diff --git a/.gitignore b/.gitignore index 08175cb56..10f706941 100644 --- a/.gitignore +++ b/.gitignore @@ -23,6 +23,7 @@ *.so *.so.* *~ +*.dSYM .autotools .cproject .dirstamp diff --git a/doc/flow_risks.rst b/doc/flow_risks.rst index 8f62749a0..fc13e4c0e 100644 --- a/doc/flow_risks.rst +++ b/doc/flow_risks.rst @@ -346,3 +346,9 @@ Connection with no data exchaged that looks like a probing attempt NDPI_OBFUSCATED_TRAFFIC ======================= This risk is triggered when a connection is likely using some obfuscation technique to try to "look like" something else, hiding its true nature + +.. _Risk 057: + +NDPI_SLOW_DOS +======================= +This risk is triggered when a TCP connection is likely subject to slow DoS attacks diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h index 2f24d3e3b..044cc1e6b 100644 --- a/src/include/ndpi_api.h +++ b/src/include/ndpi_api.h @@ -1324,6 +1324,15 @@ extern "C" { const char *path, u_int16_t protocol_id); const char* ndpi_cipher2str(u_int32_t cipher, char unknown_cipher[8]); #ifndef __KERNEL__ + const char* ndpi_cipher2str(u_int32_t cipher, char unknown_cipher[8]); + const char* ndpi_tls_extension2str(u_int16_t extension_id, char unknown_extn[8]); + const char* ndpi_tls_elliptic_curve2str(u_int16_t curve_id, char unknown_curve[8]); + const char* ndpi_tls_signature_algo2str(u_int16_t algo_id, char unknown_algo[8]); + const char* ndpi_tls_elliptic_curve_groups2str(u_int16_t group_id, char unknown_group[8]); + const char* ndpi_tls_elliptic_curve_point_format2str(u_int16_t format_id, char unknown_group[8]); + const char* ndpi_tls_key_share_group2str(u_int16_t group_id, char unknown_group[8]); + const char* ndpi_tls_supported_version2str(u_int16_t version_id, char unknown_version[8]); + const char* ndpi_tunnel2str(ndpi_packet_tunnel tt); int ndpi_has_human_readeable_string(char *buffer, u_int buffer_size, u_int8_t min_string_match_len, /* Will return 0 if no string > min_string_match_len have been found */ 
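Review bot: `ndpi_cipher2str` is declared twice in the ndpi_api.h hunk — the context line just above `#ifndef __KERNEL__` already carries the identical prototype and the first added line repeats it. A duplicate prototype compiles, but it is noise for the next maintainer; drop the added copy, or move the original inside the `#ifndef __KERNEL__` block if that was the intent. The new `*2str` helpers also share an undocumented contract that deserves a comment on the declarations, e.g. `/* unknown_*: caller-owned scratch buffer of at least 8 bytes used for the fallback hex string; the returned pointer may point into it */`. `ndpi_tls_elliptic_curve_point_format2str` names its buffer `unknown_group` unlike its siblings; `unknown_format` would follow the pattern.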
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 3e319595d..8053b7502 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -183,6 +183,7 @@ typedef enum { NDPI_BINARY_DATA_TRANSFER, /* Attempt to transfer something in binary format */ NDPI_PROBING_ATTEMPT, /* Probing attempt (e.g. TCP connection with no data exchanged or unidirection traffic for bidirectional flows such as SSH) */ NDPI_OBFUSCATED_TRAFFIC, + NDPI_SLOW_DOS, /* Before allocating a new risk here, check if there are FREE entries above */ /* Leave this as last member */ @@ -941,6 +942,10 @@ struct ndpi_tls_block { }; struct ndpi_flow_tcp_struct { + struct { + u_int64_t syn_time, syn_ack_time, ack_time; + } three_way_handshake; + /* TCP sequence number */ u_int32_t next_tcp_seq_nr[2]; u_int16_t last_tcp_pkt_payload_len; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 0f7df7ece..3bcfa42d1 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -234,7 +234,8 @@ static ndpi_risk_info ndpi_known_risks[] = { { NDPI_MALWARE_HOST_CONTACTED, NDPI_RISK_SEVERE, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, { NDPI_BINARY_DATA_TRANSFER, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, { NDPI_PROBING_ATTEMPT, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, - { NDPI_OBFUSCATED_TRAFFIC, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_BOTH_ACCOUNTABLE }, + { NDPI_OBFUSCATED_TRAFFIC, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_BOTH_ACCOUNTABLE }, + { NDPI_SLOW_DOS, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, /* Leave this as last member */ { NDPI_MAX_RISK, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_NO_ACCOUNTABILITY } 
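Review bot: The new `three_way_handshake` member of `struct ndpi_flow_tcp_struct` has no comment, and the meaning of its three fields — including 0 standing for "not observed" — is only recoverable from `connection_tracking` in ndpi_main.c. Suggest `/* Timestamps (ms) of the SYN, SYN|ACK and first ACK seen on this flow; 0 = not observed yet */` above the struct, matching the `/* TCP sequence number */` style of the neighbouring fields, and stating that the flow struct is expected to be zero-initialised on creation (that initialisation is not visible here). In the ndpi_known_risks entry on this same line, `NDPI_SLOW_DOS` is marked `NDPI_CLIENT_ACCOUNTABLE`, yet the "Slow TCP 3WH (SYN|ACK)" message raised under it measures how long the server took to answer; a short comment on why the client is held accountable for every variant of this risk would help whoever later tunes the table.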
@@ -8706,6 +8707,16 @@ static void connection_tracking(struct ndpi_detection_module_struct *ndpi_str, if(tcph != NULL) { u_int8_t flags = ((u_int8_t*)tcph)[13]; + u_int16_t syn_mask = TH_SYN | TH_ECE | TH_CWR | TH_ACK; + u_int8_t flags_3wh = flags & syn_mask; + + if((flags_3wh & (TH_SYN|TH_ACK)) == (TH_SYN|TH_ACK)) + flow->l4.tcp.three_way_handshake.syn_ack_time = packet->current_time_ms; + else if((flags_3wh & TH_SYN) == TH_SYN) + flow->l4.tcp.three_way_handshake.syn_time = packet->current_time_ms; + else if(((flags_3wh & TH_ACK) == TH_ACK) + && (flow->l4.tcp.three_way_handshake.ack_time == 0)) + flow->l4.tcp.three_way_handshake.ack_time = packet->current_time_ms; if(flags == 0) ndpi_set_risk(ndpi_str, flow, NDPI_TCP_ISSUES, "TCP NULL scan"); @@ -8892,6 +8903,8 @@ static void connection_tracking(struct ndpi_detection_module_struct *ndpi_str, else ndpi_str->input_info->in_pkt_dir = NDPI_IN_PKT_DIR_S_TO_C; } + + flow->last_packet_time_ms = packet->current_time_ms; } /* ************************************************ */ 
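Review bot: `syn_time` and `syn_ack_time` are overwritten by every packet carrying the corresponding flags, while `ack_time` is write-once (`ack_time == 0` guard), so a retransmitted SYN or SYN|ACK moves the start of the interval forward and shrinks the delay that `check_probing_attempt` later measures — precisely the slow-server case the new risk is meant to catch. Make all three write-once: `else if(((flags_3wh & TH_SYN) == TH_SYN) && (flow->l4.tcp.three_way_handshake.syn_time == 0))`, with the same `== 0` guard on the SYN|ACK branch. `TH_ECE` and `TH_CWR` are folded into `syn_mask` but never tested, so either reduce the mask to `TH_SYN | TH_ACK` or comment why the ECN bits are kept. The third branch also stamps `ack_time` with the first ACK-bearing packet of a flow whose handshake was never seen; the consumers appear to guard on `syn_time`/`syn_ack_time` being non-zero, but that dependency deserves a comment here. `connection_tracking` continues outside the hunk.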
@@ -9388,6 +9401,38 @@ static void check_probing_attempt(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow) { /* TODO: check UDP traffic too */ + if(flow->l4_proto == IPPROTO_TCP) { + u_int64_t tdiff_ms; + + if(flow->l4.tcp.three_way_handshake.syn_ack_time && flow->l4.tcp.three_way_handshake.syn_time) { + if(flow->l4.tcp.three_way_handshake.syn_ack_time > flow->l4.tcp.three_way_handshake.syn_time) + tdiff_ms = flow->l4.tcp.three_way_handshake.syn_ack_time - flow->l4.tcp.three_way_handshake.syn_time; + else /* out of order */ + tdiff_ms = flow->l4.tcp.three_way_handshake.syn_time - flow->l4.tcp.three_way_handshake.syn_ack_time; + + if(tdiff_ms > 1500 /* 1.5 sec */) { + char buf[64]; + + snprintf(buf, sizeof(buf), "Slow TCP 3WH (SYN|ACK): %.1f sec", tdiff_ms/1000.); + ndpi_set_risk(ndpi_str, flow, NDPI_SLOW_DOS, buf); + } + } + + if(flow->l4.tcp.three_way_handshake.ack_time && flow->l4.tcp.three_way_handshake.syn_ack_time) { + if(flow->l4.tcp.three_way_handshake.ack_time > flow->l4.tcp.three_way_handshake.syn_ack_time) + tdiff_ms = flow->l4.tcp.three_way_handshake.ack_time - flow->l4.tcp.three_way_handshake.syn_ack_time; + else + tdiff_ms = flow->l4.tcp.three_way_handshake.syn_ack_time - flow->l4.tcp.three_way_handshake.ack_time; + + if(tdiff_ms > 1500 /* 1.5 sec */) { + char buf[64]; + + snprintf(buf, sizeof(buf), "Slow TCP 3WH (ACK): %.1f sec", tdiff_ms/1000.); + ndpi_set_risk(ndpi_str, flow, NDPI_SLOW_DOS, buf); + } + } + } + if((flow->l4_proto == IPPROTO_TCP) && (flow->l4.tcp.cli2srv_tcp_flags & TH_PUSH) && (flow->l4.tcp.srv2cli_tcp_flags & TH_PUSH)) { 
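Review bot: The `/* out of order */` branch takes the absolute difference when `syn_ack_time` precedes `syn_time` and then compares it with the same 1.5 s threshold, so a SYN observed after the SYN|ACK (a late retransmit, or a reordered capture) raises "Slow TCP 3WH (SYN|ACK)" with a number that does not measure the server's response time at all; the ACK block has the same shape. Consider `tdiff_ms = 0;` on the out-of-order branches, or skipping the check, and say in the comment why that ordering is not a slow handshake. The `1500 /* 1.5 sec */` threshold is written twice; a file-scope constant such as `#define NDPI_SLOW_3WH_THRESHOLD_MS 1500` keeps the two checks in step. Since both blocks can fire on the same flow, the concatenation logic added to `ndpi_set_risk` in this commit will join the two messages with `|`, which looks intended but is worth a one-line comment at the second `ndpi_set_risk` call. `check_probing_attempt` continues outside the hunk.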
@@ -11158,6 +11203,22 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, if(packet->packet_lines_parsed_complete != 0) return; + if((flow->l4.tcp.three_way_handshake.syn_time != 0) /* Check only if 3WH was observed */ + && (flow->l4.tcp.three_way_handshake.ack_time != 0) + && ((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP) || (flow->detected_protocol_stack[1] == NDPI_PROTOCOL_HTTP)) + && (flow->http.method != NDPI_HTTP_METHOD_UNKNOWN) + && (flow->http.response_status_code == 0 /* Response code not observed yet */) + ) { + u_int64_t tdiff_ms = packet->current_time_ms - flow->l4.tcp.three_way_handshake.ack_time; + + if((tdiff_ms > 3000 /* 3 sec */) && (!ndpi_isset_risk(flow, NDPI_SLOW_DOS))) { + char buf[64]; + + snprintf(buf, sizeof(buf), "Slow HTTP Req. (Slowloris): %.1f sec", tdiff_ms/1000.); + ndpi_set_risk(ndpi_str, flow, NDPI_SLOW_DOS, buf); + } + } + packet->packet_lines_parsed_complete = 1; ndpi_reset_packet_line_info(packet); @@ -13395,14 +13456,10 @@ int ndpi_seen_flow_beginning(const struct ndpi_flow_struct *flow) void ndpi_set_user_data(struct ndpi_detection_module_struct *ndpi_str, void *user_data) { if (ndpi_str == NULL) - { - return; - } + return; if (ndpi_str->user_data != NULL) - { - NDPI_LOG_ERR(ndpi_str, "%s", "User data is already set. Overwriting.") - } + NDPI_LOG_ERR(ndpi_str, "%s", "User data is already set. Overwriting.") ndpi_str->user_data = user_data; } diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index bbde4c385..c2ccad32b 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c 
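Review bot: `tdiff_ms = packet->current_time_ms - flow->l4.tcp.three_way_handshake.ack_time` is an unsigned subtraction with no ordering check, so a packet timestamped before the recorded ACK (reordered capture, clock step) wraps to a huge value and raises "Slow HTTP Req. (Slowloris)" with a meaningless duration; the companion hunk in `check_probing_attempt` guards the order explicitly, and this one should too, e.g. wrap the block in `if(packet->current_time_ms > flow->l4.tcp.three_way_handshake.ack_time)`. The block also reads `flow->l4.tcp.*` without first checking `flow->l4_proto == IPPROTO_TCP`, unlike `check_probing_attempt`; if `l4` is a union (its definition is not visible here) this reads UDP state for a UDP flow. The `3000 /* 3 sec */` threshold is a third hand-written constant alongside the two `1500` ones; a named constant would document the tuning point. `ndpi_parse_packet_line_info` continues outside the hunk.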
@@ -1210,7 +1210,7 @@ void ndpi_serialize_proto(struct ndpi_detection_module_struct *ndpi_struct, ndpi_serialize_string_string(serializer, "proto_id", ndpi_protocol2id(l7_protocol.proto, buf, sizeof(buf))); ndpi_serialize_string_string(serializer, "proto_by_ip", ndpi_get_proto_name(ndpi_struct, l7_protocol.protocol_by_ip)); - ndpi_serialize_string_uint32(serializer, "proto_by_ip_id", l7_protocol.protocol_by_ip); + if(l7_protocol.protocol_by_ip) ndpi_serialize_string_uint32(serializer, "proto_by_ip_id", l7_protocol.protocol_by_ip); ndpi_serialize_string_uint32(serializer, "encrypted", ndpi_is_encrypted_proto(ndpi_struct, l7_protocol.proto)); ndpi_serialize_string_string(serializer, "breed", ndpi_get_proto_breed_name(l7_protocol.breed)); ndpi_serialize_string_uint32(serializer, "category_id", l7_protocol.category); @@ -1253,14 +1253,14 @@ void ndpi_serialize_tls_blocks(struct ndpi_detection_module_struct *ndpi_struct, (idx > 0) ? "," : "", ndpi_print_encoded_tls_block_type(flow->l4.tcp.tls.tls_blocks[i].block_type, true), flow->l4.tcp.tls.tls_blocks[i].len); - + if(ret > 0) idx += ret; else break; } /* for */ if(idx > 0) ndpi_serialize_string_string(serializer, "", buf); - - ndpi_serialize_end_of_list(serializer); + + ndpi_serialize_end_of_list(serializer); } #ifdef TLS_HANDLE_SIGNATURE_ALGORITMS @@ -1270,6 +1270,7 @@ void ndpi_serialize_tls_blocks(struct ndpi_detection_module_struct *ndpi_struct, if(flow->protos.tls_quic.ja_client != NULL) { ndpi_tls_client_info *c = flow->protos.tls_quic.ja_client; u_int16_t i; + char unknown_cipher[8]; ndpi_serialize_start_of_block(serializer, "client_data"); 
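Review bot: Guarding `proto_by_ip_id` with `if(l7_protocol.protocol_by_ip)` removes that key from the serialized output when the value is 0, while the `proto_by_ip` string on the previous line is still emitted unconditionally, so a consumer that reads the pair now sees one half disappear. If omitting the zero id is intended (0 meaning "unknown"), state it in a comment and apply the same rule to the string so the two stay consistent: `if(l7_protocol.protocol_by_ip) { ndpi_serialize_string_string(serializer, "proto_by_ip", ...); ndpi_serialize_string_uint32(serializer, "proto_by_ip_id", l7_protocol.protocol_by_ip); }`.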
@@ -1277,61 +1278,79 @@ void ndpi_serialize_tls_blocks(struct ndpi_detection_module_struct *ndpi_struct, ndpi_serialize_start_of_list(serializer, "ciphers"); for(i=0; inum_ciphers; i++) - ndpi_serialize_string_uint32(serializer, "", c->cipher[i]); + ndpi_serialize_string_string(serializer, "", ndpi_cipher2str(c->cipher[i], unknown_cipher)); ndpi_serialize_end_of_list(serializer); } if(c->num_tls_extensions > 0) { + char unknown_extn[8]; + ndpi_serialize_start_of_list(serializer, "tls_extensions"); for(i=0; inum_tls_extensions; i++) - ndpi_serialize_string_uint32(serializer, "", c->tls_extension[i]); + ndpi_serialize_string_string(serializer, "", + ndpi_tls_extension2str(c->tls_extension[i], unknown_extn)); ndpi_serialize_end_of_list(serializer); } if(c->num_elliptic_curve_groups > 0) { + char unknown_group[8]; + ndpi_serialize_start_of_list(serializer, "elliptic_curve_groups"); for(i=0; inum_elliptic_curve_groups; i++) - ndpi_serialize_string_uint32(serializer, "", c->elliptic_curve_group[i]); + ndpi_serialize_string_string(serializer, "", + ndpi_tls_elliptic_curve_groups2str(c->elliptic_curve_group[i], unknown_group)); ndpi_serialize_end_of_list(serializer); } if(c->num_elliptic_curve_point_format > 0) { + char unknown_curve[8]; + ndpi_serialize_start_of_list(serializer, "elliptic_curve_point_format"); for(i=0; inum_elliptic_curve_point_format; i++) - ndpi_serialize_string_uint32(serializer, "", c->elliptic_curve_point_format[i]); + ndpi_serialize_string_string(serializer, "", + ndpi_tls_elliptic_curve2str(c->elliptic_curve_point_format[i], unknown_curve)); ndpi_serialize_end_of_list(serializer); } if(c->num_signature_algorithms > 0) { + char unknown_algo[8]; + ndpi_serialize_start_of_list(serializer, "signature_algorithms"); for(i=0; inum_signature_algorithms; i++) - ndpi_serialize_string_uint32(serializer, "", c->signature_algorithm[i]); + ndpi_serialize_string_string(serializer, "", + ndpi_tls_signature_algo2str(c->signature_algorithm[i], unknown_algo)); 
ndpi_serialize_end_of_list(serializer); } if(c->num_key_share_groups > 0) { + char unknown_group[8]; + ndpi_serialize_start_of_list(serializer, "key_share_groups"); for(i=0; inum_key_share_groups; i++) - ndpi_serialize_string_uint32(serializer, "", c->key_share_group[i]); + ndpi_serialize_string_string(serializer, "", + ndpi_tls_key_share_group2str(c->key_share_group[i], unknown_group)); ndpi_serialize_end_of_list(serializer); } if(c->num_supported_versions > 0) { + char unknown_version[8]; + ndpi_serialize_start_of_list(serializer, "supported_versions"); for(i=0; inum_supported_versions; i++) - ndpi_serialize_string_uint32(serializer, "", c->supported_version[i]); + ndpi_serialize_string_string(serializer, "", + ndpi_tls_supported_version2str(c->supported_version[i], unknown_version)); ndpi_serialize_end_of_list(serializer); } @@ -1342,6 +1361,7 @@ void ndpi_serialize_tls_blocks(struct ndpi_detection_module_struct *ndpi_struct, if(flow->protos.tls_quic.ja_server != NULL) { ndpi_tls_server_info *s = flow->protos.tls_quic.ja_server; u_int16_t i; + char unknown_cipher[8]; ndpi_serialize_start_of_block(serializer, "server_data"); 
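Review bot: `c->elliptic_curve_point_format[i]` is rendered through `ndpi_tls_elliptic_curve2str`, which maps named-curve identifiers (0x0001 = sect163k1, 0x0017 = secp256r1, …), not EC point formats; point-format values are small integers starting at 0 (uncompressed), so format 1 would be printed as "sect163k1" and format 0 as "0X0000". The header hunk declares `ndpi_tls_elliptic_curve_point_format2str` for exactly this list, so the call should be `ndpi_tls_elliptic_curve_point_format2str(c->elliptic_curve_point_format[i], unknown_curve)`; the server-side list in the `@@ -1349` hunk has the same mix-up. The `unknown_*` scratch buffers are reused across loop iterations, which is only safe if `ndpi_serialize_string_string` copies its argument rather than retaining the pointer — not visible here, and worth a one-line comment next to the first declaration.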
@@ -1349,31 +1369,37 @@ void ndpi_serialize_tls_blocks(struct ndpi_detection_module_struct *ndpi_struct, ndpi_serialize_start_of_list(serializer, "ciphers"); for(i=0; inum_ciphers; i++) - ndpi_serialize_string_uint32(serializer, "", s->cipher[i]); + ndpi_serialize_string_string(serializer, "", ndpi_cipher2str(s->cipher[i], unknown_cipher)); ndpi_serialize_end_of_list(serializer); } if(s->num_tls_extensions > 0) { + char unknown_extn[8]; + ndpi_serialize_start_of_list(serializer, "tls_extensions"); for(i=0; inum_tls_extensions; i++) - ndpi_serialize_string_uint32(serializer, "", s->tls_extension[i]); + ndpi_serialize_string_string(serializer, "", + ndpi_tls_extension2str(s->tls_extension[i], unknown_extn)); ndpi_serialize_end_of_list(serializer); } if(s->num_elliptic_curve_point_format > 0) { + char unknown_curve[8]; + ndpi_serialize_start_of_list(serializer, "elliptic_curve_point_format"); for(i=0; inum_elliptic_curve_point_format; i++) - ndpi_serialize_string_uint32(serializer, "", s->elliptic_curve_point_format[i]); + ndpi_serialize_string_string(serializer, "", + ndpi_tls_elliptic_curve2str(s->elliptic_curve_point_format[i], unknown_curve)); ndpi_serialize_end_of_list(serializer); } ndpi_serialize_end_of_block(serializer); - } + } } /* ********************************** */ @@ -2591,6 +2617,9 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) { case NDPI_OBFUSCATED_TRAFFIC: return("Obfuscated Traffic"); + case NDPI_SLOW_DOS: + return("(Possible) Slow DoS"); + default: ndpi_snprintf(buf, sizeof(buf), "%d", (int)risk); return(buf); @@ -2717,6 +2746,8 @@ const char* ndpi_risk2code(ndpi_risk_enum risk) { return STRINGIFY(NDPI_PROBING_ATTEMPT); case NDPI_OBFUSCATED_TRAFFIC: return STRINGIFY(NDPI_OBFUSCATED_TRAFFIC); + case NDPI_SLOW_DOS: + return STRINGIFY(NDPI_SLOW_DOS); default: return("Unknown risk"); 
@@ -2840,6 +2871,8 @@ ndpi_risk_enum ndpi_code2risk(const char* risk) { return(NDPI_PROBING_ATTEMPT); else if(strcmp(STRINGIFY(NDPI_OBFUSCATED_TRAFFIC), risk) == 0) return(NDPI_OBFUSCATED_TRAFFIC); + else if(strcmp(STRINGIFY(NDPI_SLOW_DOS), risk) == 0) + return(NDPI_SLOW_DOS); else return(NDPI_MAX_RISK); } @@ -2983,6 +3016,7 @@ const char *ndpi_risk_shortnames[NDPI_MAX_RISK] = { "binary_data_transfer", "probing", "obfuscated", + "slow_DoS" }; /* ******************************************************************** */ @@ -3479,9 +3513,26 @@ void ndpi_set_risk(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_fl u_int8_t i; for(i = 0; i < flow->num_risk_infos; i++) - if(flow->risk_infos[i].id == r) - return; + if(flow->risk_infos[i].id == r) { + if((flow->risk_infos[i].info != NULL) + && (r != NDPI_SUSPICIOUS_ENTROPY /* Entropy changes when recomputed, so let's keep only one message */) + /* Messages are different */ + && strcmp(flow->risk_infos[i].info, risk_message) && (strstr(flow->risk_infos[i].info, risk_message) == NULL) + ) { + char buf[256]; + /* Concatenate risks info */ + + snprintf(buf, sizeof(buf), "%s|%s", + flow->risk_infos[i].info, risk_message); + + ndpi_free(flow->risk_infos[i].info); + flow->risk_infos[i].info = ndpi_strdup(buf); + } + + return; + } + /* Risk already set without any details, but now we have a specific risk_message that we want to save. This might happen with NDPI_HTTP_CRAWLER_BOT which might have been set early via @@ -3539,7 +3590,7 @@ int ndpi_isset_risk(struct ndpi_flow_struct *flow, ndpi_risk_enum r) { /* ******************************************************************** */ -int ndpi_is_printable_buffer(uint8_t const * const buf, size_t len) { +int ndpi_is_printable_buffer(u_int8_t const * const buf, size_t len) { int retval = 1; size_t i; 
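Review bot: The new concatenation path in `ndpi_set_risk` frees the old `info` before `ndpi_strdup(buf)` is known to have succeeded, so an allocation failure silently drops the message that was already stored; allocate first and swap only on success: `char *joined = ndpi_strdup(buf); if(joined != NULL) { ndpi_free(flow->risk_infos[i].info); flow->risk_infos[i].info = joined; }`. The `strcmp`/`strstr` calls assume `risk_message` is non-NULL; before this change a NULL message never reached any string function on the already-set path, so if callers may pass NULL (the signature is outside the hunk) the condition needs `&& (risk_message != NULL)` ahead of them. `snprintf` into the 256-byte `buf` truncates silently, which bounds growth but loses the tail of a long chain of distinct messages without any marker — acceptable, but say so in the `/* Concatenate risks info */` comment. Separately, `"slow_DoS"` in `ndpi_risk_shortnames` is the only mixed-case entry in that table; `"slow_dos"` would match its neighbours.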
@@ -3738,8 +3789,8 @@ reset_risk: /* ******************************************************************** */ -static inline uint16_t get_n16bit(uint8_t const * cbuf) { - uint16_t r = ((uint16_t)cbuf[0]) | (((uint16_t)cbuf[1]) << 8); +static inline u_int16_t get_n16bit(u_int8_t const * cbuf) { + u_int16_t r = ((u_int16_t)cbuf[0]) | (((u_int16_t)cbuf[1]) << 8); return r; } @@ -4573,7 +4624,7 @@ char* ndpi_quick_encrypt(const char *cleartext_msg, encoded_buf[i] = n_padding; AES_init_ctx_iv(&ctx, binary_encrypt_key, nonce); - AES_CBC_encrypt_buffer(&ctx, (uint8_t*)encoded_buf, encoded_len); + AES_CBC_encrypt_buffer(&ctx, (u_int8_t*)encoded_buf, encoded_len); encoded = ndpi_base64_encode((const unsigned char *)encoded_buf, encoded_len); ndpi_free(encoded_buf); @@ -4626,7 +4677,7 @@ char* ndpi_quick_decrypt(const char *encrypted_msg, /* AES - https://github.com/kokke/tiny-AES-c */ AES_init_ctx_iv(&ctx, binary_decrypt_key, nonce); memcpy(decoded_string, content, content_len); - AES_CBC_decrypt_buffer(&ctx, (uint8_t*)decoded_string, content_len); + AES_CBC_decrypt_buffer(&ctx, (u_int8_t*)decoded_string, content_len); /* Remove PKCS5 padding */ n_padding = decoded_string[content_len-1]; 
@@ -5194,3 +5245,694 @@ const char* ndpi_print_encoded_tls_block_type(ndpi_tls_block_type block_type, bo default: return(numeric_mode ? "0" : "Unknown"); } } + +/* ****************************************** */ + +const char* ndpi_tls_extension2str(u_int16_t extension_id, + char unknown_extn[8]) { + switch(extension_id) { + /* RFC 6066 - TLS Extensions Definitions */ + case 0: return "server_name"; + case 1: return "max_fragment_length"; + case 2: return "client_certificate_url"; + case 3: return "trusted_ca_keys"; + case 4: return "truncated_hmac"; + case 5: return "status_request"; + + /* RFC 4366 - Transport Layer Security (TLS) Extensions */ + case 6: return "user_mapping"; + case 7: return "client_authz"; + case 8: return "server_authz"; + + /* RFC 4492 - Elliptic Curve Cryptography (ECC) Cipher Suites */ + case 10: return "supported_groups"; /* Formerly "elliptic_curves" */ + case 11: return "ec_point_formats"; + + /* RFC 4681 - TLS User Mapping Extension */ + case 12: return "srp"; + case 13: return "signature_algorithms"; + case 14: return "use_srtp"; + case 15: return "heartbeat"; + + /* RFC 7301 - Application-Layer Protocol Negotiation (ALPN) */ + case 16: return "application_layer_protocol_negotiation"; + + /* RFC 7685 - A TLS Extension for Certificate Status Request */ + case 17: return "status_request_v2"; + case 18: return "signed_certificate_timestamp"; + case 19: return "client_certificate_type"; + case 20: return "server_certificate_type"; + + /* RFC 8879 - TLS Certificate Compression */ + case 22: return "compress_certificate"; + + /* RFC 8449 - Record Size Limit Extension */ + case 28: return "record_size_limit"; + + /* RFC 5746 - Transport Layer Security (TLS) Renegotiation Indication */ + case 65281: return "renegotiation_info"; + + /* TLS 1.3 Extensions (RFC 8446) */ + case 21: return "padding"; + case 23: return "session_ticket"; + case 24: return "pre_shared_key"; + case 25: return "early_data"; + case 26: return "supported_versions"; + case 
27: return "cookie"; + case 29: return "preshared_key"; /* Alternate spelling */ + case 30: return "psk_key_exchange_modes"; + case 31: return "ticket_early_data_info"; + case 32: return "certificate_authorities"; + case 33: return "oid_filters"; + case 34: return "post_handshake_auth"; + case 35: return "signature_algorithms_cert"; + case 36: return "key_share"; + case 37: return "transparency_info"; + case 38: return "connection_id"; + case 39: return "external_id_hash"; + case 40: return "external_session_id"; + case 41: return "quic_transport_parameters"; + case 42: return "ticket_request"; + case 43: return "dnssec_chain"; + + /* RFC 7627 - Extended Master Secret Extension */ + case 44: return "extended_master_secret"; + + /* RFC 8446 - Other TLS 1.3 extensions */ + case 45: return "token_binding"; + case 46: return "cached_info"; + case 47: return "tls_lts"; + + /* Drafts and other extensions */ + case 48: return "compress_certificate_algorithms"; + case 49: return "record_size_limit"; + case 50: return "pwd_protect"; + case 51: return "pwd_clear"; + case 52: return "password_salt"; + case 53: return "ticket_pinning"; + case 54: return "tls_cert_with_extern_psk"; + case 55: return "delegated_credential"; + case 56: return "session_ticket_tls"; + case 57: return "TLD"; + case 58: return "external_id_hash"; + case 59: return "external_session_id"; + case 60: return "quic_transport_parameters"; + case 61: return "ticket_request"; + case 62: return "dnssec_chain"; + case 63: return "sequence_number_encryption_algorithms"; + + /* GREASE values (RFC 8701) */ + case 0x0A0A: return "(GREASE)"; + case 0x1A1A: return "(GREASE)"; + case 0x2A2A: return "(GREASE)"; + case 0x3A3A: return "(GREASE)"; + case 0x4A4A: return "(GREASE)"; + case 0x5A5A: return "(GREASE)"; + case 0x6A6A: return "(GREASE)"; + case 0x7A7A: return "(GREASE)"; + case 0x8A8A: return "(GREASE)"; + case 0x9A9A: return "(GREASE)"; + case 0xAAAA: return "(GREASE)"; + case 0xBABA: return "(GREASE)"; + case 
0xCACA: return "(GREASE)"; + case 0xDADA: return "(GREASE)"; + case 0xEAEA: return "(GREASE)"; + case 0xFAFA: return "(GREASE)"; + + case 0x44CD: return "application_settings"; + + /* Custom/Private extensions (experimental range) */ + case 65037: return "next_protocol_negotiation"; /* Google NPN */ + case 65280: return "extended_random"; /* Used in some implementations */ + case 65282: return "token_binding"; /* Alternate value */ + + default: + ndpi_snprintf(unknown_extn, 8, "0X%04X", extension_id); + return(unknown_extn); + } +} + +/* ****************************************** */ + +const char* ndpi_tls_elliptic_curve2str(u_int16_t curve_id, char unknown_curve[8]) { + if((curve_id >= 0x002B) && (curve_id <= 0x003F)) + return "(Reserved)"; + + switch (curve_id) { + /* RFC 4492 / 8422 - Standard Curves */ + case 0x0001: return "sect163k1"; // deprecated + case 0x0002: return "sect163r1"; // deprecated + case 0x0003: return "sect163r2"; // deprecated + case 0x0004: return "sect193r1"; // deprecated + case 0x0005: return "sect193r2"; // deprecated + case 0x0006: return "sect233k1"; // deprecated + case 0x0007: return "sect233r1"; // deprecated + case 0x0008: return "sect239k1"; // deprecated + case 0x0009: return "sect283k1"; // deprecated + case 0x000A: return "sect283r1"; // deprecated + case 0x000B: return "sect409k1"; // deprecated + case 0x000C: return "sect409r1"; // deprecated + case 0x000D: return "sect571k1"; // deprecated + case 0x000E: return "sect571r1"; // deprecated + case 0x000F: return "secp160k1"; // deprecated + case 0x0010: return "secp160r1"; // deprecated + case 0x0011: return "secp160r2"; // deprecated + case 0x0012: return "secp192k1"; // deprecated + case 0x0013: return "secp192r1"; // P-192, deprecated + case 0x0014: return "secp224k1"; // deprecated + case 0x0015: return "secp224r1"; // P-224 + case 0x0016: return "secp256k1"; // deprecated + case 0x0017: return "secp256r1"; // P-256 + case 0x0018: return "secp384r1"; // P-384 + case 
0x0019: return "secp521r1"; // P-521 + + /* RFC 7027 - Brainpool Curves */ + case 0x001A: return "brainpoolP256r1"; + case 0x001B: return "brainpoolP384r1"; + case 0x001C: return "brainpoolP512r1"; + + /* RFC 8422 - TLS 1.3 Recommended Curves */ + case 0x001D: return "x25519"; // Curve25519 + case 0x001E: return "x448"; // Curve448 + + /* RFC 8998 - Hybrid Key Exchange in TLS 1.3 */ + case 0x001F: return "brainpoolP256r1tls13"; // Reserved, not used + case 0x0020: return "brainpoolP384r1tls13"; // Reserved, not used + case 0x0021: return "brainpoolP512r1tls13"; // Reserved, not used + + /* RFC 9189 - Post-Quantum Hybrid Key Exchange */ + case 0x0022: return "x25519kyber768"; + case 0x0023: return "secp256r1kyber768"; + case 0x0024: return "x25519kyber1024"; + case 0x0025: return "secp256r1kyber1024"; + case 0x0026: return "secp384r1kyber768"; + case 0x0027: return "secp384r1kyber1024"; + case 0x0028: return "secp521r1kyber1024"; + case 0x0029: return "x448kyber768"; + case 0x002A: return "x448kyber1024"; + + /* Arbitrary Prime and Characteristic-2 Curves */ + case 0xFF01: return "arbitrary_explicit_prime_curves"; + case 0xFF02: return "arbitrary_explicit_char2_curves"; + + /* GREASE values for Elliptic Curves (RFC 8701) */ + case 0x0A0A: return "(GREASE)"; + case 0x1A1A: return "(GREASE)"; + case 0x2A2A: return "(GREASE)"; + case 0x3A3A: return "(GREASE)"; + case 0x4A4A: return "(GREASE)"; + case 0x5A5A: return "(GREASE)"; + case 0x6A6A: return "(GREASE)"; + case 0x7A7A: return "(GREASE)"; + case 0x8A8A: return "(GREASE)"; + case 0x9A9A: return "(GREASE)"; + case 0xAAAA: return "(GREASE)"; + case 0xBABA: return "(GREASE)"; + case 0xCACA: return "(GREASE)"; + case 0xDADA: return "(GREASE)"; + case 0xEAEA: return "(GREASE)"; + case 0xFAFA: return "(GREASE)"; + + default: + ndpi_snprintf(unknown_curve, 8, "0X%04X", curve_id); + return(unknown_curve); + } +} + +/* ****************************************** */ + +const char* ndpi_tls_signature_algo2str(u_int16_t 
algo_id, char unknown_algo[8]) { + if (algo_id >= 0xFE00 && algo_id <= 0xFEFF) { + return("(Experimental/Private Use)"); + } + + switch (algo_id) { + // Legacy RSA PKCS#1 schemes (deprecated in TLS 1.3) + case 0x0201: return "rsa_pkcs1_sha1"; // Deprecated + case 0x0401: return "rsa_pkcs1_sha256"; + case 0x0501: return "rsa_pkcs1_sha384"; + case 0x0601: return "rsa_pkcs1_sha512"; + + // Legacy DSA schemes (deprecated) + case 0x0202: return "dsa_sha1"; // Deprecated + case 0x0402: return "dsa_sha256"; // Deprecated + case 0x0502: return "dsa_sha384"; // Deprecated + case 0x0602: return "dsa_sha512"; // Deprecated + + // Legacy ECDSA schemes (deprecated format) + case 0x0203: return "ecdsa_sha1"; // Deprecated + case 0x0403: return "ecdsa_sha256"; + case 0x0503: return "ecdsa_sha384"; + case 0x0603: return "ecdsa_sha512"; + + // Legacy RSASSA-PSS without MGF1 (deprecated) + case 0x0804: return "rsa_pss_sha256"; // Old format + case 0x0805: return "rsa_pss_sha384"; // Old format + case 0x0806: return "rsa_pss_sha512"; // Old format + + // EdDSA schemes (RFC 8422, RFC 8446) + case 0x0807: return "ed25519"; + case 0x0808: return "ed448"; + + // RSASSA-PSS with MGF1 (TLS 1.3, RFC 8446) + case 0x0809: return "rsa_pss_rsae_sha256"; + case 0x080A: return "rsa_pss_rsae_sha384"; + case 0x080B: return "rsa_pss_rsae_sha512"; + + // RSASSA-PSS with PSS padding only (RFC 8446) + case 0x080C: return "rsa_pss_pss_sha256"; + case 0x080D: return "rsa_pss_pss_sha384"; + case 0x080E: return "rsa_pss_pss_sha512"; + + // ECDSA_branchy (historical, not in standards) + case 0x080F: return "ecdsa_branchy"; + + // GOST R 34.10 schemes (RFC 9189) + case 0xEE01: return "gostr34102012_256"; + case 0xEE02: return "gostr34102012_512"; + + // SM2 signature scheme (Chinese standard) + case 0xEE03: return "sm2sig_sm3"; + + // Anonymous schemes (deprecated and insecure) + case 0x0200: return "anonymous_sha1"; // Deprecated + case 0x0300: return "anonymous_sha224"; // Deprecated + case 0x0400: return 
"anonymous_sha256"; // Deprecated + case 0x0500: return "anonymous_sha384"; // Deprecated + case 0x0600: return "anonymous_sha512"; // Deprecated + + // GREASE values for signature algorithms (RFC 8701) + case 0x0A0A: return "(GREASE)"; + case 0x1A1A: return "(GREASE)"; + case 0x2A2A: return "(GREASE)"; + case 0x3A3A: return "(GREASE)"; + case 0x4A4A: return "(GREASE)"; + case 0x5A5A: return "(GREASE)"; + case 0x6A6A: return "(GREASE)"; + case 0x7A7A: return "(GREASE)"; + case 0x8A8A: return "(GREASE)"; + case 0x9A9A: return "(GREASE)"; + case 0xAAAA: return "(GREASE)"; + case 0xBABA: return "(GREASE)"; + case 0xCACA: return "(GREASE)"; + case 0xDADA: return "(GREASE)"; + case 0xEAEA: return "(GREASE)"; + case 0xFAFA: return "(GREASE)"; + + default: + ndpi_snprintf(unknown_algo, 8, "0X%04X", algo_id); + return(unknown_algo); + } +} + +/* ****************************************** */ + +typedef struct { + unsigned short id; + const char* name; + const char* type; + int bits; + int deprecated; + int tls13_supported; +} tls_named_group_info; + +static const tls_named_group_info named_groups[] = { + // ========== Elliptic Curve Groups (ECDHE) ========== + // Deprecated binary/sect curves (RFC 4492) + {0x0001, "sect163k1", "EC", 163, 1, 0}, + {0x0002, "sect163r1", "EC", 163, 1, 0}, + {0x0003, "sect163r2", "EC", 163, 1, 0}, + {0x0004, "sect193r1", "EC", 193, 1, 0}, + {0x0005, "sect193r2", "EC", 193, 1, 0}, + {0x0006, "sect233k1", "EC", 233, 1, 0}, + {0x0007, "sect233r1", "EC", 233, 1, 0}, + {0x0008, "sect239k1", "EC", 239, 1, 0}, + {0x0009, "sect283k1", "EC", 283, 1, 0}, + {0x000A, "sect283r1", "EC", 283, 1, 0}, + {0x000B, "sect409k1", "EC", 409, 1, 0}, + {0x000C, "sect409r1", "EC", 409, 1, 0}, + {0x000D, "sect571k1", "EC", 571, 1, 0}, + {0x000E, "sect571r1", "EC", 571, 1, 0}, + + // Prime curves (secp*) + {0x000F, "secp160k1", "EC", 160, 1, 0}, + {0x0010, "secp160r1", "EC", 160, 1, 0}, + {0x0011, "secp160r2", "EC", 160, 1, 0}, + {0x0012, "secp192k1", "EC", 192, 1, 0}, + 
{0x0013, "secp192r1", "EC", 192, 1, 0}, // P-192, deprecated + {0x0014, "secp224k1", "EC", 224, 1, 0}, + {0x0015, "secp224r1", "EC", 224, 0, 1}, // P-224 + {0x0016, "secp256k1", "EC", 256, 1, 0}, // Bitcoin curve + {0x0017, "secp256r1", "EC", 256, 0, 1}, // P-256 (NIST), widely used + {0x0018, "secp384r1", "EC", 384, 0, 1}, // P-384 + {0x0019, "secp521r1", "EC", 521, 0, 1}, // P-521 + + // Brainpool curves (RFC 7027) + {0x001A, "brainpoolP256r1", "EC", 256, 1, 0}, + {0x001B, "brainpoolP384r1", "EC", 384, 1, 0}, + {0x001C, "brainpoolP512r1", "EC", 512, 1, 0}, + + // Montgomery curves (RFC 7748, RFC 8446) + {0x001D, "x25519", "EC", 255, 0, 1}, // Curve25519, recommended + {0x001E, "x448", "EC", 448, 0, 1}, // Curve448 + + // Reserved for brainpool in TLS 1.3 (not used) + {0x001F, "brainpoolP256r1tls13", "EC", 256, 1, 0}, + {0x0020, "brainpoolP384r1tls13", "EC", 384, 1, 0}, + {0x0021, "brainpoolP512r1tls13", "EC", 512, 1, 0}, + + // Hybrid post-quantum key exchange (RFC 9189) + {0x0022, "x25519kyber768", "PQ", 255, 0, 1}, + {0x0023, "secp256r1kyber768", "PQ", 256, 0, 1}, + {0x0024, "x25519kyber1024", "PQ", 255, 0, 1}, + {0x0025, "secp256r1kyber1024", "PQ", 256, 0, 1}, + {0x0026, "secp384r1kyber768", "PQ", 384, 0, 1}, + {0x0027, "secp384r1kyber1024", "PQ", 384, 0, 1}, + {0x0028, "secp521r1kyber1024", "PQ", 521, 0, 1}, + {0x0029, "x448kyber768", "PQ", 448, 0, 1}, + {0x002A, "x448kyber1024", "PQ", 448, 0, 1}, + + // ========== Finite Field Groups (FFDHE) ========== + {0x0100, "ffdhe2048", "DH", 2048, 0, 1}, + {0x0101, "ffdhe3072", "DH", 3072, 0, 1}, + {0x0102, "ffdhe4096", "DH", 4096, 0, 1}, + {0x0103, "ffdhe6144", "DH", 6144, 0, 1}, + {0x0104, "ffdhe8192", "DH", 8192, 0, 1}, + + // ========== Special Values ========== + {0xFF01, "arbitrary_explicit_prime_curves", "SPEC", 0, 1, 0}, + {0xFF02, "arbitrary_explicit_char2_curves", "SPEC", 0, 1, 0}, + + // Terminator + {0xFFFF, NULL, NULL, 0, 0, 0} +}; + +/* ****************************************** */ + +const char* 
ndpi_tls_elliptic_curve_groups2str(u_int16_t group_id, char unknown_group[8]) { + u_int16_t i; + + if(((group_id) & 0x0F0F) == 0x0A0A) + return("(GREASE)"); + + // Check for reserved ranges + if ((group_id >= 0x002B && group_id <= 0x003F) || // Reserved ECDHE + (group_id >= 0x0105 && group_id <= 0x01FF)) { // Reserved FFDHE + return("(Reserved)"); + } + + // Check for experimental/private use + if (group_id >= 0xFE00 && group_id <= 0xFEFF) { + return("(Experimental/Private Use)"); + } + + // Search in the table + for (i = 0; named_groups[i].name != NULL; i++) { + if (named_groups[i].id == group_id) { + return(named_groups[i].name); + } + } + + ndpi_snprintf(unknown_group, 8, "0X%04X", group_id); + return(unknown_group); +} + +/* ****************************************** */ + +typedef struct { + u_int16_t id; + const char* name; + const char* type; + int public_key_size; // Typical public key size in bytes + int shared_secret_size; // Typical shared secret size in bytes + int tls13_supported; + int requires_key_share; + const char* security_level; + const char* rfc; + int draft_version; +} key_share_group_info; + +// TLS 1.3 KeyShare groups - Complete and up-to-date +static const key_share_group_info key_share_groups[] = { + // ========== Traditional Elliptic Curve Groups (ECDHE) ========== + {0x0017, "secp256r1", "ECDHE", 65, 32, 1, 1, "128-bit", "RFC 8446", 0}, + {0x0018, "secp384r1", "ECDHE", 97, 48, 1, 1, "192-bit", "RFC 8446", 0}, + {0x0019, "secp521r1", "ECDHE", 133, 66, 1, 1, "256-bit", "RFC 8446", 0}, + + // Montgomery curves (RFC 7748, RFC 8446) + {0x001D, "x25519", "ECDHE", 32, 32, 1, 1, "128-bit", "RFC 8446", 0}, + {0x001E, "x448", "ECDHE", 56, 56, 1, 1, "224-bit", "RFC 8446", 0}, + + // ========== Finite Field Groups (FFDHE) ========== + {0x0100, "ffdhe2048", "FFDHE", 256, 256, 1, 0, "112-bit", "RFC 7919", 0}, + {0x0101, "ffdhe3072", "FFDHE", 384, 384, 1, 0, "128-bit", "RFC 7919", 0}, + {0x0102, "ffdhe4096", "FFDHE", 512, 512, 1, 0, "152-bit", "RFC 
7919", 0}, + {0x0103, "ffdhe6144", "FFDHE", 768, 768, 1, 0, "176-bit", "RFC 7919", 0}, + {0x0104, "ffdhe8192", "FFDHE", 1024, 1024, 1, 0, "192-bit", "RFC 7919", 0}, + + // ========== Kyber-based Hybrid Groups (RFC 9189) ========== + {0x0022, "x25519kyber768", "PQ_HYBRID", 32+1184, 32+32, 1, 1, "128-bit + L3", "RFC 9189", 0}, + {0x0023, "secp256r1kyber768", "PQ_HYBRID", 65+1184, 32+32, 1, 1, "128-bit + L3", "RFC 9189", 0}, + {0x0024, "x25519kyber1024", "PQ_HYBRID", 32+1568, 32+32, 1, 1, "128-bit + L5", "RFC 9189", 0}, + {0x0025, "secp256r1kyber1024", "PQ_HYBRID", 65+1568, 32+32, 1, 1, "128-bit + L5", "RFC 9189", 0}, + {0x0026, "secp384r1kyber768", "PQ_HYBRID", 97+1184, 48+32, 1, 1, "192-bit + L3", "RFC 9189", 0}, + {0x0027, "secp384r1kyber1024", "PQ_HYBRID", 97+1568, 48+32, 1, 1, "192-bit + L5", "RFC 9189", 0}, + {0x0028, "secp521r1kyber1024", "PQ_HYBRID", 133+1568, 66+32, 1, 1, "256-bit + L5", "RFC 9189", 0}, + {0x0029, "x448kyber768", "PQ_HYBRID", 56+1184, 56+32, 1, 1, "224-bit + L3", "RFC 9189", 0}, + {0x002A, "x448kyber1024", "PQ_HYBRID", 56+1568, 56+32, 1, 1, "224-bit + L5", "RFC 9189", 0}, + + // ========== ML-KEM (FIPS 203, formerly Kyber) Hybrid Groups ========== + // IANA: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18 + {0x11EC, "X25519MLKEM768", "PQ_HYBRID", 32+1184, 32+32, 1, 1, "128-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + {0x11ED, "P256MLKEM768", "PQ_HYBRID", 65+1184, 32+32, 1, 1, "128-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + {0x11EE, "X25519MLKEM1024", "PQ_HYBRID", 32+1568, 32+32, 1, 1, "128-bit + L5", "draft-ietf-tls-hybrid-design", 10}, + {0x11EF, "P256MLKEM1024", "PQ_HYBRID", 65+1568, 32+32, 1, 1, "128-bit + L5", "draft-ietf-tls-hybrid-design", 10}, + {0x11F0, "X448MLKEM768", "PQ_HYBRID", 56+1184, 56+32, 1, 1, "224-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + {0x11F1, "P384MLKEM768", "PQ_HYBRID", 97+1184, 48+32, 1, 1, "192-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + {0x11F2, 
"X448MLKEM1024", "PQ_HYBRID", 56+1568, 56+32, 1, 1, "224-bit + L5", "draft-ietf-tls-hybrid-design", 10}, + {0x11F3, "P384MLKEM1024", "PQ_HYBRID", 97+1568, 48+32, 1, 1, "192-bit + L5", "draft-ietf-tls-hybrid-design", 10}, + {0x11F4, "P521MLKEM1024", "PQ_HYBRID", 133+1568, 66+32, 1, 1, "256-bit + L5", "draft-ietf-tls-hybrid-design", 10}, + + // ========== ML-KEM Only (non-hybrid) ========== + {0x11F5, "MLKEM512", "PQ_ONLY", 800, 32, 1, 1, "L1", "draft-ietf-tls-hybrid-design", 10}, + {0x11F6, "MLKEM768", "PQ_ONLY", 1184, 32, 1, 1, "L3", "draft-ietf-tls-hybrid-design", 10}, + {0x11F7, "MLKEM1024", "PQ_ONLY", 1568, 32, 1, 1, "L5", "draft-ietf-tls-hybrid-design", 10}, + + // ========== NTRU Hybrid Groups ========== + {0x11F8, "X25519NTRUHPS2048509", "PQ_HYBRID", 32+699, 32+32, 1, 1, "128-bit + L1", "draft-ietf-tls-hybrid-design", 10}, + {0x11F9, "P256NTRUHPS2048509", "PQ_HYBRID", 65+699, 32+32, 1, 1, "128-bit + L1", "draft-ietf-tls-hybrid-design", 10}, + {0x11FA, "X25519NTRUHPS2048677", "PQ_HYBRID", 32+930, 32+32, 1, 1, "128-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + {0x11FB, "P256NTRUHPS2048677", "PQ_HYBRID", 65+930, 32+32, 1, 1, "128-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + {0x11FC, "X448NTRUHPS2048677", "PQ_HYBRID", 56+930, 56+32, 1, 1, "224-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + {0x11FD, "P384NTRUHPS2048677", "PQ_HYBRID", 97+930, 48+32, 1, 1, "192-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + + // ========== NTRU Prime Hybrid Groups ========== + {0x11FE, "X25519NTRULPR653", "PQ_HYBRID", 32+897, 32+32, 1, 1, "128-bit", "draft-ietf-tls-hybrid-design", 10}, + {0x11FF, "P256NTRULPR653", "PQ_HYBRID", 65+897, 32+32, 1, 1, "128-bit", "draft-ietf-tls-hybrid-design", 10}, + {0x1200, "X25519NTRULPR761", "PQ_HYBRID", 32+1039, 32+32, 1, 1, "128-bit", "draft-ietf-tls-hybrid-design", 10}, + {0x1201, "P256NTRULPR761", "PQ_HYBRID", 65+1039, 32+32, 1, 1, "128-bit", "draft-ietf-tls-hybrid-design", 10}, + {0x1202, "X448NTRULPR761", "PQ_HYBRID", 56+1039, 
56+32, 1, 1, "224-bit", "draft-ietf-tls-hybrid-design", 10}, + {0x1203, "P384NTRULPR761", "PQ_HYBRID", 97+1039, 48+32, 1, 1, "192-bit", "draft-ietf-tls-hybrid-design", 10}, + {0x1204, "P521NTRULPR761", "PQ_HYBRID", 133+1039, 66+32, 1, 1, "256-bit", "draft-ietf-tls-hybrid-design", 10}, + + // ========== Saber (LightSaber) Hybrid Groups ========== + {0x1205, "X25519LightSaber", "PQ_HYBRID", 32+672, 32+32, 1, 1, "128-bit + L1", "draft-ietf-tls-hybrid-design", 10}, + {0x1206, "P256LightSaber", "PQ_HYBRID", 65+672, 32+32, 1, 1, "128-bit + L1", "draft-ietf-tls-hybrid-design", 10}, + {0x1207, "X25519Saber", "PQ_HYBRID", 32+992, 32+32, 1, 1, "128-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + {0x1208, "P256Saber", "PQ_HYBRID", 65+992, 32+32, 1, 1, "128-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + {0x1209, "X448Saber", "PQ_HYBRID", 56+992, 56+32, 1, 1, "224-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + {0x120A, "P384Saber", "PQ_HYBRID", 97+992, 48+32, 1, 1, "192-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + + // ========== FrodoKEM Hybrid Groups ========== + {0x120B, "X25519Frodo640SHAKE", "PQ_HYBRID", 32+9616, 32+16, 1, 1, "128-bit + L1", "draft-ietf-tls-hybrid-design", 10}, + {0x120C, "P256Frodo640SHAKE", "PQ_HYBRID", 65+9616, 32+16, 1, 1, "128-bit + L1", "draft-ietf-tls-hybrid-design", 10}, + {0x120D, "X25519Frodo976SHAKE", "PQ_HYBRID", 32+15632, 32+24, 1, 1, "128-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + {0x120E, "P256Frodo976SHAKE", "PQ_HYBRID", 65+15632, 32+24, 1, 1, "128-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + {0x120F, "X448Frodo976SHAKE", "PQ_HYBRID", 56+15632, 56+24, 1, 1, "224-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + {0x1210, "P384Frodo976SHAKE", "PQ_HYBRID", 97+15632, 48+24, 1, 1, "192-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + {0x1211, "X25519Frodo1344SHAKE", "PQ_HYBRID", 32+21520, 32+32, 1, 1, "128-bit + L5", "draft-ietf-tls-hybrid-design", 10}, + {0x1212, "P256Frodo1344SHAKE", "PQ_HYBRID", 65+21520, 32+32, 1, 
1, "128-bit + L5", "draft-ietf-tls-hybrid-design", 10}, + {0x1213, "P384Frodo1344SHAKE", "PQ_HYBRID", 97+21520, 48+32, 1, 1, "192-bit + L5", "draft-ietf-tls-hybrid-design", 10}, + {0x1214, "P521Frodo1344SHAKE", "PQ_HYBRID", 133+21520, 66+32, 1, 1, "256-bit + L5", "draft-ietf-tls-hybrid-design", 10}, + + // ========== BIKE Hybrid Groups ========== + {0x1215, "X25519BIKE1L1", "PQ_HYBRID", 32+1541, 32+32, 1, 1, "128-bit + L1", "draft-ietf-tls-hybrid-design", 10}, + {0x1216, "P256BIKE1L1", "PQ_HYBRID", 65+1541, 32+32, 1, 1, "128-bit + L1", "draft-ietf-tls-hybrid-design", 10}, + {0x1217, "X25519BIKE1L3", "PQ_HYBRID", 32+3083, 32+32, 1, 1, "128-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + {0x1218, "P256BIKE1L3", "PQ_HYBRID", 65+3083, 32+32, 1, 1, "128-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + {0x1219, "X448BIKE1L3", "PQ_HYBRID", 56+3083, 56+32, 1, 1, "224-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + {0x121A, "P384BIKE1L3", "PQ_HYBRID", 97+3083, 48+32, 1, 1, "192-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + + // ========== HQC Hybrid Groups ========== + {0x121B, "X25519HQCL1", "PQ_HYBRID", 32+2249, 32+64, 1, 1, "128-bit + L1", "draft-ietf-tls-hybrid-design", 10}, + {0x121C, "P256HQCL1", "PQ_HYBRID", 65+2249, 32+64, 1, 1, "128-bit + L1", "draft-ietf-tls-hybrid-design", 10}, + {0x121D, "X25519HQCL3", "PQ_HYBRID", 32+4522, 32+64, 1, 1, "128-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + {0x121E, "P256HQCL3", "PQ_HYBRID", 65+4522, 32+64, 1, 1, "128-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + {0x121F, "X448HQCL3", "PQ_HYBRID", 56+4522, 56+64, 1, 1, "224-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + {0x1220, "P384HQCL3", "PQ_HYBRID", 97+4522, 48+64, 1, 1, "192-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + + // ========== SIKE Hybrid Groups (NOTE: Broken in 2022, included for completeness) ========== + {0x1221, "X25519SIKEp434", "PQ_HYBRID_BROKEN", 32+330, 32+16, 0, 0, "128-bit + L1", "draft-ietf-tls-hybrid-design", 0}, + {0x1222, 
"P256SIKEp434", "PQ_HYBRID_BROKEN", 65+330, 32+16, 0, 0, "128-bit + L1", "draft-ietf-tls-hybrid-design", 0}, + {0x1223, "X25519SIKEp503", "PQ_HYBRID_BROKEN", 32+378, 32+24, 0, 0, "128-bit + L2", "draft-ietf-tls-hybrid-design", 0}, + {0x1224, "P256SIKEp503", "PQ_HYBRID_BROKEN", 65+378, 32+24, 0, 0, "128-bit + L2", "draft-ietf-tls-hybrid-design", 0}, + {0x1225, "X25519SIKEp610", "PQ_HYBRID_BROKEN", 32+462, 32+24, 0, 0, "128-bit + L3", "draft-ietf-tls-hybrid-design", 0}, + {0x1226, "P256SIKEp610", "PQ_HYBRID_BROKEN", 65+462, 32+24, 0, 0, "128-bit + L3", "draft-ietf-tls-hybrid-design", 0}, + {0x1227, "X448SIKEp610", "PQ_HYBRID_BROKEN", 56+462, 56+24, 0, 0, "224-bit + L3", "draft-ietf-tls-hybrid-design", 0}, + {0x1228, "P384SIKEp610", "PQ_HYBRID_BROKEN", 97+462, 48+24, 0, 0, "192-bit + L3", "draft-ietf-tls-hybrid-design", 0}, + {0x1229, "X25519SIKEp751", "PQ_HYBRID_BROKEN", 32+564, 32+32, 0, 0, "128-bit + L5", "draft-ietf-tls-hybrid-design", 0}, + {0x122A, "P256SIKEp751", "PQ_HYBRID_BROKEN", 65+564, 32+32, 0, 0, "128-bit + L5", "draft-ietf-tls-hybrid-design", 0}, + {0x122B, "P384SIKEp751", "PQ_HYBRID_BROKEN", 97+564, 48+32, 0, 0, "192-bit + L5", "draft-ietf-tls-hybrid-design", 0}, + {0x122C, "P521SIKEp751", "PQ_HYBRID_BROKEN", 133+564, 66+32, 0, 0, "256-bit + L5", "draft-ietf-tls-hybrid-design", 0}, + + // ========== Classic McEliece Hybrid Groups ========== + {0x122D, "X25519ClassicMcEliece348864", "PQ_HYBRID", 32+261120, 32+32, 1, 1, "128-bit + L1", "draft-ietf-tls-hybrid-design", 10}, + {0x122E, "P256ClassicMcEliece348864", "PQ_HYBRID", 65+261120, 32+32, 1, 1, "128-bit + L1", "draft-ietf-tls-hybrid-design", 10}, + {0x122F, "X25519ClassicMcEliece460896", "PQ_HYBRID", 32+524160, 32+32, 1, 1, "128-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + {0x1230, "P256ClassicMcEliece460896", "PQ_HYBRID", 65+524160, 32+32, 1, 1, "128-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + {0x1231, "X448ClassicMcEliece460896", "PQ_HYBRID", 56+524160, 56+32, 1, 1, "224-bit + L3", 
"draft-ietf-tls-hybrid-design", 10}, + {0x1232, "P384ClassicMcEliece460896", "PQ_HYBRID", 97+524160, 48+32, 1, 1, "192-bit + L3", "draft-ietf-tls-hybrid-design", 10}, + {0x1233, "X25519ClassicMcEliece6688128", "PQ_HYBRID", 32+1044992, 32+32, 1, 1, "128-bit + L5", "draft-ietf-tls-hybrid-design", 10}, + {0x1234, "P256ClassicMcEliece6688128", "PQ_HYBRID", 65+1044992, 32+32, 1, 1, "128-bit + L5", "draft-ietf-tls-hybrid-design", 10}, + {0x1235, "P384ClassicMcEliece6688128", "PQ_HYBRID", 97+1044992, 48+32, 1, 1, "192-bit + L5", "draft-ietf-tls-hybrid-design", 10}, + {0x1236, "P521ClassicMcEliece6688128", "PQ_HYBRID", 133+1044992, 66+32, 1, 1, "256-bit + L5", "draft-ietf-tls-hybrid-design", 10}, + + // ========== Other/Experimental Groups ========== + // Brainpool curves (not typically used in TLS 1.3) + {0x001A, "brainpoolP256r1", "ECDHE", 65, 32, 0, 0, "128-bit", "RFC 7027", 0}, + {0x001B, "brainpoolP384r1", "ECDHE", 97, 48, 0, 0, "192-bit", "RFC 7027", 0}, + {0x001C, "brainpoolP512r1", "ECDHE", 133, 64, 0, 0, "256-bit", "RFC 7027", 0}, + + // Terminator + {0x0000, NULL, NULL, 0, 0, 0, 0, NULL, NULL, 0} +}; + + +const char* ndpi_tls_key_share_group2str(u_int16_t group_id, char unknown_group[8]) { + u_int16_t i; + + if(((group_id) & 0x0F0F) == 0x0A0A) + return("(GREASE)"); + + if ((group_id >= 0x002B && group_id <= 0x003F) || // Reserved ECDHE + (group_id >= 0x0105 && group_id <= 0x01FF)) { // Reserved FFDHE + return("(Reserved)"); + } + + if (group_id >= 0xFE00 && group_id <= 0xFEFF) { + return("(Experimental/Private Use)"); + } + + for (i = 0; key_share_groups[i].name != NULL; i++) { + if (key_share_groups[i].id == group_id) { + return(key_share_groups[i].name); + } + } + + ndpi_snprintf(unknown_group, 8, "0X%04X", group_id); + return(unknown_group); +} + +/* ****************************************** */ + +typedef struct { + u_int16_t version; + const char* name; + const char* rfc; + int is_draft; + int deprecated; + int recommended; + const char* security_status; +} 
tls_version_info; + +// TLS versions table (RFC 5246, RFC 8446, and drafts) +static const tls_version_info tls_versions[] = { + // ========== SSL/TLS Legacy Versions ========== + {0x0200, "SSL 2.0", "Historical", 0, 1, 0, "INSECURE - MUST NOT USE"}, + {0x0300, "SSL 3.0", "Historical", 0, 1, 0, "INSECURE - MUST NOT USE"}, + + // ========== TLS 1.x Series ========== + {0x0301, "TLS 1.0", "RFC 2246", 0, 1, 0, "INSECURE - MUST NOT USE"}, + {0x0302, "TLS 1.1", "RFC 4346", 0, 1, 0, "WEAK - Should not use"}, + {0x0303, "TLS 1.2", "RFC 5246", 0, 0, 1, "SECURE - Widely supported"}, + {0x0304, "TLS 1.3", "RFC 8446", 0, 0, 1, "SECURE - Recommended"}, + + // ========== TLS 1.4 Drafts ========== + {0x7F00, "TLS 1.4 (draft-00)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F01, "TLS 1.4 (draft-01)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F02, "TLS 1.4 (draft-02)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F03, "TLS 1.4 (draft-03)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F04, "TLS 1.4 (draft-04)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F05, "TLS 1.4 (draft-05)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F06, "TLS 1.4 (draft-06)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F07, "TLS 1.4 (draft-07)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F08, "TLS 1.4 (draft-08)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F09, "TLS 1.4 (draft-09)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F0A, "TLS 1.4 (draft-10)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F0B, "TLS 1.4 (draft-11)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F0C, "TLS 1.4 (draft-12)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F0D, "TLS 1.4 (draft-13)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F0E, "TLS 1.4 (draft-14)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F0F, "TLS 1.4 (draft-15)", "draft-ietf-tls-tls13", 1, 0, 
0, "EXPERIMENTAL"}, + {0x7F10, "TLS 1.4 (draft-16)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F11, "TLS 1.4 (draft-17)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F12, "TLS 1.4 (draft-18)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F13, "TLS 1.4 (draft-19)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F14, "TLS 1.4 (draft-20)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F15, "TLS 1.4 (draft-21)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F16, "TLS 1.4 (draft-22)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F17, "TLS 1.4 (draft-23)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F18, "TLS 1.4 (draft-24)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F19, "TLS 1.4 (draft-25)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F1A, "TLS 1.4 (draft-26)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F1B, "TLS 1.4 (draft-27)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F1C, "TLS 1.4 (draft-28)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F1D, "TLS 1.4 (draft-29)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + {0x7F1E, "TLS 1.4 (draft-30)", "draft-ietf-tls-tls13", 1, 0, 0, "EXPERIMENTAL"}, + + // ========== DTLS Versions ========== + {0xFEFF, "DTLS 1.0", "RFC 4347", 0, 1, 0, "WEAK"}, + {0xFEFD, "DTLS 1.2", "RFC 6347", 0, 0, 1, "SECURE"}, + {0xFEFC, "DTLS 1.3", "RFC 9147", 0, 0, 1, "SECURE - Recommended"}, + + // ========== Experimental/Private Use ========== + {0x0A0A, "(GREASE)", "RFC 8701", 0, 0, 0, "TESTING"}, + {0x1A1A, "(GREASE)", "RFC 8701", 0, 0, 0, "TESTING"}, + {0x2A2A, "(GREASE)", "RFC 8701", 0, 0, 0, "TESTING"}, + {0x3A3A, "(GREASE)", "RFC 8701", 0, 0, 0, "TESTING"}, + {0x4A4A, "(GREASE)", "RFC 8701", 0, 0, 0, "TESTING"}, + {0x5A5A, "(GREASE)", "RFC 8701", 0, 0, 0, "TESTING"}, + {0x6A6A, "(GREASE)", "RFC 8701", 0, 0, 0, "TESTING"}, + {0x7A7A, "(GREASE)", "RFC 8701", 0, 0, 0, "TESTING"}, + {0x8A8A, 
"(GREASE)", "RFC 8701", 0, 0, 0, "TESTING"}, + {0x9A9A, "(GREASE)", "RFC 8701", 0, 0, 0, "TESTING"}, + {0xAAAA, "(GREASE)", "RFC 8701", 0, 0, 0, "TESTING"}, + {0xBABA, "(GREASE)", "RFC 8701", 0, 0, 0, "TESTING"}, + {0xCACA, "(GREASE)", "RFC 8701", 0, 0, 0, "TESTING"}, + {0xDADA, "(GREASE)", "RFC 8701", 0, 0, 0, "TESTING"}, + {0xEAEA, "(GREASE)", "RFC 8701", 0, 0, 0, "TESTING"}, + {0xFAFA, "(GREASE)", "RFC 8701", 0, 0, 0, "TESTING"}, + + + // ========== QUIC Versions (used in TLS over QUIC) ========== + {0x00000001, "QUIC v1", "RFC 9000", 0, 0, 1, "TRANSPORT"}, + + // Terminator + {0x0000, NULL, NULL, 0, 0, 0, NULL} +}; + +const char* ndpi_tls_supported_version2str(u_int16_t version_id, char unknown_version[8]) { + u_int16_t i; + + if(((version_id) & 0x0F0F) == 0x0A0A) + return("(GREASE)"); + + for (i = 0; tls_versions[i].name != NULL; i++) { + if (tls_versions[i].version == version_id) { + return(tls_versions[i].name); + } + } + + ndpi_snprintf(unknown_version, 8, "0X%04X", version_id); + return(unknown_version); +} diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 8622dc8a6..f158a3ba4 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -1634,7 +1634,7 @@ static void parse_response_code(struct ndpi_detection_module_struct *ndpi_struct char buf[4]; char ec[48]; - if(packet->payload_packet_len >= 12) { + if(packet->payload_packet_len >= 12) { /* Set server HTTP response code */ strncpy(buf, (char*)&packet->payload[9], 3); buf[3] = '\0'; diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index fcab825f2..b702d4017 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c 
@@ -1374,6 +1374,19 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct, switch(packet->payload[0] /* block type */) { case 0x01: /* Client Hello */ + if((flow->l4.tcp.three_way_handshake.syn_time != 0) /* Check only if 3WH was observed */ + && (flow->l4.tcp.three_way_handshake.ack_time != 0) + ) { + u_int64_t tdiff_ms = packet->current_time_ms - flow->l4.tcp.three_way_handshake.ack_time; + + if((tdiff_ms > 3000 /* 3 sec */) && (!ndpi_isset_risk(flow, NDPI_SLOW_DOS))) { + char buf[64]; + + snprintf(buf, sizeof(buf), "Slow TLS Request: %.1f sec", tdiff_ms/1000.); + ndpi_set_risk(ndpi_struct, flow, NDPI_SLOW_DOS, buf); + } + } + flow->protos.tls_quic.client_hello_processed = 1; flow->protos.tls_quic.ch_direction = packet->packet_direction; processClientServerHello(ndpi_struct, flow, 0); diff --git a/tests/cfgs/default/pcap/slowdos.pcap b/tests/cfgs/default/pcap/slowdos.pcap new file mode 100644 index 000000000..8730e745b Binary files /dev/null and b/tests/cfgs/default/pcap/slowdos.pcap differ diff --git a/tests/cfgs/default/pcap/slowloris.pcap b/tests/cfgs/default/pcap/slowloris.pcap new file mode 100644 index 000000000..2d8bb18ac Binary files /dev/null and b/tests/cfgs/default/pcap/slowloris.pcap differ diff --git a/tests/cfgs/default/result/KakaoTalk_talk.pcap.out b/tests/cfgs/default/result/KakaoTalk_talk.pcap.out index 82930363f..255b89ac2 100644 --- a/tests/cfgs/default/result/KakaoTalk_talk.pcap.out +++ b/tests/cfgs/default/result/KakaoTalk_talk.pcap.out 
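Review bot: The elapsed-time computation `u_int64_t tdiff_ms = packet->current_time_ms - flow->l4.tcp.three_way_handshake.ack_time;` in the new Client Hello branch is an unsigned subtraction with no ordering check, so whenever `current_time_ms` is behind `ack_time` (non-monotonic or reordered capture timestamps, or an `ack_time` that was refreshed by a later ACK — the code that stores it is not visible here) the difference wraps to a huge value and `NDPI_SLOW_DOS` is raised spuriously with a nonsensical "Slow TLS Request" duration. Guard it by extending the outer condition with `&& (packet->current_time_ms >= flow->l4.tcp.three_way_handshake.ack_time)` before the difference is computed. Two smaller points: the formatting call should be `ndpi_snprintf(buf, sizeof(buf), "Slow TLS Request: %.1f sec", tdiff_ms/1000.);` to match the wrapper used by the other new helpers in this diff, and the bare `3000` threshold deserves a named constant or a configuration knob, since the updated WebattackXSS expected output further down shows ordinary HTTP requests (from the HTTP-side check, which is not in view here) flagged at 3.8–4.8 s, suggesting a fixed 3 s cut-off will be noisy on slow links. processTLSBlock starts and continues outside this hunk.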
@@ -66,7 +66,7 @@ JA Host Stats: 5 TCP 10.24.82.188:59954 <-> 173.252.88.128:443 [proto: 91/TLS][Stack: TLS][IP: 119/Facebook][Encrypted][Confidence: DPI][FPC: 119/Facebook, Confidence: IP address][DPI packets: 7][cat: Web/5][Breed: Safe][15 pkts/2932 bytes <-> 14 pkts/1092 bytes][Goodput ratio: 71/27][1.96 sec][bytes ratio: 0.457 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 141/117 494/295 163/92][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 195/78 735/189 228/35][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][nDPI Fingerprint: 3fa2b708ed3ea706563f903b3f766422][TCP Fingerprint: 2_64_14000_078416dac97d/Unknown][TLSv1][JA4: t10i350200_1f24bcc5f17d_33a13ba74d1c][JA3S: 07dddc59e60135c7b479d39c3ae686af][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA][Plen Bins: 30,23,0,0,15,0,7,0,7,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 6 UDP 10.24.82.188:10269 <-> 1.201.1.174:23047 [proto: 194/KakaoTalk_Voice][Stack: KakaoTalk_Voice][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 194/KakaoTalk_Voice, Confidence: DPI][DPI packets: 1][cat: VoIP/10][Breed: Acceptable][12 pkts/1692 bytes <-> 10 pkts/1420 bytes][Goodput ratio: 69/69][45.10 sec][bytes ratio: 0.087 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1062/3176 4203/4247 4716/5160 1131/719][Pkt Len c2s/s2c min/avg/max/stddev: 122/142 141/142 150/142 6/0][Plen Bins: 0,0,4,95,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 7 UDP 10.24.82.188:11321 <-> 1.201.1.174:23045 [proto: 194/KakaoTalk_Voice][Stack: KakaoTalk_Voice][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 194/KakaoTalk_Voice, Confidence: DPI][DPI packets: 1][cat: VoIP/10][Breed: Acceptable][11 pkts/1542 bytes <-> 11 pkts/1542 bytes][Goodput ratio: 69/69][43.84 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1105/1052 4266/3766 4903/4991 1245/1144][Pkt Len c2s/s2c min/avg/max/stddev: 122/122 140/140 142/142 6/6][Plen Bins: 
0,0,9,90,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 8 TCP 10.24.82.188:48489 <-> 203.205.147.215:80 [proto: 131.48/HTTP_Proxy.QQ][Stack: HTTP_Proxy.QQ][IP: 285/Tencent][ClearText][Confidence: DPI][FPC: 285/Tencent, Confidence: IP address][DPI packets: 11][cat: Download/7][Breed: Fun][8 pkts/1117 bytes <-> 7 pkts/610 bytes][Goodput ratio: 54/34][3.79 sec][Hostname/SNI: hkminorshort.weixin.qq.com][bytes ratio: 0.294 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/51 406/439 2019/1166 732/515][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 140/87 665/262 199/71][URL: http://hkminorshort.weixin.qq.com/cgi-bin/micromsg-bin/rtkvreport][StatusCode: 200][Req Content-Type: application/octet-stream][Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Filename: micromsgresp.dat][Risk: ** Known Proto on Non Std Port **** Binary File/Data Transfer (Attempt) **][Risk Score: 100][Risk Info: Found binary mime octet-stream / Expected on port 8080,3128][TCP Fingerprint: 2_64_14000_f6101b157c46/Unknown][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 8 TCP 10.24.82.188:48489 <-> 203.205.147.215:80 [proto: 131.48/HTTP_Proxy.QQ][Stack: HTTP_Proxy.QQ][IP: 285/Tencent][ClearText][Confidence: DPI][FPC: 285/Tencent, Confidence: IP address][DPI packets: 11][cat: Download/7][Breed: Fun][8 pkts/1117 bytes <-> 7 pkts/610 bytes][Goodput ratio: 54/34][3.79 sec][Hostname/SNI: hkminorshort.weixin.qq.com][bytes ratio: 0.294 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/51 406/439 2019/1166 732/515][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 140/87 665/262 199/71][URL: http://hkminorshort.weixin.qq.com/cgi-bin/micromsg-bin/rtkvreport][StatusCode: 200][Req Content-Type: application/octet-stream][Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Filename: micromsgresp.dat][Risk: ** Known Proto on Non Std Port **** Binary File/Data 
Transfer (Attempt) **][Risk Score: 100][Risk Info: Found binary mime octet-stream|File download micromsgresp.dat / Expected on port 8080,3128][TCP Fingerprint: 2_64_14000_f6101b157c46/Unknown][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 9 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][Stack: HTTP_Proxy][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 11][cat: Web/5][Breed: Acceptable][6 pkts/543 bytes <-> 5 pkts/945 bytes][Goodput ratio: 25/64][24.77 sec][bytes ratio: -0.270 (Download)][IAT c2s/s2c min/avg/max/stddev: 77/47 4920/8061 17431/17434 6679/7163][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 90/189 130/504 24/164][Plen Bins: 16,51,0,16,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 10 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/TLS][Stack: TLS][IP: 0/Unknown][Encrypted][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Web/5][Breed: Safe][3 pkts/1044 bytes <-> 2 pkts/154 bytes][Goodput ratio: 84/27][51.90 sec][Risk: ** Susp Entropy **][Risk Score: 10][Risk Info: Entropy: 7.514 (Encrypted or Random?)][Plen Bins: 0,33,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 11 TCP 10.24.82.188:58916 <-> 54.255.185.236:5222 [proto: 461/AWS_EC2][Stack: AWS_EC2][IP: 461/AWS_EC2][Encrypted][Confidence: Match by IP][FPC: 461/AWS_EC2, Confidence: IP address][DPI packets: 4][cat: Cloud/13][Breed: Acceptable][2 pkts/225 bytes <-> 2 pkts/171 bytes][Goodput ratio: 39/20][0.46 sec][PLAIN TEXT (xiaomi.com)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/WebattackXSS.pcap.out b/tests/cfgs/default/result/WebattackXSS.pcap.out index 65729582e..d05bba5b4 100644 
--- a/tests/cfgs/default/result/WebattackXSS.pcap.out +++ b/tests/cfgs/default/result/WebattackXSS.pcap.out 
@@ -36,24 +36,24 @@ Acceptable 9374 4721148 661 Web 9374 4721148 661 - 1 TCP 172.16.0.1:59042 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][214 pkts/62915 bytes <-> 107 pkts/190654 bytes][Goodput ratio: 78/96][68.07 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.504 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 340/680 4821/4822 530/629][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 294/1782 651/1935 251/393][URL: 205.174.165.68/dv/vulnerabilities/xss_r/][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **][Risk Score: 110][Risk Info: Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,49] - 2 TCP 172.16.0.1:56306 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][205 pkts/62321 bytes <-> 115 pkts/191204 bytes][Goodput ratio: 78/96][68.15 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.508 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 354/600 4804/4805 540/628][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 304/1663 651/1936 252/500][URL: 205.174.165.68/dv/vulnerabilities/xss_r/][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **][Risk Score: 110][Risk Info: Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68][TCP Fingerprint: 
2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,23,0,5,0,0,0,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,42] - 3 TCP 172.16.0.1:58360 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][210 pkts/62853 bytes <-> 105 pkts/190635 bytes][Goodput ratio: 78/96][67.29 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.504 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 346/635 3808/3809 494/543][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 299/1816 651/1936 252/351][URL: 205.174.165.68/dv/vulnerabilities/xss_r/?name=%3Cscript%3Econsole.log%28%27MRVS1VO9FLO4CFA5FLJ13I9GULOFH69WHOJQ0PH0OKE2FMG3MQ%27%29%3Bconsole.log%28document.cookie%29%3B%3C%2Fscript%3E][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** XSS Attack **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **][Risk Score: 260][Risk Info: Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68 / Suspicious URL [/dv/vulnerabilities/xss_r/?name=%3C][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,24,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50] - 4 TCP 172.16.0.1:33580 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][206 pkts/62387 bytes <-> 110 pkts/190854 bytes][Goodput ratio: 78/96][69.42 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.507 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 343/690 4839/4840 532/624][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 303/1735 651/1935 252/442][URL: 205.174.165.68/dv/vulnerabilities/xss_r/][StatusCode: 
200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **][Risk Score: 110][Risk Info: Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,24,0,2,0,0,0,0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,46] + 1 TCP 172.16.0.1:59042 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][214 pkts/62915 bytes <-> 107 pkts/190654 bytes][Goodput ratio: 78/96][68.07 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.504 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 340/680 4821/4822 530/629][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 294/1782 651/1935 251/393][URL: 205.174.165.68/dv/vulnerabilities/xss_r/][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **** (Possible) Slow DoS **][Risk Score: 210][Risk Info: Slow HTTP Req. 
(Slowloris): 4.8 sec / Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,49] + 2 TCP 172.16.0.1:56306 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][205 pkts/62321 bytes <-> 115 pkts/191204 bytes][Goodput ratio: 78/96][68.15 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.508 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 354/600 4804/4805 540/628][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 304/1663 651/1936 252/500][URL: 205.174.165.68/dv/vulnerabilities/xss_r/][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **** (Possible) Slow DoS **][Risk Score: 210][Risk Info: Slow HTTP Req. 
(Slowloris): 4.8 sec / Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,23,0,5,0,0,0,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,42] + 3 TCP 172.16.0.1:58360 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][210 pkts/62853 bytes <-> 105 pkts/190635 bytes][Goodput ratio: 78/96][67.29 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.504 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 346/635 3808/3809 494/543][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 299/1816 651/1936 252/351][URL: 205.174.165.68/dv/vulnerabilities/xss_r/?name=%3Cscript%3Econsole.log%28%27MRVS1VO9FLO4CFA5FLJ13I9GULOFH69WHOJQ0PH0OKE2FMG3MQ%27%29%3Bconsole.log%28document.cookie%29%3B%3C%2Fscript%3E][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** XSS Attack **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **** (Possible) Slow DoS **][Risk Score: 360][Risk Info: Slow HTTP Req. 
(Slowloris): 3.8 sec / Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68 / Suspicious UR][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,24,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50] + 4 TCP 172.16.0.1:33580 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][206 pkts/62387 bytes <-> 110 pkts/190854 bytes][Goodput ratio: 78/96][69.42 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.507 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 343/690 4839/4840 532/624][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 303/1735 651/1935 252/442][URL: 205.174.165.68/dv/vulnerabilities/xss_r/][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **** (Possible) Slow DoS **][Risk Score: 210][Risk Info: Slow HTTP Req. 
(Slowloris): 4.8 sec / Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,24,0,2,0,0,0,0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,46] 5 TCP 172.16.0.1:34278 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][206 pkts/62589 bytes <-> 105 pkts/190625 bytes][Goodput ratio: 78/96][67.05 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.506 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/3 328/716 2587/2588 440/440][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 304/1815 651/1936 253/351][URL: 205.174.165.68/dv/vulnerabilities/xss_r/?name=%3Cscript%3Econsole.log%28%27TNRH0PFRPCFVXECFZU2OUYBTDZQVIWB8HBZ1VC7EXA9PGMGBWA%27%29%3Bconsole.log%28document.cookie%29%3B%3C%2Fscript%3E][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** XSS Attack **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **][Risk Score: 260][Risk Info: Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68 / Suspicious URL [/dv/vulnerabilities/xss_r/?name=%3C][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,49] - 6 TCP 172.16.0.1:32906 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][205 pkts/62523 bytes <-> 105 pkts/190638 bytes][Goodput ratio: 78/96][68.34 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.506 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 377/619 3861/3861 508/538][Pkt Len c2s/s2c 
min/avg/max/stddev: 66/66 305/1816 651/1936 253/351][URL: 205.174.165.68/dv/vulnerabilities/xss_r/?name=%3Cscript%3Econsole.log%28%27UQE70NGV80W4ZBVWQELDMRMBY9BF6W552ZBHL3F4W4MIP7R7K6%27%29%3Bconsole.log%28document.cookie%29%3B%3C%2Fscript%3E][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** XSS Attack **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **][Risk Score: 260][Risk Info: Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68 / Suspicious URL [/dv/vulnerabilities/xss_r/?name=%3C][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50] - 7 TCP 172.16.0.1:56994 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][205 pkts/62523 bytes <-> 105 pkts/190634 bytes][Goodput ratio: 78/96][67.00 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.506 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 370/605 3818/3818 505/541][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 305/1816 651/1935 253/351][URL: 205.174.165.68/dv/vulnerabilities/xss_r/?name=%3Cscript%3Econsole.log%28%27AA0U7VCIO18AUKPZNB0ZXFCDF9PVHM0BRGOWM22EICNEPXK5UC%27%29%3Bconsole.log%28document.cookie%29%3B%3C%2Fscript%3E][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** XSS Attack **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **][Risk Score: 260][Risk Info: Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68 / Suspicious URL [/dv/vulnerabilities/xss_r/?name=%3C][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET 
/dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50] - 8 TCP 172.16.0.1:52910 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][205 pkts/62523 bytes <-> 105 pkts/190630 bytes][Goodput ratio: 78/96][68.12 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.506 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 376/617 3808/3808 507/537][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 305/1816 651/1935 253/351][URL: 205.174.165.68/dv/vulnerabilities/xss_r/?name=%3Cscript%3Econsole.log%28%27AQ80NQUS4TAQLQVWHMAGXB11KUBK34NZA8RUUD143IFKQDS3P5%27%29%3Bconsole.log%28document.cookie%29%3B%3C%2Fscript%3E][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** XSS Attack **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **][Risk Score: 260][Risk Info: Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68 / Suspicious URL [/dv/vulnerabilities/xss_r/?name=%3C][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50] - 9 TCP 172.16.0.1:55632 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][205 pkts/62523 bytes <-> 105 pkts/190627 bytes][Goodput ratio: 78/96][67.55 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.506 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 373/609 3784/3784 507/541][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 305/1815 651/1935 253/351][URL: 
205.174.165.68/dv/vulnerabilities/xss_r/?name=%3Cscript%3Econsole.log%28%27JUL2D3WXHEGWRAFJE2PI7OS71Z4Z8RFUHXGNFLUFYVP6M3OL55%27%29%3Bconsole.log%28document.cookie%29%3B%3C%2Fscript%3E][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** XSS Attack **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **][Risk Score: 260][Risk Info: Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68 / Suspicious URL [/dv/vulnerabilities/xss_r/?name=%3C][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50] - 10 TCP 172.16.0.1:54268 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][205 pkts/62523 bytes <-> 105 pkts/190611 bytes][Goodput ratio: 78/96][67.52 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.506 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 373/611 3826/3827 507/543][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 305/1815 651/1935 253/351][URL: 205.174.165.68/dv/vulnerabilities/xss_r/?name=%3Cscript%3Econsole.log%28%270XVM4C1CNSWY8VF443GGZ6W527WBY4H29E2XQNGG2QUPQEKW0U%27%29%3Bconsole.log%28document.cookie%29%3B%3C%2Fscript%3E][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** XSS Attack **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **][Risk Score: 260][Risk Info: Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68 / Suspicious URL [/dv/vulnerabilities/xss_r/?name=%3C][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (KGET /dv/vulnerabilities/xss)][Plen Bins: 
0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50] - 11 TCP 172.16.0.1:53584 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][205 pkts/62321 bytes <-> 107 pkts/190662 bytes][Goodput ratio: 78/96][69.30 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.507 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/0 354/685 4897/4898 539/630][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 304/1782 651/1935 252/393][URL: 205.174.165.68/dv/vulnerabilities/xss_r/][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **][Risk Score: 110][Risk Info: Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,48] - 12 TCP 172.16.0.1:60464 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][205 pkts/62321 bytes <-> 106 pkts/190596 bytes][Goodput ratio: 78/96][67.94 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.507 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 340/695 3581/3582 475/513][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 304/1798 651/1936 252/373][URL: 205.174.165.68/dv/vulnerabilities/xss_r/][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **][Risk Score: 110][Risk Info: Expected 192.168.10.50, found 205.174.165.68 / Found host 
205.174.165.68][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,48] - 13 TCP 172.16.0.1:57684 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][205 pkts/62321 bytes <-> 106 pkts/190590 bytes][Goodput ratio: 78/96][66.98 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.507 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 339/669 3535/3536 477/517][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 304/1798 651/1935 252/373][URL: 205.174.165.68/dv/vulnerabilities/xss_r/][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **][Risk Score: 110][Risk Info: Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,48] - 14 TCP 172.16.0.1:34940 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][206 pkts/62387 bytes <-> 105 pkts/190510 bytes][Goodput ratio: 78/96][69.37 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.507 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/3 368/664 4896/4897 547/631][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 303/1814 651/1935 252/351][URL: 205.174.165.68/dv/vulnerabilities/xss_r/][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI 
**** HTTP Susp Header **][Risk Score: 110][Risk Info: Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,49] - 15 TCP 172.16.0.1:54956 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][205 pkts/62321 bytes <-> 105 pkts/190525 bytes][Goodput ratio: 78/96][66.90 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.507 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 325/707 3641/3642 473/524][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 304/1815 651/1935 252/351][URL: 205.174.165.68/dv/vulnerabilities/xss_r/][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **][Risk Score: 110][Risk Info: Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50] - 16 TCP 172.16.0.1:59732 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][206 pkts/62299 bytes <-> 106 pkts/190495 bytes][Goodput ratio: 78/96][70.21 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.507 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/3 384/681 3766/3767 516/543][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 302/1797 651/1935 251/373][URL: 
205.174.165.68/dv/vulnerabilities/xss_r/?name=%3Cscript%3Econsole.log%28%27SZGGJRXX6DR9VWKN864H8LTBEZ6QC3GJPC8TUUNAED3BBL4L8P%27%29%3Bconsole.log%28document.cookie%29%3B%3C%2Fscript%3E][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** XSS Attack **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **][Risk Score: 260][Risk Info: Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68 / Suspicious URL [/dv/vulnerabilities/xss_r/?name=%3C][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,24,0,1,0,0,0,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50] + 6 TCP 172.16.0.1:32906 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][205 pkts/62523 bytes <-> 105 pkts/190638 bytes][Goodput ratio: 78/96][68.34 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.506 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 377/619 3861/3861 508/538][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 305/1816 651/1936 253/351][URL: 205.174.165.68/dv/vulnerabilities/xss_r/?name=%3Cscript%3Econsole.log%28%27UQE70NGV80W4ZBVWQELDMRMBY9BF6W552ZBHL3F4W4MIP7R7K6%27%29%3Bconsole.log%28document.cookie%29%3B%3C%2Fscript%3E][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** XSS Attack **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **** (Possible) Slow DoS **][Risk Score: 360][Risk Info: Slow HTTP Req. 
(Slowloris): 3.9 sec / Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68 / Suspicious UR][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50] + 7 TCP 172.16.0.1:56994 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][205 pkts/62523 bytes <-> 105 pkts/190634 bytes][Goodput ratio: 78/96][67.00 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.506 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 370/605 3818/3818 505/541][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 305/1816 651/1935 253/351][URL: 205.174.165.68/dv/vulnerabilities/xss_r/?name=%3Cscript%3Econsole.log%28%27AA0U7VCIO18AUKPZNB0ZXFCDF9PVHM0BRGOWM22EICNEPXK5UC%27%29%3Bconsole.log%28document.cookie%29%3B%3C%2Fscript%3E][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** XSS Attack **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **** (Possible) Slow DoS **][Risk Score: 360][Risk Info: Slow HTTP Req. 
(Slowloris): 3.8 sec / Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68 / Suspicious UR][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50] + 8 TCP 172.16.0.1:52910 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][205 pkts/62523 bytes <-> 105 pkts/190630 bytes][Goodput ratio: 78/96][68.12 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.506 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 376/617 3808/3808 507/537][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 305/1816 651/1935 253/351][URL: 205.174.165.68/dv/vulnerabilities/xss_r/?name=%3Cscript%3Econsole.log%28%27AQ80NQUS4TAQLQVWHMAGXB11KUBK34NZA8RUUD143IFKQDS3P5%27%29%3Bconsole.log%28document.cookie%29%3B%3C%2Fscript%3E][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** XSS Attack **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **** (Possible) Slow DoS **][Risk Score: 360][Risk Info: Slow HTTP Req. 
(Slowloris): 3.8 sec / Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68 / Suspicious UR][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50] + 9 TCP 172.16.0.1:55632 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][205 pkts/62523 bytes <-> 105 pkts/190627 bytes][Goodput ratio: 78/96][67.55 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.506 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 373/609 3784/3784 507/541][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 305/1815 651/1935 253/351][URL: 205.174.165.68/dv/vulnerabilities/xss_r/?name=%3Cscript%3Econsole.log%28%27JUL2D3WXHEGWRAFJE2PI7OS71Z4Z8RFUHXGNFLUFYVP6M3OL55%27%29%3Bconsole.log%28document.cookie%29%3B%3C%2Fscript%3E][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** XSS Attack **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **** (Possible) Slow DoS **][Risk Score: 360][Risk Info: Slow HTTP Req. 
(Slowloris): 3.8 sec / Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68 / Suspicious UR][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50] + 10 TCP 172.16.0.1:54268 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][205 pkts/62523 bytes <-> 105 pkts/190611 bytes][Goodput ratio: 78/96][67.52 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.506 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 373/611 3826/3827 507/543][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 305/1815 651/1935 253/351][URL: 205.174.165.68/dv/vulnerabilities/xss_r/?name=%3Cscript%3Econsole.log%28%270XVM4C1CNSWY8VF443GGZ6W527WBY4H29E2XQNGG2QUPQEKW0U%27%29%3Bconsole.log%28document.cookie%29%3B%3C%2Fscript%3E][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** XSS Attack **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **** (Possible) Slow DoS **][Risk Score: 360][Risk Info: Slow HTTP Req. 
(Slowloris): 3.8 sec / Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68 / Suspicious UR][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (KGET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50] + 11 TCP 172.16.0.1:53584 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][205 pkts/62321 bytes <-> 107 pkts/190662 bytes][Goodput ratio: 78/96][69.30 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.507 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/0 354/685 4897/4898 539/630][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 304/1782 651/1935 252/393][URL: 205.174.165.68/dv/vulnerabilities/xss_r/][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **** (Possible) Slow DoS **][Risk Score: 210][Risk Info: Slow HTTP Req. 
(Slowloris): 4.9 sec / Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,48] + 12 TCP 172.16.0.1:60464 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][205 pkts/62321 bytes <-> 106 pkts/190596 bytes][Goodput ratio: 78/96][67.94 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.507 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 340/695 3581/3582 475/513][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 304/1798 651/1936 252/373][URL: 205.174.165.68/dv/vulnerabilities/xss_r/][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **** (Possible) Slow DoS **][Risk Score: 210][Risk Info: Slow HTTP Req. 
(Slowloris): 3.6 sec / Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,48] + 13 TCP 172.16.0.1:57684 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][205 pkts/62321 bytes <-> 106 pkts/190590 bytes][Goodput ratio: 78/96][66.98 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.507 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 339/669 3535/3536 477/517][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 304/1798 651/1935 252/373][URL: 205.174.165.68/dv/vulnerabilities/xss_r/][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **** (Possible) Slow DoS **][Risk Score: 210][Risk Info: Slow HTTP Req. 
(Slowloris): 3.5 sec / Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,48] + 14 TCP 172.16.0.1:34940 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][206 pkts/62387 bytes <-> 105 pkts/190510 bytes][Goodput ratio: 78/96][69.37 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.507 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/3 368/664 4896/4897 547/631][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 303/1814 651/1935 252/351][URL: 205.174.165.68/dv/vulnerabilities/xss_r/][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **** (Possible) Slow DoS **][Risk Score: 210][Risk Info: Slow HTTP Req. 
(Slowloris): 4.9 sec / Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,49] + 15 TCP 172.16.0.1:54956 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][205 pkts/62321 bytes <-> 105 pkts/190525 bytes][Goodput ratio: 78/96][66.90 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.507 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 325/707 3641/3642 473/524][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 304/1815 651/1935 252/351][URL: 205.174.165.68/dv/vulnerabilities/xss_r/][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **** (Possible) Slow DoS **][Risk Score: 210][Risk Info: Slow HTTP Req. 
(Slowloris): 3.6 sec / Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50] + 16 TCP 172.16.0.1:59732 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][206 pkts/62299 bytes <-> 106 pkts/190495 bytes][Goodput ratio: 78/96][70.21 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.507 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/3 384/681 3766/3767 516/543][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 302/1797 651/1935 251/373][URL: 205.174.165.68/dv/vulnerabilities/xss_r/?name=%3Cscript%3Econsole.log%28%27SZGGJRXX6DR9VWKN864H8LTBEZ6QC3GJPC8TUUNAED3BBL4L8P%27%29%3Bconsole.log%28document.cookie%29%3B%3C%2Fscript%3E][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** XSS Attack **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **** (Possible) Slow DoS **][Risk Score: 360][Risk Info: Slow HTTP Req. 
(Slowloris): 3.8 sec / Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68 / Suspicious UR][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,24,0,1,0,0,0,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50] 17 TCP 172.16.0.1:52298 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][208 pkts/61639 bytes <-> 107 pkts/190727 bytes][Goodput ratio: 78/96][60.17 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.512 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 317/536 1046/1043 421/406][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 296/1782 651/4410 248/575][URL: 205.174.165.68/dv/vulnerabilities/xss_r/][StatusCode: 302][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **][Risk Score: 110][Risk Info: Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,1,1,25,0,0,0,1,0,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,47] - 18 TCP 172.16.0.1:35626 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][88 pkts/26722 bytes <-> 45 pkts/81226 bytes][Goodput ratio: 78/96][31.23 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.505 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/3 401/695 3953/3953 601/706][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 304/1805 651/1935 253/377][URL: 
205.174.165.68/dv/vulnerabilities/xss_r/?name=%3Cscript%3Econsole.log%28%27KGE8ES9SCQ7FORY5VSPTYY4R4UHJNRQTPTAY6L9JR1OU40RPDA%27%29%3Bconsole.log%28document.cookie%29%3B%3C%2Fscript%3E][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** XSS Attack **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **][Risk Score: 260][Risk Info: Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68 / Suspicious URL [/dv/vulnerabilities/xss_r/?name=%3C][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,24,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50] + 18 TCP 172.16.0.1:35626 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][88 pkts/26722 bytes <-> 45 pkts/81226 bytes][Goodput ratio: 78/96][31.23 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.505 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/3 401/695 3953/3953 601/706][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 304/1805 651/1935 253/377][URL: 205.174.165.68/dv/vulnerabilities/xss_r/?name=%3Cscript%3Econsole.log%28%27KGE8ES9SCQ7FORY5VSPTYY4R4UHJNRQTPTAY6L9JR1OU40RPDA%27%29%3Bconsole.log%28document.cookie%29%3B%3C%2Fscript%3E][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** XSS Attack **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **** (Possible) Slow DoS **][Risk Score: 360][Risk Info: Slow HTTP Req. 
(Slowloris): 4.0 sec / Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68 / Suspicious UR][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,24,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50] 19 TCP 172.16.0.1:52200 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][21 pkts/4366 bytes <-> 12 pkts/14453 bytes][Goodput ratio: 68/94][4.02 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.536 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 71/140 842/846 196/272][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 208/1204 625/7992 186/2089][URL: 205.174.165.68/dv/vulnerabilities/xss_r/][StatusCode: 302][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **][Risk Score: 110][Risk Info: Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,12,12,18,5,0,0,12,12,5,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,5,0,5] 20 TCP 172.16.0.1:52098 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][17 pkts/3745 bytes <-> 13 pkts/13999 bytes][Goodput ratio: 70/94][6.08 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.578 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 431/104 5005/845 1286/263][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 220/1077 625/7306 191/1849][URL: 205.174.165.68/dv/vulnerabilities/xss_r/][StatusCode: 302][Content-Type: text/html][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; 
rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **][Risk Score: 110][Risk Info: Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/vulnerabilities/xss)][Plen Bins: 0,0,0,0,0,0,0,0,0,12,12,12,6,0,0,12,6,6,0,0,0,6,0,6,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,6,0,6] 21 TCP 172.16.0.1:52300 <-> 192.168.10.50:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][7 pkts/1229 bytes <-> 6 pkts/6497 bytes][Goodput ratio: 62/94][6.24 sec][Hostname/SNI: 205.174.165.68][bytes ratio: -0.682 (Download)][IAT c2s/s2c min/avg/max/stddev: 8/0 246/308 1185/1186 470/507][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 176/1083 461/5396 171/1949][URL: 205.174.165.68/dv/dvwa/js/dvwaPage.js][StatusCode: 200][Content-Type: application/javascript][Server: Apache/2.4.18 (Ubuntu)][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **][Risk Score: 110][Risk Info: Expected 192.168.10.50, found 205.174.165.68 / Found host 205.174.165.68][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /dv/dvwa/js/dvwaPage.js HTT)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,25,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25] diff --git a/tests/cfgs/default/result/emotet.pcap.out b/tests/cfgs/default/result/emotet.pcap.out index 47bd9c7fa..69e715a62 100644 --- a/tests/cfgs/default/result/emotet.pcap.out +++ b/tests/cfgs/default/result/emotet.pcap.out 
@@ -46,6 +46,6 @@ JA Host Stats: 1 TCP 10.3.29.101:56309 <-> 104.161.127.22:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][21 pkts/1592 bytes <-> 37 pkts/48623 bytes][Goodput ratio: 28/96][0.61 sec][Hostname/SNI: fkl.co.ke][bytes ratio: -0.937 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 26/7 204/204 57/36][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 76/1314 500/1415 95/343][URL: fkl.co.ke/wp-content/Elw3kPvOsZxM5/][StatusCode: 200][Content-Type: text/html][Server: LiteSpeed][User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Edg/99.0.1150.55][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][PLAIN TEXT (GET /wp)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,2,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,95,0,0,0,0,0] 2 TCP 10.2.25.102:57309 <-> 193.252.22.84:587 [proto: 3/SMTP][Stack: SMTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 19][cat: Email/3][Breed: Acceptable][23 pkts/16752 bytes <-> 27 pkts/1853 bytes][Goodput ratio: 93/21][8.35 sec][Hostname/SNI: opmta1mto02nd1][bytes ratio: 0.801 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 276/345 1205/3054 406/694][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 728/69 1514/214 702/33][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][PLAIN TEXT (220 opmta)][Plen Bins: 31,27,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,34,0,0] 3 TCP 10.4.25.101:49797 <-> 77.105.36.156:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][Breed: Acceptable][5 pkts/452 bytes <-> 10 pkts/10518 bytes][Goodput ratio: 34/95][0.48 sec][Hostname/SNI: filmmogzivota.rs][bytes ratio: -0.918 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 159/37 292/171 121/64][Pkt Len c2s/s2c 
min/avg/max/stddev: 60/60 90/1052 206/1442 58/553][URL: filmmogzivota.rs/SpryAssets/gDR/][StatusCode: 200][Content-Type: application/x-msdownload][Server: Apache][User-Agent: vBKbaQgjyvRRbcgfvlsc][Filename: TfBXbg6gEAqeHioMEKOtCAAn73.dll][Risk: ** Binary App Transfer **** HTTP Susp User-Agent **** Binary File/Data Transfer (Attempt) **][Risk Score: 300][Risk Info: File download TfBXbg6gEAqeHioMEKOtCAAn73.dll / UA vBKbaQgjyvRRbcgfvlsc / Found mime exe x-msdownload][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][PLAIN TEXT (GET /SpryAssets/gDR/ HTTP/1.1)][Plen Bins: 0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,66,0,0,0,0] - 4 TCP 10.4.20.102:54319 <-> 107.161.178.210:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Download/7][Breed: Acceptable][7 pkts/645 bytes <-> 7 pkts/8714 bytes][Goodput ratio: 35/96][0.38 sec][Hostname/SNI: gandhitoday.org][bytes ratio: -0.862 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 74/54 260/260 100/103][Pkt Len c2s/s2c min/avg/max/stddev: 60/62 92/1245 279/1442 76/483][URL: gandhitoday.org/video/6JvA8/][StatusCode: 200][Content-Type: application/x-msdownload][Server: Apache][User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko][Filename: EGh7x6aKN3ILP.dll][Risk: ** Binary App Transfer **** Binary File/Data Transfer (Attempt) **][Risk Score: 200][Risk Info: File download EGh7x6aKN3ILP.dll / Found mime exe x-msdownload][TCP Fingerprint: 2_128_65535_6bb88f5575fd/Windows][PLAIN TEXT (GET /video/6J)][Plen Bins: 0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,85,0,0,0,0] + 4 TCP 10.4.20.102:54319 <-> 107.161.178.210:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Download/7][Breed: Acceptable][7 pkts/645 bytes <-> 7 pkts/8714 bytes][Goodput ratio: 
35/96][0.38 sec][Hostname/SNI: gandhitoday.org][bytes ratio: -0.862 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 74/54 260/260 100/103][Pkt Len c2s/s2c min/avg/max/stddev: 60/62 92/1245 279/1442 76/483][URL: gandhitoday.org/video/6JvA8/][StatusCode: 200][Content-Type: application/x-msdownload][Server: Apache][User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko][Filename: EGh7x6aKN3ILP.dll][Risk: ** Binary App Transfer **** Binary File/Data Transfer (Attempt) **][Risk Score: 200][Risk Info: File download EGh7x6aKN3ILP.dll / Found mime exe x-msdownload|Found DOS/Windows Exe][TCP Fingerprint: 2_128_65535_6bb88f5575fd/Windows][PLAIN TEXT (GET /video/6J)][Plen Bins: 0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,85,0,0,0,0] 5 TCP 10.4.25.101:49803 <-> 138.197.147.101:443 [proto: 91/TLS][Stack: TLS][IP: 442/DigitalOcean][Encrypted][Confidence: DPI][FPC: 442/DigitalOcean, Confidence: IP address][DPI packets: 6][cat: Web/5][Breed: Safe][7 pkts/1130 bytes <-> 8 pkts/6240 bytes][Goodput ratio: 64/93][1.65 sec][bytes ratio: -0.693 (Download)][IAT c2s/s2c min/avg/max/stddev: 14/0 75/231 122/1117 39/400][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 161/780 534/1442 161/663][Risk: ** Self-signed Cert **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **][Risk Score: 160][Risk Info: SNI should always be present / No ALPN / C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com][nDPI Fingerprint: fec4fed0c770c8818d187ce500187667][TCP Fingerprint: 2_128_65535_6bb88f5575fd/Windows][TLSv1.2][JA4: t12i190600_d83cc789557e_2dae41c691ec][JA3S: ec74a5c51106f0419184d0dd08fb05bc][Issuer: C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com][Subject: C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com][Certificate SHA-1: 43:A2:39:73:AC:4D:2C:15:7B:D6:4E:32:EA:22:11:B7:97:65:1A:93][Firefox][Validity: 2022-04-21 10:08:46 - 
2023-04-21 10:08:46][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,12,0,12,0,0,12,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,51,0,0,0,0] 6 TCP 10.4.25.101:49804 <-> 138.197.147.101:443 [proto: 91/TLS][Stack: TLS][IP: 442/DigitalOcean][Encrypted][Confidence: DPI][FPC: 442/DigitalOcean, Confidence: IP address][DPI packets: 6][cat: Web/5][Breed: Safe][10 pkts/1517 bytes <-> 7 pkts/1208 bytes][Goodput ratio: 61/66][48.61 sec][bytes ratio: 0.113 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 5997/806 44782/3012 14692/1274][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 152/173 607/714 179/224][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **][Risk Score: 60][Risk Info: SNI should always be present / No ALPN][nDPI Fingerprint: fec4fed0c770c8818d187ce500187667][TCP Fingerprint: 2_128_65535_6bb88f5575fd/Windows][TLSv1.2][JA4: t12i190600_d83cc789557e_2dae41c691ec][JA3S: fd4bc6cea4877646ccd62f0792ec0b62][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 16,16,0,16,0,0,0,0,0,0,16,0,0,0,0,0,0,16,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/false_positives2.pcapng.out b/tests/cfgs/default/result/false_positives2.pcapng.out index e0775a8c4..80601f2de 100644 --- a/tests/cfgs/default/result/false_positives2.pcapng.out +++ b/tests/cfgs/default/result/false_positives2.pcapng.out 
@@ -36,6 +36,6 @@ Unspecified 82 58035 3 Undetected flows: - 1 TCP 127.0.0.1:54900 <-> 127.0.0.1:1234 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 27][Breed: Unrated][23 pkts/4536 bytes <-> 25 pkts/36959 bytes][Goodput ratio: 65/95][140.47 sec][bytes ratio: -0.781 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 7803/22 139814/295 32017/65][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 197/1478 866/9429 234/2245][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][PLAIN TEXT (StFJbE.l)][Plen Bins: 0,0,0,13,4,0,13,0,0,0,8,0,0,4,0,0,0,0,4,0,0,0,0,0,8,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,34] + 1 TCP 127.0.0.1:54900 <-> 127.0.0.1:1234 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 27][Breed: Unrated][23 pkts/4536 bytes <-> 25 pkts/36959 bytes][Goodput ratio: 65/95][140.47 sec][bytes ratio: -0.781 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 7803/22 139814/295 32017/65][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 197/1478 866/9429 234/2245][Risk: ** (Possible) Slow DoS **][Risk Score: 100][Risk Info: Slow TCP 3WH (ACK): 140.1 sec][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][PLAIN TEXT (StFJbE.l)][Plen Bins: 0,0,0,13,4,0,13,0,0,0,8,0,0,4,0,0,0,0,4,0,0,0,0,0,8,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,34] 2 TCP 127.0.0.1:49996 <-> 127.0.0.1:1234 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 19][Breed: Unrated][10 pkts/2323 bytes <-> 9 pkts/7085 bytes][Goodput ratio: 70/91][0.11 sec][bytes ratio: -0.506 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 13/14 79/79 25/27][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 232/787 856/2116 289/942][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][Plen Bins: 0,0,11,22,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33] 3 TCP 
127.0.0.1:33550 <-> 127.0.0.1:1234 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 15][Breed: Unrated][8 pkts/1346 bytes <-> 7 pkts/5786 bytes][Goodput ratio: 59/92][2.18 sec][bytes ratio: -0.623 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 363/12 1127/43 497/18][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 168/827 862/2116 262/911][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,50] diff --git a/tests/cfgs/default/result/ftp.pcap.out b/tests/cfgs/default/result/ftp.pcap.out index 58b8ba0a5..012259bb3 100644 --- a/tests/cfgs/default/result/ftp.pcap.out +++ b/tests/cfgs/default/result/ftp.pcap.out 
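Review bot: The new NDPI_SLOW_DOS risk is now accepted as expected output for a loopback flow in a fixture named false_positives2 (`Slow TCP 3WH (ACK): 140.1 sec`, 127.0.0.1 to 127.0.0.1), and in the two gnutella hunks below it fires on peer connections whose SYN|ACK arrived after only 6.5 and 6.6 seconds; checking these in as expected results means the regression suite will guard the false positive rather than catch it. The handshake-delay threshold and the code that raises the risk are outside this chunk, so I cannot tell whether the limit is configurable or whether one slow handshake leg is sufficient on its own; a SYN-ACK delay of a few seconds may reflect ordinary latency or retransmission rather than a slow-DoS pattern. If the threshold is hard-coded, consider making it a configuration parameter and noting the value in the doc/flow_risks.rst entry for NDPI_SLOW_DOS, which currently gives no indication of what "slow" means.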
@@ -39,7 +39,8 @@ Unsafe 68 5571 1 Unspecified 132 118184 1 Download 77 7390 2 - 1 TCP 192.168.1.212:50694 <-> 90.130.70.73:21 [proto: 1/FTP_CONTROL][Stack: FTP_CONTROL][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 12][cat: Download/7][Breed: Unsafe][41 pkts/2892 bytes <-> 27 pkts/2679 bytes][Goodput ratio: 6/33][8.48 sec][User: anonymous][Pwd: NcFTP@][bytes ratio: 0.038 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 236/108 4743/1377 849/305][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 71/99 96/307 7/45][Risk: ** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 110][Risk Info: Found FTP username (anonymous)][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][PLAIN TEXT (vsFTPd 3.0.3)][Plen Bins: 74,18,5,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 TCP 192.168.1.212:50694 <-> 90.130.70.73:21 [proto: 1/FTP_CONTROL][Stack: FTP_CONTROL][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 12][cat: Download/7][Breed: Unsafe][41 pkts/2892 bytes <-> 27 pkts/2679 bytes][Goodput ratio: 6/33][8.48 sec][User: anonymous][Pwd: NcFTP@][bytes ratio: 0.038 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 236/108 4743/1377 849/305][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 71/99 96/307 7/45][Risk: ** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 110][Risk Info: Found FTP username (anonymous)|Found IRC username (anonymous +)|Found username (anonymous)|Found password][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][PLAIN TEXT (vsFTPd 3.0.3)][Plen Bins: 74,18,5,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 2 TCP 192.168.1.212:50695 <-> 90.130.70.73:25685 [proto: 175/FTP_DATA][Stack: FTP_DATA][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 4][cat: Download/7][Breed: Acceptable][5 pkts/342 bytes <-> 4 pkts/1477 bytes][Goodput ratio: 0/82][0.09 
sec][bytes ratio: -0.624 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/28 14/28 29/29 14/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/369 78/1271 5/521][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][PLAIN TEXT ( 1 0 0 1073741)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/ftp_failed.pcap.out b/tests/cfgs/default/result/ftp_failed.pcap.out index d6368ffc1..92b7dad66 100644 --- a/tests/cfgs/default/result/ftp_failed.pcap.out +++ b/tests/cfgs/default/result/ftp_failed.pcap.out 
@@ -33,4 +33,5 @@ Unsafe 18 1700 1 Download 18 1700 1 - 1 TCP [2a00:d40:1:3:192:12:193:11]:44724 <-> [2a00:800:1010::1]:21 [proto: 1/FTP_CONTROL][Stack: FTP_CONTROL][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Download/7][Breed: Unsafe][10 pkts/892 bytes <-> 8 pkts/808 bytes][Goodput ratio: 3/14][7.24 sec][User: hello][Pwd: ][Auth Failed][bytes ratio: 0.049 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 896/1442 5304/5318 1757/2052][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 89/101 98/126 4/15][Risk: ** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 110][Risk Info: Found FTP username (hello)][TCP Fingerprint: 2_64_28800_83b2f9a5576c/Unknown][PLAIN TEXT (vsFTPd 3.0.3)][Plen Bins: 71,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 TCP [2a00:d40:1:3:192:12:193:11]:44724 <-> [2a00:800:1010::1]:21 [proto: 1/FTP_CONTROL][Stack: FTP_CONTROL][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Download/7][Breed: Unsafe][10 pkts/892 bytes <-> 8 pkts/808 bytes][Goodput ratio: 3/14][7.24 sec][User: hello][Pwd: ][Auth Failed][bytes ratio: 0.049 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 896/1442 5304/5318 1757/2052][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 89/101 98/126 4/15][Risk: ** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 110][Risk Info: Found FTP username (hello)|Found IRC username (hello +)|Found username (hello)][TCP Fingerprint: 2_64_28800_83b2f9a5576c/Unknown][PLAIN TEXT (vsFTPd 3.0.3)][Plen Bins: 71,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out b/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out index e79b27b2f..ac8d9c9aa 100644 --- a/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out +++ b/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out 
@@ -89,7 +89,7 @@ System 109 10824 29 31 UDP 192.168.1.2:2742 -> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 4][cat: Network/14][Breed: Acceptable][4 pkts/344 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][9.01 sec][Hostname/SNI: _sip._udp.sip.cybercity.dk][0.0.0.0][DNS Id: 0xb3c0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 32 UDP 192.168.1.2:2750 -> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 4][cat: Network/14][Breed: Acceptable][4 pkts/344 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][9.01 sec][Hostname/SNI: _sip._udp.vo_s][0.0.0.0][DNS Id: 0x3fc8][Risk: ** Malformed Packet **** Non-Printable/Invalid Chars Detected **** Unidirectional Traffic **][Risk Score: 120][Risk Info: No server to client traffic / Invalid chars detected in domain name / Invalid DNS Header][PLAIN TEXT (brujula)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 33 UDP 192.168.1.2:2764 -> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 4][cat: Network/14][Breed: Acceptable][4 pkts/344 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][9.01 sec][Hostname/SNI: _sip._udp.s?p.cibercity.dk][0.0.0.0][DNS Id: 0xdffb][Risk: ** Malformed Packet **** Non-Printable/Invalid Chars Detected **** Unidirectional Traffic **][Risk Score: 120][Risk Info: No server to client traffic / Invalid chars detected in domain name / Invalid DNS Header][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 34 UDP 192.168.1.2:2772 -> 192.168.1.1:53 [proto: 
5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 4][cat: Network/14][Breed: Acceptable][4 pkts/344 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][9.01 sec][0.0.0.0][DNS Id: 0x9de1][Risk: ** Malformed Packet **** Non-Printable/Invalid Chars Detected **** Unidirectional Traffic **][Risk Score: 120][Risk Info: No server to client traffic / Invalid chars detected in domain name / Invalid DNS Query Lenght][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 34 UDP 192.168.1.2:2772 -> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 4][cat: Network/14][Breed: Acceptable][4 pkts/344 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][9.01 sec][0.0.0.0][DNS Id: 0x9de1][Risk: ** Malformed Packet **** Non-Printable/Invalid Chars Detected **** Unidirectional Traffic **][Risk Score: 120][Risk Info: No server to client traffic / Invalid chars detected in domain name / Invalid DNS Query Lenght|Invalid DNS Header][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 35 UDP 192.168.1.2:2774 -> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 4][cat: Network/14][Breed: Acceptable][4 pkts/344 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][9.01 sec][Hostname/SNI: _sip._udp.sip.cybercity.dk][0.0.0.0][DNS Id: 0xd2e2][Risk: ** Malformed Packet **** Non-Printable/Invalid Chars Detected **** Unidirectional Traffic **][Risk Score: 120][Risk Info: No server to client traffic / Invalid chars detected in domain name / Invalid DNS Query Lenght][PLAIN TEXT (sipicybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 36 UDP 192.168.1.2:2776 -> 192.168.1.1:53 [proto: 
5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 4][cat: Network/14][Breed: Acceptable][4 pkts/344 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][9.01 sec][Hostname/SNI: _sip._udp.sip.cybercity.dk][0.0.0.0][DNS Id: 0x2ee3][Risk: ** Malformed Packet **** Non-Printable/Invalid Chars Detected **** Unidirectional Traffic **][Risk Score: 120][Risk Info: No server to client traffic / Invalid chars detected in domain name / Invalid DNS Query Lenght][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 37 UDP 192.168.1.2:2787 -> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 4][cat: Network/14][Breed: Acceptable][4 pkts/344 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][8.01 sec][Hostname/SNI: _sip._udp.sip.cybercity.dk][0.0.0.0][DNS Id: 0x34e8][Risk: ** Non-Printable/Invalid Chars Detected **** Unidirectional Traffic **][Risk Score: 110][Risk Info: No server to client traffic / Invalid chars detected in domain name][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 
@@ -144,7 +144,7 @@ System 109 10824 29 86 UDP 192.168.1.2:2760 -> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][2 pkts/172 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][6.01 sec][Hostname/SNI: _sip._udp.sip.cybercity.dk][0.0.0.0][DNS Id: 0xb9f4][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 87 UDP 192.168.1.2:2766 -> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][2 pkts/172 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][2.00 sec][Hostname/SNI: _sip._udp.sip.cybe0city.dk][0.0.0.0][DNS Id: 0x7bfd][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 88 UDP 192.168.1.2:2768 -> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][2 pkts/172 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][9.01 sec][Hostname/SNI: _sip._udp.sip.cybercity.dk][0.0.0.0][DNS Id: 0xf2fe][Risk: ** Malformed Packet **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Invalid DNS Header][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 89 UDP 192.168.1.2:2770 -> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][2 pkts/172 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][4.01 
sec][0.0.0.0][DNS Id: 0xffff][Risk: ** Malformed Packet **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Invalid DNS Query Lenght][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 89 UDP 192.168.1.2:2770 -> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][2 pkts/172 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][4.01 sec][0.0.0.0][DNS Id: 0xffff][Risk: ** Malformed Packet **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Invalid DNS Query Lenght|Invalid DNS Header][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 90 UDP 192.168.1.2:2785 -> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][2 pkts/172 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][276.51 sec][Hostname/SNI: _sip._udp.sip.cybevcity.dk][0.0.0.0][DNS Id: 0x28e6][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 91 UDP 192.168.1.2:2808 -> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][2 pkts/172 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][2.00 sec][Hostname/SNI: _sip._udp.sip.cybercity.dk][0.0.0.0][DNS Id: 0xeb1e][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 92 
UDP 192.168.1.2:2814 -> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][2 pkts/172 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][9.01 sec][Hostname/SNI: _sib._udp.sip.cybercity.dk][0.0.0.0][DNS Id: 0x3f05][Risk: ** Malformed Packet **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Invalid DNS Query Lenght][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/gnutella.pcap.out b/tests/cfgs/default/result/gnutella.pcap.out index 1e9ce574a..aed1edfdb 100644 --- a/tests/cfgs/default/result/gnutella.pcap.out +++ b/tests/cfgs/default/result/gnutella.pcap.out 
@@ -116,7 +116,7 @@ JA Host Stats: 50 UDP 10.0.2.15:28681 <-> 188.165.203.190:21995 [proto: 35/Gnutella][Stack: Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 35/Gnutella, Confidence: DPI][DPI packets: 1][cat: Download/7][Breed: Potentially_Dangerous][4 pkts/414 bytes <-> 4 pkts/1836 bytes][Goodput ratio: 59/91][191.45 sec][bytes ratio: -0.632 (Download)][IAT c2s/s2c min/avg/max/stddev: 35550/35547 63808/63807 112098/112099 34311/34312][Pkt Len c2s/s2c min/avg/max/stddev: 70/149 104/459 123/769 22/310][Risk: ** Unsafe Protocol **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (u.GTKG)][Plen Bins: 12,12,25,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 51 UDP 10.0.2.15:28681 <-> 190.192.210.182:6754 [proto: 35/Gnutella][Stack: Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 35/Gnutella, Confidence: DPI][DPI packets: 1][cat: Download/7][Breed: Potentially_Dangerous][3 pkts/525 bytes <-> 3 pkts/1686 bytes][Goodput ratio: 76/92][8.37 sec][bytes ratio: -0.525 (Download)][IAT c2s/s2c min/avg/max/stddev: 2425/2441 4050/4054 5674/5668 1624/1613][Pkt Len c2s/s2c min/avg/max/stddev: 123/148 175/562 274/769 70/293][Risk: ** Unsafe Protocol **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (.LGTKG)][Plen Bins: 0,0,33,16,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 52 UDP 10.0.2.15:28681 <-> 63.228.175.169:1936 [proto: 35/Gnutella][Stack: Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 35/Gnutella, Confidence: DPI][DPI packets: 1][cat: Download/7][Breed: Potentially_Dangerous][3 pkts/520 bytes <-> 3 pkts/1686 bytes][Goodput ratio: 76/92][37.66 sec][bytes ratio: -0.529 (Download)][IAT c2s/s2c min/avg/max/stddev: 8739/8738 18728/18726 28718/28714 9990/9988][Pkt Len c2s/s2c min/avg/max/stddev: 123/148 173/562 274/769 71/293][Risk: ** Unsafe Protocol **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT 
(u.GTKG)][Plen Bins: 0,0,33,16,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 53 TCP 10.0.2.15:50198 <-> 86.129.196.84:9915 [proto: 35/Gnutella][Stack: Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][Breed: Potentially_Dangerous][7 pkts/1013 bytes <-> 5 pkts/772 bytes][Goodput ratio: 59/64][15.56 sec][bytes ratio: 0.135 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 3112/22 6485/43 2789/21][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 145/154 653/552 208/199][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Risk: ** Unsafe Protocol **][Risk Score: 10][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][PLAIN TEXT (GNUTELLA CONNECT/0.6)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 53 TCP 10.0.2.15:50198 <-> 86.129.196.84:9915 [proto: 35/Gnutella][Stack: Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][Breed: Potentially_Dangerous][7 pkts/1013 bytes <-> 5 pkts/772 bytes][Goodput ratio: 59/64][15.56 sec][bytes ratio: 0.135 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 3112/22 6485/43 2789/21][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 145/154 653/552 208/199][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Risk: ** Unsafe Protocol **** (Possible) Slow DoS **][Risk Score: 110][Risk Info: Slow TCP 3WH (SYN|ACK): 6.5 sec][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][PLAIN TEXT (GNUTELLA CONNECT/0.6)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 54 UDP 10.0.2.15:28681 <-> 73.250.179.237:20848 [proto: 35/Gnutella][Stack: Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 35/Gnutella, Confidence: DPI][DPI packets: 1][cat: Download/7][Breed: Potentially_Dangerous][2 pkts/246 bytes <-> 2 pkts/1538 bytes][Goodput ratio: 
66/94][43.97 sec][Risk: ** Unsafe Protocol **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (u.GTKG)][Plen Bins: 0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 55 UDP 10.0.2.15:28681 <-> 92.217.84.16:20223 [proto: 35/Gnutella][Stack: Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 35/Gnutella, Confidence: DPI][DPI packets: 1][cat: Download/7][Breed: Potentially_Dangerous][2 pkts/246 bytes <-> 2 pkts/1538 bytes][Goodput ratio: 66/94][44.00 sec][Risk: ** Unsafe Protocol **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (u.GTKG)][Plen Bins: 0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 56 UDP 10.0.2.15:28681 <-> 173.183.183.110:59920 [proto: 35/Gnutella][Stack: Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 35/Gnutella, Confidence: DPI][DPI packets: 1][cat: Download/7][Breed: Potentially_Dangerous][2 pkts/246 bytes <-> 2 pkts/1538 bytes][Goodput ratio: 66/94][44.11 sec][Risk: ** Unsafe Protocol **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (u.GTKG)][Plen Bins: 0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 
@@ -161,7 +161,7 @@ JA Host Stats: 95 UDP 10.0.2.15:28681 <-> 213.229.111.224:4876 [proto: 35/Gnutella][Stack: Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 35/Gnutella, Confidence: DPI][DPI packets: 1][cat: Download/7][Breed: Potentially_Dangerous][6 pkts/555 bytes <-> 3 pkts/612 bytes][Goodput ratio: 54/79][388.82 sec][bytes ratio: -0.049 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 487/2153 77092/101426 199495/200699 72356/99273][Pkt Len c2s/s2c min/avg/max/stddev: 70/130 92/204 123/320 24/83][Risk: ** Unsafe Protocol **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (CEGTKGb)][Plen Bins: 33,11,33,11,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 96 TCP 10.0.2.15:50199 <-> 47.147.52.21:36728 [proto: 35/Gnutella][Stack: Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 4][cat: Download/7][Breed: Potentially_Dangerous][5 pkts/880 bytes <-> 4 pkts/220 bytes][Goodput ratio: 68/0][0.44 sec][bytes ratio: 0.600 (Upload)][IAT c2s/s2c min/avg/max/stddev: 27/27 111/36 232/44 82/8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 176/55 652/58 238/2][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Risk: ** Unsafe Protocol **][Risk Score: 10][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][PLAIN TEXT (GNUTELLA CONNECT/0.6)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 97 UDP 10.0.2.15:28681 <-> 14.200.255.229:37058 [proto: 35/Gnutella][Stack: Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 35/Gnutella, Confidence: DPI][DPI packets: 1][cat: Download/7][Breed: Potentially_Dangerous][6 pkts/451 bytes <-> 6 pkts/641 bytes][Goodput ratio: 44/61][433.20 sec][bytes ratio: -0.174 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 6450/6454 93822/93822 203345/203341 72163/72161][Pkt Len c2s/s2c min/avg/max/stddev: 70/88 75/107 98/120 10/14][Risk: ** Unsafe Protocol **][Risk Score: 
10][Risk Info: No server to client traffic][PLAIN TEXT (LOCCen)][Plen Bins: 41,33,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 98 TCP 10.0.2.15:50291 <-> 200.7.155.210:28365 [proto: 35/Gnutella][Stack: Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][Breed: Potentially_Dangerous][5 pkts/905 bytes <-> 3 pkts/166 bytes][Goodput ratio: 66/0][24.54 sec][bytes ratio: 0.690 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/2 3913/2 6610/2 2636/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 181/55 653/58 236/2][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Risk: ** Unsafe Protocol **][Risk Score: 10][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][PLAIN TEXT (GNUTELLA CONNECT/0.6)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 98 TCP 10.0.2.15:50291 <-> 200.7.155.210:28365 [proto: 35/Gnutella][Stack: Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][Breed: Potentially_Dangerous][5 pkts/905 bytes <-> 3 pkts/166 bytes][Goodput ratio: 66/0][24.54 sec][bytes ratio: 0.690 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/2 3913/2 6610/2 2636/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 181/55 653/58 236/2][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Risk: ** Unsafe Protocol **** (Possible) Slow DoS **][Risk Score: 110][Risk Info: Slow TCP 3WH (SYN|ACK): 6.6 sec][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][PLAIN TEXT (GNUTELLA CONNECT/0.6)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 99 UDP [fe80::c50d:519f:96a4:e108]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][Stack: DHCPV6][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 103/DHCPV6, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][7 pkts/1071 bytes 
-> 0 pkts/0 bytes][Goodput ratio: 59/0][63.04 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 993/0 10506/0 32011/0 10831/0][Pkt Len c2s/s2c min/avg/max/stddev: 153/0 153/0 153/0 0/0][PLAIN TEXT (MSEDGEWIN)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 100 UDP 10.0.2.15:28681 <-> 149.28.163.175:49956 [proto: 35/Gnutella][Stack: Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 35/Gnutella, Confidence: DPI][DPI packets: 1][cat: Download/7][Breed: Potentially_Dangerous][2 pkts/198 bytes <-> 1 pkts/769 bytes][Goodput ratio: 57/94][113.17 sec][Risk: ** Unsafe Protocol **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (.LGTKG)][Plen Bins: 33,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 101 UDP 10.0.2.15:28681 <-> 38.142.119.234:49732 [proto: 35/Gnutella][Stack: Gnutella][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 35/Gnutella, Confidence: DPI][DPI packets: 1][cat: Download/7][Breed: Potentially_Dangerous][2 pkts/193 bytes <-> 1 pkts/769 bytes][Goodput ratio: 56/94][163.26 sec][Risk: ** Unsafe Protocol **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (u.GTKG)][Plen Bins: 33,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 
@@ -741,11 +741,11 @@ JA Host Stats: Undetected flows: - 1 TCP 10.0.2.15:50245 <-> 73.62.225.181:46843 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 11][Breed: Unrated][3 pkts/198 bytes <-> 8 pkts/460 bytes][Goodput ratio: 0/0][122.56 sec][bytes ratio: -0.398 (Download)][IAT c2s/s2c min/avg/max/stddev: 3014/0 4514/0 6013/0 1499/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 66/58 66/58 0/1][Risk: ** TCP Connection Issues **** Probing Attempt **][Risk Score: 100][Risk Info: TCP probing attempt / Connection refused (server)][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 TCP 10.0.2.15:50190 <-> 80.140.63.147:29545 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][Breed: Unrated][1 pkts/66 bytes <-> 8 pkts/460 bytes][Goodput ratio: 0/0][87.66 sec][bytes ratio: -0.749 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 66/58 66/58 0/1][Risk: ** TCP Connection Issues **** Probing Attempt **][Risk Score: 100][Risk Info: TCP probing attempt / Connection refused (server)][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 3 TCP 10.0.2.15:50191 <-> 207.38.163.228:6778 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][Breed: Unrated][1 pkts/66 bytes <-> 8 pkts/460 bytes][Goodput ratio: 0/0][87.66 sec][bytes ratio: -0.749 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 66/58 66/58 0/1][Risk: ** TCP Connection Issues **** Probing Attempt **][Risk Score: 100][Risk Info: TCP probing attempt / Connection 
refused (server)][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 4 TCP 10.0.2.15:50192 <-> 45.65.87.24:16201 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][Breed: Unrated][1 pkts/66 bytes <-> 8 pkts/460 bytes][Goodput ratio: 0/0][87.66 sec][bytes ratio: -0.749 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 66/58 66/58 0/1][Risk: ** TCP Connection Issues **** Probing Attempt **][Risk Score: 100][Risk Info: TCP probing attempt / Connection refused (server)][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 5 TCP 10.0.2.15:50193 <-> 89.75.52.19:46010 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][Breed: Unrated][1 pkts/66 bytes <-> 8 pkts/460 bytes][Goodput ratio: 0/0][87.66 sec][bytes ratio: -0.749 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 66/58 66/58 0/1][Risk: ** TCP Connection Issues **** Probing Attempt **][Risk Score: 100][Risk Info: TCP probing attempt / Connection refused (server)][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 TCP 10.0.2.15:50245 <-> 73.62.225.181:46843 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 11][Breed: Unrated][3 pkts/198 bytes <-> 8 pkts/460 bytes][Goodput ratio: 0/0][122.56 sec][bytes ratio: -0.398 (Download)][IAT c2s/s2c min/avg/max/stddev: 3014/0 4514/0 6013/0 1499/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 66/58 66/58 
0/1][Risk: ** TCP Connection Issues **** Probing Attempt **** (Possible) Slow DoS **][Risk Score: 200][Risk Info: Slow TCP 3WH (SYN|ACK): 102.2 sec|Slow TCP 3WH (ACK): 11.3 sec / TCP probing attempt / Connection refused (server)][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 TCP 10.0.2.15:50190 <-> 80.140.63.147:29545 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][Breed: Unrated][1 pkts/66 bytes <-> 8 pkts/460 bytes][Goodput ratio: 0/0][87.66 sec][bytes ratio: -0.749 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 66/58 66/58 0/1][Risk: ** TCP Connection Issues **** Probing Attempt **** (Possible) Slow DoS **][Risk Score: 200][Risk Info: Slow TCP 3WH (SYN|ACK): 76.7 sec|Slow TCP 3WH (ACK): 11.0 sec / TCP probing attempt / Connection refused (server)][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 TCP 10.0.2.15:50191 <-> 207.38.163.228:6778 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][Breed: Unrated][1 pkts/66 bytes <-> 8 pkts/460 bytes][Goodput ratio: 0/0][87.66 sec][bytes ratio: -0.749 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 66/58 66/58 0/1][Risk: ** TCP Connection Issues **** Probing Attempt **** (Possible) Slow DoS **][Risk Score: 200][Risk Info: Slow TCP 3WH (SYN|ACK): 76.7 sec|Slow TCP 3WH (ACK): 11.0 sec / TCP probing attempt / Connection refused (server)][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 TCP 10.0.2.15:50192 <-> 
45.65.87.24:16201 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][Breed: Unrated][1 pkts/66 bytes <-> 8 pkts/460 bytes][Goodput ratio: 0/0][87.66 sec][bytes ratio: -0.749 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 66/58 66/58 0/1][Risk: ** TCP Connection Issues **** Probing Attempt **** (Possible) Slow DoS **][Risk Score: 200][Risk Info: Slow TCP 3WH (SYN|ACK): 76.7 sec|Slow TCP 3WH (ACK): 11.0 sec / TCP probing attempt / Connection refused (server)][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 TCP 10.0.2.15:50193 <-> 89.75.52.19:46010 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][Breed: Unrated][1 pkts/66 bytes <-> 8 pkts/460 bytes][Goodput ratio: 0/0][87.66 sec][bytes ratio: -0.749 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 66/58 66/58 0/1][Risk: ** TCP Connection Issues **** Probing Attempt **** (Possible) Slow DoS **][Risk Score: 200][Risk Info: Slow TCP 3WH (SYN|ACK): 76.7 sec|Slow TCP 3WH (ACK): 11.0 sec / TCP probing attempt / Connection refused (server)][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 6 TCP 10.0.2.15:50202 <-> 61.238.173.128:57648 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][Breed: Unrated][3 pkts/198 bytes <-> 3 pkts/162 bytes][Goodput ratio: 0/0][1.55 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 686/0 686/0 686/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 66/54 66/54 0/0][TCP Fingerprint: 
2_128_64240_6bb88f5575fd/Windows][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 7 TCP 10.0.2.15:50220 <-> 36.233.196.226:3820 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][Breed: Unrated][3 pkts/198 bytes <-> 3 pkts/162 bytes][Goodput ratio: 0/0][2.38 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 953/0 1015/0 1077/0 62/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 66/54 66/54 0/0][Risk: ** TCP Connection Issues **** Probing Attempt **][Risk Score: 100][Risk Info: TCP probing attempt / Connection refused (server)][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 8 TCP 10.0.2.15:50222 <-> 119.14.143.237:6523 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][Breed: Unrated][3 pkts/198 bytes <-> 3 pkts/162 bytes][Goodput ratio: 0/0][2.12 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 875/0 881/0 887/0 6/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 66/54 66/54 0/0][Risk: ** TCP Connection Issues **** Probing Attempt **][Risk Score: 100][Risk Info: TCP probing attempt / Connection refused (server)][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/heuristic_tcp_ack_payload.pcap.out b/tests/cfgs/default/result/heuristic_tcp_ack_payload.pcap.out index d413ace9d..19e81bd27 100644 --- a/tests/cfgs/default/result/heuristic_tcp_ack_payload.pcap.out +++ b/tests/cfgs/default/result/heuristic_tcp_ack_payload.pcap.out 
@@ -51,6 +51,6 @@ JA Host Stats: 1 TCP 194.226.199.61:27453 <-> 35.241.9.150:443 [proto: 91.125/TLS.Mozilla][Stack: TLS.Mozilla][IP: 284/GoogleCloud][Encrypted][Confidence: DPI][FPC: 284/GoogleCloud, Confidence: IP address][DPI packets: 8][cat: Web/5][Breed: Acceptable][36 pkts/3477 bytes <-> 42 pkts/37330 bytes][Goodput ratio: 44/94][171.42 sec][Hostname/SNI: firefox.settings.services.mozilla.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.830 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4196/3653 58250/58245 14929/14067][Pkt Len c2s/s2c min/avg/max/stddev: 56/60 97/889 375/2878 73/1070][nDPI Fingerprint: 928424e934f386bb86d141f25fe4abbf][TCP Fingerprint: 2_128_8192_6bb88f5575fd/Unknown][TLSv1.2][JA4: t12d1410h2_c866b44c5a26_b5b8faed2b99][ServerNames: firefox.settings.services.mozilla.com,main-2-cdn.prod.kinto.prod.cloudops.mozgcp.net][JA3S: 9d9ce860f1b1cbef07b019450cb368d8][Issuer: C=US, O=Let's Encrypt, CN=R3][Subject: CN=main-2-cdn.prod.kinto.prod.cloudops.mozgcp.net][Certificate SHA-1: 30:0D:22:77:6E:DA:4E:99:3E:AF:8A:D0:5C:7D:97:51:8B:E6:22:11][Firefox][Validity: 2023-04-04 08:33:24 - 2023-07-03 08:33:23][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 49,16,2,0,3,3,1,0,1,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,11] 2 TCP 194.226.199.61:6946 <-> 2.22.40.186:443 [proto: 91.183/TLS.Pinterest][Stack: TLS.Pinterest][IP: 467/Akamai][Encrypted][Confidence: DPI][FPC: 467/Akamai, Confidence: IP address][DPI packets: 10][cat: SocialNetwork/6][Breed: Fun][41 pkts/7780 bytes <-> 47 pkts/26668 bytes][Goodput ratio: 70/90][18.13 sec][Hostname/SNI: ru.pinterest.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2][bytes ratio: -0.548 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 404/181 3512/2129 852/406][Pkt Len c2s/s2c min/avg/max/stddev: 56/60 190/567 1514/2974 287/678][nDPI Fingerprint: aba5d0a8f961a4ec8f557e80f37f969f][TCP Fingerprint: 
2_128_64240_6bb88f5575fd/Windows][TLSv1.3][JA4: t13d1516h2_8daaf6152771_9b887d9acb53][JA3S: 15af977ce25de452b96affa2addb1036][Chrome][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 50,9,1,5,0,0,0,0,2,0,0,0,0,1,0,0,1,1,0,4,0,0,0,0,1,1,2,0,0,0,0,4,1,0,0,0,1,0,0,0,0,0,0,0,0,12,0,1] 3 TCP 194.226.199.21:58155 <-> 52.18.127.189:443 [proto: 91/TLS][Stack: TLS][IP: 461/AWS_EC2][Encrypted][Confidence: DPI][FPC: 461/AWS_EC2, Confidence: IP address][DPI packets: 13][cat: Web/5][Breed: Safe][28 pkts/6789 bytes <-> 35 pkts/8995 bytes][Goodput ratio: 78/79][130.64 sec][Hostname/SNI: bitrix.info][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2][bytes ratio: -0.140 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 5498/4834 45102/45058 12717/11564][Pkt Len c2s/s2c min/avg/max/stddev: 56/60 242/257 1547/2974 352/535][nDPI Fingerprint: ac1867928681fc04fd12abce7c094c79][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][TLSv1.2][JA4: t13d1516h2_8daaf6152771_e5627efa2ab1][JA3S: bfc90d56141386ee83b56cda231cccfc][Chrome][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 46,22,6,6,0,0,0,0,0,0,1,0,6,0,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1] - 4 TCP 194.226.199.103:62580 <-> 217.69.139.59:443 [proto: 91/TLS][Stack: TLS][IP: 22/VK][Encrypted][Confidence: DPI][FPC: 22/VK, Confidence: IP address][DPI packets: 15][cat: Web/5][Breed: Safe][22 pkts/2692 bytes <-> 16 pkts/10450 bytes][Goodput ratio: 55/92][7.28 sec][Hostname/SNI: portal.mail.ru][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.590 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 100/27 1559/213 357/70][Pkt Len c2s/s2c min/avg/max/stddev: 56/60 122/653 623/2897 162/957][nDPI Fingerprint: 39a72d7829fd33f03e867c5ab1f708a7][TCP Fingerprint: 2_128_8192_6bb88f5575fd/Unknown][TLSv1.2][JA4: t13d1714h2_5b57614c22b0_37205ffde759][ServerNames: *.mail.ru,mail.ru][JA3S: 
2b33c1374db4ddf06942f92373c0b54b][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018][Subject: C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.mail.ru][Certificate SHA-1: 9F:A2:43:EA:AA:62:15:13:44:0D:15:75:17:47:4C:6B:E5:8E:10:1E][Firefox][Validity: 2022-10-20 09:52:31 - 2023-11-21 09:52:30][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 68,0,0,5,0,0,0,0,11,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,5] + 4 TCP 194.226.199.103:62580 <-> 217.69.139.59:443 [proto: 91/TLS][Stack: TLS][IP: 22/VK][Encrypted][Confidence: DPI][FPC: 22/VK, Confidence: IP address][DPI packets: 15][cat: Web/5][Breed: Safe][22 pkts/2692 bytes <-> 16 pkts/10450 bytes][Goodput ratio: 55/92][7.28 sec][Hostname/SNI: portal.mail.ru][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.590 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 100/27 1559/213 357/70][Pkt Len c2s/s2c min/avg/max/stddev: 56/60 122/653 623/2897 162/957][Risk: ** (Possible) Slow DoS **][Risk Score: 100][Risk Info: Slow TCP 3WH (SYN|ACK): 1.6 sec][nDPI Fingerprint: 39a72d7829fd33f03e867c5ab1f708a7][TCP Fingerprint: 2_128_8192_6bb88f5575fd/Unknown][TLSv1.2][JA4: t13d1714h2_5b57614c22b0_37205ffde759][ServerNames: *.mail.ru,mail.ru][JA3S: 2b33c1374db4ddf06942f92373c0b54b][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018][Subject: C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.mail.ru][Certificate SHA-1: 9F:A2:43:EA:AA:62:15:13:44:0D:15:75:17:47:4C:6B:E5:8E:10:1E][Firefox][Validity: 2022-10-20 09:52:31 - 2023-11-21 09:52:30][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 68,0,0,5,0,0,0,0,11,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,5] 5 TCP 194.226.199.9:49756 <-> 92.223.106.21:443 [proto: 91/TLS][Stack: TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][Breed: Safe][9 pkts/1140 bytes <-> 8 
pkts/5344 bytes][Goodput ratio: 54/91][0.28 sec][Hostname/SNI: moevideo.biz][(Advertised) ALPNs: http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1;SSLv3][bytes ratio: -0.648 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 20/6 44/20 18/8][Pkt Len c2s/s2c min/avg/max/stddev: 56/60 127/668 571/2690 159/894][nDPI Fingerprint: 8523452234b2178807578cbfc1da1749][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][TLSv1.2][JA4: t13d1613h1_1711a4c0508c_65df7edfe3b3][ServerNames: *.moevideo.biz,moevideo.biz][JA3S: d154fcfa5bb4f0748e1dd1992c681104][Issuer: C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G4][Subject: CN=*.moevideo.biz][Certificate SHA-1: FF:0C:ED:41:2C:7C:DA:BA:89:FE:7E:09:4A:2B:62:26:A0:20:AC:53][Safari][Validity: 2023-04-04 15:59:15 - 2024-05-05 15:59:14][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 51,0,8,0,0,0,0,0,8,0,0,0,0,0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,8] 6 TCP 194.226.199.226:34101 <-> 8.247.226.126:80 [proto: 7.147/HTTP.WindowsUpdate][Stack: HTTP.WindowsUpdate][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 12][cat: SoftwareUpdate/19][Breed: Safe][7 pkts/896 bytes <-> 12 pkts/1742 bytes][Goodput ratio: 56/62][0.04 sec][Hostname/SNI: 3.tlu.dl.delivery.mp.microsoft.com][bytes ratio: -0.321 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 7/1 12/11 6/3][Pkt Len c2s/s2c min/avg/max/stddev: 56/60 128/145 550/1076 172/281][URL: 3.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b4f27514-1618-47a0-bcd4-5fcb469edb63?P1=1681888058&P2=404&P3=2&P4=VJ2Qv%2bUXzBGOULZmyshxlc8XXx4pLl7hoFcLgf1iS33rDGfm0tCVrTPvZN8tn8yWBSrA0idwdtOBFLQMjZCUkw%3d%3d][Nat-IP: 10.13.38.160][User-Agent: Microsoft-Delivery-Optimization/10.0][TCP Fingerprint: 2_64_64240_565ad129ac37/Unknown][PLAIN TEXT (GET /filestreamingservice/files)][Plen Bins: 89,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 
diff --git a/tests/cfgs/default/result/http-basic-auth.pcap.out b/tests/cfgs/default/result/http-basic-auth.pcap.out index 8d8e3346b..5693691b1 100644 --- a/tests/cfgs/default/result/http-basic-auth.pcap.out +++ b/tests/cfgs/default/result/http-basic-auth.pcap.out 
@@ -37,11 +37,11 @@ Acceptable 688 353898 25 Web 688 353898 25 1 TCP 192.168.0.4:54340 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][58 pkts/9591 bytes <-> 74 pkts/74782 bytes][Goodput ratio: 60/93][20.90 sec][Username: test][Password: test][Hostname/SNI: browserspy.dk][bytes ratio: -0.773 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 397/166 4647/4811 1045/722][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 165/1011 805/1514 248/628][URL: browserspy.dk/theme/default.css][StatusCode: 304][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **][Risk Score: 100][Risk Info: Found credentials in HTTP Auth Line][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][PLAIN TEXT (GET /theme/default.css HTTP/1.1)][Plen Bins: 0,0,5,0,4,0,4,2,2,2,0,1,0,0,0,0,0,2,1,0,0,0,8,2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,63,0,0] - 2 TCP 192.168.0.4:54338 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Web/5][Breed: Acceptable][31 pkts/4999 bytes <-> 40 pkts/37974 bytes][Goodput ratio: 59/93][17.45 sec][Username: test][Password: fail3][Hostname/SNI: browserspy.dk][bytes ratio: -0.767 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 716/350 5396/5591 1514/1171][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 161/949 805/1514 246/645][URL: browserspy.dk/password-ok.php][StatusCode: 401][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **** Error Code **][Risk Score: 110][Risk Info: HTTP Error Code 401 / Found credentials in HTTP Auth Line][TCP Fingerprint: 
2_64_65535_09b18f059744/macOS][PLAIN TEXT (GET /password)][Plen Bins: 0,0,5,0,5,0,5,0,2,2,0,0,0,0,0,2,0,0,0,2,0,0,5,5,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,62,0,0] + 2 TCP 192.168.0.4:54338 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Web/5][Breed: Acceptable][31 pkts/4999 bytes <-> 40 pkts/37974 bytes][Goodput ratio: 59/93][17.45 sec][Username: test][Password: fail3][Hostname/SNI: browserspy.dk][bytes ratio: -0.767 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 716/350 5396/5591 1514/1171][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 161/949 805/1514 246/645][URL: browserspy.dk/password-ok.php][StatusCode: 401][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **** Error Code **** (Possible) Slow DoS **][Risk Score: 210][Risk Info: Slow HTTP Req. 
(Slowloris): 6.9 sec / HTTP Error Code 401 / Found credentials in HTTP Auth Line][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][PLAIN TEXT (GET /password)][Plen Bins: 0,0,5,0,5,0,5,0,2,2,0,0,0,0,0,2,0,0,0,2,0,0,5,5,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,62,0,0] 3 TCP 192.168.0.4:54584 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][27 pkts/3947 bytes <-> 36 pkts/37139 bytes][Goodput ratio: 55/94][15.57 sec][Username: test][Password: test][Hostname/SNI: browserspy.dk][bytes ratio: -0.808 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 502/211 4249/2440 1050/592][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 146/1032 797/1514 225/628][URL: browserspy.dk/pics/logo.png][StatusCode: 304][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **][Risk Score: 100][Risk Info: Found credentials in HTTP Auth Line][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][PLAIN TEXT (GET /pics/logo.png HTTP/1.1)][Plen Bins: 0,0,6,0,3,0,3,0,3,0,0,0,0,0,0,0,0,3,0,0,0,0,12,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0] 4 TCP 192.168.0.4:54505 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][27 pkts/3165 bytes <-> 36 pkts/37069 bytes][Goodput ratio: 43/94][10.97 sec][Username: test][Password: test][Hostname/SNI: browserspy.dk][bytes ratio: -0.843 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 298/138 2784/2976 683/551][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 117/1030 775/1514 180/625][URL: browserspy.dk/password.php][StatusCode: 200][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 
Safari/537.36][Risk: ** Clear-Text Credentials **][Risk Score: 100][Risk Info: Found credentials in HTTP Auth Line][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][PLAIN TEXT (GET /password.php HTTP/1.1)][Plen Bins: 0,0,6,0,0,0,6,3,3,3,0,0,0,0,0,0,0,3,0,0,3,0,3,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0] - 5 TCP 192.168.0.4:54506 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Web/5][Breed: Acceptable][16 pkts/1711 bytes <-> 20 pkts/21882 bytes][Goodput ratio: 38/94][18.69 sec][Hostname/SNI: browserspy.dk][bytes ratio: -0.855 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/2 1542/885 9336/9536 2720/2475][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 107/1094 709/1514 155/644][URL: browserspy.dk/?_=1381844104551][StatusCode: 200][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][PLAIN TEXT (yGET /)][Plen Bins: 0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,87,0,0] - 6 TCP 192.168.0.4:54318 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Web/5][Breed: Acceptable][15 pkts/1737 bytes <-> 20 pkts/19002 bytes][Goodput ratio: 42/93][15.29 sec][Username: test][Password: fail][Hostname/SNI: browserspy.dk][bytes ratio: -0.832 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1372/588 7743/7938 2428/1969][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 116/950 801/1514 183/656][URL: browserspy.dk/password-ok.php][StatusCode: 401][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **** Error Code **][Risk Score: 
110][Risk Info: HTTP Error Code 401 / Found credentials in HTTP Auth Line][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][PLAIN TEXT (GET /password)][Plen Bins: 0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,0,0] + 5 TCP 192.168.0.4:54506 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Web/5][Breed: Acceptable][16 pkts/1711 bytes <-> 20 pkts/21882 bytes][Goodput ratio: 38/94][18.69 sec][Hostname/SNI: browserspy.dk][bytes ratio: -0.855 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/2 1542/885 9336/9536 2720/2475][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 107/1094 709/1514 155/644][URL: browserspy.dk/?_=1381844104551][StatusCode: 200][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** (Possible) Slow DoS **][Risk Score: 100][Risk Info: Slow HTTP Req. 
(Slowloris): 11.0 sec][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][PLAIN TEXT (yGET /)][Plen Bins: 0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,87,0,0] + 6 TCP 192.168.0.4:54318 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Web/5][Breed: Acceptable][15 pkts/1737 bytes <-> 20 pkts/19002 bytes][Goodput ratio: 42/93][15.29 sec][Username: test][Password: fail][Hostname/SNI: browserspy.dk][bytes ratio: -0.832 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1372/588 7743/7938 2428/1969][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 116/950 801/1514 183/656][URL: browserspy.dk/password-ok.php][StatusCode: 401][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **** Error Code **** (Possible) Slow DoS **][Risk Score: 210][Risk Info: Slow HTTP Req. 
(Slowloris): 9.5 sec|Slow TCP 3WH (SYN|ACK): 1.6 sec / HTTP Error Code 401 / Found credentials in HTTP Auth Li][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][PLAIN TEXT (GET /password)][Plen Bins: 0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,0,0] 7 TCP 192.168.0.4:54337 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][14 pkts/1675 bytes <-> 19 pkts/18899 bytes][Goodput ratio: 44/93][7.10 sec][Username: test][Password: fail2][Hostname/SNI: browserspy.dk][bytes ratio: -0.837 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 204/31 1269/206 376/69][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 120/995 805/1514 190/642][URL: browserspy.dk/password-ok.php][StatusCode: 401][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **** Error Code **][Risk Score: 110][Risk Info: HTTP Error Code 401 / Found credentials in HTTP Auth Line][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][PLAIN TEXT (GET /password)][Plen Bins: 0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,6,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,0,0] 8 TCP 192.168.0.4:54317 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][14 pkts/1636 bytes <-> 19 pkts/18925 bytes][Goodput ratio: 43/93][9.56 sec][Hostname/SNI: browserspy.dk][bytes ratio: -0.841 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 454/33 3673/227 1082/74][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 117/996 766/1514 180/642][URL: browserspy.dk/password-ok.php][StatusCode: 401][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Error Code **][Risk Score: 10][Risk Info: HTTP Error Code 401][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][PLAIN TEXT (GET /password)][Plen Bins: 0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,6,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,0,0] 9 TCP 192.168.0.4:54487 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][15 pkts/1711 bytes <-> 19 pkts/18579 bytes][Goodput ratio: 41/93][11.68 sec][Username: test][Password: test][Hostname/SNI: browserspy.dk][bytes ratio: -0.831 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 605/442 5841/6025 1661/1494][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 114/978 775/1514 177/643][URL: browserspy.dk/password.php][StatusCode: 200][Content-Type: text/html][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **][Risk Score: 100][Risk Info: Found credentials in HTTP Auth Line][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][PLAIN TEXT (GET /password.php HTTP/1.1)][Plen Bins: 0,0,6,0,0,0,0,0,0,0,6,0,0,6,0,0,0,6,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,0,0] 
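Review bot: The new expected output for flow 6 bakes in a truncated Risk Info string — it now ends in `Found credentials in HTTP Auth Li` where the old side had `Found credentials in HTTP Auth Line` — which indicates that prepending `Slow HTTP Req. (Slowloris): 9.5 sec|Slow TCP 3WH (SYN|ACK): 1.6 sec` pushes the concatenated risk text past a fixed-size buffer and silently clips the last entry. Committing this as the reference result locks the truncation in as "correct", so the producer (presumably the risk-info concatenation in the library or the reader, outside this diff) should be fixed first — either by enlarging the buffer or by dropping a whole entry rather than cutting one mid-word — and this result file regenerated afterwards. As a secondary point, the two Slow DoS sub-entries are joined with `|` while every other risk entry in these lines is separated by ` / `, which makes the field inconsistent to parse; consider using the same ` / ` separator.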
@@ -54,10 +54,10 @@ Web 688 353898 25 16 TCP 192.168.0.4:54583 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][6 pkts/1121 bytes <-> 5 pkts/475 bytes][Goodput ratio: 64/29][15.57 sec][Username: test][Password: test][Hostname/SNI: browserspy.dk][bytes ratio: 0.405 (Upload)][IAT c2s/s2c min/avg/max/stddev: 191/2 3074/332 9499/662 3700/330][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 187/95 779/203 265/54][URL: browserspy.dk/js/jquery.js][StatusCode: 304][Server: Apache][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-Text Credentials **][Risk Score: 100][Risk Info: Found credentials in HTTP Auth Line][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][PLAIN TEXT (GET /js/j)][Plen Bins: 0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 17 TCP 192.168.0.4:54319 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][Breed: Acceptable][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][12.83 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 245/1181 3160/1181 10225/1181 4094/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 18 TCP 192.168.0.4:54320 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][Breed: Acceptable][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][12.84 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 246/1178 3161/1178 10229/1178 
4096/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 19 TCP 192.168.0.4:54321 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][Breed: Acceptable][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][12.84 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 246/940 3160/940 10267/940 4123/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 20 TCP 192.168.0.4:54322 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][Breed: Acceptable][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][12.84 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 248/760 3160/760 10249/760 4122/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 19 TCP 192.168.0.4:54321 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][Breed: Acceptable][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][12.84 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 246/940 3160/940 10267/940 4123/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][Risk: ** (Possible) Slow DoS **][Risk Score: 100][Risk Info: Slow TCP 3WH (SYN|ACK): 1.6 sec][TCP Fingerprint: 
2_64_65535_09b18f059744/macOS][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 20 TCP 192.168.0.4:54322 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][Breed: Acceptable][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][12.84 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 248/760 3160/760 10249/760 4122/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][Risk: ** (Possible) Slow DoS **][Risk Score: 100][Risk Info: Slow TCP 3WH (SYN|ACK): 1.8 sec|Slow TCP 3WH (ACK): 1.6 sec][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 21 TCP 192.168.0.4:54354 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][Breed: Acceptable][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][14.68 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 202/3082 3577/3082 10249/3082 3955/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 22 TCP 192.168.0.4:54507 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][Breed: Acceptable][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][14.09 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 204/2408 3474/2408 10240/2408 3970/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][Plen Bins: 
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 23 TCP 192.168.0.4:54508 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][Breed: Acceptable][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][14.09 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 204/2410 3475/2410 10240/2410 3970/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 24 TCP 192.168.0.4:54509 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][Breed: Acceptable][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][14.10 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 204/2207 3474/2207 10236/2207 3958/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 25 TCP 192.168.0.4:54596 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][Breed: Acceptable][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][15.49 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 194/3741 3824/3741 10228/3741 3889/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 24 TCP 192.168.0.4:54509 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 
0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][Breed: Acceptable][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][14.10 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 204/2207 3474/2207 10236/2207 3958/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][Risk: ** (Possible) Slow DoS **][Risk Score: 100][Risk Info: Slow TCP 3WH (SYN|ACK): 1.7 sec][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 25 TCP 192.168.0.4:54596 <-> 192.254.189.169:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][Breed: Acceptable][5 pkts/342 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][15.49 sec][bytes ratio: 0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 194/3741 3824/3741 10228/3741 3889/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 78/74 5/4][Risk: ** (Possible) Slow DoS **][Risk Score: 100][Risk Info: Slow TCP 3WH (SYN|ACK): 1.5 sec][TCP Fingerprint: 2_64_65535_09b18f059744/macOS][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/http_connect.pcap.out b/tests/cfgs/default/result/http_connect.pcap.out index 9c7effe9b..0b2b29215 100644 --- a/tests/cfgs/default/result/http_connect.pcap.out +++ b/tests/cfgs/default/result/http_connect.pcap.out 
@@ -47,5 +47,5 @@ JA Host Stats: 1 TCP 192.168.1.146:35968 <-> 151.101.2.132:443 [proto: 91/TLS][Stack: TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Safe][28 pkts/3557 bytes <-> 30 pkts/32939 bytes][Goodput ratio: 48/94][0.11 sec][Hostname/SNI: apache.org][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.805 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5/4 53/54 11/11][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 127/1098 583/1450 129/576][nDPI Fingerprint: 6def9cba39e7d96f14bb96e41556e944][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.3][JA4: t13d1813h2_e8a523a41297_f81080dfc557][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 2,2,8,8,2,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0] 2 TCP 192.168.1.103:1714 <-> 192.168.1.146:8080 [proto: 130/HTTP_Connect][Stack: HTTP_Connect][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][18 pkts/2918 bytes <-> 22 pkts/23923 bytes][Goodput ratio: 65/95][0.11 sec][Hostname/SNI: apache.org][bytes ratio: -0.783 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 6/5 50/53 13/12][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 162/1087 571/5590 128/1857][URL: apache.org:443][StatusCode: 200][User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0][Risk: ** Susp Entropy **][Risk Score: 10][Risk Info: Entropy: 5.267 (Executable?)][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][PLAIN TEXT (CONNECT apache.org)][Plen Bins: 4,4,20,15,4,4,4,0,0,4,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,20] - 3 TCP 10.10.109.10:3128 <-> 10.100.3.133:50474 [VLAN: 1606][proto: 130.147/HTTP_Connect.WindowsUpdate][Stack: HTTP_Connect.WindowsUpdate][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: 
Unknown][DPI packets: 8][cat: SoftwareUpdate/19][Breed: Safe][6 pkts/4297 bytes <-> 2 pkts/227 bytes][Goodput ratio: 91/43][502.21 sec][Hostname/SNI: fe3cr.delivery.mp.microsoft.com][bytes ratio: 0.900 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/4 100441/4 502189/4 200874/0][Pkt Len c2s/s2c min/avg/max/stddev: 64/70 716/114 1518/157 666/44][URL: fe3cr.delivery.mp.microsoft.com:443][Risk: ** Known Proto on Non Std Port **** HTTP Susp User-Agent **** Susp Entropy **][Risk Score: 160][Risk Info: Entropy: 5.246 (Executable?) / Empty or missing User-Agent / Expected on port 80][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][PLAIN TEXT (HTTP/1.1 407 Proxy Authenticati)][Plen Bins: 0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0] + 3 TCP 10.10.109.10:3128 <-> 10.100.3.133:50474 [VLAN: 1606][proto: 130.147/HTTP_Connect.WindowsUpdate][Stack: HTTP_Connect.WindowsUpdate][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: SoftwareUpdate/19][Breed: Safe][6 pkts/4297 bytes <-> 2 pkts/227 bytes][Goodput ratio: 91/43][502.21 sec][Hostname/SNI: fe3cr.delivery.mp.microsoft.com][bytes ratio: 0.900 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/4 100441/4 502189/4 200874/0][Pkt Len c2s/s2c min/avg/max/stddev: 64/70 716/114 1518/157 666/44][URL: fe3cr.delivery.mp.microsoft.com:443][Risk: ** Known Proto on Non Std Port **** HTTP Susp User-Agent **** Susp Entropy **** (Possible) Slow DoS **][Risk Score: 260][Risk Info: Slow TCP 3WH (ACK): 502.2 sec / Entropy: 5.246 (Executable?) 
/ Empty or missing User-Agent / Expected on port 80][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][PLAIN TEXT (HTTP/1.1 407 Proxy Authenticati)][Plen Bins: 0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0] 4 UDP 192.168.1.146:47767 <-> 192.168.1.2:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 48/56][< 1 sec][Hostname/SNI: apache.org][151.101.2.132][DNS Id: 0xf5b7][PLAIN TEXT (apache)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/irc.pcap.out b/tests/cfgs/default/result/irc.pcap.out index 84cb59563..e67a683f5 100644 --- a/tests/cfgs/default/result/irc.pcap.out +++ b/tests/cfgs/default/result/irc.pcap.out 
@@ -33,4 +33,4 @@ Unsafe 29 8945 1 Chat 29 8945 1 - 1 TCP 10.180.156.249:45921 <-> 38.229.70.20:8000 [proto: 65/IRC][Stack: IRC][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 7][cat: Chat/9][Breed: Unsafe][14 pkts/1046 bytes <-> 15 pkts/7899 bytes][Goodput ratio: 11/87][14.57 sec][bytes ratio: -0.766 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1314/1206 8864/8864 2852/2736][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 75/527 107/1514 14/611][Risk: ** Known Proto on Non Std Port **** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 160][Risk Info: Found IRC username (xxxxx) / Expected on port 194][TCP Fingerprint: 2_64_14600_2e3cee914fc1/Unknown][PLAIN TEXT (USER xx)][Plen Bins: 13,41,6,0,0,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0] + 1 TCP 10.180.156.249:45921 <-> 38.229.70.20:8000 [proto: 65/IRC][Stack: IRC][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 7][cat: Chat/9][Breed: Unsafe][14 pkts/1046 bytes <-> 15 pkts/7899 bytes][Goodput ratio: 11/87][14.57 sec][bytes ratio: -0.766 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1314/1206 8864/8864 2852/2736][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 75/527 107/1514 14/611][Risk: ** Known Proto on Non Std Port **** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 160][Risk Info: Found IRC username (xxxxx)|Found username (xxxxx +iw xxxxx :Xxxxxx Xxxx)|Found FTP username (xxxxx +iw xxxxx :Xxxxxx Xxxx) / E][TCP Fingerprint: 2_64_14600_2e3cee914fc1/Unknown][PLAIN TEXT (USER xx)][Plen Bins: 13,41,6,0,0,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0] diff --git a/tests/cfgs/default/result/log4j-webapp-exploit.pcap.out b/tests/cfgs/default/result/log4j-webapp-exploit.pcap.out index 0792421e4..d8a9e7a0f 100644 --- a/tests/cfgs/default/result/log4j-webapp-exploit.pcap.out 
+++ b/tests/cfgs/default/result/log4j-webapp-exploit.pcap.out 
@@ -42,7 +42,7 @@ System 32 2796 2 1 TCP 172.16.238.10:48534 <-> 172.16.238.11:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][Breed: Acceptable][7 pkts/692 bytes <-> 6 pkts/1964 bytes][Goodput ratio: 30/79][0.00 sec][Hostname/SNI: 172.16.238.11][bytes ratio: -0.479 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 1/1 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 99/327 276/1420 72/494][URL: 172.16.238.11/Exploit.class][StatusCode: 200][Content-Type: application/java-vm][Server: SimpleHTTP/0.6 Python/3.4.2][User-Agent: Java/1.8.0_51][Risk: ** Binary App Transfer **** HTTP/TLS/QUIC Numeric Hostname/SNI **** Possible Exploit Attempt **][Risk Score: 310][Risk Info: Suspicious Log4J / Found host 172.16.238.11 / Found mime exe java-vm][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /Exploit.class HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0] 2 TCP 172.16.238.10:48444 <-> 172.16.238.11:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][Breed: Acceptable][6 pkts/624 bytes <-> 6 pkts/1964 bytes][Goodput ratio: 33/79][0.01 sec][Hostname/SNI: 172.16.238.11][bytes ratio: -0.518 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1/2 3/3 1/1][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 104/327 276/1420 77/494][URL: 172.16.238.11/Exploit.class][StatusCode: 200][Content-Type: application/java-vm][Server: SimpleHTTP/0.6 Python/3.4.2][User-Agent: Java/1.8.0_51][Risk: ** Binary App Transfer **** HTTP/TLS/QUIC Numeric Hostname/SNI **** Possible Exploit Attempt **][Risk Score: 310][Risk Info: Suspicious Log4J / Found host 172.16.238.11 / Found mime exe java-vm][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GGET /Exploit.class HTTP/1.1)][Plen Bins: 
0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0] - 3 TCP 172.16.238.1:1984 <-> 172.16.238.10:8080 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Web/5][Breed: Acceptable][5 pkts/994 bytes <-> 4 pkts/503 bytes][Goodput ratio: 65/44][19.29 sec][Hostname/SNI: 192.168.13.31][bytes ratio: 0.328 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/7 4822/6428 10256/10256 4838/4568][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 199/126 714/291 258/95][URL: 192.168.13.31:8080/log4shell/login][StatusCode: 200][Req Content-Type: application/x-www-form-urlencoded][Content-Type: text/html][User-Agent: jndi:ldap://172.16.238.11:1389/a][Risk: ** Known Proto on Non Std Port **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **** Possible Exploit Attempt **][Risk Score: 310][Risk Info: Suspicious Log4J / Expected 172.16.238.10, found 192.168.13.31 / Found host 192.168.13.31 / Expected on port 80][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][PLAIN TEXT (POST /log)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 TCP 172.16.238.1:1984 <-> 172.16.238.10:8080 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Web/5][Breed: Acceptable][5 pkts/994 bytes <-> 4 pkts/503 bytes][Goodput ratio: 65/44][19.29 sec][Hostname/SNI: 192.168.13.31][bytes ratio: 0.328 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/7 4822/6428 10256/10256 4838/4568][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 199/126 714/291 258/95][URL: 192.168.13.31:8080/log4shell/login][StatusCode: 200][Req Content-Type: application/x-www-form-urlencoded][Content-Type: text/html][User-Agent: jndi:ldap://172.16.238.11:1389/a][Risk: ** Known Proto on Non Std Port **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **** Possible Exploit Attempt **** 
(Possible) Slow DoS **][Risk Score: 410][Risk Info: Slow HTTP Req. (Slowloris): 19.3 sec / Suspicious Log4J / Expected 172.16.238.10, found 192.168.13.31 / Found host 192.168.13.][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][PLAIN TEXT (POST /log)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 TCP 172.16.238.10:57650 <-> 172.16.238.11:1389 [proto: 112/LDAP][Stack: LDAP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 4][cat: System/18][Breed: Acceptable][9 pkts/739 bytes <-> 8 pkts/727 bytes][Goodput ratio: 16/24][17.91 sec][bytes ratio: 0.008 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/5 2545/3580 17700/17700 6187/7060][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 82/91 137/215 22/47][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: Expected on port 389][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (objectClass)][Plen Bins: 51,16,16,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 5 TCP 172.16.238.10:57742 <-> 172.16.238.11:1389 [proto: 112/LDAP][Stack: LDAP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 4][cat: System/18][Breed: Acceptable][9 pkts/739 bytes <-> 6 pkts/591 bytes][Goodput ratio: 16/30][0.02 sec][bytes ratio: 0.111 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2/1 11/2 4/1][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 82/98 137/215 22/52][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: Expected on port 389][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (objectClass)][Plen Bins: 51,16,16,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/pop3.pcap.out b/tests/cfgs/default/result/pop3.pcap.out index 3008ece58..e8c673b9c 100644 --- a/tests/cfgs/default/result/pop3.pcap.out 
+++ b/tests/cfgs/default/result/pop3.pcap.out 
@@ -34,7 +34,7 @@ Unsafe 144 31172 6 Email 144 31172 6 1 TCP 192.168.0.4:26383 <-> 212.227.15.166:110 [proto: 2/POP3][Stack: POP3][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 16][cat: Email/3][Breed: Unsafe][22 pkts/1338 bytes <-> 30 pkts/21359 bytes][Goodput ratio: 10/92][1.26 sec][bytes ratio: -0.882 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 59/41 97/111 37/39][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 61/712 120/1514 14/680][Risk: ** Unsafe Protocol **][Risk Score: 10][TCP Fingerprint: 2_128_8192_4697958db063/Windows][PLAIN TEXT (OK POP server ready H mimap)][Plen Bins: 47,5,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,2,0,0,2,0,0,0,0,0,0,0,30,0,0] - 2 TCP 143.225.229.181:35287 <-> 74.208.5.28:110 [proto: 2/POP3][Stack: POP3][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 10][cat: Email/3][Breed: Unsafe][18 pkts/1269 bytes <-> 13 pkts/2646 bytes][Goodput ratio: 6/67][27.32 sec][User: cicciopernacchio@mail.com][Pwd: pippozzo][bytes ratio: -0.352 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1792/2973 5526/5668 2204/2427][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 70/204 98/1514 8/379][Risk: ** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 110][Risk Info: Found username (cicciopernacchio@mail.com)][TCP Fingerprint: 2_64_5840_8c07a80cc645/Unknown][PLAIN TEXT (OK POP server ready H migmxus)][Plen Bins: 60,20,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0] + 2 TCP 143.225.229.181:35287 <-> 74.208.5.28:110 [proto: 2/POP3][Stack: POP3][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 10][cat: Email/3][Breed: Unsafe][18 pkts/1269 bytes <-> 13 pkts/2646 bytes][Goodput ratio: 6/67][27.32 sec][User: cicciopernacchio@mail.com][Pwd: pippozzo][bytes ratio: -0.352 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1792/2973 5526/5668 2204/2427][Pkt Len 
c2s/s2c min/avg/max/stddev: 66/66 70/204 98/1514 8/379][Risk: ** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 110][Risk Info: Found username (cicciopernacchio@mail.com)|Found password][TCP Fingerprint: 2_64_5840_8c07a80cc645/Unknown][PLAIN TEXT (OK POP server ready H migmxus)][Plen Bins: 60,20,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0] 3 TCP 192.168.0.4:26308 <-> 212.227.15.166:110 [proto: 2/POP3][Stack: POP3][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 16][cat: Email/3][Breed: Unsafe][9 pkts/594 bytes <-> 10 pkts/881 bytes][Goodput ratio: 16/34][0.59 sec][bytes ratio: -0.195 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 29/0 64/64 81/88 18/29][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 66/88 120/145 20/32][Risk: ** Unsafe Protocol **][Risk Score: 10][TCP Fingerprint: 2_128_8192_4697958db063/Windows][PLAIN TEXT (OK POP server ready H mimap)][Plen Bins: 63,9,27,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 TCP 192.168.0.4:26284 <-> 212.227.15.166:110 [proto: 2/POP3][Stack: POP3][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 17][cat: Email/3][Breed: Unsafe][9 pkts/596 bytes <-> 9 pkts/735 bytes][Goodput ratio: 14/28][3.52 sec][bytes ratio: -0.104 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 33/1 484/65 2995/98 1025/32][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 66/82 116/145 18/27][Risk: ** Unsafe Protocol **][Risk Score: 10][TCP Fingerprint: 2_128_8192_4697958db063/Windows][PLAIN TEXT (OK POP server ready H mimap)][Plen Bins: 66,22,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 5 TCP 192.168.0.4:26272 <-> 212.227.15.166:110 [proto: 2/POP3][Stack: POP3][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 12][cat: Email/3][Breed: Unsafe][6 pkts/348 bytes <-> 6 pkts/529 bytes][Goodput 
ratio: 3/33][0.21 sec][bytes ratio: -0.206 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 40/32 65/48 24/22][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 58/88 66/145 4/31][Risk: ** Unsafe Protocol **][Risk Score: 10][TCP Fingerprint: 2_128_8192_4697958db063/Windows][PLAIN TEXT (OK POP server ready H mimap)][Plen Bins: 60,20,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/quickplay.pcap.out b/tests/cfgs/default/result/quickplay.pcap.out index e5bf2ab60..5c442f539 100644 --- a/tests/cfgs/default/result/quickplay.pcap.out +++ b/tests/cfgs/default/result/quickplay.pcap.out 
@@ -56,10 +56,10 @@ ConnCheck 2 378 1 10 TCP 10.54.169.250:44256 <-> 120.28.5.41:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 7/HTTP, Confidence: DPI][DPI packets: 3][cat: Streaming/17][Breed: Fun][2 pkts/1086 bytes <-> 1 pkts/1225 bytes][Goodput ratio: 90/95][0.64 sec][Hostname/SNI: play-singtelhawk.quickplay.com][URL: play-singtelhawk.quickplay.com/vstb/playlist_5_6241_357.m3u8?action=145&appId=5006&carrierId=23&appVersion=1.0&contentId=6241&contentTypeId=3&deviceName=androidmobile&encodingId=357&drmId=4&drmVersion=1.5&delivery=5&prefLanguage=eng&webvtt=true&userid=091][User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 3W Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36][PLAIN TEXT (GET /vstb/playlist)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0] 11 TCP 10.54.169.250:56381 <-> 54.179.140.65:80 [proto: 7.287/HTTP.Xiaomi][Stack: HTTP.Xiaomi][IP: 461/AWS_EC2][ClearText][Confidence: DPI][FPC: 7.287/HTTP.Xiaomi, Confidence: DPI][DPI packets: 2][cat: Web/5][Breed: Fun][1 pkts/638 bytes <-> 1 pkts/831 bytes][Goodput ratio: 91/93][0.32 sec][Hostname/SNI: api.account.xiaomi.com][URL: api.account.xiaomi.com/pass/v2/safe/user/coreInfo?signature=u%2F73dEXBHbejev0ISNwnGyyfeTw%3D&userId=Mz5Xr5UXKuw83hxd6Yms2w%3D%3D][StatusCode: 200][Req Content-Type: application/x-www-form-urlencoded][Content-Type: application/json][Server: Tengine/2.0.1][User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI/V6.4.2.0.KXDMICB)][PLAIN TEXT (GET /pass/v)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 12 TCP 10.54.169.250:54883 <-> 203.205.151.160:80 [proto: 131.48/HTTP_Proxy.QQ][Stack: HTTP_Proxy.QQ][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 131.48/HTTP_Proxy.QQ, Confidence: DPI][DPI packets: 3][cat: Chat/9][Breed: Fun][2 pkts/1192 bytes <-> 1 pkts/145 bytes][Goodput 
ratio: 91/61][2.08 sec][Hostname/SNI: hkextshort.weixin.qq.com][URL: http://hkextshort.weixin.qq.com/cgi-bin/micromsg-bin/mmsnssync][Req Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: Expected on port 8080,3128][PLAIN TEXT (POST http)][Plen Bins: 0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 13 TCP 10.54.169.250:54885 <-> 203.205.151.160:80 [proto: 131.48/HTTP_Proxy.QQ][Stack: HTTP_Proxy.QQ][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 131.48/HTTP_Proxy.QQ, Confidence: DPI][DPI packets: 2][cat: Download/7][Breed: Fun][1 pkts/461 bytes <-> 2 pkts/522 bytes][Goodput ratio: 88/78][2.81 sec][Hostname/SNI: hkextshort.weixin.qq.com][URL: http://hkextshort.weixin.qq.com/cgi-bin/micromsg-bin/getcontactlabellist][StatusCode: 200][Req Content-Type: application/octet-stream][Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Filename: micromsgresp.dat][Risk: ** Known Proto on Non Std Port **** Binary File/Data Transfer (Attempt) **][Risk Score: 100][Risk Info: Found binary mime octet-stream / Expected on port 8080,3128][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,66,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 14 TCP 10.54.169.250:35670 <-> 203.205.147.215:80 [proto: 131.48/HTTP_Proxy.QQ][Stack: HTTP_Proxy.QQ][IP: 285/Tencent][ClearText][Confidence: DPI][FPC: 131.48/HTTP_Proxy.QQ, Confidence: DPI][DPI packets: 2][cat: Download/7][Breed: Fun][1 pkts/681 bytes <-> 1 pkts/262 bytes][Goodput ratio: 92/78][0.14 sec][Hostname/SNI: hkminorshort.weixin.qq.com][URL: http://hkminorshort.weixin.qq.com/cgi-bin/micromsg-bin/rtkvreport][StatusCode: 200][Req Content-Type: application/octet-stream][Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Filename: micromsgresp.dat][Risk: ** Known Proto on Non Std Port **** Binary File/Data Transfer 
(Attempt) **][Risk Score: 100][Risk Info: Found binary mime octet-stream / Expected on port 8080,3128][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 15 TCP 10.54.169.250:42762 <-> 203.205.129.101:80 [proto: 131.48/HTTP_Proxy.QQ][Stack: HTTP_Proxy.QQ][IP: 285/Tencent][ClearText][Confidence: DPI][FPC: 131.48/HTTP_Proxy.QQ, Confidence: DPI][DPI packets: 2][cat: Download/7][Breed: Fun][1 pkts/616 bytes <-> 1 pkts/261 bytes][Goodput ratio: 91/78][0.37 sec][Hostname/SNI: hkextshort.weixin.qq.com][URL: http://hkextshort.weixin.qq.com/cgi-bin/micromsg-bin/androidgcmreg][StatusCode: 200][Req Content-Type: application/octet-stream][Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Filename: micromsgresp.dat][Risk: ** Known Proto on Non Std Port **** Binary File/Data Transfer (Attempt) **][Risk Score: 100][Risk Info: Found binary mime octet-stream / Expected on port 8080,3128][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 16 TCP 10.54.169.250:42761 <-> 203.205.129.101:80 [proto: 131.48/HTTP_Proxy.QQ][Stack: HTTP_Proxy.QQ][IP: 285/Tencent][ClearText][Confidence: DPI][FPC: 131.48/HTTP_Proxy.QQ, Confidence: DPI][DPI packets: 2][cat: Download/7][Breed: Fun][1 pkts/380 bytes <-> 1 pkts/261 bytes][Goodput ratio: 85/78][0.34 sec][Hostname/SNI: hkextshort.weixin.qq.com][URL: http://hkextshort.weixin.qq.com/cgi-bin/micromsg-bin/mmbatchemojidownload][StatusCode: 200][Req Content-Type: application/octet-stream][Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Filename: micromsgresp.dat][Risk: ** Known Proto on Non Std Port **** Binary File/Data Transfer (Attempt) **][Risk Score: 100][Risk Info: Found binary mime octet-stream / Expected on port 8080,3128][PLAIN TEXT (POST http)][Plen Bins: 
0,0,0,0,0,0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 13 TCP 10.54.169.250:54885 <-> 203.205.151.160:80 [proto: 131.48/HTTP_Proxy.QQ][Stack: HTTP_Proxy.QQ][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 131.48/HTTP_Proxy.QQ, Confidence: DPI][DPI packets: 2][cat: Download/7][Breed: Fun][1 pkts/461 bytes <-> 2 pkts/522 bytes][Goodput ratio: 88/78][2.81 sec][Hostname/SNI: hkextshort.weixin.qq.com][URL: http://hkextshort.weixin.qq.com/cgi-bin/micromsg-bin/getcontactlabellist][StatusCode: 200][Req Content-Type: application/octet-stream][Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Filename: micromsgresp.dat][Risk: ** Known Proto on Non Std Port **** Binary File/Data Transfer (Attempt) **][Risk Score: 100][Risk Info: Found binary mime octet-stream|File download micromsgresp.dat / Expected on port 8080,3128][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,66,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 14 TCP 10.54.169.250:35670 <-> 203.205.147.215:80 [proto: 131.48/HTTP_Proxy.QQ][Stack: HTTP_Proxy.QQ][IP: 285/Tencent][ClearText][Confidence: DPI][FPC: 131.48/HTTP_Proxy.QQ, Confidence: DPI][DPI packets: 2][cat: Download/7][Breed: Fun][1 pkts/681 bytes <-> 1 pkts/262 bytes][Goodput ratio: 92/78][0.14 sec][Hostname/SNI: hkminorshort.weixin.qq.com][URL: http://hkminorshort.weixin.qq.com/cgi-bin/micromsg-bin/rtkvreport][StatusCode: 200][Req Content-Type: application/octet-stream][Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Filename: micromsgresp.dat][Risk: ** Known Proto on Non Std Port **** Binary File/Data Transfer (Attempt) **][Risk Score: 100][Risk Info: Found binary mime octet-stream|File download micromsgresp.dat / Expected on port 8080,3128][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 15 TCP 10.54.169.250:42762 <-> 203.205.129.101:80 
[proto: 131.48/HTTP_Proxy.QQ][Stack: HTTP_Proxy.QQ][IP: 285/Tencent][ClearText][Confidence: DPI][FPC: 131.48/HTTP_Proxy.QQ, Confidence: DPI][DPI packets: 2][cat: Download/7][Breed: Fun][1 pkts/616 bytes <-> 1 pkts/261 bytes][Goodput ratio: 91/78][0.37 sec][Hostname/SNI: hkextshort.weixin.qq.com][URL: http://hkextshort.weixin.qq.com/cgi-bin/micromsg-bin/androidgcmreg][StatusCode: 200][Req Content-Type: application/octet-stream][Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Filename: micromsgresp.dat][Risk: ** Known Proto on Non Std Port **** Binary File/Data Transfer (Attempt) **][Risk Score: 100][Risk Info: Found binary mime octet-stream|File download micromsgresp.dat / Expected on port 8080,3128][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 16 TCP 10.54.169.250:42761 <-> 203.205.129.101:80 [proto: 131.48/HTTP_Proxy.QQ][Stack: HTTP_Proxy.QQ][IP: 285/Tencent][ClearText][Confidence: DPI][FPC: 131.48/HTTP_Proxy.QQ, Confidence: DPI][DPI packets: 2][cat: Download/7][Breed: Fun][1 pkts/380 bytes <-> 1 pkts/261 bytes][Goodput ratio: 85/78][0.34 sec][Hostname/SNI: hkextshort.weixin.qq.com][URL: http://hkextshort.weixin.qq.com/cgi-bin/micromsg-bin/mmbatchemojidownload][StatusCode: 200][Req Content-Type: application/octet-stream][Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Filename: micromsgresp.dat][Risk: ** Known Proto on Non Std Port **** Binary File/Data Transfer (Attempt) **][Risk Score: 100][Risk Info: Found binary mime octet-stream|File download micromsgresp.dat / Expected on port 8080,3128][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 17 TCP 10.54.169.250:52285 <-> 173.252.74.22:80 [proto: 7.119/HTTP.Facebook][Stack: HTTP.Facebook][IP: 119/Facebook][ClearText][Confidence: DPI][FPC: 7.119/HTTP.Facebook, Confidence: DPI][DPI packets: 
2][cat: SocialNetwork/6][Breed: Fun][1 pkts/243 bytes <-> 1 pkts/339 bytes][Goodput ratio: 77/83][0.46 sec][Hostname/SNI: www.facebook.com][URL: www.facebook.com/mobile/status.php][StatusCode: 204][User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI/V6.4.2.0.KXDMICB)][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)][Plen Bins: 0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 18 TCP 10.54.169.250:52288 <-> 173.252.74.22:80 [proto: 7.119/HTTP.Facebook][Stack: HTTP.Facebook][IP: 119/Facebook][ClearText][Confidence: DPI][FPC: 7.119/HTTP.Facebook, Confidence: DPI][DPI packets: 2][cat: SocialNetwork/6][Breed: Fun][1 pkts/243 bytes <-> 1 pkts/339 bytes][Goodput ratio: 77/83][0.46 sec][Hostname/SNI: www.facebook.com][URL: www.facebook.com/mobile/status.php][StatusCode: 204][User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI/V6.4.2.0.KXDMICB)][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)][Plen Bins: 0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 19 TCP 10.54.169.250:44793 <-> 31.13.68.49:80 [proto: 7.119/HTTP.Facebook][Stack: HTTP.Facebook][IP: 119/Facebook][ClearText][Confidence: DPI][FPC: 7.119/HTTP.Facebook, Confidence: DPI][DPI packets: 2][cat: SocialNetwork/6][Breed: Fun][1 pkts/237 bytes <-> 1 pkts/339 bytes][Goodput ratio: 76/83][0.34 sec][Hostname/SNI: www.facebook.com][URL: www.facebook.com/mobile/status.php][StatusCode: 204][User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; GT-I9505 Build/KOT49H)][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)][Plen Bins: 0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/slowdos.pcap.out b/tests/cfgs/default/result/slowdos.pcap.out new file mode 100644 index 000000000..5d0325026 --- /dev/null +++ b/tests/cfgs/default/result/slowdos.pcap.out 
@@ -0,0 +1,38 @@ +DPI Packets (TCP): 37 (12.33 pkts/flow) +Confidence DPI : 3 (flows) +Num dissector calls: 39 (13.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 0/3/0 (insert/search/found) +Automa host: 6/0 (search/found) +Automa domain: 3/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 0/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 6/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) +Hash malicious ja4: 0/0 (search/found) +Hash malicious sha1: 0/0 (search/found) +Hash TCP fingerprints: 3/3 (search/found) +Hash public domain suffix: 0/0 (search/found) +Hash ja4 custom protos: 0/0 (search/found) +Hash fp custom protos: 0/0 (search/found) +Hash url custom protos: 4/0 (search/found) + +HTTP 77 24228 3 + +Acceptable 77 24228 3 + +Web 77 24228 3 + + 1 TCP 192.168.1.66:35276 <-> 192.168.10.124:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 13][cat: Web/5][Breed: Acceptable][22 pkts/3662 bytes <-> 12 pkts/11981 bytes][Goodput ratio: 61/93][51856.96 sec][Hostname/SNI: 192.168.10.124][bytes ratio: -0.532 (Download)][IAT c2s/s2c min/avg/max/stddev: 4265/5 1682988/2370751 15055176/17341811 3747803/5683438][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 166/998 347/1514 137/666][URL: 192.168.10.124/][User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.7.0; U; Edition MacAppStore; en) Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/534.34 (KHTML,like Gecko) PhantomJS/1.9.0 (development) 
Safari/534.34][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** (Possible) Slow DoS **][Risk Score: 110][Risk Info: Slow TCP 3WH (SYN|ACK): 31609.6 sec|Slow TCP 3WH (ACK): 31550.5 sec / Found host 192.168.10.124][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][PLAIN TEXT (TGET / HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,43,0,0] + 2 TCP 192.168.1.68:35276 <-> 192.168.10.124:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][Breed: Acceptable][10 pkts/1035 bytes <-> 8 pkts/4896 bytes][Goodput ratio: 36/89][2896.03 sec][Hostname/SNI: 192.168.10.124][bytes ratio: -0.651 (Download)][IAT c2s/s2c min/avg/max/stddev: 81/25 288427/150920 1067288/601684 389140/260249][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 104/612 443/1514 113/699][URL: 192.168.10.124:80/?NYR=SVPWCP][StatusCode: 200][Content-Type: text/html][Server: Apache/2.4.41 (Ubuntu)][User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6 Safari/532.1][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** (Possible) Slow DoS **][Risk Score: 110][Risk Info: Slow TCP 3WH (ACK): 599.8 sec / Found host 192.168.10.124][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][PLAIN TEXT (P HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,75,0,0] + 3 TCP 192.168.1.64:35276 <-> 192.168.10.124:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 15][cat: Web/5][Breed: Acceptable][14 pkts/1438 bytes <-> 11 pkts/1216 bytes][Goodput ratio: 33/40][70785.80 sec][Hostname/SNI: 192.168.10.124][bytes ratio: 0.084 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 3333/14276 4670506/6312836 10192148/10192169 4225333/4397107][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103/111 345/548 69/138][URL: 
192.168.10.124/][User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.7.0; U; Edition MacAppStore; en) Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/534.34 (KHTML,like Gecko) PhantomJS/1.9.0 (development) Safari/534.34][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **** (Possible) Slow DoS **][Risk Score: 110][Risk Info: Slow HTTP Req. (Slowloris): 4425.9 sec|Slow TCP 3WH (ACK): 3.3 sec / Found host 192.168.10.124][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][PLAIN TEXT (GET / HTTP/1.1)][Plen Bins: 12,63,0,0,0,0,0,0,12,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/slowloris.pcap.out b/tests/cfgs/default/result/slowloris.pcap.out new file mode 100644 index 000000000..e9114b9e8 --- /dev/null +++ b/tests/cfgs/default/result/slowloris.pcap.out 
@@ -0,0 +1,36 @@ +DPI Packets (TCP): 10 (10.00 pkts/flow) +Confidence DPI : 1 (flows) +Num dissector calls: 13 (13.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 0/1/0 (insert/search/found) +Automa host: 1/1 (search/found) +Automa domain: 1/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 0/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 1/1 (search/found) +Patricia protocols IPv6: 0/0 (search/found) +Hash malicious ja4: 0/0 (search/found) +Hash malicious sha1: 0/0 (search/found) +Hash TCP fingerprints: 1/1 (search/found) +Hash public domain suffix: 0/0 (search/found) +Hash ja4 custom protos: 0/0 (search/found) +Hash fp custom protos: 0/0 (search/found) +Hash url custom protos: 1/0 (search/found) + +ntop 14 1712 1 + +Safe 14 1712 1 + +Network 14 1712 1 + + 1 TCP 192.168.2.61:39970 <-> 116.203.142.127:80 [proto: 7.26/HTTP.ntop][Stack: HTTP.ntop][IP: 26/ntop][ClearText][Confidence: DPI][FPC: 26/ntop, Confidence: IP address][DPI packets: 10][cat: Network/14][Breed: Safe][7 pkts/717 bytes <-> 7 pkts/995 bytes][Goodput ratio: 34/53][20.90 sec][Hostname/SNI: packages.ntop.org][bytes ratio: -0.162 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/19 3971/4176 9999/10002 4856/4705][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 102/142 223/591 53/183][URL: packages.ntop.org/][StatusCode: 408][Content-Type: text/html][Server: Apache/2.4.66 (Debian)][User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2)][Risk: ** Error Code **** (Possible) Slow DoS **][Risk Score: 110][Risk Info: 
Slow HTTP Req. (Slowloris): 9.8 sec / HTTP Error Code 408][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][PLAIN TEXT (GET / HTTP/1.1)][Plen Bins: 0,50,0,0,25,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/soap.pcap.out b/tests/cfgs/default/result/soap.pcap.out index 15788d5f3..19e973f2b 100644 --- a/tests/cfgs/default/result/soap.pcap.out +++ b/tests/cfgs/default/result/soap.pcap.out 
@@ -34,6 +34,6 @@ Acceptable 20 10948 3 Collaborative 1 1506 1 RPC 19 9442 2 - 1 TCP 192.168.2.100:50100 <-> 23.2.213.165:80 [proto: 253/SOAP][Stack: SOAP][IP: 467/Akamai][ClearText][Confidence: DPI][FPC: 467/Akamai, Confidence: IP address][DPI packets: 5][cat: RPC/16][Breed: Acceptable][7 pkts/4746 bytes <-> 7 pkts/752 bytes][Goodput ratio: 92/39][5.01 sec][bytes ratio: 0.726 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 989/1236 2486/2486 1098/1096][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 678/107 1506/362 717/104][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][PLAIN TEXT (POST /fwlink/)][Plen Bins: 0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,75,0,0] + 1 TCP 192.168.2.100:50100 <-> 23.2.213.165:80 [proto: 253/SOAP][Stack: SOAP][IP: 467/Akamai][ClearText][Confidence: DPI][FPC: 467/Akamai, Confidence: IP address][DPI packets: 5][cat: RPC/16][Breed: Acceptable][7 pkts/4746 bytes <-> 7 pkts/752 bytes][Goodput ratio: 92/39][5.01 sec][bytes ratio: 0.726 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 989/1236 2486/2486 1098/1096][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 678/107 1506/362 717/104][Risk: ** (Possible) Slow DoS **][Risk Score: 100][Risk Info: Slow TCP 3WH (ACK): 2.5 sec][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][PLAIN TEXT (POST /fwlink/)][Plen Bins: 0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,75,0,0] 2 TCP 185.32.192.30:80 <-> 85.154.114.113:56028 [VLAN: 808][proto: 253/SOAP][Stack: SOAP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: RPC/16][Breed: Acceptable][3 pkts/2487 bytes <-> 2 pkts/1457 bytes][Goodput ratio: 92/92][0.34 sec][PLAIN TEXT (xml version)][Plen Bins: 0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,50,0,0,0,0,0,0,0,0,0] 3 TCP 192.168.2.100:50100 -> 23.2.213.165:4176 [proto: 7.253/HTTP.SOAP][Stack: HTTP.Microsoft365.SOAP][IP: 
467/Akamai][ClearText][Confidence: DPI][FPC: 7.253/HTTP.SOAP, Confidence: DPI][DPI packets: 1][cat: Collaborative/15][Breed: Acceptable][1 pkts/1506 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][Hostname/SNI: go.microsoft.com][URL: go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409][Req Content-Type: text/xml][User-Agent: MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic / Expected on port 80][PLAIN TEXT (POST /fwlink/)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0] diff --git a/tests/cfgs/default/result/synscan.pcap.out b/tests/cfgs/default/result/synscan.pcap.out index 068474d4e..349ab39dd 100644 --- a/tests/cfgs/default/result/synscan.pcap.out +++ b/tests/cfgs/default/result/synscan.pcap.out 
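Review bot: The regenerated SOAP flow 1 now carries `[Risk: ** (Possible) Slow DoS **][Risk Score: 100]` for `Slow TCP 3WH (ACK): 2.5 sec` on a 14-packet request/response exchange that otherwise looks ordinary, which reads as a false positive rather than an expectation worth committing. The Slowloris sample in slowloris.pcap.out trips at 9.8 sec and the slowdos.pcap.out flows at hundreds to tens of thousands of seconds, so a 2.5 sec ACK delay (routine on a lossy or high-latency path) sits far below anything the documented risk describes. The threshold is set in detection code outside this diff; I would revisit it, or require a corroborating signal such as a slow request in the same flow, before accepting this result, since a score of 100 on normal traffic will drown out real alerts.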
@@ -121,9 +121,9 @@ System 12 696 12 IoT-Scada 4 232 4 Crypto_Currency 2 116 2 - 1 TCP 172.16.0.8:36050 <-> 64.13.134.52:22 [proto: 92/SSH][Stack: SSH][IP: 0/Unknown][Encrypted][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: RemoteAccess/12][Breed: Acceptable][1 pkts/58 bytes <-> 4 pkts/240 bytes][Goodput ratio: 0/0][21.68 sec][TCP Fingerprint: 2_64_1024_6bbe28597824/Unknown][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 TCP 172.16.0.8:36050 <-> 64.13.134.52:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Network/14][Breed: Acceptable][1 pkts/58 bytes <-> 4 pkts/240 bytes][Goodput ratio: 0/0][21.09 sec][0.0.0.0][TCP Fingerprint: 2_64_3072_6bbe28597824/Unknown][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 3 TCP 172.16.0.8:36050 <-> 64.13.134.52:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Web/5][Breed: Acceptable][1 pkts/58 bytes <-> 4 pkts/240 bytes][Goodput ratio: 0/0][21.27 sec][TCP Fingerprint: 2_64_3072_6bbe28597824/Unknown][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 TCP 172.16.0.8:36050 <-> 64.13.134.52:22 [proto: 92/SSH][Stack: SSH][IP: 0/Unknown][Encrypted][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: RemoteAccess/12][Breed: Acceptable][1 pkts/58 bytes <-> 4 pkts/240 bytes][Goodput ratio: 0/0][21.68 sec][Risk: ** (Possible) Slow DoS **][Risk Score: 100][Risk Info: Slow TCP 3WH (SYN|ACK): 21.7 sec][TCP Fingerprint: 2_64_1024_6bbe28597824/Unknown][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 TCP 172.16.0.8:36050 <-> 64.13.134.52:53 
[proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Network/14][Breed: Acceptable][1 pkts/58 bytes <-> 4 pkts/240 bytes][Goodput ratio: 0/0][21.09 sec][0.0.0.0][Risk: ** (Possible) Slow DoS **][Risk Score: 100][Risk Info: Slow TCP 3WH (SYN|ACK): 21.1 sec][TCP Fingerprint: 2_64_3072_6bbe28597824/Unknown][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 TCP 172.16.0.8:36050 <-> 64.13.134.52:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Web/5][Breed: Acceptable][1 pkts/58 bytes <-> 4 pkts/240 bytes][Goodput ratio: 0/0][21.27 sec][Risk: ** (Possible) Slow DoS **][Risk Score: 100][Risk Info: Slow TCP 3WH (SYN|ACK): 21.3 sec][TCP Fingerprint: 2_64_3072_6bbe28597824/Unknown][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 TCP 172.16.0.8:36050 <-> 64.13.134.52:25 [proto: 3/SMTP][Stack: SMTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 2][cat: Email/3][Breed: Acceptable][1 pkts/58 bytes <-> 1 pkts/60 bytes][Goodput ratio: 0/0][0.06 sec][Risk: ** TCP Connection Issues **** Probing Attempt **][Risk Score: 100][Risk Info: TCP probing attempt / Connection refused (server)][TCP Fingerprint: 2_64_3072_6bbe28597824/Unknown][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 5 TCP 172.16.0.8:36050 -> 64.13.134.52:20 [proto: 175/FTP_DATA][Stack: FTP_DATA][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][cat: Download/7][Breed: Acceptable][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][TCP Fingerprint: 
2_64_3072_6bbe28597824/Unknown][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 6 TCP 172.16.0.8:36050 -> 64.13.134.52:21 [proto: 1/FTP_CONTROL][Stack: FTP_CONTROL][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][cat: Download/7][Breed: Unsafe][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unsafe Protocol **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic][TCP Fingerprint: 2_64_4096_6bbe28597824/Unknown][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/tcp_scan.pcapng.out b/tests/cfgs/default/result/tcp_scan.pcapng.out index 20753f54e..272f3b66f 100644 --- a/tests/cfgs/default/result/tcp_scan.pcapng.out +++ b/tests/cfgs/default/result/tcp_scan.pcapng.out 
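Review bot: Flows 1–3 in this synscan hunk are each a single client SYN answered by four server packets with no completed handshake, yet they are now flagged `Slow TCP 3WH (SYN|ACK): 21.7 sec` (and 21.1, 21.3 sec), a figure equal to each flow's total duration. That suggests the SYN|ACK timestamp is taken from the last server packet — presumably SYN|ACK retransmissions while the scanner never replied — rather than the first, so the interval being measured is the scanner's silence, not a slow server. The measuring code is outside this diff; recording only the first SYN|ACK and skipping the slow-DoS risk when the client never completes the handshake would avoid labelling a port scan as a slow DoS and double-counting it against the Probing Attempt risk already raised on flow 4.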
@@ -52,6 +52,6 @@ System 2 138 1 Undetected flows: - 1 TCP 192.168.1.178:57916 <-> 192.168.1.2:3391 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 2][Breed: Unrated][1 pkts/54 bytes <-> 1 pkts/60 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** TCP Connection Issues **** Probing Attempt **][Risk Score: 100][Risk Info: TCP probing attempt / TCP NULL scan][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 TCP 192.168.1.178:62971 <-> 192.168.1.2:3390 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 2][Breed: Unrated][1 pkts/54 bytes <-> 1 pkts/60 bytes][Goodput ratio: 0/0][0.00 sec][Risk: ** TCP Connection Issues **** Probing Attempt **][Risk Score: 100][Risk Info: TCP probing attempt / TCP FIN scan][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 3 TCP 192.168.1.178:63243 <-> 192.168.1.2:3392 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 2][Breed: Unrated][1 pkts/54 bytes <-> 1 pkts/60 bytes][Goodput ratio: 0/0][0.00 sec][Risk: ** TCP Connection Issues **** Probing Attempt **][Risk Score: 100][Risk Info: TCP probing attempt / TCP XMAS scan][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 TCP 192.168.1.178:57916 <-> 192.168.1.2:3391 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 2][Breed: Unrated][1 pkts/54 bytes <-> 1 pkts/60 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** TCP Connection Issues **** Probing Attempt **][Risk Score: 100][Risk Info: TCP probing attempt / TCP NULL scan|Connection refused][Plen Bins: 
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 TCP 192.168.1.178:62971 <-> 192.168.1.2:3390 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 2][Breed: Unrated][1 pkts/54 bytes <-> 1 pkts/60 bytes][Goodput ratio: 0/0][0.00 sec][Risk: ** TCP Connection Issues **** Probing Attempt **][Risk Score: 100][Risk Info: TCP probing attempt / TCP FIN scan|Connection refused][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 TCP 192.168.1.178:63243 <-> 192.168.1.2:3392 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 2][Breed: Unrated][1 pkts/54 bytes <-> 1 pkts/60 bytes][Goodput ratio: 0/0][0.00 sec][Risk: ** TCP Connection Issues **** Probing Attempt **][Risk Score: 100][Risk Info: TCP probing attempt / TCP XMAS scan|Connection refused][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/telnet.pcap.out b/tests/cfgs/default/result/telnet.pcap.out index 2f8f1f595..d41e52d0e 100644 --- a/tests/cfgs/default/result/telnet.pcap.out +++ b/tests/cfgs/default/result/telnet.pcap.out 
@@ -34,4 +34,4 @@ Unsafe 127 11528 2 RemoteAccess 127 11528 2 1 TCP 192.168.0.2:1550 <-> 192.168.0.1:23 [proto: 77/Telnet][Stack: Telnet][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 32][cat: RemoteAccess/12][Breed: Unsafe][43 pkts/3135 bytes <-> 44 pkts/4283 bytes][Goodput ratio: 9/32][39.57 sec][Username: fake][bytes ratio: -0.155 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1130/544 14699/8799 2838/1502][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 73/97 151/554 17/76][Risk: ** Unsafe Protocol **][Risk Score: 10][TCP Fingerprint: 2_64_32120_615eac77f548/Unknown][PLAIN TEXT (bam.zing.org)][Plen Bins: 70,6,19,0,2,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 TCP 10.17.167.141:5355 <-> 20.1.178.225:23 [proto: 77/Telnet][Stack: Telnet][IP: 276/Azure][ClearText][Confidence: DPI][FPC: 276/Azure, Confidence: IP address][DPI packets: 26][cat: RemoteAccess/12][Breed: Unsafe][31 pkts/2097 bytes <-> 9 pkts/2013 bytes][Goodput ratio: 2/70][< 1 sec][Password: usernamepassword][bytes ratio: 0.020 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/224 87/1441 4/430][Risk: ** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 110][Risk Info: Found Telnet username ()][TCP Fingerprint: 2_32_5792_13ad4065e152/Unknown][PLAIN TEXT (TPassword)][Plen Bins: 96,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0] + 2 TCP 10.17.167.141:5355 <-> 20.1.178.225:23 [proto: 77/Telnet][Stack: Telnet][IP: 276/Azure][ClearText][Confidence: DPI][FPC: 276/Azure, Confidence: IP address][DPI packets: 26][cat: RemoteAccess/12][Breed: Unsafe][31 pkts/2097 bytes <-> 9 pkts/2013 bytes][Goodput ratio: 2/70][< 1 sec][Password: usernamepassword][bytes ratio: 0.020 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/224 87/1441 4/430][Risk: ** Unsafe Protocol **** 
Clear-Text Credentials **][Risk Score: 110][Risk Info: Found Telnet username ()|Found password][TCP Fingerprint: 2_32_5792_13ad4065e152/Unknown][PLAIN TEXT (TPassword)][Plen Bins: 96,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0] diff --git a/tests/cfgs/default/result/tls_port_80.pcapng.out b/tests/cfgs/default/result/tls_port_80.pcapng.out index 0314df9ec..107a34b0f 100644 --- a/tests/cfgs/default/result/tls_port_80.pcapng.out +++ b/tests/cfgs/default/result/tls_port_80.pcapng.out 
@@ -38,4 +38,4 @@ JA Host Stats: 1 57.91.202.194 1 - 1 TCP 57.91.202.194:50541 <-> 132.49.141.56:80 [proto: 91/TLS][Stack: TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 13][cat: Web/5][Breed: Safe][5 pkts/563 bytes <-> 8 pkts/1876 bytes][Goodput ratio: 43/72][14.65 sec][bytes ratio: -0.538 (Download)][IAT c2s/s2c min/avg/max/stddev: 1011/3433 2355/3433 3621/3433 1067/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 113/234 299/1414 93/446][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **][Risk Score: 110][Risk Info: SNI should always be present / No ALPN / Expected on port 443][nDPI Fingerprint: ab49185fadc49dfb8599a7658ba655c0][TCP Fingerprint: 2_128_64240_5e2eda046ca7/Unknown][TLSv1.2][JA4: t12i550500_168bb377f8c8_a1e935682795][JA3S: 107030a763c7224285717ff1569a17f3][Firefox][Cipher: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384][PLAIN TEXT (AnyNet Root CA1 0)][Plen Bins: 0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0] + 1 TCP 57.91.202.194:50541 <-> 132.49.141.56:80 [proto: 91/TLS][Stack: TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 13][cat: Web/5][Breed: Safe][5 pkts/563 bytes <-> 8 pkts/1876 bytes][Goodput ratio: 43/72][14.65 sec][bytes ratio: -0.538 (Download)][IAT c2s/s2c min/avg/max/stddev: 1011/3433 2355/3433 3621/3433 1067/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 113/234 299/1414 93/446][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** (Possible) Slow DoS **][Risk Score: 210][Risk Info: Slow TCP 3WH (SYN|ACK): 4.2 sec|Slow TCP 3WH (ACK): 3.3 sec / SNI should always be present / No ALPN / Expected on port 443][nDPI Fingerprint: ab49185fadc49dfb8599a7658ba655c0][TCP Fingerprint: 2_128_64240_5e2eda046ca7/Unknown][TLSv1.2][JA4: t12i550500_168bb377f8c8_a1e935682795][JA3S: 
107030a763c7224285717ff1569a17f3][Firefox][Cipher: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384][PLAIN TEXT (AnyNet Root CA1 0)][Plen Bins: 0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0] diff --git a/tests/cfgs/default/result/waze.pcap.out b/tests/cfgs/default/result/waze.pcap.out index 2730f53be..56391495a 100644 --- a/tests/cfgs/default/result/waze.pcap.out +++ b/tests/cfgs/default/result/waze.pcap.out 
@@ -55,7 +55,7 @@ JA Host Stats: 1 TCP 10.8.0.1:36100 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][Stack: TLS.Waze][IP: 461/AWS_EC2][Encrypted][Confidence: DPI][FPC: 461/AWS_EC2, Confidence: IP address][DPI packets: 6][cat: Web/5][Breed: Acceptable][52 pkts/10860 bytes <-> 55 pkts/74852 bytes][Goodput ratio: 74/96][19.68 sec][bytes ratio: -0.747 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 288/329 3806/5018 686/820][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 209/1361 590/17258 183/3378][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: Cipher TLS_RSA_WITH_AES_256_CBC_SHA / TLSv1][nDPI Fingerprint: 126eed69a38ebd23005a494940abe14f][TCP Fingerprint: 2_64_65535_41a9d5af7dd3/Android][TLSv1][JA4: t10i320300_771403ec58f7_a875e5012fde][ServerNames: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3][Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2][Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,5,0,0,21,1,5,3,3,1,10,1,0,0,0,0,14,0,0,0,0,0,1,0,1,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23] - 2 TCP 10.8.0.1:54915 <-> 65.39.128.135:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][Breed: Acceptable][19 pkts/1309 bytes <-> 18 pkts/61896 bytes][Goodput ratio: 20/98][5.27 sec][Hostname/SNI: xtra1.gpsonextra.net][bytes ratio: -0.959 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 321/373 3680/3677 903/960][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 69/3439 317/11833 59/3468][URL: xtra1.gpsonextra.net/xtra2.bin][StatusCode: 200][Content-Type: application/octet-stream][Server: Cherokee][User-Agent: Android][Risk: ** Binary File/Data Transfer (Attempt) **][Risk Score: 50][Risk Info: Found binary mime 
octet-stream][TCP Fingerprint: 2_64_65535_41a9d5af7dd3/Android][PLAIN TEXT (GET /xtra)][Plen Bins: 0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0,0,0,71] + 2 TCP 10.8.0.1:54915 <-> 65.39.128.135:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][Breed: Acceptable][19 pkts/1309 bytes <-> 18 pkts/61896 bytes][Goodput ratio: 20/98][5.27 sec][Hostname/SNI: xtra1.gpsonextra.net][bytes ratio: -0.959 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 321/373 3680/3677 903/960][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 69/3439 317/11833 59/3468][URL: xtra1.gpsonextra.net/xtra2.bin][StatusCode: 200][Content-Type: application/octet-stream][Server: Cherokee][User-Agent: Android][Risk: ** Binary File/Data Transfer (Attempt) **** (Possible) Slow DoS **][Risk Score: 150][Risk Info: Slow HTTP Req. (Slowloris): 3.7 sec / Found binary mime octet-stream][TCP Fingerprint: 2_64_65535_41a9d5af7dd3/Android][PLAIN TEXT (GET /xtra)][Plen Bins: 0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0,0,0,71] 3 TCP 10.8.0.1:39021 <-> 52.17.114.219:443 [proto: 91.135/TLS.Waze][Stack: TLS.Waze][IP: 461/AWS_EC2][Encrypted][Confidence: DPI][FPC: 461/AWS_EC2, Confidence: IP address][DPI packets: 8][cat: Web/5][Breed: Acceptable][17 pkts/1962 bytes <-> 16 pkts/56934 bytes][Goodput ratio: 52/98][2.64 sec][bytes ratio: -0.933 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 155/189 387/415 137/131][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 115/3558 590/21942 132/6125][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][nDPI Fingerprint: 126eed69a38ebd23005a494940abe14f][TCP Fingerprint: 2_64_65535_41a9d5af7dd3/Android][TLSv1][JA4: t10i320300_771403ec58f7_a875e5012fde][ServerNames: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2][Subject: 
C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 7,0,0,0,15,7,0,7,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0,0,0,39] 4 TCP 10.8.0.1:36312 <-> 176.34.186.180:443 [proto: 91.135/TLS.Waze][Stack: TLS.Waze][IP: 461/AWS_EC2][Encrypted][Confidence: DPI][FPC: 461/AWS_EC2, Confidence: IP address][DPI packets: 8][cat: Web/5][Breed: Acceptable][17 pkts/2176 bytes <-> 15 pkts/42443 bytes][Goodput ratio: 57/98][3.70 sec][bytes ratio: -0.902 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 218/126 1449/293 383/116][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 128/2830 590/11186 147/3901][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][nDPI Fingerprint: 126eed69a38ebd23005a494940abe14f][TCP Fingerprint: 2_64_65535_41a9d5af7dd3/Android][TLSv1][JA4: t10i320300_771403ec58f7_a875e5012fde][ServerNames: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2][Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,7,0,0,7,7,0,7,0,0,7,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,35] 5 TCP 10.8.0.1:36316 <-> 176.34.186.180:443 [proto: 91.135/TLS.Waze][Stack: TLS.Waze][IP: 461/AWS_EC2][Encrypted][Confidence: DPI][FPC: 461/AWS_EC2, Confidence: IP address][DPI packets: 6][cat: Web/5][Breed: Acceptable][15 pkts/1540 bytes <-> 13 pkts/26346 bytes][Goodput ratio: 46/97][3.22 sec][bytes ratio: -0.890 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 237/155 1289/609 359/182][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 103/2027 
411/8150 98/2612][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLSv1][nDPI Fingerprint: 126eed69a38ebd23005a494940abe14f][TCP Fingerprint: 2_64_65535_41a9d5af7dd3/Android][TLSv1][JA4: t10i320300_771403ec58f7_a875e5012fde][ServerNames: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2][Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,8,0,0,8,8,0,8,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33] diff --git a/tests/cfgs/default/result/wechat.pcap.out b/tests/cfgs/default/result/wechat.pcap.out index 775f925ec..c70a8d439 100644 --- a/tests/cfgs/default/result/wechat.pcap.out +++ b/tests/cfgs/default/result/wechat.pcap.out @@ -17,9 +17,9 @@ LRU cache fpc_dns: 15/57/7 (insert/search/found) Automa host: 138/51 (search/found) Automa domain: 94/0 (search/found) Automa tls cert: 0/0 (search/found) -Automa risk mask: 0/0 (search/found) +Automa risk mask: 1/0 (search/found) Automa common alpns: 56/56 (search/found) -Patricia risk mask: 0/0 (search/found) +Patricia risk mask: 2/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 1/0 (search/found) Patricia risk IPv6: 8/0 (search/found) 
@@ -73,7 +73,7 @@ JA Host Stats: 6 TCP 192.168.1.103:54119 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][Stack: TLS.WeChat][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Chat/9][Breed: Fun][26 pkts/8129 bytes <-> 24 pkts/22836 bytes][Goodput ratio: 79/93][28.03 sec][Hostname/SNI: web.wechat.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.475 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1291/951 9696/8423 2840/2427][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 313/952 1306/2922 423/964][nDPI Fingerprint: acd10ce93e8e3b54d93451e997df2ff0][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: t12d1511h2_f0daf39aad75_eb7c9aabf852][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3][Subject: C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,8,0,4,0,0,4,4,4,0,0,4,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,4,0,0,8,0,8,0,0,0,0,0,28,0,0,12] 7 TCP 192.168.1.103:58038 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][Stack: TLS.WeChat][IP: 285/Tencent][Encrypted][Confidence: DPI][FPC: 197/WeChat, Confidence: DNS][DPI packets: 8][cat: Chat/9][Breed: Fun][34 pkts/17556 bytes <-> 25 pkts/12172 bytes][Goodput ratio: 87/86][38.16 sec][Hostname/SNI: web.wechat.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: 0.181 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1114/1110 15327/15635 3311/3567][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 516/487 1306/1754 
494/579][nDPI Fingerprint: acd10ce93e8e3b54d93451e997df2ff0][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: t12d1511h2_f0daf39aad75_eb7c9aabf852][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3][Subject: C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,3,0,3,0,0,9,3,0,0,0,9,0,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,9,0,18,0,3,6,0,0,3,0,0,3] 8 TCP 192.168.1.103:54089 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][Stack: TLS.WeChat][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Chat/9][Breed: Fun][21 pkts/7826 bytes <-> 20 pkts/18761 bytes][Goodput ratio: 82/93][13.58 sec][Hostname/SNI: web.wechat.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.411 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 777/120 9999/394 2313/166][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 373/938 1306/5892 454/1304][nDPI Fingerprint: acd10ce93e8e3b54d93451e997df2ff0][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: t12d1511h2_f0daf39aad75_eb7c9aabf852][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust 
SSL CA - G3][Subject: C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,4,0,4,0,4,4,4,4,0,0,4,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,4,0,4,0,9,0,0,0,0,0,33,0,0,4] - 9 TCP 192.168.1.103:54095 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][Stack: TLS.WeChat][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 10][cat: Chat/9][Breed: Fun][21 pkts/7825 bytes <-> 18 pkts/17898 bytes][Goodput ratio: 82/93][22.24 sec][Hostname/SNI: web.wechat.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.392 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1174/416 10039/3644 2412/985][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 373/994 1306/8291 454/1871][nDPI Fingerprint: acd10ce93e8e3b54d93451e997df2ff0][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: t12d1511h2_f0daf39aad75_eb7c9aabf852][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3][Subject: C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,5,0,5,0,0,5,5,5,0,0,5,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5,0,0,5,0,10,0,5,0,0,0,21,0,0,5] + 9 TCP 192.168.1.103:54095 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][Stack: TLS.WeChat][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 
0/Unknown, Confidence: Unknown][DPI packets: 10][cat: Chat/9][Breed: Fun][21 pkts/7825 bytes <-> 18 pkts/17898 bytes][Goodput ratio: 82/93][22.24 sec][Hostname/SNI: web.wechat.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.392 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1174/416 10039/3644 2412/985][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 373/994 1306/8291 454/1871][Risk: ** (Possible) Slow DoS **][Risk Score: 100][Risk Info: Slow TCP 3WH (SYN|ACK): 1.5 sec][nDPI Fingerprint: acd10ce93e8e3b54d93451e997df2ff0][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: t12d1511h2_f0daf39aad75_eb7c9aabf852][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3][Subject: C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,5,0,5,0,0,5,5,5,0,0,5,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5,0,0,5,0,10,0,5,0,0,0,21,0,0,5] 10 TCP 192.168.1.103:58040 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][Stack: TLS.WeChat][IP: 285/Tencent][Encrypted][Confidence: DPI][FPC: 285/Tencent, Confidence: IP address][DPI packets: 8][cat: Chat/9][Breed: Fun][29 pkts/17545 bytes <-> 20 pkts/6923 bytes][Goodput ratio: 89/81][31.02 sec][Hostname/SNI: web.wechat.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: 0.434 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1265/1401 15319/15624 3541/3988][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 605/346 1494/1494 586/472][nDPI Fingerprint: acd10ce93e8e3b54d93451e997df2ff0][TCP 
Fingerprint: 2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: t12d1511h2_f0daf39aad75_eb7c9aabf852][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3][Subject: C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,3,3,3,0,0,0,11,7,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,11,0,7,0,0,0,0,0,27,0,0,0] 11 TCP 192.168.1.103:54097 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][Stack: TLS.WeChat][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Chat/9][Breed: Fun][25 pkts/12063 bytes <-> 19 pkts/7932 bytes][Goodput ratio: 86/84][47.29 sec][Hostname/SNI: web.wechat.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: 0.207 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1388/1930 15313/15715 3511/4240][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 483/417 1306/1754 480/530][nDPI Fingerprint: acd10ce93e8e3b54d93451e997df2ff0][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: t12d1511h2_f0daf39aad75_eb7c9aabf852][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3][Subject: C=HK, ST=HongKong, L=Wan Chai, 
O=Tencent Mobility Limited, CN=web.wechat.com][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,4,0,4,0,0,0,17,0,0,0,0,0,0,26,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0,0,13,0,13,0,0,0,0,0,4,0,0,4] 12 TCP 192.168.1.103:54094 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][Stack: TLS.WeChat][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Chat/9][Breed: Fun][22 pkts/10193 bytes <-> 18 pkts/8262 bytes][Goodput ratio: 86/86][22.50 sec][Hostname/SNI: web.wechat.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: 0.105 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1165/786 10037/4544 2455/1496][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 463/459 1306/1754 478/579][nDPI Fingerprint: acd10ce93e8e3b54d93451e997df2ff0][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: t12d1511h2_f0daf39aad75_eb7c9aabf852][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3][Subject: C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,4,0,4,0,4,4,9,0,0,0,4,0,0,15,4,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,9,0,15,0,0,0,0,0,9,0,0,4] 
@@ -82,15 +82,15 @@ JA Host Stats: 15 TCP 192.168.1.103:54117 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][Stack: TLS.WeChat][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Chat/9][Breed: Fun][20 pkts/8397 bytes <-> 16 pkts/6566 bytes][Goodput ratio: 84/84][25.19 sec][Hostname/SNI: web.wechat.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: 0.122 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1503/1316 9999/7806 2987/2505][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 420/410 1306/1494 462/507][nDPI Fingerprint: acd10ce93e8e3b54d93451e997df2ff0][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: t12d1511h2_f0daf39aad75_eb7c9aabf852][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3][Subject: C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,5,0,5,0,0,0,16,5,0,0,0,0,0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,11,0,11,0,0,0,0,0,11,0,0,0] 16 TCP 192.168.1.103:58036 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][Stack: TLS.WeChat][IP: 285/Tencent][Encrypted][Confidence: DPI][FPC: 197/WeChat, Confidence: DNS][DPI packets: 8][cat: Chat/9][Breed: Fun][15 pkts/6450 bytes <-> 11 pkts/5068 bytes][Goodput ratio: 85/86][11.52 sec][Hostname/SNI: web.wechat.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: 0.120 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 931/134 9811/287 2681/130][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 430/461 1306/1494 
463/553][nDPI Fingerprint: acd10ce93e8e3b54d93451e997df2ff0][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: t12d1511h2_f0daf39aad75_eb7c9aabf852][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3][Subject: C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,7,0,7,0,0,0,14,7,0,0,0,0,0,14,7,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,7,0,14,0,0,0,0,0,14,0,0,0] 17 TCP 192.168.1.103:54092 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][Stack: TLS.WeChat][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Chat/9][Breed: Fun][15 pkts/6438 bytes <-> 11 pkts/5068 bytes][Goodput ratio: 84/86][11.77 sec][Hostname/SNI: web.wechat.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: 0.119 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 947/155 9639/333 2626/154][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 429/461 1306/1494 463/553][nDPI Fingerprint: acd10ce93e8e3b54d93451e997df2ff0][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: t12d1511h2_f0daf39aad75_eb7c9aabf852][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL 
CA - G3][Subject: C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,7,0,7,0,0,0,14,7,0,0,0,0,0,21,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,7,0,14,0,0,0,0,0,14,0,0,0] - 18 TCP 192.168.1.103:54100 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][Stack: TLS.WeChat][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 10][cat: Chat/9][Breed: Fun][15 pkts/4627 bytes <-> 12 pkts/5905 bytes][Goodput ratio: 78/86][14.48 sec][Hostname/SNI: web.wechat.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.121 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 1140/318 10004/1570 2698/530][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 308/492 1306/1798 406/692][nDPI Fingerprint: acd10ce93e8e3b54d93451e997df2ff0][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: t12d1511h2_f0daf39aad75_eb7c9aabf852][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3][Subject: C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,9,0,9,0,0,9,9,0,0,0,9,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,9,0,0,0,0,0,9,0,0,18] + 18 TCP 192.168.1.103:54100 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][Stack: TLS.WeChat][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, 
Confidence: Unknown][DPI packets: 10][cat: Chat/9][Breed: Fun][15 pkts/4627 bytes <-> 12 pkts/5905 bytes][Goodput ratio: 78/86][14.48 sec][Hostname/SNI: web.wechat.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.121 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 1140/318 10004/1570 2698/530][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 308/492 1306/1798 406/692][Risk: ** (Possible) Slow DoS **][Risk Score: 100][Risk Info: Slow TCP 3WH (SYN|ACK): 1.5 sec][nDPI Fingerprint: acd10ce93e8e3b54d93451e997df2ff0][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: t12d1511h2_f0daf39aad75_eb7c9aabf852][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3][Subject: C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,9,0,9,0,0,9,9,0,0,0,9,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,9,0,0,0,0,0,9,0,0,18] 19 TCP 192.168.1.103:54111 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][Stack: TLS.WeChat][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Chat/9][Breed: Fun][14 pkts/4626 bytes <-> 12 pkts/5135 bytes][Goodput ratio: 80/84][22.95 sec][Hostname/SNI: web.wechat.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.052 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2021/1536 10879/11228 3976/3666][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 330/428 1306/1494 416/541][nDPI Fingerprint: acd10ce93e8e3b54d93451e997df2ff0][TCP Fingerprint: 
2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: t12d1511h2_f0daf39aad75_eb7c9aabf852][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3][Subject: C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,8,0,8,0,0,0,16,8,0,0,0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,8,0,8,0,0,0,0,0,16,0,0,0] 20 TCP 192.168.1.103:58042 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][Stack: TLS.WeChat][IP: 285/Tencent][Encrypted][Confidence: DPI][FPC: 285/Tencent, Confidence: IP address][DPI packets: 8][cat: Chat/9][Breed: Fun][12 pkts/4516 bytes <-> 10 pkts/5004 bytes][Goodput ratio: 82/87][11.54 sec][Hostname/SNI: web.wechat.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.051 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 140/136 356/292 157/130][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 376/500 1306/1754 434/627][nDPI Fingerprint: acd10ce93e8e3b54d93451e997df2ff0][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: t12d1511h2_f0daf39aad75_eb7c9aabf852][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3][Subject: C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility 
Limited, CN=web.wechat.com][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,9,0,9,0,0,0,18,0,0,0,0,0,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,9,0,9,0,0,0,0,0,9,0,0,9] 21 TCP 192.168.1.103:43850 <-> 203.205.158.34:443 [proto: 91.48/TLS.QQ][Stack: TLS.QQ][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 48/QQ, Confidence: DNS][DPI packets: 8][cat: Chat/9][Breed: Fun][12 pkts/2005 bytes <-> 12 pkts/6787 bytes][Goodput ratio: 67/90][72.13 sec][Hostname/SNI: res.wx.qq.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][bytes ratio: -0.544 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 7939/7944 44960/45306 14472/14557][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 167/566 571/3484 197/987][Risk: ** Weak TLS Cipher **][Risk Score: 100][Risk Info: Cipher TLS_RSA_WITH_AES_256_GCM_SHA384][nDPI Fingerprint: 19caae3f2d2c8820bcc690a095de5718][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: t12d1512h2_f0daf39aad75_1c0c7ba38891][ServerNames: wx1.qq.com,webpush.wx.qq.com,webpush1.weixin.qq.com,loginpoll.weixin.qq.com,login.wx.qq.com,file.wx2.qq.com,wx2.qq.com,login.wx2.qq.com,wxitil.qq.com,file.wx.qq.com,login.weixin.qq.com,webpush2.weixin.qq.com,webpush.wx2.qq.com,webpush.weixin.qq.com,web.weixin.qq.com,res.wx.qq.com,wx.qq.com][JA3S: 290adf098a54ade688d1df074dbecbf2][Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3][Subject: C=CN, ST=Guangdong, L=Shenzhen, O=Shenzhen Tencent Computer Systems Company Limited, OU=R&D, CN=wx.qq.com][Certificate SHA-1: 67:53:57:7F:22:BB:D0:A6:D4:5F:A6:D4:B3:0A:13:73:29:23:D0:C9][Validity: 2016-05-10 00:00:00 - 2018-08-09 23:59:59][Cipher: TLS_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 12,0,0,0,0,0,0,0,12,12,0,0,0,0,0,12,12,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,12] 22 TCP 192.168.1.103:38657 <-> 172.217.22.14:443 [proto: 91.126/TLS.Google][Stack: 
TLS.Google][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 126/Google, Confidence: DNS][DPI packets: 10][cat: Web/5][Breed: Acceptable][17 pkts/2413 bytes <-> 17 pkts/6268 bytes][Goodput ratio: 53/82][135.40 sec][Hostname/SNI: safebrowsing.googleusercontent.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.444 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 6942/6942 45055/45055 16249/16250][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 142/369 895/1484 196/525][nDPI Fingerprint: c612d6fd18e55b74f65e6d3e2a340bc7][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: t12d1510h2_f0daf39aad75_e69ac49eb88f][ServerNames: *.googleusercontent.com,*.apps.googleusercontent.com,*.appspot.com.storage.googleapis.com,*.blogspot.com,*.bp.blogspot.com,*.commondatastorage.googleapis.com,*.content-storage-download.googleapis.com,*.content-storage-upload.googleapis.com,*.content-storage.googleapis.com,*.doubleclickusercontent.com,*.ggpht.com,*.googledrive.com,*.googlesyndication.com,*.googleweblight.com,*.safenup.googleusercontent.com,*.sandbox.googleusercontent.com,*.storage-download.googleapis.com,*.storage-upload.googleapis.com,*.storage.googleapis.com,*.storage.select.googleapis.com,blogspot.com,bp.blogspot.com,commondatastorage.googleapis.com,doubleclickusercontent.com,ggpht.com,googledrive.com,googleusercontent.com,googleweblight.com,static.panoramio.com.storage.googleapis.com,storage.googleapis.com,storage.select.googleapis.com,unfiltered.news][JA3S: d655f7cd00e93ea8969c3c6e06f0156f][Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2][Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.googleusercontent.com][Certificate SHA-1: 8B:36:AF:31:A2:4C:EE:50:CC:6F:34:F7:2C:A3:C5:B6:4B:02:AC:53][Validity: 2017-04-05 17:14:46 - 2017-06-28 16:57:00][Cipher: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256][Plen Bins: 12,38,6,0,0,0,6,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,12,0,0,0] 23 UDP 
192.168.1.103:51507 <-> 172.217.23.67:443 [proto: 188.126/QUIC.Google][Stack: QUIC.Google][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 188.126/QUIC.Google, Confidence: DPI][DPI packets: 1][cat: Web/5][Breed: Acceptable][7 pkts/3507 bytes <-> 6 pkts/3329 bytes][Goodput ratio: 92/92][0.18 sec][Hostname/SNI: ssl.gstatic.com][bytes ratio: 0.026 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 3/0 27/2 76/4 27/1][Pkt Len c2s/s2c min/avg/max/stddev: 80/72 501/555 1392/1392 574/599][QUIC ver: Q035][Idle Timeout: 30][PLAIN TEXT (ssl.gstatic.com)][Plen Bins: 23,30,0,0,0,0,0,0,7,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,30,0,0,0,0,0] 24 UDP 192.168.1.103:57591 <-> 216.58.198.46:443 [proto: 188.241/QUIC.GoogleDocs][Stack: QUIC.GoogleDocs][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 188.241/QUIC.GoogleDocs, Confidence: DPI][DPI packets: 1][cat: Collaborative/15][Breed: Acceptable][6 pkts/2687 bytes <-> 7 pkts/2125 bytes][Goodput ratio: 91/86][1.33 sec][Hostname/SNI: docs.google.com][bytes ratio: 0.117 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 21/248 55/1178 23/465][Pkt Len c2s/s2c min/avg/max/stddev: 77/70 448/304 1392/1392 532/455][QUIC ver: Q035][Idle Timeout: 30][PLAIN TEXT (docs.google.comr)][Plen Bins: 30,39,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0,0,0,0] - 25 TCP 192.168.1.103:54120 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][Stack: TLS.WeChat][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 10][cat: Chat/9][Breed: Fun][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][Goodput ratio: 35/85][27.78 sec][Hostname/SNI: web.wechat.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.565 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 3428/1426 19999/5411 6454/2304][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103/464 304/1754 77/673][nDPI Fingerprint: acd10ce93e8e3b54d93451e997df2ff0][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: 
t12d1511h2_f0daf39aad75_eb7c9aabf852][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3][Subject: C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,20,0,20,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,20] - 26 TCP 192.168.1.103:58041 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][Stack: TLS.WeChat][IP: 285/Tencent][Encrypted][Confidence: DPI][FPC: 285/Tencent, Confidence: IP address][DPI packets: 10][cat: Chat/9][Breed: Fun][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][Goodput ratio: 35/85][30.78 sec][Hostname/SNI: web.wechat.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.565 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 3813/2235 20004/5405 6348/2331][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103/464 304/1754 77/673][nDPI Fingerprint: acd10ce93e8e3b54d93451e997df2ff0][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: t12d1511h2_f0daf39aad75_eb7c9aabf852][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3][Subject: C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, 
CN=web.wechat.com][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,20,0,20,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,20] + 25 TCP 192.168.1.103:54120 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][Stack: TLS.WeChat][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 10][cat: Chat/9][Breed: Fun][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][Goodput ratio: 35/85][27.78 sec][Hostname/SNI: web.wechat.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.565 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 3428/1426 19999/5411 6454/2304][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103/464 304/1754 77/673][Risk: ** (Possible) Slow DoS **][Risk Score: 100][Risk Info: Slow TCP 3WH (SYN|ACK): 1.7 sec][nDPI Fingerprint: acd10ce93e8e3b54d93451e997df2ff0][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: t12d1511h2_f0daf39aad75_eb7c9aabf852][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3][Subject: C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,20,0,20,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,20] + 26 TCP 192.168.1.103:58041 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][Stack: TLS.WeChat][IP: 
285/Tencent][Encrypted][Confidence: DPI][FPC: 285/Tencent, Confidence: IP address][DPI packets: 10][cat: Chat/9][Breed: Fun][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][Goodput ratio: 35/85][30.78 sec][Hostname/SNI: web.wechat.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.565 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 3813/2235 20004/5405 6348/2331][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103/464 304/1754 77/673][Risk: ** (Possible) Slow DoS **][Risk Score: 100][Risk Info: Slow TLS Request: 4.6 sec|Slow TCP 3WH (SYN|ACK): 1.6 sec][nDPI Fingerprint: acd10ce93e8e3b54d93451e997df2ff0][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: t12d1511h2_f0daf39aad75_eb7c9aabf852][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3][Subject: C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,20,0,20,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,20] 27 TCP 192.168.1.103:54118 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][Stack: TLS.WeChat][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Chat/9][Breed: Fun][10 pkts/1032 bytes <-> 8 pkts/3703 bytes][Goodput ratio: 35/86][24.98 sec][Hostname/SNI: web.wechat.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.564 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3076/848 20000/3092 6448/1207][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103/463 304/1494 
77/601][nDPI Fingerprint: acd10ce93e8e3b54d93451e997df2ff0][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: t12d1511h2_f0daf39aad75_eb7c9aabf852][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3][Subject: C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,16,0,16,0,0,0,16,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,34,0,0,0] 28 TCP 192.168.1.103:54090 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][Stack: TLS.WeChat][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Chat/9][Breed: Fun][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][Goodput ratio: 35/87][13.33 sec][Hostname/SNI: web.wechat.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.558 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1665/362 10763/1441 3453/623][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103/520 304/1494 77/622][nDPI Fingerprint: acd10ce93e8e3b54d93451e997df2ff0][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: t12d1511h2_f0daf39aad75_eb7c9aabf852][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust 
SSL CA - G3][Subject: C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,16,0,16,0,0,0,16,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,34,0,0,0] 29 TCP 192.168.1.103:54096 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][Stack: TLS.WeChat][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Chat/9][Breed: Fun][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][Goodput ratio: 35/87][20.54 sec][Hostname/SNI: web.wechat.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.558 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2567/80 19243/317 6305/137][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103/520 304/1494 77/622][nDPI Fingerprint: acd10ce93e8e3b54d93451e997df2ff0][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][TLSv1.2][JA4: t12d1511h2_f0daf39aad75_eb7c9aabf852][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3][Subject: C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,16,0,16,0,0,0,16,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,34,0,0,0] 
@@ -103,14 +103,14 @@ JA Host Stats: 36 UDP [fe80::91f9:3df3:7436:6cd6]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 6][cat: Network/14][Breed: Acceptable][14 pkts/1428 bytes -> 0 pkts/0 bytes][Goodput ratio: 39/0][123.08 sec][Hostname/SNI: _googlecast._tcp.local][_googlecast._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 4608/0 45060/0 12222/0][Pkt Len c2s/s2c min/avg/max/stddev: 102/0 102/0 102/0 0/0][PLAIN TEXT (googlecast)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 37 TCP 192.168.1.103:36017 <-> 64.233.167.188:5228 [proto: 126/Google][Stack: Google][IP: 126/Google][Encrypted][Confidence: Match by IP][FPC: 126/Google, Confidence: IP address][DPI packets: 20][cat: Web/5][Breed: Acceptable][10 pkts/660 bytes <-> 10 pkts/660 bytes][Goodput ratio: 0/0][540.78 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 45051/45051 61959/61957 180207/180208 44694/44695][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 66/66 66/66 0/0][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 38 UDP 192.168.1.100:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 6][cat: Network/14][Breed: Acceptable][14 pkts/1148 bytes -> 0 pkts/0 bytes][Goodput ratio: 49/0][123.08 sec][Hostname/SNI: _googlecast._tcp.local][_googlecast._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 4608/0 45058/0 12221/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 82/0 82/0 0/0][PLAIN TEXT (googlecast)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 39 TCP 192.168.1.103:58039 <-> 203.205.147.171:443 [proto: 91/TLS][Stack: TLS][IP: 285/Tencent][Encrypted][Confidence: Match by port][FPC: 
197/WeChat, Confidence: DNS][DPI packets: 17][cat: Web/5][Breed: Safe][13 pkts/866 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][140.92 sec][bytes ratio: 0.511 (Upload)][IAT c2s/s2c min/avg/max/stddev: 272/45308 12755/45308 45020/45308 13611/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 67/70 74/74 2/4][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 39 TCP 192.168.1.103:58039 <-> 203.205.147.171:443 [proto: 91/TLS][Stack: TLS][IP: 285/Tencent][Encrypted][Confidence: Match by port][FPC: 197/WeChat, Confidence: DNS][DPI packets: 17][cat: Web/5][Breed: Safe][13 pkts/866 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][140.92 sec][bytes ratio: 0.511 (Upload)][IAT c2s/s2c min/avg/max/stddev: 272/45308 12755/45308 45020/45308 13611/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 67/70 74/74 2/4][Risk: ** (Possible) Slow DoS **][Risk Score: 100][Risk Info: Slow TCP 3WH (SYN|ACK): 1.7 sec][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 40 TCP 192.168.1.103:58143 -> 216.58.205.131:443 [proto: 91/TLS][Stack: TLS][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 126/Google, Confidence: IP address][DPI packets: 3][cat: Web/5][Breed: Safe][3 pkts/1078 bytes -> 0 pkts/0 bytes][Goodput ratio: 82/0][92.69 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 41 TCP 203.205.151.162:443 <-> 192.168.1.103:54084 [proto: 91/TLS][Stack: TLS][IP: 0/Unknown][Encrypted][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Safe][3 pkts/802 bytes <-> 3 pkts/198 bytes][Goodput ratio: 75/0][16.21 sec][bytes ratio: 0.604 (Upload)][IAT c2s/s2c min/avg/max/stddev: 6562/9679 8102/9679 
9642/9679 1540/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 267/66 670/66 285/0][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 42 UDP 192.168.1.100:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][Stack: NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 10/NetBIOS, Confidence: DPI][DPI packets: 1][cat: System/18][Breed: Acceptable][9 pkts/828 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][1.44 sec][Hostname/SNI: lbjamwptxz][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 179/0 816/0 313/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92/0 92/0 0/0][PLAIN TEXT ( EMECEKEBENFHFAFEFIFKCACACACACA)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 43 IGMP 192.168.1.100:0 -> 224.0.0.22:0 [proto: 82/IGMP][Stack: IGMP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 82/IGMP, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][15 pkts/810 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][3769.99 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 409/0 289920/0 3384346/0 895904/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/0 54/0 54/0 0/0][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 44 UDP 192.168.1.100:138 -> 192.168.1.255:138 [proto: 10.16/NetBIOS.SMBv1][Stack: NetBIOS.SMBv1][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 10.16/NetBIOS.SMBv1, Confidence: DPI][DPI packets: 1][cat: System/18][Breed: Dangerous][3 pkts/751 bytes -> 0 pkts/0 bytes][Goodput ratio: 83/0][3600.00 sec][Hostname/SNI: giovanni-pc][PLAIN TEXT ( EHEJEPFGEBEOEOEJ)][Plen Bins: 0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 45 TCP 192.168.1.103:54112 <-> 203.205.151.162:443 [proto: 91/TLS][Stack: TLS][IP: 0/Unknown][Encrypted][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][Breed: Safe][5 
pkts/338 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][22.72 sec][bytes ratio: 0.094 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 351/910 5597/910 20327/910 8509/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 74/74 3/4][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 46 TCP 192.168.1.103:54114 <-> 203.205.151.162:443 [proto: 91/TLS][Stack: TLS][IP: 0/Unknown][Encrypted][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][Breed: Safe][5 pkts/338 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][55.41 sec][bytes ratio: 0.094 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 312/33511 13774/33511 33196/33511 13762/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 74/74 3/4][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 46 TCP 192.168.1.103:54114 <-> 203.205.151.162:443 [proto: 91/TLS][Stack: TLS][IP: 0/Unknown][Encrypted][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][Breed: Safe][5 pkts/338 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][55.41 sec][bytes ratio: 0.094 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 312/33511 13774/33511 33196/33511 13762/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 74/74 3/4][Risk: ** (Possible) Slow DoS **][Risk Score: 100][Risk Info: Slow TCP 3WH (SYN|ACK): 1.6 sec][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 47 UDP 192.168.1.103:19041 <-> 192.168.1.254:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/73 bytes <-> 1 pkts/537 bytes][Goodput ratio: 42/92][0.03 sec][Hostname/SNI: res.wx.qq.com][203.205.158.34][DNS Id: 
0x30dd][Plen Bins: 50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 48 TCP 192.168.1.103:34981 -> 95.101.34.33:80 [proto: 7/HTTP][Stack: HTTP][IP: 467/Akamai][ClearText][Confidence: Match by port][FPC: 467/Akamai, Confidence: IP address][DPI packets: 9][cat: Web/5][Breed: Acceptable][9 pkts/594 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][100.37 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 259/0 12546/0 83360/0 26898/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/0 66/0 66/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 49 TCP 192.168.1.103:34996 -> 95.101.34.33:80 [proto: 7/HTTP][Stack: HTTP][IP: 467/Akamai][ClearText][Confidence: Match by port][FPC: 467/Akamai, Confidence: IP address][DPI packets: 9][cat: Web/5][Breed: Acceptable][9 pkts/594 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][100.98 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 252/0 12622/0 82310/0 26534/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/0 66/0 66/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 
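Review bot: The only evidence behind the two new `** (Possible) Slow DoS **` verdicts in this hunk (flows 39 and 46) is `Slow TCP 3WH (SYN|ACK): 1.7 sec` / `1.6 sec`, and the SYN→SYN|ACK interval is the server's (or the path's) response time, which a client mounting a slow DoS does not control; the same client's flows to Google in this file carry no such risk while nearly every 192.168.1.103 ↔ 203.205.x.x flow is scored 100, which looks like WAN latency or a retransmitted SYN rather than an attack (an inference from the fixture only — confirm against the capture). Accepting these expected-output changes bakes those false positives into the test suite. I would treat the SYN|ACK gap as informational and raise NDPI_SLOW_DOS only on client-side delays (the ACK that completes the handshake, or the `Slow TLS Request` seen on flow 26 earlier in this diff), then regenerate these .out files so the fixture records the intended behavior rather than the current one.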
@@ -119,8 +119,8 @@ JA Host Stats: 52 TCP 192.168.1.103:39207 -> 95.101.34.34:80 [proto: 7/HTTP][Stack: HTTP][IP: 467/Akamai][ClearText][Confidence: Match by port][FPC: 467/Akamai, Confidence: IP address][DPI packets: 9][cat: Web/5][Breed: Acceptable][9 pkts/594 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][104.22 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 239/0 13028/0 84664/0 27320/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/0 66/0 66/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 53 TCP 192.168.1.103:39231 -> 95.101.34.34:80 [proto: 7/HTTP][Stack: HTTP][IP: 467/Akamai][ClearText][Confidence: Match by port][FPC: 467/Akamai, Confidence: IP address][DPI packets: 9][cat: Web/5][Breed: Acceptable][9 pkts/594 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][99.19 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 255/0 12398/0 82310/0 26558/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/0 66/0 66/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (PLTbOhOof)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 54 TCP 192.168.1.103:53220 <-> 172.217.23.78:443 [proto: 91/TLS][Stack: TLS][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 126/Google, Confidence: IP address][DPI packets: 8][cat: Web/5][Breed: Safe][4 pkts/264 bytes <-> 4 pkts/319 bytes][Goodput ratio: 0/17][14.77 sec][bytes ratio: -0.094 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/39 4910/7364 14730/14688 6944/7324][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 66/80 66/121 0/24][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 55 TCP 192.168.1.103:54093 <-> 203.205.151.162:443 [proto: 91/TLS][Stack: TLS][IP: 0/Unknown][Encrypted][Confidence: Match by 
port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Web/5][Breed: Safe][5 pkts/338 bytes <-> 3 pkts/214 bytes][Goodput ratio: 0/0][11.84 sec][bytes ratio: 0.225 (Upload)][IAT c2s/s2c min/avg/max/stddev: 325/0 2960/0 9935/0 4045/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/71 74/74 3/4][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 56 TCP 192.168.1.103:58037 <-> 203.205.147.171:443 [proto: 91/TLS][Stack: TLS][IP: 285/Tencent][Encrypted][Confidence: Match by port][FPC: 197/WeChat, Confidence: DNS][DPI packets: 8][cat: Web/5][Breed: Safe][5 pkts/338 bytes <-> 3 pkts/214 bytes][Goodput ratio: 0/0][11.56 sec][bytes ratio: 0.225 (Upload)][IAT c2s/s2c min/avg/max/stddev: 267/0 2890/0 9679/0 3944/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/71 74/74 3/4][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 55 TCP 192.168.1.103:54093 <-> 203.205.151.162:443 [proto: 91/TLS][Stack: TLS][IP: 0/Unknown][Encrypted][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Web/5][Breed: Safe][5 pkts/338 bytes <-> 3 pkts/214 bytes][Goodput ratio: 0/0][11.84 sec][bytes ratio: 0.225 (Upload)][IAT c2s/s2c min/avg/max/stddev: 325/0 2960/0 9935/0 4045/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/71 74/74 3/4][Risk: ** (Possible) Slow DoS **][Risk Score: 100][Risk Info: Slow TCP 3WH (SYN|ACK): 1.6 sec][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 56 TCP 192.168.1.103:58037 <-> 203.205.147.171:443 [proto: 91/TLS][Stack: TLS][IP: 285/Tencent][Encrypted][Confidence: Match by port][FPC: 197/WeChat, Confidence: DNS][DPI packets: 8][cat: Web/5][Breed: Safe][5 pkts/338 bytes <-> 3 pkts/214 bytes][Goodput ratio: 0/0][11.56 
sec][bytes ratio: 0.225 (Upload)][IAT c2s/s2c min/avg/max/stddev: 267/0 2890/0 9679/0 3944/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/71 74/74 3/4][Risk: ** (Possible) Slow DoS **][Risk Score: 100][Risk Info: Slow TCP 3WH (SYN|ACK): 1.6 sec][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 57 TCP 192.168.1.103:39195 -> 95.101.34.34:80 [proto: 7/HTTP][Stack: HTTP][IP: 467/Akamai][ClearText][Confidence: Match by port][FPC: 467/Akamai, Confidence: IP address][DPI packets: 8][cat: Web/5][Breed: Acceptable][8 pkts/528 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][90.80 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 232/0 12972/0 83248/0 28714/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/0 66/0 66/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 58 TCP 192.168.1.103:52020 -> 95.101.180.179:80 [proto: 7/HTTP][Stack: HTTP][IP: 467/Akamai][ClearText][Confidence: Match by port][FPC: 467/Akamai, Confidence: IP address][DPI packets: 8][cat: Web/5][Breed: Acceptable][8 pkts/528 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][94.52 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 267/0 13502/0 85920/0 29594/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/0 66/0 66/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 59 TCP 192.168.1.103:43851 <-> 203.205.158.34:443 [proto: 91/TLS][Stack: TLS][IP: 0/Unknown][Encrypted][Confidence: Match by port][FPC: 48/QQ, Confidence: DNS][DPI packets: 9][cat: Web/5][Breed: Safe][5 pkts/290 bytes <-> 4 pkts/234 bytes][Goodput ratio: 0/0][47.04 sec][bytes ratio: 0.107 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 
301/1307 11760/23331 45054/45355 19226/22024][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 58/58 74/66 8/5][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 
@@ -130,7 +130,7 @@ JA Host Stats: 63 TCP 192.168.1.103:49787 <-> 216.58.205.142:443 [proto: 91/TLS][Stack: TLS][IP: 126/Google][Encrypted][Confidence: Match by port][FPC: 126/Google, Confidence: IP address][DPI packets: 6][cat: Web/5][Breed: Safe][3 pkts/198 bytes <-> 3 pkts/198 bytes][Goodput ratio: 0/0][90.15 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 45055/45054 45056/45055 45056/45056 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 66/66 66/66 0/0][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 64 TCP 192.168.1.103:58226 -> 203.205.147.171:443 [proto: 91/TLS][Stack: TLS][IP: 285/Tencent][Encrypted][Confidence: Match by port][FPC: 285/Tencent, Confidence: IP address][DPI packets: 6][cat: Web/5][Breed: Safe][6 pkts/396 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][92.42 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 607/0 18483/0 85584/0 33566/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/0 66/0 66/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 65 UDP 192.168.1.103:53734 <-> 192.168.1.254:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/94 bytes <-> 1 pkts/272 bytes][Goodput ratio: 55/84][0.04 sec][Hostname/SNI: safebrowsing.googleusercontent.com][172.217.22.14][DNS Id: 0x3c19][PLAIN TEXT (safebrowsing)][Plen Bins: 0,50,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 66 TCP 192.168.1.103:58043 <-> 203.205.147.171:443 [proto: 91/TLS][Stack: TLS][IP: 285/Tencent][Encrypted][Confidence: Match by port][FPC: 285/Tencent, Confidence: IP address][DPI packets: 5][cat: Web/5][Breed: Safe][3 pkts/206 bytes <-> 2 pkts/148 bytes][Goodput ratio: 0/0][1.65 sec][TCP 
Fingerprint: 2_64_29200_2e3cee914fc1/Linux][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 66 TCP 192.168.1.103:58043 <-> 203.205.147.171:443 [proto: 91/TLS][Stack: TLS][IP: 285/Tencent][Encrypted][Confidence: Match by port][FPC: 285/Tencent, Confidence: IP address][DPI packets: 5][cat: Web/5][Breed: Safe][3 pkts/206 bytes <-> 2 pkts/148 bytes][Goodput ratio: 0/0][1.65 sec][Risk: ** (Possible) Slow DoS **][Risk Score: 100][Risk Info: Slow TCP 3WH (SYN|ACK): 1.6 sec][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 67 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][Stack: DHCP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 18/DHCP, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/342 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][< 1 sec][Hostname/SNI: iphonedimonica][DHCP Fingerprint: 1,121,3,6,15,119,252][PLAIN TEXT (iPhonediMonica)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 68 UDP 192.168.1.103:46078 <-> 192.168.1.254:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/75 bytes <-> 1 pkts/234 bytes][Goodput ratio: 43/82][0.04 sec][Hostname/SNI: ssl.gstatic.com][172.217.23.67][DNS Id: 0x6602][PLAIN TEXT (gstatic)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 69 UDP 192.168.1.103:60562 <-> 192.168.1.254:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/75 bytes <-> 1 pkts/234 bytes][Goodput ratio: 43/82][0.03 sec][Hostname/SNI: ssl.gstatic.com][172.217.23.67][DNS Id: 0x2b39][PLAIN TEXT (gstatic)][Plen Bins: 
0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/disable_protocols/result/soap.pcap.out b/tests/cfgs/disable_protocols/result/soap.pcap.out
index f9a44f770..70d671f52 100644
--- a/tests/cfgs/disable_protocols/result/soap.pcap.out
+++ b/tests/cfgs/disable_protocols/result/soap.pcap.out
@@ -38,6 +38,6 @@ Acceptable 20 10948 3 Web 19 9442 2 Collaborative 1 1506 1 - 1 TCP 192.168.2.100:50100 <-> 23.2.213.165:80 [proto: 7/HTTP][Stack: HTTP][IP: 467/Akamai][ClearText][Confidence: Match by port][FPC: 467/Akamai, Confidence: IP address][DPI packets: 14][cat: Web/5][Breed: Acceptable][7 pkts/4746 bytes <-> 7 pkts/752 bytes][Goodput ratio: 92/39][5.01 sec][bytes ratio: 0.726 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 989/1236 2486/2486 1098/1096][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 678/107 1506/362 717/104][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][PLAIN TEXT (POST /fwlink/)][Plen Bins: 0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,75,0,0] + 1 TCP 192.168.2.100:50100 <-> 23.2.213.165:80 [proto: 7/HTTP][Stack: HTTP][IP: 467/Akamai][ClearText][Confidence: Match by port][FPC: 467/Akamai, Confidence: IP address][DPI packets: 14][cat: Web/5][Breed: Acceptable][7 pkts/4746 bytes <-> 7 pkts/752 bytes][Goodput ratio: 92/39][5.01 sec][bytes ratio: 0.726 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 989/1236 2486/2486 1098/1096][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 678/107 1506/362 717/104][Risk: ** (Possible) Slow DoS **][Risk Score: 100][Risk Info: Slow TCP 3WH (ACK): 2.5 sec][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][PLAIN TEXT (POST /fwlink/)][Plen Bins: 0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,75,0,0] 2 TCP 185.32.192.30:80 <-> 85.154.114.113:56028 [VLAN: 808][proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Web/5][Breed: Acceptable][3 pkts/2487 bytes <-> 2 pkts/1457 bytes][Goodput ratio: 92/92][0.34 sec][Risk: ** Susp Entropy **][Risk Score: 10][Risk Info: Entropy: 6.075 (Executable?)][PLAIN TEXT (xml version)][Plen Bins: 0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,50,0,0,0,0,0,0,0,0,0] 3 TCP 192.168.2.100:50100 
-> 23.2.213.165:4176 [proto: 7.219/HTTP.Microsoft365][Stack: HTTP.Microsoft365][IP: 467/Akamai][ClearText][Confidence: DPI][FPC: 7.219/HTTP.Microsoft365, Confidence: DPI][DPI packets: 1][cat: Collaborative/15][Breed: Acceptable][1 pkts/1506 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][Hostname/SNI: go.microsoft.com][URL: go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409][Req Content-Type: text/xml][User-Agent: MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT][Risk: ** Known Proto on Non Std Port **** Mismatching Protocol with server IP address **** Unidirectional Traffic **][Risk Score: 160][Risk Info: No server to client traffic / nDPI protocol does not match the server IP address / Expected on port 80][PLAIN TEXT (POST /fwlink/)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0]
diff --git a/wireshark/ndpi.lua b/wireshark/ndpi.lua
index e5f04ac37..2ad1504fc 100644
--- a/wireshark/ndpi.lua
+++ b/wireshark/ndpi.lua
@@ -140,6 +140,7 @@ flow_risks[53] = ProtoField.bool("ndpi.flow_risk.malware_contact", "Contact with
 flow_risks[54] = ProtoField.bool("ndpi.flow_risk.binary_data_transfer", "Attempt to transfer a binary file", num_bits_flow_risks, nil, bit(54), "nDPI Flow Risk: binary data file transfer")
 flow_risks[55] = ProtoField.bool("ndpi.flow_risk.probing_attempt", "Probing attempt", num_bits_flow_risks, nil, bit(55), "nDPI Flow Risk: probing attempt")
 flow_risks[56] = ProtoField.bool("ndpi.flow_risk.obfuscated_traffic", "Obfuscated Traffic", num_bits_flow_risks, nil, bit(56), "nDPI Flow Risk: obfuscated traffic")
+flow_risks[57] = ProtoField.bool("ndpi.flow_risk.slow_dos", "Slow DoS", num_bits_flow_risks, nil, bit(56), "nDPI Flow Risk: slow DoS attempt")
 -- Last one: keep in sync the bitmask when adding new risks!!
 flow_risks[64] = ProtoField.new("Unused", "ndpi.flow_risk.unused", ftypes.UINT64, nil, base.HEX, bit(64) - bit(57))
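Review bot: The added `flow_risks[57]` field is declared with mask `bit(56)`, which is the same bit the `flow_risks[56]` obfuscated_traffic field on the line above already uses, so the Wireshark dissector will show "Slow DoS" whenever NDPI_OBFUSCATED_TRAFFIC is set and never for NDPI_SLOW_DOS itself. The index 57 and the updated unused mask `bit(64) - bit(57)` both indicate the intended value; the line should read `flow_risks[57] = ProtoField.bool("ndpi.flow_risk.slow_dos", "Slow DoS", num_bits_flow_risks, nil, bit(57), "nDPI Flow Risk: slow DoS attempt")`. Since every other entry in this table passes its own index to `bit()`, it may also be worth a one-line comment such as `-- the bit() argument must equal the table index (the NDPI_* enum position)` above the table to make the invariant explicit. The hunk's trailing context appears to run one line past the visible end, so the closing lines of this table were not reviewed.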