aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a559c41295'
${ noResults }
suricata/src/log-tlslog.c

394 lines
12 KiB
C
Raw Normal View History Unescape Escape

log-tls: convert to packet logger API This patch converts log-tls to use the packet logger API. The packet logger API was choosen as the TLS parser is not transaction aware. To make sure the state is only logged once, the flag SSL_AL_FLAG_STATE_LOGGED was added to the parser. This flag is checked by the condition function, and set at the end of the Logger function.
12 years ago
/* Copyright (C) 2007-2014 Open Information Security Foundation
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Roliers Jean-Paul <popof.fpn@gmail.co>
* \author Eric Leblond <eric@regit.org>
log-tls: convert to packet logger API This patch converts log-tls to use the packet logger API. The packet logger API was choosen as the TLS parser is not transaction aware. To make sure the state is only logged once, the flag SSL_AL_FLAG_STATE_LOGGED was added to the parser. This flag is checked by the condition function, and set at the end of the Logger function.
12 years ago
* \author Victor Julien <victor@inliniac.net>
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
*
log-tls: convert to packet logger API This patch converts log-tls to use the packet logger API. The packet logger API was choosen as the TLS parser is not transaction aware. To make sure the state is only logged once, the flag SSL_AL_FLAG_STATE_LOGGED was added to the parser. This flag is checked by the condition function, and set at the end of the Logger function.
12 years ago
* Implements TLS logging portion of the engine. The TLS logger is
* implemented as a packet logger, as the TLS parser is not transaction
* aware.
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
*/
#include "suricata-common.h"
#include "debug.h"
#include "detect.h"
#include "pkt-var.h"
#include "conf.h"
#include "threads.h"
#include "threadvars.h"
#include "tm-threads.h"
#include "util-print.h"
#include "util-unittest.h"
#include "util-debug.h"
#include "output.h"
#include "log-tlslog.h"
#include "app-layer-ssl.h"
#include "app-layer.h"
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
#include "app-layer-parser.h"
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
#include "util-privs.h"
#include "util-buffer.h"
#include "util-logopenfile.h"
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
14 years ago
#include "util-crypt.h"
Merge multiple copies of CreateTimeString() to one copy. There were 8 identical copies of CreateTimeString() in 8 files. Most used SCLocalTime, to replace localtime_r(), but some did not. Created one copy in util-time.c.
12 years ago
#include "util-time.h"
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
#define DEFAULT_LOG_FILENAME "tls.log"
#define MODULE_NAME "LogTlsLog"
#define OUTPUT_BUFFER_SIZE 65535
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
14 years ago
#define CERT_ENC_BUFFER_SIZE 2048
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
tls: adding fingerprint to TLS Log information. Improve TLS logging by adding the certificate fingerprint to TLS Log file. Add the extending option to the tls-log entry in suricata.yaml.
14 years ago
#define LOG_TLS_DEFAULT 0
#define LOG_TLS_EXTENDED 1
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
typedef struct LogTlsFileCtx_ {
LogFileCtx *file_ctx;
uint32_t flags; /** Store mode */
} LogTlsFileCtx;
typedef struct LogTlsLogThread_ {
LogTlsFileCtx *tlslog_ctx;
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
14 years ago
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
/** LogTlsFileCtx has the pointer to the file and a mutex to allow multithreading */
uint32_t tls_cnt;
MemBuffer *buffer;
} LogTlsLogThread;
tls: adding fingerprint to TLS Log information. Improve TLS logging by adding the certificate fingerprint to TLS Log file. Add the extending option to the tls-log entry in suricata.yaml.
14 years ago
static void LogTlsLogExtended(LogTlsLogThread *aft, SSLState * state)
{
if (state->server_connp.cert0_fingerprint != NULL) {
tls-log: add protocol version to log message.
13 years ago
MemBufferWriteString(aft->buffer, " SHA1='%s'", state->server_connp.cert0_fingerprint);
tls: adding fingerprint to TLS Log information. Improve TLS logging by adding the certificate fingerprint to TLS Log file. Add the extending option to the tls-log entry in suricata.yaml.
14 years ago
}
tls-log: add protocol version to log message.
