JA3S Fingerprinting #293

Open
0xdade opened this issue Jun 18, 2020 · 1 comment
Labels
agent affecting natlas-agent enhancement New feature or request

0xdade commented Jun 18, 2020

Is your feature request related to a problem?
Sometimes one application might change IP addresses and we'll end up with effectively the same host on two different IP addresses. It'd be nice to have some additional data points that let us identify this sort of thing.

Describe the feature you'd like
JA3 is a method of fingerprinting TLS clients/servers. Build a JA3(S) probe into natlas-agent that can run natively (versus shelling out) so that we can store this information with our scan results.

Have you considered alternative ways to get this feature?
Instead of building a native probe we could find another tool, bake it into the container, and shell out to it.

Additional context
I think there has been some counter-research to show that this information can be manipulated, but for most natlas use cases I don't think that's particularly a huge deal. Having the data, even if it's manipulated to mask itself, is still going to be better than not having the data.

@0xdade 0xdade added enhancement New feature or request agent affecting natlas-agent labels Jun 18, 2020
@rmusser01

For some additional contextual information for this issue, here is some research on spoofing JA3 signatures: https://medium.com/cu-cyber/impersonating-ja3-fingerprints-b9f555880e42
The tool: https://github.com/CUCyber/ja3transport

And a Python tool that has functionality for parsing JA3 signatures from network traffic: https://github.com/0x4D31/fatt
Specifically, https://github.com/0x4D31/fatt/blob/master/fatt.py#L435 & https://github.com/0x4D31/fatt/blob/master/fatt.py#L493
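
One way the fingerprint calculation for a native JA3S probe could look, added here as an example and not code from natlas, fatt, or either commenter: it parses one TLS record holding a ServerHello and hashes the `version,cipher,extensions` string that JA3S defines. The function names and the sample record are constructed for illustration, and it assumes the ServerHello fits in a single record (no reassembly) and that the ClientHello has already been sent elsewhere.

```python
import hashlib
import struct


def ja3s_from_server_hello(record: bytes) -> tuple[str, str]:
    """Return (ja3s_string, md5_hex) for one raw TLS record holding a ServerHello."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if content_type != 22 or rec_len < 4 or len(body) != rec_len:
        raise ValueError("not a complete handshake record")
    if body[0] != 2:
        raise ValueError("handshake message is not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("ServerHello spans records; reassembly not handled")
    try:
        version = struct.unpack_from("!H", hello, 0)[0]
        pos = 2 + 32                        # skip version and random
        pos += 1 + hello[pos]               # skip session_id
        cipher = struct.unpack_from("!H", hello, pos)[0]
        pos += 2 + 1                        # skip cipher and compression method
        ext_types = []
        if pos < len(hello):                # the extensions block is optional
            ext_end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
            if ext_end > len(hello):
                raise ValueError("extensions length exceeds ServerHello")
            pos += 2
            while pos < ext_end:
                ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
                ext_types.append(str(ext_type))   # keep the server's order
                pos += 4 + ext_len
    except (struct.error, IndexError) as exc:
        raise ValueError("malformed ServerHello") from exc
    ja3s = f"{version},{cipher},{'-'.join(ext_types)}"
    # MD5 is an identifier here, not a security control.
    return ja3s, hashlib.md5(ja3s.encode(), usedforsecurity=False).hexdigest()


def constructed_server_hello() -> bytes:
    """Constructed sample (not captured traffic): a TLS 1.2 ServerHello record."""
    exts = b"".join(struct.pack("!HH", t, len(d)) + d
                    for t, d in [(65281, b"\x00"), (11, b"\x01\x00"), (35, b"")])
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 0xC02F)
             + b"\x00" + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake
```

The JA3S value depends on the ClientHello the probe sends, so stored fingerprints are only comparable across hosts when the agent always offers the same ClientHello.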
