[Bro] Mapping TLS scanners JA3 => User-Agent
Michał Purzyński
michalpurzynski1 at gmail.com
Tue Dec 4 13:18:51 PST 2018
That can address one of the biggest weaknesses of JA3 - the lack of a good database that is current.
There were some databases floating around, but none of them have been updated for a while.
> On Dec 4, 2018, at 2:50 PM, anthony kasza <anthony.kasza at gmail.com> wrote:
>
> This would be hugely valuable for analysis. If you could include host information such as OS version that would be useful too.
>
> -AK
>
>> On Tue, Dec 4, 2018, 09:58 Neslog <neslog at gmail.com> wrote:
>> Morning everyone!
>>
>> I've been working with a colleague mapping scanning activity. We are able to capture the JA3 fingerprint and match it up with the cleartext User-Agent strings.
>>
>> I'm considering throwing together a database with this information and wanted to get insight from others to see if it's worth it. User-Agent strings can obviously change so the mapping may be a bit weak.
>>
>> Please let me know what the list thinks. Worth it or not?
>>
>> Thanks!
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro