct ndpi_flow_struct *flow) {
if(flow->host_server_name[0] != '\0')
return((char*)flow->host_server_name);
if(flow->protos.tls_quic.client_requested_server_name[0] != '\0')
return(flow->protos.tls_quic.client_requested_server_name);
no_flow_info:
return((char*)"");
}

11
src/lib/protocols/dhcp.c
View file

@ -159,17 +159,14 @@ void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struct, stru
strncpy((char*)flow->protos.dhcp.class_ident, name, j);
flow->protos.dhcp.class_ident[j] = '\0';
} else if(id == 12 /* Host Name */) {
char *name = (char*)&dhcp->options[i+2];
int j = 0;
u_int8_t *name = &dhcp->options[i+2];
#ifdef DHCP_DEBUG
NDPI_LOG_DBG2(ndpi_struct, "[DHCP] '%.*s'\n",name,len);
// while(j < len) { printf( "%c", name[j]); j++; }; printf("\n");
#endif
j = ndpi_min(len, sizeof(flow->host_server_name)-1);
strncpy((char*)flow->host_server_name, name, j);
flow->host_server_name[j] = '\0';
}
ndpi_hostname_sni_set(flow, name, len);
}
i += len + 2;
}

50
src/lib/protocols/dns.c
View file

@ -368,6 +368,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
int invalid = search_valid_dns(ndpi_struct, flow, &dns_header, payload_offset, &is_query);
ndpi_protocol ret;
u_int num_queries, idx;
char _hostname[256];
ret.master_protocol = NDPI_PROTOCOL_UNKNOWN;
ret.app_protocol = (d_port == LLMNR_PORT) ? NDPI_PROTOCOL_LLMNR : ((d_port == MDNS_PORT) ? NDPI_PROTOCOL_MDNS : NDPI_PROTOCOL_DNS);
@ -378,7 +379,6 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
}
/* extract host name server */
max_len = sizeof(flow->host_server_name)-1;
off = sizeof(struct ndpi_dns_packet_header) + payload_offset;
/* Before continuing let's dissect the following queries to see if they are valid */
@ -434,6 +434,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
} /* for */
u_int8_t hostname_is_valid = 1;
max_len = sizeof(_hostname)-1;
while((j < max_len) && (off < packet->payload_packet_len) && (packet->payload[off] != '\0')) {
uint8_t c, cl = packet->payload[off++];
@ -443,40 +444,43 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
break;
}
if(j && (j < max_len)) flow->host_server_name[j++] = '.';
if(j && (j < max_len)) _hostname[j++] = '.';
while((j < max_len) && (cl != 0)) {
u_int32_t shift;
while((j < max_len) && (cl != 0)) {
u_int32_t shift;
c = packet->payload[off++];
shift = ((u_int32_t) 1) << (c & 0x1f);
if ((dns_validchar[c >> 5] & shift)) {
flow->host_server_name[j++] = tolower(c);
} else {
if (isprint(c) == 0) {
hostname_is_valid = 0;
flow->host_server_name[j++] = '?';
} else {
flow->host_server_name[j++] = '_';
}
}
cl--;
}
c = packet->payload[off++];
shift = ((u_int32_t) 1) << (c & 0x1f);
if((dns_validchar[c >> 5] & shift)) {
_hostname[j++] = tolower(c);
} else {
if (isprint(c) == 0) {
hostname_is_valid = 0;
_hostname[j++] = '?';
} else {
_hostname[j++] = '_';
}
}
cl--;
}
}
_hostname[j] = '\0';
ndpi_hostname_sni_set(flow, (const u_int8_t *)_hostname, j);
if (hostname_is_valid == 0) {
ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS);
}
flow->host_server_name[j] = '\0';
if(j > 0) {
ndpi_protocol_match_result ret_match;
ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name, 1);
ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1);
ret.app_protocol = ndpi_match_host_subprotocol(ndpi_struct, flow,
(char *)flow->host_server_name,
strlen((const char*)flow->host_server_name),
flow->host_server_name,
strlen(flow->host_server_name),
&ret_match,
NDPI_PROTOCOL_DNS);

