Suricata service Fails: [ERRCODE: SC_WARN_JA3_DISABLED(309)]

Hi,

I notice the IPS service regularly is going down because of the emerging-ja3.rules and with the following error message [ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3 support is not enabled

Running on IPFire 2.25 (x86_64) - core151 Development Build: master/c69c8200

Installation instructions

  • Installed fresh from latest 150 iso
  • restored rules from 149 backup
  • then “pakfire’d” the latest test build.

So the question is (1) do I enable ja3 or (2) disable the ja3 ruleset ?

Here is log sample showing the sequence of events…

18:37:14 suricata: [ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3(s) support is not enabled
18:37:14 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Meterpreter Reverse Shell M1 (set)"; flow:established,to_server; ja3.hash; content:"8916410db85077a5460817142dcbc8de"; flowbits:set,ET.meterpreter.ja3; flowbits:noalert; classtype:command-and-control; sid:2028828; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Meterpreter, signature_severity Major, updated_at 2019_10_15;)" from file /var/lib/suricata/emerging-ja3.rules at line 45
18:37:14 suricata: [ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3 support is not enabled
18:37:13 suricata: rule reload starting
18:37:13 suricata: all 1 packet processing threads, 2 management threads initialized, engine started.
18:37:13 suricata: [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
18:37:13 suricata: This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
18:35:26 suricata: [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata.pid. Aborting!
18:35:26 suricata: This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
18:31:48 suricata: rule reload complete

I think JA3 should be enabled, but I am really new to IPfire.
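To answer the "enable JA3 or disable the ruleset" question it helps to know whether every rule that fails to load is a JA3 rule. The following is an added example, not code from the thread or from IPFire, that parses Suricata log lines of the shape quoted above (the sample is a constructed, shortened copy of them) and reports which feature-disabled warnings fired and which rules failed, tagged by the feature keyword they depend on.

```python
import re
from collections import Counter

# Constructed sample based on the log lines quoted in the post above; the rule body
# is shortened and this is not a real capture.
SAMPLE_LOG = """\
18:37:14 suricata: [ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3(s) support is not enabled
18:37:14 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Meterpreter Reverse Shell M1 (set)"; flow:established,to_server; ja3.hash; content:"8916410db85077a5460817142dcbc8de"; sid:2028828; rev:2;)" from file /var/lib/suricata/emerging-ja3.rules at line 45
18:37:14 suricata: [ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3 support is not enabled
18:37:13 suricata: rule reload starting
18:37:13 suricata: [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
"""

ERRCODE_RE = re.compile(r"\[ERRCODE: (?P<name>\w+)\((?P<num>\d+)\)\] - (?P<msg>.*)")
RULE_ERR_RE = re.compile(r'error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)')
SID_RE = re.compile(r"\bsid:(?P<sid>\d+)")
# Rule keywords that only parse when the matching engine feature is compiled in and enabled
FEATURE_KEYWORDS = {"ja3": re.compile(r"\bja3s?\.\w+")}

def summarize_rule_load(log_text):
    """Return which SC_WARN_*_DISABLED warnings fired and which rules failed to parse."""
    disabled = Counter()
    failed = []
    for line in log_text.splitlines():
        m = ERRCODE_RE.search(line)
        if not m:
            continue
        if m["name"].startswith("SC_WARN_") and m["name"].endswith("_DISABLED"):
            disabled[m["name"]] += 1
        r = RULE_ERR_RE.search(m["msg"])
        if r:
            sid = SID_RE.search(r["rule"])
            needs = sorted(f for f, kw in FEATURE_KEYWORDS.items() if kw.search(r["rule"]))
            failed.append({"file": r["file"], "line": int(r["line"]),
                           "sid": int(sid["sid"]) if sid else None,
                           "needs_feature": needs})
    return {"disabled_warnings": dict(disabled), "failed_rules": failed}

def all_failures_need(summary, feature):
    """True when every failed rule depends on `feature`: the rules are syntactically fine and
    the load errors stop once that feature is enabled (or that ruleset is switched off)."""
    rules = summary["failed_rules"]
    return bool(rules) and all(feature in r["needs_feature"] for r in rules)

if __name__ == "__main__":
    s = summarize_rule_load(SAMPLE_LOG)
    print(s)
    print("only JA3 rules failing:", all_failures_need(s, "ja3"))
```

Run it against the real file (for example `/var/log/messages` filtered on `suricata:`) to see whether anything other than JA3 rules is failing before deciding between enabling the feature and disabling the ruleset.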
Where do you see the "log sample showing the sequence of events…"?

I was just trying to add JA3 from here

Hi all,

thanks for bringing up missing JA3 support again - I have noticed that a while ago, but eventually forgot about it. To prevent this from happening again, the issue is now filed as bug #12507:

Thanks, and best regards,
Peter Müller

From the web interface go …
Logs > system Logs > Intrusion prevention

Dear Peter,

has the JA3 problem been fixed in Core 151, or will it be fixed in Core 152?

best regards

UT1

Hi,

unfortunately, this neither comes with Core Update 151 nor 152 (the patch was handed in after the merge window for 152 was closed). However, it is staged for Core Update 153.

Thanks for your patience, and best regards,
Peter Müller

Thanks Peter, no problem.

Best regards.

UT1