Tune Suricata by Message Content

[DanielShmu]

Hello,

For Suricata rule 2028816 "ET JA3 Hash - [Abuse.ch] Possible Tofsee", offenses are being fired due to a JA3 fingerprint.. In the Message content, the hash is identified as (in bold):

Abuse.ch] Possible Tofsee","category":"Unknown Traffic","severity":3,"metadata":{"created_at":["2019_10_14"],"former_category":["JA3"],"updated_at":["2019_10_29"]},"rule":"alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"9f62c4f26b90d3d757bea609e82f2eaf"; reference:url,sslbl.abuse.ch/ja3-fingerprints/;"

It is a Synology Quickconnect site, false positive. How is it possible to tune this specific "content hash" in the message from firing the offense?

There is a section for Metadata on Suricata but I don't see that option there, It's unlike all other tuning I've done via suppression and disabling... Any help is greatly appreciated. https://docs.securityonion.net/en/2.3/suricata.html#metadata

Thank you.

[dougburks]

You should be able to disable, modify, or suppress the rule:
https://docs.securityonion.net/en/2.3/managing-alerts.html#so-what-s-next

[DanielShmu]

Hi Doug,

Thanks for helping. I don't think I was clear in my question. I did review the link you sent, just to verify if I was to tune by message content for the ja3_hash, would that fall under the "modify" section of your documentation? I ask because I am not able to find the identifying steps to do this. If it can't be done this way, please let me know.

Thanks.

[dougburks]

It seems like you're asking if you can change the ja3_hash found in the content section of the rule. If that's what you really want to do, then you should be able to do so following the steps at https://docs.securityonion.net/en/2.3/managing-alerts.html#modify-the-sid.

However, if it were me and the alerts were for a small number of IP addresses, I think I would instead suppress the SID based on IP address:
https://docs.securityonion.net/en/2.3/managing-alerts.html#suppressions

[DanielShmu]

I reviewed the rules more thoroughly, there's a signature per hash.... I thought the hash in the message content was dynamic based on the JA3 database and it just propagated the hash dynamically into the message content, but every rule has a different hash for JA3. So I simply tuned it this one out as advised... Thanks Doug!