aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '03091dfbda'
${ noResults }
suricata/src/log-tlslog.c

595 lines
18 KiB
C
Raw Normal View History Unescape Escape

log-tls: convert to packet logger API This patch converts log-tls to use the packet logger API. The packet logger API was choosen as the TLS parser is not transaction aware. To make sure the state is only logged once, the flag SSL_AL_FLAG_STATE_LOGGED was added to the parser. This flag is checked by the condition function, and set at the end of the Logger function.
12 years ago
/* Copyright (C) 2007-2014 Open Information Security Foundation
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Roliers Jean-Paul <popof.fpn@gmail.co>
* \author Eric Leblond <eric@regit.org>
log-tls: convert to packet logger API This patch converts log-tls to use the packet logger API. The packet logger API was choosen as the TLS parser is not transaction aware. To make sure the state is only logged once, the flag SSL_AL_FLAG_STATE_LOGGED was added to the parser. This flag is checked by the condition function, and set at the end of the Logger function.
12 years ago
* \author Victor Julien <victor@inliniac.net>
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
*
log-tls: convert to packet logger API This patch converts log-tls to use the packet logger API. The packet logger API was choosen as the TLS parser is not transaction aware. To make sure the state is only logged once, the flag SSL_AL_FLAG_STATE_LOGGED was added to the parser. This flag is checked by the condition function, and set at the end of the Logger function.
12 years ago
* Implements TLS logging portion of the engine. The TLS logger is
* implemented as a packet logger, as the TLS parser is not transaction
* aware.
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
*/
#include "suricata-common.h"
#include "debug.h"
#include "detect.h"
#include "pkt-var.h"
#include "conf.h"
#include "threads.h"
#include "threadvars.h"
#include "tm-threads.h"
#include "util-print.h"
#include "util-unittest.h"
#include "util-debug.h"
#include "output.h"
#include "log-tlslog.h"
#include "app-layer-ssl.h"
#include "app-layer.h"
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
#include "app-layer-parser.h"
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
#include "util-privs.h"
#include "util-buffer.h"
#include "util-logopenfile.h"
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
14 years ago
#include "util-crypt.h"
Merge multiple copies of CreateTimeString() to one copy. There were 8 identical copies of CreateTimeString() in 8 files. Most used SCLocalTime, to replace localtime_r(), but some did not. Created one copy in util-time.c.
12 years ago
#include "util-time.h"
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
#define DEFAULT_LOG_FILENAME "tls.log"
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
14 years ago
static char tls_logfile_base_dir[PATH_MAX] = "/tmp";
SC_ATOMIC_DECLARE(unsigned int, cert_id);
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
#define MODULE_NAME "LogTlsLog"
#define OUTPUT_BUFFER_SIZE 65535
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
14 years ago
#define CERT_ENC_BUFFER_SIZE 2048
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
tls: adding fingerprint to TLS Log information. Improve TLS logging by adding the certificate fingerprint to TLS Log file. Add the extending option to the tls-log entry in suricata.yaml.
14 years ago
#define LOG_TLS_DEFAULT 0
#define LOG_TLS_EXTENDED 1
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
typedef struct LogTlsFileCtx_ {
LogFileCtx *file_ctx;
uint32_t flags; /** Store mode */
} LogTlsFileCtx;
typedef struct LogTlsLogThread_ {
LogTlsFileCtx *tlslog_ctx;
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
14 years ago
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
/** LogTlsFileCtx has the pointer to the file and a mutex to allow multithreading */
uint32_t tls_cnt;
MemBuffer *buffer;
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
14 years ago
uint8_t* enc_buf;
size_t enc_buf_len;
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
} LogTlsLogThread;
tls: adding fingerprint to TLS Log information. Improve TLS logging by adding the certificate fingerprint to TLS Log file. Add the extending option to the tls-log entry in suricata.yaml.
14 years ago
static void LogTlsLogExtended(LogTlsLogThread *aft, SSLState * state)
{
if (state->server_connp.cert0_fingerprint != NULL) {
tls-log: add protocol version to log message.
13 years ago
MemBufferWriteString(aft->buffer, " SHA1='%s'", state->server_connp.cert0_fingerprint);
tls: adding fingerprint to TLS Log information. Improve TLS logging by adding the certificate fingerprint to TLS Log file. Add the extending option to the tls-log entry in suricata.yaml.
