app:auto_fingerprint
Differences
This shows you the differences between two versions of the page.
Next revision | Previous revision | ||
app:auto_fingerprint [2017/11/29 17:00] – created vivek | app:auto_fingerprint [2017/11/29 22:58] (current) – [Web Server Access Log] veera | ||
---|---|---|---|
Line 2: | Line 2: | ||
- | TLS Fingerprinting is still in its early days therefore the coverage of known prints is not too deep. The Trisul [[app: | + | TLS Fingerprinting is still in its early days therefore the coverage of known prints is not too deep. The Trisul [[app: |
- | Internally we use a Ruby TRP script that can automate this process. The script is available at [[https:// | ||
- | ===== How this works ===== | + | ===== Resolving TLS Fingerprints ===== |
+ | |||
+ | Some of the techniques of resolving unknown fingerprints | ||
+ | |||
+ | - If you have access to a Web Server log - Look at the '' | ||
+ | - If not, see if you can find a '' | ||
+ | - Look at Hosts using the fingerprint, | ||
+ | |||
+ | |||
+ | |||
+ | ===== Web Server Access Log ===== | ||
+ | |||
+ | Internally we use a Ruby TRP script that can automate this process if given access to web server logs. The script is available on Github at [[https:// | ||
+ | |||
+ | |||
+ | |||
+ | The script isnt too complicated. It works in the following way. | ||
+ | |||
+ | |||
+ | - Connects and gets list of unresolved JA3 TLS Prints in a 24 hour period. | ||
+ | - For Each unresolved print | ||
+ | - Use Graph Analytics to get list of Hosts using it | ||
+ | - Look for the Host in the Web Server Access log and pick out the first User-Agent | ||
+ | - Look for the print in the TLS Print App log - this contains the print and the Print String | ||
+ | - Print it out in JSON format | ||
+ | |||
+ | |||
+ | |||
+ | Running the script. | ||
+ | |||
+ | //Usage : mk_ja3fingerprint.rb | ||
+ | |||
+ | A sample run of the script is shown below | ||
+ | |||
+ | < | ||
+ | |||
+ | $ ruby mk_ja3fingerprint.rb | ||
+ | |||
+ | "Found 29 Unresolved JA3 TLS Prints" | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | .. | ||
+ | " | ||
+ | |||
+ | </ | ||
+ | |||
+ | |||
+ | Once the script is finished, the JSON output is written to ''/ | ||
+ | |||
+ | <code json> | ||
+ | |||
+ | {" | ||
+ | {" | ||
+ | {" | ||
+ | |||
+ | </ | ||
+ | |||
+ | |||
+ | Iteratively running this script for a few days can resolve most of the unknown prints. That makes outlier detection much easier. | ||
+ | |||
+ | ===== Other methods to resolve ===== | ||
+ | |||
+ | Once you get the unknown prints down to 10-20% you can use Trisul' | ||
+ | |||
+ | |||
+ | |||
+ | |||
app/auto_fingerprint.1511955023.txt.gz · Last modified: 2017/11/29 17:00 by vivek