| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
mis-mapping to s3 (#2684)
* JA4: Fix SSL 2 version constant to 0x0002
SSL 2 uses a version field of 0x0002, not 0x0200. This is confirmed not
only in the original Netscape spec [1] and RFC draft of the time [2],
but also in major implementations such as OpenSSL [3] and Wireshark [4].
An earlier version of the JA4 spec [5] also mistakenly used 0x0200 for
SSL 2 and 0x0100 for SSL 1. This was fixed in [6] in August 2024.
[1] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html
[2] https://datatracker.ietf.org/doc/html/draft-hickman-netscape-ssl-00
[3] https://github.com/openssl/openssl/blob/OpenSSL_0_9_6m/ssl/ssl2.h#L66-L71
[4] https://github.com/wireshark/wireshark/blob/release-4.4/epan/dissectors/packet-tls-utils.h#L266-L277
[5] https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md#tls-and-dtls-version
[6] FoxIO-LLC/ja4#150
* JA4: Remove fictional (and mis-mapped to "s3") SSL 1
SSL 1 was never actually deployed, the design was iterated upon to
become SSL 2 before it was released by Netscape [1] [2] [3] [4]. I
don't think it's public knowledge what the version field for SSL 1 would
have looked like, or if it even was two bytes large or at the same
offset on the wire; given that SSL 2 used 0x0002 it seems more likely to
have been 0x0001 than 0x0100.
Version field 0x0100, that is currently misattributed to SSL 1, was used
by an early pre-RFC4347 implementation of DTLS in OpenSSL before 0.9.8f
[5], when OpenSSL switched to the version field specified by RFC4347.
This use of 0x0100 is also reflected in Wireshark's TLS dissector [4]
(`DTLSV1DOT0_OPENSSL_VERSION`).
For these reasons, it seems to make sense to remove the fictional SSL 1
code entirely.
This also removes an issue where the resulting JA4 string would be "s3"
instead of the intended "s1".
An earlier version of the JA4 spec [6] also mistakenly used 0x0200 for
SSL 2 and 0x0100 for SSL 1. This was fixed in [7] in August 2024.
[1] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html
[2] https://datatracker.ietf.org/doc/html/draft-hickman-netscape-ssl-00
[3] https://github.com/openssl/openssl/blob/OpenSSL_0_9_6m/ssl/ssl2.h#L66-L71
[4] https://github.com/wireshark/wireshark/blob/release-4.4/epan/dissectors/packet-tls-utils.h#L266-L277
[5] https://github.com/openssl/openssl/compare/OpenSSL_0_9_8e...OpenSSL_0_9_8f
[6] https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md#tls-and-dtls-version
[7] FoxIO-LLC/ja4#150
* Fix tests where old DTLS (0x0100) was mis-identified as SSL 3.0
These two tests contain DTLS flows using a version field of 0x0100 as
used by OpenSSL pre 0.9.8f, before OpenSSL switched to the standardised
version code points for its DTLS implementation. The correct JA4
mapping is "d00", not "ds3".
|
| |
|
|
|
|
|
|
| |
Last step of removing JA3C fingerprint
Remove some duplicate tests: testing with ja4c/ja3s disabled is already
performed by `disable_metadata_and_flowrisks` configuration.
Close:#2551
|
| |
|
|
|
|
|
|
|
| |
It might be usefull to be able to match traffic against a list of
suspicious JA4C fingerprints
Use the same code/logic/infrastructure used for JA3C (note that we are
going to remove JA3C...)
See: #2551
|
| |
|
|
|
| |
In very old (G)QUIC versions by Google, the user agent was available on
plain text. That is not true anymore, since about end of 2021.
See: https://github.com/google/quiche/commit/f282c934f4731a9f4be93409c9f3e8687f0566a7
|
| |
|
| |
Add a new variable to keep track of internal partial classification
|
| | |
|
| |
|
|
|
| |
Even if it is only the proposed value by the client (and not the
negotiated one), it might be use as hint for timeout by the (external)
flows manager
|
| |
|
|
| |
We should set it also for "obsolete"/"insecure" ciphers, not only for
the "weak" ones.
|
| |
|
|
|
| |
ESNI has been superseded by ECH for years, now.
