John Althouse
Dec 10, 2020


Great question. Thanks for bringing it up; I should have made it more clear. JA3 is a passive fingerprint for TLS clients, that is, it listens to the network traffic and passively fingerprints the client based on what it sees. JA3S does the same thing for the server side of that communication, just passively building a fingerprint based on the connections happening. JA3S is unable to fingerprint the server application itself, only the connection, because of how TLS handshakes work. However, combining JA3 + JA3S together on the same connection fingerprints the connection between a client and its server. This has been great for identifying when Python Empire malware connects to its C2 server, for example.

JARM actively scans the server and builds a fingerprint of the server application. Whereas JA3/S is passive, just listening, not reaching out, JARM is active, actively probing the target, and is able to build a fingerprint of the server application where JA3S could not. Hope that helps.

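The point in the reply above, that JA3S depends on what the client offered and so identifies the connection rather than the server, shown as an added example (not part of the original reply and not the JA3 project's code). The JA3/JA3S string layout is the published one; `toy_server_hello`, the client and server field values, and the watchlist label are constructed assumptions.

```python
import hashlib

# GREASE values (RFC 8701) change per connection, so JA3 leaves them out.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

def _join(values):
    return "-".join(str(v) for v in values if v not in GREASE)

def ja3(version, ciphers, extensions, curves, point_formats):
    """MD5 of the ClientHello fields, decimal, in the order they were sent."""
    fields = [str(version), _join(ciphers), _join(extensions),
              _join(curves), _join(point_formats)]
    return hashlib.md5(",".join(fields).encode()).hexdigest()

def ja3s(version, cipher, extensions):
    """MD5 of the ServerHello version, chosen cipher and extensions."""
    fields = [str(version), str(cipher), _join(extensions)]
    return hashlib.md5(",".join(fields).encode()).hexdigest()

def toy_server_hello(prefs, supported_exts, client):
    """Assumed, simplified server: picks its most-preferred cipher that the
    client offered and answers only extensions the client sent."""
    cipher = next(c for c in prefs if c in client["ciphers"])
    exts = [e for e in supported_exts if e in client["extensions"]]
    return 771, cipher, exts

def observe(client, prefs, supported_exts):
    """What a passive sensor records for one connection: (JA3, JA3S)."""
    hello = toy_server_hello(prefs, supported_exts, client)
    return (ja3(771, client["ciphers"], client["extensions"],
                client["curves"], client["point_formats"]), ja3s(*hello))

# Constructed sample data: two different clients, one and the same server.
CLIENT_A = {"ciphers": [0x1A1A, 49195, 49199, 156],
            "extensions": [0, 23, 65281, 10, 11],
            "curves": [29, 23, 24], "point_formats": [0]}
CLIENT_B = {"ciphers": [49200, 157, 53], "extensions": [0, 10, 11, 35],
            "curves": [23, 24], "point_formats": [0]}
SERVER_PREFS = [49200, 49199, 49195, 157, 156, 53]
SERVER_EXTS = [65281, 0, 11, 35, 23]

PAIR_A = observe(CLIENT_A, SERVER_PREFS, SERVER_EXTS)
PAIR_B = observe(CLIENT_B, SERVER_PREFS, SERVER_EXTS)
WATCHLIST = {PAIR_A: "constructed label: client A talking to this server"}

def match(pair):
    """Alert only when both halves of the connection fingerprint agree."""
    return WATCHLIST.get(pair)
```

The same server yields a different JA3S for each client, so `PAIR_A[1]` alone is not a server identity, while the `(JA3, JA3S)` pair stays stable across reconnects of the same client.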