Bug #7332
closed
tls: fix duplicate EVE field issuerdn
Description
When enabling the field subjectaltname in custom logging, the JSON schema validator complains that the issuerdn key is duplicated:
tls-eve-custom-fields/output/eve.json: duplicate key error: key=issuerdn, current value=C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS, new value=C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
(output from modified version of SV test using ja4-tls test's pcap)
Relevant YAML config:
    outputs:
      - eve-log:
          enabled: yes
          types:
            - tls:
                extended: yes # enable this for extended logging information
                custom: [subject, issuer, subjectaltname]
TLS event (stripped of non-tls fields for readability):
    {
      "event_type":"tls",
      "pkt_src":"wire/pcap",
      "tls":{
        "subject":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS",
        "issuerdn":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS",
        "issuerdn":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS"
      }
    }
Investigation indicates that when logging the subject alternative name in custom logging, we were actually calling the issuerdn logging function.
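Added example (not part of the original report, and not Suricata or suricata-verify code): a duplicate-key check over EVE lines. A default JSON parser keeps only the last value of a repeated key, so a record like the one above loads without error and the duplication goes unnoticed downstream. The function names and the sample lines are assumptions made for this illustration; the sample record is constructed from the event shown in the description.

```python
import json


def duplicate_keys(record):
    """Parse one EVE JSON line; return [(key, current_value, new_value), ...]."""
    found = []

    def hook(pairs):
        # Called once per JSON object (nested ones included) with its
        # key/value pairs in document order, before they collapse into a dict.
        obj = {}
        for key, value in pairs:
            if key in obj:
                found.append((key, obj[key], value))
            obj[key] = value  # last value wins, as in json.loads' default
        return obj

    json.loads(record, object_pairs_hook=hook)
    return found


def scan_eve(lines):
    """Return [(line_number, key, current_value, new_value), ...] for EVE lines."""
    report = []
    for lineno, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        for key, current, new in duplicate_keys(line):
            report.append((lineno, key, current, new))
    return report


# Constructed sample input: line 1 mirrors the TLS event from the description,
# line 2 is the same event without the repeated key.
DN = "C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS"
SAMPLE_EVE = [
    '{"event_type":"tls","pkt_src":"wire/pcap","tls":{"subject":"%s",'
    '"issuerdn":"%s","issuerdn":"%s"}}' % (DN, DN, DN),
    '{"event_type":"tls","pkt_src":"wire/pcap","tls":{"subject":"%s",'
    '"issuerdn":"%s"}}' % (DN, DN),
]

if __name__ == "__main__":
    for lineno, key, current, new in scan_eve(SAMPLE_EVE):
        print(f"line {lineno}: duplicate key error: key={key}, "
              f"current value={current}, new value={new}")
```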