| | | |
|---|---|---|
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-10-01 17:15:03 +0200 |
| committer | GitHub <noreply@github.com> | 2024-10-01 17:15:03 +0200 |
| commit | 623b7e236f52af5447beae39f97f2fd0feaf65e2 (patch) | |
| tree | 3fab86995033e186e9658bd71f68aeb60ef20050 /tests | |
| parent | 8972b74fd072286bf7ada214e96a50445b69abaf (diff) | |
TLS: detect abnormal padding usage (#2579)
Padding is usually some hundreds of bytes long. Longer padding might be used
as an obfuscation technique to force unusual CH fragmentation.
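As an added illustration of the check the commit message describes (example code written for this page, not nDPI's own implementation): walk a ClientHello's extension list, locate the padding extension (type 21, RFC 7685) and flag it when its length exceeds a threshold. The 512-byte threshold, the constructed ClientHello builder, the `demo_case` helper and all function names are assumptions; nDPI's real threshold and risk logic are not shown on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TLS_EXT_PADDING     21   /* RFC 7685 padding extension */
#define PADDING_MAX_NORMAL 512   /* assumed threshold; nDPI's real value is not on this page */

/* Return the length of the padding extension in a ClientHello handshake
 * message, 0 if the extension is absent, or -1 if the message is malformed
 * or not entirely contained in buf (e.g. fragmented across TCP segments). */
static int tls_ch_padding_len(const uint8_t *buf, size_t len)
{
    size_t off, ext_end;
    uint32_t hs_len;
    uint16_t n;

    if (len < 4 || buf[0] != 1)                 /* HandshakeType client_hello */
        return -1;
    hs_len = ((uint32_t)buf[1] << 16) | ((uint32_t)buf[2] << 8) | buf[3];
    if ((size_t)hs_len + 4 > len)               /* body not fully present yet */
        return -1;
    len = (size_t)hs_len + 4;                   /* ignore anything after the message */
    off = 4 + 2 + 32;                           /* header, legacy_version, random */
    if (off + 1 > len) return -1;
    off += 1 + buf[off];                        /* legacy_session_id */
    if (off + 2 > len) return -1;
    n = (uint16_t)((buf[off] << 8) | buf[off + 1]);
    off += 2 + n;                               /* cipher_suites */
    if (off + 1 > len) return -1;
    off += 1 + buf[off];                        /* legacy_compression_methods */
    if (off + 2 > len) return -1;
    n = (uint16_t)((buf[off] << 8) | buf[off + 1]);
    off += 2;
    ext_end = off + n;                          /* extensions vector */
    if (ext_end > len) return -1;

    while (off + 4 <= ext_end) {
        uint16_t type = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        uint16_t elen = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        off += 4;
        if (off + elen > ext_end) return -1;
        if (type == TLS_EXT_PADDING) return (int)elen;
        off += elen;
    }
    return 0;
}

/* 1 = abnormal, 0 = normal or absent, -1 = cannot decide from the bytes seen */
static int padding_is_abnormal(const uint8_t *buf, size_t len)
{
    int n = tls_ch_padding_len(buf, len);
    if (n < 0) return -1;
    return n > PADDING_MAX_NORMAL;
}

/* Constructed sample (not from the test pcap): a minimal ClientHello with no
 * SNI, one cipher suite and a padding extension of pad_len bytes. */
static size_t build_client_hello(uint8_t *out, size_t cap, uint16_t pad_len)
{
    size_t body = 47 + (size_t)pad_len;        /* fixed fields + padding ext */
    uint8_t *p = out;
    uint16_t ext_total;

    if (body + 4 > cap) return 0;
    ext_total = (uint16_t)(4 + pad_len);
    *p++ = 1; *p++ = (uint8_t)(body >> 16); *p++ = (uint8_t)(body >> 8); *p++ = (uint8_t)body;
    *p++ = 3; *p++ = 3;                        /* legacy_version 0x0303 */
    memset(p, 0x11, 32); p += 32;              /* random (fixed filler) */
    *p++ = 0;                                  /* empty session id */
    *p++ = 0; *p++ = 2; *p++ = 0x13; *p++ = 0x01;  /* TLS_AES_128_GCM_SHA256 */
    *p++ = 1; *p++ = 0;                        /* null compression */
    *p++ = (uint8_t)(ext_total >> 8); *p++ = (uint8_t)ext_total;
    *p++ = 0; *p++ = TLS_EXT_PADDING;
    *p++ = (uint8_t)(pad_len >> 8); *p++ = (uint8_t)pad_len;
    memset(p, 0, pad_len); p += pad_len;
    return (size_t)(p - out);
}

/* Build a sample with pad_len bytes of padding and classify it; if only
 * `avail` bytes had arrived so far (0 = all), classify that prefix instead. */
static int demo_case(uint16_t pad_len, size_t avail)
{
    uint8_t ch[8192];
    size_t n = build_client_hello(ch, sizeof ch, pad_len);
    if (n == 0) return -1;
    if (avail == 0 || avail > n) avail = n;
    return padding_is_abnormal(ch, avail);
}

int main(void)
{
    printf("200-byte padding, complete   : %d\n", demo_case(200, 0));     /* 0 */
    printf("4000-byte padding, complete  : %d\n", demo_case(4000, 0));    /* 1 */
    printf("4000-byte padding, 1st 1460B : %d\n", demo_case(4000, 1460)); /* -1 */
    return 0;
}
```

The third case is the one the commit message is about: a ClientHello inflated by padding no longer fits one TCP segment, so a dissector looking at the first segment alone cannot even reach the extension list and must reassemble before deciding, which is exactly why an unusually large padding value is a useful signal on its own.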
Diffstat (limited to 'tests')

| mode | file | changes |
|---|---|---|
| -rw-r--r-- | tests/cfgs/default/pcap/tls_with_huge_ch.pcapng | bin, 0 -> 138936 bytes |
| -rw-r--r-- | tests/cfgs/default/result/tls_with_huge_ch.pcapng.out | 32 |

2 files changed, 32 insertions, 0 deletions
diff --git a/tests/cfgs/default/pcap/tls_with_huge_ch.pcapng b/tests/cfgs/default/pcap/tls_with_huge_ch.pcapng Binary files differnew file mode 100644 index 000000000..383243484 --- /dev/null +++ b/tests/cfgs/default/pcap/tls_with_huge_ch.pcapng diff --git a/tests/cfgs/default/result/tls_with_huge_ch.pcapng.out b/tests/cfgs/default/result/tls_with_huge_ch.pcapng.out new file mode 100644 index 000000000..e07fecb15 --- /dev/null +++ b/tests/cfgs/default/result/tls_with_huge_ch.pcapng.out 
@@ -0,0 +1,32 @@ +DPI Packets (TCP): 32 (32.00 pkts/flow) +Confidence DPI : 1 (flows) +Num dissector calls: 284 (284.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/3/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/1/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 0/1/0 (insert/search/found) +Automa host: 0/0 (search/found) +Automa domain: 0/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 2/2 (search/found) +Patricia risk mask: 2/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 2/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +TLS 428 119100 1 + +Safe 428 119100 1 + +JA3 Host Stats: + IP Address # JA3C + 1 172.30.84.193 1 + + + 1 TCP 172.30.84.193:40640 <-> 208.253.217.142:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 32][cat: Web/5][194 pkts/51762 bytes <-> 234 pkts/67338 bytes][Goodput ratio: 75/77][31.67 sec][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.131 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 135/123 2012/2189 352/307][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 267/288 1090/1514 287/409][Risk: ** Missing SNI TLS Extn **** ALPN/SNI Mismatch **** Obfuscated Traffic **][Risk Score: 200][Risk Info: Abnormal Client Hello/Padding length / SNI should always be present / h2][TLSv1.2][JA3C: 66d6080b942b0b593896bf729f3fd326][JA4: t13d1811h2_f71e3e15ae0d_5c3a8cf9b2bc][Firefox][Plen Bins: 0,0,7,52,4,3,7,1,2,0,2,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,10,0,0,1,0,0,0,0,0,0,1,0,0,1,0,0] |
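Review bot: the diffstat adds only a positive case; there is no companion pcap with ordinary padding (the "some hundreds of bytes" the commit message calls usual) to show the new check stays silent on normal traffic, and the single sample is an extreme one (a 32-packet DPI phase for one ClientHello). In the expected flow line the condition surfaces only under the generic "Obfuscated Traffic" risk with Risk Info "Abnormal Client Hello/Padding length", next to "Missing SNI TLS Extn" and "ALPN/SNI Mismatch", so a regression in the padding threshold would not be distinguishable from a change in the other two risks by this file alone. Suggest adding a second pcap with padding just below the threshold whose .out carries no "Abnormal Client Hello/Padding length" entry, so the boundary is pinned rather than inferred from one huge sample.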