suricata: Automatically enable JA3 fingerprinting.

Message ID 20201027094931.2921-1-stefan.schantl@ipfire.org
State Accepted
Commit 0937bd9c01fd4c56fdee688e887958dc72a9b03b
Headers
Series suricata: Automatically enable JA3 fingerprinting. |

Commit Message

Stefan Schantl Oct. 27, 2020, 9:49 a.m. UTC
  Enable JA3 fingerprinting if any rules are enabled which are using this
kind of feature.

Fixes #12507.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
 config/suricata/suricata.yaml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
  

Comments

Michael Tremer Oct. 27, 2020, 9:54 a.m. UTC | #1
Good morning Stefan,

Thanks for submitting this patch.

Is this tested and peer-reviewed and should this be merged into c152 with suricata 5.0.4, or is this to be merged with suricata 6?

Best,
-Michael

> On 27 Oct 2020, at 09:49, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
> 
> Enable JA3 fingerprinting if any rules are enabled which are using this
> kind of feature.
> 
> Fixes #12507.
> 
> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
> ---
> config/suricata/suricata.yaml | 4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
> index 743a4716c..4e9e39967 100644
> --- a/config/suricata/suricata.yaml
> +++ b/config/suricata/suricata.yaml
> @@ -387,9 +387,7 @@ app-layer:
> 
>       # Generate JA3 fingerprint from client hello. If not specified it
>       # will be disabled by default, but enabled if rules require it.
> -      #ja3-fingerprints: auto
> -      # Generate JA3 fingerprint from client hello
> -      ja3-fingerprints: no
> +      ja3-fingerprints: auto
> 
>       # Completely stop processing TLS/SSL session after the handshake
>       # completed. If bypass is enabled this will also trigger flow
> -- 
> 2.20.1
>
  
Stefan Schantl Oct. 27, 2020, 11:06 a.m. UTC | #2
Hello Michael,

this change is not tested very well (I only tested on my productive
system and got no errors), so there are definitely more testing should
be done until we can ship them.

I'd suggest to bundle it with suricata 6 so we have more time for
testing and collecting feedback.

Best regards,

-Stefan
> Good morning Stefan,
> 
> Thanks for submitting this patch.
> 
> Is this tested and peer-reviewed and should this be merged into c152
> with suricata 5.0.4, or is this to be merged with suricata 6?
> 
> Best,
> -Michael
> 
> > On 27 Oct 2020, at 09:49, Stefan Schantl <stefan.schantl@ipfire.org
> > > wrote:
> > 
> > Enable JA3 fingerprinting if any rules are enabled which are using
> > this
> > kind of feature.
> > 
> > Fixes #12507.
> > 
> > Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
> > ---
> > config/suricata/suricata.yaml | 4 +---
> > 1 file changed, 1 insertion(+), 3 deletions(-)
> > 
> > diff --git a/config/suricata/suricata.yaml
> > b/config/suricata/suricata.yaml
> > index 743a4716c..4e9e39967 100644
> > --- a/config/suricata/suricata.yaml
> > +++ b/config/suricata/suricata.yaml
> > @@ -387,9 +387,7 @@ app-layer:
> > 
> >       # Generate JA3 fingerprint from client hello. If not
> > specified it
> >       # will be disabled by default, but enabled if rules require
> > it.
> > -      #ja3-fingerprints: auto
> > -      # Generate JA3 fingerprint from client hello
> > -      ja3-fingerprints: no
> > +      ja3-fingerprints: auto
> > 
> >       # Completely stop processing TLS/SSL session after the
> > handshake
> >       # completed. If bypass is enabled this will also trigger flow
> > -- 
> > 2.20.1
> >
  
Michael Tremer Oct. 27, 2020, 12:54 p.m. UTC | #3
Hello Stefan,

okay. I merged this into next which will eventually become Core Update 153.

Everyone, please test and send feedback :)

Best,
-Michael

> On 27 Oct 2020, at 11:06, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
> 
> Hello Michael,
> 
> this change is not tested very well (I only tested on my productive
> system and got no errors), so there are definitely more testing should
> be done until we can ship them.
> 
> I'd suggest to bundle it with suricata 6 so we have more time for
> testing and collecting feedback.
> 
> Best regards,
> 
> -Stefan
>> Good morning Stefan,
>> 
>> Thanks for submitting this patch.
>> 
>> Is this tested and peer-reviewed and should this be merged into c152
>> with suricata 5.0.4, or is this to be merged with suricata 6?
>> 
>> Best,
>> -Michael
>> 
>>> On 27 Oct 2020, at 09:49, Stefan Schantl <stefan.schantl@ipfire.org
>>>> wrote:
>>> 
>>> Enable JA3 fingerprinting if any rules are enabled which are using
>>> this
>>> kind of feature.
>>> 
>>> Fixes #12507.
>>> 
>>> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
>>> ---
>>> config/suricata/suricata.yaml | 4 +---
>>> 1 file changed, 1 insertion(+), 3 deletions(-)
>>> 
>>> diff --git a/config/suricata/suricata.yaml
>>> b/config/suricata/suricata.yaml
>>> index 743a4716c..4e9e39967 100644
>>> --- a/config/suricata/suricata.yaml
>>> +++ b/config/suricata/suricata.yaml
>>> @@ -387,9 +387,7 @@ app-layer:
>>> 
>>>      # Generate JA3 fingerprint from client hello. If not
>>> specified it
>>>      # will be disabled by default, but enabled if rules require
>>> it.
>>> -      #ja3-fingerprints: auto
>>> -      # Generate JA3 fingerprint from client hello
>>> -      ja3-fingerprints: no
>>> +      ja3-fingerprints: auto
>>> 
>>>      # Completely stop processing TLS/SSL session after the
>>> handshake
>>>      # completed. If bypass is enabled this will also trigger flow
>>> -- 
>>> 2.20.1
>>> 
>
  

Patch

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 743a4716c..4e9e39967 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -387,9 +387,7 @@  app-layer:
 
       # Generate JA3 fingerprint from client hello. If not specified it
       # will be disabled by default, but enabled if rules require it.
-      #ja3-fingerprints: auto
-      # Generate JA3 fingerprint from client hello
-      ja3-fingerprints: no
+      ja3-fingerprints: auto
 
       # Completely stop processing TLS/SSL session after the handshake
       # completed. If bypass is enabled this will also trigger flow