author | Luca Deri <deri@ntop.org> | 2025-02-24 22:14:41 +0100 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2025-02-24 22:14:41 +0100 |
commit | beea70d68906c6405859cc04a63139bbf67c3ffe (patch) | |
tree | e55ce9d86eaa33ddbc24d2fa3935029831bb210e | |
parent | 78c648d0fa4a89710a006831f83bd9762511d68a (diff) |
Improved Tor detection
-rw-r--r-- | src/lib/protocols/tls.c | 37 | ||||
-rw-r--r-- | tests/cfgs/default/pcap/tor-browser.pcap | bin | 0 -> 81919 bytes | |||
-rw-r--r-- | tests/cfgs/default/result/tor-browser.pcap.out | 48 |
3 files changed, 81 insertions, 4 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 8d2f4dd7f..a973074f6 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -29,7 +29,7 @@
#include "ndpi_encryption.h"
#include "ndpi_private.h"
-//#define JA4R_DECIMAL 1
+//#define JA4R_DECIMAL 1
static void ndpi_search_tls_wrapper(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
@@ -107,6 +107,19 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp
/* **************************************** */
+static bool str_contains_digit(char *str) {
+ u_int i = 0;
+
+ for(i=0; (str[i] != '.') && (str[i] != '\0'); i++) {
+ if(isdigit(str[i]))
+ return(true);
+ }
+
+ return(false);
+}
+
+/* **************************************** */
+
static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
@@ -1934,12 +1947,12 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp
NDPI_PROTOCOL_RDP, NDPI_PROTOCOL_TLS, NDPI_CONFIDENCE_DPI);
return;
}
-
+
if((flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) || (flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN)) {
if(!flow->extra_packets_func)
tlsInitExtraPacketProcessing(ndpi_struct, flow);
-
+
return;
}
@@ -2821,7 +2834,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
if((sni_len >= 4) /* Check if it ends in .com or .net */
&& ((strcmp(&sni[sni_len-4], ".com") == 0) || (strcmp(&sni[sni_len-4], ".net") == 0))
- && (strncmp(sni, "www.", 4) == 0)) /* Not starting with www.... */
+ && (strncmp(sni, "www.", 4) == 0)) /* Starting with www.... */
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI);
} else {
#ifdef DEBUG_TLS
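Review bot: In the new str_contains_digit, `isdigit(str[i])` receives a plain `char`; where `char` is signed, a byte above 0x7F in the scanned label becomes a negative argument, which is undefined behaviour for the <ctype.h> classifiers (only EOF and unsigned-char values are allowed), and the caller in the later hunk passes it `flow->host_server_name`, a string that appears to be populated from the ClientHello SNI. Cast at the call site: `if(isdigit((unsigned char)str[i]))`. The parameter can be `const char *str` since the function only reads it, and `u_int i = 0;` is redundant with the `for` initializer. The surrounding whitespace-only hunks need no review.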
@@ -3226,6 +3239,22 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
#endif
ndpi_set_risk(ndpi_struct, flow, NDPI_OBFUSCATED_TRAFFIC, "Abnormal Client Hello/Padding length");
}
+ } else if(extension_id == 22) { /* Encrypt-then-MAC */
+ if(extension_len == 0) {
+ char *sni = flow->host_server_name;
+
+ if(sni != NULL) {
+ u_int sni_len = strlen(sni);
+
+ if((flow->protos.tls_quic.advertised_alpns == NULL) /* No ALPN */
+ && (sni_len > 8)
+ && ((strcmp(&sni[sni_len-4], ".com") == 0) || (strcmp(&sni[sni_len-4], ".net") == 0))
+ && (strncmp(sni, "www.", 4) == 0) /* Starting with www.... */
+ && str_contains_digit(&sni[4])) {
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI);
+ }
+ }
+ }
}
extension_offset += extension_len; /* Move to the next extension */
diff --git a/tests/cfgs/default/pcap/tor-browser.pcap b/tests/cfgs/default/pcap/tor-browser.pcap
Binary files differ
new file mode 100644
index 000000000..581f96564
--- /dev/null
+++ b/tests/cfgs/default/pcap/tor-browser.pcap
diff --git a/tests/cfgs/default/result/tor-browser.pcap.out b/tests/cfgs/default/result/tor-browser.pcap.out
new file mode 100644
index 000000000..4e8477973
--- /dev/null
+++ b/tests/cfgs/default/result/tor-browser.pcap.out
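Review bot: The new Tor heuristic under `extension_id == 22` runs inside the extension loop, so `flow->protos.tls_quic.advertised_alpns == NULL` only reflects the extensions parsed so far; if ALPN (16) follows Encrypt-then-MAC (22) in the ClientHello, the "No ALPN" condition is wrongly true and a flow that does advertise ALPN is labelled Tor at DPI confidence (the same ordering can hide the SNI, which only causes a miss). Assuming advertised_alpns is filled in by this same loop — its setter is outside the hunk — the safer shape is to record the match here, `if(extension_len == 0) etm_empty_seen = 1;`, and evaluate the SNI/ALPN test once after the loop completes, with the `sni != NULL`, length, suffix, prefix and digit checks unchanged. The remaining conditions (www.<label containing a digit>.com/.net, no ALPN, empty ETM) can also be met by ordinary non-browser TLS clients that send Encrypt-then-MAC but no ALPN, so consider whether NDPI_CONFIDENCE_DPI is the right level for a heuristic of this width and at least document it as a heuristic in the comment. processClientServerHello begins and ends outside this hunk.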
@@ -0,0 +1,48 @@ +DPI Packets (TCP): 58 (8.29 pkts/flow) +DPI Packets (UDP): 2 (2.00 pkts/flow) +DPI Packets (other): 1 (1.00 pkts/flow) +Confidence DPI : 9 (flows) +Num dissector calls: 9 (1.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 1/6/1 (insert/search/found) +Automa host: 8/3 (search/found) +Automa domain: 8/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 4/0 (search/found) +Automa common alpns: 2/2 (search/found) +Patricia risk mask: 12/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 11/7 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +DNS 2 295 1 +ICMP 19 10194 1 +TLS 2 168 1 +Tor 113 57510 5 +Microsoft365 29 10820 1 + +Safe 2 168 1 +Acceptable 50 21309 3 +Potentially Dangerous 113 57510 5 + +JA Host Stats: + IP Address # JA4C + 1 192.168.0.123 2 + + + 1 TCP 192.168.0.123:64623 <-> 86.3.18.251:443 [proto: 91.163/TLS.Tor][IP: 163/Tor][Encrypted][Confidence: DPI][FPC: 163/Tor, Confidence: IP address][DPI packets: 6][cat: VPN/2][21 pkts/11828 bytes <-> 26 pkts/12847 bytes][Goodput ratio: 90/89][4.45 sec][Hostname/SNI: www.sodinn6.com][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.041 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 248/190 2373/2352 553/486][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 563/494 2132/1414 515/421][Risk: ** TLS (probably) Not Carrying HTTPS **** Unsafe Protocol **][Risk Score: 20][Risk Info: No ALPN][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][TLSv1.3][JA4: t13d181100_6c2ba73853a4_d41ae481755e][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 
0,2,8,0,0,0,2,0,0,0,0,0,0,0,0,0,67,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,2,2,0,0,2,0,0,0,0,0,5,0,0,0,0,5] + 2 TCP 192.168.0.123:64624 <-> 178.17.170.254:443 [proto: 91.163/TLS.Tor][IP: 163/Tor][Encrypted][Confidence: DPI][FPC: 163/Tor, Confidence: IP address][DPI packets: 6][cat: VPN/2][16 pkts/9928 bytes <-> 19 pkts/10825 bytes][Goodput ratio: 91/90][1.05 sec][Hostname/SNI: www.2xik.com][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.043 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 60/59 96/101 29/29][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 620/570 2132/1414 589/475][Risk: ** TLS (probably) Not Carrying HTTPS **** Unsafe Protocol **][Risk Score: 20][Risk Info: No ALPN][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][TLSv1.3][JA4: t13d181100_6c2ba73853a4_d41ae481755e][JA3S: 15af977ce25de452b96affa2addb1036][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 0,3,11,0,0,0,3,0,0,0,0,0,0,0,0,0,45,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,7,7,0,0,3,0,0,0,0,0,7,0,0,0,0,7] + 3 TCP 192.168.0.123:64613 <-> 172.211.159.152:443 [proto: 91.219/TLS.Microsoft365][IP: 276/Azure][Encrypted][Confidence: DPI][FPC: 219/Microsoft365, Confidence: DNS][DPI packets: 13][cat: Web/5][15 pkts/3053 bytes <-> 14 pkts/7767 bytes][Goodput ratio: 73/90][0.15 sec][Hostname/SNI: checkappexec.microsoft.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: -0.436 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/7 30/40 12/14][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 204/555 1553/1414 369/578][TCP Fingerprint: 2_128_65535_6bb88f5575fd/Windows][TLSv1.2][JA4: t12d1909h2_d83cc789557e_7af1ed941c26][ServerNames: 
smartscreen.microsoft.com,*.wds.microsoft.com,*.urs.microsoft.com,*.smartscreen.microsoft.com,apprep.smartscreen.microsoft.com,beta.apprep.smartscreen.microsoft.com,beta.w.apprep.smartscreen.microsoft.com,w.apprep.smartscreen.microsoft.com,urs.microsoft.com,beta.urs.microsoft.com,c.urs.microsoft.com,i.apprep.smartscreen.microsoft.com,i.w.apprep.smartscreen.microsoft.com,t.urs.microsoft.com,beta.t.urs.microsoft.com,telemetry.urs.microsoft.com,d.urs.microsoft.com,x.urs.microsoft.com,p.urs.microsoft.com,api.smartscreen.microsoft.com,urs.smartscreen.microsoft.com,ars.smartscreen.microsoft.com,cp.smartscreen.microsoft.com,checkappexec.microsoft.com,data.checkappexec.microsoft.com,ping.checkappexec.microsoft.com,t.checkappexec.microsoft.com,pf.checkappexec.microsoft.com,sl.smartscreen.microsoft.com,ping.smartscreen.microsoft.com,nf.smartscreen.microsoft.com,data.nf.smartscreen.microsoft.com,ping.nf.smartscreen.microsoft.com,t.nf.smartscreen.microsoft.com,nav.smartscreen.microsoft.com,data.nav.smartscreen.microsoft.com,ping.nav.smartscreen.microsoft.com,t.nav.smartscreen.microsoft.com,bf.smartscreen.microsoft.com,t.bf.smartscreen.microsoft.com,smartscreen-prod.microsoft.com,*.smartscreen-prod.microsoft.com][JA3S: 00447ab319e9d94ba2b4c1248e155917][Issuer: C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 04][Subject: C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=smartscreen.microsoft.com][Certificate SHA-1: 83:0D:87:5A:F6:F1:FA:DC:94:4D:7E:AD:7C:8B:71:47:6A:BB:DC:2B][Firefox][Validity: 2025-01-16 14:02:54 - 2025-07-15 14:02:54][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 5,18,18,0,0,0,5,0,5,5,0,5,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,5,0] + 4 ICMP 192.168.0.16:0 -> 192.168.0.123:0 [proto: 81/ICMP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 81/ICMP, Confidence: DPI][DPI packets: 1][cat: Network/14][19 pkts/10194 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][23.29 sec][bytes ratio: 1.000 (Upload)][IAT 
c2s/s2c min/avg/max/stddev: 6/0 1228/0 7220/0 1704/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 537/0 590/0 156/0][Risk: ** Susp Entropy **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Entropy: 4.948 (Executable?)][PLAIN TEXT ( www.v2)][Plen Bins: 0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,89,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 TCP 192.168.0.123:64622 <-> 178.17.170.254:443 [proto: 91.163/TLS.Tor][IP: 163/Tor][Encrypted][Confidence: DPI][FPC: 163/Tor, Confidence: IP address][DPI packets: 13][cat: VPN/2][12 pkts/5313 bytes <-> 1 pkts/62 bytes][Goodput ratio: 88/0][21.70 sec][Hostname/SNI: www.v2trefdg62xsck3upw2iad5y.com][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.977 (Upload)][IAT c2s/s2c min/avg/max/stddev: 14/0 1929/0 9605/0 2882/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/62 443/62 571/62 222/0][Risk: ** TLS (probably) Not Carrying HTTPS **** Susp DGA Domain name **** Unsafe Protocol **][Risk Score: 120][Risk Info: v2trefdg62xsck3upw2iad5y.com / No ALPN][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][TLSv1.2][JA4: t13d181100_6c2ba73853a4_d41ae481755e][Firefox][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 TCP 192.168.0.123:64621 <-> 86.3.18.251:443 [proto: 91.163/TLS.Tor][IP: 163/Tor][Encrypted][Confidence: DPI][FPC: 163/Tor, Confidence: IP address][DPI packets: 11][cat: VPN/2][10 pkts/4171 bytes <-> 1 pkts/66 bytes][Goodput ratio: 87/0][19.33 sec][Hostname/SNI: www.w2f34byk6sroic.com][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.969 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1214/0 4813/0 1548/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 417/66 571/66 235/0][Risk: ** TLS (probably) Not Carrying HTTPS **** Susp DGA Domain name **** Unsafe Protocol **][Risk Score: 120][Risk Info: w2f34byk6sroic.com / No ALPN][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][TLSv1.2][JA4: 
t13d181100_6c2ba73853a4_d41ae481755e][Firefox][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 TCP 192.168.0.123:64625 <-> 194.164.197.45:443 [proto: 91.163/TLS.Tor][IP: 163/Tor][Encrypted][Confidence: DPI][FPC: 163/Tor, Confidence: IP address][DPI packets: 7][cat: VPN/2][6 pkts/2404 bytes <-> 1 pkts/66 bytes][Goodput ratio: 86/0][1.18 sec][Hostname/SNI: www.raww4onzy3tam7cip372snd.com][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.947 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 236/0 601/0 217/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 401/66 571/66 241/0][Risk: ** TLS (probably) Not Carrying HTTPS **** Susp DGA Domain name **** Unsafe Protocol **][Risk Score: 120][Risk Info: raww4onzy3tam7cip372snd.com / No ALPN][TCP Fingerprint: 2_128_64240_6bb88f5575fd/Windows][TLSv1.2][JA4: t13d181100_6c2ba73853a4_d41ae481755e][Firefox][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 8 UDP 192.168.0.123:55566 <-> 192.168.0.16:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/86 bytes <-> 1 pkts/209 bytes][Goodput ratio: 51/80][0.00 sec][Hostname/SNI: checkappexec.microsoft.com][172.211.159.152][DNS Id: 0x67d4][PLAIN TEXT (checkappexec)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 9 TCP 192.168.0.123:64282 <-> 155.133.248.43:443 [proto: 91/TLS][IP: 74/Steam][Encrypted][Confidence: DPI][FPC: 91/TLS, Confidence: DPI][DPI packets: 2][cat: Web/5][1 pkts/108 bytes <-> 1 pkts/60 bytes][Goodput ratio: 50/0][0.03 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |