/* Output-mode bits for the eve tls logger. LOG_TLS_DEFAULT is 0 and therefore
 * cannot be tested with a bitwise AND: it is simply "no other mode bit set".
 * LOG_TLS_EXTENDED selects the fixed full field set (JsonTlsLogJSONExtendedAux),
 * LOG_TLS_CUSTOM the user-selected set (JsonTlsLogJSONCustom), and
 * LOG_TLS_SESSION_RESUMPTION is derived from the session_resumption config
 * value (line 637: enabled when the option is absent or true). */
56 #define LOG_TLS_DEFAULT 0
57 #define LOG_TLS_EXTENDED (1 << 0)
58 #define LOG_TLS_CUSTOM (1 << 1)
59 #define LOG_TLS_SESSION_RESUMPTION (1 << 2)
/* Per-field selection bits consumed in LOG_TLS_CUSTOM mode. Names from the
 * custom field list are matched case-insensitively against a table of valid
 * field names (line 622) and presumably OR-ed into one mask. Bits 0..17 are
 * used, so a 32-bit holder suffices; keep new fields contiguous. */
61 #define LOG_TLS_FIELD_VERSION (1 << 0)
62 #define LOG_TLS_FIELD_SUBJECT (1 << 1)
63 #define LOG_TLS_FIELD_ISSUER (1 << 2)
64 #define LOG_TLS_FIELD_SERIAL (1 << 3)
65 #define LOG_TLS_FIELD_FINGERPRINT (1 << 4)
66 #define LOG_TLS_FIELD_NOTBEFORE (1 << 5)
67 #define LOG_TLS_FIELD_NOTAFTER (1 << 6)
68 #define LOG_TLS_FIELD_SNI (1 << 7)
/* "certificate" and "chain" (also the client_ variants) both carry the top
 * certificate; the config loader warns when both are enabled (lines 650, 656). */
69 #define LOG_TLS_FIELD_CERTIFICATE (1 << 8)
70 #define LOG_TLS_FIELD_CHAIN (1 << 9)
71 #define LOG_TLS_FIELD_SESSION_RESUMED (1 << 10)
72 #define LOG_TLS_FIELD_JA3 (1 << 11)
73 #define LOG_TLS_FIELD_JA3S (1 << 12)
/* CLIENT_CERT and CLIENT_CHAIN require CLIENT; it is enabled as a dependency
 * with a config-level log line (lines 663, 667). */
74 #define LOG_TLS_FIELD_CLIENT (1 << 13)
75 #define LOG_TLS_FIELD_CLIENT_CERT (1 << 14)
76 #define LOG_TLS_FIELD_CLIENT_CHAIN (1 << 15)
77 #define LOG_TLS_FIELD_JA4 (1 << 16)
78 #define LOG_TLS_FIELD_SUBJECTALTNAME (1 << 17)
/* Emit the certificate subject DN from ssl_state under the "subject" key.
 * Only the key argument is shown here; the value argument is on the
 * continuation of source line 111. */
108 static void JsonTlsLogSubject(JsonBuilder *js,
SSLState *ssl_state)
111 jb_set_string(js,
"subject",
/* Emit the certificate issuer DN from ssl_state under the "issuerdn" key
 * (value argument on the continuation of source line 119, not shown). */
116 static void JsonTlsLogIssuer(JsonBuilder *js,
SSLState *ssl_state)
119 jb_set_string(js,
"issuerdn",
/* Open a "subjectaltname" array and append each SAN entry of the certificate
 * held in ssl_state; the append loop and the closing of the array (lines
 * 128-134) are not shown here. */
124 static void JsonTlsLogSAN(JsonBuilder *js,
SSLState *ssl_state)
127 jb_open_array(js,
"subjectaltname");
/* Emit "session_resumed": true. Only the true branch is shown; the condition
 * that guards it (lines 136-143) is not in this listing and presumably checks
 * resumption state in ssl_state — confirm. Nothing is logged otherwise. */
135 static void JsonTlsLogSessionResumed(JsonBuilder *js,
SSLState *ssl_state)
144 jb_set_bool(js,
"session_resumed",
true);
/* Emit the certificate fingerprint from ssl_state under the "fingerprint"
 * key (value argument on the continuation of line 152, not shown). */
149 static void JsonTlsLogFingerprint(JsonBuilder *js,
SSLState *ssl_state)
152 jb_set_string(js,
"fingerprint",
/* Emit the client-supplied server name indication under the "sni" key
 * (value argument on the continuation of line 160, not shown). The SNI is
 * peer-controlled input; it is assumed to have been sanitized when parsed. */
157 static void JsonTlsLogSni(JsonBuilder *js,
SSLState *ssl_state)
160 jb_set_string(js,
