Project

General

Profile

Actions

Feature #6379

closed

JA4 support for TLS and QUIC

Added by Sascha Steinbiss about 1 year ago. Updated 6 months ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:
C, Needs Suricata-Verify test, Rust

Description

JA4+ is out (see https://blog.foxio.io/ja4-network-fingerprinting-9376fe9ca637 and https://github.com/FoxIO-LLC/ja4). Similar to JA3, we should include the fingerprints in the EVE output for TLS and QUIC and also provide it in a buffer for detection.

A good approach would be to implement JA4 (the TLS client fingerprint) first and decide whether the others in the JA4+ suite can be implemented in Suricata due to licensing/patents.


Subtasks 1 (0 open1 closed)

Feature #7010: JA4 support for TLS and QUIC (7.0.x backport)ClosedJeff LucovskyActions
Actions

Also available in: Atom PDF