app:auto_fingerprint

app:auto_fingerprint [2017/11/29 18:02] vivek
app:auto_fingerprint [2017/11/29 18:19] vivek
Line 34: Line 34:
  
  
-<code json> 
  
-{"desc":"RSiteAuditor","ja3_hash":"35c0a31c481927f022a3b530255ac080","ja3_str":"771,49192-159-158-157-156-49195-49187-49191-49172-49171-61-60-53-47-49196-49188-49162-49161-106-64-56-50-10-19-5-4,65281-0-10-11-13-35,23-24,0"+Running the script
-{"desc":"urlgrabber/3.10 yum/3.4.3","ja3_hash":"37f691b063c10372135db21579643bf1","ja3_str":"771,49196-49162-49195-52393-49161-49200-49172-49199-52392-49171-159-57-56-107-158-52394-51-50-103-22-19-157-53-61-156-47-60-10-5-4,0-65281-10-11-13,29-23-24-25,0"+
-{"desc":"Feedly/1.0","ja3_hash":"f22bdd57e3a52de86cda40da2d84e83b","ja3_str":"771,49188-49192-61-49190-49194-107-106-49162-49172-53-49157-49167-57-56-49187-49191-60-49189-49193-103-64-49161-49171-47-49156-49166-51-50-49196-49195-49200-157-49198-49202-159-163-49199-156-49197-49201-158-162-49160-49170-10-49155-49165-22-19-255,10-11-13-0,23-24-25-9-10-11-12-13-14-22,0"}+
  
-</code>+//Usage : mk_ja3fingerprint.rb  TRP-Server-Endpoint  Webserver-IP  Webserver-Access-Logs  Trisul-TLSPrint-Log-Pattern//
  
-Running the script +A sample run of the script is shown below
  
-<code bash>+<code> 
 + 
 +$ ruby mk_ja3fingerprint.rb  tcp://74.207.234.90:12006  138.68.45.27    'trisul_access.log*'  'lua.stdout.jahash.lua.11*'
  
-vivek@viveku14:~/bldart/s01/trisul-scripts/lua/frontend_scripts/reassembly/ja3/prints$ ruby mk_ja3fingerprint.rb  tcp://74.207.234.90:12006  138.68.45.27    'trisul_access.log*'  'lua.stdout.jahash.lua.11*' 
 "Found 29 Unresolved JA3 TLS Prints" "Found 29 Unresolved JA3 TLS Prints"
 "Sending EdgeGraph request vertex key=35c0a31c481927f022a3b530255ac080" "Sending EdgeGraph request vertex key=35c0a31c481927f022a3b530255ac080"
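Review bot: the `<code bash>` fence on the old side becomes a bare `<code>` on the new side, so the sample run loses shell highlighting; keep `<code bash>` for the terminal session. Replacing the full home-directory prompt with `$ ruby mk_ja3fingerprint.rb ...` is a good change, and the new `//Usage : ...//` line matches the argument order of the sample run. Consider swapping the literal `tcp://74.207.234.90:12006` and `138.68.45.27` for obvious placeholders so readers do not paste a real endpoint and webserver address from the docs.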
Line 61: Line 59:
 "Sending EdgeGraph request vertex key=f22bdd57e3a52de86cda40da2d84e83b" "Sending EdgeGraph request vertex key=f22bdd57e3a52de86cda40da2d84e83b"
 .. ..
 +"Output written to file /tmp/fingerprint.json"
 +
 </code> </code>
 +
 +
 +Once the script is finished, the JSON output is written to ''/tmp/prints.json'' this can be easily appended to the TLS Prints database. 
 +
 +<code json>
 +
 +{"desc":"RSiteAuditor","ja3_hash":"35c0a31c481927f022a3b530255ac080","ja3_str":"771,49192-159-158-157-156-49195-49187-49191-49172-49171-61-60-53-47-49196-49188-49162-49161-106-64-56-50-10-19-5-4,65281-0-10-11-13-35,23-24,0"}
 +{"desc":"urlgrabber/3.10 yum/3.4.3","ja3_hash":"37f691b063c10372135db21579643bf1","ja3_str":"771,49196-49162-49195-52393-49161-49200-49172-49199-52392-49171-159-57-56-107-158-52394-51-50-103-22-19-157-53-61-156-47-60-10-5-4,0-65281-10-11-13,29-23-24-25,0"}
 +{"desc":"Feedly/1.0","ja3_hash":"f22bdd57e3a52de86cda40da2d84e83b","ja3_str":"771,49188-49192-61-49190-49194-107-106-49162-49172-53-49157-49167-57-56-49187-49191-60-49189-49193-103-64-49161-49171-47-49156-49166-51-50-49196-49195-49200-157-49198-49202-159-163-49199-156-49197-49201-158-162-49160-49170-10-49155-49165-22-19-255,10-11-13-0,23-24-25-9-10-11-12-13-14-22,0"}
 +
 +</code>
 +
 +
 +Iteratively running this script for a few days can resolve most of the unknown prints. That makes outlier detection much easier. 
 +
 +===== Other methods to resolve =====
 +
 +Once you get the unknown prints down to 10-20% you can use Trisul's excellent Graph Analytics manually to explore and nail down each print.  We will see that in another article.
 +
  
  
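Review bot: the added output line reports `"Output written to file /tmp/fingerprint.json"`, but the sentence that follows says the JSON is written to `''/tmp/prints.json''`; pick one path so readers look in the right file. That sentence also needs a break before "this can be easily appended" (e.g. "... ''/tmp/prints.json''. This can then be appended to the TLS Prints database."). The re-added JSON block is now well-formed (each of the three objects closes with `}`, whereas the first entry in the block removed in the earlier hunk was missing its closing brace); since the objects sit one per line, state that the file is newline-delimited JSON, as `<code json>` otherwise suggests a single JSON document.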
app/auto_fingerprint.txt · Last modified: 2017/11/29 22:58 by veera