From 76829b413fe5a6fce197d928fe8f27f9431c4ac9 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Sun, 29 Oct 2023 22:54:15 +0100 Subject: [PATCH] Implements support for symbolic host names (#2123) --- example/protos.txt | 7 +- src/lib/ndpi_main.c | 79 +++++++++++++------ tests/cfgs/default/result/443-chrome.pcap.out | 4 +- tests/cfgs/default/result/443-curl.pcap.out | 4 +- .../cfgs/default/result/443-firefox.pcap.out | 4 +- tests/cfgs/default/result/443-safari.pcap.out | 4 +- tests/cfgs/default/result/http_ipv6.pcap.out | 10 +-- 7 files changed, 75 insertions(+), 37 deletions(-) diff --git a/example/protos.txt b/example/protos.txt index 683107f7438..d8cde502276 100644 --- a/example/protos.txt +++ b/example/protos.txt @@ -46,7 +46,6 @@ host:"api-global.netflix.com"@Netflix # detected as .Google but only # as # - ip:213.75.170.11/32:443@CustomProtocol ip:8.248.73.247:443@AmazonPrime ip:54.80.47.130@AmazonPrime @@ -61,6 +60,12 @@ ipv6:[247f:855b:5e16:3caf::]/64@CustomProtocolF ipv6:[fe80::76ac:b9ff:fe6c:c124]:12717@CustomProtocolG ipv6:[fe80::76ac:b9ff:fe6c:c124]:12718@CustomProtocolH +# +# You can use symbolic IP addreses if you want +# +ip:www.ntop.org@ntop +ipv6:www.ntop.org@ntop + # # Risk Exceptions # diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 4a42a51121b..9a74b8b0256 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
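Review bot: The new comment block misspells "addresses" — `# You can use symbolic IP addreses if you want` — and "symbolic IP address" undersells what the line below does, since `ip:www.ntop.org@ntop` is a host name that is resolved when the file is loaded; `# You can use symbolic host names (resolved via DNS at load time) instead of numeric addresses` says both. The `ipv6:www.ntop.org@ntop` example only loads if the name has an AAAA record at that moment, which the file does not mention. Because the `.pcap.out` expectations elsewhere in this patch change together with this file (`Patricia protocols` counts and `[IP: 26/ntop]`), the test suite now appears to depend on this name resolving to the same addresses in the test environment; pinning the numeric equivalents in the test configuration would keep the results hermetic.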
@@ -191,7 +191,7 @@ static ndpi_risk_info ndpi_known_risks[] = { { NDPI_TCP_ISSUES, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, { NDPI_FULLY_ENCRYPTED, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, { NDPI_TLS_ALPN_SNI_MISMATCH, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, - { NDPI_MALWARE_HOST_CONTACTED, NDPI_RISK_SEVERE, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, + { NDPI_MALWARE_HOST_CONTACTED, NDPI_RISK_SEVERE, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, /* Leave this as last member */ { NDPI_MAX_RISK, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_NO_ACCOUNTABILITY } @@ -2698,17 +2698,19 @@ static void ndpi_init_ptree_ipv6(struct ndpi_detection_module_struct *ndpi_str, /* ******************************************* */ static int ndpi_add_host_ip_subprotocol(struct ndpi_detection_module_struct *ndpi_str, - char *value, u_int16_t protocol_id) { + char *value, u_int16_t protocol_id, + u_int8_t is_ipv6) { ndpi_patricia_node_t *node; struct in_addr pin; struct in6_addr pin6; int bits = 32; - int is_ipv6 = 0; char *ptr = strrchr(value, '/'); u_int16_t port = 0; /* Format ip:8.248.73.247 */ /* Format ipv6:[fe80::76ac:b9ff:fe6c:c124]/64 */ char *double_column = NULL; - + struct hostent *h; + bool value_ready = false; + if(!ndpi_str->protocols_ptree) return(-1); @@ -2741,6 +2743,7 @@ static int ndpi_add_host_ip_subprotocol(struct ndpi_detection_module_struct *ndp } else { /* Let's check if there is the port defined + Example: ip:8.248.73.247:443@AmazonPrime Example: ipv6:[fe80::76ac:b9ff:fe6c:c124]:36818@CustomProtocolF */ 
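Review bot: The new `is_ipv6` parameter and the `struct hostent *h` / `bool value_ready` locals change the contract of `ndpi_add_host_ip_subprotocol` — `value` may now be a host name rather than a numeric literal, and the address family is fixed by the caller's prefix instead of being derived from the text — but the definition still carries no comment stating it, so a name that only has an A record will be rejected under `ipv6:` with nothing explaining why. Suggest a header comment above the definition, for example `/* value: numeric IPv4/IPv6 address (optionally with /bits and :port), or a host name resolved at rule-load time in the family selected by is_ipv6. */`. The function body continues in the following hunks.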
@@ -2761,12 +2764,41 @@ static int ndpi_add_host_ip_subprotocol(struct ndpi_detection_module_struct *ndp } if(!is_ipv6) { - if(inet_pton(AF_INET, value, &pin) != 1) - return(-1); + /* Check if the IP address is symbolic or numeric */ + unsigned int d[4]; + char tail[16] = { '\0' }; + int c = sscanf(value, "%3u.%3u.%3u.%3u%s", &d[0], &d[1], &d[2], &d[3], tail); + + if ((c != 4) || tail[0]) { + /* This might be a symbolic IPv4 address */ + + if((h = gethostbyname2(value, AF_INET)) != NULL) { + memcpy(&pin, h->h_addr_list[0], sizeof(pin)); + value_ready = true; + } + } + + if(!value_ready) { + if(inet_pton(AF_INET, value, &pin) != 1) + return(-1); + } + node = add_to_ptree(ndpi_str->protocols_ptree, AF_INET, &pin, bits); } else { - if(inet_pton(AF_INET6, value, &pin6) != 1) - return(-1); + if(strchr(value, ':') == NULL) { + /* This might be a symbolic IPv6 address */ + + if((h = gethostbyname2(value, AF_INET6)) != NULL) { + memcpy(&pin6, h->h_addr_list[0], sizeof(pin6)); + value_ready = true; + } + } + + if(!value_ready) { + if(inet_pton(AF_INET6, value, &pin6) != 1) + return(-1); + } + node = add_to_ptree(ndpi_str->protocols_ptree6, AF_INET6, &pin6, bits); } @@ -3668,16 +3700,16 @@ int ndpi_match_custom_category(struct ndpi_detection_module_struct *ndpi_str, char buf[128]; u_int8_t class_id; u_int max_len = sizeof(buf)-1; - + if(name_len > max_len) name_len = max_len; memcpy(buf, name, name_len); buf[name_len] = '\0'; - + if(ndpi_domain_classify_contains(ndpi_str->custom_categories.sc_hostnames, &class_id, buf)) { *category = (ndpi_protocol_category_t)class_id; return(0); - } else + } else return(-1); /* Not found */ #endif } 
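Review bot: The `%s` conversion in `sscanf(value, "%3u.%3u.%3u.%3u%s", ...)` has no field width, so a rule value that begins with a dotted quad and continues for more than 15 characters overflows the 16-byte `tail` on the stack; write it as `%15s`, or, since only `tail[0]` is inspected, scan a single `%c` into a `char`. The IPv4 and IPv6 branches then `memcpy` `h->h_addr_list[0]` without checking `h->h_addrtype` and `h->h_length` against `sizeof(pin)` / `sizeof(pin6)`, which is a cheap guard to add before the copy. `gethostbyname2` returns a pointer to storage shared across calls and is obsolete in POSIX-derived libcs; `getaddrinfo` with `hints.ai_family` taken from `is_ipv6` is the reentrant replacement and also lets the code distinguish "did not resolve" from "malformed literal", whereas now both paths end in the same bare `return(-1)` after `inet_pton` fails. Since the lookup runs at rule-load time, classification results now depend on the resolver answering, so a debug log naming `value` on resolution failure would help operators. `ndpi_add_host_ip_subprotocol` begins in the preceding hunk.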
@@ -4300,13 +4332,14 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_str, char *attr = elem, *value = NULL; ndpi_port_range range; int is_tcp = 0, is_udp = 0, is_ip = 0; + u_int8_t is_ipv6_ip = 0; if(strncmp(attr, "tcp:", 4) == 0) is_tcp = 1, value = &attr[4]; else if(strncmp(attr, "udp:", 4) == 0) is_udp = 1, value = &attr[4]; else if(strncmp(attr, "ipv6:", 5) == 0) - is_ip = 1, value = &attr[5]; + is_ip = 1, is_ipv6_ip = 1, value = &attr[5]; else if(strncmp(attr, "ip:", 3) == 0) is_ip = 1, value = &attr[3]; else if(strncmp(attr, "host:", 5) == 0) { @@ -4374,7 +4407,7 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_str, if(rc != 0) ret = rc; } else if(is_ip) { - int rc = ndpi_add_host_ip_subprotocol(ndpi_str, value, subprotocol_id); + int rc = ndpi_add_host_ip_subprotocol(ndpi_str, value, subprotocol_id, is_ipv6_ip); if(rc != 0) return(rc); @@ -4510,10 +4543,10 @@ int ndpi_load_category_file(struct ndpi_detection_module_struct *ndpi_str, while((line[len] == '\n') || (line[len] == '\r')) line[len--] = '\0'; - + while((line[0] == '-') || (line[0] == '.')) line++; - + if(ndpi_load_category(ndpi_str, line, category_id, NULL) > 0) num_loaded++; } @@ -7372,7 +7405,7 @@ int ndpi_fill_ip_protocol_category(struct ndpi_detection_module_struct *ndpi_str u_int32_t saddr, u_int32_t daddr, ndpi_protocol *ret) { bool match_client = true; - + ret->custom_category_userdata = NULL; if(ndpi_str->custom_categories.categories_loaded && @@ -7408,7 +7441,7 @@ int ndpi_fill_ip_protocol_category(struct ndpi_detection_module_struct *ndpi_str if((ret->category == CUSTOM_CATEGORY_MALWARE) && (match_client == false)) { ndpi_set_risk(ndpi_str, flow, NDPI_MALWARE_HOST_CONTACTED, "Client contacted malware host"); } - + return(1); } } 
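Review bot: Passing `is_ipv6_ip` into `ndpi_add_host_ip_subprotocol` means the `is_ip` branch now also fails for a host name the resolver cannot answer, and the existing `if(rc != 0) return(rc);` right after the call aborts the whole rule in that case without any message, so an offline resolver or a missing AAAA record at load time silently drops a protocol rule. A log line before the return, such as `NDPI_LOG_DBG2(ndpi_str, "Unable to parse or resolve IP rule value %s\n", value);`, would make the dropped rule visible. This is inferred from the call site; the declaration of `rc` and the error path are visible in the `@@ -4374` hunk, while `ndpi_handle_rule` starts before this hunk and continues after it.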
@@ -7674,7 +7707,7 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio if(flow->num_processed_pkts == 1) { /* first packet of this flow to be analyzed */ - + #ifdef HAVE_NBPF if(ndpi_str->nbpf_custom_proto[0].tree != NULL) { u_int8_t i; @@ -7715,7 +7748,7 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio } #endif } - + ndpi_connection_tracking(ndpi_str, flow); /* build ndpi_selection packet bitmask */ @@ -7763,7 +7796,7 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio ndpi_fill_protocol_category(ndpi_str, flow, &ret); else ret.category = flow->category; - + if((!flow->risk_checked) && ((ret.master_protocol != NDPI_PROTOCOL_UNKNOWN) || (ret.app_protocol != NDPI_PROTOCOL_UNKNOWN)) ) { @@ -10188,7 +10221,7 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, u_int i, j, max_tmp_len = sizeof(tmp)-1; len = ndpi_snprintf(tmp, max_tmp_len, "%s", name); - + if(len < 0) { NDPI_LOG_DBG2(ndpi_str, "[DGA] too short"); return(0); @@ -10298,7 +10331,7 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, for(word = strtok_r(tmp, ".", &tok_tmp); ; word = strtok_r(NULL, ".", &tok_tmp)) { u_int num_consecutive_digits = 0, word_len; - + if(!word) break; else num_word++; num_words++; @@ -10310,7 +10343,7 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, if((word_len < 10) && (ndpi_ends_with(ndpi_str, word, "cdn") /* Content Delivery Network ? */)) continue; /* Ignore names (not too long) that end with cdn [ ssl.p.jwpcdn.com or www.awxcdn.com ] */ - + NDPI_LOG_DBG2(ndpi_str, "[DGA] word(%s) [%s][len: %u]\n", word, name, (unsigned int)strlen(word)); trigram_char_skip = 0; diff --git a/tests/cfgs/default/result/443-chrome.pcap.out b/tests/cfgs/default/result/443-chrome.pcap.out index 44ebb73c39c..79a56e78055 100644 --- a/tests/cfgs/default/result/443-chrome.pcap.out +++ b/tests/cfgs/default/result/443-chrome.pcap.out 
@@ -20,9 +20,9 @@ Patricia risk mask: 2/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) -Patricia protocols: 2/0 (search/found) +Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) TLS 1 1506 1 - 1 TCP 178.62.197.130:443 -> 192.168.1.13:53059 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: Match by port][DPI packets: 1][cat: Web/5][1 pkts/1506 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0] + 1 TCP 178.62.197.130:443 -> 192.168.1.13:53059 [proto: 91/TLS][IP: 26/ntop][Encrypted][Confidence: Match by port][DPI packets: 1][cat: Web/5][1 pkts/1506 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0] diff --git a/tests/cfgs/default/result/443-curl.pcap.out b/tests/cfgs/default/result/443-curl.pcap.out index 9296d7a8ee4..13acd542261 100644 --- a/tests/cfgs/default/result/443-curl.pcap.out +++ b/tests/cfgs/default/result/443-curl.pcap.out @@ -20,7 +20,7 @@ Patricia risk mask: 0/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) -Patricia protocols: 2/0 (search/found) +Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) ntop 109 73982 1 
@@ -30,4 +30,4 @@ JA3 Host Stats: 1 192.168.1.13 1 - 1 TCP 192.168.1.13:55523 <-> 178.62.197.130:443 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 7][cat: Network/14][51 pkts/4260 bytes <-> 58 pkts/69722 bytes][Goodput ratio: 22/94][1.10 sec][Hostname/SNI: www.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.885 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 25/19 784/784 122/114][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 84/1202 583/1506 74/562][TLSv1.2][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][ServerNames: www.ntop.org][JA3S: ae53107a2e47ea20c72ac44821a728bf][Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3][Subject: CN=www.ntop.org][Certificate SHA-1: DB:A7:E4:3E:6D:BB:21:AB:68:47:35:E8:0B:8F:15:DF:DB:C7:C9:6F][Firefox][Validity: 2019-12-17 01:17:28 - 2020-03-16 01:17:28][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 3,13,1,1,1,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,1,0,73,0,0] + 1 TCP 192.168.1.13:55523 <-> 178.62.197.130:443 [proto: 91.26/TLS.ntop][IP: 26/ntop][Encrypted][Confidence: DPI][DPI packets: 7][cat: Network/14][51 pkts/4260 bytes <-> 58 pkts/69722 bytes][Goodput ratio: 22/94][1.10 sec][Hostname/SNI: www.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.885 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 25/19 784/784 122/114][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 84/1202 583/1506 74/562][TLSv1.2][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][ServerNames: www.ntop.org][JA3S: ae53107a2e47ea20c72ac44821a728bf][Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3][Subject: CN=www.ntop.org][Certificate SHA-1: DB:A7:E4:3E:6D:BB:21:AB:68:47:35:E8:0B:8F:15:DF:DB:C7:C9:6F][Firefox][Validity: 2019-12-17 01:17:28 - 2020-03-16 01:17:28][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 3,13,1,1,1,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,1,0,73,0,0] 
diff --git a/tests/cfgs/default/result/443-firefox.pcap.out b/tests/cfgs/default/result/443-firefox.pcap.out index ff6143679e2..c31e42511df 100644 --- a/tests/cfgs/default/result/443-firefox.pcap.out +++ b/tests/cfgs/default/result/443-firefox.pcap.out @@ -20,7 +20,7 @@ Patricia risk mask: 0/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) -Patricia protocols: 2/0 (search/found) +Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) ntop 667 458067 1 
@@ -30,4 +30,4 @@ JA3 Host Stats: 1 192.168.1.13 1 - 1 TCP 192.168.1.13:53096 <-> 178.62.197.130:443 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 7][cat: Network/14][316 pkts/28495 bytes <-> 351 pkts/429572 bytes][Goodput ratio: 27/95][8.44 sec][Hostname/SNI: www.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.876 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 32/20 4007/4045 285/250][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 90/1224 583/1506 58/472][TLSv1.2][JA3C: b20b44b18b853ef29ab773e921b03422][ServerNames: www.ntop.org][JA3S: 3653a20186a5b490426131a611e01992][Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3][Subject: CN=www.ntop.org][Certificate SHA-1: DB:A7:E4:3E:6D:BB:21:AB:68:47:35:E8:0B:8F:15:DF:DB:C7:C9:6F][Firefox][Validity: 2019-12-17 01:17:28 - 2020-03-16 01:17:28][Cipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256][Plen Bins: 1,0,1,6,7,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,1,0,0,0,0,1,70,0,0] + 1 TCP 192.168.1.13:53096 <-> 178.62.197.130:443 [proto: 91.26/TLS.ntop][IP: 26/ntop][Encrypted][Confidence: DPI][DPI packets: 7][cat: Network/14][316 pkts/28495 bytes <-> 351 pkts/429572 bytes][Goodput ratio: 27/95][8.44 sec][Hostname/SNI: www.ntop.org][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.876 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 32/20 4007/4045 285/250][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 90/1224 583/1506 58/472][TLSv1.2][JA3C: b20b44b18b853ef29ab773e921b03422][ServerNames: www.ntop.org][JA3S: 3653a20186a5b490426131a611e01992][Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3][Subject: CN=www.ntop.org][Certificate SHA-1: DB:A7:E4:3E:6D:BB:21:AB:68:47:35:E8:0B:8F:15:DF:DB:C7:C9:6F][Firefox][Validity: 2019-12-17 01:17:28 - 2020-03-16 01:17:28][Cipher: 
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256][Plen Bins: 1,0,1,6,7,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,1,0,0,0,0,1,70,0,0] diff --git a/tests/cfgs/default/result/443-safari.pcap.out b/tests/cfgs/default/result/443-safari.pcap.out index 7775f61476b..c95c3ece3fc 100644 --- a/tests/cfgs/default/result/443-safari.pcap.out +++ b/tests/cfgs/default/result/443-safari.pcap.out @@ -20,7 +20,7 @@ Patricia risk mask: 0/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) -Patricia protocols: 2/0 (search/found) +Patricia protocols: 1/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) ntop 41 19929 1 
@@ -30,4 +30,4 @@ JA3 Host Stats: 1 192.168.1.13 1 - 1 TCP 192.168.1.13:53031 <-> 178.62.197.130:443 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 7][cat: Network/14][21 pkts/2195 bytes <-> 20 pkts/17734 bytes][Goodput ratio: 36/93][1.10 sec][Hostname/SNI: www.ntop.org][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.780 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 51/47 695/695 167/168][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 105/887 394/1506 83/661][TLSv1.2][JA3C: a69708a64f853c3bcc214c2c5faf84f3][ServerNames: www.ntop.org][JA3S: f9fcb52580329fb6a9b61d7542087b90][Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3][Subject: CN=www.ntop.org][Certificate SHA-1: DB:A7:E4:3E:6D:BB:21:AB:68:47:35:E8:0B:8F:15:DF:DB:C7:C9:6F][Safari][Validity: 2019-12-17 01:17:28 - 2020-03-16 01:17:28][Cipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256][Plen Bins: 8,21,4,4,0,0,0,4,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,4,0,0,0,0,40,0,0] + 1 TCP 192.168.1.13:53031 <-> 178.62.197.130:443 [proto: 91.26/TLS.ntop][IP: 26/ntop][Encrypted][Confidence: DPI][DPI packets: 7][cat: Network/14][21 pkts/2195 bytes <-> 20 pkts/17734 bytes][Goodput ratio: 36/93][1.10 sec][Hostname/SNI: www.ntop.org][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.780 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 51/47 695/695 167/168][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 105/887 394/1506 83/661][TLSv1.2][JA3C: a69708a64f853c3bcc214c2c5faf84f3][ServerNames: www.ntop.org][JA3S: f9fcb52580329fb6a9b61d7542087b90][Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3][Subject: CN=www.ntop.org][Certificate SHA-1: DB:A7:E4:3E:6D:BB:21:AB:68:47:35:E8:0B:8F:15:DF:DB:C7:C9:6F][Safari][Validity: 2019-12-17 01:17:28 - 2020-03-16 01:17:28][Cipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256][Plen Bins: 
8,21,4,4,0,0,0,4,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,4,0,0,0,0,40,0,0] diff --git a/tests/cfgs/default/result/http_ipv6.pcap.out b/tests/cfgs/default/result/http_ipv6.pcap.out index baf6673e3f9..3a6a53798ee 100644 --- a/tests/cfgs/default/result/http_ipv6.pcap.out +++ b/tests/cfgs/default/result/http_ipv6.pcap.out @@ -23,7 +23,7 @@ Patricia risk mask IPv6: 4/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 15/0 (search/found) Patricia protocols: 0/0 (search/found) -Patricia protocols IPv6: 22/8 (search/found) +Patricia protocols IPv6: 18/12 (search/found) ntop 80 36401 4 TLS 26 3245 7 
@@ -37,10 +37,10 @@ JA3 Host Stats: 1 UDP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:45931 <-> [2a00:1450:4001:803::1017]:443 [proto: 188.126/QUIC.Google][IP: 126/Google][Encrypted][Confidence: DPI][DPI packets: 1][cat: Web/5][33 pkts/7741 bytes <-> 29 pkts/8236 bytes][Goodput ratio: 74/78][11.12 sec][Hostname/SNI: www.google.it][bytes ratio: -0.031 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 11/2 412/168 6008/1778 1177/366][Pkt Len c2s/s2c min/avg/max/stddev: 99/91 235/284 1412/1412 286/301][User-Agent: Chrome/46.0.2490.80 Linux x86_64][QUIC ver: Q025][PLAIN TEXT (www.google.it)][Plen Bins: 8,54,0,0,0,1,18,4,0,0,0,0,0,0,0,1,6,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,3,0,0,0,0,0] - 2 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37506 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 12][cat: Network/14][14 pkts/3969 bytes <-> 12 pkts/11648 bytes][Goodput ratio: 69/91][0.43 sec][Hostname/SNI: www.ntop.org][(Advertised) ALPNs: http/1.1;spdy/3.1;h2-14;h2][bytes ratio: -0.492 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 37/44 229/290 62/88][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 284/971 919/1514 324/539][Risk: ** TLS Cert Mismatch **][Risk Score: 100][Risk Info: www.ntop.org vs shop.ntop.org,www.shop.ntop.org][TLSv1.2][JA3C: d3e627f423a33ea41841c19b8af79293][ServerNames: shop.ntop.org,www.shop.ntop.org][JA3S: 389ed42c02ebecc32e73aa31def07e14][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA][Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=shop.ntop.org][Certificate SHA-1: FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34][Firefox][Validity: 2015-11-15 00:00:00 - 2018-11-14 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,6,0,0,6,0,6,0,0,0,0,0,0,0,0,6,0,0,6,0,0,0,6,6,6,0,0,0,0,6,0,0,0,0,6,0,6,0,0,0,0,0,28,0,0,0] - 3 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37486 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 
91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 12][cat: Network/14][11 pkts/1292 bytes <-> 8 pkts/5722 bytes][Goodput ratio: 26/88][0.17 sec][Hostname/SNI: www.ntop.org][(Advertised) ALPNs: http/1.1;spdy/3.1;h2-14;h2][bytes ratio: -0.632 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 18/11 64/27 19/12][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 117/715 298/1514 67/608][Risk: ** TLS Cert Mismatch **][Risk Score: 100][Risk Info: www.ntop.org vs shop.ntop.org,www.shop.ntop.org][TLSv1.2][JA3C: d3e627f423a33ea41841c19b8af79293][ServerNames: shop.ntop.org,www.shop.ntop.org][JA3S: 389ed42c02ebecc32e73aa31def07e14][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA][Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=shop.ntop.org][Certificate SHA-1: FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34][Firefox][Validity: 2015-11-15 00:00:00 - 2018-11-14 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,14,0,0,14,0,14,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,28,0,0,0] - 4 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37494 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 12][cat: Network/14][10 pkts/1206 bytes <-> 8 pkts/5722 bytes][Goodput ratio: 28/88][0.12 sec][Hostname/SNI: www.ntop.org][(Advertised) ALPNs: http/1.1;spdy/3.1;h2-14;h2][bytes ratio: -0.652 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 15/9 50/23 16/10][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 121/715 298/1514 70/608][Risk: ** TLS Cert Mismatch **][Risk Score: 100][Risk Info: www.ntop.org vs shop.ntop.org,www.shop.ntop.org][TLSv1.2][JA3C: d3e627f423a33ea41841c19b8af79293][ServerNames: shop.ntop.org,www.shop.ntop.org][JA3S: 389ed42c02ebecc32e73aa31def07e14][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA][Subject: 
OU=Domain Control Validated, OU=PositiveSSL, CN=shop.ntop.org][Certificate SHA-1: FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34][Firefox][Validity: 2015-11-15 00:00:00 - 2018-11-14 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,14,0,0,14,0,14,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,28,0,0,0] - 5 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37488 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 10][cat: Network/14][10 pkts/1206 bytes <-> 7 pkts/5636 bytes][Goodput ratio: 28/89][0.17 sec][Hostname/SNI: www.ntop.org][(Advertised) ALPNs: http/1.1;spdy/3.1;h2-14;h2][bytes ratio: -0.647 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 20/9 63/25 20/10][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 121/805 298/2754 70/929][Risk: ** TLS Cert Mismatch **][Risk Score: 100][Risk Info: www.ntop.org vs shop.ntop.org,www.shop.ntop.org][TLSv1.2][JA3C: d3e627f423a33ea41841c19b8af79293][ServerNames: shop.ntop.org,www.shop.ntop.org][JA3S: 389ed42c02ebecc32e73aa31def07e14][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA][Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=shop.ntop.org][Certificate SHA-1: FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34][Firefox][Validity: 2015-11-15 00:00:00 - 2018-11-14 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,16,0,0,16,0,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,16] + 2 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37506 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][IP: 26/ntop][Encrypted][Confidence: DPI][DPI packets: 12][cat: Network/14][14 pkts/3969 bytes <-> 12 pkts/11648 bytes][Goodput ratio: 69/91][0.43 sec][Hostname/SNI: www.ntop.org][(Advertised) ALPNs: http/1.1;spdy/3.1;h2-14;h2][bytes ratio: -0.492 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 37/44 
229/290 62/88][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 284/971 919/1514 324/539][Risk: ** TLS Cert Mismatch **][Risk Score: 100][Risk Info: www.ntop.org vs shop.ntop.org,www.shop.ntop.org][TLSv1.2][JA3C: d3e627f423a33ea41841c19b8af79293][ServerNames: shop.ntop.org,www.shop.ntop.org][JA3S: 389ed42c02ebecc32e73aa31def07e14][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA][Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=shop.ntop.org][Certificate SHA-1: FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34][Firefox][Validity: 2015-11-15 00:00:00 - 2018-11-14 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,6,0,0,6,0,6,0,0,0,0,0,0,0,0,6,0,0,6,0,0,0,6,6,6,0,0,0,0,6,0,0,0,0,6,0,6,0,0,0,0,0,28,0,0,0] + 3 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37486 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][IP: 26/ntop][Encrypted][Confidence: DPI][DPI packets: 12][cat: Network/14][11 pkts/1292 bytes <-> 8 pkts/5722 bytes][Goodput ratio: 26/88][0.17 sec][Hostname/SNI: www.ntop.org][(Advertised) ALPNs: http/1.1;spdy/3.1;h2-14;h2][bytes ratio: -0.632 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 18/11 64/27 19/12][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 117/715 298/1514 67/608][Risk: ** TLS Cert Mismatch **][Risk Score: 100][Risk Info: www.ntop.org vs shop.ntop.org,www.shop.ntop.org][TLSv1.2][JA3C: d3e627f423a33ea41841c19b8af79293][ServerNames: shop.ntop.org,www.shop.ntop.org][JA3S: 389ed42c02ebecc32e73aa31def07e14][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA][Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=shop.ntop.org][Certificate SHA-1: FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34][Firefox][Validity: 2015-11-15 00:00:00 - 2018-11-14 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 
0,0,0,14,0,0,14,0,14,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,28,0,0,0] + 4 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37494 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][IP: 26/ntop][Encrypted][Confidence: DPI][DPI packets: 12][cat: Network/14][10 pkts/1206 bytes <-> 8 pkts/5722 bytes][Goodput ratio: 28/88][0.12 sec][Hostname/SNI: www.ntop.org][(Advertised) ALPNs: http/1.1;spdy/3.1;h2-14;h2][bytes ratio: -0.652 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 15/9 50/23 16/10][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 121/715 298/1514 70/608][Risk: ** TLS Cert Mismatch **][Risk Score: 100][Risk Info: www.ntop.org vs shop.ntop.org,www.shop.ntop.org][TLSv1.2][JA3C: d3e627f423a33ea41841c19b8af79293][ServerNames: shop.ntop.org,www.shop.ntop.org][JA3S: 389ed42c02ebecc32e73aa31def07e14][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA][Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=shop.ntop.org][Certificate SHA-1: FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34][Firefox][Validity: 2015-11-15 00:00:00 - 2018-11-14 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,14,0,0,14,0,14,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,28,0,0,0] + 5 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37488 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][IP: 26/ntop][Encrypted][Confidence: DPI][DPI packets: 10][cat: Network/14][10 pkts/1206 bytes <-> 7 pkts/5636 bytes][Goodput ratio: 28/89][0.17 sec][Hostname/SNI: www.ntop.org][(Advertised) ALPNs: http/1.1;spdy/3.1;h2-14;h2][bytes ratio: -0.647 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 20/9 63/25 20/10][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 121/805 298/2754 70/929][Risk: ** TLS Cert Mismatch **][Risk Score: 100][Risk Info: www.ntop.org vs shop.ntop.org,www.shop.ntop.org][TLSv1.2][JA3C: d3e627f423a33ea41841c19b8af79293][ServerNames: 
shop.ntop.org,www.shop.ntop.org][JA3S: 389ed42c02ebecc32e73aa31def07e14][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA][Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=shop.ntop.org][Certificate SHA-1: FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34][Firefox][Validity: 2015-11-15 00:00:00 - 2018-11-14 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,16,0,0,16,0,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,16] 6 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53132 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/TLS.Facebook][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 8][cat: SocialNetwork/6][7 pkts/960 bytes <-> 5 pkts/4227 bytes][Goodput ratio: 36/90][0.06 sec][Hostname/SNI: s-static.ak.facebook.com][(Advertised) ALPNs: http/1.1;spdy/3.1;h2-14;h2][(Negotiated) ALPN: http/1.1][bytes ratio: -0.630 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3/3 8/7 3/3][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 137/845 310/2942 83/1078][TLSv1.2][JA3C: d3e627f423a33ea41841c19b8af79293][ServerNames: *.ak.fbcdn.net,s-static.ak.fbcdn.net,igsonar.com,*.igsonar.com,ak.facebook.com,*.ak.facebook.com,*.s-static.ak.facebook.com,connect.facebook.net,s-static.ak.facebook.com][JA3S: b898351eb5e266aefd3723d466935494][Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3][Subject: C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.ak.fbcdn.net][Certificate SHA-1: E7:62:76:74:8D:09:F7:E9:69:05:B8:1A:37:A1:30:2D:FF:3B:BC:0A][Firefox][Validity: 2015-08-12 00:00:00 - 2015-12-31 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,20,0,0,0,40,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20] 7 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53134 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/TLS.Facebook][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: 
SocialNetwork/6][6 pkts/874 bytes <-> 4 pkts/4141 bytes][Goodput ratio: 40/91][0.06 sec][Hostname/SNI: s-static.ak.facebook.com][(Advertised) ALPNs: http/1.1;spdy/3.1;h2-14;h2][(Negotiated) ALPN: http/1.1][bytes ratio: -0.651 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 12/5 43/8 16/3][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 146/1035 310/3633 86/1503][TLSv1.2][JA3C: d3e627f423a33ea41841c19b8af79293][ServerNames: *.ak.fbcdn.net,s-static.ak.fbcdn.net,igsonar.com,*.igsonar.com,ak.facebook.com,*.ak.facebook.com,*.s-static.ak.facebook.com,connect.facebook.net,s-static.ak.facebook.com][JA3S: b898351eb5e266aefd3723d466935494][Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3][Subject: C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.ak.fbcdn.net][Certificate SHA-1: E7:62:76:74:8D:09:F7:E9:69:05:B8:1A:37:A1:30:2D:FF:3B:BC:0A][Firefox][Validity: 2015-08-12 00:00:00 - 2015-12-31 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,25,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25] 8 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:41776 <-> [2a00:1450:4001:803::1017]:443 [proto: 91/TLS][IP: 126/Google][Encrypted][Confidence: DPI][DPI packets: 5][cat: Web/5][7 pkts/860 bytes <-> 7 pkts/1353 bytes][Goodput ratio: 30/55][0.12 sec][bytes ratio: -0.223 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/6 30/30 13/12][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 123/193 268/592 62/172][Plen Bins: 0,57,0,0,0,28,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]