app:tlsfingerprint
Revision comparison: 2017/11/28 23:56 by veera (section "Analysis of TLS Fingerprints") and 2017/11/29 15:48 by vivek (section "Programatically resolving TLS Prints").
====== TLS Fingerprinter ======
  
  
  
==== Analysis of TLS Fingerprints ====
    
What can you do with these prints? There are a few options.
  
  
===== How the TrisulNSM App works =====
  
The TLS Print app is written in LuaJIT and plugs into the TrisulNSM Scripting Engine. The source code for the app is available in the [[https://github.com/trisulnsm/apps/tree/master/analyzers/tls-print|GitHub trisulnsm/apps repo]]. Essentially, it uses the [[https://www.trisul.org/docs/lua/reassembly.html|"TCP Reassembly Handler"]] Lua script type to parse TLS ClientHello messages, constructs the JA3 fingerprint of each one, and pushes the fingerprints back into the Trisul streaming pipeline.
  
The app generates the following pieces of information.

  - **Metrics** : The app generates metrics for each TLS Print it finds. If the print is a known one, it also updates the label. You can do long-term trend analysis to see when each print was seen over the past few months.
  - **Graph Analytics** : When a print is seen, the adjacent vertices, namely the IP flow tuples and the SNI (Server Name Indication) extension value, are added to the graph.
  - **Alerts** : Right now we do not have many malware prints, but once we do, the app can generate an alert when one is seen.
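As an added example (not the TrisulNSM app's Lua code, which lives in the repo linked above), here is the same construction in Python: parse a TLS record carrying a ClientHello, drop GREASE values, and build the JA3 string and its MD5 hash. The ClientHello is assembled inside the block by a small builder so that the example runs offline; its cipher, extension and group lists are constructed to resemble a browser hello and are not a real capture. The app does this on reassembled TCP streams in LuaJIT; this version takes the raw record bytes.

```python
"""Added example (not the TrisulNSM TLS-Print app's Lua code): build the JA3
string and hash from a raw TLS ClientHello record, dropping GREASE values."""
import hashlib
import struct

def is_grease(v: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a ... 0xfafa) change per connection
    and must be excluded, or one client would yield many different prints."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)

def _u16_list(data: bytes) -> list:
    """Split bytes into big-endian 16-bit integers."""
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(0, len(data) - len(data) % 2, 2)]

def parse_client_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ClientHello; raise ValueError otherwise."""
    if len(record) < 5 or record[0] != 0x16:                     # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                             # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    version = struct.unpack("!H", body[0:2])[0]                  # JA3 uses this, not the record version
    pos = 2 + 32                                                 # skip client_random
    pos += 1 + body[pos]                                         # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    ciphers = _u16_list(body[pos + 2:pos + 2 + cs_len])
    pos += 2 + cs_len
    pos += 1 + body[pos]                                         # skip compression methods
    extensions, groups, formats = [], [], []
    if pos + 2 <= len(body):                                     # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            extensions.append(etype)
            if etype == 10:                                      # supported_groups (elliptic curves)
                groups = _u16_list(edata[2:2 + struct.unpack("!H", edata[:2])[0]])
            elif etype == 11:                                    # ec_point_formats
                formats = list(edata[1:1 + edata[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "formats": formats}

def ja3(record: bytes) -> tuple:
    """Return (ja3_string, ja3_hash). JA3 string = version,ciphers,extensions,
    groups,point formats; decimal values joined by '-', fields joined by ','."""
    h = parse_client_hello(record)
    def field(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    s = ",".join([str(h["version"]), field(h["ciphers"]), field(h["extensions"]),
                  field(h["groups"]), "-".join(str(v) for v in h["formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()

def is_client_hello(record: bytes) -> bool:
    """True if the record parses as a ClientHello; a reassembly handler checks this first."""
    try:
        parse_client_hello(record)
        return True
    except (ValueError, IndexError, struct.error):
        return False

def build_client_hello(version, ciphers, extensions, groups, formats) -> bytes:
    """Constructed sample only: assemble a minimal ClientHello record. Extensions
    JA3 does not read (SNI, ALPN, ...) get empty bodies, which JA3 never parses."""
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body = struct.pack("!H", version) + bytes(32) + b"\x00"       # version, random, empty session id
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"         # ciphers, one compression method
    exts = b""
    for e in extensions:
        if e == 10:
            g = b"".join(struct.pack("!H", x) for x in groups)
            data = struct.pack("!H", len(g)) + g
        elif e == 11:
            data = bytes([len(formats)]) + bytes(formats)
        else:
            data = b""
        exts += struct.pack("!HH", e, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def demo() -> tuple:
    """Constructed browser-like ClientHello with GREASE in ciphers, extensions and groups."""
    rec = build_client_hello(0x0303, ciphers=[0x1A1A, 0x1301, 0x1302, 0xC02B, 0xC02F],
                             extensions=[0x2A2A, 0, 23, 65281, 10, 11, 35, 16, 5, 13],
                             groups=[0x3A3A, 29, 23, 24], formats=[0])
    return ja3(rec)

if __name__ == "__main__":
    print("%s\n%s" % demo())
```

The GREASE filter matters in practice: without it a single Chrome build produces a different print on every connection and the metrics and labels above become useless. Note also that the string uses the ClientHello's own version field (771 for TLS 1.2, which TLS 1.3 clients still send), not the outer record version.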
  
  
When you reveal adjacent vertices in [[https://www.trisul.org/docs/ug/edges/index.html|Trisul EDGE]] you will see vertices of all types. One vertex type is **User-Agent**; others are TLS Cert, Country, ASN, etc. We were lucky to find a single User-Agent in the same time interval as Semrush, which happens to be an SEO bot. So this **TLS Print can be pegged to the Semrush bot**. You can then go to the Key Dashboard and set the label to //resolve the previously unknown TLS Print//. Keep in mind that a JA3 print identifies the client's TLS stack rather than a particular application, so a label pegged on one co-occurring User-Agent is a working hypothesis until more samples confirm it.
  
===== Programmatically resolving TLS Prints =====
  
This app dumps all fingerprints, along with the parameters used to compute them (including the JA3 string, the text string from which the hash is computed), into a log file. This allows us to programmatically resolve unknown fingerprints.
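The manual resolution walk-through above (one User-Agent from the same host in the same interval) can be scripted against that log. The example below is added here and is not the app's code; the two log layouts and the label table are constructed stand-ins, since the real log format is not shown on this page, and the User-Agent strings and hashes are made up. It joins each unknown print to the User-Agents seen from the same client IP (from plaintext HTTP on the same sensor) within a time window, and only proposes a label when exactly one distinct User-Agent is seen; that check is what keeps a coincidence from becoming a wrong label.

```python
"""Added example (not part of the TrisulNSM TLS-Print app): propose labels for
unknown JA3 prints by correlating them with User-Agents from the same client."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical label table of already-resolved prints (constructed values).
KNOWN_PRINTS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "Chrome 62 on Windows"}

# Constructed TLS-print log, "<timestamp> <client ip> <ja3 hash>". This is a
# stand-in layout; the real app's log format is not reproduced here.
TLS_LOG = """\
2017-11-29T10:00:01 10.1.2.3 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
2017-11-29T10:00:04 10.1.2.3 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
2017-11-29T10:02:10 10.1.2.3 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
2017-11-29T10:05:00 10.1.2.4 cccccccccccccccccccccccccccccccc
2017-11-29T10:30:00 10.1.2.5 dddddddddddddddddddddddddddddddd
"""

# Constructed plaintext-HTTP log from the same sensor, "<timestamp> <client ip> <user-agent>".
HTTP_LOG = """\
2017-11-29T10:00:03 10.1.2.3 Mozilla/5.0 (compatible; SemrushBot/2~bl; +http://www.semrush.com/bot.html)
2017-11-29T10:02:12 10.1.2.3 Mozilla/5.0 (compatible; SemrushBot/2~bl; +http://www.semrush.com/bot.html)
2017-11-29T10:04:58 10.1.2.4 curl/7.55.1
2017-11-29T10:05:02 10.1.2.4 Mozilla/5.0 (Windows NT 10.0) Chrome/62.0
2017-11-29T11:00:00 10.1.2.5 Wget/1.19
"""

def _parse(log: str) -> list:
    """Split each line into (datetime, client ip, rest-of-line)."""
    rows = []
    for line in log.splitlines():
        ts, ip, rest = line.split(" ", 2)
        rows.append((datetime.fromisoformat(ts), ip, rest))
    return rows

def resolve_prints(tls_log: str = TLS_LOG, http_log: str = HTTP_LOG,
                   known: dict = KNOWN_PRINTS, window: timedelta = timedelta(seconds=30)) -> dict:
    """For every print not in `known`, collect the User-Agents seen from the same
    client IP within +/- window of each TLS observation.
    Returns {ja3_hash: (status, sorted user agents)} with status one of
    "resolved" (exactly one UA: safe to propose as label), "ambiguous" (several
    UAs: the host runs more than one client, do not label) or "unresolved"."""
    http = _parse(http_log)
    candidates = defaultdict(set)
    unknown = set()
    for ts, ip, ja3_hash in _parse(tls_log):
        if ja3_hash in known:
            continue                       # already labelled, nothing to resolve
        unknown.add(ja3_hash)
        for hts, hip, ua in http:
            if hip == ip and abs(hts - ts) <= window:
                candidates[ja3_hash].add(ua)
    result = {}
    for ja3_hash in unknown:
        uas = sorted(candidates[ja3_hash])
        status = "resolved" if len(uas) == 1 else ("ambiguous" if uas else "unresolved")
        result[ja3_hash] = (status, uas)
    return result

if __name__ == "__main__":
    for ja3_hash, (status, uas) in sorted(resolve_prints().items()):
        print(ja3_hash, status, uas)
```

On the constructed data the Semrush-like print resolves, the host running both curl and a browser stays ambiguous, and the print whose only HTTP traffic is an hour later stays unresolved. Widening the window trades false "resolved" results for coverage, so keep it short and confirm a proposed label on a second host before setting it in the Key Dashboard.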
  
  
  
We invite you to try this app in your network and let us know how it works. It is free to run.
  
  
  
app/tlsfingerprint.txt · Last modified: 2018/03/04 13:27 by veera