Add (kind of) support for loading a list of JA4C malicious fingerprints

It might be usefull to be able to match traffic against a list of
suspicious JA4C fingerprints

Use the same code/logic/infrastructure used for JA3C (note that we are
going to remove JA3C...)

See: #2551

.gitignore

@@ -103,7 +103,7 @@
 /fuzz/fuzz_filecfg_categories
 /fuzz/fuzz_filecfg_category
 /fuzz/fuzz_filecfg_malicious_sha1
-/fuzz/fuzz_filecfg_malicious_ja3
+/fuzz/fuzz_filecfg_malicious_ja4
 /fuzz/fuzz_filecfg_risk_domains
 /fuzz/fuzz_filecfg_config
 /fuzz/fuzz_readerutils_workflow
@@ -136,7 +136,7 @@
 /fuzz/fuzz_filecfg_categories_seed_corpus.zip
 /fuzz/fuzz_filecfg_category_seed_corpus.zip
 /fuzz/fuzz_filecfg_malicious_sha1_seed_corpus.zip
-/fuzz/fuzz_filecfg_malicious_ja3_seed_corpus.zip
+/fuzz/fuzz_filecfg_malicious_ja4_seed_corpus.zip
 /fuzz/fuzz_filecfg_risk_domains_seed_corpus.zip
 /fuzz/fuzz_filecfg_config_seed_corpus.zip
 /fuzz/fuzz_dga_seed_corpus.zip

example/ja4_fingerprints.csv

@@ -0,0 +1,9 @@
+################################################################
+# List of malicious/suspicious JA4C fingerprints               #
+#                                                              #
+# This is only an example. You can extend this list, putting   #
+# one fingeprint per row                                       #
+################################################################
+#
+# ja4c,comment
+t13d1517h2_8daaf6152771_b0da82dd1658,this_is_not_a_real_malicious_fingerprint!!!!!

example/ndpiReader.c

@@ -79,7 +79,7 @@ static char *results_path           = NULL;
 static char * bpfFilter             = NULL; /**< bpf filter  */
 static char *_protoFilePath         = NULL; /**< Protocol file path */
 static char *_customCategoryFilePath= NULL; /**< Custom categories file path  */
-static char *_maliciousJA3Path      = NULL; /**< Malicious JA3 signatures */
+static char *_maliciousJA4Path      = NULL; /**< Malicious JA4 signatures */
 static char *_maliciousSHA1Path     = NULL; /**< Malicious SSL certificate SHA1 fingerprints */
 static char *_riskyDomainFilePath   = NULL; /**< Risky domain files */
 static char *_domain_suffixes       = NULL; /**< Domain suffixes file */
@@ -684,7 +684,7 @@ static void help(u_int long_help) {
 	 "  -E <path>                 | Write flow fingerprints on the specified file\n"
          "  -r <path>                 | Load risky domain file\n"
          "  -R                        | Print detected realtime protocols\n"
-         "  -j <path>                 | Load malicious JA3 fingeprints\n"
+         "  -j <path>                 | Load malicious JA4 fingeprints\n"
          "  -S <path>                 | Load malicious SSL certificate SHA1 fingerprints\n"
 	 "  -G <dir>                  | Bind domain names to categories loading files from <dir>\n"
          "  -w <path>                 | Write test output on the specified file. This is useful for\n"
@@ -1157,7 +1157,7 @@ static void parse_parameters(int argc, char **argv)
       break;
 
     case 'j':
-      _maliciousJA3Path = optarg;
+      _maliciousJA4Path = optarg;
       break;
 
     case 'S':
@@ -2974,8 +2974,8 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle,
   if(_riskyDomainFilePath)
     ndpi_load_risk_domain_file(ndpi_thread_info[thread_id].workflow->ndpi_struct, _riskyDomainFilePath);
 
