Merge pull request #279 from vlvkobal/test-python

Author: vlvkobal

.github/workflows/python-test.yml

@@ -0,0 +1,31 @@
+name: Python - Test
+
+on:
+  push:
+    paths:
+      - '.github/workflows/python-test.yml'
+      - 'python/**'
+  pull_request:
+    paths:
+      - '.github/workflows/python-test.yml'
+      - 'python/**'
+
+jobs:
+  run-python-tests:
+    name: Run Python tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install required packages
+        run: |
+          sudo add-apt-repository ppa:wireshark-dev/stable
+          sudo apt update
+          sudo apt upgrade -y
+          sudo apt -y install \
+            tshark \
+            python3-pytest
+
+      - name: Run tests
+        run: pytest
+        working-directory: python/test

python/test/generate-output-files.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# This script generates output files for the JA4 Python tests.
+# Run the script from its directory.
+
+PCAP_DIR="../../pcap"
+OUT_DIR="./testdata"
+JA4_SCRIPT="../ja4.py"
+
+mkdir -p "$OUT_DIR"
+
+# If arguments are given, use them as files; otherwise, use all files in $PCAP_DIR
+if [ "$#" -gt 0 ]; then
+    PCAP_FILES=("$@")
+else
+    PCAP_FILES=("$PCAP_DIR"/*.pcap*)
+fi
+
+# Loop through each pcap file and generate the output
+for pcap in "${PCAP_FILES[@]}"; do
+    base=$(basename "$pcap")
+    out="$OUT_DIR/${base}.json"
+    python3 "$JA4_SCRIPT" "$pcap" -J -f "$out"
+done

python/test/test_ja4_output.py

@@ -0,0 +1,48 @@
+import json
+import subprocess
+import sys
+from pathlib import Path
+
+import pytest
+
+SCRIPT_DIR = Path(__file__).resolve().parent
+ROOT_DIR = SCRIPT_DIR.parent.parent
+
+PCAP_DIR = ROOT_DIR / "pcap"
+EXPECTED_DIR = SCRIPT_DIR / "testdata"
+JA4_SCRIPT = ROOT_DIR / "python" / "ja4.py"
+
+pcap_files = sorted(PCAP_DIR.rglob("*.pcap*"))
+if not pcap_files:
+    pytest.fail(f"No PCAP files found in {PCAP_DIR.resolve()}")
+
+
+def get_expected_output(pcap_file: Path):
+    expected_file = EXPECTED_DIR / f"{pcap_file.name}.json"
+    with expected_file.open() as f:
+        return json.load(f)
+
+
+@pytest.mark.parametrize("pcap_file", pcap_files)
+def test_ja4_output_matches_expected(pcap_file, tmp_path):
+    output_file = tmp_path / f"{pcap_file.name}.json"
+    result = subprocess.run(
+        [
+            sys.executable,
+            str(JA4_SCRIPT),
+            str(pcap_file),
+            "-J",
+            "-f",
+            str(output_file),
+        ],
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE,
+        text=True,
+    )
+
+    assert result.returncode == 0, f"ja4.py failed: {result.stderr}"
+
+    actual = json.loads(output_file.read_text())
+    expected = get_expected_output(pcap_file)
+
+    assert actual == expected, f"Mismatch for {pcap_file.name}"

python/test/testdata/CVE-2018-6794.pcap.json

@@ -0,0 +1,18 @@
+[
+    {
+        "stream": 0,
+        "src": "192.168.235.136",
+        "dst": "192.168.235.1",
+        "srcport": "8089",
+        "dstport": "53649",
+        "JA4H": "ge11nn07ruru_6cd0fb54989b_000000000000_000000000000"
+    },
+    {
+        "stream": 1,
+        "src": "192.168.235.136",
+        "dst": "192.168.235.1",
+        "srcport": "8089",
+        "dstport": "53656",
+        "JA4H": "ge11nr06ruru_cc6ec9a91856_000000000000_000000000000"
+    }
+]

