From ca8ac946f48ab853f47b557ae643d36045d7ae95 Mon Sep 17 00:00:00 2001
From: lns <matzeton@googlemail.com>
Date: Sat, 4 Jun 2022 21:03:17 +0200
Subject: [PATCH] Fixed syslog false negatives.

 - RSH vs Syslog may still happen for midstream traffic

Signed-off-by: lns <matzeton@googlemail.com>
---
 src/lib/ndpi_main.c                           |   2 +-
 src/lib/protocols/syslog.c                    |   3 +-
 tests/pcap/syslog.pcap                        | Bin 19356 -> 21927 bytes
 .../result/rsh-syslog-false-positive.pcap.out |   6 +--
 tests/result/syslog.pcap.out                  |  50 +++++++++++-------
 5 files changed, 36 insertions(+), 25 deletions(-)

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 88730350ab0..9be024642a5 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1032,7 +1032,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
 			  ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
   ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SYSLOG,
 			  "Syslog", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS,
-			  ndpi_build_default_ports(ports_a, 514, 0, 0, 0, 0) /* TCP */,
+			  ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
 			  ndpi_build_default_ports(ports_b, 514, 0, 0, 0, 0) /* UDP */);
   ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DHCP,
 			  "DHCP", NDPI_PROTOCOL_CATEGORY_NETWORK,
diff --git a/src/lib/protocols/syslog.c b/src/lib/protocols/syslog.c
index 866e0a0c0c2..1b072de07b2 100644
--- a/src/lib/protocols/syslog.c
+++ b/src/lib/protocols/syslog.c
@@ -73,7 +73,8 @@ void ndpi_search_syslog(struct ndpi_detection_module_struct
         if (ndpi_isalnum(packet->payload[i]) == 0)
         {
             if (packet->payload[i] == ' ' || packet->payload[i] == ':' ||
-                packet->payload[i] == '=')
+                packet->payload[i] == '=' || packet->payload[i] == '[' ||
+                packet->payload[i] == '-')
             {
                 break;
             }
diff --git a/tests/pcap/syslog.pcap b/tests/pcap/syslog.pcap
index 3756ab66746615956e010ec0deb4f8ee422c9066..1e3f28ad6b794cf527c28eb04e4a6463858033de 100644
GIT binary patch
delta 4797
zcmchb4^R_V9>?D<2|N>M<&TyF?%dj<MV7F;Nj4Bu3W!=MQW~YTattB_MHCRIqi3#5
zh2Foa*WPOXsCZiHpB|}IQ^(rrDgK)(R9jmr&Xj9CIa)hf?WlvTciQ{CO>zkde@r`b
zFS88a-@d%h`~Kd)-E4Y=+R;WaT}StBrI8AGiwaR77Q=P%NiEv*>IXDl3gX-gTI5_F
