From 180faece7cb5df942bff8f6583e68c45ed7ba19f Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Fri, 6 Mar 2015 20:03:13 +0100
Subject: [PATCH] json-alert: log tls info in alert

This patch adds the capabilities to log the TLS information the same way it is currently possible to do with HTTP. As it is quite hard to read ASN.1 directly in the stream, this will help people to understand why suricata is firing on alert relative to TLS.
---
 src/output-json-alert.c | 38 ++++++++++++++++++++++++++++++++++++++
 suricata.yaml.in        |  1 +
 2 files changed, 39 insertions(+)

diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index cd1168aa2d..44e418f78a 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -52,6 +52,7 @@
 #include "output.h"
 #include "output-json.h"
 #include "output-json-http.h"
+#include "output-json-tls.h"
 #include "util-byte.h"
 #include "util-privs.h"
 
@@ -70,6 +71,7 @@
 #define LOG_JSON_PACKET 2
 #define LOG_JSON_PAYLOAD_BASE64 4
 #define LOG_JSON_HTTP 8
+#define LOG_JSON_TLS 16
 
 #define JSON_STREAM_BUFFER_SIZE 4096
 
@@ -124,6 +126,23 @@ static void AlertJsonHttp(const Flow *f, json_t *js)
     return;
 }
 
+static void AlertJsonTls(const Flow *f, json_t *js)
+{
+    SSLState *ssl_state = (SSLState *)f->alstate;
+    if (ssl_state) {
+        json_t *tjs = json_object();
+        if (unlikely(tjs == NULL))
+            return;
+
+        JsonTlsLogJSONBasic(tjs, ssl_state);
+        JsonTlsLogJSONExtended(tjs, ssl_state);
+
+        json_object_set_new(js, "tls", tjs);
+    }
+
+    return;
+}
+
 static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 {
     MemBuffer *payload = aft->payload_buffer;
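Review bot: AlertJsonTls casts `f->alstate` to `SSLState *` with no check of its own that the flow's app-layer protocol is TLS, so the function is only correct under a precondition established by its caller (the `proto == ALPROTO_TLS` test taken under FLOWLOCK_RDLOCK in the later hunk); called from anywhere else it would interpret another parser's state as an SSLState. That contract should be written down on the function, e.g. `/* Caller must hold the flow lock and have verified FlowGetAppProtocol(f) == ALPROTO_TLS; f->alstate is cast to SSLState without further checks. */`. A one-line purpose comment saying the result is attached to `js` under the "tls" key would also bring it in line with what a reader expects next to AlertJsonHttp. The function is complete within the hunk.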
@@ -188,6 +207,19 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
         }
     }
 
+    if (json_output_ctx->flags & LOG_JSON_TLS) {
+        if (p->flow != NULL) {
+            FLOWLOCK_RDLOCK(p->flow);
+            uint16_t proto = FlowGetAppProtocol(p->flow);
+
+            /* http alert */
+            if (proto == ALPROTO_TLS)
+                AlertJsonTls(p->flow, js);
+
+            FLOWLOCK_UNLOCK(p->flow);
+        }
+    }
+
     /* payload */
     if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
         int stream = (p->proto == IPPROTO_TCP) ?
@@ -521,7 +553,13 @@ static OutputCtx *JsonAlertLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
     const char *packet = ConfNodeLookupChildValue(conf, "packet");
     const char *payload_printable = ConfNodeLookupChildValue(conf, "payload-printable");
     const char *http = ConfNodeLookupChildValue(conf, "http");
+    const char *tls = ConfNodeLookupChildValue(conf, "tls");
 
+    if (tls != NULL) {
+        if (ConfValIsTrue(tls)) {
+            json_output_ctx->flags |= LOG_JSON_TLS;
+        }
+    }
     if (http != NULL) {
         if (ConfValIsTrue(http)) {
             json_output_ctx->flags |= LOG_JSON_HTTP;
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 5caa0031e6..be62eeac90 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -105,6 +105,7 @@ outputs:
       # payload-printable: yes # enable dumping payload in printable (lossy) format
       # packet: yes           # enable dumping of packet (without stream segments)
       # http: yes             # enable dumping of http fields
+      # tls: yes              # enable dumping of tls fields
 
       # HTTP X-Forwarded-For support by adding an extra field or overwriting
       # the source or destination IP address (depending on flow direction)
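Review bot: The comment `/* http alert */` above the `proto == ALPROTO_TLS` test is carried over from the HTTP block and now mislabels the TLS path; change it to `/* tls alert */`. The new block also repeats a lock / FlowGetAppProtocol / unlock sequence that the closing braces just above it suggest the HTTP block already performs, so with both LOG_JSON_HTTP and LOG_JSON_TLS set the flow read lock is taken and the protocol looked up twice per alert; folding both into one `if (p->flow != NULL)` section with a single lookup would avoid that, though the HTTP block itself lies outside this hunk. AlertJson starts and ends outside the hunk.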
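Review bot: The new `if (tls != NULL)` block is inserted ahead of the existing `if (http != NULL)` block, so the flag checks no longer follow the order of the `ConfNodeLookupChildValue` declarations above them; moving the tls block to after the http block keeps each lookup/check pair in the same order. Behaviour is unaffected either way, since each option only ORs its own bit into `json_output_ctx->flags`. JsonAlertLogInitCtxSub continues outside the hunk.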