suricata
output-json-tls.c File Reference
#include "suricata-common.h"
#include "debug.h"
#include "detect.h"
#include "pkt-var.h"
#include "conf.h"
#include "threads.h"
#include "threadvars.h"
#include "tm-threads.h"
#include "util-print.h"
#include "util-unittest.h"
#include "util-debug.h"
#include "app-layer-parser.h"
#include "output.h"
#include "app-layer-ssl.h"
#include "app-layer.h"
#include "util-privs.h"
#include "util-buffer.h"
#include "util-logopenfile.h"
#include "util-crypt.h"
#include "util-ja3.h"
#include "output-json.h"
#include "output-json-tls.h"

Data Structures

struct  TlsFields
 
struct  OutputTlsCtx_
 
struct  JsonTlsLogThread_
 

Macros

#define MODULE_NAME   "LogTlsLog"
 
#define DEFAULT_LOG_FILENAME   "tls.json"
 
#define LOG_TLS_DEFAULT   0
 
#define LOG_TLS_EXTENDED   (1 << 0)
 
#define LOG_TLS_CUSTOM   (1 << 1)
 
#define LOG_TLS_SESSION_RESUMPTION   (1 << 2)
 
#define LOG_TLS_FIELD_VERSION   (1 << 0)
 
#define LOG_TLS_FIELD_SUBJECT   (1 << 1)
 
#define LOG_TLS_FIELD_ISSUER   (1 << 2)
 
#define LOG_TLS_FIELD_SERIAL   (1 << 3)
 
#define LOG_TLS_FIELD_FINGERPRINT   (1 << 4)
 
#define LOG_TLS_FIELD_NOTBEFORE   (1 << 5)
 
#define LOG_TLS_FIELD_NOTAFTER   (1 << 6)
 
#define LOG_TLS_FIELD_SNI   (1 << 7)
 
#define LOG_TLS_FIELD_CERTIFICATE   (1 << 8)
 
#define LOG_TLS_FIELD_CHAIN   (1 << 9)
 
#define LOG_TLS_FIELD_SESSION_RESUMED   (1 << 10)
 
#define LOG_TLS_FIELD_JA3   (1 << 11)
 
#define LOG_TLS_FIELD_JA3S   (1 << 12)
 

Typedefs

typedef struct OutputTlsCtx_ OutputTlsCtx
 
typedef struct JsonTlsLogThread_ JsonTlsLogThread
 

Functions

 SC_ATOMIC_DECLARE (unsigned int, cert_id)
 
void JsonTlsLogJSONBasic (json_t *js, SSLState *ssl_state)
 
void JsonTlsLogJSONExtended (json_t *tjs, SSLState *state)
 
void JsonTlsLogRegister (void)
 

Variables

TlsFields tls_fields []
 

Detailed Description

Author
Tom DeCanio <td@npulsetech.com>

Implements TLS JSON logging portion of the engine.

Definition in file output-json-tls.c.

Macro Definition Documentation

#define DEFAULT_LOG_FILENAME   "tls.json"

Definition at line 57 of file output-json-tls.c.

Referenced by JsonTlsLogJSONExtended().

#define LOG_TLS_CUSTOM   (1 << 1)

Definition at line 61 of file output-json-tls.c.

Referenced by JsonTlsLogJSONExtended().

#define LOG_TLS_DEFAULT   0

Definition at line 59 of file output-json-tls.c.

Referenced by JsonTlsLogJSONExtended().

#define LOG_TLS_EXTENDED   (1 << 0)

Definition at line 60 of file output-json-tls.c.

Referenced by JsonTlsLogJSONExtended().

#define LOG_TLS_FIELD_CERTIFICATE   (1 << 8)

Definition at line 72 of file output-json-tls.c.

Referenced by JsonTlsLogJSONBasic(), and JsonTlsLogJSONExtended().

#define LOG_TLS_FIELD_CHAIN   (1 << 9)

Definition at line 73 of file output-json-tls.c.

Referenced by JsonTlsLogJSONBasic(), and JsonTlsLogJSONExtended().

#define LOG_TLS_FIELD_FINGERPRINT   (1 << 4)

Definition at line 68 of file output-json-tls.c.

Referenced by JsonTlsLogJSONBasic().

#define LOG_TLS_FIELD_ISSUER   (1 << 2)

Definition at line 66 of file output-json-tls.c.

Referenced by JsonTlsLogJSONBasic().

#define LOG_TLS_FIELD_JA3   (1 << 11)

Definition at line 75 of file output-json-tls.c.

Referenced by JsonTlsLogJSONBasic(), and JsonTlsLogJSONExtended().

#define LOG_TLS_FIELD_JA3S   (1 << 12)

Definition at line 76 of file output-json-tls.c.

Referenced by JsonTlsLogJSONBasic(), and JsonTlsLogJSONExtended().

#define LOG_TLS_FIELD_NOTAFTER   (1 << 6)

Definition at line 70 of file output-json-tls.c.

Referenced by JsonTlsLogJSONBasic().

#define LOG_TLS_FIELD_NOTBEFORE   (1 << 5)

Definition at line 69 of file output-json-tls.c.

Referenced by JsonTlsLogJSONBasic().

#define LOG_TLS_FIELD_SERIAL   (1 << 3)

Definition at line 67 of file output-json-tls.c.

Referenced by JsonTlsLogJSONBasic().

#define LOG_TLS_FIELD_SESSION_RESUMED   (1 << 10)

Definition at line 74 of file output-json-tls.c.

Referenced by JsonTlsLogJSONBasic().

#define LOG_TLS_FIELD_SNI   (1 << 7)

Definition at line 71 of file output-json-tls.c.

Referenced by JsonTlsLogJSONBasic().

#define LOG_TLS_FIELD_SUBJECT   (1 << 1)

Definition at line 65 of file output-json-tls.c.

Referenced by JsonTlsLogJSONBasic().

#define LOG_TLS_FIELD_VERSION   (1 << 0)

Definition at line 64 of file output-json-tls.c.

Referenced by JsonTlsLogJSONBasic().

#define LOG_TLS_SESSION_RESUMPTION   (1 << 2)

Definition at line 62 of file output-json-tls.c.

Referenced by JsonTlsLogJSONExtended().

#define MODULE_NAME   "LogTlsLog"

Definition at line 56 of file output-json-tls.c.

Typedef Documentation

typedef struct OutputTlsCtx_ OutputTlsCtx

Function Documentation

void JsonTlsLogJSONExtended(json_t *tjs, SSLState *state)

Definition at line 366 of file output-json-tls.c.

References Flow_::alproto_orig, ALPROTO_TLS, ALPROTO_UNKNOWN, AppLayerGetProtoName(), AppLayerParserRegisterLogger(), JsonTlsLogThread_::buffer, SSLStateConnp_::cert0_issuerdn, SSLStateConnp_::cert0_subject, OutputJsonCtx_::cfg, OutputTlsCtx_::cfg, ConfNodeLookupChild(), ConfNodeLookupChildValue(), ConfValIsTrue(), CreateJSONHeader(), OutputInitResult_::ctx, OutputCtx_::data, DEFAULT_LOG_FILENAME, OutputCtx_::DeInit, OutputTlsCtx_::fields, OutputJsonCtx_::file_ctx, OutputTlsCtx_::file_ctx, TlsFields::flag, OutputTlsCtx_::flags, SSLState_::flags, Ja3IsDisabled(), JSON_OUTPUT_BUFFER_SIZE, JsonAddCommonOptions(), JsonTlsLogJSONBasic(), JsonTlsLogJSONExtended(), LOG_DIR_FLOW, LOG_TLS_CUSTOM, LOG_TLS_DEFAULT, LOG_TLS_EXTENDED, LOG_TLS_FIELD_CERTIFICATE, LOG_TLS_FIELD_CHAIN, LOG_TLS_FIELD_JA3, LOG_TLS_FIELD_JA3S, LOG_TLS_SESSION_RESUMPTION, LogFileFreeCtx(), LogFileNewCtx(), MemBufferCreateNew(), MemBufferFree(), MemBufferReset, TlsFields::name, next, OutputInitResult_::ok, OutputJSONBuffer(), SC_ERR_TLS_LOG_GENERIC, SC_WARN_DUPLICATE_OUTPUT, SCCalloc, SCConfLogOpenGeneric(), SCFree, SCLogDebug, SCLogError, SCLogWarning, SCMalloc, SSLState_::server_connp, SSL_AL_FLAG_LOG_WITHOUT_CERT, SSL_AL_FLAG_SESSION_RESUMED, TAILQ_FOREACH, tls_fields, JsonTlsLogThread_::tlslog_ctx, TM_ECODE_FAILED, TM_ECODE_OK, tx_id, unlikely, and ConfNode_::val.

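Referenced by JsonTlsLogJSONExtended().

Note: the reference list above includes this function itself, along with configuration-lookup, log-file-context and buffer-allocation symbols. It therefore appears to cover more of the file than this one function; check the source before treating it as this function's exact dependency set.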


void JsonTlsLogRegister ( void  )

Definition at line 652 of file output-json-tls.c.

References ALPROTO_TLS, LOGGER_JSON_TLS, OutputRegisterTxModuleWithProgress(), OutputRegisterTxSubModuleWithProgress(), and TLS_HANDSHAKE_DONE.

Referenced by OutputRegisterLoggers().


SC_ATOMIC_DECLARE(unsigned int, cert_id)

Variable Documentation

TlsFields tls_fields[]
Initial value:
= {
/* Each entry pairs a field-name string with the LOG_TLS_FIELD_* bit that
 * carries the same name; one bit per field, so entries can be OR-ed
 * together into a single mask. */
{ "version", LOG_TLS_FIELD_VERSION },
{ "subject", LOG_TLS_FIELD_SUBJECT },
{ "issuer", LOG_TLS_FIELD_ISSUER },
{ "serial", LOG_TLS_FIELD_SERIAL },
{ "fingerprint", LOG_TLS_FIELD_FINGERPRINT },
{ "not_before", LOG_TLS_FIELD_NOTBEFORE },
{ "not_after", LOG_TLS_FIELD_NOTAFTER },
{ "sni", LOG_TLS_FIELD_SNI },
{ "certificate", LOG_TLS_FIELD_CERTIFICATE },
{ "chain", LOG_TLS_FIELD_CHAIN },
{ "session_resumed", LOG_TLS_FIELD_SESSION_RESUMED },
{ "ja3", LOG_TLS_FIELD_JA3 },
{ "ja3s", LOG_TLS_FIELD_JA3S },
/* NULL name: presumably the end-of-table sentinel -- confirm against the
 * code that walks this table.
 * NOTE(review): if the flag member is unsigned, -1 converts to an all-bits-set
 * value, so a consumer should stop on the NULL name rather than OR this
 * flag into a mask -- confirm the member's type. */
{ NULL, -1 }
}

Definition at line 83 of file output-json-tls.c.

Referenced by JsonTlsLogJSONExtended().