From 63a3547f998bfbe52c2bc8a540e0f33d37f3ad88 Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Tue, 14 Jan 2025 12:05:03 +0100
Subject: Add (kind of) support for loading a list of JA4C malicious
 fingerprints (#2678)

It might be useful to be able to match traffic against a list of
suspicious JA4C fingerprints

Use the same code/logic/infrastructure used for JA3C (note that we are
going to remove JA3C...)

See: #2551
---
 src/lib/ndpi_main.c     | 22 +++++++++++-----------
 src/lib/protocols/tls.c | 20 ++++++++++----------
 2 files changed, 21 insertions(+), 21 deletions(-)


diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 45b8991d1..f25c50fc5 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -3463,7 +3463,7 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(struct ndpi_glob
     return(NULL);
   }
 
-  ndpi_str->malicious_ja3_hashmap = NULL; /* Initialized on demand */
+  ndpi_str->malicious_ja4_hashmap = NULL; /* Initialized on demand */
   ndpi_str->malicious_sha1_hashmap = NULL; /* Initialized on demand */
   ndpi_str->risky_domain_automa.ac_automa = NULL; /* Initialized on demand */
   ndpi_str->trusted_issuer_dn = NULL;
@@ -4314,8 +4314,8 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_str) {
     if(ndpi_str->tls_cert_subject_automa.ac_automa != NULL)
       ac_automata_release((AC_AUTOMATA_t *) ndpi_str->tls_cert_subject_automa.ac_automa, 0);
 
-    if(ndpi_str->malicious_ja3_hashmap != NULL)
-      ndpi_hash_free(&ndpi_str->malicious_ja3_hashmap);
+    if(ndpi_str->malicious_ja4_hashmap != NULL)
+      ndpi_hash_free(&ndpi_str->malicious_ja4_hashmap);
 
     if(ndpi_str->malicious_sha1_hashmap != NULL)
       ndpi_hash_free(&ndpi_str->malicious_sha1_hashmap);
@@ -5267,10 +5267,10 @@ int load_risk_domain_file_fd(struct ndpi_detection_module_struct *ndpi_str, FILE
 /*
  * Format:
  *
- * <ja3 hash>[,<other info>]
+ * <ja4 hash>[,<other info>]
  *
  */
-int ndpi_load_malicious_ja3_file(struct ndpi_detection_module_struct *ndpi_str, const char *path) {
+int ndpi_load_malicious_ja4_file(struct ndpi_detection_module_struct *ndpi_str, const char *path) {
   int rc;
   FILE *fd;
 
@@ -5283,7 +5283,7 @@ int ndpi_load_malicious_ja3_file(struct ndpi_detection_module_struct *ndpi_str,
     return -1;
   }
 
-  rc = load_malicious_ja3_file_fd(ndpi_str, fd);
+  rc = load_malicious_ja4_file_fd(ndpi_str, fd);
 
   fclose(fd);
 
@@ -5292,13 +5292,13 @@ int ndpi_load_malicious_ja3_file(struct ndpi_detection_module_struct *ndpi_str,
 
 /* ******************************************************************** */
 
-int load_malicious_ja3_file_fd(struct ndpi_detection_module_struct *ndpi_str, FILE *fd) {
+int load_malicious_ja4_file_fd(struct ndpi_detection_module_struct *ndpi_str, FILE *fd) {
   char buffer[128], *line;
   int len, num = 0;
 
   if(!ndpi_str || !fd)
     return(-1);
-  if(ndpi_str->malicious_ja3_hashmap == NULL && ndpi_hash_init(&ndpi_str->malicious_ja3_hashmap) != 0)
+  if(ndpi_str->malicious_ja4_hashmap == NULL && ndpi_hash_init(&ndpi_str->malicious_ja4_hashmap) != 0)
     return(-1);
 
   while(1) {
@@ -5321,12 +5321,12 @@ int load_malicious_ja3_file_fd(struct ndpi_detection_module_struct *ndpi_str, FI
 
     len = strlen(line);
 
-    if(len != 32 /* size of MD5 hash */) {
-      NDPI_LOG_ERR(ndpi_str, "Not a JA3 md5 hash: [%s]\n", line);
+    if(len != 36 /* size of JA4C */) {
+      NDPI_LOG_ERR(ndpi_str, "Not a JA4C: [%s]\n", line);
       continue;
     }
 
-    if(ndpi_hash_add_entry(&ndpi_str->malicious_ja3_hashmap, line, len, 0) == 0)
+    if(ndpi_hash_add_entry(&ndpi_str->malicious_ja4_hashmap, line, len, 0) == 0)
       num++;
   }
 
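Review bot: The `len != 36` check at the top of the hunk is the only validation, so any 36-character line — a stray JA3 md5 with four extra characters, a comment line, an all-uppercase entry — is stored in the hashmap and simply never matches, with no error logged. A JA4 client fingerprint has the fixed shape `<10-char header>_<12 hex>_<12 hex>`, so checking the two separators is cheap and catches most malformed lines: `if(len != 36 /* size of JA4C */ || line[10] != '_' || line[23] != '_') {`. The lookup in tls.c is an exact byte comparison, so if a list is written with uppercase hex while nDPI computes lowercase (as the JA4 spec does), entries will silently never hit; either document the expected case in the format comment or normalise `line` before `ndpi_hash_add_entry`. `load_malicious_ja4_file_fd` starts and ends outside this hunk.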
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index a1184cf27..8a00da661 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -3247,20 +3247,20 @@ compute_ja3c:
 #ifdef DEBUG_JA
 	        printf("[JA3] Client: %s \n", flow->protos.tls_quic.ja3_client);
 #endif
-
-	        if(ndpi_struct->malicious_ja3_hashmap != NULL) {
-	          u_int16_t rc1 = ndpi_hash_find_entry(ndpi_struct->malicious_ja3_hashmap,
-	                                               flow->protos.tls_quic.ja3_client,
-	                                               NDPI_ARRAY_LENGTH(flow->protos.tls_quic.ja3_client) - 1,
-	                                               NULL);
-
-	        if(rc1 == 0)
-	          ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_FINGERPRINT, flow->protos.tls_quic.ja3_client);
-	        }
 	      }
 
 	      if(ndpi_struct->cfg.tls_ja4c_fingerprint_enabled) {
 	        ndpi_compute_ja4(ndpi_struct, flow, quic_version, &ja);
+
+                if(ndpi_struct->malicious_ja4_hashmap != NULL) {
+                  u_int16_t rc1 = ndpi_hash_find_entry(ndpi_struct->malicious_ja4_hashmap,
+                                                       flow->protos.tls_quic.ja4_client,
+                                                       NDPI_ARRAY_LENGTH(flow->protos.tls_quic.ja4_client) - 1,
+                                                       NULL);
+
+                  if(rc1 == 0)
+                    ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_FINGERPRINT, flow->protos.tls_quic.ja4_client);
+                }
 	      }
 	      /* End JA3/JA4 */
 	    }
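Review bot: The added lookup block is indented with spaces while the surrounding lines of this function (the `printf` and the `if(ndpi_struct->cfg.tls_ja4c_fingerprint_enabled)` line) use tabs, so the new code will render at a different depth in most editors and show up as noise in every later diff of this region; re-indent with tabs to match. Separately, the key length passed to `ndpi_hash_find_entry` is `NDPI_ARRAY_LENGTH(flow->protos.tls_quic.ja4_client) - 1`, i.e. the buffer capacity, whereas the loader in ndpi_main.c stores exactly 36-byte keys; that only matches if `ja4_client` is a 37-byte array, which this hunk does not show, and it also performs the lookup even if `ndpi_compute_ja4` left the buffer empty. Using `strlen(flow->protos.tls_quic.ja4_client)` and skipping the lookup when that is 0 ties the comparison to the fingerprint actually written. The enclosing function starts and ends outside the hunk.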
-- 
cgit v1.2.3