ntop / nDPI

Open Source Deep Packet Inspection Software Toolkit
http://www.ntop.org
GNU Lesser General Public License v3.0

HTTPS detects as TOR #154

Closed zar1n closed 8 years ago

zar1n commented 8 years ago

Hello,

Link to flow dump file: https://www.dropbox.com/s/aaz4cqse2cw2qs5/static1.e621.net.pcap?dl=0
URL: https://static1.e621.net/data/d1/00/d100146df07c78366c10ae89787dcbc8.jpg (nsfw)

Detected protocols:
    Tor                  packets: 195           bytes: 11893         flows: 1            

Protocol statistics:
    Dangerous                    11893 bytes

    1   TCP 109.110.59.7:25225 <-> 104.25.119.23:443 [proto: 163/Tor][195 pkts/11893 bytes][SSL client: static1.e621.net]

And several URLs without flow dump files: https://casino.bwin.com https://ru.partypoker.com/

Used nDPI version 1.7.0 from SourceForge.

Thank you.

kYroL01 commented 8 years ago

Investigating this issue. Thanks for reporting.

kYroL01 commented 8 years ago

I also checked other Tor pcaps, and better detection is definitely needed.

afiaux commented 8 years ago

Hi,

The first thing you could do is revert commit 392a14241fa68512099ea6096a640275461af7d0.

Tor certificates' common names DO start with "www.", so currently no Tor traffic is detected as such; you only get false positives.
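
To make the point above concrete, here is an added illustration (not nDPI's code and not from any commenter) of a certificate-Common-Name heuristic in the spirit of the one being discussed. Everything beyond "the CN starts with www." is an assumption chosen for this example: the name is further required to end in ".com" or ".net", to have a single middle label of 8 to 20 lowercase alphanumerics, and to be vowel-poor, since random labels rarely look like brand names. The "www." prefix test is the gate that must stay in place: the CN from the report (static1.e621.net) has no such prefix and must never be flagged, while the constructed Tor-style name www.k7rq2xzb9tjm.com is.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical heuristic for this example, NOT nDPI's implementation.
 * A Common Name is called "Tor-like" only when ALL of these hold:
 *   - it starts with "www."                 (the property afiaux describes)
 *   - it ends with ".com" or ".net"         (assumption)
 *   - the single middle label is 8..20 lowercase alphanumerics (assumption)
 *   - fewer than a quarter of those characters are vowels (assumption:
 *     random labels are vowel-poor, real brand names usually are not)
 * Returns 1 for Tor-like, 0 otherwise.
 */
int is_tor_like_cn(const char *cn)
{
    size_t len = strlen(cn);

    /* Gate: "www." + at least 8 middle chars + 4-char suffix. */
    if (len < 4 + 8 + 4 || strncmp(cn, "www.", 4) != 0)
        return 0;

    const char *suffix = cn + len - 4;
    if (strcmp(suffix, ".com") != 0 && strcmp(suffix, ".net") != 0)
        return 0;

    const char *mid = cn + 4;
    size_t midlen = (size_t)(suffix - mid);
    if (midlen < 8 || midlen > 20)
        return 0;

    size_t vowels = 0;
    for (size_t i = 0; i < midlen; i++) {
        unsigned char c = (unsigned char)mid[i];
        /* A '.' here would mean a second label, e.g. www.cdn.example.com */
        if (!(islower(c) || isdigit(c)))
            return 0;
        if (strchr("aeiou", c) != NULL)
            vowels++;
    }
    /* vowel ratio strictly below 0.25 */
    return (vowels * 4) < midlen;
}

int main(void)
{
    /* Constructed sample CNs: the first two come from the issue report,
     * the rest are made up for this example. */
    const char *samples[] = {
        "static1.e621.net",      /* reported false positive: must be 0 */
        "casino.bwin.com",       /* reported false positive: must be 0 */
        "www.bwin.com",          /* short brand label: 0 */
        "www.facebook.com",      /* 8 chars but vowel-rich: 0 */
        "www.k7rq2xzb9tjm.com",  /* constructed Tor-style name: 1 */
        "www.k7rq2xzb9tjm.org",  /* wrong suffix: 0 */
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-24s -> %s\n", samples[i],
               is_tor_like_cn(samples[i]) ? "Tor-like" : "not Tor");
    return 0;
}
```

The thresholds are deliberately conservative: a detector like this should lean toward missing a Tor flow rather than labelling ordinary CDN or gaming-site traffic "Dangerous", which is exactly the outcome the report shows once the prefix check was lost.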

kYroL01 commented 8 years ago

@afiaux I'll check further. Thanks for the suggestion.