From af808a87147c49153ac9c9685189d87160754ef2 Mon Sep 17 00:00:00 2001
From: Toni Uhlig <matzeton@googlemail.com>
Date: Fri, 9 Feb 2024 07:47:22 +0100
Subject: [PATCH] Add PE32/PE32+ risk detection (detect transmitted windows
 executables).

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
---
 src/lib/ndpi_main.c                           |  42 ++++++++++++++++++
 .../default/pcap/portable_executable.pcap     | Bin 0 -> 25564 bytes
 .../result/portable_executable.pcap.out       |  37 +++++++++++++++
 3 files changed, 79 insertions(+)
 create mode 100644 tests/cfgs/default/pcap/portable_executable.pcap
 create mode 100644 tests/cfgs/default/result/portable_executable.pcap.out

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 7e277d12195..1ebc851e123 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -8160,6 +8160,44 @@ static int ndpi_is_ntop_protocol(ndpi_protocol *ret) {
 
 /* ********************************************************************************* */
 
+/* PE32/PE32+ format specs: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format */
+static void ndpi_search_portable_executable(struct ndpi_detection_module_struct *ndpi_struct,
+                                            struct ndpi_flow_struct *flow)
+{
+  struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
+  static const uint16_t dos_signature = 0x4d5a; /* MZ */
+  static const uint32_t pe_signature = 0x50450000; /* PE */
+
+  NDPI_LOG_DBG(ndpi_struct, "search Portable Executable (PE) file\n");
+
+  if (flow->packet_counter > 5)
+  {
+    return;
+  }
+
+  if (packet->payload_packet_len < 0x3C /* offset to PE header */ + 4)
+  {
+    return;
+  }
+
+  if (ntohs(get_u_int16_t(packet->payload, 0)) != dos_signature)
+  {
+    return;
+  }
+
+  uint32_t const pe_offset = le32toh(get_u_int32_t(packet->payload, 0x3C));
+  if (packet->payload_packet_len <= pe_offset + 4 ||
+      be32toh(get_u_int32_t(packet->payload, pe_offset)) != pe_signature)
+  {
+    return;
+  }
+
+  NDPI_LOG_INFO(ndpi_struct, "found Portable Executable (PE) file\n");
+  ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, "Portable Executable (PE32/PE32+) found");
+}
+
+/* ********************************************************************************* */
+
 static int ndpi_check_protocol_port_mismatch_exceptions(default_ports_tree_node_t *expected_proto,
 							ndpi_protocol *returned_proto) {
   /*
@@ -8553,6 +8591,10 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio
    flow->first_pkt_fully_encrypted = fully_enc_heuristic(ndpi_str, flow);
   }
 
+  if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) {
+    ndpi_search_portable_executable(ndpi_str, flow);
+  }
+
   return(ret);
 }
 
diff --git a/tests/cfgs/default/pcap/portable_executable.pcap b/tests/cfgs/default/pcap/portable_executable.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..5f13f87fb6a773e72354094d60f2ff4ca085934d
GIT binary patch
literal 25564
zcmeHOe|%Kcm4BH`k|9i(0VX;?ibIVx0zzOQCX(9W$4g>0IAP2@(vU>N;P6z4;XR_Z
zLD(Va>+87vv}#?eU4PUqTl`sFi@!%<2`E~sR->@pw1T~HvUSuLr#AKN_uMy=OhU|O
z|Jpxv=0kYz{yO)ZbI<+WbI*M@zn~z$R}h5S%6T)h@HCRYEMb#Swdv|s&xZEa^-Aj%
zp3ATIT+`Zq<)+P7p6|)0l11lxl-8}v)`c53Ub%JQ6|EcBt5+)v+cvCkTiCXxU0Hwm
z)vYb9*R^g?`Rf8IFdHsD-?LD;2DMrjCv(wnwqO@7-n3c0&QrEv(E{&zR-r<uMSrc-
ztVG(>-nuokzWu6mJWCdM7nFKRw()2ChSGBvc^8$Pd*#NB8#XR2FJ0^{U0-$%=+Uni
ze<YJD`4j{zf6qnw3jERUp@(vWr!03*UV(S|^SxF)yK%QrwBk4GH`@eJ5SDEC#3$^?
