[Oisf-users] Issue Loading JA3 Signatures

Jason Ish jason.ish at oisf.net
Fri Apr 3 04:37:19 UTC 2020


Hi Leonard,

Check your "suricata --build-info". I'm guessing you're going to see
something like:

  libnss support:                          no
  libnspr support:                         no

If the libnss-devel package is installed when you build Suricata, this
will just be enabled with no work on your part.

On CentOS the required package is "libnss-devel", and on Ubuntu it is
"libnss3-dev".

Hope that helps,
Jason
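As an added example (not part of the thread or of Suricata itself), a small POSIX shell helper that reads the "libnss support" / "libnspr support" lines from `suricata --build-info` output, says whether JA3 will be enabled, and names the build dependency given above for CentOS and Ubuntu. The two sample build-info excerpts are constructed; the live `--live` mode assumes `suricata` is on PATH and `/etc/os-release` exists.

```shell
# Added example, not from the thread: parse "suricata --build-info" output
# for the two libraries JA3 needs and name the package the thread mentions.
# Both sample texts below are constructed; real output has many more lines.
SAMPLE_NO_NSS='  libnss support:                          no
  libnspr support:                         no
  libjansson support:                      yes'

SAMPLE_WITH_NSS='  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes'

# build_flag TEXT NAME -> prints the value after "NAME support:" (yes/no/empty)
build_flag() {
    printf '%s\n' "$1" | awk -v f="$2" '$1 == f && $2 == "support:" { print $NF }'
}

# ja3_ready TEXT -> exit 0 only when libnss and libnspr are both compiled in
ja3_ready() {
    [ "$(build_flag "$1" libnss)" = yes ] && [ "$(build_flag "$1" libnspr)" = yes ]
}

# nss_dev_package DISTRO_ID -> build dependency named in the thread for that distro
nss_dev_package() {
    case "$1" in
        centos) echo libnss-devel ;;
        ubuntu) echo libnss3-dev ;;
        *)      echo "unknown for '$1': install your distro's NSS development package" ;;
    esac
}

# report TEXT DISTRO_ID -> human-readable verdict; exit 0 if JA3 will work
report() {
    if ja3_ready "$1"; then
        echo "JA3 prerequisites present; ja3 rules will load"
        return 0
    fi
    echo "JA3 disabled: libnss/libnspr not compiled in (SC_WARN_NO_JA3_SUPPORT)"
    echo "Install $(nss_dev_package "$2") and rebuild Suricata"
    return 1
}

# With --live, inspect the installed binary; otherwise demonstrate on the sample.
if [ "${1:-}" = --live ]; then
    distro=$(. /etc/os-release 2>/dev/null && echo "$ID")
    report "$(suricata --build-info)" "${distro:-unknown}" || true
else
    report "$SAMPLE_NO_NSS" centos || true
fi
```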

On 2020-04-02 8:39 p.m., Leonard Jacobs wrote:
> I am getting this when loading JA3 signatures.
> 
> <Warning> -- [ERRCODE: SC_WARN_NO_JA3_SUPPORT(308)] - no MD5 calculation
> support built in (LibNSS), disabling JA3
> 3/4/2020 -- 02:25:46 - <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)]
> - signature at /var/lib/suricata/rules/suricata.rules:2 uses unknown
> classtype: "command-and-control", using default priority 3. This
> message won't be shown again for this classtype
> 3/4/2020 -- 02:25:46 - <Error> -- [ERRCODE: SC_WARN_JA3_DISABLED(309)] -
> ja3 support is not enabled
> 3/4/2020 -- 02:25:46 - <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls any
> any -> any any (msg:"SSLBL: Malicious JA3 SSL-Client Fingerprint
> detected (Gozi)"; ja3_hash;
> content:"c201b92f8b483fa388be174d6689f534"; reference:url,
> sslbl.abuse.ch/ja3-fingerprints/c201b92f8b483fa388be174d6689f534/;
> sid:906200006; rev:1;)" from file
> /var/lib/suricata/rules/suricata.rules at line 441
> 3/4/2020 -- 02:26:00 - <Error> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)]
> - Loading signatures failed.
> 3/4/2020 -- 02:26:00 - <Error> -- Suricata test failed, aborting.
> 3/4/2020 -- 02:26:00 - <Error> -- Restoring previous rules.
> 
> I am not sure what this means. no MD5 calculation support built in
> (LibNSS), disabling JA3
> 
> I enabled JA3 in suricata.yaml file.
> 
> app-layer:
>   protocols:
>     krb5:
>       enabled: yes
>     ikev2:
>       enabled: yes
>     tls:
>       enabled: yes
>       detection-ports:
>         dp: 443
> 
>       # Generate JA3 fingerprint from client hello
>       ja3-fingerprints: yes
> 
>       # What to do when the encrypted communications start:
>       # - default: keep tracking TLS session, check for protocol anomalies,
>       #            inspect tls_* keywords. Disables inspection of unmodified
>       #            'content' signatures.
>       # - bypass:  stop processing this flow as much as possible. No further
>       #            TLS parsing and inspection. Offload flow bypass to kernel
>       #            or hardware if possible.
>       # - full:    keep tracking and inspection as normal. Unmodified
> content
>       #            keyword signatures are inspected as well.
>       #
>       # For best performance, select 'bypass'.
>       #
>       encryption-handling: bypass
> 
> Running Suricata 5.0.2
> 
> Leonard
> 