Bug #7286
eve/tls: enabling JA4 breaks custom field selection
Status: closed
Affected Versions:
Effort: low
Difficulty:
Label: C
Description
When enabling JA4 in the TLS logging configuration, the resulting `tls` metadata field does not contain regular TLS metadata anymore:
❯ rm eve.json; ./src/suricata -c suricata.yaml -r ~/Downloads/tls1.pcapng -l . -k none --set outputs.1.eve-log.types.5.tls.custom="[subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4]" --set outputs.1.eve-log.types.5.tls.ja4=off; cat eve.json | jq 'select(.event_type=="tls")'
{
  "timestamp": "2018-07-23T21:19:09.349295+0200",
  "flow_id": 1428254916048543,
  "pcap_cnt": 7,
  "event_type": "tls",
  "src_ip": "172.16.1.117",
  "src_port": 34140,
  "dest_ip": "172.16.1.130",
  "dest_port": 4433,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "tls": {
    "subject": "C=US, ST=New Hampshire, L=Portsmouth, O=CloudShark, CN=tls, Email=support@cloudshark.org",
    "issuerdn": "C=US, ST=New Hampshire, L=Portsmouth, O=CloudShark, CN=tls, Email=support@cloudshark.org",
    "serial": "00:91:BA:74:7B:F2:8A:9A:E4",
    "fingerprint": "93:30:fe:1e:f2:ad:af:21:6f:4b:11:b9:f2:55:f3:c1:05:16:17:be",
    "sni": "dogfish",
    "version": "TLS 1.2",
    "notbefore": "2018-07-23T18:44:07",
    "notafter": "2019-07-23T18:44:07",
    "certificate": "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",
    "chain": [
      "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"
    ]
  }
}
❯ rm eve.json; ./src/suricata -c suricata.yaml -r ~/Downloads/tls1.pcapng -l . -k none --set outputs.1.eve-log.types.5.tls.custom="[subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4]" --set outputs.1.eve-log.types.5.tls.ja4=on; cat eve.json | jq 'select(.event_type=="tls")'
{
  "timestamp": "2018-07-23T21:19:09.349295+0200",
  "flow_id": 1428253523590603,
  "pcap_cnt": 7,
  "event_type": "tls",
  "src_ip": "172.16.1.117",
  "src_port": 34140,
  "dest_ip": "172.16.1.130",
  "dest_port": 4433,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "tls": {}
}
The issue has already been located and a PR will follow soon.
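As an added check (not part of the bug report and not Suricata project code), the following Python script scans an eve.json file for the symptom shown above: `tls` events whose `tls` object is empty, or which lack certificate fields that a completed handshake should produce. It is useful as a regression test for a deployment that enables `ja4` alongside a `custom` field list. The expected key names follow the ja4=off output above (`issuerdn`, `notbefore`, `notafter`); the embedded sample lines are constructed for this example and modelled on that output.

```python
"""Scan Suricata EVE (NDJSON) output for TLS events with empty or incomplete metadata."""
import json
import sys

# Keys Suricata emits for the certificate-bearing fields in the reporter's
# `custom` list, as seen in the ja4=off output (issuer -> issuerdn,
# not_before -> notbefore, not_after -> notafter). `sni` is left out because
# a client may legitimately omit it.
EXPECTED_TLS_KEYS = frozenset(
    {"subject", "issuerdn", "serial", "fingerprint", "version", "notbefore", "notafter"}
)


def check_tls_events(lines):
    """Return a summary of TLS events found in an iterable of EVE JSON lines.

    Lines that are blank or not valid JSON (e.g. a record cut off by log
    rotation) are counted under 'unparsable' and skipped instead of aborting.
    """
    summary = {"tls_events": 0, "empty_tls": [], "missing_fields": {}, "unparsable": 0}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            summary["unparsable"] += 1
            continue
        if event.get("event_type") != "tls":
            continue
        summary["tls_events"] += 1
        tls = event.get("tls")
        flow_id = event.get("flow_id")
        # The symptom from the report: the `tls` object is present but empty.
        if not isinstance(tls, dict) or not tls:
            summary["empty_tls"].append(flow_id)
            continue
        # Partial output: some fields a certificate-bearing session must have are absent.
        absent = EXPECTED_TLS_KEYS.difference(tls)
        if absent:
            summary["missing_fields"][flow_id] = sorted(absent)
    return summary


# Constructed sample records for offline use; values are shaped like the
# report's output but are not the report's own log lines.
SAMPLE_EVE_LINES = [
    # Healthy event, as produced with ja4=off.
    json.dumps({
        "timestamp": "2018-07-23T21:19:09.349295+0200", "flow_id": 1428254916048543,
        "event_type": "tls", "src_ip": "172.16.1.117", "dest_ip": "172.16.1.130",
        "tls": {
            "subject": "CN=tls", "issuerdn": "CN=tls",
            "serial": "00:91:BA:74:7B:F2:8A:9A:E4",
            "fingerprint": "93:30:fe:1e:f2:ad:af:21:6f:4b:11:b9:f2:55:f3:c1:05:16:17:be",
            "sni": "dogfish", "version": "TLS 1.2",
            "notbefore": "2018-07-23T18:44:07", "notafter": "2019-07-23T18:44:07",
        },
    }),
    # A non-TLS event that must be ignored.
    json.dumps({"event_type": "flow", "flow_id": 1, "flow": {"pkts_toserver": 3}}),
    # The bug's symptom: `tls` present but empty, as produced with ja4=on.
    json.dumps({
        "timestamp": "2018-07-23T21:19:09.349295+0200", "flow_id": 1428253523590603,
        "event_type": "tls", "src_ip": "172.16.1.117", "dest_ip": "172.16.1.130",
        "tls": {},
    }),
    # Partially populated object: certificate fields missing.
    json.dumps({"event_type": "tls", "flow_id": 42, "tls": {"version": "TLS 1.2", "sni": "example"}}),
    # Truncated record, e.g. from a log rotated mid-write; must not abort the scan.
    '{"event_type": "tls", "flow_id": 7, "tls": {',
]


def main(argv):
    """Scan the file named on the command line, or the samples if none is given."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            result = check_tls_events(fh)
    else:
        result = check_tls_events(SAMPLE_EVE_LINES)
    print(json.dumps(result, indent=2))
    # Non-zero exit status makes the script usable as a CI regression check.
    return 1 if result["empty_tls"] or result["missing_fields"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_eve_tls.py eve.json` after a capture replay like the ones above; a non-zero exit means at least one `tls` event was empty or incomplete, which is exactly the difference between the ja4=off and ja4=on runs shown in the report.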