/*
 * Identity of the EVE TLS output module and the default file name used when
 * the configuration does not supply one.
 */
55 #define MODULE_NAME "LogTlsLog"
56 #define DEFAULT_LOG_FILENAME "tls.json"
/*
 * Output-mode bits carried in the TLS output context. DEFAULT logs the
 * baseline fields; EXTENDED and CUSTOM select the extended or the
 * user-chosen field set; SESSION_RESUMPTION is set when the
 * 'session-resumption' option is absent or evaluates true (see the config
 * parsing further down in this file).
 */
58 #define LOG_TLS_DEFAULT 0
59 #define LOG_TLS_EXTENDED (1 << 0)
60 #define LOG_TLS_CUSTOM (1 << 1)
61 #define LOG_TLS_SESSION_RESUMPTION (1 << 2)
/*
 * Per-field bits for the 'custom' field list. Names given in the
 * configuration are matched case-insensitively against a valid_fields table
 * during init, and the matching bit is set here.
 *
 * Caveats enforced by the init code below:
 *  - CHAIN already includes the top certificate, so enabling CERTIFICATE
 *    and CHAIN together logs it twice (init emits a warning; it does not
 *    reject the combination). The same holds for CLIENT_CERT / CLIENT_CHAIN.
 *  - CLIENT_CERT or CLIENT_CHAIN implicitly enables CLIENT, since the client
 *    certificate data is emitted inside the "client" object.
 *  - NOTE(review): CERTIFICATE / CHAIN and their client counterparts put the
 *    certificate bodies themselves into the JSON event, so events grow
 *    considerably; presumably operators should budget log volume for them.
 */
63 #define LOG_TLS_FIELD_VERSION (1 << 0)
64 #define LOG_TLS_FIELD_SUBJECT (1 << 1)
65 #define LOG_TLS_FIELD_ISSUER (1 << 2)
66 #define LOG_TLS_FIELD_SERIAL (1 << 3)
67 #define LOG_TLS_FIELD_FINGERPRINT (1 << 4)
68 #define LOG_TLS_FIELD_NOTBEFORE (1 << 5)
69 #define LOG_TLS_FIELD_NOTAFTER (1 << 6)
70 #define LOG_TLS_FIELD_SNI (1 << 7)
71 #define LOG_TLS_FIELD_CERTIFICATE (1 << 8)
72 #define LOG_TLS_FIELD_CHAIN (1 << 9)
73 #define LOG_TLS_FIELD_SESSION_RESUMED (1 << 10)
74 #define LOG_TLS_FIELD_JA3 (1 << 11)
75 #define LOG_TLS_FIELD_JA3S (1 << 12)
76 #define LOG_TLS_FIELD_CLIENT (1 << 13)
77 #define LOG_TLS_FIELD_CLIENT_CERT (1 << 14)
78 #define LOG_TLS_FIELD_CLIENT_CHAIN (1 << 15)
107 static void JsonTlsLogSubject(JsonBuilder *js,
SSLState *ssl_state)
110 jb_set_string(js,
"subject",
115 static void JsonTlsLogIssuer(JsonBuilder *js,
SSLState *ssl_state)
118 jb_set_string(js,
"issuerdn",
123 static void JsonTlsLogSessionResumed(JsonBuilder *js,
SSLState *ssl_state)
132 jb_set_bool(js,
"session_resumed",
true);
137 static void JsonTlsLogFingerprint(JsonBuilder *js,
SSLState *ssl_state)
140 jb_set_string(js,
"fingerprint",
145 static void JsonTlsLogSni(JsonBuilder *js,
SSLState *ssl_state)
148 jb_set_string(js,
"sni",
153 static void JsonTlsLogSerial(JsonBuilder *js,
SSLState *ssl_state)
156 jb_set_string(js,
"serial",
161 static void JsonTlsLogVersion(JsonBuilder *js,
SSLState *ssl_state)
165 jb_set_string(js,
"version", ssl_version);
168 static void JsonTlsLogNotBefore(JsonBuilder *js,
SSLState *ssl_state)
175 static void JsonTlsLogNotAfter(JsonBuilder *js,
SSLState *ssl_state)
182 static void JsonTlsLogJa3Hash(JsonBuilder *js,
SSLState *ssl_state)
185 jb_set_string(js,
"hash",
190 static void JsonTlsLogJa3String(JsonBuilder *js,
SSLState *ssl_state)
194 jb_set_string(js,
"string",
199 static void JsonTlsLogJa3(JsonBuilder *js,
SSLState *ssl_state)
204 jb_open_object(js,
