JA4+ Fingerprinting

Moat implements the complete JA4+ fingerprinting suite for advanced threat detection and behavioral analysis.

Implementation Status

Component	Status	Description
JA4	✅ Complete	TLS ClientHello fingerprinting
JA4T	✅ Complete	TCP SYN options fingerprinting
JA4H	✅ Complete	HTTP header fingerprinting
JA4L	✅ Complete	Latency/RTT measurement
JA4S	✅ Complete	TLS ServerHello fingerprinting
JA4X	✅ Complete	X.509 certificate fingerprinting

JA4 - TLS Client Fingerprint

Format: {proto}{version}{sni}{cipher_count}{ext_count}{alpn}_{cipher_hash}_{ext_hash}

Example: t13d1516h2_8daaf6152771_b186095e22b6

What it Detects

TLS version negotiation
Cipher suite preferences
TLS extensions used
ALPN protocols
SNI behavior

Use Cases

Identify bot traffic
Detect TLS library tampering
Track client applications
Spot impersonation attempts

JA4T - TCP Fingerprint

Format: {window_size}_{tcp_options}_{mss}_{window_scale}

Example: 65535_2-4-8-1-3_1460_7

Components

Window size: TCP window size (65535)
TCP options: Ordered list of TCP option kinds (2=MSS, 4=SACK, 8=Timestamps, 1=NOP, 3=Window Scale)
MSS: Maximum segment size (1460)
Window scale: Window scale factor (7)

What it Detects

Operating system fingerprinting
Network stack behavior
Client device type
NAT/proxy presence

Use Cases

Identify botnet traffic
Detect OS spoofing
Track device types
Analyze network topology

JA4H - HTTP Header Fingerprint

Format: {method}{version}{cookie}{referer}{count}{lang}_{headers_hash}_{cookie_names_hash}_{cookie_values_hash}

Example: ge11cr15enus_a1b2c3d4e5f6_123456789abc_def012345678

Components

method: First 2 chars of HTTP method (ge for GET)
version: HTTP version (11 for HTTP/1.1)
cookie: c if Cookie header present, n otherwise
referer: r if Referer header present, n otherwise
count: Number of headers (excluding Cookie/Referer)
lang: Language code (enus for en-US)
Three 12-char SHA256 hashes

What it Detects

Browser fingerprinting
User-agent spoofing
Header manipulation
Automation tools

Use Cases

Detect scrapers
Identify bots
Track browser versions
Spot header tampering

JA4L - Latency Fingerprint

Format: {rtt_microseconds}_{ttl}

Example: 12500_64 (12.5ms RTT, TTL 64)

Components

Client: (ACK - SYNACK) / 2
Server: (SYNACK - SYN) / 2

What it Detects

Network distance
Geographic location estimation
Proxy/VPN detection
CDN usage

Use Cases

Detect proxy chains
Estimate geographic location
Identify VPN usage
Analyze network path

JA4S - TLS Server Response Fingerprint

Format: {proto}{version}{ext_count}{alpn}_{cipher}_{extensions_hash}

Example: t1302h2_1301_a56c5b993250

Components

proto: t for TCP, q for QUIC
version: TLS version (13 for TLS 1.3)
ext_count: Number of extensions (02)
alpn: ALPN protocol (h2 for HTTP/2)
cipher: Cipher suite (1301 = TLS_AES_128_GCM_SHA256)
12-char extension hash

What it Detects

Server TLS configuration
Backend infrastructure
Load balancer behavior
CDN fingerprinting

Use Cases

Map backend infrastructure
Detect server changes
Track TLS configuration
Identify load balancers

JA4X - X.509 Certificate Fingerprint

Format: {issuer_hash}_{subject_hash}_{extensions_hash}

Example: aae71e8db6d7_b186095e22b6_c1a4f9e7d8b3

Components

Three 12-char SHA256 hashes:

Issuer: Issuer RDN OIDs
Subject: Subject RDN OIDs
Extensions: Certificate extension OIDs

What it Detects

Certificate authority patterns
Certificate structure
Organization patterns
Certificate types

Use Cases

Track certificate issuers
Detect certificate changes
Identify certificate types
Map PKI structure

Access Log Integration

All JA4+ fingerprints are automatically included in access logs:

{
  "timestamp": "2025-10-29T12:34:56.789Z",
  "client_ip": "192.168.1.100",
  "http": {
    "method": "GET",
    "path": "/api/data",
    "ja4h": "ge11cr15enus_a1b2c3d4e5f6_123456789abc_def012345678"
  },
  "tls": {
    "ja4": "t13d1516h2_8daaf6152771_b186095e22b6",
    "ja4t": "65535_2-4-8-1-3_1460_7",
    "ja4s": "t1302h2_1301_a56c5b993250",
    "ja4x": "aae71e8db6d7_b186095e22b6_c1a4f9e7d8b3"
  }
}

