suricata
output-json-tls.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Implements TLS JSON logging portion of the engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "detect.h"
28 #include "pkt-var.h"
29 #include "conf.h"
30 
31 #include "threads.h"
32 #include "threadvars.h"
33 #include "tm-threads.h"
34 
35 #include "util-print.h"
36 #include "util-time.h"
37 #include "util-unittest.h"
38 
39 #include "util-debug.h"
40 #include "app-layer-parser.h"
41 #include "output.h"
42 #include "app-layer-ssl.h"
43 #include "app-layer.h"
44 #include "util-privs.h"
45 #include "util-buffer.h"
46 
47 #include "util-logopenfile.h"
48 #include "util-ja3.h"
49 
50 #include "output-json.h"
51 #include "output-json-tls.h"
52 
53 SC_ATOMIC_EXTERN(unsigned int, cert_id);
54 
55 #define MODULE_NAME "LogTlsLog"
56 #define DEFAULT_LOG_FILENAME "tls.json"
57 
58 #define LOG_TLS_DEFAULT 0
59 #define LOG_TLS_EXTENDED (1 << 0)
60 #define LOG_TLS_CUSTOM (1 << 1)
61 #define LOG_TLS_SESSION_RESUMPTION (1 << 2)
62 
63 #define LOG_TLS_FIELD_VERSION (1 << 0)
64 #define LOG_TLS_FIELD_SUBJECT (1 << 1)
65 #define LOG_TLS_FIELD_ISSUER (1 << 2)
66 #define LOG_TLS_FIELD_SERIAL (1 << 3)
67 #define LOG_TLS_FIELD_FINGERPRINT (1 << 4)
68 #define LOG_TLS_FIELD_NOTBEFORE (1 << 5)
69 #define LOG_TLS_FIELD_NOTAFTER (1 << 6)
70 #define LOG_TLS_FIELD_SNI (1 << 7)
71 #define LOG_TLS_FIELD_CERTIFICATE (1 << 8)
72 #define LOG_TLS_FIELD_CHAIN (1 << 9)
73 #define LOG_TLS_FIELD_SESSION_RESUMED (1 << 10)
74 #define LOG_TLS_FIELD_JA3 (1 << 11)
75 #define LOG_TLS_FIELD_JA3S (1 << 12)
76 #define LOG_TLS_FIELD_CLIENT (1 << 13) /**< client fields (issuer, subject, etc) */
77 #define LOG_TLS_FIELD_CLIENT_CERT (1 << 14)
78 #define LOG_TLS_FIELD_CLIENT_CHAIN (1 << 15)
79 
80 typedef struct {
81  const char *name;
82  uint64_t flag;
83 } TlsFields;
84 
86  { "subject", LOG_TLS_FIELD_SUBJECT }, { "issuer", LOG_TLS_FIELD_ISSUER },
87  { "serial", LOG_TLS_FIELD_SERIAL }, { "fingerprint", LOG_TLS_FIELD_FINGERPRINT },
88  { "not_before", LOG_TLS_FIELD_NOTBEFORE }, { "not_after", LOG_TLS_FIELD_NOTAFTER },
89  { "sni", LOG_TLS_FIELD_SNI }, { "certificate", LOG_TLS_FIELD_CERTIFICATE },
90  { "chain", LOG_TLS_FIELD_CHAIN }, { "session_resumed", LOG_TLS_FIELD_SESSION_RESUMED },
91  { "ja3", LOG_TLS_FIELD_JA3 }, { "ja3s", LOG_TLS_FIELD_JA3S },
92  { "client", LOG_TLS_FIELD_CLIENT }, { "client_certificate", LOG_TLS_FIELD_CLIENT_CERT },
93  { "client_chain", LOG_TLS_FIELD_CLIENT_CHAIN }, { NULL, -1 } };
94 
95 typedef struct OutputTlsCtx_ {
96  uint32_t flags; /** Store mode */
97  uint64_t fields; /** Store fields */
100 
101 
102 typedef struct JsonTlsLogThread_ {
106 
107 static void JsonTlsLogSubject(JsonBuilder *js, SSLState *ssl_state)
108 {
109  if (ssl_state->server_connp.cert0_subject) {
110  jb_set_string(js, "subject",
111  ssl_state->server_connp.cert0_subject);
112  }
113 }
114 
115 static void JsonTlsLogIssuer(JsonBuilder *js, SSLState *ssl_state)
116 {
117  if (ssl_state->server_connp.cert0_issuerdn) {
118  jb_set_string(js, "issuerdn",
119  ssl_state->server_connp.cert0_issuerdn);
120  }
121 }
122 
123 static void JsonTlsLogSessionResumed(JsonBuilder *js, SSLState *ssl_state)
124 {
125  if (ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) {
126  /* Only log a session as 'resumed' if a certificate has not
127  been seen, and the session is not TLSv1.3 or later. */
