diff --git a/doc/configuration_parameters.md b/doc/configuration_parameters.md index 8d826c618587..2200c8385647 100644 --- a/doc/configuration_parameters.md +++ b/doc/configuration_parameters.md @@ -25,6 +25,8 @@ TODO | NULL | "lru.$CACHE_NAME.scope" | 0 | 0 | 1 | Set the scope of the specified LRU cache (0 = the cache is local, 1 = the cache is global). The keyword "$CACHE_NAME" is a placeholder for the cache name and the possible values are: ookla, bittorrent, stun, tls_cert, mining, msteams, fpc_dns. The global scope con be set only if a global context has been initialized | | "tls" | "certificate_expiration_threshold" | 30 | 0 | 365 | The threshold (in days) used to trigger the `NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE` flow risk | | "tls" | "application_blocks_tracking" | disable | NULL | NULL | Enable/disable processing of TLS Application Blocks (post handshake) to extract statistical information about the flow | +| "tls " | "dpi.heuristics", | 0x00 | 0x00 | 0x07 | Enable/disable some heuristics to detect encrypted/obfuscated/proxied TLS flows. The value is a bitmask. Values: 0x0 = disabled; 0x01 = enable basic detection (i.e. encrypted TLS without any encapsulation); 0x02 = enable detection over TLS (i.e. TLS-in-TLS); 0x04 = enable detection over HTTP (i.e. TLS-over-WebSocket). If enabled, some false positives are expected. See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting | +| "tls " | "dpi.heuristics.max_packets_extra_dissection", | 25 | 0 | 255 | If at least one TLS heuristics is enabled (see `tls,"dpi.heuristics"`, this parameter set the upper limit on the number of packets required/processed for each flow. Higher the value, lower the false positive rate but more packets are required by nDPI for processing. | | "tls" | "metadata.sha1_fingerprint" | enable | NULL | NULL | Enable/disable computation and export of SHA1 fingerprint for TLS flows. Note that if it is disable, the flow risk `NDPI_MALICIOUS_SHA1_CERTIFICATE` is not checked | | "tls" | "metadata.ja3c_fingerprint" | enable | NULL | NULL | Enable/disable computation and export of JA3C fingerprint for TLS flows. Note that if it is disable, the flow risk `NDPI_MALICIOUS_JA3` is not checked | | "tls" | "metadata.ja3s_fingerprint" | enable | NULL | NULL | Enable/disable computation and export of JA3S fingerprint for TLS flows | diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 8afd2df3bc20..03aed729de6d 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -5946,6 +5946,25 @@ void memmemUnitTest(void) { /* *********************************************** */ +void mahalanobisUnitTest() +{ + /* Example based on: https://supplychenmanagement.com/2019/03/06/calculating-mahalanobis-distance/ */ + + const float i_s[3 * 3] = { 0.0482486100061447, -0.00420645518018837, -0.0138921893248235, + -0.00420645518018836, 0.00177288408892603, -0.00649813703331057, + -0.0138921893248235, -0.00649813703331056, 0.066800436339011 }; /* Inverted covar matrix */ + const float u[3] = { 22.8, 180.0, 9.2 }; /* Means vector */ + u_int32_t x[3] = { 26, 167, 12 }; /* Point */ + float md; + + md = ndpi_mahalanobis_distance(x, 3, u, i_s); + /* It is a bit tricky to test float equality on different archs -> loose check. + * md sholud be 1.3753 */ + assert(md >= 1.37 && md <= 1.38); +} + +/* *********************************************** */ + void filterUnitTest() { ndpi_filter* f = ndpi_filter_alloc(); u_int32_t v, i; @@ -6325,6 +6344,7 @@ int main(int argc, char **argv) { strnstrUnitTest(); strncasestrUnitTest(); memmemUnitTest(); + mahalanobisUnitTest(); #endif } diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp index 4fdfea776f2f..0ef2e79bb5ea 100644 --- a/fuzz/fuzz_config.cpp +++ b/fuzz/fuzz_config.cpp @@ -129,6 +129,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ndpi_set_config(ndpi_info_mod, "tls", "application_blocks_tracking", cfg_value); ndpi_get_config(ndpi_info_mod, "tls", "application_blocks_tracking", cfg_value, sizeof(cfg_value)); } + if(fuzzed_data.ConsumeBool()) { + value = fuzzed_data.ConsumeIntegralInRange(0, 0x07 + 1); + snprintf(cfg_value, sizeof(cfg_value), "%d", value); + ndpi_set_config(ndpi_info_mod, "tls", "dpi.heuristics", cfg_value); + value = fuzzed_data.ConsumeIntegralInRange(0, 255 + 1); + snprintf(cfg_value, sizeof(cfg_value), "%d", value); + ndpi_set_config(ndpi_info_mod, "tls", "dpi.heuristics.max_packets_extra_dissection", cfg_value); + } if(fuzzed_data.ConsumeBool()) { value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); snprintf(cfg_value, sizeof(cfg_value), "%d", value); diff --git a/fuzz/fuzz_ndpi_reader.c b/fuzz/fuzz_ndpi_reader.c index f801b3f1c280..a85fc3aadcdc 100644 --- a/fuzz/fuzz_ndpi_reader.c +++ b/fuzz/fuzz_ndpi_reader.c @@ -88,6 +88,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { ndpi_set_config(workflow->ndpi_struct, "stun", "max_packets_extra_dissection", "255"); ndpi_set_config(workflow->ndpi_struct, "zoom", "max_packets_extra_dissection", "255"); ndpi_set_config(workflow->ndpi_struct, "rtp", "search_for_stun", "1"); + ndpi_set_config(workflow->ndpi_struct, "tls", "dpi.heuristics", "0x07"); + ndpi_set_config(workflow->ndpi_struct, "tls", "dpi.heuristics.max_packets_extra_dissection", "255"); ndpi_finalize_initialization(workflow->ndpi_struct); diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h index 5ad1bca9c5f0..d90f6ca36e83 100644 --- a/src/include/ndpi_api.h +++ b/src/include/ndpi_api.h @@ -1848,6 +1848,11 @@ extern "C" { /* ******************************* */ + /* Mahalanobis distance (https://en.wikipedia.org/wiki/Mahalanobis_distance) between a point x and a distribution with mean u and inverted covariant matrix i_s */ + float ndpi_mahalanobis_distance(const u_int32_t *x, u_int32_t size, const float *u, const float *i_s); + + /* ******************************* */ + int ndpi_init_bin(struct ndpi_bin *b, enum ndpi_bin_family f, u_int16_t num_bins); void ndpi_free_bin(struct ndpi_bin *b); struct ndpi_bin* ndpi_clone_bin(struct ndpi_bin *b); diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h index b9f197ad6121..5053546ec587 100644 --- a/src/include/ndpi_private.h +++ b/src/include/ndpi_private.h @@ -121,6 +121,7 @@ struct ndpi_packet_struct { struct ndpi_int_one_line_struct http_origin; struct ndpi_int_one_line_struct server_line; struct ndpi_int_one_line_struct http_method; + struct ndpi_int_one_line_struct upgrade_line; struct ndpi_int_one_line_struct http_response; /* the first "word" in this pointer is the response code in the packet (200, etc) */ @@ -232,6 +233,8 @@ struct ndpi_detection_module_config_struct { int tls_certificate_expire_in_x_days; int tls_app_blocks_tracking_enabled; + int tls_heuristics; + int tls_heuristics_max_packets; int tls_sha1_fingerprint_enabled; int tls_ja3c_fingerprint_enabled; int tls_ja3s_fingerprint_enabled; @@ -609,6 +612,8 @@ u_int ndpi_search_tcp_or_udp_raw(struct ndpi_detection_module_struct *ndpi_struc char* ndpi_intoav4(unsigned int addr, char* buf, u_int16_t bufLen); +int is_flow_addr_informative(const struct ndpi_flow_struct *flow); + u_int16_t icmp4_checksum(u_int8_t const * const buf, size_t len); ndpi_risk_enum ndpi_network_risk_ptree_match(struct ndpi_detection_module_struct *ndpi_str, @@ -637,7 +642,8 @@ void switch_to_tls(struct ndpi_detection_module_struct *ndpi_struct, int is_dtls(const u_int8_t *buf, u_int32_t buf_len, u_int32_t *block_len); void switch_extra_dissection_to_tls(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); - +void switch_extra_dissection_to_tls_obfuscated_heur(struct ndpi_detection_module_struct* ndpi_struct, + struct ndpi_flow_struct* flow); /* HTTP */ void http_process_user_agent(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 18e93f66b696..314f7e4341b1 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -169,7 +169,8 @@ typedef enum { NDPI_MALWARE_HOST_CONTACTED, /* Flow client contacted a malware host */ NDPI_BINARY_DATA_TRANSFER, /* Attempt to transfer something in binary format */ NDPI_PROBING_ATTEMPT, /* Probing attempt (e.g. TCP connection with no data exchanged or unidirection traffic for bidirectional flows such as SSH) */ - + NDPI_OBFUSCATED_TRAFFIC, + /* Leave this as last member */ NDPI_MAX_RISK /* must be <= 63 due to (**) */ } ndpi_risk_enum; @@ -791,6 +792,13 @@ struct ndpi_lru_cache { /* Ookla */ #define NDPI_AGGRESSIVENESS_OOKLA_TLS 0x01 /* Enable detection over TLS (using ookla cache) */ +/* TLS */ +#define NDPI_HEURISTICS_TLS_OBFUSCATED_PLAIN 0x01 /* Enable heuristic to detect proxied/obfuscated TLS flows over generic/unknown flows */ +#define NDPI_HEURISTICS_TLS_OBFUSCATED_TLS 0x02 /* Enable heuristic to detect proxied/obfuscated TLS flows over TLS tunnels, i.e. TLS over TLS */ +#define NDPI_HEURISTICS_TLS_OBFUSCATED_HTTP 0x04 /* Enable heuristic to detect proxied/obfuscated TLS flows over HTTP/WebSocket */ + + + /* ************************************************** */ struct ndpi_flow_tcp_struct { @@ -1298,6 +1306,7 @@ struct ndpi_flow_struct { struct { ndpi_http_method method; u_int8_t request_version; /* 0=1.0 and 1=1.1. Create an enum for this? */ + u_int8_t websocket:1, _pad:7; u_int16_t response_status_code; /* 200, 404, etc. */ char *url, *content_type /* response */, *request_content_type /* e.g. for POST */, *user_agent, *server; char *detected_os; /* Via HTTP/QUIC User-Agent */ @@ -1324,7 +1333,8 @@ struct ndpi_flow_struct { struct { message_t message[2]; /* Directions */ - u_int8_t certificate_processed:1, _pad:7; + u_int8_t certificate_processed:1, change_cipher_from_client:1, change_cipher_from_server:1, from_opportunistic_tls:1, pad:4; + struct