add ja4 package

[anthonykasza]

please include this new package in the zeek package source

[awelzel]

Hey @anthonykasza - thanks for doing this. Just as it's not mentioned and the package name is overly generic, the repo contains code for ja4 fingerprinting and possibly ja4+ in the future (?).

Following just my own personal thoughts:

Given the licensing concerns (you even have CAUTION_LICENSING in zkg.meta as a tag), I'd think a two-package approach would be nicer (certainly depends on the viewpoint). A plain ja4 package that just does the basic "JA4 TLS Client Fingerprinting" and then a separate ja4-plus package or some such. The latter would be for those that 1) see value in the advanced fingerprints and 2) have a good understanding and can accommodate for whatever that means with respect to licensing in their environment.

That is just a thought, I think we can merge as is (mind fixing up the sorting in the .index file though as pointed out by the pre-commit hook?)

[anthonykasza]

I have adjusted the ordering of the lines in zkg.index as requested.
Thank you for your thoughts on how to improve the organization of the package. I will take them into consideration.

[anthonykasza]

@awelzel I have heeded your thoughts and am adding just the ja4 package in this PR. Thank you for your patience.

[awelzel]

@awelzel I have heeded your thoughts and am adding just the ja4 package in this PR. Thank you for your patience.

Thanks, pulled.

The ja3 / ja3s columns in ssl.log always seemed like a good spot, I could see that be preferred over the separate ja4.log, but lets see where it goes :-)