Quite a bit of overhauling things

Author: LeeBrotherston

.github/workflows/golangci-lint.yml

@@ -1,41 +1,39 @@
-name: golangci-lint
+name: Checks
+
 on:
   push:
+    branches: [ "main" ]
   pull_request:
-permissions:
-  contents: read
-  # Optional: allow read access to pull request. Use with `only-new-issues` option.
-  # pull-requests: read
+    branches: [ "main" ]
+
 jobs:
-  golangci:
-    name: lint
+
+  build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-go@v3
-        with:
-          go-version: '1.20'
-      - uses: actions/checkout@v3
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
-        with:
-          # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-          version: v1.29
-
-          # Optional: working directory, useful for monorepos
-          # working-directory: somedir
-
-          # Optional: golangci-lint command line arguments.
-          # args: --issues-exit-code=0
-
-          # Optional: show only new issues if it's a pull request. The default value is `false`.
-          # only-new-issues: true
-
-          # Optional: if set to true then the all caching functionality will be complete disabled,
-          #           takes precedence over all other caching options.
-          # skip-cache: true
-
-          # Optional: if set to true then the action don't cache or restore ~/go/pkg.
-          # skip-pkg-cache: true
-
-          # Optional: if set to true then the action don't cache or restore ~/.cache/go-build.
-          # skip-build-cache: true
+    - uses: actions/checkout@v4
+
+    - name: Set up Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: '1.23'
+        check-latest: true
+        cache-dependency-path: "**/*.sum"
+
+    - name: Install dependencies
+      run: go mod download
+
+    - name: Unit tests
+      run: |
+        go test -v ./...
+
+    - name: Gosec Security Scanner
+      uses: securego/gosec@master
+      with:
+        args: ./...
+
+    - name: Golangci-lint
+      uses: golangci/golangci-lint-action@v6.1.1
+
+    - name: TruffleHog OSS
+      uses: trufflesecurity/trufflehog@v3.84.2

constants.go

@@ -0,0 +1,29 @@
+package dactyloscopy
+
+const (
+	// Configuration Constants
+	minPacketLength = 47
+
+	// TLS Extension types
+	ExtServerName          uint16 = 0x0000
+	ExtEllipticCurves      uint16 = 0x000a
+	ExtECPointFormats      uint16 = 0x000b
+	ExtSignatureAlgorithms uint16 = 0x000d
+	ExtALPN                uint16 = 0x0010
+	ExtSupportedVersions   uint16 = 0x002b
+	ExtPadding             uint16 = 0x0015
+
+	// TLS Protocol Versions
+	VersionTLS10 uint16 = 0x0301
+	VersionTLS11 uint16 = 0x0302
+	VersionTLS12 uint16 = 0x0303
+	VersionTLS13 uint16 = 0x0304
+)
+
+// Common GREASE values used by clients
+var GreaseValues = []uint16{
+	0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A,
+	0x5A5A, 0x6A6A, 0x7A7A, 0x8A8A, 0x9A9A,
+	0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA,
+	0xFAFA,
+}

example/example

@@ -22,11 +22,16 @@ import (
 	"encoding/json"
 	"flag"
 	"fmt"
+	"log"
 	"os"
 
 	"github.com/LeeBrotherston/dactyloscopy"
 	"github.com/google/gopacket"
+	"github.com/google/gopacket/ip4defrag"
+	"github.com/google/gopacket/layers"
 	"github.com/google/gopacket/pcap"
+	"github.com/google/gopacket/tcpassembly"
+	"github.com/google/gopacket/tcpassembly/tcpreader"
 )
 