tls_obfuscated_heuristic_state *obfuscated_heur_state; } tls_quic; /* Used also by DTLS and POPS/IMAPS/SMTPS/FTPS */ union { @@ -1534,7 +1544,7 @@ struct ndpi_flow_struct { /* Flow payload */ u_int16_t flow_payload_len; char *flow_payload; - + /* Leave this field below at the end The field below can be used by third @@ -1548,8 +1558,8 @@ struct ndpi_flow_struct { _Static_assert(sizeof(((struct ndpi_flow_struct *)0)->protos) <= 264, "Size of the struct member protocols increased to more than 264 bytes, " "please check if this change is necessary."); -_Static_assert(sizeof(struct ndpi_flow_struct) <= 1128, - "Size of the flow struct increased to more than 1120 bytes, " +_Static_assert(sizeof(struct ndpi_flow_struct) <= 1136, + "Size of the flow struct increased to more than 1136 bytes, " "please check if this change is necessary."); #endif #endif diff --git a/src/lib/ndpi_analyze.c b/src/lib/ndpi_analyze.c index 519058a54d52..f1b6a2872b17 100644 --- a/src/lib/ndpi_analyze.c +++ b/src/lib/ndpi_analyze.c @@ -2078,3 +2078,45 @@ void ndpi_popcount_count(struct ndpi_popcount *h, const u_int8_t *buf, u_int32_t h->tot_bytes_count += buf_len; } + +/* ********************************************************************************* */ +/* ********************************************************************************* */ + + +/* It provides the Mahalanobis distance (https://en.wikipedia.org/wiki/Mahalanobis_distance) + between a point x and a distribution with mean u and inverted covariant matrix i_s. + Parameters: + x: input array (with dimension "size") + u: means array (with dimension "size") + i_s: inverted covariant matrix (with dimension "size" * "size") + + Bottom line: distance = sqrt([x - u] * [i_s] * [x - u]^T) +*/ +float ndpi_mahalanobis_distance(const u_int32_t *x, u_int32_t size, const float *u, const float *i_s) +{ + float md = 0; + float *diff; /* [x - u] */ + float *tmp; /* Result of [x - u] * [i_s] */ + u_int32_t i, j; + + /* Could we get rid of these allocations? */ + diff = ndpi_calloc(sizeof(float), size); + tmp = ndpi_calloc(sizeof(float), size); + if(diff && tmp) { + for (i = 0; i < size; i++) + diff[i] = x[i] - u[i]; + + /* Naive implementation of matrix multiplication(s) */ + for(i = 0; i < size; i++) { + for(j = 0; j < size; j++) { + tmp[i] += diff[j] * i_s[size * j + i]; + } + } + for(i = 0; i < size; i++) + md += tmp[i] * diff[i]; + } + ndpi_free(diff); + ndpi_free(tmp); + + return sqrt(md); +} diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index a61a8e8045df..925ddaa8390d 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -198,6 +198,7 @@ static ndpi_risk_info ndpi_known_risks[] = { { NDPI_MALWARE_HOST_CONTACTED, NDPI_RISK_SEVERE, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, { NDPI_BINARY_DATA_TRANSFER, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, { NDPI_PROBING_ATTEMPT, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, + { NDPI_OBFUSCATED_TRAFFIC, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_BOTH_ACCOUNTABLE }, /* Leave this as last member */ { NDPI_MAX_RISK, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_NO_ACCOUNTABILITY } @@ -438,6 +439,34 @@ void ndpi_set_proto_category(struct ndpi_detection_module_struct *ndpi_str, u_in /* ********************************************************************************** */ +int is_flow_addr_informative(const struct ndpi_flow_struct *flow) +{ + /* The ideas is to tell if the address itself carries some useful information or not. + Examples: + a flow to a Facebook address is quite likely related to some Facebook apps + a flow to an AWS address might be potentially anything + */ + + switch(flow->guessed_protocol_id_by_ip) { + case NDPI_PROTOCOL_UNKNOWN: + /* This is basically the list of cloud providers supported by nDPI */ + case NDPI_PROTOCOL_TENCENT: + case NDPI_PROTOCOL_EDGECAST: + case NDPI_PROTOCOL_ALIBABA: + case NDPI_PROTOCOL_YANDEX_CLOUD: + case NDPI_PROTOCOL_AMAZON_AWS: + case NDPI_PROTOCOL_MICROSOFT_AZURE: + case NDPI_PROTOCOL_CACHEFLY: + case NDPI_PROTOCOL_CLOUDFLARE: + case NDPI_PROTOCOL_GOOGLE_CLOUD: + return 0; + default: + return 1; + } +} + +/* ********************************************************************************** */ + /* There are some (master) protocols that are informative, meaning that it shows what is the subprotocol about, but also that the subprotocol isn't a real protocol. @@ -6736,6 +6765,9 @@ void ndpi_free_flow_data(struct ndpi_flow_struct* flow) { if(flow->flow_payload != NULL) ndpi_free(flow->flow_payload); + + if(flow->tls_quic.obfuscated_heur_state) + ndpi_free(flow->tls_quic.obfuscated_heur_state); } } @@ -8270,6 +8302,7 @@ static void ndpi_reset_packet_line_info(struct ndpi_packet_struct *packet) { packet->server_line.len = 0, packet->http_method.ptr = NULL, packet->http_method.len = 0, packet->http_response.ptr = NULL, packet->http_response.len = 0, packet->forwarded_line.ptr = NULL, packet->forwarded_line.len = 0; + packet->upgrade_line.ptr = NULL, packet->upgrade_line.len = 0; } /* ********************************************************************************* */ @@ -8976,6 +9009,7 @@ static void parse_single_packet_line(struct ndpi_detection_module_struct *ndpi_s { "Authorization:", &packet->authorization_line }, { NULL, NULL} }; struct header_line headers_u[] = { { "User-agent:", &packet->user_agent_line }, + { "Upgrade:", &packet->upgrade_line }, { NULL, NULL} }; struct header_line headers_c[] = { { "Content-Disposition:", &packet->content_disposition_line }, { "Content-type:", &packet->content_line }, @@ -11402,6 +11436,8 @@ static const struct cfg_param { { "tls", "certificate_expiration_threshold", "30", "0", "365", CFG_PARAM_INT, __OFF(tls_certificate_expire_in_x_days), NULL }, { "tls", "application_blocks_tracking", "disable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_app_blocks_tracking_enabled), NULL }, + { "tls", "dpi.heuristics", "0x00", "0", "0x07", CFG_PARAM_INT, __OFF(tls_heuristics), NULL }, + { "tls", "dpi.heuristics.max_packets_extra_dissection", "25", "0", "255", CFG_PARAM_INT, __OFF(tls_heuristics_max_packets), NULL }, { "tls", "metadata.sha1_fingerprint", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_sha1_fingerprint_enabled), NULL }, { "tls", "metadata.ja3c_fingerprint", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja3c_fingerprint_enabled), NULL }, { "tls", "metadata.ja3s_fingerprint", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja3s_fingerprint_enabled), NULL }, diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 77305eb159e5..2ff62e8e168c 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -2097,6 +2097,9 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) { case NDPI_PROBING_ATTEMPT: return("Probing Attempt"); + case NDPI_OBFUSCATED_TRAFFIC: + return("Obfuscated Traffic"); + default: ndpi_snprintf(buf, sizeof(buf), "%d", (int)risk); return(buf); @@ -2221,6 +2224,8 @@ const char* ndpi_risk2code(ndpi_risk_enum risk) { return STRINGIFY(NDPI_BINARY_DATA_TRANSFER); case NDPI_PROBING_ATTEMPT: return STRINGIFY(NDPI_PROBING_ATTEMPT); + case NDPI_OBFUSCATED_TRAFFIC: + return STRINGIFY(NDPI_OBFUSCATED_TRAFFIC); default: return("Unknown risk"); @@ -2342,6 +2347,8 @@ ndpi_risk_enum ndpi_code2risk(const char* risk) { return(NDPI_BINARY_DATA_TRANSFER); else if(strcmp(STRINGIFY(NDPI_PROBING_ATTEMPT), risk) == 0) return(NDPI_PROBING_ATTEMPT); + else if(strcmp(STRINGIFY(NDPI_OBFUSCATED_TRAFFIC), risk) == 0) + return(NDPI_OBFUSCATED_TRAFFIC); else return(NDPI_MAX_RISK); } diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index bf26467da55c..57f71e2fe1ae 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -148,7 +148,19 @@ static int ndpi_search_http_tcp_again(struct ndpi_detection_module_struct *ndpi_ #endif if(flow->extra_packets_func == NULL) { - return(0); /* We're good now */ + /* HTTP stuff completed */ + + /* Loook for TLS over websocket */ + if((ndpi_struct->cfg.tls_heuristics & NDPI_HEURISTICS_TLS_OBFUSCATED_HTTP) && /* Feature enabled */ + (flow->host_server_name[0] != '\0' && + flow->http.response_status_code != 0) && /* Bidirectional HTTP traffic */ + flow->http.websocket) { + + switch_extra_dissection_to_tls_obfuscated_heur(ndpi_struct, flow); + return(1); + } + + return(0); /* We are good now */ } /* Possibly more processing */ @@ -954,6 +966,12 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } } + if(packet->upgrade_line.ptr != NULL) { + if(flow->http.response_status_code == 101 && + memcmp((char *)packet->upgrade_line.ptr, "websocket", 9) == 0) + flow->http.websocket = 1; + } + if(packet->server_line.ptr != NULL) { if(flow->http.server == NULL) { len = packet->server_line.len + 1; @@ -1577,7 +1595,7 @@ static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struc ndpi_check_http_tcp(ndpi_struct, flow); if((ndpi_struct->cfg.http_parse_response_enabled && - flow->host_server_name[0] != '\0'&& + flow->host_server_name[0] != '\0' && flow->http.response_status_code != 0) || (!ndpi_struct->cfg.http_parse_response_enabled && (flow->host_server_name[0] != '\0' || diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index b26a57998a22..ac8f476a25ae 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -151,6 +151,301 @@ static u_int32_t __get_master(struct ndpi_detection_module_struct *ndpi_struct, /* **************************************** */ +/* Heuristic to detect proxied/obfuscated TLS flows, based on + https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting. + Main differences between the paper and our implementation: + * only Mahalanobis Distance, no Chi-squared Test + * instead of 3-grams, we use 4-grams, always starting from the Client -> Server direction + * consecutive packets in the same direction always belong to the same burst/flight + + Core idea: + * the packets/bytes distribution of a TLS handshake is quite unique + * this fingerprint is still detectable if the handshake is + encrypted/proxied/obfuscated +*/ + +struct tls_obfuscated_heuristic_set { + u_int8_t stage; + u_int32_t bytes[4]; + u_int32_t pkts[4]; +}; + +struct tls_obfuscated_heuristic_state { + u_int8_t num_pkts; + + /* Burst/flight: consecutive packets in the same direction. + * Set: packet/bytes distribution of 4 consecutive bursts (always starting from C->S), + i.e. a 4-grams (using the paper terminology) + * We have up tp 2 sets contemporarily active. + * At the first pkt of a new C->S flight, we close the oldest set and open a new one */ + struct tls_obfuscated_heuristic_set sets[2]; +}; + +static int check_set(struct ndpi_detection_module_struct* ndpi_struct, + struct tls_obfuscated_heuristic_set *set) +{ + /* Model: TLS 1.2; Firefox; No session resumption/0rtt */ + const float i_s_tls_12[4 * 4] = { 0.000292421113167604, 4.43677617831228E-07, -5.69966093492813E-05, -2.18124698406311E-06, + 4.43677617831228E-07, 5.98954952745268E-07, -3.59798436724817E-07, 5.71638172955893E-07, + -5.69966093492813E-05, -3.59798436724817E-07, 0.00076893788148309, 2.22278496185964E-05, + -2.18124698406311E-06, 5.71638172955893E-07, 2.22278496185964E-05, 5.72770077086287E-05 }; + const float average_tls_12[4] = { 212.883690341977, 4514.71195039459, 107.770762871101, 307.580232995115 }; + const float distance_tls_12 = 3.5; + + /* Model: TLS 1.3; Firefox; No session resumption/0rtt; no PQ; ECH(-grease) enabled */ + const float i_s_tls_13[4 * 4] = { 3.08030337925007E-05, 1.16179172096944E-07, 1.05356744968627E-07, 3.8862884355278E-08, + 1.16179172096944E-07, 6.93179117519316E-07, 2.77413220880937E-08, -3.63723200682445E-09, + 1.05356744968627E-07, 2.77413220880937E-08, 1.0260950589675E-06, -1.08769813590053E-08, + 3.88628843552779E-08, -3.63723200682445E-09, -1.08769813590053E-08, 8.63307792288604E-08 }; + const float average_tls_13[4] = { 640.657378447541, 4649.30338356554, 448.408302530566, 1094.2013079329}; + const float distance_tls_13 = 3.0; + + /* Model: TLS 1.2/1.3; Chrome; No session resumption/0rtt; PQ; no ECH(-grease) */ + const float i_s_chrome[4 * 4] = { 6.72374390966642E-06, -2.32109583941723E-08, 6.67140014394388E-08, 1.2526322628285E-08, + -2.32109583941723E-08, 5.64668947932086E-07, 4.58963631972597E-08, 6.41254684791958E-09, + 6.67140014394388E-08, 4.58963631972597E-08, 6.04057768431344E-07, -9.1507432597718E-10, + 1.2526322628285E-08, 6.41254684791958E-09, -9.1507432597718E-10, 1.01184796635481E-07 }; + const float average_chrome[4] = { 1850.43045387994, 4903.07735480722, 785.25280624695, 1051.22303562714 }; + const float distance_chrome = 3.0; + + /* TODO: * ECH/PQ are still under development/deployment -> re-evaluate these models + * Session resumptions/0rtt + * Non-web traffic */ + + /* This is the only logic about pkts distributions. + ClientHello shoudn't be splitted in too many fragments: usually 1; 2 with PQ */ + if(set->pkts[0] > 3) { + NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: too many pkts in the first burst %d\n", set->pkts[0]); + return 0; + } + + if(ndpi_mahalanobis_distance(set->bytes, 4, average_chrome, i_s_chrome) < distance_chrome || + /* To avoid false positives: we didn't find TLS 1.3 CH smaller than 517 */ + (set->bytes[0] >= 517 && ndpi_mahalanobis_distance(set->bytes, 4, average_tls_13, i_s_tls_13) < distance_tls_13) || + ndpi_mahalanobis_distance(set->bytes, 4, average_tls_12, i_s_tls_12) < distance_tls_12) { + + NDPI_LOG_DBG(ndpi_struct, "TLS-Obf-Heur: md %f %f %f [%d/%d/%d/%d %d/%d/%d/%d] TCP? %d\n", + ndpi_mahalanobis_distance(set->bytes, 4, average_tls_12, i_s_tls_12), + ndpi_mahalanobis_distance(set->bytes, 4, average_tls_13, i_s_tls_13), + ndpi_mahalanobis_distance(set->bytes, 4, average_chrome, i_s_chrome), + set->pkts[0], set->pkts[1], set->pkts[2], set->pkts[3], + set->bytes[0], set->bytes[1], set->bytes[2], set->bytes[3], + !!packet->tcp); + return 1; + } + + return 0; +} + +static int tls_obfuscated_heur_search(struct ndpi_detection_module_struct* ndpi_struct, + struct ndpi_flow_struct* flow) { + struct ndpi_packet_struct* packet = &ndpi_struct->packet; + struct tls_obfuscated_heuristic_state *state = flow->tls_quic.obfuscated_heur_state; + struct tls_obfuscated_heuristic_set *set; + int i, j; + int is_tls_in_tls_heur = 0; + int byte_overhead; + + /* Stages: + 0: Unused/Start + 1: C->S : burst 1 + 2: S->C : burst 2 + 3: C->S : burst 3 + 4: S->C : burst 4 + 5: C->S : End + */ + + if(!state) + return 1; /* Exclude */ + + if(packet->payload_packet_len == 0) + return 0; /* Continue */ + + NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: num_pkts %d\n", state->num_pkts); + + if(flow->extra_packets_func && + (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS || + flow->detected_protocol_stack[1] == NDPI_PROTOCOL_TLS)) /* TLS-in-TLS heuristic */ + is_tls_in_tls_heur = 1; + + /* We try to keep into account the overhead (header/padding/mac/iv/nonce) of the + external layers (i.e. above the TLS hanshake we are trying to detect) */ + if(is_tls_in_tls_heur == 1) { + /* According to https://datatracker.ietf.org/doc/html/draft-mattsson-uta-tls-overhead-01 + the average packet overhead for TLS is 29 bytes. + TODO: this draft is OLD and about TLS 1.2 + Looking at real traffic, we found that we can have TLS packets 24 bytes long + */ + byte_overhead = 24; + } else { + /* The paper says that the overhead is usually quite small + ["typically ranging between 20 to 60 bytes"], without any citations. + From the tests, it seams that we can ignore it */ + byte_overhead = 0; + } + + if(packet->payload_packet_len < byte_overhead) { + NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: packet too small. Stop.\n"); + return 1; /* Exclude */ + } + + if(is_tls_in_tls_heur == 1) { + /* We usually stop processing TLS handshake (and switch to this extra dissection + data path) after the FIRST Change-Cipher message. However, for this + heuristic, we need to ignore all packets before a Change-Cipher is sent in the + same direction */ + if(current_pkt_from_client_to_server(ndpi_struct, flow) && + flow->tls_quic.change_cipher_from_client == 0) { + if(packet->payload[0] == 0x14) { + NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: Change-Cipher from client\n"); + flow->tls_quic.change_cipher_from_client = 1; + } + NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: skip\n"); + return 0; /* Continue */ + } + if(current_pkt_from_server_to_client(ndpi_struct, flow) && + flow->tls_quic.change_cipher_from_server == 0) { + if(packet->payload[0] == 0x14) { + flow->tls_quic.change_cipher_from_server = 1; + NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: Change-Cipher from server\n"); + } + NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: skip\n"); + return 0; /* Continue */ + } + } + + if(state->num_pkts++ > ndpi_struct->cfg.tls_heuristics_max_packets) { + NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: too many pkts. Stop\n"); + return 1; /* Exclude */ + } + + /* Update active sets */ + for(i = 0; i < 2; i ++) { + set = &state->sets[i]; + switch(set->stage) { + case 0: + /* This happen only at the beginning of the heuristic: after the first pkt + of the third (absolute) burst, we always have both sets used */ + if(i == 0 || state->sets[0].stage == 3) { + if(current_pkt_from_client_to_server(ndpi_struct, flow)) { + NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: open set %d\n", i); + set->stage = 1; + break; + } else { + /* First packet should be always from client. + This shortcut makes detection harder if, before the obfuscated TLS hanshake + there is random traffic */ + return 1; /* Exclude */ + } + } + continue; + case 1: + if(current_pkt_from_server_to_client(ndpi_struct, flow)) + set->stage = 2; + break; + case 2: + if(current_pkt_from_client_to_server(ndpi_struct, flow)) + set->stage = 3; + break; + case 3: + if(current_pkt_from_server_to_client(ndpi_struct, flow)) + set->stage = 4; + break; + case 4: + if(current_pkt_from_client_to_server(ndpi_struct, flow)) + set->stage = 5; + break; + /* We cant have 5 here */ + } + + if(set->stage != 5) { + set->bytes[set->stage - 1] += (packet->payload_packet_len - byte_overhead); + set->pkts[set->stage - 1] += 1; + } + + NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: set %d stage %d bytes %d/%d/%d/%d pkts %d/%d/%d/%d\n", + i, set->stage, + set->bytes[0], set->bytes[1], set->bytes[2], set->bytes[3], + set->pkts[0], set->pkts[1], set->pkts[2], set->pkts[3]); + + /* Check completed set */ + if(set->stage == 5) { + NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: set %d completed\n", i); + if(check_set(ndpi_struct, set)) { + /* Heuristic match */ + return 2; /* Found */ + } else { + /* Close this set and open a new one... */ + set->stage = 1; + set->bytes[0] = packet->payload_packet_len - byte_overhead; + set->pkts[0] = 1; + for(j = 1; j < 4; j++) { + set->bytes[j] = 0; + set->pkts[j] = 0; + } + NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: set %d closed and reused\n", i); + } + } + } + + return 0; /* Continue */ +} + +static int tls_obfuscated_heur_search_again(struct ndpi_detection_module_struct* ndpi_struct, + struct ndpi_flow_struct* flow) +{ + int rc; + + NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: extra dissection\n"); + + rc = tls_obfuscated_heur_search(ndpi_struct, flow); + if(rc == 0) + return 1; /* Keep working */ + if(rc == 2) { + NDPI_LOG_DBG(ndpi_struct, "TLS-Obf-Heur: found!