output/json: log tls subjectaltname

Feature 5234
Andre4s · May 22, 2024 · 232c44e · 232c44e
1 parent 719fda3
commit 232c44e
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 2 deletions.
diff --git a/src/output-json-tls.c b/src/output-json-tls.c
@@ -78,6 +78,7 @@ SC_ATOMIC_EXTERN(unsigned int, cert_id);
 #define LOG_TLS_FIELD_CLIENT_CERT       (1 << 14)
 #define LOG_TLS_FIELD_CLIENT_CHAIN      (1 << 15)
 #define LOG_TLS_FIELD_JA4               (1 << 16)
+#define LOG_TLS_FIELD_SUBJECTALTNAME    (1 << 17)
 
 typedef struct {
     const char *name;
@@ -92,7 +93,8 @@ TlsFields tls_fields[] = { { "version", LOG_TLS_FIELD_VERSION },
     { "chain", LOG_TLS_FIELD_CHAIN }, { "session_resumed", LOG_TLS_FIELD_SESSION_RESUMED },
     { "ja3", LOG_TLS_FIELD_JA3 }, { "ja3s", LOG_TLS_FIELD_JA3S },
     { "client", LOG_TLS_FIELD_CLIENT }, { "client_certificate", LOG_TLS_FIELD_CLIENT_CERT },
-    { "client_chain", LOG_TLS_FIELD_CLIENT_CHAIN }, { "ja4", LOG_TLS_FIELD_JA4 }, { NULL, -1 } };
+    { "client_chain", LOG_TLS_FIELD_CLIENT_CHAIN }, { "ja4", LOG_TLS_FIELD_JA4 },
+    { "subjectaltname", LOG_TLS_FIELD_SUBJECTALTNAME }, { NULL, -1 } };
 
 typedef struct OutputTlsCtx_ {
     uint32_t flags;  /** Store mode */
@@ -122,6 +124,17 @@ static void JsonTlsLogIssuer(JsonBuilder *js, SSLState *ssl_state)
     }
 }
 
+static void JsonTlsLogSAN(JsonBuilder *js, SSLState *ssl_state)
+{
+    if (ssl_state->server_connp.cert0_sans_len > 0) {
+        jb_open_array(js, "subjectaltname");
+        for (uint16_t i = 0; i < ssl_state->server_connp.cert0_sans_len; i++) {
+            jb_append_string(js, ssl_state->server_connp.cert0_sans[i]);
+        }
+        jb_close(js);
+    }
+}
+
 static void JsonTlsLogSessionResumed(JsonBuilder *js, SSLState *ssl_state)
 {
     if (ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) {
@@ -334,6 +347,9 @@ void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state)
     /* tls issuerdn */
     JsonTlsLogIssuer(js, ssl_state);
 
+    /* tls subjectaltname */
+    JsonTlsLogSAN(js, ssl_state);
+
     /* tls session resumption */
     JsonTlsLogSessionResumed(js, ssl_state);
 }
@@ -349,6 +365,10 @@ static void JsonTlsLogJSONCustom(OutputTlsCtx *tls_ctx, JsonBuilder *js,
     if (tls_ctx->fields & LOG_TLS_FIELD_ISSUER)
         JsonTlsLogIssuer(js, ssl_state);
 
+    /* tls subjectaltname */
+    if (tls_ctx->fields & LOG_TLS_FIELD_SUBJECTALTNAME)
+        JsonTlsLogIssuer(js, ssl_state);
+
     /* tls session resumption */
     if (tls_ctx->fields & LOG_TLS_FIELD_SESSION_RESUMED)
         JsonTlsLogSessionResumed(js, ssl_state);

diff --git a/suricata.yaml.in b/suricata.yaml.in
@@ -259,7 +259,7 @@ outputs:
             # session id
             #session-resumption: no
             # custom controls which TLS fields that are included in eve-log
-            #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4]
+            #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4, subjectaltname]
         - files:
             force-magic: no   # force logging magic on all logged files
             # force logging of checksums, available hash functions are md5,