
TLS module for packetbeat #5476

Merged
merged 13 commits into from
Nov 14, 2017
12 changes: 12 additions & 0 deletions packetbeat/_meta/beat.reference.yml
Expand Up @@ -421,6 +421,18 @@ packetbeat.protocols:
# incoming responses, but sent to Elasticsearch immediately.
#transaction_timeout: 10s

- type: tls
# Enable TLS monitoring. Default: true
#enabled: true

# Configure the ports where to listen for TLS traffic. You can disable
# the TLS protocol by commenting out the list of ports.
ports: [443]

# If this option is enabled, the client and server certificates and
# certificate chains are sent to Elasticsearch. The default is true.
#send_certificates: true

#=========================== Monitored processes ==============================

# Configure the processes to be monitored and how to find them. If a process is
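Review bot: the `send_certificates` comment only states the default; since enabling it ships the client and server certificates and their full chains to Elasticsearch for every observed handshake, the comment should also mention the event volume this adds so operators on busy links know when to set `#send_certificates: false`. It is fine that `#enabled: true` and `#send_certificates: true` are shown commented out as defaults, which matches the `#transaction_timeout: 10s` style just above, but `ports: [443]` being the only live line means a copy of the reference file enables TLS monitoring on 443 as soon as it is used, so say so in the `# Enable TLS monitoring` comment.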
5 changes: 5 additions & 0 deletions packetbeat/_meta/beat.yml
Expand Up @@ -93,6 +93,11 @@ packetbeat.protocols:
# the NFS protocol by commenting out the list of ports.
ports: [2049]

- type: tls
# Configure the ports where to listen for TLS traffic. You can disable
# the TLS protocol by commenting out the list of ports.
ports: [443]

#==================== Elasticsearch template setting ==========================

setup.template.settings:
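Review bot: `ports: [443]` covers only the HTTPS default port, and since this module is selected purely by port ("Configure the ports where to listen for TLS traffic") rather than by content, TLS on any other port is silently not decoded; the comment should tell users to extend the list with the other TLS ports they serve, in the same way the NFS block above documents its port list.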
291 changes: 291 additions & 0 deletions packetbeat/_meta/fields.yml
Expand Up @@ -1748,3 +1748,294 @@
If the call resulted in exceptions, this field contains the exceptions in a human
readable format.

- key: tls
title: "TLS"
description: >
TLS-specific event fields.
fields:
- name: tls
type: group
fields:
- name: handshake_completed
type: boolean
description: >
Whether the TLS negotiation has been successful and the session has
transitioned to encrypted mode.

- name: resumed
type: boolean
description: >
If the TLS session has been resumed from a previous session.

- name: resumption_method
type: keyword
description: >
If the session has been resumed, the underlying method used. One of
"id" for TLS session ID or "ticket" for TLS ticket extension.

- name: client_certificate_requested
type: boolean
description: >
Whether the server has requested the client to authenticate itself
using a client certificate.

- name: client_hello
type: group
fields:
- name: version
type: keyword
description: >
The version of the TLS protocol by which the client wishes to
communicate during this session.

- name: timestamp
type: date
description: >
The current time and date according to the client's internal clock.

- name: supported_ciphers
type: array
description: >
List of ciphers the client is willing to use for this session.
See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4

- name: supported_compression_methods
type: array
description: >
The list of compression methods the client supports.
See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml

- name: extensions
type: group
description: The hello extensions provided by the client.
fields:
- name: server_name_indication
type: array
description: List of hostnames

- name: application_layer_protocol_negotiation
type: array
description: >
List of application-layer protocols the client is willing to use.

- name: session_ticket
type: keyword
description: >
Length of the session ticket, if provided, or an empty string
to advertise support for tickets.

- name: server_hello
type: group
fields:
- name: version
type: keyword
description: >
The version of the TLS protocol that is used for this session.
It is the highest version supported by the server not exceeding
the version requested in the client hello.

- name: timestamp
type: date
description: >
The current time and date according to the server's internal clock.

- name: selected_cipher
type: keyword
description: >
The cipher suite selected by the server from the list provided
by in the client hello.

- name: selected_compression_method
type: keyword
description: >
The compression method selected by the server from the list
provided in the client hello.

- name: extensions
type: group
description: The hello extensions provided by the server.
fields:
- name: application_layer_protocol_negotiation
type: array
description: Negotiated application layer protocol

- name: session_ticket
type: keyword
description: >
Used to announce that a session ticket will be provided
by the server. Always an empty string.


- name: client_certificate
type: group
description: Certificate provided by the client for authentication.
fields:

- name: version
type: long
description: X509 format version.

- name: serial_number
type: keyword
Member

Are there some benefits to sending this as a keyword rather than a long? Will users be expecting to see hex? Maybe we should have a field formatter in Kibana for hex (possibly there is one; I didn't check).

Contributor Author

The serial number can be up to 160 bits long, so it doesn't fit in a numeric type.

I have changed the format to decimal. The most common way of representing it seems to be decimal up to 64 bits in length and then a hexadecimal number or a hex dump of the individual bytes. I will stick with decimal in a keyword field.

description: The certificate's serial number.

- name: not_before
type: date
description: Date before which the certificate is not valid.

- name: not_after
type: date
description: Date after which the certificate expires.

- name: public_key_algorithm
type: keyword
description: >
The algorithm used for this certificate's public key.
One of RSA, DSA or ECDSA.

- name: signature_algorithm
type: keyword
description: >
The algorithm used for the certificate's signature.

- name: subject
type: group
description: Subject represented by this certificate.
fields:
- name: country
type: keyword
description: Country code.

- name: organization
type: keyword
description: Organization name.

- name: organizational_unit
type: keyword
description: Unit within organization.

- name: province
type: keyword
description: Province or region within country.

- name: common_name
type: keyword
description: Name or host name identified by the certificate.

- name: alternative_names
type: array
description: Subject Alternative Names for this certificate.

- name: issuer
type: group
description: Entity that issued and signed this certificate.
fields:
- name: country
type: keyword
description: Country code.

- name: organization
type: keyword
description: Organization name.

- name: organizational_unit
type: keyword
description: Unit within organization.

- name: province
type: keyword
description: Province or region within country.

- name: common_name
type: keyword
description: Name or host name identified by the certificate.


- name: server_certificate
type: group
description: Certificate provided by the server for authentication.
fields:

- name: version
type: long
description: X509 format version.

- name: serial_number
type: keyword
description: The certificate's serial number.

- name: not_before
type: date
description: Date before which the certificate is not valid.

- name: not_after
type: date
description: Date after which the certificate expires.

- name: public_key_algorithm
type: keyword
description: >
The algorithm used for this certificate's public key.
One of RSA, DSA or ECDSA.

- name: signature_algorithm
type: keyword
description: >
The algorithm used for the certificate's signature.

- name: subject
type: group
description: Subject represented by this certificate.
fields:
- name: country
type: keyword
description: Country code.

- name: organization
type: keyword
description: Organization name.

- name: organizational_unit
type: keyword
description: Unit within organization.

- name: province
type: keyword
description: Province or region within country.

- name: common_name
type: keyword
description: Name or host name identified by the certificate.

- name: alternative_names
type: array
description: Subject Alternative Names for this certificate.

- name: issuer
type: group
description: Entity that issued and signed this certificate.
fields:
- name: country
type: keyword
description: Country code.

- name: organization
type: keyword
description: Organization name.

- name: organizational_unit
type: keyword
description: Unit within organization.

- name: province
type: keyword
description: Province or region within country.

- name: common_name
type: keyword
description: Name or host name identified by the certificate.


- name: server_certificate_chain
type: array
description: Chain of trust for the server certificate.
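Review bot: the `client_certificate` and `server_certificate` groups are verbatim copies of the same certificate definition (from `version` through the `issuer` group), so any correction made to one will be missed in the other; keep them in lockstep or factor the shared list out, and the `public_key_algorithm` description ("One of RSA, DSA or ECDSA") is one place where a single hard-coded enumeration now lives twice. Three smaller documentation points: `client_hello.extensions.session_ticket` is a `keyword` described as holding either a length or an empty string, which mixes a number with a presence marker in one string field, and `server_hello.extensions.session_ticket` is documented as "Always an empty string", which is a boolean dressed as a keyword; a `boolean` presence flag plus a `long` length would be clearer for both. `selected_cipher` reads "from the list provided by in the client hello" (stray "by"). Finally, `server_certificate_chain` is `type: array` with no statement of what each element contains; say whether entries carry the same fields as `server_certificate`.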