app:auto_fingerprint
Differences
app:auto_fingerprint [2017/11/29 17:57] – [Automatically resolving unknown TLS Fingerprints] vivek | app:auto_fingerprint [2017/11/29 22:58] (current) – [Web Server Access Log] veera | ||
---|---|---|---|
Line 10: | Line 10: | ||
Some of the techniques of resolving unknown fingerprints | Some of the techniques of resolving unknown fingerprints | ||
- | - Look at the '' | + | |
- | - See if you can find a '' | + | - If not, see if you can find a '' |
- | - Look at Hosts using the print, see if you can detect a pattern or an application. Many web scanners, bots, and applications like Git, Dropbox can be detected this way. | + | - Look at Hosts using the fingerprint, see if you can detect a pattern or an application. Many web scanners, bots, and applications like Git, Dropbox can be detected this way. |
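Review bot: the rewritten first step (the `+` side of the first list item) is blank in this view, while the second step now opens with "If not", so the condition it falls back from cannot be checked; make sure the first step still tells the reader what to look at before the "If not" fallback applies. The "print" to "fingerprint" change in the third step is consistent with the page title and worth keeping; the unchanged intro line "Some of the techniques of resolving unknown fingerprints" reads better as "Some techniques for resolving unknown fingerprints".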
Line 19: | Line 19: | ||
- | Internally we use a Ruby TRP script that can automate this process if given access to web server logs. The script is available at [[https:// | + | Internally we use a Ruby TRP script that can automate this process if given access to web server logs. The script is available |
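Review bot: the new sentence stops at "The script is available" and the `[[https://` link from the previous revision no longer appears, so readers lose the pointer to where `mk_ja3fingerprint.rb` lives; keep the link (or a path) in the sentence. Also, "Ruby TRP script" is fine only if TRP is expanded earlier on the page; otherwise spell it out on first use.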
Line 35: | Line 35: | ||
- | {" | + | Running the script. |
- | {" | + | |
- | {" | + | |
+ | //Usage : mk_ja3fingerprint.rb | ||
+ | |||
+ | A sample run of the script is shown below | ||
+ | |||
+ | < | ||
+ | |||
+ | $ ruby mk_ja3fingerprint.rb | ||
- | vivek@viveku14: | ||
"Found 29 Unresolved JA3 TLS Prints" | "Found 29 Unresolved JA3 TLS Prints" | ||
" | " | ||
Line 54: | Line 58: | ||
" | " | ||
" | " | ||
+ | .. | ||
+ | " | ||
+ | |||
+ | </ | ||
+ | |||
+ | |||
+ | Once the script is finished, the JSON output is written to ''/ | ||
+ | |||
+ | <code json> | ||
+ | |||
+ | {" | ||
+ | {" | ||
+ | {" | ||
+ | |||
+ | </ | ||
+ | |||
+ | |||
+ | Iteratively running this script for a few days can resolve most of the unknown prints. That makes outlier detection much easier. | ||
+ | |||
+ | ===== Other methods to resolve ===== | ||
+ | |||
+ | Once you get the unknown prints down to 10-20% you can use Trisul' | ||
+ | |||
+ | |||
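Review bot: the JSON output path after "written to" is truncated to `''/` in this revision, so the reader cannot find the file; spell the full path out, and say whether the script overwrites or appends, since the next paragraph tells the reader to run it for several days. "Can resolve most of the unknown prints" is a soft claim; the script already prints a count ("Found 29 Unresolved JA3 TLS Prints"), so suggest telling the reader to watch that number fall across runs as the success metric. The new "Other methods to resolve" section ends mid-sentence at "Trisul'", so the method it introduces once unknowns are down to 10-20% is not stated; finish the sentence. Minor: after the "print" to "fingerprint" rename in the first hunk, this hunk still says "prints" throughout, so the page now mixes both terms.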
app/auto_fingerprint.1511958454.txt.gz · Last modified: 2017/11/29 17:57 by vivek