I am having a problem with Suricata as it does not seem to be reporting the correct JA3 hashes. I am comparing them to the ones I have in Wireshark and the ones in Wireshark are correct. I have JA3 enabled in the yaml config file so I’m unsure why I am getting inaccurate hashes. I feel like I have tried a lot of different things - different OS, changing the encryption handling setting etc.
I was wondering if you could help me with this please as my dissertation is based on investigations using Suricata and JA3. Thanks so much!
can you provide us with more details about your setup? Suricata version, OS, config file, setup architecture etc.
Do you have pcaps that you run for testing?
We need more details first before we can help you.
I believe my version of Suricata is the latest, the OS I am using is Windows, the config file is attached to this comment if you would like to have a look! What do you mean by setup architecture? I am very new to IDS so please bare with me!
Also, I do not have any pcaps just because I wanted to test Suricata using my standard browser first (i.e chrome, edge etc) and then I would move onto the pcaps potentially.
just a quick add: if you want to make sure about Suricata’s version, you can run suricata -V.
As for setup architecture I belive this is about how Suricata is interacting with your network traffic, but it’s better that someone more experienced answer that…
