aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

doc: add documentation for TLS eve-log

Browse Source
pull/2580/head
Mats Klepsland 9 years ago
parent bbd32c1419
commit e91bb09c91
2 changed files with 80 additions and 0 deletions
Show Stats Download Patch File Download Diff File

58
doc/userguide/output/eve/eve-json-format.rst
Unescape Escape View File

@ -196,3 +196,61 @@ Example of a DNS answer with an IPv4 (resource record type 'A') return:
"ttl":8, "ttl":8,
"rdata": "199.16.156.6" "rdata": "199.16.156.6"
} }
Event type: TLS
---------------
Fields
~~~~~~
* "subject": The subject field from the TLS certificate
* "issuer": The issuer field from the TLS certificate
If extended logging is enabled the following fields are also included:
* "fingerprint": The (SHA1) fingerprint of the TLS certificate
* "sni": The Server Name Indication (SNI) extension sent by the client
* "version": The SSL/TLS version used
* "notbefore": The NotBefore field from the TLS certificate
* "notafter": The NotAfter field from the TLS certificate
In addition to this, custom logging also allows the following fields:
* "certificate": The TLS certificate base64 encoded
* "chain": The entire TLS certificate chain base64 encoded
Examples
~~~~~~~~
Example of regular TLS logging:
::
"tls": {
"subject": "C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com",
"issuerdn": "C=US, O=Google Inc, CN=Google Internet Authority G2"
}
Example of extended TLS logging:
::
"tls": {
"subject": "C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com",
"issuerdn": "C=US, O=Google Inc, CN=Google Internet Authority G2",
"fingerprint": "8f:51:12:06:a0:cc:4e:cd:e8:a3:8b:38:f8:87:59:e5:af:95:ca:cd",
"sni": "calendar.google.com",
"version": "TLS 1.2",
"notbefore": "2017-01-04T10:48:43",
"notafter": "2017-03-29T10:18:00"
}
Example of certificate logging using TLS custom logging (subject, sni, certificate):
::
"tls": {
"subject": "C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.googleapis.com
"sni": "www.googleapis.com",
"certificate": "MIIE3TCCA8WgAwIBAgIIQPsvobRZN0gwDQYJKoZIhvcNAQELBQAwSTELMA [...]"
}

22
doc/userguide/output/eve/eve-json-output.rst
Unescape Escape View File

@ -80,6 +80,10 @@ The most common way to use this is through 'EVE', which is a firehose approach w
#custom: [a, aaaa, cname, mx, ns, ptr, txt] #custom: [a, aaaa, cname, mx, ns, ptr, txt]
- tls: - tls:
extended: yes # enable this for extended logging information extended: yes # enable this for extended logging information
# custom allows to control which tls fields that are included
# in eve-log
#custom: [subject, issuer, fingerprint, sni, version, not_before, not_after, certificate, chain]
- files: - files:
force-magic: no # force logging magic on all logged files force-magic: no # force logging magic on all logged files
# force logging of checksums, available hash functions are md5, # force logging of checksums, available hash functions are md5,
@ -181,6 +185,24 @@ YAML::
To reduce verbosity the output can be filtered by supplying the record types To reduce verbosity the output can be filtered by supplying the record types
to be logged under ``custom``. to be logged under ``custom``.
TLS
~~~
TLS records are logged one record per session.
YAML::
- tls:
extended: yes # enable this for extended logging information
# custom allows to control which tls fields that are included
# in eve-log
#custom: [subject, issuer, fingerprint, sni, version, not_before, not_after, certificate, chain]
The default is to log certificate subject and issuer. If ``extended`` is
enabled, then the log gets more verbose.
By using ``custom`` it is possible to select which TLS fields to log.
Multiple Logger Instances Multiple Logger Instances
~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~

Write Preview
Loading…
Cancel
Save