128  if ((ssl_state->server_connp.cert0_issuerdn == NULL &&
129  ssl_state->server_connp.cert0_subject == NULL) &&
130  (ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) &&
131  ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) {
132  jb_set_bool(js, "session_resumed", true);
133  }
134  }
135 }
136 
137 static void JsonTlsLogFingerprint(JsonBuilder *js, SSLState *ssl_state)
138 {
139  if (ssl_state->server_connp.cert0_fingerprint) {
140  jb_set_string(js, "fingerprint",
141  ssl_state->server_connp.cert0_fingerprint);
142  }
143 }
144 
145 static void JsonTlsLogSni(JsonBuilder *js, SSLState *ssl_state)
146 {
147  if (ssl_state->client_connp.sni) {
148  jb_set_string(js, "sni",
149  ssl_state->client_connp.sni);
150  }
151 }
152 
153 static void JsonTlsLogSerial(JsonBuilder *js, SSLState *ssl_state)
154 {
155  if (ssl_state->server_connp.cert0_serial) {
156  jb_set_string(js, "serial",
157  ssl_state->server_connp.cert0_serial);
158  }
159 }
160 
161 static void JsonTlsLogVersion(JsonBuilder *js, SSLState *ssl_state)
162 {
163  char ssl_version[SSL_VERSION_MAX_STRLEN];
164  SSLVersionToString(ssl_state->server_connp.version, ssl_version);
165  jb_set_string(js, "version", ssl_version);
166 }
167 
168 static void JsonTlsLogNotBefore(JsonBuilder *js, SSLState *ssl_state)
169 {
170  if (ssl_state->server_connp.cert0_not_before != 0) {
171  sc_x509_log_timestamp(js, "notbefore", ssl_state->server_connp.cert0_not_before);
172  }
173 }
174 
175 static void JsonTlsLogNotAfter(JsonBuilder *js, SSLState *ssl_state)
176 {
177  if (ssl_state->server_connp.cert0_not_after != 0) {
178  sc_x509_log_timestamp(js, "notafter", ssl_state->server_connp.cert0_not_after);
179  }
180 }
181 
182 static void JsonTlsLogJa3Hash(JsonBuilder *js, SSLState *ssl_state)
183 {
184  if (ssl_state->client_connp.ja3_hash != NULL) {
185  jb_set_string(js, "hash",
186  ssl_state->client_connp.ja3_hash);
187  }
188 }
189 
190 static void JsonTlsLogJa3String(JsonBuilder *js, SSLState *ssl_state)
191 {
192  if ((ssl_state->client_connp.ja3_str != NULL) &&
193  ssl_state->client_connp.ja3_str->data != NULL) {
194  jb_set_string(js, "string",
195  ssl_state->client_connp.ja3_str->data);
196  }
197 }
198 
199 static void JsonTlsLogJa3(JsonBuilder *js, SSLState *ssl_state)
200 {
201  if ((ssl_state->client_connp.ja3_hash != NULL) ||
202  ((ssl_state->client_connp.ja3_str != NULL) &&
203  ssl_state->client_connp.ja3_str->data != NULL)) {
204  jb_open_object(js, "ja3");
205 
206  JsonTlsLogJa3Hash(js, ssl_state);
207  JsonTlsLogJa3String(js, ssl_state);
208 
209  jb_close(js);
210  }
211 }
212 
213 static void JsonTlsLogJa3SHash(JsonBuilder *js, SSLState *ssl_state)
214 {
215  if (ssl_state->server_connp.ja3_hash != NULL) {
216  jb_set_string(js, "hash",
217  ssl_state->server_connp.ja3_hash);
218  }
219 }
220 
221 static void JsonTlsLogJa3SString(JsonBuilder *js, SSLState *ssl_state)
222 {
223  if ((ssl_state->server_connp.ja3_str != NULL) &&
224  ssl_state->server_connp.ja3_str->data != NULL) {
225  jb_set_string(js, "string",
226  ssl_state->server_connp.ja3_str->data);
227  }
228 }
229 
230 static void JsonTlsLogJa3S(JsonBuilder *js, SSLState *ssl_state)
231 {
232  if ((ssl_state->server_connp.ja3_hash != NULL) ||
233  ((ssl_state->server_connp.ja3_str != NULL) &&
234  ssl_state->server_connp.ja3_str->data != NULL)) {
