--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: no
+ payload-buffer-size: 4kb
+ payload-printable: no
+ packet: no
+ metadata: no
+ - tls:
+ extended: yes
+
+app-layer:
+ protocols:
+ tls:
+ enabled: yes
+ detection-ports:
+ dp: 443
+
+ ja3-fingerprints: yes
--- /dev/null
+function init(args)
+ local needs = {}
+ needs["tls"] = tostring(true)
+ return needs
+end
+
+function match(args)
+ hash = Ja3SGetHash()
+ if hash == nil then
+ return 0
+ end
+
+ if hash == "5d79edf64e03689ff559a54e9d9487bc" then
+ return 1
+ end
+
+ return 0
+end
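Review bot: `hash = Ja3SGetHash()` assigns to an undeclared name, so `hash` becomes a global of the script environment on every call to `match` instead of a local of the function; change it to `local hash = Ja3SGetHash()`. The sibling script in this commit has the same pattern at `str = Ja3SGetString()`, and the two duplicated scripts later in the commit repeat both, so the same one-word fix applies to each. Keeping the value local avoids state persisting between invocations and is what luacheck would flag as an accidental global.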
--- /dev/null
+function init(args)
+ local needs = {}
+ needs["tls"] = tostring(true)
+ return needs
+end
+
+function match(args)
+ str = Ja3SGetString()
+ if str == nil then
+ return 0
+ end
+
+ if str == "771,49199,65281-0-11-16-23" then
+ return 1
+ end
+
+ return 0
+end
--- /dev/null
+alert tls any any -> any any (msg:"ja3s.hash test"; requires: feature ja3; flow:established,to_client; ja3s.hash; content:"5d79edf64e03689ff559a54e9d9487bc"; sid:1;)
+alert tls any any -> any any (msg:"ja3s.string test"; requires: feature ja3; flow:established,to_client; ja3s.string; content:"771,49199,65281-0-11-16-23"; sid:2;)
+alert tls any any -> any any (msg:"ja3s.hash Lua test"; requires: feature ja3; flow:established,to_client; lua:test-ja3s-hash.lua; sid:3;)
+alert tls any any -> any any (msg:"ja3s.string Lua test"; requires: feature ja3; flow:established,to_client; lua:test-ja3s-string.lua; sid:4;)
--- /dev/null
+pcap: ../../tls/tls-certs-alert/input.pcap
+
+requires:
+ min-version: 7.0.3
+ features:
+ - HAVE_LUA
+ script:
+ - ./src/suricata --build-info | grep "JA3 support" | grep no > /dev/null
+
+args:
+ - -k none
+ - --set security.lua.allow-rules=true
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - shell:
+ args: "grep -c 'missing a required feature: feature ja3' stdout"
+ expect: 4
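Review bot: The `script:` requirement on the `./src/suricata --build-info` line encodes the whole premise of this test (a build without JA3 support), but nothing in the file states it, and the `expect: 4` shell check only reads correctly once one knows all four rules are meant to be rejected. A comment above `requires:` such as `# Build without JA3: every rule carries 'requires: feature ja3' and must fail to load` would make that explicit. The second test.yaml in this commit appears to cover the mirror-image case (HAVE_JA3 required, but `ja3-fingerprints: no` in its config) and would benefit from the same kind of comment describing its premise.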
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: no
+ payload-buffer-size: 4kb
+ payload-printable: no
+ packet: no
+ metadata: no
+ - tls:
+ extended: yes
+
+app-layer:
+ protocols:
+ tls:
+ enabled: yes
+ detection-ports:
+ dp: 443
+ ja3-fingerprints: no
--- /dev/null
+function init(args)
+ local needs = {}
+ needs["tls"] = tostring(true)
+ return needs
+end
+
+function match(args)
+ hash = Ja3SGetHash()
+ if hash == nil then
+ return 0
+ end
+
+ if hash == "5d79edf64e03689ff559a54e9d9487bc" then
+ return 1
+ end
+
+ return 0
+end
--- /dev/null
+function init(args)
+ local needs = {}
+ needs["tls"] = tostring(true)
+ return needs
+end
+
+function match(args)
+ str = Ja3SGetString()
+ if str == nil then
+ return 0
+ end
+
+ if str == "771,49199,65281-0-11-16-23" then
+ return 1
+ end
+
+ return 0
+end
--- /dev/null
+alert tls any any -> any any (msg:"ja3s.hash test"; requires: feature ja3; flow:established,to_client; ja3s.hash; content:"5d79edf64e03689ff559a54e9d9487bc"; sid:1;)
+alert tls any any -> any any (msg:"ja3s.string test"; requires: feature ja3; flow:established,to_client; ja3s.string; content:"771,49199,65281-0-11-16-23"; sid:2;)
+alert tls any any -> any any (msg:"ja3s.hash Lua test"; requires: feature ja3; flow:established,to_client; lua:test-ja3s-hash.lua; sid:3;)
+alert tls any any -> any any (msg:"ja3s.string Lua test"; requires: feature ja3; flow:established,to_client; lua:test-ja3s-string.lua; sid:4;)
--- /dev/null
+pcap: ../../tls/tls-certs-alert/input.pcap
+
+requires:
+ min-version: 7.0.3
+ features:
+ - HAVE_LUA
+ - HAVE_JA3
+ script:
+ - grep 'ProvidesFeature(FEATURE_JA3);' src/app-layer-ssl.c > /dev/null
+
+args:
+ - -k none
+ - --set security.lua.allow-rules=true
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - shell:
+ args: "grep -c 'missing a required feature: feature ja3' stdout"
+ expect: 4
- HAVE_LIBJANSSON
- HAVE_NSS
- HAVE_LUA
+ - HAVE_JA3
args:
- -k none