travisbgreen / hunting-rules

Suricata rules for network anomaly detection

Home Page:http://travisgreen.net

Possible incorrect cert for facebook rule

novaksam opened this issue · comments

It looks like the facebook rule may need to be updated, as the fingerprint doesn't match the current production FB cert, though they have a 3 month window for certs according to the 'notbefore' and 'notafter', so perhaps there's a better item to key off of?

alert tls any any -> any any (msg:"TGI HUNT TLS Suspicious facebook.com"; tls_cert_subject; content:"facebook.com"; tls_cert_fingerprint; content:!"d3:0d:a1:54:34:44:66:05:4d:c1:81:37:4d:df:2d:27:72:12:0d:f8"; classtype:bad-unknown; sid:2600117; rev:1;)
Fingerprint:98:e4:dd:9d:21:83:d5:29:9e:80:43:73:ff:f2:a7:e1:c4:87:9f:5e
Issuerdn:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
Ja3.Hash:a69708a64f853c3bcc214c2c5faf84f3
Ja3.String:771,49196-49195-49188-49187-49162-49161-52393-49200-49199-49192-49191-49172-49171-52392-157-156-61-60-53-47,65281-0-23-13-5-13172-18-16-11-10,29-23-24-25,0
Notafter:2019-06-06T12:00:00
Notbefore:2019-03-08T00:00:00
Serial:0B:96:DD:18:0A:0A:F4:67:0D:21:13:62:23:94:A4:32
Sni:graph.facebook.com
Subject:C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com
Version:TLS 1.2

Thanks! Updated. I'll look to generate these with a script in the future.
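As an added example (not code from the hunting-rules repo), the following Python checks whether the fingerprint pinned in a rule of this shape still matches what Suricata eve.json TLS events report for the subject, and regenerates the rule with the live fingerprint(s) and a bumped rev. The eve line is constructed sample data; the one-negated-content-per-fingerprint layout is an assumption about how the maintainer might generate these.

```python
import json
import re

# Constructed Suricata eve.json TLS event (sample data built for this example);
# its field values mirror those quoted in the issue above.
EVE_LINES = [json.dumps({"event_type": "tls", "tls": {
    "subject": "C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com",
    "issuerdn": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA",
    "fingerprint": "98:e4:dd:9d:21:83:d5:29:9e:80:43:73:ff:f2:a7:e1:c4:87:9f:5e",
    "sni": "graph.facebook.com", "notbefore": "2019-03-08T00:00:00",
    "notafter": "2019-06-06T12:00:00"}})]

# The rule from the issue, pinning the fingerprint that no longer matches.
RULE = ('alert tls any any -> any any (msg:"TGI HUNT TLS Suspicious facebook.com"; '
        'tls_cert_subject; content:"facebook.com"; tls_cert_fingerprint; '
        'content:!"d3:0d:a1:54:34:44:66:05:4d:c1:81:37:4d:df:2d:27:72:12:0d:f8"; '
        'classtype:bad-unknown; sid:2600117; rev:1;)')

FP_SEGMENT = re.compile(r'(?:tls_cert_fingerprint; content:!"[0-9a-f:]{59}"; )+')
FP_RE = re.compile(r'content:!"([0-9a-f:]{59})"')  # SHA1: 20 colon-separated bytes
REV_RE = re.compile(r"rev:(\d+);")

def pinned_fingerprints(rule):
    """Fingerprints pinned by the rule's negated tls_cert_fingerprint contents."""
    return set(FP_RE.findall(rule))

def observed_fingerprints(lines, subject_substr):
    """Cert fingerprints from eve TLS events whose subject contains subject_substr
    (the same selection the rule's tls_cert_subject content match makes)."""
    seen = set()
    for line in lines:
        ev = json.loads(line)
        tls = ev.get("tls", {})
        if ev.get("event_type") == "tls" and subject_substr in tls.get("subject", ""):
            if tls.get("fingerprint"):
                seen.add(tls["fingerprint"].lower())
    return seen

def is_stale(rule, lines, subject_substr):
    """True when a cert seen for the subject is not pinned, so the rule would
    alert on legitimate traffic (the situation reported in this issue)."""
    return bool(observed_fingerprints(lines, subject_substr) - pinned_fingerprints(rule))

def regenerate(rule, fingerprints):
    """Rewrite the rule with one negated content per known-good fingerprint and
    bump rev; the negated contents are ANDed, so the rule fires only when the
    presented cert matches none of them."""
    segment = "".join(f'tls_cert_fingerprint; content:!"{fp}"; ' for fp in sorted(fingerprints))
    rule = FP_SEGMENT.sub(segment, rule, count=1)
    return REV_RE.sub(lambda m: f"rev:{int(m.group(1)) + 1};", rule, count=1)
```

Because the certificate rotates inside the roughly three month notbefore/notafter window quoted above, a check like `is_stale` would need to run against fresh eve output on each rotation, which is the maintenance cost of pinning a fingerprint rather than a longer-lived field.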