10
src/lib/protocols/http.c
View file

@ -371,8 +371,8 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp
if(double_col) double_col[0] = '\0';
if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP,
(char *)flow->host_server_name,
strlen((const char *)flow->host_server_name)) == 0) {
flow->host_server_name,
strlen(flow->host_server_name)) == 0) {
if(flow->http.url &&
((strstr(flow->http.url, ":8080/downloading?n=0.") != NULL)
|| (strstr(flow->http.url, ":8080/upload?n=0.") != NULL))) {
@ -566,12 +566,10 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
packet->host_line.len, packet->host_line.ptr);
/* Copy result for nDPI apps */
len = ndpi_min(packet->host_line.len, sizeof(flow->host_server_name)-1);
strncpy((char*)flow->host_server_name, (char*)packet->host_line.ptr, len);
flow->host_server_name[len] = '\0';
ndpi_hostname_sni_set(flow, packet->host_line.ptr, packet->host_line.len);
flow->extra_packets_func = NULL; /* We're good now */
if(len > 0) ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name, 1);
if(strlen(flow->host_server_name) > 0) ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1);
if(packet->forwarded_line.ptr) {
len = ndpi_min(packet->forwarded_line.len, sizeof(flow->http.nat_ip)-1);

11
src/lib/protocols/mail_smtp.c
View file

@ -147,12 +147,11 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
&& (packet->line[a].ptr[i+1] != '\n')) {
len = i-4;
/* Copy result for nDPI apps */
len = ndpi_min(len, sizeof(flow->host_server_name)-1);
strncpy((char*)flow->host_server_name, (char*)&packet->line[a].ptr[4], len);
flow->host_server_name[len] = '\0';
if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MAIL_SMTP,
(char *)flow->host_server_name,
strlen((const char *)flow->host_server_name))) {
ndpi_hostname_sni_set(flow, &packet->line[a].ptr[4], len);
if (ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MAIL_SMTP,
flow->host_server_name,
strlen(flow->host_server_name))) {
/* We set the protocols; we need to initialize extra dissection
to search for credentials */
NDPI_LOG_DBG(ndpi_struct, "SMTP: hostname matched\n");

4
src/lib/protocols/netbios.c
View file

@ -102,9 +102,9 @@ static void ndpi_int_netbios_add_connection(struct ndpi_detection_module_struct
if((off < packet->payload_packet_len)
&& ndpi_netbios_name_interpret((unsigned char*)&packet->payload[off],
(u_int)(packet->payload_packet_len - off), name, sizeof(name)-1) > 0) {
snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name);
ndpi_hostname_sni_set(flow, (const u_int8_t *)name, strlen((char *)name));
ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name, 1);
ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1);
}
if(sub_protocol == NDPI_PROTOCOL_UNKNOWN)

20
src/lib/protocols/quic.c
View file

@ -1324,7 +1324,7 @@ static void process_chlo(struct ndpi_detection_module_struct *ndpi_struct,
uint32_t i;
uint16_t num_tags;
uint32_t prev_offset;
uint32_t tag_offset_start, offset, len, sni_len;
uint32_t tag_offset_start, offset, len;
ndpi_protocol_match_result ret_match;
int sni_found = 0, ua_found = 0;
@ -1356,22 +1356,20 @@ static void process_chlo(struct ndpi_detection_module_struct *ndpi_struct,
crypto_data_len, tag_offset_start, prev_offset, offset, len);
#endif
if(memcmp(tag, "SNI\0", 4) == 0) {
sni_len = MIN(len, sizeof(flow->protos.tls_quic.client_requested_server_name) - 1);
memcpy(flow->protos.tls_quic.client_requested_server_name,
&crypto_data[tag_offset_start + prev_offset], sni_len);
flow->protos.tls_quic.client_requested_server_name[sni_len] = '\0';
ndpi_hostname_sni_set(flow, &crypto_data[tag_offset_start + prev_offset], len);
NDPI_LOG_DBG2(ndpi_struct, "SNI: [%s]\n",
flow->protos.tls_quic.client_requested_server_name);
flow->host_server_name);
ndpi_match_host_subprotocol(ndpi_struct, flow,
(char *)flow->protos.tls_quic.client_requested_server_name,
strlen((const char*)flow->protos.tls_quic.client_requested_server_name),
flow->host_server_name,
strlen(flow->host_server_name),
&ret_match, NDPI_PROTOCOL_QUIC);
flow->protos.tls_quic.hello_processed = 1; /* Allow matching of custom categories */
ndpi_check_dga_name(ndpi_struct, flow,
flow->protos.tls_quic.client_requested_server_name, 1);
flow->host_server_name, 1);
sni_found = 1;
if (ua_found)
@ -1396,7 +1394,7 @@ static void process_chlo(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_DBG(ndpi_struct, "Something went wrong in tags iteration\n");
/* Add check for missing SNI */
if(flow->protos.tls_quic.client_requested_server_name[0] == '\0') {
if(flow->host_server_name[0] == '\0') {
/* This is a bit suspicious */
ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_MISSING_SNI);
}
@ -1508,7 +1506,7 @@ static int eval_extra_processing(struct ndpi_detection_module_struct *ndpi_struc
*/
if((version == V_Q046 &&
flow->protos.tls_quic.client_requested_server_name[0] == '\0') ||
flow->host_server_name[0] == '\0') ||
is_ch_reassembler_pending(flow)) {
NDPI_LOG_DBG2(ndpi_struct, "We have further work to do\n");
return 1;

