From 591a5d00bc8b38dade78295bb8ae7baf4bdab55f Mon Sep 17 00:00:00 2001 From: Nardi Ivan Date: Sat, 10 Jun 2023 12:56:11 +0200 Subject: [PATCH] Add detection of Roblox games --- doc/protocols.rst | 13 +++ src/include/ndpi_protocol_ids.h | 1 + src/include/ndpi_typedefs.h | 3 + src/lib/inc_generated/ndpi_asn_roblox.c.inc | 31 ++++++ src/lib/ndpi_content_match.c.inc | 3 + src/lib/ndpi_main.c | 6 ++ src/lib/protocols/raknet.c | 97 +++++++++++++----- tests/cfgs/default/pcap/roblox.pcapng | Bin 0 -> 36780 bytes ...om_rules_same-ip_multiple_ports.pcapng.out | 4 +- tests/cfgs/default/result/roblox.pcapng.out | 35 +++++++ tests/cfgs/default/result/synscan.pcap.out | 4 +- utils/asn_update.sh | 5 + 12 files changed, 175 insertions(+), 27 deletions(-) create mode 100644 src/lib/inc_generated/ndpi_asn_roblox.c.inc create mode 100644 tests/cfgs/default/pcap/roblox.pcapng create mode 100644 tests/cfgs/default/result/roblox.pcapng.out diff --git a/doc/protocols.rst b/doc/protocols.rst index 530a426661f..468489acfee 100644 --- a/doc/protocols.rst +++ b/doc/protocols.rst @@ -77,3 +77,16 @@ References: `Main site https://protonvpn.com/` Apache Thrift is a generic data interchange framework that supports a bunch of different languages and platforms. References: `Official site `_ `Github `_. + + +.. _Proto 346: + +`NDPI_PROTOCOL_ROBLOX` +===================== +Roblox is an online game platform and game creation system. + +References: `Main site `_. + +Notes: + +- Since Roblox games use a custom version of the RakNet protocol, some Roblox flows might be classified as RakNet. diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index 7f9bb7c50b9..099127dffee 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -374,6 +374,7 @@ typedef enum { NDPI_PROTOCOL_BITCOIN = 343, NDPI_PROTOCOL_PROTONVPN = 344, NDPI_PROTOCOL_APACHE_THRIFT = 345, + NDPI_PROTOCOL_ROBLOX = 346, #ifdef CUSTOM_NDPI_PROTOCOLS #include "../../../nDPI-custom/custom_ndpi_protocol_ids.h" diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 9c1f353c67c..08ba99ef098 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -862,6 +862,9 @@ struct ndpi_flow_udp_struct { u_int32_t epicgames_stage:1; u_int32_t epicgames_word; + /* NDPI_PROTOCOL_RAKNET */ + u_int32_t raknet_custom:1; + /* NDPI_PROTOCOL_SKYPE */ u_int8_t skype_crc[4]; diff --git a/src/lib/inc_generated/ndpi_asn_roblox.c.inc b/src/lib/inc_generated/ndpi_asn_roblox.c.inc new file mode 100644 index 00000000000..402b65690d7 --- /dev/null +++ b/src/lib/inc_generated/ndpi_asn_roblox.c.inc @@ -0,0 +1,31 @@ +/* + * + * This file is generated automatically and part of nDPI + * + * nDPI is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * nDPI is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with nDPI. If not, see . + * + */ + +/* ****************************************************** */ + + +static ndpi_network ndpi_protocol_roblox_protocol_list[] = { + { 0x678C1C00 /* 103.140.28.0/23 */, 23, NDPI_PROTOCOL_ROBLOX }, + { 0x80740000 /* 128.116.0.0/17 */, 17, NDPI_PROTOCOL_ROBLOX }, + { 0x8DC10300 /* 141.193.3.0/24 */, 24, NDPI_PROTOCOL_ROBLOX }, + { 0xCDC93E00 /* 205.201.62.0/24 */, 24, NDPI_PROTOCOL_ROBLOX }, + { 0xD1CE2800 /* 209.206.40.0/21 */, 21, NDPI_PROTOCOL_ROBLOX }, + /* End */ + { 0x0, 0, 0 } +}; diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index f3731bfbf9f..f6faf72ca75 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -1396,6 +1396,9 @@ static ndpi_protocol_match host_match[] = { "proton.me", "ProtonVPN", NDPI_PROTOCOL_PROTONVPN, NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL }, { "protonvpn.com", "ProtonVPN", NDPI_PROTOCOL_PROTONVPN, NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL }, + { "roblox.com", "Roblox", NDPI_PROTOCOL_ROBLOX, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL }, + { "rbxcdn.com", "Roblox", NDPI_PROTOCOL_ROBLOX, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL }, + /* ADS/tracking/analytic */ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 65257593eaa..83c3b786e98 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -110,6 +110,7 @@ #include "inc_generated/ndpi_asn_hulu.c.inc" #include "inc_generated/ndpi_asn_epicgames.c.inc" #include "inc_generated/ndpi_asn_nvidia.c.inc" +#include "inc_generated/ndpi_asn_roblox.c.inc" /* Third party libraries */ #include "third_party/include/ndpi_patricia.h" @@ -2108,6 +2109,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp "Thrift", NDPI_PROTOCOL_CATEGORY_RPC, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_ROBLOX, + "Roblox", NDPI_PROTOCOL_CATEGORY_GAME, + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); #ifdef CUSTOM_NDPI_PROTOCOLS @@ -2874,6 +2879,7 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_hulu_protocol_list); ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_epicgames_protocol_list); ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_nvidia_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_roblox_protocol_list); } if(prefs & ndpi_track_flow_payload) diff --git a/src/lib/protocols/raknet.c b/src/lib/protocols/raknet.c index d1deaec2243..49db3cc5576 100644 --- a/src/lib/protocols/raknet.c +++ b/src/lib/protocols/raknet.c @@ -46,6 +46,43 @@ static size_t raknet_dissect_ip(struct ndpi_packet_struct * const packet, size_t return (packet->payload[offset] == 0x04 ? 4 : 16); } +static int is_custom_version(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) +{ + struct ndpi_packet_struct *packet = &ndpi_struct->packet; + unsigned char magic[] = { 0x00, 0xFF, 0xFF, 0x00, 0xFE, 0xFE, 0xFE, 0xFE, + 0xFD, 0xFD, 0xFD, 0xFD, 0x12, 0x34, 0x56, 0x78 }; + + if (packet->payload_packet_len >= 1200) /* Full MTU packet */ + { + /* Offset 32 has been found only in the traces; the other ones are present + also in the Raknet heuristic in Wireshark */ + if (memcmp(magic, &packet->payload[1], sizeof(magic)) == 0 || + memcmp(magic, &packet->payload[9], sizeof(magic)) == 0 || + memcmp(magic, &packet->payload[17], sizeof(magic)) == 0 || + memcmp(magic, &packet->payload[32], sizeof(magic)) == 0) + { + return 1; + } + } + return 0; +} + +static void exclude_proto(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) +{ + if (flow->l4.udp.raknet_custom == 1) + { + NDPI_LOG_INFO(ndpi_struct, "found RakNet (custom version)\n"); + /* Classify as Raknet or as Roblox? + This pattern ha been observed with Roblox games but it might be used by + other protocols too. Keep the generic classification, for the time being */ + ndpi_int_raknet_add_connection(ndpi_struct, flow); + } else { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + } +} + /* Reference: https://wiki.vg/Raknet_Protocol */ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) @@ -55,9 +92,23 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, NDPI_LOG_DBG(ndpi_struct, "search RakNet\n"); - if (packet->udp == NULL || packet->payload_packet_len < 7) + /* There are two "versions" of Raknet: + * plaintext one: we need multiple packets for classification and for extracting metadata + * custom/encrypted one: an extension used by Roblox games (and others?). + Only the first pkt is required. + The main issue is that these two versions "overlap", i.e. some plaintext flows might be wrongly + identified as encrypted one (losing their metadata). + Solution: check for the custoom/encrypted version, cache the result and use it only if/when the + standard detection ends. + */ + if (flow->packet_counter == 1) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + flow->l4.udp.raknet_custom = is_custom_version(ndpi_struct, flow); + } + + if (packet->payload_packet_len < 7) + { + exclude_proto(ndpi_struct, flow); return; } @@ -68,7 +119,7 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, case 0x00: /* Connected Ping */ if (packet->payload_packet_len != 8) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + exclude_proto(ndpi_struct, flow); return; } required_packets = 6; @@ -78,7 +129,7 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, case 0x02: /* Unconnected Ping */ if (packet->payload_packet_len != 32) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + exclude_proto(ndpi_struct, flow); return; } required_packets = 6; @@ -87,7 +138,7 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, case 0x03: /* Connected Pong */ if (packet->payload_packet_len != 16) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + exclude_proto(ndpi_struct, flow); return; } required_packets = 6; @@ -97,7 +148,7 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, if (packet->payload_packet_len < 18 || packet->payload[17] > 10 /* maximum supported protocol version */) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + exclude_proto(ndpi_struct, flow); return; } required_packets = 6; @@ -107,7 +158,7 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, if (packet->payload_packet_len != 28 || packet->payload[25] > 0x01 /* connection uses encryption: bool -> 0x00 or 0x01 */) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + exclude_proto(ndpi_struct, flow); return; } @@ -115,7 +166,7 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t mtu_size = ntohs(get_u_int16_t(packet->payload, 26)); if (mtu_size > 1500 /* Max. supported MTU, see: http://www.jenkinssoftware.com/raknet/manual/programmingtips.html */) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + exclude_proto(ndpi_struct, flow); return; } } @@ -128,7 +179,7 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, !((ip_addr_offset == 16 && packet->payload_packet_len == 46) || (ip_addr_offset == 4 && packet->payload_packet_len == 34))) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + exclude_proto(ndpi_struct, flow); return; } @@ -136,7 +187,7 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t mtu_size = ntohs(get_u_int16_t(packet->payload, 20 + ip_addr_offset)); if (mtu_size > 1500 /* Max. supported MTU, see: http://www.jenkinssoftware.com/raknet/manual/programmingtips.html */) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + exclude_proto(ndpi_struct, flow); return; } } @@ -148,7 +199,7 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, !