From 63a3547f998bfbe52c2bc8a540e0f33d37f3ad88 Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Tue, 14 Jan 2025 12:05:03 +0100
Subject: Add (kind of) support for loading a list of JA4C malicious fingerprints (#2678)

It might be usefull to be able to match traffic against a list of suspicious JA4C fingerprints

Use the same code/logic/infrastructure used for JA3C (note that we are going to remove JA3C...)

See: #2551
---
 fuzz/Makefile.am | 28 ++++++++++++++--------------
 fuzz/corpus/fuzz_filecfg_malicious_ja3/1 | 2 --
 fuzz/corpus/fuzz_filecfg_malicious_ja3/2 | 1 -
 fuzz/corpus/fuzz_filecfg_malicious_ja4/1 | 2 ++
 fuzz/corpus/fuzz_filecfg_malicious_ja4/2 | 1 +
 fuzz/fuzz_common_code.c | 2 +-
 fuzz/fuzz_config.cpp | 4 ++--
 fuzz/fuzz_filecfg_malicious_ja3.c | 27 ---------------------------
 fuzz/fuzz_filecfg_malicious_ja4.c | 27 +++++++++++++++++++++++++++
 fuzz/fuzz_ndpi_reader.c | 2 +-
 10 files changed, 48 insertions(+), 48 deletions(-)
 delete mode 100644 fuzz/corpus/fuzz_filecfg_malicious_ja3/1
 delete mode 100644 fuzz/corpus/fuzz_filecfg_malicious_ja3/2
 create mode 100644 fuzz/corpus/fuzz_filecfg_malicious_ja4/1
 create mode 100644 fuzz/corpus/fuzz_filecfg_malicious_ja4/2
 delete mode 100644 fuzz/fuzz_filecfg_malicious_ja3.c
 create mode 100644 fuzz/fuzz_filecfg_malicious_ja4.c
(limited to 'fuzz')
diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am
index 86b3f9234..3d3c757a3 100644
--- a/fuzz/Makefile.am
+++ b/fuzz/Makefile.am
@@ -8,7 +8,7 @@ bin_PROGRAMS += fuzz_libinjection fuzz_binaryfusefilter
 #Internal crypto
 bin_PROGRAMS += fuzz_gcrypt_light fuzz_gcrypt_aes fuzz_gcrypt_gcm fuzz_gcrypt_cipher
 #Configuration files
-bin_PROGRAMS += fuzz_filecfg_protocols fuzz_filecfg_categories fuzz_filecfg_malicious_sha1 fuzz_filecfg_malicious_ja3 fuzz_filecfg_risk_domains fuzz_filecfg_config fuzz_filecfg_category
+bin_PROGRAMS += fuzz_filecfg_protocols fuzz_filecfg_categories fuzz_filecfg_malicious_sha1 fuzz_filecfg_malicious_ja4 fuzz_filecfg_risk_domains fuzz_filecfg_config fuzz_filecfg_category
 #Reader utils
 bin_PROGRAMS += fuzz_readerutils_workflow fuzz_readerutils_parseprotolist
 #Mutators
@@ -623,18 +623,18 @@ fuzz_filecfg_malicious_sha1_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAG
 $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \
 $(fuzz_filecfg_malicious_sha1_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@
 
-fuzz_filecfg_malicious_ja3_SOURCES = fuzz_filecfg_malicious_ja3.c fuzz_common_code.c
-fuzz_filecfg_malicious_ja3_CFLAGS = -I../src/lib/ @NDPI_CFLAGS@ $(CXXFLAGS) -DNDPI_LIB_COMPILATION
-fuzz_filecfg_malicious_ja3_LDADD = ../src/lib/libndpi.a $(ADDITIONAL_LIBS)
-fuzz_filecfg_malicious_ja3_LDFLAGS = $(LIBS)
+fuzz_filecfg_malicious_ja4_SOURCES = fuzz_filecfg_malicious_ja4.c fuzz_common_code.c
+fuzz_filecfg_malicious_ja4_CFLAGS = -I../src/lib/ @NDPI_CFLAGS@ $(CXXFLAGS) -DNDPI_LIB_COMPILATION
+fuzz_filecfg_malicious_ja4_LDADD = ../src/lib/libndpi.a $(ADDITIONAL_LIBS)
+fuzz_filecfg_malicious_ja4_LDFLAGS = $(LIBS)
 if HAS_FUZZLDFLAGS
-fuzz_filecfg_malicious_ja3_CFLAGS += $(LIB_FUZZING_ENGINE)
-fuzz_filecfg_malicious_ja3_LDFLAGS += $(LIB_FUZZING_ENGINE)
+fuzz_filecfg_malicious_ja4_CFLAGS += $(LIB_FUZZING_ENGINE)
+fuzz_filecfg_malicious_ja4_LDFLAGS += $(LIB_FUZZING_ENGINE)
 endif
 # force usage of CXX for linker
-fuzz_filecfg_malicious_ja3_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+fuzz_filecfg_malicious_ja4_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
 $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \
- $(fuzz_filecfg_malicious_ja3_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@
+ $(fuzz_filecfg_malicious_ja4_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@
 
 fuzz_filecfg_risk_domains_SOURCES = fuzz_filecfg_risk_domains.c fuzz_common_code.c
 fuzz_filecfg_risk_domains_CFLAGS = -I../src/lib/ @NDPI_CFLAGS@ $(CXXFLAGS) -DNDPI_LIB_COMPILATION
@@ -874,9 +874,9 @@ files_corpus_fuzz_filecfg_malicious_sha1 := $(wildcard corpus/fuzz_filecfg_mali
 fuzz_filecfg_malicious_sha1_seed_corpus.zip: $(files_corpus_fuzz_filecfg_malicious_sha1)
 zip -j fuzz_filecfg_malicious_sha1_seed_corpus.zip $(files_corpus_fuzz_filecfg_malicious_sha1)
 
-files_corpus_fuzz_filecfg_malicious_ja3 := $(wildcard corpus/fuzz_filecfg_malicious_ja3/*)
-fuzz_filecfg_malicious_ja3_seed_corpus.zip: $(files_corpus_fuzz_filecfg_malicious_ja3)
- zip -j fuzz_filecfg_malicious_ja3_seed_corpus.zip $(files_corpus_fuzz_filecfg_malicious_ja3)
+files_corpus_fuzz_filecfg_malicious_ja4 := $(wildcard corpus/fuzz_filecfg_malicious_ja4/*)
+fuzz_filecfg_malicious_ja4_seed_corpus.zip: $(files_corpus_fuzz_filecfg_malicious_ja4)
+ zip -j fuzz_filecfg_malicious_ja4_seed_corpus.zip $(files_corpus_fuzz_filecfg_malicious_ja4)
 
 files_corpus_fuzz_filecfg_risk_domains := $(wildcard corpus/fuzz_filecfg_risk_domains/*)
 fuzz_filecfg_risk_domains_seed_corpus.zip: $(files_corpus_fuzz_filecfg_risk_domains)
@@ -906,7 +906,7 @@ files_corpus_fuzz_ds_domain_classify := $(wildcard corpus/fuzz_ds_domain_classi
 fuzz_ds_domain_classify_seed_corpus.zip: $(files_corpus_fuzz_ds_domain_classify)
 zip -j fuzz_ds_domain_classify_seed_corpus.zip $(files_corpus_fuzz_ds_domain_classify)
 
-corpus: fuzz_ndpi_reader_seed_corpus.zip fuzz_ndpi_reader_alloc_fail_seed_corpus.zip fuzz_ndpi_reader_payload_analyzer_seed_corpus.zip fuzz_quic_get_crypto_data_seed_corpus.zip fuzz_alg_ses_des_seed_corpus.zip fuzz_alg_bins_seed_corpus.zip fuzz_alg_hll_seed_corpus.zip fuzz_alg_jitter_seed_corpus.zip fuzz_ds_libcache_seed_corpus.zip fuzz_community_id_seed_corpus.zip fuzz_serialization_seed_corpus.zip fuzz_ds_ptree_seed_corpus.zip fuzz_alg_crc32_md5_seed_corpus.zip fuzz_alg_bytestream_seed_corpus.zip fuzz_libinjection_seed_corpus.zip fuzz_tls_certificate_seed_corpus.zip fuzz_filecfg_protocols_seed_corpus.zip fuzz_readerutils_workflow_seed_corpus.zip fuzz_readerutils_parseprotolist_seed_corpus.zip fuzz_ds_bitmap64_fuse_seed_corpus.zip fuzz_ds_domain_classify_seed_corpus.zip fuzz_filecfg_protocols_seed_corpus.zip fuzz_is_stun_udp_seed_corpus.zip fuzz_is_stun_tcp_seed_corpus.zip fuzz_ndpi_reader_pl7m_simplest_seed_corpus.zip fuzz_ndpi_reader_pl7m_seed_corpus.zip fuzz_ndpi_reader_pl7m_64k_seed_corpus.zip fuzz_ndpi_reader_pl7m_simplest_internal_seed_corpus.zip fuzz_ndpi_reader_pl7m_internal_seed_corpus.zip
+corpus: fuzz_ndpi_reader_seed_corpus.zip fuzz_ndpi_reader_alloc_fail_seed_corpus.zip fuzz_ndpi_reader_payload_analyzer_seed_corpus.zip fuzz_quic_get_crypto_data_seed_corpus.zip fuzz_alg_ses_des_seed_corpus.zip fuzz_alg_bins_seed_corpus.zip fuzz_alg_hll_seed_corpus.zip fuzz_alg_jitter_seed_corpus.zip fuzz_ds_libcache_seed_corpus.zip fuzz_community_id_seed_corpus.zip fuzz_serialization_seed_corpus.zip fuzz_ds_ptree_seed_corpus.zip fuzz_alg_crc32_md5_seed_corpus.zip fuzz_alg_bytestream_seed_corpus.zip fuzz_libinjection_seed_corpus.zip fuzz_tls_certificate_seed_corpus.zip 
fuzz_filecfg_protocols_seed_corpus.zip fuzz_readerutils_workflow_seed_corpus.zip fuzz_readerutils_parseprotolist_seed_corpus.zip fuzz_ds_bitmap64_fuse_seed_corpus.zip fuzz_ds_domain_classify_seed_corpus.zip fuzz_filecfg_protocols_seed_corpus.zip fuzz_is_stun_udp_seed_corpus.zip fuzz_is_stun_tcp_seed_corpus.zip fuzz_ndpi_reader_pl7m_simplest_seed_corpus.zip fuzz_ndpi_reader_pl7m_seed_corpus.zip fuzz_ndpi_reader_pl7m_64k_seed_corpus.zip fuzz_ndpi_reader_pl7m_simplest_internal_seed_corpus.zip fuzz_ndpi_reader_pl7m_internal_seed_corpus.zip fuzz_filecfg_malicious_ja4_seed_corpus.zip fuzz_filecfg_malicious_sha1_seed_corpus.zip fuzz_filecfg_categories_seed_corpus.zip
 cp corpus/fuzz_*seed_corpus.zip .
 
 #Create dictionaries exactly as expected by oss-fuzz.
@@ -938,7 +938,7 @@ distdir:
 -o -path './corpus/fuzz_filecfg_protocols/*' \
 -o -path './corpus/fuzz_filecfg_categories/*' \
 -o -path './corpus/fuzz_filecfg_malicious_sha1/*' \
- -o -path './corpus/fuzz_filecfg_malicious_ja3/*' \
+ -o -path './corpus/fuzz_filecfg_malicious_ja4/*' \
 -o -path './corpus/fuzz_filecfg_risk_domains/*' \
 -o -path './corpus/fuzz_filecfg_config/*' \
 -o -path './corpus/fuzz_filecfg_category/*' \
diff --git a/fuzz/corpus/fuzz_filecfg_malicious_ja3/1 b/fuzz/corpus/fuzz_filecfg_malicious_ja3/1
deleted file mode 100644
index 6cebd9e6e..000000000
--- a/fuzz/corpus/fuzz_filecfg_malicious_ja3/1
+++ /dev/null
@@ -1,2 +0,0 @@
-# ja3_md5,Firstseen,Lastseen,Listingreason
-b386946a5a44d1ddcc843bc75336dfce,2017-07-14 18:08:15,2019-07-27 20:42:54,Dridex
diff --git a/fuzz/corpus/fuzz_filecfg_malicious_ja3/2 b/fuzz/corpus/fuzz_filecfg_malicious_ja3/2
deleted file mode 100644
index b169853f2..000000000
--- a/fuzz/corpus/fuzz_filecfg_malicious_ja3/2
+++ /dev/null
@@ -1 +0,0 @@
-8991a387e4cc841740f25d6f5139f92d8991a387e4cc841740f25d6f5139f92d,2017-07-14 19:02:03,2019-07-28 00:34:38,Adware
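Review bot: The rebuilt `corpus:` prerequisite list still omits `fuzz_filecfg_risk_domains_seed_corpus.zip`, whose zip rule is visible in the `@@ -874` hunk above, and it carries `fuzz_filecfg_protocols_seed_corpus.zip` twice, so the list does not match the per-fuzzer rules even after the ja4, sha1 and categories zips are added here. Unless the following `cp corpus/fuzz_*seed_corpus.zip .` step ships a prebuilt copy, the risk-domains fuzzer runs on oss-fuzz without its seed corpus. Append `fuzz_filecfg_risk_domains_seed_corpus.zip` to the line and drop the duplicate entry. The `corpus:` line itself begins on the previous page line, so only its tail is shown here.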
diff --git a/fuzz/corpus/fuzz_filecfg_malicious_ja4/1 b/fuzz/corpus/fuzz_filecfg_malicious_ja4/1
new file mode 100644
index 000000000..5b788c0e9
--- /dev/null
+++ b/fuzz/corpus/fuzz_filecfg_malicious_ja4/1
@@ -0,0 +1,2 @@
+# ja4c,comment
+t13d1517h2_8daaf6152771_b0da82dd1658,comment
diff --git a/fuzz/corpus/fuzz_filecfg_malicious_ja4/2 b/fuzz/corpus/fuzz_filecfg_malicious_ja4/2
new file mode 100644
index 000000000..324017530
--- /dev/null
+++ b/fuzz/corpus/fuzz_filecfg_malicious_ja4/2
@@ -0,0 +1 @@
+t13d1517h2_8daaf6152771_b0da82dd1658,comment
diff --git a/fuzz/fuzz_common_code.c b/fuzz/fuzz_common_code.c
index 647a28413..0c2febce8 100644
--- a/fuzz/fuzz_common_code.c
+++ b/fuzz/fuzz_common_code.c
@@ -53,7 +53,7 @@ void fuzz_init_detection_module(struct ndpi_detection_module_struct **ndpi_info_
 ndpi_load_protocols_file(*ndpi_info_mod, "protos.txt");
 ndpi_load_categories_file(*ndpi_info_mod, "categories.txt", NULL);
 ndpi_load_risk_domain_file(*ndpi_info_mod, "risky_domains.txt");
- ndpi_load_malicious_ja3_file(*ndpi_info_mod, "ja3_fingerprints.csv");
+ ndpi_load_malicious_ja4_file(*ndpi_info_mod, "ja4_fingerprints.csv");
 ndpi_load_malicious_sha1_file(*ndpi_info_mod, "sha1_fingerprints.csv");
 
 ndpi_set_config(*ndpi_info_mod, NULL, "filename.config", "config.txt");
diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp
index 8ced9381b..a07ef100d 100644
--- a/fuzz/fuzz_config.cpp
+++ b/fuzz/fuzz_config.cpp
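Review bot: Replacing `ndpi_load_malicious_ja3_file` with the ja4 call drops the only fuzz coverage of the JA3 CSV loader, although the commit message only announces that JA3C will be removed later and this `fuzz/`-limited diff does not show the loader going away; the same substitution is made in `fuzz_config.cpp` and `fuzz_ndpi_reader.c`, and the dedicated JA3 harness is deleted rather than duplicated. A parser that consumes an externally supplied file should keep sanitizer coverage until it is actually removed, so keep `ndpi_load_malicious_ja3_file(*ndpi_info_mod, "ja3_fingerprints.csv");` here and add the ja4 line after it, and likewise retain both JA3 calls in `fuzz_config.cpp` (including the NULL / `"invalid_filename"` error path). If the JA3 API is removed elsewhere in this same commit, disregard this. fuzz_init_detection_module continues outside the hunk.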
@@ -87,9 +87,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 if(fuzzed_data.ConsumeBool())
 ndpi_load_risk_domain_file(ndpi_info_mod, fuzzed_data.ConsumeBool() ? NULL : "invalid_filename"); /* Error */
 if(fuzzed_data.ConsumeBool())
- ndpi_load_malicious_ja3_file(ndpi_info_mod, "ja3_fingerprints.csv");
+ ndpi_load_malicious_ja4_file(ndpi_info_mod, "ja4_fingerprints.csv");
 if(fuzzed_data.ConsumeBool())
- ndpi_load_malicious_ja3_file(ndpi_info_mod, fuzzed_data.ConsumeBool() ? NULL : "invalid_filename"); /* Error */
+ ndpi_load_malicious_ja4_file(ndpi_info_mod, fuzzed_data.ConsumeBool() ? NULL : "invalid_filename"); /* Error */
 if(fuzzed_data.ConsumeBool())
 ndpi_load_malicious_sha1_file(ndpi_info_mod, "sha1_fingerprints.csv");
 if(fuzzed_data.ConsumeBool())
diff --git a/fuzz/fuzz_filecfg_malicious_ja3.c b/fuzz/fuzz_filecfg_malicious_ja3.c
deleted file mode 100644
index 3d7b4e70b..000000000
--- a/fuzz/fuzz_filecfg_malicious_ja3.c
+++ /dev/null
@@ -1,27 +0,0 @@
-#include "ndpi_api.h"
-#include "ndpi_private.h"
-#include "fuzz_common_code.h"
-
-int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- struct ndpi_detection_module_struct *ndpi_struct;
- FILE *fd;
- NDPI_PROTOCOL_BITMASK all;
-
- /* To allow memory allocation failures */
- fuzz_set_alloc_callbacks_and_seed(size);
-
- ndpi_struct = ndpi_init_detection_module(NULL);
- NDPI_BITMASK_SET_ALL(all);
- ndpi_set_protocol_detection_bitmask2(ndpi_struct, &all);
-
- ndpi_set_config(ndpi_struct, NULL, "log.level", "3");
- ndpi_set_config(ndpi_struct, "all", "log", "1");
-
- fd = buffer_to_file(data, size);
- load_malicious_ja3_file_fd(ndpi_struct, fd);
- if(fd)
- fclose(fd);
-
- ndpi_exit_detection_module(ndpi_struct);
- return 0;
-}
diff --git a/fuzz/fuzz_filecfg_malicious_ja4.c b/fuzz/fuzz_filecfg_malicious_ja4.c
new file mode 100644
index 000000000..c299382a8
--- /dev/null
+++ b/fuzz/fuzz_filecfg_malicious_ja4.c
@@ -0,0 +1,27 @@
+#include "ndpi_api.h"
+#include "ndpi_private.h"
+#include "fuzz_common_code.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ struct ndpi_detection_module_struct *ndpi_struct;
+ FILE *fd;
+ NDPI_PROTOCOL_BITMASK all;
+
+ /* To allow memory allocation failures */
+ fuzz_set_alloc_callbacks_and_seed(size);
+
+ ndpi_struct = ndpi_init_detection_module(NULL);
+ NDPI_BITMASK_SET_ALL(all);
+ ndpi_set_protocol_detection_bitmask2(ndpi_struct, &all);
+
+ ndpi_set_config(ndpi_struct, NULL, "log.level", "3");
+ ndpi_set_config(ndpi_struct, "all", "log", "1");
+
+ fd = buffer_to_file(data, size);
+ load_malicious_ja4_file_fd(ndpi_struct, fd);
+ if(fd)
+ fclose(fd);
+
+ ndpi_exit_detection_module(ndpi_struct);
+ return 0;
+}
diff --git a/fuzz/fuzz_ndpi_reader.c b/fuzz/fuzz_ndpi_reader.c
index de38f95ac..6c5be9c40 100644
--- a/fuzz/fuzz_ndpi_reader.c
+++ b/fuzz/fuzz_ndpi_reader.c
@@ -78,7 +78,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 ndpi_load_protocols_file(workflow->ndpi_struct, "protos.txt");
 ndpi_load_categories_file(workflow->ndpi_struct, "categories.txt", NULL);
 ndpi_load_risk_domain_file(workflow->ndpi_struct, "risky_domains.txt");
- ndpi_load_malicious_ja3_file(workflow->ndpi_struct, "ja3_fingerprints.csv");
+ ndpi_load_malicious_ja4_file(workflow->ndpi_struct, "ja4_fingerprints.csv");
 ndpi_load_malicious_sha1_file(workflow->ndpi_struct, "sha1_fingerprints.csv");
 
 // enable all protocols
-- cgit v1.2.3
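Review bot: `ndpi_init_detection_module(NULL)` is used without a NULL check even though `fuzz_set_alloc_callbacks_and_seed(size)` is called just before it to let allocations fail, so the module pointer can be NULL when it reaches `ndpi_set_protocol_detection_bitmask2`, `ndpi_set_config` and `load_malicious_ja4_file_fd`. If any of those does not tolerate a NULL module (not visible here), the fuzzer reports a null dereference in the harness instead of a finding in the JA4 loader; an early exit `if(ndpi_struct == NULL) return 0;` directly after the init call keeps the target on the parser. The file is a copy of the deleted JA3 harness with only the loader name changed, so a one-line header comment such as `/* Fuzz target: feeds the input bytes as a JA4C fingerprint CSV to load_malicious_ja4_file_fd() */` would also help readers.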