[Bro] Mapping TLS scanners JA3 => User-Agent

Neslog neslog at gmail.com
Tue Dec 4 18:45:18 PST 2018


Thank you all for the feedback.  The goal of this work is to provide a more
real-time aggregation of JA3 information and mappings.

I've spoken with Johanna previously and completely agree on aggregating the
client hello details.  This data set could be really great for research as
she said above.

My thought would be to try and host something like the SSL Notary.  This
would be continually growing while most JA3 databases are stagnant, or at
most periodically updated.  There are several different mappings that I'd
be interested in tracking.  I'd like to build a couple of scripts that
could be distributed to feed back into a database.  Some of the mappings
I'd like to see are the following:

JA3, JA3 string+(additional details), User-Agent strings.
JA3, JA3 string+(additional details), Host Application Info

Then make this data available via some type of API.  We could provide a
REST API or maybe a DNS type lookup.  It'd be quite an undertaking but if
others find it of interest and can contribute I'd be able to get more
cycles for it.

Thoughts on this approach?


On Tue, Dec 4, 2018 at 5:54 PM Michał Purzyński <michalpurzynski1 at gmail.com>
wrote:

> And you will of course add them to a public database of signatures, Joe,
> right?
> On Tue, Dec 4, 2018 at 5:38 PM Joe Blow <blackhole.em at gmail.com> wrote:
> >
> > Can you please share pcaps of the JA3s you've seen?  Feel free to DM
> me.  If you've already collected these handshakes, I'd love to look closer
> at them.
> >
> > Thanks in advance.
> >
> > Cheers,
> >
> > JB
> >
> > On Tue, Dec 4, 2018 at 3:06 PM anthony kasza <anthony.kasza at gmail.com>
> wrote:
> >>
> >> This would be hugely valuable for analysis. If you could include host
> information such as OS version that would be useful too.
> >>
> >> -AK
> >>
> >>> On Tue, Dec 4, 2018, 09:58 Neslog <neslog at gmail.com> wrote:
> >>>
> >>> Morning everyone!
> >>>
> >>> I've been working with a colleague mapping scanning activity.  We are
> able to capture JA3 fingerprint and match it up with the cleartext
> User-Agent strings.
> >>>
> >>> I'm considering throwing together a database with this information and
> wanted to get insight from others to see if it's worth it.  User-Agent
> strings can obviously change so the mapping may be a bit weak.
> >>>
> >>> Please let me know what the list thinks.  Worth it or not?
> >>>
> >>> Thanks!
> >>> _______________________________________________
> >>> Bro mailing list
> >>> bro at bro-ids.org
> >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
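The thread describes two pieces that the proposed database would need: computing the JA3 fingerprint from the ClientHello fields Bro exposes, and aggregating the observed JA3 / User-Agent (or JA3 / host application) pairs so that weak mappings, where one fingerprint is seen with many different User-Agents, can be told apart from strong ones. The script below is an added example, not code from Neslog or from the Bro project; it assumes the standard JA3 construction (five comma-separated fields, dash-separated values, GREASE values dropped, MD5 of the result), and the ClientHello fields and observation records in it are constructed sample data.

```python
import hashlib
from collections import Counter, defaultdict

# GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are dropped from JA3 strings so that
# clients which randomise them still produce a stable fingerprint.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Build the JA3 string: SSLVersion,Ciphers,Extensions,EllipticCurves,PointFormats.

    Fields are comma-separated; values within a field are dash-separated decimals.
    """
    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    return ",".join([str(version), field(ciphers), field(extensions),
                     field(curves), field(point_formats)])


def ja3_hash(ja3_str):
    """The JA3 fingerprint is the MD5 hex digest of the JA3 string."""
    return hashlib.md5(ja3_str.encode("ascii")).hexdigest()


# Constructed ClientHello, in the shape Bro's ssl_client_hello event provides:
# version, cipher suite list, extension type list, named curves, EC point formats.
# Two GREASE values are included to show they are filtered out.
SAMPLE_HELLO = {
    "version": 771,                                   # TLS 1.2 on the wire
    "ciphers": [0x1301, 0x1302, 0x0A0A, 0xC02B],
    "extensions": [0, 0x1A1A, 10, 11],
    "curves": [0x2A2A, 29, 23],
    "point_formats": [0],
}

# Constructed observations: each row is one connection where the JA3 string from the
# handshake and a cleartext HTTP User-Agent (plus, where known, the host application)
# were seen together. In Bro these would come from joining ssl.log and http.log.
OBSERVATIONS = [
    {"ja3": "771,4865-4866-49195,0-10-11,29-23,0", "user_agent": "scanner-bot/1.0",
     "host_app": "appA"},
    {"ja3": "771,4865-4866-49195,0-10-11,29-23,0", "user_agent": "scanner-bot/1.0",
     "host_app": "appA"},
    {"ja3": "771,4865-4866-49195,0-10-11,29-23,0",
     "user_agent": "Mozilla/5.0 (compatible; example-crawler)", "host_app": "appA"},
    {"ja3": "771,49195-49199,0-10-11-13,29-23,0", "user_agent": "ExampleTool/2.3",
     "host_app": "appB"},
    {"ja3": "771,49195-49199,0-10-11-13,29-23,0", "user_agent": "ExampleTool/2.3",
     "host_app": "appB"},
    {"ja3": "771,49195-49199,0-10-11-13,29-23,0", "user_agent": "ExampleTool/2.3",
     "host_app": "appB"},
]


def build_mapping(observations, key="user_agent"):
    """JA3 hash -> Counter of the chosen attribute (User-Agent or host application)."""
    mapping = defaultdict(Counter)
    for obs in observations:
        mapping[ja3_hash(obs["ja3"])][obs[key]] += 1
    return mapping


def dominant_share(counter):
    """Fraction of observations that belong to the most common value for a JA3."""
    total = sum(counter.values())
    return counter.most_common(1)[0][1] / total


def weak_mappings(mapping, threshold=0.8):
    """JA3 hashes whose most common value covers less than `threshold` of sightings.

    These are the fingerprints where, as the thread notes, a JA3 -> User-Agent
    mapping is weak because the User-Agent string varies behind one TLS stack.
    """
    return sorted(h for h, c in mapping.items() if dominant_share(c) < threshold)


if __name__ == "__main__":
    s = ja3_string(**SAMPLE_HELLO)
    print("JA3 string:", s)
    print("JA3 hash:  ", ja3_hash(s))
    for key in ("user_agent", "host_app"):
        m = build_mapping(OBSERVATIONS, key)
        for h, c in m.items():
            print(key, h, dict(c), "share=%.2f" % dominant_share(c))
        print("weak:", weak_mappings(m))
```

Both of the mappings proposed above come out of the same `build_mapping` call by changing the attribute name, and `dominant_share` gives a simple confidence figure that an API (REST or DNS-style) could return alongside the mapping so consumers know how stable a given JA3 / User-Agent pair has been.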