From: Jason Ish
Date: Thu, 17 Oct 2024 14:31:49 +0000 (-0600)
Subject: eve/tls: add alpn logging to custom output
X-Git-Tag: suricata-8.0.0-beta1~777
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6a185a8f96d1840927f416450db8f80ec4d17845;p=thirdparty%2Fsuricata.git

eve/tls: add alpn logging to custom output

Adds custom fields "client_alpns" and "server_alpns".

Ticket: #7333
---

diff --git a/src/output-json-tls.c b/src/output-json-tls.c
index 2caee8ae14..b58503a661 100644
--- a/src/output-json-tls.c
+++ b/src/output-json-tls.c
@@ -76,6 +76,8 @@ SC_ATOMIC_EXTERN(unsigned int, cert_id);
 #define LOG_TLS_FIELD_CLIENT_CHAIN (1 << 15)
 #define LOG_TLS_FIELD_JA4 (1 << 16)
 #define LOG_TLS_FIELD_SUBJECTALTNAME (1 << 17)
+#define LOG_TLS_FIELD_CLIENT_ALPNS (1 << 18)
+#define LOG_TLS_FIELD_SERVER_ALPNS (1 << 19)
 
 typedef struct {
 const char *name;
@@ -102,6 +104,8 @@ TlsFields tls_fields[] = {
 { "client_chain", LOG_TLS_FIELD_CLIENT_CHAIN },
 { "ja4", LOG_TLS_FIELD_JA4 },
 { "subjectaltname", LOG_TLS_FIELD_SUBJECTALTNAME },
+ { "client_alpns", LOG_TLS_FIELD_CLIENT_ALPNS },
+ { "server_alpns", LOG_TLS_FIELD_SERVER_ALPNS },
 { NULL, -1 },
 // clang-format on
 };
@@ -445,6 +449,14 @@ static void JsonTlsLogJSONCustom(OutputTlsCtx *tls_ctx, JsonBuilder *js,
 if (tls_ctx->fields & LOG_TLS_FIELD_JA4)
 JsonTlsLogSCJA4(js, ssl_state);
 
+ if (tls_ctx->fields & LOG_TLS_FIELD_CLIENT_ALPNS) {
+ JsonTlsLogAlpns(js, &ssl_state->client_connp, "client_alpns");
+ }
+
+ if (tls_ctx->fields & LOG_TLS_FIELD_SERVER_ALPNS) {
+ JsonTlsLogAlpns(js, &ssl_state->server_connp, "server_alpns");
+ }
+
 if (tls_ctx->fields & LOG_TLS_FIELD_CLIENT) {
 const bool log_cert = (tls_ctx->fields & LOG_TLS_FIELD_CLIENT_CERT) != 0;
 const bool log_chain = (tls_ctx->fields & LOG_TLS_FIELD_CLIENT_CHAIN) != 0;
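Review bot: The new selector names `client_alpns` and `server_alpns` added to `tls_fields[]` are not documented anywhere in the part of the change shown here, which touches only `src/output-json-tls.c`. Operators building a detection pipeline on the custom TLS output would have to read this table to learn the names. If the user guide and the commented field list in the default configuration are not updated elsewhere, the two names should be added there. In the source, a one-line comment above the entries would help, for example `/* ALPN protocol names seen in the client and server hello, logged as arrays */`, with the wording checked against what `JsonTlsLogAlpns` actually emits.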
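Review bot: The two calls added to `JsonTlsLogJSONCustom` rely entirely on `JsonTlsLogAlpns`, whose body is outside this hunk, so neither its handling of a connection with no ALPN extension nor its encoding of the protocol names can be checked here. ALPN names presumably come straight from the peer's handshake and are therefore attacker-influenced bytes that end up in the EVE record. A comment at the call site would pin that contract down, e.g. `/* ALPN names are peer-supplied; JsonTlsLogAlpns is expected to emit them as escaped JSON strings and to skip the key when none were seen */`. A regression test whose custom list contains only `client_alpns` and `server_alpns` would confirm the keys appear, and are omitted, as intended. The enclosing function starts and ends outside the hunk.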