Suricata doesn't capture JA3 hashes of TLS packets

Hi,
When intercepting a TLS session with another device, Suricata does not signal that it has found a match on the JA3 hash, although a rule with this hash is set in the local.rules file. Other rules from this file are read and detected correctly (excluding the JA3 rules), and Suricata also detects JA3 hashes in other TLS sessions.
EVE log for a correct session:

{"timestamp":"2024-02-15T09:30:31.735779-0500","flow_id":2058437392131029,"in_iface":"eth0","event_type":"tls","src_ip":"172.18.6.40","src_port":54446,"dest_ip":"216.239.32.116","dest_port":443,"proto":"TCP","pkt_src":"wire/pcap","community_id":"1:P62/OVNMcRfWkV2y6uMdZ9DH79Y=","tls":{"sni":"beacons4.gvt2.com","version":"TLS 1.3","ja3":{"hash":"7c822e5e821268e8bd01b70e9cad0b85","string":"771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53-255,0-11-10-35-5-16-18-23-13-43-45-51-21,29-23-24,0-1-2"},"ja3s":{"hash":"eb1d94daa7e0344597e756a1fb6e7054","string":"771,4865,51-43"}}}

TCP session from which the TLS session is then initialized. In this session I try to connect over gsocket.

{"timestamp":"2024-02-15T08:12:21.752292-0500","flow_id":76796578624630,"in_iface":"eth0","event_type":"flow","src_ip":"172.18.6.125","src_port":48278,"dest_ip":"172.18.6.124","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":74,"bytes_toclient":54,"start":"2024-02-15T08:11:20.869848-0500","end":"2024-02-15T08:11:20.869904-0500","age":0,"state":"closed","reason":"timeout","alerted":false},"community_id":"1:iPWn8H3ASYP8PFHRG5InZZyjXxQ=","tcp":{"tcp_flags":"16","tcp_flags_ts":"12","tcp_flags_tc":"14","syn":true,"rst":true,"ack":true,"state":"closed","ts_max_regions":1,"tc_max_regions":1}}

In Wireshark we can see the JA hashes of the packets.

In the config file, ja3-fingerprint is enabled.

Rules that should be triggered:

  • Suricata version: 7.0.2
  • Kali Linux
  • Suricata installed from package
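
One way to check, per flow, whether Suricata logged a TLS handshake with a JA3 hash (an added example, not part of the original post or of Suricata): it groups EVE records by `flow_id` and lists port-443 flows with no JA3 hash, together with the packet counts and TCP flags from their flow record. The sample input is constructed from trimmed copies of the two records quoted above, and the function names are made up for this example.

```python
import json

# Constructed sample: trimmed copies of the two EVE records quoted in the post.
SAMPLE_EVE = """\
{"flow_id":2058437392131029,"event_type":"tls","src_ip":"172.18.6.40","dest_ip":"216.239.32.116","dest_port":443,"tls":{"version":"TLS 1.3","ja3":{"hash":"7c822e5e821268e8bd01b70e9cad0b85"}}}
{"flow_id":76796578624630,"event_type":"flow","src_ip":"172.18.6.125","dest_ip":"172.18.6.124","dest_port":443,"flow":{"pkts_toserver":1,"pkts_toclient":1,"state":"closed"},"tcp":{"syn":true,"rst":true,"ack":true}}
"""

TCP_FLAG_KEYS = ("syn", "fin", "rst", "psh", "ack")


def triage(eve_text, port=443):
    """Group EVE records by flow_id for flows to `port` and record the JA3
    hash (from tls events) and packet counts / TCP flags (from flow events)."""
    flows = {}
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or partially written lines
        if ev.get("dest_port") != port or "flow_id" not in ev:
            continue
        rec = flows.setdefault(ev["flow_id"], {
            "src": ev.get("src_ip"), "dst": ev.get("dest_ip"),
            "ja3": None, "pkts": None, "flags": []})
        if ev.get("event_type") == "tls":
            rec["ja3"] = ev.get("tls", {}).get("ja3", {}).get("hash")
        elif ev.get("event_type") == "flow":
            flow = ev.get("flow", {})
            rec["pkts"] = (flow.get("pkts_toserver"), flow.get("pkts_toclient"))
            tcp = ev.get("tcp", {})
            rec["flags"] = sorted(k for k in TCP_FLAG_KEYS if tcp.get(k))
    return flows


def missing_ja3(flows):
    """Return the flow_ids for which no JA3 hash was logged."""
    return [fid for fid, rec in flows.items() if rec["ja3"] is None]


if __name__ == "__main__":
    result = triage(SAMPLE_EVE)
    for fid in missing_ja3(result):
        rec = result[fid]
        print(fid, rec["src"], "->", rec["dst"], "pkts", rec["pkts"], "flags", rec["flags"])
```

On a live sensor, pass the contents of eve.json instead of `SAMPLE_EVE`.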

What is your run command?
What does the suricata.yaml look like?
Can you provide the pcap?