-  if(_maliciousJA3Path)
-    ndpi_load_malicious_ja3_file(ndpi_thread_info[thread_id].workflow->ndpi_struct, _maliciousJA3Path);
+  if(_maliciousJA4Path)
+    ndpi_load_malicious_ja4_file(ndpi_thread_info[thread_id].workflow->ndpi_struct, _maliciousJA4Path);
 
   if(_maliciousSHA1Path)
     ndpi_load_malicious_sha1_file(ndpi_thread_info[thread_id].workflow->ndpi_struct, _maliciousSHA1Path);

fuzz/Makefile.am

@@ -8,7 +8,7 @@ bin_PROGRAMS += fuzz_libinjection fuzz_binaryfusefilter
 #Internal crypto
 bin_PROGRAMS += fuzz_gcrypt_light fuzz_gcrypt_aes fuzz_gcrypt_gcm fuzz_gcrypt_cipher
 #Configuration files
-bin_PROGRAMS += fuzz_filecfg_protocols fuzz_filecfg_categories fuzz_filecfg_malicious_sha1 fuzz_filecfg_malicious_ja3 fuzz_filecfg_risk_domains fuzz_filecfg_config fuzz_filecfg_category
+bin_PROGRAMS += fuzz_filecfg_protocols fuzz_filecfg_categories fuzz_filecfg_malicious_sha1 fuzz_filecfg_malicious_ja4 fuzz_filecfg_risk_domains fuzz_filecfg_config fuzz_filecfg_category
 #Reader utils
 bin_PROGRAMS += fuzz_readerutils_workflow fuzz_readerutils_parseprotolist
 #Mutators
@@ -623,18 +623,18 @@ fuzz_filecfg_malicious_sha1_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAG
     $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \
     $(fuzz_filecfg_malicious_sha1_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@
 
-fuzz_filecfg_malicious_ja3_SOURCES = fuzz_filecfg_malicious_ja3.c fuzz_common_code.c
-fuzz_filecfg_malicious_ja3_CFLAGS = -I../src/lib/ @NDPI_CFLAGS@ $(CXXFLAGS) -DNDPI_LIB_COMPILATION
-fuzz_filecfg_malicious_ja3_LDADD = ../src/lib/libndpi.a $(ADDITIONAL_LIBS)
-fuzz_filecfg_malicious_ja3_LDFLAGS = $(LIBS)
+fuzz_filecfg_malicious_ja4_SOURCES = fuzz_filecfg_malicious_ja4.c fuzz_common_code.c
+fuzz_filecfg_malicious_ja4_CFLAGS = -I../src/lib/ @NDPI_CFLAGS@ $(CXXFLAGS) -DNDPI_LIB_COMPILATION
+fuzz_filecfg_malicious_ja4_LDADD = ../src/lib/libndpi.a $(ADDITIONAL_LIBS)
+fuzz_filecfg_malicious_ja4_LDFLAGS = $(LIBS)
 if HAS_FUZZLDFLAGS
-fuzz_filecfg_malicious_ja3_CFLAGS += $(LIB_FUZZING_ENGINE)
-fuzz_filecfg_malicious_ja3_LDFLAGS += $(LIB_FUZZING_ENGINE)
+fuzz_filecfg_malicious_ja4_CFLAGS += $(LIB_FUZZING_ENGINE)
+fuzz_filecfg_malicious_ja4_LDFLAGS += $(LIB_FUZZING_ENGINE)
 endif
 # force usage of CXX for linker
-fuzz_filecfg_malicious_ja3_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+fuzz_filecfg_malicious_ja4_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
     $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \
-    $(fuzz_filecfg_malicious_ja3_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@
+    $(fuzz_filecfg_malicious_ja4_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@
 
 fuzz_filecfg_risk_domains_SOURCES = fuzz_filecfg_risk_domains.c fuzz_common_code.c
 fuzz_filecfg_risk_domains_CFLAGS = -I../src/lib/ @NDPI_CFLAGS@ $(CXXFLAGS) -DNDPI_LIB_COMPILATION
@@ -874,9 +874,9 @@ files_corpus_fuzz_filecfg_malicious_sha1 :=  $(wildcard corpus/fuzz_filecfg_mali
 fuzz_filecfg_malicious_sha1_seed_corpus.zip: $(files_corpus_fuzz_filecfg_malicious_sha1)
 	zip -j fuzz_filecfg_malicious_sha1_seed_corpus.zip $(files_corpus_fuzz_filecfg_malicious_sha1)
 
