[Oisf-users] Issue Loading JA3 Signatures

Leonard Jacobs ljacobs at netsecuris.com
Fri Apr 3 02:39:09 UTC 2020


I am getting this when loading JA3 signatures.



<Warning> -- [ERRCODE: SC_WARN_NO_JA3_SUPPORT(308)] - no MD5 calculation support built in (LibNSS), disabling JA3
3/4/2020 -- 02:25:46 - <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /var/lib/suricata/rules/suricata.rules:2 uses unknown classtype: "command-and-control", using default priority 3. This message won't be shown again for this classtype
3/4/2020 -- 02:25:46 - <Error> -- [ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3 support is not enabled
3/4/2020 -- 02:25:46 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls any any -> any any (msg:"SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Gozi)"; ja3_hash; content:"c201b92f8b483fa388be174d6689f534"; reference:url, sslbl.abuse.ch/ja3-fingerprints/c201b92f8b483fa388be174d6689f534/; sid:906200006; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 441
3/4/2020 -- 02:26:00 - <Error> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
3/4/2020 -- 02:26:00 - <Error> -- Suricata test failed, aborting.
3/4/2020 -- 02:26:00 - <Error> -- Restoring previous rules.


I am not sure what this means: "no MD5 calculation support built in (LibNSS), disabling JA3"


I enabled JA3 in the suricata.yaml file.



app-layer:
  protocols:
    krb5:
      enabled: yes
    ikev2:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: 443


      # Generate JA3 fingerprint from client hello
      ja3-fingerprints: yes


      # What to do when the encrypted communications start:
      # - default: keep tracking TLS session, check for protocol anomalies,
      #            inspect tls_* keywords. Disables inspection of unmodified
      #            'content' signatures.
      # - bypass:  stop processing this flow as much as possible. No further
      #            TLS parsing and inspection. Offload flow bypass to kernel
      #            or hardware if possible.
      # - full:    keep tracking and inspection as normal. Unmodified content
      #            keyword signatures are inspected as well.
      #
      # For best performance, select 'bypass'.
      #
      encryption-handling: bypass


Running Suricata 5.0.2


Leonard
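The warning quoted above says JA3 was disabled because the build has no MD5 implementation (LibNSS). The reason MD5 matters is that a JA3 fingerprint is, by definition, the MD5 digest of a string assembled from ClientHello fields (TLS version, cipher suites, extension types, supported groups, EC point formats, with GREASE values dropped), so a `ja3_hash` rule like the one in the log can only match if the engine can compute that digest. The following Python is an added example, not code from the post or from the Suricata project: it builds a constructed ClientHello record, parses it back, and derives the JA3 string and hash. The sample field values (cipher suites, extensions, the `localhost` server name) are constructed for illustration.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from JA3 so that randomised padding
# does not change a client's fingerprint.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}

# Extension types whose contents feed into the JA3 string.
EXT_SUPPORTED_GROUPS = 0x000a
EXT_EC_POINT_FORMATS = 0x000b


def _u16_list(vals):
    return b"".join(struct.pack(">H", v) for v in vals)


def build_client_hello(version, ciphers, extensions):
    """Assemble a TLS record carrying a ClientHello (constructed test input).

    extensions is a list of (type, raw_data) tuples, in wire order.
    """
    body = struct.pack(">H", version) + b"\x00" * 32 + b"\x00"  # version, random, empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + _u16_list(ciphers)
    body += b"\x01\x00"  # one compression method: null
    ext_bytes = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def ja3_from_client_hello(record):
    """Parse a ClientHello record and return (ja3_string, ja3_md5_hex)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record containing a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]

    pos = 0
    version = struct.unpack_from(">H", body, pos)[0]
    pos += 2
    pos += 32  # client random, not part of JA3
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack_from(">H", body, pos)[0]
    pos += 2
    ciphers = [struct.unpack_from(">H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1 + comp_len

    ext_types, groups, formats = [], [], []
    if pos < len(body):  # extensions block is optional in a ClientHello
        ext_len = struct.unpack_from(">H", body, pos)[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack_from(">HH", body, pos)
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == EXT_SUPPORTED_GROUPS:
                n = struct.unpack_from(">H", data, 0)[0]
                groups = [struct.unpack_from(">H", data, 2 + i)[0] for i in range(0, n, 2)]
            elif etype == EXT_EC_POINT_FORMATS:
                n = data[0]
                formats = list(data[1:1 + n])

    def dash(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)

    ja3 = ",".join([str(version), dash(ciphers), dash(ext_types), dash(groups), dash(formats)])
    # This MD5 step is exactly what Suricata needs LibNSS for when ja3_hash is used.
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


# Constructed sample: TLS 1.2 ClientHello with one GREASE cipher and one GREASE extension.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x1a1a, 0x1301, 0xc02b, 0x002f],
    [
        (0x0a0a, b""),                                        # GREASE, must be dropped
        (0x0000, b"\x00\x0c\x00\x00\x09localhost"),           # server_name (constructed)
        (EXT_SUPPORTED_GROUPS, struct.pack(">H", 6) + _u16_list([0x1a1a, 0x001d, 0x0017])),
        (EXT_EC_POINT_FORMATS, b"\x01\x00"),                  # uncompressed only
        (0x0023, b""),                                        # session_ticket
    ],
)

if __name__ == "__main__":
    ja3_string, ja3_hash = ja3_from_client_hello(SAMPLE_HELLO)
    print(ja3_string)
    print(ja3_hash)
```

The sample yields the JA3 string `771,4865-49195-47,0-10-11-35,29-23,0`; the hash printed on the second line is the value a `ja3_hash; content:"..."` rule would have to carry. On the Suricata side, `suricata --build-info` lists the features the binary was compiled with, which is the quickest way to confirm whether the running build actually has JA3 (and the LibNSS dependency it needs) before debugging rule loading.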