235  jb_open_object(js, "ja3s");
236 
237  JsonTlsLogJa3SHash(js, ssl_state);
238  JsonTlsLogJa3SString(js, ssl_state);
239 
240  jb_close(js);
241  }
242 }
243 
244 static void JsonTlsLogCertificate(JsonBuilder *js, SSLStateConnp *connp)
245 {
246  if (TAILQ_EMPTY(&connp->certs)) {
247  return;
248  }
249 
250  SSLCertsChain *cert = TAILQ_FIRST(&connp->certs);
251  if (cert == NULL) {
252  return;
253  }
254 
255  jb_set_base64(js, "certificate", cert->cert_data, cert->cert_len);
256 }
257 
258 static void JsonTlsLogChain(JsonBuilder *js, SSLStateConnp *connp)
259 {
260  if (TAILQ_EMPTY(&connp->certs)) {
261  return;
262  }
263 
264  jb_open_array(js, "chain");
265 
266  SSLCertsChain *cert;
267  TAILQ_FOREACH (cert, &connp->certs, next) {
268  jb_append_base64(js, cert->cert_data, cert->cert_len);
269  }
270 
271  jb_close(js);
272 }
273 
274 static bool HasClientCert(SSLStateConnp *connp)
275 {
276  if (connp->cert0_subject || connp->cert0_issuerdn)
277  return true;
278  return false;
279 }
280 
281 static void JsonTlsLogClientCert(
282  JsonBuilder *js, SSLStateConnp *connp, const bool log_cert, const bool log_chain)
283 {
284  if (connp->cert0_subject != NULL) {
285  jb_set_string(js, "subject", connp->cert0_subject);
286  }
287  if (connp->cert0_issuerdn != NULL) {
288  jb_set_string(js, "issuerdn", connp->cert0_issuerdn);
289  }
290  if (connp->cert0_fingerprint) {
291  jb_set_string(js, "fingerprint", connp->cert0_fingerprint);
292  }
293  if (connp->cert0_serial) {
294  jb_set_string(js, "serial", connp->cert0_serial);
295  }
296  if (connp->cert0_not_before != 0) {
297  char timebuf[64];
299  CreateUtcIsoTimeString(ts, timebuf, sizeof(timebuf));
300  jb_set_string(js, "notbefore", timebuf);
301  }
302  if (connp->cert0_not_after != 0) {
303  char timebuf[64];
305  CreateUtcIsoTimeString(ts, timebuf, sizeof(timebuf));
306  jb_set_string(js, "notafter", timebuf);
307  }
308 
309  if (log_cert) {
310  JsonTlsLogCertificate(js, connp);
311  }
312  if (log_chain) {
313  JsonTlsLogChain(js, connp);
314  }
315 }
316 
317 void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state)
318 {
319  /* tls subject */
320  JsonTlsLogSubject(js, ssl_state);
321 
322  /* tls issuerdn */
323  JsonTlsLogIssuer(js, ssl_state);
324 
325  /* tls session resumption */
326  JsonTlsLogSessionResumed(js, ssl_state);
327 }
328 
329 static void JsonTlsLogJSONCustom(OutputTlsCtx *tls_ctx, JsonBuilder *js,
330  SSLState *ssl_state)
331 {
332  /* tls subject */
333  if (tls_ctx->fields & LOG_TLS_FIELD_SUBJECT)
334  JsonTlsLogSubject(js, ssl_state);
335 
336  /* tls issuerdn */
337  if (tls_ctx->fields & LOG_TLS_FIELD_ISSUER)
338  JsonTlsLogIssuer(js, ssl_state);
339 
340  /* tls session resumption */
341  if (tls_ctx->fields & LOG_TLS_FIELD_SESSION_RESUMED)
342  JsonTlsLogSessionResumed(js, ssl_state);
343 
344  /* tls serial */
345  if (tls_ctx->fields & LOG_TLS_FIELD_SERIAL)
346  JsonTlsLogSerial(js, ssl_state);
347 
348  /* tls fingerprint */
349  if (tls_ctx->fields & LOG_TLS_FIELD_FINGERPRINT)
350  JsonTlsLogFingerprint(js, ssl_state);
351 
352  /* tls sni */
353  if (tls_ctx->fields & LOG_TLS_FIELD_SNI)
354  JsonTlsLogSni(js, ssl_state);
355 
356  /* tls version */
357  if (tls_ctx->fields & LOG_TLS_FIELD_VERSION)
358  JsonTlsLogVersion(js, ssl_state);
359 
360  /* tls notbefore */
361  if (tls_ctx->fields & LOG_TLS_FIELD_NOTBEFORE)
