aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '0eeccb4b17'
${ noResults }
suricata/src/log-tlslog.c

600 lines
18 KiB
C
Raw Normal View History Unescape Escape

tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
13 years ago
/* Copyright (C) 2007-2012 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Roliers Jean-Paul <popof.fpn@gmail.co>
* \author Eric Leblond <eric@regit.org>
*
* Implements tls logging portion of the engine.
*/
#include "suricata-common.h"
#include "debug.h"
#include "detect.h"
#include "pkt-var.h"
#include "conf.h"
#include "threads.h"
#include "threadvars.h"
#include "tm-threads.h"
#include "util-print.h"
#include "util-unittest.h"
#include "util-debug.h"
#include "output.h"
#include "log-tlslog.h"
#include "app-layer-ssl.h"
#include "app-layer.h"
#include "util-privs.h"
#include "util-buffer.h"
#include "util-logopenfile.h"
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
13 years ago
#include "util-crypt.h"
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
13 years ago
#define DEFAULT_LOG_FILENAME "tls.log"
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
13 years ago
static char tls_logfile_base_dir[PATH_MAX] = "/tmp";
SC_ATOMIC_DECLARE(unsigned int, cert_id);
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
13 years ago
#define MODULE_NAME "LogTlsLog"
#define OUTPUT_BUFFER_SIZE 65535
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
13 years ago
#define CERT_ENC_BUFFER_SIZE 2048
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
13 years ago
tls: adding fingerprint to TLS Log information. Improve TLS logging by adding the certificate fingerprint to TLS Log file. Add the extending option to the tls-log entry in suricata.yaml.
13 years ago
#define LOG_TLS_DEFAULT 0
#define LOG_TLS_EXTENDED 1
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
13 years ago
TmEcode LogTlsLog(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
TmEcode LogTlsLogIPv4(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
TmEcode LogTlsLogIPv6(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
TmEcode LogTlsLogThreadInit(ThreadVars *, void *, void **);
TmEcode LogTlsLogThreadDeinit(ThreadVars *, void *);
void LogTlsLogExitPrintStats(ThreadVars *, void *);
static void LogTlsLogDeInitCtx(OutputCtx *);
void TmModuleLogTlsLogRegister(void)
{
tmm_modules[TMM_LOGTLSLOG].name = MODULE_NAME;
tmm_modules[TMM_LOGTLSLOG].ThreadInit = LogTlsLogThreadInit;
tmm_modules[TMM_LOGTLSLOG].Func = LogTlsLog;
tmm_modules[TMM_LOGTLSLOG].ThreadExitPrintStats = LogTlsLogExitPrintStats;
tmm_modules[TMM_LOGTLSLOG].ThreadDeinit = LogTlsLogThreadDeinit;
tmm_modules[TMM_LOGTLSLOG].RegisterTests = NULL;
tmm_modules[TMM_LOGTLSLOG].cap_flags = 0;
OutputRegisterModule(MODULE_NAME, "tls-log", LogTlsLogInitCtx);
/* enable the logger for the app layer */
AppLayerRegisterLogger(ALPROTO_TLS);
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
13 years ago
SC_ATOMIC_INIT(cert_id);
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
13 years ago
}
void TmModuleLogTlsLogIPv4Register(void)
{
tmm_modules[TMM_LOGTLSLOG4].name = "LogTlsLogIPv4";
tmm_modules[TMM_LOGTLSLOG4].ThreadInit = LogTlsLogThreadInit;
tmm_modules[TMM_LOGTLSLOG4].Func = LogTlsLogIPv4;
tmm_modules[TMM_LOGTLSLOG4].ThreadExitPrintStats = LogTlsLogExitPrintStats;
