From 890f17788bb4295b466f70bf8cd4908fd60f2b30 Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Fri, 14 Jul 2023 23:20:06 +0200
Subject: [PATCH] ndpireader: fix detection of DoH traffic based on packet
 distributions (#2045)

---
 example/ndpiReader.c                          |  60 +++++++++++-------
 tests/cfgs/default/pcap/doh.pcapng            | Bin 0 -> 18888 bytes
 tests/cfgs/default/result/doh.pcapng.out      |  30 +++++++++
 tests/cfgs/enable_doh_heuristic/config.txt    |   1 +
 .../cfgs/enable_doh_heuristic/pcap/doh.pcapng |   1 +
 .../result/doh.pcapng.out                     |  37 +++++++++++
 6 files changed, 105 insertions(+), 24 deletions(-)
 create mode 100644 tests/cfgs/default/pcap/doh.pcapng
 create mode 100644 tests/cfgs/default/result/doh.pcapng.out
 create mode 100644 tests/cfgs/enable_doh_heuristic/config.txt
 create mode 120000 tests/cfgs/enable_doh_heuristic/pcap/doh.pcapng
 create mode 100644 tests/cfgs/enable_doh_heuristic/result/doh.pcapng.out

diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 053cfe38b97..dfde22d6178 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -269,33 +269,37 @@ FILE *trace = NULL;
 
 #define NUM_DOH_BINS 2
 
-struct ndpi_bin doh_ndpi_bins[NUM_DOH_BINS];
+static struct ndpi_bin doh_ndpi_bins[NUM_DOH_BINS];
 
-u_int8_t doh_centroids[NUM_DOH_BINS][PLEN_NUM_BINS] = {
+static u_int8_t doh_centroids[NUM_DOH_BINS][PLEN_NUM_BINS] = {
   { 23,25,3,0,26,0,0,0,0,0,0,0,0,0,2,0,0,15,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 },
   { 35,30,21,0,0,0,2,4,0,0,5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }
 };
 
-float doh_max_distance = 35.5;
+static float doh_max_distance = 35.5;
 
-void init_doh_bins() {
+static void init_doh_bins() {
   u_int i;
 
   for(i=0; i<NUM_DOH_BINS; i++) {
     ndpi_init_bin(&doh_ndpi_bins[i], ndpi_bin_family8, PLEN_NUM_BINS);
+    ndpi_free_bin(&doh_ndpi_bins[i]); /* Hack: we use static bins (see below), so we need to free the dynamic ones just allocated */
     doh_ndpi_bins[i].u.bins8 = doh_centroids[i];
   }
 }
 
 /* *********************************************** */
 
-u_int check_bin_doh_similarity(struct ndpi_bin *bin, float *similarity) {
+static u_int check_bin_doh_similarity(struct ndpi_bin *bin, float *similarity) {
   u_int i;
   float lowest_similarity = 9999999999.0f;
 
   for(i=0; i<NUM_DOH_BINS; i++) {
     *similarity = ndpi_bin_similarity(&doh_ndpi_bins[i], bin, 0, 0);
 
+    if(*similarity < 0) /* Error */
+      return(0);
+
     if(*similarity <= doh_max_distance)
       return(1);
 
@@ -3402,7 +3406,7 @@ static void printFlowsStats() {
 
           ndpi_cluster_bins(bins, num_flow_bins, num_bin_clusters, cluster_ids, centroids);
 
-          printf("\n"
+          fprintf(out, "\n"
                  "\tBin clusters\n"
                  "\t------------\n");
 
@@ -3416,23 +3420,23 @@ static void printFlowsStats() {
               if(cluster_ids[i] != j) continue;
 
               if(num_printed == 0) {
-                printf("\tCluster %u [", j);
+                fprintf(out, "\tCluster %u [", j);
                 print_bin(out, NULL, &centroids[j]);
-                printf("]\n");
+                fprintf(out, "]\n");
               }
 
-              printf("\t%u\t%-10s\t%s:%u <-> %s:%u\t[",
-                     i,
-                     ndpi_protocol2name(ndpi_thread_info[0].workflow->ndpi_struct,
-                                        all_flows[i].flow->detected_protocol, buf, sizeof(buf)),
-                     all_flows[i].flow->src_name,
-                     ntohs(all_flows[i].flow->src_port),
-                     all_flows[i].flow->dst_name,
-                     ntohs(all_flows[i].flow->dst_port));
+              fprintf(out, "\t%u\t%-10s\t%s:%u <-> %s:%u\t[",
+                      i,
+                      ndpi_protocol2name(ndpi_thread_info[0].workflow->ndpi_struct,
+                                         all_flows[i].flow->detected_protocol, buf, sizeof(buf)),
+                      all_flows[i].flow->src_name,
+                      ntohs(all_flows[i].flow->src_port),
+                      all_flows[i].flow->dst_name,
+                      ntohs(all_flows[i].flow->dst_port));
 
               print_bin(out, NULL, &bins[i]);
-              printf("][similarity: %f]",
-                     (similarity = ndpi_bin_similarity(&centroids[j], &bins[i], 0, 0)));
+              fprintf(out, "][similarity: %f]",
+                      (similarity = ndpi_bin_similarity(&centroids[j], &bins[i], 0, 0)));
 
               if(all_flows[i].flow->host_server_name[0] != '\0')
                 fprintf(out, "[%s]", all_flows[i].flow->host_server_name);
@@ -3445,23 +3449,23 @@ static void printFlowsStats() {
                    && all_flows[i].flow->ssh_tls.advertised_alpns /* ALPN */
                    ) {
                   if(check_bin_doh_similarity(&bins[i], &s))
-                    printf("[DoH (%f distance)]", s);
+                    fprintf(out, "[DoH (%f distance)]", s);
                   else
-                    printf("[NO DoH (%f distance)]", s);
+                    fprintf(out, "[NO DoH (%f distance)]", s);
                 } else {
                   if(all_flows[i].flow->ssh_tls.advertised_alpns == NULL)
-                    printf("[NO DoH check: missing ALPN]");
+                    fprintf(out, "[NO DoH check: missing ALPN]");
                 }
               }
 
