Using ja3s, extensions are never added to the JA3 string #19
I pulled down the JA3S Bro script and installed it on a 2.5.3 Bro installation. JA3S fingerprints are being generated, but they never include extensions. For example: JA3S: 7770094a92b1cbfa5a6de2017cfb682a Fingerprint String: 771,49200,

I added some debug print statements to ssl_extensions() and observed that is_orig is never false (F), so the logic never fires. In ja3s.py (pull request forthcoming) and Wireshark, I can see extensions in the Server Hellos like status_request, renegotiation_info, etc. I'm not sure if this is an issue specific to my build of Bro or if others have been able to replicate it.

Comments

I am not able to replicate this issue. I tested pretty extensively on multiple versions of Bro and am always seeing extensions from JA3S. is_orig must == F in order for it to capture only the server extensions. If there is no "if is_orig" statement, it will capture both the client extensions and the server extensions in the JA3S, which you don't want. You can see it working here: http://try.bro.org/#/trybro/saved/259728 Do you have a sample pcap I can test?

I had both ja3 (with the single equals issue #20) and ja3s enabled at the same time. When I switched to the fixed version of ja3 (with ==), I started seeing the extensions in ja3s. So it seems like the assignment of T to is_orig in ja3 was affecting ja3s. I assumed is_orig was passed by value, but apparently it is passed by reference?

I thought that might be the case and tested for it on try.bro but wasn't able to reproduce it. Either way, fixed. Thanks for bringing it up!
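The thread above turns on which ssl_extension events the JA3S script keeps: only those with is_orig == F (sent by the server), and the symptom was a fingerprint string of "771,49200," with an empty extension field because is_orig never showed up as F. The following Python is an added illustration, not code from the ja3 repository or from the ja3s.py mentioned in the issue: it assembles the JA3S string (version, cipher, extension codes joined by "-", GREASE values dropped) from a constructed list of extension events tagged with their direction, and shows how a direction flag that is always "originator" empties the extension field. The sample cipher (49200) and extension codes are constructed for the example; `misreported_direction` is a hypothetical helper that models the always-T symptom, not the Bro script's actual control flow.

```python
import hashlib
from dataclasses import dataclass, field, replace
from typing import List

# GREASE values are excluded from JA3/JA3S strings (per the JA3 specification).
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


@dataclass(frozen=True)
class ExtensionEvent:
    """The two fields of an ssl_extension event that JA3S cares about."""
    is_orig: bool   # True: sent by the client (originator); False: sent by the server
    code: int       # TLS extension type number


@dataclass
class ServerHello:
    version: int                                   # 771 == TLS 1.2 (0x0303)
    cipher: int                                    # chosen cipher suite (constructed: 49200)
    extensions: List[ExtensionEvent] = field(default_factory=list)


def ja3s_string(hello: ServerHello, server_only: bool = True) -> str:
    """Build 'version,cipher,ext1-ext2-...'.

    server_only=True mirrors the 'if (is_orig == F)' filter the maintainer
    describes; server_only=False shows what happens with no direction check
    (client and server extensions both land in the JA3S string).
    """
    codes = [
        e.code for e in hello.extensions
        if (server_only is False or e.is_orig is False) and e.code not in GREASE
    ]
    return f"{hello.version},{hello.cipher},{'-'.join(str(c) for c in codes)}"


def ja3s_hash(fingerprint: str) -> str:
    """JA3S is the MD5 of the fingerprint string (32 hex characters)."""
    return hashlib.md5(fingerprint.encode("ascii")).hexdigest()


def misreported_direction(hello: ServerHello) -> ServerHello:
    """Hypothetical model of the bug in the thread: every event arrives with is_orig == T,
    so the server-only filter discards all extensions."""
    return replace(hello, extensions=[replace(e, is_orig=True) for e in hello.extensions])


# Constructed sample: client extensions first (as seen in the ClientHello), then the
# server's own extensions (status_request=5, renegotiation_info=65281, ec_point_formats=11).
SAMPLE_HELLO = ServerHello(
    version=771,
    cipher=49200,
    extensions=[
        ExtensionEvent(True, 0), ExtensionEvent(True, 10), ExtensionEvent(True, 11),
        ExtensionEvent(True, 13), ExtensionEvent(True, 23), ExtensionEvent(True, 0x2a2a),
        ExtensionEvent(False, 5), ExtensionEvent(False, 65281), ExtensionEvent(False, 11),
    ],
)

if __name__ == "__main__":
    for label, s in [
        ("server-only (correct)", ja3s_string(SAMPLE_HELLO)),
        ("no direction check ", ja3s_string(SAMPLE_HELLO, server_only=False)),
        ("is_orig always T   ", ja3s_string(misreported_direction(SAMPLE_HELLO))),
    ]:
        print(f"{label}: {s:40} -> {ja3s_hash(s)}")
```

The third row reproduces the reporter's symptom (an extension field that is empty, so the string ends in a trailing comma), while the first two rows give different hashes for the same ServerHello, which is why a direction bug silently changes every JA3S value a sensor emits rather than raising an error.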