FoxIO-LLC / ja4

JA4+ is a suite of network fingerprinting standards
https://foxio.io

JA4.py prints "signature_algorithms" instead of JA4 fingerprint #89

Closed Cable-2-5 closed 3 months ago

Cable-2-5 commented 3 months ago

In this pcap, JA4.py prints out "signature_algorithms" (instead of t10d360500_77f462745360_51f6d7389324).

bug.pcap.zip

noeltimothy commented 3 months ago

Yes, confirmed this to be an issue with the provided pcap: old code produces this:

 python3 ../../noeltimothy/ja4/python/ja4.py pcap/bug.pcap --ja4
'signature_algorithms'

The new fix gives us this:

{'stream': 0, 'src': '10.0.2.15', 'dst': '172.217.13.66', 'srcport': '52269', 'dstport': '443', 'client_ttl': '64', 'server_ttl': '64', 'JA4L-S': '9759_64', 'JA4L-C': '651_64', 'domain': 'adservice.google.com', 'JA4': 't10d360500_77f462745360_51f6d7389324', 'JA4S': 't100300_c009_f8ab4e03ba67'}
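
The following is an added example, not code from the ja4 repository or from either commenter. It assumes (the thread does not state the cause) that the old output was the text of a `KeyError` raised for a TLS 1.0 ClientHello that carries no signature_algorithms extension, and it shows how the JA4 string is built when that field is absent. The dictionary layout, the function names and the sample values are constructed for illustration.

```python
import hashlib

# Constructed ClientHello summary (not taken from bug.pcap): TLS 1.0, SNI,
# 36 ciphers, 5 extensions, no ALPN, no signature_algorithms (0x000d).
SAMPLE = {
    "version": 0x0301,
    "ciphers": [f"{0x002f + i:04x}" for i in range(36)],
    "extensions": ["0000", "000a", "000b", "0023", "ff01"],
}
VERSIONS = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10"}
GREASE = {f"{n:x}a{n:x}a" for n in range(16)}  # 0a0a, 1a1a, ..., fafa

def _h12(text):
    """First 12 hex characters of SHA-256, as used for JA4 parts b and c."""
    return hashlib.sha256(text.encode()).hexdigest()[:12]

def ja4(hello, strict=False):
    ciphers = [c for c in hello["ciphers"] if c not in GREASE]
    exts = [e for e in hello["extensions"] if e not in GREASE]
    alpn = hello.get("alpn") or []
    # strict=True models code that assumes the field is always present.
    sigs = (hello["signature_algorithms"] if strict
            else hello.get("signature_algorithms") or [])
    a = "t{}{}{:02d}{:02d}{}".format(
        VERSIONS[hello["version"]],
        "d" if "0000" in exts else "i",
        min(len(ciphers), 99), min(len(exts), 99),
        alpn[0][0] + alpn[0][-1] if alpn else "00")  # alphanumeric ALPN only
    b = _h12(",".join(sorted(ciphers))) if ciphers else "0" * 12
    # SNI (0000) and ALPN (0010) are counted in part a but not hashed in part c.
    raw = ",".join(sorted(e for e in exts if e not in ("0000", "0010")))
    if sigs:  # no trailing "_" when the client sent no signature algorithms
        raw += "_" + ",".join(sigs)
    c = _h12(raw) if exts else "0" * 12
    return f"{a}_{b}_{c}"

def fingerprint_fragile(hello):
    """Hypothetical wrapper: a broad except turns the error into the 'result'."""
    try:
        return ja4(hello, strict=True)
    except Exception as exc:  # swallowing the error hides the missing field
        return str(exc)

if __name__ == "__main__":
    print(fingerprint_fragile(SAMPLE))  # the KeyError text, not a fingerprint
    print(ja4(SAMPLE))
```

A regression test built on a capture like the one attached to this issue would check that the output matches the `a_b_c` shape, so an error string can never pass as a fingerprint in downstream detection rules.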