suricata
Data Structures | Macros | Typedefs | Functions | Variables
output-json-tls.c File Reference
#include "suricata-common.h"
#include "app-layer-parser.h"
#include "app-layer-ssl.h"
#include "app-layer.h"
#include "conf.h"
#include "output-json-tls.h"
#include "output-json.h"
#include "output.h"
#include "threadvars.h"
#include "util-debug.h"
#include "util-ja3.h"
#include "util-time.h"
Include dependency graph for output-json-tls.c:

Go to the source code of this file.

Data Structures

struct  TlsFields
 
struct  OutputTlsCtx_
 
struct  JsonTlsLogThread_
 

Macros

#define LOG_TLS_FIELD_VERSION   BIT_U64(0)
 
#define LOG_TLS_FIELD_SUBJECT   BIT_U64(1)
 
#define LOG_TLS_FIELD_ISSUER   BIT_U64(2)
 
#define LOG_TLS_FIELD_SERIAL   BIT_U64(3)
 
#define LOG_TLS_FIELD_FINGERPRINT   BIT_U64(4)
 
#define LOG_TLS_FIELD_NOTBEFORE   BIT_U64(5)
 
#define LOG_TLS_FIELD_NOTAFTER   BIT_U64(6)
 
#define LOG_TLS_FIELD_SNI   BIT_U64(7)
 
#define LOG_TLS_FIELD_CERTIFICATE   BIT_U64(8)
 
#define LOG_TLS_FIELD_CHAIN   BIT_U64(9)
 
#define LOG_TLS_FIELD_SESSION_RESUMED   BIT_U64(10)
 
#define LOG_TLS_FIELD_JA3   BIT_U64(11)
 
#define LOG_TLS_FIELD_JA3S   BIT_U64(12)
 
#define LOG_TLS_FIELD_CLIENT   BIT_U64(13)
 
#define LOG_TLS_FIELD_CLIENT_CERT   BIT_U64(14)
 
#define LOG_TLS_FIELD_CLIENT_CHAIN   BIT_U64(15)
 
#define LOG_TLS_FIELD_JA4   BIT_U64(16)
 
#define LOG_TLS_FIELD_SUBJECTALTNAME   BIT_U64(17)
 
#define LOG_TLS_FIELD_CLIENT_ALPNS   BIT_U64(18)
 
#define LOG_TLS_FIELD_SERVER_ALPNS   BIT_U64(19)
 
#define LOG_TLS_FIELD_CLIENT_HANDSHAKE   BIT_U64(20)
 
#define LOG_TLS_FIELD_SERVER_HANDSHAKE   BIT_U64(21)
 
#define BASIC_FIELDS
 
#define EXTENDED_FIELDS
 

Typedefs

typedef struct OutputTlsCtx_ OutputTlsCtx
 
typedef struct JsonTlsLogThread_ JsonTlsLogThread
 

Functions

bool JsonTlsLogJSONExtended (void *vtx, SCJsonBuilder *tjs)
 
void JsonTlsLogRegister (void)
 

Variables

TlsFields tls_fields []
 

Detailed Description

Author
Tom DeCanio td@np.nosp@m.ulse.nosp@m.tech..nosp@m.com

Implements TLS JSON logging portion of the engine.

Definition in file output-json-tls.c.

Macro Definition Documentation

◆ BASIC_FIELDS

#define BASIC_FIELDS
Value:
(LOG_TLS_FIELD_SUBJECT | \
LOG_TLS_FIELD_ISSUER | \
LOG_TLS_FIELD_SUBJECTALTNAME)
LOG_TLS_FIELD_SUBJECTALTNAME
#define LOG_TLS_FIELD_SUBJECTALTNAME
Definition output-json-tls.c:57
LOG_TLS_FIELD_SUBJECT
#define LOG_TLS_FIELD_SUBJECT
Definition output-json-tls.c:41
LOG_TLS_FIELD_ISSUER
#define LOG_TLS_FIELD_ISSUER
Definition output-json-tls.c:42

Definition at line 98 of file output-json-tls.c.

◆ EXTENDED_FIELDS

#define EXTENDED_FIELDS
Value:
(BASIC_FIELDS | \
LOG_TLS_FIELD_VERSION | \
LOG_TLS_FIELD_SERIAL | \
LOG_TLS_FIELD_FINGERPRINT | \
LOG_TLS_FIELD_NOTBEFORE | \
LOG_TLS_FIELD_NOTAFTER | \
LOG_TLS_FIELD_JA3 | \
LOG_TLS_FIELD_JA3S | \
LOG_TLS_FIELD_JA4 | \
LOG_TLS_FIELD_CLIENT | \
LOG_TLS_FIELD_CLIENT_ALPNS | \
LOG_TLS_FIELD_SERVER_ALPNS | \
LOG_TLS_FIELD_SNI)
LOG_TLS_FIELD_SERVER_ALPNS
#define LOG_TLS_FIELD_SERVER_ALPNS
Definition output-json-tls.c:59
LOG_TLS_FIELD_JA4
#define LOG_TLS_FIELD_JA4
Definition output-json-tls.c:56
LOG_TLS_FIELD_CLIENT_ALPNS
#define LOG_TLS_FIELD_CLIENT_ALPNS
Definition output-json-tls.c:58
LOG_TLS_FIELD_JA3S
#define LOG_TLS_FIELD_JA3S
Definition output-json-tls.c:52
LOG_TLS_FIELD_SERIAL
#define LOG_TLS_FIELD_SERIAL
Definition output-json-tls.c:43
LOG_TLS_FIELD_SNI
#define LOG_TLS_FIELD_SNI
Definition output-json-tls.c:47
LOG_TLS_FIELD_VERSION
#define LOG_TLS_FIELD_VERSION
Definition output-json-tls.c:40
BASIC_FIELDS
#define BASIC_FIELDS
Definition output-json-tls.c:98
LOG_TLS_FIELD_NOTBEFORE
#define LOG_TLS_FIELD_NOTBEFORE
Definition output-json-tls.c:45
LOG_TLS_FIELD_CLIENT
#define LOG_TLS_FIELD_CLIENT
Definition output-json-tls.c:53
LOG_TLS_FIELD_JA3
#define LOG_TLS_FIELD_JA3
Definition output-json-tls.c:51
LOG_TLS_FIELD_FINGERPRINT
#define LOG_TLS_FIELD_FINGERPRINT
Definition output-json-tls.c:44
LOG_TLS_FIELD_NOTAFTER
#define LOG_TLS_FIELD_NOTAFTER
Definition output-json-tls.c:46

Definition at line 105 of file output-json-tls.c.

◆ LOG_TLS_FIELD_CERTIFICATE

#define LOG_TLS_FIELD_CERTIFICATE   BIT_U64(8)

Definition at line 48 of file output-json-tls.c.

◆ LOG_TLS_FIELD_CHAIN

#define LOG_TLS_FIELD_CHAIN   BIT_U64(9)

Definition at line 49 of file output-json-tls.c.

◆ LOG_TLS_FIELD_CLIENT

#define LOG_TLS_FIELD_CLIENT   BIT_U64(13)

client fields (issuer, subject, etc)

Definition at line 53 of file output-json-tls.c.

◆ LOG_TLS_FIELD_CLIENT_ALPNS

#define LOG_TLS_FIELD_CLIENT_ALPNS   BIT_U64(18)

Definition at line 58 of file output-json-tls.c.

◆ LOG_TLS_FIELD_CLIENT_CERT

#define LOG_TLS_FIELD_CLIENT_CERT   BIT_U64(14)

Definition at line 54 of file output-json-tls.c.

◆ LOG_TLS_FIELD_CLIENT_CHAIN

#define LOG_TLS_FIELD_CLIENT_CHAIN   BIT_U64(15)

Definition at line 55 of file output-json-tls.c.

◆ LOG_TLS_FIELD_CLIENT_HANDSHAKE

#define LOG_TLS_FIELD_CLIENT_HANDSHAKE   BIT_U64(20)

Definition at line 60 of file output-json-tls.c.

◆ LOG_TLS_FIELD_FINGERPRINT

#define LOG_TLS_FIELD_FINGERPRINT   BIT_U64(4)

Definition at line 44 of file output-json-tls.c.

◆ LOG_TLS_FIELD_ISSUER

#define LOG_TLS_FIELD_ISSUER   BIT_U64(2)

Definition at line 42 of file output-json-tls.c.

◆ LOG_TLS_FIELD_JA3

#define LOG_TLS_FIELD_JA3   BIT_U64(11)

Definition at line 51 of file output-json-tls.c.

◆ LOG_TLS_FIELD_JA3S

#define LOG_TLS_FIELD_JA3S   BIT_U64(12)

Definition at line 52 of file output-json-tls.c.

◆ LOG_TLS_FIELD_JA4

#define LOG_TLS_FIELD_JA4   BIT_U64(16)

Definition at line 56 of file output-json-tls.c.

◆ LOG_TLS_FIELD_NOTAFTER

#define LOG_TLS_FIELD_NOTAFTER   BIT_U64(6)

Definition at line 46 of file output-json-tls.c.

◆ LOG_TLS_FIELD_NOTBEFORE

#define LOG_TLS_FIELD_NOTBEFORE   BIT_U64(5)

Definition at line 45 of file output-json-tls.c.

◆ LOG_TLS_FIELD_SERIAL

#define LOG_TLS_FIELD_SERIAL   BIT_U64(3)

Definition at line 43 of file output-json-tls.c.

◆ LOG_TLS_FIELD_SERVER_ALPNS

#define LOG_TLS_FIELD_SERVER_ALPNS   BIT_U64(19)

Definition at line 59 of file output-json-tls.c.

◆ LOG_TLS_FIELD_SERVER_HANDSHAKE

#define LOG_TLS_FIELD_SERVER_HANDSHAKE   BIT_U64(21)

Definition at line 61 of file output-json-tls.c.

