authorLuca Deri <deri@ntop.org>2021-02-22 23:19:23 +0100
committerLuca Deri <deri@ntop.org>2021-02-22 23:19:23 +0100
commitf1b22b199f08469407c55dcd98ec24af85da0fd3 (patch)
tree9311e4920c5fe876624f6ca2b0185456fd14c8cf /src/lib/protocols/tls.c
parentfc3db8f1691e913b03ca88a47770c5abf3104ef8 (diff)
Added NDPI_MALICIOUS_JA3 flow risk
Added ndpi_load_malicious_ja3_file() API call
Diffstat (limited to 'src/lib/protocols/tls.c')
-rw-r--r--src/lib/protocols/tls.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 99f5f5649..f38f4f87d 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1576,9 +1576,18 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
md5_hash[i]);
if(rc > 0) j += rc; else break;
}
+
#ifdef DEBUG_TLS
printf("[JA3] Client: %s \n", flow->protos.tls_quic_stun.tls_quic.ja3_client);
#endif
+
+ if(ndpi_struct->malicious_ja3_automa.ac_automa != NULL) {
+ u_int16_t rc1 = ndpi_match_string(ndpi_struct->malicious_ja3_automa.ac_automa,
+ flow->protos.tls_quic_stun.tls_quic.ja3_client);
+
+ if(rc1 > 0)
+ NDPI_SET_BIT(flow->risk, NDPI_MALICIOUS_JA3);
+ }
}
/* Before returning to the caller we need to make a final check */
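Review bot: The result of `ndpi_match_string()` is stored in `u_int16_t rc1`, which discards the sign of whatever that function returns. Its declaration is not visible in this hunk, but if it reports a lookup failure (for example an empty or NULL string) with a negative value, that value wraps to a large positive number and `rc1 > 0` sets NDPI_MALICIOUS_JA3 on a flow that never matched the list. Keeping the sign avoids a false-positive risk flag: `int rc1 = ndpi_match_string(ndpi_struct->malicious_ja3_automa.ac_automa, flow->protos.tls_quic_stun.tls_quic.ja3_client);`. A short comment above the block would also help, such as `/* Flag the flow when the client JA3 is in the list loaded by ndpi_load_malicious_ja3_file() */`. processClientServerHello starts and ends outside the hunk, so the surrounding JA3 buffer handling could not be checked here.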