[Bro] Mapping TLS scanners JA3 => User-Agent
anthony kasza
anthony.kasza at gmail.com
Tue Dec 4 11:50:19 PST 2018
This would be hugely valuable for analysis. If you could include host
information such as OS version that would be useful too.
-AK
On Tue, Dec 4, 2018, 09:58 Neslog <neslog at gmail.com wrote:
> Morning everyone!
>
> I've been working with a colleague mapping scanning activity. We are able
> to capture JA3 fingerprint and match it up with the cleartext User-Agent
> strings.
>
> I'm considering throwing together a database with this information and
> wanted to get insight from others to see if it's worth it. User-Agent
> strings can obviously change so the mapping may be a bit weak.
>
> Please let me know what the list thinks. Worth it or not?
>
> Thanks!
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181204/32687a3b/attachment.html
More information about the Bro
mailing list