From 4c1aa45fc6c0810d742b4644e148eb8c4be24bca Mon Sep 17 00:00:00 2001
From: Richard McConnell
Date: Wed, 29 Jan 2025 09:03:34 +0000
Subject: [PATCH] Introduce TLS-JA4 client/server handshake tests

This update introduces two new tests to accompany the introduction of client/server handshake parameters and output via JSON-EVE.
- ja4-cl-handshake: client eve output test
- ja4-sv-handshake: server eve output test
---
 tests/ja4-cl-handshake/input.pcap | Bin 0 -> 2721 bytes
 tests/ja4-cl-handshake/suricata.yaml | 12 ++++++++++++
 tests/ja4-cl-handshake/test.yaml | 12 ++++++++++++
 tests/ja4-sv-handshake/input.pcap | Bin 0 -> 2721 bytes
 tests/ja4-sv-handshake/suricata.yaml | 12 ++++++++++++
 tests/ja4-sv-handshake/test.yaml | 11 +++++++++++
 6 files changed, 47 insertions(+)
 create mode 100644 tests/ja4-cl-handshake/input.pcap
 create mode 100644 tests/ja4-cl-handshake/suricata.yaml
 create mode 100644 tests/ja4-cl-handshake/test.yaml
 create mode 100644 tests/ja4-sv-handshake/input.pcap
 create mode 100644 tests/ja4-sv-handshake/suricata.yaml
 create mode 100644 tests/ja4-sv-handshake/test.yaml
diff --git a/tests/ja4-cl-handshake/input.pcap b/tests/ja4-cl-handshake/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..77c4aa27a5b30b93a405a7a522cdbbcb44bd638f GIT binary patch literal 2721 zc-qaCdr(tX9>;(8-Xw$&-0(02i)`c>P$WT+$I22wT?WK0BZ>kdL6KO3Adpo-F;HrT*>%t}s>EMr^@wj9=wBqz}VB2*`Qkbv;U>Uhy3}Qyt zs&gDdjz&gixIs`wLAdiH`uQ?`TVx*W3#wZdzW)lep8H$OW3avyQ^c6>{^WY*A`edSS>s)1&9~HT&li+rcSi!asTQe(kgxtqU8*iqEmS!|p2|ukfLN8K z$`)c&ER`|1t8`UHump19bMQpjxqu@~A^|B1fDJ4Foh|V(Tel@iK@VsY5F}c|>+`_` z%)u0RV2R%3qG5uDJ_unkjiOTwimAh7GIg0OrXG{Vq%#>bf=)0{%p^q-BtelRNh9eb zgTxtiE!UFzR6U(ry>LdXxLNg#s%T6zN2w2e-Zqs{Yy{2;6E6hN;XVbLF`Gy=wu&*4 z@jxq)2SZfGG%*qrxfBK7B!DMH#Wz^4+tiqC`^Sh5ak^(?*gE?UpOWg#ajUWD-O-^B zdH^L3b5VjQ!>Pn9e@zEb$YXjy9tQFtkeR{^GF_NK43fHV{Bm;Yi1JLYP@kb|f57j+ zD}92{qk}MgzerE0%b?cM7)IpUH6pIi7*CjN{ngPs`F@hPge2*<#AuO`&;YONuvs6* zCnhJw#mkeWQ;RG%%U2dJ-?Bz3NsJY-g)F>Cv8iNPlE_+UIW4G5aJfnHgaiZ-Z^j=a z;SUzaC&mcPP4q=>LRY6HA~$Dep=&6by1z61f3caK|89N+9jNr9D8oZ!dOGx1HGlR- zEg#;|GZ>?PWvxrpr?(tlBwW1fS~(H7ztwMHV@_X@zf1nkU-#y?B~O&!-S!;OrYp~RnyZ}9{hDeO4S~AV6fB58_`v-KmAK=X!-rCeE*S1YkOt! z*oD0KlF5vEDE-Bv?sb4rHTj0Qk3{E|m{nd1`KrD$=Yxu{a6^|J8C{(=C0Eow^LIW= z(Y4_EMtf|X^V(qb9*2P3;G^QQbN8Hz^}=%eA3wTr&4d_T+G%;ebfYS#VN|i7)nIU2gq6bl$+q z-j7OEg6()`pJM}*QZSz{NPDx}`Je8O?u3g2MtZXT*1~DIy+^OT$sn?}6m~HLOd2Tm zd3y^|+LfX-rwu=pcla44L5jU)y)uQNu>_2@<*YYqPF3D ztkt>-7rhBUuKIxcPA5MpSM9bGkJWhsdy7fz~L>|0sd^k)i7s(6iwY3UMJATQtBXeFT-59+|5cqw;WcrPp?E?pMd3M+52HrW49r5=G zvwGggF%NCOx#Oq|(K$J=d{Vva`~_^cDUJ@#sM9zTzi)GdO{+JytGjztaWU zp~V7f>$RgJV|kgKqHa@((&y^ixzJ%Rm)YnC==^jxK}?P}bbL&|%zpLSVy@A|`f zht&@s(Y`scMLzoYMC4v+U7mNX$C-Pzq|W`a!h^TIulK8fETwee8D;l~MTzgwx{7;` zrPl);PStzqeX-GP8^7((r(R34UHGDp_Z}I|c`V%j%C2S4h7y{^PZ07>h6O{khXw4n73@A*R8arkn_Vn!JU}%yQ{?1#E#z6!Q2hc z1g2QpJedv>BrDM-y@rg?NITAwF49Pw62ys#nbLES^t`vy`JSgn$%PGBkzcMz^JaFZ zEvYERf{c{+UbH@%i}s_L`=x#Wi8kPi_T+E-MTSK&Q784iL|+YYn^vL$B7X9F;%3Er b5A`NZD1oy=X+YE`3JyV>luw7^h^hYrQlEV3 literal 0 Hc-jL100001 
diff --git a/tests/ja4-cl-handshake/suricata.yaml b/tests/ja4-cl-handshake/suricata.yaml
new file mode 100644
index 000000000..3f8c8305c
--- /dev/null
+++ b/tests/ja4-cl-handshake/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - tls:
+ enabled: yes
+ custom: [client_handshake]
diff --git a/tests/ja4-cl-handshake/test.yaml b/tests/ja4-cl-handshake/test.yaml
new file mode 100644
index 000000000..51f8b45be
--- /dev/null
+++ b/tests/ja4-cl-handshake/test.yaml
@@ -0,0 +1,12 @@
+requires:
+ min-version: 8
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.client_handshake.version: TLS 1.2
+ tls.client_handshake.ciphers: [49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255]
+ tls.client_handshake.exts: [0,11,10,35,22,23,13]
+ tls.client_handshake.sig_algs: [1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,515,769,513,770,514,1026,1282,1538]
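Review bot: The eve config for a test named ja4-cl-handshake enables only `client_handshake` in the tls `custom:` list, so the JA4 fingerprint value itself is never logged or asserted by this test; if the intent is to cover the raw handshake parameters rather than the hash, a comment above `custom:` such as `# raw ClientHello parameters only; the JA4 hash itself is not exercised here` stops a later reader from assuming otherwise. If the hash should be covered too, add the tls logger's custom field for it (if this build exposes one) to the same list and pin its value in test.yaml. The same point applies to tests/ja4-sv-handshake/suricata.yaml in the later hunk. `enabled: yes` follows Suricata's own yes/no convention under the `%YAML 1.1` directive, so no change is needed there.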
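Review bot: The single filter in tests/ja4-cl-handshake/test.yaml only proves that one tls event carries the expected client_handshake values; it never proves that `server_handshake` is absent even though suricata.yaml enables only `client_handshake`, so a regression that ignores the `custom:` gating and logs both sides would still pass. A second filter on the same event, `- filter: count: 1 match: event_type: tls not-has-key: tls.server_handshake`, closes that gap if this harness version supports `not-has-key`; the mirror-image check (no `tls.client_handshake`) belongs in tests/ja4-sv-handshake/test.yaml. The list matches on `ciphers`, `exts` and `sig_algs` are compared in wire order, which is what a raw handshake log should preserve, so that part is right; a one-line comment above `checks:` saying that order is intentional would keep someone from "fixing" a future mismatch by sorting.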
diff --git a/tests/ja4-sv-handshake/input.pcap b/tests/ja4-sv-handshake/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..77c4aa27a5b30b93a405a7a522cdbbcb44bd638f GIT binary patch literal 2721 zc-qaCdr(tX9>;(8-Xw$&-0(02i)`c>P$WT+$I22wT?WK0BZ>kdL6KO3Adpo-F;HrT*>%t}s>EMr^@wj9=wBqz}VB2*`Qkbv;U>Uhy3}Qyt zs&gDdjz&gixIs`wLAdiH`uQ?`TVx*W3#wZdzW)lep8H$OW3avyQ^c6>{^WY*A`edSS>s)1&9~HT&li+rcSi!asTQe(kgxtqU8*iqEmS!|p2|ukfLN8K z$`)c&ER`|1t8`UHump19bMQpjxqu@~A^|B1fDJ4Foh|V(Tel@iK@VsY5F}c|>+`_` z%)u0RV2R%3qG5uDJ_unkjiOTwimAh7GIg0OrXG{Vq%#>bf=)0{%p^q-BtelRNh9eb zgTxtiE!UFzR6U(ry>LdXxLNg#s%T6zN2w2e-Zqs{Yy{2;6E6hN;XVbLF`Gy=wu&*4 z@jxq)2SZfGG%*qrxfBK7B!DMH#Wz^4+tiqC`^Sh5ak^(?*gE?UpOWg#ajUWD-O-^B zdH^L3b5VjQ!>Pn9e@zEb$YXjy9tQFtkeR{^GF_NK43fHV{Bm;Yi1JLYP@kb|f57j+ zD}92{qk}MgzerE0%b?cM7)IpUH6pIi7*CjN{ngPs`F@hPge2*<#AuO`&;YONuvs6* zCnhJw#mkeWQ;RG%%U2dJ-?Bz3NsJY-g)F>Cv8iNPlE_+UIW4G5aJfnHgaiZ-Z^j=a z;SUzaC&mcPP4q=>LRY6HA~$Dep=&6by1z61f3caK|89N+9jNr9D8oZ!dOGx1HGlR- zEg#;|GZ>?PWvxrpr?(tlBwW1fS~(H7ztwMHV@_X@zf1nkU-#y?B~O&!-S!;OrYp~RnyZ}9{hDeO4S~AV6fB58_`v-KmAK=X!-rCeE*S1YkOt! z*oD0KlF5vEDE-Bv?sb4rHTj0Qk3{E|m{nd1`KrD$=Yxu{a6^|J8C{(=C0Eow^LIW= z(Y4_EMtf|X^V(qb9*2P3;G^QQbN8Hz^}=%eA3wTr&4d_T+G%;ebfYS#VN|i7)nIU2gq6bl$+q z-j7OEg6()`pJM}*QZSz{NPDx}`Je8O?u3g2MtZXT*1~DIy+^OT$sn?}6m~HLOd2Tm zd3y^|+LfX-rwu=pcla44L5jU)y)uQNu>_2@<*YYqPF3D ztkt>-7rhBUuKIxcPA5MpSM9bGkJWhsdy7fz~L>|0sd^k)i7s(6iwY3UMJATQtBXeFT-59+|5cqw;WcrPp?E?pMd3M+52HrW49r5=G zvwGggF%NCOx#Oq|(K$J=d{Vva`~_^cDUJ@#sM9zTzi)GdO{+JytGjztaWU zp~V7f>$RgJV|kgKqHa@((&y^ixzJ%Rm)YnC==^jxK}?P}bbL&|%zpLSVy@A|`f zht&@s(Y`scMLzoYMC4v+U7mNX$C-Pzq|W`a!h^TIulK8fETwee8D;l~MTzgwx{7;` zrPl);PStzqeX-GP8^7((r(R34UHGDp_Z}I|c`V%j%C2S4h7y{^PZ07>h6O{khXw4n73@A*R8arkn_Vn!JU}%yQ{?1#E#z6!Q2hc z1g2QpJedv>BrDM-y@rg?NITAwF49Pw62ys#nbLES^t`vy`JSgn$%PGBkzcMz^JaFZ zEvYERf{c{+UbH@%i}s_L`=x#Wi8kPi_T+E-MTSK&Q784iL|+YYn^vL$B7X9F;%3Er b5A`NZD1oy=X+YE`3JyV>luw7^h^hYrQlEV3 literal 0 Hc-jL100001 
diff --git a/tests/ja4-sv-handshake/suricata.yaml b/tests/ja4-sv-handshake/suricata.yaml
new file mode 100644
index 000000000..60b2f3c00
--- /dev/null
+++ b/tests/ja4-sv-handshake/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - tls:
+ enabled: yes
+ custom: [server_handshake]
diff --git a/tests/ja4-sv-handshake/test.yaml b/tests/ja4-sv-handshake/test.yaml
new file mode 100644
index 000000000..d6cd8b2d3
--- /dev/null
+++ b/tests/ja4-sv-handshake/test.yaml
@@ -0,0 +1,11 @@
+requires:
+ min-version: 8
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.server_handshake.version: TLS 1.2
+ tls.server_handshake.cipher: 49200
+ tls.server_handshake.exts: [65281,11,35,23]
-- 
2.47.2
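Review bot: tests/ja4-sv-handshake/input.pcap is a byte-identical copy of the client test's capture (both binary hunks carry blob id 77c4aa27a5b30b93a405a7a522cdbbcb44bd638f), and this suricata.yaml differs from tests/ja4-cl-handshake/suricata.yaml only in `custom: [server_handshake]`. If the harness allows a test to point at another test's capture, referencing the ja4-cl-handshake pcap from test.yaml avoids carrying the same 2721-byte binary twice and keeps the two cases from drifting when the capture is regenerated; otherwise a comment above `outputs:` noting the shared origin, `# same capture as ja4-cl-handshake; only the server side is logged here`, is enough. Alternatively, since both sides come from the same flow, one test with `custom: [client_handshake, server_handshake]` and both sets of checks would cover the same ground with one copy of the capture.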