632 lines
22 KiB
C++
632 lines
22 KiB
C++
#include <netinet/ip.h>
|
|
#include <netinet/tcp.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <stellar/session.h>
|
|
#include <time.h>
|
|
#include <pcap/pcap.h>
|
|
#include <pcap/sll.h>
|
|
#include <sys/socket.h>
|
|
#include <netinet/in.h>
|
|
#include <arpa/inet.h>
|
|
#include "session_flags_internal.h"
|
|
#include "gtest/gtest.h"
|
|
extern "C" {
|
|
#include "dummy.h"
|
|
}
|
|
|
|
#define MAC_FRAME_HEADER_LEN 14
|
|
#define IP_HEADER_LEN 20
|
|
#define TCP_HEADER_LEN 20
|
|
#define UDP_HEADER_LEN 8
|
|
#define LINUX_COOKED_CAPTURE 20
|
|
|
|
struct pcap_loop_arg
|
|
{
|
|
pcap_t *pcap_handle;
|
|
struct session_flags_ctx *ctx;
|
|
};
|
|
|
|
struct session_flags_plugin_info *sf_plugin_info = NULL;
|
|
|
|
extern int MESA_dir_link_to_human(int link_route_dir);
|
|
extern char *session_flags_generate_firewall_message(uint64_t flags, uint32_t identify[session_flags_all_mask]);
|
|
|
|
static inline size_t ts2ms(const timeval *ts)
|
|
{
|
|
return ts->tv_sec * 1000 + ts->tv_usec / 1000;
|
|
}
|
|
|
|
static void pcap_handle_cb(pcap_loop_arg *userarg, const struct pcap_pkthdr *pkthdr, const u_char *packet)
|
|
{
|
|
struct pcap_loop_arg *arg = (struct pcap_loop_arg *)userarg;
|
|
struct session sess;
|
|
int payload_len = 0;
|
|
char *payload = NULL;
|
|
unsigned short sport, dport;
|
|
unsigned short eth_proto_type;
|
|
unsigned char *ip_header;
|
|
int topic_id = 0;
|
|
|
|
memset(&sess, 0, sizeof(sess));
|
|
|
|
int data_link_type = pcap_datalink(arg->pcap_handle);
|
|
switch (data_link_type) {
|
|
case DLT_EN10MB:
|
|
eth_proto_type = ntohs(*(unsigned short *)(packet + 12));
|
|
ip_header = (unsigned char *)(packet + sizeof(struct ethhdr));
|
|
break;
|
|
case 276://DLT_LINUX_SLL2
|
|
eth_proto_type = ntohs(*(unsigned short *)packet);
|
|
ip_header = (unsigned char *)(packet + LINUX_COOKED_CAPTURE);
|
|
break;
|
|
default:
|
|
return;
|
|
}
|
|
|
|
if (eth_proto_type == ETH_P_IP) {
|
|
int l4_proto = *(unsigned char *)(ip_header + 9);
|
|
if (l4_proto == IPPROTO_TCP) {
|
|
topic_id = DUMMY_TCP_TOPIC_ID;
|
|
int ip_total_len = ntohs(*(unsigned short *)(ip_header + 2));
|
|
int ip_header_len = (*(unsigned char *)ip_header & 0x0f) * 4;
|
|
int tcp_header_len = 4 * ((*(unsigned char *)(ip_header + sizeof(iphdr) + 12) & 0xf0) >> 4);
|
|
payload_len = ip_total_len - ip_header_len - tcp_header_len;
|
|
payload = (char *)ip_header + ip_header_len + tcp_header_len;
|
|
} else if (l4_proto == IPPROTO_UDP) {
|
|
topic_id = DUMMY_UDP_TOPIC_ID;
|
|
payload_len = pkthdr->caplen - (ip_header - packet) - sizeof(iphdr) - sizeof(struct udphdr);
|
|
payload = (char *)ip_header + sizeof(iphdr) + sizeof(struct udphdr);
|
|
} else {
|
|
return;
|
|
}
|
|
|
|
sport = ntohs(*(unsigned short *)(ip_header + sizeof(iphdr) + 0));
|
|
dport = ntohs(*(unsigned short *)(ip_header + sizeof(iphdr) + 2));
|
|
|
|
} else if (eth_proto_type == ETH_P_IPV6) {
|
|
int l4_proto = *(unsigned char *)(ip_header + 6);
|
|
if (l4_proto == IPPROTO_TCP) {
|
|
topic_id = DUMMY_TCP_TOPIC_ID;
|
|
int tcp_header_len = 4 * ((*(unsigned char *)(ip_header + sizeof(struct ip6_hdr) + 12) & 0xf0) >> 4);
|
|
payload_len = pkthdr->caplen - (ip_header - packet) - sizeof(struct ip6_hdr) - tcp_header_len;
