MISP / MISP

MISP (core software) - Open Source Threat Intelligence and Sharing Platform

Home Page: https://www.misp-project.org/

Add JA4 fields to event attributes

Fekalist opened this issue · comments

Is your feature request related to a problem? Please describe.

JA3 fingerprints are outdated, thus I started gathering JA4 fingerprints, but MISP does not allow adding them.

Describe the solution you'd like

Add JA4 fields.

Describe alternatives you've considered

No response

Additional context

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

+1 I'd like to see all of JA4+ in MISP.

And because MISP is not generating these fingerprints, only consuming them, there are no licensing issues to worry about.

There is a patent claim on the format, as mentioned at https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE. A validator, MISP modules or export won't be possible in any of the MISP code base.

The patent and license are on the generation of JA4+ fingerprints and do not, and by law cannot, apply to consuming or storing fingerprint strings as an object that were generated by outside tooling. Validating fingerprint strings with regex also does not require any license, and patents cannot apply.

For example, Datadog or Splunk or any other tool does not need to worry about patents or licensing to store or share JA4+ fingerprints as an intel object.

There should be no concern about storing or sharing these objects. I'm happy to put together a meeting with an open source legal expert from Yale and UC Berkeley to answer any questions and put to rest any misconceptions that may exist.

Thank you for the feedback and confirmation that the format itself can be considered a Royalty-Free license to describe the JA4+ format in a MISP object template format.

Now, on the technical side, we plan to create a MISP object template which will include the different actual and future JA4+ types. Do you have a preference that we use the Full Name or the Short Name in the MISP object template?

I find that people use the long names to describe the fingerprints at first but once they are familiar with it, they only use the short name. So... Short Name?

We also use the short name on ja4db.com.

Makes no difference for me as long as JA4 prints can be added as attributes in some way.