suricata
output-json-tls.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2012 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Implements TLS JSON logging portion of the engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "detect.h"
29 #include "pkt-var.h"
30 #include "conf.h"
31 
32 #include "threads.h"
33 #include "threadvars.h"
34 #include "tm-threads.h"
35 
36 #include "util-print.h"
37 #include "util-unittest.h"
38 
39 #include "util-debug.h"
40 #include "app-layer-parser.h"
41 #include "output.h"
42 #include "app-layer-ssl.h"
43 #include "app-layer.h"
44 #include "util-privs.h"
45 #include "util-buffer.h"
46 
47 #include "util-logopenfile.h"
48 #include "util-crypt.h"
49 #include "util-ja3.h"
50 
51 #include "output-json.h"
52 #include "output-json-tls.h"
53 
54 SC_ATOMIC_DECLARE(unsigned int, cert_id);
55 
56 #define MODULE_NAME "LogTlsLog"
57 #define DEFAULT_LOG_FILENAME "tls.json"
58 
59 #define LOG_TLS_DEFAULT 0
60 #define LOG_TLS_EXTENDED (1 << 0)
61 #define LOG_TLS_CUSTOM (1 << 1)
62 #define LOG_TLS_SESSION_RESUMPTION (1 << 2)
63 
64 #define LOG_TLS_FIELD_VERSION (1 << 0)
65 #define LOG_TLS_FIELD_SUBJECT (1 << 1)
66 #define LOG_TLS_FIELD_ISSUER (1 << 2)
67 #define LOG_TLS_FIELD_SERIAL (1 << 3)
68 #define LOG_TLS_FIELD_FINGERPRINT (1 << 4)
69 #define LOG_TLS_FIELD_NOTBEFORE (1 << 5)
70 #define LOG_TLS_FIELD_NOTAFTER (1 << 6)
71 #define LOG_TLS_FIELD_SNI (1 << 7)
72 #define LOG_TLS_FIELD_CERTIFICATE (1 << 8)
73 #define LOG_TLS_FIELD_CHAIN (1 << 9)
74 #define LOG_TLS_FIELD_SESSION_RESUMED (1 << 10)
75 #define LOG_TLS_FIELD_JA3 (1 << 11)
76 #define LOG_TLS_FIELD_JA3S (1 << 12)
77 
78 typedef struct {
79  const char *name;
80  uint64_t flag;
81 } TlsFields;
82 
84  { "version", LOG_TLS_FIELD_VERSION },
85  { "subject", LOG_TLS_FIELD_SUBJECT },
86  { "issuer", LOG_TLS_FIELD_ISSUER },
87  { "serial", LOG_TLS_FIELD_SERIAL },
88  { "fingerprint", LOG_TLS_FIELD_FINGERPRINT },
89  { "not_before", LOG_TLS_FIELD_NOTBEFORE },
90  { "not_after", LOG_TLS_FIELD_NOTAFTER },
91  { "sni", LOG_TLS_FIELD_SNI },
92  { "certificate", LOG_TLS_FIELD_CERTIFICATE },
93  { "chain", LOG_TLS_FIELD_CHAIN },
94  { "session_resumed", LOG_TLS_FIELD_SESSION_RESUMED },
95  { "ja3", LOG_TLS_FIELD_JA3 },
96  { "ja3s", LOG_TLS_FIELD_JA3S },
97  { NULL, -1 }
98 };
99 
100 typedef struct OutputTlsCtx_ {
102  uint32_t flags; /** Store mode */
103  uint64_t fields; /** Store fields */
105 } OutputTlsCtx;
106 
107 
108 typedef struct JsonTlsLogThread_ {
112 
113 static void JsonTlsLogSubject(json_t *js, SSLState *ssl_state)
114 {
115  if (ssl_state->server_connp.cert0_subject) {
116  json_object_set_new(js, "subject",
118  }
119 }
120 
121 static void JsonTlsLogIssuer(json_t *js, SSLState *ssl_state)
122 {
123  if (ssl_state->server_connp.cert0_issuerdn) {
124  json_object_set_new(js, "issuerdn",
126  }
127 }
128 
129 static void JsonTlsLogSessionResumed(json_t *js, SSLState *ssl_state)
130 {
131  if (ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) {
132  /* Only log a session as 'resumed' if a certificate has not
