Bro ssl.log support

Open chrisforce1 opened this issue 6 years ago • 1 comments

Similar to https://github.com/alphasoc/nfr/issues/71.

Reading the documentation, Bro doesn't have JA3 values in their ssl.log officially. I need to ask Corelight about this and get the data format and details so we can implement this. I primarily want to pick up JA3 (client) and JA3S (server) fingerprints for now. We can extend support later to other fields and look at the certificate chain, etc.

May 19 '19 03:05 chrisforce1

The fields in Bro when it's using the JA3 scripts are ja3 and ja3s as below.

https://github.com/salesforce/ja3/tree/master/zeek

The fields in Corelight JSON ssl.log are also ja3 and ja3s as attached below.

ssl_20200410_16_22_39-16_22_46-0600.log.gz

Apr 10 '20 22:04 chrisforce1