Project

General

Profile

Actions
Copy link

Feature #6695

open

Feature #2426: tls: extend logging

tls: log extensions

Added by Philippe Antoine 8 months ago. Updated 27 days ago.

Status:
New
Priority:
Normal
Assignee:
Community Ticket
Target version:
TBD
Effort:
Difficulty:
Label:

Description

also for quic

cf discussions in https://github.com/OISF/suricata/pull/10135

Actions
Copy link
 #1

Updated by Victor Julien 3 months ago

  • Assignee changed from OISF Dev to Community Ticket
  • Target version changed from 8.0.0-beta1 to TBD
Actions
Copy link
 #2

Updated by Gianni Tedesco 30 days ago

I would like to add to the TLS EVE output the following fields:
1. cipher suite list to client struct
2. cipher suite selected (to a new server struct?)
3. client extensions list to client struct
4. server extensions list to server struct (or in the root again?)
5. client supported signature algorithms in the client struct

My goal is to be able to reproduce the JA4 hash outside of suricata, but also to collect handshake parameters for eg. statistical analysis and survey purposes.. right now i am parsing them from ja3s, but it's not ideal.

Sascha also added "I agree, also unify the TLS parameter log output across tls and quic event types. Would be much cleaner -- atm one is in rust and one is in C, with different log schema."

Actions
Copy link
 #3

Updated by Philippe Antoine 27 days ago

Thanks Gianni, you can claim this ticket and a PR is welcome

Actions
Copy link

Also available in: Atom PDF