suricata
output-json-tls.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2012 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Implements TLS JSON logging portion of the engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "detect.h"
29 #include "pkt-var.h"
30 #include "conf.h"
31 
32 #include "threads.h"
33 #include "threadvars.h"
34 #include "tm-threads.h"
35 
36 #include "util-print.h"
37 #include "util-unittest.h"
38 
39 #include "util-debug.h"
40 #include "app-layer-parser.h"
41 #include "output.h"
42 #include "app-layer-ssl.h"
43 #include "app-layer.h"
44 #include "util-privs.h"
45 #include "util-buffer.h"
46 
47 #include "util-logopenfile.h"
48 #include "util-crypt.h"
49 #include "util-ja3.h"
50 
51 #include "output-json.h"
52 #include "output-json-tls.h"
53 
54 #ifdef HAVE_LIBJANSSON
55 
56 SC_ATOMIC_DECLARE(unsigned int, cert_id);
57 
58 #define MODULE_NAME "LogTlsLog"
59 #define DEFAULT_LOG_FILENAME "tls.json"
60 
61 #define OUTPUT_BUFFER_SIZE 65535
62 
63 #define LOG_TLS_DEFAULT 0
64 #define LOG_TLS_EXTENDED (1 << 0)
65 #define LOG_TLS_CUSTOM (1 << 1)
66 #define LOG_TLS_SESSION_RESUMPTION (1 << 2)
67 
68 #define LOG_TLS_FIELD_VERSION (1 << 0)
69 #define LOG_TLS_FIELD_SUBJECT (1 << 1)
70 #define LOG_TLS_FIELD_ISSUER (1 << 2)
71 #define LOG_TLS_FIELD_SERIAL (1 << 3)
72 #define LOG_TLS_FIELD_FINGERPRINT (1 << 4)
73 #define LOG_TLS_FIELD_NOTBEFORE (1 << 5)
74 #define LOG_TLS_FIELD_NOTAFTER (1 << 6)
75 #define LOG_TLS_FIELD_SNI (1 << 7)
76 #define LOG_TLS_FIELD_CERTIFICATE (1 << 8)
77 #define LOG_TLS_FIELD_CHAIN (1 << 9)
78 #define LOG_TLS_FIELD_SESSION_RESUMED (1 << 10)
79 #define LOG_TLS_FIELD_JA3 (1 << 11)
80 
81 typedef struct {
82  const char *name;
83  uint64_t flag;
84 } TlsFields;
85 
86 TlsFields tls_fields[] = {
87  { "version", LOG_TLS_FIELD_VERSION },
88  { "subject", LOG_TLS_FIELD_SUBJECT },
89  { "issuer", LOG_TLS_FIELD_ISSUER },
90  { "serial", LOG_TLS_FIELD_SERIAL },
91  { "fingerprint", LOG_TLS_FIELD_FINGERPRINT },
92  { "not_before", LOG_TLS_FIELD_NOTBEFORE },
93  { "not_after", LOG_TLS_FIELD_NOTAFTER },
94  { "sni", LOG_TLS_FIELD_SNI },
95  { "certificate", LOG_TLS_FIELD_CERTIFICATE },
96  { "chain", LOG_TLS_FIELD_CHAIN },
97  { "session_resumed", LOG_TLS_FIELD_SESSION_RESUMED },
98  { "ja3", LOG_TLS_FIELD_JA3 },
99  { NULL, -1 }
100 };
101 
102 typedef struct OutputTlsCtx_ {
103  LogFileCtx *file_ctx;
104  uint32_t flags; /** Store mode */
105  uint64_t fields; /** Store fields */
106  OutputJsonCommonSettings cfg;
107 } OutputTlsCtx;
108 
109 
110 typedef struct JsonTlsLogThread_ {
111  OutputTlsCtx *tlslog_ctx;
112  MemBuffer *buffer;
113 } JsonTlsLogThread;
114 
115 static void JsonTlsLogSubject(json_t *js, SSLState *ssl_state)
116 {
117  if (ssl_state->server_connp.cert0_subject) {
118  json_object_set_new(js, "subject",
119  SCJsonString(ssl_state->server_connp.cert0_subject));
120  }
121 }
122 
123 static void JsonTlsLogIssuer(json_t *js, SSLState *ssl_state)
124 {
125  if (ssl_state->server_connp.cert0_issuerdn) {
126  json_object_set_new(js, "issuerdn",
127  SCJsonString(ssl_state->server_connp.cert0_issuerdn));
128  }
129 }
130 
131 static void JsonTlsLogSessionResumed(json_t *js, SSLState *ssl_state)
132 {
133  if (ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) {
134  /* Only log a session as 'resumed' if a certificate has not
135  been seen, and the session is not TLSv1.3 or later. */
136  if ((ssl_state->server_connp.cert0_issuerdn == NULL &&
137  ssl_state->server_connp.cert0_subject == NULL) &&
