From d54d5083b3682b4223e1b8fb0b033b5c293174d5 Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Sat, 30 Jul 2022 12:05:43 +0200
Subject: [PATCH] SMTPS, POPS, IMAPS: fix classification and extra dissection (#1685)

The big change in TLS code is to allow "master" protocols other than TLS/DTLS, like SMTPS, POPS and IMAPS. This change will allow, in a future, a proper and complete TLS dissection for all these protocols with "STARTTLS"-like messages.
---
 example/ndpiReader.c                      | 15 ++--
 src/lib/ndpi_main.c                       |  3 +
 src/lib/protocols/tls.c                   | 98 +++++++++++-----------
 tests/pcap/imaps.pcap                     | Bin 5540 -> 10704 bytes
 tests/result/6in4tunnel.pcap.out          |  4 +-
 tests/result/dtls2.pcap.out               |  2 +-
 tests/result/dtls_certificate.pcapng.out  |  2 +-
 tests/result/imaps.pcap.out               | 25 +++---
 tests/result/pops.pcapng.out              |  6 +-
 tests/result/smtps.pcapng.out             |  2 +-
 tests/result/whatsapp_login_call.pcap.out |  2 +-
 tests/result/zoom.pcap.out                |  4 +-
 12 files changed, 84 insertions(+), 79 deletions(-)

diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index f4c0f427a9c..c06be673311 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -1588,15 +1588,12 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
       fprintf(out, "[ESNI Cipher: %s]", ndpi_cipher2str(flow->ssh_tls.encrypted_sni.cipher_suite));
     }
 
-    if((flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS)
-       || (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS)) {
-      if(flow->ssh_tls.sha1_cert_fingerprint_set) {
-        fprintf(out, "[Certificate SHA-1: ");
-        for(i=0; i<20; i++)
-          fprintf(out, "%s%02X", (i > 0) ? ":" : "",
-                  flow->ssh_tls.sha1_cert_fingerprint[i] & 0xFF);
-        fprintf(out, "]");
-      }
+    if(flow->ssh_tls.sha1_cert_fingerprint_set) {
+      fprintf(out, "[Certificate SHA-1: ");
+      for(i=0; i<20; i++)
+        fprintf(out, "%s%02X", (i > 0) ? ":" : "",
+                flow->ssh_tls.sha1_cert_fingerprint[i] & 0xFF);
+      fprintf(out, "]");
     }
 
 #ifdef HEURISTICS_CODE
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 3c8d9181113..134af289998 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -8236,6 +8236,9 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp
   switch(proto) {
   case NDPI_PROTOCOL_TLS:
   case NDPI_PROTOCOL_DTLS:
+  case NDPI_PROTOCOL_MAIL_POPS:
+  case NDPI_PROTOCOL_MAIL_IMAPS:
+  case NDPI_PROTOCOL_MAIL_SMTPS:
   case NDPI_PROTOCOL_HTTP:
   case NDPI_PROTOCOL_HTTP_PROXY:
   case NDPI_PROTOCOL_HTTP_CONNECT:
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 3e69869c347..99c469766e0 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -101,39 +101,49 @@ union ja3_info {
 
 static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
-                                        struct ndpi_flow_struct *flow, u_int32_t protocol);
+                                        struct ndpi_flow_struct *flow);
 
 /* **************************************** */
 
 static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_struct *ndpi_struct,
-                                                 struct ndpi_flow_struct *flow, u_int32_t protocol) {
+                                                 struct ndpi_flow_struct *flow) {
   struct ndpi_packet_struct *packet = &ndpi_struct->packet;
-
-  // protocol = NDPI_PROTOCOL_TLS;
+  u_int32_t protocol;
 
   if(packet->tcp != NULL) {
-    switch(protocol) {
-    case NDPI_PROTOCOL_TLS:
-      {
-        /*
-          In case of TLS there are probably sub-protocols
-          such as IMAPS that can be otherwise detected
-        */
-        u_int16_t sport = ntohs(packet->tcp->source);
-        u_int16_t dport = ntohs(packet->tcp->dest);
-
-        if((sport == 465) || (dport == 465) || (sport == 587) || (dport == 587))
-          protocol = NDPI_PROTOCOL_MAIL_SMTPS;
-        else if((sport == 993) || (dport == 993)
-                || (flow->l4.tcp.mail_imap_starttls)
-                ) protocol = NDPI_PROTOCOL_MAIL_IMAPS;
-        else if((sport == 995) || (dport == 995)) protocol = NDPI_PROTOCOL_MAIL_POPS;
-      }
-      break;
-    }
+    /*
+      In case of TLS there are probably sub-protocols
+      such as IMAPS that can be otherwise detected
+    */
+    u_int16_t sport = ntohs(packet->tcp->source);
+    u_int16_t dport = ntohs(packet->tcp->dest);
+
+    if((sport == 465) || (dport == 465) || (sport == 587) || (dport == 587))
+      protocol = NDPI_PROTOCOL_MAIL_SMTPS;
+    else if((sport == 993) || (dport == 993) || (flow->l4.tcp.mail_imap_starttls))
+      protocol = NDPI_PROTOCOL_MAIL_IMAPS;
+    else if((sport == 995) || (dport == 995))
+      protocol = NDPI_PROTOCOL_MAIL_POPS;
+    else
+      protocol = NDPI_PROTOCOL_TLS;
+  } else {
+    protocol = NDPI_PROTOCOL_DTLS;
   }
 
-  return(protocol);
+  return protocol;
+}
+
+/* **************************************** */
+
+static u_int32_t __get_master(struct ndpi_detection_module_struct *ndpi_struct,
+                              struct ndpi_flow_struct *flow) {
+
+  if(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN)
+    return flow->detected_protocol_stack[1];
+  if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN)
+    return flow->detected_protocol_stack[0];
+
+  return ndpi_tls_refine_master_protocol(ndpi_struct, flow);
 }
 
 /* **************************************** */
@@ -301,9 +311,9 @@ static void checkTLSSubprotocol(struct ndpi_detection_module_struct *ndpi_struct
 
     if(ndpi_lru_find_cache(ndpi_struct->tls_cert_cache, key, &cached_proto, 0 /* Don't remove it as it can be used for other connections */)) {
-      ndpi_protocol ret = { NDPI_PROTOCOL_TLS, cached_proto, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL};
+      ndpi_protocol ret = { __get_master(ndpi_struct, flow), cached_proto, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL};
 
-      ndpi_set_detected_protocol(ndpi_struct, flow, cached_proto, NDPI_PROTOCOL_TLS, NDPI_CONFIDENCE_DPI_CACHE);
+      ndpi_set_detected_protocol(ndpi_struct, flow, cached_proto, __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI_CACHE);
       flow->category = ndpi_get_proto_category(ndpi_struct, ret);
       ndpi_check_subprotocol_risk(ndpi_struct, flow, cached_proto);
     }
@@ -641,7 +651,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
       }
 
       if(!flow->protos.tls_quic.subprotocol_detected)
-        if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, dNSName, dNSName_len))
+        if(ndpi_match_hostname_protocol(ndpi_struct, flow, __get_master(ndpi_struct, flow), dNSName, dNSName_len))
           flow->protos.tls_quic.subprotocol_detected = 1;
 
       i += len;
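Review bot: `__get_master`, introduced at the end of the first hunk, is a name beginning with two underscores, which C reserves for the implementation; the file's other file-scope helpers carry an `ndpi_` prefix, so `static u_int32_t ndpi_tls_get_master(...)` would fit, with the call sites in the later hunks renamed to match. The helper also has no comment, and since every master-protocol decision in the file now goes through it the contract is worth writing down: `/* Master protocol for this flow: whatever the detection stack already holds (stack[1], then stack[0]), otherwise the port-based guess from ndpi_tls_refine_master_protocol() */`. That fallback is purely port-based (465/587/993/995 pick SMTPS/IMAPS/POPS, any other TCP port TLS, non-TCP DTLS), so when the stack is empty the returned value is a guess rather than a dissected fact, which the comment should make clear to callers that store it.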
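Review bot: `__get_master(ndpi_struct, flow)` is evaluated twice in the `@@ -301` hunk, once for `ret` and once as the master argument of `ndpi_set_detected_protocol`; nothing touches the stack between the two calls, so the values agree today, but reading it once makes that obvious and keeps the two in step if a statement is ever inserted between them: `u_int32_t master = __get_master(ndpi_struct, flow);` then `ndpi_protocol ret = { master, cached_proto, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL};` and `ndpi_set_detected_protocol(ndpi_struct, flow, cached_proto, master, NDPI_CONFIDENCE_DPI_CACHE);`. The same double call appears in the `@@ -681` hunk of processCertificateElements with `proto_id` and `NDPI_CONFIDENCE_DPI`.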
@@ -681,9 +691,9 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
         if(rc == 0) {
           /* Match found */
           u_int16_t proto_id = (u_int16_t)val;
-          ndpi_protocol ret = { NDPI_PROTOCOL_TLS, proto_id, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL};
+          ndpi_protocol ret = { __get_master(ndpi_struct, flow), proto_id, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL};
 
-          ndpi_set_detected_protocol(ndpi_struct, flow, proto_id, NDPI_PROTOCOL_TLS, NDPI_CONFIDENCE_DPI);
+          ndpi_set_detected_protocol(ndpi_struct, flow, proto_id, __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI);
           flow->category = ndpi_get_proto_category(ndpi_struct, ret);
           ndpi_check_subprotocol_risk(ndpi_struct, flow, proto_id);
 
@@ -856,7 +866,7 @@ int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
   case 0x02: /* Server Hello */
     processClientServerHello(ndpi_struct, flow, 0);
     flow->protos.tls_quic.hello_processed = 1;
-    ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
+    ndpi_int_tls_add_connection(ndpi_struct, flow);
 
 #ifdef DEBUG_TLS
     printf("*** TLS [version: %02X][%s Hello]\n",
@@ -897,10 +907,8 @@ int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
 
 static void ndpi_looks_like_tls(struct ndpi_detection_module_struct *ndpi_struct,
                                 struct ndpi_flow_struct *flow) {
-  // ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
 
-  if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)
-    flow->guessed_protocol_id = NDPI_PROTOCOL_TLS;
+  flow->guessed_protocol_id = __get_master(ndpi_struct, flow);
 }
 
 /* **************************************** */
@@ -995,7 +1003,7 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
          message->buffer[2] <= 0x04 &&
          alert_len == (u_int32_t)message->buffer_used - 5) {
 
-        ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
+        ndpi_int_tls_add_connection(ndpi_struct, flow);
       }
     }
 
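Review bot: `ndpi_looks_like_tls` in the `@@ -897` hunk now assigns `flow->guessed_protocol_id` unconditionally, whereas the removed code only filled it when it was still `NDPI_PROTOCOL_UNKNOWN`; a guess recorded earlier by another dissector or by port matching is therefore overwritten with `__get_master()`'s port-based fallback whenever the detection stack is empty. The larger "Guessed flow protos" counts in the updated expected outputs suggest this is intended, but neither the commit message nor the code says so. If it is intended, a one-line comment such as `/* Overrides any earlier guess: the TLS/mail port-based guess is taken as more specific */` would stop the next reader from restoring the guard; if it is not, keep `if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)` in front of the assignment.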
@@ -1041,7 +1049,7 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
          message->buffer[2] <= 0x04 &&
          block_len == (u_int32_t)message->buffer_used - 5) {
 
-        ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
+        ndpi_int_tls_add_connection(ndpi_struct, flow);
       }
 
       if(flow->l4.tcp.tls.certificate_processed) {
@@ -1254,27 +1262,21 @@ static void tlsCheckUncommonALPN(struct ndpi_detection_module_struct *ndpi_struc
 /* **************************************** */
 
 static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
-                                        struct ndpi_flow_struct *flow, u_int32_t protocol) {
-  struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+                                        struct ndpi_flow_struct *flow) {
+  u_int32_t protocol;
 
 #if DEBUG_TLS
   printf("[TLS] %s()\n", __FUNCTION__);
 #endif
 
-  if((packet->udp != NULL) && (protocol == NDPI_PROTOCOL_TLS))
-    protocol = NDPI_PROTOCOL_DTLS;
-
-  if((flow->detected_protocol_stack[0] == protocol)
-     || (flow->detected_protocol_stack[1] == protocol)) {
+  if((flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) ||
+     (flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN)) {
     if(!flow->check_extra_packets)
       tlsInitExtraPacketProcessing(ndpi_struct, flow);
 
     return;
   }
 
-  if(protocol != NDPI_PROTOCOL_TLS)
-    ;
-  else
-    protocol = ndpi_tls_refine_master_protocol(ndpi_struct, flow, protocol);
+  protocol = __get_master(ndpi_struct, flow);
 
   ndpi_set_detected_protocol(ndpi_struct, flow, protocol, protocol, NDPI_CONFIDENCE_DPI);
@@ -1883,7 +1885,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
       }
 
       if(!is_quic) {
-        if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, sni, sni_len))
+        if(ndpi_match_hostname_protocol(ndpi_struct, flow, __get_master(ndpi_struct, flow), sni, sni_len))
           flow->protos.tls_quic.subprotocol_detected = 1;
       } else {
         if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, sni, sni_len))
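Review bot: the early return in `ndpi_int_tls_add_connection` (`@@ -1254` hunk) now fires when the detection stack holds any protocol at all, where it previously fired only when the stack already held the TLS/DTLS protocol being added; if this dissector is still invoked for a flow that something else classified first, that flow keeps its existing label and merely gets TLS extra-packet processing enabled, instead of being set to TLS as before. That is presumably what lets the IMAPS/POPS/SMTPS masters survive, but it is a silent widening of the condition and deserves a comment on the `if`, e.g. `/* Already classified (e.g. IMAPS/POPS/SMTPS by a mail dissector): keep the label and only enable TLS extra dissection */`. The function's body continues past the end of this hunk, so the effect of `ndpi_set_detected_protocol(..., protocol, protocol, ...)` on the remaining lines could not be checked here.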
@@ -1900,7 +1902,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
          /* Check if it ends in .com or .net */
          && ((strcmp(&sni[sni_len-4], ".com") == 0) || (strcmp(&sni[sni_len-4], ".net") == 0))
          && (strncmp(sni, "www.", 4) == 0)) /* Not starting with www.... */
-        ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_TLS, NDPI_CONFIDENCE_DPI);
+        ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI);
       } else {
 #ifdef DEBUG_TLS
         printf("[TLS] SNI: (NO DGA) [%s]\n", sni);
diff --git a/tests/pcap/imaps.pcap b/tests/pcap/imaps.pcap index c038b57e2a94c061dde0969bfa965557ba1e60f3..f0a2cdbe15c30599c9ae7336f3e699e0d4c56d2e 100644 GIT binary patch delta 5427 zcmcgv30PCd7M^==5+Gp@0-`_^ls(+Ah*&|9O;Ow^DioIx0z@$hSwOLHAr>u)6+{uY z2UM;5R?%t|i3$iVPZULPw^l{0eOfo%;LRkcsYUJgy;skdNit{q&zXDX%-nTu4N(-+ z$cVWb01!FY%?5+Non1r#D=bGS&sNz?w9@&z;aNx}pUU#^vU@UoQgO0h!eMRG|WZYb%N z{>DB*m?l^7<5Pq#Fb;r%LIGKH{Q?M!{xjf^!hz`e4|K5K=ZLtFGr>m7MbZ?FOe^)d z2c=o#p%ihEG(kr?7fG8VpcHYDbU1>9ggpDaI3nKdig{qYAOi{BH}_q7R9rL_*R`i1 z9Z1OjV#87K?p=5r9r{OnB+`|WXQ25myw~nS`ltV-qZ5M{(phGF7llCUCIlIhH=Fnt z9Wd#klZI}RO09}+lnp3ENGQt1-qqqFSJOQR0rB5YvWK7sCE2S8H}lj%C_(m+kc)Vv z;%}CTTp<4YE*3xOa?$cZ7kW>jimCYrT?9gTVKZ4&V{W4p!~+xoBoxG!Z)?Rxcg!#J z1c>{72&}wXjr~)$uD!m_N+*;GAoeN0?r)MGiN;UcM2BLiUH zJ~~iaG)hLpIT~F=2N#~?>w{1LhN90rXyaB*z zbQMMrbPUsHnp7-2jAS$%eIuNAc$5~f*yb;QhQNzVeg_!HNd7QjfCg~Z#{u7LB$S|Y z;5kVI3?u^LzoB;-4n`UB7)pJV9mx9*rznlEZ+}hW=UW;Y+TqYf~a?FEFpr%cuu7j6cz|V zY$`)q`!dcce%sdUa8-P4&p6KBK6y)*v=P^eS=I(_;VmIkRu)^9jGAk|w5Pr47H3%t z7_eXg8)M^aLhY`0JGn_ssy(Tb8`X|#2Q^b|pmtU}sV&rOum*O^0Jtu`z*DWSHU~_I zpBWpg$;KYo0$?MW$(M5ZauJ^^7YdZHVGCtxLK#;qRKPwDI-x!QOt{EQXk`mo)}SX~ z0UUDafDXSQ89}BcjiB^tG>lH*gg#xLPRH~a3=FE7Lj`Z(23(*$RJR43;^Wa0&toy= z=ObDxibuz7s4~}U;ojfXwrA}o`in0f83GUJ9)l(<=EaKyjUb>)EFuC~_W*}Ah~0ka z)L*yqf13IC@llbXeXCn+eSQB@Y;P-DTWo=h#COHkO|4O%v)H<+HR^K~TQ{{vea>R* zrkMWz^Y6y^|G@eH{+nWJpldNu&u*XEB-sw0qxH-O)B#JEC~Wk#sLLl2*S4a*BO0Nxidxwmb&{}TwZ(My3TED{)7mx zl37RAkL6TySevufm(DWFXjm}HsIbFIK)c8=cY9K&(_*wPT?U?VDaCuzhmaGf`N-ZLW%W6=Sb zQ_EwK1`Hya#$e;oQ9M)97)|uqdOtT~%wO zfHqu#WTvM~D3!=X3W;pCC(noULRJLZ?Va-|P3z?ZLvvB0NWfPJIYCNAvP33Q%;tD- z!o5g4D`{Rol|LN6~3I!s53MWJ| zlP?l;qTo>@5}@TAH7c0rK=#qD%SVo+qW-i#)c1O;PqX5pR+NXj-P@M9%iY25R_g41 zsbgR7PZ)qbNslo(93Ir)>}ikIVfu@V$-43!L72?V>D8ghPh4(~8@gJ3Do$4W=nC_| z@vyD)M}$bxg@Io|eCCdTvIL-}7k?m!ImmH^;SS>5#kIMTgJ(?5r#Hx9!)yylRjE zRT9*z>GJHg8T|F5u?K2aQ(N`oVda@m1z%?hj-Kf_;8Afh@TcHcg$94b8A{t~++ROX zzVPFAh6mkRVO6nmf!>N5EW&5oucw1+j8`~Wj(D;Bt5jRAKRgcswpK+*NEI=IG=$4$ 
z%f_%y8cu?u1UiR8MQ&??I5YyMmyutfxjhY59!ZvQ%iQN_3l`R^ETx-jl_!dlyyV^< zJT8=z@yM7%`-+SqM>AN{<_*W@y%uA7Rs=bO3}EQPdZW|zaLkgY*#u}0P;aaF6MKQw zW6+aw3^9z%QN8hmVYD<-LAt(~lh{1FF3%EyT-r^zWY}9>eBL0aOGyW5w_?{``a~3( zbYZFr(jKMiK!aN*+oE4+PV(6P0|UPBa6fcvdduE`-H8G+6e*a|0?EOuk5nn8vP(}- z=YIHRMcN`i#xzTsh4D>4_;v-`FuD)uwrKxpA8pYknikFabBpddUelr}*rO-GyB)d@ zyy?-mq(OlW5jP(%Uv^-6W#^gbI#PvYGMJif(KH*U;WQOC6AlrU1k%8|{RRaU){`ve zA7FofGD*rD>{~*6-s{@Fo9U;F>x?d&Lf@%*?b~j^7ZC!4lc6{##%*TcxRzY zpmrQ~`Zm1uj+tKWURj*_ZpYQzn=SA@;9zF?mw2(zxNJdfUSqTP-%0e~=-2xm-;Dnu zWA~)iZ5tu*ftG6r?H8o(DO&2VeDjhy;R7cwV{RGWYEw|0FyK48Gr3ye9e=z9?gJh@ zNC@TjeB9=p>zws+TEXuzEmY%@t(Auk*`1%;i!J>13eFjPFZrhR!2Co1s+1P=sgtB7 z4eC=}>z8hy>@g%TB)8BOD8U2^#!Al%M}BL3a-%Zj$G~G@Y5NbZFpE?FXK6`vQ(gmn zAwwBgSZaX7$Pk<(X=b=gA8~9^;{0;u?&7?~kwoLdi3RQ||`@3MD5eFFH|qR=Q{;l4V4#$F4-`pmI#jDQSkJN`GuGl z)T5to#Ph5(lbn|+%XcnLoFkar@0fuT%XXOYzS5m1-H*kYhL*=x7WTP*>A}Hecjuns z@0c+)fwyw=%6Yvj7n)Q%naSJY5_}tWR2^KoG_jFwcOd`%s=6(+Gs5$4b|^Mo;@gcC zuFEwm#a29M4STj+E=WIFw=8;dWRGpFQ=bi55=_OOpc$TR6|`2~j?RAUl0e@xXZ6>m zR=uSPkB2YMNnZE$$-2EReZTsge2C1^-aF#L{^8EP!)_fJdUoW?F`{}vr;#dnc&mt3 z?fH)By|++g&fQd9Kyu<3|>76l7Thf|du@p1*ZP-4f`pd@^ypStJ z6Y|%MnzAbIgyY;*zf8>hsoC7VK6mEhGuaQvuA0C79Ltpc(&=aCnO1ix03SE%y>_8pmw7Mvbo~Yu48r<26xL=>wA)jz<&g{IW>9&{PNC z&VpvwHH+@-ToO5$a%C1>K4lpud^YWyg=r%To#YlvuDAWZ*s^VrabTKNRc2mxc1Z9Y hkL$q(%8LV9w_VB`^klO6cMhhsxm|}ad@Dt5`@ikU{^tMy delta 373 zcmcZ*yhK~|%Hd55nHX3Y5P*e&5y%mka4Bx502hNFknK15pn%B4ySBU_L6hTL3|>G% zugQVTB9na?Ejd7<%|Ow~3mCn?9FuEY44YY)bQ!@s(*kaW$pOOBlhc{?!2-9|a5HS) z!2F68%rjUEl-|HBz4<)nc~-CuMnI8=KpP%{ZMevP0j#bFq)tK5bn-_5QLsQMM8FHI zr=OpPVJ%S4T98vG&lQ{lRw8Q83$Z$1NFS^$2`EqsR8|UBc2Ot=tgQbcSQ*45_De7& zApe~ehA6QEicVf2YBIS&L=3EFbqXKQ*&^4$9PU&gXMrfhfRtK3hNnO~o`UU=6}tjf NQo+y9FqubuIsg`@bD{tM diff --git a/tests/result/6in4tunnel.pcap.out b/tests/result/6in4tunnel.pcap.out index a8d2f8c3d05..f4522e3aa82 100644 --- a/tests/result/6in4tunnel.pcap.out +++ b/tests/result/6in4tunnel.pcap.out 
@@ -1,6 +1,6 @@
-Guessed flow protos: 0
+Guessed flow protos: 2
 
-DPI Packets (TCP): 27 (5.40 pkts/flow)
+DPI Packets (TCP): 29 (5.80 pkts/flow)
 DPI Packets (UDP): 4 (2.00 pkts/flow)
 DPI Packets (other): 3 (1.00 pkts/flow)
 Confidence DPI : 10 (flows)
diff --git a/tests/result/dtls2.pcap.out b/tests/result/dtls2.pcap.out
index fc0e49fc2d1..9b15cb1b6af 100644
--- a/tests/result/dtls2.pcap.out
+++ b/tests/result/dtls2.pcap.out
@@ -26,4 +26,4 @@ JA3 Host Stats: 1 61.68.110.153 1 - 1 UDP 61.68.110.153:53045 <-> 212.32.214.39:61457 [proto: 30/DTLS][Encrypted][Confidence: DPI][cat: Web/5][14 pkts/2246 bytes <-> 16 pkts/2745 bytes][Goodput ratio: 74/75][382.15 sec][bytes ratio: -0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/241 27857/28359 60550/60551 26256/25033][Pkt Len c2s/s2c min/avg/max/stddev: 123/102 160/172 325/867 46/180][Risk: ** Weak TLS Cipher **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **][Risk Score: 160][Risk Info: No ALPN / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][DTLSv1.0][JA3C: 1b45c913a0c0fde5f263502e65999485][JA3S: 749bd1edea60396ffaa65213b7971718 (WEAK)][Issuer: C=US][Subject: C=US, CN=*.relay.ros.rockstargames.com][Validity: 2014-09-12 21:31:19 - 2037-02-15 21:31:19][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][PLAIN TEXT (140912213119Z)][Plen Bins: 0,3,43,46,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 61.68.110.153:53045 <-> 212.32.214.39:61457 [proto: 30/DTLS][Encrypted][Confidence: DPI][cat: Web/5][14 pkts/2246 bytes <-> 16 pkts/2745 bytes][Goodput ratio: 74/75][382.15 sec][bytes ratio: -0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/241 27857/28359 60550/60551 26256/25033][Pkt Len c2s/s2c min/avg/max/stddev: 123/102 160/172 325/867 46/180][Risk: ** Weak TLS Cipher **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **][Risk Score: 160][Risk Info: No ALPN / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][DTLSv1.0][JA3C: 1b45c913a0c0fde5f263502e65999485][JA3S: 749bd1edea60396ffaa65213b7971718 (WEAK)][Issuer: C=US][Subject: C=US, CN=*.relay.ros.rockstargames.com][Certificate SHA-1: AB:59:0E:11:EC:94:4D:D5:D3:40:7E:6E:3B:8B:6A:19:CA:B7:85:2C][Validity: 2014-09-12 21:31:19 - 2037-02-15 21:31:19][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][PLAIN TEXT (140912213119Z)][Plen Bins: 0,3,43,46,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 
diff --git a/tests/result/dtls_certificate.pcapng.out b/tests/result/dtls_certificate.pcapng.out
index b2a46769f79..0437a2c59bc 100644
--- a/tests/result/dtls_certificate.pcapng.out
+++ b/tests/result/dtls_certificate.pcapng.out
@@ -25,4 +25,4 @@ JA3 Host Stats: IP Address # JA3C - 1 UDP 191.62.60.190:443 -> 163.205.15.180:38876 [proto: 91.147/TLS.WindowsUpdate][Encrypted][Confidence: DPI][cat: SoftwareUpdate/19][1 pkts/1486 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][< 1 sec][Risk: ** TLS Cert Expired **** Unidirectional Traffic **][Risk Score: 110][Risk Info: No client to server traffic / 27/Feb/2017 12:00:00 - 27/Feb/2019 00:00:00][JA3S: 953c1507994f72697446de4eff6e300b][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Update Secure Server CA 1][Subject: C=US, ST=Washington, L=Redmond, O=Microsoft, OU=DSP, CN=www.update.microsoft.com][Certificate SHA-1: D1:88:0F:51:C1:01:91:72:A1:A4:6E:69:F4:33:7F:FE:3E:C4:F0:39][Validity: 2017-02-27 12:00:00 - 2019-02-27 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][PLAIN TEXT (Washington1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0] + 1 UDP 191.62.60.190:443 -> 163.205.15.180:38876 [proto: 30.147/DTLS.WindowsUpdate][Encrypted][Confidence: DPI][cat: SoftwareUpdate/19][1 pkts/1486 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][< 1 sec][Risk: ** TLS Cert Expired **** Unidirectional Traffic **][Risk Score: 110][Risk Info: No client to server traffic / 27/Feb/2017 12:00:00 - 27/Feb/2019 00:00:00][JA3S: 953c1507994f72697446de4eff6e300b][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Update Secure Server CA 1][Subject: C=US, ST=Washington, L=Redmond, O=Microsoft, OU=DSP, CN=www.update.microsoft.com][Certificate SHA-1: D1:88:0F:51:C1:01:91:72:A1:A4:6E:69:F4:33:7F:FE:3E:C4:F0:39][Validity: 2017-02-27 12:00:00 - 2019-02-27 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][PLAIN TEXT (Washington1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0] diff --git a/tests/result/imaps.pcap.out b/tests/result/imaps.pcap.out index bb044d89386..27dbdd66943 100644 
--- a/tests/result/imaps.pcap.out
+++ b/tests/result/imaps.pcap.out
@@ -1,8 +1,8 @@
-Guessed flow protos: 0
+Guessed flow protos: 1
 
-DPI Packets (TCP): 7 (7.00 pkts/flow)
-Confidence DPI : 1 (flows)
-Num dissector calls: 3 (3.00 diss/flow)
+DPI Packets (TCP): 15 (7.50 pkts/flow)
+Confidence DPI : 2 (flows)
+Num dissector calls: 6 (3.00 diss/flow)
 LRU cache ookla: 0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom: 0/0/0 (insert/search/found)
@@ -10,20 +10,23 @@ LRU cache stun: 0/0/0 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) -Automa host: 1/1 (search/found) -Automa domain: 1/0 (search/found) +Automa host: 3/1 (search/found) +Automa domain: 2/0 (search/found) Automa tls cert: 0/0 (search/found) -Automa risk mask: 1/0 (search/found) +Automa risk mask: 2/0 (search/found) Automa common alpns: 0/0 (search/found) -Patricia risk mask: 2/0 (search/found) +Patricia risk mask: 6/0 (search/found) Patricia risk: 0/0 (search/found) -Patricia protocols: 4/0 (search/found) +Patricia protocols: 12/0 (search/found) ntop 20 5196 1 +IMAPS 8 4378 1 JA3 Host Stats: IP Address # JA3C - 1 192.168.1.8 1 + 1 192.168.0.1 1 + 2 192.168.1.8 1 - 1 TCP 192.168.1.8:50506 <-> 167.99.215.164:993 [proto: 91.26/TLS.ntop][Encrypted][Confidence: DPI][cat: Network/14][10 pkts/1220 bytes <-> 10 pkts/3976 bytes][Goodput ratio: 45/83][0.33 sec][Hostname/SNI: mail.ntop.org][bytes ratio: -0.530 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 33/22 77/43 26/19][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 122/398 293/1506 78/557][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 4923a265be4d81c68ecda45bb89cdf6a][ServerNames: mail.ntop.org][JA3S: b653c251b0ee54c3088fe7bb997cf59d][Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3][Subject: CN=mail.ntop.org][Certificate SHA-1: F1:9A:35:30:96:57:5E:56:81:28:2C:D9:45:A5:83:21:9E:E8:C5:DF][Firefox][Validity: 2020-04-18 00:15:22 - 2020-07-17 00:15:22][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,20,10,10,20,10,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0] + 1 TCP 192.168.1.8:50506 <-> 167.99.215.164:993 [proto: 51.26/IMAPS.ntop][Encrypted][Confidence: DPI][cat: Email/3][10 pkts/1220 bytes <-> 10 pkts/3976 bytes][Goodput ratio: 45/83][0.33 sec][Hostname/SNI: 
mail.ntop.org][bytes ratio: -0.530 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 33/22 77/43 26/19][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 122/398 293/1506 78/557][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 4923a265be4d81c68ecda45bb89cdf6a][ServerNames: mail.ntop.org][JA3S: b653c251b0ee54c3088fe7bb997cf59d][Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3][Subject: CN=mail.ntop.org][Certificate SHA-1: F1:9A:35:30:96:57:5E:56:81:28:2C:D9:45:A5:83:21:9E:E8:C5:DF][Firefox][Validity: 2020-04-18 00:15:22 - 2020-07-17 00:15:22][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][PLAIN TEXT (mail.ntop.org)][Plen Bins: 0,20,10,10,20,10,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0] + 2 TCP 192.168.0.1:51529 <-> 10.10.10.1:993 [proto: 51/IMAPS][Encrypted][Confidence: DPI][cat: Email/3][4 pkts/1322 bytes <-> 4 pkts/3056 bytes][Goodput ratio: 78/91][0.22 sec][Hostname/SNI: imap.asia.secureserver.net][bytes ratio: -0.396 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 46/68 136/135 64/68][Pkt Len c2s/s2c min/avg/max/stddev: 78/74 330/764 583/1454 252/690][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 66b2d7acea2c20aeeebd69c8d44089d7][JA3S: a9e3ed16ee3208291487c8d2aa2ad924][Safari][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][PLAIN TEXT (imap.asia.secureserver.net)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0] diff --git a/tests/result/pops.pcapng.out b/tests/result/pops.pcapng.out index 862267786ab..0b147047485 100644 --- a/tests/result/pops.pcapng.out +++ b/tests/result/pops.pcapng.out @@ -1,6 +1,6 @@ -Guessed flow protos: 0 +Guessed flow protos: 1 -DPI Packets (TCP): 3 (3.00 pkts/flow) +DPI Packets (TCP): 5 (5.00 pkts/flow) Confidence DPI : 1 (flows) Num dissector calls: 3 (3.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) 
@@ -26,4 +26,4 @@ JA3 Host Stats: 1 192.168.0.1 1 - 1 TCP 192.168.0.1:55077 <-> 10.10.10.1:995 [proto: 23/POPS][Encrypted][Confidence: DPI][cat: Email/3][2 pkts/304 bytes <-> 3 pkts/2694 bytes][Goodput ratio: 60/94][0.55 sec][Hostname/SNI: pop.secureserver.net][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 36f7277af969a6947a61ae0b815907a1][Firefox][PLAIN TEXT (pop.secureserver.net)][Plen Bins: 0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0] + 1 TCP 192.168.0.1:55077 <-> 10.10.10.1:995 [proto: 23/POPS][Encrypted][Confidence: DPI][cat: Email/3][2 pkts/304 bytes <-> 3 pkts/2694 bytes][Goodput ratio: 60/94][0.55 sec][Hostname/SNI: pop.secureserver.net][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 36f7277af969a6947a61ae0b815907a1][JA3S: 245de059547a730e42852c315cdc5a02][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384][PLAIN TEXT (pop.secureserver.net)][Plen Bins: 0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0] diff --git a/tests/result/smtps.pcapng.out b/tests/result/smtps.pcapng.out index 48121197c3a..4f927c988e0 100644 --- a/tests/result/smtps.pcapng.out +++ b/tests/result/smtps.pcapng.out @@ -1,6 +1,6 @@ Guessed flow protos: 0 -DPI Packets (TCP): 3 (3.00 pkts/flow) +DPI Packets (TCP): 4 (4.00 pkts/flow) Confidence DPI : 1 (flows) Num dissector calls: 3 (3.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) diff --git a/tests/result/whatsapp_login_call.pcap.out b/tests/result/whatsapp_login_call.pcap.out index 0f0eb203985..922c4b1bcae 100644 --- a/tests/result/whatsapp_login_call.pcap.out +++ b/tests/result/whatsapp_login_call.pcap.out 
@@ -1,6 +1,6 @@
 Guessed flow protos: 20
 
-DPI Packets (TCP): 93 (3.44 pkts/flow)
+DPI Packets (TCP): 105 (3.89 pkts/flow)
 DPI Packets (UDP): 35 (1.21 pkts/flow)
 DPI Packets (other): 1 (1.00 pkts/flow)
 Confidence Match by port : 4 (flows)
diff --git a/tests/result/zoom.pcap.out b/tests/result/zoom.pcap.out
index 4da11fe917f..85d5641f36f 100644
--- a/tests/result/zoom.pcap.out
+++ b/tests/result/zoom.pcap.out
@@ -1,6 +1,6 @@
-Guessed flow protos: 4
+Guessed flow protos: 5
 
-DPI Packets (TCP): 118 (8.43 pkts/flow)
+DPI Packets (TCP): 119 (8.50 pkts/flow)
 DPI Packets (UDP): 25 (1.47 pkts/flow)
 DPI Packets (other): 2 (1.00 pkts/flow)
 Confidence Match by IP : 2 (flows)