Possible FP: ET JA3 Hash - [Abuse.ch] Possible Adwind

Getting a False Positive alert on the following rule.

alert tls $HOME_NET any → $EXTERNAL_NET any (msg:“ET JA3 Hash - [Abuse.ch] Possible Adwind”; ja3_hash; content:“d2935c58fe676744fecc8614ee5356c7”; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028763; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)

Have checked all of the hits and it’s my smart home controller going to api.amazon.com and api.amazonalexa.com

1 Like

hi @bigjohns97 - Welcome to the community and thank you for sending the FP our way! This signature will be removed in today’s release.

Thanks!
Isaac

1 Like

thanks for the quick response, I will keep an eye out for the update

This exchange shows how using tools like Suricata at home is a great way to hone one’s skills and contribute to the community. Thanks for reporting that, @bigjohns97, and welcome to the forum!

1 Like