}
}
-fn log_template(tx: &QuicTransaction, js: &mut JsonBuilder) -> Result<(), JsonError> {
+fn log_template(tx: &QuicTransaction, log_ja4: bool, js: &mut JsonBuilder) -> Result<(), JsonError> {
js.open_object("quic")?;
if tx.header.ty != QuicType::Short {
js.set_string("version", String::from(tx.header.version).as_str())?;
js.close()?;
}
- if let Some(ref ja4) = &tx.ja4 {
- js.set_string("ja4", ja4)?;
+ if log_ja4 {
+ if let Some(ref ja4) = &tx.ja4 {
+ js.set_string("ja4", ja4)?;
+ }
}
if !tx.extv.is_empty() {
#[no_mangle]
pub unsafe extern "C" fn rs_quic_to_json(
- tx: *mut std::os::raw::c_void, js: &mut JsonBuilder,
+ tx: *mut std::os::raw::c_void, log_ja4: bool, js: &mut JsonBuilder,
) -> bool {
let tx = cast_pointer!(tx, QuicTransaction);
- log_template(tx, js).is_ok()
+ log_template(tx, log_ja4, js).is_ok()
}
}
}
s->init_data->init_flags |= SIG_FLAG_INIT_JA;
+ s->flags |= SIG_FLAG_JA4;
return 0;
}
/** Info for Source and Target identification */
#define SIG_FLAG_DEST_IS_TARGET BIT_U32(26)
+#define SIG_FLAG_JA4 BIT_U32(27) /**< signature uses JA4 */
+
#define SIG_FLAG_HAS_TARGET (SIG_FLAG_DEST_IS_TARGET|SIG_FLAG_SRC_IS_TARGET)
/* signature init flags */
return 1;
}
-static void AlertJsonTls(const Flow *f, JsonBuilder *js)
+static void AlertJsonTls(const Flow *f, const uint32_t sig_flags, JsonBuilder *js)
{
SSLState *ssl_state = (SSLState *)FlowGetAppState(f);
if (ssl_state) {
jb_open_object(js, "tls");
- JsonTlsLogJSONExtended(js, ssl_state);
+ JsonTlsLogJSONExtended(js, ssl_state, sig_flags & SIG_FLAG_JA4);
jb_close(js);
}
}
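Review bot: `sig_flags & SIG_FLAG_JA4` is passed to `JsonTlsLogJSONExtended` as a raw mask result (bit 27) and relies on the implicit conversion to `bool`. That conversion only yields 0 or 1 while a prototype with a C99 `bool` parameter is in scope. The same expression is handed to `rs_quic_to_json` in `JsonQuicAddMetadata`, where the receiving parameter is a Rust `bool` that must only ever hold 0 or 1. Spelling the test out removes that dependency: `JsonTlsLogJSONExtended(js, ssl_state, (sig_flags & SIG_FLAG_JA4) != 0);` and likewise `rs_quic_to_json(tx, (sig_flags & SIG_FLAG_JA4) != 0, js)`.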
}
-static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb,
- const uint64_t tx_id, const uint16_t option_flags)
+static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb, const uint64_t tx_id,
+ const uint32_t sig_flags, const uint16_t option_flags)
{
const AppProto proto = FlowGetAppProtocol(p->flow);
JsonBuilderMark mark = { 0, 0, 0 };
jb_close(jb);
break;
case ALPROTO_TLS:
- AlertJsonTls(p->flow, jb);
+ AlertJsonTls(p->flow, sig_flags, jb);
break;
case ALPROTO_SSH:
AlertJsonSsh(p->flow, jb);
break;
case ALPROTO_QUIC:
jb_get_mark(jb, &mark);
- if (!JsonQuicAddMetadata(p->flow, tx_id, jb)) {
+ if (!JsonQuicAddMetadata(p->flow, sig_flags, tx_id, jb)) {
jb_restore_mark(jb, &mark);
}
break;
if (p->flow != NULL) {
if (pa->flags & PACKET_ALERT_FLAG_TX) {
if (json_output_ctx->flags & LOG_JSON_APP_LAYER) {
- AlertAddAppLayer(p, jb, pa->tx_id, json_output_ctx->flags);
+ AlertAddAppLayer(p, jb, pa->tx_id, pa->s->flags, json_output_ctx->flags);
}
/* including fileinfo data is configured by the metadata setting */
if (json_output_ctx->flags & LOG_JSON_RULE_METADATA) {
if (unlikely(js == NULL)) {
return TM_ECODE_OK;
}
- if (!rs_quic_to_json(tx, js)) {
+ if (!rs_quic_to_json(tx, false, js)) {
jb_free(js);
return TM_ECODE_FAILED;
}
return TM_ECODE_OK;
}
-bool JsonQuicAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
+bool JsonQuicAddMetadata(const Flow *f, const uint32_t sig_flags, uint64_t tx_id, JsonBuilder *js)
{
void *state = FlowGetAppState(f);
if (state) {
void *tx = AppLayerParserGetTx(f->proto, ALPROTO_QUIC, state, tx_id);
if (tx) {
- return rs_quic_to_json(tx, js);
+ return rs_quic_to_json(tx, sig_flags & SIG_FLAG_JA4, js);
}
}
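Review bot: The bare `false` in `rs_quic_to_json(tx, false, js)` at the top of this hunk means QUIC event records never carry `ja4`, and nothing at the call site says this is intended. `JsonTlsLogJSONExtended(js, ssl_state, false)` in the TLS logger does the same for extended TLS records. After this change the fingerprint appears only in alert records whose signature sets `SIG_FLAG_JA4`, so anyone correlating on `ja4` from protocol events loses the field. I would add a comment at both calls, e.g. `/* ja4 is only logged in alerts for signatures that use JA4 */`, and if a configuration switch for this exists outside the visible lines, pass it here instead of the literal. The logger function starts outside the hunk.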
#ifndef __OUTPUT_JSON_QUIC_H__
#define __OUTPUT_JSON_QUIC_H__
-bool JsonQuicAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js);
+bool JsonQuicAddMetadata(const Flow *f, const uint32_t sig_flags, uint64_t tx_id, JsonBuilder *js);
void JsonQuicLogRegister(void);
#endif /* __OUTPUT_JSON_QUIC_H__ */
}
}
-void JsonTlsLogJSONExtended(JsonBuilder *tjs, SSLState * state)
+void JsonTlsLogJSONExtended(JsonBuilder *tjs, SSLState *state, const bool log_ja4)
{
JsonTlsLogJSONBasic(tjs, state);
JsonTlsLogJa3S(tjs, state);
/* tls ja4 */
- JsonTlsLogSCJA4(tjs, state);
+ if (log_ja4)
+ JsonTlsLogSCJA4(tjs, state);
if (HasClientCert(&state->client_connp)) {
jb_open_object(tjs, "client");
}
/* log extended */
else if (tls_ctx->flags & LOG_TLS_EXTENDED) {
- JsonTlsLogJSONExtended(js, ssl_state);
+ JsonTlsLogJSONExtended(js, ssl_state, false);
}
/* log basic */
else {
#include "app-layer-ssl.h"
void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state);
-void JsonTlsLogJSONExtended(JsonBuilder *js, SSLState *ssl_state);
+void JsonTlsLogJSONExtended(JsonBuilder *js, SSLState *ssl_state, bool is_alert);
#endif /* __OUTPUT_JSON_TLS_H__ */
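Review bot: The prototype names the third parameter `is_alert`, but the definition in this commit calls it `log_ja4` and declares it `const bool`. The alert path also passes `sig_flags & SIG_FLAG_JA4` rather than an is-alert indicator, so a reader of the header would wrongly conclude that every alert logs JA4. Suggest `void JsonTlsLogJSONExtended(JsonBuilder *js, SSLState *ssl_state, const bool log_ja4);` with a one-line comment stating that `log_ja4` controls whether the JA4 field is emitted.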