◆ LOG_TLS_FIELD_SESSION_RESUMED

#define LOG_TLS_FIELD_SESSION_RESUMED   BIT_U64(10)

Definition at line 50 of file output-json-tls.c.

◆ LOG_TLS_FIELD_SNI

#define LOG_TLS_FIELD_SNI   BIT_U64(7)

Definition at line 47 of file output-json-tls.c.

◆ LOG_TLS_FIELD_SUBJECT

#define LOG_TLS_FIELD_SUBJECT   BIT_U64(1)

Definition at line 41 of file output-json-tls.c.

◆ LOG_TLS_FIELD_SUBJECTALTNAME

#define LOG_TLS_FIELD_SUBJECTALTNAME   BIT_U64(17)

Definition at line 57 of file output-json-tls.c.

◆ LOG_TLS_FIELD_VERSION

#define LOG_TLS_FIELD_VERSION   BIT_U64(0)

Definition at line 40 of file output-json-tls.c.

Typedef Documentation

◆ JsonTlsLogThread

typedef struct JsonTlsLogThread_ JsonTlsLogThread

◆ OutputTlsCtx

typedef struct OutputTlsCtx_ OutputTlsCtx

Function Documentation

◆ JsonTlsLogJSONExtended()

bool JsonTlsLogJSONExtended ( void *  vtx,
SCJsonBuilder *  tjs 
)

Definition at line 498 of file output-json-tls.c.

References EXTENDED_FIELDS.

Referenced by OutputRegisterRootLoggers().

Here is the caller graph for this function:

◆ JsonTlsLogRegister()

void JsonTlsLogRegister ( void  )

Definition at line 707 of file output-json-tls.c.

References ALPROTO_TLS, LOGGER_JSON_TX, OutputRegisterTxSubModuleWithProgress(), TLS_STATE_CLIENT_HANDSHAKE_DONE, and TLS_STATE_SERVER_HANDSHAKE_DONE.

Referenced by OutputRegisterLoggers().

Here is the call graph for this function:
Here is the caller graph for this function:

Variable Documentation

◆ tls_fields

TlsFields tls_fields[]
Initial value:
= {
{ "version", LOG_TLS_FIELD_VERSION },
{ "subject", LOG_TLS_FIELD_SUBJECT },
{ "issuer", LOG_TLS_FIELD_ISSUER },
{ "serial", LOG_TLS_FIELD_SERIAL },
{ "fingerprint", LOG_TLS_FIELD_FINGERPRINT },
{ "not_before", LOG_TLS_FIELD_NOTBEFORE },
{ "not_after", LOG_TLS_FIELD_NOTAFTER },
{ "sni", LOG_TLS_FIELD_SNI },
{ "certificate", LOG_TLS_FIELD_CERTIFICATE },
{ "chain", LOG_TLS_FIELD_CHAIN },
{ "session_resumed", LOG_TLS_FIELD_SESSION_RESUMED },
{ "ja3", LOG_TLS_FIELD_JA3 },
{ "ja3s", LOG_TLS_FIELD_JA3S },
{ "client", LOG_TLS_FIELD_CLIENT },
{ "client_certificate", LOG_TLS_FIELD_CLIENT_CERT },
{ "client_chain", LOG_TLS_FIELD_CLIENT_CHAIN },
{ "ja4", LOG_TLS_FIELD_JA4 },
{ "subjectaltname", LOG_TLS_FIELD_SUBJECTALTNAME },
{ "client_alpns", LOG_TLS_FIELD_CLIENT_ALPNS },
{ "server_alpns", LOG_TLS_FIELD_SERVER_ALPNS },
{ "client_handshake", LOG_TLS_FIELD_CLIENT_HANDSHAKE },
{ "server_handshake", LOG_TLS_FIELD_SERVER_HANDSHAKE },
{ NULL, -1 },
}
LOG_TLS_FIELD_CLIENT_CERT
#define LOG_TLS_FIELD_CLIENT_CERT
Definition output-json-tls.c:54
LOG_TLS_FIELD_SERVER_HANDSHAKE
#define LOG_TLS_FIELD_SERVER_HANDSHAKE
Definition output-json-tls.c:61
LOG_TLS_FIELD_SESSION_RESUMED
#define LOG_TLS_FIELD_SESSION_RESUMED
Definition output-json-tls.c:50
LOG_TLS_FIELD_CHAIN
#define LOG_TLS_FIELD_CHAIN
Definition output-json-tls.c:49
LOG_TLS_FIELD_CLIENT_HANDSHAKE
#define LOG_TLS_FIELD_CLIENT_HANDSHAKE
Definition output-json-tls.c:60
LOG_TLS_FIELD_CERTIFICATE
#define LOG_TLS_FIELD_CERTIFICATE
Definition output-json-tls.c:48
LOG_TLS_FIELD_CLIENT_CHAIN
#define LOG_TLS_FIELD_CLIENT_CHAIN
Definition output-json-tls.c:55

Definition at line 68 of file output-json-tls.c.