mirror of https://github.com/OISF/suricata
				
				
				
			tls: adding TLS Log support
Creation of the log-tlslog file in order to log tls message.
Need to add some information into suricata.yaml to work.
  - tls-log:
      enabled: yes	# Log TLS connections.
      filename: tls.log # File to store TLS logs.
			
			
				pull/32/head
			
			
		
							parent
							
								
									3eb0fd878d
								
							
						
					
					
						commit
						efdf96ccba
					
				| @ -0,0 +1,341 @@ | |||||||
|  | /* Copyright (C) 2007-2012 Open Information Security Foundation
 | ||||||
|  |  * | ||||||
|  |  * You can copy, redistribute or modify this Program under the terms of | ||||||
|  |  * the GNU General Public License version 2 as published by the Free | ||||||
|  |  * Software Foundation. | ||||||
|  |  * | ||||||
|  |  * This program is distributed in the hope that it will be useful, | ||||||
|  |  * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||||||
|  |  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the | ||||||
|  |  * GNU General Public License for more details. | ||||||
|  |  * | ||||||
|  |  * You should have received a copy of the GNU General Public License | ||||||
|  |  * version 2 along with this program; if not, write to the Free Software | ||||||
|  |  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA | ||||||
|  |  * 02110-1301, USA. | ||||||
|  |  */ | ||||||
|  | 
 | ||||||
|  | /**
 | ||||||
|  |  * \file | ||||||
|  |  * | ||||||
|  |  * \author Roliers Jean-Paul <popof.fpn@gmail.co> | ||||||
|  |  * \author Eric Leblond <eric@regit.org> | ||||||
|  |  * | ||||||
|  |  * Implements tls logging portion of the engine. | ||||||
|  |  */ | ||||||
|  | 
 | ||||||
|  | #include "suricata-common.h" | ||||||
|  | #include "debug.h" | ||||||
|  | #include "detect.h" | ||||||
|  | #include "pkt-var.h" | ||||||
|  | #include "conf.h" | ||||||
|  | 
 | ||||||
|  | #include "threads.h" | ||||||
|  | #include "threadvars.h" | ||||||
|  | #include "tm-threads.h" | ||||||
|  | 
 | ||||||
|  | #include "util-print.h" | ||||||
|  | #include "util-unittest.h" | ||||||
|  | 
 | ||||||
|  | #include "util-debug.h" | ||||||
|  | 
 | ||||||
|  | #include "output.h" | ||||||
|  | #include "log-tlslog.h" | ||||||
|  | #include "app-layer-ssl.h" | ||||||
|  | #include "app-layer.h" | ||||||
|  | #include "util-privs.h" | ||||||
|  | #include "util-buffer.h" | ||||||
|  | 
 | ||||||
|  | #include "util-logopenfile.h" | ||||||
|  | 
 | ||||||
|  | #define DEFAULT_LOG_FILENAME "tls.log" | ||||||
|  | 
 | ||||||
|  | #define MODULE_NAME "LogTlsLog" | ||||||
|  | 
 | ||||||
|  | #define OUTPUT_BUFFER_SIZE 65535 | ||||||
|  | 
 | ||||||
|  | TmEcode LogTlsLog(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *); | ||||||
|  | TmEcode LogTlsLogIPv4(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *); | ||||||
|  | TmEcode LogTlsLogIPv6(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *); | ||||||
|  | TmEcode LogTlsLogThreadInit(ThreadVars *, void *, void **); | ||||||
|  | TmEcode LogTlsLogThreadDeinit(ThreadVars *, void *); | ||||||
|  | void LogTlsLogExitPrintStats(ThreadVars *, void *); | ||||||
|  | static void LogTlsLogDeInitCtx(OutputCtx *); | ||||||
|  | 
 | ||||||
|  | void TmModuleLogTlsLogRegister(void) | ||||||
|  | { | ||||||
|  |     tmm_modules[TMM_LOGTLSLOG].name = MODULE_NAME; | ||||||
|  |     tmm_modules[TMM_LOGTLSLOG].ThreadInit = LogTlsLogThreadInit; | ||||||
