misp-objects/objects/ja3/definition.json

{
  "name": "ja3",
  "meta-category": "network",
  "description": "JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3",
  "version": 4,
  "uuid": "09b45449-5d6e-492c-a68a-cb2e188cbfac",
  "attributes": {
    "ja3-fingerprint-md5": {
      "description": "Hash identifying source",
      "misp-attribute": "ja3-fingerprint-md5",
      "ui-priority": 1
    },
    "description": {
      "description": "Type of detected software ie software, malware",
      "misp-attribute": "text",
      "ui-priority": 1
    },
    "ip-src": {
      "description": "Source IP Address",
      "misp-attribute": "ip-src",
      "ui-priority": 1
    },
    "ip-dst": {
      "description": "Destination IP address",
      "misp-attribute": "ip-dst",
      "ui-priority": 1
    },
    "first-seen": {
      "misp-attribute": "datetime",
      "disable_correlation": true,
      "ui-priority": 0,
      "description": "First seen of the SSL/TLS handshake"
    },
    "last-seen": {
      "misp-attribute": "datetime",
      "disable_correlation": true,
      "description": "Last seen of the SSL/TLS handshake",
      "ui-priority": 0
    }
  },
  "required": [
    "ja3-fingerprint-md5"
  ]
}
First version of the ja3 object based on the proposal from @delbs 2017-09-24 20:10:59 +02:00			`{`
			`"name": "ja3",`
			`"meta-category": "network",`
			`"description": "JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3",`
Updated JA3 to have own data type ja3-fingerprint-md5 and bumped the version 2018-12-30 12:31:17 +01:00			`"version": 4,`
First version of the ja3 object based on the proposal from @delbs 2017-09-24 20:10:59 +02:00			`"uuid": "09b45449-5d6e-492c-a68a-cb2e188cbfac",`
			`"attributes": {`
			`"ja3-fingerprint-md5": {`
			`"description": "Hash identifying source",`
Updated JA3 to have own data type ja3-fingerprint-md5 and bumped the version 2018-12-30 12:31:17 +01:00			`"misp-attribute": "ja3-fingerprint-md5",`
chg: [ja3] categories removed (default attributes categories will be used) Fix MISP/MISP/issues/3593 2018-08-28 14:30:29 +02:00			`"ui-priority": 1`
First version of the ja3 object based on the proposal from @delbs 2017-09-24 20:10:59 +02:00			`},`
			`"description": {`
			`"description": "Type of detected software ie software, malware",`
			`"misp-attribute": "text",`
chg: [ja3] categories removed (default attributes categories will be used) Fix MISP/MISP/issues/3593 2018-08-28 14:30:29 +02:00			`"ui-priority": 1`
First version of the ja3 object based on the proposal from @delbs 2017-09-24 20:10:59 +02:00			`},`
			`"ip-src": {`
			`"description": "Source IP Address",`
			`"misp-attribute": "ip-src",`
			`"ui-priority": 1`
			`},`
			`"ip-dst": {`
			`"description": "Destination IP address",`
			`"misp-attribute": "ip-dst",`
			`"ui-priority": 1`
			`},`
			`"first-seen": {`
			`"misp-attribute": "datetime",`
disable correlation for last-seen/first-seen/text 2017-12-05 11:05:56 +01:00			`"disable_correlation": true,`
First version of the ja3 object based on the proposal from @delbs 2017-09-24 20:10:59 +02:00			`"ui-priority": 0,`
			`"description": "First seen of the SSL/TLS handshake"`
			`},`
			`"last-seen": {`
			`"misp-attribute": "datetime",`
disable correlation for last-seen/first-seen/text 2017-12-05 11:05:56 +01:00			`"disable_correlation": true,`
First version of the ja3 object based on the proposal from @delbs 2017-09-24 20:10:59 +02:00			`"description": "Last seen of the SSL/TLS handshake",`
			`"ui-priority": 0`
			`}`
			`},`
			`"required": [`
			`"ja3-fingerprint-md5"`
			`]`
			`}`