aboutsummaryrefslogtreecommitdiff
path: root/tests/cfgs/default/result/dtls_old_version.pcapng.out
Commit message (Collapse)AuthorAge
* JA4: Fix SSL 2 version and remove fictional SSL 1 version along with ↵Daniel Roethlisberger2025-01-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | mis-mapping to s3 (#2684) * JA4: Fix SSL 2 version constant to 0x0002 SSL 2 uses a version field of 0x0002, not 0x0200. This is confirmed not only in the original Netscape spec [1] and RFC draft of the time [2], but also in major implementations such as OpenSSL [3] and Wireshark [4]. An earlier version of the JA4 spec [5] also mistakenly used 0x0200 for SSL 2 and 0x0100 for SSL 1. This was fixed in [6] in August 2024. [1] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html [2] https://datatracker.ietf.org/doc/html/draft-hickman-netscape-ssl-00 [3] https://github.com/openssl/openssl/blob/OpenSSL_0_9_6m/ssl/ssl2.h#L66-L71 [4] https://github.com/wireshark/wireshark/blob/release-4.4/epan/dissectors/packet-tls-utils.h#L266-L277 [5] https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md#tls-and-dtls-version [6] FoxIO-LLC/ja4#150 * JA4: Remove fictional (and mis-mapped to "s3") SSL 1 SSL 1 was never actually deployed, the design was iterated upon to become SSL 2 before it was released by Netscape [1] [2] [3] [4]. I don't think it's public knowledge what the version field for SSL 1 would have looked like, or if it even was two bytes large or at the same offset on the wire; given that SSL 2 used 0x0002 it seems more likely to have been 0x0001 than 0x0100. Version field 0x0100, that is currently misattributed to SSL 1, was used by an early pre-RFC4347 implementation of DTLS in OpenSSL before 0.9.8f [5], when OpenSSL switched to the version field specified by RFC4347. This use of 0x0100 is also reflected in Wireshark's TLS dissector [4] (`DTLSV1DOT0_OPENSSL_VERSION`). For these reasons, it seems to make sense to remove the fictional SSL 1 code entirely. This also removes an issue where the resulting JA4 string would be "s3" instead of the intended "s1". An earlier version of the JA4 spec [6] also mistakenly used 0x0200 for SSL 2 and 0x0100 for SSL 1. This was fixed in [7] in August 2024. [1] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html [2] https://datatracker.ietf.org/doc/html/draft-hickman-netscape-ssl-00 [3] https://github.com/openssl/openssl/blob/OpenSSL_0_9_6m/ssl/ssl2.h#L66-L71 [4] https://github.com/wireshark/wireshark/blob/release-4.4/epan/dissectors/packet-tls-utils.h#L266-L277 [5] https://github.com/openssl/openssl/compare/OpenSSL_0_9_8e...OpenSSL_0_9_8f [6] https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md#tls-and-dtls-version [7] FoxIO-LLC/ja4#150 * Fix tests where old DTLS (0x0100) was mis-identified as SSL 3.0 These two tests contain DTLS flows using a version field of 0x0100 as used by OpenSSL pre 0.9.8f, before OpenSSL switched to the standardised version code points for its DTLS implementation. The correct JA4 mapping is "d00", not "ds3".
* Remove JA3C output from ndpiReader (#2667)Ivan Nardi2025-01-12
| | | | | | | | | | | | | Removing JA3C is an big task. Let's start with a simple change having an huge impact on unit tests: remove printing of JA3C information from ndpiReader. This way, when we will delete the actual code, the unit tests diffs should be a lot simpler to look at. Note that the information if the client/server cipher is weak or obsolete is still available via flow risk See: #2551
* ndpiReader: update JA statistics (#2646)Ivan Nardi2025-01-06
| | | | Show JA4C and JA3S information (instead of JA3C and JA3S) See #2551 for context
* FPC: add DPI information (#2514)Ivan Nardi2024-07-23
| | | | If the flow is classified (via DPI) after the first packet, we should use this information as FPC
* FPC: small improvements (#2512)Ivan Nardi2024-07-22
| | | | Add printing of fpc_dns statistics and add a general cconfiguration option. Rework the code to be more generic and ready to handle other logics.
* Add infrastructure for explicit support of Fist Packet Classification (#2488)Ivan Nardi2024-07-03
| | | | | Let's start with some basic helpers and with FPC based on flow addresses. See: #2322
* Zoom: remove "stun_zoom" LRU cacheNardi Ivan2024-06-17
| | | | | Since 070a0908b we are able to detect P2P calls directly from the packet content, without any correlation among flows
* DTLS: fix JA4 fingerprint (#2446)Ivan Nardi2024-05-21
|
* Remove "zoom" cache (#2420)Ivan Nardi2024-05-06
| | | | | | | | | This cache was added in b6b4967aa, when there was no real Zoom support. With 63f349319, a proper identification of multimedia stream has been added, making this cache quite useless: any improvements on Zoom classification should be properly done in Zoom dissector. Tested for some months with a few 10Gbits links of residential traffic: the cache pretty much never returned a valid hit.
* ndpiReader: add breed stats on output used for CI (#2236)Ivan Nardi2024-01-05
|
* Implements JA4 Support (#2191)Luca Deri2023-12-22
|
* ndpiReader: fix `guessed_flow_protocols` statistic (#2203)Ivan Nardi2023-12-12
| | | Increment the counter only if the flow has been guessed
* IPv6: add support for IPv6 risk exceptions (#2122)Ivan Nardi2023-10-29
|
* IPv6: add support for IPv6 risk tree (#2118)Ivan Nardi2023-10-27
| | | Fix the script to download crawler addressess
* ipv6: add support for ipv6 addresses lists (#2113)Ivan Nardi2023-10-26
|
* Test multiple `ndpiReader` configurations (#1931)Ivan Nardi2023-04-06
Extend internal unit tests to handle multiple configurations. As some examples, add tests about: * disabling some protocols * disabling Ookla aggressiveness Every configurations data is stored in a dedicated directory under `tests\cfgs`
Powered by cgit, Themed by Ted Yin.