From: Victor Julien
Date: Fri, 7 Mar 2025 16:42:04 +0000 (+0100)
Subject: eve/schema: map tls fields to keywords
X-Git-Tag: suricata-8.0.0-beta1~295
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b8ed01e23eeb614bf1ac12b1614370e9317d200b;p=thirdparty%2Fsuricata.git
eve/schema: map tls fields to keywords
---
diff --git a/etc/schema.json b/etc/schema.json
index adfa1c40f7..5f81e4e064 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -1298,7 +1298,8 @@
 "additionalProperties": false
 },
 "grouped": {
- "desription": "DNS fields grouped by type: alternative format, no direct keywords",
+ "desription":
+ "DNS fields grouped by type: alternative format, no direct keywords",
 "type": "object",
 "suricata": {
 "keywords": false
@@ -3828,6 +3829,11 @@
 "additionalProperties": false
 },
 "ja4": {
+ "suricata": {
+ "keywords": [
+ "ja4.hash"
+ ]
+ },
 "type": "string"
 },
 "sni": {
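Review bot: The reflowed key in the `grouped` definition is still misspelled as `"desription"`, so JSON Schema tooling treats it as an unknown annotation and the text never surfaces as the field's description; the rest of this diff spells the key `"description"` (see the subjectaltname entries). Since the line is being touched anyway, fix the key and keep it on one line: `"description": "DNS fields grouped by type: alternative format, no direct keywords",`. The remaining properties of the `grouped` definition lie outside the hunk.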
@@ -6736,52 +6742,116 @@
 "type": "object",
 "properties": {
 "certificate": {
- "type": "string"
+ "type": "string",
+ "suricata": {
+ "keywords": [
+ "tls.certs"
+ ]
+ }
 },
 "chain": {
 "type": "array",
 "minItems": 1,
 "items": {
 "type": "string"
+ },
+ "suricata": {
+ "keywords": [
+ "tls.certs",
+ "tls.cert_chain_len"
+ ]
 }
 },
 "client": {
 "type": "object",
 "properties": {
 "certificate": {
- "type": "string"
+ "type": "string",
+ "suricata": {
+ "keywords": [
+ "tls.certs"
+ ]
+ }
 },
 "chain": {
 "type": "array",
 "minItems": 1,
 "items": {
 "type": "string"
+ },
+ "suricata": {
+ "keywords": [
+ "tls.certs",
+ "tls.cert_chain_len"
+ ]
 }
 },
 "fingerprint": {
- "type": "string"
+ "type": "string",
+ "suricata": {
+ "keywords": [
+ "tls.cert_fingerprint",
+ "tls.fingerprint"
+ ]
+ }
 },
 "issuerdn": {
+ "suricata": {
+ "keywords": [
+ "tls.cert_issuer",
+ "tls.issuerdn"
+ ]
+ },
 "type": "string"
 },
 "subjectaltname": {
 "description": "TLS Subject Alternative Name field",
 "type": "array",
+ "suricata": {
+ "keywords": [
+ "tls.subjectaltname"
+ ]
+ },
 "items": {
 "type": "string"
 }
 },
 "notafter": {
- "$ref": "#/$defs/tls_date"
+ "$ref": "#/$defs/tls_date",
+ "suricata": {
+ "keywords": [
+ "tls_cert_notafter",
+ "tls_cert_expired",
+ "tls_cert_valid"
+ ]
+ }
 },
 "notbefore": {
- "$ref": "#/$defs/tls_date"
+ "$ref": "#/$defs/tls_date",
+ "suricata": {
+ "keywords": [
+ "tls_cert_notbefore",
+ "tls_cert_expired",
+ "tls_cert_valid"
+ ]
+ }
 },
 "serial": {
- "type": "string"
+ "type": "string",
+ "suricata": {
+ "keywords": [
+ "tls.cert_serial"
+ ]
+ }
 },
 "subject": {
- "type": "string"
+ "type": "string",
+ "suricata": {
+ "keywords": [
+ "tls.cert_subject",
+ "tls.subject"
+ ]
+ }
 }
 },
 "additionalProperties": false
@@ -6789,9 +6859,11 @@
 "client_alpns": {
 "description": "TLS client ALPN field(s)",
 "type": "array",
- "suricata": {
- "keywords": ["tls.alpn"]
- },
+ "suricata": {
+ "keywords": [
+ "tls.alpn"
+ ]
+ },
 "items": {
 "type": "string"
 }
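Review bot: The `client` certificate properties are mapped to exactly the same keywords as the server certificate (`tls.cert_fingerprint`/`tls.fingerprint`, `tls.cert_issuer`/`tls.issuerdn`, `tls.cert_subject`/`tls.subject`, `tls.cert_serial`, `tls_cert_notbefore`/`tls_cert_notafter`/`tls_cert_expired`/`tls_cert_valid`), yet nothing in the schema states that those keywords inspect the client-presented certificate. If, as in earlier releases, they only ever look at the server certificate, a rule author reading this schema will write `tls.cert_subject` expecting to match `tls.client.subject` and get a silent non-match, which matters for detections that key on client-auth certificates. Please confirm against the detect-tls-cert-* implementations before merging; where a keyword is server-only, either drop it from the `client.*` entries or mark them `"keywords": false` as the `grouped` definition in this file already does, and where a keyword does honor flow direction, a short `"description"` saying so on the client entry would help. The enclosing object, which appears to be the tls event itself, begins before this hunk.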
@@ -6799,54 +6871,121 @@
 "server_alpns": {
 "description": "TLS server ALPN field(s)",
 "type": "array",
+ "suricata": {
+ "keywords": [
+ "tls.alpn"
+ ]
+ },
 "items": {
 "type": "string"
 }
 },
 "fingerprint": {
- "type": "string"
+ "type": "string",
+ "suricata": {
+ "keywords": [
+ "tls.cert_fingerprint",
+ "tls.fingerprint"
+ ]
+ }
 },
 "from_proto": {
 "type": "string"
 },
 "issuerdn": {
+ "suricata": {
+ "keywords": [
+ "tls.cert_issuer",
+ "tls.issuerdn"
+ ]
+ },
 "type": "string"
 },
 "subjectaltname": {
 "description": "TLS Subject Alternative Name field",
 "type": "array",
+ "suricata": {
+ "keywords": [
+ "tls.subjectaltname"
+ ]
+ },
 "items": {
 "type": "string"
 }
 },
 "notafter": {
- "$ref": "#/$defs/tls_date"
+ "$ref": "#/$defs/tls_date",
+ "suricata": {
+ "keywords": [
+ "tls_cert_notafter",
+ "tls_cert_expired",
+ "tls_cert_valid"
+ ]
+ }
 },
 "notbefore": {
- "$ref": "#/$defs/tls_date"
+ "$ref": "#/$defs/tls_date",
+ "suricata": {
+ "keywords": [
+ "tls_cert_notbefore",
+ "tls_cert_expired",
+ "tls_cert_valid"
+ ]
+ }
 },
 "serial": {
- "type": "string"
+ "type": "string",
+ "suricata": {
+ "keywords": [
+ "tls.cert_serial"
+ ]
+ }
 },
 "session_resumed": {
 "type": "boolean"
 },
 "sni": {
- "type": "string"
+ "type": "string",
+ "suricata": {
+ "keywords": [
+ "tls.sni"
+ ]
+ }
 },
 "subject": {
- "type": "string"
+ "type": "string",
+ "suricata": {
+ "keywords": [
+ "tls.cert_subject",
+ "tls.subject"
+ ]
+ }
 },
 "version": {
- "type": "string"
+ "type": "string",
+ "suricata": {
+ "keywords": [
+ "tls.version"
+ ]
+ }
 },
 "ja3": {
 "type": "object",
 "properties": {
 "hash": {
+ "suricata": {
+ "keywords": [
+ "ja3.hash"
+ ]
+ },
 "type": "string"
 },
 "string": {
+ "suricata": {
+ "keywords": [
+ "ja3s.string"
+ ]
+ },
 "type": "string"
 }
 },
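Review bot: In the `ja3` object the `string` property is mapped to `ja3s.string`, while its sibling `hash` is mapped to `ja3.hash`; this looks like a copy/paste from the ja3s block in the next hunk, and it makes the schema claim that `tls.ja3.string` is what the ja3s keyword matches. A rule or tooling that derives keyword suggestions from this mapping would point authors at the server-side fingerprint when they mean the client's. The mapping should read `"ja3.string"`. The `ja3` object's `additionalProperties` line and closing brace lie outside the hunk.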
@@ -6856,15 +6995,30 @@
 "type": "object",
 "properties": {
 "hash": {
+ "suricata": {
+ "keywords": [
+ "ja3s.hash"
+ ]
+ },
 "type": "string"
 },
 "string": {
+ "suricata": {
+ "keywords": [
+ "ja3s.string"
+ ]
+ },
 "type": "string"
 }
 },
 "additionalProperties": false
 },
 "ja4": {
+ "suricata": {
+ "keywords": [
+ "ja4.hash"
+ ]
+ },
 "type": "string"
 }
 },