Skip to content

Commit

Permalink
ja4: resolve ja4 for each event in event view
Browse files Browse the repository at this point in the history 
On the webapp, display the user agent as part of the event
description.
  • Loading branch information
@jasonish
jasonish committed Jan 28, 2025
1 parent f6ddeb8 commit c237188
Show file tree
Hide file tree
Showing 6 changed files with 58 additions and 2 deletions.
14 changes: 14 additions & 0 deletions src/elastic/eventrepo/events.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,20 @@ impl ElasticEventRepo {
if self.ecs {
self.transform_ecs(&mut hit);
}

if let Some(ja4) = hit["_source"]["tls"]["ja4"].as_str() {
if let Some(configdb) = crate::server::context::get_configdb() {
let sql = "SELECT data FROM ja4db WHERE fingerprint = ?";
let info: Option<serde_json::Value> = sqlx::query_scalar(sql)
.bind(ja4)
.fetch_optional(&configdb.pool)
.await?;
if let Some(info) = info {
hit["_source"]["ja4db"] = info;
}
}
}

events.push(hit);
}
}
Expand Down
20 changes: 20 additions & 0 deletions src/server/context.rs
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
// SPDX-FileCopyrightText: (C) 2025 Jason Ish <[email protected]>
// SPDX-License-Identifier: MIT

use std::sync::{OnceLock, RwLock};

use super::ConfigDb;

pub static CONFIGDB: OnceLock<RwLock<Option<ConfigDb>>> = OnceLock::new();

pub(crate) fn set_configdb(configdb: ConfigDb) {
CONFIGDB.get_or_init(|| RwLock::new(Some(configdb)));
}

pub(crate) fn get_configdb() -> Option<ConfigDb> {
CONFIGDB
.get_or_init(|| RwLock::new(None))
.read()
.unwrap()
.clone()
}
2 changes: 2 additions & 0 deletions src/server/main.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,8 @@ pub async fn main(args: &clap::ArgMatches) -> Result<()> {
configdb::open(None).await?
};

crate::server::context::set_configdb(configdb.clone());

let metrics = Arc::new(crate::server::metrics::Metrics::default());

let datastore = configure_datastore(
Expand Down
1 change: 1 addition & 0 deletions src/server/mod.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ use std::sync::{Arc, RwLock};

pub(crate) mod api;
pub(crate) mod autoarchive;
pub(crate) mod context;
pub(crate) mod main;
pub(super) mod metrics;
pub(crate) mod session;
Expand Down
17 changes: 16 additions & 1 deletion src/sqlite/eventrepo/events.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,22 @@ impl SqliteEventRepo {
let mut rows = sqlx::query_with(&sql, params).fetch(&self.pool);
let mut events = vec![];
while let Some(row) = rows.try_next().await? {
events.push(row_mapper(row)?);
let mut row = row_mapper(row)?;

if let Some(ja4) = row["_source"]["tls"]["ja4"].as_str() {
if let Some(configdb) = crate::server::context::get_configdb() {
let sql = "SELECT data FROM ja4db WHERE fingerprint = ?";
let info: Option<serde_json::Value> = sqlx::query_scalar(sql)
.bind(ja4)
.fetch_optional(&configdb.pool)
.await?;
if let Some(info) = info {
row["_source"]["ja4db"] = info;
}
}
}

events.push(row);
}

debug!(
Expand Down
6 changes: 5 additions & 1 deletion webapp/src/formatters.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ import { get_duration } from "./datetime";

export function formatEventDescription(event: Event): string {
try {
const source = event._source;
switch (event._source.event_type) {
case "alert": {
const alert = event._source.alert!;
Expand Down Expand Up @@ -164,7 +165,7 @@ export function formatEventDescription(event: Event): string {
return parts.join(" ");
}
case "tls": {
const tls = event._source.tls!;
const tls = source.tls!;
let parts = [];
if (tls.version) {
parts.push(tls.version);
Expand All @@ -177,6 +178,9 @@ export function formatEventDescription(event: Event): string {
if (tls.subject) {
parts.push(tls.subject);
}
if (source.ja4db?.user_agent_string) {
parts.push(source.ja4db.user_agent_string);
}
return parts.join(" - ");
}
case "http": {
Expand Down

0 comments on commit c237188

Please sign in to comment.