diff --git a/pcap/tls-non-ascii-alpn.pcapng b/pcap/tls-non-ascii-alpn.pcapng new file mode 100644 index 0000000..26ce655 Binary files /dev/null and b/pcap/tls-non-ascii-alpn.pcapng differ diff --git a/rust/CHANGELOG.md b/rust/CHANGELOG.md index 9e78763..4a3ef69 100644 --- a/rust/CHANGELOG.md +++ b/rust/CHANGELOG.md @@ -7,6 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [0.16.0] - 2023-12-12 + +### Changed + +- Handle non-ASCII ALPN strings (#16). + +### Fixed + +- Support tshark v4.2.0. + ## [0.15.2] - 2023-11-09 ### Fixed @@ -31,7 +41,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Add Rust sources of `ja4` and `ja4x` CLI tools. -[unreleased]: https://github.com/FoxIO-LLC/ja4/compare/v0.15.2...HEAD +[unreleased]: https://github.com/FoxIO-LLC/ja4/compare/v0.16.0...HEAD +[0.16.0]: https://github.com/FoxIO-LLC/ja4/compare/v0.15.2...v0.16.0 [0.15.2]: https://github.com/FoxIO-LLC/ja4/compare/v0.15.1...v0.15.2 [0.15.1]: https://github.com/FoxIO-LLC/ja4/compare/v0.15.0...v0.15.1 [0.15.0]: https://github.com/FoxIO-LLC/ja4/compare/v0.14.0...v0.15.0 diff --git a/rust/ja4/src/snapshots/ja4__insta@tls-non-ascii-alpn.pcapng.snap b/rust/ja4/src/snapshots/ja4__insta@tls-non-ascii-alpn.pcapng.snap new file mode 100644 index 0000000..c0599a6 --- /dev/null +++ b/rust/ja4/src/snapshots/ja4__insta@tls-non-ascii-alpn.pcapng.snap @@ -0,0 +1,14 @@ +--- +source: ja4/src/lib.rs +expression: output +--- +- stream: 0 + transport: tcp + src: 192.168.1.168 + dst: 142.251.16.94 + src_port: 50112 + dst_port: 443 + tls_server_name: clientservices.googleapis.com + ja4: t13d151699_8daaf6152771_e5627efa2ab1 + ja4s: t130200_1301_234ea6891581 + diff --git a/rust/ja4/src/ssh.rs b/rust/ja4/src/ssh.rs index eb45fe2..fab36a2 100644 --- a/rust/ja4/src/ssh.rs +++ b/rust/ja4/src/ssh.rs 
@@ -223,7 +223,7 @@ impl PacketCounts {
 self.nr_ssh_server_packets += 1;
 }
 }
- } else if tcp.first("tcp.flags.ack")? == "1" {
+ } else if ["1", "True"].contains(&tcp.first("tcp.flags.ack")?) {
 match sender {
 Sender::Client => self.nr_tcp_client_acks += 1,
 Sender::Server => self.nr_tcp_server_acks += 1,
diff --git a/rust/ja4/src/time/tcp.rs b/rust/ja4/src/time/tcp.rs
index 5f8d908..bdc2acf 100644
--- a/rust/ja4/src/time/tcp.rs
+++ b/rust/ja4/src/time/tcp.rs
@@ -210,9 +210,9 @@ impl Timestamp {
 let ack = tcp.first("tcp.flags.ack")?;
 let syn = tcp.first("tcp.flags.syn")?;
 Ok(match (syn, ack) {
- ("1", "0") => Some(Self::Syn((t()?, Ttl::new(pkt)?))),
- ("1", "1") => Some(Self::SynAck((t()?, Ttl::new(pkt)?))),
- ("0", "1") => Some(Self::Ack(t()?)),
+ ("1", "0") | ("True", "False") => Some(Self::Syn((t()?, Ttl::new(pkt)?))),
+ ("1", "1") | ("True", "True") => Some(Self::SynAck((t()?, Ttl::new(pkt)?))),
+ ("0", "1") | ("False", "True") => Some(Self::Ack(t()?)),
 _ => None,
 })
 }
diff --git a/rust/ja4/src/tls.rs b/rust/ja4/src/tls.rs
index 9ba5226..32a5985 100644
--- a/rust/ja4/src/tls.rs
+++ b/rust/ja4/src/tls.rs
@@ -584,9 +584,16 @@ fn tls_extensions_server(tls: &Proto) -> Vec {
 }

 fn first_last(s: &str) -> (Option, Option) {
+ let replace_nonascii_with_9 = |c: char| {
+ if c.is_ascii() {
+ c
+ } else {
+ '9'
+ }
+ };
 let mut chars = s.chars();
- let first = chars.next();
- let last = chars.next_back();
+ let first = chars.next().map(replace_nonascii_with_9);
+ let last = chars.next_back().map(replace_nonascii_with_9);
 (first, last)
 }

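Review bot: In rust/ja4/src/ssh.rs the new ACK test still treats every value other than `"1"` or `"True"` as "flag not set", so another change in how tshark renders booleans would again appear to skew the ACK counters without raising any error; the `_ => None` arm of the match in rust/ja4/src/time/tcp.rs (next hunk) has the same property. Both sites now carry their own copy of the two spellings. A single shared helper that maps `"1" | "True"` to `true`, `"0" | "False"` to `false` and returns an error naming the field for anything else would keep the two in step and make an unknown format fail loudly instead of yielding a plausible but wrong fingerprint; the tcp.rs match could then be written over `(bool, bool)` with `(false, false) => None`. The enclosing functions start and end outside both hunks, so other flag reads there may need the same treatment.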
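Review bot: In `first_last` (rust/ja4/src/tls.rs) the closure keeps every ASCII character, and `char::is_ascii` is also true for control characters, spaces and `_`, which is the separator between the parts of the `ja4` value shown in the new snapshot. The ALPN string is supplied by the client, so a first or last character of that kind would presumably still end up in the fingerprint and could confuse consumers that split on `_` or process the output line by line. If only letters and digits are meant to appear there, the check would be `if c.is_ascii_alphanumeric() { c } else { '9' }`; confirm against the JA4 specification first, since this changes the fingerprint for such inputs. The test added in the following hunk covers only U+FFFD, so a case such as `first_last("_x")` would pin whichever behaviour is chosen. A doc comment on `first_last` stating why `'9'` is substituted, e.g. `/// Returns the first and last characters of s, with non-ASCII characters replaced by '9'.`, would also help.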
@@ -598,6 +605,16 @@ fn test_first_last() {
 assert_eq!(first_last("abc"), (Some('a'), Some('c')));
 }

+#[test]
+fn test_first_last_non_ascii() {
+ assert_eq!('�', char::REPLACEMENT_CHARACTER);
+ assert_eq!(first_last("�"), (Some('9'), None));
+ assert_eq!(first_last("��"), (Some('9'), Some('9')));
+ assert_eq!(first_last("�x�"), (Some('9'), Some('9')));
+ assert_eq!(first_last("x�"), (Some('x'), Some('9')));
+ assert_eq!(first_last("�x"), (Some('9'), Some('x')));
+}
+
 #[cfg(test)]
 mod tests {
 use super::*;