[Bro] Mapping TLS scanners JA3 => User-Agent

Vlad Grigorescu vlad at es.net
Tue Dec 4 12:58:18 PST 2018


Hi,

Check out Trisul NSM's data:
https://github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json

  --Vlad

On Tue, Dec 4, 2018 at 8:05 PM anthony kasza <anthony.kasza at gmail.com>
wrote:

> This would be hugely valuable for analysis. If you could include host
> information such as OS version that would be useful too.
>
> -AK
>
> On Tue, Dec 4, 2018, 09:58 Neslog <neslog at gmail.com> wrote:
>
>> Morning everyone!
>>
>> I've been working with a colleague mapping scanning activity.  We are
>> able to capture the JA3 fingerprint and match it up with the cleartext
>> User-Agent strings.
>>
>> I'm considering throwing together a database with this information and
>> wanted to get insight from others to see if it's worth it.  User-Agent
>> strings can obviously change so the mapping may be a bit weak.
>>
>> Please let me know what the list thinks.  Worth it or not?
>>
>> Thanks!
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro