mirror of https://github.com/OISF/suricata
				
				
				
			
JA3 Keywords
============

Suricata comes with a JA3 integration (https://github.com/salesforce/ja3). JA3 is used to fingerprint TLS clients.

JA3 must be enabled in the Suricata config file (set 'app-layer.protocols.tls.ja3-fingerprints' to 'yes').

ja3_hash
--------

Match on JA3 hash (md5).

Example::

  alert tls any any -> any any (msg:"match JA3 hash"; \
      ja3_hash; content:"e7eca2baf4458d095b7f45da28c16c34"; \
      sid:100001;)

``ja3_hash`` is a 'Sticky buffer'.

``ja3_hash`` can be used as ``fast_pattern``.

ja3_string
----------

Match on JA3 string.

Example::

  alert tls any any -> any any (msg:"match JA3 string"; \
      ja3_string; content:"19-20-21-22"; \
      sid:100002;)

``ja3_string`` is a 'Sticky buffer'.

``ja3_string`` can be used as ``fast_pattern``.
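
How the two buffers relate, as an added example that is not part of the Suricata documentation: it builds a JA3 string from ClientHello fields in the salesforce/ja3 format, hashes it with MD5, and shows that a plain ``content`` match on ``ja3_string`` is a substring match. The field values, the sid and the helper names are constructed for illustration.

```python
import hashlib

# GREASE values (RFC 8701: 0x0A0A, 0x1A1A, ... 0xFAFA) are random placeholders;
# JA3 drops them so the fingerprint is stable across connections.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

def _join(values):
    return "-".join(str(v) for v in values if v not in GREASE)

def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Five comma-separated fields; decimal values joined by '-' in wire order."""
    return ",".join([str(version), _join(ciphers), _join(extensions),
                     _join(curves), _join(point_formats)])

def ja3_hash(ja3):
    """MD5 of the JA3 string as lowercase hex: the value ja3_hash inspects."""
    return hashlib.md5(ja3.encode("ascii")).hexdigest()

def content_matches(buffer, content):
    """A plain content match is a substring match on the sticky buffer."""
    return content in buffer

def hash_rule(ja3, sid, msg):
    """Render a ja3_hash rule in the same shape as the documented example."""
    return ('alert tls any any -> any any (msg:"%s"; ja3_hash; content:"%s"; sid:%d;)'
            % (msg, ja3_hash(ja3), sid))

# Constructed ClientHello field values (not taken from real traffic).
SAMPLE = ja3_string(771, [0x0A0A, 19, 20, 21, 22], [0, 10, 11], [0x1A1A, 23, 24], [0])
LOOKALIKE = ja3_string(771, [119, 20, 21, 220], [0, 10, 11], [23, 24], [0])

if __name__ == "__main__":
    print(SAMPLE)
    print(hash_rule(SAMPLE, 1000001, "constructed JA3 hash"))
    # The documented content also hits a different cipher list ...
    print(content_matches(LOOKALIKE, "19-20-21-22"))
    # ... while including the field-separating commas pins the whole field.
    print(content_matches(LOOKALIKE, ",19-20-21-22,"))
```

Because ``ja3_hash`` covers the whole string, any change to a single field value produces a different hash; ``ja3_string`` is the buffer to use when only part of the fingerprint should match.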