|  |     tmm_modules[TMM_LOGTLSLOG].Func = LogTlsLog; | ||||||
|  |     tmm_modules[TMM_LOGTLSLOG].ThreadExitPrintStats = LogTlsLogExitPrintStats; | ||||||
|  |     tmm_modules[TMM_LOGTLSLOG].ThreadDeinit = LogTlsLogThreadDeinit; | ||||||
|  |     tmm_modules[TMM_LOGTLSLOG].RegisterTests = NULL; | ||||||
|  |     tmm_modules[TMM_LOGTLSLOG].cap_flags = 0; | ||||||
|  | 
 | ||||||
|  |     OutputRegisterModule(MODULE_NAME, "tls-log", LogTlsLogInitCtx); | ||||||
|  | 
 | ||||||
|  |     /* enable the logger for the app layer */ | ||||||
|  |     AppLayerRegisterLogger(ALPROTO_TLS); | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | void TmModuleLogTlsLogIPv4Register(void) | ||||||
|  | { | ||||||
|  |     tmm_modules[TMM_LOGTLSLOG4].name = "LogTlsLogIPv4"; | ||||||
|  |     tmm_modules[TMM_LOGTLSLOG4].ThreadInit = LogTlsLogThreadInit; | ||||||
|  |     tmm_modules[TMM_LOGTLSLOG4].Func = LogTlsLogIPv4; | ||||||
|  |     tmm_modules[TMM_LOGTLSLOG4].ThreadExitPrintStats = LogTlsLogExitPrintStats; | ||||||
|  |     tmm_modules[TMM_LOGTLSLOG4].ThreadDeinit = LogTlsLogThreadDeinit; | ||||||
|  |     tmm_modules[TMM_LOGTLSLOG4].RegisterTests = NULL; | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | void TmModuleLogTlsLogIPv6Register(void) | ||||||
|  | { | ||||||
|  |     tmm_modules[TMM_LOGTLSLOG6].name = "LogTlsLogIPv6"; | ||||||
|  |     tmm_modules[TMM_LOGTLSLOG6].ThreadInit = LogTlsLogThreadInit; | ||||||
|  |     tmm_modules[TMM_LOGTLSLOG6].Func = LogTlsLogIPv6; | ||||||
|  |     tmm_modules[TMM_LOGTLSLOG6].ThreadExitPrintStats = LogTlsLogExitPrintStats; | ||||||
|  |     tmm_modules[TMM_LOGTLSLOG6].ThreadDeinit = LogTlsLogThreadDeinit; | ||||||
|  |     tmm_modules[TMM_LOGTLSLOG6].RegisterTests = NULL; | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | typedef struct LogTlsFileCtx_ { | ||||||
|  |     LogFileCtx *file_ctx; | ||||||
|  |     uint32_t flags; /** Store mode */ | ||||||
|  | } LogTlsFileCtx; | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | typedef struct LogTlsLogThread_ { | ||||||
|  |     LogTlsFileCtx *tlslog_ctx; | ||||||
|  |     /** LogTlsFileCtx has the pointer to the file and a mutex to allow multithreading */ | ||||||
|  |     uint32_t tls_cnt; | ||||||
|  | 
 | ||||||
|  |     MemBuffer *buffer; | ||||||
|  | } LogTlsLogThread; | ||||||
|  | 
 | ||||||
|  | static void CreateTimeString(const struct timeval *ts, char *str, size_t size) | ||||||
|  | { | ||||||
|  |     time_t time = ts->tv_sec; | ||||||
|  |     struct tm local_tm; | ||||||
|  |     struct tm *t = (struct tm *) localtime_r(&time, &local_tm); | ||||||
|  | 
 | ||||||
|  |     snprintf(str, size, "%02d/%02d/%02d-%02d:%02d:%02d.%06u", t->tm_mon + 1, t->tm_mday, t->tm_year + 1900, t->tm_hour, t->tm_min, t->tm_sec, (uint32_t) ts->tv_usec); | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | static TmEcode LogTlsLogIPWrapper(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq, int ipproto) | ||||||
|  | { | ||||||
|  | 
 | ||||||
|  |     SCEnter(); | ||||||
|  |     LogTlsLogThread *aft = (LogTlsLogThread *) data; | ||||||
|  |     LogTlsFileCtx *hlog = aft->tlslog_ctx; | ||||||
|  | 
 | ||||||
|  |     char timebuf[64]; | ||||||
|  | 
 | ||||||
|  |     /* no flow, no tls state */ | ||||||
|  |     if (p->flow == NULL) { | ||||||
|  |         SCReturnInt(TM_ECODE_OK); | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|  |     /* check if we have TLS state or not */ | ||||||
|  |     FLOWLOCK_WRLOCK(p->flow); | ||||||