-              printf("\n");
+              fprintf(out, "\n");
               num_printed++;
               if(similarity > max_similarity) max_similarity = similarity;
             }
 
             if(num_printed) {
-              printf("\tMax similarity: %f\n", max_similarity);
-              printf("\n");
+              fprintf(out, "\tMax similarity: %f\n", max_similarity);
+              fprintf(out, "\n");
             }
           }
 
@@ -5414,6 +5418,14 @@ int main(int argc, char **argv) {
     exit(0);
   }
 
+  if(enable_doh_dot_detection) {
+    init_doh_bins();
+    /* Clusters are not really used in DoH/DoT detection, but because of how
+       the code has been written, we need to enable also clustering feature */
+    if(num_bin_clusters == 0)
+      num_bin_clusters = 1;
+  }
+
   if(!quiet_mode) {
     printf("\n-----------------------------------------------------------\n"
 	   "* NOTE: This is demo app to show *some* nDPI features.\n"
diff --git a/tests/cfgs/default/pcap/doh.pcapng b/tests/cfgs/default/pcap/doh.pcapng
new file mode 100644
index 0000000000000000000000000000000000000000..cdc166f9c846d715f0c0abfba2e54a75c92678fd
GIT binary patch
literal 18888
zcmbVz2|QH&_x~MZSF$D(WjB<4DZA`TqXlWPMumtZME1&(eG4H=NsB#Y$zIk9*&}<%
z5|UJs|NUIl)0n^K_kB*UGc)(%ectDN&iQ=q+?go1Zl$b%AP6VB2ZMs2SJsROl7uub
zIG(Y=9_3?GwsSax)x+_zSxE@&7nKm!XH!0`&!)&GA}A@WuHnjtb+&S}WYg7E6&Doc
zgCI1-4M~a%oVIdgGqAc~Vds2_O+=UtD=I83#kZI3^kpj>3pNocVR11y9x)^esa&?T
zH#f6q!x~sQoVjFa=5U^mO-xW+P?8Pngggrf3!IY_lh|iwE+Q^0ae6--16T#@fOFK^
zGe9GP@eEbYI9ZvWG1NJ%X5uCyp{6XRD!gAnN=-sZKwNphuz-?;vV?$=imHUFvZTbm
zeG=mCfHNhe>S%e!;lde5Hc<$ofRRaI+%5k@F7U4-T)^MifCJbLy&!>-Gs!}<;Mc(K
zhUfZ-OZBFUo^sG9hg2a*7IR$@QY1YUR*`{PM!^=8fGVl?SpkVb$wWV9TYf+g5i!XV
zVj^<Ng4qYj;5-VACR>dGVp)Jwuz^^k@5w@x;Mc%cqpU_mVu?eLBD9~>gB8R<;*|s?
zG<(%x;dn$|bSo>*n^$9@P{c%V49Zn(5W^65U?2u<KUs(@{2KU%e6W}sNIq$J`4GWz
z_zu&czAj}09AE$w!A5dj#eRV%50Qb7f#YMN1TcO8`(z?P>>a4Dwe%3Q9gRYPw)lxg
zkMEr@t-uwf*FLg0VSP$mT3pbJ8Dcs<>~>>i3(eHU3bwO*bhyx6VzI<Tj!Gd-@^MG@
zbaRSQLP;VLxWafn^{o)ktBh9<DugP8EA~|Et)Q=<s9>m|gc6`cNC=Xspo1vs(ex;K
zA~;+yL;{h(&#+O#|HvU$hzZ&OF+)@k`0-W<1MMIuCPtH!k&}><5~D~^q$m<JDVhjH
zgocX^{|XI64Q(N^6eYKGbhH-|5fp*wV6Z(91v#1+jYbopQIHtK198E~Y;<>21wJ-L
z*|cAirlC^tvde3@<wr3$;45UDGBf6vd;v0q0rBg$e;@hpx^3tUEKUmahVU$2Z}8Ro
zLS%<&Af=ziNOJJQdfm2w0I-3cFi|ECnIM56;P}`iy*O!ry+`K%hkf8Fs2dt`C4wL)
zG@AaZcr<o*tN1CS-p`poEr`3R4%Zua#F;~0Mk9Am`qKYv-RRK}BnYd8Xmyr-tBPaJ
z@zb78EsyU>ve!?g1c(Ig{q~FJK#;*?r^+^1Vj?s#0~{WOVnU;-o=&uMZ(T0Xd9m+h
z&kHH4g_?FW-=|AbILA3|Qk;Ota?`$srg?$wF7i7|Z>@N*@GMCl?eJ}J`x)XlnGsyH
zsD1Ez<zz~+cXCZ4)HJwfg2SnDn9Djl)u}nu>x1~#)PX#^+ia;Aj+0NtIw(fvg}&(u
znB}?WMui#YPq|c_{E&K$T0uI)_-R=&u^sw)*0~|-jG{4x9QWux(r+P(?PbeC-<~85
