diff --git a/doc/flow_risks.rst b/doc/flow_risks.rst
index b84bda0fac0..0ea9e2d7c83 100644
--- a/doc/flow_risks.rst
+++ b/doc/flow_risks.rst
@@ -339,4 +339,10 @@ HTTP only: this risk indicates that a binary file/data application transfer (att
 NDPI_PROBING_ATTEMPT
 ====================
-Connection with no data exchagef that looks like a probing attempt
+Connection with no data exchaged that looks like a probing attempt
+
+.. _Risk 056:
+
+NDPI_OBFUSCATED_TRAFFIC
+=======================
+This risk is triggered when a connection is likely using some obfuscation technique to try to "look like" something else, hiding its true nature
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 44736a3a256..db88972c469 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -3197,6 +3197,15 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 }
 s_offset += param_len;
 }
+ } else if(extension_id == 21) { /* Padding */
+ /* Padding is usually some hundreds byte long. Longer padding
+ might be used as obfuscation technique to force unusual CH fragmentation */
+ if(extension_len > 500 /* Arbitrary value */) {
+#ifdef DEBUG_TLS
+ printf("Padding length: %d\n", extension_len);
+#endif
+ ndpi_set_risk(flow, NDPI_OBFUSCATED_TRAFFIC, "Abnormal ClientHello/Padding length");
+ }
 }
 extension_offset += extension_len; /* Move to the next extension */
diff --git a/tests/cfgs/default/pcap/tls_with_huge_ch.pcapng b/tests/cfgs/default/pcap/tls_with_huge_ch.pcapng
new file mode 100644
index 00000000000..383243484a6
Binary files /dev/null and b/tests/cfgs/default/pcap/tls_with_huge_ch.pcapng differ
diff --git a/tests/cfgs/default/result/tls_with_huge_ch.pcapng.out b/tests/cfgs/default/result/tls_with_huge_ch.pcapng.out
new file mode 100644
index 00000000000..6909aff5160
--- /dev/null
+++ b/tests/cfgs/default/result/tls_with_huge_ch.pcapng.out
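Review bot: The threshold in `if(extension_len > 500 /* Arbitrary value */)` in the tls.c hunk is an inline magic number whose rationale exists only in a comment; a file-scope named constant (a suggested name, not an existing one) such as `#define NDPI_TLS_PADDING_LEN_THRESHOLD 500 /* RFC 7685 padding brings a ClientHello up to ~512 bytes; a longer padding extension is unusual */` would make the tuning point visible and grep-able, and the risk message could then state the threshold rather than just "Abnormal". The debug line `printf("Padding length: %d\n", extension_len);` is only well-formed if `extension_len` is an integer type no wider than int; its declaration is outside the hunk, so confirm it is not a u_int32_t or size_t before relying on `%d`. Since this branch lives in `processClientServerHello`, which by its name appears to process ServerHello as well, check that `extension_id == 21` cannot be reached on the server side, otherwise the "Abnormal ClientHello/Padding length" risk info would be misattributed. The enclosing function begins and ends outside this hunk. Separately, the corrected line in the doc/flow_risks.rst hunk still misspells "exchanged" as "exchaged".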
@@ -0,0 +1,32 @@ +DPI Packets (TCP): 32 (32.00 pkts/flow) +Confidence DPI : 1 (flows) +Num dissector calls: 284 (284.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/3/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/1/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 0/1/0 (insert/search/found) +Automa host: 0/0 (search/found) +Automa domain: 0/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 2/2 (search/found) +Patricia risk mask: 2/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 2/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +TLS 428 119100 1 + +Safe 428 119100 1 + +JA3 Host Stats: + IP Address # JA3C + 1 172.30.84.193 1 + + + 1 TCP 172.30.84.193:40640 <-> 208.253.217.142:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 32][cat: Web/5][194 pkts/51762 bytes <-> 234 pkts/67338 bytes][Goodput ratio: 75/77][31.67 sec][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.131 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 135/123 2012/2189 352/307][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 267/288 1090/1514 287/409][Risk: ** Missing SNI TLS Extn **** ALPN/SNI Mismatch **** Obfuscated Traffic **][Risk Score: 200][Risk Info: Abnormal ClientHello/Padding length / SNI should always be present / h2][TLSv1.2][JA3C: 66d6080b942b0b593896bf729f3fd326][JA4: t13d1811h2_f71e3e15ae0d_5c3a8cf9b2bc][Firefox][Plen Bins: 0,0,7,52,4,3,7,1,2,0,2,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,10,0,0,1,0,0,0,0,0,0,1,0,0,1,0,0]