/* Identity of this EVE/JSON TLS logger module and the file it writes to
 * when no filename is configured. */
#define MODULE_NAME "LogTlsLog"
#define DEFAULT_LOG_FILENAME "tls.json"

/* Output-mode flags (bitmask). LOG_TLS_DEFAULT selects the base record;
 * EXTENDED and CUSTOM select the fuller record or a user-chosen field set
 * (the custom vs. extended dispatch happens in the per-transaction logger).
 * SESSION_RESUMPTION presumably mirrors the 'session-resumption' config
 * option — in this file it is treated as enabled unless explicitly set
 * false; verify against the config parser. */
#define LOG_TLS_DEFAULT 0
#define LOG_TLS_EXTENDED (1 << 0)
#define LOG_TLS_CUSTOM (1 << 1)
#define LOG_TLS_SESSION_RESUMPTION (1 << 2)

/* Per-field selection bits for custom output, one bit per loggable field.
 * Configured field names are validated against a table of valid names
 * (case-insensitive compare) before a bit is set. Two things a reviewer
 * should keep in mind when enabling these:
 *  - CERTIFICATE and CHAIN (and the CLIENT_* pair) both emit the top
 *    certificate, so enabling both duplicates that certificate in every
 *    record; the config loader warns about this.
 *  - CLIENT_CERT and CLIENT_CHAIN implicitly enable CLIENT, because the
 *    client fields are emitted inside the "client" object.
 * Fields with a fixed-size hash (JA3/JA3S/JA4) are only logged when the
 * corresponding value is present on the state — NOTE(review): confirm the
 * guards in the individual JsonTlsLog* helpers, which are not fully shown
 * here. */
#define LOG_TLS_FIELD_VERSION (1 << 0)
#define LOG_TLS_FIELD_SUBJECT (1 << 1)
#define LOG_TLS_FIELD_ISSUER (1 << 2)
#define LOG_TLS_FIELD_SERIAL (1 << 3)
#define LOG_TLS_FIELD_FINGERPRINT (1 << 4)
#define LOG_TLS_FIELD_NOTBEFORE (1 << 5)
#define LOG_TLS_FIELD_NOTAFTER (1 << 6)
#define LOG_TLS_FIELD_SNI (1 << 7)
#define LOG_TLS_FIELD_CERTIFICATE (1 << 8)
#define LOG_TLS_FIELD_CHAIN (1 << 9)
#define LOG_TLS_FIELD_SESSION_RESUMED (1 << 10)
#define LOG_TLS_FIELD_JA3 (1 << 11)
#define LOG_TLS_FIELD_JA3S (1 << 12)
#define LOG_TLS_FIELD_CLIENT (1 << 13)
#define LOG_TLS_FIELD_CLIENT_CERT (1 << 14)
#define LOG_TLS_FIELD_CLIENT_CHAIN (1 << 15)
#define LOG_TLS_FIELD_JA4 (1 << 16)
109 static void JsonTlsLogSubject(JsonBuilder *js,
SSLState *ssl_state)
112 jb_set_string(js,
"subject",
117 static void JsonTlsLogIssuer(JsonBuilder *js,
SSLState *ssl_state)
120 jb_set_string(js,
"issuerdn",
125 static void JsonTlsLogSessionResumed(JsonBuilder *js,
SSLState *ssl_state)
134 jb_set_bool(js,
"session_resumed",
true);
139 static void JsonTlsLogFingerprint(JsonBuilder *js,
SSLState *ssl_state)
142 jb_set_string(js,
"fingerprint",
147 static void JsonTlsLogSni(JsonBuilder *js,
SSLState *ssl_state)
150 jb_set_string(js,
"sni",
155 static void JsonTlsLogSerial(JsonBuilder *js,
SSLState *ssl_state)
158 jb_set_string(js,
"serial",
163 static void JsonTlsLogVersion(JsonBuilder *js,
SSLState *ssl_state)
167 jb_set_string(js,
"version", ssl_version);
170 static void JsonTlsLogNotBefore(JsonBuilder *js,
SSLState *ssl_state)
177 static void JsonTlsLogNotAfter(JsonBuilder *js,
SSLState *ssl_state)
184 static void JsonTlsLogJa3Hash(JsonBuilder *js,
SSLState *ssl_state)
187 jb_set_string(js,
"hash",
192 static void JsonTlsLogJa3String(JsonBuilder *js,
SSLState *ssl_state)
196 jb_set_string(js,
"string",
201 static void JsonTlsLogJa3(JsonBuilder *js,
SSLState *ssl_state)
206 jb_open_object(js,
"ja3");
208 JsonTlsLogJa3Hash(js, ssl_state);
209 JsonTlsLogJa3String(js, ssl_state);
215 static void JsonTlsLogSCJA4(JsonBuilder *js,
SSLState *ssl_state)
