支持JA3指纹

2020-09-11 18:06:09 +08:00
parent 0cd81e12e5
commit abcc94dc25
5 changed files with 115 additions and 75 deletions
--- a/bin/tsg_log_field.conf
+++ b/bin/tsg_log_field.conf
@@ -48,3 +48,4 @@ STRING		common_server_asn	40
 STRING		common_clinet_location	41
 STRING		common_server_location	42
 STRING		quic_sni		43
 STRING		ssl_ja3_fingerprint	44
--- a/inc/tsg_label.h
+++ b/inc/tsg_label.h
@@ -77,6 +77,7 @@ struct _session_attribute_label_t
 	struct _location_info_t *server_location;
 	struct _subscribe_id_info_t *client_subscribe_id;
 	struct _subscribe_id_info_t *server_subscribe_id;
 	char *ja3_fingerprint;
 };
 #endif
--- a/src/tsg_entry.cpp
+++ b/src/tsg_entry.cpp
@@ -7,6 +7,7 @@
 #include <MESA/http.h>
 #include <MESA/ftp.h>
 #include <MESA/ssl.h>
 #include <MESA/mail.h>
 #include "MESA/gquic.h"
 #include <MESA/stream.h>
@@ -138,80 +139,12 @@ static int tsg_proto_name2flag(char *proto_list, int *flag)
 	return 0;
 }
 int tsg_set_device_id_to_telegraf(char *device_sn)
 {
 	char buff[128]={0};
 	FILE *fp=NULL;
 	if(device_sn)
 	{
 		fp=fopen("/etc/default/telegraf", "wb");
 		if(fp)
 		{
 			snprintf(buff, sizeof(buff), "device_id=\"%s\"\n", device_sn);
 			fwrite(buff, strlen(buff), 1, fp);
 			fclose(fp);
 			fp=NULL;
 			return 0;
 		}
 	}
 	return -1;
 }
 static void free_policy_label(int thread_seq, void *project_req_value)
 {
 	dictator_free(thread_seq, project_req_value);
 	project_req_value=NULL;
 }
 static void free_session_attribute_label(int thread_seq, void *project_req_value)
 {
 	struct _session_attribute_label_t *label=(struct _session_attribute_label_t *)project_req_value;
 	if(label!=NULL)
 	{
 		if(label->client_asn!=NULL)
 		{
 			ASN_free_data(label->client_asn->table_id, (MAAT_PLUGIN_EX_DATA *)&(label->client_asn), 0, g_tsg_para.logger);
 			label->client_asn=NULL;
 		}
 		if(label->server_asn!=NULL)
 		{
 			ASN_free_data(label->server_asn->table_id, (MAAT_PLUGIN_EX_DATA *)&(label->server_asn), 0, g_tsg_para.logger);
 			label->server_asn=NULL;
 		}
 		if(label->client_location!=NULL)
 		{
 			location_free_data(label->client_location->table_id, (MAAT_PLUGIN_EX_DATA *)&(label->client_location), 0, g_tsg_para.logger);
 			label->client_location=NULL;
 		}
 		if(label->server_location!=NULL)
 		{
 			location_free_data(label->server_location->table_id, (MAAT_PLUGIN_EX_DATA *)&(label->server_location), 0, g_tsg_para.logger);
 			label->server_location=NULL;
 		}
 		if(label->client_subscribe_id!=NULL)
 		{
 			subscribe_id_free_data(label->client_subscribe_id->table_id, (MAAT_PLUGIN_EX_DATA *)&label->client_subscribe_id, 0, g_tsg_para.logger);
 			label->client_subscribe_id=NULL;
 		}
 		if(label->server_subscribe_id!=NULL)
 		{
 			subscribe_id_free_data(label->server_subscribe_id->table_id, (MAAT_PLUGIN_EX_DATA *)&label->server_subscribe_id, 0, g_tsg_para.logger);
 			label->server_subscribe_id=NULL;
 		}
 		dictator_free(thread_seq, project_req_value);
 		project_req_value=NULL;
 	}
 }
 static void free_context(void **pme, int thread_seq)
 {
 	struct _master_context *_context=(struct _master_context *)*pme;
@@ -338,6 +271,80 @@ static int master_send_log(struct streaminfo *a_stream, struct Maat_rule_t *p_re
