Feature #6695


Feature #2426: tls: extend logging

tls: log extensions

Added by Philippe Antoine about 2 years ago. Updated 11 months ago.

Status: Closed
Priority: Normal
Target version:
Effort:
Difficulty:
Label:

Description

also for quic

cf discussions in https://github.com/OISF/suricata/pull/10135


Related issues 1 (0 open, 1 closed)

Related to Suricata - Bug #7685: tls: Invalid ja4 due to double client hello | Rejected | OISF Dev

Updated by Victor Julien almost 2 years ago #1

  • Assignee changed from OISF Dev to Community Ticket
  • Target version changed from 8.0.0-beta1 to TBD

Updated by Gianni Tedesco over 1 year ago #2

I would like to add to the TLS EVE output the following fields:
1. cipher suite list to client struct
2. cipher suite selected (to a new server struct?)
3. client extensions list to client struct
4. server extensions list to server struct (or in the root again?)
5. client supported signature algorithms in the client struct

My goal is to be able to reproduce the JA4 hash outside of Suricata, but also to collect handshake parameters for e.g. statistical analysis and survey purposes. Right now I am parsing them from ja3s, but it's not ideal.

Sascha also added "I agree, also unify the TLS parameter log output across tls and quic event types. Would be much cleaner -- atm one is in rust and one is in C, with different log schema."
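How the client-side fields requested in note #2 are enough to recompute a JA4 fingerprint offline, as an added example that is not from this ticket or from Suricata's code. The dictionary keys are hypothetical (the ticket does not define the EVE schema), the sample handshake is constructed, and ALPN values are assumed to be ASCII alphanumeric.

```python
import hashlib

# Hypothetical field names; the ticket does not define the EVE schema.
SAMPLE = {  # constructed ClientHello parameters, not captured traffic
    "version": 0x0303, "supported_versions": [0x0a0a, 0x0304, 0x0303],
    "alpn": ["h2", "http/1.1"],
    "ciphers": [0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, 0xc02c, 0xc030, 0xcca9,
                0xcca8, 0xc013, 0xc014, 0x009c, 0x009d, 0x002f, 0x0035],
    "extensions": [0x001b, 0x0000, 0x0033, 0x0010, 0x4469, 0x0017, 0x002d, 0x000d,
                   0x0005, 0x0023, 0x0012, 0x002b, 0xff01, 0x000b, 0x000a, 0x0015],
    "sig_algs": [0x0403, 0x0804, 0x0401, 0x0503, 0x0805, 0x0501, 0x0806, 0x0601],
}
VERSIONS = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10", 0x0300: "s3"}

def is_grease(v):
    """RFC 8701 GREASE values: 0x0a0a, 0x1a1a, ... 0xfafa."""
    return (v >> 8) == (v & 0xff) and (v & 0x0f) == 0x0a

def hex_list(values):
    return ",".join(f"{v:04x}" for v in values)

def h12(text):
    """First 12 hex chars of SHA-256, or zeros for an empty input."""
    return hashlib.sha256(text.encode()).hexdigest()[:12] if text else "0" * 12

def ja4(client, quic=False):
    ciphers = [c for c in client["ciphers"] if not is_grease(c)]
    exts = [e for e in client["extensions"] if not is_grease(e)]
    offered = [v for v in client.get("supported_versions", []) if not is_grease(v)]
    # supported_versions wins over the legacy version field when present
    ver = VERSIONS.get(max(offered) if offered else client["version"], "00")
    sni = "d" if 0x0000 in exts else "i"
    alpn = client.get("alpn") or [""]
    tag = alpn[0][0] + alpn[0][-1] if alpn[0] else "00"
    a = f"{'q' if quic else 't'}{ver}{sni}{min(len(ciphers), 99):02d}{min(len(exts), 99):02d}{tag}"
    # Ciphers and extensions are sorted, so client-side shuffling does not change the hash
    b = h12(hex_list(sorted(ciphers)))
    # SNI (0x0000) and ALPN (0x0010) are counted above but left out of the hash
    c = hex_list(sorted(e for e in exts if e not in (0x0000, 0x0010)))
    if client.get("sig_algs"):
        c += "_" + hex_list(client["sig_algs"])  # original order is kept
    return f"{a}_{b}_{h12(c)}"
```

The signature algorithm list is the only input whose order matters, which is why it has to be logged as sent rather than as a sorted or deduplicated set.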

Updated by Philippe Antoine over 1 year ago #3

Thanks Gianni, you can claim this ticket and a PR is welcome

Updated by Gianni Tedesco over 1 year ago #4

Okay, I have a patch for the client part, I will make the PR shortly

Updated by Victor Julien over 1 year ago #5

  • Status changed from New to In Review
  • Assignee changed from Community Ticket to Gianni Tedesco
  • Target version changed from TBD to 8.0.0-beta1

Updated by Philippe Antoine about 1 year ago #6

https://github.com/OISF/suricata/pull/12650 last PR (with changes requested)

Updated by Shivani Bhardwaj 12 months ago #7

  • Target version changed from 8.0.0-beta1 to 8.0.0-rc1

Updated by Philippe Antoine 11 months ago #8

  • Related to Bug #7685: tls: Invalid ja4 due to double client hello added

Updated by Juliana Fajardini Reichow 11 months ago #9

  • Status changed from In Review to Closed

Updated by Juliana Fajardini Reichow 11 months ago #10

  • Status changed from Closed to Resolved

Closed it, but tbh didn't confirm if the merged PR covers everything we wanted, here.

Updated by Philippe Antoine 11 months ago #11

  • Status changed from Resolved to Closed

Good for now, we can create a new ticket if we need more