362  JsonTlsLogNotBefore(js, ssl_state);
363 
364  /* tls notafter */
365  if (tls_ctx->fields & LOG_TLS_FIELD_NOTAFTER)
366  JsonTlsLogNotAfter(js, ssl_state);
367 
368  /* tls certificate */
369  if (tls_ctx->fields & LOG_TLS_FIELD_CERTIFICATE)
370  JsonTlsLogCertificate(js, &ssl_state->server_connp);
371 
372  /* tls chain */
373  if (tls_ctx->fields & LOG_TLS_FIELD_CHAIN)
374  JsonTlsLogChain(js, &ssl_state->server_connp);
375 
376  /* tls ja3_hash */
377  if (tls_ctx->fields & LOG_TLS_FIELD_JA3)
378  JsonTlsLogJa3(js, ssl_state);
379 
380  /* tls ja3s */
381  if (tls_ctx->fields & LOG_TLS_FIELD_JA3S)
382  JsonTlsLogJa3S(js, ssl_state);
383 
384  if (tls_ctx->fields & LOG_TLS_FIELD_CLIENT) {
385  const bool log_cert = (tls_ctx->fields & LOG_TLS_FIELD_CLIENT_CERT) != 0;
386  const bool log_chain = (tls_ctx->fields & LOG_TLS_FIELD_CLIENT_CHAIN) != 0;
387  if (HasClientCert(&ssl_state->client_connp)) {
388  jb_open_object(js, "client");
389  JsonTlsLogClientCert(js, &ssl_state->client_connp, log_cert, log_chain);
390  jb_close(js);
391  }
392  }
393 }
394 
395 void JsonTlsLogJSONExtended(JsonBuilder *tjs, SSLState * state)
396 {
397  JsonTlsLogJSONBasic(tjs, state);
398 
399  /* tls serial */
400  JsonTlsLogSerial(tjs, state);
401 
402  /* tls fingerprint */
403  JsonTlsLogFingerprint(tjs, state);
404 
405  /* tls sni */
406  JsonTlsLogSni(tjs, state);
407 
408  /* tls version */
409  JsonTlsLogVersion(tjs, state);
410 
411  /* tls notbefore */
412  JsonTlsLogNotBefore(tjs, state);
413 
414  /* tls notafter */
415  JsonTlsLogNotAfter(tjs, state);
416 
417  /* tls ja3 */
418  JsonTlsLogJa3(tjs, state);
419 
420  /* tls ja3s */
421  JsonTlsLogJa3S(tjs, state);
422 
423  if (HasClientCert(&state->client_connp)) {
424  jb_open_object(tjs, "client");
425  JsonTlsLogClientCert(tjs, &state->client_connp, false, false);
426  jb_close(tjs);
427  }
428 }
429 
430 static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p,
431  Flow *f, void *state, void *txptr, uint64_t tx_id)
432 {
433  JsonTlsLogThread *aft = (JsonTlsLogThread *)thread_data;
434  OutputTlsCtx *tls_ctx = aft->tlslog_ctx;
435 
436  SSLState *ssl_state = (SSLState *)state;
437  if (unlikely(ssl_state == NULL)) {
438  return 0;
439  }
440 
441  if ((ssl_state->server_connp.cert0_issuerdn == NULL ||
442  ssl_state->server_connp.cert0_subject == NULL) &&
443  ((ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) == 0 ||
444  (tls_ctx->flags & LOG_TLS_SESSION_RESUMPTION) == 0) &&
445  ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) {
446  return 0;
447  }
448 
449  JsonBuilder *js = CreateEveHeader(p, LOG_DIR_FLOW, "tls", NULL, aft->tlslog_ctx->eve_ctx);
450  if (unlikely(js == NULL)) {
451  return 0;
452  }
453 
454  jb_open_object(js, "tls");
455 
456  /* log custom fields */
457  if (tls_ctx->flags & LOG_TLS_CUSTOM) {
458  JsonTlsLogJSONCustom(tls_ctx, js, ssl_state);
459  }
460  /* log extended */
461  else if (tls_ctx->flags & LOG_TLS_EXTENDED) {
462  JsonTlsLogJSONExtended(js, ssl_state);
463  }
464  /* log basic */
465  else {
466  JsonTlsLogJSONBasic(js, ssl_state);
467  }
468 
469  /* print original application level protocol when it have been changed
470  because of STARTTLS, HTTP CONNECT, or similar. */
471  if (f->alproto_orig != ALPROTO_UNKNOWN) {
472  jb_set_string(js, "from_proto",
474  }
475 
