JA3 Keywords
JA3 is an algorithm developed by Salesforce to fingerprint TLS endpoints based on metadata in their handshake.
More information about it can be found in this Salesforce Engineering blog post.
ja3.hash
Matches on the MD5 hash of the TLS client JA3 signature.
Example:
alert tls any any -> any any (classtype:misc-attack; \
msg:"content matching in ja3 fingerprint of a client"; \
ja3.hash; content:"68b329da9893e34099c7d8ad5cb9c940"; sid:1; rev:1;)
ja3.string is a sticky buffer which can only be used with a content field containing exactly 32 characters which cannot be negated.
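How the 32-character value matched by ja3.hash is derived, as an added example that is not part of the cognitix documentation: it builds the JA3 string from ClientHello fields, drops GREASE values, takes the MD5 hex digest and renders a rule in the form shown above. The ClientHello values, helper names and sid are constructed for illustration, and the content check assumes lowercase hex as in the example rule.

```python
import hashlib
import re

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa. JA3 ignores them
# because clients insert them at random, which would change the hash.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Build the JA3 string: five comma-separated fields, values dash-joined."""
    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), field(ciphers), field(extensions),
                     field(curves), field(point_formats)])


def ja3_hash(ja3):
    """MD5 hex digest of the JA3 string: always 32 hex characters."""
    return hashlib.md5(ja3.encode("ascii")).hexdigest()


def rule_for(digest, sid, msg):
    """Render a ja3.hash rule; reject content that is not 32 hex characters."""
    if not re.fullmatch(r"[0-9a-f]{32}", digest):
        raise ValueError("ja3.hash content must be exactly 32 hex characters")
    return (f'alert tls any any -> any any (msg:"{msg}"; '
            f'ja3.hash; content:"{digest}"; sid:{sid}; rev:1;)')


# Constructed ClientHello fields (not from a real capture); the 0x?a?a
# entries are GREASE values a browser might insert.
HELLO = dict(version=771, ciphers=[0x1A1A, 4865, 4866, 49195],
             extensions=[0x2A2A, 0, 10, 11, 13], curves=[0x3A3A, 29, 23],
             point_formats=[0])

if __name__ == "__main__":
    s = ja3_string(**HELLO)
    print(s)
    print(rule_for(ja3_hash(s), sid=1000001, msg="constructed JA3 example"))
```

Because the hash covers the exact order of ciphers and extensions, a client that reorders them produces a different fingerprint and needs its own rule.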
ja3s.hash
Matches on the MD5 hash of the TLS server JA3 signature.
Example:
alert tls any any -> any any (classtype:misc-attack; \
msg:"content matching in ja3 fingerprint of a server"; \
ja3s.hash; content:"68b329da9893e34099c7d8ad5cb9c940"; sid:1; rev:1;)
ja3s.string is a sticky buffer which can only be used with a content field containing exactly 32 characters which cannot be negated.
cognitix Threat Defender also supports the deprecated ja3_hash keyword, but we do not recommend using it.