Insert ja3 filter code

phaag · Mar 1, 2024 · 539902c · 539902c
1 parent 4115a8b
commit 539902c
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 3 deletions.
diff --git a/src/lib/decode/ssl.c b/src/lib/decode/ssl.c
@@ -282,8 +282,8 @@ static int sslParseServerHandshake(ssl_t *ssl, BytesStream_t sslStream, uint32_t
         ByteStream_GET_u16(sslStream, exType);
         ByteStream_GET_u16(sslStream, exLength);
 
+        sizeLeft -= (4 + exLength);
         if (checkGREASE(exType)) {
-            extensionLength -= (4 + exLength);
             continue;
         }
 

diff --git a/src/lib/filter/filter.c b/src/lib/filter/filter.c
@@ -43,6 +43,7 @@
 #include <unistd.h>
 
 #include "filter.h"
+#include "ja3.h"
 #include "maxmind.h"
 #include "sgregex.h"
 #include "util.h"
@@ -103,6 +104,7 @@ static uint64_t mpls_exp_function(void *dataPtr, uint32_t length, data_t data, r
 static uint64_t mpls_any_function(void *dataPtr, uint32_t length, data_t data, recordHandle_t *handle);
 static uint64_t pblock_function(void *dataPtr, uint32_t length, data_t data, recordHandle_t *handle);
 static uint64_t mmASLookup_function(void *dataPtr, uint32_t length, data_t data, recordHandle_t *handle);
+static uint64_t ja3_function(void *dataPtr, uint32_t length, data_t data, recordHandle_t *handle);
 
 /*
  * flow processing function table:
@@ -123,6 +125,7 @@ static struct flow_procs_map_s {
                       {FUNC_MPLS_ANY, "mpls any", mpls_any_function},
                       {FUNC_PBLOCK, "pblock", pblock_function},
                       {FUNC_MMAS_LOOKUP, "AS Lockup", mmASLookup_function},
+                      {FUNC_JA3, "ja3", ja3_function},
                       {0, NULL, NULL}};
 
 // 128bit compare for IPv6
@@ -277,6 +280,24 @@ static uint64_t mmASLookup_function(void *dataPtr, uint32_t length, data_t data,
     return as;
 }  // End of mmASLookup_function
 
+static uint64_t ja3_function(void *dataPtr, uint32_t length, data_t data, recordHandle_t *recordHandle) {
+    const uint8_t *payload = (const uint8_t *)recordHandle->extensionList[EXinPayloadID];
+
+    // check if ja3 already exists or no payload exists
+    if (recordHandle->ja3[0] != '\0' || payload == NULL) return 1;
+
+    uint32_t len = ExtensionLength(payload);
+    ja3_t *ja3 = ja3Process(payload, len);
+    if (ja3) {
+        recordHandle->ja3Info = (void *)ja3;
+        memcpy((void *)recordHandle->ja3, ja3->md5Hash, sizeof(recordHandle->ja3));
+        return 1;
+    }
+    // else - not a valid ssl handshare for ja3
+    return 0;
+
+}  // End of ja3_function
+
 static int geoLookup(char *geoChar, uint64_t direction, recordHandle_t *recordHandle) {
     geoChar[0] = geoChar[1] = '.';
     switch (direction) {

diff --git a/src/lib/filter/filter.h b/src/lib/filter/filter.h
@@ -105,6 +105,7 @@ typedef enum {
     FUNC_MPLS_ANY,     // function code for matching any MPLS label
     FUNC_PBLOCK,       // function code for matching ports against pblock start
     FUNC_MMAS_LOOKUP,  // function code for optional maxmind AS lookup
+    FUNC_JA3,          // function code for ja3 calc
 } filterFunction_t;
 
 #define FULLMASK FFFFFFFFFFFFFFFFLL

diff --git a/src/lib/filter/grammar.y b/src/lib/filter/grammar.y
@@ -1226,7 +1226,7 @@ static int AddPayload(char *type, char *arg, char *opt) {
 			}
 			data_t data = {.dataPtr=md5};
 			if (strcasecmp(arg, "defined") == 0) {
-				return Invert(NewElement(EXlocal, OFFja3, SIZEja3, 0, CMP_BINARY, FUNC_NONE, data));
+				return Invert(NewElement(EXlocal, OFFja3, SIZEja3, 0, CMP_BINARY, FUNC_JA3, data));
 			} else {
 				if (IsMD5(arg) == 0) {
 					yyerror("ja3 string %s is not an MD5 sum", arg);
@@ -1237,7 +1237,7 @@ static int AddPayload(char *type, char *arg, char *opt) {
 					sscanf(arg, "%2hhx", &md5[count]);
 					arg += 2;
 				}
-				return NewElement(EXlocal, OFFja3, SIZEja3, 0, CMP_BINARY, FUNC_NONE, data);
+				return NewElement(EXlocal, OFFja3, SIZEja3, 0, CMP_BINARY, FUNC_JA3, data);
 			}
 	} else {
 		yyerror("Unknown PAYLOAD argument: %s\n", type);