14
src/lib/protocols/stun.c
View file

@ -349,25 +349,21 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
u_int16_t realm_len = ntohs(*((u_int16_t*)&payload[offset+2]));
if(flow->host_server_name[0] == '\0') {
u_int i;
u_int k = offset+4;
i = ndpi_min(realm_len, sizeof(flow->host_server_name) - 1);
i = ndpi_min(i, payload_length - k);
memcpy(flow->host_server_name, payload + k, i);
flow->host_server_name[i] = '\0';
ndpi_hostname_sni_set(flow, payload + k, ndpi_min(realm_len, payload_length - k));
#ifdef DEBUG_STUN
printf("==> [%s]\n", flow->host_server_name);
#endif
if(strstr((char*) flow->host_server_name, "google.com") != NULL) {
if(strstr(flow->host_server_name, "google.com") != NULL) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
return(NDPI_IS_STUN);
} else if(strstr((char*) flow->host_server_name, "whispersystems.org") != NULL) {
} else if(strstr(flow->host_server_name, "whispersystems.org") != NULL) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL;
return(NDPI_IS_STUN);
} else if(strstr((char*) flow->host_server_name, "facebook") != NULL) {
} else if(strstr(flow->host_server_name, "facebook") != NULL) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_MESSENGER;
return(NDPI_IS_STUN);
}

