Enable JA3 fingerprinting if any rules are enabled which are using this kind of feature.
Fixes #12507.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- config/suricata/suricata.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 743a4716c..4e9e39967 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -387,9 +387,7 @@ app-layer:
# Generate JA3 fingerprint from client hello. If not specified it # will be disabled by default, but enabled if rules require it. - #ja3-fingerprints: auto - # Generate JA3 fingerprint from client hello - ja3-fingerprints: no + ja3-fingerprints: auto
# Completely stop processing TLS/SSL session after the handshake # completed. If bypass is enabled this will also trigger flow
Good morning Stefan,
Thanks for submitting this patch.
Is this tested and peer-reviewed and should this be merged into c152 with suricata 5.0.4, or is this to be merged with suricata 6?
Best, -Michael
On 27 Oct 2020, at 09:49, Stefan Schantl stefan.schantl@ipfire.org wrote:
Enable JA3 fingerprinting if any rules are enabled which are using this kind of feature.
Fixes #12507.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/suricata/suricata.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 743a4716c..4e9e39967 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -387,9 +387,7 @@ app-layer:
# Generate JA3 fingerprint from client hello. If not specified it # will be disabled by default, but enabled if rules require it.
#ja3-fingerprints: auto# Generate JA3 fingerprint from client helloja3-fingerprints: no
ja3-fingerprints: auto # Completely stop processing TLS/SSL session after the handshake # completed. If bypass is enabled this will also trigger flow-- 2.20.1
Hello Michael,
this change is not tested very well (I only tested on my productive system and got no errors), so there are definitely more testing should be done until we can ship them.
I'd suggest to bundle it with suricata 6 so we have more time for testing and collecting feedback.
Best regards,
-Stefan
Good morning Stefan,
Thanks for submitting this patch.
Is this tested and peer-reviewed and should this be merged into c152 with suricata 5.0.4, or is this to be merged with suricata 6?
Best, -Michael
On 27 Oct 2020, at 09:49, Stefan Schantl <stefan.schantl@ipfire.org
wrote:
Enable JA3 fingerprinting if any rules are enabled which are using this kind of feature.
Fixes #12507.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/suricata/suricata.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 743a4716c..4e9e39967 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -387,9 +387,7 @@ app-layer:
# Generate JA3 fingerprint from client hello. If notspecified it # will be disabled by default, but enabled if rules require it.
#ja3-fingerprints: auto# Generate JA3 fingerprint from client helloja3-fingerprints: no
ja3-fingerprints: auto # Completely stop processing TLS/SSL session after thehandshake # completed. If bypass is enabled this will also trigger flow -- 2.20.1
Hello Stefan,
okay. I merged this into next which will eventually become Core Update 153.
Everyone, please test and send feedback :)
Best, -Michael
On 27 Oct 2020, at 11:06, Stefan Schantl stefan.schantl@ipfire.org wrote:
Hello Michael,
this change is not tested very well (I only tested on my productive system and got no errors), so there are definitely more testing should be done until we can ship them.
I'd suggest to bundle it with suricata 6 so we have more time for testing and collecting feedback.
Best regards,
-Stefan
Good morning Stefan,
Thanks for submitting this patch.
Is this tested and peer-reviewed and should this be merged into c152 with suricata 5.0.4, or is this to be merged with suricata 6?
Best, -Michael
On 27 Oct 2020, at 09:49, Stefan Schantl <stefan.schantl@ipfire.org
wrote:
Enable JA3 fingerprinting if any rules are enabled which are using this kind of feature.
Fixes #12507.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/suricata/suricata.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 743a4716c..4e9e39967 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -387,9 +387,7 @@ app-layer:
# Generate JA3 fingerprint from client hello. If notspecified it # will be disabled by default, but enabled if rules require it.
#ja3-fingerprints: auto# Generate JA3 fingerprint from client helloja3-fingerprints: no
ja3-fingerprints: auto# Completely stop processing TLS/SSL session after the
handshake # completed. If bypass is enabled this will also trigger flow -- 2.20.1
-
Michael Tremer -
Stefan Schantl