Closed martinscheu closed 3 years ago
POPS, IMAPS, SMTPS protocols using TLS as transport should show JA3 info now (next build)
Hi Alfredo (@cardigliano), thanks for the fix. I can confirm that for the 3 mentioned protocols it is working. May I ask for the lookup of whether the signature is blacklisted as well? E.g. for TCP I get:
Blacklisted ones get a little red icon and a "Possibly Malicious Signature" as flow risk. Sorry for nitpicking. Thanks
This issue is not implemented as it should be: the JA3 blacklisted signature must feed the flow risk
@cardigliano See https://github.com/ntop/nDPI/commit/f1b22b199f08469407c55dcd98ec24af85da0fd3 and the ndpi_load_malicious_ja3_file() API call
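To illustrate what the comment above asks for (a blacklist of JA3 MD5 fingerprints loaded once, then consulted per TLS flow so that a match feeds a "Possibly Malicious Signature" flow risk), here is an added, self-contained C example. It is not nDPI's code and does not call the real ndpi_load_malicious_ja3_file(), which takes the detection module and a file path; instead it parses an in-memory buffer in an assumed CSV layout (ja3_md5,Firstseen,Lastseen,Listingreason, comment lines starting with "#"). All hashes and dates in the sample are constructed, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not nDPI's own code: load a JA3 MD5 blacklist and
 * flag matching flows with a risk, independent of the L7 protocol
 * (HTTPS, POPS, IMAPS, SMTPS) as long as the transport is TLS. */

#define JA3_MD5_LEN 32
#define MAX_ENTRIES 1024

struct ja3_entry {
    char md5[JA3_MD5_LEN + 1];  /* lowercase hex fingerprint */
    char reason[64];            /* listing reason shown next to the risk */
};

static struct ja3_entry blacklist[MAX_ENTRIES];
static int blacklist_len = 0;

/* Constructed sample in the assumed CSV layout; hashes are placeholders,
 * the third data line is deliberately malformed to show it being skipped. */
static const char *sample_csv =
    "# ja3_md5,Firstseen,Lastseen,Listingreason\n"
    "00112233445566778899aabbccddeeff,2020-12-01 00:00:00,2020-12-07 00:00:00,Possible Quakbot\n"
    "this line has no commas and is ignored\n"
    "ffeeddccbbaa99887766554433221100,2020-11-01 00:00:00,2020-12-07 00:00:00,Constructed example entry\n";

/* A JA3 fingerprint is exactly 32 hex characters. */
static int is_ja3_md5(const char *s) {
    if (strlen(s) != JA3_MD5_LEN) return 0;
    for (int i = 0; i < JA3_MD5_LEN; i++)
        if (!isxdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* Parse the CSV buffer into the blacklist; returns number of entries loaded.
 * Malformed lines are skipped rather than aborting the whole load. */
int ja3_load_blacklist(const char *csv) {
    char line[256];
    blacklist_len = 0;
    while (*csv) {
        size_t full = strcspn(csv, "\n");
        size_t n = full < sizeof(line) ? full : sizeof(line) - 1;
        memcpy(line, csv, n);
        line[n] = '\0';
        csv += full;
        if (*csv == '\n') csv++;
        if (line[0] == '#' || line[0] == '\0') continue;

        char *fields[4] = {0};
        int nf = 0;
        char *p = line;
        while (nf < 4 && p) {
            fields[nf++] = p;
            p = strchr(p, ',');
            if (p) *p++ = '\0';
        }
        if (nf < 4 || !is_ja3_md5(fields[0])) continue;  /* malformed: skip */
        if (blacklist_len >= MAX_ENTRIES) break;

        struct ja3_entry *e = &blacklist[blacklist_len++];
        for (int i = 0; i < JA3_MD5_LEN; i++)
            e->md5[i] = (char)tolower((unsigned char)fields[0][i]);
        e->md5[JA3_MD5_LEN] = '\0';
        snprintf(e->reason, sizeof(e->reason), "%s", fields[3]);
    }
    return blacklist_len;
}

/* Case-insensitive lookup; returns the listing reason or NULL if clean. */
const char *ja3_lookup(const char *ja3_md5) {
    char key[JA3_MD5_LEN + 1];
    if (!is_ja3_md5(ja3_md5)) return NULL;
    for (int i = 0; i < JA3_MD5_LEN; i++)
        key[i] = (char)tolower((unsigned char)ja3_md5[i]);
    key[JA3_MD5_LEN] = '\0';
    for (int i = 0; i < blacklist_len; i++)
        if (strcmp(blacklist[i].md5, key) == 0) return blacklist[i].reason;
    return NULL;
}

/* Per-flow check: returns 1 and fills `out` with the risk text when the
 * client JA3 is blacklisted, 0 otherwise. The wording is hedged because
 * JA3 matches can be false positives, as noted in the thread. */
int ja3_flow_risk(const char *proto, const char *ja3_md5, char *out, size_t outlen) {
    const char *reason = ja3_lookup(ja3_md5);
    (void)proto;  /* risk applies to any TLS-transported protocol */
    if (reason == NULL) { if (outlen) out[0] = '\0'; return 0; }
    snprintf(out, outlen, "Possibly Malicious Signature: %s", reason);
    return 1;
}

int main(void) {
    char risk[128];
    printf("loaded %d JA3 entries\n", ja3_load_blacklist(sample_csv));
    if (ja3_flow_risk("POPS", "00112233445566778899AABBCCDDEEFF", risk, sizeof risk))
        printf("POPS flow flagged: %s\n", risk);
    if (!ja3_flow_risk("SMTPS", "ffffffffffffffffffffffffffffffff", risk, sizeof risk))
        printf("SMTPS flow clean\n");
    return 0;
}
```

The lookup is linear for clarity; a real engine would use a hash table keyed on the fingerprint. Lowercasing both sides matters in practice because JA3 MD5 strings appear in either case depending on the tool that produced the list.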
Malicious JA3 signatures are now loaded to nDPI and the flow risk is displayed as in the picture
Hi Alfredo (@cardigliano), thank you for the update. Could the flow risk text be the same as with TCP: "Possibly Malicious Signature"? Reason: JA3 lookup can generate false positives. Thank you.
Sure, I can change it
@martinscheu please confirm this is providing the expected information now
Hi Alfredo (@cardigliano), thanks for the update, it is working as expected. Some flows in the test pcap don't show a JA3 signature; I guess they are too short?
Hello, if possible please add JA3 certificate lookup for applications other than HTTPS traffic, e.g. POPS, IMAPS, SMTPS. PCAP to reproduce: https://www.malware-traffic-analysis.net/2020/12/07/2020-12-07-Qakbot-with-Cobalt-Strike-and-spambot-activity.pcap.zip (password: infected). E.g. POPS
The above example should lead to [Abuse.ch] Possible Quakbot. Thanks