Bug #7286

closed

eve/tls: enabling JA4 breaks custom field selection

Added by Sascha Steinbiss 3 months ago. Updated 3 months ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort: low
Difficulty:
Label: C

Description

When enabling JA4 in the TLS logging configuration, the resulting `tls` metadata field does not contain regular TLS metadata anymore:

```
❯ rm eve.json; ./src/suricata -c suricata.yaml -r ~/Downloads/tls1.pcapng -l . -k none --set outputs.1.eve-log.types.5.tls.custom="[subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4]" --set outputs.1.eve-log.types.5.tls.ja4=off; cat eve.json | jq 'select(.event_type=="tls")'
{
  "timestamp": "2018-07-23T21:19:09.349295+0200",
  "flow_id": 1428254916048543,
  "pcap_cnt": 7,
  "event_type": "tls",
  "src_ip": "172.16.1.117",
  "src_port": 34140,
  "dest_ip": "172.16.1.130",
  "dest_port": 4433,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "tls": {
    "subject": "C=US, ST=New Hampshire, L=Portsmouth, O=CloudShark, CN=tls, Email=support@cloudshark.org",
    "issuerdn": "C=US, ST=New Hampshire, L=Portsmouth, O=CloudShark, CN=tls, Email=support@cloudshark.org",
    "serial": "00:91:BA:74:7B:F2:8A:9A:E4",
    "fingerprint": "93:30:fe:1e:f2:ad:af:21:6f:4b:11:b9:f2:55:f3:c1:05:16:17:be",
    "sni": "dogfish",
    "version": "TLS 1.2",
    "notbefore": "2018-07-23T18:44:07",
    "notafter": "2019-07-23T18:44:07",
    "certificate": "MIICgTCCAeoCCQCRunR78oqa5DANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU5ldyBIYW1wc2hpcmUxEzARBgNVBAcMClBvcnRzbW91dGgxEzARBgNVBAoMCkNsb3VkU2hhcmsxDDAKBgNVBAMMA3RsczElMCMGCSqGSIb3DQEJARYWc3VwcG9ydEBjbG91ZHNoYXJrLm9yZzAeFw0xODA3MjMxODQ0MDdaFw0xOTA3MjMxODQ0MDdaMIGEMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTmV3IEhhbXBzaGlyZTETMBEGA1UEBwwKUG9ydHNtb3V0aDETMBEGA1UECgwKQ2xvdWRTaGFyazEMMAoGA1UEAwwDdGxzMSUwIwYJKoZIhvcNAQkBFhZzdXBwb3J0QGNsb3Vkc2hhcmsub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDnscuV+8x18HHi6mcNu1U1YpTNLfFwt9E3sP1thNVIK8ib5aRKNZ93+iAN6q3ObCYcZdyMYWMoaGxy2uRs+Yt78AESNGwogN73s+LXrVSrcHqxfAxNVDJGxmWx+JRHa1qt1rwgSvJgJSqKpva1nm+n/4LCAKj6IsH4SzDA//sIfwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBALK7DhuvW1wSNXGC3dwmp7vMQh137noJIhZDZTpmDvgRTnwtS51UjUCqrNMypgtbm0rj4ca+FwH1Ntwj1qhdwJvE9YCEEDrJ9JKY0tFiV2ws4qvtAjk7X6LaisDgV+VkRtXqrQwpHqrmFcbbOfb8bxyyqrZEJe9aGuhG5GqowChu",
    "chain": [
      "MIICgTCCAeoCCQCRunR78oqa5DANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU5ldyBIYW1wc2hpcmUxEzARBgNVBAcMClBvcnRzbW91dGgxEzARBgNVBAoMCkNsb3VkU2hhcmsxDDAKBgNVBAMMA3RsczElMCMGCSqGSIb3DQEJARYWc3VwcG9ydEBjbG91ZHNoYXJrLm9yZzAeFw0xODA3MjMxODQ0MDdaFw0xOTA3MjMxODQ0MDdaMIGEMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTmV3IEhhbXBzaGlyZTETMBEGA1UEBwwKUG9ydHNtb3V0aDETMBEGA1UECgwKQ2xvdWRTaGFyazEMMAoGA1UEAwwDdGxzMSUwIwYJKoZIhvcNAQkBFhZzdXBwb3J0QGNsb3Vkc2hhcmsub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDnscuV+8x18HHi6mcNu1U1YpTNLfFwt9E3sP1thNVIK8ib5aRKNZ93+iAN6q3ObCYcZdyMYWMoaGxy2uRs+Yt78AESNGwogN73s+LXrVSrcHqxfAxNVDJGxmWx+JRHa1qt1rwgSvJgJSqKpva1nm+n/4LCAKj6IsH4SzDA//sIfwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBALK7DhuvW1wSNXGC3dwmp7vMQh137noJIhZDZTpmDvgRTnwtS51UjUCqrNMypgtbm0rj4ca+FwH1Ntwj1qhdwJvE9YCEEDrJ9JKY0tFiV2ws4qvtAjk7X6LaisDgV+VkRtXqrQwpHqrmFcbbOfb8bxyyqrZEJe9aGuhG5GqowChu"
    ]
  }
}
```

```
❯ rm eve.json; ./src/suricata -c suricata.yaml -r ~/Downloads/tls1.pcapng -l . -k none --set outputs.1.eve-log.types.5.tls.custom="[subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4]" --set outputs.1.eve-log.types.5.tls.ja4=on; cat eve.json | jq 'select(.event_type=="tls")'
{
  "timestamp": "2018-07-23T21:19:09.349295+0200",
  "flow_id": 1428253523590603,
  "pcap_cnt": 7,
  "event_type": "tls",
  "src_ip": "172.16.1.117",
  "src_port": 34140,
  "dest_ip": "172.16.1.130",
  "dest_port": 4433,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "tls": {}
}
```

The issue has already been located and a PR will follow soon.
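An added example, not part of the original report or of Suricata's code: a check that reads EVE lines and flags TLS events whose `tls` object is empty or has lost fields that the ja4=off record above contains. The option-to-key mapping is taken from the output shown in the report; the function name, finding format and sample lines are assumptions made for illustration.

```python
import json

# `custom` option -> key as it appears in the report's EVE output; options
# not listed here are assumed to be logged under their own name.
EVE_KEY = {"issuer": "issuerdn", "not_before": "notbefore", "not_after": "notafter"}

# Fields present in the report's ja4=off record, which must survive ja4=on.
EXPECTED = ["subject", "issuer", "serial", "fingerprint", "sni", "version",
            "not_before", "not_after", "certificate", "chain"]

# Constructed sample lines shaped like the two records in the report
# (certificate data replaced by a placeholder, flow ids made up).
GOOD = json.dumps({"event_type": "tls", "flow_id": 1, "tls": {
    "subject": "CN=tls", "issuerdn": "CN=tls", "serial": "00:91",
    "fingerprint": "93:30", "sni": "dogfish", "version": "TLS 1.2",
    "notbefore": "2018-07-23T18:44:07", "notafter": "2019-07-23T18:44:07",
    "certificate": "PLACEHOLDER", "chain": ["PLACEHOLDER"]}})
EMPTY = json.dumps({"event_type": "tls", "flow_id": 2, "tls": {}})


def check_tls_events(lines, expected=EXPECTED):
    """Return a finding for every TLS event that lost expected fields."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            findings.append({"line": lineno, "problem": "invalid-json", "missing": []})
            continue
        if not isinstance(event, dict) or event.get("event_type") != "tls":
            continue
        tls = event.get("tls")
        if not isinstance(tls, dict) or not tls:
            # The symptom from the report: the event exists but `tls` is {}.
            findings.append({"line": lineno, "problem": "empty-tls", "missing": list(expected)})
            continue
        missing = [f for f in expected if EVE_KEY.get(f, f) not in tls]
        if missing:
            findings.append({"line": lineno, "problem": "missing-fields", "missing": missing})
    return findings


if __name__ == "__main__":
    for finding in check_tls_events([GOOD, EMPTY]):
        print(finding)
```

Fields such as `session_resumed`, `ja3`, `ja3s` and `ja4` are left out of `EXPECTED` because the ja4=off record in the report does not contain them.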