"sni",
/* Emit the certificate serial number from ssl_state under the "serial" key
 * (value argument on the continuation of line 168, not shown). */
165 static void JsonTlsLogSerial(JsonBuilder *js,
SSLState *ssl_state)
168 jb_set_string(js,
"serial",
/* Emit the negotiated protocol version under the "version" key. The value is
 * a local `ssl_version` string; how it is derived from ssl_state (lines
 * 174-176) is not shown. */
173 static void JsonTlsLogVersion(JsonBuilder *js,
SSLState *ssl_state)
177 jb_set_string(js,
"version", ssl_version);
/* Log the server certificate's validity start; body (lines 181-186) not
 * shown. By analogy with the client-side keys at lines 340/346 the key is
 * presumably "notbefore" — confirm. */
180 static void JsonTlsLogNotBefore(JsonBuilder *js,
SSLState *ssl_state)
/* Log the server certificate's validity end; body (lines 188-193) not shown.
 * By analogy with the client-side keys at lines 340/346 the key is
 * presumably "notafter" — confirm. */
187 static void JsonTlsLogNotAfter(JsonBuilder *js,
SSLState *ssl_state)
/* Emit the JA3 client fingerprint hash as "hash" inside the "ja3" object
 * opened by JsonTlsLogJa3 (value argument on the continuation of line 197,
 * not shown). */
194 static void JsonTlsLogJa3Hash(JsonBuilder *js,
SSLState *ssl_state)
197 jb_set_string(js,
"hash",
/* Emit the raw JA3 client fingerprint string as "string" inside the "ja3"
 * object opened by JsonTlsLogJa3 (value argument on the continuation of line
 * 206, not shown). */
202 static void JsonTlsLogJa3String(JsonBuilder *js,
SSLState *ssl_state)
206 jb_set_string(js,
"string",
/* Open a "ja3" object holding the client fingerprint hash and string. The
 * guard before the open (lines 212-215) and the jb_close after line 219 are
 * not shown; presumably the object is only emitted when JA3 data exists. */
211 static void JsonTlsLogJa3(JsonBuilder *js,
SSLState *ssl_state)
216 jb_open_object(js,
"ja3");
218 JsonTlsLogJa3Hash(js, ssl_state);
219 JsonTlsLogJa3String(js, ssl_state);
/* Emit the JA4 client fingerprint as "ja4" from a local `buffer`, with the
 * length hard-coded to the JA4 string width (36 characters). The buffer's
 * declaration and fill (lines 226-230) are not shown: it must be at least 36
 * bytes and fully written before this call, otherwise uninitialized bytes
 * would be logged — confirm against the sizing there. */
225 static void JsonTlsLogSCJA4(JsonBuilder *js,
SSLState *ssl_state)
231 jb_set_string_from_bytes(js,
"ja4", buffer, 36);
/* Emit the JA3S server fingerprint hash as "hash" inside the "ja3s" object
 * opened by JsonTlsLogJa3S (value argument on the continuation of line 238,
 * not shown). */
235 static void JsonTlsLogJa3SHash(JsonBuilder *js,
SSLState *ssl_state)
238 jb_set_string(js,
"hash",
/* Emit the raw JA3S server fingerprint string as "string" inside the "ja3s"
 * object opened by JsonTlsLogJa3S (value argument on the continuation of
 * line 247, not shown). */
243 static void JsonTlsLogJa3SString(JsonBuilder *js,
SSLState *ssl_state)
247 jb_set_string(js,
"string",
/* Open a "ja3s" object holding the server fingerprint hash and string. The
 * guard before the open (lines 253-256) and the jb_close after line 260 are
 * not shown; mirrors JsonTlsLogJa3. */
252 static void JsonTlsLogJa3S(JsonBuilder *js,
SSLState *ssl_state)
257 jb_open_object(js,
"ja3s");
259 JsonTlsLogJa3SHash(js, ssl_state);
260 JsonTlsLogJa3SString(js, ssl_state);
/* Open a JSON array named by `object` (callers pass "client_alpns" and
 * "server_alpns", lines 478-479) and append each ALPN entry `a` of `connp`
 * as a string of `a->size` bytes. The iteration over the entry list and the
 * close of the array (lines 267-276, 280-283) are not shown.
