[Bro] Mapping TLS scanners JA3 => User-Agent

Johanna Amann johanna at icir.org
Tue Dec 4 13:14:56 PST 2018


Hi,

to chime in here a bit - I think this can be useful - but please give the
data in as detailed a format as possible. So - if that is possible,
please do not just include the JA3 hash and the user-agent, but also
include the parts that make up the JA3 hash (and consider including more
information).

That makes it possible to, e.g. see how close several fingerprints are to
each other, which can be useful.

Also - as a more generic remark - one has to be quite careful on how to
interpret such fingerprints; in our experience, collisions (several pieces
of software that use the same underlying library, or have the same
fingerprint for different reasons) are quite common; in our measurements
for a recent paper (http://icir.org/johanna/papers/imc18tlsdeployment.pdf)
it was so common that we did not use it for a whole bunch of data analysis
that we planned.

On a side-note - we also published a list of TLS fingerprints that were
generated for that paper; it is accessible at
https://github.com/platonK/tls_fingerprints and might potentially be of
interest to some people of the list.

However, the same caveat applies - one has to be a bit careful on how to
interpret the data.

Johanna

On Tue, Dec 04, 2018 at 11:41:44AM -0500, Neslog wrote:
> Morning everyone!
> 
> I've been working with a colleague mapping scanning activity.  We are able
> to capture JA3 fingerprint and match it up with the cleartext User-Agent
> strings.
> 
> I'm considering throwing together a database with this information and
> wanted to get insight from others to see if it's worth it.  User-Agent
> strings can obviously change so the mapping may be a bit weak.
> 
> Please let me know what the list thinks.  Worth it or not?
> 
> Thanks!

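Added example (not part of the original message or of the paper's tooling): keeping the JA3 component string next to the hash lets you measure how close two fingerprints are and spot hashes shared by several User-Agents. The records are constructed sample data, and the per-field Jaccard score is an assumed similarity measure chosen for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample records (not real measurements): JA3 input string + User-Agent.
# JA3 string layout: TLSVersion,Ciphers,Extensions,EllipticCurves,ECPointFormats
RECORDS = [
    ("771,4865-4866-49195-49199,0-10-11-13-23,29-23-24,0", "scanner-a/1.0"),
    ("771,4865-4866-49195-49199,0-10-11-13-23,29-23-24,0", "other-tool/2.3"),
    ("771,4865-4866-49195-49199-156,0-10-11-13-23,29-23-24,0", "scanner-a/1.1"),
    ("769,47-53-10,0-10-11,23-24,0", "legacy-client/0.9"),
]

def ja3_hash(ja3_string):
    """JA3 is the MD5 hex digest of the comma-separated component string."""
    return hashlib.md5(ja3_string.encode("ascii")).hexdigest()

def parse(ja3_string):
    """Split into the version plus four lists of decimal values."""
    version, *fields = ja3_string.split(",")
    if len(fields) != 4:
        raise ValueError("expected 5 comma-separated JA3 fields")
    return version, [f.split("-") if f else [] for f in fields]

def similarity(a, b):
    """Mean Jaccard similarity over the five fields (order ignored)."""
    va, fa = parse(a)
    vb, fb = parse(b)
    scores = [1.0 if va == vb else 0.0]
    for x, y in zip(fa, fb):
        union = set(x) | set(y)
        scores.append(len(set(x) & set(y)) / len(union) if union else 1.0)
    return sum(scores) / len(scores)

def collisions(records):
    """Map each JA3 hash to its User-Agents; keep hashes seen with more than one."""
    seen = defaultdict(set)
    for ja3_string, user_agent in records:
        seen[ja3_hash(ja3_string)].add(user_agent)
    return {h: uas for h, uas in seen.items() if len(uas) > 1}

if __name__ == "__main__":
    for h, uas in collisions(RECORDS).items():
        print("shared hash", h, sorted(uas))
    print("near match:", round(similarity(RECORDS[0][0], RECORDS[2][0]), 3))
    print("far apart: ", round(similarity(RECORDS[0][0], RECORDS[3][0]), 3))
```

With only the hash, the first and third records look unrelated; with the components, they differ by a single cipher suite.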