zefP+N&JBls?_E`$dtmCi-_Ct8Os#iVK98SWD+m^A&J$VL*|w}KtHq=}wvYdubl-3v
zCUvtXvk&wul;++NCHmCQ)OEQBLNjvjMnAiDOlx<p@KPUEM)c87-bf$ohz<Nmjz8w#
zH@On;^mmFJB^w5~9B+@2V;B1Qh2Lq-iq{Yw-_*{hi6-%%PTM+r&*bxwM}MdAKmP`i
z_;-cJ@c#?q-|rSqKD0*=Rz3>VaGFHhmqUb1zKcM6Hq!JrmUfQwhAN`%_{A97_i@@z
z;pACcV7=dCM67X*Sg)Pjx&JMUr18ei{bz2n2->oMZ1o#QseIgD0=ZMpczTNP#H3f}
z?900N)j5}jHf{B^wQsqyef>3_4eK{=-lBLeZ}qgRn?0L0dsbZ%@LaRyiq-{~ImJne
z&xm{KjpBp3slTVxvvZFj{ggT*m+|Mfa(}?fyK}#d=is{f+`satnEM5uA8(tHe10qU
zJ)WMKOuPAW&87_@qCHjszbFV7XIX`^hX<QeWxaxB&g3k+APmCxKQMC(EAZ~byOYKM
zZ}g7W<RD;PB!A9qnk2&3;%q858&O?qz@O$LE?I<n<kqaU2u~!Nj{AsP1pn#dmW;}b
z2P}dwJqLUaa8}bZN8T4Gt=B0?Ui@iNE|PUv2(z9?5H4HLe#Lray&(L0E%HeA@8S75
z>ZbjCFvbODHQ|a56ttlpGKEV=Gk~n<g7(&{w`>qhnIN0sM!j24skZ{Tncx4T2I}?x
zpsv~^uTgP<a=L!d&j<snH+BCKkB01n;c`KZwKO;FKeghfFRv)QK+PqlzAp%RyrFAQ
z&5><uV`Y+|+JY>B+<WhN*y0Qyuy;k3$=aj$pthOwZ}ci?yYIsP-l(>eswKM*1a+Q#
z=EtyCFdUnyi#DUoC}p4ZgVzR-nxcQ9KS@o|<DX-tIw#X*C^ij-i77i4KNn1lpVb^c
z?;eexlYf}P&yJe~;U?-WmUBPxnd~mA<ZAowL3WVcb`p$vkF_-G`x~3~$7afcvGkXy
z$sVsra-8R9({I6hGQXYjyQ1n_r0;OQQ_?%_5i#x$WdTy8ZgGfaAj_I72wZoLuHPUH
z#i)rO3j%?HdJnrDPbj^i>zKL}dRQT`&1ZpXMaz6;n!Gq<1wQ%N>a#hC*j7J=L|)AP
zGLOb9fr_yvDZprKNu%nDu0f?h3NnHLp0Ox=<9tD#C)-&31g0~MsOAn$oh~@FHY;2G
zBO>d<P|WnR50GexP340gU=gsci9_K7&gMp49BR=|HtqLD=^sQjR6F~)1VjFMgI;T!
z_mbkOQEXv0NwL?cITdx6s*}9Yru`LlHsxb))W@wc-0up4w4FVTb`9Rc`rpEdETtfv
zn5@`f7~!Zjmdl@h^s0Xp5&N~;gukvX*4$;No4|qYs{x<W&w}6PSQc0FKRXB+oyuzO
zAnHObc6KdMZumCAxjKU~*}0TMHjDPM)UvFtrhT?9CL*={byYqY@+Ek~`%w*oqT)~W
zZj3%eP0k-a6>`_cIs<yM6C-4mb7OYB%B6`mXgfzPSQ}d}>D%4l(JB|jX535Wf|BX%
z_ho``e=?OLgG71I&n)FwuT@*X=&%~+F_?uAOj^=M=Mf7Yu#gvIujyc0V!7{;rlKv4
z%}p;^1-T@2*`=_>d$H7Yizmpkpf62)Qy1-;*b{CY61>NB)ulD{hW~DHgnvpEesK4j
zU4~=VPF~rm*LW&wij=%Mqp-$laRw!};S0myc5-=;&4G<IXyS4GP`FP}W?hI8?VF@b
zzfi5xt1pF2&Y+<>4apx{q*p_F<;+N}t&Zm%O(H|M^Ms(}V8mk<fPr`-W;dHyLDtr=
zvTr@cE+QWChb$PPAnW@UH)>c=SJbhp_NXo%C!5HDO{i154l4zmI{Qy^`h;tTjMx+q
z-><haN<h}|b{IDl_Te|dx-OnzFZ2llA3N`$RI$|AW^pR#yg(1V8+r%!yunbDOu}8Y
z=^&wAWCs-!ZvGLf26CF&+1;^^xeag(i=9TT%h+wH){bG^dfyvGBmH3PZ>TOi<t%nB
z2B-n^!med;8=0~e<)W>d`xP`VP;qB}DNvEdjL^U?g&xU*M!Lm*8(3nEP)z7ISr(2D
zKSM%KgdU@$*2&mSRQOw-665T8O6@aK33e4y;R7Z5q4Dw4H!*(JaQwV$G=4hUQ~2px
z4WKr(+5x@Ornq#GY1ONk4HlhUy-Keg(5h>~opC{(q*q&Y-x5uXhdUFgWI3i<*WqMY
zr6vw^9dqpZ2sSKdho0SGaR%6Tp*7QtT(UKEfajH^@>Izi4dp{){*7AK(Z9orx?acs
ze)c2O(8ahW!gvyVE)0aoKf;8F@QMLHW4-7`Fp~g4sWN<^7#P#HnYzyj9pzoU0>cSC
zN`t_b0#!p#&?_bbJDXDfVWt?HL8&LrR6m<csmI}#qUI3$KBb;A%TBNli%A}c+WY)B
zF{rS(Nq%-QdTGdx2Vo`m!<6(mcn<;KVFlW5;+v${ZRIZm+HM<O*p+CbH!*_gW6G@1
z4zk(Zc9cN0i%=F|W&cfGIrXM~)Nso_6zA~b`Mmh_RPj)%_(x`O0WVJcG1>Y!r;nLQ
z^m93Z7?=#Ow~{r)6Odw>?DC@=BKg@ZoU&aPdr{y(wufg|p;beJECBDNO0Jq)O$y=G
zenGEw(sI(QW$9vnV-jk^{q_K$!tOoB4$mgNXljDo5Swgk?7I*gN$g*jBEQq7Us5yg
zP@OqB*pEHPyU_}>(K-j1`wVK?HR#xthZaW1d~;GU0kw>dCFTrb>v*c%oIz|gPgR;T
zi1~<KUid(1O^q@s%&d;Cdj#ZEm(r3{;{qg2t4kWmUh0gNM>{~(EZ`=?ev(#DY!-0q
zVb`Y>l$ZtFkl1Bu1$Gp;WLKSORczXvWG_zLHy=87ZLDxZ(WaHLv(XR?1Vc|}2|hzj
zuvbWTH?BfnMdyH{>jQv0vT4C#Q;K<A?%E`k4%`LyIQ8XL-M?ztORB9q7kU$7xmukq
z{4D{lnrg3OQL~{pT9NCxji3(bmEN-EOIz+9r)3}r7s-Zos>8Z$TaB8%GFHn+iI(r@
zAZ!Dz6vnpsezyN4r66;GzHQaA4y!U97#cf4Z<ENdd<_k;Y*~VDLTeHHveM&d5C9>G
z+0CBy{VmP#<G^rTFd`1oQV(6QKYVT&dYsISQoU!AV%++{)Uwa*WPJQwGckT%$no>%
zqw%xwdnx?%!qFo+x6z>1+TdKOc5S&G`mfWL+t?#uL>J*?yTTs$(k9=uLV$IyHR4}l
zTZntr$rD;GyWV6!e1V|m!ydJ2n>QNE#wt1N#$axdtnAP%g2e&y5;3is``}{;G#G&E
zaCxqhBj-2At`2a+qv|<)H1tcXdXINdU(Tn15B|Tp5HPV&b}|1kqK9cpevqv>hCCqB
z8_3mb`Mdy>Ew{(qsGj#c&7)X>pS|}k1_|Zbwf06s9e}6$D*A!Jwu}sb=_bwqyE>>F
zCiSv_-el8P602&F?kf#nXBU*|vdd_*bCxA`0gN9gD0v41LDpeXZ6vZ>li~hV0dJJA
zwLqkP9g9T|W;F!BLZyj}{rgPx*F#=7*UoBya_A?tuCjxeW}(~6CAOFCqts8$)N%G}
zO5K{m{CSjm)m#sbu>F*})2#U>+d-+Hn>7d6uaF8KD95@*eyUtz6dr;@<~Isg;o%*G
zMX&NkBc0K`d-q1fs6TWZixk|0XS1NkZt)P96O6)2)J4sy!63~0SwBX(-zfAUlfS&l
zUwVU~8?03M0FrtF>MSq{kI;L(PX;w?CL<#A)278x-wYb3=~ci}c!~s3u1NjRnn-<O
z4IKAgzwvw6X3Rk|DFVltJ^LB?jvR5j&H$+(mbIW!cpSu`TrhUKY@r-=NP=KV`Fc<a
zZ*Nxzpb0KSws<029LN?EvM(f*Vokx|7e+aI1mty8tA0SQO~AIZUzUY6hI%ynwV<Tc
z*o?xXNm}zbtpS=)iR^>u53Bre;S^ptM1>~|^@!1CODp^c2notm$P6{E`)pt+z4cKJ
zp+jt54^#z450aLTOMn?0dn=#Dun2;FbEF80GD}}T?2?x{x^xin4w7@E6rdOO$G1_`
z8pqCLP??J9Q9$H^Y(F<(JNCbMV3CGT=W5J@_RJKGwnZ!TM!N=Ent{e6%cqmOk=|pN
zP`wC4nG=Vvp6|d^lFQ{kituXsk#JW&q*T(6Ot3#uD(OcKus4u`Wne>s*#QNi-zi$v
zD%QRL-X3O6RSkv&1~L`aqSY*6-$TB>+Nv%0!4X70yoc2OeI5FzAH{74fS;9kr@wLH
zwx9Ya{`}Udaod?IC~kZFmqf=m_5A{(i7rOPRxREMW2@ig*nH<`Y@WFyh0S+FAOOiy
zuGhv%0G_C1OSxdfE{DX<nZYX>ZKgjVF?TA%bSWg3m&!1`3W*K60kpvY``I_hA}Z6D
z;E)&Y7NP9}Ks&zL<?W+zNz?v-6q+Sic-iMDLmh+)o;nSkCxDi)k(z)ku*G&{^q}D}
zr94!Ytp76V2eg$|_F@4hRA@1>C3Y>Cz%mE0p2mX!tb%i6#~Nx|+hVSgL0%VKc?Vfn
zk|7g)r(*AVa5AwdW3_E?tompKS6x`sNrWOWN6VGo(`_xLPAT&Oknsa#*@kJutgCs?
zlZ>$~Mu&_2;`?wn0fC_<aDS<Vhj2I!2!i{!N@B|)19<_(dNs{7ccgZxj^IrlFgo0*
zFB#Z;x?^s6adWKDT;!=xVgqPMKo+N7R-+eE(ma4eXa;x-u*)z_fEQfk09%8UISW4m
z$Jij~aauaYPOu;=D<q9;O<0-uO0l+&BF+*g8f2G%c}@{)%m7=C6oiknjZ;nGU4Y+w
zE_@$NOD_Kn#Kr)7@=c;kBWbQb_n};3D>1$#{W;-8wqlhR$KKbgOOSS%Y8XHu!42(m
z6`V#Ym~N_IARsYUN&!%$RG|(jYve46<rBq*T~Xy+*&?waKBiDg06BRy2A)_>awrn)
z9w-GW^bW>O_eQZi3<do7-zKrnDO6Bo>h|O7P2J`N*i&!dRd0gFnbPv-P!}LCspWp8
zOfBnB4YUmZEa{9Ujp*&^Sl>+Z(LshR@$ax)y(hrtAS_R&A5GcMY?S-iwLoF0%}~A>
z;Jrv}H+nJWh=a$n*lgaJJvpS@9Y{CzJJErkz2q1}eljONjgwDVJ9l5<gq5bT*(0&F
zoWc%JAj`Ew;dw7`6JKL&bFpWxquAngoDjxQT@>D4Dk$?pReWL=p>0EhKUB?AQ_PgH
z%`F9uU?~<{J%K5@xP=Ja3_|4LVgxP%$e<^RRwX^$qylfpJUe9;?!!R(SuaM7&_fu;
zX2NLt5jM}97(XxK`1voR@$-ziDg3nFF9<-T)X-FtY0m<?66={n@{!!L^lH9`;kG+6
zc`-#v!e(mnMF%RA_1Fa)=4d+(G);SX9D3ni`iRBUB_$rh<T^#-*<9kPq{L%6+lg-A
zFs5_1WO!DM&lw$<aL#HtdfWg5Fgcqs4rg^HB3{lpOF-#qh`0+d$;E?t>2Wp>j0SJU
za(pMID_M^VPC+$|_VI1#5q4c1WVd2lO)xM+uPVl48Z-n80f8V*eRx|5$CJRtAbS86
zsqK?!3-ciJr+uM{PLQPdRw}lM#_T1`C^<`yb9REv3Yp;DU}M5op#k5E6!E=?=|b=9
z-vL_*NOF$%^+@NgMuhn4cgVR7pX}A@_rX`y>Yv3M)9Q!z?q#=NUjn|!)!PeiHQedO
ze!oZ)_vxaCcAc6SJt!W6FT0}%MAhjCeeL-ti?drC_!Q|rpdq!fIJ#a3yoOuv5+a@V
zpf7I}74HdKoS*D{{#LX8DpZJc9!WZo4}=5{6db=zxaxri9@zK*x`Izi9wmU7xcMQf
z%SDmeyXxS|6~>b;q=H;S-NSDB9nBG_-LY%EnHBmmSdrLG0Bop`JjFdwYaDG;?q@ks
z6y#|U@rYj+_k^Q=&4xFfR^fD1z=HG|1~GJE7u@qg+f?F*5kH@Ue5fC}@bXS@HW5s5
z?0OH`AZleRULlUO&LPaM$)@Yx2PUy-?(j=&E=pk$e}My<R6scD@+0(;l9@s_hvAgT
z0xg>nSC&7h)yGrJD-WX&S47+gTptlhxkDFS72=Q73k~&VSqK@~XJ7*{Kn^LwD~cDy
zhmZ({6Ncg;`??8(O#vU$P8@!A(5QzHYQFbaEZ6j1O>Y0`W#U%7H#S|)HwqJ=k=%=P
z4(UBu`4&|)*_8Q+hoYCWWJ~CFzW<s6GbOtWu!n#LK!MOv_|`_D6-uPuH==ibYNgE4
zI}>0|Kmi`)GfS){RjQuUJBO(L*>k`xP8HJJY>Wg#2u5KqngmSFT5txGoGf*i&)&hH
zY&Fy(1g6Hv&vPfn&x<*J-Z2_Ki>IaV(|d^Q&mE#uXGGcApU$UIhpgtnmxnuDm<wcz
zSm3+G1T0Fxm=&Q7Ro{suxlB0e7}jX)LdaX8+LVPAs$H22$+<ph;=8a?;R&4v*<+aX
zqjieS2Wb$a3-n0t71Oi@&C<xFHteYyvA^)Jwi}!ULr(mUbD6Gw?0n!l-uD)tJl$Ok
zX&1^O{0$0Epd(ns$ext!KKvZD%TcF?pNr$gqUOsvW~Z^Y1Csu2hVGxC-J<LZ$ZKG9
zZ(}DviptMH1%)9B9a1^p_`>AOjc=?)UK4WeB<mSsyN_W0or8Lz5OO584Qa%bBL7Nx
zbGEu^46^BnWhIWOoB>H&=``x8w-Kg(rC;PmaGTDC{s%Khv+3XH2a6%W$9o4@zXAQ_
zC)1MgMoS|cieckIWWyfx4r<sZ>t9e@oDi@=bvkzS<0Zg;-8~#=$*t;pA9*xzU%su!
z0*~e{<s!t<NlS+6Vvqg-Ht!qWU60k*ZZyFZgNtF-!z*+%yir!(N`eb)Eww?{M7Uzg
zb7<uZjO>_|2car#=k+Eyi|{vtaD?s5`47W@9#P+eMbj>4K>!pn<8PEte!Z=)4f}Li
zN}rbL4!9)y*h-)W$7ZE55R`r1V{me7$Zf{yA@>U>-}@j=-+cGe|5_f6S&Ln(c4{qF
zcH0&Vg(uSC)~c~zVN=m8^!`GDj=-M7@+7ebv7ZDh@JG8_Ob^kVAnZnpAJFmapfWey
z=@cSW?(QlpYy+El85ZR9bH-x%vPXuK_1ibNsiz!9sE0=xE5@aQo=2$s<1qF_Nh;Tl
zPvsNLh9oZ~BfMmTitNG6CtiL_RIr5O>~jnaiuFnCUR0)#-CVtzT!}NihoO|Zx;i=A
z=qNF_5=96mD&N3q*PQ^RhS+qy+Jl<*wEY%5;QQe^lE)@*ChfJMCdMFn@{a-0v4sU5
zV5PT(x7!3|lCjOkzDxAN8^_1b?@WxJwH!ZxHX1)mK2PDN?^OXFW4IGRLFn7gR%3u0
zv?^ONUJZtPHqH_8=CcmJ;*hS!Ih^u2&lK(RMEhqwvy!LQy!uE5s%{^tZoY>5i-IA0
zm&FOkX&+W5bA)K)yf&r~Gs`jf4FJ14rqQZD1O%5Y$nO>zZIf}9i`_7srGBQO;;!h^
zv<(A}JVje#cr6a`Wgrinsfc(&w)jI!p}-)H;aCy26nt8#1#mYIk-7%{E`}imEttiK
zGs7&<S!B5zonBkwuQTe3Vdz|lu@$mTt$-L5DA>bMHzMrd6XZwaFByI%#khx4zSJu|
z3z$)(o@=O{)LO-71D$KdfH0$Tujk}l$<TMWA3IyGAxZ2COwDwit^<aUNI~`%Ja|Me
zpP{cU{Fv7LDTOGG&|Mf1WPQfNaQ4QEPM2~TA>2Cjf<uOZNaq07(d?yy6FV*FZV}%u
z!-SK#JktLOn0m5*MAX*y?Zjw-1@P|-vcMP?Hl?xfsL6t2vOt}j2Ou;fGC}qiWYdyQ
z;fNr6hgT{BpGCxH5qkpD`cyvcOv47APqkC{tQ^DV<LP|vwT)KQi{RUYWJl<L$>$Lc
zfqa1ed1!>s?|?J1R|Gtfi#7<{lix8mVt_3!`hXWgRabKYrf6Sqy3UGD4@u@>?*jJ5
zlk5=$BgU8Pa*SEJ1#BHw|C?Yg-2y(~EYM2h2=$m^eG0XJEOE7u&Wz3Y3=5fDLE&y<
z%gt7P30v+jW$P6T(U%&=`C~Zqr*YPAa@IJ)+3YmVUPCq+2JL}^Y&PdJ%`o8Gq++Y-
z`}ewu@pCoD&)Y}i=ed7Q;pfj_ELhXV8<sY1(IXS%-aY&i7ks=`Ypbv+dAhF>>&d5l
z^7FEoZJB6OCYkvI^wp5hM1}%t2|Pi3b&|HcT<7WVW#xiaQ+Yp?nbm4-dR@7`yt3<c
zB}ZFPiLbSIyE@9q)t8rRE6S4<o%Bh;Q?!nIUyo($^*D*PX?|x4qs>n%^iCH-)7igU
zw%WFBwf@e|_Y8QyJNMJq7}@X8;uKKwvDh8P3ephEVUd^cgg~<^a<QbAF%fB;hBnA9
z?5fz!@D5>2u`{(?t=XpMW>;CU8^pT%A*y9<r=w_HB=fUq<*CpN7C{$%7>1)uM|Foa
zXq<-@?0GbxqqhV0WpQPi?wEJbAF(d-*Rcnv!vpqnI;<&5rKu14WH<Zki`?emjZBf@
z`on=&&H5>iBis)smD@NVlFfz{`dJnE4NWdk#qz@=QxLE)<RLR;U56krBzAON1Pcg;
zmhjvy$i?273e?F6hEq9t^`RPG?B|WVhf%6lthOm_9LCV2hU5Kr*sox;aMdV$F;`;e
z6VG(CrhG$^;n1$crZplu{ZPsfe7ILkFAxJr`!npnu%{{Gp^G3KJ2!lH_{6^=Fk}0o
z;I)su`_MYh$DwYMd9}Kt%C4;7-`)}GknCmV^a6|1arR<uFTlqYMyXMFE0$sUKndOX
z)B3X0>DKa48>icrqMN5z(FVmG+QswNrt)XvBQOl}bPyo6O@1jDqvO-Qsl;Y8Jjv7!
zQj(XjCCD`0SHHYOhSOB}G9PFen=JASFqm4k+k6jS=@G(L7ITM2t1eO~)M<WG$hKn;
zFp%hblEj{YCK|j(%4fxz#UqsP^W1<;@1Q)np(>onkB9@wPZANiXJveyC8@p(CqKy6
zjrgV&gr)RxmLKCXh1a8i>nv>Rv6g0=UDFqZ%2chRRNGz}n}m=!XJT;JT@OOo>K7m^
z|B}?wyr0AkvRZhi;f;{%fIYmiSb)8zJVY3CXL!3uP~670Vr<v8d6);4>Dm1}N$U)6
zFA<a~$=FuHb|3~2n;ZU)0MzcVqV{?06Br{NKR4@2>?e4ks`aSaz*VmPj?!g_jW)E%
zBlt<@Nc5xl=SkovolDW*IA>FX{A}tEr=CqMewogu4j_uP`$Ox-f&|fo^^dxD(KWNz
zu>yJYhwuImuU~oUorr(FF^SFj!qOK9`i7P~TJ3!3hdb7^JFh<Yf4LJ8nbqq!g@5$K
z?_HE!@;34R;p5;xpZa-mKv+uj(a&RkXO?v~;>p^7;X4u`#XmjiN4n{~@1z3(iPW8l
zbp9>E{J{@tZMoyNG5kM9^yyAS&-W*~6XAUDq$BN4#3<T1&cQg*{^_G*X#WSNjXM#3
zs5EmYB6BAKJEc)SkC3?&F-jp{;Y2dd@HM>?an{86`4Pv@M@Hjk#oa0Vyst5HCxTqf
z%$<nLoruhxh_B0?h;-lfD&Xe?esd4^n}2hv-+VzA`OPj7TMZ-T)Yhf^=Jc4%yAMz3
z+kVWk`Qg#nd_h+Vo4+$BbKfF!-y(D0g1(t%nfn&Wn;KuI`xYNejGv!y{CsFMey+SG
zg`Z9M>VV>anfn%*`xcq|78K;o+_(7Z-?vEjKR=roKL<E|J~$dbYwA<@x&Jc6@H2NJ
zl2;ircOo)(BJlBO=1zp4eQoYUOnPL({rjgJKlhHt&)RRN@N?m|%$<ng`#tmxH96y%
zI}w>X5p=&Hb0@<2)xQ&Q+Qj&YZz^!M|Lf8Cx#p}Cem3JfANme1b0-3ax0yQ;nL825
zTQ?&gm1XWk*w|P3PDItj`1u*f&wn3{pHe{zKd-tcb0;EmCn9qvBK;Hn%$*2+E9NVF
zCnEi9|8n5x1ZVs2@U#8LPCeVNsi(93d{q#hJn|xQd&fK5C)yKyx0>MCyk|5vH-4JJ
z=9hM7?pxqv?96?O%zcZ@eT%Q<eT!Qr#^!f9Ha~hQHaC7s*gW_q_QXO&DPBd`{J;Ku
Btj_=d

literal 0
HcmV?d00001

diff --git a/tests/cfgs/default/result/portable_executable.pcap.out b/tests/cfgs/default/result/portable_executable.pcap.out
new file mode 100644
index 00000000000..223f463099a
--- /dev/null
+++ b/tests/cfgs/default/result/portable_executable.pcap.out
@@ -0,0 +1,37 @@
+Guessed flow protos:	1
+
+DPI Packets (TCP):	30	(15.00 pkts/flow)
+Confidence Unknown          : 1 (flows)
+Confidence Match by port    : 1 (flows)
+Num dissector calls: 504 (252.00 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/6/0 (insert/search/found)
+LRU cache zoom:       0/0/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/0/0 (insert/search/found)
