Closed reg0bs closed 3 months ago
No JA4/S at all? Do you have any other plugins/scripts running?
Did you copy over the folder structure exactly as it is in the zeek folder? i.e.
git clone https://github.com/FoxIO-LLC/ja4.git
cp -R ja4/zeek /opt/zeek/share/zeek/site/ja4plus
I tried a few things and when I connect using Wi-Fi I get the JA4 fields populated. Only when using the wired NIC does it seem not to work. I checked to see if there is some offloading going on, maybe keeping zeek from seeing the full picture. I found these, but I don't think any of these is doing a lot of damage:
ethtool -k enp2s0f0 | grep ": on"
rx-checksumming: on
tx-checksumming: on
tx-checksum-ipv4: on
tx-checksum-ipv6: on
rx-vlan-offload: on
tx-vlan-offload: on
highdma: on [fixed]
Do you maybe have another idea what could make the WLAN work, but interfere with the LAN interface?
Weird thing is that I see new entries in ssl.log appear, just the JA4 is missing :thinking:
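The offload question above is easier to answer systematically than by eyeballing ethtool output. The script below is an added example, not code from the thread or from the ja4 project: it parses ethtool -k style text and lists the enabled features that generic packet-capture guidance (Zeek's included) recommends turning off on a sniffing interface, since segmentation and coalescing offloads hand the sensor frames that never crossed the wire in that shape. The watched feature list and the sample output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: report capture-relevant NIC offloads that are still enabled.
# Not part of the thread; feature list and sample data are assumptions.

# Sample `ethtool -k` output, constructed for offline use.
SAMPLE_ETHTOOL='Features for enp2s0f0:
rx-checksumming: on
tx-checksumming: on
	tx-checksum-ipv4: on
	tx-checksum-ipv6: on
scatter-gather: on
	tx-scatter-gather: on
tcp-segmentation-offload: on
	tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on
highdma: on [fixed]'

# Top-level features that change what a capture tap sees (assumed list).
WATCH_FEATURES='rx-checksumming tx-checksumming scatter-gather tcp-segmentation-offload generic-segmentation-offload generic-receive-offload large-receive-offload rx-vlan-offload tx-vlan-offload'

# enabled_offloads: read ethtool -k text on stdin, print each watched
# top-level feature that is "on" (fixed or not), one per line, sorted.
# Indented sub-features are skipped on purpose; the parent covers them.
enabled_offloads() {
    awk -v watch="$WATCH_FEATURES" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        /^[a-z0-9-]+: / {
            name = $1; sub(":$", "", name)
            if (want[name] && $2 == "on") print name
        }
    ' | LC_ALL=C sort
}

# check_iface IFACE: live check against a real interface (needs ethtool).
check_iface() {
    ethtool -k "$1" | enabled_offloads
}

# Demonstrate on the constructed sample.
echo "$SAMPLE_ETHTOOL" | enabled_offloads
```

Run check_iface enp2s0f0 on the sensor host to get the same report for a real interface; an empty result means none of the watched offloads is active.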
@reg0bs try now with our latest update and see if it solves the problem.
Works like a charm now! Thanks John!
Hi!
I'm a total noob with zeek, but it seems my basic setup works so far. I've copied the needed files into the right folder and enabled ja4plus in local.zeek. When I check out conn.log I see some connections have e.g. ja4t data included, but when I check my ssl.log I see the columns for JA4 and JA4S, but not a single line contains the fingerprints themselves. Is there anything else I have to do to enable them? Are only certain kinds of TLS connections supported currently, e.g. only TLS 1.2 or the like? Is there any recommendation on how to troubleshoot this?
As mentioned I'm very sorry as this is most likely an issue on my side, but I can't wrap my head around why one part of JA4 seems to work, although another part (ssl.log) seems not to work. I've tested this with the zeek stable version, as well as with the RC. I'm running Ubuntu 23.10 and used the packages provided by the opensuse service.
PS: When I run the wireshark plugin in parallel I see some fingerprints, but again, when I check ssl.log for the same time duration, there are no fingerprints in it. Appreciate any kind of help someone could provide.
Thanks!