Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Output/TLS: Allow logging of client/server handshake parameters - V2 #12501

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Output/TLS: Allow logging of client/server handshake parameters - V2 #12501

wants to merge 1 commit into from
+333 −73

Conversation

rmcconnell-r7
Copy link
Contributor

@rmcconnell-r7 rmcconnell-r7 commented Jan 29, 2025
edited by victorjulien
Loading

Add new custom log fields:

  • "client_handshake" which logs the following:
  1. TLS version used during handshake
  2. TLS extensions, excluding GREASE, SNI and ALPN
  3. All cipher suites, excluding GREASE
  4. All signature algorithms, excluding GREASE
  • "server_handshake" which logs the following:
  1. TLS version used during handshake
  2. The chosen cipher suite, excluding GREASE
  3. TLS extensions, excluding GREASE

The use-case is for logging TLS handshake parameters in order to survey them, and so that JA4(S) hashes can be computed offline (in the case that they're not already computed for the purposes of rule matching).

As part of this update suricata now creates a JA4 object when the message type is CLIENT_HELLO | SERVER_HELLO to allow for custom fields without the need to explicitly enable JA4 via ja4-fingerprint. That enables us to produce the handshake parameters, as well as the other JA4 related fields, without the fingerprint(s). Is that ok? I think that was the intention from the previous PR discussion?

Link to my SV tests PR: OISF/suricata-verify#2265

Make sure these boxes are checked accordingly before submitting your Pull Request -- thank you.

Contribution style:

Our Contribution agreements:

Changes (if applicable):

Link to ticket: https://redmine.openinfosecfoundation.org/issues/6695

Describe changes:

Provide values to any of the below to override the defaults.

  • To use an LibHTP, Suricata-Verify or Suricata-Update pull request,
    link to the pull request in the respective _BRANCH variable.
  • Leave unused overrides blank or remove.

SV_REPO=
SV_BRANCH=OISF/suricata-verify#2265
SU_REPO=
SU_BRANCH=
LIBHTP_REPO=
LIBHTP_BRANCH=

@gtedesco-r7 @rmcconnell-r7
Output/TLS: Allow logging of client/server handshake parameters
c2df226 
Add new custom log fields:
- "client_handshake" which logs the following:
1. TLS version used during handshake
2. TLS extensions, excluding GREASE, SNI and ALPN
3. All cipher suites, excluding GREASE
4. All signature algorithms, excluding GREASE

- "server_handshake" which logs the following:
1. TLS version used during handshake
2. The chosen cipher suite, excluding GREASE
3. TLS extensions, excluding GREASE

The use-case is for logging TLS handshake parameters in order to survey
them, and so that JA4(S) hashes can be computed offline (in the case that
they're not already computed for the purposes of rule matching).
@github-actions GitHub Actions
Copy link

NOTE: This PR may contain new authors.

@rmcconnell-r7
Copy link
Contributor Author

Replaces: #12071

@victorjulien
Copy link
Member

Please specify the SV branch as

SV_BRANCH=OISF/suricata-verify#2265

This way the CI here will use it.

@rmcconnell-r7
Copy link
Contributor Author

Done. Thanks, tbh I guessed that may be needed haha..

@codecov Codecov
Copy link

codecov bot commented Jan 29, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 96.77419% with 5 lines in your changes missing coverage. Please review.

Project coverage is 80.59%. Comparing base (cfbf8fd) to head (c2df226).

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #12501      +/-   ##
==========================================
+ Coverage   80.56%   80.59%   +0.02%     
==========================================
  Files         925      925              
  Lines      259292   259399     +107     
==========================================
+ Hits       208906   209051     +145     
+ Misses      50386    50348      -38
Flag Coverage Δ
fuzzcorpus 56.12% <41.44%> (-0.03%) ⬇️
livemode 19.38% <11.84%> (-0.02%) ⬇️
pcap 44.30% <40.78%> (+0.10%) ⬆️
suricata-verify 63.44% <98.68%> (+0.04%) ⬆️
unittests 58.41% <10.32%> (-0.04%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

@catenacyber catenacyber mentioned this pull request Jan 29, 2025
Closed
5 tasks
catenacyber
catenacyber reviewed Jan 29, 2025
View reviewed changes
etc/schema.json
@@ -6792,6 +6840,9 @@
},
"ja4": {
"type": "string"
},
"ja4s": {
"type": "string"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there not some license question around ja4s ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And this needs at least to be in its own commit

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding the label [decision-required] about this point

catenacyber
catenacyber reviewed Jan 29, 2025
View reviewed changes
rust/src/ja4.rs
out[0..36].copy_from_slice(hash.as_bytes());
}

#[no_mangle]
pub unsafe extern "C" fn SCJA4SGetHash(j: &mut JA4, out: &mut [u8; 25]) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we have something like #define JA4_LEN 25 ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Meaning it should be defined in rust and used from rust.h thanks to cbindgen ;-)

catenacyber
catenacyber reviewed Jan 29, 2025
View reviewed changes
src/app-layer-ssl.c
@@ -695,7 +695,8 @@ static inline int TLSDecodeHSHelloVersion(SSLState *ssl_state,
ssl_state->curr_connp->version = version;

if (ssl_state->curr_connp->ja4 != NULL &&
ssl_state->current_flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) {
ssl_state->current_flags &
(SSL_AL_FLAG_STATE_CLIENT_HELLO | SSL_AL_FLAG_STATE_SERVER_HELLO)) {
SCJA4SetTLSVersion(ssl_state->curr_connp->ja4, version);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like changing the behavior of ja4...

catenacyber
catenacyber reviewed Jan 29, 2025
View reviewed changes
src/output-json-tls.c
{
char ssl_version[SSL_VERSION_MAX_STRLEN];
SSLVersionToString(ssl_state->server_connp.version, ssl_version);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why this change ?

@catenacyber
Copy link
Contributor

As part of this update suricata now creates a JA4 object when the message type is CLIENT_HELLO | SERVER_HELLO to allow for custom fields without the need to explicitly enable JA4 via ja4-fingerprint. That enables us to produce the handshake parameters, as well as the other JA4 related fields, without the fingerprint(s). Is that ok? I think that was the intention from the previous PR discussion?

It was rather from #12071 (comment)

It doesn't work if JA4 is disabled. Yeah, I agree it should probably be independent.

Does it work now if JA4 is disabled ? SV PR tests require JA4...

@catenacyber catenacyber added the decision-required Waiting on deliberation from the team label Jan 29, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@catenacyber catenacyber catenacyber left review comments

@jasonish jasonish Awaiting requested review from jasonish jasonish is a code owner

@jufajardini jufajardini Awaiting requested review from jufajardini jufajardini is a code owner

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
decision-required Waiting on deliberation from the team
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@rmcconnell-r7 @victorjulien @catenacyber @gtedesco-r7