output-json-tls.c File Reference
#include "suricata-common.h"
#include "detect.h"
#include "pkt-var.h"
#include "conf.h"
#include "threads.h"
#include "threadvars.h"
#include "tm-threads.h"
#include "util-print.h"
#include "util-time.h"
#include "util-unittest.h"
#include "util-debug.h"
#include "app-layer-parser.h"
#include "output.h"
#include "app-layer-ssl.h"
#include "app-layer.h"
#include "util-privs.h"
#include "util-buffer.h"
#include "util-logopenfile.h"
#include "util-ja3.h"
#include "util-ja4.h"
#include "output-json.h"
#include "output-json-tls.h"


Data Structures

struct  TlsFields
 
struct  OutputTlsCtx_
 
struct  JsonTlsLogThread_
 

Macros

#define MODULE_NAME   "LogTlsLog"
 
#define DEFAULT_LOG_FILENAME   "tls.json"
 
#define LOG_TLS_DEFAULT   0
 
#define LOG_TLS_EXTENDED   (1 << 0)
 
#define LOG_TLS_CUSTOM   (1 << 1)
 
#define LOG_TLS_SESSION_RESUMPTION   (1 << 2)
 
#define LOG_TLS_FIELD_VERSION   (1 << 0)
 
#define LOG_TLS_FIELD_SUBJECT   (1 << 1)
 
#define LOG_TLS_FIELD_ISSUER   (1 << 2)
 
#define LOG_TLS_FIELD_SERIAL   (1 << 3)
 
#define LOG_TLS_FIELD_FINGERPRINT   (1 << 4)
 
#define LOG_TLS_FIELD_NOTBEFORE   (1 << 5)
 
#define LOG_TLS_FIELD_NOTAFTER   (1 << 6)
 
#define LOG_TLS_FIELD_SNI   (1 << 7)
 
#define LOG_TLS_FIELD_CERTIFICATE   (1 << 8)
 
#define LOG_TLS_FIELD_CHAIN   (1 << 9)
 
#define LOG_TLS_FIELD_SESSION_RESUMED   (1 << 10)
 
#define LOG_TLS_FIELD_JA3   (1 << 11)
 
#define LOG_TLS_FIELD_JA3S   (1 << 12)
 
#define LOG_TLS_FIELD_CLIENT   (1 << 13)
 
#define LOG_TLS_FIELD_CLIENT_CERT   (1 << 14)
 
#define LOG_TLS_FIELD_CLIENT_CHAIN   (1 << 15)
 
#define LOG_TLS_FIELD_JA4   (1 << 16)
 

Typedefs

typedef struct OutputTlsCtx_ OutputTlsCtx
 
typedef struct JsonTlsLogThread_ JsonTlsLogThread
 

Functions

 SC_ATOMIC_EXTERN (unsigned int, cert_id)
 
void JsonTlsLogJSONBasic (JsonBuilder *js, SSLState *ssl_state)
 
bool JsonTlsLogJSONExtended (void *vtx, JsonBuilder *tjs)
 
void JsonTlsLogRegister (void)
 

Variables

TlsFields tls_fields []
 

Detailed Description

Author
Tom DeCanio td@np.nosp@m.ulse.nosp@m.tech..nosp@m.com

Implements the TLS JSON logging portion of the engine.

Definition in file output-json-tls.c.

Macro Definition Documentation

◆ DEFAULT_LOG_FILENAME

#define DEFAULT_LOG_FILENAME   "tls.json"

Definition at line 58 of file output-json-tls.c.

◆ LOG_TLS_CUSTOM

#define LOG_TLS_CUSTOM   (1 << 1)

Definition at line 62 of file output-json-tls.c.

◆ LOG_TLS_DEFAULT

#define LOG_TLS_DEFAULT   0

Definition at line 60 of file output-json-tls.c.

◆ LOG_TLS_EXTENDED

#define LOG_TLS_EXTENDED   (1 << 0)

Definition at line 61 of file output-json-tls.c.

◆ LOG_TLS_FIELD_CERTIFICATE

#define LOG_TLS_FIELD_CERTIFICATE   (1 << 8)

Definition at line 73 of file output-json-tls.c.

◆ LOG_TLS_FIELD_CHAIN

#define LOG_TLS_FIELD_CHAIN   (1 << 9)

Definition at line 74 of file output-json-tls.c.

◆ LOG_TLS_FIELD_CLIENT

#define LOG_TLS_FIELD_CLIENT   (1 << 13)

client fields (issuer, subject, etc.)

Definition at line 78 of file output-json-tls.c.

◆ LOG_TLS_FIELD_CLIENT_CERT

#define LOG_TLS_FIELD_CLIENT_CERT   (1 << 14)

Definition at line 79 of file output-json-tls.c.

◆ LOG_TLS_FIELD_CLIENT_CHAIN

#define LOG_TLS_FIELD_CLIENT_CHAIN   (1 << 15)

Definition at line 80 of file output-json-tls.c.

◆ LOG_TLS_FIELD_FINGERPRINT

#define LOG_TLS_FIELD_FINGERPRINT   (1 << 4)

Definition at line 69 of file output-json-tls.c.

