Added counting of observed TLS common names

Dr. Brandon Wiley · Dr. Brandon Wiley · commit 9c64461fef1d · 2018-03-23T12:32:42.000-05:00
diff --git a/AdversaryLabSwift/Features/Entropy.swift b/AdversaryLabSwift/Features/Entropy.swift
@@ -41,7 +41,6 @@ func processEntropy(forConnection connection: ObservedConnection) -> (processsed
 
 func calculateEntropy(for packet: Data) -> Double
 {
-    NSLog("Entropy for \(packet as NSData)")
     let probabilities: [Double] = calculateProbabilities(for: packet)
     var entropy: Double = 0
     
diff --git a/AdversaryLabSwift/Features/Protocols/TLS12.swift b/AdversaryLabSwift/Features/Protocols/TLS12.swift
@@ -42,16 +42,14 @@ func isTls12(forConnection connection: ObservedConnection) -> Bool
         NSLog("TLS response not found \(outPacket as! NSData)")
         return false
     }
-    
-    NSLog("Found TLS: \(requestRange) \(responseRange) \(outPacket.count)")
-    
+        
     return true
 }
 
 func processTls12(_ connection: ObservedConnection) {
-    NSLog("Processing TLS")
     let outPacketHash: RMap<String, Data> = RMap(key: connection.outgoingKey)
-    
+    let tlsCommonNameSet: RSortedSet<String> = RSortedSet(key: connection.outgoingTlsCommonNameKey)
+
     // Get the out packet that corresponds with this connection ID
     guard let outPacket: Data = outPacketHash[connection.connectionID]
         else
@@ -62,7 +60,7 @@ func processTls12(_ connection: ObservedConnection) {
     
     let maybeBegin = findCommonNameStart(outPacket)
     guard let begin = maybeBegin else {
-        NSLog("No common name beginning found \(outPacket as! NSData)")
+        NSLog("No common name beginning found")
         NSLog("\(connection.outgoingKey) \(connection.connectionID) \(outPacket.count)")
         return
     }
@@ -73,9 +71,11 @@ func processTls12(_ connection: ObservedConnection) {
         return
     }
     
-    let commonData = extract(outPacket, begin+commonNameStart.count, end)
+    let commonData = extract(outPacket, begin+commonNameStart.count, end-1)
     let commonName = commonData.string
-    NSLog("Found TLS 1.2 common name: \(commonName)")
+    NSLog("Found TLS 1.2 common name: \(commonName) \(commonName.count) \(begin) \(end)")
+    
+    let _ = tlsCommonNameSet.incrementScore(ofField: commonName, byIncrement: 1)
 }
 
 private func findCommonNameStart(_ outPacket: Data) -> Int? {
@@ -84,7 +84,12 @@ private func findCommonNameStart(_ outPacket: Data) -> Int? {
         return nil
     }
     
-    return range.lowerBound
+    let maybeNextRange = outPacket.range(of: commonNameStart, options: [], in: range.upperBound..<outPacket.count)
+    guard let nextRange = maybeNextRange else {
+        return nil
+    }
+    
+    return nextRange.lowerBound
 }
 
 private func findCommonNameEnd(_ outPacket: Data, _ begin: Int) -> Int? {
diff --git a/AdversaryLabSwift/Helpers/Constants.swift b/AdversaryLabSwift/Helpers/Constants.swift
@@ -82,6 +82,9 @@ let blockedConnectionsTimeDiffBinsKey = "Blocked:Connections:TimeDifferenceBins"
 let requiredTimeDiffKey = "Required:TimeDifference"
 let forbiddenTimeDiffKey = "Forbidden:TimeDifference"
 
+let allowedTlsCommonNameKey = "Allowed:Outgoing:TLS:CommonName"
+let blockedTlsCommonNameKey = "Blocked:Outgoing:TLS:CommonName"
+
 ///
 let newConnectionMessage = "NewConnectionAdded"
 
diff --git a/AdversaryLabSwift/Models/ObservedConnections.swift b/AdversaryLabSwift/Models/ObservedConnections.swift
@@ -26,6 +26,7 @@ struct ObservedConnection
     let outgoingFloatingSequencesKey: String
     let incomingEntropyKey: String
     let outgoingEntropyKey: String
+    let outgoingTlsCommonNameKey: String
     
     let connectionID: String
     
@@ -52,6 +53,7 @@ struct ObservedConnection
                 outgoingFloatingSequencesKey = allowedOutgoingFloatingSequencesKey
                 incomingEntropyKey = allowedIncomingEntropyKey
                 outgoingEntropyKey = allowedOutgoingEntropyKey
+                outgoingTlsCommonNameKey = allowedTlsCommonNameKey
             case .blocked:
                 connectionsKey = blockedConnectionsKey
                 incomingKey = blockedIncomingKey
@@ -69,6 +71,7 @@ struct ObservedConnection
                 outgoingFloatingSequencesKey = blockedOutgoingFloatingSequencesKey
                 incomingEntropyKey = blockedIncomingEntropyKey
                 outgoingEntropyKey = blockedOutgoingEntropyKey
+                outgoingTlsCommonNameKey = blockedTlsCommonNameKey
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,6 @@ func processEntropy(forConnection connection: ObservedConnection) -> (processsed`
`41`	`41`
`42`	`42`	`func calculateEntropy(for packet: Data) -> Double`
`43`	`43`	`{`
`44`		`- NSLog("Entropy for \(packet as NSData)")`
`45`	`44`	`let probabilities: [Double] = calculateProbabilities(for: packet)`
`46`	`45`	`var entropy: Double = 0`
`47`	`46`