From bc401e6a431852a7f060a6fc2db5f7ae79f1863b Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 3 Sep 2024 16:04:09 +0200
Subject: [PATCH] tls/ja3: adds test with duplicate handshake

Ticket: 6634
---
 tests/tls-duplicate-hello/README.md | 9 +++++++++
 tests/tls-duplicate-hello/cli.py | 15 ++++++++++++++
 tests/tls-duplicate-hello/input.pcap | Bin 0 -> 2832 bytes
 tests/tls-duplicate-hello/srv.go | 29 +++++++++++++++++++++++++++
 tests/tls-duplicate-hello/test.rules | 1 +
 tests/tls-duplicate-hello/test.yaml | 18 +++++++++++++++++
 6 files changed, 72 insertions(+)
 create mode 100644 tests/tls-duplicate-hello/README.md
 create mode 100644 tests/tls-duplicate-hello/cli.py
 create mode 100644 tests/tls-duplicate-hello/input.pcap
 create mode 100644 tests/tls-duplicate-hello/srv.go
 create mode 100644 tests/tls-duplicate-hello/test.rules
 create mode 100644 tests/tls-duplicate-hello/test.yaml

diff --git a/tests/tls-duplicate-hello/README.md b/tests/tls-duplicate-hello/README.md
new file mode 100644
index 000000000..a2a3f73a9
--- /dev/null
+++ b/tests/tls-duplicate-hello/README.md
@@ -0,0 +1,9 @@
+# Description
+
+Test ja3 on tls with duplicate hello
+
+https://redmine.openinfosecfoundation.org/issues/6634
+
+# PCAP
+
+The pcap is crafted from srv.go and cli.py
diff --git a/tests/tls-duplicate-hello/cli.py b/tests/tls-duplicate-hello/cli.py
new file mode 100644
index 000000000..d9dc7a608
--- /dev/null
+++ b/tests/tls-duplicate-hello/cli.py
@@ -0,0 +1,15 @@
+import socket
+import binascii
+
+HOST = "127.0.0.1" # The server's hostname or IP address
+PORT = 8443 # The port used by the server
+
+with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
+ s.connect((HOST, PORT))
+ data = binascii.unhexlify("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")
+ s.sendall(data)
+ data2 = binascii.unhexlify("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")
+ s.sendall(data2)
+ data = s.recv(1024)
+
+print(f"Received {data!r}")
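Review bot: `data = s.recv(1024)` at the end of the `with` block runs on a socket with no timeout, so if the server neither answers nor closes the connection after the second payload the capture helper blocks forever instead of finishing the pcap; add `s.settimeout(5)` directly after `s.connect((HOST, PORT))` so the script always terminates and the FIN/RST ends up in the capture. The two `binascii.unhexlify` payloads are opaque blobs with no comment, even though the commit subject and README say the whole point is a repeated ClientHello; a comment above `data2 = ...` such as `# second ClientHello on the same connection, reproduces redmine #6634` would let a maintainer regenerate input.pcap without reverse-engineering the hex. The hex contents are not visible in this view, so whether data2 is byte-identical to data, or only a second hello, cannot be confirmed here and the comment should say which.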
diff --git a/tests/tls-duplicate-hello/input.pcap b/tests/tls-duplicate-hello/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..1a22faae0b74f03e0245d2d124d6f006c03b8bd7 GIT binary patch literal 2832 zc-rljdpMM7AII-!o}rnX&4g0SMK+9b93h1bo5O}(hm~46l-a0BHc=}~YA;H}#L5_U zDdc?EBHA9bET$4g5y~5*h^2$mntAUh>#cp?+O7ZJ=X!q6^_+g6`+MKt-}SrhI}PPO z5&#jrITr56mv!xq8j%Fn@E#8W3>yF}@zYWqfJgukJQ`@U+2bZ{$MKv}f=DDZg8vdN z?ja~Djv%C^^^};v*Hpp+^9*F_z-OH|OwIph(qygE=BKPiT*1!@W^Ns~73!0x6wA~TdFkEClkTZH8++&>Ql&@`rTCzRm&xrWPZeW16BXJJ zb&Pw3L+BoS>fD39k#_r;jpD z#uyqWc$aY(KiD`KGEUYT8aMDRi{O90e2wM_}?H6fG_p{3#ICAv=Egi6gIf#KmyC;n^B#jT{WPH+zxv+<>vn`gDiLC1B54qCZv?BktdEn?-UemrD{) zYBbEhyhT5Zncdsv@T_3tgX)phR5(6@D8j2^nt`8Nptk%e{oYen%m&R7CuKJsdQD>3#%E?J4yZ6_-#M%5V?V+K<(D1&B|`9Dz|`D%q@Po0YBz_h)I{Y~y{n_}aXA&J~q z!Rt#gJ{_9tU0K+p*wLLZ94tKWjci`Xcbof}11+{Tu_pH;5v$G=zk@9nRBtrz(}c9Z>E*@$M(8k#Ge#|*o-AItm&+RzP-K#4T)o$)0f6e?6vo# zYT5=XH2%nrShH+??VKw$WzKic!zYhk5LrSNOh0nqY|dg#9ZxMg}p%UWl1x~ zC&$*vbhg|tuw9HKU!pc-X4lA5dsw>ughDW>^MSFJ7AhC+A~Pnx;NzEfm?^Nmzeow7LFpPE`5z{ik#|YfU?z@v(+8 zOPmc=K0CSm!HVW+=FN~?yG?7RI^8H8#BDRFmm@veH@J4lHm)EZRdC}NV&s33_H!nbeHa2;WLTe zbipUdx*D14L#D1|IX==Z}T>iN`wxPcoR z7;g5YVY%gL*+O6TynoZ(K0NcJ^*#++x}y&A!;50Az-H~X8&gz&bEyd1DB9tGZw=UJ zov&+jN!|6w{aICMO51isdq2jvO&9cG*I z>gmFQLm`#H{C$|Dw=3s}pFVnp#XE13=>F=wRY))OT4zkuvqQTj%&)v+eV&qXS>L^k zoBlgf3hzjUup>FcPUQTivpK%IBV9{d>_|e(zjh>iUX&Fxn0ZaK757B{V;=i%%!IDL wEY9D6edwM?)*BxKcFyj%_B^Hd7&vG1$8pNu$N3s^{%N22HpiI?IdGr(Z!(m{(EtDd literal 0 Hc-jL100001 diff --git a/tests/tls-duplicate-hello/srv.go b/tests/tls-duplicate-hello/srv.go new file mode 100644 index 000000000..bf42f3a57 --- /dev/null +++ b/tests/tls-duplicate-hello/srv.go 
@@ -0,0 +1,29 @@
+package main
+
+import (
+ // "fmt"
+ // "io"
+ "net/http"
+ "log"
+)
+
+/*
+openssl genrsa -out server.key 2048
+openssl ecparam -genkey -name secp384r1 -out server.key
+openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
+*/
+
+func HelloServer(w http.ResponseWriter, req *http.Request) {
+ w.Header().Set("Content-Type", "text/plain")
+ w.Write([]byte("This is an example server.\n"))
+ // fmt.Fprintf(w, "This is an example server.\n")
+ // io.WriteString(w, "This is an example server.\n")
+}
+
+func main() {
+ http.HandleFunc("/hello", HelloServer)
+ err := http.ListenAndServeTLS(":8443", "server.crt", "server.key", nil)
+ if err != nil {
+ log.Fatal("ListenAndServe: ", err)
+ }
+}
diff --git a/tests/tls-duplicate-hello/test.rules b/tests/tls-duplicate-hello/test.rules
new file mode 100644
index 000000000..555ac2cd8
--- /dev/null
+++ b/tests/tls-duplicate-hello/test.rules
@@ -0,0 +1 @@
+alert tls any any -> any any (msg:"ja3.string test"; ja3.string; content:"771,"; sid:1;)
\ No newline at end of file
diff --git a/tests/tls-duplicate-hello/test.yaml b/tests/tls-duplicate-hello/test.yaml
new file mode 100644
index 000000000..d1243a53b
--- /dev/null
+++ b/tests/tls-duplicate-hello/test.yaml
@@ -0,0 +1,18 @@
+requires:
+ min-version: 8
+
+# disables checksum verification
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.ja3.string: "771,4866-4867-4865-4868-49196-52393-49325-49162-49195-49324-49161-49200-52392-49172-49199-49171-157-49309-53-156-49308-47-159-52394-49311-57-158-49310-51,5-10-11-13-22-23-35-51-43-65281-0-45,23,0"
--
2.47.2
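Review bot: `http.ListenAndServeTLS(":8443", ...)` in `main` binds on every interface, so while the pcap is being crafted this self-signed helper server is reachable from the network even though cli.py only ever talks to `127.0.0.1`; bind to `"127.0.0.1:8443"` to keep the capture fixture local. The fatal message reads `ListenAndServe` while the call is `ListenAndServeTLS`; `log.Fatal("ListenAndServeTLS: ", err)` keeps the log line traceable to the call. The openssl recipe in the header comment writes `server.key` twice (`genrsa` and then `ecparam ... -out server.key`, so the RSA key is overwritten by the EC one); keep only the command that produced the key the pcap was actually recorded with, and note which. The commented-out `"fmt"`/`"io"` imports and the two alternative write calls in `HelloServer` are dead code, and the import group lists `"net/http"` before `"log"`, which gofmt/goimports would reorder — drop the dead lines and let the formatter sort the imports.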
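Review bot: The two checks pin only the expected output (one alert for sid 1 and one tls record with the full ja3 string) and nothing records why that is the interesting assertion for a duplicated ClientHello; a comment above the second filter, e.g. `# the repeated ClientHello must not change the ja3 string computed from the first one`, would tell the next reader what regression this guards against — I am inferring the failure mode from the ticket title, so adjust the wording to what 6634 actually reported. If Suricata emits an anomaly or app-layer event for the second hello, a third filter on that `event_type` with its count would also catch a regression that silently starts dropping or double-parsing the handshake; which event, if any, is produced is not visible from this patch, so check the eve output of a run before adding it. The `# disables checksum verification` comment is accurate for `-k none`, but a one-line note on why the crafted pcap needs it would make the fixture self-explanatory.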