z27Rtq7LE73w#P=BGRe(R-)sxRk#=75rSQ_hUtwE{ai=L)t{WD-Az_FQNU=eeMjw;N
zMh}OTn;q%ebD~>~d!^ax2v@3(1Y`7qV2e!Ln;oIX1_hPS_T$5j0y4upqEf%#^K2Uv
z^k7x7x>sc=TzB!ujLB0?C$orSqYF8$bGCJL0%F>oZ$2J;GVtT^+onhlZRXHpd#l-Y
zn-uBLsEJQ7zuM|vl-T1c;%?#~W?UIn9B9%qShs-T>x!+Maktdssi>`Xpy^2VEm<5j
zy(H*adL5^_^xVRBw(m_1Yb?8^u(G*_!0eM}`Agf?^{>Y>y%OhKCVSMJ-9J2ZCYhH;
zTMETqUh{#O)}6EU!pRJ7g%znbG97MDfA4O~#|#qDnVrWioBU+FjEA;gi~Sgz)%q#w
zb*1;RWR3X+oj25COz-yfr@c^{G26*2QElVD9PjuI8XQ+HOF)Youc(VF7tK06J8kcj
z>`oouP+K`&#mX34?o>MT9h1_wjg@co%e9d(du`dA>>Jx2wAs0q1a?+6P933d>~z`A
zvA9k4)hEg%nlnj4Z6t;PqK$j+$^_tYo(n1EK`f=UvBEZe{U2EecS~GW*DX*9J-sin
zm@RZDlcynbT)f&~+UU#mVM-Z;mzo|{ETrZP^P?|M5lKr$7#@$W&iL#i$cj$(e6ri6
zcusDqwx!HdDBx85U0g_nTCDDz7O{oe<6N=x3`EQ$QiC_-FR9AKP%(VF|HiLwCr3^C
z(Dx>-v6RNGSn(_FMl`Ki@-0eR?1`VS+TV8E)qOv5=7r=Cwf2=}=f;?Xb4ft~?MdU@
zfr;`treV?-#XH|FDeUp9$nB6TO`OzG`*>nH;7*dz(}8anKG?_k7=5dApR~57>m0q&
z5&nqR{)F1Yt@L&*)kBBgbvCjoC26*Dv~6Y5$P<inrLAa}w$F%)p|!wvJvzbDIVaT}
zW`Ijr7+{Fsoyl`Hyn1h)You4gjbB*dZ6cLgoaHu-uW#<-%N(gSz19<7g1J_f_H*ub
z7l-XHWi{4Jz5cM*&`-ws;3)?inv!FwOgle3aM7d9&wF0epV;hhP@9RWz2(~NOBa|(
zGv~{n%F~}_LFEKHesFj#r`N$F$G|&|HQ8}sM~hF4$7Bvh>dY{cU$CaE`J#vT!~R9-
zk_h>2-`N>Z-oB#cft86CCyreXV|8Zs@^>a@?YZ-vrbe7C=FUM>YgQT6Tvw{Nj)BdS
z>wZK}4MnVMcb&4kl`AZ6mu5RlQ+h*AFPWA|??4?S@RGk*ziw!|M43pLKkBpby?m^o
ze|nircFP5KIbk8W=~0Y>o;5a>mLbj2w3<Ogvs_@j<STLUggb-NL8*EF^l9#AwQ)x>
z-4A53=}t)xOQvbk(R^=X^rY(V|2#6<)AB_?cDGTQ)?v-%x{8>+TNDhnEsArV7tPG(
z<<-f)+MCbB@__F|Qj|dbu+tNsk4c8|y|E+9CQO+!DVGw0YbnhYQZx9>IwdS0-ni9a
zeq%6^DBR$ao25<23caWtZ^C2BlDoFjspm;ty{w)(h%fHff#B;2um|ApGhi>+<oduL
zxjsnwYY&I_m}alW_we<>!k5L>UFARRGcw3NBmMV2)A)XU4-*fApf1@mF;eQ*Nro{y
zZyQI(PNzL9M{g}!Tv;4t++K=3Bxpf8QlzUP;p<c@8uJacgw0<`q4~hRlk5a*r$qA-
z)zRLHLy#Ef!h2`&X$S9$CT0EiStiHnmQBl4Vws=ux=G)sEK4@5N@(<AwVH}I$+^7s
z$vxsN7f&CV&{B*joH_c2ZoJW}!^`ndnl(*(RD*ve|8;wo2yac%vP7O6*S7lz9aP~p
zV$@W8O=A7nFC<QlLG|`liq9cbDc6nLZ1%ecvD0EOO=s^?U7@lW6H8P3)yp}N{ZKwQ
z>yEE)O68MBiHdZ4eR`R$oG;m8)i%YZ30bs+@-#0NP_urfh@c)nne>gntyE`3tA|CP
zqrvg(rSfUpX`xwV)i#oF$=iwgS8+ZaMlMvL5gCtu#2emMV>(dB@pi|xUXyL+4HmNZ
znUW9dd^iv^#KTX`a>~MWThcvIUMtn6vz@kg4#=^Hmws278#?+h$t!3%9b28z-7+_S
zR6gV6BQu`I<kz;Wd>XWTXb9()&&#e@mBUDLpZSNjMjfN#Rdl*Eec8nw?;_}K?zPyL
z>+PcIzlZ3o`Om8vT0Og}3NEqu(T`7sY4F<JH@`vc73nXptFZsP+e+8qKAnq&-hS^|
zMm1RD`71@q&RQQ=!0uKhvEdioBZrpNOUf%uqmk;cyPIRk^_BSO&U2HAgBSECzot9Q
zwLYMwth%dpu}|BuAVG0iSx$Rr>+-Dd0^|6-EZ=#ICn;YTmfwh3CjP2<ZVS7?8+|8e
z|9h`HOOtkHcRpR0RK8RkH$JhA*;7qAx%t|}6WUov86(#iTb-$D4e_`E%i|BYx<wSt
zNq(BXZd*yD4a?)QroPa+BB2|o)}B6fQHH_RTfwXJL)bxKD6S_)GKf2eW&))mIwq47
zJFF@9BQa7<5iR<YQm8c#W#zCpFOqE*n?)0^U^c=ztLf{I+v)t`JImJQ;F#9k+95~w
zJ#)MEW7NCedEcC9ZVXQ6qt6jDa-oCY#uyG7aSU2Wx_O=`Ae*;aq7rygbXnl-p7^{H
