TLS: extract JA3 signatures in some corner cases

In some (rare) cases, Client Hello message contains lots of cipher
suits.

4 files changed, 16 insertions, 0 deletions

diff --git a/tests/pcap/ja3_lots_of_cipher_suites.pcap b/tests/pcap/ja3_lots_of_cipher_suites.pcap
new file mode 100644
index 000000000..86fc74712
--- /dev/null
+++ b/tests/pcap/ja3_lots_of_cipher_suites.pcap
diff --git a/tests/pcap/ja3_lots_of_cipher_suites_2_anon.pcap b/tests/pcap/ja3_lots_of_cipher_suites_2_anon.pcap
new file mode 100644
index 000000000..7286f3a73
--- /dev/null
+++ b/tests/pcap/ja3_lots_of_cipher_suites_2_anon.pcap
diff --git a/tests/result/ja3_lots_of_cipher_suites.pcap.out b/tests/result/ja3_lots_of_cipher_suites.pcap.out
new file mode 100644
index 000000000..46d0c9b8b
--- /dev/null
+++ b/tests/result/ja3_lots_of_cipher_suites.pcap.out
@@ -0,0 +1,8 @@
+TLS	11	5132	1
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 10.206.131.18            	 1      
+
+
+	1	TCP 10.206.131.18:58657 <-> 10.206.65.249:443 [VLAN: 258][proto: 91/TLS][cat: Web/5][5 pkts/1144 bytes <-> 6 pkts/3988 bytes][Goodput ratio: 70/90][0.22 sec][bytes ratio: -0.554 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 64/39 164/136 72/50][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 229/665 866/1522 319/650][Risk: ** TLS Certificate Mismatch **][TLSv1.2][JA3C: 0463681bfef175d3d61ec414c65e482c][JA3S: 9d456958a9e86bb0d503543beaf1a65b][Issuer: C=US, ST=New York, L=Rochester, O=Xerox Corporation, OU=Generic Root Certificate Authority, CN=Xerox Generic Root Certificate Authority][Subject: C=US, ST=Connecticut, L=Norwalk, O=Xerox Corporation, OU=Global Product Delivery Group, CN=XRX9C934E949FEF, C=US, ST=Connecticut, L=Norwalk, O=Xerox Corporation, OU=Global Product Delivery Group, CN=XRX9C934E949FEF][Certificate SHA-1: 3B:2B:5E:58:6E:3E:30:1F:52:BF:9B:81:20:47:DE:10:A0:67:8E:FA][Validity: 2018-11-29 18:57:22 - 2023-11-29 18:57:22][Cipher: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA]
diff --git a/tests/result/ja3_lots_of_cipher_suites_2_anon.pcap.out b/tests/result/ja3_lots_of_cipher_suites_2_anon.pcap.out
new file mode 100644
index 000000000..3f789f4cd
--- /dev/null
+++ b/tests/result/ja3_lots_of_cipher_suites_2_anon.pcap.out
@@ -0,0 +1,8 @@
+TLS	27	6966	1
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 192.168.147.177          	 1      
+
+
+	1	TCP 192.168.147.177:58496 <-> 151.121.193.160:443 [proto: GTP:91/TLS][cat: Web/5][13 pkts/3520 bytes <-> 14 pkts/3446 bytes][Goodput ratio: 60/59][5.96 sec][bytes ratio: 0.011 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 479/256 1619/1072 582/419][Pkt Len c2s/s2c min/avg/max/stddev: 106/90 271/246 1202/1490 315/354][Risk: ** Self-signed Certificate **** Weak TLS cipher **][TLSv1.2][Client: 192.69.136.179][JA3C: 50221ef5bde0fcee8864bbcea5211d51][JA3S: 7c02dbae662670040c7af9bd15fb7e2f (WEAK)][Issuer: C=DE, ST=Munich, L=Grenoble, O=Munniccan Establishment GmBH, OU=Munnican Workforce, CN=munniccan.de][Subject: C=DE, ST=Munich, L=Grenoble, O=Munniccan Establishment GmBH, OU=Munnican Workforce, CN=munniccan.de][Certificate SHA-1: 91:0C:1D:82:6B:28:01:8F:55:03:28:5B:90:A9:18:B9:ED:72:01:37][Validity: 2016-12-21 19:19:24 - 2019-09-16 19:19:24][Cipher: TLS_RSA_WITH_AES_256_GCM_SHA384]