suricata
output-json-tls.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Implements TLS JSON logging portion of the engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "detect.h"
29 #include "pkt-var.h"
30 #include "conf.h"
31 
32 #include "threads.h"
33 #include "threadvars.h"
34 #include "tm-threads.h"
35 
36 #include "util-print.h"
37 #include "util-time.h"
38 #include "util-unittest.h"
39 
40 #include "util-debug.h"
41 #include "app-layer-parser.h"
42 #include "output.h"
43 #include "app-layer-ssl.h"
44 #include "app-layer.h"
45 #include "util-privs.h"
46 #include "util-buffer.h"
47 
48 #include "util-logopenfile.h"
49 #include "util-ja3.h"
50 
51 #include "output-json.h"
52 #include "output-json-tls.h"
53 
54 SC_ATOMIC_EXTERN(unsigned int, cert_id);
55 
56 #define MODULE_NAME "LogTlsLog"
57 #define DEFAULT_LOG_FILENAME "tls.json"
58 
59 #define LOG_TLS_DEFAULT 0
60 #define LOG_TLS_EXTENDED (1 << 0)
61 #define LOG_TLS_CUSTOM (1 << 1)
62 #define LOG_TLS_SESSION_RESUMPTION (1 << 2)
63 
64 #define LOG_TLS_FIELD_VERSION (1 << 0)
65 #define LOG_TLS_FIELD_SUBJECT (1 << 1)
66 #define LOG_TLS_FIELD_ISSUER (1 << 2)
67 #define LOG_TLS_FIELD_SERIAL (1 << 3)
68 #define LOG_TLS_FIELD_FINGERPRINT (1 << 4)
69 #define LOG_TLS_FIELD_NOTBEFORE (1 << 5)
70 #define LOG_TLS_FIELD_NOTAFTER (1 << 6)
71 #define LOG_TLS_FIELD_SNI (1 << 7)
72 #define LOG_TLS_FIELD_CERTIFICATE (1 << 8)
73 #define LOG_TLS_FIELD_CHAIN (1 << 9)
74 #define LOG_TLS_FIELD_SESSION_RESUMED (1 << 10)
75 #define LOG_TLS_FIELD_JA3 (1 << 11)
76 #define LOG_TLS_FIELD_JA3S (1 << 12)
77 
78 typedef struct {
79  const char *name;
80  uint64_t flag;
81 } TlsFields;
82 
84  { "version", LOG_TLS_FIELD_VERSION },
85  { "subject", LOG_TLS_FIELD_SUBJECT },
86  { "issuer", LOG_TLS_FIELD_ISSUER },
87  { "serial", LOG_TLS_FIELD_SERIAL },
88  { "fingerprint", LOG_TLS_FIELD_FINGERPRINT },
89  { "not_before", LOG_TLS_FIELD_NOTBEFORE },
90  { "not_after", LOG_TLS_FIELD_NOTAFTER },
91  { "sni", LOG_TLS_FIELD_SNI },
92  { "certificate", LOG_TLS_FIELD_CERTIFICATE },
93  { "chain", LOG_TLS_FIELD_CHAIN },
94  { "session_resumed", LOG_TLS_FIELD_SESSION_RESUMED },
95  { "ja3", LOG_TLS_FIELD_JA3 },
96  { "ja3s", LOG_TLS_FIELD_JA3S },
97  { NULL, -1 }
98 };
99 
100 typedef struct OutputTlsCtx_ {
101  uint32_t flags; /** Store mode */
102  uint64_t fields; /** Store fields */
105 
106 
107 typedef struct JsonTlsLogThread_ {
111 
112 static void JsonTlsLogSubject(JsonBuilder *js, SSLState *ssl_state)
113 {
114  if (ssl_state->server_connp.cert0_subject) {
115  jb_set_string(js, "subject",
116  ssl_state->server_connp.cert0_subject);
117  }
118 }
119 
120 static void JsonTlsLogIssuer(JsonBuilder *js, SSLState *ssl_state)
121 {
122  if (ssl_state->server_connp.cert0_issuerdn) {
123  jb_set_string(js, "issuerdn",
124  ssl_state->server_connp.cert0_issuerdn);
125  }
126 }
127 
128 static void JsonTlsLogSessionResumed(JsonBuilder *js, SSLState *ssl_state)
