From: Jeff Lucovsky Date: Tue, 14 May 2024 12:56:14 +0000 (-0400) Subject: tests/ja4: Enable ja4 tests for 7.0.6 and later X-Git-Tag: suricata-6.0.20~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1908%2Fhead;p=thirdparty%2Fsuricata-verify.git tests/ja4: Enable ja4 tests for 7.0.6 and later Issue: 7010 Enable the JA4 tests for Suricata 7.0.6 and later. --- diff --git a/tests/ja4-quic-7.0.x-01/README.md b/tests/ja4-quic-7.0.x-01/README.md new file mode 100644 index 000000000..fbec43af6 --- /dev/null +++ b/tests/ja4-quic-7.0.x-01/README.md @@ -0,0 +1,119 @@ +# JA4 QUIC + +This test checks whether the correct JA4 fingerprints are calculated for the +given pcap, according to the [reference implementation](https://github.com/FoxIO-LLC/ja4). + +## PCAP + +Pcap was created on developer machine using a short `tcpdump` session: +``` +tcpdump -w out.pcap -i wlp61s0 'port 443 and udp' +``` + +## Result + +`q13d0310h3_55b375c5d22e_cd85d2d88918` which means + +* `q`: QUIC +* `13`: TLS 1.3 +* `d`: SNI is set +* `03`: 3 cipher suites in Client Hello +* `10`: 10 extensions in Client Hello +* `h3`: ALPN protocol + +and the hashes of the corresponding sorted extension codes. + + +## Reference output: + +``` +$ ../ja4/binaries/linux/ja4 tests/ja4-quic/input.pcap +- stream: 0 + transport: udp + src: 192.168.178.25 + dst: 142.250.181.201 + src_port: 51333 + dst_port: 443 + tls_server_name: www.blogger.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 1 + transport: udp + src: 192.168.178.25 + dst: 142.251.209.129 + src_port: 53371 + dst_port: 443 + tls_server_name: socpuppet.blogspot.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 2 + transport: udp + src: 192.168.178.25 + dst: 142.250.181.206 + src_port: 50440 + dst_port: 443 + tls_server_name: apis.google.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 3 + transport: udp + src: 192.168.178.25 + dst: 142.250.181.201 + src_port: 37252 + dst_port: 443 + tls_server_name: www.blogger.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 4 + transport: udp + src: 192.168.178.25 + dst: 142.250.181.206 + src_port: 57334 + dst_port: 443 + tls_server_name: apis.google.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 5 + transport: udp + src: 192.168.178.25 + dst: 142.250.185.164 + src_port: 38677 + dst_port: 443 + tls_server_name: www.google.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 6 + transport: udp + src: 192.168.178.25 + dst: 142.250.181.195 + src_port: 42849 + dst_port: 443 + tls_server_name: www.gstatic.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 7 + transport: udp + src: 192.168.178.25 + dst: 142.251.209.131 + src_port: 32997 + dst_port: 443 + tls_server_name: fonts.gstatic.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 8 + transport: udp + src: 192.168.178.25 + dst: 142.250.181.193 + src_port: 60461 + dst_port: 443 + tls_server_name: 4.bp.blogspot.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 9 + transport: udp + src: 192.168.178.25 + dst: 142.250.181.193 + src_port: 52446 + dst_port: 443 + tls_server_name: 1.bp.blogspot.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 10 + transport: udp + src: 192.168.178.25 + dst: 142.250.181.193 + src_port: 41171 + dst_port: 443 + tls_server_name: 2.bp.blogspot.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +``` diff --git a/tests/ja4-quic-7.0.x-01/suricata.yaml b/tests/ja4-quic-7.0.x-01/suricata.yaml new file mode 100644 index 000000000..12691e1c7 --- /dev/null +++ b/tests/ja4-quic-7.0.x-01/suricata.yaml @@ -0,0 +1,11 @@ +%YAML 1.1 +--- + + +outputs: + - eve-log: + enabled: yes + filename: eve.json + types: + - quic: + ja4: off diff --git a/tests/ja4-quic-7.0.x-01/test.yaml b/tests/ja4-quic-7.0.x-01/test.yaml new file mode 100644 index 000000000..98bfc90fb --- /dev/null +++ b/tests/ja4-quic-7.0.x-01/test.yaml @@ -0,0 +1,17 @@ +requires: + min-version: 7.0.6 + lt-version: 8 + features: + - HAVE_JA4 + +pcap: ../ja4-quic/input.pcap + +args: + - -k none + +checks: + - filter: + count: 11 + match: + event_type: quic + not-has-key: quic.ja4 diff --git a/tests/ja4-quic-7.0.x-02/README.md b/tests/ja4-quic-7.0.x-02/README.md new file mode 100644 index 000000000..6a6640ca8 --- /dev/null +++ b/tests/ja4-quic-7.0.x-02/README.md @@ -0,0 +1,120 @@ +# JA4 QUIC + +This test checks whether the correct JA4 fingerprints are calculated for the +given pcap, according to the [reference implementation](https://github.com/FoxIO-LLC/ja4) +and logged. + +## PCAP + +Pcap was created on developer machine using a short `tcpdump` session: +``` +tcpdump -w out.pcap -i wlp61s0 'port 443 and udp' +``` + +## Result + +`q13d0310h3_55b375c5d22e_cd85d2d88918` which means + +* `q`: QUIC +* `13`: TLS 1.3 +* `d`: SNI is set +* `03`: 3 cipher suites in Client Hello +* `10`: 10 extensions in Client Hello +* `h3`: ALPN protocol + +and the hashes of the corresponding sorted extension codes. + + +## Reference output: + +``` +$ ../ja4/binaries/linux/ja4 tests/ja4-quic/input.pcap +- stream: 0 + transport: udp + src: 192.168.178.25 + dst: 142.250.181.201 + src_port: 51333 + dst_port: 443 + tls_server_name: www.blogger.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 1 + transport: udp + src: 192.168.178.25 + dst: 142.251.209.129 + src_port: 53371 + dst_port: 443 + tls_server_name: socpuppet.blogspot.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 2 + transport: udp + src: 192.168.178.25 + dst: 142.250.181.206 + src_port: 50440 + dst_port: 443 + tls_server_name: apis.google.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 3 + transport: udp + src: 192.168.178.25 + dst: 142.250.181.201 + src_port: 37252 + dst_port: 443 + tls_server_name: www.blogger.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 4 + transport: udp + src: 192.168.178.25 + dst: 142.250.181.206 + src_port: 57334 + dst_port: 443 + tls_server_name: apis.google.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 5 + transport: udp + src: 192.168.178.25 + dst: 142.250.185.164 + src_port: 38677 + dst_port: 443 + tls_server_name: www.google.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 6 + transport: udp + src: 192.168.178.25 + dst: 142.250.181.195 + src_port: 42849 + dst_port: 443 + tls_server_name: www.gstatic.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 7 + transport: udp + src: 192.168.178.25 + dst: 142.251.209.131 + src_port: 32997 + dst_port: 443 + tls_server_name: fonts.gstatic.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 8 + transport: udp + src: 192.168.178.25 + dst: 142.250.181.193 + src_port: 60461 + dst_port: 443 + tls_server_name: 4.bp.blogspot.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 9 + transport: udp + src: 192.168.178.25 + dst: 142.250.181.193 + src_port: 52446 + dst_port: 443 + tls_server_name: 1.bp.blogspot.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +- stream: 10 + transport: udp + src: 192.168.178.25 + dst: 142.250.181.193 + src_port: 41171 + dst_port: 443 + tls_server_name: 2.bp.blogspot.com + ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 +``` diff --git a/tests/ja4-quic-7.0.x-02/suricata.yaml b/tests/ja4-quic-7.0.x-02/suricata.yaml new file mode 100644 index 000000000..9e637c4d9 --- /dev/null +++ b/tests/ja4-quic-7.0.x-02/suricata.yaml @@ -0,0 +1,11 @@ +%YAML 1.1 +--- + + +outputs: + - eve-log: + enabled: yes + filename: eve.json + types: + - quic: + ja4: on diff --git a/tests/ja4-quic-7.0.x-02/test.yaml b/tests/ja4-quic-7.0.x-02/test.yaml new file mode 100644 index 000000000..fa44196f8 --- /dev/null +++ b/tests/ja4-quic-7.0.x-02/test.yaml @@ -0,0 +1,18 @@ +requires: + min-version: 7.0.6 + lt-version: 8 + features: + - HAVE_JA4 + +pcap: ../ja4-quic/input.pcap + +args: + - -k none + +checks: + - filter: + count: 11 + match: + event_type: quic + has-key: quic.ja4 + quic.ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 diff --git a/tests/ja4-quic/test.yaml b/tests/ja4-quic/test.yaml index a44b16c0f..ee275f566 100644 --- a/tests/ja4-quic/test.yaml +++ b/tests/ja4-quic/test.yaml @@ -1,5 +1,5 @@ requires: - min-version: 8.0.0 + min-version: 8 features: - HAVE_JA4 diff --git a/tests/ja4-rules-7.0.x-01/suricata.yaml b/tests/ja4-rules-7.0.x-01/suricata.yaml new file mode 100644 index 000000000..b29ad7e81 --- /dev/null +++ b/tests/ja4-rules-7.0.x-01/suricata.yaml @@ -0,0 +1,14 @@ +%YAML 1.1 +--- + + +outputs: + - eve-log: + enabled: yes + filename: eve.json + types: + - alert + - quic: + ja4: off + - tls: + ja4: off diff --git a/tests/ja4-rules-7.0.x-01/test.rules b/tests/ja4-rules-7.0.x-01/test.rules new file mode 100644 index 000000000..7339e7f94 --- /dev/null +++ b/tests/ja4-rules-7.0.x-01/test.rules @@ -0,0 +1,4 @@ +alert quic any any -> any any (msg:"JA4 QUIC Test 1"; requires: feature ja4; ja4.hash; content: "q13d0310h3_55b375c5d22e_cd85d2d88918"; sid:1;) +alert tls any any -> any any (msg:"JA4 TLS Test 1"; requires: feature ja4; ja4.hash; content: "t13d1516h2_8daaf6152771_e5627efa2ab1"; sid:2;) +alert quic any any -> any any (msg:"JA4 QUIC Test 2"; requires: feature ja4; ja4.hash; content: "q13d0310h3_55b375c5d22e_cd85d2d88918X"; sid:3;) +alert tls any any -> any any (msg:"JA4 TLS Test 2"; requires: feature ja4; ja4.hash; content: "t13d1516h2_8daaf6152771_e5627efa2ab1X"; sid:4;) diff --git a/tests/ja4-rules-7.0.x-01/test.yaml b/tests/ja4-rules-7.0.x-01/test.yaml new file mode 100644 index 000000000..139f0dbd0 --- /dev/null +++ b/tests/ja4-rules-7.0.x-01/test.yaml @@ -0,0 +1,36 @@ +requires: + min-version: 7.0.6 + lt-version: 8 + features: + - HAVE_JA4 + +pcap: ../ja4-rules/input.pcap + +args: + - -k none + +checks: + - filter: + count: 1 + match: + event_type: tls + not-has-key: tls.ja4 + - filter: + count: 3 + match: + event_type: quic + not-has-key: quic.ja4 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + alert.signature: JA4 QUIC Test 1 + quic.ja4: q13d0310h3_55b375c5d22e_cd85d2d88918 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2 + alert.signature: JA4 TLS Test 1 + tls.ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 diff --git a/tests/ja4-rules-7.0.x-02/suricata.yaml b/tests/ja4-rules-7.0.x-02/suricata.yaml new file mode 100644 index 000000000..78c665efd --- /dev/null +++ b/tests/ja4-rules-7.0.x-02/suricata.yaml @@ -0,0 +1,12 @@ +%YAML 1.1 +--- + + +outputs: + - eve-log: + enabled: yes + filename: eve.json + types: + - alert: + - tls: + ja4: on diff --git a/tests/ja4-rules-7.0.x-02/test.rules b/tests/ja4-rules-7.0.x-02/test.rules new file mode 100644 index 000000000..7339e7f94 --- /dev/null +++ b/tests/ja4-rules-7.0.x-02/test.rules @@ -0,0 +1,4 @@ +alert quic any any -> any any (msg:"JA4 QUIC Test 1"; requires: feature ja4; ja4.hash; content: "q13d0310h3_55b375c5d22e_cd85d2d88918"; sid:1;) +alert tls any any -> any any (msg:"JA4 TLS Test 1"; requires: feature ja4; ja4.hash; content: "t13d1516h2_8daaf6152771_e5627efa2ab1"; sid:2;) +alert quic any any -> any any (msg:"JA4 QUIC Test 2"; requires: feature ja4; ja4.hash; content: "q13d0310h3_55b375c5d22e_cd85d2d88918X"; sid:3;) +alert tls any any -> any any (msg:"JA4 TLS Test 2"; requires: feature ja4; ja4.hash; content: "t13d1516h2_8daaf6152771_e5627efa2ab1X"; sid:4;) diff --git a/tests/ja4-rules-7.0.x-02/test.yaml b/tests/ja4-rules-7.0.x-02/test.yaml new file mode 100644 index 000000000..756080d32 --- /dev/null +++ b/tests/ja4-rules-7.0.x-02/test.yaml @@ -0,0 +1,31 @@ +requires: + min-version: 7.0.6 + lt-version: 8 + features: + - HAVE_JA4 + +pcap: ../ja4-rules/input.pcap + +args: + - -k none + +checks: + - filter: + count: 1 + match: + event_type: tls + has-key: tls.ja4 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + alert.signature: JA4 QUIC Test 1 + quic.ja4: "q13d0310h3_55b375c5d22e_cd85d2d88918" + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2 + alert.signature: JA4 TLS Test 1 + tls.ja4: t13d1516h2_8daaf6152771_e5627efa2ab1 diff --git a/tests/ja4-rules-disabled/test.yaml b/tests/ja4-rules-disabled/test.yaml index 864144748..079be3284 100644 --- a/tests/ja4-rules-disabled/test.yaml +++ b/tests/ja4-rules-disabled/test.yaml @@ -1,5 +1,5 @@ requires: - min-version: 8.0.0 + min-version: 7.0.6 files: - rust/src/ja4.rs diff --git a/tests/ja4-rules-invalid/test.yaml b/tests/ja4-rules-invalid/test.yaml index 682c2f272..81f114d5a 100644 --- a/tests/ja4-rules-invalid/test.yaml +++ b/tests/ja4-rules-invalid/test.yaml @@ -1,5 +1,5 @@ requires: - min-version: 8.0.0 + min-version: 7.0.6 pcap: false features: - HAVE_JA4 diff --git a/tests/ja4-rules-requires-off/test.yaml b/tests/ja4-rules-requires-off/test.yaml index 7b3259cce..5bf55d656 100644 --- a/tests/ja4-rules-requires-off/test.yaml +++ b/tests/ja4-rules-requires-off/test.yaml @@ -1,10 +1,11 @@ requires: - min-version: 8.0.0 + min-version: 7.0.6 script: - ./src/suricata --build-info | grep "JA4 support" | grep no > /dev/null args: - -k none + - --set logging.default-log-level=info checks: - filter: diff --git a/tests/ja4-rules-requires/test.yaml b/tests/ja4-rules-requires/test.yaml index 64b17d44a..4ea60a726 100644 --- a/tests/ja4-rules-requires/test.yaml +++ b/tests/ja4-rules-requires/test.yaml @@ -1,10 +1,12 @@ requires: - min-version: 8.0.0 + min-version: 7.0.6 features: - HAVE_JA4 args: - - -k none --set app-layer.protocols.tls.ja4-fingerprints=no + - -k none + - --set app-layer.protocols.tls.ja4-fingerprints=no + - --set logging.default-log-level=info checks: - filter: diff --git a/tests/ja4-rules/test.yaml b/tests/ja4-rules/test.yaml index 6b3b8c50c..df2a7a573 100644 --- a/tests/ja4-rules/test.yaml +++ b/tests/ja4-rules/test.yaml @@ -1,5 +1,5 @@ requires: - min-version: 8.0.0 + min-version: 8 features: - HAVE_JA4 diff --git a/tests/ja4-tls-7.0.x/README.md b/tests/ja4-tls-7.0.x/README.md new file mode 100644 index 000000000..935da618d --- /dev/null +++ b/tests/ja4-tls-7.0.x/README.md @@ -0,0 +1,35 @@ +# JA4 TLS + +This test checks whether the correct JA4 fingerprints are calculated for the +given pcap, according to the [reference implementation](https://github.com/FoxIO-LLC/ja4). + +## PCAP + +Pcap was taken from another TLS Suricata-Verify test. + +## Result + +`t12i1810s1_27d4652c4487_06a4338d0495` which means + +* `t`: TCP +* `12`: TLS 1.2 +* `i`: SNI not is set +* `18`: 18 cipher suites in Client Hello +* `10`: 10 extensions in Client Hello +* `s1`: ALPN protocol (first and last character of `spdy/3.1` which is the first protocol listed in the extension) + +and the hashes of the corresponding sorted extension codes. + + +## Reference output: + +``` +$ ../ja4/binaries/linux/ja4 tests/ja4-tls/input.pcap +- stream: 0 + transport: tcp + src: 192.168.56.1 + dst: 192.168.56.101 + src_port: 49365 + dst_port: 443 + ja4: t12i1810s1_27d4652c4487_06a4338d0495 +``` diff --git a/tests/ja4-tls-7.0.x/test.yaml b/tests/ja4-tls-7.0.x/test.yaml new file mode 100644 index 000000000..521180105 --- /dev/null +++ b/tests/ja4-tls-7.0.x/test.yaml @@ -0,0 +1,17 @@ +requires: + min-version: 7.0.6 + lt-version: 8 + features: + - HAVE_JA4 + +pcap: ../ja4-tls/input.pcap + +args: + - -k none --set app-layer.protocols.tls.ja4-fingerprints=yes + +checks: + - filter: + count: 1 + match: + event_type: tls + not-has-key: tls.ja4 diff --git a/tests/ja4-tls-quic/test.yaml b/tests/ja4-tls-quic/test.yaml index 70220d2ed..1e53fcaa5 100644 --- a/tests/ja4-tls-quic/test.yaml +++ b/tests/ja4-tls-quic/test.yaml @@ -1,5 +1,5 @@ requires: - min-version: 7.0.0 + min-version: 8 features: - HAVE_JA4 diff --git a/tests/ja4-tls/test.yaml b/tests/ja4-tls/test.yaml index 948675739..29dc4cad0 100644 --- a/tests/ja4-tls/test.yaml +++ b/tests/ja4-tls/test.yaml @@ -1,5 +1,5 @@ requires: - min-version: 7.0.0 + min-version: 8 features: - HAVE_JA4