From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH] suricata: Automatically enable JA3 fingerprinting. Date: Tue, 27 Oct 2020 09:54:30 +0000 Message-ID: In-Reply-To: <20201027094931.2921-1-stefan.schantl@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4963377344988354939==" List-Id: --===============4963377344988354939== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Good morning Stefan, Thanks for submitting this patch. Is this tested and peer-reviewed and should this be merged into c152 with sur= icata 5.0.4, or is this to be merged with suricata 6? Best, -Michael > On 27 Oct 2020, at 09:49, Stefan Schantl wrot= e: >=20 > Enable JA3 fingerprinting if any rules are enabled which are using this > kind of feature. >=20 > Fixes #12507. >=20 > Signed-off-by: Stefan Schantl > --- > config/suricata/suricata.yaml | 4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) >=20 > diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml > index 743a4716c..4e9e39967 100644 > --- a/config/suricata/suricata.yaml > +++ b/config/suricata/suricata.yaml > @@ -387,9 +387,7 @@ app-layer: >=20 > # Generate JA3 fingerprint from client hello. If not specified it > # will be disabled by default, but enabled if rules require it. > - #ja3-fingerprints: auto > - # Generate JA3 fingerprint from client hello > - ja3-fingerprints: no > + ja3-fingerprints: auto >=20 > # Completely stop processing TLS/SSL session after the handshake > # completed. If bypass is enabled this will also trigger flow > --=20 > 2.20.1 >=20 --===============4963377344988354939==--