tmm_modules[TMM_LOGTLSLOG4].ThreadDeinit = LogTlsLogThreadDeinit;
tmm_modules[TMM_LOGTLSLOG4].RegisterTests = NULL;
}
void TmModuleLogTlsLogIPv6Register(void)
{
tmm_modules[TMM_LOGTLSLOG6].name = "LogTlsLogIPv6";
tmm_modules[TMM_LOGTLSLOG6].ThreadInit = LogTlsLogThreadInit;
tmm_modules[TMM_LOGTLSLOG6].Func = LogTlsLogIPv6;
tmm_modules[TMM_LOGTLSLOG6].ThreadExitPrintStats = LogTlsLogExitPrintStats;
tmm_modules[TMM_LOGTLSLOG6].ThreadDeinit = LogTlsLogThreadDeinit;
tmm_modules[TMM_LOGTLSLOG6].RegisterTests = NULL;
}
typedef struct LogTlsFileCtx_ {
LogFileCtx *file_ctx;
uint32_t flags; /** Store mode */
} LogTlsFileCtx;
typedef struct LogTlsLogThread_ {
LogTlsFileCtx *tlslog_ctx;
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
13 years ago
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
13 years ago
/** LogTlsFileCtx has the pointer to the file and a mutex to allow multithreading */
uint32_t tls_cnt;
MemBuffer *buffer;
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
13 years ago
uint8_t* enc_buf;
size_t enc_buf_len;
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
13 years ago
} LogTlsLogThread;
static void CreateTimeString(const struct timeval *ts, char *str, size_t size)
{
time_t time = ts->tv_sec;
struct tm local_tm;
struct tm *t = (struct tm *) localtime_r(&time, &local_tm);
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
13 years ago
snprintf(str, size, "%02d/%02d/%02d-%02d:%02d:%02d.%06u",
t->tm_mon + 1, t->tm_mday, t->tm_year + 1900, t->tm_hour,
t->tm_min, t->tm_sec, (uint32_t) ts->tv_usec);
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
13 years ago
}
tls: adding fingerprint to TLS Log information. Improve TLS logging by adding the certificate fingerprint to TLS Log file. Add the extending option to the tls-log entry in suricata.yaml.
13 years ago
static void LogTlsLogExtended(LogTlsLogThread *aft, SSLState * state)
{
if (state->server_connp.cert0_fingerprint != NULL) {
tls-log: add protocol version to log message.
13 years ago
MemBufferWriteString(aft->buffer, " SHA1='%s'", state->server_connp.cert0_fingerprint);
tls: adding fingerprint to TLS Log information. Improve TLS logging by adding the certificate fingerprint to TLS Log file. Add the extending option to the tls-log entry in suricata.yaml.
13 years ago
}
tls-log: add protocol version to log message.
13 years ago
switch (state->server_connp.version) {
case TLS_VERSION_UNKNOWN:
MemBufferWriteString(aft->buffer, " VERSION='UNDETERMINED'");
break;
case SSL_VERSION_2:
MemBufferWriteString(aft->buffer, " VERSION='SSLv2'");
break;
case SSL_VERSION_3:
MemBufferWriteString(aft->buffer, " VERSION='SSLv3'");
break;
case TLS_VERSION_10:
MemBufferWriteString(aft->buffer, " VERSION='TLSv1'");
break;
case TLS_VERSION_11:
MemBufferWriteString(aft->buffer, " VERSION='TLS 1.1'");
break;
case TLS_VERSION_12:
MemBufferWriteString(aft->buffer, " VERSION='TLS 1.2'");
break;
default:
MemBufferWriteString(aft->buffer, " VERSION='0x%04x'",
state->server_connp.version);
break;
}
MemBufferWriteString(aft->buffer, "\n");
tls: adding fingerprint to TLS Log information. Improve TLS logging by adding the certificate fingerprint to TLS Log file. Add the extending option to the tls-log entry in suricata.yaml.
13 years ago
}
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
13 years ago
static int GetIPInformations(Packet *p, char* srcip, size_t srcip_len,
Port* sp, char* dstip, size_t dstip_len,
Port* dp, int ipproto)
{
if ((PKT_IS_TOSERVER(p))) {
switch (ipproto) {
case AF_INET:
PrintInet(AF_INET, (const void *) GET_IPV4_SRC_ADDR_PTR(p), srcip, srcip_len);
PrintInet(AF_INET, (const void *) GET_IPV4_DST_ADDR_PTR(p), dstip, dstip_len);
break;
case AF_INET6:
PrintInet(AF_INET6, (const void *) GET_IPV6_SRC_ADDR(p), srcip, srcip_len);
PrintInet(AF_INET6, (const void *) GET_IPV6_DST_ADDR(p), dstip, dstip_len);
break;
default:
return 0;
}
*sp = p->sp;
*dp = p->dp;
} else {
switch (ipproto) {
case AF_INET:
PrintInet(AF_INET, (const void *) GET_IPV4_DST_ADDR_PTR(p), srcip, srcip_len);
PrintInet(AF_INET, (const void *) GET_IPV4_SRC_ADDR_PTR(p), dstip, dstip_len);
break;
case AF_INET6:
PrintInet(AF_INET6, (const void *) GET_IPV6_DST_ADDR(p), srcip, srcip_len);
PrintInet(AF_INET6, (const void *) GET_IPV6_SRC_ADDR(p), dstip, dstip_len);
break;
default:
return 0;
}
*sp = p->dp;
*dp = p->sp;
}
return 1;
}
static int CreateFileName(LogTlsFileCtx *log, Packet *p, SSLState *state, char *filename)
{
#define FILELEN 64 //filename len + extention + ending path / + some space
int filenamelen = FILELEN + strlen(tls_logfile_base_dir);
int file_id = SC_ATOMIC_ADD(cert_id, 1);
if (filenamelen + 1 > PATH_MAX) {
return 0;
}
/* Use format : packet time + incremental ID
* When running on same pcap it will overwrite
* On a live device, we will not be able to overwrite */
snprintf(filename, filenamelen, "%s/%ld.%ld-%d.pem",
tls_logfile_base_dir,
p->ts.tv_sec,
p->ts.tv_usec,
file_id);
return 1;
}
static void LogTlsLogPem(LogTlsLogThread *aft, Packet *p, SSLState *state, LogTlsFileCtx *log, int ipproto)
{
#define PEMHEADER "-----BEGIN CERTIFICATE-----\n"
#define PEMFOOTER "-----END CERTIFICATE-----\n"
//Logging pem certificate
char filename[PATH_MAX] = "";
FILE* fp = NULL;
FILE* fpmeta = NULL;
unsigned long pemlen;
unsigned char* pembase64ptr = NULL;
int ret;
tls: store all the certificates chain in the written PEM file. When using the tls.store command, a dump of all certificates in the chain is now done on the disk.
13 years ago
SSLCertsChain *cert;
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
13 years ago
if ((state->server_connp.cert_input == NULL) || (state->server_connp.cert_input_len == 0))
SCReturn;
CreateFileName(log, p, state, filename);
if (strlen(filename) == 0) {
SCLogWarning(SC_ERR_FOPEN, "Can't create PEM filename");
SCReturn;
}
fp = fopen(filename, "w");
if (fp == NULL) {
SCLogWarning(SC_ERR_FOPEN, "Can't create PEM file: %s", filename);
SCReturn;
}
tls: store all the certificates chain in the written PEM file. When using the tls.store command, a dump of all certificates in the chain is now done on the disk.
13 years ago
TAILQ_FOREACH(cert, &state->server_connp.certs, next) {
pemlen = (4 * (cert->cert_len + 2) / 3) +1;
if (pemlen > aft->enc_buf_len) {
aft->enc_buf = (uint8_t*) SCRealloc(aft->enc_buf, sizeof(uint8_t) * pemlen);
if (aft->enc_buf == NULL) {
SCLogWarning(SC_ERR_MEM_ALLOC, "Can't allocate data for base64 encoding");
goto end_fp;
}
aft->enc_buf_len = pemlen;
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
13 years ago
}
tls: store all the certificates chain in the written PEM file. When using the tls.store command, a dump of all certificates in the chain is now done on the disk.
13 years ago
memset(aft->enc_buf, 0, aft->enc_buf_len);
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
13 years ago
tls: store all the certificates chain in the written PEM file. When using the tls.store command, a dump of all certificates in the chain is now done on the disk.
13 years ago
ret = Base64Encode((unsigned char*) cert->cert_data, cert->cert_len, aft->enc_buf, &pemlen);
if (ret != SC_BASE64_OK) {
SCLogWarning(SC_ERR_INVALID_ARGUMENTS, "Invalid return of Base64Encode function");
goto end_fwrite_fp;
}
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
13 years ago
tls: store all the certificates chain in the written PEM file. When using the tls.store command, a dump of all certificates in the chain is now done on the disk.
