Bug #7332

closed

tls: fix duplicate EVE field issuerdn

Added by Juliana Fajardini Reichow 2 months ago. Updated 2 months ago.

Status: Closed
Priority: Normal

Description

When enabling the field subjectaltname in custom logging, the JSON schema validator complains that the issuerdn key is duplicated:

tls-eve-custom-fields/output/eve.json: duplicate key error: key=issuerdn, current value=C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS, new value=C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS

(output from modified version of SV test using ja4-tls test's pcap)

Relevant YAML config:

outputs:
  - eve-log:
      enabled: yes
      types:
        - tls:
            extended: yes     # enable this for extended logging information
            custom: [subject, issuer, subjectaltname]

TLS event (stripped of non-tls fields for readability):

{
  "event_type":"tls",
  "pkt_src":"wire/pcap",
  "tls":{
     "subject":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS",
     "issuerdn":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS",
     "issuerdn":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS" 
  }
}

Investigation indicates that when logging the subject alternative name in custom logging, we were actually calling the issuerdn logging function.
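An added example, not part of the original report or of Suricata's test tooling: a minimal duplicate-key check for EVE JSON lines. Python's `json` module silently keeps the last value when a key repeats, so the event above parses without error unless pairs are inspected during decoding; the function names and the sample `subjectaltname` value are assumptions.

```python
import json

# Constructed sample modelled on the event in the report (not real capture output).
DN = "C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS"
SAMPLE_EVE = (
    '{"event_type":"tls","tls":{"subject":"%s","issuerdn":"%s","issuerdn":"%s"}}\n'
    '{"event_type":"tls","tls":{"subject":"%s","issuerdn":"%s",'
    '"subjectaltname":["selks.example"]}}\n'
) % ((DN,) * 5)


class _Obj(dict):
    """dict that remembers which keys were repeated in the JSON text."""
    dups = ()


def _track(pairs):
    # Called by json.loads for every object, with pairs in document order.
    obj, dups = _Obj(), []
    for key, value in pairs:
        if key in obj:
            dups.append((key, obj[key], value))
        obj[key] = value
    obj.dups = dups
    return obj


def _walk(node, path):
    # Yield (key_path, current_value, new_value) for every repeated key.
    if isinstance(node, _Obj):
        for key, old, new in node.dups:
            yield (f"{path}.{key}" if path else key, old, new)
            yield from _walk(old, f"{path}.{key}" if path else key)
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, f"{path}[{i}]")


def find_duplicate_keys(eve_text):
    """Return (line_no, key_path, current_value, new_value) per repeated key."""
    findings = []
    for line_no, line in enumerate(eve_text.splitlines(), 1):
        if line.strip():
            event = json.loads(line, object_pairs_hook=_track)
            findings.extend((line_no, *hit) for hit in _walk(event, ""))
    return findings
```
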

Actions #1

Updated by Juliana Fajardini Reichow 2 months ago

  • Description updated (diff)
Actions #2

Updated by Juliana Fajardini Reichow 2 months ago

  • Description updated (diff)
Actions #3

Updated by Juliana Fajardini Reichow 2 months ago

  • Subject changed from tls: duplicate EVE field issuerdn to tls: fix :wqduplicate EVE field issuerdn
Actions #4

Updated by Juliana Fajardini Reichow 2 months ago

  • Subject changed from tls: fix :wqduplicate EVE field issuerdn to tls: fix duplicate EVE field issuerdn
Actions #5

Updated by Juliana Fajardini Reichow 2 months ago

  • Description updated (diff)
Actions #6

Updated by Juliana Fajardini Reichow 2 months ago

  • Status changed from New to In Review
Actions #7

Updated by Victor Julien 2 months ago

Does 7 have this issue as well?

Actions #8

Updated by Juliana Fajardini Reichow 2 months ago

Checked and didn't see it, as log is done differently, but will double-check.

Actions #9

Updated by Juliana Fajardini Reichow 2 months ago

Victor Julien wrote in #note-7:

Does 7 have this issue as well?

subjectaltname was introduced in 8, only: https://redmine.openinfosecfoundation.org/issues/5234

Actions #10

Updated by Juliana Fajardini Reichow 2 months ago

  • Status changed from In Review to Closed