From 1d56a6b03ea86cf345a3ff2482f757fe97fcaaa7 Mon Sep 17 00:00:00 2001 From: Nardi Ivan Date: Sat, 28 Oct 2023 17:30:40 +0200 Subject: [PATCH] IPv6: add support for custom categories --- .gitignore | 2 + example/categories.txt | 3 + fuzz/Makefile.am | 22 ++- .../corpus/fuzz_filecfg_categories/domain.txt | 2 + fuzz/corpus/fuzz_filecfg_categories/ipv4.txt | 1 + .../fuzz_filecfg_categories/ipv4_prefix.txt | 1 + fuzz/corpus/fuzz_filecfg_categories/ipv6.txt | 1 + .../fuzz_filecfg_categories/ipv6_prefix.txt | 1 + fuzz/fuzz_config.cpp | 2 + fuzz/fuzz_filecfg_categories.c | 46 +++++ src/include/ndpi_api.h | 7 + src/include/ndpi_typedefs.h | 1 + src/lib/ndpi_main.c | 170 +++++++++++++++--- .../default/pcap/custom_categories.pcapng | Bin 0 -> 17592 bytes .../result/custom_categories.pcapng.out | 32 ++++ 15 files changed, 266 insertions(+), 25 deletions(-) create mode 100644 fuzz/corpus/fuzz_filecfg_categories/domain.txt create mode 100644 fuzz/corpus/fuzz_filecfg_categories/ipv4.txt create mode 100644 fuzz/corpus/fuzz_filecfg_categories/ipv4_prefix.txt create mode 100644 fuzz/corpus/fuzz_filecfg_categories/ipv6.txt create mode 100644 fuzz/corpus/fuzz_filecfg_categories/ipv6_prefix.txt create mode 100644 fuzz/fuzz_filecfg_categories.c create mode 100644 tests/cfgs/default/pcap/custom_categories.pcapng create mode 100644 tests/cfgs/default/result/custom_categories.pcapng.out diff --git a/.gitignore b/.gitignore index e496d1b5340..c494b9ff71e 100644 --- a/.gitignore +++ b/.gitignore @@ -83,6 +83,7 @@ /fuzz/fuzz_gcrypt_cipher /fuzz/fuzz_ndpi_reader_payload_analyzer /fuzz/fuzz_filecfg_protocols +/fuzz/fuzz_filecfg_categories /fuzz/fuzz_readerutils_workflow /fuzz/fuzz_readerutils_parseprotolist /fuzz/fuzz_ndpi_reader_alloc_fail_seed_corpus.zip 
@@ -108,6 +109,7 @@ /fuzz/fuzz_libinjection_seed_corpus.zip /fuzz/fuzz_tls_certificate_seed_corpus.zip /fuzz/fuzz_filecfg_protocols_seed_corpus.zip +/fuzz/fuzz_filecfg_categories_seed_corpus.zip /fuzz/fuzz_dga_seed_corpus.zip /fuzz/fuzz_ndpi_reader_payload_analyzer_seed_corpus.zip /fuzz/fuzz_readerutils_workflow_seed_corpus.zip diff --git a/example/categories.txt b/example/categories.txt index 6c5171c5387..815efad7404 100644 --- a/example/categories.txt +++ b/example/categories.txt @@ -1,3 +1,6 @@ # Format: name\tcategory_id internetbadguys.com 100 144.139.247.220 100 +172.30.69.0/24 100 +[2001:1670:8:40a6:a08e:332b:aa69:18dc] 100 +[2001:db8:1::1]/127 100 diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am index 5f6fbb71cd2..360b39a46db 100644 --- a/fuzz/Makefile.am +++ b/fuzz/Makefile.am @@ -8,7 +8,7 @@ bin_PROGRAMS += fuzz_libinjection fuzz_binaryfusefilter #Internal crypto bin_PROGRAMS += fuzz_gcrypt_light fuzz_gcrypt_aes fuzz_gcrypt_gcm fuzz_gcrypt_cipher #Configuration files -bin_PROGRAMS += fuzz_filecfg_protocols +bin_PROGRAMS += fuzz_filecfg_protocols fuzz_filecfg_categories #Reader utils bin_PROGRAMS += fuzz_readerutils_workflow fuzz_readerutils_parseprotolist 
@@ -485,6 +485,19 @@ fuzz_filecfg_protocols_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \ $(fuzz_filecfg_protocols_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@ +fuzz_filecfg_categories_SOURCES = fuzz_filecfg_categories.c fuzz_common_code.c +fuzz_filecfg_categories_CFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS) +fuzz_filecfg_categories_LDADD = ../src/lib/libndpi.a $(ADDITIONAL_LIBS) +fuzz_filecfg_categories_LDFLAGS = $(LIBS) +if HAS_FUZZLDFLAGS +fuzz_filecfg_categories_CFLAGS += $(LIB_FUZZING_ENGINE) +fuzz_filecfg_categories_LDFLAGS += $(LIB_FUZZING_ENGINE) +endif +# force usage of CXX for linker +fuzz_filecfg_categories_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \ + $(fuzz_filecfg_categories_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@ + fuzz_readerutils_workflow_SOURCES = fuzz_readerutils_workflow.cpp fuzz_common_code.c ../example/reader_util.c fuzz_readerutils_workflow_CXXFLAGS = -I../example/ @NDPI_CFLAGS@ $(CXXFLAGS) -DDISABLE_CUSTOM_ALLOCATOR_ON_READERUTILS fuzz_readerutils_workflow_CFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS) -DDISABLE_CUSTOM_ALLOCATOR_ON_READERUTILS 
@@ -606,6 +619,10 @@ files_corpus_fuzz_filecfg_protocols := $(wildcard corpus/fuzz_filecfg_protocols fuzz_filecfg_protocols_seed_corpus.zip: $(files_corpus_fuzz_filecfg_protocols) zip -j fuzz_filecfg_protocols_seed_corpus.zip $(files_corpus_fuzz_filecfg_protocols) +files_corpus_fuzz_filecfg_categories := $(wildcard corpus/fuzz_filecfg_categories/*) +fuzz_filecfg_categories_seed_corpus.zip: $(files_corpus_fuzz_filecfg_categories) + zip -j fuzz_filecfg_categories_seed_corpus.zip $(files_corpus_fuzz_filecfg_categories) + files_corpus_fuzz_readerutils_workflow := $(wildcard corpus/fuzz_readerutils_workflow/*) fuzz_readerutils_workflow_seed_corpus.zip: $(files_corpus_fuzz_readerutils_workflow) zip -j fuzz_readerutils_workflow_seed_corpus.zip $(files_corpus_fuzz_readerutils_workflow) 
@@ -622,7 +639,7 @@ files_corpus_fuzz_ds_domain_classify := $(wildcard corpus/fuzz_ds_domain_classi fuzz_ds_domain_classify_seed_corpus.zip: $(files_corpus_fuzz_ds_domain_classify) zip -j fuzz_ds_domain_classify_seed_corpus.zip $(files_corpus_fuzz_ds_domain_classify) -corpus: fuzz_ndpi_reader_seed_corpus.zip fuzz_ndpi_reader_alloc_fail_seed_corpus.zip fuzz_ndpi_reader_payload_analyzer_seed_corpus.zip fuzz_quic_get_crypto_data_seed_corpus.zip fuzz_config_seed_corpus.zip fuzz_ds_patricia_seed_corpus.zip fuzz_ds_ahocorasick_seed_corpus.zip fuzz_alg_ses_des_seed_corpus.zip fuzz_alg_hw_rsi_outliers_da_seed_corpus.zip fuzz_alg_bins_seed_corpus.zip fuzz_alg_hll_seed_corpus.zip fuzz_alg_jitter_seed_corpus.zip fuzz_ds_libcache_seed_corpus.zip fuzz_community_id_seed_corpus.zip fuzz_ds_tree_seed_corpus.zip fuzz_serialization_seed_corpus.zip fuzz_ds_ptree_seed_corpus.zip fuzz_alg_crc32_md5_seed_corpus.zip fuzz_alg_bytestream_seed_corpus.zip fuzz_libinjection_seed_corpus.zip fuzz_tls_certificate_seed_corpus.zip fuzz_filecfg_protocols_seed_corpus.zip fuzz_readerutils_workflow_seed_corpus.zip fuzz_readerutils_parseprotolist_seed_corpus.zip fuzz_ds_bitmap64_seed_corpus.zip fuzz_ds_domain_classify_seed_corpus.zip +corpus: fuzz_ndpi_reader_seed_corpus.zip fuzz_ndpi_reader_alloc_fail_seed_corpus.zip fuzz_ndpi_reader_payload_analyzer_seed_corpus.zip fuzz_quic_get_crypto_data_seed_corpus.zip fuzz_config_seed_corpus.zip fuzz_ds_patricia_seed_corpus.zip fuzz_ds_ahocorasick_seed_corpus.zip fuzz_alg_ses_des_seed_corpus.zip fuzz_alg_hw_rsi_outliers_da_seed_corpus.zip fuzz_alg_bins_seed_corpus.zip fuzz_alg_hll_seed_corpus.zip fuzz_alg_jitter_seed_corpus.zip fuzz_ds_libcache_seed_corpus.zip fuzz_community_id_seed_corpus.zip fuzz_ds_tree_seed_corpus.zip fuzz_serialization_seed_corpus.zip fuzz_ds_ptree_seed_corpus.zip fuzz_alg_crc32_md5_seed_corpus.zip fuzz_alg_bytestream_seed_corpus.zip fuzz_libinjection_seed_corpus.zip fuzz_tls_certificate_seed_corpus.zip 
fuzz_filecfg_protocols_seed_corpus.zip fuzz_readerutils_workflow_seed_corpus.zip fuzz_readerutils_parseprotolist_seed_corpus.zip fuzz_ds_bitmap64_seed_corpus.zip fuzz_ds_domain_classify_seed_corpus.zip fuzz_filecfg_protocols_seed_corpus.zip cp corpus/fuzz_*seed_corpus.zip . #Create dictionaries exactly as expected by oss-fuzz. @@ -651,6 +668,7 @@ distdir: -o -path './corpus/fuzz_*.zip' \ -o -path './corpus/fuzz_quic_get_crypto_data/*' \ -o -path './corpus/fuzz_filecfg_protocols/*' \ + -o -path './corpus/fuzz_filecfg_categories/*' \ -o -path './corpus/fuzz_readerutils_workflow/*' \ -o -path './corpus/fuzz_readerutils_parseprotolist/*' \ -o -path './corpus/fuzz_config/*' \ diff --git a/fuzz/corpus/fuzz_filecfg_categories/domain.txt b/fuzz/corpus/fuzz_filecfg_categories/domain.txt new file mode 100644 index 00000000000..2598e8dc4a3 --- /dev/null +++ b/fuzz/corpus/fuzz_filecfg_categories/domain.txt @@ -0,0 +1,2 @@ +# Format: name\tcategory_id +internetbadguys.com 100 diff --git a/fuzz/corpus/fuzz_filecfg_categories/ipv4.txt b/fuzz/corpus/fuzz_filecfg_categories/ipv4.txt new file mode 100644 index 00000000000..5f44509573f --- /dev/null +++ b/fuzz/corpus/fuzz_filecfg_categories/ipv4.txt @@ -0,0 +1 @@ +144.139.247.220 100 diff --git a/fuzz/corpus/fuzz_filecfg_categories/ipv4_prefix.txt b/fuzz/corpus/fuzz_filecfg_categories/ipv4_prefix.txt new file mode 100644 index 00000000000..40758d9e53b --- /dev/null +++ b/fuzz/corpus/fuzz_filecfg_categories/ipv4_prefix.txt @@ -0,0 +1 @@ +144.139.247.220/24 100 diff --git a/fuzz/corpus/fuzz_filecfg_categories/ipv6.txt b/fuzz/corpus/fuzz_filecfg_categories/ipv6.txt new file mode 100644 index 00000000000..4a638c09af1 --- /dev/null +++ b/fuzz/corpus/fuzz_filecfg_categories/ipv6.txt @@ -0,0 +1 @@ +[3ffe:507:0:1:200:86ff:fe05:80da] 100 diff --git a/fuzz/corpus/fuzz_filecfg_categories/ipv6_prefix.txt b/fuzz/corpus/fuzz_filecfg_categories/ipv6_prefix.txt new file mode 100644 index 00000000000..05adf16028f --- /dev/null 
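Review bot: The rewritten `corpus:` prerequisite list appends `fuzz_filecfg_protocols_seed_corpus.zip` a second time instead of `fuzz_filecfg_categories_seed_corpus.zip`, so `make corpus` never builds the zip whose rule the previous hunk adds, and the new fuzzer reaches OSS-Fuzz without the seeds under `corpus/fuzz_filecfg_categories/`. Replace the trailing duplicate with `fuzz_filecfg_categories_seed_corpus.zip`. The `.gitignore` and `distdir` hunks already account for the new zip and corpus directory, so this prerequisite list is the only place the name is missing.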
+++ b/fuzz/corpus/fuzz_filecfg_categories/ipv6_prefix.txt @@ -0,0 +1 @@ +[3ffe:507:0:1:200:86ff:fe05:80da]/64 100 diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp index 53d5c2fd825..53df3a8c322 100644 --- a/fuzz/fuzz_config.cpp +++ b/fuzz/fuzz_config.cpp @@ -220,6 +220,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { flow.l4_proto, flow.c_address.v4, flow.c_port, flow.s_address.v4, flow.s_port); + } else { + ndpi_find_ipv6_category_userdata(ndpi_info_mod, (struct in6_addr *)flow.c_address.v6); } /* Another "strange" function: fuzz it here, for lack of a better alternative */ ndpi_search_tcp_or_udp(ndpi_info_mod, &flow); diff --git a/fuzz/fuzz_filecfg_categories.c b/fuzz/fuzz_filecfg_categories.c new file mode 100644 index 00000000000..d2e43c99cea --- /dev/null +++ b/fuzz/fuzz_filecfg_categories.c 
@@ -0,0 +1,46 @@ +#include "ndpi_api.h" +#include "fuzz_common_code.h" + +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + struct ndpi_detection_module_struct *ndpi_struct; + FILE *fd; + /* Try to be fast */ + ndpi_init_prefs prefs = ndpi_dont_load_tor_list | + ndpi_dont_load_azure_list | + ndpi_dont_load_whatsapp_list | + ndpi_dont_load_amazon_aws_list | + ndpi_dont_load_ethereum_list | + ndpi_dont_load_zoom_list | + ndpi_dont_load_cloudflare_list | + ndpi_dont_load_microsoft_list | + ndpi_dont_load_google_list | + ndpi_dont_load_google_cloud_list | + ndpi_dont_load_asn_lists | + ndpi_dont_init_risk_ptree | + ndpi_dont_load_cachefly_list | + ndpi_dont_load_protonvpn_list | + ndpi_dont_load_mullvad_list; + NDPI_PROTOCOL_BITMASK all; + NDPI_PROTOCOL_BITMASK debug_bitmask; + + /* To allow memory allocation failures */ + fuzz_set_alloc_callbacks_and_seed(size); + + ndpi_struct = ndpi_init_detection_module(prefs); + NDPI_BITMASK_SET_ALL(all); + ndpi_set_protocol_detection_bitmask2(ndpi_struct, &all); + + NDPI_BITMASK_SET_ALL(debug_bitmask); + ndpi_set_log_level(ndpi_struct, 4); + ndpi_set_debug_bitmask(ndpi_struct, debug_bitmask); + + fd = buffer_to_file(data, size); + ndpi_load_categories_file2(ndpi_struct, fd, NULL); + if(fd) + fclose(fd); + + /* We don't really need to call ndpi_finalize_initialization */ + + ndpi_exit_detection_module(ndpi_struct); + return 0; +} diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h index 35fbde85cdb..ee77b537aa9 100644 --- a/src/include/ndpi_api.h +++ b/src/include/ndpi_api.h @@ -810,6 +810,7 @@ extern "C" { * -1 else */ int ndpi_load_categories_file(struct ndpi_detection_module_struct *ndpi_str, const char* path, void *user_data); + int ndpi_load_categories_file2(struct ndpi_detection_module_struct *ndpi_str, FILE *fd, void *user_data); /** * Loads a file (separated by ) of domain names associated with the specified category 
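Review bot: The module returned by `ndpi_init_detection_module` is used without a NULL check, although this same patch makes that function return NULL when a Patricia tree cannot be allocated and `fuzz_set_alloc_callbacks_and_seed(size)` is called precisely to inject allocation failures. Unless `ndpi_set_protocol_detection_bitmask2`, `ndpi_set_log_level` and `ndpi_set_debug_bitmask` tolerate a NULL module (not visible here), the harness would crash in itself rather than exercise the parser under test. Adding `if(ndpi_struct == NULL) return 0;` directly after the init call keeps the failure injection focused on `ndpi_load_categories_file2`. The `if(fd)` guard around `fclose` is right, since `buffer_to_file` can presumably fail for the same reason.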
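Review bot: `ndpi_load_categories_file2` is declared without the doc comment its sibling above carries, and the one thing a caller must know — that the stream is neither closed nor rewound — is only discoverable from ndpi_main.c, where `ndpi_load_categories_file` calls it and then performs the `fclose(fd)` itself. I would add above the prototype: `/** Like ndpi_load_categories_file() but reads from an already-open stream, starting at its current position; the stream is NOT closed (the caller owns fd). Same return convention as ndpi_load_categories_file(). */`. That also documents the contract the new fuzz harness relies on when it closes the file after the call.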
@@ -1028,11 +1029,17 @@ extern "C" { int ndpi_enable_loaded_categories(struct ndpi_detection_module_struct *ndpi_struct); void* ndpi_find_ipv4_category_userdata(struct ndpi_detection_module_struct *ndpi_str, u_int32_t saddr); + void* ndpi_find_ipv6_category_userdata(struct ndpi_detection_module_struct *ndpi_str, + struct in6_addr *saddr); int ndpi_fill_ip_protocol_category(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int32_t saddr, u_int32_t daddr, ndpi_protocol *ret); + int ndpi_fill_ip6_protocol_category(struct ndpi_detection_module_struct *ndpi_str, + struct ndpi_flow_struct *flow, + struct in6_addr *saddr, struct in6_addr *daddr, + ndpi_protocol *ret); int ndpi_match_custom_category(struct ndpi_detection_module_struct *ndpi_struct, char *name, u_int name_len, ndpi_protocol_category_t *id); void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_struct, diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 25702308027..365638aa38b 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -1327,6 +1327,7 @@ struct ndpi_detection_module_struct { ndpi_domain_classify *sc_hostnames, *sc_hostnames_shadow; #endif void *ipAddresses, *ipAddresses_shadow; /* Patricia */ + void *ipAddresses6, *ipAddresses6_shadow; /* Patricia IPv6*/ u_int8_t categories_loaded; } custom_categories; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 16cffe7868a..a0fb3a1a6cd 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
@@ -3267,6 +3267,8 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs ndpi_str->custom_categories.ipAddresses = ndpi_patricia_new(32 /* IPv4 */); ndpi_str->custom_categories.ipAddresses_shadow = ndpi_patricia_new(32 /* IPv4 */); + ndpi_str->custom_categories.ipAddresses6 = ndpi_patricia_new(128 /* IPv6 */); + ndpi_str->custom_categories.ipAddresses6_shadow = ndpi_patricia_new(128 /* IPv6 */); if(ndpi_str->host_automa.ac_automa) ac_automata_feature(ndpi_str->host_automa.ac_automa,AC_FEATURE_LC); @@ -3294,7 +3296,8 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs if(ndpi_str->common_alpns_automa.ac_automa) ac_automata_name(ndpi_str->common_alpns_automa.ac_automa,"content",AC_FEATURE_DEBUG); - if((ndpi_str->custom_categories.ipAddresses == NULL) || (ndpi_str->custom_categories.ipAddresses_shadow == NULL)) { + if((ndpi_str->custom_categories.ipAddresses == NULL) || (ndpi_str->custom_categories.ipAddresses_shadow == NULL) || + (ndpi_str->custom_categories.ipAddresses6 == NULL) || (ndpi_str->custom_categories.ipAddresses6_shadow == NULL)) { NDPI_LOG_ERR(ndpi_str, "[NDPI] Error allocating Patricia trees\n"); ndpi_exit_detection_module(ndpi_str); return(NULL); @@ -3686,6 +3689,9 @@ int ndpi_get_custom_category_match(struct ndpi_detection_module_struct *ndpi_str ndpi_protocol_category_t *id) { char ipbuf[64], *ptr; struct in_addr pin; + struct in6_addr pin6; + ndpi_prefix_t prefix; + ndpi_patricia_node_t *node; u_int cp_len = ndpi_min(sizeof(ipbuf) - 1, name_len); if(!ndpi_str->custom_categories.categories_loaded) @@ -3694,8 +3700,9 @@ int ndpi_get_custom_category_match(struct ndpi_detection_module_struct *ndpi_str if(cp_len > 0) { memcpy(ipbuf, name_or_ip, cp_len); ipbuf[cp_len] = '\0'; - } else + } else { ipbuf[0] = '\0'; + } ptr = strrchr(ipbuf, '/'); 
@@ -3703,9 +3710,7 @@ int ndpi_get_custom_category_match(struct ndpi_detection_module_struct *ndpi_str ptr[0] = '\0'; if(inet_pton(AF_INET, ipbuf, &pin) == 1) { - /* Search IP */ - ndpi_prefix_t prefix; - ndpi_patricia_node_t *node; + /* Search IPv4 */ /* Make sure all in network byte order otherwise compares wont work */ ndpi_fill_prefix_v4(&prefix, &pin, 32, ((ndpi_patricia_tree_t *) ndpi_str->custom_categories.ipAddresses)->maxbits); @@ -3713,10 +3718,18 @@ int ndpi_get_custom_category_match(struct ndpi_detection_module_struct *ndpi_str if(node) { *id = node->value.u.uv32.user_value; - return(0); } + return(-1); + } else if(inet_pton(AF_INET6, ipbuf, &pin6) == 1) { + /* Search IPv6 */ + ndpi_fill_prefix_v6(&prefix, &pin6, 128, ((ndpi_patricia_tree_t *) ndpi_str->custom_categories.ipAddresses6)->maxbits); + node = ndpi_patricia_search_best(ndpi_str->custom_categories.ipAddresses6, &prefix); + if(node) { + *id = node->value.u.uv32.user_value; + return(0); + } return(-1); } else { /* Search Host */ @@ -3827,6 +3840,12 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_str) { if(ndpi_str->custom_categories.ipAddresses_shadow != NULL) ndpi_patricia_destroy((ndpi_patricia_tree_t *) ndpi_str->custom_categories.ipAddresses_shadow, free_ptree_data); + if(ndpi_str->custom_categories.ipAddresses6 != NULL) + ndpi_patricia_destroy((ndpi_patricia_tree_t *) ndpi_str->custom_categories.ipAddresses6, free_ptree_data); + + if(ndpi_str->custom_categories.ipAddresses6_shadow != NULL) + ndpi_patricia_destroy((ndpi_patricia_tree_t *) ndpi_str->custom_categories.ipAddresses6_shadow, free_ptree_data); + if(ndpi_str->host_risk_mask_automa.ac_automa != NULL) ac_automata_release((AC_AUTOMATA_t *) ndpi_str->host_risk_mask_automa.ac_automa, 1 /* free patterns strings memory */); 
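Review bot: As rendered, the second hunk removes `return(0);` from the IPv4 `if(node)` block and the first added line after its closing brace is `return(-1);`, so an IPv4 hit would store `*id` but still report failure, while the new IPv6 branch keeps `return(0);` inside its `if(node)`. Unless the collapsed rendering hides a re-added `return(0);`, the IPv4 block should read `if(node) { *id = node->value.u.uv32.user_value; return(0); } return(-1);`, mirroring the IPv6 one; the existing tests would not catch this because they classify flows through ndpi_do_guess rather than this lookup. Separately, `ndpi_load_ip_category` accepts the bracketed `[addr]` form used in categories.txt, whereas this lookup only recognises bare IPv6 text and lets a bracketed string fall through to the hostname search, so either strip the brackets here too or document that callers must pass bare addresses. The function begins before the first hunk on this line.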
@@ -4384,20 +4403,33 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_str, */ int ndpi_load_categories_file(struct ndpi_detection_module_struct *ndpi_str, const char *path, void *user_data) { - char buffer[512], *line, *name, *category, *saveptr; + int rc; FILE *fd; - int len, num = 0; if(!ndpi_str || !path) return(-1); fd = fopen(path, "r"); - if(fd == NULL) { NDPI_LOG_ERR(ndpi_str, "Unable to open file %s [%s]\n", path, strerror(errno)); - return(-1); + return -1; } + rc = ndpi_load_categories_file2(ndpi_str, fd, user_data); + + fclose(fd); + + return rc; +} + +int ndpi_load_categories_file2(struct ndpi_detection_module_struct *ndpi_str, + FILE *fd, void *user_data) { + char buffer[512], *line, *name, *category, *saveptr; + int len, num = 0; + + if(!ndpi_str || !fd) + return(-1); + while(1) { line = fgets(buffer, sizeof(buffer), fd); @@ -4426,8 +4458,6 @@ int ndpi_load_categories_file(struct ndpi_detection_module_struct *ndpi_str, } } - fclose(fd); - /* Not necessay to call ndpi_enable_loaded_categories() as ndpi_set_protocol_detection_bitmask2() will do that @@ -7139,14 +7169,16 @@ int ndpi_load_ip_category(struct ndpi_detection_module_struct *ndpi_str, const char *ip_address_and_mask, ndpi_protocol_category_t category, void *user_data) { - ndpi_patricia_node_t *node; - struct in_addr pin; - int bits = 32; + ndpi_patricia_node_t *node = NULL; + int bits = 32, is_ipv6 = 0; char *ptr; - char ipbuf[64]; + char ipbuf[128]; - if(!ndpi_str->custom_categories.ipAddresses_shadow) - return(-1); + if(ip_address_and_mask[0] == '[') { + is_ipv6 = 1; + bits = 128; + ip_address_and_mask++; /* Strip '[' */ + } strncpy(ipbuf, ip_address_and_mask, sizeof(ipbuf) - 1); ipbuf[sizeof(ipbuf) - 1] = '\0'; 
@@ -7158,13 +7190,31 @@ int ndpi_load_ip_category(struct ndpi_detection_module_struct *ndpi_str, if(atoi(ptr) >= 0 && atoi(ptr) <= 32) bits = atoi(ptr); } + ptr = strrchr(ipbuf, ']'); + if(ptr) + *ptr = '\0'; /* Strip ']' */ + + if(!is_ipv6 && ndpi_str->custom_categories.ipAddresses_shadow) { + struct in_addr pin; - if(inet_pton(AF_INET, ipbuf, &pin) != 1) { - NDPI_LOG_DBG2(ndpi_str, "Invalid ip/ip+netmask: %s\n", ip_address_and_mask); + if(inet_pton(AF_INET, ipbuf, &pin) != 1) { + NDPI_LOG_DBG2(ndpi_str, "Invalid ip4/ip4+netmask: %s\n", ip_address_and_mask); + return(-1); + } + node = add_to_ptree(ndpi_str->custom_categories.ipAddresses_shadow, AF_INET, &pin, bits); + } else if(is_ipv6 && ndpi_str->custom_categories.ipAddresses6_shadow) { + struct in6_addr pin6; + + if(inet_pton(AF_INET6, ipbuf, &pin6) != 1) { + NDPI_LOG_DBG2(ndpi_str, "Invalid ip6/ip6+netmask: %s\n", ip_address_and_mask); + return(-1); + } + node = add_to_ptree(ndpi_str->custom_categories.ipAddresses6_shadow, AF_INET6, &pin6, bits); + } else { return(-1); } - if((node = add_to_ptree(ndpi_str->custom_categories.ipAddresses_shadow, AF_INET, &pin, bits)) != NULL) { + if(node != NULL) { node->value.u.uv32.user_value = (u_int16_t)category, node->value.u.uv32.additional_user_value = 0; node->custom_user_data = user_data; } 
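Review bot: The mask parser kept as context at the top of this hunk, `if(atoi(ptr) >= 0 && atoi(ptr) <= 32) bits = atoi(ptr);`, still clamps at 32, so every IPv6 prefix longer than /32 is silently ignored and the entry is stored as a /128 host: `[2001:db8:1::1]/127` from example/categories.txt and the `/64` seed in the new corpus both load as single addresses. Since `bits` already holds 32 or 128 by this point (set in the previous hunk when the leading `[` is stripped), the one-line fix is `if(atoi(ptr) >= 0 && atoi(ptr) <= bits) bits = atoi(ptr);`. The regression pcap cannot see this because its only IPv6 flow uses exactly 2001:db8:1::1, while a Malware-category /64 in a real deployment would flag one host instead of the whole range — a fail-open for a blocklist. I would also log and `return(-1)` for an out-of-range mask rather than fall back to the host length, so a mistyped entry fails loudly.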
@@ -7260,9 +7310,15 @@ int ndpi_enable_loaded_categories(struct ndpi_detection_module_struct *ndpi_str) if(ndpi_str->custom_categories.ipAddresses != NULL) ndpi_patricia_destroy((ndpi_patricia_tree_t *) ndpi_str->custom_categories.ipAddresses, free_ptree_data); + if(ndpi_str->custom_categories.ipAddresses6 != NULL) + ndpi_patricia_destroy((ndpi_patricia_tree_t *) ndpi_str->custom_categories.ipAddresses6, free_ptree_data); + ndpi_str->custom_categories.ipAddresses = ndpi_str->custom_categories.ipAddresses_shadow; ndpi_str->custom_categories.ipAddresses_shadow = ndpi_patricia_new(32 /* IPv4 */); + ndpi_str->custom_categories.ipAddresses6 = ndpi_str->custom_categories.ipAddresses6_shadow; + ndpi_str->custom_categories.ipAddresses6_shadow = ndpi_patricia_new(128 /* IPv6 */); + ndpi_str->custom_categories.categories_loaded = 1; return(0); @@ -7288,6 +7344,26 @@ void* ndpi_find_ipv4_category_userdata(struct ndpi_detection_module_struct *ndpi return(node ? node->custom_user_data : NULL); } +/* ********************************************************************************* */ + +void* ndpi_find_ipv6_category_userdata(struct ndpi_detection_module_struct *ndpi_str, + struct in6_addr *saddr) { + ndpi_patricia_node_t *node; + + if(!saddr || !ndpi_str || !ndpi_str->custom_categories.ipAddresses6) + node = NULL; + else { + ndpi_prefix_t prefix; + + ndpi_fill_prefix_v6(&prefix, saddr, 128, + ((ndpi_patricia_tree_t *) ndpi_str->custom_categories.ipAddresses6)->maxbits); + node = ndpi_patricia_search_best(ndpi_str->custom_categories.ipAddresses6, &prefix); + } + + return(node ? node->custom_user_data : NULL); +} + + /* ********************************************************************************* */ /* NOTE u_int32_t is represented in network byte order */ 
@@ -7344,6 +7420,52 @@ int ndpi_fill_ip_protocol_category(struct ndpi_detection_module_struct *ndpi_str /* ********************************************************************************* */ +int ndpi_fill_ip6_protocol_category(struct ndpi_detection_module_struct *ndpi_str, + struct ndpi_flow_struct *flow, + struct in6_addr *saddr, struct in6_addr *daddr, + ndpi_protocol *ret) { + bool match_client = true; + + ret->custom_category_userdata = NULL; + + if(ndpi_str->custom_categories.categories_loaded && + ndpi_str->custom_categories.ipAddresses6) { + + ndpi_prefix_t prefix; + ndpi_patricia_node_t *node; + + ndpi_fill_prefix_v6(&prefix, saddr, 128, + ((ndpi_patricia_tree_t *) ndpi_str->custom_categories.ipAddresses6)->maxbits); + node = ndpi_patricia_search_best(ndpi_str->custom_categories.ipAddresses6, &prefix); + + if(node == NULL) { + ndpi_fill_prefix_v6(&prefix, daddr, 128, + ((ndpi_patricia_tree_t *) ndpi_str->custom_categories.ipAddresses6)->maxbits); + node = ndpi_patricia_search_best(ndpi_str->custom_categories.ipAddresses6, &prefix); + match_client = false; + } else { + match_client = true; + } + + if(node) { + ret->category = (ndpi_protocol_category_t) node->value.u.uv32.user_value; + ret->custom_category_userdata = node->custom_user_data; + + if((ret->category == CUSTOM_CATEGORY_MALWARE) && (match_client == false)) { + ndpi_set_risk(ndpi_str, flow, NDPI_MALWARE_HOST_CONTACTED, "Client contacted malware host"); + } + + return(1); + } + } + + ret->category = ndpi_get_proto_category(ndpi_str, *ret); + + return(0); +} + +/* ********************************************************************************* */ + void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, ndpi_protocol *ret) { if((ret->master_protocol == NDPI_PROTOCOL_UNKNOWN) && (ret->app_protocol == NDPI_PROTOCOL_UNKNOWN)) 
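Review bot: `match_client` is initialised to `true` at its declaration and then reassigned in both arms of `if(node == NULL)`, so the `else { match_client = true; }` arm only restates the initialiser; keeping one of the two (the initialiser plus `match_client = false;` in the NULL arm) makes the intent — flip only when the server address matched — easier to read. Unlike `ndpi_find_ipv6_category_userdata` added in the previous hunk, this function dereferences `saddr`, `daddr` and `ret` with no guards, which is fine for the single call site in ndpi_do_guess but deserves a comment on the prototype, e.g. `/* saddr, daddr and ret must be non-NULL; sets NDPI_MALWARE_HOST_CONTACTED when the server side matches a CUSTOM_CATEGORY_MALWARE entry */`. The body otherwise mirrors the IPv4 function line for line, so a shared static helper taking the tree and two prefixes would stop the two copies drifting apart.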
@@ -7442,9 +7564,11 @@ static int ndpi_do_guess(struct ndpi_detection_module_struct *ndpi_str, struct n ret->protocol_by_ip = flow->guessed_protocol_id_by_ip; - if(ndpi_str->custom_categories.categories_loaded && packet->iph) { - if(ndpi_str->ndpi_num_custom_protocols != 0) + if(ndpi_str->custom_categories.categories_loaded) { + if(packet->iph) ndpi_fill_ip_protocol_category(ndpi_str, flow, flow->c_address.v4, flow->s_address.v4, ret); + else + ndpi_fill_ip6_protocol_category(ndpi_str, flow, (struct in6_addr *)flow->c_address.v6, (struct in6_addr *)flow->s_address.v6, ret); flow->guessed_header_category = ret->category; } else flow->guessed_header_category = NDPI_PROTOCOL_CATEGORY_UNSPECIFIED; 
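Review bot: The IPv4 path loses the `ndpi_str->ndpi_num_custom_protocols != 0` guard that the removed line carried, so custom categories are now applied to IPv4 flows even when no custom protocol is defined — presumably the intent (example/categories.txt defines only categories, and flow 2 in the new pcap depends on it), but it is a behaviour change for existing IPv4 deployments that the commit message does not mention. The new `else` branch assumes every non-IPv4 packet reaching this point is IPv6 with `flow->c_address.v6`/`s_address.v6` populated; if that invariant is established earlier in ndpi_do_guess, a one-line comment such as `/* !iph implies iphv6 here: flow addresses were filled from the v6 header */` would save the next reader a trip. ndpi_do_guess starts before this hunk.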
diff --git a/tests/cfgs/default/pcap/custom_categories.pcapng b/tests/cfgs/default/pcap/custom_categories.pcapng new file mode 100644 index 0000000000000000000000000000000000000000..293565ff8443ab38eea1f97672d78db2ee38497e GIT binary patch literal 17592 zcmeHu2RN7C-~atFvL!ntDA9zJf-1Kie@4wf#q<_H#|gQ#1&SX-K#Ix(;t*t%G{+L*eW=3o%w;o}iu zU{|(1!{ENub}}_TZE9_4!C>mTbeEg|f~AKO{{=TQH-|HB0(?At;K2({PNw`E03AV~ zEKm;e<=+bnOYI$??*l3YB2)(cefecJZq>RRniVz>GaupwCyKhN`6?~5+aTfKj z41OZ35Bjifp+Cd6^=ASyeDEP*G>+R1NLtYwVj~a_>U{}ffC72XEPg6$3EHqOF}_Z3 z-W}W3`vcV5hnmrNHgXwvSzjF;6>feWVNeBl1Vr!w3dG+i$Ez|lIX2s$_rIn8#G)Jl z>-GQ7a)d$$1qJfKLsKAo3iM&!%m+$n+k8v_KKP*=seJ4C06hXYHiCg8!J9emM(B(n zn1B#wOr(J-TKr>>o%Um+@fk|L(*cGb39>!*b0lFMtB5hWEWo0PHIMte!N|?YD%n`= zD0S_qM*VZ<2`t5qu7?y~Pbk-Br%EJJwLM22XlMv?5g5R@AAUG5RG;!d_PtL|(=+l~ z2ncm#$385i`e#({l`DuluVYsRZ(+}^YL!O3(mk;WeXZYKog+}`oG`4|CAXJvU)+&r z=Q~^M(w`*}#AS%hrlx0@1eIccPF7&|CiA{u6Wtg8$#=(2eJnhka~`kWGS1(!)GfAh zswx}{e;w^cdz^FcL5(K%s6M99^oBB)gR#;0gS576QYKHK_MjdDm5#I(qP!9eG3%7H<8ygNo5rHg8J3_dR?R;$6Y`gSxRH#OsA+rv%5{it6M`r5a{| zP2PXf7=OEbWk1yR2V00h29nte&1t=sm%}^x3ep!Uvm#)PhJgA^wPc z1jGH4^`4EvJ=H9Z0Y>p8Y+bL+fUcO~_zhW0TtH6H^MuDt(ORC^oTnJJ>z_C{z(4C@ zo`_Lh^-oripN_8O2@pVw1;)k4(o$I{8myb+0^#~^;sRUz8QzGCU^6tP6gRP8MIi{p zhPsDBI8dMr78Rwkr$8IlE&M@f+x}1w{DBPm1E0dGKNtdkUIFONP(8gLSv?Px#ugfK2RCt8kS$pr*h!8 z_cTrUocUF#qnGQ`edY6MFZNr6ItG3EZS^}T9Hfxt+(C%OjaF2->}Nm=tXuf&<8Axv z-VXQ4K*$Xx7-uneKtI8)f%dstn9hQ|*Hp%)G@j>?Xu$QNx3}}_FjzacJ6Vf0sos)hA9t?O*U_f34f{^_5t8u1lbXU=!s8lQYI90go+n`hob_drEQ+1s z;=}*!9vmH7DD&i&PQ|Z`sEg9k`pM~`_GjYv=~K_QsNF7C@NjgvnIksoC(C@RE702h z9^0V~+>-;mpJK8R1abg<6+LG#(p0YHjLmcFw$~Pufxu7lV9tp8u+dK--o_Z|qpA8k zF_O1pgW8l;8?Y_g09(DR^48No$m_Kj!9w$c^Ga2+?}2QvZV@Bt+l`S$-Akb#L@2J) zoehi|eB1B(i@Cfk`Bb5yd{dcfq%BVnNb-Vqq`6Kj z;|pc_)`wTqW8U#q28`x8vIb8yU+K0(VLE-sq7|%&ODs()Wsf3Bl65+kWW{w_G>D8% z$?xm+0LuApX8PMoqc=%YM$$_3Rbt|dc=+B0TJNb$;cz}u(*g1X)E(LZodf*Jmunns zo-@+79Sfx$?o+!U2kg<}ElDVLVRpLzJhkNJ#{%XVFu);nxwGkVS&m$#4`%@DL; 
zR(sVGOudkwN#s1Jz|%4=_vnn&RK4f``Y7`hTy2&Pf?#Vrns-wI5k>I8~vaj^Kh@y zil$lP06hktalHB~F)+1@&@>g+>E#V>*+E#JzhqD5wN`(a7tu!0MaJ86;s8|WxmiAxJA5tMcC{U)3 zhS#!wpbhI5xlwJq{(yTJ_yafe2b;2W{%{NoyYJGD=EsHj{G+jo`oi>twQNK5jdk># z=XRYrZ_iRM^1Y9*K7Ev%iOhaUwv9O}LbT@Z*ozz3>+GVv+&A*JVlVW0om0B@ujDM; zvn$+8uJ{ScmL23Q$PKpoA*t@vbf=oFbJiv0+O>GyoUgZ?v!aQZRp>M9 zKn8zHiZ?}#AEGSg4){*%UnV|$3hT=e{u6B&a#+-i!~=2FZhFKD=PeU-nE8#RRL)AGYHXMc3(h&$)(fuk4?TVgAl zY*kfC3n@++cEAoS)csI3 z*90sCu{X}49AOQAhlg;$Llu-^x^goQz7eXzQ4~^OU%HhHr{d9M_%}RM0UqL^3@MM5IM?BVX$8W(k%>Sndc_S*YgDI6SW zpYJyEIc3BXdFl#%7q+TIXv1w%x6j7J!_j>P~yhM2L^vSL|!=HDJm3D zcDDcO0N*nW*>J(kE)A@Uu_}0dcpk&H2@Wdfw9Zv?yq@@0daz`8+;u`<+v-k=dC%SN zsRj8V4#oIAIc&iXk0;rmKL0VIsfAG8*w609QRfJgb2;9EyfQXFSH-TgrbXD+h;ghH$pOuQf+$*i2@7 zpDl>$X8JiPzANp7(gkCE2F_zs_5={+;=&na~Tr70zGR&#cCb(NYdynZMB28=^GQI%kvk-z!%?Mj?eqzJYMxsPo&F>hLMbqpV6kgvbNqpUwZ|+b^JXpzAkbB zPI8y?2jl{r>a1{)3ey89FlS&{cK(%h4*u5_E*{xz;({$r=ESeS7=pP2jai>ZY_aVW zm6L>3vg@=3dAm$^Y36$Fyy!E6?L+0d^*ZNiz}vsZ4FT;UH~Uw)F<#FN`dP|*tS^7% zEM*G#C%^^yG!QItmu+%l2^Ya{L5>@Xmss20Hr!uSZjuQcb>%DtU6$G-V{5W(_StQp zxf0LdlZ|22LXKzvY zn*{4;J(Ug4$>M`+vLpdfVS%yq_Tjkf1<;0di+zmBw%0;)fERhl3xDt`FDHS&Eb{XG zT7-VF_=L~XQz)63QoSL7g`e)mwjd>FT;0JGbXESE`&saI2V92v7Tt%`sK5OkuH-x1 zrx_tv@Q{AdpP_8HH77xrV34M#&Fiz?*BpKLQP?T6D_^>b{Z#7xcikYw%!Yul}4>6t^5<=^n43V68) zc_~%c%*&w&F^NZ>F1ouPuu5W#X!-h;tPnfJgvy<#Ku{YP}b z^k3P35JUoAoFOmGj2n5uz+=IF&pLYQJJAJZvb>XV)E7>*bw3E)d0&A(^MJ#|N21$j z-}AM^z48(Mo?n7X<^7IPlfQc@A_p*PsC;W;&yHFI z6N{)5=brx3?A$M{pCj#aLdEU7=8quJDLySvV~weSpS}au$FqL2Yr1tRkaSMaA9}0a zdFRStY=&z86sgEBYobdUH|O$PhnVO0rIuSi6rZ)IJWXZ3&{1~5F1to}h{VtHpvFXt zVe{3XUr+snUd?I^2iuR-+Y?={o=lSeNOXq!@?)Qy%JV&d&GH+XC?WH`iCnl5(W@&ngPy~)brIpnRPqe*!n34 z8^AmL-FT0G>wK-j{8Oo%7^jpFul?b!0&RNnIH9GDQ0#1+7@l^&##dBhO0-P_k^1Eq z0lL{J&YQQIBTw~{t5;B5Q>$jy3_B+}AhGwdfNr8s^4!}z!C7WLhx@Is>9xuqJh?V8 z?U6tdM77t3bj;Aj1+VWbm%`JKpCZy&uY95cFR64SG7$L3ZADgLEuLod=HGL1bDOc-1}Py72ydEKzuRYt3K zwP|%VEHOX0>{1sR^E)}F#k;$Of=klIu&l~M#bmleM(No^g?EF*MV&=hT2-qn?@#@j 
zBzHWwip90j>V?t4_@UqV#&@$qs=zvCW&gp44W0)D&euW|v$DjX59{XrGS-{z?gNNw z7yT9NKZK5M_Sf*E{5hgI0r*GfzmC5wqH=yi{Kdgx%4kqZ?t1IAH}*J-6!FD7@9xZ& zM#POB3coz@KA_|^XO{ZAq|;s%e6K4WDhe6RCFl6(?(E|9m+}lHD~#90Ijl_QmGGUJ zf$mc8>oc#OCdYJ#tKjeb^U8%vjbo&2&u|u-DU(7=mzPd|rw!}vF~=*s>DqVqI1hd- zRS9{xqdsx`dFY$pOfes*ujC#j^ODubdpQz>O4&_oJfily@OSG(&DHUN5r*7Hx#EPu z3H&cDt`W!P${#6}jH_FA-)0`}c^cls?fi1jy`7gv+xhTKgl5VrQXdFBqiYLL z6488y`P$=j&pja?H`9Bf%_vjR`N8~DzuOu$q*@+oMeQ>K_9q()jNT9p8nAw1B$B+V z@>3>0GG1S#ufLt0|G2(L@a~UU`hr>0FEbCZ%AzWdC{6m?j2#$MNM8`o4GjDurC1VI z9`9DgJAxVB;zd@Pg`2cv1#@cIwMrU=9hAjb+N@shIl%Cd z2E(_xC+qB|eL^xcdY7t-DKn1i7&u$c$n(fh@T>LC7=%%mH01V$gt3agICS%(s;SRm zZ|_{UkKvbZA%)V8!3uuHbP9T?7dibt6X&etn_{!zxgukNylB-U@9STM{HF*+iJ#w^ zuu?1u=QPY>6uRpXvP-MliyKikJHZa#Pdf?b|Ix^e(TKCTX^~k0M)yXu?$u%X`Jhix&_#aI{-xeivUil{rn~!+gU&P5 zw=iB*WA;BvN^F%Pa_|O@+JHimPkg5%KKAR|;rv**JH9ZA{gxn`J$BaNM?~+=_}zEd{S-Ogrh1LoCJHy=Xzt`ARd>BT91$REy=6S%^z6<@juMd+D?J2(c@nM% z(a$Iz(#`&refYF9p%!zN&V1JE?l9m*&43q2Y(0`3A2_0pzmYMK?EQ8cO46V~scA{?&zGHam*eB_fdJBaz>_G~r zI5%M?7qXaMfp~XYt%v(Nt#14#=Q<i$Tx%i5BJQwkFtNEp*C-&4U>CTK+ULl*{43_kY|i$?@KB!;~|5f zCM(o~iJM<}HJLkN-`P=`H`M0TqzY5N4Zb3db2*`;B8@2 zsjvNbuY+oEj?=rBbKRQrKa00J>!Ap>RIMRxO#v_E=K`h5FTSO*Aq{)ZMFlj?*$_C4 z2fTY3Yj>*n!*F~MYxCjAmWCdCi4Y^kT{h;KH}PmaG`-rz_lx3BCZv3hs#JYXpm>5b zzJHW@yn%%B)s-?OrqUGQn=~FXt}SO0wMiwogWhnH>mX^zD7piEFW(~C`~8)AwX-jU zv&dI1X8g~BDI>h3T~;P{TKg2EqHq)Hcb>Nf=LOJ*Hu~@Y=g+_9!{i3ghc79v^I@<~ zU-4nMMur8hHQs$h$(;giShqME*!GzTj2(ar*2X`;@XN7d3StM~BKWOL$A!=GYia2H zCTrv9!^2x!r=y>Lnti~KTYcZU`7CMM=bz+ozq|O|M_%V@Jn@2fG6k|w6ipndd2I2% zrSK+e7gxG>(08KYKmEC1UT%H<>12o{rw{%N)-Cwi_V*Xl;QI@5*G0Rm>@}f0C|lmG z?Q&NId(AGJx!Cr(8oBEV7iqqmxWFsMq)TG!qdTc_narbHC{cIKF7Wsq7U&~PYS?mS zpbhI59Blht+9C(R&_^=BP|H4Iw!{H~E#otN>Ax=r5Y**hfI-E7X`ZxMs0`|QQ;`<-;wS(~k z%5*;#LPX+=2VTw~up-2S?-gkg=3^I~qj3?Cwk5}EWDuDhZ7k_D-CXJPiq;=@B9v{d z54zyPNf=_dl{xVHbnM4i7`XTxHx)?Wb?~h^4uU`o7(3`#$>>;%C`*V-SO@~K%DzGz zh=)*q+-W&e=mhY(lSnC(o?xtD;pXCefq3h&EFe56P_LH&OAfSQ-K3Y$SnZ--oE!A& 
z26)asB#7($&!yOa7!V6V;MnN70Ajoo_r(J*kq}sySVPlCwfGjqz*5|xk2BQAhZ^De z5jHeONd82Ik~g1H@>u*`V7u;2S}} zZm!XfS9PO2V;=rK2GVoG! zabVb78jZ`v_LPH#sihtKGZ{NiSJN|&Epw(o-n__QqRTK$EDL$|JcA3TZSWWhW~g2+}l`K zKpen0^j^LJV?hn z$agS-uSG!vRt8X)3dDrizn1$D8`r=W4=#0K-58%pU2!tR#w=MMpT$aTtr^t-Tgs7Q zH9r4<_}mM|xPc3Q`XV(My%ej?^N}CpURQ%XE z#yfo{30G6|UQ;8Vw^aTfmTSU>IFIGLnID9GAH7`iqmUu~X?A@eT-Tw%`Q=K1Iz!zj zmoGrwzZ&}DwSYdXn|QArYl6DBMs47|8t~o+bPw@kTjiY@@csvk5sJ+Ke)=K>x$4*@ zV@LBb-3%_=#FX5rAa;;2wuFDm=T!0g1s5k$Zt~X03+xpFJgQ~B`zC+=6xTC<$oHH! zl-uYjhP2pa)n@C`9Ter3gJ-U`{hFmBI~kA>svs6KL|Qq}C;9p5xPuAr2TN^tqU4d_ zF!y=F=MopA#pOf&AE_(EvSjV2H4_IyzyfuJItyXI-qO0z+S(V76!c-;Xm1Rx;yX}h zjKB@{?rUq!JPLGHGwoinH!cRSH#6uJ;eq$F$W2gjmeV9?qQD)%!xt)p*XlQT2pY|u z79OiyKZa-4b&H|l3r!8q87o)PVA2ptGszpGG$vC&@eiPkDs38@D+628dMe&n#>SIH z=+@;wB_%ML)>jG{_Hw!*K%8yuEuGkVHzFq7q2)?`(Qz%)xGH-!7s-2*(>evEbU(b3 zEHJE(K1lmvGG6V98da`e6r!N4RY0PW-cs=d#<|MCOAlTP3uTuf<5x(iP|3YUsG;li zf*N;!^3S$v*9nw69by}urW|-P`Po6jHhxZYCPhFSVI;1tHydtcvK;L{smV)}mzB^_ zRjDa#%5}ffE4F>yrM*J)IsW{eZ?r*@WuNuWT4*dV%M$(3e)JYwTk*p%5F#8@GH0Dc>ZILP0RkggJy}ZiubCTN90prhQv#{s~)Cp`bl+hxLqK) z$Kso*e4Y#g0lA4m`bRO$f#l~6a_=%mKWhMSRtq6Mh~c#YeFgf=ndM6`PKF$P@w7o7 z)=hDuFxI@7pD5PHN#;?@nbJ()GdG5wt;PulZZ0nLyA7BS3u2J<$zTtFMvO?p|3wJgT}SBt!QA-<=FaTpZ)$*iJisTl zcP?E0-Q6*A!1JfvJpvz5`9YE5CpYm5b{Xb-(PajK0%U#@fYrS0b4|OJ^2$QBd*EwS{NLK;Cmu?lph%MnMt~q|gl;DSfNfat!og1%(80Zo4r|oKfS8 zp!WD8i037XT?nHaN*XaR*%^R|A{P+Yk0KWO>L@RBqvUvcIetqL1B%iK!Ieo%x+=)| z(3ZM~>nLv_7zs5aP1w#zPm?O4d+=AmmAg8aO013zoG;U=3uoGooD6v-ozB>tU)tJR zjeQ_5?NL9KbN%J}De>;61v2r>DEfOj6<;~D3wB|N;I|LRTc<|xilJ-{F1(S?BCJpk zz;LS3$c!C^_HK$cQ%^{-&82b68HFlqPmq}cdqmr78%hFQ9b$h3f@7@nO@WEiGlu1 iifI+MdkULX@*)-6ry{%^ZVFTT`sxN-fi)xG_rCytuU0|; literal 0 HcmV?d00001 diff --git a/tests/cfgs/default/result/custom_categories.pcapng.out b/tests/cfgs/default/result/custom_categories.pcapng.out new file mode 100644 index 00000000000..25423013227 --- /dev/null +++ b/tests/cfgs/default/result/custom_categories.pcapng.out 
@@ -0,0 +1,32 @@ +Guessed flow protos: 0 + +DPI Packets (TCP): 26 (13.00 pkts/flow) +DPI Packets (other): 1 (1.00 pkts/flow) +Confidence DPI : 3 (flows) +Num dissector calls: 23 (7.67 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache zoom: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache stun_zoom: 0/0/0 (insert/search/found) +Automa host: 0/0 (search/found) +Automa domain: 0/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 2/0 (search/found) +Patricia risk mask IPv6: 2/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 2/0 (search/found) +Patricia protocols: 2/0 (search/found) +Patricia protocols IPv6: 4/0 (search/found) + +IPSec 1 346 1 +SSH 84 14188 2 + + 1 TCP [2001:db8:1::1]:64720 <-> [2001:db8:200::1]:20868 [proto: 92/SSH][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 16][cat: Malware/100][32 pkts/3639 bytes <-> 30 pkts/6335 bytes][Goodput ratio: 24/59][5.34 sec][Hostname/SNI: SSH-1.5-1.2.26][bytes ratio: -0.270 (Download)][IAT c2s/s2c min/avg/max/stddev: 13/74 184/193 1212/1436 234/283][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 114/211 250/1294 47/257][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Server: SSH-1.5-1.2.26][Plen Bins: 69,6,0,0,11,2,0,0,2,0,0,0,0,0,2,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0] + 2 TCP 172.26.219.44:58639 <-> 172.30.69.103:22 [proto: 92/SSH][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 10][cat: Malware/100][11 pkts/2011 bytes <-> 11 pkts/2203 bytes][Goodput ratio: 63/67][0.11 sec][Hostname/SNI: SSH-1.99-OpenSSH_4.3][bytes ratio: -0.046 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 7/7 39/41 12/13][Pkt Len 
c2s/s2c min/avg/max/stddev: 66/66 183/200 1026/770 270/223][Risk: ** SSH Obsolete Cli Vers/Cipher **** SSH Obsolete Ser Vers/Cipher **** Client contacted a malware host **][Risk Score: 300][Risk Info: Client contacted malware host / Found cipher arcfour128 / Found cipher arcfour128][HASSH-C: D6593B3202A30B2AA9793A00F8647A0A][Server: SSH-2.0-OpenSSH_6.1][HASSH-S: 500033A73A293E7C36743693D0D4596B][Plen Bins: 31,15,15,0,15,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 ESP [2a01:e34:ef6f:4340:94be:5dac:c20a:d2a0]:0 -> [2001:1670:8:40a6:a08e:332b:aa69:18dc]:0 [VLAN: 121][proto: 79/IPSec][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: Malware/100][1 pkts/346 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **** Client contacted a malware host **][Risk Score: 160][Risk Info: No server to client traffic / Client contacted malware host][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]