Open ghost opened 6 years ago
jbremer
commented
6 years ago Sounds like a plan. Should figure out a good way to automatically extract / group the information though. What about matching found fingerprints as opposed to only extracting 'em?
ghost
commented
6 years ago So matching fingerprints is kind of difficult -- JA3 is more about describing the TLS handshake in a sharable way than it is matching things 1 to 1. This gives you the ability to pivot or relate samples but it describes the TLS framework that was used to establish the connection more than it does the software that ran if that makes sense. There is an example of extracted fingerprints and you can see that one JA3 can map to many processes.
I think it would be optimal to drop it in to the network tab -- perhaps under the HTTPS tab, if you click an outbound GET request where it shows the outbound request, you could display the JA3 there.
Does that make sense?
JA3 is a technique for fingerprinting and describing TLS handshakes.
It would be great if for outgoing TLS sessions this fingerprint could be calculated and stored. JA3 is widely implemented in appliances by Darktrace, available as a Bro package and the abuse.ch sandnet. This fingerprint could allow further pivoting and investigating.