From: Jean-Paul Roliers Date: Sat, 4 Feb 2012 16:15:11 +0000 (+0100) Subject: tls: adding fingerprint to TLS Log information. X-Git-Tag: suricata-1.4beta1~72 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bf386a396d693043b77fa58006d23474d041f0fc;p=thirdparty%2Fsuricata.git tls: adding fingerprint to TLS Log information. Improve TLS logging by adding the certificate fingerprint to TLS Log file. Add the extending option to the tls-log entry in suricata.yaml.
---
diff --git a/src/log-tlslog.c b/src/log-tlslog.c
index 24602ad7db..bb1fae1b6a 100644
--- a/src/log-tlslog.c
+++ b/src/log-tlslog.c
@@ -54,6 +54,9 @@
 #define OUTPUT_BUFFER_SIZE 65535
+#define LOG_TLS_DEFAULT 0
+#define LOG_TLS_EXTENDED 1
+
 TmEcode LogTlsLog(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
 TmEcode LogTlsLogIPv4(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
 TmEcode LogTlsLogIPv6(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
@@ -121,6 +124,13 @@ static void CreateTimeString(const struct timeval *ts, char *str, size_t size)
 snprintf(str, size, "%02d/%02d/%02d-%02d:%02d:%02d.%06u", t->tm_mon + 1, t->tm_mday, t->tm_year + 1900, t->tm_hour, t->tm_min, t->tm_sec, (uint32_t) ts->tv_usec);
 }
+static void LogTlsLogExtended(LogTlsLogThread *aft, SSLState * state)
+{
+ if (state->server_connp.cert0_fingerprint != NULL) {
+ MemBufferWriteString(aft->buffer, " SHA1='%s'\n", state->server_connp.cert0_fingerprint);
+ }
+}
+
 static TmEcode LogTlsLogIPWrapper(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq, int ipproto)
 {
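Review bot: In LogTlsLogExtended the record terminator is written only inside the `cert0_fingerprint != NULL` branch, while the caller in the `@@ -195` hunk dropped the `\n` from its format string and now writes one itself only on the non-extended `else` path; with `extended: yes` and a server state that carries no fingerprint, the record is left unterminated and the next record is appended to the same line, which breaks any line-oriented consumer of tls.log. Move the newline out of the conditional: keep `MemBufferWriteString(aft->buffer, " SHA1='%s'", state->server_connp.cert0_fingerprint);` inside the branch and add an unconditional `MemBufferWriteString(aft->buffer, "\n");` after it, so the helper always terminates the record whatever fields are available. The helper only reads `state`, so `const SSLState *state` (and `*state` rather than `* state`, matching the other prototypes in the file) would document that. A one-line header such as `/* Append the optional extended fields (currently the SHA1 certificate fingerprint) and the record terminator. */` would also help, since responsibility for line termination is otherwise split between the caller and this helper.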
@@ -195,11 +205,16 @@ static TmEcode LogTlsLogIPWrapper(ThreadVars *tv, Packet *p, void *data, PacketQ
 MemBufferReset(aft->buffer);
 MemBufferWriteString(aft->buffer,
- "%s %s:%d -> %s:%d TLS: Subject='%s' Issuerdn='%s'\n",
+ "%s %s:%d -> %s:%d TLS: Subject='%s' Issuerdn='%s'",
 timebuf, srcip, sp, dstip, dp, ssl_state->server_connp.cert0_subject, ssl_state->server_connp.cert0_issuerdn);
 AppLayerTransactionUpdateLoggedId(p->flow);
+ if (hlog->flags & LOG_TLS_EXTENDED) {
+ LogTlsLogExtended(aft, ssl_state);
+ } else {
+ MemBufferWriteString(aft->buffer, "\n");
+ }
 aft->tls_cnt ++;
@@ -321,6 +336,16 @@ OutputCtx *LogTlsLogInitCtx(ConfNode *conf)
 return NULL;
 tlslog_ctx->file_ctx = file_ctx;
+ const char *extended = ConfNodeLookupChildValue(conf, "extended");
+ if (extended == NULL) {
+ tlslog_ctx->flags |= LOG_TLS_DEFAULT;
+ } else {
+ if (ConfValIsTrue(extended)) {
+ tlslog_ctx->flags |= LOG_TLS_EXTENDED;
+ }
+ }
+
+
 OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
 if (output_ctx == NULL)
 return NULL;
diff --git a/suricata.yaml.in b/suricata.yaml.in
index f51cd4a501..e6ce8bacc9 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -79,6 +79,7 @@ outputs:
 - tls-log:
 enabled: no # Log TLS connections.
 filename: tls.log # File to store TLS logs.
+ #extended: yes # Log extended information like fingerprint
 # a line based log to used with pcap file study.
 # this module is dedicated to offline pcap parsing (empty output
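Review bot: In LogTlsLogInitCtx the `extended == NULL` branch executes `tlslog_ctx->flags |= LOG_TLS_DEFAULT;`, and because LOG_TLS_DEFAULT is 0 (defined in the `@@ -54` hunk) that statement is a no-op, so the branch exists only to express the default, which a comment does more honestly. The same behaviour is `if (extended != NULL && ConfValIsTrue(extended)) { tlslog_ctx->flags |= LOG_TLS_EXTENDED; }` preceded by `/* extended output is off unless "extended: yes" is configured */`, which also removes the two stray blank lines added before the SCCalloc call. Either form relies on `tlslog_ctx->flags` being zero before the `|=`; tlslog_ctx is allocated above the hunk, so it is worth confirming it comes from a zeroing allocator or that flags is set explicitly. A value that is neither absent nor true (for example a typo) is silently treated as the default, and a warning at that point would make misconfiguration visible. LogTlsLogInitCtx starts and ends outside the hunk.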