From 4c00ff89dfa64f1026c2f1d267dc081a86b45243 Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Tue, 2 Mar 2021 21:15:40 +0100
Subject: DTLS: improve support (#1146)

* DTLS: add some pcap tests
* DTLS: fix parsing of Client/Server Helllo message
* DTLS: add parsing of server certificates
---
 tests/pcap/dtls2.pcap | Bin 0 -> 5495 bytes
 tests/pcap/dtls_certificate_fragments.pcap | Bin 0 -> 6322 bytes
 tests/pcap/dtls_session_id_and_coockie_both.pcap | Bin 0 -> 692 bytes
 tests/result/dtls2.pcap.out | 8 ++++++++
 tests/result/dtls_certificate_fragments.pcap.out | 8 ++++++++
 tests/result/dtls_session_id_and_coockie_both.pcap.out | 8 ++++++++
 6 files changed, 24 insertions(+)
 create mode 100644 tests/pcap/dtls2.pcap
 create mode 100644 tests/pcap/dtls_certificate_fragments.pcap
 create mode 100644 tests/pcap/dtls_session_id_and_coockie_both.pcap
 create mode 100644 tests/result/dtls2.pcap.out
 create mode 100644 tests/result/dtls_certificate_fragments.pcap.out
 create mode 100644 tests/result/dtls_session_id_and_coockie_both.pcap.out

(limited to 'tests')

diff --git a/tests/pcap/dtls2.pcap b/tests/pcap/dtls2.pcap
new file mode 100644
index 000000000..68be6c38d
Binary files /dev/null and b/tests/pcap/dtls2.pcap differ
diff --git a/tests/pcap/dtls_certificate_fragments.pcap b/tests/pcap/dtls_certificate_fragments.pcap
new file mode 100644
index 000000000..5551b5cab
Binary files /dev/null and b/tests/pcap/dtls_certificate_fragments.pcap differ
diff --git a/tests/pcap/dtls_session_id_and_coockie_both.pcap b/tests/pcap/dtls_session_id_and_coockie_both.pcap
new file mode 100644
index 000000000..932f96e44
Binary files /dev/null and b/tests/pcap/dtls_session_id_and_coockie_both.pcap differ
diff --git a/tests/result/dtls2.pcap.out b/tests/result/dtls2.pcap.out
new file mode 100644
index 000000000..cf26153f5
--- /dev/null
+++ b/tests/result/dtls2.pcap.out
@@ -0,0 +1,8 @@
+DTLS 30 4991 1
+
+JA3 Host Stats:
+ IP Address # JA3C
+ 1 61.68.110.153 1
+
+
+ 1 UDP 61.68.110.153:53045 <-> 212.32.214.39:61457 [proto: 30/DTLS][cat: Web/5][14 pkts/2246 bytes <-> 16 pkts/2745 bytes][Goodput ratio: 74/75][382.15 sec][bytes ratio: -0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/241 27857/28359 60550/60551 26256/25033][Pkt Len c2s/s2c min/avg/max/stddev: 123/102 160/172 325/867 46/180][Risk: ** Weak TLS cipher **** TLS (probably) not carrying HTTPS **** SNI TLS extension was missing **][DTLSv1.0][JA3C: 1b45c913a0c0fde5f263502e65999485][JA3S: 749bd1edea60396ffaa65213b7971718 (WEAK)][Issuer: C=US][Subject: C=US, CN=*.relay.ros.rockstargames.com][Validity: 2014-09-12 21:31:19 - 2037-02-15 21:31:19][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][PLAIN TEXT (140912213119Z)][Plen Bins: 0,3,43,46,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/dtls_certificate_fragments.pcap.out b/tests/result/dtls_certificate_fragments.pcap.out
new file mode 100644
index 000000000..e9461e6c9
--- /dev/null
+++ b/tests/result/dtls_certificate_fragments.pcap.out
@@ -0,0 +1,8 @@
+DTLS 20 5978 1
+
+JA3 Host Stats:
+ IP Address # JA3C
+ 1 10.186.198.149 1
+
+
+ 1 UDP 10.186.198.149:39347 <-> 35.210.59.134:44443 [proto: 30/DTLS][cat: Web/5][11 pkts/2624 bytes <-> 9 pkts/3354 bytes][Goodput ratio: 82/89][2.92 sec][bytes ratio: -0.122 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 324/76 2179/186 659/75][Pkt Len c2s/s2c min/avg/max/stddev: 167/90 239/373 416/1454 97/388][Risk: ** Weak TLS cipher **** TLS (probably) not carrying HTTPS **** SNI TLS extension was missing **][DTLSv1.0][JA3C: 3c3d129780d0066cd8936a6291a8d44f][JA3S: d45798bc098cd930de7eb2f5f866e994 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][PLAIN TEXT (Opera Software ASA1)][Plen Bins: 0,5,0,35,5,10,10,0,10,10,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0]
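Review bot: The expected output for dtls_certificate_fragments.pcap records no `[Issuer: ...][Subject: ...][Validity: ...]` fields, even though the commit message says it adds parsing of server certificates and the capture name suggests a Certificate message split across DTLS fragments; only `[PLAIN TEXT (Opera Software ASA1)]` is reported for that flow, while the dtls2 flow in the previous hunk does get `[Issuer: C=US][Subject: C=US, CN=*.relay.ros.rockstargames.com]`. If reassembly of fragmented Certificate messages is not handled yet, this baseline silently pins that gap, and a later fix will look like a regression until the fixture is regenerated. A line in the commit message, or a short comment in the PR, stating that the certificate fields are intentionally absent for the fragmented case (or that they should appear and this is the bug) would make the intent of the fixture clear. The dissector change itself is outside this patch (limited to 'tests'), so I cannot tell which from here.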
diff --git a/tests/result/dtls_session_id_and_coockie_both.pcap.out b/tests/result/dtls_session_id_and_coockie_both.pcap.out
new file mode 100644
index 000000000..d729967ea
--- /dev/null
+++ b/tests/result/dtls_session_id_and_coockie_both.pcap.out
@@ -0,0 +1,8 @@
+DTLS 4 604 1
+
+JA3 Host Stats:
+ IP Address # JA3C
+ 1 185.196.113.239 1
+
+
+ 1 UDP 185.196.113.239:50257 <-> 223.116.105.247:44443 [proto: 30/DTLS][cat: Web/5][2 pkts/302 bytes <-> 2 pkts/302 bytes][Goodput ratio: 72/72][0.06 sec][Risk: ** TLS (probably) not carrying HTTPS **** SNI TLS extension was missing **][DTLSv1.2][JA3C: e15c510766789ed8f49de0e37951c1da][JA3S: a1d48eca741e476d8ee735578a26bdbd][Cipher: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,25,0,50,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-- 
cgit v1.2.3