-files_corpus_fuzz_filecfg_malicious_ja3 :=  $(wildcard corpus/fuzz_filecfg_malicious_ja3/*)
-fuzz_filecfg_malicious_ja3_seed_corpus.zip: $(files_corpus_fuzz_filecfg_malicious_ja3)
-	zip -j fuzz_filecfg_malicious_ja3_seed_corpus.zip $(files_corpus_fuzz_filecfg_malicious_ja3)
+files_corpus_fuzz_filecfg_malicious_ja4 :=  $(wildcard corpus/fuzz_filecfg_malicious_ja4/*)
+fuzz_filecfg_malicious_ja4_seed_corpus.zip: $(files_corpus_fuzz_filecfg_malicious_ja4)
+	zip -j fuzz_filecfg_malicious_ja4_seed_corpus.zip $(files_corpus_fuzz_filecfg_malicious_ja4)
 
 files_corpus_fuzz_filecfg_risk_domains :=  $(wildcard corpus/fuzz_filecfg_risk_domains/*)
 fuzz_filecfg_risk_domains_seed_corpus.zip: $(files_corpus_fuzz_filecfg_risk_domains)
@@ -906,7 +906,7 @@ files_corpus_fuzz_ds_domain_classify :=  $(wildcard corpus/fuzz_ds_domain_classi
 fuzz_ds_domain_classify_seed_corpus.zip: $(files_corpus_fuzz_ds_domain_classify)
 	zip -j fuzz_ds_domain_classify_seed_corpus.zip $(files_corpus_fuzz_ds_domain_classify)
 
-corpus: fuzz_ndpi_reader_seed_corpus.zip fuzz_ndpi_reader_alloc_fail_seed_corpus.zip fuzz_ndpi_reader_payload_analyzer_seed_corpus.zip fuzz_quic_get_crypto_data_seed_corpus.zip fuzz_alg_ses_des_seed_corpus.zip fuzz_alg_bins_seed_corpus.zip fuzz_alg_hll_seed_corpus.zip fuzz_alg_jitter_seed_corpus.zip fuzz_ds_libcache_seed_corpus.zip fuzz_community_id_seed_corpus.zip fuzz_serialization_seed_corpus.zip fuzz_ds_ptree_seed_corpus.zip fuzz_alg_crc32_md5_seed_corpus.zip fuzz_alg_bytestream_seed_corpus.zip fuzz_libinjection_seed_corpus.zip fuzz_tls_certificate_seed_corpus.zip fuzz_filecfg_protocols_seed_corpus.zip fuzz_readerutils_workflow_seed_corpus.zip fuzz_readerutils_parseprotolist_seed_corpus.zip fuzz_ds_bitmap64_fuse_seed_corpus.zip fuzz_ds_domain_classify_seed_corpus.zip fuzz_filecfg_protocols_seed_corpus.zip fuzz_is_stun_udp_seed_corpus.zip fuzz_is_stun_tcp_seed_corpus.zip fuzz_ndpi_reader_pl7m_simplest_seed_corpus.zip fuzz_ndpi_reader_pl7m_seed_corpus.zip fuzz_ndpi_reader_pl7m_64k_seed_corpus.zip fuzz_ndpi_reader_pl7m_simplest_internal_seed_corpus.zip fuzz_ndpi_reader_pl7m_internal_seed_corpus.zip
+corpus: fuzz_ndpi_reader_seed_corpus.zip fuzz_ndpi_reader_alloc_fail_seed_corpus.zip fuzz_ndpi_reader_payload_analyzer_seed_corpus.zip fuzz_quic_get_crypto_data_seed_corpus.zip fuzz_alg_ses_des_seed_corpus.zip fuzz_alg_bins_seed_corpus.zip fuzz_alg_hll_seed_corpus.zip fuzz_alg_jitter_seed_corpus.zip fuzz_ds_libcache_seed_corpus.zip fuzz_community_id_seed_corpus.zip fuzz_serialization_seed_corpus.zip fuzz_ds_ptree_seed_corpus.zip fuzz_alg_crc32_md5_seed_corpus.zip fuzz_alg_bytestream_seed_corpus.zip fuzz_libinjection_seed_corpus.zip fuzz_tls_certificate_seed_corpus.zip fuzz_filecfg_protocols_seed_corpus.zip fuzz_readerutils_workflow_seed_corpus.zip fuzz_readerutils_parseprotolist_seed_corpus.zip fuzz_ds_bitmap64_fuse_seed_corpus.zip fuzz_ds_domain_classify_seed_corpus.zip fuzz_filecfg_protocols_seed_corpus.zip fuzz_is_stun_udp_seed_corpus.zip fuzz_is_stun_tcp_seed_corpus.zip fuzz_ndpi_reader_pl7m_simplest_seed_corpus.zip fuzz_ndpi_reader_pl7m_seed_corpus.zip fuzz_ndpi_reader_pl7m_64k_seed_corpus.zip fuzz_ndpi_reader_pl7m_simplest_internal_seed_corpus.zip fuzz_ndpi_reader_pl7m_internal_seed_corpus.zip fuzz_filecfg_malicious_ja4_seed_corpus.zip fuzz_filecfg_malicious_sha1_seed_corpus.zip fuzz_filecfg_categories_seed_corpus.zip
 	cp corpus/fuzz_*seed_corpus.zip .
 
