opencybersecurityalliance / stix-shifter

This project consists of an open source library allowing software to connect to data repositories using STIX Patterning, and return results as STIX Observations.
https://stix-shifter.readthedocs.io

ja3 and ja3s hashes are mapped differently across multiple data sources #972

Open pcoccoli opened 2 years ago

pcoccoli commented 2 years ago

Is your feature request related to a problem? Please describe.

qradar, elastic_ecs, and darktrace connectors all map ja3 and ja3s hashes to different extensions:

Describe the solution you'd like

ja3 and ja3s are hashes derived from the client and server parts of the TLS handshake. They would be more useful if all data sources that map them do it consistently. Perhaps a common extension on network-traffic?

Describe alternatives you've considered

None

Additional context

Background info on ja3/ja3s: https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967

Current mappings:

./elastic_ecs/stix_translation/json/stix_2_1/to_stix_map.json:2155:      "ja3": {
./elastic_ecs/stix_translation/json/stix_2_1/to_stix_map.json:2156:        "key": "x-ecs-tls.client_ja3",
./elastic_ecs/stix_translation/json/stix_2_1/to_stix_map.json:2203:      "ja3s": {
./elastic_ecs/stix_translation/json/stix_2_1/to_stix_map.json:2204:        "key": "x-ecs-tls.server_ja3s",
./elastic_ecs/stix_translation/json/to_stix_map.json:2183:      "ja3": {
./elastic_ecs/stix_translation/json/to_stix_map.json:2184:        "key": "x-ecs-tls.client_ja3",
./elastic_ecs/stix_translation/json/to_stix_map.json:2231:      "ja3s": {
./elastic_ecs/stix_translation/json/to_stix_map.json:2232:        "key": "x-ecs-tls.server_ja3s",
./qradar/stix_translation/json/stix_2_1/to_stix_map.json:610:  "tlsja3hash": {
./qradar/stix_translation/json/stix_2_1/to_stix_map.json:611:    "key": "x-qradar.tls_ja3_hash",
./qradar/stix_translation/json/stix_2_1/to_stix_map.json:614:  "tlsja3shash": {
./qradar/stix_translation/json/stix_2_1/to_stix_map.json:615:    "key": "x-qradar.tls_ja3s_hash",
./qradar/stix_translation/json/to_stix_map.json:609:  "tlsja3hash": {
./qradar/stix_translation/json/to_stix_map.json:610:    "key": "x-qradar.tls_ja3_hash",
./qradar/stix_translation/json/to_stix_map.json:613:  "tlsja3shash": {
./qradar/stix_translation/json/to_stix_map.json:614:    "key": "x-qradar.tls_ja3s_hash",
./darktrace/stix_translation/json/stix_2_1/to_stix_map.json:373:        "ja3_client_fingerprint": [
./darktrace/stix_translation/json/stix_2_1/to_stix_map.json:375:                "key": "x509-certificate.extensions.x-darktrace-ssl.ja3_client_fingerprint",
./darktrace/stix_translation/json/stix_2_1/to_stix_map.json:379:        "ja3s_server_fingerprint": [
./darktrace/stix_translation/json/stix_2_1/to_stix_map.json:381:                "key": "x509-certificate.extensions.x-darktrace-ssl-ext.ja3s_server_fingerprint",
./darktrace/stix_translation/json/to_stix_map.json:373:     "ja3_client_fingerprint": [
./darktrace/stix_translation/json/to_stix_map.json:375:             "key": "x509-certificate.extensions.x-darktrace-ssl.ja3_client_fingerprint",
./darktrace/stix_translation/json/to_stix_map.json:379:     "ja3s_server_fingerprint": [
./darktrace/stix_translation/json/to_stix_map.json:381:             "key": "x509-certificate.extensions.x-darktrace-ssl.ja3s_server_fingerprint",

pcoccoli commented 2 years ago

Note that the darktrace module creates an extension on x509-certificate when ja3/ja3s hashes are done on the TLS handshake, not the certificate.
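
An added example, not part of the issue thread or of stix-shifter's own code: a small audit that walks to_stix_map-style structures, collects every STIX key that carries a ja3 or ja3s hash, and reports where connectors disagree. The `"key"` values are the ones in the grep output above; the surrounding nesting in `SAMPLE_MAPS` and the function names are assumptions made for the example.

```python
from collections import defaultdict

DT = "x509-certificate.extensions."
# Constructed fragments: only the "key" strings come from the grep output above;
# the JSON nesting around them is assumed for this example.
SAMPLE_MAPS = {
    "elastic_ecs": {"tls": {"ja3": {"key": "x-ecs-tls.client_ja3"},
                            "ja3s": {"key": "x-ecs-tls.server_ja3s"}}},
    "qradar": {"tlsja3hash": {"key": "x-qradar.tls_ja3_hash"},
               "tlsja3shash": {"key": "x-qradar.tls_ja3s_hash"}},
    "darktrace": {
        "ja3_client_fingerprint": [{"key": DT + "x-darktrace-ssl.ja3_client_fingerprint"}],
        "ja3s_server_fingerprint": [{"key": DT + "x-darktrace-ssl.ja3s_server_fingerprint"}]},
    "darktrace/stix_2_1": {
        "ja3_client_fingerprint": [{"key": DT + "x-darktrace-ssl.ja3_client_fingerprint"}],
        "ja3s_server_fingerprint": [{"key": DT + "x-darktrace-ssl-ext.ja3s_server_fingerprint"}]},
}

def iter_keys(node):
    """Yield every "key" string found anywhere in a nested mapping."""
    if isinstance(node, dict):
        for name, value in node.items():
            if name == "key" and isinstance(value, str):
                yield value
            else:
                yield from iter_keys(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_keys(item)

def classify(stix_key):
    """Return 'ja3s', 'ja3' or None based on the final property name."""
    prop = stix_key.rsplit(".", 1)[-1].lower()
    return "ja3s" if "ja3s" in prop else "ja3" if "ja3" in prop else None

def audit(maps):
    """Return (distinct STIX targets per hash kind, maps whose ja3 and ja3s
    hashes land in different containers)."""
    by_kind, split = defaultdict(set), []
    for name, mapping in maps.items():
        containers = set()
        for key in iter_keys(mapping):
            kind = classify(key)
            if kind:
                by_kind[kind].add(key)
                containers.add(key.rsplit(".", 1)[0])  # object/extension path
        if len(containers) > 1:
            split.append(name)
    return {kind: sorted(keys) for kind, keys in by_kind.items()}, split

if __name__ == "__main__":
    print(audit(SAMPLE_MAPS))
```
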