JA4 Fingerprint
What is JA4 Fingerprint?
A 2023 successor to JA3, published by John Althouse at FoxIO, that produces structured, human-readable TLS, HTTP, SSH, and TCP fingerprints designed to remain robust as TLS clients evolve and to be paired across protocols.
JA4 (and the JA4+ family: JA4S, JA4H, JA4X, JA4SSH, JA4T, JA4L) is a 2023 evolution of JA3 published by John Althouse at FoxIO. Where JA3 produced an opaque MD5, JA4 produces a structured string with explicit fields and a small truncated hash, so a fingerprint is both human-readable and trivially groupable by partial match. JA4 covers more parts of the handshake (e.g. signature algorithms, ALPN, the TLS version actually negotiated vs. the one offered) and ignores well-known fields that change only for noise reasons, so the resulting fingerprint stays stable across TLS-extension shuffling. JA4S fingerprints the server's response, JA4H fingerprints HTTP requests, JA4X fingerprints X.509 certificate issuers, JA4T fingerprints raw TCP options, JA4L estimates path latency (light distance), and JA4SSH fingerprints SSH client handshakes. The license is BSD-3, and integrations exist in Zeek, Wireshark, Suricata, Cloudflare's edge, and several commercial NDR products. JA4-based detections increasingly replace or complement JA3 in modern threat-hunt content.
● Examples
- 01
An NDR product tags a high-confidence Cobalt Strike beacon by matching its JA4 fingerprint plus a JA4H HTTP header pattern.
- 02
A defender writes a Suricata rule that alerts on any TLS client whose JA4 matches a known Go-`net/http` malware family but whose JA4H differs from the legitimate Go SDK signature.
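To make the "structured string, truncated hash, groupable by partial match" description above and the JA4-plus-JA4H cross-check in example 02 concrete, here is an added example written for this page; it is not FoxIO's reference implementation. The field layout (JA4_a = protocol, TLS version, SNI flag, cipher count, extension count, ALPN; JA4_b = truncated SHA-256 of sorted ciphers; JA4_c = truncated SHA-256 of sorted extensions minus SNI/ALPN plus signature algorithms) follows the public JA4 spec; the ClientHello values, the `correlate` rule format and any JA4H strings passed to it are constructed for illustration, and the family name in the rules is hypothetical.

```python
"""JA4 client fingerprint: build it from ClientHello fields, parse it, and
cross-check it against a JA4H value. Added example, not FoxIO's reference code.
Field layout follows the public JA4 spec; sample handshakes are constructed."""
import hashlib
import random

# All 16 TLS GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. JA4 ignores them.
GREASE = {((0x0A + 0x10 * i) << 8) | (0x0A + 0x10 * i) for i in range(16)}
SNI_EXT, ALPN_EXT = 0x0000, 0x0010


def _hash12(text: str) -> str:
    """First 12 hex chars of SHA-256: JA4 uses a truncated hash, not MD5."""
    return hashlib.sha256(text.encode()).hexdigest()[:12]


def _hexlist(values) -> str:
    return ",".join(f"{v:04x}" for v in values)


def ja4(proto: str, version: str, ciphers, extensions, sigalgs, alpn=None) -> str:
    """Return the JA4 string (JA4_a_JA4_b_JA4_c) for one ClientHello summary.

    proto: 't' for TLS over TCP, 'q' for QUIC. version: '13', '12', ... (the
    highest non-GREASE supported_versions entry, else the legacy version).
    ciphers / extensions / sigalgs: lists of 16-bit IDs in wire order.
    """
    ciphers = [c for c in ciphers if c not in GREASE]
    exts = [e for e in extensions if e not in GREASE]
    sni = "d" if SNI_EXT in exts else "i"                 # d = domain (SNI), i = IP
    alpn_tag = f"{alpn[0]}{alpn[-1]}" if alpn else "00"   # first+last char of first ALPN
    part_a = (f"{proto}{version}{sni}"
              f"{min(len(ciphers), 99):02d}{min(len(exts), 99):02d}{alpn_tag}")
    # JA4_b: ciphers sorted first, so client-side shuffling cannot change the hash.
    part_b = _hash12(_hexlist(sorted(ciphers))) if ciphers else "0" * 12
    # JA4_c: extensions sorted; SNI and ALPN are dropped from the hash (they vary per
    # destination) but still count toward the extension count in JA4_a. Signature
    # algorithms are appended in their original order.
    hashed = sorted(e for e in exts if e not in (SNI_EXT, ALPN_EXT))
    if hashed:
        text = _hexlist(hashed) + (f"_{_hexlist(sigalgs)}" if sigalgs else "")
        part_c = _hash12(text)
    else:
        part_c = "0" * 12
    return f"{part_a}_{part_b}_{part_c}"


def parse_ja4(fp: str) -> dict:
    """Split a JA4 string back into its human-readable fields."""
    a, b, c = fp.split("_")
    return {
        "proto": a[0], "tls_version": a[1:3], "sni": a[3],
        "cipher_count": int(a[4:6]), "ext_count": int(a[6:8]), "alpn": a[8:10],
        "cipher_hash": b, "ext_hash": c,
    }


def correlate(ja4_fp: str, ja4h_fp: str, rules) -> list:
    """Example-02 style check: a JA4 that matches a known family but arrives with a
    JA4H the family's legitimate SDK never produces is the detection signal.
    rules: constructed dicts {name, ja4, legit_ja4h: set()}; not a real rule format."""
    alerts = []
    for rule in rules:
        if rule["ja4"] == ja4_fp and ja4h_fp not in rule["legit_ja4h"]:
            alerts.append(f"{rule['name']}: JA4 match with unexpected JA4H {ja4h_fp}")
    return alerts


# Constructed sample ClientHello (not a capture): TLS 1.3, SNI present, ALPN h2,
# with one GREASE cipher and one GREASE extension mixed in that JA4 must ignore.
SAMPLE = dict(
    proto="t", version="13",
    ciphers=[0x0A0A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F],
    extensions=[0x1A1A, 0x0000, 0x0017, 0xFF01, 0x000A, 0x000B, 0x0023, 0x0010,
                0x0005, 0x000D, 0x0012, 0x0033, 0x002B, 0x002D, 0x001B],
    sigalgs=[0x0403, 0x0804, 0x0401, 0x0503, 0x0805, 0x0501, 0x0806, 0x0601],
    alpn="h2",
)


def shuffled(hello: dict, seed: int = 7) -> dict:
    """Same ClientHello with cipher and extension order randomised (the case that
    changes a JA3 hash but must leave JA4 unchanged)."""
    rng = random.Random(seed)
    out = dict(hello)
    out["ciphers"] = rng.sample(hello["ciphers"], len(hello["ciphers"]))
    out["extensions"] = rng.sample(hello["extensions"], len(hello["extensions"]))
    return out


if __name__ == "__main__":
    fp = ja4(**SAMPLE)
    print(fp)
    print(parse_ja4(fp))
    print("order-invariant:", fp == ja4(**shuffled(SAMPLE)))
```

The first ten characters (JA4_a) are what "groupable by partial match" refers to: two clients with the same JA4_a but different JA4_b/JA4_c are the same kind of stack with a different cipher or extension set, which is a useful hunting pivot on its own. Note that the sample JA4_a for the constructed hello is `t13d0514h2` because the GREASE entries are excluded from both counts.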
● FAQ
What is JA4 Fingerprint?
A 2023 successor to JA3, published by John Althouse at FoxIO, that produces structured, human-readable TLS, HTTP, SSH, and TCP fingerprints designed to remain robust as TLS clients evolve and to be paired across protocols. It belongs to the Network Security category.
What does JA4 Fingerprint mean?
A 2023 successor to JA3, published by John Althouse at FoxIO, that produces structured, human-readable TLS, HTTP, SSH, and TCP fingerprints designed to remain robust as TLS clients evolve and to be paired across protocols.
How does JA4 Fingerprint work?
JA4 (and the JA4+ family: JA4S, JA4H, JA4X, JA4SSH, JA4T, JA4L) is a 2023 evolution of JA3 published by John Althouse at FoxIO. Where JA3 produced an opaque MD5, JA4 produces a structured string with explicit fields and a small truncated hash, so a fingerprint is both human-readable and trivially groupable by partial match. JA4 covers more parts of the handshake (e.g. signature algorithms, ALPN, the TLS version actually negotiated vs. the one offered) and ignores well-known fields that change only for noise reasons, so the resulting fingerprint stays stable across TLS-extension shuffling. JA4S fingerprints the server's response, JA4H fingerprints HTTP requests, JA4X fingerprints X.509 certificate issuers, JA4T fingerprints raw TCP options, JA4L estimates path latency (light distance), and JA4SSH fingerprints SSH client handshakes. The license is BSD-3, and integrations exist in Zeek, Wireshark, Suricata, Cloudflare's edge, and several commercial NDR products. JA4-based detections increasingly replace or complement JA3 in modern threat-hunt content.
How do you defend against JA4 Fingerprint?
Defending against JA4 Fingerprint usually combines technical controls with operational practice; see the full definition above.
What other names does JA4 Fingerprint go by?
Common aliases include: JA4+, JA4S, JA4H, JA4X.
● Related terms
- network-security№ 628
JA3 Fingerprint
A TLS client fingerprinting method by John Althouse, Jeff Atkinson, and Josh Atkins (Salesforce, 2017) that hashes the ordered TLS ClientHello parameters into a 32-character MD5, used to identify and group TLS clients without inspecting payload.
- network-security№ 1280
TLS Handshake
The initial exchange when a Transport Layer Security connection is established, used to authenticate the server (and optionally the client) and to derive the symmetric keys that encrypt the rest of the session.
- network-security№ 1279
TLS (Transport Layer Security)
A cryptographic protocol standardized by the IETF that provides confidentiality, integrity, and authentication for communication between two networked applications.
- defense-ops№ 338
Detection Engineering
The discipline of designing, testing, deploying, and maintaining security detections as code, so that coverage of adversary techniques can be measured.
- network-security№ 326
Deep Packet Inspection (DPI)
An inspection technique that examines not only the headers but the entire payload of a packet, used to identify applications, content, and threats.
- network-security№ 609
Intrusion Detection System (IDS)
A passive security control that monitors network or host activity to discover malicious behavior and raise alerts, without actively blocking traffic.