Merge pull request #14860 from Security-Onion-Solutions/ja4

Add JA4 support

salt/zeek/config.sls

@@ -150,6 +150,13 @@ plcronscript:
     - source: salt://zeek/cron/packetloss.sh
     - mode: 755
 
+zeekja4cfg:
+  file.managed:
+    - name: /opt/so/conf/zeek/config.zeek
+    - source: salt://zeek/files/config.zeek.ja4
+    - user: 937
+    - group: 939
+
 # BPF compilation and configuration
 {% if ZEEKBPF %}
    {% set BPF_CALC = salt['cmd.script']('salt://common/tools/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKBPF|join(" "),cwd='/root') %}

salt/zeek/defaults.yaml

@@ -52,6 +52,7 @@ zeek:
         - policy/frameworks/notice/community-id
         - policy/protocols/conn/community-id-logging
         - ja3
+        - ja4
         - hassh
         - intel
         - cve-2020-0601

salt/zeek/enabled.sls

@@ -34,6 +34,7 @@ so-zeek:
       - /opt/so/conf/zeek/policy/cve-2020-0601:/opt/zeek/share/zeek/policy/cve-2020-0601:ro
       - /opt/so/conf/zeek/policy/intel:/opt/zeek/share/zeek/policy/intel:rw
       - /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro
+      - /opt/so/conf/zeek/config.zeek:/opt/zeek/share/zeek/site/packages/ja4/config.zeek:ro
       {% if DOCKER.containers['so-zeek'].custom_bind_mounts %}
         {% for BIND in DOCKER.containers['so-zeek'].custom_bind_mounts %}
       - {{ BIND }}

salt/zeek/files/config.zeek.ja4

@@ -0,0 +1,25 @@
+module FINGERPRINT;
+
+export {
+  option delimiter: string = "_";
+
+  # BSD licensed
+  option JA4_enabled:    bool = T;
+  option JA4_raw:        bool = F;
+
+  # FoxIO license required for JA4+
+  option JA4S_enabled:   bool = F;
+  option JA4S_raw:   bool = F;
+
+  option JA4H_enabled:   bool = F;
+  option JA4H_raw:   bool = F;
+
+  option JA4L_enabled:   bool = F;
+  
+  option JA4SSH_enabled: bool = F;
+
+  option JA4T_enabled: bool = F;
+  option JA4TS_enabled: bool = F;
+
+  option JA4X_enabled:   bool = F;
+}