#define LOG_TLS_FIELD_CHAIN (1 << 9)
#define LOG_TLS_FIELD_SESSION_RESUMED (1 << 10)
#define LOG_TLS_FIELD_JA3 (1 << 11)
+#define LOG_TLS_FIELD_JA3S (1 << 12)
typedef struct {
const char *name;
{ "chain", LOG_TLS_FIELD_CHAIN },
{ "session_resumed", LOG_TLS_FIELD_SESSION_RESUMED },
{ "ja3", LOG_TLS_FIELD_JA3 },
+ { "ja3s", LOG_TLS_FIELD_JA3S },
{ NULL, -1 }
};
json_object_set_new(js, "ja3", tjs);
}
+static void JsonTlsLogJa3SHash(json_t *js, SSLState *ssl_state)
+{
+ if (ssl_state->server_connp.ja3_hash != NULL) {
+ json_object_set_new(js, "hash",
+ json_string(ssl_state->server_connp.ja3_hash));
+ }
+}
+
+static void JsonTlsLogJa3SString(json_t *js, SSLState *ssl_state)
+{
+ if ((ssl_state->server_connp.ja3_str != NULL) &&
+ ssl_state->server_connp.ja3_str->data != NULL) {
+ json_object_set_new(js, "string",
+ json_string(ssl_state->server_connp.ja3_str->data));
+ }
+}
+
+static void JsonTlsLogJa3S(json_t *js, SSLState *ssl_state)
+{
+ json_t *tjs = json_object();
+ if (unlikely(tjs == NULL))
+ return;
+
+ JsonTlsLogJa3SHash(tjs, ssl_state);
+ JsonTlsLogJa3SString(tjs, ssl_state);
+
+ json_object_set_new(js, "ja3s", tjs);
+}
static void JsonTlsLogCertificate(json_t *js, SSLState *ssl_state)
{
if (TAILQ_EMPTY(&ssl_state->server_connp.certs)) {
/* tls ja3_hash */
if (tls_ctx->fields & LOG_TLS_FIELD_JA3)
JsonTlsLogJa3(js, ssl_state);
+
+ /* tls ja3s */
+ if (tls_ctx->fields & LOG_TLS_FIELD_JA3S)
+ JsonTlsLogJa3S(js, ssl_state);
}
void JsonTlsLogJSONExtended(json_t *tjs, SSLState * state)
/* tls ja3 */
JsonTlsLogJa3(tjs, state);
+
+ /* tls ja3s */
+ JsonTlsLogJa3S(tjs, state);
}
static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p,
Ja3IsDisabled("fields")) {
/* JA3 is disabled, so don't log any JA3 fields */
tls_ctx->fields &= ~LOG_TLS_FIELD_JA3;
+ tls_ctx->fields &= ~LOG_TLS_FIELD_JA3S;
}
if ((tls_ctx->fields & LOG_TLS_FIELD_CERTIFICATE) &&
#session-resumption: no
# custom allows to control which tls fields that are included
# in eve-log
- #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3]
+ #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
- files:
force-magic: no # force logging magic on all logged files
# force logging of checksums, available hash functions are md5,