Support FAQ

How to Evaluate a Network Fingerprint Database

Back to learning

A fingerprint database is only as trustworthy as the evidence behind its labels. A large row count, familiar application name or precise-looking hash does not establish that the mapping is correct, current or exclusive.

Use this checklist before importing a public database into hunting, classification or enforcement.

1. Identify the database type

First determine whether the source is:

  • an observed fingerprint-to-label mapping;
  • a prevalence observatory;
  • a matcher or signature ruleset;
  • a malware or threat feed;
  • a hosted classification service;
  • an interchange schema; or
  • a public implementation whose production data remains private.

These categories answer different questions. What Is a Network Fingerprint Database? explains the distinctions.

2. Find the independent source of the label

Ask how the application, library, operating system or malware label was established.

Stronger evidence includes:

  • a controlled capture from a named client build;
  • endpoint process telemetry joined to the network flow;
  • a reviewed malware sandbox execution;
  • a submitted PCAP with reproducible generation steps;
  • an active probe response matched by a documented rule.

Weaker evidence includes an unexplained community assertion, a user agent copied from the same connection, or a label inferred from another fingerprint database.

Watch for circular evaluation. If a row was labelled “Chrome” because its JA4 looked like Chrome, that row cannot independently prove that the same JA4 identifies Chrome.

3. Require provenance per mapping

A reusable row should record more than a hash and name:

fingerprint method and rule version
raw or reversible representation
application, library, OS and device labels
label source and collection method
capture point
first and last seen
observation count
supporting capture or evidence reference
review state and confidence
licence

Most public mappings do not meet this standard. The Salesforce JA3 examples lack per-row capture evidence and timestamps. FoxIO's public JA4 sample has useful cross-method columns but no per-row submitter, observation time or confidence. Trisul combines several historical sources but does not consistently attach provenance to each record.

That does not make the rows useless. It determines how strongly they can be interpreted.

4. Keep the source representation

Hash-only databases are easy to index and difficult to audit.

Where possible, retain:

  • the JA3 source string beside its MD5;
  • JA4_r beside JA4;
  • the full versioned Mercury NPF string beside its hash nickname;
  • HASSH algorithm lists beside the MD5;
  • the probe response or banner that satisfied a matcher rule.

The source fields let an operator see whether the difference came from a cipher, extension, signature algorithm, ordering choice or format implementation. They also make it possible to migrate when a fingerprint definition changes.

5. Record the implementation and version

Two tools can expose a field called ja4 and still disagree at malformed packets, truncated handshakes or new extensions. Record the implementation revision and configuration that produced the value.

For versioned formats, retain the rule version in the key. Mercury's tls, tls/1 and tls/2 formats make different sorting and selection decisions. A database that drops that version loses part of the fingerprint's meaning.

6. Measure coverage rather than quoting row count

“One million fingerprints” can mean one million unlabelled observations. “Six million fingerprints” may refer to combinations feeding a proprietary device classifier. “626 JA3 rows” may mostly describe 2018-era clients.

Coverage questions include:

  • How many rows have labels?
  • Which protocols and fingerprint methods are populated?
  • Which operating systems, versions, devices and regions appear?
  • How many labels come from current software?
  • Are common libraries represented across several applications?
  • How much traffic falls into unknown or conflicting labels?

The TLS Fingerprint Observatory is valuable partly because it exposes prevalence even when labels are absent. That is more honest than filling unknown observations with confident names.

7. Expect several labels per fingerprint

A database schema should support:

one fingerprint -> several candidate applications
one application -> several fingerprints

Shared TLS and SSH libraries make this unavoidable. A single “application” column encourages consumers to treat the most familiar label as exclusive.

Cisco Mercury's documented resource model records process counts, operating-system observations and destinations for each fingerprint. Its classifier then ranks candidates using context. The public production data is absent, but the schema demonstrates the right many-to-many shape. See the Mercury resource documentation.

8. Separate malicious observation from malicious identity

Threat feeds need an additional boundary.

SSLBL says its JA3 fingerprints were collected from malware-generated PCAPs and not tested against known-good traffic. A database consumer should preserve that wording as something like:

observed_in_malware_samples = true
malware_family_labels = [...]
known_good_evaluation = not_performed

It should not be rewritten as:

fingerprint_is_malware = true

The distinction matters because malware often uses common TLS libraries. Cisco's destination-context paper found that many public malware JA3 indicators were more strongly associated with benign processes in its enterprise data. Accurate TLS Fingerprinting Using Destination Context and Knowledge Bases documents that result.

9. Check capture position and context

A fingerprint observed at an origin may describe a reverse proxy rather than the original client. A DHCP fingerprint comes from a different trust boundary than an HTTP user agent. A JARM value describes the TLS server behaviour seen through the scanning path.

Store the capture position and forwarding provenance. If a fingerprint is supplied in a request header, document which trusted edge generated it and strip client-supplied copies.

10. Check freshness and expiry

For every label, ask:

  • When was it first and last observed?
  • Which client version produced it?
  • Does the database retire stale mappings?
  • Does it distinguish “not seen recently” from “known bad”?
  • How are browser, library and operating-system updates handled?

Public JA3 lists from 2018 remain useful for historical investigations. They should not silently become the baseline for current browser populations.

11. Read the dataset licence separately

An open fingerprint algorithm does not guarantee an open database.

Core JA4 is BSD-licensed, while other JA4+ methods use the FoxIO License. That still does not establish the licence of the hosted JA4DB dataset. Nmap source and data files use the Nmap Public Source License, which places conditions on proprietary incorporation. Trisul's combined mapping repository lacks a clear dataset-wide licence.

Check:

  • algorithm licence;
  • implementation licence;
  • database or API terms;
  • redistribution rights;
  • commercial-use restrictions;
  • attribution and share-alike requirements.

If the dataset licence is unclear, link to the source rather than copying it into a product or public repository.

12. Validate locally before enforcement

Before using a public mapping:

  1. Join it to local observations without taking action.
  2. Inspect the largest and highest-risk cohorts.
  3. Compare labels with independent local evidence.
  4. Measure unknown, conflicting and known-good matches.
  5. Pin the database snapshot and detector version.
  6. Start with observation or investigation.
  7. Add expiry, review and rollback before challenge, rate limit or block.

A database lookup should change the questions an analyst asks. It should not end the investigation by itself.

The current public resources are compared in Public Network Fingerprint Databases and What They Cover. For the protocol-level identity limit, see A Network Fingerprint Is a Cohort, Not a Client.

Related Articles

AI Crawler User Agents

A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.

AI For Cybersecurity

AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

AI Image Generation

AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

© PEAKHOUR.IO PTY LTD 2026   ABN 76 619 930 826    All rights reserved.