John Althouse
Hello! Hopefully I can help out here. 1. Yes, Salesforce has basically EOL'd JA3 as stated at the top of their ja3 repo. However, it's still built into most tools...
Yes, you can download the JA4 binaries as described here: https://github.com/FoxIO-LLC/ja4/blob/main/README.md#binaries and feed it pcap from here: https://github.com/FoxIO-LLC/ja4/tree/main/pcap. Use option -j to output the logs in json format. I'm working...
Great call out! DTLS sends a normal TLS client hello packet over UDP so this is very easy to fingerprint with JA4. I've added DTLS support to the JA4 spec...
@zrobinette12 great question. I'm open to thoughts on this. The reason was that JA4SSH will generate a new log line every 200 ssh packets. For immediate detection and response purposes,...
@zrobinette12 did you find a solution or are you still looking for that config option?
@IvanNardi JA4 DTLS support has been added to Zeek, Wireshark, and is coming to Arkime soon.
JA4+ fingerprints are not meant to be atomic indicators on their own, though sometimes they very much can be, but rather, they are indicators to be used in combination. For...
@owah take a look at the ja4db and load that data into Splunk or Elastic or something. When loaded into a log/data management tool, it's easy to zoom in on...
@fwilliamhe Yes, Chrome will have a slightly different JA4 based on if padding is there, which can happen under a couple different circumstances. As well as if pre_shared_key is there...
@fwilliamhe Please see the ja4db.com. @776998428 Please see the JA4 module for nginx. Closing this out.