 	return 1;
 }
 int tsg_set_device_id_to_telegraf(char *device_sn)
 {
 	char buff[128]={0};
 	FILE *fp=NULL;
 	if(device_sn)
 	{
 		fp=fopen("/etc/default/telegraf", "wb");
 		if(fp)
 		{
 			snprintf(buff, sizeof(buff), "device_id=\"%s\"\n", device_sn);
 			fwrite(buff, strlen(buff), 1, fp);
 			fclose(fp);
 			fp=NULL;
 			return 0;
 		}
 	}
 	return -1;
 }
 static void free_session_attribute_label(int thread_seq, void *project_req_value)
 {
 	struct _session_attribute_label_t *label=(struct _session_attribute_label_t *)project_req_value;
 	if(label!=NULL)
 	{
 		if(label->client_asn!=NULL)
 		{
 			ASN_free_data(label->client_asn->table_id, (MAAT_PLUGIN_EX_DATA *)&(label->client_asn), 0, g_tsg_para.logger);
 			label->client_asn=NULL;
 		}
 		if(label->server_asn!=NULL)
 		{
 			ASN_free_data(label->server_asn->table_id, (MAAT_PLUGIN_EX_DATA *)&(label->server_asn), 0, g_tsg_para.logger);
 			label->server_asn=NULL;
 		}
 		if(label->client_location!=NULL)
 		{
 			location_free_data(label->client_location->table_id, (MAAT_PLUGIN_EX_DATA *)&(label->client_location), 0, g_tsg_para.logger);
 			label->client_location=NULL;
 		}
 		if(label->server_location!=NULL)
 		{
 			location_free_data(label->server_location->table_id, (MAAT_PLUGIN_EX_DATA *)&(label->server_location), 0, g_tsg_para.logger);
 			label->server_location=NULL;
 		}
 		if(label->client_subscribe_id!=NULL)
 		{
 			subscribe_id_free_data(label->client_subscribe_id->table_id, (MAAT_PLUGIN_EX_DATA *)&label->client_subscribe_id, 0, g_tsg_para.logger);
 			label->client_subscribe_id=NULL;
 		}
 		if(label->server_subscribe_id!=NULL)
 		{
 			subscribe_id_free_data(label->server_subscribe_id->table_id, (MAAT_PLUGIN_EX_DATA *)&label->server_subscribe_id, 0, g_tsg_para.logger);
 			label->server_subscribe_id=NULL;
 		}
 		if(label->ja3_fingerprint!=NULL)
 		{
 			dictator_free(thread_seq, (void *)label->ja3_fingerprint);
 			label->ja3_fingerprint=NULL;
 		}
 		dictator_free(thread_seq, project_req_value);
 		project_req_value=NULL;
 	}
 }
 static struct Maat_rule_t *tsg_policy_decision_criteria(struct streaminfo *a_stream, Maat_rule_t *result, int result_num, struct _identify_info *identify_info, int thread_seq)
 {
 	int i=0,ret=0;
@@ -469,10 +476,9 @@ static struct Maat_rule_t *tsg_policy_decision_criteria(struct streaminfo *a_str
 	return p_result;
 }
-static int identify_application_protocol(struct streaminfo *a_stream, struct _identify_info *identify_info, void *a_packet)
+static int identify_application_protocol(struct streaminfo *a_stream, struct _identify_info *identify_info, struct _session_attribute_label_t *attribute_label, void *a_packet)
 {
-	int ret=0;
+	int ret=0;                            
 	identify_info->proto = PROTO_UNKONWN;
 	switch(a_stream->type)
@@ -500,6 +506,31 @@ static int identify_application_protocol(struct streaminfo *a_stream, struct _id
 			if(g_tsg_para.proto_flag&(1<<PROTO_SSL))  //ssl
 			{
 				struct _ssl_ja3_info_t *ja3_info=NULL;
 				ja3_info=ssl_get_ja3_fingerprint(a_stream, (unsigned char *)a_stream->ptcpdetail->pdata, (unsigned int)a_stream->ptcpdetail->datalen, a_stream->threadnum);
 				if(ja3_info!=NULL)
