[Emerging-Sigs] JA3 flags official Firefox distribution sites as malware

Jason Williams jwilliams at emergingthreats.net
Tue Oct 29 01:39:51 HDT 2019


Edits to all the ET/ETPRO JA3 rules concerning directionality will go out
with the rule push today and should resolve a great number of these issues.
Please let me know if it does not. Thanks again!

On Tue, Oct 29, 2019 at 3:19 AM Jason Williams <
jwilliams at emergingthreats.net> wrote:

> Thank you!
>
> On Mon, Oct 28, 2019 at 7:56 PM Michał Purzyński <
> michalpurzynski1 at gmail.com> wrote:
>
>> Be careful what you wish for ;)
>>
>> I just spent over an hour submitting falses while also correlating each
>> JA3 and JA3S with additional domains (from my Zeek's data) that rules
>> either were or will be falsing on. I have more examples, but I have no time
>> - and I already spent several hours on sorting through this today.
>>
>> You're gonna see pretty much the entire public side of the Firefox delivery
>> infrastructure and half of Microsoft. Maybe that's BITS matching, or
>> Microsoft's CryptoAPI, or both, or more.