What is an Account-Control Surface?
Understand the account-control surface and why account protection has to cover more than the login form.
Support FAQ
There is no single public fingerprint database covering modern TLS clients, servers, operating systems, HTTP stacks, SSH clients and device profiles with reliable ground truth. The useful public resources solve narrower problems.
This guide groups them by what they actually contain. Counts and access conditions were checked in July 2026 and will change.
| Resource | Public format | Coverage | Current use | Main limit |
|---|---|---|---|---|
| FoxIO JA4 sample | CSV | JA4, JA4S, JA4H, JA4X, JA4T and JA4TScan | Seed mappings and format examples | Only 66 rows; sparse provenance |
| Salesforce JA3 lists | CSV | Historical macOS/Linux applications | Legacy JA3 lookup examples | Archived; roughly 159 mappings; no capture metadata |
| Trisul ja3prints | JSONL and CSV | Historical applications, browsers and malware | Inspectable legacy JA3 mappings | Last updated in 2018; unclear dataset-wide licence |
| FingerprinTLS | JSONL and compiled DB | Rich historical ClientHello signatures | Research and format lineage | Archived; most entries are from the 2010s |
FoxIO's sample columns are:
Application,Library,Device,OS,ja4,ja4s,ja4h,ja4x,ja4t,ja4tscan,Notes
Only 35 of its 66 rows contain a core JA4 value; other methods have fewer examples. The sample is useful for understanding how several observations can be combined. It is not large enough to establish broad application coverage.
The Salesforce list is simpler:
JA3 MD5 hash, application name or names
Its repository was archived in 2025 and describes the mappings as examples or best guesses. The former crowd-sourced ja3er.com service should be treated as historical unless its ownership and current availability are re-established.
FingerprinTLS keeps more of the source handshake, including record and TLS versions, cipher suites, compression, extensions, groups and signature algorithms. That detail is valuable for historical research, but the labels often lack a source PCAP, capture date and confidence.
| Service | Inputs and outputs | Access boundary |
|---|---|---|
| JA4DB | JA4-family values, application, library, device, OS, notes, observations and detection guidance | Account-oriented; public bulk export and dataset licence are unclear |
| Fingerbank | DHCPv4/v6, user agents, OUI/MAC, mDNS and destinations; returns device hierarchy and score | API key and service terms; corpus is not an open-source download |
JA4DB is the closest current service to a multi-surface network-fingerprint mapping database. Its hosted data should not be confused with the small GitHub CSV or assumed to inherit the BSD licence covering core JA4. Other JA4+ methods use different FoxIO licensing, and the hosted dataset has its own unresolved reuse questions.
Fingerbank is broader than a DHCP lookup. Its API can combine an ordered DHCP option fingerprint with HTTP user agents, MAC information, mDNS services and destination hosts. This can improve device classification, but it also makes the result dependent on contextual data and an opaque classification service.
The TLS Fingerprint Observatory exposes a public API over passive observations from the University of Colorado Boulder and Merit Network.
Its TLS records can include:
fingerprint ID
first and last seen
total and per-source observations
TLS version and cipher suites
extensions and supported groups
signature algorithms and ALPN
key-share and supported-version fields
implementation labels where available
At the time of review, the service exposed more than one million distinct TLS fingerprints and billions of observations. Its TLS label count was effectively zero. The smaller QUIC corpus contained several hundred controlled implementation labels among roughly fifteen thousand fingerprints.
The observatory is consequently strong for prevalence and protocol evolution, but weak for general application lookup. Its API and collection engine are public; a clear licence for bulk reuse of the observed dataset was not found.
| Resource | Observation method | Coverage | Format |
|---|---|---|---|
| p0f | Passive | TCP SYN/SYN+ACK, MTU, HTTP traits | INI-like signatures |
| Nmap OS DB | Active probes | OS family, generation and device type | Probe-response records |
| Nmap service probes | Active probes | Services, products, versions and devices | Probe payloads plus regex matches |
| Rapid7 Recog | Passive or collected responses | SSH, HTTP, FTP, SNMP, favicons, JARM and other surfaces | XML rules and examples |
A p0f TCP rule has compact fields for IP version, TTL, option layout, window size and quirks. Nmap's OS database instead records responses to tests such as SEQ, OPS, WIN, ECN, T1–T7, U1 and IE, with weighted approximate matching.
Nmap remains actively maintained, but its data files use the Nmap Public Source License. Incorporation into proprietary products may require separate terms. p0f's upstream signatures are effectively dormant and do not provide strong coverage of current operating systems.
Rapid7 Recog is a maintained general matcher corpus. Its XML fingerprints contain a regular expression, description, examples and labelled parameters such as product, version, vendor, device and CPE. Its public JARM mapping is useful but small—closer to a seed list than comprehensive server intelligence.
Several widely implemented fingerprints have public algorithms and a handful of labels, but no comprehensive maintained mapping database:
Zeek, Suricata, Splunk and Wireshark can compute, ingest or display fingerprint fields. Tool support is not database coverage.
| Source | Fingerprint role | Format and access | Important caution |
|---|---|---|---|
| SSLBL | Malicious JA3 observations | CC0 CSV and Suricata rules, regenerated every five minutes | Not tested against known-good traffic |
| VirusTotal | JA3, JA3S and JA4 pivots from sandbox behaviour | Gated web/search service | Shared value may mean common library, not common malware |
SSLBL's CSV contains the JA3 hash, first seen, last seen and listing reason. It is a threat feed rather than an application database. Its labels describe malware-sample observations and must not be converted into unconditional block rules.
MISP defines objects for storing and exchanging fingerprint observations. ThreatFox stores general IOC types. Neither is a canonical application mapping database merely because a JA3 value can be carried in an event or attribute.
Cisco Mercury publishes NPF generation and the schema for process, operating-system and destination-aware resources. The resource documentation describes files such as fingerprint_db.json and TLS prevalence lists.
The current Cisco-labelled resource database is not public. This distinguishes Mercury from both JA4DB and the TLS Fingerprint Observatory: it publishes the model and software, but not the operational mapping corpus.
| Question | Better starting point |
|---|---|
| Has this fingerprint appeared before, and how often? | TLS Fingerprint Observatory or local telemetry |
| What application has been observed using this value? | JA4DB/sample or legacy JA3 mappings, with provenance checks |
| Does this response match a known OS or service rule? | p0f, Nmap or Recog |
| Was this JA3 observed in malware samples? | SSLBL or VirusTotal |
| Which device class fits DHCP and other network evidence? | Fingerbank |
| How should a structured fingerprint database be modelled? | Mercury resource schema |
Before using any label for enforcement, apply the checklist in How to Evaluate a Fingerprint Database. The underlying categories are explained in What Is a Network Fingerprint Database?.
Understand the account-control surface and why account protection has to cover more than the login form.
Learn about account takeover threats, protection strategies, and detection methods to secure your digital accounts and prevent unauthorised access.
An overview of Account Takeover Attacks
A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.
AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
© PEAKHOUR.IO PTY LTD 2026 ABN 76 619 930 826 All rights reserved.