If extended logging is enabled the following fields are also included:
+* "serial": The serial number of the TLS certificate
* "fingerprint": The (SHA1) fingerprint of the TLS certificate
* "sni": The Server Name Indication (SNI) extension sent by the client
* "version": The SSL/TLS version used
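Review bot: the new `"serial"` bullet should say in which form the value is logged, the way the sibling `"fingerprint"` entry states "(SHA1)"; the JSON sample in this change prints the serial as colon-separated uppercase hexadecimal bytes, so something like `"serial": The serial number of the TLS certificate, as colon-separated hex bytes` would tell readers what to expect and what to put into a `tls_cert_serial` content match.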
"tls": {
"subject": "C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com",
"issuerdn": "C=US, O=Google Inc, CN=Google Internet Authority G2",
+ "serial": "0C:00:99:B7:D7:54:C9:F6:77:26:31:7E:BA:EA:7C:1C",
"fingerprint": "8f:51:12:06:a0:cc:4e:cd:e8:a3:8b:38:f8:87:59:e5:af:95:ca:cd",
"sni": "calendar.google.com",
"version": "TLS 1.2",
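Review bot: the sample `"serial"` value is uppercase hex while the `"fingerprint"` directly below it is lowercase; please confirm this is exactly what the logger emits, because anyone copying the sample into a `tls_cert_serial` rule depends on the case and the colon separators being right.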
extended: yes # enable this for extended logging information
# custom allows to control which tls fields that are included
# in eve-log
- #custom: [subject, issuer, fingerprint, sni, version, not_before, not_after, certificate, chain]
+ #custom: [subject, issuer, serial, fingerprint, sni, version, not_before, not_after, certificate, chain]
The default is to log certificate subject and issuer. If ``extended`` is
enabled, then the log gets more verbose.
``tls_cert_issuer`` can be used as ``fast_pattern``.
+tls_cert_serial
+---------------
+
+Match on the serial number in a certificate.
+
+Example::
+
+ alert tls any any -> any any (msg:"match cert serial"; \
+ tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:200012;)
+
+``tls_cert_serial`` is a 'Sticky buffer'.
+
+``tls_cert_serial`` can be used as ``fast_pattern``.
+
tls_sni
-------
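Review bot: the `tls_cert_serial` description should state the format of the bytes in the buffer (the eve-log sample in this change uses colon-separated uppercase hex and the rule example matches the same form), since `content` is case-sensitive by default and a lowercase or un-colonised serial in a rule would silently never match. It is also worth one sentence noting that a serial number is only unique within a single issuer, so a rule for a known certificate should combine `tls_cert_serial` with `tls_cert_issuer`, which the text just above already documents as usable with `fast_pattern`.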