Bro ssl.log support #72

Open
chrisforce1 opened this issue May 19, 2019 · 1 comment
@chrisforce1
Contributor

Similar to #71.

Reading the documentation, Bro doesn't have JA3 values in their ssl.log officially. I need to ask Corelight about this and get the data format and details so we can implement this. I primarily want to pick up JA3 (client) and JA3S (server) fingerprints for now. We can extend support later to other fields and look at the certificate chain, etc.

@chrisforce1 chrisforce1 self-assigned this May 19, 2019
@chrisforce1 chrisforce1 changed the title Add Bro ssl.log support Bro ssl.log support May 19, 2019
@chrisforce1
Contributor Author

The fields in Bro when it's using the JA3 scripts are ja3 and ja3s as below.

https://github.com/salesforce/ja3/tree/master/zeek

The fields in Corelight JSON ssl.log are also ja3 and ja3s as attached below.

ssl_20200410_16_22_39-16_22_46-0600.log.gz

@chrisforce1 chrisforce1 assigned tg and ioj and unassigned tg and chrisforce1 Jul 12, 2021
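
Added example, not part of the issue thread or the project's own code: a Python reader that pulls the `ja3` and `ja3s` fields out of ssl.log records and returns `None` for them when a sensor does not have the JA3 scripts loaded. It goes beyond the JSON case shown in the thread by also accepting Zeek's tab-separated format; the sample records and the names `parse_ssl_log` and `fingerprints` are constructed for illustration.

```python
import json

# Constructed sample records (not taken from the log attached to the issue).
# ts, uid, id.orig_h, id.resp_h and server_name are standard Zeek ssl.log
# columns; ja3 and ja3s are the field names given in the thread.
SAMPLE_JSON = "\n".join([
    '{"ts":1586557359.1,"uid":"CAbc1","id.orig_h":"10.0.0.5","id.resp_h":"192.0.2.10",'
    '"server_name":"example.com","ja3":"0123456789abcdef0123456789abcdef",'
    '"ja3s":"fedcba9876543210fedcba9876543210"}',
    # Sensor without the JA3 scripts loaded: the keys are absent altogether.
    '{"ts":1586557360.2,"uid":"CAbc2","id.orig_h":"10.0.0.6","id.resp_h":"192.0.2.11"}',
])
SAMPLE_TSV = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tserver_name\tja3\tja3s",
    "1586557361.3\tCAbc3\t10.0.0.7\t192.0.2.12\t-\t0123456789abcdef0123456789abcdef\t-",
    "#close\t2020-04-10-16-22-46",
])

WANTED = ("ts", "uid", "id.orig_h", "id.resp_h", "server_name", "ja3", "ja3s")

def parse_ssl_log(text):
    """Yield one dict per record; ja3/ja3s are None when missing or unset."""
    fields, unset = None, "-"
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):  # TSV header directive such as #fields
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            elif key == "unset_field":
                unset = rest
            continue
        if line.startswith("{"):  # one JSON object per line
            rec = json.loads(line)
        elif fields is not None:
            values = line.split("\t")
            rec = {k: (None if v == unset else v) for k, v in zip(fields, values)}
        else:
            raise ValueError("TSV record seen before a #fields header")
        yield {k: rec.get(k) for k in WANTED}

def fingerprints(text):
    """Return (uid, ja3, ja3s) for records carrying at least one fingerprint."""
    return [(r["uid"], r["ja3"], r["ja3s"]) for r in parse_ssl_log(text)
            if r["ja3"] or r["ja3s"]]
```
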