z(nR5=kQi(Ag>WRV9u+UAs#}!+)fj=~%j*4#Sh*EMBaWB5L%Z=Gq55=H2$D0y<K^D4
zCMA%V2!Td?4X=i~4`!)JV+R#+<x3Ek)$y{V*`x$^)1j`$9@lo`m!NumG_W(nH!Gs-
zWe@}v9np=~!QH8zo{hVwRSEnh3_8<u&wfSxsm0y15AN;88=(53r7F@`oczh?W+m`|
z41wCnYxq2S+<NI6RJTVxiz8ExTNmX*pY2iLIl2sQ?l>@~?<44{Bl=B6d~pUuZOmH{
z`pyG$POYHP8c5n2c~5k#TsUTVgb|{(q6)P_v{i|!$F9XkAez)42Ca;3k09cy@59hZ
zsB%)?Gd5P<dfz*E^7yV__pA;>&f3_El%lFSh>8O>1@7H?k*EZ>`t~$YzXCNK?wy)T
z6mvhVs83!6<roiY#qG+H*Z%-MFFx3ee*<E3K8WVTo%mxATqlL(oC(|U84xonXe6s9
zHsQuQl_ghKK(#Fs|E!27R)To+p>6mvw5VheB-x3R=2O@PDrbfYIh!ZNxD+)GxVw|b
zQn&){y|ynDInT4dpztbC6E<mJ_&CU^ZWVq30?CJ<)em)tBUXdp{-Z|kLN?x&&*)<0
z!>K#)8i<BmgiJSbEqEJ<%L}xme!M)3-;Vb}U{pm2a>fW0g`J?PGC^^An!+Y(QOSbe
z!EojoZbw)^ob6GgerUX3e!>tV|JK-tABL!djHz9`EqxSapVu{a6e@!%<Z>5`zWRLv
zMpF?gL?{zkBH!+H#PuC?+*fdnhJvzmUs?2AMt${?+VUbX-6$5DnJG2Z)wZ&R%9?7X
zqON8MQ<zg=W{P;hq~qYj7n=oM&-09iAlJV?3e^HjB7fY)%bf3Ko*lr<H(v^1T5V;v
z%4N24W>)^p0;aaKtjgB#P<_(K9mv0~c$WU3ruT{(|2#`x(?cXW>0E&6krSO}Of$F=
zy+G0^i5?=)l524N63qq<Zjg!gcA))ufN3Ak(%`d;J^K?(ryJ4*muWd%JDh1B&(i;9
zbpE7o0+>OXc6HzjnBFnnce$b@pC!eA9ngUhN1Eq29!wMFQ@<Q`q<u_#Jx`Xd1Tcd$
z?b89Oe7KPwe4wSDX}Yv6cxK`SuV?9Q_b$=E3F)pxC*BA?(V`F2ja2e1-Syt((}C+I
zt^Ypav!n)3w9xA{?c-S*cEjd5-pIL3pRnKUlJd?j)71c`|KyT}->}^s_!6e~*Utt&
z(nFZ`@hk<NQf}rIU}l{Qp2_wFm>y;oOYW1A6ZMd2!mLaSKGEqvdFzrqN3*vBGhw8I
zeHsYPw2x=WWqQJq;F(E1!6e$nG>D=IPaq`ECE9Q}BjEfQ;$$3jzvO=I!RYRQG1@-w
zje{Cw1wOKR9)J)EgMUMxL+T64qgUpX)0yaz(3LHk_ntZOrq25M(S*)Zx^L!mkuU6~
zfBf<7Duig2`W-4HL=8`Z8ug5;v&cOajgSb4UH<?C=%EQxUJF6gogNC&*5r@4KG}mX
z0b(O@F)U(x8zIED4@!{0#g2{sh?@_15NUuoF(TsA8w7D_*`Np@v^xC>|JJ$)kpFZ*
zbiFc?3+LYnLc41y#9ur75qEBQOqhWn%YzampV5xXC5UbJ4~5ux!4Hv3_jnK%Ky>sC
zitr({H4sAdO)o(jIHA@>`6DzA4<Zu~w?~{%D4rk=6?hQ?3C(o_2$Dvf8<*#cu%mlX
zJ_N|+E@Z60MOdA(DlFuHOAh_ChO7vJ={$8b;nt0!*I;FQwk2vQbCXpN%T+YiY;lNV
z2mw}zCJPK4SsQ{*Lv!RJg{;4Ui|+kZ{lvlKAN(AA28a!fv7=+{4<n>3w%mjQ(!50w
zGI&Pd1U`i`r0{98d4t)=n+<8noWaa-Ol85snrfSg6_~P`CA#v4dR;}G%~nxaXKPr<
zNGS~Y6!AI{UXfA^uuU0@8H>nePc!ibeF|?dWH6TGqHLROcIo0OW?^Y{`C?m6WqGy@
zTC-)r>((+`u~{$h8Jb(*Z<-0AY2b-m?lRDxA*qnqdwIOep5)n7o-S7WMUIZ$TkZCj
zcNuMQq@_-XvCsSPTN>?y_Q>Tfo+pm;XotBMp*xWW_P6i6({k*)>~)7b;SEvF`<sQ=
zL+`zrVR)mN7tDH3W_V5~@q(xmIGvcr<kc)-8B#=Jy57KYsrpndm170LpcBYP&$B%1
z+nC<f*npTDz!q2^pKi^XnF4Q|>?D@w*>(MUO2ZG(=m*#u$>lE2R?{^ax7LrFADsd}
z{OmT5q467_UX<a5`n;usQq&;_+&h+W(xndX0<|+Uj>fZkC(i#@9sF+7ll@Wz5p!3D
zqP5WUTKS*ZvGTSlE0pNx5M2+^^-8obr&0OhNeRCAUCus5Y<M0-`&1dvhE~`U@Jqtt
HX{`FcpBW22

