app:tlsfingerprint [2017/11/28 23:57] – [Using Trisul streaming analytics] veera
app:tlsfingerprint [2017/11/29 15:16] vivek
Line 1: Line 1:
 +~~Title: SJLJSADJA ~~ 
 +
 ====== TLS Fingerprinter ====== ====== TLS Fingerprinter ======
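Review bot: the added `~~Title: SJLJSADJA ~~` macro sets the rendered page title to "SJLJSADJA", which reads as placeholder text rather than a title; because the Title macro is what the wiki displays in place of the first heading, either replace it with the real title, e.g. `~~Title: TLS Fingerprinter ~~`, or drop the line before publishing.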
  
Line 39: Line 41:
  
  
-===== Analysis of TLS Fingerprints =====+==== Analysis of TLS Fingerprints ====
    
 What are you going to do with these prints. There are a few options  What are you going to do with these prints. There are a few options 
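Review bot: changing the heading from `=====` to `====` demotes "Analysis of TLS Fingerprints" to a subsection of whatever `=====` section precedes it, while "How the TrisulNSM App works" at line 55 stays at `=====`; confirm that hierarchy is intended, since the same revision moves "Programatically resolving TLS Prints" in the opposite direction (from `====` to `=====`). Also, the context line "What are you going to do with these prints." is a question and should end with a question mark.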
Line 53: Line 55:
 ===== How the TrisulNSM App works  ===== ===== How the TrisulNSM App works  =====
  
-Since we do not yet have many malware fingerprints, we rely on anomaly detection to build a profile, then pick out the outliers For this purpose, the new //TLS Printer App// provides the following analysis paths.+The TLS Print app is written in LuaJIT and plugs into the TrisulNSM Scripting Engine. The source code for the App is available on the [[https://github.com/trisulnsm/apps/tree/master/analyzers/tls-print|Github trisulnsm/apps repo]]Essentially it uses the [[https://www.trisul.org/docs/lua/reassembly.html|"TCP Reassembly Handler"]] Lua script type and parses the Client Hello messages and constructs the JA3 fingerprints and pushes them back into the Trisul streaming pipeline.  
 + 
 +The app generates the following pieces of info
  
   - **Metrics** :  The app generates metrics for each TLS-Print it finds. If the print is a known one, it also updates the label. You can do long term trend analysis to see when each print was seen over the past few months.   - **Metrics** :  The app generates metrics for each TLS-Print it finds. If the print is a known one, it also updates the label. You can do long term trend analysis to see when each print was seen over the past few months.
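Review bot: the rewritten paragraph drops the reason the app takes the approach it does (few malware fingerprints are known, so it builds a profile of normal traffic and picks out outliers) and replaces it with implementation detail, so the list that follows, which separates "known" prints from the rest, loses its motivation; keep one sentence of that rationale next to the new description. The new text also runs two sentences together after the repo link ("...trisulnsm/apps repo]]Essentially it uses..." needs a period and a space), and since "parses the Client Hello messages and constructs the JA3 fingerprints" does not say which Client Hello fields are concatenated before hashing, readers who want to reproduce a print by hand will need that stated or linked. Minor: "The app generates the following pieces of info" should end with a colon.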
Line 93: Line 97:
 When you reveal adjacent vertices in [[https://www.trisul.org/docs/ug/edges/index.html|Trisul EDGE]] you will see vertices of all types. One of vertex types is **User-Agent** others are TLS Cert, Country, ASN etc.  We are lucky that we found a single User Agent around the same time interval as Semrush - which happens to be a SEO Bot. So there .. this **TLS Print can be pegged to SEMRUSH Bot**.  You can then go to the Key Dashboard and set the label to //resolve the previously unknown TLS Print// When you reveal adjacent vertices in [[https://www.trisul.org/docs/ug/edges/index.html|Trisul EDGE]] you will see vertices of all types. One of vertex types is **User-Agent** others are TLS Cert, Country, ASN etc.  We are lucky that we found a single User Agent around the same time interval as Semrush - which happens to be a SEO Bot. So there .. this **TLS Print can be pegged to SEMRUSH Bot**.  You can then go to the Key Dashboard and set the label to //resolve the previously unknown TLS Print//
  
-==== Programatically resolving TLS Prints ====+===== Programatically resolving TLS Prints =====
  
-The TrisulNSM TLS-Print App logs all fingerprints in a file located in the following directory. It also includs the so called JA3-String which is a text string used to compute the hash (print)The format of the file is +This App dumps all fingerprints along with the parameters used to compute them and the TCP Flow details in a log file In another article we will outline how we can programatically deduce the Client Fingerprint.
  
  
- +We invite you to try this app in your network and let us know how it works. It is free to run . 
-If you can access to a busy Web Server you can setup a // HTTP 301 Redirect // to help resolve TLS Prints. The way it works is  +
- +
-  +
- +
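Review bot: the replacement text under "Programatically resolving TLS Prints" removes the log-file location, the description of the file format (including the JA3-String from which the hash is computed) and the HTTP 301 redirect technique, and leaves only a promise of "another article", so the section no longer contains anything programmatic; either keep the log-file path and format here or add the link once the follow-up article exists. Promoting the heading from `====` to `=====` makes it a peer of "How the TrisulNSM App works", which fits a section that is no longer a sub-step. Spelling: "Programatically" in the heading and "programatically" in the body should be "programmatically", and "It is free to run ." has a stray space before the period.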
  
  
  
app/tlsfingerprint.txt · Last modified: 2018/03/04 13:27 by veera