Feature #6695
openUpdated by Victor Julien 5 months ago
- Assignee changed from OISF Dev to Community Ticket
- Target version changed from 8.0.0-beta1 to TBD
Updated by Gianni Tedesco 3 months ago
I would like to add to the TLS EVE output the following fields:
1. cipher suite list to client struct
2. cipher suite selected (to a new server struct?)
3. client extensions list to client struct
4. server extensions list to server struct (or in the root again?)
5. client supported signature algorithms in the client struct
My goal is to be able to reproduce the JA4 hash outside of suricata, but also to collect handshake parameters for eg. statistical analysis and survey purposes.. right now i am parsing them from ja3s, but it's not ideal.
Sascha also added "I agree, also unify the TLS parameter log output across tls and quic event types. Would be much cleaner -- atm one is in rust and one is in C, with different log schema."
Updated by Philippe Antoine 3 months ago
Thanks Gianni, you can claim this ticket and a PR is welcome
Updated by Gianni Tedesco about 2 hours ago
Okay, I have a patch for the client part, I will make the PR shortly