FoxIO-LLC / ja4

JA4+ is a suite of network fingerprinting standards
https://foxio.io

No JA4/JA4S included in zeek's ssl.log #87

Closed reg0bs closed 3 months ago

reg0bs commented 3 months ago

Hi!

I'm a total noob with zeek, but it seems my basic setup works so far. I've copied the needed files into the right folder and enabled ja4plus in local.zeek. When I check out conn.log I see some connections have e.g. ja4t data included, but when I check my ssl.log I see the columns for JA4 and JA4S, but not a single line contains the fingerprints themselves.

Is there anything else I have to do to enable them? Is only a certain kind of TLS connections supported currently, e.g. only TLS1.2 or the like? Is there any recommendation on how to troubleshoot this?

As mentioned, I'm very sorry, as this is most likely an issue on my side, but I can't wrap my head around why one part of JA4 seems to work, although another part (ssl.log) seems to not work. I've tested this with the zeek stable version, as well as with the RC. I'm running Ubuntu 23.10 and used the packages provided by the openSUSE service.

PS: When I run the wireshark plugin in parallel I see some fingerprints, but again, when I check ssl.log for the same time duration, there are no fingerprints in it.

Appreciate any kind of help someone could provide.

Thanks!
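A quick way to quantify the symptom described in the report above (rows arriving in ssl.log while the JA4 columns stay empty) is to parse the log and count populated fingerprint fields, overall and per TLS version, which also answers the "is only one TLS version supported?" question from the data. The script below is an added example for this thread, not code from the ja4 project or from Zeek. It assumes Zeek's default TSV log format and that the ja4plus package names its ssl.log columns `ja4` and `ja4s`; the embedded sample log and its fingerprint strings are constructed for illustration.

```python
"""Report how many ssl.log rows carry JA4 / JA4S fingerprints.

Added troubleshooting example; not code from the ja4 project or Zeek.
Assumptions: Zeek's default TSV log format, and the ja4plus package
naming its ssl.log columns `ja4` and `ja4s`.
"""
import sys

FINGERPRINT_FIELDS = ("ja4", "ja4s")


def parse_zeek_tsv(lines):
    """Yield one dict per data row of a Zeek TSV log.

    Honours the #separator, #unset_field and #fields headers; unset values
    ("-" by default) become None so a missing fingerprint is easy to test.
    """
    sep, unset, fields = "\t", "-", None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator is written as an escape sequence, e.g. "\x09".
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
            continue  # #set_separator, #path, #types, #open, #close are ignored
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        yield {name: (None if value == unset else value) for name, value in zip(fields, values)}


def ja4_coverage(records):
    """Count rows carrying each fingerprint, overall and per TLS version."""
    stats = {"total": 0, "ja4": 0, "ja4s": 0, "by_version": {}}
    for rec in records:
        stats["total"] += 1
        version = rec.get("version") or "unknown"
        bucket = stats["by_version"].setdefault(version, {"rows": 0, "ja4": 0, "ja4s": 0})
        bucket["rows"] += 1
        for field in FINGERPRINT_FIELDS:
            if rec.get(field):
                stats[field] += 1
                bucket[field] += 1
    return stats


def coverage_from_text(text):
    return ja4_coverage(parse_zeek_tsv(text.splitlines()))


def looks_broken(stats):
    """The symptom from the report: rows are logged but ja4 is never set."""
    return stats["total"] > 0 and stats["ja4"] == 0


# Constructed sample log (not captured from the reporter's host); the
# fingerprint strings are placeholders in JA4/JA4S format.
SAMPLE_SSL_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssl
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tserver_name\tja4\tja4s
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring
1700000000.100000\tC1\t10.0.0.5\t51234\t192.0.2.10\t443\tTLSv13\texample.com\tt13d1516h2_8daaf6152771_b0da82dd1658\tt130200_1301_a56c5b993250
1700000001.200000\tC2\t10.0.0.5\t51235\t192.0.2.11\t443\tTLSv12\t-\tt12d1409h2_8daaf6152771_e5627efa2ab1\tt120200_c030_e5627efa2ab1
1700000002.300000\tC3\t10.0.0.6\t51236\t192.0.2.12\t443\tTLSv12\tmail.example.com\t-\t-
1700000003.400000\tC4\t10.0.0.6\t51237\t192.0.2.13\t8443\t-\t-\t-\t-
#close\t2023-11-14-22-13-24
"""


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            stats = ja4_coverage(parse_zeek_tsv(fh))
    else:
        stats = coverage_from_text(SAMPLE_SSL_LOG)
    print(f"{stats['total']} rows, ja4 set on {stats['ja4']}, ja4s set on {stats['ja4s']}")
    for version, b in sorted(stats["by_version"].items()):
        print(f"  {version:8s} rows={b['rows']} ja4={b['ja4']} ja4s={b['ja4s']}")
    if looks_broken(stats):
        print("no JA4 fingerprints at all: check the ja4plus install and the capture interface")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the path of an ssl.log as the only argument; with no argument it reports on the constructed sample. A non-zero `rows` count with zero `ja4` across every version is the pattern the reporter describes, whereas zeros confined to one version would point at a protocol-specific gap instead.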

john-althouse commented 3 months ago

No JA4/S at all? Do you have any other plugins/scripts running?

Did you copy over the folder structure exactly as it is in the zeek folder? i.e.

```shell
git clone https://github.com/FoxIO-LLC/ja4.git
cp -R ja4/zeek /opt/zeek/share/zeek/site/ja4plus
```

reg0bs commented 3 months ago

I tried a few things and when I connect using Wi-Fi I get the JA4 fields populated. Only when using the wired NIC, it seems to not work. I checked to see if there is some offloading going on, maybe keeping zeek from seeing the full picture. I found these, but I don't think any of these is doing a lot of damage:

```shell
ethtool -k enp2s0f0 | grep ": on"
rx-checksumming: on
tx-checksumming: on
    tx-checksum-ipv4: on
    tx-checksum-ipv6: on
rx-vlan-offload: on
tx-vlan-offload: on
highdma: on [fixed]
```

Do you maybe have another idea what could make the WLAN work, but interfere with the LAN interface? The weird thing is that I see new entries in ssl.log appear, just the JA4 is missing :thinking:
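The offload check in the comment above is the one to run whenever a capture interface behaves differently from another, because `ethtool -k` lists every feature and it is easy to miss the ones that matter. The script below is an added example for this thread, not code from the ja4 project or from Zeek: it parses `ethtool -k IFACE` output, flags the offloads that are on and changeable, and builds the `ethtool -K` command that turns them off. It assumes the usual Zeek advice of disabling checksum, segmentation, receive and VLAN offloads on a passive capture interface; the embedded `ethtool -k` output is constructed, and the feature-to-keyword map follows the ethtool man page.

```python
"""Flag NIC offloads that are on for a Zeek capture interface.

Added example; not code from the ja4 project or Zeek. Parses `ethtool -k`
output and builds the `ethtool -K` command that would turn the flagged
offloads off. Assumption: on a passive capture interface the offloads
below should be disabled so Zeek sees frames as they were on the wire.
"""
import re
import subprocess
import sys

# `ethtool -k` feature name -> `ethtool -K` keyword (ethtool man page).
OFFLOADS = {
    "rx-checksumming": "rx",
    "tx-checksumming": "tx",
    "scatter-gather": "sg",
    "tcp-segmentation-offload": "tso",
    "udp-fragmentation-offload": "ufo",
    "generic-segmentation-offload": "gso",
    "generic-receive-offload": "gro",
    "large-receive-offload": "lro",
    "rx-vlan-offload": "rxvlan",
    "tx-vlan-offload": "txvlan",
}

LINE_RE = re.compile(r"^(?P<name>[a-z0-9-]+):\s*(?P<state>on|off)(?P<fixed>\s+\[fixed\])?$")


def parse_ethtool_k(text):
    """Return {feature: (state, fixed)} for the top-level lines of `ethtool -k`.

    Indented sub-features such as tx-checksum-ipv4 are skipped; `ethtool -K`
    takes the parent keyword, and the "Features for ..." banner never matches.
    """
    features = {}
    for line in text.splitlines():
        if line.startswith(("\t", " ")):
            continue
        m = LINE_RE.match(line.strip())
        if m:
            features[m["name"]] = (m["state"], bool(m["fixed"]))
    return features


def offloads_to_disable(features):
    """Keywords for offloads that are on and not marked [fixed]."""
    return [kw for name, kw in OFFLOADS.items()
            if features.get(name, ("off", False)) == ("on", False)]


def disable_command(iface, keywords):
    """The `ethtool -K` line to run, or None when nothing needs changing."""
    if not keywords:
        return None
    return "ethtool -K " + iface + " " + " ".join(f"{kw} off" for kw in keywords)


# Constructed `ethtool -k` output for illustration (not the reporter's NIC).
SAMPLE_ETHTOOL_K = """Features for enp2s0f0:
rx-checksumming: on
tx-checksumming: on
\ttx-checksum-ipv4: on
\ttx-checksum-ipv6: on
scatter-gather: on
\ttx-scatter-gather: on
tcp-segmentation-offload: on
\ttx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on
highdma: on [fixed]
"""


def main(argv):
    if len(argv) > 1:
        iface = argv[1]
        text = subprocess.run(["ethtool", "-k", iface], capture_output=True,
                              text=True, check=True).stdout
    else:
        iface, text = "enp2s0f0", SAMPLE_ETHTOOL_K
    keywords = offloads_to_disable(parse_ethtool_k(text))
    print(f"{iface}: {len(keywords)} offload(s) on: {' '.join(keywords) or 'none'}")
    cmd = disable_command(iface, keywords)
    if cmd:
        print("to disable them:", cmd)


if __name__ == "__main__":
    main(sys.argv)
```

Given an interface name it runs `ethtool -k` itself (read-only) and only prints the `-K` command, so nothing is changed until you run it by hand; settings made this way do not persist across reboots. Note that in the thread the fix turned out to be a plugin update, so an offload that is on is a thing to rule out, not a diagnosis.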

john-althouse commented 3 months ago

@reg0bs try now with our latest update and see if it solves the problem.

reg0bs commented 3 months ago

Works like a charm now! Thanks John!