From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] suricata: Automatically enable JA3 fingerprinting.
Date: Tue, 27 Oct 2020 12:54:08 +0000
In-Reply-To: <4f5cdabfc604c9e0ea3bf103586e3545f4f66110.camel@ipfire.org>

Hello Stefan,

okay. I merged this into next which will eventually become Core Update 153.

Everyone, please test and send feedback :)

Best,
-Michael

> On 27 Oct 2020, at 11:06, Stefan Schantl wrote:
>
> Hello Michael,
>
> this change is not tested very well (I only tested on my productive
> system and got no errors), so there is definitely more testing that should
> be done until we can ship it.
>
> I'd suggest to bundle it with suricata 6 so we have more time for
> testing and collecting feedback.
>
> Best regards,
>
> -Stefan
>> Good morning Stefan,
>>
>> Thanks for submitting this patch.
>>
>> Is this tested and peer-reviewed and should this be merged into c152
>> with suricata 5.0.4, or is this to be merged with suricata 6?
>>
>> Best,
>> -Michael
>>
>>> On 27 Oct 2020, at 09:49, Stefan Schantl wrote:
>>>
>>> Enable JA3 fingerprinting if any rules are enabled which are using
>>> this kind of feature.
>>>
>>> Fixes #12507.
>>>
>>> Signed-off-by: Stefan Schantl
>>> ---
>>> config/suricata/suricata.yaml | 4 +---
>>> 1 file changed, 1 insertion(+), 3 deletions(-)
>>>
>>> diff --git a/config/suricata/suricata.yaml >>> b/config/suricata/suricata.yaml >>> index 743a4716c..4e9e39967 100644 >>> --- a/config/suricata/suricata.yaml >>> +++ b/config/suricata/suricata.yaml
>>> @@ -387,9 +387,7 @@ app-layer: >>>=20 >>> # Generate JA3 fingerprint from client hello. If not >>> specified it >>> # will be disabled by default, but enabled if rules require >>> it. >>> - #ja3-fingerprints: auto >>> - # Generate JA3 fingerprint from client hello >>> - ja3-fingerprints: no >>> + ja3-fingerprints: auto >>>=20 >>> # Completely stop processing TLS/SSL session after the >>> handshake >>> # completed. If bypass is enabled this will also trigger flow >>> --=20 >>> 2.20.1 >>>=20 >=20 --===============7989496862787871787==--
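Review bot: The comment kept above the new `ja3-fingerprints: auto` line still describes what happens when the option is "not specified", which no longer matches a file that now sets the value explicitly. Reword it to say what `auto` does (the JA3 fingerprint is generated from the client hello only when enabled rules require it), so that someone who later switches the value back to `no` knows that rules depending on JA3 stop being served. The commit message would also benefit from one line on how the change was tested, since the hunk alters TLS handling in the shipped default configuration.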