Differences

This shows you the differences between two versions of the page.

--- app:auto_fingerprint [2017/11/29 18:05] – vivek
+++ app:auto_fingerprint [2017/11/29 22:58] (current) – [Web Server Access Log] veera
@@ Line 19: / Line 19: @@
-Internally we use a Ruby TRP script that can automate this process if given access to web server logs. The script is available at [[https://github.com/trisulnsm/trisul-scripts/tree/master/lua/frontend_scripts/reassembly/ja3/prints|mk_ja3print.rb]]
+Internally we use a Ruby TRP script that can automate this process if given access to web server logs. The script is available on Github at [[https://github.com/trisulnsm/trisul-scripts/tree/master/lua/frontend_scripts/reassembly/ja3/prints|mk_ja3print.rb]]
@@ Line 35: / Line 35: @@
-Running the script
+Running the script.
+//Usage : mk_ja3fingerprint.rb  TRP-Server-Endpoint  Webserver-IP  Webserver-Access-Logs  Trisul-TLSPrint-Log-Pattern//
+A sample run of the script is shown below
 <code>
@@ Line 60: / Line 64: @@
-The output is written to ''/tmp/prints.json'' this can be easily appended to the TLS Prints database.
+Once the script is finished, the JSON output is written to ''/tmp/prints.json'' this can be easily appended to the TLS Prints database.
 <code json>
@@ Line 73: / Line 76: @@
 Iteratively running this script for a few days can resolve most of the unknown prints. That makes outlier detection much easier.
+===== Other methods to resolve =====
+Once you get the unknown prints down to 10-20% you can use Trisul's excellent Graph Analytics manually to explore and nail down each print.  We will see that in another article.