14 years ago
}
tls-log: add protocol version to log message.
13 years ago
switch (state->server_connp.version) {
case TLS_VERSION_UNKNOWN:
MemBufferWriteString(aft->buffer, " VERSION='UNDETERMINED'");
break;
case SSL_VERSION_2:
MemBufferWriteString(aft->buffer, " VERSION='SSLv2'");
break;
case SSL_VERSION_3:
MemBufferWriteString(aft->buffer, " VERSION='SSLv3'");
break;
case TLS_VERSION_10:
MemBufferWriteString(aft->buffer, " VERSION='TLSv1'");
break;
case TLS_VERSION_11:
MemBufferWriteString(aft->buffer, " VERSION='TLS 1.1'");
break;
case TLS_VERSION_12:
MemBufferWriteString(aft->buffer, " VERSION='TLS 1.2'");
break;
default:
MemBufferWriteString(aft->buffer, " VERSION='0x%04x'",
state->server_connp.version);
break;
}
MemBufferWriteString(aft->buffer, "\n");
tls: adding fingerprint to TLS Log information. Improve TLS logging by adding the certificate fingerprint to TLS Log file. Add the extending option to the tls-log entry in suricata.yaml.
14 years ago
}
log-tls: convert to packet logger API This patch converts log-tls to use the packet logger API. The packet logger API was choosen as the TLS parser is not transaction aware. To make sure the state is only logged once, the flag SSL_AL_FLAG_STATE_LOGGED was added to the parser. This flag is checked by the condition function, and set at the end of the Logger function.
12 years ago
static int GetIPInformations(const Packet *p, char* srcip, size_t srcip_len,
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
14 years ago
Port* sp, char* dstip, size_t dstip_len,
Port* dp, int ipproto)
{
if ((PKT_IS_TOSERVER(p))) {
switch (ipproto) {
case AF_INET:
PrintInet(AF_INET, (const void *) GET_IPV4_SRC_ADDR_PTR(p), srcip, srcip_len);
PrintInet(AF_INET, (const void *) GET_IPV4_DST_ADDR_PTR(p), dstip, dstip_len);
break;
case AF_INET6:
PrintInet(AF_INET6, (const void *) GET_IPV6_SRC_ADDR(p), srcip, srcip_len);
PrintInet(AF_INET6, (const void *) GET_IPV6_DST_ADDR(p), dstip, dstip_len);
break;
default:
return 0;
}
*sp = p->sp;
*dp = p->dp;
} else {
switch (ipproto) {
case AF_INET:
PrintInet(AF_INET, (const void *) GET_IPV4_DST_ADDR_PTR(p), srcip, srcip_len);
PrintInet(AF_INET, (const void *) GET_IPV4_SRC_ADDR_PTR(p), dstip, dstip_len);
break;
case AF_INET6:
PrintInet(AF_INET6, (const void *) GET_IPV6_DST_ADDR(p), srcip, srcip_len);
PrintInet(AF_INET6, (const void *) GET_IPV6_SRC_ADDR(p), dstip, dstip_len);
break;
default:
return 0;
}
*sp = p->dp;
*dp = p->sp;
}
return 1;
}
log-tls: convert to packet logger API This patch converts log-tls to use the packet logger API. The packet logger API was choosen as the TLS parser is not transaction aware. To make sure the state is only logged once, the flag SSL_AL_FLAG_STATE_LOGGED was added to the parser. This flag is checked by the condition function, and set at the end of the Logger function.
12 years ago
static int CreateFileName(LogTlsFileCtx *log, const Packet *p, SSLState *state, char *filename)
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
14 years ago
{
#define FILELEN 64 //filename len + extention + ending path / + some space
int filenamelen = FILELEN + strlen(tls_logfile_base_dir);
int file_id = SC_ATOMIC_ADD(cert_id, 1);
if (filenamelen + 1 > PATH_MAX) {
return 0;
}
/* Use format : packet time + incremental ID
* When running on same pcap it will overwrite
* On a live device, we will not be able to overwrite */
snprintf(filename, filenamelen, "%s/%ld.%ld-%d.pem",
tls_logfile_base_dir,
p->ts.tv_sec,
Use _mm_free for memory allocated by _mm_alloc. Bug 703. Minor compiler warning fixes.
13 years ago
(long int)p->ts.tv_usec,
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
14 years ago
file_id);
return 1;
}
log-tls: convert to packet logger API This patch converts log-tls to use the packet logger API. The packet logger API was choosen as the TLS parser is not transaction aware. To make sure the state is only logged once, the flag SSL_AL_FLAG_STATE_LOGGED was added to the parser. This flag is checked by the condition function, and set at the end of the Logger function.
12 years ago
static void LogTlsLogPem(LogTlsLogThread *aft, const Packet *p, SSLState *state, LogTlsFileCtx *log, int ipproto)
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
14 years ago
{
#define PEMHEADER "-----BEGIN CERTIFICATE-----\n"
#define PEMFOOTER "-----END CERTIFICATE-----\n"
//Logging pem certificate
char filename[PATH_MAX] = "";
FILE* fp = NULL;
FILE* fpmeta = NULL;
unsigned long pemlen;
unsigned char* pembase64ptr = NULL;
int ret;
Fix realloc error handling This patch is fixing realloc error handling. In case of a realloc failure, it free the initial memory and continue existing error handling. The patch has been obtained via the following semantic patch and a bit oh hand editing: @@ expression x, E; identifier f; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (x == NULL) + if (ptmp == NULL) { + SCFree(x); + x = NULL; ... - } + } else { + x = ptmp; + } ...+> } @@ expression x, E; identifier f; statement ES; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (x == NULL) ES + if (ptmp == NULL) { + SCFree(x); + x = NULL; + ES + } else { + x = ptmp; + } ...+> } @@ expression x, E; identifier f; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (unlikely(x == NULL)) + if (unlikely(ptmp == NULL)) { + SCFree(x); + x = NULL; ... - } + } else { + x = ptmp; + } ...+> } @@ expression x, E; identifier f; statement ES; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (unlikely(x == NULL)) ES + if (unlikely(ptmp == NULL)) { + SCFree(x); + x = NULL; + ES + } else { + x = ptmp; + } ...+> }
12 years ago
uint8_t *ptmp;
tls: store all the certificates chain in the written PEM file. When using the tls.store command, a dump of all certificates in the chain is now done on the disk.
13 years ago
SSLCertsChain *cert;
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
14 years ago
if ((state->server_connp.cert_input == NULL) || (state->server_connp.cert_input_len == 0))
SCReturn;
CreateFileName(log, p, state, filename);
if (strlen(filename) == 0) {
SCLogWarning(SC_ERR_FOPEN, "Can't create PEM filename");
SCReturn;
}
fp = fopen(filename, "w");
if (fp == NULL) {
SCLogWarning(SC_ERR_FOPEN, "Can't create PEM file: %s", filename);
SCReturn;
}
tls: store all the certificates chain in the written PEM file. When using the tls.store command, a dump of all certificates in the chain is now done on the disk.
13 years ago
TAILQ_FOREACH(cert, &state->server_connp.certs, next) {
pemlen = (4 * (cert->cert_len + 2) / 3) +1;
if (pemlen > aft->enc_buf_len) {
Fix realloc error handling This patch is fixing realloc error handling. In case of a realloc failure, it free the initial memory and continue existing error handling. The patch has been obtained via the following semantic patch and a bit oh hand editing: @@ expression x, E; identifier f; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (x == NULL) + if (ptmp == NULL) { + SCFree(x); + x = NULL; ... - } + } else { + x = ptmp; + } ...+> } @@ expression x, E; identifier f; statement ES; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (x == NULL) ES + if (ptmp == NULL) { + SCFree(x); + x = NULL; + ES + } else { + x = ptmp; + } ...+> } @@ expression x, E; identifier f; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (unlikely(x == NULL)) + if (unlikely(ptmp == NULL)) { + SCFree(x); + x = NULL; ... - } + } else { + x = ptmp; + } ...+> } @@ expression x, E; identifier f; statement ES; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (unlikely(x == NULL)) ES + if (unlikely(ptmp == NULL)) { + SCFree(x); + x = NULL; + ES + } else { + x = ptmp; + } ...+> }
12 years ago
ptmp = (uint8_t*) SCRealloc(aft->enc_buf, sizeof(uint8_t) * pemlen);
if (ptmp == NULL) {
SCFree(aft->enc_buf);
aft->enc_buf = NULL;
tls: store all the certificates chain in the written PEM file. When using the tls.store command, a dump of all certificates in the chain is now done on the disk.
13 years ago
SCLogWarning(SC_ERR_MEM_ALLOC, "Can't allocate data for base64 encoding");
goto end_fp;
}
Fix realloc error handling This patch is fixing realloc error handling. In case of a realloc failure, it free the initial memory and continue existing error handling. The patch has been obtained via the following semantic patch and a bit oh hand editing: @@ expression x, E; identifier f; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (x == NULL) + if (ptmp == NULL) { + SCFree(x); + x = NULL; ... - } + } else { + x = ptmp; + } ...+> } @@ expression x, E; identifier f; statement ES; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (x == NULL) ES + if (ptmp == NULL) { + SCFree(x); + x = NULL; + ES + } else { + x = ptmp; + } ...+> } @@ expression x, E; identifier f; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (unlikely(x == NULL)) + if (unlikely(ptmp == NULL)) { + SCFree(x); + x = NULL; ... - } + } else { + x = ptmp; + } ...+> } @@ expression x, E; identifier f; statement ES; @@ f(...) { + void *ptmp; <+... - x = SCRealloc(x, E); + ptmp = SCRealloc(x, E); ... when != x - if (unlikely(x == NULL)) ES + if (unlikely(ptmp == NULL)) { + SCFree(x); + x = NULL; + ES + } else { + x = ptmp; + } ...+> }
12 years ago
aft->enc_buf = ptmp;
tls: store all the certificates chain in the written PEM file. When using the tls.store command, a dump of all certificates in the chain is now done on the disk.
13 years ago
aft->enc_buf_len = pemlen;
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
14 years ago
}
tls: store all the certificates chain in the written PEM file. When using the tls.store command, a dump of all certificates in the chain is now done on the disk.
13 years ago
memset(aft->enc_buf, 0, aft->enc_buf_len);
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
14 years ago
tls: store all the certificates chain in the written PEM file. When using the tls.store command, a dump of all certificates in the chain is now done on the disk.
13 years ago
ret = Base64Encode((unsigned char*) cert->cert_data, cert->cert_len, aft->enc_buf, &pemlen);
if (ret != SC_BASE64_OK) {
SCLogWarning(SC_ERR_INVALID_ARGUMENTS, "Invalid return of Base64Encode function");
goto end_fwrite_fp;
}
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
14 years ago
tls: store all the certificates chain in the written PEM file. When using the tls.store command, a dump of all certificates in the chain is now done on the disk.
13 years ago
if (fprintf(fp, PEMHEADER) < 0)
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
14 years ago
goto end_fwrite_fp;
tls: store all the certificates chain in the written PEM file. When using the tls.store command, a dump of all certificates in the chain is now done on the disk.
13 years ago
pembase64ptr = aft->enc_buf;
while (pemlen > 0) {
size_t loffset = pemlen >= 64 ? 64 : pemlen;
if (fwrite(pembase64ptr, 1, loffset, fp) != loffset)
goto end_fwrite_fp;
if (fwrite("\n", 1, 1, fp) != 1)
goto end_fwrite_fp;
pembase64ptr += 64;
if (pemlen < 64)
break;
pemlen -= 64;
}
if (fprintf(fp, PEMFOOTER) < 0)
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
14 years ago
goto end_fwrite_fp;
}
fclose(fp);
//Logging certificate informations
memcpy(filename + (strlen(filename) - 3), "meta", 4);
fpmeta = fopen(filename, "w");
if (fpmeta != NULL) {
#define PRINT_BUF_LEN 46
char srcip[PRINT_BUF_LEN], dstip[PRINT_BUF_LEN];
char timebuf[64];
Port sp, dp;
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
if (!GetIPInformations(p, srcip, PRINT_BUF_LEN, &sp, dstip, PRINT_BUF_LEN, &dp, ipproto))
goto end_fwrite_fpmeta;
if (fprintf(fpmeta, "TIME: %s\n", timebuf) < 0)
goto end_fwrite_fpmeta;
if (p->pcap_cnt > 0) {
if (fprintf(fpmeta, "PCAP PKT NUM: %"PRIu64"\n", p->pcap_cnt) < 0)
goto end_fwrite_fpmeta;
}
if (fprintf(fpmeta, "SRC IP: %s\n", srcip) < 0)
goto end_fwrite_fpmeta;
if (fprintf(fpmeta, "DST IP: %s\n", dstip) < 0)
goto end_fwrite_fpmeta;
if (fprintf(fpmeta, "PROTO: %" PRIu32 "\n", p->proto) < 0)
goto end_fwrite_fpmeta;
if (PKT_IS_TCP(p) || PKT_IS_UDP(p)) {
if (fprintf(fpmeta, "SRC PORT: %" PRIu16 "\n", sp) < 0)
goto end_fwrite_fpmeta;
if (fprintf(fpmeta, "DST PORT: %" PRIu16 "\n", dp) < 0)
goto end_fwrite_fpmeta;
}
if (fprintf(fpmeta, "TLS SUBJECT: %s\n"
"TLS ISSUERDN: %s\n"
"TLS FINGERPRINT: %s\n",
state->server_connp.cert0_subject,
state->server_connp.cert0_issuerdn,
state->server_connp.cert0_fingerprint) < 0)
goto end_fwrite_fpmeta;
fclose(fpmeta);
} else {
SCLogWarning(SC_ERR_FOPEN, "Can't open meta file: %s",
filename);
SCReturn;
}
/* Reset the store flag */
state->server_connp.cert_log_flag &= ~SSL_TLS_LOG_PEM;
SCReturn;
end_fwrite_fp:
fclose(fp);
SCLogWarning(SC_ERR_FWRITE, "Unable to write certificate");
end_fwrite_fpmeta:
if (fpmeta) {
fclose(fpmeta);
SCLogWarning(SC_ERR_FWRITE, "Unable to write certificate metafile");
}
tls: avoid double close. This should fix issue 717441 reported by Coverity.
13 years ago
SCReturn;
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
14 years ago
end_fp:
fclose(fp);
}
log-tls: clean ups Make all functions static. Remove separate ipv4 and ipv6 registration functions. Move register function to the bottom so that we no longer need function prototype declarations.
12 years ago
static TmEcode LogTlsLogThreadInit(ThreadVars *t, void *initdata, void **data)
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
{
LogTlsLogThread *aft = SCMalloc(sizeof(LogTlsLogThread));
Use unlikely for error treatment. When handling error case on SCMallog, SCCalloc or SCStrdup we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc. This patch has been obtained via coccinelle. The transformation is the following: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
13 years ago
if (unlikely(aft == NULL))
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
return TM_ECODE_FAILED;
memset(aft, 0, sizeof(LogTlsLogThread));
if (initdata == NULL) {
SCLogDebug( "Error getting context for TLSLog. \"initdata\" argument NULL");
SCFree(aft);
return TM_ECODE_FAILED;
}
TLS: create certs directory during startup if it doesn't exist yet. Bug #710.
12 years ago
struct stat stat_buf;
if (stat(tls_logfile_base_dir, &stat_buf) != 0) {
int ret;
ret = mkdir(tls_logfile_base_dir, S_IRWXU|S_IXGRP|S_IRGRP);
if (ret != 0) {
int err = errno;
if (err != EEXIST) {
SCLogError(SC_ERR_LOGDIR_CONFIG,
"Cannot create certs drop directory %s: %s",
tls_logfile_base_dir, strerror(err));
exit(EXIT_FAILURE);
}
} else {
SCLogInfo("Created certs drop directory %s",
tls_logfile_base_dir);
}
}
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
aft->buffer = MemBufferCreateNew(OUTPUT_BUFFER_SIZE);
if (aft->buffer == NULL) {
SCFree(aft);
return TM_ECODE_FAILED;
}
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
14 years ago
aft->enc_buf = SCMalloc(CERT_ENC_BUFFER_SIZE);
if (aft->enc_buf == NULL) {
SCFree(aft);
return TM_ECODE_FAILED;
}
aft->enc_buf_len = CERT_ENC_BUFFER_SIZE;
memset(aft->enc_buf, 0, aft->enc_buf_len);
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
/* Use the Ouptut Context (file pointer and mutex) */
aft->tlslog_ctx = ((OutputCtx *) initdata)->data;
*data = (void *) aft;
return TM_ECODE_OK;
}
log-tls: clean ups Make all functions static. Remove separate ipv4 and ipv6 registration functions. Move register function to the bottom so that we no longer need function prototype declarations.
