| Message ID | 20201027094931.2921-1-stefan.schantl@ipfire.org |
|---|---|
| State | Accepted |
| Commit | 0937bd9c01fd4c56fdee688e887958dc72a9b03b |
| Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4CL6PM13f3z3wgp for <patchwork@web04.haj.ipfire.org>; Tue, 27 Oct 2020 09:49:43 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4CL6PK5Xmgz1hd; Tue, 27 Oct 2020 09:49:41 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4CL6PK1Smyz2xyg; Tue, 27 Oct 2020 09:49:41 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4CL6PH5xlHz2xnn for <development@lists.ipfire.org>; Tue, 27 Oct 2020 09:49:39 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4CL6PG6MZQzj3; Tue, 27 Oct 2020 09:49:38 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1603792179; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=OT5FDzRvBRDQEoPmpin7GjE1vc+0Orh7h9J4xukGV0k=; b=9APUocIccBlEVZ73T2xTeXXJj5+XvKPSVj5xydBiCStMUVUSFfh/9C/ZWsKAWc34gkVe1X /r+nWJidAipeDnDQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1603792179; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=OT5FDzRvBRDQEoPmpin7GjE1vc+0Orh7h9J4xukGV0k=; b=AADlmzd6bDV5T8tAEj4M0yTIdwFMHKgpW8ks7wZTF8MbezUcAABI/g/9YNqCdNZY/pm89P vFQbRoRhAEH2mQsCnHYLXJsdeKaBNnsp6N1E3BGEJ/J4g1NWgJJj5U7TsRh8f8Pgm9MCur tzQ/vGEyl9CM2qnPXL4n7v/9YfjdFV8+AQU+s2VhnNRFF+5IKqs0/kvU03wUOO6HcVBqg9 x6ZgD/xGm1/L4p0bV8w+KcBy9xxnCHMeXmGXiq4pcvrL6StQZd91qQiOfFayZ2PgB3UsWK /UT5J42Fcd+uN6QTR+hGb2vyNAgWYQRgeiOxsESMllHcSdc2EXUN7FsHM+5NOA== From: Stefan Schantl <stefan.schantl@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] suricata: Automatically enable JA3 fingerprinting. Date: Tue, 27 Oct 2020 10:49:31 +0100 Message-Id: <20201027094931.2921-1-stefan.schantl@ipfire.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
| Series |
suricata: Automatically enable JA3 fingerprinting.
|
|
Commit Message
Stefan Schantl
Oct. 27, 2020, 9:49 a.m. UTC
Enable JA3 fingerprinting if any rules are enabled which are using this
kind of feature.
Fixes #12507.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
config/suricata/suricata.yaml | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
Comments
Good morning Stefan, Thanks for submitting this patch. Is this tested and peer-reviewed and should this be merged into c152 with suricata 5.0.4, or is this to be merged with suricata 6? Best, -Michael > On 27 Oct 2020, at 09:49, Stefan Schantl <stefan.schantl@ipfire.org> wrote: > > Enable JA3 fingerprinting if any rules are enabled which are using this > kind of feature. > > Fixes #12507. > > Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> > --- > config/suricata/suricata.yaml | 4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) > > diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml > index 743a4716c..4e9e39967 100644 > --- a/config/suricata/suricata.yaml > +++ b/config/suricata/suricata.yaml > @@ -387,9 +387,7 @@ app-layer: > > # Generate JA3 fingerprint from client hello. If not specified it > # will be disabled by default, but enabled if rules require it. > - #ja3-fingerprints: auto > - # Generate JA3 fingerprint from client hello > - ja3-fingerprints: no > + ja3-fingerprints: auto > > # Completely stop processing TLS/SSL session after the handshake > # completed. If bypass is enabled this will also trigger flow > -- > 2.20.1 >
