Home Tips & Tricks Open Sourcing JA3: SSL/TLS Client Fingerprinting for Malware Detection

Open Sourcing JA3: SSL/TLS Client Fingerprinting for Malware Detection

0
0
1,131

A JA3 hash represents the fingerprint of an SSL/TLS client application as detected via a network sensor or device, such as Bro or Suricata. This allows for simple and effective detection of client applications such as Chrome running on OSX (JA3=94c485bca29d5392be53f2b8cf7f4304) or the Dyre malware family running on Windows (JA3=b386946a5a44d1ddcc843bc75336dfce) or Metasploit’s Meterpreter running on Linux (JA3=5d65ea3fb1d4aa7d826733d2f2cbbb1d). JA3 allows analysts to detect these applications, malware families, and pen testing tools, regardless of their destination, Command and Control (C2) IPs, or SSL certificates.

Learn more about how it works reading John Althouse’s post.

 

Load More Related Articles
Load More In Tips & Tricks

Leave a Reply

Your email address will not be published. Required fields are marked *