From e508973dd7d45b99ec6d7b085752b8ba9c8212f7 Mon Sep 17 00:00:00 2001 From: Timothy Noel Date: Wed, 24 Jan 2024 21:20:35 -0500 Subject: [PATCH 1/2] fix for #56 --- python/ja4.py | 13 +++++++------ python/ja4ssh.py | 11 +++++++---- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/python/ja4.py b/python/ja4.py index dbd5189..58a6d9b 100644 --- a/python/ja4.py +++ b/python/ja4.py @@ -507,12 +507,13 @@ def main(): # Added for SSH if 'tcp' in x['protos'] and 'ja4ssh' in output_types: - cache_update(x, 'count', 0, STREAM) - cache_update(x, 'stats', [], STREAM) - entry = get_cache(x)[x['stream']] - update_ssh_entry(entry, x, ssh_sample_count, STREAM) - if 'flags' in x and int(x['flags'], 0) & TCP_FLAGS['FIN'] and int(x['flags'], 0) & TCP_FLAGS['ACK']: - finalize_ja4ssh(x['stream']) + if (int(x['srcport']) == 22) or (int(x['dstport']) == 22): + cache_update(x, 'count', 0, STREAM) + cache_update(x, 'stats', [], STREAM) + entry = get_cache(x)[x['stream']] + update_ssh_entry(entry, x, ssh_sample_count, STREAM) + if 'flags' in x and int(x['flags'], 0) & TCP_FLAGS['FIN'] and int(x['flags'], 0) & TCP_FLAGS['ACK']: + finalize_ja4ssh(x['stream']) # Timestamp recording happens on cache here # This is for TCP diff --git a/python/ja4ssh.py b/python/ja4ssh.py index 7a28d23..ac05edb 100644 --- a/python/ja4ssh.py +++ b/python/ja4ssh.py @@ -42,11 +42,14 @@ def process_extra_parameters(entry, x, direction): ## we return 1 whenever a new stats entry is added based on the sample rate ## This way the caller can print this packet out def update_ssh_entry(entry, x, ssh_sample_count, debug_stream=None): - + if entry['count'] == 0 and len(entry['stats']) == 0: entry['stats'].append(dict(ja4sh_stats)) - entry['count'] += 1 + # Only count SSH PSHACK packets + if 'ssh' in x['protos']: + entry['count'] += 1 + e = entry['stats'][-1] direction = 'client' if entry['src'] == x['src'] else 'server' 
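Review bot: The port-22 gate added around the SSH cache handling in main() hardcodes the port as a magic number and quietly changes what gets fingerprinted: an SSH session on any other port is no longer cached or finalized at all, while non-SSH traffic on port 22 still enters the cache. If the intent is only to skip the cache work for streams that cannot be SSH, name the constant and fold it into the existing condition, e.g. `SSH_PORT = 22` next to TCP_FLAGS and `if 'tcp' in x['protos'] and 'ja4ssh' in output_types and SSH_PORT in (int(x['srcport']), int(x['dstport'])):`, which also removes one indentation level. The `int(x['srcport'])` and `int(x['dstport'])` lookups presumably assume both port fields are always present on a TCP record; if a record can lack them this raises KeyError, so that is worth confirming against the field extraction. main() starts and ends outside the hunk.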
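Review bot: The new comment `# Only count SSH PSHACK packets` does not match the condition below it, which tests only `'ssh' in x['protos']` and never looks at the PSH or ACK flags; either reword it to `# Only count packets the ssh dissector recognised` or add the flag test the comment promises. Gating the counter on ssh packets also interacts with the sampling check visible in the later @@ -71 hunk of this function: a bare ACK that arrives while `entry['count']` is already a multiple of `ssh_sample_count` re-enters `to_ja4ssh(entry)` on each such packet, because the count no longer advances, so a fingerprint is recomputed from a stats entry that holds little more than ack counts. Running the sampling block only for ssh packets, e.g. `if 'ssh' in x['protos'] and (entry['count'] % ssh_sample_count) == 0:`, would keep the sample boundary tied to the packets that were actually counted. update_ssh_entry continues past the end of the hunk.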
@@ -54,8 +57,8 @@ def update_ssh_entry(entry, x, ssh_sample_count, debug_stream=None): e[f'{direction}_payloads'].append(x['len']) e[f'{direction}_packets'] += 1 - # Update ACK count based on direction if the Flag has an ACK - if 'ssh' not in x['protos'] and x['flags_ack']: + # Update ACK count based on direction and Bare Acks + if 'ssh' not in x['protos'] and x['flags'] == '0x0010': e[f'{direction}_acks'] += 1 # Added extra output parameters From 8b5bf4d7f49a4f52dd3e984fff7fa7077673bb92 Mon Sep 17 00:00:00 2001 From: Timothy Noel Date: Wed, 24 Jan 2024 21:22:25 -0500 Subject: [PATCH 2/2] removed unwanted prints --- python/ja4ssh.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/python/ja4ssh.py b/python/ja4ssh.py index ac05edb..ae868b4 100644 --- a/python/ja4ssh.py +++ b/python/ja4ssh.py @@ -71,7 +71,6 @@ def update_ssh_entry(entry, x, ssh_sample_count, debug_stream=None): if (entry['count'] % ssh_sample_count) == 0: to_ja4ssh(entry) if entry['count'] != 0 else None if (entry['count'] / ssh_sample_count) == len(entry['stats']): - print (f'adding new entry at count {entry["count"]}') entry['stats'].append(dict(ja4sh_stats)) if debug_stream and int(x['stream']) == debug_stream: @@ -88,7 +87,6 @@ def update_ssh_entry(entry, x, ssh_sample_count, debug_stream=None): ## def to_ja4ssh(x): idx = len(x['stats']) - print (f'calling ja4ssh with idx = {idx}') e = x['stats'][idx-1] if e['client_payloads'] or e['server_payloads']: mode_client = max(e['client_payloads'], key=e['client_payloads'].count) if e['client_payloads'] else 0
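Review bot: `x['flags'] == '0x0010'` pins the bare-ACK test to one textual rendering of the flags field, whereas the ja4.py hunk in the same patch parses the same field numerically with `int(x['flags'], 0) & TCP_FLAGS['FIN']`; if the flags field were ever rendered with a different width or case (for example `0x010` or `0x00000010`) the ACK count, and with it the JA4SSH value, would change without any error. Comparing numerically, `if 'ssh' not in x['protos'] and int(x['flags'], 0) == 0x10:`, keeps the two files consistent and makes the "ACK and nothing else" intent explicit. The ja4.py hunk also guards its lookup with `'flags' in x`, while this line does not; whether a TCP record can lack the key is not visible here, so it is worth confirming. update_ssh_entry starts and ends outside the hunk.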