tls: adding fingerprint to TLS Log information.

Improve TLS logging by adding the certificate fingerprint to TLS Log file. Add the extending option to the tls-log entry in suricata.yaml.
13 years ago · bf386a396d
parent 644c1b3cad
commit bf386a396d
2 changed files with 27 additions and 1 deletions
--- a/src/log-tlslog.c
+++ b/src/log-tlslog.c
@ -54,6 +54,9 @@

 #define OUTPUT_BUFFER_SIZE 65535

+#define LOG_TLS_DEFAULT     0
+#define LOG_TLS_EXTENDED    1
+
 TmEcode LogTlsLog(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
 TmEcode LogTlsLogIPv4(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
 TmEcode LogTlsLogIPv6(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
@ -121,6 +124,13 @@ static void CreateTimeString(const struct timeval *ts, char *str, size_t size)
    snprintf(str, size, "%02d/%02d/%02d-%02d:%02d:%02d.%06u", t->tm_mon + 1, t->tm_mday, t->tm_year + 1900, t->tm_hour, t->tm_min, t->tm_sec, (uint32_t) ts->tv_usec);
 }

+static void LogTlsLogExtended(LogTlsLogThread *aft, SSLState * state)
+{
+    if (state->server_connp.cert0_fingerprint != NULL) {
+        MemBufferWriteString(aft->buffer, " SHA1='%s'\n", state->server_connp.cert0_fingerprint);
+    }
+}
+
 static TmEcode LogTlsLogIPWrapper(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq, int ipproto)
 {

@ -195,11 +205,16 @@ static TmEcode LogTlsLogIPWrapper(ThreadVars *tv, Packet *p, void *data, PacketQ
    MemBufferReset(aft->buffer);

    MemBufferWriteString(aft->buffer,
-                         "%s %s:%d -> %s:%d  TLS: Subject='%s' Issuerdn='%s'\n",
+                         "%s %s:%d -> %s:%d  TLS: Subject='%s' Issuerdn='%s'",
                         timebuf, srcip, sp, dstip, dp,
                         ssl_state->server_connp.cert0_subject, ssl_state->server_connp.cert0_issuerdn);

    AppLayerTransactionUpdateLoggedId(p->flow);
+    if (hlog->flags & LOG_TLS_EXTENDED) {
+        LogTlsLogExtended(aft, ssl_state);
+    } else {
+        MemBufferWriteString(aft->buffer, "\n");
+    }

    aft->tls_cnt ++;

@ -321,6 +336,16 @@ OutputCtx *LogTlsLogInitCtx(ConfNode *conf)
        return NULL;
    tlslog_ctx->file_ctx = file_ctx;

+    const char *extended = ConfNodeLookupChildValue(conf, "extended");
+    if (extended == NULL) {
+        tlslog_ctx->flags |= LOG_TLS_DEFAULT;
+    } else {
+        if (ConfValIsTrue(extended)) {
+            tlslog_ctx->flags |= LOG_TLS_EXTENDED;
+        }
+    }
+
+
    OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
    if (output_ctx == NULL)
        return NULL;
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -79,6 +79,7 @@ outputs:
  - tls-log:
      enabled: no  # Log TLS connections.
      filename: tls.log # File to store TLS logs.
+      #extended: yes # Log extended information like fingerprint

  # a line based log to used with pcap file study.
  # this module is dedicated to offline pcap parsing (empty output