Bug #3215

closed

Disable ja3_hash rules if Suricata does not have ja3 support, or ja3 support is disabled.

Added by Jason Ish about 5 years ago. Updated about 5 years ago.

Status: Closed
Priority: Normal

Description

When loading rules, check if the associated Suricata application has the ability to use ja3 (check for HAVE_NSS), and then check if ja3 is enabled.

If it is determined that the Suricata instance does not have ja3 enabled, emit a warning and automatically disable ja3 rules.

Actions #1

Updated by Victor Julien about 5 years ago

2 things I wanted to mention:

  1. we added a new notation
  2. we had 3 more keywords that depend on ja3 support

     $ ./src/suricata --list-keywords|grep ja3
     - ja3.hash
     - ja3.string
     - ja3s.hash
     - ja3s.string

Actions #2

Updated by Jason Ish about 5 years ago

  • Status changed from Assigned to Closed
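
A sketch of the check this ticket describes, written as an added example and not the project's own code: it comments out rules that use `ja3_hash` or the four keywords listed above when the build lacks `HAVE_NSS` or ja3 is turned off, and returns a warning. The function names, the `Features:` line parsing, the caller-supplied `ja3_enabled` flag and all sample input are assumptions made for illustration.

```python
import re

# Keywords named on this page: ja3_hash (title) plus the --list-keywords output.
JA3_KEYWORDS = ("ja3_hash", "ja3.hash", "ja3.string", "ja3s.hash", "ja3s.string")
# Match a keyword only where a rule option starts, not inside msg text.
JA3_OPTION = re.compile(
    r"[(;]\s*(?:%s)\s*[;:]" % "|".join(re.escape(k) for k in JA3_KEYWORDS))

# Constructed sample input (not captured from a real system).
BUILD_WITH_NSS = "Features: PCAP_SET_BUFF AF_PACKET HAVE_NSS HAVE_LUA RUST\n"
BUILD_WITHOUT_NSS = "Features: PCAP_SET_BUFF AF_PACKET HAVE_LUA RUST\n"
HASH = "0123456789abcdef0123456789abcdef"  # placeholder, not a real fingerprint
SAMPLE_RULES = [
    'alert tls any any -> any any (msg:"demo"; ja3_hash; content:"%s"; sid:1;)' % HASH,
    'alert tls any any -> any any (msg:"demo"; ja3s.hash; content:"%s"; sid:2;)' % HASH,
    'alert tls any any -> any any (msg:"about ja3.hash"; tls.sni; content:"x"; sid:3;)',
]


def has_ja3_support(build_info, ja3_enabled):
    """True only if the build lists HAVE_NSS and ja3 is enabled in the config."""
    features = []
    for line in build_info.splitlines():
        if line.strip().startswith("Features:"):
            features = line.split(":", 1)[1].split()
    return "HAVE_NSS" in features and bool(ja3_enabled)


def filter_rules(rules, build_info, ja3_enabled):
    """Return (rules, warnings); ja3 rules are commented out when unsupported."""
    if has_ja3_support(build_info, ja3_enabled):
        return list(rules), []
    out, disabled = [], 0
    for rule in rules:
        if JA3_OPTION.search(rule) and not rule.lstrip().startswith("#"):
            out.append("# " + rule)
            disabled += 1
        else:
            out.append(rule)
    warnings = []
    if disabled:
        warnings.append("ja3 unavailable or disabled: %d rule(s) disabled" % disabled)
    return out, warnings


if __name__ == "__main__":
    rules, warnings = filter_rules(SAMPLE_RULES, BUILD_WITHOUT_NSS, True)
    print("\n".join(warnings + rules))
```

The third sample rule only mentions `ja3.hash` inside its `msg` text, so it stays enabled in every case.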