<html><head></head><body>I am getting this when loading JA3 signatures.<div><br></div><div>
<div>&lt;Warning&gt; -- [ERRCODE: SC_WARN_NO_JA3_SUPPORT(308)] - no MD5 calculation support built in (LibNSS), disabling JA3</div>
<div>3/4/2020 -- 02:25:46 - &lt;Warning&gt; -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /var/lib/suricata/rules/suricata.rules:2 uses unknown classtype: "command-and-control", using default priority 3. This message won't be shown again for this classtype</div>
<div>3/4/2020 -- 02:25:46 - &lt;Error&gt; -- [ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3 support is not enabled</div>
<div>3/4/2020 -- 02:25:46 - &lt;Error&gt; -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls any any -> any any (msg:"SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Gozi)"; ja3_hash; content:"c201b92f8b483fa388be174d6689f534"; reference:url, sslbl.abuse.ch/ja3-fingerprints/c201b92f8b483fa388be174d6689f534/; sid:906200006; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 441</div>
<div>3/4/2020 -- 02:26:00 - &lt;Error&gt; -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.</div>
<div>3/4/2020 -- 02:26:00 - &lt;Error&gt; -- Suricata test failed, aborting.</div>
<div>3/4/2020 -- 02:26:00 - &lt;Error&gt; -- Restoring previous rules.</div>
<div><br></div>
<div>I am not sure what this means: "no MD5 calculation support built in (LibNSS), disabling JA3".</div>
<div><br></div>
<div>I enabled JA3 in the suricata.yaml file.</div>
<div><br></div>
<div><pre>app-layer:
  protocols:
    krb5:
      enabled: yes
    ikev2:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: 443

      # Generate JA3 fingerprint from client hello
      ja3-fingerprints: yes

      # What to do when the encrypted communications start:
      # - default: keep tracking TLS session, check for protocol anomalies,
      #            inspect tls_* keywords. Disables inspection of unmodified
      #            'content' signatures.
      # - bypass:  stop processing this flow as much as possible. No further
      #            TLS parsing and inspection. Offload flow bypass to kernel
      #            or hardware if possible.
      # - full:    keep tracking and inspection as normal. Unmodified content
      #            keyword signatures are inspected as well.
      #
      # For best performance, select 'bypass'.
      #
      encryption-handling: bypass</pre></div>
<div><br></div>
<div>Running Suricata 5.0.2</div>
<div><br></div>
<div>Leonard</div><br><br></div></body></html>