[Emerging-Sigs] JA3 flags official Firefox distribution sites as malware

Nelson, Cooper cnelson at ucsd.edu
Tue Oct 29 08:40:01 HDT 2019


Ok this worked *super* well for us.  We just pulled out alerts by keyword for the high risk stuff and stuck it in a ja3_local.rules file.  This got us back to normal alerting volumes.

-Coop

From: Jason Taylor <jtfas90 at gmail.com>
Sent: Monday, October 28, 2019 4:19 PM
To: Nelson, Cooper <cnelson at ucsd.edu>
Cc: Michał Purzyński <michalpurzynski1 at gmail.com>; emerging-sigs <emerging-sigs at lists.emergingthreats.net>
Subject: Re: [Emerging-Sigs] JA3 flags official Firefox distribution sites as malware


We also knocked down the ja3/ja3s rules to target specific things that we otherwise didn't have a good way to detect. For instance, specific things like Cobalt Strike or Meterpreter/Metasploit C2.
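The trimming both posters describe (keeping only the high-risk JA3 signatures, such as the Cobalt Strike and Metasploit ones, in a local rules file) as an added example; this is not code from either poster or from Emerging Threats, and the rule lines, SIDs and hashes below are constructed placeholders that only mimic the ET JA3 rule layout:

```python
import re
from pathlib import Path

# Constructed sample in the layout of ET JA3 rules; the hashes and SIDs are
# placeholders, not real indicators. The last line is a rule already disabled
# upstream (commented out) and must not be re-enabled by the filter.
SAMPLE_RULES = """\
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 Hash - Possible Malware - Fake CobaltStrike"; ja3.hash; content:"00000000000000000000000000000001"; classtype:unknown; sid:9000001; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Metasploit Meterpreter"; ja3.hash; content:"00000000000000000000000000000002"; classtype:unknown; sid:9000002; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Firefox Client"; ja3.hash; content:"00000000000000000000000000000003"; classtype:unknown; sid:9000003; rev:1;)
# alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Disabled CobaltStrike variant"; ja3.hash; content:"00000000000000000000000000000004"; classtype:unknown; sid:9000004; rev:1;)
"""

# Keywords matched against the rule msg, lower-cased. Extend to taste.
HIGH_RISK_KEYWORDS = ("cobalt strike", "cobaltstrike", "meterpreter", "metasploit")

MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r"\bsid:(\d+);")


def select_rules(rule_text, keywords=HIGH_RISK_KEYWORDS):
    """Return the enabled rule lines whose msg mentions any keyword."""
    selected = []
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip comments and rules already disabled upstream
        match = MSG_RE.search(line)
        if match is None:
            continue  # not a rule line we understand; leave it out
        msg = match.group(1).lower()
        if any(keyword in msg for keyword in keywords):
            selected.append(line)
    return selected


def selected_sids(rule_text, keywords=HIGH_RISK_KEYWORDS):
    """SIDs of the rules select_rules() keeps, handy for a quick sanity check."""
    return [int(SID_RE.search(rule).group(1)) for rule in select_rules(rule_text, keywords)]


def write_local_rules(rule_text, path="ja3_local.rules", keywords=HIGH_RISK_KEYWORDS):
    """Write the kept rules to a local rules file and return how many were written."""
    rules = select_rules(rule_text, keywords)
    Path(path).write_text("\n".join(rules) + "\n")
    return len(rules)


if __name__ == "__main__":
    print(selected_sids(SAMPLE_RULES))  # -> [9000001, 9000002]
```

Run it against the real emerging-ja3.rules instead of SAMPLE_RULES, then load only ja3_local.rules in the sensor so the browser and CDN hashes that caused the Firefox false positives never reach the alert pipeline.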
