SNI and ALPN in JA4_ro extension list #40

Closed
satta opened this issue Dec 29, 2023 · 3 comments
satta commented Dec 29, 2023

I am wondering whether JA4_ro should or should not contain the SNI and/or ALPN extensions. In the Markdown spec (https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md#raw-output), the 0010 and 0000 values are listed as part of JA4_ro:

JA4_ro = t13d1516h2_1301,1302,1303,c02b,c02f,c02c,c030,cca9,cca8,c013,c014,009c,009d,002f,0035_001b,0000,0033,0010,4469,0017,002d,000d,0005,0023,0012,002b,ff01,000b,000a,0015_0403,0804,0401,0503,0805,0501,0806,0601

while, for instance, the Rust reference implementation as well as the Zeek one (https://github.com/FoxIO-LLC/ja4/blob/main/zeek/ja4.zeek#L162) seem to always skip these.

Is the example in the Markdown documentation wrong? It would be helpful if the spec would clarify whether these two extensions are always to be excluded or whether they should just be excluded from the sorted extension list.

@john-althouse john-althouse self-assigned this Jan 2, 2024
@john-althouse
Collaborator

Thank you! This is my mistake. The "o" option is intended to output the original values in the original order, less GREASE values.

These values are omitted from the regular JA4 so that the same application would have the same b and c sections of the fingerprint regardless of if it were going to a domain, IP, or changing ALPNs.

However, JA4_o and JA4_ro are intended to be used for deep-dive type of investigations and troubleshooting, therefore the values should remain. I will update the spec with this information and will do the same with JA4H as well.
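
The distinction described in the comment above, as an added example that is not part of the original thread and is not the project's own code: the sorted form drops SNI (0000) and ALPN (0010) before sorting, while the original-order form keeps every extension in wire order, and both drop GREASE. The function names are hypothetical, the `a` section is copied from the issue rather than computed, the GREASE values in the sample input are constructed, and GREASE detection assumes the RFC 8701 value pattern.

```python
# Added example: sorted (JA4 / JA4_r) vs. original-order (JA4_o / JA4_ro)
# handling of the cipher and extension lists, per the clarification above.

SNI = 0x0000
ALPN = 0x0010


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values: 0x0a0a, 0x1a1a, ..., 0xfafa."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def cipher_list(ciphers, original_order):
    kept = [c for c in ciphers if not is_grease(c)]
    if not original_order:
        kept.sort()
    return ",".join(f"{c:04x}" for c in kept)


def extension_list(extensions, original_order):
    kept = [e for e in extensions if not is_grease(e)]
    if not original_order:
        # Sorted form: SNI and ALPN are left out so the same client yields
        # the same section whether it connects to a domain or a bare IP.
        kept = sorted(e for e in kept if e not in (SNI, ALPN))
    return ",".join(f"{e:04x}" for e in kept)


def raw_fingerprint(a_section, ciphers, extensions, sig_algs, original_order):
    # Signature algorithms stay in wire order in both forms.
    sigs = ",".join(f"{s:04x}" for s in sig_algs if not is_grease(s))
    return "_".join([a_section,
                     cipher_list(ciphers, original_order),
                     extension_list(extensions, original_order),
                     sigs])


# Constructed input: the values from the JA4_ro string quoted in the issue,
# with GREASE entries (0x1a1a, 0x3a3a, 0x2a2a) added to show they are dropped.
A_SECTION = "t13d1516h2"  # taken from the issue as-is, not computed here
CIPHERS = [0x1A1A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0xC02C, 0xC030,
           0xCCA9, 0xCCA8, 0xC013, 0xC014, 0x009C, 0x009D, 0x002F, 0x0035]
EXTENSIONS = [0x3A3A, 0x001B, 0x0000, 0x0033, 0x0010, 0x4469, 0x0017, 0x002D,
              0x000D, 0x0005, 0x0023, 0x0012, 0x002B, 0xFF01, 0x000B, 0x000A,
              0x0015, 0x2A2A]
SIG_ALGS = [0x0403, 0x0804, 0x0401, 0x0503, 0x0805, 0x0501, 0x0806, 0x0601]

if __name__ == "__main__":
    print("JA4_ro =", raw_fingerprint(A_SECTION, CIPHERS, EXTENSIONS, SIG_ALGS, True))
    print("JA4_r  =", raw_fingerprint(A_SECTION, CIPHERS, EXTENSIONS, SIG_ALGS, False))
```

When comparing implementations, a mismatch confined to the extension section of the `_o`/`_ro` output is the symptom of the older behaviour discussed in this issue.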

@john-althouse john-althouse added the documentation Improvements or additions to documentation label Jan 2, 2024
@john-althouse
Collaborator

Specs updated. We'll work on updating the code.

@satta
Author

satta commented Jan 3, 2024

Thanks for the changes to the spec, this makes it much clearer. Will adapt my implementation.

vvv added a commit to vvv/ja4 that referenced this issue Jan 4, 2024
Include SNI (0000) and ALPN (0010) in `ja4_o` and `ja4_ro` output.

Context: FoxIO-LLC#40 (comment)
igr001-galactica pushed a commit that referenced this issue Jan 4, 2024
* JA4: Include SNI and ALPN in the "original" outputs

Include SNI (0000) and ALPN (0010) in `ja4_o` and `ja4_ro` output.

Context: #40 (comment)

* JA4H: Ignore case when searching for "Cookie" and "Referer" fields

* JA4: Take `sig_hash_alg` values from `signature_algorithms` extension only

Related issue: #41

* Update Rust dependencies
noeltimothy added a commit to noeltimothy/ja4 that referenced this issue Jan 24, 2024
igr001-galactica pushed a commit that referenced this issue Jan 24, 2024