Ja3 fingerprints

g33k · June 14, 2022, 7:25am

Hey everyone, I’m new on Suricata and need your help. I’m trying to add new custom rules from SSLBL website and I think that on this note everything is ok:

14/6/2022 -- 06:31:30 - <Config> - Loading rule file: /var/lib/suricata/rules/suricata.rules
14/6/2022 -- 06:31:31 - <Config> - Loading rule file: /etc/suricata/rules/ja3_fingerprints.rules
14/6/2022 -- 06:31:31 - <Config> - Loading rule file: /etc/suricata/rules/local.rules
14/6/2022 -- 06:31:31 - <Info> - 3 rule files processed. 26447 rules successfully loaded, 0 rules failed

local.rules are my test file where I created only one rule:

alert tls any any -> any any (msg:"TESTING RULE";ja3.hash; content:"40adfd923eb82b89d8836ba37a19bca1";sid:1000001; rev:1;)

Now I’m using this hash for testing is because when using packetbeat (from elastic), I do see this ja3 fingerprint quite a lot.
The thing is that I can’t make Suricata trigger on this hash… and I don’t really know where else to look.
My suricata.yaml configuration considering tls and ja3 is:

...
      types:
        - alert:   
...
               - tls:
            extended: yes     # enable this for extended logging information
            # output TLS transaction where the session is resumed using a
            # session id
            #session-resumption: no
            # custom controls which TLS fields that are included in eve-log
            #custom: fingerprint, ja3, ja3s #[subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
            #custom: ja3, ja3s, fingerprint
...
 tls:
      enabled: yes
      detection-ports:
        dp: 443

      # Generate JA3 fingerprint from client hello. If not specified it
      # will be disabled by default, but enabled if rules require it.
      ja3-fingerprints: yes

Don’t really know what else I could config or change and where to look. Thanks in advance for your help

syoc · June 14, 2022, 12:38pm

Can confirm that you have Suricata running with the rule you wrote loaded and that you see the ja3 hash in your tls log but no alerts?

g33k · June 14, 2022, 12:48pm

Yes, correct, theres no alert with my custom message or my sid. And there were events with that particular hash through the day. It might be I’m just missing something, I just don’t know what

syoc · June 14, 2022, 12:55pm

Sounds like it should be working. Taking your setup down to the bare minimum, getting it to work and then adding stuff sounds like a good way forward.

new default Suricata
local logging
only one rule in ruleset
alert on tls.sni first on some easy domain to test with using curl or something
do a content match on ja3.hash based on what hash you see in logs
double check that you are not mixing ja3s and ja3 hashes

That really should work, and then you can port stuff to your existing setup and hopefully see where it breaks.

g33k · June 15, 2022, 6:26am

Thanks for advice, will try that. One more question - should my own rules appear in /var/lib/suricata/rules/suricata.rules after suricata-update command?

syoc · June 22, 2022, 2:03pm

Sure seems like it Quick Start — suricata-update 1.3.0dev0 documentation

Topic		Replies	Views
Suricata-update add custom source Help suricata-update , suricata	8	719	August 10, 2023
Suricata-Update and custom signature sets Rules	7	1976	July 2, 2020
Running Suricata default in Windows Rules	3	428	May 24, 2023
Suricata dont take into account my local.rules Help	11	1394	February 10, 2022
Cannot load my own rule Rules suricata	2	368	October 15, 2022

Ja3 fingerprints

Related Topics