ntop · IvanNardi · Jan 16, 2025
diff --git a/doc/configuration_parameters.md b/doc/configuration_parameters.md
@@ -33,6 +33,14 @@ List of the supported configuration options:
 | "tls  "      | "dpi.heuristics",                         | 0x00          | 0x00      | 0x07      | Enable/disable some heuristics to detect encrypted/obfuscated/proxied TLS flows. The value is a bitmask. Values: 0x0 = disabled; 0x01 = enable basic detection (i.e. encrypted TLS without any encapsulation); 0x02 = enable detection over TLS (i.e. TLS-in-TLS); 0x04 = enable detection over HTTP (i.e. TLS-over-WebSocket). If enabled, some false positives are expected. See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting |
 | "tls  "      | "dpi.heuristics.max_packets_extra_dissection",  | 25            | 0         | 255       | If at least one TLS heuristics is enabled (see `tls,"dpi.heuristics"`, this parameter set the upper limit on the number of packets required/processed for each flow. Higher the value, lower the false positive rate but more packets are required by nDPI for processing. |
 | "tls"        | "metadata.sha1_fingerprint"               | enable        | NULL      | NULL      | Enable/disable computation and export of SHA1 fingerprint for TLS flows. Note that if it is disable, the flow risk `NDPI_MALICIOUS_SHA1_CERTIFICATE` is not checked |
+| "tls"        | "metadata.versions_supported"             | enable        | NULL      | NULL      | Enable/disable export of supported versions metadata for TLS flows |
+| "tls"        | "metadata.alpn_negotiated"                | enable        | NULL      | NULL      | Enable/disable export of negotiated ALPN metadata for TLS flows |
+| "tls"        | "metadata.cipher"                         | enable        | NULL      | NULL      | Enable/disable export of negotiated cipher metadata for TLS flows |
+| "tls"        | "metadata.cert_server_names"              | enable        | NULL      | NULL      | Enable/disable export of server names list from certificate for TLS flows |
+| "tls"        | "metadata.cert_validity"                  | enable        | NULL      | NULL      | Enable/disable export of certificate validity timestamps for TLS flows |
+| "tls"        | "metadata.cert_issuer"                    | enable        | NULL      | NULL      | Enable/disable export of certificate issuer metadata for TLS flows |
+| "tls"        | "metadata.cert_subject"                   | enable        | NULL      | NULL      | Enable/disable export of certificaste subject metadata for TLS flows |
+| "tls"        | "metadata.browser"                        | enable        | NULL      | NULL      | Enable/disable an heurstic to determine the broswer used to generate this TLS flows |
 | "tls"        | "metadata.ja3s_fingerprint"               | enable        | NULL      | NULL      | Enable/disable computation and export of JA3S fingerprint for TLS flows |
 | "tls"        | "metadata.ja4c_fingerprint"               | enable        | NULL      | NULL      | Enable/disable computation and export of JA4C fingerprint for TLS flows. Note that if it is disable, the flow risk `NDPI_MALICIOUS_FINGERPRINT` is not checked |
 | "tls"        | "metadata.ja4r_fingerprint"               | disable       | NULL      | NULL      | Enable/disable computation and export of JA4C fingerprint for TLS flows also in raw format |

