From 43a4b73d5c4dc5f282939f241d7811830ea4eaba Mon Sep 17 00:00:00 2001 From: Squiblydoo <77356206+Squiblydoo@users.noreply.github.com> Date: Thu, 29 Aug 2024 06:25:35 -0400 Subject: [PATCH 1/3] Update release.yml --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 78004bc..e42cfc9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -47,8 +47,8 @@ jobs: #- { os: ubuntu-latest, target: x86_64-unknown-linux-gnu } #- { os: ubuntu-latest, target: aarch64-unknown-linux-gnu } #- { os: ubuntu-latest, target: aarch64-unknown-linux-musl } - #- { os: macos-latest, target: x86_64-apple-darwin } - #- { os: macos-latest, target: aarch64-apple-darwin } + - { os: macos-latest, target: x86_64-apple-darwin } + - { os: macos-latest, target: aarch64-apple-darwin } #- { os: macos-latest, target: universal-apple-darwin } steps: From e31f96aac8770237f062eaa38ca50ec4f8926d99 Mon Sep 17 00:00:00 2001 From: Squiblydoo <77356206+Squiblydoo@users.noreply.github.com> Date: Mon, 2 Sep 2024 11:42:35 -0400 Subject: [PATCH 2/3] Fix empty cookie hash for Zeek Added if statement to identify when the cookie in the Ja4h were empty when being parsed with Zeek --- zeek/ja4h/main.zeek | 64 ++++++++++++++++++++++++++------------------- 1 file changed, 37 insertions(+), 27 deletions(-) diff --git a/zeek/ja4h/main.zeek b/zeek/ja4h/main.zeek index 678bad8..b47fc58 100644 --- a/zeek/ja4h/main.zeek +++ b/zeek/ja4h/main.zeek 
@@ -185,35 +185,45 @@ function get_ja4h_d(c: connection): string { event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) { - #print(c$fp$http_client); - - if (!is_orig || !c?$fp || !c$fp?$http_client ) { return; } - - local ja4h_a = get_ja4h_a(c); - local ja4h_b_o = FINGERPRINT::vector_of_str_to_str(c$fp$http_client$header_names_o); - local ja4h_b_r = FINGERPRINT::vector_of_str_to_str(c$fp$http_client$header_names); - local ja4h_b = FINGERPRINT::sha256_12(ja4h_b_r); - local ja4h_c_o = FINGERPRINT::vector_of_str_to_str(c$fp$http_client$cookie_names); - local ja4h_c_r = get_ja4h_c(c); - local ja4h_c = FINGERPRINT::sha256_12(ja4h_c_r); - local ja4h_d_o = FINGERPRINT::vector_of_str_to_str(c$fp$http_client$cookie_values); - local ja4h_d_r = get_ja4h_d(c); - local ja4h_d = FINGERPRINT::sha256_12(ja4h_d_r); - local delim = FINGERPRINT::delimiter; - - c$fp$ja4h$uid = c$uid; - - c$fp$ja4h$ja4h = ja4h_a + delim + ja4h_b + delim + ja4h_c + delim + ja4h_d; - c$fp$ja4h$ja4h_r = ja4h_a + delim + ja4h_b_r + delim + ja4h_c_r + delim + ja4h_d_r; - c$fp$ja4h$ja4h_ro = ja4h_a + delim + ja4h_b_o + delim + ja4h_c_o + delim + ja4h_d_o; - - c$http$ja4h = c$fp$ja4h$ja4h; - @if(FINGERPRINT::JA4H_raw) + #print(c$fp$http_client); + + if (!is_orig || !c?$fp || !c$fp?$http_client ) { return; } + + local ja4h_a = get_ja4h_a(c); + local ja4h_b_o = FINGERPRINT::vector_of_str_to_str(c$fp$http_client$header_names_o); + local ja4h_b_r = FINGERPRINT::vector_of_str_to_str(c$fp$http_client$header_names); + local ja4h_b = FINGERPRINT::sha256_12(ja4h_b_r); + local ja4h_c_o = FINGERPRINT::vector_of_str_to_str(c$fp$http_client$cookie_names); + local ja4h_c_r = get_ja4h_c(c); + local ja4h_c: string; + if (ja4h_c_r == "") { + ja4h_c = "000000000000"; + } else { + ja4h_c = FINGERPRINT::sha256_12(ja4h_c_r); + } + local ja4h_d_o = FINGERPRINT::vector_of_str_to_str(c$fp$http_client$cookie_values); + local ja4h_d_r = get_ja4h_d(c); + local ja4h_d: string; + if (ja4h_d_r == "") { + ja4h_d 
= "000000000000"; + } else { + ja4h_d = FINGERPRINT::sha256_12(ja4h_d_r); + } + local delim = FINGERPRINT::delimiter; + + c$fp$ja4h$uid = c$uid; + + c$fp$ja4h$ja4h = ja4h_a + delim + ja4h_b + delim + ja4h_c + delim + ja4h_d; + c$fp$ja4h$ja4h_r = ja4h_a + delim + ja4h_b_r + delim + ja4h_c_r + delim + ja4h_d_r; + c$fp$ja4h$ja4h_ro = ja4h_a + delim + ja4h_b_o + delim + ja4h_c_o + delim + ja4h_d_o; + + c$http$ja4h = c$fp$ja4h$ja4h; + @if(FINGERPRINT::JA4H_raw) c$http$ja4h_r = c$fp$ja4h$ja4h_r; c$http$ja4h_ro = c$fp$ja4h$ja4h_ro; - @endif - + @endif + - #Log::write(FINGERPRINT::JA4H::LOG, c$fp$ja4h); + #Log::write(FINGERPRINT::JA4H::LOG, c$fp$ja4h); } \ No newline at end of file From ad3f5368b4df7cd8ba62ac0ecdda018a432e9dc7 Mon Sep 17 00:00:00 2001 From: Squiblydoo <77356206+Squiblydoo@users.noreply.github.com> Date: Mon, 2 Sep 2024 11:45:54 -0400 Subject: [PATCH 3/3] Revert MacOS build for pushing Temporarily reverting my own build script for pushing upstream. --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e42cfc9..78004bc 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -47,8 +47,8 @@ jobs: #- { os: ubuntu-latest, target: x86_64-unknown-linux-gnu } #- { os: ubuntu-latest, target: aarch64-unknown-linux-gnu } #- { os: ubuntu-latest, target: aarch64-unknown-linux-musl } - - { os: macos-latest, target: x86_64-apple-darwin } - - { os: macos-latest, target: aarch64-apple-darwin } + #- { os: macos-latest, target: x86_64-apple-darwin } + #- { os: macos-latest, target: aarch64-apple-darwin } #- { os: macos-latest, target: universal-apple-darwin } steps:
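Review bot: The two new if/else blocks around `ja4h_c` and `ja4h_d` repeat the same empty-string-to-`"000000000000"` substitution, so the placeholder literal and the rule now live in two places; a small helper in this file, called as `local ja4h_c = sha256_12_or_zero(ja4h_c_r);` and `local ja4h_d = sha256_12_or_zero(ja4h_d_r);`, keeps them in step (ja4h_b stays unguarded, which is only right if the header-names section can never be empty — worth a one-line comment at that call). The hunk also deletes and re-adds every line of http_message_done with what appears to be identical wording, presumably an indentation change, which buries the real two-block change in blame; whitespace-only churn is easier to audit as its own commit. Operationally, cookie-less requests previously carried sha256_12 of the empty string in those sections (presumably `e3b0c44298fc`) and now carry zeros, so any stored JA4H values, allow-lists or detection rules derived from earlier output need re-baselining; a comment such as `# JA4H: empty cookie sections are rendered as twelve zeros, not a hash of ""` next to the helper would make that visible to the next reader. The hunk covers the whole event body, from the signature to the closing brace.
```zeek
# Hash a raw JA4H section, or return the all-zero placeholder when the
# section is empty (no cookie names / values on the request).
function sha256_12_or_zero(raw: string): string {
	if ( raw == "" )
		return "000000000000";
	return FINGERPRINT::sha256_12(raw);
}

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) {
	# … unchanged: early return, ja4h_a, ja4h_b_*, ja4h_c_o, ja4h_c_r …
	local ja4h_c = sha256_12_or_zero(ja4h_c_r);
	# … unchanged: ja4h_d_o, ja4h_d_r …
	local ja4h_d = sha256_12_or_zero(ja4h_d_r);
	# … unchanged: delimiter join, c$fp$ja4h / c$http assignments, @if block, closing brace …
```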