[Bro] Mapping TLS scanners JA3 => User-Agent

Neslog neslog at gmail.com
Wed Dec 5 12:56:08 PST 2018


Interesting SANS web
https://www.google.com/url?q=https://www.sans.org/webcasts/109365&sa=D&source=hangouts&ust=1544128109847000&usg=AFQjCNHoIK10Lt9gIz4q2RgACnjvnf_SwA


On Tue, Dec 4, 2018 at 9:45 PM Neslog <neslog at gmail.com> wrote:

> Thank you all for the feedback.  The goal of this work is to provide a
> more realtime aggregation of JA3 information and mappings.
>
> I've spoken with Johanna previously and completely agree aggregating the
> client hello details.  This data set could be really great for research as
> she said above.
>
> My thought would be to try and host something like the SSL Notary.  This
> would be continually growing while most JA3 databases are stagnant, or at
> most periodically updated.  There are several different mappings that I'd
> be interested in tracking.  I'd like to build a couple of scripts that
> could be distributed to feed back into a database.  Some of the mappings
> I'd like to see are the following:
>
> JA3, JA3 string+(additional details), User-Agent strings.
> JA3, JA3 string+(additional details), Host Application Info
>
> Then make this data available via some type of API.  We could provide a
> REST API or maybe a DNS type lookup.  It'd be quite an undertaking but if
> others find it of interest and can contribute I'd be able to get more
> cycles for it.
>
> Thoughts on this approach?
>
>
> On Tue, Dec 4, 2018 at 5:54 PM Michał Purzyński <
> michalpurzynski1 at gmail.com> wrote:
>
>> And you will of course add them to a public database of signatures, Joe,
>> right?
>> On Tue, Dec 4, 2018 at 5:38 PM Joe Blow <blackhole.em at gmail.com> wrote:
>> >
>> > Can you please share pcaps of the JA3s you've seen?  Feel free to DM
>> me.  If you've already collected these handshakes, I'd love to look closer
>> at them.
>> >
>> > Thanks in advance.
>> >
>> > Cheers,
>> >
>> > JB
>> >
>> > On Tue, Dec 4, 2018 at 3:06 PM anthony kasza <anthony.kasza at gmail.com>
>> wrote:
>> >>
>> >> This would be hugely valuable for analysis. If you could include host
>> information such as OS version that would be useful too.
>> >>
>> >> -AK
>> >>
>> >> On Tue, Dec 4, 2018, 09:58 Neslog <neslog at gmail.com> wrote:
>> >>>
>> >>> Morning everyone!
>> >>>
>> >>> I've been working with a colleague mapping scanning activity.  We are
>> able to capture JA3 fingerprint and match it up with the cleartext
>> User-Agent strings.
>> >>>
>> >>> I'm considering throwing together a database with this information
>> and wanted to get insight from others to see if it's worth it.  User-Agent
>> strings can obviously change so the mapping may be a bit weak.
>> >>>
>> >>> Please let me know what the list thinks.  Worth it or not?
>> >>>
>> >>> Thanks!
>> >>> _______________________________________________
>> >>> Bro mailing list
>> >>> bro at bro-ids.org
>> >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> >>
>>
>
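As an added illustration of the mapping proposed above (this is example code written for this page, not code from the thread or from the Bro/Zeek project), the script below builds the "JA3, JA3 string, User-Agent" table from records in the shape Bro's ssl.log and http.log provide, and flags the weak mappings the thread mentions, where one JA3 is seen with several User-Agents. All records, IPs, cipher and extension numbers are constructed; the correlation rule (attribute a cleartext User-Agent to a JA3 when the same client IP sent the TLS client hello at most WINDOW seconds earlier) is an assumption of this example, not something the thread specifies.

```python
"""Build a JA3 -> User-Agent mapping from Bro/Zeek-style ssl and http records.

Correlation rule (assumed for this example): an HTTP User-Agent is attributed
to a JA3 fingerprint when the same client IP sent the TLS client hello at most
WINDOW seconds before the cleartext request.
"""
import hashlib
from collections import defaultdict

WINDOW = 60.0  # seconds; assumed correlation window


def ja3_hash(ja3_string: str) -> str:
    """JA3 hash: MD5 of the JA3 string
    'TLSVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats'."""
    return hashlib.md5(ja3_string.encode("ascii")).hexdigest()


# Constructed records: (ts, src_ip, ja3_string). The cipher/extension numbers
# are placeholders for illustration and identify no real client.
SSL_RECORDS = [
    (1543939200.1, "10.0.0.5", "771,4865-4866-49195,0-10-11-13,29-23,0"),
    (1543939205.3, "10.0.0.5", "771,4865-4866-49195,0-10-11-13,29-23,0"),
    (1543939300.0, "10.0.0.7", "771,49171-49172-47,0-23-65281,23-24,0"),
    (1543939900.0, "10.0.0.9", "771,49171-49172-47,0-23-65281,23-24,0"),
]
# Constructed records: (ts, src_ip, user_agent).
HTTP_RECORDS = [
    (1543939201.0, "10.0.0.5", "scan-tool/1.2 (constructed)"),
    (1543939302.5, "10.0.0.7", "Mozilla/5.0 (constructed)"),
    (1543939910.0, "10.0.0.9", "other-client/0.1 (constructed)"),
    (1543939950.0, "10.0.0.9", "Mozilla/5.0 (constructed)"),
    (1543941000.0, "10.0.0.9", "late-client/9 (constructed)"),  # outside WINDOW
]


def correlate(ssl_records, http_records, window=WINDOW):
    """Return {ja3_hash: {"ja3_string": str, "user_agents": {ua: count}}}.

    Each HTTP request is counted at most once per JA3 hash, even if the same
    client sent several client hellos with that fingerprint inside the window.
    """
    http_by_src = defaultdict(list)
    for ts, src, ua in http_records:
        http_by_src[src].append((ts, ua))
    result = {}
    counted = set()  # (ja3_hash, src, http_ts, ua) already attributed
    for ts, src, ja3s in ssl_records:
        h = ja3_hash(ja3s)
        entry = result.setdefault(
            h, {"ja3_string": ja3s, "user_agents": defaultdict(int)})
        for hts, ua in http_by_src.get(src, ()):
            key = (h, src, hts, ua)
            if 0.0 <= hts - ts <= window and key not in counted:
                counted.add(key)
                entry["user_agents"][ua] += 1
    for entry in result.values():
        entry["user_agents"] = dict(entry["user_agents"])
    return result


def ambiguous(mapping):
    """JA3 hashes observed with more than one User-Agent: the weak mappings the
    thread warns about, where the UA changed but the TLS stack did not."""
    return sorted(h for h, e in mapping.items() if len(e["user_agents"]) > 1)


def report_rows(mapping):
    """Flatten to (ja3_hash, ja3_string, user_agent, count) rows, the shape a
    REST endpoint or a database feed could serve."""
    rows = []
    for h, e in sorted(mapping.items()):
        for ua, n in sorted(e["user_agents"].items()):
            rows.append((h, e["ja3_string"], ua, n))
    return rows


if __name__ == "__main__":
    m = correlate(SSL_RECORDS, HTTP_RECORDS)
    for row in report_rows(m):
        print("\t".join(str(x) for x in row))
    print("ambiguous JA3 hashes:", ambiguous(m))
```

On the constructed data the first fingerprint maps to a single User-Agent, while the second is seen with two and is reported by `ambiguous()`; a real feed would want that ambiguity count stored alongside each row so API consumers can judge how much weight a given JA3 to User-Agent pairing deserves.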