476  /* Close the tls object. */
477  jb_close(js);
478 
479  OutputJsonBuilderBuffer(js, aft->ctx);
480  jb_free(js);
481 
482  return 0;
483 }
484 
485 static TmEcode JsonTlsLogThreadInit(ThreadVars *t, const void *initdata, void **data)
486 {
487  JsonTlsLogThread *aft = SCCalloc(1, sizeof(JsonTlsLogThread));
488  if (unlikely(aft == NULL)) {
489  return TM_ECODE_FAILED;
490  }
491 
492  if (initdata == NULL) {
493  SCLogDebug("Error getting context for eve-log tls 'initdata' argument NULL");
494  goto error_exit;
495  }
496 
497  /* use the Output Context (file pointer and mutex) */
498  aft->tlslog_ctx = ((OutputCtx *)initdata)->data;
499 
500  aft->ctx = CreateEveThreadCtx(t, aft->tlslog_ctx->eve_ctx);
501  if (!aft->ctx) {
502  goto error_exit;
503  }
504  *data = (void *)aft;
505  return TM_ECODE_OK;
506 
507 error_exit:
508  SCFree(aft);
509  return TM_ECODE_FAILED;
510 }
511 
512 static TmEcode JsonTlsLogThreadDeinit(ThreadVars *t, void *data)
513 {
514  JsonTlsLogThread *aft = (JsonTlsLogThread *)data;
515  if (aft == NULL) {
516  return TM_ECODE_OK;
517  }
518 
519  FreeEveThreadCtx(aft->ctx);
520 
521  /* clear memory */
522  memset(aft, 0, sizeof(JsonTlsLogThread));
523 
524  SCFree(aft);
525  return TM_ECODE_OK;
526 }
527 
528 static OutputTlsCtx *OutputTlsInitCtx(ConfNode *conf)
529 {
530  OutputTlsCtx *tls_ctx = SCMalloc(sizeof(OutputTlsCtx));
531  if (unlikely(tls_ctx == NULL))
532  return NULL;
533 
534  tls_ctx->flags = LOG_TLS_DEFAULT;
535  tls_ctx->fields = 0;
536 
537  if (conf == NULL)
538  return tls_ctx;
539 
540  const char *extended = ConfNodeLookupChildValue(conf, "extended");
541  if (extended) {
542  if (ConfValIsTrue(extended)) {
543  tls_ctx->flags = LOG_TLS_EXTENDED;
544  }
545  }
546 
547  ConfNode *custom = ConfNodeLookupChild(conf, "custom");
548  if (custom) {
549  tls_ctx->flags = LOG_TLS_CUSTOM;
550  ConfNode *field;
551  TAILQ_FOREACH(field, &custom->head, next)
552  {
553  bool valid = false;
554  TlsFields *valid_fields = tls_fields;
555  for ( ; valid_fields->name != NULL; valid_fields++) {
556  if (strcasecmp(field->val, valid_fields->name) == 0) {
557  tls_ctx->fields |= valid_fields->flag;
558  SCLogDebug("enabled %s", field->val);
559  valid = true;
560  break;
561  }
562  }
563  if (!valid) {
564  SCLogWarning("eve.tls: unknown 'custom' field '%s'", field->val);
565  }
566  }
567  }
568 
569  const char *session_resumption = ConfNodeLookupChildValue(conf, "session-resumption");
570  if (session_resumption == NULL || ConfValIsTrue(session_resumption)) {
571  tls_ctx->flags |= LOG_TLS_SESSION_RESUMPTION;
572  }
573 
574  if ((tls_ctx->fields & LOG_TLS_FIELD_JA3) &&
575  Ja3IsDisabled("fields")) {
576  /* JA3 is disabled, so don't log any JA3 fields */
577  tls_ctx->fields &= ~LOG_TLS_FIELD_JA3;
578  tls_ctx->fields &= ~LOG_TLS_FIELD_JA3S;
579  }
580 
581  if ((tls_ctx->fields & LOG_TLS_FIELD_CERTIFICATE) &&
582  (tls_ctx->fields & LOG_TLS_FIELD_CHAIN)) {
583  SCLogWarning("Both 'certificate' and 'chain' contains the top "
584  "certificate, so only one of them should be enabled "
585  "at a time");
586  }
587  if ((tls_ctx->fields & LOG_TLS_FIELD_CLIENT_CERT) &&
588  (tls_ctx->fields & LOG_TLS_FIELD_CLIENT_CHAIN)) {
589  SCLogWarning("Both 'client_certificate' and 'client_chain' contains the top "
590  "certificate, so only one of them should be enabled "
591  "at a time");
