tls/ja3: do not append to ja3 str once ja3 hash is computed 11748/head
authorPhilippe Antoine <pantoine@oisf.net>
Tue, 3 Sep 2024 13:37:00 +0000 (15:37 +0200)
committerVictor Julien <victor@inliniac.net>
Tue, 10 Sep 2024 14:16:22 +0000 (16:16 +0200)
Ticket: 6634

That means take only the first client hello into account.
This way, we do not end up with a ja3 string with 9 commas...

(cherry picked from commit 84735251b577a284af3795708786974fd30720b0)

src/app-layer-ssl.c

index e5c1ed1eb0fbeb7f6241f9ab8803c7cada77d321..907e06708b5d59b78da01b731b5e7b5ea9f844bc 100644 (file)
@@ -844,7 +844,8 @@ static inline int TLSDecodeHSHelloCipherSuites(SSLState *ssl_state,
         goto invalid_length;
     }
 
-    const bool enable_ja3 = SC_ATOMIC_GET(ssl_config.enable_ja3);
+    const bool enable_ja3 =
+            SC_ATOMIC_GET(ssl_config.enable_ja3) && ssl_state->curr_connp->ja3_hash == NULL;
 
     if (enable_ja3 || SC_ATOMIC_GET(ssl_config.enable_ja4)) {
         JA3Buffer *ja3_cipher_suites = NULL;
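Review bot: The `enable_ja3` local at the top of this hunk no longer means "JA3 is enabled": it is now also false once `ssl_state->curr_connp->ja3_hash` is set, and unlike the matching change in TLSDecodeHSHelloExtensions it has no comment saying so. I would add `// only the first client hello contributes to ja3_str` above it, or rename the local so the narrower meaning is visible where it is tested further down. The `if (enable_ja3 || SC_ATOMIC_GET(ssl_config.enable_ja4))` branch is still entered for a later hello when JA4 is enabled; whether JA4 state accumulates across hellos in the same way cannot be seen from this hunk and is worth confirming, since both fingerprints feed detection rules. The function body starts and ends outside the hunk.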
@@ -1314,7 +1315,9 @@ static inline int TLSDecodeHSHelloExtensions(SSLState *ssl_state,
 
     int ret;
     int rc;
-    const bool ja3 = (SC_ATOMIC_GET(ssl_config.enable_ja3) == 1);
+    // if ja3_hash is already computed, do not use new hello to augment ja3_str
+    const bool ja3 =
+            (SC_ATOMIC_GET(ssl_config.enable_ja3) == 1) && ssl_state->curr_connp->ja3_hash == NULL;
 
     JA3Buffer *ja3_extensions = NULL;
     JA3Buffer *ja3_elliptic_curves = NULL;
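Review bot: The guard on `ja3` relies on `ja3_hash` having been produced from the first client hello, so `ja3_str` is protected only on the path where hashing completed. If the hash is not generated for the first hello (for example an allocation failure or an incomplete hello; that code is outside this hunk), a second hello would presumably still append to the string. Documenting that assumption in the comment, e.g. `// relies on ja3_hash being set after the first complete client hello`, would help the next reader. The condition is also spelled differently from the one in TLSDecodeHSHelloCipherSuites (`== 1` here, bare value there); sharing one small static inline predicate would keep the two from drifting. The function body continues outside the hunk.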