Project

General

Profile

Actions
Copy link

Bug #5264

closed

random value for ja3 and ja3s hashes during the next scan

Added by Kirill Rassokhin over 2 years ago. Updated 12 months ago.

Status:
Closed
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
6.0.1, 6.0.3
Effort:
Difficulty:
Label:

Description

Hello,

Please, check. When rescanning a same pcap file, different md5 hashes are counted from the same "string".

Suricata 6.0.3 from: https://suricata.io/download/ (https://www.openinfosecfoundation.org/download/windows/Suricata-6.0.3-1-64bit.msi)
Windows 10 (10.0.19042)

Same result on:
Suricata 6.0.1
Windows 10 (10.0.19042)

Attached file: ja3hash_test.pcap

WireShark:
[JA3 Fullstring: 771,60-47-61-53-5-10-49191-49171-49172-49195-49187-49196-49188-49161-49162-64-50-106-56-19-4,10-11-13-65281,23-24,0]
[JA3: 66d20946a7642aab5401b79bc2aa83d3]

eve.json

try 1: {"timestamp":"2022-04-08T04:27:54.168684+0300","flow_id":1093574097180080,"pcap_cnt":8,"event_type":"tls","src_ip":"10.113.156.63","src_port":49167,"dest_ip":"202.29.239.162","dest_port":443,"proto":"TCP","tls":{"ja3":{"hash":"40f43f6ff7000000e96dac08f77f0000","string":"771,60-47-61-53-5-10-49191-49171-49172-49195-49187-49196-49188-49161-49162-64-50-106-56-19-4,10-11-13-65281,23-24,0"},"ja3s":{"hash":"30f43f6ff7000000e96dac08f77f0000","string":"771,49191,65281-11"}}}

try 2: {"timestamp":"2022-04-08T04:27:54.168684+0300","flow_id":1726038096287152,"pcap_cnt":8,"event_type":"tls","src_ip":"10.113.156.63","src_port":49167,"dest_ip":"202.29.239.162","dest_port":443,"proto":"TCP","tls":{"ja3":{"hash":"c0f0dfb166000000e96dac08f77f0000","string":"771,60-47-61-53-5-10-49191-49171-49172-49195-49187-49196-49188-49161-49162-64-50-106-56-19-4,10-11-13-65281,23-24,0"},"ja3s":{"hash":"b0f0dfb166000000e96dac08f77f0000","string":"771,49191,65281-11"}}}

try 3: {"timestamp":"2022-04-08T04:27:54.168684+0300","flow_id":921423218021808,"pcap_cnt":8,"event_type":"tls","src_ip":"10.113.156.63","src_port":49167,"dest_ip":"202.29.239.162","dest_port":443,"proto":"TCP","tls":{"ja3":{"hash":"d0f21f9593000000e96dac08f77f0000","string":"771,60-47-61-53-5-10-49191-49171-49172-49195-49187-49196-49188-49161-49162-64-50-106-56-19-4,10-11-13-65281,23-24,0"},"ja3s":{"hash":"c0f21f9593000000e96dac08f77f0000","string":"771,49191,65281-11"}}}

Files

ja3hash_test.pcap (5.09 KB) ja3hash_test.pcap Kirill Rassokhin, 04/11/2022 09:56 PM
Actions
Copy link
 #1

Updated by Philippe Antoine 12 months ago

  • Status changed from New to Closed

With latest suricata, I get the same value as Suricata

    "ja3": {
      "hash": "66d20946a7642aab5401b79bc2aa83d3",
      "string": "771,60-47-61-53-5-10-49191-49171-49172-49195-49187-49196-49188-49161-49162-64-50-106-56-19-4,10-11-13-65281,23-24,0" 
    },
    "ja3s": {
      "hash": "a4cc547f75a117e7e973bd04ad9bec50",
      "string": "771,49191,65281-11" 
    }

Actions
Copy link
 #2

Updated by Philippe Antoine 12 months ago

By the way c0f21f9593000000e96dac08f77f0000 looks like a memory address

Actions
Copy link

Also available in: Atom PDF