Merge pull request #138 from CESNET/tls_supported_ver_ext

hynekkar · web-flow · commit 32f0081d2e20 · 2023-03-23T10:45:02.000+01:00
Support of extraction TLS 1.3 version
diff --git a/pcaps/tls.pcap b/pcaps/tls.pcap
diff --git a/process/tls.cpp b/process/tls.cpp
@@ -83,7 +83,7 @@ int TLSPlugin::pre_update(Flow &rec, Packet &pkt)
    RecordExtTLS *ext = static_cast<RecordExtTLS *>(rec.get_extension(RecordExtTLS::REGISTERED_ID));
 
    if (ext != nullptr) {
-      if (ext->alpn[0] == 0) {
+      if (ext->server_hello_parsed == false) {
          // Add ALPN from server packet
          parse_tls(pkt.payload, pkt.payload_len, ext);
       }
@@ -119,9 +119,14 @@ bool TLSPlugin::obtain_tls_data(TLSData &payload, RecordExtTLS *rec, std::string
             ec_point_formats = tls_parser.tls_get_ja3_ec_point_formats(payload);
          }
       } else if (hs_type == TLS_HANDSHAKE_SERVER_HELLO) {
+         rec->server_hello_parsed = true;
          if (type == TLS_EXT_ALPN) {
             tls_parser.tls_get_alpn(payload, rec->alpn, BUFF_SIZE);
-            return true;
+            // not sure, but probably don`t return yet, as 
+            // this is not only field we want to parse
+            //return true;
+         } else if (type == TLS_EXT_SUPPORTED_VER){
+            tls_parser.tls_get_supp_ver(payload, rec->version);
          }
       }
       payload.start += length;
@@ -159,7 +164,7 @@ bool TLSPlugin::parse_tls(const uint8_t *data, uint16_t payload_len, RecordExtTL
    }
    tls_handshake tls_hs = tls_parser.tls_get_handshake();
 
-   rec->version = ((uint16_t) tls_hs.version.major << 8) | tls_hs.version.minor;
+   rec->version = (rec->version == 0)?(((uint16_t) tls_hs.version.major << 8) | tls_hs.version.minor) : rec->version;
    ja3 += std::to_string((uint16_t) tls_hs.version.version) + ',';
 
    if (!tls_parser.tls_skip_random(payload)) {
diff --git a/process/tls.hpp b/process/tls.hpp
@@ -58,6 +58,7 @@ struct RecordExtTLS : public RecordExt {
    char        ja3_hash[33]     = { 0 };
    uint8_t     ja3_hash_bin[16] = { 0 };
    std::string ja3;
+   bool        server_hello_parsed;
 
    /**
     * \brief Constructor.
@@ -67,6 +68,7 @@ struct RecordExtTLS : public RecordExt {
       alpn[0]     = 0;
       sni[0]      = 0;
       ja3_hash[0] = 0;
+      server_hello_parsed = false;
    }
 
    #ifdef WITH_NEMEA
@@ -144,6 +146,7 @@ struct RecordExtTLS : public RecordExt {
 #define TLS_EXT_ECLIPTIC_CURVES  10 // AKA supported_groups
 #define TLS_EXT_EC_POINT_FORMATS 11
 #define TLS_EXT_ALPN             16
+#define TLS_EXT_SUPPORTED_VER    43
 
 
 /**
diff --git a/process/tls_parser.cpp b/process/tls_parser.cpp
@@ -126,6 +126,13 @@ void TLSParser::tls_get_server_name(TLSData &data, char *buffer, size_t buffer_s
    return;
 }
 
+void TLSParser::tls_get_supp_ver(TLSData &data, uint16_t &version)
+{
+   tls_version* ext_ver = (tls_version *) data.start;
+   version = ((uint16_t) ext_ver->major << 8) | ext_ver->minor;
+   return;
+}
+
 void TLSParser::tls_get_alpn(TLSData &data, char *buffer, size_t buffer_size)
 {
    uint16_t list_len       = ntohs(*(uint16_t *) data.start);
diff --git a/process/tls_parser.hpp b/process/tls_parser.hpp
@@ -86,6 +86,7 @@ class TLSParser
    bool tls_check_rec(TLSData&);
    void tls_get_server_name(TLSData &, char *, size_t);
    void tls_get_alpn(TLSData &, char *, size_t);
+   void tls_get_supp_ver(TLSData &, uint16_t &);
 
