ntop / nDPI

Open Source Deep Packet Inspection Software Toolkit
http://www.ntop.org
GNU Lesser General Public License v3.0

ndpi tls certificate length and entropy output in csv format #2282

Closed pasitushar closed 7 months ago

pasitushar commented 10 months ago

TLS certificate length is not present in the output:

```json
"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"acplgs.goskope.com","tls": {"version":"TLSv1.2","server_names":".goskope.com,.au.goskope.com,.eu.goskope.com,.de.goskope.com,.us2.goskope.com,.ams1.goskope.com,.dfw3.goskope.com,.fra2.goskope.com,.lon2.goskope.com,.lon3.goskope.com,.mel2.goskope.com,.ruh1.goskope.com,.sin2.goskope.com,.sjc1.goskope.com,.sjc2.goskope.com,.yyz1.goskope.com,.yyz2.goskope.com,.zur2.goskope.com,goskope.com","ja3":"07ff1e545ef8ab3fcf8a4dc9272221c2","ja3s":"c4b2785a87896e19d37eee932070cb22","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018","subjectDN":"C=US, ST=California, L=Santa Clara, O=Netskope, Inc., CN=*.goskope.com","advertised_alpns":"http\/1.1","negotiated_alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"CC:CD:64:93:0E:6D:DB:30:4C:8E:92:84:38:7A:70:B9:42:59:F4:FB"}}
```

The CSV output format prints the packet entropy twice: first in the flow, and then in the next line after the flow.

```
12,17,1704704800.316,1704704801.885,1.569,192.168.1.40,35259,74.125.24.84,443,188.126,QUIC.Google,Google,accounts.google.com,113,12947,8201,598,745815,720699,-0.966,Download,63.3,96.6,1,8.6,235,24.6,0,17.6,316,48.5,0,2.0,318,16.0,73,114.6,1292,183.0,63,1247.2,1292,222.2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,,TLSv1.3,5c151b096002acf13caac828fd173691,OK,,0,h3,,TLSv1.3,,,,11;14;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;0;68;0;0;0;0;0;0;0;0,,128.320,53.743,7.524,3784.364 ,128.320,53.743,7.524,3784.364
```

IvanNardi commented 10 months ago

> TLS certificate length is not present in the output "ndpi": {"confidence":

AFAIK, certificate length is never exported by the library. Could you elaborate on the scenario where you need it, please?

pasitushar commented 8 months ago

I need it in the TLS extension data. Wireshark captures the TLS certificate length, so I thought nDPI should do it as well, because I think it can be used as a feature in anomaly detection.

On Thu, Jan 25, 2024, 2:03 AM Ivan Nardi wrote:

> TLS certificate length is not present in the output "ndpi": {"confidence":
>
> AFAIK, certificate length is never exported by the library. Could you elaborate on the scenario where you need it, please?
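Since nDPI does not export the value the reporter asks for, the following added example (my code, not nDPI's and not part of the thread) shows how the "Certificates Length" and per-certificate "Certificate Length" fields that Wireshark displays are recovered from a raw TLS record carrying a Handshake Certificate message (RFC 5246, section 7.4.2), together with the Shannon entropy of the record as a second feature. The helper names (`build_certificate_record`, `parse_certificate_lengths`, `shannon_entropy`, `flow_features`) and the sample input are constructed for this example. One caveat a practitioner must keep in mind: only TLS 1.2 and earlier send the server certificate in clear text, which is why the JSON above (a TLSv1.2 flow) carries subjectDN and issuerDN; in a TLS 1.3 session the Certificate message is encrypted and a passive observer sees none of these fields.

```python
"""Extract TLS certificate lengths (and byte entropy) from a raw TLS record.

Added example, not nDPI code. Parses a clear-text TLS 1.2 Handshake record of
type Certificate: record header -> handshake header (type 11, 24-bit length)
-> certificate_list length (24-bit) -> one 24-bit length prefix per ASN.1Cert.
"""
import math
import struct
from collections import Counter

TLS_CONTENT_HANDSHAKE = 0x16
HANDSHAKE_CERTIFICATE = 11


def build_certificate_record(certs, version=(3, 3)):
    """Constructed test helper: wrap stand-in DER blobs in a TLS 1.2 record
    the way a server would send its Certificate message."""
    cert_list = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(cert_list).to_bytes(3, "big") + cert_list
    handshake = bytes([HANDSHAKE_CERTIFICATE]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_CONTENT_HANDSHAKE, *version]) + struct.pack("!H", len(handshake)) + handshake


def _u24(buf, off):
    """Read a big-endian 24-bit length; raise if the buffer is too short."""
    if off + 3 > len(buf):
        raise ValueError("truncated length field at offset %d" % off)
    return int.from_bytes(buf[off:off + 3], "big")


def parse_certificate_lengths(record):
    """Return (certificates_length, [per_cert_length, ...]) for a Handshake
    record carrying a Certificate message, or None if the record is anything
    else (ClientHello, Application Data, ...). Raises ValueError when the
    declared lengths do not fit the bytes actually present, so a truncated or
    crafted record is rejected instead of producing a bogus feature value."""
    if len(record) < 5 or record[0] != TLS_CONTENT_HANDSHAKE:
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    payload = record[5:5 + rec_len]
    if len(payload) != rec_len:
        raise ValueError("record declares %d bytes, got %d" % (rec_len, len(payload)))
    if len(payload) < 4 or payload[0] != HANDSHAKE_CERTIFICATE:
        return None
    hs_len = _u24(payload, 1)
    body = payload[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("handshake message truncated")
    certs_len = _u24(body, 0)                  # Wireshark: "Certificates Length"
    cert_list = body[3:3 + certs_len]
    if len(cert_list) != certs_len:
        raise ValueError("certificate_list truncated")
    lengths, pos = [], 0
    while pos < len(cert_list):
        n = _u24(cert_list, pos)               # Wireshark: "Certificate Length"
        pos += 3
        if pos + n > len(cert_list):
            raise ValueError("certificate overruns certificate_list")
        lengths.append(n)
        pos += n
    return certs_len, lengths


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flow_features(record):
    """Per-record features a detector could consume. Constructed shape; nDPI's
    JSON and CSV outputs do not carry these fields."""
    parsed = parse_certificate_lengths(record)
    if parsed is None:
        return None
    certs_len, lengths = parsed
    return {"certificates_length": certs_len,
            "certificate_lengths": lengths,
            "certificate_count": len(lengths),
            "record_entropy": round(shannon_entropy(record), 3)}


if __name__ == "__main__":
    # Constructed input: two stand-in "certificates" of 300 and 1200 bytes.
    rec = build_certificate_record([bytes(range(256)) + b"A" * 44, b"B" * 1200])
    print(flow_features(rec))
```

The parser expects the Certificate message at the start of a reassembled record. In real captures a server often packs ServerHello, Certificate and ServerKeyExchange into one record, or splits a large certificate chain across several TCP segments, so the handshake bytes must be reassembled and the preceding messages skipped before this function is applied; the length checks above are what stops a partial record from being turned into a misleading feature value.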