This package adds JA4+ fingerprints to the respective protocol logs in Zeek.
JA4SSH will output to its own log.
JA4 → ssl.log
JA4S → ssl.log
JA4H → http.log
JA4L → conn.log
JA4LS → conn.log
JA4T → conn.log
JA4TS → conn.log
JA4SSH → ja4ssh.log
JA4X → x509.log
(still in development)
See https://github.com/FoxIO-LLC/ja4 for more detail on JA4+ and implementations into other open source tools.
Run the following command on your Zeek nodes:
zkg install zeek/foxio/ja4
If you don't have the zeek package manager, copy this directory to zeek/share/zeek/site/ja4plus and add this line to either load.zeek or local.zeek in zeek/share/zeek/site/:
@load ja4plus
Zeek 5+ is supported.
Zeek 6+ is required for QUIC support.
Individual JA4+ methods can be enabled or disabled in config.zeek.
The raw (non-hashed) output for JA4+ methods can also be enabled in config.zeek.
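A post-install check, as an added example that is not part of the ja4 package: it reads a Zeek TSV log and reports which JA4+ columns from the list above are present and how many rows carry a value. The column names (lowercase method names such as ja4 and ja4s) and the sample log are assumptions constructed here.

```python
# Added example (not part of the ja4 package): check JA4+ columns in a Zeek TSV log.
import io
import os
import sys

# Log mapping is from the list on this page. The column names are an
# ASSUMPTION: the lowercase method name (ja4, ja4s, ...).
EXPECTED = {
    "ssl.log": ["ja4", "ja4s"],
    "http.log": ["ja4h"],
    "conn.log": ["ja4l", "ja4ls", "ja4t", "ja4ts"],
    "ja4ssh.log": ["ja4ssh"],
    "x509.log": ["ja4x"],
}

def check_log(name, stream):
    """Map each expected column to its populated-row count, or None if absent."""
    fields, blanks = [], {"-", "(empty)", ""}
    counts = {col: None for col in EXPECTED[name]}
    for line in stream:
        parts = line.rstrip("\n").split("\t")
        if parts[0].startswith("#"):
            if parts[0] == "#fields":
                fields = parts[1:]
                counts = {c: (0 if c in fields else None) for c in counts}
            elif parts[0] in ("#unset_field", "#empty_field") and len(parts) > 1:
                blanks.add(parts[1])  # honour non-default markers
            continue
        row = dict(zip(fields, parts))
        for col in counts:
            if counts[col] is not None and row.get(col, "-") not in blanks:
                counts[col] += 1
    return counts

# Constructed sample: an ssl.log with a ja4 column but no ja4s column.
SAMPLE_SSL = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#fields\tts\tuid\tserver_name\tja4",
    "#types\ttime\tstring\tstring\tstring",
    "1700000000.0\tCabc1\texample.test\tt13d1516h2_000000000000_111111111111",
    "1700000001.0\tCabc2\t-\t-",
])

if __name__ == "__main__":
    # Pass a log path to check a real file; otherwise the sample is used.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else io.StringIO(SAMPLE_SSL)
    name = os.path.basename(sys.argv[1]) if len(sys.argv) > 1 else "ssl.log"
    print(check_log(name, src))
```

None means the column is missing from the log header and 0 means it exists but no row had a value; either result for a method you expect is a cue to confirm the package loaded and the method is enabled in config.zeek.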
See License FAQ for details.