Comments (7)
I can only analyze this issue after I successfully update to commit bdb73db
Commit b08c787 contains too many changes.
Thank you.
It looks like there is such a problem.
I have half of the records with a host name marked risk 27.
I found and corrected several errors related to the determination of risky domain certificate hashes and the ja3 hash.
Try updating to commit 4e0fd2c
Thank you, it seems to be matching Microsoft-related domains at the moment.
Log Result:
cat /proc/net/xt_ndpi/flows > /var/log/flowinfo.log
grep "R=27" /var/log/flowinfo.log
1702280395 1702280396 4 6 192.168.2.3 53293 13.107.213.55 443 553 6282 6 7 I=2,3 SN=192.168.10.1,53293 P=Azure,TLS H=edge-mobile-static.azureedge.net C=4f2d63c6a35e03e0917bcb5c7d1d6540 V=TLSv1.2 R=27
1702280388 1702280392 4 6 192.168.2.3 53274 13.107.42.16 443 2292 20893 16 19 I=2,3 SN=192.168.10.1,53274 P=Skype_Teams,TLS H=config.edge.skype.com C=c2a302941bd296cf34894fd4821cea43 V=TLSv1.2 R=27
1702280625 1702280687 4 6 192.168.2.3 53381 204.79.197.203 443 2509 18429 20 21 I=2,3 SN=192.168.10.1,53381 P=Microsoft,TLS H=api.msn.com C=28a2c9bd18a11de089ef85a160da29e4 V=TLSv1.2 R=27
1702280625 1702280647 4 6 192.168.2.3 53380 204.79.197.200 443 2394 8757 15 12 I=2,3 SN=192.168.10.1,53380 P=Microsoft,TLS H=g.bing.com S=a66ea560599a2f5c89eec8c3a0d69cee C=28a2c9bd18a11de089ef85a160da29e4 F=a5ec341fabb36971548869ba64cce29b32b665cd V=TLSv1.2 R=27
1702280620 1702280681 4 6 192.168.2.3 53361 20.199.58.43 443 2522 7287 15 10 I=2,3 SN=192.168.10.1,53361 P=Microsoft,TLS H=fd.api.iris.microsoft.com S=67bfe5d15ae567fb35fd7837f0116eec C=28a2c9bd18a11de089ef85a160da29e4 F=e3b9a18ee84960da301cb8e8fcc92bb3e64146a5 V=TLSv1.2 R=27
1702281669 1702281778 4 6 192.168.2.3 53615 192.229.221.95 80 569 909 6 4 I=2,3 SN=192.168.10.1,53615 P=OCSP,HTTP H=ocsp.digicert.com R=27
1702284055 1702284165 4 6 192.168.2.3 54052 2.16.162.136 80 33316 9600358 649 1189 I=2,3 SN=192.168.10.1,54052 P=WindowsUpdate,HTTP H=msedge.b.tlu.dl.delivery.mp.microsoft.com R=27
1702285341 1702285401 4 6 192.168.2.3 54214 165.165.47.35 80 534 443 6 4 I=2,3 SN=192.168.10.1,54214 P=WindowsUpdate,HTTP H=ctldl.windowsupdate.com R=27
1702285272 1702285441 4 6 192.168.2.3 54187 2.16.141.60 443 3818 163958 46 53 I=2,3 SN=192.168.10.1,54187 P=Microsoft,TLS H=oneclient.sfx.ms S=19e4a55cecd087d9ebf88da03db13a0f C=28a2c9bd18a11de089ef85a160da29e4 F=fa0c18fd5ab3c3988928f6a45c5927fe190e5d43 V=TLSv1.2 R=27
1702286980 1702286980 4 6 192.168.2.3 54460 165.165.47.27 80 458 398 4 3 I=2,3 SN=192.168.10.1,54460 P=WindowsUpdate,HTTP H=ctldl.windowsupdate.com R=27
1702289532 1702289638 4 6 192.168.2.3 54733 20.54.24.79 443 1877 3473 14 9 I=2,3 SN=192.168.10.1,54733 P=WindowsUpdate,TLS H=array611.prod.do.dsp.mp.microsoft.com S=a02d7ceb8c8cbb4da2e6007f5a1c91e4 C=28a2c9bd18a11de089ef85a160da29e4 F=b3a86b806c43b6e2fc49842b73e7387d0b67bd52 V=TLSv1.2 R=27
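The records above are the raw /proc/net/xt_ndpi/flows dump, and `grep "R=27"` is a substring match (it would also hit an R=270 or a list such as R=27,33 only by accident). The following parser is an added example, not code from the ndpi-netfilter project: it splits each record into positional columns and KEY=VALUE tags, filters on the exact risk id, and counts which server names carry it. The meaning of the leading positional columns (start, last-seen, IP version, L4 protocol, src/dst IP and port, then numeric counters) is assumed from the log; the last sample record is constructed so the filter has something to exclude.

```python
"""Parse xt_ndpi flow dumps and list which hosts carry a given nDPI risk id.

Added example for the /proc/net/xt_ndpi/flows output quoted above; it is not
part of the ndpi-netfilter project. The meaning of the leading positional
columns is assumed from the log (start, last-seen, IP version, L4 protocol,
src IP, src port, dst IP, dst port, then numeric counters); every token that
contains '=' is treated as a KEY=VALUE tag (P=, H=, C=, V=, R=, ...).
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Flow:
    start: int           # first timestamp column (assumed: flow start, epoch seconds)
    last: int            # second timestamp column (assumed: last packet seen)
    ip_version: int
    l4_proto: int        # 6 = TCP, 17 = UDP
    src: str
    sport: int
    dst: str
    dport: int
    counters: tuple      # numeric columns before the tags (assumed byte/packet counts)
    tags: dict = field(default_factory=dict)

    @property
    def host(self):
        """Server name from the H= tag, if the flow carried one."""
        return self.tags.get("H")

    @property
    def risks(self):
        """Risk ids from the R= tag; a comma-separated list is tolerated."""
        raw = self.tags.get("R", "")
        return frozenset(int(r) for r in raw.split(",") if r)


def parse_flow(line):
    """Parse one flow record into a Flow; raises ValueError on a malformed line."""
    fields = line.split()
    if len(fields) < 8:
        raise ValueError(f"too few columns: {line!r}")
    start, last, ipv, proto, src, sport, dst, dport = fields[:8]
    counters, tags = [], {}
    for tok in fields[8:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            tags[key] = value
        elif not tags:                  # numeric counters precede the first tag
            counters.append(int(tok))
        else:
            raise ValueError(f"unexpected token {tok!r} after tags: {line!r}")
    return Flow(int(start), int(last), int(ipv), int(proto), src, int(sport),
                dst, int(dport), tuple(counters), tags)


def parse_flows(text):
    """Parse every non-empty line of a flows dump."""
    return [parse_flow(l) for l in text.splitlines() if l.strip()]


def flows_with_risk(flows, risk_id):
    """Exact-match version of `grep R=27`: the id must be in the R= list."""
    return [f for f in flows if risk_id in f.risks]


def hosts_by_risk(flows, risk_id):
    """Count how often each server name (or dst IP) appears with risk_id."""
    return Counter(f.host or f.dst for f in flows_with_risk(flows, risk_id))


# Sample records: the first five are copied from the log above; the last one is
# constructed (documentation-range address, no R= tag) so the filter excludes it.
SAMPLE_FLOWS = """\
1702280395 1702280396 4 6 192.168.2.3 53293 13.107.213.55 443 553 6282 6 7 I=2,3 SN=192.168.10.1,53293 P=Azure,TLS H=edge-mobile-static.azureedge.net C=4f2d63c6a35e03e0917bcb5c7d1d6540 V=TLSv1.2 R=27
1702280388 1702280392 4 6 192.168.2.3 53274 13.107.42.16 443 2292 20893 16 19 I=2,3 SN=192.168.10.1,53274 P=Skype_Teams,TLS H=config.edge.skype.com C=c2a302941bd296cf34894fd4821cea43 V=TLSv1.2 R=27
1702281669 1702281778 4 6 192.168.2.3 53615 192.229.221.95 80 569 909 6 4 I=2,3 SN=192.168.10.1,53615 P=OCSP,HTTP H=ocsp.digicert.com R=27
1702285341 1702285401 4 6 192.168.2.3 54214 165.165.47.35 80 534 443 6 4 I=2,3 SN=192.168.10.1,54214 P=WindowsUpdate,HTTP H=ctldl.windowsupdate.com R=27
1702286980 1702286980 4 6 192.168.2.3 54460 165.165.47.27 80 458 398 4 3 I=2,3 SN=192.168.10.1,54460 P=WindowsUpdate,HTTP H=ctldl.windowsupdate.com R=27
1702280000 1702280001 4 6 192.168.2.3 50000 192.0.2.10 443 300 1200 5 6 I=2,3 SN=192.168.10.1,50000 P=TLS H=example.test V=TLSv1.2
"""

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(f"{len(flows)} flows, {len(flows_with_risk(flows, 27))} with R=27")
    for host, n in hosts_by_risk(flows, 27).most_common():
        print(f"{n:3d}  {host}")
```

Run against a real dump with `parse_flows(open("/var/log/flowinfo.log").read())`; the host counter makes it obvious at a glance whether a risk id is concentrated on a few server names (as with the Microsoft domains in the thread) or spread across unrelated traffic, which is the first thing to check before deciding whether the flag is a detection or a bug.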
I repeated the experiment and found RISK=27 even though it is not configured :(
No more R=27 in flowinfo log on latest commit.