STUN: add dissection of DTLS handshake (ntop#2018)

IvanNardi · Jun 26, 2023 · 31a9da2 · 31a9da2
1 parent 88425e0
commit 31a9da2
Show file tree

Hide file tree

Showing 6 changed files with 118 additions and 51 deletions.
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
@@ -1306,6 +1306,7 @@ struct ndpi_detection_module_struct {
   int opportunistic_tls_imap_enabled;
   int opportunistic_tls_pop_enabled;
   int opportunistic_tls_ftp_enabled;
+  int opportunistic_tls_stun_enabled;
 
   u_int32_t monitoring_stun_pkts_to_process;
   u_int32_t monitoring_stun_flags;
@@ -1458,8 +1459,7 @@ struct ndpi_flow_struct {
   } kerberos_buf;
 
   struct {
-    u_int8_t num_pkts, num_binding_requests;
-    u_int16_t num_processed_pkts;
+    u_int8_t num_pkts, num_binding_requests, num_processed_pkts, maybe_dtls;
   } stun;
 
   struct {

diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
@@ -1560,6 +1560,10 @@ static ndpi_tls_cert_name_match tls_certificate_match [] = {
   { "O=Riot Games, Inc.",              NDPI_PROTOCOL_RIOTGAMES   },
   { "O=Riot Games Inc",                NDPI_PROTOCOL_RIOTGAMES   },
 
+  { "CN=hangouts",                     NDPI_PROTOCOL_HANGOUT_DUO },
+  { "CN=Snapchat Inc.",                NDPI_PROTOCOL_SNAPCHAT_CALL },
+  { "CN=NVIDIA GameStream",            NDPI_PROTOCOL_GEFORCENOW },
+
   { NULL, 0 }
 };
 

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -3001,6 +3001,7 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs
   ndpi_str->opportunistic_tls_imap_enabled = 1;
   ndpi_str->opportunistic_tls_pop_enabled = 1;
   ndpi_str->opportunistic_tls_ftp_enabled = 1;
+  ndpi_str->opportunistic_tls_stun_enabled = 1;
 
   ndpi_str->monitoring_stun_pkts_to_process = 4;
   ndpi_str->monitoring_stun_flags = 0;
@@ -9843,6 +9844,9 @@ int ndpi_set_opportunistic_tls(struct ndpi_detection_module_struct *ndpi_struct,
   case NDPI_PROTOCOL_FTP_CONTROL:
     ndpi_struct->opportunistic_tls_ftp_enabled = value;
     return 0;
+  case NDPI_PROTOCOL_STUN:
+    ndpi_struct->opportunistic_tls_stun_enabled = value;
+    return 0;
   default:
     return -1;
   }
@@ -9865,6 +9869,8 @@ int ndpi_get_opportunistic_tls(struct ndpi_detection_module_struct *ndpi_struct,
     return ndpi_struct->opportunistic_tls_pop_enabled;
   case NDPI_PROTOCOL_FTP_CONTROL:
     return ndpi_struct->opportunistic_tls_ftp_enabled;
+  case NDPI_PROTOCOL_STUN:
+    return ndpi_struct->opportunistic_tls_stun_enabled;
   default:
     return -1;
   }

diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
@@ -36,6 +36,10 @@
 
 #define STUN_HDR_LEN   20 /* STUN message header length, Classic-STUN (RFC 3489) and STUN (RFC 8489) both */
 
+extern void switch_to_tls(struct ndpi_detection_module_struct *ndpi_struct,
+			  struct ndpi_flow_struct *flow);
+extern int is_dtls(const u_int8_t *buf, u_int32_t buf_len, u_int32_t *block_len);
+
 static int stun_monitoring(struct ndpi_detection_module_struct *ndpi_struct,
                            struct ndpi_flow_struct *flow)
 {
@@ -212,6 +216,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
 					   u_int16_t *app_proto) {
   struct ndpi_packet_struct *packet = &ndpi_struct->packet;
   u_int16_t msg_type, msg_len;
+  u_int32_t unused;
   int rc;
 
   if(packet->iph &&
@@ -221,6 +226,31 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
     return(NDPI_IS_NOT_STUN);
   }
 
