Seem to be getting wrong hashes for JA3

Hi there,

I am having a problem with Suricata as it does not seem to be reporting the correct JA3 hashes. I am comparing them to the ones I have in Wireshark and the ones in Wireshark are correct. I have JA3 enabled in the yaml config file so I’m unsure why I am getting inaccurate hashes. I feel like I have tried a lot of different things - different OS, changing the encryption handling setting etc.

I was wondering if you could help me with this please as my dissertation is based on investigations using Suricata and JA3. Thanks so much!

Kind Regards,
Ellie O’Hanlon


can you provide us with more details about your setup? Suricata version, OS, config file, setup architecture etc.
Do you have pcaps that you run for testing?

We need more details first before we can help you.

Hi Andreas, suricata.yaml (73.1 KB)

Many thanks for getting back to me so fast!

I believe my version of Suricata is the latest, the OS I am using is Windows, the config file is attached to this comment if you would like to have a look! What do you mean by setup architecture? I am very new to IDS so please bare with me!

Also, I do not have any pcaps just because I wanted to test Suricata using my standard browser first (i.e chrome, edge etc) and then I would move onto the pcaps potentially.

Thanks so much again,

Hi Ellie!

just a quick add: if you want to make sure about Suricata’s version, you can run suricata -V.
As for setup architecture I belive this is about how Suricata is interacting with your network traffic, but it’s better that someone more experienced answer that…

Thank you for that! I’ve just checked my version of Suricata using that command and it is 6.0.2!

1 Like

How do you start and run Suricata?

Please see the image as to how I start and run Suricata as this is the command I have been using