author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-10-01 17:15:03 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-10-01 17:15:03 +0200 |
commit | 623b7e236f52af5447beae39f97f2fd0feaf65e2 (patch) | |
tree | 3fab86995033e186e9658bd71f68aeb60ef20050 /src | |
parent | 8972b74fd072286bf7ada214e96a50445b69abaf (diff) |
TLS: detect abnormal padding usage (#2579)
Padding is usually some hundreds byte long. Longer padding might be used
as obfuscation technique to force unusual CH fragmentation
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/protocols/tls.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 44736a3a2..b42d200fc 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -3197,6 +3197,15 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 }
 s_offset += param_len;
 }
+ } else if(extension_id == 21) { /* Padding */
+ /* Padding is usually some hundreds byte long. Longer padding
+ might be used as obfuscation technique to force unusual CH fragmentation */
+ if(extension_len > 500 /* Arbitrary value */) {
+#ifdef DEBUG_TLS
+ printf("Padding length: %d\n", extension_len);
+#endif
+ ndpi_set_risk(flow, NDPI_OBFUSCATED_TRAFFIC, "Abnormal Client Hello/Padding length");
+ }
 }
 extension_offset += extension_len; /* Move to the next extension */
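Review bot: The new `extension_id == 21` branch judges the padding extension by its length only, but RFC 7685 requires the padding payload to consist entirely of zero bytes, and a non-zero payload is a much stronger obfuscation signal than a long one; the payload should be scanned for non-zero bytes (when the extension fits within the captured packet) and the same risk raised if any are found. Judging by the `extension_offset += extension_len` step after the branch, the payload appears to start at `extension_offset`, but the loop setup that establishes this and its bounds check sit before the hunk, so confirm that before reading the bytes. The `500 /* Arbitrary value */` magic number would also read better as a named constant, e.g. `#define NDPI_TLS_MAX_PADDING_LEN 500`, with a comment noting why that threshold was chosen (my understanding is that mainstream stacks only pad a 256–511 byte Client Hello up to 512 bytes, so legitimate padding should stay well below it, but that rationale is not stated in the commit). processClientServerHello starts before and continues after this hunk.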