From a4eaef25d6ac404faba9af488fdd8d5cc12b036d Mon Sep 17 00:00:00 2001 From: Mats Klepsland Date: Thu, 15 Nov 2018 22:41:44 +0100 Subject: [PATCH] eve: add JA3S field to TLS JSON logger Add JA3S object to TLS JSON logger (extended log). --- src/output-json-tls.c | 38 ++++++++++++++++++++++++++++++++++++++ suricata.yaml.in | 2 +- 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/src/output-json-tls.c b/src/output-json-tls.c index 9f92d24b22..f1c26ba9ea 100644 --- a/src/output-json-tls.c +++ b/src/output-json-tls.c @@ -77,6 +77,7 @@ SC_ATOMIC_DECLARE(unsigned int, cert_id); #define LOG_TLS_FIELD_CHAIN (1 << 9) #define LOG_TLS_FIELD_SESSION_RESUMED (1 << 10) #define LOG_TLS_FIELD_JA3 (1 << 11) +#define LOG_TLS_FIELD_JA3S (1 << 12) typedef struct { const char *name; @@ -96,6 +97,7 @@ TlsFields tls_fields[] = { { "chain", LOG_TLS_FIELD_CHAIN }, { "session_resumed", LOG_TLS_FIELD_SESSION_RESUMED }, { "ja3", LOG_TLS_FIELD_JA3 }, + { "ja3s", LOG_TLS_FIELD_JA3S }, { NULL, -1 } }; @@ -226,6 +228,34 @@ static void JsonTlsLogJa3(json_t *js, SSLState *ssl_state) json_object_set_new(js, "ja3", tjs); } +static void JsonTlsLogJa3SHash(json_t *js, SSLState *ssl_state) +{ + if (ssl_state->server_connp.ja3_hash != NULL) { + json_object_set_new(js, "hash", + json_string(ssl_state->server_connp.ja3_hash)); + } +} + +static void JsonTlsLogJa3SString(json_t *js, SSLState *ssl_state) +{ + if ((ssl_state->server_connp.ja3_str != NULL) && + ssl_state->server_connp.ja3_str->data != NULL) { + json_object_set_new(js, "string", + json_string(ssl_state->server_connp.ja3_str->data)); + } +} + +static void JsonTlsLogJa3S(json_t *js, SSLState *ssl_state) +{ + json_t *tjs = json_object(); + if (unlikely(tjs == NULL)) + return; + + JsonTlsLogJa3SHash(tjs, ssl_state); + JsonTlsLogJa3SString(tjs, ssl_state); + + json_object_set_new(js, "ja3s", tjs); +} static void JsonTlsLogCertificate(json_t *js, SSLState *ssl_state) { if (TAILQ_EMPTY(&ssl_state->server_connp.certs)) { @@ -331,6 +361,10 @@ static void JsonTlsLogJSONCustom(OutputTlsCtx *tls_ctx, json_t *js, /* tls ja3_hash */ if (tls_ctx->fields & LOG_TLS_FIELD_JA3) JsonTlsLogJa3(js, ssl_state); + + /* tls ja3s */ + if (tls_ctx->fields & LOG_TLS_FIELD_JA3S) + JsonTlsLogJa3S(js, ssl_state); } void JsonTlsLogJSONExtended(json_t *tjs, SSLState * state) @@ -357,6 +391,9 @@ void JsonTlsLogJSONExtended(json_t *tjs, SSLState * state) /* tls ja3 */ JsonTlsLogJa3(tjs, state); + + /* tls ja3s */ + JsonTlsLogJa3S(tjs, state); } static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p, @@ -520,6 +557,7 @@ static OutputTlsCtx *OutputTlsInitCtx(ConfNode *conf) Ja3IsDisabled("fields")) { /* JA3 is disabled, so don't log any JA3 fields */ tls_ctx->fields &= ~LOG_TLS_FIELD_JA3; + tls_ctx->fields &= ~LOG_TLS_FIELD_JA3S; } if ((tls_ctx->fields & LOG_TLS_FIELD_CERTIFICATE) && diff --git a/suricata.yaml.in b/suricata.yaml.in index 7cbfc50624..1c3863575c 100644 --- a/suricata.yaml.in +++ b/suricata.yaml.in @@ -207,7 +207,7 @@ outputs: #session-resumption: no # custom allows to control which tls fields that are included # in eve-log - #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3] + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] - files: force-magic: no # force logging magic on all logged files # force logging of checksums, available hash functions are md5,