138  (ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) &&
139  ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) {
140  json_object_set_new(js, "session_resumed", json_boolean(true));
141  }
142  }
143 }
144 
145 static void JsonTlsLogFingerprint(json_t *js, SSLState *ssl_state)
146 {
147  if (ssl_state->server_connp.cert0_fingerprint) {
148  json_object_set_new(js, "fingerprint",
149  SCJsonString(ssl_state->server_connp.cert0_fingerprint));
150  }
151 }
152 
153 static void JsonTlsLogSni(json_t *js, SSLState *ssl_state)
154 {
155  if (ssl_state->client_connp.sni) {
156  json_object_set_new(js, "sni",
157  SCJsonString(ssl_state->client_connp.sni));
158  }
159 }
160 
161 static void JsonTlsLogSerial(json_t *js, SSLState *ssl_state)
162 {
163  if (ssl_state->server_connp.cert0_serial) {
164  json_object_set_new(js, "serial",
165  SCJsonString(ssl_state->server_connp.cert0_serial));
166  }
167 }
168 
169 static void JsonTlsLogVersion(json_t *js, SSLState *ssl_state)
170 {
171  char ssl_version[SSL_VERSION_MAX_STRLEN];
172  SSLVersionToString(ssl_state->server_connp.version, ssl_version);
173  json_object_set_new(js, "version", json_string(ssl_version));
174 }
175 
176 static void JsonTlsLogNotBefore(json_t *js, SSLState *ssl_state)
177 {
178  if (ssl_state->server_connp.cert0_not_before != 0) {
179  char timebuf[64];
180  struct timeval tv;
181  tv.tv_sec = ssl_state->server_connp.cert0_not_before;
182  tv.tv_usec = 0;
183  CreateUtcIsoTimeString(&tv, timebuf, sizeof(timebuf));
184  json_object_set_new(js, "notbefore", json_string(timebuf));
185  }
186 }
187 
188 static void JsonTlsLogNotAfter(json_t *js, SSLState *ssl_state)
189 {
190  if (ssl_state->server_connp.cert0_not_after != 0) {
191  char timebuf[64];
192  struct timeval tv;
193  tv.tv_sec = ssl_state->server_connp.cert0_not_after;
194  tv.tv_usec = 0;
195  CreateUtcIsoTimeString(&tv, timebuf, sizeof(timebuf));
196  json_object_set_new(js, "notafter", json_string(timebuf));
197  }
198 }
199 
200 static void JsonTlsLogJa3Hash(json_t *js, SSLState *ssl_state)
201 {
202  if (ssl_state->ja3_hash != NULL) {
203  json_object_set_new(js, "hash", json_string(ssl_state->ja3_hash));
204  }
205 }
206 
207 static void JsonTlsLogJa3String(json_t *js, SSLState *ssl_state)
208 {
209  if ((ssl_state->ja3_str != NULL) &&
210  ssl_state->ja3_str->data != NULL) {
211  json_object_set_new(js, "string",
212  json_string(ssl_state->ja3_str->data));
213  }
214 }
215 
216 static void JsonTlsLogJa3(json_t *js, SSLState *ssl_state)
217 {
218  json_t *tjs = json_object();
219  if (unlikely(tjs == NULL))
220  return;
221 
222  JsonTlsLogJa3Hash(tjs, ssl_state);
223  JsonTlsLogJa3String(tjs, ssl_state);
224 
225  json_object_set_new(js, "ja3", tjs);
226 }
227 
228 static void JsonTlsLogCertificate(json_t *js, SSLState *ssl_state)
229 {
230  if (TAILQ_EMPTY(&ssl_state->server_connp.certs)) {
231  return;
232  }
233 
234  SSLCertsChain *cert = TAILQ_FIRST(&ssl_state->server_connp.certs);
235  if (cert == NULL) {
236  return;
237  }
238 
239  unsigned long len = cert->cert_len * 2;
240  uint8_t encoded[len];
241  if (Base64Encode(cert->cert_data, cert->cert_len, encoded, &len) ==
242  SC_BASE64_OK) {
243  json_object_set_new(js, "certificate", json_string((char *)encoded));
244  }
245 }
246 
247 static void JsonTlsLogChain(json_t *js, SSLState *ssl_state)
248 {
249  if (TAILQ_EMPTY(&ssl_state->server_connp.certs)) {
250  return;
251  }
252 
253  json_t *chain = json_array();
254  if (chain == NULL) {
255  return;
256  }
257 
