JA4+ Quick Reference Guide

Fingerprint Format Decoder

JA4 (TLS Client) - Format: `a_b_c`

Position   Description                Example
─────────────────────────────────────────────────
a[0]       Protocol (t/q/d)          t = TCP
a[1:3]     TLS version               13 = 1.3
a[3]       SNI (d/i)                 d = domain
a[4:6]     Cipher count              15 = 15 ciphers
a[6:8]     Extension count           16 = 16 extensions
a[8:10]    ALPN                      h2 = HTTP/2
b          Cipher hash (12 char)     8daaf6152771
c          Extension hash (12 char)  02713d6af862

Example: t13d1516h2_8daaf6152771_02713d6af862

TCP traffic, TLS 1.3, to domain, 15 ciphers, 16 extensions, HTTP/2

JA4S (TLS Server) - Format: `a_b_c`

Position   Description                Example
─────────────────────────────────────────────────
a[0]       Protocol (t/q/d)          t = TCP
a[1:3]     TLS version               13 = 1.3
a[3:5]     Cipher count              02 = 2 ciphers
a[5:7]     Extension count           00 = 0 extensions
a[7:9]     ALPN                      h2 = HTTP/2
b          Selected cipher (4 char)  1301 = TLS_AES_128_GCM_SHA256
c          Extension hash (12 char)  a56c5b993250

JA4H (HTTP Client) - Format: `a_b_c_d`

Position   Description                Example
─────────────────────────────────────────────────
a[0:2]     HTTP method               ge = GET
a[2:4]     HTTP version              11 = 1.1
a[4]       Cookie flag (c/n)         c = has cookies
a[5]       Referer flag (r/n)        r = has referer
a[6:8]     Header count              17 = 17 headers
a[8:10]    Language (first 2 chars)  en = English
b          Header hash (12 char)     9ed1ff1f7b03
c          Cookie field hash         cd8dafe26982
d          Cookie value hash         ab12cd34ef56

JA4X (Certificate) - Format: `a_b_c`

Part   Description               Use Case
─────────────────────────────────────────────────
a      Issuer hash (12 char)    Track CA or self-signed
b      Subject hash (12 char)   Identify cert owner
c      Extension hash (12 char) Additional cert properties

Common Protocol Codes

Code	Protocol	Description
`t`	TCP	TLS over TCP
`q`	QUIC	QUIC (HTTP/3)
`d`	DTLS	Datagram TLS

TLS Version Codes

Code	Version	Security Level
`10`	TLS 1.0	CRITICAL (deprecated)
`11`	TLS 1.1	HIGH (deprecated)
`12`	TLS 1.2	MEDIUM (secure)
`13`	TLS 1.3	LOW (most secure)

ALPN Codes

Code	Protocol	Description
`h1`	HTTP/1.1	Legacy HTTP
`h2`	HTTP/2	Modern HTTP
`h3`	HTTP/3	HTTP over QUIC
`dt`	DNS-over-TLS	Encrypted DNS
`dq`	DNS-over-QUIC	DNS via QUIC
`00`	None	No ALPN (may not be browser)

HTTP Method Codes

Code	Method	Common Use
`ge`	GET	Retrieve data
`po`	POST	Submit data
`he`	HEAD	Get headers only
`pu`	PUT	Update resource
`de`	DELETE	Remove resource

Threat Hunting Patterns

Pattern 1: Malware Detection

JA4 + JA4S combination = High fidelity
Known malware fingerprints in database
Check for:
- Legacy TLS versions
- Missing ALPN
- Unusual cipher selection

Pattern 2: Bot Detection

JA4H indicators:
- No cookies (n flag)
- No referer (n flag)
- Low header count (<10)
- Missing Accept-Language

Pattern 3: C2 Infrastructure

JA4X indicators:
- Self-signed certs (part_a ≈ part_b)
- Unusual issuer patterns
- Certificate reuse across IPs

Pattern 4: Campaign Tracking

JA4_ac matching (ignore part_b)
- Same protocol + extensions
- Different cipher selection
- Indicates evasion tactics

Investigation Workflow

Step 1: Analyze Individual Fingerprint

analyze_ja4({ fingerprint: "..." })

Look for:

TLS version (security level)
ALPN presence
Database matches

Step 2: Get Investigation Tips

get_investigation_tips({ fingerprint: "...", fingerprint_type: "ja4" })

Review:

Threat indicators (severity)
Investigation steps
Known applications

Step 3: Compare Variants

compare_fingerprints({ fingerprint1: "...", fingerprint2: "..." })

Identify:

Related clients
Evasion attempts
Same malware family

Step 4: Pattern Detection

detect_patterns({ fingerprints: [...] })