delta 2204
zcmZ{k4@{JG7{}lD?q0MLBJ{+&dr@ETRQ}vucX0eOHo;<c1uC0cNPiZ>sgMf845!Ve
zxZ+BK_^m%oOz8s4V&UFO=gN-eX1TSQu7qakKnD|&Qj^hi^n8!^^cVA<?Y;N+dp_Ui
zdA{$Tdk=pmw!JUDW{in3)(V19oR?-5={%u@UN8woRhzeNQ!<_I9H-k+URSZf?Qk0e
zk5KHZTkoqVuT_$tsjBmB*-&2hQi_t{%yMQb$;+!=Rw`;XZK6}UdtG*JW#wAmy0w)l
z)LOtC%rI$ZK`>ZCn<z?L*3pj^L*5-xN0rk$ODGH4hB__GXHG|{qq+vs5=sO2YN+ap
zL2&v%>Sx;xC#{od;Ika=Srq7J`O+~<C<_{`^+xeyPZFJwZcs7Oz{k1bH*#+Ev+<}8
z2_rqV+P8-A!D)Oo@648G8z5&g`*M09g1hU#ktAP|+4hIp9_+CDE-5BRk!!pV!KJ#U
zet=xcEMrDP1gC+EBte(H8GIMsZQ*Fgq}%h+k=(YJIw#$>#zb)Y<`Gh0PU*w^9R8jz
zjUFFh*|CxCX~02vLb9^4*k0~>KhU1a_;rIYe9f55o{y8+jYld-0)!{SOOE_CoJx|N
z^Y7zRT8Cb*B=|DMZno3DovoN<Zkf4Pp*1+#{6Gf+x)(CXZg$YR13GqeX0uEi2q5gH
z0|DW_jlbMs-dXP|v_~GCAK2aX&z%6}0-;8F)7zGN^Li<b=%Y5DUVBkut)`$EN%R;2
zp#Z!vLa==H&+vdexS;)uwlqpYTS@7lx+H!`G$T8erZo{wHAkQ))}I?xt=0&%tAnU9
zfunic+<i-8htz-PChA}e0Hb+9%Qg}$Q2sAygL{g>FC?Mgd}|sjO4>6QNmK{vKmg85
z)K5P|>qD$0$;AFnYBC3DH&x}jq{Ohs1)cOhgfTzC|BWk#W!W0&6QUJ=LT3a<j9S{~
zupV2JML>3H>k^r0>B0_$SWx4yYTpo4r`AdtWwbA2&B-Qp-XgC^CLll~J15+;(eF`f
z7MnyfvY;-G7A)KAQQu0A7wMfv9^Aumi@e_xNBcO834EU-;&wv-;c+?;@Y9+9R91^a
zW>-^pLjnZJMLH0W3?KU`i`As{fFlnceh<N2*?(lQ9Q*zEknjJv?@#J~AX0C;T%JR{
zWfpXF^8FLIYw^D_KUdxC6hqel00X=rjX87G`bTxRm0@n?8Z6e$DPX%?cNMBb9`!u`
zHSlb~ZOYwd@1&d9LHAYa^B~<wZ#DYJ>~MNN%!V}ydfHHYbxsnZUq2aCpIavCAppQI
zm-Yw9>yw1@a$&XVE1Vtr0{}p9MRN;5^Qoe0b@%c!xEkcA^6!3MU9GP6{usI)VS$I6
z&~u3d3!k>?6nf;^fX`_N;#(T<aaX;~Piw!xcCCtM6~$ZO6$*?Bf2g3eeqC>4my6#c
zC*ki@_}K#Q2j02jKq8feU!1eFMu7WI)Z4mf-8DIA>B?3Nf&znhOJzX}TFET;Y&;>6
SgaUo+g^f0K$11yIK=wbgzt1`V

diff --git a/tests/result/rsh-syslog-false-positive.pcap.out b/tests/result/rsh-syslog-false-positive.pcap.out
index a8c44d323a5..99ddc97930d 100644
--- a/tests/result/rsh-syslog-false-positive.pcap.out
+++ b/tests/result/rsh-syslog-false-positive.pcap.out
@@ -1,8 +1,8 @@
 Guessed flow protos:	0
 
-DPI Packets (TCP):	6	(6.00 pkts/flow)
+DPI Packets (TCP):	1	(1.00 pkts/flow)
 Confidence DPI              : 1 (flows)
 
-RSH	6	3335	1
+Syslog	6	3335	1
 
-	1	TCP 172.31.78.129:9039 -> 172.29.43.201:514 [proto: 294/RSH][ClearText][Confidence: DPI][cat: RemoteAccess/12][6 pkts/3335 bytes -> 0 pkts/0 bytes][Goodput ratio: 91/0][0.08 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 11/0 16/0 26/0 6/0][Pkt Len c2s/s2c min/avg/max/stddev: 292/0 556/0 844/0 212/0][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (52.926451)][Plen Bins: 0,0,0,0,0,0,0,34,0,0,0,0,0,16,0,0,0,0,16,0,0,16,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	TCP 172.31.78.129:9039 -> 172.29.43.201:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][6 pkts/3335 bytes -> 0 pkts/0 bytes][Goodput ratio: 91/0][0.08 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 11/0 16/0 26/0 6/0][Pkt Len c2s/s2c min/avg/max/stddev: 292/0 556/0 844/0 212/0][PLAIN TEXT (52.926451)][Plen Bins: 0,0,0,0,0,0,0,34,0,0,0,0,0,16,0,0,0,0,16,0,0,16,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/syslog.pcap.out b/tests/result/syslog.pcap.out
index 108bb484273..7bf1b899ee9 100644
--- a/tests/result/syslog.pcap.out
+++ b/tests/result/syslog.pcap.out
@@ -1,25 +1,35 @@
-Guessed flow protos:	0
+Guessed flow protos:	1
 
-DPI Packets (UDP):	18	(1.00 pkts/flow)
-Confidence DPI              : 18 (flows)
+DPI Packets (TCP):	10	(5.00 pkts/flow)
+DPI Packets (UDP):	20	(1.00 pkts/flow)
+Confidence Unknown          : 1 (flows)
+Confidence DPI              : 21 (flows)
 
-Syslog	62	17124	18
+Unknown	1	78	1
+Syslog	93	20321	21
 
 	1	UDP [2001:470:6c:a1::2]:38159 -> [2001:470:765b::b15:22]:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][6 pkts/2994 bytes -> 0 pkts/0 bytes][Goodput ratio: 84/0][12.00 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 15/0 2400/0 7985/0 3185/0][Pkt Len c2s/s2c min/avg/max/stddev: 480/0 499/0 537/0 27/0][PLAIN TEXT ( NetScreen device)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,66,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	2	UDP 172.20.51.54:514 -> 172.31.110.40:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][15 pkts/2925 bytes -> 0 pkts/0 bytes][Goodput ratio: 78/0][22.45 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 8/0 1495/0 5398/0 2274/0][Pkt Len c2s/s2c min/avg/max/stddev: 150/0 195/0 234/0 34/0][PLAIN TEXT (854 08/20/2013)][Plen Bins: 0,0,0,20,40,0,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	3	UDP 195.120.165.134:514 -> 83.235.169.221:11000 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][4 pkts/1954 bytes -> 0 pkts/0 bytes][Goodput ratio: 90/0][1.03 sec][PLAIN TEXT (1 2022)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,50,0,25,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	4	UDP 10.94.80.60:39438 -> 10.94.150.22:514 [VLAN: 2005][proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][1 pkts/1316 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][PLAIN TEXT (Mar  9 04)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0]
-	5	UDP 192.168.126.102:57166 -> 172.19.177.230:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][4 pkts/1157 bytes -> 0 pkts/0 bytes][Goodput ratio: 85/0][26.59 sec][PLAIN TEXT (syslog@9 s)][Plen Bins: 0,0,0,0,0,0,0,75,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	6	UDP 10.22.179.215:57166 -> 172.26.54.76:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][5 pkts/852 bytes -> 0 pkts/0 bytes][Goodput ratio: 75/0][35.05 sec][PLAIN TEXT (syslog@9 s)][Plen Bins: 0,0,0,40,60,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	7	UDP 10.11.105.154:20627 -> 10.6.15.11:514 [VLAN: 408][proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][1 pkts/761 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][< 1 sec][PLAIN TEXT (09 time)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	8	UDP 10.94.232.21:57374 -> 10.94.150.21:514 [VLAN: 2005][proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][5 pkts/740 bytes -> 0 pkts/0 bytes][Goodput ratio: 69/0][0.00 sec][PLAIN TEXT (Mar  9 04)][Plen Bins: 0,0,40,60,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	9	UDP 10.224.43.149:57166 -> 172.23.243.89:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][3 pkts/736 bytes -> 0 pkts/0 bytes][Goodput ratio: 83/0][5.49 sec][PLAIN TEXT (facility)][Plen Bins: 0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	10	UDP 95.136.242.54:514 -> 93.20.126.110:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][1 pkts/703 bytes -> 0 pkts/0 bytes][Goodput ratio: 93/0][< 1 sec][PLAIN TEXT (Jan 01 00)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	11	UDP 192.168.121.10:50080 -> 192.168.120.10:514 [VLAN: 121][proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][4 pkts/630 bytes -> 0 pkts/0 bytes][Goodput ratio: 71/0][150.90 sec][PLAIN TEXT ( Mar  3 19)][Plen Bins: 0,0,25,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	12	UDP 192.168.45.162:57166 -> 10.208.120.95:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][2 pkts/499 bytes -> 0 pkts/0 bytes][Goodput ratio: 83/0][0.99 sec][PLAIN TEXT (facility)][Plen Bins: 0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	13	UDP 192.168.121.2:50352 -> 192.168.120.10:514 [VLAN: 121][proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][2 pkts/385 bytes -> 0 pkts/0 bytes][Goodput ratio: 76/0][0.00 sec][PLAIN TEXT ( Mar  3 20)][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	14	UDP 95.136.242.54:514 -> 93.20.126.48:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][1 pkts/379 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][< 1 sec][PLAIN TEXT (Jan 01 00)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	15	UDP 192.168.67.241:62679 -> 10.193.53.6:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][2 pkts/292 bytes -> 0 pkts/0 bytes][Goodput ratio: 71/0][< 1 sec][PLAIN TEXT (Sep 22 13)][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	16	UDP 172.21.251.36:62679 -> 172.19.196.11:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][2 pkts/284 bytes -> 0 pkts/0 bytes][Goodput ratio: 70/0][0.99 sec][PLAIN TEXT (Sep 22 13)][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	17	UDP 192.168.72.140:62679 -> 192.168.178.148:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][2 pkts/281 bytes -> 0 pkts/0 bytes][Goodput ratio: 70/0][1.04 sec][PLAIN TEXT (Sep 22 13)][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	18	UDP 10.251.23.139:59194 -> 62.39.3.142:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][2 pkts/236 bytes -> 0 pkts/0 bytes][Goodput ratio: 64/0][48.30 sec][PLAIN TEXT (Jan  2 10)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	3	UDP 172.26.229.190:514 -> 172.23.80.196:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][20 pkts/2084 bytes -> 0 pkts/0 bytes][Goodput ratio: 60/0][31.18 