+  /* If we're here it's because this does not look like STUN anymore
+     as this was a flow that started as STUN and turned into something
+     else. Let's investigate what is that about */
+  if(flow->stun.num_pkts > 0 && is_dtls(payload, payload_length, &unused)) {
+#ifdef DEBUG_STUN
+    printf("[STUN] DTLS?\n");
+#endif
+    /* Switching to TLS dissector is tricky, because we are calling one dissector
+       from another one, and that is not a common operation...
+       Additionally:
+       * at that point protocol stack is still empty
+       * we have room for only two protocols in flow->detected_protocol_stack[] so
+         we can't have something like STUN/DTLS/SNAPCHAT_CALL
+       * the easiest solution is skipping STUN, and let TLS dissector to set both
+         master (i.e. DTLS) and subprotocol (if any) */
+    if(ndpi_struct->opportunistic_tls_stun_enabled) {
+      flow->stun.maybe_dtls = 1;
+      switch_to_tls(ndpi_struct, flow);
+    }
+    /* We don't want to mess up with TLS classification/results but we don't want to
+       exclude STUN right away to keep trying it in the case that this packet is
+       not a real DTLS one */
+    return(NDPI_IS_NOT_STUN);
+  }
+
   if(payload_length < STUN_HDR_LEN) {
     /* This looks like an invalid packet */
 
@@ -260,29 +290,6 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
 #ifdef DEBUG_STUN
     printf("[STUN] msg_type = %04X\n", msg_type);
 #endif
-
-    /*
-      If we're here it's because this does not look like STUN anymore
-      as this was a flow that started as STUN and turned into something
-      else. Let's investigate what is that about
-    */
-    if(payload[0] == 0x16) {
-      /* Let's check if this is DTLS used by some socials */
-      struct ndpi_packet_struct *packet = &ndpi_struct->packet;
-      u_int16_t total_len, version = htons(*((u_int16_t*) &packet->payload[1]));
-
-      switch (version) {
-      case 0xFEFF: /* DTLS 1.0 */
-      case 0xFEFD: /* DTLS 1.2 */
-	total_len = ntohs(*((u_int16_t*) &packet->payload[11])) + 13;
-
-	if(payload_length == total_len) {
-	  flow->guessed_protocol_id = NDPI_PROTOCOL_DTLS;
-	  return(NDPI_IS_NOT_STUN);
-	}
-      }
-    }
-
     return(NDPI_IS_NOT_STUN);
   }
 

diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
@@ -30,6 +30,8 @@
 extern char *strptime(const char *s, const char *format, struct tm *tm);
 extern int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 				    struct ndpi_flow_struct *flow, uint32_t quic_version);
+static void ndpi_search_tls_wrapper(struct ndpi_detection_module_struct *ndpi_struct,
+				    struct ndpi_flow_struct *flow);
 extern int http_process_user_agent(struct ndpi_detection_module_struct *ndpi_struct,
                                    struct ndpi_flow_struct *flow,
                                    const u_int8_t *ua_ptr, u_int16_t ua_ptr_len);
@@ -1188,6 +1190,36 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 
 /* **************************************** */
 
+int is_dtls(const u_int8_t *buf, u_int32_t buf_len, u_int32_t *block_len) {
+  if(buf_len <= 13)
+    return 0;
+
+  if((buf[0] != 0x16 && buf[0] != 0x14 && buf[0] != 0x17) || /* Handshake, change-cipher-spec, Application-Data */
+     !((buf[1] == 0xfe && buf[2] == 0xff) || /* Versions */
+       (buf[1] == 0xfe && buf[2] == 0xfd) ||
+       (buf[1] == 0x01 && buf[2] == 0x00))) {
+#ifdef DEBUG_TLS
+    printf("[TLS] DTLS invalid block 0x%x or old version 0x%x-0x%x-0x%x\n",
+           buf[0], buf[1], buf[2], buf[3]);
+#endif
+    return 0;
+  }
+  *block_len = ntohs(*((u_int16_t*)&buf[11]));
+#ifdef DEBUG_TLS
+  printf("[TLS] DTLS block len: %d\n", *block_len);
+#endif
+  if(*block_len == 0 || (*block_len + 12 >= buf_len)) { /* We might have multiple DTLS records */
+#ifdef DEBUG_TLS
+    printf("[TLS] DTLS invalid block len %d (buf_len %d)\n",
+           *block_len, buf_len);
+#endif
+    return 0;
+  }
+  return 1;
+}
+
+/* **************************************** */
+
 static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct,
 			       struct ndpi_flow_struct *flow) {
   struct ndpi_packet_struct *packet = &ndpi_struct->packet;
@@ -1210,29 +1242,23 @@ static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct,
     u_int32_t block_len;
     const u_int8_t *block = (const u_int8_t *)&p[processed];
 