258  SSLCertsChain *cert;
259  TAILQ_FOREACH(cert, &ssl_state->server_connp.certs, next) {
260  unsigned long len = cert->cert_len * 2;
261  uint8_t encoded[len];
262  if (Base64Encode(cert->cert_data, cert->cert_len, encoded, &len) ==
263  SC_BASE64_OK) {
264  json_array_append_new(chain, json_string((char *)encoded));
265  }
266  }
267 
268  json_object_set_new(js, "chain", chain);
269 }
270 
271 void JsonTlsLogJSONBasic(json_t *js, SSLState *ssl_state)
272 {
273  /* tls subject */
274  JsonTlsLogSubject(js, ssl_state);
275 
276  /* tls issuerdn */
277  JsonTlsLogIssuer(js, ssl_state);
278 
279  /* tls session resumption */
280  JsonTlsLogSessionResumed(js, ssl_state);
281 }
282 
283 static void JsonTlsLogJSONCustom(OutputTlsCtx *tls_ctx, json_t *js,
284  SSLState *ssl_state)
285 {
286  /* tls subject */
287  if (tls_ctx->fields & LOG_TLS_FIELD_SUBJECT)
288  JsonTlsLogSubject(js, ssl_state);
289 
290  /* tls issuerdn */
291  if (tls_ctx->fields & LOG_TLS_FIELD_ISSUER)
292  JsonTlsLogIssuer(js, ssl_state);
293 
294  /* tls session resumption */
295  if (tls_ctx->fields & LOG_TLS_FIELD_SESSION_RESUMED)
296  JsonTlsLogSessionResumed(js, ssl_state);
297 
298  /* tls serial */
299  if (tls_ctx->fields & LOG_TLS_FIELD_SERIAL)
300  JsonTlsLogSerial(js, ssl_state);
301 
302  /* tls fingerprint */
303  if (tls_ctx->fields & LOG_TLS_FIELD_FINGERPRINT)
304  JsonTlsLogFingerprint(js, ssl_state);
305 
306  /* tls sni */
307  if (tls_ctx->fields & LOG_TLS_FIELD_SNI)
308  JsonTlsLogSni(js, ssl_state);
309 
310  /* tls version */
311  if (tls_ctx->fields & LOG_TLS_FIELD_VERSION)
312  JsonTlsLogVersion(js, ssl_state);
313 
314  /* tls notbefore */
315  if (tls_ctx->fields & LOG_TLS_FIELD_NOTBEFORE)
316  JsonTlsLogNotBefore(js, ssl_state);
317 
318  /* tls notafter */
319  if (tls_ctx->fields & LOG_TLS_FIELD_NOTAFTER)
320  JsonTlsLogNotAfter(js, ssl_state);
321 
322  /* tls certificate */
323  if (tls_ctx->fields & LOG_TLS_FIELD_CERTIFICATE)
324  JsonTlsLogCertificate(js, ssl_state);
325 
326  /* tls chain */
327  if (tls_ctx->fields & LOG_TLS_FIELD_CHAIN)
328  JsonTlsLogChain(js, ssl_state);
329 
330  /* tls ja3_hash */
331  if (tls_ctx->fields & LOG_TLS_FIELD_JA3)
332  JsonTlsLogJa3(js, ssl_state);
333 }
334 
335 void JsonTlsLogJSONExtended(json_t *tjs, SSLState * state)
336 {
337  JsonTlsLogJSONBasic(tjs, state);
338 
339  /* tls serial */
340  JsonTlsLogSerial(tjs, state);
341 
342  /* tls fingerprint */
343  JsonTlsLogFingerprint(tjs, state);
344 
345  /* tls sni */
346  JsonTlsLogSni(tjs, state);
347 
348  /* tls version */
349  JsonTlsLogVersion(tjs, state);
350 
351  /* tls notbefore */
352  JsonTlsLogNotBefore(tjs, state);
353 
354  /* tls notafter */
355  JsonTlsLogNotAfter(tjs, state);
356 
357  /* tls ja3 */
358  JsonTlsLogJa3(tjs, state);
359 }
360 
361 static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p,
362  Flow *f, void *state, void *txptr, uint64_t tx_id)
363 {
364  JsonTlsLogThread *aft = (JsonTlsLogThread *)thread_data;
365  OutputTlsCtx *tls_ctx = aft->tlslog_ctx;
366 
367  SSLState *ssl_state = (SSLState *)state;
368  if (unlikely(ssl_state == NULL)) {
369  return 0;
370  }
371 
372  if ((ssl_state->server_connp.cert0_issuerdn == NULL ||
373  ssl_state->server_connp.cert0_subject == NULL) &&
374  ((ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) == 0 ||
375  (tls_ctx->flags & LOG_TLS_SESSION_RESUMPTION) == 0) &&
376  ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) {
377  return 0;
378  }
379 
380  json_t *js = CreateJSONHeader(p, LOG_DIR_FLOW, "tls");
381  if (unlikely(js == NULL)) {
382  return 0;
383  }
384 
385  JsonAddCommonOptions(&tls_ctx->cfg, p, f, js);
386 
387  json_t *tjs = json_object();
388  if (tjs == NULL) {
389  free(js);
390  return 0;
391  }
392 
393  /* reset */
394  MemBufferReset(aft->buffer);
395 
396  /* log custom fields */
397  if (tls_ctx->flags & LOG_TLS_CUSTOM) {
398  JsonTlsLogJSONCustom(tls_ctx, tjs, ssl_state);
399  }
400  /* log extended */
401  else if (tls_ctx->flags & LOG_TLS_EXTENDED) {
402  JsonTlsLogJSONExtended(tjs, ssl_state);
403  }
404  /* log basic */
405  else {
406  JsonTlsLogJSONBasic(tjs, ssl_state);
407  }
408 
409  /* print original application level protocol when it have been changed
410  because of STARTTLS, HTTP CONNECT, or similar. */
411  if (f->alproto_orig != ALPROTO_UNKNOWN) {
412  json_object_set_new(tjs, "from_proto",
413  json_string(AppLayerGetProtoName(f->alproto_orig)));
414  }
415 
416  json_object_set_new(js, "tls", tjs);
417 
418  OutputJSONBuffer(js, tls_ctx->file_ctx, &aft->buffer);
419  json_object_clear(js);
420  json_decref(js);
421 
422  return 0;
423 }
424 
425 static TmEcode JsonTlsLogThreadInit(ThreadVars *t, const void *initdata, void **data)
426 {
427  JsonTlsLogThread *aft = SCMalloc(sizeof(JsonTlsLogThread));
428  if (unlikely(aft == NULL)) {
429  return TM_ECODE_FAILED;
430  }
431 
432  memset(aft, 0, sizeof(JsonTlsLogThread));
433 
434  if (initdata == NULL) {
435  SCLogDebug("Error getting context for eve-log tls 'initdata' argument NULL");
436  SCFree(aft);
437  return TM_ECODE_FAILED;
438  }
439 
440  /* use the Output Context (file pointer and mutex) */
441  aft->tlslog_ctx = ((OutputCtx *)initdata)->data;
442 
443  aft->buffer = MemBufferCreateNew(OUTPUT_BUFFER_SIZE);
444  if (aft->buffer == NULL) {
445  SCFree(aft);
446  return TM_ECODE_FAILED;
447  }
448 
449  *data = (void *)aft;
450  return TM_ECODE_OK;
451 }
452 
453 static TmEcode JsonTlsLogThreadDeinit(ThreadVars *t, void *data)
454 {
455  JsonTlsLogThread *aft = (JsonTlsLogThread *)data;
456  if (aft == NULL) {
457  return TM_ECODE_OK;
458  }
459 
460  MemBufferFree(aft->buffer);
461 
462  /* clear memory */
463  memset(aft, 0, sizeof(JsonTlsLogThread));
464 
465  SCFree(aft);
466  return TM_ECODE_OK;
467 }
468 
469 static void OutputTlsLogDeinit(OutputCtx *output_ctx)
470 {
471  OutputTlsCtx *tls_ctx = output_ctx->data;
472  LogFileCtx *logfile_ctx = tls_ctx->file_ctx;
473  LogFileFreeCtx(logfile_ctx);
474  SCFree(tls_ctx);
475  SCFree(output_ctx);
476 }
477 
478 static OutputTlsCtx *OutputTlsInitCtx(ConfNode *conf)
479 {
480  OutputTlsCtx *tls_ctx = SCMalloc(sizeof(OutputTlsCtx));
481  if (unlikely(tls_ctx == NULL))
482  return NULL;
483 
484  tls_ctx->flags = LOG_TLS_DEFAULT;
485  tls_ctx->fields = 0;
486 
487  if (conf == NULL)
488  return tls_ctx;
489 
490  const char *extended = ConfNodeLookupChildValue(conf, "extended");
491  if (extended) {
492  if (ConfValIsTrue(extended)) {
493  tls_ctx->flags = LOG_TLS_EXTENDED;
494  }
495  }
496 
497  ConfNode *custom = ConfNodeLookupChild(conf, "custom");
498  if (custom) {
499  tls_ctx->flags = LOG_TLS_CUSTOM;
500  ConfNode *field;
501  TAILQ_FOREACH(field, &custom->head, next)
502  {
503  TlsFields *valid_fields = tls_fields;
504  for ( ; valid_fields->name != NULL; valid_fields++) {
505  if (strcasecmp(field->val, valid_fields->name) == 0) {
506  tls_ctx->fields |= valid_fields->flag;
507  break;
508  }
509  }
510  }
511  }
512 
513  const char *session_resumption = ConfNodeLookupChildValue(conf, "session-resumption");
