# output TLS transaction where the session is resumed using a
# session id
#session-resumption: no
+ # ja4 hashes in tls records will never be logged unless
+ # the following is set to on. (Default off)
+ # ja4: off
# custom allows to control which tls fields that are included
# in eve-log
#custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain]
- ike
# BitTorrent DHT logging.
- bittorrent-dht
+ - quic:
+ # ja4 hashes in crecords will never be logged unless
+ # the following is set to on. (Default off)
+ # ja4: off
- ssh
- stats:
totals: yes # stats for all threads merged together
<datasets_security>` and :ref:`Datasets File Locations
<datasets_file_locations>` for more information.
- Lua rules are now disabled by default (change also introduced in 6.0.13), see :ref:`lua-detection`.
+- Support for JA4 has been added. JA4 hashes will be computed when explicitly enabled or a rule uses
+ `ja4.hash`. JA4 hashes are output under a restricted set of conditions (see below):
Removals
~~~~~~~~
For more information, refer to:
https://redmine.openinfosecfoundation.org/issues/1275.
+- JA4 hashes are output under a restricted set of conditions when JA4 is dynamically or explicitly enabled:
+
+ - Alerts: The signature causing the alert contains the `ja4.hash` keyword
+ - Logs: With QUIC logs iff outputs.quic.ja4 is enabled (default off)
+ - Logs: With TLS logs iff outputs.tls.ja4 is enabled (default off)
+
Deprecations
~~~~~~~~~~~~
- Multiple "include" fields in the configuration file will now issue a
#include "output.h"
#include "output-json.h"
#include "app-layer.h"
+#include "app-layer-ssl.h"
#include "app-layer-parser.h"
#include "output-json-quic.h"
#include "rust.h"
typedef struct LogQuicFileCtx_ {
LogFileCtx *file_ctx;
OutputJsonCtx *eve_ctx;
+ bool log_ja4;
} LogQuicFileCtx;
typedef struct JsonQuicLogThread_ {
if (unlikely(js == NULL)) {
return TM_ECODE_OK;
}
- if (!rs_quic_to_json(tx, false, js)) {
+
+ LogQuicFileCtx *quic_ctx = thread->quiclog_ctx;
+ if (!rs_quic_to_json(tx, quic_ctx->log_ja4, js)) {
jb_free(js);
return TM_ECODE_FAILED;
}
SCFree(quiclog_ctx);
return result;
}
+
+ /* In 7.0.x, ja4 hash is only logged when requested */
+ quiclog_ctx->log_ja4 = false;
+ const char *ja4 = ConfNodeLookupChildValue(conf, "ja4");
+ if (ja4 && ConfValIsTrue(ja4)) {
+ quiclog_ctx->log_ja4 = true;
+ }
output_ctx->data = quiclog_ctx;
output_ctx->DeInit = OutputQuicLogDeInitCtxSub;
}
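Review bot: `quiclog_ctx->log_ja4 = false;` just before the lookup is redundant if the context is zero-allocated, which the `SCFree(quiclog_ctx)` error path above suggests but the allocation itself is outside the hunk; the on/off test can then collapse to a single assignment, `quiclog_ctx->log_ja4 = (ja4 != NULL && ConfValIsTrue(ja4));`. The same `ja4 && ConfValIsTrue(ja4)` parse appears in the TLS init in output-json-tls.c in this commit, so a small shared helper would keep the two outputs from drifting apart. The enclosing init function starts outside the hunk.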
/* log extended */
else if (tls_ctx->flags & LOG_TLS_EXTENDED) {
- JsonTlsLogJSONExtended(js, ssl_state, false);
+ JsonTlsLogJSONExtended(js, ssl_state, tls_ctx->fields & LOG_TLS_FIELD_JA4);
}
/* log basic */
else {
JsonTlsLogJSONBasic(js, ssl_state);
+ /* add ja4 hash */
+ if (tls_ctx->fields & LOG_TLS_FIELD_JA4)
+ JsonTlsLogSCJA4(js, ssl_state);
}
/* print original application level protocol when it have been changed
}
}
+ /* In 7.0.x, ja4 hash is only logged when requested */
+ const char *ja4 = ConfNodeLookupChildValue(conf, "ja4");
+ if (ja4 && ConfValIsTrue(ja4)) {
+ tls_ctx->fields = LOG_TLS_FIELD_JA4;
+ }
+
const char *session_resumption = ConfNodeLookupChildValue(conf, "session-resumption");
if (session_resumption == NULL || ConfValIsTrue(session_resumption)) {
tls_ctx->flags |= LOG_TLS_SESSION_RESUMPTION;
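Review bot: `tls_ctx->fields = LOG_TLS_FIELD_JA4;` in the added block replaces the whole field mask instead of setting one bit, so if a `custom:` field list was parsed into `tls_ctx->fields` above the hunk (the two closing braces at its top look like the end of that block), setting `ja4: on` alongside it would drop every other custom field from the TLS output; `tls_ctx->fields |= LOG_TLS_FIELD_JA4;` keeps both. Whether the first branch of the logger's if-chain (outside the earlier hunk in this file) dispatches on `flags` or on a non-zero `fields` also decides whether the basic and extended JA4 checks added there are reachable once `fields` is set here, which is worth confirming. In that logger hunk the basic branch adds `if (tls_ctx->fields & LOG_TLS_FIELD_JA4) JsonTlsLogSCJA4(js, ssl_state);` without braces; bracing it matches the surrounding style. The enclosing init function starts and ends outside the hunk.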
#include "app-layer-ssl.h"
void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state);
-void JsonTlsLogJSONExtended(JsonBuilder *js, SSLState *ssl_state, bool is_alert);
+void JsonTlsLogJSONExtended(JsonBuilder *js, SSLState *ssl_state, bool log_ja4);
#endif /* __OUTPUT_JSON_TLS_H__ */
# output TLS transaction where the session is resumed using a
# session id
#session-resumption: no
+ # ja4 hashes in tls records will never be logged unless
+ # the following is set to on. (Default off)
+ # ja4: off
# custom controls which TLS fields that are included in eve-log
#custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4]
- files:
- snmp
- rfb
- sip
- - quic
+ - quic:
+ # ja4 hashes in quic records will never be logged unless
+ # the following is set to on. (Default off)
+ # ja4: off
- dhcp:
enabled: yes
# When extended mode is on, all DHCP messages are logged