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 14/0 1731/0 15022/0 4686/0][Pkt Len c2s/s2c min/avg/max/stddev: 99/0 104/0 112/0 6/0][PLAIN TEXT ( Connection from UDP)][Plen Bins: 0,60,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	4	UDP 195.120.165.134:514 -> 83.235.169.221:11000 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][4 pkts/1954 bytes -> 0 pkts/0 bytes][Goodput ratio: 90/0][1.03 sec][PLAIN TEXT (1 2022)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,50,0,25,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	5	UDP 10.94.80.60:39438 -> 10.94.150.22:514 [VLAN: 2005][proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][1 pkts/1316 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][PLAIN TEXT (Mar  9 04)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0]
+	6	UDP 192.168.126.102:57166 -> 172.19.177.230:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][4 pkts/1157 bytes -> 0 pkts/0 bytes][Goodput ratio: 85/0][26.59 sec][PLAIN TEXT (syslog@9 s)][Plen Bins: 0,0,0,0,0,0,0,75,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	7	TCP 10.186.117.194:49948 -> 169.46.82.162:52173 [VLAN: 1506][proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][10 pkts/932 bytes -> 0 pkts/0 bytes][Goodput ratio: 15/0][196.31 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 520/0 21812/0 184780/0 57626/0][Pkt Len c2s/s2c min/avg/max/stddev: 70/0 93/0 206/0 38/0][PLAIN TEXT (1 2021)][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	8	UDP 10.22.179.215:57166 -> 172.26.54.76:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][5 pkts/852 bytes -> 0 pkts/0 bytes][Goodput ratio: 75/0][35.05 sec][PLAIN TEXT (syslog@9 s)][Plen Bins: 0,0,0,40,60,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	9	UDP 10.11.105.154:20627 -> 10.6.15.11:514 [VLAN: 408][proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][1 pkts/761 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][< 1 sec][PLAIN TEXT (09 time)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	10	UDP 10.94.232.21:57374 -> 10.94.150.21:514 [VLAN: 2005][proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][5 pkts/740 bytes -> 0 pkts/0 bytes][Goodput ratio: 69/0][0.00 sec][PLAIN TEXT (Mar  9 04)][Plen Bins: 0,0,40,60,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	11	UDP 10.224.43.149:57166 -> 172.23.243.89:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][3 pkts/736 bytes -> 0 pkts/0 bytes][Goodput ratio: 83/0][5.49 sec][PLAIN TEXT (facility)][Plen Bins: 0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	12	UDP 95.136.242.54:514 -> 93.20.126.110:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][1 pkts/703 bytes -> 0 pkts/0 bytes][Goodput ratio: 93/0][< 1 sec][PLAIN TEXT (Jan 01 00)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	13	UDP 192.168.121.10:50080 -> 192.168.120.10:514 [VLAN: 121][proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][4 pkts/630 bytes -> 0 pkts/0 bytes][Goodput ratio: 71/0][150.90 sec][PLAIN TEXT ( Mar  3 19)][Plen Bins: 0,0,25,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	14	UDP 192.168.45.162:57166 -> 10.208.120.95:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][2 pkts/499 bytes -> 0 pkts/0 bytes][Goodput ratio: 83/0][0.99 sec][PLAIN TEXT (facility)][Plen Bins: 0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	15	UDP 192.168.121.2:50352 -> 192.168.120.10:514 [VLAN: 121][proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][2 pkts/385 bytes -> 0 pkts/0 bytes][Goodput ratio: 76/0][0.00 sec][PLAIN TEXT ( Mar  3 20)][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	16	UDP 95.136.242.54:514 -> 93.20.126.48:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][1 pkts/379 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][< 1 sec][PLAIN TEXT (Jan 01 00)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	17	UDP 192.168.67.241:62679 -> 10.193.53.6:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][2 pkts/292 bytes -> 0 pkts/0 bytes][Goodput ratio: 71/0][< 1 sec][PLAIN TEXT (Sep 22 13)][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	18	UDP 172.21.251.36:62679 -> 172.19.196.11:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][2 pkts/284 bytes -> 0 pkts/0 bytes][Goodput ratio: 70/0][0.99 sec][PLAIN TEXT (Sep 22 13)][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	19	UDP 192.168.72.140:62679 -> 192.168.178.148:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][2 pkts/281 bytes -> 0 pkts/0 bytes][Goodput ratio: 70/0][1.04 sec][PLAIN TEXT (Sep 22 13)][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	20	UDP 10.251.23.139:59194 -> 62.39.3.142:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][2 pkts/236 bytes -> 0 pkts/0 bytes][Goodput ratio: 64/0][48.30 sec][PLAIN TEXT (Jan  2 10)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	21	UDP 192.168.254.157:49611 -> 196.240.66.148:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][1 pkts/181 bytes -> 0 pkts/0 bytes][Goodput ratio: 76/0][< 1 sec][PLAIN TEXT (00 10.126.20.68 Log)][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+
+
+Undetected flows:
+	1	TCP 169.46.82.162:52173 -> 10.186.117.194:49948 [VLAN: 1906][proto: 0/Unknown][ClearText][Confidence: Unknown][1 pkts/78 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]