    void tls_get_quic_user_agent(TLSData &, char *, size_t);
    bool tls_check_handshake(TLSData&);
diff --git a/tests/functional/reference/tls b/tests/functional/reference/tls
@@ -1,14 +1,29 @@
-160.85.255.180,192.168.88.244,672,208,0,2020-09-07T06:52:40.858429,2020-09-07T06:52:40.964957,d8:58:d7:00:c9:27,08:f8:bc:64:5e:6a,2,1,443,59673,771,0,6,24,24,"http/1.1",b32309a26951912be7dba376398abc3b,"ja3er.com"
-160.85.255.180,192.168.88.244,672,208,0,2020-09-07T06:52:40.858553,2020-09-07T06:52:40.965848,d8:58:d7:00:c9:27,08:f8:bc:64:5e:6a,2,1,443,59674,771,0,6,24,24,"http/1.1",b32309a26951912be7dba376398abc3b,"ja3er.com"
-160.85.255.180,192.168.88.244,672,208,0,2020-09-07T06:52:40.870218,2020-09-07T06:52:40.972697,d8:58:d7:00:c9:27,08:f8:bc:64:5e:6a,2,1,443,59675,771,0,6,24,24,"http/1.1",b32309a26951912be7dba376398abc3b,"ja3er.com"
-160.85.255.180,192.168.88.244,672,208,0,2020-09-07T06:52:40.870714,2020-09-07T06:52:40.973197,d8:58:d7:00:c9:27,08:f8:bc:64:5e:6a,2,1,443,59676,771,0,6,24,24,"http/1.1",b32309a26951912be7dba376398abc3b,"ja3er.com"
-160.85.255.180,192.168.88.244,672,208,0,2020-09-07T06:52:40.870851,2020-09-07T06:52:40.975124,d8:58:d7:00:c9:27,08:f8:bc:64:5e:6a,2,1,443,59677,771,0,6,24,24,"http/1.1",b32309a26951912be7dba376398abc3b,"ja3er.com"
-160.85.255.180,192.168.88.244,714,3436,0,2020-09-07T06:52:40.477735,2020-09-07T06:52:40.549534,d8:58:d7:00:c9:27,08:f8:bc:64:5e:6a,2,4,443,59672,771,0,6,24,24,"http/1.1",b32309a26951912be7dba376398abc3b,"ja3er.com"
-82.145.216.15,192.168.88.244,714,4308,0,2020-09-07T06:52:41.372241,2020-09-07T06:52:41.418203,d8:58:d7:00:c9:27,08:f8:bc:64:5e:6a,2,4,443,59678,771,0,6,24,24,"http/1.1",b32309a26951912be7dba376398abc3b,"af.opera.com"
-87.106.189.123,172.16.121.155,1085,4455,0,2015-10-20T07:09:33.614159,2015-10-20T07:09:34.161736,00:50:56:e5:80:5b,00:0c:29:9d:b9:d0,7,9,443,3923,771,0,6,26,26,"",9a7b51089c089491dbc4879218db549c,"asecuritysite.com"
-87.106.189.123,172.16.121.155,496,325,0,2015-10-20T07:09:33.611190,2015-10-20T07:09:33.712851,00:50:56:e5:80:5b,00:0c:29:9d:b9:d0,4,4,443,3919,771,0,6,26,26,"",9a7b51089c089491dbc4879218db549c,"asecuritysite.com"
-87.106.189.123,172.16.121.155,496,325,0,2015-10-20T07:09:33.612842,2015-10-20T07:09:33.714751,00:50:56:e5:80:5b,00:0c:29:9d:b9:d0,4,4,443,3920,771,0,6,26,26,"",9a7b51089c089491dbc4879218db549c,"asecuritysite.com"
-87.106.189.123,172.16.121.155,496,325,0,2015-10-20T07:09:33.613610,2015-10-20T07:09:33.716640,00:50:56:e5:80:5b,00:0c:29:9d:b9:d0,4,4,443,3921,771,0,6,26,26,"",9a7b51089c089491dbc4879218db549c,"asecuritysite.com"
-87.106.189.123,172.16.121.155,496,325,0,2015-10-20T07:09:33.613897,2015-10-20T07:09:33.713722,00:50:56:e5:80:5b,00:0c:29:9d:b9:d0,4,4,443,3922,771,0,6,26,26,"",9a7b51089c089491dbc4879218db549c,"asecuritysite.com"
-87.106.189.123,172.16.121.155,496,325,0,2015-10-20T07:09:33.614399,2015-10-20T07:09:33.715479,00:50:56:e5:80:5b,00:0c:29:9d:b9:d0,4,4,443,3924,771,0,6,26,26,"",9a7b51089c089491dbc4879218db549c,"asecuritysite.com"
+104.26.1.201,192.168.0.228,569,1460,0,2023-03-10T09:04:19.289282,2023-03-10T09:04:19.304938,90:5c:44:2e:bb:e0,08:f8:bc:64:5e:6a,1,1,443,52641,772,0,6,24,16,"",cd08e31494f9531f560d64c695473da9,"chrek.stdout.cz"
