From 84622b71b4b5dae8bd5f921b83b71b7c3dc155d7 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Wed, 27 Jan 2021 11:38:34 +0100
Subject: [PATCH 1/2] eve: only output ja3 and ja3s if present
This will prevent JSON entries like the following that occur with the dedault configuration (ja3 deactivated and extended tls ouput activated): "tls": { "subject": "C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com", "issuerdn": "C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com", "serial": "00:9C:FC:DA:1D:A4:70:87:5D", "fingerprint": "b8:18:2d:cb:c9:f8:1a:66:75:13:18:31:24:e0:92:35:42:ab:96:89", "version": "TLSv1", "notbefore": "2020-05-03T11:07:28", "notafter": "2021-05-03T11:07:28", "ja3": {}, "ja3s": {} }
---
 src/output-json-tls.c | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/src/output-json-tls.c b/src/output-json-tls.c
index 3bf30a805898..412c18e0fff2 100644
--- a/src/output-json-tls.c
+++ b/src/output-json-tls.c
@@ -215,12 +215,16 @@ static void JsonTlsLogJa3String(JsonBuilder *js, SSLState *ssl_state)
 static void JsonTlsLogJa3(JsonBuilder *js, SSLState *ssl_state)
 {
- jb_open_object(js, "ja3");
+ if ((ssl_state->client_connp.ja3_hash != NULL) ||
+ ((ssl_state->client_connp.ja3_str != NULL) &&
+ ssl_state->client_connp.ja3_str->data != NULL)) {
+ jb_open_object(js, "ja3");
- JsonTlsLogJa3Hash(js, ssl_state);
- JsonTlsLogJa3String(js, ssl_state);
+ JsonTlsLogJa3Hash(js, ssl_state);
+ JsonTlsLogJa3String(js, ssl_state);
- jb_close(js);
+ jb_close(js);
+ }
 }
 static void JsonTlsLogJa3SHash(JsonBuilder *js, SSLState *ssl_state)
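Review bot: The presence test added at the top of JsonTlsLogJa3 repeats by hand the NULL checks that JsonTlsLogJa3Hash and JsonTlsLogJa3String (both outside this hunk) must already make before writing their fields, and the second hunk copies the same expression again for server_connp in JsonTlsLogJa3S; if either helper's condition later drifts from this gate, the empty `"ja3": {}` object comes back, or a value the helper would have written is silently dropped. Factoring the predicate into one `static bool` helper that takes the connection side, called from both functions, keeps the gate and the field writers in one place; the JsonTlsLogJa3 shape is sketched below and JsonTlsLogJa3S would mirror it with `&ssl_state->server_connp` and `"ja3s"`. This is also a schema change worth a sentence in the commit message or upgrade notes: `tls.ja3` and `tls.ja3s` used to be present (possibly empty) in every extended TLS record and are now absent when JA3 is disabled, which log consumers that test for the key's existence will notice.
```c
/* One predicate for both sides, so the gate and the field writers cannot drift apart. */
static bool JsonTlsJa3Present(const SSLStateConnp *connp)
{
    return (connp->ja3_hash != NULL) ||
           ((connp->ja3_str != NULL) && connp->ja3_str->data != NULL);
}

static void JsonTlsLogJa3(JsonBuilder *js, SSLState *ssl_state)
{
    if (!JsonTlsJa3Present(&ssl_state->client_connp)) {
        return;
    }
    jb_open_object(js, "ja3");
    /* … unchanged: JsonTlsLogJa3Hash / JsonTlsLogJa3String calls … */
    jb_close(js);
}
```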
@@ -242,12 +246,16 @@ static void JsonTlsLogJa3SString(JsonBuilder *js, SSLState *ssl_state)
 static void JsonTlsLogJa3S(JsonBuilder *js, SSLState *ssl_state)
 {
- jb_open_object(js, "ja3s");
+ if ((ssl_state->server_connp.ja3_hash != NULL) ||
+ ((ssl_state->server_connp.ja3_str != NULL) &&
+ ssl_state->server_connp.ja3_str->data != NULL)) {
+ jb_open_object(js, "ja3s");
- JsonTlsLogJa3SHash(js, ssl_state);
- JsonTlsLogJa3SString(js, ssl_state);
+ JsonTlsLogJa3SHash(js, ssl_state);
+ JsonTlsLogJa3SString(js, ssl_state);
- jb_close(js);
+ jb_close(js);
+ }
 }
 static void JsonTlsLogCertificate(JsonBuilder *js, SSLState *ssl_state)
From 359ac0304a5d76d52f2e66e19960dce55b332339 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Fri, 29 Jan 2021 23:59:11 +0100
Subject: [PATCH 2/2] suricata: unix-socket mode and -l are compatible
Commit 93642a0d1dd29c96e98824935ef963f6b1ef40eb did prevent to specify the logging directory on command line and use the unix socket. It looks like the implementation has evolved and the arbitrary limitation can be removed allowing a user to start unix socket without editing the configuration file.
---
 src/suricata.c | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/src/suricata.c b/src/suricata.c
index 4f054aeb1dbc..4fc13d3b180d 100644
--- a/src/suricata.c
+++ b/src/suricata.c
@@ -1840,12 +1840,6 @@ static TmEcode ParseCommandLine(int argc, char** argv, SCInstance *suri)
 return TM_ECODE_FAILED;
 }
- if ((suri->run_mode == RUNMODE_UNIX_SOCKET) && suri->set_logdir) {
- SCLogError(SC_ERR_INITIALIZATION,
- "can't use -l and unix socket runmode at the same time");
- return TM_ECODE_FAILED;
- }
-
 /* save the runmode from the commandline (if any) */
 suri->aux_run_mode = suri->run_mode;