authorNardi Ivan <nardi.ivan@gmail.com>2022-10-17 15:05:23 +0200
committerToni <matzeton@googlemail.com>2022-10-20 22:00:12 +0200
commit9c0caa536204e647518deab41e2cd5b7ff93c77d (patch)
tree7f8d8a227aa8ae4aac1742a7ef269e6131550d15 /src/lib/protocols/tls.c
parentc1b6aa948308dc3e003d540ceba536f891ef7df4 (diff)
TLS: allow sub-classification via ALPN
In some rare cases, it is possible to sub-classify the flow via ALPN matching. This is particularly useful for asymmetric traffic where the Client Hello doesn't have the SNI. For the time being there is only one rule, about ANYDESK.
Diffstat (limited to 'src/lib/protocols/tls.c')
-rw-r--r--src/lib/protocols/tls.c29
1 files changed, 28 insertions, 1 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index a602fbeeb..869fe504b 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1257,6 +1257,26 @@ void switch_extra_dissection_to_tls(struct ndpi_detection_module_struct *ndpi_st
/* **************************************** */
+static void tls_subclassify_by_alpn(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
+ /* Right now we have only one rule so we can keep it trivial */
+
+ if (!flow->protos.tls_quic.alpn)
+ return;
+
+ if(strlen(flow->protos.tls_quic.alpn) > NDPI_STATICSTRING_LEN("anydesk/") &&
+ strncmp(flow->protos.tls_quic.alpn, "anydesk/", NDPI_STATICSTRING_LEN("anydesk/")) == 0) {
+#ifdef DEBUG_TLS
+ printf("Matching ANYDESK via alpn\n");
+#endif
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ANYDESK,
+ __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI);
+ flow->protos.tls_quic.subprotocol_detected = 1;
+ }
+}
+
+/* **************************************** */
+
static void tlsCheckUncommonALPN(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
char * alpn_start = flow->protos.tls_quic.alpn;
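Review bot: The prefix test in tls_subclassify_by_alpn only ever sees the first ALPN entry: `flow->protos.tls_quic.alpn` is the comma-separated list (the JA3 code further down replaces those commas, and tlsCheckUncommonALPN walks it via `alpn_start`), so a client offering e.g. "h2,anydesk/…" is not matched while "anydesk/…,h2" is. That is acceptable for a single rule, but it should be stated next to the comparison, e.g. `/* Prefix match on the raw alpn string: only the first entry of the comma-separated list is examined */`. It is also worth noting in the same comment that the value comes verbatim from the Client Hello, so this is a trust-the-client prefix match rather than any verification of the AnyDesk handshake, even though the result is recorded with NDPI_CONFIDENCE_DPI. If matching any entry is wanted later, the comma-walking loop in tlsCheckUncommonALPN (whose body continues outside the hunk) is the pattern to reuse rather than a bare strstr(), which would also accept "xanydesk/".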
@@ -2182,9 +2202,16 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
#ifdef DEBUG_TLS
printf("Client TLS [ALPN: %s][len: %u]\n", alpn_str, alpn_str_len);
#endif
- if(flow->protos.tls_quic.alpn == NULL)
+ if(flow->protos.tls_quic.alpn == NULL) {
flow->protos.tls_quic.alpn = ndpi_strdup(alpn_str);
+ /* Without SNI matching we can try to sub-classify the flow via ALPN.
+ Note that this happens only on very rare cases, not the common ones
+ ("h2", "http/1.1", ...). Usefull for asymmetric traffic */
+ if(!flow->protos.tls_quic.subprotocol_detected)
+ tls_subclassify_by_alpn(ndpi_struct, flow);
+ }
+
ndpi_snprintf(ja3.client.alpn, sizeof(ja3.client.alpn), "%s", alpn_str);
/* Replace , with - as in JA3 */