json-alert: log tls info in alert

This patch adds the capabilities to log the TLS information the same way it is currently possible to do with HTTP. As it is quite hard to read ASN.1 directly in the stream, this will help people to understand why suricata is firing on alert relative to TLS.
11 years ago · 180faece7c
parent 22182e7a84
commit 180faece7c
2 changed files with 39 additions and 0 deletions
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@ -52,6 +52,7 @@
 #include "output.h"
 #include "output-json.h"
 #include "output-json-http.h"
+#include "output-json-tls.h"

 #include "util-byte.h"
 #include "util-privs.h"
@ -70,6 +71,7 @@
 #define LOG_JSON_PACKET 2
 #define LOG_JSON_PAYLOAD_BASE64 4
 #define LOG_JSON_HTTP 8
+#define LOG_JSON_TLS 16

 #define JSON_STREAM_BUFFER_SIZE 4096

@ -124,6 +126,23 @@ static void AlertJsonHttp(const Flow *f, json_t *js)
    return;
 }

+static void AlertJsonTls(const Flow *f, json_t *js)
+{
+    SSLState *ssl_state = (SSLState *)f->alstate;
+    if (ssl_state) {
+        json_t *tjs = json_object();
+        if (unlikely(tjs == NULL))
+            return;
+
+        JsonTlsLogJSONBasic(tjs, ssl_state);
+        JsonTlsLogJSONExtended(tjs, ssl_state);
+
+        json_object_set_new(js, "tls", tjs);
+    }
+
+    return;
+}
+
 static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 {
    MemBuffer *payload = aft->payload_buffer;
@ -188,6 +207,19 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
            }
        }

+        if (json_output_ctx->flags & LOG_JSON_TLS) {
+            if (p->flow != NULL) {
+                FLOWLOCK_RDLOCK(p->flow);
+                uint16_t proto = FlowGetAppProtocol(p->flow);
+
+                /* http alert */
+                if (proto == ALPROTO_TLS)
+                    AlertJsonTls(p->flow, js);
+
+                FLOWLOCK_UNLOCK(p->flow);
+            }
+        }
+
        /* payload */
        if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
            int stream = (p->proto == IPPROTO_TCP) ?
@ -521,7 +553,13 @@ static OutputCtx *JsonAlertLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
        const char *packet  = ConfNodeLookupChildValue(conf, "packet");
        const char *payload_printable = ConfNodeLookupChildValue(conf, "payload-printable");
        const char *http = ConfNodeLookupChildValue(conf, "http");
+        const char *tls = ConfNodeLookupChildValue(conf, "tls");

+        if (tls != NULL) {
+            if (ConfValIsTrue(tls)) {
+                json_output_ctx->flags |= LOG_JSON_TLS;
+            }
+        }
        if (http != NULL) {
            if (ConfValIsTrue(http)) {
                json_output_ctx->flags |= LOG_JSON_HTTP;
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -105,6 +105,7 @@ outputs:
            # payload-printable: yes # enable dumping payload in printable (lossy) format
            # packet: yes            # enable dumping of packet (without stream segments)
            # http: yes              # enable dumping of http fields
+            # tls: yes               # enable dumping of tls fields

            # HTTP X-Forwarded-For support by adding an extra field or overwriting
            # the source or destination IP address (depending on flow direction)