129 {
130  if (ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) {
131  /* Only log a session as 'resumed' if a certificate has not
132  been seen, and the session is not TLSv1.3 or later. */
133  if ((ssl_state->server_connp.cert0_issuerdn == NULL &&
134  ssl_state->server_connp.cert0_subject == NULL) &&
135  (ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) &&
136  ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) {
137  jb_set_bool(js, "session_resumed", true);
138  }
139  }
140 }
141 
142 static void JsonTlsLogFingerprint(JsonBuilder *js, SSLState *ssl_state)
143 {
144  if (ssl_state->server_connp.cert0_fingerprint) {
145  jb_set_string(js, "fingerprint",
146  ssl_state->server_connp.cert0_fingerprint);
147  }
148 }
149 
150 static void JsonTlsLogSni(JsonBuilder *js, SSLState *ssl_state)
151 {
152  if (ssl_state->client_connp.sni) {
153  jb_set_string(js, "sni",
154  ssl_state->client_connp.sni);
155  }
156 }
157 
158 static void JsonTlsLogSerial(JsonBuilder *js, SSLState *ssl_state)
159 {
160  if (ssl_state->server_connp.cert0_serial) {
161  jb_set_string(js, "serial",
162  ssl_state->server_connp.cert0_serial);
163  }
164 }
165 
166 static void JsonTlsLogVersion(JsonBuilder *js, SSLState *ssl_state)
167 {
168  char ssl_version[SSL_VERSION_MAX_STRLEN];
169  SSLVersionToString(ssl_state->server_connp.version, ssl_version);
170  jb_set_string(js, "version", ssl_version);
171 }
172 
173 static void JsonTlsLogNotBefore(JsonBuilder *js, SSLState *ssl_state)
174 {
175  if (ssl_state->server_connp.cert0_not_before != 0) {
176  char timebuf[64];
177  struct timeval tv;
178  tv.tv_sec = ssl_state->server_connp.cert0_not_before;
179  tv.tv_usec = 0;
180  CreateUtcIsoTimeString(&tv, timebuf, sizeof(timebuf));
181  jb_set_string(js, "notbefore", timebuf);
182  }
183 }
184 
185 static void JsonTlsLogNotAfter(JsonBuilder *js, SSLState *ssl_state)
186 {
187  if (ssl_state->server_connp.cert0_not_after != 0) {
188  char timebuf[64];
189  struct timeval tv;
190  tv.tv_sec = ssl_state->server_connp.cert0_not_after;
191  tv.tv_usec = 0;
192  CreateUtcIsoTimeString(&tv, timebuf, sizeof(timebuf));
193  jb_set_string(js, "notafter", timebuf);
194  }
195 }
196 
197 static void JsonTlsLogJa3Hash(JsonBuilder *js, SSLState *ssl_state)
198 {
199  if (ssl_state->client_connp.ja3_hash != NULL) {
200  jb_set_string(js, "hash",
201  ssl_state->client_connp.ja3_hash);
202  }
203 }
204 
205 static void JsonTlsLogJa3String(JsonBuilder *js, SSLState *ssl_state)
206 {
207  if ((ssl_state->client_connp.ja3_str != NULL) &&
208  ssl_state->client_connp.ja3_str->data != NULL) {
209  jb_set_string(js, "string",
210  ssl_state->client_connp.ja3_str->data);
211  }
212 }
213 
214 static void JsonTlsLogJa3(JsonBuilder *js, SSLState *ssl_state)
215 {
216  if ((ssl_state->client_connp.ja3_hash != NULL) ||
217  ((ssl_state->client_connp.ja3_str != NULL) &&
218  ssl_state->client_connp.ja3_str->data != NULL)) {
219  jb_open_object(js, "ja3");
220 
221  JsonTlsLogJa3Hash(js, ssl_state);
222  JsonTlsLogJa3String(js, ssl_state);
223 
224  jb_close(js);
225  }
226 }
227 
228 static void JsonTlsLogJa3SHash(JsonBuilder *js, SSLState *ssl_state)
229 {
230  if (ssl_state->server_connp.ja3_hash != NULL) {
231  jb_set_string(js, "hash",
232  ssl_state->server_connp.ja3_hash);
233  }
234 }
235 
236 static void JsonTlsLogJa3SString(JsonBuilder *js, SSLState *ssl_state)
237 {
238  if ((ssl_state->server_connp.ja3_str != NULL) &&
239  ssl_state->server_connp.ja3_str->data != NULL) {
240  jb_set_string(js, "string",
241  ssl_state->server_connp.ja3_str->data);
242  }
243 }
244 
245 static void JsonTlsLogJa3S(JsonBuilder *js, SSLState *ssl_state)
246 {
247  if ((ssl_state->server_connp.ja3_hash != NULL) ||
248  ((ssl_state->server_connp.ja3_str != NULL) &&
249  ssl_state->server_connp.ja3_str->data != NULL)) {
250  jb_open_object(js, "ja3s");
251 
252  JsonTlsLogJa3SHash(js, ssl_state);
253  JsonTlsLogJa3SString(js, ssl_state);
254 
255  jb_close(js);
256  }
257 }
258 
259 static void JsonTlsLogCertificate(JsonBuilder *js, SSLState *ssl_state)
260 {
261  if (TAILQ_EMPTY(&ssl_state->server_connp.certs)) {
262  return;
263  }
264 
265  SSLCertsChain *cert = TAILQ_FIRST(&ssl_state->server_connp.certs);
266  if (cert == NULL) {
267  return;
268  }
269 
270  jb_set_base64(js, "certificate", cert->cert_data, cert->cert_len);
271 }
272 
273 static void JsonTlsLogChain(JsonBuilder *js, SSLState *ssl_state)
274 {
275  if (TAILQ_EMPTY(&ssl_state->server_connp.certs)) {
276  return;
277  }
278 
279  jb_open_array(js, "chain");
280 
281  SSLCertsChain *cert;
282  TAILQ_FOREACH(cert, &ssl_state->server_connp.certs, next) {
283  jb_append_base64(js, cert->cert_data, cert->cert_len);
284  }
285 
286  jb_close(js);
287 }
288 
289 void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state)
290 {
291  /* tls subject */
292  JsonTlsLogSubject(js, ssl_state);
293 
294  /* tls issuerdn */
295  JsonTlsLogIssuer(js, ssl_state);
296 
297  /* tls session resumption */
298  JsonTlsLogSessionResumed(js, ssl_state);
299 }
300 
301 static void JsonTlsLogJSONCustom(OutputTlsCtx *tls_ctx, JsonBuilder *js,
302  SSLState *ssl_state)
303 {
304  /* tls subject */
305  if (tls_ctx->fields & LOG_TLS_FIELD_SUBJECT)
306  JsonTlsLogSubject(js, ssl_state);
307 
308  /* tls issuerdn */
309  if (tls_ctx->fields & LOG_TLS_FIELD_ISSUER)
310  JsonTlsLogIssuer(js, ssl_state);
311 
312  /* tls session resumption */
313  if (tls_ctx->fields & LOG_TLS_FIELD_SESSION_RESUMED)
314  JsonTlsLogSessionResumed(js, ssl_state);
315 
316  /* tls serial */
317  if (tls_ctx->fields & LOG_TLS_FIELD_SERIAL)
318  JsonTlsLogSerial(js, ssl_state);
319 
320  /* tls fingerprint */
321  if (tls_ctx->fields & LOG_TLS_FIELD_FINGERPRINT)
322  JsonTlsLogFingerprint(js, ssl_state);
323 
324  /* tls sni */