|
|
payload = (char *)ip_header + sizeof(struct ip6_hdr) + tcp_header_len;
|
|
} else if (l4_proto == IPPROTO_UDP) {
|
|
topic_id = DUMMY_UDP_TOPIC_ID;
|
|
payload_len = pkthdr->caplen - (ip_header - packet) - sizeof(struct ip6_hdr) - sizeof(struct udphdr);
|
|
payload = (char *)ip_header + sizeof(struct ip6_hdr) + sizeof(struct udphdr);
|
|
} else {
|
|
return;
|
|
}
|
|
|
|
sport = ntohs(*(unsigned short *)(ip_header + sizeof(struct ip6_hdr) + 0));
|
|
dport = ntohs(*(unsigned short *)(ip_header + sizeof(struct ip6_hdr) + 2));
|
|
} else {
|
|
return;
|
|
}
|
|
|
|
session_set_current_payload(&sess, payload, payload_len);
|
|
|
|
if (sport > dport)
|
|
{
|
|
session_flags(sf_plugin_info, arg->ctx, &sess, topic_id, pkthdr->caplen, FLOW_TYPE_C2S, ts2ms(&pkthdr->ts));
|
|
}
|
|
else
|
|
{
|
|
session_flags(sf_plugin_info, arg->ctx, &sess, topic_id, pkthdr->caplen, FLOW_TYPE_S2C, ts2ms(&pkthdr->ts));
|
|
}
|
|
|
|
}
|
|
|
|
TEST(session_flags, bulky_and_download)
|
|
{
|
|
char error[100];
|
|
struct pcap_loop_arg arg;
|
|
struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
|
|
pcap_t * handle = pcap_open_offline("pcap/ftp-data.pcap", error);
|
|
ASSERT_NE(handle, nullptr);
|
|
|
|
session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
|
|
|
|
memset(&arg, 0, sizeof(arg));
|
|
arg.ctx = ctx;
|
|
arg.pcap_handle = handle;
|
|
|
|
pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
|
|
|
|
session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
|
|
EXPECT_EQ(flags_info->flags & SESSION_FLAGS_BULKY, SESSION_FLAGS_BULKY);
|
|
EXPECT_EQ(flags_info->identify[session_flags_bulky_mask], 2333);
|
|
|
|
EXPECT_EQ(flags_info->flags & SESSION_FLAGS_DOWNLOAD, SESSION_FLAGS_DOWNLOAD);
|
|
EXPECT_EQ(flags_info->identify[session_flags_download_mask], 2333);
|
|
|
|
pcap_close(handle);
|
|
free(ctx);
|
|
}
|
|
|
|
TEST(session_flags, CBR)
|
|
{
|
|
char error[100];
|
|
struct pcap_loop_arg arg;
|
|
struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
|
|
pcap_t * handle = pcap_open_offline("pcap/youtube-quic.pcap", error);
|
|
ASSERT_NE(handle, nullptr);
|
|
|
|
session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
|
|
|
|
memset(&arg, 0, sizeof(arg));
|
|
arg.ctx = ctx;
|
|
arg.pcap_handle = handle;
|
|
|
|
pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
|
|
|
|
struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
|
|
EXPECT_EQ(flags_info->flags & SESSION_FLAGS_CBR, SESSION_FLAGS_CBR);
|
|
EXPECT_EQ(flags_info->identify[session_flags_cbr_mask], 3351);
|
|
|
|
pcap_close(handle);
|
|
free(ctx);
|
|
}
|
|
|
|
TEST(session_flags, not_CBR_ftp)
|
|
{
|
|
char error[100];
|
|
struct pcap_loop_arg arg;
|
|
struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
|
|
pcap_t * handle = pcap_open_offline("pcap/ftp-data.pcap", error);
|
|
ASSERT_NE(handle, nullptr);
|
|
|
|
session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
|
|
|
|
memset(&arg, 0, sizeof(arg));
|
|
arg.ctx = ctx;
|
|
arg.pcap_handle = handle;
|
|
|
|
pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
|
|
|
|
struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
|
|
EXPECT_NE(flags_info->flags & SESSION_FLAGS_CBR, SESSION_FLAGS_CBR);
|
|
|
|
