JA4+: A suite of network fingerprinting standards

network fingerprinting

JA4+ Network Fingerprinting

JA4+ is a suite of network fingerprinting methods that are easy to use and easy to share. These methods are both human and machine-readable to facilitate more effective threat-hunting and analysis. The use-cases for these fingerprints include scanning for threat actors, malware detection, session hijacking prevention, compliance automation, location tracking, DDoS detection, grouping of threat actors, reverse shell detection, and many more.

Please read this blog post for more details: JA4+ Network Fingerprinting

JA4+ support is being added to:
GreyNoise
Hunt
Driftnet
Darksail
Arkime
with more to be announced…

network fingerprinting

JA4+ is a set of simple yet powerful network fingerprints for multiple protocols that are both human and machine readable, facilitating improved threat-hunting and security analysis. If you are unfamiliar with network fingerprinting, I encourage you to read my blogs releasing JA3 here, JARM here, and this excellent blog by Fastly on the State of TLS Fingerprinting which outlines the history of the aforementioned along with their problems. JA4+ brings dedicated support, keeping the methods up-to-date as the industry changes.

All JA4+ fingerprints have an a_b_c format, delimiting the different sections that make up the fingerprint. This allows for hunting and detection utilizing just ab or ac or c only. If one wanted to just do analysis on incoming cookies into their app, they would look at JA4H_c only. This new locality-preserving format facilitates deeper and richer analysis while remaining simple, easy to use, and allowing for extensibility.

For example; GreyNoise is an internet listener that identifies internet scanners and is implementing JA4+ into their product. They have an actor who scans the internet with a constantly changing single TLS cipher. This generates a massive amount of completely different JA3 fingerprints but with JA4, only the b part of the JA4 fingerprint changes, parts a and c remain the same. As such, GreyNoise can track the actor by looking at the JA4_ac fingerprint (joining a+c, dropping b).

Current methods and implementation details:
JA4: TLS Client Fingerprinting
JA4S: TLS Server/Session Fingerprinting
JA4H: HTTP Client Fingerprinting
JA4L: Light Distance Locality
JA4X: X509 TLS Certificate Fingerprinting
JA4SSH: SSH Traffic Fingerprinting
Additional JA4+ methods are in the works…

Download

Copyright (c) 2023 FoxIO