Moloch + Suricata + JA3

Inspired by the awesome Derbycon talk by John Althouse I wanted to give JA3 a try. After some Googling around the easiest way seemed like installing Moloch which has JA3 support baked in. This post is just a brief overview how to set this up and start exploring JA3 hashes. As a bonus, I also configured Suricata support for Moloch. Combined, I think this is a really good combo for network visibility.

Install

In my setup, I used Ubuntu 18.04 as a starting base.

First, grab the Moloch installation package from:

https://molo.ch/index.html#downloads

Once you've grabbed the package, follow the instructions here:

https://raw.githubusercontent.com/aol/moloch/master/release/README.txt

In my scenario, I installed the Moloch viewer & capture components and Elastic all on the same box, this was all setup via the installation instructions above automatically.

Once the setup is complete, browse to https://:8005, you should see something that looks like this:

JA3

Now that you have Moloch installed, let's look at some JA3 hashes. In this example I'm going to be using the windows/x64/meterpreter/reverse_https payload.

In this scenario I have an attacking machine at 192.168.1.116 and a victim Windows 10 machine at 192.168.1.250.

We get the shell:

Now let's take a look at this traffic in Moloch (you might have to filter a bit on the port you used for your shell):

At the very bottom of the above screenshot we can see Moloch computed a JA3 hash for our payload.

If we want to see where else this payload was executed on the network, we can click the JA3 hash to initiate a search:

Which would change our query:

And we found our sneaky attacker executed their payload on more than one system, all via JA3 hash alone.

Suricata

To install Suricata on our Ubuntu distro:

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata

(via https://suricata.readthedocs.io/en/suricata-4.0.5/install.html#install-binary-packages)

In my case, I had to edit the /etc/suricata/suricata.yaml file to change the network adapter from eth0 to ens33 and restart the service.

Suricata + Moloch

Now that Suricata is installed, you need to change the Moloch configuration to load the Suricata plugin and point Moloch at your Suricata eve.json file.

Find and edit your /data/moloch/etc/config.ini file; my Suricata config.ini section looks like this:

When I first fired everything up, Moloch threw an access error. To fix I did:

chmod 755 /var/log/suricata/eve.json

(I could have probably locked this down more - but this was in a lab environment)

Now when you restart your Moloch services, you should be able to see Suricata data in Moloch.

Fire your payload up and look at the traffic again, this time at the SMB traffic rather than the HTTPS traffic:

We can see Suricata flagged the SMB packets and hit a bunch of PowerShell rules. Neat!

Notes + Credits

I'm usually more comfortable with endpoint rather than network detections, but I think the Moloch+JA3+Suricata combo is an extremely powerful layer to add to your defenses.

None of this is new info, I just wanted to provide an overview as it took some Googling to put it together, maybe this could save someone a few minutes :)

https://github.com/synackpse/tls-fingerprinting by https://twitter.com/synackpse

https://github.com/salesforce/ja3

https://github.com/aol/moloch

https://github.com/OISF/suricata

https://www.youtube.com/watch?v=NI0Lmp0K1zc

@ham3r for answering a bunch of dumb questions