325  if (tls_ctx->fields & LOG_TLS_FIELD_SNI)
326  JsonTlsLogSni(js, ssl_state);
327 
328  /* tls version */
329  if (tls_ctx->fields & LOG_TLS_FIELD_VERSION)
330  JsonTlsLogVersion(js, ssl_state);
331 
332  /* tls notbefore */
333  if (tls_ctx->fields & LOG_TLS_FIELD_NOTBEFORE)
334  JsonTlsLogNotBefore(js, ssl_state);
335 
336  /* tls notafter */
337  if (tls_ctx->fields & LOG_TLS_FIELD_NOTAFTER)
338  JsonTlsLogNotAfter(js, ssl_state);
339 
340  /* tls certificate */
341  if (tls_ctx->fields & LOG_TLS_FIELD_CERTIFICATE)
342  JsonTlsLogCertificate(js, ssl_state);
343 
344  /* tls chain */
345  if (tls_ctx->fields & LOG_TLS_FIELD_CHAIN)
346  JsonTlsLogChain(js, ssl_state);
347 
348  /* tls ja3_hash */
349  if (tls_ctx->fields & LOG_TLS_FIELD_JA3)
350  JsonTlsLogJa3(js, ssl_state);
351 
352  /* tls ja3s */
353  if (tls_ctx->fields & LOG_TLS_FIELD_JA3S)
354  JsonTlsLogJa3S(js, ssl_state);
355 }
356 
357 void JsonTlsLogJSONExtended(JsonBuilder *tjs, SSLState * state)
358 {
359  JsonTlsLogJSONBasic(tjs, state);
360 
361  /* tls serial */
362  JsonTlsLogSerial(tjs, state);
363 
364  /* tls fingerprint */
365  JsonTlsLogFingerprint(tjs, state);
366 
367  /* tls sni */
368  JsonTlsLogSni(tjs, state);
369 
370  /* tls version */
371  JsonTlsLogVersion(tjs, state);
372 
373  /* tls notbefore */
374  JsonTlsLogNotBefore(tjs, state);
375 
376  /* tls notafter */
377  JsonTlsLogNotAfter(tjs, state);
378 
379  /* tls ja3 */
380  JsonTlsLogJa3(tjs, state);
381 
382  /* tls ja3s */
383  JsonTlsLogJa3S(tjs, state);
384 }
385 
386 static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p,
387  Flow *f, void *state, void *txptr, uint64_t tx_id)
388 {
389  JsonTlsLogThread *aft = (JsonTlsLogThread *)thread_data;
390  OutputTlsCtx *tls_ctx = aft->tlslog_ctx;
391 
392  SSLState *ssl_state = (SSLState *)state;
393  if (unlikely(ssl_state == NULL)) {
394  return 0;
395  }
396 
397  if ((ssl_state->server_connp.cert0_issuerdn == NULL ||
398  ssl_state->server_connp.cert0_subject == NULL) &&
399  ((ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) == 0 ||
400  (tls_ctx->flags & LOG_TLS_SESSION_RESUMPTION) == 0) &&
401  ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) {
402  return 0;
403  }
404 
405  JsonBuilder *js = CreateEveHeader(p, LOG_DIR_FLOW, "tls", NULL, aft->tlslog_ctx->eve_ctx);
406  if (unlikely(js == NULL)) {
407  return 0;
408  }
409 
410  jb_open_object(js, "tls");
411 
412  /* log custom fields */
413  if (tls_ctx->flags & LOG_TLS_CUSTOM) {
414  JsonTlsLogJSONCustom(tls_ctx, js, ssl_state);
415  }
416  /* log extended */
417  else if (tls_ctx->flags & LOG_TLS_EXTENDED) {
418  JsonTlsLogJSONExtended(js, ssl_state);
419  }
420  /* log basic */
421  else {
422  JsonTlsLogJSONBasic(js, ssl_state);
423  }
424 
425  /* print original application level protocol when it have been changed
426  because of STARTTLS, HTTP CONNECT, or similar. */
427  if (f->alproto_orig != ALPROTO_UNKNOWN) {
