output/ja4: Log ja4 hashes iff configured

This commit allows ja4 hashes to be logged iff enabled in the tls/quic
section of the outputs.

With the default setting ("off"), ja4 hashes will only be logged in
alerts when the signatures uses the ja4.hash keyword.

When enabled, ja4 hashes will be inclued in quic and tls logs.

- tls:
     ja4: on
- quic:
     ja4: on

Issue: 7010
pull/11288/head
Jeff Lucovsky 2 years ago
parent 1f5e10a49c
commit ffca7658a2

@ -133,6 +133,9 @@ outputs:
# output TLS transaction where the session is resumed using a
# session id
#session-resumption: no
# ja4 hashes in tls records will never be logged unless
# the following is set to on. (Default off)
# ja4: off
# custom allows to control which tls fields that are included
# in eve-log
#custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain]
@ -164,6 +167,10 @@ outputs:
- ike
# BitTorrent DHT logging.
- bittorrent-dht
- quic:
# ja4 hashes in crecords will never be logged unless
# the following is set to on. (Default off)
# ja4: off
- ssh
- stats:
totals: yes # stats for all threads merged together

@ -59,6 +59,8 @@ Security changes
<datasets_security>` and :ref:`Datasets File Locations
<datasets_file_locations>` for more information.
- Lua rules are now disabled by default (change also introduced in 6.0.13), see :ref:`lua-detection`.
- Support for JA4 has been added. JA4 hashes will be computed when explicitly enabled or a rule uses
`ja4.hash`. JA4 hashes are output under a restricted set of conditions (see below):
Removals
~~~~~~~~
@ -133,6 +135,12 @@ Logging changes
For more information, refer to:
https://redmine.openinfosecfoundation.org/issues/1275.
- JA4 hashes are output under a restricted set of conditions when JA4 is dynamically or explicitly enabled:
- Alerts: The signature causing the alert contains the `ja4.hash` keyword
- Logs: With QUIC logs iff outputs.quic.ja4 is enabled (default off)
- Logs: With TLS logs iff outputs.tls.ja4 is enabled (default off)
Deprecations
~~~~~~~~~~~~
- Multiple "include" fields in the configuration file will now issue a

@ -35,6 +35,7 @@
#include "output.h"
#include "output-json.h"
#include "app-layer.h"
#include "app-layer-ssl.h"
#include "app-layer-parser.h"
#include "output-json-quic.h"
#include "rust.h"
@ -42,6 +43,7 @@
typedef struct LogQuicFileCtx_ {
LogFileCtx *file_ctx;
OutputJsonCtx *eve_ctx;
bool log_ja4;
} LogQuicFileCtx;
typedef struct JsonQuicLogThread_ {
@ -59,7 +61,9 @@ static int JsonQuicLogger(ThreadVars *tv, void *thread_data, const Packet *p, Fl
if (unlikely(js == NULL)) {
return TM_ECODE_OK;
}
if (!rs_quic_to_json(tx, false, js)) {
LogQuicFileCtx *quic_ctx = thread->quiclog_ctx;
if (!rs_quic_to_json(tx, quic_ctx->log_ja4, js)) {
jb_free(js);
return TM_ECODE_FAILED;
}
@ -93,6 +97,13 @@ static OutputInitResult OutputQuicLogInitSub(ConfNode *conf, OutputCtx *parent_c
SCFree(quiclog_ctx);
return result;
}
/* In 7.0.x, ja4 hash is only logged when requested */
quiclog_ctx->log_ja4 = false;
const char *ja4 = ConfNodeLookupChildValue(conf, "ja4");
if (ja4 && ConfValIsTrue(ja4)) {
quiclog_ctx->log_ja4 = true;
}
output_ctx->data = quiclog_ctx;
output_ctx->DeInit = OutputQuicLogDeInitCtxSub;

@ -479,11 +479,14 @@ static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p,
}
/* log extended */
else if (tls_ctx->flags & LOG_TLS_EXTENDED) {
JsonTlsLogJSONExtended(js, ssl_state, false);
JsonTlsLogJSONExtended(js, ssl_state, tls_ctx->fields & LOG_TLS_FIELD_JA4);
}
/* log basic */
else {
JsonTlsLogJSONBasic(js, ssl_state);
/* add ja4 hash */
if (tls_ctx->fields & LOG_TLS_FIELD_JA4)
JsonTlsLogSCJA4(js, ssl_state);
}
/* print original application level protocol when it have been changed
@ -586,6 +589,12 @@ static OutputTlsCtx *OutputTlsInitCtx(ConfNode *conf)
}
}
/* In 7.0.x, ja4 hash is only logged when requested */
const char *ja4 = ConfNodeLookupChildValue(conf, "ja4");
if (ja4 && ConfValIsTrue(ja4)) {
tls_ctx->fields = LOG_TLS_FIELD_JA4;
}
const char *session_resumption = ConfNodeLookupChildValue(conf, "session-resumption");
if (session_resumption == NULL || ConfValIsTrue(session_resumption)) {
tls_ctx->flags |= LOG_TLS_SESSION_RESUMPTION;

@ -29,6 +29,6 @@ void JsonTlsLogRegister(void);
#include "app-layer-ssl.h"
void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state);
void JsonTlsLogJSONExtended(JsonBuilder *js, SSLState *ssl_state, bool is_alert);
void JsonTlsLogJSONExtended(JsonBuilder *js, SSLState *ssl_state, bool log_ja4);
#endif /* __OUTPUT_JSON_TLS_H__ */

@ -251,6 +251,9 @@ outputs:
# output TLS transaction where the session is resumed using a
# session id
#session-resumption: no
# ja4 hashes in tls records will never be logged unless
# the following is set to on. (Default off)
# ja4: off
# custom controls which TLS fields that are included in eve-log
#custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4]
- files:
@ -291,7 +294,10 @@ outputs:
- snmp
- rfb
- sip
- quic
- quic:
# ja4 hashes in quic records will never be logged unless
# the following is set to on. (Default off)
# ja4: off
- dhcp:
enabled: yes
# When extended mode is on, all DHCP messages are logged

Loading…
Cancel
Save