Moloch + Suricata + JA3

This post walks through setting up Moloch with JA3 support and integrating Suricata for better network visibility. Inspired by a DerbyCon presentation, I provide a practical guide for implementing this security stack.

Installation

The setup uses Ubuntu 18.04 with three components installed on a single machine:

  • Moloch viewer and capture
  • Elasticsearch
  • Suricata

Download Moloch from https://molo.ch/index.html#downloads and follow the provided installation instructions. The web interface becomes accessible at https://<moloch-host>:8005, where <moloch-host> is the address of the machine running the viewer.

JA3 Implementation

JA3 fingerprinting enables detection of suspicious TLS handshakes. I use a windows/x64/meterpreter/reverse_https payload to show how Moloch computes JA3 hashes for captured TLS sessions.

Key capability: clicking a JA3 hash in the viewer searches all captured traffic for sessions carrying that same fingerprint, revealing every instance where that specific payload executed on the network.
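To make concrete what Moloch is hashing when it shows a JA3 value, here is an added example (my own code, not part of the original post and not Moloch's implementation) that parses a TLS ClientHello and builds the JA3 string and its MD5 hash. The ClientHello is constructed inline by a small builder so the sample is self-contained; its cipher suites, extensions and curves are illustrative values, not the fingerprint of the Meterpreter payload discussed above. GREASE values are dropped, as the JA3 specification requires, so randomized GREASE does not change a client's fingerprint.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from JA3 so they do not perturb the hash.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def build_client_hello(version, ciphers, extensions):
    """Assemble a TLS record carrying a ClientHello (used only to construct sample input)."""
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"      # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                               # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ja3(record):
    """Return (ja3_string, ja3_md5) for a TLS record containing a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                       # skip the 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                 # skip handshake type + 3-byte length
    version = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2 + 32                           # client_version, then 32-byte random
    p += 1 + hs[p]                        # session id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    ciphers = [c for c in struct.unpack("!%dH" % (cs_len // 2), hs[p:p + cs_len]) if c not in GREASE]
    p += cs_len
    p += 1 + hs[p]                        # compression methods
    ext_types, groups, formats = [], [], []
    if p < len(hs):
        ext_len = struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p < end:
            et, el = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            data = hs[p:p + el]
            p += el
            if et in GREASE:
                continue
            ext_types.append(et)
            if et == 10:                  # supported_groups (elliptic curves)
                n = struct.unpack("!H", data[:2])[0]
                groups = [g for g in struct.unpack("!%dH" % (n // 2), data[2:2 + n]) if g not in GREASE]
            elif et == 11:                # ec_point_formats
                formats = list(data[1:1 + data[0]])
    ja3_string = ",".join([
        str(version),
        "-".join(map(str, ciphers)),
        "-".join(map(str, ext_types)),
        "-".join(map(str, groups)),
        "-".join(map(str, formats)),
    ])
    return ja3_string, hashlib.md5(ja3_string.encode()).hexdigest()


# Constructed sample ClientHello: TLS 1.2, a GREASE cipher and a GREASE extension
# sprinkled in, SNI for a reserved test name, supported groups, point formats, session
# ticket and ALPN. None of these values come from the post's capture.
_sni_name = b"example.test"
_sni = struct.pack("!HBH", len(_sni_name) + 3, 0, len(_sni_name)) + _sni_name
_groups = struct.pack("!H", 8) + struct.pack("!4H", 0x1a1a, 0x001d, 0x0017, 0x0018)
_alpn = struct.pack("!H", 3) + b"\x02h2"
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x1a1a, 0x1301, 0x1302, 0xc02b, 0xc02f, 0x002f],
    [(0x2a2a, b""), (0, _sni), (10, _groups), (11, b"\x01\x00"), (35, b""), (16, _alpn)],
)

if __name__ == "__main__":
    s, h = ja3(SAMPLE_HELLO)
    print("JA3 string:", s)
    print("JA3 hash:  ", h)
```

Running it prints the JA3 string 771,4865-4866-49195-49199-47,0-10-11-35-16,29-23-24,0 for the sample; the GREASE cipher 0x1a1a and GREASE extension 0x2a2a are absent from it, which is why a client whose TLS stack randomizes GREASE still fingerprints consistently. The hash is what Moloch displays and what the click-to-search pivot keys on.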

Suricata Integration

Installation requires:

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata

Configuration involves two files: edit /etc/suricata/suricata.yaml to specify the network adapter Suricata should monitor, and edit /data/moloch/etc/config.ini to enable the Suricata plugin and point it at Suricata's eve.json output file so alerts can be attached to the matching Moloch sessions.

Results

The combination detects both TLS anomalies via JA3 and application-level threats via Suricata signatures. In the demonstrated attack scenario, Suricata flagged SMB packets and PowerShell-related activity, and those alerts appeared alongside the JA3 data on the relevant sessions.
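To illustrate what the Suricata-to-Moloch join buys you, here is an added example (my own code, not the Moloch plugin and not code from the original post) that reads Suricata eve.json lines, attaches each alert to the JA3 hash of the same flow, and answers the "click the hash" question in reverse: which flows carried a given JA3 fingerprint. The eve.json records are constructed inline with the field names Suricata uses for tls and alert events (flow_id, src_ip, dest_ip, tls.ja3.hash, alert.signature); the JA3 hashes, IPs and rule names are placeholders, and joining on flow_id is a simplification I chose for the example rather than a description of how Moloch matches alerts to sessions.

```python
import json
from collections import defaultdict

# Constructed eve.json events (not from the post's capture). Flow 101 has a TLS record
# and an alert; flow 102 only a TLS record; flow 103 only a non-TLS alert.
_EVENTS = [
    {"timestamp": "2018-10-10T12:00:01.000000+0000", "flow_id": 101, "event_type": "tls",
     "src_ip": "10.0.0.5", "src_port": 49152, "dest_ip": "203.0.113.10", "dest_port": 443,
     "proto": "TCP", "tls": {"sni": "example.test",
                             "ja3": {"hash": "ab" * 16, "string": "771,4865-4866,0-10-11,29,0"}}},
    {"timestamp": "2018-10-10T12:00:02.000000+0000", "flow_id": 101, "event_type": "alert",
     "src_ip": "10.0.0.5", "src_port": 49152, "dest_ip": "203.0.113.10", "dest_port": 443,
     "proto": "TCP", "alert": {"signature_id": 9000001, "severity": 1,
                               "signature": "CONSTRUCTED suspicious TLS client"}},
    {"timestamp": "2018-10-10T12:00:03.000000+0000", "flow_id": 102, "event_type": "tls",
     "src_ip": "10.0.0.7", "src_port": 49200, "dest_ip": "203.0.113.10", "dest_port": 443,
     "proto": "TCP", "tls": {"sni": "example.test",
                             "ja3": {"hash": "ab" * 16, "string": "771,4865-4866,0-10-11,29,0"}}},
    {"timestamp": "2018-10-10T12:00:04.000000+0000", "flow_id": 103, "event_type": "alert",
     "src_ip": "10.0.0.5", "src_port": 49300, "dest_ip": "10.0.0.20", "dest_port": 445,
     "proto": "TCP", "alert": {"signature_id": 9000002, "severity": 2,
                               "signature": "CONSTRUCTED SMB activity"}},
]
SAMPLE_EVE = "\n".join(json.dumps(e) for e in _EVENTS) + "\n"


def parse_eve(eve_text):
    """Split eve.json lines into a flow_id -> JA3 hash map and a list of alert events."""
    ja3_by_flow = {}
    alerts = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue                                   # tolerate blank lines in a rotated log
        ev = json.loads(line)
        if ev.get("event_type") == "tls":
            ja3_hash = ev.get("tls", {}).get("ja3", {}).get("hash")
            if ja3_hash:
                ja3_by_flow[ev["flow_id"]] = ja3_hash
        elif ev.get("event_type") == "alert":
            alerts.append(ev)
    return ja3_by_flow, alerts


def alerts_with_ja3(eve_text):
    """Each alert enriched with the JA3 hash seen on the same flow (None if the flow had no TLS)."""
    ja3_by_flow, alerts = parse_eve(eve_text)
    return [
        {
            "flow_id": a["flow_id"],
            "signature": a["alert"]["signature"],
            "src": "%s:%d" % (a["src_ip"], a["src_port"]),
            "dst": "%s:%d" % (a["dest_ip"], a["dest_port"]),
            "ja3": ja3_by_flow.get(a["flow_id"]),
        }
        for a in alerts
    ]


def flows_with_ja3(eve_text, ja3_hash):
    """The pivot the post describes: every flow whose client presented this JA3 hash."""
    ja3_by_flow, _ = parse_eve(eve_text)
    by_hash = defaultdict(list)
    for flow_id, h in ja3_by_flow.items():
        by_hash[h].append(flow_id)
    return sorted(by_hash.get(ja3_hash, []))


if __name__ == "__main__":
    for row in alerts_with_ja3(SAMPLE_EVE):
        print(row)
    print("flows with JA3 %s: %s" % ("ab" * 16, flows_with_ja3(SAMPLE_EVE, "ab" * 16)))
```

The enriched alert list is the analyst's view from the Suricata side: the TLS alert on flow 101 carries its JA3 hash, while the SMB alert on flow 103 has none because that flow never negotiated TLS. The reverse lookup shows that flow 102 shares the same fingerprint even though no rule fired on it, which is exactly the kind of session the JA3 pivot surfaces beyond what signatures alone catch.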