From: Philippe Antoine
Date: Tue, 3 Sep 2024 13:37:00 +0000 (+0200)
Subject: tls/ja3: do not append to ja3 str once ja3 hash is computed
X-Git-Tag: suricata-7.0.7~37
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=98fd40a4b3fd833df245ce44bcf879f6186418eb;p=thirdparty%2Fsuricata.git
tls/ja3: do not append to ja3 str once ja3 hash is computed Ticket: 6634 That means take only the first client hello into account. This way, we do not end with ja3 string with 9 commas... (cherry picked from commit 84735251b577a284af3795708786974fd30720b0)
---
diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index e5c1ed1eb0..907e06708b 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -844,7 +844,8 @@ static inline int TLSDecodeHSHelloCipherSuites(SSLState *ssl_state,
 goto invalid_length;
 }
- const bool enable_ja3 = SC_ATOMIC_GET(ssl_config.enable_ja3);
+ const bool enable_ja3 =
+ SC_ATOMIC_GET(ssl_config.enable_ja3) && ssl_state->curr_connp->ja3_hash == NULL;
 if (enable_ja3 || SC_ATOMIC_GET(ssl_config.enable_ja4)) {
 JA3Buffer *ja3_cipher_suites = NULL;
@@ -1314,7 +1315,9 @@ static inline int TLSDecodeHSHelloExtensions(SSLState *ssl_state,
 int ret;
 int rc;
- const bool ja3 = (SC_ATOMIC_GET(ssl_config.enable_ja3) == 1);
+ // if ja3_hash is already computed, do not use new hello to augment ja3_str
+ const bool ja3 =
+ (SC_ATOMIC_GET(ssl_config.enable_ja3) == 1) && ssl_state->curr_connp->ja3_hash == NULL;
 JA3Buffer *ja3_extensions = NULL;
 JA3Buffer *ja3_elliptic_curves = NULL;
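Review bot: The new gate in this hunk and in the TLSDecodeHSHelloExtensions hunk uses `ssl_state->curr_connp->ja3_hash == NULL` as the signal that no ClientHello has been fingerprinted yet, which ties the "first hello only" rule to the hash having actually been computed; if the hash step can fail or be skipped on the first hello (not visible in these hunks), a second hello would still append to `ja3_str`, so a per-connection flag set once the first ClientHello has been parsed would express the intent more directly and keep the fingerprint stable for any detection rules that match on it. The JA4 branch of the same `if (enable_ja3 || SC_ATOMIC_GET(ssl_config.enable_ja4))` is left ungated, so whether JA4 accumulates across hellos in the same way should be checked. Only the second hunk explains the check; this hunk should carry the same comment, e.g. `// only the first ClientHello contributes to ja3_str: skip once ja3_hash is set`, and since both hunks spell out the same predicate (one with `== 1`, one without) it would be cleaner as a single small static inline helper than as two copies that can drift apart. Both TLSDecodeHSHelloCipherSuites and TLSDecodeHSHelloExtensions start and end outside these hunks.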