From 467c9b43edc877d3d1a3ca31da8dd7a7c3ac89a6 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 26 Jun 2024 18:04:30 +0200
Subject: [PATCH] new: [ja4-plus] new MISP object template to describe JA4+ fingerprints fix: https://github.com/MISP/MISP/issues/9759
---
objects/ja4-plus/definition.json | 45 ++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
create mode 100644 objects/ja4-plus/definition.json
diff --git a/objects/ja4-plus/definition.json b/objects/ja4-plus/definition.json
new file mode 100644
index 0000000..08ce89c
--- /dev/null
+++ b/objects/ja4-plus/definition.json
@@ -0,0 +1,45 @@
+{
+ "attributes": {
+ "description": {
+ "description": "Description of the JA4+ fingerprint including scope, collection or specific notes which could help an analyst to reproduce the calculation.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "ip-src": {
+ "description": "IP address related to this JA4+ fingerprint.",
+ "misp-attribute": "ip-src",
+ "ui-priority": 1,
+ "multiple": true
+ },
+ "ja4-type": {
+ "description": "One of the JA4+ type expressed as short name.",
+ "misp-attribute": "text",
+ "ui-priority": 1,
+ "sane_default": [
+ "JA4",
+ "JA4S",
+ "JA4H",
+ "JA4L",
+ "JA4X",
+ "JA4SSH",
+ "JA4T",
+ "JA4TS",
+ "JA4TScan"
+ ]
+ },
+ "ja4-fingerprint": {
+ "description": "A JA4+ fingerprint as defined by the JA4+ standard in textual format.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ }
+ },
+ "description": "JA4 is a technique for creating network fingerprints that are easy to produce and can be easily shared for threat intelligence. https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/README.md",
+ "meta-category": "network",
+ "name": "ja3",
+ "required": [
+ "ja4-fingerprint",
+ "ja4-type"
+ ],
+ "uuid": "2c15c75e-e7db-4b62-8d17-633e7571818f",
+ "version": 1
+}
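Review bot: The top-level `"name": "ja3"` does not match this template, which is created under objects/ja4-plus/ and describes JA4+ fingerprints; it looks carried over from another template and should read `"name": "ja4-plus"`. With the wrong name, JA4+ objects would be labelled as ja3 in events, so filters, exports and detection content keyed on the object name would mix the two fingerprint families. It is worth confirming that the `uuid` was freshly generated for this template as well, since a reused value would make two definitions indistinguishable to consumers. Separately, `ja4-type` and `description` are plain `text` attributes that will hold a handful of repeated values, so adding `"disable_correlation": true` to both would avoid noisy correlations between unrelated events.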