From 533e02606b6f5e1c886b838e27c3e37893064c83 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Tue, 3 Jul 2018 18:58:45 +0200
Subject: [PATCH] Packetbeat: Update TLS protocol cipher suites (#7455) (#7498)

The TLS protocol parser has been updated with 5 new cipher suites introduced in TLS 1.3:
+------------------------------+-------------+
| Description | Value |
+------------------------------+-------------+
| TLS_AES_128_GCM_SHA256 | {0x13,0x01} |
| | |
| TLS_AES_256_GCM_SHA384 | {0x13,0x02} |
| | |
| TLS_CHACHA20_POLY1305_SHA256 | {0x13,0x03} |
| | |
| TLS_AES_128_CCM_SHA256 | {0x13,0x04} |
| | |
| TLS_AES_128_CCM_8_SHA256 | {0x13,0x05} |
+------------------------------+-------------+
---
 CHANGELOG.asciidoc | 1 +
 packetbeat/protos/tls/algos.go | 7 +++++++
 2 files changed, 8 insertions(+)
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index 9efe9e7d7ec6..fe05a9ce9715 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -304,6 +304,7 @@ https://github.com/elastic/beats/compare/v6.2.3...master[Check the HEAD diff]
 - Allow to capture the HTTP request or response bodies independently. {pull}6784[6784]
 - HTTP publishes an Error event for unmatched requests or responses. {pull}6794[6794]
 - The process monitor now reports the command-line for all processes, under Linux and Windows. {pull}7135[7135]
+- Updated the TLS protocol parser with new cipher suites added to TLS 1.3. {issue}7455[7455]
 *Winlogbeat*
diff --git a/packetbeat/protos/tls/algos.go b/packetbeat/protos/tls/algos.go
index 1ee8d5d3191c..b3ba6ea18672 100644
--- a/packetbeat/protos/tls/algos.go
+++ b/packetbeat/protos/tls/algos.go
@@ -193,6 +193,13 @@ var cipherSuites = map[cipherSuite]string{
 0x00C5: "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256",
 0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
+
+ 0x1301: "TLS_AES_128_GCM_SHA256",
+ 0x1302: "TLS_AES_256_GCM_SHA384",
+ 0x1303: "TLS_CHACHA20_POLY1305_SHA256",
+ 0x1304: "TLS_AES_128_CCM_SHA256",
+ 0x1305: "TLS_AES_128_CCM_8_SHA256",
+
 0x5600: "TLS_FALLBACK_SCSV",
 0xC001: "TLS_ECDH_ECDSA_WITH_NULL_SHA",
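Review bot: The new 0x1301–0x1305 group has no comment saying where its values come from, and it is the only group visible in this hunk whose names have no `_WITH_` part and name no key-exchange or authentication algorithm. I would add `// TLS 1.3 cipher suites (RFC 8446, appendix B.4)` on the line above `0x1301`, so that someone auditing the table against the registry, or writing a detection rule that matches on suite names, knows these follow a different naming scheme. The diffstat lists only CHANGELOG.asciidoc and algos.go, so nothing appears to exercise the new entries; a small table-driven test asserting that each of the five IDs resolves to the name given in the commit description would catch a transposed value. The `cipherSuites` map literal starts and ends outside this hunk.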