Add JA4+ Network Traffic Fingerprints #1082
@zschmerber @mikeradka @pagbabian-splunk we have had many discussions about this in the past, please let me know what y'all think.
@Aniak5 I think Component enum makes sense. component_id will be sorta strange as the enums will be as 1=a 2=b 3=c 4=d
@Aniak5 @zschmerber I think we should flatten it a bit. I favor adding ja4_component_a (string) ja4_component_b (string) and so on, as that would be a simpler approach for analyst use cases. With the current approach we would be adding an array of
@floydtree I am not sure flattening would work as there are currently 9 types of Ja4+ hash: This would mean ja4H_component_a, ja4Server_component_a...... would have to exist.
I think calling it
No, @zschmerber that's not what I meant. The type of JA4 is anyhow represented by the type_id enum in the ja4_fingerprint object. All I am saying is, the component/section values themselves can be stored in the flattened fields (I leave the naming to you, no strong preference there) in the ja4_fingerprint object. Each object is anyhow coupled with one ja4 type. Perhaps better to discuss this in a call.
@Aniak5 thoughts on this new format? @mikeradka @floydtree @rickmode and I like this format.
Great suggestion, I like that a lot! Will make these changes.
Signed-off-by: Ania Kacewicz <ania.kacewicz@gmail.com>
…eric Signed-off-by: Ania Kacewicz <ania.kacewicz@gmail.com>
… object Signed-off-by: Ania Kacewicz <ania.kacewicz@gmail.com>
Looks good
looks good, thanks!
Related Issue:
#834
Description of changes:
ja4_fingerprint objects.
ja4_fingerprint_list as a list of ja4_fingerprint objects.
ja4_fingerprint_list to base network event class.
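
The two shapes debated in the conversation above, as an added example that is not code from this PR or from the OCSF schema: a JA4+ string is split on underscores into sections a to d and emitted once as an array of component objects and once as flattened fields, with the analyst lookup each shape requires. Assumptions: the `components` and `value` field names, the placeholder `type_id`, the limit of four sections, and the constructed sample string; only `type_id`, `component_id`, `ja4_component_a` and `ja4_component_b` are names taken from the thread.

```python
SECTION_NAMES = "abcd"  # the thread numbers the components 1=a 2=b 3=c 4=d

# Constructed sample in a four-section a_b_c_d shape; not a real fingerprint.
SAMPLE = "ge11cn20enus_aaaaaaaaaaaa_bbbbbbbbbbbb_cccccccccccc"
SAMPLE_TYPE_ID = 99  # placeholder; the real type_id enum values are not on the page


def split_sections(value):
    """Split a JA4+ string into its underscore-separated sections."""
    parts = value.split("_")
    if len(parts) > len(SECTION_NAMES) or not all(parts):
        raise ValueError(f"unexpected JA4+ layout: {value!r}")
    return parts


def as_component_array(type_id, value):
    """Shape 1: an array of component objects keyed by a component_id enum."""
    components = [{"component_id": i, "value": part}
                  for i, part in enumerate(split_sections(value), start=1)]
    return {"type_id": type_id, "value": value, "components": components}


def as_flattened(type_id, value):
    """Shape 2: one string field per section on the fingerprint object."""
    obj = {"type_id": type_id, "value": value}
    for name, part in zip(SECTION_NAMES, split_sections(value)):
        obj[f"ja4_component_{name}"] = part
    return obj


def array_has(obj, component_id, wanted):
    """Analyst lookup against shape 1: scan the array for the enum value."""
    return any(c["component_id"] == component_id and c["value"] == wanted
               for c in obj["components"])


def flat_has(obj, name, wanted):
    """Analyst lookup against shape 2: a direct field comparison."""
    return obj.get(f"ja4_component_{name}") == wanted


if __name__ == "__main__":
    print(as_component_array(SAMPLE_TYPE_ID, SAMPLE))
    print(as_flattened(SAMPLE_TYPE_ID, SAMPLE))
```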