A simple, dirty bash script that sets up Bro, the JA3 script for Bro, and Nginx, which together can be used as a simple honeypot to capture JA3 hashes (SSL/TLS client fingerprints).
Alternatively, you can use @Andrew___Morris's one-liner to skim JA3 SSL fingerprints directly off the wire using tcpdump and some bash redirection:
```bash
tcpdump -w - -s 0 -i en0 -n -U | python -u ja3.py -a -j /dev/stdin
```
- JA3 - A method for profiling SSL/TLS Clients
- Splunk to CSV script
- Enrich the collected data
- Visualization script
- Complete the documentation and analysis report