From 7fea11a30fa3cdb753660a1ad3a251cfb7f8e693 Mon Sep 17 00:00:00 2001 From: Nardi Ivan Date: Sun, 5 May 2024 13:32:14 +0200 Subject: [PATCH] TLS: fix Ja4 fingerprint computation The new values has been checked against the ones reported by Wireshark. Found while fixing a Use-of-uninitialized-value error reported by oss-fuzz ``` ==7582==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x5a6549abc368 in ndpi_compute_ja4 ndpi/src/lib/protocols/tls.c:1762:10 #1 0x5a6549ab88a0 in processClientServerHello ndpi/src/lib/protocols/tls.c:2863:10 #2 0x5a6549ac1452 in processTLSBlock ndpi/src/lib/protocols/tls.c:909:5 #3 0x5a6549abf588 in ndpi_search_tls_tcp ndpi/src/lib/protocols/tls.c:1098:2 #4 0x5a65499c53ec in check_ndpi_detection_func ndpi/src/lib/ndpi_main.c:7215:6 ``` See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68449&q=ndpi&can=1&sort=-id --- src/lib/protocols/tls.c | 4 ++-- tests/cfgs/caches_cfg/result/teams.pcap.out | 4 ++-- tests/cfgs/caches_global/result/teams.pcap.out | 4 ++-- tests/cfgs/default/result/443-curl.pcap.out | 2 +- tests/cfgs/default/result/443-git.pcap.out | 2 +- tests/cfgs/default/result/anyconnect-vpn.pcap.out | 2 +- tests/cfgs/default/result/dtls.pcap.out | 2 +- tests/cfgs/default/result/forticlient.pcap.out | 2 +- tests/cfgs/default/result/gaijin_mobile_mixed.pcap.out | 2 +- tests/cfgs/default/result/line.pcap.out | 2 +- tests/cfgs/default/result/long_tls_certificate.pcap.out | 2 +- tests/cfgs/default/result/mumble.pcapng.out | 2 +- tests/cfgs/default/result/pia.pcap.out | 2 +- tests/cfgs/default/result/roblox.pcapng.out | 2 +- tests/cfgs/default/result/selfsigned.pcap.out | 2 +- tests/cfgs/default/result/sites.pcapng.out | 8 ++++---- tests/cfgs/default/result/steam.pcapng.out | 6 +++--- tests/cfgs/default/result/teams.pcap.out | 4 ++-- tests/cfgs/default/result/tls_malicious_sha1.pcapng.out | 2 +- .../cfgs/default/result/tls_verylong_certificate.pcap.out | 2 +- tests/cfgs/default/result/vxlan.pcap.out | 4 ++-- tests/cfgs/default/result/zoom2.pcap.out | 2 +- .../result/tls_verylong_certificate.pcap.out | 2 +- .../stun_all_attributes_disabled/result/teams.pcap.out | 4 ++-- .../result/tls_verylong_certificate.pcap.out | 2 +- .../result/tls_verylong_certificate.pcap.out | 2 +- 26 files changed, 37 insertions(+), 37 deletions(-) diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 0dd7ddd8354..975d7a8c6f6 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -2417,9 +2417,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, s_offset += 2; tot_signature_algorithms_len = ndpi_min((sizeof(ja.client.signature_algorithms_str) / 2) - 1, tot_signature_algorithms_len); +#ifdef TLS_HANDLE_SIGNATURE_ALGORITMS size_t sa_size = ndpi_min(tot_signature_algorithms_len / 2, MAX_NUM_TLS_SIGNATURE_ALGORITHMS); -#ifdef TLS_HANDLE_SIGNATURE_ALGORITMS if (s_offset + 2 * sa_size <= packet->payload_packet_len) { flow->protos.tls_quic.num_tls_signature_algorithms = sa_size; memcpy(flow->protos.tls_quic.client_signature_algorithms, @@ -2427,10 +2427,10 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, } #endif - ja.client.num_signature_algorithms = ndpi_min(sa_size, MAX_NUM_JA); for(i=0, id=0; ipayload[s_offset+i]); } + ja.client.num_signature_algorithms = id; for(i=0, id=0; i 52.114.250.123:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 5][cat: Collaborative/15][20 pkts/1629 bytes <-> 13 pkts/7093 bytes][Goodput ratio: 29/90][1.92 sec][Hostname/SNI: euaz.tr.teams.microsoft.com][bytes ratio: -0.626 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 19/18 69/92 24/32][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 81/546 241/1506 48/564][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12d220700_0d4ca5d4ec72_3304d8368043][Firefox][Plen Bins: 13,13,0,20,0,13,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0] 38 TCP 192.168.1.6:50021 <-> 52.114.250.123:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 5][cat: Collaborative/15][18 pkts/1509 bytes <-> 13 pkts/7093 bytes][Goodput ratio: 32/90][0.66 sec][Hostname/SNI: euaz.tr.teams.microsoft.com][bytes ratio: -0.649 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/23 46/85 20/34][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 84/546 241/1506 50/564][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12d220700_0d4ca5d4ec72_3304d8368043][Firefox][Plen Bins: 13,13,0,20,0,13,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0] 39 TCP 192.168.1.6:50014 <-> 52.114.250.152:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 14][cat: Collaborative/15][14 pkts/1347 bytes <-> 11 pkts/6975 bytes][Goodput ratio: 42/91][0.22 sec][Hostname/SNI: 52.114.250.152][bytes ratio: -0.676 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/22 43/84 20/30][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 96/634 289/1506 73/570][Risk: ** TLS Cert Mismatch **** TLS (probably) Not Carrying HTTPS **][Risk Score: 110][Risk Info: No ALPN / 52.114.250.152 vs tr.teams.microsoft.com,*.tr.teams.microsoft.com,turn.teams.microsoft.com,*.turn.teams.microsoft.co][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12i220700_0d4ca5d4ec72_3304d8368043][ServerNames: tr.teams.microsoft.com,*.tr.teams.microsoft.com,turn.teams.microsoft.com,*.turn.teams.microsoft.com,*.relay.teams.microsoft.com][JA3S: 986571066668055ae9481cb84fda634a][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5][Subject: CN=tr.teams.microsoft.com][Certificate SHA-1: A7:90:8D:41:ED:24:D2:83:48:95:90:CE:18:D3:A6:C2:62:7A:07:75][Firefox][Validity: 2019-05-24 14:10:26 - 2021-05-24 14:10:26][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 7,14,0,14,0,14,0,7,0,0,0,0,0,0,0,0,0,21,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0] - 40 TCP 192.168.1.6:60566 <-> 167.99.215.164:4434 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Network/14][9 pkts/3029 bytes <-> 8 pkts/2213 bytes][Goodput ratio: 80/76][2.73 sec][Hostname/SNI: dati.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.156 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 351/431 1977/2053 668/728][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 337/277 1012/1291 385/397][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.2][JA3C: 7120d65624bcd2e02ed4b01388d84cdb][JA4: t13d5713h2_131602cb7446_158b9cf6d7fa][JA3S: 410b9bedaf65dd26c6fe547154d60db4][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,14,0,0,14,0,0,0,0,14,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,14,14,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0] - 41 TCP 192.168.1.6:60546 <-> 167.99.215.164:4434 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Network/14][10 pkts/2195 bytes <-> 10 pkts/2077 bytes][Goodput ratio: 69/68][5.38 sec][Hostname/SNI: dati.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.028 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 650/754 5000/5000 1645/1734][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 220/208 1021/1292 308/364][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.2][JA3C: 7120d65624bcd2e02ed4b01388d84cdb][JA4: t13d5713h2_131602cb7446_158b9cf6d7fa][JA3S: 410b9bedaf65dd26c6fe547154d60db4][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 16,16,0,0,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0] + 40 TCP 192.168.1.6:60566 <-> 167.99.215.164:4434 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Network/14][9 pkts/3029 bytes <-> 8 pkts/2213 bytes][Goodput ratio: 80/76][2.73 sec][Hostname/SNI: dati.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.156 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 351/431 1977/2053 668/728][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 337/277 1012/1291 385/397][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.2][JA3C: 7120d65624bcd2e02ed4b01388d84cdb][JA4: t13d5713h2_131602cb7446_e802cdec6a7f][JA3S: 410b9bedaf65dd26c6fe547154d60db4][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,14,0,0,14,0,0,0,0,14,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,14,14,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0] + 41 TCP 192.168.1.6:60546 <-> 167.99.215.164:4434 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Network/14][10 pkts/2195 bytes <-> 10 pkts/2077 bytes][Goodput ratio: 69/68][5.38 sec][Hostname/SNI: dati.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.028 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 650/754 5000/5000 1645/1734][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 220/208 1021/1292 308/364][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.2][JA3C: 7120d65624bcd2e02ed4b01388d84cdb][JA4: t13d5713h2_131602cb7446_e802cdec6a7f][JA3S: 410b9bedaf65dd26c6fe547154d60db4][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 16,16,0,0,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0] 42 UDP 192.168.1.6:50036 <-> 52.114.250.137:3478 [proto: 78.38/STUN.Skype_TeamsCall][IP: 276/Azure][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 7][cat: VoIP/10][5 pkts/1390 bytes <-> 4 pkts/733 bytes][Goodput ratio: 85/77][4.06 sec][bytes ratio: 0.309 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/100 1003/774 2235/2092 994/932][Pkt Len c2s/s2c min/avg/max/stddev: 228/174 278/183 314/198 33/10][Mapped IP/Port: 52.114.250.137:3480][Peer IP/Port: 201.221.32.65:43863][PLAIN TEXT (rtcmedia)][Plen Bins: 0,0,0,0,44,11,11,11,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 43 UDP 192.168.0.1:68 -> 255.255.255.255:67 [proto: 18/DHCP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][6 pkts/1926 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][25.01 sec][Hostname/SNI: tl-sg116e][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 4986/0 5001/0 5018/0 11/0][Pkt Len c2s/s2c min/avg/max/stddev: 321/0 321/0 321/0 0/0][DHCP Fingerprint: 1,3][DHCP Class Ident: TL-SG116E][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 44 UDP 192.168.1.6:50016 <-> 52.114.250.141:3478 [proto: 78.38/STUN.Skype_TeamsCall][IP: 276/Azure][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 7][cat: VoIP/10][4 pkts/1162 bytes <-> 3 pkts/546 bytes][Goodput ratio: 85/77][1.99 sec][bytes ratio: 0.361 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/98 611/101 1783/104 829/3][Pkt Len c2s/s2c min/avg/max/stddev: 256/174 290/182 314/198 25/11][Mapped IP/Port: 52.114.250.141:3480][Peer IP/Port: 22.64.154.119:29899][PLAIN TEXT (rtcmedia)][Plen Bins: 0,0,0,0,42,0,14,14,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/caches_global/result/teams.pcap.out b/tests/cfgs/caches_global/result/teams.pcap.out index cb895e234bd..b5ef9f8ebb7 100644 --- a/tests/cfgs/caches_global/result/teams.pcap.out +++ b/tests/cfgs/caches_global/result/teams.pcap.out @@ -94,8 +94,8 @@ JA3 Host Stats: 37 TCP 192.168.1.6:50018 <-> 52.114.250.123:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 5][cat: Collaborative/15][20 pkts/1629 bytes <-> 13 pkts/7093 bytes][Goodput ratio: 29/90][1.92 sec][Hostname/SNI: euaz.tr.teams.microsoft.com][bytes ratio: -0.626 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 19/18 69/92 24/32][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 81/546 241/1506 48/564][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12d220700_0d4ca5d4ec72_3304d8368043][Firefox][Plen Bins: 13,13,0,20,0,13,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0] 38 TCP 192.168.1.6:50021 <-> 52.114.250.123:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 5][cat: Collaborative/15][18 pkts/1509 bytes <-> 13 pkts/7093 bytes][Goodput ratio: 32/90][0.66 sec][Hostname/SNI: euaz.tr.teams.microsoft.com][bytes ratio: -0.649 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/23 46/85 20/34][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 84/546 241/1506 50/564][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12d220700_0d4ca5d4ec72_3304d8368043][Firefox][Plen Bins: 13,13,0,20,0,13,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0] 39 TCP 192.168.1.6:50014 <-> 52.114.250.152:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 14][cat: Collaborative/15][14 pkts/1347 bytes <-> 11 pkts/6975 bytes][Goodput ratio: 42/91][0.22 sec][Hostname/SNI: 52.114.250.152][bytes ratio: -0.676 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/22 43/84 20/30][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 96/634 289/1506 73/570][Risk: ** TLS Cert Mismatch **** TLS (probably) Not Carrying HTTPS **][Risk Score: 110][Risk Info: No ALPN / 52.114.250.152 vs tr.teams.microsoft.com,*.tr.teams.microsoft.com,turn.teams.microsoft.com,*.turn.teams.microsoft.co][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12i220700_0d4ca5d4ec72_3304d8368043][ServerNames: tr.teams.microsoft.com,*.tr.teams.microsoft.com,turn.teams.microsoft.com,*.turn.teams.microsoft.com,*.relay.teams.microsoft.com][JA3S: 986571066668055ae9481cb84fda634a][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5][Subject: CN=tr.teams.microsoft.com][Certificate SHA-1: A7:90:8D:41:ED:24:D2:83:48:95:90:CE:18:D3:A6:C2:62:7A:07:75][Firefox][Validity: 2019-05-24 14:10:26 - 2021-05-24 14:10:26][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 7,14,0,14,0,14,0,7,0,0,0,0,0,0,0,0,0,21,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0] - 40 TCP 192.168.1.6:60566 <-> 167.99.215.164:4434 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Network/14][9 pkts/3029 bytes <-> 8 pkts/2213 bytes][Goodput ratio: 80/76][2.73 sec][Hostname/SNI: dati.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.156 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 351/431 1977/2053 668/728][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 337/277 1012/1291 385/397][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.2][JA3C: 7120d65624bcd2e02ed4b01388d84cdb][JA4: t13d5713h2_131602cb7446_158b9cf6d7fa][JA3S: 410b9bedaf65dd26c6fe547154d60db4][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,14,0,0,14,0,0,0,0,14,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,14,14,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0] - 41 TCP 192.168.1.6:60546 <-> 167.99.215.164:4434 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Network/14][10 pkts/2195 bytes <-> 10 pkts/2077 bytes][Goodput ratio: 69/68][5.38 sec][Hostname/SNI: dati.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.028 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 650/754 5000/5000 1645/1734][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 220/208 1021/1292 308/364][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.2][JA3C: 7120d65624bcd2e02ed4b01388d84cdb][JA4: t13d5713h2_131602cb7446_158b9cf6d7fa][JA3S: 410b9bedaf65dd26c6fe547154d60db4][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 16,16,0,0,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0] + 40 TCP 192.168.1.6:60566 <-> 167.99.215.164:4434 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Network/14][9 pkts/3029 bytes <-> 8 pkts/2213 bytes][Goodput ratio: 80/76][2.73 sec][Hostname/SNI: dati.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.156 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 351/431 1977/2053 668/728][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 337/277 1012/1291 385/397][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.2][JA3C: 7120d65624bcd2e02ed4b01388d84cdb][JA4: t13d5713h2_131602cb7446_e802cdec6a7f][JA3S: 410b9bedaf65dd26c6fe547154d60db4][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,14,0,0,14,0,0,0,0,14,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,14,14,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0] + 41 TCP 192.168.1.6:60546 <-> 167.99.215.164:4434 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Network/14][10 pkts/2195 bytes <-> 10 pkts/2077 bytes][Goodput ratio: 69/68][5.38 sec][Hostname/SNI: dati.