ja3 and so-import-pcap


brandon larson

Aug 16, 2019, 11:18:01 AM
to security-onion
Greetings all,

I am trying to do a little research on ja3. I have some ssl traffic pcaps that I am ingesting into SO via the so-import-pcap script. The script runs as planned, but I do not see any ja3 info in kibana. Is this typically located in the SSL section? I have checked the local.bro and ja3 is not commented out.
Any suggestions? Thanks

Brandon

Doug Burks

Aug 16, 2019, 1:08:53 PM
to securit...@googlegroups.com
Hi Brandon,

Yes, the ssl.log should contain ja3 and ja3s fields.  I just tested on the current 16.04.6.1 ISO image with "sudo so-import-pcap /opt/samples/mta/*.pcap" and it seems to be working fine for me:

[attached screenshot: image.png]

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/security-onion/e319001a-edd1-43d7-8b25-9cd69dd91062%40googlegroups.com.


--
Doug Burks
CEO
Security Onion Solutions, LLC
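As an added example (not code from this thread, from Security Onion or from the Zeek ja3 package), the script below reads a Zeek/Bro ssl.log in its tab-separated layout, the form so-import-pcap leaves on disk, and reports whether the ja3 and ja3s columns exist and how many connections actually carry a value. That is the check worth running before building a Kibana visualization: if the columns are absent, the ja3 package is not loaded; if they are present but unset ("-") for a connection, Zeek did not see that session's ClientHello or ServerHello (typically a mid-stream capture), since ja3 is derived from the ClientHello and ja3s from the ServerHello. The log content, uids, addresses and fingerprint values are constructed placeholders.

```python
"""Check a Zeek ssl.log (TSV format) for populated ja3 / ja3s fields.

Added example; the sample log below is constructed and its fingerprint
values are placeholders, not real JA3 hashes.
"""
from collections import Counter


def _tsv(*cols):
    return "\t".join(cols)


# Column layout of a trimmed ssl.log with the two columns the ja3 package appends.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "version", "cipher", "server_name", "ja3", "ja3s"]
TYPES = ["time", "string", "addr", "port", "addr", "port",
         "string", "string", "string", "string", "string"]

# Constructed rows: one full handshake, one with only the ClientHello seen,
# one where neither hello was observed (all values made up).
ROWS = [
    ["1565968681.123456", "Cabc1", "10.0.0.5", "51234", "93.184.216.34", "443",
     "TLSv12", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "example.com",
     "0000000000000000000000000000000a", "000000000000000000000000000000aa"],
    ["1565968682.223456", "Cabc2", "10.0.0.6", "51235", "93.184.216.34", "443",
     "TLSv12", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "example.com",
     "0000000000000000000000000000000a", "-"],
    ["1565968683.323456", "Cabc3", "10.0.0.7", "51236", "198.51.100.9", "443",
     "TLSv13", "TLS_AES_256_GCM_SHA384", "-", "-", "-"],
]


def make_log(fields, rows):
    """Build a Zeek-style TSV log (header directives, rows, #close)."""
    lines = ["#separator \\x09",
             _tsv("#set_separator", ","),
             _tsv("#empty_field", "(empty)"),
             _tsv("#unset_field", "-"),
             _tsv("#path", "ssl"),
             _tsv("#fields", *fields),
             _tsv("#types", *[t for t, _ in zip(TYPES, fields)])]
    lines += [_tsv(*row[:len(fields)]) for row in rows]
    lines.append(_tsv("#close", "2019-08-16-11-18-05"))
    return "\n".join(lines) + "\n"


SAMPLE_SSL_LOG = make_log(FIELDS, ROWS)            # ja3 package loaded
SAMPLE_SSL_LOG_NO_JA3 = make_log(FIELDS[:-2], ROWS)  # ja3 package not loaded


def parse_zeek_tsv(text):
    """Parse Zeek TSV output into (field_names, list_of_dicts).

    Honours the #fields, #unset_field and #empty_field directives; unset
    values become None, empty values become "".
    """
    fields, unset, empty, records = None, "-", "(empty)", []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, val = line[1:].partition("\t")
            if key == "fields":
                fields = val.split("\t")
            elif key == "unset_field":
                unset = val
            elif key == "empty_field":
                empty = val
            continue  # other directives (separator, path, types, close) are ignored
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        records.append({n: (None if v == unset else "" if v == empty else v)
                        for n, v in zip(fields, values)})
    return fields, records


def ja3_summary(text):
    """Report whether ja3/ja3s columns exist and how many rows populate them."""
    fields, records = parse_zeek_tsv(text)
    present = "ja3" in fields and "ja3s" in fields
    with_ja3 = [r for r in records if r.get("ja3")]
    with_ja3s = [r for r in records if r.get("ja3s")]
    return {
        "ja3_columns_present": present,
        "records": len(records),
        "with_ja3": len(with_ja3),
        "with_ja3s": len(with_ja3s),
        # Most common client fingerprints: the first thing to pivot on in a hunt.
        "top_ja3": Counter(r["ja3"] for r in with_ja3).most_common(5),
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSL_LOG
    for k, v in ja3_summary(text).items():
        print(f"{k}: {v}")
```

Run it with the path to the ssl.log that so-import-pcap produced (or with no argument to use the constructed sample). A result of ja3_columns_present False points at the ja3 package not being loaded in local.bro; present columns with a low with_ja3 count point at the capture itself, not at the ja3 script.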

brandon larson

Aug 16, 2019, 1:17:07 PM
to security-onion
Doug,

Thanks! I did see the logs in the /import directory. For some reason I thought that they were a default visualization in Kibana. I added the ja3 and ja3s to the dashboard and everything is working as it should. Thank you again.

Brandon
