From 1544813e8a45b09d5576f139154872ad491d2186 Mon Sep 17 00:00:00 2001 From: "Valeriy V. Vorotyntsev" Date: Thu, 9 Nov 2023 13:57:28 +0200 Subject: [PATCH] [fix] JA4L: Handle "impure" TCP flags Bug report: #22 --- pcap/macos_tcp_flags.pcap | Bin 0 -> 14147 bytes rust/CHANGELOG.md | 9 ++++++++- rust/Cargo.lock | 4 ++-- rust/Cargo.toml | 2 +- .../ja4__insta@macos_tcp_flags.pcap.snap | 16 ++++++++++++++++ rust/ja4/src/stream.rs | 16 +--------------- rust/ja4/src/time.rs | 1 - rust/ja4/src/time/tcp.rs | 10 ++++++---- 8 files changed, 34 insertions(+), 24 deletions(-) create mode 100644 pcap/macos_tcp_flags.pcap create mode 100644 rust/ja4/src/snapshots/ja4__insta@macos_tcp_flags.pcap.snap 
diff --git a/pcap/macos_tcp_flags.pcap b/pcap/macos_tcp_flags.pcap new file mode 100644 index 0000000000000000000000000000000000000000..90ae4952050ac58bcb53de4409d4ecabe9676de7 GIT binary patch literal 14147 zcmdseWmp{AvSs6L!3pl}?wa5b2=49>TtaY{;O?$LgA?2#xI@t3uE7G+opW;TBzf=7 zH}}o2X(&GUx>>7s?b@rVcEfacO%6B!67ci!^aKEa0e?8i*D@kEf(FO~zXw?^_Z3F6 zPpVAt!k#TGKmq^|27L-c_ac>}LZOz6;k-QY25afdO`in57*N&q^fXBg0Dwb6eFTGm zfCdADg?ED>sRKO+3H}%Q`5rVt8u&BF{=)r>;|DrF2we!e4-JG2VgPG7@vaos`UGT{ z%2s*|iK76aL)t=u1Cg1=AwlRsCRmW)cKgr(Q6MVF{_vaqZ@+PW^Lq-2-sXb}3(@cj z7=ge1odqF-5FwAC0WX1mgX}j%aB!Z#5WAoKmxws95Ts4NB4R;+fdhjK_5cCVrWdVL zxV1RJnG==Sc(<{IfCIpS zgn)&F1cQPAhk%8Gg@OWug@y(L2LnI>pnd=Vo&jHo3P1)Rf}69#nmakYVPauq0U!W? zuK}8zMMlqSXutQDyDFLnMCt4~;mPB?@WsEs=?F5p1y$mqA*>W3o^P*6-5}vf{KQecQ4re~s_Ke@Tj~xQV zhh`?7SH5DcI#Jvtpu%DM645#{LDrvyYtDE`{k;ak5nobtEFw6U+l3oyEuF{J_{etf z8;5jRBi;2(f+*6ew+^ZyrDc3?`fQbKyKXI2V$O6b0XYbzG5qiiI3j(m{bV!dFYF)v zpr_s%jdMLZjS9&acG(1W6VIpAI95@uU<@n`$@CuFaraVnQqw0~#o8iJ#xzx?wlHBv zDN4ELN!x08XnppBFxg<3?OMH@eL)-?e0o6yy;Ptj%PM?ZxOlQ*bt)q*2)PP`Pg zQim-QZo}U+_>8sDM*a55mRocBzWg)Crx=-;(BqS^lIT{8*-x9-4cL-TYb!X;CG*)x z^u`XIG@*)nPIM&ENou!Iq8@^4cB&pz(Xf6>Y{@v?#$?nJBrCRui>a1F@8B`l9f=90l@Ch^Bf-5|SdqUOOBW*(zfeiW1nVU` zp2^Kb@wQ*BRfRlhN~zlZuDw9ZLl1oqI6>#x)FPNHj2;-RjdbiwVYU^Lm*UbjOE6zQ z|N0~))F8?e(4$~6$d89rUn6RR^aR;dEetnDPrU*$D)>!^4ZD>SUJqK3XVp~oaUatoFi96O4PuWpEiq|MD;B5e<`8 zlFI_)J57Dk1bFkfX{{6R*)M$}08}lvG_O9g;R%t@)D_){mGDAMo5m^X;n)rJ!4oY3 zPYZcojc)+$7Qp=0{D?MrX}vt+69-Nb*%B>+rDk^8g~W>4CLq>HuJin9|3a-zZH$nl9UyDnEXFw>#JTLvGPT!;V$~v=`hCs}4 zr6S-GU3>8cwXhK?kSIH>LEP{=-pYxylJtHTsd_JpH5Z$%!h**=fev{Tt*bjh=!hp2Jd#;>mgASsSpy@nF+i$3kDiXp6ksHMEj!5L{I# z!>Fi_62BQ46Qr={o2?Ic$<}-`ITM#YWF5Y3afFu8QS4z?CnDhuE4j$}R0KyPR`Vjl z&IZ*miRF+euO)~4I+qfz{C1Iy^nPJ{6}@FX?*lee=%*{nUL1+zW!10UR(lOW-92EU zo#Je4h{K8Nr!d^%XI*8%v^x(^3IT7jxR$sh#$fbnECu_IgiN2roa`;2y$@466L40b zp;%Hl9##?Bd%c%~p8d+wLS`QG6UUW*=xOw(!ClxrZ@ zC7)dQ4-n^O^`C{LRlq!D5JbG3RNuH{7%1#XW%ITPQ@S%e>`weB_aG3hBxd0#*sr`i 
z#4iIE5kGCn#rVWOiLp>mWf#G%kP03FW*4Fk13Nc1IN#GTqvkI5LfPn%LKXJ|(=n0P z<;-U)qu_oI+_jRFcz-HI`AI`csSkVJ1yMKvZcQuQi*~)ZmOQkbJvgHyk%_@jn6E;f z@4oW7mw93hISZI97%fyj>&kOIoNtF1l558 zxMIQGb~kf@Y%AB2e~jVGPkbbhWI!HCuU=C&5gna}nT5CKqX*(FHc9-OV^|0`s8-X^ zUY9l3Xf4*phy>~-`~wOt@`xHqGSxX-Ftm&r4AS z7-mNkV79~NQ_GkU3GIn|n%AK-UBT1+$`Gwbr2j<(li#;q3l*c*dTy48--EK*`+Q?| z)%pDs?xt4;R&nhrN6b9F?ts^PdYD6{GP`Jbkv5k|WH*W0J(qEN0Qp{oKw`~poYl>z z%1kERaoWSeh`zDGy@SGQqzeCW%n?1`Z`F-G(9bN%=1!82XNU~-=2u13Hlb^eZE%(L1@7JB3w4}fwqIYWHZ`Z0rovCf z*ht50(ciu*^?Z~2$=SBy)Wj9sDoHn$aCYguNCuxjIA^G)(Zqxxp8@TQV$lJ48FKe- z5WKk64Sd|Qh!-vES~P|<88r_B3D9MBW14_`sy8hwfAUi zBMYaA=ZfWeHRqjMyaMfdzC(sZS49NLW9E||y+Zq7d)-#_Q_{HnVrP2NsmFfZOHL_q z(bBM4XoRx1K$Mkd*m~Z22k26s_y6BJ=%Ct)qz{NA0XbdzsgU;Mi&9 z1;_Twh~B9BzN7NH8@P&iC%q4y<2fVm-0g(<^WsJ%8xTKWf#Z^XiMf3nju&q~*|}M1 zr$%&+ny@lSY@pVW`@n!NXXV80p;RxZN#N_Y355dq+Ujv zaZuSzgJ&!$i&on?m2ABOma(-YExCU!RQTdmB6oAdZILO%TmuzS(vq0a03vt)t5Ml_ zG@CUzqgDuSKKdMy$V*8XoF?k6Qv3@Uho{Id2?8w@Si5<`k|nr)U`)5(Qn1f6LJ=~F z>iO)VLr~>Wa~sIH^g-LoS@W-k{I@v|0Qhev$ISUkVPiiZRG77Lsh@KmDKv0$ktVi9;FbWc< zRdfM%il zkwSs%uvi(JUz!CiqjlQ1W74zZidQqgPbL@p)D-K;xu=fZZ@eGGPdNnxumN&|><@mu zzxfY;(sl75N(gA^>Hs@dk_Bzx@hroImJFpX2%{x*^j z0J3*vBhrXwM+j3j^QK`kp@81~4rgX)<6uR?1rt+bWIdFj)E11$TcXf*S8WA$;f`y0 z-M6_eF5NTbB?85!B|c!E`<-{X(>}yY5(%n!2t?18CU!|?OU`;^bhY%#J2fDB`ICwf z!&i$ku=D9S(FUm@a88ka{|upBm2O#&2Js%!&vbls_pN^@ruCa{jZU2RJDk)>*69KX z^rla2M;s|s@)la`iAFopcTUVigfh9W`U{G0#rNua2Kr1Y>TBywofnyJM_mcbb{p*y z^G(|ig#8A-S=6qxEXwq-2rk-X450bpPuu%)rgc++bJ@f4bS+J2QBi+}1m`A+^VkSTL_H@;%-8%FT5$?+vKGv9G^I--O=HBgd$|>C*@rq$3gW z9aOVfzZBv!SS=%ii+;CFHLYc^m|+$70bKFP*+y_m+%4-)i5jwa94nX;%Qp7ZmDsuc z`xw(fYr>LY(c0TA;&-4erUvF!05GRO_WKqCT>j3hnP0a!hvMfJx5xjn#Q=c;JdHV- zFNY&Ib8!x#lMiN*6eAO&&&@*PNG{4hp&A`+wo#SKpxjh+rEcq?DXnOBVKRt6o7g@N zsJ}Eg0QvL*=#w|lACUdwll|X5E&k?{*-xM3i2n468&9Cas3|okykc<_by)DSJSVK{ z(km-XwccyT@Aw3YM(}(v@vV2JwGbSJ|FH%>{gZU;iQ-c`4#=Gw4cLEoAv6EuLPq4* zvTh2~mz(thbRh%m3I4h{WEwYcgCIo$Awp{YTf~JQh{FE`Vmt`3s__>@WDp|UzeimB 
zfhhDRVvZRQ@u6b-PsH>RSb!4nng?XRH#6YkR!cvc8T$VMG2aIV@F2_f526cj)yP1# z1^Zk=(h&3foqrryCg#FNs|`2`E4qhpM7#0#YjTmb6I-5!NQy~IZS(xY?bOvMO)5BT zBWx3|8n$8uLMd5ILp)xzl8BMk^f3^bg+Jzw`EG3~6$`1Zg%iZCc2*HQt+U6$ZK5^j zST)mp!sZ*JwnuXVPw6#;Qd()zt}-;?nXx2j63se%K^#)j*jRFL;GpgT-@L_MGqo?( zP*pHAy4#tvFfVn}Xw+$Avxm0I{KF)SwRa&A-p0aaanB7drI%b< zH1~=i>ug78IrjB^`3WLwB9~pa3z;=6bE#T%8id#m0pyC&8Z_Bi#@h1c3bmON-W*KF zh^c_@QxYOgyUJ~@w9VwcZgb)C@LldIYKEB&wJIf-?}wtlYF5+Abe`UyJpABX%c!9bcZ)A)dlr_lCO6kq=Zq zdDM_}`d%{xwFjK3)~#Zs8`ZDJr*I^!6`Jx6h=^~52m9_AEcYpYIc;q@QpJkJnbw5& zjv6>PCGG;{EPUy|PQh=-{J-t1a`G#M&9Q-9(6<6$(fjL0o>UlE&s{)>A{DRz1E6St z?Dw1nC|fQ6I0g8>=Bzn(UvAEioE6pnCuiOM&RGDSlD8&*FQWQblatn)JiV9^WdvI@ zOWK~t>r)V60FY1=NCvY1t0iy(m+(};@Xr!NfJ<-#AwE?8YYD$0f&-NQ*1ntHv=0;% zP9GeYCo9`u5kZ@T$1WYQG@7o#aZ@54t66YqKt|$s-ZdA7W)28TYi9@r ziwcoxzeSYfe(c7Tnb5X4ZrTjKwTt|19yGWXWW$A62X04Ic-E%u_;UXFmiDtb#!6e_ zL(PZhDkNR|M|4uQA*OfWk;Fvv7|-?jDi_STkZo6%^}kEQVSl@a9h;szdOYP(on_lFroWNC~zJ;z5DJMI5qZOt)cWBujcVgC8y_05T|`v7GO{yc==V$_K0CB~ihD32 zJCau_%rwc*mYA+3T@%wNqRCve^UiloM7*^hJL298Ix&3+D&s1d%ZnE+nDXpE)#hw; zBVsjsE2$vO6v3KaU`)^kJHrv?>%7OYyHg_mSJ&GF+4PnT>Xf`I^e_-bW&hXv?jjkNB>cHY^bQc*r~y63a@7=nhM|DShnHijO=wSzICSwpOe!U z&cWR&PNydhAsKtkSI}5#49?&Rs=-Zuk=05VJQgE)`lXbl{S7xZfxZMd$QhtJM)IwWMAo4o9A= zT41TckL9UnDlj5yYlV){LUCRGPMPL+ZE1~95wxi8_Ik*D|#<0Hf55ZB>MANlDfu`E-N*J77zv7@)ydvU+OEV8Ov8)$q0*o!sa_(bLP3tE9~3X{5DAQ-$%Yor>j z+kdn2)`stMwk{L110Ls9cw#8oc>aDCy*|;XG7?AmBAEmjUqom7VbhR8G{Fo_vH2DY zNVB|vnl%rUT#)^t^FvlEAkEUq`&F~7lYi=bo7u0Lb)$f#YxzcV#nK?#u_t(h8s7Xk z#mO(0bNcOj^RbeS)wPp{V8Urc`$Cb`AszVv!=G=b@s+=VN8Ok-su`v>FEM3L8GVlC($gElyTh`NiGL3H^@Yp#xF6cg zsH5NNyPTGcsSQAHo_$AZq`a+i<+{nXlnYwt4sf0S*X5i2hIHqW)HUC`;OaEzc2Nd^|i425|Bu=(0D{$qk%D zFSb?X-Z6!t_1M&lKOM_rj$Ru~9#5!k$9z-`jUKp{6xA0Pj8N?Ndg=|8Aa9OU4Mt2o zU4G|FeHDl)tgkqaagf6mM-%H4n-ME0)$@&=@602xZn$p+a0-t+2Jg4be+L6AZdHIg zNi}OQ3;8aOHuFN@IMk9kkdqGe=-{eBsn2N=#h-`QgpI;qhDe<^4z{HOLhSKVA%E%E z-olITt3EjXtHxP=9>9e*`yFTz=h>bXEDYki6MWwVx7 zH099eB%j$dxg 
zrs^z4>Qv;P&n#xX8^?4EDvFbMm%E`@CG49CUhj9a%EO^WP{IwzCKMV*F-DF)7I_ks z+MbhR=gFFaR%jnxkhyfXI`dFETkF%loV%<;1IQzYf1|4-(E3e3`IWt**O>K7LhAVC zd;6qW%IA=8X$4SgldX683TP2|JJJ!A?7%Cx3uQhJ)M4*Y>8WF}^qSj1>J+{2O)%yY zbyNRp{QA|5w;PfUnwe&Y;8cMobB05TNx=)s=wf^Cj@sMFcvJ@;uR|Nd>2b?L+dp4%HpU$xulZom*dy~1&BExyP5q73$8*LHTZErR{6ma)Ve*(ZV#(J2a@nf+T4Lpo` zKAvx%e4@fe;I#0$NLBf+$$@XvtwLiJq8ricT*H{qNZgk0Wj~85$qDz`igG~EOEGlH zG3|uPyoN zXt1I0FWYQyb>U#!@sdjcIL^xCC0Woq-bYC8I|~BriulA4wXFpojV^9;Dxo3i5O(<3 zi>+ASqoCh|_r&BC z;rGFxr;j(@^6m}bh4x$?m%v_s``NsO@Iv4hKRDZ9#a&%SX^5{Ij#QfiJIbn;Ir*n` zL{)>4&aq(H-xTwZDY{_l{q^NFZZc(SUhoEAyHv-=b?kkB$B9Bt9Zu7$%4K_ zQ5P+lO8OUJN#qA#kgz;V;wPWDs#hkI(k0G&8#elD!-@ieQH8q)(4=|H4=9zsgOQ~* zs!nk{*^Bxr7RYL^x8GoJf5+O^x%YdX**rd2<1wok6N550rUZ6p zDLf*HfH0#nr36hf;yB7io0oNIDc9@HuX?NKhH->5?*aFAP1d;&LexA1z1xBEM>(d< z&gHVv?k?VrrR|iOH(xkHh6Fu>W}+#}NLVBy^k4@JCG^ahhVgfcr$APKQ<2z2qak9tXv$kDj!J zg%1jsDllCCNlkXh0M_LF)Tn=IvKp`^NBvI_9X)`E+bQ*bB4X11+bX~DqsmYHx}}aD zKdU?y@ZRn3Esg)D$~z&)7eawoJDs}iFx(x=1{d27m5ZWbjxymSfcC4(;?2Z=uT@GdO43w|_> z1ysD*+xE@Q?n&k+p%lTbX&x>0Y-Nk8@T<{Kyef#jM$LQWY+2|O9|-qC8v#W}t*Czo zeGk4~Sr_}$R7@HiMMT6f?q|VAvahUWsi$hXu5s#oxS%DG&MZaQ;! 
zD=;Eao|?V7$mg!sv#R}2^zOq{1nJ==mM6>>?m9LY3<)t7K(dAjK|Pa8wU60Lz})#p zBBBy)A}^IrYE*b8JhI&JNF!kOCc1q!S-;*r9oJ?&{zK5j{T^{KS1>k#M*%#nr>ggt zF-aN3{Cf%fX&ego?E$l17j|R(6aUKn{j`uCPZjU+3Qg4NGT!6>o)LRzKnn-_ z*q*k7hullj&(aTj`epqcJoh3n9Ba{CPut_h& zH?fS%b&o21<0E$Zn9n`JOZb5DvK_;fW+N(i6Js|<;W<85zcGU-;?moXZ#j|d2L!qh zLozP{VA%1o<#X=H>BURlt$wC;iF^$BsLjhDfpFM9;%x2ewKFlMO0)mO2J^c2S{ClO z3MW_Bn?LNhgoXZI=9Oka-!nE5rSu^0g<4T&|I488kPIX!Huj{r$(LN6>!se<&)*1r zamZaJa0_oA+-~FhcEuMJuyo#8;8#yj$eBZob+G9j8;s0fO%xzIj&Ivb^^Rx&R<$WF zMIcJ?Mpv9lF~rrX|Jv^RWaZ%cSg{s?v=fR@GMtmiaJBdjD12R zW8TG;auH|T;33=Zh%SOHs_F0hL(9eC94AA$&toVNNg^jGp&d6=1YjH&um|GE>%c{5 zjcXt7cO;R3cf~8Fz&quy-mJ8XRlOSTl>UNj*BW}#qe%?8tr zx`+;?ph3xN994nfFCb1$9`f3O(pJ5ea3Cg#wIr?GTSUl=$>}WAn3zTMcACwWVfd;X zF4;)(HOc|&5c-F3ORFSk|!1cn4fDm!G zk*7n&*yh3g{*K5($L2T+zXw54t?rHPXJJhq`k13zZ#bj*njk1v8ba0&GnT%jU17FQ zTuX5MtyWUy0(K4kgbX}E12;^;fiXFS}Ijl zEag(lvFrW%hlCTMYystWtNr*U!Z$LH#)a6MCk}qr@@KE!_JSqTF*WeU8wl%U-6;81 zGV3FsLJmeN)gSCr-&M0@o9QTC#7$c4;o)qm1FIU8<$Qr~Y^L{WP1Cx^>l|m4!6!?a zvRxzZPvv1H|X0NeM^1UFwdG+u#ET+3BJl;hAvRhQB5^5$w?yX^~<5Y}u$(smw zttk##*3)xk8yk*c<4Hy54|x+`-qz2xZfEkiI{FvD<`Bx!X^=}{YI7IjgJra9DDyG@9jTKt?0#gx^4e*4TNwm^O6HF8U!J6Uw| zprzmL<7cmO3X{3Z4y(WLk5u&pZGs=`nZkunwW> zD<5d@22AJmBGr_O*)wyjuS=}EId|q`<}i4*=@2`I{Yb$suMXU95YTNf`D7!|M_K}P zOIM)URN69ZTwx>&H1Blc>4>>SX`tOI^48g3KWa|VI@haY;R0_{;Ub)^%3cI5G&hJL zL4IBhw6~C~zr%Sdf#AKgc{{|X?kG;4xooW~ z?rOr70_@`hZsQPju*2mSdGjY^Vy=z=Gk)wqwT-Y~*=YR_D#W(nE@8)|wj=wEMR7+~ z3#`lEjHF#f%J1CsYOA6YrvRY^fzs*D3e2CeoG*pwBUnCP+KXi${po+TQ{8)k!)Df&x(`Sn*JcK{+T(St7PNJG}?LC;QBsJCB`4(Ngsd zE+TAdel;q|A>@X?2BqLTB#lOxA;|}4lkj#Y zshEY)fzuX+?|LmM0pIA>849MAlu=x4KZ+;~D<5!iJa6O9HO1MlCT^d0ou4QQ;*xOY zb41Q%f)*#%uhtzH%?K7QYLKLSu{%Cny#9F;ftEv^bi;V;+)M)B-H4MJD#ZA?f}o>I zMl2&pvuJ^u1qliK?**X!-a12ETYUv-ma6@)n&m0@vvtn-*JSde&qCP5yB;#gQzytP zUWVJbz~PF%b7r}BV27^dZ5kN(o(Y4|!B5#FZ(II$vkHS4bxcce|Ev|+U~KY+!MC14 z&|g7^|w&AWI;$3xe zOq7r*-;2qnSe{dawH+}=*;&-s4zwIYnX5sKsEJ*>jDBaW?;n#ZKS&?l-SZ;iS!g%g 
z{(fMx6w-k4|oYORm~i=dV#clmWJDM8mBvN!>+BQ_badBrz0)d3HI1$(FF3 zrj&8SCpxu1v-=i{i#|hU7A$7^v`+5Yjj+FJ65nKn8kh8=IU<_liRe^y={5FfgWhbV zA$O4ZSujR~`(+nxt(!?~6@WwVI?^^Gm_i?|HHGEP`B`m!Zudv7LXvGuo)QE)0pER9+POxD1XtM*++gpLvs! zTVs#=nwRh=cGQgq4*b<+r}VSo>5l=5HD9up_s*&;d=B)c_g9b0oneqCqMDK86;f+A z=X1Y^IV7MFm0ehS2kkl$p7Fn*^1IS6>chhi5N}TH8zCRnFhI?9E529^wl7m3rWSQosRoFdUZAE zmdC1v&tdn==8&Bb|9Q6dZPbPIZiw`nvL}}f40=0_;`>k4LJm(NG_!(bde-=OYygK< z@*H$ms+X4CRE1Tk@)*H8_CnR(_?=oEo0NMW8H_@7Iz=sD@y|Fi)TYkf<4q+fwlmVl zihe!YFeldn6HnjAaLx26mJ4&z;t|3Pe++0!jU*6o?~E!NDHzz(=A1ab*4rqF19yCd z)qWt0k5y|oW;TKqJZ*g4Dd+^!1ZJQn7ywT;$bQ!Z;Cql;AWhIj|5X!w06#SW!}r%d z=Ep!v>XbEMG!Lqwt literal 0 HcmV?d00001 diff --git a/rust/CHANGELOG.md b/rust/CHANGELOG.md index 377006c..9e78763 100644 --- a/rust/CHANGELOG.md +++ b/rust/CHANGELOG.md @@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [0.15.2] - 2023-11-09 + +### Fixed + +- Ignore extraneous TCP flags when choosing packets for JA4L calculation (#22). + ## [0.15.1] - 2023-10-12 ### Fixed @@ -25,7 +31,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Add Rust sources of `ja4` and `ja4x` CLI tools. -[unreleased]: https://github.com/FoxIO-LLC/ja4/compare/v0.15.1...HEAD +[unreleased]: https://github.com/FoxIO-LLC/ja4/compare/v0.15.2...HEAD +[0.15.2]: https://github.com/FoxIO-LLC/ja4/compare/v0.15.1...v0.15.2 [0.15.1]: https://github.com/FoxIO-LLC/ja4/compare/v0.15.0...v0.15.1 [0.15.0]: https://github.com/FoxIO-LLC/ja4/compare/v0.14.0...v0.15.0 [0.14.0]: https://github.com/FoxIO-LLC/ja4/releases/tag/v0.14.0 diff --git a/rust/Cargo.lock b/rust/Cargo.lock index 7cdef65..f83069b 100644 --- a/rust/Cargo.lock +++ b/rust/Cargo.lock @@ -531,7 +531,7 @@ checksum = "af150ab688ff2122fcef229be89cb50dd66af9e01a4ff320cc137eecc9bacc38" [[package]] name = "ja4" -version = "0.15.1" +version = "0.15.2" dependencies = [ "clap", "color-eyre", 
@@ -559,7 +559,7 @@ dependencies = [ [[package]] name = "ja4x" -version = "0.15.1" +version = "0.15.2" dependencies = [ "clap", "color-eyre", diff --git a/rust/Cargo.toml b/rust/Cargo.toml index 8961c10..fa4659e 100644 --- a/rust/Cargo.toml +++ b/rust/Cargo.toml @@ -3,7 +3,7 @@ members = ["ja4", "ja4x"] resolver = "2" [workspace.package] -version = "0.15.1" +version = "0.15.2" license = "LicenseRef-FoxIO-Proprietary" repository = "https://github.com/FoxIO-LLC/ja4" diff --git a/rust/ja4/src/snapshots/ja4__insta@macos_tcp_flags.pcap.snap b/rust/ja4/src/snapshots/ja4__insta@macos_tcp_flags.pcap.snap new file mode 100644 index 0000000..825abe4 --- /dev/null +++ b/rust/ja4/src/snapshots/ja4__insta@macos_tcp_flags.pcap.snap @@ -0,0 +1,16 @@ +--- +source: ja4/src/lib.rs +expression: output +--- +- stream: 0 + transport: tcp + src: 172.16.5.16 + dst: 172.67.24.71 + src_port: 61311 + dst_port: 443 + tls_server_name: venarisecurity.com + ja4: t13d2613h2_2802a3db6c62_845d286b0d67 + ja4s: t130200_1301_234ea6891581 + ja4l_c: 62_64 + ja4l_s: 17255_63 + diff --git a/rust/ja4/src/stream.rs b/rust/ja4/src/stream.rs index 1b4bc0f..ec67373 100644 --- a/rust/ja4/src/stream.rs +++ b/rust/ja4/src/stream.rs @@ -12,7 +12,7 @@ use crate::{ conf::Conf, http, ssh, time::{self, TcpTimestamps, Timestamps, UdpTimestamps}, - tls, FormatFlags, Packet, PacketNum, Proto, Result, + tls, FormatFlags, Packet, Proto, Result, }; /// User-facing record containing data obtained from a TCP or UDP stream. 
@@ -375,17 +375,3 @@ impl StreamId2<'_> { } } } - -/// A fingerprint that was obtained from a single packet. -/// -/// `PacketFingerprint` can represent JA4 (TLS client), JA4S (TLS server), or -/// JA4H (HTTP client) fingerprint. Other types of fingerprints are derived from -/// multiple packets. -#[derive(Debug, Serialize)] -// HACK: Use a configuration parameter to enable serialization of packet numbers. -#[cfg_attr(not(debug_assertions), serde(transparent))] -struct PacketFingerprint { - #[cfg_attr(not(debug_assertions), serde(skip_serializing), allow(dead_code))] - packet: PacketNum, - fp: String, -} diff --git a/rust/ja4/src/time.rs b/rust/ja4/src/time.rs index 4987bfc..df70e31 100644 --- a/rust/ja4/src/time.rs +++ b/rust/ja4/src/time.rs @@ -32,7 +32,6 @@ pub(crate) trait Timestamps: Default { #[derive(Debug)] pub(crate) struct PacketTimestamp { - #[cfg_attr(not(debug_assertions), allow(dead_code))] #[allow(dead_code)] packet: PacketNum, pub(crate) timestamp: i64, diff --git a/rust/ja4/src/time/tcp.rs b/rust/ja4/src/time/tcp.rs index 9dcfc7d..5f8d908 100644 --- a/rust/ja4/src/time/tcp.rs +++ b/rust/ja4/src/time/tcp.rs @@ -207,10 +207,12 @@ impl Timestamp { let t = || PacketTimestamp::new(pkt); - Ok(match tcp.first("tcp.flags")? { - "0x0002" => Some(Self::Syn((t()?, Ttl::new(pkt)?))), - "0x0012" => Some(Self::SynAck((t()?, Ttl::new(pkt)?))), - "0x0010" => Some(Self::Ack(t()?)), + let ack = tcp.first("tcp.flags.ack")?; + let syn = tcp.first("tcp.flags.syn")?; + Ok(match (syn, ack) { + ("1", "0") => Some(Self::Syn((t()?, Ttl::new(pkt)?))), + ("1", "1") => Some(Self::SynAck((t()?, Ttl::new(pkt)?))), + ("0", "1") => Some(Self::Ack(t()?)), _ => None, }) }
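Review bot: Matching `tcp.flags.syn`/`tcp.flags.ack` against the literal strings "1" and "0" means any other rendering of these boolean fields (a different tshark version could conceivably print them as true/false text) falls into the `_ => None` arm, so every handshake packet would be silently skipped and JA4L would simply be missing instead of an error being reported. Consider normalizing each field through a small helper that maps "1"/"0" to a bool and returns an error for any other value, then matching on the bool pair, so that `_ => None` only covers genuinely non-handshake flag combinations. The bit-level check also deserves a comment saying why the whole `tcp.flags` value is no longer compared, e.g. `// Test the SYN and ACK bits individually: some stacks (see #22) set extra flag bits on handshake segments, and comparing the full tcp.flags value excluded those packets from JA4L.` Note that any ACK-without-SYN segment, including RST/ACK or FIN/ACK, now yields `Self::Ack`; presumably the caller only takes the first one after the SYN-ACK, but that is worth confirming. The enclosing function's signature lies above the hunk.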