Project

General

Profile

Actions

Feature #6695

closed

Feature #2426: tls: extend logging

tls: log extensions

Added by Philippe Antoine over 1 year ago. Updated 11 days ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

also for quic

cf discussions in https://github.com/OISF/suricata/pull/10135


Related issues 1 (0 open1 closed)

Related to Suricata - Bug #7685: tls: Invalid ja4 due to double client helloRejectedOISF DevActions
Actions #1

Updated by Victor Julien 12 months ago

  • Assignee changed from OISF Dev to Community Ticket
  • Target version changed from 8.0.0-beta1 to TBD
Actions #2

Updated by Gianni Tedesco 10 months ago

I would like to add to the TLS EVE output the following fields:
1. cipher suite list to client struct
2. cipher suite selected (to a new server struct?)
3. client extensions list to client struct
4. server extensions list to server struct (or in the root again?)
5. client supported signature algorithms in the client struct

My goal is to be able to reproduce the JA4 hash outside of suricata, but also to collect handshake parameters for eg. statistical analysis and survey purposes.. right now i am parsing them from ja3s, but it's not ideal.

Sascha also added "I agree, also unify the TLS parameter log output across tls and quic event types. Would be much cleaner -- atm one is in rust and one is in C, with different log schema."

Actions #3

Updated by Philippe Antoine 10 months ago

Thanks Gianni, you can claim this ticket and a PR is welcome

Actions #4

Updated by Gianni Tedesco 7 months ago

Okay, I have a patch for the client part, I will make the PR shortly

Actions #5

Updated by Victor Julien 7 months ago

  • Status changed from New to In Review
  • Assignee changed from Community Ticket to Gianni Tedesco
  • Target version changed from TBD to 8.0.0-beta1
Actions #6

Updated by Philippe Antoine about 2 months ago

https://github.com/OISF/suricata/pull/12650 last PR (with changes requested)

Actions #7

Updated by Shivani Bhardwaj about 2 months ago

  • Target version changed from 8.0.0-beta1 to 8.0.0-rc1
Actions #8

Updated by Philippe Antoine 25 days ago

  • Related to Bug #7685: tls: Invalid ja4 due to double client hello added
Actions #9

Updated by Juliana Fajardini Reichow 12 days ago

  • Status changed from In Review to Closed
Actions #10

Updated by Juliana Fajardini Reichow 12 days ago

  • Status changed from Closed to Resolved

Closed it, but tbh didn't confirm if the merged PR covers everything we wanted, here.

Actions #11

Updated by Philippe Antoine 11 days ago

  • Status changed from Resolved to Closed

Good for now, we can create a new ticket if we need more

Actions

Also available in: Atom PDF