mirror of
https://github.com/apernet/OpenGFW.git
synced 2024-11-14 22:39:26 +08:00
Merge pull request #107 from apernet/fix-trojan
fix: trojan analyzer heuristics
This commit is contained in:
commit
e1d9406fdb
@ -14,7 +14,7 @@ var ccsPattern = []byte{20, 3, 3, 0, 1, 1}
|
|||||||
// TrojanAnalyzer uses length-based heuristics to detect Trojan traffic based on
|
// TrojanAnalyzer uses length-based heuristics to detect Trojan traffic based on
|
||||||
// its "TLS-in-TLS" nature. The heuristics are trained using a decision tree with
|
// its "TLS-in-TLS" nature. The heuristics are trained using a decision tree with
|
||||||
// about 2000 samples. This is highly experimental and is known to have significant
|
// about 2000 samples. This is highly experimental and is known to have significant
|
||||||
// false positives (about 8% false positives & 2% false negatives).
|
// false positives (about 9% false positives & 3% false negatives).
|
||||||
// We do NOT recommend directly blocking all positive connections, as this is likely
|
// We do NOT recommend directly blocking all positive connections, as this is likely
|
||||||
// to break many normal TLS connections.
|
// to break many normal TLS connections.
|
||||||
type TrojanAnalyzer struct{}
|
type TrojanAnalyzer struct{}
|
||||||
@ -36,7 +36,7 @@ type trojanStream struct {
|
|||||||
first bool
|
first bool
|
||||||
count bool
|
count bool
|
||||||
rev bool
|
rev bool
|
||||||
seq [4]int
|
seq [3]int
|
||||||
seqIndex int
|
seqIndex int
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -69,16 +69,15 @@ func (s *trojanStream) Feed(rev, start, end bool, skip int, data []byte) (u *ana
|
|||||||
if s.count {
|
if s.count {
|
||||||
if rev == s.rev {
|
if rev == s.rev {
|
||||||
// Same direction as last time, just update the number
|
// Same direction as last time, just update the number
|
||||||
s.seq[s.seqIndex] = len(data)
|
s.seq[s.seqIndex] += len(data)
|
||||||
} else {
|
} else {
|
||||||
// Different direction, bump the index
|
// Different direction, bump the index
|
||||||
s.seqIndex += 1
|
s.seqIndex += 1
|
||||||
if s.seqIndex == 4 {
|
if s.seqIndex == 3 {
|
||||||
// Time to evaluate
|
// Time to evaluate
|
||||||
yes := s.seq[0] >= 100 &&
|
yes := s.seq[0] >= 180 &&
|
||||||
s.seq[1] >= 88 &&
|
s.seq[1] <= 11000 &&
|
||||||
s.seq[2] >= 40 &&
|
s.seq[2] >= 40
|
||||||
s.seq[3] >= 51
|
|
||||||
return &analyzer.PropUpdate{
|
return &analyzer.PropUpdate{
|
||||||
Type: analyzer.PropUpdateReplace,
|
Type: analyzer.PropUpdateReplace,
|
||||||
M: analyzer.PropMap{
|
M: analyzer.PropMap{
|
||||||
@ -87,7 +86,7 @@ func (s *trojanStream) Feed(rev, start, end bool, skip int, data []byte) (u *ana
|
|||||||
},
|
},
|
||||||
}, true
|
}, true
|
||||||
}
|
}
|
||||||
s.seq[s.seqIndex] = len(data)
|
s.seq[s.seqIndex] += len(data)
|
||||||
s.rev = rev
|
s.rev = rev
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -251,7 +251,7 @@ Check https://github.com/XTLS/Trojan-killer for more information.
|
|||||||
```json
|
```json
|
||||||
{
|
{
|
||||||
"trojan": {
|
"trojan": {
|
||||||
"seq": [170, 282, 167, 470],
|
"seq": [680, 4514, 293],
|
||||||
"yes": true
|
"yes": true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user