diff --git a/include/ssl_decoder.h b/include/ssl_decoder.h index 2d35aab..8d0ab05 100644 --- a/include/ssl_decoder.h +++ b/include/ssl_decoder.h @@ -12,9 +12,9 @@ extern "C" enum ssl_message_type { - SSL_CLIENT_HELLO, - SSL_SERVER_HELLO, - SSL_CERTIFICATE, + SSL_MESSAGE_CLIENT_HELLO, + SSL_MESSAGE_SERVER_HELLO, + SSL_MESSAGE_CERTIFICATE, SSL_PROTECTED_PAYLOAD, SSL_MSG_MAX, }; @@ -22,22 +22,22 @@ enum ssl_message_type struct ssl_message; enum ssl_message_type ssl_message_type_get(const struct ssl_message *msg); -// SSL_CLIENT_HELLO +// SSL_MESSAGE_CLIENT_HELLO int32_t ssl_message_esni_is_true(const struct ssl_message *msg); int32_t ssl_message_ech_is_true(const struct ssl_message *msg); void ssl_message_sni_get0(const struct ssl_message *msg, char **value, size_t *value_sz); +void ssl_message_ja3hash_get0(const struct ssl_message *msg, char **value, size_t *value_sz); const char *ssl_message_readable_version_get0(const struct ssl_message *msg); -const char *ssl_message_readable_ja3hash_get0(const struct ssl_message *msg); -// SSL_SERVER_HELLO -const char *ssl_message_readable_ja3shash_get0(const struct ssl_message *msg); +// SSL_MESSAGE_SERVER_HELLO +void ssl_message_ja3shash_get0(const struct ssl_message *msg, char **value, size_t *value_sz); void ssl_message_extensions_next(const struct ssl_message *msg, char **value, size_t *value_sz); int ssl_message_reset_extensions_iter(struct ssl_message *msg); -// SSL_CERTIFICATE +// SSL_MESSAGE_CERTIFICATE enum ssl_certificate_type { SSL_CERTIFICATE_TYPE_UNKNOWN=0, diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 9beb457..9ce76b0 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -6,7 +6,7 @@ include_directories(${PROJECT_SOURCE_DIR}/deps/) aux_source_directory(${PROJECT_SOURCE_DIR}/deps/toml DEPS_SRC) aux_source_directory(${PROJECT_SOURCE_DIR}/deps/yyjson DEPS_SRC) -set(SSL_DECODER_SRC ${DEPS_SRC} ssl_decoder.cpp) +set(SSL_DECODER_SRC ${DEPS_SRC} ssl_decoder.cpp ssl_export.cpp) add_library(ssl_decoder SHARED ${SSL_DECODER_SRC}) set_target_properties(ssl_decoder PROPERTIES LINK_FLAGS "-Wl,--version-script=${PROJECT_SOURCE_DIR}/src/version.map") diff --git a/src/ssl_decoder.cpp b/src/ssl_decoder.cpp index 3d86e50..ffbbe17 100644 --- a/src/ssl_decoder.cpp +++ b/src/ssl_decoder.cpp @@ -38,41 +38,14 @@ extern "C" #include "ssl_internal.h" #include "ssl_decoder.h" -#define SSL_DECODER_FALSE 0 -#define SSL_DECODER_TRUE 1 - -#define SSL_UUID_BYTES_SZ 16 - -#define SSL_RANDOM_TIME_LEN 4 -#define SSL_RANDOM_SIZE 28 - -#define SSL_HANDSHAKE_CLIENT_HELLO 1 -#define SSL_HANDSHAKE_SERVER_HELLO 2 -#define SSL_HANDSHAKE_CERTIFICATE 11 -#define SSL_HANDSHAKE_SERVER_KEY_EXCHANGE 12 - -#define SSL_CONTENT_TYPE_HANDSHAKE 0x16 -#define SSL_CONTENT_TYPE_ALERT 0x15 -#define SSL_CONTENT_TYPE_APPLICATION_DATA 0x17 -#define SSL_CONTENT_TYPE_CHANGE_CIPHER_SPEC 0x14 - -#define ALPN_EXT_TYPE 0x0010 -#define SERVER_NAME_EXT_TYPE 0x0000 -#define SERVER_NAME_HOST_TYPE 0x0000 -#define SERVER_NAME_OTHER_TYPE 0x0008 -#define SESSION_TICKET_EXT_TYPE 0x0023 -#define ENCRPTED_SERVER_NAME_EXT_TYPE 0xFFCE -#define ENCRPTED_CLIENT_HELLO_EXT_TYPE 0xFE0D -#define EC_POINT_FORMATS_EXT_TYPE 0x000B - -// https://datatracker.ietf.org/doc/html/rfc7919 -// Supported Groups -#define SUPPORTED_GROUPS_EXT_TYPE 0x000A - -#define SSL_DECODER_TOML_PATH "conf/ssl/ssl_decoder.toml" - UT_icd UT_ssl_hello_extension_icd={sizeof(struct ssl_decoder_ltv), NULL, NULL, NULL}; +struct ssl_certificate_chain +{ + uint8_t *data; + size_t data_sz; +}; + struct ssl_handshake_type { unsigned char content_type; @@ -133,15 +106,6 @@ struct ssl_decoder_context struct ssl_record_trunk record_trunk; }; -struct ssl_message -{ - int32_t magic; - enum ssl_message_type type; - char uuid_bytes[SSL_UUID_BYTES_SZ]; - struct session *ss; - struct ssl_decoder_plugin_env *plugin_env; -}; - void ssl_hello_md5sum(struct ssl_decoder_ltv *ltv, const char *str, size_t str_sz) { MD5_CTX ctx; @@ -169,7 +133,7 @@ void ssl_hello_md5sum(struct ssl_decoder_ltv *ltv, const char *str, size_t str_s // https://tools.ietf.org/html/draft-davidben-tls-grease-00 static int32_t ssl_is_grease_value(unsigned short val) { - if ((val & 0x0f)!=0x0a) + if((val & 0x0f)!=0x0a) { return SSL_DECODER_FALSE; } @@ -230,11 +194,6 @@ void ssl_recod_buff_get0(struct ssl_record_trunk *record_trunk, uint8_t **record (*record_buff_sz)=record_trunk->cache_len; } -void ssl_handshake_certificate_decode() -{ - -} - void ssl_handshake_server_key_exchange_decode() { @@ -348,6 +307,235 @@ int32_t ssl_decoder_ltv_get(struct ssl_decoder_ltv *ltv, uint16_t type, uint8_t return ret; } +uint32_t ssl_handshake_certificate_count_get(uint8_t *pdata, size_t pdata_sz, size_t *pdata_offset, struct ssl_certificate_chain *cert_chain, uint32_t cert_chain_num) +{ + if(NULL==pdata || 0==pdata_sz) + { + return 0; + } + + uint32_t count=0; + size_t offset=(*pdata_offset); + + while(pdata_sz > offset) + { + if(count>=cert_chain_num) + { + break; + } + + int32_t one_cert_sz=0; + int32_t ret=ssl_read_be_u24(pdata, pdata_sz, &offset, (uint8_t *)&(one_cert_sz)); + if(ret==SSL_DECODER_FALSE || one_cert_sz<=0 || (one_cert_sz+offset) > pdata_sz) + { + break; + } + + cert_chain[count].data=pdata+offset; + cert_chain[count].data_sz=one_cert_sz; + offset+=one_cert_sz; + count++; + } + + return count; +} + +enum ssl_certificate_type ssl_handshake_certificate_type_get(uint32_t count, uint32_t offset) +{ + if(offset>=count) + { + return SSL_CERTIFICATE_TYPE_UNKNOWN; + } + + switch(offset) + { + case 0: + return SSL_CERTIFICATE_TYPE_INDIVIDUAL; + case 1: + return ((count==2) ? SSL_CERTIFICATE_TYPE_ROOT : SSL_CERTIFICATE_TYPE_MIDDLE); + case 2: + return ((count==3) ? SSL_CERTIFICATE_TYPE_ROOT : SSL_CERTIFICATE_TYPE_CHAIN); + default: + break; + } + + return (offset==count-1) ? SSL_CERTIFICATE_TYPE_ROOT : SSL_CERTIFICATE_TYPE_CHAIN; +} + +int32_t ssl_x509_certificate_detail_decode(struct ssl_certificate *certificate, uint8_t *pdata, int32_t pdata_sz) +{ + X509_NAME *issuer=NULL; + X509_NAME *subject=NULL; + + ASN1_STRING *serial=NULL; + ASN1_STRING *san_name=NULL; + + GENERAL_NAME *generalName=NULL; + GENERAL_NAMES *subjectAltNames=NULL; + + ASN1_TIME *start=NULL; + ASN1_TIME *end=NULL; + + EVP_PKEY *pkey=NULL; + const ASN1_OBJECT *salg; + const X509_ALGOR *tsig_alg; + + X509 *x509_handle=d2i_X509(NULL, (unsigned char const **)&pdata, pdata_sz); + if(x509_handle==NULL) + { + return SSL_DECODER_FALSE; + } + + /*version*/ + certificate->version=X509_get_version(x509_handle); + if(certificate->version>SSL_CERTIFICATE_VERSION_MAX) + { + X509_free(x509_handle); + return SSL_DECODER_FALSE; + } + + /*serial num*/ + serial=X509_get_serialNumber(x509_handle); + if(NULL != serial) + { + certificate->serial.len=MIN(ASN1_STRING_length(serial), (int)(sizeof(certificate->serial.value)-1)); + memcpy(certificate->serial.value, ASN1_STRING_get0_data(serial), certificate->serial.len); + } + + /*SSL AgID*/ + tsig_alg=X509_get0_tbs_sigalg(x509_handle); + X509_ALGOR_get0(&salg, NULL, NULL, tsig_alg); + OBJ_obj2txt((char*)certificate->signature_algorithm.value, sizeof(certificate->signature_algorithm.value), salg, 1); + certificate->signature_algorithm.len=strlen((const char *)certificate->signature_algorithm.value); + + /*SSL Issuer*/ + issuer=X509_get_issuer_name(x509_handle); + if(NULL!=issuer) + { + X509_NAME_get_text_by_NID(issuer, NID_commonName, certificate->issuer.common, sizeof(certificate->issuer.common)); + X509_NAME_get_text_by_NID(issuer, NID_organizationName, certificate->issuer.organization, sizeof(certificate->issuer.organization)); + X509_NAME_get_text_by_NID(issuer, NID_organizationalUnitName, certificate->issuer.organizational_unit, sizeof(certificate->issuer.organizational_unit)); + X509_NAME_get_text_by_NID(issuer, NID_localityName, certificate->issuer.locality, sizeof(certificate->issuer.locality)); + X509_NAME_get_text_by_NID(issuer, NID_streetAddress, certificate->issuer.street_address, sizeof(certificate->issuer.street_address)); + X509_NAME_get_text_by_NID(issuer, NID_stateOrProvinceName, certificate->issuer.state_or_Province, sizeof(certificate->issuer.state_or_Province)); + X509_NAME_get_text_by_NID(issuer, NID_countryName, certificate->issuer.country, sizeof(certificate->issuer.country)); + + snprintf(certificate->issuer.rdn_sequence_list, + sizeof(certificate->issuer.rdn_sequence_list), + "%s;%s;%s;%s;%s;%s;%s", + certificate->issuer.common, + certificate->issuer.organization, + certificate->issuer.organizational_unit, + certificate->issuer.locality, + certificate->issuer.street_address, + certificate->issuer.state_or_Province, + certificate->issuer.country); + } + + /*SSL Subject*/ + subject=X509_get_subject_name(x509_handle); + if(NULL!=subject) + { + X509_NAME_get_text_by_NID(subject, NID_commonName, certificate->subject.common, sizeof(certificate->subject.common)); + X509_NAME_get_text_by_NID(subject, NID_organizationName, certificate->subject.organization, sizeof(certificate->subject.organization)); + X509_NAME_get_text_by_NID(subject, NID_countryName, certificate->subject.country, sizeof(certificate->subject.country)); + X509_NAME_get_text_by_NID(subject, NID_organizationalUnitName, certificate->subject.organizational_unit, sizeof(certificate->subject.organizational_unit)); + X509_NAME_get_text_by_NID(subject, NID_localityName, certificate->subject.locality, sizeof(certificate->subject.locality)); + X509_NAME_get_text_by_NID(subject, NID_streetAddress, certificate->subject.street_address, sizeof(certificate->subject.street_address)); + X509_NAME_get_text_by_NID(subject, NID_stateOrProvinceName, certificate->subject.state_or_Province, sizeof(certificate->subject.state_or_Province)); + + snprintf(certificate->subject.rdn_sequence_list, + sizeof(certificate->subject.rdn_sequence_list), + "%s;%s;%s;%s;%s;%s;%s", + certificate->subject.common, + certificate->subject.organization, + certificate->subject.organizational_unit, + certificate->subject.locality, + certificate->subject.street_address, + certificate->subject.state_or_Province, + certificate->subject.country); + } + + /*SSL Subject keyInfo*/ + pkey=X509_get_pubkey(x509_handle); + if(pkey!=NULL) + { + //https://www.openssl.org/docs/man3.0/man3/i2d_PublicKey.html + certificate->subject_key.len=i2d_PublicKey(pkey, NULL); + if(certificate->subject_key.len>0) + { + certificate->subject_key.value=(char *)malloc(certificate->subject_key.len); + int32_t ret=i2d_PublicKey(pkey, (unsigned char **)&(certificate->subject_key.value)); //!!! point32_t will be changed + if(ret>0) + { + certificate->subject_key.value=certificate->subject_key.value-certificate->subject_key.len; + } + else + { + free(certificate->subject_key.value); + certificate->subject_key.value=NULL; + certificate->subject_key.len=0; + } + } + EVP_PKEY_free(pkey); + } + + /*validity*/ + start=X509_get_notBefore(x509_handle); + end=X509_get_notAfter(x509_handle); + sprintf(certificate->validity.before, "%s", start->data); + sprintf(certificate->validity.after, "%s", end->data); + + /*subject bak*/ + subjectAltNames=(GENERAL_NAMES*)X509_get_ext_d2i(x509_handle, NID_subject_alt_name, NULL, NULL); + if(!subjectAltNames) + { + X509_free(x509_handle); + return SSL_DECODER_TRUE; + } + + int32_t san_count=sk_GENERAL_NAME_num(subjectAltNames); + if(san_count>0) + { + certificate->subject_alter.num=0; + certificate->subject_alter.name=(char (*)[MAX_ALTER_NAME_LEN])malloc(san_count * sizeof(char[MAX_ALTER_NAME_LEN])); + + for (int32_t i=0; itype) + { + san_name=(ASN1_STRING*)GENERAL_NAME_get0_value(generalName, NULL); + if(ASN1_STRING_length(san_name)>0) + { + char *san=(char*)ASN1_STRING_get0_data(san_name); + int32_t length=MIN(strlen(san), sizeof(certificate->subject_alter.name[certificate->subject_alter.num])-1); + memcpy(certificate->subject_alter.name[certificate->subject_alter.num], san, length); + certificate->subject_alter.name[certificate->subject_alter.num][length]='\0'; + certificate->subject_alter.num++; + } + } + } + } + + if(subjectAltNames) + { + GENERAL_NAMES_free(subjectAltNames); + } + + //https://www.openssl.org/docs/man1.1.1/man3/X509_ALGOR_get0.html + X509_ALGOR_get0(&salg, NULL, NULL, X509_get0_tbs_sigalg(x509_handle)); + OBJ_obj2txt(certificate->algorithm_identifier.value, sizeof(certificate->algorithm_identifier.value), salg, 1); + certificate->algorithm_identifier.len=strlen((const char *)certificate->algorithm_identifier.value); + + return SSL_DECODER_TRUE; +} + int32_t ssl_decoder_random_bytes_get(struct ssl_decoder_ltv *ltv, uint16_t type, uint8_t *pdata, size_t pdata_sz, size_t *pdata_offset) { if(pdata_sz<(*pdata_offset)+SSL_RANDOM_SIZE) @@ -402,18 +590,12 @@ int32_t ssl_server_name_decode(struct ssl_decoder_ltv *sni, uint8_t *pdata, uint struct ssl_server_hello *ssl_handshake_server_hello_decode(uint8_t *pdata, size_t pdata_sz, size_t *pdata_offset) { - int32_t total_len; //3 - int32_t ret=ssl_read_be_u24(pdata, pdata_sz, pdata_offset, (uint8_t *)&(total_len)); - if(total_len<0) /*CLIENT_HELLO_HDRLEN: 4 means client_type+len*/ - { - return NULL; - } - + int32_t ret=SSL_DECODER_FALSE; struct ssl_server_hello *shello=(struct ssl_server_hello *)CALLOC(struct ssl_server_hello, 1); ssl_read_be_u16(pdata, pdata_sz, pdata_offset, &(shello->version)); ssl_read_be_u32(pdata, pdata_sz, pdata_offset, &(shello->random_gmt_time)); - for(int i=1; iltv[i]); switch(i) @@ -481,18 +663,12 @@ struct ssl_server_hello *ssl_handshake_server_hello_decode(uint8_t *pdata, size_ struct ssl_client_hello *ssl_handshake_client_hello_decode(uint8_t *pdata, size_t pdata_sz, size_t *pdata_offset) { - int32_t total_len; //3 - int32_t ret=ssl_read_be_u24(pdata, pdata_sz, pdata_offset, (uint8_t *)&(total_len)); - if(total_len<0) /*CLIENT_HELLO_HDRLEN: 4 means client_type+len*/ - { - return NULL; - } - + int32_t ret=SSL_DECODER_FALSE; struct ssl_client_hello *chello=(struct ssl_client_hello *)CALLOC(struct ssl_client_hello, 1); ssl_read_be_u16(pdata, pdata_sz, pdata_offset, &(chello->version)); ssl_read_be_u32(pdata, pdata_sz, pdata_offset, &(chello->random_gmt_time)); - for(int i=1; iltv[i]); switch(i) @@ -724,29 +900,134 @@ int32_t ssl_client_hello_ja3_generate(struct ssl_client_hello *chello) return SSL_DECODER_TRUE; } -void ssl_handshake_decode(struct ssl_decoder_plugin_env *plugin_env, struct session *ss, uint8_t *segment_buff, size_t segment_buff_sz, size_t *segment_buff_offset) +void ssl_message_publish(struct ssl_decoder_plugin_env *plugin_env, struct session *ss, enum ssl_message_type type, void *data) { - if(segment_buff==NULL || ((*segment_buff_offset)+1>segment_buff_sz)) + struct ssl_message *message=(struct ssl_message *)malloc(sizeof(struct ssl_message)); + message->magic=SSL_MESSAGE_MAGIC; + message->type=type; + message->ss=ss; + message->plugin_env=plugin_env; + message->data=data; + + session_mq_publish_message(ss, plugin_env->ssl.topic_id, (void *)message); +} + + +void ssl_message_free(struct session *sess, void *msg, void *msg_free_arg) +{ + struct ssl_message *message=(struct ssl_message *)msg; + if(message==NULL || message->magic!