13 years ago
if (fprintf(fp, PEMHEADER) < 0)
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
13 years ago
goto end_fwrite_fp;
tls: store all the certificates chain in the written PEM file. When using the tls.store command, a dump of all certificates in the chain is now done on the disk.
13 years ago
pembase64ptr = aft->enc_buf;
while (pemlen > 0) {
size_t loffset = pemlen >= 64 ? 64 : pemlen;
if (fwrite(pembase64ptr, 1, loffset, fp) != loffset)
goto end_fwrite_fp;
if (fwrite("\n", 1, 1, fp) != 1)
goto end_fwrite_fp;
pembase64ptr += 64;
if (pemlen < 64)
break;
pemlen -= 64;
}
if (fprintf(fp, PEMFOOTER) < 0)
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
13 years ago
goto end_fwrite_fp;
}
fclose(fp);
//Logging certificate informations
memcpy(filename + (strlen(filename) - 3), "meta", 4);
fpmeta = fopen(filename, "w");
if (fpmeta != NULL) {
#define PRINT_BUF_LEN 46
char srcip[PRINT_BUF_LEN], dstip[PRINT_BUF_LEN];
char timebuf[64];
Port sp, dp;
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
if (!GetIPInformations(p, srcip, PRINT_BUF_LEN, &sp, dstip, PRINT_BUF_LEN, &dp, ipproto))
goto end_fwrite_fpmeta;
if (fprintf(fpmeta, "TIME: %s\n", timebuf) < 0)
goto end_fwrite_fpmeta;
if (p->pcap_cnt > 0) {
if (fprintf(fpmeta, "PCAP PKT NUM: %"PRIu64"\n", p->pcap_cnt) < 0)
goto end_fwrite_fpmeta;
}
if (fprintf(fpmeta, "SRC IP: %s\n", srcip) < 0)
goto end_fwrite_fpmeta;
if (fprintf(fpmeta, "DST IP: %s\n", dstip) < 0)
goto end_fwrite_fpmeta;
if (fprintf(fpmeta, "PROTO: %" PRIu32 "\n", p->proto) < 0)
goto end_fwrite_fpmeta;
if (PKT_IS_TCP(p) || PKT_IS_UDP(p)) {
if (fprintf(fpmeta, "SRC PORT: %" PRIu16 "\n", sp) < 0)
goto end_fwrite_fpmeta;
if (fprintf(fpmeta, "DST PORT: %" PRIu16 "\n", dp) < 0)
goto end_fwrite_fpmeta;
}
if (fprintf(fpmeta, "TLS SUBJECT: %s\n"
"TLS ISSUERDN: %s\n"
"TLS FINGERPRINT: %s\n",
state->server_connp.cert0_subject,
state->server_connp.cert0_issuerdn,
state->server_connp.cert0_fingerprint) < 0)
goto end_fwrite_fpmeta;
fclose(fpmeta);
} else {
SCLogWarning(SC_ERR_FOPEN, "Can't open meta file: %s",
filename);
SCReturn;
}
/* Reset the store flag */
state->server_connp.cert_log_flag &= ~SSL_TLS_LOG_PEM;
SCReturn;
end_fwrite_fp:
fclose(fp);
SCLogWarning(SC_ERR_FWRITE, "Unable to write certificate");
end_fwrite_fpmeta:
if (fpmeta) {
fclose(fpmeta);
SCLogWarning(SC_ERR_FWRITE, "Unable to write certificate metafile");
}
end_fp:
fclose(fp);
}
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
13 years ago
static TmEcode LogTlsLogIPWrapper(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq, int ipproto)
{
SCEnter();
LogTlsLogThread *aft = (LogTlsLogThread *) data;
LogTlsFileCtx *hlog = aft->tlslog_ctx;
char timebuf[64];
/* no flow, no tls state */
if (p->flow == NULL) {
SCReturnInt(TM_ECODE_OK);
}
/* check if we have TLS state or not */
FLOWLOCK_WRLOCK(p->flow);
uint16_t proto = AppLayerGetProtoFromPacket(p);
if (proto != ALPROTO_TLS)
goto end;
SSLState *ssl_state = (SSLState *) AppLayerGetProtoStateFromPacket(p);
if (ssl_state == NULL) {
SCLogDebug("no tls state, so no request logging");
goto end;
}
if (ssl_state->server_connp.cert0_issuerdn == NULL || ssl_state->server_connp.cert0_subject == NULL)
goto end;
