Anyone had any issues with implementing JA3 hashes into Dataset? I downloaded https://sslbl.abuse.ch/blacklist/ja3_fingerprints.csv and extracted all of the hashes into a file and added the dataset keyword to a signature. I made sure the hashes from the pcap I was using were included in the dataset and JA3 was enabled in the config. I’ve used datasets before but for some reason I can’t get the JA3 dataset to work.
If I set the dataset to isnotset then I get alerts but nothing for isset.
alert tls any any -> any any (msg:"JA3 Dataset"; ja3_hash; dataset:isset,abuse,type md5,load /home/ops/ja3.dataset; sid:2020232323; rev:1;)
I used the signature below to verify that ja3_hash was working, which worked just fine.
alert tls any any -> any any (msg:"SSLBL: Malicious JA3 SSL-Client Fingerprint detected"; ja3_hash; content:"72a589da586844d7f0818ce684948eea"; reference:url, sslbl.abuse.ch/ja3-fingerprints/9f62c4f26b90d3d757bea609e82f2eaf/; sid:906200000; rev:1;)
Suricata version 5.0.3
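Added illustration, not the poster's code and not part of Suricata: a dataset lookup depends on the declared type. For type md5 Suricata md5-hashes the bytes in the sticky buffer and looks up that digest, so a buffer that already holds a hex md5 string (as ja3_hash does) yields a different digest than the hex string itself; for type string the buffer bytes are looked up as-is and the file entries are base64 encoded. The script assumes the abuse.ch CSV layout of comment header lines followed by rows with the JA3 md5 in the first column; the sample rows are constructed.

```python
import base64
import csv
import hashlib
import io

# Constructed sample in the assumed layout of sslbl.abuse.ch ja3_fingerprints.csv:
# '#' comment lines, then ja3_md5,FirstSeen,LastSeen,ListingReason.
SAMPLE_CSV = """\
# ja3_md5,FirstSeen,LastSeen,ListingReason
72a589da586844d7f0818ce684948eea,2020-01-01 00:00:00,2020-06-01 00:00:00,Sample listing
9f62c4f26b90d3d757bea609e82f2eaf,2020-02-01 00:00:00,2020-06-01 00:00:00,Sample listing
"""

HEX_DIGITS = set("0123456789abcdef")


def parse_sslbl_ja3(text):
    """Return the JA3 md5 hex strings from the CSV, skipping comments and blank lines."""
    hashes = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        h = row[0].strip().lower()
        if len(h) == 32 and set(h) <= HEX_DIGITS:
            hashes.append(h)
    return hashes


def to_string_dataset(hashes):
    """Lines for a 'type string' dataset: each entry base64 encoded, one per line."""
    return [base64.b64encode(h.encode("ascii")).decode("ascii") for h in hashes]


def decode_string_entry(line):
    """Reverse of to_string_dataset, for checking what a line will match."""
    return base64.b64decode(line).decode("ascii")


def md5_lookup_key(buffer_bytes):
    """Digest a 'type md5' dataset looks up: md5 of the raw buffer contents, as hex."""
    return hashlib.md5(buffer_bytes).hexdigest()


if __name__ == "__main__":
    hashes = parse_sslbl_ja3(SAMPLE_CSV)
    for line in to_string_dataset(hashes):
        print(line)
    # The md5 of the hex string differs from the hex string itself, so a
    # 'type md5' dataset filled with the JA3 hashes will not match ja3_hash.
    print(md5_lookup_key(hashes[0].encode("ascii")), "!=", hashes[0])
```

Write the printed base64 lines to the file named in the dataset keyword and declare it as type string; with type md5 the file would have to contain md5_lookup_key() of each hex string instead.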