=SSL_MESSAGE_MAGIC) + { + return ; + } + + if(message->data!=NULL) + { + switch(message->type) + { + case SSL_MESSAGE_CLIENT_HELLO: + { + struct ssl_client_hello *chello=(struct ssl_client_hello *)message->data; + if(chello->extensions!=NULL) + { + utarray_free(chello->extensions); + } + } + break; + case SSL_MESSAGE_SERVER_HELLO: + { + struct ssl_server_hello *shello=(struct ssl_server_hello *)message->data; + if(shello->extensions!=NULL) + { + utarray_free(shello->extensions); + } + } + break; + case SSL_MESSAGE_CERTIFICATE: + { + struct ssl_certificate *certificate=(struct ssl_certificate *)message->data; + if(certificate->subject_alter.name!=NULL) + { + FREE(certificate->subject_alter.name); + } + + if(certificate->subject_key.value!=NULL) + { + FREE(certificate->subject_key.value); + } + } + break; + default: + break; + } + + FREE(message->data); + } + + FREE(message); +} + + +void ssl_handshake_decode(struct ssl_decoder_plugin_env *plugin_env, struct session *ss, uint8_t *pdata, size_t pdata_sz, size_t *pdata_offset) +{ + if(pdata==NULL || ((*pdata_offset)+1>pdata_sz)) + { + return ; + } + + struct ssl_handshake_type *handshake_type=(struct ssl_handshake_type *)(pdata+(*pdata_offset)); + (*pdata_offset)+=sizeof(struct ssl_handshake_type); + + int32_t total_len=0; + int32_t ret=ssl_read_be_u24(pdata, pdata_sz, pdata_offset, (uint8_t *)&total_len); + if(ret==SSL_DECODER_FALSE || total_len<0 || total_len+(*pdata_offset)>pdata_sz) { return ; } - struct ssl_client_hello *chello=NULL; - struct ssl_server_hello *shello=NULL; - struct ssl_handshake_type *handshake_type=(struct ssl_handshake_type *)(segment_buff+(*segment_buff_offset)); - (*segment_buff_offset)+=sizeof(struct ssl_handshake_type); switch(handshake_type->content_type) { case SSL_HANDSHAKE_CLIENT_HELLO: - chello=ssl_handshake_client_hello_decode(segment_buff, segment_buff_sz, segment_buff_offset); - ssl_client_hello_ja3_generate(chello); + { + struct ssl_client_hello *chello=ssl_handshake_client_hello_decode(pdata, pdata_sz, pdata_offset); + ssl_client_hello_ja3_generate(chello); + ssl_message_publish(plugin_env, ss, SSL_MESSAGE_CLIENT_HELLO, (void *)chello); + } break; case SSL_HANDSHAKE_SERVER_HELLO: - shello=ssl_handshake_server_hello_decode(segment_buff, segment_buff_sz, segment_buff_offset); - ssl_server_hello_ja3s_generate(shello); + { + struct ssl_server_hello *shello=ssl_handshake_server_hello_decode(pdata, pdata_sz, pdata_offset); + ssl_server_hello_ja3s_generate(shello); + ssl_message_publish(plugin_env, ss, SSL_MESSAGE_SERVER_HELLO, (void *)shello); + } break; case SSL_HANDSHAKE_CERTIFICATE: - // ssl_handshake_certificate_decode(); + { + int32_t cert_total_len=0; + ret=ssl_read_be_u24(pdata, pdata_sz, pdata_offset, (uint8_t *)&cert_total_len); + if(ret==SSL_DECODER_FALSE || cert_total_len<0 || cert_total_len+(*pdata_offset)>pdata_sz || (cert_total_len+3)!=total_len) + { + return ; + } + + struct ssl_certificate_chain cert_unit[SSL_CERTIFICATE_NUM_MAX]; + uint32_t cert_count=ssl_handshake_certificate_count_get(pdata, pdata_sz, pdata_offset, cert_unit, SSL_CERTIFICATE_NUM_MAX); + + for(uint32_t i=0, cert_offset=0; itype=ssl_handshake_certificate_type_get(cert_count, cert_offset); + int32_t state=ssl_x509_certificate_detail_decode(certificate, cert_unit[i].data, cert_unit[i].data_sz); + if(state==SSL_DECODER_FALSE) + { + FREE(certificate); + return ; + } + + ssl_message_publish(plugin_env, ss, SSL_MESSAGE_CERTIFICATE, (void *)certificate); + } + } break; case SSL_HANDSHAKE_SERVER_KEY_EXCHANGE: // ssl_handshake_server_key_exchange_decode(); @@ -773,11 +1054,11 @@ int32_t ssl_record_header_get(struct ssl_record_header *record_hdr, uint8_t *pda void ssl_tcp_stream_session_segment_data_cb(struct session *ss, int32_t topic_id, const void *msg, void *per_session_ctx, void *penv) { - size_t segment_buff_offset=0; - size_t segment_buff_sz=0; - uint8_t *segment_buff=NULL; - segment_buff=(uint8_t *)session_get0_current_payload(ss, &segment_buff_sz); - if(segment_buff_sz==0 || segment_buff==NULL) + size_t pdata_offset=0; + size_t pdata_sz=0; + uint8_t *pdata=NULL; + pdata=(uint8_t *)session_get0_current_payload(ss, &pdata_sz); + if(pdata_sz==0 || pdata==NULL) { return ; } @@ -790,17 +1071,17 @@ void ssl_tcp_stream_session_segment_data_cb(struct session *ss, int32_t topic_id struct ssl_decoder_context *per_ss_ctx=(struct ssl_decoder_context *)(per_session_ctx); - ssl_recod_buff_get0(&(per_ss_ctx->record_trunk), &segment_buff, &segment_buff_sz); - if(segment_buff_sz<=SSL_RECORD_HEADER_SZ) + ssl_recod_buff_get0(&(per_ss_ctx->record_trunk), &pdata, &pdata_sz); + if(pdata_sz<=SSL_RECORD_HEADER_SZ) { return ; } struct ssl_record_header record_hdr={0}; - ssl_record_header_get(&record_hdr, segment_buff, segment_buff_sz, &segment_buff_offset); - if(!is_trunk_cache(&(per_ss_ctx->record_trunk)) && segment_buff_szrecord_trunk)) && pdata_szrecord_trunk), segment_buff, segment_buff_sz); + ssl_trunk_cache(&(per_ss_ctx->record_trunk), pdata, pdata_sz); return ; } @@ -809,7 +1090,7 @@ void ssl_tcp_stream_session_segment_data_cb(struct session *ss, int32_t topic_id switch(record_hdr.content_type) { case SSL_CONTENT_TYPE_HANDSHAKE: - ssl_handshake_decode(plugin_env, ss, segment_buff, segment_buff_sz, &segment_buff_offset); + ssl_handshake_decode(plugin_env, ss, pdata, pdata_sz, &pdata_offset); break; case SSL_CONTENT_TYPE_ALERT: break; @@ -827,11 +1108,6 @@ void ssl_tcp_stream_session_segment_data_cb(struct session *ss, int32_t topic_id } } -void ssl_message_free(struct session *sess, void *msg, void *msg_free_arg) -{ - -} - void *ssl_decoder_per_session_context_new(struct session *ss, void *penv) { uint64_t inner_flag=0; @@ -858,7 +1134,7 @@ void ssl_decoder_per_session_context_free(struct session *ss, void *per_session_ int32_t ssl_decoder_config_load(const char *cfg_path, struct ssl_decoder_plugin_env *plugin_env) { FILE *fp=fopen(cfg_path, "r"); - if (NULL==fp) + if(NULL==fp) { fprintf(stderr, "[%s:%d] Can't open config file: %s", __FUNCTION__, __LINE__, cfg_path); return -1; diff --git a/src/ssl_export.cpp b/src/ssl_export.cpp new file mode 100644 index 0000000..a87bf2e --- /dev/null +++ b/src/ssl_export.cpp @@ -0,0 +1,255 @@ +#include +#include +#include + +#include "ssl_internal.h" +#include "ssl_decoder.h" + +enum ssl_message_type ssl_message_type_get(const struct ssl_message *msg) +{ + return ((msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC) ? SSL_MSG_MAX : msg->type); +} + +// SSL_MESSAGE_CLIENT_HELLO +int32_t ssl_message_esni_is_true(const struct ssl_message *msg) +{ + if(msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CLIENT_HELLO) + { + return -1; + } + + return ((msg->chello->esni==NULL) ? 1 : 0); +} + +int32_t ssl_message_ech_is_true(const struct ssl_message *msg) +{ + if(msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CLIENT_HELLO) + { + return -1; + } + + return ((msg->chello->ech==NULL) ? 1 : 0); +} + +void ssl_message_sni_get0(const struct ssl_message *msg, char **value, size_t *value_sz) +{ + if(msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CLIENT_HELLO) + { + return; + } + + if(msg->chello->sni==NULL) + { + return; + } + + *value=(char *)msg->chello->sni->value; + *value_sz=msg->chello->sni->lv_u32; +} + +const char *ssl_message_readable_version_get0(const struct ssl_message *msg) +{ + if(msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC) + { + return NULL; + } + + uint16_t version=0; + switch(msg->type) + { + case SSL_MESSAGE_CLIENT_HELLO: + if(msg->chello==NULL) + { + return NULL; + } + version=msg->chello->version; + break; + case SSL_MESSAGE_SERVER_HELLO: + if(msg->shello==NULL) + { + return NULL; + } + version=msg->shello->version; + break; + default: + return NULL; + } + + switch(version) + { + case SSL_DECODER_VERSION_SSL_V2_0: + return "SSLv2.0"; + case SSL_DECODER_VERSION_SSL_V3_0: + return "SSLv3.0"; + case SSL_DECODER_VERSION_TLS_V1_0: + return "TLSv1.0"; + case SSL_DECODER_VERSION_TLS_V1_1: + return "TLSv1.1"; + case SSL_DECODER_VERSION_TLS_V1_2: + return "TLSv1.2"; + case SSL_DECODER_VERSION_TLS_V1_3: + return "TLSv1.3"; + case SSL_DECODER_VERSION_TLCP_V1_0: + return "TLCPv1.0"; + default: + break; + } + + return NULL; +} + +void ssl_message_ja3hash_get0(const struct ssl_message *msg, char **value, size_t *value_sz) +{ + if(msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CLIENT_HELLO) + { + *value=NULL; + *value_sz=0; + return ; + } + + if(msg->chello->ja3.value==NULL || msg->chello->ja3.lv_u32==0) + { + *value=NULL; + *value_sz=0; + return ; + } + + *value=(char *)msg->chello->ja3.value; + *value_sz=msg->chello->ja3.lv_u32; +} + +// SSL_MESSAGE_SERVER_HELLO +void ssl_message_ja3shash_get0(const struct ssl_message *msg, char **value, size_t *value_sz) +{ + if(msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_SERVER_HELLO) + { + *value=NULL; + *value_sz=0; + return; + } + + if(msg->shello->ja3s.value==NULL || msg->shello->ja3s.lv_u32==0) + { + *value=NULL; + *value_sz=0; + return; + } + + *value=(char *)msg->shello->ja3s.value; + *value_sz=msg->shello->ja3s.lv_u32; +} + +void ssl_message_extensions_next(const struct ssl_message *msg, char **value, size_t *value_sz) +{ + +} + +int ssl_message_reset_extensions_iter(struct ssl_message *msg) +{ + return 0; +} + +enum ssl_certificate_type ssl_certificate_type_get(const struct ssl_message *msg) +{ + return ((msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CERTIFICATE) ? msg->certificate->type : SSL_CERTIFICATE_TYPE_UNKNOWN); +} + +void ssl_message_validity_before_get0(const struct ssl_message *msg, char **value, size_t *value_sz) +{ + +} + +void ssl_message_validity_after_get0(const struct ssl_message *msg, char **value, size_t *value_sz) +{ + +} + +void ssl_message_issuer_serial_number_get0(const struct ssl_message *msg, char **value, size_t *value_sz) +{ + +} + +void ssl_message_subject_public_key_algorithm_get0(const struct ssl_message *msg, char **value, size_t *value_sz) +{ + +} + +void ssl_message_ssl_algorithm_identifier_get0(const struct ssl_message *msg, char **value, size_t *value_sz) +{ + +} + +void ssl_message_ssl_signature_algorithm_id_get0(const struct ssl_message *msg, char **value, size_t *value_sz) +{ + +} + +void ssl_message_subject_alter_next(const struct ssl_message *msg, char **value, size_t *value_sz) +{ + +} + +int ssl_message_reset_subject_alter_iter(struct ssl_message *msg) +{ + return 0; +} + +struct ssl_rdn_sequence *ssl_message_issuer_rdn_sequence_get0(const struct ssl_message *msg) +{ + return ((msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CERTIFICATE) ? &(msg->certificate->issuer) : NULL); +} + +struct ssl_rdn_sequence *ssl_message_subject_rdn_sequence_get0(const struct ssl_message *msg) +{ + return ((msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CERTIFICATE) ? &(msg->certificate->subject) : NULL); +} + +void ssl_rdn_sequence_common_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz) +{ + +} + +void ssl_rdn_sequence_country_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz) +{ + +} + +void ssl_rdn_sequence_locality_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz) +{ + +} + +void ssl_rdn_sequence_postal_code_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz) +{ + +} + +void ssl_rdn_sequence_organization_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz) +{ + +} + +void ssl_rdn_sequence_street_address_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz) +{ + +} + +void ssl_rdn_sequence_state_or_province_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz) +{ + +} + +void ssl_rdn_sequence_organizational_unit_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz) +{ + +} + +void ssl_rdn_sequence_list_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz) +{ + +} + +void ssl_message_protected_payload_get0(const struct ssl_message *msg, char **value, size_t *value_sz) +{ + +} \ No newline at end of file diff --git a/src/ssl_internal.h b/src/ssl_internal.h index 9e7dad1..2891b68 100644 --- a/src/ssl_internal.h +++ b/src/ssl_internal.h @@ -4,6 +4,44 @@ #include #include +#include "ssl_decoder.h" + +#define SSL_DECODER_TOML_PATH "conf/ssl/ssl_decoder.toml" + +#define SSL_DECODER_FALSE 0 +#define SSL_DECODER_TRUE 1 + +#define SSL_UUID_BYTES_SZ 16 + +#define SSL_RANDOM_TIME_LEN 4 +#define SSL_RANDOM_SIZE 28 + +#define SSL_HANDSHAKE_CLIENT_HELLO 1 +#define SSL_HANDSHAKE_SERVER_HELLO 2 +#define SSL_HANDSHAKE_CERTIFICATE 11 +#define SSL_HANDSHAKE_SERVER_KEY_EXCHANGE 12 + +#define SSL_CONTENT_TYPE_HANDSHAKE 0x16 +#define SSL_CONTENT_TYPE_ALERT 0x15 +#define SSL_CONTENT_TYPE_APPLICATION_DATA 0x17 +#define SSL_CONTENT_TYPE_CHANGE_CIPHER_SPEC 0x14 + +#define ALPN_EXT_TYPE 0x0010 +#define SERVER_NAME_EXT_TYPE 0x0000 +#define SERVER_NAME_HOST_TYPE 0x0000 +#define SERVER_NAME_OTHER_TYPE 0x0008 +#define SESSION_TICKET_EXT_TYPE 0x0023 +#define ENCRPTED_SERVER_NAME_EXT_TYPE 0xFFCE +#define ENCRPTED_CLIENT_HELLO_EXT_TYPE 0xFE0D +#define EC_POINT_FORMATS_EXT_TYPE 0x000B + +// https://datatracker.ietf.org/doc/html/rfc7919 +// Supported Groups +#define SUPPORTED_GROUPS_EXT_TYPE 0x000A + + +#define SSL_CERTIFICATE_NUM_MAX 8 +#define SSL_CERTIFICATE_VERSION_MAX 3 #define SSL_DECODER_VERSION_UNKNOWN 0x0000 #define SSL_DECODER_VERSION_SSL_V2_0 0x0002 @@ -132,11 +170,8 @@ struct ssl_algorithm_identifier struct ssl_certificate { - int total_len; - int cert_len; - char cert_type; - - //struct ssl_l1v version; + uint16_t version; + enum ssl_certificate_type type; struct ssl_validity validity; struct ssl_serial_number serial; struct ssl_rdn_sequence issuer; @@ -147,3 +182,23 @@ struct ssl_certificate struct ssl_algorithm_identifier algorithm_identifier; struct ssl_signature_algorithm_id signature_algorithm; }; + + +#define SSL_MESSAGE_MAGIC 0xEF53534C + +struct ssl_message +{ + uint32_t magic; + enum ssl_message_type type; + char uuid_bytes[SSL_UUID_BYTES_SZ]; + struct session *ss; + struct ssl_decoder_plugin_env *plugin_env; + union + { + struct ssl_client_hello *chello; + struct ssl_server_hello *shello; + struct ssl_certificate *certificate; + void *data; + }; + +}; diff --git a/src/version.map b/src/version.map index 9df1ad1..ed97cda 100644 --- a/src/version.map +++ b/src/version.map @@ -4,19 +4,15 @@ global: *ssl_decoder_init*; *ssl_decoder_exit*; *ssl_message_type_get*; - *ssl_message_header_id_get*; - *ssl_message_header_flag_get0*; - *ssl_message_query_question_get0*; - *ssl_query_question_qname_get0*; - *ssl_query_question_qtype_get0*; - *ssl_query_question_qclass_get0*; - *ssl_message_answer_resource_record_get0*; - *ssl_message_authority_resource_record_get0*; - *ssl_message_additional_resource_record_get0*; - *ssl_message_resource_record_json_exporter*; *ssl_message_uuid_get0*; - *ssl_message_resource_record_is_sslsec*; - *ssl_message_resource_record_cname_json_exporter*; + *ssl_message_esni_is_true*; + *ssl_message_ech_is_true*; + *ssl_message_sni_get0*; + *ssl_message_ja3hash_get0*; + *ssl_message_readable_version_get0*; + *ssl_message_ja3shash_get0*; + *ssl_message_extensions_next*; + *ssl_message_reset_extensions_iter*; *GIT*; }; local: *; diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index 2637478..97845cd 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt @@ -4,7 +4,7 @@ aux_source_directory(${PROJECT_SOURCE_DIR}/deps/yyjson DEPS_SRC) add_library(${PROJECT_NAME}_test_plug SHARED ssl_decoder_test.cpp ${DEPS_SRC}) add_dependencies(${PROJECT_NAME}_test_plug ${PROJECT_NAME}) -target_link_libraries(${PROJECT_NAME}_test_plug cjson) +target_link_libraries(${PROJECT_NAME}_test_plug cjson -Wl,--no-whole-archive openssl-crypto-static -Wl,--no-whole-archive openssl-ssl-static) set_target_properties(${PROJECT_NAME}_test_plug PROPERTIES PREFIX "") add_executable(ssl_decoder_perf_test @@ -12,9 +12,10 @@ add_executable(ssl_decoder_perf_test ssl_decoder_perf_dummy.cpp ${DEPS_SRC} ssl_decoder_test.cpp ${PROJECT_SOURCE_DIR}/src/ssl_decoder.cpp + ${PROJECT_SOURCE_DIR}/src/ssl_export.cpp ) -target_link_libraries(ssl_decoder_perf_test fieldstat4 pthread cjson -Wl,--no-whole-archive openssl-crypto-static -Wl,--no-whole-archive openssl-ssl-static) +target_link_libraries(ssl_decoder_perf_test fieldstat4 pthread cjson -Wl,--no-whole-archive openssl-crypto-static -Wl,--no-whole-archive openssl-ssl-static -ldl) set(TEST_RUN_DIR ${CMAKE_CURRENT_BINARY_DIR}/sapp) set(TEST_MAIN ${TEST_RUN_DIR}/plugin_test_main) @@ -47,46 +48,27 @@ add_test(NAME UPDATE_TEST_SO COMMAND sh -c "cp ${CMAKE_CURRENT_BINARY_DIR}/${PRO add_test(NAME MKDIR_PLUG_CONF COMMAND sh -c "mkdir -p ${TEST_RUN_DIR}/etc/ssl/") add_test(NAME UPDATE_PLUG_CONF COMMAND sh -c "cp ${PROJECT_SOURCE_DIR}/bin/${PROJECT_NAME}.toml ${TEST_RUN_DIR}/etc/ssl/${PROJECT_NAME}.toml") -# set_tests_properties(INSTALL_TEST_MAIN INSTALL_STELLAR UPDATE_SAPP_LOG COPY_CONFLIST COPY_INF COPY_TEST_MAIN COPY_SPEC UPDATE_PLUG_SO UPDATE_TEST_SO MKDIR_PLUG_CONF UPDATE_PLUG_CONF PROPERTIES FIXTURES_SETUP TestFixture) +set_tests_properties(INSTALL_TEST_MAIN INSTALL_STELLAR UPDATE_SAPP_LOG COPY_CONFLIST COPY_INF COPY_TEST_MAIN COPY_SPEC UPDATE_PLUG_SO UPDATE_TEST_SO MKDIR_PLUG_CONF UPDATE_PLUG_CONF PROPERTIES FIXTURES_SETUP TestFixture) # # run tests -# add_test(NAME MKDIR_METRICS COMMAND sh -c "mkdir -p ${TEST_RUN_DIR}/metrics/") -# add_test(NAME ssl_QUERY COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/query/query_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/query/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) -# add_test(NAME ssl_CNAME COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/cname/cname_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/cname/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) -# add_test(NAME ssl_NSEC_RR COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/nsec/nsec_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/nsec/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) -# add_test(NAME ssl_NSEC_10_1_RR COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/nsec_10_1/nsec_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/nsec_10_1/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) -# add_test(NAME ssl_NSEC3_RR COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/nsec3/nsec3_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/nsec3/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) -# add_test(NAME ssl_PTR COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/ptr/ptr_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/ptr/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) -# add_test(NAME ssl_SRV COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/srv/srv_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/srv/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) -# add_test(NAME ssl_TXT COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/txt/txt_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/txt/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) -# add_test(NAME ssl_HTTPS COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/https/https_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/https/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) -# add_test(NAME ssl_CERT1 COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/cernet1/cernet1_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/cernet1/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) -# add_test(NAME ssl_CERT2 COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/cernet2/cernet2_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/cernet2/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) -# add_test(NAME ssl_SEC COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/sslsec/sslsec_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/sslsec/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) -# add_test(NAME ssl_TCP_MULTI_TRANSCATION COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/multi_transcation/multi_transcation_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/multi_transcation/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) -# add_test(NAME ssl_TCP_MULTI_PKT_TRANS_2BYTES COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/multi_pkt_trans_2bytes/multi_pkt_trans_2bytes_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/multi_pkt_trans_2bytes/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) -# add_test(NAME ssl_TCP_LOST_PKT COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/tcp_lost_pkt/lost_pkt_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/tcp_lost_pkt/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) -# add_test(NAME ssl_MULTI_SESSION COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/multi_session/multi_session_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/multi_session/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) -# add_test(NAME ssl_NS_NSEC3_RRSIG_A_OPT COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/ns_nsec3_rrsig_a_opt/ns_nsec3_rrsig_a_opt_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/ns_nsec3_rrsig_a_opt/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) -# add_test(NAME ssl_PORT5353 COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/port5353/port5353_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/port5353/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) +add_test(NAME RUN_SSL_TEST COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/ssl/ssl_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/ssl -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) +add_test(NAME RUN_E21_BUG_E21_TEST COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/e21/ssl_e21_target_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/e21/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) +add_test(NAME RUN_E21_BUG_XXG_TEST COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/xxg/ssl_xxg_target_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/xxg/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) +add_test(NAME RUN_BUG_TEST COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/bug/ssl_bug_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/bug/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) +add_test(NAME RUN_MULTIPLE_HANDSHAKE_TEST COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/multiple_handshake/ssl_multiple_handshake_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/multiple_handshake/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) +add_test(NAME RUN_CLOSE_CONTAINS_PAYLOAD_TEST COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/close_contains_payload/ssl_close_contains_payload_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/close_contains_payload/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) +add_test(NAME RUN_EXTENSION_EXCEED_16 COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/extensions_exceed_16/extensions_exceed_16_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/extensions_exceed_16/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) +add_test(NAME RUN_CLIENT_HELLO_FRAGMENT COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/client_hello_fragment/ssl_client_hello_fragment_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/client_hello_fragment/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) +add_test(NAME RUN_ACK_CONTAINS_PAYLOAD COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/tcp_ack_contians_payload/ssl_tcp_ack_contians_payload_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/tcp_ack_contians_payload/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) -# set_tests_properties(ssl_QUERY -# ssl_CNAME -# ssl_NSEC_RR -# ssl_NSEC_10_1_RR -# ssl_NSEC3_RR -# ssl_PTR -# ssl_SRV -# ssl_TXT -# ssl_HTTPS -# ssl_CERT1 -# ssl_CERT2 -# ssl_SEC -# ssl_TCP_MULTI_TRANSCATION -# ssl_TCP_MULTI_PKT_TRANS_2BYTES -# ssl_TCP_LOST_PKT -# ssl_MULTI_SESSION -# ssl_NS_NSEC3_RRSIG_A_OPT -# ssl_PORT5353 -# PROPERTIES FIXTURES_REQUIRED TestFixture -# ) \ No newline at end of file +set_tests_properties(RUN_SSL_TEST + RUN_E21_BUG_E21_TEST + RUN_E21_BUG_XXG_TEST + RUN_BUG_TEST + RUN_MULTIPLE_HANDSHAKE_TEST + RUN_CLOSE_CONTAINS_PAYLOAD_TEST + RUN_EXTENSION_EXCEED_16 + RUN_CLIENT_HELLO_FRAGMENT + RUN_ACK_CONTAINS_PAYLOAD + PROPERTIES FIXTURES_REQUIRED TestFixture + ) \ No newline at end of file diff --git a/test/case/bug/1-ssl-192.168.50.52.17434.15.197.193.217.443.pcap