Add ja3 fields to Zeek SSL log #21696
This team uses the scripts from https://github.com/salesforce/ja3/tree/master/zeek for the ja3 fields. Here are the scripts for the other fields they add:
AND
This is a sample entry from their ssl.log:

```json
{
  "ts": 1602179457.352156,
  "uid": "CK17Dl2SB8bZOVonSl",
  "id.orig_h": "10.7.9.101",
  "id.orig_p": 49228,
  "id.resp_h": "72.205.170.179",
  "id.resp_p": 443,
  "version": "TLSv12",
  "cipher": "TLS_RSA_WITH_AES_128_CBC_SHA256",
  "resumed": false,
  "established": true,
  "cert_chain_fuids": [
    "FOLwYQ6rs70bIMSf9"
  ],
  "client_cert_chain_fuids": [],
  "subject": "CN=afygrudeded.Alathal.owellle.bms,OU=Whe*swen and 4Ain ithe@lsath,O=Wofts Adererott FCP,L=Sanaa,C=YE",
  "issuer": "CN=afygrudeded.Alathal.owellle.bms,OU=Whe*swen and 4Ain ithe@lsath,O=Wofts Adererott FCP,L=Sanaa,C=YE",
  "validation_status": "self signed certificate",
  "ja3": "74927e242d6c3febf8cb9cab10a7f889",
  "ja3s": "80b3a14bccc8598a1f3bbe83e71f735f",
  "resp_certificate_sha1": "3dad8b55621b6b9c30679d9d61248dd132a83c94",
  "not_valid_before": 1562022424.0,
  "not_valid_after": 1577747224.0
}
```

They are happy to rename their fields output to whatever you see fit.
I updated the pipeline and tests to include all the fields discussed. Now I want to test out the scripts and adjust the documentation.
The source of the second script is: https://github.com/rocknsm/rock-scripts/blob/1abcb137c3c0cb7bc1d54248d738255d2d6eb4ba/protocols/ssl/ssl-add-cert-hash.zeek
LGTM
Rename `ja3s` to `tls.server.ja3s` if present (requires zeek/salesforce/ja3 package). Rename `ja3` to `tls.client.ja3` if present (requires zeek/salesforce/ja3 package). Rename `subject` to `tls.server.subject` (instead of deleting it after parsing). Rename `not_valid_before` to `tls.server.not_before` if present. Rename `not_valid_after` to `tls.server.not_after` if present. Fix dashboard reference for `zeek.ssl.server.name` that was using `zeek.ssl.server_name`. Add links to Zeek scripts in docs.
Rename `ja3s` to `tls.server.ja3s` if present (requires zeek/salesforce/ja3 package). Rename `ja3` to `tls.client.ja3` if present (requires zeek/salesforce/ja3 package). Rename `subject` to `tls.server.subject` (instead of deleting it after parsing). Rename `not_valid_before` to `tls.server.not_before` if present. Rename `not_valid_after` to `tls.server.not_after` if present. Fix dashboard reference for `zeek.ssl.server.name` that was using `zeek.ssl.server_name`. Add links to Zeek scripts in docs. (cherry picked from commit 61f7acd)
What does this PR do?
- Rename `ja3s` to `tls.server.ja3s` if present (requires zeek/salesforce/ja3 package).
- Rename `ja3` to `tls.client.ja3` if present (requires zeek/salesforce/ja3 package).
- Rename `subject` to `tls.server.subject` (instead of deleting it after parsing).
- Rename `not_valid_before` to `tls.server.not_before` if present.
- Rename `not_valid_after` to `tls.server.not_after` if present.
- Fix dashboard reference for `zeek.ssl.server.name` that was using `zeek.ssl.server_name`.
Why is it important?
Improves the Zeek SSL dataset's ability to populate the TLS tab in the Security app.
Checklist
- `CHANGELOG.next.asciidoc` or `CHANGELOG-developer.next.asciidoc`.
Author's Checklist
- `tls.server.not_after` and `tls.server.hash.sha1` to the zeek.ssl log and update the pipeline for those fields.
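The renames listed above, as an added example that is not part of this PR or of the Filebeat Zeek module: a minimal stand-in for Elasticsearch's `rename` processor (real options `field`, `target_field`, `ignore_missing`) applied to the ssl.log entry quoted earlier in the thread, so that "if present" becomes `ignore_missing: true` and the fields simply stay absent when the zeek/salesforce/ja3 package is not installed. The mapping of `resp_certificate_sha1` to `tls.server.hash.sha1` is an assumption based on the author's checklist, not something the PR states.

```python
import copy

# Rename steps mirroring the PR description. Each entry is an Elasticsearch
# `rename` processor; ignore_missing=True encodes "if present" (ja3/ja3s only
# exist when the zeek/salesforce/ja3 package is installed).
PIPELINE = [
    {"rename": {"field": "ja3", "target_field": "tls.client.ja3", "ignore_missing": True}},
    {"rename": {"field": "ja3s", "target_field": "tls.server.ja3s", "ignore_missing": True}},
    {"rename": {"field": "subject", "target_field": "tls.server.subject", "ignore_missing": True}},
    {"rename": {"field": "not_valid_before", "target_field": "tls.server.not_before", "ignore_missing": True}},
    {"rename": {"field": "not_valid_after", "target_field": "tls.server.not_after", "ignore_missing": True}},
    # Assumption (not stated in the PR): the hash from ssl-add-cert-hash.zeek lands in tls.server.hash.sha1.
    {"rename": {"field": "resp_certificate_sha1", "target_field": "tls.server.hash.sha1", "ignore_missing": True}},
]

def set_path(doc, path, value):
    """Set a dotted target path, creating nested objects (tls -> server -> ja3s)."""
    parts = path.split(".")
    cur = doc
    for key in parts[:-1]:
        cur = cur.setdefault(key, {})
    cur[parts[-1]] = value

def apply_rename(doc, opts):
    """Mimic the rename processor: move the value, or fail unless ignore_missing."""
    field = opts["field"]
    if field not in doc:
        if opts.get("ignore_missing", False):
            return doc
        raise KeyError(f"field [{field}] doesn't exist")
    set_path(doc, opts["target_field"], doc.pop(field))
    return doc

def apply_pipeline(event, processors=PIPELINE):
    """Run the processors over a copy of one ssl.log event; return the ECS-shaped doc."""
    doc = copy.deepcopy(event)
    for proc in processors:
        (name, opts), = proc.items()
        if name != "rename":
            raise ValueError(f"unsupported processor {name}")
        apply_rename(doc, opts)
    return doc

# Constructed sample taken from the ssl.log entry quoted in the thread (trimmed).
SAMPLE = {
    "ts": 1602179457.352156, "uid": "CK17Dl2SB8bZOVonSl", "version": "TLSv12",
    "ja3": "74927e242d6c3febf8cb9cab10a7f889", "ja3s": "80b3a14bccc8598a1f3bbe83e71f735f",
    "resp_certificate_sha1": "3dad8b55621b6b9c30679d9d61248dd132a83c94",
    "not_valid_before": 1562022424.0, "not_valid_after": 1577747224.0,
}
```

Run `apply_pipeline(SAMPLE)` to see the nested `tls.client` / `tls.server` objects; drop `ja3` and `ja3s` from the input to confirm the pipeline still succeeds when the package is absent.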