alphasoc / nfr

A lightweight tool to score network traffic and flag anomalies
https://alphasoc.com

JA3 support #56

Open chrisforce1 opened 6 years ago

chrisforce1 commented 6 years ago

I'd like to save JA3 signatures when NFR encounters TLS sessions on TCP port 443.

Here's a simple way that we can load tcpdump output into ja3.py and get the signatures. The code is over at https://github.com/salesforce/ja3/ and a large list of signatures is at https://github.com/salesforce/ja3/tree/master/lists. We can then use the signatures on the backend to flag infections within riswiz.

chrisforce1 commented 6 years ago

A bigger list of JA3 signatures (including some malware) is over here.