See: https://blog.cloudflare.com/encrypted-client-hello/
Set the existing flow risk if we still found this extension.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Padding is usually some hundreds byte long. Longer padding might be used
as obfuscation technique to force unusual CH fragmentation
|
| |
|
|
| |
Allocate heuristics state only if really needed.
Fix memory leak (it happened with WebSocket traffic on port 443)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Based on the paper: "Fingerprinting Obfuscated Proxy Traffic with
Encapsulated TLS Handshakes".
See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting
Basic idea:
* the packets/bytes distribution of a TLS handshake is quite unique
* this fingerprint is still detectable if the handshake is
encrypted/proxied/obfuscated
All heuristics are disabled by default.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Revert "Added fix for handling Server Hello before CLient Hello"
This reverts commit eb15b22e7757cb70894fdcde440e62bc40f22df1.
* TLS: add some tests with unidirectional traffic
* TLS: another attempt to process CH received after the SH
Obviously, we will process unidirectional traffic longer, because we are
now waiting for messages in both directions
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
```
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior protocols/tls.c:1812:22
=================================================================
==97754==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ba835bde8e5 at pc 0x557ebb644241 bp 0x7ffec04b0ea0 sp 0x7ffec04b0648
WRITE of size 7 at 0x7ba835bde8e5 thread T0
#0 0x557ebb644240 in vsnprintf (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x6bf240) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f)
#1 0x557ebb645b1d in snprintf (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x6c0b1d) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f)
#2 0x557ebb749dbc in ndpi_compute_ja4 /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:1812:12
#3 0x557ebb7445a7 in processClientServerHello /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:2946:10
#4 0x557ebb7073c9 in process_tls /home/ivan/svnrepos/nDPI/src/lib/protocols/quic.c:1397:3
#5 0x557ebb6ff815 in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data.c:46:7
#6 0x557ebb602dcb in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x67ddcb) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f)
#7 0x557ebb5ecea8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x667ea8) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f)
#8 0x557ebb5f299a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x66d99a) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f)
#9 0x557ebb61c482 in main (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x697482) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f)
#10 0x7fa837e27082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
#11 0x557ebb5e7b5d in _start (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x662b5d) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f)
```
|
| | |
|
| | |
|
| |
|
|
|
| |
Example:
./example/ndpiReader -i tests/pcap/safari.pcap --cfg=tls,metadata.ja4r_fingerprint,1
|
| |
|
|
| |
Keep track if we received CH or/and SH messsages: usefull with
unidirectional flows
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Remove some code never triggered
AFP: the removed check is included in the following one
MQTT: fix flags extraction
|
| |
|
|
|
| |
TODO: TCP reassembler on top of UDP reassembler
See: #2414
|
| | |
|
| | |
|
| |
|
|
|
|
| |
See RFC8122: it is quite likely that STUN/DTLS/SRTP flows use
self-signed certificates
Follow-up of b287d6ec8
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new values has been checked against the ones reported by Wireshark.
Found while fixing a Use-of-uninitialized-value error reported by
oss-fuzz
```
==7582==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x5a6549abc368 in ndpi_compute_ja4 ndpi/src/lib/protocols/tls.c:1762:10
#1 0x5a6549ab88a0 in processClientServerHello ndpi/src/lib/protocols/tls.c:2863:10
#2 0x5a6549ac1452 in processTLSBlock ndpi/src/lib/protocols/tls.c:909:5
#3 0x5a6549abf588 in ndpi_search_tls_tcp ndpi/src/lib/protocols/tls.c:1098:2
#4 0x5a65499c53ec in check_ndpi_detection_func ndpi/src/lib/ndpi_main.c:7215:6
```
See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68449&q=ndpi&can=1&sort=-id
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Added
size_t ndpi_compress_str(const char * in, size_t len, char * out, size_t bufsize);
size_t ndpi_decompress_str(const char * in, size_t len, char * out, size_t bufsize);
used to compress short strings such as domain names. This code is based on
https://github.com/Ed-von-Schleck/shoco
* Major code rewrite for ndpi_hash and ndpi_domain_classify
* Improvements to make sure custom categories are loaded and enabled
* Fixed string encoding
* Extended SalesForce/Cloudflare domains list
|
| |
|
|
|
| |
* unused parameters and functions pollute the code and decrease readability
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
|
| |
Tradeoff between key comparison efficiency (i.e. no `memcmp`) and key
length.
