From 9da99075aa174a7ecfc00fb9a18d32d3056d8db3 Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Mon, 28 Oct 2024 23:36:51 +0100
Subject: TLS: export heuristic fingerprint as metadata (#2609)
---
 src/lib/protocols/tls.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
(limited to 'src/lib/protocols')
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 048060188..498147181 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -380,6 +380,20 @@ static int tls_obfuscated_heur_search(struct ndpi_detection_module_struct* ndpi_
 NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: set %d completed\n", i);
 if(check_set(ndpi_struct, set)) {
 /* Heuristic match */
+
+ /* Export the matching set as metadata */
+ flow->tls_quic.obfuscated_heur_matching_set = ndpi_calloc(1, sizeof(struct ndpi_tls_obfuscated_heuristic_matching_set));
+ if(flow->tls_quic.obfuscated_heur_matching_set) {
+ flow->tls_quic.obfuscated_heur_matching_set->bytes[0] = set->bytes[0];
+ flow->tls_quic.obfuscated_heur_matching_set->bytes[1] = set->bytes[1];
+ flow->tls_quic.obfuscated_heur_matching_set->bytes[2] = set->bytes[2];
+ flow->tls_quic.obfuscated_heur_matching_set->bytes[3] = set->bytes[3];
+ flow->tls_quic.obfuscated_heur_matching_set->pkts[0] = set->pkts[0];
+ flow->tls_quic.obfuscated_heur_matching_set->pkts[1] = set->pkts[1];
+ flow->tls_quic.obfuscated_heur_matching_set->pkts[2] = set->pkts[2];
+ flow->tls_quic.obfuscated_heur_matching_set->pkts[3] = set->pkts[3];
+ }
+
 return 2; /* Found */
 } else {
 /* Close this set and open a new one... */
--
cgit v1.2.3
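Review bot: The `ndpi_calloc()` result is stored in `flow->tls_quic.obfuscated_heur_matching_set` without checking whether that pointer is already set, so if this match branch can run more than once for the same flow the earlier allocation is leaked; in a DPI path fed by untrusted traffic that would be remotely driven memory growth. Whether a second match is reachable cannot be told from here, because the body of `tls_obfuscated_heur_search` starts and ends outside the hunk, so a cheap guard is worth adding before the allocation: `if(flow->tls_quic.obfuscated_heur_matching_set == NULL)`. The view is limited to `src/lib/protocols`, so the matching release in the flow teardown cannot be confirmed on this page; a short comment next to the allocation naming where the buffer is freed would make the ownership explicit. When the allocation fails the function still returns 2 with no metadata attached, so the comment should also state that consumers must treat the pointer as optional.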