JA4+ is a suite of network fingerprinting methods that are easy to use and both human- and machine-readable, designed for enhanced threat hunting and analysis. Use cases include malware detection, threat actor identification, session hijacking prevention, and more. JA4+ fingerprints use a distinctive a_b_c format, so each section of a fingerprint can be analyzed on its own, enabling deeper insights. For instance, GreyNoise leverages JA4+ to track actors even when their TLS ciphers keep changing, by focusing on the parts of the fingerprint that stay consistent.

JA4+ supports various protocols, including TLS, HTTP, SSH, and TCP, with methods for both client and server fingerprinting. It is available in Python, Rust, Zeek, C, and as a Wireshark plugin, with growing support in tools like GreyNoise, Zeek, and Arkime. While JA4 (TLS Client Fingerprinting) is open-source under the BSD 3-Clause license, the other JA4+ methods fall under the FoxIO License 1.1, which permits academic and internal business use but requires an OEM license for commercialization.

JA4+ fingerprints evolve as applications update their TLS libraries, typically annually, and address challenges like cipher stunting and extension randomization by prioritizing unique cipher lists and incorporating Signature Algorithms. The project welcomes contributions to its fingerprint database and collaboration with vendors and open-source projects.
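The section-level analysis described above, as an added example (not code from the JA4+ project): it splits JA4 TLS client fingerprints into their a, b and c sections and groups observations by a+c, so a client that keeps changing its cipher list still lands in one cluster. The fingerprints, addresses and function names are constructed for illustration; the layout of the a section follows the published JA4 format.

```python
import re
from collections import defaultdict

# JA4 TLS client fingerprint: readable "a" section, then two 12-hex truncated
# hashes: "b" (cipher list) and "c" (extensions + signature algorithms).
JA4_RE = re.compile(
    r"^(?P<a>(?P<proto>[tq])(?P<ver>[0-9a-z]{2})(?P<sni>[di])"
    r"(?P<n_ciphers>\d{2})(?P<n_ext>\d{2})(?P<alpn>[0-9a-z]{2}))"
    r"_(?P<b>[0-9a-f]{12})_(?P<c>[0-9a-f]{12})$"
)

def parse_ja4(fp):
    """Split a JA4 string into sections and decode the fields of section a."""
    m = JA4_RE.match(fp.strip())
    if not m:
        raise ValueError(f"not a JA4 TLS client fingerprint: {fp!r}")
    d = m.groupdict()
    d["n_ciphers"], d["n_ext"] = int(d["n_ciphers"]), int(d["n_ext"])
    d["ac"] = f"{d['a']}_{d['c']}"   # drop b: stable when only ciphers change
    return d

def cluster_by_ac(observations):
    """Group (source, ja4) pairs by a+c; return clusters whose b section varies."""
    clusters = defaultdict(lambda: {"sources": set(), "b_values": set()})
    skipped = []
    for src, fp in observations:
        try:
            p = parse_ja4(fp)
        except ValueError:
            skipped.append((src, fp))   # keep malformed input for review
            continue
        clusters[p["ac"]]["sources"].add(src)
        clusters[p["ac"]]["b_values"].add(p["b"])
    rotating = {k: v for k, v in clusters.items() if len(v["b_values"]) > 1}
    return rotating, skipped

# Constructed sample data (documentation-range addresses, made-up hashes).
OBSERVATIONS = [
    ("192.0.2.10", "t13i010400_111111111111_abcdefabcdef"),
    ("192.0.2.11", "t13i010400_222222222222_abcdefabcdef"),
    ("198.51.100.7", "t13i010400_333333333333_abcdefabcdef"),
    ("203.0.113.5", "t13d1516h2_0123456789ab_ba9876543210"),
    ("203.0.113.9", "truncated-or-garbage"),
]

if __name__ == "__main__":
    rotating, skipped = cluster_by_ac(OBSERVATIONS)
    for ac, c in rotating.items():
        print(ac, sorted(c["sources"]), f"{len(c['b_values'])} cipher hashes")
    print("skipped:", skipped)
```

A full-fingerprint match would treat the first three sources as three unrelated clients; keyed on a+c they form a single cluster with three distinct cipher hashes.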
kitploit.com
