40 #define LOG_TLS_FIELD_VERSION BIT_U64(0)
41 #define LOG_TLS_FIELD_SUBJECT BIT_U64(1)
42 #define LOG_TLS_FIELD_ISSUER BIT_U64(2)
43 #define LOG_TLS_FIELD_SERIAL BIT_U64(3)
44 #define LOG_TLS_FIELD_FINGERPRINT BIT_U64(4)
45 #define LOG_TLS_FIELD_NOTBEFORE BIT_U64(5)
46 #define LOG_TLS_FIELD_NOTAFTER BIT_U64(6)
47 #define LOG_TLS_FIELD_SNI BIT_U64(7)
48 #define LOG_TLS_FIELD_CERTIFICATE BIT_U64(8)
49 #define LOG_TLS_FIELD_CHAIN BIT_U64(9)
50 #define LOG_TLS_FIELD_SESSION_RESUMED BIT_U64(10)
51 #define LOG_TLS_FIELD_JA3 BIT_U64(11)
52 #define LOG_TLS_FIELD_JA3S BIT_U64(12)
53 #define LOG_TLS_FIELD_CLIENT BIT_U64(13)
54 #define LOG_TLS_FIELD_CLIENT_CERT BIT_U64(14)
55 #define LOG_TLS_FIELD_CLIENT_CHAIN BIT_U64(15)
56 #define LOG_TLS_FIELD_JA4 BIT_U64(16)
57 #define LOG_TLS_FIELD_SUBJECTALTNAME BIT_U64(17)
58 #define LOG_TLS_FIELD_CLIENT_ALPNS BIT_U64(18)
59 #define LOG_TLS_FIELD_SERVER_ALPNS BIT_U64(19)
60 #define LOG_TLS_FIELD_CLIENT_HANDSHAKE BIT_U64(20)
61 #define LOG_TLS_FIELD_SERVER_HANDSHAKE BIT_U64(21)
98 #define BASIC_FIELDS \
99 (LOG_TLS_FIELD_SUBJECT | \
100 LOG_TLS_FIELD_ISSUER | \
101 LOG_TLS_FIELD_SUBJECTALTNAME)
105 #define EXTENDED_FIELDS \
107 LOG_TLS_FIELD_VERSION | \
108 LOG_TLS_FIELD_SERIAL | \
109 LOG_TLS_FIELD_FINGERPRINT | \
110 LOG_TLS_FIELD_NOTBEFORE | \
111 LOG_TLS_FIELD_NOTAFTER | \
112 LOG_TLS_FIELD_JA3 | \
113 LOG_TLS_FIELD_JA3S | \
114 LOG_TLS_FIELD_JA4 | \
115 LOG_TLS_FIELD_CLIENT | \
116 LOG_TLS_FIELD_CLIENT_ALPNS | \
117 LOG_TLS_FIELD_SERVER_ALPNS | \
132 static void JsonTlsLogSubject(SCJsonBuilder *js,
SSLState *ssl_state)
139 static void JsonTlsLogIssuer(SCJsonBuilder *js,
SSLState *ssl_state)
146 static void JsonTlsLogSAN(SCJsonBuilder *js,
SSLState *ssl_state)
149 SCJbOpenArray(js,
"subjectaltname");
157 static void JsonTlsLogSessionResumed(SCJsonBuilder *js,
SSLState *ssl_state)
166 SCJbSetBool(js,
"session_resumed",
true);
171 static void JsonTlsLogFingerprint(SCJsonBuilder *js,
SSLState *ssl_state)
178 static void JsonTlsLogSni(SCJsonBuilder *js,
SSLState *ssl_state)
185 static void JsonTlsLogSerial(SCJsonBuilder *js,
SSLState *ssl_state)
192 static void JsonTlsLogVersion(SCJsonBuilder *js,
SSLState *ssl_state)
194 char ssl_version[SSL_VERSION_MAX_STRLEN];
196 SCJbSetString(js,
"version", ssl_version);
199 static void JsonTlsLogNotBefore(SCJsonBuilder *js,
SSLState *ssl_state)
206 static void JsonTlsLogNotAfter(SCJsonBuilder *js,
SSLState *ssl_state)
213 static void JsonTlsLogJa3Hash(SCJsonBuilder *js,
SSLState *ssl_state)
220 static void JsonTlsLogJa3String(SCJsonBuilder *js,
SSLState *ssl_state)
228 static void JsonTlsLogJa3(SCJsonBuilder *js,
SSLState *ssl_state)
233 SCJbOpenObject(js,
"ja3");
235 JsonTlsLogJa3Hash(js, ssl_state);
236 JsonTlsLogJa3String(js, ssl_state);
242 static void JsonTlsLogSCJA4(SCJsonBuilder *js,
SSLState *ssl_state)
246 uint8_t buffer[JA4_HEX_LEN];
248 SCJA4GetHash(ssl_state->
client_connp.
