diff --git a/example/reader_util.c b/example/reader_util.c
index a6c472b3f8c..72e1843aee4 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -1353,7 +1353,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
 flow->detected_protocol, &flow->ndpi_flow_serializer) != 0) {
 LOG(NDPI_LOG_ERROR, "flow2json failed\n");
- exit(-1);
+ return;
 }
 ndpi_serialize_string_uint32(&flow->ndpi_flow_serializer, "detection_completed", flow->detection_completed);
diff --git a/fuzz/corpus/fuzz_serialization/b524f7bc777b60fa186852b7db1c961841e54205 b/fuzz/corpus/fuzz_serialization/b524f7bc777b60fa186852b7db1c961841e54205
deleted file mode 100644
index 7b17c654906..00000000000
Binary files a/fuzz/corpus/fuzz_serialization/b524f7bc777b60fa186852b7db1c961841e54205 and /dev/null differ
diff --git a/fuzz/fuzz_alg_shoco.cpp b/fuzz/fuzz_alg_shoco.cpp
index 40fe0f0f454..68d26266004 100644
--- a/fuzz/fuzz_alg_shoco.cpp
+++ b/fuzz/fuzz_alg_shoco.cpp
@@ -1,5 +1,6 @@
 #include
 #include "shoco.h"
+#include "ndpi_api.h"
 #include "fuzzer/FuzzedDataProvider.h"
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
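Review bot: The early `return` leaves `flow->ndpi_flow_serializer` holding whatever flow2json wrote before it failed, and nothing in the hunk resets it or marks the flow, so a caller that later reads this flow's serializer buffer could emit a partial record where the old `exit(-1)` guaranteed it never would. If the serializer content is meant to be discarded on failure, clear it before leaving, e.g. `ndpi_reset_serializer(&flow->ndpi_flow_serializer); return;`, or record the failure on the flow so the print path skips it; I can't see from here whether such a flag already exists. process_ndpi_collected_info() starts and ends outside the hunk.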
@@ -7,16 +8,25 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 const char *in;
 size_t in_len, out_len;
 char out[8192], orig[8192];
+ int higher_level_api;
 /* No memory allocations involved */
+ higher_level_api = fuzzed_data.ConsumeBool();
+ std::string s = fuzzed_data.ConsumeRemainingBytesAsString().c_str();
 in = s.c_str();
 in_len = strlen(in);
- out_len = shoco_compress(in, in_len, out, sizeof(out));
- if(out_len <= sizeof(out)) /* No error */
- shoco_decompress(out, out_len, orig, sizeof(orig));
+ if(!higher_level_api) {
+ out_len = shoco_compress(in, in_len, out, sizeof(out));
+ if(out_len <= sizeof(out)) /* No error */
+ shoco_decompress(out, out_len, orig, sizeof(orig));
+ } else {
+ out_len = ndpi_compress_str(in, in_len, out, sizeof(out));
+ if(out_len != 0) /* No error */
+ ndpi_decompress_str(out, out_len, orig, sizeof(orig));
+ }
 return 0;
 }
diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp
index 4034874f16d..edfa42ceba6 100644
--- a/fuzz/fuzz_config.cpp
+++ b/fuzz/fuzz_config.cpp
@@ -518,6 +518,12 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 ndpi_severity2str(static_cast(fuzzed_data.ConsumeIntegral()));
 ndpi_risk2score(static_cast(fuzzed_data.ConsumeIntegral()), &unused1, &unused2);
 ndpi_http_method2str(static_cast(fuzzed_data.ConsumeIntegral()));
+ ndpi_confidence_get_name(static_cast(fuzzed_data.ConsumeIntegral()));
+ ndpi_get_proto_breed_name(static_cast(fuzzed_data.ConsumeIntegral()));
+ ndpi_get_l4_proto_name(static_cast(fuzzed_data.ConsumeIntegral()));
+
+ char buf2[16];
+ ndpi_entropy2str(fuzzed_data.ConsumeFloatingPoint(), fuzzed_data.ConsumeBool() ? buf2 : NULL, sizeof(buf2));
 /* Basic code to try testing this "config" */
 bool_value = fuzzed_data.ConsumeBool();
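Review bot: In the new `else` branch the result of `ndpi_compress_str()` lands in `out_len`, declared `size_t` in this hunk, and only `out_len != 0` is checked before that value is passed to `ndpi_decompress_str()` as the input length. If `ndpi_compress_str()` reports failure with a negative int (its prototype isn't visible here), the conversion wraps to a huge length and the decompress call reads far past `out`; the shoco branch avoids exactly this with its `<= sizeof(out)` bound. Keep the signed result and gate on it: `int rc = ndpi_compress_str(in, in_len, out, sizeof(out));` / `if(rc > 0) ndpi_decompress_str(out, rc, orig, sizeof(orig));`. Both decompression return values are discarded, which is acceptable in a fuzz target but deserves a one-line comment saying the round trip is only being driven for crashes, not checked.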
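Review bot: The new `ndpi_entropy2str()` call always passes `sizeof(buf2)` as the length, so the fuzzed choice between `buf2` and `NULL` exercises the null-pointer path but never a buffer that is too short for the formatted value, which is the case most likely to expose an overflow or truncation bug in that helper. Replacing the last argument with `fuzzed_data.ConsumeIntegralInRange<size_t>(0, sizeof(buf2))` covers that path at no extra cost. `buf2` is declared without an initializer; if the helper can return without writing it, `char buf2[16] = {};` keeps any later read deterministic under MemorySanitizer. The enclosing LLVMFuzzerTestOneInput() starts and ends outside the hunk.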
@@ -545,7 +551,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 ndpi_get_flow_ndpi_proto(&flow, &p2);
 ndpi_is_proto(p, NDPI_PROTOCOL_TLS);
 ndpi_http_method2str(flow.http.method);
- ndpi_get_l4_proto_name(ndpi_get_l4_proto_info(ndpi_info_mod, p.app_protocol));
 ndpi_is_subprotocol_informative(p.app_protocol);
 ndpi_get_http_method(bool_value ? &flow : NULL);
 ndpi_get_http_url(&flow);
diff --git a/fuzz/fuzz_ds_ahocorasick.cpp b/fuzz/fuzz_ds_ahocorasick.cpp
index 949cc4b6d3d..5a61f002207 100644
--- a/fuzz/fuzz_ds_ahocorasick.cpp
+++ b/fuzz/fuzz_ds_ahocorasick.cpp
@@ -44,7 +44,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 ac_automata_enable_debug(0);
 a = ac_automata_init(mc);
- a2 = ndpi_init_automa();
+ if (fuzzed_data.ConsumeBool())
+ a2 = ndpi_init_automa();
+ else
+ a2 = ndpi_init_automa_domain();
 if (fuzzed_data.ConsumeBool())
 ac_automata_feature(a, AC_FEATURE_DEBUG);
diff --git a/fuzz/fuzz_ds_domain_classify.cpp b/fuzz/fuzz_ds_domain_classify.cpp
index 8e19b4725b7..a53c8d130bd 100644
--- a/fuzz/fuzz_ds_domain_classify.cpp
+++ b/fuzz/fuzz_ds_domain_classify.cpp
@@ -47,7 +47,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 num_iteration = fuzzed_data.ConsumeIntegral();
 for (i = 0; i < num_iteration; i++) {
 value = fuzzed_data.ConsumeBytesAsString(fuzzed_data.ConsumeIntegral());
- ndpi_domain_classify_hostname(ndpi_struct, d, &class_id, (char *)value.c_str());
+ ndpi_domain_classify_hostname(fuzzed_data.ConsumeBool() ? ndpi_struct : NULL, d, &class_id, (char *)value.c_str());
 }
 /* Search of an added entry */
diff --git a/fuzz/fuzz_gcrypt_cipher.cpp b/fuzz/fuzz_gcrypt_cipher.cpp
index 703e480a7b5..520133aaef3 100644
--- a/fuzz/fuzz_gcrypt_cipher.cpp
+++ b/fuzz/fuzz_gcrypt_cipher.cpp
@@ -6,6 +6,7 @@
 #define MBEDTLS_CHECK_RETURN_TYPICAL
 #define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 )
 #include "gcrypt/cipher.h"
+#include "gcrypt/error.h"
 #include "gcrypt/aes.h"
 extern int force_no_aesni;
@@ -56,10 +57,17 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 mbedtls_cipher_info_get_type(ctx_e->cipher_info);
 mbedtls_cipher_info_get_name(ctx_e->cipher_info);
 mbedtls_cipher_info_has_variable_key_bitlen(ctx_e->cipher_info);
+ mbedtls_cipher_info_has_variable_iv_size(ctx_e->cipher_info);
 mbedtls_cipher_info_get_iv_size(ctx_e->cipher_info);
 mbedtls_cipher_info_get_block_size(ctx_e->cipher_info);
 mbedtls_cipher_get_cipher_mode(ctx_e);
+ mbedtls_cipher_get_iv_size(ctx_e);
+ mbedtls_cipher_get_type(ctx_e);
+ mbedtls_cipher_get_name(ctx_e);
+ mbedtls_cipher_get_key_bitlen(ctx_e);
+ mbedtls_cipher_get_operation(ctx_e);
 mbedtls_cipher_info_get_key_bitlen(ctx_e->cipher_info);
+ mbedtls_error_add(0, 0, NULL, 0);
 posix_memalign((void **)&ctx_e->cipher_ctx, 8, sizeof(mbedtls_aes_context));
 posix_memalign((void **)&ctx_d->cipher_ctx, 8, sizeof(mbedtls_aes_context));
diff --git a/fuzz/fuzz_ndpi_reader.c b/fuzz/fuzz_ndpi_reader.c
index 9d061e5ca5d..80ed1688695 100644
--- a/fuzz/fuzz_ndpi_reader.c
+++ b/fuzz/fuzz_ndpi_reader.c
@@ -15,7 +15,7 @@ struct ndpi_global_context *g_ctx;
 u_int8_t enable_payload_analyzer = 0;
 u_int8_t enable_flow_stats = 1;
 u_int8_t human_readeable_string_len = 5;
-u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 80 /* due to telnet */;
+u_int8_t max_num_udp_dissected_pkts = 0, max_num_tcp_dissected_pkts = 0; /* Disable limits at application layer */;
 int malloc_size_stats = 0;
 extern void ndpi_report_payload_stats(FILE *out);
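Review bot: `mbedtls_error_add(0, 0, NULL, 0)` only exercises the trivial case where both codes are zero, so the combination logic that the new `gcrypt/error.h` include brings in is never reached with a real high/low pair. If a FuzzedDataProvider is in scope in this target as in the sibling fuzzers, pass fuzzed codes instead, e.g. `mbedtls_error_add(fuzzed_data.ConsumeIntegral<int>(), fuzzed_data.ConsumeIntegral<int>(), NULL, 0);`. The five new `mbedtls_cipher_get_*()` calls read `ctx_e` before `ctx_e->cipher_ctx` is allocated by the `posix_memalign()` lines just below, which is only safe if those getters touch nothing but `cipher_info`; a one-line comment stating that ordering assumption would keep a later reorder from turning it into a NULL dereference. The enclosing LLVMFuzzerTestOneInput() starts and ends outside the hunk.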
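Review bot: The new declaration `u_int8_t max_num_udp_dissected_pkts = 0, max_num_tcp_dissected_pkts = 0; /* Disable limits at application layer */;` ends with a second `;` after the comment, which is an empty declaration at file scope; compilers accept it but warn under `-Wpedantic` and it reads as a typo. Drop the trailing one: `u_int8_t max_num_udp_dissected_pkts = 0, max_num_tcp_dissected_pkts = 0; /* Disable limits at application layer */`. The comment would also be more useful if it said what 0 means to whoever reads these globals (no limit rather than zero packets), since the hunk does not show the consumer and the old values carried explanatory comments.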
@@ -53,6 +53,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 workflow = ndpi_workflow_init(prefs, NULL /* pcap handler will be set later */, 0, ndpi_serialization_format_json, g_ctx);
+ ndpi_workflow_set_flow_callback(workflow, NULL, NULL); /* No real callback */
+ ndpi_set_config(workflow->ndpi_struct, NULL, "log.level", "3");
 ndpi_set_config(workflow->ndpi_struct, "all", "log", "1");
@@ -68,10 +70,12 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 NDPI_BITMASK_SET_ALL(all);
 ndpi_set_protocol_detection_bitmask2(workflow->ndpi_struct, &all);
+ ndpi_set_config(workflow->ndpi_struct, NULL, "packets_limit_per_flow", "255");
 ndpi_set_config(workflow->ndpi_struct, NULL, "flow.track_payload", "1");
 ndpi_set_config(workflow->ndpi_struct, NULL, "tcp_ack_payload_heuristic", "1");
 ndpi_set_config(workflow->ndpi_struct, "tls", "application_blocks_tracking", "1");
 ndpi_set_config(workflow->ndpi_struct, "stun", "max_packets_extra_dissection", "255");
+ ndpi_set_config(workflow->ndpi_struct, "zoom", "max_packets_extra_dissection", "255");
 ndpi_set_config(workflow->ndpi_struct, "rtp", "search_for_stun", "1");
 ndpi_finalize_initialization(workflow->ndpi_struct);
diff --git a/fuzz/fuzz_serialization.cpp b/fuzz/fuzz_serialization.cpp
index d097c683cd7..5b5de9fe09c 100644
--- a/fuzz/fuzz_serialization.cpp
+++ b/fuzz/fuzz_serialization.cpp
@@ -14,7 +14,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 int rc;
 std::vectord;
 char kbuf[32];
- u_int32_t buffer_len;
+ u_int32_t buffer_len, kbuf_len;
 /* To allow memory allocation failures */
 fuzz_set_alloc_callbacks_and_seed(size);
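Review bot: The two added `ndpi_set_config()` calls (`packets_limit_per_flow` and the `zoom` entry) discard the function's return value like the lines around them, so a misspelt key or section name, or a value the library rejects, silently leaves the default in place and the fuzzer runs a different configuration than this hunk intends. Since this setup runs once per input, a cheap guard such as `if(ndpi_set_config(workflow->ndpi_struct, NULL, "packets_limit_per_flow", "255") != 0) abort();` turns that into a visible failure instead of quietly lost coverage. The same discipline would help the `ndpi_workflow_set_flow_callback()` hunk above, which dereferences `workflow` on the next lines without checking the `ndpi_workflow_init()` result. The enclosing LLVMFuzzerTestOneInput() starts and ends outside the hunk.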
@@ -66,19 +66,23 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 ndpi_serialize_string_raw(&serializer, kbuf, d.data(), d.size());
 ndpi_serialize_string_boolean(&serializer, kbuf, fuzzed_data.ConsumeIntegral());
- if (fuzzed_data.ConsumeBool())
+ if (fuzzed_data.ConsumeBool()) {
 snprintf(kbuf, sizeof(kbuf), "%d", i); /* To trigger OPTIMIZE_NUMERIC_KEYS */
- ndpi_serialize_binary_uint32(&serializer, kbuf, sizeof(kbuf), fuzzed_data.ConsumeIntegral());
- ndpi_serialize_binary_int32(&serializer, kbuf, sizeof(kbuf), fuzzed_data.ConsumeIntegral());
- ndpi_serialize_binary_uint64(&serializer, kbuf, sizeof(kbuf), fuzzed_data.ConsumeIntegral());
- ndpi_serialize_binary_int64(&serializer, kbuf, sizeof(kbuf), fuzzed_data.ConsumeIntegral());
- ndpi_serialize_binary_float(&serializer, kbuf, sizeof(kbuf), fuzzed_data.ConsumeFloatingPoint(), "%f");
+ kbuf_len = strlen(kbuf);
+ } else {
+ kbuf_len = sizeof(kbuf);
+ }
+ ndpi_serialize_binary_uint32(&serializer, kbuf, kbuf_len, fuzzed_data.ConsumeIntegral());
+ ndpi_serialize_binary_int32(&serializer, kbuf, kbuf_len, fuzzed_data.ConsumeIntegral());
+ ndpi_serialize_binary_uint64(&serializer, kbuf, kbuf_len, fuzzed_data.ConsumeIntegral());
+ ndpi_serialize_binary_int64(&serializer, kbuf, kbuf_len, fuzzed_data.ConsumeIntegral());
+ ndpi_serialize_binary_float(&serializer, kbuf, kbuf_len, fuzzed_data.ConsumeFloatingPoint(), "%f");
 if (fmt != ndpi_serialization_format_tlv)
- ndpi_serialize_binary_double(&serializer, kbuf, sizeof(kbuf), fuzzed_data.ConsumeFloatingPoint(), "%lf");
- ndpi_serialize_binary_boolean(&serializer, kbuf, sizeof(kbuf), fuzzed_data.ConsumeIntegral());
+ ndpi_serialize_binary_double(&serializer, kbuf, kbuf_len, fuzzed_data.ConsumeFloatingPoint(), "%lf");
+ ndpi_serialize_binary_boolean(&serializer, kbuf, kbuf_len, fuzzed_data.ConsumeIntegral());
 d = fuzzed_data.ConsumeBytes(16);
 if (d.size())
- ndpi_serialize_binary_binary(&serializer, kbuf, sizeof(kbuf), d.data(), d.size());
+ ndpi_serialize_binary_binary(&serializer, kbuf, kbuf_len, d.data(), d.size());
 if ((i & 0x3) == 0x3)
 ndpi_serialize_end_of_record(&serializer);
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index c0cb12fa867..96e7955b0d9 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4976,7 +4976,7 @@ int load_category_file_fd(struct ndpi_detection_module_struct *ndpi_str,
 continue;
 }
- if(ndpi_load_category(ndpi_str, line, category_id, NULL) > 0)
+ if(ndpi_load_category(ndpi_str, line, category_id, NULL) >= 0)
 num_loaded++;
 }
diff --git a/src/lib/protocols/afp.c b/src/lib/protocols/afp.c
index 5b420f422b8..73d62345751 100644
--- a/src/lib/protocols/afp.c
+++ b/src/lib/protocols/afp.c
@@ -62,20 +62,6 @@ static void ndpi_search_afp(struct ndpi_detection_module_struct *ndpi_struct, st
 return;
 }
- /*
- * this will detect the OpenSession command of the Data Stream Interface (DSI) protocol
- * which is exclusively used by the Apple Filing Protocol (AFP) on TCP/IP networks
- */
- if (packet->payload_packet_len >= 22 && get_u_int16_t(packet->payload, 0) == htons(0x0004) &&
- get_u_int16_t(packet->payload, 2) == htons(0x0001) && get_u_int32_t(packet->payload, 4) == 0 &&
- get_u_int32_t(packet->payload, 8) == htonl(packet->payload_packet_len - 16) &&
- get_u_int32_t(packet->payload, 12) == 0 && get_u_int16_t(packet->payload, 16) == htons(0x0104)) {
- NDPI_LOG_INFO(ndpi_struct, "found AFP: DSI OpenSession\n");
- ndpi_int_afp_add_connection(ndpi_struct, flow);
- return;
- }
 if((h->flags <= 1) && ((h->command >= 1) && (h->command <= 8)) && (h->reserved == 0)
diff --git a/src/lib/protocols/mqtt.c b/src/lib/protocols/mqtt.c
index c88844a091a..ea2390d371f 100644
--- a/src/lib/protocols/mqtt.c
+++ b/src/lib/protocols/mqtt.c
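Review bot: In the `else` branch `kbuf_len = sizeof(kbuf)` hands the serializer all 32 bytes of `kbuf` as the key no matter how many were written, and on that path `snprintf()` is skipped, so unless `kbuf` is fully filled earlier in the loop (the lines above the hunk are not visible here) the key carries bytes past the terminator that nothing initialised; `char kbuf[32];` in the hunk above has no initializer. That makes the serialized output depend on stack contents and is what MemorySanitizer reports as a use-of-uninitialized-value inside the serializer rather than at this line. A `memset(kbuf, 0, sizeof(kbuf));` before the `if`, or `char kbuf[32] = {};` at the declaration, keeps the binary-key path deterministic while still exercising a full-width key. `kbuf_len` is `u_int32_t` while `strlen()` returns `size_t`; the narrowing is harmless at 32 bytes, but `kbuf_len = (u_int32_t)strlen(kbuf);` makes it explicit for `-Wconversion` builds. The loop this sits in starts outside the hunk.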
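Review bot: Nothing at the call site says which return value of `ndpi_load_category()` now counts as loaded after the move to `>= 0`; the callee isn't visible here, so a reader cannot tell whether 0 means "added", "already present" or "ignored", and `num_loaded` is presumably what the caller reports to the user. A one-line comment pinning the contract, e.g. `/* ndpi_load_category() returns 0 on success, < 0 on error */` adjusted to whatever the function actually promises, would stop this boundary from drifting again. load_category_file_fd() starts and ends outside the hunk.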
@@ -179,18 +179,13 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
 }
 if (pt == PUBLISH) { // payload CAN be zero bytes length (section 3.3.3 of MQTT standard)
- u_int8_t qos = (u_int8_t) (flags & 0x06);
- u_int8_t dup = (u_int8_t) (flags & 0x04);
+ u_int8_t qos = (u_int8_t) (flags & 0x06) >> 1;
+ u_int8_t dup = (u_int8_t) (flags & 0x08) >> 3;
 if (qos > 2) { // qos values possible are 0,1,2
 NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos\n");
 NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
 return;
 }
- if (dup > 1) { // dup flag possible 0,1
- NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH dup\n");
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
- return;
- }
 if (qos == 0) {
 if (dup != 0) {
 NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos0 and dup combination\n");
diff --git a/src/lib/protocols/ssdp.c b/src/lib/protocols/ssdp.c
index 3e18edf50ab..90ce4c04c5e 100644
--- a/src/lib/protocols/ssdp.c
+++ b/src/lib/protocols/ssdp.c
@@ -47,10 +47,7 @@ static void ssdp_parse_lines(struct ndpi_detection_module_struct
 /* Save host which provides a service if available */
 if (packet->host_line.ptr != NULL && packet->host_line.len > 0) {
- if (ndpi_hostname_sni_set(flow, packet->host_line.ptr, packet->host_line.len, NDPI_HOSTNAME_NORM_ALL) == NULL)
- {
- NDPI_LOG_DBG2(ndpi_struct, "Could not set SSDP host\n");
- }
+ ndpi_hostname_sni_set(flow, packet->host_line.ptr, packet->host_line.len, NDPI_HOSTNAME_NORM_ALL);
 }
 }
diff --git a/src/lib/protocols/thrift.c b/src/lib/protocols/thrift.c
index d9be27ca514..79ee6ebb540 100644
--- a/src/lib/protocols/thrift.c
+++ b/src/lib/protocols/thrift.c
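Review bot: In `u_int8_t qos = (u_int8_t) (flags & 0x06) >> 1;` and the `dup` line the cast binds tighter than `>>`, so it is applied to the masked value and the shift happens in `int` before the implicit narrowing back to `u_int8_t`; the result is correct, but it reads as if the shifted value were being cast. `u_int8_t qos = (u_int8_t)((flags & 0x06) >> 1);` and `u_int8_t dup = (u_int8_t)((flags & 0x08) >> 3);` say what is meant. With the shift in place `qos` ranges 0..3 and `dup` 0..1, so the kept `qos > 2` check still rejects the reserved value 3 and the removed `dup > 1` check was indeed dead; a comment such as `/* fixed-header flags: bit 3 = DUP, bits 2-1 = QoS, bit 0 = RETAIN (MQTT 3.1.1 section 3.3.1) */` would document the bit layout this now relies on. ndpi_search_mqtt() starts and ends outside the hunk.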
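Review bot: The return value of `ndpi_hostname_sni_set()` is now dropped silently, which is fine if a failed hostname normalisation is unimportant for SSDP, but the decision is no longer visible in the code and static analysers, or a `warn_unused_result` attribute on the declaration (not visible here), would flag the bare call. Making the discard explicit, `(void)ndpi_hostname_sni_set(flow, packet->host_line.ptr, packet->host_line.len, NDPI_HOSTNAME_NORM_ALL);`, records that intent at no cost. ssdp_parse_lines() starts and ends outside the hunk.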
@@ -83,9 +83,6 @@ static void ndpi_int_thrift_add_connection(struct ndpi_detection_module_struct *
 case NDPI_PROTOCOL_HTTP:
 NDPI_LOG_DBG(ndpi_struct, "found Apache Thrift HTTP\n");
 break;
- default:
- NDPI_LOG_DBG(ndpi_struct, "found Apache Thrift\n");
- break;
 }
 ndpi_set_detected_protocol(ndpi_struct, flow,
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index ca23da4f85b..2d8247d515b 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1032,10 +1032,6 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 break;
 }
- if(len == 0) {
- something_went_wrong = 1;
- break;
- }
 #ifdef DEBUG_TLS_MEMORY
 printf("[TLS Mem] Processing %u bytes message\n", len);
@@ -1638,7 +1634,6 @@ static bool is_grease_version(u_int16_t version) {
 case 0xeaea:
 case 0xfafa:
 return(true);
- break;
 default:
 return(false);
diff --git a/tests/cfgs/default/pcap/netbios.pcap b/tests/cfgs/default/pcap/netbios.pcap
index 1e8ee3920ca..b143112fdb1 100644
Binary files a/tests/cfgs/default/pcap/netbios.pcap and b/tests/cfgs/default/pcap/netbios.pcap differ
diff --git a/tests/cfgs/default/pcap/pgsql2.pcapng b/tests/cfgs/default/pcap/pgsql2.pcapng
new file mode 100644
index 00000000000..3ff36162343
Binary files /dev/null and b/tests/cfgs/default/pcap/pgsql2.pcapng differ
diff --git a/tests/cfgs/default/result/netbios.pcap.out b/tests/cfgs/default/result/netbios.pcap.out
index 3f59e3a00f9..1934e8825ad 100644
--- a/tests/cfgs/default/result/netbios.pcap.out
+++ b/tests/cfgs/default/result/netbios.pcap.out
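Review bot: A record whose `len` is 0 now reaches the processing below without `something_went_wrong` being set, and if the loop this sits in (its head and the code that advances the offset are outside the hunk) only makes progress by `len`, a zero-length record from the peer would be handled repeatedly without the offset moving, which is the classic stuck-loop shape on untrusted input. If the guard was removed because zero-length records are legitimate and the loop advances by the record header size independently of `len`, a comment at this spot stating that invariant, e.g. `/* len == 0 is valid here; the loop advances by the record header size regardless */`, makes the removal reviewable; otherwise a progress check belongs in the loop head. ndpi_search_tls_tcp() starts and ends outside the hunk.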
@@ -1,10 +1,10 @@ Guessed flow protos: 1 -DPI Packets (TCP): 2 (2.00 pkts/flow) +DPI Packets (TCP): 3 (1.50 pkts/flow) DPI Packets (UDP): 14 (1.00 pkts/flow) Confidence Match by port : 1 (flows) -Confidence DPI : 14 (flows) -Num dissector calls: 164 (10.93 diss/flow) +Confidence DPI : 15 (flows) +Num dissector calls: 165 (10.31 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/3/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) @@ -16,17 +16,17 @@ Automa domain: 0/0 (search/found) Automa tls cert: 0/0 (search/found) Automa risk mask: 5/0 (search/found) Automa common alpns: 0/0 (search/found) -Patricia risk mask: 12/0 (search/found) +Patricia risk mask: 14/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) -Patricia protocols: 30/0 (search/found) +Patricia protocols: 32/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -NetBIOS 258 24196 13 +NetBIOS 259 24326 14 SMBv1 2 486 2 -Acceptable 258 24196 13 +Acceptable 259 24326 14 Dangerous 2 486 2 1 UDP 10.0.4.131:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][181 pkts/16652 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][59.62 sec][Hostname/SNI: xstream_hy][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 10/0 328/0 929/0 225/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92/0 92/0 0/0][PLAIN TEXT ( FIFDFEFCEFEBENFPEIFJ)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 
@@ -37,10 +37,11 @@ Dangerous 2 486 2 6 UDP 10.0.5.9:138 -> 10.0.5.255:138 [proto: 10.16/NetBIOS.SMBv1][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/243 bytes -> 0 pkts/0 bytes][Goodput ratio: 82/0][< 1 sec][Hostname/SNI: nvr9][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT ( EOFGFCDJ)][Plen Bins: 0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 7 UDP 10.0.5.93:138 -> 10.0.5.255:138 [proto: 10.16/NetBIOS.SMBv1][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/243 bytes -> 0 pkts/0 bytes][Goodput ratio: 82/0][< 1 sec][Hostname/SNI: bowie][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT ( ECEPFHEJEFCACACACACACACACACACA)][Plen Bins: 0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 8 UDP 10.0.4.101:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][2 pkts/184 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][18.05 sec][Hostname/SNI: muli][PLAIN TEXT ( ENFFEMEJ)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 9 TCP 10.0.4.24:139 <-> 10.0.4.131:1398 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 2][cat: System/18][1 pkts/60 bytes <-> 1 pkts/60 bytes][Goodput ratio: 2/0][< 1 sec][Risk: ** Probing attempt **][Risk Score: 50][Risk Info: TCP connection with unidirectional traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 10 UDP 10.0.4.24:137 -> 10.0.4.165:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/104 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][< 1 sec][Hostname/SNI: gunnar][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT ( 
EHFFEOEOEBFCCACACACACACACACACA)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 11 UDP 10.0.5.1:137 -> 10.0.4.24:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/104 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][< 1 sec][Hostname/SNI: guru][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 12 UDP 10.0.4.14:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: guru][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 13 UDP 10.0.4.24:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: guru][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 14 UDP 10.0.4.66:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: guru][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 15 UDP 10.0.4.165:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: gunnar][PLAIN TEXT ( EHFFEOEOEBFCCACACACACACACACACA)][Plen Bins: 
0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 9 TCP 10.19.71.184:55489 -> 10.17.113.129:139 [VLAN: 2308][proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/130 bytes -> 0 pkts/0 bytes][Goodput ratio: 55/0][< 1 sec][Risk: ** Unidirectional Traffic **** Probing attempt **][Risk Score: 60][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][PLAIN TEXT (D EJECEJEGEIFBDBDBFHFDDADCDDCAC)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 10 TCP 10.0.4.24:139 <-> 10.0.4.131:1398 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 2][cat: System/18][1 pkts/60 bytes <-> 1 pkts/60 bytes][Goodput ratio: 2/0][< 1 sec][Risk: ** Probing attempt **][Risk Score: 50][Risk Info: TCP connection with unidirectional traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 11 UDP 10.0.4.24:137 -> 10.0.4.165:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/104 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][< 1 sec][Hostname/SNI: gunnar][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT ( EHFFEOEOEBFCCACACACACACACACACA)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 12 UDP 10.0.5.1:137 -> 10.0.4.24:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/104 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][< 1 sec][Hostname/SNI: guru][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 13 UDP 10.0.4.14:137 -> 
10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: guru][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 14 UDP 10.0.4.24:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: guru][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 15 UDP 10.0.4.66:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: guru][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 16 UDP 10.0.4.165:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: gunnar][PLAIN TEXT ( EHFFEOEOEBFCCACACACACACACACACA)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/pgsql2.pcapng.out b/tests/cfgs/default/result/pgsql2.pcapng.out new file mode 100644 index 00000000000..c8d4fc837b8 --- /dev/null +++ b/tests/cfgs/default/result/pgsql2.pcapng.out 
@@ -0,0 +1,26 @@ +DPI Packets (TCP): 6 (6.00 pkts/flow) +Confidence DPI : 1 (flows) +Num dissector calls: 157 (157.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +Automa host: 0/0 (search/found) +Automa domain: 0/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 0/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 2/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +PostgreSQL 19 3076 1 + +Acceptable 19 3076 1 + + 1 TCP 10.220.20.67:58574 <-> 10.220.20.67:60102 [proto: 19/PostgreSQL][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Database/11][10 pkts/1252 bytes <-> 9 pkts/1824 bytes][Goodput ratio: 64/78][0.01 sec][bytes ratio: -0.186 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1/1 2/2 1/1][Pkt Len c2s/s2c min/avg/max/stddev: 44/44 125/203 372/1360 119/410][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Plen Bins: 25,0,12,25,0,0,0,0,0,12,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0]