Project

General

Profile

Actions
Copy link

Feature #2754

closed

JA3 and JA3S - sets / reputation

Added by Victor Julien almost 6 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
5.0rc1
Effort:
Difficulty:
Label:

Description

Support matching on large amounts of ja3/ja3s hashes.

Related issues 3 (1 open2 closed)

Related to Suricata - Task #2685: SuriCon 2018 brainstormAssignedVictor JulienActions
Related to Suricata - Feature #2684: Add JA3SClosedMats KlepslandActions
Blocked by Suricata - Feature #2318: matching on large amounts of data with dynamic updatesClosedVictor JulienActions
Actions
Copy link
 #1

Updated by Victor Julien almost 6 years ago

  • Related to Task #2685: SuriCon 2018 brainstorm added
Actions
Copy link
 #2

Updated by Victor Julien almost 6 years ago

  • Blocked by Feature #2318: matching on large amounts of data with dynamic updates added
Actions
Copy link
 #3

Updated by Victor Julien almost 6 years ago

Actions
Copy link
 #4

Updated by Victor Julien almost 6 years ago

  • Tracker changed from Bug to Feature
Actions
Copy link
 #5

Updated by Victor Julien about 5 years ago

  • Target version changed from TBD to 5.0rc1

TLS JA3/JA3S:

Blacklist:

alert tls any any -> any any (ja3.hash; dataset:isset,bad_ja3_hash, load bad_ja3_hash.rep, type string; sid:3;)

Reputation:

alert tls any any -> any any (ja3s.hash; datarep:ja3s_rep, >, 200, load ja3s_rep.rep, type string; sid:4;)
alert tls any any -> any any (ja3s.string; datarep:ja3s_str_rep, >, 200, load ja3s_str_rep.rep, type md5; sid:5;)

https://github.com/OISF/suricata/pull/4166

https://suricata.readthedocs.io/en/latest/rules/datasets.html

Actions
Copy link
 #6

Updated by Victor Julien about 5 years ago

  • Status changed from Assigned to Closed
Actions
Copy link

Also available in: Atom PDF