From 05a368681a6d76f085357fe37de3a5635d4a8e06 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 21 Jul 2025 10:53:54 -0400
Subject: [PATCH 1/4] Create config.zeek.ja4

---
 salt/zeek/files/config.zeek.ja4 | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 salt/zeek/files/config.zeek.ja4

diff --git a/salt/zeek/files/config.zeek.ja4 b/salt/zeek/files/config.zeek.ja4
new file mode 100644
index 000000000..e3dd08a48
--- /dev/null
+++ b/salt/zeek/files/config.zeek.ja4
@@ -0,0 +1,25 @@
+module FINGERPRINT;
+
+export {
+ option delimiter: string = "_";
+
+ # BSD licensed
+ option JA4_enabled: bool = T;
+ option JA4_raw: bool = F;
+
+ # FoxIO license required for JA4+
+ option JA4S_enabled: bool = F;
+ option JA4S_raw: bool = F;
+
+ option JA4H_enabled: bool = F;
+ option JA4H_raw: bool = F;
+
+ option JA4L_enabled: bool = F;
+
+ option JA4SSH_enabled: bool = F;
+
+ option JA4T_enabled: bool = F;
+ option JA4TS_enabled: bool = F;
+
+ option JA4X_enabled: bool = F;
+}

From 93024738d31715f9b613520e9adbc0d7b1d4d262 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 21 Jul 2025 10:57:45 -0400
Subject: [PATCH 2/4] Update config.sls

---
 salt/zeek/config.sls | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/salt/zeek/config.sls b/salt/zeek/config.sls
index 7fdbd8560..761c6f7d3 100644
--- a/salt/zeek/config.sls
+++ b/salt/zeek/config.sls
@@ -150,6 +150,13 @@ plcronscript:
 - source: salt://zeek/cron/packetloss.sh
 - mode: 755
 
+zeekja4cfg:
+ file.managed:
+ - name: /opt/so/conf/zeek/config.zeek
+ - source: salt://zeek/files/config.zeek.ja4
+ - user: 937
+ - group: 939
+
 # BPF compilation and configuration
 {% if ZEEKBPF %}
 {% set BPF_CALC = salt['cmd.script']('salt://common/tools/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKBPF|join(" "),cwd='/root') %}

From 5dac3ff2a672fde5d7faaef2774bcf4d489bfeea Mon Sep 17 00:00:00 2001
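Review bot: The new file has no header saying what it is or where it lands; patch 2 of this series installs it as `/opt/so/conf/zeek/config.zeek` and patch 3 mounts it over the ja4 package's own `config.zeek`, so a reader opening `config.zeek.ja4` by itself cannot tell it is the JA4 package's option file or that it is deployed verbatim rather than rendered from pillar. I would open it with `# Options for the Zeek ja4 package; installed as /opt/so/conf/zeek/config.zeek and bind-mounted over the package's config.zeek (see zeek/config.sls and zeek/enabled.sls).` The license comment should also say what flipping a value commits the operator to, e.g. `# JA4+ fingerprints (JA4S/H/L/SSH/T/TS/X) fall under the FoxIO license; leave these F unless the deployment is covered by it.` Only `JA4_enabled` is `T` by default, which is consistent with the BSD note above it.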
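Review bot: `zeekja4cfg` sets `user`/`group` but no `mode`, unlike `plcronscript` directly above it, so a pre-existing file keeps whatever permissions it has and a new one gets the default; add `- mode: 644`, since the mount in patch 3 is `:ro` and Zeek only needs to read it. Nothing in the state makes the running so-zeek container pick the file up when it changes, so option edits only take effect on the next container restart; if the other zeek config states in this file use a watch/restart pattern, this one should follow it. The uid/gid 937/939 are presumably the zeek account used elsewhere in this role — confirm they match the user the container runs Zeek as.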
From: Mike Reeves
Date: Mon, 21 Jul 2025 10:58:25 -0400
Subject: [PATCH 3/4] Update enabled.sls

---
 salt/zeek/enabled.sls | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/zeek/enabled.sls b/salt/zeek/enabled.sls
index 7d444ff43..ff090428f 100644
--- a/salt/zeek/enabled.sls
+++ b/salt/zeek/enabled.sls
@@ -34,6 +34,7 @@ so-zeek:
 - /opt/so/conf/zeek/policy/cve-2020-0601:/opt/zeek/share/zeek/policy/cve-2020-0601:ro
 - /opt/so/conf/zeek/policy/intel:/opt/zeek/share/zeek/policy/intel:rw
 - /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro
+ - /opt/so/conf/zeek/config.zeek:/opt/zeek/share/zeek/site/packages/ja4/config.zeek:ro
 {% if DOCKER.containers['so-zeek'].custom_bind_mounts %}
 {% for BIND in DOCKER.containers['so-zeek'].custom_bind_mounts %}
 - {{ BIND }}

From eabca5df1897c9330e641bf71d4854430e2497b8 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 21 Jul 2025 11:01:33 -0400
Subject: [PATCH 4/4] Update defaults.yaml

---
 salt/zeek/defaults.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml
index 1daf77102..d87a67ac6 100644
--- a/salt/zeek/defaults.yaml
+++ b/salt/zeek/defaults.yaml
@@ -52,6 +52,7 @@ zeek:
 - policy/frameworks/notice/community-id
 - policy/protocols/conn/community-id-logging
 - ja3
+ - ja4
 - hassh
 - intel
 - cve-2020-0601
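Review bot: The new bind mounts a single host file, `/opt/so/conf/zeek/config.zeek`, and if that file does not exist when the container is created — for instance enabled.sls applied before config.sls on a fresh sensor — Docker creates an empty directory at the host path, and the mount then shadows the package's `config.zeek` with a directory, which would break loading the ja4 package. If `so-zeek` is a docker_container state (the surrounding `- /path:/path:ro` entries read like its binds), make it depend on the file, e.g. `- require:` / `- file: zeekja4cfg` with the matching include, or otherwise guarantee config.sls runs first. The container-side path assumes the ja4 package is installed under `site/packages/ja4` in the image — confirm that matches how the package is built into it. The so-zeek state starts above this hunk and continues below it.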
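Review bot: Adding `ja4` to this list loads the package on every sensor that uses the defaults, and with `JA4_enabled` set to `T` in patch 1 a new fingerprint log starts being produced by default; nothing in this four-patch series touches the ingest side (parsers, field mappings, retention), so confirm that is handled elsewhere or is deliberate. Deployments that already override this list in pillar will not pick up the new entry, which may be intended but deserves a sentence in the PR description. The list's key under `zeek:` is above the hunk and not visible here.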