514  if (session_resumption == NULL || ConfValIsTrue(session_resumption)) {
515  tls_ctx->flags |= LOG_TLS_SESSION_RESUMPTION;
516  }
517 
518  if ((tls_ctx->fields & LOG_TLS_FIELD_JA3) &&
519  Ja3IsDisabled("fields")) {
520  /* JA3 is disabled, so don't log any JA3 fields */
521  tls_ctx->fields &= ~LOG_TLS_FIELD_JA3;
522  }
523 
524  if ((tls_ctx->fields & LOG_TLS_FIELD_CERTIFICATE) &&
525  (tls_ctx->fields & LOG_TLS_FIELD_CHAIN)) {
527  "Both 'certificate' and 'chain' contains the top "
528  "certificate, so only one of them should be enabled "
529  "at a time");
530  }
531 
532  return tls_ctx;
533 }
534 
535 static OutputInitResult OutputTlsLogInit(ConfNode *conf)
536 {
537  OutputInitResult result = { NULL, false };
538  LogFileCtx *file_ctx = LogFileNewCtx();
539  if (file_ctx == NULL) {
540  SCLogError(SC_ERR_TLS_LOG_GENERIC, "couldn't create new file_ctx");
541  return result;
542  }
543 
544  if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
545  LogFileFreeCtx(file_ctx);
546  return result;
547  }
548 
549  OutputTlsCtx *tls_ctx = OutputTlsInitCtx(conf);
550  if (unlikely(tls_ctx == NULL)) {
551  LogFileFreeCtx(file_ctx);
552  return result;
553  }
554 
555  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
556  if (unlikely(output_ctx == NULL)) {
557  LogFileFreeCtx(file_ctx);
558  SCFree(tls_ctx);
559  return result;
560  }
561 
562  tls_ctx->file_ctx = file_ctx;
563 
564  output_ctx->data = tls_ctx;
565  output_ctx->DeInit = OutputTlsLogDeinit;
566 
568 
569  result.ctx = output_ctx;
570  result.ok = true;
571  return result;
572 }
573 
574 static void OutputTlsLogDeinitSub(OutputCtx *output_ctx)
575 {
576  OutputTlsCtx *tls_ctx = output_ctx->data;
577  SCFree(tls_ctx);
578  SCFree(output_ctx);
579 }
580 
581 static OutputInitResult OutputTlsLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
582 {
583  OutputInitResult result = { NULL, false };
584  OutputJsonCtx *ojc = parent_ctx->data;
585 
586  OutputTlsCtx *tls_ctx = OutputTlsInitCtx(conf);
587  if (unlikely(tls_ctx == NULL))
588  return result;
589 
590  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
591  if (unlikely(output_ctx == NULL)) {
592  SCFree(tls_ctx);
593  return result;
594  }
595 
596  tls_ctx->file_ctx = ojc->file_ctx;
597  tls_ctx->cfg = ojc->cfg;
598 
599  if ((tls_ctx->fields & LOG_TLS_FIELD_CERTIFICATE) &&
600  (tls_ctx->fields & LOG_TLS_FIELD_CHAIN)) {
602  "Both 'certificate' and 'chain' contains the top "
603  "certificate, so only one of them should be enabled "
604  "at a time");
605  }
606 
607  output_ctx->data = tls_ctx;
608  output_ctx->DeInit = OutputTlsLogDeinitSub;
609 
611 
612  result.ctx = output_ctx;
613  result.ok = true;
614  return result;
615 }
616 
617 void JsonTlsLogRegister (void)
618 {
619  /* register as separate module */
621  "tls-json-log", OutputTlsLogInit, ALPROTO_TLS, JsonTlsLogger,
622  TLS_HANDSHAKE_DONE, TLS_HANDSHAKE_DONE, JsonTlsLogThreadInit,
623  JsonTlsLogThreadDeinit, NULL);
624 
625  /* also register as child of eve-log */
627  "JsonTlsLog", "eve-log.tls", OutputTlsLogInitSub, ALPROTO_TLS,
628  JsonTlsLogger, TLS_HANDSHAKE_DONE, TLS_HANDSHAKE_DONE,
629  JsonTlsLogThreadInit, JsonTlsLogThreadDeinit, NULL);
630 }
631 
632 #else
633 
635 {
636 }
637 
638 #endif /* HAVE_LIBJANSSON */
639 
#define SSL_AL_FLAG_SESSION_RESUMED
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
#define SSL_AL_FLAG_STATE_SERVER_HELLO
Definition: app-layer-ssl.h:84
uint16_t flags
char * cert0_subject
#define SCLogDebug(...)