zqWO_Wjs-o7a&ecR)6IV7TD%ed$T-#YP%ir|+7o0wAtX#Gv(BRt^~Qcz6p5cQSBw^g
z*-go(Tq3#mVm?prlO=BG%hf!y^NL0)6$ePT_wKGYf2kzzBQ?f<tw3$b4U$N&4JxO7
zhuh`bbI0RC-rho&!|$FcEIrfx%Dt;^#Fh5Bv9|+<lLnWC<?#IzcY~6rJ&vbKy*?ZL
zbN+$aqesO-2`X~~_nXh<UXlCtxJrOLs&__xAt&y-7Hu0v`3?ihF`e%*nkz!jd*Wp~
z^+{~fKfGY)m!x9&Y@t{^?oRtFRNg>aRw~d`fb5u^m8O|FU1gtMgGUiZ2|K^O;t9wm
zdVo&lRI)^cgbwdDe+Px&Q!9$&l^QK$9`_mE_P2MCu??sXng;ODJ9nTO_PyFoPSg79
zuAqCU+IF?ap~ixHpJ`BX4o4oYQ^)p~-}i0$n!P1AEu9P!ICEfmv`292!;gy8a8>#3
zbM`{t`a3<3)J*FrO5B~3+-~k8?Rz^fwJ{;pMu;x9up^5xO2J;Hp)5D}%KL=9hBqgk
zN%L8LqVR|mZ%d}Ra!_0{;@7*ptklKrJq5ilzLlj7`3yuiHin<2o3^5C?u#|fdUM=c
zgwmv<;eEKtJvC?RaJ_d~GGaIH#fg$Ue;xX;{e8;7hfji{E<Mwg*~EMOIE(LE3fi$#
zo1e1M?J?4H<vg`3`gY;|3QKC`v6i{_EJspeI8NUBRmExF{8>G`?sjkgViwES?2ynU
z<4dpn-HiwP(7nae+N9`L9ISg2FS6Lbkf|^5XeHtiTS^XiWWGm)em-A~&QZv#(WT#|
z{;1!W1ow{Ir4v^gr6-7YjmBki?xiq(z%AHyWr=G{uhJiN&q8-@(mnant$gm~+?lg4
zq*MxDbP3d-@^9kpCi*a?=(G2j2dxSA_^*De|Fq8pAp1=6#(kzG9NuT9XSDJ68DaQ6
z6EN_8Mq8CUgc?2uj{klJ1>Y?}-YYTwz0b6SBm2w_Na<Ax1f8U#o+okKlO<EIJ5xr(
zqttLluX3hfL4&;`c%)bsT{Y1CUE{QrV0?$%_rPQPPi%@SP|fvhdOCAg_U1KeVt%F0
zZVPbxaCcb(Dhf5(LfW>y8|8VO%lWy7!&o@8?0yeQ((VA3a7V^1wR#%4listtNJW|h
zE=$e?UXHajlVc}USvh&V?Cn=N+D;4H1H1PuX@&bfmy><hm;WX#i#u5K%XO6A`=dHv
zd6&C%T-#CiT`vyPaK0Z_@O`GMUR6rLy+9F6v(MrY5$bk)uREzyUVCcQy`Gqx;BExa
z34hNAdTp}j2O_n&v#}O$t>9WreR5n?{?DEtyLJN9g8VK`h!cDa9RHpGWQn<nU>g&}
z-ho=sjDeuvZ|)$8tkO><W9c@pwlK}-?4J`dkB-8iU)N}rvSioU^QMmPJiFq2Q=B6C
z=GnzV(igwAeX&`JUwH;WfDg#|G3>zBc?H3*fp6gDfeAu*spIidZ}x(7hIt)QhamXv
zCUj)m0i|}wnvh!BMFH0lQ`AHfxygJ7b<5}qORrjC#!y6Y(HB#i$V@>Aj+LM$s$I<e
zQNlD|J>Oi8i%5`je{*HI_^#N%!n4s95*PPpG=;+EjesNIS_nHZz_tG#O$aOm1bhQm
ze@rmKRThtH;yTwm%Bx&YnM|A+5ys_d1<nc3xhW>r8U|T;RJ}eMuYQ}+(5JbNYN6Hk
zI(y^kT2?mAo|4w&#?kS!yP^&~+;4aKCAM&zN_%`<b3~|dpEe6_`I}*e@q32DD+|Xc
zjcY{vr&sv`-U+Y+Tj%WxzXra6w+$u);cbA&dwHGr8_8AP3Xfeb-VB|}%oqI9=6BPa
zZOVu;gqfViz|+gcv$m46F+Ik4cZKWScsF()shw;*I59_u*HhtciEa1$P=UO``&K#O
z_k7A5n%_N-zeYe<oE)-7O#Qt^ytRVY2z78jWu_102yFd+3U~$v^8OcWc?5fs0CpmR
z?Z1lj2RnJ~1i;p5rU`*>c|yQ9@V3J#AlPXHvEjAN7*+%HtrERtF=fGut@&=5w+Hif
z=r0C4$YP9V*d_e$D1`0^NZG4zS@ff}mZ+nCENw+=;(`x<*dWgp?(w@H$@=x89?Kn5
z6oBI=!;Y^j;3o^82fm@^SWGBV^Z37OjyeF>JO{jgn3{n93^AZ5z;;<ZM05q%`tULE
z4cO|KFa+C`AT~U+jL%nd$MAB~>rqmZL`3y>%t;V^qGP?^8PRUZFE3fO77srsqPKr?
z+MqcWr-*3&5l{0RxL1}zJwFYur9iM({ssF0f<3+w8+8D|PQ=H)3$O3MK(9!=rwQ?f
zkAdU!MqR=w0c@cJg4l4c@G~HKq11#pznKi2zelsM|8)PoLl4*~l>7P5tAF{#RGFX5
zoz-tPa*I6q&H4Ei<qN~bW}5GZnlswJaPgmO=Nv74qq>w9iFtbV0m{FstR`BXWv-#(
z#_MsKVD7g@@xBLK>CB=fyK2xR@;gZi%5J<@)S+|SvJe@N5^^tll0wzWtT?gp#&@>b
z3->;zAC(s2(+s-CJ4$A%a3tdD?W!;_@?&3XpAHQh)!#M^rykT~Nw~6Ty7MFD+`ZAz
z(iEcSQcd!6OEqt<-e@e<bxf$aJaOOXSF0OK0cWGi=K_5vBkfyzw|H8W%$q(GIQcr^
zkh%mkAV(HbmqgO^Yy5C#*loHZ1+V4S&xX$Sd44sLrq>Vo?^)60qVb>*#xBsL|EP8k