diff --git a/example/only_classification.conf b/example/only_classification.conf
@@ -0,0 +1,17 @@
+#Example of configuration if you are interested ONLY in flow (sub)-classification
+#(i.e. no metadata at all and no flow risks)
+
+#No flow risks
+--cfg=flow_risk.all,0
+
+#General metadata
+--cfg=metadata.tcp_fingerprint,0
+#TLS
+--cfg=tls,metadata.sha1_fingerprint,0 --cfg=tls,metadata.ja3s_fingerprint,0 --cfg=tls,metadata.ja4c_fingerprint,0 --cfg=tls,metadata.cert_server_names,0 --cfg=tls,metadata.cert_validity,0 --cfg=tls,metadata.cert_issuer,0 --cfg=tls,metadata.cert_subject,0 --cfg=tls,metadata.alpn_negotiated,0 --cfg=tls,metadata.versions_supported,0 --cfg=tls,metadata.cipher,0 --cfg=tls,metadata.browser,0
+#SIP
+--cfg=sip,metadata.attribute.from,0 --cfg=sip,metadata.attribute.to,0
+#STUN
+--cfg=stun,metadata.attribute.mapped_address,0 --cfg=stun,metadata.attribute.peer_address,0 --cfg=stun,metadata.attribute.relayed_address,0 --cfg=stun,metadata.attribute.response_origin,0 --cfg=stun,metadata.attribute.other_address,0
+
+#DNS:we need only the request for sub-classification
+--cfg=dns,process_response,0 #Note that this option has an huge impact on FPC!
diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp
@@ -143,6 +143,46 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     snprintf(cfg_value, sizeof(cfg_value), "%d", value);
     ndpi_set_config(ndpi_info_mod, "tls", "metadata.sha1_fingerprint", cfg_value);
   }
+  if(fuzzed_data.ConsumeBool()) {
+    value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
+    snprintf(cfg_value, sizeof(cfg_value), "%d", value);
+    ndpi_set_config(ndpi_info_mod, "tls", "metadata.versions_supported", cfg_value);
+  }
+  if(fuzzed_data.ConsumeBool()) {
+    value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
+    snprintf(cfg_value, sizeof(cfg_value), "%d", value);
+    ndpi_set_config(ndpi_info_mod, "tls", "metadata.alpn_negotiated", cfg_value);
+  }
+  if(fuzzed_data.ConsumeBool()) {
+    value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
+    snprintf(cfg_value, sizeof(cfg_value), "%d", value);
+    ndpi_set_config(ndpi_info_mod, "tls", "metadata.cipher", cfg_value);
+  }
+  if(fuzzed_data.ConsumeBool()) {
+    value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
+    snprintf(cfg_value, sizeof(cfg_value), "%d", value);
+    ndpi_set_config(ndpi_info_mod, "tls", "metadata.cert_server_names", cfg_value);
+  }
+  if(fuzzed_data.ConsumeBool()) {
+    value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
+    snprintf(cfg_value, sizeof(cfg_value), "%d", value);
+    ndpi_set_config(ndpi_info_mod, "tls", "metadata.cert_validity", cfg_value);
+  }
+  if(fuzzed_data.ConsumeBool()) {
+    value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
+    snprintf(cfg_value, sizeof(cfg_value), "%d", value);
+    ndpi_set_config(ndpi_info_mod, "tls", "metadata.cert_issuer", cfg_value);
+  }
+  if(fuzzed_data.ConsumeBool()) {
+    value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
+    snprintf(cfg_value, sizeof(cfg_value), "%d", value);
+    ndpi_set_config(ndpi_info_mod, "tls", "metadata.cert_subject", cfg_value);
+  }
+  if(fuzzed_data.ConsumeBool()) {
+    value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
+    snprintf(cfg_value, sizeof(cfg_value), "%d", value);
+    ndpi_set_config(ndpi_info_mod, "tls", "metadata.browser", cfg_value);
+  }
   if(fuzzed_data.ConsumeBool()) {
     value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
     snprintf(cfg_value, sizeof(cfg_value), "%d", value);

diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
@@ -242,7 +242,15 @@ struct ndpi_detection_module_config_struct {
   int tls_app_blocks_tracking_enabled;
   int tls_heuristics;
   int tls_heuristics_max_packets;
+  int tls_versions_supported_enabled;
+  int tls_alpn_negotiated_enabled;
+  int tls_cipher_enabled;
   int tls_sha1_fingerprint_enabled;
+  int tls_cert_server_names_enabled;
+  int tls_cert_validity_enabled;
+  int tls_cert_issuer_enabled;
+  int tls_cert_subject_enabled;
+  int tls_broswer_enabled;
   int tls_ja3s_fingerprint_enabled;
   int tls_ja4c_fingerprint_enabled;
   int tls_ja4r_fingerprint_enabled;

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -11552,6 +11552,14 @@ static const struct cfg_param {
   { "tls",           "dpi.heuristics",                          "0x00", "0", "0x07", CFG_PARAM_INT, __OFF(tls_heuristics), NULL },
   { "tls",           "dpi.heuristics.max_packets_extra_dissection", "25", "0", "255", CFG_PARAM_INT, __OFF(tls_heuristics_max_packets), NULL },
   { "tls",           "metadata.sha1_fingerprint",               "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_sha1_fingerprint_enabled), NULL },
+  { "tls",           "metadata.versions_supported",             "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_versions_supported_enabled), NULL },
+  { "tls",           "metadata.alpn_negotiated",                "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_alpn_negotiated_enabled), NULL },
+  { "tls",           "metadata.cipher",                         "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_cipher_enabled), NULL },
+  { "tls",           "metadata.cert_server_names",              "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_cert_server_names_enabled), NULL },
+  { "tls",           "metadata.cert_validity",                  "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_cert_validity_enabled), NULL },
+  { "tls",           "metadata.cert_issuer",                    "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_cert_issuer_enabled), NULL },
+  { "tls",           "metadata.cert_subject",                   "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_cert_subject_enabled), NULL },
+  { "tls",           "metadata.browser",                        "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_broswer_enabled), NULL },
   { "tls",           "metadata.ja3s_fingerprint",               "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja3s_fingerprint_enabled), NULL },
   { "tls",           "metadata.ja4c_fingerprint",               "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja4c_fingerprint_enabled), NULL },
   { "tls",           "metadata.ja4r_fingerprint",               "disable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja4r_fingerprint_enabled), NULL },