 				{
 					identify_info->proto=PROTO_SSL;
 					if(ja3_info->sni==NULL || ja3_info->sni<=0)
 					{
 						identify_info->domain_len = 0;
 					}
 					else
 					{
 						identify_info->domain_len = strnlen(ja3_info->sni, sizeof(identify_info->domain) - 1);
 						strncpy(identify_info->domain, ja3_info->sni, identify_info->domain_len);
 					}
 					if(attribute_label!=NULL && ja3_info->fp!=NULL && ja3_info->fp_len>0)
 					{
 						attribute_label->ja3_fingerprint=(char *)dictator_malloc(a_stream->threadnum, ja3_info->fp_len+1);
 						memcpy(attribute_label->ja3_fingerprint, ja3_info->fp, ja3_info->fp_len);
 						attribute_label->ja3_fingerprint[ja3_info->fp_len]='\0';
 					}
 					return 1;
 				}
 			#if 0
 				enum chello_parse_result chello_status = CHELLO_PARSE_INVALID_FORMAT;
 				struct ssl_chello *chello = NULL;
@@ -522,6 +553,7 @@ static int identify_application_protocol(struct streaminfo *a_stream, struct _id
 				}
 			    ssl_chello_free(chello);
 			#endif
 			}
 			if(g_tsg_para.proto_flag&(1<<PROTO_FTP))  //ftp
@@ -634,12 +666,12 @@ extern "C" char TSG_MASTER_TCP_ENTRY(struct streaminfo *a_tcp, void **pme, int t
 	{
 		case	OP_STATE_PENDING:
 			FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_LINKS], 0, FS_OP_ADD, 1);
 			memset(&identify_info, 0, sizeof(identify_info));
 			identify_application_protocol(a_tcp, &identify_info, a_packet);
 			internal_label=(struct _session_attribute_label_t *)dictator_malloc(1, sizeof(struct _session_attribute_label_t));
 			memset(internal_label, 0, sizeof(struct _session_attribute_label_t));
 			memset(&identify_info, 0, sizeof(identify_info));
 			identify_application_protocol(a_tcp, &identify_info, internal_label, a_packet);
 			internal_label->proto=identify_info.proto;
 			if(identify_info.proto==PROTO_HTTP)
@@ -836,7 +868,7 @@ extern "C" char TSG_MASTER_UDP_ENTRY(struct streaminfo *a_udp, void **pme, int t
 	{
 		case	OP_STATE_PENDING:
 			memset(&identify_info, 0, sizeof(identify_info));
-			identify_application_protocol(a_udp, &identify_info, a_packet);
+			identify_application_protocol(a_udp, &identify_info, NULL, a_packet);
 			internal_label=(struct _session_attribute_label_t *)dictator_malloc(1, sizeof(struct _session_attribute_label_t));
 			memset(internal_label, 0, sizeof(struct _session_attribute_label_t));
--- a/src/tsg_send_log.cpp
+++ b/src/tsg_send_log.cpp
@@ -221,6 +221,11 @@ int set_common_field_from_label(struct tsg_log_instance_t *_instance, struct TLD
 			snprintf(buff, sizeof(buff), "%s,%s,%s", location->city_full, location->province_full, location->country_full);
 			TLD_append(_handle, _instance->id2field[LOG_COMMON_SERVER_LOCATION].name, (void *)buff, TLD_TYPE_STRING);
 		}
 		if(internal_label->ja3_fingerprint!=NULL)
 		{
 			TLD_append(_handle, _instance->id2field[LOG_SSL_JA3_FINGERPRINT].name, (void *)internal_label->ja3_fingerprint, TLD_TYPE_STRING);
 		}
 	}
 	return 0;
--- a/src/tsg_send_log_internal.h
+++ b/src/tsg_send_log_internal.h
@@ -68,6 +68,7 @@ typedef enum _tsg_log_field_id
 	LOG_COMMON_CLINET_LOCATION,
 	LOG_COMMON_SERVER_LOCATION,
 	LOG_QUIC_SNI,
 	LOG_SSL_JA3_FINGERPRINT,
 	LOG_COMMON_MAX
 }tsg_log_field_id_t;