authorliuxueli <[email protected]>2020-09-11 18:06:09 +0800
committerliuxueli <[email protected]>2020-09-11 18:06:09 +0800
commitabcc94dc2523f7b3e9e1a01a8c3a8b892c5651f0 (patch)
treed9b616e7a5991dead8f4b5280b9dd0a1c35e5b53
parent0cd81e12e526767804306c63dbafc802064071ab (diff)
支持JA3指纹v3.2.6.20.09
-rw-r--r--bin/tsg_log_field.conf1
-rw-r--r--inc/tsg_label.h1
-rw-r--r--src/tsg_entry.cpp182
-rw-r--r--src/tsg_send_log.cpp5
-rw-r--r--src/tsg_send_log_internal.h1
5 files changed, 115 insertions, 75 deletions
diff --git a/bin/tsg_log_field.conf b/bin/tsg_log_field.conf
index 7ca6635..b1561b1 100644
--- a/bin/tsg_log_field.conf
+++ b/bin/tsg_log_field.conf
@@ -48,3 +48,4 @@ STRING common_server_asn 40
STRING common_clinet_location 41
STRING common_server_location 42
STRING quic_sni 43
+STRING ssl_ja3_fingerprint 44
diff --git a/inc/tsg_label.h b/inc/tsg_label.h
index 5660373..453dda6 100644
--- a/inc/tsg_label.h
+++ b/inc/tsg_label.h
@@ -77,6 +77,7 @@ struct _session_attribute_label_t
struct _location_info_t *server_location;
struct _subscribe_id_info_t *client_subscribe_id;
struct _subscribe_id_info_t *server_subscribe_id;
+ char *ja3_fingerprint;
};
#endif
diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp
index 35dc369..a15b276 100644
--- a/src/tsg_entry.cpp
+++ b/src/tsg_entry.cpp
@@ -7,6 +7,7 @@
#include <MESA/http.h>
#include <MESA/ftp.h>
+#include <MESA/ssl.h>
#include <MESA/mail.h>
#include "MESA/gquic.h"
#include <MESA/stream.h>
@@ -138,80 +139,12 @@ static int tsg_proto_name2flag(char *proto_list, int *flag)
return 0;
}
-int tsg_set_device_id_to_telegraf(char *device_sn)
-{
- char buff[128]={0};
- FILE *fp=NULL;
-
- if(device_sn)
- {
- fp=fopen("/etc/default/telegraf", "wb");
- if(fp)
- {
- snprintf(buff, sizeof(buff), "device_id=\"%s\"\n", device_sn);
- fwrite(buff, strlen(buff), 1, fp);
- fclose(fp);
- fp=NULL;
- return 0;
- }
- }
-
- return -1;
-}
-
static void free_policy_label(int thread_seq, void *project_req_value)
{
dictator_free(thread_seq, project_req_value);
project_req_value=NULL;
}
-static void free_session_attribute_label(int thread_seq, void *project_req_value)
-{
- struct _session_attribute_label_t *label=(struct _session_attribute_label_t *)project_req_value;
-
- if(label!=NULL)
- {
- if(label->client_asn!=NULL)
- {
- ASN_free_data(label->client_asn->table_id, (MAAT_PLUGIN_EX_DATA *)&(label->client_asn), 0, g_tsg_para.logger);
- label->client_asn=NULL;
- }
-
- if(label->server_asn!=NULL)
- {
- ASN_free_data(label->server_asn->table_id, (MAAT_PLUGIN_EX_DATA *)&(label->server_asn), 0, g_tsg_para.logger);
- label->server_asn=NULL;
- }
-
- if(label->client_location!=NULL)
- {
- location_free_data(label->client_location->table_id, (MAAT_PLUGIN_EX_DATA *)&(label->client_location), 0, g_tsg_para.logger);
- label->client_location=NULL;
- }
-
- if(label->server_location!=NULL)
- {
- location_free_data(label->server_location->table_id, (MAAT_PLUGIN_EX_DATA *)&(label->server_location), 0, g_tsg_para.logger);
- label->server_location=NULL;
- }
-
- if(label->client_subscribe_id!=NULL)
- {
- subscribe_id_free_data(label->client_subscribe_id->table_id, (MAAT_PLUGIN_EX_DATA *)&label->client_subscribe_id, 0, g_tsg_para.logger);
- label->client_subscribe_id=NULL;
- }
-
- if(label->server_subscribe_id!=NULL)
- {
- subscribe_id_free_data(label->server_subscribe_id->table_id, (MAAT_PLUGIN_EX_DATA *)&label->server_subscribe_id, 0, g_tsg_para.logger);
- label->server_subscribe_id=NULL;
- }
-
- dictator_free(thread_seq, project_req_value);
- project_req_value=NULL;
- }
-}
-
static void free_context(void **pme, int thread_seq)
{
struct _master_context *_context=(struct _master_context *)*pme;
@@ -338,6 +271,80 @@ static int master_send_log(struct streaminfo *a_stream, struct Maat_rule_t *p_re
return 1;
}
+int tsg_set_device_id_to_telegraf(char *device_sn)
+{
+ char buff[128]={0};
+ FILE *fp=NULL;
+
+ if(device_sn)
+ {
+ fp=fopen("/etc/default/telegraf", "wb");
+ if(fp)
+ {
+ snprintf(buff, sizeof(buff), "device_id=\"%s\"\n", device_sn);
+ fwrite(buff, strlen(buff), 1, fp);
+ fclose(fp);
+ fp=NULL;
+ return 0;
+ }
+ }
+
+ return -1;
+}
+
+static void free_session_attribute_label(int thread_seq, void *project_req_value)
+{
+ struct _session_attribute_label_t *label=(struct _session_attribute_label_t *)project_req_value;
+
+ if(label!=NULL)
+ {
+ if(label->client_asn!=NULL)
+ {
+ ASN_free_data(label->client_asn->table_id, (MAAT_PLUGIN_EX_DATA *)&(label->client_asn), 0, g_tsg_para.logger);
+ label->client_asn=NULL;
+ }
+
+ if(label->server_asn!=NULL)
+ {
+ ASN_free_data(label->server_asn->table_id, (MAAT_PLUGIN_EX_DATA *)&(label->server_asn), 0, g_tsg_para.logger);
+ label->server_asn=NULL;
+ }
+
+ if(label->client_location!=NULL)
+ {
+ location_free_data(label->client_location->table_id, (MAAT_PLUGIN_EX_DATA *)&(label->client_location), 0, g_tsg_para.logger);
+ label->client_location=NULL;
+ }
+
+ if(label->server_location!=NULL)
+ {
+ location_free_data(label->server_location->table_id, (MAAT_PLUGIN_EX_DATA *)&(label->server_location), 0, g_tsg_para.logger);
+ label->server_location=NULL;
+ }
+
+ if(label->client_subscribe_id!=NULL)
+ {
+ subscribe_id_free_data(label->client_subscribe_id->table_id, (MAAT_PLUGIN_EX_DATA *)&label->client_subscribe_id, 0, g_tsg_para.logger);
+ label->client_subscribe_id=NULL;
+ }
+
+ if(label->server_subscribe_id!=NULL)
+ {
+ subscribe_id_free_data(label->server_subscribe_id->table_id, (MAAT_PLUGIN_EX_DATA *)&label->server_subscribe_id, 0, g_tsg_para.logger);
+ label->server_subscribe_id=NULL;
+ }
+
+ if(label->ja3_fingerprint!=NULL)
+ {
+ dictator_free(thread_seq, (void *)label->ja3_fingerprint);
+ label->ja3_fingerprint=NULL;
+ }
+
+ dictator_free(thread_seq, project_req_value);
+ project_req_value=NULL;
+ }
+}
+
static struct Maat_rule_t *tsg_policy_decision_criteria(struct streaminfo *a_stream, Maat_rule_t *result, int result_num, struct _identify_info *identify_info, int thread_seq)
{
int i=0,ret=0;
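Review bot: `tsg_set_device_id_to_telegraf`, which this hunk only relocates, writes `device_sn` between double quotes into `/etc/default/telegraf` without rejecting `"` or newline characters, so a malformed serial can add or alter lines in that environment file. It also returns 0 when `snprintf` truncated the line or when `fwrite`/`fclose` failed. Since the function is being touched anyway, validate `device_sn` against the characters a serial number may contain before the `fopen`, and check the results, e.g. `int n=snprintf(buff, sizeof(buff), "device_id=\"%s\"\n", device_sn); if(n<0 || (size_t)n>=sizeof(buff)) { fclose(fp); return -1; }`. The new `ja3_fingerprint` release in `free_session_attribute_label` would benefit from a short comment naming where the buffer is allocated, so the ownership is visible at the free site.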
@@ -469,10 +476,9 @@ static struct Maat_rule_t *tsg_policy_decision_criteria(struct streaminfo *a_str
return p_result;
}
-static int identify_application_protocol(struct streaminfo *a_stream, struct _identify_info *identify_info, void *a_packet)
+static int identify_application_protocol(struct streaminfo *a_stream, struct _identify_info *identify_info, struct _session_attribute_label_t *attribute_label, void *a_packet)
{
- int ret=0;
-
+ int ret=0;
identify_info->proto = PROTO_UNKONWN;
switch(a_stream->type)
@@ -500,6 +506,31 @@ static int identify_application_protocol(struct streaminfo *a_stream, struct _id
if(g_tsg_para.proto_flag&(1<<PROTO_SSL)) //ssl
{
+ struct _ssl_ja3_info_t *ja3_info=NULL;
+ ja3_info=ssl_get_ja3_fingerprint(a_stream, (unsigned char *)a_stream->ptcpdetail->pdata, (unsigned int)a_stream->ptcpdetail->datalen, a_stream->threadnum);
+ if(ja3_info!=NULL)
+ {
+ identify_info->proto=PROTO_SSL;
+ if(ja3_info->sni==NULL || ja3_info->sni<=0)
+ {
+ identify_info->domain_len = 0;
+ }
+ else
+ {
+ identify_info->domain_len = strnlen(ja3_info->sni, sizeof(identify_info->domain) - 1);
+ strncpy(identify_info->domain, ja3_info->sni, identify_info->domain_len);
+ }
+
+ if(attribute_label!=NULL && ja3_info->fp!=NULL && ja3_info->fp_len>0)
+ {
+ attribute_label->ja3_fingerprint=(char *)dictator_malloc(a_stream->threadnum, ja3_info->fp_len+1);
+ memcpy(attribute_label->ja3_fingerprint, ja3_info->fp, ja3_info->fp_len);
+ attribute_label->ja3_fingerprint[ja3_info->fp_len]='\0';
+ }
+
+ return 1;
+ }
+ #if 0
enum chello_parse_result chello_status = CHELLO_PARSE_INVALID_FORMAT;
struct ssl_chello *chello = NULL;
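Review bot: The result of `dictator_malloc` for `attribute_label->ja3_fingerprint` goes straight into `memcpy`, so an allocation failure while handling a ClientHello becomes a NULL write in the packet path; guard the copy with `if(attribute_label->ja3_fingerprint!=NULL)` and consider an upper bound on `ja3_info->fp_len`, which comes from parsed traffic. The SNI test `ja3_info->sni<=0` compares the pointer a second time rather than a length, so the clause adds nothing; if the structure carries an SNI length it was probably meant here, otherwise drop it. `strncpy` with `domain_len` writes no terminator, which is only safe because the callers visible in this diff `memset` `identify_info` first; an explicit `identify_info->domain[identify_info->domain_len]='\0';` would remove that hidden dependency. The enclosing function starts and ends outside this hunk, and whether `ja3_info` has to be released by the caller cannot be told from here.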
@@ -522,6 +553,7 @@ static int identify_application_protocol(struct streaminfo *a_stream, struct _id
}
ssl_chello_free(chello);
+ #endif
}
if(g_tsg_para.proto_flag&(1<<PROTO_FTP)) //ftp
@@ -634,12 +666,12 @@ extern "C" char TSG_MASTER_TCP_ENTRY(struct streaminfo *a_tcp, void **pme, int t
{
case OP_STATE_PENDING:
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_LINKS], 0, FS_OP_ADD, 1);
-
- memset(&identify_info, 0, sizeof(identify_info));
- identify_application_protocol(a_tcp, &identify_info, a_packet);
internal_label=(struct _session_attribute_label_t *)dictator_malloc(1, sizeof(struct _session_attribute_label_t));
memset(internal_label, 0, sizeof(struct _session_attribute_label_t));
+
+ memset(&identify_info, 0, sizeof(identify_info));
+ identify_application_protocol(a_tcp, &identify_info, internal_label, a_packet);
internal_label->proto=identify_info.proto;
if(identify_info.proto==PROTO_HTTP)
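Review bot: `internal_label` is allocated with the literal thread index in `dictator_malloc(1, ...)`, while the fingerprint that now hangs off it is allocated with `a_stream->threadnum` and `free_session_attribute_label` releases both with `thread_seq`. If the dictator allocator keeps per-thread pools, these indices have to agree, so passing the entry point's own thread argument instead of `1` would make the pairing explicit (the parameter name is cut off in the hunk header). `internal_label` is also handed to `memset` without a NULL check right after the allocation. The `case` body continues past the end of this hunk.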
@@ -836,7 +868,7 @@ extern "C" char TSG_MASTER_UDP_ENTRY(struct streaminfo *a_udp, void **pme, int t
{
case OP_STATE_PENDING:
memset(&identify_info, 0, sizeof(identify_info));
- identify_application_protocol(a_udp, &identify_info, a_packet);
+ identify_application_protocol(a_udp, &identify_info, NULL, a_packet);
internal_label=(struct _session_attribute_label_t *)dictator_malloc(1, sizeof(struct _session_attribute_label_t));
memset(internal_label, 0, sizeof(struct _session_attribute_label_t));
diff --git a/src/tsg_send_log.cpp b/src/tsg_send_log.cpp
index bbfa37f..d7d6de5 100644
--- a/src/tsg_send_log.cpp
+++ b/src/tsg_send_log.cpp
@@ -221,6 +221,11 @@ int set_common_field_from_label(struct tsg_log_instance_t *_instance, struct TLD
snprintf(buff, sizeof(buff), "%s,%s,%s", location->city_full, location->province_full, location->country_full);
TLD_append(_handle, _instance->id2field[LOG_COMMON_SERVER_LOCATION].name, (void *)buff, TLD_TYPE_STRING);
}
+
+ if(internal_label->ja3_fingerprint!=NULL)
+ {
+ TLD_append(_handle, _instance->id2field[LOG_SSL_JA3_FINGERPRINT].name, (void *)internal_label->ja3_fingerprint, TLD_TYPE_STRING);
+ }
}
return 0;
diff --git a/src/tsg_send_log_internal.h b/src/tsg_send_log_internal.h
index 1c1b32d..e66fc68 100644
--- a/src/tsg_send_log_internal.h
+++ b/src/tsg_send_log_internal.h
@@ -68,6 +68,7 @@ typedef enum _tsg_log_field_id
LOG_COMMON_CLINET_LOCATION,
LOG_COMMON_SERVER_LOCATION,
LOG_QUIC_SNI,
+ LOG_SSL_JA3_FINGERPRINT,
LOG_COMMON_MAX
}tsg_log_field_id_t;