zU~%xHkD4A+xb($h{z0@&*QKF%C0<2Ja>>q0wQehCZ_Q@uH5?f@?~>c;atf{qs11Hk
zgBq>(G=7aBb(}I%|JuK6)Vfsf3)dg6(Ky_)V4g8o$V6oxFfLzoCNpPO+NSbRWa0P_
zJu&Ch919#5%n*K0gScQufp3^4EG8V8rC7XKGHv#1T>^7D=>`88VutYJ|A-xdVBgw^
z-G)K1&DNj^&P!1W?Qh;2^upp)5WPP9tydcc*2@&k%QW26t44@7ZQ|G8*aS3*M0m&G
z@iuApTH}3sGwhYRKiC9#t0KHd{u^)U%z@BNY8i#_j{a}FOS}GH6X30e@E-neysvI)
z4BLcvG{QUTzwwrn`h!h?w>rXm=)dvywk`<Ygm(<WJMzErE{XYrO@Oxs!h7()@qSo$
zCt?%cw-DYD|Bbizmp|A9cxxiO2mTvxR^GtKO?by5yu<$+?*-jI*aUcMA-wzl8*i5Y
z$EZzs$05A`{_NNn^?zJXUO)YVO@OyH!n^PP&f9Bk@j|ZK-_S>!z{kKhtb<1|@d)p;
zczVNo1H2Bx*IEAXeOj<5aoxUG&z*jZBHgGZl*3xFwSYZ=CZ%21wDvKsD`3v`*R4l(
zZRHS%3-*s#*nxrg9<B7zm*LmIH^e`OxsAj>gcm<xJ${1CYJ6#7zj7D3*2r*?LuR%U
z`WI4*p4WFkL`rhSolmGLC5qg8x9#j>4<oZ4j$wJx(;xYE9OCfNI@6M7y8y=pd;l*m
z*nzF{+C-NGgqH;#uex<!<ST2s3|MA->QbZ;W-FsE-Nx5+uqjAI>1|_(aUr$&4%^v|
zZZbvdKf2sq4UfdH@1&2u1|I|8po<eG5s5F47k_R&K9AdKd`%3)+wsw}tcr#owZ5JF
zveZZMah%!Je9Hl%?k^ISWyX((?x;xZk2ov-EPIi0K}~NLsUWjwgO&=V?(S-nHl-D|
zwxj2(r{s!<m;pEZy?@J3`snqZC(xG%k-mISpf3Z!{ya6gmM+1)p9saU88!~V?j?X-
zhhT%Z)`%IxkNCX*1zQKf?je9ZhhY1zLH`%thY;*{8?lKL5Nrv2?4N5VKu?a7FhqC5
z$G|t}-H1DkU`rCjhOZx|Zmjl1(!-~W?05EAyuDN-p!iZit9on95pSPbN8TcoT3QF6
ztij8$g7K3*RF2`gm$yD-?G@c0a$@_1D}gKuMK@o&AHNaocAdx1f!*FNb%L*R)Fao|
zqsSe7t#Lb6NSB$34tHsM)>}mD<;7y7!5<$qyD3uN)Ro*g_QQ_*h*OY@(}VZZ?sr4T
zB60?HpD1xb#lN_vbH+6`6+JZFDEoL|=8Fg1xDd!0)C^q90$a~rAASvdL+<LhBS`K=
zc)6F>`@*`yxfhSG=8n;My<Ista<Dlx@kPSLpJG!D;UAt=alJfxB@M;}@$h>EXujU#
z8|Dy;NkZoE=HGKjqyW!hDY(A<*bhS@W(Yt2kJxt*>_7t8y$E*2D)OIu2Vd4s0KLqq
z7@}L?W8fR~s>U5f^peHXt9M<mjAN^M#WZ_+zZCP|m%d|1g)q}ANOkA;;~L3R7h4(Y
zZAr68()}mr!-yCxn8u`@%0!_p`Tg`=#ols3nXaM?R~yf?Xe32k>rv&f@^UkBR0ur#
zBt~C|%5nD2-0s%TF^nyh-G$bq$8SrImLJy~TeRXGn4ebsZXG>u{?ST8>E7+H+6JEY
z0^c3&<0F&$JiumKC9-l=nbz1ukwX~H3FM03BOvEZdPEn=`Ptt&w>z)r%m9}ed4E;8
zlKT9iTgoT0$&&Q@ePj8%jBa)wOF1;l8V<)K)FUA7COwjj)G=UV9owCeI&#CXh!N_M
zf5A>cu>A>O#~|21qQ9`c){a4sB<|j|+1{UuVB_7d1-;!K1NQ#?cUJY{ausXn%9GmT
zW4=^V)f(~Hc{av}i9e}b)O^?Lk$A&0Z$^IVV-Sc7$UK1^*m``RDew)m<%>x};_t!B
z&2l~dp3>F$$K2XorgjGA(=O)d;f5+y^Tdev3hk>hBbR7gEN=`l9%KJ(zc7v~^!i>y
z(~MmxDpH=Pe0<BT>U>}6CsA*=s-BTBMrVJAPju-;mpM=PeI&QaIo!hp-#kOO;?Jz~
z!Ck*=y<x7fI6b7t+VOfU2JSISu)a^g*GsELsMi02t&d>05x}lSus7@-dhk66U_fj2
z<GZ3o;A7zUyiuIEV*p#Iiy$_<em+cH)%vT%>0;drcU%L<*kba87G61?Ia0%xn089M
z<$i8X`wo|p8R4OWZKiJZque^zBHfGcpRT%7z`d(elxM!wTsDZISJOa>*<JhI^;`Ke
zdz)0EZR?%4e6YUM^!OgzmF{aVG;?o+r;r%ld~@{6sH@DB!km8I`FxR;U(2o~l_`rw
zYMeV9O+3f%U0$?cGGFlLGLhF;zfaM0F34--{L}f2op+|yG$vww^dFdMh~!Q-Oxa&P
zdgc8uFaKxP`$tMR-vkXsI9Ow^UyYrw$mCq)dX^CP0%vKPGLY_`@5$B_I1F7R?^*iZ
zkVW_7824dc@)X|st7L_rI6B%jU=4wm`0EYObd&YQ0I660-<o#7pFI&(gFPvFO;b$9
z4(cnaHEFy~mtV*6mMsgs$P#u))gK@FpasVzwBCTYo2)l?k-52!H#gPIULD}`w1qK0
