-rw-r--r--src/lib/protocols/tls.c28
-rw-r--r--tests/result/long_tls_certificate.pcap.out2
-rw-r--r--tests/result/tls_certificate_too_long.pcap.out22
3 files changed, 27 insertions, 25 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 7a3b5e44f..b2d3dc754 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -94,8 +94,8 @@ union ja3_info {
*/
#define NDPI_MAX_TLS_REQUEST_SIZE 10000
-#define TLS_THRESHOLD 34186659 // Threshold for certificate validity
-#define TLS_LIMIT_DATE 1598918400 // From 01/09/2020 TLS certificates lifespan is limited to 13 months
+#define TLS_THRESHOLD 34186659 /* Threshold for certificate validity */
+#define TLS_LIMIT_DATE 1598918400 /* From 01/09/2020 TLS certificates lifespan is limited to 13 months */
/* skype.c */
extern u_int8_t is_skype_flow(struct ndpi_detection_module_struct *ndpi_struct,
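Review bot: The reworded comment on TLS_THRESHOLD still gives the constant no unit, although it is compared against `notAfter - notBefore` further down in this file, where the same fields are compared with `time_sec`, so it is presumably a number of seconds (34186659 s is about 395.7 days) — worth confirming against the field type. I would spell that out, e.g. `#define TLS_THRESHOLD 34186659 /* seconds (~395.7 days): max certificate validity, ~13 months */`, and likewise state that TLS_LIMIT_DATE is a Unix timestamp, `/* 2020-09-01 00:00:00 UTC: certificates issued after this are limited to ~13 months */`. Readers auditing the risk threshold otherwise have to reverse the arithmetic.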
@@ -422,7 +422,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
for(j=0; j<len; j++) printf("%c", packet->payload[i+4+j]);
printf("]\n");
#endif
-
+
if(len < (sizeof(utcDate)-1)) {
struct tm utc;
utc.tm_isdst = -1; /* Not set by strptime */
@@ -456,7 +456,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
for(j=0; j<len; j++) printf("%c", packet->payload[offset+j]);
printf("]\n");
#endif
-
+
if(len < (sizeof(utcDate)-1)) {
struct tm utc;
utc.tm_isdst = -1; /* Not set by strptime */
@@ -474,13 +474,13 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
}
}
- if (flow->protos.tls_quic_stun.tls_quic.notBefore > TLS_LIMIT_DATE)
- if((flow->protos.tls_quic_stun.tls_quic.notAfter-flow->protos.tls_quic_stun.tls_quic.notBefore) > TLS_THRESHOLD)
- ndpi_set_risk(flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG); /* Certificate validity longer than 13 months*/
-
+ if (flow->protos.tls_quic_stun.tls_quic.notBefore > TLS_LIMIT_DATE)
+ if((flow->protos.tls_quic_stun.tls_quic.notAfter-flow->protos.tls_quic_stun.tls_quic.notBefore) > TLS_THRESHOLD)
+ ndpi_set_risk(flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG); /* Certificate validity longer than 13 months*/
+
if((time_sec < flow->protos.tls_quic_stun.tls_quic.notBefore)
|| (time_sec > flow->protos.tls_quic_stun.tls_quic.notAfter))
- ndpi_set_risk(flow, NDPI_TLS_CERTIFICATE_EXPIRED); /* Certificate expired */
+ ndpi_set_risk(flow, NDPI_TLS_CERTIFICATE_EXPIRED); /* Certificate expired */
}
}
}
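Review bot: The re-indented validity-length check is two nested unbraced `if`s ending in one statement, and it subtracts `notBefore` from `notAfter` without first establishing `notAfter >= notBefore`; the parsing of each date in the preceding hunks is conditional on `len < (sizeof(utcDate)-1)`, so if either field keeps an unparsed/zero value the difference may be negative or, if the fields are unsigned, wrap to a large value and raise NDPI_TLS_CERT_VALIDITY_TOO_LONG spuriously — I cannot see the field types from this hunk. I would brace the pair and add the ordering guard: `if((flow->protos.tls_quic_stun.tls_quic.notBefore > TLS_LIMIT_DATE) && (flow->protos.tls_quic_stun.tls_quic.notAfter > flow->protos.tls_quic_stun.tls_quic.notBefore)`, `   && ((flow->protos.tls_quic_stun.tls_quic.notAfter - flow->protos.tls_quic_stun.tls_quic.notBefore) > TLS_THRESHOLD)) {`, `  ndpi_set_risk(flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG); /* Certificate validity longer than 13 months */ }`. The expired check just below would likewise fire for a both-zero pair, unless the enclosing code guarantees both dates were parsed, which is not visible here. The enclosing function processCertificateElements starts outside the hunk.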
@@ -1467,7 +1467,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
for(i=0; i<cipher_len;) {
u_int16_t *id = (u_int16_t*)&packet->payload[cipher_offset+i];
u_int16_t cipher_id = ntohs(*id);
-
+
if(packet->payload[cipher_offset+i] != packet->payload[cipher_offset+i+1] /* Skip Grease */) {
/*
Skip GREASE [https://tools.ietf.org/id/draft-ietf-tls-grease-01.html]
@@ -1524,7 +1524,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
#if defined(DEBUG_TLS) || defined(DEBUG_HEURISTIC)
printf("Client TLS [GREASE cipher suite: %u/0x%04X] [%d/%u]\n", cipher_id, cipher_id, i, cipher_len);
#endif
-
+
this_is_not_safari = 1; /* NOTE: BugSur and up have grease support */
}
@@ -1539,7 +1539,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls = 0;
else if((safari_ciphers == 12) || (this_is_not_safari && looks_like_safari_on_big_sur))
flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls = 1;
-
+
if(chrome_ciphers == 13)
flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls = 1;
@@ -1784,7 +1784,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
#ifdef DEBUG_HEURISTIC
printf("[SIGNATURE] [TLS Signature Algorithm] Skipping duplicate 0x%04X\n", signature_algo);
#endif
-
+
duplicate_found = 1, all_ok = 0;
break;
}
@@ -1845,7 +1845,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
if((flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls == 0)
&& duplicate_found)
flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls = 1; /* Safari */
-
+
#ifdef DEBUG_HEURISTIC
printf("[SIGNATURE] [is_firefox_tls: %u][is_chrome_tls: %u][is_safari_tls: %u][duplicate_found: %u]\n",
flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_firefox_tls,
diff --git a/tests/result/long_tls_certificate.pcap.out b/tests/result/long_tls_certificate.pcap.out
index 7bd0710f7..c8a9b80c8 100644
--- a/tests/result/long_tls_certificate.pcap.out
+++ b/tests/result/long_tls_certificate.pcap.out
@@ -9,4 +9,4 @@ JA3 Host Stats:
1 192.168.1.60 1
- 1 TCP 192.168.1.60:55333 <-> 106.15.100.123:443 [proto: 91/TLS][cat: Web/5][24 pkts/2429 bytes <-> 23 pkts/12383 bytes][Goodput ratio: 44/89][1.86 sec][ALPN: h2;http/1.1][bytes ratio: -0.672 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 74/62 370/360 133/111][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 101/538 571/1506 104/641][TLSv1.2][Client: beacon-api.aliyuncs.com][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][ServerNames: *.aliyun.com,manager.channel.aliyun.com,*.ace.aliyun.com,*.acs-internal.aliyuncs.com,*.acs.aliyun.com,*.aicrowd.aliyun.com,*.alibabacloud.co.in,*.alibabacloud.com,*.alibabacloud.com.au,*.alibabacloud.com.hk,*.alibabacloud.com.my,*.alibabacloud.com.sg,*.alibabacloud.com.tw,*.alicdn.com,*.alicloud.com,*.aligroup.aliyun.com,*.alimei.com,*.alink.aliyun.com,*.alios.aliyuncs.com,*.aliplus.com,*.alitranx.aliyun.com,*.aliyun-iot-share.com,*.aliyuncs.com,*.alyms.cn,*.ap-northeast-1.aliyuncs.com,*.ap-south-1.aliyuncs.com,*.ap-southeast-1.aliyuncs.com,*.ap-southeast-2.aliyuncs.com,*.ap-southeast-3.aliyuncs.com,*.ap-southeast-5.aliyuncs.com,*.api.aliyun.com,*.apm.aliyun.com,*.app.aliyun.com,*.asmlink.cn,*.banma.aliyuncs.com,*.base.shuju.aliyun.com,*.bi.aliyun.com,*.biz.aliyun.com,*.bridge.aliyun.com,*.ccc.aliyuncs.com,*.center.aliyun.com,*.citybrain.aliyun.com,*.cloudapp.aliyun.com,*.cloudeagle.cn,*.cloudgame.aliyun.com,*.cn-beijing.aliyuncs.com,*.cn-chengdu.aliyuncs.com,*.cn-guizhou.aliyuncs.com,*.cn-haidian.aliyuncs.com,*.cn-hangzhou-finance.aliyuncs.com,*.cn-hangzhou.aliyuncs.com,*.cn-hongkong.aliyuncs.com,*.cn-huhehaote.aliyuncs.com,*.cn-ningxia.aliyuncs.com,*.cn-north-2-gov-1.aliyuncs.com,*.cn-qingdao-nebula.aliyuncs.com,*.cn-qingdao.aliyuncs.com,*.cn-shanghai-finance-1.aliyuncs.com,*.cn-shanghai.aliyun.com,*.cn-shanghai.aliyuncs.com,*.cn-shenzhen-cloudstone.aliyuncs.com,*.cn-shenzhen-finance-1.aliyuncs.com,*.cn-shenzhen.aliyuncs.com,*.cn-sichuan.aliyuncs.com,*.cn-zhangjiakou.aliyuncs.com,*.connect.aliyun.com,*.console.alibabacloud.com,*.console.alicloud
.com,*.console.aliyun.com,*.cs.aliyun.com,*.cschat-ccs.aliyun.com,*.data.aliyun.com,*.dataapi.aliyun.com,*.dataq.aliyuncs.com,*.datav.aliyun.com,*.datav.aliyuncs.com,*.devlops.aliyun.com,*.devops.aliyun.com,*.ditu.aliyun.com,*.domain.aliyun.com,*.dyiot.aliyun.com,*.ebs.aliyun.com,*.emas.aliyun.com,*.emr.aliyun.com,*.enterprise.aliyun.com,*.env.aliyun.com,*.et-industry.aliyun.com,*.eu-central-1.aliyuncs.com,*.eu-west-1.aliyuncs.com,*.fc.aliyun.com,*.feedback.console.aliyun.com,*.gts-x.aliyun.com,*.gts.aliyun.com,*.help-ccs.aliyun.com,*.ialicdn.com,*.in-mumbai.aliyuncs.com,*.iot.aliyun.com,*.jp-fudao.aliyuncs.com,*.linkedmall.aliyun.com,*.linkwan.aliyun.com,*.living.aliyun.com,*.luban.aliyun.com,*.m.aliyun.com,*.market.aliyun.com,*.maxcompute.aliyun.com,*.me-east-1.aliyuncs.com,*.media.aliyun.com,*.microdingtalk.aliyun.com,*.mit.aliyun.com,*.mobile.aliyun.com,*.msea.aliyun.com,*.mts.aliyun.com,*.mvp.aliyun.com,*.nebula.aliyun.com,*.nls.aliyuncs.com,*.odps.aliyun.com,*.ons.aliyun.com,*.ose.aliyun.com,*.pai.data.aliyun.com,*.pcs-gw-cn-beijing.aliyun.com,*.pcs-gw-cn-shanghai.aliyun.com,*.phpwind.com,*.phpwind.net,*.pre-sg-purchase.aliyun.com,*.prepub.aliyun.com,*.product.center.aliyun.com,*.pts.aliyun.com,*.r-app-cn-beijing-data.aliyun.com,*.r-app-cn-hangzhou-data.aliyun.com,*.r-app-cn-shenzhen-data.aliyun.com,*.r-app-data.aliyun.com,*.rdc.aliyun.com,*.rds.aliyun.com,*.reid.aliyun.com,*.sc-cmdb.aliyuncs.com,*.scsp.aliyun.com,*.sg.aliyuncs.com,*.shuju.aliyun.com,*.smart.aliyun.com,*.soc.aliyun.com,*.soc.aliyuncs.com,*.sparenode.com,*.supet.com,*.tburl.in,*.teambition.com,*.teambition.net,*.teambitionapis.com,*.tianchi.aliyun.com,*.toolkit.aliyun.com,*.tv.aliyun.com,*.tw-gaoxiong.aliyuncs.com,*.us-east-1.aliyuncs.com,*.us-west-1.aliyuncs.com,*.webide.aliyun.com,*.yuntu.aliyun.com,account.www.net.cn,alibabacloud.co.in,alibabacloud.com,alibabacloud.com.au,alibabacloud.com.hk,alibabacloud.com.my,alibabacloud.com.sg,alibabacloud.com.tw,alicdn.com,alicloud.com,alimei.com,aliyun
-iot-share.com,aliyuncs.com,dc.www.net.cn,dmp.www.net.cn,dns.www.net.cn,panda.www.net.cn,pandavip.www.net.cn,phpwind.com,phpwind.net,scdnphi6.com,sparenode.com,supet.com,tburl.in,teambition.com,teambition.net,teambitionapis.com,tianchi-global.com,whois.www.net.cn,aliyun.com][JA3S: eee3d2bf5f17d17548ac36ba1872951f][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2][Subject: C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.aliyun.com][Certificate SHA-1: 2B:C6:82:22:E9:94:09:24:34:E1:5C:F1:24:76:98:75:45:78:53:DA][Firefox][Validity: 2020-11-25 10:12:07 - 2021-12-27 10:06:06][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 4,31,13,9,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,27,0,0]
+ 1 TCP 192.168.1.60:55333 <-> 106.15.100.123:443 [proto: 91/TLS][cat: Web/5][24 pkts/2429 bytes <-> 23 pkts/12383 bytes][Goodput ratio: 44/89][1.86 sec][ALPN: h2;http/1.1][bytes ratio: -0.672 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 74/62 370/360 133/111][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 101/538 571/1506 104/641][Risk: ** TLS certificate validity longer than 13 months **][Risk Score: 50][TLSv1.2][Client: beacon-api.aliyuncs.com][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][ServerNames: *.aliyun.com,manager.channel.aliyun.com,*.ace.aliyun.com,*.acs-internal.aliyuncs.com,*.acs.aliyun.com,*.aicrowd.aliyun.com,*.alibabacloud.co.in,*.alibabacloud.com,*.alibabacloud.com.au,*.alibabacloud.com.hk,*.alibabacloud.com.my,*.alibabacloud.com.sg,*.alibabacloud.com.tw,*.alicdn.com,*.alicloud.com,*.aligroup.aliyun.com,*.alimei.com,*.alink.aliyun.com,*.alios.aliyuncs.com,*.aliplus.com,*.alitranx.aliyun.com,*.aliyun-iot-share.com,*.aliyuncs.com,*.alyms.cn,*.ap-northeast-1.aliyuncs.com,*.ap-south-1.aliyuncs.com,*.ap-southeast-1.aliyuncs.com,*.ap-southeast-2.aliyuncs.com,*.ap-southeast-3.aliyuncs.com,*.ap-southeast-5.aliyuncs.com,*.api.aliyun.com,*.apm.aliyun.com,*.app.aliyun.com,*.asmlink.cn,*.banma.aliyuncs.com,*.base.shuju.aliyun.com,*.bi.aliyun.com,*.biz.aliyun.com,*.bridge.aliyun.com,*.ccc.aliyuncs.com,*.center.aliyun.com,*.citybrain.aliyun.com,*.cloudapp.aliyun.com,*.cloudeagle.cn,*.cloudgame.aliyun.com,*.cn-beijing.aliyuncs.com,*.cn-chengdu.aliyuncs.com,*.cn-guizhou.aliyuncs.com,*.cn-haidian.aliyuncs.com,*.cn-hangzhou-finance.aliyuncs.com,*.cn-hangzhou.aliyuncs.com,*.cn-hongkong.aliyuncs.com,*.cn-huhehaote.aliyuncs.com,*.cn-ningxia.aliyuncs.com,*.cn-north-2-gov-1.aliyuncs.com,*.cn-qingdao-nebula.aliyuncs.com,*.cn-qingdao.aliyuncs.com,*.cn-shanghai-finance-1.aliyuncs.com,*.cn-shanghai.aliyun.com,*.cn-shanghai.aliyuncs.com,*.cn-shenzhen-cloudstone.aliyuncs.com,*.cn-shenzhen-finance-1.aliyuncs.com,*.cn-shenzhen.aliyuncs.com,*.cn-sichuan.aliyuncs.com,*.cn-zhangjiakou.ali
yuncs.com,*.connect.aliyun.com,*.console.alibabacloud.com,*.console.alicloud.com,*.console.aliyun.com,*.cs.aliyun.com,*.cschat-ccs.aliyun.com,*.data.aliyun.com,*.dataapi.aliyun.com,*.dataq.aliyuncs.com,*.datav.aliyun.com,*.datav.aliyuncs.com,*.devlops.aliyun.com,*.devops.aliyun.com,*.ditu.aliyun.com,*.domain.aliyun.com,*.dyiot.aliyun.com,*.ebs.aliyun.com,*.emas.aliyun.com,*.emr.aliyun.com,*.enterprise.aliyun.com,*.env.aliyun.com,*.et-industry.aliyun.com,*.eu-central-1.aliyuncs.com,*.eu-west-1.aliyuncs.com,*.fc.aliyun.com,*.feedback.console.aliyun.com,*.gts-x.aliyun.com,*.gts.aliyun.com,*.help-ccs.aliyun.com,*.ialicdn.com,*.in-mumbai.aliyuncs.com,*.iot.aliyun.com,*.jp-fudao.aliyuncs.com,*.linkedmall.aliyun.com,*.linkwan.aliyun.com,*.living.aliyun.com,*.luban.aliyun.com,*.m.aliyun.com,*.market.aliyun.com,*.maxcompute.aliyun.com,*.me-east-1.aliyuncs.com,*.media.aliyun.com,*.microdingtalk.aliyun.com,*.mit.aliyun.com,*.mobile.aliyun.com,*.msea.aliyun.com,*.mts.aliyun.com,*.mvp.aliyun.com,*.nebula.aliyun.com,*.nls.aliyuncs.com,*.odps.aliyun.com,*.ons.aliyun.com,*.ose.aliyun.com,*.pai.data.aliyun.com,*.pcs-gw-cn-beijing.aliyun.com,*.pcs-gw-cn-shanghai.aliyun.com,*.phpwind.com,*.phpwind.net,*.pre-sg-purchase.aliyun.com,*.prepub.aliyun.com,*.product.center.aliyun.com,*.pts.aliyun.com,*.r-app-cn-beijing-data.aliyun.com,*.r-app-cn-hangzhou-data.aliyun.com,*.r-app-cn-shenzhen-data.aliyun.com,*.r-app-data.aliyun.com,*.rdc.aliyun.com,*.rds.aliyun.com,*.reid.aliyun.com,*.sc-cmdb.aliyuncs.com,*.scsp.aliyun.com,*.sg.aliyuncs.com,*.shuju.aliyun.com,*.smart.aliyun.com,*.soc.aliyun.com,*.soc.aliyuncs.com,*.sparenode.com,*.supet.com,*.tburl.in,*.teambition.com,*.teambition.net,*.teambitionapis.com,*.tianchi.aliyun.com,*.toolkit.aliyun.com,*.tv.aliyun.com,*.tw-gaoxiong.aliyuncs.com,*.us-east-1.aliyuncs.com,*.us-west-1.aliyuncs.com,*.webide.aliyun.com,*.yuntu.aliyun.com,account.www.net.cn,alibabacloud.co.in,alibabacloud.com,alibabacloud.com.au,alibabacloud.com.hk,alibabacloud.com.my,aliba
bacloud.com.sg,alibabacloud.com.tw,alicdn.com,alicloud.com,alimei.com,aliyun-iot-share.com,aliyuncs.com,dc.www.net.cn,dmp.www.net.cn,dns.www.net.cn,panda.www.net.cn,pandavip.www.net.cn,phpwind.com,phpwind.net,scdnphi6.com,sparenode.com,supet.com,tburl.in,teambition.com,teambition.net,teambitionapis.com,tianchi-global.com,whois.www.net.cn,aliyun.com][JA3S: eee3d2bf5f17d17548ac36ba1872951f][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2][Subject: C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.aliyun.com][Certificate SHA-1: 2B:C6:82:22:E9:94:09:24:34:E1:5C:F1:24:76:98:75:45:78:53:DA][Firefox][Validity: 2020-11-25 10:12:07 - 2021-12-27 10:06:06][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 4,31,13,9,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,27,0,0]
diff --git a/tests/result/tls_certificate_too_long.pcap.out b/tests/result/tls_certificate_too_long.pcap.out
index d33fb0405..8c8868266 100644
--- a/tests/result/tls_certificate_too_long.pcap.out
+++ b/tests/result/tls_certificate_too_long.pcap.out
@@ -1,15 +1,17 @@
-Protocol statistics:
- Safe 49251 bytes
- Acceptable 54851 bytes
- Tracker/Ads 3310 bytes
- Unrated 5582 bytes
+Guessed flow protos: 8
-Risk stats [found 10 (28.6 %) flows with risks]:
- Binary application transfer 2 [20.0 %]
- TLS certificate validity longer than 13 months 8 [80.0 %]
+DPI Packets (TCP): 220 (13.75 pkts/flow)
+DPI Packets (UDP): 33 (1.94 pkts/flow)
+DPI Packets (other): 2 (1.00 pkts/flow)
- NOTE: as one flow can have multiple risks set, the sum of the
- last column can exceed the number of flows with risks.
+Unknown 13 5582 1
+MDNS 5 983 3
+IGMP 2 92 2
+TLS 6 391 2
+Google 30 3310 5
+Apple 10 993 5
+Microsoft 123 47867 15
+Microsoft365 126 53776 2
JA3 Host Stats:
IP Address # JA3C