False positive: b9103d9d134e0c59cafbe4ae0a8299a8 + suggestions

[jmlynch]

1.) Thanks for open sourcing this work!

2.) Deployed this out on multiple sensors and am getting some False Positives for b9103d9d134e0c59cafbe4ae0a8299a8 on legit OWA traffic. Thought you might like to know/update the file etc.

3.) Suggestion: Add a confidence rating and/or "last seen confirmed True Positive" date/timestamp field that individuals might contribute to.

[trisulnsm]

Thanks for reporting.

We need a way to curate this list I suppose. The fingerprints on this page are from LeeBrothersons work.

BTW, I noticed the fingerprint in question is very short "768,5-10-19-4-255,,,
This is likely to trigger false positives because it is likely a older version of SSL with no extensions or support for Elliptic curves and only legacy Cipher suites. We're unlikely to see much entropy here.

I really like your idea about confidence rating.