|  |     uint16_t proto = AppLayerGetProtoFromPacket(p); | ||||||
|  |     if (proto != ALPROTO_TLS) | ||||||
|  |         goto end; | ||||||
|  | 
 | ||||||
|  |     int r = AppLayerTransactionGetLoggedId(p->flow); | ||||||
|  | 
 | ||||||
|  |     if (r != 0) { | ||||||
|  |         goto end; | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|  |     SSLState *ssl_state = (SSLState *) AppLayerGetProtoStateFromPacket(p); | ||||||
|  |     if (ssl_state == NULL) { | ||||||
|  |         SCLogDebug("no tls state, so no request logging"); | ||||||
|  |         goto end; | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|  |     if (ssl_state->server_connp.cert0_issuerdn == NULL || ssl_state->server_connp.cert0_subject == NULL) | ||||||
|  |         goto end; | ||||||
|  | 
 | ||||||
|  |     CreateTimeString(&p->ts, timebuf, sizeof(timebuf)); | ||||||
|  |     char srcip[46], dstip[46]; | ||||||
|  |     Port sp, dp; | ||||||
|  |     if ((PKT_IS_TOSERVER(p))) { | ||||||
|  |         switch (ipproto) { | ||||||
|  |         case AF_INET: | ||||||
|  |             PrintInet(AF_INET, (const void *) GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip)); | ||||||
|  |             PrintInet(AF_INET, (const void *) GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip)); | ||||||
|  |             break; | ||||||
|  |         case AF_INET6: | ||||||
|  |             PrintInet(AF_INET6, (const void *) GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip)); | ||||||
|  |             PrintInet(AF_INET6, (const void *) GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip)); | ||||||
|  |             break; | ||||||
|  |         default: | ||||||
|  |             goto end; | ||||||
|  |         } | ||||||
|  |         sp = p->sp; | ||||||
|  |         dp = p->dp; | ||||||
|  |     } else { | ||||||
|  |         switch (ipproto) { | ||||||
|  |         case AF_INET: | ||||||
|  |             PrintInet(AF_INET, (const void *) GET_IPV4_DST_ADDR_PTR(p), srcip, sizeof(srcip)); | ||||||
|  |             PrintInet(AF_INET, (const void *) GET_IPV4_SRC_ADDR_PTR(p), dstip, sizeof(dstip)); | ||||||
|  |             break; | ||||||
|  |         case AF_INET6: | ||||||
|  |             PrintInet(AF_INET6, (const void *) GET_IPV6_DST_ADDR(p), srcip, sizeof(srcip)); | ||||||
|  |             PrintInet(AF_INET6, (const void *) GET_IPV6_SRC_ADDR(p), dstip, sizeof(dstip)); | ||||||
|  |             break; | ||||||
|  |         default: | ||||||
|  |             goto end; | ||||||
|  |         } | ||||||
|  |         sp = p->dp; | ||||||
|  |         dp = p->sp; | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|  |     /* reset */ | ||||||
|  |     MemBufferReset(aft->buffer); | ||||||
|  | 
 | ||||||
|  |     MemBufferWriteString(aft->buffer, | ||||||
|  |                          "%s %s:%d -> %s:%d  TLS: Subject='%s' Issuerdn='%s'\n", | ||||||
|  |                          timebuf, srcip, sp, dstip, dp, | ||||||
|  |                          ssl_state->server_connp.cert0_subject, ssl_state->server_connp.cert0_issuerdn); | ||||||
|  | 
 | ||||||
|  |     AppLayerTransactionUpdateLoggedId(p->flow); | ||||||
|  | 
 | ||||||
|  |     aft->tls_cnt ++; | ||||||
|  | 
 | ||||||
|  |     SCMutexLock(&hlog->file_ctx->fp_mutex); | ||||||
|  |     MemBufferPrintToFPAsString(aft->buffer, hlog->file_ctx->fp); | ||||||
|  |     fflush(hlog->file_ctx->fp); | ||||||
|  |     SCMutexUnlock(&hlog->file_ctx->fp_mutex); | ||||||
|  | 
 | ||||||
