ja4 - enable ja4h on http/2
astibal committed Nov 11, 2024
1 parent dee7627 commit c727f18
Showing 3 changed files with 65 additions and 46 deletions.
13 changes: 13 additions & 0 deletions src/inspect/engine/http.cpp
Expand Up @@ -523,12 +523,25 @@ namespace sx::engine::http {
_err("Frame: hpack decode exception: %s", e.what());
}

std::optional<sx::ja4::HTTP> ja4h;
if(ctx.options.http.ja4h) {
ja4h = sx::ja4::HTTP();
ja4h->version = "20";
}


for (auto& [ hdr, vlist ] : dec.headers()) {
for(auto const& hdr_elem: vlist) {
process_header_entry(ctx, side, my_app_data,
stream_id, flags, data, hdr, hdr_elem);
if(ja4h.has_value()) {
ja4h->process_header_pair(std::make_pair(hdr, hdr_elem));
}
}
}
if(ja4h.has_value())
my_app_data->http_data.ja4h = ja4h->ja4h();

detect_app(ctx, side, my_app_data, stream_id, flags, data);
if(ctx.origin->opt_kb_enabled) {
fill_kb(ctx, side, my_app_data, stream_id, flags, data);
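Review bot: Nothing in the added block checks `side` or `stream_id` before `my_app_data->http_data.ja4h = ja4h->ja4h();`, so as far as the hunk shows, every decoded header block overwrites the stored fingerprint, including response headers and later streams. JA4H describes the client request, so I would gate the block on the request direction, e.g. `if(ctx.options.http.ja4h && side == <REQUEST_SIDE_PLACEHOLDER>)` (the side type is not visible here). The loop also hands HTTP/2 pseudo-headers such as `:method` and `:path` to `process_header_pair`, which appends them to `headers`. Unless `ja4h()` filters them and the method is filled in elsewhere, the result will not line up with the same client's HTTP/1 fingerprint. The enclosing function starts and ends outside the hunk, so a direction check may already exist further up.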
97 changes: 51 additions & 46 deletions src/inspect/fp/ja4.cpp
Expand Up @@ -151,6 +151,56 @@ namespace sx::ja4 {
}


bool HTTP::process_header_pair(std::pair<std::string_view,std::string_view> header_pair) {

auto locase = util::to_lower(header_pair.first);
if(locase == "cookie") {
have_cookie = true;
if(should_parse_cookies) {
auto ck = util::split_string_view(header_pair.second, "; ", false, true);
for(auto const& cookie_pair: ck) {
auto cs = util::split_string_view(cookie_pair,"=", true, true);
if(cs.size() == 2) {
cookies.push_back(cs[0]);
std::stringstream ss;
ss << cs[0] << "=" << cs[1];
cookies_values.push_back(ss.str());
}
}
}

return true;
}
else if(locase == "referer") {
have_referer = true;
return true;
}
else if(locase == "accept-language") {
lang.clear();
for(auto c: header_pair.second) {
if(isalnum(c)) {
lang += c;
}
else if (c == ',') {
// don't continue into next part
break;
}
else if(lang.size() >= 4)
// we have enough
break;
}
auto fill = 4 - lang.size();
for (size_t i = 0; i < fill ; ++i) {
lang += "0";
}

lang = util::to_lower(lang);
}
headers.emplace_back(header_pair);
return true;

}

bool HTTP::process_header(std::string_view header) {
clear();

Expand All @@ -161,52 +211,7 @@ namespace sx::ja4 {

auto parts = util::split_string_view(header, ": ", true, false);
if(parts.size() == 2) {

auto locase = util::to_lower(parts[0]);
if(locase == "cookie") {
have_cookie = true;
if(should_parse_cookies) {
auto ck = util::split_string_view(parts[1],"; ", false, true);
for(auto const& cookie_pair: ck) {
auto cs = util::split_string_view(cookie_pair,"=", true, true);
if(cs.size() == 2) {
cookies.push_back(cs[0]);
std::stringstream ss;
ss << cs[0] << "=" << cs[1];
cookies_values.push_back(ss.str());
}
}
}

return true;
}
else if(locase == "referer") {
have_referer = true;
return true;
}
else if(locase == "accept-language") {
lang.clear();
for(auto c: parts[1]) {
if(isalnum(c)) {
lang += c;
}
else if (c == ',') {
// don't continue into next part
break;
}
else if(lang.size() >= 4)
// we have enough
break;
}
auto fill = 4 - lang.size();
for (size_t i = 0; i < fill ; ++i) {
lang += "0";
}

lang = util::to_lower(lang);
}
headers.emplace_back(parts[0],parts[1]);
return true;
return process_header_pair(std::make_pair(parts[0], parts[1]));
}
return false;
}
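Review bot: In `process_header_pair`, the `accept-language` branch can leave `lang` longer than four characters, because the `lang.size() >= 4` test is only reached for bytes that are neither alphanumeric nor a comma. `auto fill = 4 - lang.size();` then wraps around as an unsigned value and the padding loop keeps appending `"0"` until allocation fails. The value is taken directly from the peer's header and this commit makes the path reachable from HTTP/2 as well, so I would replace the fill loop with `lang.resize(4, '0');`, which both truncates and pads. `isalnum(c)` should also be called as `isalnum(static_cast<unsigned char>(c))`, since passing a plain `char` that holds a byte above 0x7f is undefined behaviour for the `<cctype>` functions.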
1 change: 1 addition & 0 deletions src/inspect/fp/ja4.hpp
Expand Up @@ -92,6 +92,7 @@ namespace sx::ja4 {
std::vector<std::string> cookies_values;


bool process_header_pair(std::pair<std::string_view,std::string_view> header_pair);
bool process_header(std::string_view header);

std::string ja4h_a() const;
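Review bot: The new public `process_header_pair` declaration has no comment stating how its contract differs from `process_header`. Its definition in ja4.cpp does not call `clear()`, accumulates into `headers` and `cookies` across calls, and returns true on every path. I would add something like `// Feeds one already-split header into the fingerprint state; does not reset it and always returns true.` If `headers` stores the `string_view`s as passed (its type is not visible here), the comment should also say that the viewed buffers must stay alive until `ja4h()` has been called.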