13 years ago
switch (state->server_connp.version) {
case TLS_VERSION_UNKNOWN:
MemBufferWriteString(aft->buffer, " VERSION='UNDETERMINED'");
break;
case SSL_VERSION_2:
MemBufferWriteString(aft->buffer, " VERSION='SSLv2'");
break;
case SSL_VERSION_3:
MemBufferWriteString(aft->buffer, " VERSION='SSLv3'");
break;
case TLS_VERSION_10:
MemBufferWriteString(aft->buffer, " VERSION='TLSv1'");
break;
case TLS_VERSION_11:
MemBufferWriteString(aft->buffer, " VERSION='TLS 1.1'");
break;
case TLS_VERSION_12:
MemBufferWriteString(aft->buffer, " VERSION='TLS 1.2'");
break;
default:
MemBufferWriteString(aft->buffer, " VERSION='0x%04x'",
state->server_connp.version);
break;
}
MemBufferWriteString(aft->buffer, "\n");
tls: adding fingerprint to TLS Log information. Improve TLS logging by adding the certificate fingerprint to TLS Log file. Add the extending option to the tls-log entry in suricata.yaml.
14 years ago
}
tls-store: now a separate module An design error was made when doing the TLS storage module which has been made dependant of the TLS logging. At the time there was only one TLS logging module but there is now two different ones. By putting the TLS store module in a separate module, we can now use EVE output and TLS store at the same time.
10 years ago
int TLSGetIPInformations(const Packet *p, char* srcip, size_t srcip_len,
tls: adding store option for TLS This patch adds a TLS store option to save certificate in PEM format. Each time the store action is met, a file and a metafile are created. Reworked-by: Eric Leblond <eric@regit.org>
14 years ago
Port* sp, char* dstip, size_t dstip_len,
Port* dp, int ipproto)
{
if ((PKT_IS_TOSERVER(p))) {
switch (ipproto) {
case AF_INET:
PrintInet(AF_INET, (const void *) GET_IPV4_SRC_ADDR_PTR(p), srcip, srcip_len);
PrintInet(AF_INET, (const void *) GET_IPV4_DST_ADDR_PTR(p), dstip, dstip_len);
break;
case AF_INET6:
PrintInet(AF_INET6, (const void *) GET_IPV6_SRC_ADDR(p), srcip, srcip_len);
PrintInet(AF_INET6, (const void *) GET_IPV6_DST_ADDR(p), dstip, dstip_len);
break;
default:
return 0;
}
*sp = p->sp;
*dp = p->dp;
} else {
switch (ipproto) {
case AF_INET:
PrintInet(AF_INET, (const void *) GET_IPV4_DST_ADDR_PTR(p), srcip, srcip_len);
PrintInet(AF_INET, (const void *) GET_IPV4_SRC_ADDR_PTR(p), dstip, dstip_len);
break;
case AF_INET6:
PrintInet(AF_INET6, (const void *) GET_IPV6_DST_ADDR(p), srcip, srcip_len);
PrintInet(AF_INET6, (const void *) GET_IPV6_SRC_ADDR(p), dstip, dstip_len);
break;
default:
return 0;
}
*sp = p->dp;
*dp = p->sp;
}
return 1;
}
log-tls: clean ups Make all functions static. Remove separate ipv4 and ipv6 registration functions. Move register function to the bottom so that we no longer need function prototype declarations.
12 years ago
static TmEcode LogTlsLogThreadInit(ThreadVars *t, void *initdata, void **data)
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
{
LogTlsLogThread *aft = SCMalloc(sizeof(LogTlsLogThread));
Use unlikely for error treatment. When handling error case on SCMallog, SCCalloc or SCStrdup we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc. This patch has been obtained via coccinelle. The transformation is the following: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
13 years ago
if (unlikely(aft == NULL))
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
return TM_ECODE_FAILED;
memset(aft, 0, sizeof(LogTlsLogThread));
if (initdata == NULL) {
SCLogDebug( "Error getting context for TLSLog. \"initdata\" argument NULL");
SCFree(aft);
return TM_ECODE_FAILED;
}
aft->buffer = MemBufferCreateNew(OUTPUT_BUFFER_SIZE);
if (aft->buffer == NULL) {
SCFree(aft);
return TM_ECODE_FAILED;
}
/* Use the Ouptut Context (file pointer and mutex) */
aft->tlslog_ctx = ((OutputCtx *) initdata)->data;
*data = (void *) aft;
return TM_ECODE_OK;
}
log-tls: clean ups Make all functions static. Remove separate ipv4 and ipv6 registration functions. Move register function to the bottom so that we no longer need function prototype declarations.
