[Emerging-Sigs] JA3 flags official Firefox distribution sites as malware
cnelson at ucsd.edu
Tue Oct 29 08:40:01 HDT 2019
Ok, this worked *super* well for us. We just pulled out alerts by keyword for the high-risk stuff and stuck them in a ja3_local.rules file. This got us back to normal alerting volumes.
From: Jason Taylor <jtfas90 at gmail.com>
Sent: Monday, October 28, 2019 4:19 PM
To: Nelson, Cooper <cnelson at ucsd.edu>
Cc: Michał Purzyński <michalpurzynski1 at gmail.com>; emerging-sigs <emerging-sigs at lists.emergingthreats.net>
Subject: Re: [Emerging-Sigs] JA3 flags official Firefox distribution sites as malware
We also knocked down the ja3/ja3s rules to target specific things that we didn't otherwise have a good way to detect. For instance, specific things like Cobalt Strike or Meterpreter/Metasploit C2.
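The keyword pull described in both messages (keep only the high-risk JA3 rules such as the Cobalt Strike and Meterpreter/Metasploit ones in a ja3_local.rules file, and silence the rest), as an added example that is not from this thread: a small Python script that assumes Suricata rule syntax and a suricata-update style disable.conf, with constructed sample rules rather than real Emerging Threats signatures.

```python
import re

# Constructed sample in Suricata rule syntax; these are NOT real Emerging
# Threats rules: sids and ja3 hashes are placeholders for demonstration.
SAMPLE_ET_JA3_RULES = """\
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Cobalt Strike"; ja3.hash; content:"00000000000000000000000000000001"; sid:9000001; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Meterpreter"; ja3.hash; content:"00000000000000000000000000000002"; sid:9000002; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Generic Firefox"; ja3.hash; content:"00000000000000000000000000000003"; sid:9000003; rev:1;)
# alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Metasploit"; ja3.hash; content:"00000000000000000000000000000004"; sid:9000004; rev:1;)
"""

# Matches an enabled or commented-out ("# alert ...") rule; captures msg and sid.
RULE_RE = re.compile(
    r'^\s*(#\s*)?(alert|drop|reject|pass)\s.*?'
    r'msg:"(?P<msg>[^"]*)";.*?\bsid:(?P<sid>\d+);',
    re.IGNORECASE,
)


def split_ja3_rules(rules_text, keywords):
    """Return (local_rules, disabled_sids).

    local_rules: rule lines whose msg mentions any keyword (case-insensitive),
                 uncommented so they are active when dropped into ja3_local.rules.
    disabled_sids: sids of every other rule, for a suricata-update disable.conf.
    """
    wanted = [k.lower() for k in keywords]
    local_rules, disabled_sids = [], []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines and plain comments
        if any(k in m.group("msg").lower() for k in wanted):
            local_rules.append(line.lstrip("# ").rstrip())
        else:
            disabled_sids.append(int(m.group("sid")))
    return local_rules, disabled_sids


def render_disable_conf(sids):
    """One sid per line, the plain form suricata-update's disable.conf accepts."""
    return "\n".join(str(s) for s in sids) + "\n"


if __name__ == "__main__":
    keep, drop = split_ja3_rules(SAMPLE_ET_JA3_RULES,
                                 ["cobalt strike", "meterpreter", "metasploit"])
    print("\n".join(keep))           # contents for ja3_local.rules
    print(render_disable_conf(drop))  # contents for disable.conf
```

Run it against the real ET ja3 rules file instead of the sample to produce both files; the commented-out Metasploit rule in the sample shows that a disabled upstream rule matching a keyword is re-enabled in the local file.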