Skip to content

Commit bf1fcb9

Browse files
john-althousejohn-althouse
authored
Merge pull request #149 from p-l-/fix-zeek-ja4c
Zeek: fix ja4_c with no signature algorithms
2 parents 977da74 + c32af49 commit bf1fcb9

File tree

1 file changed

+9
-5
lines changed

1 file changed

+9
-5
lines changed

zeek/ja4/main.zeek

Lines changed: 9 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -148,9 +148,11 @@ function do_ja4(c: connection) {
148148

149149
local ja4_c: string = FINGERPRINT::vector_of_count_to_str(
150150
FINGERPRINT::order_vector_of_count(extensions));
151-
ja4_c += FINGERPRINT::delimiter;
152-
ja4_c += FINGERPRINT::vector_of_count_to_str(c$fp$client_hello$signature_algos);
153-
151+
if (|c$fp$client_hello$signature_algos| > 0) {
152+
ja4_c += FINGERPRINT::delimiter;
153+
ja4_c += FINGERPRINT::vector_of_count_to_str(c$fp$client_hello$signature_algos);
154+
}
155+
154156
# ja4, ja4, ja4, ja4, ja4, ja4. say it some more. ja4, ja4, ja4.
155157
c$fp$ja4$ja4 = ja4_a;
156158
c$fp$ja4$ja4 += FINGERPRINT::delimiter;
@@ -168,8 +170,10 @@ function do_ja4(c: connection) {
168170

169171
# original extensions ordering, including APPLN and SNI
170172
ja4_c = FINGERPRINT::vector_of_count_to_str(c$fp$client_hello$extension_codes);
171-
ja4_c += FINGERPRINT::delimiter;
172-
ja4_c += FINGERPRINT::vector_of_count_to_str(c$fp$client_hello$signature_algos);
173+
if (|c$fp$client_hello$signature_algos| > 0) {
174+
ja4_c += FINGERPRINT::delimiter;
175+
ja4_c += FINGERPRINT::vector_of_count_to_str(c$fp$client_hello$signature_algos);
176+
}
173177

174178
# ja4_o
175179
c$fp$ja4$o = ja4_a;

0 commit comments

Comments
 (0)