From 3b3da76ba06d87a4d0fac09e31e87bb76a5d4ab8 Mon Sep 17 00:00:00 2001
From: Karel Hynek
Date: Wed, 9 Sep 2020 16:52:45 +0200
Subject: [PATCH] Moved ipfix probe TLS fields to already existing ones
---
 .../output/unirec/config/unirec-elements.txt | 62 +++++++++----------
 1 file changed, 29 insertions(+), 33 deletions(-)
diff --git a/extra_plugins/output/unirec/config/unirec-elements.txt b/extra_plugins/output/unirec/config/unirec-elements.txt
index bf5c17d0..60b77136 100644
--- a/extra_plugins/output/unirec/config/unirec-elements.txt
+++ b/extra_plugins/output/unirec/config/unirec-elements.txt
@@ -139,44 +139,40 @@ HTTP_UA_APP_MIN uint16 flowmon:httpUaAppMin HTTP_UA_APP_BLD uint16 flowmon:httpUaAppBld -# --- TLS elements --- -TLS_SNI string e8057id808 -TLS_JA3 string e8057id830 - # --- Other fields --- IPV6_TUN_TYPE uint8 e16982id405 # IPv6 tunnel type APP_ID bytes e0id95 # Application ID from libprotoident / NBAR2 / Flowmon's NBAR plugin -# --- Flowmon TLS fields -TLS_CONTENT_TYPE uint8 flowmon:tlsContentType # tlsContentType -TLS_HANDSHAKE_TYPE uint32 flowmon:tlsHandshakeType # https://tools.ietf.org/html/rfc5246#appendix-A.4 -TLS_SETUP_TIME uint64 flowmon:tlsSetupTime # tlsSetupTime -TLS_SERVER_VERSION uint16 flowmon:tlsServerVersion # 8b major and 8b minor, 0x0303 ~ TLS1.2 -TLS_SERVER_RANDOM bytes flowmon:tlsServerRandom # tlsServerRandom -TLS_SERVER_SESSIONID bytes flowmon:tlsServerSessionId # tlsServerSessionId -TLS_CIPHER_SUITE uint16 flowmon:tlsCipherSuite # https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 -TLS_ALPN string flowmon:tlsAlpn # TLS Application-Layer Protocol Negotiation https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids -TLS_SNI string flowmon:tlsSni # Server Name Indication https://en.wikipedia.org/wiki/Server_Name_Indication -TLS_SNI_LENGTH uint16 flowmon:tlsSniLength # Length of TLS_SNI field -TLS_CLIENT_VERSION uint16 flowmon:tlsClientVersion # tlsClientVersion -TLS_CIPHER_SUITES bytes flowmon:tlsCipherSuites # List of 2B ciphers, beware of network byte order. 
See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 -TLS_CLIENT_RANDOM bytes flowmon:tlsClientRandom # tlsClientRandom -TLS_CLIENT_SESSIONID bytes flowmon:tlsClientSessionId # tlsClientSessionId -TLS_EXTENSION_TYPES bytes flowmon:tlsExtensionTypes # tlsExtensionTypes -TLS_EXTENSION_LENGTHS bytes flowmon:tlsExtensionLengths # tlsExtensionLengths -TLS_ELLIPTIC_CURVES bytes flowmon:tlsEllipticCurves # tlsEllipticCurves -TLS_EC_POINTFORMATS bytes flowmon:tlsEcPointFormats # tlsEcPointFormats -TLS_CLIENT_KEYLENGTH int32 flowmon:tlsClientKeyLength # Length of client's key -TLS_ISSUER_CN string flowmon:tlsIssuerCn # Common name of certificate issuer -TLS_SUBJECT_CN string flowmon:tlsSubjectCn # Certificate Common Name -TLS_SUBJECT_ON string flowmon:tlsSubjectOn # Certificate Organization Name -TLS_VALIDITY_NOTBEFORE int64 flowmon:tlsValidityNotBefore # UNIX timestamp of certificate creation -TLS_VALIDITY_NOTAFTER int64 flowmon:tlsValidityNotAfter # UNIX timestamp of certificate expiration -TLS_SIGNATURE_ALG uint16 flowmon:tlsSignatureAlg # tlsSignatureAlg -TLS_PUBLIC_KEYALG uint16 flowmon:tlsPublicKeyAlg # tlsPublicKeyAlg -TLS_PUBLIC_KEYLENGTH int32 flowmon:tlsPublicKeyLength # tlsPublicKeyLength -TLS_JA_3FINGERPRINT bytes flowmon:tlsJa3Fingerprint # tlsJa3Fingerprint +# --- TLS fields +TLS_CONTENT_TYPE uint8 flowmon:tlsContentType # tlsContentType +TLS_HANDSHAKE_TYPE uint32 flowmon:tlsHandshakeType # https://tools.ietf.org/html/rfc5246#appendix-A.4 +TLS_SETUP_TIME uint64 flowmon:tlsSetupTime # tlsSetupTime +TLS_SERVER_VERSION uint16 flowmon:tlsServerVersion # 8b major and 8b minor, 0x0303 ~ TLS1.2 +TLS_SERVER_RANDOM bytes flowmon:tlsServerRandom # tlsServerRandom +TLS_SERVER_SESSIONID bytes flowmon:tlsServerSessionId # tlsServerSessionId +TLS_CIPHER_SUITE uint16 flowmon:tlsCipherSuite # https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 +TLS_ALPN string flowmon:tlsAlpn # TLS Application-Layer 
Protocol Negotiation https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids +TLS_SNI string flowmon:tlsSni,e8057id808 # Server Name Indication https://en.wikipedia.org/wiki/Server_Name_Indication +TLS_SNI_LENGTH uint16 flowmon:tlsSniLength # Length of TLS_SNI field +TLS_CLIENT_VERSION uint16 flowmon:tlsClientVersion # tlsClientVersion +TLS_CIPHER_SUITES bytes flowmon:tlsCipherSuites # List of 2B ciphers, beware of network byte order. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 +TLS_CLIENT_RANDOM bytes flowmon:tlsClientRandom # tlsClientRandom +TLS_CLIENT_SESSIONID bytes flowmon:tlsClientSessionId # tlsClientSessionId +TLS_EXTENSION_TYPES bytes flowmon:tlsExtensionTypes # tlsExtensionTypes +TLS_EXTENSION_LENGTHS bytes flowmon:tlsExtensionLengths # tlsExtensionLengths +TLS_ELLIPTIC_CURVES bytes flowmon:tlsEllipticCurves # tlsEllipticCurves +TLS_EC_POINTFORMATS bytes flowmon:tlsEcPointFormats # tlsEcPointFormats +TLS_CLIENT_KEYLENGTH int32 flowmon:tlsClientKeyLength # Length of client's key +TLS_ISSUER_CN string flowmon:tlsIssuerCn # Common name of certificate issuer +TLS_SUBJECT_CN string flowmon:tlsSubjectCn # Certificate Common Name +TLS_SUBJECT_ON string flowmon:tlsSubjectOn # Certificate Organization Name +TLS_VALIDITY_NOTBEFORE int64 flowmon:tlsValidityNotBefore # UNIX timestamp of certificate creation +TLS_VALIDITY_NOTAFTER int64 flowmon:tlsValidityNotAfter # UNIX timestamp of certificate expiration +TLS_SIGNATURE_ALG uint16 flowmon:tlsSignatureAlg # tlsSignatureAlg +TLS_PUBLIC_KEYALG uint16 flowmon:tlsPublicKeyAlg # tlsPublicKeyAlg +TLS_PUBLIC_KEYLENGTH int32 flowmon:tlsPublicKeyLength # tlsPublicKeyLength +TLS_JA_3FINGERPRINT bytes flowmon:tlsJa3Fingerprint,e8057id830 # tlsJa3Fingerprint # --- Per-Packet Information elements --- #PPI_TLS_REC_LENGTHS uint16* e0id291/e8057id1010 # basicList of TLS record lengths
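Review bot: The ipfix probe JA3 value moves from the removed `TLS_JA3 string e8057id830` into `TLS_JA_3FINGERPRINT bytes flowmon:tlsJa3Fingerprint,e8057id830`, so the UniRec field is both renamed and changed from `string` to `bytes`, and nothing in the commit records that consumers of the old TLS_JA3 name and type will break. If the two exporters encode the fingerprint differently (for example hex text versus a raw digest), one `bytes` field would carry two representations that any rule matching JA3 values has to normalize, so this should be confirmed against both exporters before merging. The same merge happens on `TLS_SNI`, which now also reads e8057id808 while `TLS_SNI_LENGTH` on the next line keeps only the flowmon source, so the length presumably stays unset for flows from the ipfix probe; a note such as `# Length of TLS_SNI field (flowmon exporter only)` on that line would stop a reader from assuming the two are populated together. The comma-separated source list in the third column is new in the visible part of this file (the only other multi-element entry, the commented-out PPI_TLS_REC_LENGTHS, uses `/`), so please confirm the config parser treats `,` as alternative sources rather than as part of one element name.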