Just Another Ruby Mod (JARM) is a tool that identifies TLS servers based on their behavior and configuration, helping security teams identify servers with outdated or insecure TLS configurations. JARM works by sending a series of TLS messages to a server and analyzing the server's response. The tool then generates a unique fingerprint from the response, which can be used to identify the server even if it uses a different IP address or domain name.
Silent Push lets you search our daily scans of the Internet's IPv4 range for JARM data. By comparing the JARM fingerprint of a server against a database of known malicious fingerprints, security teams can quickly identify potential threats and malicious servers engaged in phishing and/or malware operations, and take appropriate action.
JARM fingerprints also enable threat analysts to identify traffic patterns and connections across various attack vectors and pinpoint the infrastructure and resources used by specific threat actors.
JARM Data
From the left navigation menu, select Advanced Query Builder > IPv4 Queries > Scan Data - JARM Usage.
Specify an IPv4 address.
(Optional) Add a netmask for a range.
(Optional) Enter a jarm_hash.
(Optional) Set a window (days) for recent results.
(Optional) Skip results.
Click Search.
Save Query
Specify query parameters.
Click Save Query.
Provide a Name and Description for context.
Click Save. The query appears in Private Queries.