JA3 Keywords

JA3 is an algorithm developed by Salesforce to fingerprint TLS endpoints based on metadata in their handshake.

More information about it can be found in this Salesforce Engineering blog post.

ja3.hash

Matches on the MD5 hash of the TLS client JA3 signature.

Example:

alert tls any any -> any any (classtype:misc-attack; \
msg:"content matching in ja3 fingerprint of a client"; \
ja3.hash; content:"68b329da9893e34099c7d8ad5cb9c940"; sid:1; rev:1;)

ja3.string is a sticky buffer that can only be used with a content field containing exactly 32 characters, and that content cannot be negated.

ja3s.hash

Matches on the MD5 hash of the TLS server JA3 signature.

Example:

alert tls any any -> any any (classtype:misc-attack; \
msg:"content matching in ja3 fingerprint of a server"; \
ja3s.hash; content:"68b329da9893e34099c7d8ad5cb9c940"; sid:1; rev:1;)

ja3s.string is a sticky buffer that can only be used with a content field containing exactly 32 characters, and that content cannot be negated.

cognitix Threat Defender also supports the deprecated ja3_hash keyword, but we do not recommend using it.
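
Added example (not part of the cognitix Threat Defender documentation): how the 32-character value matched by ja3.hash and ja3s.hash is derived from handshake fields, and a check that a digest has the required length before it is placed in a rule. It assumes the published JA3 method (decimal field values, GREASE values dropped, MD5 over the resulting string); the function names, the msg text and the sample handshake values are constructed for illustration.

```python
import hashlib
import re

# GREASE placeholder values (RFC 8701): 0x0A0A, 0x1A1A, ... 0xFAFA. JA3 skips them.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

def _join(values):
    """Dash-join decimal values, dropping GREASE entries."""
    return "-".join(str(v) for v in values if v not in GREASE)

def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Client signature: version,ciphers,extensions,curves,point formats."""
    return ",".join([str(version), _join(ciphers), _join(extensions),
                     _join(curves), _join(point_formats)])

def ja3s_string(version, cipher, extensions):
    """Server signature: version,selected cipher,extensions."""
    return ",".join([str(version), str(cipher), _join(extensions)])

def ja3_hash(signature):
    """MD5 hex digest of the signature: the 32 characters a rule matches on."""
    return hashlib.md5(signature.encode("ascii")).hexdigest()

def hash_rule(keyword, digest, sid):
    """Build a rule in the page's format, refusing content that is not 32 hex chars."""
    if keyword not in ("ja3.hash", "ja3s.hash"):
        raise ValueError(f"unsupported keyword: {keyword}")
    if not re.fullmatch(r"[0-9a-fA-F]{32}", digest):
        raise ValueError("content must be exactly 32 hexadecimal characters")
    # Assumption: lowercase digest, as in the page's examples.
    return (f'alert tls any any -> any any (classtype:misc-attack; '
            f'msg:"{keyword} match"; {keyword}; '
            f'content:"{digest.lower()}"; sid:{sid}; rev:1;)')

# Constructed ClientHello fields (not a real capture); 0x1A1A etc. are GREASE.
SAMPLE_CLIENT = dict(version=771, ciphers=[0x1A1A, 4865, 4866, 49195],
                     extensions=[0x2A2A, 0, 10, 11, 23],
                     curves=[0x3A3A, 29, 23], point_formats=[0])

if __name__ == "__main__":
    sig = ja3_string(**SAMPLE_CLIENT)
    print(sig)
    print(hash_rule("ja3.hash", ja3_hash(sig), sid=1000001))
```

Because GREASE values are removed before hashing, the same client produces the same digest across connections even though it randomizes those placeholders.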