[draft] JA4 for TLS and QUIC -- with raw support #10135
Conversation
Should #10095 be closed in favor of this one?
That depends on the feedback I am expecting to get from this draft PR :)
So maybe not yet, I wanted to keep #10095 to be "the" canonical PR and this to be a RfC more than a final proposal.
The raw ja4 looks like we want a tls.extensions keyword...
Yes, I thought of this as well. In general it might be helpful to extend the EVE-JSON output with some more readable details and also add detection capabilities on those. Different PR maybe ;)
It allows users to extract a posteriori some information such as TLS extensions, so that can be really useful. I would make it optional.
Why not allow logging of TLS extensions then, instead of hiding them in a ja4...
I agree. I'd rather see the extension logging in QUIC and TLS being extended (and also maybe unified to output an identical format? 🤔) Any thoughts?
I agree this is more interesting.
(sorry, fat fingered things, so reopened)
Codecov Report (coverage diff, master vs. #10135):

| | master | #10135 | +/- |
|---|---|---|---|
| Coverage | 82.15% | 82.46% | +0.30% |
| Files | 974 | 980 | +6 |
| Lines | 271925 | 281170 | +9245 |
| Hits | 223394 | 231858 | +8464 |
| Misses | 48531 | 49312 | +781 |
I understand that #10095 rather than this PR should be the way to go, and that TLS extensions logging should get into another redmine ticket targeted to 8 (cf. https://redmine.openinfosecfoundation.org/issues/2426). Is that correct?
Yes, agree.
Closing in favor of #10095 and https://redmine.openinfosecfoundation.org/issues/6695
Thanks for taking this to a decision, fully in support 👍🏻
Previous PR: #10095
Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/6379
Changes to previous PR (against master): `.ja4.r` / `ja4_r` and `.ja4.ro` / `ja4_ro`
Just opening this unrefined code for comments; adjusted S-V will come once the shape of the output is OK.
This changes the output of the JA4 metadata to a sub-object containing raw descriptors in addition to the hash (see https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md#raw-output):
[screenshot: output vs. reference implementation]
I also got in touch with FoxIO to sort out some minor gaps in the JA4 specification (FoxIO-LLC/ja4#40).