At least in the ipv4 cases, we have no more different entries with the
same key.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
```
Direct leak of 12 byte(s) in 1 object(s) allocated from:
#0 0x55779e1a46ff in malloc (/home/ivan/svnrepos/nDPI/example/ndpiReader+0x8706ff) (BuildId: 14c2fc626744710d49d652ea1c5bbb24a8cbab4f)
#1 0x55779e2120c7 in ndpi_malloc_wrapper /home/ivan/svnrepos/nDPI/example/ndpiReader.c:298:10
#2 0x55779e5fa215 in ndpi_malloc /home/ivan/svnrepos/nDPI/src/lib/ndpi_memory.c:60:25
#3 0x55779e5fa500 in ndpi_strdup /home/ivan/svnrepos/nDPI/src/lib/ndpi_memory.c:113:13
#4 0x55779e42153c in processClientServerHello /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:2554:46
#5 0x55779e4359a1 in processTLSBlock /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:908:5
#6 0x55779e432de7 in ndpi_search_tls_tcp /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:1097:2
#7 0x55779e4133f9 in ndpi_search_tls_wrapper /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:2913:5
```
Found by oss-fuzz
See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67250
|
| |
|
|
|
| |
Is quite rare to have a SNI or an ALPN on Client Hello of STUN/DTLS/SRTP
traffic
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Follow-up of 4543385d107fcc5a7e8632e35d9a60bcc40cb4f4
Remove trailing spaces for any HTTP header (we already remove leading
spaces)
We want:
* a "normalized" string in `flow->host_server_name`, but
* to parse the original string for flow risk checking
`ndpi_hostname_sni_set()` is a private function, so there is no need to
export its flags.
|
| |
|
|
|
|
|
|
|
| |
* Normalization of host_server_name
The ndpi_hostname_sni_set() function replaces all non-printable
characters with the "?" character and removing whitespace characters
at the end of the line.
* Added conditional hostname normalization.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* additional JA4 string buffer is not needed and may cause a string truncation warning
```
protocols/tls.c: In function ‘ndpi_compute_ja4’:
protocols/tls.c:1738:3: warning: ‘strncpy’ output may be truncated copying 36 bytes from a string of length 1023 [-Wstringop-truncation]
1738 | strncpy(flow->protos.tls_quic.ja4_client, ja_str, 36);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is the first step into providing (more) configuration options in nDPI.
The idea is to have a simple way to configure (most of) nDPI: only one
function (`ndpi_set_config()`) to set any configuration parameters
(in the present or on in the future) and we try to keep this function
prototype as agnostic as possible.
You can configure the library:
* via API, using `ndpi_set_config()`
* via a configuration file, in a text format
This way, anytime we need to add a new configuration parameter:
* we don't need to add two public functions (a getter and a setter)
* we don't break API/ABI compatibility of the library; even changing
the parameter type (from integer to a list of integer, for example)
doesn't break the compatibility.
The complete list of configuration options is provided in
`doc/configuration_parameters.md`.
As a first example, two configuration knobs are provided:
* the ability to enable/disable the extraction of the sha1 fingerprint of
the TLS certificates.
* the upper limit on the number of packets per flow that will be subject
to inspection
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
```
==53992==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000007e04 at pc 0x555da2165fd0 bp 0x7ffddf7e3990 sp 0x7ffddf7e3988
READ of size 2 at 0x511000007e04 thread T0
#0 0x555da2165fcf in processClientServerHello /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:2384:50
#1 0x555da217c31f in processTLSBlock /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:908:5
#2 0x555da2176720 in ndpi_search_tls_udp /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:1273:11
#3 0x555da215a628 in ndpi_search_tls_wrapper /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:2883:5
#4 0x555da1e95c30 in check_ndpi_detection_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6720:6
#5 0x555da1e969f3 in check_ndpi_udp_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6756:10
#6 0x555da1e96394 in ndpi_check_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6789:12
#7 0x555da1ea7991 in ndpi_internal_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7929:15
#8 0x555da1ea547f in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:8104:22
#9 0x555da1de137f in packet_processing /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:1721:31
#10 0x555da1de137f in ndpi_workflow_process_packet /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:2438:1
```
Found by oss-fuzzer
See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65362
|