[Zeek] ja3 & ja3s with resumed tls

Daniel Guerra daniel.guerra69 at gmail.com
Thu Jan 10 18:04:08 PST 2019


So far...

First, I use a Mac with Firefox to generate the pcap (could be something).

The hashing uses the ssl extensions, cipher and version. The server extensions at the first connection contain all options the server can use, but on a resumed connection it uses only the negotiated extensions. For this reason the ja3s for a resumed false is different from a ja3s with resumed true. This is the same for clients.

If the extensions are stored when the tls connection resumed flag is false, they could be used for a resumed connection, after a check if one of the offered extensions is used..., to calculate the ja3s.


On 10-01-19 at 15:40, Johanna Amann wrote:
> Hi Daniel,
>
> unless I am missing something, there should be no difference in the
> signature of a resumed and a new connection for JA3. I don’t remember
> them hashing anything in that has to do with session resumption.
>
> Johanna
>
>
> On 10 Jan 2019, at 5:02, Daniel Guerra wrote:
>
>> Hi,
>>
>> I'm researching ja3 and ja3s tls signatures.
>>
>> With resumed tls connections there is no complete
>> handshake etc. Does it make sense to calculate a ja3
>> on resumed tls?
>>
>> Regards,
>>
>> Daniel
>>
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
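
The effect described at the top of this message, as an added example that is not part of the original post and is not Zeek or JA3 project code: it builds the JA3S string (version, cipher, extensions, MD5-hashed) for a full and a resumed ServerHello and reuses the stored full-handshake extensions for the resumed one. The `Ja3sNormalizer` helper, the sample values, and the reading of the proposed check as "same version and cipher, and every resumed extension was seen in the full handshake" are assumptions.

```python
import hashlib

def ja3s_string(version, cipher, extensions):
    """JA3S input string: version,cipher,ext1-ext2-... (decimal, wire order)."""
    return f"{version},{cipher},{'-'.join(str(e) for e in extensions)}"

def ja3s_hash(version, cipher, extensions):
    return hashlib.md5(ja3s_string(version, cipher, extensions).encode()).hexdigest()

class Ja3sNormalizer:
    """Hypothetical helper: remembers the full-handshake ServerHello per server."""

    def __init__(self):
        self._full = {}  # (server_ip, port) -> (version, cipher, extensions)

    def observe(self, server, version, cipher, extensions, resumed):
        """Return (raw_ja3s, normalized_ja3s) for one ServerHello."""
        raw = ja3s_hash(version, cipher, extensions)
        if not resumed:
            # Full handshake: store what the server sent and use it as-is.
            self._full[server] = (version, cipher, list(extensions))
            return raw, raw
        cached = self._full.get(server)
        # Assumed check: version and cipher match, and every extension in the
        # resumed ServerHello also appeared in the stored full handshake.
        if cached and cached[:2] == (version, cipher) and set(extensions) <= set(cached[2]):
            return raw, ja3s_hash(*cached)
        return raw, None  # nothing stored for this server, or it does not match

# Constructed sample values, not taken from a capture.
SERVER = ("192.0.2.10", 443)
FULL = dict(version=771, cipher=49199, extensions=[65281, 0, 11, 35, 16, 23])
RESUMED = dict(version=771, cipher=49199, extensions=[65281, 11, 16, 23])

def demo():
    n = Ja3sNormalizer()
    full_raw, full_norm = n.observe(SERVER, resumed=False, **FULL)
    res_raw, res_norm = n.observe(SERVER, resumed=True, **RESUMED)
    return full_raw, full_norm, res_raw, res_norm

if __name__ == "__main__":
    labels = ("full raw", "full normalized", "resumed raw", "resumed normalized")
    for label, value in zip(labels, demo()):
        print(f"{label:20} {value}")
```

A resumed connection whose full handshake was never observed gets no normalized value, so the raw hash should still be logged alongside it.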

