Samsung Q80A TV & JA3 SSL-Client fingerprint

I am running Suricata in my home. Recently my daughter connected us with a Samsung Q80A 55" TV. It’s nice, until I noticed that it is throwing Malicious JA3 SSL-Client Fingerprint (CoinMiner).

Has anyone else detected this?

I don’t know if there was a software update performed or not.

I am concerned about the opportunities which can exist in our home as well.

I’ve never owned a Samsung TV (or device before), and I am concerned about their ability to perform CoinMining in my Home (I’ve had it 10 years ago).

My suggestion has nothing to do with Suricata – it’s correctly identifying activity and bringing it to your attention.

Disable/block the network connection for the TV. Suggest one of the many capable devices that provide streaming entertainment – Roku, Apple TV, etc.

Do you happen to have the SID for this rule? I can’t seem to find it; I was going to try looking up the hash and doing some research myself. If you can provide the JA3 hash/string this rule is matching on, that’d be great.

I’ve found ja3er.com to be useful in helping determine how unique a JA3 hash is.

In general I’d say that JA3 hashes are likely to cause false positives, especially when used as the sole indicator of maliciousness. Because of the reuse of many TLS Libraries, overlaps are pretty common.

The SID is 906200068.

Can a fingerprint actually be faked? I think that a lot of biometrics will have problems.

I believe that the Roku devices I have seen in my home are not as safe as you would think.

This rule appears to be from the Abuse.ch JA3 rules.

It is looking for the hash 40adfd923eb82b89d8836ba37a19bca1. Details of this hash, and associated samples, can be found on abuse.ch’s JA3 page.

You might be able to find additional context from the details in the logs. For instance, are there any corresponding TLS events which contain the same IP address? If you can tie the destination IP address in the alert to a domain name or TLS certificate, you might learn some valuable context to help determine whether it is a true positive or a false positive.
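The correlation step described in the reply above, and the earlier point that a JA3 hash shared by many TLS libraries is a weak indicator on its own, can both be done against Suricata's eve.json output. The following is an added example, not code from the thread or from Suricata: it parses a few constructed eve.json lines, pulls the TLS events that share the alert's flow_id (falling back to the same source/destination IP pair), and reports how many distinct clients and SNIs use the same JA3 hash. Only the SID 906200068, the hash 40adfd923eb82b89d8836ba37a19bca1 and the signature name come from the thread; every IP address, hostname and timestamp in the sample data is made up.

```python
"""Correlate a Suricata JA3 alert with TLS events in the same eve.json stream.
Added example; not from the forum thread or from Suricata."""
import json
from collections import defaultdict

# Constructed eve.json lines. The SID, signature name and JA3 hash are the ones
# discussed in the thread; IPs, hostnames and timestamps are invented.
SAMPLE_EVE = r'''
{"timestamp":"2021-11-01T20:15:01.000000+0000","flow_id":1001,"event_type":"alert","src_ip":"192.168.1.50","src_port":49152,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","alert":{"signature_id":906200068,"rev":1,"signature":"Malicious JA3 SSL-Client Fingerprint (CoinMiner)"}}
{"timestamp":"2021-11-01T20:15:01.050000+0000","flow_id":1001,"event_type":"tls","src_ip":"192.168.1.50","src_port":49152,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","tls":{"sni":"cdn.tv-vendor.invalid","subject":"CN=cdn.tv-vendor.invalid","issuer":"CN=Example CA","version":"TLS 1.2","ja3":{"hash":"40adfd923eb82b89d8836ba37a19bca1"}}}
{"timestamp":"2021-11-01T20:16:10.000000+0000","flow_id":1002,"event_type":"tls","src_ip":"192.168.1.50","src_port":49153,"dest_ip":"203.0.113.20","dest_port":443,"proto":"TCP","tls":{"sni":"updates.tv-vendor.invalid","subject":"CN=updates.tv-vendor.invalid","issuer":"CN=Example CA","version":"TLS 1.2","ja3":{"hash":"40adfd923eb82b89d8836ba37a19bca1"}}}
{"timestamp":"2021-11-01T20:17:30.000000+0000","flow_id":2001,"event_type":"tls","src_ip":"192.168.1.60","src_port":51000,"dest_ip":"198.51.100.5","dest_port":443,"proto":"TCP","tls":{"sni":"mail.example.invalid","subject":"CN=mail.example.invalid","issuer":"CN=Other CA","version":"TLS 1.3","ja3":{"hash":"ffffffffffffffffffffffffffffffff"}}}
'''


def parse_eve(text):
    """Parse newline-delimited eve.json, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def correlate_alert(events, sid):
    """For every alert with the given SID, return the SNI / certificate context
    from TLS events on the same flow_id; if no TLS event shares the flow, fall
    back to TLS events between the same source and destination IP."""
    tls_by_flow = defaultdict(list)
    tls_by_pair = defaultdict(list)
    for ev in events:
        if ev.get("event_type") == "tls":
            tls_by_flow[ev.get("flow_id")].append(ev)
            tls_by_pair[(ev.get("src_ip"), ev.get("dest_ip"))].append(ev)

    results = []
    for ev in events:
        if ev.get("event_type") != "alert" or ev["alert"].get("signature_id") != sid:
            continue
        matches = (tls_by_flow.get(ev.get("flow_id"))
                   or tls_by_pair.get((ev["src_ip"], ev["dest_ip"]))
                   or [])
        for tls_ev in matches:
            tls = tls_ev["tls"]
            results.append({
                "src_ip": ev["src_ip"],
                "dest_ip": ev["dest_ip"],
                "sni": tls.get("sni"),
                "subject": tls.get("subject"),
                "issuer": tls.get("issuer"),
                "ja3": tls.get("ja3", {}).get("hash"),
                "matched_by": "flow_id" if tls_ev.get("flow_id") == ev.get("flow_id") else "ip_pair",
            })
    return results


def ja3_spread(events, ja3_hash):
    """Show how widely a JA3 hash is used on this network: the distinct client
    IPs and SNIs it appears with. A hash that one device uses against its own
    vendor's hostnames reads very differently from one that only shows up on
    odd destinations."""
    clients, snis = set(), set()
    for ev in events:
        if ev.get("event_type") != "tls":
            continue
        if ev["tls"].get("ja3", {}).get("hash") != ja3_hash:
            continue
        clients.add(ev["src_ip"])
        if ev["tls"].get("sni"):
            snis.add(ev["tls"]["sni"])
    return {"clients": sorted(clients), "snis": sorted(snis)}


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE)
    for ctx in correlate_alert(evs, 906200068):
        print(ctx)
    print(ja3_spread(evs, "40adfd923eb82b89d8836ba37a19bca1"))
```

Run it against a real eve.json by replacing `SAMPLE_EVE` with the file contents; the `tls` event type must be enabled in the eve-log output for the join on `flow_id` to have anything to match.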

These aren’t those kind of fingerprints.