Yes, integrating the JA4+ ideas into argus would be very simple … as many of the techniques have been in Argus for many years now.
We have TLS specific processing for keystroke detection, so adding additional TLS protocol metrics would be trivial.
We already have the equivalent of JA4L-[CS], as we have TTL / Hop count numbers, and we have TCP 3-way timing in nSecs. We have physical distance calculations in argus clients for the 3-way handshake derived one-way delay, so we’ve got that covered.
I am interested in JA4X: X509 TLS Certificate Fingerprinting as we don’t have that type of certificate identification yet.
We have the ability to generate JA4SSH in argus clients (no changes to argus), because we have keystroke detection (interactive SSH session) with direction, we have packet size reporting (including frequency distribution reporting) and all the TCP window size (max, min, current) metrics that are in the description of this metric … For these, because the argus data has the metrics, you can generate the data and fingerprints from historical flow records …
Licensing of JA4+ seems to be an issue … to generate the fingerprints, we don’t need JA4+ code, but it would make it faster to implement … their use of FoxIO License 1.1 may not work with the Argus Project GPL strategy. They claim that they have patents pending on JA4+ methods, but all of the packet processing needed to generate the fingerprints, except JA4X, has been in Argus for over 15 years now, so it will be interesting to see if they get the patents in the US …
We can generate the fingerprints without JA4+ software … if that is an issue, then my vote is to not implement JA4+ technology in Argus, but describe how to get the same forensics results without the actual fingerprints …
Carter
… On Aug 15, 2024, at 10:38 AM, dataolle ***@***.***> wrote:
Hi.
Are there any plans for JA4+ fingerprinting support in openargus?
I see other projects like nfdump and zeek getting support for this and was thinking this might be really useful for all sorts of things.
For more info on JA4+ see https://github.com/FoxIO-LLC/ja4/
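Carter's point that JA4SSH can be rebuilt from per-packet direction and payload-size data, as an added example that is not Argus or FoxIO code. It follows the published JA4SSH layout, c{client payload mode}s{server payload mode}_c{client data packets}s{server data packets}_c{client ACK-only}s{server ACK-only}, emitted once per 200 TCP packets; the reading that the four counts partition each 200-packet window comes from the published example value c36s36_c51s80_c69s0, whose counts sum to 200. The Pkt record, the tie-break rule for the mode, taking the mode over payload-bearing packets only, and emitting a trailing partial window at session end are assumptions of this example; the two sample sessions are constructed, not captured traffic. It assumes ordered per-packet records, which an aggregated flow record's size distribution alone does not give you, so window boundaries may not be recoverable from historical summaries.

```python
"""JA4SSH-style fingerprint from directional per-packet records (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import List

WINDOW = 200  # JA4SSH emits one fingerprint per 200 TCP packets


@dataclass(frozen=True)
class Pkt:
    # Assumed record shape: direction plus TCP payload length, the two
    # fields Argus-style per-packet reporting would supply.
    from_client: bool
    payload_len: int  # 0 means an ACK-only packet


def _mode(lengths: List[int]) -> int:
    """Most common payload length; ties go to the smaller length (assumption)."""
    if not lengths:
        return 0
    counts = Counter(lengths)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[0][0]


def ja4ssh_window(pkts: List[Pkt]) -> str:
    """Fingerprint one window of packets in the c..s.._c..s.._c..s.. layout."""
    c_data = [p.payload_len for p in pkts if p.from_client and p.payload_len > 0]
    s_data = [p.payload_len for p in pkts if not p.from_client and p.payload_len > 0]
    c_ack = sum(1 for p in pkts if p.from_client and p.payload_len == 0)
    s_ack = sum(1 for p in pkts if not p.from_client and p.payload_len == 0)
    return (f"c{_mode(c_data)}s{_mode(s_data)}"
            f"_c{len(c_data)}s{len(s_data)}"
            f"_c{c_ack}s{s_ack}")


def ja4ssh(pkts: List[Pkt], window: int = WINDOW) -> List[str]:
    """One fingerprint per full window, plus the trailing partial window (assumption)."""
    return [ja4ssh_window(pkts[i:i + window]) for i in range(0, len(pkts), window)]


def interactive_sample(n: int = 200) -> List[Pkt]:
    """Constructed keystroke-style session: 36-byte client packet, 36-byte echo, client ACK."""
    pattern = [Pkt(True, 36), Pkt(False, 36), Pkt(True, 0)]
    pkts: List[Pkt] = []
    while len(pkts) < n:
        pkts.extend(pattern)
    return pkts[:n]


def bulk_sample(n: int = 200) -> List[Pkt]:
    """Constructed bulk-download phase: two full server segments per client ACK."""
    pattern = [Pkt(False, 1448), Pkt(False, 1448), Pkt(True, 0)]
    pkts: List[Pkt] = []
    while len(pkts) < n:
        pkts.extend(pattern)
    return pkts[:n]


if __name__ == "__main__":
    # Interactive then bulk: the fingerprint changes with the session's behaviour.
    for fp in ja4ssh(interactive_sample() + bulk_sample()):
        print(fp)
```

The interactive window yields a small client payload mode with roughly balanced data and ACK counts, the bulk window a large server payload mode with no client data packets; that contrast is the behavioural signal JA4SSH is meant to expose, and it is derivable from size-and-direction metrics without any JA4+ code.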