Using ja3s, extensions are never added to the JA3 string
ryanpersaud opened this issue · 3 comments
I pulled down the JA3S Bro script and installed it on a 2.5.3 Bro installation. JA3S fingerprints are being generated, but they never include extensions. For example: JA3S: 7770094a92b1cbfa5a6de2017cfb682a Fingerprint String: 771,49200,
I added some debug print statements to ssl_extensions() and observed that is_orig is never false (F), so the logic never fires. In ja3s.py (pull request forthcoming) and Wireshark, I can see extensions in the Sever Hellos like status_request, renegotiation_info, etc. I'm not sure if this is an issue specific to my build of Bro or if others have been able to replicate it.
I am not able to replicate this issue. I tested pretty extensively on multiple versions of Bro and am always seeing extensions from JA3S. is_orig must == F in order for it to capture only the server extensions. If there is no "if is_orig" statement, it will capture both the client extensions and the server extensions in the JA3S, which you don't want. You can see it working here: http://try.bro.org/#/trybro/saved/259728 Do you have a sample pcap I can test?
I had both ja3 (with the single equals issue #20 ) and ja3s enabled at the same time. When I switched to the fixed version of ja3 (with ==), I started seeing the extensions in ja3s. So it seems like the assignment of T to is_orig in ja3 was affecting ja3s. I assumed is_orig was passed by value, but apparently it is passed by reference?
I thought that might be the case and tested for it on try.bro but wasn't able to reproduce it. Either way, fixed. Thanks for bringing it up!