Possible FP - JA3 Hash - [Abuse.ch] Possible Adware

We are receiving alerts on this:

alert tls $HOME_NET any → $EXTERNAL_NET any (msg:“ET JA3 Hash - [Abuse.ch] Possible Adware”; ja3_hash; content:“bc6c386f480ee97b9d9e52d472b772d8”; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028781; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)

We’ve identified it as legitimate traffic from a VDI reaching out to teams.microsoft.com

Let me know if there is a change I need to make on my end, or if you need any further information from me.

1 Like

Hi @erenhelm - Thanks for the FP report, this sig will be disabled in today’s release.

edit: Welcome to the community, we’re glad to have you here!


1 Like