b/test/case/bug/1-ssl-192.168.50.52.17434.15.197.193.217.443.pcap new file mode 100644 index 0000000..56a1224 Binary files /dev/null and b/test/case/bug/1-ssl-192.168.50.52.17434.15.197.193.217.443.pcap differ diff --git a/test/case/bug/ssl_bug_result.json b/test/case/bug/ssl_bug_result.json new file mode 100644 index 0000000..75cec24 --- /dev/null +++ b/test/case/bug/ssl_bug_result.json @@ -0,0 +1,23 @@ +[ + { + "Tuple4": "192.168.50.52.17434>15.197.193.217.443", + "ssl_sni": "match.adsrvr.org", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "8d2a028aa94425f76ced7826b1f39039", + "ssl_cert_version": "v3", + "ssl_cert_Issuer": "GlobalSign GCC R3 DV TLS CA 2020;GlobalSign nv-sa;;;;;BE", + "ssl_cert_IssuerCN": "GlobalSign GCC R3 DV TLS CA 2020", + "ssl_cert_IssuerO": "GlobalSign nv-sa", + "ssl_cert_IssuerC": "BE", + "ssl_cert_Sub": "*.adsrvr.org;;;;;;", + "ssl_cert_SubCN": "*.adsrvr.org", + "ssl_cert_SubAltName": "*.adsrvr.org;adsrvr.org", + "ssl_cert_SerialNum": "0x2ddaa6f359d4ce458fe983f1", + "ssl_cert_AgID": "1.2.840.113549.1.1.11", + "ssl_cert_From": "220331203750Z", + "ssl_cert_To": "230502203749Z", + "ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", + "name": "SSL_RESULT_1" + } +] \ No newline at end of file diff --git a/test/case/client_hello_fragment/1-ssl.client.hello.fragment.192.168.56.31.53868.74.118.186.107.443.pcap b/test/case/client_hello_fragment/1-ssl.client.hello.fragment.192.168.56.31.53868.74.118.186.107.443.pcap new file mode 100644 index 0000000..8e0001c Binary files /dev/null and b/test/case/client_hello_fragment/1-ssl.client.hello.fragment.192.168.56.31.53868.74.118.186.107.443.pcap differ diff --git a/test/case/client_hello_fragment/2-sni.client.hello.fragment.192.168.58.17.49218-23.216.55.29.443.pcap b/test/case/client_hello_fragment/2-sni.client.hello.fragment.192.168.58.17.49218-23.216.55.29.443.pcap new file mode 100644 index 0000000..6782478 Binary files /dev/null and b/test/case/client_hello_fragment/2-sni.client.hello.fragment.192.168.58.17.49218-23.216.55.29.443.pcap differ diff --git a/test/case/client_hello_fragment/3-ssl.client.hello.fragment.36.251.161.167.39777-143.92.57.79.443.pcap b/test/case/client_hello_fragment/3-ssl.client.hello.fragment.36.251.161.167.39777-143.92.57.79.443.pcap new file mode 100644 index 0000000..f81b4fe Binary files /dev/null and b/test/case/client_hello_fragment/3-ssl.client.hello.fragment.36.251.161.167.39777-143.92.57.79.443.pcap differ diff --git a/test/case/client_hello_fragment/ssl_client_hello_fragment_result.json b/test/case/client_hello_fragment/ssl_client_hello_fragment_result.json new file mode 100644 index 0000000..b392285 --- /dev/null +++ b/test/case/client_hello_fragment/ssl_client_hello_fragment_result.json @@ -0,0 +1,58 @@ +[ + { + "Tuple4": "192.168.56.31.53868>74.118.186.107.443", + "ssl_sni": "sync.targeting.unrulymedia.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "bc93a67ef4492974195865dc0262e65e", + "ssl_ja3s_hash": "b898351eb5e266aefd3723d466935494", + "ssl_cert_version": "v3", + "ssl_cert_Issuer": "Sectigo RSA Domain Validation Secure Server CA;Sectigo Limited;;Salford;;Greater Manchester;GB", + "ssl_cert_IssuerCN": "Sectigo RSA Domain Validation Secure Server CA", + "ssl_cert_IssuerO": "Sectigo Limited", + "ssl_cert_IssuerC": "GB", + "ssl_cert_IssuerP": "Greater Manchester", + "ssl_cert_IssuerL": "Salford", + "ssl_cert_Sub": "*.targeting.unrulymedia.com;;;;;;", + "ssl_cert_SubCN": "*.targeting.unrulymedia.com", + "ssl_cert_SubAltName": "*.targeting.unrulymedia.com;targeting.unrulymedia.com", + "ssl_cert_SerialNum": "0x888d5e51787e0f1f485dc542465d2034", + "ssl_cert_AgID": "1.2.840.113549.1.1.11", + "ssl_cert_From": "230510000000Z", + "ssl_cert_To": "240510235959Z", + "ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", + "name": "SSL_RESULT_1" + }, + { + "Tuple4": "192.168.58.17.49218>23.216.55.29.443", + "ssl_sni": "www.missionsports.org", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "a69708a64f853c3bcc214c2c5faf84f3", + "ssl_ja3s_hash": "10a2ad147a870ef37af153dea9fe4dd3", + "ssl_cert_version": "v3", + "ssl_cert_Issuer": "DigiCert TLS RSA SHA256 2020 CA1;DigiCert Inc;;;;;US", + "ssl_cert_IssuerCN": "DigiCert TLS RSA SHA256 2020 CA1", + "ssl_cert_IssuerO": "DigiCert Inc", + "ssl_cert_IssuerC": "US", + "ssl_cert_Sub": "a248.e.akamai.net;Akamai Technologies, Inc.;;Cambridge;;Massachusetts;US", + "ssl_cert_SubCN": "a248.e.akamai.net", + "ssl_cert_SubO": "Akamai Technologies, Inc.", + "ssl_cert_SubC": "US", + "ssl_cert_SubP": "Massachusetts", + "ssl_cert_SubL": "Cambridge", + "ssl_cert_SubAltName": "a248.e.akamai.net;*.akamaized.net;*.akamaized-staging.net;*.akamaihd.net;*.akamaihd-staging.net", + "ssl_cert_SerialNum": "0x0d61f7742d583251a2b8d5a26a1dda0b", + "ssl_cert_AgID": "1.2.840.113549.1.1.11", + "ssl_cert_From": "230516000000Z", + "ssl_cert_To": "240515235959Z", + "ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", + "name": "SSL_RESULT_2" + }, + { + "Tuple4": "36.251.161.167.39777>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "c3db97da3b30171e5cf9de314584b555", + "name": "SSL_RESULT_3" + } +] \ No newline at end of file diff --git a/test/case/close_contains_payload/1-TachyonVPN-192.168.50.28.63669-18.163.185.193.443.pcap b/test/case/close_contains_payload/1-TachyonVPN-192.168.50.28.63669-18.163.185.193.443.pcap new file mode 100644 index 0000000..514ed60 Binary files /dev/null and b/test/case/close_contains_payload/1-TachyonVPN-192.168.50.28.63669-18.163.185.193.443.pcap differ diff --git a/test/case/close_contains_payload/ssl_close_contains_payload_result.json b/test/case/close_contains_payload/ssl_close_contains_payload_result.json new file mode 100644 index 0000000..6f2fb4d --- /dev/null +++ b/test/case/close_contains_payload/ssl_close_contains_payload_result.json @@ -0,0 +1,28 @@ +[ + { + "Tuple4": "192.168.50.28.63669>18.163.185.193.443", + "ssl_sni": "www.firefox.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "45b1a0eca9605cd8789cd7e1a5ccd9b0", + "ssl_ja3s_hash": "9a1de6823a92d66172ce93d309e73e4e", + "ssl_cert_version": "v3", + "ssl_cert_Issuer": "DigiCert SHA2 Secure Server CA;DigiCert Inc;;;;;US", + "ssl_cert_IssuerCN": "DigiCert SHA2 Secure Server CA", + "ssl_cert_IssuerO": "DigiCert Inc", + "ssl_cert_IssuerC": "US", + "ssl_cert_Sub": "redirect-san.mozilla.org;Mozilla Corporation;WebOps;Mountain View;;California;US", + "ssl_cert_SubCN": "redirect-san.mozilla.org", + "ssl_cert_SubO": "Mozilla Corporation", + "ssl_cert_SubC": "US", + "ssl_cert_SubP": "California", + "ssl_cert_SubL": "Mountain View", + "ssl_cert_SubU": "WebOps", + "ssl_cert_SubAltName": "leandatapractices.org;leandatapractices.com;mozilla-podcasts.org;mozilla.com;gv.dev;getfirefox.com;geckoview.dev;firefoxquantum.com;firefox.com;taskcluster.net;contributejson.org;www.firefox.com;masterfirefoxos.mozilla.org;mobilepartners.mozilla.org;www.leandatapractices.org;www.leandatapractices.com;www.getfirefox.com;mozilla.org.uk;webwewant.mozilla.org;thehub.mozilla.com;nightly.mozilla.org;pontoon.mozillalabs.com;videos.mozilla.org;videos-cdn.mozilla.net;treestatus.mozilla.org;techspeakers.mozilla.org;redirect-san.mozilla.org;input.mozilla.com;join.mozilla.org;content.mozilla.org;activations.mozilla.org;addons.mozilla.com;airmo.mozilla.org;ask.mozilla.org;aurora.mozilla.org;beta.mozilla.org;careers.mozilla.com;designlanguage.mozilla.org;input.mozilla.org;dnt.mozilla.org;events.mozilla.org;forums.mozilla.org;friends.mozilla.org;git.mozilla.org;hub.mozilla.com;hub.mozilla.org;activations.mozilla.com;www.mozilla.com", + "ssl_cert_SerialNum": "0x019d2b994ec99445c735d2a6d739e43a", + "ssl_cert_AgID": "1.2.840.113549.1.1.11", + "ssl_cert_From": "200406000000Z", + "ssl_cert_To": "210414120000Z", + "ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", + "name": "SSL_RESULT_1" + } +] \ No newline at end of file diff --git a/test/case/e21/1-E21-target.com-196.188.136.150-151.101.2.187.443.pcap b/test/case/e21/1-E21-target.com-196.188.136.150-151.101.2.187.443.pcap new file mode 100644 index 0000000..8db407f Binary files /dev/null and b/test/case/e21/1-E21-target.com-196.188.136.150-151.101.2.187.443.pcap differ diff --git a/test/case/e21/ssl_e21_target_result.json b/test/case/e21/ssl_e21_target_result.json new file mode 100644 index 0000000..6b8547e --- /dev/null +++ b/test/case/e21/ssl_e21_target_result.json @@ -0,0 +1,502 @@ +[ + { + "Tuple4": "10.10.10.162.55173>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_1" + }, + { + "Tuple4": "10.10.10.162.55174>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_2" + }, + { + "Tuple4": "10.10.10.162.55176>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_3" + }, + { + "Tuple4": "10.10.10.162.55177>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_4" + }, + { + "Tuple4": "10.10.10.162.55178>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_5" + }, + { + "Tuple4": "10.10.10.162.55179>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_6" + }, + { + "Tuple4": "10.10.10.162.55180>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_7" + }, + { + "Tuple4": "10.10.10.162.55181>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_8" + }, + { + "Tuple4": "10.10.10.162.55182>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_9" + }, + { + "Tuple4": "10.10.10.162.55184>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_10" + }, + { + "Tuple4": "10.10.10.162.55214>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_11" + }, + { + "Tuple4": "10.10.10.162.55215>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_12" + }, + { + "Tuple4": "10.10.10.162.55183>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "16c0b3e6a7b8173c16d944cfeaeee9cf", + "ssl_cert_version": "v3", + "ssl_cert_Issuer": "GlobalSign Atlas R3 OV TLS CA H2 2021;GlobalSign nv-sa;;;;;BE", + "ssl_cert_IssuerCN": "GlobalSign Atlas R3 OV TLS CA H2 2021", + "ssl_cert_IssuerO": "GlobalSign nv-sa", + "ssl_cert_IssuerC": "BE", + "ssl_cert_Sub": "sites.target.com;Target Corporation;;Minneapolis;;Minnesota;US", + "ssl_cert_SubCN": "sites.target.com", + "ssl_cert_SubO": "Target Corporation", + "ssl_cert_SubC": "US", + "ssl_cert_SubP": "Minnesota", + "ssl_cert_SubL": "Minneapolis", + "ssl_cert_SubCN": "sites.target.com", + "ssl_cert_SubAltName": "sites.target.com;affiliate.target.com;android.studioconnect.live;api.studioconnect.live;apollo-metrics.target.com;assethub.partnersonline.com;assethub.target.com;awesomeshop.target.com;bex.partnersonline.com;bex.target.com;cartster.target.com;cartwheel.target.com;cartwheelws-secure.target.com;circle.target.com;connect.roundel.com;connectedcommerce.target.com;corporate.target.com;developer.target.com;dojo.target.com;doppler.partnersonline.com;elevate.target.com;extgargantua.partnersonline.com;factorial.partnersonline.com;finds.target.com;gql.studioconnect.live;greenfield.partnersonline.com;greenfield.target.com;hrocdocrequest.target.com;iccon.target.com;incubator.target.com;india.target.com;ios.studioconnect.live;jira.target.com;launchpad.partnersonline.com;launchpad.target.com;leads.studioconnect.live;m.target.com;marketinghub.target.com;mercury.partnersonline.com;mickra.target.com;mickradashboard.target.com;mvs.partnersonline.com;mytime.target.com;nic.target;openhouse.target.com;opensource.target.com;osmosis.partnersonline.com;partnersonline.com;pcn.partnersonline.com;peg.partnersonline.com;photosubmission.target.com;pid.partnersonline.com;plus.target.com;pmworkorderadmin.partnersonline.com;poladmin.partnersonline.com;pop.partnersonline.com;qmp.partnersonline.com;qr.target.com;r2d2.target.com;rdmplus.target.com;recognize.target.com;redcard.target.com;redirect.studioconnect.live;rik.roundel.com;roundel.com;rubix.partnersonline.com;rubix.target.com;security.target.com;servicetech.target.com;sm.partnersonline.com;spark.partnersonline.com;spark.target.com;studioconnect.live;stylehub.target.com;synergy.partnersonline.com;target.com;targetmedianetwork.target.com;targetopenhouse.com;tepagent.target.com;tgt-files.target.com;tgtdriver.partnersonline.com;ti-event-prod.target.com;tiam.target.com;tiiam.target.com;tvi.partnersonline.com;viewpoint.target.com;weeklyad.target.com;www.partnersonline.com;www.roundel.com;www.target.com;www.targetopenhouse.com", + "ssl_cert_SerialNum": "0x012ede33fc9283773396e9b1ff995262", + "ssl_cert_AgID": "1.2.840.113549.1.1.11", + "ssl_cert_From": "210928164609Z", + "ssl_cert_To": "221030164608Z", + "ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", + "name": "SSL_RESULT_13" + }, + { + "Tuple4": "10.10.10.162.55242>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "16c0b3e6a7b8173c16d944cfeaeee9cf", + "ssl_cert_version": "v3", + "ssl_cert_Issuer": "GlobalSign Atlas R3 OV TLS CA H2 2021;GlobalSign nv-sa;;;;;BE", + "ssl_cert_IssuerCN": "GlobalSign Atlas R3 OV TLS CA H2 2021", + "ssl_cert_IssuerO": "GlobalSign nv-sa", + "ssl_cert_IssuerC": "BE", + "ssl_cert_Sub": "sites.target.com;Target Corporation;;Minneapolis;;Minnesota;US", + "ssl_cert_SubCN": "sites.target.com", + "ssl_cert_SubO": "Target