From b6c54fca4621300b6440bdf7568da4f7fa079d8a Mon Sep 17 00:00:00 2001 From: Nardi Ivan Date: Sat, 15 Jun 2024 21:28:44 +0200 Subject: [PATCH] fuzz: improve fuzzing coverage Remove some code never triggered AFP: the removed check is included in the following one MQTT: fix flags extraction --- example/reader_util.c | 2 +- .../b524f7bc777b60fa186852b7db1c961841e54205 | Bin 68 -> 0 bytes fuzz/fuzz_alg_shoco.cpp | 16 ++++++++-- fuzz/fuzz_config.cpp | 7 ++++- fuzz/fuzz_ds_ahocorasick.cpp | 5 ++- fuzz/fuzz_ds_domain_classify.cpp | 2 +- fuzz/fuzz_gcrypt_cipher.cpp | 8 +++++ fuzz/fuzz_ndpi_reader.c | 6 +++- fuzz/fuzz_serialization.cpp | 24 +++++++++------ src/lib/ndpi_main.c | 2 +- src/lib/protocols/afp.c | 14 --------- src/lib/protocols/mqtt.c | 9 ++---- src/lib/protocols/ssdp.c | 5 +-- src/lib/protocols/thrift.c | 3 -- src/lib/protocols/tls.c | 5 --- tests/cfgs/default/pcap/netbios.pcap | Bin 28866 -> 33344 bytes tests/cfgs/default/pcap/pgsql2.pcapng | Bin 0 -> 4112 bytes tests/cfgs/default/result/netbios.pcap.out | 29 +++++++++--------- tests/cfgs/default/result/pgsql2.pcapng.out | 26 ++++++++++++++++ 19 files changed, 97 insertions(+), 66 deletions(-) delete mode 100644 fuzz/corpus/fuzz_serialization/b524f7bc777b60fa186852b7db1c961841e54205 create mode 100644 tests/cfgs/default/pcap/pgsql2.pcapng create mode 100644 tests/cfgs/default/result/pgsql2.pcapng.out diff --git a/example/reader_util.c b/example/reader_util.c index a6c472b3f8c..72e1843aee4 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -1353,7 +1353,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl flow->detected_protocol, &flow->ndpi_flow_serializer) != 0) { LOG(NDPI_LOG_ERROR, "flow2json failed\n"); - exit(-1); + return; } ndpi_serialize_string_uint32(&flow->ndpi_flow_serializer, "detection_completed", flow->detection_completed); 
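Review bot: Returning after the flow2json failure leaves `flow->ndpi_flow_serializer` holding whatever was written before the call failed, so anything downstream that reads that serializer unconditionally (the JSON output path, if it does) would see a partial record, where the old exit(-1) at least could not emit truncated output. If the serializer is consumed later, reset it or mark the flow so the consumer skips it before returning; if it is not, a short comment such as `/* Serialization failed: the serializer is left partially filled and must not be used for this flow */` would make the non-fatal choice explicit. process_ndpi_collected_info starts and continues outside the hunk.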
diff --git a/fuzz/corpus/fuzz_serialization/b524f7bc777b60fa186852b7db1c961841e54205 b/fuzz/corpus/fuzz_serialization/b524f7bc777b60fa186852b7db1c961841e54205 deleted file mode 100644 index 7b17c654906b4c8f642198497df990aa3b85d4f0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 68 scmZqiUdXXz$&&Lxj0PM~`D>RjKm~TlDXd^uQ;-lVPqn$Yi2rpd08eEk)Bpeg diff --git a/fuzz/fuzz_alg_shoco.cpp b/fuzz/fuzz_alg_shoco.cpp index 40fe0f0f454..68d26266004 100644 --- a/fuzz/fuzz_alg_shoco.cpp +++ b/fuzz/fuzz_alg_shoco.cpp @@ -1,5 +1,6 @@ #include #include "shoco.h" +#include "ndpi_api.h" #include "fuzzer/FuzzedDataProvider.h" extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { @@ -7,16 +8,25 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { const char *in; size_t in_len, out_len; char out[8192], orig[8192]; + int higher_level_api; /* No memory allocations involved */ + higher_level_api = fuzzed_data.ConsumeBool(); + std::string s = fuzzed_data.ConsumeRemainingBytesAsString().c_str(); in = s.c_str(); in_len = strlen(in); - out_len = shoco_compress(in, in_len, out, sizeof(out)); - if(out_len <= sizeof(out)) /* No error */ - shoco_decompress(out, out_len, orig, sizeof(orig)); + if(!higher_level_api) { + out_len = shoco_compress(in, in_len, out, sizeof(out)); + if(out_len <= sizeof(out)) /* No error */ + shoco_decompress(out, out_len, orig, sizeof(orig)); + } else { + out_len = ndpi_compress_str(in, in_len, out, sizeof(out)); + if(out_len != 0) /* No error */ + ndpi_decompress_str(out, out_len, orig, sizeof(orig)); + } return 0; } diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp index 4034874f16d..edfa42ceba6 100644 --- a/fuzz/fuzz_config.cpp +++ b/fuzz/fuzz_config.cpp 
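Review bot: The existing `/* No memory allocations involved */` comment now also covers the new `ndpi_compress_str`/`ndpi_decompress_str` branch, which is only true if those wrappers do not allocate internally; if they do, this harness runs without the allocation-failure hooks the sibling fuzzers install, and the comment should be narrowed to the shoco branch. The two branches also use different error conventions (`out_len <= sizeof(out)` versus `out_len != 0`), so a one-line comment on each would stop a later reader from "harmonizing" them, e.g. `/* ndpi_compress_str() returns 0 on error */` above the second check. LLVMFuzzerTestOneInput starts outside the hunk.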
@@ -518,6 +518,12 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ndpi_severity2str(static_cast(fuzzed_data.ConsumeIntegral())); ndpi_risk2score(static_cast(fuzzed_data.ConsumeIntegral()), &unused1, &unused2); ndpi_http_method2str(static_cast(fuzzed_data.ConsumeIntegral())); + ndpi_confidence_get_name(static_cast(fuzzed_data.ConsumeIntegral())); + ndpi_get_proto_breed_name(static_cast(fuzzed_data.ConsumeIntegral())); + ndpi_get_l4_proto_name(static_cast(fuzzed_data.ConsumeIntegral())); + + char buf2[16]; + ndpi_entropy2str(fuzzed_data.ConsumeFloatingPoint(), fuzzed_data.ConsumeBool() ? buf2 : NULL, sizeof(buf2)); /* Basic code to try testing this "config" */ bool_value = fuzzed_data.ConsumeBool(); @@ -545,7 +551,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ndpi_get_flow_ndpi_proto(&flow, &p2); ndpi_is_proto(p, NDPI_PROTOCOL_TLS); ndpi_http_method2str(flow.http.method); - ndpi_get_l4_proto_name(ndpi_get_l4_proto_info(ndpi_info_mod, p.app_protocol)); ndpi_is_subprotocol_informative(p.app_protocol); ndpi_get_http_method(bool_value ? &flow : NULL); ndpi_get_http_url(&flow); diff --git a/fuzz/fuzz_ds_ahocorasick.cpp b/fuzz/fuzz_ds_ahocorasick.cpp index 949cc4b6d3d..5a61f002207 100644 --- a/fuzz/fuzz_ds_ahocorasick.cpp +++ b/fuzz/fuzz_ds_ahocorasick.cpp @@ -44,7 +44,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ac_automata_enable_debug(0); a = ac_automata_init(mc); - a2 = ndpi_init_automa(); + if (fuzzed_data.ConsumeBool()) + a2 = ndpi_init_automa(); + else + a2 = ndpi_init_automa_domain(); if (fuzzed_data.ConsumeBool()) ac_automata_feature(a, AC_FEATURE_DEBUG); diff --git a/fuzz/fuzz_ds_domain_classify.cpp b/fuzz/fuzz_ds_domain_classify.cpp index 8e19b4725b7..a53c8d130bd 100644 --- a/fuzz/fuzz_ds_domain_classify.cpp +++ b/fuzz/fuzz_ds_domain_classify.cpp 
@@ -47,7 +47,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { num_iteration = fuzzed_data.ConsumeIntegral(); for (i = 0; i < num_iteration; i++) { value = fuzzed_data.ConsumeBytesAsString(fuzzed_data.ConsumeIntegral()); - ndpi_domain_classify_hostname(ndpi_struct, d, &class_id, (char *)value.c_str()); + ndpi_domain_classify_hostname(fuzzed_data.ConsumeBool() ? ndpi_struct : NULL, d, &class_id, (char *)value.c_str()); } /* Search of an added entry */ diff --git a/fuzz/fuzz_gcrypt_cipher.cpp b/fuzz/fuzz_gcrypt_cipher.cpp index 703e480a7b5..520133aaef3 100644 --- a/fuzz/fuzz_gcrypt_cipher.cpp +++ b/fuzz/fuzz_gcrypt_cipher.cpp @@ -6,6 +6,7 @@ #define MBEDTLS_CHECK_RETURN_TYPICAL #define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) #include "gcrypt/cipher.h" +#include "gcrypt/error.h" #include "gcrypt/aes.h" extern int force_no_aesni; @@ -56,10 +57,17 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { mbedtls_cipher_info_get_type(ctx_e->cipher_info); mbedtls_cipher_info_get_name(ctx_e->cipher_info); mbedtls_cipher_info_has_variable_key_bitlen(ctx_e->cipher_info); + mbedtls_cipher_info_has_variable_iv_size(ctx_e->cipher_info); mbedtls_cipher_info_get_iv_size(ctx_e->cipher_info); mbedtls_cipher_info_get_block_size(ctx_e->cipher_info); mbedtls_cipher_get_cipher_mode(ctx_e); + mbedtls_cipher_get_iv_size(ctx_e); + mbedtls_cipher_get_type(ctx_e); + mbedtls_cipher_get_name(ctx_e); + mbedtls_cipher_get_key_bitlen(ctx_e); + mbedtls_cipher_get_operation(ctx_e); mbedtls_cipher_info_get_key_bitlen(ctx_e->cipher_info); + mbedtls_error_add(0, 0, NULL, 0); posix_memalign((void **)&ctx_e->cipher_ctx, 8, sizeof(mbedtls_aes_context)); posix_memalign((void **)&ctx_d->cipher_ctx, 8, sizeof(mbedtls_aes_context)); diff --git a/fuzz/fuzz_ndpi_reader.c b/fuzz/fuzz_ndpi_reader.c index 9d061e5ca5d..80ed1688695 100644 --- a/fuzz/fuzz_ndpi_reader.c +++ b/fuzz/fuzz_ndpi_reader.c 
@@ -15,7 +15,7 @@ struct ndpi_global_context *g_ctx; u_int8_t enable_payload_analyzer = 0; u_int8_t enable_flow_stats = 1; u_int8_t human_readeable_string_len = 5; -u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 80 /* due to telnet */; +u_int8_t max_num_udp_dissected_pkts = 0, max_num_tcp_dissected_pkts = 0; /* Disable limits at application layer */; int malloc_size_stats = 0; extern void ndpi_report_payload_stats(FILE *out); @@ -53,6 +53,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { workflow = ndpi_workflow_init(prefs, NULL /* pcap handler will be set later */, 0, ndpi_serialization_format_json, g_ctx); + ndpi_workflow_set_flow_callback(workflow, NULL, NULL); /* No real callback */ + ndpi_set_config(workflow->ndpi_struct, NULL, "log.level", "3"); ndpi_set_config(workflow->ndpi_struct, "all", "log", "1"); @@ -68,10 +70,12 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { NDPI_BITMASK_SET_ALL(all); ndpi_set_protocol_detection_bitmask2(workflow->ndpi_struct, &all); + ndpi_set_config(workflow->ndpi_struct, NULL, "packets_limit_per_flow", "255"); ndpi_set_config(workflow->ndpi_struct, NULL, "flow.track_payload", "1"); ndpi_set_config(workflow->ndpi_struct, NULL, "tcp_ack_payload_heuristic", "1"); ndpi_set_config(workflow->ndpi_struct, "tls", "application_blocks_tracking", "1"); ndpi_set_config(workflow->ndpi_struct, "stun", "max_packets_extra_dissection", "255"); + ndpi_set_config(workflow->ndpi_struct, "zoom", "max_packets_extra_dissection", "255"); ndpi_set_config(workflow->ndpi_struct, "rtp", "search_for_stun", "1"); ndpi_finalize_initialization(workflow->ndpi_struct); diff --git a/fuzz/fuzz_serialization.cpp b/fuzz/fuzz_serialization.cpp index d097c683cd7..5b5de9fe09c 100644 --- a/fuzz/fuzz_serialization.cpp +++ b/fuzz/fuzz_serialization.cpp 
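Review bot: The new initializer line ends with `*/;`, a second semicolon after the comment, which is an empty declaration at file scope; ISO C does not allow that outside a function and gcc/clang warn about it under -Wpedantic. Drop the trailing one: `u_int8_t max_num_udp_dissected_pkts = 0, max_num_tcp_dissected_pkts = 0; /* Disable limits at application layer */`. Since the third hunk of this file then sets `packets_limit_per_flow` to 255 inside the library, the per-flow limit is moved rather than removed, and the comment could say so to avoid the impression that fuzzing now runs unbounded.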
@@ -14,7 +14,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { int rc; std::vectord; char kbuf[32]; - u_int32_t buffer_len; + u_int32_t buffer_len, kbuf_len; /* To allow memory allocation failures */ fuzz_set_alloc_callbacks_and_seed(size); 
@@ -66,19 +66,23 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ndpi_serialize_string_raw(&serializer, kbuf, d.data(), d.size()); ndpi_serialize_string_boolean(&serializer, kbuf, fuzzed_data.ConsumeIntegral()); - if (fuzzed_data.ConsumeBool()) + if (fuzzed_data.ConsumeBool()) { snprintf(kbuf, sizeof(kbuf), "%d", i); /* To trigger OPTIMIZE_NUMERIC_KEYS */ - ndpi_serialize_binary_uint32(&serializer, kbuf, sizeof(kbuf), fuzzed_data.ConsumeIntegral()); - ndpi_serialize_binary_int32(&serializer, kbuf, sizeof(kbuf), fuzzed_data.ConsumeIntegral()); - ndpi_serialize_binary_uint64(&serializer, kbuf, sizeof(kbuf), fuzzed_data.ConsumeIntegral()); - ndpi_serialize_binary_int64(&serializer, kbuf, sizeof(kbuf), fuzzed_data.ConsumeIntegral()); - ndpi_serialize_binary_float(&serializer, kbuf, sizeof(kbuf), fuzzed_data.ConsumeFloatingPoint(), "%f"); + kbuf_len = strlen(kbuf); + } else { + kbuf_len = sizeof(kbuf); + } + ndpi_serialize_binary_uint32(&serializer, kbuf, kbuf_len, fuzzed_data.ConsumeIntegral()); + ndpi_serialize_binary_int32(&serializer, kbuf, kbuf_len, fuzzed_data.ConsumeIntegral()); + ndpi_serialize_binary_uint64(&serializer, kbuf, kbuf_len, fuzzed_data.ConsumeIntegral()); + ndpi_serialize_binary_int64(&serializer, kbuf, kbuf_len, fuzzed_data.ConsumeIntegral()); + ndpi_serialize_binary_float(&serializer, kbuf, kbuf_len, fuzzed_data.ConsumeFloatingPoint(), "%f"); if (fmt != ndpi_serialization_format_tlv) - ndpi_serialize_binary_double(&serializer, kbuf, sizeof(kbuf), fuzzed_data.ConsumeFloatingPoint(), "%lf"); - ndpi_serialize_binary_boolean(&serializer, kbuf, sizeof(kbuf), fuzzed_data.ConsumeIntegral()); + ndpi_serialize_binary_double(&serializer, kbuf, kbuf_len, fuzzed_data.ConsumeFloatingPoint(), "%lf"); + ndpi_serialize_binary_boolean(&serializer, kbuf, kbuf_len, fuzzed_data.ConsumeIntegral()); d = fuzzed_data.ConsumeBytes(16); if (d.size()) - ndpi_serialize_binary_binary(&serializer, kbuf, sizeof(kbuf), d.data(), d.size()); + 
ndpi_serialize_binary_binary(&serializer, kbuf, kbuf_len, d.data(), d.size()); if ((i & 0x3) == 0x3) ndpi_serialize_end_of_record(&serializer); diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index c0cb12fa867..96e7955b0d9 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -4976,7 +4976,7 @@ int load_category_file_fd(struct ndpi_detection_module_struct *ndpi_str, continue; } - if(ndpi_load_category(ndpi_str, line, category_id, NULL) > 0) + if(ndpi_load_category(ndpi_str, line, category_id, NULL) >= 0) num_loaded++; } diff --git a/src/lib/protocols/afp.c b/src/lib/protocols/afp.c index 5b420f422b8..73d62345751 100644 --- a/src/lib/protocols/afp.c +++ b/src/lib/protocols/afp.c @@ -62,20 +62,6 @@ static void ndpi_search_afp(struct ndpi_detection_module_struct *ndpi_struct, st return; } - /* - * this will detect the OpenSession command of the Data Stream Interface (DSI) protocol - * which is exclusively used by the Apple Filing Protocol (AFP) on TCP/IP networks - */ - if (packet->payload_packet_len >= 22 && get_u_int16_t(packet->payload, 0) == htons(0x0004) && - get_u_int16_t(packet->payload, 2) == htons(0x0001) && get_u_int32_t(packet->payload, 4) == 0 && - get_u_int32_t(packet->payload, 8) == htonl(packet->payload_packet_len - 16) && - get_u_int32_t(packet->payload, 12) == 0 && get_u_int16_t(packet->payload, 16) == htons(0x0104)) { - - NDPI_LOG_INFO(ndpi_struct, "found AFP: DSI OpenSession\n"); - ndpi_int_afp_add_connection(ndpi_struct, flow); - return; - } - if((h->flags <= 1) && ((h->command >= 1) && (h->command <= 8)) && (h->reserved == 0) diff --git a/src/lib/protocols/mqtt.c b/src/lib/protocols/mqtt.c index c88844a091a..ea2390d371f 100644 --- a/src/lib/protocols/mqtt.c +++ b/src/lib/protocols/mqtt.c 
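Review bot: In the new `else` branch `kbuf_len = sizeof(kbuf)` passes all 32 bytes of `kbuf` as the key, including whatever sits after the NUL left by the earlier snprintf/string use, so the binary key deliberately carries stale bytes; that looks intended as a non-string-key test but deserves a comment, e.g. `/* Whole buffer, NUL included: exercises binary (non-string) keys */`. If `kbuf` is not fully written before the loop, the read past the terminator is of uninitialized memory and MSan will report it; zero-initializing the array at its declaration (`char kbuf[32] = {};`) removes that doubt. `kbuf_len` is u_int32_t while strlen() returns size_t, harmless for a 32-byte buffer but an explicit cast would keep -Wconversion quiet. The loop around this hunk starts outside it.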
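Review bot: Changing `> 0` to `>= 0` makes a zero return from ndpi_load_category count as a loaded entry, which is correct only if that function returns 0 on success and a negative value on error; the hunk does not show its contract, so please confirm against its definition, and note that any caller comparing `num_loaded` against an expected count will now see different totals. A one-line comment at the call site would pin the assumption: `/* ndpi_load_category() returns < 0 on error, >= 0 on success */`. load_category_file_fd starts and ends outside the hunk.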
@@ -179,18 +179,13 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct, } if (pt == PUBLISH) { // payload CAN be zero bytes length (section 3.3.3 of MQTT standard) - u_int8_t qos = (u_int8_t) (flags & 0x06); - u_int8_t dup = (u_int8_t) (flags & 0x04); + u_int8_t qos = (u_int8_t) (flags & 0x06) >> 1; + u_int8_t dup = (u_int8_t) (flags & 0x08) >> 3; if (qos > 2) { // qos values possible are 0,1,2 NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); return; } - if (dup > 1) { // dup flag possible 0,1 - NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH dup\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); - return; - } if (qos == 0) { if (dup != 0) { NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos0 and dup combination\n"); diff --git a/src/lib/protocols/ssdp.c b/src/lib/protocols/ssdp.c index 3e18edf50ab..90ce4c04c5e 100644 --- a/src/lib/protocols/ssdp.c +++ b/src/lib/protocols/ssdp.c @@ -47,10 +47,7 @@ static void ssdp_parse_lines(struct ndpi_detection_module_struct /* Save host which provides a service if available */ if (packet->host_line.ptr != NULL && packet->host_line.len > 0) { - if (ndpi_hostname_sni_set(flow, packet->host_line.ptr, packet->host_line.len, NDPI_HOSTNAME_NORM_ALL) == NULL) - { - NDPI_LOG_DBG2(ndpi_struct, "Could not set SSDP host\n"); - } + ndpi_hostname_sni_set(flow, packet->host_line.ptr, packet->host_line.len, NDPI_HOSTNAME_NORM_ALL); } } diff --git a/src/lib/protocols/thrift.c b/src/lib/protocols/thrift.c index d9be27ca514..79ee6ebb540 100644 --- a/src/lib/protocols/thrift.c +++ b/src/lib/protocols/thrift.c 
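Review bot: The cast in the two new lines binds tighter than the shift, so `(u_int8_t) (flags & 0x06) >> 1` parses as `((u_int8_t)(flags & 0x06)) >> 1`; the value is still right because it lands in a u_int8_t, but the expression reads as if the shift were inside the cast. `u_int8_t qos = (flags & 0x06) >> 1;` and `u_int8_t dup = (flags & 0x08) >> 3;` say the same thing without the misleading cast. With dup now a single bit the removed `dup > 1` check was indeed unreachable, while the `qos > 2` check still matters because `(flags & 0x06) >> 1` can be 3, a value the MQTT 3.1.1 specification (section 3.3.1) forbids for PUBLISH. ndpi_search_mqtt starts and ends outside the hunk.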
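Review bot: The return value of `ndpi_hostname_sni_set()` is now silently discarded; the commit message says the NULL branch was never reached, but the function still returns a pointer, so a `(void)` cast with a short comment keeps the intent visible to readers and static analyzers: `(void)ndpi_hostname_sni_set(flow, packet->host_line.ptr, packet->host_line.len, NDPI_HOSTNAME_NORM_ALL); /* result intentionally ignored */`. If a NULL return can still occur (for example on allocation failure) and simply means no hostname is recorded, that is acceptable for a dissector but is worth stating in the comment. ssdp_parse_lines starts outside the hunk.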
@@ -83,9 +83,6 @@ static void ndpi_int_thrift_add_connection(struct ndpi_detection_module_struct * case NDPI_PROTOCOL_HTTP: NDPI_LOG_DBG(ndpi_struct, "found Apache Thrift HTTP\n"); break; - default: - NDPI_LOG_DBG(ndpi_struct, "found Apache Thrift\n"); - break; } ndpi_set_detected_protocol(ndpi_struct, flow, diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index ca23da4f85b..2d8247d515b 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -1032,10 +1032,6 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, break; } - if(len == 0) { - something_went_wrong = 1; - break; - } #ifdef DEBUG_TLS_MEMORY printf("[TLS Mem] Processing %u bytes message\n", len); @@ -1638,7 +1634,6 @@ static bool is_grease_version(u_int16_t version) { case 0xeaea: case 0xfafa: return(true); - break; default: return(false); 
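Review bot: Dropping the `len == 0` guard in the first tls.c hunk is safe only if `len` can never be zero at that point; if the surrounding loop advances through the buffer by `len`, a zero would stall it, so the invariant that makes the check dead should be stated where `len` is computed (outside this hunk, so I cannot confirm it here), e.g. `/* len includes the handshake header bytes, so it is never 0 here */`. Without such a comment the next reader has no way to tell a removed dead check from a removed safety net. ndpi_search_tls_tcp starts and ends outside the hunk.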
diff --git a/tests/cfgs/default/pcap/netbios.pcap b/tests/cfgs/default/pcap/netbios.pcap index 1e8ee3920cad7e8dd79334bf6be00c7e41b02601..b143112fdb15c7132de742aaa43682d5bfa4d465 100644 GIT binary patch literal 33344 zcmds=30PHC*T)YEC^!HPuQ+x?dqqtYb4W#Hx))F;MMM*oL1b_M5z$l<98;U;Zf0ug zQOlH>97xR^GBxbgGKbKda3am2aC-M%7jWH0?ziu_@AExRhpt@Ua)12)Ywc;BeNOfb z8rZ*~C`yn=rxsT1^TW!cw&JV=CQh0ah3uZ)!*na}M9bvat2g+d2$`-OKfZdj`pHls0 zurs!d6zGm^3~YPCmgISD_bAFP%_`jexhdWq&v1765fq8BL^eDnr zkv4ty4ti|7=U`mXD`w6mPd&&c4EQTO!`;M^2(_9Pjp^`!>-nDc-~1NfxnPfqjdxCB^%6 z@MICY6R>X(wxoE^d1Z=-{VcGr6Lt$VNJg%uHkwA+DA&4WbM{4B%jDW!o0*i2bFDAv zK0|a%iuXs`XNlMzz&=gblH$Gc-b*5OKVX*+kG2e^kzyy83U*eh0?TbD^Je_P0Y>p0lxx&6yUnkCIS> zQ^TD%`S;jYTi6h(4>9-|e0(1}jIrB zE5XBt^sf2^{@K>5j-!?0U=_Ze%_G_G(z%?c?lqbVsO=B1=bjwjK-&KAMjeWW=6S`M z==UfaxBV>0g{AUxfzM_6!E<5U>mO1!((Uy=XCKp9MtAdOA5k{e{W|D=jp%k(Ly+g1 z=QQJgSRrD60POjM{RHg~d!A&qnzE7SzH9=T>2x&7GM-1 z*0n9Dd@ES%@%D?~dm(;rcvrLzbd6Q{d(WuMC2MD!bY%&DU-tfeLmlt7*F8_)dsgK) zcpF*SdXvbrwcy!Q;#o5_R7#%S&K9xP0XvPbpCDdXciY#uh}gS<9YNTVbUQTJO4+E5 z1c2uy4y27-H@YCtHTTCSi+55sZX>^d?*2sgztq8qt+`*yQTB+~*MQxHuqAn(IHv|1 zc^(+b*$3k-r*Y>mR$X9-(Yyi>1>*q*>XN!X3la1?LN<5>5M zTa=A*ZR8Tp{_0uFKZbz`t2#&1YSc&JX9 zr;yj^YP_ZmgPWE}@UDOBAFi3!OxU7oTO|8Fe^l0yO0%Z6vo-nd0&V=yO-y?nYv+~c z-mXNy-vi|vJKttt^`Xa9kp$=77M1@6yZSuPX!a*%I&B?knf|5aIvc7RxACEzUAT|r zx}I=Os9IujLmCLD(>VIK*oyVrrFQ zh6gzBc0%mgxMDVsk(76hhxMlZWA+|k4yZ9id4%C*ybW{B7$fxVNkCFR=3E*T;=)F29W5VoXTyFX$!Wush6f&F6Z zXIUoK>}JOhy7Q*&l*1?>x5Z+ zj?WIhPFU=hNp<5q9|iH=PCS>C=OcSB5V7NdT|n59a;cwT>@4t{?v0YfPCmGTvXSR$bvSzst8be1=NF96 zBHfz%^F6_>Dl4;RI;}co z8PB_9T91Hu8Kr)I3()vW(|8i;F4y z(Vnni?-H*2SRvER>ONIt$)EL>9Yvn=y3gMpOL)zPAABtNl(AXoWvV#=^~&1uH>0M( zIQGJGi#WTC?KQWt;(Sxh>4&Dvj*^?29+ZPXa# zf#&vh;j)mu7uey1Eh*=1zS&M=k9F?{_7K9Bl=J-`>=Uus)@Zga>`2&>JTDpbt%&_6 zu-gL^mIe!sK*(6+zW`@IHo{@kQY&iY0rtZ}JWSUwO3K46ulyup*9CS{l84r6EYhvH-|>6?IAtTxGcq~*<6ca2*(2Sh zk~}~7pOci0J#PTI9f|JR>R1`N?e6|6Vmku60bxt>y#D(0l#M*M?aA3q=2*t_+WIoe 
z#-2NY?)pTxB+tk8yDDNg0(L#ZuBFDwi1(`3gzUz^rq{|^spDj@-&s0bLql6ZyCG%6ZSzB8z1>z^Bx4_pbnT%>wtjW2zhNH5|*jB6i-EU8afm8s3b0zbDQ$;T5Zbn)8gA zO(+}BU1oykD@nX1d47L+4L0(;*(J`db9cNd(Pjr_WpF?cT{aTT;8)f5otDrmGGP>tJ=PqJz0`^40exN2I-I_hmYS@di zk>~ANarW(xEaUmm#l0yTdk)uNx_7+m=8=?*@;n~yos>uJom6~RoggF6dww`t#D@JSdE`Dm zvf9{at2oL=p7%b*Juf{*`W8u^@9r2++1T^moSk=;#Y}oshNA^Ay|EW%r!R|ICg|bn+JxaOmlRsJ}-X2R+DI3SzA3Q%oJeL&jy+_kT zY}j{|_dQ|%p(e}l{MK9PB6cw7K1A4(a&2d~=^{4l0m}Q1uqEYMgdtPJo(Q@(5w;}H zU$&kjVow4#+ed3QhD!2$=&HFQb~3QPAZ$sV4_vsAvQhi?Zpqm{v3)pZbHx+JUMSBs zug8uQE}?APz88Y-_lRyu@t*SCnEW$GFtaExk zWh31|GdTM|Kcf4Xu@7qFn)|l?rwS+=>%IcI-HGno>SV;$+`stGEE2J=0=p|=-%?X$ zuul!&EMmj;M|tG>qvD(D6dCLe7q(M2iud45u6tiE%f$P9;7-cM@xBS3cOafiiudY^ zUyInV{?DW9e@XGq*!PWy4fm_gBloM874M(F*jvr69Lv!CA)aA%&Dl=(n^fH&;*1yE zA7YH0`$Gh8-1}%O11df*>gnsra&37si#Hp~`28Umz3}bd{~7m(7(C*;YTv8x4^e%O zhH%LBU0++KoeeKOK-s9BCBSuldE`33VoB{R=!HWfwl%cz=A?~FYG;l5mWbGPz-GB_ zwmy;6uWtF|n222;*iMA~yP77WPY|C~&%uM$Ub*c>Z;iO+F8;vKClR3NC zK=S-YqX%MZo>RWvk$!Y-nQF9%fkOA!Fgk7#qm!UgkSsfAkJzy^+Y)PK)%cw76e+ujw zge^&T!3ZbHMtL5yl(UOkk~}|R?2kOxJdT}oXiV8S&)0+QDMYs<&wG|P6R|%7b}C^@ z^1T1PR+NoAk6p*vg?#@Uo4Zu)p(~Z-c}eqsQ#SS-&cWx>bMV*H7g4-5kD>kgx>7dM zJ=V16f}Iz&gzm3icBgEt8_rGU^1WnpA9-FZN%u?M&x_diA=lXb_RZK=)fqB8_pa~| zuoGczkW1GFl60p94xnrl@A#u!cg|@N?;nhwNVn#`Wy3Eu*eKqK4Z(8<;`tSICSq&O z^Urd8sBX-Lxngcz!j=^8W?KhRHu5~-JlCCFVj0gjwI4*;Sa&P%+=}SFtj?0*`H2uA zyEU-+9l&t=mK5(n?LtJlb)20;uDK|d6mJi=VU&&HodomqO;MJK_rmvUuyMSf2Hp3F z=aS-`wnNB<`|RZ0C2UFYo;p8*dX9Cs1>F^deM!xbk>?S1F(Nj*u7l;;HNuwUxq3^; z?gs43ge^(;jO*h>x(5OKFkzReFUjz{z-uC9qc%1nm$SdHCT*<5=#AK#$FafjlPDYK zS{Ug5mgtt`d9Cg#A~w_=a%kP*qB5A2LL2*lUtQ_nJuZ{NTK~B6b?+UPp9aP%~xZ+P|Ke zN7*ReDXbci>9n4CZniFw)V>RwETn84Z@A7Rhg@e;EGga{Z@(sD!*ygiuUf|Q;Xdz* z*!d9e1j0VAX32=RUxHD@-VE$m!j_b4HeElWY?N#1A8_`nr%0|HGWsIjn#YoNvzJpg z&Nb-Qa)uGzl00v-Yz<{2-P71Mo=m4tpRMA9md%VmpK9Z2z9w8u(Xro(#`VwBASAD9>$R?_g8fuN^QN z5L@vi7mB4WcjG@GtNCFS|f4-Sjiunx_p>rhGY9`x#e zC>zDQZVb=0Mr zCGBG7CG5D~;!dcumGbOBMafbWUmd%TlMj3N=>rVjzU;%`Z}9c?^7ZlcHQkew-OY*L 
a@5#6F6<)snm9Oyf)$>>IE2kCyxBVB+qK-BI delta 4102 zcmXw+c~Do^6~})p!bK4f6)e952`;FpAR@RRpeXpBC@9JzhDEL-Zs3a6phPNKQlVAxLo6DGWWcTUa+L63n++ESW5wEF&EmWJvh$Gcwi<)%lef&yo$eNcjM-Sd zss|d{L%@ZVICxbL&C%ontWHtio)Z1_A6*610VJWIyPmon=5+M5Stq}R&6k8|7H@1u zCn)`Kh`7}+*c*Z6p(g#dsdpD(Eb2Wtg8R(wrCDrlqsxW;hh7q08j0!z%6=o@Q6&bB zz_$k6>4oj5hDm}M*K`-q`RFfmsexmeG|f*sV~?Jtp1pg<`=X|#wPx}8`D5l zGhVb9R8BJMwi+-pFi;#R;g(84O4$2w>a`WOnTHyl3r?Kb0v%1P7}a5)H|Mz)x0A$i(VNJwUJdU((}wt`}7fO zTb*h7UV!n)z3zCpcJ$T!|FN0o_8a?3aO)+x&ftDF8wPrtt!(dSsWfDts>Vs~_0ueN zy1e-E>-*cRo#9yP!a%p<6(#PPTbLgL>kW8+8BTINN~;N|H6Rz)OVR297K6F(VO|LQ zVt~ha+!=w&f#TTlDfV+=pjH!+zxWlCUp~lUu;((~A7sB_!1F*~-e6I*&4!967?+l4 zNq_p#>^5((r0@Tci@TjRfOIVIVkaDy>SYZPP?LngXda?D`ukFd!9zuK9%Pno9V*r< zZrmv4ro;%SI7IKD7_Bl;xwtEGDVi8-G03bzl)w>yNpMsSmaPvRX0tx?SDKJvnnn0{ zj32q9;w)vs9aJDUaUjlSeRr2RTkqjw$f-mpYlmx&_WmM(+Y%CQD;wDx%PEhWcxfXOJfZYNDhf@aa}q3PhJM2TL?gZ*aW zQ;zN`k~4;kvRS)*aRDVsc-@b(R3>VjXvgb{K;UQr8C&Ve9IZKeZXjlzqP}A!>X(gi zBT#36|8qHL#~52pLA};IOiW3VX3;m>q(4rw80h^5EFUXi=6cK{)w^pz-RIa~cCuDe zQS4d`7sJ~r*y0(NHMutB+D&b1Vq9X}IDO>Jk9ybyw_=ZzEl%?4@5#c|^P z&J%YQKVDWla2HEA8?h~gUI<9dNV8NH_VTb1eId|lK-@_gh~x=28!Cp-^i9w#j{9MJ z$elP*(#OUG@<1G(Xsc|LTl~OWL`=G+rU5*A4|{D$*DO{?ViYMoDnp`aV~xEDU^?s` z|CH6kC)unoO+#mECutU!M`JcAJ=79+pvu8=&EeZqH6^N zrTb16_trNJr~{aR^eYQ6bmVw$z|vg=GBroDFH4snW!kJ`f5qyt)A5@$MbZivoItS z{VH3clXjvyft+aqR#LMFoHtk88)_4lVD0*hP#o)7AQ!p(@z#k(_!A}g> z;)OAem?8N+Ah8?SxkA2Ue-l!r@Yu=5WEP>61ZW&i3`{yf#MQNy^MO@ z={u{XM6=jYAcxK^wOK#xz@Et6Rx0kJ^qEB0BJi*44;>A2kNC7Q+6B`ol?FA?|T zG*hpv(o%Dg{;V@Tr|_=2R%x@&Sb_beR%sUTdmw1Bud2j7Vh);5AZMw7(C=~e1kM{! zei8eNU8dDM6o2xXv7cFHF-W+Ivt5sJJ88=WeCdJyQ2r+dY&eGpC}M@=mpwCwJ+{J9 z#5Z;e(9 zkiI8I_FDg2oAozG%~8G9T52H-4aL&>b!%_Q@C%ev(#eLJMNs9N2ng-ju 
diff --git a/tests/cfgs/default/pcap/pgsql2.pcapng b/tests/cfgs/default/pcap/pgsql2.pcapng new file mode 100644 index 0000000000000000000000000000000000000000..3ff361623433107bd0e45f17f62f574580b48997 GIT binary patch literal 4112 zcmd5njEOd1{-0f(*8AzNr}+Ne!LWC+dONgE9_p)*ZP7^scwTGSF{>aiGh z_Hig}TUhial*3`O^bEBj1_CsJF^e7;7L9s@Z4Hjt7KIuxP@18Ey`i=)8W<9J<`EVd616EHlB?{n&6PrLY`$Pl>%&9_CIK~_goecnsf6o#K;6ie@f(_A26Eo?Ok1-$8@eT>|-u3HIT?aB*Mb zIzoKRFuuwws6t&h#(a`5jo&>Tcam=x#MX9|rGE6x0RY3mIJ!f}48wW@v9LU1K8eNP z_soK&O#Qeb3EK@wgbqc03=6~jnjd2EH~bz<$DGuy4Rv?B$|jG2v?+eB7&bZ*O$Xv(al`zt*!51wn~YsIjNQ^Nu}h!g#={C0 z8piFZ3svX@=a`GJa1Q*wS+HR2+(-Z@A~@Va9Kb0f$dh7pomtcM@KXP|%(Te23(xCh zIQL)sm6TV15Uugr5Q$a^!cupY&z-Bc^G3b&#tTI+d%Y5~ONwrvTd_oPejVNo*i-Nn zgo2|GM7knI+p)HCQKd*nq%S%l(hyNaWRZeMN<;w#q5_aF$_FceIcyC2ps1}vR0Ik| zg@6k}!7{)E6Hr77e7Oh+z~KQIzF1_S3Y35vPyxz714>qet^{2gXn`dJgosEWBuNs9 zBt;^S$Rr|Z4oQN5BjP0BD}mtf2p$J?0Fi(Y5CmoqkHf)3;6@0F&Tl=_79JD#IB=nt zxo^zfLVSwCO)ik_X$my)} zC31>!XVUy63#EEn%9;89Hg^<=GZzL4j}TyN@IXlcg2OmrJZEb6hJ3%#{&YHDaoyIA z!@Avz)vX74O8b5oPs}jw4Q^CnG@N5TS+_j?z${p>Zr8j7Kuixt0Jj2G@3Q~5>Mj3Y zSFats8I*t(!Q+zJ%XL0h5{>?)A+Hh^NQv&r7bKjh<6gS)Al~|RHQ$}%(OpkhzV00w z93{2MU#q0x*plX+_B730kqljCbQhM3nfbj8bMj4o2dC#`vbOhfM(WwFvPsQ<4o~Hm zN1V#Mx2a#AzRL0sF1;D#IoG45{K@whc^;BvKVx09*j`uDQ* z7L#aSp6iJ_q@>(3^Z%%}UH+has z0Uht!OB(ANVu#d^8a3@s6|gn8>aNWjZuciQ)!$$4cf;&R(tBg!-Z|v{i};(vRAzAC zZkr{&!7OEczDo&9*z=o2kkq*pdUz~Ly$(^=Qc>gIsTeDpkZ9z(m<*-=bYNX&7HQ7L zjtTbblU#YSAk#yGPnifAyh_u*lqgHnO1qU&rR8fabz$*33ucv^(!z#;TFsl;s|Osa z-O_Hv1)NY1h?9A6)Ott!mCc*1H7t_rq3ymIvDzU zK;QtkSX%cX-soG z0tZ$}0_$9Dm$&=wzI}!4e}LGSbAud3(QElLlA?ogOK&XjkWmZMD$WSeKAYzmk!O^h zYp(M~KB=XMeR}=nUJK@OzxNzU3?q-DuuZlzwVjd3tE+ibJb!z!A|-SwC%6ai?YJc& zF-4#mYu9;DQ>oO{$f9re>aLjhuH(aA6(Ng6(ZiW-%?5w)a-{asdoI}OoVxgn-27$f zZlx|g-nV?S>ha_OiPfFT0hU|(TZEeZL9KS`Yn5!@@pkSTyLs+z%Hsu$4}umeRlh?S zMM`(B9M8uS+3F86?-oiFydDlh%NUJ!G^tjGUF|FEFKUbIZpjbyTA%)G{Q0&V&fUo0 z{GiwU_4BT-T5vY85{=hNSc~&na(K@k$qVe?9}Q+$*p&E~XmVGz2-g~!3=?(DeSh?9 
zNijt;$HrGW7wqY~QrvLrgXulDXE(QBd-~+8;cm;i?JsMF?3IX4{{n z#?>w zeqa5hcTH(ge_Pr`Gh(>*qM;FD&VaS>wLg>PsKOe!W0B)OdVIf1a&+8Bqsa3v1D0b$ zdh?EKmDT9^RAjmP(@zSy&sC(Q!q0Wf>+9|FI$oJxJJ>GkeCvL4pZBuw%RLI;>pdc@ zO3VLlm9B7w((*b6ZD(ZG*0qHvk7%mAt$HZy;3YNZdWoXbM3mh9L$#e0HN%@4^AvGq z5);`3)psbz2KGltM-+L zh2Cv4V`i&tb!8sem1X}k2J5pkdv`bNx8L;c=hOSG_-?Le=f(5iYJ6GJg zzue8LepF#BoMSHT-5`?xViqiA>iZ)2yX1?)y}#;5)CQdo`X$fPFJBT_>}uQ@(VD2P z@06!G#5KCFpwuZ4xCxY^b{n30D$Uz@tVfzJ?UHRfZlFKf>{U^!C3pCG=3W3WJ~K7y zLtfu#d^w$$_}gOvw2J5xU<-lpLLK8M=#n3 zzB-%9Js28Ajkc|LK>s1q;I323rBV6T*NF$zy7w_zMENmqdn7+)vAGLVM-y_wxX#oc z@^|`&rgQ#E|9hyP_i>w8KP(xr1v+Nf@2>=*rw|7g0-J~!_zyiY3gtyc#D)cj1fzl5 j(O~hPX*?i(S^MbFt2|_KjO`=9@p3T~Aj0w2hMn;*U<6;J literal 0 HcmV?d00001 diff --git a/tests/cfgs/default/result/netbios.pcap.out b/tests/cfgs/default/result/netbios.pcap.out index 3f59e3a00f9..1934e8825ad 100644 --- a/tests/cfgs/default/result/netbios.pcap.out +++ b/tests/cfgs/default/result/netbios.pcap.out @@ -1,10 +1,10 @@ Guessed flow protos: 1 -DPI Packets (TCP): 2 (2.00 pkts/flow) +DPI Packets (TCP): 3 (1.50 pkts/flow) DPI Packets (UDP): 14 (1.00 pkts/flow) Confidence Match by port : 1 (flows) -Confidence DPI : 14 (flows) -Num dissector calls: 164 (10.93 diss/flow) +Confidence DPI : 15 (flows) +Num dissector calls: 165 (10.31 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/3/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) 
@@ -16,17 +16,17 @@ Automa domain: 0/0 (search/found) Automa tls cert: 0/0 (search/found) Automa risk mask: 5/0 (search/found) Automa common alpns: 0/0 (search/found) -Patricia risk mask: 12/0 (search/found) +Patricia risk mask: 14/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) -Patricia protocols: 30/0 (search/found) +Patricia protocols: 32/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -NetBIOS 258 24196 13 +NetBIOS 259 24326 14 SMBv1 2 486 2 -Acceptable 258 24196 13 +Acceptable 259 24326 14 Dangerous 2 486 2 1 UDP 10.0.4.131:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][181 pkts/16652 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][59.62 sec][Hostname/SNI: xstream_hy][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 10/0 328/0 929/0 225/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92/0 92/0 0/0][PLAIN TEXT ( FIFDFEFCEFEBENFPEIFJ)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 
@@ -37,10 +37,11 @@ Dangerous 2 486 2 6 UDP 10.0.5.9:138 -> 10.0.5.255:138 [proto: 10.16/NetBIOS.SMBv1][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/243 bytes -> 0 pkts/0 bytes][Goodput ratio: 82/0][< 1 sec][Hostname/SNI: nvr9][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT ( EOFGFCDJ)][Plen Bins: 0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 7 UDP 10.0.5.93:138 -> 10.0.5.255:138 [proto: 10.16/NetBIOS.SMBv1][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/243 bytes -> 0 pkts/0 bytes][Goodput ratio: 82/0][< 1 sec][Hostname/SNI: bowie][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT ( ECEPFHEJEFCACACACACACACACACACA)][Plen Bins: 0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 8 UDP 10.0.4.101:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][2 pkts/184 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][18.05 sec][Hostname/SNI: muli][PLAIN TEXT ( ENFFEMEJ)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 9 TCP 10.0.4.24:139 <-> 10.0.4.131:1398 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 2][cat: System/18][1 pkts/60 bytes <-> 1 pkts/60 bytes][Goodput ratio: 2/0][< 1 sec][Risk: ** Probing attempt **][Risk Score: 50][Risk Info: TCP connection with unidirectional traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 10 UDP 10.0.4.24:137 -> 10.0.4.165:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/104 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][< 1 sec][Hostname/SNI: gunnar][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT ( 
EHFFEOEOEBFCCACACACACACACACACA)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 11 UDP 10.0.5.1:137 -> 10.0.4.24:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/104 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][< 1 sec][Hostname/SNI: guru][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 12 UDP 10.0.4.14:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: guru][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 13 UDP 10.0.4.24:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: guru][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 14 UDP 10.0.4.66:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: guru][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 15 UDP 10.0.4.165:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: gunnar][PLAIN TEXT ( EHFFEOEOEBFCCACACACACACACACACA)][Plen Bins: 
0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 9 TCP 10.19.71.184:55489 -> 10.17.113.129:139 [VLAN: 2308][proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/130 bytes -> 0 pkts/0 bytes][Goodput ratio: 55/0][< 1 sec][Risk: ** Unidirectional Traffic **** Probing attempt **][Risk Score: 60][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][PLAIN TEXT (D EJECEJEGEIFBDBDBFHFDDADCDDCAC)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 10 TCP 10.0.4.24:139 <-> 10.0.4.131:1398 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 2][cat: System/18][1 pkts/60 bytes <-> 1 pkts/60 bytes][Goodput ratio: 2/0][< 1 sec][Risk: ** Probing attempt **][Risk Score: 50][Risk Info: TCP connection with unidirectional traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 11 UDP 10.0.4.24:137 -> 10.0.4.165:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/104 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][< 1 sec][Hostname/SNI: gunnar][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT ( EHFFEOEOEBFCCACACACACACACACACA)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 12 UDP 10.0.5.1:137 -> 10.0.4.24:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/104 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][< 1 sec][Hostname/SNI: guru][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 13 UDP 10.0.4.14:137 -> 
10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: guru][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 14 UDP 10.0.4.24:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: guru][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 15 UDP 10.0.4.66:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: guru][PLAIN TEXT ( EHFFFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 16 UDP 10.0.4.165:137 -> 10.0.5.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: gunnar][PLAIN TEXT ( EHFFEOEOEBFCCACACACACACACACACA)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/pgsql2.pcapng.out b/tests/cfgs/default/result/pgsql2.pcapng.out new file mode 100644 index 00000000000..c8d4fc837b8 --- /dev/null +++ b/tests/cfgs/default/result/pgsql2.pcapng.out 
@@ -0,0 +1,26 @@ +DPI Packets (TCP): 6 (6.00 pkts/flow) +Confidence DPI : 1 (flows) +Num dissector calls: 157 (157.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +Automa host: 0/0 (search/found) +Automa domain: 0/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 0/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 2/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +PostgreSQL 19 3076 1 + +Acceptable 19 3076 1 + + 1 TCP 10.220.20.67:58574 <-> 10.220.20.67:60102 [proto: 19/PostgreSQL][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Database/11][10 pkts/1252 bytes <-> 9 pkts/1824 bytes][Goodput ratio: 64/78][0.01 sec][bytes ratio: -0.186 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1/1 2/2 1/1][Pkt Len c2s/s2c min/avg/max/stddev: 44/44 125/203 372/1360 119/410][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Plen Bins: 25,0,12,25,0,0,0,0,0,12,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0]