Configuration

Enable TCP Fingerprinting

tcp_fingerprint:
  enabled: true
  log_interval: 60
  enable_fingerprint_events: true
  events_interval: 30
  min_packet_count: 3
  min_connection_duration: 1

Environment Variables

export AX_TCP_FINGERPRINT_ENABLED="true"
export AX_TCP_FINGERPRINT_LOG_INTERVAL="60"
export AX_TCP_FINGERPRINT_ENABLE_FINGERPRINT_EVENTS="true"
export AX_TCP_FINGERPRINT_EVENTS_INTERVAL="30"
export AX_TCP_FINGERPRINT_MIN_PACKET_COUNT="3"
export AX_TCP_FINGERPRINT_MIN_CONNECTION_DURATION="1"

Analyzing Fingerprints

Extract Unique Fingerprints

# Get unique JA4 fingerprints
tail -n 1000 moat.log | jq -r '.tls.ja4' | sort | uniq -c

# Get unique JA4T fingerprints
tail -n 1000 moat.log | jq -r '.tls.ja4t' | sort | uniq -c

# Get unique JA4H fingerprints
tail -n 1000 moat.log | jq -r '.http.ja4h' | sort | uniq -c

# Correlate client IP with fingerprints
tail -n 1000 moat.log | jq -r '[.client_ip, .tls.ja4t, .http.ja4h] | @tsv'

Statistics Endpoint

# Get TCP fingerprint statistics
curl -s http://localhost:8080/health/tcp_fingerprint_stats | jq .

Sample output:

{
  "timestamp": "2025-10-29T12:34:56.789Z",
  "syn_stats": {
    "total_syns": 150,
    "unique_fingerprints": 12
  },
  "fingerprints": [
    {
      "key": {
        "src_ip": "192.168.1.100",
        "src_port": 54321,
        "fingerprint": "064:1460:65535:007"
      },
      "data": {
        "packet_count": 25,
        "ttl": 64,
        "mss": 1460,
        "window_size": 65535,
        "window_scale": 7
      }
    }
  ]
}

Use Cases

Bot Detection

Combine multiple fingerprints to detect bot traffic:

# Find suspicious patterns
tail -n 1000 moat.log | jq 'select(.tls.ja4 and .http.ja4h) |
  {ip: .client_ip, ja4: .tls.ja4, ja4h: .http.ja4h}' |
  jq -s 'group_by(.ja4) | map({ja4: .[0].ja4, count: length, ips: map(.ip) | unique})'

OS Fingerprinting

Analyze TCP options to identify operating systems:

# Common patterns:
# Linux: TTL=64, Window=65535
# Windows: TTL=128, Window=65535
# macOS: TTL=64, Window=65535

curl -s http://localhost:8080/health/tcp_fingerprint_stats | \
  jq '.fingerprints[] | {ip: .key.src_ip, ttl: .data.ttl, window: .data.window_size}'

Threat Detection

Identify anomalies in fingerprint patterns:

# Find rare fingerprints
tail -n 10000 moat.log | jq -r '.tls.ja4' |
  sort | uniq -c | sort -n | head -20

References

License

JA4 (TLS Client) - BSD 3-Clause License
JA4+ methods (JA4S, JA4H, JA4L, JA4T, JA4X) - FoxIO License 1.1

See JA4 License for details.

Next Steps

Test JA4+ Features - Validate fingerprinting
Configuration Reference - Detailed settings

Implementation Status​

JA4 - TLS Client Fingerprint​

What it Detects​

Use Cases​

JA4T - TCP Fingerprint​

Components​

What it Detects​

Use Cases​

JA4H - HTTP Header Fingerprint​

Components​

What it Detects​

Use Cases​

JA4L - Latency Fingerprint​

Components​

What it Detects​

Use Cases​

JA4S - TLS Server Response Fingerprint​

Components​

What it Detects​

Use Cases​

JA4X - X.509 Certificate Fingerprint​

Components​

What it Detects​

Use Cases​

Access Log Integration​

Configuration​

Enable TCP Fingerprinting​

Environment Variables​

Analyzing Fingerprints​

Extract Unique Fingerprints​

Statistics Endpoint​

Use Cases​

Bot Detection​

OS Fingerprinting​

Threat Detection​

References​

License​

Next Steps​

Implementation Status

JA4 - TLS Client Fingerprint

What it Detects

Use Cases

JA4T - TCP Fingerprint

Components

What it Detects

Use Cases

JA4H - HTTP Header Fingerprint

Components

What it Detects

Use Cases

JA4L - Latency Fingerprint

Components

What it Detects

Use Cases

JA4S - TLS Server Response Fingerprint

Components

What it Detects

Use Cases

JA4X - X.509 Certificate Fingerprint

Components

What it Detects

Use Cases

Access Log Integration

Configuration

Enable TCP Fingerprinting

Environment Variables

Analyzing Fingerprints

Extract Unique Fingerprints

Statistics Endpoint

Use Cases

Bot Detection

OS Fingerprinting

Threat Detection

References

License

Next Steps