67
src/lib/protocols/tls.c
View file

@ -478,7 +478,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
u_int8_t matched_name = 0;
/* If the client hello was not observed or the requested name was missing, there is no need to trigger an alert */
if(flow->protos.tls_quic.client_requested_server_name[0] == '\0')
if(flow->host_server_name[0] == '\0')
matched_name = 1;
#ifdef DEBUG_TLS
@ -520,7 +520,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
#if DEBUG_TLS
printf("[TLS] dNSName %s [%s][len: %u][leftover: %d]\n", dNSName,
flow->protos.tls_quic.client_requested_server_name, len,
flow->host_server_name, len,
packet->payload_packet_len-i-len);
#endif
if (ndpi_is_printable_string(dNSName, len) == 0) {
@ -530,27 +530,24 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
if(matched_name == 0) {
#if DEBUG_TLS
printf("[TLS] Trying to match '%s' with '%s'\n",
flow->protos.tls_quic.client_requested_server_name,
flow->host_server_name,
dNSName);
#endif
if(flow->protos.tls_quic.client_requested_server_name[0] == '\0')
if(flow->host_server_name[0] == '\0') {
matched_name = 1; /* No SNI */
else if (dNSName[0] == '*')
{
char * label = strstr(flow->protos.tls_quic.client_requested_server_name, &dNSName[1]);
} else if (dNSName[0] == '*') {
char * label = strstr(flow->host_server_name, &dNSName[1]);
if (label != NULL)
{
char * first_dot = strchr(flow->protos.tls_quic.client_requested_server_name, '.');
if (label != NULL) {
char * first_dot = strchr(flow->host_server_name, '.');
if (first_dot == NULL || first_dot >= label)
{
matched_name = 1;
}
}
}
else if(strcmp(flow->protos.tls_quic.client_requested_server_name, dNSName) == 0) {
if (first_dot == NULL || first_dot >= label) {
matched_name = 1;
}
}
}
else if(strcmp(flow->host_server_name, dNSName) == 0) {
matched_name = 1;
}
}
@ -1244,7 +1241,6 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
u_int32_t i, j;
u_int16_t total_len;
u_int8_t handshake_type;
char buffer[64] = { '\0' };
int is_quic = (quic_version != 0);
int is_dtls = packet->udp && (!is_quic);
@ -1721,50 +1717,41 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
if((offset+extension_offset+4) < packet->payload_packet_len) {
len = (packet->payload[offset+extension_offset+3] << 8) + packet->payload[offset+extension_offset+4];
len = (u_int)ndpi_min(len, sizeof(buffer)-1);
if((offset+extension_offset+5+len) <= packet->payload_packet_len) {
strncpy(buffer, (char*)&packet->payload[offset+extension_offset+5], len);
buffer[len] = '\0';
cleanupServerName(buffer, sizeof(buffer));
snprintf(flow->protos.tls_quic.client_requested_server_name,
sizeof(flow->protos.tls_quic.client_requested_server_name),
"%s", buffer);
char *sni = ndpi_hostname_sni_set(flow, &packet->payload[offset+extension_offset+5], len);
int sni_len = strlen(sni);
#ifdef DEBUG_TLS
printf("[TLS] SNI: [%s]\n", buffer);
printf("[TLS] SNI: [%s]\n", sni);
#endif
if (ndpi_is_printable_string(buffer, len) == 0)
if (ndpi_is_printable_string(sni, sni_len) == 0)
{
ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS);
}
if(!is_quic) {
if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, buffer, strlen(buffer)))
if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, sni, sni_len))
flow->protos.tls_quic.subprotocol_detected = 1;
} else {
if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, buffer, strlen(buffer)))
if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, sni, sni_len))
flow->protos.tls_quic.subprotocol_detected = 1;
}
if(ndpi_check_dga_name(ndpi_struct, flow,
flow->protos.tls_quic.client_requested_server_name, 1)) {
char *sni = flow->protos.tls_quic.client_requested_server_name;
int len = strlen(sni);
sni, 1)) {
#ifdef DEBUG_TLS
printf("[TLS] SNI: (DGA) [%s]\n", flow->protos.tls_quic.client_requested_server_name);
printf("[TLS] SNI: (DGA) [%s]\n", sni);
#endif
if((len >= 4)
if((sni_len >= 4)
/* Check if it ends in .com or .net */
&& ((strcmp(&sni[len-4], ".com") == 0) || (strcmp(&sni[len-4], ".net") == 0))
&& ((strcmp(&sni[sni_len-4], ".com") == 0) || (strcmp(&sni[sni_len-4], ".net") == 0))
&& (strncmp(sni, "www.", 4) == 0)) /* Not starting with www.... */
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_TLS);
} else {
#ifdef DEBUG_TLS
printf("[TLS] SNI: (NO DGA) [%s]\n", flow->protos.tls_quic.client_requested_server_name);
printf("[TLS] SNI: (NO DGA) [%s]\n", sni);
#endif
}
} else {
@ -2268,12 +2255,12 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
/* Suspicious Domain Fronting:
https://github.com/SixGenInc/Noctilucent/blob/master/docs/ */
if(flow->protos.tls_quic.encrypted_sni.esni &&
flow->protos.tls_quic.client_requested_server_name[0] != '\0') {
flow->host_server_name[0] != '\0') {
ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_ESNI_USAGE);
}
/* Add check for missing SNI */
if((flow->protos.tls_quic.client_requested_server_name[0] == 0)
if(flow->host_server_name[0] == '\0'
&& (flow->protos.tls_quic.ssl_version >= 0x0302) /* TLSv1.1 */
&& (flow->protos.tls_quic.encrypted_sni.esni == NULL) /* No ESNI */
) {

5
src/lib/protocols/whoisdas.c
View file

@ -41,10 +41,7 @@ void ndpi_search_whois_das(struct ndpi_detection_module_struct *ndpi_struct, str
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHOIS_DAS, NDPI_PROTOCOL_UNKNOWN);
if((dport == 43) || (dport == 4343)) { /* Request */
u_int hostname_len = ndpi_min(sizeof(flow->host_server_name) - 1, (long unsigned int)packet->payload_packet_len - 2); /* Skip \r\n */
memcpy(flow->host_server_name, &packet->payload[0], hostname_len);
flow->host_server_name[hostname_len] = '\0';
ndpi_hostname_sni_set(flow, &packet->payload[0], packet->payload_packet_len - 2); /* Skip \r\n */
NDPI_LOG_INFO(ndpi_struct, "[WHOIS/DAS] %s\n", flow->host_server_name);
}
return;

