From: Victor Julien
Date: Fri, 31 May 2024 12:33:31 +0000 (+0200)
Subject: eve/tls: log ALPN for client and server
X-Git-Tag: suricata-8.0.0-beta1~1136
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c79a382e4234abb150c2cd899f7c8e5393001324;p=thirdparty%2Fsuricata.git

eve/tls: log ALPN for client and server

Part of the extended logging. Logs `client_alpns` and `server_alpns` arrays in the tls object. Ticket: #7055.
---
diff --git a/doc/userguide/output/eve/eve-json-format.rst b/doc/userguide/output/eve/eve-json-format.rst
index 9da9e82d3e..2ea003fb96 100644
--- a/doc/userguide/output/eve/eve-json-format.rst
+++ b/doc/userguide/output/eve/eve-json-format.rst
@@ -1046,6 +1046,8 @@ If extended logging is enabled the following fields are also included:
 * "ja3": The JA3 fingerprint consisting of both a JA3 hash and a JA3 string
 * "ja3s": The JA3S fingerprint consisting of both a JA3 hash and a JA3 string
 * "ja4": The JA4 client fingerprint for TLS
+* "client_alpns": array of strings with ALPN values
+* "server_alpns": array of strings with ALPN values
 
 JA3 and JA4 must be enabled in the Suricata config file (set 'app-layer.protocols.tls.ja3-fingerprints'/'app-layer.protocols.tls.ja4-fingerprints' to 'yes').
diff --git a/src/output-json-tls.c b/src/output-json-tls.c
index 821e765539..406f6aca01 100644
--- a/src/output-json-tls.c
+++ b/src/output-json-tls.c
@@ -263,6 +263,24 @@ static void JsonTlsLogJa3S(JsonBuilder *js, SSLState *ssl_state)
     }
 }
 
+static void JsonTlsLogAlpns(JsonBuilder *js, SSLStateConnp *connp, const char *object)
+{
+    if (TAILQ_EMPTY(&connp->alpns)) {
+        return;
+    }
+
+    SSLAlpns *a = TAILQ_FIRST(&connp->alpns);
+    if (a == NULL) {
+        return;
+    }
+
+    jb_open_array(js, object);
+    TAILQ_FOREACH (a, &connp->alpns, next) {
+        jb_append_string_from_bytes(js, a->alpn, a->size);
+    }
+    jb_close(js);
+}
+
 static void JsonTlsLogCertificate(JsonBuilder *js, SSLStateConnp *connp)
 {
     if (TAILQ_EMPTY(&connp->certs)) {
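Review bot: The `if (a == NULL)` guard in JsonTlsLogAlpns is dead code: TAILQ_EMPTY() is true exactly when TAILQ_FIRST() is NULL, so once the first early return has not fired the second never can. Drop that second check and declare the loop iterator where it is used, `SSLAlpns *a;` directly above the `TAILQ_FOREACH`, so the function reads as "emit the array only when at least one entry exists". A short header comment would also help, e.g. `/* Log one side's ALPN list as a JSON array named by object; emits nothing when the list is empty. */`. Since these values come from the peer's handshake, that comment is also the place to record that the function relies on jb_append_string_from_bytes() to escape arbitrary bytes for JSON — presumably it does, but worth confirming.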
@@ -457,6 +475,9 @@ static bool JsonTlsLogJSONExtendedAux(void *vtx, JsonBuilder *tjs)
     /* tls ja4 */
     JsonTlsLogSCJA4(tjs, state);
 
+    JsonTlsLogAlpns(tjs, &state->client_connp, "client_alpns");
+    JsonTlsLogAlpns(tjs, &state->server_connp, "server_alpns");
+
     if (HasClientCert(&state->client_connp)) {
         jb_open_object(tjs, "client");
         JsonTlsLogClientCert(tjs, &state->client_connp, false, false);
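Review bot: The two new JsonTlsLogAlpns() calls lack the `/* tls ... */` marker that precedes the other logging calls in this function (`/* tls ja4 */` is visible just above); for consistency add `/* tls alpn */` on the line before the client call. JsonTlsLogJSONExtendedAux begins before and continues after this hunk.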