/*
 * Per-field selection flags for the EVE TLS logger.
 *
 * Each LOG_TLS_FIELD_* is a single bit (BIT_U64(n)) in the uint64_t
 * `fields` mask kept on the output context; JsonTlsLogFields() tests the
 * mask and calls the matching JsonTlsLog*() helper for every bit that is
 * set. New fields must use the next free bit and get a dispatch case there.
 *
 * Notes for configuration:
 *  - CERTIFICATE and CHAIN both emit the leaf certificate, so enabling both
 *    duplicates it; the config loader warns in that case. The same applies
 *    to CLIENT_CERT / CLIENT_CHAIN.
 *  - CLIENT_CERT and CLIENT_CHAIN are nested under the "client" object, so
 *    the loader turns on CLIENT as a dependency when either is requested.
 */
41 #define LOG_TLS_FIELD_VERSION BIT_U64(0)
42 #define LOG_TLS_FIELD_SUBJECT BIT_U64(1)
43 #define LOG_TLS_FIELD_ISSUER BIT_U64(2)
44 #define LOG_TLS_FIELD_SERIAL BIT_U64(3)
45 #define LOG_TLS_FIELD_FINGERPRINT BIT_U64(4)
46 #define LOG_TLS_FIELD_NOTBEFORE BIT_U64(5)
47 #define LOG_TLS_FIELD_NOTAFTER BIT_U64(6)
48 #define LOG_TLS_FIELD_SNI BIT_U64(7)
49 #define LOG_TLS_FIELD_CERTIFICATE BIT_U64(8)
50 #define LOG_TLS_FIELD_CHAIN BIT_U64(9)
51 #define LOG_TLS_FIELD_SESSION_RESUMED BIT_U64(10)
52 #define LOG_TLS_FIELD_JA3 BIT_U64(11)
53 #define LOG_TLS_FIELD_JA3S BIT_U64(12)
54 #define LOG_TLS_FIELD_CLIENT BIT_U64(13)
55 #define LOG_TLS_FIELD_CLIENT_CERT BIT_U64(14)
56 #define LOG_TLS_FIELD_CLIENT_CHAIN BIT_U64(15)
57 #define LOG_TLS_FIELD_JA4 BIT_U64(16)
58 #define LOG_TLS_FIELD_SUBJECTALTNAME BIT_U64(17)
59 #define LOG_TLS_FIELD_CLIENT_ALPNS BIT_U64(18)
60 #define LOG_TLS_FIELD_SERVER_ALPNS BIT_U64(19)
/*
 * Minimal field set: the certificate subject, issuer and subject
 * alternative names. Used as a preset mask; see EXTENDED_FIELDS below for
 * the larger preset.
 */
94 #define BASIC_FIELDS \
95 (LOG_TLS_FIELD_SUBJECT | \
96 LOG_TLS_FIELD_ISSUER | \
97 LOG_TLS_FIELD_SUBJECTALTNAME)
101 #define EXTENDED_FIELDS \
103 LOG_TLS_FIELD_VERSION | \
104 LOG_TLS_FIELD_SERIAL | \
105 LOG_TLS_FIELD_FINGERPRINT | \
106 LOG_TLS_FIELD_NOTBEFORE | \
107 LOG_TLS_FIELD_NOTAFTER | \
108 LOG_TLS_FIELD_JA3 | \
109 LOG_TLS_FIELD_JA3S | \
110 LOG_TLS_FIELD_JA4 | \
111 LOG_TLS_FIELD_CLIENT | \
112 LOG_TLS_FIELD_CLIENT_ALPNS | \
113 LOG_TLS_FIELD_SERVER_ALPNS | \
128 static void JsonTlsLogSubject(SCJsonBuilder *js,
SSLState *ssl_state)
135 static void JsonTlsLogIssuer(SCJsonBuilder *js,
SSLState *ssl_state)
142 static void JsonTlsLogSAN(SCJsonBuilder *js,
SSLState *ssl_state)
145 SCJbOpenArray(js,
"subjectaltname");
153 static void JsonTlsLogSessionResumed(SCJsonBuilder *js,
SSLState *ssl_state)
162 SCJbSetBool(js,
"session_resumed",
true);
167 static void JsonTlsLogFingerprint(SCJsonBuilder *js,
SSLState *ssl_state)
174 static void JsonTlsLogSni(SCJsonBuilder *js,
SSLState *ssl_state)
181 static void JsonTlsLogSerial(SCJsonBuilder *js,
SSLState *ssl_state)
188 static void JsonTlsLogVersion(SCJsonBuilder *js,
SSLState *ssl_state)
192 SCJbSetString(js,
"version", ssl_version);
195 static void JsonTlsLogNotBefore(SCJsonBuilder *js,
SSLState *ssl_state)
202 static void JsonTlsLogNotAfter(SCJsonBuilder *js,
SSLState *ssl_state)
209 static void JsonTlsLogJa3Hash(SCJsonBuilder *js,
SSLState *ssl_state)
216 static void JsonTlsLogJa3String(SCJsonBuilder *js,
SSLState *ssl_state)
224 static void JsonTlsLogJa3(SCJsonBuilder *js,