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.028 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 650/754 5000/5000 1645/1734][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 220/208 1021/1292 308/364][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.2][JA3C: 7120d65624bcd2e02ed4b01388d84cdb][JA4: t13d5713h2_131602cb7446_e802cdec6a7f][JA3S: 410b9bedaf65dd26c6fe547154d60db4][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 16,16,0,0,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0] 42 UDP 192.168.1.6:50036 <-> 52.114.250.137:3478 [proto: 78.38/STUN.Skype_TeamsCall][IP: 276/Azure][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 7][cat: VoIP/10][5 pkts/1390 bytes <-> 4 pkts/733 bytes][Goodput ratio: 85/77][4.06 sec][bytes ratio: 0.309 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/100 1003/774 2235/2092 994/932][Pkt Len c2s/s2c min/avg/max/stddev: 228/174 278/183 314/198 33/10][Mapped IP/Port: 52.114.250.137:3480][Peer IP/Port: 201.221.32.65:43863][PLAIN TEXT (rtcmedia)][Plen Bins: 0,0,0,0,44,11,11,11,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 43 UDP 192.168.0.1:68 -> 255.255.255.255:67 [proto: 18/DHCP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][6 pkts/1926 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][25.01 sec][Hostname/SNI: tl-sg116e][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 4986/0 5001/0 5018/0 11/0][Pkt Len c2s/s2c min/avg/max/stddev: 321/0 321/0 321/0 0/0][DHCP Fingerprint: 1,3][DHCP Class Ident: TL-SG116E][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 44 UDP 192.168.1.6:50016 <-> 52.114.250.141:3478 [proto: 78.38/STUN.Skype_TeamsCall][IP: 276/Azure][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 7][cat: VoIP/10][4 pkts/1162 bytes <-> 3 pkts/546 bytes][Goodput ratio: 85/77][1.99 sec][bytes ratio: 0.361 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/98 611/101 1783/104 829/3][Pkt Len c2s/s2c min/avg/max/stddev: 256/174 290/182 314/198 25/11][Mapped IP/Port: 52.114.250.141:3480][Peer IP/Port: 22.64.154.119:29899][PLAIN TEXT (rtcmedia)][Plen Bins: 0,0,0,0,42,0,14,14,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/443-curl.pcap.out b/tests/cfgs/default/result/443-curl.pcap.out index 1416231874e..1bb0f535e8f 100644 --- a/tests/cfgs/default/result/443-curl.pcap.out +++ b/tests/cfgs/default/result/443-curl.pcap.out @@ -30,4 +30,4 @@ JA3 Host Stats: 1 192.168.1.13 1 - 1 TCP 192.168.1.13:55523 <-> 178.62.197.130:443 [proto: 91.26/TLS.ntop][IP: 26/ntop][Encrypted][Confidence: DPI][DPI packets: 7][cat: Network/14][51 pkts/4260 bytes <-> 58 pkts/69722 bytes][Goodput ratio: 22/94][1.10 sec][Hostname/SNI: www.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.885 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 25/19 784/784 122/114][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 84/1202 583/1506 74/562][TLSv1.2][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][JA4: t12d6707h2_2955a3196ffa_b1760ac0ffd7][ServerNames: www.ntop.org][JA3S: ae53107a2e47ea20c72ac44821a728bf][Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3][Subject: CN=www.ntop.org][Certificate SHA-1: DB:A7:E4:3E:6D:BB:21:AB:68:47:35:E8:0B:8F:15:DF:DB:C7:C9:6F][Firefox][Validity: 2019-12-17 01:17:28 - 2020-03-16 01:17:28][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 3,13,1,1,1,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,1,0,73,0,0] + 1 TCP 192.168.1.13:55523 <-> 178.62.197.130:443 [proto: 91.26/TLS.ntop][IP: 26/ntop][Encrypted][Confidence: DPI][DPI packets: 7][cat: Network/14][51 pkts/4260 bytes <-> 58 pkts/69722 bytes][Goodput ratio: 22/94][1.10 sec][Hostname/SNI: www.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.885 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 25/19 784/784 122/114][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 84/1202 583/1506 74/562][TLSv1.2][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][JA4: t12d6707h2_2955a3196ffa_c83f907a73d3][ServerNames: www.ntop.org][JA3S: ae53107a2e47ea20c72ac44821a728bf][Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3][Subject: CN=www.ntop.org][Certificate SHA-1: DB:A7:E4:3E:6D:BB:21:AB:68:47:35:E8:0B:8F:15:DF:DB:C7:C9:6F][Firefox][Validity: 2019-12-17 01:17:28 - 2020-03-16 01:17:28][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 3,13,1,1,1,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,1,0,73,0,0] diff --git a/tests/cfgs/default/result/443-git.pcap.out b/tests/cfgs/default/result/443-git.pcap.out index 42de493bb79..80d93968fb1 100644 --- a/tests/cfgs/default/result/443-git.pcap.out +++ b/tests/cfgs/default/result/443-git.pcap.out @@ -30,4 +30,4 @@ JA3 Host Stats: 1 192.168.1.13 1 - 1 TCP 192.168.1.13:55744 <-> 140.82.114.4:443 [proto: 91.203/TLS.Github][IP: 203/Github][Encrypted][Confidence: DPI][DPI packets: 7][cat: Collaborative/15][35 pkts/3167 bytes <-> 35 pkts/34022 bytes][Goodput ratio: 28/93][0.82 sec][Hostname/SNI: github.com][(Advertised) ALPNs: http/1.1][(Negotiated) ALPN: http/1.1][bytes ratio: -0.830 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 25/15 143/143 48/43][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 90/972 583/1490 94/616][TLSv1.2][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][JA4: t12d6707ht_2955a3196ffa_b1760ac0ffd7][ServerNames: github.com,www.github.com][JA3S: ae53107a2e47ea20c72ac44821a728bf][Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA][Subject: C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com][Certificate SHA-1: CA:06:F5:6B:25:8B:7A:0D:4F:2B:05:47:09:39:47:86:51:15:19:84][Firefox][Validity: 2018-05-08 00:00:00 - 2020-06-03 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 5,8,2,5,0,0,2,0,0,2,0,2,0,2,0,0,2,2,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,54,0,0,0] + 1 TCP 192.168.1.13:55744 <-> 140.82.114.4:443 [proto: 91.203/TLS.Github][IP: 203/Github][Encrypted][Confidence: DPI][DPI packets: 7][cat: Collaborative/15][35 pkts/3167 bytes <-> 35 pkts/34022 bytes][Goodput ratio: 28/93][0.82 sec][Hostname/SNI: github.com][(Advertised) ALPNs: http/1.1][(Negotiated) ALPN: http/1.1][bytes ratio: -0.830 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 25/15 143/143 48/43][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 90/972 583/1490 94/616][TLSv1.2][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][JA4: t12d6707ht_2955a3196ffa_c83f907a73d3][ServerNames: github.com,www.github.com][JA3S: ae53107a2e47ea20c72ac44821a728bf][Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA][Subject: C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com][Certificate SHA-1: CA:06:F5:6B:25:8B:7A:0D:4F:2B:05:47:09:39:47:86:51:15:19:84][Firefox][Validity: 2018-05-08 00:00:00 - 2020-06-03 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 5,8,2,5,0,0,2,0,0,2,0,2,0,2,0,0,2,2,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,54,0,0,0] diff --git a/tests/cfgs/default/result/anyconnect-vpn.pcap.out b/tests/cfgs/default/result/anyconnect-vpn.pcap.out index fe84a92c6d6..a8d1e680f21 100644 --- a/tests/cfgs/default/result/anyconnect-vpn.pcap.out +++ b/tests/cfgs/default/result/anyconnect-vpn.pcap.out @@ -56,7 +56,7 @@ JA3 Host Stats: 1 TCP 10.0.0.227:56929 <-> 8.37.102.91:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 12][cat: Web/5][48 pkts/9073 bytes <-> 44 pkts/18703 bytes][Goodput ratio: 65/84][21.89 sec][bytes ratio: -0.347 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/11 97/138 21/26][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 189/425 1514/1514 246/579][Risk: ** Weak TLS Cipher **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **][Risk Score: 160][Risk Info: No ALPN / SNI should always be present / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1.2][JA3C: c9f0b47c9805f516e6d3900cb51f7841][JA4: t12d220300_95b9206a23eb_1ea9011b3dfa][ServerNames: *.pandion.viasat.com,pandion.viasat.com][JA3S: 82f0d8a75fa483d1cfe4b7085b784d7e (WEAK)][Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K][Subject: C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Firefox][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,4,2,21,31,0,2,6,4,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,2,0,0,0,0,0,0,0,0,0,0,21,0,0] 2 TCP 10.0.0.227:56919 <-> 8.37.102.91:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 12][cat: Web/5][28 pkts/9088 bytes <-> 26 pkts/16944 bytes][Goodput ratio: 80/90][23.14 sec][(Advertised) ALPNs: http/1.1][bytes ratio: -0.302 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1048/487 11570/9008 2987/2009][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 325/652 1514/1514 494/646][Risk: ** Weak TLS Cipher **** Missing SNI TLS Extn **** ALPN/SNI Mismatch **][Risk Score: 200][Risk Info: SNI should always be present / http/1.1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1.2][JA3C: 9f1a41f932f274fe47a992310a26a23a][JA4: t12d2204ht_95b9206a23eb_1ea9011b3dfa][ServerNames: *.pandion.viasat.com,pandion.viasat.com][JA3S: 82f0d8a75fa483d1cfe4b7085b784d7e (WEAK)][Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K][Subject: C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Firefox][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,12,4,0,0,4,0,0,0,8,0,0,0,0,0,0,0,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,8,4,0,0,0,4,0,4,0,16,0,25,0,0] - 3 TCP 10.0.0.227:56921 <-> 8.37.96.194:4287 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Web/5][29 pkts/5373 bytes <-> 28 pkts/7580 bytes][Goodput ratio: 64/75][2.30 sec][bytes ratio: -0.170 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 91/63 593/619 145/135][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 185/271 1261/1434 259/387][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** TLS Cert About To Expire **][Risk Score: 160][Risk Info: No ALPN / SNI should always be present / 29/Aug/2019 00:12:40 - 08/Oct/2019 00:12:40][TLSv1.2][JA3C: e3adec914f3893f18136762f1c0d7d81][JA4: t12d070500_c20ebc0cf62a_824431ce7cfe][JA3S: e54965894d6b45ecb4323c7ea3d6c115][Issuer: CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US][Subject: CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US][Certificate SHA-1: 86:2A:47:EF:00:68:79:60:7F:94:E2:91:6F:E0:38:82:37:8A:8E:2E][Firefox][Validity: 2019-08-29 00:12:40 - 2019-10-08 00:12:40][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,44,3,3,3,3,3,0,3,3,3,0,3,7,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,3,0,0,3,0,0,3,0,3,0,0,0,0,0] + 3 TCP 10.0.0.227:56921 <-> 8.37.96.194:4287 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Web/5][29 pkts/5373 bytes <-> 28 pkts/7580 bytes][Goodput ratio: 64/75][2.30 sec][bytes ratio: -0.170 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 91/63 593/619 145/135][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 185/271 1261/1434 259/387][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** TLS Cert About To Expire **][Risk Score: 160][Risk Info: No ALPN / SNI should always be present / 29/Aug/2019 00:12:40 - 08/Oct/2019 00:12:40][TLSv1.2][JA3C: e3adec914f3893f18136762f1c0d7d81][JA4: t12d070500_c20ebc0cf62a_ed727256b201][JA3S: e54965894d6b45ecb4323c7ea3d6c115][Issuer: CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US][Subject: CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US][Certificate SHA-1: 86:2A:47:EF:00:68:79:60:7F:94:E2:91:6F:E0:38:82:37:8A:8E:2E][Firefox][Validity: 2019-08-29 00:12:40 - 2019-10-08 00:12:40][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,44,3,3,3,3,3,0,3,3,3,0,3,7,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,3,0,0,3,0,0,3,0,3,0,0,0,0,0] 4 TCP 10.0.0.227:56918 <-> 8.37.102.91:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 12][cat: Web/5][16 pkts/2739 bytes <-> 14 pkts/7315 bytes][Goodput ratio: 61/87][0.35 sec][(Advertised) ALPNs: http/1.1][bytes ratio: -0.455 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 23/26 48/88 21/29][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 171/522 1175/1514 274/624][Risk: ** Weak TLS Cipher **** Missing SNI TLS Extn **** ALPN/SNI Mismatch **][Risk Score: 200][Risk Info: SNI should always be present / http/1.1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1.2][JA3C: 9f1a41f932f274fe47a992310a26a23a][JA4: t12d2204ht_95b9206a23eb_1ea9011b3dfa][ServerNames: *.pandion.viasat.com,pandion.viasat.com][JA3S: 82f0d8a75fa483d1cfe4b7085b784d7e (WEAK)][Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K][Subject: C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Firefox][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,16,8,0,0,8,0,8,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,8,0,25,0,0] 5 UDP 10.0.0.227:54107 <-> 8.37.102.91:443 [proto: 30/DTLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 4][cat: Web/5][14 pkts/2322 bytes <-> 15 pkts/3787 bytes][Goodput ratio: 75/83][0.24 sec][bytes ratio: -0.240 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21/16 47/46 19/20][Pkt Len c2s/s2c min/avg/max/stddev: 135/90 166/252 199/407 17/74][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLS (0100)][TLS (0100)][JA3C: ee2a8029d94a1e0f64493aac044a9a9e][JA4: ts3d010000_2cfe23c976cf_e3b0c44298fc][JA3S: cee68a158056f16c2d1b274dde4e2ec3][Cipher: TLS_DHE_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,3,3,39,13,18,3,6,6,3,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 6 TCP 10.0.0.227:56920 <-> 99.86.34.156:443 [proto: 91.118/TLS.Slack][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][DPI packets: 6][cat: Collaborative/15][16 pkts/2949 bytes <-> 11 pkts/1876 bytes][Goodput ratio: 64/61][11.47 sec][Hostname/SNI: slack.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: 0.222 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 866/28 11074/80 2947/34][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 184/171 853/487 228/155][TLSv1.2][JA3C: d8dc5f8940df366b3a58b935569143e8][JA4: t12d1313h2_8b80da21ef18_e48c60694ef0][JA3S: 7bee5c1d424b7e5f943b06983bb11422][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,34,16,0,8,0,0,0,0,0,0,0,8,16,0,0,8,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/dtls.pcap.out b/tests/cfgs/default/result/dtls.pcap.out index 94c926478b1..406cf889532 100644 --- a/tests/cfgs/default/result/dtls.pcap.out +++ b/tests/cfgs/default/result/dtls.pcap.out @@ -31,5 +31,5 @@ JA3 Host Stats: 2 192.168.13.203 1 - 1 UDP 10.191.227.13:54162 <-> 157.240.16.128:3478 [VLAN: 10][proto: GTP:30/DTLS][IP: 119/Facebook][Encrypted][Confidence: DPI][DPI packets: 4][cat: Web/5][3 pkts/665 bytes <-> 1 pkts/282 bytes][Goodput ratio: 61/69][0.20 sec][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** TLS Fatal Alert **][Risk Score: 70][Risk Info: No ALPN / SNI should always be present / Found fatal TLS alert][DTLSv1.2][JA3C: b2a6643b6798940d25020cb4abe9e2aa][JA4: t00d160700_7c8d7d5e37b2_c38571a0f2a5][Firefox][Plen Bins: 25,0,0,0,0,0,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 10.191.227.13:54162 <-> 157.240.16.128:3478 [VLAN: 10][proto: GTP:30/DTLS][IP: 119/Facebook][Encrypted][Confidence: DPI][DPI packets: 4][cat: Web/5][3 pkts/665 bytes <-> 1 pkts/282 bytes][Goodput ratio: 61/69][0.20 sec][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** TLS Fatal Alert **][Risk Score: 70][Risk Info: No ALPN / SNI should always be present / Found fatal TLS alert][DTLSv1.2][JA3C: b2a6643b6798940d25020cb4abe9e2aa][JA4: t00d160700_7c8d7d5e37b2_ea2cef574603][Firefox][Plen Bins: 25,0,0,0,0,0,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 2 UDP 192.168.13.203:40739 -> 192.168.13.57:56515 [proto: 30/DTLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 2][cat: Web/5][2 pkts/394 bytes -> 0 pkts/0 bytes][Goodput ratio: 78/0][< 1 sec][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Unidirectional Traffic **][Risk Score: 70][Risk Info: No server to client traffic / No ALPN / SNI should always be present][DTLSv1.2][JA3C: bd743610892cec1efed851b2b5efd4f5][JA4: t00d120700_7c0e62f61317_d9dd6182da81][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/forticlient.pcap.out b/tests/cfgs/default/result/forticlient.pcap.out index 3921a3cc882..fa25f54dd09 100644 --- a/tests/cfgs/default/result/forticlient.pcap.out +++ b/tests/cfgs/default/result/forticlient.pcap.out @@ -31,7 +31,7 @@ JA3 Host Stats: 1 192.168.1.178 2 - 1 TCP 192.168.1.178:61820 <-> 82.81.46.13:10443 [proto: 91.259/TLS.FortiClient][IP: 0/Unknown][Encrypted][Confidence: DPI (cache)][DPI packets: 7][cat: VPN/2][1150 pkts/146555 bytes <-> 751 pkts/256436 bytes][Goodput ratio: 48/81][13.06 sec][Hostname/SNI: 82.81.46.13][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.273 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 12/19 5218/5218 173/225][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 127/341 1477/1506 88/427][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **** Malicious JA3 Fingerp. **][Risk Score: 110][Risk Info: 40adfd923eb82b89d8836ba37a19bca1 / No ALPN][TLSv1.2][JA3C: 40adfd923eb82b89d8836ba37a19bca1][JA4: t13i311000_e8f1e7e78f70_033f6c5c7ec7][JA3S: e35df3e00ca4ef31d42b34bebaa2f86e][Issuer: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=support][Subject: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=FortiGate, CN=FWF60E4Q16012050][Certificate SHA-1: AA:8A:CE:95:99:2A:E0:A4:11:42:E4:C8:40:D7:DB:87:1F:4A:23:45][Firefox][Validity: 2016-09-12 10:06:20 - 2038-01-19 03:14:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,19,33,15,17,6,0,3,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 TCP 192.168.1.178:61820 <-> 82.81.46.13:10443 [proto: 91.259/TLS.FortiClient][IP: 0/Unknown][Encrypted][Confidence: DPI (cache)][DPI packets: 7][cat: VPN/2][1150 pkts/146555 bytes <-> 751 pkts/256436 bytes][Goodput ratio: 48/81][13.06 sec][Hostname/SNI: 82.81.46.13][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.273 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 12/19 5218/5218 173/225][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 127/341 1477/1506 88/427][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **** Malicious JA3 Fingerp. **][Risk Score: 110][Risk Info: 40adfd923eb82b89d8836ba37a19bca1 / No ALPN][TLSv1.2][JA3C: 40adfd923eb82b89d8836ba37a19bca1][JA4: t13i311000_e8f1e7e78f70_5ac7197df9d2][JA3S: e35df3e00ca4ef31d42b34bebaa2f86e][Issuer: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=support][Subject: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=FortiGate, CN=FWF60E4Q16012050][Certificate SHA-1: AA:8A:CE:95:99:2A:E0:A4:11:42:E4:C8:40:D7:DB:87:1F:4A:23:45][Firefox][Validity: 2016-09-12 10:06:20 - 2038-01-19 03:14:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,19,33,15,17,6,0,3,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 2 TCP 192.168.1.178:61812 <-> 82.81.46.13:10443 [proto: 91.259/TLS.FortiClient][IP: 0/Unknown][Encrypted][Confidence: DPI (cache)][DPI packets: 7][cat: VPN/2][15 pkts/1753 bytes <-> 14 pkts/7481 bytes][Goodput ratio: 43/87][1.09 sec][Hostname/SNI: 82.81.46.13][bytes ratio: -0.620 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 79/81 336/340 94/113][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 117/534 450/1506 104/626][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **][Risk Score: 60][Risk Info: No ALPN][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12i220700_0d4ca5d4ec72_3304d8368043][JA3S: 0debd3853f330c574b05e0b6d882dc27][Issuer: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=support][Subject: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=FortiGate, CN=FWF60E4Q16012050][Certificate SHA-1: AA:8A:CE:95:99:2A:E0:A4:11:42:E4:C8:40:D7:DB:87:1F:4A:23:45][Firefox][Validity: 2016-09-12 10:06:20 - 2038-01-19 03:14:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 16,16,0,8,0,0,8,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,8,0,0,0,0,0,0,0,0,0,25,0,0] 3 TCP 192.168.1.178:61806 <-> 82.81.46.13:10443 [proto: 91.259/TLS.FortiClient][IP: 0/Unknown][Encrypted][Confidence: DPI (cache)][DPI packets: 7][cat: VPN/2][14 pkts/1462 bytes <-> 11 pkts/6959 bytes][Goodput ratio: 36/89][1.09 sec][Hostname/SNI: 82.81.46.13][bytes ratio: -0.653 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 93/89 336/401 92/145][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 104/633 269/1506 66/634][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **][Risk Score: 60][Risk Info: No ALPN][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12i220700_0d4ca5d4ec72_3304d8368043][JA3S: 0debd3853f330c574b05e0b6d882dc27][Issuer: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=support][Subject: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=FortiGate, CN=FWF60E4Q16012050][Certificate SHA-1: AA:8A:CE:95:99:2A:E0:A4:11:42:E4:C8:40:D7:DB:87:1F:4A:23:45][Firefox][Validity: 2016-09-12 10:06:20 - 2038-01-19 03:14:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 9,18,0,9,0,9,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,27,0,0] 4 TCP 192.168.1.178:61811 <-> 82.81.46.13:10443 [proto: 91.259/TLS.FortiClient][IP: 0/Unknown][Encrypted][Confidence: DPI (cache)][DPI packets: 7][cat: VPN/2][13 pkts/1582 bytes <-> 11 pkts/3875 bytes][Goodput ratio: 45/81][1.09 sec][Hostname/SNI: 82.81.46.13][bytes ratio: -0.420 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 102/102 203/231 56/98][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 122/352 269/1506 77/487][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **][Risk Score: 60][Risk Info: No ALPN][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12i220700_0d4ca5d4ec72_3304d8368043][JA3S: 0debd3853f330c574b05e0b6d882dc27][Issuer: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=support][Subject: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=FortiGate, CN=FWF60E4Q16012050][Certificate SHA-1: AA:8A:CE:95:99:2A:E0:A4:11:42:E4:C8:40:D7:DB:87:1F:4A:23:45][Firefox][Validity: 2016-09-12 10:06:20 - 2038-01-19 03:14:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 10,20,0,10,10,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0] diff --git a/tests/cfgs/default/result/gaijin_mobile_mixed.pcap.out b/tests/cfgs/default/result/gaijin_mobile_mixed.pcap.out index ee1f3d6876e..daf8ea9e529 100644 --- a/tests/cfgs/default/result/gaijin_mobile_mixed.pcap.out +++ b/tests/cfgs/default/result/gaijin_mobile_mixed.pcap.out @@ -31,6 +31,6 @@ JA3 Host Stats: 1 10.215.173.1 2 - 1 TCP 10.215.173.1:47666 <-> 54.75.230.133:443 [proto: 91.396/TLS.GaijinEntertainment][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][DPI packets: 7][cat: Game/8][4 pkts/697 bytes <-> 3 pkts/4256 bytes][Goodput ratio: 74/97][0.14 sec][Hostname/SNI: yupmaster.gaijinent.com][(Advertised) ALPNs: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.719 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/3 25/34 72/65 33/31][Pkt Len c2s/s2c min/avg/max/stddev: 40/40 174/1419 552/4168 218/1944][TLSv1.2][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113ht_e8f1e7e78f70_10734c531abe][ServerNames: *.gaijinent.com,gaijinent.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust TLS RSA CA G1][Subject: CN=*.gaijinent.com][Certificate SHA-1: 27:23:37:24:85:95:B7:8F:75:BE:79:18:DF:DC:11:D8:04:F7:1E:A2][Firefox][Validity: 2023-12-19 00:00:00 - 2025-01-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33] + 1 TCP 10.215.173.1:47666 <-> 54.75.230.133:443 [proto: 91.396/TLS.GaijinEntertainment][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][DPI packets: 7][cat: Game/8][4 pkts/697 bytes <-> 3 pkts/4256 bytes][Goodput ratio: 74/97][0.14 sec][Hostname/SNI: yupmaster.gaijinent.com][(Advertised) ALPNs: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.719 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/3 25/34 72/65 33/31][Pkt Len c2s/s2c min/avg/max/stddev: 40/40 174/1419 552/4168 218/1944][TLSv1.2][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113ht_e8f1e7e78f70_ce5650b735ce][ServerNames: *.gaijinent.com,gaijinent.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust TLS RSA CA G1][Subject: CN=*.gaijinent.com][Certificate SHA-1: 27:23:37:24:85:95:B7:8F:75:BE:79:18:DF:DC:11:D8:04:F7:1E:A2][Firefox][Validity: 2023-12-19 00:00:00 - 2025-01-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33] 2 TCP 10.215.173.1:39314 <-> 81.171.31.37:443 [proto: 91.396/TLS.GaijinEntertainment][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Game/8][3 pkts/468 bytes <-> 3 pkts/4296 bytes][Goodput ratio: 70/97][0.09 sec][Hostname/SNI: ta-receiver-balancer-xom.crossout.net][bytes ratio: -0.804 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/48 22/24 45/48 22/24][Pkt Len c2s/s2c min/avg/max/stddev: 40/40 156/1432 368/4208 150/1963][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 14a4b22e64580299d355a3a5449ef7be][JA4: t12d800700_ee0b5a6c69b8_cdbdbcd6f742][ServerNames: *.crossout.net,crossout.net][JA3S: 758945630046fd37070521b8544d1fe8][Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust TLS RSA CA G1][Subject: CN=*.crossout.net][Certificate SHA-1: 9D:3E:9C:5E:8D:F5:F0:D4:A7:71:3F:B3:CD:5A:DE:1B:E4:EA:12:92][Firefox][Validity: 2023-04-20 00:00:00 - 2024-05-18 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50] 3 UDP 10.215.173.1:42424 -> 95.211.246.178:20011 [proto: 396/GaijinEntertainment][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Game/8][5 pkts/837 bytes -> 0 pkts/0 bytes][Goodput ratio: 83/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (embeddedupdater.start)][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/line.pcap.out b/tests/cfgs/default/result/line.pcap.out index 96f13e35a95..9bf4dae94e2 100644 --- a/tests/cfgs/default/result/line.pcap.out +++ b/tests/cfgs/default/result/line.pcap.out @@ -36,6 +36,6 @@ JA3 Host Stats: 1 UDP 10.200.3.125:51161 <-> 147.92.169.90:29070 [proto: 316/LineCall][IP: 315/Line][Encrypted][Confidence: DPI][DPI packets: 1][cat: VoIP/10][55 pkts/14935 bytes <-> 66 pkts/16136 bytes][Goodput ratio: 85/83][8.68 sec][bytes ratio: -0.039 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 22/145 225/7269 38/970][Pkt Len c2s/s2c min/avg/max/stddev: 72/72 272/244 895/584 229/209][Plen Bins: 2,28,23,15,1,0,0,0,0,0,1,0,0,0,0,0,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 2 TCP 10.200.3.125:57841 <-> 147.92.165.194:443 [proto: 91/TLS][IP: 315/Line][Encrypted][Confidence: DPI][DPI packets: 5][cat: Web/5][31 pkts/6628 bytes <-> 41 pkts/4871 bytes][Goodput ratio: 75/51][85.95 sec][bytes ratio: 0.153 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1025/720 14545/14632 2971/2537][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 214/119 3192/388 546/101][Plen Bins: 0,50,10,15,0,5,2,0,5,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2] - 3 TCP 10.200.3.125:58160 <-> 147.92.242.232:443 [proto: 91.315/TLS.Line][IP: 315/Line][Encrypted][Confidence: DPI][DPI packets: 8][cat: Chat/9][16 pkts/4057 bytes <-> 21 pkts/5423 bytes][Goodput ratio: 78/78][70.05 sec][Hostname/SNI: uts-front.line-apps.com][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1][bytes ratio: -0.144 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 5755/2607 29999/29999 11001/7538][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 254/258 627/1514 230/419][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: ca75ea4a95a9164cc96e372d7d075183][JA4: t13d461100_5052069a8e11_6c96259584c4][ServerNames: *.line-apps.com,line-apps.com][JA3S: 567bb420d39046dbfd1f68b558d86382][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018][Subject: C=JP, ST=Tokyo-to, L=Shinjuku-ku, O=LINE Corporation, CN=*.line-apps.com][Certificate SHA-1: 3C:37:D7:AB:BE:E6:5A:A5:BE:14:62:C8:21:8C:BC:E3:3E:A8:3E:96][Firefox][Validity: 2020-08-17 06:21:02 - 2022-11-13 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 5,15,5,0,0,15,0,0,5,15,5,0,0,0,0,0,10,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0] + 3 TCP 10.200.3.125:58160 <-> 147.92.242.232:443 [proto: 91.315/TLS.Line][IP: 315/Line][Encrypted][Confidence: DPI][DPI packets: 8][cat: Chat/9][16 pkts/4057 bytes <-> 21 pkts/5423 bytes][Goodput ratio: 78/78][70.05 sec][Hostname/SNI: uts-front.line-apps.com][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1][bytes ratio: -0.144 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 5755/2607 29999/29999 11001/7538][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 254/258 627/1514 230/419][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: ca75ea4a95a9164cc96e372d7d075183][JA4: t13d461100_5052069a8e11_24695f2957a7][ServerNames: *.line-apps.com,line-apps.com][JA3S: 567bb420d39046dbfd1f68b558d86382][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018][Subject: C=JP, ST=Tokyo-to, L=Shinjuku-ku, O=LINE Corporation, CN=*.line-apps.com][Certificate SHA-1: 3C:37:D7:AB:BE:E6:5A:A5:BE:14:62:C8:21:8C:BC:E3:3E:A8:3E:96][Firefox][Validity: 2020-08-17 06:21:02 - 2022-11-13 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 5,15,5,0,0,15,0,0,5,15,5,0,0,0,0,0,10,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0] 4 UDP 10.0.2.15:50835 <-> 125.209.252.210:20610 [proto: 316/LineCall][IP: 315/Line][Encrypted][Confidence: DPI][DPI packets: 1][cat: VoIP/10][28 pkts/5296 bytes <-> 22 pkts/3942 bytes][Goodput ratio: 78/77][1.93 sec][bytes ratio: 0.147 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 64/59 602/533 152/133][Pkt Len c2s/s2c min/avg/max/stddev: 72/78 189/179 914/782 220/158][Plen Bins: 2,58,4,0,4,8,2,6,6,2,0,2,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 5 UDP 10.200.3.125:51170 <-> 147.92.169.90:29070 [proto: 316/LineCall][IP: 315/Line][Encrypted][Confidence: DPI][DPI packets: 1][cat: VoIP/10][5 pkts/898 bytes <-> 5 pkts/1046 bytes][Goodput ratio: 77/80][8.07 sec][bytes ratio: -0.076 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1999/1999 2009/2009 2038/2037 17/16][Pkt Len c2s/s2c min/avg/max/stddev: 174/198 180/209 202/254 11/22][Plen Bins: 0,0,0,0,80,10,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/long_tls_certificate.pcap.out b/tests/cfgs/default/result/long_tls_certificate.pcap.out index 2c5de9b8529..2f8a662dc41 100644 --- a/tests/cfgs/default/result/long_tls_certificate.pcap.out +++ b/tests/cfgs/default/result/long_tls_certificate.pcap.out @@ -30,4 +30,4 @@ JA3 Host Stats: 1 192.168.1.60 1 - 1 TCP 192.168.1.60:55333 <-> 106.15.100.123:443 [proto: 91.274/TLS.Alibaba][IP: 274/Alibaba][Encrypted][Confidence: DPI][DPI packets: 12][cat: Web/5][24 pkts/2429 bytes <-> 23 pkts/12383 bytes][Goodput ratio: 44/89][1.86 sec][Hostname/SNI: beacon-api.aliyuncs.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.672 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 74/62 370/360 133/111][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 101/538 571/1506 104/641][TLSv1.2][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][JA4: t12d6707h2_2955a3196ffa_b1760ac0ffd7][ServerNames: *.aliyun.com,manager.channel.aliyun.com,*.ace.aliyun.com,*.acs-internal.aliyuncs.com,*.acs.aliyun.com,*.aicrowd.aliyun.com,*.alibabacloud.co.in,*.alibabacloud.com,*.alibabacloud.com.au,*.alibabacloud.com.hk,*.alibabacloud.com.my,*.alibabacloud.com.sg,*.alibabacloud.com.tw,*.alicdn.com,*.alicloud.com,*.aligroup.aliyun.com,*.alimei.com,*.alink.aliyun.com,*.alios.aliyuncs.com,*.aliplus.com,*.alitranx.aliyun.com,*.aliyun-iot-share.com,*.aliyuncs.com,*.alyms.cn,*.ap-northeast-1.aliyuncs.com,*.ap-south-1.aliyuncs.com,*.ap-southeast-1.aliyuncs.com,*.ap-southeast-2.aliyuncs.com,*.ap-southeast-3.aliyuncs.com,*.ap-southeast-5.aliyuncs.com,*.api.aliyun.com,*.apm.aliyun.com,*.app.aliyun.com,*.asmlink.cn,*.banma.aliyuncs.com,*.base.shuju.aliyun.com,*.bi.aliyun.com,*.biz.aliyun.com,*.bridge.aliyun.com,*.ccc.aliyuncs.com,*.center.aliyun.com,*.citybrain.aliyun.com,*.cloudapp.aliyun.com,*.cloudeagle.cn,*.cloudgame.aliyun.com,*.cn-beijing.aliyuncs.com,*.cn-chengdu.aliyuncs.com,*.cn-guizhou.aliyuncs.com,*.cn-haidian.aliyuncs.com,*.cn-hangzhou-finance.aliyuncs.com,*.cn-hangzhou.aliyuncs.com,*.cn-hongkong.aliyuncs.com,*.cn-huhehaote.aliyuncs.com,*.cn-ningxia.aliyuncs.com,*.cn-north-2-gov-1.aliyuncs.com,*.cn-qingdao-nebula.aliyuncs.com,*.cn-qingdao.aliyuncs.com,*.cn-shanghai-finance-1.aliyuncs.com,*.cn-shanghai.aliyun.com,*.cn-shanghai.aliyuncs.com,*.cn-shenzhen-cloudstone.aliyuncs.com,*.cn-shenzhen-finance-1.aliyuncs.com,*.cn-shenzhen.aliyuncs.com,*.cn-sichuan.aliyuncs.com,*.cn-zhangjiakou.aliyuncs.com,*.connect.aliyun.com,*.console.alibabacloud.com,*.console.alicloud.com,*.console.aliyun.com,*.cs.aliyun.com,*.cschat-ccs.aliyun.com,*.data.aliyun.com,*.dataapi.aliyun.com,*.dataq.aliyuncs.com,*.datav.aliyun.com,*.datav.aliyuncs.com,*.devlops.aliyun.com,*.devops.aliyun.com,*.ditu.aliyun.com,*.domain.aliyun.com,*.dyiot.aliyun.com,*.ebs.aliyun.com,*.emas.aliyun.com,*.emr.aliyun.com,*.enterprise.aliyun.com,*.env.aliyun.com,*.et-industry.aliyun.com,*.eu-central-1.aliyuncs.com,*.eu-west-1.aliyuncs.com,*.fc.aliyun.com,*.feedback.console.aliyun.com,*.gts-x.aliyun.com,*.gts.aliyun.com,*.help-ccs.aliyun.com,*.ialicdn.com,*.in-mumbai.aliyuncs.com,*.iot.aliyun.com,*.jp-fudao.aliyuncs.com,*.linkedmall.aliyun.com,*.linkwan.aliyun.com,*.living.aliyun.com,*.luban.aliyun.com,*.m.aliyun.com,*.market.aliyun.com,*.maxcompute.aliyun.com,*.me-east-1.aliyuncs.com,*.media.aliyun.com,*.microdingtalk.aliyun.com,*.mit.aliyun.com,*.mobile.aliyun.com,*.msea.aliyun.com,*.mts.aliyun.com,*.mvp.aliyun.com,*.nebula.aliyun.com,*.nls.aliyuncs.com,*.odps.aliyun.com,*.ons.aliyun.com,*.ose.aliyun.com,*.pai.data.aliyun.com,*.pcs-gw-cn-beijing.aliyun.com,*.pcs-gw-cn-shanghai.aliyun.com,*.phpwind.com,*.phpwind.net,*.pre-sg-purchase.aliyun.com,*.prepub.aliyun.com,*.product.center.aliyun.com,*.pts.aliyun.com,*.r-app-cn-beijing-data.aliyun.com,*.r-app-cn-hangzhou-data.aliyun.com,*.r-app-cn-shenzhen-data.aliyun.com,*.r-app-data.aliyun.com,*.rdc.aliyun.com,*.rds.aliyun.com,*.reid.aliyun.com,*.sc-cmdb.aliyuncs.com,*.scsp.aliyun.com,*.sg.aliyuncs.com,*.shuju.aliyun.com,*.smart.aliyun.com,*.soc.aliyun.com,*.soc.aliyuncs.com,*.sparenode.com,*.supet.com,*.tburl.in,*.teambition.com,*.teambition.net,*.teambitionapis.com,*.tianchi.aliyun.com,*.toolkit.aliyun.com,*.tv.aliyun.com,*.tw-gaoxiong.aliyuncs.com,*.us-east-1.aliyuncs.com,*.us-west-1.aliyuncs.com,*.webide.aliyun.com,*.yuntu.aliyun.com,account.www.net.cn,alibabacloud.co.in,alibabacloud.com,alibabacloud.com.au,alibabacloud.com.hk,alibabacloud.com.my,alibabacloud.com.sg,alibabacloud.com.tw,alicdn.com,alicloud.com,alimei.com,aliyun-iot-share.com,aliyuncs.com,dc.www.net.cn,dmp.www.net.cn,dns.www.net.cn,panda.www.net.cn,pandavip.www.net.cn,phpwind.com,phpwind.net,scdnphi6.com,sparenode.com,supet.com,tburl.in,teambition.com,teambition.net,teambitionapis.com,tianchi-global.com,whois.www.net.cn,aliyun.com][JA3S: eee3d2bf5f17d17548ac36ba1872951f][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2][Subject: C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.aliyun.com][Certificate SHA-1: 2B:C6:82:22:E9:94:09:24:34:E1:5C:F1:24:76:98:75:45:78:53:DA][Firefox][Validity: 2020-11-25 10:12:07 - 2021-12-27 10:06:06][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 4,31,13,9,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,27,0,0] + 1 TCP 192.168.1.60:55333 <-> 106.15.100.123:443 [proto: 91.274/TLS.Alibaba][IP: 274/Alibaba][Encrypted][Confidence: DPI][DPI packets: 12][cat: Web/5][24 pkts/2429 bytes <-> 23 pkts/12383 bytes][Goodput ratio: 44/89][1.86 sec][Hostname/SNI: beacon-api.aliyuncs.