Corporation", + "ssl_cert_SubC": "US", + "ssl_cert_SubP": "Minnesota", + "ssl_cert_SubL": "Minneapolis", + "ssl_cert_SubCN": "sites.target.com", + "ssl_cert_SubAltName": "sites.target.com;affiliate.target.com;android.studioconnect.live;api.studioconnect.live;apollo-metrics.target.com;assethub.partnersonline.com;assethub.target.com;awesomeshop.target.com;bex.partnersonline.com;bex.target.com;cartster.target.com;cartwheel.target.com;cartwheelws-secure.target.com;circle.target.com;connect.roundel.com;connectedcommerce.target.com;corporate.target.com;developer.target.com;dojo.target.com;doppler.partnersonline.com;elevate.target.com;extgargantua.partnersonline.com;factorial.partnersonline.com;finds.target.com;gql.studioconnect.live;greenfield.partnersonline.com;greenfield.target.com;hrocdocrequest.target.com;iccon.target.com;incubator.target.com;india.target.com;ios.studioconnect.live;jira.target.com;launchpad.partnersonline.com;launchpad.target.com;leads.studioconnect.live;m.target.com;marketinghub.target.com;mercury.partnersonline.com;mickra.target.com;mickradashboard.target.com;mvs.partnersonline.com;mytime.target.com;nic.target;openhouse.target.com;opensource.target.com;osmosis.partnersonline.com;partnersonline.com;pcn.partnersonline.com;peg.partnersonline.com;photosubmission.target.com;pid.partnersonline.com;plus.target.com;pmworkorderadmin.partnersonline.com;poladmin.partnersonline.com;pop.partnersonline.com;qmp.partnersonline.com;qr.target.com;r2d2.target.com;rdmplus.target.com;recognize.target.com;redcard.target.com;redirect.studioconnect.live;rik.roundel.com;roundel.com;rubix.partnersonline.com;rubix.target.com;security.target.com;servicetech.target.com;sm.partnersonline.com;spark.partnersonline.com;spark.target.com;studioconnect.live;stylehub.target.com;synergy.partnersonline.com;target.com;targetmedianetwork.target.com;targetopenhouse.com;tepagent.target.com;tgt-files.target.com;tgtdriver.partnersonline.com;ti-event-prod.target.com;tiam.target.com;tiiam.target.com;tvi.partnersonline.com;viewpoint.target.com;weeklyad.target.com;www.partnersonline.com;www.roundel.com;www.target.com;www.targetopenhouse.com", + "ssl_cert_SerialNum": "0x012ede33fc9283773396e9b1ff995262", + "ssl_cert_AgID": "1.2.840.113549.1.1.11", + "ssl_cert_From": "210928164609Z", + "ssl_cert_To": "221030164608Z", + "ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", + "name": "SSL_RESULT_14" + }, + { + "Tuple4": "10.10.10.162.55241>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_15" + }, + { + "Tuple4": "10.10.10.162.55274>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_16" + }, + { + "Tuple4": "10.10.10.162.55273>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_17" + }, + { + "Tuple4": "10.10.10.162.55279>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_18" + }, + { + "Tuple4": "10.10.10.162.55282>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_19" + }, + { + "Tuple4": "10.10.10.162.55283>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_20" + }, + { + "Tuple4": "10.10.10.162.55284>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_21" + }, + { + "Tuple4": "10.10.10.162.55285>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_22" + }, + { + "Tuple4": "10.10.10.162.55286>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_23" + }, + { + "Tuple4": "10.10.10.162.55287>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_24" + }, + { + "Tuple4": "10.10.10.162.55288>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_25" + }, + { + "Tuple4": "10.10.10.162.55289>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_26" + }, + { + "Tuple4": "10.10.10.162.55296>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_27" + }, + { + "Tuple4": "10.10.10.162.55297>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_28" + }, + { + "Tuple4": "10.10.10.162.55298>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_29" + }, + { + "Tuple4": "10.10.10.162.55299>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_30" + }, + { + "Tuple4": "10.10.10.162.55300>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_31" + }, + { + "Tuple4": "10.10.10.162.55301>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_32" + }, + { + "Tuple4": "10.10.10.162.55306>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_33" + }, + { + "Tuple4": "10.10.10.162.55307>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_34" + }, + { + "Tuple4": "10.10.10.162.55308>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_35" + }, + { + "Tuple4": "10.10.10.162.55309>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_36" + }, + { + "Tuple4": "10.10.10.162.55311>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_37" + }, + { + "Tuple4": "10.10.10.162.55312>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_38" + }, + { + "Tuple4": "10.10.10.162.55321>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_39" + }, + { + "Tuple4": "10.10.10.162.55322>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_40" + }, + { + "Tuple4": "10.10.10.162.55323>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_41" + }, + { + "Tuple4": "10.10.10.162.55324>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_42" + }, + { + "Tuple4": "10.10.10.162.55325>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_43" + }, + { + "Tuple4": "10.10.10.162.55326>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_44" + }, + { + "Tuple4": "10.10.10.162.55327>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_45" + }, + { + "Tuple4": "10.10.10.162.55328>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_46" + }, + { + "Tuple4": "10.10.10.162.55330>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_47" + }, + { + "Tuple4": "10.10.10.162.55331>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_48" + }, + { + "Tuple4": "10.10.10.162.55332>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_49" + }, + { + "Tuple4": "10.10.10.162.55334>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_50" + }, + { + "Tuple4": "10.10.10.162.55336>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_51" + }, + { + "Tuple4": "10.10.10.162.55337>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_52" + }, + { + "Tuple4": "10.10.10.162.55338>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_53" + }, + { + "Tuple4": "10.10.10.162.55343>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_54" + }, + { + "Tuple4": "10.10.10.162.55344>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_55" + }, + { + "Tuple4": "10.10.10.162.55345>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_56" + }, + { + "Tuple4": "10.10.10.162.55346>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_57" + }, + { + "Tuple4": "10.10.10.162.55349>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_58" + }, + { + "Tuple4": "10.10.10.162.55348>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_59" + }, + { + "Tuple4": "10.10.10.162.55352>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_60" + }, + { + "Tuple4": "10.10.10.162.55353>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_61" + }, + { + "Tuple4": "10.10.10.162.55356>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_62" + }, + { + "Tuple4": "10.10.10.162.55357>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_63" + }, + { + "Tuple4": "10.10.10.162.55359>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_64" + }, + { + "Tuple4": "10.10.10.162.55358>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_65" + }, + { + "Tuple4": "10.10.10.162.55364>151.101.2.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_66" + } +] \ No newline at end of file diff --git a/test/case/extensions_exceed_16/1-ssl.ex.exceed16-192.168.64.8.53446-185.63.190.2.443.pcap b/test/case/extensions_exceed_16/1-ssl.ex.exceed16-192.168.64.8.53446-185.63.190.2.443.pcap new file mode 100644 index 0000000..79f6f41 Binary files /dev/null and b/test/case/extensions_exceed_16/1-ssl.ex.exceed16-192.168.64.8.53446-185.63.190.2.443.pcap differ diff --git a/test/case/extensions_exceed_16/extensions_exceed_16_result.json b/test/case/extensions_exceed_16/extensions_exceed_16_result.json new file mode 100644 index 0000000..c5416e0 --- /dev/null +++ b/test/case/extensions_exceed_16/extensions_exceed_16_result.json @@ -0,0 +1,10 @@ +[ + { + "Tuple4": "192.168.64.8.53466>185.63.190.2.443", + "ssl_sni": "fermer.ru", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "afa0d02228072fc4b02a7772a668c64a", + "name": "SSL_RESULT_1" + } +] \ No newline at end of file diff --git a/test/case/multiple_handshake/3-ssl-with-cert.pcap b/test/case/multiple_handshake/3-ssl-with-cert.pcap new file mode 100644 index 0000000..d386c5a Binary files /dev/null and b/test/case/multiple_handshake/3-ssl-with-cert.pcap differ diff --git a/test/case/multiple_handshake/ssl_multiple_handshake_result.json b/test/case/multiple_handshake/ssl_multiple_handshake_result.json new file mode 100644 index 0000000..196135d --- /dev/null +++ b/test/case/multiple_handshake/ssl_multiple_handshake_result.json @@ -0,0 +1,23 @@ +[ + { + "Tuple4": "192.168.32.27.52705>202.89.233.101.443", + "ssl_sni": "cn.bing.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "67bfe5d15ae567fb35fd7837f0116eec", + "ssl_cert_version": "v3", + "ssl_cert_Issuer": "Microsoft RSA TLS CA 02;Microsoft Corporation;;;;;US", + "ssl_cert_IssuerCN": "Microsoft RSA TLS CA 02", + "ssl_cert_IssuerO": "Microsoft Corporation", + "ssl_cert_IssuerC": "US", + "ssl_cert_Sub": "www.bing.com;;;;;;", + "ssl_cert_SubCN": "www.bing.com", + "ssl_cert_SubAltName": "www.bing.com;dict.bing.com.cn;*.platform.bing.com;*.bing.com;bing.com;ieonline.microsoft.com;*.windowssearch.com;cn.ieonline.microsoft.com;*.origin.bing.com;*.mm.bing.net;*.api.bing.com;ecn.dev.virtualearth.net;*.cn.bing.net;*.cn.bing.com;ssl-api.bing.com;ssl-api.bing.net;*.api.bing.net;*.bingapis.com;bingsandbox.com;feedback.microsoft.com;insertmedia.bing.office.net;r.bat.bing.com;*.r.bat.bing.com;*.dict.bing.com.cn;*.dict.bing.com;*.ssl.bing.com;*.appex.bing.com;*.platform.cn.bing.com;wp.m.bing.com;*.m.bing.com;global.bing.com;windowssearch.com;search.msn.com;*.bingsandbox.com;*.api.tiles.ditu.live.com;*.ditu.live.com;*.t0.tiles.ditu.live.com;*.t1.tiles.ditu.live.com;*.t2.tiles.ditu.live.com;*.t3.tiles.ditu.live.com;*.tiles.ditu.live.com;3d.live.com;api.search.live.com;beta.search.live.com;cnweb.search.live.com;dev.live.com;ditu.live.com;farecast.live.com;image.live.com;images.live.com;local.live.com.au;localsearch.live.com;ls4d.search.live.com;mail.live.com;mapindia.live.com;local.live.com;maps.live.com;maps.live.com.au;mindia.live.com;news.live.com;origin.cnweb.search.live.com;preview.local.live.com;search.live.com;test.maps.live.com;video.live.com;videos.live.com;virtualearth.live.com;wap.live.com;webmaster.live.com;webmasters.live.com;www.local.live.com.au;www.maps.live.com.au", + "ssl_cert_SerialNum": "0x7f0012e261129541195fac1a6000000012e261", + "ssl_cert_AgID": "1.2.840.113549.1.1.11", + "ssl_cert_From": "210706015313Z", + "ssl_cert_To": "220106015313Z", + "ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", + "name": "SSL_RESULT_1" + } +] \ No newline at end of file diff --git a/test/case/ssl/1-ssl-sun9-20.userapi.com-90.143.182.94.55835-93.186.227.131.443.pcap b/test/case/ssl/1-ssl-sun9-20.userapi.com-90.143.182.94.55835-93.186.227.131.443.pcap new file mode 100644 index 0000000..3969116 Binary files /dev/null and b/test/case/ssl/1-ssl-sun9-20.userapi.com-90.143.182.94.55835-93.186.227.131.443.pcap differ diff --git a/test/case/ssl/2-ssl-v1.3-esni-192.168.50.38.52391-104.16.123.96.443.pcap b/test/case/ssl/2-ssl-v1.3-esni-192.168.50.38.52391-104.16.123.96.443.pcap new file mode 100644 index 0000000..e5e20b5 Binary files /dev/null and b/test/case/ssl/2-ssl-v1.3-esni-192.168.50.38.52391-104.16.123.96.443.pcap differ diff --git a/test/case/ssl/3-tls_ech.pcap b/test/case/ssl/3-tls_ech.pcap new file mode 100644 index 0000000..0cb473f Binary files /dev/null and b/test/case/ssl/3-tls_ech.pcap differ diff --git a/test/case/ssl/ssl_result.json b/test/case/ssl/ssl_result.json new file mode 100644 index 0000000..8afb659 --- /dev/null +++ b/test/case/ssl/ssl_result.json @@ -0,0 +1,53 @@ +[ + { + "Tuple4": "192.168.50.38.52391>104.16.123.96.443", + "ssl_sni": "ESNI", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "62a4a00de930bd0a5bee0309cc8362ed", + "ssl_ja3s_hash": "eb1d94daa7e0344597e756a1fb6e7054", + "name": "SSL_RESULT_1" + }, + { + "Tuple4": "192.168.2.102.56768>34.138.246.121.443", + "ssl_sni": "public.tls-ech.dev", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "a195b9c006fcb23ab9a2343b0871e362", + "ssl_ja3s_hash": "2b0648ab686ee45e0e7c35fcfb0eea7e", + "name": "SSL_RESULT_2" + }, + { + "Tuple4": "90.143.182.94.55835>93.186.227.131.443", + "ssl_sni": "sun9-20.userapi.