592  }
593 
594  if ((tls_ctx->fields & LOG_TLS_FIELD_CLIENT) == 0) {
595  if (tls_ctx->fields & LOG_TLS_FIELD_CLIENT_CERT) {
596  SCLogConfig("enabling \"client\" as a dependency of \"client_certificate\"");
597  tls_ctx->fields |= LOG_TLS_FIELD_CLIENT;
598  }
599  if (tls_ctx->fields & LOG_TLS_FIELD_CLIENT_CHAIN) {
600  SCLogConfig("enabling \"client\" as a dependency of \"client_chain\"");
601  tls_ctx->fields |= LOG_TLS_FIELD_CLIENT;
602  }
603  }
604 
605  return tls_ctx;
606 }
607 
608 static void OutputTlsLogDeinitSub(OutputCtx *output_ctx)
609 {
610  OutputTlsCtx *tls_ctx = output_ctx->data;
611  SCFree(tls_ctx);
612  SCFree(output_ctx);
613 }
614 
615 static OutputInitResult OutputTlsLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
616 {
617  OutputInitResult result = { NULL, false };
618  OutputJsonCtx *ojc = parent_ctx->data;
619 
620  OutputTlsCtx *tls_ctx = OutputTlsInitCtx(conf);
621  if (unlikely(tls_ctx == NULL))
622  return result;
623 
624  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
625  if (unlikely(output_ctx == NULL)) {
626  SCFree(tls_ctx);
627  return result;
628  }
629 
630  tls_ctx->eve_ctx = ojc;
631 
632  if ((tls_ctx->fields & LOG_TLS_FIELD_CERTIFICATE) &&
633  (tls_ctx->fields & LOG_TLS_FIELD_CHAIN)) {
634  SCLogWarning("Both 'certificate' and 'chain' contains the top "
635  "certificate, so only one of them should be enabled "
636  "at a time");
637  }
638 
639  output_ctx->data = tls_ctx;
640  output_ctx->DeInit = OutputTlsLogDeinitSub;
641 
643 
644  result.ctx = output_ctx;
645  result.ok = true;
646  return result;
647 }
648 
650 {
651  /* register as child of eve-log */
652  OutputRegisterTxSubModuleWithProgress(LOGGER_JSON_TX, "eve-log", "JsonTlsLog", "eve-log.tls",
653  OutputTlsLogInitSub, ALPROTO_TLS, JsonTlsLogger, TLS_HANDSHAKE_DONE, TLS_HANDSHAKE_DONE,
654  JsonTlsLogThreadInit, JsonTlsLogThreadDeinit, NULL);
655 }
tm-threads.h
SSLStateConnp_::cert0_subject
char * cert0_subject
Definition: app-layer-ssl.h:248
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:284
ts
uint64_t ts
Definition: source-erf-file.c:55
LOG_TLS_FIELD_NOTBEFORE
#define LOG_TLS_FIELD_NOTBEFORE
Definition: output-json-tls.c:68
SSLCertsChain_::cert_len
uint32_t cert_len
Definition: app-layer-ssl.h:223
JsonTlsLogJSONBasic
void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state)
Definition: output-json-tls.c:317
LOG_TLS_DEFAULT
#define LOG_TLS_DEFAULT
Definition: output-json-tls.c:58
ConfNode_::val
char * val
Definition: conf.h:34
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
LOG_TLS_FIELD_JA3
#define LOG_TLS_FIELD_JA3
Definition: output-json-tls.c:74
SSLState_::client_connp
SSLStateConnp client_connp
Definition: app-layer-ssl.h:302
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
SSLState_::server_connp
SSLStateConnp server_connp
Definition: app-layer-ssl.h:303
SSLStateConnp_::cert0_not_before
int64_t cert0_not_before
Definition: app-layer-ssl.h:251
SSL_AL_FLAG_SESSION_RESUMED
#define SSL_AL_FLAG_SESSION_RESUMED
Definition: app-layer-ssl.h:116
FreeEveThreadCtx
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
Definition: output-json-common.c:58
SSLStateConnp_
Definition: app-layer-ssl.h:228
SSLStateConnp_::ja3_hash
char * ja3_hash
Definition: app-layer-ssl.h:268
threads.h
OutputJsonCtx_
Definition: output-json.h:81
Flow_
Flow data structure.
