eve: add JA3S field to TLS JSON logger

Add JA3S object to TLS JSON logger (extended log).

diff --git a/src/output-json-tls.c b/src/output-json-tls.c
index 9f92d24b227194b609ec80ea2c42e2b251d65ef1..f1c26ba9ea7788f4fd654079937e4f3509fdd7b0 100644 (file)
--- a/src/output-json-tls.c
+++ b/src/output-json-tls.c
@@ -77,6 +77,7 @@ SC_ATOMIC_DECLARE(unsigned int, cert_id);
 #define LOG_TLS_FIELD_CHAIN             (1 << 9)
 #define LOG_TLS_FIELD_SESSION_RESUMED   (1 << 10)
 #define LOG_TLS_FIELD_JA3               (1 << 11)
+#define LOG_TLS_FIELD_JA3S              (1 << 12)
 
 typedef struct {
     const char *name;
@@ -96,6 +97,7 @@ TlsFields tls_fields[] = {
     { "chain",           LOG_TLS_FIELD_CHAIN },
     { "session_resumed", LOG_TLS_FIELD_SESSION_RESUMED },
     { "ja3",             LOG_TLS_FIELD_JA3 },
+    { "ja3s",            LOG_TLS_FIELD_JA3S },
     { NULL,              -1 }
 };
 
@@ -226,6 +228,34 @@ static void JsonTlsLogJa3(json_t *js, SSLState *ssl_state)
     json_object_set_new(js, "ja3", tjs);
 }
 
+static void JsonTlsLogJa3SHash(json_t *js, SSLState *ssl_state)
+{
+    if (ssl_state->server_connp.ja3_hash != NULL) {
+        json_object_set_new(js, "hash",
+                            json_string(ssl_state->server_connp.ja3_hash));
+    }
+}
+
+static void JsonTlsLogJa3SString(json_t *js, SSLState *ssl_state)
+{
+    if ((ssl_state->server_connp.ja3_str != NULL) &&
+            ssl_state->server_connp.ja3_str->data != NULL) {
+        json_object_set_new(js, "string",
+                            json_string(ssl_state->server_connp.ja3_str->data));
+    }
+}
+
+static void JsonTlsLogJa3S(json_t *js, SSLState *ssl_state)
+{
+    json_t *tjs = json_object();
+    if (unlikely(tjs == NULL))
+        return;
+
+    JsonTlsLogJa3SHash(tjs, ssl_state);
+    JsonTlsLogJa3SString(tjs, ssl_state);
+
+    json_object_set_new(js, "ja3s", tjs);
+}
 static void JsonTlsLogCertificate(json_t *js, SSLState *ssl_state)
 {
     if (TAILQ_EMPTY(&ssl_state->server_connp.certs)) {
@@ -331,6 +361,10 @@ static void JsonTlsLogJSONCustom(OutputTlsCtx *tls_ctx, json_t *js,
     /* tls ja3_hash */
     if (tls_ctx->fields & LOG_TLS_FIELD_JA3)
         JsonTlsLogJa3(js, ssl_state);
+
+    /* tls ja3s */
+    if (tls_ctx->fields & LOG_TLS_FIELD_JA3S)
+        JsonTlsLogJa3S(js, ssl_state);
 }
 
 void JsonTlsLogJSONExtended(json_t *tjs, SSLState * state)
@@ -357,6 +391,9 @@ void JsonTlsLogJSONExtended(json_t *tjs, SSLState * state)
 
     /* tls ja3 */
     JsonTlsLogJa3(tjs, state);
+
+    /* tls ja3s */
+    JsonTlsLogJa3S(tjs, state);
 }
 
 static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p,
@@ -520,6 +557,7 @@ static OutputTlsCtx *OutputTlsInitCtx(ConfNode *conf)
             Ja3IsDisabled("fields")) {
         /* JA3 is disabled, so don't log any JA3 fields */
         tls_ctx->fields &= ~LOG_TLS_FIELD_JA3;
+        tls_ctx->fields &= ~LOG_TLS_FIELD_JA3S;
     }
 
     if ((tls_ctx->fields & LOG_TLS_FIELD_CERTIFICATE) &&

diff --git a/suricata.yaml.in b/suricata.yaml.in
index 7cbfc5062459dfaef1893c224a300c25da420019..1c3863575c98fa9b538dc006d063307d526c7f29 100644 (file)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -207,7 +207,7 @@ outputs:
             #session-resumption: no
             # custom allows to control which tls fields that are included
             # in eve-log
-            #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3]
+            #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
         - files:
             force-magic: no   # force logging magic on all logged files
             # force logging of checksums, available hash functions are md5,