JARM
The JARM module attempts to actively fingerprint an SSL/TLS server via a series of TLS Client Hello packets to extract specific responses that can be used to quickly identify default applications or malware.
JARM Request Example
curl -v -L https://api.binaryedge.io/v1/tasks -d '{"type":"scan", "options":[{"targets":["X.X.X.X"], "ports":[{"port":443, "protocol":"tcp", "modules":["jarm"]}]}]}' -H "X-Token:<Token>"
Schema
JARM Event Schema
{
...
"result": {
"data": {
"jarm": "string",
"jarm_hash": "string"
}
...
}
Contents of the fields
- jarm - JARM is a method for creating SSL/TLS fingerprints for threat intelligence, based information extracted from the server response to a TLS Client Hello. See https://github.com/salesforce/jarm for details
- jarm_bash - fuzzy hash fingerprint using the extracted information from
jarm
JARM Event Example
{
...
"result": {
"data": {
"jarm": "c02b|0303|h2|0000-0017-ff01-000b-0023-0010,cc14|0303|h2|0000-0017-ff01-000b-0023-0010,cc14|0303|h2|0000-0017-ff01-000b-0023-0010,|||,cc14|0303||0000-0017-ff01-000b-0023,c009|0302|h2|0000-0017-ff01-000b-0023-0010,1302|0303||0033-002b,1303|0303||0033-002b,|||,1301|0303||0033-002b",
"jarm_hash": "27d3ed3ed0003ed1dc42d43d00041d6183ff1bfae51ebd88d70384363d525c"
}
...
}