Feature #2192

JA3 TLS client fingerprinting

Added by Jeff A about 2 years ago. Updated over 1 year ago.

Status: Closed
Priority: Normal

Description

Comment: I'm not sure where the correct place to start is but would
like to request a feature. Bro and Moloch are adopting a JA3 TLS/SSL
client fingerprinting technique. I'd like to know if we can get Suricata
to build the capability also. Will make for a great method to share a
new IOC. It's a bit early but seems to be working well.

Here's the public information from Salesforce's Github repo.

https://github.com/salesforce/ja3/

JA3 - A new way to profile SSL Clients

JA3 is a new technique for creating SSL client fingerprints that are
easy to produce and can be easily shared for threat intelligence.


Related issues

Related to Support #2309: SuriCon 2017 brainstorm (New, 12/01/2017)

History

#1

Updated by Andreas Herz about 2 years ago

  • Assignee set to Anonymous
  • Target version set to TBD
#2

Updated by Mats Klepsland about 2 years ago

JA3 looks cool. It would probably not be that much job to add it. I'll be willing to implement it. I'm thinking:
  • Read a list of fingerprints from a file when starting Suricata.
  • Generate the fingerprint when decoding the TLS client hello packet.
  • Add a detection keyword for it ("tls_ja3", or something).
  • Add it both to the metadata logging in alerts and to the JSON TLS log ("ja3": {"fingerprint":"<fingerprint>", "application":"<application>"}).
  • Expose it to Lua scripts.

What do you think, Victor?
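
The fingerprint step of the plan above (generate JA3 while decoding the ClientHello), as an added worked example in Python; this is not code from this ticket, from Suricata, or from the Salesforce repository. It parses a raw TLS record, pulls the legacy version, cipher suites, extension types, supported groups and EC point formats out of the ClientHello, writes them in decimal in the JA3 field order with GREASE values (RFC 8701) dropped as the JA3 reference implementation does, and MD5-hashes the result. The ClientHello bytes are constructed inline by a small builder rather than taken from a capture; the host name `example.com`, the cipher and extension choices, and the function names are illustrative.

```python
"""JA3 fingerprint from a raw TLS ClientHello record (illustrative code, not Suricata's)."""
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa. Clients insert them at random
# positions, so JA3 drops them from ciphers, extensions and groups to keep hashes stable.
GREASE = {(b << 8) | b for b in range(0x0a, 0x100, 0x10)}


def _u8(buf, off):
    """Read a uint8, raising ValueError (not IndexError) on a short buffer."""
    if off >= len(buf):
        raise ValueError("truncated field at offset %d" % off)
    return buf[off]


def _u16(buf, off):
    """Read a big-endian uint16 with the same bounds discipline."""
    if off + 2 > len(buf):
        raise ValueError("truncated field at offset %d" % off)
    return struct.unpack_from("!H", buf, off)[0]


def parse_client_hello(record):
    """Return (version, ciphers, extension_types, groups, point_formats) for one TLS record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")

    off = 0
    version = _u16(body, off); off += 2            # legacy_version; TLS 1.3 still sends 0x0303
    off += 32                                       # random
    off += 1 + _u8(body, off)                       # legacy_session_id
    cs_len = _u16(body, off); off += 2
    ciphers = [_u16(body, off + i) for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + _u8(body, off)                       # legacy_compression_methods

    ext_types, groups, point_formats = [], [], []
    if off < len(body):                             # extensions block is optional (old clients)
        ext_total = _u16(body, off); off += 2
        end = off + ext_total
        if end > len(body):
            raise ValueError("extensions overrun ClientHello")
        while off + 4 <= end:
            etype, elen = _u16(body, off), _u16(body, off + 2); off += 4
            if off + elen > end:
                raise ValueError("extension %#06x overruns its block" % etype)
            data = body[off:off + elen]; off += elen
            ext_types.append(etype)
            if etype == 0x000a:                     # supported_groups (elliptic curves)
                n = _u16(data, 0)
                groups = [_u16(data, 2 + i) for i in range(0, n, 2)]
            elif etype == 0x000b:                   # ec_point_formats
                point_formats = list(data[1:1 + _u8(data, 0)])
    return version, ciphers, ext_types, groups, point_formats


def ja3(record):
    """Return (ja3_string, ja3_md5). Empty fields stay as empty strings between the commas."""
    version, ciphers, exts, groups, pfs = parse_client_hello(record)

    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    s = ",".join([str(version), field(ciphers), field(exts), field(groups), field(pfs)])
    return s, hashlib.md5(s.encode("ascii")).hexdigest()


def build_client_hello(version, ciphers, extensions):
    """Construct a TLS record carrying a ClientHello (test input, not captured traffic)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"       # version, zero random, no session id
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                            # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


SNI = struct.pack("!HBH", 14, 0, 11) + b"example.com"             # server_name list, made-up host


def sample_hello(grease):
    """Constructed TLS 1.3-capable ClientHello; `grease` toggles the RFC 8701 filler values."""
    ciphers = [0x1301, 0x1302, 0xc02b, 0x00ff]
    groups = [0x001d, 0x0017]                                      # x25519, secp256r1
    if grease:
        ciphers.insert(0, 0x1a1a)
        groups.insert(0, 0x2a2a)
    group_list = b"".join(struct.pack("!H", g) for g in groups)
    exts = [
        (0x0000, SNI),                                             # server_name
        (0x000a, struct.pack("!H", len(group_list)) + group_list), # supported_groups
        (0x000b, b"\x01\x00"),                                     # ec_point_formats: uncompressed
        (0x000d, struct.pack("!HHH", 4, 0x0403, 0x0804)),          # signature_algorithms
        (0x002b, b"\x04\x03\x04\x03\x03"),                         # supported_versions: 1.3, 1.2
    ]
    if grease:
        exts.insert(2, (0x3a3a, b""))                              # GREASE extension
    return build_client_hello(0x0303, ciphers, exts)


if __name__ == "__main__":
    for label, rec in (("with GREASE", sample_hello(True)), ("without GREASE", sample_hello(False))):
        s, h = ja3(rec)
        print("%-15s %s  %s" % (label, h, s))
```

The two constructed hellos differ only in their GREASE values and yield the same string and hash, which is what lets a fingerprint be shared as an IOC across hellos from the same client; the flip side is that JA3 keys on the order of ciphers and extensions, so a client that changes that order gets a different fingerprint, and the MD5 is only a compact label for the string, not a security property. A record with no extensions block, or with an empty one, produces a string like `769,47,,,` with the trailing fields left empty, as the JA3 README specifies.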

#3

Updated by Victor Julien about 2 years ago

Sounds like a great plan! Would accept it gladly :)

#4

Updated by Jeff A almost 2 years ago

Mats Klepsland wrote:

JA3 looks cool. It would probably not be that much job to add it. I'll be willing to implement it. I'm thinking:
  • Read a list of fingerprints from a file when starting Suricata.
  • Generate the fingerprint when decoding the TLS client hello packet.
  • Add a detection keyword for it ("tls_ja3", or something).
  • Add it both to the metadata logging in alerts and to the JSON TLS log ("ja3": {"fingerprint":"<fingerprint>", "application":"<application>"}).
  • Expose it to Lua scripts.

What do you think, Victor?

Mats, that would be awesome! Looking forward to seeing it implemented.

#5

Updated by Victor Julien over 1 year ago

#6

Updated by Victor Julien over 1 year ago

  • Status changed from New to Assigned
  • Assignee changed from Anonymous to Mats Klepsland
#7

Updated by Victor Julien over 1 year ago

  • Status changed from Assigned to Closed
  • Target version changed from TBD to 4.1beta1
