Add some heuristics to detect encrypted/obfuscated/proxied TLS flows (#2553)

Based on the paper: "Fingerprinting Obfuscated Proxy Traffic with Encapsulated TLS Handshakes". See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting Basic idea: * the packets/bytes distribution of a TLS handshake is quite unique * this fingerprint is still detectable if the handshake is encrypted/proxied/obfuscated All heuristics are disabled by default.
author: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> 2024-09-24 14:20:31 +0200
committer: GitHub <noreply@github.com> 2024-09-24 14:20:31 +0200
commit: ddd08f913c80289e13e9c000e11c473a21ec23ca (patch)
tree: 4ed5ba0fbaa250b5999c2d3bac91466dd12303ac /tests/cfgs/tls_heuristics_enabled/config.txt
parent: 686d0e3839768dbbf1a073db9cb0cef58b6e5da8 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/tests/cfgs/tls_heuristics_enabled/config.txt b/tests/cfgs/tls_heuristics_enabled/config.txt
new file mode 100644
index 000000000..0fece59c0
--- /dev/null
+++ b/tests/cfgs/tls_heuristics_enabled/config.txt
@@ -0,0 +1 @@
+--cfg=tls,dpi.heuristics,0x07 --cfg=tls,dpi.heuristics.max_packets_extra_dissection,25
author	Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>	2024-09-24 14:20:31 +0200
committer	GitHub <noreply@github.com>	2024-09-24 14:20:31 +0200
commit	ddd08f913c80289e13e9c000e11c473a21ec23ca (patch)
tree	4ed5ba0fbaa250b5999c2d3bac91466dd12303ac /tests/cfgs/tls_heuristics_enabled/config.txt
parent	686d0e3839768dbbf1a073db9cb0cef58b6e5da8 (diff)