From 47a7ebbbc2a97c2e2ae5e1bb0dfd3853960d89c5 Mon Sep 17 00:00:00 2001
From: Mats Klepsland
Date: Thu, 28 Dec 2017 22:45:50 +0100
Subject: [PATCH] doc: add JA3 fields to the TLS logger documentation

---
 doc/userguide/output/eve/eve-json-format.rst | 3 +++
 doc/userguide/output/eve/eve-json-output.rst | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/doc/userguide/output/eve/eve-json-format.rst b/doc/userguide/output/eve/eve-json-format.rst
index 66eb7c68a5..7004b1e108 100644
--- a/doc/userguide/output/eve/eve-json-format.rst
+++ b/doc/userguide/output/eve/eve-json-format.rst
@@ -383,6 +383,9 @@ If extended logging is enabled the following fields are also included:
 * "version": The SSL/TLS version used
 * "notbefore": The NotBefore field from the TLS certificate
 * "notafter": The NotAfter field from the TLS certificate
+* "ja3": The JA3 fingerprint consisting of both a JA3 hash and a JA3 string
+
+JA3 must be enabled in the Suricata config file (set 'app-layer.protocols.tls.ja3-fingerprints' to 'yes').
 
 In addition to this, custom logging also allows the following fields:
 
diff --git a/doc/userguide/output/eve/eve-json-output.rst b/doc/userguide/output/eve/eve-json-output.rst
index d137f7ec03..232ef26338 100644
--- a/doc/userguide/output/eve/eve-json-output.rst
+++ b/doc/userguide/output/eve/eve-json-output.rst
@@ -107,7 +107,7 @@ YAML::
 extended: yes # enable this for extended logging information
 # custom allows to control which tls fields that are included
 # in eve-log
-#custom: [subject, issuer, serial, fingerprint, sni, version, not_before, not_after, certificate, chain]
+#custom: [subject, issuer, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3]
 
 The default is to log certificate subject and issuer. If ``extended`` is enabled, then the log gets more verbose.