Added support for printing JA4r when enabled
lucaderi committed Oct 11, 2024
1 parent 3e74c95 commit faaa5c5
Showing 4 changed files with 17 additions and 4 deletions.
2 changes: 2 additions & 0 deletions example/ndpiReader.c
@@ -2056,6 +2056,8 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
if(flow->ssh_tls.ja4_client[0] != '\0') fprintf(out, "[JA4: %s%s]", flow->ssh_tls.ja4_client,
print_cipher(flow->ssh_tls.client_unsafe_cipher));

if(flow->ssh_tls.ja4_client_raw != NULL) fprintf(out, "[JA4_r: %s]", flow->ssh_tls.ja4_client_raw);

if(flow->ssh_tls.server_info[0] != '\0') fprintf(out, "[Server: %s]", flow->ssh_tls.server_info);

if(flow->ssh_tls.server_names) fprintf(out, "[ServerNames: %s]", flow->ssh_tls.server_names);
11 changes: 10 additions & 1 deletion example/reader_util.c
@@ -549,6 +549,11 @@ static void ndpi_free_flow_tls_data(struct ndpi_flow_info *flow) {
ndpi_free(flow->ssh_tls.encrypted_sni.esni);
flow->ssh_tls.encrypted_sni.esni = NULL;
}

if(flow->ssh_tls.ja4_client_raw) {
ndpi_free(flow->ssh_tls.ja4_client_raw);
flow->ssh_tls.ja4_client_raw = NULL;
}
}

/* ***************************************************** */
@@ -1353,7 +1358,11 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
flow->ndpi_flow->protos.tls_quic.ja3_client);
ndpi_snprintf(flow->ssh_tls.ja4_client, sizeof(flow->ssh_tls.ja4_client), "%s",
flow->ndpi_flow->protos.tls_quic.ja4_client);
ndpi_snprintf(flow->ssh_tls.ja3_server, sizeof(flow->ssh_tls.ja3_server), "%s",

if(flow->ndpi_flow->protos.tls_quic.ja4_client_raw)
flow->ssh_tls.ja4_client_raw = strdup(flow->ndpi_flow->protos.tls_quic.ja4_client_raw);

ndpi_snprintf(flow->ssh_tls.ja3_server, sizeof(flow->ssh_tls.ja3_server), "%s",
flow->ndpi_flow->protos.tls_quic.ja3_server);
flow->ssh_tls.server_unsafe_cipher = flow->ndpi_flow->protos.tls_quic.server_unsafe_cipher;
flow->ssh_tls.server_cipher = flow->ndpi_flow->protos.tls_quic.server_cipher;
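Review bot: The assignment `flow->ssh_tls.ja4_client_raw = strdup(...)` in process_ndpi_collected_info overwrites whatever the field already holds, so if this function runs more than once for the same flow (its callers are outside the hunk) every earlier copy leaks. The copy is also made with `strdup` but released with `ndpi_free` in ndpi_free_flow_tls_data, which only matches when nDPI's allocator hooks resolve to plain `free`. I would guard the copy and use the library allocator: `if(flow->ndpi_flow->protos.tls_quic.ja4_client_raw && flow->ssh_tls.ja4_client_raw == NULL)` followed by `flow->ssh_tls.ja4_client_raw = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.ja4_client_raw);`. A failed allocation leaves the field NULL, which the print and free sites already tolerate. Both function bodies continue outside the hunks shown.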
2 changes: 1 addition & 1 deletion example/reader_util.h
@@ -275,7 +275,7 @@ typedef struct ndpi_flow_info {
client_hassh[33], server_hassh[33], *server_names,
*advertised_alpns, *negotiated_alpn, *tls_supported_versions,
*tls_issuerDN, *tls_subjectDN,
ja3_client[33], ja3_server[33], ja4_client[37],
ja3_client[33], ja3_server[33], ja4_client[37], *ja4_client_raw,
sha1_cert_fingerprint[20];
u_int8_t sha1_cert_fingerprint_set;
struct tls_heuristics browser_heuristics;
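Review bot: `*ja4_client_raw` is added on a line that otherwise declares fixed-size arrays (`ja3_client[33]`, `ja4_client[37]`), so the `sizeof(flow->ssh_tls.field)` pattern used with ndpi_snprintf for those neighbours would silently yield the pointer size if it were ever copied onto the new field. A short comment would make the difference and the ownership explicit, for example `/* ja4_client_raw: heap-allocated copy, NULL unless set; released in ndpi_free_flow_tls_data() */`. The field is only safe to test against NULL if the flow struct is zeroed at allocation, which is not visible here. The struct definition starts and ends outside the hunk.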
6 changes: 4 additions & 2 deletions src/lib/protocols/tls.c
@@ -29,7 +29,7 @@
#include "ndpi_encryption.h"
#include "ndpi_private.h"

#define JA4R_DECIMAL 1
//#define JA4R_DECIMAL 1

static void ndpi_search_tls_wrapper(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow);
@@ -2029,7 +2029,9 @@ static void ndpi_compute_ja4(struct ndpi_detection_module_struct *ndpi_struct,
_
(sha256 hash of the list of cipher hex codes sorted in hex order, truncated to 12 characters)
_
(sha256 hash of (the list of extension hex codes sorted in hex order)_(the list of signature algorithms), truncated to 12 characters)
(sha256 hash of (the list of extension hex codes sorted in hex order)
_
(the list of signature algorithms), truncated to 12 characters)
*/
ja_str[0] = is_dtls ? 'd' : ((quic_version != 0) ? 'q' : 't');