python/test/testdata/badcurveball.pcap.json

@@ -0,0 +1,21 @@
+[
+    {
+        "stream": 0,
+        "src": "172.130.128.76",
+        "dst": "54.226.182.138",
+        "srcport": "55318",
+        "dstport": "443",
+        "client_ttl": "64",
+        "server_ttl": "238",
+        "JA4L-S": "781_238",
+        "JA4L-C": "2181_64",
+        "domain": "bad.curveballtest.com",
+        "JA4.1": "t00d1715h2_dd2c26892b57_8201b1be11a4",
+        "JA4_r.1": "t00d1715h2_,,,171,172,195,196,199,200,392,393,6,65,66,67,690,7_0005,000a,000b,000d,0012,0015,0017,001b,0023,002b,002d,0033,ff01_27,52,25,83,53,81,54,37,3",
+        "JA4_o.1": "t00d1715h2_6c4ba73770eb_4848efb2a220",
+        "JA4_ro.1": "t00d1715h2_690,65,66,67,195,199,196,200,393,392,171,172,6,7,,,_0000,0017,ff01,000a,000b,0023,0010,0005,000d,0012,0033,002d,002b,001b,0015_27,52,25,83,53,81,54,37,3",
+        "JA4S": "t0005h1_195_845f7282a956",
+        "JA4X.1": "2e9214a636bc_a373a9f83c6b_0e17604154c5",
+        "JA4X.2": "2e9214a636bc_2e9214a636bc_795797892f9c"
+    }
+]

python/test/testdata/browsers-x509.pcapng.json

@@ -0,0 +1,59 @@
+[
+    {
+        "stream": 0,
+        "src": "172.27.7.31",
+        "dst": "13.107.21.239",
+        "srcport": "54524",
+        "dstport": "443",
+        "client_ttl": "128",
+        "server_ttl": "112",
+        "JA4L-S": "1907_112",
+        "JA4L-C": "278_128",
+        "domain": "edge.microsoft.com",
+        "JA4.1": "t00d1616h2_4109672baa2e_bed3546ee6f4",
+        "JA4_r.1": "t00d1616h2_,,171,172,195,196,199,200,392,393,6,65,66,67,690,7_0005,000a,000b,000d,0012,0015,0017,001b,0023,002b,002d,0033,4469,ff01_27,52,25,83,53,81,54,37",
+        "JA4_o.1": "t00d1616h2_0200e8047a78_8a0afe6f3afd",
+        "JA4_ro.1": "t00d1616h2_690,65,66,67,195,199,196,200,393,392,171,172,6,7,,_000d,0000,000a,0005,000b,002b,001b,ff01,0033,4469,002d,0023,0017,0012,0010,0015_27,52,25,83,53,81,54,37",
+        "JA4X.1": "a373a9f83c6b_2bab15409345_0f2217ba412e",
+        "JA4X.2": "7d5dbb3783b4_a373a9f83c6b_c34b04c10969"
+    },
+    {
+        "stream": 1,
+        "src": "172.27.7.31",
+        "dst": "68.67.160.117",
+        "srcport": "54525",
+        "dstport": "443",
+        "client_ttl": "128",
+        "server_ttl": "41",
+        "JA4L-S": "7166_41",
+        "JA4L-C": "349_128",
+        "domain": "nym1-ib.adnxs.com",
+        "JA4.1": "t00d1616h2_c4e216e269f4_bed3546ee6f4",
+        "JA4_r.1": "t00d1616h2_,,171,172,195,196,199,200,354,392,393,6,65,66,67,7_0005,000a,000b,000d,0012,0015,0017,001b,0023,002b,002d,0033,4469,ff01_27,52,25,83,53,81,54,37",
+        "JA4_o.1": "t00d1616h2_00d8772d9166_548bd83a577c",
+        "JA4_ro.1": "t00d1616h2_354,65,66,67,195,199,196,200,393,392,171,172,6,7,,_002b,4469,000b,0017,000d,0000,001b,0005,0033,ff01,0010,000a,002d,0012,0023,0015_27,52,25,83,53,81,54,37",
+        "JA4S": "t0007h2_195_cf25e267ce22",
+        "JA4X.1": "7d5dbb3783b4_2bab15409345_7bf9a7bf7029",
+        "JA4X.2": "7d5dbb3783b4_7d5dbb3783b4_44440d41940c"
+    },
+    {
+        "stream": 2,
+        "src": "172.27.7.31",
+        "dst": "103.42.133.15",
+        "srcport": "54603",
+        "dstport": "443",
+        "client_ttl": "128",
+        "server_ttl": "229",
+        "JA4L-S": "2948_229",
+        "JA4L-C": "247_128",
+        "domain": "lptag.liveperson.net",
+        "JA4.1": "t00d1616h2_73d9d18e4e10_bed3546ee6f4",
+        "JA4_r.1": "t00d1616h2_,,018,171,172,195,196,199,200,392,393,6,65,66,67,7_0005,000a,000b,000d,0012,0015,0017,001b,0023,002b,002d,0033,4469,ff01_27,52,25,83,53,81,54,37",
+        "JA4_o.1": "t00d1616h2_828fc7e24cd3_0069bd55eedf",
+        "JA4_ro.1": "t00d1616h2_018,65,66,67,195,199,196,200,393,392,171,172,6,7,,_0000,0033,0010,0017,ff01,0012,002b,000d,000a,002d,0005,0023,000b,4469,001b,0015_27,52,25,83,53,81,54,37",
+        "JA4S": "t0005h2_199_845f7282a956",
+        "JA4X.1": "2bab15409345_2e9214a636bc_b891c0ad6f32",
+        "JA4X.2": "2bab15409345_2bab15409345_2367ce7fbc5b",
+        "JA4X.3": "2bab15409345_2bab15409345_2030e37f3421"
+    }
+]