Definition: flow.h:347
SSL_AL_FLAG_STATE_SERVER_HELLO
#define SSL_AL_FLAG_STATE_SERVER_HELLO
Definition: app-layer-ssl.h:99
TlsFields
Definition: output-json-tls.c:80
OutputJsonBuilderBuffer
int OutputJsonBuilderBuffer(JsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:927
SSL_VERSION_MAX_STRLEN
#define SSL_VERSION_MAX_STRLEN
Definition: app-layer-ssl.h:152
LOG_TLS_FIELD_NOTAFTER
#define LOG_TLS_FIELD_NOTAFTER
Definition: output-json-tls.c:69
TAILQ_EMPTY
#define TAILQ_EMPTY(head)
Definition: queue.h:248
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:252
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:452
output-json-tls.h
CreateEveThreadCtx
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
Definition: output-json-common.c:29
JA3Buffer_::data
char * data
Definition: util-ja3.h:32
util-ja3.h
util-privs.h
SSLStateConnp_::sni
char * sni
Definition: app-layer-ssl.h:256
LOG_TLS_FIELD_SUBJECT
#define LOG_TLS_FIELD_SUBJECT
Definition: output-json-tls.c:64
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:85
JsonTlsLogThread
struct JsonTlsLogThread_ JsonTlsLogThread
LOG_TLS_FIELD_FINGERPRINT
#define LOG_TLS_FIELD_FINGERPRINT
Definition: output-json-tls.c:67
JsonTlsLogRegister
void JsonTlsLogRegister(void)
Definition: output-json-tls.c:649
TlsFields::flag
uint64_t flag
Definition: output-json-tls.c:82
util-unittest.h
SSLStateConnp_::cert0_issuerdn
char * cert0_issuerdn
Definition: app-layer-ssl.h:249
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:537
JsonTlsLogThread_::ctx
OutputJsonThreadCtx * ctx
Definition: output-json-tls.c:104
OutputCtx_::data
void * data
Definition: tm-modules.h:87
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:84
OutputCtx_
Definition: tm-modules.h:84
OutputJsonThreadCtx_
Definition: output-json.h:89
SSLStateConnp_::cert0_not_after
int64_t cert0_not_after
Definition: app-layer-ssl.h:252
Ja3IsDisabled
int Ja3IsDisabled(const char *type)
Check if JA3 is disabled.
Definition: util-ja3.c:246
SCTIME_FROM_SECS
#define SCTIME_FROM_SECS(s)
Definition: util-time.h:61
OutputTlsCtx_::eve_ctx
OutputJsonCtx * eve_ctx
Definition: output-json-tls.c:98
util-debug.h
TlsFields::name
const char * name
Definition: output-json-tls.c:81
TAILQ_FIRST
#define TAILQ_FIRST(head)
Definition: queue.h:250
LOG_TLS_FIELD_JA3S
#define LOG_TLS_FIELD_JA3S
Definition: output-json-tls.c:75
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:47
output-json.h
OutputRegisterTxSubModuleWithProgress
void OutputRegisterTxSubModuleWithProgress(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, AppProto alproto, TxLogger TxLogFunc, int tc_log_progress, int ts_log_progress, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Definition: output.c:380
TLS_HANDSHAKE_DONE
@ TLS_HANDSHAKE_DONE
Definition: app-layer-ssl.h:79
LOG_TLS_CUSTOM
#define LOG_TLS_CUSTOM
Definition: output-json-tls.c:60
AppLayerParserRegisterLogger
void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:477
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:786
SSLCertsChain_
Definition: app-layer-ssl.h:221
util-print.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
pkt-var.h
OutputTlsCtx_::flags
uint32_t flags
Definition: output-json-tls.c:96
LOG_TLS_FIELD_CLIENT_CERT
#define LOG_TLS_FIELD_CLIENT_CERT
Definition: output-json-tls.c:77
SSLVersionToString
void SSLVersionToString(uint16_t version, char *buffer)
