Ja3 fingerprints

Hey everyone, I’m new to Suricata and need your help. I’m trying to add new custom rules from the SSLBL website, and I think that on this note everything is ok:

14/6/2022 -- 06:31:30 - <Config> - Loading rule file: /var/lib/suricata/rules/suricata.rules
14/6/2022 -- 06:31:31 - <Config> - Loading rule file: /etc/suricata/rules/ja3_fingerprints.rules
14/6/2022 -- 06:31:31 - <Config> - Loading rule file: /etc/suricata/rules/local.rules
14/6/2022 -- 06:31:31 - <Info> - 3 rule files processed. 26447 rules successfully loaded, 0 rules failed

local.rules is my test file, where I created only one rule:

alert tls any any -> any any (msg:"TESTING RULE";ja3.hash; content:"40adfd923eb82b89d8836ba37a19bca1";sid:1000001; rev:1;)

The reason I’m using this hash for testing is that when using packetbeat (from elastic), I see this ja3 fingerprint quite a lot.
The thing is that I can’t make Suricata trigger on this hash… and I don’t really know where else to look.
My suricata.yaml configuration considering tls and ja3 is:

    # under outputs: -> eve-log: -> types:
        - alert:
        - tls:
            extended: yes     # enable this for extended logging information
            # output TLS transaction where the session is resumed using a
            # session id
            #session-resumption: no
            # custom controls which TLS fields that are included in eve-log
            #custom: fingerprint, ja3, ja3s #[subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
            #custom: ja3, ja3s, fingerprint

    # under app-layer: -> protocols: -> tls:
          enabled: yes
          detection-ports:
            dp: 443

          # Generate JA3 fingerprint from client hello. If not specified it
          # will be disabled by default, but enabled if rules require it.
          ja3-fingerprints: yes

Don’t really know what else I could configure or change, or where to look. Thanks in advance for your help.

Can you confirm that you have Suricata running with the rule you wrote loaded, and that you see the ja3 hash in your tls log but no alerts?

Yes, correct, there’s no alert with my custom message or my sid. And there were events with that particular hash throughout the day. It might be I’m just missing something, I just don’t know what.

Sounds like it should be working. Taking your setup down to the bare minimum, getting it to work and then adding stuff sounds like a good way forward.

  • new default Suricata
  • local logging
  • only one rule in ruleset
  • alert on tls.sni first on some easy domain to test with, using curl or something
  • do a content match on ja3.hash based on what hash you see in logs
  • double check that you are not mixing ja3s and ja3 hashes

That really should work, and then you can port stuff to your existing setup and hopefully see where it breaks.
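A small helper for the last two bullets, added here as an example and not code from the thread or the Suricata project: it reads eve.json tls events (the sample lines below are constructed, reusing the hash from the question), counts which MD5s appear as client-side ja3 versus server-side ja3s, and emits a minimal rule using the keyword that actually matches where the hash was seen.

```python
import json
from collections import Counter

# Constructed sample eve.json lines (not real captures). Each tls event
# carries the client hello fingerprint under "ja3" and the server hello
# fingerprint under "ja3s"; the alert line shows that non-tls events
# carry no fingerprint data at all.
SAMPLE_EVE = """\
{"event_type":"tls","tls":{"sni":"example.org","ja3":{"hash":"40adfd923eb82b89d8836ba37a19bca1","string":"771,4865-4866,0-23,29-23,0"},"ja3s":{"hash":"eb1d94daa7e0344597e756a1fb6e7054","string":"771,4865,51"}}}
{"event_type":"tls","tls":{"sni":"example.net","ja3":{"hash":"40adfd923eb82b89d8836ba37a19bca1","string":"771,4865-4866,0-23,29-23,0"},"ja3s":{"hash":"f4febc55ea12b31ae17cfb7e614afda8","string":"771,4866,51"}}}
{"event_type":"alert","alert":{"signature_id":1000001}}
"""


def collect_fingerprints(eve_text):
    """Return (ja3_counter, ja3s_counter) built from eve.json tls events."""
    ja3, ja3s = Counter(), Counter()
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "tls":
            continue  # alerts, flows, etc. have no tls.ja3 / tls.ja3s
        tls = ev.get("tls", {})
        if tls.get("ja3", {}).get("hash"):
            ja3[tls["ja3"]["hash"]] += 1
        if tls.get("ja3s", {}).get("hash"):
            ja3s[tls["ja3s"]["hash"]] += 1
    return ja3, ja3s


def classify_hash(h, ja3, ja3s):
    """Which sticky buffer the hash belongs in, or None if never logged."""
    if h in ja3:
        return "ja3.hash"
    if h in ja3s:
        return "ja3s.hash"
    return None


def make_rule(h, keyword, sid):
    """Bare-minimum Suricata rule: sticky buffer plus content match on the MD5."""
    return (f'alert tls any any -> any any (msg:"JA3 test {h}"; '
            f'{keyword}; content:"{h}"; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    ja3, ja3s = collect_fingerprints(SAMPLE_EVE)
    for h, n in ja3.most_common():
        print(n, make_rule(h, classify_hash(h, ja3, ja3s), 1000001))
```

Point it at a real eve.json (after enabling the tls output) to see whether the hash in your rule is ever logged as ja3 at all, or only as ja3s.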

Thanks for the advice, will try that. One more question: should my own rules appear in /var/lib/suricata/rules/suricata.rules after running the suricata-update command?

Sure seems like it: Quick Start — suricata-update 1.3.0dev0 documentation