"ja3");
206 JsonTlsLogJa3Hash(js, ssl_state);
207 JsonTlsLogJa3String(js, ssl_state);
213 static void JsonTlsLogJa3SHash(JsonBuilder *js,
SSLState *ssl_state)
216 jb_set_string(js,
"hash",
221 static void JsonTlsLogJa3SString(JsonBuilder *js,
SSLState *ssl_state)
225 jb_set_string(js,
"string",
230 static void JsonTlsLogJa3S(JsonBuilder *js,
SSLState *ssl_state)
235 jb_open_object(js,
"ja3s");
237 JsonTlsLogJa3SHash(js, ssl_state);
238 JsonTlsLogJa3SString(js, ssl_state);
244 static void JsonTlsLogCertificate(JsonBuilder *js,
SSLStateConnp *connp)
258 static void JsonTlsLogChain(JsonBuilder *js,
SSLStateConnp *connp)
264 jb_open_array(js,
"chain");
281 static void JsonTlsLogClientCert(
282 JsonBuilder *js,
SSLStateConnp *connp,
const bool log_cert,
const bool log_chain)
300 jb_set_string(js,
"notbefore", timebuf);
306 jb_set_string(js,
"notafter", timebuf);
310 JsonTlsLogCertificate(js, connp);
313 JsonTlsLogChain(js, connp);
320 JsonTlsLogSubject(js, ssl_state);
323 JsonTlsLogIssuer(js, ssl_state);
326 JsonTlsLogSessionResumed(js, ssl_state);
329 static void JsonTlsLogJSONCustom(
OutputTlsCtx *tls_ctx, JsonBuilder *js,
334 JsonTlsLogSubject(js, ssl_state);
338 JsonTlsLogIssuer(js, ssl_state);
342 JsonTlsLogSessionResumed(js, ssl_state);
346 JsonTlsLogSerial(js, ssl_state);
350 JsonTlsLogFingerprint(js, ssl_state);
354 JsonTlsLogSni(js, ssl_state);
358 JsonTlsLogVersion(js, ssl_state);
362 JsonTlsLogNotBefore(js, ssl_state);
366 JsonTlsLogNotAfter(js, ssl_state);
378 JsonTlsLogJa3(js, ssl_state);
382 JsonTlsLogJa3S(js, ssl_state);
388 jb_open_object(js,
"client");
389 JsonTlsLogClientCert(js, &ssl_state->
client_connp, log_cert, log_chain);
400 JsonTlsLogSerial(tjs, state);
403 JsonTlsLogFingerprint(tjs, state);
406 JsonTlsLogSni(tjs, state);
409 JsonTlsLogVersion(tjs, state);
412 JsonTlsLogNotBefore(tjs, state);
415 JsonTlsLogNotAfter(tjs, state);
418 JsonTlsLogJa3(tjs, state);
421 JsonTlsLogJa3S(tjs, state);
424 jb_open_object(tjs,
"client");
425 JsonTlsLogClientCert(tjs, &state->
client_connp,
false,
false);
431 Flow *f,
void *state,
void *txptr, uint64_t tx_id)
454 jb_open_object(js,
"tls");
458 JsonTlsLogJSONCustom(tls_ctx, js, ssl_state);
472 jb_set_string(js,
"from_proto",
485 static TmEcode JsonTlsLogThreadInit(
ThreadVars *t,
const void *initdata,
void **data)
492 if (initdata == NULL) {
493 SCLogDebug(
"Error getting context for eve-log tls 'initdata' argument NULL");
555 for ( ; valid_fields->
name != NULL; valid_fields++) {
556 if (strcasecmp(field->
val, valid_fields->
name) == 0) {
570 if (session_resumption == NULL ||
ConfValIsTrue(session_resumption)) {
583 SCLogWarning(
"Both 'certificate' and 'chain' contains the top "
584 "certificate, so only one of them should be enabled "
589 SCLogWarning(
"Both 'client_certificate' and 'client_chain' contains the top "
590 "certificate, so only one of them should be enabled "
596 SCLogConfig(
"enabling \"client\" as a dependency of \"client_certificate\"");
600 SCLogConfig(
"enabling \"client\" as a dependency of \"client_chain\"");
608 static void OutputTlsLogDeinitSub(
OutputCtx *output_ctx)
634 SCLogWarning(
"Both 'certificate' and 'chain' contains the top "
635 "certificate, so only one of them should be enabled "
639 output_ctx->
data = tls_ctx;
640 output_ctx->
DeInit = OutputTlsLogDeinitSub;
644 result.
ctx = output_ctx;
654 JsonTlsLogThreadInit, JsonTlsLogThreadDeinit, NULL);