56 #define MODULE_NAME "LogTlsLog"
57 #define DEFAULT_LOG_FILENAME "tls.json"
59 #define LOG_TLS_DEFAULT 0
60 #define LOG_TLS_EXTENDED (1 << 0)
61 #define LOG_TLS_CUSTOM (1 << 1)
62 #define LOG_TLS_SESSION_RESUMPTION (1 << 2)
64 #define LOG_TLS_FIELD_VERSION (1 << 0)
65 #define LOG_TLS_FIELD_SUBJECT (1 << 1)
66 #define LOG_TLS_FIELD_ISSUER (1 << 2)
67 #define LOG_TLS_FIELD_SERIAL (1 << 3)
68 #define LOG_TLS_FIELD_FINGERPRINT (1 << 4)
69 #define LOG_TLS_FIELD_NOTBEFORE (1 << 5)
70 #define LOG_TLS_FIELD_NOTAFTER (1 << 6)
71 #define LOG_TLS_FIELD_SNI (1 << 7)
72 #define LOG_TLS_FIELD_CERTIFICATE (1 << 8)
73 #define LOG_TLS_FIELD_CHAIN (1 << 9)
74 #define LOG_TLS_FIELD_SESSION_RESUMED (1 << 10)
75 #define LOG_TLS_FIELD_JA3 (1 << 11)
76 #define LOG_TLS_FIELD_JA3S (1 << 12)
114 static void JsonTlsLogSubject(JsonBuilder *js,
SSLState *ssl_state)
117 jb_set_string(js,
"subject",
122 static void JsonTlsLogIssuer(JsonBuilder *js,
SSLState *ssl_state)
125 jb_set_string(js,
"issuerdn",
130 static void JsonTlsLogSessionResumed(JsonBuilder *js,
SSLState *ssl_state)
139 jb_set_bool(js,
"session_resumed",
true);
144 static void JsonTlsLogFingerprint(JsonBuilder *js,
SSLState *ssl_state)
147 jb_set_string(js,
"fingerprint",
152 static void JsonTlsLogSni(JsonBuilder *js,
SSLState *ssl_state)
155 jb_set_string(js,
"sni",
160 static void JsonTlsLogSerial(JsonBuilder *js,
SSLState *ssl_state)
163 jb_set_string(js,
"serial",
168 static void JsonTlsLogVersion(JsonBuilder *js,
SSLState *ssl_state)
172 jb_set_string(js,
"version", ssl_version);
175 static void JsonTlsLogNotBefore(JsonBuilder *js,
SSLState *ssl_state)
183 jb_set_string(js,
"notbefore", timebuf);
187 static void JsonTlsLogNotAfter(JsonBuilder *js,
SSLState *ssl_state)
195 jb_set_string(js,
"notafter", timebuf);
199 static void JsonTlsLogJa3Hash(JsonBuilder *js,
SSLState *ssl_state)
202 jb_set_string(js,
"hash",
207 static void JsonTlsLogJa3String(JsonBuilder *js,
SSLState *ssl_state)
211 jb_set_string(js,
"string",
216 static void JsonTlsLogJa3(JsonBuilder *js,
SSLState *ssl_state)
218 jb_open_object(js,
"ja3");
220 JsonTlsLogJa3Hash(js, ssl_state);
221 JsonTlsLogJa3String(js, ssl_state);
226 static void JsonTlsLogJa3SHash(JsonBuilder *js,
SSLState *ssl_state)
229 jb_set_string(js,
"hash",
234 static void JsonTlsLogJa3SString(JsonBuilder *js,
SSLState *ssl_state)
238 jb_set_string(js,
"string",
243 static void JsonTlsLogJa3S(JsonBuilder *js,
SSLState *ssl_state)
245 jb_open_object(js,
"ja3s");
247 JsonTlsLogJa3SHash(js, ssl_state);
248 JsonTlsLogJa3SString(js, ssl_state);
253 static void JsonTlsLogCertificate(JsonBuilder *js,
SSLState *ssl_state)
265 uint8_t encoded[
len];
268 jb_set_string(js,
"certificate", (
char *)encoded);
272 static void JsonTlsLogChain(JsonBuilder *js,
SSLState *ssl_state)
278 jb_open_array(js,
"chain");
283 uint8_t encoded[
len];
286 jb_append_string(js, (
char *)encoded);
296 JsonTlsLogSubject(js, ssl_state);
299 JsonTlsLogIssuer(js, ssl_state);
302 JsonTlsLogSessionResumed(js, ssl_state);
305 static void JsonTlsLogJSONCustom(
OutputTlsCtx *tls_ctx, JsonBuilder *js,
310 JsonTlsLogSubject(js, ssl_state);
314 JsonTlsLogIssuer(js, ssl_state);
318 JsonTlsLogSessionResumed(js, ssl_state);
322 JsonTlsLogSerial(js, ssl_state);
326 JsonTlsLogFingerprint(js, ssl_state);
330 JsonTlsLogSni(js, ssl_state);
334 JsonTlsLogVersion(js, ssl_state);
338 JsonTlsLogNotBefore(js, ssl_state);
342 JsonTlsLogNotAfter(js, ssl_state);
346 JsonTlsLogCertificate(js, ssl_state);
350 JsonTlsLogChain(js, ssl_state);
354 JsonTlsLogJa3(js, ssl_state);
358 JsonTlsLogJa3S(js, ssl_state);
366 JsonTlsLogSerial(tjs, state);
369 JsonTlsLogFingerprint(tjs, state);
372 JsonTlsLogSni(tjs, state);
375 JsonTlsLogVersion(tjs, state);
378 JsonTlsLogNotBefore(tjs, state);
381 JsonTlsLogNotAfter(tjs, state);
384 JsonTlsLogJa3(tjs, state);
387 JsonTlsLogJa3S(tjs, state);
391 Flow *f,
void *state,
void *txptr, uint64_t tx_id)
416 jb_open_object(js,
"tls");
423 JsonTlsLogJSONCustom(tls_ctx, js, ssl_state);
437 jb_set_string(js,
"from_proto",
450 static TmEcode JsonTlsLogThreadInit(
ThreadVars *t,
const void *initdata,
void **data)
457 if (initdata == NULL) {
458 SCLogDebug(
"Error getting context for eve-log tls 'initdata' argument NULL");
463 if (aft->
buffer == NULL) {
478 if (aft->
buffer != NULL) {
527 for ( ; valid_fields->
name != NULL; valid_fields++) {
528 if (strcasecmp(field->
val, valid_fields->
name) == 0) {
537 if (session_resumption == NULL ||
ConfValIsTrue(session_resumption)) {
551 "Both 'certificate' and 'chain' contains the top "
552 "certificate, so only one of them should be enabled "
559 static void OutputTlsLogDeinitSub(
OutputCtx *output_ctx)
587 "Both 'certificate' and 'chain' contains the top "
588 "certificate, so only one of them should be enabled "
592 output_ctx->
data = tls_ctx;
593 output_ctx->
DeInit = OutputTlsLogDeinitSub;
597 result.
ctx = output_ctx;
606 "JsonTlsLog",
"eve-log.tls", OutputTlsLogInitSub,
ALPROTO_TLS,
608 JsonTlsLogThreadInit, JsonTlsLogThreadDeinit, NULL);