-
Notifications
You must be signed in to change notification settings - Fork 2
/
ja4t.irule
67 lines (60 loc) · 2.2 KB
/
ja4t.irule
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
###############################################################################################
# iRule to calculate JA4T "TCP Fingerprint"
# See JA4 spec on GitHub for more details
# https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md
#
# Copyright (c) 2024, FoxIO, LLC.
# All rights reserved.
# Licensed under FoxIO License 1.1
# For full license text and more details, see the repo root https://github.com/FoxIO-LLC/ja4
###############################################################################################
when FLOW_INIT {
# To block based on a list of "bad" JA4T values, set "ja4t_blocking" to 1 (one) and
# set the name of your JA4T blocklist data group
set ja4t_blocking 0
set ja4t_blocklist "dg_ja4t_blocklist"
set ja4t_log_blocks 1
set recv_win [DATAGRAM::tcp window]
set ops_list ""
foreach option [DATAGRAM::tcp option] {
scan ${option} "%s %\[^-\]" kind value
switch ${kind} {
"2" {
binary scan ${value} S* mss
}
"3" {
binary scan ${value} c* win_scale
regexp {(?:123 )?(.*?)(?: 125)?} ${win_scale} match win_scale
}
}
append ops_list "${kind}-"
unset -nocomplain kind
unset -nocomplain value
}
set ops_list [string trimright ${ops_list} "-"]
if { ${ops_list} eq "" } {
set ops_list "00"
}
if {![info exists win_scale]}{
set win_scale "00"
}
if {![info exists mss]}{
set mss "00"
}
set ja4t "${recv_win}_${ops_list}_${mss}_${win_scale}"
if { ${ja4t_blocking} } {
if { [class exists ${ja4t_blocklist}] } {
if { [set blocked_ja4t [class match -element ${ja4t} equals ${ja4t_blocklist}]] ne "" } {
if { ${ja4t_log_blocks} } { log local0. "Dropping connection from JA4T: '${blocked_ja4t}'" }
drop
}
} else {
log local0. "JA4T blocking is enabled but data group '${ja4t_blocklist}' does not exist. Create data group to enable blocking."
}
}
}
when HTTP_REQUEST {
if {[info exists ja4t]}{
HTTP::header insert "X-JA4T" ${ja4t}
}
}