Feature #3204

closed

ja3(s): automatically enable when rules require it

Added by Victor Julien about 5 years ago. Updated about 5 years ago.

Status: Closed
Priority: Normal

Description

With the ET 5.0 ruleset quite a few rules use the ja3_hash keyword. If the JA3 functionality is not enabled in the config, this will lead to ruleset loading errors. If Suricata-Update is in use, its test phase will fail.

We should probably change the logic to enable JA3 on demand. This should be done in a thread-safe way as the ruleset can be (re)loaded when traffic is already being processed.
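
The loading failure described in this ticket can be caught before a ruleset is deployed. The following is an added example, not part of the ticket or of Suricata: a pre-flight check that lists active rules using a JA3/JA3S keyword when the configuration does not turn JA3 on. It assumes a build without on-demand enabling, where an unset `ja3-fingerprints` value means JA3 is off; the config snippet, rules and SIDs are constructed samples.

```python
import re

# JA3/JA3S keywords in either spelling (ja3_hash, ja3.hash, ja3s_string, ...).
JA3_KEYWORD = re.compile(r"[;(]\s*(ja3s?[._](?:hash|string))\s*[;:]")
SID = re.compile(r"[;(]\s*sid\s*:\s*(\d+)\s*;")
JA3_SETTING = re.compile(r"^\s*ja3-fingerprints\s*:\s*(\w+)", re.M)
TRUE_VALUES = {"1", "yes", "true", "on"}

def ja3_enabled(yaml_text):
    """True if an uncommented ja3-fingerprints line holds a true value."""
    m = JA3_SETTING.search(yaml_text)
    return bool(m) and m.group(1).lower() in TRUE_VALUES

def rules_needing_ja3(rules_text):
    """Return [(sid, keyword)] for each active rule that uses a JA3 keyword."""
    hits = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and disabled rules
            continue
        kw = JA3_KEYWORD.search(line)
        if kw:
            sid = SID.search(line)
            hits.append((int(sid.group(1)) if sid else None, kw.group(1)))
    return hits

def preflight(yaml_text, rules_text):
    """Rules expected to fail loading because JA3 is not enabled."""
    return [] if ja3_enabled(yaml_text) else rules_needing_ja3(rules_text)

# Constructed sample input (not taken from a real deployment or ruleset).
SAMPLE_YAML = """\
app-layer:
  protocols:
    tls:
      enabled: yes
      ja3-fingerprints: no
"""
SAMPLE_RULES = """\
alert tls any any -> any any (msg:"constructed JA3 rule"; ja3_hash; content:"00000000000000000000000000000000"; sid:1000001; rev:1;)
alert tls any any -> any any (msg:"constructed plain TLS rule"; tls_sni; content:"example.test"; sid:1000002; rev:1;)
# alert tls any any -> any any (msg:"constructed disabled rule"; ja3_string; content:"771"; sid:1000004; rev:1;)
alert tls any any -> any any (msg:"constructed JA3S rule"; ja3s.hash; content:"11111111111111111111111111111111"; sid:1000003; rev:1;)
"""

if __name__ == "__main__":
    for sid, keyword in preflight(SAMPLE_YAML, SAMPLE_RULES):
        print(f"sid {sid} uses {keyword} but JA3 is not enabled in the config")
```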
