Add (kind of) support for loading a list of JA4C malicious fingerprints (#2678)

It might be useful to be able to match traffic against a list of
suspicious JA4C fingerprints

Use the same code/logic/infrastructure used for JA3C (note that we are
going to remove JA3C...)

See: #2551
This commit is contained in:
Ivan Nardi 2025-01-14 12:05:03 +01:00 committed by GitHub
parent 69a4f8120a
commit 63a3547f99
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
33 changed files with 200 additions and 299 deletions


@ -79,7 +79,7 @@ static char *results_path = NULL;
static char * bpfFilter = NULL; /**< bpf filter */
static char *_protoFilePath = NULL; /**< Protocol file path */
static char *_customCategoryFilePath= NULL; /**< Custom categories file path */
static char *_maliciousJA3Path = NULL; /**< Malicious JA3 signatures */
static char *_maliciousJA4Path = NULL; /**< Malicious JA4 signatures */
static char *_maliciousSHA1Path = NULL; /**< Malicious SSL certificate SHA1 fingerprints */
static char *_riskyDomainFilePath = NULL; /**< Risky domain files */
static char *_domain_suffixes = NULL; /**< Domain suffixes file */
@ -684,7 +684,7 @@ static void help(u_int long_help) {
" -E <path> | Write flow fingerprints on the specified file\n"
" -r <path> | Load risky domain file\n"
" -R | Print detected realtime protocols\n"
" -j <path> | Load malicious JA3 fingeprints\n"
" -j <path> | Load malicious JA4 fingeprints\n"
" -S <path> | Load malicious SSL certificate SHA1 fingerprints\n"
" -G <dir> | Bind domain names to categories loading files from <dir>\n"
" -w <path> | Write test output on the specified file. This is useful for\n"
@ -1157,7 +1157,7 @@ static void parse_parameters(int argc, char **argv)
break;
case 'j':
_maliciousJA3Path = optarg;
_maliciousJA4Path = optarg;
break;
case 'S':
@ -2974,8 +2974,8 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle,
if(_riskyDomainFilePath)
ndpi_load_risk_domain_file(ndpi_thread_info[thread_id].workflow->ndpi_struct, _riskyDomainFilePath);
if(_maliciousJA3Path)
ndpi_load_malicious_ja3_file(ndpi_thread_info[thread_id].workflow->ndpi_struct, _maliciousJA3Path);
if(_maliciousJA4Path)
ndpi_load_malicious_ja4_file(ndpi_thread_info[thread_id].workflow->ndpi_struct, _maliciousJA4Path);
if(_maliciousSHA1Path)
ndpi_load_malicious_sha1_file(ndpi_thread_info[thread_id].workflow->ndpi_struct, _maliciousSHA1Path);