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.672 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 74/62 370/360 133/111][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 101/538 571/1506 104/641][TLSv1.2][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][JA4: t12d6707h2_2955a3196ffa_c83f907a73d3][ServerNames: *.aliyun.com,manager.channel.aliyun.com,*.ace.aliyun.com,*.acs-internal.aliyuncs.com,*.acs.aliyun.com,*.aicrowd.aliyun.com,*.alibabacloud.co.in,*.alibabacloud.com,*.alibabacloud.com.au,*.alibabacloud.com.hk,*.alibabacloud.com.my,*.alibabacloud.com.sg,*.alibabacloud.com.tw,*.alicdn.com,*.alicloud.com,*.aligroup.aliyun.com,*.alimei.com,*.alink.aliyun.com,*.alios.aliyuncs.com,*.aliplus.com,*.alitranx.aliyun.com,*.aliyun-iot-share.com,*.aliyuncs.com,*.alyms.cn,*.ap-northeast-1.aliyuncs.com,*.ap-south-1.aliyuncs.com,*.ap-southeast-1.aliyuncs.com,*.ap-southeast-2.aliyuncs.com,*.ap-southeast-3.aliyuncs.com,*.ap-southeast-5.aliyuncs.com,*.api.aliyun.com,*.apm.aliyun.com,*.app.aliyun.com,*.asmlink.cn,*.banma.aliyuncs.com,*.base.shuju.aliyun.com,*.bi.aliyun.com,*.biz.aliyun.com,*.bridge.aliyun.com,*.ccc.aliyuncs.com,*.center.aliyun.com,*.citybrain.aliyun.com,*.cloudapp.aliyun.com,*.cloudeagle.cn,*.cloudgame.aliyun.com,*.cn-beijing.aliyuncs.com,*.cn-chengdu.aliyuncs.com,*.cn-guizhou.aliyuncs.com,*.cn-haidian.aliyuncs.com,*.cn-hangzhou-finance.aliyuncs.com,*.cn-hangzhou.aliyuncs.com,*.cn-hongkong.aliyuncs.com,*.cn-huhehaote.aliyuncs.com,*.cn-ningxia.aliyuncs.com,*.cn-north-2-gov-1.aliyuncs.com,*.cn-qingdao-nebula.aliyuncs.com,*.cn-qingdao.aliyuncs.com,*.cn-shanghai-finance-1.aliyuncs.com,*.cn-shanghai.aliyun.com,*.cn-shanghai.aliyuncs.com,*.cn-shenzhen-cloudstone.aliyuncs.com,*.cn-shenzhen-finance-1.aliyuncs.com,*.cn-shenzhen.aliyuncs.com,*.cn-sichuan.aliyuncs.com,*.cn-zhangjiakou.aliyuncs.com,*.connect.aliyun.com,*.console.alibabacloud.com,*.console.alicloud.com,*.console.aliyun.com,*.cs.aliyun.com,*.cschat-ccs.aliyun.com,*.data.aliyun.com,*.dataapi.aliyun.com,*.dataq.aliyuncs.com,*.datav.aliyun.com,*.datav.aliyuncs.com,*.devlops.aliyun.com,*.devops.aliyun.com,*.ditu.aliyun.com,*.domain.aliyun.com,*.dyiot.aliyun.com,*.ebs.aliyun.com,*.emas.aliyun.com,*.emr.aliyun.com,*.enterprise.aliyun.com,*.env.aliyun.com,*.et-industry.aliyun.com,*.eu-central-1.aliyuncs.com,*.eu-west-1.aliyuncs.com,*.fc.aliyun.com,*.feedback.console.aliyun.com,*.gts-x.aliyun.com,*.gts.aliyun.com,*.help-ccs.aliyun.com,*.ialicdn.com,*.in-mumbai.aliyuncs.com,*.iot.aliyun.com,*.jp-fudao.aliyuncs.com,*.linkedmall.aliyun.com,*.linkwan.aliyun.com,*.living.aliyun.com,*.luban.aliyun.com,*.m.aliyun.com,*.market.aliyun.com,*.maxcompute.aliyun.com,*.me-east-1.aliyuncs.com,*.media.aliyun.com,*.microdingtalk.aliyun.com,*.mit.aliyun.com,*.mobile.aliyun.com,*.msea.aliyun.com,*.mts.aliyun.com,*.mvp.aliyun.com,*.nebula.aliyun.com,*.nls.aliyuncs.com,*.odps.aliyun.com,*.ons.aliyun.com,*.ose.aliyun.com,*.pai.data.aliyun.com,*.pcs-gw-cn-beijing.aliyun.com,*.pcs-gw-cn-shanghai.aliyun.com,*.phpwind.com,*.phpwind.net,*.pre-sg-purchase.aliyun.com,*.prepub.aliyun.com,*.product.center.aliyun.com,*.pts.aliyun.com,*.r-app-cn-beijing-data.aliyun.com,*.r-app-cn-hangzhou-data.aliyun.com,*.r-app-cn-shenzhen-data.aliyun.com,*.r-app-data.aliyun.com,*.rdc.aliyun.com,*.rds.aliyun.com,*.reid.aliyun.com,*.sc-cmdb.aliyuncs.com,*.scsp.aliyun.com,*.sg.aliyuncs.com,*.shuju.aliyun.com,*.smart.aliyun.com,*.soc.aliyun.com,*.soc.aliyuncs.com,*.sparenode.com,*.supet.com,*.tburl.in,*.teambition.com,*.teambition.net,*.teambitionapis.com,*.tianchi.aliyun.com,*.toolkit.aliyun.com,*.tv.aliyun.com,*.tw-gaoxiong.aliyuncs.com,*.us-east-1.aliyuncs.com,*.us-west-1.aliyuncs.com,*.webide.aliyun.com,*.yuntu.aliyun.com,account.www.net.cn,alibabacloud.co.in,alibabacloud.com,alibabacloud.com.au,alibabacloud.com.hk,alibabacloud.com.my,alibabacloud.com.sg,alibabacloud.com.tw,alicdn.com,alicloud.com,alimei.com,aliyun-iot-share.com,aliyuncs.com,dc.www.net.cn,dmp.www.net.cn,dns.www.net.cn,panda.www.net.cn,pandavip.www.net.cn,phpwind.com,phpwind.net,scdnphi6.com,sparenode.com,supet.com,tburl.in,teambition.com,teambition.net,teambitionapis.com,tianchi-global.com,whois.www.net.cn,aliyun.com][JA3S: eee3d2bf5f17d17548ac36ba1872951f][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2][Subject: C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.aliyun.com][Certificate SHA-1: 2B:C6:82:22:E9:94:09:24:34:E1:5C:F1:24:76:98:75:45:78:53:DA][Firefox][Validity: 2020-11-25 10:12:07 - 2021-12-27 10:06:06][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 4,31,13,9,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,27,0,0] diff --git a/tests/cfgs/default/result/mumble.pcapng.out b/tests/cfgs/default/result/mumble.pcapng.out index 585cd446eec..c5374115f90 100644 --- a/tests/cfgs/default/result/mumble.pcapng.out +++ b/tests/cfgs/default/result/mumble.pcapng.out @@ -31,6 +31,6 @@ JA3 Host Stats: 1 192.168.88.208 1 - 1 TCP 192.168.88.208:50059 <-> 151.101.66.217:443 [proto: 91.387/TLS.Mumble][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: VoIP/10][3 pkts/691 bytes <-> 3 pkts/1620 bytes][Goodput ratio: 75/89][< 1 sec][Hostname/SNI: publist.mumble.info][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.402 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/36 21/146 40/255 19/110][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 230/540 571/1494 241/675][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 57fbe0aefee44901190849b0e877a5e1][JA4: t13d571100_131602cb7446_6c96259584c4][JA3S: 1d8db21618511d0ab31a2c2a0de6d7a7][Firefox][Cipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0] + 1 TCP 192.168.88.208:50059 <-> 151.101.66.217:443 [proto: 91.387/TLS.Mumble][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: VoIP/10][3 pkts/691 bytes <-> 3 pkts/1620 bytes][Goodput ratio: 75/89][< 1 sec][Hostname/SNI: publist.mumble.info][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.402 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/36 21/146 40/255 19/110][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 230/540 571/1494 241/675][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 57fbe0aefee44901190849b0e877a5e1][JA4: t13d571100_131602cb7446_24695f2957a7][JA3S: 1d8db21618511d0ab31a2c2a0de6d7a7][Firefox][Cipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0] 2 UDP 192.168.88.208:50085 <-> 5.39.185.162:64738 [proto: 387/Mumble][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 2][cat: VoIP/10][1 pkts/54 bytes <-> 1 pkts/66 bytes][Goodput ratio: 22/36][0.05 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 3 UDP 192.168.88.208:50085 <-> 87.122.110.156:64738 [proto: 387/Mumble][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 2][cat: VoIP/10][1 pkts/54 bytes <-> 1 pkts/66 bytes][Goodput ratio: 22/36][0.05 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/pia.pcap.out b/tests/cfgs/default/result/pia.pcap.out index 045be448f02..cf73a54799e 100644 --- a/tests/cfgs/default/result/pia.pcap.out +++ b/tests/cfgs/default/result/pia.pcap.out @@ -30,4 +30,4 @@ JA3 Host Stats: 1 192.168.88.3 1 - 1 TCP 192.168.88.3:56854 <-> 143.244.45.60:443 [proto: 91.384/TLS.PrivateInternetAccess][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 7][cat: VPN/2][5 pkts/948 bytes <-> 4 pkts/2894 bytes][Goodput ratio: 64/91][0.04 sec][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.507 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/6 19/15 8/6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 190/724 583/1514 200/661][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **][Risk Score: 60][Risk Info: No ALPN / SNI should always be present][TLSv1.2][JA3C: ee798410f39b7911fa5306cf3f3e6adc][JA4: t13d571000_131602cb7446_6c96259584c4][ServerNames: newjersey402][JA3S: ec74a5c51106f0419184d0dd08fb05bc][Issuer: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access][Subject: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=newjersey402, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access][Certificate SHA-1: 15:93:3C:30:66:5E:3D:9D:AF:2D:89:56:75:07:DF:06:BB:D2:61:3F][Firefox][Validity: 2020-11-17 14:30:51 - 2021-05-16 14:30:51][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,25,0,0] + 1 TCP 192.168.88.3:56854 <-> 143.244.45.60:443 [proto: 91.384/TLS.PrivateInternetAccess][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 7][cat: VPN/2][5 pkts/948 bytes <-> 4 pkts/2894 bytes][Goodput ratio: 64/91][0.04 sec][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.507 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/6 19/15 8/6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 190/724 583/1514 200/661][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **][Risk Score: 60][Risk Info: No ALPN / SNI should always be present][TLSv1.2][JA3C: ee798410f39b7911fa5306cf3f3e6adc][JA4: t13d571000_131602cb7446_24695f2957a7][ServerNames: newjersey402][JA3S: ec74a5c51106f0419184d0dd08fb05bc][Issuer: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access][Subject: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=newjersey402, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access][Certificate SHA-1: 15:93:3C:30:66:5E:3D:9D:AF:2D:89:56:75:07:DF:06:BB:D2:61:3F][Firefox][Validity: 2020-11-17 14:30:51 - 2021-05-16 14:30:51][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,25,0,0] diff --git a/tests/cfgs/default/result/roblox.pcapng.out b/tests/cfgs/default/result/roblox.pcapng.out index 71f5b96be50..ee3a3ce98cc 100644 --- a/tests/cfgs/default/result/roblox.pcapng.out +++ b/tests/cfgs/default/result/roblox.pcapng.out @@ -32,7 +32,7 @@ JA3 Host Stats: 1 192.168.12.156 1 - 1 TCP 192.168.12.156:39034 <-> 128.116.122.4:443 [proto: 91.346/TLS.Roblox][IP: 346/Roblox][Encrypted][Confidence: DPI][DPI packets: 5][cat: Game/8][19 pkts/3517 bytes <-> 15 pkts/8485 bytes][Goodput ratio: 65/88][12.24 sec][Hostname/SNI: assetgame.roblox.com][(Advertised) ALPNs: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.414 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 808/1277 10785/10000 2671/3298][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 185/566 1090/1514 279/584][TLSv1.3][JA3C: f436b9416f37d134cadd04886327d3e8][JA4: t13d3113ht_e8f1e7e78f70_b23652925e07][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 20,0,6,0,0,0,0,0,13,0,0,0,0,0,0,0,13,0,0,0,6,0,0,0,0,0,6,0,0,0,0,0,6,0,0,0,0,6,0,0,0,0,0,0,0,20,0,0] + 1 TCP 192.168.12.156:39034 <-> 128.116.122.4:443 [proto: 91.346/TLS.Roblox][IP: 346/Roblox][Encrypted][Confidence: DPI][DPI packets: 5][cat: Game/8][19 pkts/3517 bytes <-> 15 pkts/8485 bytes][Goodput ratio: 65/88][12.24 sec][Hostname/SNI: assetgame.roblox.com][(Advertised) ALPNs: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.414 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 808/1277 10785/10000 2671/3298][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 185/566 1090/1514 279/584][TLSv1.3][JA3C: f436b9416f37d134cadd04886327d3e8][JA4: t13d3113ht_e8f1e7e78f70_1b3407e2c936][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 20,0,6,0,0,0,0,0,13,0,0,0,0,0,0,0,13,0,0,0,6,0,0,0,0,0,6,0,0,0,0,0,6,0,0,0,0,6,0,0,0,0,0,0,0,20,0,0] 2 UDP 192.168.12.156:45693 <-> 128.116.44.33:53385 [proto: 286/RakNet][IP: 346/Roblox][ClearText][Confidence: DPI][DPI packets: 1][cat: Game/8][15 pkts/6993 bytes <-> 2 pkts/2748 bytes][Goodput ratio: 91/97][0.38 sec][bytes ratio: 0.436 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 25/0 127/0 36/0][Pkt Len c2s/s2c min/avg/max/stddev: 100/1374 466/1374 1398/1374 543/0][PLAIN TEXT (UniqueNumber)][Plen Bins: 0,30,18,5,0,5,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,18,11,0,0,0,0,0] 3 UDP 192.168.12.156:46507 <-> 128.116.44.33:51438 [proto: 286/RakNet][IP: 346/Roblox][ClearText][Confidence: DPI][DPI packets: 1][cat: Game/8][13 pkts/6771 bytes <-> 1 pkts/1374 bytes][Goodput ratio: 92/97][0.42 sec][bytes ratio: 0.663 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 28/0 196/0 56/0][Pkt Len c2s/s2c min/avg/max/stddev: 100/1374 521/1374 1398/1374 563/0][PLAIN TEXT (UniqueNumber9)][Plen Bins: 0,28,14,7,0,7,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,14,14,0,0,0,0,0] 4 UDP 192.168.12.156:42965 <-> 128.116.89.113:63862 [proto: 286/RakNet][IP: 346/Roblox][ClearText][Confidence: DPI][DPI packets: 1][cat: Game/8][6 pkts/3229 bytes <-> 7 pkts/792 bytes][Goodput ratio: 92/63][0.11 sec][bytes ratio: 0.606 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 20/11 34/29 13/14][Pkt Len c2s/s2c min/avg/max/stddev: 69/70 538/113 1398/180 609/46][PLAIN TEXT (UniqueNumber)][Plen Bins: 15,38,7,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0,0,0,0] diff --git a/tests/cfgs/default/result/selfsigned.pcap.out b/tests/cfgs/default/result/selfsigned.pcap.out index cbc3d421e6d..e6d57878909 100644 --- a/tests/cfgs/default/result/selfsigned.pcap.out +++ b/tests/cfgs/default/result/selfsigned.pcap.out @@ -30,4 +30,4 @@ JA3 Host Stats: 1 127.0.0.1 1 - 1 TCP 127.0.0.1:51607 <-> 127.0.0.1:3001 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 7][cat: Network/14][10 pkts/1421 bytes <-> 10 pkts/2345 bytes][Goodput ratio: 60/76][0.05 sec][Hostname/SNI: localhost][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.245 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5/7 32/32 10/11][Pkt Len c2s/s2c min/avg/max/stddev: 56/44 142/234 573/1413 156/408][Risk: ** Known Proto on Non Std Port **** Self-signed Cert **** TLS Cert Expired **][Risk Score: 250][Risk Info: 10/Oct/2015 15:55:47 - 09/Oct/2016 15:55:47 / C=IT, ST=Some-State, O=ntop.org][TLSv1.2][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][JA4: t12d6707h2_2955a3196ffa_b1760ac0ffd7][JA3S: 0debd3853f330c574b05e0b6d882dc27][Issuer: C=IT, ST=Some-State, O=ntop.org][Subject: C=IT, ST=Some-State, O=ntop.org][Certificate SHA-1: AF:CC:98:49:F2:00:0E:05:21:18:6C:77:5F:2A:CF:10:44:6E:D8:8B][Firefox][Validity: 2015-10-10 15:55:47 - 2016-10-09 15:55:47][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 14,14,0,14,0,0,14,0,0,0,0,14,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0] + 1 TCP 127.0.0.1:51607 <-> 127.0.0.1:3001 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 7][cat: Network/14][10 pkts/1421 bytes <-> 10 pkts/2345 bytes][Goodput ratio: 60/76][0.05 sec][Hostname/SNI: localhost][(Advertised) ALPNs: h2;http/1.1][bytes ratio: -0.245 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5/7 32/32 10/11][Pkt Len c2s/s2c min/avg/max/stddev: 56/44 142/234 573/1413 156/408][Risk: ** Known Proto on Non Std Port **** Self-signed Cert **** TLS Cert Expired **][Risk Score: 250][Risk Info: 10/Oct/2015 15:55:47 - 09/Oct/2016 15:55:47 / C=IT, ST=Some-State, O=ntop.org][TLSv1.2][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][JA4: t12d6707h2_2955a3196ffa_c83f907a73d3][JA3S: 0debd3853f330c574b05e0b6d882dc27][Issuer: C=IT, ST=Some-State, O=ntop.org][Subject: C=IT, ST=Some-State, O=ntop.org][Certificate SHA-1: AF:CC:98:49:F2:00:0E:05:21:18:6C:77:5F:2A:CF:10:44:6E:D8:8B][Firefox][Validity: 2015-10-10 15:55:47 - 2016-10-09 15:55:47][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 14,14,0,14,0,0,14,0,0,0,0,14,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0] diff --git a/tests/cfgs/default/result/sites.pcapng.out b/tests/cfgs/default/result/sites.pcapng.out index 6ebf7ae9238..798466bfe49 100644 --- a/tests/cfgs/default/result/sites.pcapng.out +++ b/tests/cfgs/default/result/sites.pcapng.out @@ -113,15 +113,15 @@ JA3 Host Stats: 22 TCP 192.168.1.128:56468 <-> 151.101.192.92:443 [proto: 91.186/TLS.Vevo][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Music/25][3 pkts/816 bytes <-> 5 pkts/4204 bytes][Goodput ratio: 75/92][0.04 sec][Hostname/SNI: vevo.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.675 (Download)][IAT c2s/s2c min/avg/max/stddev: 10/0 14/7 18/18 4/7][Pkt Len c2s/s2c min/avg/max/stddev: 74/74 272/841 583/1406 223/551][TLSv1.2][JA3C: 579ccef312d18482fc42e2b822ca2430][JA4: t13d1715h2_5b57614c22b0_3d5424432f57][ServerNames: *.cache.vevo.com,*.cache.vevodev.com,*.cache.vevoprd.com,*.cache.vevostg.com,*.vevodev.com,*.vevoprd.com,*.vevostg.com,stg.vevo.ly,vevo.com,vevo.ly,vevo.pl,vevo.tv,vevoapi.com,vevocdn.com,vevolive.tv,vevosubmit.com,www.vevo.ly,www.vevo.pl,*.vevo.com,*.vevo.ly,*.vevo.pl,*.vevo.tv,*.vevoapi.com,*.vevocdn.com,*.vevolive.tv,*.vevosubmit.com][JA3S: 00447ab319e9d94ba2b4c1248e155917][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2020][Subject: CN=*.cache.vevo.com][Certificate SHA-1: ED:55:58:0E:19:94:FE:95:93:86:88:FE:30:27:DF:43:EB:74:17:C2][Firefox][Validity: 2021-06-01 16:55:32 - 2022-07-03 16:55:31][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,16,0,0,0,0,0,16,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,34,0,0,0,0,0,0] 23 TCP [2001:b07:a3d:c112:9a00:ba78:86b1:e177]:48594 <-> [2001:67c:4e8:f004::9]:443 [proto: 91.185/TLS.Telegram][IP: 185/Telegram][Encrypted][Confidence: DPI][DPI packets: 6][cat: Chat/9][3 pkts/930 bytes <-> 3 pkts/3890 bytes][Goodput ratio: 71/93][0.04 sec][Hostname/SNI: web.telegram.org][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.614 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/9 17/18 8/9][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 310/1297 750/3710 311/1706][TLSv1.3][JA3C: b5001237acdf006056b409cc433726b0][JA4: t13d1715h2_5b57614c22b0_5c2c66f702b0][JA3S: 15af977ce25de452b96affa2addb1036][ECH: version 0xfe0d][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50] 24 TCP 192.168.1.128:53978 <-> 208.85.40.158:443 [proto: 91.187/TLS.Pandora][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Streaming/17][3 pkts/849 bytes <-> 5 pkts/3932 bytes][Goodput ratio: 76/91][0.68 sec][Hostname/SNI: pandora.