[Zeek] ja3 & ja3s with resumed tls
Daniel Guerra
daniel.guerra69 at gmail.com
Sat Jan 12 03:58:06 PST 2019
Hi,

I have made a change to the ja3s script. It stores the server extensions
in a table with the server_name. When a TLS connection is resumed it uses
the stored extensions.
Result: resumed TLS has the same ja3s as non-resumed.

Regards,
Daniel
ja3s.bro:

# This Bro script appends JA3S (JA3 Server) to ssl.log
# Version 1.0 (August 2018)
# This builds a fingerprint for the SSL Server Hello packet based on
# SSL/TLS version, cipher picked, and extensions used.
# Designed to be used in conjunction with JA3 to fingerprint SSL
# communication between clients and servers.
#
# Authors: John B. Althouse (jalthouse at salesforce.com) Jeff Atkinson
# (jatkinson at salesforce.com)
# Copyright (c) 2018, salesforce.com, inc.
# All rights reserved.
# Licensed under the BSD 3-Clause license.
# For full license text, see LICENSE.txt file in the repo root or
# https://opensource.org/licenses/BSD-3-Clause
#

module JA3_Server;

export {
    redef enum Log::ID += { LOG };
}

# Server extensions seen in a full (non-resumed) handshake, keyed by the
# client's SNI. Resumed handshakes carry fewer extensions, so the cached
# set is reused for them. Note: entries in this table are never expired.
type JA3SExtension: record {
    extensions: string &default="" &log;
};

global ja3s_extension: table[string] of JA3SExtension;

type JA3Sstorage: record {
    server_version:    count  &default=0  &log;
    server_cipher:     count  &default=0  &log;
    server_extensions: string &default="" &log;
    server_name:       string &default="" &log;
};

redef record connection += {
    ja3sfp: JA3Sstorage &optional;
};

redef record SSL::Info += {
    ja3s: string &optional &log;
    # LOG FIELD VALUES #
    ja3s_version:    string &optional &log;
    ja3s_cipher:     string &optional &log;
    ja3s_extensions: string &optional &log;
};

const sep = "-";

event bro_init() {
    Log::create_stream(JA3_Server::LOG, [$columns=JA3Sstorage, $path="ja3sfp"]);
}

# Collect the extension codes the server sends, in wire order, joined by "-".
event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
{
    if ( ! c?$ja3sfp )
        c$ja3sfp = JA3Sstorage();
    if ( is_orig == F ) {
        if ( c$ja3sfp$server_extensions == "" ) {
            c$ja3sfp$server_extensions = cat(code);
        }
        else {
            c$ja3sfp$server_extensions = string_cat(c$ja3sfp$server_extensions, sep, cat(code));
        }
    }
}

# Remember the client's SNI; it is the key of the per-host extension cache.
event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec) &priority=5
{
    if ( ! c?$ja3sfp )
        c$ja3sfp = JA3Sstorage();
    if ( is_orig && |names| > 0 ) {
        c$ja3sfp$server_name = names[0];
        if ( c$ja3sfp$server_name !in ja3s_extension )
            ja3s_extension[c$ja3sfp$server_name] = JA3SExtension();
    }
}

@if ( Version::at_least("2.6") || ( Version::number == 20500 && Version::info$commit >= 944 ) )
event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=1
@else
event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=1
@endif
{
    if ( ! c?$ja3sfp )
        c$ja3sfp = JA3Sstorage();
    c$ja3sfp$server_version = version;
    c$ja3sfp$server_cipher = cipher;

    # Check whether the connection is resumed: the server echoed the
    # session id the client offered.
    if ( c$ssl?$session_id && c$ssl$session_id == bytestring_to_hexstr(session_id) ) {
        # Use the extensions of a non-resumed handshake with this host;
        # resumed connections carry only the negotiated extensions.
        if ( c$ja3sfp$server_name != "" && c$ja3sfp$server_name in ja3s_extension ) {
            if ( ja3s_extension[c$ja3sfp$server_name]$extensions != "" )
                c$ja3sfp$server_extensions = ja3s_extension[c$ja3sfp$server_name]$extensions;
        }
    }
    else {
        # Store the extensions for this host if the set is not empty.
        if ( c$ja3sfp$server_name != "" && c$ja3sfp$server_extensions != "" )
            ja3s_extension[c$ja3sfp$server_name]$extensions = c$ja3sfp$server_extensions;
    }

    local sep2 = ",";
    local ja3s_string = string_cat(cat(c$ja3sfp$server_version), sep2, cat(c$ja3sfp$server_cipher), sep2, c$ja3sfp$server_extensions);
    local ja3sfp_1 = md5_hash(ja3s_string);
    c$ssl$ja3s = ja3sfp_1;

    # LOG FIELD VALUES #
    c$ssl$ja3s_version = cat(c$ja3sfp$server_version);
    c$ssl$ja3s_cipher = cat(c$ja3sfp$server_cipher);
    c$ssl$ja3s_extensions = c$ja3sfp$server_extensions;
    #
    # FOR DEBUGGING #
    #print "JA3S: "+ja3sfp_1+" Fingerprint String: "+ja3s_string;
}
On 11-01-19 at 02:39, John B. Althouse wrote:
> Hey Daniel! I can help here. So when a TLS session resumes there is
> still a Client Hello packet, however the details can be different in
> the resuming hello packet vs the original, producing a different JA3,
> which will produce a different response from the server and therefore
> a different JA3S.
>
> Capturing this with JA3 is by design. There could be interesting
> unique qualities to the resumed negotiations vs the original that
> could assist in building more complex detections. The fact that Zeek
> is able to differentiate between new and resumed connections makes it
> so you can use this data however you want, or ignore it completely.
> The power of networking metadata is in your hands.
>
> John Althouse
>
> On Thu, Jan 10, 2019 at 7:28 PM Daniel Guerra
> <daniel.guerra69 at gmail.com> wrote:
>
> Hi Johanna
>
> I was thinking the same but after the results I became insecure
> about this.
> I have attached 2 examples.
>
> Daniel
>
> Example 1
>
> resumed false
>
> {
> "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
> "established": true,
> "client_cert_chain_fuids": "[]",
> "curve": "secp256r1",
> "issuerdn": "CN=DigiCert ECC Secure Server CA,O=DigiCert Inc,C=US",
> "ja3s": "7d3eb4120cd50e889bcd3f3783be0f82",
> "subject": "CN=*.adnxs.com,O=AppNexus\\, Inc.,L=New York,ST=New York,C=US",
> "cert_chain_fuids": [
> "FwvSeKet5kqNoujSf",
> "FNxask2v3HjNVTB5ff"
> ],
> "dest_asname": "AppNexus, Inc",
> "next_protocol": "http/1.1",
> "type": "tls",
> "version": "TLSv12",
> "sni": "ib.adnxs.com",
> "src_ip": "192.168.1.93",
> "src_port": 58443,
> "uid": "Cfc50Q1EnIW0GAYWch",
> "dest_ip": "37.252.172.40",
> "validation_status": "ok",
> "resumed": false,
> "ja3": "b20b44b18b853ef29ab773e921b03422",
> "dest_port": 443,
> "timestamp": "2018-12-16T17:16:44.801Z"
> }
>
> next resumed true
>
> {
> "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
> "established": true,
> "ja3s": "02bdc318d9f618eea3e10d0a7ba25ba0",
> "dest_asname": "AppNexus, Inc",
> "next_protocol": "http/1.1",
> "type": "tls",
> "version": "TLSv12",
> "sni": "ib.adnxs.com",
> "src_ip": "192.168.1.93",
> "src_port": 58446,
> "uid": "CyYQVc1FuxLDABqxpj",
> "dest_ip": "37.252.172.40",
> "resumed": true,
> "ja3": "334da95730484a993c6063e36bc90a47",
> "dest_port": 443,
> "timestamp": "2018-12-16T17:16:45.071Z"
> }
>
> Example 2
>
> resumed false
>
> {
> "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
> "established": true,
> "client_cert_chain_fuids": "[]",
> "curve": "secp256r1",
> "issuerdn": "CN=DigiCert ECC Secure Server CA,O=DigiCert Inc,C=US",
> "ja3s": "cabc8aadc20a64fa7156022319d177c0",
> "subject": "CN=*.adnxs.com,O=AppNexus\\, Inc.,L=New York,ST=New York,C=US",
> "cert_chain_fuids": [
> "FCxxdLhSpJHRDMYv4",
> "FYW4Fs3VrkciMfUhc6"
> ],
> "dest_asname": "AppNexus, Inc",
> "next_protocol": "http/1.1",
> "type": "tls",
> "version": "TLSv12",
> "sni": "secure.adnxs.com",
> "src_ip": "192.168.1.93",
> "src_port": 55912,
> "uid": "CvUDsF40fhpESTJlLd",
> "dest_ip": "37.252.172.40",
> "validation_status": "ok",
> "resumed": false,
> "ja3": "5c118da645babe52f060d0754256a73c",
> "dest_port": 443,
> "timestamp": "2018-12-27T15:43:45.898Z"
> }
>
> resumed true
> {
> "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
> "established": true,
> "ja3s": "93174bff9e6f484d06ff9552fe757554",
> "dest_asname": "AppNexus, Inc",
> "type": "tls",
> "version": "TLSv12",
> "sni": "secure.adnxs.com",
> "src_ip": "192.168.1.93",
> "src_port": 55927,
> "uid": "Ctr8MRZepl9Z0r6E6",
> "dest_ip": "37.252.172.40",
> "resumed": true,
> "ja3": "7b1ac424884b798ca987e3e27b99d1a8",
> "dest_port": 443,
> "timestamp": "2018-12-27T15:43:46.019Z"
> }
>
> On 10-01-19 at 15:40, Johanna Amann wrote:
> > Hi Daniel,
> >
> > unless I am missing something, there should be no difference in the
> > signature of a resumed and a new connection for JA3. I don't remember
> > them hashing anything in that has to do with session resumption.
> >
> > Johanna
> >
> >
> > On 10 Jan 2019, at 5:02, Daniel Guerra wrote:
> >
> >> Hi,
> >>
> >> I'm researching ja3 and ja3s tls signatures.
> >>
> >> With resumed tls connections there is no complete handshake etc.
> >> Does it make sense to calculate a ja3 on resumed tls ?
> >>
> >> Regards,
> >> Daniel
> >>
> >> _______________________________________________
> >> Zeek mailing list
> >> zeek at zeek.org
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
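The resumption handling in the ja3s.bro script at the top of this thread, reduced to its core idea as an added Python example (not code from the list or from the JA3 project): the JA3S string and MD5 are built the same way the script does, and a per-SNI cache of extensions from full handshakes is substituted into later resumed handshakes. All server-hello records, the SERVER_HELLOS name and the helper functions are constructed for the example.

```python
import hashlib

# Constructed server-hello summaries (not real captures): uid, client SNI,
# TLS version, cipher, server extension codes in wire order, resumed flag.
# 771 = TLS 1.2, 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
SERVER_HELLOS = [
    ("C1", "ib.adnxs.com", 771, 49195, [65281, 11, 16, 23], False),
    ("C2", "ib.adnxs.com", 771, 49195, [65281, 23], True),
    # resumed, but no full handshake to this SNI was observed first
    ("C3", "secure.adnxs.com", 771, 49195, [65281, 23], True),
]


def ja3s_string(version, cipher, extensions):
    """Raw JA3S string as the script builds it: 'version,cipher,ext-ext-...'."""
    return "%d,%d,%s" % (version, cipher, "-".join(str(e) for e in extensions))


def ja3s_hash(raw):
    """JA3S is the MD5 of the raw string (a fingerprint, not a security hash)."""
    return hashlib.md5(raw.encode("ascii")).hexdigest()


def fingerprint_all(hellos, reuse_cached):
    """Return {uid: ja3s}. With reuse_cached=True this mirrors the script:
    extensions from a full handshake are cached per SNI and substituted
    into any later resumed handshake to the same SNI; with False each
    handshake is fingerprinted on exactly what the server sent."""
    cache = {}
    results = {}
    for uid, sni, version, cipher, exts, resumed in hellos:
        if not resumed:
            if sni and exts:          # the script only caches non-empty sets
                cache[sni] = list(exts)
        elif reuse_cached and cache.get(sni):
            exts = cache[sni]         # no cache entry: fall back to what was sent
        results[uid] = ja3s_hash(ja3s_string(version, cipher, exts))
    return results


if __name__ == "__main__":
    for mode in (False, True):
        print("reuse_cached=%s: %s" % (mode, fingerprint_all(SERVER_HELLOS, mode)))
```

The substituted value describes the cached full handshake rather than the bytes the resumed server hello actually carried, which is the trade-off John describes above; logging the resumed flag alongside the fingerprint keeps both interpretations available.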