2
tests/result/dns_exfiltration.pcap.out
View file

@ -4,4 +4,4 @@ DPI Packets (UDP): 2 (2.00 pkts/flow)
DNS 300 73545 1
1 UDP 192.168.220.56:56373 <-> 192.168.203.167:53 [proto: 5/DNS][ClearText][cat: Network/14][150 pkts/32419 bytes <-> 150 pkts/41126 bytes][Goodput ratio: 81/85][59.99 sec][Host: dnscat.546b03f50000000000a6023ed4df184d6ac5c2628b47714fdee584fed739.5a03b5b1e1aa8f8fdb1bbe8d5e04952141f7d4f82c7e3b06dcc8b87fad7a.19e4d098dc8c618f8d81cfeb02][::][bytes ratio: -0.118 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/1 398/397 1035/1015 491/489][Pkt Len c2s/s2c min/avg/max/stddev: 101/148 216/274 300/386 97/97][Risk: ** Suspicious DGA domain name **][Risk Score: 100][PLAIN TEXT (dnscat)][Plen Bins: 0,24,0,23,0,0,0,0,26,26,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
1 UDP 192.168.220.56:56373 <-> 192.168.203.167:53 [proto: 5/DNS][ClearText][cat: Network/14][150 pkts/32419 bytes <-> 150 pkts/41126 bytes][Goodput ratio: 81/85][59.99 sec][Host: e1aa8f8fdb1bbe8d5e04952141f7d4f82c7e3b06dcc8b87fad7a.19e4d098dc8c618f8d81cfeb02][::][bytes ratio: -0.118 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/1 398/397 1035/1015 491/489][Pkt Len c2s/s2c min/avg/max/stddev: 101/148 216/274 300/386 97/97][Risk: ** Suspicious DGA domain name **][Risk Score: 100][PLAIN TEXT (dnscat)][Plen Bins: 0,24,0,23,0,0,0,0,26,26,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

2
tests/result/fuzz-2006-06-26-2594.pcap.out
View file

@ -17,7 +17,7 @@ SIP 85 39540 15
1 UDP 212.242.33.35:5060 <-> 192.168.1.2:5060 [proto: 100/SIP][ClearText][cat: VoIP/10][23 pkts/11772 bytes <-> 37 pkts/14743 bytes][Goodput ratio: 91/89][1521.43 sec][bytes ratio: -0.112 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 19/227 32597/38366 167478/304738 41340/57147][Pkt Len c2s/s2c min/avg/max/stddev: 344/47 512/398 711/1118 86/358][PLAIN TEXT (SIP/2.0 401 Unauthorized)][Plen Bins: 29,0,0,0,0,0,0,0,0,3,6,0,3,6,8,13,1,0,3,0,1,15,0,0,0,5,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
2 UDP 192.168.1.2:5060 <-> 200.68.120.81:5060 [proto: 100/SIP][ClearText][cat: VoIP/10][9 pkts/4647 bytes <-> 3 pkts/1944 bytes][Goodput ratio: 92/93][66.58 sec][bytes ratio: 0.410 (Upload)][IAT c2s/s2c min/avg/max/stddev: 507/34556 8170/34556 32608/34556 10578/0][Pkt Len c2s/s2c min/avg/max/stddev: 417/637 516/648 864/656 186/8][PLAIN TEXT (INVITEKsip)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,59,0,0,0,0,0,0,8,16,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
3 UDP 192.168.1.2:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][ClearText][cat: System/18][71 pkts/6532 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][1527.12 sec][Host: eci_domain][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 741/0 20522/0 93225/0 24163/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92/0 92/0 0/0][PLAIN TEXT ( EFEDEJ)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
4 TCP 192.168.1.2:2720 <-> 147.234.1.253:21 [proto: 1/FTP_CONTROL][ClearText][cat: Download/7][11 pkts/624 bytes <-> 14 pkts/1080 bytes][Goodput ratio: 4/27][0.32 sec][Host: ProFTPD][bytes ratio: -0.268 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 24/7 115/18 38/8][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 57/77 70/113 5/19][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (220 ProFTPD Server In ECI Telec)][Plen Bins: 66,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
4 TCP 192.168.1.2:2720 <-> 147.234.1.253:21 [proto: 1/FTP_CONTROL][ClearText][cat: Download/7][11 pkts/624 bytes <-> 14 pkts/1080 bytes][Goodput ratio: 4/27][0.32 sec][Host: proftpd][bytes ratio: -0.268 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 24/7 115/18 38/8][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 57/77 70/113 5/19][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (220 ProFTPD Server In ECI Telec)][Plen Bins: 66,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
5 UDP 192.168.1.2:5060 -> 212.242.33.35:17860 [proto: 100/SIP][ClearText][cat: VoIP/10][1 pkts/1118 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][PLAIN TEXT (INVITE six)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
6 UDP 192.168.1.2:30000 -> 212.242.33.36:40392 [proto: 87/RTP][ClearText][cat: Media/1][5 pkts/1070 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][0.05 sec][PLAIN TEXT (goxcffj)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
7 UDP 192.168.1.2:68 <-> 192.168.1.1:67 [proto: 18/DHCP][ClearText][cat: Network/14][1 pkts/342 bytes <-> 1 pkts/590 bytes][Goodput ratio: 87/93][0.00 sec][Host: d002465][DHCP Fingerprint: 1,15,3,6,44,46,47,31,33,43][DHCP Class Ident: MSFT 5.0][PLAIN TEXT (002465Q)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