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "6f5e62edfa5933b1332ddf8b9fb3ef9d", + "ssl_ja3s_hash": "2d1eb5817ece335c24904f516ad5da12", + "ssl_cert_version": "v3", + "ssl_cert_Issuer": "GlobalSign Organization Validation CA - SHA256 - G2;GlobalSign nv-sa;;;;;BE", + "ssl_cert_IssuerCN": "GlobalSign Organization Validation CA - SHA256 - G2", + "ssl_cert_IssuerO": "GlobalSign nv-sa", + "ssl_cert_IssuerC": "BE", + "ssl_cert_Sub": "*.userapi.com;V Kontakte LLC;;Saint-Petersburg;;Saint-Petersburg;RU", + "ssl_cert_SubCN": "*.userapi.com", + "ssl_cert_SubO": "V Kontakte LLC", + "ssl_cert_SubC": "RU", + "ssl_cert_SubP": "Saint-Petersburg", + "ssl_cert_SubL": "Saint-Petersburg", + "ssl_cert_SubAltName": "*.userapi.com;vk.me;*.vk-cdn.net;*.vkuserlive.com;*.vkuserlive.net;*.vkuseraudio.net;*.vkuseraudio.com;*.vkuservideo.net;*.vkuservideo.com;*.vk.me;userapi.com", + "ssl_cert_SerialNum": "0x5afa3a189e6a5c11e1e18b0f", + "ssl_cert_AgID": "1.2.840.113549.1.1.11", + "ssl_cert_From": "180717083809Z", + "ssl_cert_To": "190714162604Z", + "ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", + "name": "SSL_RESULT_3" + }, + { + "Tuple4": "192.168.2.102.56776>34.138.246.121.443", + "ssl_sni": "public.tls-ech.dev", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "a195b9c006fcb23ab9a2343b0871e362", + "ssl_ja3s_hash": "2b0648ab686ee45e0e7c35fcfb0eea7e", + "name": "SSL_RESULT_4" + } +] \ No newline at end of file diff --git a/test/case/tcp_ack_contians_payload/1-tcp_ack_contains_payload.pcap b/test/case/tcp_ack_contians_payload/1-tcp_ack_contains_payload.pcap new file mode 100644 index 0000000..199f7ee Binary files /dev/null and b/test/case/tcp_ack_contians_payload/1-tcp_ack_contains_payload.pcap differ diff --git a/test/case/tcp_ack_contians_payload/ssl_tcp_ack_contians_payload_result.json b/test/case/tcp_ack_contians_payload/ssl_tcp_ack_contians_payload_result.json new file mode 100644 index 0000000..9632ce8 --- /dev/null +++ b/test/case/tcp_ack_contians_payload/ssl_tcp_ack_contians_payload_result.json @@ -0,0 +1,114 @@ +[ + { + "Tuple4": "36.251.161.167.39018>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "6f7971785f5cbbcb21819b6639f0e8f7", + "name": "SSL_RESULT_1" + }, + { + "Tuple4": "36.251.161.167.39025>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "0ac1d260c0b1f0e3bf645d6580ea6343", + "name": "SSL_RESULT_2" + }, + { + "Tuple4": "36.251.161.167.39112>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "ca54aeeb513ecacf4d7bc22c5d8f0b75", + "name": "SSL_RESULT_3" + }, + { + "Tuple4": "36.251.161.167.39423>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "9e41793e6f0a1696bedc0876465e1f42", + "name": "SSL_RESULT_4" + }, + { + "Tuple4": "36.251.161.167.39680>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "47c3fabcf1bc65a32a9d3fb8e70ab79d", + "name": "SSL_RESULT_5" + }, + { + "Tuple4": "36.251.161.167.39809>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "04331a57b3e122e689c373712edf42c0", + "name": "SSL_RESULT_6" + }, + { + "Tuple4": "36.251.161.167.39816>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "34c3efe4e6565e8eef2eaaeb7c12a1a6", + "name": "SSL_RESULT_7" + }, + { + "Tuple4": "36.251.161.167.39820>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cc97290a5bb4651489fe7a88e93ace90", + "name": "SSL_RESULT_8" + }, + { + "Tuple4": "36.251.161.167.39825>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "4e6ae21ce8b876dc7cad2f5ca9a60b23", + "name": "SSL_RESULT_9" + }, + { + "Tuple4": "36.251.161.167.39832>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "89cb560e9ee2d33728756a2d4d7b2900", + "name": "SSL_RESULT_10" + }, + { + "Tuple4": "36.251.161.167.39850>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "7324d30178b21f4c3a60550ef43d5ab0", + "name": "SSL_RESULT_11" + }, + { + "Tuple4": "36.251.161.167.39867>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "53fed08198669268c271fc320627c0c4", + "name": "SSL_RESULT_12" + }, + { + "Tuple4": "36.251.161.167.39777>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "c3db97da3b30171e5cf9de314584b555", + "name": "SSL_RESULT_13" + }, + { + "Tuple4": "36.251.161.167.39810>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "ff194650bab04e7b4cd55e66fd91c010", + "name": "SSL_RESULT_14" + } +] \ No newline at end of file diff --git a/test/case/xxg/1-18-target.com.pcap b/test/case/xxg/1-18-target.com.pcap new file mode 100644 index 0000000..c4a9fc0 Binary files /dev/null and b/test/case/xxg/1-18-target.com.pcap differ diff --git a/test/case/xxg/ssl_xxg_target_result.json b/test/case/xxg/ssl_xxg_target_result.json new file mode 100644 index 0000000..4316465 --- /dev/null +++ b/test/case/xxg/ssl_xxg_target_result.json @@ -0,0 +1,1493 @@ +[ + { + "Tuple4": "192.168.50.33.51933>54.230.21.91.443", + "name": "SSL_RESULT_1" + }, + { + "Tuple4": "192.168.50.52.17312>142.250.66.99.443", + "ssl_sni": "www.gstatic.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "eb1d94daa7e0344597e756a1fb6e7054", + "name": "SSL_RESULT_2" + }, + { + "Tuple4": "192.168.50.52.17313>142.250.66.99.443", + "ssl_sni": "www.gstatic.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "eb1d94daa7e0344597e756a1fb6e7054", + "name": "SSL_RESULT_3" + }, + { + "Tuple4": "192.168.50.52.17330>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_4" + }, + { + "Tuple4": "192.168.50.52.17332>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_5" + }, + { + "Tuple4": "192.168.50.52.17331>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_6" + }, + { + "Tuple4": "192.168.50.52.17335>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_7" + }, + { + "Tuple4": "192.168.50.52.17337>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_8" + }, + { + "Tuple4": "192.168.50.52.17336>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_9" + }, + { + "Tuple4": "192.168.50.52.17339>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_10" + }, + { + "Tuple4": "192.168.50.52.17340>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_11" + }, + { + "Tuple4": "192.168.50.33.63477>142.250.66.78.443", + "name": "SSL_RESULT_12" + }, + { + "Tuple4": "192.168.50.52.17356>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_13" + }, + { + "Tuple4": "192.168.50.52.17357>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_14" + }, + { + "Tuple4": "192.168.50.52.17358>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_15" + }, + { + "Tuple4": "192.168.50.52.17359>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_16" + }, + { + "Tuple4": "192.168.50.33.50714>142.250.66.134.443", + "name": "SSL_RESULT_17" + }, + { + "Tuple4": "192.168.50.52.17367>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_18" + }, + { + "Tuple4": "192.168.50.52.17368>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_19" + }, + { + "Tuple4": "192.168.50.52.17370>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_20" + }, + { + "Tuple4": "192.168.50.52.17369>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_21" + }, + { + "Tuple4": "192.168.50.52.17378>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_22" + }, + { + "Tuple4": "192.168.50.52.17379>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_23" + }, + { + "Tuple4": "192.168.50.52.17383>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_24" + }, + { + "Tuple4": "192.168.50.52.17382>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_25" + }, + { + "Tuple4": "192.168.50.52.17385>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_26" + }, + { + "Tuple4": "192.168.50.52.17389>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_27" + }, + { + "Tuple4": "192.168.50.52.17387>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_28" + }, + { + "Tuple4": "192.168.50.52.17386>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_29" + }, + { + "Tuple4": "192.168.50.52.17390>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_30" + }, + { + "Tuple4": "192.168.50.52.17391>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_31" + }, + { + "Tuple4": "192.168.50.52.17392>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_32" + }, + { + "Tuple4": "192.168.50.52.17395>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_33" + }, + { + "Tuple4": "192.168.50.52.17393>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_34" + }, + { + "Tuple4": "192.168.50.52.17396>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_35" + }, + { + "Tuple4": "192.168.50.52.17394>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_36" + }, + { + "Tuple4": "192.168.50.52.17397>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_37" + }, + { + "Tuple4": "192.168.50.52.17398>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_38" + }, + { + "Tuple4": "192.168.50.52.17403>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_39" + }, + { + "Tuple4": "192.168.50.52.17402>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_40" + }, + { + "Tuple4": "192.168.50.52.17405>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_41" + }, + { + "Tuple4": "192.168.50.52.17404>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_42" + }, + { + "Tuple4": "192.168.50.52.17406>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_43" + }, + { + "Tuple4": "192.168.50.52.17407>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_44" + }, + { + "Tuple4": "192.168.50.52.17409>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_45" + }, + { + "Tuple4": "192.168.50.52.17408>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_46" + }, + { + "Tuple4": "192.168.50.52.17413>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_47" + }, + { + "Tuple4": "192.168.50.52.17412>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_48" + }, + { + "Tuple4": "192.168.50.52.17415>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_49" + }, + { + "Tuple4": "192.168.50.52.17416>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_50" + }, + { + "Tuple4": "192.168.50.52.17421>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_51" + }, + { + "Tuple4": "192.168.50.52.17420>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_52" + }, + { + "Tuple4": "192.168.50.52.17422>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_53" + }, + { + "Tuple4": "192.168.50.52.17423>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_54" + }, + { + "Tuple4": "192.168.50.52.17424>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_55" + }, + { + "Tuple4": "192.168.50.52.17429>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_56" + }, + { + "Tuple4": "192.168.50.52.17430>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_57" + }, + { + "Tuple4": "192.168.50.52.17380>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_58" + }, + { + "Tuple4": "192.168.50.52.17438>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_59" + }, + { + "Tuple4": "192.168.50.52.17388>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_60" + }, + { + "Tuple4": "192.168.50.52.17439>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_61" + }, + { + "Tuple4": "192.168.50.52.17401>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_62" + }, + { + "Tuple4": "192.168.50.52.17400>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_63" + }, + { + "Tuple4": "192.168.50.52.17440>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_64" + }, + { + "Tuple4": "192.168.50.52.17442>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_65" + }, + { + "Tuple4": "192.168.50.52.17443>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_66" + }, + { + "Tuple4": "192.168.50.52.17441>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_67" + }, + { + "Tuple4": "192.168.50.52.17410>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_68" + }, + { + "Tuple4": "192.168.50.52.17444>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_69" + }, + { + "Tuple4": "192.168.50.52.17445>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_70" + }, + { + "Tuple4": "192.168.50.52.17419>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_71" + }, + { + "Tuple4": "192.168.50.52.17417>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_72" + }, + { + "Tuple4": "192.168.50.52.17414>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_73" + }, + { + "Tuple4": "192.168.50.52.17411>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_74" + }, + { + "Tuple4": "192.168.50.52.17448>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_75" + }, + { + "Tuple4": "192.168.50.52.17449>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_76" + }, + { + "Tuple4": "192.168.50.52.17451>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_77" + }, + { + "Tuple4": "192.168.50.52.17452>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_78" + }, + { + "Tuple4": "192.168.50.52.17453>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_79" + }, + { + "Tuple4": "192.168.50.52.17454>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_80" + }, + { + "Tuple4": "192.168.50.52.17455>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_81" + }, + { + "Tuple4": "192.168.50.52.17425>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_82" + }, + { + "Tuple4": "192.168.50.52.17426>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_83" + }, + { + "Tuple4": "192.168.50.52.17456>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_84" + }, + { + "Tuple4": "192.168.50.52.17457>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_85" + }, + { + "Tuple4": "192.168.50.52.17458>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_86" + }, + { + "Tuple4": "192.168.50.52.17459>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_87" + }, + { + "Tuple4": "192.168.50.52