JA4+ Fingerprinting


I noticed Suricata and Arkime implemented JA4+ fingerprinting

JA4+ stands for JA4/S/H/L/X/SSH,

JA4+ provides a suite of modular network fingerprints that are easy to use and easy to share, replacing the JA3 TLS fingerprinting standard from 2017. These methods are both human and machine readable to facilitate more effective threat-hunting and analysis. The use-cases for these fingerprints include scanning for threat actors, malware detection, session hijacking prevention, compliance automation, location tracking, DDoS detection, grouping of threat actors, reverse shell detection, and many more.

JA3 fingerprinting has been disabled in IPFire Suricata 5 and 6 for a while

Quoted from

JA3 should be able to be used with Suricata-7 which has been merged into next and should end up in CU185 presuming no issues found with version 7.

Presuming JA4 works using the same encryption software as JA3 then that should also work. Has JA4 been released into suricata-7?

Found this link
https://redmine.openinfosecfoundation.org/issues/6379

Which suggests JA4 will be available in suricata-8.


Thanks for the update, interesting discussion about all the licensing considerations

Yes, I was just reading the licensing bit myself.

If it is non-GPL or cannot be provided for commercial use, that might block it from IPFire.

We can’t end up with rulesets that can be used by private individuals but are not allowed to be used by commercial organisations that use IPFire.


Been reading a bit more and, as well as the licensing issues, there also appears to be an issue with regard to Lua scripts where the following comment is made.

This hits an issue the Suricata community has been dealing with re: Lua scripts. If a given rule can’t work out of the box everywhere, it won’t make it into shared signature collections like ET OPEN or ET PRO. This won’t work until it can be a plugin delivered with rules (A huge engineering task), or the licensing changes.

So this suggests it might not even make it into Suricata!

Will just have to wait and see…
