FoxIO-LLC / ja4

JA4+ is a suite of network fingerprinting standards
https://foxio.io

JA4SSH in its own log. #91

Open zrobinette12 opened 3 months ago

zrobinette12 commented 3 months ago

Is there a reason behind the Zeek ssh.log not containing JA4SSH and having that data broken out into its own ja4ssh.log?

john-althouse commented 3 months ago

@zrobinette12 great question. I'm open to thoughts on this.

The reason was that JA4SSH will generate a new log line every 200 ssh packets. For immediate detection and response purposes, we did not want to wait until after the ssh session was closed to log the fingerprints. Instead, we're logging the fingerprints as they happen, in ja4ssh.log. Think of it like files.log or x509.log which log files and certs as they are seen rather than waiting for the sessions to close to log in http.log or ssl.log, respectively.

That said, we could log in ssh.log if users want us to go that route.
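To make the interval logging described above concrete, here is an added Python sketch (not FoxIO's Zeek code and not part of this thread) of a per-connection tracker that emits a JA4SSH-style record every 200 packets and flushes the remainder when the session closes. The field layout follows the published JA4SSH format as I understand it (mode of client and server payload length, client and server packet counts, client and server pure-ACK counts); which packets count toward the 200, whether pure ACKs are counted as packets, and the tie-break for the mode are assumptions made here for illustration, and the packet stream is constructed, not captured.

```python
"""Streaming JA4SSH-style counters: emit a record every 200 packets, not at session close.

Added illustration, not the ja4 project's implementation. Counting semantics are assumptions:
every packet counts toward the interval, pure ACKs (no payload) are counted as packets and
as ACKs, and only payload-bearing packets enter the length mode.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INTERVAL = 200  # JA4SSH emits one fingerprint per 200 packets (per the thread and the JA4+ spec)


@dataclass
class Packet:
    from_client: bool
    payload_len: int  # TCP payload length; 0 models a pure ACK


@dataclass
class Ja4sshTracker:
    """State for one SSH connection; reset after every emitted fingerprint."""
    client_lens: Counter = field(default_factory=Counter)
    server_lens: Counter = field(default_factory=Counter)
    client_pkts: int = 0
    server_pkts: int = 0
    client_acks: int = 0
    server_acks: int = 0
    seen: int = 0

    @staticmethod
    def _mode(lens: Counter) -> int:
        # Assumption: ties broken by first-seen length (Counter keeps insertion order); 0 if empty.
        return lens.most_common(1)[0][0] if lens else 0

    def fingerprint(self) -> str:
        return (f"c{self._mode(self.client_lens)}s{self._mode(self.server_lens)}"
                f"_c{self.client_pkts}s{self.server_pkts}"
                f"_c{self.client_acks}s{self.server_acks}")

    def reset(self) -> None:
        self.client_lens.clear()
        self.server_lens.clear()
        self.client_pkts = self.server_pkts = 0
        self.client_acks = self.server_acks = 0
        self.seen = 0

    def observe(self, pkt: Packet) -> Optional[str]:
        """Account for one packet; return a fingerprint when the interval completes."""
        if pkt.from_client:
            self.client_pkts += 1
            if pkt.payload_len == 0:
                self.client_acks += 1
            else:
                self.client_lens[pkt.payload_len] += 1
        else:
            self.server_pkts += 1
            if pkt.payload_len == 0:
                self.server_acks += 1
            else:
                self.server_lens[pkt.payload_len] += 1
        self.seen += 1
        if self.seen == INTERVAL:
            fp = self.fingerprint()
            self.reset()
            return fp
        return None

    def flush(self) -> Optional[str]:
        """Emit whatever partial interval remains at session close."""
        if self.seen == 0:
            return None
        fp = self.fingerprint()
        self.reset()
        return fp


def fingerprint_stream(packets: List[Packet]) -> List[Tuple[int, str]]:
    """Return (packets_seen_so_far, fingerprint) for each record a ja4ssh.log would receive."""
    tracker = Ja4sshTracker()
    records: List[Tuple[int, str]] = []
    for i, pkt in enumerate(packets, start=1):
        fp = tracker.observe(pkt)
        if fp is not None:
            records.append((i, fp))
    fp = tracker.flush()
    if fp is not None:
        records.append((len(packets), fp))
    return records


# Constructed stream: 200 packets for one full interval, then 10 more that only flush at close.
SAMPLE_STREAM: List[Packet] = (
    [Packet(True, 36)] * 100 + [Packet(True, 0)] * 20
    + [Packet(False, 80)] * 60 + [Packet(False, 0)] * 20
    + [Packet(True, 48)] * 10
)

if __name__ == "__main__":
    for seen, fp in fingerprint_stream(SAMPLE_STREAM):
        print(f"after {seen} packets: {fp}")
```

The first record is available after packet 200, while the session is still open; the second only appears at close. That is the trade-off in the thread: an ssh.log field written at session end would carry only the final state, whereas the separate log captures each interval as it completes.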

zrobinette12 commented 3 months ago

@john-althouse Ah I see, the old Zeek long connections conundrum. I’d have a use case for both, logging the fingerprint in the existing ssh.log and having the ja4ssh.log but unsure if others would.

Mine is simply a budget issue where I can’t ingest new Zeek logs no matter how much we want immediate detection and response. Adding a single field to an existing log is much more doable.

Perhaps a config option to also log the fingerprint in the ssh.log?