FoxIO-LLC / ja4

JA4+ is a suite of network fingerprinting standards
https://foxio.io

No JA4 fields in Zeek logs after installing #179

Open packetuser opened 1 week ago

packetuser commented 1 week ago

Hello!

I'm trying to use the JA4 Zeek plugin on an Ubuntu 22.04 system. I installed using zkg, and I can confirm that worked because I can see:

$ zkg list
zeek/foxio/ja4 (installed: v0.18.4) - Official Zeek package for JA4+ network fingerprinting.

After doing this, I 'deployed' zeek with zeekctl.

However, I can't see any JA4 fields in conn.log, ssl.log, or anywhere else.

In a (perhaps misguided) effort to install using the other method indicated in the docs, I added @load ja4plus to local.zeek, but when I deploy zeek, I see fatal error in /opt/zeek/share/zeek/site/local.zeek, line 126: can't find ja4plus. The docs indicate "If you don't have the zeek package manager, copy this directory to zeek/share/zeek/site/ja4plus and add this line to either load.zeek or local.zeek in zeek/share/zeek/site/:". I don't know what 'this directory' means in this context.

Thanks in advance!

packetuser commented 6 days ago

Aha, ok I fixed it. The problem: I was trying to load the wrong package. I was doing @load ja4plus per the documentation, but that's wrong apparently. I did @load packages instead (I guess I could also have done @load ja4).
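
A check for the situation in this thread, added here as an example (it is not part of the issue or of the ja4 project's code): it confirms that a site file has an active `@load packages` line and that a Zeek TSV log's `#fields` header carries a JA4 column. The function names, the sample files, and the assumption that JA4 columns start with `ja4` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the ja4 project. Checks the two things this thread
# turned on: does local.zeek load zkg packages, and do the logs carry any
# JA4 columns afterwards.

# Succeeds if FILE has an uncommented "@load packages" line (the fix reported above).
loads_packages() {
    grep -Eq '^[[:space:]]*@load[[:space:]]+packages[[:space:]]*(#.*)?$' "$1"
}

# Prints, one per line, the columns in a Zeek TSV log's "#fields" header
# whose name starts with "ja4" (assumed naming). Prints nothing if none.
ja4_fields() {
    awk -F '\t' '$1 == "#fields" {
        for (i = 2; i <= NF; i++) if ($i ~ /^ja4/) print $i
        exit
    }' "$1"
}

# usage: check_ja4 LOCAL_ZEEK LOG ; returns 0 ok, 1 not loaded, 2 no column
check_ja4() {
    if ! loads_packages "$1"; then
        echo "no active '@load packages' in $1"; return 1
    fi
    if [ -z "$(ja4_fields "$2")" ]; then
        echo "packages loaded, but no ja4* column in $2"; return 2
    fi
    echo "ok: $(ja4_fields "$2" | tr '\n' ' ')"
}

# Constructed sample inputs so the script runs offline.
demo_dir=$(mktemp -d)
printf '@load base/protocols/ssl\n# @load packages\n@load ja4plus\n' > "$demo_dir/before.zeek"
printf '@load base/protocols/ssl\n@load packages\n' > "$demo_dir/after.zeek"
printf '#separator \\x09\n#path\tssl\n#fields\tts\tuid\tversion\tcipher\n' > "$demo_dir/ssl_before.log"
printf '#separator \\x09\n#path\tssl\n#fields\tts\tuid\tversion\tja4\n' > "$demo_dir/ssl_after.log"

check_ja4 "$demo_dir/before.zeek" "$demo_dir/ssl_before.log" || true
check_ja4 "$demo_dir/after.zeek" "$demo_dir/ssl_after.log"
```

On a real sensor, pass the site `local.zeek` and the current `ssl.log` to `check_ja4` in place of the constructed files.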