133  been seen, and the session is not TLSv1.3 or later. */
134  if ((ssl_state->server_connp.cert0_issuerdn == NULL &&
135  ssl_state->server_connp.cert0_subject == NULL) &&
136  (ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) &&
137  ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) {
138  json_object_set_new(js, "session_resumed", json_boolean(true));
139  }
140  }
141 }
142 
143 static void JsonTlsLogFingerprint(json_t *js, SSLState *ssl_state)
144 {
145  if (ssl_state->server_connp.cert0_fingerprint) {
146  json_object_set_new(js, "fingerprint",
148  }
149 }
150 
151 static void JsonTlsLogSni(json_t *js, SSLState *ssl_state)
152 {
153  if (ssl_state->client_connp.sni) {
154  json_object_set_new(js, "sni",
155  SCJsonString(ssl_state->client_connp.sni));
156  }
157 }
158 
159 static void JsonTlsLogSerial(json_t *js, SSLState *ssl_state)
160 {
161  if (ssl_state->server_connp.cert0_serial) {
162  json_object_set_new(js, "serial",
164  }
165 }
166 
167 static void JsonTlsLogVersion(json_t *js, SSLState *ssl_state)
168 {
169  char ssl_version[SSL_VERSION_MAX_STRLEN];
170  SSLVersionToString(ssl_state->server_connp.version, ssl_version);
171  json_object_set_new(js, "version", json_string(ssl_version));
172 }
173 
174 static void JsonTlsLogNotBefore(json_t *js, SSLState *ssl_state)
175 {
176  if (ssl_state->server_connp.cert0_not_before != 0) {
177  char timebuf[64];
178  struct timeval tv;
179  tv.tv_sec = ssl_state->server_connp.cert0_not_before;
180  tv.tv_usec = 0;
181  CreateUtcIsoTimeString(&tv, timebuf, sizeof(timebuf));
182  json_object_set_new(js, "notbefore", json_string(timebuf));
183  }
184 }
185 
186 static void JsonTlsLogNotAfter(json_t *js, SSLState *ssl_state)
187 {
188  if (ssl_state->server_connp.cert0_not_after != 0) {
189  char timebuf[64];
190  struct timeval tv;
191  tv.tv_sec = ssl_state->server_connp.cert0_not_after;
192  tv.tv_usec = 0;
193  CreateUtcIsoTimeString(&tv, timebuf, sizeof(timebuf));
194  json_object_set_new(js, "notafter", json_string(timebuf));
195  }
196 }
197 
198 static void JsonTlsLogJa3Hash(json_t *js, SSLState *ssl_state)
199 {
200  if (ssl_state->client_connp.ja3_hash != NULL) {
201  json_object_set_new(js, "hash",
202  json_string(ssl_state->client_connp.ja3_hash));
203  }
204 }
205 
206 static void JsonTlsLogJa3String(json_t *js, SSLState *ssl_state)
207 {
208  if ((ssl_state->client_connp.ja3_str != NULL) &&
209  ssl_state->client_connp.ja3_str->data != NULL) {
210  json_object_set_new(js, "string",
211  json_string(ssl_state->client_connp.ja3_str->data));
212  }
213 }
214 
215 static void JsonTlsLogJa3(json_t *js, SSLState *ssl_state)
216 {
217  json_t *tjs = json_object();
218  if (unlikely(tjs == NULL))
219  return;
220 
221  JsonTlsLogJa3Hash(tjs, ssl_state);
222  JsonTlsLogJa3String(tjs, ssl_state);
223 
224  json_object_set_new(js, "ja3", tjs);
225 }
226 
227 static void JsonTlsLogJa3SHash(json_t *js, SSLState *ssl_state)
228 {
229  if (ssl_state->server_connp.ja3_hash != NULL) {
230  json_object_set_new(js, "hash",
