Possible FP - JA3 Hash - [Abuse.ch] Possible Adware

erenhelm · August 1, 2023, 6:07pm

We are receiving alerts on this:

alert tls $HOME_NET any → $EXTERNAL_NET any (msg:“ET JA3 Hash - [Abuse.ch] Possible Adware”; ja3_hash; content:“bc6c386f480ee97b9d9e52d472b772d8”; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028781; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)

We’ve identified it as legitimate traffic from a VDI reaching out to teams.microsoft.com

Let me know if there is a change I need to make on my end, or if you need any further information from me.

ishaughnessy · August 1, 2023, 6:53pm

Hi @erenhelm - Thanks for the FP report, this sig will be disabled in today’s release.

edit: Welcome to the community, we’re glad to have you here!

Thanks!
Isaac

Topic		Replies	Views
Possible FP: ET JA3 Hash - [Abuse.ch] Possible Adwind Feedback & Support etopen	3	515	July 14, 2023
Weekly Community Review - September 21, 2023 Announcements	0	288	September 22, 2023
FP on 2856495 - "ETPRO HUNTING If-Unmodified-Since Header with Microsoft BITS User-Agent" Rule Signatures false-positives	1	136	March 27, 2024
Weekly Community Review - September 27, 2023 Announcements	0	340	October 2, 2023
Weekly Community Review - February 10, 2023 Announcements	0	169	February 10, 2023

Possible FP - JA3 Hash - [Abuse.ch] Possible Adware

Related topics