hs, (uint8_t(*)[JA4_HEX_LEN])buffer);
249 SCJbSetStringFromBytes(js,
"ja4", buffer, JA4_HEX_LEN);
254 static void JsonTlsLogJa3SHash(SCJsonBuilder *js,
SSLState *ssl_state)
261 static void JsonTlsLogJa3SString(SCJsonBuilder *js,
SSLState *ssl_state)
269 static void JsonTlsLogJa3S(SCJsonBuilder *js,
SSLState *ssl_state)
274 SCJbOpenObject(js,
"ja3s");
276 JsonTlsLogJa3SHash(js, ssl_state);
277 JsonTlsLogJa3SString(js, ssl_state);
283 static void JsonTlsLogAlpns(SCJsonBuilder *js,
SSLStateConnp *connp,
const char *
object)
285 if (connp->
hs == NULL) {
289 if (SCTLSHandshakeIsEmpty(connp->
hs)) {
292 SCTLSHandshakeLogALPNs(connp->
hs, js,
object);
295 static void JsonTlsLogCertificate(SCJsonBuilder *js,
SSLStateConnp *connp)
309 static void JsonTlsLogChain(SCJsonBuilder *js,
SSLStateConnp *connp)
315 SCJbOpenArray(js,
"chain");
332 static void JsonTlsLogClientCert(
333 SCJsonBuilder *js,
SSLStateConnp *connp,
const bool log_cert,
const bool log_chain)
351 SCJbSetString(js,
"notbefore", timebuf);
357 SCJbSetString(js,
"notafter", timebuf);
361 JsonTlsLogCertificate(js, connp);
364 JsonTlsLogChain(js, connp);
368 static void JsonTlsLogClientHandshake(SCJsonBuilder *js,
SSLState *ssl_state)
379 SCJbOpenObject(js,
"client_handshake");
389 static void JsonTlsLogServerHandshake(SCJsonBuilder *js,
SSLState *ssl_state)
399 SCJbOpenObject(js,
"server_handshake");
408 static void JsonTlsLogFields(SCJsonBuilder *js,
SSLState *ssl_state, uint64_t fields)
412 JsonTlsLogSubject(js, ssl_state);
416 JsonTlsLogIssuer(js, ssl_state);
420 JsonTlsLogSAN(js, ssl_state);
424 JsonTlsLogSessionResumed(js, ssl_state);
428 JsonTlsLogSerial(js, ssl_state);
432 JsonTlsLogFingerprint(js, ssl_state);
436 JsonTlsLogSni(js, ssl_state);
440 JsonTlsLogVersion(js, ssl_state);
445 JsonTlsLogNotBefore(js, ssl_state);
449 JsonTlsLogNotAfter(js, ssl_state);
461 JsonTlsLogJa3(js, ssl_state);
465 JsonTlsLogJa3S(js, ssl_state);
469 JsonTlsLogSCJA4(js, ssl_state);
472 JsonTlsLogAlpns(js, &ssl_state->
client_connp,
"client_alpns");
476 JsonTlsLogAlpns(js, &ssl_state->
server_connp,
"server_alpns");
481 JsonTlsLogClientHandshake(js, ssl_state);
485 JsonTlsLogServerHandshake(js, ssl_state);
491 SCJbOpenObject(js,
"client");
492 JsonTlsLogClientCert(js, &ssl_state->
client_connp, log_cert, log_chain);
501 SCJbOpenObject(tjs,
"tls");
503 return SCJbClose(tjs);
507 Flow *f,
void *state,
void *txptr, uint64_t tx_id)
530 SCJbOpenObject(js,
"tls");
532 JsonTlsLogFields(js, ssl_state, tls_ctx->
fields);
549 static TmEcode JsonTlsLogThreadInit(
ThreadVars *t,
const void *initdata,
void **data)
556 if (initdata == NULL) {
557 SCLogDebug(
"Error getting context for eve-log tls 'initdata' argument NULL");
619 for ( ; valid_fields->
name != NULL; valid_fields++) {
620 if (strcasecmp(field->
val, valid_fields->
name) == 0) {
634 if (session_resumption == NULL ||
SCConfValIsTrue(session_resumption)) {
641 SCLogWarning(
"Both 'certificate' and 'chain' contains the top "
642 "certificate, so only one of them should be enabled "
647 SCLogWarning(
"Both 'client_certificate' and 'client_chain' contains the top "
648 "certificate, so only one of them should be enabled "
654 SCLogConfig(
"enabling \"client\" as a dependency of \"client_certificate\"");
658 SCLogConfig(
"enabling \"client\" as a dependency of \"client_chain\"");
666 static void OutputTlsLogDeinitSub(
OutputCtx *output_ctx)
692 SCLogWarning(
"Both 'certificate' and 'chain' contains the top "
693 "certificate, so only one of them should be enabled "
697 output_ctx->
data = tls_ctx;
698 output_ctx->
DeInit = OutputTlsLogDeinitSub;
702 result.
ctx = output_ctx;