Feature #2145
open
Relate directly flowid with certificate file
Description
Hi,
Tested on Suricata v3.2.2
The meta file generated with the tls-store keyword doesn't include the flowid so currently we're unable to link what flow used what certificate.
IMHO a better solution would be to include in the 'tls' event_type something similar to the 'fileinfo' structure used in the 'fileinfo' event_type. Obviously this would change how the certificate files are currently named.
So the current 'tls' json event_type (snipped for brevity)...
{
  "flow_id": 918276836420885,
  "event_type": "tls",
  "tls": {
    "subject": "OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.badssl.com",
    "issuerdn": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA",
    "fingerprint": "40:4b:bd:2f:1f:4c:c2:fd:ee:f1:3a:ab:dd:52:3e:f6:1f:1c:71:f3"
  }
}
...adding a new tlsinfo structure would become...
{
  "flow_id": 918276836420885,
  "event_type": "tls",
  "tls": {
    "subject": "OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.badssl.com",
    "issuerdn": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA",
    "fingerprint": "40:4b:bd:2f:1f:4c:c2:fd:ee:f1:3a:ab:dd:52:3e:f6:1f:1c:71:f3"
  },
  "tlsinfo": {
    "md5": "xxxxxxxxxxxxxxxxxx",
    "stored": true,
    "tls_id": 1,
    "size": 24576
  }
}
...and in the folder where Suricata stores the certificates that meta file would contain:
$ cat certificate.1.meta
TIME: 06/13/2017-16:54:27.654090
PCAP PKT NUM: 15
SRC IP: 192.168.61.100
DST IP: 104.154.89.105
PROTO: 6
SRC PORT: 51375
DST PORT: 443
TLS SUBJECT: OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.badssl.com
TLS ISSUERDN: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
TLS FINGERPRINT: 40:4b:bd:2f:1f:4c:c2:fd:ee:f1:3a:ab:dd:52:3e:f6:1f:1c:71:f3
Does that make sense to you?
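
Without a flow id in the meta file, a stored certificate can only be tied back to its flow indirectly. The sketch below is an added example (not part of the original report and not Suricata code): it parses a tls-store .meta file in the layout shown above and matches it to EVE tls events by fingerprint plus endpoints. The src_ip, src_port, dest_ip and dest_port fields are assumed to be present in the EVE events (the report's example snipped them), and the second sample event is constructed.

```python
import json

# Constructed sample data modelled on the event and meta file in the report.
# src_ip/src_port/dest_ip/dest_port are assumed EVE fields (snipped in the
# report); the second event is invented to show two flows sharing one cert.
FP = "40:4b:bd:2f:1f:4c:c2:fd:ee:f1:3a:ab:dd:52:3e:f6:1f:1c:71:f3"
EVE_LINES = [json.dumps({
    "flow_id": fid, "event_type": "tls", "src_ip": "192.168.61.100",
    "src_port": sport, "dest_ip": "104.154.89.105", "dest_port": 443,
    "tls": {"fingerprint": FP}})
    for fid, sport in ((918276836420885, 51375), (111111111111111, 51390))]
META_TEXT = f"""TIME: 06/13/2017-16:54:27.654090
SRC IP: 192.168.61.100
DST IP: 104.154.89.105
PROTO: 6
SRC PORT: 51375
DST PORT: 443
TLS FINGERPRINT: {FP}
"""

def parse_meta(text):
    """Parse the 'KEY: value' lines of a tls-store .meta file into a dict."""
    meta = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            meta[key.strip()] = value.strip()
    return meta

def endpoints(a_ip, a_port, b_ip, b_port):
    """Direction-independent endpoint pair, so client/server order is ignored."""
    return frozenset({(a_ip, str(a_port)), (b_ip, str(b_port))})

def flows_for_meta(meta, eve_lines, match_endpoints=True):
    """Return the flow_ids of tls events that correspond to one meta file."""
    want = endpoints(meta.get("SRC IP"), meta.get("SRC PORT"),
                     meta.get("DST IP"), meta.get("DST PORT"))
    hits = []
    for line in eve_lines:
        ev = json.loads(line)
        if (ev.get("event_type") != "tls" or
                ev.get("tls", {}).get("fingerprint") != meta.get("TLS FINGERPRINT")):
            continue
        got = endpoints(ev.get("src_ip"), ev.get("src_port"),
                        ev.get("dest_ip"), ev.get("dest_port"))
        if match_endpoints and got != want:
            continue
        hits.append(ev["flow_id"])
    return hits
```

Matching on fingerprint alone returns both sample flows; adding the endpoints narrows it to one, but port reuse over a long capture can still collide, which is the ambiguity a flow id in the meta file would remove.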