|  | end: | ||||||
|  |     FLOWLOCK_UNLOCK(p->flow); | ||||||
|  |     SCReturnInt(TM_ECODE_OK); | ||||||
|  | 
 | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | TmEcode LogTlsLogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq) | ||||||
|  | { | ||||||
|  |     return LogTlsLogIPWrapper(tv, p, data, pq, postpq, AF_INET); | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | TmEcode LogTlsLogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq) | ||||||
|  | { | ||||||
|  |     return LogTlsLogIPWrapper(tv, p, data, pq, postpq, AF_INET6); | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | TmEcode LogTlsLog(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq) | ||||||
|  | { | ||||||
|  |     SCEnter(); | ||||||
|  | 
 | ||||||
|  |     /* no flow, no htp state */ | ||||||
|  |     if (p->flow == NULL) { | ||||||
|  |         SCReturnInt(TM_ECODE_OK); | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|  |     if (!(PKT_IS_TCP(p))) { | ||||||
|  |         SCReturnInt(TM_ECODE_OK); | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|  |     if (PKT_IS_IPV4(p)) { | ||||||
|  |         SCReturnInt(LogTlsLogIPv4(tv, p, data, pq, postpq)); | ||||||
|  |     } else if (PKT_IS_IPV6(p)) { | ||||||
|  |         SCReturnInt(LogTlsLogIPv6(tv, p, data, pq, postpq)); | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|  |     SCReturnInt(TM_ECODE_OK); | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | TmEcode LogTlsLogThreadInit(ThreadVars *t, void *initdata, void **data) | ||||||
|  | { | ||||||
|  |     LogTlsLogThread *aft = SCMalloc(sizeof(LogTlsLogThread)); | ||||||
|  |     if (aft == NULL) | ||||||
|  |         return TM_ECODE_FAILED; | ||||||
|  |     memset(aft, 0, sizeof(LogTlsLogThread)); | ||||||
|  | 
 | ||||||
|  |     if (initdata == NULL) { | ||||||
|  |         SCLogDebug( "Error getting context for TLSLog.  \"initdata\" argument NULL"); | ||||||
|  |         SCFree(aft); | ||||||
|  |         return TM_ECODE_FAILED; | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|  |     aft->buffer = MemBufferCreateNew(OUTPUT_BUFFER_SIZE); | ||||||
|  |     if (aft->buffer == NULL) { | ||||||
|  |         SCFree(aft); | ||||||
|  |         return TM_ECODE_FAILED; | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|  |     /* Use the Ouptut Context (file pointer and mutex) */ | ||||||
|  |     aft->tlslog_ctx = ((OutputCtx *) initdata)->data; | ||||||
|  | 
 | ||||||
|  |     *data = (void *) aft; | ||||||
|  |     return TM_ECODE_OK; | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | TmEcode LogTlsLogThreadDeinit(ThreadVars *t, void *data) | ||||||
|  | { | ||||||
|  |     LogTlsLogThread *aft = (LogTlsLogThread *) data; | ||||||
|  |     if (aft == NULL) { | ||||||
|  |         return TM_ECODE_OK; | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|  |     MemBufferFree(aft->buffer); | ||||||
|  |     /* clear memory */ | ||||||
|  |     memset(aft, 0, sizeof(LogTlsLogThread)); | ||||||
|  | 
 | ||||||
|  |     SCFree(aft); | ||||||
|  |     return TM_ECODE_OK; | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | void LogTlsLogExitPrintStats(ThreadVars *tv, void *data) | ||||||
|  | { | ||||||
|  |     LogTlsLogThread *aft = (LogTlsLogThread *) data; | ||||||
|  |     if (aft == NULL) { | ||||||
|  |         return; | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|  |     SCLogInfo("TLS logger logged %" PRIu32 " requests", aft->tls_cnt); | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | /** \brief Create a new tls log LogFileCtx.
