2024-01-22 06:48:54 +08:00
|
|
|
package tcp
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"bytes"
|
|
|
|
|
|
|
|
|
|
"github.com/apernet/OpenGFW/analyzer"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var _ analyzer.TCPAnalyzer = (*TrojanAnalyzer)(nil)
|
|
|
|
|
|
|
|
|
|
// CCS stands for "Change Cipher Spec"
|
2024-03-21 09:07:26 +08:00
|
|
|
var ccsPattern = []byte{20, 3, 3, 0, 1, 1}
|
2024-01-22 06:48:54 +08:00
|
|
|
|
2024-03-21 09:07:26 +08:00
|
|
|
// TrojanAnalyzer uses length-based heuristics to detect Trojan traffic based on
|
|
|
|
|
// its "TLS-in-TLS" nature. The heuristics are trained using a decision tree with
|
|
|
|
|
// about 2000 samples. This is highly experimental and is known to have significant
|
2024-03-21 09:37:43 +08:00
|
|
|
// false positives (about 9% false positives & 3% false negatives).
|
2024-03-21 09:07:26 +08:00
|
|
|
// We do NOT recommend directly blocking all positive connections, as this is likely
|
|
|
|
|
// to break many normal TLS connections.
|
2024-01-22 06:48:54 +08:00
|
|
|
type TrojanAnalyzer struct{}
|
|
|
|
|
|
|
|
|
|
func (a *TrojanAnalyzer) Name() string {
|
|
|
|
|
return "trojan"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *TrojanAnalyzer) Limit() int {
|
2024-03-21 09:07:26 +08:00
|
|
|
return 512000
|
2024-01-22 06:48:54 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *TrojanAnalyzer) NewTCP(info analyzer.TCPInfo, logger analyzer.Logger) analyzer.TCPStream {
|
|
|
|
|
return newTrojanStream(logger)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type trojanStream struct {
|
2024-03-21 09:07:26 +08:00
|
|
|
logger analyzer.Logger
|
|
|
|
|
first bool
|
|
|
|
|
count bool
|
|
|
|
|
rev bool
|
2024-03-21 09:37:43 +08:00
|
|
|
seq [3]int
|
2024-03-21 09:07:26 +08:00
|
|
|
seqIndex int
|
2024-01-22 06:48:54 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func newTrojanStream(logger analyzer.Logger) *trojanStream {
|
|
|
|
|
return &trojanStream{logger: logger}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (s *trojanStream) Feed(rev, start, end bool, skip int, data []byte) (u *analyzer.PropUpdate, done bool) {
|
|
|
|
|
if skip != 0 {
|
|
|
|
|
return nil, true
|
|
|
|
|
}
|
|
|
|
|
if len(data) == 0 {
|
|
|
|
|
return nil, false
|
|
|
|
|
}
|
2024-03-21 09:07:26 +08:00
|
|
|
|
|
|
|
|
if s.first {
|
|
|
|
|
s.first = false
|
|
|
|
|
// Stop if it's not a valid TLS connection
|
|
|
|
|
if !(!rev && len(data) >= 3 && data[0] >= 0x16 && data[0] <= 0x17 &&
|
|
|
|
|
data[1] == 0x03 && data[2] <= 0x09) {
|
|
|
|
|
return nil, true
|
|
|
|
|
}
|
2024-01-22 06:48:54 +08:00
|
|
|
}
|
2024-03-21 09:07:26 +08:00
|
|
|
|
|
|
|
|
if !rev && !s.count && len(data) >= 6 && bytes.Equal(data[:6], ccsPattern) {
|
|
|
|
|
// Client Change Cipher Spec encountered, start counting
|
|
|
|
|
s.count = true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if s.count {
|
|
|
|
|
if rev == s.rev {
|
|
|
|
|
// Same direction as last time, just update the number
|
2024-03-21 09:37:43 +08:00
|
|
|
s.seq[s.seqIndex] += len(data)
|
2024-01-22 06:48:54 +08:00
|
|
|
} else {
|
2024-03-21 09:07:26 +08:00
|
|
|
// Different direction, bump the index
|
|
|
|
|
s.seqIndex += 1
|
2024-03-21 09:37:43 +08:00
|
|
|
if s.seqIndex == 3 {
|
2024-03-21 09:07:26 +08:00
|
|
|
// Time to evaluate
|
2024-03-21 09:37:43 +08:00
|
|
|
yes := s.seq[0] >= 180 &&
|
|
|
|
|
s.seq[1] <= 11000 &&
|
|
|
|
|
s.seq[2] >= 40
|
2024-01-22 06:48:54 +08:00
|
|
|
return &analyzer.PropUpdate{
|
|
|
|
|
Type: analyzer.PropUpdateReplace,
|
|
|
|
|
M: analyzer.PropMap{
|
2024-03-21 09:07:26 +08:00
|
|
|
"seq": s.seq,
|
|
|
|
|
"yes": yes,
|
2024-01-22 06:48:54 +08:00
|
|
|
},
|
|
|
|
|
}, true
|
|
|
|
|
}
|
2024-03-21 09:37:43 +08:00
|
|
|
s.seq[s.seqIndex] += len(data)
|
2024-03-21 09:07:26 +08:00
|
|
|
s.rev = rev
|
2024-01-22 06:48:54 +08:00
|
|
|
}
|
|
|
|
|
}
|
2024-03-21 09:07:26 +08:00
|
|
|
|
|
|
|
|
return nil, false
|
2024-01-22 06:48:54 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (s *trojanStream) Close(limited bool) *analyzer.PropUpdate {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
