Feature #6695
openUpdated by Victor Julien 11 months ago
- Assignee changed from OISF Dev to Community Ticket
- Target version changed from 8.0.0-beta1 to TBD
Updated by Gianni Tedesco 9 months ago
I would like to add to the TLS EVE output the following fields:
1. cipher suite list to client struct
2. cipher suite selected (to a new server struct?)
3. client extensions list to client struct
4. server extensions list to server struct (or in the root again?)
5. client supported signature algorithms in the client struct
My goal is to be able to reproduce the JA4 hash outside of suricata, but also to collect handshake parameters for eg. statistical analysis and survey purposes.. right now i am parsing them from ja3s, but it's not ideal.
Sascha also added "I agree, also unify the TLS parameter log output across tls and quic event types. Would be much cleaner -- atm one is in rust and one is in C, with different log schema."
Updated by Philippe Antoine 9 months ago
Thanks Gianni, you can claim this ticket and a PR is welcome
Updated by Gianni Tedesco 6 months ago
Okay, I have a patch for the client part, I will make the PR shortly
Updated by Victor Julien 6 months ago
- Status changed from New to In Review
- Assignee changed from Community Ticket to Gianni Tedesco
- Target version changed from TBD to 8.0.0-beta1
Updated by Philippe Antoine about 1 month ago
https://github.com/OISF/suricata/pull/12650 last PR (with changes requested)
Updated by Shivani Bhardwaj about 1 month ago
- Target version changed from 8.0.0-beta1 to 8.0.0-rc1
Updated by Philippe Antoine 2 days ago
- Related to Bug #7685: tls: Invalid ja4 due to double client hello added