Capture TLS traffic
TLS is a cryptographic protocol that provides secure communications on top of an existing application protocol, such as HTTP or MySQL.

Packetbeat intercepts the initial handshake of a TLS connection and extracts useful information that helps operators diagnose problems and strengthen the security of their network and systems. It does not decrypt any information from the encapsulated protocol, nor does it reveal any sensitive information such as cryptographic keys. TLS versions 1.0 to 1.3 are supported.

It works by intercepting the client and server "hello" messages, which contain the negotiated parameters for the connection, such as the cryptographic cipher and protocol version. It can also intercept TLS alerts, which one of the parties sends to signal a problem with the negotiation, such as an expired certificate or a cryptographic error.
Example of an indexed event
```json
"tls": {
  "client": {
    "supported_ciphers": [
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
      "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
    ],
    "ja3": "e6573e91e6eb777c0933c5b8f97f10cd",
    "server_name": "example.net"
  },
  "server": {
    "subject": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US",
    "issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
    "not_before": "2018-11-28T00:00:00.000Z",
    "not_after": "2020-12-02T12:00:00.000Z",
    "hash": {
      "sha1": "7BB698386970363D2919CC5772846984FFD4A889"
    }
  },
  "version": "1.2",
  "version_protocol": "tls",
  "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "established": true,
  "next_protocol": "h2",
  "detailed": {
    "server_certificate": {
      "subject": {
        "common_name": "www.example.org",
        "country": "US",
        "organization": "Internet Corporation for Assigned Names and Numbers",
        "organizational_unit": "Technology",
        "locality": "Los Angeles",
        "province": "California"
      },
      "not_after": "2020-12-02T12:00:00.000Z",
      "public_key_size": 2048,
      "alternative_names": [
        "www.example.org",
        "example.com",
        "example.edu",
        "example.net",
        "example.org",
        "www.example.com",
        "www.example.edu",
        "www.example.net"
      ],
      "signature_algorithm": "SHA256-RSA",
      "version": 3,
      "issuer": {
        "organization": "DigiCert Inc",
        "common_name": "DigiCert SHA2 Secure Server CA",
        "country": "US"
      },
      "not_before": "2018-11-28T00:00:00.000Z",
      "public_key_algorithm": "RSA",
      "serial_number": "21020869104500376438182461249190639870"
    },
    "server_certificate_chain": [
      {
        "public_key_algorithm": "RSA",
        "not_before": "2013-03-08T12:00:00.000Z",
        "not_after": "2023-03-08T12:00:00.000Z",
        "version": 3,
        "serial_number": "2646203786665923649276728595390119057",
        "issuer": {
          "organizational_unit": "www.digicert.com",
          "common_name": "DigiCert Global Root CA",
          "country": "US",
          "organization": "DigiCert Inc"
        },
        "subject": {
          "country": "US",
          "organization": "DigiCert Inc",
          "common_name": "DigiCert SHA2 Secure Server CA"
        },
        "public_key_size": 2048,
        "signature_algorithm": "SHA256-RSA"
      },
      {
        "public_key_algorithm": "RSA",
        "subject": {
          "common_name": "DigiCert Global Root CA",
          "country": "US",
          "organization": "DigiCert Inc",
          "organizational_unit": "www.digicert.com"
        },
        "issuer": {
          "country": "US",
          "organization": "DigiCert Inc",
          "organizational_unit": "www.digicert.com",
          "common_name": "DigiCert Global Root CA"
        },
        "signature_algorithm": "SHA1-RSA",
        "serial_number": "10944719598952040374951832963794454346",
        "not_before": "2006-11-10T00:00:00.000Z",
        "not_after": "2031-11-10T00:00:00.000Z",
        "public_key_size": 2048,
        "version": 3
      }
    ],
    "client_certificate_requested": false,
    "version": "TLS 1.2",
    "client_hello": {
      "version": "3.3",
      "supported_compression_methods": [
        "NULL"
      ],
      "extensions": {
        "ec_points_formats": [
          "uncompressed"
        ],
        "supported_groups": [
          "x25519",
          "secp256r1",
          "secp384r1"
        ],
        "signature_algorithms": [
          "rsa_pkcs1_sha512",
          "ecdsa_secp521r1_sha512",
          "(unknown:0xefef)",
          "rsa_pkcs1_sha384",
          "ecdsa_secp384r1_sha384",
          "rsa_pkcs1_sha256",
          "ecdsa_secp256r1_sha256",
          "(unknown:0xeeee)",
          "(unknown:0xeded)",
          "(unknown:0x0301)",
          "(unknown:0x0303)",
          "rsa_pkcs1_sha1",
          "ecdsa_sha1"
        ],
        "application_layer_protocol_negotiation": [
          "h2",
          "http/1.1"
        ],
        "server_name_indication": [
          "example.net"
        ]
      }
    },
    "server_hello": {
      "version": "3.3",
      "session_id": "23bb2aed5d215e1228220b0a51d7aa220785e9e4b83b4f430229117971e9913f",
      "selected_compression_method": "NULL",
      "extensions": {
        "application_layer_protocol_negotiation": [
          "h2"
        ],
        "_unparsed_": [
          "renegotiation_info",
          "server_name_indication"
        ],
        "ec_points_formats": [
          "uncompressed",
          "ansiX962_compressed_prime",
          "ansiX962_compressed_char2"
        ]
      }
    }
  }
}
```
TLS events generated by Packetbeat follow the Elastic Common Schema (ECS) format. See the ECS TLS fields for a description of the populated fields.

Detailed information that is not defined in ECS is added under the tls.detailed key. The include_detailed_fields configuration flag controls whether this information is exported.

Fields under tls.detailed.client_hello contain the algorithms and extensions supported by the client, as well as the maximum TLS version it supports.

Fields under tls.detailed.server_hello contain the final settings for the TLS session: the selected cipher, compression method, the TLS version to use, and other extensions such as Application-Layer Protocol Negotiation (ALPN).

See the detailed TLS fields section for more information.
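The ECS and tls.detailed fields described above are what a defender would query to spot weak or expiring TLS configurations on the network. The following Python script is an added example, not Packetbeat's own code: it audits events of the shape shown above, reading the ECS fields (tls.version, tls.version_protocol, tls.cipher, tls.client.supported_ciphers, tls.client.server_name, tls.server.not_after) and, when present, the tls.detailed.server_certificate and server_certificate_chain fields that exist only with include_detailed_fields and send_certificates enabled. The two input events, the reference time and the list of weak-cipher name fragments are constructed for this example; the field names follow the documented sample, while the certificate names and values are invented.

```python
"""Audit Packetbeat TLS events (ECS + tls.detailed fields) for weak settings.

Added example; not Packetbeat code. The events below are constructed and only
mirror the field layout of the documented sample event.
"""
from datetime import datetime, timedelta, timezone

# Ciphersuite name fragments that indicate obsolete or broken algorithms (constructed list).
WEAK_CIPHER_MARKERS = ("3DES", "RC4", "NULL", "EXPORT", "DES_CBC", "MD5")
LEGACY_TLS_VERSIONS = {"1.0", "1.1"}


def _ts(value):
    """Parse the ISO-8601 UTC timestamp format Packetbeat writes, e.g. 2020-12-02T12:00:00.000Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_tls_event(event, now, expiry_warning_days=30):
    """Return a list of (finding, detail) pairs for a single Packetbeat TLS event."""
    tls = event.get("tls", {})
    client, server = tls.get("client", {}), tls.get("server", {})
    findings = []

    # Negotiated protocol version: any SSL version, or TLS below 1.2, is legacy.
    proto, version = tls.get("version_protocol"), tls.get("version")
    if proto == "ssl" or (proto == "tls" and version in LEGACY_TLS_VERSIONS):
        findings.append(("legacy_protocol", f"{proto} {version}"))

    # Negotiated ciphersuite (tls.cipher) and what the client was willing to offer.
    cipher = tls.get("cipher", "")
    if any(m in cipher for m in WEAK_CIPHER_MARKERS):
        findings.append(("weak_cipher_negotiated", cipher))
    offered = [c for c in client.get("supported_ciphers", [])
               if any(m in c for m in WEAK_CIPHER_MARKERS)]
    if offered:
        findings.append(("weak_cipher_offered", ", ".join(offered)))

    # A client hello without SNI is unusual for modern clients and worth a look.
    if not client.get("server_name"):
        findings.append(("no_sni", "client hello carried no server_name"))

    # Leaf certificate validity, from the ECS tls.server.not_after field.
    if server.get("not_after"):
        expires = _ts(server["not_after"])
        if expires <= now:
            findings.append(("certificate_expired", server["not_after"]))
        elif expires - now <= timedelta(days=expiry_warning_days):
            findings.append(("certificate_expiring", server["not_after"]))

    # Key sizes and signature algorithms need the tls.detailed.* fields, which are
    # only present when include_detailed_fields and send_certificates are enabled.
    detailed = tls.get("detailed", {})
    chain = [detailed["server_certificate"]] if "server_certificate" in detailed else []
    chain += detailed.get("server_certificate_chain", [])
    for cert in chain:
        name = cert.get("subject", {}).get("common_name", "?")
        if cert.get("public_key_algorithm") == "RSA" and cert.get("public_key_size", 0) < 2048:
            findings.append(("weak_key", f"{name}: RSA {cert.get('public_key_size')} bits"))
        # A self-signed root's own signature is never verified by clients, so only
        # flag SHA-1/MD5 signatures on certificates that are actually validated.
        self_signed = cert.get("subject") == cert.get("issuer")
        sig = cert.get("signature_algorithm", "")
        if sig.startswith(("SHA1", "MD5")) and not self_signed:
            findings.append(("weak_signature", f"{name}: {sig}"))
    return findings


# Constructed reference time and events; shapes follow the documented sample event.
REFERENCE_NOW = datetime(2020, 11, 15, tzinfo=timezone.utc)

SAMPLE_EVENT = {"tls": {
    "version": "1.2", "version_protocol": "tls",
    "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "established": True,
    "client": {"server_name": "example.net",
               "supported_ciphers": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                                     "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                                     "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"]},
    "server": {"subject": "CN=www.example.org,C=US",
               "not_after": "2020-12-02T12:00:00.000Z"},
    "detailed": {
        "server_certificate": {
            "subject": {"common_name": "www.example.org"},
            "issuer": {"common_name": "Example Intermediate CA"},
            "public_key_algorithm": "RSA", "public_key_size": 2048,
            "signature_algorithm": "SHA256-RSA"},
        "server_certificate_chain": [
            {"subject": {"common_name": "Example Intermediate CA"},
             "issuer": {"common_name": "Example Root CA"},
             "public_key_algorithm": "RSA", "public_key_size": 2048,
             "signature_algorithm": "SHA256-RSA"},
            {"subject": {"common_name": "Example Root CA"},
             "issuer": {"common_name": "Example Root CA"},
             "public_key_algorithm": "RSA", "public_key_size": 2048,
             "signature_algorithm": "SHA1-RSA"}]}}}

# A constructed legacy session: TLS 1.0, RC4, no SNI, expired 1024-bit certificate.
LEGACY_EVENT = {"tls": {
    "version": "1.0", "version_protocol": "tls",
    "cipher": "TLS_RSA_WITH_RC4_128_SHA", "established": True,
    "client": {"supported_ciphers": ["TLS_RSA_WITH_RC4_128_SHA"]},
    "server": {"not_after": "2019-01-01T00:00:00.000Z"},
    "detailed": {"server_certificate": {
        "subject": {"common_name": "legacy.internal"},
        "issuer": {"common_name": "Old CA"},
        "public_key_algorithm": "RSA", "public_key_size": 1024,
        "signature_algorithm": "SHA1-RSA"}}}}


if __name__ == "__main__":
    for label, ev in (("sample", SAMPLE_EVENT), ("legacy", LEGACY_EVENT)):
        for kind, detail in audit_tls_event(ev, REFERENCE_NOW):
            print(f"{label}: {kind}: {detail}")
```

Run against the sample-shaped event with a reference time of 15 November 2020, the script reports only that the client offered a 3DES suite and that the leaf certificate expires within 30 days; the SHA1-RSA self-signature on the root is deliberately not reported, because clients never verify a trust anchor's own signature. The checks that depend on tls.detailed.* silently produce nothing when those fields are absent, which is the behaviour you get after setting include_detailed_fields or send_certificates to false.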
The following settings are specific to the TLS protocol. Here is a sample configuration for the tls section of the packetbeat.yml config file:
```yaml
packetbeat.protocols:
- type: tls
  send_certificates: true
  include_raw_certificates: false
  include_detailed_fields: true
  fingerprints: [ md5, sha1, sha256 ]
```
Configuration options

The send_certificates and include_detailed_fields settings are useful for limiting the amount of data Packetbeat indexes, because multiple certificates are usually exchanged in a single transaction and they can take up a considerable amount of storage.

See also the common protocol options.
send_certificates

This setting causes information about the certificates presented by the client and server to be included in the detailed fields. The server's certificate is indexed under tls.detailed.server_certificate and its certificate chain under tls.detailed.server_certificate_chain. For the client, the client_certificate and client_certificate_chain fields are used. The default value is true.
include_raw_certificates

You can set include_raw_certificates to include the raw certificate chain, encoded in PEM format, under the tls.server.certificate_chain and tls.client.certificate_chain fields. The default value is false.
include_detailed_fields

Controls whether the detailed TLS fields are added to exported documents. When set to false, only the ECS TLS fields are included. The default value is true.