Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add JA4+ Network Traffic Fingerprints #1082

Merged
merged 9 commits into from
May 17, 2024
Merged

Add JA4+ Network Traffic Fingerprints #1082

merged 9 commits into from
May 17, 2024

Conversation

Aniak5
Copy link
Contributor

@Aniak5 Aniak5 commented May 10, 2024
edited
Loading

Related Issue:

#834

Description of changes:

  • Added ja4_fingerprint objects.
  • Added ja4_fingerprint_list as a list of ja4_fingerprint objects.
  • Added ja4_fingerprint_list to base network event class.
image image

@Aniak5 Aniak5 self-assigned this May 10, 2024
@Aniak5 Aniak5 added the network_activity Issues related to Network Activity Category label May 10, 2024
@Aniak5
Copy link
Contributor Author

Aniak5 commented May 10, 2024

@zschmerber @mikeradka @pagbabian-splunk we have had many discussions about this in the past, please let me know what y'all think.

@zschmerber
Copy link
Contributor

Do we want to add a way to represent the a,b,c and d sections in the OCSF
image

https://blog.foxio.io/ja4+-network-fingerprinting

@Aniak5
Copy link
Contributor Author

Aniak5 commented May 15, 2024

Do we want to add a way to represent the a,b,c and d sections in the OCSF image

https://blog.foxio.io/ja4+-network-fingerprinting

I was wary of adding a, b, c, d to the dictionary... We could add a component_id and define those there as enums. What do you think?

@mikeradka mikeradka added enhancement New feature or request non_breaking Non Breaking, backwards compatible changes v1.3.0 Changes marked for v1.3.0 of OCSF labels May 15, 2024
@zschmerber
Copy link
Contributor

@Aniak5 I think Component enum makes sense. component_id will be a sorta strange as the enums will be as 1=a 2=b 3=c 4=d

@floydtree
Copy link
Contributor

@Aniak5 @zschmerber I think we should flatten it a bit. I favor adding ja4_component_a (string) ja4_component_b (string) and so on, as that would be simpler approach for analyst usecases. With the current approach we would be adding an array of ja4_component objects, which then would necessitate an analyst to first deal with array of objects, which is not ideal and then lookup an enum within those object just to know which component they are dealing with. I feel this complicates a simple lookup usecase.

@zschmerber
Copy link
Contributor

@floydtree I am not sure flattening would work as there are currently 9 types of Ja4+ hash:
image

This would mean ja4H_component_a, ja4Server_component_a...... would have to exist.
unless you are saying the ja4H_component_a is just a name for a and we should have 4 objects to represent that?

@zschmerber
Copy link
Contributor

zschmerber commented May 15, 2024
edited
Loading

#834

I thinks calling it sections makes more sense and it seems to be what the creators call the peaces of JA4. I also like just a,b,c,d but not sure how it affects the dictionary. @rickmode any thoughts on this ?

{
   "type_id": <enum for different JA4 fingerprints>,  // required
   "type": <string form of enum>,                     // optional
   "value": <string -- the actual fingerprint>,       // required
   "section": {                                  // optional -- split on underscore (_) and put in object
      "a": <string>, // a section of JA4
      "b": <string>, // b section of JA4
      "c": <string>, // c section of JA4
      "d": <string>, // d section of JA4
   }
}

@floydtree
Copy link
Contributor

floydtree commented May 15, 2024
edited
Loading

No, @zschmerber that's not what I meant. The type of JA4 is anyhow represented by the type_id enum in the ja4_fingerprint object. All I am saying is, the component/section values themselves can be stored in the flattened fields ( I leave the naming to you, no strong preference there) in the ja4_fingerprint object. Each object is anyhow coupled with one ja4 type.

Perhaps better to discuss this in a call.

@zschmerber
Copy link
Contributor

zschmerber commented May 15, 2024
edited
Loading 

{
   "type_id": <enum for different JA4 fingerprints>,  // required
   "type": <string form of enum>,                     // optional
   "value": <string -- the actual fingerprint>,       // required
   "section_a": <string>, // a section of JA4,      // optional
   "section_b": <string>, // b section of JA4,     // optional
   "section_c": <string>, // c section of JA4,     // optional
   "section_d": <string>, // d section of JA4,    // optional
}

@Aniak5 thoughts on this new format? @mikeradka @floydtree @rickmode and I like this format.

@Aniak5
Copy link
Contributor Author

Aniak5 commented May 15, 2024 

{
   "type_id": <enum for different JA4 fingerprints>,  // required
   "type": <string form of enum>,                     // optional
   "value": <string -- the actual fingerprint>,       // required
   "section_a": <string>, // a section of JA4,      // optional
   "section_b": <string>, // b section of JA4,     // optional
   "section_c": <string>, // c section of JA4,     // optional
   "section_d": <string>, // d section of JA4,    // optional
}

@Aniak5 thoughts on this new format? @mikeradka @floydtree @rickmode and I like this format.

Great suggestion, I like that a lot! Will make these changes.

@Aniak5
Add ja4+ component object
4541071 
Signed-off-by: Ania Kacewicz <ania.kacewicz@gmail.com>
@Aniak5
Add ja4+ fingerprint object
5d24910 
Signed-off-by: Ania Kacewicz <ania.kacewicz@gmail.com>
@Aniak5
Add ja4+ fingerprint list, ja4+ component list and make component gen…
3b45ccd 
…eric

Signed-off-by: Ania Kacewicz <ania.kacewicz@gmail.com>
@Aniak5
Make component specific w/in filesystem event class
207a5dc 
Signed-off-by: Ania Kacewicz <ania.kacewicz@gmail.com>
@Aniak5
Add ja4+ fingerprint list object to base network class
a0dc36d 
Signed-off-by: Ania Kacewicz <ania.kacewicz@gmail.com>
@Aniak5
Add ja4+ additions to changelog
8fd3907 
Signed-off-by: Ania Kacewicz <ania.kacewicz@gmail.com>
@Aniak5
Remove unused dictionary attribute
73fa09b 
Signed-off-by: Ania Kacewicz <ania.kacewicz@gmail.com>
@Aniak5
Change group to context instead of primary
5211605 
Signed-off-by: Ania Kacewicz <ania.kacewicz@gmail.com>
@Aniak5
Add 'section_a/b/c/d' attributes to dictionary and to ja4 fingerprint…
6c00052 
… object

Signed-off-by: Ania Kacewicz <ania.kacewicz@gmail.com>
mikeradka
mikeradka approved these changes May 16, 2024
View reviewed changes
Copy link
Contributor

@mikeradka mikeradka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good

floydtree
floydtree approved these changes May 16, 2024
View reviewed changes
Copy link
Contributor

@floydtree floydtree left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good, thanks!

@pagbabian-splunk pagbabian-splunk merged commit fea283d into ocsf:main May 17, 2024
2 checks passed
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pagbabian-splunk pagbabian-splunk pagbabian-splunk left review comments

@zschmerber zschmerber zschmerber approved these changes

@floydtree floydtree floydtree approved these changes

@mikeradka mikeradka mikeradka approved these changes

Assignees

@Aniak5 Aniak5

Labels
enhancement New feature or request network_activity Issues related to Network Activity Category non_breaking Non Breaking, backwards compatible changes v1.3.0 Changes marked for v1.3.0 of OCSF
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Aniak5 @zschmerber @floydtree @pagbabian-splunk @mikeradka