Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 22 changed files with 362 additions and 176 deletions.
44 changes: 44 additions & 0 deletions
...thubusercontent.com/FoxIO-LLC/ja4/df3c067/technical_details/JA4/alpn-extension-value.toml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
target = "https://raw.githubusercontent.com/FoxIO-LLC/ja4/df3c067/technical_details/JA4.md#alpn-extension-value" | ||
|
||
# ### ALPN Extension Value: | ||
# | ||
# The first and last alphanumeric characters of the ALPN (Application-Layer Protocol Negotiation) first value. | ||
# List of possible ALPN Values (scroll down): https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml | ||
# | ||
# In the above example, the first ALPN value is h2 so the first and last characters to use in the fingerprint are “h2”. If the first ALPN listed was http/1.1 then the first and last characters to use in the fingerprint would be “h1”. | ||
# | ||
# In Wireshark this field is located under tls.handshake.extensions_alpn_str | ||
# | ||
# If there is no ALPN extension, no ALPN values, or the first ALPN value is empty, then we print "00" as the value in the fingerprint. If the first ALPN value is only a single character, then that character is treated as both the first and last character. | ||
# | ||
# If the first or last byte of the first ALPN is non-alphanumeric (meaning not `0x30-0x39`, `0x41-0x5A`, or `0x61-0x7A`), then we print the first and last characters of the hex representation of the first ALPN instead. For example: | ||
# * `0xAB` would be printed as "ab" | ||
# * `0xAB 0xCD` would be printed as "ad" | ||
# * `0x30 0xAB` would be printed as "3b" | ||
# * `0x30 0x31 0xAB 0xCD` would be printed as "3d" | ||
# * `0x30 0xAB 0xCD 0x31` would be printed as "01" | ||
# | ||
|
||
[[spec]] | ||
level = "MUST" | ||
quote = ''' | ||
The first and last alphanumeric characters of the ALPN (Application-Layer Protocol Negotiation) first value. | ||
''' | ||
|
||
[[spec]] | ||
level = "MUST" | ||
quote = ''' | ||
If there is no ALPN extension, no ALPN values, or the first ALPN value is empty, then we print "00" as the value in the fingerprint. | ||
''' | ||
|
||
[[spec]] | ||
level = "MUST" | ||
quote = ''' | ||
If the first ALPN value is only a single character, then that character is treated as both the first and last character. | ||
''' | ||
|
||
[[spec]] | ||
level = "MUST" | ||
quote = ''' | ||
If the first or last byte of the first ALPN is non-alphanumeric (meaning not `0x30-0x39`, `0x41-0x5A`, or `0x61-0x7A`), then we print the first and last characters of the hex representation of the first ALPN instead. | ||
''' |
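Review bot: the fourth `[[spec]]` entry ends its quote at "hex representation of the first ALPN instead." and drops the five examples from the comment block above it, which are the only lines that pin down lowercase output (`0xAB` printed as "ab") and that only the first and last bytes are tested (`0x30 0xAB 0xCD 0x31` printed as "01"). As quoted, the MUST would also be satisfied by an implementation that emits "AB" or that falls back to hex whenever any byte is non-alphanumeric. Suggest either adding the example list as its own `[[spec]]` entry or making sure the tests that cite this requirement cover all five cases. The first entry's phrase "first and last alphanumeric characters" has a related problem: read on its own it suggests skipping non-alphanumeric bytes, which the hex rule contradicts, so cite the two entries together wherever the first one is referenced.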
2 changes: 1 addition & 1 deletion
...0.18.2/technical_details/JA4/details.toml → ...f3c067/technical_details/JA4/details.toml
2 changes: 1 addition & 1 deletion
...0.18.2/technical_details/JA4/example.toml → ...f3c067/technical_details/JA4/example.toml
4 changes: 2 additions & 2 deletions
.../technical_details/JA4/ja4-algorithm.toml → .../technical_details/JA4/ja4-algorithm.toml
2 changes: 1 addition & 1 deletion
...ls/JA4/ja4-tls-client-fingerprinting.toml → ...ls/JA4/ja4-tls-client-fingerprinting.toml
2 changes: 1 addition & 1 deletion
...hnical_details/JA4/number-of-ciphers.toml → ...hnical_details/JA4/number-of-ciphers.toml
2 changes: 1 addition & 1 deletion
...cal_details/JA4/number-of-extensions.toml → ...cal_details/JA4/number-of-extensions.toml
19 changes: 19 additions & 0 deletions
.../raw.githubusercontent.com/FoxIO-LLC/ja4/df3c067/technical_details/JA4/quic-and-dtls.toml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
target = "https://raw.githubusercontent.com/FoxIO-LLC/ja4/df3c067/technical_details/JA4.md#quic-and-dtls" | ||
|
||
# ### QUIC and DTLS: | ||
# “q”, "d" or “t”, denotes whether the hello packet is for QUIC, DTLS, or normal TLS. | ||
# | ||
# https://en.wikipedia.org/wiki/QUIC | ||
# QUIC is the protocol which the new HTTP/3 standard utilizes, encapsulating TLS 1.3 into UDP packets. As QUIC was developed by Google, if an organization heavily utilizes Google products, QUIC could make up half of their network traffic, so this is important to capture. | ||
# | ||
# https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security | ||
# DTLS is a version of TLS that can operate over UDP or SCTP. | ||
# | ||
# If the protocol is QUIC then the first character of the fingerprint is “q”, if DTLS it is "d", else it is “t”. | ||
# | ||
|
||
[[spec]] | ||
level = "MUST" | ||
quote = ''' | ||
If the protocol is QUIC then the first character of the fingerprint is “q”, if DTLS it is "d", else it is “t”. | ||
''' |
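Review bot: the single `[[spec]]` entry at the end of this file bundles three outcomes ("q", "d", "t") into one MUST, so one citation cannot show that each branch is exercised; the "d" case is the easiest to miss, given that a `quic.toml` under the v0.18.2 path is deleted in the same commit. Suggest that the tests citing this requirement include a DTLS hello as well as QUIC and plain TLS. Separately, the quote mixes curly quotes (“q”, “t”) with straight quotes ("d"); if the quote is matched textually against the target, confirm it is a byte-for-byte copy of the text at df3c067 rather than retyped.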
2 changes: 1 addition & 1 deletion
...8.2/technical_details/JA4/raw-output.toml → ...067/technical_details/JA4/raw-output.toml
2 changes: 1 addition & 1 deletion
...a4/v0.18.2/technical_details/JA4/sni.toml → ...a4/df3c067/technical_details/JA4/sni.toml
13 changes: 7 additions & 6 deletions
....2/technical_details/JA4/tls-version.toml → ...cal_details/JA4/tls-and-dtls-version.toml
26 changes: 0 additions & 26 deletions
...thubusercontent.com/FoxIO-LLC/ja4/v0.18.2/technical_details/JA4/alpn-extension-value.toml
This file was deleted.
15 changes: 0 additions & 15 deletions
...nce/specs/raw.githubusercontent.com/FoxIO-LLC/ja4/v0.18.2/technical_details/JA4/quic.toml
This file was deleted.
Binary file not shown.