eve/tls: reimplement basic and extended logging in terms of custom - v1 #11984
Conversation
Adds custom fields "client_alpns" and "server_alpns". Ticket: OISF#7333
During EVE TLS setup, a broken check for Ja3 being enabled led to Ja3 being disabled, but only in custom mode. This check is not needed, if Ja3 is disabled, it won't be available, and won't be logged. This is required to implement "extended" in terms of "custom" fields.
Will prevent custom logging options getting out of sync with whats available in extended. Ticket: OISF#7333
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #11984 +/- ##
==========================================
+ Coverage 82.75% 83.06% +0.30%
==========================================
Files 910 910
Lines 249016 258153 +9137
==========================================
+ Hits 206069 214429 +8360
- Misses 42947 43724 +777
Flags with carried forward coverage won't be shown. Click here to find out more. |
There was a problem hiding this comment.
Looks much more neat! :D
We should probably also review docs and suricata.yaml mentions of the available custom fields, to ensure we list all of them (and any dependencies).
Noticed that we may be leaving session_resumed behind, in case of basic logging.
Minor existential dilemma wrt having the main function to be called be the Custom or LogFields one, but I sense this isn't of real importance.
|
Information: QA ran without warnings. Pipeline 23131 |
Dealt with in next version of PR. |
|
Replaced by #11991. |
Commit c79a382 added ALPN logging to extended TLS output but there was no way to add this to custom. To prevent this from happening in the future, implement basic and extended logging in terms of custom.
Ticket: https://redmine.openinfosecfoundation.org/issues/7333