False Positive Report for ET JA3 Rule 2028802 (Possible Adware blocking TV streaming)

Hello Proofpoint Emerging Threats Team,

I am reporting a false positive alert generated by the Suricata rule with SID 2028802, which is incorrectly flagging legitimate traffic from a smart TV streaming service as adware.

The rule in question is:
Rule Message: ET JA3 Hash - [Abuse.ch] Possible Adware
Signature ID (SID): 2028802
Source File: emerging-ja3.rules

The rule is blocking the following legitimate IP addresses used by Amazon AWS and Akamai for content delivery:

  • 13.227.146.3

  • 18.244.102.118

  • 23.64.12.163 (Akamai, Warsaw, Poland)

  • 35.71.134.138 (Amazon AWS, Tokyo, Japan)

  • 76.223.106.185 (Amazon AWS, Pennsylvania, USA)

  • 108.138.51.56 / 108.138.51.78 / 108.138.51.98 (Amazon AWS, Seattle, USA)

The connection generating the JA3 hash appears to be part of the standard application library used by my smart TV (brand: Samsung) to access legitimate streaming services.

Could you please review this signature and the associated JA3 hash to verify if an adjustment is needed to exclude this legitimate client behavior?

Thank you for your work on these threat feeds.

Best regards, Luka


Hey @Armani

Thanks for taking the time to report the false positive! Generally the JA3 signatures can be FP prone, and this hash was first identified by Abuse.ch in 2017, so it is pretty old; I’m going to disable the signature in today’s release.

Thanks!
Isaac

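As an added illustration (not part of either post above, and not Proofpoint or Abuse.ch code), the block below shows how the JA3 fingerprint that a rule like 2028802 matches on is derived from a TLS ClientHello: the TLS version, cipher suite list, extension list, supported groups and EC point formats are joined into a string and MD5-hashed. It also shows why such hashes are FP prone: the fingerprint covers only the client's TLS library configuration, so every application sharing that library on a platform produces the same hash. The ClientHello bytes are constructed in the block (the cipher and extension choices, the `example.com` SNI and the fixed random are assumptions for the sample); the hash carried by the real rule is not reproduced here.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are randomised per connection, so JA3 drops them
# before hashing; otherwise one client would fingerprint differently each time.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def build_client_hello(ciphers, extensions):
    """Assemble a TLS record carrying a ClientHello from cipher ids and
    (type, data) extension tuples. Constructed sample input, not a capture."""
    body = struct.pack(">H", 0x0303)                      # client_version: TLS 1.2
    body += b"\x11" * 32                                  # random (fixed; not part of JA3)
    body += b"\x00"                                       # empty session_id
    body += struct.pack(">H", 2 * len(ciphers))
    body += b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                   # compression_methods: null only
    ext_blob = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext_blob)) + ext_blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def ja3(record):
    """Return (ja3_string, ja3_md5) for a TLS record containing a ClientHello.
    Fields: version,ciphers,extensions,supported_groups,ec_point_formats."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    data = record[9:9 + hs_len]
    pos = 0
    version = struct.unpack_from(">H", data, pos)[0]
    pos += 2 + 32                                         # skip random
    pos += 1 + data[pos]                                  # skip session_id
    cs_len = struct.unpack_from(">H", data, pos)[0]
    pos += 2
    ciphers = [struct.unpack_from(">H", data, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + data[pos]                                  # skip compression_methods
    ext_types, curves, formats = [], [], []
    if pos < len(data):                                   # extensions block is optional
        ext_len = struct.unpack_from(">H", data, pos)[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack_from(">HH", data, pos)
            pos += 4
            edata = data[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == 10:                               # supported_groups
                n = struct.unpack_from(">H", edata, 0)[0]
                curves = [struct.unpack_from(">H", edata, 2 + i)[0] for i in range(0, n, 2)]
            elif etype == 11:                             # ec_point_formats
                formats = list(edata[1:1 + edata[0]])

    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    ja3_string = ",".join([str(version), field(ciphers), field(ext_types),
                           field(curves), field(formats)])
    return ja3_string, hashlib.md5(ja3_string.encode()).hexdigest()


def sample_extensions(grease):
    """Extensions a browser-style client might send (assumed values);
    grease=True also injects a GREASE extension and a GREASE group."""
    groups = ([0x0a0a] if grease else []) + [0x001d, 0x0017]        # x25519, secp256r1
    exts = [(0x2a2a, b"\x00")] if grease else []
    sni = b"example.com"                                            # assumed hostname
    exts += [
        (0, struct.pack(">HBH", len(sni) + 3, 0, len(sni)) + sni),   # server_name
        (10, struct.pack(">H", 2 * len(groups)) + b"".join(struct.pack(">H", g) for g in groups)),
        (11, b"\x01\x00"),                                            # uncompressed points
        (13, b"\x00\x02\x04\x03"),                                    # ecdsa_secp256r1_sha256
        (43, b"\x02\x03\x04"),                                        # supported_versions: 1.3
        (0xff01, b"\x00"),                                            # renegotiation_info
    ]
    return exts


def fingerprint_sample(grease):
    """JA3 of the constructed ClientHello, with or without GREASE noise."""
    ciphers = ([0x0a0a] if grease else []) + [0x1301, 0x1302, 0xc02b]
    return ja3(build_client_hello(ciphers, sample_extensions(grease)))


if __name__ == "__main__":
    for grease in (False, True):
        ja3_string, digest = fingerprint_sample(grease)
        print(f"grease={grease}: {ja3_string} -> {digest}")
```

Running it shows the GREASE and non-GREASE ClientHellos collapse to the same fingerprint, which is the intended behaviour but also the reason a hash cannot distinguish an adware sample from any other application built on the same TLS stack. To confirm which library on the TV produces the flagged hash, feed the real ClientHello bytes from a capture to `ja3()` and compare the digest with the one in the rule. Until an upstream release disables the signature, a Suricata `threshold.config` entry of the form `suppress gen_id 1, sig_id 2028802, track by_dst, ip <address>` silences it for the listed CDN addresses without editing `emerging-ja3.rules`.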