12 years ago
static TmEcode LogTlsLogThreadDeinit(ThreadVars *t, void *data)
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
{
LogTlsLogThread *aft = (LogTlsLogThread *) data;
if (aft == NULL) {
return TM_ECODE_OK;
}
MemBufferFree(aft->buffer);
/* clear memory */
memset(aft, 0, sizeof(LogTlsLogThread));
SCFree(aft);
return TM_ECODE_OK;
}
log-tls: clean ups Make all functions static. Remove separate ipv4 and ipv6 registration functions. Move register function to the bottom so that we no longer need function prototype declarations.
12 years ago
static void LogTlsLogDeInitCtx(OutputCtx *output_ctx)
{
log-tls: run Disable at shutdown Call OutputTlsLoggerDisable at cleanup.
11 years ago
OutputTlsLoggerDisable();
log-tls: clean ups Make all functions static. Remove separate ipv4 and ipv6 registration functions. Move register function to the bottom so that we no longer need function prototype declarations.
12 years ago
LogTlsFileCtx *tlslog_ctx = (LogTlsFileCtx *) output_ctx->data;
LogFileFreeCtx(tlslog_ctx->file_ctx);
SCFree(tlslog_ctx);
SCFree(output_ctx);
}
static void LogTlsLogExitPrintStats(ThreadVars *tv, void *data)
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
{
LogTlsLogThread *aft = (LogTlsLogThread *) data;
if (aft == NULL) {
return;
}
SCLogInfo("TLS logger logged %" PRIu32 " requests", aft->tls_cnt);
}
/** \brief Create a new tls log LogFileCtx.
* \param conf Pointer to ConfNode containing this loggers configuration.
* \return NULL if failure, LogFileCtx* to the file_ctx if succesful
* */
log-tls: clean ups Make all functions static. Remove separate ipv4 and ipv6 registration functions. Move register function to the bottom so that we no longer need function prototype declarations.
12 years ago
static OutputCtx *LogTlsLogInitCtx(ConfNode *conf)
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
{
output: check for multiple instances of drop and tls Both the drop and tls logs are currently not designed to have multiple instances running. So until that is changed, error out if more than one instance is started.
12 years ago
if (OutputTlsLoggerEnable() != 0) {
SCLogError(SC_ERR_CONF_YAML_ERROR, "only one 'tls' logger "
"can be enabled");
return NULL;
}
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
LogFileCtx* file_ctx = LogFileNewCtx();
if (file_ctx == NULL) {
SCLogError(SC_ERR_TLS_LOG_GENERIC, "LogTlsLogInitCtx: Couldn't "
"create new file_ctx");
return NULL;
}
logging: integrate rotation into SCConfLogOpenGeneric. Addresses issue 1492, and will make it harder to omit rotation on new outputs.
10 years ago
if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
tls: fix error handling Handling of error case was correct as pointed out by Coverity 717439.
13 years ago
goto filectx_error;
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
}
LogTlsFileCtx *tlslog_ctx = SCCalloc(1, sizeof(LogTlsFileCtx));
Use unlikely for error treatment. When handling error case on SCMallog, SCCalloc or SCStrdup we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc. This patch has been obtained via coccinelle. The transformation is the following: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
13 years ago
if (unlikely(tlslog_ctx == NULL))
tls: fix error handling Handling of error case was correct as pointed out by Coverity 717439.
13 years ago
goto filectx_error;
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
tlslog_ctx->file_ctx = file_ctx;
tls: adding fingerprint to TLS Log information. Improve TLS logging by adding the certificate fingerprint to TLS Log file. Add the extending option to the tls-log entry in suricata.yaml.
14 years ago
const char *extended = ConfNodeLookupChildValue(conf, "extended");
if (extended == NULL) {
tlslog_ctx->flags |= LOG_TLS_DEFAULT;
} else {
if (ConfValIsTrue(extended)) {
tlslog_ctx->flags |= LOG_TLS_EXTENDED;
}
}
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
Use unlikely for error treatment. When handling error case on SCMallog, SCCalloc or SCStrdup we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc. This patch has been obtained via coccinelle. The transformation is the following: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
13 years ago
if (unlikely(output_ctx == NULL))
tls: fix error handling Handling of error case was correct as pointed out by Coverity 717439.
13 years ago
goto tlslog_error;
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
output_ctx->data = tlslog_ctx;
output_ctx->DeInit = LogTlsLogDeInitCtx;
SCLogDebug("TLS log output initialized");
http & tls: fix transaction handling When http and/or tls logging is disabled, the app layer would still be flagged as logging. This caused transactions not to be freed until the end of the flow as the logged tx id would never increment. This fix postpones the setting of the app layer parser "logger" flag to the point where we know the logger is enabled.
12 years ago
/* enable the logger for the app layer */
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_TLS);
http & tls: fix transaction handling When http and/or tls logging is disabled, the app layer would still be flagged as logging. This caused transactions not to be freed until the end of the flow as the logged tx id would never increment. This fix postpones the setting of the app layer parser "logger" flag to the point where we know the logger is enabled.
12 years ago
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
return output_ctx;
tls: fix error handling Handling of error case was correct as pointed out by Coverity 717439.
13 years ago
tlslog_error:
Coverity: 1038139 suppress sanity check The sanity check was really useless as the NULL value is checked in the code flow.
12 years ago
SCFree(tlslog_ctx);
tls: fix error handling Handling of error case was correct as pointed out by Coverity 717439.
13 years ago
filectx_error:
LogFileFreeCtx(file_ctx);
return NULL;
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
}
log-tls: convert to packet logger API This patch converts log-tls to use the packet logger API. The packet logger API was choosen as the TLS parser is not transaction aware. To make sure the state is only logged once, the flag SSL_AL_FLAG_STATE_LOGGED was added to the parser. This flag is checked by the condition function, and set at the end of the Logger function.
12 years ago
/** \internal
* \brief Condition function for TLS logger
* \retval bool true or false -- log now?
*/
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
static int LogTlsCondition(ThreadVars *tv, const Packet *p)
{
log-tls: convert to packet logger API This patch converts log-tls to use the packet logger API. The packet logger API was choosen as the TLS parser is not transaction aware. To make sure the state is only logged once, the flag SSL_AL_FLAG_STATE_LOGGED was added to the parser. This flag is checked by the condition function, and set at the end of the Logger function.
12 years ago
if (p->flow == NULL) {
return FALSE;
}
if (!(PKT_IS_TCP(p))) {
return FALSE;
}
FLOWLOCK_RDLOCK(p->flow);
uint16_t proto = FlowGetAppProtocol(p->flow);
if (proto != ALPROTO_TLS)
goto dontlog;
SSLState *ssl_state = (SSLState *)FlowGetAppState(p->flow);
if (ssl_state == NULL) {
SCLogDebug("no tls state, so no request logging");
goto dontlog;
}
tls: fix problem with tls.store keyword Pierre Chifflier pointed out that a rule like: alert tls any any -> any any (msg:"TLS store"; tls.issuerdn:!"C=FR"; tls.store;) was alerting but not storing the certificate. If the filter was removed: alert tls any any -> any any (msg:"TLS store"; tls.store;) then tls.store is working as expected. This was linked with fact that logging is only done once for a SSL state. So without filter, once we have the info we can log and we run the storage. But when there is a filter, we log and then there is a filter analysis and alerting. And as logging as already be done we don't enter in the logging function and there is no storage. This patch forces the entrance in the log function when there is a request for TLS storage. And it adds an exit in the logging function to only do the storage part if the TLS state has already being logged.
12 years ago
/* we only log the state once if we don't have to write
* the cert due to tls.store keyword. */
if (!(ssl_state->server_connp.cert_log_flag & SSL_TLS_LOG_PEM) &&
(ssl_state->flags & SSL_AL_FLAG_STATE_LOGGED))
log-tls: convert to packet logger API This patch converts log-tls to use the packet logger API. The packet logger API was choosen as the TLS parser is not transaction aware. To make sure the state is only logged once, the flag SSL_AL_FLAG_STATE_LOGGED was added to the parser. This flag is checked by the condition function, and set at the end of the Logger function.
