Project

General

Profile

Actions

Feature #2192

closed

JA3 TLS client fingerprinting

Added by Jeff A over 7 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

Description

Comment: I'm not sure where the correct place to start is but would
like to request a feature. Bro and Moloch are adopting a JA3 TLS/SSL
client fingerprinting technique. I'd like to know if we can get Suricata
to build the capability also. Will make for a great method to share a
new IOC. It's a bit early but seems to be working well.

Here's the public information from Salesforce's Github repo.

https://github.com/salesforce/ja3/

JA3 - A new way to profile SSL Clients

JA3 is a new technique for creating SSL client fingerprints that are
easy to produce and can be easily shared for threat intelligence.


Related issues 1 (1 open0 closed)

Related to Suricata - Task #2309: SuriCon 2017 brainstormAssignedVictor JulienActions
Actions #1

Updated by Andreas Herz over 7 years ago

  • Assignee set to Anonymous
  • Target version set to TBD
Actions #2

Updated by Mats Klepsland over 7 years ago

JA3 looks cool. It would probably not be that much job to add it. I'll be willing to implement it. I'm thinking:
  • Read a list of fingerprints from a file when starting Suricata.
  • Generate the fingerprint when decoding the TLS client hello packet.
  • Add a detection keyword for it ("tls_ja3", or something).
  • Add it both to the metadata logging in alerts and to the JSON TLS log ("ja3": {"fingerprint":"<fingerprint>", "application":"<application>"}).
  • Expose it to Lua scripts.

What do you think, Victor?

Actions #3

Updated by Victor Julien over 7 years ago

Sounds like a great plan! Would accept it gladly :)

Actions #4

Updated by Jeff A over 7 years ago

Mats Klepsland wrote:

JA3 looks cool. It would probably not be that much job to add it. I'll be willing to implement it. I'm thinking:
  • Read a list of fingerprints from a file when starting Suricata.
  • Generate the fingerprint when decoding the TLS client hello packet.
  • Add a detection keyword for it ("tls_ja3", or something).
  • Add it both to the metadata logging in alerts and to the JSON TLS log ("ja3": {"fingerprint":"<fingerprint>", "application":"<application>"}).
  • Expose it to Lua scripts.

What do you think, Victor?

Mats, that would be awesome! Looking forward to seeing it implemented.

Actions #5

Updated by Victor Julien about 7 years ago

  • Related to Task #2309: SuriCon 2017 brainstorm added
Actions #6

Updated by Victor Julien about 7 years ago

  • Status changed from New to Assigned
  • Assignee changed from Anonymous to Mats Klepsland
Actions #7

Updated by Victor Julien almost 7 years ago

  • Status changed from Assigned to Closed
  • Target version changed from TBD to 4.1beta1
Actions

Also available in: Atom PDF