pcap_close(handle);
|
|
free(ctx);
|
|
}
|
|
|
|
TEST(session_flags, not_CBR_dtls)
|
|
{
|
|
char error[100];
|
|
struct pcap_loop_arg arg;
|
|
struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
|
|
pcap_t * handle = pcap_open_offline("pcap/bilibili-dtls.pcap", error);
|
|
ASSERT_NE(handle, nullptr);
|
|
|
|
session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
|
|
|
|
memset(&arg, 0, sizeof(arg));
|
|
arg.ctx = ctx;
|
|
arg.pcap_handle = handle;
|
|
|
|
pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
|
|
|
|
struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
|
|
EXPECT_NE(flags_info->flags & SESSION_FLAGS_CBR, SESSION_FLAGS_CBR);
|
|
|
|
pcap_close(handle);
|
|
free(ctx);
|
|
}
|
|
|
|
TEST(session_flags, server_is_local)
|
|
{
|
|
char error[100];
|
|
struct pcap_loop_arg arg;
|
|
struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
|
|
// session_flags_ip(sf, inet_addr("192.168.1.1"), inet_addr("127.0.0.1"), inet_addr("192.168.1.1"));
|
|
pcap_t * handle = pcap_open_offline("pcap/ftp-data.pcap", error);
|
|
ASSERT_NE(handle, nullptr);
|
|
|
|
session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_INBOUND);
|
|
|
|
memset(&arg, 0, sizeof(arg));
|
|
arg.ctx = ctx;
|
|
arg.pcap_handle = handle;
|
|
|
|
pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
|
|
|
|
struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
|
|
EXPECT_EQ(flags_info->flags & SESSION_FLAGS_LOCAL_SERVER, SESSION_FLAGS_LOCAL_SERVER);
|
|
EXPECT_EQ(flags_info->identify[session_flags_local_server_mask], 1);
|
|
|
|
EXPECT_NE(flags_info->flags & SESSION_FLAGS_LOCAL_CLIENT, SESSION_FLAGS_LOCAL_CLIENT);
|
|
|
|
pcap_close(handle);
|
|
free(ctx);
|
|
}
|
|
|
|
TEST(session_flags, client_is_local)
|
|
{
|
|
char error[100];
|
|
struct pcap_loop_arg arg;
|
|
struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
|
|
pcap_t * handle = pcap_open_offline("pcap/ftp-data.pcap", error);
|
|
ASSERT_NE(handle, nullptr);
|
|
|
|
session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
|
|
|
|
memset(&arg, 0, sizeof(arg));
|
|
arg.ctx = ctx;
|
|
arg.pcap_handle = handle;
|
|
|
|
pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
|
|
|
|
struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
|
|
EXPECT_NE(flags_info->flags & SESSION_FLAGS_LOCAL_SERVER, SESSION_FLAGS_LOCAL_SERVER);
|
|
|
|
EXPECT_EQ(flags_info->flags & SESSION_FLAGS_LOCAL_CLIENT, SESSION_FLAGS_LOCAL_CLIENT);
|
|
EXPECT_EQ(flags_info->identify[session_flags_local_client_mask], 1);
|
|
|
|
pcap_close(handle);
|
|
free(ctx);
|
|
}
|
|
|
|
TEST(session_flags, inbound)
|
|
{
|
|
char error[100];
|
|
struct pcap_loop_arg arg;
|
|
struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
|
|
pcap_t * handle = pcap_open_offline("pcap/ftp-data.pcap", error);
|
|
ASSERT_NE(handle, nullptr);
|
|
|
|
session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
|
|
|
|
memset(&arg, 0, sizeof(arg));
|
|
arg.ctx = ctx;
|
|
arg.pcap_handle = handle;
|
|
|
|
pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
|
|
|
|
struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
|
|
EXPECT_EQ(flags_info->flags & SESSION_FLAGS_LOCAL_CLIENT, SESSION_FLAGS_LOCAL_CLIENT);
|
|
EXPECT_EQ(flags_info->identify[session_flags_local_client_mask], 1);