((ip_addr_offset == 16 && packet->payload_packet_len == 47) || (ip_addr_offset == 4 && packet->payload_packet_len == 35))) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + exclude_proto(ndpi_struct, flow); return; } @@ -156,7 +207,7 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t mtu_size = ntohs(get_u_int16_t(packet->payload, 28 + ip_addr_offset)); if (mtu_size > 1500 /* Max. supported MTU, see: http://www.jenkinssoftware.com/raknet/manual/programmingtips.html */) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + exclude_proto(ndpi_struct, flow); return; } } @@ -179,7 +230,7 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, ip_addr_offset += 16; if (ip_addr_offset != packet->payload_packet_len) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + exclude_proto(ndpi_struct, flow); return; } } @@ -207,7 +258,7 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, u_int8_t msg_flags = get_u_int8_t(packet->payload, frame_offset); if ((msg_flags & 0x0F) != 0) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + exclude_proto(ndpi_struct, flow); return; } @@ -215,7 +266,7 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, msg_size /= 8; if (msg_size == 0) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + exclude_proto(ndpi_struct, flow); break; } @@ -245,7 +296,7 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, { ndpi_int_raknet_add_connection(ndpi_struct, flow); } else { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + exclude_proto(ndpi_struct, flow); } return; } @@ -254,7 +305,7 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, case 0x09: /* Connection Request */ if (packet->payload_packet_len != 16) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + exclude_proto(ndpi_struct, flow); return; } required_packets = 6; @@ -268,7 +319,7 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, if (packet->payload_packet_len != 25 || packet->payload[17] > 10) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + exclude_proto(ndpi_struct, flow); return; } break; @@ -276,7 +327,7 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, case 0x1c: /* Unconnected Pong */ if (packet->payload_packet_len < 35) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + exclude_proto(ndpi_struct, flow); return; } @@ -285,7 +336,7 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, if (motd_len == 0 || motd_len + 35 != packet->payload_packet_len) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + exclude_proto(ndpi_struct, flow); return; } } @@ -305,7 +356,7 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, { record_offset += 4; } else { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + exclude_proto(ndpi_struct, flow); return; } } while (++record_index < record_count && @@ -315,7 +366,7 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, { ndpi_int_raknet_add_connection(ndpi_struct, flow); } else { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + exclude_proto(ndpi_struct, flow); } return; } @@ -326,7 +377,7 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, break; default: /* Invalid RakNet packet */ - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + exclude_proto(ndpi_struct, flow); return; } diff --git a/tests/cfgs/default/pcap/roblox.pcapng b/tests/cfgs/default/pcap/roblox.pcapng new file mode 100644 index 0000000000000000000000000000000000000000..0715584ee5f1632caa3db787e489fc6a9219332e GIT binary patch literal 36780 zcmeFZ1yGzx7dAS$ySo!CxVr?0KyY^t?!n#N-GaNjyF;)939bo20|bKnGuhp5H`!0_ zy>;tW-Ky=XGxQ5XKj%Ds`sseV=N)(?B={@<03gp#j}Hd?`Sg2%0N?=RENxxfNjVr< zI2f6qb22|SH?=i&v@`}l0(1cKrjF*O#)kH!H0qX)rcM@yj<0D+*%&z)xkzawEuBeS zf2-RY8oxF)H#H$Obo%YD&slt2j9hG;U09hJnb{ec>D~VLcN0@rCuc(=Yg1aF8vu|` zAb%8p{|Nx1f&)+hZr1M1+(xE`#>_@6T%4u=IN-bBfbT*4Fa84m{G%Oc;LkKD&=mmC z_GE^$wc^z23cLmxYh z{|Lj?{h#$e<^^yDKoiFKS^wvR-G9Y_&;sZJprTwhY{eQZ@gef_!#cBXm>HG0!6%Uv zSC8|N18Ly^1h8Z@%;NP}qc5gXsXY6_=k)@h?WTNpM@dSO6UXe+vsM$pE$q#3o@owX z!Ll>rxanSfR99bZ{|!>0)DK>ey~-6n}St z@HoHtN)Dx~5bfD!{k=V3Pq(M3 z>^ZHhI7tLWUrOiQ!Mu~f!l2<|`09eh@$zLU#=Yd+ZsNr8WVtkIhe2nK9;GSDU$wNd zzq|{>RovvWZH46M4n!-^XHYDlxyBD@paP0%`ru=a0k96TU+*;lN-@BRO&Cp_;jeQI zKyX>wz+_1it!-yb$5xFDJ7i5n37VcIg(&1oXkOA<_Ao=e*;SrV)z&-bW_2_QA&Xn? z8^)Z4UZ)=r1B7o4G*AKIpGmRy$pY&j`x~bMf&@P}ef<-sv@kE;ZRAC;klWK(MzwQi zttqP7YCJd;p0!7Ckx+R1;`}W34dUL{e+b;A$Klq za9C%RD3^!$zC#@WTD4u;D~42Wq}oHBis*F(ZqM;>>`s{LT7-v^+x?M~xSxH}Dzgz; zHSR(q^$_p8dTkoX)0~7eDVB8LS&PPN6>Pk(q(Q5R9&i|YjZi97nN@e?%=!p&58*5N z8;A?$n#oDd{qN+qo5<8`m03*!R|`i)jKA*Rrx)Nr{n3A$K>tAn#GeP#eqT4R4zj=X zUu}#OsQ+F}{M3J0gxXR|7hmd*|h|S@1Nt8w1+Q zlS(kkufytSSoaLfba)*JBuIFWPihR7bO3INBa|=iR4V)8(*C%MhE%^zNT3J>z*K`#S6Y3M)8EN-b<$> z*RW0$c&k!q0_PuW-Nw-RC$(ur#msUt6G*#_6W&OXsvIU7Z_z+!q8Pr_DABNGibD%& zcV@1A8;+)+(v1To2ISwbyySNZ{5M`Ge)wtdlb;NE!*Nqx2N;czyJ!NkQSdXH#hF){ zws8`xv3gaolk*W0h^NBI!hiDeSN%EFJRAjfDgb1E%P)Ry8)1MjG)}^A{p|sn<^k4m z+vzw0d@~>q{OL)j761T;gldEYhlO8EloSK~9t;8kxbXwR0LAuKthSbn@jtNs)(8B+ z%mQ#gdq4R(dq9Hlz&g@A;;h6z1Mx=l&?9GG7yrO=2VsdYE3AU>fLMrsVwr&8fd$mx zr`jG1z*GQ$>~C?gYuo;aEB%+aMuB+8eyD&-${b)EV4#?!pg>pv0H|$HJQm=<7hnNl zh<)l`lmuRb>{kqM9&I}i23F#~#lQtrQt18*g8+nq4FLuY+%yBbhk!`tpGr@>`5Iba zQWh15u)W?@z#VCpippNTxzVkES)UxrSD||Vgh)2;d(Iu zY=CUw)}8=>AHV@%0z3iTZ~+F12i&{^U>Z6(nL3*r+L$sr+8J5fxicEu*#Hm#kPrZ% z!|=czK6n5T@QuX4x8t%o1OE*b_*Xbs3ukA0CKg5(05HUnK^}W2M4Y*fa&@FvjWO5 zP@W-zUVsIZXRn-G-+zJv06_NZxPe+j=Ld}&Gm2lv&GBug^As?b;m(47%QF#X#RgzL z6JP_G^Z=r`LO^_jayr8kU{?uv+fVou2HU5frX#9INiv?qWSAzN9ggxp^9%#H70d|i zAaDpsV88t6mD9VyhLsV4EO6Hm=w(h=+_zVg0_u|uTFc)wjJR!&Z83rHU|=}FSGw4p zOa(7$ak$E&g6{Hq{8=TW700sh{#uhZ8#iUSKxzlUnYi6|+BD-$z_(+sPla*kLsPB~ z7;tF%uOq5!@3|jzmAu@xelXQyjZ`H%Mkr6qO$$=&X`=lcgfejz2&-=_W~7oEBAW17 zX+hGyk}qLtNH0)vu3W3m%7J<4l5liz)p11`r|6LCeP@t1Rh48!5Nt{`g>-N&TCoS& zJ|*P=+pA(0D}hBE^{pWrt90_66j4kK4V)G-s{?cy9Ap#KpwITXW}zZy$m|+}W!En+ z6Q32=;I!pRdJI`&a}CaT=$t_xlr5F5yA_jW^f#~ zSIANB$NWvjxGW>#JmeI^{rMG^A$f#S-)dOk+6t8XTkUjpyxM!vpjgzB+aAc-8T5+vYEcjE^CjE(Ym+mr6fu*OvB&{#d5|z2dxeJJ)Hlt4Td? z6A4lG!;Q_OlJSIiL7USn&7iTXLiDQ>Qd?zfBQB^$jL3U$n5tQJE-&K44@2FsbYMva z_b+V~7$)sf)>BMl@l#K>OFG~1`RS#|D*HSE|IgMxk~vAm#zndUX1BBJ$8AbnJl zpU5n!3p#nKwDobICC*+kS%ZUp{swWZ{hDElGPpsG5DEJ0teeD8-7|sg3sD_omlIT* z^|17rNqlw)EU%97_Z`gQ2l-!w=suR@Rg!Vee<1JTS(DFtBl4MQSMNx^lh&?pi@7k< z>^@4aJ|B`NOuoLGIjCw$@X}MicpBkG(U-a|{XPxMz|C3Hm(naVbpkGrICn6`9{>Z- zxFD<>9tr)Jo?&LZXC3gRbGaAq5Z=gaw7;o#Xtqarch4A$QtS)*z51M&bQ+iGF3@Cf%nZ`Nlzc*lgW=XvM z)z$KQQ)b4>`pLtj*ppPX?cQ??E_5}>{w|!oXxp!OBa3;JRv~TTpBYCIFkCz~V62IwoBxR0YwHUIe z?|z1!4j)BbamzV&=oLYxnjPd8gHFiIpuQXVakWl>z`X{Za`JB7f$3cUaue86Jt-pu zypxQ>SPRd_a<*VA8A@-z0fShZdV`-^7E2|!)Y*xX4c381Lg^k6H%Wmiu?4W(Lv2cItxuzuP z{pu?{8YYuZtxzEf&uN_Q!75NCYSCZ0^o_)9gV_ZsZR2d@+Q zCy5mE5oRlhjeQ5+VR}EYVck+Ta-)eJ$qiRb+3fcfR+Z*fB_i$d(K*z#8{69-jOpuG z7%_-gLWS9*TSqLQ;mzhmGnw7a zaJ@=cC$DgaQGGt(`-pleTS7wKlUO8oFIbdTkdDNU^KRjjJs;qQ$vwX4+e6uP@0EH{ z(TRbSLiQvz6>HpbLFCP|^<6jZx_7-hi0bxaqQvE3F32o@OyJY{vQnd^?uP7Zh?}D3 z?-6L@G$+TUN1=pSI0+x2=92qfhF!9!GFiWUacF4D?OsW6wez+dhazQ{gt*!T@eKX_ zih~H$=d&zv0h6tKbr1RFFEC{ZY{<+UnSEcMg66pPVXpaZ%M;u!GZ`X}uwM9G=?iFtH}+G7$7EaFVO=cF`LkD_m5YK zw`7&hJbE6{4FT=YYqnAGLhAApivbI>XsAcE922(g3aMOI@9HX?A}&izUfi**pX0st zu)@jXX_>?(M@@kKKz6~mCy|t{lnq_G*t&caWqV|eCfZ`q*FpalAG%)$Fbz zhR%9)3e6akZNDI1+MK&_TdO_dT4)k69`L!CDdE~VD{)MSR)`ZwB8jb~ts1xP_FT4S zq@INPF{`{isYf_j)P`}K_A{Gxj2zQb^Tygewd!SF*ds$>xDSuWD;{N7wt>@0!N|&a zdk7TSLzfhEEJ=(PUmTi5u8GDFMf_S{2-#shu*1jh^kKg&M!ZC%hSJ*!q%@wK@k=N* z-6_5E$Mi(twNuL%JouoxGdAcES7cf~TISl;K`k>eY5FK4=e~(#Bj?53-j$~9KsZ9d zHr(wPhP{m%XBIi^`?(Xp+3oZqoqwvba%HhFI!9E21(JRR?2l@)y#-6ZR~{59O^cUN2W%$CrW?ikeM z@a)%yA3Bxd-BR=VD(os*$PW|8pTCY-7`$DNT#v`N0zmkdA*g<@Yl-W3C8&DfYj-7! zQCZp1OdIPkYR$>bB3?JM;5L9{`eD4s}l8*g1XL-QHe3X%vND2H*XnL-Ht~K z;c`;|W9TL3?mFu*+~+44h_76w^-uu`tZ7&#X_JX|rLGgNcHh0r2GVt5DH3aW~wvkayREKr>2cF zVtg9ju&ITMWh$*<8?h8)EHc<6x2S+r2q@$nQyrbop+!%<_qUZKD;-KvNZJIG)p4D| zPM3iQ2rxR{Y@N=*|E3wpUw)@MeM zlRYrL_5Bt0%eG>6908v(^Ik#98nUntZj!WF+{v@zlS5^;Izny1#fHsupSk_iL5gx>*JG;NMT{^OY;^&L&wCI=@F7U|pd-=+lx>?wS z|H&&mZ!Gh#I9E(xRMq_XHkKvx<5weW`sNZQ0|6b-Uv)bLS@)sbHlVi3l(7tRGn%U+1N8) zY7j-y+a2r`m>w1gZWZ!x#cvUPW14-wA+_c7*5Mh+oY%Pd!4qPSdY{1>13_bV)!9sv z{`dS%yibPTwPsVN%khvORZCS19%Y#M2&cOxWCOW%xRYA#2TGSBRvdQ*I-HMnY0 z4D_ZIA~XM(V23?T#JW(9wlz-FPV|`=eRR}R0)T2w=A50L7B7CCQ;>-YTO?(~lH#Om z75Ao*O{%SruG)~uZC_q(Iw0Qdt3$mF@oJ>i*2PLC1MH*5^g%K1rHMUc*TZru?O;i}J;aX!>Wz|gV z^>J=R3=+Vm98*}(ZJq)Jq}N6};I%@_k&mWvY#zLc6<*@7RDDu5yC^XZLW>PUpvt-Y zR;(DDz*U>L~IopLMCFZkMw*+2)pH-sMiDXbL+|KJ99nHTV4S z^RU28l{97km1)_xdzMFyJgXOL1^gXmN1U4-=-i{O#77g8b{YcOTy1XLMvXA}hPcc< zn~Yi=ABYP9>a#U#p+M}A7qwrI3pVQt%i%WeHk)iH7V;pUSgFbGDya&^n#CS57RLmQjZ4$2H#?hlp{t$|G(Kk>krkj>6rQ3{9DkAZsrHzx{7;AckElYHM2t{*D(9IO)4N;VSo+=5QqTT; z`k>s7)uxCOEKH3_-#M~%g}}+$jbqGT5`mX__2d@^%u6qm5F*wp30Han3b4FX87x?`2H?x)oZY$cV!ny ziPE|o`B*DT=lr{-xP7-CZKcev8uQr*6cO zXYXke5YvuUC260G$WuRm#H{6L;bHGIsI7Zz*zy7#poGW_tE~83_!H`^_1o}`LQ!lQ z7}LSFwlzm>!>*TDEwK9~YRC<-omG6KUCpv7I6C{>i}@-~V~EYVW_=mjZx}}h1=8K| zvAHryh;M2L*Y9!DD99VtKCIarR%4MDMjustJrhDHAdh=`wqv6zRwujAIn>Vj#gvM; z#mm4=*Ze6b73*yD20(^HGdy6>gLa?GR1H3#HW3RsTuR8p`$vkX{zEI~}m z_WlrGtsYx?@|$m5viuz%x@KX7rPU%*2iiKn&l9ip-$e4dsYz~Szr@cmvU`^oXWVdC zbrvFL;=?Cvppr4ofGT|+DzQsJmwT#r?edRzbg|lu#UZ==#}t zo8346h8>j%lBrK;T@F3N(MVNS&{BtTB^{z*RmB~{5}&glc+ED34@F$8M3CuwJE&sov@hMl4yg2&Geza@uR;j=lmA>FS3>-`J~ox} zc^?kE2HCIcV+c=lVbEM);rH`gp!u)85{J(}&jonwr`0jLavza#rVeY-(J9YVo^F{$ z^V}~rvl`jDHNM-Nrp3N$U8(V>tU+K#yBq9l*(2PK<&!1W2p`oOp+Bx!<9X*k*IB&w z%5%2EQD=d`RH|Vs2nV+ig;{@b(=XKzo}d+c(%q=~D#Dj$bn|7Yrr-KVdWe#7fj9L) ze5Ls#;X$rAe+UbmivdQggBAZa^3$1DT7p26{PK}o!Po3-_cJE(Ehz{(XyXTyPw~Rf zSM&~WRGbbsU}qG!x}Ypb2Sw9(_Z3sn6K%FT7Nhc2%sWSneXT#z*BJ7a;6ufEQW4*? zCla3UqUm{#6_Hk-YnSlN_O!e<&)>djD~)~^P%`W4 z!!Y$U_jrXPQMT1=H@(@YiTyfD@L1m=StsGCYtQuhx%p%7?