+104.26.6.183,192.168.0.228,599,264,0,2023-03-10T09:04:17.091196,2023-03-10T09:04:17.110050,90:5c:44:2e:bb:e0,08:f8:bc:64:5e:6a,1,1,443,52635,772,0,6,24,24,"",598872011444709307b861ae817a4b60,"cdn.xsd.cz"
+104.26.8.145,192.168.0.228,604,264,0,2023-03-10T09:04:16.211748,2023-03-10T09:04:16.225609,90:5c:44:2e:bb:e0,08:f8:bc:64:5e:6a,1,1,443,52627,772,0,6,24,24,"",598872011444709307b861ae817a4b60,"www.aktualne.cz"
+160.85.255.180,192.168.88.244,1344,416,0,2020-09-07T06:52:40.858429,2020-09-07T06:52:40.964957,d8:58:d7:00:c9:27,08:f8:bc:64:5e:6a,4,2,443,59673,771,0,6,24,24,"http/1.1",b32309a26951912be7dba376398abc3b,"ja3er.com"
+160.85.255.180,192.168.88.244,1344,416,0,2020-09-07T06:52:40.858553,2020-09-07T06:52:40.965848,d8:58:d7:00:c9:27,08:f8:bc:64:5e:6a,4,2,443,59674,771,0,6,24,24,"http/1.1",b32309a26951912be7dba376398abc3b,"ja3er.com"
+160.85.255.180,192.168.88.244,1344,416,0,2020-09-07T06:52:40.870218,2020-09-07T06:52:40.972697,d8:58:d7:00:c9:27,08:f8:bc:64:5e:6a,4,2,443,59675,771,0,6,24,24,"http/1.1",b32309a26951912be7dba376398abc3b,"ja3er.com"
+160.85.255.180,192.168.88.244,1344,416,0,2020-09-07T06:52:40.870714,2020-09-07T06:52:40.973197,d8:58:d7:00:c9:27,08:f8:bc:64:5e:6a,4,2,443,59676,771,0,6,24,24,"http/1.1",b32309a26951912be7dba376398abc3b,"ja3er.com"
+160.85.255.180,192.168.88.244,1344,416,0,2020-09-07T06:52:40.870851,2020-09-07T06:52:40.975124,d8:58:d7:00:c9:27,08:f8:bc:64:5e:6a,4,2,443,59677,771,0,6,24,24,"http/1.1",b32309a26951912be7dba376398abc3b,"ja3er.com"
+160.85.255.180,192.168.88.244,1428,6872,0,2020-09-07T06:52:40.477735,2020-09-07T06:52:40.549534,d8:58:d7:00:c9:27,08:f8:bc:64:5e:6a,4,8,443,59672,771,0,6,24,24,"http/1.1",b32309a26951912be7dba376398abc3b,"ja3er.com"
+172.67.69.20,192.168.0.228,610,264,0,2023-03-10T09:04:18.815874,2023-03-10T09:04:18.836732,90:5c:44:2e:bb:e0,08:f8:bc:64:5e:6a,1,1,443,52640,772,0,6,24,24,"",598872011444709307b861ae817a4b60,"recommend.aktualne.cz"
+172.67.73.164,192.168.0.228,616,264,0,2023-03-10T09:04:16.603334,2023-03-10T09:04:16.622460,90:5c:44:2e:bb:e0,08:f8:bc:64:5e:6a,1,1,443,52629,772,0,6,24,24,"",598872011444709307b861ae817a4b60,"prod-snowly-sasic.stdout.cz"
+18.66.15.50,192.168.0.228,569,286,0,2023-03-10T09:04:17.214373,2023-03-10T09:04:17.235193,90:5c:44:2e:bb:e0,08:f8:bc:64:5e:6a,1,1,443,52637,772,0,6,24,24,"",0d69ff451640d67ee8b5122752834766,"sdk.privacy-center.org"
+185.26.182.106,192.168.0.228,569,0,0,2023-03-10T09:04:00.558609,2023-03-10T09:04:00.558609,90:5c:44:2e:bb:e0,08:f8:bc:64:5e:6a,1,0,443,52614,771,0,6,24,0,"",cd08e31494f9531f560d64c695473da9,"features.opera-api.com"
+185.59.208.153,192.168.0.228,682,2025,0,2023-03-10T09:04:16.701535,2023-03-10T09:04:16.737482,90:5c:44:2e:bb:e0,08:f8:bc:64:5e:6a,2,3,443,52630,771,0,6,24,24,"h2",cd08e31494f9531f560d64c695473da9,"delivery.r2b2.cz"
+23.218.208.236,192.168.0.228,672,316,0,2023-03-10T09:04:16.722338,2023-03-10T09:04:16.744620,90:5c:44:2e:bb:e0,08:f8:bc:64:5e:6a,1,1,443,52631,772,0,6,24,24,"",598872011444709307b861ae817a4b60,"assets.adobedtm.com"
