[draft] JA4 for TLS and QUIC -- with raw support #10135
Conversation
satta
requested review from
catenacyber,
jasonish,
jufajardini,
victorjulien and
a team
as code owners
|
Should #10095 be closed in favor of this one ? |
That depends on the feedback I am expecting to get from this draft PR :)
So maybe not yet, I wanted to keep #10095 to be "the" canonical PR and this to be a RfC more than a final proposal. |
|
The raw ja4 looks like we want a tls.extensions keyword... |
|
Yes, I thought of this as well. In general it might be helpful to extend the EVE-JSON output with some more readable details and also add detection capabilities on those. Different PR maybe ;) |
It allows user to extract a posteriori some information such as TLS extensions so that can be really useful
I would make it optional.
|
Why not allow logging of tls extensions then ? instead of hiding them in a ja4... |
I agree. I'd rather see the extension logging in QUIC and TLS being extended (and also maybe unified to output an identical format? 🤔) Any thoughts? |
I agree this is more interesting. |
|
(sorry fat fingered things, so reopened) |
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## master #10135 +/- ##
==========================================
+ Coverage 82.15% 82.46% +0.30%
==========================================
Files 974 980 +6
Lines 271925 281170 +9245
==========================================
+ Hits 223394 231858 +8464
- Misses 48531 49312 +781
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
I understand that #10095 rather than this PR should be the way to go, and that TLS extensions logging should get into another redmine ticket targeted to 8 (cf https://redmine.openinfosecfoundation.org/issues/2426 ) Is that correct ? |
Yes, agree. |
|
Closing in favor of #10095 and https://redmine.openinfosecfoundation.org/issues/6695 |
|
Thanks for taking this to a decision, fully in support 👍🏻 |
Previous PR: #10095
Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/6379
Changes to previous PR:
master.ja4.r/ja4_randja4.ro/ja4_roJust opening this unrefined code for comments; adjusted S-V will come once the shape of the output is OK.
This change changes the output of the JA4 metadata to a sub-object containing raw descriptors in addition to the hash (see https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md#raw-output):
{ "timestamp": "2015-03-06T19:12:22.423355+0000", "flow_id": 1779718999422175, "pcap_cnt": 7, "event_type": "tls", "src_ip": "192.168.56.1", "src_port": 49365, "dest_ip": "192.168.56.101", "dest_port": 443, "proto": "TCP", "pkt_src": "wire/pcap", "tls": { "subject": "C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS", "issuerdn": "C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS", "serial": "00:97:E6:47:09:8E:EA:C9:B4", "fingerprint": "3a:0b:3b:23:15:2c:44:5c:27:ac:6a:0c:41:d6:fa:74:af:b4:09:5b", "version": "TLS 1.2", "notbefore": "2015-02-12T18:07:27", "notafter": "2025-02-09T18:07:27", "ja4": { "ja4": "t12i1810s1_27d4652c4487_06a4338d0495", "ja4_r": "t12i1810s1_0004,0005,000a,002f,0032,0033,0035,0039,009c,009e,c007,c009,c00a,c011,c013,c014,c02b,c02f_0005,000a,000b,000d,0012,0023,3374,7550,ff01_0401,0501,0201,0403,0503,0203,0402,0202", "ja4_ro": "t12i1810s1_c02b,c02f,009e,c00a,c009,c013,c014,c007,c011,0033,0032,0039,009c,002f,0035,000a,0005,0004_ff01,000a,000b,0023,3374,0010,7550,0005,0012,000d_0401,0501,0201,0403,0503,0203,0402,0202" } } }vs. reference implementation
I also got in touch with FoxIO to sort out some minor gaps in the JA4 specification (FoxIO-LLC/ja4#40).