231  json_string(ssl_state->server_connp.ja3_hash));
232  }
233 }
234 
235 static void JsonTlsLogJa3SString(json_t *js, SSLState *ssl_state)
236 {
237  if ((ssl_state->server_connp.ja3_str != NULL) &&
238  ssl_state->server_connp.ja3_str->data != NULL) {
239  json_object_set_new(js, "string",
240  json_string(ssl_state->server_connp.ja3_str->data));
241  }
242 }
243 
244 static void JsonTlsLogJa3S(json_t *js, SSLState *ssl_state)
245 {
246  json_t *tjs = json_object();
247  if (unlikely(tjs == NULL))
248  return;
249 
250  JsonTlsLogJa3SHash(tjs, ssl_state);
251  JsonTlsLogJa3SString(tjs, ssl_state);
252 
253  json_object_set_new(js, "ja3s", tjs);
254 }
255 static void JsonTlsLogCertificate(json_t *js, SSLState *ssl_state)
256 {
257  if (TAILQ_EMPTY(&ssl_state->server_connp.certs)) {
258  return;
259  }
260 
261  SSLCertsChain *cert = TAILQ_FIRST(&ssl_state->server_connp.certs);
262  if (cert == NULL) {
263  return;
264  }
265 
266  unsigned long len = cert->cert_len * 2;
267  uint8_t encoded[len];
268  if (Base64Encode(cert->cert_data, cert->cert_len, encoded, &len) ==
269  SC_BASE64_OK) {
270  json_object_set_new(js, "certificate", json_string((char *)encoded));
271  }
272 }
273 
274 static void JsonTlsLogChain(json_t *js, SSLState *ssl_state)
275 {
276  if (TAILQ_EMPTY(&ssl_state->server_connp.certs)) {
277  return;
278  }
279 
280  json_t *chain = json_array();
281  if (chain == NULL) {
282  return;
283  }
284 
285  SSLCertsChain *cert;
286  TAILQ_FOREACH(cert, &ssl_state->server_connp.certs, next) {
287  unsigned long len = cert->cert_len * 2;
288  uint8_t encoded[len];
289  if (Base64Encode(cert->cert_data, cert->cert_len, encoded, &len) ==
290  SC_BASE64_OK) {
291  json_array_append_new(chain, json_string((char *)encoded));
292  }
293  }
294 
295  json_object_set_new(js, "chain", chain);
296 }
297 
298 void JsonTlsLogJSONBasic(json_t *js, SSLState *ssl_state)
299 {
300  /* tls subject */
301  JsonTlsLogSubject(js, ssl_state);
302 
303  /* tls issuerdn */
304  JsonTlsLogIssuer(js, ssl_state);
305 
306  /* tls session resumption */
307  JsonTlsLogSessionResumed(js, ssl_state);
308 }
309 
310 static void JsonTlsLogJSONCustom(OutputTlsCtx *tls_ctx, json_t *js,
311  SSLState *ssl_state)
312 {
313  /* tls subject */
314  if (tls_ctx->fields & LOG_TLS_FIELD_SUBJECT)
315  JsonTlsLogSubject(js, ssl_state);
316 
317  /* tls issuerdn */
318  if (tls_ctx->fields & LOG_TLS_FIELD_ISSUER)
319  JsonTlsLogIssuer(js, ssl_state);
320 
321  /* tls session resumption */
322  if (tls_ctx->fields & LOG_TLS_FIELD_SESSION_RESUMED)
323  JsonTlsLogSessionResumed(js, ssl_state);
324 
325  /* tls serial */
326  if (tls_ctx->fields & LOG_TLS_FIELD_SERIAL)
327  JsonTlsLogSerial(js, ssl_state);
328 
329  /* tls fingerprint */
330  if (tls_ctx->fields & LOG_TLS_FIELD_FINGERPRINT)
331  JsonTlsLogFingerprint(js, ssl_state);
332 
333  /* tls sni */
334  if (tls_ctx->fields & LOG_TLS_FIELD_SNI)
335  JsonTlsLogSni(js, ssl_state);
336 
337  /* tls version */
338  if (tls_ctx->fields & LOG_TLS_FIELD_VERSION)