\n"); + + /* Right now, if an heuritic matches, we set the classification/risk. + TODO: avoid false positives! + Some ideas: + * try to identify the servers: we wait for multiple sessions to the same server, + before to start marking the flows to that address + * consider the number of burst after TLS handshake (see Fig 8 paper) */ + + if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_AGGRESSIVE); + ndpi_set_risk(flow, NDPI_OBFUSCATED_TRAFFIC, "Obfuscated TLS traffic"); + } else { + flow->confidence = NDPI_CONFIDENCE_DPI_AGGRESSIVE; /* Update the value */ + if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS || + flow->detected_protocol_stack[1] == NDPI_PROTOCOL_TLS) + ndpi_set_risk(flow, NDPI_OBFUSCATED_TRAFFIC, "Obfuscated TLS-in-TLS traffic"); + else + ndpi_set_risk(flow, NDPI_OBFUSCATED_TRAFFIC, "Obfuscated TLS-in-HTTP-WebSocket traffic"); + } + + ndpi_protocol ret = { { __get_master(ndpi_struct, flow), NDPI_PROTOCOL_UNKNOWN }, NDPI_PROTOCOL_UNKNOWN /* unused */, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL}; + flow->category = ndpi_get_proto_category(ndpi_struct, ret); + } + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); /* Not necessary in extra-dissection data path, + but we need it with the plain heuristic */ + return 0; /* Stop */ +} + +void switch_extra_dissection_to_tls_obfuscated_heur(struct ndpi_detection_module_struct* ndpi_struct, + struct ndpi_flow_struct* flow) +{ + NDPI_LOG_DBG(ndpi_struct, "Switching to TLS Obfuscated heuristic\n"); + + flow->tls_quic.obfuscated_heur_state = ndpi_calloc(1, sizeof(struct tls_obfuscated_heuristic_state)); + + /* "* 2" to take into account ACKs. The "real" check is performend against + "tls_heuristics_max_packets" in tls_obfuscated_heur_search, as expected */ + flow->max_extra_packets_to_check = ndpi_struct->cfg.tls_heuristics_max_packets * 2; + flow->extra_packets_func = tls_obfuscated_heur_search_again; +} + +/* **************************************** */ + static int ndpi_search_tls_memory(const u_int8_t *payload, u_int16_t payload_len, u_int32_t seq, @@ -1019,7 +1314,6 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-5 */ if(!(message->buffer[0] >= 20 && message->buffer[0] <= 26)) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); something_went_wrong = 1; } @@ -1067,6 +1361,10 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, */ flow->l4.tcp.tls.num_tls_blocks = 0; } + if(current_pkt_from_client_to_server(ndpi_struct, flow)) + flow->tls_quic.change_cipher_from_client = 1; + else + flow->tls_quic.change_cipher_from_server = 1; } else if(content_type == 0x15 /* Alert */) { /* https://techcommunity.microsoft.com/t5/iis-support-blog/ssl-tls-alert-protocol-and-the-alert-codes/ba-p/377132 */ #ifdef DEBUG_TLS @@ -1199,6 +1497,16 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, ndpi_unset_risk(flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT); flow->extra_packets_func = NULL; return(0); /* That's all */ + /* Loook for TLS-in-TLS */ + } else if((ndpi_struct->cfg.tls_heuristics & NDPI_HEURISTICS_TLS_OBFUSCATED_TLS) && /* Feature enabled */ + (!something_went_wrong && + flow->tls_quic.certificate_processed == 1 && + flow->protos.tls_quic.client_hello_processed == 1 && + flow->protos.tls_quic.server_hello_processed == 1) && /* TLS handshake found without errors */ + flow->tls_quic.from_opportunistic_tls == 0 && /* No from plaintext Mails or FTP */ + !is_flow_addr_informative(flow) /* The proxy server is likely hosted on some cloud providers */ ) { + switch_extra_dissection_to_tls_obfuscated_heur(ndpi_struct, flow); + return(1); } else { flow->extra_packets_func = NULL; return(0); /* That's all */ @@ -1394,7 +1702,6 @@ static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct, packet->payload_packet_len = p_len; /* Restore */ if(no_dtls || change_cipher_found || flow->tls_quic.certificate_processed) { - NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_DTLS); return(0); /* That's all */ } else { return(1); /* Keep working */ @@ -1430,6 +1737,8 @@ void switch_extra_dissection_to_tls(struct ndpi_detection_module_struct *ndpi_st ndpi_free(flow->tls_quic.message[1].buffer); memset(&flow->tls_quic.message[1], '\0', sizeof(flow->tls_quic.message[1])); + flow->tls_quic.from_opportunistic_tls = 1; + tlsInitExtraPacketProcessing(ndpi_struct, flow); } @@ -1450,6 +1759,14 @@ void switch_to_tls(struct ndpi_detection_module_struct *ndpi_struct, if(flow->tls_quic.message[1].buffer) ndpi_free(flow->tls_quic.message[1].buffer); memset(&flow->tls_quic.message[1], '\0', sizeof(flow->tls_quic.message[1])); + + /* We will not check obfuscated heuristic (anymore) because we have been + called from the STUN code, but we need to clear the previous state + (if any) to trigger "standard" TLS/DTLS code */ + if(flow->tls_quic.obfuscated_heur_state) { + ndpi_free(flow->tls_quic.obfuscated_heur_state); + flow->tls_quic.obfuscated_heur_state = NULL; + } } ndpi_search_tls_wrapper(ndpi_struct, flow); @@ -2996,6 +3313,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, static void ndpi_search_tls_wrapper(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; + int rc = 0; #ifdef DEBUG_TLS printf("==>> %s() %u [len: %u][version: %u]\n", @@ -3005,10 +3323,44 @@ static void ndpi_search_tls_wrapper(struct ndpi_detection_module_struct *ndpi_st flow->protos.tls_quic.ssl_version); #endif - if(packet->udp != NULL || flow->stun.maybe_dtls) - ndpi_search_tls_udp(ndpi_struct, flow); - else - ndpi_search_tls_tcp(ndpi_struct, flow); + /* It is not easy to handle "standard" TLS/DTLS detection and (plain) obfuscated + heuristic at the SAME time. Use a trivial logic: switch to heuristic + code only if the standard functions fail */ + + /* We might be in extra-dissection data-path here (if we have been + called from STUN or from Mails/FTP/...), but plain obfuscated heuristic + is always checked in "standard" data-path! */ + + if(flow->tls_quic.obfuscated_heur_state == NULL) { + if(packet->udp != NULL || flow->stun.maybe_dtls) + rc = ndpi_search_tls_udp(ndpi_struct, flow); + else + rc = ndpi_search_tls_tcp(ndpi_struct, flow); + + if(rc == 0) + flow->tls_quic.obfuscated_heur_state = ndpi_calloc(1, sizeof(struct tls_obfuscated_heuristic_state)); + } + + /* We should check for this TLS heuristic if: + * the feature is enabled + * this flow doesn't seem a real TLS/DTLS one + * we are not here from STUN code or from opportunistic tls path (mails/ftp) + * with TCP, we got the 3WHS (so that we can process the beginning of the flow) + */ + if(flow->tls_quic.obfuscated_heur_state && + (ndpi_struct->cfg.tls_heuristics & NDPI_HEURISTICS_TLS_OBFUSCATED_PLAIN) && + flow->stun.maybe_dtls == 0 && + flow->tls_quic.from_opportunistic_tls == 0 && + ((flow->l4_proto == IPPROTO_TCP && ndpi_seen_flow_beginning(flow)) || + flow->l4_proto == IPPROTO_UDP) && + !is_flow_addr_informative(flow) /* The proxy server is likely hosted on some cloud providers */ ) { + tls_obfuscated_heur_search_again(ndpi_struct, flow); + } else if(rc == 0) { + if(packet->udp != NULL || flow->stun.maybe_dtls) + NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_DTLS); + else + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + } } /* **************************************** */ diff --git a/tests/cfgs/default/pcap/tls_obfuscated_heur__shadowsocks-tcp.pcapng b/tests/cfgs/default/pcap/tls_obfuscated_heur__shadowsocks-tcp.pcapng new file mode 100644 index 000000000000..25a368f3cf40 Binary files /dev/null and b/tests/cfgs/default/pcap/tls_obfuscated_heur__shadowsocks-tcp.pcapng differ diff --git a/tests/cfgs/default/pcap/tls_obfuscated_heur__trojan-tcp-tls.pcapng b/tests/cfgs/default/pcap/tls_obfuscated_heur__trojan-tcp-tls.pcapng new file mode 100644 index 000000000000..48ea475790c5 Binary files /dev/null and b/tests/cfgs/default/pcap/tls_obfuscated_heur__trojan-tcp-tls.pcapng differ diff --git a/tests/cfgs/default/pcap/tls_obfuscated_heur__vmess-tcp-tls.pcapng b/tests/cfgs/default/pcap/tls_obfuscated_heur__vmess-tcp-tls.pcapng new file mode 100644 index 000000000000..36fa9b1c7bfa Binary files /dev/null and b/tests/cfgs/default/pcap/tls_obfuscated_heur__vmess-tcp-tls.pcapng differ diff --git a/tests/cfgs/default/pcap/tls_obfuscated_heur__vmess-tcp.pcapng b/tests/cfgs/default/pcap/tls_obfuscated_heur__vmess-tcp.pcapng new file mode 100644 index 000000000000..1a5c7d0c5037 Binary files /dev/null and b/tests/cfgs/default/pcap/tls_obfuscated_heur__vmess-tcp.pcapng differ diff --git a/tests/cfgs/default/pcap/tls_obfuscated_heur__vmess-websocket.pcapng b/tests/cfgs/default/pcap/tls_obfuscated_heur__vmess-websocket.pcapng new file mode 100644 index 000000000000..03ae5a60500d Binary files /dev/null and b/tests/cfgs/default/pcap/tls_obfuscated_heur__vmess-websocket.pcapng differ diff --git a/tests/cfgs/default/result/tls_obfuscated_heur__shadowsocks-tcp.pcapng.out b/tests/cfgs/default/result/tls_obfuscated_heur__shadowsocks-tcp.pcapng.out new file mode 100644 index 000000000000..d6f43f7b6e56 --- /dev/null +++ b/tests/cfgs/default/result/tls_obfuscated_heur__shadowsocks-tcp.pcapng.out @@ -0,0 +1,44 @@ +DPI Packets (TCP): 34 (11.33 pkts/flow) +DPI Packets (UDP): 3 (3.00 pkts/flow) +Confidence Unknown : 1 (flows) +Confidence DPI : 3 (flows) +Num dissector calls: 413 (103.25 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/3/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/1/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 1/3/0 (insert/search/found) +Automa host: 4/4 (search/found) +Automa domain: 4/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 1/0 (search/found) +Automa common alpns: 2/2 (search/found) +Patricia risk mask: 2/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 1/0 (search/found) +Patricia protocols: 6/0 (search/found) +Patricia protocols IPv6: 1/1 (search/found) + +Unknown 25 22923 1 +YouTube 45 36920 2 +SOCKS 30 21330 1 + +Acceptable 30 21330 1 +Fun 45 36920 2 +Unrated 25 22923 1 + +JA3 Host Stats: + IP Address # JA3C + 1 2001:b07:a3d:c112:8628:88aa:8b00:913c 1 + + + 1 TCP [2001:b07:a3d:c112:8628:88aa:8b00:913c]:45334 <-> [2a00:1450:4002:416::200e]:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 126/Google, Confidence: IP address][DPI packets: 6][cat: Media/1][20 pkts/2589 bytes <-> 21 pkts/33559 bytes][Goodput ratio: 32/94][0.12 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.857 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/6 46/49 14/13][Pkt Len c2s/s2c min/avg/max/stddev: 88/88 129/1598 605/6128 124/1604][TLSv1.3][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 9,0,0,0,0,0,4,0,4,0,0,0,0,0,0,0,4,4,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,56,0,0,0,0,0,0,0,0,0,13] + 2 TCP 127.0.0.1:44424 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][18 pkts/2079 bytes <-> 12 pkts/19251 bytes][Goodput ratio: 41/96][0.15 sec][bytes ratio: -0.805 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/7 46/50 16/15][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 116/1604 585/9955 117/2915][PLAIN TEXT (www.youtube.com)][Plen Bins: 37,24,5,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,5,0,0,0,0,0,0,0,11] + 3 UDP 127.0.0.1:41182 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/596 bytes][Goodput ratio: 50/85][0.00 sec][Hostname/SNI: www.youtube.com][216.58.204.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + + +Undetected flows: + 1 TCP 127.0.0.1:40164 <-> 127.0.0.1:1234 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 22][14 pkts/2036 bytes <-> 11 pkts/20887 bytes][Goodput ratio: 53/96][0.17 sec][bytes ratio: -0.822 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/21 52/52 19/20][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 145/1899 704/7496 163/2354][Risk: ** Fully Encrypted Flow **][Risk Score: 50][PLAIN TEXT (GYrp0@)][Plen Bins: 0,0,15,7,15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,7,0,0,0,0,0,0,0,23] diff --git a/tests/cfgs/default/result/tls_obfuscated_heur__trojan-tcp-tls.pcapng.out b/tests/cfgs/default/result/tls_obfuscated_heur__trojan-tcp-tls.pcapng.out new file mode 100644 index 000000000000..fc61e30a9cfb --- /dev/null +++ b/tests/cfgs/default/result/tls_obfuscated_heur__trojan-tcp-tls.pcapng.out @@ -0,0 +1,48 @@ +DPI Packets (TCP): 18 (6.00 pkts/flow) +DPI Packets (UDP): 15 (2.14 pkts/flow) +Confidence DPI : 10 (flows) +Num dissector calls: 167 (16.70 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/2/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 3/3/1 (insert/search/found) +Automa host: 17/8 (search/found) +Automa domain: 17/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 7/0 (search/found) +Automa common alpns: 4/4 (search/found) +Patricia risk mask: 14/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 19/1 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +DNS 8 680 4 +TLS 25 11617 1 +YouTube 40 17498 4 +SOCKS 27 9979 1 + +Safe 25 11617 1 +Acceptable 35 10659 5 +Fun 40 17498 4 + +JA3 Host Stats: + IP Address # JA3C + 1 127.0.0.1 1 + 2 192.168.1.183 1 + + + 1 TCP 192.168.1.183:58730 <-> 142.250.180.142:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 124/YouTube, Confidence: DNS][DPI packets: 6][cat: Media/1][17 pkts/1985 bytes <-> 15 pkts/13936 bytes][Goodput ratio: 41/93][0.11 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.751 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5/9 31/70 9/20][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 117/929 585/1468 126/632][TLSv1.3][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 18,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,51,0,0,0,0] + 2 TCP 127.0.0.1:41796 <-> 127.0.0.1:1234 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][13 pkts/2233 bytes <-> 12 pkts/9384 bytes][Goodput ratio: 60/91][0.14 sec][Hostname/SNI: test.lan][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.616 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/6 46/30 15/11][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 172/782 675/2138 165/744][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.3][JA3C: 7a15285d4efc355608b304698cd7f9ab][JA4: t13d1911h2_9dc949149365_e7c285222651][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,13,13,6,6,0,0,0,6,0,0,0,0,0,6,0,0,0,6,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,6,0,6,0,0,0,0,0,0,0,0,0,13] + 3 TCP 127.0.0.1:60654 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][17 pkts/1999 bytes <-> 10 pkts/7980 bytes][Goodput ratio: 42/91][0.19 sec][bytes ratio: -0.599 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/7 46/43 16/15][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 118/798 585/4164 119/1276][PLAIN TEXT (www.youtube.com)][Plen Bins: 37,25,6,0,0,0,0,0,0,0,0,0,0,0,6,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12] + 4 UDP 127.0.0.1:52786 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/468 bytes][Goodput ratio: 50/81][0.03 sec][Hostname/SNI: www.youtube.com][142.250.180.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 UDP 192.168.1.183:46451 <-> 192.168.1.253:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/413 bytes][Goodput ratio: 49/89][0.03 sec][Hostname/SNI: www.youtube.com][142.250.180.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 UDP 192.168.1.183:54260 <-> 192.168.1.253:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/344 bytes][Goodput ratio: 49/87][0.03 sec][Hostname/SNI: www.youtube.com][2a00:1450:4002:411::200e][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 UDP 127.0.0.1:53154 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 8 UDP 192.168.1.183:39434 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 9 UDP 127.0.0.1:56496 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][0.00 sec][Hostname/SNI: test.lan][::][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 10 UDP 192.168.1.183:38613 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][< 1 sec][Hostname/SNI: test.lan][::][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/tls_obfuscated_heur__vmess-tcp-tls.pcapng.out b/tests/cfgs/default/result/tls_obfuscated_heur__vmess-tcp-tls.pcapng.out new file mode 100644 index 000000000000..43fc12589b50 --- /dev/null +++ b/tests/cfgs/default/result/tls_obfuscated_heur__vmess-tcp-tls.pcapng.out @@ -0,0 +1,48 @@ +DPI Packets (TCP): 18 (6.00 pkts/flow) +DPI Packets (UDP): 15 (2.14 pkts/flow) +Confidence DPI : 10 (flows) +Num dissector calls: 167 (16.70 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/2/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 3/3/1 (insert/search/found) +Automa host: 17/8 (search/found) +Automa domain: 17/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 7/0 (search/found) +Automa common alpns: 4/4 (search/found) +Patricia risk mask: 14/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 19/1 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +DNS 8 680 4 +TLS 30 14152 1 +YouTube 34 22317 4 +SOCKS 28 10046 1 + +Safe 30 14152 1 +Acceptable 36 10726 5 +Fun 34 22317 4 + +JA3 Host Stats: + IP Address # JA3C + 1 127.0.0.1 1 + 2 192.168.1.183 1 + + + 1 TCP 192.168.1.183:58612 <-> 216.58.204.142:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 124/YouTube, Confidence: DNS][DPI packets: 6][cat: Media/1][11 pkts/1577 bytes <-> 15 pkts/19414 bytes][Goodput ratio: 52/95][0.10 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.850 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 12/8 74/66 24/18][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 143/1294 585/6668 151/1565][TLSv1.3][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 12,6,6,0,0,0,6,0,0,0,0,0,0,0,0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,44,0,0,0,6] + 2 TCP 127.0.0.1:57874 <-> 127.0.0.1:1234 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][16 pkts/2501 bytes <-> 14 pkts/11651 bytes][Goodput ratio: 56/92][0.16 sec][Hostname/SNI: test.lan][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.647 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10/12 40/74 14/22][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 156/832 731/2138 166/797][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.3][JA3C: 7a15285d4efc355608b304698cd7f9ab][JA4: t13d1911h2_9dc949149365_e7c285222651][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 5,12,12,5,5,0,0,0,5,0,0,0,0,0,0,0,5,0,0,0,5,5,0,0,0,0,0,5,0,0,0,0,0,0,0,5,0,5,0,0,0,0,0,0,0,0,0,19] + 3 TCP 127.0.0.1:40136 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][17 pkts/1999 bytes <-> 11 pkts/8047 bytes][Goodput ratio: 42/91][0.14 sec][bytes ratio: -0.602 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/1 40/4 14/2][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 118/732 585/2612 119/967][PLAIN TEXT (www.youtube.com)][Plen Bins: 37,25,6,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18] + 4 UDP 127.0.0.1:46548 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/484 bytes][Goodput ratio: 50/82][0.00 sec][Hostname/SNI: www.youtube.com][216.58.204.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 UDP 192.168.1.183:49817 <-> 192.168.1.253:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/253 bytes][Goodput ratio: 49/82][0.00 sec][Hostname/SNI: www.youtube.com][216.58.204.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 UDP 192.168.1.183:41933 <-> 192.168.1.253:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/237 bytes][Goodput ratio: 49/81][0.00 sec][Hostname/SNI: www.youtube.com][2a00:1450:4002:410::200e][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 UDP 127.0.0.1:45262 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 8 UDP 192.168.1.183:42485 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 9 UDP 127.0.0.1:50125 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][0.00 sec][Hostname/SNI: test.lan][::][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 10 UDP 192.168.1.183:58009 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][< 1 sec][Hostname/SNI: test.lan][::][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/tls_obfuscated_heur__vmess-tcp.pcapng.out b/tests/cfgs/default/result/tls_obfuscated_heur__vmess-tcp.pcapng.out new file mode 100644 index 000000000000..6f3f08650f46 --- /dev/null +++ b/tests/cfgs/default/result/tls_obfuscated_heur__vmess-tcp.pcapng.out @@ -0,0 +1,44 @@ +DPI Packets (TCP): 38 (12.67 pkts/flow) +DPI Packets (UDP): 3 (3.00 pkts/flow) +Confidence Unknown : 1 (flows) +Confidence DPI : 3 (flows) +Num dissector calls: 416 (104.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/3/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/1/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 1/3/0 (insert/search/found) +Automa host: 4/4 (search/found) +Automa domain: 4/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 1/0 (search/found) +Automa common alpns: 2/2 (search/found) +Patricia risk mask: 2/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 1/0 (search/found) +Patricia protocols: 6/0 (search/found) +Patricia protocols IPv6: 1/1 (search/found) + +Unknown 29 22543 1 +YouTube 41 25855 2 +SOCKS 30 21345 1 + +Acceptable 30 21345 1 +Fun 41 25855 2 +Unrated 29 22543 1 + +JA3 Host Stats: + IP Address # JA3C + 1 2001:b07:a3d:c112:8628:88aa:8b00:913c 1 + + + 1 TCP [2001:b07:a3d:c112:8628:88aa:8b00:913c]:48302 <-> [2a00:1450:4006:80d::200e]:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 126/Google, Confidence: IP address][DPI packets: 8][cat: Media/1][19 pkts/2517 bytes <-> 18 pkts/22438 bytes][Goodput ratio: 33/93][2.20 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.798 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 146/10 1024/77 344/20][Pkt Len c2s/s2c min/avg/max/stddev: 88/88 132/1247 605/2504 117/854][TLSv1.3][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 10,5,5,0,5,0,0,5,0,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,30,0,5,0,0,0,0,0,0,0,25] + 2 TCP 127.0.0.1:37218 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][15 pkts/1875 bytes <-> 15 pkts/19470 bytes][Goodput ratio: 45/95][2.27 sec][bytes ratio: -0.824 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 185/178 2080/2039 572/561][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 125/1298 585/7183 125/2425][PLAIN TEXT (www.youtube.com)][Plen Bins: 34,26,6,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20] + 3 UDP 127.0.0.1:35957 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/724 bytes][Goodput ratio: 50/88][0.00 sec][Hostname/SNI: www.youtube.com][172.217.18.46][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + + +Undetected flows: + 1 TCP 127.0.0.1:40818 <-> 127.0.0.1:1234 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 24][13 pkts/2126 bytes <-> 16 pkts/20417 bytes][Goodput ratio: 58/95][2.27 sec][bytes ratio: -0.811 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 225/171 2079/2079 619/551][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 164/1276 749/4794 178/1603][Risk: ** Fully Encrypted Flow **][Risk Score: 50][PLAIN TEXT (Zy61zL)][Plen Bins: 0,0,6,20,13,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,6,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,33] diff --git a/tests/cfgs/default/result/tls_obfuscated_heur__vmess-websocket.pcapng.out b/tests/cfgs/default/result/tls_obfuscated_heur__vmess-websocket.pcapng.out new file mode 100644 index 000000000000..8ca0321df2dd --- /dev/null +++ b/tests/cfgs/default/result/tls_obfuscated_heur__vmess-websocket.pcapng.out @@ -0,0 +1,39 @@ +DPI Packets (TCP): 18 (6.00 pkts/flow) +DPI Packets (UDP): 2 (2.00 pkts/flow) +Confidence DPI : 4 (flows) +Num dissector calls: 173 (43.25 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 1/3/1 (insert/search/found) +Automa host: 4/3 (search/found) +Automa domain: 4/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 1/0 (search/found) +Automa common alpns: 2/2 (search/found) +Patricia risk mask: 2/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 7/1 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +HTTP 35 22912 1 +YouTube 32 24681 2 +SOCKS 33 21475 1 + +Acceptable 68 44387 2 +Fun 32 24681 2 + +JA3 Host Stats: + IP Address # JA3C + 1 192.168.1.183 1 + + + 1 TCP 192.168.1.183:51390 <-> 142.250.180.142:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 124/YouTube, Confidence: DNS][DPI packets: 6][cat: Media/1][11 pkts/1577 bytes <-> 17 pkts/22332 bytes][Goodput ratio: 52/95][0.14 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.868 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/9 81/74 26/19][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 143/1314 585/6668 160/1472][TLSv1.3][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 18,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,55,0,0,0,5] + 2 TCP 127.0.0.1:33702 <-> 127.0.0.1:1234 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][19 pkts/2630 bytes <-> 16 pkts/20282 bytes][Goodput ratio: 51/95][0.17 sec][Hostname/SNI: 127.0.0.1][bytes ratio: -0.770 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/7 52/76 16/21][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 138/1268 767/2120 172/862][URL: 127.0.0.1:1234/][StatusCode: 101][User-Agent: Go-http-client/1.1][Risk: ** Known Proto on Non Std Port **** HTTP/TLS/QUIC Numeric Hostname/SNI **][Risk Score: 60][Risk Info: Found host 127.0.0.1][PLAIN TEXT (GET / HTTP/1.1)][Plen Bins: 0,0,11,0,5,5,0,0,0,0,0,5,0,0,5,0,0,0,0,0,5,11,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,45] + 3 TCP 127.0.0.1:44532 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][20 pkts/2203 bytes <-> 13 pkts/19272 bytes][Goodput ratio: 38/95][0.17 sec][bytes ratio: -0.795 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10/10 44/82 16/26][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 110/1482 585/4000 112/1624][PLAIN TEXT (www.youtube.com)][Plen Bins: 31,21,5,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26] + 4 UDP 127.0.0.1:39646 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/596 bytes][Goodput ratio: 50/85][0.00 sec][Hostname/SNI: www.youtube.com][142.250.180.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/tls_obfuscated_heur_enabled/config.txt b/tests/cfgs/tls_obfuscated_heur_enabled/config.txt new file mode 100644 index 000000000000..0fece59c019e --- /dev/null +++ b/tests/cfgs/tls_obfuscated_heur_enabled/config.txt @@ -0,0 +1 @@ +--cfg=tls,dpi.heuristics,0x07 --cfg=tls,dpi.heuristics.max_packets_extra_dissection,25 diff --git a/tests/cfgs/tls_obfuscated_heur_enabled/pcap/tls_obfuscated_heur__shadowsocks-tcp.pcapng b/tests/cfgs/tls_obfuscated_heur_enabled/pcap/tls_obfuscated_heur__shadowsocks-tcp.pcapng new file mode 120000 index 000000000000..82f415daeda0 --- /dev/null +++ b/tests/cfgs/tls_obfuscated_heur_enabled/pcap/tls_obfuscated_heur__shadowsocks-tcp.pcapng @@ -0,0 +1 @@ +../../default/pcap/tls_obfuscated_heur__shadowsocks-tcp.pcapng \ No newline at end of file diff --git a/tests/cfgs/tls_obfuscated_heur_enabled/pcap/tls_obfuscated_heur__trojan-tcp-tls.pcapng b/tests/cfgs/tls_obfuscated_heur_enabled/pcap/tls_obfuscated_heur__trojan-tcp-tls.pcapng new file mode 120000 index 000000000000..6dbe41b9e4de --- /dev/null +++ b/tests/cfgs/tls_obfuscated_heur_enabled/pcap/tls_obfuscated_heur__trojan-tcp-tls.pcapng @@ -0,0 +1 @@ +../../default/pcap/tls_obfuscated_heur__trojan-tcp-tls.pcapng \ No newline at end of file diff --git a/tests/cfgs/tls_obfuscated_heur_enabled/pcap/tls_obfuscated_heur__vmess-tcp-tls.pcapng b/tests/cfgs/tls_obfuscated_heur_enabled/pcap/tls_obfuscated_heur__vmess-tcp-tls.pcapng new file mode 120000 index 000000000000..73eefba53ba4 --- /dev/null +++ b/tests/cfgs/tls_obfuscated_heur_enabled/pcap/tls_obfuscated_heur__vmess-tcp-tls.pcapng @@ -0,0 +1 @@ +../../default/pcap/tls_obfuscated_heur__vmess-tcp-tls.pcapng \ No newline at end of file diff --git a/tests/cfgs/tls_obfuscated_heur_enabled/pcap/tls_obfuscated_heur__vmess-tcp.pcapng b/tests/cfgs/tls_obfuscated_heur_enabled/pcap/tls_obfuscated_heur__vmess-tcp.pcapng new file mode 120000 index 000000000000..1b61b3518d25 --- /dev/null +++ b/tests/cfgs/tls_obfuscated_heur_enabled/pcap/tls_obfuscated_heur__vmess-tcp.pcapng @@ -0,0 +1 @@ +../../default/pcap/tls_obfuscated_heur__vmess-tcp.pcapng \ No newline at end of file diff --git a/tests/cfgs/tls_obfuscated_heur_enabled/pcap/tls_obfuscated_heur__vmess-websocket.pcapng b/tests/cfgs/tls_obfuscated_heur_enabled/pcap/tls_obfuscated_heur__vmess-websocket.pcapng new file mode 120000 index 000000000000..20feab0a9503 --- /dev/null +++ b/tests/cfgs/tls_obfuscated_heur_enabled/pcap/tls_obfuscated_heur__vmess-websocket.pcapng @@ -0,0 +1 @@ +../../default/pcap/tls_obfuscated_heur__vmess-websocket.pcapng \ No newline at end of file diff --git a/tests/cfgs/tls_obfuscated_heur_enabled/result/tls_obfuscated_heur__shadowsocks-tcp.pcapng.out b/tests/cfgs/tls_obfuscated_heur_enabled/result/tls_obfuscated_heur__shadowsocks-tcp.pcapng.out new file mode 100644 index 000000000000..4742eea683c8 --- /dev/null +++ b/tests/cfgs/tls_obfuscated_heur_enabled/result/tls_obfuscated_heur__shadowsocks-tcp.pcapng.out @@ -0,0 +1,41 @@ +DPI Packets (TCP): 27 (9.00 pkts/flow) +DPI Packets (UDP): 3 (3.00 pkts/flow) +Confidence DPI : 3 (flows) +Confidence DPI (aggressive) : 1 (flows) +Num dissector calls: 408 (102.