app:auto_fingerprint: comparing revision [2017/11/29 18:02] by vivek with revision [2017/11/29 18:05] by vivek
Line 34: Line 34:
  
  
-<code json> 
- 
-{"desc":"RSiteAuditor","ja3_hash":"35c0a31c481927f022a3b530255ac080","ja3_str":"771,49192-159-158-157-156-49195-49187-49191-49172-49171-61-60-53-47-49196-49188-49162-49161-106-64-56-50-10-19-5-4,65281-0-10-11-13-35,23-24,0"} 
-{"desc":"urlgrabber/3.10 yum/3.4.3","ja3_hash":"37f691b063c10372135db21579643bf1","ja3_str":"771,49196-49162-49195-52393-49161-49200-49172-49199-52392-49171-159-57-56-107-158-52394-51-50-103-22-19-157-53-61-156-47-60-10-5-4,0-65281-10-11-13,29-23-24-25,0"} 
-{"desc":"Feedly/1.0","ja3_hash":"f22bdd57e3a52de86cda40da2d84e83b","ja3_str":"771,49188-49192-61-49190-49194-107-106-49162-49172-53-49157-49167-57-56-49187-49191-60-49189-49193-103-64-49161-49171-47-49156-49166-51-50-49196-49195-49200-157-49198-49202-159-163-49199-156-49197-49201-158-162-49160-49170-10-49155-49165-22-19-255,10-11-13-0,23-24-25-9-10-11-12-13-14-22,0"} 
- 
-</code> 
  
 Running the script  Running the script 
  
-<code bash>+<code> 
 + 
 +$ ruby mk_ja3fingerprint.rb  tcp://74.207.234.90:12006  138.68.45.27    'trisul_access.log*'  'lua.stdout.jahash.lua.11*'
  
-vivek@viveku14:~/bldart/s01/trisul-scripts/lua/frontend_scripts/reassembly/ja3/prints$ ruby mk_ja3fingerprint.rb  tcp://74.207.234.90:12006  138.68.45.27    'trisul_access.log*'  'lua.stdout.jahash.lua.11*' 
 "Found 29 Unresolved JA3 TLS Prints" "Found 29 Unresolved JA3 TLS Prints"
 "Sending EdgeGraph request vertex key=35c0a31c481927f022a3b530255ac080" "Sending EdgeGraph request vertex key=35c0a31c481927f022a3b530255ac080"
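Review bot: the fence at the top of this hunk is downgraded from ''<code bash>'' to a bare ''<code>'', which drops shell highlighting for the command that follows; keep ''<code bash>''. Replacing the ''vivek@viveku14:~/.../prints$'' prompt with a plain ''$ ruby mk_ja3fingerprint.rb ...'' line is the right change, but the four positional arguments (''tcp://74.207.234.90:12006'', ''138.68.45.27'', ''trisul_access.log*'', ''lua.stdout.jahash.lua.11*'') are not explained anywhere in the hunk; a one-line gloss of each just before the code block would let a reader adapt the command to their own probe and log names. Moving the three-record ''<code json>'' sample out of this spot is fine provided it reappears after the run output rather than being dropped.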
Line 61: Line 55:
 "Sending EdgeGraph request vertex key=f22bdd57e3a52de86cda40da2d84e83b" "Sending EdgeGraph request vertex key=f22bdd57e3a52de86cda40da2d84e83b"
 .. ..
 +"Output written to file /tmp/fingerprint.json"
 +
 </code> </code>
 +
 +
 +The output is written to ''/tmp/prints.json'' this can be easily appended to the TLS Prints database. 
 +
 +
 +<code json>
 +
 +{"desc":"RSiteAuditor","ja3_hash":"35c0a31c481927f022a3b530255ac080","ja3_str":"771,49192-159-158-157-156-49195-49187-49191-49172-49171-61-60-53-47-49196-49188-49162-49161-106-64-56-50-10-19-5-4,65281-0-10-11-13-35,23-24,0"}
 +{"desc":"urlgrabber/3.10 yum/3.4.3","ja3_hash":"37f691b063c10372135db21579643bf1","ja3_str":"771,49196-49162-49195-52393-49161-49200-49172-49199-52392-49171-159-57-56-107-158-52394-51-50-103-22-19-157-53-61-156-47-60-10-5-4,0-65281-10-11-13,29-23-24-25,0"}
 +{"desc":"Feedly/1.0","ja3_hash":"f22bdd57e3a52de86cda40da2d84e83b","ja3_str":"771,49188-49192-61-49190-49194-107-106-49162-49172-53-49157-49167-57-56-49187-49191-60-49189-49193-103-64-49161-49171-47-49156-49166-51-50-49196-49195-49200-157-49198-49202-159-163-49199-156-49197-49201-158-162-49160-49170-10-49155-49165-22-19-255,10-11-13-0,23-24-25-9-10-11-12-13-14-22,0"}
 +
 +</code>
 +
 +
 +Iteratively running this script for a few days can resolve most of the unknown prints. That makes outlier detection much easier. 
  
  
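Review bot: the run output added in this hunk prints "Output written to file /tmp/fingerprint.json" while the new prose two lines later says the output is written to ''/tmp/prints.json''; one of the two paths is wrong and they should match. The sentence "The output is written to ''/tmp/prints.json'' this can be easily appended to the TLS Prints database." also runs two clauses together; suggest "The output is written to ''/tmp/prints.json''; it can then be appended to the TLS Prints database." Finally, "appended" implies no de-duplication: since the closing line says the script is re-run for several days, the text should say whether the script or the operator is expected to skip prints whose ''ja3_hash'' is already in the database, otherwise each run adds a duplicate record for every print it resolved before.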
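The prints file is one JSON object per line with ''desc'', ''ja3_hash'' and ''ja3_str'' keys. The following Ruby is an added example, not the page's ''mk_ja3fingerprint.rb'' and not Trisul code: it splits a JA3 string into its five fields (TLS version, cipher suites, extensions, elliptic curves, point formats), checks that each record's ''ja3_hash'' is the MD5 of its ''ja3_str'' (which is how the JA3 hash is defined), and merges a freshly written prints file into an existing database keyed by hash so that re-running the resolver for several days does not append duplicates. The function names, the ''EXISTING_DB_TEXT'' / ''INCOMING_TEXT'' inputs and the sample JA3 strings are constructed for the example; their hashes are computed in the code so the sample records are self-consistent, and one record is deliberately corrupted to show the validation path.

```ruby
require 'json'
require 'digest'

# Split a JA3 string into its five comma-separated fields. Every field after the
# version is a dash-separated list of decimal values; an empty list is allowed.
def parse_ja3_str(ja3_str)
  fields = ja3_str.split(',', -1)
  raise ArgumentError, "expected 5 fields, got #{fields.size}" unless fields.size == 5
  version, ciphers, exts, curves, formats = fields
  to_list = ->(f) { f.empty? ? [] : f.split('-').map(&:to_i) }
  {
    version: version.to_i,
    ciphers: to_list.call(ciphers),
    extensions: to_list.call(exts),
    curves: to_list.call(curves),
    point_formats: to_list.call(formats)
  }
end

# The JA3 hash is the hex MD5 digest of the JA3 string.
def ja3_hash_for(ja3_str)
  Digest::MD5.hexdigest(ja3_str)
end

# Read the one-JSON-object-per-line format, ignoring blank lines.
def parse_prints(text)
  text.each_line.map(&:strip).reject(&:empty?).map { |line| JSON.parse(line) }
end

# A print is usable only if it carries all three keys, its hash matches its
# string, and the string itself has the expected five-field shape.
def valid_print?(rec)
  return false unless %w[desc ja3_hash ja3_str].all? { |k| rec[k].is_a?(String) }
  return false unless rec['ja3_hash'] == ja3_hash_for(rec['ja3_str'])
  parse_ja3_str(rec['ja3_str'])
  true
rescue ArgumentError
  false
end

# Merge newly resolved prints into the existing database, keyed by ja3_hash.
# Returns [merged_records, added, rejected]; an existing description is never
# overwritten, so a hash seen on an earlier run is not duplicated or renamed.
def merge_prints(existing, incoming)
  db = existing.each_with_object({}) { |r, h| h[r['ja3_hash']] = r }
  added = []
  rejected = []
  incoming.each do |rec|
    if !valid_print?(rec)
      rejected << rec
    elsif !db.key?(rec['ja3_hash'])
      db[rec['ja3_hash']] = rec
      added << rec
    end
  end
  [db.values, added, rejected]
end

# Serialise back to one object per line, ready to replace the prints file.
def to_prints_text(records)
  records.map { |r| JSON.generate(r) }.join("\n") + "\n"
end

# Constructed sample data (assumption, not taken from the page): hashes are
# computed here so the records are self-consistent; the last one is corrupted.
SAMPLE_STR_A = '771,49192-159-158-157,65281-0-10-11-13-35,23-24,0'
SAMPLE_STR_B = '771,49196-49162-49195,0-65281-10-11-13,29-23-24-25,0'

EXISTING_DB_TEXT = JSON.generate(
  'desc' => 'known-client', 'ja3_hash' => ja3_hash_for(SAMPLE_STR_A), 'ja3_str' => SAMPLE_STR_A
) + "\n"

INCOMING_TEXT = [
  JSON.generate('desc' => 'duplicate-of-known', 'ja3_hash' => ja3_hash_for(SAMPLE_STR_A), 'ja3_str' => SAMPLE_STR_A),
  JSON.generate('desc' => 'new-client', 'ja3_hash' => ja3_hash_for(SAMPLE_STR_B), 'ja3_str' => SAMPLE_STR_B),
  JSON.generate('desc' => 'corrupt', 'ja3_hash' => '0' * 32, 'ja3_str' => SAMPLE_STR_B)
].join("\n") + "\n"

# Summarise one merge of the sample inputs: how many records remain, which
# descriptions were added, and which incoming records were rejected.
def demo
  merged, added, rejected = merge_prints(parse_prints(EXISTING_DB_TEXT), parse_prints(INCOMING_TEXT))
  { merged: merged.size, added: added.map { |r| r['desc'] }, rejected: rejected.map { |r| r['desc'] } }
end

if __FILE__ == $PROGRAM_NAME
  puts demo.inspect
  merged, = merge_prints(parse_prints(EXISTING_DB_TEXT), parse_prints(INCOMING_TEXT))
  puts to_prints_text(merged)
end
```

Run as ''ruby merge_prints.rb'' (file name is an assumption): the duplicate is skipped, the new client is added, and the record whose hash does not match its string is rejected instead of poisoning the database, which matters because a wrong ''ja3_hash'' would never match a real Client Hello and the print would silently stay "unresolved".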
app/auto_fingerprint.txt · Last modified: 2017/11/29 22:58 by veera