Hello Michael, this change is not tested very well (I only tested on my productive system and got no errors), so there are definitely more testing should be done until we can ship them. I'd suggest to bundle it with suricata 6 so we have more time for testing and collecting feedback. Best regards, -Stefan > Good morning Stefan, > > Thanks for submitting this patch. > > Is this tested and peer-reviewed and should this be merged into c152 > with suricata 5.0.4, or is this to be merged with suricata 6? > > Best, > -Michael > > > On 27 Oct 2020, at 09:49, Stefan Schantl <stefan.schantl@ipfire.org > > > wrote: > > > > Enable JA3 fingerprinting if any rules are enabled which are using > > this > > kind of feature. > > > > Fixes #12507. > > > > Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> > > --- > > config/suricata/suricata.yaml | 4 +--- > > 1 file changed, 1 insertion(+), 3 deletions(-) > > > > diff --git a/config/suricata/suricata.yaml > > b/config/suricata/suricata.yaml > > index 743a4716c..4e9e39967 100644 > > --- a/config/suricata/suricata.yaml > > +++ b/config/suricata/suricata.yaml > > @@ -387,9 +387,7 @@ app-layer: > > > > # Generate JA3 fingerprint from client hello. If not > > specified it > > # will be disabled by default, but enabled if rules require > > it. > > - #ja3-fingerprints: auto > > - # Generate JA3 fingerprint from client hello > > - ja3-fingerprints: no > > + ja3-fingerprints: auto > > > > # Completely stop processing TLS/SSL session after the > > handshake > > # completed. If bypass is enabled this will also trigger flow > > -- > > 2.20.1 > >
Hello Stefan, okay. I merged this into next which will eventually become Core Update 153. Everyone, please test and send feedback :) Best, -Michael > On 27 Oct 2020, at 11:06, Stefan Schantl <stefan.schantl@ipfire.org> wrote: > > Hello Michael, > > this change is not tested very well (I only tested on my productive > system and got no errors), so there are definitely more testing should > be done until we can ship them. > > I'd suggest to bundle it with suricata 6 so we have more time for > testing and collecting feedback. > > Best regards, > > -Stefan >> Good morning Stefan, >> >> Thanks for submitting this patch. >> >> Is this tested and peer-reviewed and should this be merged into c152 >> with suricata 5.0.4, or is this to be merged with suricata 6? >> >> Best, >> -Michael >> >>> On 27 Oct 2020, at 09:49, Stefan Schantl <stefan.schantl@ipfire.org >>>> wrote: >>> >>> Enable JA3 fingerprinting if any rules are enabled which are using >>> this >>> kind of feature. >>> >>> Fixes #12507. >>> >>> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> >>> --- >>> config/suricata/suricata.yaml | 4 +--- >>> 1 file changed, 1 insertion(+), 3 deletions(-) >>> >>> diff --git a/config/suricata/suricata.yaml >>> b/config/suricata/suricata.yaml >>> index 743a4716c..4e9e39967 100644 >>> --- a/config/suricata/suricata.yaml >>> +++ b/config/suricata/suricata.yaml >>> @@ -387,9 +387,7 @@ app-layer: >>> >>> # Generate JA3 fingerprint from client hello. If not >>> specified it >>> # will be disabled by default, but enabled if rules require >>> it. >>> - #ja3-fingerprints: auto >>> - # Generate JA3 fingerprint from client hello >>> - ja3-fingerprints: no >>> + ja3-fingerprints: auto >>> >>> # Completely stop processing TLS/SSL session after the >>> handshake >>> # completed. If bypass is enabled this will also trigger flow >>> -- >>> 2.20.1 >>> >
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 743a4716c..4e9e39967 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -387,9 +387,7 @@ app-layer: # Generate JA3 fingerprint from client hello. If not specified it # will be disabled by default, but enabled if rules require it. - #ja3-fingerprints: auto - # Generate JA3 fingerprint from client hello - ja3-fingerprints: no + ja3-fingerprints: auto # Completely stop processing TLS/SSL session after the handshake # completed. If bypass is enabled this will also trigger flow