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
13 years ago
if (ssl_state->server_connp.cert_log_flag & SSL_TLS_LOG_PEM) {
LogTlsLogPem(aft, p, ssl_state, hlog, ipproto);
}
int r = AppLayerTransactionGetLoggedId(p->flow);
if (r != 0) {
goto end;
}
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
13 years ago
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
13 years ago
#define PRINT_BUF_LEN 46
char srcip[PRINT_BUF_LEN], dstip[PRINT_BUF_LEN];
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
13 years ago
Port sp, dp;
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
13 years ago
if (!GetIPInformations(p, srcip, PRINT_BUF_LEN,
&sp, dstip, PRINT_BUF_LEN, &dp, ipproto)) {
goto end;
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
13 years ago
}
/* reset */
MemBufferReset(aft->buffer);
MemBufferWriteString(aft->buffer,
tls: adding fingerprint to TLS Log information. Improve TLS logging by adding the certificate fingerprint to TLS Log file. Add the extending option to the tls-log entry in suricata.yaml.
13 years ago
"%s %s:%d -> %s:%d TLS: Subject='%s' Issuerdn='%s'",
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
13 years ago
timebuf, srcip, sp, dstip, dp,
ssl_state->server_connp.cert0_subject, ssl_state->server_connp.cert0_issuerdn);
AppLayerTransactionUpdateLoggedId(p->flow);
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
13 years ago
tls: adding fingerprint to TLS Log information. Improve TLS logging by adding the certificate fingerprint to TLS Log file. Add the extending option to the tls-log entry in suricata.yaml.
13 years ago
if (hlog->flags & LOG_TLS_EXTENDED) {
LogTlsLogExtended(aft, ssl_state);
} else {
MemBufferWriteString(aft->buffer, "\n");
}
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
13 years ago
aft->tls_cnt ++;
SCMutexLock(&hlog->file_ctx->fp_mutex);
MemBufferPrintToFPAsString(aft->buffer, hlog->file_ctx->fp);
fflush(hlog->file_ctx->fp);
SCMutexUnlock(&hlog->file_ctx->fp_mutex);
end:
FLOWLOCK_UNLOCK(p->flow);
SCReturnInt(TM_ECODE_OK);
}
TmEcode LogTlsLogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
{
return LogTlsLogIPWrapper(tv, p, data, pq, postpq, AF_INET);
}
TmEcode LogTlsLogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
{
return LogTlsLogIPWrapper(tv, p, data, pq, postpq, AF_INET6);
}
TmEcode LogTlsLog(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
{
SCEnter();
/* no flow, no htp state */
if (p->flow == NULL) {
SCReturnInt(TM_ECODE_OK);
}
if (!(PKT_IS_TCP(p))) {
SCReturnInt(TM_ECODE_OK);
}
if (PKT_IS_IPV4(p)) {
SCReturnInt(LogTlsLogIPv4(tv, p, data, pq, postpq));
} else if (PKT_IS_IPV6(p)) {
SCReturnInt(LogTlsLogIPv6(tv, p, data, pq, postpq));
}
SCReturnInt(TM_ECODE_OK);
}
TmEcode LogTlsLogThreadInit(ThreadVars *t, void *initdata, void **data)
{
LogTlsLogThread *aft = SCMalloc(sizeof(LogTlsLogThread));
if (aft == NULL)
return TM_ECODE_FAILED;
memset(aft, 0, sizeof(LogTlsLogThread));
if (initdata == NULL) {
SCLogDebug( "Error getting context for TLSLog. \"initdata\" argument NULL");
SCFree(aft);
return TM_ECODE_FAILED;
}
aft->buffer = MemBufferCreateNew(OUTPUT_BUFFER_SIZE);
if (aft->buffer == NULL) {
SCFree(aft);
return TM_ECODE_FAILED;
}
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
13 years ago
aft->enc_buf = SCMalloc(CERT_ENC_BUFFER_SIZE);
if (aft->enc_buf == NULL) {
SCFree(aft);
return TM_ECODE_FAILED;
}
aft->enc_buf_len = CERT_ENC_BUFFER_SIZE;
memset(aft->enc_buf, 0, aft->enc_buf_len);
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
13 years ago
/* Use the Ouptut Context (file pointer and mutex) */
aft->tlslog_ctx = ((OutputCtx *) initdata)->data;
*data = (void *) aft;
return TM_ECODE_OK;
}
TmEcode LogTlsLogThreadDeinit(ThreadVars *t, void *data)
{
LogTlsLogThread *aft = (LogTlsLogThread *) data;
if (aft == NULL) {
return TM_ECODE_OK;
}
MemBufferFree(aft->buffer);
/* clear memory */
memset(aft, 0, sizeof(LogTlsLogThread));
SCFree(aft);
return TM_ECODE_OK;
}
void LogTlsLogExitPrintStats(ThreadVars *tv, void *data)
{
LogTlsLogThread *aft = (LogTlsLogThread *) data;
if (aft == NULL) {
return;
}
SCLogInfo("TLS logger logged %" PRIu32 " requests", aft->tls_cnt);
}
/** \brief Create a new tls log LogFileCtx.
* \param conf Pointer to ConfNode containing this loggers configuration.
* \return NULL if failure, LogFileCtx* to the file_ctx if succesful
* */
OutputCtx *LogTlsLogInitCtx(ConfNode *conf)
{
LogFileCtx* file_ctx = LogFileNewCtx();
if (file_ctx == NULL) {
SCLogError(SC_ERR_TLS_LOG_GENERIC, "LogTlsLogInitCtx: Couldn't "
"create new file_ctx");
return NULL;
}
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
13 years ago
char *s_default_log_dir = NULL;
if (ConfGet("default-log-dir", &s_default_log_dir) != 1)
s_default_log_dir = DEFAULT_LOG_DIR;
const char *s_base_dir = NULL;
s_base_dir = ConfNodeLookupChildValue(conf, "certs-log-dir");
if (s_base_dir == NULL || strlen(s_base_dir) == 0) {
strlcpy(tls_logfile_base_dir,
s_default_log_dir, sizeof(tls_logfile_base_dir));
} else {
if (PathIsAbsolute(s_base_dir)) {
strlcpy(tls_logfile_base_dir,
s_base_dir, sizeof(tls_logfile_base_dir));
} else {
snprintf(tls_logfile_base_dir, sizeof(tls_logfile_base_dir),
"%s/%s", s_default_log_dir, s_base_dir);
}
}
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
13 years ago
if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME) < 0) {
LogFileFreeCtx(file_ctx);
return NULL;
}
LogTlsFileCtx *tlslog_ctx = SCCalloc(1, sizeof(LogTlsFileCtx));
if (tlslog_ctx == NULL)
return NULL;
tlslog_ctx->file_ctx = file_ctx;
tls: adding fingerprint to TLS Log information. Improve TLS logging by adding the certificate fingerprint to TLS Log file. Add the extending option to the tls-log entry in suricata.yaml.
13 years ago
const char *extended = ConfNodeLookupChildValue(conf, "extended");
if (extended == NULL) {
tlslog_ctx->flags |= LOG_TLS_DEFAULT;
} else {
if (ConfValIsTrue(extended)) {
tlslog_ctx->flags |= LOG_TLS_EXTENDED;
}
}
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
13 years ago
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (output_ctx == NULL)
return NULL;
output_ctx->data = tlslog_ctx;
output_ctx->DeInit = LogTlsLogDeInitCtx;
SCLogDebug("TLS log output initialized");
return output_ctx;
}
static void LogTlsLogDeInitCtx(OutputCtx *output_ctx)
{
LogTlsFileCtx *tlslog_ctx = (LogTlsFileCtx *) output_ctx->data;
LogFileFreeCtx(tlslog_ctx->file_ctx);
SCFree(tlslog_ctx);
SCFree(output_ctx);
}