{
"name" : "ja3" ,
"meta-category" : "network" ,
"description" : "JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed from the Client Hello packet: SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3" ,
"version" : 2 ,
"uuid" : "09b45449-5d6e-492c-a68a-cb2e188cbfac" ,
"attributes" : {
"ja3-fingerprint-md5" : {
"description" : "JA3 fingerprint (MD5 hash) identifying the source SSL client" ,
"misp-attribute" : "md5" ,
"ui-priority" : 1 ,
"categories" : [
"Network activity" ,
"External analysis"
]
} ,
"description" : {
"description" : "Type of detected software, i.e. software or malware" ,
"misp-attribute" : "text" ,
"ui-priority" : 1 ,
"categories" : [
"Network activity" ,
"External analysis"
]
} ,
"ip-src" : {
"description" : "Source IP Address" ,
"misp-attribute" : "ip-src" ,
"categories" : [
"Network activity" ,
"External analysis"
] ,
"ui-priority" : 1
} ,
"ip-dst" : {
"description" : "Destination IP address" ,
"misp-attribute" : "ip-dst" ,
"categories" : [
"Network activity" ,
"External analysis"
] ,
"ui-priority" : 1
} ,
"first-seen" : {
"misp-attribute" : "datetime" ,
"disable_correlation" : true ,
"ui-priority" : 0 ,
"description" : "First time the SSL/TLS handshake was seen"
} ,
"last-seen" : {
"misp-attribute" : "datetime" ,
"disable_correlation" : true ,
"description" : "Last time the SSL/TLS handshake was seen" ,
"ui-priority" : 0
}
} ,
"required" : [
"ja3-fingerprint-md5"
]
}