This will add JA4+ fingerprints to respective protocol zeek logs.
JA4SSH will output to it's own log.
JA4 → ssl.log
JA4S → ssl.log
JA4H → http.log
JA4L → conn.log
JA4LS → conn.log
JA4T → conn.log
JA4TS → conn.log
JA4SSH → ja4ssh.log
JA4X → x509.log (still in development)
See JA4+ and implementations into other open source tools for more detail on JA4+ and implementations into other open source tools.
Run the following command on your Zeek nodes:
zkg install zeek/foxio/ja4If you don't have the zeek package manager, copy this directory to zeek/share/zeek/site/ja4 and add this line to either __load__.zeek or local.zeek in zeek/share/zeek/site/:
@load ja4Zeek 5+ is supported.
Zeek 6+ is required for QUIC support.
Individual JA4+ methods can be enabled or disabled in config.zeek.
The raw output for JA4+ methods (non-hashed) can also be enabled in config.zeek
See License FAQ for details.