Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_api.h | 4 | ||||
-rw-r--r-- | src/include/ndpi_private.h | 4 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 22 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 20 |
4 files changed, 25 insertions, 25 deletions
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
index f1f016be0..48b225d77 100644
--- a/src/include/ndpi_api.h
+++ b/src/include/ndpi_api.h
@@ -850,14 +850,14 @@ extern "C" {
 int ndpi_load_risk_domain_file(struct ndpi_detection_module_struct *ndpi_str, const char* path);
 
 /**
- * Read a file and load the list of malicious JA3 signatures
+ * Read a file and load the list of malicious JA4 signatures
 *
 * @par ndpi_mod = the detection module
 * @par path = the path of the file
 * @return 0 if the file is loaded correctly;
 * -1 else
 */
- int ndpi_load_malicious_ja3_file(struct ndpi_detection_module_struct *ndpi_str, const char *path);
+ int ndpi_load_malicious_ja4_file(struct ndpi_detection_module_struct *ndpi_str, const char *path);
 
 /**
 * Read a file and load the list of malicious SSL certificate SHA1 fingerprints.
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
index 22f6e5605..76c902fb6 100644
--- a/src/include/ndpi_private.h
+++ b/src/include/ndpi_private.h
@@ -352,7 +352,7 @@ struct ndpi_detection_module_struct {
 * update automa_type above
 */
 
- ndpi_str_hash *malicious_ja3_hashmap, *malicious_sha1_hashmap;
+ ndpi_str_hash *malicious_ja4_hashmap, *malicious_sha1_hashmap;
 
 ndpi_list *trusted_issuer_dn;
 
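Review bot: The renamed prototype removes `ndpi_load_malicious_ja3_file` from the exported header with no deprecated shim, so every consumer still calling it stops linking, and the doc comment still says nothing about what a "JA4 signature" line must look like. Since the symbol is public, a deprecated wrapper that logs and returns -1 (or at least a changelog entry) would soften the break. The comment should also spell out the accepted entry format so list maintainers do not feed it JA3 MD5s or JA4_r strings: `* @par path = the path of the file: one 36-char JA4C fingerprint per line (e.g. t13d1516h2_8daaf6152771_e5627efa2ab1), optionally followed by ,<other info>`. Whether uppercase hex or JA4_r is also matched is not visible from this hunk, so document only the form the loader actually accepts.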
@@ -633,7 +633,7 @@ ndpi_risk_enum ndpi_network_risk_ptree_match(struct ndpi_detection_module_struct
 int load_protocols_file_fd(struct ndpi_detection_module_struct *ndpi_mod, FILE *fd);
 int load_categories_file_fd(struct ndpi_detection_module_struct *ndpi_str, FILE *fd, void *user_data);
 int load_malicious_sha1_file_fd(struct ndpi_detection_module_struct *ndpi_str, FILE *fd);
-int load_malicious_ja3_file_fd(struct ndpi_detection_module_struct *ndpi_str, FILE *fd);
+int load_malicious_ja4_file_fd(struct ndpi_detection_module_struct *ndpi_str, FILE *fd);
 int load_risk_domain_file_fd(struct ndpi_detection_module_struct *ndpi_str, FILE *fd);
 int load_config_file_fd(struct ndpi_detection_module_struct *ndpi_str, FILE *fd);
 int load_category_file_fd(struct ndpi_detection_module_struct *ndpi_str,
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 45b8991d1..f25c50fc5 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -3463,7 +3463,7 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(struct ndpi_glob
 return(NULL);
 }
 
- ndpi_str->malicious_ja3_hashmap = NULL; /* Initialized on demand */
+ ndpi_str->malicious_ja4_hashmap = NULL; /* Initialized on demand */
 ndpi_str->malicious_sha1_hashmap = NULL; /* Initialized on demand */
 ndpi_str->risky_domain_automa.ac_automa = NULL; /* Initialized on demand */
 ndpi_str->trusted_issuer_dn = NULL;
@@ -4314,8 +4314,8 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_str) {
 if(ndpi_str->tls_cert_subject_automa.ac_automa != NULL)
 ac_automata_release((AC_AUTOMATA_t *) ndpi_str->tls_cert_subject_automa.ac_automa, 0);
 
- if(ndpi_str->malicious_ja3_hashmap != NULL)
- ndpi_hash_free(&ndpi_str->malicious_ja3_hashmap);
+ if(ndpi_str->malicious_ja4_hashmap != NULL)
+ ndpi_hash_free(&ndpi_str->malicious_ja4_hashmap);
 if(ndpi_str->malicious_sha1_hashmap != NULL)
 ndpi_hash_free(&ndpi_str->malicious_sha1_hashmap);
 
@@ -5267,10 +5267,10 @@ int load_risk_domain_file_fd(struct ndpi_detection_module_struct *ndpi_str, FILE
 /*
 * Format:
 *
- * <ja3 hash>[,<other info>]
+ * <ja4 hash>[,<other info>]
 *
 */
-int ndpi_load_malicious_ja3_file(struct ndpi_detection_module_struct *ndpi_str, const char *path) {
+int ndpi_load_malicious_ja4_file(struct ndpi_detection_module_struct *ndpi_str, const char *path) {
 int rc;
 FILE *fd;
 
@@ -5283,7 +5283,7 @@ int ndpi_load_malicious_ja3_file(struct ndpi_detection_module_struct *ndpi_str,
 return -1;
 }
 
- rc = load_malicious_ja3_file_fd(ndpi_str, fd);
+ rc = load_malicious_ja4_file_fd(ndpi_str, fd);
 
 fclose(fd);
 
@@ -5292,13 +5292,13 @@ int ndpi_load_malicious_ja3_file(struct ndpi_detection_module_struct *ndpi_str,
 /* ******************************************************************** */
 
-int load_malicious_ja3_file_fd(struct ndpi_detection_module_struct *ndpi_str, FILE *fd) {
+int load_malicious_ja4_file_fd(struct ndpi_detection_module_struct *ndpi_str, FILE *fd) {
 char buffer[128], *line;
 int len, num = 0;
 
 if(!ndpi_str || !fd)
 return(-1);
 
- if(ndpi_str->malicious_ja3_hashmap == NULL && ndpi_hash_init(&ndpi_str->malicious_ja3_hashmap) != 0)
+ if(ndpi_str->malicious_ja4_hashmap == NULL && ndpi_hash_init(&ndpi_str->malicious_ja4_hashmap) != 0)
 return(-1);
 
 while(1) {
@@ -5321,12 +5321,12 @@ int load_malicious_ja3_file_fd(struct ndpi_detection_module_struct *ndpi_str, FI
 
 len = strlen(line);
 
- if(len != 32 /* size of MD5 hash */) {
- NDPI_LOG_ERR(ndpi_str, "Not a JA3 md5 hash: [%s]\n", line);
+ if(len != 36 /* size of JA4C */) {
+ NDPI_LOG_ERR(ndpi_str, "Not a JA4C: [%s]\n", line);
 continue;
 }
 
- if(ndpi_hash_add_entry(&ndpi_str->malicious_ja3_hashmap, line, len, 0) == 0)
+ if(ndpi_hash_add_entry(&ndpi_str->malicious_ja4_hashmap, line, len, 0) == 0)
 num++;
 }
 
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index a1184cf27..8a00da661 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
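Review bot: The new validation at `if(len != 36 /* size of JA4C */)` accepts any 36-byte line, so a mistyped entry or a JA4_r fragment is inserted into the hash map and, with nothing else checked, silently never matches anything. A JA4C fingerprint has a fixed shape — a 10-character header, `_`, 12 hex digits, `_`, 12 hex digits — so the separators can be verified for free: `if(len != 36 /* size of JA4C */ || line[10] != '_' || line[23] != '_') {`, keeping the existing `NDPI_LOG_ERR` so bad feed lines are visible in the log. It is also worth confirming whether ndpi_hash_add_entry/ndpi_hash_find_entry compare bytes exactly; if they do, lowercasing the two hash fields at load time would stop feeds that publish uppercase hex from being inert. The body of `load_malicious_ja4_file_fd` continues past this hunk.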
@@ -3247,20 +3247,20 @@ compute_ja3c: #ifdef DEBUG_JA printf("[JA3] Client: %s \n", flow->protos.tls_quic.ja3_client); #endif - - if(ndpi_struct->malicious_ja3_hashmap != NULL) { - u_int16_t rc1 = ndpi_hash_find_entry(ndpi_struct->malicious_ja3_hashmap, - flow->protos.tls_quic.ja3_client, - NDPI_ARRAY_LENGTH(flow->protos.tls_quic.ja3_client) - 1, - NULL); - - if(rc1 == 0) - ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_FINGERPRINT, flow->protos.tls_quic.ja3_client); - } } if(ndpi_struct->cfg.tls_ja4c_fingerprint_enabled) { ndpi_compute_ja4(ndpi_struct, flow, quic_version, &ja); + + if(ndpi_struct->malicious_ja4_hashmap != NULL) { + u_int16_t rc1 = ndpi_hash_find_entry(ndpi_struct->malicious_ja4_hashmap, + flow->protos.tls_quic.ja4_client, + NDPI_ARRAY_LENGTH(flow->protos.tls_quic.ja4_client) - 1, + NULL); + + if(rc1 == 0) + ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_FINGERPRINT, flow->protos.tls_quic.ja4_client); + } } /* End JA3/JA4 */ } |
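Review bot: The added lookup keys on `NDPI_ARRAY_LENGTH(flow->protos.tls_quic.ja4_client) - 1` rather than the string length, so if `ndpi_compute_ja4()` returns without filling `ja4_client` (its result is not checked here) the hash map is probed with whatever bytes the buffer already holds, and a partially written fingerprint can never match anyway. Guarding on the buffer and using its real length is cheap: `if(ndpi_struct->malicious_ja4_hashmap != NULL && flow->protos.tls_quic.ja4_client[0] != '\0') {` with `strlen(flow->protos.tls_quic.ja4_client)` as the key length; the declared size of `ja4_client` that the `- 1` presumes is not visible in this hunk. Note also that the malicious-fingerprint check now runs only inside `if(ndpi_struct->cfg.tls_ja4c_fingerprint_enabled)`, so a loaded JA4 blocklist is silently inert when that option is off — a log line at load time or a note in the config documentation would save operators a surprise. The enclosing function starts before this hunk.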