vrr/nDPI
2
0
Fork 0
mirror of https://github.com/vel21ripn/nDPI.git synced 2026-04-29 07:29:39 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

TLS: fix JA4 when there are no ciphers or extensions (#3084)

Browse source
This commit is contained in:
Ivan Nardi 2026-01-13 18:33:23 +00:00 committed by GitHub
parent 6828c1ef30
commit d6cbd624d0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 17 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

2
tests/cfgs/default/result/false_positives.pcapng.out
View file

@ -56,7 +56,7 @@ JA Host Stats:
3 UDP 10.126.70.67:23784 <-> 10.236.7.225:50160 [VLAN: 107][proto: 87/RTP][Stack: RTP][IP: 0/Unknown][Stream Content: Audio][Payload Type: ITU-T G.711 PCMA (8.0) / ITU-T G.711 PCMA (8.0)][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 7][cat: Media/1][Breed: Acceptable][18 pkts/3924 bytes <-> 12 pkts/2616 bytes][Goodput ratio: 79/79][0.34 sec][bytes ratio: 0.200 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/19 20/20 20/20 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 218/218 218/218 218/218 0/0][PLAIN TEXT (UUUUUUUUU)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
4 UDP 10.102.45.249:31046 <-> 10.133.48.100:21176 [VLAN: 10][proto: GTP:87/RTP][Stack: RTP][IP: 0/Unknown][Payload Type: Unknown (102.0) / Unknown (102.0)][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 17][cat: Media/1][Breed: Acceptable][22 pkts/2860 bytes <-> 8 pkts/989 bytes][Goodput ratio: 34/30][0.44 sec][bytes ratio: 0.486 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/19 22/19 44/20 15/0][Pkt Len c2s/s2c min/avg/max/stddev: 130/113 130/124 130/130 0/8][Plen Bins: 10,90,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
5 UDP 10.133.32.101:36408 -> 10.110.31.25:1272 [VLAN: 10][proto: GTP:87/RTP][Stack: RTP][IP: 0/Unknown][Payload Type: AMR (118.0)][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 20][cat: Media/1][Breed: Acceptable][20 pkts/2260 bytes -> 0 pkts/0 bytes][Goodput ratio: 24/0][0.38 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 21/0 1/0][Pkt Len c2s/s2c min/avg/max/stddev: 113/0 113/0 113/0 0/0][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
6 TCP 91.238.181.21:35888 <-> 89.31.79.12:3389 [VLAN: 77][proto: 91.88/TLS.RDP][Stack: RDP.TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: RemoteAccess/12][Breed: Acceptable][3 pkts/239 bytes <-> 2 pkts/1332 bytes][Goodput ratio: 20/91][0.07 sec][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Desktop/File Sharing **** TLS Susp Extn **** Non-Printable/Invalid Chars Detected **** Possible Exploit Attempt **][Risk Score: 420][Risk Info: Invalid chars found in SNI: exploit or misconfiguration? / xsen??????????????????tsp:8/w-speedtest.:find_????tsp:32766/w-speed][nDPI Fingerprint: 4b1df66adac4158c4dff9d37fd37ae88][TCP Fingerprint: 194_128_8192_6bb88f5575fd/Unknown][TLS (0589)][JA4: t00i001700_e3b0c44298fc_6d0650a004ef][PLAIN TEXT (Cookie)][Plen Bins: 33,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0]
6 TCP 91.238.181.21:35888 <-> 89.31.79.12:3389 [VLAN: 77][proto: 91.88/TLS.RDP][Stack: RDP.TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: RemoteAccess/12][Breed: Acceptable][3 pkts/239 bytes <-> 2 pkts/1332 bytes][Goodput ratio: 20/91][0.07 sec][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Desktop/File Sharing **** TLS Susp Extn **** Non-Printable/Invalid Chars Detected **** Possible Exploit Attempt **][Risk Score: 420][Risk Info: Invalid chars found in SNI: exploit or misconfiguration? / xsen??????????????????tsp:8/w-speedtest.:find_????tsp:32766/w-speed][nDPI Fingerprint: 0730f697da254240142402f488cb15bb][TCP Fingerprint: 194_128_8192_6bb88f5575fd/Unknown][TLS (0589)][JA4: t00i001700_000000000000_6d0650a004ef][PLAIN TEXT (Cookie)][Plen Bins: 33,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0]
7 UDP 192.168.12.67:48612 <-> 93.38.195.192:42034 [proto: 216/IMO][Stack: IMO][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 3][cat: VoIP/10][Breed: Acceptable][10 pkts/728 bytes <-> 11 pkts/784 bytes][Goodput ratio: 42/41][0.77 sec][bytes ratio: -0.037 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 89/26 340/101 102/37][Pkt Len c2s/s2c min/avg/max/stddev: 43/43 73/71 278/167 68/45][Plen Bins: 86,0,0,9,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
8 TCP 10.140.231.26:61202 <-> 159.65.12.169:443 [VLAN: 113][proto: GTP:7.251/HTTP.WebSocket][Stack: HTTP.WebSocket][IP: 442/DigitalOcean][ClearText][Confidence: DPI][FPC: 442/DigitalOcean, Confidence: IP address][DPI packets: 4][cat: Web/5][Breed: Acceptable][2 pkts/557 bytes <-> 2 pkts/416 bytes][Goodput ratio: 58/45][0.20 sec][Hostname/SNI: wludo.superkinglabs.com][URL: wludo.superkinglabs.com:443/ws][StatusCode: 101][Server: nginx/1.12.2][Risk: ** Known Proto on Non Std Port **** HTTP Susp User-Agent **** HTTP Obsolete Server **][Risk Score: 200][Risk Info: Obsolete nginx server 1.12.2 / Empty or missing User-Agent / Expected on port 80][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][PLAIN TEXT (GET /ws HTTP/1.1)][Plen Bins: 0,0,0,0,0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]