From f1b22b199f08469407c55dcd98ec24af85da0fd3 Mon Sep 17 00:00:00 2001
From: Luca Deri
Date: Mon, 22 Feb 2021 23:19:23 +0100
Subject: Added NDPI_MALICIOUS_JA3 flow risk
Added ndpi_load_malicious_ja3_file() API call
---
 example/ja3_fingerprints.csv | 109 +++++++++++++++++++++++++++++++++++++++++++
 example/ndpiReader.c | 13 +++++-
 2 files changed, 120 insertions(+), 2 deletions(-)
 create mode 100644 example/ja3_fingerprints.csv
(limited to 'example')
diff --git a/example/ja3_fingerprints.csv b/example/ja3_fingerprints.csv
new file mode 100644
index 000000000..8f84aff3a
--- /dev/null
+++ b/example/ja3_fingerprints.csv
@@ -0,0 +1,109 @@
+################################################################
+# abuse.ch Suricata JA3 Fingerprint Blacklist (CSV) #
+# For Suricata 4.1.0 or newer #
+# Last updated: 2020-04-09 06:48:14 UTC #
+# #
+# Terms Of Use: https://sslbl.abuse.ch/blacklist/ #
+# For questions please contact sslbl [at] abuse.ch #
+################################################################
+#
+# ja3_md5,Firstseen,Lastseen,Listingreason
+b386946a5a44d1ddcc843bc75336dfce,2017-07-14 18:08:15,2019-07-27 20:42:54,Dridex
+8991a387e4cc841740f25d6f5139f92d,2017-07-14 19:02:03,2019-07-28 00:34:38,Adware
+cb98a24ee4b9134448ffb5714fd870ac,2017-07-14 19:48:28,2019-05-22 03:22:38,Dridex
+1aa7bf8b97e540ca5edd75f7b8384bfa,2017-07-14 20:23:38,2019-07-28 01:38:22,TrickBot
+3d89c0dfb1fa44911b8fa7523ef8dedb,2017-07-15 04:23:45,2021-02-01 18:23:25,Adware
+bc6c386f480ee97b9d9e52d472b772d8,2017-07-15 10:57:38,2021-02-21 13:13:30,Adware
+8f52d1ce303fb4a6515836aec3cc16b1,2017-07-15 19:05:11,2019-07-27 20:00:57,TrickBot
+d6f04b5a910115f4b50ecec09d40a1df,2017-07-15 19:42:24,2018-10-14 08:12:51,Dridex
+35c0a31c481927f022a3b530255ac080,2017-07-15 19:43:19,2021-02-06 03:21:55,Tofsee
+d551fafc4f40f1dec2bb45980bfa9492,2017-07-15 19:59:29,2020-11-16 13:06:20,Adware
+e330bca99c8a5256ae126a55c4c725c5,2017-07-15 19:59:29,2021-01-13 00:29:37,Adware
+b8f81673c0e1d29908346f3bab892b9b,2017-07-16 01:32:03,2018-12-17 06:08:03,Adware
+83e04bc58d402f9633983cbf22724b02,2017-07-16 01:32:03,2021-01-14 14:23:42,Adware
+70722097d1fe1d78d8c2164640ab6df4,2017-07-16 02:39:08,2021-02-22 04:56:57,Tofsee
+9c2589e1c0e9f533a022c6205f9719e1,2017-07-16 08:37:17,2021-02-19 08:46:32,Adware
+849b04bdbd1d2b983f6e8a457e0632a8,2017-07-16 08:37:17,2021-02-19 08:46:32,Adware
+16efcf0e00504ddfedde13bfea997952,2017-07-16 19:45:45,2020-12-23 15:10:32,Adware
+4d7a28d6f2263ed61de88ca66eb011e3,2017-07-16 21:20:29,2020-12-08 18:10:55,Tofsee
+550dce18de1bb143e69d6dd9413b8355,2017-07-16 22:17:20,2018-12-21 07:04:50,Adware
+c50f6a8b9173676b47ba6085bd0c6cee,2017-07-16 22:38:41,2019-05-21 09:42:17,TrickBot
+20dd18bdd3209ea718989030a6f93364,2017-07-18 10:22:58,2019-04-28 09:23:31,Adware
+8498fe4268764dbf926a38283e9d3d8f,2017-07-18 10:22:58,2020-12-31 02:06:27,Adware
+590a232d04d56409fab72e752a8a2634,2017-07-18 18:53:24,2020-10-11 20:48:33,Tofsee
+51a7ad14509fd614c7bb3a50c4982b8c,2017-07-19 07:28:19,2019-07-14 11:58:32,JBifrost
+96eba628dcb2b47607192ba74a3b55ba,2017-07-19 18:53:48,2021-01-04 12:45:08,Tofsee
+df5c30e670dba99f9270ed36060cf054,2017-07-20 17:44:07,2018-04-11 15:57:59,Tofsee
+098f55e27d8c4b0a590102cbdb3a5f3a,2017-07-21 09:52:01,2019-04-08 01:09:54,Adware
+46efd49abcca8ea9baa932da68fdb529,2017-07-22 14:07:36,2021-02-20 20:45:32,Adware
+29085f03f8e8a03f0b399c5c7cf0b0b8,2017-07-22 14:07:36,2021-02-21 20:56:01,Adware
+d7150af4514b868defb854db0f62a441,2017-07-23 09:39:24,2018-07-24 01:04:58,Tofsee
+03e186a7f83285e93341de478334006e,2017-07-24 18:17:14,2021-02-13 23:55:58,Tofsee
+3cda52da4ade09f1f781ad2e82dcfa20,2017-07-30 18:41:36,2019-05-21 17:34:18,Quakbot
+b13d01846ad7a14a70bf030a16775c78,2017-08-08 07:12:49,2021-02-21 01:32:12,Adware
+1543a7c46633acf71e8401baccbd0568,2017-08-08 21:32:28,2020-11-10 05:30:17,Tofsee
+1d095e68489d3c535297cd8dffb06cb9,2017-08-12 19:56:28,2020-10-28 11:06:23,Tofsee
+93d056782d649deb51cda44ecb714bb0,2017-08-28 12:20:47,2019-04-15 23:47:27,Adware
+698e36219f3979420fa2581b21dac7ec,2017-08-28 12:20:47,2020-12-31 02:06:31,Adware
+1712287800ac91b34cadd5884ce85568,2017-08-28 16:01:59,2021-01-23 09:36:32,TorrentLocker
+5e573c9c9f8ba720ef9b18e9fce2e2f7,2017-08-30 13:44:56,2021-02-17 17:11:34,Adware
+f6fd83a21f9f3c5f9ff7b5c63bbc179d,2017-10-20 08:03:21,2018-11-06 06:42:12,Adware
+92579701f145605e9edc0b01a901c6d5,2017-10-23 00:10:48,2021-02-18 22:56:49,Adware
+a61299f9b501adcf680b9275d79d4ac6,2017-11-04 18:03:59,2020-04-21 17:08:24,Tofsee
+b2b61db7b9490a60d270ccb20b462826,2017-11-14 20:12:03,2021-02-18 22:56:49,Adware
+7dcce5b76c8b17472d024758970a406b,2017-11-22 12:42:46,2020-12-22 15:15:49,Tofsee
+534ce2dbc413c68e908363b5df0ae5e0,2017-12-22 09:36:21,2019-07-27 15:22:33,TrickBot
+fb00055a1196aeea8d1bc609885ba953,2018-01-01 22:49:25,2019-04-09 06:58:58,TrickBot
+a50a861119aceb0ccc74902e8fddb618,2018-01-02 08:16:23,2018-07-05 02:33:08,Tofsee
+e7643725fcff971e3051fe0e47fc2c71,2018-01-31 08:06:13,2020-03-25 16:19:48,Tofsee
+7c410ce832e848a3321432c9a82e972b,2018-01-31 20:04:25,2021-02-21 22:51:31,Tofsee
+da949afd9bd6df820730f8f171584a71,2018-02-03 05:19:37,2021-02-21 05:20:43,Tofsee
+906004246f3ba5e755b043c057254a29,2018-03-11 08:25:38,2018-04-14 00:59:16,Tofsee
+fd80fa9c6120cdeea8520510f3c644ac,2018-03-11 09:34:30,2021-02-21 22:16:39,Tofsee
+b90bdbe961a648f0427db21aaa6ccb59,2018-03-11 10:37:43,2020-05-29 23:39:01,Tofsee
+1fe4c7a3544eb27afec2adfb3a3dbf60,2018-03-11 19:23:08,2021-02-20 11:19:52,Tofsee
+c201b92f8b483fa388be174d6689f534,2018-03-12 13:43:52,2021-01-28 06:17:06,Gozi
+9f62c4f26b90d3d757bea609e82f2eaf,2018-03-13 06:23:41,2020-12-18 16:07:31,Tofsee
+1be3ecebe5aa9d3654e6e703d81f6928,2018-03-13 11:50:02,2021-02-14 23:03:13,Ransomware.Troldesh
+e3b2ab1f9a56f2fb4c9248f2f41631fa,2018-03-15 01:06:34,2021-02-22 10:36:48,Tofsee
+dff8a0aa1c904aaea76c5bf624e88333,2018-03-18 09:41:15,2020-10-27 09:50:24,Tofsee
+17fd49722f8d11f3d76dce84f8e099a7,2018-03-19 23:02:27,2020-12-09 11:32:21,Tofsee
+911479ac8a0813ed1241b3686ccdade9,2018-03-19 23:24:59,2020-03-30 04:09:18,Tofsee
+c5deb9465d47232dd48772f9c4d14679,2018-03-22 15:42:48,2021-02-17 07:39:32,Tofsee
+f22bdd57e3a52de86cda40da2d84e83b,2018-03-27 13:40:19,2019-01-20 14:31:39,Tofsee
+d18a4da84af59e1108862a39bae7c9d4,2018-04-03 00:40:51,2021-02-06 01:53:12,Tofsee
+2d8794cb7b52b777bee2695e79c15760,2018-04-04 06:56:37,2021-02-10 08:22:31,Ransomware
+40adfd923eb82b89d8836ba37a19bca1,2018-04-15 15:49:08,2021-02-21 22:22:56,CoinMiner
+1aee0238942d453d679fc1e37a303387,2018-05-13 01:59:49,2021-02-10 13:19:24,Tofsee
+2092e1fffb45d7e4a19a57f9bc5e203a,2018-05-16 21:59:36,2018-09-05 01:58:33,Adware
+bffa4501966196d3d6e90cee1f88fc89,2018-06-07 15:08:04,2020-03-16 00:03:44,Tofsee
+807fca46d9d0cf63adf4e5e80e414bbe,2018-06-07 16:51:03,2021-02-20 03:15:38,Tofsee
+fb58831f892190644fe44e25bc830b45,2018-06-08 12:07:59,2019-05-31 21:02:37,Adware
+0cc1e84568e471aa1d62ad4158ade6b5,2018-06-24 10:50:47,2021-02-10 21:48:57,Tofsee
+d2935c58fe676744fecc8614ee5356c7,2018-08-14 21:48:41,2021-02-21 21:44:55,Adwind
+8916410db85077a5460817142dcbc8de,2018-08-21 12:32:28,2021-02-21 20:02:19,TrickBot
+c5235d3a8b9934b7fbbd204d50bc058d,2018-08-23 17:36:08,2019-10-13 05:11:09,Gootkit
+57f3642b4e37e28f5cbe3020c9331b4c,2018-08-28 15:54:53,2021-02-22 11:09:43,Gozi
+e62a5f4d538cbf169c2af71bec2399b4,2018-08-30 15:45:40,2021-02-21 20:36:55,TrickBot
+51c64c77e60f3980eea90869b68c58a8,2018-08-30 21:04:57,2021-02-21 22:09:16,Dridex
+7691297bcb20a41233fd0a0baa0a3628,2018-09-17 02:50:05,2021-02-21 17:05:57,Adware
+7dd50e112cd23734a310b90f6f44a7cd,2018-09-17 17:54:58,2021-02-22 11:14:04,Quakbot
+52c7396a501e4fecbdfa99c5408334ac,2018-09-18 00:29:04,2019-12-03 17:24:02,Tofsee
+f735bbc6b69723b9df7b0e7ef27872af,2018-10-02 18:04:16,2021-02-19 06:55:39,TrickBot
+49ed2ef3f1321e5f044f1e71b0e6fdd5,2018-10-02 18:04:17,2021-02-19 06:55:39,TrickBot
+d76ee64fb7273733cbe455ac81c292e6,2018-11-16 13:26:39,2018-11-18 19:19:36,Tofsee
+8f6c918dcb585ebbea05e2cc94530e3d,2018-11-16 13:26:41,2020-05-06 15:45:21,Tofsee
+34f14a69ad7009ca5863379218af17f3,2018-11-17 05:17:22,2021-01-28 08:19:18,Tofsee
+c2b4710c6888a5d47befe865c8e6fb19,2018-11-29 20:46:04,2020-12-16 15:08:09,Tofsee
+decfb48a53789ebe081b88aabb58ee34,2018-12-21 09:06:16,2021-02-16 12:28:53,Adwind
+08a8a4e85b25ac42e1490bc85cfdb5ce,2019-01-30 02:48:34,2020-10-27 09:50:19,Tofsee
+c0220cd64849a629397a9cb68f78a0ea,2019-03-24 00:12:32,2021-02-13 05:13:33,Tofsee
+7a29c223fb122ec64d10f0a159e07996,2019-06-09 22:55:29,2020-10-27 09:50:26,Tofsee
+44dab16d680ef93487bc16ad23b3ffb1,2019-06-09 22:55:29,2020-10-27 09:50:25,Tofsee
+70a04365be5bbd4653698bebeb43ce68,2019-07-02 06:26:56,2020-05-30 04:19:00,Tofsee
+d81d654effb94714a4086734fa0adad9,2019-07-16 23:29:02,2020-10-27 09:50:21,Tofsee
+25d74b7b4b779eb1efd4b31d26d651c6,2019-08-03 20:15:33,2020-07-14 21:43:25,Tofsee
+fc2299d5b2964cd242c5a2c8c531a5f0,2019-08-09 23:56:32,2021-02-22 08:49:18,Tofsee
+32926ca3e59f0413d0b98725454594f5,2019-09-12 06:56:10,2020-10-27 21:49:31,Tofsee
+ffefafdb86336d057eda5fdf02b3d5ce,2019-10-26 07:31:49,2020-07-25 00:14:09,Tofsee
+# END (98) entries
\ No newline at end of file
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 729d04d52..abb5ddb3d 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -67,6 +67,7 @@ static char *results_path = NULL;
 static char * bpfFilter = NULL; /**< bpf filter */
 static char *_protoFilePath = NULL; /**< Protocol file path */
 static char *_customCategoryFilePath= NULL; /**< Custom categories file path */
+static char *_maliciousJA3Path = NULL; /**< Malicious JA3 signatures */
 static char *_riskyDomainFilePath = NULL; /**< Risky domain files */
 static u_int8_t live_capture = 0;
 static u_int8_t undetected_flows_deleted = 0;
@@ -438,7 +439,7 @@ static void help(u_int long_help) {
 "[-f ][-s ][-m ][-b ]\n"
 " [-p ][-l [-q][-d][-J][-h][-D][-e ][-t][-v ]\n"
 " [-n ][-w ][-c ][-C ][-j ][-x ]\n"
- " [-r ][-T ][-U ] [-x ]\n\n"
+ " [-r ][-j ][-T ][-U ] [-x ]\n\n"
 "Usage:\n"
 " -i | Specify a pcap file/playlist to read packets from or a\n"
 " | device for live capture (comma-separated list)\n"
@@ -469,6 +470,7 @@ static void help(u_int long_help) {
 " -c | Load custom categories from the specified file\n"
 " -C | Write output in CSV format on the specified file\n"
 " -r | Load risky domain file\n"
+ " -j | Load malicious JA3 fingeprints\n"
 " -w | Write test output on the specified file. This is useful for\n"
 " | testing purposes in order to compare results across runs\n"
 " -h | This help\n"
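Review bot: The rewritten synopsis line `" [-r ][-j ][-T ][-U ] [-x ]\n\n"` advertises `[-j ]` a second time, because the unchanged context line directly above it already carries `[-j ]`, so the usage banner now lists the option twice (`[-x ]` is likewise duplicated across the two lines, a pre-existing wart). Drop the new `[-j ]` or remove the stale one on the preceding line, and consider de-duplicating `[-x ]` in the same pass. The argument placeholders between the brackets appear stripped in this rendering, so their wording cannot be checked here. help() starts before and continues past this hunk.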
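Review bot: The new help line `" -j | Load malicious JA3 fingeprints\n"` misspells "fingerprints"; it should read `" -j | Load malicious JA3 fingerprints\n"`. It would also help operators to say what the loader expects, given that the file added in this same commit is an abuse.ch sslbl CSV with a `ja3_md5,Firstseen,Lastseen,Listingreason` layout and `#`-prefixed comment lines, for example `" -j | Load malicious JA3 fingerprints (abuse.ch sslbl CSV format)\n"`; whether other layouts are accepted depends on ndpi_load_malicious_ja3_file(), which is outside this diff. help() starts before and continues past this hunk.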
@@ -763,7 +765,7 @@ static void parseOptions(int argc, char **argv) {
 }
 #endif
- while((opt = getopt_long(argc, argv, "b:e:c:C:dDf:g:i:Ihp:P:l:r:s:tu:v:V:n:Jrp:x:w:q0123:456:7:89:m:T:U:",
+ while((opt = getopt_long(argc, argv, "b:e:c:C:dDf:g:i:Ij:hp:P:l:r:s:tu:v:V:n:Jrp:x:w:q0123:456:7:89:m:T:U:",
 longopts, &option_idx)) != EOF) {
 #ifdef DEBUG_TRACE
 if(trace) fprintf(trace, " #### -%c [%s] #### \n", opt, optarg ? optarg : "");
@@ -796,6 +798,10 @@ static void parseOptions(int argc, char **argv) {
 ignore_vlanid = 1;
 break;
+ case 'j':
+ _maliciousJA3Path = optarg;
+ break;
+
 case 'm':
 pcap_analysis_duration = atol(optarg);
 break;
@@ -2060,6 +2066,9 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) {
 if(_riskyDomainFilePath)
 ndpi_load_risk_domain_file(ndpi_thread_info[thread_id].workflow->ndpi_struct, _riskyDomainFilePath);
+ if(_maliciousJA3Path)
+ ndpi_load_malicious_ja3_file(ndpi_thread_info[thread_id].workflow->ndpi_struct, _maliciousJA3Path);
+
 ndpi_finalize_initialization(ndpi_thread_info[thread_id].workflow->ndpi_struct);
 if(enable_doh_dot_detection)
--
cgit v1.2.3
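Review bot: The new `ndpi_load_malicious_ja3_file(...)` call in setupDetection() discards its result, so a mistyped or unreadable -j path silently leaves NDPI_MALICIOUS_JA3 detection inactive while the operator believes the blacklist is in force; the neighbouring ndpi_load_risk_domain_file call has the same gap, but a new option should not inherit it. Assuming the loader reports failure the way the other ndpi_load_* helpers do (presumably a non-zero return; confirm against its definition, which is outside this diff), test it and say so: `if(_maliciousJA3Path && ndpi_load_malicious_ja3_file(ndpi_thread_info[thread_id].workflow->ndpi_struct, _maliciousJA3Path) != 0)` followed by `fprintf(stderr, "Unable to load malicious JA3 fingerprints from %s\n", _maliciousJA3Path);`. A short comment beside the call would also set expectations, since a JA3 MD5 is a hash of ClientHello parameters that unrelated TLS stacks can share and the bundled list is a dated abuse.ch snapshot: `/* JA3 hits are indicative only: benign clients can share a listed fingerprint and the list ages */`. As with the risky-domain list, the file is parsed once per capture thread; setupDetection() starts before and continues past this hunk.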