app:auto_fingerprint

Differences

This shows you the differences between two versions of the page.

app:auto_fingerprint [2017/11/29 18:05] vivekapp:auto_fingerprint [2017/11/29 18:19] vivek
Line 35: Line 35:
  
  
-Running the script +Running the script
  
-<code bash>+//Usage : mk_ja3fingerprint.rb  TRP-Server-Endpoint  Webserver-IP  Webserver-Access-Logs  Trisul-TLSPrint-Log-Pattern// 
 + 
 +A sample run of the script is shown below 
 + 
 +<code>
  
 $ ruby mk_ja3fingerprint.rb  tcp://74.207.234.90:12006  138.68.45.27    'trisul_access.log*'  'lua.stdout.jahash.lua.11*' $ ruby mk_ja3fingerprint.rb  tcp://74.207.234.90:12006  138.68.45.27    'trisul_access.log*'  'lua.stdout.jahash.lua.11*'
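Review bot: The new usage line is set in italics (//Usage : ...//) rather than monospace, and it never says that the last two arguments are patterns; the sample run only shows this implicitly by passing them quoted, as in 'trisul_access.log*'. Suggest moving the usage line into its own code block and adding one sentence that the log arguments are given as quoted patterns, so the shell does not expand them before the script sees them. The opening tag also changes from <code bash> to <code>, which drops the language tag for the sample run; keep <code bash> unless that was intentional.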
Line 60: Line 64:
  
  
-The output is written to ''/tmp/prints.json'' this can be easily appended to the TLS Prints database.  +Once the script is finished, the JSON output is written to ''/tmp/prints.json'' this can be easily appended to the TLS Prints database. 
  
 <code json> <code json>
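Review bot: The rewritten sentence is still a run-on at "''/tmp/prints.json'' this can be easily appended"; end the sentence after the path and start a new one with "This can be appended to the TLS Prints database." Because the output goes to a fixed file name under /tmp, the text should also say whether a rerun overwrites or extends that file, and it is worth noting that on a multi-user host a fixed /tmp path can be read or pre-created by other local users before the contents are merged into the database.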
Line 73: Line 76:
  
 Iteratively running this script for a few days can resolve most of the unknown prints. That makes outlier detection much easier.  Iteratively running this script for a few days can resolve most of the unknown prints. That makes outlier detection much easier. 
 +
 +===== Other methods to resolve =====
 +
 +Once you get the unknown prints down to 10-20% you can use Trisul's excellent Graph Analytics manually to explore and nail down each print.  We will see that in another article.
 +
  
  
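Review bot: The new heading "Other methods to resolve" does not say what is being resolved; "Other methods to resolve unknown prints" would match the paragraph just above it. "We will see that in another article" is a forward reference with no link, so either link the article or drop the sentence until it exists. The "10-20%" figure would also read better with its base stated (percent of all observed prints), and the two extra blank lines added after the paragraph can go.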
app/auto_fingerprint.txt · Last modified: 2017/11/29 22:58 by veera