suricata
output-json-tls.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2012 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Implements TLS JSON logging portion of the engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "detect.h"
29 #include "pkt-var.h"
30 #include "conf.h"
31 
32 #include "threads.h"
33 #include "threadvars.h"
34 #include "tm-threads.h"
35 
36 #include "util-print.h"
37 #include "util-unittest.h"
38 
39 #include "util-debug.h"
40 #include "app-layer-parser.h"
41 #include "output.h"
42 #include "app-layer-ssl.h"
43 #include "app-layer.h"
44 #include "util-privs.h"
45 #include "util-buffer.h"
46 
47 #include "util-logopenfile.h"
48 #include "util-crypt.h"
49 #include "util-ja3.h"
50 
51 #include "output-json.h"
52 #include "output-json-tls.h"
53 
54 SC_ATOMIC_EXTERN(unsigned int, cert_id);
55 
56 #define MODULE_NAME "LogTlsLog"
57 #define DEFAULT_LOG_FILENAME "tls.json"
58 
59 #define LOG_TLS_DEFAULT 0
60 #define LOG_TLS_EXTENDED (1 << 0)
61 #define LOG_TLS_CUSTOM (1 << 1)
62 #define LOG_TLS_SESSION_RESUMPTION (1 << 2)
63 
64 #define LOG_TLS_FIELD_VERSION (1 << 0)
65 #define LOG_TLS_FIELD_SUBJECT (1 << 1)
66 #define LOG_TLS_FIELD_ISSUER (1 << 2)
67 #define LOG_TLS_FIELD_SERIAL (1 << 3)
68 #define LOG_TLS_FIELD_FINGERPRINT (1 << 4)
69 #define LOG_TLS_FIELD_NOTBEFORE (1 << 5)
70 #define LOG_TLS_FIELD_NOTAFTER (1 << 6)
71 #define LOG_TLS_FIELD_SNI (1 << 7)
72 #define LOG_TLS_FIELD_CERTIFICATE (1 << 8)
73 #define LOG_TLS_FIELD_CHAIN (1 << 9)
74 #define LOG_TLS_FIELD_SESSION_RESUMED (1 << 10)
75 #define LOG_TLS_FIELD_JA3 (1 << 11)
76 #define LOG_TLS_FIELD_JA3S (1 << 12)
77 
78 typedef struct {
79  const char *name;
80  uint64_t flag;
81 } TlsFields;
82 
84  { "version", LOG_TLS_FIELD_VERSION },
85  { "subject", LOG_TLS_FIELD_SUBJECT },
86  { "issuer", LOG_TLS_FIELD_ISSUER },
87  { "serial", LOG_TLS_FIELD_SERIAL },
88  { "fingerprint", LOG_TLS_FIELD_FINGERPRINT },
89  { "not_before", LOG_TLS_FIELD_NOTBEFORE },
90  { "not_after", LOG_TLS_FIELD_NOTAFTER },
91  { "sni", LOG_TLS_FIELD_SNI },
92  { "certificate", LOG_TLS_FIELD_CERTIFICATE },
93  { "chain", LOG_TLS_FIELD_CHAIN },
94  { "session_resumed", LOG_TLS_FIELD_SESSION_RESUMED },
95  { "ja3", LOG_TLS_FIELD_JA3 },
96  { "ja3s", LOG_TLS_FIELD_JA3S },
97  { NULL, -1 }
98 };
99 
100 typedef struct OutputTlsCtx_ {
102  uint32_t flags; /** Store mode */
103  uint64_t fields; /** Store fields */
106 
107 
108 typedef struct JsonTlsLogThread_ {
112 
113 static void JsonTlsLogSubject(JsonBuilder *js, SSLState *ssl_state)
114 {
115  if (ssl_state->server_connp.cert0_subject) {
116  jb_set_string(js, "subject",
117  ssl_state->server_connp.cert0_subject);
118  }
119 }
120 
121 static void JsonTlsLogIssuer(JsonBuilder *js, SSLState *ssl_state)
122 {
123  if (ssl_state->server_connp.cert0_issuerdn) {
124  jb_set_string(js, "issuerdn",
125  ssl_state->server_connp.cert0_issuerdn);
126  }
127 }
128 
129 static void JsonTlsLogSessionResumed(JsonBuilder *js, SSLState *ssl_state)
130 {
131  if (ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) {
132  /* Only log a session as 'resumed' if a certificate has not
133  been seen, and the session is not TLSv1.3 or later. */