SSLState *ssl_state)
229 SCJbOpenObject(js,
"ja3");
231 JsonTlsLogJa3Hash(js, ssl_state);
232 JsonTlsLogJa3String(js, ssl_state);
238 static void JsonTlsLogSCJA4(SCJsonBuilder *js,
SSLState *ssl_state)
244 SCJbSetStringFromBytes(js,
"ja4", buffer, 36);
248 static void JsonTlsLogJa3SHash(SCJsonBuilder *js,
SSLState *ssl_state)
255 static void JsonTlsLogJa3SString(SCJsonBuilder *js,
SSLState *ssl_state)
263 static void JsonTlsLogJa3S(SCJsonBuilder *js,
SSLState *ssl_state)
268 SCJbOpenObject(js,
"ja3s");
270 JsonTlsLogJa3SHash(js, ssl_state);
271 JsonTlsLogJa3SString(js, ssl_state);
277 static void JsonTlsLogAlpns(SCJsonBuilder *js,
SSLStateConnp *connp,
const char *
object)
288 SCJbOpenArray(js,
object);
290 SCJbAppendStringFromBytes(js, a->
alpn, a->
size);
295 static void JsonTlsLogCertificate(SCJsonBuilder *js,
SSLStateConnp *connp)
309 static void JsonTlsLogChain(SCJsonBuilder *js,
SSLStateConnp *connp)
315 SCJbOpenArray(js,
"chain");
332 static void JsonTlsLogClientCert(
333 SCJsonBuilder *js,
SSLStateConnp *connp,
const bool log_cert,
const bool log_chain)
351 SCJbSetString(js,
"notbefore", timebuf);
357 SCJbSetString(js,
"notafter", timebuf);
361 JsonTlsLogCertificate(js, connp);
364 JsonTlsLogChain(js, connp);
368 static void JsonTlsLogFields(SCJsonBuilder *js,
SSLState *ssl_state, uint64_t fields)
372 JsonTlsLogSubject(js, ssl_state);
376 JsonTlsLogIssuer(js, ssl_state);
380 JsonTlsLogSAN(js, ssl_state);
384 JsonTlsLogSessionResumed(js, ssl_state);
388 JsonTlsLogSerial(js, ssl_state);
392 JsonTlsLogFingerprint(js, ssl_state);
396 JsonTlsLogSni(js, ssl_state);
400 JsonTlsLogVersion(js, ssl_state);
404 JsonTlsLogNotBefore(js, ssl_state);
408 JsonTlsLogNotAfter(js, ssl_state);
420 JsonTlsLogJa3(js, ssl_state);
424 JsonTlsLogJa3S(js, ssl_state);
428 JsonTlsLogSCJA4(js, ssl_state);
431 JsonTlsLogAlpns(js, &ssl_state->
client_connp,
"client_alpns");
435 JsonTlsLogAlpns(js, &ssl_state->
server_connp,
"server_alpns");
442 SCJbOpenObject(js,
"client");
443 JsonTlsLogClientCert(js, &ssl_state->
client_connp, log_cert, log_chain);
452 SCJbOpenObject(tjs,
"tls");
454 return SCJbClose(tjs);
458 Flow *f,
void *state,
void *txptr, uint64_t tx_id)
481 SCJbOpenObject(js,
"tls");
483 JsonTlsLogFields(js, ssl_state, tls_ctx->
fields);
500 static TmEcode JsonTlsLogThreadInit(
ThreadVars *t,
const void *initdata,
void **data)
507 if (initdata == NULL) {
508 SCLogDebug(
"Error getting context for eve-log tls 'initdata' argument NULL");
570 for ( ; valid_fields->
name != NULL; valid_fields++) {
571 if (strcasecmp(field->
val, valid_fields->
name) == 0) {
585 if (session_resumption == NULL ||
SCConfValIsTrue(session_resumption)) {
592 SCLogWarning(
"Both 'certificate' and 'chain' contains the top "
593 "certificate, so only one of them should be enabled "
598 SCLogWarning(
"Both 'client_certificate' and 'client_chain' contains the top "
599 "certificate, so only one of them should be enabled "
605 SCLogConfig(
"enabling \"client\" as a dependency of \"client_certificate\"");
609 SCLogConfig(
"enabling \"client\" as a dependency of \"client_chain\"");
617 static void OutputTlsLogDeinitSub(
OutputCtx *output_ctx)
643 SCLogWarning(
"Both 'certificate' and 'chain' contains the top "
644 "certificate, so only one of them should be enabled "
648 output_ctx->
data = tls_ctx;
649 output_ctx->
DeInit = OutputTlsLogDeinitSub;
653 result.
ctx = output_ctx;