[fix] JA4L: Handle "impure" TCP flags

Bug report: #22

rust/CHANGELOG.md

@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.15.2] - 2023-11-09
+
+### Fixed
+
+- Ignore extraneous TCP flags when choosing packets for JA4L calculation (#22).
+
 ## [0.15.1] - 2023-10-12
 
 ### Fixed
@@ -25,7 +31,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Add Rust sources of `ja4` and `ja4x` CLI tools.
 
-[unreleased]: https://github.com/FoxIO-LLC/ja4/compare/v0.15.1...HEAD
+[unreleased]: https://github.com/FoxIO-LLC/ja4/compare/v0.15.2...HEAD
+[0.15.2]: https://github.com/FoxIO-LLC/ja4/compare/v0.15.1...v0.15.2
 [0.15.1]: https://github.com/FoxIO-LLC/ja4/compare/v0.15.0...v0.15.1
 [0.15.0]: https://github.com/FoxIO-LLC/ja4/compare/v0.14.0...v0.15.0
 [0.14.0]: https://github.com/FoxIO-LLC/ja4/releases/tag/v0.14.0

rust/Cargo.toml

@@ -3,7 +3,7 @@ members = ["ja4", "ja4x"]
 resolver = "2"
 
 [workspace.package]
-version = "0.15.1"
+version = "0.15.2"
 license = "LicenseRef-FoxIO-Proprietary"
 repository = "https://github.com/FoxIO-LLC/ja4"
 

rust/ja4/src/snapshots/ja4__insta@macos_tcp_flags.pcap.snap

@@ -0,0 +1,16 @@
+---
+source: ja4/src/lib.rs
+expression: output
+---
+- stream: 0
+  transport: tcp
+  src: 172.16.5.16
+  dst: 172.67.24.71
+  src_port: 61311
+  dst_port: 443
+  tls_server_name: venarisecurity.com
+  ja4: t13d2613h2_2802a3db6c62_845d286b0d67
+  ja4s: t130200_1301_234ea6891581
+  ja4l_c: 62_64
+  ja4l_s: 17255_63
+

rust/ja4/src/stream.rs

@@ -12,7 +12,7 @@ use crate::{
     conf::Conf,
     http, ssh,
     time::{self, TcpTimestamps, Timestamps, UdpTimestamps},
-    tls, FormatFlags, Packet, PacketNum, Proto, Result,
+    tls, FormatFlags, Packet, Proto, Result,
 };
 
 /// User-facing record containing data obtained from a TCP or UDP stream.
@@ -375,17 +375,3 @@ impl StreamId2<'_> {
         }
     }
 }
-
-/// A fingerprint that was obtained from a single packet.
-///
-/// `PacketFingerprint` can represent JA4 (TLS client), JA4S (TLS server), or
-/// JA4H (HTTP client) fingerprint. Other types of fingerprints are derived from
-/// multiple packets.
-#[derive(Debug, Serialize)]
-// HACK: Use a configuration parameter to enable serialization of packet numbers.
-#[cfg_attr(not(debug_assertions), serde(transparent))]
-struct PacketFingerprint {
-    #[cfg_attr(not(debug_assertions), serde(skip_serializing), allow(dead_code))]
-    packet: PacketNum,
-    fp: String,
-}

rust/ja4/src/time.rs

@@ -32,7 +32,6 @@ pub(crate) trait Timestamps: Default {
 
 #[derive(Debug)]
 pub(crate) struct PacketTimestamp {
-    #[cfg_attr(not(debug_assertions), allow(dead_code))]
     #[allow(dead_code)]
     packet: PacketNum,
     pub(crate) timestamp: i64,

rust/ja4/src/time/tcp.rs

@@ -207,10 +207,12 @@ impl Timestamp {
 
         let t = || PacketTimestamp::new(pkt);
 
-        Ok(match tcp.first("tcp.flags")? {
-            "0x0002" => Some(Self::Syn((t()?, Ttl::new(pkt)?))),
-            "0x0012" => Some(Self::SynAck((t()?, Ttl::new(pkt)?))),
-            "0x0010" => Some(Self::Ack(t()?)),
+        let ack = tcp.first("tcp.flags.ack")?;
+        let syn = tcp.first("tcp.flags.syn")?;
+        Ok(match (syn, ack) {
+            ("1", "0") => Some(Self::Syn((t()?, Ttl::new(pkt)?))),
+            ("1", "1") => Some(Self::SynAck((t()?, Ttl::new(pkt)?))),
+            ("0", "1") => Some(Self::Ack(t()?)),
             _ => None,
         })
     }