--- /dev/null
+# JA4 QUIC
+
+This test checks whether the correct JA4 fingerprints are calculated for the
+given pcap, according to the [reference implementation](https://github.com/FoxIO-LLC/ja4).
+
+## PCAP
+
+Pcap was created on developer machine using a short `tcpdump` session:
+```
+tcpdump -w out.pcap -i wlp61s0 'port 443 and udp'
+```
+
+## Result
+
+`q13d0310h3_55b375c5d22e_cd85d2d88918` which means
+
+* `q`: QUIC
+* `13`: TLS 1.3
+* `d`: SNI is set
+* `03`: 3 cipher suites in Client Hello
+* `10`: 10 extensions in Client Hello
+* `h3`: ALPN protocol
+
+and the hashes of the corresponding sorted extension codes.
+
+
+## Reference output:
+
+```
+$ ../ja4/binaries/linux/ja4 tests/ja4-quic/input.pcap
+- stream: 0
+ transport: udp
+ src: 192.168.178.25
+ dst: 142.250.181.201
+ src_port: 51333
+ dst_port: 443
+ tls_server_name: www.blogger.com
+ ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
+- stream: 1
+ transport: udp
+ src: 192.168.178.25
+ dst: 142.251.209.129
+ src_port: 53371
+ dst_port: 443
+ tls_server_name: socpuppet.blogspot.com
+ ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
+- stream: 2
+ transport: udp
+ src: 192.168.178.25
+ dst: 142.250.181.206
+ src_port: 50440
+ dst_port: 443
+ tls_server_name: apis.google.com
+ ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
+- stream: 3
+ transport: udp
+ src: 192.168.178.25
+ dst: 142.250.181.201
+ src_port: 37252
+ dst_port: 443
+ tls_server_name: www.blogger.com
+ ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
+- stream: 4
+ transport: udp
+ src: 192.168.178.25
+ dst: 142.250.181.206
+ src_port: 57334
+ dst_port: 443
+ tls_server_name: apis.google.com
+ ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
+- stream: 5
+ transport: udp
+ src: 192.168.178.25
+ dst: 142.250.185.164
+ src_port: 38677
+ dst_port: 443
+ tls_server_name: www.google.com
+ ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
+- stream: 6
+ transport: udp
+ src: 192.168.178.25
+ dst: 142.250.181.195
+ src_port: 42849
+ dst_port: 443
+ tls_server_name: www.gstatic.com
+ ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
+- stream: 7
+ transport: udp
+ src: 192.168.178.25
+ dst: 142.251.209.131
+ src_port: 32997
+ dst_port: 443
+ tls_server_name: fonts.gstatic.com
+ ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
+- stream: 8
+ transport: udp
+ src: 192.168.178.25
+ dst: 142.250.181.193
+ src_port: 60461
+ dst_port: 443
+ tls_server_name: 4.bp.blogspot.com
+ ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
+- stream: 9
+ transport: udp
+ src: 192.168.178.25
+ dst: 142.250.181.193
+ src_port: 52446
+ dst_port: 443
+ tls_server_name: 1.bp.blogspot.com
+ ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
+- stream: 10
+ transport: udp
+ src: 192.168.178.25
+ dst: 142.250.181.193
+ src_port: 41171
+ dst_port: 443
+ tls_server_name: 2.bp.blogspot.com
+ ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
+```
--- /dev/null
+%YAML 1.1
+---
+
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - quic:
+ ja4: off
--- /dev/null
+requires:
+ min-version: 7.0.6
+ lt-version: 8
+ features:
+ - HAVE_JA4
+
+pcap: ../ja4-quic/input.pcap
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 11
+ match:
+ event_type: quic
+ not-has-key: quic.ja4
--- /dev/null
+# JA4 QUIC
+
+This test checks whether the correct JA4 fingerprints are calculated for the
+given pcap, according to the [reference implementation](https://github.com/FoxIO-LLC/ja4)
+and logged.
+
+## PCAP
+
+Pcap was created on developer machine using a short `tcpdump` session:
+```
+tcpdump -w out.pcap -i wlp61s0 'port 443 and udp'
+```
+
+## Result
+
+`q13d0310h3_55b375c5d22e_cd85d2d88918` which means
+
+* `q`: QUIC
+* `13`: TLS 1.3
+* `d`: SNI is set
+* `03`: 3 cipher suites in Client Hello
+* `10`: 10 extensions in Client Hello
+* `h3`: ALPN protocol
+
+and the hashes of the corresponding sorted extension codes.
+
+
+## Reference output:
+
+```
+$ ../ja4/binaries/linux/ja4 tests/ja4-quic/input.pcap
+- stream: 0
+ transport: udp
+ src: 192.168.178.25
+ dst: 142.250.181.201
+ src_port: 51333
+ dst_port: 443
+ tls_server_name: www.blogger.com
+ ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
+- stream: 1
+ transport: udp
+ src: 192.168.178.25
+ dst: 142.251.209.129
+ src_port: 53371
+ dst_port: 443
+ tls_server_name: socpuppet.blogspot.com
+ ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
+- stream: 2
+ transport: udp
+ src: 192.168.178.25
+ dst: 142.250.181.206
+ src_port: 50440
+ dst_port: 443
+ tls_server_name: apis.google.com
+ ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
+- stream: 3
+ transport: udp
+ src: 192.168.178.25
+ dst: 142.250.181.201
+ src_port: 37252
+ dst_port: 443
+ tls_server_name: www.blogger.com
+ ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
+- stream: 4
+ transport: udp
+ src: 192.168.178.25
+ dst: 142.250.181.206
+ src_port: 57334
+ dst_port: 443
+ tls_server_name: apis.google.com
+ ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
+- stream: 5
+ transport: udp
+ src: 192.168.178.25
+ dst: 142.250.185.164
+ src_port: 38677
+ dst_port: 443
+ tls_server_name: www.google.com
+ ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
+- stream: 6
+ transport: udp
+ src: 192.168.178.25
+ dst: 142.250.181.195
+ src_port: 42849
+ dst_port: 443
+ tls_server_name: www.gstatic.com
+ ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
+- stream: 7
+ transport: udp
+ src: 192.168.178.25
+ dst: 142.251.209.131
+ src_port: 32997
+ dst_port: 443
+ tls_server_name: fonts.gstatic.com
+ ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
+- stream: 8
+ transport: udp
+ src: 192.168.178.25
+ dst: 142.250.181.193
+ src_port: 60461
+ dst_port: 443
+ tls_server_name: 4.bp.blogspot.com
+ ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
+- stream: 9
+ transport: udp
+ src: 192.168.178.25
+ dst: 142.250.181.193
+ src_port: 52446
+ dst_port: 443
+ tls_server_name: 1.bp.blogspot.com
+ ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
+- stream: 10
+ transport: udp
+ src: 192.168.178.25
+ dst: 142.250.181.193
+ src_port: 41171
+ dst_port: 443
+ tls_server_name: 2.bp.blogspot.com
+ ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
+```
--- /dev/null
+%YAML 1.1
+---
+
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - quic:
+ ja4: on
--- /dev/null
+requires:
+ min-version: 7.0.6
+ lt-version: 8
+ features:
+ - HAVE_JA4
+
+pcap: ../ja4-quic/input.pcap
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 11
+ match:
+ event_type: quic
+ has-key: quic.ja4
+ quic.ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
requires:
- min-version: 8.0.0
+ min-version: 8
features:
- HAVE_JA4
--- /dev/null
+%YAML 1.1
+---
+
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - alert
+ - quic:
+ ja4: off
+ - tls:
+ ja4: off
--- /dev/null
+alert quic any any -> any any (msg:"JA4 QUIC Test 1"; requires: feature ja4; ja4.hash; content: "q13d0310h3_55b375c5d22e_cd85d2d88918"; sid:1;)
+alert tls any any -> any any (msg:"JA4 TLS Test 1"; requires: feature ja4; ja4.hash; content: "t13d1516h2_8daaf6152771_e5627efa2ab1"; sid:2;)
+alert quic any any -> any any (msg:"JA4 QUIC Test 2"; requires: feature ja4; ja4.hash; content: "q13d0310h3_55b375c5d22e_cd85d2d88918X"; sid:3;)
+alert tls any any -> any any (msg:"JA4 TLS Test 2"; requires: feature ja4; ja4.hash; content: "t13d1516h2_8daaf6152771_e5627efa2ab1X"; sid:4;)
--- /dev/null
+requires:
+ min-version: 7.0.6
+ lt-version: 8
+ features:
+ - HAVE_JA4
+
+pcap: ../ja4-rules/input.pcap
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ not-has-key: tls.ja4
+ - filter:
+ count: 3
+ match:
+ event_type: quic
+ not-has-key: quic.ja4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ alert.signature: JA4 QUIC Test 1
+ quic.ja4: q13d0310h3_55b375c5d22e_cd85d2d88918
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ alert.signature: JA4 TLS Test 1
+ tls.ja4: t13d1516h2_8daaf6152771_e5627efa2ab1
--- /dev/null
+%YAML 1.1
+---
+
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - alert:
+ - tls:
+ ja4: on
--- /dev/null
+alert quic any any -> any any (msg:"JA4 QUIC Test 1"; requires: feature ja4; ja4.hash; content: "q13d0310h3_55b375c5d22e_cd85d2d88918"; sid:1;)
+alert tls any any -> any any (msg:"JA4 TLS Test 1"; requires: feature ja4; ja4.hash; content: "t13d1516h2_8daaf6152771_e5627efa2ab1"; sid:2;)
+alert quic any any -> any any (msg:"JA4 QUIC Test 2"; requires: feature ja4; ja4.hash; content: "q13d0310h3_55b375c5d22e_cd85d2d88918X"; sid:3;)
+alert tls any any -> any any (msg:"JA4 TLS Test 2"; requires: feature ja4; ja4.hash; content: "t13d1516h2_8daaf6152771_e5627efa2ab1X"; sid:4;)
--- /dev/null
+requires:
+ min-version: 7.0.6
+ lt-version: 8
+ features:
+ - HAVE_JA4
+
+pcap: ../ja4-rules/input.pcap
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ has-key: tls.ja4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ alert.signature: JA4 QUIC Test 1
+ quic.ja4: "q13d0310h3_55b375c5d22e_cd85d2d88918"
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ alert.signature: JA4 TLS Test 1
+ tls.ja4: t13d1516h2_8daaf6152771_e5627efa2ab1
requires:
- min-version: 8.0.0
+ min-version: 7.0.6
files:
- rust/src/ja4.rs
requires:
- min-version: 8.0.0
+ min-version: 7.0.6
pcap: false
features:
- HAVE_JA4
requires:
- min-version: 8.0.0
+ min-version: 7.0.6
script:
- ./src/suricata --build-info | grep "JA4 support" | grep no > /dev/null
args:
- -k none
+ - --set logging.default-log-level=info
checks:
- filter:
requires:
- min-version: 8.0.0
+ min-version: 7.0.6
features:
- HAVE_JA4
args:
- - -k none --set app-layer.protocols.tls.ja4-fingerprints=no
+ - -k none
+ - --set app-layer.protocols.tls.ja4-fingerprints=no
+ - --set logging.default-log-level=info
checks:
- filter:
requires:
- min-version: 8.0.0
+ min-version: 8
features:
- HAVE_JA4
--- /dev/null
+# JA4 TLS
+
+This test checks whether the correct JA4 fingerprints are calculated for the
+given pcap, according to the [reference implementation](https://github.com/FoxIO-LLC/ja4).
+
+## PCAP
+
+Pcap was taken from another TLS Suricata-Verify test.
+
+## Result
+
+`t12i1810s1_27d4652c4487_06a4338d0495` which means
+
+* `t`: TCP
+* `12`: TLS 1.2
+* `i`: SNI not is set
+* `18`: 18 cipher suites in Client Hello
+* `10`: 10 extensions in Client Hello
+* `s1`: ALPN protocol (first and last character of `spdy/3.1` which is the first protocol listed in the extension)
+
+and the hashes of the corresponding sorted extension codes.
+
+
+## Reference output:
+
+```
+$ ../ja4/binaries/linux/ja4 tests/ja4-tls/input.pcap
+- stream: 0
+ transport: tcp
+ src: 192.168.56.1
+ dst: 192.168.56.101
+ src_port: 49365
+ dst_port: 443
+ ja4: t12i1810s1_27d4652c4487_06a4338d0495
+```
--- /dev/null
+requires:
+ min-version: 7.0.6
+ lt-version: 8
+ features:
+ - HAVE_JA4
+
+pcap: ../ja4-tls/input.pcap
+
+args:
+ - -k none --set app-layer.protocols.tls.ja4-fingerprints=yes
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ not-has-key: tls.ja4
requires:
- min-version: 7.0.0
+ min-version: 8
features:
- HAVE_JA4
requires:
- min-version: 7.0.0
+ min-version: 8
features:
- HAVE_JA4
projects / thirdparty / suricata-verify.git / commitdiff