python/test/testdata/chrome-cloudflare-quic-with-secrets.pcapng.json

@@ -0,0 +1,40 @@
+[
+    {
+        "stream": 0,
+        "src": "2001:db8:1::1",
+        "dst": "2606:4700:10::6816:826",
+        "srcport": "57098",
+        "dstport": "443",
+        "client_ttl": "64",
+        "server_ttl": "56",
+        "JA4L-S": "5749_56",
+        "JA4L-C": "149_64",
+        "domain": "cloudflare-quic.com",
+        "JA4.1": "t00d1616h2_06835249484a_bed3546ee6f4",
+        "JA4_r.1": "t00d1616h2_,,171,172,195,196,199,200,392,393,6,65,66,67,7,802_0005,000a,000b,000d,0012,0015,0017,001b,0023,002b,002d,0033,4469,ff01_27,52,25,83,53,81,54,37",
+        "JA4_o.1": "t00d1616h2_572e68ba0241_ac2009940b69",
+        "JA4_ro.1": "t00d1616h2_802,65,66,67,195,199,196,200,393,392,171,172,6,7,,_0000,0017,ff01,000a,000b,0023,0010,0005,000d,0012,0033,002d,002b,001b,4469,0015_27,52,25,83,53,81,54,37",
+        "JA4S": "t000200_65_234ea6891581",
+        "JA4X.1": "a373a9f83c6b_2bab15409345_7bf9a7bf7029",
+        "JA4X.2": "7d5dbb3783b4_a373a9f83c6b_44440d41940c"
+    },
+    {
+        "stream": 0,
+        "src": "2001:db8:1::1",
+        "dst": "2606:4700:10::6816:826",
+        "srcport": "57098",
+        "dstport": "443",
+        "JA4H": "ge20nn12enus_60f823d07c94_000000000000_000000000000"
+    },
+    {
+        "stream": 0,
+        "src": "2001:db8:1::1",
+        "dst": "2606:4700:10::6816:826",
+        "srcport": "50280",
+        "dstport": "443",
+        "client_ttl": "64",
+        "server_ttl": "56",
+        "JA4L-S": "10990_56",
+        "JA4L-C": "113_64"
+    }
+]

python/test/testdata/dhcp.pcapng.json

@@ -0,0 +1 @@
+[]

python/test/testdata/dhcpv6.pcap.json

@@ -0,0 +1 @@
+[]

python/test/testdata/gre-erspan-vxlan.pcap.json

@@ -0,0 +1,13 @@
+[
+    {
+        "stream": 0,
+        "src": "100.20.9.2",
+        "dst": "100.20.9.1",
+        "srcport": "65174",
+        "dstport": "80",
+        "client_ttl": "64",
+        "server_ttl": "64",
+        "JA4L-S": "997_64",
+        "JA4L-C": "953_64"
+    }
+]