@B4}t8n0q^3dY9# z16&d8UaXOGcYJgj=FQcztDQ04@R7$SB{8&+mt9iN==Hs%l;*m-ia#9AxdvxXXLB{k z3s((G7xnS@Eb3nZG^))Q#)EXrlhpbQuIE2*j*gDTRaHFt<@r<{y`{UMhtbN)1+xl9 z3}G8-qqOn_9yx&FDbr#ktTPe8&?80>xy|tBs=i%~ z3T4$kY%Xb`&N&^?79YfPN|wg?HPanl#h%CuBB$#$iWiuQt@K)G@iH*TH8JwZe?Pve zkkN&{dKtPmE_5QmJcBjP=OM^Z*BXU>)v73am{jWHeJ}`XSA%psA0~ro6L)@ahk0R^bWczKe!o)T zO-@1FXeKyD$CuuhNQ?f-lf0o2jY5ERkxLa}|G6x~R&apIVxj^F6$Qrpv5k%GUwjjjLd&sP0)?Co}4F?l>XZoX)&~v1MJqn88 z$&(;R9VflqaWceL^qS0}2lc(La!fGqYT>EGDxqGCNUWheqhY524o}b+1+CjaXR4qA zI^#0>qV!P|SO?j!XQ=>oZTlbRwW&X!r8-Z=SxF}W&$#Lce199Oz%^S2=$z}%^V+{+ zREe7XHw=d#7%6|pP~Zn*v|#F*etAg=lmfFJkx9U~Wr0sJr!h@)ToBjWA$f5UM8f$_`PHmE;z zR)H9!uz$w!_GgSjAQq^A`W(L%emwwK2if2H+*#Y@2Zqw$;{amd0!9~@{uM_t2;b9w31gU;+6U9EH9v3cLo{uRcPuYrBGc#EAddM;D|YJOF(ZZu{9s;IM%X zj)JRQ;T1?Cg#Hv!qLU^tZF8e#jw`km2+%s{cMl>C^iGml1c!}?z{+JvCaSYXA)W1J z&3y)L&~OAe30BzKr?ko?_FC>q z*p^OWX;}u8;CS+T+rEY6I?1|Cblu)fHc!6L>&&A7OwQ5JzOmCmKqLjfl z_km!G8;Y{-G8n0sUx0TDm=MZD?_-}xo$pFFdvL2;t?W)+<)U6V`9&Jel5ZAm=SHi@ znF`S)A?nvCoT%CD>y_mWDwJ*~w+TngxEEjS+2f3Yr&Bk=-5>V%7cCqkI#Z0hk zuU_kQ)^ppnwL#In#PYn`*PpxKRGqwAFyy>0(QM1^KaG+ME%BcU3#?S9OBOtiG;XpH`O+2< zpN1@w@ADugQ1fscO;PkD9#M&JYElq?a(D^teafxfT_SVNg=JClndd@@egPTV2FW{r z%cwWX#=VtvAiS@9Kl_Bk=UEeF-NUzz1_d~HMH#xAjanKGQZCwp5Q0={{8Gx#ftVu3 z5FH%E)K<+(og$Vceg0%RR$aOH4=*K|tIg}w0#eoT9Jgj{JwsQjg3Q)}c&ZVEv8cl4 zbDAolbqO?#v!1;eNB*!A)|TuP-OeR^4@X_)T>w9@(W*^H04}ef6`j}}wk>GjT%c!W zZl~dxMZ+#^beqFJ^tjy7tR0w71)0%T<0J%T6JV`_QLYVlHzTjSFn-w20`-NCd9;>D z;mchJ`u*cf7i6f?t*CU0FEX+{Z_P;*N#VYEfo^;^9&B>H0I5MRG#h{2ATB`f>8DMvNvO`s35Q^}u+5pMWs|>Ig_+O2=3D4gj6G zEch;U*72FcVo{L;a+E%Khs6;Z-(61;(h{zum#oY+`nPoDU)%6Xx5-zA@rv=6!A`f> zy;W$V@c@fimQCjsj`FMTiGcbN{;BGyteJ?9f267wJ1QgSSxkp9f4w;!0PTR2CHD1z^o67|H9Q_Bc$m$bzrgy}9fz9_9XI2Os|hoQl1z zqau^Of{eawRw4wLpqkVtu?hk8gVU1Q)F^K~!#eEPaqD(>90w^@PCW&RFcamf5iBLt zUIntenb{ZAafqYeCA9?;sJMHbipor3EVEvFl#VoG7>MZ$VRCoTyn&OPCUV%cF_69} zg4OH(rB8a)gLb=k^QyaQ znfaH8qFnFeDjO=k(j~dn^_@M{RxobtPYiBtly*AQwcv815hti&Y#-P9t8{)7FDwp+ zNUXas9WS+(^Vg>*Ck;7xgr5(7J}en*yl5{gs51oUak0a_?0qhj%bx0{k|RweSvk^K zZ5k=c2sh-l^3fwBbmK;~o2PxpMb|K+MXyGW#n~K8z>R9S&iuVjR2@WPr=6l*{1gk= zu;KlP=8mbd<%tIiH$Umy7!L*$svtQT6B=111gGwbJunI^p!t-IvU%eb@ET;l-jjiep^Jd-$*fv_z9-XJz3p^C z0?zqxQy0I@ry|U+1cB?YV$dQT{s!}S3D(X|W(>?=b0){LlG8pX42rVL2<`4hR#5O5yX51oZtl$4@<)6q10$`{ah(+)76 zZ#H__qSA83W;<24HsnN^NJRk8m)~;U>{q`WEtZc|H^cG6Vj3ANd%qY@GyjPkYI72XruKF}Ka^8ItnjdQVLvz4Q6zE!Y1;qSp< z3LCmBFnsa)QUXvTKCASRAua8A0WY?@*&;HwfEj%^C)5C*$l$j$>E|{^=1XGWY&yU$3eFu$$y=PRBLz zrYoCK+Yi&x9NVJ?7`9b=0Yh&R0BueXgF9`16P#>6B03Up{H@WLF(9k%z+D?WWx{8A ze%$kP0gDDsK?lt3v!BKJ+eO(=Y9GO|ri8`iKUP4{*9R~fgd61giIabS%yKU8p4@TJ zx8WGJ8cFRL4L&}9^%u@ffOSv-<+(*&--al#4zgeK9Ken)2IBnn;Ln`v-QIS3rUKW` za8LUG;#>%n=l_0EFfy9It0w|B9pR_wfo2Hy$sI>WU2Z z^d(nxw%NAaighjW%v52$7)i1L>seaD*wsKit8t2Lu9yq7i078f9p()>MxaGR&HLs> z8Y5i8h4_Vt+FcynFaoSc%1JwHW9NLMRQrlEk9Gdj7I!>h=HOp8EtDX+MX6QXh zcUwSM27YxZC7`^`qV_xJB3=a}ee1Bs6mBT~oXZHVvL#ZDaCBI<&#vvX6&T;M! z3@@?&`y9TTo^tpjzJHS=9zSv<`rqUT2`ER(fD!$+|KYR)>ccBYwfIiL){!^}_^m_^008BP55_M!LJE8{KoJrE&@l$pK<$CX&|ljv+O_un zqusyp_M=^4XeW$cd`|_n25R?1I;i&V+7%cKDfoY@-9Nt1gc{BqCw;T&?ms`z4&p%= zt)t>Me;LT?y=TLrRNkKh7jh(EXkc%_8D;&V-;Nz>B~#6}K2(82!@~jMX2bvax)V@0 z{!{*8;2#G5Vc>r<@W=D)f9Ucvpe`r5$bkQ6T@DTbDl?iZ)z7-Dp!+{``9FLONn*r% zYPh;`_-U1GkIU!-%*eRFs{+Pds(TeqRc1sbYFILk6dP7t7A9w8vpdKSnH!hTD1!+L zWDZmF4>%KVRXF%P2=0__zW96-$=cau4ezk5Kv!fM1@E-^woS<;lW7tX)rm8x8?m47 z?mW-qnG&4_bu&A@9gHSIZi>`<-aq%=BXD19dv}+a@vGhNt)dpQu?LQmp4)o`)N9X{dQajT-*7_>NsN;F!0g z=L*uy$*HqI4C-YB6m4tfsW6vyoq7j(==-7-nshTlteTK?rLV_D_T9?Q?s=6@9J?7v z%(P;8H)PyC5vti@EvsV-?cg+EsPHqFLaz#dA_lq*ia!oi2NqEL(EvI)8(>r|^;+JhE{~z%~tn>}~Jv3BHw!-bU(jqHV=Be8rLz{bLyH=@D;1x9kE&pHru?bO-8UeAa7pGx6itw>| zhU3*^!D>4}6>M)O2pi-B?(ffHfP64!XM_6&2>^iXS05lh1q1InfoqAlzj6Y(RG9rg zI2kVSSKo9+uP=mv3yryiDLcy^0q(<8Yd~ZyeTyF`V$tn@Aq%5`19(ph^r^Hs8{bMsJ(G+ zj6-n8kv(ynFO5s|*ItP~&ciS&cAE^5L`TQt_W31j9bL=Sn4shMT}3R_myCam5`;9} zUb8P}i#H`(#Z0;jT$+F?8Ai0eUV&L*dBI@q7>yl0sP@WbL2|C=TZ(%b_cNWWK+9TH zYlo~k=>0XE!~$U{56z@g3}c*|t@9e^ZyfCW`NZJ&=-=TsvmI@1ff4FBpPwh7eAJa1sY13jHnAh>Neya;s3l(1rbE{KD1sBE z0a8{Q-M0xFP~y~Mey@|@yXz)y{2CD%sXi0)$xgUUF6?~STW0)o%aa$`u>C1<0S4C5 zY3O{%-E1elbU;`#BIKZ&3^K=uCC3JxwH`wuSm>;(lO9%}NkxHE>f5a?{UMlJo0JwXHk8)K|elDW2(#>z*p zts*(zNRO#=@;=OP%xIG=p)1c!lLPHwFsw)y^7WdICS59H1ts5T9t9DXI(5*Dt}~&; zqsJZhLtV83R~muJg8J~ugRA^OFl|P;=9?|x5iF4=CvAWN^NX)p>gB$U{Y#{=iln(| zRSrg|xH=`_)EdDARuD=hdb2i!8o9WnU$D47OQ`E+SCbKM!@WftsqG%_&zTz33ArJ@ zeB14b2Zyu3b=hR$n0ji>71XC59rKz;t?9$PV729|*{&=EyHu#z`&T(gd)cX-gI3z@ z!EW(GL}Naqug;NT99Azv-m3RH+DG-djm!)|dbG7A(A3_6_{OD1FD~M%Q z0{kQyt+2Y#eZIVew~|ryB5c_ub-IyIh1rnR(HoPBOtbKtYiQNWIpBqjuB|&^Z1Mra zUSQNv%_|B^3HwOl5&orc{nfcQVh=cp^LPC)kP@&Qu+U(i--f{ z-aJm&0|XIQqDYij>ja5ZNJ9+AT*BuiuxXQsFCHGR+ad=Dd<2HxF-2p%WB;t^&DJ*3 zTYTbE6r##1=*v0DWzF42sttczFP)F^Ud7UgB-T3?#;&I=yhTQ(DvbywnavdyAnK6e z%7xV*hCx5kHZ;c8xnenvVOhpvjpnOznGSr;RY+j?-iMY&dWK{H=1UlXiS>q0PBW*b z_iKmT_|MuA?;NCQ5&5DaFBL*42O5~gs;xRa+&|Chm&~a7gCpPJjY&MOzn8$-FoDqcYGug2`A6UTY&?^mYV$Kd1ZQo$Im4%|+1hxlC^;Bf=LKs827qohb!-m^??4 z<8;k!N11ZPAXWt~{NCdeP%l$OWHdeJSmgnz1LpaHq+N~S;PtsuC=~PJ$UFOpr?rPR#cNC#M6;g3#vhGos1g5s7y0;!Z;q#!@QYZ zmGa3g=fYLuhIL>C4=)M3@%I_HA8}#J{HQ*QO^AjJW&FX7@%u>0p4Rn)|AGWFJMo;w zAOlYKXTsy#gAuZa9I*g<>tTygDGzy^--9uP|)+lP`Vs5&$KOg2lqA z?e3n0^STCc4c^qoXBpM6%&=3P`Ne#0QraW8Ks-@Q`7N(ChtN0Pqcf+iU-m0p3lhU-cVy1_C@rxl4qi{oC-$l~eSE~( z%lhc3a$Z_ByllEh=VzZ1qWsowdY)f+WdQk<+piNFj4m$k00}095+!9O)tk`ggywQb z-6Q9HV!z6^pA-@+PFDGiV_ypF2%La_-%?