zeek_ja3_fingerprints
Extract and analyze JA3/JA3S TLS fingerprints from SSL logs to identify client TLS implementations and detect known malicious fingerprints.
Instructions
Extract and analyze JA3/JA3S TLS fingerprints from SSL logs. Identifies client TLS implementations and can detect known malicious fingerprints. JA3 fingerprints persist even when domains/IPs change, making them valuable for tracking threat actors.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| dstIp | No | Filter by destination IP | |
| limit | No | Max records to analyze | |
| srcIp | No | Filter by source IP | |
| timeTo | No | End time (ISO 8601) | |
| ja3Hash | No | Search for specific JA3 hash | |
| timeFrom | No | Start time (ISO 8601) | |
| serverName | No | Filter by SNI hostname |