[Emerging-Sigs] JA3 flags official Firefox distribution sites as malware

Jason Williams jwilliams at emergingthreats.net
Tue Oct 29 01:39:51 HDT 2019

Edits to all the ET/ETPRO JA3 rules concerning directionality will go out
with the rule push today and should resolve a great number of these issues.
Please let me know if it does not. Thanks again!

On Tue, Oct 29, 2019 at 3:19 AM Jason Williams <
jwilliams at emergingthreats.net> wrote:

> Thank you!
> On Mon, Oct 28, 2019 at 7:56 PM Michał Purzyński <
> michalpurzynski1 at gmail.com> wrote:
>> Be careful what you wish for ;)
>> I just spent over an hour submitting falses while also correlating each
>> JA3 and JA3S with additional domains (from my Zeek's data) that rules
>> either were or will be falsing on. I have more examples, but I have no time
>> - and I already spent several hours on sorting through this today.
>> You're gonna see pretty much the entire public side of the Firefox delivery
>> infrastructure and half of Microsoft. Maybe that's BITS matching, or
>> Microsoft's CryptoAPI, or both, or more.