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/3/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 1/3/0 (insert/search/found) +Automa host: 4/4 (search/found) +Automa domain: 4/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 1/0 (search/found) +Automa common alpns: 2/2 (search/found) +Patricia risk mask: 2/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 1/0 (search/found) +Patricia protocols: 6/0 (search/found) +Patricia protocols IPv6: 1/1 (search/found) + +TLS 25 22923 1 +YouTube 45 36920 2 +SOCKS 30 21330 1 + +Safe 25 22923 1 +Acceptable 30 21330 1 +Fun 45 36920 2 + +JA3 Host Stats: + IP Address # JA3C + 1 2001:b07:a3d:c112:8628:88aa:8b00:913c 1 + + + 1 TCP [2001:b07:a3d:c112:8628:88aa:8b00:913c]:45334 <-> [2a00:1450:4002:416::200e]:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 126/Google, Confidence: IP address][DPI packets: 6][cat: Media/1][20 pkts/2589 bytes <-> 21 pkts/33559 bytes][Goodput ratio: 32/94][0.12 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.857 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/6 46/49 14/13][Pkt Len c2s/s2c min/avg/max/stddev: 88/88 129/1598 605/6128 124/1604][TLSv1.3][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 9,0,0,0,0,0,4,0,4,0,0,0,0,0,0,0,4,4,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,56,0,0,0,0,0,0,0,0,0,13] + 2 TCP 127.0.0.1:40164 <-> 127.0.0.1:1234 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 15][cat: Web/5][14 pkts/2036 bytes <-> 11 pkts/20887 bytes][Goodput ratio: 53/96][0.17 sec][bytes ratio: -0.822 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/21 52/52 19/20][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 145/1899 704/7496 163/2354][Risk: ** Known Proto on Non Std Port **** Obfuscated Traffic **][Risk Score: 150][Risk Info: Obfuscated TLS traffic][Plen Bins: 0,0,15,7,15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,7,0,0,0,0,0,0,0,23] + 3 TCP 127.0.0.1:44424 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][18 pkts/2079 bytes <-> 12 pkts/19251 bytes][Goodput ratio: 41/96][0.15 sec][bytes ratio: -0.805 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/7 46/50 16/15][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 116/1604 585/9955 117/2915][PLAIN TEXT (www.youtube.com)][Plen Bins: 37,24,5,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,5,0,0,0,0,0,0,0,11] + 4 UDP 127.0.0.1:41182 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/596 bytes][Goodput ratio: 50/85][0.00 sec][Hostname/SNI: www.youtube.com][216.58.204.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/tls_obfuscated_heur_enabled/result/tls_obfuscated_heur__trojan-tcp-tls.pcapng.out b/tests/cfgs/tls_obfuscated_heur_enabled/result/tls_obfuscated_heur__trojan-tcp-tls.pcapng.out new file mode 100644 index 000000000000..689acf8ab2bf --- /dev/null +++ b/tests/cfgs/tls_obfuscated_heur_enabled/result/tls_obfuscated_heur__trojan-tcp-tls.pcapng.out @@ -0,0 +1,49 @@ +DPI Packets (TCP): 35 (11.67 pkts/flow) +DPI Packets (UDP): 15 (2.14 pkts/flow) +Confidence DPI : 9 (flows) +Confidence DPI (aggressive) : 1 (flows) +Num dissector calls: 167 (16.70 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/2/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 3/3/1 (insert/search/found) +Automa host: 17/8 (search/found) +Automa domain: 17/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 7/0 (search/found) +Automa common alpns: 4/4 (search/found) +Patricia risk mask: 14/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 19/1 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +DNS 8 680 4 +TLS 25 11617 1 +YouTube 40 17498 4 +SOCKS 27 9979 1 + +Safe 25 11617 1 +Acceptable 35 10659 5 +Fun 40 17498 4 + +JA3 Host Stats: + IP Address # JA3C + 1 127.0.0.1 1 + 2 192.168.1.183 1 + + + 1 TCP 192.168.1.183:58730 <-> 142.250.180.142:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 124/YouTube, Confidence: DNS][DPI packets: 6][cat: Media/1][17 pkts/1985 bytes <-> 15 pkts/13936 bytes][Goodput ratio: 41/93][0.11 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.751 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5/9 31/70 9/20][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 117/929 585/1468 126/632][TLSv1.3][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 18,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,51,0,0,0,0] + 2 TCP 127.0.0.1:41796 <-> 127.0.0.1:1234 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 23][cat: Web/5][13 pkts/2233 bytes <-> 12 pkts/9384 bytes][Goodput ratio: 60/91][0.14 sec][Hostname/SNI: test.lan][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.616 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/6 46/30 15/11][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 172/782 675/2138 165/744][Risk: ** Known Proto on Non Std Port **** Obfuscated Traffic **][Risk Score: 150][Risk Info: Obfuscated TLS-in-TLS traffic][TLSv1.3][JA3C: 7a15285d4efc355608b304698cd7f9ab][JA4: t13d1911h2_9dc949149365_e7c285222651][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,13,13,6,6,0,0,0,6,0,0,0,0,0,6,0,0,0,6,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,6,0,6,0,0,0,0,0,0,0,0,0,13] + 3 TCP 127.0.0.1:60654 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][17 pkts/1999 bytes <-> 10 pkts/7980 bytes][Goodput ratio: 42/91][0.19 sec][bytes ratio: -0.599 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/7 46/43 16/15][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 118/798 585/4164 119/1276][PLAIN TEXT (www.youtube.com)][Plen Bins: 37,25,6,0,0,0,0,0,0,0,0,0,0,0,6,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12] + 4 UDP 127.0.0.1:52786 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/468 bytes][Goodput ratio: 50/81][0.03 sec][Hostname/SNI: www.youtube.com][142.250.180.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 UDP 192.168.1.183:46451 <-> 192.168.1.253:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/413 bytes][Goodput ratio: 49/89][0.03 sec][Hostname/SNI: www.youtube.com][142.250.180.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 UDP 192.168.1.183:54260 <-> 192.168.1.253:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/344 bytes][Goodput ratio: 49/87][0.03 sec][Hostname/SNI: www.youtube.com][2a00:1450:4002:411::200e][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 UDP 127.0.0.1:53154 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 8 UDP 192.168.1.183:39434 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 9 UDP 127.0.0.1:56496 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][0.00 sec][Hostname/SNI: test.lan][::][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 10 UDP 192.168.1.183:38613 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][< 1 sec][Hostname/SNI: test.lan][::][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/tls_obfuscated_heur_enabled/result/tls_obfuscated_heur__vmess-tcp-tls.pcapng.out b/tests/cfgs/tls_obfuscated_heur_enabled/result/tls_obfuscated_heur__vmess-tcp-tls.pcapng.out new file mode 100644 index 000000000000..bbf0c5bd0cad --- /dev/null +++ b/tests/cfgs/tls_obfuscated_heur_enabled/result/tls_obfuscated_heur__vmess-tcp-tls.pcapng.out @@ -0,0 +1,49 @@ +DPI Packets (TCP): 36 (12.00 pkts/flow) +DPI Packets (UDP): 15 (2.14 pkts/flow) +Confidence DPI : 9 (flows) +Confidence DPI (aggressive) : 1 (flows) +Num dissector calls: 167 (16.70 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/2/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 3/3/1 (insert/search/found) +Automa host: 17/8 (search/found) +Automa domain: 17/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 7/0 (search/found) +Automa common alpns: 4/4 (search/found) +Patricia risk mask: 14/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 19/1 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +DNS 8 680 4 +TLS 30 14152 1 +YouTube 34 22317 4 +SOCKS 28 10046 1 + +Safe 30 14152 1 +Acceptable 36 10726 5 +Fun 34 22317 4 + +JA3 Host Stats: + IP Address # JA3C + 1 127.0.0.1 1 + 2 192.168.1.183 1 + + + 1 TCP 192.168.1.183:58612 <-> 216.58.204.142:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 124/YouTube, Confidence: DNS][DPI packets: 6][cat: Media/1][11 pkts/1577 bytes <-> 15 pkts/19414 bytes][Goodput ratio: 52/95][0.10 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.850 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 12/8 74/66 24/18][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 143/1294 585/6668 151/1565][TLSv1.3][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 12,6,6,0,0,0,6,0,0,0,0,0,0,0,0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,44,0,0,0,6] + 2 TCP 127.0.0.1:57874 <-> 127.0.0.1:1234 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 24][cat: Web/5][16 pkts/2501 bytes <-> 14 pkts/11651 bytes][Goodput ratio: 56/92][0.16 sec][Hostname/SNI: test.lan][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.647 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10/12 40/74 14/22][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 156/832 731/2138 166/797][Risk: ** Known Proto on Non Std Port **** Obfuscated Traffic **][Risk Score: 150][Risk Info: Obfuscated TLS-in-TLS traffic][TLSv1.3][JA3C: 7a15285d4efc355608b304698cd7f9ab][JA4: t13d1911h2_9dc949149365_e7c285222651][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 5,12,12,5,5,0,0,0,5,0,0,0,0,0,0,0,5,0,0,0,5,5,0,0,0,0,0,5,0,0,0,0,0,0,0,5,0,5,0,0,0,0,0,0,0,0,0,19] + 3 TCP 127.0.0.1:40136 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][17 pkts/1999 bytes <-> 11 pkts/8047 bytes][Goodput ratio: 42/91][0.14 sec][bytes ratio: -0.602 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/1 40/4 14/2][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 118/732 585/2612 119/967][PLAIN TEXT (www.youtube.com)][Plen Bins: 37,25,6,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18] + 4 UDP 127.0.0.1:46548 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/484 bytes][Goodput ratio: 50/82][0.00 sec][Hostname/SNI: www.youtube.com][216.58.204.