Find:

Campaigns
Outliers
Threat actor groupings

Step 5: Database Research

search_database({ query: "Chrome", search_type: "application" })

Determine:

Known vs. unknown
Verification status
Global observation count

Common Cipher Suite Values (JA4S part_b)

Hex	Cipher Suite	Security
`1301`	TLS_AES_128_GCM_SHA256	Secure
`1302`	TLS_AES_256_GCM_SHA384	Secure
`1303`	TLS_CHACHA20_POLY1305_SHA256	Secure
`c030`	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	Secure
`c02f`	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	Secure

Database Fields Explained

{
  "application": "Chrome",          // Application name
  "library": "BoringSSL",           // TLS library used
  "device": "Windows PC",           // Device type
  "os": "Windows 11",               // Operating system
  "user_agent_string": "...",       // HTTP User-Agent
  "certificate_authority": "...",   // For JA4X
  "observation_count": 1523,        // Times seen globally
  "verified": true,                 // Community verified
  "notes": "...",                   // Additional context
  "ja4_fingerprint": "...",         // TLS client
  "ja4s_fingerprint": "...",        // TLS server
  "ja4h_fingerprint": "...",        // HTTP client
  "ja4x_fingerprint": "...",        // X.509 cert
}

Tool Selection Guide

Task	Tool	When to Use
Single fingerprint analysis	`analyze_ja4/s/h/x`	Understanding what a fingerprint represents
Threat assessment	`get_investigation_tips`	Generating actionable intelligence
Relationship analysis	`compare_fingerprints`	Finding similarities between 2 fingerprints
Campaign detection	`detect_patterns`	Analyzing 2+ fingerprints for groupings
Known application lookup	`search_database`	Finding what uses a fingerprint
Baseline establishment	`database_stats`	Understanding database coverage

Tips

1. Locality-Preserving Analysis

Don’t just match full fingerprints. Use partial matches:

JA4_a = Protocol + version + counts
JA4_b = Cipher selection only
JA4_c = Extensions + signatures only
JA4_ac = Everything except ciphers

2. Baseline Normal Traffic

Run pattern detection on known-good traffic
Document expected fingerprints per service
Flag deviations for review

3. Combine Fingerprint Types

Never analyze JA4 in isolation:

JA4 + JA4S = Client-server pair
JA4 + JA4H = Web traffic profile
All four = Complete picture

4. Database Intelligence

verified: true = High confidence
High observation_count = Common/legitimate
No matches = Unknown (investigate further)

5. Temporal Analysis

Track fingerprint changes over time
Sudden new fingerprints = investigate
Gradual evolution = normal updates
Sporadic appearance = potential threat

Glossary

Term	Definition
SNI	Server Name Indication - TLS extension for domain
ALPN	Application-Layer Protocol Negotiation
GREASE	Generate Random Extensions And Sustain Extensibility
Cipher stunting	Randomizing cipher order to evade detection
Part_a	Metadata (protocol, version, counts)
Part_b	Cipher/header hash
Part_c	Extension/cookie hash
Part_d	User-specific data (JA4H only)

Resources

Specification: https://github.com/FoxIO-LLC/ja4
Database: https://ja4db.com
Blog: https://blog.foxio.io/ja4+-network-fingerprinting
Hunt.io Guide: https://hunt.io/glossary/ja4-fingerprinting

JA4+ Quick Reference Guide

Fingerprint Format Decoder

JA4 (TLS Client) - Format: a_b_c

JA4S (TLS Server) - Format: a_b_c

JA4H (HTTP Client) - Format: a_b_c_d

JA4X (Certificate) - Format: a_b_c

Common Protocol Codes

TLS Version Codes

ALPN Codes

HTTP Method Codes

Threat Hunting Patterns

Pattern 1: Malware Detection

Pattern 2: Bot Detection

Pattern 3: C2 Infrastructure

Pattern 4: Campaign Tracking

Investigation Workflow

Step 1: Analyze Individual Fingerprint

Step 2: Get Investigation Tips

Step 3: Compare Variants

Step 4: Pattern Detection

Step 5: Database Research

Common Cipher Suite Values (JA4S part_b)

Database Fields Explained

Tool Selection Guide

Tips

1. Locality-Preserving Analysis

2. Baseline Normal Traffic

3. Combine Fingerprint Types

4. Database Intelligence

5. Temporal Analysis

Glossary

Resources

JA4 (TLS Client) - Format: `a_b_c`

JA4S (TLS Server) - Format: `a_b_c`

JA4H (HTTP Client) - Format: `a_b_c_d`

JA4X (Certificate) - Format: `a_b_c`