[Zeek] ja3 & ja3s with resumed tls

John B. Althouse john.b.althouse at gmail.com
Thu Jan 10 17:39:49 PST 2019


Hey Daniel! I can help here. So when a TLS session resumes there is still a
Client Hello packet, however the details can be different in the resuming
hello packet vs the original, producing a different JA3, which will produce
a different response from the server and therefore a different JA3S.

Capturing this with JA3 is by design. There could be interesting unique
qualities to the resumed negotiations vs the original that could assist in
building more complex detections. The fact that Zeek is able to
differentiate between new and resumed connections makes it so you can use
this data however you want, or ignore it completely. The power of
networking metadata is in your hands.

John Althouse

On Thu, Jan 10, 2019 at 7:28 PM Daniel Guerra <daniel.guerra69 at gmail.com>
wrote:

> Hi Johanna
>
> I was thinking the same but after the results i became insecure about this.
> I have attached 2 examples.
>
> Daniel
>
> Example 1
>
> resumed false
>
> {
>     "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
>     "established": true,
>     "client_cert_chain_fuids": "[]",
>     "curve": "secp256r1",
>     "issuerdn": "CN=DigiCert ECC Secure Server CA,O=DigiCert Inc,C=US",
>     "ja3s": "7d3eb4120cd50e889bcd3f3783be0f82",
>     "subject": "CN=*.adnxs.com,O=AppNexus\\, Inc.,L=New York,ST=New
> York,C=US",
>     "cert_chain_fuids": [
>       "FwvSeKet5kqNoujSf",
>       "FNxask2v3HjNVTB5ff"
>     ],
>     "dest_asname": "AppNexus, Inc",
>     "next_protocol": "http/1.1",
>     "type": "tls",
>     "version": "TLSv12",
>     "sni": "ib.adnxs.com",
>     "src_ip": "192.168.1.93",
>     "src_port": 58443,
>     "uid": "Cfc50Q1EnIW0GAYWch",
>     "dest_ip": "37.252.172.40",
>     "validation_status": "ok",
>     "resumed": false,
>     "ja3": "b20b44b18b853ef29ab773e921b03422",
>     "dest_port": 443,
>     "timestamp": "2018-12-16T17:16:44.801Z"
>   }
>
> next resumed true
>
> {
>     "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
>     "established": true,
>     "ja3s": "02bdc318d9f618eea3e10d0a7ba25ba0",
>     "dest_asname": "AppNexus, Inc",
>     "next_protocol": "http/1.1",
>     "type": "tls",
>     "version": "TLSv12",
>     "sni": "ib.adnxs.com",
>     "src_ip": "192.168.1.93",
>     "src_port": 58446,
>     "uid": "CyYQVc1FuxLDABqxpj",
>     "dest_ip": "37.252.172.40",
>     "resumed": true,
>     "ja3": "334da95730484a993c6063e36bc90a47",
>     "dest_port": 443,
>     "timestamp": "2018-12-16T17:16:45.071Z"
>   }
>
> Example 2
>
> resumed false
>
> {
>     "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
>     "established": true,
>     "client_cert_chain_fuids": "[]",
>     "curve": "secp256r1",
>     "issuerdn": "CN=DigiCert ECC Secure Server CA,O=DigiCert Inc,C=US",
>     "ja3s": "cabc8aadc20a64fa7156022319d177c0",
>     "subject": "CN=*.adnxs.com,O=AppNexus\\, Inc.,L=New York,ST=New
> York,C=US",
>     "cert_chain_fuids": [
>       "FCxxdLhSpJHRDMYv4",
>       "FYW4Fs3VrkciMfUhc6"
>     ],
>     "dest_asname": "AppNexus, Inc",
>     "next_protocol": "http/1.1",
>     "type": "tls",
>     "version": "TLSv12",
>     "sni": "secure.adnxs.com",
>     "src_ip": "192.168.1.93",
>     "src_port": 55912,
>     "uid": "CvUDsF40fhpESTJlLd",
>     "dest_ip": "37.252.172.40",
>     "validation_status": "ok",
>     "resumed": false,
>     "ja3": "5c118da645babe52f060d0754256a73c",
>     "dest_port": 443,
>     "timestamp": "2018-12-27T15:43:45.898Z"
>   }
>
> resumed true
> {
>     "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
>     "established": true,
>     "ja3s": "93174bff9e6f484d06ff9552fe757554",
>     "dest_asname": "AppNexus, Inc",
>     "type": "tls",
>     "version": "TLSv12",
>     "sni": "secure.adnxs.com",
>     "src_ip": "192.168.1.93",
>     "src_port": 55927,
>     "uid": "Ctr8MRZepl9Z0r6E6",
>     "dest_ip": "37.252.172.40",
>     "resumed": true,
>     "ja3": "7b1ac424884b798ca987e3e27b99d1a8",
>     "dest_port": 443,
>     "timestamp": "2018-12-27T15:43:46.019Z"
>   }
>
> Op 10-01-19 om 15:40 schreef Johanna Amann:
> > Hi Daniel,
> >
> > unless I am missing something, there should be no difference in the
> > signature of a resumed and a new connection for JA3. I don’t remember
> > them hashing anything in that has to do with session resumption.
> >
> > Johanna
> >
> >
> > On 10 Jan 2019, at 5:02, Daniel Guerra wrote:
> >
> >> Hi,
> >>
> >> I'm researching ja3 and ja3s tls signatures.
> >>
> >> With resumed tls connections there is no complete
> >>
> >> handshake etc. Does it make sense to calculate a ja3
> >>
> >> on resumed tls ?
> >>
> >> Regards,
> >>
> >> Daniel
> >>
> >> _______________________________________________
> >> Zeek mailing list
> >> zeek at zeek.org
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190110/4700c2be/attachment.html 


More information about the Zeek mailing list