This will add JA4+ fingerprints to their respective protocol Zeek logs.
JA4SSH will output to its own log.
JA4 → ssl.log
JA4S → ssl.log
JA4H → http.log
JA4L → conn.log
JA4LS → conn.log
JA4T → conn.log
JA4TS → conn.log
JA4SSH → ja4ssh.log
JA4D → ja4d.log
JA4D6 → ja4d.log (awaiting Zeek DHCPv6 support)
JA4X → x509.log (awaiting Zeek object support)
See the JA4+ project for more detail on JA4+ and implementations into other open source tools.
Run the following command on your Zeek nodes:
zkg install zeek/foxio/ja4
If you don't have the Zeek package manager, copy this directory to zeek/share/zeek/site/ja4 and add this line to either __load__.zeek or local.zeek in zeek/share/zeek/site/:
@load ja4
Zeek 5+ is supported.
Zeek 6+ is required for QUIC support.
Individual JA4+ methods can be enabled or disabled in config.zeek.
The raw output for JA4+ methods (non-hashed) can also be enabled in config.zeek.
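One way to confirm the package is loaded on a node is to check the `#fields` header of the TSV logs for the fingerprint columns in the mapping above. This is an added example, not part of the package; the column names (lowercased method names such as `ja4` and `ja4s`) are an assumption, and the sample headers are constructed for illustration.

```python
# Added example: check Zeek TSV log headers for the JA4+ columns mapped above.
# ASSUMPTION: column names are the lowercased method names (not stated on the page).
EXPECTED = {
    "ssl": ["ja4", "ja4s"],
    "http": ["ja4h"],
    "conn": ["ja4l", "ja4ls", "ja4t", "ja4ts"],
}

def parse_header(lines):
    """Return (path, fields) from the '#'-prefixed header of a Zeek TSV log."""
    sep, path, fields = "\t", None, []
    for line in lines:
        if not line.startswith("#"):
            break  # first data row: header is finished
        line = line.rstrip("\r\n")
        if line.startswith("#separator "):
            # Zeek writes the separator escaped, e.g. "\x09" for a tab
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#path" + sep):
            path = line.split(sep, 1)[1]
        elif line.startswith("#fields" + sep):
            fields = line.split(sep)[1:]
    return path, fields

def missing_columns(lines):
    """Return (path, expected JA4+ columns absent from the #fields header)."""
    path, fields = parse_header(lines)
    return path, [c for c in EXPECTED.get(path, []) if c not in fields]

# Constructed sample headers (not captured from a real sensor).
SAMPLE_SSL = [
    "#separator \\x09\n",
    "#path\tssl\n",
    "#fields\tts\tuid\tversion\tja4\tja4s\n",
    "#types\ttime\tstring\tstring\tstring\tstring\n",
    "1700000000.0\tCabc123\tTLSv13\t-\t-\n",
]
SAMPLE_CONN = [
    "#separator \\x09\n",
    "#path\tconn\n",
    "#fields\tts\tuid\tproto\tja4l\tja4t\n",
]

if __name__ == "__main__":
    for sample in (SAMPLE_SSL, SAMPLE_CONN):
        path, missing = missing_columns(sample)
        print(f"{path}.log: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```

`missing_columns` accepts any iterable of lines, so an open log file can be passed directly.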
To create a Zeek release, push a tag that is a pure semantic version (e.g., v1.2.3), with no prefix:
git tag v1.2.3
git push origin v1.2.3
See License FAQ for details.