12 years ago
goto dontlog;
if (ssl_state->server_connp.cert0_issuerdn == NULL ||
ssl_state->server_connp.cert0_subject == NULL)
goto dontlog;
/* todo: logic to log once */
FLOWLOCK_UNLOCK(p->flow);
return TRUE;
dontlog:
FLOWLOCK_UNLOCK(p->flow);
return FALSE;
}
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
static int LogTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p)
{
log-tls: convert to packet logger API This patch converts log-tls to use the packet logger API. The packet logger API was choosen as the TLS parser is not transaction aware. To make sure the state is only logged once, the flag SSL_AL_FLAG_STATE_LOGGED was added to the parser. This flag is checked by the condition function, and set at the end of the Logger function.
12 years ago
LogTlsLogThread *aft = (LogTlsLogThread *)thread_data;
LogTlsFileCtx *hlog = aft->tlslog_ctx;
char timebuf[64];
int ipproto = (PKT_IS_IPV4(p)) ? AF_INET : AF_INET6;
if (unlikely(p->flow == NULL)) {
return 0;
}
/* check if we have TLS state or not */
FLOWLOCK_WRLOCK(p->flow);
uint16_t proto = FlowGetAppProtocol(p->flow);
if (proto != ALPROTO_TLS)
goto end;
SSLState *ssl_state = (SSLState *)FlowGetAppState(p->flow);
if (unlikely(ssl_state == NULL)) {
goto end;
}
if (ssl_state->server_connp.cert0_issuerdn == NULL || ssl_state->server_connp.cert0_subject == NULL)
goto end;
tls: fix problem with tls.store keyword Pierre Chifflier pointed out that a rule like: alert tls any any -> any any (msg:"TLS store"; tls.issuerdn:!"C=FR"; tls.store;) was alerting but not storing the certificate. If the filter was removed: alert tls any any -> any any (msg:"TLS store"; tls.store;) then tls.store is working as expected. This was linked with fact that logging is only done once for a SSL state. So without filter, once we have the info we can log and we run the storage. But when there is a filter, we log and then there is a filter analysis and alerting. And as logging as already be done we don't enter in the logging function and there is no storage. This patch forces the entrance in the log function when there is a request for TLS storage. And it adds an exit in the logging function to only do the storage part if the TLS state has already being logged.
12 years ago
/* Don't log again the state. If we are here it was because we had
* to store the cert. */
if (ssl_state->flags & SSL_AL_FLAG_STATE_LOGGED)
goto end;
log-tls: convert to packet logger API This patch converts log-tls to use the packet logger API. The packet logger API was choosen as the TLS parser is not transaction aware. To make sure the state is only logged once, the flag SSL_AL_FLAG_STATE_LOGGED was added to the parser. This flag is checked by the condition function, and set at the end of the Logger function.
12 years ago
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
#define PRINT_BUF_LEN 46
char srcip[PRINT_BUF_LEN], dstip[PRINT_BUF_LEN];
Port sp, dp;
tls-store: now a separate module An design error was made when doing the TLS storage module which has been made dependant of the TLS logging. At the time there was only one TLS logging module but there is now two different ones. By putting the TLS store module in a separate module, we can now use EVE output and TLS store at the same time.
10 years ago
if (!TLSGetIPInformations(p, srcip, PRINT_BUF_LEN,
&sp, dstip, PRINT_BUF_LEN, &dp, ipproto)) {
log-tls: convert to packet logger API This patch converts log-tls to use the packet logger API. The packet logger API was choosen as the TLS parser is not transaction aware. To make sure the state is only logged once, the flag SSL_AL_FLAG_STATE_LOGGED was added to the parser. This flag is checked by the condition function, and set at the end of the Logger function.