428  jb_set_string(js, "from_proto",
430  }
431 
432  /* Close the tls object. */
433  jb_close(js);
434 
435  OutputJsonBuilderBuffer(js, aft->ctx);
436  jb_free(js);
437 
438  return 0;
439 }
440 
441 static TmEcode JsonTlsLogThreadInit(ThreadVars *t, const void *initdata, void **data)
442 {
443  JsonTlsLogThread *aft = SCCalloc(1, sizeof(JsonTlsLogThread));
444  if (unlikely(aft == NULL)) {
445  return TM_ECODE_FAILED;
446  }
447 
448  if (initdata == NULL) {
449  SCLogDebug("Error getting context for eve-log tls 'initdata' argument NULL");
450  goto error_exit;
451  }
452 
453  /* use the Output Context (file pointer and mutex) */
454  aft->tlslog_ctx = ((OutputCtx *)initdata)->data;
455 
456  aft->ctx = CreateEveThreadCtx(t, aft->tlslog_ctx->eve_ctx);
457  if (!aft->ctx) {
458  goto error_exit;
459  }
460  *data = (void *)aft;
461  return TM_ECODE_OK;
462 
463 error_exit:
464  SCFree(aft);
465  return TM_ECODE_FAILED;
466 }
467 
468 static TmEcode JsonTlsLogThreadDeinit(ThreadVars *t, void *data)
469 {
470  JsonTlsLogThread *aft = (JsonTlsLogThread *)data;
471  if (aft == NULL) {
472  return TM_ECODE_OK;
473  }
474 
475  FreeEveThreadCtx(aft->ctx);
476 
477  /* clear memory */
478  memset(aft, 0, sizeof(JsonTlsLogThread));
479 
480  SCFree(aft);
481  return TM_ECODE_OK;
482 }
483 
484 static OutputTlsCtx *OutputTlsInitCtx(ConfNode *conf)
485 {
486  OutputTlsCtx *tls_ctx = SCMalloc(sizeof(OutputTlsCtx));
487  if (unlikely(tls_ctx == NULL))
488  return NULL;
489 
490  tls_ctx->flags = LOG_TLS_DEFAULT;
491  tls_ctx->fields = 0;
492 
493  if (conf == NULL)
494  return tls_ctx;
495 
496  const char *extended = ConfNodeLookupChildValue(conf, "extended");
497  if (extended) {
498  if (ConfValIsTrue(extended)) {
499  tls_ctx->flags = LOG_TLS_EXTENDED;
500  }
501  }
502 
503  ConfNode *custom = ConfNodeLookupChild(conf, "custom");
504  if (custom) {
505  tls_ctx->flags = LOG_TLS_CUSTOM;
506  ConfNode *field;
507  TAILQ_FOREACH(field, &custom->head, next)
508  {
509  TlsFields *valid_fields = tls_fields;
510  for ( ; valid_fields->name != NULL; valid_fields++) {
511  if (strcasecmp(field->val, valid_fields->name) == 0) {
512  tls_ctx->fields |= valid_fields->flag;
513  break;
514  }
515  }
516  }
517  }
518 
519  const char *session_resumption = ConfNodeLookupChildValue(conf, "session-resumption");
520  if (session_resumption == NULL || ConfValIsTrue(session_resumption)) {
521  tls_ctx->flags |= LOG_TLS_SESSION_RESUMPTION;
522  }
523 
524  if ((tls_ctx->fields & LOG_TLS_FIELD_JA3) &&
525  Ja3IsDisabled("fields")) {
526  /* JA3 is disabled, so don't log any JA3 fields */
527  tls_ctx->fields &= ~LOG_TLS_FIELD_JA3;
528  tls_ctx->fields &= ~LOG_TLS_FIELD_JA3S;
529  }
530 
531  if ((tls_ctx->fields & LOG_TLS_FIELD_CERTIFICATE) &&
532  (tls_ctx->fields & LOG_TLS_FIELD_CHAIN)) {
534  "Both 'certificate' and 'chain' contains the top "
535  "certificate, so only one of them should be enabled "