6
tests/result/reddit.pcap.out
View file

@ -2,10 +2,10 @@ Guessed flow protos: 1
DPI Packets (TCP): 445 (7.42 pkts/flow)
TLS 612 384211 15
TLS 577 373106 14
Twitter 863 686585 3
YouTube 881 966947 3
Google 618 334683 13
Google 653 345788 14
Amazon 100 59185 2
Reddit 8337 9059073 20
GoogleServices 271 87487 4
@ -39,7 +39,7 @@ JA3 Host Stats:
22 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:56782 <-> [64:ff9b::68f4:2ac8]:443 [proto: 91.120/TLS.Twitter][Encrypted][cat: SocialNetwork/6][23 pkts/5030 bytes <-> 22 pkts/7292 bytes][Goodput ratio: 61/74][4.33 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.184 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 216/228 2512/2545 565/587][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 219/331 854/1474 227/405][TLSv1.2][Client: syndication.twitter.com][JA3C: b32309a26951912be7dba376398abc3b][ServerNames: syndication.twitter.com,syndication.twimg.com,syndication-o.twitter.com,syndication-o.twimg.com,cdn.syndication.twitter.com,cdn.syndication.twimg.com][JA3S: 8d2a028aa94425f76ced7826b1f39039][Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA][Subject: C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=lon3, CN=syndication.twitter.com][Certificate SHA-1: 09:D3:FE:9A:3E:39:A7:E2:90:5B:C9:1F:3B:7D:CE:7C:7E:08:1C:6F][Chrome][Validity: 2020-01-02 00:00:00 - 2020-12-24 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,15,0,20,0,0,4,4,4,15,0,0,4,0,4,0,4,0,0,0,4,0,4,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0]
23 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:56640 <-> [64:ff9b::9765:798c]:443 [proto: 91.205/TLS.Reddit][Encrypted][cat: SocialNetwork/6][23 pkts/3696 bytes <-> 22 pkts/8527 bytes][Goodput ratio: 46/78][0.57 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.395 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 27/30 307/307 76/75][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 161/388 603/1134 157/388][TLSv1.2][Client: gateway.reddit.com][JA3C: b32309a26951912be7dba376398abc3b][ServerNames: reddit.com,*.reddit.com][JA3S: 16c0b3e6a7b8173c16d944cfeaeee9cf][Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA][Subject: C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com][Certificate SHA-1: DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81][Chrome][Validity: 2020-08-26 00:00:00 - 2021-02-22 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,14,20,4,4,0,0,0,4,0,0,4,9,0,0,9,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
24 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:46646 <-> [64:ff9b::345f:7ca5]:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][14 pkts/3201 bytes <-> 13 pkts/8450 bytes][Goodput ratio: 62/87][0.22 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.451 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 15/17 60/42 22/16][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 229/650 762/1446 254/571][TLSv1.2][Client: aax-eu.amazon-adsystem.com][JA3C: b32309a26951912be7dba376398abc3b][ServerNames: aax-eu.amazon-adsystem.com,aax.amazon-adsystem.com,aax-cpm.amazon-adsystem.com,aax-dtb-web.amazon-adsystem.com][JA3S: 49b45fc1ab090aa3a159778313fc9b9e][Issuer: C=US, O=Amazon, OU=Server CA 1B, CN=Amazon][Subject: CN=aax-eu.amazon-adsystem.com][Certificate SHA-1: 5D:18:8E:CB:B7:91:5C:79:26:B5:08:49:FF:2C:24:D8:06:54:91:8B][Chrome][Validity: 2020-06-15 00:00:00 - 2021-06-15 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,8,0,0,0,0,8,0,0,0,8,0,0,8,8,0,0,0,8,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,34,0,0,0,0,0]
