output-json-lua: log certificate serial number

9 years ago · 2b460b8d06
parent 2c1a36dd6e
commit 2b460b8d06
2 changed files with 24 additions and 7 deletions
--- a/src/output-json-tls.c
+++ b/src/output-json-tls.c
@ -67,12 +67,13 @@ SC_ATOMIC_DECLARE(unsigned int, cert_id);
 #define LOG_TLS_FIELD_VERSION     (1 << 0)
 #define LOG_TLS_FIELD_SUBJECT     (1 << 1)
 #define LOG_TLS_FIELD_ISSUER      (1 << 2)
-#define LOG_TLS_FIELD_FINGERPRINT (1 << 3)
-#define LOG_TLS_FIELD_NOTBEFORE   (1 << 4)
-#define LOG_TLS_FIELD_NOTAFTER    (1 << 5)
-#define LOG_TLS_FIELD_SNI         (1 << 6)
-#define LOG_TLS_FIELD_CERTIFICATE (1 << 7)
-#define LOG_TLS_FIELD_CHAIN       (1 << 8)
+#define LOG_TLS_FIELD_SERIAL      (1 << 3)
+#define LOG_TLS_FIELD_FINGERPRINT (1 << 4)
+#define LOG_TLS_FIELD_NOTBEFORE   (1 << 5)
+#define LOG_TLS_FIELD_NOTAFTER    (1 << 6)
+#define LOG_TLS_FIELD_SNI         (1 << 7)
+#define LOG_TLS_FIELD_CERTIFICATE (1 << 8)
+#define LOG_TLS_FIELD_CHAIN       (1 << 9)

 typedef struct {
    char *name;
@ -83,6 +84,7 @@ TlsFields tls_fields[] = {
    { "version",     LOG_TLS_FIELD_VERSION },
    { "subject",     LOG_TLS_FIELD_SUBJECT },
    { "issuer",      LOG_TLS_FIELD_ISSUER },
+    { "serial",      LOG_TLS_FIELD_SERIAL },
    { "fingerprint", LOG_TLS_FIELD_FINGERPRINT },
    { "not_before",  LOG_TLS_FIELD_NOTBEFORE },
    { "not_after",   LOG_TLS_FIELD_NOTAFTER },
@ -130,6 +132,14 @@ static void JsonTlsLogSni(json_t *js, SSLState *ssl_state)
    }
 }

+static void JsonTlsLogSerial(json_t *js, SSLState *ssl_state)
+{
+    if (ssl_state->server_connp.cert0_serial) {
+        json_object_set_new(js, "serial",
+                            json_string(ssl_state->server_connp.cert0_serial));
+    }
+}
+
 static void JsonTlsLogVersion(json_t *js, SSLState *ssl_state)
 {
    char ssl_version[SSL_VERSION_LENGTH + 1];
@ -250,6 +260,10 @@ static void JsonTlsLogJSONCustom(OutputTlsCtx *tls_ctx, json_t *js,
    if (tls_ctx->fields & LOG_TLS_FIELD_ISSUER)
        JsonTlsLogIssuer(js, ssl_state);

+    /* tls serial */
+    if (tls_ctx->fields & LOG_TLS_FIELD_SERIAL)
+        JsonTlsLogSerial(js, ssl_state);
+
    /* tls fingerprint */
    if (tls_ctx->fields & LOG_TLS_FIELD_FINGERPRINT)
        JsonTlsLogFingerprint(js, ssl_state);
@ -283,6 +297,9 @@ void JsonTlsLogJSONExtended(json_t *tjs, SSLState * state)
 {
    JsonTlsLogJSONBasic(tjs, state);

+    /* tls serial */
+    JsonTlsLogSerial(tjs, state);
+
    /* tls fingerprint */
    JsonTlsLogFingerprint(tjs, state);

--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -208,7 +208,7 @@ outputs:
            extended: yes     # enable this for extended logging information
            # custom allows to control which tls fields that are included
            # in eve-log
-            #custom: [subject, issuer, fingerprint, sni, version, not_before, not_after, certificate, chain]
+            #custom: [subject, issuer, serial, fingerprint, sni, version, not_before, not_after, certificate, chain]
        - files:
            force-magic: no   # force logging magic on all logged files
            # force logging of checksums, available hash functions are md5,