app:tlsfingerprint
app:tlsfingerprint [2017/11/28 23:54] – [What is TLS Fingerprinting] veera | app:tlsfingerprint [2017/11/29 15:48] – [Programatically resolving TLS Prints] vivek | ||
Line 1: | Line 1: | ||
+ | ~~Title: SJLJSADJA ~~ | ||
+ | |||
====== TLS Fingerprinter ====== | ====== TLS Fingerprinter ====== | ||
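Review bot: the added `~~Title: SJLJSADJA ~~` line sets a page title that reads as placeholder keystrokes rather than a real name, while the `====== TLS Fingerprinter ======` heading directly below it is unchanged; either set the macro to the page's actual title (for example `~~Title: TLS Fingerprinter ~~`) or drop the line before publishing.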
Line 28: | Line 30: | ||
==== Fingerprints database ==== | ==== Fingerprints database ==== | ||
- | The fingerprints database we have at our [[https:// | + | The fingerprints database we have at our [[https:// |
< | < | ||
Line 37: | Line 39: | ||
</ | </ | ||
- | So if you captured on a live network the JA3 hash '' | ||
- | ===== Analysis of TLS Fingerprints | + | ==== Analysis of TLS Fingerprints ==== |
What are you going to do with these prints. There are a few options | What are you going to do with these prints. There are a few options | ||
- | * Malware prints | + | |
- | * Anomaly detection : If you can track known prints,then you can build a large Database over a period of time. After that you can send unseen prints into a " | + | |
In both analysis paths,we think TLS Prints is a valuable piece of intel, especially given we are moving to pervasive TLS. | In both analysis paths,we think TLS Prints is a valuable piece of intel, especially given we are moving to pervasive TLS. | ||
- | |||
Lets look at what you can do with TrisulNSM and the new TLS Prints App. | Lets look at what you can do with TrisulNSM and the new TLS Prints App. | ||
- | ===== Using Trisul streaming analytics | + | ===== How the TrisulNSM App works |
+ | |||
+ | The TLS Print app is written in LuaJIT and plugs into the TrisulNSM Scripting Engine. The source code for the App is available on the [[https:// | ||
- | Since we do not yet have many malware fingerprints, | + | The app generates |
- | - Metrics : The app generates metrics for each TLS-Print it finds. If the print is a known one, it also updates the label. You can do long term trend analysis to see when each print was seen over the past few months. | + | - **Metrics** : The app generates metrics for each TLS-Print it finds. If the print is a known one, it also updates the label. You can do long term trend analysis to see when each print was seen over the past few months. |
- | - Graph Analytics : When a Print is seen , the edge vertices namely the IP Flow Tuples, and the SNI (Server Name Indication) Extension are added. | + | - **Graph Analytics** : When a Print is seen , the edge vertices namely the IP Flow Tuples, and the SNI (Server Name Indication) Extension are added. |
- | - Alerts : Right now we dont have many Malware prints, but when we have them, the App can generate an alert. | + | - **Alerts** : Right now we dont have many Malware prints, but when do we have them, the App can generate an alert. |
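Review bot: the rewritten Alerts bullet inverts the word order to "when do we have them"; it should read "when we do have them" (and "dont" needs an apostrophe). The same hunk also drops the line beginning "So if you captured on a live network the JA3 hash", which was the one concrete lookup walkthrough in this section; consider keeping it, since the Anomaly detection bullet still assumes the reader knows how to check a captured hash against the fingerprints database. The bold markup on the three bullets and the demotion of "Analysis of TLS Fingerprints" to `====` are fine and match the surrounding headings.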
Line 95: | Line 97: | ||
When you reveal adjacent vertices in [[https:// | When you reveal adjacent vertices in [[https:// | ||
- | ==== Programatically resolving TLS Prints ==== | + | ===== Programatically resolving TLS Prints |
- | The TrisulNSM TLS-Print | + | This App dumps all fingerprints |
- | If you can access | + | We invite |
- | + | ||
- | + | ||
- | + | ||
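Review bot: promoting "Programatically resolving TLS Prints" from `====` to `=====` makes it a sibling of "How the TrisulNSM App works" rather than a subsection of it; confirm that nesting is intended, and while touching the heading fix the spelling to "Programmatically" (the typo survives in both the old and the new version and in the revision summary). The two replacement opening sentences ("This App dumps all fingerprints", "We invite") are cut off in this view; make sure the published text says where the dump is written and what readers are being invited to do, since the removed sentences they replace were the only description of how to get at the prints.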
app/tlsfingerprint.txt · Last modified: 2018/03/04 13:27 by veera