diff options
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-09-24 14:20:31 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-09-24 14:20:31 +0200 |
| commit | ddd08f913c80289e13e9c000e11c473a21ec23ca (patch) | |
| tree | 4ed5ba0fbaa250b5999c2d3bac91466dd12303ac /src/lib/ndpi_main.c | |
| parent | 686d0e3839768dbbf1a073db9cb0cef58b6e5da8 (diff) | |
Add some heuristics to detect encrypted/obfuscated/proxied TLS flows (#2553)
Based on the paper: "Fingerprinting Obfuscated Proxy Traffic with
Encapsulated TLS Handshakes".
See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting
Basic idea:
* the packets/bytes distribution of a TLS handshake is quite unique
* this fingerprint is still detectable if the handshake is
encrypted/proxied/obfuscated
All heuristics are disabled by default.
Diffstat (limited to 'src/lib/ndpi_main.c')
| -rw-r--r-- | src/lib/ndpi_main.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index b3b70de5a..e70fb87ec 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -198,7 +198,7 @@ static ndpi_risk_info ndpi_known_risks[] = { { NDPI_MALWARE_HOST_CONTACTED, NDPI_RISK_SEVERE, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, { NDPI_BINARY_DATA_TRANSFER, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, { NDPI_PROBING_ATTEMPT, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, - { NDPI_OBFUSCATED_TRAFFIC, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_BOTH_ACCOUNTABLE }, + { NDPI_OBFUSCATED_TRAFFIC, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_BOTH_ACCOUNTABLE }, /* Leave this as last member */ { NDPI_MAX_RISK, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_NO_ACCOUNTABILITY } @@ -6769,6 +6769,9 @@ void ndpi_free_flow_data(struct ndpi_flow_struct* flow) { if(flow->flow_payload != NULL) ndpi_free(flow->flow_payload); + + if(flow->tls_quic.obfuscated_heur_state) + ndpi_free(flow->tls_quic.obfuscated_heur_state); } } @@ -8320,6 +8323,7 @@ static void ndpi_reset_packet_line_info(struct ndpi_packet_struct *packet) { packet->server_line.len = 0, packet->http_method.ptr = NULL, packet->http_method.len = 0, packet->http_response.ptr = NULL, packet->http_response.len = 0, packet->forwarded_line.ptr = NULL, packet->forwarded_line.len = 0; + packet->upgrade_line.ptr = NULL, packet->upgrade_line.len = 0; } /* ********************************************************************************* */ @@ -9026,6 +9030,7 @@ static void parse_single_packet_line(struct ndpi_detection_module_struct *ndpi_s { "Authorization:", &packet->authorization_line }, { NULL, NULL} }; struct header_line headers_u[] = { { "User-agent:", &packet->user_agent_line }, + { "Upgrade:", &packet->upgrade_line }, { NULL, NULL} }; struct header_line headers_c[] = { { "Content-Disposition:", &packet->content_disposition_line }, { "Content-type:", &packet->content_line }, @@ -11452,6 +11457,8 @@ static const struct cfg_param { { "tls", "certificate_expiration_threshold", "30", "0", "365", CFG_PARAM_INT, __OFF(tls_certificate_expire_in_x_days), NULL }, { "tls", "application_blocks_tracking", "disable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_app_blocks_tracking_enabled), NULL }, + { "tls", "dpi.heuristics", "0x00", "0", "0x07", CFG_PARAM_INT, __OFF(tls_heuristics), NULL }, + { "tls", "dpi.heuristics.max_packets_extra_dissection", "25", "0", "255", CFG_PARAM_INT, __OFF(tls_heuristics_max_packets), NULL }, { "tls", "metadata.sha1_fingerprint", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_sha1_fingerprint_enabled), NULL }, { "tls", "metadata.ja3c_fingerprint", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja3c_fingerprint_enabled), NULL }, { "tls", "metadata.ja3s_fingerprint", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja3s_fingerprint_enabled), NULL }, |