[Bro] Mapping TLS scanners JA3 => User-Agent

Michał Purzyński michalpurzynski1 at gmail.com
Tue Dec 4 14:45:46 PST 2018


And you will of course add them to a public database of signatures, Joe, right?

On Tue, Dec 4, 2018 at 5:38 PM Joe Blow <blackhole.em at gmail.com> wrote:
>
> Can you please share pcaps of the JA3s you've seen?  Feel free to DM me.  If you've already collected these handshakes, I'd love to look closer at them.
>
> Thanks in advance.
>
> Cheers,
>
> JB
>
> On Tue, Dec 4, 2018 at 3:06 PM anthony kasza <anthony.kasza at gmail.com> wrote:
>>
>> This would be hugely valuable for analysis. If you could include host information such as OS version that would be useful too.
>>
>> -AK
>>
>> On Tue, Dec 4, 2018, 09:58 Neslog <neslog at gmail.com> wrote:
>>>
>>> Morning everyone!
>>>
>>> I've been working with a colleague mapping scanning activity.  We are able to capture the JA3 fingerprint and match it up with the cleartext User-Agent strings.
>>>
>>> I'm considering throwing together a database with this information and wanted to get insight from others to see if it's worth it.  User-Agent strings can obviously change so the mapping may be a bit weak.
>>>
>>> Please let me know what the list thinks.  Worth it or not?
>>>
>>> Thanks!
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
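One way to build the JA3 to User-Agent mapping discussed in this thread and to score how weak each mapping is. This is an added example, not code from the thread. It assumes Zeek `ssl.log` records carrying the JA3 package's `ja3` field plus `http.log` records, and it assumes the pairing is done by source IP within a time window, which the thread does not specify. All records, hashes and User-Agent strings are constructed.

```python
from collections import defaultdict

JA3_A, JA3_B = "1" * 32, "2" * 32  # constructed stand-ins for JA3 MD5 hashes

# Constructed records using Zeek field names: ssl.log (with the JA3
# package's `ja3` column) and http.log. Not real traffic.
SSL_LOG = [
    {"ts": 100.0, "id.orig_h": "192.0.2.10", "ja3": JA3_A},
    {"ts": 200.0, "id.orig_h": "198.51.100.20", "ja3": JA3_A},
    {"ts": 300.0, "id.orig_h": "203.0.113.5", "ja3": JA3_A},
    {"ts": 400.0, "id.orig_h": "192.0.2.30", "ja3": JA3_B},
    {"ts": 500.0, "id.orig_h": "198.51.100.40", "ja3": JA3_B},
]
HTTP_LOG = [
    {"ts": 101.0, "id.orig_h": "192.0.2.10", "user_agent": "ExampleScanner/1.0"},
    {"ts": 205.0, "id.orig_h": "198.51.100.20", "user_agent": "ExampleScanner/1.0"},
    {"ts": 290.0, "id.orig_h": "203.0.113.5", "user_agent": "ExampleScanner/1.0"},
    {"ts": 9000.0, "id.orig_h": "203.0.113.5", "user_agent": "ExampleBot/2.3"},
    {"ts": 402.0, "id.orig_h": "192.0.2.30", "user_agent": "ExampleBot/2.3"},
    {"ts": 498.0, "id.orig_h": "198.51.100.40", "user_agent": "ExampleClient/0.9"},
]

def correlate(ssl_log, http_log, window=300.0):
    """Return {ja3: {user_agent: set(source IPs)}} for same-source pairs
    seen within `window` seconds of each other (assumed pairing rule)."""
    http_by_src = defaultdict(list)
    for rec in http_log:
        if rec.get("user_agent"):
            http_by_src[rec["id.orig_h"]].append((rec["ts"], rec["user_agent"]))
    seen = defaultdict(lambda: defaultdict(set))
    for rec in ssl_log:
        src = rec["id.orig_h"]
        for ts, ua in http_by_src.get(src, []):
            if rec.get("ja3") and abs(ts - rec["ts"]) <= window:
                seen[rec["ja3"]][ua].add(src)
    return seen

def summarize(seen, min_sources=2, min_share=0.8):
    """Pick the dominant User-Agent per JA3 and flag weak mappings."""
    out = {}
    for ja3, by_ua in seen.items():
        counts = {ua: len(srcs) for ua, srcs in by_ua.items()}
        total = sum(counts.values())
        ua = max(counts, key=counts.get)
        share = counts[ua] / total
        out[ja3] = {"user_agent": ua, "observations": total, "share": share,
                    "strong": counts[ua] >= min_sources and share >= min_share}
    return out

if __name__ == "__main__":
    for ja3, row in summarize(correlate(SSL_LOG, HTTP_LOG)).items():
        print(ja3, row)
```

Counting distinct source IPs rather than raw requests keeps one noisy host from dominating a mapping, and the `strong` flag separates a JA3 seen with one consistent User-Agent from one seen with several.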

