authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2024-04-25 11:23:05 +0200
committerGitHub <noreply@github.com>2024-04-25 11:23:05 +0200
commitd5bda47efea4613ee572655a412e28cd40695dab (patch)
treeac68eb85d3044cfb3689461de88a9e3edb485df3
parent7040847eed6b73a5d77bd2effdc2c0c5773e62d1 (diff)
DTLS: add support for Alert message type (similar to TLS) (#2406)
-rw-r--r--src/lib/protocols/tls.c13
-rw-r--r--tests/cfgs/default/pcap/dtls.pcapbin450 -> 1712 bytes
-rw-r--r--tests/cfgs/default/result/dtls.pcap.out22
3 files changed, 24 insertions, 11 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 54061d10c..f442a8abe 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1194,7 +1194,7 @@ int is_dtls(const u_int8_t *buf, u_int32_t buf_len, u_int32_t *block_len) {
if(buf_len <= 13)
return 0;
- if((buf[0] != 0x16 && buf[0] != 0x14 && buf[0] != 0x17) || /* Handshake, change-cipher-spec, Application-Data */
+ if((buf[0] != 0x16 && buf[0] != 0x14 && buf[0] != 0x17 && buf[0] != 0x15) || /* Handshake, change-cipher-spec, Application-Data, Alert */
!((buf[1] == 0xfe && buf[2] == 0xff) || /* Versions */
(buf[1] == 0xfe && buf[2] == 0xfd) ||
(buf[1] == 0x01 && buf[2] == 0x00))) {
@@ -1334,6 +1334,17 @@ static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct,
processed += block_len + 13;
flow->tls_quic.certificate_processed = 1; /* Fake, to avoid extra dissection */
break;
+ } else if(block[0] == 0x15 /* Alert */) {
+#ifdef DEBUG_TLS
+ printf("[TLS] TLS Alert\n");
+#endif
+
+ if(block_len == 2) {
+ u_int8_t alert_level = block[13];
+
+ if(alert_level == 2 /* Warning (1), Fatal (2) */)
+ ndpi_set_risk(flow, NDPI_TLS_FATAL_ALERT, "Found fatal TLS alert");
+ }
} else {
#ifdef DEBUG_TLS
printf("[TLS] Appllication Data\n");
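Review bot: The read of `block[13]` in the new Alert branch is only in bounds if the caller has already verified that `block_len` bytes follow the 13-byte DTLS record header; that check is not visible in this hunk, so it should be confirmed rather than assumed, since `block[0] == 0x15` and a short trailing record are fully under the peer's control. The `block_len == 2` guard also silently restricts the risk to plaintext alerts (level + description), because an alert sent after ChangeCipherSpec carries a MAC/tag and is longer, and that intent deserves a comment such as `/* Only plaintext alerts (level + description); encrypted alerts are longer and are not inspected */` above the `if`. The level/description byte values are record-layer constants, so naming them, e.g. `enum { DTLS_ALERT_LEVEL_FATAL = 2 };`, would read better than the inline `2 /* Warning (1), Fatal (2) */` in the same style the file uses for record types. The enclosing `ndpi_search_tls_udp` starts and ends outside the hunk.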
diff --git a/tests/cfgs/default/pcap/dtls.pcap b/tests/cfgs/default/pcap/dtls.pcap
index 2c2def228..a1b5f39d2 100644
--- a/tests/cfgs/default/pcap/dtls.pcap
+++ b/tests/cfgs/default/pcap/dtls.pcap
Binary files differ
diff --git a/tests/cfgs/default/result/dtls.pcap.out b/tests/cfgs/default/result/dtls.pcap.out
index 0b0e33e32..94c926478 100644
--- a/tests/cfgs/default/result/dtls.pcap.out
+++ b/tests/cfgs/default/result/dtls.pcap.out
@@ -1,11 +1,11 @@
-DPI Packets (UDP): 2 (2.00 pkts/flow)
-Confidence DPI : 1 (flows)
-Num dissector calls: 2 (2.00 diss/flow)
+DPI Packets (UDP): 6 (3.00 pkts/flow)
+Confidence DPI : 2 (flows)
+Num dissector calls: 5 (2.50 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
LRU cache stun: 0/0/0 (insert/search/found)
-LRU cache tls_cert: 0/2/0 (insert/search/found)
+LRU cache tls_cert: 0/5/0 (insert/search/found)
LRU cache mining: 0/0/0 (insert/search/found)
LRU cache msteams: 0/0/0 (insert/search/found)
LRU cache stun_zoom: 0/0/0 (insert/search/found)
@@ -14,20 +14,22 @@ Automa domain: 0/0 (search/found)
Automa tls cert: 0/0 (search/found)
Automa risk mask: 0/0 (search/found)
Automa common alpns: 0/0 (search/found)
-Patricia risk mask: 2/0 (search/found)
+Patricia risk mask: 4/0 (search/found)
Patricia risk mask IPv6: 0/0 (search/found)
Patricia risk: 0/0 (search/found)
Patricia risk IPv6: 0/0 (search/found)
-Patricia protocols: 2/0 (search/found)
+Patricia protocols: 3/1 (search/found)
Patricia protocols IPv6: 0/0 (search/found)
-DTLS 2 394 1
+DTLS 6 1341 2
-Safe 2 394 1
+Safe 6 1341 2
JA3 Host Stats:
IP Address # JA3C
- 1 192.168.13.203 1
+ 1 10.191.227.13 1
+ 2 192.168.13.203 1
- 1 UDP 192.168.13.203:40739 -> 192.168.13.57:56515 [proto: 30/DTLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 2][cat: Web/5][2 pkts/394 bytes -> 0 pkts/0 bytes][Goodput ratio: 78/0][< 1 sec][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Unidirectional Traffic **][Risk Score: 70][Risk Info: No server to client traffic / No ALPN / SNI should always be present][DTLSv1.2][JA3C: bd743610892cec1efed851b2b5efd4f5][JA4: t00d120700_7c0e62f61317_d9dd6182da81][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 1 UDP 10.191.227.13:54162 <-> 157.240.16.128:3478 [VLAN: 10][proto: GTP:30/DTLS][IP: 119/Facebook][Encrypted][Confidence: DPI][DPI packets: 4][cat: Web/5][3 pkts/665 bytes <-> 1 pkts/282 bytes][Goodput ratio: 61/69][0.20 sec][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** TLS Fatal Alert **][Risk Score: 70][Risk Info: No ALPN / SNI should always be present / Found fatal TLS alert][DTLSv1.2][JA3C: b2a6643b6798940d25020cb4abe9e2aa][JA4: t00d160700_7c8d7d5e37b2_c38571a0f2a5][Firefox][Plen Bins: 25,0,0,0,0,0,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 2 UDP 192.168.13.203:40739 -> 192.168.13.57:56515 [proto: 30/DTLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 2][cat: Web/5][2 pkts/394 bytes -> 0 pkts/0 bytes][Goodput ratio: 78/0][< 1 sec][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Unidirectional Traffic **][Risk Score: 70][Risk Info: No server to client traffic / No ALPN / SNI should always be present][DTLSv1.2][JA3C: bd743610892cec1efed851b2b5efd4f5][JA4: t00d120700_7c0e62f61317_d9dd6182da81][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]