Add ja4s to filter syntax

phaag · Mar 16, 2024 · 8c18cff · 8c18cff
1 parent 23fd4a2
commit 8c18cff
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 24 deletions.
diff --git a/src/libnfdump/filter/grammar.y b/src/libnfdump/filter/grammar.y
@@ -1243,6 +1243,13 @@ static int AddPayload(char *type, char *arg, char *opt) {
 		}
 		data_t data = {.dataPtr=strdup(arg)};
 		return NewElement(JA4index, OFFja4String, SIZEja4String, 0, CMP_STRING, FUNC_NONE, data);
+	} else if (strcasecmp(type, "ja4s") == 0) {
+		if ( ja4sCheck(arg) == 0 ){
+			yyerror("String %s is not a valid ja4s string", arg);
+			return -1;
+		}
+		data_t data = {.dataPtr=strdup(arg)};
+		return NewElement(JA4index, OFFja4String, SIZEja4String, 0, CMP_STRING, FUNC_NONE, data);
 	} else {
 		yyerror("Unknown PAYLOAD argument: %s\n", type);
 		return -1;

diff --git a/src/libnfdump/ja4/ja4.h b/src/libnfdump/ja4/ja4.h
@@ -36,41 +36,45 @@
 
 #include "ssl/ssl.h"
 
-/*
-
-example fingerprint:
-t13d1516h2_8daaf6152771_b186095e22b6
+typedef enum { TYPE_UNDEF = 0, TYPE_JA4, TYPE_JA4S } ja4Type_t;
 
-(QUIC=”q” or TCP=”t”)
-(2 character TLS version)
-(SNI=”d” defined or SNI=”i” no SNI defined)
-(2 character count of ciphers)
-(2 character count of extensions)
-(first and last characters of first ALPN extension value)
-_
-(sha256 hash of the list of cipher hex codes sorted in hex order, truncated to 12 characters)
-_
-(sha256 hash of (the list of extension hex codes sorted in hex order)_(the list of signature algorithms), truncated to 12 characters)
-
-*/
-
-typedef enum { TYPE_UNDEF = 0,
-               TYPE_JA4,
-               TYPE_JA4S } ja4Type_t;
-
-// ex. t13d1516h2_8daaf6152771_b186095e22bb
+// one struct for all types of ja4
 typedef struct ja4_s {
     ja4Type_t type;
     char string[];
 } ja4_t;
 #define OFFja4String offsetof(ja4_t, string)
 #define SIZEja4String 36
 
+/*
+  JA4:
+  example fingerprint:
+
+       + ------ Protocol, TCP = "I" QUIC= "q"
+       | + ---- TLS version, 1.2 = "12", 1.3 = "13"
+       | |+ --- SNI=”d” defined or SNI=”i” no SNI defined
+       | || +-- Character count of ciphers
+       | || | +- Character count of extensions
+       | || | | +- ALPN Chosen (00 if no ALPN)
+       | || | | |            +- sha256 hash of the list of cipher hex codes
+       | || | | |            |  sorted in hex order, truncated to 12 characters
+       | || | | |            |
+   JA4=t13d1516h2_8daaf6152771_b186095e22b6
+           ja4s_a       ja4s_b       ja4s_c
+                                          |
+                                          +- sha256 hash of (the list of extension hex codes
+                                             sorted in hex order)_(the list of signature algorithms),
+                                             truncated to 12 characters
+*/
+
 int ja4Check(char *ja4String);
 
 ja4_t *ja4Process(ssl_t *ssl, uint8_t proto);
 
 /*
+  JA4s:
+  example fingerprint:
+
        + ------ Protocol, TCP = "I" QUIC= "q"
        | + ---- TLS version, 1.2 = "12", 1.3 = "13"
        | | + -- Number of Extensions
@@ -86,6 +90,8 @@ ja4_t *ja4Process(ssl_t *ssl, uint8_t proto);
 
 #define SIZEja4sString 25
 
+int ja4sCheck(char *ja4sString);
+
 ja4_t *ja4sProcess(ssl_t *ssl, uint8_t proto);
 
 #endif
diff --git a/src/libnfdump/ja4/ja4s.c b/src/libnfdump/ja4/ja4s.c
@@ -28,6 +28,7 @@
  *
  */
 
+#include <ctype.h>
 #include <errno.h>
 #include <netinet/in.h>
 #include <stdarg.h>
@@ -131,6 +132,22 @@ ja4_t *ja4sProcess(ssl_t *ssl, uint8_t proto) {
 
 }  // End of ja4Process
 
+// ex. ja4s: t130200_1301_234ea6891581
+// input validation  - is ja4sString valid?
+int ja4sCheck(char *ja4sString) {
+    if (ja4sString == NULL || strlen(ja4sString) != SIZEja4sString) return 0;
+    if (ja4sString[0] != 't' && ja4sString[0] != 'q') return 0;
+    if (ja4sString[7] != '_' || ja4sString[12] != '_') return 0;
+
+    for (int i = 1; i < 7; i++)
+        if (!isascii(ja4sString[i])) return 0;
+    for (int i = 8; i < 12; i++)
+        if (!isxdigit(ja4sString[i])) return 0;
+    for (int i = 13; i < SIZEja4sString; i++)
+        if (!isxdigit(ja4sString[i])) return 0;
+    return 1;
+}  // End of ja4Check
+
 #ifdef MAIN
 
 int main(int argc, char **argv) {

diff --git a/src/nfdump/nfstat.c b/src/nfdump/nfstat.c
@@ -182,8 +182,8 @@ struct StatParameter_s {
     {"al", "Application Latency", {EXlatencyID, OFFusecApplLatency, SIZEusecApplLatency, 0}, IS_LATENCY, NOPROC},
     {"nbar", "Nbar", {EXnbarAppID, OFFnbarAppID, SIZEnbarAppID, 0}, IS_NBAR, NOPROC},
     {"ja3", "ja3                             ", {JA3index, OFFja3String, SIZEja3String + 1, 0}, IS_JA3, JA3},
-    {"ja4", "ja4                             ", {JA4index, OFFja4String, SIZEja4String + 1, 0}, IS_JA4, JA4},
-    {"ja4s", "ja4s                           ", {JA4index, OFFja4String, SIZEja4sString + 1, 0}, IS_JA4S, JA4S},
+    {"ja4", "ja4                                ", {JA4index, OFFja4String, SIZEja4String + 1, 0}, IS_JA4, JA4},
+    {"ja4s", "ja4s                    ", {JA4index, OFFja4String, SIZEja4sString + 1, 0}, IS_JA4S, JA4S},
     {"odid", "Obs DomainID", {EXobservationID, OFFdomainID, SIZEdomainID, 0}, IS_HEXNUMBER, NOPROC},
     {"opid", "Obs PointID", {EXobservationID, OFFpointID, SIZEpointID, 0}, IS_HEXNUMBER, NOPROC},
     {"event", " Event", {EXnselCommonID, OFFfwEvent, SIZEfwEvent, 0}, IS_EVENT, NOPROC},