 * NOTE(review): ALPN values are peer-supplied bytes; confirm that
 * jb_append_string_from_bytes escapes or validates them so non-UTF-8 or
 * control characters cannot break the eve record. */
266 static void JsonTlsLogAlpns(JsonBuilder *js,
SSLStateConnp *connp,
const char *
object)
277 jb_open_array(js,
object);
279 jb_append_string_from_bytes(js, a->
alpn, a->
size);
/* Log the top (leaf) certificate of `connp`; body (lines 285-297) not shown.
 * Paired with JsonTlsLogChain, whose output also contains the top
 * certificate (config warnings at lines 650 and 701). */
284 static void JsonTlsLogCertificate(JsonBuilder *js,
SSLStateConnp *connp)
/* Open a "chain" array and log the certificate chain of `connp`; the
 * per-certificate appends and the close (lines 299-303, 305-320) are not
 * shown. The chain includes the top certificate, so enabling both "chain"
 * and "certificate" duplicates it (warning at line 650). */
298 static void JsonTlsLogChain(JsonBuilder *js,
SSLStateConnp *connp)
304 jb_open_array(js,
"chain");
/* Log the client-side certificate details of `connp` into the "client"
 * object the caller has already opened (lines 439, 482): validity dates as
 * "notbefore"/"notafter" from a formatted local `timebuf` (lines 323-339 not
 * shown), then the certificate and/or chain. The guards around lines 350 and
 * 353 are not shown but are presumably `if (log_cert)` / `if (log_chain)`.
 * Enabling both duplicates the top certificate, which the config loader
 * warns about at lines 656-657. */
321 static void JsonTlsLogClientCert(
322 JsonBuilder *js,
SSLStateConnp *connp,
const bool log_cert,
const bool log_chain)
340 jb_set_string(js,
"notbefore", timebuf);
346 jb_set_string(js,
"notafter", timebuf);
350 JsonTlsLogCertificate(js, connp);
353 JsonTlsLogChain(js, connp);
360 JsonTlsLogSubject(js, ssl_state);
363 JsonTlsLogIssuer(js, ssl_state);
366 JsonTlsLogSAN(js, ssl_state);
369 JsonTlsLogSessionResumed(js, ssl_state);
/* Log the user-selected field set (LOG_TLS_FIELD_* bits held in tls_ctx).
 * The guards between the calls (lines 373-438) are not shown; each call is
 * presumably behind its matching bit, and the "client" object at line 439
 * carries the client certificate with log_cert/log_chain derived from the
 * CLIENT_CERT/CLIENT_CHAIN bits.
 * NOTE(review): JsonTlsLogIssuer is invoked twice (lines 381 and 385) and
 * JsonTlsLogSAN never, whereas the non-custom path logs subject, issuerdn
 * and then subjectaltname in sequence (lines 360-366). If line 385 sits under
 * LOG_TLS_FIELD_SUBJECTALTNAME, selecting "subjectaltname" in custom mode
 * silently drops the SAN list and emits a second "issuerdn" member in the
 * same object — a duplicate JSON name that consumers resolve inconsistently.
