JA4 for TLS and QUIC -- v9 #10579

satta · 2024-03-04T23:41:38Z

Previous PR: #10341

Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/6379

Changes to previous PR:

Rebase against current master.
Removed raw JA4 plans from documentation.
Use ja4.ciphersuites.len() instead of separate counter.
Added comments for the reasoning behind some tests.
Removed stowaway #define carried over from older code.
Moved JA4_HEX_LEN into separate header to be used in detect and output code.
Reduce number of includes in JA4 detection implementation.
Do not allocate an empty JA3 hash when JA3 is disabled.
Restructure some code for better readability.
Pull out earlier feature tracking initialization into separate commit.
Change commit message prefix.
Moved JA3/4 enabled check into separate functions to improve readability.
Address overflow in ALPN extension parser code.

SV_BRANCH=pr/1682

This gives app layer code a chance to access feature information.

codecov · 2024-03-05T00:02:06Z

Codecov Report

Attention: Patch coverage is 83.37029% with 75 lines in your changes are missing coverage. Please review.

Project coverage is 82.62%. Comparing base (c6c1eac) to head (9c6d91e).
Report is 30 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #10579      +/-   ##
==========================================
- Coverage   82.67%   82.62%   -0.05%     
==========================================
  Files         922      927       +5     
  Lines      246969   247803     +834     
==========================================
+ Hits       204179   204753     +574     
- Misses      42790    43050     +260

Flag	Coverage Δ
fuzzcorpus	`64.08% <63.27%> (+0.03%)`	⬆️
suricata-verify	`61.82% <83.14%> (+0.10%)`	⬆️
unittests	`62.16% <42.57%> (-0.05%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Ticket: OISF#6379

satta · 2024-03-07T08:20:53Z

Added back the ticket reference in the commit message.

doc/userguide/rules/ja4-keywords.rst

catenacyber

Thanks for the work Sascha :-)

CI : needs a rebase to fix the small conflict
Code : doing now
Commits segmentation : nice
Commit messages : ok for me
Git ID set : looks fine for me
CLA : you already contributed :-)
Doc update : Ok
Redmine ticket : ok
Rustfmt : ok for ja4.rs
Tests : Left remarks there
Dependencies added: none

src/detect-tls-ja3-hash.c

rust/src/ja4.rs

rust/src/quic/frames.rs

catenacyber · 2024-03-12T21:21:48Z

Compiling with --disable-ja4, I get "ja4": "", in my eve.json for quic and I do not want them

satta · 2024-03-24T17:48:04Z

Compiling with --disable-ja4, I get "ja4": "", in my eve.json for quic and I do not want them

True, I just addressed this and also double-checked that for JA3.

satta · 2024-03-26T09:36:56Z

New PR: #10725

satta added 2 commits March 4, 2024 19:29

suricata: initialize feature tracking earlier

c6a1c7f

This gives app layer code a chance to access feature information.

ja3: make feature compile time configurable

0de66e7

satta requested review from catenacyber, jasonish, jufajardini, victorjulien and a team as code owners March 4, 2024 23:41

satta mentioned this pull request Mar 4, 2024

JA4 for TLS and QUIC -- v8 #10341

Closed

ja4: implement for TLS and QUIC

9c6d91e

Ticket: OISF#6379

satta force-pushed the 6379-ja4-v9 branch from 829d4c4 to 9c6d91e Compare March 7, 2024 08:20

catenacyber added the needs rebase Needs rebase to master label Mar 12, 2024