TLS Analysis
Huginn Net supports TLS analysis. TLS is a cryptographic protocol used to secure communications over a network. By analyzing the characteristics of TLS handshakes, Huginn Net can identify the client based on the JA4 signature.
TLS Signature (JA4)
Huginn Net is based on JA4 (FoxIO-style) TLS fingerprinting, which encodes the structure of the ClientHello message into a compact signature. This allows for identification of client software and detection of anomalies or evasion techniques.
ja4 = version:ciphers:extensions:groups:point_formats
version: TLS version used in the handshake (e.g., 771 for TLS 1.2).
ciphers: Ordered list of cipher suites offered by the client.
extensions: Ordered list of TLS extensions present in the ClientHello.
groups: Supported groups (elliptic curves, etc.).
point_formats: Supported EC point formats.
TLS Client
.-[ 192.168.1.10/45234 -> 172.217.5.46/443 (tls client) ]-
|
| client = 192.168.1.10/45234
| ja4 = t13d1516h2_8daaf6152771_b0da82dd1658
| ja4_r = t13d1516h2_002f,0035,009c,009d,1301,1302,1303_0005,000a,000b,000d,0012,0015,002b,0033,002d
| ja4_o = t13d1516h2_8daaf6152771_b0da82dd1658
| ja4_or = t13d1516h2_002f,0035,009c,009d,1301,1302,1303_0005,000a,000b,000d,0012,0015,002b,0033,002d
| sni = www.google.com
| version = 1.3
`----
TLS Key Fields
client: The source IP and port initiating the connection.
ja4: The computed JA4 TLS fingerprint for the ClientHello.
ja4_r: The raw JA4 string, showing the ordered list of ciphers and extensions.
ja4_o: The observed JA4 fingerprint (may be identical to ja4, but can differ if options are reordered or normalized).
ja4_or: The raw observed JA4 string, showing the actual order of ciphers and extensions as seen on the wire.
sni: The Server Name Indication (SNI) value, indicating the hostname the client is connecting to.
version: The TLS protocol version used (e.g., 1.3).
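The following is an added example, not Huginn Net's own code: it parses a record in the output format shown above, decodes the readable first section of the ja4 value (t13d1516h2 in the sample), and cross-checks it against the version, sni and ja4_o fields. The prefix layout follows the published FoxIO JA4 format; the function names and the finding messages are hypothetical.

```python
import re

# Subset of the "TLS Client" record shown above (values copied from the page).
SAMPLE = """\
.-[ 192.168.1.10/45234 -> 172.217.5.46/443 (tls client) ]-
|
| client = 192.168.1.10/45234
| ja4 = t13d1516h2_8daaf6152771_b0da82dd1658
| ja4_o = t13d1516h2_8daaf6152771_b0da82dd1658
| sni = www.google.com
| version = 1.3
`----
"""

TRANSPORT = {"t": "tcp", "q": "quic"}
VERSIONS = {"13": "1.3", "12": "1.2", "11": "1.1", "10": "1.0"}
# transport, TLS version, SNI flag, cipher count, extension count, ALPN hint
JA4_A = re.compile(r"^([tq])([0-9s]{2})([di])(\d{2})(\d{2})(.{2})$")

def parse_record(text):
    """Collect the '| key = value' lines of one record into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\|\s*(\w+)\s*=\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def decode_ja4_a(ja4):
    """Decode the first, human-readable section of a JA4 fingerprint."""
    m = JA4_A.match(ja4.split("_")[0])
    if m is None:
        raise ValueError(f"not a JA4 prefix: {ja4!r}")
    t, ver, sni, nc, ne, alpn = m.groups()
    return {"transport": TRANSPORT[t], "version": VERSIONS.get(ver, ver),
            "sni_present": sni == "d", "cipher_count": int(nc),
            "extension_count": int(ne), "alpn": None if alpn == "00" else alpn}

def check_record(fields):
    """Cross-check the decoded prefix against the record's other fields."""
    a = decode_ja4_a(fields["ja4"])
    findings = []
    if a["version"] != fields.get("version"):
        findings.append("version field disagrees with JA4 prefix")
    if a["sni_present"] != bool(fields.get("sni")):
        findings.append("sni field disagrees with JA4 prefix")
    if fields.get("ja4_o") and fields["ja4_o"] != fields["ja4"]:
        findings.append("ja4_o differs from ja4")
    return a, findings
```

A non-empty findings list marks a record worth a closer look: either the record's fields are internally inconsistent, or the order seen on the wire does not match the normalized order.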