Bug #7332
Closed
tls: fix duplicate EVE field issuerdn
Description
When enabling the field subjectaltname in custom logging, the JSON schema validator complains that the issuerdn key is duplicated:
tls-eve-custom-fields/output/eve.json: duplicate key error: key=issuerdn, current value=C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS, new value=C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
(output from modified version of SV test using ja4-tls test's pcap)
Relevant YAML config:
outputs:
  - eve-log:
      enabled: yes
      types:
        - tls:
            extended: yes # enable this for extended logging information
            custom: [subject, issuer, subjectaltname]
TLS event (stripped of non-tls fields for readability):
{
  "event_type":"tls",
  "pkt_src":"wire/pcap",
  "tls":{
    "subject":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS",
    "issuerdn":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS",
    "issuerdn":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS"
  }
}
Investigation indicates that when logging the subject alternative name in custom logging, we were actually calling the issuerdn logging function.
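A check for the condition reported above, as an added example that is not part of the original report or of Suricata's code: Python's json module silently keeps the last value of a repeated key, so this script uses object_pairs_hook to report duplicates per EVE line. The function name and the sample lines are constructed for illustration.

```python
import json

# Constructed sample modelled on the event in the report: line 1 repeats
# "issuerdn" inside the "tls" object, line 2 is a clean TLS event.
SAMPLE_EVE = """\
{"event_type":"tls","pkt_src":"wire/pcap","tls":{"subject":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS","issuerdn":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS","issuerdn":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS"}}
{"event_type":"tls","pkt_src":"wire/pcap","tls":{"subject":"CN=example","issuerdn":"CN=example"}}
"""


def find_duplicate_keys(eve_text):
    """Return (line_number, key, current_value, new_value) for every key that
    appears more than once within the same JSON object, at any nesting depth.
    Lines that are not valid JSON are reported with key=None."""
    findings = []
    for lineno, line in enumerate(eve_text.splitlines(), start=1):
        if not line.strip():
            continue
        dups = []

        def hook(pairs, dups=dups):
            # Called once per JSON object with its (key, value) pairs in order.
            seen = {}
            for key, value in pairs:
                if key in seen:
                    dups.append((key, seen[key], value))
                seen[key] = value
            return seen

        try:
            json.loads(line, object_pairs_hook=hook)
        except json.JSONDecodeError as exc:
            # e.g. a truncated final line in a log that is still being written
            findings.append((lineno, None, None, "invalid JSON: " + exc.msg))
            continue
        findings.extend((lineno, k, cur, new) for k, cur, new in dups)
    return findings


if __name__ == "__main__":
    for lineno, key, cur, new in find_duplicate_keys(SAMPLE_EVE):
        print(f"line {lineno}: duplicate key error: key={key}, "
              f"current value={cur}, new value={new}")
```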
Updated by Juliana Fajardini Reichow about 1 month ago
- Description updated (diff)
Updated by Juliana Fajardini Reichow about 1 month ago
- Description updated (diff)
Updated by Juliana Fajardini Reichow about 1 month ago
- Subject changed from tls: duplicate EVE field issuerdn to tls: fix :wqduplicate EVE field issuerdn
Updated by Juliana Fajardini Reichow about 1 month ago
- Subject changed from tls: fix :wqduplicate EVE field issuerdn to tls: fix duplicate EVE field issuerdn
Updated by Juliana Fajardini Reichow about 1 month ago
- Description updated (diff)
Updated by Juliana Fajardini Reichow about 1 month ago
- Status changed from New to In Review
PR for review: https://github.com/OISF/suricata/pull/11979
Updated by Juliana Fajardini Reichow about 1 month ago
Checked and didn't see it, as log is done differently, but will double-check.
Updated by Juliana Fajardini Reichow about 1 month ago
Victor Julien wrote in #note-7:
Does 7 have this issue as well?
subjectaltname was introduced in 8, only: https://redmine.openinfosecfoundation.org/issues/5234
Updated by Juliana Fajardini Reichow about 1 month ago
- Status changed from In Review to Closed
Merged PR: https://github.com/OISF/suricata/pull/11979