Closed IvanNardi closed 2 months ago
Great call out! DTLS sends a normal TLS client hello packet over UDP so this is very easy to fingerprint with JA4.
I've added DTLS support to the JA4 spec here: https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md
We'll start working on updating all the packages to add said support.
This update has no impact on existing JA4 fingerprints - it only adds support for DTLS.
@IvanNardi JA4 DTLS support has been added to Zeek, Wireshark, and is coming to Arkime soon.
Is the JA4 algorithm supposed to work with DTLS traffic too? I am asking because: 1) I didn't find any reference at all to DTLS in this repository 2) Wireshark doesn't calculate a JA4 fingerprint for DTLS sessions, but nDPI does
AFAIK, it should work out of the box, with only some minor changes to handle the DTLS version numbers
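To make the "minor changes" in this thread concrete, here is an added example (not code from the thread, FoxIO, Wireshark, Zeek or nDPI) that computes a JA4 string from a DTLS ClientHello: the DTLS-specific parts are the longer record and handshake headers, the cookie field, and the `d` protocol letter with the `d1`/`d2`/`d3` version codes from the JA4 spec linked above. It assumes one unfragmented, well-formed record and an ASCII ALPN value; `ja4_dtls`, the helper names and the `SAMPLE` bytes are constructed for illustration.

```python
import hashlib
import struct

DTLS_VERSIONS = {0xFEFF: "d1", 0xFEFD: "d2", 0xFEFC: "d3"}  # DTLS 1.0 / 1.2 / 1.3

def is_grease(v):
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)

def u16s(buf):  # big-endian 16-bit values with GREASE removed
    return [v for (v,) in struct.iter_unpack("!H", buf[:len(buf) // 2 * 2]) if not is_grease(v)]

def h12(s):  # truncated SHA-256; an empty list becomes twelve zeros
    return hashlib.sha256(s.encode()).hexdigest()[:12] if s else "0" * 12

def ja4_dtls(rec):
    # DTLS headers are longer than TLS: 13-byte record header, 12-byte handshake header.
    if len(rec) < 25 or rec[0] != 22 or rec[13] != 1:
        raise ValueError("not a DTLS handshake record carrying a ClientHello")
    if rec[19:22] != b"\x00\x00\x00" or rec[14:17] != rec[22:25]:
        raise ValueError("fragmented ClientHello: reassemble before fingerprinting")
    version = struct.unpack_from("!H", rec, 25)[0]
    p = 25 + 2 + 32                      # past legacy_version and random
    p += 1 + rec[p]                      # session_id
    p += 1 + rec[p]                      # cookie: the field a TLS ClientHello lacks
    n = struct.unpack_from("!H", rec, p)[0]
    ciphers, p = u16s(rec[p + 2:p + 2 + n]), p + 2 + n
    p += 1 + rec[p] + 2                  # compression methods, then extensions length
    exts, sigs, alpn = [], "", "00"
    while p + 4 <= len(rec):
        etype, elen = struct.unpack_from("!HH", rec, p)
        body, p = rec[p + 4:p + 4 + elen], p + 4 + elen
        if is_grease(etype):
            continue
        exts.append(etype)
        if etype == 0x0010 and elen > 3:     # ALPN: first and last byte of first value
            alpn = chr(body[3]) + chr(body[2 + body[2]])
        elif etype == 0x000D and elen > 2:   # signature_algorithms, original order
            sigs = "_" + ",".join(f"{s:04x}" for s in u16s(body[2:]))
        elif etype == 0x002B:                # DTLS numbers count down: newest is min
            version = min(u16s(body[1:]), default=version)
    counts = f"{min(len(ciphers), 99):02d}{min(len(exts), 99):02d}"
    a = "d" + DTLS_VERSIONS.get(version, "00") + ("d" if 0x0000 in exts else "i") + counts + alpn
    b = h12(",".join(sorted(f"{x:04x}" for x in ciphers)))
    c = ",".join(sorted(f"{e:04x}" for e in exts if e not in (0x0000, 0x0010))) + sigs
    return f"{a}_{b}_{h12(c)}"

SAMPLE = bytes.fromhex(  # constructed DTLS 1.2 ClientHello, not a capture
    "16fefd" + "00" * 8 + "0054" + "01000048" + "0000" + "000000" + "000048"  # headers
    + "fefd" + "00" * 32 + "00" + "04636f6f6b" + "0004c02bc02f" + "0100"      # hello
    + "0016" + "000a00040002001d" + "000d0006000404030804" + "00170000")      # extensions
```

`ja4_dtls(SAMPLE)` starts with `dd2i020300`: DTLS, version 1.2, no SNI, two ciphers, three extensions, no ALPN.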