Releases: Crank-Git/ja4plus

v0.5.0 — JA4D, QUIC JA4S, connection cleanup API

12 Apr 02:00

What's New

New: JA4D — DHCP Fingerprinting

Full DHCP fingerprinting support, ported from the Go library. Fingerprints DHCPv4 messages (Discover, Offer, Request, ACK, and 14 other types) into a three-section fingerprint encoding the message type, max message size, requested IP flag, FQDN flag, option list, and parameter request list.

Format: {msg_type}{max_size}{req_ip}{fqdn}_{option_list}_{param_list}
Example: disco1500in_61-57-60-12-55_1-3-6-15-26-28-51-58-59

New: QUIC Server Initial decryption for JA4S

JA4SFingerprinter now fingerprints QUIC Server Hello messages. It tracks the client's Destination Connection ID (DCID) from QUIC Client Initials and uses it to derive server-side decryption keys, enabling JA4S fingerprinting over QUIC in addition to TCP/TLS.
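An added sketch (not ja4plus code) of why the client's DCID has to be remembered: QUIC v1 Initial keys for both directions are derived from the DCID in the client's first Initial (RFC 9001, section 5.2), while the server's Initial carries a different DCID. `DcidTracker` and `derive_initial_keys` are hypothetical names; QUIC v1 only, and Retry is not handled.

```python
import hashlib
import hmac
import struct

# QUIC v1 Initial salt (RFC 9001, section 5.2).
INITIAL_SALT_V1 = bytes.fromhex("38762cf7f55934b34d179ae6a4c80cadccbb7f0a")


def hkdf_expand_label(secret, label, length):
    """TLS 1.3 HKDF-Expand-Label with SHA-256 and an empty context."""
    full_label = b"tls13 " + label
    info = struct.pack("!HB", length, len(full_label)) + full_label + b"\x00"
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(secret, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_initial_keys(client_dcid, side):
    """Return (key, iv, hp) protecting Initial packets sent by `side`."""
    if side not in ("client", "server"):
        raise ValueError("side must be 'client' or 'server'")
    if len(client_dcid) > 20:
        raise ValueError("QUIC v1 connection IDs are at most 20 bytes")
    # HKDF-Extract: the only input besides the public salt is the cleartext DCID.
    initial_secret = hmac.new(INITIAL_SALT_V1, client_dcid, hashlib.sha256).digest()
    side_secret = hkdf_expand_label(initial_secret, side.encode() + b" in", 32)
    return (hkdf_expand_label(side_secret, b"quic key", 16),
            hkdf_expand_label(side_secret, b"quic iv", 12),
            hkdf_expand_label(side_secret, b"quic hp", 16))


class DcidTracker:
    """Hypothetical per-flow table; flows are (src_ip, src_port, dst_ip, dst_port)."""

    def __init__(self):
        self._dcid = {}

    def on_client_initial(self, flow, dcid):
        self._dcid.setdefault(flow, dcid)  # keep the first DCID seen on the flow

    def server_keys(self, server_flow):
        # The server's packet travels the reverse direction of the stored flow.
        src_ip, src_port, dst_ip, dst_port = server_flow
        dcid = self._dcid.get((dst_ip, dst_port, src_ip, src_port))
        return derive_initial_keys(dcid, "server") if dcid is not None else None

    def cleanup(self, flow):
        self._dcid.pop(flow, None)  # evict state when the connection ends
```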

New: Connection cleanup API

All fingerprinters now implement cleanup_connection(src_ip, src_port, dst_ip, dst_port, proto) for per-connection state eviction. Essential for long-running monitors to prevent memory accumulation. Stateless fingerprinters (JA4, JA4T, JA4TS, JA4D) use a no-op; stateful ones (JA4L, JA4SSH, JA4H, JA4X, JA4S) evict their per-connection data.

Fix: JA4 raw fingerprint format

get_raw_fingerprint() now returns a clean fingerprint string instead of a display-formatted string with a "JA4_r = " or "JA4_ro = " prefix. This aligns with Go library behavior.

Changes

  • Add ja4plus/fingerprinters/ja4d.py — JA4D DHCP fingerprinter
  • Add cleanup_connection() to BaseFingerprinter (no-op default) and all stateful fingerprinters
  • Add parse_quic_server_initial() to quic_utils.py
  • Add DCID tracking state to JA4SFingerprinter
  • Fix get_raw_fingerprint() prefix in ja4.py
  • 52 new tests (529 total)

v0.4.1

07 Apr 03:52

Bug Fixes

  • JA4SSH: Fixed bare ACK counting — ACK packets (no payload) for known SSH connections were silently dropped by an early return guard, making ACK counters dead code. Bare ACKs now flow through when the connection is already tracked.
  • QUIC v2: Fixed Initial packet type detection — QUIC v2 (RFC 9369) uses packet type 0x01 in bits 4-5, not 0x00 like v1. v2 Initial packets were being silently rejected.

Full Changelog: v0.4.0...v0.4.1

v0.4.0

07 Apr 02:20
a98f99d

What's New

QUIC Support

  • QUIC Initial packet parsing (RFC 9001 v1, RFC 9369 v2) — automatically detected on UDP
  • Decrypts Initial packets using DCID-derived keys, extracts TLS ClientHello from CRYPTO frames
  • JA4 fingerprints from QUIC use the q protocol prefix

IPv6 Support

  • All fingerprinters now handle both IPv4 and IPv6 packets
  • New packet_utils module with get_ip_layer() and get_ttl() helpers

TCP Stream Reassembly

  • JA4H now handles HTTP requests spanning multiple TCP segments
  • JA4X now uses sequence-number-aware reassembly for correct out-of-order certificate extraction
  • New TCPStreamReassembler utility shared by both

Bug Fixes

  • JA4SSH: Fixed direction detection on non-standard ports — lower port now correctly identified as server

Documentation

  • New docs/implementation_notes.md documenting all spec deviations and undocumented behaviors (reference for Go port)
  • Updated usage guide and API reference

Stats

  • 23 files changed, +1242 / -129 lines
  • 48 new tests (473 total, all passing)

Full Changelog: v0.3.0...v0.4.0

v0.3.0

25 Mar 19:17
8301a8c

JA4+ v0.3.0

New Features

  • CLI tool: ja4plus analyze, ja4plus live, ja4plus cert with --format table|json|csv and --types filtering
  • ja4db fingerprint lookup: --lookup flag identifies known browsers, malware, and C2 frameworks from bundled FoxIO database. Install with pip install ja4plus[lookup]
  • FoxIO spec validation — test suite validates against official FoxIO test vectors (pytest -m spec_validation)
  • CI/CD — GitHub Actions testing Python 3.8-3.13 on Ubuntu + macOS, PyPI auto-publish on release

Fixes

  • Fix 20 test failures on Python < 3.11 (datetime.UTC → datetime.timezone.utc)
  • Bump cryptography>=42.0.0 (required for not_valid_before_utc API)
  • Remove dead code (parse_certificate() and 3 undefined helpers)
  • Replace 13 bare except: clauses with specific exception types
  • Add Python stdlib logging to all modules

Other Changes

  • Clarify dual-license: BSD-3-Clause (library) + FoxIO License 1.1 (JA4S/JA4H/JA4T/JA4TS/JA4L/JA4X/JA4SSH specs)
  • Remove setup.py; pyproject.toml is single source of truth
  • Deprecate collector.py in favor of new CLI
  • Add .gitignore, README badges, spec validation docs