Added JA4/S support as an NFStream Plugin #192

Open
wants to merge 16 commits into
base: master

@jogecodes jogecodes commented Jan 30, 2024

Pull Request: Added JA4 support as a plugin

Description

Base application layer features of NFStream include server and user fingerprinting based on the JA3 standard. An extendable plugin was added to provide support for JA4+ fingerprinting. At the moment, JA4 and JA4S fingerprint calculation for TCP over TLS traffic has been implemented, but JA4SSH and JA4HTTP will soon be available too.

There is only one additional dependency needed: scapy, to provide packet dissection capabilities.

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce.
Please also list any relevant details for your test configuration

  • Test A: Correct calculation of the JA4 and JA4S fingerprints was checked against the official implementation of the JA4+ Network Fingerprinting Suite
  • Test B: The developed plugin passes all of the designed tests

Test Configuration:

  • OS version: 22.04.1 Ubuntu
  • Python version: Python 3.10.12
  • Hardware: AMD Ryzen 5 3600X 6-Core Processor

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
  • I have checked my code and corrected any misspellings

jogecodes and others added 8 commits January 29, 2024 09:25
This file contains the JA4() class, along with the functions needed for its implementation. This class constitutes a plugin for NFStream capable of computing ja4 and ja4s fingerprints for TLS over TCP traffic.
Member

@aouinizied aouinizied left a comment

Thanks a lot for your contribution. LGTM, left comments for tiny changes. Also, could you please add your author information as part of the Plugin docstrings and any link to a paper that uses this plugin for credits?

Deleted unnecessary assertions
@jogecodes
Author

Sure thing! I'll make sure to add myself as a contributor. I have a couple of papers published on related research, but I never published any results processed with NFStream. I will soon, though, and I'll be more than happy to have my paper referred here!

@jogecodes
Author

Alright, I think that was it. Fixed all of the stuff you asked me to. Hope it is a useful contribution!

If you have any doubts, need something double-checked, or want to change more stuff feel free to let me know :-)

@abbbe
abbbe commented May 18, 2024

It is nice to have JA4 fingerprints in this project :).

@jogecodes, I understand you have reimplemented JA4/JA4S yourself according to the specs. I wonder if you considered turning it into a separate project?

The JA4+ project has a Python implementation (https://github.com/FoxIO-LLC/ja4/tree/main/python), which features a whole bunch of other fingerprints from the JA4+ suite, not only JA4 and JA4S. But they do it via pyshark; your implementation is much more compact.

Author

@jogecodes jogecodes left a comment

Changes reviewed

@jogecodes jogecodes requested a review from aouinizied May 30, 2024 13:44
Added protection against bugs in IPv6 signature extraction (to be fixed in future versions of the plugin)
Author

@jogecodes jogecodes left a comment

Avoided a bug regarding IPv6 JA4 extraction. I'll add support for IPv6 in future versions of the plugin.

Author

@jogecodes jogecodes left a comment

Updated the requirements too