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 UDP 192.168.1.183:49817 <-> 192.168.1.253:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/253 bytes][Goodput ratio: 49/82][0.00 sec][Hostname/SNI: www.youtube.com][216.58.204.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 UDP 192.168.1.183:41933 <-> 192.168.1.253:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/237 bytes][Goodput ratio: 49/81][0.00 sec][Hostname/SNI: www.youtube.com][2a00:1450:4002:410::200e][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 UDP 127.0.0.1:45262 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 8 UDP 192.168.1.183:42485 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 9 UDP 127.0.0.1:50125 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][0.00 sec][Hostname/SNI: test.lan][::][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 10 UDP 192.168.1.183:58009 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][< 1 sec][Hostname/SNI: test.lan][::][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/tls_obfuscated_heur_enabled/result/tls_obfuscated_heur__vmess-tcp.pcapng.out b/tests/cfgs/tls_obfuscated_heur_enabled/result/tls_obfuscated_heur__vmess-tcp.pcapng.out new file mode 100644 index 000000000000..36c68d4c40b3 --- /dev/null +++ b/tests/cfgs/tls_obfuscated_heur_enabled/result/tls_obfuscated_heur__vmess-tcp.pcapng.out @@ -0,0 +1,41 @@ +DPI Packets (TCP): 35 (11.67 pkts/flow) +DPI Packets (UDP): 3 (3.00 pkts/flow) +Confidence DPI : 3 (flows) +Confidence DPI (aggressive) : 1 (flows) +Num dissector calls: 421 (105.25 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/3/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 1/3/0 (insert/search/found) +Automa host: 4/4 (search/found) +Automa domain: 4/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 1/0 (search/found) +Automa common alpns: 2/2 (search/found) +Patricia risk mask: 2/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 1/0 (search/found) +Patricia protocols: 6/0 (search/found) +Patricia protocols IPv6: 1/1 (search/found) + +TLS 29 22543 1 +YouTube 41 25855 2 +SOCKS 30 21345 1 + +Safe 29 22543 1 +Acceptable 30 21345 1 +Fun 41 25855 2 + +JA3 Host Stats: + IP Address # JA3C + 1 2001:b07:a3d:c112:8628:88aa:8b00:913c 1 + + + 1 TCP [2001:b07:a3d:c112:8628:88aa:8b00:913c]:48302 <-> [2a00:1450:4006:80d::200e]:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 126/Google, Confidence: IP address][DPI packets: 8][cat: Media/1][19 pkts/2517 bytes <-> 18 pkts/22438 bytes][Goodput ratio: 33/93][2.20 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.798 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 146/10 1024/77 344/20][Pkt Len c2s/s2c min/avg/max/stddev: 88/88 132/1247 605/2504 117/854][TLSv1.3][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 10,5,5,0,5,0,0,5,0,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,30,0,5,0,0,0,0,0,0,0,25] + 2 TCP 127.0.0.1:40818 <-> 127.0.0.1:1234 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 21][cat: Web/5][13 pkts/2126 bytes <-> 16 pkts/20417 bytes][Goodput ratio: 58/95][2.27 sec][bytes ratio: -0.811 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 225/171 2079/2079 619/551][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 164/1276 749/4794 178/1603][Risk: ** Known Proto on Non Std Port **** Obfuscated Traffic **][Risk Score: 150][Risk Info: Obfuscated TLS traffic][Plen Bins: 0,0,6,20,13,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,6,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,34] + 3 TCP 127.0.0.1:37218 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][15 pkts/1875 bytes <-> 15 pkts/19470 bytes][Goodput ratio: 45/95][2.27 sec][bytes ratio: -0.824 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 185/178 2080/2039 572/561][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 125/1298 585/7183 125/2425][PLAIN TEXT (www.youtube.com)][Plen Bins: 34,26,6,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20] + 4 UDP 127.0.0.1:35957 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/724 bytes][Goodput ratio: 50/88][0.00 sec][Hostname/SNI: www.youtube.com][172.217.18.46][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/tls_obfuscated_heur_enabled/result/tls_obfuscated_heur__vmess-websocket.pcapng.out b/tests/cfgs/tls_obfuscated_heur_enabled/result/tls_obfuscated_heur__vmess-websocket.pcapng.out new file mode 100644 index 000000000000..e93257b15bd5 --- /dev/null +++ b/tests/cfgs/tls_obfuscated_heur_enabled/result/tls_obfuscated_heur__vmess-websocket.pcapng.out @@ -0,0 +1,40 @@ +DPI Packets (TCP): 31 (10.33 pkts/flow) +DPI Packets (UDP): 2 (2.00 pkts/flow) +Confidence DPI : 3 (flows) +Confidence DPI (aggressive) : 1 (flows) +Num dissector calls: 173 (43.25 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 1/3/1 (insert/search/found) +Automa host: 4/3 (search/found) +Automa domain: 4/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 1/0 (search/found) +Automa common alpns: 2/2 (search/found) +Patricia risk mask: 2/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 7/1 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +HTTP 35 22912 1 +YouTube 32 24681 2 +SOCKS 33 21475 1 + +Acceptable 68 44387 2 +Fun 32 24681 2 + +JA3 Host Stats: + IP Address # JA3C + 1 192.168.1.183 1 + + + 1 TCP 192.168.1.183:51390 <-> 142.250.180.142:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 124/YouTube, Confidence: DNS][DPI packets: 6][cat: Media/1][11 pkts/1577 bytes <-> 17 pkts/22332 bytes][Goodput ratio: 52/95][0.14 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.868 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/9 81/74 26/19][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 143/1314 585/6668 160/1472][TLSv1.3][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 18,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,55,0,0,0,5] + 2 TCP 127.0.0.1:33702 <-> 127.0.0.1:1234 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 19][cat: Web/5][19 pkts/2630 bytes <-> 16 pkts/20282 bytes][Goodput ratio: 51/95][0.17 sec][Hostname/SNI: 127.0.0.1][bytes ratio: -0.770 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/7 52/76 16/21][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 138/1268 767/2120 172/862][URL: 127.0.0.1:1234/][StatusCode: 101][User-Agent: Go-http-client/1.1][Risk: ** Known Proto on Non Std Port **** HTTP/TLS/QUIC Numeric Hostname/SNI **** Obfuscated Traffic **][Risk Score: 160][Risk Info: Found host 127.0.0.1 / Obfuscated TLS-in-HTTP-WebSocket traffic][PLAIN TEXT (GET / HTTP/1.1)][Plen Bins: 0,0,11,0,5,5,0,0,0,0,0,5,0,0,5,0,0,0,0,0,5,11,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,45] + 3 TCP 127.0.0.1:44532 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][20 pkts/2203 bytes <-> 13 pkts/19272 bytes][Goodput ratio: 38/95][0.17 sec][bytes ratio: -0.795 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10/10 44/82 16/26][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 110/1482 585/4000 112/1624][PLAIN TEXT (www.youtube.com)][Plen Bins: 31,21,5,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26] + 4 UDP 127.0.0.1:39646 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/596 bytes][Goodput ratio: 50/85][0.00 sec][Hostname/SNI: www.youtube.com][142.250.180.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/wireshark/ndpi.lua b/wireshark/ndpi.lua index 9c80666bcfa4..41424ead2a6c 100644 --- a/wireshark/ndpi.lua +++ b/wireshark/ndpi.lua @@ -118,9 +118,10 @@ flow_risks[52] = ProtoField.bool("ndpi.flow_risk.tls_alpn_sni_mismatch", "ALPN/S flow_risks[53] = ProtoField.bool("ndpi.flow_risk.malware_contact", "Contact with a malware host", num_bits_flow_risks, nil, bit(53), "nDPI Flow Risk: Malware host contacted") flow_risks[54] = ProtoField.bool("ndpi.flow_risk.binary_data_transfer", "Attempt to transfer a binary file", num_bits_flow_risks, nil, bit(54), "nDPI Flow Risk: binary data file transfer") flow_risks[55] = ProtoField.bool("ndpi.flow_risk.probing_attempt", "Probing attempt", num_bits_flow_risks, nil, bit(55), "nDPI Flow Risk: probing attempt") +flow_risks[56] = ProtoField.bool("ndpi.flow_risk.obfuscated_traffic", "Obfuscated traffic", num_bits_flow_risks, nil, bit(56), "nDPI Flow Risk: obfuscated traffic") -- Last one: keep in sync the bitmask when adding new risks!! -flow_risks[64] = ProtoField.new("Unused", "ndpi.flow_risk.unused", ftypes.UINT64, nil, base.HEX, bit(64) - bit(56)) +flow_risks[64] = ProtoField.new("Unused", "ndpi.flow_risk.unused", ftypes.UINT64, nil, base.HEX, bit(64) - bit(57)) for _,v in pairs(flow_risks) do ndpi_fds[#ndpi_fds + 1] = v