Suricata Rule Development Part 2 (Encrypted Traffic)

How can I analyze the traffic if in local.rule there is no content in the rule?

#alert tls any any -> any any (msg:"Trickbot C2 SSL"; ja3.hash; content:""; sid:100299; rev:1;)

Can someone help me?

You need to calculate the JA3 hash of the trickbot.pcap file, just as they do with the sliver.pcap file in the walkthrough. Your answer must be the JA3 hash, and not the full detection command.

I hope it helps.
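How a JA3 hash is derived from a ClientHello, as an added example that is not part of this thread or of the room's walkthrough. The walkthrough computes the hash from sliver.pcap and trickbot.pcap with its own tooling; this script instead parses a constructed ClientHello byte string (the hostname, cipher list, extensions and sid are assumptions) and shows the JA3 string, its MD5, and how that MD5 becomes the `content` of the `ja3.hash` rule.

```python
"""JA3 from a TLS ClientHello: version,ciphers,extensions,curves,point_formats -> MD5.

Added example for illustration; the ClientHello below is constructed, not captured.
"""
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from JA3: 0x0a0a, 0x1a1a, ..., 0xfafa
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _u16(b: bytes, off: int) -> int:
    return struct.unpack_from("!H", b, off)[0]


def parse_client_hello(record: bytes) -> dict:
    """Extract the JA3-relevant fields from a TLS record carrying a ClientHello."""
    if record[0] != 0x16:  # record type: handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]
    if body[0] != 0x01:  # handshake type: ClientHello
        raise ValueError("not a ClientHello")
    ch = body[4:4 + int.from_bytes(body[1:4], "big")]
    off = 0
    version = _u16(ch, off); off += 2
    off += 32  # client random
    off += 1 + ch[off]  # session id
    cs_len = _u16(ch, off); off += 2
    ciphers = [_u16(ch, off + i) for i in range(0, cs_len, 2)]; off += cs_len
    off += 1 + ch[off]  # compression methods
    extensions, curves, point_formats = [], [], []
    if off < len(ch):
        end = off + 2 + _u16(ch, off); off += 2
        while off + 4 <= end:
            ext_type, ext_len = _u16(ch, off), _u16(ch, off + 2)
            data = ch[off + 4:off + 4 + ext_len]
            extensions.append(ext_type)
            if ext_type == 0x000A:  # supported_groups (elliptic curves)
                n = _u16(data, 0)
                curves = [_u16(data, 2 + i) for i in range(0, n, 2)]
            elif ext_type == 0x000B:  # ec_point_formats
                point_formats = list(data[1:1 + data[0]])
            off += 4 + ext_len
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "curves": curves, "point_formats": point_formats}


def ja3_string(f: dict) -> str:
    """Build the JA3 string; GREASE values are dropped, fields are dash-joined."""
    seg = lambda vals: "-".join(str(v) for v in vals if v not in GREASE)
    return ",".join([str(f["version"]), seg(f["ciphers"]), seg(f["extensions"]),
                     seg(f["curves"]), seg(f["point_formats"])])


def ja3_hash(record: bytes) -> str:
    """JA3 hash = MD5 of the JA3 string, lowercase hex (what Suricata's ja3.hash matches)."""
    return hashlib.md5(ja3_string(parse_client_hello(record)).encode()).hexdigest()


def suricata_rule(ja3_md5: str, msg: str, sid: int) -> str:
    """The rule shape from this thread with the computed hash filled into content."""
    return (f'alert tls any any -> any any (msg:"{msg}"; ja3.hash; '
            f'content:"{ja3_md5}"; sid:{sid}; rev:1;)')


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Constructed ClientHello (TLS 1.2 framing) for the demo; not real traffic."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"  # version, random, no session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"  # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def _sni(name: bytes) -> bytes:
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return struct.pack("!H", len(entry)) + entry


# Constructed sample: GREASE cipher and GREASE extension should not appear in the JA3.
SAMPLE_CLIENT_HELLO = build_client_hello(
    0x0303,
    [0x1A1A, 0x1301, 0x1302, 0xC02B, 0x002F],
    [(0x0A0A, b""),
     (0x0000, _sni(b"example.com")),            # assumed hostname
     (0x000A, struct.pack("!HHHH", 6, 29, 23, 24)),  # x25519, secp256r1, secp384r1
     (0x000B, b"\x01\x00"),                     # uncompressed point format
     (0x0023, b"")],                            # session ticket
)

if __name__ == "__main__":
    fields = parse_client_hello(SAMPLE_CLIENT_HELLO)
    print("JA3 string:", ja3_string(fields))
    print("JA3 hash:  ", ja3_hash(SAMPLE_CLIENT_HELLO))
    print(suricata_rule(ja3_hash(SAMPLE_CLIENT_HELLO), "Demo JA3 match", 1000001))  # sid assumed
```

Against a real capture you would pull the ClientHello bytes out of the first client-to-server TLS record of the flow (or let the walkthrough's tooling do it) and feed them to `ja3_hash`; the 32-character hex value is what goes into `content`, with `ja3.hash` keeping the match on the JA3 buffer rather than the payload.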


Thanks for your quick reply, going to try it out :slight_smile:

Worked <3