From ddd08f913c80289e13e9c000e11c473a21ec23ca Mon Sep 17 00:00:00 2001 From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> Date: Tue, 24 Sep 2024 14:20:31 +0200 Subject: Add some heuristics to detect encrypted/obfuscated/proxied TLS flows (#2553) Based on the paper: "Fingerprinting Obfuscated Proxy Traffic with Encapsulated TLS Handshakes". See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting Basic idea: * the packets/bytes distribution of a TLS handshake is quite unique * this fingerprint is still detectable if the handshake is encrypted/proxied/obfuscated All heuristics are disabled by default. --- tests/cfgs/tls_heuristics_enabled/config.txt | 1 + 1 file changed, 1 insertion(+) create mode 100644 tests/cfgs/tls_heuristics_enabled/config.txt (limited to 'tests/cfgs/tls_heuristics_enabled/config.txt') diff --git a/tests/cfgs/tls_heuristics_enabled/config.txt b/tests/cfgs/tls_heuristics_enabled/config.txt new file mode 100644 index 000000000..0fece59c0 --- /dev/null +++ b/tests/cfgs/tls_heuristics_enabled/config.txt @@ -0,0 +1 @@ +--cfg=tls,dpi.heuristics,0x07 --cfg=tls,dpi.heuristics.max_packets_extra_dissection,25 -- cgit v1.2.3
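Review bot: the single added line hard-codes the bitmask `0x07` for `tls,dpi.heuristics` without saying what the bits mean; since the commit message only says "some heuristics" are added and all are disabled by default, the commit message (or a comment in the config, if the `--cfg` test file format accepts one) should spell out which heuristic each set bit enables, and why `max_packets_extra_dissection` is set to 25 for this test rather than left at its default. Without that, a reader cannot tell whether `0x07` means "every heuristic" or a deliberate subset, which matters because these options change how many packets per flow are kept in extra dissection. This view is limited to `config.txt`, so the fixture traffic and expected output that would exercise both options are not visible here; confirm they are part of the same change so the test directory does not ship as config only.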