Suricata service Fails: [ERRCODE: SC_WARN_JA3_DISABLED(309)]

gvelim · 15 October 2020 17:58

Hi,

I notice the IPS service regularly is going down because of the emerging-ja3.rules and with the following error message [ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3 support is not enabled

Running on IPFire 2.25 (x86_64) - core151 Development Build: master/c69c8200

Installation instructions

Installed fresh from latest 150 iso
restored rules from 149 backup
then “pakfire’d” the latest test build.

So the question is (1) do I enable ja3 or (2) disable the ja3 ruleset ?

Here is log sample showing the sequence of events…

18:37:14	suricata:	[ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3(s) support is not enabled
18:37:14	suricata:	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature “alert tls $HO ME_NET any -> $EXTERNAL_NET any (msg:“ET JA3 Hash - Suspected Meterpreter Revers e Shell M1 (set)”; flow:established,to_server; ja3.hash; content:“8916410db85077 a5460817142dcbc8de”; flowbits:set,ET.meterpreter.ja3; flowbits:noalert; classtyp e:command-and-control; sid:2028828; rev:2; metadata:affected_product Windows_XP_ Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10 _15, deployment Perimeter, former_category JA3, malware_family Meterpreter, sign ature_severity Major, updated_at 2019_10_15;)” from file /var/lib/suricata/emerg ing-ja3.rules at line 45
18:37:14	suricata:	[ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3 support is not enabled
18:37:13	suricata:	rule reload starting
18:37:13	suricata:	all 1 packet processing threads, 2 management threads initialized, engine starte d.
18:37:13	suricata:	[ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
18:37:13	suricata:	This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
18:35:26	suricata:	[ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file ‘/var/run/suricata.pid’ exists b ut appears stale. Make sure Suricata is not running and then remove /var/run/sur icata.pid. Aborting!
18:35:26	suricata:	This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
18:31:48	suricata:	rule reload complete

trish · 18 October 2020 22:09

I think JA3 should be enabled, but I am really new to IPfire.
where do you see the

log sample showing the sequence of events…

I was just trying to add JA3 from here

pmueller · 21 October 2020 11:20

Hi all,

thanks for bringing up missing JA3 support again - I have noticed that a while ago, but eventually forgot about it. To prevent this from happening again, the issue is now filed as bug #12507:

Thanks, and best regards,
Peter Müller

gvelim · 21 October 2020 18:27

From the web interface go …
Logs > system Logs > Intrusion prevention

anon46344254 · 29 October 2020 08:30

Dear Peter,

has the JA3 problem been fixed in Core 151, or it will be fixed in Core 152?

best regards

UT1

pmueller · 29 October 2020 10:30

Hi,

unfortunately, this neither comes with Core Update 151 nor 152 (the patch was handed in after the merge window for 152 was closed). However, it is staged for Core Update 153.

Thanks for your patience, and best regards,
Peter Müller

anon46344254 · 29 October 2020 12:48

Thanks Peter, no problem.

Best regards.

UT1

metafalsevac · 18 January 2021 17:45

I’m on Core Update 153 and still seeing something like this:

Log

Total hits for log section suricata January 18, 2021: 6

Older	Newer
Time	Section
1:26:00	suricata:	rule reload complete
1:25:27	suricata:	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature “drop tls $EXT ERNAL_NET any -> $HOME_NET any (msg:“ET JA3 Hash - Suspected Cobalt Strike Malle able C2 (ja3s) M1”; flow:established,from_server; ja3s.hash; content:“649d6810e8 392f63dc311eecb6b7098b”; tls.cert_subject; content:!“servicebus.windows.net”; fl owbits:isset,ET.cobaltstrike.ja3; classtype:command-and-control; sid:2028832; re v:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_ target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_cate gory JA3, malware_family Cobalt_Strike, signature_severity Major, updated_at 201 9_10_15;)” from file /var/lib/suricata/emerging-ja3.rules at line 43
1:25:27	suricata:	[ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3(s) support is not enabled
1:25:27	suricata:	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature “alert tls $HO ME_NET any -> $EXTERNAL_NET any (msg:“ET JA3 Hash - Suspected Cobalt Strike Mall eable C2 M1 (set)”; flow:established,to_server; ja3.hash; content:“eb88d0b3e1961 a0562f006e5ce2a0b87”; ja3.string; content:“771,49192-49191-49172-49171”; flowbit s:set,ET.cobaltstrike.ja3; flowbits:noalert; classtype:command-and-control; sid: 2028831; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_B it, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, signature_severity Major, upd ated_at 2019_10_15;)” from file /var/lib/suricata/emerging-ja3.rules at line 41
1:25:27	suricata:	[ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3 support is not enabled
1:25:19	suricata:	rule reload starting
Older	Newer

bonnietwin · 18 January 2021 18:10

Hi @metafalsevac,

Welcome to the IPFire Community.

The previous patch to enable JA3 is not working in Core Update 153, as you have noticed. A new bug has been raised for this, #12536. The problem is related to a missing crypto library. See the bug for more details:-

https://bugzilla.ipfire.org/show_bug.cgi?id=12536

trish · 7 March 2021 20:22

Anyone had a chance to check if the JA3 Rules will be working on Core 154?

stevee · 8 March 2021 16:50

Hello trish,

currently there is no JA3 support because of the missing crypto library.

As described in the bug report the suricata developers are going to write their crypto engine totaly new which does not require the currently missing library anymore. This is sheduled for the next major suricata version, so until it’s release we still have to wait for JA3.

Best regards,

-Stefan

trish · 30 March 2022 00:38

I added JA3, now that simultanous subscriptions are possible in Suricata, and Core 164

If anyone is interested:

Edit this file:

/var/ipfire/suricata/ruleset-sources

and add these lines before

'# Travis B. Green hunting rules


  # JA3 Abuse.ch
	ja3custom => {
		summary => "JA3 Fingerprint Ruleset",
		website => "https://sslbl.abuse.ch/blacklist/#ja3-fingerprints-suricata",
		tr_string => "ja3 fingerprint",
		requires_subscription => "False",
		dl_url => "https://sslbl.abuse.ch/blacklist/ja3_fingerprints.rules",
		dl_type => "plain",
	},

arne_f · 31 March 2022 09:34

But it will not work because Suricata has still no JA3 support and will reject all rules that uses JA3 matches with [ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3(s) support is not enabled.

This is the reason why i have removed this already added rulesets at development of core164.

trish · 1 April 2022 00:13

I think you are right, I got no errors but it is obviously not working for me.