Chris McNab
From our chat we could invoke this module in these kinds of ways, and extend beyond DoH to DoT and DNSCrypt, e.g.

```
flightsim run encrypted-dns:doh
flightsim run encrypted-dns:dnscrypt
```
...
As per Slack please let's drop `spearphishing` but we can keep the others (with some adjustments..)
Is this one complete? It's similar to https://github.com/alphasoc/nfr/issues/71.
> HTTP support has been added since 1.7.0, but no TLS support yet. Renamed the issue, and it's essentially the same as https://github.com/alphasoc/nfr/issues/72.
This is a lower priority as it is blocked by https://github.com/alphasoc/riswiz/issues/321.
A bigger list of JA3 signatures (including some malware) is [over here](https://raw.githubusercontent.com/trisulnsm/trisul-scripts/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json).
> This should be easily achievable using https://github.com/cretz/bine, but would require a `tor` binary to be accessible. In theory we could embed one into a binary, but it would inflate...
This one is a little complex as we'd need to set up servers and negotiate TLS in a particular way to generate JA3 (client) and JA3S (server) fingerprints that are...
We should roll this into the `c2` module with synthetic bad JA3 client fingerprints to a server we control that talks TLS (e.g. `tls.sandbox.alphasoc.xyz`) and we could even reply with...
The fields in Bro when it's using the JA3 scripts are `ja3` and `ja3s` as below. https://github.com/salesforce/ja3/tree/master/zeek  The fields in Corelight JSON `ssl.log` are also `ja3` and `ja3s` as...
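To make the two comments above concrete (generating a synthetic JA3/JA3S pair from a client and server we control, then matching it in Zeek/Corelight `ssl.log` output), here is an added example in Go. It is not code from flightsim, nfr or the ja3 Zeek package: it builds the JA3 and JA3S strings from ClientHello/ServerHello field values, MD5s them the way the Zeek scripts do, and scans constructed JSON `ssl.log` lines for a blocklisted `ja3` value. The `ja3`/`ja3s` key names come from the comment above; the other keys (`id.orig_h`, `id.resp_h`, `server_name`) are assumed to be Zeek's standard names, the "bad" ClientHello is made up for the demo, and the log lines are constructed rather than captured.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// ClientHelloFields holds the ClientHello values JA3 hashes, as raw wire numbers
// (0x0303 = TLS 1.2 legacy_version, 0x1301 = TLS_AES_128_GCM_SHA256, ...).
type ClientHelloFields struct {
	Version      uint16
	Ciphers      []uint16 // cipher suites in offered order
	Extensions   []uint16 // extension types in offered order
	Curves       []uint16 // supported_groups
	PointFormats []uint8  // ec_point_formats
}

// isGrease reports whether v is a GREASE value (RFC 8701: 0x0a0a, 0x1a1a, ... 0xfafa).
// JA3 drops these so randomised GREASE values do not change the fingerprint.
func isGrease(v uint16) bool {
	return v&0x0f0f == 0x0a0a && v>>8 == v&0xff
}

// joinU16 renders values as decimal, '-' separated, skipping GREASE.
func joinU16(vals []uint16) string {
	parts := make([]string, 0, len(vals))
	for _, v := range vals {
		if !isGrease(v) {
			parts = append(parts, strconv.Itoa(int(v)))
		}
	}
	return strings.Join(parts, "-")
}

// JA3String builds "SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats".
func JA3String(h ClientHelloFields) string {
	pf := make([]string, len(h.PointFormats))
	for i, p := range h.PointFormats {
		pf[i] = strconv.Itoa(int(p))
	}
	return fmt.Sprintf("%d,%s,%s,%s,%s", h.Version, joinU16(h.Ciphers),
		joinU16(h.Extensions), joinU16(h.Curves), strings.Join(pf, "-"))
}

// JA3Hash is the hex MD5 of the JA3 string: what the Zeek ja3 script writes to the ja3 field.
func JA3Hash(h ClientHelloFields) string {
	sum := md5.Sum([]byte(JA3String(h)))
	return hex.EncodeToString(sum[:])
}

// JA3SString builds the server-side string from the ServerHello: "SSLVersion,Cipher,Extensions".
func JA3SString(version, cipher uint16, extensions []uint16) string {
	return fmt.Sprintf("%d,%d,%s", version, cipher, joinU16(extensions))
}

// JA3SHash is the hex MD5 of the JA3S string (the ja3s field).
func JA3SHash(version, cipher uint16, extensions []uint16) string {
	sum := md5.Sum([]byte(JA3SString(version, cipher, extensions)))
	return hex.EncodeToString(sum[:])
}

// SSLRecord is the subset of a Zeek/Corelight JSON ssl.log line used here.
// Key names other than ja3/ja3s are assumed to be Zeek's standard ones.
type SSLRecord struct {
	TS         float64 `json:"ts"`
	OrigH      string  `json:"id.orig_h"`
	RespH      string  `json:"id.resp_h"`
	ServerName string  `json:"server_name"`
	JA3        string  `json:"ja3"`
	JA3S       string  `json:"ja3s"`
}

// MatchSSLLog scans newline-delimited JSON ssl.log lines and reports each record whose
// ja3 hash is in bad (hash -> label). A malformed line is an error, not silently skipped.
func MatchSSLLog(log string, bad map[string]string) ([]string, error) {
	var hits []string
	for n, line := range strings.Split(log, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		var r SSLRecord
		if err := json.Unmarshal([]byte(line), &r); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		if label, ok := bad[r.JA3]; ok {
			hits = append(hits, fmt.Sprintf("%s -> %s sni=%s ja3=%s ja3s=%s (%s)",
				r.OrigH, r.RespH, r.ServerName, r.JA3, r.JA3S, label))
		}
	}
	return hits, nil
}

// SyntheticBadClient is a made-up ClientHello (TLS 1.2, GREASE suite, two real suites,
// three extensions plus GREASE) standing in for a "bad" fingerprint; not a real malware print.
var SyntheticBadClient = ClientHelloFields{
	Version:      0x0303,
	Ciphers:      []uint16{0x1a1a, 0x1301, 0xc02b},
	Extensions:   []uint16{0, 10, 11, 0x2a2a},
	Curves:       []uint16{0x3a3a, 29, 23},
	PointFormats: []uint8{0},
}

// SampleSSLLog returns two constructed ssl.log lines: one from the synthetic bad client,
// one from a client offering a different cipher list, both talking to the same server config.
func SampleSSLLog() string {
	benign := SyntheticBadClient
	benign.Ciphers = []uint16{0x1302, 0x1301}
	srv := JA3SHash(0x0303, 0xc02b, []uint16{65281, 0})
	return fmt.Sprintf(`{"ts":1700000000.1,"id.orig_h":"10.0.0.5","id.resp_h":"192.0.2.10","server_name":"tls.sandbox.alphasoc.xyz","ja3":%q,"ja3s":%q}
{"ts":1700000000.2,"id.orig_h":"10.0.0.6","id.resp_h":"192.0.2.20","server_name":"example.com","ja3":%q,"ja3s":%q}
`, JA3Hash(SyntheticBadClient), srv, JA3Hash(benign), srv)
}

func main() {
	fmt.Println("JA3 string:", JA3String(SyntheticBadClient), "hash:", JA3Hash(SyntheticBadClient))
	hits, err := MatchSSLLog(SampleSSLLog(), map[string]string{JA3Hash(SyntheticBadClient): "synthetic-bad"})
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Println("HIT", h)
	}
}
```

The point of computing the fingerprint from the field lists rather than hard-coding a hash is that a `c2` module can choose the cipher/extension ordering it sends and know in advance which `ja3` value should appear in `ssl.log`; GREASE filtering matters because a client that randomises GREASE values per connection would otherwise never produce a stable hash to alert on.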