This page gives the steps for installing the TLS Fingerprinter App in Trisul Network Analytics.
The app identifies an SSL/TLS client by matching it against known prints, and builds a profile of known clients for white-listing using the JA3 hash.
The App uses a stock TLS Fingerprint JSON database at the following location:
# stock database
/usr/local/var/lib/trisul-config/domain0/context0/profile0/lua/github.com_trisulnsm_apps
If you have a different JSON database, you can put it directly in the share directory at the following location:
# custom database, this is loaded first if present
/usr/local/share/trisul-probe/plugins/tls-fingerprints.json
You can choose to log the { SSL Flow + JA3 Hash + JA3 print } on a per-flow basis for troubleshooting. By default this option is turned off. To enable it:
# create a file named /usr/local/var/lib/trisul-probe/domain0/probe0/context0/config/trisulnsm_tls-fingerprint.lua
# put the lines below in that file
return {
  -- logs for each TLS flow the FlowID, JA3-Hash, JA3-String
  -- default is false, override if you want to debug or harvest strings in the following file
  -- /usr/local/var/lib/trisul-probe/d0/p0/cX/config/trisulnsm_tls-fingerprint.lua config file
  LogHashes=false,
}
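How a logged JA3 string relates to its JA3 hash, and how a harvested value can be checked against a fingerprint database for white-listing, shown as an added example in Python (not the app's own Lua code). The JSON field names `ja3_hash` and `desc`, the sample ClientHello values and the database entry are assumptions constructed for illustration; the schema of the real database may differ.

```python
import hashlib
import json

# GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ... 0xfafa) are dropped by JA3
# so that a client's randomised placeholders do not change its hash.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Build the JA3 string from ClientHello fields given as integers."""
    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    # Field order is fixed; an empty field stays as an empty string.
    return ",".join([str(version), join(ciphers), join(extensions),
                     join(curves), join(point_formats)])


def ja3_hash(ja3_str):
    """The JA3 hash is the MD5 hex digest of the JA3 string."""
    return hashlib.md5(ja3_str.encode("ascii")).hexdigest()


def load_prints(json_text):
    """Index a fingerprint database by hash (schema is an assumption)."""
    return {e["ja3_hash"]: e["desc"] for e in json.loads(json_text)}


def classify(ja3_str, prints):
    """Return (hash, description) or (hash, 'UNKNOWN') for review."""
    h = ja3_hash(ja3_str)
    return h, prints.get(h, "UNKNOWN")


# Constructed sample: ClientHello fields with GREASE values mixed in.
SAMPLE = dict(version=771, ciphers=[0x0A0A, 4865, 4866],
              extensions=[0x1A1A, 0, 10, 11], curves=[0x2A2A, 29, 23],
              point_formats=[0])
KNOWN_STR = ja3_string(**SAMPLE)
# Constructed one-entry database holding the hash of the sample client.
DB_JSON = json.dumps([{"ja3_hash": ja3_hash(KNOWN_STR),
                       "desc": "constructed-known-client"}])

if __name__ == "__main__":
    prints = load_prints(DB_JSON)
    for s in (KNOWN_STR, "771,4865,0-10,29,0"):  # second string is not in the DB
        print(s, *classify(s, prints))
```

Strings that come back as `UNKNOWN` are the candidates to review before adding them to a custom database.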
Also,