|
|
|
|
EXPECT_EQ(flags_info->flags & SESSION_FLAGS_INBOUND, SESSION_FLAGS_INBOUND);
|
|
EXPECT_EQ(flags_info->identify[session_flags_inbound_mask], 1834);
|
|
|
|
EXPECT_NE(flags_info->flags & SESSION_FLAGS_OUTBOUND, SESSION_FLAGS_OUTBOUND);
|
|
EXPECT_NE(flags_info->flags & SESSION_FLAGS_LOCAL_SERVER, SESSION_FLAGS_LOCAL_SERVER);
|
|
|
|
pcap_close(handle);
|
|
free(ctx);
|
|
}
|
|
|
|
TEST(session_flags, outbound)
|
|
{
|
|
char error[100];
|
|
struct pcap_loop_arg arg;
|
|
struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
|
|
pcap_t * handle = pcap_open_offline("pcap/ftp-data.pcap", error);
|
|
ASSERT_NE(handle, nullptr);
|
|
|
|
session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_INBOUND);
|
|
|
|
memset(&arg, 0, sizeof(arg));
|
|
arg.ctx = ctx;
|
|
arg.pcap_handle = handle;
|
|
|
|
pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
|
|
|
|
struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
|
|
EXPECT_EQ(flags_info->flags & SESSION_FLAGS_LOCAL_SERVER, SESSION_FLAGS_LOCAL_SERVER);
|
|
EXPECT_EQ(flags_info->identify[session_flags_local_server_mask], 1);
|
|
|
|
EXPECT_EQ(flags_info->flags & SESSION_FLAGS_OUTBOUND, SESSION_FLAGS_OUTBOUND);
|
|
EXPECT_EQ(flags_info->identify[session_flags_outbound_mask], 1834);
|
|
|
|
EXPECT_NE(flags_info->flags & SESSION_FLAGS_LOCAL_CLIENT, SESSION_FLAGS_LOCAL_CLIENT);
|
|
EXPECT_NE(flags_info->flags & SESSION_FLAGS_INBOUND, SESSION_FLAGS_INBOUND);
|
|
|
|
pcap_close(handle);
|
|
free(ctx);
|
|
}
|
|
|
|
TEST(session_flags, not_streaming)
|
|
{
|
|
char error[100];
|
|
struct pcap_loop_arg arg;
|
|
struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
|
|
pcap_t * handle = pcap_open_offline("pcap/1-dtls.192.168.44.32.pcap", error);
|
|
ASSERT_NE(handle, nullptr);
|
|
|
|
session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
|
|
|
|
memset(&arg, 0, sizeof(arg));
|
|
arg.ctx = ctx;
|
|
arg.pcap_handle = handle;
|
|
|
|
pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
|
|
|
|
struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
|
|
EXPECT_NE(flags_info->flags & SESSION_FLAGS_STREAMING, SESSION_FLAGS_STREAMING);
|
|
EXPECT_NE(flags_info->flags & SESSION_FLAGS_PSEUDO_UNIDIRECTIONAL, SESSION_FLAGS_PSEUDO_UNIDIRECTIONAL);
|
|
EXPECT_NE(flags_info->flags & SESSION_FLAGS_UNIDIRECTIONAL, SESSION_FLAGS_UNIDIRECTIONAL);
|
|
|
|
pcap_close(handle);
|
|
free(ctx);
|
|
}
|
|
|
|
TEST(session_flags, streaming_pseudo_unidirectional_unidirectional)
|
|
{
|
|
char error[100];
|
|
struct pcap_loop_arg arg;
|
|
struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
|
|
pcap_t * handle = pcap_open_offline("pcap/ftp-data.pcap", error);
|
|
ASSERT_NE(handle, nullptr);
|
|
|
|
session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
|
|
|
|
memset(&arg, 0, sizeof(arg));
|
|
arg.ctx = ctx;
|
|
arg.pcap_handle = handle;
|
|
|
|
pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
|
|
|
|
struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
|
|
EXPECT_EQ(flags_info->flags & SESSION_FLAGS_STREAMING, SESSION_FLAGS_STREAMING);
|
|
EXPECT_EQ(flags_info->identify[session_flags_streaming_mask], 2333);
|
|
|
|
EXPECT_EQ(flags_info->flags & SESSION_FLAGS_PSEUDO_UNIDIRECTIONAL, SESSION_FLAGS_PSEUDO_UNIDIRECTIONAL);
|
|
EXPECT_EQ(flags_info->identify[session_flags_pseudo_unidirectional_mask], 2333);
|
|
|
|
EXPECT_EQ(flags_info->flags & SESSION_FLAGS_UNIDIRECTIONAL, SESSION_FLAGS_UNIDIRECTIONAL);
|
|
EXPECT_EQ(flags_info->identify[session_flags_unidirectional_mask], 1834);
|
|
|
|
pcap_close(handle);
|
|
free(ctx);
|
|
}
|
|
|
|
TEST(session_flags, interactive)
|
|
{
|
|
char error[100];
|
|
struct pcap_loop_arg arg;
|
|
struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
|
|
pcap_t * handle = pcap_open_offline("pcap/ssh-interactive.pcap", error);
|
|
ASSERT_NE(handle, nullptr);
|
|
|
|
session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
|
|
|
|
memset(&arg, 0, sizeof(arg));
|
|
arg.ctx = ctx;
|
|
arg.pcap_handle = handle;
|
|
|
|
pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
|
|
|
|
struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
|
|
EXPECT_EQ(flags_info->flags & SESSION_FLAGS_INTERACTIVE, SESSION_FLAGS_INTERACTIVE);
|
|
EXPECT_EQ(flags_info->identify[session_flags_interactive_mask], 52);
|
|
|
|
pcap_close(handle);
|
|
free(ctx);
|
|
}
|
|
|
|
TEST(session_flags, not_interactive)
|
|
{
|
|
char error[100];
|
|
struct pcap_loop_arg arg;
|
|
struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
|
|
pcap_t * handle = pcap_open_offline("pcap/youtube-quic.pcap", error);
|
|
ASSERT_NE(handle, nullptr);
|
|
|
|
session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
|
|
|
|
memset(&arg, 0, sizeof(arg));
|
|
arg.ctx = ctx;
|
|
arg.pcap_handle = handle;
|
|
|
|
pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
|
|
|
|
struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
|
|
EXPECT_NE(flags_info->flags & SESSION_FLAGS_INTERACTIVE, SESSION_FLAGS_INTERACTIVE);
|
|
|
|
pcap_close(handle);
|
|
free(ctx);
|
|
}
|
|
|
|
TEST(session_flags, random_looking_flags_telegram_mtproto_ipv4_key_1)
|
|
{
|
|
char error[100];
|
|
struct pcap_loop_arg arg;
|
|
struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
|
|
pcap_t * handle = pcap_open_offline("pcap/telegram_mtproto_ipv4_key_1.pcap", error);
|
|
ASSERT_NE(handle, nullptr);
|
|
|
|
session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
|
|
|
|
memset(&arg, 0, sizeof(arg));
|
|
arg.ctx = ctx;
|
|
arg.pcap_handle = handle;
|
|
|
|
pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
|
|
|
|
struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
|
|
|
|
EXPECT_EQ(flags_info->flags & SESSION_FLAGS_RANDOM_LOOKING, SESSION_FLAGS_RANDOM_LOOKING);
|
|
#if 0
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_FREQUENCY, SESSION_FLAGS_FREQUENCY);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_BLOCK_FREQUENCY, SESSION_FLAGS_BLOCK_FREQUENCY);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_CUMULATIVE_SUMS, SESSION_FLAGS_CUMULATIVE_SUMS);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RUNS, SESSION_FLAGS_RUNS);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_LONGEST_RUN, SESSION_FLAGS_LONGEST_RUN);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RANK, 0);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_NON_OVERLAPPING_TEMPLATE_MATCHING, 0);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_OVERLAPPING_TEMPLATE_MATCHING, SESSION_FLAGS_OVERLAPPING_TEMPLATE_MATCHING);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_UNIVERSAL, 