134  if ((ssl_state->server_connp.cert0_issuerdn == NULL &&
135  ssl_state->server_connp.cert0_subject == NULL) &&
136  (ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) &&
137  ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) {
138  jb_set_bool(js, "session_resumed", true);
139  }
140  }
141 }
142 
143 static void JsonTlsLogFingerprint(JsonBuilder *js, SSLState *ssl_state)
144 {
145  if (ssl_state->server_connp.cert0_fingerprint) {
146  jb_set_string(js, "fingerprint",
147  ssl_state->server_connp.cert0_fingerprint);
148  }
149 }
150 
151 static void JsonTlsLogSni(JsonBuilder *js, SSLState *ssl_state)
152 {
153  if (ssl_state->client_connp.sni) {
154  jb_set_string(js, "sni",
155  ssl_state->client_connp.sni);
156  }
157 }
158 
159 static void JsonTlsLogSerial(JsonBuilder *js, SSLState *ssl_state)
160 {
161  if (ssl_state->server_connp.cert0_serial) {
162  jb_set_string(js, "serial",
163  ssl_state->server_connp.cert0_serial);
164  }
165 }
166 
167 static void JsonTlsLogVersion(JsonBuilder *js, SSLState *ssl_state)
168 {
169  char ssl_version[SSL_VERSION_MAX_STRLEN];
170  SSLVersionToString(ssl_state->server_connp.version, ssl_version);
171  jb_set_string(js, "version", ssl_version);
172 }
173 
174 static void JsonTlsLogNotBefore(JsonBuilder *js, SSLState *ssl_state)
175 {
176  if (ssl_state->server_connp.cert0_not_before != 0) {
177  char timebuf[64];
178  struct timeval tv;
179  tv.tv_sec = ssl_state->server_connp.cert0_not_before;
180  tv.tv_usec = 0;
181  CreateUtcIsoTimeString(&tv, timebuf, sizeof(timebuf));
182  jb_set_string(js, "notbefore", timebuf);
183  }
184 }
185 
186 static void JsonTlsLogNotAfter(JsonBuilder *js, SSLState *ssl_state)
187 {
188  if (ssl_state->server_connp.cert0_not_after != 0) {
189  char timebuf[64];
190  struct timeval tv;
191  tv.tv_sec = ssl_state->server_connp.cert0_not_after;
192  tv.tv_usec = 0;
193  CreateUtcIsoTimeString(&tv, timebuf, sizeof(timebuf));
194  jb_set_string(js, "notafter", timebuf);
195  }
196 }
197 
198 static void JsonTlsLogJa3Hash(JsonBuilder *js, SSLState *ssl_state)
199 {
200  if (ssl_state->client_connp.ja3_hash != NULL) {
201  jb_set_string(js, "hash",
202  ssl_state->client_connp.ja3_hash);
203  }
204 }
205 
206 static void JsonTlsLogJa3String(JsonBuilder *js, SSLState *ssl_state)
207 {
208  if ((ssl_state->client_connp.ja3_str != NULL) &&
209  ssl_state->client_connp.ja3_str->data != NULL) {
210  jb_set_string(js, "string",
211  ssl_state->client_connp.ja3_str->data);
212  }
213 }
214 
215 static void JsonTlsLogJa3(JsonBuilder *js, SSLState *ssl_state)
216 {
217  jb_open_object(js, "ja3");
218 
219  JsonTlsLogJa3Hash(js, ssl_state);
220  JsonTlsLogJa3String(js, ssl_state);
221 
222  jb_close(js);
223 }
224 
225 static void JsonTlsLogJa3SHash(JsonBuilder *js, SSLState *ssl_state)
226 {
227  if (ssl_state->server_connp.ja3_hash != NULL) {
228  jb_set_string(js, "hash",
229  ssl_state->server_connp.ja3_hash);
230  }
231 }
232 
233 static void JsonTlsLogJa3SString(JsonBuilder *js, SSLState *ssl_state)
234 {
235  if ((ssl_state->server_connp.ja3_str != NULL) &&
236  ssl_state->server_connp.ja3_str->data != NULL) {
237  jb_set_string(js, "string",
238  ssl_state->server_connp.ja3_str->data);
239  }
240 }
241 
