
Many sites have written about this TLS/SSL fingerprinting method.

JA3 and JA3S are passive fingerprints, whereas JARM is an active fingerprint.

More details on this by John Althouse himself here:

I decided to add JA3 and JA3S to my Bro/Zeek installation/detection threat hunting tools.

On the server that is running the SPAN port and the RITA tool, I’m adding the ja3 package.

pip3 install bro-pkg

zkg list ja3 returns:

zeek/hosom/bro-ja3 – Generate and log ja3 ssl fingerprints
zeek/salesforce/ja3 – JA3 creates 32 character SSL client fingerprints and logs them as a field in ssl.log.

zkg install zeek/salesforce/ja3

That’s it. Now the ssl.log file will contain two more columns, JA3 and JA3S.
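One way to hunt with the two new columns, as an added example that is not part of the original post or of the ja3 package: it reads an ssl.log in Zeek's TSV format, groups connections by (JA3, JA3S) pair and returns the pairs used by very few internal hosts. It assumes the columns are named ja3 and ja3s in the #fields header; the log lines and hash values are constructed placeholders.

```python
from collections import defaultdict

# Constructed ssl.log sample (Zeek TSV). Addresses are documentation ranges and
# the ja3/ja3s values are made-up 32-character placeholders, not real hashes.
A, B, C, D = "a" * 32, "b" * 32, "c" * 32, "d" * 32
SAMPLE = "\n".join([
    "#separator \\x09",
    "#fields\tts\tid.orig_h\tid.resp_h\tserver_name\tja3\tja3s",
    "#types\ttime\taddr\taddr\tstring\tstring\tstring",
    f"1600000000.1\t10.0.0.5\t192.0.2.10\twww.example.com\t{A}\t{B}",
    f"1600000001.2\t10.0.0.6\t192.0.2.10\twww.example.com\t{A}\t{B}",
    f"1600000002.3\t10.0.0.7\t192.0.2.10\twww.example.com\t{A}\t{B}",
    f"1600000003.4\t10.0.0.9\t203.0.113.50\t-\t{C}\t{D}",
    f"1600000063.4\t10.0.0.9\t203.0.113.50\t-\t{C}\t{D}",
    "1600000070.0\t10.0.0.5\t192.0.2.20\t-\t-\t-",  # no fingerprint logged
])


def read_zeek_tsv(text):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record seen before #fields header")
            yield dict(zip(fields, line.split("\t")))


def ja3_pairs(text):
    """Group connections by (ja3, ja3s) and collect who used each pair."""
    stats = defaultdict(lambda: {"conns": 0, "clients": set(), "servers": set()})
    for rec in read_zeek_tsv(text):
        ja3 = rec.get("ja3", "-")
        if ja3 in ("-", ""):  # "-" is Zeek's default marker for an unset field
            continue
        entry = stats[(ja3, rec.get("ja3s", "-"))]
        entry["conns"] += 1
        entry["clients"].add(rec["id.orig_h"])
        entry["servers"].add(rec["id.resp_h"])
    return dict(stats)


def rare_pairs(text, max_clients=1):
    """Pairs seen from at most max_clients hosts: the ones worth a closer look."""
    pairs = ja3_pairs(text)
    return sorted(p for p, s in pairs.items() if len(s["clients"]) <= max_clients)


if __name__ == "__main__":
    for pair in rare_pairs(SAMPLE):
        print(pair, ja3_pairs(SAMPLE)[pair])
```

A rare pair is only a lead: a JA3 hash identifies a TLS client stack, not a specific program, so unrelated software can share one.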

JARM, in a nutshell, is active scanning. It sends 10 different TLS Hellos and generates a hash depending on how the server answers the ciphers proposed.

Source code here: or via Gitpod

Shodan has now integrated the JARM scanner results, which can be used, for example, to find the CobaltStrike JARM signature.