339  JsonTlsLogVersion(js, ssl_state);
340 
341  /* tls notbefore */
342  if (tls_ctx->fields & LOG_TLS_FIELD_NOTBEFORE)
343  JsonTlsLogNotBefore(js, ssl_state);
344 
345  /* tls notafter */
346  if (tls_ctx->fields & LOG_TLS_FIELD_NOTAFTER)
347  JsonTlsLogNotAfter(js, ssl_state);
348 
349  /* tls certificate */
350  if (tls_ctx->fields & LOG_TLS_FIELD_CERTIFICATE)
351  JsonTlsLogCertificate(js, ssl_state);
352 
353  /* tls chain */
354  if (tls_ctx->fields & LOG_TLS_FIELD_CHAIN)
355  JsonTlsLogChain(js, ssl_state);
356 
357  /* tls ja3_hash */
358  if (tls_ctx->fields & LOG_TLS_FIELD_JA3)
359  JsonTlsLogJa3(js, ssl_state);
360 
361  /* tls ja3s */
362  if (tls_ctx->fields & LOG_TLS_FIELD_JA3S)
363  JsonTlsLogJa3S(js, ssl_state);
364 }
365 
366 void JsonTlsLogJSONExtended(json_t *tjs, SSLState * state)
367 {
368  JsonTlsLogJSONBasic(tjs, state);
369 
370  /* tls serial */
371  JsonTlsLogSerial(tjs, state);
372 
373  /* tls fingerprint */
374  JsonTlsLogFingerprint(tjs, state);
375 
376  /* tls sni */
377  JsonTlsLogSni(tjs, state);
378 
379  /* tls version */
380  JsonTlsLogVersion(tjs, state);
381 
382  /* tls notbefore */
383  JsonTlsLogNotBefore(tjs, state);
384 
385  /* tls notafter */
386  JsonTlsLogNotAfter(tjs, state);
387 
388  /* tls ja3 */
389  JsonTlsLogJa3(tjs, state);
390 
391  /* tls ja3s */
392  JsonTlsLogJa3S(tjs, state);
393 }
394 
395 static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p,
396  Flow *f, void *state, void *txptr, uint64_t tx_id)
397 {
398  JsonTlsLogThread *aft = (JsonTlsLogThread *)thread_data;
399  OutputTlsCtx *tls_ctx = aft->tlslog_ctx;
400 
401  SSLState *ssl_state = (SSLState *)state;
402  if (unlikely(ssl_state == NULL)) {
403  return 0;
404  }
405 
406  if ((ssl_state->server_connp.cert0_issuerdn == NULL ||
407  ssl_state->server_connp.cert0_subject == NULL) &&
408  ((ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) == 0 ||
409  (tls_ctx->flags & LOG_TLS_SESSION_RESUMPTION) == 0) &&
410  ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) {
411  return 0;
412  }
413 
414  json_t *js = CreateJSONHeader(p, LOG_DIR_FLOW, "tls");
415  if (unlikely(js == NULL)) {
416  return 0;
417  }
418 
419  JsonAddCommonOptions(&tls_ctx->cfg, p, f, js);
420 
421  json_t *tjs = json_object();
422  if (tjs == NULL) {
423  free(js);
424  return 0;
425  }
426 
427  /* reset */
428  MemBufferReset(aft->buffer);
429 
430  /* log custom fields */
431  if (tls_ctx->flags & LOG_TLS_CUSTOM) {
432  JsonTlsLogJSONCustom(tls_ctx, tjs, ssl_state);
433  }
434  /* log extended */
435  else if (tls_ctx->flags & LOG_TLS_EXTENDED) {
436  JsonTlsLogJSONExtended(tjs, ssl_state);
437  }
438  /* log basic */
439  else {
440  JsonTlsLogJSONBasic(tjs, ssl_state);
441  }
442 
443  /* print original application level protocol when it have been changed
444  because of STARTTLS, HTTP CONNECT, or similar. */
445  if (f->alproto_orig != ALPROTO_UNKNOWN) {
446  json_object_set_new(tjs, "from_proto",
447  json_string(AppLayerGetProtoName(f->alproto_orig)));
448  }
