JA3 integration

I want to utilize the JA3 integration of Suricata and I changed app-layer.protocols.tls.ja3-fingerprints to yes in suricata.yaml, but that doesn't seem to work. The required rules are already available in all.rules.
Is there any additional config needed? Using it for the first time.
Thanks in advance!

Update:

  1. Using this script I exported the JA3 digest.
  2. Verified the rule file; the default rule is available with the JA3 hash value (exact same hash as the point 1 output).
  3. Replayed the same traffic, but the alert is not getting triggered. Nothing helpful in the log file. Please suggest.

Hi. Can you share a rule and a pcap or a rule and the tls eve json event for the request that should have triggered?

Thanks for the reply.
Rule:
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Meterpreter Reverse Shell M2 (set)"; flow:established,to_server; ja3.hash; content:"72a589da586844d7f0818ce684948eea"; flowbits:set,ET.meterpreter.ja3; flowbits:noalert; classtype:command-and-control; sid:2028830; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Meterpreter, signature_severity Major, updated_at 2019_10_15;)

"ja3_digest": "72a589da586844d7f0818ce684948eea"

Run meterpreter reverse_https shell to get same traffic.

Update: I tried a different rule with JA3 hash 67f762b0ffe3aad00dfdb0e4b1acd8b5, namely alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Dridex"; ja3_hash; content:"67f762b0ffe3aad00dfdb0e4b1acd8b5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028365; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;) and that is working perfectly fine. I don't know what's wrong with the rule in my last comment.

Solved! It was a parsing issue.

1 Like
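A rule that carries flowbits:noalert, like the first one posted in this thread, never raises an alert on its own; it only sets a flowbit for a companion rule to check. The added Python below (not from the thread or from the Suricata project) parses both posted rules, handles both the ja3.hash and the legacy ja3_hash sticky-buffer spelling, and reports which rule can actually alert for an observed ja3_digest; the rule copies are constructed from the thread with their metadata options trimmed.

```python
import re

# Constructed copies of the two rules posted in the thread (metadata option trimmed).
RULE_SET = ('alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Meterpreter'
            ' Reverse Shell M2 (set)"; flow:established,to_server; ja3.hash;'
            ' content:"72a589da586844d7f0818ce684948eea"; flowbits:set,ET.meterpreter.ja3;'
            ' flowbits:noalert; classtype:command-and-control; sid:2028830; rev:2;)')
RULE_DRIDEX = ('alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware'
               ' - Dridex"; ja3_hash; content:"67f762b0ffe3aad00dfdb0e4b1acd8b5";'
               ' classtype:unknown; sid:2028365; rev:2;)')

JA3_BUFFERS = {"ja3.hash", "ja3_hash"}  # current sticky-buffer name and the legacy spelling


def parse_rule(rule):
    """Return (header words, [(keyword, value), ...]) for one single-line Suricata rule."""
    head, _, body = rule.partition("(")
    body = body.strip().rstrip(")")
    opts = []
    # Split on ';' while keeping quoted strings (msg, content) intact.
    for raw in re.findall(r'(?:[^;"]|"[^"]*")+', body):
        raw = raw.strip()
        if raw:
            key, _, val = raw.partition(":")
            opts.append((key.strip(), val.strip().strip('"')))
    return head.split(), opts


def inspect_rule(rule):
    """Summarise what the rule needs in order to fire: JA3 hashes, flowbits set, noalert."""
    head, opts = parse_rule(rule)
    info = {"sid": None, "proto": head[1], "ja3": [], "sets": [], "noalert": False}
    buf = None
    for key, val in opts:
        if key in JA3_BUFFERS:
            buf = "ja3"  # every following content keyword matches against the JA3 digest
        elif key == "content" and buf == "ja3":
            info["ja3"].append(val.lower())
        elif key == "flowbits":
            action, _, name = val.partition(",")
            if action == "noalert":
                info["noalert"] = True  # rule may match but will never produce an alert
            elif action == "set":
                info["sets"].append(name)
        elif key == "sid":
            info["sid"] = int(val)
    return info


def would_alert(rule, observed_digest):
    """True only if the rule matches the observed ja3_digest AND is allowed to alert."""
    info = inspect_rule(rule)
    matched = info["proto"] == "tls" and observed_digest.lower() in info["ja3"]
    return matched and not info["noalert"]
```

For the Meterpreter "(set)" rule, would_alert returns False even with the matching digest, so an alert is expected only from the companion rule that checks the ET.meterpreter.ja3 flowbit.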