authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2025-01-14 12:05:03 +0100
committerGitHub <noreply@github.com>2025-01-14 12:05:03 +0100
commit63a3547f998bfbe52c2bc8a540e0f33d37f3ad88 (patch)
tree782eac7281a01087a5cf374e7d0a3a76a7ebc552 /fuzz
parent69a4f8120a3e335074fcc33f81e1d82dc0a88791 (diff)
Add (kind of) support for loading a list of JA4C malicious fingerprints (#2678)
It might be useful to be able to match traffic against a list of suspicious JA4C fingerprints. Use the same code/logic/infrastructure used for JA3C (note that we are going to remove JA3C...). See: #2551
Diffstat (limited to 'fuzz')
-rw-r--r--fuzz/Makefile.am28
-rw-r--r--fuzz/corpus/fuzz_filecfg_malicious_ja3/12
-rw-r--r--fuzz/corpus/fuzz_filecfg_malicious_ja3/21
-rw-r--r--fuzz/corpus/fuzz_filecfg_malicious_ja4/12
-rw-r--r--fuzz/corpus/fuzz_filecfg_malicious_ja4/21
-rw-r--r--fuzz/fuzz_common_code.c2
-rw-r--r--fuzz/fuzz_config.cpp4
-rw-r--r--fuzz/fuzz_filecfg_malicious_ja4.c (renamed from fuzz/fuzz_filecfg_malicious_ja3.c)2
-rw-r--r--fuzz/fuzz_ndpi_reader.c2
9 files changed, 22 insertions, 22 deletions
diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am
index 86b3f9234..3d3c757a3 100644
--- a/fuzz/Makefile.am
+++ b/fuzz/Makefile.am
@@ -8,7 +8,7 @@ bin_PROGRAMS += fuzz_libinjection fuzz_binaryfusefilter
#Internal crypto
bin_PROGRAMS += fuzz_gcrypt_light fuzz_gcrypt_aes fuzz_gcrypt_gcm fuzz_gcrypt_cipher
#Configuration files
-bin_PROGRAMS += fuzz_filecfg_protocols fuzz_filecfg_categories fuzz_filecfg_malicious_sha1 fuzz_filecfg_malicious_ja3 fuzz_filecfg_risk_domains fuzz_filecfg_config fuzz_filecfg_category
+bin_PROGRAMS += fuzz_filecfg_protocols fuzz_filecfg_categories fuzz_filecfg_malicious_sha1 fuzz_filecfg_malicious_ja4 fuzz_filecfg_risk_domains fuzz_filecfg_config fuzz_filecfg_category
#Reader utils
bin_PROGRAMS += fuzz_readerutils_workflow fuzz_readerutils_parseprotolist
#Mutators
@@ -623,18 +623,18 @@ fuzz_filecfg_malicious_sha1_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAG
$(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \
$(fuzz_filecfg_malicious_sha1_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@
-fuzz_filecfg_malicious_ja3_SOURCES = fuzz_filecfg_malicious_ja3.c fuzz_common_code.c
-fuzz_filecfg_malicious_ja3_CFLAGS = -I../src/lib/ @NDPI_CFLAGS@ $(CXXFLAGS) -DNDPI_LIB_COMPILATION
-fuzz_filecfg_malicious_ja3_LDADD = ../src/lib/libndpi.a $(ADDITIONAL_LIBS)
-fuzz_filecfg_malicious_ja3_LDFLAGS = $(LIBS)
+fuzz_filecfg_malicious_ja4_SOURCES = fuzz_filecfg_malicious_ja4.c fuzz_common_code.c
+fuzz_filecfg_malicious_ja4_CFLAGS = -I../src/lib/ @NDPI_CFLAGS@ $(CXXFLAGS) -DNDPI_LIB_COMPILATION
+fuzz_filecfg_malicious_ja4_LDADD = ../src/lib/libndpi.a $(ADDITIONAL_LIBS)
+fuzz_filecfg_malicious_ja4_LDFLAGS = $(LIBS)
if HAS_FUZZLDFLAGS
-fuzz_filecfg_malicious_ja3_CFLAGS += $(LIB_FUZZING_ENGINE)
-fuzz_filecfg_malicious_ja3_LDFLAGS += $(LIB_FUZZING_ENGINE)
+fuzz_filecfg_malicious_ja4_CFLAGS += $(LIB_FUZZING_ENGINE)
+fuzz_filecfg_malicious_ja4_LDFLAGS += $(LIB_FUZZING_ENGINE)
endif
# force usage of CXX for linker
-fuzz_filecfg_malicious_ja3_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+fuzz_filecfg_malicious_ja4_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \
- $(fuzz_filecfg_malicious_ja3_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@
+ $(fuzz_filecfg_malicious_ja4_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@
fuzz_filecfg_risk_domains_SOURCES = fuzz_filecfg_risk_domains.c fuzz_common_code.c
fuzz_filecfg_risk_domains_CFLAGS = -I../src/lib/ @NDPI_CFLAGS@ $(CXXFLAGS) -DNDPI_LIB_COMPILATION
@@ -874,9 +874,9 @@ files_corpus_fuzz_filecfg_malicious_sha1 := $(wildcard corpus/fuzz_filecfg_mali
fuzz_filecfg_malicious_sha1_seed_corpus.zip: $(files_corpus_fuzz_filecfg_malicious_sha1)
zip -j fuzz_filecfg_malicious_sha1_seed_corpus.zip $(files_corpus_fuzz_filecfg_malicious_sha1)
-files_corpus_fuzz_filecfg_malicious_ja3 := $(wildcard corpus/fuzz_filecfg_malicious_ja3/*)
-fuzz_filecfg_malicious_ja3_seed_corpus.zip: $(files_corpus_fuzz_filecfg_malicious_ja3)
- zip -j fuzz_filecfg_malicious_ja3_seed_corpus.zip $(files_corpus_fuzz_filecfg_malicious_ja3)
+files_corpus_fuzz_filecfg_malicious_ja4 := $(wildcard corpus/fuzz_filecfg_malicious_ja4/*)
+fuzz_filecfg_malicious_ja4_seed_corpus.zip: $(files_corpus_fuzz_filecfg_malicious_ja4)
+ zip -j fuzz_filecfg_malicious_ja4_seed_corpus.zip $(files_corpus_fuzz_filecfg_malicious_ja4)
files_corpus_fuzz_filecfg_risk_domains := $(wildcard corpus/fuzz_filecfg_risk_domains/*)
fuzz_filecfg_risk_domains_seed_corpus.zip: $(files_corpus_fuzz_filecfg_risk_domains)
@@ -906,7 +906,7 @@ files_corpus_fuzz_ds_domain_classify := $(wildcard corpus/fuzz_ds_domain_classi
fuzz_ds_domain_classify_seed_corpus.zip: $(files_corpus_fuzz_ds_domain_classify)
zip -j fuzz_ds_domain_classify_seed_corpus.zip $(files_corpus_fuzz_ds_domain_classify)
-corpus: fuzz_ndpi_reader_seed_corpus.zip fuzz_ndpi_reader_alloc_fail_seed_corpus.zip fuzz_ndpi_reader_payload_analyzer_seed_corpus.zip fuzz_quic_get_crypto_data_seed_corpus.zip fuzz_alg_ses_des_seed_corpus.zip fuzz_alg_bins_seed_corpus.zip fuzz_alg_hll_seed_corpus.zip fuzz_alg_jitter_seed_corpus.zip fuzz_ds_libcache_seed_corpus.zip fuzz_community_id_seed_corpus.zip fuzz_serialization_seed_corpus.zip fuzz_ds_ptree_seed_corpus.zip fuzz_alg_crc32_md5_seed_corpus.zip fuzz_alg_bytestream_seed_corpus.zip fuzz_libinjection_seed_corpus.zip fuzz_tls_certificate_seed_corpus.zip fuzz_filecfg_protocols_seed_corpus.zip fuzz_readerutils_workflow_seed_corpus.zip fuzz_readerutils_parseprotolist_seed_corpus.zip fuzz_ds_bitmap64_fuse_seed_corpus.zip fuzz_ds_domain_classify_seed_corpus.zip fuzz_filecfg_protocols_seed_corpus.zip fuzz_is_stun_udp_seed_corpus.zip fuzz_is_stun_tcp_seed_corpus.zip fuzz_ndpi_reader_pl7m_simplest_seed_corpus.zip fuzz_ndpi_reader_pl7m_seed_corpus.zip fuzz_ndpi_reader_pl7m_64k_seed_corpus.zip fuzz_ndpi_reader_pl7m_simplest_internal_seed_corpus.zip fuzz_ndpi_reader_pl7m_internal_seed_corpus.zip
+corpus: fuzz_ndpi_reader_seed_corpus.zip fuzz_ndpi_reader_alloc_fail_seed_corpus.zip fuzz_ndpi_reader_payload_analyzer_seed_corpus.zip fuzz_quic_get_crypto_data_seed_corpus.zip fuzz_alg_ses_des_seed_corpus.zip fuzz_alg_bins_seed_corpus.zip fuzz_alg_hll_seed_corpus.zip fuzz_alg_jitter_seed_corpus.zip fuzz_ds_libcache_seed_corpus.zip fuzz_community_id_seed_corpus.zip fuzz_serialization_seed_corpus.zip fuzz_ds_ptree_seed_corpus.zip fuzz_alg_crc32_md5_seed_corpus.zip fuzz_alg_bytestream_seed_corpus.zip fuzz_libinjection_seed_corpus.zip fuzz_tls_certificate_seed_corpus.zip fuzz_filecfg_protocols_seed_corpus.zip fuzz_readerutils_workflow_seed_corpus.zip fuzz_readerutils_parseprotolist_seed_corpus.zip fuzz_ds_bitmap64_fuse_seed_corpus.zip fuzz_ds_domain_classify_seed_corpus.zip fuzz_filecfg_protocols_seed_corpus.zip fuzz_is_stun_udp_seed_corpus.zip fuzz_is_stun_tcp_seed_corpus.zip fuzz_ndpi_reader_pl7m_simplest_seed_corpus.zip fuzz_ndpi_reader_pl7m_seed_corpus.zip fuzz_ndpi_reader_pl7m_64k_seed_corpus.zip fuzz_ndpi_reader_pl7m_simplest_internal_seed_corpus.zip fuzz_ndpi_reader_pl7m_internal_seed_corpus.zip fuzz_filecfg_malicious_ja4_seed_corpus.zip fuzz_filecfg_malicious_sha1_seed_corpus.zip fuzz_filecfg_categories_seed_corpus.zip
cp corpus/fuzz_*seed_corpus.zip .
#Create dictionaries exactly as expected by oss-fuzz.
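Review bot: The `corpus:` prerequisite list is still incomplete after this change. It gains the ja4, sha1 and categories zips, but `fuzz_filecfg_risk_domains_seed_corpus.zip`, whose rule is visible in the previous hunk, is not listed, so that fuzzer would start without its seeds. `fuzz_filecfg_config` and `fuzz_filecfg_category` are in `bin_PROGRAMS` and have corpus directories in `distdir`, so their zips probably belong here too if rules for them exist outside this diff. `fuzz_filecfg_protocols_seed_corpus.zip` also appears twice on the line. Keeping the list in a variable with one archive per line, for example `CORPUS_ZIPS = ... \` followed by `corpus: $(CORPUS_ZIPS)`, would make omissions like these visible in review.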
@@ -938,7 +938,7 @@ distdir:
-o -path './corpus/fuzz_filecfg_protocols/*' \
-o -path './corpus/fuzz_filecfg_categories/*' \
-o -path './corpus/fuzz_filecfg_malicious_sha1/*' \
- -o -path './corpus/fuzz_filecfg_malicious_ja3/*' \
+ -o -path './corpus/fuzz_filecfg_malicious_ja4/*' \
-o -path './corpus/fuzz_filecfg_risk_domains/*' \
-o -path './corpus/fuzz_filecfg_config/*' \
-o -path './corpus/fuzz_filecfg_category/*' \
diff --git a/fuzz/corpus/fuzz_filecfg_malicious_ja3/1 b/fuzz/corpus/fuzz_filecfg_malicious_ja3/1
deleted file mode 100644
index 6cebd9e6e..000000000
--- a/fuzz/corpus/fuzz_filecfg_malicious_ja3/1
+++ /dev/null
@@ -1,2 +0,0 @@
-# ja3_md5,Firstseen,Lastseen,Listingreason
-b386946a5a44d1ddcc843bc75336dfce,2017-07-14 18:08:15,2019-07-27 20:42:54,Dridex
diff --git a/fuzz/corpus/fuzz_filecfg_malicious_ja3/2 b/fuzz/corpus/fuzz_filecfg_malicious_ja3/2
deleted file mode 100644
index b169853f2..000000000
--- a/fuzz/corpus/fuzz_filecfg_malicious_ja3/2
+++ /dev/null
@@ -1 +0,0 @@
-8991a387e4cc841740f25d6f5139f92d8991a387e4cc841740f25d6f5139f92d,2017-07-14 19:02:03,2019-07-28 00:34:38,Adware
diff --git a/fuzz/corpus/fuzz_filecfg_malicious_ja4/1 b/fuzz/corpus/fuzz_filecfg_malicious_ja4/1
new file mode 100644
index 000000000..5b788c0e9
--- /dev/null
+++ b/fuzz/corpus/fuzz_filecfg_malicious_ja4/1
@@ -0,0 +1,2 @@
+# ja4c,comment
+t13d1517h2_8daaf6152771_b0da82dd1658,comment
diff --git a/fuzz/corpus/fuzz_filecfg_malicious_ja4/2 b/fuzz/corpus/fuzz_filecfg_malicious_ja4/2
new file mode 100644
index 000000000..324017530
--- /dev/null
+++ b/fuzz/corpus/fuzz_filecfg_malicious_ja4/2
@@ -0,0 +1 @@
+t13d1517h2_8daaf6152771_b0da82dd1658,comment
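Review bot: Both JA4 seeds carry the same single well-formed fingerprint line, and seed 2 is seed 1 without the header, so the corpus starts with no malformed entry. The JA3 seed 2 deleted by this commit held a 64-character value where the header of seed 1 names an MD5 field, which looks like a deliberate over-long input. Consider giving seed 2 a different shape, such as a first field longer than a JA4C string or a line with no comma, so the fuzzer reaches the loader's length and separator handling from the first run. The loader is not part of this diff, so which checks it performs is an assumption.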
diff --git a/fuzz/fuzz_common_code.c b/fuzz/fuzz_common_code.c
index 647a28413..0c2febce8 100644
--- a/fuzz/fuzz_common_code.c
+++ b/fuzz/fuzz_common_code.c
@@ -53,7 +53,7 @@ void fuzz_init_detection_module(struct ndpi_detection_module_struct **ndpi_info_
ndpi_load_protocols_file(*ndpi_info_mod, "protos.txt");
ndpi_load_categories_file(*ndpi_info_mod, "categories.txt", NULL);
ndpi_load_risk_domain_file(*ndpi_info_mod, "risky_domains.txt");
- ndpi_load_malicious_ja3_file(*ndpi_info_mod, "ja3_fingerprints.csv");
+ ndpi_load_malicious_ja4_file(*ndpi_info_mod, "ja4_fingerprints.csv");
ndpi_load_malicious_sha1_file(*ndpi_info_mod, "sha1_fingerprints.csv");
ndpi_set_config(*ndpi_info_mod, NULL, "filename.config", "config.txt");
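Review bot: The result of `ndpi_load_malicious_ja4_file(*ndpi_info_mod, "ja4_fingerprints.csv")` is discarded, and no `ja4_fingerprints.csv` appears in the diffstat. The diffstat is limited to `fuzz/`, so the file may be added elsewhere, but if it is missing from the fuzzer's working directory the load presumably fails silently and the JA4 matching path is never fuzzed with a populated list. The same hard-coded name is used in the `fuzz_config.cpp` and `fuzz_ndpi_reader.c` hunks. At minimum add a comment such as `/* ja4_fingerprints.csv must be in the fuzzer's working directory; a failed load is ignored on purpose */`, and confirm that the build script copies the file next to the binaries. `fuzz_init_detection_module` begins and ends outside this hunk.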
diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp
index 8ced9381b..a07ef100d 100644
--- a/fuzz/fuzz_config.cpp
+++ b/fuzz/fuzz_config.cpp
@@ -87,9 +87,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
if(fuzzed_data.ConsumeBool())
ndpi_load_risk_domain_file(ndpi_info_mod, fuzzed_data.ConsumeBool() ? NULL : "invalid_filename"); /* Error */
if(fuzzed_data.ConsumeBool())
- ndpi_load_malicious_ja3_file(ndpi_info_mod, "ja3_fingerprints.csv");
+ ndpi_load_malicious_ja4_file(ndpi_info_mod, "ja4_fingerprints.csv");
if(fuzzed_data.ConsumeBool())
- ndpi_load_malicious_ja3_file(ndpi_info_mod, fuzzed_data.ConsumeBool() ? NULL : "invalid_filename"); /* Error */
+ ndpi_load_malicious_ja4_file(ndpi_info_mod, fuzzed_data.ConsumeBool() ? NULL : "invalid_filename"); /* Error */
if(fuzzed_data.ConsumeBool())
ndpi_load_malicious_sha1_file(ndpi_info_mod, "sha1_fingerprints.csv");
if(fuzzed_data.ConsumeBool())
diff --git a/fuzz/fuzz_filecfg_malicious_ja3.c b/fuzz/fuzz_filecfg_malicious_ja4.c
index 3d7b4e70b..c299382a8 100644
--- a/fuzz/fuzz_filecfg_malicious_ja3.c
+++ b/fuzz/fuzz_filecfg_malicious_ja4.c
@@ -18,7 +18,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
ndpi_set_config(ndpi_struct, "all", "log", "1");
fd = buffer_to_file(data, size);
- load_malicious_ja3_file_fd(ndpi_struct, fd);
+ load_malicious_ja4_file_fd(ndpi_struct, fd);
if(fd)
fclose(fd);
diff --git a/fuzz/fuzz_ndpi_reader.c b/fuzz/fuzz_ndpi_reader.c
index de38f95ac..6c5be9c40 100644
--- a/fuzz/fuzz_ndpi_reader.c
+++ b/fuzz/fuzz_ndpi_reader.c
@@ -78,7 +78,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
ndpi_load_protocols_file(workflow->ndpi_struct, "protos.txt");
ndpi_load_categories_file(workflow->ndpi_struct, "categories.txt", NULL);
ndpi_load_risk_domain_file(workflow->ndpi_struct, "risky_domains.txt");
- ndpi_load_malicious_ja3_file(workflow->ndpi_struct, "ja3_fingerprints.csv");
+ ndpi_load_malicious_ja4_file(workflow->ndpi_struct, "ja4_fingerprints.csv");
ndpi_load_malicious_sha1_file(workflow->ndpi_struct, "sha1_fingerprints.csv");
// enable all protocols