JA3 lookup for TLS flows

[martinscheu]

Hello If possible please add JA3 certificate lookup for other applications than HTTPS traffic, e.g. POPS, IMAPS, SMTPS. PCAP to reproduce: https://www.malware-traffic-analysis.net/2020/12/07/2020-12-07-Qakbot-with-Cobalt-Strike-and-spambot-activity.pcap.zip (password: infected) E.g. POPS

Above example should lead to [Abuse.ch] Possible Quakbot Thanks

[cardigliano]

POPS, IMAPS, SMTPS protocols using TLS as transport should show JA3 info now (next build)

[martinscheu]

Hi Alfredo( @cardigliano ) Thanks for the fix, I can confirm that for the 3 mentioned protocols it is working. May I ask for the lookup if the signature is blacklisted as well? E.g. for TCP I get:

Blacklisted get a little red icon and a "Possibly Malicious Signature" as flow risk. Sorry for being nitpicking. Thanks

[lucaderi]

This issue is not implemented as it should: the JA3 blacklisted signature must feed the flow risk

[lucaderi]

@cardigliano See https://github.com/ntop/nDPI/commit/f1b22b199f08469407c55dcd98ec24af85da0fd3 and ndpi_load_malicious_ja3_file() API call

[cardigliano]

Malicious JA3 signatures are now loaded to nDPI and the flow risk is displayed as in the picture

[martinscheu]

Hi Alfredo (@cardigliano ) Thank you for the update. Could the flow risk text be same as with TCP: "Possibly Malicious Signature" ? Reason: JA3 lookup can generate false positives. Thank you.

[cardigliano]

Sure, I can change it

[cardigliano]

https://github.com/ntop/ntopng/commit/a4b6be18b4f70d6854d2e011feaf86b2ed7214aa

[cardigliano]

@martinscheu please confirm this is providing the expected information now

[martinscheu]

Hi Alfredo, @cardigliano, thanks for the update, it is working as expected. Some flows in the test pcap don't show a JA3 signature, guess they are too short?

[simonemainardi]

Fix undone in https://github.com/ntop/ntopng/commit/e68350c6d182791030cdae8f4d621e2756fe6d5b