-
Notifications
You must be signed in to change notification settings - Fork 2
/
ja4l.irule
49 lines (39 loc) · 1.36 KB
/
ja4l.irule
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
###############################################################################################
# iRule to calculate JA4L "light distance"
# See JA4L spec on GitHub for more details
# https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4L.md
#
# Copyright (c) 2024, FoxIO, LLC.
# All rights reserved.
# Licensed under FoxIO License 1.1
# For full license text and more details, see the repo root https://github.com/FoxIO-LLC/ja4
###############################################################################################
when FLOW_INIT {
#Set timestamp for initial received SYN
set ja4l_ts1 [clock clicks]
#log local0. "ja4l_ts1: ${ja4l_ts1}"
}
when CLIENT_ACCEPTED {
#Set timestamp for final received SYN/ACK
set ja4l_ts2 [clock clicks]
#log local0. "ja4l_ts2: ${ja4l_ts2}"
#Calculate time difference - (ts2-ts1)/2
set ja4l_tcp_latency [expr ($ja4l_ts2 - $ja4l_ts1)/2]
# Get IP TTL
set ttl [IP::ttl]
}
when CLIENTSSL_CLIENTHELLO {
set ja4l_ts3 [clock clicks]
}
when CLIENTSSL_HANDSHAKE {
set ja4l_ts4 [clock clicks]
# Calculate "application latency"
set ja4l_app_latency [expr ($ja4l_ts4 - $ja4l_ts3)/2]
# Defone JA4L string
set ja4l "${ja4l_tcp_latency}_${ttl}_${ja4l_app_latency}"
}
when HTTP_REQUEST {
if { [info exists ja4l] } {
HTTP::header insert "X-JA4L" "${ja4l}"
}
}