Feature #2192
closed
JA3 TLS client fingerprinting
Added by Jeff A almost 7 years ago.
Updated about 6 years ago.
Description
Description
Comment: I'm not sure where the correct place to start is but would
like to request a feature. Bro and Moloch are adopting a JA3 TLS/SSL
client fingerprinting technique. I'd like to know if we can get Suricata
to build the capability also. Will make for a great method to share a
new IOC. It's a bit early but seems to be working well.
Here's the public information from Salesforce's Github repo.
https://github.com/salesforce/ja3/
JA3 - A new way to profile SSL Clients
JA3 is a new technique for creating SSL client fingerprints that are
easy to produce and can be easily shared for threat intelligence.
Related issues
1 (1 open — 0 closed)
- Assignee set to Anonymous
- Target version set to TBD
JA3 looks cool. It would probably not be that much job to add it. I'll be willing to implement it. I'm thinking:
- Read a list of fingerprints from a file when starting Suricata.
- Generate the fingerprint when decoding the TLS client hello packet.
- Add a detection keyword for it ("tls_ja3", or something).
- Add it both to the metadata logging in alerts and to the JSON TLS log ("ja3": {"fingerprint":"<fingerprint>", "application":"<application>"}).
- Expose it to Lua scripts.
What do you think, Victor?
Sounds like a great plan! Would accept it gladly :)
Mats Klepsland wrote:
JA3 looks cool. It would probably not be that much job to add it. I'll be willing to implement it. I'm thinking:
- Read a list of fingerprints from a file when starting Suricata.
- Generate the fingerprint when decoding the TLS client hello packet.
- Add a detection keyword for it ("tls_ja3", or something).
- Add it both to the metadata logging in alerts and to the JSON TLS log ("ja3": {"fingerprint":"<fingerprint>", "application":"<application>"}).
- Expose it to Lua scripts.
What do you think, Victor?
Mats, that would be awesome! Looking forward to seeing it implemented.
- Related to Task #2309: SuriCon 2017 brainstorm added
- Status changed from New to Assigned
- Assignee changed from Anonymous to Mats Klepsland
- Status changed from Assigned to Closed
- Target version changed from TBD to 4.1beta1
Also available in: Atom
PDF