author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-10-28 23:36:51 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-10-28 23:36:51 +0100 |
commit | 9da99075aa174a7ecfc00fb9a18d32d3056d8db3 (patch) | |
tree | e3ad461c6c651cc5b179f1c8dc7180523c1add69 /example/ndpiReader.c | |
parent | dc125dc2a8a3aebd9accfd2deaae7dbecb5aae5a (diff) |
TLS: export heuristic fingerprint as metadata (#2609)
Diffstat (limited to 'example/ndpiReader.c')
-rw-r--r-- | example/ndpiReader.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 0de290724..65ddb4ca3 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -228,6 +228,7 @@ struct receiver *receivers = NULL, *topReceivers = NULL;
 #define WIRESHARK_METADATA_SERVERNAME 0x01
 #define WIRESHARK_METADATA_JA4C 0x02
+#define WIRESHARK_METADATA_TLS_HEURISTICS_MATCHING_FINGERPRINT 0x03
 struct ndpi_packet_tlv {
   u_int16_t type;
@@ -4674,6 +4675,22 @@ static void ndpi_process_packet(u_char *args,
       tot_len += 4 + htons(tlv->length);
       tlv = (struct ndpi_packet_tlv *)&trailer->metadata[tot_len];
     }
+    if(flow->ssh_tls.obfuscated_heur_matching_set.pkts[0] != 0) {
+      tlv->type = ntohs(WIRESHARK_METADATA_TLS_HEURISTICS_MATCHING_FINGERPRINT);
+      tlv->length = ntohs(sizeof(struct ndpi_tls_obfuscated_heuristic_matching_set));
+      struct ndpi_tls_obfuscated_heuristic_matching_set *s = (struct ndpi_tls_obfuscated_heuristic_matching_set *)tlv->data;
+      s->bytes[0] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.bytes[0]);
+      s->bytes[1] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.bytes[1]);
+      s->bytes[2] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.bytes[2]);
+      s->bytes[3] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.bytes[3]);
+      s->pkts[0] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.pkts[0]);
+      s->pkts[1] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.pkts[1]);
+      s->pkts[2] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.pkts[2]);
+      s->pkts[3] = ntohl(flow->ssh_tls.obfuscated_heur_matching_set.pkts[3]);
+      /* TODO: boundary check */
+      tot_len += 4 + htons(tlv->length);
+      tlv = (struct ndpi_packet_tlv *)&trailer->metadata[tot_len];
+    }
     flow->detection_completed = 2; /* Avoid exporting metadata again. If we really want to have the metadata on Wireshark for *all* |
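Review bot: The new TLV is written into `trailer->metadata[tot_len]` with no room check — the `/* TODO: boundary check */` sits after the eight stores, so it guards nothing, and the 4-byte header plus the struct payload can run past the end of the metadata area once the preceding server-name and JA4C TLVs have consumed most of it; the check belongs before `tlv->type = ...`, comparing `tot_len + 4 + sizeof(struct ndpi_tls_obfuscated_heuristic_matching_set)` against the capacity of `trailer->metadata` and skipping this export when it does not fit. Because `s` is a cast of `tlv->data` placed after variable-length TLVs, its 32-bit stores may be misaligned on targets that care; filling a local struct and copying it into `tlv->data` with `memcpy` sidesteps that. `ntohs`/`ntohl` produce the same bytes as `htons`/`htonl`, but this is host-to-wire serialisation, so the `hton*` spelling would state the intent. ndpi_process_packet begins outside the hunk, so the declaration of `trailer` and its metadata capacity are not visible here.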