Definition: app-layer-ssl.c:340
util-time.h
OutputInitResult_::ok
bool ok
Definition: output.h:48
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
app-layer-parser.h
LOG_TLS_FIELD_SERIAL
#define LOG_TLS_FIELD_SERIAL
Definition: output-json-tls.c:66
Packet_
Definition: decode.h:430
conf.h
OutputTlsCtx
struct OutputTlsCtx_ OutputTlsCtx
SCTime_t
Definition: util-time.h:40
TmEcode
TmEcode
Definition: tm-threads-common.h:83
SSLCertsChain_::cert_data
uint8_t * cert_data
Definition: app-layer-ssl.h:222
LOG_TLS_FIELD_ISSUER
#define LOG_TLS_FIELD_ISSUER
Definition: output-json-tls.c:65
ConfNodeLookupChild
ConfNode * ConfNodeLookupChild(const ConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:786
OutputInitResult_
Definition: output.h:46
CreateUtcIsoTimeString
void CreateUtcIsoTimeString(const SCTime_t ts, char *str, size_t size)
Definition: util-time.c:230
suricata-common.h
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:90
tls_fields
TlsFields tls_fields[]
Definition: output-json-tls.c:85
LOG_TLS_FIELD_CERTIFICATE
#define LOG_TLS_FIELD_CERTIFICATE
Definition: output-json-tls.c:71
OutputTlsCtx_
Definition: output-json-tls.c:95
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
threadvars.h
LOG_DIR_FLOW
@ LOG_DIR_FLOW
Definition: output-json.h:40
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
LOGGER_JSON_TX
@ LOGGER_JSON_TX
Definition: suricata-common.h:462
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ConfNode_
Definition: conf.h:32
util-logopenfile.h
util-buffer.h
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:937
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
OutputTlsCtx_::fields
uint64_t fields
Definition: output-json-tls.c:97
LOG_TLS_FIELD_SNI
#define LOG_TLS_FIELD_SNI
Definition: output-json-tls.c:70
SSLStateConnp_::cert0_fingerprint
char * cert0_fingerprint
Definition: app-layer-ssl.h:253
LOG_TLS_EXTENDED
#define LOG_TLS_EXTENDED
Definition: output-json-tls.c:59
SSLStateConnp_::ja3_str
JA3Buffer * ja3_str
Definition: app-layer-ssl.h:267
JsonTlsLogThread_::tlslog_ctx
OutputTlsCtx * tlslog_ctx
Definition: output-json-tls.c:103
LOG_TLS_FIELD_SESSION_RESUMED
#define LOG_TLS_FIELD_SESSION_RESUMED
Definition: output-json-tls.c:73
LOG_TLS_FIELD_CLIENT_CHAIN
#define LOG_TLS_FIELD_CLIENT_CHAIN
Definition: output-json-tls.c:78
LOG_TLS_SESSION_RESUMPTION
#define LOG_TLS_SESSION_RESUMPTION
Definition: output-json-tls.c:61
LOG_TLS_FIELD_CLIENT
#define LOG_TLS_FIELD_CLIENT
Definition: output-json-tls.c:76
JsonTlsLogJSONExtended
void JsonTlsLogJSONExtended(JsonBuilder *tjs, SSLState *state)
Definition: output-json-tls.c:395
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
LOG_TLS_FIELD_CHAIN
#define LOG_TLS_FIELD_CHAIN
Definition: output-json-tls.c:72
SSLStateConnp_::cert0_serial
char * cert0_serial
Definition: app-layer-ssl.h:250
LOG_TLS_FIELD_VERSION
#define LOG_TLS_FIELD_VERSION
Definition: output-json-tls.c:63
JsonTlsLogThread_
Definition: output-json-tls.c:102
app-layer-ssl.h
SSL_AL_FLAG_LOG_WITHOUT_CERT
#define SSL_AL_FLAG_LOG_WITHOUT_CERT
Definition: app-layer-ssl.h:123
output.h
SC_ATOMIC_EXTERN
SC_ATOMIC_EXTERN(unsigned int, cert_id)
app-layer.h
SSLState_::flags
uint32_t flags
Definition: app-layer-ssl.h:291
SSLStateConnp_::version
uint16_t version
Definition: app-layer-ssl.h:237
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:814