536  "at a time");
537  }
538 
539  return tls_ctx;
540 }
541 
542 static void OutputTlsLogDeinitSub(OutputCtx *output_ctx)
543 {
544  OutputTlsCtx *tls_ctx = output_ctx->data;
545  SCFree(tls_ctx);
546  SCFree(output_ctx);
547 }
548 
549 static OutputInitResult OutputTlsLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
550 {
551  OutputInitResult result = { NULL, false };
552  OutputJsonCtx *ojc = parent_ctx->data;
553 
554  OutputTlsCtx *tls_ctx = OutputTlsInitCtx(conf);
555  if (unlikely(tls_ctx == NULL))
556  return result;
557 
558  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
559  if (unlikely(output_ctx == NULL)) {
560  SCFree(tls_ctx);
561  return result;
562  }
563 
564  tls_ctx->eve_ctx = ojc;
565 
566  if ((tls_ctx->fields & LOG_TLS_FIELD_CERTIFICATE) &&
567  (tls_ctx->fields & LOG_TLS_FIELD_CHAIN)) {
569  "Both 'certificate' and 'chain' contains the top "
570  "certificate, so only one of them should be enabled "
571  "at a time");
572  }
573 
574  output_ctx->data = tls_ctx;
575  output_ctx->DeInit = OutputTlsLogDeinitSub;
576 
578 
579  result.ctx = output_ctx;
580  result.ok = true;
581  return result;
582 }
583 
585 {
586  /* register as child of eve-log */
588  "JsonTlsLog", "eve-log.tls", OutputTlsLogInitSub, ALPROTO_TLS,
589  JsonTlsLogger, TLS_HANDSHAKE_DONE, TLS_HANDSHAKE_DONE,
590  JsonTlsLogThreadInit, JsonTlsLogThreadDeinit, NULL);
591 }
SSLStateConnp_::cert0_not_before
time_t cert0_not_before
Definition: app-layer-ssl.h:212
tm-threads.h
SSLStateConnp_::cert0_subject
char * cert0_subject
Definition: app-layer-ssl.h:209
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:240
LOG_TLS_FIELD_NOTBEFORE
#define LOG_TLS_FIELD_NOTBEFORE
Definition: output-json-tls.c:69
SSLCertsChain_::cert_len
uint32_t cert_len
Definition: app-layer-ssl.h:181
JsonTlsLogJSONBasic
void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state)
Definition: output-json-tls.c:289
LOG_TLS_DEFAULT
#define LOG_TLS_DEFAULT
Definition: output-json-tls.c:59
ConfNode_::val
char * val
Definition: conf.h:34
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
LOG_TLS_FIELD_JA3
#define LOG_TLS_FIELD_JA3
Definition: output-json-tls.c:75
SSLState_::client_connp
SSLStateConnp client_connp
Definition: app-layer-ssl.h:257
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
SC_WARN_DUPLICATE_OUTPUT
@ SC_WARN_DUPLICATE_OUTPUT
Definition: util-error.h:329
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
SSLState_::server_connp
SSLStateConnp server_connp
Definition: app-layer-ssl.h:258
SSL_AL_FLAG_SESSION_RESUMED
#define SSL_AL_FLAG_SESSION_RESUMED
Definition: app-layer-ssl.h:118
FreeEveThreadCtx
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
Definition: output-json-common.c:73
SSLStateConnp_::ja3_hash
char * ja3_hash
Definition: app-layer-ssl.h:226
threads.h
OutputJsonCtx_
Definition: output-json.h:81
Flow_
Flow data structure.
