* "client_handshake": structure containing "version", "ciphers" ([u16]), "exts" ([u16]), "sig_algs" ([u16]),
for client hello supported cipher suites, extensions, and signature algorithms,
respectively, in the order that they're mentioned (ie. unsorted)
+* "server_handshake": structure containing "version", "chosen cipher", "exts" ([u16]), for server hello
+ in the order that they're mentioned (ie. unsorted)
Examples
~~~~~~~~
}
}
},
+ "server_handshake": {
+ "type": "object",
+ "properties": {
+ "version": {
+ "description": "TLS version in server hello",
+ "type": "string"
+ },
+ "cipher": {
+ "description": "TLS server's chosen cipher",
+ "type": "integer"
+ },
+ "exts": {
+ "description": "TLS server extension(s)",
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "type": "integer"
+ }
+ }
+ }
+ },
"server_alpns": {
"description": "TLS server ALPN field(s)",
"type": "array",
Ok(())
}
+ fn log_first_cipher(&self, js: &mut JsonBuilder) -> Result<(), JsonError> {
+ let chosen = self.ciphersuites.first().map(|&v| *v).unwrap_or(0);
+ js.set_uint("cipher", chosen)?;
+ Ok(())
+ }
+
fn log_ciphers(&self, js: &mut JsonBuilder) -> Result<(), JsonError> {
if self.ciphersuites.is_empty() {
return Ok(());
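Review bot: `log_first_cipher` writes `cipher: 0` when `self.ciphersuites` is empty, and 0 is itself an assigned suite value (TLS_NULL_WITH_NULL_NULL), so a record where no suite was stored cannot be told apart from a server that selected the NULL suite. The parser hunk that calls `SCTLSHandshakeAddCipher` skips GREASE values, so an empty list on the server side looks reachable for a nonconforming server hello. Omitting the key in that case would match the early return in `log_ciphers` just below: `if let Some(&v) = self.ciphersuites.first() { js.set_uint("cipher", *v)?; }`. The key written here is `cipher`, while the documentation text in this commit lists it as "chosen cipher"; one of the two should change. `log_ciphers` continues outside the hunk.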
return hs.log_ciphers(js.as_mut().unwrap()).is_ok()
}
+#[no_mangle]
+pub unsafe extern "C" fn SCTLSHandshakeLogFirstCipher(hs: &HandshakeParams, js: *mut JsonBuilder) -> bool {
+ if js.is_null() {
+ return false;
+ }
+ return hs.log_first_cipher(js.as_mut().unwrap()).is_ok()
+}
+
#[no_mangle]
pub unsafe extern "C" fn SCTLSHandshakeLogExtensions(hs: &HandshakeParams, js: *mut JsonBuilder) -> bool {
if js.is_null() {
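Review bot: `SCTLSHandshakeLogFirstCipher` is an `unsafe extern "C"` entry point with no `# Safety` section, and only `js` is null-checked; `hs` is typed `&HandshakeParams`, so a null or dangling pointer passed from C is undefined behaviour before the first line runs. I would add a doc comment: `/// # Safety` followed by `/// hs must point to a live HandshakeParams; js may be null, in which case false is returned.` The null check plus `js.as_mut().unwrap()` could also collapse into `let Some(js) = js.as_mut() else { return false };`, which removes the panic path across the FFI boundary. `SCTLSHandshakeLogExtensions` below starts inside the hunk and ends outside it.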
uint16_t version = (uint16_t)(*input << 8) | *(input + 1);
ssl_state->curr_connp->version = version;
- if (ssl_state->current_flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) {
+ if (ssl_state->current_flags &
+ (SSL_AL_FLAG_STATE_CLIENT_HELLO | SSL_AL_FLAG_STATE_SERVER_HELLO)) {
SCTLSHandshakeSetTLSVersion(ssl_state->curr_connp->hs, version);
}
input += 2;
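Review bot: The widened condition now reaches `SCTLSHandshakeSetTLSVersion(ssl_state->curr_connp->hs, version)` while a server hello is being parsed, so `curr_connp->hs` must already be allocated for the server direction; that allocation is not visible in these hunks, and the logger's `server_connp.hs == NULL` check suggests the pointer can be null. It is worth confirming this, or adding `ssl_state->curr_connp->hs != NULL` to the condition, before the setters are reached. The same applies to the `SCTLSHandshakeAddCipher` and `SCTLSHandshakeAddExtension` call sites changed in the same way. Since the mask `(SSL_AL_FLAG_STATE_CLIENT_HELLO | SSL_AL_FLAG_STATE_SERVER_HELLO)` is now repeated three times, a named macro would keep the sites in sync. The enclosing function starts and ends outside the hunk.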
if (TLSDecodeValueIsGREASE(cipher_suite) != 1) {
- if (ssl_state->current_flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) {
+ if (ssl_state->current_flags &
+ (SSL_AL_FLAG_STATE_CLIENT_HELLO | SSL_AL_FLAG_STATE_SERVER_HELLO)) {
SCTLSHandshakeAddCipher(ssl_state->curr_connp->hs, cipher_suite);
}
if (enable_ja3) {
}
}
- if (ssl_state->current_flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) {
+ if (ssl_state->current_flags &
+ (SSL_AL_FLAG_STATE_CLIENT_HELLO | SSL_AL_FLAG_STATE_SERVER_HELLO)) {
if (TLSDecodeValueIsGREASE(ext_type) != 1) {
SCTLSHandshakeAddExtension(ssl_state->curr_connp->hs, ext_type);
}
#define LOG_TLS_FIELD_CLIENT_ALPNS BIT_U64(18)
#define LOG_TLS_FIELD_SERVER_ALPNS BIT_U64(19)
#define LOG_TLS_FIELD_CLIENT_HANDSHAKE BIT_U64(20)
+#define LOG_TLS_FIELD_SERVER_HANDSHAKE BIT_U64(21)
typedef struct {
const char *name;
{ "client_alpns", LOG_TLS_FIELD_CLIENT_ALPNS },
{ "server_alpns", LOG_TLS_FIELD_SERVER_ALPNS },
{ "client_handshake", LOG_TLS_FIELD_CLIENT_HANDSHAKE },
+ { "server_handshake", LOG_TLS_FIELD_SERVER_HANDSHAKE },
{ NULL, -1 },
// clang-format on
};
SCJbClose(js);
}
+static void JsonTlsLogServerHandshake(SCJsonBuilder *js, SSLState *ssl_state)
+{
+ if (ssl_state->server_connp.hs == NULL) {
+ return;
+ }
+
+ if (SCTLSHandshakeIsEmpty(ssl_state->server_connp.hs)) {
+ return;
+ }
+
+ SCJbOpenObject(js, "server_handshake");
+
+ SCTLSHandshakeLogVersion(ssl_state->server_connp.hs, js);
+ SCTLSHandshakeLogFirstCipher(ssl_state->server_connp.hs, js);
+ SCTLSHandshakeLogExtensions(ssl_state->server_connp.hs, js);
+
+ SCJbClose(js);
+}
+
static void JsonTlsLogFields(SCJsonBuilder *js, SSLState *ssl_state, uint64_t fields)
{
/* tls subject */
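Review bot: `JsonTlsLogServerHandshake` discards the `bool` results of `SCTLSHandshakeLogVersion`, `SCTLSHandshakeLogFirstCipher` and `SCTLSHandshakeLogExtensions`, so a builder failure leaves a partly filled `server_handshake` object with nothing to show that a field was dropped. If that is intended, and it presumably mirrors the client-side logger, a comment above the three calls would say so: `/* best effort: a field that fails to serialize is omitted, the object is still closed */`. The function also has no header comment stating that it emits nothing when `server_connp.hs` is NULL or `SCTLSHandshakeIsEmpty` reports no data. `JsonTlsLogFields` starts in this hunk and continues outside it.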
if (fields & LOG_TLS_FIELD_CLIENT_HANDSHAKE)
JsonTlsLogClientHandshake(js, ssl_state);
+ /* tls server handshake parameters */
+ if (fields & LOG_TLS_FIELD_SERVER_HANDSHAKE)
+ JsonTlsLogServerHandshake(js, ssl_state);
+
if (fields & LOG_TLS_FIELD_CLIENT) {
const bool log_cert = (fields & LOG_TLS_FIELD_CLIENT_CERT) != 0;
const bool log_chain = (fields & LOG_TLS_FIELD_CLIENT_CHAIN) != 0;
#session-resumption: no
# custom controls which TLS fields that are included in eve-log
# WARNING: enabling custom disables extended logging.
- #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4, subjectaltname, client, client_certificate, client_chain, client_alpns, server_alpns, client_handshake]
+ #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4, subjectaltname, client, client_certificate, client_chain, client_alpns, server_alpns, client_handshake, server_handshake]
- files:
force-magic: no # force logging magic on all logged files
# force logging of checksums, available hash functions are md5,