 * Confirm the guard and change line 385 to `JsonTlsLogSAN(js, ssl_state);`. */
372 static void JsonTlsLogJSONCustom(
OutputTlsCtx *tls_ctx, JsonBuilder *js,
377 JsonTlsLogSubject(js, ssl_state);
381 JsonTlsLogIssuer(js, ssl_state);
385 JsonTlsLogIssuer(js, ssl_state);
389 JsonTlsLogSessionResumed(js, ssl_state);
393 JsonTlsLogSerial(js, ssl_state);
397 JsonTlsLogFingerprint(js, ssl_state);
401 JsonTlsLogSni(js, ssl_state);
405 JsonTlsLogVersion(js, ssl_state);
409 JsonTlsLogNotBefore(js, ssl_state);
413 JsonTlsLogNotAfter(js, ssl_state);
425 JsonTlsLogJa3(js, ssl_state);
429 JsonTlsLogJa3S(js, ssl_state);
433 JsonTlsLogSCJA4(js, ssl_state);
439 jb_open_object(js,
"client");
440 JsonTlsLogClientCert(js, &ssl_state->
client_connp, log_cert, log_chain);
/* Emit the fixed "extended" field set into `tjs`. `vtx` is the opaque
 * transaction pointer; its conversion to `state` (an SSLState, lines
 * 447-451) is not shown. Client and server ALPN lists are logged under
 * "client_alpns"/"server_alpns". The nested "client" object is filled by
 * JsonTlsLogClientCert with log_cert=false and log_chain=false, so extended
 * mode logs only the client certificate dates, never the certificate or
 * chain themselves. The bool result (lines 484-488) is not shown here and is
 * consumed at line 492. */
446 static bool JsonTlsLogJSONExtendedAux(
void *vtx, JsonBuilder *tjs)
452 JsonTlsLogSerial(tjs, state);
455 JsonTlsLogFingerprint(tjs, state);
458 JsonTlsLogSni(tjs, state);
461 JsonTlsLogVersion(tjs, state);
464 JsonTlsLogNotBefore(tjs, state);
467 JsonTlsLogNotAfter(tjs, state);
470 JsonTlsLogJa3(tjs, state);
473 JsonTlsLogJa3S(tjs, state);
476 JsonTlsLogSCJA4(tjs, state);
478 JsonTlsLogAlpns(tjs, &state->
client_connp,
"client_alpns");
479 JsonTlsLogAlpns(tjs, &state->
server_connp,
"server_alpns");
482 jb_open_object(tjs,
"client");
483 JsonTlsLogClientCert(tjs, &state->
client_connp,
false,
false);
491 jb_open_object(tjs,
"tls");
492 bool r = JsonTlsLogJSONExtendedAux(vtx, tjs);
498 Flow *f,
void *state,
void *txptr, uint64_t tx_id)
521 jb_open_object(js,
"tls");
525 JsonTlsLogJSONCustom(tls_ctx, js, ssl_state);
529 JsonTlsLogJSONExtendedAux(ssl_state, js);
539 jb_set_string(js,
"from_proto",
/* Per-thread setup for the eve tls logger; registered alongside
 * JsonTlsLogThreadDeinit at line 721. `initdata` is the OutputCtx handed
 * back in the init-sub result (line 711). A NULL `initdata` is reported at
 * debug level only, so a misconfiguration is easy to miss in production
 * logs; the early return that follows (line 561) is not shown. */
552 static TmEcode JsonTlsLogThreadInit(
ThreadVars *t,
const void *initdata,
void **data)
559 if (initdata == NULL) {
560 SCLogDebug(
"Error getting context for eve-log tls 'initdata' argument NULL");
622 for ( ; valid_fields->
name != NULL; valid_fields++) {
623 if (strcasecmp(field->
val, valid_fields->
name) == 0) {
637 if (session_resumption == NULL ||
ConfValIsTrue(session_resumption)) {
650 SCLogWarning(
"Both 'certificate' and 'chain' contains the top "
651 "certificate, so only one of them should be enabled "
656 SCLogWarning(
"Both 'client_certificate' and 'client_chain' contains the top "
657 "certificate, so only one of them should be enabled "
663 SCLogConfig(
"enabling \"client\" as a dependency of \"client_certificate\"");
667 SCLogConfig(
"enabling \"client\" as a dependency of \"client_chain\"");
/* Tear down the tls output sub-context: releases the OutputTlsCtx stored in
 * output_ctx->data (assigned at line 706). Installed as output_ctx->DeInit at
 * line 707; body (lines 676-682) not shown. */
675 static void OutputTlsLogDeinitSub(
OutputCtx *output_ctx)
701 SCLogWarning(
"Both 'certificate' and 'chain' contains the top "
702 "certificate, so only one of them should be enabled "
706 output_ctx->
data = tls_ctx;
707 output_ctx->
DeInit = OutputTlsLogDeinitSub;
711 result.
ctx = output_ctx;
721 JsonTlsLogThreadInit, JsonTlsLogThreadDeinit, NULL);