[Emerging-Sigs] JA3 flags official Firefox distribution sites as malware

Michał Purzyński michalpurzynski1 at gmail.com
Tue Oct 29 19:10:53 HDT 2019


Thanks Jason (Taylor) for the tip - I did the same thing, disabling all JA3
rules and enabling only targeted rules like Metasploit, Cobalt Strike and
such.

On Tue, Oct 29, 2019 at 5:34 PM James Emery-Callcott <
jcallcott at emergingthreats.net> wrote:

> Hey folks,
>
> Today's daily release is now out and there were many JA3 rule changes that,
> as Jason said previously in the thread, should correct most, if not all of
> the issues you are seeing.
>
> Again, let us know if you continue to see issues with these rules.
>
>
> On Tue, Oct 29, 2019 at 5:40 PM Nelson, Cooper <cnelson at ucsd.edu> wrote:
>
>> Ok this worked **super** well for us.  We just pulled out alerts by
>> keyword for the high risk stuff and stuck it in a ja3_local.rules file.
>> This got us back to normal alerting volumes.
>>
>> -Coop
>>
>> *From:* Jason Taylor <jtfas90 at gmail.com>
>> *Sent:* Monday, October 28, 2019 4:19 PM
>> *To:* Nelson, Cooper <cnelson at ucsd.edu>
>> *Cc:* Michał Purzyński <michalpurzynski1 at gmail.com>; emerging-sigs <
>> emerging-sigs at lists.emergingthreats.net>
>> *Subject:* Re: [Emerging-Sigs] JA3 flags official Firefox distribution
>> sites as malware
>>
>> We also knocked down the ja3/ja3s rules to target specific things that we
>> otherwise didn't have a good way to detect. For instance
>> specific things like Cobalt Strike or Meterpreter/Metasploit C2.
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreats.net
>>
>>
>
> --
> ---------------------------------------
>
> James Emery-Callcott
> Security Researcher | ProofPoint Inc | Emerging Threats Team
>
>
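The triage Cooper and Jason describe above (keep only the JA3/JA3S rules whose message names high-risk tooling, put them in a ja3_local.rules file, disable the rest), written out as a small Python script. This is an added example, not code from the thread, from Emerging Threats or from Suricata. It assumes a Suricata rule is a JA3 rule when it carries the `ja3.hash`/`ja3s.hash` keyword (or the older `ja3_hash`/`ja3s_hash` spelling), that the keyword match is done case-insensitively against the rule's `msg` field, and that a rule is disabled by prefixing it with `#`, which Suricata treats as a comment. The sample ruleset and its JA3 hashes are constructed placeholders, not real signatures.

```python
"""Split the JA3 rules of a Suricata ruleset into a keep list and a disable list.

Added example: the rules below are constructed for illustration and the hashes
are placeholders, not Emerging Threats' real JA3 signatures.
"""
import re

# Constructed sample ruleset (hypothetical sids, placeholder hashes).
SAMPLE_RULES = """\
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Cobalt Strike"; ja3.hash; content:"00000000000000000000000000000001"; classtype:trojan-activity; sid:2000001; rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3S Hash - Possible Metasploit Meterpreter Server"; ja3s.hash; content:"00000000000000000000000000000002"; classtype:trojan-activity; sid:2000002; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Generic Downloader"; ja3_hash; content:"00000000000000000000000000000003"; classtype:trojan-activity; sid:2000003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Constructed non-JA3 rule"; flow:established,to_server; sid:2000004; rev:1;)
# alert tls any any -> any any (msg:"ET JA3 Hash - already disabled"; ja3.hash; content:"00000000000000000000000000000004"; sid:2000005; rev:1;)
"""

# The "high risk stuff" from the thread; compared case-insensitively to msg.
HIGH_RISK_KEYWORDS = ("cobalt strike", "metasploit", "meterpreter")

# Matches ja3.hash, ja3s.hash (Suricata 5) and ja3_hash, ja3s_hash (older).
JA3_KEYWORD_RE = re.compile(r"\bja3s?[._]hash\b")
MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r"\bsid:(\d+);")


def is_ja3_rule(line: str) -> bool:
    """True for an active (not commented-out) rule that uses a JA3/JA3S keyword."""
    return not line.lstrip().startswith("#") and JA3_KEYWORD_RE.search(line) is not None


def rule_sid(line: str):
    """Return the rule's sid as an int, or None if the line has none."""
    m = SID_RE.search(line)
    return int(m.group(1)) if m else None


def matches_keywords(line: str, keywords) -> bool:
    """True when any keyword appears in the rule's msg field (case-insensitive)."""
    m = MSG_RE.search(line)
    msg = m.group(1).lower() if m else ""
    return any(k in msg for k in keywords)


def split_ja3_rules(ruleset: str, keywords=HIGH_RISK_KEYWORDS):
    """Return (local_rules, disabled_rules, untouched_lines).

    local_rules    - JA3 rules whose msg names high-risk tooling (for ja3_local.rules)
    disabled_rules - remaining JA3 rules, returned commented out with a leading '#'
    untouched_lines - everything else (non-JA3 rules, comments, blank lines)
    """
    local, disabled, untouched = [], [], []
    for line in ruleset.splitlines():
        if not is_ja3_rule(line):
            untouched.append(line)
        elif matches_keywords(line, keywords):
            local.append(line)
        else:
            disabled.append("# " + line)
    return local, disabled, untouched


def local_rule_sids(ruleset: str, keywords=HIGH_RISK_KEYWORDS):
    """Convenience: sids of the JA3 rules that would land in ja3_local.rules."""
    return [rule_sid(r) for r in split_ja3_rules(ruleset, keywords)[0]]


if __name__ == "__main__":
    local, disabled, untouched = split_ja3_rules(SAMPLE_RULES)
    # In practice: write `local` to ja3_local.rules and `disabled` back in
    # place of the original JA3 rules, then reload Suricata.
    print("ja3_local.rules:", [rule_sid(r) for r in local])
    print("disabled JA3 rules:", [rule_sid(r) for r in disabled])
    print("untouched lines:", len(untouched))
```

Run against the real ET ruleset the same way: read the file, write `local` to ja3_local.rules, and write `disabled` plus `untouched` back out. Keeping the match on the `msg` text rather than on hashes means a new daily release that renames or adds Cobalt Strike/Metasploit rules is picked up without editing the script, while everything else stays off until the wider JA3 false-positive issue is sorted.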