authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2024-10-28 23:36:51 +0100
committerGitHub <noreply@github.com>2024-10-28 23:36:51 +0100
commit9da99075aa174a7ecfc00fb9a18d32d3056d8db3 (patch)
treee3ad461c6c651cc5b179f1c8dc7180523c1add69 /src
parentdc125dc2a8a3aebd9accfd2deaae7dbecb5aae5a (diff)
TLS: export heuristic fingerprint as metadata (#2609)
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_typedefs.h10
-rw-r--r--src/lib/ndpi_main.c2
-rw-r--r--src/lib/protocols/tls.c14
3 files changed, 24 insertions, 2 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index fc6a6c837..d2931ece5 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1260,6 +1260,11 @@ struct os_fingerprint {
enum operating_system_hint os;
};
+struct ndpi_tls_obfuscated_heuristic_matching_set {
+ u_int32_t bytes[4];
+ u_int32_t pkts[4];
+};
+
struct ndpi_flow_struct {
u_int16_t detected_protocol_stack[NDPI_PROTOCOL_SIZE];
@@ -1373,6 +1378,7 @@ struct ndpi_flow_struct {
message_t message[2]; /* Directions */
u_int8_t certificate_processed:1, change_cipher_from_client:1, change_cipher_from_server:1, from_opportunistic_tls:1, pad:4;
struct tls_obfuscated_heuristic_state *obfuscated_heur_state;
+ struct ndpi_tls_obfuscated_heuristic_matching_set *obfuscated_heur_matching_set;
} tls_quic; /* Used also by DTLS and POPS/IMAPS/SMTPS/FTPS */
union {
@@ -1608,8 +1614,8 @@ struct ndpi_flow_struct {
_Static_assert(sizeof(((struct ndpi_flow_struct *)0)->protos) <= 264,
"Size of the struct member protocols increased to more than 264 bytes, "
"please check if this change is necessary.");
-_Static_assert(sizeof(struct ndpi_flow_struct) <= 1192,
- "Size of the flow struct increased to more than 1192 bytes, "
+_Static_assert(sizeof(struct ndpi_flow_struct) <= 1200,
+ "Size of the flow struct increased to more than 1200 bytes, "
"please check if this change is necessary.");
#endif
#endif
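Review bot: The new public struct `ndpi_tls_obfuscated_heuristic_matching_set` in the first hunk has no comment saying what `bytes[4]` and `pkts[4]` hold or when the field is populated, and since it lives in the exported ndpi_typedefs.h that is what API consumers will read. I would put above the struct something like `/* Matching set of the obfuscated-TLS heuristic, exported as flow metadata. Only populated when the heuristic matched (see tls.c); the per-entry meaning presumably mirrors the internal set in tls.c - confirm. */`, and on the pointer added in the second hunk `/* NULL unless the heuristic matched; owned by the flow, released in ndpi_free_flow_data() */`. The array bound 4 is a bare magic number repeated in both fields; if the internal set in tls.c has the same dimension (I cannot see its definition from here), a shared named constant would keep the exported copy and the internal one from silently diverging. The size-limit bump in the third hunk is consistent with the single pointer that was added.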
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 5298f8291..98873e959 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -6817,6 +6817,8 @@ void ndpi_free_flow_data(struct ndpi_flow_struct* flow) {
if(flow->tls_quic.obfuscated_heur_state)
ndpi_free(flow->tls_quic.obfuscated_heur_state);
+ if(flow->tls_quic.obfuscated_heur_matching_set)
+ ndpi_free(flow->tls_quic.obfuscated_heur_matching_set);
}
}
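Review bot: The added free of `obfuscated_heur_matching_set` leaves the pointer dangling in the flow, in the same way as the `obfuscated_heur_state` free just above it. If `ndpi_free_flow_data()` can be invoked on a flow that is later reused or torn down again (I cannot tell from this hunk), that is a double-free in waiting; the cheap defence is to follow the free with `flow->tls_quic.obfuscated_heur_matching_set = NULL;`. The enclosing function begins before the hunk.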
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 048060188..498147181 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -380,6 +380,20 @@ static int tls_obfuscated_heur_search(struct ndpi_detection_module_struct* ndpi_
NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: set %d completed\n", i);
if(check_set(ndpi_struct, set)) {
/* Heuristic match */
+
+ /* Export the matching set as metadata */
+ flow->tls_quic.obfuscated_heur_matching_set = ndpi_calloc(1, sizeof(struct ndpi_tls_obfuscated_heuristic_matching_set));
+ if(flow->tls_quic.obfuscated_heur_matching_set) {
+ flow->tls_quic.obfuscated_heur_matching_set->bytes[0] = set->bytes[0];
+ flow->tls_quic.obfuscated_heur_matching_set->bytes[1] = set->bytes[1];
+ flow->tls_quic.obfuscated_heur_matching_set->bytes[2] = set->bytes[2];
+ flow->tls_quic.obfuscated_heur_matching_set->bytes[3] = set->bytes[3];
+ flow->tls_quic.obfuscated_heur_matching_set->pkts[0] = set->pkts[0];
+ flow->tls_quic.obfuscated_heur_matching_set->pkts[1] = set->pkts[1];
+ flow->tls_quic.obfuscated_heur_matching_set->pkts[2] = set->pkts[2];
+ flow->tls_quic.obfuscated_heur_matching_set->pkts[3] = set->pkts[3];
+ }
+
return 2; /* Found */
} else {
/* Close this set and open a new one... */