[Emerging-Sigs] JA3 flags official Firefox distribution sites as malware

James Emery-Callcott jcallcott at emergingthreats.net
Tue Oct 29 15:34:21 HDT 2019


Hey folks,

Today's daily release is now out and there were many JA3 rule changes that,
as Jason said previously in the thread, should correct most, if not all, of
the issues you are seeing.

Again, let us know if you continue to see issues with these rules.


On Tue, Oct 29, 2019 at 5:40 PM Nelson, Cooper <cnelson at ucsd.edu> wrote:

> Ok, this worked **super** well for us. We just pulled out alerts by
> keyword for the high risk stuff and stuck it in a ja3_local.rules file.
> This got us back to normal alerting volumes.
>
> -Coop
>
> *From:* Jason Taylor <jtfas90 at gmail.com>
> *Sent:* Monday, October 28, 2019 4:19 PM
> *To:* Nelson, Cooper <cnelson at ucsd.edu>
> *Cc:* Michał Purzyński <michalpurzynski1 at gmail.com>; emerging-sigs <
> emerging-sigs at lists.emergingthreats.net>
> *Subject:* Re: [Emerging-Sigs] JA3 flags official Firefox distribution
> sites as malware
>
> We also knocked down the ja3/ja3s rules to target specific things that we
> didn't otherwise have a good way to detect. For instance,
> specific things like Cobalt Strike or meterpreter/metasploit C2.

-- 
---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
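The keyword carve-out Coop describes (keep only the high-risk JA3/JA3S rules in a local file and disable the broad ones) as an added example; this is not code from the thread or from Emerging Threats. The rule lines, sids and 32-digit hashes below are constructed placeholders, and the keyword list is an assumption based on what Jason and Coop mention.

```python
import re

# Constructed sample in Suricata rule syntax. The sids, msg text and the
# 32-hex-digit JA3/JA3S hashes are placeholders, not Emerging Threats signatures.
SAMPLE_RULES = """\
# ja3.rules (constructed sample)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Cobalt Strike (placeholder)"; ja3.hash; content:"00000000000000000000000000000001"; sid:9000001; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Generic Client (placeholder)"; ja3.hash; content:"00000000000000000000000000000002"; sid:9000002; rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3S Hash - Meterpreter Server (placeholder)"; ja3s.hash; content:"00000000000000000000000000000003"; sid:9000003; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Metasploit Reverse TLS Payload (placeholder)"; ja3.hash; content:"00000000000000000000000000000004"; sid:9000004; rev:1;)
"""

# Keywords the team treats as high risk (assumed list); matched case-insensitively against msg.
HIGH_RISK = ("cobalt strike", "meterpreter", "metasploit")

MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r'\bsid:(\d+);')

def parse_rules(rules_text):
    """Yield (sid, msg, rule_line) for each active rule; blank lines and comments are skipped."""
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        msg, sid = MSG_RE.search(line), SID_RE.search(line)
        if msg and sid:
            yield int(sid.group(1)), msg.group(1), line

def select_high_risk(rules_text, keywords=HIGH_RISK):
    """Rule lines whose msg mentions a high-risk keyword: the content of ja3_local.rules."""
    return [line for _, msg, line in parse_rules(rules_text)
            if any(k in msg.lower() for k in keywords)]

def sids_to_disable(rules_text, keywords=HIGH_RISK):
    """Sids of the remaining broad JA3 rules, one per line in suricata-update's disable.conf format."""
    return [sid for sid, msg, _ in parse_rules(rules_text)
            if not any(k in msg.lower() for k in keywords)]

if __name__ == "__main__":
    kept = select_high_risk(SAMPLE_RULES)
    with open("ja3_local.rules", "w") as f:
        f.write("\n".join(kept) + "\n")
    with open("disable.conf", "w") as f:
        f.write("\n".join(str(s) for s in sids_to_disable(SAMPLE_RULES)) + "\n")
    print(f"kept {len(kept)} rule(s); disabling {len(sids_to_disable(SAMPLE_RULES))}")
```

Point suricata-update at the generated disable.conf and load ja3_local.rules as a local rule file, then re-run against the real ET ja3.rules rather than the constructed sample.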