[Bro] Mapping TLS scanners JA3 => User-Agent

Joe Blow blackhole.em at gmail.com
Tue Dec 4 14:01:43 PST 2018


Can you please share pcaps of the JA3s you've seen?  Feel free to DM me.
If you've already collected these handshakes, I'd love to look closer at
them.

Thanks in advance.

Cheers,

JB

On Tue, Dec 4, 2018 at 3:06 PM anthony kasza <anthony.kasza at gmail.com>
wrote:

> This would be hugely valuable for analysis. If you could include host
> information such as OS version that would be useful too.
>
> -AK
>
> On Tue, Dec 4, 2018, 09:58 Neslog <neslog at gmail.com> wrote:
>
>> Morning everyone!
>>
>> I've been working with a colleague mapping scanning activity.  We are
>> able to capture the JA3 fingerprint and match it up with the cleartext
>> User-Agent strings.
>>
>> I'm considering throwing together a database with this information and
>> wanted to get insight from others to see if it's worth it.  User-Agent
>> strings can obviously change so the mapping may be a bit weak.
>>
>> Please let me know what the list thinks.  Worth it or not?
>>
>> Thanks!
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro