From: Mats Klepsland
Date: Tue, 17 Jan 2017 08:21:30 +0000 (+0100)
Subject: output-json-lua: log certificate serial number
X-Git-Tag: suricata-4.0.0-beta1~282
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2b460b8d06390fa12415d23891098d8a9184c0dc;p=thirdparty%2Fsuricata.git
output-json-lua: log certificate serial number
---
diff --git a/src/output-json-tls.c b/src/output-json-tls.c
index a8ddf804f9..555c666cc4 100644
--- a/src/output-json-tls.c
+++ b/src/output-json-tls.c
@@ -67,12 +67,13 @@ SC_ATOMIC_DECLARE(unsigned int, cert_id);
 #define LOG_TLS_FIELD_VERSION (1 << 0)
 #define LOG_TLS_FIELD_SUBJECT (1 << 1)
 #define LOG_TLS_FIELD_ISSUER (1 << 2)
-#define LOG_TLS_FIELD_FINGERPRINT (1 << 3)
-#define LOG_TLS_FIELD_NOTBEFORE (1 << 4)
-#define LOG_TLS_FIELD_NOTAFTER (1 << 5)
-#define LOG_TLS_FIELD_SNI (1 << 6)
-#define LOG_TLS_FIELD_CERTIFICATE (1 << 7)
-#define LOG_TLS_FIELD_CHAIN (1 << 8)
+#define LOG_TLS_FIELD_SERIAL (1 << 3)
+#define LOG_TLS_FIELD_FINGERPRINT (1 << 4)
+#define LOG_TLS_FIELD_NOTBEFORE (1 << 5)
+#define LOG_TLS_FIELD_NOTAFTER (1 << 6)
+#define LOG_TLS_FIELD_SNI (1 << 7)
+#define LOG_TLS_FIELD_CERTIFICATE (1 << 8)
+#define LOG_TLS_FIELD_CHAIN (1 << 9)
 
 typedef struct {
 char *name;
@@ -83,6 +84,7 @@ TlsFields tls_fields[] = {
 { "version", LOG_TLS_FIELD_VERSION },
 { "subject", LOG_TLS_FIELD_SUBJECT },
 { "issuer", LOG_TLS_FIELD_ISSUER },
+ { "serial", LOG_TLS_FIELD_SERIAL },
 { "fingerprint", LOG_TLS_FIELD_FINGERPRINT },
 { "not_before", LOG_TLS_FIELD_NOTBEFORE },
 { "not_after", LOG_TLS_FIELD_NOTAFTER },
@@ -130,6 +132,14 @@ static void JsonTlsLogSni(json_t *js, SSLState *ssl_state)
 }
 }
 
+static void JsonTlsLogSerial(json_t *js, SSLState *ssl_state)
+{
+ if (ssl_state->server_connp.cert0_serial) {
+ json_object_set_new(js, "serial",
+ json_string(ssl_state->server_connp.cert0_serial));
+ }
+}
+
 static void JsonTlsLogVersion(json_t *js, SSLState *ssl_state)
 {
 char ssl_version[SSL_VERSION_LENGTH + 1];
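Review bot: Inserting LOG_TLS_FIELD_SERIAL at bit 3 renumbers the six flags that follow it, turning a one-line addition into a rewrite of the whole flag block. That is harmless only if these values never leave this translation unit; they appear to be used solely through the tls_fields[] name table and the tls_ctx->fields bitmask, but not every user is visible from this hunk. Appending `#define LOG_TLS_FIELD_SERIAL (1 << 9)` after LOG_TLS_FIELD_CHAIN would keep the existing values stable, and the position of the entry in tls_fields[] is what determines the documented ordering anyway, not the bit position.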
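Review bot: JsonTlsLogSerial never checks the result of json_string() or json_object_set_new(), so if cert0_serial ever holds bytes that are not valid UTF-8, jansson (as I read it) returns NULL from json_string(), json_object_set_new() fails, and the serial is silently absent from the record. The value originates in the peer's certificate, so this is worth confirming against the decoder that fills cert0_serial — if it always produces a hex-formatted ASCII string the concern disappears, otherwise the return value should be checked. The function also has no header comment; I would add `/* Log the serial number of the server's leaf certificate (cert0), if the decoder recorded one. */` above it. The commit subject says output-json-lua, but the file changed is output-json-tls.c.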
@@ -250,6 +260,10 @@ static void JsonTlsLogJSONCustom(OutputTlsCtx *tls_ctx, json_t *js,
 if (tls_ctx->fields & LOG_TLS_FIELD_ISSUER)
 JsonTlsLogIssuer(js, ssl_state);
 
+ /* tls serial */
+ if (tls_ctx->fields & LOG_TLS_FIELD_SERIAL)
+ JsonTlsLogSerial(js, ssl_state);
+
 /* tls fingerprint */
 if (tls_ctx->fields & LOG_TLS_FIELD_FINGERPRINT)
 JsonTlsLogFingerprint(js, ssl_state);
@@ -283,6 +297,9 @@ void JsonTlsLogJSONExtended(json_t *tjs, SSLState * state)
 {
 JsonTlsLogJSONBasic(tjs, state);
 
+ /* tls serial */
+ JsonTlsLogSerial(tjs, state);
+
 /* tls fingerprint */
 JsonTlsLogFingerprint(tjs, state);
 
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 0222b187e2..a91d1fe85e 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -208,7 +208,7 @@ outputs:
 extended: yes # enable this for extended logging information
 # custom allows to control which tls fields that are included
 # in eve-log
-#custom: [subject, issuer, fingerprint, sni, version, not_before, not_after, certificate, chain]
+#custom: [subject, issuer, serial, fingerprint, sni, version, not_before, not_after, certificate, chain]
 - files:
 force-magic: no # force logging magic on all logged files
 # force logging of checksums, available hash functions are md5,
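Review bot: JsonTlsLogJSONExtended now emits a `serial` key in every extended TLS record, which is a visible schema change for consumers of EVE output, yet the only non-code change in the patch is the commented custom-field list in suricata.yaml.in. I do not see the EVE TLS output documentation or a changelog entry updated here, so the new field should be documented alongside fingerprint and the other extended fields. The same field is added to the custom path in the JsonTlsLogJSONCustom hunk above, guarded by LOG_TLS_FIELD_SERIAL, so the two paths stay consistent. JsonTlsLogJSONExtended's body continues past the end of the hunk.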