Added JA4/S support as an NFStream Plugin #192
This file contains the JA4() class, along with the functions needed for its implementation. This class constitutes a plugin for NFStream capable of computing ja4 and ja4s fingerprints for TLS over TCP traffic.
Thanks a lot for your contribution. LGTM, left comments for tiny changes. Also, could you please add your author information as part of the Plugin docstrings and any link to a paper that uses this plugin for credits.
Deleted unnecessary assertions
Sure thing! I'll make sure to add myself as a contributor. I have a couple of papers published on related research, but I never published any results processed with NFStream. I will soon, though, and I'll be more than happy to have my paper referred here!
Alright, I think that was it. Fixed all of the stuff you asked me to. Hope it is a useful contribution! If you have any doubts, need something double-checked, or want to change more stuff, feel free to let me know :-)
It is nice to have JA4 fingerprints in this project :). @jogecodes, I understand you have reimplemented JA4/JA4S yourself according to the specs. I wonder if you considered turning it into a separate project? The JA4+ project has a Python implementation (https://github.com/FoxIO-LLC/ja4/tree/main/python), which features a whole bunch of other fingerprints from the JA4+ suite, not only JA4 and JA4S. But they do it via pyshark; your implementation is much more compact.
Changes reviewed
Added protection against bugs in IPv6 signature extraction (to be fixed in future versions of the plugin)
Avoided a bug regarding IPv6 JA4 extraction. I'll add support for IPv6 in future versions of the plugin.
Updated the requirements too
Pull Request: Added JA4 support as a plugin
Description
Base application layer features of NFStream include server and user fingerprinting based on the JA3 standard. An extendable plugin was added to provide support for JA4+ fingerprinting. At the moment, JA4 and JA4S fingerprint calculation for TCP over TLS traffic has been implemented, but JA4SSH and JA4HTTP will soon be available too.
There is only one additional dependency needed: scapy, to provide packet dissection capabilities.