z&=bH2_29o?-$Ssk5x_?7>5f^hBLBg@x^@Eepi}IwXb=<lhI!Y)q$Aiy1hL`uCT(pG
zXCKlGuYIs!uld&Oyo<7aLQ8)Ui*S-{zww&|Nj=4x^cq<Z6MwA%u{T+3?jx~z@nV03
zHOm2O9V_$NTGLa~tIKhR-8j1}hy{9=^~?TIhfVp<yy*+{C;gI|roSk^oOblOrtvVO
zfm^VGQL=u#f3P^~d1F3BlplJ!igTf9uGnIbGX8|>lgsBF3V$+F;U1Qs7=-zPbrFB9
z(SG@-&iFG6e{OLc>8}>N{(|pC6MY2h!T16Ui5SrPf5bk4U^j2XMynv$@oUh(duTsA
zAHYDJiF<ZMZ-<Y8<MT$5<4z)L%?v?ocrKnqu4>)0SD^5~xt9xC%lc_Q3N^=Csp&J#
z<HmigJ;{ks4_Vyu_HnxEc<2c=78rA8H;(Pe-nw|M$`5<PI?s;i*w?or`G<eFl^vq1
zc^f*tBEWy@fOo{LG8u)Jug-moXd>l!e9^gaS~@tQru&x{&6kNzHqzMqYLlqiuU5CZ
zyUaQtO}~Y5)TP@E=qT&2L<iQzsC=uK<&t!^_5Aq*byw`hTmjFm0F?hXmXp#hwslbz
z?3XW*JAV3{eThm}KVi9-GjZaP9&6wGSQFPbeOikRJZY(l?ro+)-}+x3^}MAa0zp78
z{F(sWWMK_~Z<r4(CIjhF@4tH#t<vn(83yKhlnm$(Y`xxK?Eto3lTFsDQ%JqD|E@`A
zSiLV?Z@4C0jH@-lY`=c9H;c|fA@4ByCk|y!%B?HV#-ogC`2aqoC$v@-^lqBd10*Le
z0y$-aoIb!aziR6_d959ToJ=0_ZFc?g5Wzl15F4IpbkS-~TsIr3N?pXg4@YVWTHaSn
z%9m{{=(5w2L)T3uaA#}uAA3VYr1JavCH5cj_dMc@c7~6EZ>X0Q<`EKK4llkfT(4}f
zrYKRb#+MBV^3Pq=uFL!s%10*Vq%hN-a=zUBi|rG^BJW2B<heC!&r_~&kkPf~{R$Cz
z{Q^t+O1!rAi<qMnkC*fJ-}f$nKEQx3BHety`v`yj;B~_gsr75TT4%$x&H}SN26yMG
zt!sYpAG3YqCtox_d<+~P8^wY%LS`H9I-+wG8}6epiq)KFh$ZPxeY@S8*s%CUC~q8c
z`H1C77Oi-$9n{RR+oqK6@y%ji!79dg<3z-wBL;F-c_F8CWc>!-SQD!_d(CIs{&bri
zRX;6r!Qw(vfzX?6oV!F=!nD=<nI`OLcl-CLk$)1S4E{mU)0!1Cuc+|O!k0p;a6$BH
z7R6l2i<`^Rg-zr4D`#dg!$&RhScZv}Cn#vhEHl3!{-KGxe~!j`TU=NAx%&_1K29+U
z%?~^3XV*pyOlUPKR-jG3ANcw4=ww3O&JZeGplg)oRsBym`+B?PcRlq5SE|hvyYuBp
z9|kC=<b<DZwe<3N-DuW+`AkQS5(EJa@#h_ADGN&td_(_WF^`e{amVYQtY)vSG%y<@
zfoo+VIPU;^lX*8rdf@TjJ<yeg^Z;BZ+Mcy}Pp@1~Jx<bIKSaZ(CF<ff{gIBDbNAE4
z?62G4;DqM=UvkPsa=J<&rz#|;^Y}SkT{{8#`d+EXX4el{2(~^!Y<S*Sq*rrdAMx(x
z#_?{WpxV<%TK#zOV6}YBAv&4dGE->>M+@${J@X(YsMSAb9mL*b*0Yh=Qh2f3;96CI
zSr;E$oAoaZabF|__2c)EUN-PQ)^N$yUkSxK+;d>t8Ggu8>vQLMt5GI@t=ZOsa{(#$
z4|!6n$t$KjtACUItIkrB;H+0ni2Uv${CR|D-2|y~174l0>V1hB!K{CHhOamAKW3ed
zN;G;1{srJ0u-kB^2sYmTQR-U7hI^=cZGF3cMDm+-V%P<qyL~!}T0Doa3msw12c>U`
zeW%VoP~~GdVI7)_Ays{{%u&L9&c;=rW>@FaxsO}up6fP_?HAQ6kYZQTrd*B+kq!9T
zrI@aD7aeoI3bRAm>I|`p7aP}^;xt{IK%BV3p*$|q4;_|)fyAk=x7IaYhzMNKdBkkg
zCNyl&7Jtsr;STnP-cy?x&Vk7;Do2;eyeO+Z*;OUK-tqnn?A!O8EUXg#UukPI3i=ut
z=sBRlCUazlXz<`~eY-Cp`obFUTw0qWneR&_9=-X3+xIY^4%u3Y)gjU={4m3w)t?E+
zAv8xIE?5_U6IdH^kbb-JcfS!cHhXnn0CO~a9R4%J4B<!ob?0BOa}jJ80@%R_w$vK*
z?{&v(?F7*4!LdV|?a6rvwhlpTcuszOUDb=rX}W=-gDlm4V)t7MEHSIG_{GX!57jNi
zdf$fQ3{uQEf@b2c|K5``@Zw*GkAZK{%^8!A#K*hNCzgkG3kGxQ4&RFb_kgrQVn522
zkNX$7^80Vi^cbF*=ei^sxkQy}bjCGU<r1}Dy>;mADs0JPYP%cpi3i2EUy4rI{nEVG
zG2o=na~df9b((UQhv(#S^Qjt`2jGWa1AX5^zw5hUwy?O<NMGT77oa;B?kl(kkkW`F
z42jr!eYgB$ZY4txMNhy#1-=2h7iW%O)8X~(DmL7+maMB9WXE3rl%neS&M8)Gx2%O^
zV%OrhyvAoV4|+ek^io-GpNwQG!&%kOAMz#*x|JW~v0nRR7TZ=Z@yuaCRZoWGWt;M|
zQ*`~*R3eXGvgKT9M&G0mCgLQXofvf2dPboWXLHJZ_+lfqr&nk$@#V$b{K%`a&l%-?
