-
Notifications
You must be signed in to change notification settings - Fork 125
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Address new JA4 hashes #834
Comments
I would be careful with deprecating JA3 in OCSF. Is JA3 only no longer supported for SSH? Reason I ask - I recently ran into a couple of webapps that are using JA3 for their APIs, so it may still be a valid attribute under other scenarios beyond SSH. |
Yes we can have both JA3 and JA4 together for years and eventually when it is not longer relevant remove JA3. |
I also feel like we should preempt future JA versions so that we don't have to continue deprecating as new versions come out. What do y'all think of making just a generic JA object w/the version number specified. |
@rickmode proposed this new object be made to support JA4 and the unique values it contains. Thoughts ?
|
@zschmerber @rickmode Continuing the discussion from the slack thread, this looks good. 1 thing to note though, the nested ja4_sections need not be called ja4_sections. It adds the redundancy - ja4.ja4_sections. It can simply be called sections instead. |
If we take the new object route, what is proposed for a With that all said, now that we have abundant info on how ja4 is constructed, we could either:
|
I support the second approach @mikeradka. |
So with the ja4_sections changed to just sections it would look like this:
|
I think ja4 as a name is fine, considering the specific nature of it. On the point raised by @mikeradka - my concern is if do not have real world logs/events to ensure our modeling of ja4 in OCSF is sufficient and we release it in v1.1 we’ll have to risk a potential breaking change down the road to retrofit the object with real world usage, which is unnecessary. I reckon, if there’s no strong need to release the object today, we can get it into OCSF but not release it with 1.1. We can wait, revise if necessary & release the object in a future version. |
To gather where we landed:
If anything was missed or needs extra clarification on the derived path, please feel free to add to this thread. |
Wouldn't this create an entry in the global data dictionary called Looking at other OCSF object fields, it does look like an object's fields are not part of the overall data dictionary, so this object can (and should) use |
Two points:
I feel this new object should be JA4 specific. Indeed it should be called "JA4+ Network Fingerprint", which is the name the creators gave it. The field in the data dictionary can then be See also: https://github.com/FoxIO-LLC/ja4 |
Hello! Hopefully I can help out here.
Let me know if you have any questions. |
@john-althouse this is super helpful thanks! Also do you know where we can find some example logs with JA4+ so we can start mapping the Object into the Schema? |
Yes, you can download the JA4 binaries as described here: https://github.com/FoxIO-LLC/ja4/blob/main/README.md#binaries I'm working on the Zeek scripts but it's going to be a few weeks. |
Per @zschmerber
Looks like JA3 is static, with JA4 coming out how do we want to accommodate the new fingerprints? https://blog.foxio.io/ja4-network-fingerprinting-9376fe9ca637
.In the network sync we discussed creating a new generic JA*/JA*S fingerprint object to eventually replace the JA3 fingerprint object. This object would have a type identifier specifying the version (JA3 or JA4). The version could potentially go into the
algorithm/algorithm_id
field as @zschmerber suggestedJA4 — TLS Client JA4S — TLS Server Response JA4H — HTTP Client JA4L — Light Distance/Location JA4X — X509 TLS Certificate JA4SSH — SSH Traffic
Or we could add a type/type_id field to this new JA*/JA*S fingerprint object.
The text was updated successfully, but these errors were encountered: