Hello, I am working to write effective rules that will fire on TLS Server/Client Hello pairings. I am generating my own traffic based on various exploitation frameworks. Is there a way to output the JA3/JA3S hashes that are identified when running Suricata against a PCAP file, so that I can write rules to pivot off of them?
Suricata Version: 6.0.3
Architecture: Kali Linux (Debian)
I can attach my config and a pcap (if needed).
syoc
February 7, 2022, 9:40am
Yes. Enable the tls logging and ja3 parsing in the config.
This should probably be yes

```yaml
# (under app-layer: -> protocols: in suricata.yaml)
    ike:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: 443

      # Generate JA3 fingerprint from client hello. If not specified it
      # will be disabled by default, but enabled if rules require it.
      #ja3-fingerprints: auto

      # What to do when the encrypted communications start:
      # - default: keep tracking TLS session, check for protocol anomalies,
      #   inspect tls_* keywords. Disables inspection of unmodified
      #   'content' signatures.
      # - bypass: stop processing this flow as much as possible. No further
      #   TLS parsing and inspection. Offload flow bypass to kernel
      #   or hardware if possible.
      # - full: keep tracking and inspection as normal. Unmodified content
      #   keyword signatures are inspected as well.
```
The TLS logger needs to be enabled
```yaml
# (under outputs: -> - eve-log: -> types: in suricata.yaml)
            # Format of answer logging:
            # - detailed: array item per answer
            # - grouped: answers aggregated by type
            # Default: all
            #formats: [detailed, grouped]

            # DNS record types to log, based on the query type.
            # Default: all.
            #types: [a, aaaa, cname, mx, ns, ptr, txt]
        - tls:
            extended: yes     # enable this for extended logging information
            # output TLS transaction where the session is resumed using a
            # session id
            #session-resumption: no
            # custom controls which TLS fields that are included in eve-log
            #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
        - files:
            force-magic: no   # force logging magic on all logged files
            # force logging of checksums, available hash functions are md5,
            # sha1 and sha256
```
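Once both settings above are in place, every full TLS handshake shows up as an `event_type: tls` record in eve.json with `ja3.hash` and `ja3s.hash` fields. The script below is an added example (not part of this thread or of Suricata itself) that reads such records, counts the distinct client and server hashes, and turns each one into a Suricata rule using the `ja3.hash` / `ja3s.hash` sticky buffers. The eve lines and the 32-hex hashes in it are constructed placeholders, and the 9000000 sid range is an arbitrary local choice.

```python
import json
from collections import Counter

# Constructed eve.json records for this example (not from the thread);
# the hashes are placeholders, not real fingerprints.
SAMPLE_EVE = """\
{"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","dest_port":443,"tls":{"sni":"a.test","ja3":{"hash":"00000000000000000000000000000001","string":"771,4865-4866,0-23,29,0"},"ja3s":{"hash":"000000000000000000000000000000aa","string":"771,4865,43"}}}
{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","flow":{"state":"closed"}}
{"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"10.0.0.10","dest_port":443,"tls":{"sni":"b.test","ja3":{"hash":"00000000000000000000000000000001","string":"771,4865-4866,0-23,29,0"},"ja3s":{"hash":"000000000000000000000000000000bb","string":"771,4866,43"}}}
{"event_type":"tls","src_ip":"10.0.0.6","dest_ip":"10.0.0.9","dest_port":443,"tls":{"version":"TLS 1.2","session_resumed":true}}
"""

def collect_fingerprints(eve_text):
    """Count JA3 (client) and JA3S (server) hashes from eve tls records.

    Records without a ja3 object are skipped: that is what you see when
    ja3-fingerprints is off, or for resumed sessions with no full handshake."""
    ja3, ja3s = Counter(), Counter()
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial line, e.g. eve.json still being written
        if ev.get("event_type") != "tls":
            continue
        tls = ev.get("tls", {})
        if "hash" in tls.get("ja3", {}):
            ja3[tls["ja3"]["hash"]] += 1
        if "hash" in tls.get("ja3s", {}):
            ja3s[tls["ja3s"]["hash"]] += 1
    return ja3, ja3s

def build_rules(ja3, ja3s, base_sid=9000000):
    """One rule per hash via Suricata's ja3.hash / ja3s.hash sticky buffers.
    Client and server hashes get separate rules because each buffer is
    inspected in one direction only (client hello vs. server hello)."""
    rules, sid = [], base_sid
    for h, n in sorted(ja3.items()):
        rules.append(f'alert tls any any -> any any (msg:"LOCAL JA3 client hash seen {n}x"; '
                     f'flow:established,to_server; ja3.hash; content:"{h}"; sid:{sid}; rev:1;)')
        sid += 1
    for h, n in sorted(ja3s.items()):
        rules.append(f'alert tls any any -> any any (msg:"LOCAL JA3S server hash seen {n}x"; '
                     f'flow:established,to_client; ja3s.hash; content:"{h}"; sid:{sid}; rev:1;)')
        sid += 1
    return rules

if __name__ == "__main__":
    client, server = collect_fingerprints(SAMPLE_EVE)
    print("\n".join(build_rules(client, server)))
```

On a real sensor, pass the contents of eve.json (or `jq -c 'select(.event_type=="tls")'` output) to `collect_fingerprints` and review the counts before promoting any hash to a rule, since common client stacks share JA3 values.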
Thank you. I have configured suricata.yaml to reflect these changes. I assume that this will be output in eve-log? Thank you again for your help.
syoc
February 8, 2022, 9:09am
Depends on how you have configured your logging, but barring any major changes, then yes, it should be in eve.json. Try it out.
I got everything to work perfectly. We have a sensor in a honeypot environment, and will be writing detections based on the hashes we find there. Thank you for all of your help!