
Traffic Filtering by Fingerprints

Vladislav Kutumov edited this page Jan 10, 2025 · 3 revisions

Tempesta FW can filter traffic by client fingerprints of several types. Currently TLS and HTTP fingerprints are supported. For each fingerprint the filter limits the number of connections and the number of records/messages accepted during the last second; the limits for a particular fingerprint are set with the hash directive. To enable the filtering, use the configuration directives ja5t and ja5h for TLS and HTTP filtering respectively.


ja5t
Syntax:         ja5t [storage_size=<bytes>] { ... }
Default:        ja5t 2097152;
Context:        global
Reconfig:       true
Repeat:         false

storage_size is the size in bytes of the internal LRU storage of fingerprints. The parameter is optional; when given, the value must be a multiple of 2^21 bytes. Default is 25 * 2^21 bytes (50 MB).

Minimum is 2^21 bytes (2 MB).

Maximum is 128849018880 bytes (120 GB).

Examples
ja5t storage_size=2097152 {
}

ja5t {
}

ja5t {
    hash deadbeef12345678 10 1000;
    hash aeae463fe56e8e87 10 1000000;
}

ja5h

Has the same syntax as ja5t, but applies to HTTP fingerprints: the records_per_second limit of each hash inside ja5h counts HTTP messages rather than TLS records.


hash
Syntax:         hash <hash_string> <connections_per_second> <records_per_second>;
Default:        none
Context:        ja5h, ja5t
Reconfig:       true
Repeat:         true

hash_string is the fingerprint itself, represented as a hex string without any prefix (no 0x). The value may be retrieved from dmesg, from the mmap access log buffer, or from a ClickHouse database fed with the mmap access log data. No default value.

connections_per_second is the number of connections per second allowed for clients identified by hash_string. No default value.

records_per_second is the number of TLS records per second (inside ja5t) or HTTP messages per second (inside ja5h) allowed for clients identified by hash_string. No default value.

Examples
hash deadbeef12345678 10 1000;
hash aeae463fe56e8e87 0 0;

The second line sets both limits to 0, so no connections and no records/messages are allowed for that fingerprint, which effectively blocks it.
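Because ja5t and ja5h cannot be repeated and storage_size has strict size constraints, it is useful to lint a filtering block before reloading the configuration. The following Python script is an added example, not code from Tempesta FW: it parses ja5t/ja5h blocks, checks storage_size against the multiple-of-2^21, minimum and maximum rules stated above, rejects hash lines whose fingerprint carries a prefix or is listed twice, and reports which fingerprints are fully blocked (both limits 0). The sample configuration, the 50 MB default for an omitted storage_size and the fingerprint 0123456789abcdef are constructed for the example.

```python
"""Lint ja5t/ja5h blocks of a Tempesta FW configuration (added example)."""
import re

# Constraints for storage_size as documented on the page.
STORAGE_UNIT = 1 << 21                 # 2^21 bytes (2 MB); size must be a multiple of this
STORAGE_MIN = STORAGE_UNIT             # 2 MB
STORAGE_MAX = 128849018880             # 120 GB
STORAGE_DEFAULT = 25 * STORAGE_UNIT    # 50 MB, assumed default when storage_size is omitted

# A block is "ja5t" or "ja5h", an optional storage_size=<bytes>, then a brace body.
_BLOCK_RE = re.compile(r"\b(ja5[th])\b\s*(?:storage_size=(\d+))?\s*\{(.*?)\}", re.S)
# hash <hex fingerprint, no prefix> <connections_per_second> <records_per_second>;
_HASH_RE = re.compile(r"^\s*hash\s+([0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s*;\s*$")

# Constructed sample configuration for the example.
SAMPLE_CONFIG = """
ja5t storage_size=4194304 {
    hash deadbeef12345678 10 1000;
    hash aeae463fe56e8e87 0 0;
}

ja5h {
    hash 0123456789abcdef 5 100;
}
"""


def parse_ja5_blocks(config_text):
    """Return {"ja5t"|"ja5h": {"storage_size": int, "hash": {fp: (cps, rps)}}}.

    Raises ValueError on the first violation of the documented rules.
    """
    blocks = {}
    for match in _BLOCK_RE.finditer(config_text):
        name, size, body = match.group(1), match.group(2), match.group(3)
        if name in blocks:
            raise ValueError(f"{name}: directive repeated (Repeat: false)")
        storage = int(size) if size is not None else STORAGE_DEFAULT
        if storage % STORAGE_UNIT:
            raise ValueError(f"{name}: storage_size {storage} is not a multiple of 2^21")
        if not STORAGE_MIN <= storage <= STORAGE_MAX:
            raise ValueError(f"{name}: storage_size {storage} outside [{STORAGE_MIN}, {STORAGE_MAX}]")
        limits = {}
        for line in body.splitlines():
            if not line.strip():
                continue
            hm = _HASH_RE.match(line)
            if hm is None:  # covers bad syntax and prefixed fingerprints such as 0xdead...
                raise ValueError(f"{name}: invalid hash line: {line.strip()!r}")
            fingerprint = hm.group(1).lower()
            if fingerprint in limits:
                raise ValueError(f"{name}: fingerprint {fingerprint} listed twice")
            limits[fingerprint] = (int(hm.group(2)), int(hm.group(3)))
        blocks[name] = {"storage_size": storage, "hash": limits}
    return blocks


def config_errors(config_text):
    """Return a list of error messages (empty when the blocks are valid)."""
    try:
        parse_ja5_blocks(config_text)
    except ValueError as exc:
        return [str(exc)]
    return []


def blocked_fingerprints(blocks):
    """Fingerprints whose connection and record/message limits are both 0."""
    return {(name, fp) for name, blk in blocks.items()
            for fp, (cps, rps) in blk["hash"].items() if cps == 0 and rps == 0}


if __name__ == "__main__":
    parsed = parse_ja5_blocks(SAMPLE_CONFIG)
    for name, blk in parsed.items():
        print(f"{name}: storage_size={blk['storage_size']} hashes={blk['hash']}")
    print("blocked:", sorted(blocked_fingerprints(parsed)))
    print("errors in bad size:", config_errors("ja5t storage_size=3000000 {\n}"))
```

Run it against the real configuration file before a reload; a non-empty list from config_errors points at the offending directive, and blocked_fingerprints lists the entries that will drop every connection for a fingerprint, which is worth double-checking against the access log before it goes live.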