HTTP: improve detection of WindowsUpdate (#1658)

WindowsUpdate is also transported over HTTP, using a numeric IP as hostname (some kinds of CDN?)
2026-05-06 03:45:32 +00:00 · 2022-07-10 17:08:37 +02:00 · 2022-07-10 17:08:37 +02:00 · df599e5eff
commit df599e5eff
parent 1fcd03a6b6
3 changed files with 22 additions and 0 deletions
--- a/tests/pcap/windowsupdate_over_http.pcap
+++ b/tests/pcap/windowsupdate_over_http.pcap
--- a/tests/result/windowsupdate_over_http.pcap.out
+++ b/tests/result/windowsupdate_over_http.pcap.out
@ -0,0 +1,8 @@
+Guessed flow protos:	0
+
+DPI Packets (TCP):	6	(6.00 pkts/flow)
+Confidence DPI              : 1 (flows)
+
+WindowsUpdate	20	15975	1
+
+	1	TCP 10.0.2.15:49815 <-> 151.99.72.125:80 [proto: 7.147/HTTP.WindowsUpdate][ClearText][Confidence: DPI][cat: Download/7][8 pkts/923 bytes <-> 12 pkts/15052 bytes][Goodput ratio: 52/96][0.02 sec][Hostname/SNI: 151.99.72.125][bytes ratio: -0.884 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2/1 9/8 4/2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 115/1254 533/1514 158/536][URL: 151.99.72.125/data/0783dedfb62fa709/msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d1d060c0-7ece-4b96-9558-4bd0f2326040?P1=1652084683&P2=404&P3=2&P4=GtXnDMvssaTVZE%2bliGRNZPdTCGZcdK3lsfQhBycGI5on2dyQK7mRzg%2fAP%2fOuVTebtfWU%2bfL%2bVp][StatusCode: 206][Content-Type: application/octet-stream][User-Agent: Microsoft-Delivery-Optimization/10.0][Risk: ** Binary App Transfer **** HTTP Numeric IP Address **][Risk Score: 260][Risk Info: Found host 151.99.72.125 / Found mime exe octet-stream][PLAIN TEXT (GET /data/0783dedfb)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,72,0,0]