 func doSniff(device string, file string) error {
@@ -54,37 +59,141 @@ func doSniff(device string, file string) error {
 		return fmt.Errorf("need a file or interface")
 	}
 	// Yes yes, I know... But offsetting this to the kernel *drastically* reduces processing time
-	err = handle.SetBPFFilter("(tcp[tcp[12]/16*4]=22 and (tcp[tcp[12]/16*4+5]=1) and (tcp[tcp[12]/16*4+9]=3) and (tcp[tcp[12]/16*4+1]=3)) or (ip6[(ip6[52]/16*4)+40]=22 and (ip6[(ip6[52]/16*4+5)+40]=1) and (ip6[(ip6[52]/16*4+9)+40]=3) and (ip6[(ip6[52]/16*4+1)+40]=3)) or ((udp[14] = 6 and udp[16] = 32 and udp[17] = 1) and ((udp[(udp[60]/16*4)+48]=22) and (udp[(udp[60]/16*4)+53]=1) and (udp[(udp[60]/16*4)+57]=3) and (udp[(udp[60]/16*4)+49]=3))) or (proto 41 and ip[26] = 6 and ip[(ip[72]/16*4)+60]=22 and (ip[(ip[72]/16*4+5)+60]=1) and (ip[(ip[72]/16*4+9)+60]=3) and (ip[(ip[72]/16*4+1)+60]=3))")
-	if err != nil {
-		return err
-	}
+	//err = handle.SetBPFFilter("((tcp[tcp[12]/16*4]=22 and (tcp[tcp[12]/16*4+5]=1) and (tcp[tcp[12]/16*4+9]=3) and (tcp[tcp[12]/16*4+1]=3)) or (ip6[(ip6[52]/16*4)+40]=22 and (ip6[(ip6[52]/16*4+5)+40]=1) and (ip6[(ip6[52]/16*4+9)+40]=3) and (ip6[(ip6[52]/16*4+1)+40]=3)) or ((udp[14] = 6 and udp[16] = 32 and udp[17] = 1) and ((udp[(udp[60]/16*4)+48]=22) and (udp[(udp[60]/16*4)+53]=1) and (udp[(udp[60]/16*4)+57]=3) and (udp[(udp[60]/16*4)+49]=3))) or (proto 41 and ip[26] = 6 and ip[(ip[72]/16*4)+60]=22 and (ip[(ip[72]/16*4+5)+60]=1) and (ip[(ip[72]/16*4+9)+60]=3) and (ip[(ip[72]/16*4+1)+60]=3))) or (ip[6:2] & 0x1fff != 0)")
+	//if err != nil {
+	//	return err
+	//}
 	defer handle.Close()
 
+	ip4defragger := ip4defrag.NewIPv4Defragmenter()
+	streamFactory := &tlsStreamFactory{}
+	streamPool := tcpassembly.NewStreamPool(streamFactory)
+	assembler := tcpassembly.NewAssembler(streamPool)
+
 	// Use the handle as a packet source to process all packets
 	packetSource := gopacket.NewPacketSource(handle, handle.LinkType())
-	for packet := range packetSource.Packets() {
 
-		var clientHello dactyloscopy.Fingerprint
-		payload := packet.ApplicationLayer()
+	for packet := range packetSource.Packets() {
+		// IP defragmentation
+		if net4 := packet.NetworkLayer(); net4 != nil {
+			if ipv4, ok := net4.(*layers.IPv4); ok {
+				newIPv4, err := ip4defragger.DefragIPv4(ipv4)
+				if err != nil {
+					log.Printf("IPv4 defrag error: %v", err)
+					continue
+				}
+				if newIPv4 == nil {
+					continue // waiting for more fragments
+				}
+				//packet = packet
+			}
+		}
+		// TCP reassembly
+		if tcpLayer := packet.Layer(layers.LayerTypeTCP); tcpLayer != nil {
+			tcp := tcpLayer.(*layers.TCP)
+			assembler.AssembleWithTimestamp(packet.NetworkLayer().NetworkFlow(), tcp, packet.Metadata().Timestamp)
+			continue
+		}
+		// UDP and others: process as before
+		if incompletePacket(packet) {
+			continue
+		}
 
-		err = clientHello.ProcessClientHello(payload.Payload())
-		if err != nil {
-			fmt.Printf("Error: %v\n", err)
+		if len(packet.ApplicationLayer().Payload()) < 50 {
+			continue
 		}
 
-		output, err := json.Marshal(clientHello)
-		if err != nil {
-			return err
+		if err = dactyloscopy.IsClientHello(packet.ApplicationLayer().Payload()); err == nil {
+			var clientHello dactyloscopy.Fingerprint
+			err = clientHello.ProcessClientHello(packet.ApplicationLayer().Payload())
+			if err != nil {
+				fmt.Printf("Error: %v\n", err)
+			}
+
+			output, err := json.Marshal(clientHello)
+			if err != nil {
+				return err
+			}
+			fmt.Printf("%s\n", output)
 		}
-		fmt.Printf("%s\n", output)
 	}
 	return nil
 }
 
