authorLuca Deri <deri@ntop.org>2019-09-19 00:01:44 +0200
committerLuca Deri <deri@ntop.org>2019-09-19 00:01:44 +0200
commit16da3f58ccfa430b0ed46f8d3ed9b84734c1760b (patch)
tree4fe4794edbd3c29a219f54a5ec5b0503fb84b9ad
parentcf0ca7db51518ad7ed67fc762c45ef542803344a (diff)
Fixed JA3C computation with SSL (no TLS) traffic
-rw-r--r--src/lib/protocols/tls.c6
-rw-r--r--tests/result/KakaoTalk_chat.pcap.out4
-rw-r--r--tests/result/skype.pcap.out4
-rw-r--r--tests/result/skype_no_unknown.pcap.out4
4 files changed, 11 insertions, 7 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index a03e66f40..5be39c714 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -31,7 +31,7 @@
extern char *strptime(const char *s, const char *format, struct tm *tm);
-// #define DEBUG_TLS 1
+/* #define DEBUG_TLS 1 */
#define DEBUG_FINGERPRINT 1
@@ -647,6 +647,7 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct,
} /* while */
if(!invalid_ja3) {
+ compute_ja3c:
ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version);
for(i=0; i<ja3.num_cipher; i++) {
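Review bot: The `compute_ja3c:` label is placed inside the `if(!invalid_ja3)` block, and the `goto compute_ja3c` added in the third hunk (the new `else if(offset == total_len)` branch) enters that block without passing its guard; if the cipher-suite loop closed by `} /* while */` just above can set `invalid_ja3`, a malformed SSL hello would still produce a JA3C hash. The simplest fix is to carry the guard into the new branch: `} else if(offset == total_len && !invalid_ja3) {`. The jump also relies on the extension, curve and point-format counters in `ja3` already being zero when no extensions were parsed — presumably they are initialised earlier in the function, but that assumption deserves a comment at the label, e.g. `/* also reached via goto for SSL hellos (no extensions): ja3 extension counters must already be 0 */`. getTLScertificate begins and ends outside this hunk.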
@@ -696,6 +697,9 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct,
return(2 /* Client Certificate */);
}
+ } else if(offset == total_len) {
+ /* SSL does not have extensions etc */
+ goto compute_ja3c;
}
}
}
diff --git a/tests/result/KakaoTalk_chat.pcap.out b/tests/result/KakaoTalk_chat.pcap.out
index cb301a6bc..871f981c8 100644
--- a/tests/result/KakaoTalk_chat.pcap.out
+++ b/tests/result/KakaoTalk_chat.pcap.out
@@ -10,7 +10,7 @@ KakaoTalk 55 9990 15
JA3 Host Stats:
IP Address # JA3C
- 1 10.24.82.188 2
+ 1 10.24.82.188 3
1 TCP 10.24.82.188:43581 <-> 31.13.68.70:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][17 pkts/3461 bytes <-> 17 pkts/6194 bytes][bytes ratio: -0.283 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 60.8/58.1 488/297 116.5/77.7][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 203.6/364.4 1053/1336 304.3/448.8][TLSv1.2][Client: graph.facebook.com][JA3C: 051d20e8adbe8dac78945de300764d5e][Server: *.facebook.com][JA3S: 6806b8fe92d7d465715d771eb102ff04][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
@@ -22,7 +22,7 @@ JA3 Host Stats:
7 TCP 10.24.82.188:37821 <-> 210.103.240.15:443 [proto: 91.193/TLS.KakaoTalk][cat: Chat/9][13 pkts/2036 bytes <-> 14 pkts/5090 bytes][bytes ratio: -0.429 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 944.1/862.6 10357/10320 2839.5/2730.7][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 156.6/363.6 429/1336 151.9/450.9][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][Server: *.kakao.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)][Certificate SHA-1: 0D:14:6D:8D:5E:EB:F5:F5:42:87:CD:AB:AE:A1:DC:AA:5A:76:6F:E4][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA]
8 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][cat: Web/5][17 pkts/2231 bytes <-> 9 pkts/1695 bytes][bytes ratio: 0.137 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 50/36 2922.8/5819.6 12590/13598 3981.5/4890.9][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 131.2/188.3 657/274 136.4/75.5]
9 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/TLS][cat: Web/5][9 pkts/1737 bytes <-> 9 pkts/672 bytes][bytes ratio: 0.442 (Upload)][IAT c2s/s2c min/avg/max/stddev: 40/104 3064.0/3022.1 12765/12806 4269.0/4324.4][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 193.0/74.7 303/98 122.5/20.9]
- 10 TCP 10.24.82.188:58964 <-> 54.255.253.199:5223 [proto: 91.178/TLS.Amazon][cat: Web/5][3 pkts/290 bytes <-> 3 pkts/1600 bytes][bytes ratio: -0.693 (Download)][IAT c2s/s2c min/avg/max/stddev: 15/5 107.0/56.5 199/108 92.0/51.5][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 96.7/533.3 146/1456 35.0/652.4][TLSv1][Server: *.push.samsungosp.com][JA3S: 986d18bb49fadf70a73a06ead3780d55 (INSECURE)][Certificate SHA-1: CE:C6:14:8F:23:A0:C2:C9:C5:9A:B0:BB:EC:1D:4A:7E:33:2A:43:12][Cipher: TLS_RSA_WITH_RC4_128_MD5][PLAIN TEXT (Gyeonggi do)]
+ 10 TCP 10.24.82.188:58964 <-> 54.255.253.199:5223 [proto: 91.178/TLS.Amazon][cat: Web/5][3 pkts/290 bytes <-> 3 pkts/1600 bytes][bytes ratio: -0.693 (Download)][IAT c2s/s2c min/avg/max/stddev: 15/5 107.0/56.5 199/108 92.0/51.5][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 96.7/533.3 146/1456 35.0/652.4][TLSv1][JA3C: d9ce50c62ab1fd5932da3c6b6d406c65][Server: *.push.samsungosp.com][JA3S: 986d18bb49fadf70a73a06ead3780d55 (INSECURE)][Certificate SHA-1: CE:C6:14:8F:23:A0:C2:C9:C5:9A:B0:BB:EC:1D:4A:7E:33:2A:43:12][Cipher: TLS_RSA_WITH_RC4_128_MD5][PLAIN TEXT (Gyeonggi do)]
11 TCP 10.24.82.188:37557 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][cat: SocialNetwork/6][5 pkts/487 bytes <-> 6 pkts/627 bytes][Host: www.facebook.com][bytes ratio: -0.126 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 40/0 5491.0/4361.0 21620/21500 9312.5/8569.8][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 97.4/104.5 243/339 73.2/104.9][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)]
12 TCP 10.24.82.188:37553 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][cat: SocialNetwork/6][5 pkts/487 bytes <-> 5 pkts/571 bytes][Host: www.facebook.com][bytes ratio: -0.079 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 43/38 5451.5/5418.0 21457/21368 9241.2/9209.0][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 97.4/114.2 243/339 73.2/112.4][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)]
13 TCP 216.58.221.10:80 <-> 10.24.82.188:35922 [proto: 7.126/HTTP.Google][cat: Web/5][7 pkts/392 bytes <-> 7 pkts/392 bytes][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 136/98 4276.2/4284.2 13075/13111 4413.9/4432.7][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 56.0/56.0 56/56 0.0/0.0]
diff --git a/tests/result/skype.pcap.out b/tests/result/skype.pcap.out
index 84ede744c..fbd6d8290 100644
--- a/tests/result/skype.pcap.out
+++ b/tests/result/skype.pcap.out
@@ -17,10 +17,10 @@ ApplePush 12 1877 1
JA3 Host Stats:
IP Address # JA3C
- 1 192.168.1.34 1
+ 1 192.168.1.34 2
- 1 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91.221/TLS.MS_OneDrive][cat: Cloud/13][187 pkts/42539 bytes <-> 200 pkts/155551 bytes][bytes ratio: -0.571 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 893.0/683.9 30166/30261 4224.2/3588.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 227.5/777.8 1506/1506 423.1/552.7][TLSv1][Server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
+ 1 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91.221/TLS.MS_OneDrive][cat: Cloud/13][187 pkts/42539 bytes <-> 200 pkts/155551 bytes][bytes ratio: -0.571 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 893.0/683.9 30166/30261 4224.2/3588.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 227.5/777.8 1506/1506 423.1/552.7][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][Server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
2 TCP 192.168.1.34:50108 <-> 157.56.52.28:40009 [proto: 125/Skype][cat: VoIP/10][231 pkts/60232 bytes <-> 241 pkts/104395 bytes][bytes ratio: -0.268 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 418.8/332.6 8300/8646 1054.3/998.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 260.7/433.2 1506/1506 342.9/569.4][PLAIN TEXT ( 0sKWL)]
3 UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][79 pkts/29479 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 2052.4/0.0 19950/0 6020.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 327/0 373.2/0.0 405/0 28.8/0.0][PLAIN TEXT (NOTIFY )]
4 TCP 192.168.1.34:50128 <-> 17.172.100.36:443 [proto: 91.143/TLS.AppleiCloud][cat: Web/5][43 pkts/9635 bytes <-> 43 pkts/10651 bytes][bytes ratio: -0.050 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1102.2/1098.6 41869/42024 6370.8/6397.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 224.1/247.7 680/1494 261.3/323.6][TLSv1.2][Client: p05-keyvalueservice.icloud.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out
index 9c208e01d..3ceba1f69 100644
--- a/tests/result/skype_no_unknown.pcap.out
+++ b/tests/result/skype_no_unknown.pcap.out
@@ -15,10 +15,10 @@ ApplePush 8 1118 1
JA3 Host Stats:
IP Address # JA3C
- 1 192.168.1.34 1
+ 1 192.168.1.34 2
- 1 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91.221/TLS.MS_OneDrive][cat: Cloud/13][166 pkts/39042 bytes <-> 182 pkts/142645 bytes][bytes ratio: -0.570 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 310.0/282.2 45360/45460 3520.1/3369.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 235.2/783.8 1506/1506 432.7/564.7][TLSv1][Server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
+ 1 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91.221/TLS.MS_OneDrive][cat: Cloud/13][166 pkts/39042 bytes <-> 182 pkts/142645 bytes][bytes ratio: -0.570 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 310.0/282.2 45360/45460 3520.1/3369.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 235.2/783.8 1506/1506 432.7/564.7][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][Server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
2 TCP 192.168.1.34:51279 <-> 111.221.74.48:40008 [proto: 125/Skype][cat: VoIP/10][101 pkts/30681 bytes <-> 98 pkts/59934 bytes][bytes ratio: -0.323 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 227.1/220.7 3095/3095 375.1/372.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 303.8/611.6 1506/1506 405.8/625.9][PLAIN TEXT (nZREBS)]
3 TCP 192.168.1.34:51227 <-> 17.172.100.36:443 [proto: 91.140/TLS.Apple][cat: Web/5][38 pkts/9082 bytes <-> 38 pkts/10499 bytes][bytes ratio: -0.072 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1847.3/1843.3 55625/55761 9059.8/9088.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 239.0/276.3 680/1494 273.4/358.4]
4 UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][36 pkts/13402 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1714.9/0.0 19856/0 5553.3/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 327/0 372.3/0.0 405/0 28.7/0.0][PLAIN TEXT (NOTIFY )]