25 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:59624 <-> [2a00:1450:4007:80b::2001]:443 [proto: 91/TLS][Encrypted][cat: Web/5][18 pkts/2649 bytes <-> 17 pkts/8456 bytes][Goodput ratio: 41/83][0.15 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.523 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 7/5 34/33 12/10][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 147/497 603/1294 137/490][Risk: ** Suspicious DGA domain name **][Risk Score: 100][TLSv1.3][Client: 8a755a3fef0b189d8ab5b0d10758f68a.safeframe.googlesyndication.co][JA3C: b32309a26951912be7dba376398abc3b][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Chrome][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 12,12,12,0,0,0,0,0,0,0,6,0,6,0,6,0,6,0,6,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0]
25 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:59624 <-> [2a00:1450:4007:80b::2001]:443 [proto: 91.126/TLS.Google][Encrypted][cat: Web/5][18 pkts/2649 bytes <-> 17 pkts/8456 bytes][Goodput ratio: 41/83][0.15 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.523 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 7/5 34/33 12/10][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 147/497 603/1294 137/490][TLSv1.3][Client: 8a755a3fef0b189d8ab5b0d10758f68a.safeframe.googlesyndication.com][JA3C: b32309a26951912be7dba376398abc3b][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Chrome][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 12,12,12,0,0,0,0,0,0,0,6,0,6,0,6,0,6,0,6,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0]
26 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:46808 <-> [2a00:1450:4007:808::2001]:443 [proto: 91/TLS][Encrypted][cat: Web/5][15 pkts/1843 bytes <-> 13 pkts/9101 bytes][Goodput ratio: 32/88][0.12 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.663 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5/5 32/32 11/10][Pkt Len c2s/s2c min/avg/max/stddev: 74/86 123/700 603/1294 129/569][TLSv1.3][Client: cdn.ampproject.org][JA3C: b32309a26951912be7dba376398abc3b][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Chrome][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,10,0,10,0,0,0,0,0,0,0,0,0,0,0,10,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,60,0,0,0,0,0,0,0,0,0,0]
27 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:46810 <-> [2a00:1450:4007:808::2001]:443 [proto: 91/TLS][Encrypted][cat: Web/5][15 pkts/1843 bytes <-> 13 pkts/9100 bytes][Goodput ratio: 32/88][0.12 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.663 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5/6 31/34 11/11][Pkt Len c2s/s2c min/avg/max/stddev: 74/86 123/700 603/1294 129/569][TLSv1.3][Client: cdn.ampproject.org][JA3C: b32309a26951912be7dba376398abc3b][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Chrome][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,10,0,10,0,0,0,0,0,0,0,0,0,0,0,10,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,60,0,0,0,0,0,0,0,0,0,0]
28 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:46814 <-> [2a00:1450:4007:808::2001]:443 [proto: 91/TLS][Encrypted][cat: Web/5][14 pkts/1769 bytes <-> 13 pkts/9102 bytes][Goodput ratio: 33/88][0.12 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.675 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10/5 43/36 15/11][Pkt Len c2s/s2c min/avg/max/stddev: 74/86 126/700 603/1294 133/569][TLSv1.3][Client: cdn.ampproject.org][JA3C: b32309a26951912be7dba376398abc3b][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Chrome][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,10,0,10,0,0,0,0,0,0,0,0,0,0,0,10,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,60,0,0,0,0,0,0,0,0,0,0]