authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2024-10-01 17:15:03 +0200
committerGitHub <noreply@github.com>2024-10-01 17:15:03 +0200
commit623b7e236f52af5447beae39f97f2fd0feaf65e2 (patch)
tree3fab86995033e186e9658bd71f68aeb60ef20050 /src/lib/protocols
parent8972b74fd072286bf7ada214e96a50445b69abaf (diff)
TLS: detect abnormal padding usage (#2579)
Padding is usually a few hundred bytes long. Longer padding might be used as an obfuscation technique to force unusual CH fragmentation
Diffstat (limited to 'src/lib/protocols')
1 files changed, 9 insertions, 0 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 44736a3a2..b42d200fc 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -3197,6 +3197,15 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
}
s_offset += param_len;
}
+ } else if(extension_id == 21) { /* Padding */
+ /* Padding is usually some hundreds byte long. Longer padding
+ might be used as obfuscation technique to force unusual CH fragmentation */
+ if(extension_len > 500 /* Arbitrary value */) {
+#ifdef DEBUG_TLS
+ printf("Padding length: %d\n", extension_len);
+#endif
+ ndpi_set_risk(flow, NDPI_OBFUSCATED_TRAFFIC, "Abnormal Client Hello/Padding length");
+ }
}
extension_offset += extension_len; /* Move to the next extension */