FoxIO-LLC / ja4

JA4+ is a suite of network fingerprinting standards
https://foxio.io

[python] `ja4.py` produces multiple output records for a single TCP stream #67

Closed vvv closed 4 months ago

vvv commented 4 months ago

I noticed strange behaviour of the Python app when processing the attached capture file.

📎 ssh-r_stream-1.pcap.gz (this is tcp.stream == 1, extracted from ssh-r.pcap)

  1. There is only one TCP stream in the pcap file, so there should be a single record (JSON object) in the output. Yet ja4.py produces 4 output records.
  2. Of the 4 output records, 2 are unique.
  3. The unique records differ in JA4SSH fingerprint only.
```
root@cb2229f67df7:/ja4/python# python3 ja4.py --json ../pcap/ssh-r_stream-1.pcap 2>/dev/null | jq -c . | wc -l
4
root@cb2229f67df7:/ja4/python# python3 ja4.py --json ../pcap/ssh-r_stream-1.pcap 2>/dev/null | jq -c . | sort -u | wc -l
2
root@cb2229f67df7:/ja4/python# python3 ja4.py --json ../pcap/ssh-r_stream-1.pcap 2>/dev/null | jq -c . | sort -u | jq .
{
  "stream": 0,
  "src": "192.168.1.197",
  "dst": "44.212.59.210",
  "srcport": "46394",
  "dstport": "22",
  "client_ttl": "64",
  "server_ttl": "116",
  "JA4L-S": "4171_116",
  "JA4L-C": "2058_64",
  "ssh_extras": {
    "hassh": "ec9ea89c70f5fc71cf61061bff5e4740",
    "hassh_server": "2307c390c7c9aba5b4c9519e72347f34",
    "ssh_protocol_client": "SSH-2.0-OpenSSH_7.4",
    "ssh_protocol_server": "SSH-2.0-OpenSSH_8.7",
    "encryption_algorithm": "aes256-gcm@openssh.com"
  },
  "JA4SSH.1": "c48s21_c7s5_c4s5"
}
{
  "stream": 0,
  "src": "192.168.1.197",
  "dst": "44.212.59.210",
  "srcport": "46394",
  "dstport": "22",
  "client_ttl": "64",
  "server_ttl": "116",
  "JA4L-S": "4171_116",
  "JA4L-C": "2058_64",
  "ssh_extras": {
    "hassh": "ec9ea89c70f5fc71cf61061bff5e4740",
    "hassh_server": "2307c390c7c9aba5b4c9519e72347f34",
    "ssh_protocol_client": "SSH-2.0-OpenSSH_7.4",
    "ssh_protocol_server": "SSH-2.0-OpenSSH_8.7",
    "encryption_algorithm": "aes256-gcm@openssh.com"
  },
  "JA4SSH.1": "c48s21_c7s5_c5s5"
}
root@cb2229f67df7:/ja4/python# rec1=$(python3 ja4.py --json ../pcap/1.pcap 2>/dev/null | jq -c . | sort -u | head -1 | jq .)
root@cb2229f67df7:/ja4/python# rec2=$(python3 ja4.py --json ../pcap/1.pcap 2>/dev/null | jq -c . | sort -u | tail -1 | jq .)
root@cb2229f67df7:/ja4/python# diff -u <(echo "$rec1") <(echo "$rec2")
--- /dev/fd/63  2024-02-03 20:39:00.731977007 +0000
+++ /dev/fd/62  2024-02-03 20:39:00.731977007 +0000
@@ -15,5 +15,5 @@
     "ssh_protocol_server": "SSH-2.0-OpenSSH_8.7",
     "encryption_algorithm": "aes256-gcm@openssh.com"
   },
-  "JA4SSH.1": "c48s21_c7s5_c4s5"
+  "JA4SSH.1": "c48s21_c7s5_c5s5"
 }
```
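An added example, not code from the ja4 project or from the issue author: a small post-processor that reads the JSON records `ja4.py --json` emits, groups them by stream (the `stream`/`src`/`dst`/`srcport`/`dstport` fields shown above) and reports, per stream, how many records were produced, how many are unique, and which fields vary between them. The sample input is constructed to mirror the four records in this report (with `ssh_extras` omitted), and `parse_records` assumes the input is a sequence of JSON objects, either pretty-printed or one per line.

```python
import json
from collections import Counter, defaultdict

# Constructed sample: four records shaped like the issue's ja4.py --json output,
# two of them unique, differing only in JA4SSH.1 (ssh_extras omitted for brevity).
SAMPLE_OUTPUT = "\n".join(json.dumps({
    "stream": 0, "src": "192.168.1.197", "dst": "44.212.59.210",
    "srcport": "46394", "dstport": "22", "client_ttl": "64", "server_ttl": "116",
    "JA4L-S": "4171_116", "JA4L-C": "2058_64", "JA4SSH.1": fp,
}) for fp in ("c48s21_c7s5_c4s5", "c48s21_c7s5_c4s5",
              "c48s21_c7s5_c5s5", "c48s21_c7s5_c5s5"))

# Fields that identify one TCP stream in the ja4.py output.
STREAM_KEY = ("stream", "src", "dst", "srcport", "dstport")

def parse_records(text):
    """Parse concatenated JSON objects (pretty-printed or one per line)."""
    decoder, records, pos = json.JSONDecoder(), [], 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return records
        obj, pos = decoder.raw_decode(text, pos)
        records.append(obj)

def _as_key(value):
    """Make nested values (e.g. ssh_extras) usable as Counter keys."""
    scalar = isinstance(value, (str, int, float, bool, type(None)))
    return value if scalar else json.dumps(value, sort_keys=True)

def summarize_streams(records):
    """Per stream: record count, unique-record count, and fields whose values vary."""
    by_stream = defaultdict(list)
    for rec in records:
        by_stream[tuple(rec.get(k) for k in STREAM_KEY)].append(rec)
    summary = {}
    for key, recs in by_stream.items():
        unique = {json.dumps(r, sort_keys=True) for r in recs}
        fields = set().union(*(r.keys() for r in recs))
        varying = {f: Counter(_as_key(r.get(f)) for r in recs) for f in fields}
        varying = {f: c for f, c in varying.items() if len(c) > 1}
        summary[key] = {"records": len(recs), "unique": len(unique), "varying": varying}
    return summary

if __name__ == "__main__":
    for key, info in summarize_streams(parse_records(SAMPLE_OUTPUT)).items():
        print(key, info["records"], "records,", info["unique"], "unique, varying:",
              {f: dict(c) for f, c in info["varying"].items()})
```

Run it against real output with `python3 ja4.py --json capture.pcap 2>/dev/null | python3 this_script.py` after replacing `SAMPLE_OUTPUT` with `sys.stdin.read()`; any stream with more than one unique record is a case of the behaviour reported here.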