app:tlsfingerprint
Differences
app:tlsfingerprint [2017/11/28 23:57] – [Using Trisul streaming analytics] veera | app:tlsfingerprint [2017/11/29 23:02] – [What is TLS Fingerprinting] veera
Line 1: | Line 1: | ||
+ | ~~Title: SJLJSADJA ~~ | ||
+ | |||
====== TLS Fingerprinter ====== | ====== TLS Fingerprinter ====== | ||
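Review bot: the added line `~~Title: SJLJSADJA ~~` sets a page title that reads like placeholder keyboard input rather than a real title; either give the macro the page's actual title (the heading just below already reads "TLS Fingerprinter") or drop the macro before this revision is published.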
Line 10: | Line 12: | ||
===== What is TLS Fingerprinting ===== | ===== What is TLS Fingerprinting ===== | ||
- | This technique builds upon the patterns found in the client | + | This technique builds upon the patterns found in the preferences that are advertised in the " |
The 3 major fields in the Client Hello that can identify a client are | The 3 major fields in the Client Hello that can identify a client are | ||
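Review bot: the rewritten first sentence is an improvement, but the unchanged line that follows it ("The 3 major fields in the Client Hello that can identify a client are") introduces a list and ends with no punctuation; end it with a colon so the list reads as its continuation.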
Line 20: | Line 22: | ||
So if you take all the three together there is a high likelyhood that you can minimize collisions and identify a particular client on a particular operating system.If you printed out the values of all these three fields and then computed a MD5 hash over the string, we can get a ' | So if you take all the three together there is a high likelyhood that you can minimize collisions and identify a particular client on a particular operating system.If you printed out the values of all these three fields and then computed a MD5 hash over the string, we can get a ' | ||
- | At first, this approach may seem a bit flaky but it is not easy for an application to change its //print// dynamically without some major code rewrite. We currently have about 300 hashes largely due to Lee Brotherston' | + | At first, this approach may seem a bit flaky but it is not easy for an application to change its //print// dynamically without some major code rewrite. We currently have about 300 hashes largely due to Lee Brotherston' |
- | Links | + | < |
+ | Further reading | ||
* [[https:// | * [[https:// | ||
+ | * [[https:// | ||
* [[https:// | * [[https:// | ||
+ | </ | ||
==== Fingerprints database ==== | ==== Fingerprints database ==== | ||
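Review bot: two typos in the unchanged context survive this revision: "likelyhood" should be "likelihood", and "operating system.If" is missing a space after the full stop. One clarification is also worth a sentence where the text says an MD5 hash is computed over the three printed fields: the hash serves only as a short identifier for the concatenated string, so the "collisions" the paragraph wants to minimize are two different clients advertising identical field values, not collisions in the hash function itself; saying so avoids readers reading MD5's weakness into this use.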
Line 39: | Line 43: | ||
- | ===== Analysis of TLS Fingerprints | + | ==== Analysis of TLS Fingerprints ==== |
What are you going to do with these prints. There are a few options | What are you going to do with these prints. There are a few options | ||
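Review bot: the heading change from ===== to ==== moves "Analysis of TLS Fingerprints" down one level, so it now sits beside "Fingerprints database" under "What is TLS Fingerprinting"; confirm that nesting is intended, since the section covers what to do with the prints rather than the database. Also "What are you going to do with these prints." is a question and should end with a question mark.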
Line 53: | Line 57: | ||
===== How the TrisulNSM App works ===== | ===== How the TrisulNSM App works ===== | ||
- | Since we do not yet have many malware fingerprints, | + | The TLS Print app is written in LuaJIT and plugs into the TrisulNSM Scripting Engine. The source code for the App is available |
+ | |||
+ | The app generates | ||
- **Metrics** : The app generates metrics for each TLS-Print it finds. If the print is a known one, it also updates the label. You can do long term trend analysis to see when each print was seen over the past few months. | - **Metrics** : The app generates metrics for each TLS-Print it finds. If the print is a known one, it also updates the label. You can do long term trend analysis to see when each print was seen over the past few months. | ||
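Review bot: the replaced opening sentence drops the caveat "Since we do not yet have many malware fingerprints,"; that limitation tells a reader how much weight a "known print" label, or the absence of one, can bear, and it should be kept, for example as a clause in the **Metrics** bullet where the known-print label is described. The new sentence about the LuaJIT implementation and the Scripting Engine can stay as the lead; the caveat belongs with the metrics description rather than being lost.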
Line 93: | Line 99: | ||
When you reveal adjacent vertices in [[https:// | When you reveal adjacent vertices in [[https:// | ||
- | ==== Programatically resolving TLS Prints ==== | + | ===== Programatically resolving TLS Prints |
- | The TrisulNSM TLS-Print | + | This App dumps all fingerprints |
- | If you can access | + | We invite |
- | + | ||
- | + | ||
- | + | ||
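Review bot: the heading "Programatically resolving TLS Prints" is misspelled in both versions ("Programmatically"); since this revision already edits the heading (level raised from ==== to =====), fix the spelling in the same change. The level change also promotes the section to a sibling of "How the TrisulNSM App works", which fits, as it describes a separate interface (the App dumping all fingerprints) rather than the app's metrics output.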
app/tlsfingerprint.txt · Last modified: 2018/03/04 13:27 by veera