Device Fingerprinting
Rockfish Detect includes ML-based passive device fingerprinting using network signals.
Note: Requires nDPI fingerprints in flow data (Professional+ license for rockfish_probe).
Overview
Device fingerprinting identifies devices and operating systems based on their network behavior, without requiring agents or active scanning.
Signals Used
| Priority | Signal | Field | Description |
|---|---|---|---|
| Primary | TLS client | ndpi_ja4 | JA4 TLS client fingerprint |
| Primary | TLS server | ndpi_ja3s | JA3 TLS server fingerprint |
| Secondary | TCP stack | ndpi_tcp_fp | TCP fingerprint with OS hint (TTL, window size, options) |
| Secondary | Composite | ndpi_fp | nDPI combined fingerprint for device correlation |
| Tertiary | Application | - | HTTP headers, DNS patterns |
Use Cases
- Asset Inventory - Discover devices on your network
- Baseline Monitoring - Track device behavior over time
- Lateral Movement Detection - Detect hosts changing fingerprints
- Unauthorized Devices - Identify unexpected device types
Commands
Build Fingerprint Database
Build baseline from historical data:
```bash
# Build from last 7 days
rockfish_detect -c config.yaml fingerprint build --days 7
# Build from specific date range
rockfish_detect -c config.yaml fingerprint build --start 2025-01-01 --end 2025-01-28
```
Detect Anomalies
Find hosts with unusual fingerprint changes:
```bash
# Detect for today
rockfish_detect -c config.yaml fingerprint detect
# Detect for specific date
rockfish_detect -c config.yaml fingerprint detect --date 2025-01-28
```
Profile Specific Host
Get fingerprint profile for an IP:
```bash
# Profile specific IP
rockfish_detect -c config.yaml fingerprint profile --ip 192.168.1.100
# With history
rockfish_detect -c config.yaml fingerprint profile --ip 192.168.1.100 --days 30
```
Configuration
```yaml
fingerprint:
  enabled: true
  history_days: 7
  client_field: ndpi_ja4
  server_field: ndpi_ja3s
  min_observations: 10
  anomaly_threshold: 0.7
  max_fingerprints_per_host: 5
  detect_suspicious: true
```
| Option | Default | Description |
|---|---|---|
| enabled | false | Enable fingerprinting |
| history_days | 7 | Days of history to analyze |
| client_field | ndpi_ja4 | Field for client fingerprint (JA4 via nDPI) |
| server_field | ndpi_ja3s | Field for server fingerprint (JA3 via nDPI) |
| min_observations | 10 | Minimum flows to establish baseline |
| anomaly_threshold | 0.7 | Score threshold for anomalies |
| max_fingerprints_per_host | 5 | Expected max fingerprints per device |
| detect_suspicious | true | Flag suspicious changes |
How It Works
1. Baseline Building
For each IP address, collect:
- Set of observed ndpi_ja4 fingerprints (client connections)
- Set of observed ndpi_ja3s fingerprints (server connections)
- Frequency of each fingerprint
- First and last seen timestamps
2. Anomaly Detection
Flag hosts that:
- Present a new, never-seen fingerprint
- Exceed max_fingerprints_per_host
- Show sudden fingerprint changes
- Have rare fingerprint combinations
3. Correlation Scoring
Score fingerprint pairs by frequency:
```text
Rare pair (first time seen)      -> High anomaly score
Common pair (seen 1000+ times)   -> Low anomaly score
```
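The three steps above, as an added example that is not Rockfish's own code: it builds a per-IP baseline from constructed flow records, applies the four anomaly rules to one day's flows, and scores client/server pairs by how often they were seen. The record shape (src, dst, ts alongside the page's ndpi_ja4 and ndpi_ja3s fields), the rarity formula and all sample data are assumptions; the two JA4 values are the ones quoted in the scenarios below.

```python
"""Added example (not Rockfish's own code): the baseline / detect / score steps
run over constructed flow records. Record shape, rarity formula and sample data
are assumptions made for this example."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
import math

# Same keys and defaults as the page's `fingerprint:` configuration block.
CONFIG = {"min_observations": 10, "anomaly_threshold": 0.7, "max_fingerprints_per_host": 5}

WIN11 = "t13d1516h2_8daaf6152771_b0da82dd1658"  # JA4 values quoted from the page's scenarios
LINUX = "t13d1517h2_5b57614c22b0_06cda9e17597"
SRV_A, SRV_B = "ja3s_internal_a", "ja3s_external_b"  # constructed JA3S placeholders


def flow(src, dst, ja4, ja3s, ts):
    return {"src": src, "dst": dst, "ndpi_ja4": ja4, "ndpi_ja3s": ja3s, "ts": ts}


# Constructed 7-day history: .100 and .150 are stable Windows hosts; .20 has too few flows.
BASELINE_FLOWS = (
    [flow("192.168.1.100", "10.0.0.5", WIN11, SRV_A, f"2025-01-2{d}T09:00:00Z")
     for d in range(1, 8) for _ in range(3)]
    + [flow("192.168.1.150", "10.0.0.5", WIN11, SRV_A, f"2025-01-2{d}T10:00:00Z")
       for d in range(1, 8) for _ in range(2)]
    + [flow("192.168.1.20", "10.0.0.5", WIN11, SRV_A, "2025-01-27T11:00:00Z") for _ in range(3)]
)

# Constructed flows for the day being analysed.
TODAY_FLOWS = [
    flow("192.168.1.100", "10.0.0.5", WIN11, SRV_A, "2025-01-28T09:00:00Z"),      # normal
    flow("192.168.1.100", "45.33.32.156", LINUX, SRV_B, "2025-01-28T14:32:00Z"),  # new fp, never-seen pair
    flow("192.168.1.150", "10.0.0.5", LINUX, SRV_A, "2025-01-28T10:00:00Z"),      # whole host switched fp
    flow("192.168.1.20", "10.0.0.5", LINUX, SRV_A, "2025-01-28T10:00:00Z"),       # no baseline yet
]


@dataclass
class HostBaseline:
    client_fps: Counter = field(default_factory=Counter)  # ndpi_ja4 seen with this IP as client
    server_fps: Counter = field(default_factory=Counter)  # ndpi_ja3s seen with this IP as server
    client_flows: int = 0
    first_seen: str = ""
    last_seen: str = ""


def build_baseline(flows):
    """Step 1: per-IP fingerprint sets with frequencies and first/last seen, plus (ja4, ja3s) pair counts."""
    hosts = defaultdict(HostBaseline)
    pairs = Counter()
    for f in flows:
        src, dst = hosts[f["src"]], hosts[f["dst"]]
        src.client_fps[f["ndpi_ja4"]] += 1
        src.client_flows += 1
        dst.server_fps[f["ndpi_ja3s"]] += 1
        for h in (src, dst):  # ISO-8601 timestamps order correctly as strings
            h.first_seen = min(h.first_seen or f["ts"], f["ts"])
            h.last_seen = max(h.last_seen, f["ts"])
        pairs[(f["ndpi_ja4"], f["ndpi_ja3s"])] += 1
    return hosts, pairs


def pair_score(count):
    """Step 3: a first-time pair scores 1.0; a pair seen 1000+ times scores about 0.25."""
    return 1.0 / (1.0 + math.log10(1 + count))


def detect(hosts, pairs, new_flows, cfg=CONFIG):
    """Step 2: apply the page's four rules to one day's flows; returns alerts keyed by client IP."""
    alerts = defaultdict(lambda: {"reasons": set(), "max_score": 0.0})
    today_fps = defaultdict(set)
    for f in new_flows:
        host = hosts.get(f["src"])
        if host is None or host.client_flows < cfg["min_observations"]:
            continue  # not enough history to judge this host
        ja4, ja3s = f["ndpi_ja4"], f["ndpi_ja3s"]
        today_fps[f["src"]].add(ja4)
        reasons = set()
        if ja4 not in host.client_fps:
            reasons.add("new_fingerprint")
        if len(set(host.client_fps) | today_fps[f["src"]]) > cfg["max_fingerprints_per_host"]:
            reasons.add("exceeds_max_fingerprints")
        score = pair_score(pairs[(ja4, ja3s)])  # Counter returns 0 for a never-seen pair
        if score >= cfg["anomaly_threshold"]:
            reasons.add("rare_pair")
        if reasons:
            alerts[f["src"]]["reasons"] |= reasons
            alerts[f["src"]]["max_score"] = max(alerts[f["src"]]["max_score"], score)
    # "Sudden change": everything the host presented today lies outside its baseline set.
    for ip, fps in today_fps.items():
        if fps.isdisjoint(hosts[ip].client_fps):
            alerts[ip]["reasons"].add("fingerprint_change")
    return {ip: {"reasons": sorted(a["reasons"]), "max_score": round(a["max_score"], 3)}
            for ip, a in alerts.items()}


def run():
    hosts, pairs = build_baseline(BASELINE_FLOWS)
    return detect(hosts, pairs, TODAY_FLOWS)


if __name__ == "__main__":
    for ip, alert in run().items():
        print(ip, alert)
```

Running it flags 192.168.1.100 for a new fingerprint and a never-seen pair, flags 192.168.1.150 additionally for a wholesale fingerprint change, and stays silent on 192.168.1.20 because it never reached min_observations. The `client_flows` gate is what keeps a freshly connected host from generating a flood of "new fingerprint" alerts before any baseline exists.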
Detection Scenarios
New Device on Network
```text
Alert: New fingerprint detected
Host: 192.168.1.150
Fingerprint: t13d1516h2_8daaf6152771_b0da82dd1658
First seen: 2025-01-28T14:32:00Z
Action: Verify device is authorized
```
Host Fingerprint Change
```text
Alert: Fingerprint change detected
Host: 192.168.1.100
Previous: t13d1516h2_8daaf6152771_b0da82dd1658 (Windows 11)
Current: t13d1517h2_5b57614c22b0_06cda9e17597 (Linux)
Risk: Possible lateral movement or VM switch
```
Unusual Client/Server Pair
```text
Alert: Rare fingerprint combination
Client: 192.168.1.100 (ndpi_ja4: t13d1516h2_...)
Server: 45.33.32.156 (ndpi_ja3s: t120200_...)
Observations: 1 (first time)
Typical for this client: 847 connections to known servers
Risk: New external communication
```
Integration with Hybrid Scoring
Fingerprint correlation is a component of the hybrid algorithm:
```yaml
training:
  algorithm: hybrid
  hybrid:
    hbos_weight: 0.5
    correlation_weight: 0.3  # Fingerprint correlation
    threat_intel_weight: 0.2
```
Flows with rare fingerprint combinations receive higher anomaly scores.
Output Schema
Fingerprint analysis adds these fields to scored flows:
| Field | Type | Description |
|---|---|---|
| fp_client | String | Client fingerprint (ndpi_ja4) |
| fp_server | String | Server fingerprint (ndpi_ja3s) |
| fp_pair_count | Int | Times this pair has been seen |
| fp_client_count | Int | Times client has been seen |
| fp_is_new | Bool | First observation of this pair |
| fp_anomaly_score | Float | Fingerprint-specific anomaly score |
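The hybrid weighting from the previous section and the output fields in this table, as one added example that is not Rockfish's own code: a per-flow rarity score is combined with HBOS and threat-intel components using the page's weights, and the fp_* fields are attached to the scored flow. The weighted-sum combination, the renormalisation of weights for flows that carry no TLS fingerprints (see Limitations), the rarity formula and all sample counts are assumptions; the JA4 value is quoted from the page.

```python
"""Added example (not Rockfish's own code): folding a fingerprint rarity score into the
page's hybrid weights and emitting the fp_* output fields. Weighted-sum combination,
renormalisation for non-TLS flows, rarity formula and sample data are assumptions."""
import math

HYBRID = {"hbos_weight": 0.5, "correlation_weight": 0.3, "threat_intel_weight": 0.2}  # page values

JA4_WIN = "t13d1516h2_8daaf6152771_b0da82dd1658"  # quoted from the page
JA3S_KNOWN, JA3S_NEW = "ja3s_known_internal", "ja3s_external_new"  # constructed placeholders

# Constructed counts standing in for the fingerprint database built from history.
PAIR_COUNTS = {(JA4_WIN, JA3S_KNOWN): 847}
CLIENT_COUNTS = {JA4_WIN: 850}


def fp_score(pair_count):
    """Rarity of a (client, server) pair: 1.0 when never seen, falling towards 0 as it becomes common."""
    return 1.0 / (1.0 + math.log10(1 + pair_count))


def hybrid_score(components, weights=HYBRID):
    """Weighted sum of the components that are present (None = not available for this flow).
    Weights are renormalised over the present components, so a non-TLS flow with no
    fingerprint term is neither penalised nor rewarded for the missing signal (assumption)."""
    if not math.isclose(sum(weights.values()), 1.0):
        raise ValueError("hybrid weights must sum to 1.0")
    present = {k.removesuffix("_weight"): w for k, w in weights.items()
               if components.get(k.removesuffix("_weight")) is not None}
    total = sum(present.values())
    if total == 0:
        return 0.0
    return round(sum(w * components[k] for k, w in present.items()) / total, 3)


def annotate(flow, hbos, threat_intel, pair_counts=PAIR_COUNTS,
             client_counts=CLIENT_COUNTS, weights=HYBRID):
    """Return the flow with the page's fp_* fields (TLS flows only) and a combined anomaly_score."""
    out = dict(flow)
    ja4, ja3s = flow.get("ndpi_ja4"), flow.get("ndpi_ja3s")
    fp = None
    if ja4 and ja3s:  # fingerprints exist only for TLS connections
        pair_count = pair_counts.get((ja4, ja3s), 0)
        fp = fp_score(pair_count)
        out.update({
            "fp_client": ja4,
            "fp_server": ja3s,
            "fp_pair_count": pair_count,
            "fp_client_count": client_counts.get(ja4, 0),
            "fp_is_new": pair_count == 0,
            "fp_anomaly_score": round(fp, 3),
        })
    out["anomaly_score"] = hybrid_score(
        {"hbos": hbos, "correlation": fp, "threat_intel": threat_intel}, weights)
    return out


# Constructed flows: a routine TLS connection, a first-time external TLS pair, and a non-TLS flow.
SAMPLE = [
    (dict(src="192.168.1.100", dst="10.0.0.5", ndpi_ja4=JA4_WIN, ndpi_ja3s=JA3S_KNOWN), 0.2, 0.0),
    (dict(src="192.168.1.100", dst="45.33.32.156", ndpi_ja4=JA4_WIN, ndpi_ja3s=JA3S_NEW), 0.3, 0.6),
    (dict(src="192.168.1.100", dst="10.0.0.53", proto="udp"), 0.8, 0.0),
]


def score_samples():
    return [annotate(f, hbos, ti) for f, hbos, ti in SAMPLE]


if __name__ == "__main__":
    for row in score_samples():
        print({k: v for k, v in row.items() if k.startswith(("fp_", "anomaly"))})
```

The routine flow ends up with a low combined score, the first-time external pair gets fp_is_new and the full correlation weight, and the UDP flow carries no fp_* fields at all; without the renormalisation every non-TLS flow would either be silently scored as a "rare pair" or lose 30% of its possible score, neither of which is what the hybrid weights intend.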
Best Practices
1. Build Sufficient Baseline
- Use at least 7 days of data
- Include weekdays and weekends
- Ensure coverage of all network segments
2. Tune Thresholds
- Start with defaults
- Adjust max_fingerprints_per_host for your environment
- Some hosts (proxies, VMs) legitimately have many fingerprints
3. Handle Known Exceptions
- Exclude known multi-fingerprint hosts
- Document expected fingerprint changes (updates, migrations)
4. Combine with Other Signals
- Use hybrid algorithm for combined scoring
- Correlate with threat intelligence
- Consider flow volume and timing
Limitations
- Requires nDPI fingerprint fields (ndpi_ja4, ndpi_ja3s, ndpi_tcp_fp, ndpi_fp) in flow data
- TLS fingerprints only available for TLS connections
- VPN/proxy traffic may obscure true fingerprints
- Fingerprints can change with software updates