-    if((block[0] != 0x16 && block[0] != 0x14 && block[0] != 0x17) || /* Handshake, change-cipher-spec, Application-Data */
-       !((block[1] == 0xfe && block[2] == 0xff) ||
-         (block[1] == 0xfe && block[2] == 0xfd) ||
-         (block[1] == 0x01 && block[2] == 0x00))) {
-#ifdef DEBUG_TLS
-      printf("[TLS] DTLS invalid block 0x%x or old version 0x%x-0x%x-0x%x\n",
-             block[0], block[1], block[2], block[3]);
-#endif
-      no_dtls = 1;
-      break;
-    }
-    block_len = ntohs(*((u_int16_t*)&block[11]));
+    if(!is_dtls(block, p_len, &block_len)) {
+      if(processed == 0 && /* First block */
+         flow->stun.maybe_dtls == 1) {
+	/* Sometimes STUN packets are interleaved with TLS ones. Ignore STUN ones
+	   since we already are after STUN dissection and we are interested only on
+	   TLS stuff right now */
 #ifdef DEBUG_TLS
-    printf("[TLS] DTLS block len: %d\n", block_len);
-#endif
-    if(block_len == 0 || (processed + block_len + 12 >= p_len)) {
-#ifdef DEBUG_TLS
-      printf("[TLS] DTLS invalid block len %d (processed %d, p_len %d)\n",
-             block_len, processed, p_len);
+        printf("Probably a stun packet. Keep going with TLS on next packets\n");
 #endif
+        /* Note that we can immediately "return" because, being the first block,
+	   we don't need to restore packet->payload and packet->payload_packet_len */
+        return(1); /* Keep working */
+      }
       no_dtls = 1;
       break;
     }
+
     /* We process only handshake msgs */
     if(block[0] == 0x16) {
       if(processed + block_len + 13 > p_len) {
@@ -1358,8 +1384,9 @@ static void tlsInitExtraPacketProcessing(struct ndpi_detection_module_struct *nd
 					 struct ndpi_flow_struct *flow) {
   struct ndpi_packet_struct *packet = &ndpi_struct->packet;
 
-  /* At most 12 packets should almost always be enough to find the server certificate if it's there */
-  flow->max_extra_packets_to_check = 12 + (ndpi_struct->num_tls_blocks_to_follow*4);
+  /* At most 12 packets should almost always be enough to find the server certificate if it's there.
+     Exception: DTLS traffic with fragments, retransmissions and STUN packets */
+  flow->max_extra_packets_to_check = ((packet->udp != NULL) ? 20 : 12) + (ndpi_struct->num_tls_blocks_to_follow*4);
   flow->extra_packets_func = (packet->udp != NULL) ? ndpi_search_tls_udp : ndpi_search_tls_tcp;
 }
 
@@ -1385,6 +1412,24 @@ void switch_extra_dissection_to_tls(struct ndpi_detection_module_struct *ndpi_st
 
 /* **************************************** */
 
+void switch_to_tls(struct ndpi_detection_module_struct *ndpi_struct,
+		   struct ndpi_flow_struct *flow)
+{
+#ifdef DEBUG_TLS
+  printf("Switching to TLS\n");
+#endif
+
+  /* Reset reassemblers */
+  if(flow->tls_quic.message[0].buffer)
+    ndpi_free(flow->tls_quic.message[0].buffer);
+  memset(&flow->tls_quic.message[0], '\0', sizeof(flow->tls_quic.message[0]));
+  if(flow->tls_quic.message[1].buffer)
+    ndpi_free(flow->tls_quic.message[1].buffer);
+  memset(&flow->tls_quic.message[1], '\0', sizeof(flow->tls_quic.message[1]));
+
+  ndpi_search_tls_wrapper(ndpi_struct, flow);
+}
+
 static void tls_subclassify_by_alpn(struct ndpi_detection_module_struct *ndpi_struct,
 				    struct ndpi_flow_struct *flow) {
   /* Right now we have only one rule so we can keep it trivial */

diff --git a/tests/cfgs/default/result/stun.pcap.out b/tests/cfgs/default/result/stun.pcap.out
@@ -1,20 +1,20 @@
 Guessed flow protos:	0
 
 DPI Packets (TCP):	7	(3.50 pkts/flow)
-DPI Packets (UDP):	17	(5.67 pkts/flow)
+DPI Packets (UDP):	18	(6.00 pkts/flow)
 Confidence DPI              : 5 (flows)
-Num dissector calls: 595 (119.00 diss/flow)
+Num dissector calls: 578 (115.60 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
-LRU cache stun:       6/38/0 (insert/search/found)
-LRU cache tls_cert:   0/0/0 (insert/search/found)
+LRU cache stun:       4/34/0 (insert/search/found)
+LRU cache tls_cert:   1/2/0 (insert/search/found)
 LRU cache mining:     0/0/0 (insert/search/found)
 LRU cache msteams:    0/0/0 (insert/search/found)
 LRU cache stun_zoom:  0/0/0 (insert/search/found)
 Automa host:          0/0 (search/found)
 Automa domain:        0/0 (search/found)
-Automa tls cert:      0/0 (search/found)
+Automa tls cert:      1/1 (search/found)
 Automa risk mask:     1/0 (search/found)
 Automa common alpns:  0/0 (search/found)
 Patricia risk mask:   8/0 (search/found)
@@ -26,8 +26,13 @@ STUN	62	7620	2
 GoogleHangoutDuo	33	6292	1
 FacebookVoip	75	10554	1
 