449 
450  json_object_set_new(js, "tls", tjs);
451 
452  OutputJSONBuffer(js, tls_ctx->file_ctx, &aft->buffer);
453  json_object_clear(js);
454  json_decref(js);
455 
456  return 0;
457 }
458 
459 static TmEcode JsonTlsLogThreadInit(ThreadVars *t, const void *initdata, void **data)
460 {
462  if (unlikely(aft == NULL)) {
463  return TM_ECODE_FAILED;
464  }
465 
466  memset(aft, 0, sizeof(JsonTlsLogThread));
467 
468  if (initdata == NULL) {
469  SCLogDebug("Error getting context for eve-log tls 'initdata' argument NULL");
470  SCFree(aft);
471  return TM_ECODE_FAILED;
472  }
473 
474  /* use the Output Context (file pointer and mutex) */
475  aft->tlslog_ctx = ((OutputCtx *)initdata)->data;
476 
478  if (aft->buffer == NULL) {
479  SCFree(aft);
480  return TM_ECODE_FAILED;
481  }
482 
483  *data = (void *)aft;
484  return TM_ECODE_OK;
485 }
486 
487 static TmEcode JsonTlsLogThreadDeinit(ThreadVars *t, void *data)
488 {
489  JsonTlsLogThread *aft = (JsonTlsLogThread *)data;
490  if (aft == NULL) {
491  return TM_ECODE_OK;
492  }
493 
494  MemBufferFree(aft->buffer);
495 
496  /* clear memory */
497  memset(aft, 0, sizeof(JsonTlsLogThread));
498 
499  SCFree(aft);
500  return TM_ECODE_OK;
501 }
502 
503 static void OutputTlsLogDeinit(OutputCtx *output_ctx)
504 {
505  OutputTlsCtx *tls_ctx = output_ctx->data;
506  LogFileCtx *logfile_ctx = tls_ctx->file_ctx;
507  LogFileFreeCtx(logfile_ctx);
508  SCFree(tls_ctx);
509  SCFree(output_ctx);
510 }
511 
512 static OutputTlsCtx *OutputTlsInitCtx(ConfNode *conf)
513 {
514  OutputTlsCtx *tls_ctx = SCMalloc(sizeof(OutputTlsCtx));
515  if (unlikely(tls_ctx == NULL))
516  return NULL;
517 
518  tls_ctx->flags = LOG_TLS_DEFAULT;
519  tls_ctx->fields = 0;
520 
521  if (conf == NULL)
522  return tls_ctx;
523 
524  const char *extended = ConfNodeLookupChildValue(conf, "extended");
525  if (extended) {
526  if (ConfValIsTrue(extended)) {
527  tls_ctx->flags = LOG_TLS_EXTENDED;
528  }
529  }
530 
531  ConfNode *custom = ConfNodeLookupChild(conf, "custom");
532  if (custom) {
533  tls_ctx->flags = LOG_TLS_CUSTOM;
534  ConfNode *field;
535  TAILQ_FOREACH(field, &custom->head, next)
536  {
537  TlsFields *valid_fields = tls_fields;
538  for ( ; valid_fields->name != NULL; valid_fields++) {
539  if (strcasecmp(field->val, valid_fields->name) == 0) {
540  tls_ctx->fields |= valid_fields->flag;
541  break;
542  }
543  }
544  }
545  }
546 
547  const char *session_resumption = ConfNodeLookupChildValue(conf, "session-resumption");
548  if (session_resumption == NULL || ConfValIsTrue(session_resumption)) {
549  tls_ctx->flags |= LOG_TLS_SESSION_RESUMPTION;
550  }
551 
552  if ((tls_ctx->fields & LOG_TLS_FIELD_JA3) &&
553  Ja3IsDisabled("fields")) {
554  /* JA3 is disabled, so don't log any JA3 fields */
555  tls_ctx->fields &= ~LOG_TLS_FIELD_JA3;
556  tls_ctx->fields &= ~LOG_TLS_FIELD_JA3S;
557  }
558 
559  if ((tls_ctx->fields & LOG_TLS_FIELD_CERTIFICATE) &&
560  (tls_ctx->fields & LOG_TLS_FIELD_CHAIN)) {
562  "Both 'certificate' and 'chain' contains the top "
