eve: only output ja3 and ja3s if present

This will prevent JSON entries like the following that occur with the dedault configuration (ja3 deactivated and extended tls ouput activated): "tls": { "subject": "C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com", "issuerdn": "C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com", "serial": "00:9C:FC:DA:1D:A4:70:87:5D", "fingerprint": "b8:18:2d:cb:c9:f8:1a:66:75:13:18:31:24:e0:92:35:42🆎96:89", "version": "TLSv1", "notbefore": "2020-05-03T11:07:28", "notafter": "2021-05-03T11:07:28", "ja3": {}, "ja3s": {} }
5 years ago · 7304389438
parent cbb03dbb39
commit 7304389438
1 changed files with 16 additions and 8 deletions
--- a/src/output-json-tls.c
+++ b/src/output-json-tls.c
@ -215,12 +215,16 @@ static void JsonTlsLogJa3String(JsonBuilder *js, SSLState *ssl_state)

 static void JsonTlsLogJa3(JsonBuilder *js, SSLState *ssl_state)
 {
-    jb_open_object(js, "ja3");
+    if ((ssl_state->client_connp.ja3_hash != NULL) ||
+            ((ssl_state->client_connp.ja3_str != NULL) &&
+                    ssl_state->client_connp.ja3_str->data != NULL)) {
+        jb_open_object(js, "ja3");

-    JsonTlsLogJa3Hash(js, ssl_state);
-    JsonTlsLogJa3String(js, ssl_state);
+        JsonTlsLogJa3Hash(js, ssl_state);
+        JsonTlsLogJa3String(js, ssl_state);

-    jb_close(js);
+        jb_close(js);
+    }
 }

 static void JsonTlsLogJa3SHash(JsonBuilder *js, SSLState *ssl_state)
@ -242,12 +246,16 @@ static void JsonTlsLogJa3SString(JsonBuilder *js, SSLState *ssl_state)

 static void JsonTlsLogJa3S(JsonBuilder *js, SSLState *ssl_state)
 {
-    jb_open_object(js, "ja3s");
+    if ((ssl_state->server_connp.ja3_hash != NULL) ||
+            ((ssl_state->server_connp.ja3_str != NULL) &&
+                    ssl_state->server_connp.ja3_str->data != NULL)) {
+        jb_open_object(js, "ja3s");

-    JsonTlsLogJa3SHash(js, ssl_state);
-    JsonTlsLogJa3SString(js, ssl_state);
+        JsonTlsLogJa3SHash(js, ssl_state);
+        JsonTlsLogJa3SString(js, ssl_state);

-    jb_close(js);
+        jb_close(js);
+    }
 }

 static void JsonTlsLogCertificate(JsonBuilder *js, SSLState *ssl_state)