Handle empty cookies in JA4H Zeek parsing #158
Merged
This PR fixes a bug mentioned here: #123
After sorting the cookies and before building the JA4H string, it checks whether the JA4H_c_r and JA4H_d_r values are empty. If so, it assigns the JA4H_c or _d values twelve 0s; if they are not empty, it hashes them as normal.
I confirmed that this works as expected; see parsing of Zeek logs below:
The PR looks like I changed a lot more than this, but the other thing I changed was the indentation.
Some parts of this script contain 2 spaces for the first level indent, followed by 4 spaces for the second level indent. This felt inconsistent and made it more difficult to modify the code than it should have been.
Other parts of the code use 4 spaces for the first level indent, so I modified this section to fit that pattern. (I did not modify all places where two spaces were used, as it seemed out of scope.)
I confirmed that the use of 4 spaces for the first level indent did not impact functionality, and the script appears to be working as expected.
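The empty-cookie check described in this PR, sketched as an added example in Python; it is not the project's Zeek script. It assumes the normal hash is the first 12 hex characters of SHA-256 and that the raw strings are comma-joined; the function names and the `guard_empty` switch are hypothetical, and the Cookie headers are constructed.

```python
import hashlib

EMPTY_HASH = "0" * 12  # twelve 0s, as stated in the PR description


def parse_cookie_header(header):
    """Split a Cookie header value into (name, value) pairs, skipping blanks."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def truncated_hash(raw):
    # Assumption: "hash as normal" means the first 12 hex chars of SHA-256.
    return hashlib.sha256(raw.encode()).hexdigest()[:12]


def cookie_sections(header, guard_empty=True):
    """Return (JA4H_c, JA4H_d) for one request; header is '' when no cookie was sent."""
    pairs = parse_cookie_header(header)
    # Raw strings: sorted cookie names, and sorted name=value pairs (assumed comma-joined).
    ja4h_c_r = ",".join(sorted(name for name, _ in pairs))
    ja4h_d_r = ",".join(sorted(f"{name}={value}" for name, value in pairs))
    if not guard_empty:
        # Behaviour without the check: an empty raw string is hashed like any other.
        return truncated_hash(ja4h_c_r), truncated_hash(ja4h_d_r)
    ja4h_c = truncated_hash(ja4h_c_r) if ja4h_c_r else EMPTY_HASH
    ja4h_d = truncated_hash(ja4h_d_r) if ja4h_d_r else EMPTY_HASH
    return ja4h_c, ja4h_d


if __name__ == "__main__":
    # Constructed sample headers: no cookie, then two cookies in either order.
    for header in ("", "session=abc123; theme=dark", "theme=dark; session=abc123"):
        print(repr(header), cookie_sections(header), cookie_sections(header, guard_empty=False))
```

Without the check, a cookieless request yields the truncated SHA-256 of the empty string (`e3b0c44298fc`), which looks like a real cookie hash and will not match fingerprints from tools that emit `000000000000` for the same request.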