From 75f7da5c2670cd8ff169bf8249d3147b055900a1 Mon Sep 17 00:00:00 2001
From: Toni
Date: Mon, 4 Jul 2022 10:34:54 +0200
Subject: [PATCH] Added Psiphon detection patterns. See #566 and #1099. (#1631)

* The traces are not up to date, but this is the best we got so far.

Signed-off-by: Toni Uhlig
---
 src/include/ndpi_protocol_ids.h | 1 +
 src/lib/ndpi_content_match.c.inc | 3 +++
 tests/pcap/psiphon3.pcap | Bin 0 -> 12834 bytes
 tests/result/psiphon3.pcap.out | 13 +++++++++++++
 tests/result/synscan.pcap.out | 4 ++--
 5 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 tests/pcap/psiphon3.pcap
 create mode 100644 tests/result/psiphon3.pcap.out

diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index 858901110fe..dddd2711079 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -331,6 +331,7 @@ typedef enum {
 NDPI_PROTOCOL_CLOUDFLARE_WARP = 300,
 NDPI_PROTOCOL_I3D = 301, /* i3d.net: Game Hosting service */
 NDPI_PROTOCOL_RIOTGAMES = 302,
+ NDPI_PROTOCOL_PSIPHON = 303,
 
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_protocol_ids.h"
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index d989dbf27a3..db535fa81c8 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
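Review bot: `NDPI_PROTOCOL_PSIPHON = 303` carries no note on what the id actually matches, unlike the neighbouring `NDPI_PROTOCOL_I3D` entry, and nothing in this patch tells a reader that Psiphon is recognised only through a hostname table (the `host_match` rows in `ndpi_content_match.c.inc`; the diffstat adds no dissector) and not by parsing its tunnel. A trailing comment in the existing style would set expectations: `NDPI_PROTOCOL_PSIPHON = 303, /* psiphon3.net: circumvention VPN; hostname/SNI match only, tunnel not dissected */`. Worth a line in the commit message as well is the knock-on effect visible in the synscan expected output of this same patch: the new fixed id appears to shift the runtime-assigned custom protocols by one (iSCSI moves from 303 to 304), so anything outside the tree that persisted numeric ids from a previous build has to be regenerated. The enum begins and ends outside this hunk.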
@@ -1697,6 +1697,9 @@ static ndpi_protocol_match host_match[] = {
 { "ocsp.sectigo.com", "OCSP", NDPI_PROTOCOL_OCSP, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
 { "ocsp.quovadisglobal.com", "OCSP", NDPI_PROTOCOL_OCSP, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "psiphon3.net", "Psiphon", NDPI_PROTOCOL_PSIPHON, NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".psiphon3.net", "Psiphon", NDPI_PROTOCOL_PSIPHON, NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+
 
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_content_match_host_match.c.inc"
 #endif
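Review bot: The two `psiphon3.net` rows are the whole detector, and the bundled trace shows how thin that is: the flow reports `Missing SNI TLS Extn` and lists `psiphon3.net,*.psiphon3.net` on a shared `sni.cloudflaressl.com` Cloudflare certificate, so the label appears to have come from the server certificate's names on a Cloudflare-fronted web connection to the project's domain, not from the obfuscated tunnel a Psiphon client brings up afterwards. A consumer that reads `Psiphon` as "circumvention tunnel present" will therefore miss the traffic that matters, and the commit message itself concedes the traces are stale. I would put that limit next to the rows so nobody reads more into the label: `/* Psiphon: matches only the psiphon3.net web/download domain (SNI or certificate SAN); the tunnel transport is not dissected, see #566/#1099 */`. The third `+` line seems to add a second blank line in front of `#ifdef CUSTOM_NDPI_PROTOCOLS`, which the table did not have and can be dropped. The `host_match[]` array starts and ends outside this hunk.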
diff --git a/tests/pcap/psiphon3.pcap b/tests/pcap/psiphon3.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a0ebc9ae4adae1e3195f7d21b1d1b2e3d6fdecc7 GIT binary patch literal 12834 zcmeHN2|QG7+dngBW-#`hvP`yYamJdWFa|9|38hH(vJVkO6pE5$iPC7%rj<&PHA|0> zgtVaOQK&HWs0iPEMym1jykB46^ZdT|{eBMj&zy7a|Fz%Oecjh+zMXdr3*n%tYhnU| z+`vspHhDwpGYq5;KBI#Q{?OwMAw$Ar>#{SDho?Y#$x$Cnk+B*qgkrO?6BD?P5QN3y zui~)mL`d?;QS>>vL=T0wGHNDI(L2apT=F@*F9+h3qEp|W9$j{0>*JIn!rHd zBN61ehJi zj%O#}FnA0BgN3me)V9BB7XhvR-*&0r$Qmz&gCTP)1ew6_2J$XjiAdh~hs*YkK->;Vo!O)N zWMX*lsdaAeD6bh9h00VQNa9-{eIGh_2nL}8h_RpKgxIqo_ACfjjYQ)r!0^llae~G2 zaVfU*NH6v`3a;Dgt-*a$8X*$cm1E5t3~(?OSxV+aI0*1+96=DfdKFn55k+r^f_xNj zzhGB)Z|6WaRnih)7d0{okwRa=f}-DEp>If33WY>5nx~0KiE?Wo$b3W(VP0#&Eg8Kf zgQp0x7V%-_^@TCJAeLf87D0qi>TH7CtDJpFrh(4BE?zVjzkel=6e2MxkTA{HOU>o0 zyfm7(nv0(gvIY?(urU?IV!mh$W7uG02&WyHe?M~>{(?ZxxJ!j?ny)+K_7jCu83ewV za~wLu9UU)f^^7W7wk{BehupYRuQaq~GIGl9ZHRPLnzj4Ra#VFdHHb1dx=) zi6J68gmM~m`}!{j^Q3s}zDgZ=B*zz*CXGm<6L@eUIHA;Zz1|6rD$(97hy5?A_NN`^ zExC#;LSOUabP?_7A1e{f2b2}E?WwX-#2$!N}5pswx`=&h;d>gD0(;uaW$8c+S3 zkAaJUhfxQsfoXpRYW*Z|Im(=bqaqYUm%y1S$~?h!heM zGL5j+DukUt@QC69L5*yg!hp?Y6XJ=;P2D4ySg|i!`MJ>iS!f`JUuR)swWf4;MwO*KV+5(;nPtx&}cw7&1esSQ6(AZYwi~EEA8N;yM-f2%*rn zvzbKf&iPFtN%w-FZ#Z@ibf~Z-^OL8JGJa9!-Pf~=EzZ%S+w0Euo?IJr(tSex-~lKY zTKANaJl>N_HM!!L*=*axr#sp*V)pbHEhW#fXSjx^_6y%9OunXw36>E(M7QbgXH{doQ%{t z(Xvos6YTd11vZCJWh9D2_0$6Hq--H{y5Fh!R!mmH$A;_GouxpTG2+@w z7@Ay}FPBuMZ!#>hUC?vcngqLrYtBbi`@RY`h2Z;OjnyO3*lS-B8BsUR)zRtdUKz`= z*>8ln^bu|X2Uy>+AGk3XPCSIH{Vu;Op^^m(_64*X3?Z)o;hhv=fmljzJIGa}fMr)Q^@$9WcgLl4lfcmDl%kdl`4+1xy zJpAxPG{zGIyX$xP?1$;@`+WF&)*2+*%)ajY2)m6=Z1{p}IEz8ngoTOy?-G{4*VV?3 z5Wu1XH4~yWwT8jUS40$ka^){TDM{lr5i+8lJuh1&R%vSa|0(sY@bUEu1U}b5G_;v1 z&j-blaPElfuV*gKZz&J^HH~4ue){$do)*<`GzJ6VdjFn$ury4fOt(8`iSUTZ^B_Gj z-h#*Pj@#L9SW%al0(~|O*CH>nFpG{_aQFS5^*jR>+`dONbFUy&svIHZZ=i`viWI|enKzk*gvfm{&e3qz8m&%2Z^yCWyZ zAJaYRLWRul7AAE?FFnd^A6 zcXPb!I9rJAJBTI8&${*6PA#v@LGlPOWZ{}*>a&Lx_nn*`^GQJE`&VyDK-uDWKp{T0 
z@@J~NnJRCl%KKO4;Y^h`Q|0~VS9xw(GgTh*)H+k;{g2M4GgaPydX;AZy7Vl)=6%dw z^TugCVK6ev%)G zivblaIzUf6hQ6OEC;US>#h`*qdXv3Mc|Hi5Lt4tVaX8?PyadP1+oP)0FZ>hD4u`CU zxg#IG)ZKx{zjqY^1v3VNmd&UQnOA++5xS1?^O3~D*Ed!8&%b@%?4WrfLV2~WeMZ2? z=C!xc(psqb-%u!L?4%Y`-#RcFnO$UQ)|37rZDTduEVPS!;L)TV5Q}aPepSq26tve`*eDobZ9h6Fmw%;b@gi(mL?iT<0zWnwPClvK}FcXIDw)=brHYWaqEV< z&O*ZnwVV$KHgtfP_F*(JE!W0sxeQ&Vr-0>@r6EWZ#Hb-NKtV@r?TRbqne+Nr8Su1d z-qv}mxMje8qSA>g=Ysayq09##QoTkty}cXQldSvXB6rE#16i{u53tXJmuXHhpK;st zRsS*}T_G4r4kYaYbS>d?s823B`*68Ihub+?|oDt0Fxi) zhy28#; z9bCKlh0^is?oKuB4ldNyuJBSxikCYUsa~7OCLC-iuOf>oGygdZ9RukG z9U$c#qbH+6wY``oR0z`uKq$d@rcjumFG6AcCB5y`*@7;K73?VAA*T>v9_POB+b0s3)e;&7)Fk09jdeoSE`_>TO`*}AW>`O5*6~<+7-NwJK(lJdvw*dl#0z&K8IUh^!tf9H4NPEEM*+KUleXLF4~KmYb##fQ@S7} z&eBL*&!G4%>}du5> zx(qQzob=V7AP>RKeN^iSEpPqmwmb|pFtBvcG{AH%4>?o`j0LYkX#3b>GvefEA>PdW2YQu35<^pkm)Sx2boc%!|E{n z;FQA-U7w7iIbR$Ghi{cQC}NW{6n?f}KW&4Ps?qInOO8uP>i4Foi-Fw)9aIP>Mo&Sh zw{B*oP7s-*E~L(+4)=edj{80R%#%}2m&0V#?T3myOF3gw>#URK`h8feOHahN+M5-h zKMS5-~s@rvioys=OEQ@g~a zoG(5J+c@-jp}S*Qyx-{;8TrEg>gom;;OtlZd^a6kUIs0%y<-;`w%!+U&y(rbzjezq zI`d6;mhAWl7yfX&>47#qo_Rh`*sdm3+;j1Xc|7#Yv^8fWTsZGl=PVn4J-228+v3^+ zLex>l;F4C2)7Q1{>b_wQQ(fqOcagsYNj4h13UE&dvEnWqa9VGfEg`+wuP)C>BC75B@l?97Q;ueLcGIwd zoHFvP$3D#o=A+f30-o^Y||KG zGh2uzsx*gvANEFO228@8_qM$05qjFWHcxRuj|}&tfZ92Yq$CpozdshfiRE$};3arD z>>|i&T{x4p{ECd*fJ<$O@m-s^1b6$cH2OumGu}8uenELYb1iGXo{wUCd7M_x8u1NGPr7%Du}E)Be&SuNID6`|8skf^ zRwP842J12mpJ}vb@=1mns&LEUTw{gC+3DL3S;>^1oZr9T z<@KXn=>HCTnauAqd)a@~UdG-FGxxE7W-n_Vgqi!;%w9ILm(A>DGke)z?PVF_ zIF^1N;{mhFGp*~Au?_SNLeMTxlJ?{|@PC8*zJg~oGkX<(OzTxl@&mn!#T3>G9=qh~ z)zVZWuJJ9D?n6q8o4tA+Z?68d@mxg|x-x?jTuujhhRf*J}PppIHePh;w*{zLu1@!R^)WGu*o`RIjri#X`8c)QC7 zduy9SE5bta^Dj4RM|3r0*sHo+F-GG7Sah{9L7F$MZ1$r!H)NJik!5L;A7YZVn?`m8lPo_}yr*c=P=2xhw8FOW z|A@ki61iBi1pOx!rsuQb7!R2dCH8}eLYNV?YSK`<3w{mfS2PXR#^fjZ1AZ%*{J{V8 zqYkw%orZhF#EJY6#}6W3^Dl6ZnKLDd)z9X}F)1b5#>7 nj-J5`Slej 104.18.151.190:443 [proto: 91.301/TLS.Psiphon][Encrypted][Confidence: DPI][cat: VPN/2][32 pkts/5020 bytes <-> 30 
pkts/6798 bytes][Goodput ratio: 74/82][0.72 sec][ALPN: h2;http/1.1][bytes ratio: -0.150 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 24/4 501/41 98/9][Pkt Len c2s/s2c min/avg/max/stddev: 40/40 157/227 1048/1500 249/417][Risk: ** Missing SNI TLS Extn **][Risk Score: 50][Risk Info: No client to server traffic][TLSv1.2][JA3C: 2d703033628575a99d44820c43b84876][ServerNames: sni.cloudflaressl.com,psiphon3.net,*.psiphon3.net][JA3S: eca9b8f0f3eae50309eaf901cb822d9b][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: 49:30:DE:8F:B7:AF:C3:76:40:09:44:15:B4:6B:D9:8F:BE:0C:6B:0C][Firefox][Validity: 2020-08-09 00:00:00 - 2021-08-09 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 7,24,24,0,0,7,0,0,7,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,7,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0] diff --git a/tests/result/synscan.pcap.out b/tests/result/synscan.pcap.out index 0a43b4fac24..9b4fe141ec2 100644 --- a/tests/result/synscan.pcap.out +++ b/tests/result/synscan.pcap.out 
@@ -103,7 +103,7 @@ iSCSI 2 116 2 43 TCP 172.16.0.8:36050 -> 64.13.134.52:2605 [proto: 13/BGP][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 44 TCP 172.16.0.8:36050 -> 64.13.134.52:3000 [proto: 26/ntop][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 45 TCP 172.16.0.8:36050 -> 64.13.134.52:3128 [proto: 131/HTTP_Proxy][ClearText][Confidence: Match by port][cat: Web/5][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 46 TCP 172.16.0.8:36050 -> 64.13.134.52:3260 [proto: 303/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 46 TCP 172.16.0.8:36050 -> 64.13.134.52:3260 [proto: 304/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 47 TCP 172.16.0.8:36050 -> 64.13.134.52:3306 [proto: 20/MySQL][ClearText][Confidence: 
Match by port][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 48 TCP 172.16.0.8:36050 -> 64.13.134.52:3389 [proto: 88/RDP][ClearText][Confidence: Match by port][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No client to server traffic / Found RDP][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 49 TCP 172.16.0.8:36050 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 
@@ -164,7 +164,7 @@ iSCSI 2 116 2 104 TCP 172.16.0.8:36051 -> 64.13.134.52:2605 [proto: 13/BGP][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 105 TCP 172.16.0.8:36051 -> 64.13.134.52:3000 [proto: 26/ntop][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 106 TCP 172.16.0.8:36051 -> 64.13.134.52:3128 [proto: 131/HTTP_Proxy][ClearText][Confidence: Match by port][cat: Web/5][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 107 TCP 172.16.0.8:36051 -> 64.13.134.52:3260 [proto: 303/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 107 TCP 172.16.0.8:36051 -> 64.13.134.52:3260 [proto: 304/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 108 TCP 172.16.0.8:36051 -> 64.13.134.52:3306 [proto: 
20/MySQL][ClearText][Confidence: Match by port][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 109 TCP 172.16.0.8:36051 -> 64.13.134.52:3389 [proto: 88/RDP][ClearText][Confidence: Match by port][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No client to server traffic / Found RDP][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 110 TCP 172.16.0.8:36051 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]