0);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RANDOM_EXCURSIONS, SESSION_FLAGS_RANDOM_EXCURSIONS);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RANDOM_EXCURSIONS_VARIANT, SESSION_FLAGS_RANDOM_EXCURSIONS_VARIANT);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_POKER_DETECT, SESSION_FLAGS_POKER_DETECT);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RUNS_DISTRIBUTION, SESSION_FLAGS_RUNS_DISTRIBUTION);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_SELF_CORRELATION, SESSION_FLAGS_SELF_CORRELATION);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_BINARY_DERIVATIVE, SESSION_FLAGS_BINARY_DERIVATIVE);
|
|
#endif
|
|
|
|
pcap_close(handle);
|
|
free(ctx);
|
|
}
|
|
|
|
TEST(session_flags, random_looking_flags_telegram_mtproto_ipv6_key_1)
|
|
{
|
|
char error[100];
|
|
struct pcap_loop_arg arg;
|
|
struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
|
|
pcap_t * handle = pcap_open_offline("pcap/telegram_mtproto_ipv6_key_1.pcap", error);
|
|
ASSERT_NE(handle, nullptr);
|
|
|
|
session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
|
|
|
|
memset(&arg, 0, sizeof(arg));
|
|
arg.ctx = ctx;
|
|
arg.pcap_handle = handle;
|
|
|
|
pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
|
|
|
|
struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
|
|
|
|
EXPECT_EQ(flags_info->flags & SESSION_FLAGS_RANDOM_LOOKING, SESSION_FLAGS_RANDOM_LOOKING);
|
|
|
|
#if 0
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_FREQUENCY, SESSION_FLAGS_FREQUENCY);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_BLOCK_FREQUENCY, SESSION_FLAGS_BLOCK_FREQUENCY);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_CUMULATIVE_SUMS, SESSION_FLAGS_CUMULATIVE_SUMS);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RUNS, SESSION_FLAGS_RUNS);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_LONGEST_RUN, SESSION_FLAGS_LONGEST_RUN);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RANK, 0);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_NON_OVERLAPPING_TEMPLATE_MATCHING, 0);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_OVERLAPPING_TEMPLATE_MATCHING, SESSION_FLAGS_OVERLAPPING_TEMPLATE_MATCHING);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_UNIVERSAL, 0);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RANDOM_EXCURSIONS, SESSION_FLAGS_RANDOM_EXCURSIONS);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RANDOM_EXCURSIONS_VARIANT, SESSION_FLAGS_RANDOM_EXCURSIONS_VARIANT);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_POKER_DETECT, SESSION_FLAGS_POKER_DETECT);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RUNS_DISTRIBUTION, SESSION_FLAGS_RUNS_DISTRIBUTION);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_SELF_CORRELATION, SESSION_FLAGS_SELF_CORRELATION);
|
|
EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_BINARY_DERIVATIVE, SESSION_FLAGS_BINARY_DERIVATIVE);
|
|
#endif
|
|
|
|
pcap_close(handle);
|
|
free(ctx);
|
|
}
|
|
|
|
TEST(session_flags, bidirectional)
|
|
{
|
|
char error[100];
|
|
struct pcap_loop_arg arg;
|
|
struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
|
|