563  "certificate, so only one of them should be enabled "
564  "at a time");
565  }
566 
567  return tls_ctx;
568 }
569 
570 static OutputInitResult OutputTlsLogInit(ConfNode *conf)
571 {
572  OutputInitResult result = { NULL, false };
574  if (file_ctx == NULL) {
575  SCLogError(SC_ERR_TLS_LOG_GENERIC, "couldn't create new file_ctx");
576  return result;
577  }
578 
579  if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
580  LogFileFreeCtx(file_ctx);
581  return result;
582  }
583 
584  OutputTlsCtx *tls_ctx = OutputTlsInitCtx(conf);
585  if (unlikely(tls_ctx == NULL)) {
586  LogFileFreeCtx(file_ctx);
587  return result;
588  }
589 
590  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
591  if (unlikely(output_ctx == NULL)) {
592  LogFileFreeCtx(file_ctx);
593  SCFree(tls_ctx);
594  return result;
595  }
596 
597  tls_ctx->file_ctx = file_ctx;
598 
599  output_ctx->data = tls_ctx;
600  output_ctx->DeInit = OutputTlsLogDeinit;
601 
603 
604  result.ctx = output_ctx;
605  result.ok = true;
606  return result;
607 }
608 
609 static void OutputTlsLogDeinitSub(OutputCtx *output_ctx)
610 {
611  OutputTlsCtx *tls_ctx = output_ctx->data;
612  SCFree(tls_ctx);
613  SCFree(output_ctx);
614 }
615 
616 static OutputInitResult OutputTlsLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
617 {
618  OutputInitResult result = { NULL, false };
619  OutputJsonCtx *ojc = parent_ctx->data;
620 
621  OutputTlsCtx *tls_ctx = OutputTlsInitCtx(conf);
622  if (unlikely(tls_ctx == NULL))
623  return result;
624 
625  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
626  if (unlikely(output_ctx == NULL)) {
627  SCFree(tls_ctx);
628  return result;
629  }
630 
631  tls_ctx->file_ctx = ojc->file_ctx;
632  tls_ctx->cfg = ojc->cfg;
633 
634  if ((tls_ctx->fields & LOG_TLS_FIELD_CERTIFICATE) &&
635  (tls_ctx->fields & LOG_TLS_FIELD_CHAIN)) {
637  "Both 'certificate' and 'chain' contains the top "
638  "certificate, so only one of them should be enabled "
639  "at a time");
640  }
641 
642  output_ctx->data = tls_ctx;
643  output_ctx->DeInit = OutputTlsLogDeinitSub;
644 
646 
647  result.ctx = output_ctx;
648  result.ok = true;
649  return result;
650 }
651 
653 {
654  /* register as separate module */
656  "tls-json-log", OutputTlsLogInit, ALPROTO_TLS, JsonTlsLogger,
657  TLS_HANDSHAKE_DONE, TLS_HANDSHAKE_DONE, JsonTlsLogThreadInit,
658  JsonTlsLogThreadDeinit, NULL);
659 
660  /* also register as child of eve-log */
662  "JsonTlsLog", "eve-log.tls", OutputTlsLogInitSub, ALPROTO_TLS,
663  JsonTlsLogger, TLS_HANDSHAKE_DONE, TLS_HANDSHAKE_DONE,
664  JsonTlsLogThreadInit, JsonTlsLogThreadDeinit, NULL);
665 }
#define SSL_AL_FLAG_SESSION_RESUMED
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
#define SSL_AL_FLAG_STATE_SERVER_HELLO
Definition: app-layer-ssl.h:84
#define JSON_OUTPUT_BUFFER_SIZE
Definition: output-json.h:44
json_t * CreateJSONHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type)
Definition: output-json.c:710
#define LOG_TLS_DEFAULT
char * cert0_subject
#define SCLogDebug(...)
