Hfinger is a Python 3 tool that generates unique, human-readable fingerprints of HTTP requests sent by malware, to aid in their identification and analysis. Built on Tshark, Hfinger extracts distinct features from each request, such as the method, protocol version, header order, payload characteristics and selected header values. These features are encoded and concatenated to form a fingerprint, and several report modes offer different levels of detail and collision resistance.

Hfinger's strength lies in its ability to identify malware families even when individual requests differ slightly, which makes it useful for manual analysis, sandbox systems and SIEMs. Installation requires Python 3.3+ and Tshark 2.2.0+, and the tool can be used both as a command-line utility and as a Python module.

Fingerprints are generated by analysing the request URI, the header structure and the payload, with each feature encoded according to a predefined scheme. Five report modes let users adjust how features are represented in the fingerprint, balancing detail against collision probability. The default mode (2) offers a good balance between information richness and uniqueness, while the other modes prioritise specific aspects such as minimising collisions or maximising entropy. Hfinger also provides verbose logging that flags non-standard request elements, aiding deeper analysis and anomaly detection.
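The extract/encode/concatenate idea and the mode trade-off described above, shown as a small Python example. This is an added illustration, not Hfinger's code: the feature set, abbreviations, entropy threshold and mode numbering are invented for the demonstration and do not reproduce Hfinger's real encoding scheme or output format. The three raw requests are constructed samples, not captured malware traffic. Requests A and B share structure (method, version, header order, URI shape, payload shape) but differ in host, query values, body length and the User-Agent version; request C is a different client. In the low and default modes A and B collide (desired: same family), while the most detailed mode pins the exact User-Agent and splits them.

```python
"""Toy HTTP-request fingerprinter illustrating a feature-based approach.
Added example, not Hfinger's code: the feature set and encoding below are
invented for illustration and do not match Hfinger's real output format."""
import hashlib
import math
from typing import List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed sample requests (not real malware traffic).
REQUEST_A = (
    "POST /gate/report.php?id=1234&v=2 HTTP/1.1\r\n"
    "Host: example-a.invalid\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 11\r\n"
    "\r\n"
    "a=1&b=hello"
)
REQUEST_B = (
    "POST /panel/gate.php?id=99&v=3 HTTP/1.1\r\n"
    "Host: example-b.invalid\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 17\r\n"
    "\r\n"
    "a=22&b=otherthing"
)
REQUEST_C = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example-c.invalid\r\n"
    "Accept: */*\r\n"
    "User-Agent: curl/7.0\r\n"
    "\r\n"
)


def parse_request(raw: str) -> Tuple[str, str, str, List[Tuple[str, str]], bytes]:
    """Split a raw HTTP/1.x request into method, target, version, ordered headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, version.replace("HTTP/", ""), headers, body.encode()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; used to separate text-like bodies from packed/encrypted ones."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def uri_shape(target: str) -> str:
    """Encode URI structure, not its values: directory depth, extension, query key count."""
    parts = urlsplit(target)
    segments = [s for s in parts.path.split("/") if s]
    ext = segments[-1].rsplit(".", 1)[1] if segments and "." in segments[-1] else "-"
    keys = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return f"d{len(segments)}.{ext}.q{len(keys)}"


def payload_shape(body: bytes) -> str:
    """Order of magnitude of body length plus an entropy class (threshold is arbitrary)."""
    if not body:
        return "p0"
    bucket = "lo" if shannon_entropy(body) < 4.0 else "hi"
    return f"p{len(str(len(body)))}{bucket}"


def short_hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()[:8]


def fingerprint(raw: str, mode: int = 2) -> str:
    """Higher mode = more features = more specific fingerprint, fewer collisions."""
    method, target, version, headers, body = parse_request(raw)
    # Header *order* is encoded via initials (host->h, user-agent->ua, ...);
    # values such as Host or Content-Length are deliberately left out.
    order = ",".join("".join(w[0] for w in name.split("-")) for name, _ in headers)
    fields = [method.lower(), version, order]
    if mode >= 1:
        fields.append(uri_shape(target))
    if mode >= 2:
        fields.append(payload_shape(body))
        fields.append("ct:" + dict(headers).get("content-type", "-").split(";")[0])
    if mode >= 3:
        # Most specific: pin the exact User-Agent string via a short hash.
        fields.append("ua:" + short_hash(dict(headers).get("user-agent", "")))
    return "|".join(fields)


if __name__ == "__main__":
    for label, req in (("A", REQUEST_A), ("B", REQUEST_B), ("C", REQUEST_C)):
        for m in (0, 2, 3):
            print(f"{label} mode {m}: {fingerprint(req, m)}")
```

Running the block prints one line per request and mode; A and B produce the same string in modes 0 to 2 and diverge only in mode 3, which is the detail-versus-collision trade-off the report modes expose. The choice of which header values to encode is what decides whether a family with rotating hosts or bumped client versions still maps to one fingerprint.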
kitploit.com