.17428>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_88" + }, + { + "Tuple4": "192.168.50.52.17460>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_89" + }, + { + "Tuple4": "192.168.50.52.17461>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_90" + }, + { + "Tuple4": "192.168.50.52.17462>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_91" + }, + { + "Tuple4": "192.168.50.52.17464>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_92" + }, + { + "Tuple4": "192.168.50.52.17463>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_93" + }, + { + "Tuple4": "192.168.50.52.17466>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_94" + }, + { + "Tuple4": "192.168.50.52.17465>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_95" + }, + { + "Tuple4": "192.168.50.52.17468>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_96" + }, + { + "Tuple4": "192.168.50.52.17431>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_97" + }, + { + "Tuple4": "192.168.50.52.17469>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_98" + }, + { + "Tuple4": "192.168.50.52.17470>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_99" + }, + { + "Tuple4": "192.168.50.52.17473>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_100" + }, + { + "Tuple4": "192.168.50.52.17474>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_101" + }, + { + "Tuple4": "192.168.50.52.17471>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_102" + }, + { + "Tuple4": "192.168.50.52.17472>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_103" + }, + { + "Tuple4": "192.168.50.52.17475>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_104" + }, + { + "Tuple4": "192.168.50.52.17476>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_105" + }, + { + "Tuple4": "192.168.50.52.17477>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_106" + }, + { + "Tuple4": "192.168.50.52.17481>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_107" + }, + { + "Tuple4": "192.168.50.52.17479>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_108" + }, + { + "Tuple4": "192.168.50.52.17483>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_109" + }, + { + "Tuple4": "192.168.50.52.17484>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_110" + }, + { + "Tuple4": "192.168.50.52.17485>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_111" + }, + { + "Tuple4": "192.168.50.52.17486>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_112" + }, + { + "Tuple4": "192.168.50.52.17487>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_113" + }, + { + "Tuple4": "192.168.50.52.17488>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_114" + }, + { + "Tuple4": "192.168.50.52.17490>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_115" + }, + { + "Tuple4": "192.168.50.52.17491>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_116" + }, + { + "Tuple4": "192.168.50.52.17492>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_117" + }, + { + "Tuple4": "192.168.50.52.17493>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_118" + }, + { + "Tuple4": "192.168.50.52.17494>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_119" + }, + { + "Tuple4": "192.168.50.52.17495>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_120" + }, + { + "Tuple4": "192.168.50.52.17496>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_121" + }, + { + "Tuple4": "192.168.50.52.17497>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_122" + }, + { + "Tuple4": "192.168.50.52.17498>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_123" + }, + { + "Tuple4": "192.168.50.52.17499>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_124" + }, + { + "Tuple4": "192.168.50.52.17500>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_125" + }, + { + "Tuple4": "192.168.50.52.17501>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_126" + }, + { + "Tuple4": "192.168.50.52.17502>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_127" + }, + { + "Tuple4": "192.168.50.52.17503>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_128" + }, + { + "Tuple4": "192.168.50.52.17504>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_129" + }, + { + "Tuple4": "192.168.50.52.17505>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_130" + }, + { + "Tuple4": "192.168.50.52.17506>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_131" + }, + { + "Tuple4": "192.168.50.52.17507>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_132" + }, + { + "Tuple4": "192.168.50.52.17508>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_133" + }, + { + "Tuple4": "192.168.50.52.17509>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_134" + }, + { + "Tuple4": "192.168.50.52.17511>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_135" + }, + { + "Tuple4": "192.168.50.52.17510>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_136" + }, + { + "Tuple4": "192.168.50.52.17512>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_137" + }, + { + "Tuple4": "192.168.50.52.17513>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_138" + }, + { + "Tuple4": "192.168.50.52.17514>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_139" + }, + { + "Tuple4": "192.168.50.52.17515>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_140" + }, + { + "Tuple4": "192.168.50.52.17516>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_141" + }, + { + "Tuple4": "192.168.50.52.17519>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_142" + }, + { + "Tuple4": "192.168.50.52.17518>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_143" + }, + { + "Tuple4": "192.168.50.52.17520>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_144" + }, + { + "Tuple4": "192.168.50.52.17521>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_145" + }, + { + "Tuple4": "192.168.50.52.17522>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_146" + }, + { + "Tuple4": "192.168.50.52.17523>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_147" + }, + { + "Tuple4": "192.168.50.52.17524>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_148" + }, + { + "Tuple4": "192.168.50.52.17526>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_149" + }, + { + "Tuple4": "192.168.50.52.17525>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_150" + }, + { + "Tuple4": "192.168.50.52.17527>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_151" + }, + { + "Tuple4": "192.168.50.52.17528>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_152" + }, + { + "Tuple4": "192.168.50.52.17529>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_153" + }, + { + "Tuple4": "192.168.50.52.17530>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_154" + }, + { + "Tuple4": "192.168.50.52.17446>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_155" + }, + { + "Tuple4": "192.168.50.52.17418>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_156" + }, + { + "Tuple4": "192.168.50.52.17447>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_157" + }, + { + "Tuple4": "192.168.50.52.17531>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_158" + }, + { + "Tuple4": "192.168.50.52.17450>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_159" + }, + { + "Tuple4": "192.168.50.52.17532>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_160" + }, + { + "Tuple4": "192.168.50.52.17533>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_161" + }, + { + "Tuple4": "192.168.50.52.17480>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_162" + }, + { + "Tuple4": "192.168.50.52.17478>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_163" + }, + { + "Tuple4": "192.168.50.52.17482>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_164" + }, + { + "Tuple4": "192.168.50.52.17534>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_165" + }, + { + "Tuple4": "192.168.50.52.17536>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_166" + }, + { + "Tuple4": "192.168.50.52.17517>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_167" + }, + { + "Tuple4": "192.168.50.52.17540>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_168" + }, + { + "Tuple4": "192.168.50.52.17399>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_169" + }, + { + "Tuple4": "192.168.50.52.17541>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_170" + }, + { + "Tuple4": "192.168.50.52.17535>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_171" + }, + { + "Tuple4": "192.168.50.52.17542>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_172" + }, + { + "Tuple4": "192.168.50.52.17543>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_173" + }, + { + "Tuple4": "192.168.50.52.17545>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_174" + }, + { + "Tuple4": "192.168.50.52.17546>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_175" + }, + { + "Tuple4": "192.168.50.52.17547>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_176" + }, + { + "Tuple4": "192.168.50.52.17548>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_177" + }, + { + "Tuple4": "192.168.50.52.17549>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_178" + }, + { + "Tuple4": "192.168.50.52.17550>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_179" + }, + { + "Tuple4": "192.168.50.52.17551>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_180" + }, + { + "Tuple4": "192.168.50.52.17552>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_181" + }, + { + "Tuple4": "192.168.50.52.17554>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_182" + }, + { + "Tuple4": "192.168.50.33.64967>54.230.21.91.443", + "name": "SSL_RESULT_183" + }, + { + "Tuple4": "192.168.50.52.17553>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_184" + }, + { + "Tuple4": "192.168.50.52.17555>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_185" + }, + { + "Tuple4": "192.168.50.52.17559>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_186" + }, + { + "Tuple4": "192.168.50.33.57414>142.250.66.42.443", + "name": "SSL_RESULT_187" + }, + { + "Tuple4": "192.168.50.33.60652>142.250.66.99.443", + "name": "SSL_RESULT_188" + }, + { + "Tuple4": "192.168.50.33.58291>220.181.174.230.443", + "name": "SSL_RESULT_189" + }, + { + "Tuple4": "192.168.50.33.50525>172.217.27.35.443", + "name": "SSL_RESULT_190" + }, + { + "Tuple4": "192.168.50.33.56708>142.250.204.36.443", + "name": "SSL_RESULT_191" + }, + { + "Tuple4": "192.168.50.33.55558>142.250.66.99.443", + "name": "SSL_RESULT_192" + }, + { + "Tuple4": "192.168.50.33.65240>142.250.204.86.443", + "name": "SSL_RESULT_193" + }, + { + "Tuple4": "192.168.50.33.57554>142.250.204.65.443", + "name": "SSL_RESULT_194" + }, + { + "Tuple4": "192.168.50.33.65100>142.250.207.74.443", + "name": "SSL_RESULT_195" + }, + { + "Tuple4": "192.168.50.33.54638>142.250.204.110.443", + "name": "SSL_RESULT_196" + }, + { + "Tuple4": "192.168.50.33.63347>142.250.66.131.443", + "name": "SSL_RESULT_197" + }, + { + "Tuple4": "192.168.50.52.1079>40.119.211.203.443", + "name": "SSL_RESULT_198" + }, + { + "Tuple4": "192.168.50.52.17311>142.250.66.99.443", + "ssl_sni": "www.gstatic.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "eb1d94daa7e0344597e756a1fb6e7054", + "name": "SSL_RESULT_199" + }, + { + "Tuple4": "192.168.50.52.14756>172.217.24.110.443", + "name": "SSL_RESULT_200" + }, + { + "Tuple4": "192.168.50.52.27956>40.90.189.152.443", + "name": "SSL_RESULT_201" + }, + { + "Tuple4": "192.168.50.52.17376>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "16c0b3e6a7b8173c16d944cfeaeee9cf", + "ssl_cert_version": "v3", + "ssl_cert_Issuer": "GlobalSign Atlas R3 OV TLS CA H2 2021;GlobalSign nv-sa;;;;;BE", + "ssl_cert_IssuerCN": "GlobalSign Atlas R3 OV TLS CA H2 2021", + "ssl_cert_IssuerO": "GlobalSign nv-sa", + "ssl_cert_IssuerC": "BE", + "ssl_cert_Sub": "sites.target.com;Target Corporation;;Minneapolis;;Minnesota;US", + "ssl_cert_SubCN": "sites.target.com", + "ssl_cert_SubO": "Target Corporation", + "ssl_cert_SubC": "US", + "ssl_cert_SubP": "Minnesota", + "ssl_cert_SubL": "Minneapolis", + "ssl_cert_SubAltName": "sites.target.com;affiliate.target.com;android.studioconnect.live;api.studioconnect.live;apollo-metrics.target.com;assethub.partnersonline.com;assethub.target.com;awesomeshop.target.com;bex.partnersonline.com;bex.target.com;cartster.target.com;cartwheel.target.com;cartwheelws-secure.target.com;circle.target.com;connect.roundel.com;connectedcommerce.target.com;corporate.target.com;developer.target.com;dojo.target.com;doppler.partnersonline.com;elevate.target.com;extgargantua.partnersonline.com;factorial.partnersonline.com;finds.target.com;gql.studioconnect.live;greenfield.partnersonline.com;greenfield.target.com;hrocdocrequest.target.com;iccon.target.com;incubator.target.com;india.target.com;ios.studioconnect.live;jira.target.com;launchpad.partnersonline.com;launchpad.target.com;leads.studioconnect.live;m.target.com;marketinghub.target.com;mercury.partnersonline.com;mickra.target.com;mickradashboard.target.com;mvs.partnersonline.com;mytime.target.com;nic.target;openhouse.target.com;opensource.target.com;osmosis.partnersonline.com;partnersonline.com;pcn.partnersonline.com;peg.partnersonline.com;photosubmission.target.com;pid.partnersonline.com;plus.target.com;pmworkorderadmin.partnersonline.com;poladmin.partnersonline.com;pop.partnersonline.com;qmp.partnersonline.com;qr.target.com;r2d2.target.com;rdmplus.target.com;recognize.target.com;redcard.target.com;redirect.studioconnect.live;rik.roundel.com;roundel.com;rubix.partnersonline.com;rubix.target.com;security.target.com;servicetech.target.com;sm.partnersonline.com;spark.partnersonline.com;spark.target.com;studioconnect.live;stylehub.target.com;synergy.partnersonline.com;target.com;targetmedianetwork.target.com;targetopenhouse.com;tepagent.target.com;tgt-files.target.com;tgtdriver.partnersonline.com;ti-event-prod.target.com;tiam.target.com;tiiam.target.com;tvi.partnersonline.com;viewpoint.target.com;weeklyad.target.com;www.partnersonline.com;www.roundel.com;www.target.com;www.targetopenhouse.com", + "ssl_cert_SerialNum": "0x012ede33fc9283773396e9b1ff995262", + "ssl_cert_AgID": "1.2.840.113549.1.1.11", + "ssl_cert_From": "210928164609Z", + "ssl_cert_To": "221030164608Z", + "ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", + "name": "SSL_RESULT_202" + }, + { + "Tuple4": "192.168.50.52.17384>220.181.174.102.443", + "ssl_sni": "securepubads.g.doubleclick.net", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "598872011444709307b861ae817a4b60", + "ssl_ja3s_hash": "2b0648ab686ee45e0e7c35fcfb0eea7e", + "name": "SSL_RESULT_203" + }, + { + "Tuple4": "192.168.50.52.17427>172.217.31.2.443", + "ssl_sni": "pagead2.googlesyndication.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "598872011444709307b861ae817a4b60", + "ssl_ja3s_hash": "2b0648ab686ee45e0e7c35fcfb0eea7e", + "name": "SSL_RESULT_204" + }, + { + "Tuple4": "192.168.50.52.17381>23.57.114.38.443", + "ssl_sni": "js-sec.indexww.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "410b9bedaf65dd26c6fe547154d60db4", + "name": "SSL_RESULT_205" + }, + { + "Tuple4": "192.168.50.52.17432>220.181.174.102.443", + "ssl_sni": "securepubads.g.doubleclick.net", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "598872011444709307b861ae817a4b60", + "ssl_ja3s_hash": "2b0648ab686ee45e0e7c35fcfb0eea7e", + "name": "SSL_RESULT_206" + }, + { + "Tuple4": "192.168.50.52.17434>15.197.193.217.443", + "ssl_sni": "match.adsrvr.org", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "8d2a028aa94425f76ced7826b1f39039", + "ssl_cert_version": "v3", + "ssl_cert_Issuer": "GlobalSign GCC R3 DV TLS CA 2020;GlobalSign nv-sa;;;;;BE", + "ssl_cert_IssuerCN": "GlobalSign GCC R3 DV TLS CA 2020", + "ssl_cert_IssuerO": "GlobalSign nv-sa", + "ssl_cert_IssuerC": "BE", + "ssl_cert_Sub": "*.adsrvr.org;;;;;;", + "ssl_cert_SubCN": "*.adsrvr.org", + "ssl_cert_SubAltName": "*.adsrvr.org;adsrvr.org", + "ssl_cert_SerialNum": "0x2ddaa6f359d4ce458fe983f1", + "ssl_cert_AgID": "1.2.840.113549.1.1.11", + "ssl_cert_From": "220331203750Z", + "ssl_cert_To": "230502203749Z", + "ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", + "name": "SSL_RESULT_207" + }, + { + "Tuple4": "192.168.50.52.17375>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "16c0b3e6a7b8173c16d944cfeaeee9cf", + "ssl_cert_version": "v3", + "ssl_cert_Issuer": "GlobalSign Atlas R3 OV TLS CA H2 2021;GlobalSign nv-sa;;;;;BE", + "ssl_cert_IssuerCN": "GlobalSign Atlas R3 OV TLS CA H2 2021", + "ssl_cert_IssuerO": "GlobalSign nv-sa", + "ssl_cert_IssuerC": "BE", + "ssl_cert_Sub": "sites.target.com;Target Corporation;;Minneapolis;;Minnesota;US", + "ssl_cert_SubCN": "sites.target.com", + "ssl_cert_SubO": "Target Corporation", + "ssl_cert_SubC": "US", + "ssl_cert_SubP": "Minnesota", + "ssl_cert_SubL": "Minneapolis", + "ssl_cert_SubAltName": "sites.target.com;affiliate.target.com;android.studioconnect.live;api.studioconnect.live;apollo-metrics.target.com;assethub.partnersonline.com;assethub.target.com;awesomeshop.target.com;bex.partnersonline.com;bex.target.com;cartster.target.com;cartwheel.target.com;cartwheelws-secure.target.com;circle.target.com;connect.roundel.com;connectedcommerce.target.com;corporate.target.com;developer.target.com;dojo.target.com;doppler.partnersonline.com;elevate.target.com;extgargantua.partnersonline.com;factorial.partnersonline.com;finds.target.com;gql.studioconnect.live;greenfield.partnersonline.com;greenfield.target.com;hrocdocrequest.target.com;iccon.target.com;incubator.target.com;india.target.com;ios.studioconnect.live;jira.target.com;launchpad.partnersonline.com;launchpad.target.com;leads.studioconnect.live;m.target.com;marketinghub.target.com;mercury.partnersonline.com;mickra.target.com;mickradashboard.target.com;mvs.partnersonline.com;mytime.target.com;nic.target;openhouse.target.com;opensource.target.com;osmosis.partnersonline.com;partnersonline.com;pcn.partnersonline.com;peg.partnersonline.com;photosubmission.target.com;pid.partnersonline.com;plus.target.com;pmworkorderadmin.partnersonline.com;poladmin.partnersonline.com;pop.partnersonline.com;qmp.partnersonline.com;qr.target.com;r2d2.target.com;rdmplus.target.com;recognize.target.com;redcard.target.com;redirect.studioconnect.live;rik.roundel.com;roundel.com;rubix.partnersonline.com;rubix.target.com;security.target.com;servicetech.target.com;sm.partnersonline.com;spark.partnersonline.com;spark.target.com;studioconnect.live;stylehub.target.com;synergy.partnersonline.com;target.com;targetmedianetwork.target.com;targetopenhouse.com;tepagent.target.com;tgt-files.target.com;tgtdriver.partnersonline.com;ti-event-prod.target.com;tiam.target.com;tiiam.target.com;tvi.partnersonline.com;viewpoint.target.com;weeklyad.target.com;www.partnersonline.com;www.roundel.com;www.target.com;www.targetopenhouse.com", + "ssl_cert_SerialNum": "0x012ede33fc9283773396e9b1ff995262", + "ssl_cert_AgID": "1.2.840.113549.1.1.11", + "ssl_cert_From": "210928164609Z", + "ssl_cert_To": "221030164608Z", + "ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", + "name": "SSL_RESULT_208" + }, + { + "Tuple4": "192.168.50.52.17433>3.217.136.163.443", + "ssl_sni": "idx.liadm.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "303951d4c50efb2e991652225a6f02b1", + "name": "SSL_RESULT_209" + }, + { + "Tuple4": "192.168.50.52.17437>3.217.136.163.443", + "ssl_sni": "idx.liadm.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "303951d4c50efb2e991652225a6f02b1", + "name": "SSL_RESULT_210" + }, + { + "Tuple4": "192.168.50.52.17544>142.250.207.74.443", + "ssl_sni": "content-autofill.googleapis.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "598872011444709307b861ae817a4b60", + "ssl_ja3s_hash": "2b0648ab686ee45e0e7c35fcfb0eea7e", + "name": "SSL_RESULT_211" + }, + { + "Tuple4": "192.168.50.57.54160>39.105.29.36.443", + "name": "SSL_RESULT_212" + }, + { + "Tuple4": "192.168.50.57.54162>39.105.29.36.443", + "name": "SSL_RESULT_213" + } +] \ No newline at end of file diff --git a/test/ssl_decoder_test.cpp b/test/ssl_decoder_test.cpp index 1f82712..7a9fb23 100644 --- a/test/ssl_decoder_test.cpp +++ b/test/ssl_decoder_test.cpp @@ -10,6 +10,7 @@ extern "C" { #include "cJSON.h" +#include "yyjson/yyjson.h" #include "ssl_decoder.h" #include "toml/toml.h" @@ -25,17 +26,20 @@ extern "C" #define ssl_DECODER_TEST_TOML_PATH "./etc/ssl/ssl_decoder.toml" +struct ssl_decoder_test_context +{ + yyjson_mut_doc *doc; + yyjson_mut_val *ssl_object; +}; + struct ssl_decoder_test_plugin_env { int plugin_id; int topic_id; int result_index; int commit_result_enable; - int decode_resource_record_enable; - int export_resource_record_enable; }; -extern "C" void perf_resource_record_decode(struct ssl_message *ssl_msg); extern "C" int commit_test_result_json(cJSON *node, const char *name); void ssl_real_result_write_file(char *result_str) @@ -50,17 +54,86 @@ void ssl_real_result_write_file(char *result_str) void ssl_decoder_test_message_cb(struct session *ss, int topic_id, const void *msg, void *per_session_ctx, void *plugin_env_str) { + struct ssl_message *ssl_msg=(struct ssl_message *)msg; + if(ssl_msg==NULL) + { + return; + } + struct ssl_decoder_test_context *per_ss_ctx=(struct ssl_decoder_test_context *)per_session_ctx; + + enum ssl_message_type msg_type=ssl_message_type_get(ssl_msg); + switch(msg_type) + { + case SSL_MESSAGE_CLIENT_HELLO: + { + yyjson_mut_obj_add_str(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_client_version", ssl_message_readable_version_get0(ssl_msg)); + + char *sni=NULL; + size_t sni_sz=0; + ssl_message_sni_get0(ssl_msg, &sni, &sni_sz); + yyjson_mut_obj_add_strn(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_sni", sni, sni_sz); + + char *ja3=NULL; + size_t ja3_sz=0; + ssl_message_ja3hash_get0(ssl_msg, &ja3, &ja3_sz); + yyjson_mut_obj_add_strn(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_ja3_hash", ja3, ja3_sz); + + int32_t esni_flag=ssl_message_esni_is_true(ssl_msg); + yyjson_mut_obj_add_int(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_esni", esni_flag); + + int32_t ech_flag=ssl_message_ech_is_true(ssl_msg); + yyjson_mut_obj_add_int(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_ech", ech_flag); + } + break; + case SSL_MESSAGE_SERVER_HELLO: + { + yyjson_mut_obj_add_str(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_server_version", ssl_message_readable_version_get0(ssl_msg)); + + char *ja3s=NULL; + size_t ja3s_sz=0; + ssl_message_ja3shash_get0(ssl_msg, &ja3s, &ja3s_sz); + yyjson_mut_obj_add_strn(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_ja3s_hash", ja3s, ja3s_sz); + } + break; + case SSL_MESSAGE_CERTIFICATE: + break; + case SSL_PROTECTED_PAYLOAD: + break; + default: + break; + } } -void *ssl_decoder_test_per_session_context_new(struct session *sess, void *plugin_env) +void *ssl_decoder_test_per_session_context_new(struct session *ss, void *plugin_env) { - return NULL; + struct ssl_decoder_test_context *per_ss_ctx=(struct ssl_decoder_test_context *)calloc(1, sizeof(struct ssl_decoder_test_context)); + per_ss_ctx->doc=yyjson_mut_doc_new(0); + per_ss_ctx->ssl_object=yyjson_mut_obj(per_ss_ctx->doc); + + return (void *)per_ss_ctx; } -void ssl_decoder_test_per_session_context_free(struct session *sess, void *session_ctx, void *plugin_env) +void ssl_decoder_test_per_session_context_free(struct session *ss, void *per_session_ctx, void *plugin_env_str) { + struct ssl_decoder_test_plugin_env *plugin_env=(struct ssl_decoder_test_plugin_env *)plugin_env_str; + struct ssl_decoder_test_context *per_ss_ctx=(struct ssl_decoder_test_context *)per_session_ctx; + if(per_ss_ctx==NULL) + { + return; + } + yyjson_mut_doc_set_root(per_ss_ctx->doc, per_ss_ctx->ssl_object); + char *json_str=yyjson_mut_write(per_ss_ctx->doc, 0, 0); + yyjson_mut_doc_free(per_ss_ctx->doc); + + char result_name[16]=""; + sprintf(result_name, "SSL_RESULT_%d", plugin_env->result_index++); + cJSON *real_result=cJSON_Parse(json_str); + commit_test_result_json(real_result, result_name); + + free(json_str); + free(per_ss_ctx); } int32_t ssl_decoder_test_config_load(const char *cfg_path, struct ssl_decoder_test_plugin_env *plugin_env) @@ -125,62 +198,6 @@ int32_t ssl_decoder_test_config_load(const char *cfg_path, struct ssl_decoder_te } } - toml_table_t *perf_tbl=toml_table_in(test_tbl, "perf"); - if(NULL==perf_tbl) - { - fprintf(stderr, "[%s:%d] config file: %s has no key: [decoder.ssl.test.perf]", __FUNCTION__, __LINE__, cfg_path); - toml_free(root); - return -1; - } - - // decode_resource_record_enable - toml_datum_t decode_resource_record_enable_val=toml_string_in(perf_tbl, "decode_resource_record_enable"); - if(decode_resource_record_enable_val.ok==0) - { - plugin_env->decode_resource_record_enable=0; - fprintf(stderr, "[%s:%d] config file: %s has no key: [decoder.ssl.test.decode_resource_record_enable]", __FUNCTION__, __LINE__, cfg_path); - } - else - { - if(memcmp("no", decode_resource_record_enable_val.u.s, strlen("no"))==0) - { - plugin_env->decode_resource_record_enable=0; - } - else if(memcmp("yes", decode_resource_record_enable_val.u.s, strlen("yes"))==0) - { - plugin_env->decode_resource_record_enable=1; - } - else - { - plugin_env->decode_resource_record_enable=1; - fprintf(stderr, "[%s:%d] config file: %s key: [decoder.ssl.test.decode_resource_record_enable] value is not yes or no", __FUNCTION__, __LINE__, cfg_path); - } - } - - // export_resource_record_enable - toml_datum_t export_resource_record_enable_val=toml_string_in(perf_tbl, "export_resource_record_enable"); - if(export_resource_record_enable_val.ok==0) - { - plugin_env->export_resource_record_enable=0; - fprintf(stderr, "[%s:%d] config file: %s has no key: [decoder.ssl.test.export_resource_record_enable]", __FUNCTION__, __LINE__, cfg_path); - } - else - { - if(memcmp("no", export_resource_record_enable_val.u.s, strlen("no"))==0) - { - plugin_env->export_resource_record_enable=0; - } - else if(memcmp("yes", export_resource_record_enable_val.u.s, strlen("yes"))==0) - { - plugin_env->export_resource_record_enable=1; - } - else - { - plugin_env->export_resource_record_enable=1; - fprintf(stderr, "[%s:%d] config file: %s key: [decoder.ssl.test.export_resource_record_enable] value is not yes or no", __FUNCTION__, __LINE__, cfg_path); - } - } - toml_free(root); return ret;