242 static void JsonTlsLogJa3S(JsonBuilder *js, SSLState *ssl_state)
243 {
244  jb_open_object(js, "ja3s");
245 
246  JsonTlsLogJa3SHash(js, ssl_state);
247  JsonTlsLogJa3SString(js, ssl_state);
248 
249  jb_close(js);
250 }
251 
252 static void JsonTlsLogCertificate(JsonBuilder *js, SSLState *ssl_state)
253 {
254  if (TAILQ_EMPTY(&ssl_state->server_connp.certs)) {
255  return;
256  }
257 
258  SSLCertsChain *cert = TAILQ_FIRST(&ssl_state->server_connp.certs);
259  if (cert == NULL) {
260  return;
261  }
262 
263  unsigned long len = cert->cert_len * 2;
264  uint8_t encoded[len];
265  if (Base64Encode(cert->cert_data, cert->cert_len, encoded, &len) ==
266  SC_BASE64_OK) {
267  jb_set_string(js, "certificate", (char *)encoded);
268  }
269 }
270 
271 static void JsonTlsLogChain(JsonBuilder *js, SSLState *ssl_state)
272 {
273  if (TAILQ_EMPTY(&ssl_state->server_connp.certs)) {
274  return;
275  }
276 
277  jb_open_array(js, "chain");
278 
279  SSLCertsChain *cert;
280  TAILQ_FOREACH(cert, &ssl_state->server_connp.certs, next) {
281  unsigned long len = cert->cert_len * 2;
282  uint8_t encoded[len];
283  if (Base64Encode(cert->cert_data, cert->cert_len, encoded, &len) ==
284  SC_BASE64_OK) {
285  jb_append_string(js, (char *)encoded);
286  }
287  }
288 
289  jb_close(js);
290 }
291 
292 void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state)
293 {
294  /* tls subject */
295  JsonTlsLogSubject(js, ssl_state);
296 
297  /* tls issuerdn */
298  JsonTlsLogIssuer(js, ssl_state);
299 
300  /* tls session resumption */
301  JsonTlsLogSessionResumed(js, ssl_state);
302 }
303 
304 static void JsonTlsLogJSONCustom(OutputTlsCtx *tls_ctx, JsonBuilder *js,
305  SSLState *ssl_state)
306 {
307  /* tls subject */
308  if (tls_ctx->fields & LOG_TLS_FIELD_SUBJECT)
309  JsonTlsLogSubject(js, ssl_state);
310 
311  /* tls issuerdn */
312  if (tls_ctx->fields & LOG_TLS_FIELD_ISSUER)
313  JsonTlsLogIssuer(js, ssl_state);
314 
315  /* tls session resumption */
316  if (tls_ctx->fields & LOG_TLS_FIELD_SESSION_RESUMED)
317  JsonTlsLogSessionResumed(js, ssl_state);
318 
319  /* tls serial */
320  if (tls_ctx->fields & LOG_TLS_FIELD_SERIAL)
321  JsonTlsLogSerial(js, ssl_state);
322 
323  /* tls fingerprint */
324  if (tls_ctx->fields & LOG_TLS_FIELD_FINGERPRINT)
325  JsonTlsLogFingerprint(js, ssl_state);
326 
327  /* tls sni */
328  if (tls_ctx->fields & LOG_TLS_FIELD_SNI)
329  JsonTlsLogSni(js, ssl_state);
330 
331  /* tls version */
332  if (tls_ctx->fields & LOG_TLS_FIELD_VERSION)
333  JsonTlsLogVersion(js, ssl_state);
334 
335  /* tls notbefore */
336  if (tls_ctx->fields & LOG_TLS_FIELD_NOTBEFORE)
337  JsonTlsLogNotBefore(js, ssl_state);
338 
339  /* tls notafter */
340  if (tls_ctx->fields & LOG_TLS_FIELD_NOTAFTER)
341  JsonTlsLogNotAfter(js, ssl_state);
342 
343  /* tls certificate */
344  if (tls_ctx->fields & LOG_TLS_FIELD_CERTIFICATE)
345  JsonTlsLogCertificate(js, ssl_state);
346 
347  /* tls chain */
348  if (tls_ctx->fields & LOG_TLS_FIELD_CHAIN)
349  JsonTlsLogChain(js, ssl_state);
350 
351  /* tls ja3_hash */
352  if (tls_ctx->fields & LOG_TLS_FIELD_JA3)
353  JsonTlsLogJa3(js, ssl_state);
354 
355  /* tls ja3s */
356  if (tls_ctx->fields & LOG_TLS_FIELD_JA3S)
357  JsonTlsLogJa3S(js, ssl_state);
