Differences

This shows you the differences between two versions of the page.

--- app:auto_fingerprint [2017/11/29 12:35]
vivek
+++ app:auto_fingerprint [2017/11/29 17:28] (current)
veera [Web Server Access Log]
@@ Line 19: / Line 19: @@
-Internally we use a Ruby TRP script that can automate this process if given access to web server logs. The script is available at [[https://github.com/trisulnsm/trisul-scripts/tree/master/lua/frontend_scripts/reassembly/ja3/prints|mk_ja3print.rb]]
+Internally we use a Ruby TRP script that can automate this process if given access to web server logs. The script is available on Github at [[https://github.com/trisulnsm/trisul-scripts/tree/master/lua/frontend_scripts/reassembly/ja3/prints|mk_ja3print.rb]]
@@ Line 35: / Line 35: @@
-Running the script
+Running the script.
+//Usage : mk_ja3fingerprint.rb  TRP-Server-Endpoint  Webserver-IP  Webserver-Access-Logs  Trisul-TLSPrint-Log-Pattern//
+A sample run of the script is shown below
 <code>
@@ Line 60: / Line 64: @@
-The output is written to ''/tmp/prints.json'' this can be easily appended to the TLS Prints database.
+Once the script is finished, the JSON output is written to ''/tmp/prints.json'' this can be easily appended to the TLS Prints database.
 <code json>
@@ Line 73: / Line 76: @@
 Iteratively running this script for a few days can resolve most of the unknown prints. That makes outlier detection much easier.
+===== Other methods to resolve =====
+Once you get the unknown prints down to 10-20% you can use Trisul's excellent Graph Analytics manually to explore and nail down each print.  We will see that in another article.

Trisul Network Analytics Developer Zone

User Tools

Site Tools

Differences

Page Tools

Trisul Network Analytics
Developer Zone