Hey everyone, I'm new to Suricata and need your help. I'm trying to add new custom rules from the SSLBL website, and going by this log output I think everything is ok:
```
14/6/2022 -- 06:31:30 - <Config> - Loading rule file: /var/lib/suricata/rules/suricata.rules
14/6/2022 -- 06:31:31 - <Config> - Loading rule file: /etc/suricata/rules/ja3_fingerprints.rules
14/6/2022 -- 06:31:31 - <Config> - Loading rule file: /etc/suricata/rules/local.rules
14/6/2022 -- 06:31:31 - <Info> - 3 rule files processed. 26447 rules successfully loaded, 0 rules failed
```
local.rules is my test file, where I created only one rule:

```
alert tls any any -> any any (msg:"TESTING RULE"; ja3.hash; content:"40adfd923eb82b89d8836ba37a19bca1"; sid:1000001; rev:1;)
```
The reason I'm using this hash for testing is that when using packetbeat (from Elastic), I see this ja3 fingerprint quite a lot.
The thing is that I can’t make Suricata trigger on this hash… and I don’t really know where else to look.
Relevant suricata.yaml configuration:

```yaml
...
      types:
        - alert:
        ...
        - tls:
            extended: yes     # enable this for extended logging information
            # output TLS transaction where the session is resumed using a
            # session id
            #session-resumption: no
            # custom controls which TLS fields that are included in eve-log
            #custom: fingerprint, ja3, ja3s
            #[subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
            #custom: ja3, ja3s, fingerprint
...
tls:
  enabled: yes
  detection-ports:
    dp: 443
  # Generate JA3 fingerprint from client hello. If not specified it
  # will be disabled by default, but enabled if rules require it.
  ja3-fingerprints: yes
```
I don't really know what else I could configure or change, or where to look. Thanks in advance for your help.
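Before changing the rule again, the two things worth checking are (a) that the hash taken from packetbeat is a JA3 hash computed the same way Suricata computes it (JA3 string with GREASE values dropped, then MD5), and (b) that Suricata itself ever logs that hash in a `tls` EVE record; if it never appears there, the rule cannot match and the problem is upstream of it. The script below is an added example written for this thread, not code from the original post or from the Suricata project. It assumes eve.json has the `tls` and `alert` event types enabled (as in the config above) and uses Suricata's EVE field layout (`tls.ja3.hash`, `alert.signature_id`); the sample log lines embedded in it are constructed, not real captures.

```python
"""Added example for this thread (not from the original post or from Suricata).

Two checks to run before touching the rule again:
  1. ja3_string()/ja3_hash(): compute a JA3 fingerprint from ClientHello
     fields the way the JA3 spec describes (GREASE values dropped), so a hash
     taken from another tool can be compared against what Suricata computes.
  2. scan_eve()/diagnose(): read eve.json lines and report whether Suricata
     logged the target ja3 hash in a tls record, and whether the sid fired.

Assumptions: eve.json has the `tls` and `alert` event types enabled and uses
Suricata's field layout (tls.ja3.hash, alert.signature_id). The sample log
lines at the bottom are constructed for this example.
"""
import hashlib
import json

TARGET_JA3 = "40adfd923eb82b89d8836ba37a19bca1"  # hash from the poster's rule
TARGET_SID = 1000001                              # sid from the poster's rule


def is_grease(value):
    """GREASE values are 0x0a0a, 0x1a1a, ..., 0xfafa: both bytes equal, low nibbles 0xa."""
    return (value & 0x0f0f) == 0x0a0a and (value >> 8) == (value & 0xff)


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Build the JA3 input: version,ciphers,extensions,curves,pointformats,
    each list joined with '-', GREASE values removed (empty list -> empty field)."""
    def join(values):
        return "-".join(str(v) for v in values if not is_grease(v))

    return ",".join([str(version), join(ciphers), join(extensions),
                     join(curves), join(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """JA3 fingerprint = MD5 of the JA3 string, as a lowercase hex digest."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode("ascii")).hexdigest()


def scan_eve(lines, target_ja3=TARGET_JA3, target_sid=TARGET_SID):
    """Scan eve.json lines. Returns (tls records carrying target_ja3,
    sorted dest ports those records used, alerts with target_sid)."""
    seen, ports, alerts = 0, set(), 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        etype = ev.get("event_type")
        if etype == "tls":
            if ev.get("tls", {}).get("ja3", {}).get("hash") == target_ja3:
                seen += 1
                ports.add(ev.get("dest_port"))
        elif etype == "alert":
            if ev.get("alert", {}).get("signature_id") == target_sid:
                alerts += 1
    return seen, sorted(p for p in ports if p is not None), alerts


def diagnose(lines, target_ja3=TARGET_JA3, target_sid=TARGET_SID):
    """Turn the counts into the next debugging step."""
    seen, ports, alerts = scan_eve(lines, target_ja3, target_sid)
    if seen == 0:
        return ("hash never logged in tls records: check ja3-fingerprints, "
                "tls eve logging, and that the traffic reaches the sensor")
    if alerts == 0:
        return (f"hash logged {seen}x on ports {ports} but sid {target_sid} "
                "never fired: check the rule and rule loading")
    return f"hash logged {seen}x, sid {target_sid} fired {alerts}x: detection works"


# Constructed sample lines (not real captures) showing both event types.
SAMPLE_EVE = """
{"timestamp":"2022-06-14T06:40:01.000000+0000","event_type":"tls","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","tls":{"sni":"example.com","version":"TLS 1.2","ja3":{"hash":"40adfd923eb82b89d8836ba37a19bca1"}}}
{"timestamp":"2022-06-14T06:40:02.000000+0000","event_type":"tls","src_ip":"10.0.0.6","src_port":51300,"dest_ip":"203.0.113.11","dest_port":8443,"proto":"TCP","tls":{"sni":"other.example","version":"TLS 1.3","ja3":{"hash":"00000000000000000000000000000000"}}}
{"timestamp":"2022-06-14T06:40:03.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"TESTING RULE"}}
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # e.g. python ja3_check.py /var/log/suricata/eve.json
        with open(sys.argv[1]) as f:
            lines = f.readlines()
    else:
        lines = SAMPLE_EVE.splitlines()
    print(diagnose(lines))
```

Run it against the real eve.json to see which of the three cases applies. If the hash is only ever seen on ports other than 443, that is worth noting alongside the `detection-ports` setting; if it is never seen at all, the rule is not the place to look.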