tls/eve: convert to jsonbuilder

pull/5012/head
Jason Ish 6 years ago committed by Victor Julien
parent be8fa5da43
commit 037c449b85

@ -131,15 +131,12 @@ static void AlertJsonTls(const Flow *f, JsonBuilder *js)
{
SSLState *ssl_state = (SSLState *)FlowGetAppState(f);
if (ssl_state) {
json_t *tjs = json_object();
if (unlikely(tjs == NULL))
return;
jb_open_object(js, "tls");
JsonTlsLogJSONBasic(tjs, ssl_state);
JsonTlsLogJSONExtended(tjs, ssl_state);
JsonTlsLogJSONBasic(js, ssl_state);
JsonTlsLogJSONExtended(js, ssl_state);
jb_set_jsont(js, "tls", tjs);
json_decref(tjs);
jb_close(js);
}
return;
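Review bot: AlertJsonTls now calls JsonTlsLogJSONBasic() and then JsonTlsLogJSONExtended() on the same builder, and JsonTlsLogJSONExtended() itself begins with a call to JsonTlsLogJSONBasic(), as the hunk for that function further down this page shows; with jansson the repeated json_object_set_new() calls replaced the existing keys, but if JsonBuilder writes its output as it goes, as the open/close API suggests, subject, issuerdn, session_resumed and the other basic fields will be emitted twice inside the `tls` object. Dropping the direct call, so the body reads `jb_open_object(js, "tls"); JsonTlsLogJSONExtended(js, ssl_state); jb_close(js);`, keeps the same field set without the duplicates. The return value of `jb_open_object()` is also ignored here, whereas the old code returned when json_object() failed; if the open can report failure, the two loggers should not run on a builder that has no open object. AlertJsonTls's closing brace lies outside the hunk.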

@ -110,23 +110,23 @@ typedef struct JsonTlsLogThread_ {
MemBuffer *buffer;
} JsonTlsLogThread;
static void JsonTlsLogSubject(json_t *js, SSLState *ssl_state)
static void JsonTlsLogSubject(JsonBuilder *js, SSLState *ssl_state)
{
if (ssl_state->server_connp.cert0_subject) {
json_object_set_new(js, "subject",
SCJsonString(ssl_state->server_connp.cert0_subject));
jb_set_string(js, "subject",
ssl_state->server_connp.cert0_subject);
}
}
static void JsonTlsLogIssuer(json_t *js, SSLState *ssl_state)
static void JsonTlsLogIssuer(JsonBuilder *js, SSLState *ssl_state)
{
if (ssl_state->server_connp.cert0_issuerdn) {
json_object_set_new(js, "issuerdn",
SCJsonString(ssl_state->server_connp.cert0_issuerdn));
jb_set_string(js, "issuerdn",
ssl_state->server_connp.cert0_issuerdn);
}
}
static void JsonTlsLogSessionResumed(json_t *js, SSLState *ssl_state)
static void JsonTlsLogSessionResumed(JsonBuilder *js, SSLState *ssl_state)
{
if (ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) {
/* Only log a session as 'resumed' if a certificate has not
@ -135,43 +135,43 @@ static void JsonTlsLogSessionResumed(json_t *js, SSLState *ssl_state)
ssl_state->server_connp.cert0_subject == NULL) &&
(ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) &&
((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) {
json_object_set_new(js, "session_resumed", json_boolean(true));
jb_set_bool(js, "session_resumed", true);
}
}
}
static void JsonTlsLogFingerprint(json_t *js, SSLState *ssl_state)
static void JsonTlsLogFingerprint(JsonBuilder *js, SSLState *ssl_state)
{
if (ssl_state->server_connp.cert0_fingerprint) {
json_object_set_new(js, "fingerprint",
SCJsonString(ssl_state->server_connp.cert0_fingerprint));
jb_set_string(js, "fingerprint",
ssl_state->server_connp.cert0_fingerprint);
}
}
static void JsonTlsLogSni(json_t *js, SSLState *ssl_state)
static void JsonTlsLogSni(JsonBuilder *js, SSLState *ssl_state)
{
if (ssl_state->client_connp.sni) {
json_object_set_new(js, "sni",
SCJsonString(ssl_state->client_connp.sni));
jb_set_string(js, "sni",
ssl_state->client_connp.sni);
}
}
static void JsonTlsLogSerial(json_t *js, SSLState *ssl_state)
static void JsonTlsLogSerial(JsonBuilder *js, SSLState *ssl_state)
{
if (ssl_state->server_connp.cert0_serial) {
json_object_set_new(js, "serial",
SCJsonString(ssl_state->server_connp.cert0_serial));
jb_set_string(js, "serial",
ssl_state->server_connp.cert0_serial);
}
}
static void JsonTlsLogVersion(json_t *js, SSLState *ssl_state)
static void JsonTlsLogVersion(JsonBuilder *js, SSLState *ssl_state)
{
char ssl_version[SSL_VERSION_MAX_STRLEN];
SSLVersionToString(ssl_state->server_connp.version, ssl_version);
json_object_set_new(js, "version", json_string(ssl_version));
jb_set_string(js, "version", ssl_version);
}
static void JsonTlsLogNotBefore(json_t *js, SSLState *ssl_state)
static void JsonTlsLogNotBefore(JsonBuilder *js, SSLState *ssl_state)
{
if (ssl_state->server_connp.cert0_not_before != 0) {
char timebuf[64];
@ -179,11 +179,11 @@ static void JsonTlsLogNotBefore(json_t *js, SSLState *ssl_state)
tv.tv_sec = ssl_state->server_connp.cert0_not_before;
tv.tv_usec = 0;
CreateUtcIsoTimeString(&tv, timebuf, sizeof(timebuf));
json_object_set_new(js, "notbefore", json_string(timebuf));
jb_set_string(js, "notbefore", timebuf);
}
}
static void JsonTlsLogNotAfter(json_t *js, SSLState *ssl_state)
static void JsonTlsLogNotAfter(JsonBuilder *js, SSLState *ssl_state)
{
if (ssl_state->server_connp.cert0_not_after != 0) {
char timebuf[64];
@ -191,68 +191,65 @@ static void JsonTlsLogNotAfter(json_t *js, SSLState *ssl_state)
tv.tv_sec = ssl_state->server_connp.cert0_not_after;
tv.tv_usec = 0;
CreateUtcIsoTimeString(&tv, timebuf, sizeof(timebuf));
json_object_set_new(js, "notafter", json_string(timebuf));
jb_set_string(js, "notafter", timebuf);
}
}
static void JsonTlsLogJa3Hash(json_t *js, SSLState *ssl_state)
static void JsonTlsLogJa3Hash(JsonBuilder *js, SSLState *ssl_state)
{
if (ssl_state->client_connp.ja3_hash != NULL) {
json_object_set_new(js, "hash",
json_string(ssl_state->client_connp.ja3_hash));
jb_set_string(js, "hash",
ssl_state->client_connp.ja3_hash);
}
}
static void JsonTlsLogJa3String(json_t *js, SSLState *ssl_state)
static void JsonTlsLogJa3String(JsonBuilder *js, SSLState *ssl_state)
{
if ((ssl_state->client_connp.ja3_str != NULL) &&
ssl_state->client_connp.ja3_str->data != NULL) {
json_object_set_new(js, "string",
json_string(ssl_state->client_connp.ja3_str->data));
jb_set_string(js, "string",
ssl_state->client_connp.ja3_str->data);
}
}
static void JsonTlsLogJa3(json_t *js, SSLState *ssl_state)
static void JsonTlsLogJa3(JsonBuilder *js, SSLState *ssl_state)
{
json_t *tjs = json_object();
if (unlikely(tjs == NULL))
return;
jb_open_object(js, "ja3");
JsonTlsLogJa3Hash(tjs, ssl_state);
JsonTlsLogJa3String(tjs, ssl_state);
JsonTlsLogJa3Hash(js, ssl_state);
JsonTlsLogJa3String(js, ssl_state);
json_object_set_new(js, "ja3", tjs);
jb_close(js);
}
static void JsonTlsLogJa3SHash(json_t *js, SSLState *ssl_state)
static void JsonTlsLogJa3SHash(JsonBuilder *js, SSLState *ssl_state)
{
if (ssl_state->server_connp.ja3_hash != NULL) {
json_object_set_new(js, "hash",
json_string(ssl_state->server_connp.ja3_hash));
jb_set_string(js, "hash",
ssl_state->server_connp.ja3_hash);
}
}
static void JsonTlsLogJa3SString(json_t *js, SSLState *ssl_state)
static void JsonTlsLogJa3SString(JsonBuilder *js, SSLState *ssl_state)
{
if ((ssl_state->server_connp.ja3_str != NULL) &&
ssl_state->server_connp.ja3_str->data != NULL) {
json_object_set_new(js, "string",
json_string(ssl_state->server_connp.ja3_str->data));
jb_set_string(js, "string",
ssl_state->server_connp.ja3_str->data);
}
}
static void JsonTlsLogJa3S(json_t *js, SSLState *ssl_state)
static void JsonTlsLogJa3S(JsonBuilder *js, SSLState *ssl_state)
{
json_t *tjs = json_object();
if (unlikely(tjs == NULL))
return;
jb_open_object(js, "ja3s");
JsonTlsLogJa3SHash(tjs, ssl_state);
JsonTlsLogJa3SString(tjs, ssl_state);
JsonTlsLogJa3SHash(js, ssl_state);
JsonTlsLogJa3SString(js, ssl_state);
json_object_set_new(js, "ja3s", tjs);
jb_close(js);
}
static void JsonTlsLogCertificate(json_t *js, SSLState *ssl_state)
static void JsonTlsLogCertificate(JsonBuilder *js, SSLState *ssl_state)
{
if (TAILQ_EMPTY(&ssl_state->server_connp.certs)) {
return;
@ -267,20 +264,17 @@ static void JsonTlsLogCertificate(json_t *js, SSLState *ssl_state)
uint8_t encoded[len];
if (Base64Encode(cert->cert_data, cert->cert_len, encoded, &len) ==
SC_BASE64_OK) {
json_object_set_new(js, "certificate", json_string((char *)encoded));
jb_set_string(js, "certificate", (char *)encoded);
}
}
static void JsonTlsLogChain(json_t *js, SSLState *ssl_state)
static void JsonTlsLogChain(JsonBuilder *js, SSLState *ssl_state)
{
if (TAILQ_EMPTY(&ssl_state->server_connp.certs)) {
return;
}
json_t *chain = json_array();
if (chain == NULL) {
return;
}
jb_open_array(js, "chain");
SSLCertsChain *cert;
TAILQ_FOREACH(cert, &ssl_state->server_connp.certs, next) {
@ -288,14 +282,14 @@ static void JsonTlsLogChain(json_t *js, SSLState *ssl_state)
uint8_t encoded[len];
if (Base64Encode(cert->cert_data, cert->cert_len, encoded, &len) ==
SC_BASE64_OK) {
json_array_append_new(chain, json_string((char *)encoded));
jb_append_string(js, (char *)encoded);
}
}
json_object_set_new(js, "chain", chain);
jb_close(js);
}
void JsonTlsLogJSONBasic(json_t *js, SSLState *ssl_state)
void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state)
{
/* tls subject */
JsonTlsLogSubject(js, ssl_state);
@ -307,7 +301,7 @@ void JsonTlsLogJSONBasic(json_t *js, SSLState *ssl_state)
JsonTlsLogSessionResumed(js, ssl_state);
}
static void JsonTlsLogJSONCustom(OutputTlsCtx *tls_ctx, json_t *js,
static void JsonTlsLogJSONCustom(OutputTlsCtx *tls_ctx, JsonBuilder *js,
SSLState *ssl_state)
{
/* tls subject */
@ -363,7 +357,7 @@ static void JsonTlsLogJSONCustom(OutputTlsCtx *tls_ctx, json_t *js,
JsonTlsLogJa3S(js, ssl_state);
}
void JsonTlsLogJSONExtended(json_t *tjs, SSLState * state)
void JsonTlsLogJSONExtended(JsonBuilder *tjs, SSLState * state)
{
JsonTlsLogJSONBasic(tjs, state);
@ -411,47 +405,43 @@ static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p,
return 0;
}
json_t *js = CreateJSONHeader(p, LOG_DIR_FLOW, "tls", NULL);
JsonBuilder *js = CreateEveHeader(p, LOG_DIR_FLOW, "tls", NULL);
if (unlikely(js == NULL)) {
return 0;
}
JsonAddCommonOptions(&tls_ctx->cfg, p, f, js);
EveAddCommonOptions(&tls_ctx->cfg, p, f, js);
json_t *tjs = json_object();
if (tjs == NULL) {
free(js);
return 0;
}
jb_open_object(js, "tls");
/* reset */
MemBufferReset(aft->buffer);
/* log custom fields */
if (tls_ctx->flags & LOG_TLS_CUSTOM) {
JsonTlsLogJSONCustom(tls_ctx, tjs, ssl_state);
JsonTlsLogJSONCustom(tls_ctx, js, ssl_state);
}
/* log extended */
else if (tls_ctx->flags & LOG_TLS_EXTENDED) {
JsonTlsLogJSONExtended(tjs, ssl_state);
JsonTlsLogJSONExtended(js, ssl_state);
}
/* log basic */
else {
JsonTlsLogJSONBasic(tjs, ssl_state);
JsonTlsLogJSONBasic(js, ssl_state);
}
/* print original application level protocol when it have been changed
because of STARTTLS, HTTP CONNECT, or similar. */
if (f->alproto_orig != ALPROTO_UNKNOWN) {
json_object_set_new(tjs, "from_proto",
json_string(AppLayerGetProtoName(f->alproto_orig)));
jb_set_string(js, "from_proto",
AppLayerGetProtoName(f->alproto_orig));
}
json_object_set_new(js, "tls", tjs);
/* Close the tls object. */
jb_close(js);
OutputJSONBuffer(js, tls_ctx->file_ctx, &aft->buffer);
json_object_clear(js);
json_decref(js);
OutputJsonBuilderBuffer(js, tls_ctx->file_ctx, &aft->buffer);
jb_free(js);
return 0;
}
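Review bot: The first hunk of this file (JsonTlsLogSubject through JsonTlsLogSerial) drops the SCJsonString() wrapper and passes cert0_subject, cert0_issuerdn, cert0_fingerprint, sni and cert0_serial straight to jb_set_string(); these values originate from the remote peer, so it is worth confirming that jb_set_string() applies the same escaping that SCJsonString() did, and recording that at JsonTlsLogSubject with a comment such as `/* jb_set_string escapes the value itself; SCJsonString is no longer needed */`. In JsonTlsLogger the result of `jb_open_object(js, "tls")` is not checked, while the code it replaces returned when json_object() failed; if jb_open_object can report failure, the logger should bail out before the field writers run, e.g. `if (!jb_open_object(js, "tls")) { jb_free(js); return 0; }`. The same unchecked open appears in JsonTlsLogJa3, JsonTlsLogJa3S and, for jb_open_array, in JsonTlsLogChain, where the old code did test the json_array() result. JsonTlsLogger's signature and opening lines lie outside the hunk.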

@ -28,7 +28,7 @@ void JsonTlsLogRegister(void);
#include "app-layer-ssl.h"
void JsonTlsLogJSONBasic(json_t *js, SSLState *ssl_state);
void JsonTlsLogJSONExtended(json_t *js, SSLState *ssl_state);
void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state);
void JsonTlsLogJSONExtended(JsonBuilder *js, SSLState *ssl_state);
#endif /* __OUTPUT_JSON_TLS_H__ */
