From: Philippe Antoine
Date: Tue, 3 Sep 2024 13:37:00 +0000 (+0200)
Subject: tls/ja3: do not append to ja3 str once ja3 hash is computed
X-Git-Tag: suricata-8.0.0-beta1~894
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=84735251b577a284af3795708786974fd30720b0;p=thirdparty%2Fsuricata.git
tls/ja3: do not append to ja3 str once ja3 hash is computed
Ticket: 6634
That means take only the first client hello into account. This way, we do not end with ja3 string with 9 commas...
---
diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index da98a1ee09..3a7a076f69 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -856,7 +856,8 @@ static inline int TLSDecodeHSHelloCipherSuites(SSLState *ssl_state,
 goto invalid_length;
 }
- const bool enable_ja3 = SC_ATOMIC_GET(ssl_config.enable_ja3);
+ const bool enable_ja3 =
+ SC_ATOMIC_GET(ssl_config.enable_ja3) && ssl_state->curr_connp->ja3_hash == NULL;
 if (enable_ja3 || SC_ATOMIC_GET(ssl_config.enable_ja4)) {
 JA3Buffer *ja3_cipher_suites = NULL;
@@ -1336,7 +1337,9 @@ static inline int TLSDecodeHSHelloExtensions(SSLState *ssl_state,
 int ret;
 int rc;
- const bool ja3 = (SC_ATOMIC_GET(ssl_config.enable_ja3) == 1);
+ // if ja3_hash is already computed, do not use new hello to augment ja3_str
+ const bool ja3 =
+ (SC_ATOMIC_GET(ssl_config.enable_ja3) == 1) && ssl_state->curr_connp->ja3_hash == NULL;
 JA3Buffer *ja3_extensions = NULL;
 JA3Buffer *ja3_elliptic_curves = NULL;
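Review bot: Only the JA3 half of the condition is gated in TLSDecodeHSHelloCipherSuites, so with `enable_ja4` set a second hello on the same connection still enters the `if (enable_ja3 || SC_ATOMIC_GET(ssl_config.enable_ja4))` block. Whether the JA4 state accumulates cipher suites across hellos the way ja3_str did is not visible in this hunk, so it is worth confirming that the JA4 path has an equivalent first-hello guard. The new condition here also lacks the explanation the second hunk carries; I would add `// once ja3_hash is set, later hellos must not extend ja3_str` above it. The function body starts and ends outside the hunk.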
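Review bot: The guard in TLSDecodeHSHelloExtensions (and the identical one in TLSDecodeHSHelloCipherSuites) uses `ja3_hash == NULL` as the marker that no hello has been fully processed yet, so it only holds if the hash is always set once ja3_str has been built. If hash generation is skipped or fails for the first hello (those paths are outside the hunk), a later hello from the same peer would still append, and the fingerprint that rules and logs see would again mix two hellos. Because the peer decides how many hellos it sends, a test with two client hellos on one connection would pin the intended result. A small shared predicate for the two-part test would also keep both call sites in step.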