I am running Suricata in my home. Recently my daughter connected us with a Samsung Q80A 55" TV. It's nice, until I noticed that it is throwing Malicious JA3 SSL-Client Fingerprint (CoinMiner).
Has anyone else detected this?
I don't know if there was a software update performed or not.
I am concerned about the opportunities which can exist in our home as well.
I’ve never owned a Samsung TV (or device before), and I am concerned about their ability to perform CoinMining in my Home (I’ve had it 10 years ago).
Do you happen to have the SID for this rule? I can’t seem to find it, was going to try looking up the hash and doing some research myself. If you can provide the JA3 hash/string this rule matching on, that’d be great.
I’ve found ja3er.com to be useful in helping determine how unique a JA3 hash is.
In general I’d say that JA3 hashes are likely to cause false positives, especially when used as the sole indicator of maliciousness. Because of the reuse of many TLS Libraries, overlaps are pretty common.
It is looking for the hash of 40adfd923eb82b89d8836ba37a19bca1. Details of this hash, and associated samples, can be found on abuse.ch's JA3 page.
You might be able to find additional context from the details in the logs. For instance, are there any corresponding TLS events which contain the same IP address? If you can tie the destination IP address in the alert to a domain name or TLS certificate, you might learn some valuable context to help determine if it is a true positive or a false positive.
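The correlation suggested in the reply above can be scripted against Suricata's eve.json. The following is an added example, not code from the thread or from the Suricata project: it reads EVE records, and for each JA3 alert looks for TLS context first embedded in the alert itself (present when Suricata's app-layer metadata logging is enabled), then in the tls event of the same flow_id, and finally in any tls event to the same destination IP. It then groups the SNI and certificate subjects seen per fingerprint, so a hash that a device uses for many of its vendor's hostnames stands out as a library fingerprint rather than a single suspect connection. The log lines are constructed for the example; the JA3 hash is the one cited in the thread, while the sid, IPs and hostnames are placeholders.

```python
import json
from collections import defaultdict

# Constructed eve.json sample (not real logs). Flow 1001 has a tls event on the
# same flow, flow 1002 only has a tls event to the same destination IP on another
# flow (1003), and flow 1004 has no TLS context at all.
SAMPLE_EVE = r'''
{"timestamp":"2021-10-01T20:15:02.101+0000","flow_id":1001,"event_type":"alert","src_ip":"192.168.1.50","src_port":49152,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"signature":"Malicious JA3 SSL-Client Fingerprint (CoinMiner)","category":"Crypto Currency Mining Activity Detected","severity":1}}
{"timestamp":"2021-10-01T20:15:02.110+0000","flow_id":1001,"event_type":"tls","src_ip":"192.168.1.50","src_port":49152,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","tls":{"subject":"CN=updates.tv-vendor.example","issuerdn":"CN=Example Root CA","sni":"updates.tv-vendor.example","version":"TLS 1.2","ja3":{"hash":"40adfd923eb82b89d8836ba37a19bca1"}}}
{"timestamp":"2021-10-01T20:15:03.500+0000","flow_id":1002,"event_type":"alert","src_ip":"192.168.1.50","src_port":49153,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"signature":"Malicious JA3 SSL-Client Fingerprint (CoinMiner)","category":"Crypto Currency Mining Activity Detected","severity":1}}
{"timestamp":"2021-10-01T20:15:04.000+0000","flow_id":1003,"event_type":"tls","src_ip":"192.168.1.50","src_port":49154,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","tls":{"subject":"CN=cdn.tv-vendor.example","issuerdn":"CN=Example Root CA","sni":"cdn.tv-vendor.example","version":"TLS 1.2","ja3":{"hash":"40adfd923eb82b89d8836ba37a19bca1"}}}
{"timestamp":"2021-10-01T20:15:05.000+0000","flow_id":1004,"event_type":"alert","src_ip":"192.168.1.50","src_port":49155,"dest_ip":"192.0.2.9","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"signature":"Malicious JA3 SSL-Client Fingerprint (CoinMiner)","category":"Crypto Currency Mining Activity Detected","severity":1}}
'''


def parse_eve(text):
    """Parse EVE JSON lines, skipping blank or truncated lines (a live log may end mid-record)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def index_tls(events):
    """Index tls events by flow_id and by destination IP for lookup."""
    by_flow, by_dest = {}, defaultdict(list)
    for ev in events:
        if ev.get("event_type") == "tls":
            by_flow[ev.get("flow_id")] = ev
            by_dest[ev.get("dest_ip")].append(ev)
    return by_flow, by_dest


def enrich_alerts(events, signature_substring="JA3"):
    """Attach SNI / certificate context to each matching alert, recording where it came from."""
    by_flow, by_dest = index_tls(events)
    rows = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert", {})
        if signature_substring not in alert.get("signature", ""):
            continue
        if "tls" in ev:                       # app-layer metadata embedded in the alert
            tls, source = ev["tls"], "embedded"
        elif ev.get("flow_id") in by_flow:    # tls event on the same flow
            tls, source = by_flow[ev["flow_id"]]["tls"], "same_flow"
        elif by_dest.get(ev.get("dest_ip")):  # weaker: any tls event to the same dest IP
            tls, source = by_dest[ev["dest_ip"]][0]["tls"], "same_dest_ip"
        else:
            tls, source = {}, None
        rows.append({
            "flow_id": ev.get("flow_id"),
            "sid": alert.get("signature_id"),
            "signature": alert.get("signature"),
            "dest_ip": ev.get("dest_ip"),
            "context_source": source,
            "sni": tls.get("sni"),
            "subject": tls.get("subject"),
            "issuerdn": tls.get("issuerdn"),
            "ja3_hash": tls.get("ja3", {}).get("hash"),
        })
    return rows


def summarize_by_fingerprint(rows):
    """Map each JA3 hash to the set of SNI names it was seen with; many vendor
    hostnames behind one hash points at a shared TLS library, not a single miner."""
    seen = defaultdict(set)
    for r in rows:
        if r["ja3_hash"] and r["sni"]:
            seen[r["ja3_hash"]].add(r["sni"])
    return dict(seen)


if __name__ == "__main__":
    rows = enrich_alerts(parse_eve(SAMPLE_EVE))
    for r in rows:
        print(f"flow {r['flow_id']} -> {r['dest_ip']} context={r['context_source']} "
              f"sni={r['sni']} subject={r['subject']} issuer={r['issuerdn']}")
    for h, names in summarize_by_fingerprint(rows).items():
        print(f"JA3 {h} seen with {len(names)} hostname(s): {sorted(names)}")
```

Run it against a real file by replacing SAMPLE_EVE with the contents of /var/log/suricata/eve.json; alerts whose only context comes from another flow to the same IP (same_dest_ip) deserve more scrutiny than those with a tls record on the same flow, and alerts with no context at all are where a packet capture of the next connection helps most.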