Merge pull request #107 from apernet/fix-trojan

fix: trojan analyzer heuristics
This commit is contained in:
Toby 2024-03-20 18:39:05 -07:00 committed by GitHub
commit e1d9406fdb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 9 additions and 10 deletions

View File

@ -14,7 +14,7 @@ var ccsPattern = []byte{20, 3, 3, 0, 1, 1}
// TrojanAnalyzer uses length-based heuristics to detect Trojan traffic based on // TrojanAnalyzer uses length-based heuristics to detect Trojan traffic based on
// its "TLS-in-TLS" nature. The heuristics are trained using a decision tree with // its "TLS-in-TLS" nature. The heuristics are trained using a decision tree with
// about 2000 samples. This is highly experimental and is known to have significant // about 2000 samples. This is highly experimental and is known to have significant
// false positives (about 8% false positives & 2% false negatives). // false positives (about 9% false positives & 3% false negatives).
// We do NOT recommend directly blocking all positive connections, as this is likely // We do NOT recommend directly blocking all positive connections, as this is likely
// to break many normal TLS connections. // to break many normal TLS connections.
type TrojanAnalyzer struct{} type TrojanAnalyzer struct{}
@ -36,7 +36,7 @@ type trojanStream struct {
first bool first bool
count bool count bool
rev bool rev bool
seq [4]int seq [3]int
seqIndex int seqIndex int
} }
@ -69,16 +69,15 @@ func (s *trojanStream) Feed(rev, start, end bool, skip int, data []byte) (u *ana
if s.count { if s.count {
if rev == s.rev { if rev == s.rev {
// Same direction as last time, just update the number // Same direction as last time, just update the number
s.seq[s.seqIndex] = len(data) s.seq[s.seqIndex] += len(data)
} else { } else {
// Different direction, bump the index // Different direction, bump the index
s.seqIndex += 1 s.seqIndex += 1
if s.seqIndex == 4 { if s.seqIndex == 3 {
// Time to evaluate // Time to evaluate
yes := s.seq[0] >= 100 && yes := s.seq[0] >= 180 &&
s.seq[1] >= 88 && s.seq[1] <= 11000 &&
s.seq[2] >= 40 && s.seq[2] >= 40
s.seq[3] >= 51
return &analyzer.PropUpdate{ return &analyzer.PropUpdate{
Type: analyzer.PropUpdateReplace, Type: analyzer.PropUpdateReplace,
M: analyzer.PropMap{ M: analyzer.PropMap{
@ -87,7 +86,7 @@ func (s *trojanStream) Feed(rev, start, end bool, skip int, data []byte) (u *ana
}, },
}, true }, true
} }
s.seq[s.seqIndex] = len(data) s.seq[s.seqIndex] += len(data)
s.rev = rev s.rev = rev
} }
} }

View File

@ -251,7 +251,7 @@ Check https://github.com/XTLS/Trojan-killer for more information.
```json ```json
{ {
"trojan": { "trojan": {
"seq": [170, 282, 167, 470], "seq": [680, 4514, 293],
"yes": true "yes": true
} }
} }