This repository is a compiled list of JA3 hashes that can be used to build a master SSL blacklist for offline analyzer use within Security Onion. Adding a local file to the sensoroni pillar in the Configuration interface allows analysts who don't have access to the internet to determine whether JA3 hashes are known to be malicious.
This list can produce false positive results; be cautious about raising the red flag or calling for reinforcements. Always conduct further investigation to validate results before implementing your Incident Response procedures.
Entries for the master blacklist and sublists can be found at the following locations.
- abuse.ch: https://sslbl.abuse.ch/blacklist/
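
The offline lookup described above, as an added example (not code from this repository): it merges CSV sublists into one master mapping and reports which sublists list a given hash, which helps when validating a hit. The column layout (hash, first seen, last seen, reason), the list names and the JA3 strings are assumptions constructed for the example.

```python
import csv
import hashlib
import re

JA3_RE = re.compile(r"^[0-9a-f]{32}$")  # a JA3 hash is an MD5 hex digest


def ja3_hash(ja3_string):
    """MD5 of the JA3 string (version,ciphers,extensions,curves,point formats)."""
    return hashlib.md5(ja3_string.encode("ascii")).hexdigest()


def load_sublist(text):
    """Yield (hash, reason) from CSV text; assumed columns: hash,first,last,reason."""
    lines = (ln for ln in text.splitlines() if ln and not ln.startswith("#"))
    for row in csv.reader(lines):
        digest = row[0].strip().lower()
        if not JA3_RE.match(digest):
            continue  # skips the header row and malformed entries
        yield digest, (row[3].strip() if len(row) > 3 else "unknown")


def build_master(sublists):
    """Merge sublists into one dict: hash -> set of (source, reason)."""
    master = {}
    for source, text in sublists.items():
        for digest, reason in load_sublist(text):
            master.setdefault(digest, set()).add((source, reason))
    return master


def lookup(master, digest):
    """Return sorted listings for a hash, or [] when it is not on the list."""
    return sorted(master.get(digest.strip().lower(), ()))


# Constructed sample data: these JA3 strings are made up, not real indicators.
BAD = ja3_hash("771,4865-4866-4867,0-23-65281,29-23-24,0")
CLEAN = ja3_hash("771,49195-49199,0-10-11,23-24,0")
SUBLISTS = {
    "list-a": "# constructed sample\nja3_md5,Firstseen,Lastseen,Listingreason\n"
              f"{BAD},2020-01-01,2020-02-01,ExampleFamily\n",
    "list-b": f"{BAD.upper()},2021-01-01,2021-01-02,OtherLabel\nnot-a-hash,,,\n",
}
MASTER = build_master(SUBLISTS)

if __name__ == "__main__":
    for name, digest in (("bad", BAD), ("clean", CLEAN)):
        print(name, digest, lookup(MASTER, digest) or "not listed")
```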