Project

General

Profile

Bug #7332

Updated by Juliana Fajardini Reichow about 1 month ago

When enabling the custom field @subjectaltname@, the JSON schema validator complains that the @issuerdn@ key 
 is duplicated: 
 <pre><code class="shell"> 
 tls-eve-custom-fields/output/eve.json: duplicate key error: key=issuerdn, current value=C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS, new value=C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS 
 </code></pre> 
 (output from modified version of SV test using @ja4-tls@ test's pcap) 

 Relevant YAML config: 
 <pre><code class="yaml"> 
 outputs:¬ 
   - eve-log:¬ 
       enabled: yes¬ 
       types:¬ 
         - tls:¬ 
             extended: yes       # enable this for extended logging information¬ 
             custom: [subject, issuer, subjectaltname]¬ 
 </code></pre> 


 TLS event (stripped of non-tls fields for readability): 
 <pre><code class="json"> 
 { 
   "event_type":"tls", 
   "pkt_src":"wire/pcap", 
   "tls":{ 
      "subject":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS", 
      "issuerdn":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS", 
      "issuerdn":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS" 
   } 
 } 
 </code></pre> 


 Investigation indicates that when logging the subject alternative name we were actually calling the @issuerdn@ logging function.

Back