From bc1610b3a5e0706d20d23ec751e7334a069856f8 Mon Sep 17 00:00:00 2001 From: Richard McConnell Date: Wed, 29 Jan 2025 09:03:34 +0000 Subject: [PATCH] Introduce TLS-JA4 client/server handshake tests This update introduces two new tests to accompany the introduction of client/server handshake parameters and output via JSON-EVE. - ja4-cl-handshake: client eve output test - ja4-sv-handshake: server eve output test --- tests/ja4-cl-handshake/input.pcap | Bin 0 -> 2721 bytes tests/ja4-cl-handshake/suricata.yaml | 12 ++++++++++++ tests/ja4-cl-handshake/test.yaml | 15 +++++++++++++++ tests/ja4-sv-handshake/input.pcap | Bin 0 -> 2721 bytes tests/ja4-sv-handshake/suricata.yaml | 13 +++++++++++++ tests/ja4-sv-handshake/test.yaml | 14 ++++++++++++++ 6 files changed, 54 insertions(+) create mode 100644 tests/ja4-cl-handshake/input.pcap create mode 100644 tests/ja4-cl-handshake/suricata.yaml create mode 100644 tests/ja4-cl-handshake/test.yaml create mode 100644 tests/ja4-sv-handshake/input.pcap create mode 100644 tests/ja4-sv-handshake/suricata.yaml create mode 100644 tests/ja4-sv-handshake/test.yaml 
diff --git a/tests/ja4-cl-handshake/input.pcap b/tests/ja4-cl-handshake/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..77c4aa27a5b30b93a405a7a522cdbbcb44bd638f
GIT binary patch
literal 2721
zcmd6odr*^C8phx6`;rhsaKps_7TL%(AV`8Bm(?YRx(tY0Mid3afFiL8fj=JsTqLS=xF@T54Q6+$U^;harb(w0h${F%h)+#n%vI!q>0m&s!4F=pRO;`E zRAZ|M6B&=@B$~nyl`%yWV_JB zSoFT=&__Lh5{LOHL6o63F`N)e2T{lqdO#ip@-UE@f($ZUkUSFxmR+qWAFpB4gtdB|8(Mg+>Ac zyspD$eHfRJlo%T)Pm*XCS!|ZCEKa_Cy(BV0Dr5^-_)UsUCCL(nHUg_DL0y8&O_ayS zBY@0e*MI=94hd#Jq>@>P9p-Uk(7;f8LzGrBr$ zORlL`F5L4XS=W;58|}4Y-dlrp`<()EgO7{KEG_APh3!h!)$<}+zS^4jPzvvrG?XScfVeHlYzLl z6!tRsOd2TCe0=!H?Mh*)%jO@-JN%3i^N)09IMm3CsxODF?f*V`U63NY>UIdTq*BMU z@<)M(qPF3p)cV4g#=b6TcmGycEzZw57A8E>G5WK6`f7>y*xf6;zR0V4?&ZS0{{f^Q zF!Sg4%TN1@H#kM4c=-+&WEh+(&a&$3S2ro$iw@5t$FX7BJanM&DUS=DV{T|~7*{e( zGp&PW&el|mVgI@@G&f$KU8+6hY1U|3i!rf2oDTVjj%#XeXo)AuaLu%SJtxr=UN=6T zBHCgiHfzHHSi~zhTlQ^YMcsH-eVD6>HN%@U4eGVC4of|GWkpBkf>63KdXpgV`~1oD zTesT>4(FQM-<%(K?@)HcUnk7#O+Su#Z1>GQXJv@a>48;~>g5+NVY^MSbZ|wJ2G^9` z_hXK*ZS}!+b@$C2b9G~AaHc5Gn6o;ewJVjNF=vbAucEsg-H+xxs9cn9bglQ#qkAS8 zl1=m?WxR`fq}=pe_bz%RS9YT7az}`vxn`rhiFA;ncH^4LP}}k?Omjpnmzbaot>3pW zZ}~*8M`=qT=Z7@@y_k#pszlVp?%uP(+|4ieW?0%Hi4KuS7T0g2*OL(%Y3EteMH*={ zf;crXQ+hsPx#
literal 0
HcmV?d00001
diff --git a/tests/ja4-cl-handshake/suricata.yaml b/tests/ja4-cl-handshake/suricata.yaml
new file mode 100644
index 000000000..1322a818d
--- /dev/null
+++ b/tests/ja4-cl-handshake/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - tls:
+ enabled: yes
+ custom: [ja4, client_handshake]
diff --git a/tests/ja4-cl-handshake/test.yaml b/tests/ja4-cl-handshake/test.yaml
new file mode 100644
index 000000000..efa84c446
--- /dev/null
+++ b/tests/ja4-cl-handshake/test.yaml
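Review bot: Both new input.pcap files are the same blob — the index lines for tests/ja4-cl-handshake/input.pcap and tests/ja4-sv-handshake/input.pcap both end in 77c4aa27a5b30b93a405a7a522cdbbcb44bd638f — and this suricata.yaml differs from the server-side one only in the `custom:` list. A single test directory with `custom: [ja4, ja4s, client_handshake, server_handshake]` and both match blocks in one test.yaml would cover the same output paths without committing the capture twice. If the split is deliberate, to show that each `custom` keyword gates only its own object, a one-line comment in each suricata.yaml such as `# client-side JA4 output only; the server-side fields are covered by ja4-sv-handshake` would keep the next reader from merging them.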
@@ -0,0 +1,15 @@
+requires:
+ min-version: 8
+ features:
+ - HAVE_JA4
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.ja4: t12d280700_d943125447b4_3c5a66c06c35
+ tls.client_handshake.version: TLS 1.2
+ tls.client_handshake.ciphers: [49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255]
+ tls.client_handshake.exts: [0,11,10,35,22,23,13]
+ tls.client_handshake.sig_algs: [1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,515,769,513,770,514,1026,1282,1538]
diff --git a/tests/ja4-sv-handshake/input.pcap b/tests/ja4-sv-handshake/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..77c4aa27a5b30b93a405a7a522cdbbcb44bd638f
GIT binary patch
literal 2721
zcmd6odr*^C8phx6`;rhsaKps_7TL%(AV`8Bm(?YRx(tY0Mid3afFiL8fj=JsTqLS=xF@T54Q6+$U^;harb(w0h${F%h)+#n%vI!q>0m&s!4F=pRO;`E zRAZ|M6B&=@B$~nyl`%yWV_JB zSoFT=&__Lh5{LOHL6o63F`N)e2T{lqdO#ip@-UE@f($ZUkUSFxmR+qWAFpB4gtdB|8(Mg+>Ac zyspD$eHfRJlo%T)Pm*XCS!|ZCEKa_Cy(BV0Dr5^-_)UsUCCL(nHUg_DL0y8&O_ayS zBY@0e*MI=94hd#Jq>@>P9p-Uk(7;f8LzGrBr$ zORlL`F5L4XS=W;58|}4Y-dlrp`<()EgO7{KEG_APh3!h!)$<}+zS^4jPzvvrG?XScfVeHlYzLl z6!tRsOd2TCe0=!H?Mh*)%jO@-JN%3i^N)09IMm3CsxODF?f*V`U63NY>UIdTq*BMU z@<)M(qPF3p)cV4g#=b6TcmGycEzZw57A8E>G5WK6`f7>y*xf6;zR0V4?&ZS0{{f^Q zF!Sg4%TN1@H#kM4c=-+&WEh+(&a&$3S2ro$iw@5t$FX7BJanM&DUS=DV{T|~7*{e( zGp&PW&el|mVgI@@G&f$KU8+6hY1U|3i!rf2oDTVjj%#XeXo)AuaLu%SJtxr=UN=6T zBHCgiHfzHHSi~zhTlQ^YMcsH-eVD6>HN%@U4eGVC4of|GWkpBkf>63KdXpgV`~1oD zTesT>4(FQM-<%(K?@)HcUnk7#O+Su#Z1>GQXJv@a>48;~>g5+NVY^MSbZ|wJ2G^9` z_hXK*ZS}!+b@$C2b9G~AaHc5Gn6o;ewJVjNF=vbAucEsg-H+xxs9cn9bglQ#qkAS8 zl1=m?WxR`fq}=pe_bz%RS9YT7az}`vxn`rhiFA;ncH^4LP}}k?Omjpnmzbaot>3pW zZ}~*8M`=qT=Z7@@y_k#pszlVp?%uP(+|4ieW?0%Hi4KuS7T0g2*OL(%Y3EteMH*={ zf;crXQ+hsPx#
literal 0
HcmV?d00001
diff --git a/tests/ja4-sv-handshake/suricata.yaml b/tests/ja4-sv-handshake/suricata.yaml
new file mode 100644
index 000000000..ad17d408d
--- /dev/null
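Review bot: The match block only proves that the requested fields are present; nothing asserts that the object this config did not ask for (`tls.server_handshake`, `tls.ja4s`) is absent from the one tls event, so a regression that ignores the `custom:` gating and emits both objects would still pass here and in tests/ja4-sv-handshake/test.yaml. If the harness version targeted by `min-version: 8` supports a key-absence check in `filter`, adding one for the unrequested object would turn these into real gating tests. The expected hash also deserves a comment tying it to the raw lists below, since the counts are what make the pin meaningful: `# ja4 t12d280700: TLS 1.2, SNI present (ext 0), 28 ciphers, 7 extensions, no ALPN — must agree with the lists below`, and for the server test `# ja4s t120400_c030: TLS 1.2, 4 extensions, no ALPN, cipher 0xc030 == 49200`.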
+++ b/tests/ja4-sv-handshake/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - tls:
+ enabled: yes
+ custom: [ja4s, server_handshake]
+
diff --git a/tests/ja4-sv-handshake/test.yaml b/tests/ja4-sv-handshake/test.yaml
new file mode 100644
index 000000000..793abfb83
--- /dev/null
+++ b/tests/ja4-sv-handshake/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 8
+ features:
+ - HAVE_JA4
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.ja4s: t120400_c030_12a20535f9be
+ tls.server_handshake.version: TLS 1.2
+ tls.server_handshake.cipher: 49200
+ tls.server_handshake.exts: [65281,11,35,23]
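Review bot: This suricata.yaml ends with an extra empty line (the hunk is `+1,13` where the otherwise identical client config is `+1,12`), which is the only difference between the two files besides the `custom:` list. Dropping the trailing blank line keeps the two configs byte-for-byte comparable, which matters if they are later deduplicated or diffed against each other.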