Ja3 fingerprints

g33k · June 14, 2022, 7:25am

Hey everyone, I’m new on Suricata and need your help. I’m trying to add new custom rules from SSLBL website and I think that on this note everything is ok:

14/6/2022 -- 06:31:30 - <Config> - Loading rule file: /var/lib/suricata/rules/suricata.rules
14/6/2022 -- 06:31:31 - <Config> - Loading rule file: /etc/suricata/rules/ja3_fingerprints.rules
14/6/2022 -- 06:31:31 - <Config> - Loading rule file: /etc/suricata/rules/local.rules
14/6/2022 -- 06:31:31 - <Info> - 3 rule files processed. 26447 rules successfully loaded, 0 rules failed

local.rules are my test file where I created only one rule:

alert tls any any -> any any (msg:"TESTING RULE";ja3.hash; content:"40adfd923eb82b89d8836ba37a19bca1";sid:1000001; rev:1;)

Now I’m using this hash for testing is because when using packetbeat (from elastic), I do see this ja3 fingerprint quite a lot.
The thing is that I can’t make Suricata trigger on this hash… and I don’t really know where else to look.
My suricata.yaml configuration considering tls and ja3 is:

...
      types:
        - alert:   
...
               - tls:
            extended: yes     # enable this for extended logging information
            # output TLS transaction where the session is resumed using a
            # session id
            #session-resumption: no
            # custom controls which TLS fields that are included in eve-log
            #custom: fingerprint, ja3, ja3s #[subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
            #custom: ja3, ja3s, fingerprint
...
 tls:
      enabled: yes
      detection-ports:
        dp: 443

      # Generate JA3 fingerprint from client hello. If not specified it
      # will be disabled by default, but enabled if rules require it.
      ja3-fingerprints: yes

Don’t really know what else I could config or change and where to look. Thanks in advance for your help

syoc · June 14, 2022, 12:38pm

Can confirm that you have Suricata running with the rule you wrote loaded and that you see the ja3 hash in your tls log but no alerts?

g33k · June 14, 2022, 12:48pm

Yes, correct, theres no alert with my custom message or my sid. And there were events with that particular hash through the day. It might be I’m just missing something, I just don’t know what

syoc · June 14, 2022, 12:55pm

Sounds like it should be working. Taking your setup down to the bare minimum, getting it to work and then adding stuff sounds like a good way forward.

new default Suricata
local logging
only one rule in ruleset
alert on tls.sni first on some easy domain to test with using curl or something
do a content match on ja3.hash based on what hash you see in logs
double check that you are not mixing ja3s and ja3 hashes

That really should work, and then you can port stuff to your existing setup and hopefully see where it breaks.

g33k · June 15, 2022, 6:26am

Thanks for advice, will try that. One more question - should my own rules appear in /var/lib/suricata/rules/suricata.rules after suricata-update command?

syoc · June 22, 2022, 2:03pm

Sure seems like it Quick Start — suricata-update 1.3.0dev0 documentation

Topic		Replies	Views
JA3 integration Help rules	5	924	December 17, 2021
Suricaa doesn't capture JA3 hashes of TLS packets Help rules , suricata	1	247	February 28, 2024
How does one output all JA3/JA3S Hashes calculated by Suricata from a PCAP file Help	4	1195	February 8, 2022
Seem to be getting wrong hashes for JA3 Help	6	529	April 20, 2021
JA3 hashes not matching TLSv1.3 Help rules , suricata	11	309	April 18, 2024

Ja3 fingerprints

Related topics