12 years ago
static TmEcode LogTlsLogThreadDeinit(ThreadVars *t, void *data)
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
{
LogTlsLogThread *aft = (LogTlsLogThread *) data;
if (aft == NULL) {
return TM_ECODE_OK;
}
MemBufferFree(aft->buffer);
/* clear memory */
memset(aft, 0, sizeof(LogTlsLogThread));
SCFree(aft);
return TM_ECODE_OK;
}
log-tls: clean ups Make all functions static. Remove separate ipv4 and ipv6 registration functions. Move register function to the bottom so that we no longer need function prototype declarations.
12 years ago
static void LogTlsLogDeInitCtx(OutputCtx *output_ctx)
{
LogTlsFileCtx *tlslog_ctx = (LogTlsFileCtx *) output_ctx->data;
LogFileFreeCtx(tlslog_ctx->file_ctx);
SCFree(tlslog_ctx);
SCFree(output_ctx);
}
static void LogTlsLogExitPrintStats(ThreadVars *tv, void *data)
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
{
LogTlsLogThread *aft = (LogTlsLogThread *) data;
if (aft == NULL) {
return;
}
SCLogInfo("TLS logger logged %" PRIu32 " requests", aft->tls_cnt);
}
/** \brief Create a new tls log LogFileCtx.
* \param conf Pointer to ConfNode containing this loggers configuration.
* \return NULL if failure, LogFileCtx* to the file_ctx if succesful
* */
log-tls: clean ups Make all functions static. Remove separate ipv4 and ipv6 registration functions. Move register function to the bottom so that we no longer need function prototype declarations.
12 years ago
static OutputCtx *LogTlsLogInitCtx(ConfNode *conf)
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
{
output: check for multiple instances of drop and tls Both the drop and tls logs are currently not designed to have multiple instances running. So until that is changed, error out if more than one instance is started.
12 years ago
if (OutputTlsLoggerEnable() != 0) {
SCLogError(SC_ERR_CONF_YAML_ERROR, "only one 'tls' logger "
"can be enabled");
return NULL;
}
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
LogFileCtx* file_ctx = LogFileNewCtx();
if (file_ctx == NULL) {
SCLogError(SC_ERR_TLS_LOG_GENERIC, "LogTlsLogInitCtx: Couldn't "
"create new file_ctx");
return NULL;
}
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
14 years ago
char *s_default_log_dir = NULL;
Prefix util-conf function with Config
12 years ago
s_default_log_dir = ConfigGetLogDirectory();
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
14 years ago
const char *s_base_dir = NULL;
s_base_dir = ConfNodeLookupChildValue(conf, "certs-log-dir");
if (s_base_dir == NULL || strlen(s_base_dir) == 0) {
strlcpy(tls_logfile_base_dir,
s_default_log_dir, sizeof(tls_logfile_base_dir));
} else {
if (PathIsAbsolute(s_base_dir)) {
strlcpy(tls_logfile_base_dir,
s_base_dir, sizeof(tls_logfile_base_dir));
} else {
snprintf(tls_logfile_base_dir, sizeof(tls_logfile_base_dir),
"%s/%s", s_default_log_dir, s_base_dir);
}
}
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME) < 0) {
tls: fix error handling Handling of error case was correct as pointed out by Coverity 717439.
13 years ago
goto filectx_error;
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
}
LogTlsFileCtx *tlslog_ctx = SCCalloc(1, sizeof(LogTlsFileCtx));
Use unlikely for error treatment. When handling error case on SCMallog, SCCalloc or SCStrdup we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc. This patch has been obtained via coccinelle. The transformation is the following: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
13 years ago
if (unlikely(tlslog_ctx == NULL))
tls: fix error handling Handling of error case was correct as pointed out by Coverity 717439.
13 years ago
goto filectx_error;
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
tlslog_ctx->file_ctx = file_ctx;
tls: adding fingerprint to TLS Log information. Improve TLS logging by adding the certificate fingerprint to TLS Log file. Add the extending option to the tls-log entry in suricata.yaml.