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.645 (Download)][IAT c2s/s2c min/avg/max/stddev: 170/0 254/127 339/173 84/73][Pkt Len c2s/s2c min/avg/max/stddev: 74/74 283/786 583/1514 218/607][TLSv1.2][JA3C: 579ccef312d18482fc42e2b822ca2430][JA4: t13d1715h2_5b57614c22b0_3d5424432f57][ServerNames: *.pandora.com,pandora.com][JA3S: 7047b9d842ee4b3fba6a86353828c915][Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust TLS RSA CA G1][Subject: C=US, ST=California, L=Oakland, O=Pandora Media, LLC, CN=*.pandora.com][Certificate SHA-1: 40:BB:03:6C:E8:D4:7C:D7:72:59:2F:8D:DB:4B:64:4F:8F:C4:EB:AF][Firefox][Validity: 2021-05-12 00:00:00 - 2022-06-12 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,0,16,0,0,0,0,0,0,16,16,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,34,0,0] - 25 TCP 192.168.88.231:49950 <-> 159.153.191.240:443 [proto: 91.389/TLS.ElectronicArts][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 10][cat: Game/8][5 pkts/807 bytes <-> 5 pkts/3375 bytes][Goodput ratio: 64/91][< 1 sec][Hostname/SNI: accounts.ea.com][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.614 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 72/36 142/145 70/63][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 161/675 571/1384 205/599][Risk: ** Weak TLS Cipher **** TLS (probably) Not Carrying HTTPS **][Risk Score: 110][Risk Info: No ALPN / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1.2][JA3C: 57fbe0aefee44901190849b0e877a5e1][JA4: t13d571100_131602cb7446_6c96259584c4][ServerNames: accounts.ea.com][JA3S: 7b6819ed58e8d8415604b7dfcef92d55 (WEAK)][Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA][Subject: C=US, ST=CALIFORNIA, L=Redwood City, O=Electronic Arts, Inc., CN=accounts.ea.com][Certificate SHA-1: 6E:9C:F6:59:DD:52:AA:1B:73:A6:B5:29:71:59:89:7D:B5:46:67:3D][Firefox][Validity: 2023-04-18 00:00:00 - 2024-05-18 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][PLAIN TEXT (3.digicert.com/DigiCertGlobalRo)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0] + 25 TCP 192.168.88.231:49950 <-> 159.153.191.240:443 [proto: 91.389/TLS.ElectronicArts][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 10][cat: Game/8][5 pkts/807 bytes <-> 5 pkts/3375 bytes][Goodput ratio: 64/91][< 1 sec][Hostname/SNI: accounts.ea.com][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.614 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 72/36 142/145 70/63][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 161/675 571/1384 205/599][Risk: ** Weak TLS Cipher **** TLS (probably) Not Carrying HTTPS **][Risk Score: 110][Risk Info: No ALPN / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLSv1.2][JA3C: 57fbe0aefee44901190849b0e877a5e1][JA4: t13d571100_131602cb7446_24695f2957a7][ServerNames: accounts.ea.com][JA3S: 7b6819ed58e8d8415604b7dfcef92d55 (WEAK)][Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA][Subject: C=US, ST=CALIFORNIA, L=Redwood City, O=Electronic Arts, Inc., CN=accounts.ea.com][Certificate SHA-1: 6E:9C:F6:59:DD:52:AA:1B:73:A6:B5:29:71:59:89:7D:B5:46:67:3D][Firefox][Validity: 2023-04-18 00:00:00 - 2024-05-18 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][PLAIN TEXT (3.digicert.com/DigiCertGlobalRo)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0] 26 TCP [2001:b07:a3d:c112:9a00:ba78:86b1:e177]:48624 <-> [2001:67c:4e8:f004::9]:443 [proto: 91.185/TLS.Telegram][IP: 185/Telegram][Encrypted][Confidence: DPI][DPI packets: 6][cat: Chat/9][4 pkts/1011 bytes <-> 3 pkts/2682 bytes][Goodput ratio: 65/90][0.04 sec][Hostname/SNI: telegram.me][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.452 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 12/10 18/20 8/10][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 253/894 745/2502 284/1137][TLSv1.3][JA3C: b5001237acdf006056b409cc433726b0][JA4: t13d1715h2_5b57614c22b0_5c2c66f702b0][JA3S: 15af977ce25de452b96affa2addb1036][ECH: version 0xfe0d][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50] 27 UDP 192.168.1.128:36832 <-> 142.250.181.238:443 [proto: 188.126/QUIC.Google][IP: 126/Google][Encrypted][Confidence: DPI][DPI packets: 1][cat: Web/5][1 pkts/1399 bytes <-> 1 pkts/1399 bytes][Goodput ratio: 97/97][0.02 sec][Hostname/SNI: plus.google.com][(Advertised) ALPNs: h3][TLS Supported Versions: TLSv1.3][TLSv1.3][QUIC ver: V-1][JA3C: b719940c5ab9a3373cb4475d8143ff88][JA4: q13d0314h][Firefox][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] 28 UDP 192.168.1.128:38642 <-> 216.58.212.142:443 [proto: 188.126/QUIC.Google][IP: 126/Google][Encrypted][Confidence: DPI][DPI packets: 1][cat: Web/5][1 pkts/1399 bytes <-> 1 pkts/1399 bytes][Goodput ratio: 97/97][0.03 sec][Hostname/SNI: hangouts.google.com][(Advertised) ALPNs: h3][TLS Supported Versions: TLSv1.3][TLSv1.3][QUIC ver: V-1][JA3C: 2a18e6bf307f97c5e27f0ab407dc65db][JA4: q13d0315h][Firefox][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] - 29 TCP 192.168.88.171:55280 <-> 124.237.225.21:443 [proto: 91.54/TLS.iQIYI][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 7][cat: Streaming/17][3 pkts/691 bytes <-> 4 pkts/1680 bytes][Goodput ratio: 75/86][< 1 sec][Hostname/SNI: msg.qy.net][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.417 (Download)][IAT c2s/s2c min/avg/max/stddev: 295/2 296/198 297/297 1/138][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 230/420 571/1494 241/620][TLSv1.3][JA3C: f436b9416f37d134cadd04886327d3e8][JA4: t13d3113h2_e8f1e7e78f70_b23652925e07][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0] + 29 TCP 192.168.88.171:55280 <-> 124.237.225.21:443 [proto: 91.54/TLS.iQIYI][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 7][cat: Streaming/17][3 pkts/691 bytes <-> 4 pkts/1680 bytes][Goodput ratio: 75/86][< 1 sec][Hostname/SNI: msg.qy.net][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.417 (Download)][IAT c2s/s2c min/avg/max/stddev: 295/2 296/198 297/297 1/138][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 230/420 571/1494 241/620][TLSv1.3][JA3C: f436b9416f37d134cadd04886327d3e8][JA4: t13d3113h2_e8f1e7e78f70_1b3407e2c936][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0] 30 TCP 192.168.88.171:55468 <-> 184.86.2.194:443 [proto: 91.54/TLS.iQIYI][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Streaming/17][3 pkts/742 bytes <-> 3 pkts/1620 bytes][Goodput ratio: 76/89][0.05 sec][Hostname/SNI: stc.iqiyipic.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2][bytes ratio: -0.372 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 12/12 23/23 12/11][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 247/540 622/1494 265/675][TLSv1.3][JA3C: 2aafde70b049185ef1cca0d7f821a8d7][JA4: t13d1516h2_8daaf6152771_02713d6af862][JA3S: 15af977ce25de452b96affa2addb1036][ECH: version 0xfe0d][Chrome][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0] - 31 TCP 192.168.88.231:33920 <-> 185.5.161.203:443 [proto: 91.389/TLS.ElectronicArts][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Game/8][3 pkts/723 bytes <-> 3 pkts/1634 bytes][Goodput ratio: 71/87][0.08 sec][Hostname/SNI: origin-a.akamaihd.net][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.387 (Download)][IAT c2s/s2c min/avg/max/stddev: 6/19 16/24 26/28 10/4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 241/545 583/1494 242/671][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.3][JA3C: 57fbe0aefee44901190849b0e877a5e1][JA4: t13d571100_131602cb7446_6c96259584c4][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0] + 31 TCP 192.168.88.231:33920 <-> 185.5.161.203:443 [proto: 91.389/TLS.ElectronicArts][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Game/8][3 pkts/723 bytes <-> 3 pkts/1634 bytes][Goodput ratio: 71/87][0.08 sec][Hostname/SNI: origin-a.akamaihd.net][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.387 (Download)][IAT c2s/s2c min/avg/max/stddev: 6/19 16/24 26/28 10/4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 241/545 583/1494 242/671][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.3][JA3C: 57fbe0aefee44901190849b0e877a5e1][JA4: t13d571100_131602cb7446_24695f2957a7][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0] 32 TCP 192.168.88.171:49217 <-> 54.208.106.218:443 [proto: 91.59/TLS.AdobeConnect][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][DPI packets: 6][cat: Video/26][3 pkts/691 bytes <-> 3 pkts/1620 bytes][Goodput ratio: 75/89][0.28 sec][Hostname/SNI: meet27083742.adobeconnect.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2][bytes ratio: -0.402 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 69/70 138/139 69/70][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 230/540 571/1494 241/675][TLSv1.3][JA3C: cd08e31494f9531f560d64c695473da9][JA4: t13d1516h2_8daaf6152771_e5627efa2ab1][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Chrome][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0] - 33 TCP 192.168.88.171:55272 <-> 116.211.202.129:443 [proto: 91.54/TLS.iQIYI][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Streaming/17][3 pkts/691 bytes <-> 3 pkts/1620 bytes][Goodput ratio: 75/89][0.59 sec][Hostname/SNI: opportunarch.iqiyi.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.402 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 144/150 288/299 144/150][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 230/540 571/1494 241/675][TLSv1.3][JA3C: f436b9416f37d134cadd04886327d3e8][JA4: t13d3113h2_e8f1e7e78f70_b23652925e07][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0] + 33 TCP 192.168.88.171:55272 <-> 116.211.202.129:443 [proto: 91.54/TLS.iQIYI][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Streaming/17][3 pkts/691 bytes <-> 3 pkts/1620 bytes][Goodput ratio: 75/89][0.59 sec][Hostname/SNI: opportunarch.iqiyi.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.402 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 144/150 288/299 144/150][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 230/540 571/1494 241/675][TLSv1.3][JA3C: f436b9416f37d134cadd04886327d3e8][JA4: t13d3113h2_e8f1e7e78f70_1b3407e2c936][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0] 34 TCP 192.168.1.128:40832 <-> 2.17.141.49:443 [proto: 91.179/TLS.eBay][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 4][cat: Shopping/27][2 pkts/657 bytes <-> 2 pkts/1588 bytes][Goodput ratio: 79/91][0.04 sec][Hostname/SNI: www.ebay.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][TLSv1.3][JA3C: 579ccef312d18482fc42e2b822ca2430][JA4: t13d1715h2_5b57614c22b0_3d5424432f57][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0] 35 TCP 192.168.1.128:42884 <-> 185.125.190.21:443 [proto: 91.169/TLS.UbuntuONE][IP: 169/UbuntuONE][Encrypted][Confidence: DPI][DPI packets: 4][cat: Cloud/13][2 pkts/657 bytes <-> 2 pkts/1588 bytes][Goodput ratio: 79/91][0.06 sec][Hostname/SNI: assets.ubuntu.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][TLSv1.3][JA3C: 579ccef312d18482fc42e2b822ca2430][JA4: t13d1715h2_5b57614c22b0_3d5424432f57][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0] 36 TCP 192.168.1.128:45898 <-> 15.160.39.187:443 [proto: 91.254/TLS.AppleSiri][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][DPI packets: 4][cat: VirtAssistant/32][2 pkts/657 bytes <-> 2 pkts/1588 bytes][Goodput ratio: 79/91][0.02 sec][Hostname/SNI: guzzoni.apple.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][TLSv1.3][JA3C: 579ccef312d18482fc42e2b822ca2430][JA4: t13d1715h2_5b57614c22b0_3d5424432f57][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0] diff --git a/tests/cfgs/default/result/steam.pcapng.out b/tests/cfgs/default/result/steam.pcapng.out index bbd6b1b1905..fa9d64b3699 100644 --- a/tests/cfgs/default/result/steam.pcapng.out +++ b/tests/cfgs/default/result/steam.pcapng.out @@ -34,10 +34,10 @@ JA3 Host Stats: 2 162.254.198.46 1 - 1 TCP 192.168.88.231:57749 <-> 23.52.29.119:443 [proto: 91.74/TLS.Steam][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Game/8][5 pkts/1378 bytes <-> 5 pkts/1865 bytes][Goodput ratio: 75/82][< 1 sec][Hostname/SNI: api.steampowered.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.150 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 8/0 18/18 24/39 7/17][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 276/373 589/1494 253/562][TLSv1.3][JA3C: 07eb11020e4395f99e5ef70baf9c1d11][JA4: t13d3213h2_85d9c3ed342d_158b9cf6d7fa][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][PLAIN TEXT (67viP.eampowered.com)][Plen Bins: 0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0] - 2 TCP 192.168.88.231:54243 <-> 188.114.98.224:443 [proto: 91.386/TLS.Dota2][IP: 220/Cloudflare][Encrypted][Confidence: DPI][DPI packets: 6][cat: Game/8][5 pkts/1378 bytes <-> 5 pkts/1167 bytes][Goodput ratio: 75/71][< 1 sec][Hostname/SNI: www.dota2.com][(Advertised) ALPNs: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.083 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 13/47 43/68 98/94 32/17][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 276/233 589/796 253/284][TLSv1.3][JA3C: 07eb11020e4395f99e5ef70baf9c1d11][JA4: t13d3213ht_85d9c3ed342d_158b9cf6d7fa][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 TCP 192.168.88.231:57749 <-> 23.52.29.119:443 [proto: 91.74/TLS.Steam][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Game/8][5 pkts/1378 bytes <-> 5 pkts/1865 bytes][Goodput ratio: 75/82][< 1 sec][Hostname/SNI: api.steampowered.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.150 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 8/0 18/18 24/39 7/17][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 276/373 589/1494 253/562][TLSv1.3][JA3C: 07eb11020e4395f99e5ef70baf9c1d11][JA4: t13d3213h2_85d9c3ed342d_e802cdec6a7f][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][PLAIN TEXT (67viP.eampowered.com)][Plen Bins: 0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0] + 2 TCP 192.168.88.231:54243 <-> 188.114.98.224:443 [proto: 91.386/TLS.Dota2][IP: 220/Cloudflare][Encrypted][Confidence: DPI][DPI packets: 6][cat: Game/8][5 pkts/1378 bytes <-> 5 pkts/1167 bytes][Goodput ratio: 75/71][< 1 sec][Hostname/SNI: www.dota2.com][(Advertised) ALPNs: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.083 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 13/47 43/68 98/94 32/17][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 276/233 589/796 253/284][TLSv1.3][JA3C: 07eb11020e4395f99e5ef70baf9c1d11][JA4: t13d3213ht_85d9c3ed342d_e802cdec6a7f][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 3 TCP 192.168.88.231:42070 <-> 95.100.141.15:443 [proto: 91.74/TLS.Steam][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Game/8][3 pkts/723 bytes <-> 3 pkts/1634 bytes][Goodput ratio: 71/87][< 1 sec][Hostname/SNI: store.steampowered.