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 192.168.12.169           	 1      
+
+
 	1	UDP 192.168.12.169:38123 <-> 31.13.86.54:40003 [proto: 78.268/STUN.FacebookVoip][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 2][cat: VoIP/10][40 pkts/6134 bytes <-> 35 pkts/4420 bytes][Goodput ratio: 73/67][10.09 sec][Hostname/SNI: turner.facebook][bytes ratio: 0.162 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 260/331 6004/5997 1040/1126][Pkt Len c2s/s2c min/avg/max/stddev: 70/68 153/126 190/174 31/39][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (unauthorized)][Plen Bins: 8,14,9,28,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	2	UDP 192.168.12.169:49153 <-> 142.250.82.99:3478 [proto: 78.201/STUN.GoogleHangoutDuo][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 4][cat: VoIP/10][18 pkts/2856 bytes <-> 15 pkts/3436 bytes][Goodput ratio: 74/82][2.12 sec][bytes ratio: -0.092 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 8/0 88/153 699/625 177/222][Pkt Len c2s/s2c min/avg/max/stddev: 107/76 159/229 588/1240 107/297][PLAIN TEXT (BwlkYDtFJ)][Plen Bins: 0,6,57,21,6,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0]
+	2	UDP 192.168.12.169:49153 <-> 142.250.82.99:3478 [proto: 30.201/DTLS.GoogleHangoutDuo][IP: 126/Google][Encrypted][Confidence: DPI][DPI packets: 5][cat: VoIP/10][18 pkts/2856 bytes <-> 15 pkts/3436 bytes][Goodput ratio: 74/82][2.12 sec][bytes ratio: -0.092 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 8/0 88/153 699/625 177/222][Pkt Len c2s/s2c min/avg/max/stddev: 107/76 159/229 588/1240 107/297][Risk: ** Self-signed Cert **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **][Risk Score: 160][Risk Info: No ALPN / CN=hangouts][DTLSv1.2][JA3C: c14667d7da3e6f7a7ab5519ef78c2452][JA3S: 1f5d6a6d0bc5d514dd84d13e6283d309][Issuer: CN=hangouts][Subject: CN=hangouts][Certificate SHA-1: 6C:D0:9A:70:A1:F1:9E:BF:8E:EF:FE:B6:F1:37:A3:E8:8A:3B:F7:C8][Validity: 2022-03-17 02:11:17 - 2023-03-18 02:11:17][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (BwlkYDtFJ)][Plen Bins: 0,6,57,21,6,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0]
 	3	UDP [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603]:56880 <-> [2a38:e156:8167:a333:face:b00c::24d9]:3478 [proto: 78/STUN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 11][cat: Network/14][21 pkts/1722 bytes <-> 21 pkts/2226 bytes][Goodput ratio: 24/41][191.49 sec][bytes ratio: -0.128 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/2 9451/9451 10358/10358 2441/2441][Pkt Len c2s/s2c min/avg/max/stddev: 82/106 82/106 82/106 0/0][PLAIN TEXT (WOBTrOXR)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	4	TCP 87.47.100.17:3478 <-> 54.1.57.155:37257 [proto: 78/STUN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][9 pkts/1494 bytes <-> 11 pkts/2178 bytes][Goodput ratio: 60/67][0.95 sec][Hostname/SNI: apps-host.com][bytes ratio: -0.186 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 104/96 267/252 102/93][Pkt Len c2s/s2c min/avg/max/stddev: 74/94 166/198 234/354 41/65][PLAIN TEXT (Unauthorized)][Plen Bins: 10,0,15,21,42,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	5	TCP 10.77.110.51:41588 <-> 10.206.50.239:42000 [VLAN: 1611][proto: 78.38/STUN.Skype_TeamsCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 3][cat: VoIP/10][7 pkts/1006 bytes <-> 8 pkts/1118 bytes][Goodput ratio: 58/57][1.05 sec][bytes ratio: -0.053 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 189/134 369/399 144/153][Pkt Len c2s/s2c min/avg/max/stddev: 70/64 144/140 164/172 31/43][Plen Bins: 0,0,25,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]