◆ LOG_TLS_FIELD_ISSUER

#define LOG_TLS_FIELD_ISSUER   (1 << 2)

Definition at line 67 of file output-json-tls.c.

◆ LOG_TLS_FIELD_JA3

#define LOG_TLS_FIELD_JA3   (1 << 11)

Definition at line 76 of file output-json-tls.c.

◆ LOG_TLS_FIELD_JA3S

#define LOG_TLS_FIELD_JA3S   (1 << 12)

Definition at line 77 of file output-json-tls.c.

◆ LOG_TLS_FIELD_JA4

#define LOG_TLS_FIELD_JA4   (1 << 16)

Definition at line 81 of file output-json-tls.c.

◆ LOG_TLS_FIELD_NOTAFTER

#define LOG_TLS_FIELD_NOTAFTER   (1 << 6)

Definition at line 71 of file output-json-tls.c.

◆ LOG_TLS_FIELD_NOTBEFORE

#define LOG_TLS_FIELD_NOTBEFORE   (1 << 5)

Definition at line 70 of file output-json-tls.c.

◆ LOG_TLS_FIELD_SERIAL

#define LOG_TLS_FIELD_SERIAL   (1 << 3)

Definition at line 68 of file output-json-tls.c.

◆ LOG_TLS_FIELD_SESSION_RESUMED

#define LOG_TLS_FIELD_SESSION_RESUMED   (1 << 10)

Definition at line 75 of file output-json-tls.c.

◆ LOG_TLS_FIELD_SNI

#define LOG_TLS_FIELD_SNI   (1 << 7)

Definition at line 72 of file output-json-tls.c.

◆ LOG_TLS_FIELD_SUBJECT

#define LOG_TLS_FIELD_SUBJECT   (1 << 1)

Definition at line 66 of file output-json-tls.c.

◆ LOG_TLS_FIELD_VERSION

#define LOG_TLS_FIELD_VERSION   (1 << 0)

Definition at line 65 of file output-json-tls.c.

◆ LOG_TLS_SESSION_RESUMPTION

#define LOG_TLS_SESSION_RESUMPTION   (1 << 2)

Definition at line 63 of file output-json-tls.c.

◆ MODULE_NAME

#define MODULE_NAME   "LogTlsLog"

Definition at line 57 of file output-json-tls.c.

Typedef Documentation

◆ JsonTlsLogThread

typedef struct JsonTlsLogThread_ JsonTlsLogThread

◆ OutputTlsCtx

typedef struct OutputTlsCtx_ OutputTlsCtx

Function Documentation

◆ JsonTlsLogJSONBasic()

void JsonTlsLogJSONBasic ( JsonBuilder *  js,
SSLState *  ssl_state 
)

Definition at line 329 of file output-json-tls.c.

◆ JsonTlsLogJSONExtended()

bool JsonTlsLogJSONExtended ( void *  vtx,
JsonBuilder *  tjs 
)

Definition at line 451 of file output-json-tls.c.

◆ JsonTlsLogRegister()

void JsonTlsLogRegister ( void  )

Definition at line 678 of file output-json-tls.c.

References LOGGER_JSON_TX, and OutputRegisterTxSubModuleWithProgress().


◆ SC_ATOMIC_EXTERN()

SC_ATOMIC_EXTERN ( unsigned int  ,
cert_id   
)

Variable Documentation

◆ tls_fields

/* Lookup table of loggable TLS field names and the LOG_TLS_FIELD_* bit each
 * one selects.  The final { NULL, -1 } entry is a sentinel; presumably the
 * code that walks this table stops at the NULL name (confirm in the .c).
 * NOTE(review): "client_certificate" / "client_chain" select the client-side
 * certificate fields, distinct from "certificate" / "chain" on the server
 * side, so a config enabling one does not imply the other. */
TlsFields tls_fields[]
Initial value:
= { { "version", LOG_TLS_FIELD_VERSION },
{ "subject", LOG_TLS_FIELD_SUBJECT }, { "issuer", LOG_TLS_FIELD_ISSUER },
{ "serial", LOG_TLS_FIELD_SERIAL }, { "fingerprint", LOG_TLS_FIELD_FINGERPRINT },
{ "not_before", LOG_TLS_FIELD_NOTBEFORE }, { "not_after", LOG_TLS_FIELD_NOTAFTER },
{ "sni", LOG_TLS_FIELD_SNI }, { "certificate", LOG_TLS_FIELD_CERTIFICATE },
{ "chain", LOG_TLS_FIELD_CHAIN }, { "session_resumed", LOG_TLS_FIELD_SESSION_RESUMED },
{ "ja3", LOG_TLS_FIELD_JA3 }, { "ja3s", LOG_TLS_FIELD_JA3S },
{ "client", LOG_TLS_FIELD_CLIENT }, { "client_certificate", LOG_TLS_FIELD_CLIENT_CERT },
{ "client_chain", LOG_TLS_FIELD_CLIENT_CHAIN }, { "ja4", LOG_TLS_FIELD_JA4 }, { NULL, -1 } }

Definition at line 87 of file output-json-tls.c.