221 jb_set_string_from_bytes(js,
"ja4", buffer, 36);
225 static void JsonTlsLogJa3SHash(JsonBuilder *js,
SSLState *ssl_state)
228 jb_set_string(js,
"hash",
233 static void JsonTlsLogJa3SString(JsonBuilder *js,
SSLState *ssl_state)
237 jb_set_string(js,
"string",
242 static void JsonTlsLogJa3S(JsonBuilder *js,
SSLState *ssl_state)
247 jb_open_object(js,
"ja3s");
249 JsonTlsLogJa3SHash(js, ssl_state);
250 JsonTlsLogJa3SString(js, ssl_state);
256 static void JsonTlsLogCertificate(JsonBuilder *js,
SSLStateConnp *connp)
270 static void JsonTlsLogChain(JsonBuilder *js,
SSLStateConnp *connp)
276 jb_open_array(js,
"chain");
293 static void JsonTlsLogClientCert(
294 JsonBuilder *js,
SSLStateConnp *connp,
const bool log_cert,
const bool log_chain)
312 jb_set_string(js,
"notbefore", timebuf);
318 jb_set_string(js,
"notafter", timebuf);
322 JsonTlsLogCertificate(js, connp);
325 JsonTlsLogChain(js, connp);
332 JsonTlsLogSubject(js, ssl_state);
335 JsonTlsLogIssuer(js, ssl_state);
338 JsonTlsLogSessionResumed(js, ssl_state);
341 static void JsonTlsLogJSONCustom(
OutputTlsCtx *tls_ctx, JsonBuilder *js,
346 JsonTlsLogSubject(js, ssl_state);
350 JsonTlsLogIssuer(js, ssl_state);
354 JsonTlsLogSessionResumed(js, ssl_state);
358 JsonTlsLogSerial(js, ssl_state);
362 JsonTlsLogFingerprint(js, ssl_state);
366 JsonTlsLogSni(js, ssl_state);
370 JsonTlsLogVersion(js, ssl_state);
374 JsonTlsLogNotBefore(js, ssl_state);
378 JsonTlsLogNotAfter(js, ssl_state);
390 JsonTlsLogJa3(js, ssl_state);
394 JsonTlsLogJa3S(js, ssl_state);
398 JsonTlsLogSCJA4(js, ssl_state);
404 jb_open_object(js,
"client");
405 JsonTlsLogClientCert(js, &ssl_state->
client_connp, log_cert, log_chain);
411 static bool JsonTlsLogJSONExtendedAux(
void *vtx, JsonBuilder *tjs)
417 JsonTlsLogSerial(tjs, state);
420 JsonTlsLogFingerprint(tjs, state);
423 JsonTlsLogSni(tjs, state);
426 JsonTlsLogVersion(tjs, state);
429 JsonTlsLogNotBefore(tjs, state);
432 JsonTlsLogNotAfter(tjs, state);
435 JsonTlsLogJa3(tjs, state);
438 JsonTlsLogJa3S(tjs, state);
441 JsonTlsLogSCJA4(tjs, state);
444 jb_open_object(tjs,
"client");
445 JsonTlsLogClientCert(tjs, &state->
client_connp,
false,
false);
453 jb_open_object(tjs,
"tls");
454 bool r = JsonTlsLogJSONExtendedAux(vtx, tjs);
460 Flow *f,
void *state,
void *txptr, uint64_t tx_id)
483 jb_open_object(js,
"tls");
487 JsonTlsLogJSONCustom(tls_ctx, js, ssl_state);
491 JsonTlsLogJSONExtendedAux(ssl_state, js);
501 jb_set_string(js,
"from_proto",
514 static TmEcode JsonTlsLogThreadInit(
ThreadVars *t,
const void *initdata,
void **data)
521 if (initdata == NULL) {
522 SCLogDebug(
"Error getting context for eve-log tls 'initdata' argument NULL");
584 for ( ; valid_fields->
name != NULL; valid_fields++) {
585 if (strcasecmp(field->
val, valid_fields->
name) == 0) {
599 if (session_resumption == NULL ||
ConfValIsTrue(session_resumption)) {
612 SCLogWarning(
"Both 'certificate' and 'chain' contains the top "
613 "certificate, so only one of them should be enabled "
618 SCLogWarning(
"Both 'client_certificate' and 'client_chain' contains the top "
619 "certificate, so only one of them should be enabled "
625 SCLogConfig(
"enabling \"client\" as a dependency of \"client_certificate\"");
629 SCLogConfig(
"enabling \"client\" as a dependency of \"client_chain\"");
637 static void OutputTlsLogDeinitSub(
OutputCtx *output_ctx)
663 SCLogWarning(
"Both 'certificate' and 'chain' contains the top "
664 "certificate, so only one of them should be enabled "
668 output_ctx->
data = tls_ctx;
669 output_ctx->
DeInit = OutputTlsLogDeinitSub;
673 result.
ctx = output_ctx;
683 JsonTlsLogThreadInit, JsonTlsLogThreadDeinit, NULL);