idaholab / Malcolm

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
https://idaholab.github.io/Malcolm/

integrate JA4 zeek plugin #419

Closed mmguero closed 4 months ago

mmguero commented 9 months ago

integrate JA4.

Not sure if this repo or this repo is the one we should use?

mmguero commented 8 months ago

Also, is this supplementing or replacing JA3?

piercema commented 8 months ago

This will replace JA3. "JA4+ provides a suite of modular network fingerprints that are easy to use and easy to share, replacing the JA3 TLS fingerprinting standard from 2017. These methods are both human and machine readable to facilitate more effective threat-hunting and analysis." Source.

The FoxIO repo is company maintained. We will use this version of the package.

mmguero commented 8 months ago

Good blog post:

https://blog.foxio.io/ja4%2B-network-fingerprinting

mmguero commented 7 months ago

Arkime JA4 fields (will be in v24.04.0 of Malcolm):

[image]

piercema commented 7 months ago

We are waiting for Suricata to also upgrade to JA4. https://github.com/OISF/suricata/pull/10725 will implement JA4. The PR is approved with a few comments and should be incorporated soon. We are pushing the release of this until Suricata is also updated.

piercema commented 6 months ago

It appears that version 8.0 of Suricata will contain the JA4 updates. See https://github.com/OISF/suricata/pull/10856

mmguero commented 4 months ago

Did a quick and dirty test to look at the field values being generated like this:

# List the ja4* field names Malcolm's API reports (dropping the *Cnt count fields), then
# aggregate each one by event.provider (Zeek / Suricata / Arkime) over all time and save
# the result to /tmp/<field>.json. "dc" is assumed to be a docker compose alias/wrapper.
for FIELD in $(dc exec api curl -sSL localhost:5000/mapi/fields | jq | grep ja4 | awk '{print $1}' | sed 's/"//g' | cut -d: -f1 | grep -v Cnt); do \
  dc exec api curl -sSL "localhost:5000/mapi/agg/event.provider,$FIELD?from=1970" | jq > /tmp/"$FIELD".json; \
done

Then examine the .json files in /tmp/
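An added example (not code from the Malcolm project or this thread) that does the "examine the .json files" step for the `ja4` field: it walks a saved aggregation, counts documents and distinct values per provider, and flags values that are not well-formed JA4 TLS-client fingerprints. It assumes the API returns OpenSearch-style nested aggregations (dicts with "buckets" lists carrying "key"/"doc_count" and optional sub-aggregations); the embedded sample is constructed in that shape, and the format check covers only `ja4`, not the other JA4+ types.

```python
import json
import re
import sys
from collections import defaultdict

# JA4 TLS-client shape: t/q, 2-digit TLS version, d/i (SNI present or not), 2-digit
# cipher count, 2-digit extension count, 2-char ALPN, then two 12-hex truncated hashes.
JA4_RE = re.compile(r"^[tq]\d{2}[di]\d{4}[0-9a-z]{2}_[0-9a-f]{12}_[0-9a-f]{12}$")

def walk_buckets(node, path=()):
    """Yield (key_path, doc_count) for each leaf bucket of a nested aggregation (assumed shape)."""
    if not isinstance(node, dict):
        return
    if "buckets" not in node:
        for child in node.values():
            yield from walk_buckets(child, path)
        return
    for bucket in node["buckets"]:
        subaggs = [v for v in bucket.values() if isinstance(v, dict) and "buckets" in v]
        if subaggs:
            for sub in subaggs:
                yield from walk_buckets(sub, path + (bucket["key"],))
        else:
            yield path + (bucket["key"],), bucket.get("doc_count", 0)

def summarise(agg):
    """Return ({provider: {"docs": n, "values": k}}, [(provider, malformed_value), ...])."""
    per_provider = defaultdict(lambda: {"docs": 0, "values": 0})
    malformed = []
    for path, count in walk_buckets(agg):
        if len(path) < 2:  # provider bucket without a ja4 sub-aggregation
            continue
        provider, value = path[0], str(path[-1])
        per_provider[provider]["docs"] += count
        per_provider[provider]["values"] += 1
        if not JA4_RE.match(value):
            malformed.append((provider, value))
    return dict(per_provider), malformed

# Constructed sample in the assumed response shape (not captured from a real Malcolm instance).
SAMPLE = {"fields": ["event.provider", "ja4"], "values": {"buckets": [
    {"key": "zeek", "doc_count": 3, "ja4": {"buckets": [
        {"key": "t13d1516h2_8daaf6152771_e5627efa2ab1", "doc_count": 2},
        {"key": "t12d1311h2_a49c1b5d3ffa_f6b4f1a9e2c3", "doc_count": 1}]}},
    {"key": "suricata", "doc_count": 1, "ja4": {"buckets": [
        {"key": "t13d1516h2_8daaf6152771_e5627efa2ab1", "doc_count": 1}]}},
    {"key": "arkime", "doc_count": 1, "ja4": {"buckets": [
        {"key": "not-a-ja4", "doc_count": 1}]}}]}}

if __name__ == "__main__":  # pass /tmp/ja4.json from the loop above, or run on SAMPLE
    print(summarise(json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE))
```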