SoftEther VPN JA4S (JA4S=t130200_1302_a56c5b993250) overlaps with a default nginx TLS setup

FoxIO-LLC / ja4

JA4+ is a suite of network fingerprinting standards

https://foxio.io

Other

774 stars 65 forks source link

SoftEther VPN JA4S (JA4S=t130200_1302_a56c5b993250) overlaps with a default nginx TLS setup #93

Open owah opened 2 months ago

owah commented 2 months ago

Hi all,

My nginx version is [nginx 1.24.0-2] (from debian testing) and this is my httpd config: I know that the JA4S depends on the client you use, I used MS Edge (based on chrome). (t13d1516h2_8daaf6152771_02713d6af862)

server {
        listen 443 ssl;

        server_name wildcard-domain;

        root /var/www/html;
        index index.html;

        ssl_certificate /etc/letsencrypt/live/wildcard-domain/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/wildcard-domain/privkey.pem;
}

Edit: It looks like I had accidentally deleted the second part of my comment before submission. The point I wanted to make is that it might not be too handy to have JA4S=t130200_1302_a56c5b993250 featured prominently on the mainpage of the project as belonging to SoftEther VPN, if in fact you get the same JA4S from a standard nginx httpd.

What do you think?

john-althouse commented 2 months ago

JA4+ fingerprints are not meant to be atomic indicators on their own, though sometimes they very much can be, but rather, they are indicators to be used in combination.

For example,

JA4==t13d190900_9dc949149365_97f8aa674fd9

This is GoLang, used by Sliver malware and legit applications.

JA4==t13d190900_9dc949149365_97f8aa674fd9 && 
JA4S==t130200_1301_a56c5b993250

Now that narrows it down to be more likely Sliver malware, but there's still room for false positives.

JA4==t13d190900_9dc949149365_97f8aa674fd9 && 
JA4S==t130200_1301_a56c5b993250 &&
JA4X==000000000000_4f24da86fad6_bf0f0589fc03

Now it's 100% Sliver malware, there would be no false positives with this combination.

That's not the best example because JA4X==000000000000_4f24da86fad6_bf0f0589fc03 is actually a great atomic indicator for Sliver malware, but it gets the point across.

Do you have any suggestions on a good way to make this point clear in the readme?

owah commented 1 month ago

Hi John,

I've been thinking about this problem for quite a while, but I couldn't come up with anything better. I think that the users of JA4+ just have to be made aware explicitly that passing judgement based on a single indicator might not be too prudent.

But what about this.

Description	JA4	# Overlaps
Malware A	abc	1
Malware B	def	0
HTTPd A	abc	1

In essence adding a column mentioning how often a matching JA4+ fingerprint can be found in other rows. It might not look like much but I think users instantly get primed to realize that they need more indicators to have a 'convincing match'.

(Also, I'm working on a project with many thousand unique JA4, JA4S and JA4X fingerprints, I was wondering if I could maybe shoot you an email in regards to that project.)