Definition: flow.h:353
SSL_AL_FLAG_STATE_SERVER_HELLO
#define SSL_AL_FLAG_STATE_SERVER_HELLO
Definition: app-layer-ssl.h:98
TlsFields
Definition: output-json-tls.c:78
OutputJsonBuilderBuffer
int OutputJsonBuilderBuffer(JsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:960
SSL_VERSION_MAX_STRLEN
#define SSL_VERSION_MAX_STRLEN
Definition: app-layer-ssl.h:146
LOG_TLS_FIELD_NOTAFTER
#define LOG_TLS_FIELD_NOTAFTER
Definition: output-json-tls.c:70
TAILQ_EMPTY
#define TAILQ_EMPTY(head)
Definition: queue.h:248
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:252
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:466
output-json-tls.h
CreateEveThreadCtx
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
Definition: output-json-common.c:44
JA3Buffer_::data
char * data
Definition: util-ja3.h:30
util-ja3.h
util-privs.h
SSLStateConnp_::sni
char * sni
Definition: app-layer-ssl.h:217
LOG_TLS_FIELD_SUBJECT
#define LOG_TLS_FIELD_SUBJECT
Definition: output-json-tls.c:65
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:83
LOGGER_JSON_TLS
@ LOGGER_JSON_TLS
Definition: suricata-common.h:447
JsonTlsLogThread
struct JsonTlsLogThread_ JsonTlsLogThread
LOG_TLS_FIELD_FINGERPRINT
#define LOG_TLS_FIELD_FINGERPRINT
Definition: output-json-tls.c:68
JsonTlsLogRegister
void JsonTlsLogRegister(void)
Definition: output-json-tls.c:584
TlsFields::flag
uint64_t flag
Definition: output-json-tls.c:80
util-unittest.h
SSLStateConnp_::cert0_issuerdn
char * cert0_issuerdn
Definition: app-layer-ssl.h:210
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:521
JsonTlsLogThread_::ctx
OutputJsonThreadCtx * ctx
Definition: output-json-tls.c:109
OutputCtx_::data
void * data
Definition: tm-modules.h:81
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:82
OutputCtx_
Definition: tm-modules.h:78
OutputJsonThreadCtx_
Definition: output-json.h:89
Ja3IsDisabled
int Ja3IsDisabled(const char *type)
Check if JA3 is disabled.
Definition: util-ja3.c:249
SSLStateConnp_::cert0_not_after
time_t cert0_not_after
Definition: app-layer-ssl.h:213
OutputTlsCtx_::eve_ctx
OutputJsonCtx * eve_ctx
Definition: output-json-tls.c:103
util-debug.h
TlsFields::name
const char * name
Definition: output-json-tls.c:79
TAILQ_FIRST
#define TAILQ_FIRST(head)
Definition: queue.h:250
LOG_TLS_FIELD_JA3S
#define LOG_TLS_FIELD_JA3S
Definition: output-json-tls.c:76
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:45
output-json.h
OutputRegisterTxSubModuleWithProgress
void OutputRegisterTxSubModuleWithProgress(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, AppProto alproto, TxLogger TxLogFunc, int tc_log_progress, int ts_log_progress, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Definition: output.c:381
LOG_TLS_CUSTOM
#define LOG_TLS_CUSTOM
Definition: output-json-tls.c:61
AppLayerParserRegisterLogger
void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:492
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:822
SSLCertsChain_
Definition: app-layer-ssl.h:179
util-print.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:56
pkt-var.h
OutputTlsCtx_::flags
uint32_t flags
Definition: output-json-tls.c:101
SSLVersionToString
