Possible FP: ET JA3 Hash - [Abuse.ch] Possible Adwind

bigjohns97 · July 6, 2023, 3:49am

Getting a False Positive alert on the following rule.

alert tls $HOME_NET any → $EXTERNAL_NET any (msg:“ET JA3 Hash - [Abuse.ch] Possible Adwind”; ja3_hash; content:“d2935c58fe676744fecc8614ee5356c7”; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028763; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)

Have checked all of the hits and it’s my smart home controller going to api.amazon.com and api.amazonalexa.com

ishaughnessy · July 6, 2023, 3:50pm

hi @bigjohns97 - Welcome to the community and thank you for sending the FP our way! This signature will be removed in today’s release.

Thanks!
Isaac

bigjohns97 · July 6, 2023, 6:56pm

thanks for the quick response, I will keep an eye out for the update

samjenk · July 14, 2023, 12:28pm

This exchange shows how using tools like Suricata at home is a great way to hone one’s skills and contribute to the community. Thanks for reporting that, @bigjohns97, and welcome to the forum!

Topic		Replies	Views
Possible FP - JA3 Hash - [Abuse.ch] Possible Adware Rule Signatures etopen	1	265	August 1, 2023
Possible FP: ET MALWARE Sourtoff Receiving Simda Payload Rule Signatures etopen	4	249	July 7, 2023
SID 2012870 - Outbound Request contains pw Rule Signatures snort3 , false-positives	2	188	December 19, 2023
False positive on Android Trojan Rule Signatures suricata , false-positives	1	238	October 19, 2023
Addressing an FP: 2016950 - ET MALWARE Possible Win32/Hupigon ip.txt with a Non-Mozilla UA Rule Signatures etopen , false-positives , rule-analysis	0	166	October 2, 2023

Possible FP: ET JA3 Hash - [Abuse.ch] Possible Adwind

Related Topics