捕获 TLS 流量

编辑

TLS 是一种加密协议,它在现有应用程序协议(如 HTTP 或 MySQL)之上提供安全的通信。

Packetbeat 会拦截 TLS 连接中的初始握手,并提取有用的信息,以帮助操作员诊断问题并加强其网络和系统的安全性。它不会解密封装协议中的任何信息,也不会泄露任何敏感信息(如加密密钥)。支持 TLS 1.0 到 1.3 版本。

它的工作原理是拦截客户端和服务器的“hello”消息,其中包含连接的协商参数,例如加密密码和协议版本。它还可以拦截 TLS 警报,这些警报由一方发送,以表示协商存在问题,例如证书过期或加密错误。

索引事件的示例

"tls": {
    "client": {
      "supported_ciphers": [
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
      ],
      "ja3": "e6573e91e6eb777c0933c5b8f97f10cd",
      "server_name": "example.net"
    },
    "server": {
      "subject": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US",
      "issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
      "not_before": "2018-11-28T00:00:00.000Z",
      "not_after": "2020-12-02T12:00:00.000Z",
      "hash": {
        "sha1": "7BB698386970363D2919CC5772846984FFD4A889"
      }
    },
    "version": "1.2",
    "version_protocol": "tls",
    "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "established": true,
    "next_protocol": "h2",
    "detailed": {
      "server_certificate": {
        "subject": {
          "common_name": "www.example.org",
          "country": "US",
          "organization": "Internet Corporation for Assigned Names and Numbers",
          "organizational_unit": "Technology",
          "locality": "Los Angeles",
          "province": "California"
        },
        "not_after": "2020-12-02T12:00:00.000Z",
        "public_key_size": 2048,
        "alternative_names": [
          "www.example.org",
          "example.com",
          "example.edu",
          "example.net",
          "example.org",
          "www.example.com",
          "www.example.edu",
          "www.example.net"
        ],
        "signature_algorithm": "SHA256-RSA",
        "version": 3,
        "issuer": {
          "organization": "DigiCert Inc",
          "common_name": "DigiCert SHA2 Secure Server CA",
          "country": "US"
        },
        "not_before": "2018-11-28T00:00:00.000Z",
        "public_key_algorithm": "RSA",
        "serial_number": "21020869104500376438182461249190639870"
      },
      "server_certificate_chain": [
        {
          "public_key_algorithm": "RSA",
          "not_before": "2013-03-08T12:00:00.000Z",
          "not_after": "2023-03-08T12:00:00.000Z",
          "version": 3,
          "serial_number": "2646203786665923649276728595390119057",
          "issuer": {
            "organizational_unit": "www.digicert.com",
            "common_name": "DigiCert Global Root CA",
            "country": "US",
            "organization": "DigiCert Inc"
          },
          "subject": {
            "country": "US",
            "organization": "DigiCert Inc",
            "common_name": "DigiCert SHA2 Secure Server CA"
          },
          "public_key_size": 2048,
          "signature_algorithm": "SHA256-RSA"
        },
        {
          "public_key_algorithm": "RSA",
          "subject": {
            "common_name": "DigiCert Global Root CA",
            "country": "US",
            "organization": "DigiCert Inc",
            "organizational_unit": "www.digicert.com"
          },
          "issuer": {
            "country": "US",
            "organization": "DigiCert Inc",
            "organizational_unit": "www.digicert.com",
            "common_name": "DigiCert Global Root CA"
          },
          "signature_algorithm": "SHA1-RSA",
          "serial_number": "10944719598952040374951832963794454346",
          "not_before": "2006-11-10T00:00:00.000Z",
          "not_after": "2031-11-10T00:00:00.000Z",
          "public_key_size": 2048,
          "version": 3
        }
      ],
      "client_certificate_requested": false,
      "version": "TLS 1.2",
      "client_hello": {
        "version": "3.3",
        "supported_compression_methods": [
          "NULL"
        ],
        "extensions": {
          "ec_points_formats": [
            "uncompressed"
          ],
          "supported_groups": [
            "x25519",
            "secp256r1",
            "secp384r1"
          ],
          "signature_algorithms": [
            "rsa_pkcs1_sha512",
            "ecdsa_secp521r1_sha512",
            "(unknown:0xefef)",
            "rsa_pkcs1_sha384",
            "ecdsa_secp384r1_sha384",
            "rsa_pkcs1_sha256",
            "ecdsa_secp256r1_sha256",
            "(unknown:0xeeee)",
            "(unknown:0xeded)",
            "(unknown:0x0301)",
            "(unknown:0x0303)",
            "rsa_pkcs1_sha1",
            "ecdsa_sha1"
          ],
          "application_layer_protocol_negotiation": [
            "h2",
            "http/1.1"
          ],
          "server_name_indication": [
            "example.net"
          ]
        }
      },
      "server_hello": {
        "version": "3.3",
        "session_id": "23bb2aed5d215e1228220b0a51d7aa220785e9e4b83b4f430229117971e9913f",
        "selected_compression_method": "NULL",
        "extensions": {
          "application_layer_protocol_negotiation": [
            "h2"
          ],
          "_unparsed_": [
            "renegotiation_info",
            "server_name_indication"
          ],
          "ec_points_formats": [
            "uncompressed",
            "ansiX962_compressed_prime",
            "ansiX962_compressed_char2"
          ]
        }
      }
    }
  }

Packetbeat 生成的 TLS 事件遵循 Elastic 通用模式 (ECS) 格式。有关填充字段的描述,请参阅 ECS TLS 字段

ECS 中未定义的详细信息将添加到 tls.detailed 键下。 include_detailed_fields 配置标志用于控制是否导出此信息。

tls.detailed.client_hello 下的字段包含客户端支持的算法和扩展,以及它支持的最大 TLS 版本。

tls.detailed.server_hello 下的字段包含 TLS 会话的最终设置:所选的密码、压缩方法、要使用的 TLS 版本以及其他扩展,例如应用层协议协商 (ALPN)。

有关更多信息,请参阅详细的 TLS 字段部分。

以下设置特定于 TLS 协议。以下是 packetbeat.yml 配置文件的 tls 部分的示例配置

packetbeat.protocols:
- type: tls
  send_certificates: true
  include_raw_certificates: false
  include_detailed_fields: true
  fingerprints: [ md5, sha1, sha256 ]

配置选项

编辑

send_certificatesinclude_detailed_fields 设置对于限制 Packetbeat 索引的数据量很有用,因为通常在单个事务中会交换多个证书,并且这些证书可能会占用大量存储空间。

另请参阅通用协议选项

send_certificates

编辑

此设置会导致有关客户端和服务器提供的证书的信息包含在详细字段中。服务器的证书在 tls.detailed.server_certificate 下索引,其证书链在 tls.detailed.server_certificate_chain 下索引。对于客户端,使用 client_certificateclient_certificate_chain 字段。默认值为 true。

include_raw_certificates

编辑

您可以设置 include_raw_certificates 以在 tls.server.certificate_chaintls.client.certificate_chain 字段下包含以 PEM 格式编码的原始证书链。默认值为 false。

include_detailed_fields

编辑

控制是否将详细的 TLS 字段添加到导出的文档中。当设置为 false 时,仅包含 ECS TLS 字段。默认值为 true

fingerprints

编辑

定义用于计算证书指纹的哈希算法列表。有效值为 sha1sha256md5

默认输出 SHA-1 指纹。