-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Extend TLS inspector to capture JA3n and JA4 #35739
Comments
cc @ggreenway |
PRs welcome for adding this! |
@ggreenway Should we add a new field called JA3/JA4 could be set as an ENUM:
We'll also have to change the access loggers accordingly. I see that we have For gRPC [See This], we can use |
@envoyproxy/api-shepherds can help with how to structure the config. If you're going to use an enum, I think having a default value of I'd also be fine with just adding more booleans for |
Minor clarification JA3s (server fingerprinting) is different from JA3n (what we want). JA3n just sorts the Client Hello SSL Extensions. |
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions. |
This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions. |
Title: Extend TLS inspector to capture JA3n and JA4
Description:
This issue 3 years ago requested the JA3 feature. JA3 is no longer effective and gets permuted after Chrome 110 making it ineffective. Also JA4 has now been released. JA4 is a much more effective way of identifying malicious activity than IP address.
See the original issue for a detailed motivation for this.
[optional Relevant Links:]
#16622
https://github.com/FoxIO-LLC/ja4
net4people/bbs#220
https://security.stackexchange.com/questions/273101/why-the-ja3-hash-changed-everytime-refresh-the-webpage
The text was updated successfully, but these errors were encountered: