Project

General

Profile

Actions

Feature #6695

open

Feature #2426: tls: extend logging

tls: log extensions

Added by Philippe Antoine 11 months ago. Updated about 2 months ago.

Status:
In Review
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

also for quic

cf discussions in https://github.com/OISF/suricata/pull/10135

Actions #1

Updated by Victor Julien 6 months ago

  • Assignee changed from OISF Dev to Community Ticket
  • Target version changed from 8.0.0-beta1 to TBD
Actions #2

Updated by Gianni Tedesco 4 months ago

I would like to add to the TLS EVE output the following fields:
1. cipher suite list to client struct
2. cipher suite selected (to a new server struct?)
3. client extensions list to client struct
4. server extensions list to server struct (or in the root again?)
5. client supported signature algorithms in the client struct

My goal is to be able to reproduce the JA4 hash outside of suricata, but also to collect handshake parameters for eg. statistical analysis and survey purposes.. right now i am parsing them from ja3s, but it's not ideal.

Sascha also added "I agree, also unify the TLS parameter log output across tls and quic event types. Would be much cleaner -- atm one is in rust and one is in C, with different log schema."

Actions #3

Updated by Philippe Antoine 4 months ago

Thanks Gianni, you can claim this ticket and a PR is welcome

Actions #4

Updated by Gianni Tedesco about 2 months ago

Okay, I have a patch for the client part, I will make the PR shortly

Actions #5

Updated by Victor Julien about 2 months ago

  • Status changed from New to In Review
  • Assignee changed from Community Ticket to Gianni Tedesco
  • Target version changed from TBD to 8.0.0-beta1
Actions

Also available in: Atom PDF