Ja3 blocking with custom list

alessio-perugini · Oct 1, 2020 · d4386b0 · d4386b0
1 parent fb31042
commit d4386b0
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 8 deletions.
diff --git a/cmd/peng/main.go b/cmd/peng/main.go
@@ -24,7 +24,9 @@ var (
 		UseInflux:          false,
 		Verbose:            uint(0),
 		NetworkInterface:   "",
+		Ja3BlackListFile:   "",
 	}
+
 	timeFrame = "1m"
 
 	showInterfaceNames bool
@@ -52,6 +54,7 @@ func init() {
 	flag.UintVar(&config.Verbose, "verbose", 1, "set verbose level (1-3)")
 	flag.StringVar(&config.NetworkInterface, "network", "", "name of your network interface")
 	flag.BoolVar(&showInterfaceNames, "interfaces", false, "show the list of all your network interfaces")
+	flag.StringVar(&config.Ja3BlackListFile, "ja3", "", "file path of malicious ja3 fingerprints")
 }
 
 func flagConfig() {
@@ -118,8 +121,19 @@ func flagConfig() {
 	fmt.Printf("%s\n", appString)
 }
 
+//var cpuprofile = flag.String("cpuprofile", "", "write cpu profile to file")
+
 func main() {
 	flagConfig()
+	/*
+		if *cpuprofile != "" {
+			f, err := os.Create(*cpuprofile)
+			if err != nil {
+				log.Fatal(err)
+			}
+			pprof.StartCPUProfile(f)
+			defer pprof.StopCPUProfile()
+		}*/
 
 	peng := p.New(&config)
 	peng.Start()

diff --git a/pkg/peng/inspection.go b/pkg/peng/inspection.go
@@ -56,17 +56,33 @@ func (p *Peng) inspect(packet gopacket.Packet) {
 
 			if
 		}*/
-	//TODO add blacklist check
-	ja3string := ja3.DigestHexPacket(packet)
-	ja3sstring := ja3.DigestHexPacketJa3s(packet)
-	if p.Config.Verbose == 2 {
-		if ja3string != "" {
-			fmt.Printf("J1: %s\n", ja3string)
+
+	if len(ja3BlackList) != 0 {
+		ja3md5 := ja3.DigestHexPacket(packet) //TODO replace this in the previous tcp handler
+		ja3smd5 := ja3.DigestHexPacketJa3s(packet)
+
+		if p.Config.Verbose == 2 {
+			if ja3md5 != "" {
+				fmt.Printf("J:  %s\n", ja3md5)
+			}
+			if ja3smd5 != "" {
+				fmt.Printf("JS: %s\n", ja3smd5)
+			}
 		}
-		if ja3sstring != "" {
-			fmt.Printf("J2: %s\n", ja3sstring)
+
+		maliciousIp := ipv4.DstIP.String()
+		if packetDestToMyPc {
+			maliciousIp = ipv4.SrcIP.String()
+		}
+
+		if name, ok := ja3BlackList[ja3md5]; ok {
+			fmt.Printf("[%s] %s appears in the blocked Ja3 list as %s!\n", maliciousIp, ja3md5, name)
+		}
+		if name, ok := ja3BlackList[ja3smd5]; ok {
+			fmt.Printf("[%s] %s appears in the blocked Ja3 list as %s!\n", maliciousIp, ja3smd5, name)
 		}
 	}
+
 }
 
 func (p *Peng) PortScanningHandler(port uint16, incomingPck bool) {

diff --git a/pkg/peng/peng.go b/pkg/peng/peng.go
@@ -1,6 +1,7 @@
 package peng
 
 import (
+	"encoding/csv"
 	"fmt"
 	"github.com/alessio-perugini/peng/pkg/portbitmap"
 	"github.com/google/gopacket"
@@ -31,8 +32,11 @@ type Config struct {
 	InfluxAuthToken    string
 	Verbose            uint
 	TimeFrame          time.Duration
+	Ja3BlackListFile   string
 }
 
+var ja3BlackList map[string]string
+
 func New(cfg *Config) *Peng {
 	cfg.NumberOfBits = cfg.SizeBitmap / cfg.NumberOfBin
 	bitmapConfig := &portbitmap.Config{
@@ -51,6 +55,7 @@ func New(cfg *Config) *Peng {
 
 func (p *Peng) Start() {
 	getMyIp()
+	p.LoadBlackListJa3InMemory()
 
 	pHandle, err := pcap.OpenLive(
 		p.Config.NetworkInterface,
@@ -77,6 +82,32 @@ func (p *Peng) Start() {
 	log.Println("Quitting Peng, bye!")
 }
 
+func (p *Peng) LoadBlackListJa3InMemory() {
+	file, err := os.OpenFile(p.Config.Ja3BlackListFile, os.O_RDONLY, 0777)
+	defer file.Close()
+
+	if err != nil {
+		log.Println(err)
+		return
+	}
+
+	r := csv.NewReader(file)
+	ja3BlackList = make(map[string]string)
+	r.Comment = '#'
+	for {
+		csvField, err := r.Read()
+		if err != nil {
+			break
+		}
+
+		//Parse csv fields
+		md5h := csvField[0] //md5 hash
+		name := csvField[3] //malware name
+
+		ja3BlackList[md5h] = name
+	}
+}
+
 func (p *Peng) PrintAllInfo() {
 	allPortTraffic := []*portbitmap.PortBitmap{p.ClientTraffic, p.ServerTraffic}
 	for i, v := range allPortTraffic {