diff --git a/doc/configuration_parameters.md b/doc/configuration_parameters.md
index f42ba0d5900..85d7da81edd 100644
--- a/doc/configuration_parameters.md
+++ b/doc/configuration_parameters.md
@@ -33,9 +33,8 @@ List of the supported configuration options:
 | "tls " | "dpi.heuristics", | 0x00 | 0x00 | 0x07 | Enable/disable some heuristics to detect encrypted/obfuscated/proxied TLS flows. The value is a bitmask. Values: 0x0 = disabled; 0x01 = enable basic detection (i.e. encrypted TLS without any encapsulation); 0x02 = enable detection over TLS (i.e. TLS-in-TLS); 0x04 = enable detection over HTTP (i.e. TLS-over-WebSocket). If enabled, some false positives are expected. See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting |
 | "tls " | "dpi.heuristics.max_packets_extra_dissection", | 25 | 0 | 255 | If at least one TLS heuristics is enabled (see `tls,"dpi.heuristics"`, this parameter set the upper limit on the number of packets required/processed for each flow. Higher the value, lower the false positive rate but more packets are required by nDPI for processing. |
 | "tls" | "metadata.sha1_fingerprint" | enable | NULL | NULL | Enable/disable computation and export of SHA1 fingerprint for TLS flows. Note that if it is disable, the flow risk `NDPI_MALICIOUS_SHA1_CERTIFICATE` is not checked |
-| "tls" | "metadata.ja3c_fingerprint" | enable | NULL | NULL | Enable/disable computation and export of JA3C fingerprint for TLS flows. Note that if it is disable, the flow risk `NDPI_MALICIOUS_JA3` is not checked |
 | "tls" | "metadata.ja3s_fingerprint" | enable | NULL | NULL | Enable/disable computation and export of JA3S fingerprint for TLS flows |
-| "tls" | "metadata.ja4c_fingerprint" | enable | NULL | NULL | Enable/disable computation and export of JA4C fingerprint for TLS flows |
+| "tls" | "metadata.ja4c_fingerprint" | enable | NULL | NULL | Enable/disable computation and export of JA4C fingerprint for TLS flows. 
Note that if it is disable, the flow risk `NDPI_MALICIOUS_FINGERPRINT` is not checked | | "tls" | "metadata.ja4r_fingerprint" | disable | NULL | NULL | Enable/disable computation and export of JA4C fingerprint for TLS flows also in raw format | | "tls" | "subclassification" | enable | NULL | NULL | Enable/disable sub-classification of TLS/DTLS flows | | "quic" | "subclassification" | enable | NULL | NULL | Enable/disable sub-classification of QUIC flows | diff --git a/example/reader_util.c b/example/reader_util.c index d03a376c28b..c7de6413bf6 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -1534,8 +1534,6 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl flow->ssh_tls.notBefore = flow->ndpi_flow->protos.tls_quic.notBefore; flow->ssh_tls.notAfter = flow->ndpi_flow->protos.tls_quic.notAfter; - ndpi_snprintf(flow->ssh_tls.ja3_client, sizeof(flow->ssh_tls.ja3_client), "%s", - flow->ndpi_flow->protos.tls_quic.ja3_client); ndpi_snprintf(flow->ssh_tls.ja4_client, sizeof(flow->ssh_tls.ja4_client), "%s", flow->ndpi_flow->protos.tls_quic.ja4_client); diff --git a/example/reader_util.h b/example/reader_util.h index 4086dd4b0c0..ca2449b4db2 100644 --- a/example/reader_util.h +++ b/example/reader_util.h @@ -292,7 +292,7 @@ typedef struct ndpi_flow_info { client_hassh[33], server_hassh[33], *server_names, *advertised_alpns, *negotiated_alpn, *tls_supported_versions, *tls_issuerDN, *tls_subjectDN, - ja3_client[33], ja3_server[33], ja4_client[37], *ja4_client_raw, + ja3_server[33], ja4_client[37], *ja4_client_raw, sha1_cert_fingerprint[20]; u_int8_t sha1_cert_fingerprint_set; struct tls_heuristics browser_heuristics; diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp index a07ef100d83..981f3eb5234 100644 --- a/fuzz/fuzz_config.cpp +++ b/fuzz/fuzz_config.cpp 
@@ -143,11 +143,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 snprintf(cfg_value, sizeof(cfg_value), "%d", value);
 ndpi_set_config(ndpi_info_mod, "tls", "metadata.sha1_fingerprint", cfg_value);
 }
- if(fuzzed_data.ConsumeBool()) {
- value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
- snprintf(cfg_value, sizeof(cfg_value), "%d", value);
- ndpi_set_config(ndpi_info_mod, "tls", "metadata.ja3c_fingerprint", cfg_value);
- }
 if(fuzzed_data.ConsumeBool()) {
 value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
 snprintf(cfg_value, sizeof(cfg_value), "%d", value);
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
index 76c902fb6ae..c17d2bee9f4 100644
--- a/src/include/ndpi_private.h
+++ b/src/include/ndpi_private.h
@@ -243,7 +243,6 @@ struct ndpi_detection_module_config_struct {
 int tls_heuristics;
 int tls_heuristics_max_packets;
 int tls_sha1_fingerprint_enabled;
- int tls_ja3c_fingerprint_enabled;
 int tls_ja3s_fingerprint_enabled;
 int tls_ja4c_fingerprint_enabled;
 int tls_ja4r_fingerprint_enabled;
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 39c4a8c591c..861e040941c 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1424,7 +1424,7 @@ struct ndpi_flow_struct {
 struct {
 char *server_names, *advertised_alpns, *negotiated_alpn, *tls_supported_versions, *issuerDN, *subjectDN;
 u_int32_t notBefore, notAfter;
- char ja3_client[33], ja3_server[33], ja4_client[37], *ja4_client_raw;
+ char ja3_server[33], ja4_client[37], *ja4_client_raw;
 u_int16_t server_cipher;
 u_int8_t sha1_certificate_fingerprint[20];
 u_int8_t client_hello_processed:1, ch_direction:1, subprotocol_detected:1, server_hello_processed:1, fingerprint_set:1, webrtc:1, _pad:2;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index f25c50fc519..f4b8a561299 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
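Review bot: Removing `ja3_client[33]` from the `tls_quic` struct in ndpi_typedefs.h changes the layout of the public `struct ndpi_flow_struct` — every member after it (`server_cipher`, `sha1_certificate_fingerprint`, the bit-field byte) moves — so this is an ABI break for anything built against the previous header, not only an API break for code that still names the field. Source consumers fail loudly at compile time, which is fine, but a binary linked against the old layout would silently read the wrong bytes; if the project tracks library versioning this commit should carry the matching version/soname bump and a changelog entry, and the same applies to `ndpi_flow_info` in example/reader_util.h and to the `"ja3"` key dropped from the JSON serializer in ndpi_utils.c, which is a consumer-visible schema change. The `tls,metadata.ja3c_fingerprint` row removed from the `cfg_param` table in ndpi_main.c is the related compatibility point: configurations that still pass it (the old tests/cfgs/disable_metadata_and_flowrisks/config.txt is one) presumably now get an unknown-key error from `ndpi_set_config` instead of a no-op, so consider keeping the key as an accepted-but-ignored entry for one release, with the doc row marked deprecated, if the table can express that. `struct ndpi_flow_struct` itself begins and ends outside the hunk.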
@@ -11562,7 +11562,6 @@ static const struct cfg_param { { "tls", "dpi.heuristics", "0x00", "0", "0x07", CFG_PARAM_INT, __OFF(tls_heuristics), NULL }, { "tls", "dpi.heuristics.max_packets_extra_dissection", "25", "0", "255", CFG_PARAM_INT, __OFF(tls_heuristics_max_packets), NULL }, { "tls", "metadata.sha1_fingerprint", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_sha1_fingerprint_enabled), NULL }, - { "tls", "metadata.ja3c_fingerprint", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja3c_fingerprint_enabled), NULL }, { "tls", "metadata.ja3s_fingerprint", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja3s_fingerprint_enabled), NULL }, { "tls", "metadata.ja4c_fingerprint", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja4c_fingerprint_enabled), NULL }, { "tls", "metadata.ja4r_fingerprint", "disable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja4r_fingerprint_enabled), NULL }, diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index f71013793c8..3ea01c45714 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -1218,7 +1218,6 @@ static void ndpi_tls2json(ndpi_serializer *serializer, struct ndpi_flow_struct * ndpi_serialize_string_string(serializer, "notafter", notAfter); } - ndpi_serialize_string_string(serializer, "ja3", flow->protos.tls_quic.ja3_client); ndpi_serialize_string_string(serializer, "ja3s", flow->protos.tls_quic.ja3_server); ndpi_serialize_string_string(serializer, "ja4", flow->protos.tls_quic.ja4_client); ndpi_serialize_string_uint32(serializer, "unsafe_cipher", flow->protos.tls_quic.server_unsafe_cipher); diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 8a00da661fb..6be99ecd07a 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c 
@@ -3184,71 +3184,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, } /* while */ if(!invalid_ja) { - /* Compute JA3 client */ - -compute_ja3c: - if(ndpi_struct->cfg.tls_ja3c_fingerprint_enabled) { - int rc; - u_int16_t ja_str_len; - char ja_str[JA_STR_LEN]; - ndpi_MD5_CTX ctx; - u_char md5_hash[16]; - - ja_str_len = ndpi_snprintf(ja_str, JA_STR_LEN, "%u,", ja.client.tls_handshake_version); - - for(i=0; i 0) ? "-" : "", ja.client.cipher[i]); - if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc; else break; - } - - rc = ndpi_snprintf(&ja_str[ja_str_len], JA_STR_LEN-ja_str_len, ","); - if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc; - - /* ********** */ - - for(i=0; i 0) ? "-" : "", ja.client.tls_extension[i]); - if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc; else break; - } - - rc = ndpi_snprintf(&ja_str[ja_str_len], JA_STR_LEN-ja_str_len, ","); - if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc; - - /* ********** */ - - for(i=0; i 0) ? "-" : "", ja.client.elliptic_curve[i]); - if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc; else break; - } - - rc = ndpi_snprintf(&ja_str[ja_str_len], JA_STR_LEN-ja_str_len, ","); - if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc; - - for(i=0; i 0) ? 
"-" : "", ja.client.elliptic_curve_point_format[i]); - if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc; else break; - } - - ndpi_MD5Init(&ctx); - ndpi_MD5Update(&ctx, (const unsigned char *)ja_str, strlen(ja_str)); - ndpi_MD5Final(md5_hash, &ctx); - - for(i=0, j=0; i<16; i++) { - rc = ndpi_snprintf(&flow->protos.tls_quic.ja3_client[j], - sizeof(flow->protos.tls_quic.ja3_client)-j, "%02x", - md5_hash[i]); - if(rc > 0) j += rc; else break; - } - -#ifdef DEBUG_JA - printf("[JA3] Client: %s \n", flow->protos.tls_quic.ja3_client); -#endif - } + /* Compute JA4 client */ +compute_ja4c: if(ndpi_struct->cfg.tls_ja4c_fingerprint_enabled) { ndpi_compute_ja4(ndpi_struct, flow, quic_version, &ja); @@ -3262,7 +3200,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_FINGERPRINT, flow->protos.tls_quic.ja4_client); } } - /* End JA3/JA4 */ + /* End JA4 */ } /* Before returning to the caller we need to make a final check */ @@ -3307,7 +3245,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, } } else if(offset == total_len) { /* TLS does not have extensions etc */ - goto compute_ja3c; + goto compute_ja4c; } } else { #ifdef DEBUG_TLS diff --git a/tests/cfgs/disable_metadata_and_flowrisks/config.txt b/tests/cfgs/disable_metadata_and_flowrisks/config.txt index 7dae53d2fa4..1b4457a2e1f 100644 --- a/tests/cfgs/disable_metadata_and_flowrisks/config.txt +++ b/tests/cfgs/disable_metadata_and_flowrisks/config.txt 
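Review bot: The relocated `compute_ja4c:` label sits directly inside `if(!invalid_ja) {`, but the third hunk's `goto compute_ja4c` (the `offset == total_len` no-extensions path) jumps to it from well below, so nothing at the label tells a reader that JA4 computation can be entered without the `invalid_ja` test having run. That was equally true of the old `compute_ja3c` target, but moving the label is the moment to say so, e.g. `/* Also entered via goto from the no-extensions path below, which skips the invalid_ja check */`. With the JA3 block gone, the `j` counter used only by the removed MD5 hex loop (`for(i=0, j=0; i<16; i++)`) may now be unused in processClientServerHello unless something outside the hunk still references it; worth a check for a -Wunused-variable warning. The removed doc row also mentions the flow risk `NDPI_MALICIOUS_JA3`; this diff does not touch the risk enum, so if that value still exists it is now never set by this dissector and should be marked deprecated or removed in a follow-up. processClientServerHello begins and ends outside the hunk.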
@@ -1 +1 @@
---cfg=tls,metadata.sha1_fingerprint,0 --cfg=tls,metadata.ja3c_fingerprint,0 --cfg=tls,metadata.ja3s_fingerprint,0 --cfg=tls,metadata.ja4c_fingerprint,0 --cfg=metadata.tcp_fingerprint,0 --cfg=sip,metadata.attribute.from,0 --cfg=sip,metadata.attribute.to,0 --cfg=flow_risk.all,0
+--cfg=tls,metadata.sha1_fingerprint,0 --cfg=tls,metadata.ja3s_fingerprint,0 --cfg=tls,metadata.ja4c_fingerprint,0 --cfg=metadata.tcp_fingerprint,0 --cfg=sip,metadata.attribute.from,0 --cfg=sip,metadata.attribute.to,0 --cfg=flow_risk.all,0
diff --git a/tests/cfgs/tls_ja3c_disabled/config.txt b/tests/cfgs/tls_ja3c_disabled/config.txt
deleted file mode 100644
index 2d8e14d0e49..00000000000
--- a/tests/cfgs/tls_ja3c_disabled/config.txt
+++ /dev/null
@@ -1 +0,0 @@
---cfg=tls,metadata.ja3c_fingerprint,0
diff --git a/tests/cfgs/tls_ja3c_disabled/pcap/tls_verylong_certificate.pcap b/tests/cfgs/tls_ja3c_disabled/pcap/tls_verylong_certificate.pcap
deleted file mode 120000
index 2f722f28ed6..00000000000
--- a/tests/cfgs/tls_ja3c_disabled/pcap/tls_verylong_certificate.pcap
+++ /dev/null
@@ -1 +0,0 @@
-../../default/pcap/tls_verylong_certificate.pcap
\ No newline at end of file
diff --git a/tests/cfgs/tls_ja3c_disabled/result/tls_verylong_certificate.pcap.out b/tests/cfgs/tls_ja3c_disabled/result/tls_verylong_certificate.pcap.out
deleted file mode 100644
index eb58330e558..00000000000
--- a/tests/cfgs/tls_ja3c_disabled/result/tls_verylong_certificate.pcap.out
+++ /dev/null
@@ -1,32 +0,0 @@ -DPI Packets (TCP): 11 (11.00 pkts/flow) -Confidence DPI : 1 (flows) -Num dissector calls: 1 (1.00 diss/flow) -LRU cache ookla: 0/0/0 (insert/search/found) -LRU cache bittorrent: 0/0/0 (insert/search/found) -LRU cache stun: 0/0/0 (insert/search/found) -LRU cache tls_cert: 0/0/0 (insert/search/found) -LRU cache mining: 0/0/0 (insert/search/found) -LRU cache msteams: 0/0/0 (insert/search/found) -LRU cache fpc_dns: 0/1/0 (insert/search/found) -Automa host: 1/1 (search/found) -Automa domain: 1/0 (search/found) -Automa tls cert: 0/0 (search/found) -Automa risk mask: 0/0 (search/found) -Automa common alpns: 1/1 (search/found) -Patricia risk mask: 0/0 (search/found) -Patricia risk mask IPv6: 0/0 (search/found) -Patricia risk: 0/0 (search/found) -Patricia risk IPv6: 0/0 (search/found) -Patricia protocols: 2/0 (search/found) -Patricia protocols IPv6: 0/0 (search/found) - -Cybersec 48 22229 1 - -Safe 48 22229 1 - -JA Host Stats: - IP Address # JA4C - 1 192.168.1.160 1 - - - 1 TCP 192.168.1.160:54804 <-> 151.101.66.49:443 [proto: 91.283/TLS.Cybersec][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 11][cat: Cybersecurity/33][24 pkts/2404 bytes <-> 24 pkts/19825 bytes][Goodput ratio: 35/92][0.09 sec][Hostname/SNI: feodotracker.abuse.ch][(Advertised) ALPNs: http/1.1][(Negotiated) ALPN: http/1.1][bytes ratio: -0.784 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4/4 15/21 5/7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 100/826 583/1434 109/662][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][TLSv1.2][JA4: t12d6707ht_2955a3196ffa_c83f907a73d3][ServerNames: 
p2.shared.global.fastly.net,*.12wbt.com,*.2bleacherreport.com,*.3bleacherreport.com,*.4bleacherreport.com,*.8bleacherreport.com,*.abuse.ch,*.acdn-it.ps-pantheon.com,*.cdn.livingmap.com,*.content.plastiq.com,*.dimensions.ai,*.dollarshaveclub.co.uk,*.dollarshaveclub.com,*.dontpayfull.com,*.ebisubook.com,*.foreignaffairs.com,*.fs.jibjab.com,*.fs.unitprints.com,*.ggleap.com,*.goodeggs.com,*.huevosbuenos.com,*.indy.myomnigon.com,*.jwatch.org,*.kingsfordcharcoal.com.au,*.lancenters.com,*.madebywe.com,*.minirodini.com,*.modcloth.net,*.orionlabs.io,*.ps-pantheon.com,*.scodle.com,*.steelseries.com,*.theforeman.org,*.uploads.eversign.com,*.uploads.schoox.com,*.vts.com,*.x.stg1.ebisubook.com,*.yang2020.com,12wbt.com,2bleacherreport.com,3bleacherreport.com,4bleacherreport.com,8bleacherreport.com,abuse.ch,brita.com,cdn.fwupd.org,cdn.livingmap.com,cdn.seated.com,cdn.skillacademy.com,clinicaloptions.com,clorox.com,content-preprod.beaverbrooksweb2.co.uk,content.beaverbrooks.co.uk,content.plastiq.com,coolmathgames.com,copterroyale.coolmathgames.com,d8-dev.coolmathgames.com,deflyio.coolmathgames.com,delivery-api.evadacms.com,dimensions.ai,dollarshaveclub.co.uk,dollarshaveclub.com,dontpayfull.com,eluniverso.com,email.amg-group.co,email.tekoforlife.co.uk,feedmarket.fr,freshstep.com,ggleap.com,goodeggs.com,heap.io,huevosbuenos.com,identity.linuxfoundation.org,joebiden.com,jwatch.org,kingsford.co.nz,kingsfordcharcoal.com.au,lancenters.com,lists.linuxfoundation.org,m-stage.coolmathgames.com,m.coolmathgames.com,madebywe.com,minirodini.com,modcloth.net,orionlabs.io,puritanmedproducts.com,reviews.org,rg-video-staging.ruangguru.com,rg-video.ruangguru.com,ruangguru.com,scodle.com,stage.coolmathgames.com,staging.appblade.com,steelseries.com,stg.platform.eluniverso.com,test.brita.com,test.heap.io,test.joebiden.com,test.ruangguru.com,theforeman.org,video-cdn.quipper.com,videos.calcworkshop.com,vts.com,www.101network.com,www.autos101.com,www.brita.com,www.clorox.com,www.collider.com,www.coolmathga
mes.com,www.eluniverso.com,www.flinto.com,www.freshstep.com,www.heap.io,www.holagente.com,www.icsydney.com.au,www.joebiden.com,www.kingsford.co.nz,www.mrnatty.com,www.myjewellerystory.com.au,www.myjs.com,www.netacea.com,www.parenting101.com,www.puritanmedproducts.com,www.reviews.org,www.sba.sa,www.shashatcom.sa,www.uat.ontariocolleges.ca,www.vacation101.com,www.walterspeople.co.uk,www.westwayelectricsupply.com][JA3S: ae53107a2e47ea20c72ac44821a728bf][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3][Subject: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=p2.shared.global.fastly.net][Certificate SHA-1: E9:34:DF:E0:C5:31:3C:59:7E:E2:57:44:F2:82:E9:80:F5:5D:05:4B][Firefox][Validity: 2019-11-19 01:31:22 - 2020-08-29 17:19:32][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 12,16,0,4,0,4,4,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,55,0,0,0,0,0] diff --git a/tests/cfgs/tls_ja3s_disabled/config.txt b/tests/cfgs/tls_ja3s_disabled/config.txt deleted file mode 100644 index 479b38f39c5..00000000000 --- a/tests/cfgs/tls_ja3s_disabled/config.txt +++ /dev/null @@ -1 +0,0 @@ ---cfg=tls,metadata.ja3s_fingerprint,0 diff --git a/tests/cfgs/tls_ja3s_disabled/pcap/tls_verylong_certificate.pcap b/tests/cfgs/tls_ja3s_disabled/pcap/tls_verylong_certificate.pcap deleted file mode 120000 index 2f722f28ed6..00000000000 --- a/tests/cfgs/tls_ja3s_disabled/pcap/tls_verylong_certificate.pcap +++ /dev/null @@ -1 +0,0 @@ -../../default/pcap/tls_verylong_certificate.pcap \ No newline at end of file diff --git a/tests/cfgs/tls_ja3s_disabled/result/tls_verylong_certificate.pcap.out b/tests/cfgs/tls_ja3s_disabled/result/tls_verylong_certificate.pcap.out deleted file mode 100644 index b30d4491eb2..00000000000 --- a/tests/cfgs/tls_ja3s_disabled/result/tls_verylong_certificate.pcap.out +++ /dev/null 
@@ -1,32 +0,0 @@ -DPI Packets (TCP): 11 (11.00 pkts/flow) -Confidence DPI : 1 (flows) -Num dissector calls: 1 (1.00 diss/flow) -LRU cache ookla: 0/0/0 (insert/search/found) -LRU cache bittorrent: 0/0/0 (insert/search/found) -LRU cache stun: 0/0/0 (insert/search/found) -LRU cache tls_cert: 0/0/0 (insert/search/found) -LRU cache mining: 0/0/0 (insert/search/found) -LRU cache msteams: 0/0/0 (insert/search/found) -LRU cache fpc_dns: 0/1/0 (insert/search/found) -Automa host: 1/1 (search/found) -Automa domain: 1/0 (search/found) -Automa tls cert: 0/0 (search/found) -Automa risk mask: 0/0 (search/found) -Automa common alpns: 1/1 (search/found) -Patricia risk mask: 0/0 (search/found) -Patricia risk mask IPv6: 0/0 (search/found) -Patricia risk: 0/0 (search/found) -Patricia risk IPv6: 0/0 (search/found) -Patricia protocols: 2/0 (search/found) -Patricia protocols IPv6: 0/0 (search/found) - -Cybersec 48 22229 1 - -Safe 48 22229 1 - -JA Host Stats: - IP Address # JA4C - 1 192.168.1.160 1 - - - 1 TCP 192.168.1.160:54804 <-> 151.101.66.49:443 [proto: 91.283/TLS.Cybersec][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 11][cat: Cybersecurity/33][24 pkts/2404 bytes <-> 24 pkts/19825 bytes][Goodput ratio: 35/92][0.09 sec][Hostname/SNI: feodotracker.abuse.ch][(Advertised) ALPNs: http/1.1][(Negotiated) ALPN: http/1.1][bytes ratio: -0.784 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4/4 15/21 5/7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 100/826 583/1434 109/662][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][TLSv1.2][JA4: t12d6707ht_2955a3196ffa_c83f907a73d3][ServerNames: 
p2.shared.global.fastly.net,*.12wbt.com,*.2bleacherreport.com,*.3bleacherreport.com,*.4bleacherreport.com,*.8bleacherreport.com,*.abuse.ch,*.acdn-it.ps-pantheon.com,*.cdn.livingmap.com,*.content.plastiq.com,*.dimensions.ai,*.dollarshaveclub.co.uk,*.dollarshaveclub.com,*.dontpayfull.com,*.ebisubook.com,*.foreignaffairs.com,*.fs.jibjab.com,*.fs.unitprints.com,*.ggleap.com,*.goodeggs.com,*.huevosbuenos.com,*.indy.myomnigon.com,*.jwatch.org,*.kingsfordcharcoal.com.au,*.lancenters.com,*.madebywe.com,*.minirodini.com,*.modcloth.net,*.orionlabs.io,*.ps-pantheon.com,*.scodle.com,*.steelseries.com,*.theforeman.org,*.uploads.eversign.com,*.uploads.schoox.com,*.vts.com,*.x.stg1.ebisubook.com,*.yang2020.com,12wbt.com,2bleacherreport.com,3bleacherreport.com,4bleacherreport.com,8bleacherreport.com,abuse.ch,brita.com,cdn.fwupd.org,cdn.livingmap.com,cdn.seated.com,cdn.skillacademy.com,clinicaloptions.com,clorox.com,content-preprod.beaverbrooksweb2.co.uk,content.beaverbrooks.co.uk,content.plastiq.com,coolmathgames.com,copterroyale.coolmathgames.com,d8-dev.coolmathgames.com,deflyio.coolmathgames.com,delivery-api.evadacms.com,dimensions.ai,dollarshaveclub.co.uk,dollarshaveclub.com,dontpayfull.com,eluniverso.com,email.amg-group.co,email.tekoforlife.co.uk,feedmarket.fr,freshstep.com,ggleap.com,goodeggs.com,heap.io,huevosbuenos.com,identity.linuxfoundation.org,joebiden.com,jwatch.org,kingsford.co.nz,kingsfordcharcoal.com.au,lancenters.com,lists.linuxfoundation.org,m-stage.coolmathgames.com,m.coolmathgames.com,madebywe.com,minirodini.com,modcloth.net,orionlabs.io,puritanmedproducts.com,reviews.org,rg-video-staging.ruangguru.com,rg-video.ruangguru.com,ruangguru.com,scodle.com,stage.coolmathgames.com,staging.appblade.com,steelseries.com,stg.platform.eluniverso.com,test.brita.com,test.heap.io,test.joebiden.com,test.ruangguru.com,theforeman.org,video-cdn.quipper.com,videos.calcworkshop.com,vts.com,www.101network.com,www.autos101.com,www.brita.com,www.clorox.com,www.collider.com,www.coolmathga
mes.com,www.eluniverso.com,www.flinto.com,www.freshstep.com,www.heap.io,www.holagente.com,www.icsydney.com.au,www.joebiden.com,www.kingsford.co.nz,www.mrnatty.com,www.myjewellerystory.com.au,www.myjs.com,www.netacea.com,www.parenting101.com,www.puritanmedproducts.com,www.reviews.org,www.sba.sa,www.shashatcom.sa,www.uat.ontariocolleges.ca,www.vacation101.com,www.walterspeople.co.uk,www.westwayelectricsupply.com][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3][Subject: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=p2.shared.global.fastly.net][Certificate SHA-1: E9:34:DF:E0:C5:31:3C:59:7E:E2:57:44:F2:82:E9:80:F5:5D:05:4B][Firefox][Validity: 2019-11-19 01:31:22 - 2020-08-29 17:19:32][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 12,16,0,4,0,4,4,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,55,0,0,0,0,0] diff --git a/tests/cfgs/tls_ja4c_disabled/config.txt b/tests/cfgs/tls_ja4c_disabled/config.txt deleted file mode 100644 index ba29c876c88..00000000000 --- a/tests/cfgs/tls_ja4c_disabled/config.txt +++ /dev/null @@ -1 +0,0 @@ ---cfg=tls,metadata.ja4c_fingerprint,0 diff --git a/tests/cfgs/tls_ja4c_disabled/pcap/tls_verylong_certificate.pcap b/tests/cfgs/tls_ja4c_disabled/pcap/tls_verylong_certificate.pcap deleted file mode 120000 index 2f722f28ed6..00000000000 --- a/tests/cfgs/tls_ja4c_disabled/pcap/tls_verylong_certificate.pcap +++ /dev/null @@ -1 +0,0 @@ -../../default/pcap/tls_verylong_certificate.pcap \ No newline at end of file diff --git a/tests/cfgs/tls_ja4c_disabled/result/tls_verylong_certificate.pcap.out b/tests/cfgs/tls_ja4c_disabled/result/tls_verylong_certificate.pcap.out deleted file mode 100644 index fe3485fe1e0..00000000000 --- a/tests/cfgs/tls_ja4c_disabled/result/tls_verylong_certificate.pcap.out +++ /dev/null 
@@ -1,31 +0,0 @@ -DPI Packets (TCP): 11 (11.00 pkts/flow) -Confidence DPI : 1 (flows) -Num dissector calls: 1 (1.00 diss/flow) -LRU cache ookla: 0/0/0 (insert/search/found) -LRU cache bittorrent: 0/0/0 (insert/search/found) -LRU cache stun: 0/0/0 (insert/search/found) -LRU cache tls_cert: 0/0/0 (insert/search/found) -LRU cache mining: 0/0/0 (insert/search/found) -LRU cache msteams: 0/0/0 (insert/search/found) -LRU cache fpc_dns: 0/1/0 (insert/search/found) -Automa host: 1/1 (search/found) -Automa domain: 1/0 (search/found) -Automa tls cert: 0/0 (search/found) -Automa risk mask: 0/0 (search/found) -Automa common alpns: 1/1 (search/found) -Patricia risk mask: 0/0 (search/found) -Patricia risk mask IPv6: 0/0 (search/found) -Patricia risk: 0/0 (search/found) -Patricia risk IPv6: 0/0 (search/found) -Patricia protocols: 2/0 (search/found) -Patricia protocols IPv6: 0/0 (search/found) - -Cybersec 48 22229 1 - -Safe 48 22229 1 - -JA Host Stats: - IP Address # JA4C - - - 1 TCP 192.168.1.160:54804 <-> 151.101.66.49:443 [proto: 91.283/TLS.Cybersec][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 11][cat: Cybersecurity/33][24 pkts/2404 bytes <-> 24 pkts/19825 bytes][Goodput ratio: 35/92][0.09 sec][Hostname/SNI: feodotracker.abuse.ch][(Advertised) ALPNs: http/1.1][(Negotiated) ALPN: http/1.1][bytes ratio: -0.784 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 4/4 15/21 5/7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 100/826 583/1434 109/662][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][TLSv1.2][ServerNames: 
p2.shared.global.fastly.net,*.12wbt.com,*.2bleacherreport.com,*.3bleacherreport.com,*.4bleacherreport.com,*.8bleacherreport.com,*.abuse.ch,*.acdn-it.ps-pantheon.com,*.cdn.livingmap.com,*.content.plastiq.com,*.dimensions.ai,*.dollarshaveclub.co.uk,*.dollarshaveclub.com,*.dontpayfull.com,*.ebisubook.com,*.foreignaffairs.com,*.fs.jibjab.com,*.fs.unitprints.com,*.ggleap.com,*.goodeggs.com,*.huevosbuenos.com,*.indy.myomnigon.com,*.jwatch.org,*.kingsfordcharcoal.com.au,*.lancenters.com,*.madebywe.com,*.minirodini.com,*.modcloth.net,*.orionlabs.io,*.ps-pantheon.com,*.scodle.com,*.steelseries.com,*.theforeman.org,*.uploads.eversign.com,*.uploads.schoox.com,*.vts.com,*.x.stg1.ebisubook.com,*.yang2020.com,12wbt.com,2bleacherreport.com,3bleacherreport.com,4bleacherreport.com,8bleacherreport.com,abuse.ch,brita.com,cdn.fwupd.org,cdn.livingmap.com,cdn.seated.com,cdn.skillacademy.com,clinicaloptions.com,clorox.com,content-preprod.beaverbrooksweb2.co.uk,content.beaverbrooks.co.uk,content.plastiq.com,coolmathgames.com,copterroyale.coolmathgames.com,d8-dev.coolmathgames.com,deflyio.coolmathgames.com,delivery-api.evadacms.com,dimensions.ai,dollarshaveclub.co.uk,dollarshaveclub.com,dontpayfull.com,eluniverso.com,email.amg-group.co,email.tekoforlife.co.uk,feedmarket.fr,freshstep.com,ggleap.com,goodeggs.com,heap.io,huevosbuenos.com,identity.linuxfoundation.org,joebiden.com,jwatch.org,kingsford.co.nz,kingsfordcharcoal.com.au,lancenters.com,lists.linuxfoundation.org,m-stage.coolmathgames.com,m.coolmathgames.com,madebywe.com,minirodini.com,modcloth.net,orionlabs.io,puritanmedproducts.com,reviews.org,rg-video-staging.ruangguru.com,rg-video.ruangguru.com,ruangguru.com,scodle.com,stage.coolmathgames.com,staging.appblade.com,steelseries.com,stg.platform.eluniverso.com,test.brita.com,test.heap.io,test.joebiden.com,test.ruangguru.com,theforeman.org,video-cdn.quipper.com,videos.calcworkshop.com,vts.com,www.101network.com,www.autos101.com,www.brita.com,www.clorox.com,www.collider.com,www.coolmathga
mes.com,www.eluniverso.com,www.flinto.com,www.freshstep.com,www.heap.io,www.holagente.com,www.icsydney.com.au,www.joebiden.com,www.kingsford.co.nz,www.mrnatty.com,www.myjewellerystory.com.au,www.myjs.com,www.netacea.com,www.parenting101.com,www.puritanmedproducts.com,www.reviews.org,www.sba.sa,www.shashatcom.sa,www.uat.ontariocolleges.ca,www.vacation101.com,www.walterspeople.co.uk,www.westwayelectricsupply.com][JA3S: ae53107a2e47ea20c72ac44821a728bf][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3][Subject: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=p2.shared.global.fastly.net][Certificate SHA-1: E9:34:DF:E0:C5:31:3C:59:7E:E2:57:44:F2:82:E9:80:F5:5D:05:4B][Firefox][Validity: 2019-11-19 01:31:22 - 2020-08-29 17:19:32][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 12,16,0,4,0,4,4,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,55,0,0,0,0,0]