[Request] Integrating JA4 TLS fingerprinting

[zero77]

Is there an existing issue for this?

• I have searched the existing issues.

Describe the solution you'd like

Can you please implement JA4 TLS fingerprinting as it would significantly enhance Sniffnet’s ability to analyze encrypted traffic by exposing behavioral patterns in TLS handshakes even when payloads are encrypted.

This is an existing project that could be used to generate the fingerprints:
https://github.com/biandratti/huginn-net

JSON list of known fingerprints:
curl -s "https://ja4db.com/api/read/" | jq '[.[] | select(.application != null)]'

Main JA4 repository:
https://github.com/FoxIO-LLC/ja4

Is your feature request related to a problem?

No response

[GyulyVGC]

Hey @zero77, thanks for making me aware of these fingerprinting techniques.
I already have a bunch of feature requests for the short-term, but I'll keep this into account for the future, especially since I'm interested in implementing some sort of malicious traffic detection as reported in the project roadmap as one of the long-term goals.

[zero77]

@GyulyVGC Thanks
But JA4 fingerprinting is not just for malicious activity it can be used to identify general traffic and process as well.
It identifies the specific underlying software making a network connection.
Its a fingerprint from the unencrypted Client Hello packet of a TLS handshake.

There's also legitimate software listed in the curl command above.

[GyulyVGC]

Wow, in this case I believe this could also be a game changer for #170.
I mean, instead of using libraries to get PIDs given a socket, which isn't very reliable from my experience...

[GyulyVGC]

Speaking about ClientHello, I'm really interested in extracting the SNI as I said in #944, but I didn't know it could also be used to gather process info 🤔
I'll have to investigate deeper.

[zero77]

I think it might help with a few open issues, but I wouldn't only rely on a JA4 fingerprint because sometimes after big updates, the J A4 fingerprint can change. But looking at the list of known JA4 fingerprints in the curl command, there are quite a lot of legitimate software listed, so it's a good starting point to identify processes.

[GyulyVGC]

Yeah. I think I'll end up using fingerprinting at some point.

I've had a quick look at hugging-net and it seems they require to use their library also to instantiate a packet capture, which I'd like to avoid (ideally I want to stick to the pcap crate). But maybe there's something similar that returns a fingerprint given the bytes of the packet as input (even if maybe less efficient?)

[zero77]

I've not looked into it, but you might be able to pass the raw packet data to the huginn-net library to generate a fingerprint

[GyulyVGC]

From what I'm reading fingerprinting is used more to detect the remote OS and service than the local service / app generating traffic.

But still, I think that these techniques could be a starting point for #944