diff --git a/example/ndpiReader.c b/example/ndpiReader.c index b0b5006b9..b910d0ea5 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -571,9 +571,6 @@ static void configure_ndpi(struct ndpi_detection_module_struct *ndpi_struct) { } } - if(_protoFilePath != NULL) - ndpi_load_protocols_file(ndpi_struct, _protoFilePath); - ndpi_set_config(ndpi_struct, NULL, "tcp_ack_payload_heuristic", "enable"); for(i = 0; i < num_cfgs; i++) { @@ -586,6 +583,9 @@ static void configure_ndpi(struct ndpi_detection_module_struct *ndpi_struct) { } } + if(_protoFilePath != NULL) + ndpi_load_protocols_file(ndpi_struct, _protoFilePath); + if(enable_doh_dot_detection) ndpi_set_config(ndpi_struct, "tls", "application_blocks_tracking", "enable"); @@ -2653,7 +2653,8 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa if((flow->tls.num_blocks > 0) && (flow->tls.blocks != NULL)) { int i; - + u_char *enc = ndpi_encode_tls_blocks(flow->tls.blocks, flow->tls.num_blocks); + fprintf(out, "[TLS blocks: "); for(i=0; itls.num_blocks; i++) @@ -2661,7 +2662,9 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa ndpi_print_encoded_tls_block_type(flow->tls.blocks[i].block_type, true), flow->tls.blocks[i].len); - fprintf(out, "]"); + fprintf(out, "][%s]", enc ? (char*)enc : ""); + + if(enc) ndpi_free(enc); } if(flow->flow_payload && (flow->flow_payload_len > 0)) { 
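Review bot: Moving `ndpi_load_protocols_file()` below the `ndpi_set_config()` loop in configure_ndpi makes the call order load-bearing, and nothing in the code records that. Elsewhere in this diff the rule loaders read `cfg.tls_max_num_blocks_to_analyze` while parsing JA4 and ndpifp rules, which is presumably the reason for the move. A later reorder would silently change which block rules are accepted. I would add a comment above the call, for example `/* Keep after the ndpi_set_config() calls: rule parsing reads cfg.tls_max_num_blocks_to_analyze */`. configure_ndpi starts and ends outside the hunk.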
@@ -5932,12 +5935,11 @@ void automataDomainsUnitTest() { /* *********************************************** */ void blocksUnitTest() { - struct ndpi_tls_block a[] = { { 4, 1, 0, 1590, 0}, { 5, 1, 0, -1212, 0}, { 1, 1, 0, -1, 0}, { 16, 1, 0, -42, 0}, { 16, 1, 0, -53, 0} }; - struct ndpi_tls_block b[] = { { 4, 1, 0, 1591, 0}, { 5, 1, 0, -1212, 0}, { 1, 1, 0, -1, 0}, { 16, 1, 0, -42, 0}, { 16, 1, 0, -53, 0} }; - float multiplier[] = { 100, 100, 80, 40, 20}; - float ret = ndpi_tls_blocks_len_compare(a, b, multiplier, sizeof(multiplier) / sizeof(float)); + struct ndpi_tls_block a[] = { { 4, 1590, 0, 1, 0}, { 5, -1212, 0, 1, 0}, { 1, -1, 0, 1, 0}, { 16, -42, 0, 1, 0}, { 16, -53, 0, 1, 0} }; + struct ndpi_tls_block b[] = { { 4, 1590, 0, 1, 0}, { 5, -1212, 0, 1, 0}, { 1, -1, 0, 1, 0}, { 16, -42, 0, 1, 0}, { 16, -52, 0, 1, 0} }; + float ret = ndpi_tls_blocks_len_compare(a, b, 5 /* num_blocks */); - assert(ret == 20.0); + assert(ret == 1.0); } /* *********************************************** */ @@ -6123,7 +6125,7 @@ void hashUnitTest() { u_int8_t l = strlen(dict[i]); u_int64_t v; - assert(ndpi_hash_add_entry(&h, dict[i], l, i) == 0); + assert(ndpi_hash_add_entry(&h, dict[i], l, i, NULL) == 0); assert(ndpi_hash_find_entry(h, dict[i], l, &v) == 0); assert(v == i); } diff --git a/fuzz/fuzz_ds_hash.cpp b/fuzz/fuzz_ds_hash.cpp index 2bdcc2163..86b34da17 100644 --- a/fuzz/fuzz_ds_hash.cpp +++ b/fuzz/fuzz_ds_hash.cpp @@ -31,7 +31,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { data_len = fuzzed_data.ConsumeIntegralInRange(0, 127); std::vectordata = fuzzed_data.ConsumeBytes(data_len); - rc = ndpi_hash_add_entry(&h, data.data(), data.size(), i); + rc = ndpi_hash_add_entry(&h, data.data(), data.size(), i, NULL); /* Keep one random entry really added */ if (rc == 0 && fuzzed_data.ConsumeBool()) { value_added = data; diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h index bbb5f910a..d4e0933da 100644 --- a/src/include/ndpi_api.h 
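Review bot: The fuzz target passes `NULL` for the new `extra_data` argument on every call, so the `ndpi_list_append()` path added to ndpi_hash_add_entry in this commit gets no fuzz coverage from fuzz_ds_hash. That path takes ownership of a caller-allocated buffer and is where allocation-failure and teardown mistakes would show up. Consider letting the fuzzer choose per entry between `NULL` and a small `ndpi_malloc()`'d buffer, and reading it back with `ndpi_hash_find_entry_extra()`. LLVMFuzzerTestOneInput starts and ends outside the hunk.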
+++ b/src/include/ndpi_api.h @@ -1161,13 +1161,16 @@ extern "C" { char *ndpi_stack2str(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_proto_stack *stack, char *buf, u_int buf_len); - ndpi_tls_block_type ndpi_encode_tls_block_type(u_int8_t block_type, u_int8_t handshake_type); + ndpi_tls_block_type ndpi_encode_tls_block_type(u_int8_t block_type, u_int8_t handshake_type); const char* ndpi_print_encoded_tls_block_type(ndpi_tls_block_type block_type, bool numeric_mode); u_char* ndpi_encode_tls_blocks(struct ndpi_tls_block *tls_blocks, u_int8_t num_tls_blocks); struct ndpi_tls_block* ndpi_decode_tls_blocks(const u_char *encoded_blocks, u_int encoded_blocks_len, u_int8_t *num_tls_blocks); - + u_int64_t ndpi_compare_flow_tls_blocks(struct ndpi_detection_module_struct *ndpi_str, + struct ndpi_flow_struct *flow, + ndpi_list *extra_data, u_int64_t proto_id); + ndpi_proto_defaults_t* ndpi_get_proto_defaults(struct ndpi_detection_module_struct *ndpi_mod); u_int ndpi_get_ndpi_detection_module_size(void); @@ -2252,7 +2255,11 @@ extern "C" { * @return 0 if an entry with that key was found, 1 otherwise * */ - int ndpi_hash_find_entry(ndpi_str_hash *h, const char *key, u_int key_len, u_int64_t *value); + int ndpi_hash_find_entry(ndpi_str_hash *h, const char *key, u_int key_len, + u_int64_t *value /* out */); + int ndpi_hash_find_entry_extra(ndpi_str_hash *h, const char *key, u_int key_len, + u_int64_t *value /* out */, + ndpi_list **extra_data /* out */); /** * Add an entry to the hashmap. @@ -2265,7 +2272,8 @@ extern "C" { * @return 0 if the entry was added, 1 otherwise * */ - int ndpi_hash_add_entry(ndpi_str_hash **h, char *key, u_int8_t key_len, u_int64_t value); + int ndpi_hash_add_entry(ndpi_str_hash **h, char *key, u_int8_t key_len, u_int64_t value, + char *extra_data /* Allocated by caller */); typedef void (*ndpi_hash_walk_iter)(char *key, u_int64_t value64, void *data); void ndpi_hash_walk(ndpi_str_hash **h, ndpi_hash_walk_iter cb, void *data); 
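Review bot: The doc comment above `ndpi_hash_add_entry` is not extended for the new `extra_data` parameter, and `ndpi_hash_find_entry_extra` is declared with no doc comment at all. The header should state that `extra_data` must be heap-allocated, that the hash takes ownership of it, and that `value` is not stored when `extra_data` is non-NULL (see the implementation hunks in ndpi_utils.c). For the lookup it should state that `*extra_data` points into the hash entry and is only valid while the hash lives. The parameter is typed `char *` although the callers in this diff pass a `struct ndpi_tls_block *` through a `(void*)` cast; declaring it `void *extra_data` would match `ndpi_list_append(ndpi_list *l, void *value)`.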
@@ -2277,11 +2285,18 @@ extern "C" { /* ******************************* */ +#ifndef __KERNEL__ + char* ndpi_get_flow_name(struct ndpi_flow_struct *flow); /* ******************************* */ -#ifndef __KERNEL__ + void ndpi_list_init(ndpi_list *l); + void ndpi_list_free(ndpi_list *l); + bool ndpi_list_append(ndpi_list *l, void *value); + + /* ******************************* */ + int ndpi_load_geoip(struct ndpi_detection_module_struct *ndpi_str, const char *ip_city_data, const char *ip_as_data); void ndpi_free_geoip(struct ndpi_detection_module_struct *ndpi_str); @@ -2743,7 +2758,6 @@ extern "C" { #ifndef __KERNEL__ float ndpi_tls_blocks_len_compare(struct ndpi_tls_block *a, struct ndpi_tls_block *b, - float *multiplier, u_int8_t num_tls_blocks); #endif #ifdef __cplusplus diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h index e47228359..28d4a5be4 100644 --- a/src/include/ndpi_private.h +++ b/src/include/ndpi_private.h @@ -147,11 +147,6 @@ struct ndpi_packet_struct { packet_direction:1, empty_line_position_set:1, http_check_content:1, pad:4; }; -typedef struct ndpi_list_struct { - char *value; - struct ndpi_list_struct *next; -} ndpi_list; - #ifdef HAVE_NBPF typedef struct { void *tree; /* cast to nbpf_filter* */ diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 60646e073..2cfef7188 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -937,9 +937,10 @@ typedef enum { PACK_ON struct ndpi_tls_block { u_int8_t block_type /* ndpi_tls_block_type */; - u_int8_t same_pkt:1, _unused:7; int16_t len; /* + = src->dst, - = dst->src */ - u_int16_t msec_delta; + /* Optional, leave it at the end */ + u_int8_t same_pkt:1, _unused:7; + u_int16_t msec_delta; /* Used to store protocol_id in ja4 hash */ } PACK_OFF; struct ndpi_flow_tcp_struct { 
@@ -1390,6 +1391,11 @@ typedef struct _ndpi_automa { struct ndpi_automa_stats stats; } ndpi_automa; +typedef struct ndpi_list_struct { + char *value; + struct ndpi_list_struct *next; +} ndpi_list; + typedef struct ndpi_str_hash { void *priv; struct ndpi_str_hash_stats stats; diff --git a/src/lib/ndpi_config.c b/src/lib/ndpi_config.c index 525bf4616..c67b3b375 100644 --- a/src/lib/ndpi_config.c +++ b/src/lib/ndpi_config.c @@ -1007,7 +1007,7 @@ static AC_ERROR_t ac_walk_proto_id(AC_AUTOMATA_t *thiz, AC_NODE_t *n, int idx, v for(i=0; imatched_patterns->num; i++) { AC_PATTERN_t *p = &n->matched_patterns->patterns[i]; - ndpi_hash_add_entry(&h, p->astring, strlen(p->astring), p->rep.number); + ndpi_hash_add_entry(&h, p->astring, strlen(p->astring), p->rep.number, NULL); } } @@ -1028,7 +1028,7 @@ static AC_ERROR_t ac_walk_category_id(AC_AUTOMATA_t *thiz, AC_NODE_t *n, int idx for(i=0; imatched_patterns->num; i++) { AC_PATTERN_t *p = &n->matched_patterns->patterns[i]; - ndpi_hash_add_entry(&h, p->astring, strlen(p->astring), p->rep.category); + ndpi_hash_add_entry(&h, p->astring, strlen(p->astring), p->rep.category, NULL); } } diff --git a/src/lib/ndpi_domain_classify.c b/src/lib/ndpi_domain_classify.c index 303fa0d7d..a0c4fd833 100644 --- a/src/lib/ndpi_domain_classify.c +++ b/src/lib/ndpi_domain_classify.c @@ -93,11 +93,11 @@ bool ndpi_domain_classify_add(struct ndpi_detection_module_struct *ndpi_str, if(ndpi_str) { out_len = ndpi_encode_domain(ndpi_str, domain, out, sizeof(out)); - ndpi_hash_add_entry(&s->domains, out, out_len, class_id); + ndpi_hash_add_entry(&s->domains, out, out_len, class_id, NULL); } else - ndpi_hash_add_entry(&s->domains, domain, strlen(domain), class_id); + ndpi_hash_add_entry(&s->domains, domain, strlen(domain), class_id, NULL); #else - ndpi_hash_add_entry(&s->domains, domain, strlen(domain), class_id); + ndpi_hash_add_entry(&s->domains, domain, strlen(domain), class_id, NULL); #endif return(true); 
diff --git a/src/lib/ndpi_domains.c b/src/lib/ndpi_domains.c index da5c0d98c..59a860b49 100644 --- a/src/lib/ndpi_domains.c +++ b/src/lib/ndpi_domains.c @@ -69,7 +69,7 @@ int ndpi_load_domain_suffixes(struct ndpi_detection_module_struct *ndpi_str, line[len--] = '\0'; if(ndpi_hash_add_entry(&ndpi_str->public_domain_suffixes, - &line[offset], strlen(&line[offset]), domain_id) != 0) { + &line[offset], strlen(&line[offset]), domain_id, NULL) != 0) { NDPI_LOG_ERR(ndpi_str, "Error while processing domain %s\n", &line[offset]); } else diff --git a/src/lib/ndpi_fingerprint.c b/src/lib/ndpi_fingerprint.c index 0fc0e4df1..981eb24a7 100644 --- a/src/lib/ndpi_fingerprint.c +++ b/src/lib/ndpi_fingerprint.c @@ -91,7 +91,7 @@ int ndpi_add_tcp_fingerprint(struct ndpi_detection_module_struct *ndpi_str, return(-1); } else { if(ndpi_hash_add_entry(&ndpi_str->tcp_fingerprint_hashmap, fingerprint, len, - (u_int64_t)os) == 0) { + (u_int64_t)os, NULL) == 0) { return(0); } else return(-2); 
@@ -210,6 +210,42 @@ static char* ndpi_compute_tls_blocks_flow_fingerprint(struct ndpi_flow_struct *f /* **************************************** */ +u_int64_t ndpi_compare_flow_tls_blocks(struct ndpi_detection_module_struct *ndpi_str, + struct ndpi_flow_struct *flow, + ndpi_list *extra_data, + u_int64_t proto_id) { + if((flow->l4_proto == IPPROTO_TCP) + && (flow->l4.tcp.tls.num_tls_blocks == ndpi_str->cfg.tls_max_num_blocks_to_analyze) + && (ndpi_str->cfg.tls_max_num_blocks_to_analyze <= 8 /* (&) */) + && (flow->l4.tcp.tls.tls_blocks != NULL)) { + float best_res = 9999999.; + + while(extra_data != NULL) { + /* Multiple matches: let's find the best match (if any) */ + struct ndpi_tls_block *tls_blocks = (struct ndpi_tls_block*)extra_data->value; + + if(tls_blocks != NULL) { + float res = ndpi_tls_blocks_len_compare(flow->l4.tcp.tls.tls_blocks, tls_blocks, 8 /* (&) */); + + + if((res < 4) && (res < best_res)) { + best_res = res; + proto_id = tls_blocks->msec_delta; /* It stores the protocolId. See (*%*) in ndpi_main.c */ + + if(res == 0) /* identical TLS blocks */ + break; /* No match better than this ! */ + } + } + + extra_data = extra_data->next; + } + } + + return(proto_id); +} + +/* **************************************** */ + char* ndpi_compute_ndpi_flow_fingerprint(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow) { if(ndpi_str->cfg.ndpi_fingerprint_enabled && @@ -253,7 +289,8 @@ char* ndpi_compute_ndpi_flow_fingerprint(struct ndpi_detection_module_struct *nd } } - s = snprintf((char*)fp_buf, sizeof(fp_buf)-1, "%s-%s%s-%s", l4_fp, l7_pf, l7_pf_tls_blocks, l7_pf_server); + s = snprintf((char*)fp_buf, sizeof(fp_buf)-1, "%s-%s%s-%s", + l4_fp, l7_pf, l7_pf_tls_blocks, l7_pf_server); if(ndpi_str->cfg.tls_ndpifp_ignore_sni_extension) fp_buf[strlen(l4_fp)+4] = '_'; 
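Review bot: `ndpi_tls_blocks_len_compare()` is called with a hard-coded count of `8`, while the guard in ndpi_compare_flow_tls_blocks only ensures the flow holds exactly `cfg.tls_max_num_blocks_to_analyze` blocks and that this value is `<= 8`. The rule-side array comes from ndpi_decode_tls_blocks, which allocates exactly the decoded number of entries, and the loaders in ndpi_main.c accept any rule with at least `tls_max_num_blocks_to_analyze` blocks. With a configured value below 8 the comparison would presumably read past the end of one or both arrays (the compare loop is not fully legible on this page). Passing the configured count keeps the read inside what both sides are known to hold: `ndpi_tls_blocks_len_compare(flow->l4.tcp.tls.tls_blocks, tls_blocks, ndpi_str->cfg.tls_max_num_blocks_to_analyze)`.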
@@ -277,20 +314,26 @@ char* ndpi_compute_ndpi_flow_fingerprint(struct ndpi_detection_module_struct *nd flow->ndpi.fingerprint = ndpi_strdup((char*)fp_buf); - if(flow->ndpi.fingerprint != NULL && - ndpi_str->ndpifp_custom_protos != NULL) { + if((flow->ndpi.fingerprint != NULL) + && (ndpi_str->ndpifp_custom_protos != NULL)) { u_int64_t proto_id; - + ndpi_list *extra_data = NULL; + /* This protocol has been defined in protos.txt-like files */ - if(ndpi_hash_find_entry(ndpi_str->ndpifp_custom_protos, - flow->ndpi.fingerprint, strlen(flow->ndpi.fingerprint), - &proto_id) == 0) { - ndpi_set_detected_protocol(ndpi_str, flow, proto_id, - ndpi_get_master_proto(ndpi_str, flow), - NDPI_CONFIDENCE_CUSTOM_RULE); + if(ndpi_hash_find_entry_extra(ndpi_str->ndpifp_custom_protos, + flow->ndpi.fingerprint, strlen(flow->ndpi.fingerprint), + &proto_id, &extra_data) == 0) { - flow->category = ndpi_str->proto_defaults[proto_id].protoCategory, - flow->breed = ndpi_str->proto_defaults[proto_id].protoBreed; + proto_id = ndpi_compare_flow_tls_blocks(ndpi_str, flow, extra_data, proto_id); + + if(proto_id != NDPI_PROTOCOL_UNKNOWN) { + ndpi_set_detected_protocol(ndpi_str, flow, proto_id, + ndpi_get_master_proto(ndpi_str, flow), + NDPI_CONFIDENCE_CUSTOM_RULE); + + flow->category = ndpi_str->proto_defaults[proto_id].protoCategory, + flow->breed = ndpi_str->proto_defaults[proto_id].protoBreed; + } } } } diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 4f03eedb9..5de8f4cdc 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -397,7 +397,7 @@ void ndpi_add_user_proto_id_mapping(struct ndpi_detection_module_struct *ndpi_st } /* Note that this mean we need to register *all* the internal protocols before adding - *any* custom protocols... */ + *any* custom protocols... */ idx = ndpi_proto_id - ndpi_str->num_internal_protocols; if(idx >= ndpi_str->ndpi_to_user_proto_id_num_allocated) { 
@@ -477,9 +477,9 @@ u_int16_t ndpi_map_ndpi_id_to_user_proto_id(struct ndpi_detection_module_struct /* ************************************************************************************* */ ndpi_port_range *ndpi_build_default_ports_range(ndpi_port_range *ports, u_int16_t portA_low, u_int16_t portA_high, - u_int16_t portB_low, u_int16_t portB_high, u_int16_t portC_low, - u_int16_t portC_high, u_int16_t portD_low, u_int16_t portD_high, - u_int16_t portE_low, u_int16_t portE_high) { + u_int16_t portB_low, u_int16_t portB_high, u_int16_t portC_low, + u_int16_t portC_high, u_int16_t portD_low, u_int16_t portD_high, + u_int16_t portE_low, u_int16_t portE_high) { int i = 0; ports[i].port_low = portA_low, ports[i].port_high = portA_high, ports[i].is_custom = 0; @@ -553,7 +553,7 @@ int is_flow_addr_informative(const struct ndpi_flow_struct *flow) case NDPI_PROTOCOL_AMAZON_AWS: case NDPI_PROTOCOL_AWS_CLOUDFRONT: case NDPI_PROTOCOL_AWS_EC2: - /* TODO: do we need to add the other NDPI_PROTOCOL_AWS_* ? */ + /* TODO: do we need to add the other NDPI_PROTOCOL_AWS_* ? */ case NDPI_PROTOCOL_MICROSOFT_AZURE: case NDPI_PROTOCOL_CACHEFLY: case NDPI_PROTOCOL_CLOUDFLARE: 
@@ -702,14 +702,14 @@ static void load_default_ports(struct ndpi_detection_module_struct *ndpi_str) /* ********************************************************************************** */ int ndpi_set_proto_defaults(struct ndpi_detection_module_struct *ndpi_str, - u_int8_t is_cleartext, u_int8_t is_app_protocol, - ndpi_protocol_breed_t breed, - u_int16_t protoId, char *protoName, - ndpi_protocol_category_t protoCategory, - ndpi_protocol_qoe_category_t qoeCategory, - ndpi_port_range *tcpDefPorts, - ndpi_port_range *udpDefPorts, - u_int8_t is_custom_protocol) { + u_int8_t is_cleartext, u_int8_t is_app_protocol, + ndpi_protocol_breed_t breed, + u_int16_t protoId, char *protoName, + ndpi_protocol_category_t protoCategory, + ndpi_protocol_qoe_category_t qoeCategory, + ndpi_port_range *tcpDefPorts, + ndpi_port_range *udpDefPorts, + u_int8_t is_custom_protocol) { int j; /* There is no real limit on protocols number/id; the hard limit being the u_int16_t @@ -986,7 +986,7 @@ static int ndpi_add_host_url_subprotocol(struct ndpi_detection_module_struct *nd #endif return string_to_automa((AC_AUTOMATA_t *)ndpi_str->host_automa.ac_automa, - value, protocol_id, category, breed, level, 1); + value, protocol_id, category, breed, level, 1); } @@ -3386,7 +3386,7 @@ u_int8_t ndpi_is_public_ipv4(u_int32_t a /* host byte order */) { || ((a & 0xFFFF0000) == 0xC0A80000 /* 192.168.0.0/16 */) || ((a & 0xFF000000) == 0x7F000000 /* 127.0.0.0/8 */) || ((a & 0xF0000000) == 0xE0000000 /* 224.0.0.0/4 */) - ) + ) return(0); else return(1); 
@@ -3749,38 +3749,96 @@ static void ndpi_init_ptree_ipv6(struct ndpi_detection_module_struct *ndpi_str, static int ndpi_add_ja4_subprotocol(struct ndpi_detection_module_struct *ndpi_str, char *ja4, u_int16_t protocol_id) { - int ja4_len = strlen(ja4); + const u_int ja4_str_len = 36; /* size of JA4C */ + u_int ja4_len = strlen(ja4); + struct ndpi_tls_block *blocks = NULL; + u_int8_t num_tls_blocks; - if(ja4_len != 36 /* size of JA4C */) { + if(ja4_len == ja4_str_len) { + /* JA4 */ + ja4_len = ja4_str_len; + } else if(ja4_len > ja4_str_len) { + /* JA4 with blocks */ + if(ndpi_str->cfg.tls_max_num_blocks_to_analyze > 0) { + blocks = ndpi_decode_tls_blocks((const u_char*)&ja4[ja4_str_len+1 /* Skip divider */], + ja4_len - ja4_str_len - 1, &num_tls_blocks); + + if(blocks != NULL) { + if(num_tls_blocks < ndpi_str->cfg.tls_max_num_blocks_to_analyze) { + /* Invalid blocks lenght (too short): discarding it */ + ndpi_free(blocks); + blocks = NULL; + } else { + /* We jeopardize the msec_delta field to store the protocol_id (*%*) */ + blocks[0].msec_delta = protocol_id; + } + } + } else { + NDPI_LOG_ERR(ndpi_str, "JA4C with TLS blocks when TLS blocks are disabled [%s]\n", ja4); + return(-1); + } + + ja4_len = ja4_str_len; + } else { NDPI_LOG_ERR(ndpi_str, "Not a JA4C: [%s]\n", ja4); - return(-1); + return(-2); } if(ndpi_str->ja4_custom_protos == NULL) { if(ndpi_hash_init(&ndpi_str->ja4_custom_protos) != 0) - return(-2); + return(-3); } - return(ndpi_hash_add_entry(&ndpi_str->ja4_custom_protos, ja4, ja4_len, protocol_id)); + return(ndpi_hash_add_entry(&ndpi_str->ja4_custom_protos, + ja4, ja4_len, protocol_id, (void*)blocks)); } /* ******************************************* */ static int ndpi_add_ndpifp_subprotocol(struct ndpi_detection_module_struct *ndpi_str, char *ndpifp, u_int16_t protocol_id) { - int ndpifp_len = strlen(ndpifp); + const u_int ndpifp_str_len = 32; /* size of ndpifp */ + u_int ndpifp_len = strlen(ndpifp); + struct ndpi_tls_block *blocks = NULL; + u_int8_t 
num_tls_blocks; - if(ndpifp_len != 32 /* size of nDPI FP */) { - NDPI_LOG_ERR(ndpi_str, "Not a NDPIFPC: [%s]\n", ndpifp); - return(-1); + if(ndpifp_len == ndpifp_str_len) { + /* ndpifp */ + ndpifp_len = ndpifp_str_len; + } else if(ndpifp_len > ndpifp_str_len) { + /* ndpifp with blocks */ + if(ndpi_str->cfg.tls_max_num_blocks_to_analyze > 0) { + blocks = ndpi_decode_tls_blocks((const u_char*)&ndpifp[ndpifp_str_len+1 /* Skip divider */], + ndpifp_len - ndpifp_str_len - 1, &num_tls_blocks); + + if(blocks != NULL) { + if(num_tls_blocks < ndpi_str->cfg.tls_max_num_blocks_to_analyze) { + /* Invalid blocks lenght (too short): discarding it */ + ndpi_free(blocks); + blocks = NULL; + } else { + /* We jeopardize the msec_delta field to store the protocol_id (*%*) */ + blocks[0].msec_delta = protocol_id; + } + } + } else { + NDPI_LOG_ERR(ndpi_str, "ndpifp with TLS blocks when TLS blocks are disabled [%s]\n", ndpifp); + return(-1); + } + + ndpifp_len = ndpifp_str_len; + } else { + NDPI_LOG_ERR(ndpi_str, "Not a ndpifp: [%s]\n", ndpifp); + return(-2); } if(ndpi_str->ndpifp_custom_protos == NULL) { if(ndpi_hash_init(&ndpi_str->ndpifp_custom_protos) != 0) - return(-2); + return(-3); } - return(ndpi_hash_add_entry(&ndpi_str->ndpifp_custom_protos, ndpifp, ndpifp_len, protocol_id)); + return(ndpi_hash_add_entry(&ndpi_str->ndpifp_custom_protos, + ndpifp, ndpifp_len, protocol_id, (void*)blocks)); } /* ******************************************* */ @@ -3798,7 +3856,7 @@ static int ndpi_add_http_url_subprotocol(struct ndpi_detection_module_struct *nd id = (u_int64_t)(breed & 0xFFFF) << 32 | (category & 0xFFFF) << 16 | (protocol_id & 0xFFFF); - return(ndpi_hash_add_entry(&ndpi_str->http_url_hashmap, url, url_len, id)); + return(ndpi_hash_add_entry(&ndpi_str->http_url_hashmap, url, url_len, id, NULL)); } /* ******************************************* */ 
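Review bot: When the block suffix fails to decode, or decodes to fewer than `tls_max_num_blocks_to_analyze` blocks, `blocks` stays NULL and ndpi_add_ja4_subprotocol still falls through to `ndpi_hash_add_entry(..., protocol_id, (void*)blocks)`. A rule written as JA4-plus-blocks is then installed as a plain JA4 rule that matches every flow with that fingerprint, and it overwrites the stored protocol of an existing key, which is broader than the rule author asked for. I would reject the line once the decode-and-length check has run, e.g. `if(blocks == NULL) { NDPI_LOG_ERR(ndpi_str, "Invalid TLS blocks: [%s]\n", ja4); return(-4); }`, and do the same in ndpi_add_ndpifp_subprotocol in this hunk. Both functions also leak `blocks` when `ndpi_hash_init()` fails and they `return(-3)`.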
@@ -6636,7 +6694,7 @@ int load_malicious_ja4_file_fd(struct ndpi_detection_module_struct *ndpi_str, FI continue; } - if(ndpi_hash_add_entry(&ndpi_str->malicious_ja4_hashmap, line, len, 0) == 0) + if(ndpi_hash_add_entry(&ndpi_str->malicious_ja4_hashmap, line, len, 0, NULL) == 0) num++; } @@ -6714,7 +6772,7 @@ int load_malicious_sha1_file_fd(struct ndpi_detection_module_struct *ndpi_str, F first_comma[i] = toupper(first_comma[i]); if(ndpi_hash_add_entry(&ndpi_str->malicious_sha1_hashmap, first_comma, - second_comma - first_comma, 0) == 0) + second_comma - first_comma, 0, NULL) == 0) num++; } @@ -9564,7 +9622,7 @@ static void internal_giveup(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { if(flow->already_gaveup) { - NDPI_LOG_ERR(ndpi_struct, "Already called!\n"); /* We shoudn't be here ...*/ + NDPI_LOG_ERR(ndpi_struct, "%s() - Already called!\n", __FUNCTION__); /* We shoudn't be here ...*/ return; } flow->already_gaveup = 1; @@ -9598,8 +9656,8 @@ static void internal_giveup(struct ndpi_detection_module_struct *ndpi_struct, check_probing_attempt(ndpi_struct, flow); } - if(flow->confidence != NDPI_CONFIDENCE_MATCH_BY_PORT && - flow->confidence != NDPI_CONFIDENCE_MATCH_BY_IP) { + if((flow->confidence != NDPI_CONFIDENCE_MATCH_BY_PORT) + && (flow->confidence != NDPI_CONFIDENCE_MATCH_BY_IP)) { ndpi_compute_ndpi_flow_fingerprint(ndpi_struct, flow); } diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 8900d3884..4fb5c6b5e 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -86,6 +86,7 @@ struct pcre2_struct { typedef struct { char *key; u_int64_t value64; + ndpi_list value_list; UT_hash_handle hh; } ndpi_str_hash_priv; 
@@ -3160,7 +3161,9 @@ void ndpi_hash_free(ndpi_str_hash **h) { /* ******************************************************************** */ -int ndpi_hash_find_entry(ndpi_str_hash *h, const char *key, u_int key_len, u_int64_t *value) { +int ndpi_hash_find_entry_extra(ndpi_str_hash *h, const char *key, u_int key_len, + u_int64_t *value /* out */, + ndpi_list **extra_data /* out */) { ndpi_str_hash_priv *h_priv; ndpi_str_hash_priv *item; @@ -3176,6 +3179,9 @@ int ndpi_hash_find_entry(ndpi_str_hash *h, const char *key, u_int key_len, u_int if(value != NULL) *value = item->value64; + if(extra_data != NULL) + *extra_data = &item->value_list; + h->stats.n_found++; return 0; } else @@ -3184,7 +3190,15 @@ int ndpi_hash_find_entry(ndpi_str_hash *h, const char *key, u_int key_len, u_int /* ******************************************************************** */ -int ndpi_hash_add_entry(ndpi_str_hash **h, char *key, u_int8_t key_len, u_int64_t value) { +int ndpi_hash_find_entry(ndpi_str_hash *h, const char *key, + u_int key_len, u_int64_t *value /* out */) { + return(ndpi_hash_find_entry_extra(h, key, key_len, value, NULL)); +} + +/* ******************************************************************** */ + +int ndpi_hash_add_entry(ndpi_str_hash **h, char *key, u_int8_t key_len, + u_int64_t value, char *extra_data /* Allocated by caller */) { ndpi_str_hash_priv *h_priv; ndpi_str_hash_priv *item, *ret_found; @@ -3196,7 +3210,15 @@ int ndpi_hash_add_entry(ndpi_str_hash **h, char *key, u_int8_t key_len, u_int64_ HASH_FIND(hh, h_priv, key, key_len, item); if(item != NULL) { - item->value64 = value; + if(extra_data != NULL) { + /* + If there are extra blocks to handle value64 + (the protocol) is not overwritten (***) + */ + ndpi_list_append(&item->value_list, extra_data); + } else + item->value64 = value; + return(1); /* Entry already present */ } 
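Review bot: The result of `ndpi_list_append(&item->value_list, extra_data)` is discarded in the existing-entry branch, so when the node allocation fails the caller-allocated buffer is neither stored nor freed and the function still returns 1. The same call in the new-entry branch of the following hunk has the same gap, and the `return 4` path there frees `item` but not the buffer already placed in `item->value_list`. The visible callers return the result without freeing, so every one of these paths leaks. I would handle the failure here, `if(!ndpi_list_append(&item->value_list, extra_data)) { ndpi_free(extra_data); return(2); }`, and document in the header who owns `extra_data` for each return code. The body of ndpi_hash_add_entry starts outside this hunk.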
@@ -3204,6 +3226,7 @@ int ndpi_hash_add_entry(ndpi_str_hash **h, char *key, u_int8_t key_len, u_int64_ if(item == NULL) return(2); + ndpi_list_init(&item->value_list); item->key = ndpi_malloc(key_len+1); if(item->key == NULL) { @@ -3214,12 +3237,16 @@ int ndpi_hash_add_entry(ndpi_str_hash **h, char *key, u_int8_t key_len, u_int64_ item->key[key_len] = '\0'; } - item->value64 = value; + if(extra_data != NULL) /* Same as (***) above */ + ndpi_list_append(&item->value_list, extra_data); + else + item->value64 = value; HASH_ADD(hh, *(ndpi_str_hash_priv **)&((*h)->priv), key[0], key_len, item); HASH_FIND(hh, *(ndpi_str_hash_priv **)&((*h)->priv), key, key_len, ret_found); - if(ret_found == NULL) { /* The insertion failed (because of a memory allocation error) */ + if(ret_found == NULL) { + /* The insertion failed (because of a memory allocation error) */ ndpi_free(item->key); ndpi_free(item); return 4; @@ -3544,17 +3571,17 @@ void ndpi_set_risk(struct ndpi_detection_module_struct *ndpi_str, ) { char buf[1024]; - /* Concatenate risks info */ + /* Concatenate risks info */ snprintf(buf, sizeof(buf), "%s;%s", flow->risk_infos[i].info, risk_message); ndpi_free(flow->risk_infos[i].info); flow->risk_infos[i].info = ndpi_strdup(buf); } - + return; } - + /* Risk already set without any details, but now we have a specific risk_message that we want to save. This might happen with NDPI_HTTP_CRAWLER_BOT which might have been set early via @@ -4038,7 +4065,7 @@ char* ndpi_get_flow_risk_info(struct ndpi_flow_struct *flow, ordered_risk_infos = ndpi_malloc(sizeof(flow->risk_infos)); if(!ordered_risk_infos) return(NULL); - + memcpy(ordered_risk_infos, flow->risk_infos, sizeof(flow->risk_infos)); qsort(ordered_risk_infos, flow->num_risk_infos, sizeof(struct ndpi_risk_information), risk_infos_pair_cmp); 
@@ -5277,14 +5304,15 @@ const char* ndpi_print_encoded_tls_block_type(ndpi_tls_block_type block_type, bo u_char* ndpi_encode_tls_blocks(struct ndpi_tls_block *tls_blocks, u_int8_t num_tls_blocks) { u_char buf[512]; - u_int8_t i, offset=0, block_len = sizeof(struct ndpi_tls_block); + u_int8_t i, offset=0, block_len = 3 /* block_type(1) + len(2) */; u_int expected_len = num_tls_blocks * block_len; - + if(sizeof(buf) < expected_len) return(0); /* Buffer too short */ - + for(i=0; i> 8; + buf[offset++] = tls_blocks[i].len & 0xFF; } return(ndpi_hex_encode(buf, expected_len)); @@ -5298,23 +5326,28 @@ struct ndpi_tls_block* ndpi_decode_tls_blocks(const u_char *encoded_blocks, u_int8_t *num_tls_blocks) { size_t out_len; u_char *buf = ndpi_hex_decode(encoded_blocks, encoded_blocks_len, &out_len); - u_int8_t block_len = sizeof(struct ndpi_tls_block); - struct ndpi_tls_block *ret; - u_int expected_len; - + u_int8_t i, offset, block_len = 3; /* block_type(1) + len(2) */ + struct ndpi_tls_block *tls_blocks; + if(buf == NULL) return(NULL); if(out_len == 0) { ndpi_free(buf); return(NULL); } *num_tls_blocks = out_len / block_len; - expected_len = (*num_tls_blocks) * block_len; /* Avoid rounding problems */ - - ret = (struct ndpi_tls_block*)ndpi_malloc(expected_len); - if(ret == NULL) { ndpi_free(buf); return(NULL); } - memcpy(ret, buf, expected_len); + tls_blocks = (struct ndpi_tls_block*)ndpi_calloc(*num_tls_blocks, + sizeof(struct ndpi_tls_block)); + if(tls_blocks == NULL) { ndpi_free(buf); return(NULL); } + + for(i=0, offset=0; i<*num_tls_blocks; i++) { + tls_blocks[i].block_type = buf[offset] & 0x7F; + tls_blocks[i].same_pkt = (buf[offset] & 0x80) ? 1 : 0; + tls_blocks[i].len = (buf[offset+1] << 8) + buf[offset+2]; + offset += 3; + } + ndpi_free(buf); - return(ret); + return(tls_blocks); } /* ****************************************** */ 
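Review bot: `offset` is declared `u_int8_t` in both ndpi_encode_tls_blocks (this hunk) and ndpi_decode_tls_blocks (the next hunk), but it advances three bytes per block and `num_tls_blocks` can be as large as 255. In the encoder the size check admits up to 170 blocks into `buf[512]`, so past 85 blocks the index wraps and the tail of `buf` passed to `ndpi_hex_encode(buf, expected_len)` is never written, which would put uninitialised stack bytes into the returned string. In the decoder the wrap makes later blocks re-read the start of the buffer, and `*num_tls_blocks = out_len / block_len` silently truncates to 8 bits. Declaring `u_int offset = 0;` in both functions and rejecting input where `out_len % block_len != 0` or `out_len / block_len > 255` would close both.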
@@ -6016,18 +6049,79 @@ const char* ndpi_tls_supported_version2str(u_int16_t version_id, char unknown_ve returns a distance values: 0 = vectors are identical, otherwise a value is returned. The higger is the value the more different are the vectors. - + */ float ndpi_tls_blocks_len_compare(struct ndpi_tls_block *a, struct ndpi_tls_block *b, - float *multiplier, /* length = num_tls_blocks */ u_int8_t num_tls_blocks) { float total = 0; u_int8_t n; - - for(n=0; nvalue = NULL, l->next = NULL; +} + +/* ****************************************** */ + +void ndpi_list_free(ndpi_list *l) { + while(l != NULL) { + ndpi_list *next = l->next; + + if(l->value != NULL) ndpi_free(l->value); + ndpi_free(l); + l = next; + } +} + +/* ****************************************** */ + +/* + NOTE: + *value must be allocated by the caller and + it will be freed by ndpi_list_free() +*/ +bool ndpi_list_append(ndpi_list *l, void *value) { + if(l->value == NULL) { + /* Empty list: let's use the first entry */ + l->value = value; + } else { + ndpi_list *new_tail = (ndpi_list*)ndpi_malloc(sizeof(ndpi_list)); + + if(new_tail == NULL) return(false); + new_tail->value = value, new_tail->next = NULL; + + /* Move to the end */ + while(l->next != NULL) l = l->next; + + if(l != NULL) + l->next = new_tail; + else + ndpi_free(new_tail); /* Something went wrong */ + } + + return(true); /* All good */ } #endif diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 5297b24f1..887e6db49 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c 
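Review bot: `ndpi_list_free()` calls `ndpi_free(l)` on every node including the one passed in, but the only list head added in this commit is the embedded `ndpi_list value_list` member of `ndpi_str_hash_priv`, initialised in place by `ndpi_list_init()`. Calling it on `&item->value_list` would free an interior pointer, and no hunk on this page makes ndpi_hash_free release the list, so the decoded TLS blocks and appended nodes appear to be leaked at teardown. I would either document that the head must be heap-allocated, or free only `l->value` for the head and `ndpi_free()` the nodes after it, then call that from ndpi_hash_free. Separately, in ndpi_list_append the `else ndpi_free(new_tail)` branch after the walk is unreachable, because `l` cannot be NULL there.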
@@ -1173,6 +1173,61 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct /* **************************************** */ +static void tls_match_ja4(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + if(ndpi_struct->ja4_custom_protos != NULL) { + u_int64_t proto_id; + ndpi_list *extra_data = NULL; + + /* This protocol has been defined in protos.txt-like files */ + if(ndpi_hash_find_entry_extra(ndpi_struct->ja4_custom_protos, + flow->protos.tls_quic.ja4_client, + NDPI_ARRAY_LENGTH(flow->protos.tls_quic.ja4_client) - 1, + &proto_id, &extra_data) != 0) + return; /* Not found */ + else + proto_id = ndpi_compare_flow_tls_blocks(ndpi_struct, flow, extra_data, proto_id); + + if(proto_id != NDPI_PROTOCOL_UNKNOWN) + ndpi_set_detected_protocol(ndpi_struct, flow, proto_id, + ndpi_get_master_proto(ndpi_struct, flow), + NDPI_CONFIDENCE_CUSTOM_RULE); + } + +#ifndef __KERNEL__ + if(ndpi_struct->malicious_ja4_hashmap != NULL) { + u_int16_t rc1 = ndpi_hash_find_entry(ndpi_struct->malicious_ja4_hashmap, + flow->protos.tls_quic.ja4_client, + NDPI_ARRAY_LENGTH(flow->protos.tls_quic.ja4_client) - 1, + NULL); + + if(rc1 == 0) + ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_FINGERPRINT, + flow->protos.tls_quic.ja4_client); + } +#else + { + static const char pref_str[]="RISK_JA4_"; + char risk_ja4_str[sizeof(pref_str) + sizeof(flow->protos.tls_quic.ja4_client) + 1]; + u_int32_t val; + u_int16_t rc1; + size_t len = sizeof(pref_str)-1,len2 = strlen(flow->protos.tls_quic.ja4_client); + + strcpy(risk_ja4_str,pref_str); + strncpy(&risk_ja4_str[len],flow->protos.tls_quic.ja4_client,len2); + len += len2; + risk_ja4_str[len] = '\0'; + + rc1 = ndpi_match_string_value(ndpi_struct->host_automa.ac_automa, + risk_ja4_str, len | AC_FEATURE_EXACT, &val) == -1; + if(rc1 == 0) + ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_FINGERPRINT, flow->protos.tls_quic.ja4_client); + } +#endif +} + +/* **************************************** */ + 
/* See https://blog.catchpoint.com/2017/05/12/dissecting-tls-using-wireshark/ */ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { @@ -1316,6 +1371,8 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, printf("*** [TLS Block] Enough blocks dissected\n"); #endif + tls_match_ja4(ndpi_struct, flow); + flow->extra_packets_func = NULL; /* We're good now */ } @@ -1431,9 +1488,9 @@ static int processHandshakeTLSBlock(struct ndpi_detection_module_struct *ndpi_st if(!is_dtls && flow->protos.tls_quic.ssl_version >= 0x0304 /* TLS 1.3 */) flow->tls_quic.certificate_processed = 1; /* No Certificate with TLS 1.3+ */ - + if(is_dtls && flow->protos.tls_quic.ssl_version == 0xFEFC /* DTLS 1.3 */) - flow->tls_quic.certificate_processed = 1; /* No Certificate with DTLS 1.3+ */ + flow->tls_quic.certificate_processed = 1; /* No Certificate with DTLS 1.3+ */ checkTLSSubprotocol(ndpi_struct, flow, packet->payload[0] == 0x01); break; @@ -1731,7 +1788,10 @@ int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_TLS, NDPI_CONFIDENCE_DPI_AGGRESSIVE); /* TLS over port 8080 usually triggers that risk; clear it */ ndpi_unset_risk(ndpi_struct, flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT); + + tls_match_ja4(ndpi_struct, flow); flow->extra_packets_func = NULL; + return(0); /* That's all */ /* Loook for TLS-in-TLS */ } else if((ndpi_struct->cfg.tls_heuristics & NDPI_HEURISTICS_TLS_OBFUSCATED_TLS) && /* Feature enabled */ @@ -1744,6 +1804,8 @@ int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, switch_extra_dissection_to_tls_obfuscated_heur(ndpi_struct, flow); return(1); } else { + tls_match_ja4(ndpi_struct, flow); + flow->extra_packets_func = NULL; return(0); /* That's all */ } 
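Review bot: The `return; /* Not found */` in the first block of tls_match_ja4 also skips the malicious-JA4 lookup that follows, so once any custom JA4 rule is loaded, a flow whose JA4 is not in `ja4_custom_protos` is no longer checked against `malicious_ja4_hashmap` (or the kernel automa path). The code this function replaces in _processClientServerHello ran both checks independently. The updated expected outputs later in this diff are consistent with that: `Hash malicious ja4` drops from `2/0` and `38/0` to `0/0`. Scoping the custom-rule handling to the found case restores the risk check.

```c
static void tls_match_ja4(struct ndpi_detection_module_struct *ndpi_struct,
                          struct ndpi_flow_struct *flow) {
  if(ndpi_struct->ja4_custom_protos != NULL) {
    u_int64_t proto_id;
    ndpi_list *extra_data = NULL;

    /* A miss here must not skip the malicious-JA4 check below */
    if(ndpi_hash_find_entry_extra(ndpi_struct->ja4_custom_protos,
                                  flow->protos.tls_quic.ja4_client,
                                  NDPI_ARRAY_LENGTH(flow->protos.tls_quic.ja4_client) - 1,
                                  &proto_id, &extra_data) == 0) {
      proto_id = ndpi_compare_flow_tls_blocks(ndpi_struct, flow, extra_data, proto_id);

      if(proto_id != NDPI_PROTOCOL_UNKNOWN)
        ndpi_set_detected_protocol(ndpi_struct, flow, proto_id,
                                   ndpi_get_master_proto(ndpi_struct, flow),
                                   NDPI_CONFIDENCE_CUSTOM_RULE);
    }
  }

  /* … unchanged: malicious JA4 lookup (#ifndef __KERNEL__ / #else branches) … */
```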
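Review bot: The new `tls_match_ja4()` calls in processCertificate and in both branches of ndpi_search_tls_tcp are not gated by `cfg.tls_ja4c_fingerprint_enabled`, unlike the call in _processClientServerHello later in this diff. With JA4 disabled, `ja4_client` is presumably empty and the function still performs fixed-length hash lookups on it. On flows already matched at ClientHello time it repeats the lookups and may call `ndpi_set_risk(..., NDPI_MALICIOUS_FINGERPRINT, ...)` a second time. A guard at the top of tls_match_ja4 such as `if(flow->protos.tls_quic.ja4_client[0] == '\0') return;` would make the intent explicit, together with a comment saying that the later calls exist to re-run the block comparison once enough TLS blocks have been collected. The enclosing functions start and end outside these hunks.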
@@ -3613,49 +3675,7 @@ static int _processClientServerHello(struct ndpi_detection_module_struct *ndpi_s compute_ja4c: if(ndpi_struct->cfg.tls_ja4c_fingerprint_enabled) { ndpi_compute_ja4(ndpi_struct, flow, quic_version, ja); - - if(ndpi_struct->ja4_custom_protos != NULL) { - u_int64_t proto_id; - - /* This protocol has been defined in protos.txt-like files */ - if(ndpi_hash_find_entry(ndpi_struct->ja4_custom_protos, - flow->protos.tls_quic.ja4_client, - NDPI_ARRAY_LENGTH(flow->protos.tls_quic.ja4_client) - 1, - &proto_id) == 0) { - ndpi_set_detected_protocol(ndpi_struct, flow, proto_id, - ndpi_get_master_proto(ndpi_struct, flow), - NDPI_CONFIDENCE_CUSTOM_RULE); - } - } -#ifndef __KERNEL__ - if(ndpi_struct->malicious_ja4_hashmap != NULL) { - u_int16_t rc1 = ndpi_hash_find_entry(ndpi_struct->malicious_ja4_hashmap, - flow->protos.tls_quic.ja4_client, - NDPI_ARRAY_LENGTH(flow->protos.tls_quic.ja4_client) - 1, - NULL); - - if(rc1 == 0) - ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_FINGERPRINT, flow->protos.tls_quic.ja4_client); - } -#else - { - static const char pref_str[]="RISK_JA4_"; - char risk_ja4_str[sizeof(pref_str) + sizeof(flow->protos.tls_quic.ja4_client) + 1]; - u_int32_t val; - u_int16_t rc1; - size_t len = sizeof(pref_str)-1,len2 = strlen(flow->protos.tls_quic.ja4_client); - - strcpy(risk_ja4_str,pref_str); - strncpy(&risk_ja4_str[len],flow->protos.tls_quic.ja4_client,len2); - len += len2; - risk_ja4_str[len] = '\0'; - - rc1 = ndpi_match_string_value(ndpi_struct->host_automa.ac_automa, - risk_ja4_str, len | AC_FEATURE_EXACT, &val) == -1; - if(rc1 == 0) - ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_FINGERPRINT, flow->protos.tls_quic.ja4_client); - } -#endif + tls_match_ja4(ndpi_struct, flow); } if(ndpi_struct->cfg.tls_ja_data_enabled) { diff --git a/tests/cfgs/caches_cfg/result/ookla.pcap.out b/tests/cfgs/caches_cfg/result/ookla.pcap.out index c401473f8..2631aaaf2 100644 --- a/tests/cfgs/caches_cfg/result/ookla.pcap.out 
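Review bot: Keeping `tls_match_ja4()` here in addition to the end-of-dissection call sites added elsewhere in this commit means a TLS flow is matched more than once; the fixtures show `Hash ja4 custom protos` searches roughly doubling (e.g. `38/0` to `75/0`), and `ndpi_set_detected_protocol` can be invoked again for the same flow. This call runs right after `ndpi_compute_ja4`, so if `ndpi_compare_flow_tls_blocks` relies on the collected TLS block sequence it is working on partial data at this point. A short comment stating which call is authoritative, for example `/* early JA4 match on ClientHello; repeated once TLS blocks are complete */`, or dropping this call if the later ones suffice, would make the intent clear. `_processClientServerHello` starts and ends outside the hunk.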
+++ b/tests/cfgs/caches_cfg/result/ookla.pcap.out @@ -22,11 +22,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 11/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 6/4 (search/found) Hash public domain suffix: 42/25 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 7/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 1/0 (search/found) diff --git a/tests/cfgs/caches_cfg/result/teams.pcap.out b/tests/cfgs/caches_cfg/result/teams.pcap.out index 484074611..604f30613 100644 --- a/tests/cfgs/caches_cfg/result/teams.pcap.out +++ b/tests/cfgs/caches_cfg/result/teams.pcap.out @@ -25,11 +25,11 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 119/49 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 38/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 18/0 (search/found) Hash TCP fingerprints: 38/0 (search/found) Hash public domain suffix: 961/531 (search/found) -Hash ja4 custom protos: 38/0 (search/found) +Hash ja4 custom protos: 75/0 (search/found) Hash fp custom protos: 38/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/caches_global/result/bittorrent.pcap.out b/tests/cfgs/caches_global/result/bittorrent.pcap.out index 4de4da12f..03ad781d2 100644 --- a/tests/cfgs/caches_global/result/bittorrent.pcap.out +++ b/tests/cfgs/caches_global/result/bittorrent.pcap.out 
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 22/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/caches_global/result/mining.pcapng.out b/tests/cfgs/caches_global/result/mining.pcapng.out index b3dd265bc..db3ea0e87 100644 --- a/tests/cfgs/caches_global/result/mining.pcapng.out +++ b/tests/cfgs/caches_global/result/mining.pcapng.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 4/4 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 4/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/caches_global/result/ookla.pcap.out b/tests/cfgs/caches_global/result/ookla.pcap.out index df4e5d465..6a35f0a22 100644 --- a/tests/cfgs/caches_global/result/ookla.pcap.out +++ b/tests/cfgs/caches_global/result/ookla.pcap.out @@ -23,11 +23,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 11/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 6/4 (search/found) Hash public domain suffix: 42/25 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 7/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 1/0 (search/found) diff --git a/tests/cfgs/caches_global/result/teams.pcap.out b/tests/cfgs/caches_global/result/teams.pcap.out index 41b7770fe..5050fbe75 100644 --- a/tests/cfgs/caches_global/result/teams.pcap.out 
+++ b/tests/cfgs/caches_global/result/teams.pcap.out @@ -26,11 +26,11 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 119/49 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 38/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 18/0 (search/found) Hash TCP fingerprints: 38/0 (search/found) Hash public domain suffix: 961/531 (search/found) -Hash ja4 custom protos: 38/0 (search/found) +Hash ja4 custom protos: 75/0 (search/found) Hash fp custom protos: 38/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/classification_only/result/bittorrent.pcap.out b/tests/cfgs/classification_only/result/bittorrent.pcap.out index 4194af56f..660e476c3 100644 --- a/tests/cfgs/classification_only/result/bittorrent.pcap.out +++ b/tests/cfgs/classification_only/result/bittorrent.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 22/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/classification_only/result/bittorrent_tcp_miss.pcapng.out b/tests/cfgs/classification_only/result/bittorrent_tcp_miss.pcapng.out index 16094146c..14080415e 100644 --- a/tests/cfgs/classification_only/result/bittorrent_tcp_miss.pcapng.out +++ b/tests/cfgs/classification_only/result/bittorrent_tcp_miss.pcapng.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) 
diff --git a/tests/cfgs/classification_only/result/forticlient.pcap.out b/tests/cfgs/classification_only/result/forticlient.pcap.out index 7c85439a4..3c1b2670e 100644 --- a/tests/cfgs/classification_only/result/forticlient.pcap.out +++ b/tests/cfgs/classification_only/result/forticlient.pcap.out @@ -20,11 +20,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 10/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 5/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 3/0 (search/found) -Hash ja4 custom protos: 5/0 (search/found) +Hash ja4 custom protos: 10/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/classification_only/result/ookla.pcap.out b/tests/cfgs/classification_only/result/ookla.pcap.out index de7e1b3e0..acefc7e64 100644 --- a/tests/cfgs/classification_only/result/ookla.pcap.out +++ b/tests/cfgs/classification_only/result/ookla.pcap.out @@ -23,11 +23,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 11/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 42/25 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 7/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 1/0 (search/found) diff --git a/tests/cfgs/classification_only/result/teams.pcap.out b/tests/cfgs/classification_only/result/teams.pcap.out index 8466485c9..a5b5262ba 100644 --- a/tests/cfgs/classification_only/result/teams.pcap.out +++ b/tests/cfgs/classification_only/result/teams.pcap.out 
@@ -26,11 +26,11 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 119/49 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 38/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 716/393 (search/found) -Hash ja4 custom protos: 38/0 (search/found) +Hash ja4 custom protos: 78/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/classification_only/result/tls_1.2_unidir_client_no_cert.pcapng.out b/tests/cfgs/classification_only/result/tls_1.2_unidir_client_no_cert.pcapng.out index f5692f091..bd09595c7 100644 --- a/tests/cfgs/classification_only/result/tls_1.2_unidir_client_no_cert.pcapng.out +++ b/tests/cfgs/classification_only/result/tls_1.2_unidir_client_no_cert.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 18/11 (search/found) diff --git a/tests/cfgs/classification_only/result/tls_1.2_unidirectional_client.pcapng.out b/tests/cfgs/classification_only/result/tls_1.2_unidirectional_client.pcapng.out index b2dcf4670..9c6c5f66a 100644 --- a/tests/cfgs/classification_only/result/tls_1.2_unidirectional_client.pcapng.out +++ b/tests/cfgs/classification_only/result/tls_1.2_unidirectional_client.pcapng.out 
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 9/5 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/classification_only/result/tls_1.2_unidirectional_server.pcapng.out b/tests/cfgs/classification_only/result/tls_1.2_unidirectional_server.pcapng.out index 9b234aadf..c4f1b9b2f 100644 --- a/tests/cfgs/classification_only/result/tls_1.2_unidirectional_server.pcapng.out +++ b/tests/cfgs/classification_only/result/tls_1.2_unidirectional_server.pcapng.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 7/4 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/classification_only/result/tls_1.3_unidirectional_client.pcapng.out b/tests/cfgs/classification_only/result/tls_1.3_unidirectional_client.pcapng.out index 569aa2f77..661fcba6e 100644 --- a/tests/cfgs/classification_only/result/tls_1.3_unidirectional_client.pcapng.out +++ b/tests/cfgs/classification_only/result/tls_1.3_unidirectional_client.pcapng.out 
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 9/5 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/classification_only/result/tls_ech.pcapng.out b/tests/cfgs/classification_only/result/tls_ech.pcapng.out index 003d704d4..ec5eff7a7 100644 --- a/tests/cfgs/classification_only/result/tls_ech.pcapng.out +++ b/tests/cfgs/classification_only/result/tls_ech.pcapng.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 0/0 (search/found) Patricia protocols IPv6: 1/1 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 11/6 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/classification_only/result/tls_verylong_certificate.pcap.out b/tests/cfgs/classification_only/result/tls_verylong_certificate.pcap.out index bf50e4737..30ed11a96 100644 --- a/tests/cfgs/classification_only/result/tls_verylong_certificate.pcap.out +++ b/tests/cfgs/classification_only/result/tls_verylong_certificate.pcap.out 
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 9/5 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/classification_only/result/waze.pcap.out b/tests/cfgs/classification_only/result/waze.pcap.out index 4c032fb88..c2be8dc32 100644 --- a/tests/cfgs/classification_only/result/waze.pcap.out +++ b/tests/cfgs/classification_only/result/waze.pcap.out @@ -24,11 +24,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 46/20 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 13/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 153/91 (search/found) -Hash ja4 custom protos: 13/0 (search/found) +Hash ja4 custom protos: 28/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 8/0 (search/found) diff --git a/tests/cfgs/custom_rules/result/custom_rules_overwrite_domains.pcap.out b/tests/cfgs/custom_rules/result/custom_rules_overwrite_domains.pcap.out index e7ef0dedb..e627a0add 100644 --- a/tests/cfgs/custom_rules/result/custom_rules_overwrite_domains.pcap.out +++ b/tests/cfgs/custom_rules/result/custom_rules_overwrite_domains.pcap.out 
@@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 3/3 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 3/0 (search/found) +Hash malicious ja4: 6/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/3 (search/found) Hash public domain suffix: 34/22 (search/found) diff --git a/tests/cfgs/default/result/1kxun.pcap.out b/tests/cfgs/default/result/1kxun.pcap.out index eadbb9ff1..d53e6456d 100644 --- a/tests/cfgs/default/result/1kxun.pcap.out +++ b/tests/cfgs/default/result/1kxun.pcap.out @@ -24,11 +24,11 @@ Patricia risk: 3/0 (search/found) Patricia risk IPv6: 25/0 (search/found) Patricia protocols: 286/58 (search/found) Patricia protocols IPv6: 50/0 (search/found) -Hash malicious ja4: 4/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 22/0 (search/found) Hash public domain suffix: 1248/684 (search/found) -Hash ja4 custom protos: 4/0 (search/found) +Hash ja4 custom protos: 11/0 (search/found) Hash fp custom protos: 4/0 (search/found) Hash url custom protos: 85/0 (search/found) diff --git a/tests/cfgs/default/result/443-chrome.pcap.out b/tests/cfgs/default/result/443-chrome.pcap.out index 1ca61c0be..9e8b204e9 100644 --- a/tests/cfgs/default/result/443-chrome.pcap.out +++ b/tests/cfgs/default/result/443-chrome.pcap.out @@ -25,7 +25,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/443-curl.pcap.out b/tests/cfgs/default/result/443-curl.pcap.out index 7cd3faa0f..5bd99d426 100644 --- a/tests/cfgs/default/result/443-curl.pcap.out 
+++ b/tests/cfgs/default/result/443-curl.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 9/5 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/443-firefox.pcap.out b/tests/cfgs/default/result/443-firefox.pcap.out index 8bd43c9a0..63d92c2de 100644 --- a/tests/cfgs/default/result/443-firefox.pcap.out +++ b/tests/cfgs/default/result/443-firefox.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 9/5 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/443-git.pcap.out b/tests/cfgs/default/result/443-git.pcap.out index e10a67400..60f324fb6 100644 --- a/tests/cfgs/default/result/443-git.pcap.out +++ b/tests/cfgs/default/result/443-git.pcap.out 
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 4/4 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/443-opvn.pcap.out b/tests/cfgs/default/result/443-opvn.pcap.out index 2f30b3fd3..2db6284d6 100644 --- a/tests/cfgs/default/result/443-opvn.pcap.out +++ b/tests/cfgs/default/result/443-opvn.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/443-safari.pcap.out b/tests/cfgs/default/result/443-safari.pcap.out index be271a575..2c799492f 100644 --- a/tests/cfgs/default/result/443-safari.pcap.out +++ b/tests/cfgs/default/result/443-safari.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 9/5 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) 
diff --git a/tests/cfgs/default/result/4in6tunnel.pcap.out b/tests/cfgs/default/result/4in6tunnel.pcap.out index 8e14357d5..808bdab7f 100644 --- a/tests/cfgs/default/result/4in6tunnel.pcap.out +++ b/tests/cfgs/default/result/4in6tunnel.pcap.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 9/5 (search/found) diff --git a/tests/cfgs/default/result/6in4tunnel.pcap.out b/tests/cfgs/default/result/6in4tunnel.pcap.out index cebd0e1b4..201613674 100644 --- a/tests/cfgs/default/result/6in4tunnel.pcap.out +++ b/tests/cfgs/default/result/6in4tunnel.pcap.out @@ -21,11 +21,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 10/1 (search/found) Patricia protocols: 0/0 (search/found) Patricia protocols IPv6: 11/10 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 2/0 (search/found) Hash TCP fingerprints: 3/0 (search/found) Hash public domain suffix: 105/62 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 4/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 1/0 (search/found) diff --git a/tests/cfgs/default/result/KakaoTalk_chat.pcap.out b/tests/cfgs/default/result/KakaoTalk_chat.pcap.out index fea0a1e8c..b19ddf3ca 100644 --- a/tests/cfgs/default/result/KakaoTalk_chat.pcap.out +++ b/tests/cfgs/default/result/KakaoTalk_chat.pcap.out 
@@ -24,11 +24,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 62/14 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 8/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 7/0 (search/found) Hash TCP fingerprints: 11/0 (search/found) Hash public domain suffix: 376/216 (search/found) -Hash ja4 custom protos: 8/0 (search/found) +Hash ja4 custom protos: 19/0 (search/found) Hash fp custom protos: 8/0 (search/found) Hash url custom protos: 2/0 (search/found) diff --git a/tests/cfgs/default/result/KakaoTalk_talk.pcap.out b/tests/cfgs/default/result/KakaoTalk_talk.pcap.out index 5b40c94da..bd99029bf 100644 --- a/tests/cfgs/default/result/KakaoTalk_talk.pcap.out +++ b/tests/cfgs/default/result/KakaoTalk_talk.pcap.out @@ -24,11 +24,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 31/9 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 3/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 2/0 (search/found) Hash TCP fingerprints: 4/0 (search/found) Hash public domain suffix: 27/15 (search/found) -Hash ja4 custom protos: 3/0 (search/found) +Hash ja4 custom protos: 10/0 (search/found) Hash fp custom protos: 3/0 (search/found) Hash url custom protos: 1/0 (search/found) diff --git a/tests/cfgs/default/result/Oscar.pcap.out b/tests/cfgs/default/result/Oscar.pcap.out index 396a3d12d..4cdb04ed5 100644 --- a/tests/cfgs/default/result/Oscar.pcap.out +++ b/tests/cfgs/default/result/Oscar.pcap.out @@ -25,7 +25,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) 
diff --git a/tests/cfgs/default/result/alexa-app.pcapng.out b/tests/cfgs/default/result/alexa-app.pcapng.out index c4e6c510f..7f60dec55 100644 --- a/tests/cfgs/default/result/alexa-app.pcapng.out +++ b/tests/cfgs/default/result/alexa-app.pcapng.out @@ -25,11 +25,11 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 4/0 (search/found) Patricia protocols: 196/116 (search/found) Patricia protocols IPv6: 8/0 (search/found) -Hash malicious ja4: 88/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 34/0 (search/found) Hash TCP fingerprints: 121/121 (search/found) Hash public domain suffix: 1447/806 (search/found) -Hash ja4 custom protos: 88/0 (search/found) +Hash ja4 custom protos: 177/0 (search/found) Hash fp custom protos: 88/0 (search/found) Hash url custom protos: 19/2 (search/found) diff --git a/tests/cfgs/default/result/alicloud.pcap.out b/tests/cfgs/default/result/alicloud.pcap.out index 911034a66..cfa630070 100644 --- a/tests/cfgs/default/result/alicloud.pcap.out +++ b/tests/cfgs/default/result/alicloud.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 15/15 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 15/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/amqp.pcap.out b/tests/cfgs/default/result/amqp.pcap.out index d817894b4..10c28dbf9 100644 --- a/tests/cfgs/default/result/amqp.pcap.out +++ b/tests/cfgs/default/result/amqp.pcap.out 
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/android.pcap.out b/tests/cfgs/default/result/android.pcap.out index d9aa18946..8324ee837 100644 --- a/tests/cfgs/default/result/android.pcap.out +++ b/tests/cfgs/default/result/android.pcap.out @@ -25,11 +25,11 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 5/0 (search/found) Patricia protocols: 87/29 (search/found) Patricia protocols IPv6: 10/0 (search/found) -Hash malicious ja4: 18/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 5/0 (search/found) Hash TCP fingerprints: 24/24 (search/found) Hash public domain suffix: 541/302 (search/found) -Hash ja4 custom protos: 18/0 (search/found) +Hash ja4 custom protos: 38/0 (search/found) Hash fp custom protos: 18/0 (search/found) Hash url custom protos: 3/0 (search/found) diff --git a/tests/cfgs/default/result/anyconnect-vpn.pcap.out b/tests/cfgs/default/result/anyconnect-vpn.pcap.out index aa7057646..2e5412d1b 100644 --- a/tests/cfgs/default/result/anyconnect-vpn.pcap.out +++ b/tests/cfgs/default/result/anyconnect-vpn.pcap.out @@ -25,11 +25,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 3/0 (search/found) Patricia protocols: 122/10 (search/found) Patricia protocols IPv6: 6/0 (search/found) -Hash malicious ja4: 7/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 4/0 (search/found) Hash TCP fingerprints: 8/0 (search/found) Hash public domain suffix: 541/305 (search/found) -Hash ja4 custom protos: 7/0 (search/found) +Hash ja4 custom protos: 19/0 (search/found) Hash fp custom protos: 6/0 (search/found) Hash url custom protos: 4/0 (search/found) 
diff --git a/tests/cfgs/default/result/anydesk.pcapng.out b/tests/cfgs/default/result/anydesk.pcapng.out index 1d6a30350..55db51e29 100644 --- a/tests/cfgs/default/result/anydesk.pcapng.out +++ b/tests/cfgs/default/result/anydesk.pcapng.out @@ -20,11 +20,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 12/2 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 4/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 4/0 (search/found) Hash TCP fingerprints: 4/3 (search/found) Hash public domain suffix: 40/22 (search/found) -Hash ja4 custom protos: 4/0 (search/found) +Hash ja4 custom protos: 9/0 (search/found) Hash fp custom protos: 4/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/apple_push.pcap.out b/tests/cfgs/default/result/apple_push.pcap.out index ef389e853..5a2572e15 100644 --- a/tests/cfgs/default/result/apple_push.pcap.out +++ b/tests/cfgs/default/result/apple_push.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 11/6 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/atg.pcap.out b/tests/cfgs/default/result/atg.pcap.out index a1433d47a..0ebae81c4 100644 --- a/tests/cfgs/default/result/atg.pcap.out +++ b/tests/cfgs/default/result/atg.pcap.out 
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/avast.pcap.out b/tests/cfgs/default/result/avast.pcap.out index cc49a573e..c3d1b78e5 100644 --- a/tests/cfgs/default/result/avast.pcap.out +++ b/tests/cfgs/default/result/avast.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 10/10 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 10/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/bets.pcapng.out b/tests/cfgs/default/result/bets.pcapng.out index 96f211f75..f68c84d4c 100644 --- a/tests/cfgs/default/result/bets.pcapng.out +++ b/tests/cfgs/default/result/bets.pcapng.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 7/4 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/bfcp.pcapng.out b/tests/cfgs/default/result/bfcp.pcapng.out index 2c1f07a6b..70d9832a3 100644 --- a/tests/cfgs/default/result/bfcp.pcapng.out +++ b/tests/cfgs/default/result/bfcp.pcapng.out 
@@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/bittorrent.pcap.out b/tests/cfgs/default/result/bittorrent.pcap.out index 4de4da12f..03ad781d2 100644 --- a/tests/cfgs/default/result/bittorrent.pcap.out +++ b/tests/cfgs/default/result/bittorrent.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 22/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/bittorrent_tcp_miss.pcapng.out b/tests/cfgs/default/result/bittorrent_tcp_miss.pcapng.out index d8e8054f7..e4475e555 100644 --- a/tests/cfgs/default/result/bittorrent_tcp_miss.pcapng.out +++ b/tests/cfgs/default/result/bittorrent_tcp_miss.pcapng.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/blizzard.pcap.out b/tests/cfgs/default/result/blizzard.pcap.out index 8418be71c..840205597 100644 --- a/tests/cfgs/default/result/blizzard.pcap.out +++ b/tests/cfgs/default/result/blizzard.pcap.out 
@@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 5/5 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/cachefly.pcapng.out b/tests/cfgs/default/result/cachefly.pcapng.out index 1e34c1abe..0f2ccfff7 100644 --- a/tests/cfgs/default/result/cachefly.pcapng.out +++ b/tests/cfgs/default/result/cachefly.pcapng.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 9/5 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/capwap_data.pcapng.out b/tests/cfgs/default/result/capwap_data.pcapng.out index 562f291e3..889f1d6cd 100644 --- a/tests/cfgs/default/result/capwap_data.pcapng.out +++ b/tests/cfgs/default/result/capwap_data.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 3/3 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 3/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/3 (search/found) Hash public domain suffix: 27/15 (search/found) diff --git a/tests/cfgs/default/result/cassandra.pcap.out b/tests/cfgs/default/result/cassandra.pcap.out index 5c2f1fd7a..76d55b95b 100644 --- a/tests/cfgs/default/result/cassandra.pcap.out 
+++ b/tests/cfgs/default/result/cassandra.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/2 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/chrome.pcap.out b/tests/cfgs/default/result/chrome.pcap.out index 075ef510e..f7bc59d1d 100644 --- a/tests/cfgs/default/result/chrome.pcap.out +++ b/tests/cfgs/default/result/chrome.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 12/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 6/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 6/0 (search/found) Hash public domain suffix: 132/78 (search/found) -Hash ja4 custom protos: 6/0 (search/found) +Hash ja4 custom protos: 12/0 (search/found) Hash fp custom protos: 6/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/cloudflare-warp.pcap.out b/tests/cfgs/default/result/cloudflare-warp.pcap.out index 3d00a398d..0ed3840d2 100644 --- a/tests/cfgs/default/result/cloudflare-warp.pcap.out +++ b/tests/cfgs/default/result/cloudflare-warp.pcap.out 
@@ -24,11 +24,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 10/8 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 4/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 2/0 (search/found) Hash TCP fingerprints: 6/6 (search/found) Hash public domain suffix: 36/20 (search/found) -Hash ja4 custom protos: 4/0 (search/found) +Hash ja4 custom protos: 8/0 (search/found) Hash fp custom protos: 4/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/coap_mqtt.pcap.out b/tests/cfgs/default/result/coap_mqtt.pcap.out index 5bfc41adb..85e04dcf8 100644 --- a/tests/cfgs/default/result/coap_mqtt.pcap.out +++ b/tests/cfgs/default/result/coap_mqtt.pcap.out @@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/codm.pcap.out b/tests/cfgs/default/result/codm.pcap.out index d1146277b..694ab3f93 100644 --- a/tests/cfgs/default/result/codm.pcap.out +++ b/tests/cfgs/default/result/codm.pcap.out @@ -20,7 +20,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 4/2 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 9/5 (search/found) diff --git a/tests/cfgs/default/result/conncheck.pcap.out b/tests/cfgs/default/result/conncheck.pcap.out index abd847be4..8a65dad53 100644 --- a/tests/cfgs/default/result/conncheck.pcap.out 
+++ b/tests/cfgs/default/result/conncheck.pcap.out @@ -21,11 +21,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 13/9 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 9/9 (search/found) Hash public domain suffix: 118/69 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 9/1 (search/found) diff --git a/tests/cfgs/default/result/corba.pcap.out b/tests/cfgs/default/result/corba.pcap.out index 94c699d6d..d4f23cb98 100644 --- a/tests/cfgs/default/result/corba.pcap.out +++ b/tests/cfgs/default/result/corba.pcap.out @@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/crossfire.pcapng.out b/tests/cfgs/default/result/crossfire.pcapng.out index 0a2de1b4a..5f99bfd1c 100644 --- a/tests/cfgs/default/result/crossfire.pcapng.out +++ b/tests/cfgs/default/result/crossfire.pcapng.out @@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/custom_categories.pcapng.out b/tests/cfgs/default/result/custom_categories.pcapng.out index 8622967bd..81ce860b1 100644 
--- a/tests/cfgs/default/result/custom_categories.pcapng.out +++ b/tests/cfgs/default/result/custom_categories.pcapng.out @@ -21,11 +21,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 2/0 (search/found) Patricia protocols: 3/1 (search/found) Patricia protocols IPv6: 4/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 2/0 (search/found) Hash public domain suffix: 12/7 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/custom_fingerprint.pcap.out b/tests/cfgs/default/result/custom_fingerprint.pcap.out index c87fd1505..1f0b22288 100644 --- a/tests/cfgs/default/result/custom_fingerprint.pcap.out +++ b/tests/cfgs/default/result/custom_fingerprint.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 4/4 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/1 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/custom_ja4.pcap.out b/tests/cfgs/default/result/custom_ja4.pcap.out index 7f1218511..1a6dac188 100644 --- a/tests/cfgs/default/result/custom_ja4.pcap.out +++ b/tests/cfgs/default/result/custom_ja4.pcap.out 
@@ -13,17 +13,17 @@ Automa domain: 0/0 (search/found) Automa tls cert: 0/0 (search/found) Automa risk mask: 0/0 (search/found) Automa common alpns: 2/2 (search/found) -Patricia risk mask: 0/0 (search/found) +Patricia risk mask: 2/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 2/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 1/1 (search/found) +Hash ja4 custom protos: 2/2 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/custom_rules_overwrite_domains.pcap.out b/tests/cfgs/default/result/custom_rules_overwrite_domains.pcap.out index 4c7a4bfcb..23d596b47 100644 --- a/tests/cfgs/default/result/custom_rules_overwrite_domains.pcap.out +++ b/tests/cfgs/default/result/custom_rules_overwrite_domains.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 3/3 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 3/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/3 (search/found) Hash public domain suffix: 22/14 (search/found) -Hash ja4 custom protos: 3/0 (search/found) +Hash ja4 custom protos: 6/0 (search/found) Hash fp custom protos: 3/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/dazn.pcapng.out b/tests/cfgs/default/result/dazn.pcapng.out index e12414c81..5c0a640e4 100644 --- a/tests/cfgs/default/result/dazn.pcapng.out +++ b/tests/cfgs/default/result/dazn.pcapng.out 
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 3/3 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 3/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/3 (search/found) Hash public domain suffix: 29/16 (search/found) -Hash ja4 custom protos: 3/0 (search/found) +Hash ja4 custom protos: 6/0 (search/found) Hash fp custom protos: 3/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/dingtalk.pcap.out b/tests/cfgs/default/result/dingtalk.pcap.out index 6991da2ff..92174fbad 100644 --- a/tests/cfgs/default/result/dingtalk.pcap.out +++ b/tests/cfgs/default/result/dingtalk.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 3/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 2/0 (search/found) Hash public domain suffix: 9/5 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/discord.pcap.out b/tests/cfgs/default/result/discord.pcap.out index 1dba2108a..3a0d573b1 100644 --- a/tests/cfgs/default/result/discord.pcap.out +++ b/tests/cfgs/default/result/discord.pcap.out 
@@ -20,11 +20,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 34/34 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 4/4 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/dlms.pcap.out b/tests/cfgs/default/result/dlms.pcap.out index c33e1c5ee..49fe3dae1 100644 --- a/tests/cfgs/default/result/dlms.pcap.out +++ b/tests/cfgs/default/result/dlms.pcap.out @@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/dlt_ppp.pcap.out b/tests/cfgs/default/result/dlt_ppp.pcap.out index 3841eca1b..0c110a130 100644 --- a/tests/cfgs/default/result/dlt_ppp.pcap.out +++ b/tests/cfgs/default/result/dlt_ppp.pcap.out @@ -19,7 +19,7 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) diff --git a/tests/cfgs/default/result/dns2tcp_tunnel.pcap.out b/tests/cfgs/default/result/dns2tcp_tunnel.pcap.out index e0ddb1c4d..6d6a18ca5 100644 --- a/tests/cfgs/default/result/dns2tcp_tunnel.pcap.out 
+++ b/tests/cfgs/default/result/dns2tcp_tunnel.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/dns_doh.pcap.out b/tests/cfgs/default/result/dns_doh.pcap.out index 09423b53e..ecb436045 100644 --- a/tests/cfgs/default/result/dns_doh.pcap.out +++ b/tests/cfgs/default/result/dns_doh.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 9/5 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/dns_dot.pcap.out b/tests/cfgs/default/result/dns_dot.pcap.out index 1eda58a1c..6630de1ea 100644 --- a/tests/cfgs/default/result/dns_dot.pcap.out +++ b/tests/cfgs/default/result/dns_dot.pcap.out 
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 2/2 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/dnscrypt-v2-doh.pcap.out b/tests/cfgs/default/result/dnscrypt-v2-doh.pcap.out index 9ff4a9b85..94ca64b79 100644 --- a/tests/cfgs/default/result/dnscrypt-v2-doh.pcap.out +++ b/tests/cfgs/default/result/dnscrypt-v2-doh.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 68/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 34/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 3/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 311/177 (search/found) -Hash ja4 custom protos: 34/0 (search/found) +Hash ja4 custom protos: 68/0 (search/found) Hash fp custom protos: 34/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/dofus.pcap.out b/tests/cfgs/default/result/dofus.pcap.out index ad41e7b0a..b11d91890 100644 --- a/tests/cfgs/default/result/dofus.pcap.out +++ b/tests/cfgs/default/result/dofus.pcap.out 
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 5/5 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 3/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 2/0 (search/found) Hash TCP fingerprints: 5/3 (search/found) Hash public domain suffix: 29/16 (search/found) -Hash ja4 custom protos: 3/0 (search/found) +Hash ja4 custom protos: 8/0 (search/found) Hash fp custom protos: 3/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/doh.pcapng.out b/tests/cfgs/default/result/doh.pcapng.out index cf70a5361..b2a820228 100644 --- a/tests/cfgs/default/result/doh.pcapng.out +++ b/tests/cfgs/default/result/doh.pcapng.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/doq.pcapng.out b/tests/cfgs/default/result/doq.pcapng.out index 10201bfe3..fb3b03df5 100644 --- a/tests/cfgs/default/result/doq.pcapng.out +++ b/tests/cfgs/default/result/doq.pcapng.out @@ -20,7 +20,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 2/0 (search/found) Patricia protocols: 0/0 (search/found) Patricia protocols IPv6: 4/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) 
diff --git a/tests/cfgs/default/result/doq_adguard.pcapng.out b/tests/cfgs/default/result/doq_adguard.pcapng.out index 15516ac52..697706ff6 100644 --- a/tests/cfgs/default/result/doq_adguard.pcapng.out +++ b/tests/cfgs/default/result/doq_adguard.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 9/5 (search/found) diff --git a/tests/cfgs/default/result/drda_db2.pcap.out b/tests/cfgs/default/result/drda_db2.pcap.out index 30c917d17..3cd9a04c7 100644 --- a/tests/cfgs/default/result/drda_db2.pcap.out +++ b/tests/cfgs/default/result/drda_db2.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/dtls.pcap.out b/tests/cfgs/default/result/dtls.pcap.out index 1c59df4c6..1e437b5b7 100644 --- a/tests/cfgs/default/result/dtls.pcap.out +++ b/tests/cfgs/default/result/dtls.pcap.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 5/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 6/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) diff --git a/tests/cfgs/default/result/dtls2.pcap.out b/tests/cfgs/default/result/dtls2.pcap.out index 6098cedcf..1068465cd 100644 
--- a/tests/cfgs/default/result/dtls2.pcap.out +++ b/tests/cfgs/default/result/dtls2.pcap.out @@ -19,7 +19,7 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) diff --git a/tests/cfgs/default/result/dtls_certificate_fragments.pcap.out b/tests/cfgs/default/result/dtls_certificate_fragments.pcap.out index 2a07adddf..428307c66 100644 --- a/tests/cfgs/default/result/dtls_certificate_fragments.pcap.out +++ b/tests/cfgs/default/result/dtls_certificate_fragments.pcap.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/2 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 4/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 2/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 15/15 (search/found) diff --git a/tests/cfgs/default/result/dtls_old_version.pcapng.out b/tests/cfgs/default/result/dtls_old_version.pcapng.out index 2290d4e33..af19f3dee 100644 --- a/tests/cfgs/default/result/dtls_old_version.pcapng.out +++ b/tests/cfgs/default/result/dtls_old_version.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 4/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) 
diff --git a/tests/cfgs/default/result/dtls_session_id_and_coockie_both.pcap.out b/tests/cfgs/default/result/dtls_session_id_and_coockie_both.pcap.out index 289c12a94..cf7277ccd 100644 --- a/tests/cfgs/default/result/dtls_session_id_and_coockie_both.pcap.out +++ b/tests/cfgs/default/result/dtls_session_id_and_coockie_both.pcap.out @@ -19,7 +19,7 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) diff --git a/tests/cfgs/default/result/edonkey.pcap.out b/tests/cfgs/default/result/edonkey.pcap.out index 709d79e75..6d37f68f2 100644 --- a/tests/cfgs/default/result/edonkey.pcap.out +++ b/tests/cfgs/default/result/edonkey.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/elasticsearch.pcap.out b/tests/cfgs/default/result/elasticsearch.pcap.out index 1a3169be6..a2a26ff57 100644 --- a/tests/cfgs/default/result/elasticsearch.pcap.out +++ b/tests/cfgs/default/result/elasticsearch.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 7/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) 
diff --git a/tests/cfgs/default/result/elf.pcap.out b/tests/cfgs/default/result/elf.pcap.out index 08e96ef55..18f48ce36 100644 --- a/tests/cfgs/default/result/elf.pcap.out +++ b/tests/cfgs/default/result/elf.pcap.out @@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/emotet.pcap.out b/tests/cfgs/default/result/emotet.pcap.out index 7d41f95aa..df5e55aee 100644 --- a/tests/cfgs/default/result/emotet.pcap.out +++ b/tests/cfgs/default/result/emotet.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 10/2 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 6/6 (search/found) Hash public domain suffix: 30/30 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 5/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 3/0 (search/found) diff --git a/tests/cfgs/default/result/encrypted_sni.pcap.out b/tests/cfgs/default/result/encrypted_sni.pcap.out index fc489fe58..2d0e0c0bb 100644 --- a/tests/cfgs/default/result/encrypted_sni.pcap.out +++ b/tests/cfgs/default/result/encrypted_sni.pcap.out 
@@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 3/3 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 3/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) diff --git a/tests/cfgs/default/result/facebook.pcap.out b/tests/cfgs/default/result/facebook.pcap.out index 3d228d487..3ae9d2980 100644 --- a/tests/cfgs/default/result/facebook.pcap.out +++ b/tests/cfgs/default/result/facebook.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/2 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 2/2 (search/found) Hash public domain suffix: 13/9 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 4/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/false_positives.pcapng.out b/tests/cfgs/default/result/false_positives.pcapng.out index 3c53dd118..b03e04210 100644 --- a/tests/cfgs/default/result/false_positives.pcapng.out +++ b/tests/cfgs/default/result/false_positives.pcapng.out 
@@ -21,11 +21,11 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 20/2 (search/found) Patricia protocols IPv6: 2/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/0 (search/found) Hash public domain suffix: 35/21 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 4/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 1/0 (search/found) diff --git a/tests/cfgs/default/result/false_positives2.pcapng.out b/tests/cfgs/default/result/false_positives2.pcapng.out index 8c961dfbc..d36f61acc 100644 --- a/tests/cfgs/default/result/false_positives2.pcapng.out +++ b/tests/cfgs/default/result/false_positives2.pcapng.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/fastcgi.pcap.out b/tests/cfgs/default/result/fastcgi.pcap.out index 003b665f2..c1567be64 100644 --- a/tests/cfgs/default/result/fastcgi.pcap.out +++ b/tests/cfgs/default/result/fastcgi.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 16/10 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/firefox.pcap.out b/tests/cfgs/default/result/firefox.pcap.out index 65d35aa63..ddd2f731b 100644 --- a/tests/cfgs/default/result/firefox.pcap.out 
+++ b/tests/cfgs/default/result/firefox.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 12/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 6/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 6/0 (search/found) Hash public domain suffix: 132/78 (search/found) -Hash ja4 custom protos: 6/0 (search/found) +Hash ja4 custom protos: 12/0 (search/found) Hash fp custom protos: 6/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/fix.pcap.out b/tests/cfgs/default/result/fix.pcap.out index 8550a4883..c83784688 100644 --- a/tests/cfgs/default/result/fix.pcap.out +++ b/tests/cfgs/default/result/fix.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 12/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/fix2.pcap.out b/tests/cfgs/default/result/fix2.pcap.out index f6e8a0cec..87a095944 100644 --- a/tests/cfgs/default/result/fix2.pcap.out +++ b/tests/cfgs/default/result/fix2.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 2/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/forticlient.pcap.out b/tests/cfgs/default/result/forticlient.pcap.out index ec83828b4..e752c9c1d 100644 --- a/tests/cfgs/default/result/forticlient.pcap.out 
+++ b/tests/cfgs/default/result/forticlient.pcap.out @@ -20,11 +20,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 10/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 5/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 5/0 (search/found) Hash TCP fingerprints: 5/0 (search/found) Hash public domain suffix: 3/0 (search/found) -Hash ja4 custom protos: 5/0 (search/found) +Hash ja4 custom protos: 10/0 (search/found) Hash fp custom protos: 5/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/ftp-start-tls.pcap.out b/tests/cfgs/default/result/ftp-start-tls.pcap.out index d58096225..493d6f60c 100644 --- a/tests/cfgs/default/result/ftp-start-tls.pcap.out +++ b/tests/cfgs/default/result/ftp-start-tls.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 5/3 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/ftp.pcap.out b/tests/cfgs/default/result/ftp.pcap.out index 3a5e7ada4..26e9ecea1 100644 --- a/tests/cfgs/default/result/ftp.pcap.out +++ b/tests/cfgs/default/result/ftp.pcap.out 
@@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/ftp_failed.pcap.out b/tests/cfgs/default/result/ftp_failed.pcap.out index 1058f583d..074d82c4f 100644 --- a/tests/cfgs/default/result/ftp_failed.pcap.out +++ b/tests/cfgs/default/result/ftp_failed.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out b/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out index ac99fa373..cd8d20c6e 100644 --- a/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out +++ b/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out @@ -29,7 +29,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 5/0 (search/found) Hash public domain suffix: 3037/1787 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 10/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/fuzz-2006-09-29-28586.pcap.out b/tests/cfgs/default/result/fuzz-2006-09-29-28586.pcap.out index fff54520b..8d68c1e6a 100644 --- a/tests/cfgs/default/result/fuzz-2006-09-29-28586.pcap.out +++ b/tests/cfgs/default/result/fuzz-2006-09-29-28586.pcap.out 
@@ -29,7 +29,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 8/0 (search/found) Hash public domain suffix: 8/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 5/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 4/0 (search/found) diff --git a/tests/cfgs/default/result/fuzz-2021-10-13.pcap.out b/tests/cfgs/default/result/fuzz-2021-10-13.pcap.out index 3529f31f7..2dbb12190 100644 --- a/tests/cfgs/default/result/fuzz-2021-10-13.pcap.out +++ b/tests/cfgs/default/result/fuzz-2021-10-13.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/gaijin_mobile_mixed.pcap.out b/tests/cfgs/default/result/gaijin_mobile_mixed.pcap.out index e4c0f2073..90994f0c9 100644 --- a/tests/cfgs/default/result/gaijin_mobile_mixed.pcap.out +++ b/tests/cfgs/default/result/gaijin_mobile_mixed.pcap.out @@ -20,11 +20,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 5/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 2/0 (search/found) Hash TCP fingerprints: 2/0 (search/found) Hash public domain suffix: 18/10 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 4/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/gearup_booster.pcap.out b/tests/cfgs/default/result/gearup_booster.pcap.out index b9b52a88e..c1bd0661a 100644 
--- a/tests/cfgs/default/result/gearup_booster.pcap.out +++ b/tests/cfgs/default/result/gearup_booster.pcap.out @@ -23,11 +23,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 267/117 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 5/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 5/0 (search/found) Hash public domain suffix: 55/30 (search/found) -Hash ja4 custom protos: 5/0 (search/found) +Hash ja4 custom protos: 10/0 (search/found) Hash fp custom protos: 5/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/geforcenow.pcapng.out b/tests/cfgs/default/result/geforcenow.pcapng.out index 97233c649..2f649f9c0 100644 --- a/tests/cfgs/default/result/geforcenow.pcapng.out +++ b/tests/cfgs/default/result/geforcenow.pcapng.out @@ -20,11 +20,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/2 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 5/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 2/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 11/6 (search/found) -Hash ja4 custom protos: 5/0 (search/found) +Hash ja4 custom protos: 6/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/genshin-impact.pcap.out b/tests/cfgs/default/result/genshin-impact.pcap.out index a9c558366..9238d6e3d 100644 --- a/tests/cfgs/default/result/genshin-impact.pcap.out +++ b/tests/cfgs/default/result/genshin-impact.pcap.out 
@@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/3 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/gnutella.pcap.out b/tests/cfgs/default/result/gnutella.pcap.out index 0d165ce50..f61cedfc4 100644 --- a/tests/cfgs/default/result/gnutella.pcap.out +++ b/tests/cfgs/default/result/gnutella.pcap.out @@ -22,11 +22,11 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 12/0 (search/found) Patricia protocols: 1495/1 (search/found) Patricia protocols IPv6: 24/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 137/137 (search/found) Hash public domain suffix: 31/0 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 54/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 3/0 (search/found) diff --git a/tests/cfgs/default/result/google_chat.pcapng.out b/tests/cfgs/default/result/google_chat.pcapng.out index d9b86fa0e..49d96457e 100644 --- a/tests/cfgs/default/result/google_chat.pcapng.out +++ b/tests/cfgs/default/result/google_chat.pcapng.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 9/5 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) 
diff --git a/tests/cfgs/default/result/google_meet.pcapng.out b/tests/cfgs/default/result/google_meet.pcapng.out index cdaef5494..383a24db9 100644 --- a/tests/cfgs/default/result/google_meet.pcapng.out +++ b/tests/cfgs/default/result/google_meet.pcapng.out @@ -20,11 +20,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/2 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 18/10 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/google_ssl.pcap.out b/tests/cfgs/default/result/google_ssl.pcap.out index 1a87c2ac5..359c7f57f 100644 --- a/tests/cfgs/default/result/google_ssl.pcap.out +++ b/tests/cfgs/default/result/google_ssl.pcap.out @@ -25,7 +25,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/googledns_android10.pcap.out b/tests/cfgs/default/result/googledns_android10.pcap.out index 7842573c9..e2e176934 100644 --- a/tests/cfgs/default/result/googledns_android10.pcap.out +++ b/tests/cfgs/default/result/googledns_android10.pcap.out 
@@ -23,11 +23,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 8/8 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 5/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 4/0 (search/found) Hash TCP fingerprints: 5/5 (search/found) Hash public domain suffix: 20/20 (search/found) -Hash ja4 custom protos: 5/0 (search/found) +Hash ja4 custom protos: 10/0 (search/found) Hash fp custom protos: 5/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/h323.pcap.out b/tests/cfgs/default/result/h323.pcap.out index 01d248a0d..71a5b4a3e 100644 --- a/tests/cfgs/default/result/h323.pcap.out +++ b/tests/cfgs/default/result/h323.pcap.out @@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/hamachi.pcapng.out b/tests/cfgs/default/result/hamachi.pcapng.out index b839ac7a4..3cb688b2d 100644 --- a/tests/cfgs/default/result/hamachi.pcapng.out +++ b/tests/cfgs/default/result/hamachi.pcapng.out @@ -20,7 +20,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 6/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 2/2 (search/found) Hash public domain suffix: 9/5 (search/found) diff --git a/tests/cfgs/default/result/haproxy.pcap.out b/tests/cfgs/default/result/haproxy.pcap.out index 76353bf52..b4deb64d7 100644 --- a/tests/cfgs/default/result/haproxy.pcap.out +++ b/tests/cfgs/default/result/haproxy.pcap.out 
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/heuristic_tcp_ack_payload.pcap.out b/tests/cfgs/default/result/heuristic_tcp_ack_payload.pcap.out index 952cd3507..822f9ad5e 100644 --- a/tests/cfgs/default/result/heuristic_tcp_ack_payload.pcap.out +++ b/tests/cfgs/default/result/heuristic_tcp_ack_payload.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 6/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 8/4 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 5/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 3/0 (search/found) Hash TCP fingerprints: 6/3 (search/found) Hash public domain suffix: 89/64 (search/found) -Hash ja4 custom protos: 5/0 (search/found) +Hash ja4 custom protos: 10/0 (search/found) Hash fp custom protos: 5/0 (search/found) Hash url custom protos: 1/0 (search/found) diff --git a/tests/cfgs/default/result/hl7.pcap.out b/tests/cfgs/default/result/hl7.pcap.out index 345978474..eec99e678 100644 --- a/tests/cfgs/default/result/hl7.pcap.out +++ b/tests/cfgs/default/result/hl7.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/hpvirtgrp.pcap.out b/tests/cfgs/default/result/hpvirtgrp.pcap.out index e1e236506..d2b1f9609 100644 --- a/tests/cfgs/default/result/hpvirtgrp.pcap.out 
+++ b/tests/cfgs/default/result/hpvirtgrp.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 9/9 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 9/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/http2.pcapng.out b/tests/cfgs/default/result/http2.pcapng.out index c5358fc7e..d74e0e3fd 100644 --- a/tests/cfgs/default/result/http2.pcapng.out +++ b/tests/cfgs/default/result/http2.pcapng.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/http_connect.pcap.out b/tests/cfgs/default/result/http_connect.pcap.out index bcafe606f..a94d19683 100644 --- a/tests/cfgs/default/result/http_connect.pcap.out +++ b/tests/cfgs/default/result/http_connect.pcap.out @@ -20,11 +20,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 8/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/3 (search/found) Hash public domain suffix: 36/30 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 2/0 (search/found) diff --git a/tests/cfgs/default/result/http_guessed_host_and_guessed.pcapng.out b/tests/cfgs/default/result/http_guessed_host_and_guessed.pcapng.out index 890c94f45..f5c995fa2 100644 
--- a/tests/cfgs/default/result/http_guessed_host_and_guessed.pcapng.out +++ b/tests/cfgs/default/result/http_guessed_host_and_guessed.pcapng.out @@ -25,7 +25,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/http_ipv6.pcap.out b/tests/cfgs/default/result/http_ipv6.pcap.out index 69f56b39b..e88a34cb9 100644 --- a/tests/cfgs/default/result/http_ipv6.pcap.out +++ b/tests/cfgs/default/result/http_ipv6.pcap.out @@ -23,11 +23,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 15/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 15/15 (search/found) -Hash malicious ja4: 6/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 6/0 (search/found) Hash TCP fingerprints: 7/0 (search/found) Hash public domain suffix: 67/37 (search/found) -Hash ja4 custom protos: 6/0 (search/found) +Hash ja4 custom protos: 13/0 (search/found) Hash fp custom protos: 6/0 (search/found) Hash url custom protos: 1/0 (search/found) diff --git a/tests/cfgs/default/result/imap-starttls.pcap.out b/tests/cfgs/default/result/imap-starttls.pcap.out index feb7fbf90..3ac6c172c 100644 --- a/tests/cfgs/default/result/imap-starttls.pcap.out +++ b/tests/cfgs/default/result/imap-starttls.pcap.out 
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 18/12 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/imap.pcap.out b/tests/cfgs/default/result/imap.pcap.out index a6779b397..17936b908 100644 --- a/tests/cfgs/default/result/imap.pcap.out +++ b/tests/cfgs/default/result/imap.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/imaps.pcap.out b/tests/cfgs/default/result/imaps.pcap.out index 3180c8bb7..75f24763d 100644 --- a/tests/cfgs/default/result/imaps.pcap.out +++ b/tests/cfgs/default/result/imaps.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 3/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 2/0 (search/found) Hash public domain suffix: 32/19 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) 
diff --git a/tests/cfgs/default/result/instagram.pcap.out b/tests/cfgs/default/result/instagram.pcap.out index 27a495f7b..c5401c376 100644 --- a/tests/cfgs/default/result/instagram.pcap.out +++ b/tests/cfgs/default/result/instagram.pcap.out @@ -25,11 +25,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 58/18 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 11/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 4/0 (search/found) Hash TCP fingerprints: 11/11 (search/found) Hash public domain suffix: 235/130 (search/found) -Hash ja4 custom protos: 11/0 (search/found) +Hash ja4 custom protos: 31/0 (search/found) Hash fp custom protos: 11/0 (search/found) Hash url custom protos: 7/0 (search/found) diff --git a/tests/cfgs/default/result/iphone.pcap.out b/tests/cfgs/default/result/iphone.pcap.out index ab064b0ce..40e78432b 100644 --- a/tests/cfgs/default/result/iphone.pcap.out +++ b/tests/cfgs/default/result/iphone.pcap.out @@ -24,11 +24,11 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 5/0 (search/found) Patricia protocols: 77/15 (search/found) Patricia protocols IPv6: 10/0 (search/found) -Hash malicious ja4: 14/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 7/0 (search/found) Hash TCP fingerprints: 15/1 (search/found) Hash public domain suffix: 508/266 (search/found) -Hash ja4 custom protos: 14/0 (search/found) +Hash ja4 custom protos: 28/0 (search/found) Hash fp custom protos: 14/0 (search/found) Hash url custom protos: 1/0 (search/found) diff --git a/tests/cfgs/default/result/irc.pcap.out b/tests/cfgs/default/result/irc.pcap.out index 0b2e78be6..3c7340778 100644 --- a/tests/cfgs/default/result/irc.pcap.out +++ b/tests/cfgs/default/result/irc.pcap.out 
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/iso9506-1-mms.pcap.out b/tests/cfgs/default/result/iso9506-1-mms.pcap.out index 52b2cabbd..841454667 100644 --- a/tests/cfgs/default/result/iso9506-1-mms.pcap.out +++ b/tests/cfgs/default/result/iso9506-1-mms.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/ja3_lots_of_cipher_suites.pcap.out b/tests/cfgs/default/result/ja3_lots_of_cipher_suites.pcap.out index 708cd61a3..683299fd1 100644 --- a/tests/cfgs/default/result/ja3_lots_of_cipher_suites.pcap.out +++ b/tests/cfgs/default/result/ja3_lots_of_cipher_suites.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/ja3_lots_of_cipher_suites_2_anon.pcap.out b/tests/cfgs/default/result/ja3_lots_of_cipher_suites_2_anon.pcap.out index 7526b021f..4452c228a 100644 --- a/tests/cfgs/default/result/ja3_lots_of_cipher_suites_2_anon.pcap.out +++ b/tests/cfgs/default/result/ja3_lots_of_cipher_suites_2_anon.pcap.out 
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 3/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/ja4.pcapng.out b/tests/cfgs/default/result/ja4.pcapng.out index da6bbac23..fe5d331b7 100644 --- a/tests/cfgs/default/result/ja4.pcapng.out +++ b/tests/cfgs/default/result/ja4.pcapng.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 6/6 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 6/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 6/6 (search/found) Hash public domain suffix: 54/30 (search/found) -Hash ja4 custom protos: 6/0 (search/found) +Hash ja4 custom protos: 12/0 (search/found) Hash fp custom protos: 6/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/jabber.pcap.out b/tests/cfgs/default/result/jabber.pcap.out index a70fa04b0..941e6ccf1 100644 --- a/tests/cfgs/default/result/jabber.pcap.out +++ b/tests/cfgs/default/result/jabber.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 9/8 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 12/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/json.pcapng.out b/tests/cfgs/default/result/json.pcapng.out index af4a80ebd..63f9362da 100644 --- a/tests/cfgs/default/result/json.pcapng.out +++ b/tests/cfgs/default/result/json.pcapng.out 
@@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 30/0 (search/found) Hash public domain suffix: 4/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 24/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 2/0 (search/found) diff --git a/tests/cfgs/default/result/jsonrpc.pcap.out b/tests/cfgs/default/result/jsonrpc.pcap.out index b238edacf..acebb2540 100644 --- a/tests/cfgs/default/result/jsonrpc.pcap.out +++ b/tests/cfgs/default/result/jsonrpc.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 2/1 (search/found) Hash public domain suffix: 18/11 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 1/0 (search/found) diff --git a/tests/cfgs/default/result/kafka.pcapng.out b/tests/cfgs/default/result/kafka.pcapng.out index 9d518bd43..02c49cedd 100644 --- a/tests/cfgs/default/result/kafka.pcapng.out +++ b/tests/cfgs/default/result/kafka.pcapng.out @@ -26,7 +26,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/kerberos.pcap.out b/tests/cfgs/default/result/kerberos.pcap.out index 61232db84..6022d2cda 100644 --- a/tests/cfgs/default/result/kerberos.pcap.out +++ b/tests/cfgs/default/result/kerberos.pcap.out 
@@ -27,7 +27,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 25/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/kismet.pcap.out b/tests/cfgs/default/result/kismet.pcap.out index ea94825b0..c5e5bb7af 100644 --- a/tests/cfgs/default/result/kismet.pcap.out +++ b/tests/cfgs/default/result/kismet.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/lagofast.pcap.out b/tests/cfgs/default/result/lagofast.pcap.out index 07c20775d..283b026ec 100644 --- a/tests/cfgs/default/result/lagofast.pcap.out +++ b/tests/cfgs/default/result/lagofast.pcap.out @@ -20,7 +20,7 @@ Patricia risk: 24/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 58/3 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 8/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 117/65 (search/found) diff --git a/tests/cfgs/default/result/line.pcap.out b/tests/cfgs/default/result/line.pcap.out index 5b0fe6698..e0cc7b0a3 100644 --- a/tests/cfgs/default/result/line.pcap.out +++ b/tests/cfgs/default/result/line.pcap.out 
@@ -20,11 +20,11 @@ Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 5/5 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Hash malicious ja4: 1/0 (search/found)
+Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 1/0 (search/found)
 Hash TCP fingerprints: 1/1 (search/found)
 Hash public domain suffix: 9/5 (search/found)
-Hash ja4 custom protos: 1/0 (search/found)
+Hash ja4 custom protos: 3/0 (search/found)
 Hash fp custom protos: 1/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/lisp_registration.pcap.out b/tests/cfgs/default/result/lisp_registration.pcap.out
index 5f130883f..6786cd2b8 100644
--- a/tests/cfgs/default/result/lisp_registration.pcap.out
+++ b/tests/cfgs/default/result/lisp_registration.pcap.out
@@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 2/0 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 2/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/log4j-webapp-exploit.pcap.out b/tests/cfgs/default/result/log4j-webapp-exploit.pcap.out
index bb61a0204..aae124f77 100644
--- a/tests/cfgs/default/result/log4j-webapp-exploit.pcap.out
+++ b/tests/cfgs/default/result/log4j-webapp-exploit.pcap.out
@@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 7/7 (search/found)
 Hash public domain suffix: 9/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 3/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 3/0 (search/found)
diff --git a/tests/cfgs/default/result/long_tls_certificate.pcap.out b/tests/cfgs/default/result/long_tls_certificate.pcap.out
index 8c2490fb1..2f23277ad 100644
--- a/tests/cfgs/default/result/long_tls_certificate.pcap.out
+++ b/tests/cfgs/default/result/long_tls_certificate.pcap.out
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 1/1 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Hash malicious ja4: 1/0 (search/found)
+Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 1/0 (search/found)
 Hash TCP fingerprints: 1/0 (search/found)
 Hash public domain suffix: 9/5 (search/found)
-Hash ja4 custom protos: 1/0 (search/found)
+Hash ja4 custom protos: 2/0 (search/found)
 Hash fp custom protos: 1/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/lustre.pcapng.out b/tests/cfgs/default/result/lustre.pcapng.out
index fff5df4fe..a4073f95a 100644
--- a/tests/cfgs/default/result/lustre.pcapng.out
+++ b/tests/cfgs/default/result/lustre.pcapng.out
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 1/1 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 2/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/malware.pcap.out b/tests/cfgs/default/result/malware.pcap.out
index 8933039ef..678371951 100644
--- a/tests/cfgs/default/result/malware.pcap.out
+++ b/tests/cfgs/default/result/malware.pcap.out
@@ -24,11 +24,11 @@ Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 12/0 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Hash malicious ja4: 2/0 (search/found)
+Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 2/0 (search/found)
 Hash TCP fingerprints: 3/0 (search/found)
 Hash public domain suffix: 36/25 (search/found)
-Hash ja4 custom protos: 2/0 (search/found)
+Hash ja4 custom protos: 4/0 (search/found)
 Hash fp custom protos: 2/0 (search/found)
 Hash url custom protos: 1/0 (search/found)
diff --git a/tests/cfgs/default/result/melsec.pcapng.out b/tests/cfgs/default/result/melsec.pcapng.out
index bd17d2e05..3463f6718 100644
--- a/tests/cfgs/default/result/melsec.pcapng.out
+++ b/tests/cfgs/default/result/melsec.pcapng.out
@@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 1/1 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 1/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/memcached.cap.out b/tests/cfgs/default/result/memcached.cap.out
index 115c6b652..4c7a9641d 100644
--- a/tests/cfgs/default/result/memcached.cap.out
+++ b/tests/cfgs/default/result/memcached.cap.out
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 1/0 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 1/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/mining.pcapng.out b/tests/cfgs/default/result/mining.pcapng.out
index b3dd265bc..db3ea0e87 100644
--- a/tests/cfgs/default/result/mining.pcapng.out
+++ b/tests/cfgs/default/result/mining.pcapng.out
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 4/4 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 4/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/mismatching_hostname.pcap.out b/tests/cfgs/default/result/mismatching_hostname.pcap.out
index 0015843ba..cb7a8102f 100644
--- a/tests/cfgs/default/result/mismatching_hostname.pcap.out
+++ b/tests/cfgs/default/result/mismatching_hostname.pcap.out
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 2/0 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Hash malicious ja4: 1/0 (search/found)
+Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 1/1 (search/found)
 Hash public domain suffix: 4/4 (search/found)
-Hash ja4 custom protos: 1/0 (search/found)
+Hash ja4 custom protos: 2/0 (search/found)
 Hash fp custom protos: 1/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/monero.pcap.out b/tests/cfgs/default/result/monero.pcap.out
index 13efb8e9d..fd910de09 100644
--- a/tests/cfgs/default/result/monero.pcap.out
+++ b/tests/cfgs/default/result/monero.pcap.out
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 4/0 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 4/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/mongo_false_positive.pcapng.out b/tests/cfgs/default/result/mongo_false_positive.pcapng.out
index 4907ab9ad..08931efb3 100644
--- a/tests/cfgs/default/result/mongo_false_positive.pcapng.out
+++ b/tests/cfgs/default/result/mongo_false_positive.pcapng.out
@@ -25,7 +25,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 1/0 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 1/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/mongodb.pcap.out b/tests/cfgs/default/result/mongodb.pcap.out
index 1fa79967c..f322e3ce6 100644
--- a/tests/cfgs/default/result/mongodb.pcap.out
+++ b/tests/cfgs/default/result/mongodb.pcap.out
@@ -27,7 +27,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 8/0 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 1/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/msgpack.pcap.out b/tests/cfgs/default/result/msgpack.pcap.out
index 2a944cf77..6b77b215d 100644
--- a/tests/cfgs/default/result/msgpack.pcap.out
+++ b/tests/cfgs/default/result/msgpack.pcap.out
@@ -25,7 +25,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 2/0 (search/found)
 Hash public domain suffix: 2/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 3/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 1/0 (search/found)
diff --git a/tests/cfgs/default/result/mssql_tds.pcap.out b/tests/cfgs/default/result/mssql_tds.pcap.out
index 8f6ca16b8..757035792 100644
--- a/tests/cfgs/default/result/mssql_tds.pcap.out
+++ b/tests/cfgs/default/result/mssql_tds.pcap.out
@@ -26,7 +26,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 0/0 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 1/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/mudfish.pcap.out b/tests/cfgs/default/result/mudfish.pcap.out
index c89585ac6..5bd0a3541 100644
--- a/tests/cfgs/default/result/mudfish.pcap.out
+++ b/tests/cfgs/default/result/mudfish.pcap.out
@@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 1/1 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 1/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/mumble.pcapng.out b/tests/cfgs/default/result/mumble.pcapng.out
index 405464542..6ec51f333 100644
--- a/tests/cfgs/default/result/mumble.pcapng.out
+++ b/tests/cfgs/default/result/mumble.pcapng.out
@@ -20,7 +20,7 @@ Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 6/0 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Hash malicious ja4: 1/0 (search/found)
+Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 1/1 (search/found)
 Hash public domain suffix: 9/5 (search/found)
diff --git a/tests/cfgs/default/result/nats.pcap.out b/tests/cfgs/default/result/nats.pcap.out
index 07f19b6bf..c0e5d3a48 100644
--- a/tests/cfgs/default/result/nats.pcap.out
+++ b/tests/cfgs/default/result/nats.pcap.out
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 2/0 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 2/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/naver.pcap.out b/tests/cfgs/default/result/naver.pcap.out
index e3adadf99..c9abf5662 100644
--- a/tests/cfgs/default/result/naver.pcap.out
+++ b/tests/cfgs/default/result/naver.pcap.out
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 4/2 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Hash malicious ja4: 3/0 (search/found)
+Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 2/0 (search/found)
 Hash TCP fingerprints: 3/0 (search/found)
 Hash public domain suffix: 29/16 (search/found)
-Hash ja4 custom protos: 3/0 (search/found)
+Hash ja4 custom protos: 5/0 (search/found)
 Hash fp custom protos: 3/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/nest_log_sink.pcap.out b/tests/cfgs/default/result/nest_log_sink.pcap.out
index 4ef3aded5..8103b4e68 100644
--- a/tests/cfgs/default/result/nest_log_sink.pcap.out
+++ b/tests/cfgs/default/result/nest_log_sink.pcap.out
@@ -27,7 +27,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 12/0 (search/found)
 Hash public domain suffix: 24/15 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 12/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/netease_games.pcapng.out b/tests/cfgs/default/result/netease_games.pcapng.out
index 8aa9b0f8d..ed3f19351 100644
--- a/tests/cfgs/default/result/netease_games.pcapng.out
+++ b/tests/cfgs/default/result/netease_games.pcapng.out
@@ -20,7 +20,7 @@ Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 6/4 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Hash malicious ja4: 1/0 (search/found)
+Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 1/1 (search/found)
 Hash public domain suffix: 40/22 (search/found)
diff --git a/tests/cfgs/default/result/netflix.pcap.out b/tests/cfgs/default/result/netflix.pcap.out
index 457ff018d..447a8e0a4 100644
--- a/tests/cfgs/default/result/netflix.pcap.out
+++ b/tests/cfgs/default/result/netflix.pcap.out
@@ -24,11 +24,11 @@ Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 75/47 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Hash malicious ja4: 20/0 (search/found)
+Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 16/0 (search/found)
 Hash TCP fingerprints: 46/0 (search/found)
 Hash public domain suffix: 609/307 (search/found)
-Hash ja4 custom protos: 20/0 (search/found)
+Hash ja4 custom protos: 40/0 (search/found)
 Hash fp custom protos: 20/0 (search/found)
 Hash url custom protos: 26/0 (search/found)
diff --git a/tests/cfgs/default/result/nexon.pcapng.out b/tests/cfgs/default/result/nexon.pcapng.out
index 8b737554f..94f4e6887 100644
--- a/tests/cfgs/default/result/nexon.pcapng.out
+++ b/tests/cfgs/default/result/nexon.pcapng.out
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 2/2 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 2/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/nintendo.pcap.out b/tests/cfgs/default/result/nintendo.pcap.out
index 78bd35347..5d3bf4240 100644
--- a/tests/cfgs/default/result/nintendo.pcap.out
+++ b/tests/cfgs/default/result/nintendo.pcap.out
@@ -25,11 +25,11 @@ Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 32/10 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Hash malicious ja4: 2/0 (search/found)
+Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 2/0 (search/found)
 Hash TCP fingerprints: 2/0 (search/found)
 Hash public domain suffix: 108/59 (search/found)
-Hash ja4 custom protos: 2/0 (search/found)
+Hash ja4 custom protos: 5/0 (search/found)
 Hash fp custom protos: 2/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/nntp.pcap.out b/tests/cfgs/default/result/nntp.pcap.out
index c531f92c6..bc93fc317 100644
--- a/tests/cfgs/default/result/nntp.pcap.out
+++ b/tests/cfgs/default/result/nntp.pcap.out
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 1/0 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 1/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/no_sni.pcap.out b/tests/cfgs/default/result/no_sni.pcap.out
index d12440bef..594e3a5d3 100644
--- a/tests/cfgs/default/result/no_sni.pcap.out
+++ b/tests/cfgs/default/result/no_sni.pcap.out
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 8/8 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Hash malicious ja4: 7/0 (search/found)
+Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 7/7 (search/found)
 Hash public domain suffix: 61/35 (search/found)
-Hash ja4 custom protos: 7/0 (search/found)
+Hash ja4 custom protos: 14/0 (search/found)
 Hash fp custom protos: 7/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/nordvpn.pcap.out b/tests/cfgs/default/result/nordvpn.pcap.out
index faa291d7e..221fe31cb 100644
--- a/tests/cfgs/default/result/nordvpn.pcap.out
+++ b/tests/cfgs/default/result/nordvpn.pcap.out
@@ -24,11 +24,11 @@ Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 4/4 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Hash malicious ja4: 1/0 (search/found)
+Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 2/1 (search/found)
 Hash public domain suffix: 9/5 (search/found)
-Hash ja4 custom protos: 1/0 (search/found)
+Hash ja4 custom protos: 3/0 (search/found)
 Hash fp custom protos: 1/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/ocs.pcap.out b/tests/cfgs/default/result/ocs.pcap.out
index 5fb08dbf0..f5351a5e5 100644
--- a/tests/cfgs/default/result/ocs.pcap.out
+++ b/tests/cfgs/default/result/ocs.pcap.out
@@ -23,7 +23,7 @@ Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 20/20 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Hash malicious ja4: 5/0 (search/found)
+Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 12/12 (search/found)
 Hash public domain suffix: 186/106 (search/found)
diff --git a/tests/cfgs/default/result/ookla.pcap.out b/tests/cfgs/default/result/ookla.pcap.out
index df4e5d465..6a35f0a22 100644
--- a/tests/cfgs/default/result/ookla.pcap.out
+++ b/tests/cfgs/default/result/ookla.pcap.out
@@ -23,11 +23,11 @@ Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 11/1 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Hash malicious ja4: 2/0 (search/found)
+Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 6/4 (search/found)
 Hash public domain suffix: 42/25 (search/found)
-Hash ja4 custom protos: 2/0 (search/found)
+Hash ja4 custom protos: 7/0 (search/found)
 Hash fp custom protos: 2/0 (search/found)
 Hash url custom protos: 1/0 (search/found)
diff --git a/tests/cfgs/default/result/openvpn.pcap.out b/tests/cfgs/default/result/openvpn.pcap.out
index 7b2833206..94dd556db 100644
--- a/tests/cfgs/default/result/openvpn.pcap.out
+++ b/tests/cfgs/default/result/openvpn.pcap.out
@@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 3/1 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 3/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/openvpn_nohmac_tcp.pcapng.out b/tests/cfgs/default/result/openvpn_nohmac_tcp.pcapng.out
index 94f7b6f73..cafc07400 100644
--- a/tests/cfgs/default/result/openvpn_nohmac_tcp.pcapng.out
+++ b/tests/cfgs/default/result/openvpn_nohmac_tcp.pcapng.out
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 1/0 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 1/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/openvpn_obfuscated.pcapng.out b/tests/cfgs/default/result/openvpn_obfuscated.pcapng.out
index 18cba0f59..aad3fb4b6 100644
--- a/tests/cfgs/default/result/openvpn_obfuscated.pcapng.out
+++ b/tests/cfgs/default/result/openvpn_obfuscated.pcapng.out
@@ -27,7 +27,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 1/1 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 2/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/opera-vpn.pcapng.out b/tests/cfgs/default/result/opera-vpn.pcapng.out
index c5fb17daf..21f80c467 100644
--- a/tests/cfgs/default/result/opera-vpn.pcapng.out
+++ b/tests/cfgs/default/result/opera-vpn.pcapng.out
@@ -22,11 +22,11 @@ Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 124/0 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Hash malicious ja4: 61/0 (search/found)
+Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 62/62 (search/found)
 Hash public domain suffix: 549/305 (search/found)
-Hash ja4 custom protos: 61/0 (search/found)
+Hash ja4 custom protos: 122/0 (search/found)
 Hash fp custom protos: 61/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/os_detected.pcapng.out b/tests/cfgs/default/result/os_detected.pcapng.out
index 9ff1c54e7..0ea982033 100644
--- a/tests/cfgs/default/result/os_detected.pcapng.out
+++ b/tests/cfgs/default/result/os_detected.pcapng.out
@@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 1/1 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Hash malicious ja4: 1/0 (search/found)
+Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 0/0 (search/found)
 Hash public domain suffix: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/ossfuzz_seed_fake_traces_1.pcapng.out b/tests/cfgs/default/result/ossfuzz_seed_fake_traces_1.pcapng.out
index c0d184b03..37481a3e7 100644
--- a/tests/cfgs/default/result/ossfuzz_seed_fake_traces_1.pcapng.out
+++ b/tests/cfgs/default/result/ossfuzz_seed_fake_traces_1.pcapng.out
@@ -28,7 +28,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 0/0 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 6/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/ossfuzz_seed_fake_traces_2.pcapng.out b/tests/cfgs/default/result/ossfuzz_seed_fake_traces_2.pcapng.out
index 07dd42044..71ca2ef96 100644
--- a/tests/cfgs/default/result/ossfuzz_seed_fake_traces_2.pcapng.out
+++ b/tests/cfgs/default/result/ossfuzz_seed_fake_traces_2.pcapng.out
@@ -27,7 +27,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 6/2 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 6/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/paltalk.pcapng.out b/tests/cfgs/default/result/paltalk.pcapng.out
index f0e5791e3..901c9aaf6 100644
--- a/tests/cfgs/default/result/paltalk.pcapng.out
+++ b/tests/cfgs/default/result/paltalk.pcapng.out
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 6/2 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Hash malicious ja4: 1/0 (search/found)
+Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 3/3 (search/found)
 Hash public domain suffix: 13/9 (search/found)
-Hash ja4 custom protos: 1/0 (search/found)
+Hash ja4 custom protos: 3/0 (search/found)
 Hash fp custom protos: 1/0 (search/found)
 Hash url custom protos: 1/0 (search/found)
diff --git a/tests/cfgs/default/result/path_of_exile.pcapng.out b/tests/cfgs/default/result/path_of_exile.pcapng.out
index 189a8f690..efd8307f3 100644
--- a/tests/cfgs/default/result/path_of_exile.pcapng.out
+++ b/tests/cfgs/default/result/path_of_exile.pcapng.out
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 4/4 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 4/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/pgsql.pcap.out b/tests/cfgs/default/result/pgsql.pcap.out
index 437c34950..686ce5b23 100644
--- a/tests/cfgs/default/result/pgsql.pcap.out
+++ b/tests/cfgs/default/result/pgsql.pcap.out
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 6/4 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 6/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/pgsql2.pcapng.out b/tests/cfgs/default/result/pgsql2.pcapng.out
index 27dd33e58..aa423451d 100644
--- a/tests/cfgs/default/result/pgsql2.pcapng.out
+++ b/tests/cfgs/default/result/pgsql2.pcapng.out
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 1/0 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 1/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/pia.pcap.out b/tests/cfgs/default/result/pia.pcap.out
index 9b480e0a2..02a51115b 100644
--- a/tests/cfgs/default/result/pia.pcap.out
+++ b/tests/cfgs/default/result/pia.pcap.out
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 2/0 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Hash malicious ja4: 1/0 (search/found)
+Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 1/0 (search/found)
 Hash TCP fingerprints: 1/1 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 1/0 (search/found)
+Hash ja4 custom protos: 2/0 (search/found)
 Hash fp custom protos: 1/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/pinterest.pcap.out b/tests/cfgs/default/result/pinterest.pcap.out
index 5b929d1b5..5ea7191ee 100644
--- a/tests/cfgs/default/result/pinterest.pcap.out
+++ b/tests/cfgs/default/result/pinterest.pcap.out
@@ -22,11 +22,11 @@ Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 37/0 (search/found)
 Patricia protocols: 0/0 (search/found)
 Patricia protocols IPv6: 54/20 (search/found)
-Hash malicious ja4: 20/0 (search/found)
+Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 11/0 (search/found)
 Hash TCP fingerprints: 20/20 (search/found)
 Hash public domain suffix: 199/113 (search/found)
-Hash ja4 custom protos: 20/0 (search/found)
+Hash ja4 custom protos: 41/0 (search/found)
 Hash fp custom protos: 20/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/plugin.pcapng.out b/tests/cfgs/default/result/plugin.pcapng.out
index 2be0ebdd9..de4b85d3d 100644
--- a/tests/cfgs/default/result/plugin.pcapng.out
+++ b/tests/cfgs/default/result/plugin.pcapng.out
@@ -25,7 +25,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 1/0 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 1/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/pluralsight.pcap.out b/tests/cfgs/default/result/pluralsight.pcap.out
index 14ae77b0c..5c744cd64 100644
--- a/tests/cfgs/default/result/pluralsight.pcap.out
+++ b/tests/cfgs/default/result/pluralsight.pcap.out
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 8/4 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Hash malicious ja4: 6/0 (search/found)
+Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 4/0 (search/found)
 Hash TCP fingerprints: 6/6 (search/found)
 Hash public domain suffix: 47/28 (search/found)
-Hash ja4 custom protos: 6/0 (search/found)
+Hash ja4 custom protos: 12/0 (search/found)
 Hash fp custom protos: 6/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/pop3.pcap.out b/tests/cfgs/default/result/pop3.pcap.out
index e0e4bafe0..5205ba76e 100644
--- a/tests/cfgs/default/result/pop3.pcap.out
+++ b/tests/cfgs/default/result/pop3.pcap.out
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 6/5 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 6/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/pop3_stls.pcap.out b/tests/cfgs/default/result/pop3_stls.pcap.out
index 70ea3a9fe..571faf9ed 100644
--- a/tests/cfgs/default/result/pop3_stls.pcap.out
+++ b/tests/cfgs/default/result/pop3_stls.pcap.out
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 2/0 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Hash malicious ja4: 1/0 (search/found)
+Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 1/0 (search/found)
 Hash TCP fingerprints: 1/1 (search/found)
 Hash public domain suffix: 20/16 (search/found)
-Hash ja4 custom protos: 1/0 (search/found)
+Hash ja4 custom protos: 3/0 (search/found)
 Hash fp custom protos: 1/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/pops.pcapng.out b/tests/cfgs/default/result/pops.pcapng.out
index 82eb809ee..1e396c3ba 100644
--- a/tests/cfgs/default/result/pops.pcapng.out
+++ b/tests/cfgs/default/result/pops.pcapng.out
@@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 2/0 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Hash malicious ja4: 1/0 (search/found)
+Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 1/0 (search/found)
 Hash public domain suffix: 16/10 (search/found)
diff --git a/tests/cfgs/default/result/portable_executable.pcap.out b/tests/cfgs/default/result/portable_executable.pcap.out
index 54c970253..9513544f2 100644
--- a/tests/cfgs/default/result/portable_executable.pcap.out
+++ b/tests/cfgs/default/result/portable_executable.pcap.out
@@ -26,7 +26,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 1/1 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 2/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/pptp.pcap.out b/tests/cfgs/default/result/pptp.pcap.out
index 888464f52..03a2a8ddb 100644
--- a/tests/cfgs/default/result/pptp.pcap.out
+++ b/tests/cfgs/default/result/pptp.pcap.out
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 1/0 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 1/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/protobuf.pcap.out b/tests/cfgs/default/result/protobuf.pcap.out
index 11b6d406e..781b771ee 100644
--- a/tests/cfgs/default/result/protobuf.pcap.out
+++ b/tests/cfgs/default/result/protobuf.pcap.out
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 0/0 (search/found)
 Hash TCP fingerprints: 5/0 (search/found)
 Hash public domain suffix: 0/0 (search/found)
-Hash ja4 custom protos: 0/0 (search/found)
+Hash ja4 custom protos: 5/0 (search/found)
 Hash fp custom protos: 0/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/protonvpn.pcap.out b/tests/cfgs/default/result/protonvpn.pcap.out
index 45bf2e420..1545d19c8 100644
--- a/tests/cfgs/default/result/protonvpn.pcap.out
+++ b/tests/cfgs/default/result/protonvpn.pcap.out
@@ -23,11 +23,11 @@ Patricia risk: 1/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 5/1 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Hash malicious ja4: 1/0 (search/found)
+Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 1/0 (search/found)
 Hash TCP fingerprints: 2/2 (search/found)
 Hash public domain suffix: 9/5 (search/found)
-Hash ja4 custom protos: 1/0 (search/found)
+Hash ja4 custom protos: 2/0 (search/found)
 Hash fp custom protos: 1/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/psiphon3.pcap.out b/tests/cfgs/default/result/psiphon3.pcap.out
index 3e013121b..e99d4fa86 100644
--- a/tests/cfgs/default/result/psiphon3.pcap.out
+++ b/tests/cfgs/default/result/psiphon3.pcap.out
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
 Patricia protocols: 1/1 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-Hash malicious ja4: 1/0 (search/found)
+Hash malicious ja4: 0/0 (search/found)
 Hash malicious sha1: 1/0 (search/found)
 Hash TCP fingerprints: 1/1 (search/found)
 Hash public domain suffix: 11/8 (search/found)
-Hash ja4 custom protos: 1/0 (search/found)
+Hash ja4 custom protos: 2/0 (search/found)
 Hash fp custom protos: 1/0 (search/found)
 Hash url custom protos: 0/0 (search/found)
diff --git a/tests/cfgs/default/result/quic-23.pcap.out b/tests/cfgs/default/result/quic-23.pcap.out
index 90f04ea48..9674a98e1 100644
--- a/tests/cfgs/default/result/quic-23.pcap.out
+++ b/tests/cfgs/default/result/quic-23.pcap.out
@@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 0/0 (search/found) Patricia protocols IPv6: 2/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 18/11 (search/found) diff --git a/tests/cfgs/default/result/quic-24.pcap.out b/tests/cfgs/default/result/quic-24.pcap.out index b330a0a58..535ff49ee 100644 --- a/tests/cfgs/default/result/quic-24.pcap.out +++ b/tests/cfgs/default/result/quic-24.pcap.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) diff --git a/tests/cfgs/default/result/quic-27.pcap.out b/tests/cfgs/default/result/quic-27.pcap.out index 096ccfb0f..0c53d1cd8 100644 --- a/tests/cfgs/default/result/quic-27.pcap.out +++ b/tests/cfgs/default/result/quic-27.pcap.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 0/0 (search/found) Patricia protocols IPv6: 2/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 9/5 (search/found) diff --git a/tests/cfgs/default/result/quic-28.pcap.out b/tests/cfgs/default/result/quic-28.pcap.out index 6603ecf63..7e1091dfa 100644 --- a/tests/cfgs/default/result/quic-28.pcap.out +++ b/tests/cfgs/default/result/quic-28.pcap.out 
@@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 18/11 (search/found) diff --git a/tests/cfgs/default/result/quic-29.pcap.out b/tests/cfgs/default/result/quic-29.pcap.out index 35aaab0e1..4b881f0f6 100644 --- a/tests/cfgs/default/result/quic-29.pcap.out +++ b/tests/cfgs/default/result/quic-29.pcap.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) diff --git a/tests/cfgs/default/result/quic-33.pcapng.out b/tests/cfgs/default/result/quic-33.pcapng.out index d353e5740..4deca1dc7 100644 --- a/tests/cfgs/default/result/quic-33.pcapng.out +++ b/tests/cfgs/default/result/quic-33.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 0/0 (search/found) Patricia protocols IPv6: 2/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) diff --git a/tests/cfgs/default/result/quic-34.pcap.out b/tests/cfgs/default/result/quic-34.pcap.out index 7ddacba92..4b4079d0f 100644 --- a/tests/cfgs/default/result/quic-34.pcap.out +++ b/tests/cfgs/default/result/quic-34.pcap.out 
@@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) diff --git a/tests/cfgs/default/result/quic-forcing-vn-with-data.pcapng.out b/tests/cfgs/default/result/quic-forcing-vn-with-data.pcapng.out index 3880401f4..f43e37301 100644 --- a/tests/cfgs/default/result/quic-forcing-vn-with-data.pcapng.out +++ b/tests/cfgs/default/result/quic-forcing-vn-with-data.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) diff --git a/tests/cfgs/default/result/quic-mvfst-22.pcap.out b/tests/cfgs/default/result/quic-mvfst-22.pcap.out index 6f81fdd70..f2cfbbed9 100644 --- a/tests/cfgs/default/result/quic-mvfst-22.pcap.out +++ b/tests/cfgs/default/result/quic-mvfst-22.pcap.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 9/5 (search/found) diff --git a/tests/cfgs/default/result/quic-mvfst-27.pcapng.out b/tests/cfgs/default/result/quic-mvfst-27.pcapng.out index 8c7a41dff..e926a4a2e 100644 --- a/tests/cfgs/default/result/quic-mvfst-27.pcapng.out +++ b/tests/cfgs/default/result/quic-mvfst-27.pcapng.out 
@@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 9/5 (search/found) diff --git a/tests/cfgs/default/result/quic-mvfst-exp.pcap.out b/tests/cfgs/default/result/quic-mvfst-exp.pcap.out index 637bcfcfa..bfac41afc 100644 --- a/tests/cfgs/default/result/quic-mvfst-exp.pcap.out +++ b/tests/cfgs/default/result/quic-mvfst-exp.pcap.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 0/0 (search/found) Patricia protocols IPv6: 2/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 13/7 (search/found) diff --git a/tests/cfgs/default/result/quic-v2.pcapng.out b/tests/cfgs/default/result/quic-v2.pcapng.out index 551c20b11..47dd5c2e4 100644 --- a/tests/cfgs/default/result/quic-v2.pcapng.out +++ b/tests/cfgs/default/result/quic-v2.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 0/0 (search/found) Patricia protocols IPv6: 2/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) diff --git a/tests/cfgs/default/result/quic_0RTT.pcap.out b/tests/cfgs/default/result/quic_0RTT.pcap.out index d648c39c4..cb441fc9d 100644 --- a/tests/cfgs/default/result/quic_0RTT.pcap.out +++ b/tests/cfgs/default/result/quic_0RTT.pcap.out 
@@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 2/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 9/5 (search/found) diff --git a/tests/cfgs/default/result/quic_crypto_aes_auth_size.pcap.out b/tests/cfgs/default/result/quic_crypto_aes_auth_size.pcap.out index 0a151782a..41d820c0e 100644 --- a/tests/cfgs/default/result/quic_crypto_aes_auth_size.pcap.out +++ b/tests/cfgs/default/result/quic_crypto_aes_auth_size.pcap.out @@ -19,7 +19,7 @@ Patricia risk: 2/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 4/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 20/11 (search/found) diff --git a/tests/cfgs/default/result/quic_frags_ch_in_multiple_packets.pcapng.out b/tests/cfgs/default/result/quic_frags_ch_in_multiple_packets.pcapng.out index acbfba6a6..3efaf5c54 100644 --- a/tests/cfgs/default/result/quic_frags_ch_in_multiple_packets.pcapng.out +++ b/tests/cfgs/default/result/quic_frags_ch_in_multiple_packets.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 0/0 (search/found) Patricia protocols IPv6: 2/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) 
diff --git a/tests/cfgs/default/result/quic_frags_ch_out_of_order_same_packet_craziness.pcapng.out b/tests/cfgs/default/result/quic_frags_ch_out_of_order_same_packet_craziness.pcapng.out index abeb7aaf8..2b0f9b243 100644 --- a/tests/cfgs/default/result/quic_frags_ch_out_of_order_same_packet_craziness.pcapng.out +++ b/tests/cfgs/default/result/quic_frags_ch_out_of_order_same_packet_craziness.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 103/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 221/16 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 113/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 1044/599 (search/found) diff --git a/tests/cfgs/default/result/quic_frags_different_dcid.pcapng.out b/tests/cfgs/default/result/quic_frags_different_dcid.pcapng.out index 148562be8..12a68e3fe 100644 --- a/tests/cfgs/default/result/quic_frags_different_dcid.pcapng.out +++ b/tests/cfgs/default/result/quic_frags_different_dcid.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 9/5 (search/found) diff --git a/tests/cfgs/default/result/quic_t50.pcap.out b/tests/cfgs/default/result/quic_t50.pcap.out index 1c455ffea..f8e7efe01 100644 --- a/tests/cfgs/default/result/quic_t50.pcap.out +++ b/tests/cfgs/default/result/quic_t50.pcap.out 
@@ -19,7 +19,7 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 9/5 (search/found) diff --git a/tests/cfgs/default/result/quic_t51.pcap.out b/tests/cfgs/default/result/quic_t51.pcap.out index 5143b1522..09705abfe 100644 --- a/tests/cfgs/default/result/quic_t51.pcap.out +++ b/tests/cfgs/default/result/quic_t51.pcap.out @@ -19,7 +19,7 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 9/5 (search/found) diff --git a/tests/cfgs/default/result/radmin3.pcapng.out b/tests/cfgs/default/result/radmin3.pcapng.out index 5248bf813..44ae33b39 100644 --- a/tests/cfgs/default/result/radmin3.pcapng.out +++ b/tests/cfgs/default/result/radmin3.pcapng.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 2/2 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/raft.pcap.out b/tests/cfgs/default/result/raft.pcap.out index e2601d6a9..9a4901ddb 100644 --- a/tests/cfgs/default/result/raft.pcap.out +++ b/tests/cfgs/default/result/raft.pcap.out 
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 2/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/rdp.pcap.out b/tests/cfgs/default/result/rdp.pcap.out index dd4092741..359b6e359 100644 --- a/tests/cfgs/default/result/rdp.pcap.out +++ b/tests/cfgs/default/result/rdp.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/rdp3.pcap.out b/tests/cfgs/default/result/rdp3.pcap.out index 6d518bba4..95c185154 100644 --- a/tests/cfgs/default/result/rdp3.pcap.out +++ b/tests/cfgs/default/result/rdp3.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/rdp_over_http.pcapng.out b/tests/cfgs/default/result/rdp_over_http.pcapng.out index 50decc243..3c9684eb4 100644 --- a/tests/cfgs/default/result/rdp_over_http.pcapng.out +++ b/tests/cfgs/default/result/rdp_over_http.pcapng.out 
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/rdp_over_tls.pcap.out b/tests/cfgs/default/result/rdp_over_tls.pcap.out index e5cd39553..ab7544426 100644 --- a/tests/cfgs/default/result/rdp_over_tls.pcap.out +++ b/tests/cfgs/default/result/rdp_over_tls.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/reasm_crash_anon.pcapng.out b/tests/cfgs/default/result/reasm_crash_anon.pcapng.out index a8d049f35..c757d81a7 100644 --- a/tests/cfgs/default/result/reasm_crash_anon.pcapng.out +++ b/tests/cfgs/default/result/reasm_crash_anon.pcapng.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/reasm_segv_anon.pcapng.out b/tests/cfgs/default/result/reasm_segv_anon.pcapng.out index 03af4493e..a2472c50b 100644 
--- a/tests/cfgs/default/result/reasm_segv_anon.pcapng.out +++ b/tests/cfgs/default/result/reasm_segv_anon.pcapng.out @@ -25,7 +25,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/reddit.pcap.out b/tests/cfgs/default/result/reddit.pcap.out index d02a46242..a72da4cd5 100644 --- a/tests/cfgs/default/result/reddit.pcap.out +++ b/tests/cfgs/default/result/reddit.pcap.out @@ -22,11 +22,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 60/0 (search/found) Patricia protocols: 0/0 (search/found) Patricia protocols IPv6: 94/26 (search/found) -Hash malicious ja4: 59/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 25/0 (search/found) Hash TCP fingerprints: 60/60 (search/found) Hash public domain suffix: 659/389 (search/found) -Hash ja4 custom protos: 59/0 (search/found) +Hash ja4 custom protos: 118/0 (search/found) Hash fp custom protos: 59/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/roblox.pcapng.out b/tests/cfgs/default/result/roblox.pcapng.out index b0d3860aa..ae22e8147 100644 --- a/tests/cfgs/default/result/roblox.pcapng.out +++ b/tests/cfgs/default/result/roblox.pcapng.out 
@@ -20,11 +20,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 4/4 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 9/5 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/rockstar_games.pcapng.out b/tests/cfgs/default/result/rockstar_games.pcapng.out index 8fe2b9541..bb8407fdb 100644 --- a/tests/cfgs/default/result/rockstar_games.pcapng.out +++ b/tests/cfgs/default/result/rockstar_games.pcapng.out @@ -20,11 +20,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 6/2 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 5/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 3/3 (search/found) Hash public domain suffix: 27/15 (search/found) -Hash ja4 custom protos: 5/0 (search/found) +Hash ja4 custom protos: 6/0 (search/found) Hash fp custom protos: 4/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/rsh.pcap.out b/tests/cfgs/default/result/rsh.pcap.out index f4a81f273..c9eebc2ae 100644 --- a/tests/cfgs/default/result/rsh.pcap.out +++ b/tests/cfgs/default/result/rsh.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 2/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) 
diff --git a/tests/cfgs/default/result/rtmp.pcap.out b/tests/cfgs/default/result/rtmp.pcap.out index 3ea748cd8..39d42147e 100644 --- a/tests/cfgs/default/result/rtmp.pcap.out +++ b/tests/cfgs/default/result/rtmp.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/1 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/rtp.pcapng.out b/tests/cfgs/default/result/rtp.pcapng.out index 13da550b7..b1f981023 100644 --- a/tests/cfgs/default/result/rtp.pcapng.out +++ b/tests/cfgs/default/result/rtp.pcapng.out @@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/rtsp.pcap.out b/tests/cfgs/default/result/rtsp.pcap.out index 085ee7631..78c126a89 100644 --- a/tests/cfgs/default/result/rtsp.pcap.out +++ b/tests/cfgs/default/result/rtsp.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 6/6 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 7/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/rtsp_setup_http.pcapng.out b/tests/cfgs/default/result/rtsp_setup_http.pcapng.out index 5ce5cc37e..78cbd6797 100644 --- a/tests/cfgs/default/result/rtsp_setup_http.pcapng.out 
+++ b/tests/cfgs/default/result/rtsp_setup_http.pcapng.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/s7comm-plus.pcap.out b/tests/cfgs/default/result/s7comm-plus.pcap.out index b5c46a430..d0e99ca60 100644 --- a/tests/cfgs/default/result/s7comm-plus.pcap.out +++ b/tests/cfgs/default/result/s7comm-plus.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/s7comm.pcap.out b/tests/cfgs/default/result/s7comm.pcap.out index 85a003b9d..4e0dfe308 100644 --- a/tests/cfgs/default/result/s7comm.pcap.out +++ b/tests/cfgs/default/result/s7comm.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 2/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 4/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/safari.pcap.out b/tests/cfgs/default/result/safari.pcap.out index 6ea7129ef..2344428a5 100644 --- a/tests/cfgs/default/result/safari.pcap.out +++ b/tests/cfgs/default/result/safari.pcap.out 
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 14/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 7/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 2/0 (search/found) Hash TCP fingerprints: 7/0 (search/found) Hash public domain suffix: 176/105 (search/found) -Hash ja4 custom protos: 7/0 (search/found) +Hash ja4 custom protos: 14/0 (search/found) Hash fp custom protos: 7/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/salesforce.pcap.out b/tests/cfgs/default/result/salesforce.pcap.out index 6c7547a60..965f07d9d 100644 --- a/tests/cfgs/default/result/salesforce.pcap.out +++ b/tests/cfgs/default/result/salesforce.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 9/5 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/selfsigned.pcap.out b/tests/cfgs/default/result/selfsigned.pcap.out index 05a7e3b27..3fa031bdd 100644 --- a/tests/cfgs/default/result/selfsigned.pcap.out +++ b/tests/cfgs/default/result/selfsigned.pcap.out 
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/shadowsocks.pcap.out b/tests/cfgs/default/result/shadowsocks.pcap.out index 0f2514c7d..18fcfa2db 100644 --- a/tests/cfgs/default/result/shadowsocks.pcap.out +++ b/tests/cfgs/default/result/shadowsocks.pcap.out @@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 2/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/shell.pcap.out b/tests/cfgs/default/result/shell.pcap.out index 437442fb3..7e754d968 100644 --- a/tests/cfgs/default/result/shell.pcap.out +++ b/tests/cfgs/default/result/shell.pcap.out @@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 2/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/signal.pcap.out b/tests/cfgs/default/result/signal.pcap.out index 933ab4248..8bcb7587f 100644 --- a/tests/cfgs/default/result/signal.pcap.out +++ b/tests/cfgs/default/result/signal.pcap.out 
@@ -21,11 +21,11 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 23/15 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 12/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 10/0 (search/found) Hash TCP fingerprints: 12/2 (search/found) Hash public domain suffix: 152/86 (search/found) -Hash ja4 custom protos: 12/0 (search/found) +Hash ja4 custom protos: 27/0 (search/found) Hash fp custom protos: 12/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/signal_audiocall_2.pcapng.out b/tests/cfgs/default/result/signal_audiocall_2.pcapng.out index e94d7345e..ec09cd60f 100644 --- a/tests/cfgs/default/result/signal_audiocall_2.pcapng.out +++ b/tests/cfgs/default/result/signal_audiocall_2.pcapng.out @@ -21,11 +21,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 7/3 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 2/2 (search/found) Hash public domain suffix: 20/11 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 4/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/simple-dnscrypt.pcap.out b/tests/cfgs/default/result/simple-dnscrypt.pcap.out index d8dff7ae8..c04d00405 100644 --- a/tests/cfgs/default/result/simple-dnscrypt.pcap.out +++ b/tests/cfgs/default/result/simple-dnscrypt.pcap.out 
@@ -20,11 +20,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 8/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 4/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 4/0 (search/found) Hash TCP fingerprints: 4/0 (search/found) Hash public domain suffix: 70/58 (search/found) -Hash ja4 custom protos: 4/0 (search/found) +Hash ja4 custom protos: 8/0 (search/found) Hash fp custom protos: 4/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/sites.pcapng.out b/tests/cfgs/default/result/sites.pcapng.out index 4099c0206..c13f24c38 100644 --- a/tests/cfgs/default/result/sites.pcapng.out +++ b/tests/cfgs/default/result/sites.pcapng.out @@ -23,11 +23,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 6/0 (search/found) Patricia protocols: 82/50 (search/found) Patricia protocols IPv6: 7/5 (search/found) -Hash malicious ja4: 66/1 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 16/0 (search/found) Hash TCP fingerprints: 67/60 (search/found) Hash public domain suffix: 795/528 (search/found) -Hash ja4 custom protos: 66/0 (search/found) +Hash ja4 custom protos: 123/0 (search/found) Hash fp custom protos: 66/0 (search/found) Hash url custom protos: 2/0 (search/found) 
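Review bot: In tests/cfgs/default/result/sites.pcapng.out the expected `Hash malicious ja4` counter changes from `66/1` to `0/0`, so the one malicious-JA4 match this capture used to produce is gone from the golden output. The `Hash ja4 custom protos` line, which appears to take over the lookups (`66/0` to `123/0`), records no match either. Every other result file visible in this part of the diff only loses searches (`N/0` to `0/0`), so this is the single place where a detection hit disappears rather than just a counter. Before accepting the regenerated file, confirm that the flow which matched still carries its malicious-fingerprint risk in the per-flow lines, and state in the commit description where that hit is now counted. Otherwise the updated expectation would hide a lost detection from the regression suite.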
@@ -130,7 +130,7 @@ JA Host Stats: 2 TCP 192.168.1.250:39890 <-> 45.82.241.51:80 [proto: 7.261/HTTP.Likee][Stack: HTTP.Likee][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: SocialNetwork/6][Breed: Fun][58 pkts/4414 bytes <-> 54 pkts/74431 bytes][Goodput ratio: 22/96][182.93 sec][Hostname/SNI: videosnap.like.video][bytes ratio: -0.888 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 58/40 1449/1478 252/226][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 76/1378 244/1514 52/370][URL: videosnap.like.video/eu_live/5uz/1YOmxT.webp?type=8&resize=1&dw=360][StatusCode: 200][Content-Type: image/webp][Server: openresty][User-Agent: Like-Android][TCP Fingerprint: 2_64_65535_685ad951a756/Android][PLAIN TEXT (GET /eu)][Plen Bins: 0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,85,0,0] 3 TCP 192.168.1.128:50620 <-> 91.198.174.208:443 [proto: 91.176/TLS.Wikipedia][Stack: TLS.Wikipedia][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Safe][28 pkts/3033 bytes <-> 24 pkts/18149 bytes][Goodput ratio: 39/91][170.60 sec][Hostname/SNI: upload.wikimedia.org][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.714 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5077/6202 58326/58377 16039/17553][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 108/756 583/1514 106/683][nDPI Fingerprint: d122b7aad3b4dbc2e5fd4d535f07285b][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.3][JA4: t13d1815h2_e8a523a41297_3d5424432f57][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 11,23,3,3,0,3,0,3,0,3,3,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,39,0,0] 4 TCP 192.168.1.245:49558 <-> 80.158.42.215:443 [proto: 91.399/TLS.HuaweiCloud][Stack: TLS.HuaweiCloud][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 
6][cat: Cloud/13][Breed: Acceptable][14 pkts/4392 bytes <-> 9 pkts/12610 bytes][Goodput ratio: 82/96][0.62 sec][Hostname/SNI: id7.cloud.huawei.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.483 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 51/93 439/462 123/166][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 314/1401 1081/3954 396/1672][nDPI Fingerprint: 6fd4981632b662065dfd7e0896907b0e][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.2][JA4: t13d1715h2_5b57614c22b0_5c2c66f702b0][ServerNames: avatar.id.huawei.com,hts.huawei.com.cn,*.cdn.hicloud.com,*.cloud.dbankcloud.com,*.cloud.hicloud.com,*.cloud.huawei.asia,*.cloud.huawei.com,*.cloud.huawei.com.au,*.cloud.huawei.com.cn,*.cloud.huawei.eu,*.cloud.huawei.ru,*.dbankcloud.cn,*.dbankcloud.com,*.hicloud.com,*.hms.dbankcloud.cn,*.huawei.com,*.platform.dbankcloud.cn,*.platform.dbankcloud.com,*.platform.dbankcloud.ru,*.platform.hicloud.com,*.vmall.com][JA3S: eb7ce657b6814e1bc6402d66a2309dc6][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018][Subject: C=CN, ST=Jiangsu, L=Nanjing, O=Huawei Software Technologies Co., Ltd., CN=avatar.id.huawei.com][ECH: version 0xfe0d][Certificate SHA-1: 4F:6B:EE:C1:86:C1:2D:DB:AB:BF:DB:90:42:2D:06:A9:63:FF:76:52][Firefox][Validity: 2023-07-26 01:16:11 - 2024-08-26 01:16:10][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 8,8,8,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,8,0,8,0,0,8,0,0,0,0,8,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25] - 5 TCP 192.168.1.183:44102 <-> 146.70.182.51:443 [proto: 91.427/TLS.SurfShark][Stack: TLS.SurfShark][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 7][cat: VPN/2][Breed: Acceptable][11 pkts/5817 bytes <-> 10 pkts/7012 bytes][Goodput ratio: 87/90][0.21 sec][Hostname/SNI: it-mil-v086.prod.surfshark.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2][bytes ratio: -0.093 (Mixed)][IAT c2s/s2c 
min/avg/max/stddev: 0/0 14/24 99/96 32/39][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 529/701 2022/3526 696/1053][Risk: ** Malicious Fingerprint **][Risk Score: 100][Risk Info: t13d1517h2_8daaf6152771_b0da82dd1658][nDPI Fingerprint: 3f9486b79472e2d417452cb4066685f7][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.3][JA4: t13d1517h2_8daaf6152771_b0da82dd1658][JA3S: fcb2d4d0991292272fcb1e464eedfd43][ECH: version 0xfe0d][Chrome][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,8,25,0,0,0,0,0,0,8,0,8,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,25] + 5 TCP 192.168.1.183:44102 <-> 146.70.182.51:443 [proto: 91.427/TLS.SurfShark][Stack: TLS.SurfShark][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 7][cat: VPN/2][Breed: Acceptable][11 pkts/5817 bytes <-> 10 pkts/7012 bytes][Goodput ratio: 87/90][0.21 sec][Hostname/SNI: it-mil-v086.prod.surfshark.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2][bytes ratio: -0.093 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 14/24 99/96 32/39][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 529/701 2022/3526 696/1053][nDPI Fingerprint: 3f9486b79472e2d417452cb4066685f7][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.3][JA4: t13d1517h2_8daaf6152771_b0da82dd1658][JA3S: fcb2d4d0991292272fcb1e464eedfd43][ECH: version 0xfe0d][Chrome][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,8,25,0,0,0,0,0,0,8,0,8,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,25] 6 TCP 192.168.1.245:54690 <-> 160.44.196.198:443 [proto: 91.399/TLS.HuaweiCloud][Stack: TLS.HuaweiCloud][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Cloud/13][Breed: Acceptable][8 pkts/1733 bytes <-> 7 pkts/9520 bytes][Goodput ratio: 74/96][0.18 sec][Hostname/SNI: cloud.huawei.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.692 
(Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 22/12 40/30 15/14][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 217/1360 718/4434 253/1807][nDPI Fingerprint: 6fd4981632b662065dfd7e0896907b0e][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.2][JA4: t13d1715h2_5b57614c22b0_5c2c66f702b0][ServerNames: cloud.huawei.asia,cloud.huawei.com.cn,cloud.huawei.com,cloud.huawei.com.au,cloud.huawei.eu,cloud.huawei.lat,cloud.huawei.ru,*.dbank.com,*.hicloud.com,*.cloud.dbankcloud.cn,*.cloud.dbankcloud.com,*.cloud.dbankcloud.ru,*.cloud.hicloud.com,*.cloud.huawei.asia,*.cloud.huawei.com,*.cloud.huawei.com.au,*.cloud.huawei.com.cn,*.cloud.huawei.eu,*.cloud.huawei.lat,*.cloud.huawei.ru,*.platform.dbankcloud.cn,*.platform.hicloud.com][JA3S: eb7ce657b6814e1bc6402d66a2309dc6][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018][Subject: C=CN, ST=Jiangsu, L=Nanjing, O=Huawei Software Technologies Co., Ltd., CN=cloud.huawei.asia][ECH: version 0xfe0d][Certificate SHA-1: 94:8E:17:DA:5F:C7:62:E4:1E:F0:A5:AB:A0:B9:7B:DE:A5:F4:75:33][Firefox][Validity: 2023-08-11 07:21:05 - 2024-09-11 07:21:04][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,12,12,0,0,0,0,0,12,0,0,0,0,0,0,0,25,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25] 7 TCP 192.168.1.245:58624 <-> 104.16.156.111:443 [proto: 91.426/TLS.NordVPN][Stack: TLS.NordVPN][IP: 220/Cloudflare][Encrypted][Confidence: DPI][FPC: 220/Cloudflare, Confidence: IP address][DPI packets: 6][cat: VPN/2][Breed: Acceptable][11 pkts/2405 bytes <-> 11 pkts/8192 bytes][Goodput ratio: 69/91][0.13 sec][Hostname/SNI: s1.nordcdn.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.546 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/5 22/22 10/9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 219/745 1219/2848 330/829][nDPI Fingerprint: 3f11c7bcdc4c8f291d263ae2803ca4e1][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.3][JA4: t13d1715h2_5b57614c22b0_7121afd63204][JA3S: 
2b0648ab686ee45e0e7c35fcfb0eea7e][ECH: version 0xfe0d][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 16,0,16,0,0,0,0,0,7,0,7,0,0,0,7,0,7,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,7,0,7,0,7] 8 TCP 192.168.1.250:41878 <-> 92.122.95.99:443 [proto: 91.49/TLS.TikTok][Stack: TLS.TikTok][IP: 467/Akamai][Encrypted][Confidence: DPI][FPC: 467/Akamai, Confidence: IP address][DPI packets: 6][cat: SocialNetwork/6][Breed: Fun][16 pkts/3550 bytes <-> 15 pkts/7010 bytes][Goodput ratio: 70/86][16.63 sec][Hostname/SNI: vcs-va.tiktokv.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.328 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1381/1506 16408/16423 4531/4717][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 222/467 1090/1514 286/552][nDPI Fingerprint: 8406ed33839f2d0d8e65998d19394677][TCP Fingerprint: 2_64_65535_685ad951a756/Android][TLSv1.3][JA4: t13d1615h2_46e7e9700bed_45f260be83e2][JA3S: 15af977ce25de452b96affa2addb1036][Chrome][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 7,0,7,0,0,0,0,0,24,0,0,0,7,0,7,0,7,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,7,0,0,0,0,0,0,0,7,0,0,0,0,15,0,0] diff --git a/tests/cfgs/default/result/sites2.pcapng.out b/tests/cfgs/default/result/sites2.pcapng.out index ccf3f64ef..c4e84a0eb 100644 --- a/tests/cfgs/default/result/sites2.pcapng.out +++ b/tests/cfgs/default/result/sites2.pcapng.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 6/4 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 4/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 5/5 (search/found) Hash public domain suffix: 45/25 (search/found) -Hash ja4 custom protos: 4/0 (search/found) +Hash ja4 custom protos: 7/0 (search/found) Hash fp custom protos: 4/0 (search/found) Hash url custom protos: 1/0 (search/found) 
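Review bot: The new expectation for flow 5 (192.168.1.183:44102 <-> 146.70.182.51:443) in sites.pcapng.out no longer carries `[Risk: ** Malicious Fingerprint **][Risk Score: 100][Risk Info: t13d1517h2_8daaf6152771_b0da82dd1658]` although the flow's JA4 is unchanged, so this baseline now records a lost detection rather than a cosmetic change. The summary hunk of the same file moves `Hash malicious ja4` from `66/1` to `0/0` while `Hash ja4 custom protos` rises to `123/0`, and the other baselines visible here likewise drop to zero malicious-JA4 searches. Presumably the lookup was folded into the custom-protos hash or is no longer active in the default configuration, but nothing visible in these results still produces a hit. If that is intended, the commit description should say so, and one test configuration should load a list containing this fingerprint so the `Malicious Fingerprint` risk stays covered by a baseline. If it is not intended, the changed expectation for flow 5 should not be accepted until the lookup is restored.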
diff --git a/tests/cfgs/default/result/sites3.pcapng.out b/tests/cfgs/default/result/sites3.pcapng.out index 0b4be1bd3..7f64243af 100644 --- a/tests/cfgs/default/result/sites3.pcapng.out +++ b/tests/cfgs/default/result/sites3.pcapng.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 10/6 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 8/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 8/5 (search/found) Hash public domain suffix: 69/42 (search/found) -Hash ja4 custom protos: 8/0 (search/found) +Hash ja4 custom protos: 16/0 (search/found) Hash fp custom protos: 8/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/smb_frags.pcap.out b/tests/cfgs/default/result/smb_frags.pcap.out index fc0266cfe..064ef52d4 100644 --- a/tests/cfgs/default/result/smb_frags.pcap.out +++ b/tests/cfgs/default/result/smb_frags.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/smbv1.pcap.out b/tests/cfgs/default/result/smbv1.pcap.out index 256cccf49..b5a33f695 100644 --- a/tests/cfgs/default/result/smbv1.pcap.out +++ b/tests/cfgs/default/result/smbv1.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) 
diff --git a/tests/cfgs/default/result/smpp_in_general.pcap.out b/tests/cfgs/default/result/smpp_in_general.pcap.out index 1990be8d1..fd8b08e78 100644 --- a/tests/cfgs/default/result/smpp_in_general.pcap.out +++ b/tests/cfgs/default/result/smpp_in_general.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/smtp-starttls.pcap.out b/tests/cfgs/default/result/smtp-starttls.pcap.out index 2e944026a..326a563cd 100644 --- a/tests/cfgs/default/result/smtp-starttls.pcap.out +++ b/tests/cfgs/default/result/smtp-starttls.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 2/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 2/0 (search/found) Hash TCP fingerprints: 2/0 (search/found) Hash public domain suffix: 35/22 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 5/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/smtp.pcap.out b/tests/cfgs/default/result/smtp.pcap.out index 0f8b935ed..432f3f0db 100644 --- a/tests/cfgs/default/result/smtp.pcap.out +++ b/tests/cfgs/default/result/smtp.pcap.out 
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 20/12 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/smtps.pcapng.out b/tests/cfgs/default/result/smtps.pcapng.out index d7bdd87a2..41e0672a2 100644 --- a/tests/cfgs/default/result/smtps.pcapng.out +++ b/tests/cfgs/default/result/smtps.pcapng.out @@ -19,11 +19,11 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/snapchat.pcap.out b/tests/cfgs/default/result/snapchat.pcap.out index 103e875e6..3be82b755 100644 --- a/tests/cfgs/default/result/snapchat.pcap.out +++ b/tests/cfgs/default/result/snapchat.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 3/3 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 3/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/0 (search/found) Hash public domain suffix: 18/10 (search/found) -Hash ja4 custom protos: 3/0 (search/found) +Hash ja4 custom protos: 6/0 (search/found) Hash fp custom protos: 3/0 (search/found) Hash url custom protos: 0/0 (search/found) 
diff --git a/tests/cfgs/default/result/snapchat_call_v1.pcapng.out b/tests/cfgs/default/result/snapchat_call_v1.pcapng.out index b7a1760cc..046d548fa 100644 --- a/tests/cfgs/default/result/snapchat_call_v1.pcapng.out +++ b/tests/cfgs/default/result/snapchat_call_v1.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 9/5 (search/found) diff --git a/tests/cfgs/default/result/soap.pcap.out b/tests/cfgs/default/result/soap.pcap.out index be5fbbd05..654018284 100644 --- a/tests/cfgs/default/result/soap.pcap.out +++ b/tests/cfgs/default/result/soap.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 9/5 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 1/0 (search/found) diff --git a/tests/cfgs/default/result/socks.pcap.out b/tests/cfgs/default/result/socks.pcap.out index 33c269d5d..752a69d64 100644 --- a/tests/cfgs/default/result/socks.pcap.out +++ b/tests/cfgs/default/result/socks.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 4/3 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/sonos.pcapng.out b/tests/cfgs/default/result/sonos.pcapng.out index c5103a1e7..ffa4b2eff 100644 
--- a/tests/cfgs/default/result/sonos.pcapng.out +++ b/tests/cfgs/default/result/sonos.pcapng.out @@ -20,11 +20,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 4/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 3/0 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/spotify_tcp.pcap.out b/tests/cfgs/default/result/spotify_tcp.pcap.out index 80eb150e4..02eb9b549 100644 --- a/tests/cfgs/default/result/spotify_tcp.pcap.out +++ b/tests/cfgs/default/result/spotify_tcp.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/ssh.pcap.out b/tests/cfgs/default/result/ssh.pcap.out index dc70d53cf..34e4b7c86 100644 --- a/tests/cfgs/default/result/ssh.pcap.out +++ b/tests/cfgs/default/result/ssh.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/ssh_unidirectional.pcap.out b/tests/cfgs/default/result/ssh_unidirectional.pcap.out index 959e56fb5..afdfaa75f 100644 
--- a/tests/cfgs/default/result/ssh_unidirectional.pcap.out +++ b/tests/cfgs/default/result/ssh_unidirectional.pcap.out @@ -25,7 +25,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/ssl-cert-name-mismatch.pcap.out b/tests/cfgs/default/result/ssl-cert-name-mismatch.pcap.out index 34a92bada..2429bb49e 100644 --- a/tests/cfgs/default/result/ssl-cert-name-mismatch.pcap.out +++ b/tests/cfgs/default/result/ssl-cert-name-mismatch.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 31/22 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/starcraft_battle.pcap.out b/tests/cfgs/default/result/starcraft_battle.pcap.out index b80cd78de..ef2e84f6e 100644 --- a/tests/cfgs/default/result/starcraft_battle.pcap.out +++ b/tests/cfgs/default/result/starcraft_battle.pcap.out @@ -29,7 +29,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 22/2 (search/found) Hash public domain suffix: 344/199 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 11/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 20/0 (search/found) 
diff --git a/tests/cfgs/default/result/steam.pcapng.out b/tests/cfgs/default/result/steam.pcapng.out index 53c62339a..6780cc22d 100644 --- a/tests/cfgs/default/result/steam.pcapng.out +++ b/tests/cfgs/default/result/steam.pcapng.out @@ -20,11 +20,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 8/6 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 4/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 4/1 (search/found) Hash public domain suffix: 45/25 (search/found) -Hash ja4 custom protos: 4/0 (search/found) +Hash ja4 custom protos: 8/0 (search/found) Hash fp custom protos: 4/0 (search/found) Hash url custom protos: 1/0 (search/found) diff --git a/tests/cfgs/default/result/stun.pcap.out b/tests/cfgs/default/result/stun.pcap.out index a7562f7d9..70d2d80e9 100644 --- a/tests/cfgs/default/result/stun.pcap.out +++ b/tests/cfgs/default/result/stun.pcap.out @@ -21,11 +21,11 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 2/0 (search/found) Patricia protocols: 9/5 (search/found) Patricia protocols IPv6: 4/1 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 4/2 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/stun_dtls_rtp.pcapng.out b/tests/cfgs/default/result/stun_dtls_rtp.pcapng.out index f007dc3f6..c43f9f4e3 100644 --- a/tests/cfgs/default/result/stun_dtls_rtp.pcapng.out +++ b/tests/cfgs/default/result/stun_dtls_rtp.pcapng.out 
@@ -20,7 +20,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/2 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 2/1 (search/found) diff --git a/tests/cfgs/default/result/stun_dtls_unidirectional_client.pcap.out b/tests/cfgs/default/result/stun_dtls_unidirectional_client.pcap.out index 5978a94dd..d5e2b5998 100644 --- a/tests/cfgs/default/result/stun_dtls_unidirectional_client.pcap.out +++ b/tests/cfgs/default/result/stun_dtls_unidirectional_client.pcap.out @@ -19,7 +19,7 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) diff --git a/tests/cfgs/default/result/stun_google_meet.pcapng.out b/tests/cfgs/default/result/stun_google_meet.pcapng.out index f38a23803..6c55955e5 100644 --- a/tests/cfgs/default/result/stun_google_meet.pcapng.out +++ b/tests/cfgs/default/result/stun_google_meet.pcapng.out @@ -20,7 +20,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 6/6 (search/found) Patricia protocols IPv6: 1/1 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 2/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) diff --git a/tests/cfgs/default/result/stun_signal_tcp.pcapng.out b/tests/cfgs/default/result/stun_signal_tcp.pcapng.out index ce48b6af9..db9c777aa 100644 --- a/tests/cfgs/default/result/stun_signal_tcp.pcapng.out 
+++ b/tests/cfgs/default/result/stun_signal_tcp.pcapng.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 1/1 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/stun_tcp_multiple_msgs_same_pkt.pcap.out b/tests/cfgs/default/result/stun_tcp_multiple_msgs_same_pkt.pcap.out index bd867ec96..d22a1fdb8 100644 --- a/tests/cfgs/default/result/stun_tcp_multiple_msgs_same_pkt.pcap.out +++ b/tests/cfgs/default/result/stun_tcp_multiple_msgs_same_pkt.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/stun_zoom.pcapng.out b/tests/cfgs/default/result/stun_zoom.pcapng.out index 160d7317b..d944e0fed 100644 --- a/tests/cfgs/default/result/stun_zoom.pcapng.out +++ b/tests/cfgs/default/result/stun_zoom.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/2 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 7/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 7/4 (search/found) diff --git a/tests/cfgs/default/result/syslog.pcap.out b/tests/cfgs/default/result/syslog.pcap.out index 2df4729f0..3d087601b 100644 --- a/tests/cfgs/default/result/syslog.pcap.out +++ b/tests/cfgs/default/result/syslog.pcap.out 
@@ -25,7 +25,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/teams.pcap.out b/tests/cfgs/default/result/teams.pcap.out index 41b7770fe..5050fbe75 100644 --- a/tests/cfgs/default/result/teams.pcap.out +++ b/tests/cfgs/default/result/teams.pcap.out @@ -26,11 +26,11 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 119/49 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 38/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 18/0 (search/found) Hash TCP fingerprints: 38/0 (search/found) Hash public domain suffix: 961/531 (search/found) -Hash ja4 custom protos: 38/0 (search/found) +Hash ja4 custom protos: 75/0 (search/found) Hash fp custom protos: 38/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/telegram_videocall.pcapng.out b/tests/cfgs/default/result/telegram_videocall.pcapng.out index eb6ae6bb3..29546b7fd 100644 --- a/tests/cfgs/default/result/telegram_videocall.pcapng.out +++ b/tests/cfgs/default/result/telegram_videocall.pcapng.out @@ -30,7 +30,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 8/8 (search/found) Hash public domain suffix: 12/6 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 9/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tencent_games.pcap.out b/tests/cfgs/default/result/tencent_games.pcap.out index 6d5568e0f..d51c976dd 100644 --- a/tests/cfgs/default/result/tencent_games.pcap.out 
+++ b/tests/cfgs/default/result/tencent_games.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 4/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 4/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/teso.pcapng.out b/tests/cfgs/default/result/teso.pcapng.out index 25ee02c6f..87275de07 100644 --- a/tests/cfgs/default/result/teso.pcapng.out +++ b/tests/cfgs/default/result/teso.pcapng.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 2/2 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/threema.pcap.out b/tests/cfgs/default/result/threema.pcap.out index 5e8770841..cefff0a28 100644 --- a/tests/cfgs/default/result/threema.pcap.out +++ b/tests/cfgs/default/result/threema.pcap.out @@ -26,7 +26,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 6/6 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 6/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/thrift.pcap.out b/tests/cfgs/default/result/thrift.pcap.out index f19cf7c40..440541a2d 100644 --- a/tests/cfgs/default/result/thrift.pcap.out +++ b/tests/cfgs/default/result/thrift.pcap.out 
@@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tinc.pcap.out b/tests/cfgs/default/result/tinc.pcap.out index 514203147..bfc960ea2 100644 --- a/tests/cfgs/default/result/tinc.pcap.out +++ b/tests/cfgs/default/result/tinc.pcap.out @@ -25,7 +25,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 2/2 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tls-appdata.pcap.out b/tests/cfgs/default/result/tls-appdata.pcap.out index ddd0022b9..acd6c45d1 100644 --- a/tests/cfgs/default/result/tls-appdata.pcap.out +++ b/tests/cfgs/default/result/tls-appdata.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tls-esni-fuzzed.pcap.out b/tests/cfgs/default/result/tls-esni-fuzzed.pcap.out index fc489fe58..2d0e0c0bb 100644 --- a/tests/cfgs/default/result/tls-esni-fuzzed.pcap.out +++ b/tests/cfgs/default/result/tls-esni-fuzzed.pcap.out 
@@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 3/3 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 3/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tls-rdn-extract.pcap.out b/tests/cfgs/default/result/tls-rdn-extract.pcap.out index 87154d531..114a4cddb 100644 --- a/tests/cfgs/default/result/tls-rdn-extract.pcap.out +++ b/tests/cfgs/default/result/tls-rdn-extract.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 25/15 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tls_1.2_unidirectional_client.pcapng.out b/tests/cfgs/default/result/tls_1.2_unidirectional_client.pcapng.out index 40a2e3dd9..80d88574c 100644 --- a/tests/cfgs/default/result/tls_1.2_unidirectional_client.pcapng.out +++ b/tests/cfgs/default/result/tls_1.2_unidirectional_client.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 9/5 (search/found) 
diff --git a/tests/cfgs/default/result/tls_1.2_unidirectional_client_no_cert.pcapng.out b/tests/cfgs/default/result/tls_1.2_unidirectional_client_no_cert.pcapng.out index 99862fc59..d8cf532a2 100644 --- a/tests/cfgs/default/result/tls_1.2_unidirectional_client_no_cert.pcapng.out +++ b/tests/cfgs/default/result/tls_1.2_unidirectional_client_no_cert.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 18/11 (search/found) diff --git a/tests/cfgs/default/result/tls_1.3_unidirectional_client.pcapng.out b/tests/cfgs/default/result/tls_1.3_unidirectional_client.pcapng.out index b59a49fc1..1b071c07d 100644 --- a/tests/cfgs/default/result/tls_1.3_unidirectional_client.pcapng.out +++ b/tests/cfgs/default/result/tls_1.3_unidirectional_client.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 9/5 (search/found) diff --git a/tests/cfgs/default/result/tls_2_reasms.pcapng.out b/tests/cfgs/default/result/tls_2_reasms.pcapng.out index b1d302747..3eb072823 100644 --- a/tests/cfgs/default/result/tls_2_reasms.pcapng.out +++ b/tests/cfgs/default/result/tls_2_reasms.pcapng.out 
@@ -19,11 +19,11 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 9/5 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tls_2_reasms_b.pcapng.out b/tests/cfgs/default/result/tls_2_reasms_b.pcapng.out index 4bb38ca7a..0867d1baa 100644 --- a/tests/cfgs/default/result/tls_2_reasms_b.pcapng.out +++ b/tests/cfgs/default/result/tls_2_reasms_b.pcapng.out @@ -19,11 +19,11 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 13/7 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tls_alert.pcap.out b/tests/cfgs/default/result/tls_alert.pcap.out index d7b848fd8..e349459d7 100644 --- a/tests/cfgs/default/result/tls_alert.pcap.out +++ b/tests/cfgs/default/result/tls_alert.pcap.out 
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 4/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 9/5 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tls_certificate_too_long.pcap.out b/tests/cfgs/default/result/tls_certificate_too_long.pcap.out index 7596a8c74..5318b18be 100644 --- a/tests/cfgs/default/result/tls_certificate_too_long.pcap.out +++ b/tests/cfgs/default/result/tls_certificate_too_long.pcap.out @@ -25,11 +25,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 39/29 (search/found) Patricia protocols IPv6: 2/0 (search/found) -Hash malicious ja4: 8/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 8/0 (search/found) Hash TCP fingerprints: 10/10 (search/found) Hash public domain suffix: 317/178 (search/found) -Hash ja4 custom protos: 8/0 (search/found) +Hash ja4 custom protos: 21/0 (search/found) Hash fp custom protos: 8/0 (search/found) Hash url custom protos: 2/0 (search/found) diff --git a/tests/cfgs/default/result/tls_cipher_lens.pcap.out b/tests/cfgs/default/result/tls_cipher_lens.pcap.out index 408d35525..0a6e86236 100644 --- a/tests/cfgs/default/result/tls_cipher_lens.pcap.out +++ b/tests/cfgs/default/result/tls_cipher_lens.pcap.out 
@@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 5/5 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 9/5 (search/found) diff --git a/tests/cfgs/default/result/tls_client_certificate_with_missing_server_one.pcapng.out b/tests/cfgs/default/result/tls_client_certificate_with_missing_server_one.pcapng.out index f9c25c488..67b51a492 100644 --- a/tests/cfgs/default/result/tls_client_certificate_with_missing_server_one.pcapng.out +++ b/tests/cfgs/default/result/tls_client_certificate_with_missing_server_one.pcapng.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 4/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 4/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tls_ech.pcapng.out b/tests/cfgs/default/result/tls_ech.pcapng.out index f8e4337fc..f505f689b 100644 --- a/tests/cfgs/default/result/tls_ech.pcapng.out +++ b/tests/cfgs/default/result/tls_ech.pcapng.out 
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 0/0 (search/found) Patricia protocols IPv6: 1/1 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 11/6 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tls_esni_sni_both.pcap.out b/tests/cfgs/default/result/tls_esni_sni_both.pcap.out index aec741afe..494b29a3f 100644 --- a/tests/cfgs/default/result/tls_esni_sni_both.pcap.out +++ b/tests/cfgs/default/result/tls_esni_sni_both.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/2 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 2/2 (search/found) Hash public domain suffix: 14/14 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 4/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tls_false_positives.pcapng.out b/tests/cfgs/default/result/tls_false_positives.pcapng.out index 2ed8df0a7..fc1869c87 100644 --- a/tests/cfgs/default/result/tls_false_positives.pcapng.out +++ b/tests/cfgs/default/result/tls_false_positives.pcapng.out 
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tls_heur__shadowsocks-tcp.pcapng.out b/tests/cfgs/default/result/tls_heur__shadowsocks-tcp.pcapng.out index cbe095d4a..9e33c662f 100644 --- a/tests/cfgs/default/result/tls_heur__shadowsocks-tcp.pcapng.out +++ b/tests/cfgs/default/result/tls_heur__shadowsocks-tcp.pcapng.out @@ -21,11 +21,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 6/0 (search/found) Patricia protocols IPv6: 1/1 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/0 (search/found) Hash public domain suffix: 32/18 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tls_heur__trojan-tcp-tls.pcapng.out b/tests/cfgs/default/result/tls_heur__trojan-tcp-tls.pcapng.out index 59a461c8a..622991f41 100644 --- a/tests/cfgs/default/result/tls_heur__trojan-tcp-tls.pcapng.out +++ b/tests/cfgs/default/result/tls_heur__trojan-tcp-tls.pcapng.out 
@@ -20,11 +20,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 19/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/1 (search/found) Hash public domain suffix: 107/36 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 4/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tls_heur__vmess-tcp-tls.pcapng.out b/tests/cfgs/default/result/tls_heur__vmess-tcp-tls.pcapng.out index f1bb77eca..41aa7bafb 100644 --- a/tests/cfgs/default/result/tls_heur__vmess-tcp-tls.pcapng.out +++ b/tests/cfgs/default/result/tls_heur__vmess-tcp-tls.pcapng.out @@ -20,11 +20,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 19/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/3 (search/found) Hash public domain suffix: 107/36 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 4/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tls_heur__vmess-tcp.pcapng.out b/tests/cfgs/default/result/tls_heur__vmess-tcp.pcapng.out index 0024ab1fb..efbc2a570 100644 --- a/tests/cfgs/default/result/tls_heur__vmess-tcp.pcapng.out +++ b/tests/cfgs/default/result/tls_heur__vmess-tcp.pcapng.out 
@@ -21,11 +21,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 6/0 (search/found) Patricia protocols IPv6: 1/1 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/0 (search/found) Hash public domain suffix: 32/18 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tls_heur__vmess-websocket.pcapng.out b/tests/cfgs/default/result/tls_heur__vmess-websocket.pcapng.out index fbef5a190..b4d8be237 100644 --- a/tests/cfgs/default/result/tls_heur__vmess-websocket.pcapng.out +++ b/tests/cfgs/default/result/tls_heur__vmess-websocket.pcapng.out @@ -20,11 +20,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 7/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/1 (search/found) Hash public domain suffix: 27/14 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 1/0 (search/found) diff --git a/tests/cfgs/default/result/tls_invalid_reads.pcap.out b/tests/cfgs/default/result/tls_invalid_reads.pcap.out index 0eab9ed29..c7ff2c701 100644 --- a/tests/cfgs/default/result/tls_invalid_reads.pcap.out +++ b/tests/cfgs/default/result/tls_invalid_reads.pcap.out 
@@ -22,11 +22,11 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 5/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 2/0 (search/found) Hash public domain suffix: 9/5 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tls_long_cert.pcap.out b/tests/cfgs/default/result/tls_long_cert.pcap.out index d6907afc1..a1fd51a60 100644 --- a/tests/cfgs/default/result/tls_long_cert.pcap.out +++ b/tests/cfgs/default/result/tls_long_cert.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 539/354 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tls_malicious_sha1.pcapng.out b/tests/cfgs/default/result/tls_malicious_sha1.pcapng.out index b613eafbc..2cd6b66df 100644 --- a/tests/cfgs/default/result/tls_malicious_sha1.pcapng.out +++ b/tests/cfgs/default/result/tls_malicious_sha1.pcapng.out 
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 0/0 (search/found) Patricia protocols IPv6: 1/1 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/1 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 27/17 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tls_multiple_synack_different_seq.pcapng.out b/tests/cfgs/default/result/tls_multiple_synack_different_seq.pcapng.out index 7e28309b8..dc589046e 100644 --- a/tests/cfgs/default/result/tls_multiple_synack_different_seq.pcapng.out +++ b/tests/cfgs/default/result/tls_multiple_synack_different_seq.pcapng.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 13/7 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tls_port_80.pcapng.out b/tests/cfgs/default/result/tls_port_80.pcapng.out index d14ff32e9..385677bbc 100644 --- a/tests/cfgs/default/result/tls_port_80.pcapng.out +++ b/tests/cfgs/default/result/tls_port_80.pcapng.out 
@@ -19,7 +19,7 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tls_torrent.pcapng.out b/tests/cfgs/default/result/tls_torrent.pcapng.out index 8b77a39ee..864f7e2e1 100644 --- a/tests/cfgs/default/result/tls_torrent.pcapng.out +++ b/tests/cfgs/default/result/tls_torrent.pcapng.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 9/5 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tls_verylong_certificate.pcap.out b/tests/cfgs/default/result/tls_verylong_certificate.pcap.out index 376e59be9..500d3f53a 100644 --- a/tests/cfgs/default/result/tls_verylong_certificate.pcap.out +++ b/tests/cfgs/default/result/tls_verylong_certificate.pcap.out 
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 9/5 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tls_with_huge_ch.pcapng.out b/tests/cfgs/default/result/tls_with_huge_ch.pcapng.out index 157d5367d..5dfacbc6e 100644 --- a/tests/cfgs/default/result/tls_with_huge_ch.pcapng.out +++ b/tests/cfgs/default/result/tls_with_huge_ch.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tls_with_more_than_99_ciphers.pcapng.out b/tests/cfgs/default/result/tls_with_more_than_99_ciphers.pcapng.out index 71b0172ee..d42ddc64e 100644 --- a/tests/cfgs/default/result/tls_with_more_than_99_ciphers.pcapng.out +++ b/tests/cfgs/default/result/tls_with_more_than_99_ciphers.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 4/4 (search/found) 
diff --git a/tests/cfgs/default/result/tor-browser.pcap.out b/tests/cfgs/default/result/tor-browser.pcap.out index 5ada841d5..1a569e667 100644 --- a/tests/cfgs/default/result/tor-browser.pcap.out +++ b/tests/cfgs/default/result/tor-browser.pcap.out @@ -21,11 +21,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 13/5 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 6/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 6/6 (search/found) Hash public domain suffix: 115/69 (search/found) -Hash ja4 custom protos: 6/0 (search/found) +Hash ja4 custom protos: 9/0 (search/found) Hash fp custom protos: 6/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tor.pcap.out b/tests/cfgs/default/result/tor.pcap.out index 72affdad2..e8cf6afb4 100644 --- a/tests/cfgs/default/result/tor.pcap.out +++ b/tests/cfgs/default/result/tor.pcap.out @@ -23,11 +23,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 19/1 (search/found) Patricia protocols IPv6: 2/0 (search/found) -Hash malicious ja4: 7/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 7/0 (search/found) Hash TCP fingerprints: 7/0 (search/found) Hash public domain suffix: 126/77 (search/found) -Hash ja4 custom protos: 7/0 (search/found) +Hash ja4 custom protos: 14/0 (search/found) Hash fp custom protos: 7/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tumblr.pcap.out b/tests/cfgs/default/result/tumblr.pcap.out index 815625061..03dce3a31 100644 --- a/tests/cfgs/default/result/tumblr.pcap.out +++ b/tests/cfgs/default/result/tumblr.pcap.out 
@@ -22,11 +22,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 47/0 (search/found) Patricia protocols: 0/0 (search/found) Patricia protocols IPv6: 73/21 (search/found) -Hash malicious ja4: 9/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 9/9 (search/found) Hash public domain suffix: 107/61 (search/found) -Hash ja4 custom protos: 9/0 (search/found) +Hash ja4 custom protos: 25/0 (search/found) Hash fp custom protos: 9/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/tunnelbear.pcap.out b/tests/cfgs/default/result/tunnelbear.pcap.out index 414344061..842307ea5 100644 --- a/tests/cfgs/default/result/tunnelbear.pcap.out +++ b/tests/cfgs/default/result/tunnelbear.pcap.out @@ -23,11 +23,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 24/20 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 20/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 9/0 (search/found) Hash TCP fingerprints: 19/19 (search/found) Hash public domain suffix: 203/116 (search/found) -Hash ja4 custom protos: 20/0 (search/found) +Hash ja4 custom protos: 38/0 (search/found) Hash fp custom protos: 20/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/ultrasurf.pcap.out b/tests/cfgs/default/result/ultrasurf.pcap.out index 131f57b2f..ab64dae65 100644 --- a/tests/cfgs/default/result/ultrasurf.pcap.out +++ b/tests/cfgs/default/result/ultrasurf.pcap.out 
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 6/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 2/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 5/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/viber.pcap.out b/tests/cfgs/default/result/viber.pcap.out index fb849b9de..69c4e017c 100644 --- a/tests/cfgs/default/result/viber.pcap.out +++ b/tests/cfgs/default/result/viber.pcap.out @@ -24,11 +24,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 40/18 (search/found) Patricia protocols IPv6: 2/0 (search/found) -Hash malicious ja4: 7/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 4/0 (search/found) Hash TCP fingerprints: 11/11 (search/found) Hash public domain suffix: 267/164 (search/found) -Hash ja4 custom protos: 7/0 (search/found) +Hash ja4 custom protos: 15/0 (search/found) Hash fp custom protos: 7/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/vivox.pcapng.out b/tests/cfgs/default/result/vivox.pcapng.out index d2b191f38..08a57ae9b 100644 --- a/tests/cfgs/default/result/vivox.pcapng.out +++ b/tests/cfgs/default/result/vivox.pcapng.out @@ -20,7 +20,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/2 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 11/6 (search/found) 
diff --git a/tests/cfgs/default/result/vk.pcapng.out b/tests/cfgs/default/result/vk.pcapng.out index eb929d41f..67be2eaea 100644 --- a/tests/cfgs/default/result/vk.pcapng.out +++ b/tests/cfgs/default/result/vk.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 10/10 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 4/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 4/4 (search/found) Hash public domain suffix: 36/20 (search/found) diff --git a/tests/cfgs/default/result/vnc.pcap.out b/tests/cfgs/default/result/vnc.pcap.out index 75f06e96c..840166e5e 100644 --- a/tests/cfgs/default/result/vnc.pcap.out +++ b/tests/cfgs/default/result/vnc.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 2/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/vxlan.pcap.out b/tests/cfgs/default/result/vxlan.pcap.out index fc7b52044..c65f44ec6 100644 --- a/tests/cfgs/default/result/vxlan.pcap.out +++ b/tests/cfgs/default/result/vxlan.pcap.out @@ -20,11 +20,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 4/4 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 2/0 (search/found) Hash public domain suffix: 46/32 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 4/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) 
diff --git a/tests/cfgs/default/result/wa_video.pcap.out b/tests/cfgs/default/result/wa_video.pcap.out index 076a85371..52b139754 100644 --- a/tests/cfgs/default/result/wa_video.pcap.out +++ b/tests/cfgs/default/result/wa_video.pcap.out @@ -28,7 +28,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 9/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/wa_voice.pcap.out b/tests/cfgs/default/result/wa_voice.pcap.out index 7ed283403..347a80a43 100644 --- a/tests/cfgs/default/result/wa_voice.pcap.out +++ b/tests/cfgs/default/result/wa_voice.pcap.out @@ -23,11 +23,11 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 44/10 (search/found) Patricia protocols IPv6: 2/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/1 (search/found) Hash public domain suffix: 125/49 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 7/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/waze.pcap.out b/tests/cfgs/default/result/waze.pcap.out index c39311efc..1d9028568 100644 --- a/tests/cfgs/default/result/waze.pcap.out +++ b/tests/cfgs/default/result/waze.pcap.out 
@@ -24,11 +24,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 46/20 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 13/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 12/0 (search/found) Hash TCP fingerprints: 22/22 (search/found) Hash public domain suffix: 153/91 (search/found) -Hash ja4 custom protos: 13/0 (search/found) +Hash ja4 custom protos: 28/0 (search/found) Hash fp custom protos: 13/0 (search/found) Hash url custom protos: 8/0 (search/found) diff --git a/tests/cfgs/default/result/webex.pcap.out b/tests/cfgs/default/result/webex.pcap.out index b24fb07a3..c1517b3a4 100644 --- a/tests/cfgs/default/result/webex.pcap.out +++ b/tests/cfgs/default/result/webex.pcap.out @@ -24,11 +24,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 68/46 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 49/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 28/0 (search/found) Hash TCP fingerprints: 52/52 (search/found) Hash public domain suffix: 322/252 (search/found) -Hash ja4 custom protos: 49/0 (search/found) +Hash ja4 custom protos: 86/0 (search/found) Hash fp custom protos: 49/0 (search/found) Hash url custom protos: 2/0 (search/found) diff --git a/tests/cfgs/default/result/websocket.pcap.out b/tests/cfgs/default/result/websocket.pcap.out index e6a9450ef..9bd261b77 100644 --- a/tests/cfgs/default/result/websocket.pcap.out +++ b/tests/cfgs/default/result/websocket.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) 
diff --git a/tests/cfgs/default/result/wechat.pcap.out b/tests/cfgs/default/result/wechat.pcap.out index d7d865b02..cae5b0d61 100644 --- a/tests/cfgs/default/result/wechat.pcap.out +++ b/tests/cfgs/default/result/wechat.pcap.out @@ -25,11 +25,11 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 8/0 (search/found) Patricia protocols: 163/27 (search/found) Patricia protocols IPv6: 16/0 (search/found) -Hash malicious ja4: 28/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 28/0 (search/found) Hash TCP fingerprints: 35/35 (search/found) Hash public domain suffix: 665/295 (search/found) -Hash ja4 custom protos: 28/0 (search/found) +Hash ja4 custom protos: 59/0 (search/found) Hash fp custom protos: 28/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/weibo.pcap.out b/tests/cfgs/default/result/weibo.pcap.out index 7ab303d11..d74e29dea 100644 --- a/tests/cfgs/default/result/weibo.pcap.out +++ b/tests/cfgs/default/result/weibo.pcap.out @@ -23,7 +23,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 72/16 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 24/24 (search/found) Hash public domain suffix: 298/171 (search/found) diff --git a/tests/cfgs/default/result/whatsapp.pcap.out b/tests/cfgs/default/result/whatsapp.pcap.out index 40d712b2a..44551dae2 100644 --- a/tests/cfgs/default/result/whatsapp.pcap.out +++ b/tests/cfgs/default/result/whatsapp.pcap.out 
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 86/86 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 86/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/whatsapp_login_call.pcap.out b/tests/cfgs/default/result/whatsapp_login_call.pcap.out index 8749c9970..f25b39f37 100644 --- a/tests/cfgs/default/result/whatsapp_login_call.pcap.out +++ b/tests/cfgs/default/result/whatsapp_login_call.pcap.out @@ -25,11 +25,11 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 2/0 (search/found) Patricia protocols: 72/38 (search/found) Patricia protocols IPv6: 4/0 (search/found) -Hash malicious ja4: 3/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 5/5 (search/found) Hash public domain suffix: 89/38 (search/found) -Hash ja4 custom protos: 3/0 (search/found) +Hash ja4 custom protos: 10/0 (search/found) Hash fp custom protos: 3/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/whatsapp_login_chat.pcap.out b/tests/cfgs/default/result/whatsapp_login_chat.pcap.out index 0be0fa197..ab8ad6a83 100644 --- a/tests/cfgs/default/result/whatsapp_login_chat.pcap.out +++ b/tests/cfgs/default/result/whatsapp_login_chat.pcap.out @@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 22/9 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) 
diff --git a/tests/cfgs/default/result/whatsapp_voice_and_message.pcap.out b/tests/cfgs/default/result/whatsapp_voice_and_message.pcap.out index 49920a69c..21ccedf8a 100644 --- a/tests/cfgs/default/result/whatsapp_voice_and_message.pcap.out +++ b/tests/cfgs/default/result/whatsapp_voice_and_message.pcap.out @@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 5/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 5/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/whatsappfiles.pcap.out b/tests/cfgs/default/result/whatsappfiles.pcap.out index 35bb0e962..6161a0b77 100644 --- a/tests/cfgs/default/result/whatsappfiles.pcap.out +++ b/tests/cfgs/default/result/whatsappfiles.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/2 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 2/2 (search/found) Hash public domain suffix: 18/10 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 4/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/whois.pcapng.out b/tests/cfgs/default/result/whois.pcapng.out index a82e2e8ee..abc07e8a9 100644 --- a/tests/cfgs/default/result/whois.pcapng.out +++ b/tests/cfgs/default/result/whois.pcapng.out 
@@ -22,11 +22,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 6/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 2/0 (search/found) Hash public domain suffix: 3/3 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/windscribe.pcapng.out b/tests/cfgs/default/result/windscribe.pcapng.out index 458c5d735..18a8be323 100644 --- a/tests/cfgs/default/result/windscribe.pcapng.out +++ b/tests/cfgs/default/result/windscribe.pcapng.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/xiaomi.pcap.out b/tests/cfgs/default/result/xiaomi.pcap.out index 1747e58b6..c111d8abd 100644 --- a/tests/cfgs/default/result/xiaomi.pcap.out +++ b/tests/cfgs/default/result/xiaomi.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/3 (search/found) Hash public domain suffix: 31/12 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 6/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 1/0 (search/found) 
diff --git a/tests/cfgs/default/result/yandex.pcapng.out b/tests/cfgs/default/result/yandex.pcapng.out index 78c4919a1..c0e128076 100644 --- a/tests/cfgs/default/result/yandex.pcapng.out +++ b/tests/cfgs/default/result/yandex.pcapng.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 9/9 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 9/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 2/0 (search/found) Hash TCP fingerprints: 9/9 (search/found) Hash public domain suffix: 77/46 (search/found) -Hash ja4 custom protos: 9/0 (search/found) +Hash ja4 custom protos: 14/0 (search/found) Hash fp custom protos: 9/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/youtubeupload.pcap.out b/tests/cfgs/default/result/youtubeupload.pcap.out index d529bbd9c..1595295ad 100644 --- a/tests/cfgs/default/result/youtubeupload.pcap.out +++ b/tests/cfgs/default/result/youtubeupload.pcap.out @@ -20,11 +20,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 3/3 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 27/15 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/z3950.pcapng.out b/tests/cfgs/default/result/z3950.pcapng.out index 0b2f2c125..b174d2555 100644 --- a/tests/cfgs/default/result/z3950.pcapng.out +++ b/tests/cfgs/default/result/z3950.pcapng.out 
@@ -26,7 +26,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 2/1 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/zattoo.pcap.out b/tests/cfgs/default/result/zattoo.pcap.out index 66f5822de..b3d9bbbed 100644 --- a/tests/cfgs/default/result/zattoo.pcap.out +++ b/tests/cfgs/default/result/zattoo.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 4/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 2/0 (search/found) Hash public domain suffix: 13/9 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 1/0 (search/found) diff --git a/tests/cfgs/default/result/zeromq.pcapng.out b/tests/cfgs/default/result/zeromq.pcapng.out index 8732af1e2..cfb45e56f 100644 --- a/tests/cfgs/default/result/zeromq.pcapng.out +++ b/tests/cfgs/default/result/zeromq.pcapng.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/zoom.pcap.out b/tests/cfgs/default/result/zoom.pcap.out index bfb5a9728..096cc62f7 100644 --- a/tests/cfgs/default/result/zoom.pcap.out +++ b/tests/cfgs/default/result/zoom.pcap.out 
@@ -24,11 +24,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 52/16 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 10/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 8/0 (search/found) Hash TCP fingerprints: 9/0 (search/found) Hash public domain suffix: 169/93 (search/found) -Hash ja4 custom protos: 10/0 (search/found) +Hash ja4 custom protos: 21/0 (search/found) Hash fp custom protos: 10/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/default/result/zoom2.pcap.out b/tests/cfgs/default/result/zoom2.pcap.out index 800e7ac79..db5b544b5 100644 --- a/tests/cfgs/default/result/zoom2.pcap.out +++ b/tests/cfgs/default/result/zoom2.pcap.out @@ -20,11 +20,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 4/4 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 11/6 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/disable_aggressiveness/result/ookla.pcap.out b/tests/cfgs/disable_aggressiveness/result/ookla.pcap.out index 7b827f87e..b0715108a 100644 --- a/tests/cfgs/disable_aggressiveness/result/ookla.pcap.out +++ b/tests/cfgs/disable_aggressiveness/result/ookla.pcap.out 
@@ -22,11 +22,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 11/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 6/4 (search/found) Hash public domain suffix: 42/25 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 7/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 1/0 (search/found) diff --git a/tests/cfgs/disable_protocols/result/pluralsight.pcap.out b/tests/cfgs/disable_protocols/result/pluralsight.pcap.out index 229f8f3a4..35918ce4d 100644 --- a/tests/cfgs/disable_protocols/result/pluralsight.pcap.out +++ b/tests/cfgs/disable_protocols/result/pluralsight.pcap.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 8/4 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 6/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 4/0 (search/found) Hash TCP fingerprints: 6/6 (search/found) Hash public domain suffix: 140/106 (search/found) -Hash ja4 custom protos: 6/0 (search/found) +Hash ja4 custom protos: 12/0 (search/found) Hash fp custom protos: 6/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/disable_protocols/result/soap.pcap.out b/tests/cfgs/disable_protocols/result/soap.pcap.out index 07982e43a..8ab4a3b5e 100644 --- a/tests/cfgs/disable_protocols/result/soap.pcap.out +++ b/tests/cfgs/disable_protocols/result/soap.pcap.out 
@@ -26,7 +26,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 9/5 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 1/0 (search/found) diff --git a/tests/cfgs/disable_use_client_port/result/iphone.pcap.out b/tests/cfgs/disable_use_client_port/result/iphone.pcap.out index 571475635..56f4a54e6 100644 --- a/tests/cfgs/disable_use_client_port/result/iphone.pcap.out +++ b/tests/cfgs/disable_use_client_port/result/iphone.pcap.out @@ -22,11 +22,11 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 5/0 (search/found) Patricia protocols: 77/15 (search/found) Patricia protocols IPv6: 10/0 (search/found) -Hash malicious ja4: 14/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 7/0 (search/found) Hash TCP fingerprints: 15/1 (search/found) Hash public domain suffix: 508/266 (search/found) -Hash ja4 custom protos: 14/0 (search/found) +Hash ja4 custom protos: 28/0 (search/found) Hash fp custom protos: 14/0 (search/found) Hash url custom protos: 1/0 (search/found) diff --git a/tests/cfgs/enable_doh_heuristic/result/doh.pcapng.out b/tests/cfgs/enable_doh_heuristic/result/doh.pcapng.out index fac35fa0a..577e2c33f 100644 --- a/tests/cfgs/enable_doh_heuristic/result/doh.pcapng.out +++ b/tests/cfgs/enable_doh_heuristic/result/doh.pcapng.out 
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/enable_payload_stat/result/1kxun.pcap.out b/tests/cfgs/enable_payload_stat/result/1kxun.pcap.out index 62146bae7..db468cb5a 100644 --- a/tests/cfgs/enable_payload_stat/result/1kxun.pcap.out +++ b/tests/cfgs/enable_payload_stat/result/1kxun.pcap.out @@ -24,11 +24,11 @@ Patricia risk: 3/0 (search/found) Patricia risk IPv6: 25/0 (search/found) Patricia protocols: 286/58 (search/found) Patricia protocols IPv6: 50/0 (search/found) -Hash malicious ja4: 4/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 22/0 (search/found) Hash public domain suffix: 1248/684 (search/found) -Hash ja4 custom protos: 4/0 (search/found) +Hash ja4 custom protos: 11/0 (search/found) Hash fp custom protos: 4/0 (search/found) Hash url custom protos: 85/0 (search/found) diff --git a/tests/cfgs/flow_risk_infos_disabled/result/tls_malicious_sha1.pcapng.out b/tests/cfgs/flow_risk_infos_disabled/result/tls_malicious_sha1.pcapng.out index d6beab6db..12d01f844 100644 --- a/tests/cfgs/flow_risk_infos_disabled/result/tls_malicious_sha1.pcapng.out +++ b/tests/cfgs/flow_risk_infos_disabled/result/tls_malicious_sha1.pcapng.out 
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 0/0 (search/found) Patricia protocols IPv6: 1/1 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/1 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 27/17 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/fpc/result/1kxun.pcap.out b/tests/cfgs/fpc/result/1kxun.pcap.out index 231ca9320..d97a42f17 100644 --- a/tests/cfgs/fpc/result/1kxun.pcap.out +++ b/tests/cfgs/fpc/result/1kxun.pcap.out @@ -28,11 +28,11 @@ Patricia risk: 3/0 (search/found) Patricia risk IPv6: 25/0 (search/found) Patricia protocols: 286/58 (search/found) Patricia protocols IPv6: 50/0 (search/found) -Hash malicious ja4: 4/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 22/0 (search/found) Hash public domain suffix: 1248/684 (search/found) -Hash ja4 custom protos: 4/0 (search/found) +Hash ja4 custom protos: 11/0 (search/found) Hash fp custom protos: 4/0 (search/found) Hash url custom protos: 85/0 (search/found) diff --git a/tests/cfgs/fpc_disabled/result/teams.pcap.out b/tests/cfgs/fpc_disabled/result/teams.pcap.out index 9137a3787..bafb5dfcc 100644 --- a/tests/cfgs/fpc_disabled/result/teams.pcap.out +++ b/tests/cfgs/fpc_disabled/result/teams.pcap.out 
@@ -26,11 +26,11 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 119/49 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 38/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 18/0 (search/found) Hash TCP fingerprints: 38/0 (search/found) Hash public domain suffix: 961/531 (search/found) -Hash ja4 custom protos: 38/0 (search/found) +Hash ja4 custom protos: 75/0 (search/found) Hash fp custom protos: 38/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/guess_ip_before_port_enabled/result/1kxun.pcap.out b/tests/cfgs/guess_ip_before_port_enabled/result/1kxun.pcap.out index d6dbc3732..098e7859a 100644 --- a/tests/cfgs/guess_ip_before_port_enabled/result/1kxun.pcap.out +++ b/tests/cfgs/guess_ip_before_port_enabled/result/1kxun.pcap.out @@ -25,11 +25,11 @@ Patricia risk: 3/0 (search/found) Patricia risk IPv6: 25/0 (search/found) Patricia protocols: 286/58 (search/found) Patricia protocols IPv6: 50/0 (search/found) -Hash malicious ja4: 4/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 22/0 (search/found) Hash public domain suffix: 1248/684 (search/found) -Hash ja4 custom protos: 4/0 (search/found) +Hash ja4 custom protos: 11/0 (search/found) Hash fp custom protos: 4/0 (search/found) Hash url custom protos: 85/0 (search/found) diff --git a/tests/cfgs/guessing_disable/result/webex.pcap.out b/tests/cfgs/guessing_disable/result/webex.pcap.out index ac58a4c24..ce81009a1 100644 --- a/tests/cfgs/guessing_disable/result/webex.pcap.out +++ b/tests/cfgs/guessing_disable/result/webex.pcap.out 
@@ -21,11 +21,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 68/46 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 49/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 28/0 (search/found) Hash TCP fingerprints: 52/52 (search/found) Hash public domain suffix: 322/252 (search/found) -Hash ja4 custom protos: 49/0 (search/found) +Hash ja4 custom protos: 86/0 (search/found) Hash fp custom protos: 49/0 (search/found) Hash url custom protos: 2/0 (search/found) diff --git a/tests/cfgs/hostname_dns_check/result/netflix.pcap.out b/tests/cfgs/hostname_dns_check/result/netflix.pcap.out index 50a80dfc7..525377787 100644 --- a/tests/cfgs/hostname_dns_check/result/netflix.pcap.out +++ b/tests/cfgs/hostname_dns_check/result/netflix.pcap.out @@ -24,11 +24,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 75/47 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 20/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 16/0 (search/found) Hash TCP fingerprints: 46/0 (search/found) Hash public domain suffix: 609/307 (search/found) -Hash ja4 custom protos: 20/0 (search/found) +Hash ja4 custom protos: 40/0 (search/found) Hash fp custom protos: 20/0 (search/found) Hash url custom protos: 26/0 (search/found) diff --git a/tests/cfgs/ip_lists_disable/result/1kxun.pcap.out b/tests/cfgs/ip_lists_disable/result/1kxun.pcap.out index e4e666e6e..65d8d5e7f 100644 --- a/tests/cfgs/ip_lists_disable/result/1kxun.pcap.out +++ b/tests/cfgs/ip_lists_disable/result/1kxun.pcap.out 
@@ -24,11 +24,11 @@ Patricia risk: 3/0 (search/found) Patricia risk IPv6: 25/0 (search/found) Patricia protocols: 344/0 (search/found) Patricia protocols IPv6: 50/0 (search/found) -Hash malicious ja4: 4/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 22/0 (search/found) Hash public domain suffix: 1248/684 (search/found) -Hash ja4 custom protos: 4/0 (search/found) +Hash ja4 custom protos: 11/0 (search/found) Hash fp custom protos: 4/0 (search/found) Hash url custom protos: 85/0 (search/found) diff --git a/tests/cfgs/monitoring/result/s7comm.pcap.out b/tests/cfgs/monitoring/result/s7comm.pcap.out index 0a0258f7e..b2f1377a9 100644 --- a/tests/cfgs/monitoring/result/s7comm.pcap.out +++ b/tests/cfgs/monitoring/result/s7comm.pcap.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 2/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 4/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/monitoring/result/stun.pcap.out b/tests/cfgs/monitoring/result/stun.pcap.out index aed0058b6..4273b914d 100644 --- a/tests/cfgs/monitoring/result/stun.pcap.out +++ b/tests/cfgs/monitoring/result/stun.pcap.out @@ -21,11 +21,11 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 2/0 (search/found) Patricia protocols: 9/5 (search/found) Patricia protocols IPv6: 4/1 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 4/2 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) 
diff --git a/tests/cfgs/monitoring/result/stun_google_meet.pcapng.out b/tests/cfgs/monitoring/result/stun_google_meet.pcapng.out index fe77fdf66..22e56993a 100644 --- a/tests/cfgs/monitoring/result/stun_google_meet.pcapng.out +++ b/tests/cfgs/monitoring/result/stun_google_meet.pcapng.out @@ -20,7 +20,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 6/6 (search/found) Patricia protocols IPv6: 1/1 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 2/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) diff --git a/tests/cfgs/monitoring/result/stun_zoom.pcapng.out b/tests/cfgs/monitoring/result/stun_zoom.pcapng.out index a149bae98..8cf6cc7da 100644 --- a/tests/cfgs/monitoring/result/stun_zoom.pcapng.out +++ b/tests/cfgs/monitoring/result/stun_zoom.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/2 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 7/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 2/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 14/8 (search/found) diff --git a/tests/cfgs/monitoring/result/teams.pcap.out b/tests/cfgs/monitoring/result/teams.pcap.out index bfeceebfc..f5da9ec29 100644 --- a/tests/cfgs/monitoring/result/teams.pcap.out +++ b/tests/cfgs/monitoring/result/teams.pcap.out 
@@ -26,11 +26,11 @@ Patricia risk: 1/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 119/49 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 38/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 18/0 (search/found) Hash TCP fingerprints: 38/0 (search/found) Hash public domain suffix: 961/531 (search/found) -Hash ja4 custom protos: 38/0 (search/found) +Hash ja4 custom protos: 75/0 (search/found) Hash fp custom protos: 38/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/monitoring/result/telegram_videocall.pcapng.out b/tests/cfgs/monitoring/result/telegram_videocall.pcapng.out index 414b6ab15..662a8a0c3 100644 --- a/tests/cfgs/monitoring/result/telegram_videocall.pcapng.out +++ b/tests/cfgs/monitoring/result/telegram_videocall.pcapng.out @@ -30,7 +30,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 8/8 (search/found) Hash public domain suffix: 12/6 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 9/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/monitoring/result/telegram_videocall_2.pcapng.out b/tests/cfgs/monitoring/result/telegram_videocall_2.pcapng.out index 3e0766c8a..6b6a9e26b 100644 --- a/tests/cfgs/monitoring/result/telegram_videocall_2.pcapng.out +++ b/tests/cfgs/monitoring/result/telegram_videocall_2.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 8/6 (search/found) Patricia protocols IPv6: 2/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 6/0 (search/found) 
diff --git a/tests/cfgs/monitoring/result/telegram_voice.pcapng.out b/tests/cfgs/monitoring/result/telegram_voice.pcapng.out index f74e83bf5..aa0ba37dc 100644 --- a/tests/cfgs/monitoring/result/telegram_voice.pcapng.out +++ b/tests/cfgs/monitoring/result/telegram_voice.pcapng.out @@ -20,7 +20,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 11/7 (search/found) Patricia protocols IPv6: 2/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 24/11 (search/found) diff --git a/tests/cfgs/ndpireader_conf_file/result/openvpn_obfuscated.pcapng.out b/tests/cfgs/ndpireader_conf_file/result/openvpn_obfuscated.pcapng.out index 443daa575..51ba7985c 100644 --- a/tests/cfgs/ndpireader_conf_file/result/openvpn_obfuscated.pcapng.out +++ b/tests/cfgs/ndpireader_conf_file/result/openvpn_obfuscated.pcapng.out @@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/ndpireader_conf_file/result/shadowsocks.pcap.out b/tests/cfgs/ndpireader_conf_file/result/shadowsocks.pcap.out index 763de8bf1..ee0feae86 100644 --- a/tests/cfgs/ndpireader_conf_file/result/shadowsocks.pcap.out +++ b/tests/cfgs/ndpireader_conf_file/result/shadowsocks.pcap.out 
@@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 2/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/ndpireader_conf_file/result/stun_signal_tcp.pcapng.out b/tests/cfgs/ndpireader_conf_file/result/stun_signal_tcp.pcapng.out index 0b9e7d23e..a209e1cb4 100644 --- a/tests/cfgs/ndpireader_conf_file/result/stun_signal_tcp.pcapng.out +++ b/tests/cfgs/ndpireader_conf_file/result/stun_signal_tcp.pcapng.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/openvpn_heuristic_enabled/result/openvpn_obfuscated.pcapng.out b/tests/cfgs/openvpn_heuristic_enabled/result/openvpn_obfuscated.pcapng.out index f92474ea2..d7fe54931 100644 --- a/tests/cfgs/openvpn_heuristic_enabled/result/openvpn_obfuscated.pcapng.out +++ b/tests/cfgs/openvpn_heuristic_enabled/result/openvpn_obfuscated.pcapng.out @@ -24,7 +24,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/plugins/result/plugin.pcapng.out b/tests/cfgs/plugins/result/plugin.pcapng.out index da4bd6fbb..87899d2a1 100644 --- a/tests/cfgs/plugins/result/plugin.pcapng.out +++ b/tests/cfgs/plugins/result/plugin.pcapng.out 
@@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 0/0 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/stun_extra_dissection/result/stun_dtls_rtp.pcapng.out b/tests/cfgs/stun_extra_dissection/result/stun_dtls_rtp.pcapng.out index 9a52f0594..baf2bb936 100644 --- a/tests/cfgs/stun_extra_dissection/result/stun_dtls_rtp.pcapng.out +++ b/tests/cfgs/stun_extra_dissection/result/stun_dtls_rtp.pcapng.out @@ -20,7 +20,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/2 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 2/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 0/0 (search/found) diff --git a/tests/cfgs/stun_extra_dissection/result/stun_dtls_rtp_unidir.pcapng.out b/tests/cfgs/stun_extra_dissection/result/stun_dtls_rtp_unidir.pcapng.out index 55990ee12..f6312d3ff 100644 --- a/tests/cfgs/stun_extra_dissection/result/stun_dtls_rtp_unidir.pcapng.out +++ b/tests/cfgs/stun_extra_dissection/result/stun_dtls_rtp_unidir.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 4/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 4/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 0/0 (search/found) diff --git a/tests/cfgs/stun_extra_dissection/result/stun_zoom.pcapng.out b/tests/cfgs/stun_extra_dissection/result/stun_zoom.pcapng.out index 8daf4e78a..70b238170 100644 
--- a/tests/cfgs/stun_extra_dissection/result/stun_zoom.pcapng.out +++ b/tests/cfgs/stun_extra_dissection/result/stun_zoom.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/2 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 7/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 2/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 14/8 (search/found) diff --git a/tests/cfgs/stun_only_peer_address_enabled/result/telegram_videocall.pcapng.out b/tests/cfgs/stun_only_peer_address_enabled/result/telegram_videocall.pcapng.out index 113bbff47..a41064205 100644 --- a/tests/cfgs/stun_only_peer_address_enabled/result/telegram_videocall.pcapng.out +++ b/tests/cfgs/stun_only_peer_address_enabled/result/telegram_videocall.pcapng.out @@ -30,7 +30,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 8/8 (search/found) Hash public domain suffix: 12/6 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 9/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/subclassification_disable/result/anydesk.pcapng.out b/tests/cfgs/subclassification_disable/result/anydesk.pcapng.out index 6b4278614..4f6eae696 100644 --- a/tests/cfgs/subclassification_disable/result/anydesk.pcapng.out +++ b/tests/cfgs/subclassification_disable/result/anydesk.pcapng.out 
@@ -20,11 +20,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 12/2 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 4/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 4/0 (search/found) Hash TCP fingerprints: 4/3 (search/found) Hash public domain suffix: 40/22 (search/found) -Hash ja4 custom protos: 4/0 (search/found) +Hash ja4 custom protos: 9/0 (search/found) Hash fp custom protos: 4/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/subclassification_disable/result/quic-mvfst-27.pcapng.out b/tests/cfgs/subclassification_disable/result/quic-mvfst-27.pcapng.out index 9ae07cdd9..57d6f6bc5 100644 --- a/tests/cfgs/subclassification_disable/result/quic-mvfst-27.pcapng.out +++ b/tests/cfgs/subclassification_disable/result/quic-mvfst-27.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 9/5 (search/found) diff --git a/tests/cfgs/subclassification_disable/result/tls_ech.pcapng.out b/tests/cfgs/subclassification_disable/result/tls_ech.pcapng.out index 9dca014d5..ebb6509cb 100644 --- a/tests/cfgs/subclassification_disable/result/tls_ech.pcapng.out +++ b/tests/cfgs/subclassification_disable/result/tls_ech.pcapng.out 
@@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 0/0 (search/found) Patricia protocols IPv6: 1/1 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 11/6 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/tls_analysis/result/ookla.pcap.out b/tests/cfgs/tls_analysis/result/ookla.pcap.out index 61cd3c294..9febe0752 100644 --- a/tests/cfgs/tls_analysis/result/ookla.pcap.out +++ b/tests/cfgs/tls_analysis/result/ookla.pcap.out @@ -23,11 +23,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 11/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 6/4 (search/found) Hash public domain suffix: 42/25 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 6/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 1/0 (search/found) 
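Review bot: The `Hash malicious ja4` counter in this ookla.pcap.out hunk drops from `2/0` to `0/0` although both TLS flows in the file still print a JA4 value, so the expected output now records that no malicious-JA4 lookup ran for them. The same drop to `0/0` appears in the telegram_voice, stun_dtls_rtp, stun_dtls_rtp_unidir, stun_zoom, anydesk, quic-mvfst-27, tls_ech, tls_1.2_unidirectional_client, tls_1.2_unidirectional_client_no_cert, tls_1.3_unidirectional_client and tls_alert fixtures. The fixtures alone do not show whether the lookup is now skipped because no malicious-JA4 list is loaded in these runs, or was folded into the `Hash ja4 custom protos` table (whose search count rises here from `2/0` to `6/0`); the commit description should state which. Every visible fixture has a found count of 0 for both tables, before and after, so a regression that stops malicious JA4 fingerprints from matching would leave these golden files unchanged. I would add one fixture that loads a list containing a JA4 present in its capture, so that the expected output carries a line such as `Hash malicious ja4: 1/1 (search/found)` (constructed value) together with whatever risk the match is expected to raise on the flow.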
@@ -43,8 +43,8 @@ JA Host Stats: 1 192.168.1.128 2 - 1 TCP 192.168.1.128:35830 <-> 89.96.108.170:8080 [proto: 91.191/TLS.Ookla][Stack: TLS.Ookla][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][Breed: Safe][21 pkts/21216 bytes <-> 8 pkts/1950 bytes][Goodput ratio: 93/72][0.32 sec][Hostname/SNI: spd-pub-mi-01-01.fastwebnet.it][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: 0.832 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 17/61 274/280 62/109][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 1010/244 1514/387 612/138][nDPI Fingerprint: f861d648f62150ae6a4f698b5b0b4477][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.3][JA4: t13d1714h2_5b57614c22b0_8f66f9ee9c6c][JA3S: fcb2d4d0991292272fcb1e464eedfd43][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,4,0,0,0,0,4,9,0,9,0,0,0,0,0,4,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,55,0,0][TLS blocks: 22:1=314,22:2=-157,20=-1,23=-23,23=-53,20=1,23=53,23=521] - 2 TCP 192.168.1.128:48854 <-> 104.16.209.12:443 [proto: 91.191/TLS.Ookla][Stack: TLS.Ookla][IP: 220/Cloudflare][Encrypted][Confidence: DPI][FPC: 220/Cloudflare, Confidence: IP address][DPI packets: 14][cat: Network/14][Breed: Safe][8 pkts/1620 bytes <-> 6 pkts/3818 bytes][Goodput ratio: 67/89][0.06 sec][Hostname/SNI: www.speedtest.net][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.404 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 7/5 18/15 7/6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 202/636 583/1514 181/646][nDPI Fingerprint: aac0af180be367673e460309fe548c48][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.3][JA4: t13d1715h2_5b57614c22b0_3d5424432f57][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Firefox][Cipher: TLS_AES_128_GCM_SHA256][PLAIN TEXT (@oTAgOeedtest.net)][Plen Bins: 0,0,14,0,0,14,0,0,0,0,14,0,0,0,0,0,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,0,0][TLS blocks: 
22:1=314,22:2=-118,20=-1,23=-2755,20=1,23=53,23=165,23=328] + 1 TCP 192.168.1.128:35830 <-> 89.96.108.170:8080 [proto: 91.191/TLS.Ookla][Stack: TLS.Ookla][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Web/5][Breed: Safe][21 pkts/21216 bytes <-> 8 pkts/1950 bytes][Goodput ratio: 93/72][0.32 sec][Hostname/SNI: spd-pub-mi-01-01.fastwebnet.it][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: 0.832 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 17/61 274/280 62/109][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 1010/244 1514/387 612/138][nDPI Fingerprint: f861d648f62150ae6a4f698b5b0b4477][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.3][JA4: t13d1714h2_5b57614c22b0_8f66f9ee9c6c][JA3S: fcb2d4d0991292272fcb1e464eedfd43][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,4,0,0,0,0,4,9,0,9,0,0,0,0,0,4,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,55,0,0][TLS blocks: 22:1=314,22:2=-157,20=-1,23=-23,23=-53,20=1,23=53,23=521][84013a85ff6381ffff8fffe98fffcb8100018f00358f0209] + 2 TCP 192.168.1.128:48854 <-> 104.16.209.12:443 [proto: 91.191/TLS.Ookla][Stack: TLS.Ookla][IP: 220/Cloudflare][Encrypted][Confidence: DPI][FPC: 220/Cloudflare, Confidence: IP address][DPI packets: 14][cat: Network/14][Breed: Safe][8 pkts/1620 bytes <-> 6 pkts/3818 bytes][Goodput ratio: 67/89][0.06 sec][Hostname/SNI: www.speedtest.net][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.404 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 7/5 18/15 7/6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 202/636 583/1514 181/646][nDPI Fingerprint: aac0af180be367673e460309fe548c48][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.3][JA4: t13d1715h2_5b57614c22b0_3d5424432f57][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Firefox][Cipher: TLS_AES_128_GCM_SHA256][PLAIN TEXT (@oTAgOeedtest.net)][Plen Bins: 
0,0,14,0,0,14,0,0,0,0,14,0,0,0,0,0,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,0,0][TLS blocks: 22:1=314,22:2=-118,20=-1,23=-2755,20=1,23=53,23=165,23=328][84013a85ff8a81ffff8ff53d8100018f00358f00a58f0148] 3 TCP 192.168.1.7:51207 <-> 46.44.253.187:80 [proto: 7.191/HTTP.Ookla][Stack: HTTP.Ookla][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Network/14][Breed: Safe][12 pkts/2238 bytes <-> 8 pkts/2082 bytes][Goodput ratio: 64/74][5.33 sec][Hostname/SNI: massarosa-1.speedtest.welcomeitalia.it][bytes ratio: 0.036 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/4 528/47 5005/84 1493/28][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 186/260 430/523 168/194][URL: massarosa-1.speedtest.welcomeitalia.it/crossdomain.xml][StatusCode: 200][Content-Type: application/xml][Server: Apache/2.2.22 (Ubuntu)][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8][Risk: ** HTTP Obsolete Server **][Risk Score: 50][Risk Info: Obsolete Apache server 2.2.22][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][PLAIN TEXT (GET /crossdomain.xml HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,12,75,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 TCP 192.168.1.192:51156 <-> 89.96.108.170:8080 [proto: 191/Ookla][Stack: Ookla][IP: 0/Unknown][ClearText][Confidence: DPI (partial cache)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 10][cat: Network/14][Breed: Safe][6 pkts/591 bytes <-> 4 pkts/1784 bytes][Goodput ratio: 32/85][0.05 sec][bytes ratio: -0.502 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/10 15/20 6/8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 98/446 143/1514 31/617][Risk: ** Susp Entropy **][Risk Score: 10][Risk Info: Entropy: 5.470 (Executable?)][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][PLAIN TEXT (gKRZvA)][Plen Bins: 
0,40,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0] 5 TCP 192.168.1.7:51215 <-> 46.44.253.187:8080 [proto: 191/Ookla][Stack: Ookla][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Network/14][Breed: Safe][19 pkts/1421 bytes <-> 11 pkts/920 bytes][Goodput ratio: 11/20][0.80 sec][bytes ratio: 0.214 (Upload)][IAT c2s/s2c min/avg/max/stddev: 26/0 44/75 103/137 23/41][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 75/84 85/100 9/8][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][PLAIN TEXT ( 6HELLO 2.4 2016)][Plen Bins: 94,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/tls_analysis/result/tls-appdata.pcap.out b/tests/cfgs/tls_analysis/result/tls-appdata.pcap.out index bdbdff3bf..100f183d6 100644 --- a/tests/cfgs/tls_analysis/result/tls-appdata.pcap.out +++ b/tests/cfgs/tls_analysis/result/tls-appdata.pcap.out 
@@ -33,5 +33,5 @@ Safe 120 119945 2 Web 120 119945 2 - 1 TCP 192.168.2.100:58976 <-> 52.223.198.7:443 [proto: 91/TLS][Stack: TLS][IP: 195/Twitch][Encrypted][Confidence: DPI][FPC: 195/Twitch, Confidence: IP address][DPI packets: 32][cat: Web/5][Breed: Safe][65 pkts/15286 bytes <-> 49 pkts/103870 bytes][Goodput ratio: 77/97][4470.16 sec][bytes ratio: -0.743 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 86847/10887 1637911/18446744073709505728 325792/64809][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 235/2120 1506/2958 476/1092][Plen Bins: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,33,0,51][TLS blocks: 23=1467,23=-12990] - 2 TCP 179.60.195.173:443 <-> 192.168.2.100:60636 [proto: 91/TLS][Stack: TLS][IP: 119/Facebook][Encrypted][Confidence: DPI][FPC: 91/TLS, Confidence: DPI][DPI packets: 6][cat: Web/5][Breed: Safe][3 pkts/627 bytes <-> 3 pkts/162 bytes][Goodput ratio: 68/0][0.22 sec][bytes ratio: 0.589 (Upload)][IAT c2s/s2c min/avg/max/stddev: 11/0 56/0 101/0 45/0][Pkt Len c2s/s2c min/avg/max/stddev: 201/54 209/54 225/54 11/0][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0][TLS blocks: 23=-154,23=-130] + 1 TCP 192.168.2.100:58976 <-> 52.223.198.7:443 [proto: 91/TLS][Stack: TLS][IP: 195/Twitch][Encrypted][Confidence: DPI][FPC: 195/Twitch, Confidence: IP address][DPI packets: 32][cat: Web/5][Breed: Safe][65 pkts/15286 bytes <-> 49 pkts/103870 bytes][Goodput ratio: 77/97][4470.16 sec][bytes ratio: -0.743 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 86847/10887 1637911/18446744073709505728 325792/64809][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 235/2120 1506/2958 476/1092][Plen Bins: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,33,0,51][TLS blocks: 23=1467,23=-12990][8f05bb8fcd42] + 2 TCP 179.60.195.173:443 <-> 192.168.2.100:60636 [proto: 91/TLS][Stack: TLS][IP: 119/Facebook][Encrypted][Confidence: DPI][FPC: 91/TLS, 
Confidence: DPI][DPI packets: 6][cat: Web/5][Breed: Safe][3 pkts/627 bytes <-> 3 pkts/162 bytes][Goodput ratio: 68/0][0.22 sec][bytes ratio: 0.589 (Upload)][IAT c2s/s2c min/avg/max/stddev: 11/0 56/0 101/0 45/0][Pkt Len c2s/s2c min/avg/max/stddev: 201/54 209/54 225/54 11/0][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0][TLS blocks: 23=-154,23=-130][8fff668fff7e] diff --git a/tests/cfgs/tls_analysis/result/tls_1.2_unidirectional_client.pcapng.out b/tests/cfgs/tls_analysis/result/tls_1.2_unidirectional_client.pcapng.out index a50145064..928e9a996 100644 --- a/tests/cfgs/tls_analysis/result/tls_1.2_unidirectional_client.pcapng.out +++ b/tests/cfgs/tls_analysis/result/tls_1.2_unidirectional_client.pcapng.out @@ -19,11 +19,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 9/5 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found) 
@@ -38,4 +38,4 @@ JA Host Stats: 1 192.168.12.156 1 - 1 TCP 192.168.12.156:43854 -> 216.58.209.42:443 [proto: 91.239/TLS.GoogleServices][Stack: TLS.GoogleServices][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 126/Google, Confidence: IP address][DPI packets: 13][cat: Web/5][Breed: Acceptable][17 pkts/3004 bytes -> 0 pkts/0 bytes][Goodput ratio: 62/0][11.30 sec][Hostname/SNI: notifications-pa.googleapis.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 753/0 10866/0 2704/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/0 177/0 1090/0 251/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][nDPI Fingerprint: aa392a05c90f08b9dfcea6e04b805b23][TCP Fingerprint: 2_64_65535_685ad951a756/Android][TLSv1.2][JA4: t12d0409h2_dd22d19553a2_b39be8c56a14][Plen Bins: 0,42,14,0,0,14,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0][TLS blocks: 22:1=115,22:16=33,20=1,22:0=40,23=48,23=39,23=37,23=1361] + 1 TCP 192.168.12.156:43854 -> 216.58.209.42:443 [proto: 91.239/TLS.GoogleServices][Stack: TLS.GoogleServices][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 126/Google, Confidence: IP address][DPI packets: 13][cat: Web/5][Breed: Acceptable][17 pkts/3004 bytes -> 0 pkts/0 bytes][Goodput ratio: 62/0][11.30 sec][Hostname/SNI: notifications-pa.googleapis.com][(Advertised) ALPNs: h2;http/1.1][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 753/0 10866/0 2704/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/0 177/0 1090/0 251/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][nDPI Fingerprint: aa392a05c90f08b9dfcea6e04b805b23][TCP Fingerprint: 2_64_65535_685ad951a756/Android][TLSv1.2][JA4: t12d0409h2_dd22d19553a2_b39be8c56a14][Plen Bins: 0,42,14,0,0,14,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0][TLS blocks: 
22:1=115,22:16=33,20=1,22:0=40,23=48,23=39,23=37,23=1361][8400738d00218100018300288f00308f00278f00258f0551] diff --git a/tests/cfgs/tls_analysis/result/tls_1.2_unidirectional_client_no_cert.pcapng.out b/tests/cfgs/tls_analysis/result/tls_1.2_unidirectional_client_no_cert.pcapng.out index 505232521..ac9aec000 100644 --- a/tests/cfgs/tls_analysis/result/tls_1.2_unidirectional_client_no_cert.pcapng.out +++ b/tests/cfgs/tls_analysis/result/tls_1.2_unidirectional_client_no_cert.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 18/11 (search/found) 
@@ -38,4 +38,4 @@ JA Host Stats: 1 192.168.12.156 1 - 1 TCP 192.168.12.156:39958 -> 172.67.21.133:443 [proto: 91/TLS][Stack: TLS][IP: 220/Cloudflare][Encrypted][Confidence: DPI][FPC: 220/Cloudflare, Confidence: IP address][DPI packets: 10][cat: Web/5][Breed: Safe][10 pkts/1549 bytes -> 0 pkts/0 bytes][Goodput ratio: 64/0][0.30 sec][Hostname/SNI: sb.adtidy.org][(Advertised) ALPNs: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 33/0 154/0 47/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/0 155/0 571/0 179/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][nDPI Fingerprint: 6ff9dd7d75f3c03976cdd8c1be1bbb55][TCP Fingerprint: 2_64_65535_685ad951a756/Android][TLSv1.2][JA4: t13d1713h1_5b57614c22b0_eca864cca44a][Safari][Plen Bins: 25,25,0,0,0,0,0,0,0,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0][TLS blocks: 22:1=218,20=1,22:0=40,23=385,21=26] + 1 TCP 192.168.12.156:39958 -> 172.67.21.133:443 [proto: 91/TLS][Stack: TLS][IP: 220/Cloudflare][Encrypted][Confidence: DPI][FPC: 220/Cloudflare, Confidence: IP address][DPI packets: 10][cat: Web/5][Breed: Safe][10 pkts/1549 bytes -> 0 pkts/0 bytes][Goodput ratio: 64/0][0.30 sec][Hostname/SNI: sb.adtidy.org][(Advertised) ALPNs: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 33/0 154/0 47/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/0 155/0 571/0 179/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][nDPI Fingerprint: 6ff9dd7d75f3c03976cdd8c1be1bbb55][TCP Fingerprint: 2_64_65535_685ad951a756/Android][TLSv1.2][JA4: t13d1713h1_5b57614c22b0_eca864cca44a][Safari][Plen Bins: 25,25,0,0,0,0,0,0,0,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0][TLS blocks: 22:1=218,20=1,22:0=40,23=385,21=26][8400da8100018300288f018182001a] 
diff --git a/tests/cfgs/tls_analysis/result/tls_1.2_unidirectional_server.pcapng.out b/tests/cfgs/tls_analysis/result/tls_1.2_unidirectional_server.pcapng.out index 6648a921d..4dca6e0cf 100644 --- a/tests/cfgs/tls_analysis/result/tls_1.2_unidirectional_server.pcapng.out +++ b/tests/cfgs/tls_analysis/result/tls_1.2_unidirectional_server.pcapng.out @@ -23,7 +23,7 @@ Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 0/0 (search/found) Hash public domain suffix: 7/4 (search/found) -Hash ja4 custom protos: 0/0 (search/found) +Hash ja4 custom protos: 1/0 (search/found) Hash fp custom protos: 0/0 (search/found) Hash url custom protos: 0/0 (search/found) 
@@ -37,4 +37,4 @@ JA Host Stats: IP Address # JA4C - 1 TCP 216.58.209.42:443 -> 192.168.12.156:43854 [proto: 91.136/TLS.YouTubeUpload][Stack: TLS.YouTubeUpload][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 126/Google, Confidence: IP address][DPI packets: 8][cat: Media/1][Breed: Fun][18 pkts/7218 bytes -> 0 pkts/0 bytes][Goodput ratio: 83/0][0.43 sec][(Negotiated) ALPN: h2][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 26/0 233/0 57/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/0 401/0 1484/0 503/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: upload.video.google.com,*.clients.google.com,*.docs.google.com,*.drive.google.com,*.gdata.youtube.com,*.googleapis.com,*.photos.google.com,*.youtube-3rd-party.com,upload.google.com,*.upload.google.com,upload.youtube.com,*.upload.youtube.com,uploads.stage.gdata.youtube.com,bg-call-donation.goog,bg-call-donation-alpha.goog,bg-call-donation-canary.goog,bg-call-donation-dev.goog][JA3S: eca9b8f0f3eae50309eaf901cb822d9b][Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1C3][Subject: CN=upload.video.google.com][Certificate SHA-1: A9:8F:37:B3:54:4F:D0:01:B7:8D:0F:88:21:37:4A:EB:F7:E3:D3:F2][Validity: 2022-06-06 09:17:59 - 2022-08-29 09:17:58][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,25,8,0,8,0,0,0,0,8,16,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0][TLS blocks: 22:2=-68,22:11=-4387,22:12=-110,22:14=0,22:4=-232,20=-1,22:0=-40,23=-64] + 1 TCP 216.58.209.42:443 -> 192.168.12.156:43854 [proto: 91.136/TLS.YouTubeUpload][Stack: TLS.YouTubeUpload][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 126/Google, Confidence: IP address][DPI packets: 8][cat: Media/1][Breed: Fun][18 pkts/7218 bytes -> 0 pkts/0 bytes][Goodput ratio: 83/0][0.43 sec][(Negotiated) ALPN: h2][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 26/0 233/0 57/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/0 401/0 1484/0 
503/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: upload.video.google.com,*.clients.google.com,*.docs.google.com,*.drive.google.com,*.gdata.youtube.com,*.googleapis.com,*.photos.google.com,*.youtube-3rd-party.com,upload.google.com,*.upload.google.com,upload.youtube.com,*.upload.youtube.com,uploads.stage.gdata.youtube.com,bg-call-donation.goog,bg-call-donation-alpha.goog,bg-call-donation-canary.goog,bg-call-donation-dev.goog][JA3S: eca9b8f0f3eae50309eaf901cb822d9b][Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1C3][Subject: CN=upload.video.google.com][Certificate SHA-1: A9:8F:37:B3:54:4F:D0:01:B7:8D:0F:88:21:37:4A:EB:F7:E3:D3:F2][Validity: 2022-06-06 09:17:59 - 2022-08-29 09:17:58][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,25,8,0,8,0,0,0,0,8,16,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0][TLS blocks: 22:2=-68,22:11=-4387,22:12=-110,22:14=0,22:4=-232,20=-1,22:0=-40,23=-64][85ffbc88eedd89ff928b000086ff1881ffff83ffd88fffc0] diff --git a/tests/cfgs/tls_analysis/result/tls_1.2_unidirectional_server_no_cert.pcapng.out b/tests/cfgs/tls_analysis/result/tls_1.2_unidirectional_server_no_cert.pcapng.out index fc01a35ea..453e0289e 100644 --- a/tests/cfgs/tls_analysis/result/tls_1.2_unidirectional_server_no_cert.pcapng.out +++ b/tests/cfgs/tls_analysis/result/tls_1.2_unidirectional_server_no_cert.pcapng.out 
@@ -37,4 +37,4 @@ JA Host Stats: IP Address # JA4C - 1 TCP 172.67.21.133:443 -> 192.168.12.156:39958 [proto: 91/TLS][Stack: TLS][IP: 220/Cloudflare][Encrypted][Confidence: DPI][FPC: 220/Cloudflare, Confidence: IP address][DPI packets: 10][cat: Web/5][Breed: Safe][10 pkts/1978 bytes -> 0 pkts/0 bytes][Goodput ratio: 72/0][0.30 sec][(Negotiated) ALPN: http/1.1][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 33/0 88/0 32/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/0 198/0 1284/0 365/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][JA3S: 5badad76fbdd6e8b6296e2e9f4024401][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,33,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0][TLS blocks: 22:2=-102,20=-1,22:0=-40,23=-1225,23=-29] + 1 TCP 172.67.21.133:443 -> 192.168.12.156:39958 [proto: 91/TLS][Stack: TLS][IP: 220/Cloudflare][Encrypted][Confidence: DPI][FPC: 220/Cloudflare, Confidence: IP address][DPI packets: 10][cat: Web/5][Breed: Safe][10 pkts/1978 bytes -> 0 pkts/0 bytes][Goodput ratio: 72/0][0.30 sec][(Negotiated) ALPN: http/1.1][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 33/0 88/0 32/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/0 198/0 1284/0 365/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][JA3S: 5badad76fbdd6e8b6296e2e9f4024401][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,33,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0][TLS blocks: 22:2=-102,20=-1,22:0=-40,23=-1225,23=-29][85ff9a81ffff83ffd88ffb378fffe3] diff --git a/tests/cfgs/tls_analysis/result/tls_1.3_unidirectional_client.pcapng.out b/tests/cfgs/tls_analysis/result/tls_1.3_unidirectional_client.pcapng.out index 3d94762c1..5826af835 100644 --- a/tests/cfgs/tls_analysis/result/tls_1.3_unidirectional_client.pcapng.out 
+++ b/tests/cfgs/tls_analysis/result/tls_1.3_unidirectional_client.pcapng.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/1 (search/found) Hash public domain suffix: 9/5 (search/found) 
@@ -38,4 +38,4 @@ JA Host Stats: 1 192.168.12.156 1 - 1 TCP 192.168.12.156:39750 -> 142.250.184.68:443 [proto: 91.126/TLS.Google][Stack: TLS.Google][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 126/Google, Confidence: IP address][DPI packets: 9][cat: Web/5][Breed: Acceptable][9 pkts/1488 bytes -> 0 pkts/0 bytes][Goodput ratio: 60/0][0.07 sec][Hostname/SNI: www.google.com][(Advertised) ALPNs: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/0 25/0 7/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/0 165/0 630/0 179/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][nDPI Fingerprint: d9af852073aac86cd357583ef3fa68a3][TCP Fingerprint: 2_64_65535_685ad951a756/Android][TLSv1.2][JA4: t13d1713h1_5b57614c22b0_352634941f3a][Safari][Plen Bins: 25,0,25,0,0,0,0,25,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0][TLS blocks: 22:1=218,20=1,23=53,23=229,23=19] + 1 TCP 192.168.12.156:39750 -> 142.250.184.68:443 [proto: 91.126/TLS.Google][Stack: TLS.Google][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 126/Google, Confidence: IP address][DPI packets: 9][cat: Web/5][Breed: Acceptable][9 pkts/1488 bytes -> 0 pkts/0 bytes][Goodput ratio: 60/0][0.07 sec][Hostname/SNI: www.google.com][(Advertised) ALPNs: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/0 25/0 7/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/0 165/0 630/0 179/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][nDPI Fingerprint: d9af852073aac86cd357583ef3fa68a3][TCP Fingerprint: 2_64_65535_685ad951a756/Android][TLSv1.2][JA4: t13d1713h1_5b57614c22b0_352634941f3a][Safari][Plen Bins: 25,0,25,0,0,0,0,25,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0][TLS blocks: 
22:1=218,20=1,23=53,23=229,23=19][8400da8100018f00358f00e58f0013] diff --git a/tests/cfgs/tls_analysis/result/tls_1.3_unidirectional_server.pcapng.out b/tests/cfgs/tls_analysis/result/tls_1.3_unidirectional_server.pcapng.out index 1c3970b68..a7b5f4478 100644 --- a/tests/cfgs/tls_analysis/result/tls_1.3_unidirectional_server.pcapng.out +++ b/tests/cfgs/tls_analysis/result/tls_1.3_unidirectional_server.pcapng.out @@ -37,4 +37,4 @@ JA Host Stats: IP Address # JA4C - 1 TCP 142.250.184.68:443 -> 192.168.12.156:39750 [proto: 91/TLS][Stack: TLS][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 126/Google, Confidence: IP address][DPI packets: 9][cat: Web/5][Breed: Safe][9 pkts/1651 bytes -> 0 pkts/0 bytes][Goodput ratio: 65/0][0.07 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/0 20/0 7/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/0 183/0 921/0 270/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.3][JA3S: 2b0648ab686ee45e0e7c35fcfb0eea7e][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0][TLS blocks: 22:2=-124,20=-1,23=-74,23=-553,23=-292] + 1 TCP 142.250.184.68:443 -> 192.168.12.156:39750 [proto: 91/TLS][Stack: TLS][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 126/Google, Confidence: IP address][DPI packets: 9][cat: Web/5][Breed: Safe][9 pkts/1651 bytes -> 0 pkts/0 bytes][Goodput ratio: 65/0][0.07 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/0 20/0 7/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/0 183/0 921/0 270/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.3][JA3S: 2b0648ab686ee45e0e7c35fcfb0eea7e][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0][TLS blocks: 22:2=-124,20=-1,23=-74,23=-553,23=-292][85ff8481ffff8fffb68ffdd78ffedc] 
diff --git a/tests/cfgs/tls_analysis/result/tls_alert.pcap.out b/tests/cfgs/tls_analysis/result/tls_alert.pcap.out index 834789939..de2bc3e0a 100644 --- a/tests/cfgs/tls_analysis/result/tls_alert.pcap.out +++ b/tests/cfgs/tls_analysis/result/tls_alert.pcap.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 4/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 9/5 (search/found) 
@@ -41,5 +41,5 @@ JA Host Stats: 1 192.168.1.192 1 - 1 TCP 192.168.1.192:63158 <-> 192.168.1.20:443 [proto: 91.126/TLS.Google][Stack: TLS.Google][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 11][cat: Advertisement/101][Breed: Tracker_Ads][6 pkts/607 bytes <-> 5 pkts/345 bytes][Goodput ratio: 33/2][0.00 sec][Hostname/SNI: www.google-analytics.com][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][bytes ratio: 0.275 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 101/69 265/74 73/4][Risk: ** Obsolete TLS (v1.1 or older) **** Mismatching Protocol with server IP address **** TLS Fatal Alert **][Risk Score: 210][Risk Info: Found fatal TLS alert;nDPI protocol does not match the server IP address;TLSv1][nDPI Fingerprint: 455d471e55cf282acd5faf774899498f][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][TLSv1][JA4: t10d0909h2_61c4dbd01224_cc731f12afbb][Plen Bins: 50,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0][TLS blocks: 22:1=143,21=-2] - 2 TCP 192.168.2.100:37780 -> 160.44.202.202:443 [proto: 91/TLS][Stack: TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 91/TLS, Confidence: DPI][DPI packets: 7][cat: Web/5][Breed: Safe][7 pkts/533 bytes -> 0 pkts/0 bytes][Goodput ratio: 29/0][3.67 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 3/0 612/0 1878/0 656/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/0 76/0 85/0 14/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0][TLS blocks: 21=26] + 1 TCP 192.168.1.192:63158 <-> 192.168.1.20:443 [proto: 91.126/TLS.Google][Stack: TLS.Google][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 11][cat: Advertisement/101][Breed: Tracker_Ads][6 pkts/607 bytes <-> 5 
pkts/345 bytes][Goodput ratio: 33/2][0.00 sec][Hostname/SNI: www.google-analytics.com][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][bytes ratio: 0.275 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 101/69 265/74 73/4][Risk: ** Obsolete TLS (v1.1 or older) **** Mismatching Protocol with server IP address **** TLS Fatal Alert **][Risk Score: 210][Risk Info: Found fatal TLS alert;nDPI protocol does not match the server IP address;TLSv1][nDPI Fingerprint: 455d471e55cf282acd5faf774899498f][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][TLSv1][JA4: t10d0909h2_61c4dbd01224_cc731f12afbb][Plen Bins: 50,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0][TLS blocks: 22:1=143,21=-2][84008f82fffe] + 2 TCP 192.168.2.100:37780 -> 160.44.202.202:443 [proto: 91/TLS][Stack: TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 91/TLS, Confidence: DPI][DPI packets: 7][cat: Web/5][Breed: Safe][7 pkts/533 bytes -> 0 pkts/0 bytes][Goodput ratio: 29/0][3.67 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 3/0 612/0 1878/0 656/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/0 76/0 85/0 14/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0][TLS blocks: 21=26][82001a] diff --git a/tests/cfgs/tls_analysis/result/tls_change_cipher.pcap.out b/tests/cfgs/tls_analysis/result/tls_change_cipher.pcap.out index 0334297d6..7a6ce3b04 100644 --- a/tests/cfgs/tls_analysis/result/tls_change_cipher.pcap.out +++ b/tests/cfgs/tls_analysis/result/tls_change_cipher.pcap.out 
@@ -33,4 +33,4 @@ Safe 14 13753 1 Web 14 13753 1 - 1 TCP 18.139.7.8:443 <-> 172.29.190.157:62797 [VLAN: 113][proto: GTP:91/TLS][Stack: TLS][IP: 461/AWS_EC2][Encrypted][Confidence: DPI][FPC: 461/AWS_EC2, Confidence: IP address][DPI packets: 14][cat: Web/5][Breed: Safe][1 pkts/134 bytes <-> 13 pkts/13619 bytes][Goodput ratio: 0/88][4.99 sec][bytes ratio: -0.981 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/438 0/4677 0/1341][Pkt Len c2s/s2c min/avg/max/stddev: 134/194 134/1048 134/1458 0/494][PLAIN TEXT (oCpI.P7)][Plen Bins: 0,0,7,0,7,0,0,0,7,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,7,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,55,0,0,0,0,0,0][TLS blocks: 20=1,23=53,23=416,23=900,23=278,23=815,23=135] + 1 TCP 18.139.7.8:443 <-> 172.29.190.157:62797 [VLAN: 113][proto: GTP:91/TLS][Stack: TLS][IP: 461/AWS_EC2][Encrypted][Confidence: DPI][FPC: 461/AWS_EC2, Confidence: IP address][DPI packets: 14][cat: Web/5][Breed: Safe][1 pkts/134 bytes <-> 13 pkts/13619 bytes][Goodput ratio: 0/88][4.99 sec][bytes ratio: -0.981 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/438 0/4677 0/1341][Pkt Len c2s/s2c min/avg/max/stddev: 134/194 134/1048 134/1458 0/494][PLAIN TEXT (oCpI.P7)][Plen Bins: 0,0,7,0,7,0,0,0,7,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,7,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,55,0,0,0,0,0,0][TLS blocks: 20=1,23=53,23=416,23=900,23=278,23=815,23=135][8100018f00358f01a08f03848f01168f032f8f0087] diff --git a/tests/cfgs/tls_analysis/result/tls_heur__trojan-tcp-tls.pcapng.out b/tests/cfgs/tls_analysis/result/tls_heur__trojan-tcp-tls.pcapng.out index fc40fca3c..2b2f1423e 100644 --- a/tests/cfgs/tls_analysis/result/tls_heur__trojan-tcp-tls.pcapng.out +++ b/tests/cfgs/tls_analysis/result/tls_heur__trojan-tcp-tls.pcapng.out 
@@ -21,11 +21,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 19/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/1 (search/found) Hash public domain suffix: 107/36 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) 
@@ -48,8 +48,8 @@ JA Host Stats: 2 192.168.1.183 1 - 1 TCP 192.168.1.183:58730 <-> 142.250.180.142:443 [proto: 91.124/TLS.YouTube][Stack: TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 124/YouTube, Confidence: DNS][DPI packets: 17][cat: Media/1][Breed: Fun][17 pkts/1985 bytes <-> 15 pkts/13936 bytes][Goodput ratio: 41/93][0.11 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.751 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5/9 31/70 9/20][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 117/929 585/1468 126/632][nDPI Fingerprint: a1e67b3f0c55cd1d375db3c4c4a8951f][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.3][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 18,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,51,0,0,0,0][TLS blocks: 22:1=271,22:2=-118,20=-1,23=-6463,20=1,23=69,23=41,23=44] - 2 TCP 127.0.0.1:41796 <-> 127.0.0.1:1234 [proto: 91/TLS][Stack: TLS][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 23][cat: Web/5][Breed: Safe][13 pkts/2233 bytes <-> 12 pkts/9384 bytes][Goodput ratio: 60/91][0.14 sec][Hostname/SNI: test.lan][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.616 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/6 46/30 15/11][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 172/782 675/2138 165/744][Risk: ** Known Proto on Non Std Port **** Obfuscated Traffic **][Risk Score: 150][Risk Info: Obfuscated TLS-in-TLS traffic;Expected on port 443][nDPI Fingerprint: 47b02047f524520c12f153638e9639f8][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][TLSv1.3][JA4: t13d1911h2_9dc949149365_e7c285222651][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 
0,13,13,6,6,0,0,0,6,0,0,0,0,0,6,0,0,0,6,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,6,0,6,0,0,0,0,0,0,0,0,0,13][TLS blocks: 22:1=229,22:2=-118,20=-1,23=-38,23=-754,23=-128,23=-53,20=1] + 1 TCP 192.168.1.183:58730 <-> 142.250.180.142:443 [proto: 91.124/TLS.YouTube][Stack: TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 124/YouTube, Confidence: DNS][DPI packets: 17][cat: Media/1][Breed: Fun][17 pkts/1985 bytes <-> 15 pkts/13936 bytes][Goodput ratio: 41/93][0.11 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.751 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5/9 31/70 9/20][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 117/929 585/1468 126/632][nDPI Fingerprint: a1e67b3f0c55cd1d375db3c4c4a8951f][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.3][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 18,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,51,0,0,0,0][TLS blocks: 22:1=271,22:2=-118,20=-1,23=-6463,20=1,23=69,23=41,23=44][84010f85ff8a81ffff8fe6c18100018f00458f00298f002c] + 2 TCP 127.0.0.1:41796 <-> 127.0.0.1:1234 [proto: 91/TLS][Stack: TLS][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 23][cat: Web/5][Breed: Safe][13 pkts/2233 bytes <-> 12 pkts/9384 bytes][Goodput ratio: 60/91][0.14 sec][Hostname/SNI: test.lan][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.616 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/6 46/30 15/11][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 172/782 675/2138 165/744][Risk: ** Known Proto on Non Std Port **** Obfuscated Traffic **][Risk Score: 150][Risk Info: Obfuscated TLS-in-TLS traffic;Expected on port 443][nDPI Fingerprint: 47b02047f524520c12f153638e9639f8][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][TLSv1.3][JA4: 
t13d1911h2_9dc949149365_e7c285222651][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,13,13,6,6,0,0,0,6,0,0,0,0,0,6,0,0,0,6,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,6,0,6,0,0,0,0,0,0,0,0,0,13][TLS blocks: 22:1=229,22:2=-118,20=-1,23=-38,23=-754,23=-128,23=-53,20=1][8400e585ff8a81ffff8fffda8ffd0e8fff808fffcb810001] 3 TCP 127.0.0.1:60654 <-> 127.0.0.1:1080 [proto: 172/SOCKS][Stack: SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][17 pkts/1999 bytes <-> 10 pkts/7980 bytes][Goodput ratio: 42/91][0.19 sec][bytes ratio: -0.599 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/7 46/43 16/15][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 118/798 585/4164 119/1276][TCP Fingerprint: 2_64_65495_db1b9381215d/Unknown][PLAIN TEXT (www.youtube.com)][Plen Bins: 37,25,6,0,0,0,0,0,0,0,0,0,0,0,6,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12] 4 UDP 127.0.0.1:52786 <-> 127.0.0.53:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 3][cat: Network/14][Breed: Acceptable][2 pkts/176 bytes <-> 2 pkts/468 bytes][Goodput ratio: 50/81][0.03 sec][Hostname/SNI: www.youtube.com][142.250.180.142][DNS Id: 0xbe79][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 5 UDP 192.168.1.183:46451 <-> 192.168.1.253:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/88 bytes <-> 1 pkts/413 bytes][Goodput ratio: 49/89][0.03 sec][Hostname/SNI: www.youtube.com][142.250.180.142][DNS Id: 0x7aab][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 
diff --git a/tests/cfgs/tls_analysis/result/tls_heur__vmess-tcp-tls.pcapng.out b/tests/cfgs/tls_analysis/result/tls_heur__vmess-tcp-tls.pcapng.out index a20b5a82c..de336dfaa 100644 --- a/tests/cfgs/tls_analysis/result/tls_heur__vmess-tcp-tls.pcapng.out +++ b/tests/cfgs/tls_analysis/result/tls_heur__vmess-tcp-tls.pcapng.out @@ -21,11 +21,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 19/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/3 (search/found) Hash public domain suffix: 107/36 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) 
@@ -48,8 +48,8 @@ JA Host Stats: 2 192.168.1.183 1 - 1 TCP 192.168.1.183:58612 <-> 216.58.204.142:443 [proto: 91.124/TLS.YouTube][Stack: TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 124/YouTube, Confidence: DNS][DPI packets: 9][cat: Media/1][Breed: Fun][11 pkts/1577 bytes <-> 15 pkts/19414 bytes][Goodput ratio: 52/95][0.10 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.850 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 12/8 74/66 24/18][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 143/1294 585/6668 151/1565][nDPI Fingerprint: 533e41d87f62904435b47a19b9aada05][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.3][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 12,6,6,0,0,0,6,0,0,0,0,0,0,0,0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,44,0,0,0,6][TLS blocks: 22:1=271,22:2=-118,20=-1,23=-6462,20=1,23=69,23=41,23=44] - 2 TCP 127.0.0.1:57874 <-> 127.0.0.1:1234 [proto: 91/TLS][Stack: TLS][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 24][cat: Web/5][Breed: Safe][16 pkts/2501 bytes <-> 14 pkts/11651 bytes][Goodput ratio: 56/92][0.16 sec][Hostname/SNI: test.lan][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.647 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10/12 40/74 14/22][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 156/832 731/2138 166/797][Risk: ** Known Proto on Non Std Port **** Obfuscated Traffic **][Risk Score: 150][Risk Info: Obfuscated TLS-in-TLS traffic;Expected on port 443][nDPI Fingerprint: 3118c803438e45d927fc3452c302bc5c][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.3][JA4: t13d1911h2_9dc949149365_e7c285222651][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 
5,12,12,5,5,0,0,0,5,0,0,0,0,0,0,0,5,0,0,0,5,5,0,0,0,0,0,5,0,0,0,0,0,0,0,5,0,5,0,0,0,0,0,0,0,0,0,19][TLS blocks: 22:1=229,22:2=-118,20=-1,23=-32,23=-754,23=-128,23=-53,20=1] + 1 TCP 192.168.1.183:58612 <-> 216.58.204.142:443 [proto: 91.124/TLS.YouTube][Stack: TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 124/YouTube, Confidence: DNS][DPI packets: 9][cat: Media/1][Breed: Fun][11 pkts/1577 bytes <-> 15 pkts/19414 bytes][Goodput ratio: 52/95][0.10 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.850 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 12/8 74/66 24/18][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 143/1294 585/6668 151/1565][nDPI Fingerprint: 533e41d87f62904435b47a19b9aada05][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.3][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 12,6,6,0,0,0,6,0,0,0,0,0,0,0,0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,44,0,0,0,6][TLS blocks: 22:1=271,22:2=-118,20=-1,23=-6462,20=1,23=69,23=41,23=44][84010f85ff8a81ffff8fe6c28100018f00458f00298f002c] + 2 TCP 127.0.0.1:57874 <-> 127.0.0.1:1234 [proto: 91/TLS][Stack: TLS][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 24][cat: Web/5][Breed: Safe][16 pkts/2501 bytes <-> 14 pkts/11651 bytes][Goodput ratio: 56/92][0.16 sec][Hostname/SNI: test.lan][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.647 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10/12 40/74 14/22][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 156/832 731/2138 166/797][Risk: ** Known Proto on Non Std Port **** Obfuscated Traffic **][Risk Score: 150][Risk Info: Obfuscated TLS-in-TLS traffic;Expected on port 443][nDPI Fingerprint: 3118c803438e45d927fc3452c302bc5c][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][TLSv1.3][JA4: 
t13d1911h2_9dc949149365_e7c285222651][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 5,12,12,5,5,0,0,0,5,0,0,0,0,0,0,0,5,0,0,0,5,5,0,0,0,0,0,5,0,0,0,0,0,0,0,5,0,5,0,0,0,0,0,0,0,0,0,19][TLS blocks: 22:1=229,22:2=-118,20=-1,23=-32,23=-754,23=-128,23=-53,20=1][8400e585ff8a81ffff8fffe08ffd0e8fff808fffcb810001] 3 TCP 127.0.0.1:40136 <-> 127.0.0.1:1080 [proto: 172/SOCKS][Stack: SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][17 pkts/1999 bytes <-> 11 pkts/8047 bytes][Goodput ratio: 42/91][0.14 sec][bytes ratio: -0.602 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/1 40/4 14/2][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 118/732 585/2612 119/967][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][PLAIN TEXT (www.youtube.com)][Plen Bins: 37,25,6,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18] 4 UDP 127.0.0.1:46548 <-> 127.0.0.53:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 3][cat: Network/14][Breed: Acceptable][2 pkts/176 bytes <-> 2 pkts/484 bytes][Goodput ratio: 50/82][0.00 sec][Hostname/SNI: www.youtube.com][216.58.204.142][DNS Id: 0xedd1][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 5 UDP 192.168.1.183:49817 <-> 192.168.1.253:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/88 bytes <-> 1 pkts/253 bytes][Goodput ratio: 49/82][0.00 sec][Hostname/SNI: www.youtube.com][216.58.204.142][DNS Id: 0xc48a][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 
diff --git a/tests/cfgs/tls_analysis/result/tls_verylong_certificate.pcap.out b/tests/cfgs/tls_analysis/result/tls_verylong_certificate.pcap.out index 104117b47..993456754 100644 --- a/tests/cfgs/tls_analysis/result/tls_verylong_certificate.pcap.out +++ b/tests/cfgs/tls_analysis/result/tls_verylong_certificate.pcap.out @@ -19,7 +19,7 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 2/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 9/5 (search/found) 
@@ -38,4 +38,4 @@ JA Host Stats: 1 192.168.1.160 1 - 1 TCP 192.168.1.160:54804 <-> 151.101.66.49:443 [proto: 91.283/TLS.Cybersec][Stack: TLS.Cybersec][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 32][cat: Cybersecurity/33][Breed: Safe][24 pkts/2404 bytes <-> 24 pkts/19825 bytes][Goodput ratio: 35/92][0.09 sec][Hostname/SNI: feodotracker.abuse.ch][(Advertised) ALPNs: http/1.1][(Negotiated) ALPN: http/1.1][bytes ratio: -0.784 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4/4 15/21 5/7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 100/826 583/1434 109/662][nDPI Fingerprint: 0ce40ba865c98f9c6d651c6a7ad11597][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][TLSv1.2][JA4: t12d6707h1_2955a3196ffa_c83f907a73d3][ServerNames: p2.shared.global.fastly.net,*.12wbt.com,*.2bleacherreport.com,*.3bleacherreport.com,*.4bleacherreport.com,*.8bleacherreport.com,*.abuse.ch,*.acdn-it.ps-pantheon.com,*.cdn.livingmap.com,*.content.plastiq.com,*.dimensions.ai,*.dollarshaveclub.co.uk,*.dollarshaveclub.com,*.dontpayfull.com,*.ebisubook.com,*.foreignaffairs.com,*.fs.jibjab.com,*.fs.unitprints.com,*.ggleap.com,*.goodeggs.com,*.huevosbuenos.com,*.indy.myomnigon.com,*.jwatch.org,*.kingsfordcharcoal.com.au,*.lancenters.com,*.madebywe.com,*.minirodini.com,*.modcloth.net,*.orionlabs.io,*.ps-pantheon.com,*.scodle.com,*.steelseries.com,*.theforeman.org,*.uploads.eversign.com,*.uploads.schoox.com,*.vts.com,*.x.stg1.ebisubook.com,*.yang2020.com,12wbt.com,2bleacherreport.com,3bleacherreport.com,4bleacherreport.com,8bleacherreport.com,abuse.ch,brita.com,cdn.fwupd.org,cdn.livingmap.com,cdn.seated.com,cdn.skillacademy.com,clinicaloptions.com,clorox.com,content-preprod.beaverbrooksweb2.co.uk,content.beaverbrooks.co.uk,content.plastiq.com,coolmathgames.com,copterroyale.coolmathgames.com,d8-dev.coolmathgames.com,deflyio.coolmathgames.com,delivery-api.evadacms.com,dimensions.ai,dollarshaveclub.co.uk,dollarshaveclub.com,dontpayfull.com,eluniverso.com,email.amg-grou
p.co,email.tekoforlife.co.uk,feedmarket.fr,freshstep.com,ggleap.com,goodeggs.com,heap.io,huevosbuenos.com,identity.linuxfoundation.org,joebiden.com,jwatch.org,kingsford.co.nz,kingsfordcharcoal.com.au,lancenters.com,lists.linuxfoundation.org,m-stage.coolmathgames.com,m.coolmathgames.com,madebywe.com,minirodini.com,modcloth.net,orionlabs.io,puritanmedproducts.com,reviews.org,rg-video-staging.ruangguru.com,rg-video.ruangguru.com,ruangguru.com,scodle.com,stage.coolmathgames.com,staging.appblade.com,steelseries.com,stg.platform.eluniverso.com,test.brita.com,test.heap.io,test.joebiden.com,test.ruangguru.com,theforeman.org,video-cdn.quipper.com,videos.calcworkshop.com,vts.com,www.101network.com,www.autos101.com,www.brita.com,www.clorox.com,www.collider.com,www.coolmathgames.com,www.eluniverso.com,www.flinto.com,www.freshstep.com,www.heap.io,www.holagente.com,www.icsydney.com.au,www.joebiden.com,www.kingsford.co.nz,www.mrnatty.com,www.myjewellerystory.com.au,www.myjs.com,www.netacea.com,www.parenting101.com,www.puritanmedproducts.com,www.reviews.org,www.sba.sa,www.shashatcom.sa,www.uat.ontariocolleges.ca,www.vacation101.com,www.walterspeople.co.uk,www.westwayelectricsupply.com][JA3S: ae53107a2e47ea20c72ac44821a728bf][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3][Subject: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=p2.shared.global.fastly.net][Certificate SHA-1: E9:34:DF:E0:C5:31:3C:59:7E:E2:57:44:F2:82:E9:80:F5:5D:05:4B][Firefox][Validity: 2019-11-19 01:31:22 - 2020-08-29 17:19:32][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 12,16,0,4,0,4,4,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,55,0,0,0,0,0][TLS blocks: 22:1=244,22:2=-104,22:11=-5213,22:12=-329,22:14=0,22:16=66,20=1,22:0=40] + 1 TCP 192.168.1.160:54804 <-> 151.101.66.49:443 [proto: 91.283/TLS.Cybersec][Stack: TLS.Cybersec][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 32][cat: 
Cybersecurity/33][Breed: Safe][24 pkts/2404 bytes <-> 24 pkts/19825 bytes][Goodput ratio: 35/92][0.09 sec][Hostname/SNI: feodotracker.abuse.ch][(Advertised) ALPNs: http/1.1][(Negotiated) ALPN: http/1.1][bytes ratio: -0.784 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4/4 15/21 5/7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 100/826 583/1434 109/662][nDPI Fingerprint: 0ce40ba865c98f9c6d651c6a7ad11597][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][TLSv1.2][JA4: t12d6707h1_2955a3196ffa_c83f907a73d3][ServerNames: p2.shared.global.fastly.net,*.12wbt.com,*.2bleacherreport.com,*.3bleacherreport.com,*.4bleacherreport.com,*.8bleacherreport.com,*.abuse.ch,*.acdn-it.ps-pantheon.com,*.cdn.livingmap.com,*.content.plastiq.com,*.dimensions.ai,*.dollarshaveclub.co.uk,*.dollarshaveclub.com,*.dontpayfull.com,*.ebisubook.com,*.foreignaffairs.com,*.fs.jibjab.com,*.fs.unitprints.com,*.ggleap.com,*.goodeggs.com,*.huevosbuenos.com,*.indy.myomnigon.com,*.jwatch.org,*.kingsfordcharcoal.com.au,*.lancenters.com,*.madebywe.com,*.minirodini.com,*.modcloth.net,*.orionlabs.io,*.ps-pantheon.com,*.scodle.com,*.steelseries.com,*.theforeman.org,*.uploads.eversign.com,*.uploads.schoox.com,*.vts.com,*.x.stg1.ebisubook.com,*.yang2020.com,12wbt.com,2bleacherreport.com,3bleacherreport.com,4bleacherreport.com,8bleacherreport.com,abuse.ch,brita.com,cdn.fwupd.org,cdn.livingmap.com,cdn.seated.com,cdn.skillacademy.com,clinicaloptions.com,clorox.com,content-preprod.beaverbrooksweb2.co.uk,content.beaverbrooks.co.uk,content.plastiq.com,coolmathgames.com,copterroyale.coolmathgames.com,d8-dev.coolmathgames.com,deflyio.coolmathgames.com,delivery-api.evadacms.com,dimensions.ai,dollarshaveclub.co.uk,dollarshaveclub.com,dontpayfull.com,eluniverso.com,email.amg-group.co,email.tekoforlife.co.uk,feedmarket.fr,freshstep.com,ggleap.com,goodeggs.com,heap.io,huevosbuenos.com,identity.linuxfoundation.org,joebiden.com,jwatch.org,kingsford.co.nz,kingsfordcharcoal.com.au,lancenters.com,lists.linuxfoundation.org,m-stage.cool
mathgames.com,m.coolmathgames.com,madebywe.com,minirodini.com,modcloth.net,orionlabs.io,puritanmedproducts.com,reviews.org,rg-video-staging.ruangguru.com,rg-video.ruangguru.com,ruangguru.com,scodle.com,stage.coolmathgames.com,staging.appblade.com,steelseries.com,stg.platform.eluniverso.com,test.brita.com,test.heap.io,test.joebiden.com,test.ruangguru.com,theforeman.org,video-cdn.quipper.com,videos.calcworkshop.com,vts.com,www.101network.com,www.autos101.com,www.brita.com,www.clorox.com,www.collider.com,www.coolmathgames.com,www.eluniverso.com,www.flinto.com,www.freshstep.com,www.heap.io,www.holagente.com,www.icsydney.com.au,www.joebiden.com,www.kingsford.co.nz,www.mrnatty.com,www.myjewellerystory.com.au,www.myjs.com,www.netacea.com,www.parenting101.com,www.puritanmedproducts.com,www.reviews.org,www.sba.sa,www.shashatcom.sa,www.uat.ontariocolleges.ca,www.vacation101.com,www.walterspeople.co.uk,www.westwayelectricsupply.com][JA3S: ae53107a2e47ea20c72ac44821a728bf][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3][Subject: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=p2.shared.global.fastly.net][Certificate SHA-1: E9:34:DF:E0:C5:31:3C:59:7E:E2:57:44:F2:82:E9:80:F5:5D:05:4B][Firefox][Validity: 2019-11-19 01:31:22 - 2020-08-29 17:19:32][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 12,16,0,4,0,4,4,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,55,0,0,0,0,0][TLS blocks: 22:1=244,22:2=-104,22:11=-5213,22:12=-329,22:14=0,22:16=66,20=1,22:0=40][8400f485ff9888eba389feb78b00008d0042810001830028] diff --git a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__shadowsocks-tcp.pcapng.out b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__shadowsocks-tcp.pcapng.out index 6efc5bdf5..4b8bd7a30 100644 --- a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__shadowsocks-tcp.pcapng.out +++ b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__shadowsocks-tcp.pcapng.out 
@@ -21,11 +21,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 6/0 (search/found) Patricia protocols IPv6: 1/1 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/0 (search/found) Hash public domain suffix: 32/18 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__trojan-tcp-tls.pcapng.out b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__trojan-tcp-tls.pcapng.out index a1b86535b..cee4a2153 100644 --- a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__trojan-tcp-tls.pcapng.out +++ b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__trojan-tcp-tls.pcapng.out @@ -21,11 +21,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 19/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/1 (search/found) Hash public domain suffix: 107/36 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-tcp-tls.pcapng.out b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-tcp-tls.pcapng.out index b77183d34..b62c5f757 100644 --- a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-tcp-tls.pcapng.out +++ b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-tcp-tls.pcapng.out 
@@ -21,11 +21,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 19/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 2/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/3 (search/found) Hash public domain suffix: 107/36 (search/found) -Hash ja4 custom protos: 2/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-tcp.pcapng.out b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-tcp.pcapng.out index 03504c75c..ed3d26419 100644 --- a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-tcp.pcapng.out +++ b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-tcp.pcapng.out @@ -21,11 +21,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 1/0 (search/found) Patricia protocols: 6/0 (search/found) Patricia protocols IPv6: 1/1 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/0 (search/found) Hash public domain suffix: 32/18 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 3/0 (search/found) Hash fp custom protos: 2/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-websocket.pcapng.out b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-websocket.pcapng.out index 84a38439d..b9a6494ca 100644 --- a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-websocket.pcapng.out +++ b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-websocket.pcapng.out 
@@ -21,11 +21,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 7/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 0/0 (search/found) Hash TCP fingerprints: 3/1 (search/found) Hash public domain suffix: 27/14 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 1/0 (search/found) diff --git a/tests/cfgs/zoom_extra_dissection/result/zoom.pcap.out b/tests/cfgs/zoom_extra_dissection/result/zoom.pcap.out index 20dd9b4a4..9481c9460 100644 --- a/tests/cfgs/zoom_extra_dissection/result/zoom.pcap.out +++ b/tests/cfgs/zoom_extra_dissection/result/zoom.pcap.out @@ -24,11 +24,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 52/16 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 10/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 8/0 (search/found) Hash TCP fingerprints: 9/0 (search/found) Hash public domain suffix: 169/93 (search/found) -Hash ja4 custom protos: 10/0 (search/found) +Hash ja4 custom protos: 21/0 (search/found) Hash fp custom protos: 10/0 (search/found) Hash url custom protos: 0/0 (search/found) diff --git a/tests/cfgs/zoom_extra_dissection/result/zoom2.pcap.out b/tests/cfgs/zoom_extra_dissection/result/zoom2.pcap.out index 664df9fa0..116f24cad 100644 --- a/tests/cfgs/zoom_extra_dissection/result/zoom2.pcap.out +++ b/tests/cfgs/zoom_extra_dissection/result/zoom2.pcap.out 
@@ -20,11 +20,11 @@ Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) Patricia protocols: 4/4 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Hash malicious ja4: 1/0 (search/found) +Hash malicious ja4: 0/0 (search/found) Hash malicious sha1: 1/0 (search/found) Hash TCP fingerprints: 1/0 (search/found) Hash public domain suffix: 11/6 (search/found) -Hash ja4 custom protos: 1/0 (search/found) +Hash ja4 custom protos: 2/0 (search/found) Hash fp custom protos: 1/0 (search/found) Hash url custom protos: 0/0 (search/found)