void SSLVersionToString(uint16_t version, char *buffer)
Definition: app-layer-ssl.c:325
util-time.h
OutputInitResult_::ok
bool ok
Definition: output.h:46
app-layer-parser.h
LOG_TLS_FIELD_SERIAL
#define LOG_TLS_FIELD_SERIAL
Definition: output-json-tls.c:67
Packet_
Definition: decode.h:433
conf.h
OutputTlsCtx
struct OutputTlsCtx_ OutputTlsCtx
TmEcode
TmEcode
Definition: tm-threads-common.h:81
SSLCertsChain_::cert_data
uint8_t * cert_data
Definition: app-layer-ssl.h:180
LOG_TLS_FIELD_ISSUER
#define LOG_TLS_FIELD_ISSUER
Definition: output-json-tls.c:66
ConfNodeLookupChild
ConfNode * ConfNodeLookupChild(const ConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:770
OutputInitResult_
Definition: output.h:44
suricata-common.h
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
tls_fields
TlsFields tls_fields[]
Definition: output-json-tls.c:83
LOG_TLS_FIELD_CERTIFICATE
#define LOG_TLS_FIELD_CERTIFICATE
Definition: output-json-tls.c:72
OutputTlsCtx_
Definition: output-json-tls.c:100
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:31
threadvars.h
LOG_DIR_FLOW
@ LOG_DIR_FLOW
Definition: output-json.h:40
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:242
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ConfNode_
Definition: conf.h:32
util-logopenfile.h
util-buffer.h
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:928
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
OutputTlsCtx_::fields
uint64_t fields
Definition: output-json-tls.c:102
LOG_TLS_FIELD_SNI
#define LOG_TLS_FIELD_SNI
Definition: output-json-tls.c:71
SSLStateConnp_::cert0_fingerprint
char * cert0_fingerprint
Definition: app-layer-ssl.h:214
LOG_TLS_EXTENDED
#define LOG_TLS_EXTENDED
Definition: output-json-tls.c:60
SSLStateConnp_::ja3_str
JA3Buffer * ja3_str
Definition: app-layer-ssl.h:225
JsonTlsLogThread_::tlslog_ctx
OutputTlsCtx * tlslog_ctx
Definition: output-json-tls.c:108
LOG_TLS_FIELD_SESSION_RESUMED
#define LOG_TLS_FIELD_SESSION_RESUMED
Definition: output-json-tls.c:74
LOG_TLS_SESSION_RESUMPTION
#define LOG_TLS_SESSION_RESUMPTION
Definition: output-json-tls.c:62
JsonTlsLogJSONExtended
void JsonTlsLogJSONExtended(JsonBuilder *tjs, SSLState *state)
Definition: output-json-tls.c:357
TLS_HANDSHAKE_DONE
@ TLS_HANDSHAKE_DONE
Definition: app-layer-ssl.h:78
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
LOG_TLS_FIELD_CHAIN
#define LOG_TLS_FIELD_CHAIN
Definition: output-json-tls.c:73
CreateUtcIsoTimeString
void CreateUtcIsoTimeString(const struct timeval *ts, char *str, size_t size)
Definition: util-time.c:236
SSLStateConnp_::cert0_serial
char * cert0_serial
Definition: app-layer-ssl.h:211
LOG_TLS_FIELD_VERSION
#define LOG_TLS_FIELD_VERSION
Definition: output-json-tls.c:64
JsonTlsLogThread_
Definition: output-json-tls.c:107
app-layer-ssl.h
SSL_AL_FLAG_LOG_WITHOUT_CERT
#define SSL_AL_FLAG_LOG_WITHOUT_CERT
Definition: app-layer-ssl.h:125
debug.h
output.h
SC_ATOMIC_EXTERN
SC_ATOMIC_EXTERN(unsigned int, cert_id)
app-layer.h
SSLState_::flags
uint32_t flags
Definition: app-layer-ssl.h:246
SSLStateConnp_::version
uint16_t version
Definition: app-layer-ssl.h:196
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:798