Definition: util-debug.h:335
time_t cert0_not_before
uint32_t flags
#define TAILQ_FIRST(head)
Definition: queue.h:339
#define SC_ATOMIC_DECLARE(type, name)
wrapper to declare an atomic variable including a (spin) lock to protect it.
Definition: util-atomic.h:57
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:350
struct HtpBodyChunk_ * next
#define LOG_TLS_DEFAULT
Definition: log-tlslog.c:66
#define LOG_TLS_EXTENDED
Definition: log-tlslog.c:67
uint16_t version
#define unlikely(expr)
Definition: util-optimize.h:35
void JsonTlsLogRegister(void)
char * cert0_fingerprint
#define MemBufferReset(mem_buffer)
Reset the mem buffer.
Definition: util-buffer.h:42
SSLStateConnp server_connp
char * data
Definition: util-ja3.h:30
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
int Ja3IsDisabled(const char *type)
Check if JA3 is disabled.
Definition: util-ja3.c:266
time_t cert0_not_after
char * val
Definition: conf.h:34
void CreateUtcIsoTimeString(const struct timeval *ts, char *str, size_t size)
Definition: util-time.c:195
ConfNode * ConfNodeLookupChild(const ConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:815
void SSLVersionToString(uint16_t version, char *buffer)
#define SSL_VERSION_MAX_STRLEN
SSLv[2.0|3.[0|1|2|3]] state structure.
AppProto alproto_orig
Definition: flow.h:413
#define SCCalloc(nm, a)
Definition: util-mem.h:205
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:843
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto)
void OutputRegisterTxModuleWithProgress(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, AppProto alproto, TxLogger TxLogFunc, int tc_log_progress, int ts_log_progress, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a tx output module with progress.
Definition: output.c:357
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
int SCConfLogOpenGeneric(ConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
JA3Buffer * ja3_str
void OutputRegisterTxSubModuleWithProgress(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, AppProto alproto, TxLogger TxLogFunc, int tc_log_progress, int ts_log_progress, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Definition: output.c:368
#define LOG_TLS_SESSION_RESUMPTION
Definition: log-tlslog.c:69
#define LOG_TLS_CUSTOM
Definition: log-tlslog.c:68
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:281
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:566
Definition: conf.h:32
OutputCtx * ctx
Definition: output.h:42
#define DEFAULT_LOG_FILENAME
#define SCMalloc(a)
Definition: util-mem.h:174
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
char * ja3_hash
#define SCFree(a)
Definition: util-mem.h:236
uint32_t cert_len
#define OUTPUT_BUFFER_SIZE
Definition: log-dnslog.c:58
uint16_t tx_id
uint8_t * cert_data
void * data
Definition: tm-modules.h:81
int Base64Encode(const unsigned char *in, unsigned long inlen, unsigned char *out, unsigned long *outlen)
Definition: util-crypt.c:272
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:729
#define TAILQ_EMPTY(head)
Definition: queue.h:347
uint8_t len
Per thread variable structure.
Definition: threadvars.h:57
#define SSL_AL_FLAG_LOG_WITHOUT_CERT
Flow data structure.
Definition: flow.h:327
SSLStateConnp client_connp
char * cert0_issuerdn
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82