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.387 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 12/12 24/24 12/12][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 241/545 583/1494 242/671][TLSv1.3][JA3C: b32309a26951912be7dba376398abc3b][JA4: t13d1515h2_8daaf6152771_de4a06bb82e3][JA3S: 15af977ce25de452b96affa2addb1036][Chrome][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0] - 4 TCP 162.254.198.46:27038 <-> 192.168.88.231:50983 [proto: 91.74/TLS.Steam][IP: 74/Steam][Encrypted][Confidence: DPI][DPI packets: 4][cat: Game/8][2 pkts/1560 bytes <-> 2 pkts/625 bytes][Goodput ratio: 92/83][< 1 sec][Hostname/SNI: ext3-sto1.steamserver.net][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.3][JA3C: 07eb11020e4395f99e5ef70baf9c1d11][JA4: t13d3213h2_85d9c3ed342d_158b9cf6d7fa][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0] + 4 TCP 162.254.198.46:27038 <-> 192.168.88.231:50983 [proto: 91.74/TLS.Steam][IP: 74/Steam][Encrypted][Confidence: DPI][DPI packets: 4][cat: Game/8][2 pkts/1560 bytes <-> 2 pkts/625 bytes][Goodput ratio: 92/83][< 1 sec][Hostname/SNI: ext3-sto1.steamserver.net][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.3][JA3C: 07eb11020e4395f99e5ef70baf9c1d11][JA4: t13d3213h2_85d9c3ed342d_e802cdec6a7f][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0] 5 TCP 192.168.88.231:59739 <-> 2.20.254.25:80 [proto: 7.74/HTTP.Steam][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Game/8][6 pkts/629 bytes <-> 4 pkts/559 bytes][Goodput ratio: 36/51][< 1 sec][Hostname/SNI: test.steampowered.com][bytes ratio: 0.059 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 6002/2 30001/3 12000/2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 105/140 291/353 83/123][URL: test.steampowered.com/204][StatusCode: 204][Content-Type: text/plain][Server: AkamaiNetStorage][User-Agent: Valve/Steam HTTP Client 1.0][PLAIN TEXT (GET /204 HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 6 UDP 192.168.88.231:27036 -> 192.168.88.255:27036 [proto: 74/Steam][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: Game/8][6 pkts/924 bytes -> 0 pkts/0 bytes][Goodput ratio: 73/0][22.02 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 4403/0 15014/0 5613/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 154/0 226/0 72/0][PLAIN TEXT (localhost)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 7 UDP 192.168.88.231:46604 -> 155.133.252.86:27045 [proto: 235/SteamDatagramRelay][IP: 74/Steam][ClearText][Confidence: DPI][DPI packets: 1][cat: Game/8][2 pkts/284 bytes -> 0 pkts/0 bytes][Goodput ratio: 70/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (sdping)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/teams.pcap.out b/tests/cfgs/default/result/teams.pcap.out index cb895e234bd..b5ef9f8ebb7 100644 --- a/tests/cfgs/default/result/teams.pcap.out +++ b/tests/cfgs/default/result/teams.pcap.out @@ -94,8 +94,8 @@ JA3 Host Stats: 37 TCP 192.168.1.6:50018 <-> 52.114.250.123:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 5][cat: Collaborative/15][20 pkts/1629 bytes <-> 13 pkts/7093 bytes][Goodput ratio: 29/90][1.92 sec][Hostname/SNI: euaz.tr.teams.microsoft.com][bytes ratio: -0.626 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 19/18 69/92 24/32][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 81/546 241/1506 48/564][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12d220700_0d4ca5d4ec72_3304d8368043][Firefox][Plen Bins: 13,13,0,20,0,13,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0] 38 TCP 192.168.1.6:50021 <-> 52.114.250.123:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 5][cat: Collaborative/15][18 pkts/1509 bytes <-> 13 pkts/7093 bytes][Goodput ratio: 32/90][0.66 sec][Hostname/SNI: euaz.tr.teams.microsoft.com][bytes ratio: -0.649 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/23 46/85 20/34][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 84/546 241/1506 50/564][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12d220700_0d4ca5d4ec72_3304d8368043][Firefox][Plen Bins: 13,13,0,20,0,13,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0] 39 TCP 192.168.1.6:50014 <-> 52.114.250.152:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 14][cat: Collaborative/15][14 pkts/1347 bytes <-> 11 pkts/6975 bytes][Goodput ratio: 42/91][0.22 sec][Hostname/SNI: 52.114.250.152][bytes ratio: -0.676 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/22 43/84 20/30][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 96/634 289/1506 73/570][Risk: ** TLS Cert Mismatch **** TLS (probably) Not Carrying HTTPS **][Risk Score: 110][Risk Info: No ALPN / 52.114.250.152 vs tr.teams.microsoft.com,*.tr.teams.microsoft.com,turn.teams.microsoft.com,*.turn.teams.microsoft.co][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12i220700_0d4ca5d4ec72_3304d8368043][ServerNames: tr.teams.microsoft.com,*.tr.teams.microsoft.com,turn.teams.microsoft.com,*.turn.teams.microsoft.com,*.relay.teams.microsoft.com][JA3S: 986571066668055ae9481cb84fda634a][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5][Subject: CN=tr.teams.microsoft.com][Certificate SHA-1: A7:90:8D:41:ED:24:D2:83:48:95:90:CE:18:D3:A6:C2:62:7A:07:75][Firefox][Validity: 2019-05-24 14:10:26 - 2021-05-24 14:10:26][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 7,14,0,14,0,14,0,7,0,0,0,0,0,0,0,0,0,21,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0] - 40 TCP 192.168.1.6:60566 <-> 167.99.215.164:4434 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Network/14][9 pkts/3029 bytes <-> 8 pkts/2213 bytes][Goodput ratio: 80/76][2.73 sec][Hostname/SNI: dati.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.156 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 351/431 1977/2053 668/728][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 337/277 1012/1291 385/397][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.2][JA3C: 7120d65624bcd2e02ed4b01388d84cdb][JA4: t13d5713h2_131602cb7446_158b9cf6d7fa][JA3S: 410b9bedaf65dd26c6fe547154d60db4][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,14,0,0,14,0,0,0,0,14,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,14,14,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0] - 41 TCP 192.168.1.6:60546 <-> 167.99.215.164:4434 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Network/14][10 pkts/2195 bytes <-> 10 pkts/2077 bytes][Goodput ratio: 69/68][5.38 sec][Hostname/SNI: dati.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.028 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 650/754 5000/5000 1645/1734][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 220/208 1021/1292 308/364][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.2][JA3C: 7120d65624bcd2e02ed4b01388d84cdb][JA4: t13d5713h2_131602cb7446_158b9cf6d7fa][JA3S: 410b9bedaf65dd26c6fe547154d60db4][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 16,16,0,0,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0] + 40 TCP 192.168.1.6:60566 <-> 167.99.215.164:4434 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Network/14][9 pkts/3029 bytes <-> 8 pkts/2213 bytes][Goodput ratio: 80/76][2.73 sec][Hostname/SNI: dati.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.156 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 351/431 1977/2053 668/728][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 337/277 1012/1291 385/397][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.2][JA3C: 7120d65624bcd2e02ed4b01388d84cdb][JA4: t13d5713h2_131602cb7446_e802cdec6a7f][JA3S: 410b9bedaf65dd26c6fe547154d60db4][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,14,0,0,14,0,0,0,0,14,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,14,14,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0] + 41 TCP 192.168.1.6:60546 <-> 167.99.215.164:4434 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Network/14][10 pkts/2195 bytes <-> 10 pkts/2077 bytes][Goodput ratio: 69/68][5.38 sec][Hostname/SNI: dati.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.028 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 650/754 5000/5000 1645/1734][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 220/208 1021/1292 308/364][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.2][JA3C: 7120d65624bcd2e02ed4b01388d84cdb][JA4: t13d5713h2_131602cb7446_e802cdec6a7f][JA3S: 410b9bedaf65dd26c6fe547154d60db4][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 16,16,0,0,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0] 42 UDP 192.168.1.6:50036 <-> 52.114.250.137:3478 [proto: 78.38/STUN.Skype_TeamsCall][IP: 276/Azure][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 7][cat: VoIP/10][5 pkts/1390 bytes <-> 4 pkts/733 bytes][Goodput ratio: 85/77][4.06 sec][bytes ratio: 0.309 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/100 1003/774 2235/2092 994/932][Pkt Len c2s/s2c min/avg/max/stddev: 228/174 278/183 314/198 33/10][Mapped IP/Port: 52.114.250.137:3480][Peer IP/Port: 201.221.32.65:43863][PLAIN TEXT (rtcmedia)][Plen Bins: 0,0,0,0,44,11,11,11,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 43 UDP 192.168.0.1:68 -> 255.255.255.255:67 [proto: 18/DHCP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][6 pkts/1926 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][25.01 sec][Hostname/SNI: tl-sg116e][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 4986/0 5001/0 5018/0 11/0][Pkt Len c2s/s2c min/avg/max/stddev: 321/0 321/0 321/0 0/0][DHCP Fingerprint: 1,3][DHCP Class Ident: TL-SG116E][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 44 UDP 192.168.1.6:50016 <-> 52.114.250.141:3478 [proto: 78.38/STUN.Skype_TeamsCall][IP: 276/Azure][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 7][cat: VoIP/10][4 pkts/1162 bytes <-> 3 pkts/546 bytes][Goodput ratio: 85/77][1.99 sec][bytes ratio: 0.361 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/98 611/101 1783/104 829/3][Pkt Len c2s/s2c min/avg/max/stddev: 256/174 290/182 314/198 25/11][Mapped IP/Port: 52.114.250.141:3480][Peer IP/Port: 22.64.154.119:29899][PLAIN TEXT (rtcmedia)][Plen Bins: 0,0,0,0,42,0,14,14,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/tls_malicious_sha1.pcapng.out b/tests/cfgs/default/result/tls_malicious_sha1.pcapng.out index 98a7b5d84f0..68c47653f9a 100644 --- a/tests/cfgs/default/result/tls_malicious_sha1.pcapng.out +++ b/tests/cfgs/default/result/tls_malicious_sha1.pcapng.out @@ -30,4 +30,4 @@ JA3 Host Stats: 1 2001:b07:a3d:c112:9726:f643:a838:b0c4 1 - 1 TCP [2001:b07:a3d:c112:9726:f643:a838:b0c4]:40294 <-> [2a00:1450:4002:414::2013]:443 [proto: 91/TLS][IP: 126/Google][Encrypted][Confidence: DPI][DPI packets: 8][cat: Web/5][12 pkts/1574 bytes <-> 10 pkts/5630 bytes][Goodput ratio: 34/85][0.12 sec][Hostname/SNI: www.prbtest.dev][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.563 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4/6 23/20 7/7][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 131/563 316/2502 62/920][Risk: ** Malicious SSL Cert/SHA1 Fingerp. **][Risk Score: 50][Risk Info: 0DDB34F875632C7E1EC09D75827F82D2336DFEB6][TLSv1.2][JA3C: 00bcd759cb8ad485fdbf1e7a0c5b94b4][JA4: t12d2808h2_d943125447b4_67c11e811542][ServerNames: www.prbtest.dev][JA3S: e2bc06b738d7e5d2b0cec5d2196b1d80][Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1D4][Subject: CN=www.prbtest.dev][Certificate SHA-1: 0D:DB:34:F8:75:63:2C:7E:1E:C0:9D:75:82:7F:82:D2:33:6D:FE:B6][Firefox][Validity: 2023-11-28 12:50:11 - 2024-02-26 13:39:22][Cipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256][Plen Bins: 16,51,8,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16] + 1 TCP [2001:b07:a3d:c112:9726:f643:a838:b0c4]:40294 <-> [2a00:1450:4002:414::2013]:443 [proto: 91/TLS][IP: 126/Google][Encrypted][Confidence: DPI][DPI packets: 8][cat: Web/5][12 pkts/1574 bytes <-> 10 pkts/5630 bytes][Goodput ratio: 34/85][0.12 sec][Hostname/SNI: www.prbtest.dev][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.563 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4/6 23/20 7/7][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 131/563 316/2502 62/920][Risk: ** Malicious SSL Cert/SHA1 Fingerp. **][Risk Score: 50][Risk Info: 0DDB34F875632C7E1EC09D75827F82D2336DFEB6][TLSv1.2][JA3C: 00bcd759cb8ad485fdbf1e7a0c5b94b4][JA4: t12d2808h2_d943125447b4_dd0a478c1db3][ServerNames: www.prbtest.dev][JA3S: e2bc06b738d7e5d2b0cec5d2196b1d80][Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1D4][Subject: CN=www.prbtest.dev][Certificate SHA-1: 0D:DB:34:F8:75:63:2C:7E:1E:C0:9D:75:82:7F:82:D2:33:6D:FE:B6][Firefox][Validity: 2023-11-28 12:50:11 - 2024-02-26 13:39:22][Cipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256][Plen Bins: 16,51,8,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16] diff --git a/tests/cfgs/default/result/tls_verylong_certificate.pcap.out b/tests/cfgs/default/result/tls_verylong_certificate.pcap.out index dc67b13eef5..7a0b426b776 100644 --- a/tests/cfgs/default/result/tls_verylong_certificate.pcap.out +++ b/tests/cfgs/default/result/tls_verylong_certificate.pcap.out @@ -30,4 +30,4 @@ JA3 Host Stats: 1 192.168.1.160 1 - 1 TCP 192.168.1.160:54804 <-> 151.101.66.49:443 [proto: 91.283/TLS.Cybersec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 11][cat: Cybersecurity/33][24 pkts/2404 bytes <-> 24 pkts/19825 bytes][Goodput ratio: 35/92][0.09 sec][Hostname/SNI: feodotracker.abuse.ch][(Advertised) ALPNs: http/1.1][(Negotiated) ALPN: http/1.1][bytes ratio: -0.784 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4/4 15/21 5/7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 100/826 583/1434 109/662][TLSv1.2][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][JA4: t12d6707ht_2955a3196ffa_b1760ac0ffd7][ServerNames: p2.shared.global.fastly.net,*.12wbt.com,*.2bleacherreport.com,*.3bleacherreport.com,*.4bleacherreport.com,*.8bleacherreport.com,*.abuse.ch,*.acdn-it.ps-pantheon.com,*.cdn.livingmap.com,*.content.plastiq.com,*.dimensions.ai,*.dollarshaveclub.co.uk,*.dollarshaveclub.com,*.dontpayfull.com,*.ebisubook.com,*.foreignaffairs.com,*.fs.jibjab.com,*.fs.unitprints.com,*.ggleap.com,*.goodeggs.com,*.huevosbuenos.com,*.indy.myomnigon.com,*.jwatch.org,*.kingsfordcharcoal.com.au,*.lancenters.com,*.madebywe.com,*.minirodini.com,*.modcloth.net,*.orionlabs.io,*.ps-pantheon.com,*.scodle.com,*.steelseries.com,*.theforeman.org,*.uploads.eversign.com,*.uploads.schoox.com,*.vts.com,*.x.stg1.ebisubook.com,*.yang2020.com,12wbt.com,2bleacherreport.com,3bleacherreport.com,4bleacherreport.com,8bleacherreport.com,abuse.ch,brita.com,cdn.fwupd.org,cdn.livingmap.com,cdn.seated.com,cdn.skillacademy.com,clinicaloptions.com,clorox.com,content-preprod.beaverbrooksweb2.co.uk,content.beaverbrooks.co.uk,content.plastiq.com,coolmathgames.com,copterroyale.coolmathgames.com,d8-dev.coolmathgames.com,deflyio.coolmathgames.com,delivery-api.evadacms.com,dimensions.ai,dollarshaveclub.co.uk,dollarshaveclub.com,dontpayfull.com,eluniverso.com,email.amg-group.co,email.tekoforlife.co.uk,feedmarket.fr,freshstep.com,ggleap.com,goodeggs.com,heap.io,huevosbuenos.com,identity.linuxfoundation.org,joebiden.com,jwatch.org,kingsford.co.nz,kingsfordcharcoal.com.au,lancenters.com,lists.linuxfoundation.org,m-stage.coolmathgames.com,m.coolmathgames.com,madebywe.com,minirodini.com,modcloth.net,orionlabs.io,puritanmedproducts.com,reviews.org,rg-video-staging.ruangguru.com,rg-video.ruangguru.com,ruangguru.com,scodle.com,stage.coolmathgames.com,staging.appblade.com,steelseries.com,stg.platform.eluniverso.com,test.brita.com,test.heap.io,test.joebiden.com,test.ruangguru.com,theforeman.org,video-cdn.quipper.com,videos.calcworkshop.com,vts.com,www.101network.com,www.autos101.com,www.brita.com,www.clorox.com,www.collider.com,www.coolmathgames.com,www.eluniverso.com,www.flinto.com,www.freshstep.com,www.heap.io,www.holagente.com,www.icsydney.com.au,www.joebiden.com,www.kingsford.co.nz,www.mrnatty.com,www.myjewellerystory.com.au,www.myjs.com,www.netacea.com,www.parenting101.com,www.puritanmedproducts.com,www.reviews.org,www.sba.sa,www.shashatcom.sa,www.uat.ontariocolleges.ca,www.vacation101.com,www.walterspeople.co.uk,www.westwayelectricsupply.com][JA3S: ae53107a2e47ea20c72ac44821a728bf][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3][Subject: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=p2.shared.global.fastly.net][Certificate SHA-1: E9:34:DF:E0:C5:31:3C:59:7E:E2:57:44:F2:82:E9:80:F5:5D:05:4B][Firefox][Validity: 2019-11-19 01:31:22 - 2020-08-29 17:19:32][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 12,16,0,4,0,4,4,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,55,0,0,0,0,0] + 1 TCP 192.168.1.160:54804 <-> 151.101.66.49:443 [proto: 91.283/TLS.Cybersec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 11][cat: Cybersecurity/33][24 pkts/2404 bytes <-> 24 pkts/19825 bytes][Goodput ratio: 35/92][0.09 sec][Hostname/SNI: feodotracker.abuse.ch][(Advertised) ALPNs: http/1.1][(Negotiated) ALPN: http/1.1][bytes ratio: -0.784 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4/4 15/21 5/7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 100/826 583/1434 109/662][TLSv1.2][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][JA4: t12d6707ht_2955a3196ffa_c83f907a73d3][ServerNames: p2.shared.global.fastly.net,*.12wbt.com,*.2bleacherreport.com,*.3bleacherreport.com,*.4bleacherreport.com,*.8bleacherreport.com,*.abuse.ch,*.acdn-it.ps-pantheon.com,*.cdn.livingmap.com,*.content.plastiq.com,*.dimensions.ai,*.dollarshaveclub.co.uk,*.dollarshaveclub.com,*.dontpayfull.com,*.ebisubook.com,*.foreignaffairs.com,*.fs.jibjab.com,*.fs.unitprints.com,*.ggleap.com,*.goodeggs.com,*.huevosbuenos.com,*.indy.myomnigon.com,*.jwatch.org,*.kingsfordcharcoal.com.au,*.lancenters.com,*.madebywe.com,*.minirodini.com,*.modcloth.net,*.orionlabs.io,*.ps-pantheon.com,*.scodle.com,*.steelseries.com,*.theforeman.org,*.uploads.eversign.com,*.uploads.schoox.com,*.vts.com,*.x.stg1.ebisubook.com,*.yang2020.com,12wbt.com,2bleacherreport.com,3bleacherreport.com,4bleacherreport.com,8bleacherreport.com,abuse.ch,brita.com,cdn.fwupd.org,cdn.livingmap.com,cdn.seated.com,cdn.skillacademy.com,clinicaloptions.com,clorox.com,content-preprod.beaverbrooksweb2.co.uk,content.beaverbrooks.co.uk,content.plastiq.com,coolmathgames.com,copterroyale.coolmathgames.com,d8-dev.coolmathgames.com,deflyio.coolmathgames.com,delivery-api.evadacms.com,dimensions.ai,dollarshaveclub.co.uk,dollarshaveclub.com,dontpayfull.com,eluniverso.com,email.amg-group.co,email.tekoforlife.co.uk,feedmarket.fr,freshstep.com,ggleap.com,goodeggs.com,heap.io,huevosbuenos.com,identity.linuxfoundation.org,joebiden.com,jwatch.org,kingsford.co.nz,kingsfordcharcoal.com.au,lancenters.com,lists.linuxfoundation.org,m-stage.coolmathgames.com,m.coolmathgames.com,madebywe.com,minirodini.com,modcloth.net,orionlabs.io,puritanmedproducts.com,reviews.org,rg-video-staging.ruangguru.com,rg-video.ruangguru.com,ruangguru.com,scodle.com,stage.coolmathgames.com,staging.appblade.com,steelseries.com,stg.platform.eluniverso.com,test.brita.com,test.heap.io,test.joebiden.com,test.ruangguru.com,theforeman.org,video-cdn.quipper.com,videos.calcworkshop.com,vts.com,www.101network.com,www.autos101.com,www.brita.com,www.clorox.com,www.collider.com,www.coolmathgames.com,www.eluniverso.com,www.flinto.com,www.freshstep.com,www.heap.io,www.holagente.com,www.icsydney.com.au,www.joebiden.com,www.kingsford.co.nz,www.mrnatty.com,www.myjewellerystory.com.au,www.myjs.com,www.netacea.com,www.parenting101.com,www.puritanmedproducts.com,www.reviews.org,www.sba.sa,www.shashatcom.sa,www.uat.ontariocolleges.ca,www.vacation101.com,www.walterspeople.co.uk,www.westwayelectricsupply.com][JA3S: ae53107a2e47ea20c72ac44821a728bf][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3][Subject: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=p2.shared.global.fastly.net][Certificate SHA-1: E9:34:DF:E0:C5:31:3C:59:7E:E2:57:44:F2:82:E9:80:F5:5D:05:4B][Firefox][Validity: 2019-11-19 01:31:22 - 2020-08-29 17:19:32][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 12,16,0,4,0,4,4,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,55,0,0,0,0,0] diff --git a/tests/cfgs/default/result/vxlan.pcap.out b/tests/cfgs/default/result/vxlan.pcap.out index 171e01703a6..2cf9b3f49cd 100644 --- a/tests/cfgs/default/result/vxlan.pcap.out +++ b/tests/cfgs/default/result/vxlan.pcap.out @@ -31,7 +31,7 @@ JA3 Host Stats: 1 10.10.20.4 1 - 1 TCP 10.10.20.4:45228 <-> 157.240.224.35:443 [VLAN: 5][proto: VXLAN:91.119/TLS.Facebook][IP: 119/Facebook][Encrypted][Confidence: DPI][DPI packets: 6][cat: SocialNetwork/6][35 pkts/4938 bytes <-> 56 pkts/71223 bytes][Goodput ratio: 15/91][0.34 sec][Hostname/SNI: www.facebook.com][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.870 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 7/6 81/140 17/26][Pkt Len c2s/s2c min/avg/max/stddev: 120/120 141/1272 438/1500 66/477][Risk: ** TLS (probably) Not Carrying HTTPS **** Malicious JA3 Fingerp. **][Risk Score: 60][Risk Info: 40adfd923eb82b89d8836ba37a19bca1 / No ALPN][TLSv1.3][JA3C: 40adfd923eb82b89d8836ba37a19bca1][JA4: t13d311000_e8f1e7e78f70_033f6c5c7ec7][JA3S: 475c9302dc42b2751db9edcac3b74891][Firefox][Cipher: TLS_CHACHA20_POLY1305_SHA256][Plen Bins: 0,0,1,0,0,5,0,0,0,1,0,0,0,0,3,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,87,0,0,0,0] - 2 TCP 10.10.20.4:45226 <-> 157.240.224.35:443 [VLAN: 5][proto: VXLAN:91.119/TLS.Facebook][IP: 119/Facebook][Encrypted][Confidence: DPI][DPI packets: 6][cat: SocialNetwork/6][15 pkts/2335 bytes <-> 13 pkts/5656 bytes][Goodput ratio: 24/72][0.38 sec][Hostname/SNI: facebook.com][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.416 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 32/15 224/113 62/35][Pkt Len c2s/s2c min/avg/max/stddev: 108/120 156/435 434/1500 86/497][Risk: ** TLS (probably) Not Carrying HTTPS **** Malicious JA3 Fingerp. **][Risk Score: 60][Risk Info: 40adfd923eb82b89d8836ba37a19bca1 / No ALPN][TLSv1.3][JA3C: 40adfd923eb82b89d8836ba37a19bca1][JA4: t13d311000_e8f1e7e78f70_033f6c5c7ec7][JA3S: 475c9302dc42b2751db9edcac3b74891][Firefox][Cipher: TLS_CHACHA20_POLY1305_SHA256][Plen Bins: 20,0,10,0,0,20,0,0,0,10,0,0,0,0,10,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0] + 1 TCP 10.10.20.4:45228 <-> 157.240.224.35:443 [VLAN: 5][proto: VXLAN:91.119/TLS.Facebook][IP: 119/Facebook][Encrypted][Confidence: DPI][DPI packets: 6][cat: SocialNetwork/6][35 pkts/4938 bytes <-> 56 pkts/71223 bytes][Goodput ratio: 15/91][0.34 sec][Hostname/SNI: www.facebook.com][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.870 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 7/6 81/140 17/26][Pkt Len c2s/s2c min/avg/max/stddev: 120/120 141/1272 438/1500 66/477][Risk: ** TLS (probably) Not Carrying HTTPS **** Malicious JA3 Fingerp. **][Risk Score: 60][Risk Info: 40adfd923eb82b89d8836ba37a19bca1 / No ALPN][TLSv1.3][JA3C: 40adfd923eb82b89d8836ba37a19bca1][JA4: t13d311000_e8f1e7e78f70_5ac7197df9d2][JA3S: 475c9302dc42b2751db9edcac3b74891][Firefox][Cipher: TLS_CHACHA20_POLY1305_SHA256][Plen Bins: 0,0,1,0,0,5,0,0,0,1,0,0,0,0,3,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,87,0,0,0,0] + 2 TCP 10.10.20.4:45226 <-> 157.240.224.35:443 [VLAN: 5][proto: VXLAN:91.119/TLS.Facebook][IP: 119/Facebook][Encrypted][Confidence: DPI][DPI packets: 6][cat: SocialNetwork/6][15 pkts/2335 bytes <-> 13 pkts/5656 bytes][Goodput ratio: 24/72][0.38 sec][Hostname/SNI: facebook.com][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.416 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 32/15 224/113 62/35][Pkt Len c2s/s2c min/avg/max/stddev: 108/120 156/435 434/1500 86/497][Risk: ** TLS (probably) Not Carrying HTTPS **** Malicious JA3 Fingerp. **][Risk Score: 60][Risk Info: 40adfd923eb82b89d8836ba37a19bca1 / No ALPN][TLSv1.3][JA3C: 40adfd923eb82b89d8836ba37a19bca1][JA4: t13d311000_e8f1e7e78f70_5ac7197df9d2][JA3S: 475c9302dc42b2751db9edcac3b74891][Firefox][Cipher: TLS_CHACHA20_POLY1305_SHA256][Plen Bins: 20,0,10,0,0,20,0,0,0,10,0,0,0,0,10,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0] 3 UDP 10.10.20.4:32860 <-> 8.8.8.8:53 [VLAN: 5][proto: VXLAN:5.119/DNS.Facebook][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/260 bytes <-> 2 pkts/362 bytes][Goodput ratio: 26/47][0.07 sec][Hostname/SNI: www.facebook.com][157.240.224.35][PLAIN TEXT (facebook)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 UDP 10.10.20.4:44437 <-> 8.8.8.8:53 [VLAN: 5][proto: VXLAN:5.119/DNS.Facebook][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/252 bytes <-> 2 pkts/296 bytes][Goodput ratio: 24/35][0.07 sec][Hostname/SNI: facebook.com][157.240.224.35][PLAIN TEXT (facebook)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/zoom2.pcap.out b/tests/cfgs/default/result/zoom2.pcap.out index a4992a4a936..23595bed4b4 100644 --- a/tests/cfgs/default/result/zoom2.pcap.out +++ b/tests/cfgs/default/result/zoom2.pcap.out @@ -34,4 +34,4 @@ JA3 Host Stats: 1 UDP 192.168.1.178:60653 <-> 144.195.73.154:8801 [proto: 338.189/SRTP.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][7 pkts/2996 bytes <-> 66 pkts/64200 bytes][Goodput ratio: 90/96][0.82 sec][bytes ratio: -0.911 (Download)][IAT c2s/s2c min/avg/max/stddev: 12/0 72/10 101/100 36/15][Pkt Len c2s/s2c min/avg/max/stddev: 165/60 428/973 1078/1078 411/306][PLAIN TEXT (replace)][Plen Bins: 2,6,0,2,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,85,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 2 UDP 192.168.1.178:58117 <-> 144.195.73.154:8801 [proto: 338.189/SRTP.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][64 pkts/9307 bytes <-> 98 pkts/17843 bytes][Goodput ratio: 71/77][4.02 sec][bytes ratio: -0.314 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 58/36 141/131 42/37][Pkt Len c2s/s2c min/avg/max/stddev: 106/60 145/182 209/368 23/79][PLAIN TEXT (replace)][Plen Bins: 1,3,44,26,10,1,0,5,6,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 3 UDP 192.168.1.178:57953 <-> 144.195.73.154:8801 [proto: 338.189/SRTP.Zoom][IP: 189/Zoom][Stream Content: Screen Sharing][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][43 pkts/5229 bytes <-> 44 pkts/4520 bytes][Goodput ratio: 65/59][39.68 sec][bytes ratio: 0.073 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 941/849 3580/3749 1440/1522][Pkt Len c2s/s2c min/avg/max/stddev: 69/60 122/103 185/133 41/28][PLAIN TEXT (replace)][Plen Bins: 35,2,43,13,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 4 TCP 192.168.1.178:50076 <-> 144.195.73.154:443 [proto: 91.189/TLS.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 8][cat: Video/26][12 pkts/3043 bytes <-> 8 pkts/5520 bytes][Goodput ratio: 74/90][0.73 sec][Hostname/SNI: zoomsjccv154mmr.sjc.zoom.us][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.289 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 72/58 175/174 83/82][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 254/690 1506/1506 404/622][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 832952db10f1453442636675bed2702b][JA4: t13d141200_ad449869e501_07d3b7c743d3][ServerNames: *.sjc.zoom.us][JA3S: 8aca82d60194883e764ab2743e60c380][Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1][Subject: C=US, ST=California, L=San Jose, O=Zoom Video Communications, Inc., CN=*.sjc.zoom.us][Certificate SHA-1: 43:42:0A:34:FD:F6:7A:FC:E9:C1:95:D8:E0:79:7E:17:B9:65:B0:A7][Firefox][Validity: 2021-04-13 00:00:00 - 2022-04-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,10,10,10,10,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,30,0,0] + 4 TCP 192.168.1.178:50076 <-> 144.195.73.154:443 [proto: 91.189/TLS.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 8][cat: Video/26][12 pkts/3043 bytes <-> 8 pkts/5520 bytes][Goodput ratio: 74/90][0.73 sec][Hostname/SNI: zoomsjccv154mmr.sjc.zoom.us][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.289 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 72/58 175/174 83/82][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 254/690 1506/1506 404/622][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 832952db10f1453442636675bed2702b][JA4: t13d141200_ad449869e501_b11171733d3d][ServerNames: *.sjc.zoom.us][JA3S: 8aca82d60194883e764ab2743e60c380][Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1][Subject: C=US, ST=California, L=San Jose, O=Zoom Video Communications, Inc., CN=*.sjc.zoom.us][Certificate SHA-1: 43:42:0A:34:FD:F6:7A:FC:E9:C1:95:D8:E0:79:7E:17:B9:65:B0:A7][Firefox][Validity: 2021-04-13 00:00:00 - 2022-04-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,10,10,10,10,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,30,0,0] diff --git a/tests/cfgs/packets_limit_per_flow/result/tls_verylong_certificate.pcap.out b/tests/cfgs/packets_limit_per_flow/result/tls_verylong_certificate.pcap.out index 19f14763701..8fb20ad7c05 100644 --- a/tests/cfgs/packets_limit_per_flow/result/tls_verylong_certificate.pcap.out +++ b/tests/cfgs/packets_limit_per_flow/result/tls_verylong_certificate.pcap.out @@ -30,4 +30,4 @@ JA3 Host Stats: 1 192.168.1.160 1 - 1 TCP 192.168.1.160:54804 <-> 151.101.66.49:443 [proto: 91.283/TLS.Cybersec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 5][cat: Cybersecurity/33][24 pkts/2404 bytes <-> 24 pkts/19825 bytes][Goodput ratio: 35/92][0.09 sec][Hostname/SNI: feodotracker.abuse.ch][(Advertised) ALPNs: http/1.1][bytes ratio: -0.784 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4/4 15/21 5/7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 100/826 583/1434 109/662][TLSv1.2][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][JA4: t12d6707ht_2955a3196ffa_b1760ac0ffd7][Firefox][Plen Bins: 12,16,0,4,0,4,4,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,55,0,0,0,0,0] + 1 TCP 192.168.1.160:54804 <-> 151.101.66.49:443 [proto: 91.283/TLS.Cybersec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 5][cat: Cybersecurity/33][24 pkts/2404 bytes <-> 24 pkts/19825 bytes][Goodput ratio: 35/92][0.09 sec][Hostname/SNI: feodotracker.abuse.ch][(Advertised) ALPNs: http/1.1][bytes ratio: -0.784 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4/4 15/21 5/7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 100/826 583/1434 109/662][TLSv1.2][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][JA4: t12d6707ht_2955a3196ffa_c83f907a73d3][Firefox][Plen Bins: 12,16,0,4,0,4,4,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,55,0,0,0,0,0] diff --git a/tests/cfgs/stun_all_attributes_disabled/result/teams.pcap.out b/tests/cfgs/stun_all_attributes_disabled/result/teams.pcap.out index 0e8c59582d4..f8014dbeacf 100644 --- a/tests/cfgs/stun_all_attributes_disabled/result/teams.pcap.out +++ b/tests/cfgs/stun_all_attributes_disabled/result/teams.pcap.out @@ -94,8 +94,8 @@ JA3 Host Stats: 37 TCP 192.168.1.6:50018 <-> 52.114.250.123:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 5][cat: Collaborative/15][20 pkts/1629 bytes <-> 13 pkts/7093 bytes][Goodput ratio: 29/90][1.92 sec][Hostname/SNI: euaz.tr.teams.microsoft.com][bytes ratio: -0.626 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 19/18 69/92 24/32][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 81/546 241/1506 48/564][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12d220700_0d4ca5d4ec72_3304d8368043][Firefox][Plen Bins: 13,13,0,20,0,13,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0] 38 TCP 192.168.1.6:50021 <-> 52.114.250.123:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 5][cat: Collaborative/15][18 pkts/1509 bytes <-> 13 pkts/7093 bytes][Goodput ratio: 32/90][0.66 sec][Hostname/SNI: euaz.tr.teams.microsoft.com][bytes ratio: -0.649 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/23 46/85 20/34][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 84/546 241/1506 50/564][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12d220700_0d4ca5d4ec72_3304d8368043][Firefox][Plen Bins: 13,13,0,20,0,13,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0] 39 TCP 192.168.1.6:50014 <-> 52.114.250.152:443 [proto: 91.250/TLS.Teams][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 14][cat: Collaborative/15][14 pkts/1347 bytes <-> 11 pkts/6975 bytes][Goodput ratio: 42/91][0.22 sec][Hostname/SNI: 52.114.250.152][bytes ratio: -0.676 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/22 43/84 20/30][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 96/634 289/1506 73/570][Risk: ** TLS Cert Mismatch **** TLS (probably) Not Carrying HTTPS **][Risk Score: 110][Risk Info: No ALPN / 52.114.250.152 vs tr.teams.microsoft.com,*.tr.teams.microsoft.com,turn.teams.microsoft.com,*.turn.teams.microsoft.co][TLSv1.2][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][JA4: t12i220700_0d4ca5d4ec72_3304d8368043][ServerNames: tr.teams.microsoft.com,*.tr.teams.microsoft.com,turn.teams.microsoft.com,*.turn.teams.microsoft.com,*.relay.teams.microsoft.com][JA3S: 986571066668055ae9481cb84fda634a][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5][Subject: CN=tr.teams.microsoft.com][Certificate SHA-1: A7:90:8D:41:ED:24:D2:83:48:95:90:CE:18:D3:A6:C2:62:7A:07:75][Firefox][Validity: 2019-05-24 14:10:26 - 2021-05-24 14:10:26][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 7,14,0,14,0,14,0,7,0,0,0,0,0,0,0,0,0,21,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0] - 40 TCP 192.168.1.6:60566 <-> 167.99.215.164:4434 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Network/14][9 pkts/3029 bytes <-> 8 pkts/2213 bytes][Goodput ratio: 80/76][2.73 sec][Hostname/SNI: dati.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.156 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 351/431 1977/2053 668/728][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 337/277 1012/1291 385/397][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.2][JA3C: 7120d65624bcd2e02ed4b01388d84cdb][JA4: t13d5713h2_131602cb7446_158b9cf6d7fa][JA3S: 410b9bedaf65dd26c6fe547154d60db4][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,14,0,0,14,0,0,0,0,14,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,14,14,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0] - 41 TCP 192.168.1.6:60546 <-> 167.99.215.164:4434 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Network/14][10 pkts/2195 bytes <-> 10 pkts/2077 bytes][Goodput ratio: 69/68][5.38 sec][Hostname/SNI: dati.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.028 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 650/754 5000/5000 1645/1734][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 220/208 1021/1292 308/364][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.2][JA3C: 7120d65624bcd2e02ed4b01388d84cdb][JA4: t13d5713h2_131602cb7446_158b9cf6d7fa][JA3S: 410b9bedaf65dd26c6fe547154d60db4][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 16,16,0,0,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0] + 40 TCP 192.168.1.6:60566 <-> 167.99.215.164:4434 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Network/14][9 pkts/3029 bytes <-> 8 pkts/2213 bytes][Goodput ratio: 80/76][2.73 sec][Hostname/SNI: dati.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.156 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 351/431 1977/2053 668/728][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 337/277 1012/1291 385/397][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.2][JA3C: 7120d65624bcd2e02ed4b01388d84cdb][JA4: t13d5713h2_131602cb7446_e802cdec6a7f][JA3S: 410b9bedaf65dd26c6fe547154d60db4][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,14,0,0,14,0,0,0,0,14,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,14,14,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0] + 41 TCP 192.168.1.6:60546 <-> 167.99.215.164:4434 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Network/14][10 pkts/2195 bytes <-> 10 pkts/2077 bytes][Goodput ratio: 69/68][5.38 sec][Hostname/SNI: dati.