+46.255.231.124,192.168.0.228,594,255,0,2023-03-10T09:04:17.063884,2023-03-10T09:04:17.089634,90:5c:44:2e:bb:e0,08:f8:bc:64:5e:6a,1,1,443,52634,772,0,6,24,24,"",598872011444709307b861ae817a4b60,"i0.cz"
+46.255.231.204,192.168.0.228,615,255,0,2023-03-10T09:04:17.338077,2023-03-10T09:04:17.355878,90:5c:44:2e:bb:e0,08:f8:bc:64:5e:6a,1,1,443,52638,772,0,6,24,24,"",598872011444709307b861ae817a4b60,"pocasi-backend.aktualne.cz"
+52.84.193.121,192.168.0.228,569,286,0,2023-03-10T09:04:16.968115,2023-03-10T09:04:17.000426,90:5c:44:2e:bb:e0,08:f8:bc:64:5e:6a,1,1,443,52632,772,0,6,24,24,"",0d69ff451640d67ee8b5122752834766,"d27xxe7juh1us6.cloudfront.net"
+54.226.148.116,192.168.0.228,747,1689,0,2023-03-10T09:04:17.182933,2023-03-10T09:04:17.411187,90:5c:44:2e:bb:e0,08:f8:bc:64:5e:6a,2,6,443,52636,771,0,6,24,24,"h2",cd08e31494f9531f560d64c695473da9,"goldengate.grammarly.com"
+82.145.216.15,192.168.88.244,1428,8616,0,2020-09-07T06:52:41.372241,2020-09-07T06:52:41.418203,d8:58:d7:00:c9:27,08:f8:bc:64:5e:6a,4,8,443,59678,771,0,6,24,24,"http/1.1",b32309a26951912be7dba376398abc3b,"af.opera.com"
+82.145.216.16,192.168.0.228,569,1340,0,2023-03-10T09:04:16.204659,2023-03-10T09:04:16.235645,90:5c:44:2e:bb:e0,08:f8:bc:64:5e:6a,1,1,443,52626,772,0,6,24,16,"",cd08e31494f9531f560d64c695473da9,"sitecheck.opera.com"
+82.145.216.16,192.168.0.228,569,1460,0,2023-03-10T09:04:17.460626,2023-03-10T09:04:17.499628,90:5c:44:2e:bb:e0,08:f8:bc:64:5e:6a,1,1,443,52639,772,0,6,24,16,"",cd08e31494f9531f560d64c695473da9,"af.opera.com"
+87.106.189.123,172.16.121.155,2170,8910,0,2015-10-20T07:09:33.614159,2015-10-20T07:09:34.161736,00:50:56:e5:80:5b,00:0c:29:9d:b9:d0,14,18,443,3923,771,0,6,26,26,"",9a7b51089c089491dbc4879218db549c,"asecuritysite.com"
+87.106.189.123,172.16.121.155,992,650,0,2015-10-20T07:09:33.611190,2015-10-20T07:09:33.712851,00:50:56:e5:80:5b,00:0c:29:9d:b9:d0,8,8,443,3919,771,0,6,26,26,"",9a7b51089c089491dbc4879218db549c,"asecuritysite.com"
+87.106.189.123,172.16.121.155,992,650,0,2015-10-20T07:09:33.612842,2015-10-20T07:09:33.714751,00:50:56:e5:80:5b,00:0c:29:9d:b9:d0,8,8,443,3920,771,0,6,26,26,"",9a7b51089c089491dbc4879218db549c,"asecuritysite.com"
+87.106.189.123,172.16.121.155,992,650,0,2015-10-20T07:09:33.613610,2015-10-20T07:09:33.716640,00:50:56:e5:80:5b,00:0c:29:9d:b9:d0,8,8,443,3921,771,0,6,26,26,"",9a7b51089c089491dbc4879218db549c,"asecuritysite.com"
+87.106.189.123,172.16.121.155,992,650,0,2015-10-20T07:09:33.613897,2015-10-20T07:09:33.713722,00:50:56:e5:80:5b,00:0c:29:9d:b9:d0,8,8,443,3922,771,0,6,26,26,"",9a7b51089c089491dbc4879218db549c,"asecuritysite.com"
+87.106.189.123,172.16.121.155,992,650,0,2015-10-20T07:09:33.614399,2015-10-20T07:09:33.715479,00:50:56:e5:80:5b,00:0c:29:9d:b9:d0,8,8,443,3924,771,0,6,26,26,"",9a7b51089c089491dbc4879218db549c,"asecuritysite.com"
 ipaddr DST_IP,ipaddr SRC_IP,uint64 BYTES,uint64 BYTES_REV,uint64 LINK_BIT_FIELD,time TIME_FIRST,time TIME_LAST,macaddr DST_MAC,macaddr SRC_MAC,uint32 PACKETS,uint32 PACKETS_REV,uint16 DST_PORT,uint16 SRC_PORT,uint16 TLS_VERSION,uint8 DIR_BIT_FIELD,uint8 PROTOCOL,uint8 TCP_FLAGS,uint8 TCP_FLAGS_REV,string TLS_ALPN,bytes TLS_JA3,string TLS_SNI

Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,7 @@ int TLSPlugin::pre_update(Flow &rec, Packet &pkt)`
`83`	`83`	`RecordExtTLS ext = static_cast<RecordExtTLS >(rec.get_extension(RecordExtTLS::REGISTERED_ID));`
`84`	`84`
`85`	`85`	`if (ext != nullptr) {`
`86`		`- if (ext->alpn[0] == 0) {`
	`86`	`+ if (ext->server_hello_parsed == false) {`
`87`	`87`	`// Add ALPN from server packet`
`88`	`88`	`parse_tls(pkt.payload, pkt.payload_len, ext);`
`89`	`89`	`}`
`@@ -119,9 +119,14 @@ bool TLSPlugin::obtain_tls_data(TLSData &payload, RecordExtTLS *rec, std::string`
`119`	`119`	`ec_point_formats = tls_parser.tls_get_ja3_ec_point_formats(payload);`
`120`	`120`	`}`
`121`	`121`	`} else if (hs_type == TLS_HANDSHAKE_SERVER_HELLO) {`
	`122`	`+ rec->server_hello_parsed = true;`
`122`	`123`	`if (type == TLS_EXT_ALPN) {`
`123`	`124`	`tls_parser.tls_get_alpn(payload, rec->alpn, BUFF_SIZE);`
`124`		`- return true;`
	`125`	+ // not sure, but probably don`t return yet, as
	`126`	`+ // this is not only field we want to parse`
	`127`	`+ //return true;`
	`128`	`+ } else if (type == TLS_EXT_SUPPORTED_VER){`
	`129`	`+ tls_parser.tls_get_supp_ver(payload, rec->version);`
`125`	`130`	`}`
`126`	`131`	`}`
`127`	`132`	`payload.start += length;`
`@@ -159,7 +164,7 @@ bool TLSPlugin::parse_tls(const uint8_t *data, uint16_t payload_len, RecordExtTL`
`159`	`164`	`}`
`160`	`165`	`tls_handshake tls_hs = tls_parser.tls_get_handshake();`
`161`	`166`
`162`		`- rec->version = ((uint16_t) tls_hs.version.major << 8) \| tls_hs.version.minor;`
	`167`	`+ rec->version = (rec->version == 0)?(((uint16_t) tls_hs.version.major << 8) \| tls_hs.version.minor) : rec->version;`
`163`	`168`	`ja3 += std::to_string((uint16_t) tls_hs.version.version) + ',';`
`164`	`169`
`165`	`170`	`if (!tls_parser.tls_skip_random(payload)) {`
Original file line number	Diff line number	Diff line change
`@@ -126,6 +126,13 @@ void TLSParser::tls_get_server_name(TLSData &data, char *buffer, size_t buffer_s`
`126`	`126`	`return;`
`127`	`127`	`}`
`128`	`128`
	`129`	`+void TLSParser::tls_get_supp_ver(TLSData &data, uint16_t &version)`
	`130`	`+{`
	`131`	`+ tls_version* ext_ver = (tls_version *) data.start;`
	`132`	`+ version = ((uint16_t) ext_ver->major << 8) \| ext_ver->minor;`
	`133`	`+ return;`
	`134`	`+}`
	`135`	`+`
`129`	`136`	`void TLSParser::tls_get_alpn(TLSData &data, char *buffer, size_t buffer_size)`
`130`	`137`	`{`
`131`	`138`	`uint16_t list_len = ntohs((uint16_t ) data.start);`