aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorLuca Deri <deri@ntop.org>2021-05-13 20:00:27 +0200
committerLuca Deri <deri@ntop.org>2021-05-13 20:00:27 +0200
commitac1eaca8a6909932d29ae8ac9bae372ed3bf65a6 (patch)
tree7e7b84a0ab93ead281b2222fb6456467a5a48787 /src
parenta62be9b8ecd4d3bd885654ee27d7041c005d0121 (diff)
Added browser TLS heuristic
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_typedefs.h2
-rw-r--r--src/lib/protocols/tls.c48
2 files changed, 34 insertions, 16 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 7f7a084e2..d863c4e24 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1221,7 +1221,7 @@ struct tls_euristics {
TLS euristics for detecting browsers usage
NOTE: expect false positives
*/
- u_int8_t is_safari_tls:1, is_firefox_tls:1, notused:6;
+ u_int8_t is_safari_tls:1, is_firefox_tls:1, is_chrome_tls:1, notused:5;
};
/*
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 7c4427a6f..871b6f435 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1413,7 +1413,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
#endif
if((cipher_offset+cipher_len) <= total_len) {
- u_int8_t safari_ciphers = 0;
+ u_int8_t safari_ciphers = 0, chrome_ciphers = 0;
for(i=0; i<cipher_len;) {
u_int16_t *id = (u_int16_t*)&packet->payload[cipher_offset+i];
@@ -1440,25 +1440,37 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
switch(cipher_id) {
case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
+ safari_ciphers++;
+ break;
+
+ case TLS_CIPHER_GREASE_RESERVED_0:
+ case TLS_AES_128_GCM_SHA256:
+ case TLS_AES_256_GCM_SHA384:
+ case TLS_CHACHA20_POLY1305_SHA256:
+ chrome_ciphers++;
+ break;
+
case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:
- case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
- case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
- case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
+ case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
+ case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
+ case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
case TLS_RSA_WITH_AES_128_CBC_SHA:
- case TLS_RSA_WITH_AES_128_GCM_SHA256:
case TLS_RSA_WITH_AES_256_CBC_SHA:
- case TLS_RSA_WITH_AES_256_GCM_SHA384:
- safari_ciphers++;
+ case TLS_RSA_WITH_AES_128_GCM_SHA256:
+ case TLS_RSA_WITH_AES_256_GCM_SHA384:
+ safari_ciphers++, chrome_ciphers++;
break;
}
}
i += 2;
} /* for */
-
- if(safari_ciphers == 12)
+
+ if(chrome_ciphers == 13)
+ flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls = 1;
+ else if(safari_ciphers == 12)
flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls = 1;
} else {
invalid_ja3 = 1;
@@ -1648,7 +1660,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
#endif
}
} else if(extension_id == 13 /* signature algorithms */) {
- u_int16_t s_offset = offset+extension_offset, safari_signature_algorithms = 0;
+ u_int16_t s_offset = offset+extension_offset, safari_signature_algorithms = 0, chrome_signature_algorithms = 0;
u_int16_t tot_signature_algorithms_len = ntohs(*((u_int16_t*)&packet->payload[s_offset]));
#ifdef DEBUG_TLS
@@ -1689,15 +1701,21 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
case RSA_PSS_RSAE_SHA256:
case RSA_PSS_RSAE_SHA384:
case RSA_PSS_RSAE_SHA512:
- safari_signature_algorithms++;
+ chrome_signature_algorithms++, safari_signature_algorithms++;
break;
}
}
- if((safari_signature_algorithms != 8)
- || flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_firefox_tls)
- flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls = 0;
-
+ if(flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_firefox_tls)
+ flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls = 0,
+ flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls = 0;
+
+ if(safari_signature_algorithms != 8)
+ flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls = 0;
+
+ if(chrome_signature_algorithms != 8)
+ flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls = 0;
+
ja3.client.signature_algorithms[i*2] = '\0';
#ifdef DEBUG_TLS
Powered by cgit, Themed by Ted Yin.