Remove JA3C/S fingerprints #2551

Open
IvanNardi opened this issue Sep 7, 2024 · 2 comments
@IvanNardi
Collaborator

Since we have support for the new fingerprint JA4, should we remove the oldest version?

@IvanNardi
Collaborator Author

See for example https://suricon.net/wp-content/uploads/2024/12/SuriCon2024-Eric-Leblond_Google-killed-JA3-should-we-be-scared.pdf for an explanation of why JA3C is no longer useful
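Background for the JA3C versus JA4C comparison, as an added example that is not nDPI code and not part of the original thread: JA3 hashes the ClientHello extension list in wire order, while JA4 sorts ciphers and extensions before hashing, so a client that permutes its extensions per connection (as Chrome does) gets a new JA3C every time but a stable JA4C. The sketch assumes TLS over TCP with the version and ALPN supplied by the caller; all ClientHello values are constructed.

```python
import hashlib

# GREASE placeholders (0x0a0a, 0x1a1a, ... 0xfafa) are ignored by both formats.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

def ja3(version, ciphers, exts, groups, point_formats):
    """JA3: MD5 of the decimal fields, each list kept in wire order."""
    fields = ([version], ciphers, exts, groups, point_formats)
    text = ",".join("-".join(str(v) for v in f if v not in GREASE) for f in fields)
    return hashlib.md5(text.encode()).hexdigest()

def sha12(text):
    """First 12 hex characters of SHA-256, as used by JA4."""
    return hashlib.sha256(text.encode()).hexdigest()[:12]

def ja4(ciphers, exts, sig_algs, alpn="h2", tls="13", sni=True):
    """JA4 (TLS over TCP): ciphers and extensions are sorted before hashing."""
    c = [f"{v:04x}" for v in ciphers if v not in GREASE]
    e = [f"{v:04x}" for v in exts if v not in GREASE]
    a = f"t{tls}{'d' if sni else 'i'}{len(c):02d}{len(e):02d}{alpn[0]}{alpn[-1]}"
    # SNI (0000) and ALPN (0010) are counted in part a but left out of the hash.
    hashed = sorted(v for v in e if v not in ("0000", "0010"))
    # Signature algorithms keep their wire order.
    sigs = ",".join(f"{v:04x}" for v in sig_algs if v not in GREASE)
    return f"{a}_{sha12(','.join(sorted(c)))}_{sha12(','.join(hashed) + '_' + sigs)}"

# Constructed ClientHello values (not captured traffic).
CIPHERS = [0x1A1A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F]
EXTS = [0x2A2A, 0x0000, 0x0017, 0xFF01, 0x000A, 0x000B, 0x0023, 0x0010,
        0x0005, 0x000D, 0x0012, 0x0033, 0x002D, 0x002B, 0x001B]
GROUPS = [0x3A3A, 29, 23, 24]
SIG_ALGS = [0x0403, 0x0804, 0x0401, 0x0503, 0x0805, 0x0501, 0x0806, 0x0601]

def compare(permuted_exts):
    """Return (ja3_changed, ja4_changed) when the same client reorders its extensions."""
    ja3_changed = (ja3(771, CIPHERS, permuted_exts, GROUPS, [0])
                   != ja3(771, CIPHERS, EXTS, GROUPS, [0]))
    ja4_changed = (ja4(CIPHERS, permuted_exts, SIG_ALGS)
                   != ja4(CIPHERS, EXTS, SIG_ALGS))
    return ja3_changed, ja4_changed

if __name__ == "__main__":
    print("JA3C:", ja3(771, CIPHERS, EXTS, GROUPS, [0]))
    print("JA4C:", ja4(CIPHERS, EXTS, SIG_ALGS))
    print("(ja3_changed, ja4_changed) after reordering:", compare(EXTS[::-1]))
```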

@IvanNardi
Collaborator Author

The current idea is:

  • remove JA3C: we already have JA4C
  • keep JA3S for the time being: we don't have another server fingerprint right now, and if we create a new one, having that code around will ease the transition from JA3S to the new fingerprint

IvanNardi added a commit to IvanNardi/nDPI that referenced this issue Dec 19, 2024
Show JA4C and JA3S information (instead of JA3C and JA3S)
See ntop#2551 for context
IvanNardi added a commit that referenced this issue Jan 6, 2025
Show JA4C and JA3S information (instead of JA3C and JA3S)
See #2551 for context
IvanNardi added a commit to IvanNardi/nDPI that referenced this issue Jan 11, 2025
Removing JA3C is a big task. Let's start with a simple change having a
huge impact on unit tests: remove printing of JA3C information from
ndpiReader.

This way, when we delete the actual code, the unit test diffs
should be a lot simpler to look at.

Note that the information on whether the client/server cipher is weak or
obsolete is still available via flow risk

See: ntop#2551
IvanNardi added a commit to IvanNardi/nDPI that referenced this issue Jan 12, 2025
Removing JA3C is a big task. Let's start with a simple change having a
huge impact on unit tests: remove printing of JA3C information from
ndpiReader.

This way, when we delete the actual code, the unit test diffs
should be a lot simpler to look at.

Note that the information on whether the client/server cipher is weak or
obsolete is still available via flow risk

See: ntop#2551
IvanNardi added a commit that referenced this issue Jan 12, 2025
Removing JA3C is a big task. Let's start with a simple change having a
huge impact on unit tests: remove printing of JA3C information from
ndpiReader.

This way, when we delete the actual code, the unit test diffs
should be a lot simpler to look at.

Note that the information on whether the client/server cipher is weak or
obsolete is still available via flow risk

See: #2551
IvanNardi added a commit to IvanNardi/nDPI that referenced this issue Jan 13, 2025
It might be useful to be able to match traffic against a list of
suspicious JA4C fingerprints

Use the same code/logic/infrastructure used for JA3C (note that we are
going to remove JA3C...)

See: ntop#2551
IvanNardi added a commit that referenced this issue Jan 14, 2025
…ts (#2678)

It might be useful to be able to match traffic against a list of
suspicious JA4C fingerprints

Use the same code/logic/infrastructure used for JA3C (note that we are
going to remove JA3C...)

See: #2551
IvanNardi added a commit to IvanNardi/nDPI that referenced this issue Jan 14, 2025
Last step of removing JA3C fingerprint

Remove some duplicate tests: testing with ja4c/ja3s disabled is already
performed by `disable_metadata_and_flowrisks` configuration.

Close:ntop#2551
IvanNardi added a commit that referenced this issue Jan 14, 2025
Last step of removing JA3C fingerprint

Remove some duplicate tests: testing with ja4c/ja3s disabled is already
performed by `disable_metadata_and_flowrisks` configuration.

Close:#2551