Emerging-ja3 Warns of malware


Hi,
Wonder if I can get help on this.
I have the rule emerging-ja3 checked and I suspect that’s what’s triggering the warning shown in the picture.
I don’t know what it means or what to do. Is disabling the rule safe?
I also can’t find logs for the above jpeg; the log shown in /var/log/suricata/fast.log doesn’t have anything to do with the log in the picture and only logs:

02/16/2024-22:43:41.813477  [**] [1:2210063:1] SURICATA STREAM 3way handshake excessive different SYNs [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}

The Emerging-ja3 rules are not able to be supported in IPFire currently as they require a special crypto library, NSS, which will not be included in IPFire.

If you search the forum posts for ja3 you will find several posts and links to bugs about this issue.

IPFire asked suricata about using another crypto-library such as openssl.
Suricata’s response was that in the future they would migrate to using rust-crypto as the library.

That library has been implemented into suricata-7, which has started evaluation by the IPFire developers. It will likely be aimed at CU185 or 186. It is a big change from the suricata-6 series, so the change has to be managed carefully.

Until suricata-7 is released in IPFire, I would suggest disabling the ja3 ruleset.

The warnings saying “flowbit ‘XXXXX’ is checked but not set” are just warnings, not errors.
They are flagging that the creator of that signature is checking the flowbit but it hasn’t been set. This is a problem with signatures that do not fully follow the syntax.
However, it just means that something is being checked for that has not been enabled, so it will not cause an error; it just consumes time.

That issue with flowbits is not just with ja3 but other suricata rules as well. The majority of the rules do follow the required syntax.

The picture you showed is showing the suricata system logs, i.e. errors in how it starts up and loads the required signatures. This is accessed via the WUI menu - Logs - System Logs - then select Intrusion Prevention in the drop-down box labelled Section:

The fast.log is shown in the WUI menu - Logs - IPS Logs.
This shows the signatures that were triggered by traffic and caused either a warning about the traffic or dropped the traffic, depending on the signatures.

1 Like
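The “checked but not set” condition described in the answer above can be verified offline against a rule file before deciding which rules to disable. The script below is an added example, not code from the post, from IPFire or from Suricata: the rules, sids and flowbit names are constructed for illustration, and the warning text is only modelled on the wording of the Suricata startup warning. It reads every enabled rule, collects the flowbits that are set (or toggled) and the ones that are checked, and reports the names that are checked by some rule but never set by any enabled rule. It also surfaces the case where the only rule setting a bit has been commented out, which is the same warning a disabled ruleset can leave behind.

```python
import re
from collections import defaultdict

# Constructed sample rule file content (hypothetical sids and flowbit names,
# not from the page or from any real ET/ja3 ruleset).
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"EXAMPLE set flag"; flow:established,to_server; content:"GET"; flowbits:set,example.http_get; flowbits:noalert; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE check flag that is set"; flowbits:isset,example.http_get; content:"/admin"; sid:1000002; rev:1;)
alert tls any any -> any 443 (msg:"EXAMPLE check flag nobody sets"; flowbits:isset,example.ja3_seen; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE OR check"; flowbits:isset,example.http_get|example.never_set; sid:1000004; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE check flag set only by a disabled rule"; flowbits:isnotset,example.disabled_only; sid:1000005; rev:1;)
# alert tcp any any -> any any (msg:"EXAMPLE disabled setter"; flowbits:set,example.disabled_only; sid:1000006; rev:1;)
"""

# One flowbits option: "flowbits:<action>[,<names>];"  e.g. flowbits:set,name;
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*(\w+)\s*(?:,\s*([^;]+))?;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

SETTERS = {"set", "toggle"}       # actions that make a flowbit true
CHECKERS = {"isset", "isnotset"}  # actions that read a flowbit


def split_names(names):
    """'a|b' (OR) and 'a&b' (AND) checks reference several flowbits at once."""
    return [n.strip() for n in re.split(r"[|&]", names) if n.strip()]


def parse_flowbits(rule_text):
    """Return (set_names, checked): the set flowbits, and name -> sids that check it."""
    set_names = set()
    checked = defaultdict(list)
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # commented-out rules are disabled
            continue
        m = SID_RE.search(line)
        sid = int(m.group(1)) if m else None
        for action, names in FLOWBITS_RE.findall(line):
            if not names:  # e.g. flowbits:noalert; names no flowbit
                continue
            for name in split_names(names):
                if action in SETTERS:
                    set_names.add(name)
                elif action in CHECKERS:
                    checked[name].append(sid)
    return set_names, dict(checked)


def checked_but_not_set(rule_text):
    """Flowbits that some enabled rule checks although no enabled rule sets them."""
    set_names, checked = parse_flowbits(rule_text)
    return {name: sids for name, sids in checked.items() if name not in set_names}


def format_warnings(rule_text):
    """Render the findings in a form modelled on Suricata's startup warning."""
    return [
        f"flowbit '{name}' is checked but not set. Checked in {sids[0]} and {len(sids) - 1} other sigs"
        for name, sids in checked_but_not_set(rule_text).items()
    ]


if __name__ == "__main__":
    for warning in format_warnings(SAMPLE_RULES):
        print(warning)
```

Run against a real rule directory by concatenating the enabled `.rules` files into `rule_text`; every name reported is a check that can never succeed (or, for `isnotset`, always succeeds) and therefore only costs matching time, which is the situation the answer describes.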

Thank you. With so many security options I’ll disable ja3; hopefully guardian, clamav, ipblocks, webserver, and ipfire hardening can handle the lack of these specific parameters from the ET provider.