358 }
359 
360 void JsonTlsLogJSONExtended(JsonBuilder *tjs, SSLState * state)
361 {
362  JsonTlsLogJSONBasic(tjs, state);
363 
364  /* tls serial */
365  JsonTlsLogSerial(tjs, state);
366 
367  /* tls fingerprint */
368  JsonTlsLogFingerprint(tjs, state);
369 
370  /* tls sni */
371  JsonTlsLogSni(tjs, state);
372 
373  /* tls version */
374  JsonTlsLogVersion(tjs, state);
375 
376  /* tls notbefore */
377  JsonTlsLogNotBefore(tjs, state);
378 
379  /* tls notafter */
380  JsonTlsLogNotAfter(tjs, state);
381 
382  /* tls ja3 */
383  JsonTlsLogJa3(tjs, state);
384 
385  /* tls ja3s */
386  JsonTlsLogJa3S(tjs, state);
387 }
388 
389 static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p,
390  Flow *f, void *state, void *txptr, uint64_t tx_id)
391 {
392  JsonTlsLogThread *aft = (JsonTlsLogThread *)thread_data;
393  OutputTlsCtx *tls_ctx = aft->tlslog_ctx;
394 
395  SSLState *ssl_state = (SSLState *)state;
396  if (unlikely(ssl_state == NULL)) {
397  return 0;
398  }
399 
400  if ((ssl_state->server_connp.cert0_issuerdn == NULL ||
401  ssl_state->server_connp.cert0_subject == NULL) &&
402  ((ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) == 0 ||
403  (tls_ctx->flags & LOG_TLS_SESSION_RESUMPTION) == 0) &&
404  ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) {
405  return 0;
406  }
407 
408  JsonBuilder *js = CreateEveHeader(p, LOG_DIR_FLOW, "tls", NULL);
409  if (unlikely(js == NULL)) {
410  return 0;
411  }
412 
413  EveAddCommonOptions(&tls_ctx->cfg, p, f, js);
414 
415  jb_open_object(js, "tls");
416 
417  /* reset */
418  MemBufferReset(aft->buffer);
419 
420  /* log custom fields */
421  if (tls_ctx->flags & LOG_TLS_CUSTOM) {
422  JsonTlsLogJSONCustom(tls_ctx, js, ssl_state);
423  }
424  /* log extended */
425  else if (tls_ctx->flags & LOG_TLS_EXTENDED) {
426  JsonTlsLogJSONExtended(js, ssl_state);
427  }
428  /* log basic */
429  else {
430  JsonTlsLogJSONBasic(js, ssl_state);
431  }
432 
433  /* print original application level protocol when it have been changed
434  because of STARTTLS, HTTP CONNECT, or similar. */
435  if (f->alproto_orig != ALPROTO_UNKNOWN) {
436  jb_set_string(js, "from_proto",
438  }
439 
440  /* Close the tls object. */
441  jb_close(js);
442 
443  OutputJsonBuilderBuffer(js, tls_ctx->file_ctx, &aft->buffer);
444  jb_free(js);
445 
446  return 0;
447 }
448 
449 static TmEcode JsonTlsLogThreadInit(ThreadVars *t, const void *initdata, void **data)
450 {
452  if (unlikely(aft == NULL)) {
453  return TM_ECODE_FAILED;
454  }
455 
456  memset(aft, 0, sizeof(JsonTlsLogThread));
457 
458  if (initdata == NULL) {
459  SCLogDebug("Error getting context for eve-log tls 'initdata' argument NULL");
460  SCFree(aft);
461  return TM_ECODE_FAILED;
462  }
463 
464  /* use the Output Context (file pointer and mutex) */
465  aft->tlslog_ctx = ((OutputCtx *)initdata)->data;
466 
468  if (aft->buffer == NULL) {
469  SCFree(aft);
470  return TM_ECODE_FAILED;
471  }
472 
473  *data = (void *)aft;
474  return TM_ECODE_OK;
475 }
476 
477 static TmEcode JsonTlsLogThreadDeinit(ThreadVars *t, void *data)
478 {
479  JsonTlsLogThread *aft = (JsonTlsLogThread *)data;
480  if (aft == NULL) {
481  return TM_ECODE_OK;
482  }
483 
