diff --git a/example/reader_util.c b/example/reader_util.c
index 800305b456a..c50c3281f80 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -1140,7 +1140,16 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
 ndpi_snprintf(flow->http.content_type, sizeof(flow->http.content_type), "%s", flow->ndpi_flow->http.content_type ? flow->ndpi_flow->http.content_type : "");
 ndpi_snprintf(flow->http.request_content_type, sizeof(flow->http.request_content_type), "%s", flow->ndpi_flow->http.request_content_type ? flow->ndpi_flow->http.request_content_type : "");
 }
- } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_TELNET)) {
+ }
+ /* COLLECTD */
+ else if(is_ndpi_proto(flow, NDPI_PROTOCOL_COLLECTD)) {
+ flow->info_type = INFO_GENERIC;
+ if(flow->ndpi_flow->protos.collectd.client_username[0] != '\0')
+ ndpi_snprintf(flow->info, sizeof(flow->info), "Username: %s",
+ flow->ndpi_flow->protos.collectd.client_username);
+ }
+ /* TELNET */
+ else if(is_ndpi_proto(flow, NDPI_PROTOCOL_TELNET)) {
 if(flow->ndpi_flow->protos.telnet.username[0] != '\0')
 flow->telnet.username = ndpi_strdup(flow->ndpi_flow->protos.telnet.username);
 if(flow->ndpi_flow->protos.telnet.password[0] != '\0')
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index 2d2eeae30f2..c8812915b05 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -326,6 +326,7 @@ typedef enum {
 NDPI_PROTOCOL_1KXUN = 295,
 NDPI_PROTOCOL_IP_PGM = 296,
 NDPI_PROTOCOL_IP_PIM = 297,
+ NDPI_PROTOCOL_COLLECTD = 298,
 
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_protocol_ids.h"
diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h
index a0a8bfc40f2..25395c1fa11 100644
--- a/src/include/ndpi_protocols.h
+++ b/src/include/ndpi_protocols.h
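Review bot: The `Username: %s` written into `flow->info` here is built from `protos.collectd.client_username`, which the dissector added in this commit fills with a raw `memcpy` of packet bytes (only the length is bounded), so control or otherwise non-printable characters from the wire reach ndpiReader's output unfiltered. Guard the copy into `flow->info` with a printability check on the username — this tree's `ndpi_is_printable_buffer()` if it is available, otherwise a plain byte loop — and skip the field when the check fails; the TELNET branch below has the same exposure but is not new in this change. The `ndpi_snprintf` itself is bounded by `sizeof(flow->info)`, so this is an output-hygiene issue rather than an overflow. `process_ndpi_collected_info` starts and ends outside the hunk.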
@@ -228,6 +228,7 @@ void init_xiaomi_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
 void init_mpegdash_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_rsh_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_ipsec_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
+void init_collectd_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 
 /* ndpi_main.c */
 extern u_int32_t ndpi_ip_port_hash_funct(u_int32_t ip, u_int16_t port);
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 2f47a28b507..493fae6fba1 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1191,7 +1191,7 @@ struct ndpi_flow_struct {
 char flow_extra_info[16];
 
 /* General purpose field used to save mainly hostname/SNI information.
- * In details it used for: DNS, SSDP and NETBIOS name, HTTP and DHCP hostname,
+ * In details it used for: COLLECTD, DNS, SSDP and NETBIOS name, HTTP and DHCP hostname,
 * WHOIS request, TLS/QUIC server name, XIAOMI domain and STUN realm.
 *
 * Please, think *very* hard before increasing its size!
@@ -1297,6 +1297,10 @@ struct ndpi_flow_struct {
 char command[48];
 } rsh;
 
+ struct {
+ char client_username[32];
+ } collectd;
+
 struct {
 char version[32];
 } ubntac2;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 83a0cb7ab70..182ad45e5e2 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
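Review bot: The new `client_username[32]` field carries no comment on its contract, yet the dissector in this commit NUL-terminates it and silently truncates longer names to 31 bytes, and reader_util.c prints it with `%s`, so the termination guarantee is something every consumer relies on. Add `char client_username[32]; /* NUL-terminated; longer names are truncated by the dissector */` so readers of the struct do not have to find that in collectd.c. `struct ndpi_flow_struct` starts and ends outside the hunk.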
@@ -1916,9 +1916,13 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
 ndpi_build_default_ports(ports_a, 514, 0, 0, 0, 0) /* TCP */,
 ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
 ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IP_PIM,
- "IP_PIM", NDPI_PROTOCOL_CATEGORY_NETWORK,
- ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ "IP_PIM", NDPI_PROTOCOL_CATEGORY_NETWORK,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_COLLECTD,
+ "collectd", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 25826, 0, 0, 0, 0) /* UDP */);
 
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_main.c"
@@ -4424,6 +4428,9 @@ static int ndpi_callback_init(struct ndpi_detection_module_struct *ndpi_str) {
 /* IPsec */
 init_ipsec_dissector(ndpi_str, &a, detection_bitmask);
 
+ /* collectd */
+ init_collectd_dissector(ndpi_str, &a, detection_bitmask);
+
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_main_init.c"
 #endif
diff --git a/src/lib/protocols/collectd.c b/src/lib/protocols/collectd.c
new file mode 100644
index 00000000000..a97f8e2870f
--- /dev/null
+++ b/src/lib/protocols/collectd.c
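Review bot: `NDPI_PROTOCOL_COLLECTD` is registered with `1 /* cleartext */` although the new dissector explicitly recognises the AES-256 encrypted variant (`COLELCTD_TYPE_ENCR_AES256` in collectd.c), so encrypted collectd traffic would be reported as `[ClearText]` — the collectd.pcap.out added by this commit shows that flag on every flow. If the flag can only be given per protocol here, a short comment on this line such as `/* cleartext by default; collectd may also be signed or AES-256 encrypted on the wire */` would stop the next reader from taking it at face value; if the library offers a per-flow override, the dissector's encrypted branch is the place to apply it. `ndpi_init_protocol_defaults` starts and ends outside the hunk.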
@@ -0,0 +1,209 @@
+/*
+ * collectd.c
+ *
+ * Copyright (C) 2022 - ntop.org
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see .
+ *
+ */
+
+
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_COLLECTD
+
+#include "ndpi_api.h"
+
+#define COLLECTD_MIN_BLOCKS_REQUIRED 3
+#define COLLECTD_MAX_BLOCKS_TO_DISSECT 5
+
+#define COLLECTD_ENCR_AES256_MIN_BLOCK_SIZE 6
+#define COLLECTD_ENCR_AES256_IV_SIZE 16
+
+enum collectd_type {
+ COLLECTD_TYPE_HOST = 0x0000,
+ COLLECTD_TYPE_TIME = 0x0001,
+ COLLECTD_TYPE_TIME_HR = 0x0008,
+ COLLECTD_TYPE_PLUGIN = 0x0002,
+ COLLECTD_TYPE_PLUGIN_INSTANCE = 0x0003,
+ COLLECTD_TYPE_TYPE = 0x0004,
+ COLLECTD_TYPE_TYPE_INSTANCE = 0x0005,
+ COLLECTD_TYPE_VALUES = 0x0006,
+ COLLECTD_TYPE_INTERVAL = 0x0007,
+ COLLECTD_TYPE_INTERVAL_HR = 0x0009,
+ COLLECTD_TYPE_MESSAGE = 0x0100,
+ COLLECTD_TYPE_SEVERITY = 0x0101,
+ COLLECTD_TYPE_SIGN_SHA256 = 0x0200,
+ COLELCTD_TYPE_ENCR_AES256 = 0x0210,
+};
+
+static u_int16_t const collectd_types[] = {
+ COLLECTD_TYPE_HOST, COLLECTD_TYPE_TIME, COLLECTD_TYPE_TIME_HR, COLLECTD_TYPE_PLUGIN,
+ COLLECTD_TYPE_PLUGIN_INSTANCE, COLLECTD_TYPE_TYPE, COLLECTD_TYPE_TYPE_INSTANCE,
+ COLLECTD_TYPE_VALUES, COLLECTD_TYPE_INTERVAL, COLLECTD_TYPE_INTERVAL_HR,
+ COLLECTD_TYPE_MESSAGE, COLLECTD_TYPE_SEVERITY, COLLECTD_TYPE_SIGN_SHA256,
+ COLELCTD_TYPE_ENCR_AES256
+};
+static const size_t collectd_types_length = NDPI_ARRAY_LENGTH(collectd_types);
+
+static void ndpi_int_collectd_add_connection(struct ndpi_detection_module_struct * const ndpi_struct,
+ struct ndpi_flow_struct * const flow)
+{
+ NDPI_LOG_INFO(ndpi_struct, "found collectd\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow,
+ NDPI_PROTOCOL_COLLECTD,
+ NDPI_PROTOCOL_UNKNOWN,
+ NDPI_CONFIDENCE_DPI);
+}
+
+static u_int16_t npdi_int_collectd_block_size(struct ndpi_packet_struct const * const packet,
+ u_int16_t const block_offset)
+{
+ if (block_offset + 4 > packet->payload_packet_len)
+ {
+ return 0;
+ }
+
+ u_int16_t next_block = ntohs(get_u_int16_t(packet->payload, block_offset + 2));
+ if (block_offset + next_block > packet->payload_packet_len ||
+ (u_int16_t)(block_offset + next_block) <= block_offset /* possible overflow or next_block is zero */)
+ {
+ return 0;
+ }
+
+ return next_block;
+}
+
+static int ndpi_int_collectd_check_type(u_int16_t block_type)
+{
+ size_t i;
+
+ for (i = 0; i < collectd_types_length; ++i)
+ {
+ if (block_type == collectd_types[i])
+ {
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
+static int ndpi_int_collectd_dissect_hostname(struct ndpi_flow_struct * const flow,
+ struct ndpi_packet_struct const * const packet,
+ u_int16_t block_offset, u_int16_t block_length)
+{
+ return (ndpi_hostname_sni_set(flow, &packet->payload[4], block_length) == NULL);
+}
+
+static int ndpi_int_collectd_dissect_username(struct ndpi_flow_struct * const flow,
+ struct ndpi_packet_struct const * const packet,
+ u_int16_t block_offset)
+{
+ u_int16_t username_length = ntohs(get_u_int16_t(packet->payload, 4));
+
+ if(username_length > packet->payload_packet_len -
+ COLLECTD_ENCR_AES256_MIN_BLOCK_SIZE -
+ COLLECTD_ENCR_AES256_IV_SIZE)
+ {
+ return 1;
+ }
+
+ size_t sz_len = ndpi_min(sizeof(flow->protos.collectd.client_username) - 1, username_length);
+ memcpy(flow->protos.collectd.client_username, &packet->payload[6], sz_len);
+ flow->protos.collectd.client_username[sz_len] = '\0';
+
+ return 0;
+}
+
+void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow)
+{
+ struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
+ u_int16_t num_blocks;
+ u_int16_t block_offset = 0, block_type, block_length;
+ u_int16_t hostname_offset, hostname_length = 0;
+
+ NDPI_LOG_DBG(ndpi_struct, "search collectd\n");
+
+ for (num_blocks = 0; num_blocks < COLLECTD_MAX_BLOCKS_TO_DISSECT;
+ ++num_blocks, block_offset += block_length)
+ {
+ block_length = npdi_int_collectd_block_size(packet, block_offset);
+ if (block_length == 0)
+ {
+ break;
+ }
+
+ block_type = ntohs(get_u_int16_t(packet->payload, block_offset));
+ if (ndpi_int_collectd_check_type(block_type) != 0)
+ {
+ break;
+ } else {
+ if (block_type == COLLECTD_TYPE_HOST)
+ {
+ /*
+ * Dissect the hostname later, when we are sure that it is
+ * the collectd protocol.
+ */
+ hostname_offset = block_offset;
+ hostname_length = block_length;
+ } else if (block_type == COLELCTD_TYPE_ENCR_AES256) {
+ /*
+ * The encrypted data block is a special case.
+ * It is the only dissectable block as everything else in it
+ * is encrypted.
+ */
+ if (block_length != packet->payload_packet_len ||
+ block_length < COLLECTD_ENCR_AES256_MIN_BLOCK_SIZE ||
+ ndpi_int_collectd_dissect_username(flow, packet, block_offset) != 0)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ } else {
+ ndpi_int_collectd_add_connection(ndpi_struct, flow);
+ }
+ return;
+ }
+ }
+ }
+
+ if (num_blocks < COLLECTD_MIN_BLOCKS_REQUIRED)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
+ if (hostname_length > 0 &&
+ ndpi_int_collectd_dissect_hostname(flow, packet, hostname_offset,
+ hostname_length) != 0)
+ {
+ ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid collectd Header");
+ }
+
+ ndpi_int_collectd_add_connection(ndpi_struct, flow);
+}
+
+void init_collectd_dissector(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+{
+ ndpi_set_bitmask_protocol_detection("collectd", ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_COLLECTD,
+ ndpi_search_collectd,
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+ ADD_TO_DETECTION_BITMASK
+ );
+
+ *id += 1;
+}
diff --git a/tests/pcap/collectd.pcap b/tests/pcap/collectd.pcap
new file mode 100644
index 00000000000..5621865c2fe
Binary files /dev/null and b/tests/pcap/collectd.pcap differ
diff --git a/tests/result/collectd.pcap.out b/tests/result/collectd.pcap.out
new file mode 100644
index 00000000000..10f197e3a3f
--- /dev/null
+++ b/tests/result/collectd.pcap.out
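Review bot: `ndpi_int_collectd_dissect_hostname` ignores its `block_offset` parameter and hands `ndpi_hostname_sni_set` the fixed address `&packet->payload[4]` together with the full `block_length`, so the name is read from a fixed position rather than from the host part, the 4-byte type/length header of the following part is folded into it, and the copied range `[4, 4 + block_length)` is not the range that `npdi_int_collectd_block_size` bounds-checked; the call should be `return (ndpi_hostname_sni_set(flow, &packet->payload[block_offset + 4], block_length - 4) == NULL);` (one byte less if the part's terminating NUL is to be excluded — confirm against the wire format). That subtraction is only safe if `npdi_int_collectd_block_size` refuses part lengths shorter than the header itself; it currently accepts 1..3, which also makes the loop advance by less than one header and re-parse overlapping bytes, so tighten its check to `if (next_block < 4 || block_offset + next_block > packet->payload_packet_len)`. The same fixed-offset pattern in `ndpi_int_collectd_dissect_username` (`payload[4]`, `payload[6]`) is safe only because the caller has established `block_length == payload_packet_len`, which forces `block_offset == 0` — that precondition deserves a comment above the function. Separately, `npdi_int_collectd_block_size` and `COLELCTD_TYPE_ENCR_AES256` are misspelled and will be hard to grep for.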
@@ -0,0 +1,16 @@ +Guessed flow protos: 3 + +DPI Packets (UDP): 13 (1.62 pkts/flow) +Confidence Match by port : 3 (flows) +Confidence DPI : 5 (flows) + +collectd 81 109386 8 + + 1 UDP 127.0.0.1:35988 -> 127.0.0.1:25826 [proto: 298/collectd][ClearText][Confidence: DPI][cat: System/18][49 pkts/66012 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][406.49 sec][Hostname/SNI: devlap.fritz.box][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8783/0 10000/0 3188/0][Pkt Len c2s/s2c min/avg/max/stddev: 193/0 1347/0 1388/0 167/0][PLAIN TEXT (devlap.fritz.box)][Plen Bins: 0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,83,10,0,0,0,0,0] + 2 UDP 127.0.0.1:36832 -> 127.0.0.1:25826 [proto: 298/collectd][ClearText][Confidence: DPI][cat: System/18][17 pkts/22755 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][134.67 sec][Hostname/SNI: devlap.fritz.box][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8311/0 10000/0 3518/0][Pkt Len c2s/s2c min/avg/max/stddev: 924/0 1339/0 1384/0 104/0][PLAIN TEXT (devlap.fritz.box)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,5,89,0,0,0,0,0,0] + 3 UDP 192.168.178.35:39576 -> 239.192.74.66:25826 [proto: 298/collectd][ClearText][Confidence: Match by port][cat: System/18][6 pkts/8363 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][708570048.00 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 907/0 839078848/0 4195363456/0 1678142336/0][Pkt Len c2s/s2c min/avg/max/stddev: 1274/0 1394/0 1434/0 54/0][PLAIN TEXT (RmBJSP)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,33,50,0,0,0,0] + 4 UDP 127.0.0.1:54138 -> 127.0.0.1:25826 [proto: 298/collectd][ClearText][Confidence: DPI][cat: System/18][5 pkts/6744 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][33.27 sec][Hostname/SNI: devlap.fritz.box][PLAIN TEXT (devlap.fritz.box)][Plen Bins: 
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,20,40,20,0,0,0,0,0] + 5 UDP 192.168.178.35:39577 -> 239.192.74.66:25826 [proto: 298/collectd][ClearText][Confidence: Match by port][cat: System/18][1 pkts/1408 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] + 6 UDP 127.0.0.1:36064 -> 127.0.0.1:25826 [proto: 298/collectd][ClearText][Confidence: DPI][cat: System/18][1 pkts/1368 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][< 1 sec][Hostname/SNI: devlap.fritz.box][PLAIN TEXT (devlap.fritz.box)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0] + 7 UDP 127.0.0.1:36320 -> 127.0.0.1:25826 [proto: 298/collectd][ClearText][Confidence: Match by port][cat: System/18][1 pkts/1368 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][< 1 sec][PLAIN TEXT (devlap.fritz.box)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0] + 8 UDP 127.0.0.1:36576 -> 127.0.0.1:25826 [proto: 298/collectd][ClearText][Confidence: DPI][cat: System/18][1 pkts/1368 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][< 1 sec][Hostname/SNI: devlap.fritz.box][PLAIN TEXT (devlap.fritz.box)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0] diff --git a/tests/result/synscan.pcap.out b/tests/result/synscan.pcap.out index b0061fcd245..7de10deaa5a 100644 --- a/tests/result/synscan.pcap.out +++ b/tests/result/synscan.pcap.out 
@@ -104,7 +104,7 @@ iSCSI 2 116 2 43 TCP 172.16.0.8:36050 -> 64.13.134.52:2605 [proto: 13/BGP][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 44 TCP 172.16.0.8:36050 -> 64.13.134.52:3000 [proto: 26/ntop][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 45 TCP 172.16.0.8:36050 -> 64.13.134.52:3128 [proto: 131/HTTP_Proxy][ClearText][Confidence: Match by port][cat: Web/5][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 46 TCP 172.16.0.8:36050 -> 64.13.134.52:3260 [proto: 298/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 46 TCP 172.16.0.8:36050 -> 64.13.134.52:3260 [proto: 299/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 47 TCP 172.16.0.8:36050 -> 64.13.134.52:3306 [proto: 20/MySQL][ClearText][Confidence: Match by port][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 48 TCP 172.16.0.8:36050 -> 64.13.134.52:3389 [proto: 88/RDP][ClearText][Confidence: Match by port][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing **][Risk Score: 10][Risk Info: Found 
RDP][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 49 TCP 172.16.0.8:36050 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 
@@ -165,7 +165,7 @@ iSCSI 2 116 2 104 TCP 172.16.0.8:36051 -> 64.13.134.52:2605 [proto: 13/BGP][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 105 TCP 172.16.0.8:36051 -> 64.13.134.52:3000 [proto: 26/ntop][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 106 TCP 172.16.0.8:36051 -> 64.13.134.52:3128 [proto: 131/HTTP_Proxy][ClearText][Confidence: Match by port][cat: Web/5][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 107 TCP 172.16.0.8:36051 -> 64.13.134.52:3260 [proto: 298/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 107 TCP 172.16.0.8:36051 -> 64.13.134.52:3260 [proto: 299/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 108 TCP 172.16.0.8:36051 -> 64.13.134.52:3306 [proto: 20/MySQL][ClearText][Confidence: Match by port][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 109 TCP 172.16.0.8:36051 -> 64.13.134.52:3389 [proto: 88/RDP][ClearText][Confidence: Match by port][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing **][Risk Score: 10][Risk Info: 
Found RDP][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 110 TCP 172.16.0.8:36051 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]