Capture TLS traffic
TLS is an encryption protocol that provides secure communication on top of an existing application protocol, such as HTTP or MySQL.
Packetbeat intercepts the initial handshake of a TLS connection and extracts useful information that helps an operator diagnose problems and strengthen network and system security. It does not decrypt any information from the encapsulated protocol, and it does not expose any sensitive information such as encryption keys. TLS versions 1.0 to 1.3 are supported.
It works by intercepting the client and server "hello" messages, which carry the negotiated parameters of the connection, such as the cipher and the protocol version. It also intercepts TLS alerts, which either side sends to indicate a problem with the negotiation, such as an expired certificate or a cryptographic error.
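To make concrete what "intercepting the hello messages" yields without any key, here is an added example (not Packetbeat's code): a minimal parser for the plaintext TLS ClientHello record that pulls out the offered version, cipher suites, SNI, ALPN and the supported_versions extension, which is what distinguishes a TLS 1.3 ClientHello from a 1.2 one (the header of both still says 0x0303). The cipher and version name tables are small assumed subsets of the IANA registries, and the sample record is constructed by a builder in the block rather than taken from a capture.

```python
"""Minimal TLS ClientHello parser (added example; not Packetbeat code).

Shows what a passive observer such as Packetbeat can read from the
plaintext handshake without any key: offered version, cipher suites,
SNI, ALPN and the supported_versions extension, which is how a TLS 1.3
ClientHello is told apart from 1.2 (its header still says 0x0303).
The code-point tables are small assumed subsets of the IANA registries.
"""
import struct

CIPHER_NAMES = {  # assumption: only the code points used in the sample below
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    0x1301: "TLS_AES_128_GCM_SHA256",
}
VERSION_NAMES = {0x0301: "1.0", 0x0302: "1.1", 0x0303: "1.2", 0x0304: "1.3"}
EXT_SERVER_NAME, EXT_ALPN, EXT_SUPPORTED_VERSIONS = 0, 16, 43


def build_client_hello(version, ciphers, sni, alpn, supported_versions=()):
    """Construct a TLS record carrying a ClientHello (test input, not a capture)."""
    name = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name type 0 = host_name
    sni_body = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    alpn_list = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    alpn_body = struct.pack("!H", len(alpn_list)) + alpn_list
    exts += struct.pack("!HH", EXT_ALPN, len(alpn_body)) + alpn_body
    if supported_versions:
        sv = b"".join(struct.pack("!H", v) for v in supported_versions)
        sv_body = bytes([len(sv)]) + sv
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv_body)) + sv_body
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (struct.pack("!H", version) + b"\x11" * 32 + b"\x00"   # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                          # one compression method: NULL
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the negotiation parameters visible to a passive observer."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body_len = int.from_bytes(record[6:9], "big")
    b = record[9:9 + body_len]
    version = struct.unpack("!H", b[:2])[0]
    pos = 2 + 32                                   # skip legacy version and random
    pos += 1 + b[pos]                              # skip session id
    cs_len = struct.unpack("!H", b[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", b[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + b[pos]                              # skip compression methods
    out = {"version": VERSION_NAMES.get(version, hex(version)),
           "supported_ciphers": [CIPHER_NAMES.get(c, f"(unknown:{c:#06x})") for c in ciphers],
           "server_name": None, "alpn": [], "supported_versions": []}
    if pos >= len(b):                              # old-style hello without extensions
        return out
    end = pos + 2 + struct.unpack("!H", b[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", b[pos:pos + 4])
        data = b[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SERVER_NAME:               # list len(2), type(1), name len(2), name
            nlen = struct.unpack("!H", data[3:5])[0]
            out["server_name"] = data[5:5 + nlen].decode()
        elif etype == EXT_ALPN:                    # list len(2), then len(1)+name entries
            i = 2
            while i < len(data):
                plen = data[i]
                out["alpn"].append(data[i + 1:i + 1 + plen].decode())
                i += 1 + plen
        elif etype == EXT_SUPPORTED_VERSIONS:      # len(1), then 2-byte versions
            vs = [struct.unpack("!H", data[1 + j:3 + j])[0] for j in range(0, data[0], 2)]
            out["supported_versions"] = [VERSION_NAMES.get(v, hex(v)) for v in vs]
    if "1.3" in out["supported_versions"]:
        out["version"] = "1.3"                     # highest version actually offered
    return out


# Constructed sample mirroring the client side of the indexed event below.
SAMPLE_HELLO = build_client_hello(0x0303, [0xC030, 0xC02C, 0x000A, 0x00FF],
                                  "example.net", ["h2", "http/1.1"])

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE_HELLO))
```

The parser deliberately stops at the hello: everything after the ServerHello (certificates aside) is encrypted, and nothing here needs or touches key material, which is the same boundary Packetbeat respects.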
Example of an indexed event
"tls": {
  "client": {
    "supported_ciphers": [
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
      "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
    ],
    "ja3": "e6573e91e6eb777c0933c5b8f97f10cd",
    "server_name": "example.net"
  },
  "server": {
    "subject": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US",
    "issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
    "not_before": "2018-11-28T00:00:00.000Z",
    "not_after": "2020-12-02T12:00:00.000Z",
    "hash": {
      "sha1": "7BB698386970363D2919CC5772846984FFD4A889"
    }
  },
  "version": "1.2",
  "version_protocol": "tls",
  "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "established": true,
  "next_protocol": "h2",
  "detailed": {
    "server_certificate": {
      "subject": {
        "common_name": "www.example.org",
        "country": "US",
        "organization": "Internet Corporation for Assigned Names and Numbers",
        "organizational_unit": "Technology",
        "locality": "Los Angeles",
        "province": "California"
      },
      "not_after": "2020-12-02T12:00:00.000Z",
      "public_key_size": 2048,
      "alternative_names": [
        "www.example.org",
        "example.com",
        "example.edu",
        "example.net",
        "example.org",
        "www.example.com",
        "www.example.edu",
        "www.example.net"
      ],
      "signature_algorithm": "SHA256-RSA",
      "version": 3,
      "issuer": {
        "organization": "DigiCert Inc",
        "common_name": "DigiCert SHA2 Secure Server CA",
        "country": "US"
      },
      "not_before": "2018-11-28T00:00:00.000Z",
      "public_key_algorithm": "RSA",
      "serial_number": "21020869104500376438182461249190639870"
    },
    "server_certificate_chain": [
      {
        "public_key_algorithm": "RSA",
        "not_before": "2013-03-08T12:00:00.000Z",
        "not_after": "2023-03-08T12:00:00.000Z",
        "version": 3,
        "serial_number": "2646203786665923649276728595390119057",
        "issuer": {
          "organizational_unit": "www.digicert.com",
          "common_name": "DigiCert Global Root CA",
          "country": "US",
          "organization": "DigiCert Inc"
        },
        "subject": {
          "country": "US",
          "organization": "DigiCert Inc",
          "common_name": "DigiCert SHA2 Secure Server CA"
        },
        "public_key_size": 2048,
        "signature_algorithm": "SHA256-RSA"
      },
      {
        "public_key_algorithm": "RSA",
        "subject": {
          "common_name": "DigiCert Global Root CA",
          "country": "US",
          "organization": "DigiCert Inc",
          "organizational_unit": "www.digicert.com"
        },
        "issuer": {
          "country": "US",
          "organization": "DigiCert Inc",
          "organizational_unit": "www.digicert.com",
          "common_name": "DigiCert Global Root CA"
        },
        "signature_algorithm": "SHA1-RSA",
        "serial_number": "10944719598952040374951832963794454346",
        "not_before": "2006-11-10T00:00:00.000Z",
        "not_after": "2031-11-10T00:00:00.000Z",
        "public_key_size": 2048,
        "version": 3
      }
    ],
    "client_certificate_requested": false,
    "version": "TLS 1.2",
    "client_hello": {
      "version": "3.3",
      "supported_compression_methods": [
        "NULL"
      ],
      "extensions": {
        "ec_points_formats": [
          "uncompressed"
        ],
        "supported_groups": [
          "x25519",
          "secp256r1",
          "secp384r1"
        ],
        "signature_algorithms": [
          "rsa_pkcs1_sha512",
          "ecdsa_secp521r1_sha512",
          "(unknown:0xefef)",
          "rsa_pkcs1_sha384",
          "ecdsa_secp384r1_sha384",
          "rsa_pkcs1_sha256",
          "ecdsa_secp256r1_sha256",
          "(unknown:0xeeee)",
          "(unknown:0xeded)",
          "(unknown:0x0301)",
          "(unknown:0x0303)",
          "rsa_pkcs1_sha1",
          "ecdsa_sha1"
        ],
        "application_layer_protocol_negotiation": [
          "h2",
          "http/1.1"
        ],
        "server_name_indication": [
          "example.net"
        ]
      }
    },
    "server_hello": {
      "version": "3.3",
      "session_id": "23bb2aed5d215e1228220b0a51d7aa220785e9e4b83b4f430229117971e9913f",
      "selected_compression_method": "NULL",
      "extensions": {
        "application_layer_protocol_negotiation": [
          "h2"
        ],
        "_unparsed_": [
          "renegotiation_info",
          "server_name_indication"
        ],
        "ec_points_formats": [
          "uncompressed",
          "ansiX962_compressed_prime",
          "ansiX962_compressed_char2"
        ]
      }
    }
  }
}
TLS events generated by Packetbeat follow the Elastic Common Schema (ECS) format. See ECS TLS fields for a description of the populated fields.
Details not defined in ECS are added under the tls.detailed key. The include_detailed_fields configuration flag controls whether this information is exported.
The fields under tls.detailed.client_hello contain the algorithms and extensions supported by the client, together with the highest TLS version it supports.
The fields under tls.detailed.server_hello contain the final settings of the TLS session: the selected cipher, compression method and TLS version, and other extensions such as Application Layer Protocol Negotiation (ALPN).
See the Detailed TLS fields section for more information.
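As an added example of what a detection pipeline can do with these fields (this is not Packetbeat code), the block below runs a set of checks over one indexed TLS event: a legacy protocol version, a weak cipher negotiated or merely offered by the client, an expired or not-yet-valid server certificate, an SNI that none of the certificate's names cover, and a SHA1-signed certificate in the chain (ignored when it is the self-signed root, whose own signature is never verified). EVENT is a trimmed copy of the indexed-event sample above; its @timestamp is constructed, and the weak-cipher markers and accepted versions are an assumed policy, not a Packetbeat setting.

```python
"""Detection checks over a Packetbeat TLS event (added example; not Packetbeat code).

Works on the ECS fields (tls.version, tls.cipher, tls.client.*, tls.server.*)
and on the tls.detailed.* fields that include_detailed_fields adds. EVENT is
trimmed from the indexed-event sample above; its @timestamp is constructed,
and the weak-cipher markers are an assumed policy, not a Packetbeat setting.
"""
from datetime import datetime

EVENT = {
    "@timestamp": "2021-01-15T10:00:00.000Z",   # constructed observation time
    "tls": {
        "version": "1.2",
        "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "established": True,
        "client": {
            "supported_ciphers": [
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
            ],
            "ja3": "e6573e91e6eb777c0933c5b8f97f10cd",
            "server_name": "example.net",
        },
        "server": {
            "not_before": "2018-11-28T00:00:00.000Z",
            "not_after": "2020-12-02T12:00:00.000Z",
        },
        "detailed": {
            "server_certificate": {
                "subject": {"common_name": "www.example.org"},
                "alternative_names": ["www.example.org", "example.net", "www.example.net"],
            },
            "server_certificate_chain": [
                {"subject": {"common_name": "DigiCert SHA2 Secure Server CA"},
                 "issuer": {"common_name": "DigiCert Global Root CA"},
                 "signature_algorithm": "SHA256-RSA"},
                {"subject": {"common_name": "DigiCert Global Root CA"},
                 "issuer": {"common_name": "DigiCert Global Root CA"},
                 "signature_algorithm": "SHA1-RSA"},
            ],
        },
    },
}

WEAK_CIPHER_MARKERS = ("3DES", "RC4", "NULL", "EXPORT", "DES_CBC")  # assumed policy
ACCEPTED_VERSIONS = ("1.2", "1.3")                                   # assumed policy


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps Packetbeat writes (millisecond precision, 'Z')."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")


def name_matches(pattern, host):
    """RFC 6125-style match: exact, or a single-label '*.' wildcard."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def analyze(event):
    """Return a list of {"check", "detail"} findings for one TLS event."""
    tls = event["tls"]
    ts = parse_ts(event["@timestamp"])
    findings = []

    def add(check, detail):
        findings.append({"check": check, "detail": detail})

    if not tls.get("established", False):
        add("handshake_failed", "no session established")
    if tls.get("version") not in ACCEPTED_VERSIONS:
        add("legacy_version", tls.get("version"))
    cipher = tls.get("cipher", "")
    if any(m in cipher for m in WEAK_CIPHER_MARKERS):
        add("weak_cipher_negotiated", cipher)
    client = tls.get("client", {})
    for c in client.get("supported_ciphers", []):
        if any(m in c for m in WEAK_CIPHER_MARKERS):
            add("weak_cipher_offered", c)      # client still accepts it, even if unused here
    srv = tls.get("server", {})
    if "not_after" in srv and parse_ts(srv["not_after"]) < ts:
        add("cert_expired", srv["not_after"])
    if "not_before" in srv and parse_ts(srv["not_before"]) > ts:
        add("cert_not_yet_valid", srv["not_before"])
    detailed = tls.get("detailed", {})
    cert = detailed.get("server_certificate")
    sni = client.get("server_name")
    if cert and sni:
        names = [cert.get("subject", {}).get("common_name", "")] + cert.get("alternative_names", [])
        if not any(name_matches(n, sni) for n in names):
            add("sni_mismatch", f"{sni} not covered by {names}")
    for link in detailed.get("server_certificate_chain", []):
        self_signed = link.get("subject") == link.get("issuer")
        # a self-signed root's own signature is never verified, so SHA1 there is harmless
        if link.get("signature_algorithm", "").startswith("SHA1") and not self_signed:
            add("sha1_chain_signature", link["subject"].get("common_name"))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENT):
        print(f["check"], "->", f["detail"])
```

On the sample event this reports two findings: the server certificate had expired at the constructed observation time, and the client still offers a 3DES suite even though AES-GCM was negotiated. The chain's SHA1-RSA root is not reported because it is self-signed. Note that the SNI and chain checks depend on tls.detailed.*, so they silently do nothing when include_detailed_fields is false.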
The following settings are specific to the TLS protocol. Here is a sample configuration for the tls section of the packetbeat.yml configuration file:
packetbeat.protocols:
- type: tls
  send_certificates: true
  include_raw_certificates: false
  include_detailed_fields: true
  fingerprints: [md5, sha1, sha256]
Configuration options
The send_certificates and include_detailed_fields settings are useful for limiting the amount of data Packetbeat indexes, because several certificates are usually exchanged in a single transaction, and they can take up a considerable amount of storage.
See also Common protocol options.
send_certificates
This setting causes information about the certificates presented by the client and the server to be included in the detailed fields. The server's certificate is indexed under tls.detailed.server_certificate and its certificate chain under tls.detailed.server_certificate_chain. For the client, the client_certificate and client_certificate_chain fields are used. The default value is true.
include_raw_certificates
You can set include_raw_certificates to include the raw certificate chain, encoded in PEM format, under the tls.server.certificate_chain and tls.client.certificate_chain fields. The default value is false.
include_detailed_fields
Controls whether the Detailed TLS fields are added to the exported document. When set to false, only the ECS TLS fields are included. The default value is true.