14 years ago
const char *extended = ConfNodeLookupChildValue(conf, "extended");
if (extended == NULL) {
tlslog_ctx->flags |= LOG_TLS_DEFAULT;
} else {
if (ConfValIsTrue(extended)) {
tlslog_ctx->flags |= LOG_TLS_EXTENDED;
}
}
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
Use unlikely for error treatment. When handling error case on SCMallog, SCCalloc or SCStrdup we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc. This patch has been obtained via coccinelle. The transformation is the following: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
13 years ago
if (unlikely(output_ctx == NULL))
tls: fix error handling Handling of error case was correct as pointed out by Coverity 717439.
13 years ago
goto tlslog_error;
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
output_ctx->data = tlslog_ctx;
output_ctx->DeInit = LogTlsLogDeInitCtx;
SCLogDebug("TLS log output initialized");
http & tls: fix transaction handling When http and/or tls logging is disabled, the app layer would still be flagged as logging. This caused transactions not to be freed until the end of the flow as the logged tx id would never increment. This fix postpones the setting of the app layer parser "logger" flag to the point where we know the logger is enabled.
12 years ago
/* enable the logger for the app layer */
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_TLS);
http & tls: fix transaction handling When http and/or tls logging is disabled, the app layer would still be flagged as logging. This caused transactions not to be freed until the end of the flow as the logged tx id would never increment. This fix postpones the setting of the app layer parser "logger" flag to the point where we know the logger is enabled.
12 years ago
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
return output_ctx;
tls: fix error handling Handling of error case was correct as pointed out by Coverity 717439.
13 years ago
tlslog_error:
Coverity: 1038139 suppress sanity check The sanity check was really useless as the NULL value is checked in the code flow.
12 years ago
SCFree(tlslog_ctx);
tls: fix error handling Handling of error case was correct as pointed out by Coverity 717439.
13 years ago
filectx_error:
LogFileFreeCtx(file_ctx);
return NULL;
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
}
log-tls: convert to packet logger API This patch converts log-tls to use the packet logger API. The packet logger API was choosen as the TLS parser is not transaction aware. To make sure the state is only logged once, the flag SSL_AL_FLAG_STATE_LOGGED was added to the parser. This flag is checked by the condition function, and set at the end of the Logger function.
12 years ago
/** \internal
* \brief Condition function for TLS logger
* \retval bool true or false -- log now?
*/
static int LogTlsCondition(ThreadVars *tv, const Packet *p) {
if (p->flow == NULL) {
return FALSE;
}
if (!(PKT_IS_TCP(p))) {
return FALSE;
}
FLOWLOCK_RDLOCK(p->flow);
uint16_t proto = FlowGetAppProtocol(p->flow);
if (proto != ALPROTO_TLS)
goto dontlog;
SSLState *ssl_state = (SSLState *)FlowGetAppState(p->flow);
if (ssl_state == NULL) {
SCLogDebug("no tls state, so no request logging");
goto dontlog;
}
/* we only log the state once */
if (ssl_state->flags & SSL_AL_FLAG_STATE_LOGGED)
goto dontlog;
if (ssl_state->server_connp.cert0_issuerdn == NULL ||
ssl_state->server_connp.cert0_subject == NULL)
goto dontlog;
/* todo: logic to log once */
FLOWLOCK_UNLOCK(p->flow);
return TRUE;
dontlog:
FLOWLOCK_UNLOCK(p->flow);
return FALSE;
}
static int LogTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p) {
LogTlsLogThread *aft = (LogTlsLogThread *)thread_data;
LogTlsFileCtx *hlog = aft->tlslog_ctx;
char timebuf[64];
int ipproto = (PKT_IS_IPV4(p)) ? AF_INET : AF_INET6;
if (unlikely(p->flow == NULL)) {
return 0;
}
/* check if we have TLS state or not */
FLOWLOCK_WRLOCK(p->flow);
uint16_t proto = FlowGetAppProtocol(p->flow);
if (proto != ALPROTO_TLS)
goto end;
SSLState *ssl_state = (SSLState *)FlowGetAppState(p->flow);
