Suricata

Feature request for additional detail in TLS log events. It would be OK for this to be enabled by TLS extended logging.

It would be very useful for extended TLS event logs to include a history of events in some form, so that security investigators would be able to use extended TLS logs to identify connections with unique or interesting histories. Any log schema that encodes the state history would be acceptable.

Zeek has a similar feature that could be used for inspiration that densely encodes the relevant state history in a small number of bytes: https://github.com/zeek/zeek/blob/4de7a2b947d8b1367238ff7bcebcc6638764f377/scripts/base/protocols/ssl/main.zeek#L75

An example from Zeek includes the field "ssl_history": "CsxknGIi" from which we can read this sequence of events in the TLS connection:

• Client hello (C)
• Server hello (s)
• Server certificate exchange (x)
• Server key exchange (k)
• Server hello done (n)
• Client key exchange (G)
• Change cipher spec (I)
• Client finished (i)