author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-09-24 14:20:31 +0200 |
committer | GitHub <noreply@github.com> | 2024-09-24 14:20:31 +0200 |
commit | ddd08f913c80289e13e9c000e11c473a21ec23ca (patch) | |
tree | 4ed5ba0fbaa250b5999c2d3bac91466dd12303ac /fuzz | |
parent | 686d0e3839768dbbf1a073db9cb0cef58b6e5da8 (diff) |
Add some heuristics to detect encrypted/obfuscated/proxied TLS flows (#2553)
Based on the paper: "Fingerprinting Obfuscated Proxy Traffic with
Encapsulated TLS Handshakes".
See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting
Basic idea:
* the packet/byte distribution of a TLS handshake is quite distinctive
* this fingerprint remains detectable even when the handshake is
encrypted/proxied/obfuscated
All heuristics are disabled by default.
Diffstat (limited to 'fuzz')
-rw-r--r-- | fuzz/fuzz_config.cpp | 8 | ||||
-rw-r--r-- | fuzz/fuzz_ndpi_reader.c | 2 |
2 files changed, 10 insertions, 0 deletions
diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp
index a23b74c30..0e8dda18d 100644
--- a/fuzz/fuzz_config.cpp
+++ b/fuzz/fuzz_config.cpp
@@ -130,6 +130,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     ndpi_get_config(ndpi_info_mod, "tls", "application_blocks_tracking", cfg_value, sizeof(cfg_value));
   }
   if(fuzzed_data.ConsumeBool()) {
+    value = fuzzed_data.ConsumeIntegralInRange(0, 0x07 + 1);
+    snprintf(cfg_value, sizeof(cfg_value), "%d", value);
+    ndpi_set_config(ndpi_info_mod, "tls", "dpi.heuristics", cfg_value);
+    value = fuzzed_data.ConsumeIntegralInRange(0, 255 + 1);
+    snprintf(cfg_value, sizeof(cfg_value), "%d", value);
+    ndpi_set_config(ndpi_info_mod, "tls", "dpi.heuristics.max_packets_extra_dissection", cfg_value);
+  }
+  if(fuzzed_data.ConsumeBool()) {
     value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
     snprintf(cfg_value, sizeof(cfg_value), "%d", value);
     ndpi_set_config(ndpi_info_mod, "tls", "metadata.sha1_fingerprint", cfg_value);
diff --git a/fuzz/fuzz_ndpi_reader.c b/fuzz/fuzz_ndpi_reader.c
index 2db6f696b..784e506d9 100644
--- a/fuzz/fuzz_ndpi_reader.c
+++ b/fuzz/fuzz_ndpi_reader.c
@@ -92,6 +92,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
   ndpi_set_config(workflow->ndpi_struct, "rtp", "search_for_stun", "1");
   ndpi_set_config(workflow->ndpi_struct, "openvpn", "dpi.heuristics", "0x01");
   ndpi_set_config(workflow->ndpi_struct, "openvpn", "dpi.heuristics.num_messages", "255");
+  ndpi_set_config(workflow->ndpi_struct, "tls", "dpi.heuristics", "0x07");
+  ndpi_set_config(workflow->ndpi_struct, "tls", "dpi.heuristics.max_packets_extra_dissection", "255");
   ndpi_finalize_initialization(workflow->ndpi_struct); |
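Review bot: The `0x07 + 1` and `255 + 1` upper bounds in the two added `ConsumeIntegralInRange` calls of the fuzz_config.cpp hunk are undocumented; since that API's upper bound is inclusive, each deliberately yields one value past the option's valid range (8 for a 3-bit mask, 256 for a byte), which mirrors the existing `1 + 1` pattern for booleans but reads like an off-by-one to anyone unfamiliar with it. A one-line comment before the first added line would settle it: `/* upper bound is inclusive: one out-of-range value exercises ndpi_set_config's rejection path */`. The return value of `ndpi_set_config` is ignored here as elsewhere in the harness, so a silently accepted out-of-range mask would not be noticed by the fuzzer; that is presumably intentional for a crash-finding harness, but worth confirming. The enclosing LLVMFuzzerTestOneInput body starts and ends outside the hunk.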