JA4 and DTLS #101

Closed
IvanNardi opened this issue May 5, 2024 · 2 comments
Labels
enhancement New feature or request

Comments
@IvanNardi

Is the JA4 algorithm supposed to work with DTLS traffic too?
I am asking because:

  1. I didn't find any reference at all to DTLS in this repository
  2. Wireshark doesn't calculate the JA4 fingerprint for DTLS sessions, but nDPI does

AFAIK, it should work out of the box, with only some minor changes to handle the DTLS version numbers

@john-althouse john-althouse self-assigned this May 8, 2024
@john-althouse john-althouse added the enhancement New feature or request label May 8, 2024
@john-althouse
Collaborator

john-althouse commented May 8, 2024

Great call out! DTLS sends a normal TLS client hello packet over UDP so this is very easy to fingerprint with JA4.

I've added DTLS support to the JA4 spec here: https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md

We'll start working on updating all the packages to add said support.

This update has no impact on existing JA4 fingerprints - it only adds support for DTLS.

@john-althouse
Collaborator

@IvanNardi JA4 DTLS support has been added to Zeek, Wireshark, and is coming to Arkime soon.
