From 9c0caa536204e647518deab41e2cd5b7ff93c77d Mon Sep 17 00:00:00 2001 From: Nardi Ivan Date: Mon, 17 Oct 2022 15:05:23 +0200 Subject: TLS: allow sub-classification via ALPN In some rare cases, it is possible to sub-classify the flow via ALPN matching. This is particularly usefull for asymmetric traffic where the Client Hello doens't have the SNI. For the time being there is only one rule, about ANYDESK. --- src/lib/protocols/tls.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) (limited to 'src/lib') diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index a602fbeeb..869fe504b 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -1257,6 +1257,26 @@ void switch_extra_dissection_to_tls(struct ndpi_detection_module_struct *ndpi_st /* **************************************** */ +static void tls_subclassify_by_alpn(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + /* Right now we have only one rule so we can keep it trivial */ + + if (!flow->protos.tls_quic.alpn) + return; + + if(strlen(flow->protos.tls_quic.alpn) > NDPI_STATICSTRING_LEN("anydesk/") && + strncmp(flow->protos.tls_quic.alpn, "anydesk/", NDPI_STATICSTRING_LEN("anydesk/")) == 0) { +#ifdef DEBUG_TLS + printf("Matching ANYDESK via alpn\n"); +#endif + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ANYDESK, + __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI); + flow->protos.tls_quic.subprotocol_detected = 1; + } +} + +/* **************************************** */ + static void tlsCheckUncommonALPN(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { char * alpn_start = flow->protos.tls_quic.alpn; @@ -2182,9 +2202,16 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, #ifdef DEBUG_TLS printf("Client TLS [ALPN: %s][len: %u]\n", alpn_str, alpn_str_len); #endif - if(flow->protos.tls_quic.alpn == NULL) + if(flow->protos.tls_quic.alpn == NULL) { flow->protos.tls_quic.alpn = ndpi_strdup(alpn_str); + /* Without SNI matching we can try to sub-classify the flow via ALPN. + Note that this happens only on very rare cases, not the common ones + ("h2", "http/1.1", ...). Usefull for asymmetric traffic */ + if(!flow->protos.tls_quic.subprotocol_detected) + tls_subclassify_by_alpn(ndpi_struct, flow); + } + ndpi_snprintf(ja3.client.alpn, sizeof(ja3.client.alpn), "%s", alpn_str); /* Replace , with - as in JA3 */ -- cgit v1.2.3