app:tlsfingerprint (revision 2018/03/04 13:27 by veera; previous revision 2017/11/28 23:54 by veera)
~~Title: TLS Fingerprinting using Trisul ~~

====== TLS Fingerprinter ======
  
===== What is TLS Fingerprinting =====
  
This technique builds upon the patterns found in the preferences that are advertised in the "Client Hello" message, which the client sends as the very first message of the TLS handshake. This message is unencrypted, so NSM tools like Trisul can inspect it (TLS 1.3 still sends the Client Hello in the clear, so the approach carries over). Every SSL/TLS client uses a particular version of a particular SSL/TLS library, and each library has its own defaults for what it advertises. Some major implementations are OpenSSL, GnuTLS, Windows SChannel, Java JSSE, NSS, WolfSSL etc.
  
The 3 major fields in the Client Hello that can identify a client are
So if you take all three together there is a high likelihood that you minimise collisions and identify a particular client on a particular operating system. If you print out the values of these fields, join them into a single string and compute an MD5 hash over it, you get a 'fingerprint'. We call this a //JA3 hash//, as proposed by John Althouse and team at Salesforce. MD5 is fine here: the hash is only a compact key for the print, not a security primitive.
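To make the construction concrete, here is an added example of computing the JA3 print in Python. It is not code from this page or from the Trisul app; it follows the published JA3 definition, which uses five Client Hello fields (version, cipher suites, extension types, supported groups/elliptic curves and EC point formats), writes each value in decimal, joins values with '-' and fields with ',' and takes the MD5 of that string, dropping GREASE values so a browser's randomised filler does not change the hash. The Client Hello bytes are constructed inline by a small builder, not captured from a network.

```python
import hashlib
import struct

# GREASE values (RFC 8701): browsers inject random ones into the cipher,
# extension and group lists, so JA3 drops them before hashing.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _u16s(buf):
    """Decode a byte string as a list of big-endian 16-bit integers."""
    return list(struct.unpack('!%dH' % (len(buf) // 2), buf))


def parse_client_hello(record):
    """Parse one TLS record carrying a ClientHello.

    Returns (version, ciphers, extension_types, curves, point_formats),
    which are exactly the fields JA3 is built from.
    """
    if record[0] != 0x16:
        raise ValueError("not a TLS Handshake record")
    rec_len = struct.unpack('!H', record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], 'big')
    body = hs[4:4 + hs_len]

    pos = 0
    version = struct.unpack('!H', body[pos:pos + 2])[0]
    pos += 2
    pos += 32                                   # client random
    pos += 1 + body[pos]                        # session id
    cs_len = struct.unpack('!H', body[pos:pos + 2])[0]
    pos += 2
    ciphers = _u16s(body[pos:pos + cs_len])
    pos += cs_len
    pos += 1 + body[pos]                        # compression methods

    extensions, curves, point_formats = [], [], []
    if pos < len(body):                         # extensions are optional (old clients omit them)
        ext_len = struct.unpack('!H', body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack('!HH', body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            extensions.append(etype)
            if etype == 0x000a:                 # supported_groups (elliptic_curves)
                n = struct.unpack('!H', edata[:2])[0]
                curves = _u16s(edata[2:2 + n])
            elif etype == 0x000b:               # ec_point_formats
                point_formats = list(edata[1:1 + edata[0]])
    return version, ciphers, extensions, curves, point_formats


def ja3_string(record):
    """Build the JA3 string: five comma-separated fields, '-'-joined inside."""
    version, ciphers, exts, curves, pfs = parse_client_hello(record)

    def fmt(values, drop_grease=True):
        return "-".join(str(v) for v in values if not (drop_grease and v in GREASE))

    return ",".join([str(version), fmt(ciphers), fmt(exts), fmt(curves), fmt(pfs, False)])


def ja3_hash(record):
    """The JA3 print is the MD5 of the JA3 string (a lookup key, not a security hash)."""
    return hashlib.md5(ja3_string(record).encode('ascii')).hexdigest()


def build_client_hello(version, ciphers, extensions):
    """Assemble a TLS record with a ClientHello (constructed test input only)."""
    body = struct.pack('!H', version) + bytes(32) + b'\x00'     # random, empty session id
    body += struct.pack('!H', 2 * len(ciphers)) + b''.join(struct.pack('!H', c) for c in ciphers)
    body += b'\x01\x00'                                           # one compression method: null
    ext_blob = b''.join(struct.pack('!HH', t, len(d)) + d for t, d in extensions)
    body += struct.pack('!H', len(ext_blob)) + ext_blob
    hs = b'\x01' + len(body).to_bytes(3, 'big') + body
    return b'\x16\x03\x01' + struct.pack('!H', len(hs)) + hs


# Constructed sample: a browser-like hello with a GREASE entry in each list.
SNI = b'\x00\x0e\x00\x00\x0bexample.com'          # server_name list: one host_name entry
GROUPS = b'\x00\x06\x0a\x0a\x00\x1d\x00\x17'      # GREASE, x25519, secp256r1
POINT_FORMATS = b'\x01\x00'                       # uncompressed only
SAMPLE_HELLO = build_client_hello(
    0x0303, [0x1a1a, 0x1301, 0xc02b, 0xc02f, 0x009c],
    [(0x0000, SNI), (0x000a, GROUPS), (0x000b, POINT_FORMATS), (0x0017, b''), (0xaaaa, b'')])
# The same client without GREASE: must yield the same print.
SAMPLE_HELLO_NO_GREASE = build_client_hello(
    0x0303, [0x1301, 0xc02b, 0xc02f, 0x009c],
    [(0x0000, SNI), (0x000a, b'\x00\x04\x00\x1d\x00\x17'), (0x000b, POINT_FORMATS), (0x0017, b'')])

if __name__ == '__main__':
    print(ja3_string(SAMPLE_HELLO))   # 771,4865-49195-49199-156,0-10-11-23,29-23,0
    print(ja3_hash(SAMPLE_HELLO))
```

The two constructed hellos differ only by GREASE entries and hash to the same print, which is the property you want when matching browsers. On a real capture you feed the TLS record bytes of the first client segment to ''ja3_hash''; a Client Hello that spans several TCP segments (common with long extension lists) needs reassembly first, which is why the Trisul app sits on the TCP reassembly handler.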
  
At first this approach may seem a bit flaky, but it is not easy for an application to change its //print// dynamically without a major code rewrite: the print comes from the TLS library and the way the application configures it, so it only changes when one of those does. We currently have about 300 hashes, largely due to Lee Brotherston's effort. We at Trisul also added some 50-60 new prints.
  
<note>
Further reading:
  * [[https://github.com/synackpse|Lee Brotherston's work]] on TLS Fingerprinting
  * [[https://blog.squarelemon.com/tls-fingerprinting/|Square Lemon blog TLS Fingerprinting]]
  * [[https://github.com/salesforce/ja3|JA3 Hash]]
</note>
==== Fingerprints database ====
  
The fingerprints database in our [[https://raw.githubusercontent.com/trisulnsm/trisul-scripts/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json|Github repo]] contains some 450 signatures in a JSON file, one print per line. If you capture the JA3 hash ''d82cbe0b93f2b02d490a14f6bc1d421a'' on a live network you can flag it as ''PaleMoon Browser 27.4.2''.
  
<code>
</code>
  
  
  
==== Analysis of TLS Fingerprints ====
    
There are two actionable things you can do with these prints:

  * **Malware prints** : These are hard to come by, but if you can get a few prints from malware clients you can flag them quickly. Such clients will likely evade a signature IDS because they use TLS to connect to presumably well-known C&C servers with valid certificates. Keep in mind that a print identifies a TLS library and its configuration rather than a program, so a malware print that matches a common library will also match benign software built on it; treat a hit as a lead, not as proof.
  * **Anomaly detection** : If you track known prints, you can build a large database over a period of time. After that, prints that have never been seen before can be sent into a "triage state" where a human can look into them.
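As an added example of the baseline-then-triage flow (not part of this page or the Trisul app), the Python below learns a profile of prints from a constructed print log up to a cut-off, routes prints first seen after the cut-off into a triage table with the context an analyst needs (first seen, count, source IPs, SNIs), raises alerts for a malware list, and lets the analyst promote a triaged print into the baseline once it is labelled. The log line format, every hash and the malware entry are made up for the example.

```python
from datetime import datetime, timezone

# Constructed sample print log. The line format
# "<ISO-8601 time> <source ip> <ja3 hash> <sni or ->" is assumed for this
# example and is not the Trisul app's own log format.
PRINT_LOG = """\
2018-03-01T09:00:00+00:00 10.1.1.10 0f1e2d3c4b5a69788796a5b4c3d2e1f0 mail.example.com
2018-03-01T09:05:00+00:00 10.1.1.11 0f1e2d3c4b5a69788796a5b4c3d2e1f0 www.example.com
2018-03-01T10:00:00+00:00 10.1.1.12 11112222333344445555666677778888 cdn.example.net
2018-03-02T08:30:00+00:00 10.1.1.10 0f1e2d3c4b5a69788796a5b4c3d2e1f0 www.example.com
2018-03-03T02:11:00+00:00 10.1.1.40 99998888777766665555444433332222 -
2018-03-03T02:12:00+00:00 10.1.1.40 99998888777766665555444433332222 -
2018-03-03T09:10:00+00:00 10.1.1.41 deadbeefdeadbeefdeadbeefdeadbeef -
2018-03-03T09:15:00+00:00 10.1.1.12 11112222333344445555666677778888 cdn.example.net
"""

# Hypothetical malware print list; the hash and family name are made up.
MALWARE_PRINTS = {"deadbeefdeadbeefdeadbeefdeadbeef": "example-family (constructed)"}

# End of the learning period: everything up to here defines "normal".
LEARN_UNTIL = datetime(2018, 3, 2, 23, 59, 59, tzinfo=timezone.utc)


def parse_print_log(text):
    """Yield (time, src_ip, ja3, sni) tuples from the assumed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, ja3, sni = line.split()
            yield datetime.fromisoformat(ts), ip, ja3, sni


def _touch(table, ja3, t, ip, sni):
    """Record one sighting of a print in the given table."""
    entry = table.setdefault(ja3, {'first_seen': t, 'last_seen': t, 'count': 0,
                                   'src_ips': set(), 'snis': set()})
    entry['first_seen'] = min(entry['first_seen'], t)
    entry['last_seen'] = max(entry['last_seen'], t)
    entry['count'] += 1
    entry['src_ips'].add(ip)
    entry['snis'].add(sni)


def profile_prints(log_text, learn_until=LEARN_UNTIL, malware=MALWARE_PRINTS):
    """Learn a baseline of prints, then route later, never-seen prints to triage.

    Returns (known, triage, alerts):
      known  - baseline: ja3 -> first/last seen, count, source IPs, SNIs
      triage - same shape, for prints first seen after learn_until
      alerts - (time, ip, ja3, sni, label) for prints on the malware list
    """
    known, triage, alerts = {}, {}, []
    for t, ip, ja3, sni in parse_print_log(log_text):
        if ja3 in malware:
            alerts.append((t, ip, ja3, sni, malware[ja3]))
        if t <= learn_until or ja3 in known:
            _touch(known, ja3, t, ip, sni)     # baseline keeps growing for known prints
        else:
            _touch(triage, ja3, t, ip, sni)    # unseen after the cut-off: human review
    return known, triage, alerts


def promote(known, triage, ja3, label):
    """An analyst resolved a triaged print: move it into the baseline under a label."""
    entry = triage.pop(ja3)
    entry['label'] = label
    known[ja3] = entry
    return entry


if __name__ == '__main__':
    known, triage, alerts = profile_prints(PRINT_LOG)
    for ja3, e in triage.items():
        print("TRIAGE", ja3, e['count'], sorted(e['src_ips']), sorted(e['snis']))
    for a in alerts:
        print("ALERT", *a)
```

The second sighting of the known print after the cut-off stays in the baseline, while the two never-seen prints land in triage with the SNI and source-IP context; a print with no SNI from a single internal host to an external address is exactly the kind of entry worth a human look. In production the learning period is long (the page suggests months), and the baseline should be persisted rather than rebuilt per run.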
  
===== How the TrisulNSM App works =====
  
The TLS Print app is written in LuaJIT and plugs into the TrisulNSM Scripting Engine. The source code for the App is available on the [[https://github.com/trisulnsm/apps/tree/master/analyzers/tls-print|Github trisulnsm/apps repo]]. Essentially it uses the [[https://www.trisul.org/docs/lua/reassembly.html|"TCP Reassembly Handler"]] Lua script type, parses the Client Hello messages, constructs the JA3 fingerprints and pushes them back into the Trisul streaming pipeline.
  
The app generates the following pieces of info:

  - **Metrics** : The app generates metrics for each TLS-Print it finds. If the print is a known one, it also updates the label. You can do long term trend analysis to see when each print was seen over the past few months.
  - **Graph Analytics** : When a Print is seen, the edge vertices, namely the IP Flow Tuples and the SNI (Server Name Indication) extension, are added.
  - **Alerts** : Right now we do not have many Malware prints, but when we do have them, the App can generate an alert.
  
  
When you reveal adjacent vertices in [[https://www.trisul.org/docs/ug/edges/index.html|Trisul EDGE]] you will see vertices of all types. One of the vertex types is **User-Agent**; others are TLS Cert, Country, ASN etc. We were lucky to find a single User Agent in the same time interval as Semrush, which happens to be an SEO bot. So this **TLS Print can be pegged to the SEMRUSH Bot**. You can then go to the Key Dashboard and set the label to //resolve the previously unknown TLS Print//. Time adjacency is circumstantial evidence, so check that a few more flows with this print line up with the same User-Agent before committing the label.
  
===== Programmatically resolving TLS Prints =====
  
This App dumps all fingerprints, along with the parameters used to compute them (the JA3 string), into a log file. This allows us to programmatically resolve unknown fingerprints. We released a TRP Ruby script to [[app:auto_fingerprint|programmatically resolve TLS Prints using Web Server Access Logs]].
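An added example of the correlation idea, in Python rather than the TRP Ruby script this page links to: it joins a constructed print log with a constructed Apache combined-format access log of the same HTTPS vhost, by client IP and a time window, and proposes a User-Agent label only when every sighting of a print agrees on one UA. The print-log line format and all hashes except one are assumptions for the example; the one known print is the PaleMoon entry from this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed print log; the "<ISO-8601 time> <client ip> <ja3 hash> <sni>"
# line format is an assumption for this example, not the app's own format.
PRINT_LOG = """\
2018-03-04T13:27:01+00:00 10.1.2.3 aaaa1111aaaa1111aaaa1111aaaa1111 www.example.com
2018-03-04T13:27:03+00:00 10.1.2.3 aaaa1111aaaa1111aaaa1111aaaa1111 www.example.com
2018-03-04T13:28:10+00:00 10.1.2.9 bbbb2222bbbb2222bbbb2222bbbb2222 www.example.com
2018-03-04T13:29:40+00:00 10.1.2.9 bbbb2222bbbb2222bbbb2222bbbb2222 www.example.com
2018-03-04T13:30:00+00:00 10.1.2.7 cccc3333cccc3333cccc3333cccc3333 www.example.com
2018-03-04T13:31:00+00:00 10.1.2.5 d82cbe0b93f2b02d490a14f6bc1d421a www.example.com
"""

# Constructed Apache "combined" format access log of the HTTPS vhost www.example.com.
ACCESS_LOG = """\
10.1.2.3 - - [04/Mar/2018:13:27:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.1.2.3 - - [04/Mar/2018:13:27:04 +0000] "GET /a.css HTTP/1.1" 200 99 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.1.2.9 - - [04/Mar/2018:13:28:11 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.58.0"
10.1.2.9 - - [04/Mar/2018:13:29:41 +0000] "GET / HTTP/1.1" 200 512 "-" "python-requests/2.18.4"
"""

# Already-labelled prints are skipped; this entry is from the page's database.
KNOWN_PRINTS = {"d82cbe0b93f2b02d490a14f6bc1d421a": "PaleMoon Browser 27.4.2"}

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def parse_print_log(text):
    """Yield (time, client ip, ja3, sni) from the assumed print-log format."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, ja3, sni = line.split()
            yield datetime.fromisoformat(ts), ip, ja3, sni


def parse_access_log(text):
    """Yield (time, client ip, user agent) from combined-format lines; skip junk."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
            yield ts, m.group('ip'), m.group('ua')


def resolve_prints(print_log, access_log, known=KNOWN_PRINTS, window=timedelta(seconds=5)):
    """Pair each unknown print with User-Agents seen from the same IP within `window`.

    Returns ja3 -> ('resolved', ua) when exactly one UA explains every sighting,
    ('ambiguous', [ua, ...]) when several do (NAT, proxies), or ('unresolved', None).
    """
    hits_by_ip = defaultdict(list)
    for t, ip, ua in parse_access_log(access_log):
        hits_by_ip[ip].append((t, ua))

    candidates = {}
    for t, ip, ja3, _sni in parse_print_log(print_log):
        if ja3 in known:
            continue                                   # already labelled, nothing to do
        uas = candidates.setdefault(ja3, set())
        for t2, ua in hits_by_ip.get(ip, ()):
            if abs(t2 - t) <= window:
                uas.add(ua)

    result = {}
    for ja3, uas in candidates.items():
        if len(uas) == 1:
            result[ja3] = ('resolved', next(iter(uas)))
        elif uas:
            result[ja3] = ('ambiguous', sorted(uas))
        else:
            result[ja3] = ('unresolved', None)
    return result


if __name__ == '__main__':
    for ja3, (state, detail) in resolve_prints(PRINT_LOG, ACCESS_LOG).items():
        print(ja3, state, detail)
```

Two things keep this honest: correlate only against the log of the TLS vhost the prints were seen on, and treat a 'resolved' User-Agent as a label candidate for the Key Dashboard rather than ground truth, since the UA string is entirely client-chosen. A print seen behind a NAT or proxy comes out ambiguous, as the second hash shows, and a print with no access-log counterpart stays unresolved instead of being guessed.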
  
  
  
We invite you to try this app in your network and let us know how it works. It is free to run.
  
  
  
Previous revision last modified: 2017/11/28 23:54 by veera