+LRU cache mining:     0/2/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache stun_zoom:  0/0/0 (insert/search/found)
+Automa host:          0/0 (search/found)
+Automa domain:        0/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     0/0 (search/found)
+Automa common alpns:  0/0 (search/found)
+Patricia risk mask:   2/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia risk IPv6:   0/0 (search/found)
+Patricia protocols:   4/0 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+Unknown	15	12160	1
+DNS	15	12154	1
+
+Acceptable                      15 12154         1            
+Unrated                         15 12160         1            
+
+	1	TCP 64.227.107.71:53 <-> 172.16.99.10:49652 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 15][cat: Network/14][11 pkts/11914 bytes <-> 4 pkts/240 bytes][Goodput ratio: 95/0][0.37 sec][::][bytes ratio: 0.961 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 40/182 362/364 114/182][Pkt Len c2s/s2c min/avg/max/stddev: 58/60 1083/60 1310/60 481/0][Risk: ** Binary App Transfer **** Malformed Packet **][Risk Score: 160][Risk Info: Invalid DNS Header / Portable Executable (PE32/PE32+) found][PLAIN TEXT (This program cannot be run in D)][Plen Bins: 10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,90,0,0,0,0,0,0,0,0]
+
+
+Undetected flows:
+	1	TCP 172.16.99.201:1732 <-> 64.227.107.71:4444 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 15][4 pkts/246 bytes <-> 11 pkts/11914 bytes][Goodput ratio: 0/95][0.73 sec][bytes ratio: -0.960 (Download)][IAT c2s/s2c min/avg/max/stddev: 329/0 364/45 398/398 34/125][Pkt Len c2s/s2c min/avg/max/stddev: 60/58 62/1083 66/1310 3/481][Risk: ** Binary App Transfer **][Risk Score: 150][Risk Info: Portable Executable (PE32/PE32+) found][PLAIN TEXT (This program cannot be run in D)][Plen Bins: 10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,90,0,0,0,0,0,0,0,0]