if (unlikely(ssl_state == NULL)) {
goto end;
}
if (ssl_state->server_connp.cert0_issuerdn == NULL || ssl_state->server_connp.cert0_subject == NULL)
goto end;
if (ssl_state->server_connp.cert_log_flag & SSL_TLS_LOG_PEM) {
LogTlsLogPem(aft, p, ssl_state, hlog, ipproto);
}
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
#define PRINT_BUF_LEN 46
char srcip[PRINT_BUF_LEN], dstip[PRINT_BUF_LEN];
Port sp, dp;
if (!GetIPInformations(p, srcip, PRINT_BUF_LEN,
&sp, dstip, PRINT_BUF_LEN, &dp, ipproto)) {
goto end;
}
MemBufferReset(aft->buffer);
MemBufferWriteString(aft->buffer,
"%s %s:%d -> %s:%d TLS: Subject='%s' Issuerdn='%s'",
timebuf, srcip, sp, dstip, dp,
ssl_state->server_connp.cert0_subject,
ssl_state->server_connp.cert0_issuerdn);
if (hlog->flags & LOG_TLS_EXTENDED) {
LogTlsLogExtended(aft, ssl_state);
} else {
MemBufferWriteString(aft->buffer, "\n");
}
aft->tls_cnt++;
SCMutexLock(&hlog->file_ctx->fp_mutex);
MemBufferPrintToFPAsString(aft->buffer, hlog->file_ctx->fp);
fflush(hlog->file_ctx->fp);
SCMutexUnlock(&hlog->file_ctx->fp_mutex);
/* we only log the state once */
ssl_state->flags |= SSL_AL_FLAG_STATE_LOGGED;
end:
FLOWLOCK_UNLOCK(p->flow);
return 0;
}
log-tls: clean ups Make all functions static. Remove separate ipv4 and ipv6 registration functions. Move register function to the bottom so that we no longer need function prototype declarations.
12 years ago
void TmModuleLogTlsLogRegister(void)
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
{
log-tls: clean ups Make all functions static. Remove separate ipv4 and ipv6 registration functions. Move register function to the bottom so that we no longer need function prototype declarations.
12 years ago
tmm_modules[TMM_LOGTLSLOG].name = MODULE_NAME;
tmm_modules[TMM_LOGTLSLOG].ThreadInit = LogTlsLogThreadInit;
log-tls: convert to packet logger API This patch converts log-tls to use the packet logger API. The packet logger API was choosen as the TLS parser is not transaction aware. To make sure the state is only logged once, the flag SSL_AL_FLAG_STATE_LOGGED was added to the parser. This flag is checked by the condition function, and set at the end of the Logger function.
12 years ago
tmm_modules[TMM_LOGTLSLOG].Func = NULL;
log-tls: clean ups Make all functions static. Remove separate ipv4 and ipv6 registration functions. Move register function to the bottom so that we no longer need function prototype declarations.
12 years ago
tmm_modules[TMM_LOGTLSLOG].ThreadExitPrintStats = LogTlsLogExitPrintStats;
tmm_modules[TMM_LOGTLSLOG].ThreadDeinit = LogTlsLogThreadDeinit;
tmm_modules[TMM_LOGTLSLOG].RegisterTests = NULL;
tmm_modules[TMM_LOGTLSLOG].cap_flags = 0;
output: add TM_FLAG_LOGAPI_TM thread module flag The TM_FLAG_LOGAPI_TM flag indicates that a module is run by the log api, not by the 'regular' thread module call functions. Set flag in all all Log API users' registration code. Purpose of this flag is in profiling. In profiling output it will be used to list log api thread modules separately.
12 years ago
tmm_modules[TMM_LOGTLSLOG].flags = TM_FLAG_LOGAPI_TM;
log-tls: clean ups Make all functions static. Remove separate ipv4 and ipv6 registration functions. Move register function to the bottom so that we no longer need function prototype declarations.
12 years ago
log-tls: convert to packet logger API This patch converts log-tls to use the packet logger API. The packet logger API was choosen as the TLS parser is not transaction aware. To make sure the state is only logged once, the flag SSL_AL_FLAG_STATE_LOGGED was added to the parser. This flag is checked by the condition function, and set at the end of the Logger function.
12 years ago
OutputRegisterPacketModule(MODULE_NAME, "tls-log", LogTlsLogInitCtx,
LogTlsLogger, LogTlsCondition);
log-tls: clean ups Make all functions static. Remove separate ipv4 and ipv6 registration functions. Move register function to the bottom so that we no longer need function prototype declarations.
12 years ago
SC_ATOMIC_INIT(cert_id);
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
}