TLS events log missing fingerprint

  • Suricata 7.0.6
  • Ubuntu 18.04
  • Installed from source


I noticed that the TLS 1.3 logs do not have the fingerprint and SNI fields. The TLS 1.2 logs show these fields.

Is this supposed to happen?


Could this be because you are looking at TLS 1.3 traffic which uses ESNI (encrypted SNI) or ECH (encrypted client hello)? Do you have a pcap for both the TLS 1.3 and 1.2 traffic you are observing this on?

I think that is the cause.

How can we overcome this limitation and improve detection in TLS?

There is not much that can be done. It is the purpose of these extensions to reduce the observable footprint of the TLS communication.
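
To measure how much of this visibility gap exists on a given sensor, the following added example (not part of the original thread and not Suricata project code) counts, per TLS version, how many EVE TLS events carry `sni` and `fingerprint`. The sample lines are constructed, and the field names `tls.version`, `tls.sni` and `tls.fingerprint` are assumed to match the sensor's EVE TLS output.

```python
import json

# Constructed sample eve.json lines (not taken from the thread).
SAMPLE_EVE = """\
{"event_type":"tls","flow_id":1,"tls":{"version":"TLS 1.2","sni":"a.example","fingerprint":"aa:bb:cc"}}
{"event_type":"tls","flow_id":2,"tls":{"version":"TLS 1.2","sni":"b.example","fingerprint":"dd:ee:ff"}}
{"event_type":"tls","flow_id":3,"tls":{"version":"TLS 1.3"}}
{"event_type":"tls","flow_id":4,"tls":{"version":"TLS 1.3","sni":"c.example"}}
{"event_type":"dns","flow_id":5,"dns":{"type":"query"}}
{"event_type":"tls","flow_id":6,"tls":{"vers
"""

FIELDS = ("sni", "fingerprint")  # assumed EVE field names under "tls"


def tls_events(lines):
    """Yield (flow_id, tls_dict) for each well-formed TLS event line."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or partially written line
        if isinstance(event, dict) and event.get("event_type") == "tls":
            yield event.get("flow_id"), event.get("tls") or {}


def field_coverage(lines, fields=FIELDS):
    """Return {version: {"events": n, <field>: events carrying it}}."""
    stats = {}
    for _, tls in tls_events(lines):
        version = tls.get("version", "UNDETERMINED")
        row = stats.setdefault(version, {"events": 0, **{f: 0 for f in fields}})
        row["events"] += 1
        for f in fields:
            if tls.get(f):
                row[f] += 1
    return stats


def blind_flows(lines, fields=FIELDS):
    """flow_ids of TLS events that carry none of the given fields."""
    return [fid for fid, tls in tls_events(lines)
            if not any(tls.get(f) for f in fields)]


if __name__ == "__main__":
    sample = SAMPLE_EVE.splitlines()
    for version, row in sorted(field_coverage(sample).items()):
        print(version, row)
    print("flows with no SNI or fingerprint:", blind_flows(sample))
```

Pointing `field_coverage` at the lines of a real `eve.json` shows what share of TLS 1.3 sessions still expose an SNI, and `blind_flows` lists the flow IDs that have to be assessed from other event types.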