484  MemBufferFree(aft->buffer);
485 
486  /* clear memory */
487  memset(aft, 0, sizeof(JsonTlsLogThread));
488 
489  SCFree(aft);
490  return TM_ECODE_OK;
491 }
492 
493 static void OutputTlsLogDeinit(OutputCtx *output_ctx)
494 {
495  OutputTlsCtx *tls_ctx = output_ctx->data;
496  LogFileCtx *logfile_ctx = tls_ctx->file_ctx;
497  LogFileFreeCtx(logfile_ctx);
498  SCFree(tls_ctx);
499  SCFree(output_ctx);
500 }
501 
502 static OutputTlsCtx *OutputTlsInitCtx(ConfNode *conf)
503 {
504  OutputTlsCtx *tls_ctx = SCMalloc(sizeof(OutputTlsCtx));
505  if (unlikely(tls_ctx == NULL))
506  return NULL;
507 
508  tls_ctx->flags = LOG_TLS_DEFAULT;
509  tls_ctx->fields = 0;
510 
511  if (conf == NULL)
512  return tls_ctx;
513 
514  const char *extended = ConfNodeLookupChildValue(conf, "extended");
515  if (extended) {
516  if (ConfValIsTrue(extended)) {
517  tls_ctx->flags = LOG_TLS_EXTENDED;
518  }
519  }
520 
521  ConfNode *custom = ConfNodeLookupChild(conf, "custom");
522  if (custom) {
523  tls_ctx->flags = LOG_TLS_CUSTOM;
524  ConfNode *field;
525  TAILQ_FOREACH(field, &custom->head, next)
526  {
527  TlsFields *valid_fields = tls_fields;
528  for ( ; valid_fields->name != NULL; valid_fields++) {
529  if (strcasecmp(field->val, valid_fields->name) == 0) {
530  tls_ctx->fields |= valid_fields->flag;
531  break;
532  }
533  }
534  }
535  }
536 
537  const char *session_resumption = ConfNodeLookupChildValue(conf, "session-resumption");
538  if (session_resumption == NULL || ConfValIsTrue(session_resumption)) {
539  tls_ctx->flags |= LOG_TLS_SESSION_RESUMPTION;
540  }
541 
542  if ((tls_ctx->fields & LOG_TLS_FIELD_JA3) &&
543  Ja3IsDisabled("fields")) {
544  /* JA3 is disabled, so don't log any JA3 fields */
545  tls_ctx->fields &= ~LOG_TLS_FIELD_JA3;
546  tls_ctx->fields &= ~LOG_TLS_FIELD_JA3S;
547  }
548 
549  if ((tls_ctx->fields & LOG_TLS_FIELD_CERTIFICATE) &&
550  (tls_ctx->fields & LOG_TLS_FIELD_CHAIN)) {
552  "Both 'certificate' and 'chain' contains the top "
553  "certificate, so only one of them should be enabled "
554  "at a time");
555  }
556 
557  return tls_ctx;
558 }
559 
560 static OutputInitResult OutputTlsLogInit(ConfNode *conf)
561 {
562  OutputInitResult result = { NULL, false };
563  LogFileCtx *file_ctx = LogFileNewCtx();
564  if (file_ctx == NULL) {
565  SCLogError(SC_ERR_TLS_LOG_GENERIC, "couldn't create new file_ctx");
566  return result;
567  }
568 
569  if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
570  LogFileFreeCtx(file_ctx);
571  return result;
572  }
573 
574  OutputTlsCtx *tls_ctx = OutputTlsInitCtx(conf);
575  if (unlikely(tls_ctx == NULL)) {
576  LogFileFreeCtx(file_ctx);
577  return result;
578  }
579 
580  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
581  if (unlikely(output_ctx == NULL)) {
582  LogFileFreeCtx(file_ctx);
583  SCFree(tls_ctx);
584  return result;
585  }
586 
587  tls_ctx->file_ctx = file_ctx;
588 
589  output_ctx->data = tls_ctx;
590  output_ctx->DeInit = OutputTlsLogDeinit;
591 
593 
594  result.ctx = output_ctx;
595  result.ok = true;
596  return result;
597 }
598 
599 static void OutputTlsLogDeinitSub(OutputCtx *output_ctx)
600 {
601  OutputTlsCtx *tls_ctx = output_ctx->data;
602  SCFree(tls_ctx);