z0*Cip3XdANIb$8O<>9ki94|zkd_Sjam{+{lY|28aXeP}ct*ib1#m<b2WX;W_trk0*
zF8{Jqri;>`I{<(8l)(G~EjF273q*_bzqNRG0MQxNBHn*(e#MPGSw?mL(9q|KmH%W>
zTqMS8td?>+!WrU+H6}E_Anqpf`vmF3%Xo7T-0bxZ{;m&dVQ4E-T=-$VzTg=cm@)6L
zO|c6QY)1mv@b@B63xl6lk^W#`T{{7=e}*55J^>#C-!MPgn5PK#VS?E3{G{Do)oa%l
z%Lz%Vhg03JxSPDIe98uI#C3OF|H(y6w3Rc-yAZ|(G4W^OyYb=Qnr-M?Eba_as~32+
zGKFge-+O?RhCN_N#MU+YXI>Z2AKmQQ;Te+GLA<<j;Ch&XbwQ?cH81uRYoq7QDK*-c
z@&{>&k{<uswPY$;Uv84iabD9P#BCql+<IOKYg~Y)Ahs)f419y8Hkd*rwg6u2j`i3R
z%&V~#R0?kmEWRx_Czf)Ty&K;mfwC2P<!3@)SgCk+PLl6X=y7(2^2E@LA6ZPr<pCMH
zat9larZ@?_94U`;ljA;_O8C2xMYoP_rukV!^J)T`cOaT?y3hOz_BjN*Y9lrY{M{h9
zo(yXe{+@vy|5)RWCm)Sognt3}hF<xIvqZ4r|0w#;|3Cc>?iCmtp6f60du6cBKW{ns
zNR%~y&#4Q!F4@GFJNg^LVib32G^{8G_1c}kb+RwVfQ?u)T}{9>`QA96Uf@v<aebzA
zUxAUxL=`T5^ZIfIb+^~|p6300P=V<btYq%wa~AB3W4v3{(Sr`LJK4tlA?>mGkKQot
zlo9F>x&?d1!Gqp)Z_Rha9GfGdOLBl`ZMOSMuDY5>5xuetvGjw<8>A6R+jT91JX3G5
z$`rlJu&EtjZ_U8Oo+6jq<zKT8vcNPvAG~SV!ZLZN6aspH83OAMFwkp2mrd3?D@2!+
zzjf(hU)SZul~r9ZNf+c(_$k>JI}<HGYc#TvQ`$0Xg-Czv6-|fZ5L)j*Tv_;Mz&G?b
z7E^@uxc%QfPJ(In>QMx1(ttPoXNVcXk07V3tA|KV0}GqZZZU$bNe~;J-Di_)v+GWO
z4wWk+zoao?`!j%px*HWov2U;2#Gz#S!1{>PoWpq_CWsx27yB}N417ag=P)HmY$3eZ
zib!5?>^tMDv88|2D~0EgE{E#|JYt)a%-}5g+3ai&?TcviO|Odbn%#Q*uC2rKUg?*@
zubg*KIQ^KW=EZp_aW<Gf1baB(19$;#fPp%{V$=Pt_lEw*;;fN6m*dr05w0_=H>5NK
zUz@Mmy59f9rsdca`#geOMgZFrU=KFoWB*(`0eH6y>qftWkAZLC{R(G;U^5fMhUYc|
zyQ=4%AN8b+ht&fEtxnf@(;L<&Hph{LTzJUqXU&15^wD3UW{cF^CV!pD6sOAVv*XMz
zubZDe8+ykww0AUBH=gbbtzJ;c^01?=Hw`~l`0?t5agnuT+F_A9drj$1f6G~5UNMt-
z8mo<qE1)q~q?r_9l$jluf6yOTm?2xZ%Z0^*{i8I;9h*-o{QTzGffZM-jdUHk`RxIP
zrVq(fROZ|4zPbRypJ5A%>TWihwn*-Yc)5?jHS+{(R%7nkY+Crl;jDeXvswE&YIRT3
ztaM4bVSR9Jnyt@ZO$p5=h${>K4ETl~#$ui$J#35D!=BAvy=X9-{oqmnG0-ER55171
z)jrhG(cA2LzZAh%CWsBshxftNoVY|j2sqC^Y}!|F&LWbBXTRj&v$icFxLB|Ibs28A
z;;!i2eATx6`+7eaFTOi`417awc9=3GJ{Mm63?w%=zF_fce5EC0iTq!Isa3&Gc{16I
zPPH$UZrPgbb0kyf+8gNt{q0d~A9N>zoxI2et(W~Y@1O7?_R3#rW{EswgL~eS6*)Du
zCku|B3_Jduwp`Kst^J06$Koy^H81(Q=DldR<{4m?28Lls#MZS3&%nSe{R_4of?Z4i
zdj`QySVj7C9mw*J{go_KFZu`k3&1z<p2FD!Y@r2$*l@2(8m#JCeu|4x^|9--hkO}y
zf^*W?EW3tnUU^y%d}6xAnCK^Gtr(y8+=-ztHttKPHVB@g+5YIc_m}=}^5GQ5eoVpL
z{Tc~ug(R4>bbYg;?c%&|9~C&BIu=mqc3dVhK{O%FLY||(ka|bQb4W~^qRhZ)@T@hX
zRFzj*JPEhm$T_;PvBc&4ZS+o(4iEf~Ch^$hbicZ_{cRs5W8<}o(~?Ttj_*HwSVTk3
zP`D#EXk^=4dii_RXT3ur6a90EW9%7}1nK4qAqZ#!Y6|8G7|<PPv&kNN5z##kPn%k}
zrZZrURpIMY<a-9gR+P?Mc0`Ns{91gC(_i^URu|gPP$iaYf(vv)a}46j!aoDPq1UmP
za-`R-@p^p*?)6bH$9*6T#6S<>&#@HEiOuG?0>M@!hz-vX{n~vFt_Rx`Ronss)C=vu
z(I!--(8$!Bqx@{4uINX+^VNwZ7LL;u{L{bZc)bCErXW6i@c{wfklT4oB@&<e@A#xU
zklf(-=#*7W<zEakd}$Hp*h(qp%{;?@Fv7$qm_MgoVd9X2e>iD@@-<&<-@|@KX^lyp
z+W~X)ci&1lwUiq5VvCgJnC82x;n;u^{tOSQp7^c%hFQSk9FThBeXpc<wBDEW6qvJq
L91MvV(Ea}b{XU<y

