From 35fdbc81480cdeaafc593fe952b2b28ebccbb0c2 Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Tue, 18 Oct 2022 16:40:15 +0200
Subject: [PATCH] TLS: explicit ignore client certificate (#1776)

TLS classification usually stops after processing *server* certificates (if any). That means, that *client* certificate, if present, is usually ignored. However in some corner cases (i.e. unidirectional traffic) we might end up processing client certificate and exposing its metadata: the issue is that the application will think that this metadata are about the server and not about the client. So, for the time being, always ignore client certificate processing. As a future work, we might find an efficient way to process and export both certificates.
---
 src/include/ndpi_typedefs.h | 2 +-
 src/lib/protocols/tls.c | 14 ++++++--
 ...certificate_with_missing_server_one.pcapng | Bin 0 -> 6328 bytes
 tests/pcap/tls_unidirectional.pcap | Bin 0 -> 15217 bytes
 ...ificate_with_missing_server_one.pcapng.out | 31 ++++++++++++++++++
 tests/result/tls_unidirectional.pcap.out | 31 ++++++++++++++++++
 6 files changed, 74 insertions(+), 4 deletions(-)
 create mode 100644 tests/pcap/tls_client_certificate_with_missing_server_one.pcapng
 create mode 100644 tests/pcap/tls_unidirectional.pcap
 create mode 100644 tests/result/tls_client_certificate_with_missing_server_one.pcapng.out
 create mode 100644 tests/result/tls_unidirectional.pcap.out
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index f39b2b6bd..c83280e0a 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1405,7 +1405,7 @@ struct ndpi_flow_struct {
 char ja3_client[33], ja3_server[33];
 u_int16_t server_cipher;
 u_int8_t sha1_certificate_fingerprint[20];
- u_int8_t hello_processed:1, subprotocol_detected:1, fingerprint_set:1, _pad:5;
+ u_int8_t hello_processed:1, ch_direction:1, subprotocol_detected:1, fingerprint_set:1, _pad:4;
 #ifdef TLS_HANDLE_SIGNATURE_ALGORITMS /* Under #ifdef to save memory for those who do not need them */
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 55eed7ca9..a602fbeeb 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -861,6 +861,7 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
 case 0x02: /* Server Hello */
 processClientServerHello(ndpi_struct, flow, 0);
 flow->protos.tls_quic.hello_processed = 1;
+ flow->protos.tls_quic.ch_direction = (packet->payload[0] == 0x01 ? packet->packet_direction : !packet->packet_direction);
 ndpi_int_tls_add_connection(ndpi_struct, flow);
 #ifdef DEBUG_TLS
@@ -882,10 +883,17 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
 /* Important: populate the tls union fields only after
 * ndpi_int_tls_add_connection has been called */
 if(flow->protos.tls_quic.hello_processed) {
- ret = processCertificate(ndpi_struct, flow);
- if(ret != 1) {
+ /* Only certificates from the server */
+ if(flow->protos.tls_quic.ch_direction != packet->packet_direction) {
+ ret = processCertificate(ndpi_struct, flow);
+ if(ret != 1) {
 #ifdef DEBUG_TLS
- printf("[TLS] Error processing certificate: %d\n", ret);
+ printf("[TLS] Error processing certificate: %d\n", ret);
+#endif
+ }
+ } else {
+#ifdef DEBUG_TLS
+ printf("[TLS] Certificate from client. Ignoring it\n");
 #endif
 }
 flow->tls_quic.certificate_processed = 1;
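Review bot: The new `ch_direction` bit in the `ndpi_flow_struct` bitfield carries no comment, and its name alone does not say what it stores; the tls.c hunks of this commit set it to the packet_direction of the ClientHello (or the opposite of a ServerHello's direction) and compare it against a Certificate message's direction. Since this header is the only place a reader of the flow struct will look, suggest annotating it in place: `ch_direction:1, /* packet_direction of the ClientHello; a Certificate from the other direction is the server's */`. The total width stays 8 bits (`_pad` 5 to 4), so the layout is unaffected. The enclosing struct starts and ends outside the hunk.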
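Review bot: The ternary on the added line re-tests `packet->payload[0] == 0x01` to decide whether this Hello came from the client, which duplicates the `case 0x01` / `case 0x02` labels the switch already dispatched on and is easy to misread as a version check; a one-line comment would make the intent explicit: `/* ClientHello: record this packet's direction; ServerHello: the client is on the other side */`. The assignment also runs on every Hello the flow sees, so a later Hello (e.g. on renegotiation) re-derives the bit rather than keeping the first value — consistent, but worth stating in that comment so nobody later "fixes" it into a one-shot. processTLSBlock starts before and continues after this hunk.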
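Review bot: `flow->tls_quic.certificate_processed = 1` at the end of the hunk is now reached on the ignore path too, so a client Certificate marks the flow as done even though nothing was processed; that is only correct if the flag merely stops further certificate lookups and a server Certificate can never follow the client's (true for an in-order TLS 1.2 handshake, but the hunk does not show how the flag is consumed elsewhere). If that is intended, say so on the else branch, e.g. `/* Client certificate: skipped, but still counts as seen since the server's cannot follow it */`; otherwise move the assignment into the server branch. Separately, with DEBUG_TLS undefined the `else { }` block compiles to an empty statement, which is harmless but reads as a leftover. processTLSBlock starts before and continues after this hunk.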
diff --git a/tests/pcap/tls_client_certificate_with_missing_server_one.pcapng b/tests/pcap/tls_client_certificate_with_missing_server_one.pcapng new file mode 100644 index 0000000000000000000000000000000000000000..40cb1eb30f71441759b0909ca1b22b817ccc2e2d GIT binary patch literal 6328 zcmeI0c{r3^|G>{Z_sm!_NVbqB#A6#Xc3G003`NM&GBL7m*^MPzsUD<7Po-3{L=n>a zl$VhfT9l%Nq^6>@Fo{Qq_uM>fdfw;y{qg>;>-W2^_gvSx?)%(l?)!7j_xnBHW%x-X z{=)zOx{<0B0rmAU;xR3>XtbSZk|U#$Hj$fDg{{!8w7s>(ti$x=uJf z^F9$?gRlW?^H`!1;UY=|J9v+Eqq2{si{BRQKAWm-zzZzl0{~2cE>W1$eC|vYyA(-5 zF4m_{Ypi5S<4Vd3MW(h(Uj+b%C)DC`y!?l6n(*t7F1&)ED9b2P>eG>n7zgrvQ-qOGYf&f#gcoDn$5^x9#u(|CaA3n2 zcCoqyZ#c&KTn6G2T8c6D1^p#M5*ZcA{K|NMF~m^>kwE|=iK0*1lJ2=JzcbC=%*rDQ zla|^$b1WLdqNuf^I_>YA8HNC)u&Hb{_AhJ&wkVq)oCGJpF>n+Ff&kzT{D1+_2YNu4 zt;wdaRoIGbAvOUN0ArxT)?ll$mDuv^1#CW01dfA3a0G0If?p0yfELgMG(ct3*y?O$ z_ENSW8xPIF2xzcH*t|d-EC9lQ#3r#(zz?S3mP5fjfJXs>gJT&W1r1^$yh;N}crOkF z0SV3vKx5$t@=#zTKnAizgoq=e1cZPipm+q2!=osI;!qTa;BYt;2tlDkh&T{kzzB)+ zVQvZ3(4}Zns2V}oiI|c7Ts^Mi4axt5qs$qvo2DPL(^>2;{*3Cr$T9YFcZ zKwUrhre^^R1RJL3;5C870RjM6pUWUT=2~Hlh1UO$!P@ziA&W7@Q53l00B}Z8Z*pUl z?ZOYyJRXh<0MR-s%fVU~OJEQk&_`2un zs0VX&@U`t*@<`QMC84nc8s)=|2PcOHH)JLYd>(9I?BCSybBxaK$IMr@yxUiv9d*TN zvZ8U0Y|vCFQQzH~HkZuNjO>kNzq(Z!o78D?q!L9_pA`sBScvmDUlWKPm2!$x_w5kV zkGMY`k-aEU!%JwMh-*f%kx94vX*0{}t)|N!T3DkFL6wKPqz+o=SsW@%Dv6 z?H&cz2usO1#c_S#k$@nDsgf5dtn9T_9U}B0)k7Dal*%bjPZp{6b!6O2xV<>!qVPU1 zfo4Sm=a#oDZBA@kw>_yZjFn$G_UstLgK{b@T*9KTVA6j6WUbeDbW`}k6AHP8j%Bym zLW{&Bs^1cBm4)8uGT)-jiuc-2y4Lup0m(hD?^&Of!RhW#UgNZ*p{Fd?rLD)LdXLjf zA${?-i#l!3j=CS~JwlSv4qd}%%E!6Rq>Gx_8=olO`eB&fbnx@t+|Gwp>qYq0nq4nH z={C=6I?a7HIng}0-6Nc+;C0@b5&GhSO?>Q5`G0N*nIF7v!n^hCTCsg66z|&CmAo)8 z>VNKDr@DcX9ri9(ZQ7;n@}#d{$ubMK54PtFE?VN%6z{PTAA9t++2-CBU1Z*CU76!D z!m>pRP9Sm>J5KKggw51cf;T)#D+_1b6d%|&K@vEBcIT__&4utEKT6tEZ5oZLsimi* zgB>L}q{5RmGyD%8+Ekp}_uD`S09w5epr+#ZahUnnimf1ZN!{}xPkribG3b{!KpEcD~mKNZ}q*ih`hN4GRvHtcc5R#{Guc$)S(v9OUHw+h~` zOJRA$9_J}K(>HdXHtv;h@u|m~)f)MYqZ3+6xit@8JiX;-7_cpepRs4e&0E1E$$J)cp&eH6J^V;#uZD#^_@=zEwT;GLOP 
z5tbgMq^@I}kWkuIZ4<|Z%+%F$?^hBdyyOxIill7Sg5*dkz_6SUbuoy5m-n3c;eT_GBV?NLhEt|nn#vIvi@#g#7rL^yF8K-6#JAY=lSV6{1!|{K|D8& z{9OTkKOEBKS@227CMexWb^CB%anV%g)&ui+291{Wdv)otlCBEgF+I8Ol+C_@96es; zE#~5FhFi~jDqp!RxAA7{SpofMd}iK$aFiPv>5yLfM{@mbiA%g^{VNLk*hO+5xNqg0 zCRV+)l3I_nU-el@sX8v<`pNF(0h06@M#J3$vQ5SUE=v|W@6bE{Du#Z zyuGBQJB+Um(s3xv66Poa#RTK}X&0$&Mf37`-upie??1Xb=cv53O`YH&+i<@)7-9|F;0EIjr(gII=GT0awac2RpHtA@rhT$Zq<|7 zR%epl^j0JN70H};o*&KjoV>;|wNPu$3ri(SOWx7HE?eVqOVH}`$Uo+LuGnjlc53`k z!+_4^YUwbu4(Z4ta_y{Ny1`JgU=?JxYm110>u|4(2HA{mdfpl88Rw< zqn^V1eWWWc6MNjQXS~6+cZxSrH07~$%t{y*3M=pqio={Fo>~!|?gRk=_uVcDg6K}) z1@n*px@3h;@{(|tl#AEMr^wAUkFK4qcg%6GDmpAquljANcSoW0Uix^09{d!-3v*aJ z5z5ubC^hG1O5lTckp}*Il!T0px%6UQ%W4Z55a%m$Y3V?3{wIww*9#}Q54y{*Sf+6@ zIN^2oUPrq!p>0RBBQF@M9cq**uA{_Vx;9+x{$WJIeBZ$lDYnnNv>p2QCRM+ z!#(~=F^NX0pVxbq2JNhQ;jz{t%ef@#_mIB#M`^U7$~ZUt}Amm82F;XQAxkY z%%JOJ?ri}^`&6>|u+ZX*mNMH!j?Pc1tiM}NNPg+udp+#B>;0`e6!D*%M%L|_&M$Ex zJSey#aZ41+6+tlR{*ompXjd!qi2qz*@17%TTpRDysKiSE$>jG2MS^eEJk=b{-HysX zR;L$!4t=XjTcraQ zVb6c8OTTB~@>ffJVa-xziQj5qQ(~Pi#=&^fM_vcqj7M4^k5(u$J>6{lja6{ad_Bg4 zELf0ZjJdLF8+VfWBDnkl?KBAVUFTeJ49uZeR_ojoO)B zQnql6^|=hhkQ;#Q1J=OO+rBcEVhpSXhFJ%gLeW8e{izW}O6HAqHkX*pPJX%^ z!>6Lrx778Gt)Zv)vY7uHHL%P7P7Mt838gSspF6UvzUuQQ+tKb4!esrJGRJmW4<#h& zrwD_JA=_D5Lpd{{PM3bur_Zc9XY{#5`0%2?v6?`HjTcuZ#d}AOFp7{+r+Y|IKd@qA>iI4gtw7>&@@g%X564G<0I(7UW1+3I)gA zc#ZNsNn-BK3v2l7XJ8jSMmU2~8{*Gk)B=5s!v!JEV2i|u* zaF{+Yw%Si6=bhB5iq7()#JI+)(C8Yi`-9$1Dr;I(>Xsa65FVuuhx)70>Ek)8RF)rC zw@>P13C8!I*E}tvdA$9@Xy-7Cl77lcqRN;nJ=QeTbaj(Ul0}H$;PMr$`bya$`lM>* zfbc|A*6tp1rmK6fRl|mXI6eN_{1(2>p^qHpN6Rg%?y9ro%W8s2<~QHe4D7p^mJZe( zS;H5e)S-a$9JoWcM{TU!Csd-!;#WAi@GL{vjq^i(_Ro>WV~yo49dfPj?_Xjt2;pvF zoA}ageOdt!i zVjmDqO@7SlKQ@uwsMI-rzrrC<>rw8N#+RmcF9JIc`%YZ4u?XAf7TA7wm7kCCMz3w} zZ69wu+kUgo$>cCcQ1(r57a={%ikq-n`L}nR>cRRZ_e-`Jdz-UjJ9>^tc+kUst@c(ld2@LZjn zQK*T#xtepDDsGXGh@D90E{QX5J1q@ulb=xJxtX2xH#@(}&r%I5)-9)`ApQ5?mvcI$R9sho7`_3k(9^$>%RcH9Q*|U literal 0 HcmV?d00001 
diff --git a/tests/pcap/tls_unidirectional.pcap b/tests/pcap/tls_unidirectional.pcap new file mode 100644 index 0000000000000000000000000000000000000000..c4667408647fe8b11eef1f06cd8cca2c5d79c1b6 GIT binary patch literal 15217 zcmb`u2Rzl^A3y%S!`^#`%E-KAmYtc%$lh^nuDFN@S6Nxvql^$DWmU?!X^^7GNCSzI zy^F~2eXsFBef$6ZkH^pB@y`2o&g=a=uk$+RJYVN^j=G;z`7J;FtL}17>^I%X26iNd$ zCIzLZ-}L`Y3R(91X4N{ z4HU}B9m#dZ+t&xpWr+0lbFoMIaGg4JLW~YUgVTZ0k!qYVwjJC}xge5@SHn;XflM7Z7p6gNxXsJP>AJF%f7{hddNQNQ{4h zL5N@~09@OhDg8~Ybdg%*ukMzdKsuG=p|oZ4yAm{+Q&;Be!kKE|95l)@11w|T&zCnW z*413L9Y|j&jzODBNn=PWDHsYcWJw4NSv-OgY?p%y0@;AWVNjw_yd4}oaB>7GA+aDK zgn)nu20@VHl<06uPy~SBz)6&FMmRmE@7x!UN@^}8@a_4gUbZWc&wKv1+^b6-CIrtE++sF_I+!|qt;MoKg%Y(#dZT@|)I}VS-Utkd3eFrFIEF+P6eKZw z9E@QU5V7;}LV7y6cp`T>9z!A^a@N5UMDWAV3W(UdqkJ89S2KfU-Y9F+w9KCl5&c3?@7xXT{(|woVwMRhX9KN{(>>TX8 zTzqf~;Xms(OFS_&+e&^e4oDPU2RE`lXgjovy@x}L(<8!mo_6j5;0WzFl4aX1e^zaM1Nv`^ zV7HyW^Ua@CG@I@Cfi>IOJL9*za7zz2oBq(-UC6MBhw?(Zc(?>2w{@Aet=?Zj>wxk- z>yET{cd>WFDTCd|fFu8xQjjPd-F^O619Fnn-^wX>q2PuYoZ z9o=1=oYDAci&MhQ7W{@`Upcv*g9qyDb~7MD?U8XNZF40^ui(V-K%%`t=G^vR3Q7#U60kmjEx z&O8}0@A^EbJ1-3B zU{pi8qr8ybJA=CIaZe2UPNmOZYMHmTUfbw9-yyhh`#ml=D}ot8Oi1VyMh=1EHn61N zW)=?V4S*8B5OO#bPPilj+*0O=<_Sj#Zfz#*y+KOe*->upIz=6gPo6((EUb<8a07RJ z?g$J7{vR3~3J+U?hs^`CfG?n5aCd1P5^&Af~s|)i7pj=)8 zw{^Q6EY)tqYfkwYG`I4S_c{?p>G<|>OCMKkcL)Xi0reuI3E$PLT!`8m(JqS%!8Ah3 z=*D%e2bas{*SvmvXlylm2j8qFLLJHtT&HntGVvf;F5{;fF;1ciI{W-0^FZqpotQ?i zqs!5X1fa_0BhSKPxDxeTGrtYSi9P?c5!s}boq5J5QM0!rK@kJ&OO{|52$*}75<(Sa z5>IjJ_cQa2QZX*OU4GDdWvE;;lbEsfv1U8Jk$8vj!59eW0mt*mZc)G@Si*I*CsW1NHrYbnBbkN%;?`;sQ)RnmkHq zxp!u!-Ge(rk_5qB0g0bFr2VPBNub* z%xW*fb?Et*2sfwBM}q3h(ZMzbGSpc=12pcBZOF7mse6z}n%>HKADZhQNh3cJm@JoY z_SMHH?&Hs z2+|N3*u~8plL88>H#BpTXklK0=sE6l8A9X#e||}ipamx{m|v3N@=F603e9C8hEFgN z2pO@X2=GS&pI}NOWbqPC{C}3nVju^1_W?oxfWuA&fJ=fDiW~o>sKIY%V-HCGlvYU$ zagTiS3yI-bAA9LmxZ&~L{LpabGW+)=SSDQ%32Dr#O0Tu?;ah=6FL8E$cX?EYo-{e- z=$z~?ZDjacmRjeLIXf9c~)DdTdZ*L&)p)SQ?QDb|>|t4d@4u15LtCuM|YGF#LA 
zR{p7zUmdY^Cl{{B+q&-H8!|U}voxgjF;nR1CO{Nw`2qKQ;@#XPE9Qu!`_Yk$W7%uAvzrr!J$z}-9L+B!8 z{-bJ;_yrLB+a^FEjO;ipAMmhYhw*V|2tF=oly`vWuHdm9MxeXrK6pL^!+_3=4ld`i zB$sQ9BbB;7s6+!h)vQkci2iWdtlqhUA8tSO40%20ifRpKd)Es2L;j?rI_g#NiqiHFH?R<-)3 zKdO?)Aj@Wr=d#yz_&Z*Ev@m}B(b=n>UEJpO-Jfbb?;hKsa1LtLeiGo)km}nTzK5zM zB9^)C7Fttt3>l~c*DI+wxxMt4vOW>687&G@9`%2st0yDzs>QCWnWF={XhUpsuPHS{Jg{pIXs>FjdU%Cjeg`U}G$&nl@O>Mwo*2pmDm zKa0S?Pi|5^wSNPJ`v<8N)^TpCr?aMSDfZ18gvl<}S5XsVK``MMos^DR!yR?j&fU<( z$&<^|PuRy!j2ge#;be3~c%na{EXIal*`$BkUCLXPTTwttO!mJhAOjvV%4~`M@4^iR z`ezt`;=%wF3w>}t1{nNz>wnVA_v;4`_GnHQg%Yf$J=AN`_RNmtOy z?5;hzMv^#q-Qft&A)@@6E_o5#q1Rm`k&oInXLXvJ1EXRdJ$!A((t9W2F45f_u{q3R z?4Za^4|f*I+IJUuS=C_jcLNGj_-|8%@Q#)c|4ti|b51dw4nGzp$dE=-H53>t;@f*| zqS)9WA?>ttg?xJRr37rf5|+%eVL7r|(!HEnFXYnDsrIC|T;Gq@8)V)QuRT)DBT%Ec z;{CbJ;m21Db==tX=9s8e8ONA4`xVH_`SlBy{;PhGtCNG3lmV$GH4VHoy^zicM$$*| zWVO$p#Tb>nEg!$CedHBOp*WAOz#LNb4YcD{hgQvaZczALr3>Fqloh)dBm_r?t)42{ z=!t*Qp*>Xlt~y@rwI6m$NpRhe>TYq*af-^A8?XVf+pqk`Q5O_?2d^Ha{o1(tPJE5p zo?hR3z^a!qx#5WO(V1h8lSDDRgLHi+$n$&y)>`zy4Im_|g!^7;W$N9cItoUb_bu+4 za!NxNDa_lARxJ3$!cGFs@P>j=Xv;U@43~*#}8jku`T@$Q+@|z$RBI12+WXX zCP>{5gEC+kl=veIQsFose?(1yfPrytSCIQ_4BH*#Y%e&ns!^o3MeB(M!`mfFHrCd) z5w_cr0t|9z5C#aIZ5a%5EPoGjVEjQG*-?W=aO{t9PN0S;?jJBrp%LOZlR4pFXhVRZ zE$>hS_g{nCu5a8C$8q0q!NIG8{}G_b{>yW4@oJX{+ebwB9lJ!~flB^@H#L4tH^l;Dm)A|6Z<;- z4)(IZ?2@hv$yMRc&JP|7`h4&1Upt7E<|K3E(3*l8B{+Q+?|aMJC!s5<;mXx%M(wfVrPb2ko~RaHeCOWRqP~=r{jG<)(J_f7#mK$;NEO9nM~h*9 zElvKZ>wT<8y$!1|lCRHRd2#qk(S2F+M;8T@n+#sB-AKFFj8VkhGNH)C-D?i;_T#!|c3u$hhZgZay}?bKaf~#j9>JMFlL@{I78h z!zn=u^KIg?pYVqQC&72zQ+Tx!BOxnSx>&+Fxp^;#x~T*x5vE0AOCX_7YAf#6UxGYh zgBF+I_%9E-I;;8te=k>qyO)z$W_gAy2k+&GaLAYjD4+t$xaSXK2~;s2Ies5<>4vDb zBX}pbtU&sRNr57u0LTY&0XM)EZ~>eFSwIGm2Bfg!SP`rMmKRHfB>=7i@_-~(6f213!ydxY zVM%~OkdX3#9KZ=s0u%uS;3yythye(!7*-g21j~b^#KM7VfE*x-rNt5hjNr8*H9&!- zz`_7h-0dQO0&f?=c>sZeGCRNuUOKXXzu5q0@SPE$1Sr6Ia)1P^1@9k0i3>PD2qA7JAz&kn06m?ZXMh9J$4yj9L|gh9v{dmiU< z8*13U2C)=Bh_QQJUedN9s!s_H;*^rWj>{)Ommk0(M*SP{79R1+pNK~4AmZrp)jttc 
zIblE)7?g3({%HXZM3vzXlT`nT$P8H;1#hLdro{}-MsRgN?}692RRHu304)c179}9- zCqf~ReI$lp5o1Cy;P*u2l**m~s-XM0PT-H45M20sR#~y5V$$GUtC%@6l{i9L93gX5 zY^&g3AOC-)x~+18#>Z8 zbMXssf6c-K@eCK~py4C}mmj72%PObi4JX@y;y?n~)!@V5wdkSmEi8G>F*m=Qk_sj& zqo1ie44Yo?d~b1mg-X-?l7V2%ER4e5ODpe=Iu29xp1$)XGjwlj8(T^R=+%aa>%a~j4--yieW$#JB)`)=@j zL{m}<1y79p^BEm{G~PED_=sY>5=+sc{6vw=K5cO!E%$0d?ja4e8`izF6i>`vcfA>M zWw=z4@8Fk;{O}(0t4W5aZrE-p@%3i7QyWO&MAQ6;&kB}hqC=t+_nhKr5)jZE8tYV&qV_4TC(G#1J!s^Pa*vm3`H zpN0&s9^qVxL&P+SM%#u*1n3ygR}1}C{TU_{+ZJtg)kb!Jftz90wNM7)`qBeq>|9p% z$wZgvcg5USv2Kpfk~PvPmBM!%DVS7~8y(KF2fTR8?Z(J)LFeWRq}q{A-plL)&dV0m zX%1}VPYFMnv|XNncJ?qn77;&$BX)Iaka3may1Wa+7l~?UB|lssCpWulbb%6f#gUHY zMjW@YWC-`UAXX#Gr4_VOb$?4`{pkd=yM@;nb?#>J*mvi#rRc0SN`p`kVvru-VB!wQ z$zc*+g}U`kp=Di?`KaXO=X7oot5vD80|Ab-%{=3S=_{f?jUN_#$TB;md`z^+o%C2bH=#oO|?KE6TloYEn7%Aab`$-IWY=$=p%1Ej_EiY z|H+-@c&3Zq%S*SZH$;sBK&D%gR^8?$Rw&3zk~l=Ie>$E$HZp-Oir;b(StE&jG3Kqnw<`5FHa+o!$0a-E zk1`sVn0j2|m2t@u*G(9HKP@#Q$lT#XQM6o2&-h`UU?%8#Za)25Rk``Z^AytuDYFI# zT|ajYrri6v)T&I~8u|ODL)PQ383RT&9S>%NOszl93Y67;8csYAFEObgcml@#wc!zR ztcbGt*s6+q=bf}@uj4qkRj0!L6~yk~-4?O0lLZ^1#z#T7ElOJLbn-OV$#5Lvt!y}u z4!R8Y{Nc7})LlFx;;)FH+s^I;F;;yXBF=4kTW%x&%&*Jmnk4%!#{L({&@Yh>X;#in z$4=iKp)?;c8Hu6@Dzm*sKWoKn;{hLZTAdANm-^~8Ofa-WkMew=al@=Mqw$;DiuvcR zC7hX95@KMS0Kh-{%_R7Us>GR@_;H_^Kf#VC;^xZ$>2}B2#IL!X)T7 z6^Gr;yyfq~iuZEVo($*KvE{{RH=g@Vn>z6J07DTbZBZxPZRCs9mt!=~bxpq9${Vxj zAf<$CJfI8-Y^uyBZU1#9gVApNW9nI9Qx*4~(a za*+p~M(!F%Xr5~BQbv4n-i;y*LqY#tBIw=Y(?Wb?rdB2=Z87W4b>fbt)~n9Uw@&l2 z*2i-9EdCw}F~0ZdLonG;Mc-%_&7?hnK?^8BSlfG9&PgF@z>U8M3P?) 
zg%XZw%%}4U3qlNk6q2|4mpxRg7w+qsY=jLfaV`nlj56JZ*PU*7_HN14yOukFabEqp zdYxJgw)TR zm;6AuzkqBiq}yMMTH*7>TnjsqL)}mZ>6nxJfaMYSkFCK(;nfVywt1}-vN~pTvbXzr z%{(90sNPSM)bS_m=9`){pWX?h zh2kjk+AbcN#%hRSqI zOFKZIj^|sp_Yko3qM6%VS;&cEq`NCru<};I!8*OjIr*7~GWV^n@rlJPGraQixEy&U z#iokkt6}2HUjp^g^t>GWM_Zt3ok>S*FT7IDcz;%QAV0*?;)o%!ENR!XS&1j;4Z_9= z+WfU=o;|k`CKm|VmK2Ppms1&oEi^M}ovDP1m@!@t(jiLq8gXwqY97Aj|Ea^uI;tC# z@r=|-GS?x8fL5NQFvsa(M>FY=(o>;Rh^7tMvYu}-N;%5P?Q z^0jH>DZ+K}aFYW6w21fMJQW%2XK;*rzUMI(5%u~9SLfaosXm%eRmN7`o9H@s&%D6j zosL_mF-H%Ewv*J50TvlPMKP!kJC-tjZ@*=F>apdRw#w-_%BjXaV|lC;%eb{LI}2jb zaA^8W$7hXMsY8YV36&ZFjH4>V4xjI~L^-X~39tE(<~Utkn|h0(JNXhDc-;F)S6RjV z3dZU%YyAcd;*Gl+rYN#HEUFi)q$KuXi@lf28{ET%z!u+=c(TBsTAtP3!1# z-^vM^=go?|ndK4b@vr?CR&CRpxY~<<>G~22Q4#nyQoqSC5LHiF?1fYaIV10BsJ(=| z6<)F}Y)(B!s?qtj8 zMaZyiRCrszEHEgp?znT{Q3$ozy>uq`nvF5w73}@ZS2gc2bE(Qb_MJYAL78Ot59*!7 zG5?!?Gk+DH`9JJs{_4DK=6{9V%lr!d=YRaR4LGS5B^&WJN$S17cnRX-g5heS%fpvd zRDA4?rw+=CsXM%0U`kMcFxVBVM!)?4vXz5V)hj&UQ?VZ&7ElTXX|jYR?Ni}a_7f;}mh zliIMpZ{Nk!6q^NU4I+%=^SiB)UN+tKztTca8%+1e7}~r{<-;Q9p>kio8w}KToqy?W zeuixMTIrRUHWpf>Si->30chOGK*x6{s;2{#s2*yTbX^S@`Ed8fYPy|4?7JET=Y}-8 zqi+<<;%j6cXQXLqge=9UQSq*fcSkat|9+QfZnL~JF&=N-Q5irrsPtI(m(hzhx{AuA zJM)M$225D%VV=ZnWA=$$X-kFv1Fr+wPxWxM6+avv@gP8YGT5G84>u07J~=)d{G3M0 z%KpMvdhK>5xhIyihWyrQ-r3&qZ6a?Dk>O5_IMa1-YfeA;iw}Nz2qTc-%+#d|D zjBwjN%B>qvx^4PQx~f`j+VfeZh0jPw&h2qneC@yo(hoOCm7AmGI9S8$i?3Le@f>G2 z=^HY$Q|n;0BKam^{33>Qs<*&RzkryoNc-OJ8RC0!vNQuW>L&V;p>GQ?4sq_b?WJrV zxYWMiS?FR|xk%IdS>QXpGK0B5)|EW#p zYqeb9*yyb_hnmZd^rfUf8aWSy*+qsKRw;5Ys^kbAa*Rgy`>&TfM^$tmRv!}O&YX@L zxhw2zx?ZP{BBeY7)8b&4J+d&V6?D)6p!dI4Z;%tTv2DyD+7a?-~ZrxEhk%=CIrthcx7wjkLs zv=wVA$qu|$bRiiPHs|w!R$H-aOIX!Q0h(FRX}=)8t1t~eqvMuFZ+iiK#gD00;`)8J zOXh~W9<4LiUVHcM1v&7Id8DTNflrtInHOJZJ6CRD%^5iTg?w)+Mq7FsMUcjR|7lD8 z=xM9nE9EZ?J=IT--AdCG;jSRFyZnCo*8#I=n_$nAUbNyX)baWa59gC?9|p7e30Xqq z`uI%ro941i$ye3v(0qi|?CNSqA6L9|ViaGGy7uIH{e-@1!XXRqQMOuA6E)M5UGIXW zeF}NsOuuwjZ#a0%*>T8T>A|Th9uFyWTeSp8Ba-1?a)W2hMoD6%xyI+|#Nf0kpFaU9 
z3FiI_I=`!KTeOblS*B{e>N=S1mH+9`$OngTpYJQ01>m2Q8CHmO+;oB%K_tCRD4ik~ zY|^aKn3VMT-YdOfn|QJ;7A4W0G{KGe#bm}MAuasz#jNU%mdwomv6a}Qm*Ot|O@!z=^ zrWQ)YIz44E-zrhIr1?Z* zR86;d;n~Onk7KzcE@xARFDSj13s=;wBQb8`>$Q$|6-@futz=0DNEKB@(bn@G(OfMOW zUCv7Dy>qzhqxzv=3Vy_MUkjwDqb}&w3Hb@gs&N}T{p=5(W$*rWv9979N0_aehTekI zoKyB;^_(0YW^wyEy^qKh9lYM#f7XP-1+e?7^9rQ#a;ol2o5`n84=$Nb$O^Amx4 ze%!Nv&ktWgRpXfdYQtXUuhYacKbV>jkMCvvm-j5)O{Eo6`v=lqcaYwY6j~18nG^rS z(M0TgHEgWmGs#%s^7O0Ll>9!vsf#USpOKl|XM5@-1oW;djIBCbbeBh(k6Xj!sHKbK zE4X_?01~Mbqp;Pc2ZM}Bac5LG?5`Kw@ zBP}qxs1mwVnenp`IpbI!aO7T?^c`O`nX*&9GHYi=*8y*=;hSUD$GU|`RJl5R3^ehZtw%6=Bs%wf*XX^bs%4iv{$lJbHig7HtV%{a zsUqTfL+(rAWbcAPVR?C#Ud4yjFLEL?nH=8chAQ~AM0q4KWF4`Mx)JX((e_rq#}25$ zqz=NVyB;`KkyWngJ_@#+?O|&AA|GK^w7|9$pl0e{aqfoeWeDs0Z?soe?re1DAB4<0 zsAes~B1^`8WsFp~t)7u-p)>$mM{nF^8W$}R8I;Fr{%?(KNojJiZ>+1Wa?o1P?zEPJeBu3Q(z|vo(ht7EQPrb!wP8% zL>%3C7ZVCz@Y+MPCS|J3-yVG!x}Z(uIxY&h_$D8Vimhmx#YDOBpFJrtIz=^VT`nvT z6jFE|9>aR&#RGi-#0=0OM;7~DP4`Zp*NsegQ6jq%l5&hy{3m~`LLCRUHgi_0^3Rz7 zoAxIfC>ir$q0CD)tBOpwiM>nf3ek&c^93PN!TH=qH@~_4l&zzs)KRI8e-y1z^SIVD zSL5@~^U9T9;h%pKtZPwAdAV;(gyxne&{HB?UE%Rqb_h3R>+2Op!S%P?MR~^!D@c2Pdlu zZwFU#KmP!kwxvJbhE=ndj1D|H6VB-+Ns%)i;hOePo}oOxPlp+`b#=zC?N@5(FfTr>2Dr^rLIysLD!dS+ifHTPbT@KB#Mcm#F2^A;tqF z%vPeP(QGn7n<}{A&%x`>sy}L1KQ*2k``KiEDszME){&y-%d2bAJ=YK4Ab$2ON=QT~ zKH0CAy+?;VTY;a4kfzF!*I|U4+N_Q{PP1DudSN*0pt=4h9oL?glLZH{LyW&uyXPn0 zNCK@18U0Z7>LIm49-+`~=BVjj)a2EJjNDY+6a< zy!rcu;wc@yZ?^^u>L}B4Kic2M(W2N1l7F26)!t z_e*U5*Gdkr{<&w}HNr92%&=OX$2#ZlOO(tgr1e@7i(` z%gaK8I5XW+3I5gbdw4TL_L+HhL)63y*YS_J+h)qwU3+CWi9^iJAOL*8gD>2(Kf(Y= z)O|dn&R-G1j<1gHAU?z);yNz0b*e;la2onm&-rI0MIZxL@~8L*(yfLUnq2fZ4#)cy zGz*(wB~eiqi2_ZaR44vdryk%<2;OHx(srk6a<)xC27o54;}F+w{}Ztej~KKMF?ky? 
zws{9J<=U(0h9nR%Y=-P#Ha^57Uf74YW23{sHewuT<0c}3J^8;7AK?)L_aW}sDA%-u zn11b5Wy5vQMn~h#``Q0-M_Z3a4A_UbVe z#Pn 192.168.1.128:48260 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][cat: Web/5][3 pkts/1654 bytes <-> 6 pkts/1779 bytes][Goodput ratio: 87/78][0.04 sec][ALPN: anydesk/6.2.0/linux][bytes ratio: -0.036 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 3/0 10/8 17/20 7/9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 551/296 1514/1160 681/400][Risk: ** Missing SNI TLS Extn **][Risk Score: 50][TLSv1.2][JA3C: 29b5a018fa5992fe23560c16af0dc9fc][JA3S: e58f0b3c1e9eefb8ee4f92aeceee5858][Firefox][Cipher: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,33,0,0]
+ 2 TCP 192.168.1.128:59754 <-> 192.168.1.181:7070 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][cat: Web/5][6 pkts/1953 bytes <-> 2 pkts/140 bytes][Goodput ratio: 79/0][0.08 sec][bytes ratio: 0.866 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/6 15/6 54/6 20/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 326/70 1352/74 469/4][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **][Risk Score: 110][Risk Info: No ALPN][TLSv1.2][JA3C: 201999283915cc31cee6b15472ef3332][Firefox][Plen Bins: 0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0]
diff --git a/tests/result/tls_unidirectional.pcap.out b/tests/result/tls_unidirectional.pcap.out
new file mode 100644
index 000000000..4f8fa35e7
--- /dev/null
+++ b/tests/result/tls_unidirectional.pcap.out
@@ -0,0 +1,31 @@
+Guessed flow protos: 0
+
+DPI Packets (TCP): 12 (6.00 pkts/flow)
+Confidence DPI : 2 (flows)
+Num dissector calls: 4 (2.00 diss/flow)
+LRU cache ookla: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache zoom: 0/0/0 (insert/search/found)
+LRU cache stun: 0/0/0 (insert/search/found)
+LRU cache tls_cert: 0/2/0 (insert/search/found)
+LRU cache mining: 0/0/0 (insert/search/found)
+LRU cache msteams: 0/0/0 (insert/search/found)
+Automa host: 1/1 (search/found)
+Automa domain: 1/0 (search/found)
+Automa tls cert: 0/0 (search/found)
+Automa risk mask: 0/0 (search/found)
+Automa common alpns: 0/0 (search/found)
+Patricia risk mask: 4/0 (search/found)
+Patricia risk: 0/0 (search/found)
+Patricia protocols: 3/1 (search/found)
+
+TLS 27 7693 1
+Google 6 6972 1
+
+JA3 Host Stats:
+ IP Address # JA3C
+ 1 192.168.1.128 1
+
+
+ 1 TCP 192.168.1.128:48260 -> 195.181.174.176:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][cat: Web/5][27 pkts/7693 bytes -> 0 pkts/0 bytes][Goodput ratio: 77/0][58.79 sec][ALPN: anydesk/6.2.0/linux][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 2023/0 10210/0 3873/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/0 285/0 1514/0 460/0][Risk: ** Missing SNI TLS Extn **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][TLSv1.2][JA3C: 29b5a018fa5992fe23560c16af0dc9fc][Firefox][Plen Bins: 0,20,20,0,10,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,10,0,0,0,0,0,0,20,0,0]
+ 2 TCP 142.250.27.188:5228 -> 10.140.72.24:12654 [VLAN: 308][proto: 91.126/TLS.Google][IP: 126/Google][Encrypted][Confidence: DPI][cat: Web/5][6 pkts/6972 bytes -> 0 pkts/0 bytes][Goodput ratio: 94/0][0.16 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 32/0 160/0 64/0][Pkt Len c2s/s2c min/avg/max/stddev: 78/0 1162/0 1418/0 490/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No client
to server traffic][ServerNames: *.google.com,*.appengine.google.com,*.bdn.dev,*.cloud.google.com,*.crowdsource.google.com,*.datacompute.google.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleadapis.com,*.googleapis.cn,*.googlevideo.com,*.gstatic.cn,*.gstatic-cn.com,googlecnapps.cn,*.googlecnapps.cn,googleapps-cn.com,*.googleapps-cn.com,gkecnapps.cn,*.gkecnapps.cn,googledownloads.cn,*.googledownloads.cn,recaptcha.net.cn,*.recaptcha.net.cn,widevine.cn,*.widevine.cn,ampproject.org.cn,*.ampproject.org.cn,ampproject.net.cn,*.ampproject.net.cn,google-analytics-cn.com,*.google-analytics-cn.com,googleadservices-cn.com,*.googleadservices-cn.com,googlevads-cn.com,*.googlevads-cn.com,googleapis-cn.com,*.googleapis-cn.com,googleoptimize-cn.com,*.googleoptimize-cn.com,doubleclick-cn.net,*.doubleclick-cn.net,*.fls.doubleclick-cn.net,*.g.doubleclick-cn.net,doubleclick.cn,*.doubleclick.cn,*.fls.doubleclick.cn,*.g.doubleclick.cn,dartsearch-cn.net,*.dartsearch-cn.net,googletraveladservices-cn.com,*.googletraveladservices-cn.com,googletagservices-cn.com,*.googletagservices-cn.com,googletagmanager-cn.com,*.googletagmanager-cn.com,googlesyndication-cn.com,*.googlesyndication-cn.com,*.safeframe.googlesyndication-cn.com,app-measurement-cn.com,*.app-measurement-cn.com,gvt1-cn.com,*.gvt1-cn.com,gvt2-cn.com,*.gvt2-cn.com,2mdn-cn.net,*.2mdn-cn.net,googleflights-cn.net,*.googleflights-cn.net,admob-cn.com,*.admob-cn.com,*.gstatic.com,*.metric.gstatic.com,*.gvt1.com,*.gcpcdn.gvt1.com,*.gvt2.com,*.gcp.gvt2.com,*.url.google.com,*.youtube-nocookie.com,*.ytimg.com,android.com,*.android.com,*.flash.android.com,g.cn,*.g.cn,g.co,*.g.co,goo.gl,www.goo.gl,google-analytics.com,*.google-analytics.com,google.com,googlecommerce.com,*.googlecommerce.com,ggpht.cn,*.ggpht.cn
,urchin.com,*.urchin.com,youtu.be,youtube.com,*.youtube.com,youtubeeducation.com,*.youtubeeducation.com,youtubekids.com,*.youtubekids.com,yt.be,*.yt.be,android.clients.google.com,developer.android.google.cn,developers.android.google.cn,source.android.google.cn][JA3S: 84aaf6d03fc8c5bfb56d1d188735b268][Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1C3][Subject: CN=*.google.com][Certificate SHA-1: 02:64:CA:2E:8A:2F:BB:C4:97:9D:A7:AC:2B:47:FF:DE:28:0E:71:B1][Validity: 2021-11-01 02:19:52 - 2022-01-24 02:19:51][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,80,0,0,0,0,0]