tests: showcase bug 7286 (tls) - v2 #2073

11 changes: 11 additions & 0 deletions tests/tls/bug-7286-tls-metadata-01/README.md
@@ -0,0 +1,11 @@
### Test

Showcase how TLS metadata is logged when JA4 is disabled.

### Pcap

Reused from test ja4-tls.

### Ticket

https://redmine.openinfosecfoundation.org/issues/7286
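Review bot: the Pcap section says the capture is reused from the ja4-tls test, and the test.yaml in this commit indeed points at `../../ja4-tls/input.pcap`, yet the commit also adds a binary `tests/tls/bug-7286-tls-metadata-01/input.pcap` that nothing references. Either drop the copied binary or point `pcap:` at the local file and state that here; carrying both leaves it unclear which capture the test is meant to run on.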
Binary file added tests/tls/bug-7286-tls-metadata-01/input.pcap
Binary file not shown.
14 changes: 14 additions & 0 deletions tests/tls/bug-7286-tls-metadata-01/suricata.yaml
@@ -0,0 +1,14 @@
%YAML 1.1
---


outputs:
- eve-log:
enabled: yes
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
filename: eve.json
types:
- tls:
extended: yes # enable this for extended logging information
custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4]
ja4: off
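Review bot: the two blank lines after `---` are stray and should go. Also, since `custom:` explicitly lists `ja4` while `ja4: off` disables it, a short comment next to `ja4: off` saying that this combination (JA4 requested in the custom list but switched off) is the condition under test would make the intent readable from the config alone, instead of only from the README.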
21 changes: 21 additions & 0 deletions tests/tls/bug-7286-tls-metadata-01/test.yaml
@@ -0,0 +1,21 @@
requires:
min-version: 8

pcap: ../../ja4-tls/input.pcap

checks:
- filter:
count: 1
match:
event_type: tls
tls.subject: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
tls.issuerdn: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
tls.serial: 00:97:E6:47:09:8E:EA:C9:B4
tls.fingerprint: 3a:0b:3b:23:15:2c:44:5c:27:ac:6a:0c:41:d6:fa:74:af:b4:09:5b
tls.version: TLS 1.2
tls.notbefore: '2015-02-12T18:07:27'
tls.notafter: '2025-02-09T18:07:27'
tls.certificate: 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
Member:

Are these large blobs needed to show the issue? If so, please put them in quotes. If not, let's remove them for a cleaner test.

Contributor Author:

Should I split this into two different PRs:

  • one test for TLS metadata in TLS events (and then I remove tls.certificate and tls.chain from these tests), which could be merged as is, I assume
  • one test for custom TLS fields in EVE log (and then adding tls.certificate and tls.chain, with quotes.) - which will require merging of the schema fixing PR first.

The advantage of this is allowing for the SV test for bug 7286 to be merged faster.

tls.chain:
- 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
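Review bot: the `match:` block never asserts on the JA3/JA4 fields, so this check passes regardless of whether `ja4: off` changes the logged metadata; add an explicit expectation for `tls.ja4` (absent, given the README says JA4 is disabled) and, since they are also in the `custom` list, for `tls.ja3` and `tls.ja3s`. The maintainer's point above about the `tls.certificate` and `tls.chain` values still stands: if they are kept, quote them as YAML strings; if they are not needed to show the issue, the subject/issuer/serial/fingerprint/version/validity fields already matched cover the README's stated purpose.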

11 changes: 11 additions & 0 deletions tests/tls/bug-7286-tls-metadata-02/README.md
@@ -0,0 +1,11 @@
### Test

Showcase how TLS metadata is logged when JA4 is enabled.

### Pcap

Reused from test ja4-tls.

### Ticket

https://redmine.openinfosecfoundation.org/issues/7286
Binary file added tests/tls/bug-7286-tls-metadata-02/input.pcap
Binary file not shown.
14 changes: 14 additions & 0 deletions tests/tls/bug-7286-tls-metadata-02/suricata.yaml
@@ -0,0 +1,14 @@
%YAML 1.1
---


outputs:
- eve-log:
enabled: yes
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
filename: eve.json
types:
- tls:
extended: yes # enable this for extended logging information
custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4]
ja4: on
21 changes: 21 additions & 0 deletions tests/tls/bug-7286-tls-metadata-02/test.yaml
@@ -0,0 +1,21 @@
requires:
min-version: 8

pcap: ../../ja4-tls/input.pcap

checks:
- filter:
count: 1
match:
event_type: tls
tls.subject: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
tls.issuerdn: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
tls.serial: 00:97:E6:47:09:8E:EA:C9:B4
tls.fingerprint: 3a:0b:3b:23:15:2c:44:5c:27:ac:6a:0c:41:d6:fa:74:af:b4:09:5b
tls.version: TLS 1.2
tls.notbefore: '2015-02-12T18:07:27'
tls.notafter: '2025-02-09T18:07:27'
tls.certificate: 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
tls.chain:
- 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
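Review bot: with `ja4: on` in this test's suricata.yaml, the check should assert that `tls.ja4` is present (ideally with its value from the capture); as written, -01 and -02 run an identical `match:` on the same pcap and cannot tell the two configurations apart, which defeats the point of having two tests. The same applies to the unasserted `tls.ja3` and `tls.ja3s`, and the `tls.certificate`/`tls.chain` quoting question raised on the -01 test.yaml applies here too.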