output/json: log tls subjectaltname

Feature 5234
2 years ago · 232c44eb4a
parent 719fda3967
commit 232c44eb4a
2 changed files with 22 additions and 2 deletions
--- a/src/output-json-tls.c
+++ b/src/output-json-tls.c
@ -78,6 +78,7 @@ SC_ATOMIC_EXTERN(unsigned int, cert_id);
 #define LOG_TLS_FIELD_CLIENT_CERT       (1 << 14)
 #define LOG_TLS_FIELD_CLIENT_CHAIN      (1 << 15)
 #define LOG_TLS_FIELD_JA4               (1 << 16)
+#define LOG_TLS_FIELD_SUBJECTALTNAME    (1 << 17)

 typedef struct {
    const char *name;
@ -92,7 +93,8 @@ TlsFields tls_fields[] = { { "version", LOG_TLS_FIELD_VERSION },
    { "chain", LOG_TLS_FIELD_CHAIN }, { "session_resumed", LOG_TLS_FIELD_SESSION_RESUMED },
    { "ja3", LOG_TLS_FIELD_JA3 }, { "ja3s", LOG_TLS_FIELD_JA3S },
    { "client", LOG_TLS_FIELD_CLIENT }, { "client_certificate", LOG_TLS_FIELD_CLIENT_CERT },
-    { "client_chain", LOG_TLS_FIELD_CLIENT_CHAIN }, { "ja4", LOG_TLS_FIELD_JA4 }, { NULL, -1 } };
+    { "client_chain", LOG_TLS_FIELD_CLIENT_CHAIN }, { "ja4", LOG_TLS_FIELD_JA4 },
+    { "subjectaltname", LOG_TLS_FIELD_SUBJECTALTNAME }, { NULL, -1 } };

 typedef struct OutputTlsCtx_ {
    uint32_t flags;  /** Store mode */
@ -122,6 +124,17 @@ static void JsonTlsLogIssuer(JsonBuilder *js, SSLState *ssl_state)
    }
 }

+static void JsonTlsLogSAN(JsonBuilder *js, SSLState *ssl_state)
+{
+    if (ssl_state->server_connp.cert0_sans_len > 0) {
+        jb_open_array(js, "subjectaltname");
+        for (uint16_t i = 0; i < ssl_state->server_connp.cert0_sans_len; i++) {
+            jb_append_string(js, ssl_state->server_connp.cert0_sans[i]);
+        }
+        jb_close(js);
+    }
+}
+
 static void JsonTlsLogSessionResumed(JsonBuilder *js, SSLState *ssl_state)
 {
    if (ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) {
@ -334,6 +347,9 @@ void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state)
    /* tls issuerdn */
    JsonTlsLogIssuer(js, ssl_state);

+    /* tls subjectaltname */
+    JsonTlsLogSAN(js, ssl_state);
+
    /* tls session resumption */
    JsonTlsLogSessionResumed(js, ssl_state);
 }
@ -349,6 +365,10 @@ static void JsonTlsLogJSONCustom(OutputTlsCtx *tls_ctx, JsonBuilder *js,
    if (tls_ctx->fields & LOG_TLS_FIELD_ISSUER)
        JsonTlsLogIssuer(js, ssl_state);

+    /* tls subjectaltname */
+    if (tls_ctx->fields & LOG_TLS_FIELD_SUBJECTALTNAME)
+        JsonTlsLogIssuer(js, ssl_state);
+
    /* tls session resumption */
    if (tls_ctx->fields & LOG_TLS_FIELD_SESSION_RESUMED)
        JsonTlsLogSessionResumed(js, ssl_state);
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -259,7 +259,7 @@ outputs:
            # session id
            #session-resumption: no
            # custom controls which TLS fields that are included in eve-log
-            #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4]
+            #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4, subjectaltname]
        - files:
            force-magic: no   # force logging magic on all logged files
            # force logging of checksums, available hash functions are md5,