 | ||||||
|  |  *  \param conf Pointer to ConfNode containing this loggers configuration. | ||||||
|  |  *  \return NULL if failure, LogFileCtx* to the file_ctx if succesful | ||||||
|  |  * */ | ||||||
|  | OutputCtx *LogTlsLogInitCtx(ConfNode *conf) | ||||||
|  | { | ||||||
|  |     LogFileCtx* file_ctx = LogFileNewCtx(); | ||||||
|  | 
 | ||||||
|  |     if (file_ctx == NULL) { | ||||||
|  |         SCLogError(SC_ERR_TLS_LOG_GENERIC, "LogTlsLogInitCtx: Couldn't " | ||||||
|  |         "create new file_ctx"); | ||||||
|  |         return NULL; | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|  |     if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME) < 0) { | ||||||
|  |         LogFileFreeCtx(file_ctx); | ||||||
|  |         return NULL; | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|  |     LogTlsFileCtx *tlslog_ctx = SCCalloc(1, sizeof(LogTlsFileCtx)); | ||||||
|  |     if (tlslog_ctx == NULL) | ||||||
|  |         return NULL; | ||||||
|  |     tlslog_ctx->file_ctx = file_ctx; | ||||||
|  | 
 | ||||||
|  |     OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx)); | ||||||
|  |     if (output_ctx == NULL) | ||||||
|  |         return NULL; | ||||||
|  |     output_ctx->data = tlslog_ctx; | ||||||
|  |     output_ctx->DeInit = LogTlsLogDeInitCtx; | ||||||
|  | 
 | ||||||
|  |     SCLogDebug("TLS log output initialized"); | ||||||
|  | 
 | ||||||
|  |     return output_ctx; | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | static void LogTlsLogDeInitCtx(OutputCtx *output_ctx) | ||||||
|  | { | ||||||
|  |     LogTlsFileCtx *tlslog_ctx = (LogTlsFileCtx *) output_ctx->data; | ||||||
|  |     LogFileFreeCtx(tlslog_ctx->file_ctx); | ||||||
|  |     SCFree(tlslog_ctx); | ||||||
|  |     SCFree(output_ctx); | ||||||
|  | } | ||||||
| @ -0,0 +1,34 @@ | |||||||
|  | /* Copyright (C) 2007-2012 Open Information Security Foundation
 | ||||||
|  |  * | ||||||
|  |  * You can copy, redistribute or modify this Program under the terms of | ||||||
|  |  * the GNU General Public License version 2 as published by the Free | ||||||
|  |  * Software Foundation. | ||||||
|  |  * | ||||||
|  |  * This program is distributed in the hope that it will be useful, | ||||||
|  |  * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||||||
|  |  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the | ||||||
|  |  * GNU General Public License for more details. | ||||||
|  |  * | ||||||
|  |  * You should have received a copy of the GNU General Public License | ||||||
|  |  * version 2 along with this program; if not, write to the Free Software | ||||||
|  |  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA | ||||||
|  |  * 02110-1301, USA. | ||||||
|  |  */ | ||||||
|  | 
 | ||||||
|  | /**
 | ||||||
|  |  * \file | ||||||
|  |  * | ||||||
|  |  * \author Roliers Jean-Paul <popof.fpn@gmail.com> | ||||||
|  |  * \author Eric Leblond <eric@regit.org> | ||||||
|  |  */ | ||||||
|  | 
 | ||||||
|  | #ifndef __LOG_TLSLOG_H__ | ||||||
|  | #define __LOG_TLSLOG_H__ | ||||||
|  | 
 | ||||||
|  | void TmModuleLogTlsLogRegister (void); | ||||||
|  | void TmModuleLogTlsLogIPv4Register (void); | ||||||
|  | void TmModuleLogTlsLogIPv6Register (void); | ||||||
|  | OutputCtx *LogTlsLogInitCtx(ConfNode *); | ||||||
|  | 
 | ||||||
|  | #endif /* __LOG_TLSLOG_H__ */ | ||||||
|  | 
 | ||||||
					Loading…
					
					
				
		Reference in New Issue