pcap_t *handle = pcap_open_offline("pcap/wechat_voice_call.pcap", error);
|
|
ASSERT_NE(handle, nullptr);
|
|
|
|
session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_INBOUND);
|
|
|
|
memset(&arg, 0, sizeof(arg));
|
|
arg.ctx = ctx;
|
|
arg.pcap_handle = handle;
|
|
|
|
pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
|
|
|
|
struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
|
|
|
|
EXPECT_EQ(flags_info->flags & SESSION_FLAGS_BIDIRECTIONAL, SESSION_FLAGS_BIDIRECTIONAL);
|
|
|
|
pcap_close(handle);
|
|
free(ctx);
|
|
}
|
|
|
|
#if 0
|
|
TEST(session_flags, tunneling_tls_fet)
|
|
{
|
|
char error[100];
|
|
struct pcap_loop_arg arg;
|
|
struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
|
|
pcap_t *handle = pcap_open_offline("pcap/tls1.2_no_reuse.pcap", error);
|
|
ASSERT_NE(handle, nullptr);
|
|
|
|
session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
|
|
tunneling_hs_stream_init(sf_plugin_info, ctx);
|
|
|
|
memset(&arg, 0, sizeof(arg));
|
|
arg.ctx = ctx;
|
|
arg.pcap_handle = handle;
|
|
|
|
pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
|
|
|
|
struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
|
|
|
|
EXPECT_EQ(flags_info->flags & SESSION_FLAGS_TUNNELING, SESSION_FLAGS_TUNNELING);
|
|
|
|
tunneling_hs_stream_free(ctx);
|
|
pcap_close(handle);
|
|
free(ctx);
|
|
}
|
|
|
|
TEST(session_flags, tunneling_tls_over_tls)
|
|
{
|
|
char error[100];
|
|
struct pcap_loop_arg arg;
|
|
struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
|
|
pcap_t *handle = pcap_open_offline("pcap/tls_over_tls_1.2_no_reuse.pcap", error);
|
|
ASSERT_NE(handle, nullptr);
|
|
|
|
session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
|
|
tunneling_hs_stream_init(sf_plugin_info, ctx);
|
|
|
|
memset(&arg, 0, sizeof(arg));
|
|
arg.ctx = ctx;
|
|
arg.pcap_handle = handle;
|
|
|
|
pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
|
|
|
|
struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
|
|
|
|
EXPECT_EQ(flags_info->flags & SESSION_FLAGS_TUNNELING, SESSION_FLAGS_TUNNELING);
|
|
|
|
tunneling_hs_stream_free(ctx);
|
|
pcap_close(handle);
|
|
free(ctx);
|
|
}
|
|
|
|
TEST(session_flags, tunneling_tls)
|
|
{
|
|
char error[100];
|
|
struct pcap_loop_arg arg;
|
|
struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
|
|
pcap_t *handle = pcap_open_offline("pcap/tls1.2.pcapng", error);
|
|
ASSERT_NE(handle, nullptr);
|
|
|
|
session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
|
|
tunneling_hs_stream_init(sf_plugin_info, ctx);
|
|
|
|
memset(&arg, 0, sizeof(arg));
|
|
arg.ctx = ctx;
|
|
arg.pcap_handle = handle;
|
|
|
|
pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
|
|
|
|
struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
|
|
|
|
EXPECT_NE(flags_info->flags & SESSION_FLAGS_TUNNELING, SESSION_FLAGS_TUNNELING);
|
|
|
|
tunneling_hs_stream_free(ctx);
|
|
pcap_close(handle);
|
|
free(ctx);
|
|
}
|
|
#endif
|
|
|
|
int main(int argc, char **argv)
|
|
{
|
|
testing::InitGoogleTest(&argc, argv);
|
|
|
|
sf_plugin_info = (struct session_flags_plugin_info *)session_flags_plugin_init(NULL);
|
|
sf_plugin_info->log_handle = NULL;
|
|
|
|
int result = RUN_ALL_TESTS();
|
|
|
|
session_flags_plugin_exit(sf_plugin_info);
|
|
|
|
return result;
|
|
} |