12 years ago
goto end;
}
MemBufferReset(aft->buffer);
MemBufferWriteString(aft->buffer,
"%s %s:%d -> %s:%d TLS: Subject='%s' Issuerdn='%s'",
timebuf, srcip, sp, dstip, dp,
ssl_state->server_connp.cert0_subject,
ssl_state->server_connp.cert0_issuerdn);
if (hlog->flags & LOG_TLS_EXTENDED) {
LogTlsLogExtended(aft, ssl_state);
} else {
MemBufferWriteString(aft->buffer, "\n");
}
aft->tls_cnt++;
SCMutexLock(&hlog->file_ctx->fp_mutex);
Add signal based file rotation for: - alert debug log - fast log - stats log - dns log - drop log - file log - http log - tls log - eve/json log
12 years ago
hlog->file_ctx->Write((const char *)MEMBUFFER_BUFFER(aft->buffer),
MEMBUFFER_OFFSET(aft->buffer), hlog->file_ctx);
log-tls: convert to packet logger API This patch converts log-tls to use the packet logger API. The packet logger API was choosen as the TLS parser is not transaction aware. To make sure the state is only logged once, the flag SSL_AL_FLAG_STATE_LOGGED was added to the parser. This flag is checked by the condition function, and set at the end of the Logger function.
12 years ago
SCMutexUnlock(&hlog->file_ctx->fp_mutex);
/* we only log the state once */
ssl_state->flags |= SSL_AL_FLAG_STATE_LOGGED;
end:
FLOWLOCK_UNLOCK(p->flow);
return 0;
}
log-tls: clean ups Make all functions static. Remove separate ipv4 and ipv6 registration functions. Move register function to the bottom so that we no longer need function prototype declarations.
12 years ago
void TmModuleLogTlsLogRegister(void)
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
{
log-tls: clean ups Make all functions static. Remove separate ipv4 and ipv6 registration functions. Move register function to the bottom so that we no longer need function prototype declarations.
12 years ago
tmm_modules[TMM_LOGTLSLOG].name = MODULE_NAME;
tmm_modules[TMM_LOGTLSLOG].ThreadInit = LogTlsLogThreadInit;
log-tls: convert to packet logger API This patch converts log-tls to use the packet logger API. The packet logger API was choosen as the TLS parser is not transaction aware. To make sure the state is only logged once, the flag SSL_AL_FLAG_STATE_LOGGED was added to the parser. This flag is checked by the condition function, and set at the end of the Logger function.
12 years ago
tmm_modules[TMM_LOGTLSLOG].Func = NULL;
log-tls: clean ups Make all functions static. Remove separate ipv4 and ipv6 registration functions. Move register function to the bottom so that we no longer need function prototype declarations.
12 years ago
tmm_modules[TMM_LOGTLSLOG].ThreadExitPrintStats = LogTlsLogExitPrintStats;
tmm_modules[TMM_LOGTLSLOG].ThreadDeinit = LogTlsLogThreadDeinit;
tmm_modules[TMM_LOGTLSLOG].RegisterTests = NULL;
tmm_modules[TMM_LOGTLSLOG].cap_flags = 0;
output: add TM_FLAG_LOGAPI_TM thread module flag The TM_FLAG_LOGAPI_TM flag indicates that a module is run by the log api, not by the 'regular' thread module call functions. Set flag in all all Log API users' registration code. Purpose of this flag is in profiling. In profiling output it will be used to list log api thread modules separately.
12 years ago
tmm_modules[TMM_LOGTLSLOG].flags = TM_FLAG_LOGAPI_TM;
log-tls: clean ups Make all functions static. Remove separate ipv4 and ipv6 registration functions. Move register function to the bottom so that we no longer need function prototype declarations.
12 years ago
log-tls: convert to packet logger API This patch converts log-tls to use the packet logger API. The packet logger API was choosen as the TLS parser is not transaction aware. To make sure the state is only logged once, the flag SSL_AL_FLAG_STATE_LOGGED was added to the parser. This flag is checked by the condition function, and set at the end of the Logger function.
12 years ago
OutputRegisterPacketModule(MODULE_NAME, "tls-log", LogTlsLogInitCtx,
LogTlsLogger, LogTlsCondition);
tls: adding TLS Log support Creation of the log-tlslog file in order to log tls message. Need to add some information into suricata.yaml to work. - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs.
14 years ago
}