603  SCFree(output_ctx);
604 }
605 
606 static OutputInitResult OutputTlsLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
607 {
608  OutputInitResult result = { NULL, false };
609  OutputJsonCtx *ojc = parent_ctx->data;
610 
611  OutputTlsCtx *tls_ctx = OutputTlsInitCtx(conf);
612  if (unlikely(tls_ctx == NULL))
613  return result;
614 
615  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
616  if (unlikely(output_ctx == NULL)) {
617  SCFree(tls_ctx);
618  return result;
619  }
620 
621  tls_ctx->file_ctx = ojc->file_ctx;
622  tls_ctx->cfg = ojc->cfg;
623 
624  if ((tls_ctx->fields & LOG_TLS_FIELD_CERTIFICATE) &&
625  (tls_ctx->fields & LOG_TLS_FIELD_CHAIN)) {
627  "Both 'certificate' and 'chain' contains the top "
628  "certificate, so only one of them should be enabled "
629  "at a time");
630  }
631 
632  output_ctx->data = tls_ctx;
633  output_ctx->DeInit = OutputTlsLogDeinitSub;
634 
636 
637  result.ctx = output_ctx;
638  result.ok = true;
639  return result;
640 }
641 
643 {
644  /* register as separate module */
646  "tls-json-log", OutputTlsLogInit, ALPROTO_TLS, JsonTlsLogger,
647  TLS_HANDSHAKE_DONE, TLS_HANDSHAKE_DONE, JsonTlsLogThreadInit,
648  JsonTlsLogThreadDeinit, NULL);
649 
650  /* also register as child of eve-log */
652  "JsonTlsLog", "eve-log.tls", OutputTlsLogInitSub, ALPROTO_TLS,
653  JsonTlsLogger, TLS_HANDSHAKE_DONE, TLS_HANDSHAKE_DONE,
654  JsonTlsLogThreadInit, JsonTlsLogThreadDeinit, NULL);
655 }
SSLStateConnp_::cert0_not_before
time_t cert0_not_before
Definition: app-layer-ssl.h:205
tm-threads.h
SSLStateConnp_::cert0_subject
char * cert0_subject
Definition: app-layer-ssl.h:202
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:233
len
uint8_t len
Definition: app-layer-dnp3.h:2
LOG_TLS_FIELD_NOTBEFORE
#define LOG_TLS_FIELD_NOTBEFORE
Definition: output-json-tls.c:69
SC_ERR_TLS_LOG_GENERIC
@ SC_ERR_TLS_LOG_GENERIC
Definition: util-error.h:126
SSLCertsChain_::cert_len
uint32_t cert_len
Definition: app-layer-ssl.h:174
JsonTlsLogJSONBasic
void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state)
Definition: output-json-tls.c:292
LOG_TLS_DEFAULT
#define LOG_TLS_DEFAULT
Definition: output-json-tls.c:59
ConfNode_::val
char * val
Definition: conf.h:34
OutputJsonCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json.h:111
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
LOG_TLS_FIELD_JA3
#define LOG_TLS_FIELD_JA3
Definition: output-json-tls.c:75
SSLState_::client_connp
SSLStateConnp client_connp
Definition: app-layer-ssl.h:255
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
LogFileNewCtx
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
Definition: util-logopenfile.c:517
SC_WARN_DUPLICATE_OUTPUT
@ SC_WARN_DUPLICATE_OUTPUT
Definition: util-error.h:329
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
SSLState_::server_connp
SSLStateConnp server_connp
Definition: app-layer-ssl.h:256
SSL_AL_FLAG_SESSION_RESUMED
#define SSL_AL_FLAG_SESSION_RESUMED
Definition: app-layer-ssl.h:111
SSLStateConnp_::ja3_hash
char * ja3_hash
Definition: app-layer-ssl.h:219
JSON_OUTPUT_BUFFER_SIZE
#define JSON_OUTPUT_BUFFER_SIZE
Definition: output-json.h:62
threads.h
OutputJsonCtx_
Definition: output-json.h:108
Flow_
Flow data structure.
Definition: flow.h:343
OutputJsonCommonSettings_
Definition: output-json.h:99
SSL_AL_FLAG_STATE_SERVER_HELLO
#define SSL_AL_FLAG_STATE_SERVER_HELLO
Definition: app-layer-ssl.h:91
LogFileCtx_
Definition: util-logopenfile.h:52
TlsFields
Definition: output-json-tls.c:78
OutputTlsCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json-tls.c:104
SSL_VERSION_MAX_STRLEN
#define SSL_VERSION_MAX_STRLEN
Definition: app-layer-ssl.h:139
LOG_TLS_FIELD_NOTAFTER
#define LOG_TLS_FIELD_NOTAFTER
Definition: output-json-tls.c:70
TAILQ_EMPTY
#define TAILQ_EMPTY(head)
Definition: queue.h:347
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:350
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:431
output-json-tls.h
JA3Buffer_::data
char * data
Definition: util-ja3.h:30
OutputJsonBuilderBuffer
int OutputJsonBuilderBuffer(JsonBuilder *js, LogFileCtx *file_ctx, MemBuffer **buffer)
Definition: output-json.c:1431
util-ja3.h
util-privs.h
EveAddCommonOptions
void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, JsonBuilder *js)
Definition: output-json.c:673
SSLStateConnp_::sni
char * sni
Definition: app-layer-ssl.h:210
LOG_TLS_FIELD_SUBJECT
#define LOG_TLS_FIELD_SUBJECT
Definition: output-json-tls.c:65
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:79
LOGGER_JSON_TLS
@ LOGGER_JSON_TLS
Definition: suricata-common.h:452
JsonTlsLogThread
struct JsonTlsLogThread_ JsonTlsLogThread
LOG_TLS_FIELD_FINGERPRINT
#define LOG_TLS_FIELD_FINGERPRINT
Definition: output-json-tls.c:68
JsonTlsLogRegister
void JsonTlsLogRegister(void)
Definition: output-json-tls.c:642
TlsFields::flag
uint64_t flag
Definition: output-json-tls.c:80
SC_BASE64_OK
@ SC_BASE64_OK
Definition: util-crypt.h:37
OutputTlsCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json-tls.c:101
util-unittest.h
SSLStateConnp_::cert0_issuerdn
char * cert0_issuerdn
Definition: app-layer-ssl.h:203
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:566
OutputCtx_::data
void * data
Definition: tm-modules.h:81
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:78
OutputCtx_
Definition: tm-modules.h:78
SCConfLogOpenGeneric
int SCConfLogOpenGeneric(ConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
Definition: util-logopenfile.c:305
Ja3IsDisabled
int Ja3IsDisabled(const char *type)
Check if JA3 is disabled.
Definition: util-ja3.c:263
SSLStateConnp_::cert0_not_after
time_t cert0_not_after
Definition: app-layer-ssl.h:206
Base64Encode
int Base64Encode(const unsigned char *in, unsigned long inlen, unsigned char *out, unsigned long *outlen)
Definition: util-crypt.c:272
util-debug.h
TlsFields::name
const char * name
Definition: output-json-tls.c:79
TAILQ_FIRST
#define TAILQ_FIRST(head)
Definition: queue.h:339
LOG_TLS_FIELD_JA3S
#define LOG_TLS_FIELD_JA3S
Definition: output-json-tls.c:76
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:42
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr)
Definition: output-json.c:1286
output-json.h
OutputRegisterTxSubModuleWithProgress
void OutputRegisterTxSubModuleWithProgress(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, AppProto alproto, TxLogger TxLogFunc, int tc_log_progress, int ts_log_progress, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Definition: output.c:379
LOG_TLS_CUSTOM
#define LOG_TLS_CUSTOM
Definition: output-json-tls.c:61
AppLayerParserRegisterLogger
void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:471
SSLCertsChain_
Definition: app-layer-ssl.h:172
util-print.h
util-crypt.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
pkt-var.h
OutputTlsCtx_::flags
uint32_t flags
Definition: output-json-tls.c:102
SSLVersionToString
void SSLVersionToString(uint16_t version, char *buffer)
Definition: app-layer-ssl.c:346
OutputInitResult_::ok
bool ok
Definition: output.h:43
app-layer-parser.h
LOG_TLS_FIELD_SERIAL
#define LOG_TLS_FIELD_SERIAL
Definition: output-json-tls.c:67
Packet_
Definition: decode.h:411
conf.h
TLS_HANDSHAKE_DONE
@ TLS_HANDSHAKE_DONE
Definition: app-layer-ssl.h:71
OutputTlsCtx
struct OutputTlsCtx_ OutputTlsCtx
TmEcode
TmEcode
Definition: tm-threads-common.h:77
SSLCertsChain_::cert_data
uint8_t * cert_data
Definition: app-layer-ssl.h:173
MemBuffer_
Definition: util-buffer.h:27
LOG_TLS_FIELD_ISSUER
#define LOG_TLS_FIELD_ISSUER
Definition: output-json-tls.c:66
ConfNodeLookupChild
ConfNode * ConfNodeLookupChild(const ConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:815
MemBufferReset
#define MemBufferReset(mem_buffer)
Reset the mem buffer.
Definition: util-buffer.h:42
OutputInitResult_
Definition: output.h:41
suricata-common.h
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82
JsonTlsLogThread_::buffer
MemBuffer * buffer
Definition: output-json-tls.c:110
tls_fields
TlsFields tls_fields[]
Definition: output-json-tls.c:83
LOG_TLS_FIELD_CERTIFICATE
#define LOG_TLS_FIELD_CERTIFICATE
Definition: output-json-tls.c:72
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
LogFileFreeCtx
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
Definition: util-logopenfile.c:539
OutputTlsCtx_
Definition: output-json-tls.c:100
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
threadvars.h
LOG_DIR_FLOW
@ LOG_DIR_FLOW
Definition: output-json.h:39
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:244
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ConfNode_
Definition: conf.h:32
util-logopenfile.h
util-buffer.h
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:776
OutputRegisterTxModuleWithProgress
void OutputRegisterTxModuleWithProgress(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, AppProto alproto, TxLogger TxLogFunc, int tc_log_progress, int ts_log_progress, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a tx output module with progress.
Definition: output.c:368
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:109
OutputTlsCtx_::fields
uint64_t fields
Definition: output-json-tls.c:103
LOG_TLS_FIELD_SNI
#define LOG_TLS_FIELD_SNI
Definition: output-json-tls.c:71
DEFAULT_LOG_FILENAME
#define DEFAULT_LOG_FILENAME
Definition: output-json-tls.c:57
SSLStateConnp_::cert0_fingerprint
char * cert0_fingerprint
Definition: app-layer-ssl.h:207
LOG_TLS_EXTENDED
#define LOG_TLS_EXTENDED
Definition: output-json-tls.c:60
SSLStateConnp_::ja3_str
JA3Buffer * ja3_str
Definition: app-layer-ssl.h:218
JsonTlsLogThread_::tlslog_ctx
OutputTlsCtx * tlslog_ctx
Definition: output-json-tls.c:109
LOG_TLS_FIELD_SESSION_RESUMED
#define LOG_TLS_FIELD_SESSION_RESUMED
Definition: output-json-tls.c:74
LOG_TLS_SESSION_RESUMPTION
#define LOG_TLS_SESSION_RESUMPTION
Definition: output-json-tls.c:62
JsonTlsLogJSONExtended
void JsonTlsLogJSONExtended(JsonBuilder *tjs, SSLState *state)
Definition: output-json-tls.c:360
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
LOG_TLS_FIELD_CHAIN
#define LOG_TLS_FIELD_CHAIN
Definition: output-json-tls.c:73
CreateUtcIsoTimeString
void CreateUtcIsoTimeString(const struct timeval *ts, char *str, size_t size)
Definition: util-time.c:233
SSLStateConnp_::cert0_serial
char * cert0_serial
Definition: app-layer-ssl.h:204
LOG_TLS_FIELD_VERSION
#define LOG_TLS_FIELD_VERSION
Definition: output-json-tls.c:64
JsonTlsLogThread_
Definition: output-json-tls.c:108
app-layer-ssl.h
SSL_AL_FLAG_LOG_WITHOUT_CERT
#define SSL_AL_FLAG_LOG_WITHOUT_CERT
Definition: app-layer-ssl.h:118
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
debug.h
output.h
SC_ATOMIC_EXTERN
SC_ATOMIC_EXTERN(unsigned int, cert_id)
app-layer.h
SSLState_::flags
uint32_t flags
Definition: app-layer-ssl.h:237
SSLStateConnp_::version
uint16_t version
Definition: app-layer-ssl.h:189
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:843