 #Create dictionaries exactly as expected by oss-fuzz.
@@ -938,7 +938,7 @@ distdir:
 		-o -path './corpus/fuzz_filecfg_protocols/*' \
 		-o -path './corpus/fuzz_filecfg_categories/*' \
 		-o -path './corpus/fuzz_filecfg_malicious_sha1/*' \
-		-o -path './corpus/fuzz_filecfg_malicious_ja3/*' \
+		-o -path './corpus/fuzz_filecfg_malicious_ja4/*' \
 		-o -path './corpus/fuzz_filecfg_risk_domains/*' \
 		-o -path './corpus/fuzz_filecfg_config/*' \
 		-o -path './corpus/fuzz_filecfg_category/*' \

fuzz/corpus/fuzz_filecfg_malicious_ja4/1

@@ -0,0 +1,2 @@
+# ja4c,comment
+t13d1517h2_8daaf6152771_b0da82dd1658,comment

fuzz/corpus/fuzz_filecfg_malicious_ja4/2

@@ -0,0 +1 @@
+t13d1517h2_8daaf6152771_b0da82dd1658,comment

fuzz/fuzz_common_code.c

@@ -53,7 +53,7 @@ void fuzz_init_detection_module(struct ndpi_detection_module_struct **ndpi_info_
     ndpi_load_protocols_file(*ndpi_info_mod, "protos.txt");
     ndpi_load_categories_file(*ndpi_info_mod, "categories.txt", NULL);
     ndpi_load_risk_domain_file(*ndpi_info_mod, "risky_domains.txt");
-    ndpi_load_malicious_ja3_file(*ndpi_info_mod, "ja3_fingerprints.csv");
+    ndpi_load_malicious_ja4_file(*ndpi_info_mod, "ja4_fingerprints.csv");
     ndpi_load_malicious_sha1_file(*ndpi_info_mod, "sha1_fingerprints.csv");
 
     ndpi_set_config(*ndpi_info_mod, NULL, "filename.config", "config.txt");

fuzz/fuzz_config.cpp

@@ -87,9 +87,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   if(fuzzed_data.ConsumeBool())
     ndpi_load_risk_domain_file(ndpi_info_mod, fuzzed_data.ConsumeBool() ? NULL : "invalid_filename"); /* Error */
   if(fuzzed_data.ConsumeBool())
-    ndpi_load_malicious_ja3_file(ndpi_info_mod, "ja3_fingerprints.csv");
+    ndpi_load_malicious_ja4_file(ndpi_info_mod, "ja4_fingerprints.csv");
   if(fuzzed_data.ConsumeBool())
-    ndpi_load_malicious_ja3_file(ndpi_info_mod, fuzzed_data.ConsumeBool() ? NULL : "invalid_filename"); /* Error */
+    ndpi_load_malicious_ja4_file(ndpi_info_mod, fuzzed_data.ConsumeBool() ? NULL : "invalid_filename"); /* Error */
   if(fuzzed_data.ConsumeBool())
     ndpi_load_malicious_sha1_file(ndpi_info_mod, "sha1_fingerprints.csv");
   if(fuzzed_data.ConsumeBool())