Suricata Rule Development Part 2 (Encrypted Traffic)

How can I analyze the traffic if, in the local.rule, there is no content in the rule?

#alert tls any any -> any any (msg:"Trickbot C2 SSL"; ja3.hash; content:""; sid:100299; rev:1;)

can someone help me?

You need to calculate the JA3 hash of the trickbot.pcap file, just as they do with the sliver.pcap file in the walkthrough. Your answer must be the JA3 hash, and not the full detection command.

I hope it helps.


Thx for your quick reply, going to try it out :)

Worked <3

It wasn't possible for me to follow the steps in the explanation, but I figured out my own way and I'd like to share it with you.

Make sure you can scp from the server
example: scp username@ip:/path/to/pcap_file.pcap

If you can't, restart/spawn another target so that your box has the route to it.

On Parrot:

  1. download ja3 from github
  2. install dpkt - pip3 install dpkt
  3. install pcapy - pip3 install pcapy
  4. cd to python directory within that newly copied one from github
  5. python ja3.py /path/to/pcap

You should get what you're looking for.
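The step the posts above describe is computing the JA3 of the ClientHello in trickbot.pcap so the MD5 can go into the rule's content match. The following is an added example, not code from the thread or from the ja3 project: it assumes you have already pulled the raw TLS record bytes of the ClientHello out of the pcap (for instance with dpkt or tshark), and the sample ClientHello it parses is constructed here, not taken from trickbot.pcap.

```python
import hashlib
import struct

# GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are dropped from every JA3 field.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def ja3_from_client_hello(record):
    """Return (ja3_string, ja3_md5) for a raw TLS record carrying a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9                                    # record header (5) + handshake header (4)
    version = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + 32                              # client_version + random
    pos += 1 + record[pos]                     # session id
    n = struct.unpack_from("!H", record, pos)[0]; pos += 2
    ciphers = [c for c in struct.unpack_from(f"!{n // 2}H", record, pos) if c not in GREASE]
    pos += n
    pos += 1 + record[pos]                     # compression methods
    ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]; pos += 2
    ext_types, groups, formats = [], [], []
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack_from("!HH", record, pos); pos += 4
        data = record[pos:pos + elen]; pos += elen
        if etype in GREASE:
            continue
        ext_types.append(etype)
        if etype == 0x000A:                    # supported_groups (elliptic curves)
            cnt = struct.unpack_from("!H", data)[0] // 2
            groups = [g for g in struct.unpack_from(f"!{cnt}H", data, 2) if g not in GREASE]
        elif etype == 0x000B:                  # ec_point_formats
            formats = list(data[1:1 + data[0]])
    ja3 = ",".join([str(version), "-".join(map(str, ciphers)), "-".join(map(str, ext_types)),
                    "-".join(map(str, groups)), "-".join(map(str, formats))])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def build_sample_client_hello():
    """Constructed TLS 1.2 ClientHello with GREASE entries; not from trickbot.pcap."""
    ciphers = bytes.fromhex("0a0a 1301 1302 c02b")
    exts = (bytes.fromhex("0000 000b 0009 00 0006") + b"a.test"      # server_name
            + bytes.fromhex("000a 0008 0006 0a0a 001d 0017")         # supported_groups
            + bytes.fromhex("000b 0002 01 00")                       # ec_point_formats
            + bytes.fromhex("1a1a 0000")                             # GREASE extension
            + bytes.fromhex("002b 0003 02 0304"))                    # supported_versions
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + len(ciphers).to_bytes(2, "big") + ciphers
            + b"\x01\x00" + len(exts).to_bytes(2, "big") + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


if __name__ == "__main__":
    print(*ja3_from_client_hello(build_sample_client_hello()))
```

The second printed value is what belongs inside the rule's content:"" match; Suricata computes the same MD5 for ja3.hash, so a mismatch between your script and the walkthrough usually means GREASE values were not stripped.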