literal 0
HcmV?d00001

diff --git a/tests/cfgs/default/result/doh.pcapng.out b/tests/cfgs/default/result/doh.pcapng.out
new file mode 100644
index 00000000000..31df8bc956b
--- /dev/null
+++ b/tests/cfgs/default/result/doh.pcapng.out
@@ -0,0 +1,30 @@
+Guessed flow protos:	0
+
+DPI Packets (TCP):	6	(6.00 pkts/flow)
+Confidence DPI              : 1 (flows)
+Num dissector calls: 1 (1.00 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache zoom:       0/0/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/2/0 (insert/search/found)
+LRU cache mining:     0/0/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache stun_zoom:  0/0/0 (insert/search/found)
+Automa host:          0/0 (search/found)
+Automa domain:        0/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     0/0 (search/found)
+Automa common alpns:  2/2 (search/found)
+Patricia risk mask:   2/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia protocols:   2/0 (search/found)
+
+TLS	120	14592	1
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 192.168.1.253            	 1      
+
+
+	1	TCP 192.168.1.253:35996 <-> 1.1.1.1:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Web/5][61 pkts/5381 bytes <-> 59 pkts/9211 bytes][Goodput ratio: 35/63][122.79 sec][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.262 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1965/1934 15360/15360 4993/4853][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 88/156 315/1514 41/267][Risk: ** Missing SNI TLS Extn **][Risk Score: 50][TLSv1.3][JA3C: 7c1e207beb00684bbbe144f1b0abe1d5][JA3S: d75f9129bb5d05492a65ff78e081bcb2][Firefox][Cipher: TLS_CHACHA20_POLY1305_SHA256][Plen Bins: 22,26,24,1,1,7,5,5,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]
diff --git a/tests/cfgs/enable_doh_heuristic/config.txt b/tests/cfgs/enable_doh_heuristic/config.txt
new file mode 100644
index 00000000000..eb11be00044
--- /dev/null
+++ b/tests/cfgs/enable_doh_heuristic/config.txt
@@ -0,0 +1 @@
+-D
diff --git a/tests/cfgs/enable_doh_heuristic/pcap/doh.pcapng b/tests/cfgs/enable_doh_heuristic/pcap/doh.pcapng
new file mode 120000
index 00000000000..d03d021aa42
--- /dev/null
+++ b/tests/cfgs/enable_doh_heuristic/pcap/doh.pcapng
@@ -0,0 +1 @@
+../../default/pcap/doh.pcapng
\ No newline at end of file
diff --git a/tests/cfgs/enable_doh_heuristic/result/doh.pcapng.out b/tests/cfgs/enable_doh_heuristic/result/doh.pcapng.out
new file mode 100644
index 00000000000..d301dba2478
--- /dev/null
+++ b/tests/cfgs/enable_doh_heuristic/result/doh.pcapng.out
@@ -0,0 +1,37 @@
+Guessed flow protos:	0
+
+DPI Packets (TCP):	24	(24.00 pkts/flow)
+Confidence DPI              : 1 (flows)
+Num dissector calls: 1 (1.00 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache zoom:       0/0/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/2/0 (insert/search/found)
+LRU cache mining:     0/0/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache stun_zoom:  0/0/0 (insert/search/found)
+Automa host:          0/0 (search/found)
+Automa domain:        0/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     0/0 (search/found)
+Automa common alpns:  2/2 (search/found)
+Patricia risk mask:   2/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia protocols:   2/0 (search/found)
+
+TLS	120	14592	1
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 192.168.1.253            	 1      
+
+
+	1	TCP 192.168.1.253:35996 <-> 1.1.1.1:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 24][cat: Web/5][61 pkts/5381 bytes <-> 59 pkts/9211 bytes][Goodput ratio: 35/63][122.79 sec][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.262 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1965/1934 15360/15360 4993/4853][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 88/156 315/1514 41/267][Risk: ** Missing SNI TLS Extn **][Risk Score: 50][TLSv1.3][JA3C: 7c1e207beb00684bbbe144f1b0abe1d5][JA3S: d75f9129bb5d05492a65ff78e081bcb2][Firefox][Cipher: TLS_CHACHA20_POLY1305_SHA256][Plen Bins: 24,32,24,0,1,7,3,5,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+
+	Bin clusters
+	------------
+	Cluster 0 [24;32;24;0;1;7;3;5;0;0;1;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0]
+	0	TLS       	192.168.1.253:35996 <-> 1.1.1.1:443	[24;32;24;0;1;7;3;5;0;0;1;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0][similarity: 0.000000][DoH (14.247807 distance)]
+	Max similarity: 0.000000
+