[Zeek] ja3 & ja3s with resumed tls

Daniel Guerra daniel.guerra69 at gmail.com
Sat Jan 12 03:58:06 PST 2019


Hi,

I have made a change to the ja3s script. It stores the server extensions
in a table with the server_name. When a TLS connection is resumed it uses
the stored extensions.

Result: resumed TLS has the same ja3s as non-resumed.

Regards,

Daniel


ja3s.bro:

# This Bro script appends JA3S (JA3 Server) to ssl.log
# Version 1.0 (August 2018)
# This builds a fingerprint for the SSL Server Hello packet based on
# SSL/TLS version, cipher picked, and extensions used.
# Designed to be used in conjunction with JA3 to fingerprint SSL
# communication between clients and servers.
#
# Authors: John B. Althouse (jalthouse at salesforce.com) Jeff Atkinson
# (jatkinson at salesforce.com)
# Copyright (c) 2018, salesforce.com, inc.
# All rights reserved.
# Licensed under the BSD 3-Clause license.
# For full license text, see LICENSE.txt file in the repo root or
# https://opensource.org/licenses/BSD-3-Clause
#

module JA3_Server;

export {
    redef enum Log::ID += { LOG };
}

# Server extensions seen in a full (non-resumed) handshake, keyed by SNI.
type JA3SExtension: record {
    extensions:      string &default="" &log;
};

global ja3s_extension: table[string] of JA3SExtension;

type JA3Sstorage: record {
    server_version:     count &default=0 &log;
    server_cipher:      count &default=0 &log;
    server_extensions:  string &default="" &log;
    server_name:        string &default="" &log;
};

redef record connection += {
    ja3sfp: JA3Sstorage &optional;
};

redef record SSL::Info += {
    ja3s:            string &optional &log;
    # LOG FIELD VALUES #
    ja3s_version:    string &optional &log;
    ja3s_cipher:     string &optional &log;
    ja3s_extensions: string &optional &log;
};

const sep = "-";

event bro_init() {
    Log::create_stream(JA3_Server::LOG, [$columns=JA3Sstorage, $path="ja3sfp"]);
}

# Collect the extension codes the server sends, in order, joined by "-".
event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
{
    if ( ! c?$ja3sfp )
        c$ja3sfp = JA3Sstorage();
    if ( is_orig == F ) {
        if ( c$ja3sfp$server_extensions == "" )
            c$ja3sfp$server_extensions = cat(code);
        else
            c$ja3sfp$server_extensions = string_cat(c$ja3sfp$server_extensions, sep, cat(code));
    }
}

# Remember the SNI the client asked for and make sure a table slot exists for it.
event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec) &priority=5
{
    if ( ! c?$ja3sfp )
        c$ja3sfp = JA3Sstorage();
    if ( is_orig && |names| > 0 ) {
        c$ja3sfp$server_name = names[0];
        if ( c$ja3sfp$server_name !in ja3s_extension )
            ja3s_extension[c$ja3sfp$server_name] = JA3SExtension();
    }
}

@if ( Version::at_least("2.6") || ( Version::number == 20500 && Version::info$commit >= 944 ) )
event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=1
@else
event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=1
@endif
{
    if ( ! c?$ja3sfp )
        c$ja3sfp = JA3Sstorage();
    c$ja3sfp$server_version = version;
    c$ja3sfp$server_cipher = cipher;
    # Check whether the connection is resumed: the server echoed the session ID
    # the client offered (the base SSL script records it in c$ssl$session_id).
    if ( c$ssl?$session_id && c$ssl$session_id == bytestring_to_hexstr(session_id) ) {
        # Resumed connections only carry the negotiated extensions, so use the
        # extensions recorded from a full handshake with this host instead.
        if ( c$ja3sfp$server_name != "" && c$ja3sfp$server_name in ja3s_extension )
            if ( ja3s_extension[c$ja3sfp$server_name]$extensions != "" )
                c$ja3sfp$server_extensions = ja3s_extension[c$ja3sfp$server_name]$extensions;
    }
    else {
        # Store the extensions for this host if they are not empty.
        if ( c$ja3sfp$server_name != "" && c$ja3sfp$server_extensions != "" )
            ja3s_extension[c$ja3sfp$server_name] = JA3SExtension($extensions=c$ja3sfp$server_extensions);
    }
    local sep2 = ",";
    local ja3s_string = string_cat(cat(c$ja3sfp$server_version), sep2, cat(c$ja3sfp$server_cipher), sep2, c$ja3sfp$server_extensions);
    local ja3sfp_1 = md5_hash(ja3s_string);
    c$ssl$ja3s = ja3sfp_1;

    # LOG FIELD VALUES #
    c$ssl$ja3s_version = cat(c$ja3sfp$server_version);
    c$ssl$ja3s_cipher = cat(c$ja3sfp$server_cipher);
    c$ssl$ja3s_extensions = c$ja3sfp$server_extensions;
    #
    # FOR DEBUGGING #
    #print "JA3S: " + ja3sfp_1 + " Fingerprint String: " + ja3s_string;
}


On 11-01-19 at 02:39, John B. Althouse wrote:
> Hey Daniel! I can help here. So when a TLS session resumes there is
> still a Client Hello packet, however the details can be different in
> the resuming hello packet vs the original, producing a different JA3,
> which will produce a different response from the server and therefore
> a different JA3S. 
>
> Capturing this with JA3 is by design. There could be interesting
> unique qualities to the resumed negotiations vs the original that
> could assist in building more complex detections. The fact that Zeek
> is able to differentiate between new and resumed connections makes it
> so you can use this data however you want, or ignore it completely.
> The power of networking metadata is in your hands. 
>
> John Althouse 
>
> On Thu, Jan 10, 2019 at 7:28 PM Daniel Guerra
> <daniel.guerra69 at gmail.com> wrote:
>
>     Hi Johanna
>
>     I was thinking the same but after the results I became insecure
>     about this.
>     I have attached 2 examples.
>
>     Daniel
>
>     Example 1
>
>     resumed false
>
>     {
>         "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
>         "established": true,
>         "client_cert_chain_fuids": "[]",
>         "curve": "secp256r1",
>         "issuerdn": "CN=DigiCert ECC Secure Server CA,O=DigiCert Inc,C=US",
>         "ja3s": "7d3eb4120cd50e889bcd3f3783be0f82",
>         "subject": "CN=*.adnxs.com,O=AppNexus\\, Inc.,L=New York,ST=New York,C=US",
>         "cert_chain_fuids": [
>           "FwvSeKet5kqNoujSf",
>           "FNxask2v3HjNVTB5ff"
>         ],
>         "dest_asname": "AppNexus, Inc",
>         "next_protocol": "http/1.1",
>         "type": "tls",
>         "version": "TLSv12",
>         "sni": "ib.adnxs.com",
>         "src_ip": "192.168.1.93",
>         "src_port": 58443,
>         "uid": "Cfc50Q1EnIW0GAYWch",
>         "dest_ip": "37.252.172.40",
>         "validation_status": "ok",
>         "resumed": false,
>         "ja3": "b20b44b18b853ef29ab773e921b03422",
>         "dest_port": 443,
>         "timestamp": "2018-12-16T17:16:44.801Z"
>       }
>
>     next resumed true
>
>     {
>         "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
>         "established": true,
>         "ja3s": "02bdc318d9f618eea3e10d0a7ba25ba0",
>         "dest_asname": "AppNexus, Inc",
>         "next_protocol": "http/1.1",
>         "type": "tls",
>         "version": "TLSv12",
>         "sni": "ib.adnxs.com",
>         "src_ip": "192.168.1.93",
>         "src_port": 58446,
>         "uid": "CyYQVc1FuxLDABqxpj",
>         "dest_ip": "37.252.172.40",
>         "resumed": true,
>         "ja3": "334da95730484a993c6063e36bc90a47",
>         "dest_port": 443,
>         "timestamp": "2018-12-16T17:16:45.071Z"
>       }
>
>     Example 2
>
>     resumed false
>
>     {
>         "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
>         "established": true,
>         "client_cert_chain_fuids": "[]",
>         "curve": "secp256r1",
>         "issuerdn": "CN=DigiCert ECC Secure Server CA,O=DigiCert Inc,C=US",
>         "ja3s": "cabc8aadc20a64fa7156022319d177c0",
>         "subject": "CN=*.adnxs.com,O=AppNexus\\, Inc.,L=New York,ST=New York,C=US",
>         "cert_chain_fuids": [
>           "FCxxdLhSpJHRDMYv4",
>           "FYW4Fs3VrkciMfUhc6"
>         ],
>         "dest_asname": "AppNexus, Inc",
>         "next_protocol": "http/1.1",
>         "type": "tls",
>         "version": "TLSv12",
>         "sni": "secure.adnxs.com",
>         "src_ip": "192.168.1.93",
>         "src_port": 55912,
>         "uid": "CvUDsF40fhpESTJlLd",
>         "dest_ip": "37.252.172.40",
>         "validation_status": "ok",
>         "resumed": false,
>         "ja3": "5c118da645babe52f060d0754256a73c",
>         "dest_port": 443,
>         "timestamp": "2018-12-27T15:43:45.898Z"
>       }
>
>     resumed true
>     {
>         "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
>         "established": true,
>         "ja3s": "93174bff9e6f484d06ff9552fe757554",
>         "dest_asname": "AppNexus, Inc",
>         "type": "tls",
>         "version": "TLSv12",
>         "sni": "secure.adnxs.com",
>         "src_ip": "192.168.1.93",
>         "src_port": 55927,
>         "uid": "Ctr8MRZepl9Z0r6E6",
>         "dest_ip": "37.252.172.40",
>         "resumed": true,
>         "ja3": "7b1ac424884b798ca987e3e27b99d1a8",
>         "dest_port": 443,
>         "timestamp": "2018-12-27T15:43:46.019Z"
>       }
>
>     On 10-01-19 at 15:40, Johanna Amann wrote:
>     > Hi Daniel,
>     >
>     > unless I am missing something, there should be no difference in the
>     > signature of a resumed and a new connection for JA3. I don't remember
>     > them hashing anything in that has to do with session resumption.
>     >
>     > Johanna
>     >
>     >
>     > On 10 Jan 2019, at 5:02, Daniel Guerra wrote:
>     >
>     >> Hi,
>     >>
>     >> I'm researching ja3 and ja3s tls signatures.
>     >>
>     >> With resumed tls connections there is no complete
>     >>
>     >> handshake etc. Does it make sense to calculate a ja3
>     >>
>     >> on resumed tls ?
>     >>
>     >> Regards,
>     >>
>     >> Daniel
>     >>
>     >> _______________________________________________
>     >> Zeek mailing list
>     >> zeek at zeek.org
>     >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
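As an added illustration of the logic in Daniel's script (a Python model written for this page, not the Zeek script itself nor JA3S project code): it builds the JA3S input the same way the script does (decimal version, decimal cipher, extension codes joined by "-", then MD5), and caches the server extensions of each full handshake per SNI so that a later resumed session to the same host hashes to the same JA3S. The SNI, version, cipher and extension codes are constructed sample values, and the session-ID comparison the script performs is replaced by a plain `resumed` flag.

```python
import hashlib

# Constructed sample values (not taken from the thread): TLS 1.2 is 771 and
# TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 is 49195, both printed in decimal
# as the script's cat() does; the extension codes are the IANA numbers for
# renegotiation_info, server_name, session_ticket and ALPN.
TLS12 = 771
ECDHE_ECDSA_AES128_GCM = 49195
FULL_HANDSHAKE_EXT = [65281, 0, 35, 16]   # server hello of a full handshake
RESUMED_EXT = [65281, 35]                 # server hello of a resumed session


def ja3s_string(version, cipher, extensions):
    """Build the JA3S input as the script does: version,cipher,ext-ext-..."""
    return "%d,%d,%s" % (version, cipher, "-".join(str(e) for e in extensions))


def ja3s_hash(version, cipher, extensions):
    """JA3S fingerprint = MD5 of the JA3S input string."""
    return hashlib.md5(ja3s_string(version, cipher, extensions).encode()).hexdigest()


class ResumptionAwareJA3S:
    """Model of Daniel's change: remember the server extensions of each full
    handshake per SNI and reuse them when that host resumes a session."""

    def __init__(self):
        self.stored = {}  # SNI -> extension list seen in a full handshake

    def server_hello(self, sni, version, cipher, extensions, resumed):
        if resumed:
            # A resumed hello only carries the negotiated extensions; if no
            # full handshake was ever seen for this SNI, keep what was sent.
            extensions = self.stored.get(sni) or extensions
        elif sni and extensions:
            self.stored[sni] = list(extensions)
        return ja3s_hash(version, cipher, extensions)


def compare(sni="ib.example.test"):
    """Return (plain JA3S pair, resumption-aware JA3S pair) for a full
    handshake followed by a resumption to the same host."""
    plain = (ja3s_hash(TLS12, ECDHE_ECDSA_AES128_GCM, FULL_HANDSHAKE_EXT),
             ja3s_hash(TLS12, ECDHE_ECDSA_AES128_GCM, RESUMED_EXT))
    fp = ResumptionAwareJA3S()
    aware = (fp.server_hello(sni, TLS12, ECDHE_ECDSA_AES128_GCM, FULL_HANDSHAKE_EXT, False),
             fp.server_hello(sni, TLS12, ECDHE_ECDSA_AES128_GCM, RESUMED_EXT, True))
    return plain, aware
```

The plain pair differs (the two log records in the thread show exactly that), the aware pair matches the full-handshake value; a resumed session to an SNI never seen in a full handshake falls back to the negotiated extensions, as in the script.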