Definition: util-debug.h:335
time_t cert0_not_before
uint32_t flags
int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
Definition: output-json.c:809
#define LOG_TLS_FIELD_JA3
#define TAILQ_FIRST(head)
Definition: queue.h:339
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:350
struct HtpBodyChunk_ * next
#define LOG_TLS_FIELD_SUBJECT
#define LOG_TLS_EXTENDED
uint16_t version
void JsonTlsLogJSONExtended(json_t *tjs, SSLState *state)
#define unlikely(expr)
Definition: util-optimize.h:35
void JsonTlsLogRegister(void)
OutputJsonCommonSettings cfg
#define LOG_TLS_FIELD_CHAIN
char * cert0_fingerprint
#define MemBufferReset(mem_buffer)
Reset the mem buffer.
Definition: util-buffer.h:42
#define LOG_TLS_FIELD_ISSUER
#define LOG_TLS_FIELD_NOTAFTER
SSLStateConnp server_connp
#define LOG_TLS_CUSTOM
SC_ATOMIC_DECLARE(unsigned int, cert_id)
char * data
Definition: util-ja3.h:30
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
int Ja3IsDisabled(const char *type)
Check if JA3 is disabled.
Definition: util-ja3.c:263
time_t cert0_not_after
#define LOG_TLS_FIELD_JA3S
LogFileCtx * file_ctx
void JsonAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, json_t *js)
Definition: output-json.c:390
char * val
Definition: conf.h:34
void CreateUtcIsoTimeString(const struct timeval *ts, char *str, size_t size)
Definition: util-time.c:203
#define LOG_TLS_FIELD_NOTBEFORE
ConfNode * ConfNodeLookupChild(const ConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:815
void SSLVersionToString(uint16_t version, char *buffer)
#define json_boolean(val)
#define SSL_VERSION_MAX_STRLEN
SSLv[2.0|3.[0|1|2|3]] state structure.
AppProto alproto_orig
Definition: flow.h:415
#define SCCalloc(nm, a)
Definition: util-mem.h:253
struct JsonTlsLogThread_ JsonTlsLogThread
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:843
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
OutputJsonCommonSettings cfg
Definition: output-json.h:81
void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto)
void OutputRegisterTxModuleWithProgress(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, AppProto alproto, TxLogger TxLogFunc, int tc_log_progress, int ts_log_progress, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a tx output module with progress.
Definition: output.c:360
LogFileCtx * file_ctx
Definition: output-json.h:79
#define LOG_TLS_FIELD_SESSION_RESUMED
#define DEFAULT_LOG_FILENAME
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
json_t * SCJsonString(const char *val)
Definition: output-json.c:107
int SCConfLogOpenGeneric(ConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
uint64_t flag
void OutputRegisterTxSubModuleWithProgress(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, AppProto alproto, TxLogger TxLogFunc, int tc_log_progress, int ts_log_progress, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Definition: output.c:371
OutputTlsCtx * tlslog_ctx
const char * name
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:281
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:566
Definition: conf.h:32
OutputCtx * ctx
Definition: output.h:42
#define SCMalloc(a)
Definition: util-mem.h:222
struct OutputTlsCtx_ OutputTlsCtx
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
#define SCFree(a)
Definition: util-mem.h:322
uint32_t cert_len
#define LOG_TLS_FIELD_SERIAL
void JsonTlsLogJSONBasic(json_t *js, SSLState *ssl_state)
#define LOG_TLS_FIELD_SNI
uint16_t tx_id
uint8_t * cert_data
void * data
Definition: tm-modules.h:81
#define LOG_TLS_FIELD_VERSION
int Base64Encode(const unsigned char *in, unsigned long inlen, unsigned char *out, unsigned long *outlen)
Definition: util-crypt.c:272
TlsFields tls_fields[]
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:766
#define TAILQ_EMPTY(head)
Definition: queue.h:347
uint8_t len
Per thread variable structure.
Definition: threadvars.h:57
JA3Buffer * ja3_str
#define LOG_TLS_FIELD_FINGERPRINT
#define LOG_TLS_FIELD_CERTIFICATE
#define SSL_AL_FLAG_LOG_WITHOUT_CERT
#define LOG_TLS_SESSION_RESUMPTION
Flow data structure.
Definition: flow.h:325
SSLStateConnp client_connp
char * cert0_issuerdn
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82