
JA3 support

Open chrisforce1 opened this issue 7 years ago • 1 comments

I'd like to save JA3 signatures when NFR encounters TLS sessions on TCP port 443.

Here's a simple way that we can load tcpdump output into ja3.py and get the signatures. The code is over at https://github.com/salesforce/ja3/ and a large list of signatures at https://github.com/salesforce/ja3/tree/master/lists. We can then use the signatures on the backend to flag infections within riswiz.

chrisforce1, Mar 25 '18 14:03

A bigger list of JA3 signatures (including some malware) is over here.

chrisforce1, Mar 26 '18 10:03