--- /dev/null
+# Description
+
+Test ja3 on tls with duplicate hello
+
+https://redmine.openinfosecfoundation.org/issues/6634
+
+# PCAP
+
+The pcap is crafted from srv.go and cli.py
--- /dev/null
+import socket
+import binascii
+
+HOST = "127.0.0.1" # The server's hostname or IP address
+PORT = 8443 # The port used by the server
+
+with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
+ s.connect((HOST, PORT))
+ data = binascii.unhexlify("160301012401000120030339a503494c046e85568afb480faeb91fb861a479b4f9ef85dfa60844a0b86f6700003a1302130313011304c02ccca9c0adc00ac02bc0acc009c030cca8c014c02fc013009dc09d0035009cc09c002f009fccaac09f0039009ec09e0033010000bd000500050100000000000a000400020017000b00020100000d0020001e040108090804040308070501080a080505030601080b08060603020102030016000000170000002300000033004700450017004104519c7aa7e7b5163a55d3d116c293f717b123909e9bda1bf256972c3ddb2b730db0016c13ae75255b38d1c7591e3611381e20e614ee9cba9402dae5ea6159e749002b0009080304030303020301ff010001000000000e000c0000096c6f63616c686f7374002d0003020100")
+ s.sendall(data)
+ data2 = binascii.unhexlify("160301012401000120030339a503494c046e85568afb480faeb91fb861a479b4f9ef85dfa60844a0b86f6700003a1302130313011304c02ccca9c0adc00ac02bc0acc009c030cca8c014c02fc013009dc09d0035009cc09c002f009fccaac09f0039009ec09e0033010000bd000500050100000000000a000400020017000b00020100000d0020001e040108090804040308070501080a080505030601080b08060603020102030016000000170000002300000033004700450017004104519c7aa7e7b5163a55d3d116c293f717b123909e9bda1bf256972c3ddb2b730db0016c13ae75255b38d1c7591e3611381e20e614ee9cba9402dae5ea6159e749002c0009080304030303020301ff010001000000000e000c0000096c6f63616c686f7374002d0003020100")
+ s.sendall(data2)
+ data = s.recv(1024)
+
+print(f"Received {data!r}")
--- /dev/null
+package main
+
+import (
+ // "fmt"
+ // "io"
+ "net/http"
+ "log"
+)
+
+/*
+openssl genrsa -out server.key 2048
+openssl ecparam -genkey -name secp384r1 -out server.key
+openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
+*/
+
+func HelloServer(w http.ResponseWriter, req *http.Request) {
+ w.Header().Set("Content-Type", "text/plain")
+ w.Write([]byte("This is an example server.\n"))
+ // fmt.Fprintf(w, "This is an example server.\n")
+ // io.WriteString(w, "This is an example server.\n")
+}
+
+func main() {
+ http.HandleFunc("/hello", HelloServer)
+ err := http.ListenAndServeTLS(":8443", "server.crt", "server.key", nil)
+ if err != nil {
+ log.Fatal("ListenAndServe: ", err)
+ }
+}
--- /dev/null
+alert tls any any -> any any (msg:"ja3.string test"; ja3.string; content:"771,"; sid:1;)
\ No newline at end of file
--- /dev/null
+requires:
+ min-version: 8
+
+# disables checksum verification
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.ja3.string: "771,4866-4867-4865-4868-49196-52393-49325-49162-49195-49324-49161-49200-52392-49172-49199-49171-157-49309-53-156-49308-47-159-52394-49311-57-158-49310-51,5-10-11-13-22-23-35-51-43-65281-0-45,23,0"
projects / thirdparty / suricata-verify.git / commitdiff
