[Emerging-Sigs] JA3 flags official Firefox distribution sites as malware

Michał Purzyński michalpurzynski1 at gmail.com
Mon Oct 28 16:55:28 HDT 2019


Be careful what you wish for ;)

I just spent over an hour submitting falses while also correlating each JA3
and JA3S with additional domains (from my Zeek's data) that rules either
were or will be falsing on. I have more examples, but I have no time - and
I already spent several hours on sorting through this today.

You're gonna see pretty much the entire public side of the Firefox delivery
infrastructure and half of Microsoft. Maybe that's BITS matching, or
Microsoft's CryptoAPI, or both, or more.