output-json-tls.c
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Implements TLS JSON logging portion of the engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "detect.h"
28 #include "pkt-var.h"
29 #include "conf.h"
30 
31 #include "threads.h"
32 #include "threadvars.h"
33 #include "tm-threads.h"
34 
35 #include "util-print.h"
36 #include "util-time.h"
37 #include "util-unittest.h"
38 
39 #include "util-debug.h"
40 #include "app-layer-parser.h"
41 #include "output.h"
42 #include "app-layer-ssl.h"
43 #include "app-layer.h"
44 #include "util-privs.h"
45 #include "util-buffer.h"
46 
47 #include "util-logopenfile.h"
48 #include "util-ja3.h"
49 
50 #include "output-json.h"
51 #include "output-json-tls.h"
52 
/* Atomic counter defined in another translation unit. It is declared here
 * but not referenced anywhere in this file's code (NOTE(review): looks like
 * a leftover from an earlier certificate-store implementation; confirm
 * before removing). */
SC_ATOMIC_EXTERN(unsigned int, cert_id);
54 
/* Legacy module identifiers. Neither is referenced by the code in this file:
 * registration below uses the literal names "JsonTlsLog" / "eve-log.tls". */
#define MODULE_NAME "LogTlsLog"
#define DEFAULT_LOG_FILENAME "tls.json"

/* Output-mode bits kept in OutputTlsCtx.flags.
 * EXTENDED and CUSTOM are assigned (not OR-ed) by the config parser, so
 * 'custom' overrides 'extended'. SESSION_RESUMPTION is OR-ed in
 * independently and widens the "should we log this flow at all" gate in
 * JsonTlsLogger() to include resumed sessions without a certificate. */
#define LOG_TLS_DEFAULT 0
#define LOG_TLS_EXTENDED (1 << 0)
#define LOG_TLS_CUSTOM (1 << 1)
#define LOG_TLS_SESSION_RESUMPTION (1 << 2)

/* Per-field selection bits kept in OutputTlsCtx.fields. They are only
 * consulted in LOG_TLS_CUSTOM mode; EXTENDED and basic mode emit fixed sets.
 * CLIENT gates the whole "client" sub-object (client certificate metadata);
 * CLIENT_CERT / CLIENT_CHAIN additionally select the raw DER data inside it
 * and imply CLIENT (see OutputTlsInitCtx). */
#define LOG_TLS_FIELD_VERSION (1 << 0)
#define LOG_TLS_FIELD_SUBJECT (1 << 1)
#define LOG_TLS_FIELD_ISSUER (1 << 2)
#define LOG_TLS_FIELD_SERIAL (1 << 3)
#define LOG_TLS_FIELD_FINGERPRINT (1 << 4)
#define LOG_TLS_FIELD_NOTBEFORE (1 << 5)
#define LOG_TLS_FIELD_NOTAFTER (1 << 6)
#define LOG_TLS_FIELD_SNI (1 << 7)
#define LOG_TLS_FIELD_CERTIFICATE (1 << 8)
#define LOG_TLS_FIELD_CHAIN (1 << 9)
#define LOG_TLS_FIELD_SESSION_RESUMED (1 << 10)
#define LOG_TLS_FIELD_JA3 (1 << 11)
#define LOG_TLS_FIELD_JA3S (1 << 12)
#define LOG_TLS_FIELD_CLIENT (1 << 13) /**< client fields (issuer, subject, etc) */
#define LOG_TLS_FIELD_CLIENT_CERT (1 << 14)
#define LOG_TLS_FIELD_CLIENT_CHAIN (1 << 15)
79 
/* Maps one keyword of the eve-log.tls 'custom' list to its LOG_TLS_FIELD_*
 * bit. The table built from this type is terminated by an entry whose name
 * is NULL, which is what the config loop in OutputTlsInitCtx() stops on. */
typedef struct {
    const char *name; /* keyword as written in the config (matched case-insensitively) */
    uint64_t flag;    /* LOG_TLS_FIELD_* bit OR-ed into OutputTlsCtx.fields */
} TlsFields;
84 
86  { "subject", LOG_TLS_FIELD_SUBJECT }, { "issuer", LOG_TLS_FIELD_ISSUER },
87  { "serial", LOG_TLS_FIELD_SERIAL }, { "fingerprint", LOG_TLS_FIELD_FINGERPRINT },
88  { "not_before", LOG_TLS_FIELD_NOTBEFORE }, { "not_after", LOG_TLS_FIELD_NOTAFTER },
89  { "sni", LOG_TLS_FIELD_SNI }, { "certificate", LOG_TLS_FIELD_CERTIFICATE },
90  { "chain", LOG_TLS_FIELD_CHAIN }, { "session_resumed", LOG_TLS_FIELD_SESSION_RESUMED },
91  { "ja3", LOG_TLS_FIELD_JA3 }, { "ja3s", LOG_TLS_FIELD_JA3S },
92  { "client", LOG_TLS_FIELD_CLIENT }, { "client_certificate", LOG_TLS_FIELD_CLIENT_CERT },
93  { "client_chain", LOG_TLS_FIELD_CLIENT_CHAIN }, { NULL, -1 } };
94 
95 typedef struct OutputTlsCtx_ {
96  uint32_t flags; /** Store mode */
97  uint64_t fields; /** Store fields */
100 
101 
102 typedef struct JsonTlsLogThread_ {
106 
/* Emit the server certificate subject DN as "subject". Nothing is written
 * when the parser did not store one (no certificate seen yet / resumption). */
static void JsonTlsLogSubject(JsonBuilder *js, SSLState *ssl_state)
{
    const char *subject = ssl_state->server_connp.cert0_subject;
    if (subject == NULL)
        return;
    jb_set_string(js, "subject", subject);
}
114 
/* Emit the server certificate issuer DN as "issuerdn", if the parser stored one. */
static void JsonTlsLogIssuer(JsonBuilder *js, SSLState *ssl_state)
{
    const char *issuer = ssl_state->server_connp.cert0_issuerdn;
    if (issuer == NULL)
        return;
    jb_set_string(js, "issuerdn", issuer);
}
122 
/* Emit "session_resumed": true for a resumed session.
 *
 * The flag alone is not trusted: it is only reported when no server
 * certificate data (issuer/subject) was captured, the ServerHello has been
 * seen, and the parser did not mark the flow as loggable without a
 * certificate (the original comment ties that last case to TLSv1.3+). */
static void JsonTlsLogSessionResumed(JsonBuilder *js, SSLState *ssl_state)
{
    const uint32_t flags = ssl_state->flags;
    const SSLStateConnp *srv = &ssl_state->server_connp;

    if ((flags & SSL_AL_FLAG_SESSION_RESUMED) == 0)
        return;
    /* A certificate was seen: this was not a certificate-less resumption. */
    if (srv->cert0_issuerdn != NULL || srv->cert0_subject != NULL)
        return;
    if ((flags & SSL_AL_FLAG_STATE_SERVER_HELLO) == 0)
        return;
    if (flags & SSL_AL_FLAG_LOG_WITHOUT_CERT)
        return;

    jb_set_bool(js, "session_resumed", true);
}
136 
/* Emit the server certificate fingerprint as "fingerprint", if known. */
static void JsonTlsLogFingerprint(JsonBuilder *js, SSLState *ssl_state)
{
    const char *fp = ssl_state->server_connp.cert0_fingerprint;
    if (fp == NULL)
        return;
    jb_set_string(js, "fingerprint", fp);
}
144 
/* Emit the client-supplied Server Name Indication as "sni", if present.
 * Note this comes from the client side of the state (client_connp). */
static void JsonTlsLogSni(JsonBuilder *js, SSLState *ssl_state)
{
    const char *sni = ssl_state->client_connp.sni;
    if (sni == NULL)
        return;
    jb_set_string(js, "sni", sni);
}
152 
/* Emit the server certificate serial number as "serial", if known. */
static void JsonTlsLogSerial(JsonBuilder *js, SSLState *ssl_state)
{
    const char *serial = ssl_state->server_connp.cert0_serial;
    if (serial == NULL)
        return;
    jb_set_string(js, "serial", serial);
}
160 
/* Emit the protocol version recorded on the server side as "version".
 *
 * SSLVersionToString() receives no buffer length; this relies on it writing
 * at most SSL_VERSION_MAX_STRLEN bytes including the terminator. */
static void JsonTlsLogVersion(JsonBuilder *js, SSLState *ssl_state)
{
    char version_str[SSL_VERSION_MAX_STRLEN];

    SSLVersionToString(ssl_state->server_connp.version, version_str);
    jb_set_string(js, "version", version_str);
}
167 
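/* Format a certificate validity timestamp as a UTC ISO-8601 string and emit
 * it under 'key'. A zero timestamp is treated as "not set" and produces no
 * output (presumably so an unset value is never logged as the epoch).
 *
 * Shared by the notBefore/notAfter emitters below, which previously carried
 * two identical copies of this conversion. */
static void JsonTlsLogCertTime(JsonBuilder *js, const char *key, time_t when)
{
    if (when == 0)
        return;

    struct timeval tv = { .tv_sec = when, .tv_usec = 0 };
    char timebuf[64];
    CreateUtcIsoTimeString(&tv, timebuf, sizeof(timebuf));
    jb_set_string(js, key, timebuf);
}

/* Emit the server certificate's notBefore as "notbefore" (UTC ISO-8601). */
static void JsonTlsLogNotBefore(JsonBuilder *js, SSLState *ssl_state)
{
    JsonTlsLogCertTime(js, "notbefore", ssl_state->server_connp.cert0_not_before);
}

/* Emit the server certificate's notAfter as "notafter" (UTC ISO-8601). */
static void JsonTlsLogNotAfter(JsonBuilder *js, SSLState *ssl_state)
{
    JsonTlsLogCertTime(js, "notafter", ssl_state->server_connp.cert0_not_after);
}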
191 
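/* Emit the JA3-style fingerprint of one side as an object named 'key':
 *   { "hash": <md5 hex>, "string": <raw fingerprint string> }
 * Each member is written only when present; the object itself is omitted
 * when neither is available, so a disabled or not-yet-computed fingerprint
 * leaves no trace in the record.
 *
 * Replaces six near-identical functions that differed only in whether they
 * read client_connp ("ja3") or server_connp ("ja3s"). */
static void JsonTlsLogJa3Object(JsonBuilder *js, const char *key, const SSLStateConnp *connp)
{
    const bool have_hash = connp->ja3_hash != NULL;
    const bool have_str = connp->ja3_str != NULL && connp->ja3_str->data != NULL;

    if (!have_hash && !have_str)
        return;

    jb_open_object(js, key);
    if (have_hash)
        jb_set_string(js, "hash", connp->ja3_hash);
    if (have_str)
        jb_set_string(js, "string", connp->ja3_str->data);
    jb_close(js);
}

/* Client fingerprint: "ja3" built from the ClientHello (client_connp). */
static void JsonTlsLogJa3(JsonBuilder *js, SSLState *ssl_state)
{
    JsonTlsLogJa3Object(js, "ja3", &ssl_state->client_connp);
}

/* Server fingerprint: "ja3s" built from the ServerHello (server_connp). */
static void JsonTlsLogJa3S(JsonBuilder *js, SSLState *ssl_state)
{
    JsonTlsLogJa3Object(js, "ja3s", &ssl_state->server_connp);
}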
253 
/* Emit the first certificate in the captured list of 'connp' as base64 DER
 * under "certificate" (the "top" certificate in the config warning's
 * wording). Nothing is written when no certificate was captured. */
static void JsonTlsLogCertificate(JsonBuilder *js, SSLStateConnp *connp)
{
    /* TAILQ_FIRST() is NULL exactly when TAILQ_EMPTY() holds, so one
       check covers both. */
    SSLCertsChain *first = TAILQ_FIRST(&connp->certs);
    if (first == NULL)
        return;

    jb_set_base64(js, "certificate", first->cert_data, first->cert_len);
}
267 
/* Emit every captured certificate of 'connp', in list order, as a "chain"
 * array of base64 DER blobs. The array is omitted entirely when the list
 * is empty (no empty "chain": [] is written). */
static void JsonTlsLogChain(JsonBuilder *js, SSLStateConnp *connp)
{
    if (TAILQ_EMPTY(&connp->certs))
        return;

    jb_open_array(js, "chain");
    SSLCertsChain *link;
    TAILQ_FOREACH (link, &connp->certs, next) {
        jb_append_base64(js, link->cert_data, link->cert_len);
    }
    jb_close(js);
}
283 
/* True when a certificate was parsed on this side: either a subject or an
 * issuer DN is stored. Used to decide whether to open a "client" object. */
static bool HasClientCert(SSLStateConnp *connp)
{
    return connp->cert0_subject != NULL || connp->cert0_issuerdn != NULL;
}
290 
/* Emit a certificate validity timestamp of the client side under 'key' as
 * UTC ISO-8601; a zero value is treated as unset and skipped. */
static void ClientCertTimeField(JsonBuilder *js, const char *key, time_t when)
{
    if (when == 0)
        return;

    struct timeval tv = { .tv_sec = when, .tv_usec = 0 };
    char timebuf[64];
    CreateUtcIsoTimeString(&tv, timebuf, sizeof(timebuf));
    jb_set_string(js, key, timebuf);
}

/* Fill the (already opened) "client" object with the client certificate's
 * metadata: subject, issuerdn, fingerprint, serial, notbefore, notafter —
 * each only when known — followed by the raw DER "certificate" and/or
 * "chain" when the respective flag is set. The caller opens and closes the
 * object.
 *
 * NOTE(review): a client certificate usually identifies a specific user or
 * device, so enabling these fields writes identifying data into EVE logs;
 * worth calling out in deployment guidance. */
static void JsonTlsLogClientCert(
        JsonBuilder *js, SSLStateConnp *connp, const bool log_cert, const bool log_chain)
{
    /* Emission order matters for byte-identical output: keep as listed. */
    const struct {
        const char *key;
        const char *value;
    } text_fields[] = {
        { "subject", connp->cert0_subject },
        { "issuerdn", connp->cert0_issuerdn },
        { "fingerprint", connp->cert0_fingerprint },
        { "serial", connp->cert0_serial },
    };
    for (size_t i = 0; i < sizeof(text_fields) / sizeof(text_fields[0]); i++) {
        if (text_fields[i].value != NULL)
            jb_set_string(js, text_fields[i].key, text_fields[i].value);
    }

    ClientCertTimeField(js, "notbefore", connp->cert0_not_before);
    ClientCertTimeField(js, "notafter", connp->cert0_not_after);

    if (log_cert)
        JsonTlsLogCertificate(js, connp);
    if (log_chain)
        JsonTlsLogChain(js, connp);
}
330 
/* Emit the minimal TLS record: "subject", "issuerdn" and, when applicable,
 * "session_resumed". Exported (non-static) so other loggers can embed the
 * same basic TLS details; 'js' must already have the target object open. */
void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state)
{
    static void (*const basic_fields[])(JsonBuilder *, SSLState *) = {
        JsonTlsLogSubject,
        JsonTlsLogIssuer,
        JsonTlsLogSessionResumed,
    };

    for (size_t i = 0; i < sizeof(basic_fields) / sizeof(basic_fields[0]); i++) {
        basic_fields[i](js, ssl_state);
    }
}
342 
/* Emit exactly the fields selected in tls_ctx->fields (LOG_TLS_CUSTOM mode).
 *
 * Output order is fixed and independent of the order keywords appear in the
 * config. The "client" object is only opened when the client side actually
 * presented a certificate, even if 'client' was requested. */
static void JsonTlsLogJSONCustom(OutputTlsCtx *tls_ctx, JsonBuilder *js,
                                 SSLState *ssl_state)
{
    const uint64_t fields = tls_ctx->fields;

    /* Fields that read the whole SSLState, in emission order. */
    static const struct {
        uint64_t flag;
        void (*emit)(JsonBuilder *, SSLState *);
    } state_fields[] = {
        { LOG_TLS_FIELD_SUBJECT, JsonTlsLogSubject },
        { LOG_TLS_FIELD_ISSUER, JsonTlsLogIssuer },
        { LOG_TLS_FIELD_SESSION_RESUMED, JsonTlsLogSessionResumed },
        { LOG_TLS_FIELD_SERIAL, JsonTlsLogSerial },
        { LOG_TLS_FIELD_FINGERPRINT, JsonTlsLogFingerprint },
        { LOG_TLS_FIELD_SNI, JsonTlsLogSni },
        { LOG_TLS_FIELD_VERSION, JsonTlsLogVersion },
        { LOG_TLS_FIELD_NOTBEFORE, JsonTlsLogNotBefore },
        { LOG_TLS_FIELD_NOTAFTER, JsonTlsLogNotAfter },
    };
    for (size_t i = 0; i < sizeof(state_fields) / sizeof(state_fields[0]); i++) {
        if (fields & state_fields[i].flag)
            state_fields[i].emit(js, ssl_state);
    }

    /* Raw server certificate data is read from the server connp. */
    if (fields & LOG_TLS_FIELD_CERTIFICATE)
        JsonTlsLogCertificate(js, &ssl_state->server_connp);
    if (fields & LOG_TLS_FIELD_CHAIN)
        JsonTlsLogChain(js, &ssl_state->server_connp);

    if (fields & LOG_TLS_FIELD_JA3)
        JsonTlsLogJa3(js, ssl_state);
    if (fields & LOG_TLS_FIELD_JA3S)
        JsonTlsLogJa3S(js, ssl_state);

    if ((fields & LOG_TLS_FIELD_CLIENT) == 0)
        return;
    if (!HasClientCert(&ssl_state->client_connp))
        return;

    jb_open_object(js, "client");
    JsonTlsLogClientCert(js, &ssl_state->client_connp,
            (fields & LOG_TLS_FIELD_CLIENT_CERT) != 0,
            (fields & LOG_TLS_FIELD_CLIENT_CHAIN) != 0);
    jb_close(js);
}
408 
/* Emit the "extended" TLS record: the basic fields plus serial, fingerprint,
 * sni, version, notbefore/notafter, ja3, ja3s and, when the client presented
 * a certificate, a "client" object with its metadata. Exported (non-static)
 * for reuse by other loggers; 'tjs' must have the target object open. */
void JsonTlsLogJSONExtended(JsonBuilder *tjs, SSLState *state)
{
    static void (*const extended_fields[])(JsonBuilder *, SSLState *) = {
        JsonTlsLogJSONBasic,
        JsonTlsLogSerial,
        JsonTlsLogFingerprint,
        JsonTlsLogSni,
        JsonTlsLogVersion,
        JsonTlsLogNotBefore,
        JsonTlsLogNotAfter,
        JsonTlsLogJa3,
        JsonTlsLogJa3S,
    };

    for (size_t i = 0; i < sizeof(extended_fields) / sizeof(extended_fields[0]); i++) {
        extended_fields[i](tjs, state);
    }

    if (!HasClientCert(&state->client_connp))
        return;

    jb_open_object(tjs, "client");
    /* Raw client certificate bytes are never part of extended output; they
       require the custom 'client_certificate' / 'client_chain' fields. */
    JsonTlsLogClientCert(tjs, &state->client_connp, false, false);
    jb_close(tjs);
}
443 
/* Transaction logger callback for the eve-log "tls" event.
 *
 * Decides whether this flow deserves a TLS record, then emits it in the
 * configured mode (custom / extended / basic) inside a "tls" object of a
 * standard EVE header. 'tv', 'txptr' and 'tx_id' are unused here. Always
 * returns 0; the return value is not used to signal failure. */
static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p,
        Flow *f, void *state, void *txptr, uint64_t tx_id)
{
    JsonTlsLogThread *aft = (JsonTlsLogThread *)thread_data;
    OutputTlsCtx *tls_ctx = aft->tlslog_ctx;

    SSLState *ssl_state = (SSLState *)state;
    if (unlikely(ssl_state == NULL)) {
        return 0;
    }

    /* Logging gate. A record is produced only if at least one holds:
     *   - both issuer and subject of the server certificate are known, or
     *   - the session was resumed AND 'session-resumption' logging is on, or
     *   - the parser flagged the flow as loggable without a certificate
     *     (SSL_AL_FLAG_LOG_WITHOUT_CERT).
     * Everything else (e.g. a handshake that never produced a certificate
     * and was not a resumption) is silently dropped. */
    if ((ssl_state->server_connp.cert0_issuerdn == NULL ||
         ssl_state->server_connp.cert0_subject == NULL) &&
        ((ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) == 0 ||
         (tls_ctx->flags & LOG_TLS_SESSION_RESUMPTION) == 0) &&
        ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) {
        return 0;
    }

    JsonBuilder *js = CreateEveHeader(p, LOG_DIR_FLOW, "tls", NULL, aft->tlslog_ctx->eve_ctx);
    if (unlikely(js == NULL)) {
        return 0;
    }

    jb_open_object(js, "tls");

    /* log custom fields */
    if (tls_ctx->flags & LOG_TLS_CUSTOM) {
        JsonTlsLogJSONCustom(tls_ctx, js, ssl_state);
    }
    /* log extended */
    else if (tls_ctx->flags & LOG_TLS_EXTENDED) {
        JsonTlsLogJSONExtended(js, ssl_state);
    }
    /* log basic */
    else {
        JsonTlsLogJSONBasic(js, ssl_state);
    }

    /* print original application level protocol when it have been changed
       because of STARTTLS, HTTP CONNECT, or similar. */
    if (f->alproto_orig != ALPROTO_UNKNOWN) {
        jb_set_string(js, "from_proto",
        /* NOTE(review): the value argument line is absent from this rendered
           copy; the file's symbol index lists AppLayerGetProtoName(). */
    }

    /* Close the tls object. */
    jb_close(js);

    /* Return value of the buffered write is not checked (best effort). */
    OutputJsonBuilderBuffer(js, aft->ctx);
    jb_free(js);

    return 0;
}
498 
/* Per-thread setup: allocate the thread state, bind it to the module's
 * OutputTlsCtx (passed via 'initdata' as an OutputCtx) and create the
 * per-thread EVE output context. On any failure the partially built state
 * is freed and TM_ECODE_FAILED returned; '*data' is only written on success. */
static TmEcode JsonTlsLogThreadInit(ThreadVars *t, const void *initdata, void **data)
{
    JsonTlsLogThread *thread = SCCalloc(1, sizeof(*thread));
    if (unlikely(thread == NULL))
        return TM_ECODE_FAILED;

    const OutputCtx *output_ctx = initdata;
    if (output_ctx == NULL) {
        SCLogDebug("Error getting context for eve-log tls 'initdata' argument NULL");
        SCFree(thread);
        return TM_ECODE_FAILED;
    }

    /* Shared (read-only here) module context: mode flags, field mask, eve ctx. */
    thread->tlslog_ctx = output_ctx->data;

    thread->ctx = CreateEveThreadCtx(t, thread->tlslog_ctx->eve_ctx);
    if (thread->ctx == NULL) {
        SCFree(thread);
        return TM_ECODE_FAILED;
    }

    *data = thread;
    return TM_ECODE_OK;
}
525 
/* Per-thread teardown: release the EVE thread context and the thread state.
 * Tolerates a NULL 'data' (init may have failed). The memset before freeing
 * mirrors the original; the struct holds no secrets, it only makes
 * use-after-free more visible. */
static TmEcode JsonTlsLogThreadDeinit(ThreadVars *t, void *data)
{
    JsonTlsLogThread *thread = data;
    if (thread == NULL)
        return TM_ECODE_OK;

    FreeEveThreadCtx(thread->ctx);
    memset(thread, 0, sizeof(*thread));
    SCFree(thread);

    return TM_ECODE_OK;
}
541 
/* Build the TLS output context from the eve-log.tls config node.
 *
 * Only 'flags' and 'fields' are initialised here; 'eve_ctx' is filled in by
 * the caller (OutputTlsLogInitSub). A NULL 'conf' yields the default
 * (basic) mode with nothing else set. Returns NULL only on allocation
 * failure; config problems are reported as warnings, never as errors. */
static OutputTlsCtx *OutputTlsInitCtx(ConfNode *conf)
{
    OutputTlsCtx *tls_ctx = SCMalloc(sizeof(OutputTlsCtx));
    if (unlikely(tls_ctx == NULL))
        return NULL;

    tls_ctx->flags = LOG_TLS_DEFAULT;
    tls_ctx->fields = 0;

    if (conf == NULL)
        return tls_ctx;

    const char *extended = ConfNodeLookupChildValue(conf, "extended");
    if (extended) {
        if (ConfValIsTrue(extended)) {
            tls_ctx->flags = LOG_TLS_EXTENDED;
        }
    }

    /* 'custom' assigns (does not OR) the mode, so it silently overrides
       'extended: yes' when both are present. */
    ConfNode *custom = ConfNodeLookupChild(conf, "custom");
    if (custom) {
        tls_ctx->flags = LOG_TLS_CUSTOM;
        ConfNode *field;
        TAILQ_FOREACH(field, &custom->head, next)
        {
            bool valid = false;
            TlsFields *valid_fields = tls_fields;
            /* Case-insensitive lookup in the NULL-terminated tls_fields table. */
            for ( ; valid_fields->name != NULL; valid_fields++) {
                if (strcasecmp(field->val, valid_fields->name) == 0) {
                    tls_ctx->fields |= valid_fields->flag;
                    SCLogDebug("enabled %s", field->val);
                    valid = true;
                    break;
                }
            }
            /* A misspelled keyword only warns; startup continues without it. */
            if (!valid) {
                SCLogWarning(SC_ERR_LOG_OUTPUT, "eve.tls: unknown 'custom' field '%s'", field->val);
            }
        }
    }

    /* Opt-out: resumed sessions are logged unless explicitly disabled. */
    const char *session_resumption = ConfNodeLookupChildValue(conf, "session-resumption");
    if (session_resumption == NULL || ConfValIsTrue(session_resumption)) {
        tls_ctx->flags |= LOG_TLS_SESSION_RESUMPTION;
    }

    /* NOTE(review): both bits are cleared, but only when 'ja3' itself was
       requested; a 'ja3s'-only selection is left set. Presumably harmless,
       as the emitters only write JA3 data that is actually present. */
    if ((tls_ctx->fields & LOG_TLS_FIELD_JA3) &&
        Ja3IsDisabled("fields")) {
        /* JA3 is disabled, so don't log any JA3 fields */
        tls_ctx->fields &= ~LOG_TLS_FIELD_JA3;
        tls_ctx->fields &= ~LOG_TLS_FIELD_JA3S;
    }

    /* NOTE(review): the SCLogWarning(...) call lines are missing from this
       rendered copy; only the message strings survive. The certificate/chain
       check is repeated in OutputTlsLogInitSub(), so that warning fires twice. */
    if ((tls_ctx->fields & LOG_TLS_FIELD_CERTIFICATE) &&
        (tls_ctx->fields & LOG_TLS_FIELD_CHAIN)) {
            "Both 'certificate' and 'chain' contains the top "
            "certificate, so only one of them should be enabled "
            "at a time");
    }
    if ((tls_ctx->fields & LOG_TLS_FIELD_CLIENT_CERT) &&
        (tls_ctx->fields & LOG_TLS_FIELD_CLIENT_CHAIN)) {
            "Both 'client_certificate' and 'client_chain' contains the top "
            "certificate, so only one of them should be enabled "
            "at a time");
    }

    /* Raw client certificate data is only emitted inside the "client"
       object, so requesting it implies 'client'. */
    if ((tls_ctx->fields & LOG_TLS_FIELD_CLIENT) == 0) {
        if (tls_ctx->fields & LOG_TLS_FIELD_CLIENT_CERT) {
            SCLogConfig("enabling \"client\" as a dependency of \"client_certificate\"");
            tls_ctx->fields |= LOG_TLS_FIELD_CLIENT;
        }
        if (tls_ctx->fields & LOG_TLS_FIELD_CLIENT_CHAIN) {
            SCLogConfig("enabling \"client\" as a dependency of \"client_chain\"");
            tls_ctx->fields |= LOG_TLS_FIELD_CLIENT;
        }
    }

    return tls_ctx;
}
623 
/* Release the sub-module context created by OutputTlsLogInitSub(): the
 * OutputTlsCtx hung off 'data' and the OutputCtx wrapper itself. The shared
 * eve_ctx it points to is owned by the parent and is not freed here. */
static void OutputTlsLogDeinitSub(OutputCtx *output_ctx)
{
    SCFree(output_ctx->data);
    SCFree(output_ctx);
}
630 
/* eve-log sub-module initialiser: wraps OutputTlsInitCtx() in an OutputCtx
 * that shares the parent eve-log JSON context.
 *
 * Returns result.ok == false (ctx NULL) on any allocation failure; the
 * OutputTlsCtx is freed on that path. 'parent_ctx' is dereferenced without
 * a NULL check, so the registration framework must guarantee it. */
static OutputInitResult OutputTlsLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
{
    OutputInitResult result = { NULL, false };
    OutputJsonCtx *ojc = parent_ctx->data;

    OutputTlsCtx *tls_ctx = OutputTlsInitCtx(conf);
    if (unlikely(tls_ctx == NULL))
        return result;

    OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
    if (unlikely(output_ctx == NULL)) {
        SCFree(tls_ctx);
        return result;
    }

    /* Not set by OutputTlsInitCtx(); used by CreateEveHeader() and thread init. */
    tls_ctx->eve_ctx = ojc;

    /* NOTE(review): duplicates the check already done in OutputTlsInitCtx(),
       so the same warning is emitted twice. The SCLogWarning(...) call line
       is absent from this rendered copy; only the message strings survive. */
    if ((tls_ctx->fields & LOG_TLS_FIELD_CERTIFICATE) &&
        (tls_ctx->fields & LOG_TLS_FIELD_CHAIN)) {
            "Both 'certificate' and 'chain' contains the top "
            "certificate, so only one of them should be enabled "
            "at a time");
    }

    output_ctx->data = tls_ctx;
    output_ctx->DeInit = OutputTlsLogDeinitSub;

    /* NOTE(review): one statement is missing from this rendered copy here;
       the file's symbol index lists AppLayerParserRegisterLogger(). */

    result.ctx = output_ctx;
    result.ok = true;
    return result;
}
665 
667 {
668  /* register as child of eve-log */
669  OutputRegisterTxSubModuleWithProgress(LOGGER_JSON_TX, "eve-log", "JsonTlsLog", "eve-log.tls",
670  OutputTlsLogInitSub, ALPROTO_TLS, JsonTlsLogger, TLS_HANDSHAKE_DONE, TLS_HANDSHAKE_DONE,
671  JsonTlsLogThreadInit, JsonTlsLogThreadDeinit, NULL);
672 }