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.028 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 650/754 5000/5000 1645/1734][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 220/208 1021/1292 308/364][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.2][JA3C: 7120d65624bcd2e02ed4b01388d84cdb][JA4: t13d5713h2_131602cb7446_e802cdec6a7f][JA3S: 410b9bedaf65dd26c6fe547154d60db4][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 16,16,0,0,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0] 42 UDP 192.168.1.6:50036 <-> 52.114.250.137:3478 [proto: 78.38/STUN.Skype_TeamsCall][IP: 276/Azure][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][5 pkts/1390 bytes <-> 4 pkts/733 bytes][Goodput ratio: 85/77][4.06 sec][bytes ratio: 0.309 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/100 1003/774 2235/2092 994/932][Pkt Len c2s/s2c min/avg/max/stddev: 228/174 278/183 314/198 33/10][PLAIN TEXT (rtcmedia)][Plen Bins: 0,0,0,0,44,11,11,11,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 43 UDP 192.168.0.1:68 -> 255.255.255.255:67 [proto: 18/DHCP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][6 pkts/1926 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][25.01 sec][Hostname/SNI: tl-sg116e][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 4986/0 5001/0 5018/0 11/0][Pkt Len c2s/s2c min/avg/max/stddev: 321/0 321/0 321/0 0/0][DHCP Fingerprint: 1,3][DHCP Class Ident: TL-SG116E][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 44 UDP 192.168.1.6:50016 <-> 52.114.250.141:3478 [proto: 78.38/STUN.Skype_TeamsCall][IP: 276/Azure][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][4 pkts/1162 bytes <-> 3 pkts/546 bytes][Goodput ratio: 85/77][1.99 sec][bytes ratio: 0.361 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/98 611/101 1783/104 829/3][Pkt Len c2s/s2c min/avg/max/stddev: 256/174 290/182 314/198 25/11][PLAIN TEXT (rtcmedia)][Plen Bins: 0,0,0,0,42,0,14,14,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/tls_ja3c_disabled/result/tls_verylong_certificate.pcap.out b/tests/cfgs/tls_ja3c_disabled/result/tls_verylong_certificate.pcap.out index f8e9b1ceb5a..d248f92b187 100644 --- a/tests/cfgs/tls_ja3c_disabled/result/tls_verylong_certificate.pcap.out +++ b/tests/cfgs/tls_ja3c_disabled/result/tls_verylong_certificate.pcap.out @@ -29,4 +29,4 @@ JA3 Host Stats: IP Address # JA3C - 1 TCP 192.168.1.160:54804 <-> 151.101.66.49:443 [proto: 91.283/TLS.Cybersec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 11][cat: Cybersecurity/33][24 pkts/2404 bytes <-> 24 pkts/19825 bytes][Goodput ratio: 35/92][0.09 sec][Hostname/SNI: feodotracker.abuse.ch][(Advertised) ALPNs: http/1.1][(Negotiated) ALPN: http/1.1][bytes ratio: -0.784 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4/4 15/21 5/7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 100/826 583/1434 109/662][TLSv1.2][JA4: t12d6707ht_2955a3196ffa_b1760ac0ffd7][ServerNames: p2.shared.global.fastly.net,*.12wbt.com,*.2bleacherreport.com,*.3bleacherreport.com,*.4bleacherreport.com,*.8bleacherreport.com,*.abuse.ch,*.acdn-it.ps-pantheon.com,*.cdn.livingmap.com,*.content.plastiq.com,*.dimensions.ai,*.dollarshaveclub.co.uk,*.dollarshaveclub.com,*.dontpayfull.com,*.ebisubook.com,*.foreignaffairs.com,*.fs.jibjab.com,*.fs.unitprints.com,*.ggleap.com,*.goodeggs.com,*.huevosbuenos.com,*.indy.myomnigon.com,*.jwatch.org,*.kingsfordcharcoal.com.au,*.lancenters.com,*.madebywe.com,*.minirodini.com,*.modcloth.net,*.orionlabs.io,*.ps-pantheon.com,*.scodle.com,*.steelseries.com,*.theforeman.org,*.uploads.eversign.com,*.uploads.schoox.com,*.vts.com,*.x.stg1.ebisubook.com,*.yang2020.com,12wbt.com,2bleacherreport.com,3bleacherreport.com,4bleacherreport.com,8bleacherreport.com,abuse.ch,brita.com,cdn.fwupd.org,cdn.livingmap.com,cdn.seated.com,cdn.skillacademy.com,clinicaloptions.com,clorox.com,content-preprod.beaverbrooksweb2.co.uk,content.beaverbrooks.co.uk,content.plastiq.com,coolmathgames.com,copterroyale.coolmathgames.com,d8-dev.coolmathgames.com,deflyio.coolmathgames.com,delivery-api.evadacms.com,dimensions.ai,dollarshaveclub.co.uk,dollarshaveclub.com,dontpayfull.com,eluniverso.com,email.amg-group.co,email.tekoforlife.co.uk,feedmarket.fr,freshstep.com,ggleap.com,goodeggs.com,heap.io,huevosbuenos.com,identity.linuxfoundation.org,joebiden.com,jwatch.org,kingsford.co.nz,kingsfordcharcoal.com.au,lancenters.com,lists.linuxfoundation.org,m-stage.coolmathgames.com,m.coolmathgames.com,madebywe.com,minirodini.com,modcloth.net,orionlabs.io,puritanmedproducts.com,reviews.org,rg-video-staging.ruangguru.com,rg-video.ruangguru.com,ruangguru.com,scodle.com,stage.coolmathgames.com,staging.appblade.com,steelseries.com,stg.platform.eluniverso.com,test.brita.com,test.heap.io,test.joebiden.com,test.ruangguru.com,theforeman.org,video-cdn.quipper.com,videos.calcworkshop.com,vts.com,www.101network.com,www.autos101.com,www.brita.com,www.clorox.com,www.collider.com,www.coolmathgames.com,www.eluniverso.com,www.flinto.com,www.freshstep.com,www.heap.io,www.holagente.com,www.icsydney.com.au,www.joebiden.com,www.kingsford.co.nz,www.mrnatty.com,www.myjewellerystory.com.au,www.myjs.com,www.netacea.com,www.parenting101.com,www.puritanmedproducts.com,www.reviews.org,www.sba.sa,www.shashatcom.sa,www.uat.ontariocolleges.ca,www.vacation101.com,www.walterspeople.co.uk,www.westwayelectricsupply.com][JA3S: ae53107a2e47ea20c72ac44821a728bf][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3][Subject: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=p2.shared.global.fastly.net][Certificate SHA-1: E9:34:DF:E0:C5:31:3C:59:7E:E2:57:44:F2:82:E9:80:F5:5D:05:4B][Firefox][Validity: 2019-11-19 01:31:22 - 2020-08-29 17:19:32][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 12,16,0,4,0,4,4,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,55,0,0,0,0,0] + 1 TCP 192.168.1.160:54804 <-> 151.101.66.49:443 [proto: 91.283/TLS.Cybersec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 11][cat: Cybersecurity/33][24 pkts/2404 bytes <-> 24 pkts/19825 bytes][Goodput ratio: 35/92][0.09 sec][Hostname/SNI: feodotracker.abuse.ch][(Advertised) ALPNs: http/1.1][(Negotiated) ALPN: http/1.1][bytes ratio: -0.784 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4/4 15/21 5/7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 100/826 583/1434 109/662][TLSv1.2][JA4: t12d6707ht_2955a3196ffa_c83f907a73d3][ServerNames: p2.shared.global.fastly.net,*.12wbt.com,*.2bleacherreport.com,*.3bleacherreport.com,*.4bleacherreport.com,*.8bleacherreport.com,*.abuse.ch,*.acdn-it.ps-pantheon.com,*.cdn.livingmap.com,*.content.plastiq.com,*.dimensions.ai,*.dollarshaveclub.co.uk,*.dollarshaveclub.com,*.dontpayfull.com,*.ebisubook.com,*.foreignaffairs.com,*.fs.jibjab.com,*.fs.unitprints.com,*.ggleap.com,*.goodeggs.com,*.huevosbuenos.com,*.indy.myomnigon.com,*.jwatch.org,*.kingsfordcharcoal.com.au,*.lancenters.com,*.madebywe.com,*.minirodini.com,*.modcloth.net,*.orionlabs.io,*.ps-pantheon.com,*.scodle.com,*.steelseries.com,*.theforeman.org,*.uploads.eversign.com,*.uploads.schoox.com,*.vts.com,*.x.stg1.ebisubook.com,*.yang2020.com,12wbt.com,2bleacherreport.com,3bleacherreport.com,4bleacherreport.com,8bleacherreport.com,abuse.ch,brita.com,cdn.fwupd.org,cdn.livingmap.com,cdn.seated.com,cdn.skillacademy.com,clinicaloptions.com,clorox.com,content-preprod.beaverbrooksweb2.co.uk,content.beaverbrooks.co.uk,content.plastiq.com,coolmathgames.com,copterroyale.coolmathgames.com,d8-dev.coolmathgames.com,deflyio.coolmathgames.com,delivery-api.evadacms.com,dimensions.ai,dollarshaveclub.co.uk,dollarshaveclub.com,dontpayfull.com,eluniverso.com,email.amg-group.co,email.tekoforlife.co.uk,feedmarket.fr,freshstep.com,ggleap.com,goodeggs.com,heap.io,huevosbuenos.com,identity.linuxfoundation.org,joebiden.com,jwatch.org,kingsford.co.nz,kingsfordcharcoal.com.au,lancenters.com,lists.linuxfoundation.org,m-stage.coolmathgames.com,m.coolmathgames.com,madebywe.com,minirodini.com,modcloth.net,orionlabs.io,puritanmedproducts.com,reviews.org,rg-video-staging.ruangguru.com,rg-video.ruangguru.com,ruangguru.com,scodle.com,stage.coolmathgames.com,staging.appblade.com,steelseries.com,stg.platform.eluniverso.com,test.brita.com,test.heap.io,test.joebiden.com,test.ruangguru.com,theforeman.org,video-cdn.quipper.com,videos.calcworkshop.com,vts.com,www.101network.com,www.autos101.com,www.brita.com,www.clorox.com,www.collider.com,www.coolmathgames.com,www.eluniverso.com,www.flinto.com,www.freshstep.com,www.heap.io,www.holagente.com,www.icsydney.com.au,www.joebiden.com,www.kingsford.co.nz,www.mrnatty.com,www.myjewellerystory.com.au,www.myjs.com,www.netacea.com,www.parenting101.com,www.puritanmedproducts.com,www.reviews.org,www.sba.sa,www.shashatcom.sa,www.uat.ontariocolleges.ca,www.vacation101.com,www.walterspeople.co.uk,www.westwayelectricsupply.com][JA3S: ae53107a2e47ea20c72ac44821a728bf][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3][Subject: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=p2.shared.global.fastly.net][Certificate SHA-1: E9:34:DF:E0:C5:31:3C:59:7E:E2:57:44:F2:82:E9:80:F5:5D:05:4B][Firefox][Validity: 2019-11-19 01:31:22 - 2020-08-29 17:19:32][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 12,16,0,4,0,4,4,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,55,0,0,0,0,0] diff --git a/tests/cfgs/tls_ja3s_disabled/result/tls_verylong_certificate.pcap.out b/tests/cfgs/tls_ja3s_disabled/result/tls_verylong_certificate.pcap.out index 18b742537a0..b8849bf2a96 100644 --- a/tests/cfgs/tls_ja3s_disabled/result/tls_verylong_certificate.pcap.out +++ b/tests/cfgs/tls_ja3s_disabled/result/tls_verylong_certificate.pcap.out @@ -30,4 +30,4 @@ JA3 Host Stats: 1 192.168.1.160 1 - 1 TCP 192.168.1.160:54804 <-> 151.101.66.49:443 [proto: 91.283/TLS.Cybersec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 11][cat: Cybersecurity/33][24 pkts/2404 bytes <-> 24 pkts/19825 bytes][Goodput ratio: 35/92][0.09 sec][Hostname/SNI: feodotracker.abuse.ch][(Advertised) ALPNs: http/1.1][(Negotiated) ALPN: http/1.1][bytes ratio: -0.784 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4/4 15/21 5/7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 100/826 583/1434 109/662][TLSv1.2][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][JA4: t12d6707ht_2955a3196ffa_b1760ac0ffd7][ServerNames: p2.shared.global.fastly.net,*.12wbt.com,*.2bleacherreport.com,*.3bleacherreport.com,*.4bleacherreport.com,*.8bleacherreport.com,*.abuse.ch,*.acdn-it.ps-pantheon.com,*.cdn.livingmap.com,*.content.plastiq.com,*.dimensions.ai,*.dollarshaveclub.co.uk,*.dollarshaveclub.com,*.dontpayfull.com,*.ebisubook.com,*.foreignaffairs.com,*.fs.jibjab.com,*.fs.unitprints.com,*.ggleap.com,*.goodeggs.com,*.huevosbuenos.com,*.indy.myomnigon.com,*.jwatch.org,*.kingsfordcharcoal.com.au,*.lancenters.com,*.madebywe.com,*.minirodini.com,*.modcloth.net,*.orionlabs.io,*.ps-pantheon.com,*.scodle.com,*.steelseries.com,*.theforeman.org,*.uploads.eversign.com,*.uploads.schoox.com,*.vts.com,*.x.stg1.ebisubook.com,*.yang2020.com,12wbt.com,2bleacherreport.com,3bleacherreport.com,4bleacherreport.com,8bleacherreport.com,abuse.ch,brita.com,cdn.fwupd.org,cdn.livingmap.com,cdn.seated.com,cdn.skillacademy.com,clinicaloptions.com,clorox.com,content-preprod.beaverbrooksweb2.co.uk,content.beaverbrooks.co.uk,content.plastiq.com,coolmathgames.com,copterroyale.coolmathgames.com,d8-dev.coolmathgames.com,deflyio.coolmathgames.com,delivery-api.evadacms.com,dimensions.ai,dollarshaveclub.co.uk,dollarshaveclub.com,dontpayfull.com,eluniverso.com,email.amg-group.co,email.tekoforlife.co.uk,feedmarket.fr,freshstep.com,ggleap.com,goodeggs.com,heap.io,huevosbuenos.com,identity.linuxfoundation.org,joebiden.com,jwatch.org,kingsford.co.nz,kingsfordcharcoal.com.au,lancenters.com,lists.linuxfoundation.org,m-stage.coolmathgames.com,m.coolmathgames.com,madebywe.com,minirodini.com,modcloth.net,orionlabs.io,puritanmedproducts.com,reviews.org,rg-video-staging.ruangguru.com,rg-video.ruangguru.com,ruangguru.com,scodle.com,stage.coolmathgames.com,staging.appblade.com,steelseries.com,stg.platform.eluniverso.com,test.brita.com,test.heap.io,test.joebiden.com,test.ruangguru.com,theforeman.org,video-cdn.quipper.com,videos.calcworkshop.com,vts.com,www.101network.com,www.autos101.com,www.brita.com,www.clorox.com,www.collider.com,www.coolmathgames.com,www.eluniverso.com,www.flinto.com,www.freshstep.com,www.heap.io,www.holagente.com,www.icsydney.com.au,www.joebiden.com,www.kingsford.co.nz,www.mrnatty.com,www.myjewellerystory.com.au,www.myjs.com,www.netacea.com,www.parenting101.com,www.puritanmedproducts.com,www.reviews.org,www.sba.sa,www.shashatcom.sa,www.uat.ontariocolleges.ca,www.vacation101.com,www.walterspeople.co.uk,www.westwayelectricsupply.com][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3][Subject: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=p2.shared.global.fastly.net][Certificate SHA-1: E9:34:DF:E0:C5:31:3C:59:7E:E2:57:44:F2:82:E9:80:F5:5D:05:4B][Firefox][Validity: 2019-11-19 01:31:22 - 2020-08-29 17:19:32][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 12,16,0,4,0,4,4,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,55,0,0,0,0,0] + 1 TCP 192.168.1.160:54804 <-> 151.101.66.49:443 [proto: 91.283/TLS.Cybersec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 11][cat: Cybersecurity/33][24 pkts/2404 bytes <-> 24 pkts/19825 bytes][Goodput ratio: 35/92][0.09 sec][Hostname/SNI: feodotracker.abuse.ch][(Advertised) ALPNs: http/1.1][(Negotiated) ALPN: http/1.1][bytes ratio: -0.784 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4/4 15/21 5/7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 100/826 583/1434 109/662][TLSv1.2][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][JA4: t12d6707ht_2955a3196ffa_c83f907a73d3][ServerNames: p2.shared.global.fastly.net,*.12wbt.com,*.2bleacherreport.com,*.3bleacherreport.com,*.4bleacherreport.com,*.8bleacherreport.com,*.abuse.ch,*.acdn-it.ps-pantheon.com,*.cdn.livingmap.com,*.content.plastiq.com,*.dimensions.ai,*.dollarshaveclub.co.uk,*.dollarshaveclub.com,*.dontpayfull.com,*.ebisubook.com,*.foreignaffairs.com,*.fs.jibjab.com,*.fs.unitprints.com,*.ggleap.com,*.goodeggs.com,*.huevosbuenos.com,*.indy.myomnigon.com,*.jwatch.org,*.kingsfordcharcoal.com.au,*.lancenters.com,*.madebywe.com,*.minirodini.com,*.modcloth.net,*.orionlabs.io,*.ps-pantheon.com,*.scodle.com,*.steelseries.com,*.theforeman.org,*.uploads.eversign.com,*.uploads.schoox.com,*.vts.com,*.x.stg1.ebisubook.com,*.yang2020.com,12wbt.com,2bleacherreport.com,3bleacherreport.com,4bleacherreport.com,8bleacherreport.com,abuse.ch,brita.com,cdn.fwupd.org,cdn.livingmap.com,cdn.seated.com,cdn.skillacademy.com,clinicaloptions.com,clorox.com,content-preprod.beaverbrooksweb2.co.uk,content.beaverbrooks.co.uk,content.plastiq.com,coolmathgames.com,copterroyale.coolmathgames.com,d8-dev.coolmathgames.com,deflyio.coolmathgames.com,delivery-api.evadacms.com,dimensions.ai,dollarshaveclub.co.uk,dollarshaveclub.com,dontpayfull.com,eluniverso.com,email.amg-group.co,email.tekoforlife.co.uk,feedmarket.fr,freshstep.com,ggleap.com,goodeggs.com,heap.io,huevosbuenos.com,identity.linuxfoundation.org,joebiden.com,jwatch.org,kingsford.co.nz,kingsfordcharcoal.com.au,lancenters.com,lists.linuxfoundation.org,m-stage.coolmathgames.com,m.coolmathgames.com,madebywe.com,minirodini.com,modcloth.net,orionlabs.io,puritanmedproducts.com,reviews.org,rg-video-staging.ruangguru.com,rg-video.ruangguru.com,ruangguru.com,scodle.com,stage.coolmathgames.com,staging.appblade.com,steelseries.com,stg.platform.eluniverso.com,test.brita.com,test.heap.io,test.joebiden.com,test.ruangguru.com,theforeman.org,video-cdn.quipper.com,videos.calcworkshop.com,vts.com,www.101network.com,www.autos101.com,www.brita.com,www.clorox.com,www.collider.com,www.coolmathgames.com,www.eluniverso.com,www.flinto.com,www.freshstep.com,www.heap.io,www.holagente.com,www.icsydney.com.au,www.joebiden.com,www.kingsford.co.nz,www.mrnatty.com,www.myjewellerystory.com.au,www.myjs.com,www.netacea.com,www.parenting101.com,www.puritanmedproducts.com,www.reviews.org,www.sba.sa,www.shashatcom.sa,www.uat.ontariocolleges.ca,www.vacation101.com,www.walterspeople.co.uk,www.westwayelectricsupply.com][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3][Subject: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=p2.shared.global.fastly.net][Certificate SHA-1: E9:34:DF:E0:C5:31:3C:59:7E:E2:57:44:F2:82:E9:80:F5:5D:05:4B][Firefox][Validity: 2019-11-19 01:31:22 - 2020-08-29 17:19:32][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 12,16,0,4,0,4,4,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,55,0,0,0,0,0]