|p=klAeI=-8N8;I%&eSS|9w(N& znNPjkU-#gZ!^_Bq%Nm5^F(~#zICNU zqgjXazxNOR7Po}(K&0g!%vOFY@9a6mkeW5f@z$wP;`ZKgl1ct(TFhl?V_|xAK-Wcs zA++!8`M{P;Z$7-|q_P@>g4$`x8#-t{8E`q+3x@l%3U__ucx`b_=8EYeKf#tvYqL67N zRs4yKhDNtFEHQA6`jrfy!IiR^TqFYk?6SF!C{gS3D-TO)0o|u2E!(`t@IDaeOwBrnD$DEFX$U zx~^RvIa%fY&{yh}H7s}ule`2oiyalB*JM=K;h8^*tDzHq`L+0SFi&O5PFB9Pr}}C@ z3BXXM-9&(Q=$jAxm)h$XPA-xRf$J(xxlQZH)=G|dfL1eJ2TbUL{eX%3&avTm@K@$O zW192+ABTjlnMrxa9dL>8!uIZbVhDm0s0;uq)~oi8DhLIB+}od}$JbX%)V|gP0yJMT zX}DdBWpo$Jxoll(+o}r&$eX`>=JL(I^%>NB4)80+esKEh+(yRXi}1(X_Uri;lp+f7 zyVF?EI@J7}8OT8V&W6`}L-DJhLxm*F)}^cnt1zEt5|dym&h9NgKN9+A&SSS#Sy0$_ zinz#zy)VY=g3ov87S$1|l8Rhwa(Lia$bLw_u3u7?wIkcgBNQcu1~Y+R?+5dZeqhx0 zg%$d#AJnRKsd^HEn)5%h+)mTIijG+@UA!(|z6IqVvORKx_yX<%y3^7f7fD}6R`IEyg?j!H;& zfoqaZrgCu;-{w-L*|_CAxh+HF+C|;7ryE9%P5U1@Bzb3?ZU&rC;T9)~me*4*hYb8- z>dB#vNx%}u?0bk=E5&9^@+)3rltKr4a%ALGp|_*pYVWE#gd}G4w%aerh%tV0q>2mI z6Hi+xKPkCH3{XD`W1dq;prbf@DOUDEF}2d+J5M9gkg^4eTfX!xX^7Fy($<5!ECldF zz=dSmwXvCmE~x1;1=;q#WeG{oLK<2d=e-Fht+xqxcKjBcg|ug_jno@W+0lj3a=}L^ zA(*B%>|3nb4KWNNC8NSE*pKv(zS>UEGPJT+q?>2R#pK<6b8!F60M?wjJ}VT^^qPro z|1HvvP%t6zGa2Jb1FU!xkNuBpx)LOC>Ii~Y2WU42MFLD_DAt~c#X_SO+d*E#ibw6` zx!Xa_mwXpp{4ptW7xOY{Rc#Rt32IMXEF;Jd&E9uvscq%&F6kI@?qqljlLm_|>XIWu z^>`)53Sm3Co0{1mz>(33B>HPZ&*Wz#9m^m&QplOy!SUkgX^{}KE`zS!Hl0b2rDjF< zf|k`uv~+o^T<=kR3mOkYMqhrDVqPdVD3I>Q-T;fI7(`WJ^2cKRU;(=-jc8Y@l*g03 z+{SNO@Hm(11@Tp`*nU=zC51S|ple?`-zk>e!(AF7aUwcM_R5xtCWpECEBEuRS;CBm z2VZLxVeW)&ujsa~hjMc`EkP`ip2rBGT>% zqaZy=F$J_nhR65n=DwVy!jrfu8A51hc*5TbTfq6zI1Sdetq3-n%3I`1jk}_ZDDN+e z+wJ`^IljDVCQB+0HMOHGGGse|u?dJwrqf^ZZOPslz}N*>F}v1&REF|l2&JLXs>AcW1Wb721{TP`o((9;c1a`kaqj!Aq1wsd`N5^H3-xpb# zL`67AD&8`;2>mfY>r{xaXJ=30o|FJ@MquY9!?tDh-qsLBA<}e~x$Ph%Hn`8c0w$)F z*zAMGxa51zcN~nqlxmI-|EImP4vM;K|1jMl9TL)AOLs3NNOv~~ONY`8QWDY~($d`^ z(xsFV3kuSmQvO)q*Z0xq86W5Ozh~ymEVH|_*Y}>C`#O8hhuu)Hi`i*t6vh>Lplz-w z$wsGwz_Qv`u8w=hGA%|0U(lodL|` zNX9p}?fmFAD35ZP-?;6J&*Y0=4G>nT<7mV)gtrjrq(R|-gt+3)rz*Q0mdUj^lr2+r ziYGd;ENy07zV#(j#jEn|7H&k7c*;i{WPQ-;J6E$q+%-jAwJE69;>O`SHV8As9pQHq zG9X^IOdCVDy1NaT|6tb%$%L@~Z4XU)Bkecr&~7${pJ)5ez@9p-1|S(2quA%qGrMiw zG`aZUmEL`O{l9aJ=XYWJ3&&ly{Emab zg|dXQ^;b1yJJ$bk{P;PMQ>P2_UtAjV&86HwyVUXuzRcN#wUTdSHq1Aypy&wwmBd2* zxXQ|H>yvx1>TQ$Gu+-98VIrt~!tY732zWVQNa)AVc_Lh>rUiVB_RjqtDJutpS<_nu zhpw#o1GJ_(IzrUGg!|W^q1{J=-UJ5B)nPF4q5zVr*(mg(tFUvdZXSuMf4~@PDSiBM zpyd_*BR?0iv4`jK?a3-wdgy09n~J1|@1DOx7N^eeHevM4P9fl9NoBrt7%y0&jWy_* zc_l4JA9nEO+L;a~eaOdYTR_qD&9e(iVXb$SWoPTSQdL;G(~5GbHJMTb4_ENDPd7Qq zLO+|%N%>kQbMbc`aoZH=iYyWI1mNPZ(9^^t8zO}4u0^CZYk*U6tC_H|`Gf=N!>_A$ zT9Al)P~+zlUX*&9?P=!fvSefT@dZ_(5ndwu6ci&yfKQpK1ZoUuZQID5lvC{H2Pql1 z$uOA2%x?VN+k7^JzDj(efjiQrLMoG1Nk$9WN{CD{4H>={URrWOc3>R<)%JEp4bhPl z&n4}NFrvxigT4!x_(K<-PF~9u{H{R$4!-4RCVAuBbdtb^vKEANBAXU|a3q1{O96b? zVk4EBE8>;F#cAtvtxl&0`N}S-BouulXYERKr0eJ&Q!I~IJ>m0M`e`ztuUW59 zv-*Q`Yf>6F3zJO480Gt?_rg@Kq%Ej%6Lm3^jTRN4Q#mpo%w-!lXCzaNz*e1{Tup8m z9Ux{oabIFirCQ@w)x3XtC&{Vd0Wp7P4pQWB^~wZufk{lHt0*qe$=G~){cRJ|E0P2W zU6l>ito$19Crat0IN~F_7fV2#f|pXNioit=TkAPetNM72O`&#LDdIx`8JlD!cD6SH zoe!RQv8Rij4iM64G>tdgRRW-`4>&p3@%&6B;I^JHz!iF1u3ENp{1fGhnu!D zlIzdlqr*2Q7P2;7>OaJRb>N(wYTwK^S)r=)YmK5P*<*^#B+w$Q;2i>zWu^|%6Us?z&P$Q{J#{@%E3 z{e*R>Mx~Qq^hrNHgH306f|T~q068OpX~OSP#drdPUVEKt2BqR*V0bapC#a8Js<*zy z7PCqiU2hvdHLFRl*o8S(;CgewxxiR65msN=p4=y9RAz^+%C0)GoKrH@d7hFQEz8=E z+Wb`o0K@x!qlpC3g3UzFhKGi0l!q+S+?T#FC=%`|`(>nEU(5M)@_LRhrgYXvcDbip zP-2aF>96Q&ud({THq*KHdB-*t`4CYvS*^u)v7Ij8h4;QCBHPFFHS7ZUR6T68%RGuO zd8j2TT{%aAE#p$hF^b((P?{h1#XPOpD^CfClijDRhu0Y~LqBrl&Du+$Iggk-$ziT| zU+AKAFZjjHYkNC|(o_A{@50VrEWrmb0YD&l=`N|R8`9AZ8iE~m+kFRXTCE|Z%4uvr zDhAE~P*;Ahmvi%{uCJTz6}UJd(SN!0M;{gVQeyp!2eQ9;;Qr4Z2+IGB2iWY=-Nid+ zi(2yEry7A?G7?qKBfdTLBD3mR%4_fVp9g;AAngkHH;&wI97I2JygU012X8!bxOZQT zr~GK0u`wtjeEF4(GuDk*y^#vyAdmY0IPOB5-v-3b98|$ru6KVy=0E&w8It#n1NA2k z)j9aza1c9VIxseW_=+0+W%NUZzxgtJ2y^Ua(auK`(Bpeya~9BG@C8P09+EX^9l`=} z_4mAr9;Ow+g9=TSU*}csi0)kdSB|j0Y+w&wU18-vOwbW>mpFuK##@9GH6MKOd{ZFj zq6n}9dw+6-cUAr~{#4*k1^!gv_Z9e_SNX9oOAa!!{<<$ae1Nzja`L+?{?nH)J$}=d ze~}|xp}~5h_k@}vs7|ZYIMy%&$f$DR+u>&`ks7@N(- zXaxa`Pp@#&kYN~4XBLY}-*i@VKr1d>iI;(9EANbu0|kTY$cjLHggvZEvl{y0t0&O~ z>h@BrIa_2OU|xDbp?~gz(d;l{)4+XYm$TT6W@NX@Tql(|t;`_K>DIGw+KSMJ#64>y z)bZ$@u0adok2ykq%GoZ!Vk!r);uhi4rWWGwtNZ5>e=6{&0)Hy-|F6LJzMS*lr$W}t zanj6yU*`xN<{^FgdH;`n8OorR^uKF(d4zju_f-XZqwP9IrbgQ_zOR?3pA8Y2gOef< z+i+i=NIorIA{1WmkwLWF%i6OVN4cdmvC@^+07)VXHjGUys`F0P zIYJ0uV(*ghuXBVBpT6;#{KVG^#q=9Kq!|I}wr0C>U%@$emNsRDaV(tcepkx($Gd1T zs$2bH;*{xA!%`s;-sWkK4Re$eT1l zvpg?#Y}tPuH)opZA;V_n<>QE*BQX zbkZZ6cheL}us78L`JphG*YLG|=qC1jM)kR6`3~prIYJ0eITE9Y`Q3ex`H#OA+S6 z>;Y7`3p6_xlh%sv2)VoOW^c0GcB4(n(^ZHp62%(YnpBn-bH!(4992FW@$0f~6kK2M` zK3t`?_pVFNMC0UFq|rXUzih@3PyVTZ*K6C;{y7ljSXC@(S)YZ6>ll6&uyL5oM_^r6 zlfmIvYl%uZ-5M8+*`Y2QJ;=^JBiKp6I;7&uknBbn^{AFAvc6bc~0sv8p)Ry+Ib&5!>V`H@u;UI3?Lj@4J#DAoX&ac-vqZpnw{zosmQUl`|mIy)E1N2b&RT5 z#KpbVhH7nYBVUf1p3z?IQ_QxV6@F&4&%c$TU$(JCVBF3MpU&Zmn2w#`F}qinevhe& z3{^!DlNN&_ug1z@=D{K$q+0*A)Ki&$L%~Kh|K`Ry#=U^i z8$5h3sp6uJz-k8%XqPy7yZfG=&_GaT0^eyiE0Fj3#b4QEMZ*{I}YUrv4nPW)nbss0-OQRYPXmQQ7^S=QW0^d)^nr8dpd=Ikt5 zF&lvr@oiUn9JUUqb2i>W7t>~;B#kA5*A7?!