TLS Analyzer

This method accepts a PCAP or a text file as input. JA3 fingerprints are extracted from the PCAP and additional information is displayed. Text file analysis lets you match a JA3 hash, a JA3 fulltext or a User-Agent. For example, uploading a JA3 fulltext returns its JA3 hash and the list of User-Agents seen with it. If a User-Agent value is entered, the search returns records whose User-Agent contains that substring.
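The page does not describe how a JA3 fingerprint is formed. As an added example (not PSG's own code), the block below derives one from a TLS ClientHello the way JA3 defines it: the handshake's client version, cipher suites, extension types, supported groups and EC point formats are written as decimal lists, GREASE values are dropped, and the MD5 of that fullstring is the JA3 hash. The sample ClientHello and the alert record are constructed inline; the build_client_hello function exists only to produce that sample, and fingerprint_records mirrors the report's approved/rejected split.

```python
"""JA3 fingerprinting of TLS ClientHello records (added example, not PSG code)."""
import hashlib
import struct


def is_grease(v: int) -> bool:
    """GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ... 0xfafa) are random filler and are excluded from JA3."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def ja3_md5(fullstring: str) -> str:
    """The JA3 hash is the MD5 of the fullstring."""
    return hashlib.md5(fullstring.encode()).hexdigest()


def build_client_hello(version, ciphers, extensions, groups, point_formats) -> bytes:
    """Build a minimal TLS record carrying a ClientHello; used only to construct sample input."""
    ext_bytes = b""
    for ext_type in extensions:
        if ext_type == 0x000A:    # supported_groups: 2-byte list length, 2 bytes per group
            body = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
        elif ext_type == 0x000B:  # ec_point_formats: 1-byte list length, 1 byte per format
            body = bytes([len(point_formats)]) + bytes(point_formats)
        else:                     # other extensions carry an empty body in this sample
            body = b""
        ext_bytes += struct.pack("!HH", ext_type, len(body)) + body
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"           # version, random, empty session id
             + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
             + b"\x01\x00"                                              # one compression method: null
             + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ja3_from_record(rec: bytes) -> tuple:
    """Parse a ClientHello record into (JA3 fullstring, JA3 MD5); raise ValueError if it is not one."""
    if len(rec) < 43 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                                       # past record (5) and handshake (4) headers
    version = struct.unpack("!H", rec[p:p + 2])[0]
    p += 2
    p += 32                                                     # random
    p += 1 + rec[p]                                             # session id
    n = struct.unpack("!H", rec[p:p + 2])[0]
    p += 2
    ciphers = [struct.unpack("!H", rec[i:i + 2])[0] for i in range(p, p + n, 2)]
    p += n
    p += 1 + rec[p]                                             # compression methods
    exts, groups, formats = [], [], []
    if p + 2 <= len(rec):                                       # extensions block is optional
        end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            et, el = struct.unpack("!HH", rec[p:p + 4])
            p += 4
            data = rec[p:p + el]
            p += el
            exts.append(et)
            if et == 0x000A:
                gl = struct.unpack("!H", data[:2])[0]
                groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + gl, 2)]
            elif et == 0x000B:
                formats = list(data[1:1 + data[0]])
    fullstring = ",".join([
        str(version),
        "-".join(str(c) for c in ciphers if not is_grease(c)),
        "-".join(str(e) for e in exts if not is_grease(e)),
        "-".join(str(g) for g in groups if not is_grease(g)),
        "-".join(str(f) for f in formats),
    ])
    return fullstring, ja3_md5(fullstring)


def fingerprint_records(records) -> tuple:
    """Return (approved fullstrings in the order seen, number of rejected records)."""
    approved, rejected = [], 0
    for rec in records:
        try:
            approved.append(ja3_from_record(rec)[0])
        except (ValueError, IndexError, struct.error):
            rejected += 1
    return approved, rejected


# Constructed sample: a ClientHello with a GREASE value in every list, plus a record that is not a ClientHello.
SAMPLE_HELLO = build_client_hello(
    version=0x0303,
    ciphers=[0x1A1A, 0x1301, 0x1302, 0xC02B],
    extensions=[0x0A0A, 0x0000, 0x000A, 0x000B],
    groups=[0x3A3A, 0x001D, 0x0017],
    point_formats=[0],
)
SAMPLE_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"      # a TLS alert record (constructed), rejected by the parser

if __name__ == "__main__":
    print(ja3_from_record(SAMPLE_HELLO))
    print(fingerprint_records([SAMPLE_HELLO, SAMPLE_ALERT]))
```

Dropping GREASE is what keeps the fingerprint stable across connections from the same client: browsers randomize those values, so a parser that kept them would report one "unique" fingerprint per handshake.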

The sections inside the report are presented in CSV format so it can be easily analyzed in other tools like Excel or Jupyter.

The following checkboxes can be activated for this mechanism:

  • Interactive — an interactive HTML report is generated instead of a text one;
  • Search in JA3 fingerprint lists — adds a section to the report that displays the results of checking JA3 fingerprints against reputation lists;
  • Show all known User-Agents for JA3 fingerprints — adds a section to the report that displays all observed User-Agents for each JA3 fingerprint in the file.

Report

The report can be generated as a text file or as an interactive HTML page if the Interactive checkbox is set. The content of the report does not depend on the presentation form, but the interactive version has some advantages and is more convenient to use, so the report description is based on it.

The interactive report can be exported to an HTML page or JSON for later use outside of the PSG.

Each section can be collapsed. Inside the sections responsible for checking against reputation lists, a list of all sources that included the analyzed JA3 fingerprints is provided. Filtering by value and export of tables to CSV are provided.

Report for PCAP input

The report contains the following sections:

  • Summary;

    • Packets total — number of packets in the dump;
    • Packets filtered — number of analyzed packets;
    • Fingerprints total — total number of unique fingerprints observed in the dump;
    • Fingerprints approved/rejected — the ratio of the number of unique valid fingerprints to the number of invalid ones;
    • Client Hello — number of ClientHello packets found.
  • Fingerprint Analysis; Tables of unique valid and invalid JA3 fingerprints observed in the dump, in descending order of count. To make comparing JA3 fingerprints with each other easier, the following are provided:

    • Hiding of individual fields;
    • Highlighting of similar fingerprints. Fingerprints are compared by their Ciphers values. Cipher sets similar to the one specified in the Mark: similar ciphers field are highlighted in blue; the darker the shade of blue, the greater the similarity. The similarity threshold is set by the K coefficient, where 0 is no match and 1 is a full match; the default is 0.8. The value can be entered in the field manually or by clicking the icon at the end of a cipher set. Press the filter icon to show only similar fingerprints in the table.
  • User-Agent Analysis; An additional section for the user's reference. For each unique fingerprint:

    • Count — how many times the fingerprint is found in the dump;
    • MD5 — fingerprint MD5 Hash for comparison with external sources;
    • Possible User-Agent — User-Agent hint.
  • SS Feed JA3 Lists Analysis; The section contains a list of JA3 fingerprints that matched the reputation lists:

    • Count — how many times the fingerprint is found in the dump;
    • MD5 — fingerprint MD5 Hash for comparison with external sources;
    • Comment — comment on the JA3 fingerprint.
  • User-Agents by MD5; Information on all observed User-Agents for each JA3 fingerprint.

  • SNI by name; The section contains a distribution table of how often each domain name occurs in the SNI field:

    • % — percentage of total SNIs;
    • ABS — how many times it was observed in the dump;
    • SNI — domain name.
  • IPs by SNI; The section contains a distribution table of the unique IPs accessing each SNI:

    • % — percentage of total IPs;
    • ABS — number of IPs;
    • IPs — list of IPs;
    • SNI — domain name.
  • IPs by JA3; The section contains a distribution table of the unique IPs observed with each JA3 fingerprint:

    • % — percentage of total IPs;
    • ABS — number of IPs;
    • IPs — list of IPs;
    • JA3 — JA3 fingerprint.
  • MD5 by SNI; The section contains a distribution table of JA3 fingerprint occurrence frequency for each domain:

    • % — percentage of total JA3 fingerprints;
    • ABS — number of JA3 fingerprints;
    • MD5 — list of MD5 Hash for JA3 fingerprints;
    • SNI — domain name.
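The page does not say how the similarity behind the K coefficient is computed. The block below is an added example, not PSG's code: it uses the Jaccard index of the two cipher sets as an assumed metric, applies the K threshold the way the filter icon does, and then builds the Fingerprint Analysis, SNI by name and IPs by SNI tables (%, ABS) over constructed records. The RECORDS rows, their SNIs and IPs are made up to exercise the tables.

```python
"""Fingerprint Analysis helpers over extracted ClientHello records (added example, not PSG code)."""
import hashlib
from collections import Counter, defaultdict

# Constructed sample rows as the PCAP extraction step would yield them: (JA3 fullstring, SNI, client IP).
RECORDS = [
    ("771,4865-4866-4867-49195-49199,0-23-65281-10-11,29-23-24,0", "example.com", "10.0.0.1"),
    ("771,4865-4866-4867-49195-49199,0-23-65281-10-11,29-23-24,0", "example.com", "10.0.0.2"),
    ("771,4865-4866-4867-49195-49199,0-23-65281-10-11,29-23-24,0", "cdn.example.net", "10.0.0.1"),
    ("771,4865-4866-49195-49199-49171,0-23-10-11,29-23,0", "example.com", "10.0.0.3"),
    ("771,49171-49172-47,0-10-11,23,0", "update.example.org", "10.0.0.4"),
]


def ciphers_of(ja3: str) -> set:
    """The second JA3 field is the dash-separated cipher list."""
    return {int(c) for c in ja3.split(",")[1].split("-") if c}


def cipher_similarity(a: str, b: str) -> float:
    """Jaccard index of the two cipher sets: 0 = disjoint, 1 = identical (assumed metric)."""
    ca, cb = ciphers_of(a), ciphers_of(b)
    return 1.0 if not (ca or cb) else len(ca & cb) / len(ca | cb)


def similar_fingerprints(fingerprints, reference, k=0.8):
    """Fingerprints whose cipher similarity to `reference` is at least K, as [(ja3, score)], best first."""
    scored = [(fp, round(cipher_similarity(fp, reference), 3)) for fp in fingerprints]
    return sorted([t for t in scored if t[1] >= k], key=lambda t: -t[1])


def fingerprint_table(records):
    """Unique fingerprints with count and MD5, most frequent first."""
    counts = Counter(r[0] for r in records)
    return [(fp, n, hashlib.md5(fp.encode()).hexdigest()) for fp, n in counts.most_common()]


def sni_by_name(records):
    """Rows of (% of all SNIs, ABS count, SNI), most frequent first."""
    counts = Counter(r[1] for r in records)
    total = sum(counts.values())
    return [(round(100 * n / total, 1), n, sni) for sni, n in counts.most_common()]


def ips_by_sni(records):
    """Rows of (% of all unique IPs, ABS unique IPs, IP list, SNI), most IPs first."""
    ips = defaultdict(set)
    for _, sni, ip in records:
        ips[sni].add(ip)
    total = len({r[2] for r in records})
    rows = [(round(100 * len(s) / total, 1), len(s), sorted(s), sni) for sni, s in ips.items()]
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    reference = RECORDS[0][0]
    unique = {r[0] for r in RECORDS}
    print("similar at K=0.8:", similar_fingerprints(unique, reference))
    print("similar at K=0.6:", similar_fingerprints(unique, reference, k=0.6))
    for row in fingerprint_table(RECORDS) + sni_by_name(RECORDS) + ips_by_sni(RECORDS):
        print(row)
```

With the default K=0.8 only the reference fingerprint itself passes; lowering K to 0.6 also admits the second fingerprint, which shares four of six cipher suites. That is the kind of near-match the highlighting is meant to surface when a client changes one or two suites between versions.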

Report for text file input

The report contains the following sections:

  • Summary;

    • MD5 — number of fingerprints in MD5 format;
    • Unique MD5 — number of unique MD5 hashes;
    • JA3 — number of fingerprints in JA3 fullstring format;
    • Unique JA3 — number of unique JA3 fullstrings;
    • User-Agent — number of User-Agent values;
    • Unique User-Agent — number of unique User-Agent values;
    • Unique Fingerprint — number of unique fingerprints in any format;
    • JA3 Feed Matching Percent — share of fingerprints found in reputation lists from the analytics service.
  • Search results; The section contains the results of the search for matches in the service databases:

    • Count — matches found;
    • MD5 — JA3 fingerprint MD5 Hash;
    • User-Agent — User-Agent hint;
    • JA3 — JA3 fullstring.
  • SS Feed JA3 Lists Analysis; The section contains a list of JA3 fingerprints that were found in the reputation lists:

    • Count — how many times the fingerprint is found in the input;
    • MD5 — fingerprint MD5 Hash for comparison with external sources;
    • Comment — comment on the JA3 fingerprint.
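For the text file input described at the top of the page and in the Summary and Search results sections above, the following added example (not PSG's code) classifies each input line as an MD5 hash, a JA3 fullstring or a User-Agent substring, searches a constructed stand-in for the service database and reputation feed (KNOWN_FULL and FEED are made up), and produces the Summary counters, including the JA3 Feed Matching Percent. INPUT_LINES is a constructed input file.

```python
"""Text-file mode: classify input lines, search them, and build the Summary (added example, not PSG code)."""
import hashlib
import re
from collections import Counter

MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
JA3_RE = re.compile(r"^\d+,[\d-]*,[\d-]*,[\d-]*,[\d-]*$")   # 5 comma-separated fields of dash-joined numbers


def ja3_md5(fullstring: str) -> str:
    return hashlib.md5(fullstring.encode()).hexdigest()


def classify(line: str) -> str:
    """Return 'md5', 'ja3' or 'useragent' (anything that is not a hash or fullstring is a User-Agent substring)."""
    if MD5_RE.match(line):
        return "md5"
    if JA3_RE.match(line):
        return "ja3"
    return "useragent"


# Constructed stand-in for the service database: JA3 fullstring -> User-Agents observed with it.
KNOWN_FULL = {
    "771,4865-4866-4867-49195-49199,0-23-65281-10-11,29-23-24,0": [
        "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0",
    ],
    "771,49171-49172-47,0-10-11,23,0": ["python-requests/2.31.0", "Go-http-client/1.1"],
    "771,4865-4866-49195,0-10-11,29-23,0": ["curl/8.4.0"],
}
KNOWN = {ja3_md5(full): (full, uas) for full, uas in KNOWN_FULL.items()}
# Constructed stand-in for a reputation feed: MD5 -> comment.
FEED = {ja3_md5("771,49171-49172-47,0-10-11,23,0"): "constructed entry: fingerprint of scripted HTTP clients"}


def search(line: str):
    """Search results rows (MD5, User-Agent, JA3 fullstring) for one input line."""
    kind = classify(line)
    if kind == "useragent":   # substring match, case-insensitive, over every known User-Agent
        needle = line.lower()
        return [(md5, ua, full) for md5, (full, uas) in KNOWN.items() for ua in uas if needle in ua.lower()]
    md5 = line.lower() if kind == "md5" else ja3_md5(line)
    if md5 not in KNOWN:
        return []
    full, uas = KNOWN[md5]
    return [(md5, ua, full) for ua in uas]


def summary(lines):
    """The text-file Summary section: per-format totals, unique counts, and feed matching percent."""
    kinds = Counter(classify(line) for line in lines)
    uniq = {k: {line for line in lines if classify(line) == k} for k in ("md5", "ja3", "useragent")}
    # Fingerprints given in either format are collapsed to MD5 so the same fingerprint is counted once.
    fingerprints = {line.lower() for line in uniq["md5"]} | {ja3_md5(line) for line in uniq["ja3"]}
    in_feed = sum(1 for fp in fingerprints if fp in FEED)
    return {
        "MD5": kinds["md5"],
        "Unique MD5": len(uniq["md5"]),
        "JA3": kinds["ja3"],
        "Unique JA3": len(uniq["ja3"]),
        "User-Agent": kinds["useragent"],
        "Unique User-Agent": len(uniq["useragent"]),
        "Unique Fingerprint": len(fingerprints),
        "JA3 Feed Matching Percent": round(100 * in_feed / len(fingerprints), 1) if fingerprints else 0.0,
    }


# Constructed input file: one fullstring, the same MD5 twice, a User-Agent substring, an unknown fullstring.
INPUT_LINES = [
    "771,4865-4866-4867-49195-49199,0-23-65281-10-11,29-23-24,0",
    ja3_md5("771,49171-49172-47,0-10-11,23,0"),
    ja3_md5("771,49171-49172-47,0-10-11,23,0"),
    "Firefox",
    "771,1-2,3,4,5",
]

if __name__ == "__main__":
    for line in INPUT_LINES:
        print(f"{classify(line):9} {len(search(line))} match(es): {line}")
    print(summary(INPUT_LINES))
```

Note that Unique Fingerprint is smaller than the sum of Unique MD5 and Unique JA3 whenever a fullstring and its hash both appear in the input; collapsing to MD5 before counting is what makes the feed matching percent meaningful.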