tls_print
Table of Contents
TLS Fingerprinter
This app helps with providing the steps for installing the TLS Fingerprinter App in Trisul Network Analytics.
To guess a SSL/TLS client intelligently with known prints and build a profile for known clients for white-listing using JA3-Hash.
Installing
- You can install the app by logging in as admin and selecting Web Admin > Manage > Apps > TLS Fingerprinter.
- Restart the probe after installing the app.
TLS Fingerprint Database
The App uses a stock TLS Fingerprint JSON database located at the following location,
#stock database /usr/local/var/lib/trisul-config/domain0/context0/profile0/lua/github.com_trisulnsm_apps
If you have a different JSON database,You can put it directly in the share directory at the following location,
#custom database,this is loaded if present first /usr/local/share/trisul-probe/plugins/tls-fingerprints.json
Custom:Logging hashes per flow
You can choose to log the { SSL Flow + JA3 Hash + JA3 print } on a per flow basis for troubleshooting. By default this option is turned off. To enable,
# create a file named /usr/local/var/lib/trisul-probe/domain0/probe0/context0/config/trisulnsm_tls-fingerprint.lua" # put the lines below in that file return { -- logs for each TLS flow the FlowID, JA3-Hash, JA3-String -- default is false, override if you want to debug or harvest strings in the following file -- /usr/local/var/lib/trisul-probe/d0/p0/cX/config/trisulnsm_tls-fingerprint.lua config file LogHashes=false, }
Viewing Data
- You can view the data by selecting Retro > Retro Counters.
- Select the counter-group as JA3-Print.
- You will get the metrics for each Fingerprint.
For resolved fingerprints you will see the name, for unresolved the raw MD5 print. You can click on the button for further exploration.
Also,
- You can View the Edges of fingerprints by exploring a fingerprint and selecting 'View Edges'.
- Using Edges we can expose the adjacent vertices such as which IP addresses, Ports, Servers, SNI, Certificates are related to the print.
tls_print.txt · Last modified: 2020/04/03 18:58 by navaneeth