D4
/
sensor-d4-tls-fingerprinting
mirror of https://github.com/D4-project/sensor-d4-tls-fingerprinting
2
0
Fork 0
Code Issues Releases Wiki Activity

Adds basic tlsh support

DecodingLayerParser
Jean-Louis Huynen 2019-02-02 00:08:34 +01:00
parent 3cf6ece2e4
commit c748b4923b
2 changed files with 20 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@ -6,6 +6,7 @@ This project is currently in its very early stage and should not be used in prod
## Install dependencies & go get ## Install dependencies & go get
``` shell ``` shell
$go get github.com/google/gopacket $go get github.com/google/gopacket
$go get github.com/glaslos/tlsh
$go get github.com/D4-project/sensor-d4-tls-fingerprinting $go get github.com/D4-project/sensor-d4-tls-fingerprinting
``` ```
make allows to compile for amd64 and arm ATM. make allows to compile for amd64 and arm ATM.

23
d4-tlsf.go
View File

@ -21,6 +21,7 @@ import (
"sync" "sync"
"time" "time"
"github.com/glaslos/tlsh"
"github.com/google/gopacket" "github.com/google/gopacket"
"github.com/google/gopacket/examples/util" "github.com/google/gopacket/examples/util"
"github.com/google/gopacket/ip4defrag" "github.com/google/gopacket/ip4defrag"
@ -28,8 +29,6 @@ import (
"github.com/google/gopacket/pcap" "github.com/google/gopacket/pcap"
"github.com/google/gopacket/reassembly" "github.com/google/gopacket/reassembly"
// My Extended TLS layer
"github.com/D4-project/sensor-d4-tls-fingerprinting/etls" "github.com/D4-project/sensor-d4-tls-fingerprinting/etls"
) )
@ -59,7 +58,7 @@ type SessionRecord struct {
ServerPort string ServerPort string
ClientIP string ClientIP string
ClientPort string ClientPort string
TLSHDigest string TLSH string
Timestamp time.Time Timestamp time.Time
JA3 string JA3 string
JA3Digest string JA3Digest string
@ -94,6 +93,7 @@ func (t *TLSSession) String() string {
buf.WriteString(fmt.Sprintf("Time: %d\n", t.record.Timestamp)) buf.WriteString(fmt.Sprintf("Time: %d\n", t.record.Timestamp))
buf.WriteString(fmt.Sprintf("Client: %v:%v\n", t.record.ClientIP, t.record.ClientPort)) buf.WriteString(fmt.Sprintf("Client: %v:%v\n", t.record.ClientIP, t.record.ClientPort))
buf.WriteString(fmt.Sprintf("Server: %v:%v\n", t.record.ServerIP, t.record.ServerPort)) buf.WriteString(fmt.Sprintf("Server: %v:%v\n", t.record.ServerIP, t.record.ServerPort))
buf.WriteString(fmt.Sprintf("TLSH: %q\n", t.record.TLSH))
buf.WriteString(fmt.Sprintf("ja3: %q\n", t.record.JA3)) buf.WriteString(fmt.Sprintf("ja3: %q\n", t.record.JA3))
buf.WriteString(fmt.Sprintf("ja3 Digest: %q\n", t.record.JA3Digest)) buf.WriteString(fmt.Sprintf("ja3 Digest: %q\n", t.record.JA3Digest))
buf.WriteString(fmt.Sprintf("ja3s: %q\n", t.record.JA3S)) buf.WriteString(fmt.Sprintf("ja3s: %q\n", t.record.JA3S))
@ -263,7 +263,6 @@ func (t *tcpStream) ReassembledSG(sg reassembly.ScatterGather, ac reassembly.Ass
t.tlsSession.gatherJa3s() t.tlsSession.gatherJa3s()
// Server Certificate // Server Certificate
case 11: case 11:
//certs := make([]*x509.Certificate, len(tlsrecord.TLSHandshakeCertificate.Certificates))
for _, asn1Data := range tlsrecord.ETLSHandshakeCertificate.Certificates { for _, asn1Data := range tlsrecord.ETLSHandshakeCertificate.Certificates {
cert, err := x509.ParseCertificate(asn1Data) cert, err := x509.ParseCertificate(asn1Data)
if err != nil { if err != nil {
@ -272,6 +271,10 @@ func (t *tcpStream) ReassembledSG(sg reassembly.ScatterGather, ac reassembly.Ass
t.tlsSession.record.Certificates = append(t.tlsSession.record.Certificates, cert) t.tlsSession.record.Certificates = append(t.tlsSession.record.Certificates, cert)
} }
} }
// We compute ja3jl
out, _ := tlsh.HashBytes(t.tlsSession.record.ja3jl())
t.tlsSession.record.TLSH = out.String()
// If we get a cert, we consider the handshake as finished and ready to ship to D4 // If we get a cert, we consider the handshake as finished and ready to ship to D4
queueSession(t.tlsSession) queueSession(t.tlsSession)
default: default:
@ -294,6 +297,18 @@ func getIPPorts(t *tcpStream) (string, string, string, string) {
return ipc, ips, cp, ps return ipc, ips, cp, ps
} }
func (sr *SessionRecord) ja3jl() []byte {
buf := sr.JA3 + sr.JA3S
for _, cert := range sr.Certificates {
buf += fmt.Sprintf("%q", cert.Issuer) + fmt.Sprintf("%q", cert.Subject)
}
buf = strings.Replace(buf, "-", "", -1)
buf = strings.Replace(buf, ",", "", -1)
buf = strings.Replace(buf, "\"", "", -1)
return []byte(buf)
}
func (ts *TLSSession) gatherJa3s() bool { func (ts *TLSSession) gatherJa3s() bool {
var buf []byte var buf []byte
buf = strconv.AppendInt(buf, int64(ts.tlsHdskR.ETLSHandshakeServerHello.Vers), 10) buf = strconv.AppendInt(buf, int64(ts.tlsHdskR.ETLSHandshakeServerHello.Vers), 10)