LeeBrotherston / tls-fingerprinting

TLS Fingerprinting
GNU General Public License v3.0

Duplicate entry in fingerprint database #38

Open obilodeau opened 7 years ago

obilodeau commented 7 years ago

Those two entries have the exact same fingerprint. They should be merged into one entry. Actually, the second entry pretty much covers the first so the first should be removed altogether.

{"id": 0, "desc": "Safari 525 - 533  534.57.2",  "record_tls_version": "0x0301", "tls_version": "0x0301",  "ciphersuite_length": "0x0018",  "ciphersuite": "0xC014 0xC013 0x0035 0x002F 0xC00A 0xC009 0x0038 0x0032 0x000A 0x0013 0x0005 0x0004",  "compression_length": "1",  "compression": "0x00",  "extensions": "0x0000 0x000A 0x000B 0x0017 0xFF01" , "e_curves": "0x0017 0x0018" , "ec_point_fmt": "0x00" }
{"id": 0, "desc": "Safari 525.21  525.29  531.22.7  533.21.1  534.57.2 / Adobe Reader DC 15.x Updater",  "record_tls_version": "0x0301", "tls_version": "0x0301",  "ciphersuite_length": "0x0018",  "ciphersuite": "0xC014 0xC013 0x0035 0x002F 0xC00A 0xC009 0x0038 0x0032 0x000A 0x0013 0x0005 0x0004",  "compression_length": "1",  "compression": "0x00",  "extensions": "0x0000 0x000A 0x000B 0x0017 0xFF01" , "e_curves": "0x0017 0x0018" , "ec_point_fmt": "0x00" }

As a side note: I'm having numerous hits on this rule on the proxy traffic of a botnet I'm tracking. There is automation involved so I think it is also the fingerprint of a popular library but don't know which yet. User-Agents are spoofed so I can't correlate with that.
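
An added example (not part of the original issue or the project's code): a check for the condition reported above, grouping database entries whose fields other than `id` and `desc` are identical. It assumes the database holds one JSON object per line, as the two quoted entries do; `signature`, `find_duplicates`, `SAFARI` and `SAMPLE_LINES` are names chosen here, and the third sample entry is constructed.

```python
import json
from collections import defaultdict

NON_SIGNATURE_FIELDS = {"id", "desc"}  # metadata, not part of the ClientHello

def signature(entry):
    """Hashable key built from every field except id and desc."""
    parts = []
    for field in sorted(entry):
        if field not in NON_SIGNATURE_FIELDS:
            # Normalise spacing and hex case so cosmetic differences cannot hide a duplicate.
            parts.append((field, tuple(str(entry[field]).lower().split())))
    return tuple(parts)

def find_duplicates(lines):
    """Return groups of (line number, desc) for entries sharing a signature."""
    groups = defaultdict(list)
    for lineno, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: invalid JSON ({exc.msg})") from exc
        groups[signature(entry)].append((lineno, entry.get("desc", "")))
    return [hits for hits in groups.values() if len(hits) > 1]

# Field values shared by the two entries quoted in the issue.
SAFARI = {
    "record_tls_version": "0x0301", "tls_version": "0x0301",
    "ciphersuite_length": "0x0018",
    "ciphersuite": "0xC014 0xC013 0x0035 0x002F 0xC00A 0xC009 "
                   "0x0038 0x0032 0x000A 0x0013 0x0005 0x0004",
    "compression_length": "1", "compression": "0x00",
    "extensions": "0x0000 0x000A 0x000B 0x0017 0xFF01",
    "e_curves": "0x0017 0x0018", "ec_point_fmt": "0x00",
}
SAMPLE_LINES = [
    json.dumps({"id": 0, "desc": "Safari 525 - 533  534.57.2", **SAFARI}),
    json.dumps({"id": 0, "desc": "Safari 525.21  525.29  531.22.7  533.21.1  534.57.2"
                                 " / Adobe Reader DC 15.x Updater", **SAFARI}),
    # Constructed entry with a different extension list; must not be reported.
    json.dumps({"id": 0, "desc": "constructed example", **SAFARI, "extensions": "0x0000 0xFF01"}),
]

if __name__ == "__main__":
    for group in find_duplicates(SAMPLE_LINES):
        print("same fingerprint:", group)
```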