+func incompletePacket(packet gopacket.Packet) bool {
+	netLayer := packet.NetworkLayer()
+	if netLayer == nil {
+		//log.Printf("missing network layer")
+		return true
+	}
+	if len(netLayer.LayerPayload()) == 0 {
+		//log.Printf("empty network layer")
+		return true
+	}
+
+	transLayer := packet.TransportLayer()
+	if transLayer == nil {
+		//log.Printf("missing transport layer")
+		return true
+	}
+	if len(transLayer.LayerPayload()) == 0 {
+		//log.Printf("empty transport layer")
+		return true
+	}
+
+	appLayer := packet.ApplicationLayer()
+	if appLayer == nil {
+		//log.Printf("missing application layer")
+		return true
+	}
+
+	payloadLen := uint16(len(appLayer.Payload()))
+	if payloadLen < 60 {
+		//log.Printf("insufficient payload")
+		return true
+	}
+
+	if v4, ok := netLayer.(*layers.IPv4); ok {
+		if v4.Length > payloadLen {
+			//log.Printf("length mismatch: %d %d", v4.Length, payloadLen)
+			return true
+		}
+	}
+	return false
+}
+
 func main() {
 	intStr := flag.String("i", "en0", "interface to sniff")
 	file := flag.String("f", "", "pcap file")
 	flag.Parse()
 
 	doSniff(*intStr, *file)
 }
+
+// TLS stream factory and stream for TCP reassembly
+
+type tlsStreamFactory struct{}
+
+func (f *tlsStreamFactory) New(netFlow, tcpFlow gopacket.Flow) tcpassembly.Stream {
+	r := tcpreader.NewReaderStream()
+	go processTLSStream(&r)
+	return &r
+}
+
+func processTLSStream(r *tcpreader.ReaderStream) {
+	buf := make([]byte, 4096)
+	for {
+		n, err := r.Read(buf)
+		if err != nil {
+			return
+		}
+		if n > 0 {
+			var clientHello dactyloscopy.Fingerprint
+			err = clientHello.ProcessClientHello(buf[:n])
+			if err == nil {
+				output, _ := json.Marshal(clientHello)
+				fmt.Printf("%s\n", output)
+			}
+		}
+	}
+}

example/example.go

@@ -0,0 +1,38 @@
+package main
+
+type fingerprint struct {
+	JA3Digest string
+	LB1Digest string
+	Name      string
+}
+
+var static_fingerprints = []fingerprint{{
+	JA3Digest: "579ccef312d18482fc42e2b822ca2430",
+	LB1Digest: "5d75e7f9e50ed137cd48d5ea5e9ebe36",
+	Name:      "Firefox 115.0.2",
+}, {
+	JA3Digest: "366d007990af3b100f90c88fcff57a8a",
+	LB1Digest: "7a8af08e01539e5863f202db34e5a727",
+	Name:      "Zoom",
+}}
+
+// InitFPDB creates fingerprint DB structures, currently separated into JA3 and LB1 "tables"
+func InitFPDB(fplist []fingerprint) (map[string]fingerprint, map[string]fingerprint) {
+	return initFPDBJA3(fplist), initFPDBLB1(fplist)
+}
+
+func initFPDBJA3(fp []fingerprint) map[string]fingerprint {
+	output := map[string]fingerprint{}
+	for _, y := range fp {
+		output[y.JA3Digest] = y
+	}
+	return output
+}
+
+func initFPDBLB1(fp []fingerprint) map[string]fingerprint {
+	output := map[string]fingerprint{}
+	for _, y := range fp {
+		output[y.LB1Digest] = y
+	}
+	return output
+}

example/fingerprints.go

@@ -1,15 +1,17 @@
 module example
 
-go 1.18
+go 1.23.0
+
+toolchain go1.24.3
 
 replace github.com/LeeBrotherston/dactyloscopy => ./../
 
 require (
-	github.com/LeeBrotherston/dactyloscopy v0.0.0-20211004030734-27f81f4ef3d5
+	github.com/LeeBrotherston/dactyloscopy v0.0.0-20241113013421-e4efbb39c13b
 	github.com/google/gopacket v1.1.19
 )
 
 require (
-	golang.org/x/crypto v0.17.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/crypto v0.38.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
 )

example/go.mod

@@ -2,18 +2,19 @@ github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
-golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
+golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
+golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
-golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=