Support #4435 (closed)
Seem to be getting wrong hashes for JA3?
Description
I am having a problem with Suricata as it does not seem to be reporting the correct JA3 hashes. I am comparing them to the ones I have in Wireshark and the ones in Wireshark are correct. I have JA3 enabled in the YAML config file so I’m unsure as to why I am getting inaccurate hashes. I feel like I have tried a lot of different things - different OS, changing the encryption handling setting etc. I was wondering if anyone could help me with this please as my dissertation is based on investigations using Suricata and JA3.
For example: Suricata (standard Chrome browser):
"ja3": {
"hash": "a0f5390b00000000e93b510000000000",
"string": "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-21,29-23-24,0"
},
"ja3s": {
"hash": "90f5390b00000000e93b510000000000",
"string": "771,4865,51-43"
}
Wireshark (standard Chrome browser):
JA3 = b32309a26951912be7dba376398abc3b
JA3 (full) = 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-21,29-23-24,0
JA3S = eb1d94daa7e0344597e756a1fb6e7054
JA3S (full) = 771,4865,51-43
...and then when I put them into https://ja3er.com/, the hashes cannot be found.
My Suricata version is the latest. My machine uses a Windows OS. I have the JA3 setting set to "yes" in my config file and the encryption handling setting is set to "bypass".
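A JA3 or JA3S hash is simply the MD5 of the fingerprint string, so the `string` field in the EVE log is enough to check the `hash` field independently. The following checker is an added example, not part of the ticket or of Suricata; the EVE event it parses is constructed from the two records quoted above, and the `suspicious_pattern` heuristic is this example's own.

```python
import hashlib
import json

# Constructed sample: the two records quoted in the ticket, wrapped as one
# EVE-style "tls" event so the checker can be run offline.
SAMPLE_EVE_EVENT = json.dumps({
    "event_type": "tls",
    "tls": {
        "ja3": {
            "hash": "a0f5390b00000000e93b510000000000",
            "string": "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-"
                      "49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-13-18-"
                      "51-45-43-27-21,29-23-24,0",
        },
        "ja3s": {
            "hash": "90f5390b00000000e93b510000000000",
            "string": "771,4865,51-43",
        },
    },
})


def ja3_digest(ja3_string: str) -> str:
    """JA3 and JA3S hashes are defined as the MD5 of the fingerprint string."""
    return hashlib.md5(ja3_string.encode("ascii")).hexdigest()


def verify_event(eve_line: str) -> dict:
    """Recompute the hash of each ja3/ja3s record and report whether it matches.

    Returns a dict keyed by field name with the reported hash, the recomputed
    hash, a match flag, and a heuristic flag for the zero-padded pattern
    seen in the ticket (a real MD5 very rarely contains eight consecutive
    identical hex digits).
    """
    tls = json.loads(eve_line).get("tls", {})
    result = {}
    for field in ("ja3", "ja3s"):
        record = tls.get(field)
        if not record or "string" not in record:
            continue  # nothing to verify without the fingerprint string
        reported = record.get("hash", "")
        recomputed = ja3_digest(record["string"])
        result[field] = {
            "reported": reported,
            "recomputed": recomputed,
            "match": reported == recomputed,
            "suspicious_pattern": "00000000" in reported,
        }
    return result
```

Run against the quoted records, the recomputed values agree with Wireshark and disagree with what Suricata wrote, which localises the fault to the hashing step rather than to the fingerprint extraction.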