Apparently there are devices which support ERSPAN type 3, but not ERSPAN type 2. I propose to add ERSPAN type 3 support so that Suricata can receive traffic from such sources. (Gianni Tedesco)
I would like to add to the TLS EVE output the following fields: 1. cipher suite list to client struct 2. cipher suite selected (to a new server struct?) 3. client extensions list to client struct 4. server extensions list to server s... (Gianni Tedesco)
A bit of extra context here. The systems this is happening on, it's happening pretty regularly (e.g. every 10 minutes); the issue is that they're on 10GB NICs, which are almost fully saturated with traffic, single threaded (due to broadco... (Gianni Tedesco)
And another discrepancy, which I am not sure about and investigating a bit more, is that sometimes the EVE JSON reports "TLS 1.3", but both ja3-strings are saying 771 (TLS 1.2). Not sure why this is. (Gianni Tedesco)
I am also seeing a case where only two fields are being output; this also seems invalid: "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53" (Gianni Tedesco)
It would be good if all the fields required for JA4 can be exported in the EVE TLS event meta-data; that way JA4s (or alternative fingerprint algorithms) can be computed independently of Suricata. We, at Rapid7, are collecting passiv... (Gianni Tedesco)