>4%WM`2Bnc(ia7~u0+0{5BjIO8}9H;%<`o7hhU}%PC>Q|zZaSu!udqeOHelK+vqzB=p5!+F!VQalTmI_<011%rcHQ~49ZL5S97A33(V+<_BvdDSer3A9DmBcp7&`Jnh;oFsCLllK${xU9Q2S+!#?cmn&p_8qb?WRD#@c!(k2cYyE3az)y zwdD&qwOgVAqTb5SU|#n`D7kMJ`=6vcT}Pa{C>JnLDlgZik!ot4nADvN=y{K|<`?bp z!j#m=bH$Xi8uXAQM9rz>Abw~T{q&|I5unxP{+6(TUqIgS$^_qnS&BUYC|FpbPC-(d{MKkZ{3CnLW3V3UiTvJbWt1@2uBW zpLn3Pwk&8mYwjzVS`*jYiKM_9ozvS<@rr5fcwYR=32}MF4LOtFG89P{*IPnSBMHY_ z-WfUeC}jtXsxPcw2w$GIZV-5kBqDOTD|YTmq(`GNEKhrNoE~|;-CF;TYXL)5@1c;G z2B&gRQc3ZrnKT;7o!S z{vcLM>A93v9}l0M>6dt!3AW%TfkHaqeTD z)anuDuJ0eXbdsY4&@Vh$5Z`<-n~;o3X%n;Z5cYagMnX}O$r?}|k+-FgU!*{{Y}nJ0 z50n6jJ-{i?kW^#muR1V@h_W*3?7+>LR~Ih2w(Z@Z0}o$5U>+Z)L-Gm&*cqlPmeZ0$ zQ>~PYj0hKS5`Xl|-mvkvE}WuPBGWeU(Cm~~KD)m)Q1In-oNV%$L900tLY4=o(y)8* zl(2nVX1PpQ{??=;OyLAxp!ZaA4KGusm8B-~_EZLm$iE;qHjF!bt zM6c%sJH4`A9!HZBL~3LoE)_I9poJMCNongVNJzRhu1S3?y(aC_B{AC~Zc$RHN-yWc zQ+VYATNhWsW3X*v54TH|mU;r>Bol#|(I$ zeP(3LkF&m^5N`Y<8O*8tsk#Dz!quf7akNF)+rOw+*W3q5xo`0ZeRxD=rKajZ5+m#5v)tSnWRi3<4X zr>iS33#)Q)iEUU?%CW51OKR@dM#DrOl?~4V8J2zb@sOxbkhf-yuLjniI0vN#^6BB{;Ftoz=mcu+5c2Dio0WE4Y*5!<@8uk48Y*MO( zn_?4q0X=9ZqBGehhuMvT3_rBXPk{~KxZ6;ljyX6cMn;WG@x^D~W8WN#*kqPWAlPZr zd_z9B=0uys6M?vIhoI2t2^lVM!F7ln{bX^K7lT5kCI&u5C#~@E(8QY<7mboCeOZG` z2?eN52`woI06OA$y~x}nK?#nc=wMG?=yUV79HwRKaI}ziW{XkM(Di{254c?N&8I9j zOkKlvDysEJFTxk$yT=@Uf49i80Tm5lkW)vUh;A)?NDuGv=ZELbj=(XDf$|0~a=Ax? zmXyztjTK~J2WT`|8c>73`m3k0kvGk5v#@OiKYhS^l}eA`*mUViMfYrx7Vaf`0Pb^K zOq=%j;Oq6yK^0e`y#16>43$OaRtMbP+zEN!ID|LX9Iqe1$*a96@Cd*eG!#{HM~xfi z(+V-Kc&t3l;41z|0XU%@6B;O>nKv)$)mm+^MQJm_RN+3nB?smW$}Gp&pYPdDs{ddj zY@97*sn7zyxv$C5X2PXqiyhdH`eZ4oLp*ALsJh$E9ec5X)K?{ngGdZO>ND352%Ts} zLE_9qD?M;P#;euZ9IZcCXP4}dz{6M3Z1NLwvRm7fm*Ep+OpICuGCXY`S&J?NOY%}5 zc4k%y2J%X8&cCVXi8o8JY|1HSINx@9-d}NHq^y(8j3m3w@Q%x;Yh?m^&nk^7j)?Pt z0nQ7nsF+cMTz50ujR_1L{mWV9q)2lL5y`P!dTZ{J9U)O1V2W3X%wk+DHnMk)oTW+Q z%4sb3b%T^6I0$7`Z7qj@4Ho#0H@5LEWfqMx#0F=E8^U@pQzwe0`sB6l``3o=khn~0 zTGyeG(@9u$Y}NWW=(6J!dzx*#F-qSjiSzL_V0y6;NHBr$jaO(BQMMG??5^neQ?Fx( z@N6q82CL;Np@kXCr>myWV)HA6{O~SU+5|5kNQjY;8o5EweYhDzS)Gpo~p9=SR9=K()<8noJ zurz1^LaCMxC3l#nlz)Y0*O8(%s!8rDN>OMyUcz%?Gymb8ACDW7n=v#(#}h7$^G0#g z_fx7xeC=Ot8Qnnr{&Omp{6+3)Z(+AIW7QB|L|OP3ITa@G3ax@|@ufsIl{{~7T`q2c zK^X}}#0^*g_1Ow?o9X(8{1^)nxHS)Y9f%xYwqYoUne8oGD|IX@d(m+*rK*cnU0ifE zUaU?76+5VdiTezm3y~oTsH1}-La=-_@T;|mFRL0~4l>&m_1wG9j;T)Z-iGD2-}sru zr-q8CnBH6cg3?^9zPynFS(Imbur{`nx~|?i=2bZlse&V2yP1lXt*)qSnUL>k^*Kn; zegWD)6wY@Vk$N9Jl|$9Z0jpv9S*;_?Z4kW&P)M0zk%|oPyLPCZc=9fb({0WKtxX- zxz^ZwOvfl`lv~3fKm*N(?Zw6B3+O6@SyP>L#~Ckj26XLvMaNmG{9m)vl%&X>Rk`Sc zgsghZIGzdOb0mzfDb_yWymQCjbA%A~3HCneU*|R)j=r%E{ODyUX)dDQu(y+xt?EQV zaZ}=7Bp84KKT>`^I8h7Ztgg^*t$51xzq|xw{|Yi790=v=z<=30JO0Ko^b?0fW7K~+ zc#x#*bGZ}vFV_}D+T**7zwfnvp-~U4k(Z~tF$4`j^)ulqDpw3mikZe 3.3.3.3:443 [proto: 91.352/TLS.CustomProtocolA][IP: 352/CustomProtocolA][Encrypted][Confidence: Unknown][DPI packets: 1][cat: Web/5][3 pkts/222 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][3.05 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 TCP 192.168.1.245:59682 -> 3.3.3.3:444 [proto: 353/CustomProtocolB][IP: 353/CustomProtocolB][ClearText][Confidence: Unknown][DPI packets: 1][2 pkts/148 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][1.02 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 TCP 192.168.1.245:56866 -> 3.3.3.3:443 [proto: 91.353/TLS.CustomProtocolA][IP: 353/CustomProtocolA][Encrypted][Confidence: Unknown][DPI packets: 1][cat: Web/5][3 pkts/222 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][3.05 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 TCP 192.168.1.245:59682 -> 3.3.3.3:444 [proto: 354/CustomProtocolB][IP: 354/CustomProtocolB][ClearText][Confidence: Unknown][DPI packets: 1][2 pkts/148 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][1.02 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/roblox.pcapng.out b/tests/cfgs/default/result/roblox.pcapng.out new file mode 100644 index 00000000000..a32f16f767f --- /dev/null +++ b/tests/cfgs/default/result/roblox.pcapng.out @@ -0,0 +1,35 @@ +Guessed flow protos: 0 + +DPI Packets (TCP): 5 (5.00 pkts/flow) +DPI Packets (UDP): 3 (1.00 pkts/flow) +Confidence DPI : 4 (flows) +Num dissector calls: 268 (67.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache zoom: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache stun_zoom: 0/0/0 (insert/search/found) +Automa host: 1/1 (search/found) +Automa domain: 1/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 1/1 (search/found) +Patricia risk mask: 6/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia protocols: 4/4 (search/found) + +RakNet 44 21907 3 +Roblox 34 12002 1 + +JA3 Host Stats: + IP Address # JA3C + 1 192.168.12.156 1 + + + 1 TCP 192.168.12.156:39034 <-> 128.116.122.4:443 [proto: 91.346/TLS.Roblox][IP: 346/Roblox][Encrypted][Confidence: DPI][DPI packets: 5][cat: Game/8][19 pkts/3517 bytes <-> 15 pkts/8485 bytes][Goodput ratio: 65/88][12.24 sec][Hostname/SNI: assetgame.roblox.com][(Advertised) ALPNs: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.414 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 808/1277 10785/10000 2671/3298][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 185/566 1090/1514 279/584][TLSv1.3][JA3C: f436b9416f37d134cadd04886327d3e8][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 20,0,6,0,0,0,0,0,13,0,0,0,0,0,0,0,13,0,0,0,6,0,0,0,0,0,6,0,0,0,0,0,6,0,0,0,0,6,0,0,0,0,0,0,0,20,0,0] + 2 UDP 192.168.12.156:45693 <-> 128.116.44.33:53385 [proto: 286/RakNet][IP: 346/Roblox][ClearText][Confidence: DPI][DPI packets: 1][cat: Game/8][15 pkts/6993 bytes <-> 2 pkts/2748 bytes][Goodput ratio: 91/97][0.38 sec][bytes ratio: 0.436 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 25/0 127/0 36/0][Pkt Len c2s/s2c min/avg/max/stddev: 100/1374 466/1374 1398/1374 543/0][PLAIN TEXT (UniqueNumber)][Plen Bins: 0,30,18,5,0,5,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,18,11,0,0,0,0,0] + 3 UDP 192.168.12.156:46507 <-> 128.116.44.33:51438 [proto: 286/RakNet][IP: 346/Roblox][ClearText][Confidence: DPI][DPI packets: 1][cat: Game/8][13 pkts/6771 bytes <-> 1 pkts/1374 bytes][Goodput ratio: 92/97][0.42 sec][bytes ratio: 0.663 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 28/0 196/0 56/0][Pkt Len c2s/s2c min/avg/max/stddev: 100/1374 521/1374 1398/1374 563/0][PLAIN TEXT (UniqueNumber9)][Plen Bins: 0,28,14,7,0,7,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,14,14,0,0,0,0,0] + 4 UDP 192.168.12.156:42965 <-> 128.116.89.113:63862 [proto: 286/RakNet][IP: 346/Roblox][ClearText][Confidence: DPI][DPI packets: 1][cat: Game/8][6 pkts/3229 bytes <-> 7 pkts/792 bytes][Goodput ratio: 92/63][0.11 sec][bytes ratio: 0.606 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 20/11 34/29 13/14][Pkt Len c2s/s2c min/avg/max/stddev: 69/70 538/113 1398/180 609/46][PLAIN TEXT (UniqueNumber)][Plen Bins: 15,38,7,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0,0,0,0] diff --git a/tests/cfgs/default/result/synscan.pcap.out b/tests/cfgs/default/result/synscan.pcap.out index 67450060046..02aab79fd9b 100644 --- a/tests/cfgs/default/result/synscan.pcap.out +++ b/tests/cfgs/default/result/synscan.pcap.out @@ -124,7 +124,7 @@ iSCSI 2 116 2 44 TCP 172.16.0.8:36050 -> 64.13.134.52:2605 [proto: 13/BGP][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 45 TCP 172.16.0.8:36050 -> 64.13.134.52:3000 [proto: 26/ntop][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 46 TCP 172.16.0.8:36050 -> 64.13.134.52:3128 [proto: 131/HTTP_Proxy][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Web/5][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 47 TCP 172.16.0.8:36050 -> 64.13.134.52:3260 [proto: 346/iSCSI][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 47 TCP 172.16.0.8:36050 -> 64.13.134.52:3260 [proto: 347/iSCSI][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 48 TCP 172.16.0.8:36050 -> 64.13.134.52:3306 [proto: 20/MySQL][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 49 TCP 172.16.0.8:36050 -> 64.13.134.52:3389 [proto: 88/RDP][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Found RDP][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 50 TCP 172.16.0.8:36050 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] @@ -188,7 +188,7 @@ iSCSI 2 116 2 108 TCP 172.16.0.8:36051 -> 64.13.134.52:2605 [proto: 13/BGP][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 109 TCP 172.16.0.8:36051 -> 64.13.134.52:3000 [proto: 26/ntop][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 110 TCP 172.16.0.8:36051 -> 64.13.134.52:3128 [proto: 131/HTTP_Proxy][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Web/5][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 111 TCP 172.16.0.8:36051 -> 64.13.134.52:3260 [proto: 346/iSCSI][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 111 TCP 172.16.0.8:36051 -> 64.13.134.52:3260 [proto: 347/iSCSI][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 112 TCP 172.16.0.8:36051 -> 64.13.134.52:3306 [proto: 20/MySQL][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 113 TCP 172.16.0.8:36051 -> 64.13.134.52:3389 [proto: 88/RDP][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Found RDP][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 114 TCP 172.16.0.8:36051 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/utils/asn_update.sh b/utils/asn_update.sh index 748358f3c6b..7385d80b73a 100755 --- a/utils/asn_update.sh +++ b/utils/asn_update.sh @@ -202,6 +202,11 @@ DEST=../src/lib/inc_generated/ndpi_asn_nvidia.c.inc create_list NDPI_PROTOCOL_NVIDIA $DEST "" "AS60977" "AS50889" "AS20347" "AS11414" echo "(3) Nvidia IPs are available in $DEST" +echo "(1) Downloading Roblox..." +DEST=../src/lib/inc_generated/ndpi_asn_roblox.c.inc +create_list NDPI_PROTOCOL_ROBLOX $DEST "" "AS22697" +echo "(3) Roblox IPs are available in $DEST" + if [ ${TOTAL_ASN} -eq 0 -o ${TOTAL_ASN} -eq ${FAILED_ASN} ]; then printf '%s: %s\n' "${0}" "All download(s) failed, ./get_routes_by_asn.sh broken?" exit 1