6.17. JA3 Keywords

Suricata comes with a JA3 integration (https://github.com/salesforce/ja3). JA3 is used to fingerprint TLS clients.

JA3 must be enabled in the Suricata config file (set ‘app-layer.protocols.tls.ja3-fingerprints’ to ‘yes’).

JA3 also requires Suricata to be built with LibNSS support.

6.17.1. ja3.hash

Match on JA3 hash (md5).

Example:

alert tls any any -> any any (msg:"match JA3 hash"; \
    ja3.hash; content:"e7eca2baf4458d095b7f45da28c16c34"; \
    sid:100001;)

ja3.hash is a ‘sticky buffer’.

ja3.hash can be used as fast_pattern.

ja3.hash replaces the previous keyword name: ja3_hash. You may continue to use the previous name, but it’s recommended that rules be converted to use the new name.

6.17.2. ja3.string

Match on JA3 string.

Example:

alert tls any any -> any any (msg:"match JA3 string"; \
    ja3.string; content:"19-20-21-22"; \
    sid:100002;)

ja3.string is a ‘sticky buffer’.

ja3.string can be used as fast_pattern.

ja3.string replaces the previous keyword name: ja3_string. You may continue to use the previous name, but it’s recommended that rules be converted to use the new name.

6.17.3. ja3s.hash

Match on JA3S hash (md5).

Example:

alert tls any any -> any any (msg:"match JA3S hash"; \
    ja3s.hash; content:"b26c652e0a402a24b5ca2a660e84f9d5"; \
    sid:100003;)

ja3s.hash is a ‘sticky buffer’.

ja3s.hash can be used as fast_pattern.

6.17.4. ja3s.string

Match on JA3S string.

Example:

alert tls any any -> any any (msg:"match on JA3S string"; \
    ja3s.string; content:"771,23-35"; sid:100004;)

ja3s.string is a ‘sticky buffer’.

ja3s.string can be used as fast_pattern.