From 680949773018a75f2ffaf64a94fb12b781fc5ba0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 17 Mar 2026 09:35:31 -0400 Subject: [PATCH] Add SOC UI toggle for JA4+ fingerprinting in Zeek JA4 (BSD licensed) remains always enabled, but JA4+ variants (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X) require a FoxIO license and are now toggleable via the SOC UI. The toggle includes a license agreement warning and defaults to disabled. --- salt/zeek/config.sls | 3 +++ salt/zeek/defaults.yaml | 1 + salt/zeek/files/config.zeek.ja4 | 22 +++++++++++----------- salt/zeek/soc_zeek.yaml | 4 ++++ 4 files changed, 19 insertions(+), 11 deletions(-) diff --git a/salt/zeek/config.sls b/salt/zeek/config.sls index 42ea74fc9..b7d71ec76 100644 --- a/salt/zeek/config.sls +++ b/salt/zeek/config.sls @@ -156,6 +156,9 @@ zeekja4cfg: - source: salt://zeek/files/config.zeek.ja4 - user: 937 - group: 939 + - template: jinja + - defaults: + JA4PLUS_ENABLED: {{ ZEEKMERGED.ja4plus_enabled }} # BPF compilation failed {% if ZEEKBPF and not ZEEK_BPF_STATUS %} diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml index 169b6521a..1189ebbc8 100644 --- a/salt/zeek/defaults.yaml +++ b/salt/zeek/defaults.yaml @@ -1,5 +1,6 @@ zeek: enabled: False + ja4plus_enabled: False config: node: lb_procs: 0 diff --git a/salt/zeek/files/config.zeek.ja4 b/salt/zeek/files/config.zeek.ja4 index 3d0035481..cc82ddcf8 100644 --- a/salt/zeek/files/config.zeek.ja4 +++ b/salt/zeek/files/config.zeek.ja4 
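Review bot: The new `JA4PLUS_ENABLED: {{ ZEEKMERGED.ja4plus_enabled }}` default in `zeekja4cfg` passes on whatever the merged pillar holds, and the template then gates the licence-bound options on plain truthiness. A non-boolean value set outside the SOC UI (any non-empty string that YAML does not read as a boolean) would therefore render every JA4+ option as `T`. `forcedType: bool` in soc_zeek.yaml only constrains the UI path, and how ZEEKMERGED is built is outside this hunk, so this is worth confirming. A fail-closed form would be `JA4PLUS_ENABLED: {{ ZEEKMERGED.ja4plus_enabled is sameas true }}`. The opening lines of the `zeekja4cfg` state are also outside the hunk.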
@@ -8,20 +8,20 @@ export { option JA4_raw: bool = F; # FoxIO license required for JA4+ - option JA4S_enabled: bool = F; - option JA4S_raw: bool = F; + option JA4S_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }}; + option JA4S_raw: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }}; - option JA4D_enabled: bool = F; + option JA4D_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }}; - option JA4H_enabled: bool = F; - option JA4H_raw: bool = F; + option JA4H_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }}; + option JA4H_raw: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }}; - option JA4L_enabled: bool = F; - - option JA4SSH_enabled: bool = F; + option JA4L_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }}; - option JA4T_enabled: bool = F; - option JA4TS_enabled: bool = F; + option JA4SSH_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }}; - option JA4X_enabled: bool = F; + option JA4T_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }}; + option JA4TS_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }}; + + option JA4X_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }}; } diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml index 929b9debd..36da3ea9c 100644 --- a/salt/zeek/soc_zeek.yaml +++ b/salt/zeek/soc_zeek.yaml @@ -2,6 +2,10 @@ zeek: enabled: description: Controls whether the Zeek (network packet inspection) process runs. Disabling this process could result in loss of network protocol metadata. If Suricata was selected as the protocol metadata engine during setup then this will already be disabled. helpLink: zeek.html + ja4plus_enabled: + description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license (https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4)." + forcedType: bool + helpLink: zeek.html config: local: load:
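Review bot: `JA4S_raw` and `JA4H_raw` are switched on by the same toggle as the fingerprints themselves, while the context line above keeps `JA4_raw` at `F`. Raw output is a separate decision: it adds log fields and volume, and presumably writes unhashed fingerprint inputs to the logs (confirm against the JA4 package), yet the SOC description does not mention it. I would keep `option JA4S_raw: bool = F;` and `option JA4H_raw: bool = F;` here, or give raw output its own setting. As a style point, `{{ 'T' if JA4PLUS_ENABLED else 'F' }}` is repeated ten times; a single `{% set ja4plus = 'T' if JA4PLUS_ENABLED else 'F' %}` at the top of the file with `{{ ja4plus }}` on each option would leave one place to change. The `export {` block opens outside this hunk.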
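Review bot: The `ja4plus_enabled` description does not tell the operator that plain JA4 stays on whichever way the toggle is set, or that the setting is off by default. Both are stated in the commit message but not in the UI text. I would append a sentence such as `JA4 itself is always enabled and is not affected by this setting; JA4+ is disabled by default.` to the description.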