Feature #2192
closedJA3 TLS client fingerprinting
Description
Description
Comment: I'm not sure where the correct place to start is but would
like to request a feature. Bro and Moloch are adopting a JA3 TLS/SSL
client fingerprinting technique. I'd like to know if we can get Suricata
to build the capability also. Will make for a great method to share a
new IOC. It's a bit early but seems to be working well.
Here's the public information from Salesforce's Github repo.
https://github.com/salesforce/ja3/
JA3 - A new way to profile SSL Clients
JA3 is a new technique for creating SSL client fingerprints that are
easy to produce and can be easily shared for threat intelligence.
Updated by Andreas Herz over 7 years ago
- Assignee set to Anonymous
- Target version set to TBD
Updated by Mats Klepsland over 7 years ago
- Read a list of fingerprints from a file when starting Suricata.
- Generate the fingerprint when decoding the TLS client hello packet.
- Add a detection keyword for it ("tls_ja3", or something).
- Add it both to the metadata logging in alerts and to the JSON TLS log ("ja3": {"fingerprint":"<fingerprint>", "application":"<application>"}).
- Expose it to Lua scripts.
What do you think, Victor?
Updated by Victor Julien over 7 years ago
Sounds like a great plan! Would accept it gladly :)
Updated by Jeff A about 7 years ago
Mats Klepsland wrote:
JA3 looks cool. It would probably not be that much job to add it. I'll be willing to implement it. I'm thinking:
- Read a list of fingerprints from a file when starting Suricata.
- Generate the fingerprint when decoding the TLS client hello packet.
- Add a detection keyword for it ("tls_ja3", or something).
- Add it both to the metadata logging in alerts and to the JSON TLS log ("ja3": {"fingerprint":"<fingerprint>", "application":"<application>"}).
- Expose it to Lua scripts.
What do you think, Victor?
Mats, that would be awesome! Looking forward to seeing it implemented.
Updated by Victor Julien almost 7 years ago
- Related to Task #2309: SuriCon 2017 brainstorm added
Updated by Victor Julien almost 7 years ago
- Status changed from New to Assigned
- Assignee changed from Anonymous to Mats Klepsland
Updated by Victor Julien over 6 years ago
- Status changed from Assigned to Closed
- Target version changed from TBD to 4.1beta1