
TLS Fingerprinter

This page describes how to install and use the TLS Fingerprinter app in Trisul Network Analytics.

The app uses JA3 hashes to identify SSL/TLS clients by matching them against known prints, and to build a profile of known clients for whitelisting.

Installing

  • You can install the app by logging in as admin and selecting Web Admin > Manage > Apps > TLS Fingerprinter.
  • Restart the probe after installing the app.

TLS Fingerprint Database

The app uses a stock TLS fingerprint JSON database at the following location:

# stock database
/usr/local/var/lib/trisul-config/domain0/context0/profile0/lua/github.com_trisulnsm_apps

If you have a different JSON database, you can put it directly in the share directory at the following location:

# custom database, this is loaded first if present
/usr/local/share/trisul-probe/plugins/tls-fingerprints.json

Custom: Logging hashes per flow

You can choose to log the { SSL Flow + JA3 Hash + JA3 print } on a per flow basis for troubleshooting. By default this option is turned off. To enable,

# create a file named /usr/local/var/lib/trisul-probe/domain0/probe0/context0/config/trisulnsm_tls-fingerprint.lua
# put the lines below in that file

return {
    -- logs the FlowID, JA3-Hash and JA3-String for each TLS flow
    -- default is false; override it in the following config file if you want to debug or harvest strings
    -- /usr/local/var/lib/trisul-probe/d0/p0/cX/config/trisulnsm_tls-fingerprint.lua
    LogHashes=true,  -- true enables per-flow logging
}

Viewing Data

  • You can view the data by selecting Retro > Retro Counters.
  • Select the counter-group as JA3-Print.
  • You will get the metrics for each Fingerprint.

For resolved fingerprints you will see the name; for unresolved ones, the raw MD5 print. You can click on the button for further exploration.

Also,

  • You can view the edges of a fingerprint by exploring it and selecting 'View Edges'.
  • Edges expose the adjacent vertices, such as the IP addresses, ports, servers, SNI and certificates related to the print.
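
How a JA3 print ends up as either a name or a raw MD5, shown as an added example that is not part of the Trisul app or its code. The ClientHello values, flow IDs and the flat hash-to-name database are constructed assumptions; the real JSON database may use a different schema.

```python
import hashlib

# GREASE values (RFC 8701) 0x0a0a, 0x1a1a, ... 0xfafa are dropped by JA3 so
# that a client which randomizes them still yields one stable print.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}

def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 string: five comma-separated fields, values dash-joined in decimal."""
    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), field(ciphers), field(extensions),
                     field(curves), field(point_formats)])

def ja3_hash(ja3):
    """The JA3 hash is the MD5 of the JA3 string, as 32 hex characters."""
    return hashlib.md5(ja3.encode("ascii")).hexdigest()

def resolve(ja3, known_prints):
    """Name of a known print, otherwise the raw MD5 (the unresolved case)."""
    digest = ja3_hash(ja3)
    return known_prints.get(digest, digest)

def unresolved_flows(flows, known_prints):
    """Flows whose print is not in the database: candidates for review
    before a whitelist of known clients is relied on."""
    return [(fid, ja3_hash(s)) for fid, s in flows
            if ja3_hash(s) not in known_prints]

# Constructed sample data, not taken from Trisul or from a real capture.
HELLO_A = ja3_string(771, [0x1A1A, 4865, 4866, 49195],
                     [0x2A2A, 0, 10, 11, 13], [0x3A3A, 29, 23, 24], [0])
# Same client, different random GREASE values on a later connection.
HELLO_A_REGREASED = ja3_string(771, [0xFAFA, 4865, 4866, 49195],
                               [0x0A0A, 0, 10, 11, 13], [0x5A5A, 29, 23, 24], [0])
HELLO_B = ja3_string(771, [49200, 49196, 157], [0, 11, 10, 35], [23, 24, 25], [0])

# Assumed shape: a flat hash -> name map (the real JSON schema may differ).
KNOWN_PRINTS = {ja3_hash(HELLO_A): "example-browser"}
FLOWS = [("flow-1", HELLO_A), ("flow-2", HELLO_A_REGREASED), ("flow-3", HELLO_B)]

if __name__ == "__main__":
    for fid, s in FLOWS:
        print(fid, resolve(s, KNOWN_PRINTS))
    print("unresolved:", unresolved_flows(FLOWS, KNOWN_PRINTS))
```

Because the hash covers only the ClientHello parameters, two different programs built on the same TLS library can share a print, so a name from the database is a hint rather than proof of identity.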

tls_print.txt · Last modified: 2020/04/03 18:58 by navaneeth