From d227cf71c87d374c52f6da8552ffb67af39d1813 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 19 Mar 2026 11:01:40 -0400 Subject: [PATCH 1/3] ja4plus cleanup --- salt/zeek/config.sls | 2 +- salt/zeek/defaults.yaml | 2 +- salt/zeek/files/config.zeek.ja4 | 16 ++++++++-------- salt/zeek/soc_zeek.yaml | 5 +++-- 4 files changed, 13 insertions(+), 12 deletions(-) diff --git a/salt/zeek/config.sls b/salt/zeek/config.sls index 94dfa9283..2f58e3846 100644 --- a/salt/zeek/config.sls +++ b/salt/zeek/config.sls @@ -167,7 +167,7 @@ zeekja4cfg: - group: 939 - template: jinja - defaults: - JA4PLUS_ENABLED: {{ ZEEKMERGED.ja4plus_enabled }} + JA4PLUS: {{ ZEEKMERGED.ja4plus }} # BPF compilation failed {% if ZEEKBPF and not ZEEK_BPF_STATUS %} diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml index 1189ebbc8..033ed9919 100644 --- a/salt/zeek/defaults.yaml +++ b/salt/zeek/defaults.yaml @@ -1,6 +1,6 @@ zeek: enabled: False - ja4plus_enabled: False + ja4plus: False config: node: lb_procs: 0 diff --git a/salt/zeek/files/config.zeek.ja4 b/salt/zeek/files/config.zeek.ja4 index eb9da37b4..7bde4da3c 100644 --- a/salt/zeek/files/config.zeek.ja4 +++ b/salt/zeek/files/config.zeek.ja4 
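Review bot: The pillar key read in the `defaults:` entry changes from `ZEEKMERGED.ja4plus_enabled` to `ZEEKMERGED.ja4plus` here, and again to `ZEEKMERGED.ja4plus.enabled` in the config.sls hunk of patch 3/3, with no migration of existing overrides visible anywhere in the series. If the old key was ever released, a grid that had JA4+ turned on would fall back to the `False` default after upgrade and every JA4+ option would render as `F`. Sensors would then stop emitting the JA4S/JA4H/JA4SSH and related fingerprint fields without any error, which matters to detections and hunts built on them. Consider a one-time pillar rewrite in the upgrade path, or a temporary fallback such as `JA4PLUS: {{ ZEEKMERGED.ja4plus or ZEEKMERGED.get('ja4plus_enabled', False) }}` (this assumes ZEEKMERGED is a plain mapping, which is not visible here). The `zeekja4cfg` state starts above the hunk.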
@@ -8,20 +8,20 @@ export { option JA4_raw: bool = F; # FoxIO license required for JA4+ - option JA4S_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }}; + option JA4S_enabled: bool = {{ 'T' if JA4PLUS else 'F' }}; option JA4S_raw: bool = F; - option JA4D_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }}; + option JA4D_enabled: bool = {{ 'T' if JA4PLUS else 'F' }}; - option JA4H_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }}; + option JA4H_enabled: bool = {{ 'T' if JA4PLUS else 'F' }}; option JA4H_raw: bool = F; - option JA4L_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }}; + option JA4L_enabled: bool = {{ 'T' if JA4PLUS else 'F' }}; - option JA4SSH_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }}; + option JA4SSH_enabled: bool = {{ 'T' if JA4PLUS else 'F' }}; - option JA4T_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }}; - option JA4TS_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }}; + option JA4T_enabled: bool = {{ 'T' if JA4PLUS else 'F' }}; + option JA4TS_enabled: bool = {{ 'T' if JA4PLUS else 'F' }}; - option JA4X_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }}; + option JA4X_enabled: bool = {{ 'T' if JA4PLUS else 'F' }}; } diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml index 787185469..f3e5012b2 100644 --- a/salt/zeek/soc_zeek.yaml +++ b/salt/zeek/soc_zeek.yaml 
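Review bot: Each `{{ 'T' if JA4PLUS else 'F' }}` in the export block enables its option for any truthy value, so a non-empty string or a mapping passed as `JA4PLUS` would switch on all eight license-gated fingerprints, not only a boolean true. Because enabling these options is tied to accepting the FoxIO license, the template could require an explicit boolean and compute it once: `{% set ja4plus = 'T' if JA4PLUS is sameas true else 'F' %}` near the top, then `option JA4S_enabled: bool = {{ ja4plus }};` and likewise for the other seven. That also removes the eight repeated conditionals, so a later rename touches one line. The export block opens above the hunk.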
@@ -2,10 +2,11 @@ zeek:
 enabled:
 description: Controls whether the Zeek (network packet inspection) process runs. Disabling this process could result in loss of network protocol metadata. If Suricata was selected as the protocol metadata engine during setup then this will already be disabled.
 helpLink: zeek
- ja4plus_enabled:
- description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license (https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4)."
+ ja4plus:
+ description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license [https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4](https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4)."
 forcedType: bool
 helpLink: zeek
+ advanced: True
 config:
 local:
 load:
From 83b7fecbbc9eb07dc49d20e53fe1fe0f062421f0 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 19 Mar 2026 11:12:24 -0400
Subject: [PATCH 2/3] ja4plus cleanup
---
 salt/zeek/soc_zeek.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml
index f3e5012b2..4c9b70efb 100644
--- a/salt/zeek/soc_zeek.yaml
+++ b/salt/zeek/soc_zeek.yaml
@@ -6,7 +6,7 @@ zeek:
 description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license [https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4](https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4)."
 forcedType: bool
 helpLink: zeek
- advanced: True
+ advanced: False
 config:
 local:
 load:
From d3938b61d289accc1148f883182d59f17ad53aaf Mon Sep 17 00:00:00 2001
From: Mike Reeves Date: Thu, 19 Mar 2026 12:39:37 -0400 Subject: [PATCH 3/3] ja4plus nest enabled under ja4plus key for defaults --- salt/zeek/config.sls | 2 +- salt/zeek/defaults.yaml | 3 ++- salt/zeek/soc_zeek.yaml | 9 +++++---- 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/salt/zeek/config.sls b/salt/zeek/config.sls index 2f58e3846..168e950cb 100644 --- a/salt/zeek/config.sls +++ b/salt/zeek/config.sls @@ -167,7 +167,7 @@ zeekja4cfg: - group: 939 - template: jinja - defaults: - JA4PLUS: {{ ZEEKMERGED.ja4plus }} + JA4PLUS: {{ ZEEKMERGED.ja4plus.enabled }} # BPF compilation failed {% if ZEEKBPF and not ZEEK_BPF_STATUS %} diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml index 033ed9919..4058b01b8 100644 --- a/salt/zeek/defaults.yaml +++ b/salt/zeek/defaults.yaml @@ -1,6 +1,7 @@ zeek: enabled: False - ja4plus: False + ja4plus: + enabled: False config: node: lb_procs: 0 diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml index 4c9b70efb..ccb57acbb 100644 --- a/salt/zeek/soc_zeek.yaml +++ b/salt/zeek/soc_zeek.yaml 
@@ -3,10 +3,11 @@ zeek:
 description: Controls whether the Zeek (network packet inspection) process runs. Disabling this process could result in loss of network protocol metadata. If Suricata was selected as the protocol metadata engine during setup then this will already be disabled.
 helpLink: zeek
 ja4plus:
- description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license [https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4](https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4)."
- forcedType: bool
- helpLink: zeek
- advanced: False
+ enabled:
+ description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license [https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4](https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4)."
+ forcedType: bool
+ helpLink: zeek
+ advanced: False
 config:
 local:
 load: