From ba00cc5f00fa9f685b93e4fd0debf0d6dcf46d09 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 22 Feb 2022 09:20:26 +0100
Subject: [PATCH] Adds quic ietf v1 test
---
tests/quic-ietf/README.md | 7 +++++++
tests/quic-ietf/input.pcap | Bin 0 -> 9263 bytes
tests/quic-ietf/test.rules | 2 ++
tests/quic-ietf/test.yaml | 22 ++++++++++++++++++++++
4 files changed, 31 insertions(+)
create mode 100644 tests/quic-ietf/README.md
create mode 100644 tests/quic-ietf/input.pcap
create mode 100644 tests/quic-ietf/test.rules
create mode 100644 tests/quic-ietf/test.yaml
diff --git a/tests/quic-ietf/README.md b/tests/quic-ietf/README.md
new file mode 100644
index 000000000..95cb154b1
--- /dev/null
+++ b/tests/quic-ietf/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test quic ietf v1 parsing
+
+# PCAP
+
+The pcap comes from https://www.bortzmeyer.org/quic.html
diff --git a/tests/quic-ietf/input.pcap b/tests/quic-ietf/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..266ba94ad71dafe1120cf99f298a300fb5a22e2f GIT binary patch literal 9263 zcmaLcWl$a4wkY7Wa3{EHaJK|^3AT_$aQ9%r9RdUk?(S~E-QC^Yg9HywV8IRN*4}rY zbLzdW8bA6+cl8{z>YHPXp6jj2fdaq){_lbT0RP-{VVfIBM4H9i!GMejPinT0~;Ko zfHGqZkQn*w>Xq+{F=^_08db->Pf}E+Q5S9V{`;B0*VIjncc-1!wmqhHM9^?X$%UBE za95l|)PWgE;#SuV*tw&FM$XQZAQ z_wK8Q3hnUGzTosz{zT3 zQ`3ncJ4)tYyc)Hz2wj-sWLGm^I!F4DTc-#9L@5{#o=U07VBhF@C@D`&VV984-_?>A zEW;44XcF8PD$$puS_qYr^DJlZ#nCw)&E=3sLyL-So0p}_3j-G$3um>|N13ORL*i%1 z-_i2-rD$la$y*Ms2QR6xdA$i4$TYV(N6eAom$t6Nx6XeenuiOavlz}$k)Z%poqHbT zVoZ|yzez!X_ESLS#5-;hpY*LiO``x1s`K~IjlWkAppETIcd1N0UT#-BC|Qg`bS{-K~V|1@t$f z$H+u_5Rd+DY7shie+v@+IxDJvTp~nQM!H3IlZ{-5g*j>vI+mv3r_BuIe1>3TtMbhONl6azkxh8wsSPbO_R z86&CrlfICQ7qG^=)*470rMI9*8K=^B z(7y875|Yvvin7aAkPNpZPVJ`n0!mLZEGeqsA&bDl&K@vmmnAbdNab(gfZml0@DrJo zJi2Eb?y?!2{YL!`?d~89iXDjw&a&?()YiB{s=#HcDfVv?qRbgn4l5?C;|UCZEAcV) z7?Q5C(zjoV$!2uv(W~Iwu+I@aQy~KEmaZ^71=krFS<@5G`B*}n3kI4*zv6O=Ly-J7 zYJcE-Dn_Z6yufGuKCZu$++-yt4fBy^1aY4fQYB3--#@{zEYIUCPR-C^j%hRTdn}lg zY8gC#Nbjr$rp&A2M-D_7@$TpdVWn&S-qH?ee}sv!6EeE)etl*>f5rVH zAZpF?r{WzYd>OMWV#L15a|_@5DDu5b4%8FqGtK~%f_Gf78Y&OG5!$S29?+i_w}k9> zm3NsKGD!UuloOUZ`~xJ`SJ;=qdEW%t1Z>qm>d3C9Opd4gKwrLtl>DTw99=@3ncOLZ z6}{uc!R%W^r@gXqiU=-ul~N~u zsx`{zTN$wJbpO#&Y6udf9^7JDm-N4N{WVB>+UgZdemw(PGJEv z(}6YO?ZRJ^^(tOdn{amHh;7Br?K~J0(6MLyUw5q@EqvCs=oMWhM;mwm-Lt zRzRTl=`X+Z>uXbrht(3z;yjs;)AQpe7HT3cbitBGJ%XxUN#8j2%9wd{g8mXwwgvUg zKEMKMf%?UTU*VnKaW?&L$#186Juq|RMJwv+o$^LOfeiqWmgp)r8-dv?)|8BLXvATx zonJyDW$RTLPdQQkwCtDFe&ruXRnP4R=7dFz#+Cotf*(^b15aUJRuz` zENWhHNwC>K)7kr3a`W_h@V3Ag(N$ZyeAvW4wmaw*mk#q%!tgblA!NKP&HL_e{H8c# zMt)Q!eDg`aOQ>ZoSaEFM;6p?KLDU4(rL_`I=#gW4OG)2II!d|1KviK5K9RDab(pK3 zl&4zy9J~|{A7iJ(xBmH&U%!bb1mx#SI8ZRbr%OJ?kXh{3MZ=f89)5qZFlm{s&qsYn zd@;FRi7nNeRoQeed_<%}CLJ&ExIXa6*PH=N42G&N(h4YPXg9v^p!}gn{F)nk-Zj{J z@hF`gezKC(C-e6w6m@{*C)T&02o!t1#Cu5LC;;RXk{&&G!RXrthwEZjQGxn`)My~k 
zhT43AL<}FK^F4USfX$8eLoG78Kd2bz$yyJW(|9~v=?cwZY9WK{v{~fM_lhN6TCMbh zB*^PxRzhC0iEo?uvh?crff>J8(^~y>1Hff%5P+eYR4=hR%2U!=nc{#HW+G&cwAYFh z#uz84&2>aW`J+P3I_G8YL7NN8B%gTgP<80z%)p0mP%lJQogj}9?E}mEW=*iQq4nEz z$Jk;3_5h?`E&D@T{uGusiFO=1^?C5kGvm}GbskUgQJk}jB>J+(`TQCZ(0??O*ug-F zHrGRv#Y>YbYC1w!DY}{cP8;tEp+fnPolFghx%yVoNS@CWDq_4;ZSNRN6hZ1)bEp{; z{rH0y)@Os|s349jRJOU~`(}-czyn6^;*t_WD>F1t_8DfUU2}#00WGq*2RSlOn{K9W} z2dy`czE$~zmRLEvRwq(A;RvmC@Nu=+o%4Hsp*V*@g=2gwN!WSIp-T_0KIsAu12Cco z&t+Y~s2?5)lDx(RXcUyKI!^N^KtOH=E;1jJZia$Qov zF~m;N1e%Zp$>MBYaNBNHg;n=4R5#$QI@wmz7sxW&pu(eIrO6Sa1L)IHP?6BRWm~^N zp~HpPw3@IMnVcM2NWW`@4Zm~6{Co2_+|W!#X7O+2*ITiqJbXk>B^R1WRE_KYs*zGv zuR5-;0Ri%V3dz^_&)N|vuY&n8<+g+jdlrWb*f6dl?$y|F!Q6!Y{8)nh4ga2Tmh|FM%5rtGH& zy-Y^!>FR*gHtUIa3@HD1k)O#Jd5pDgT`zRB;33M^3wgw8GnP{6i?WZZsdp(PtCy-X zR;{hGb?-?mkoY|w?o4U|8VW;G^Ny?X>HTZ(5DaGW8a5F$mp~4@Yz=Lkj}oR?t_zKK!;EpkP3qxLW2#v>M@>1Uj>a^AW~)!*HG1TgYo_dRlO=;%aGv}1ArnWM{>y56P( zb;!pT0Hp->re%|B{ZnzRO=gH2y%K1RRR&UD^7w|PH{L!lILE$s+>Q6)gpJ)Fg;hk5 z&Y1opw<}bxAW@MD5^{w%dDgXp!Vjvd51)a_^>K{8*Qj(Xtfu@C)7%l5vWA6BZCzb# zev~%mQz++@1iMW&s6;ApZ5p05c;f5_{uEKk02H=Ekfn?r3QG21dBTeLb?1sBV^ z?ULg>nya^)Z#a(B+13dq6Lwnyt7X`1KzuIuQ;|9@KiC%e95B63tM%X0(Kk>ft+z){ z7%uY-n5k!VS-k}nX69ck`l%~|p+}=f(VgY-`6b-*+|*~g1TXy1^}N_2p_yUK<|P`D zjdeM}Z|JN0aMAWsCxv!y32O{*mVP>Ylj#>gI%)ZYEcyb?dHhUNvcDcBf`5_E>5l(k zE~zkHw9do*bBGZN(p0}Y=2g6@zR6?vMptd~CInQT4SNW#mr{bOx+TRmDt$&eOSP)& zB|?*vY9lJI!;LO-m)%`OrEoFbKbdq?2P&{K#aH0GIo!r7&5?CW#?n7Xr~ zKz+KJ&Q6*su|e(NEM(y?)EU6uh@|I%X8Pk)iI$d|{fEd|=p)Hc6JhQo{3gSfQOr7N z&Udh|0_M+AI9Y8x(--;4?B?a4N@%Ty$vquLtapSL^cf2BFSq9zKKok1pbZQnFl_1k zN>G0Yf+KTG?jDM@tmb_TOoHAr!&VgJ^yms!-pGBH!U0da3Q|Mj3AFbnZ>f+l?Sv)> z-Hw`by%2F3?MTojB{E5fPLXW)@COg(aal!3YhqWST=5a}Bw`VxrPKTn#@1g*$?n}SKNhnUoVPV^WLJj(_v_IZ zS@v~-K?`5_MdzU7H`!D62M)Fgd=+P{{_L%z*C=%cN=?ukS9zIFb67_27;w$*Xv1}@ z6*suuOhU`DObrSkZ24ngRcESewM&F=K=(VB*6-bCNi0V%LADh^3=3a^d!TOY?@Y{O ztEthv`4$Evir@-1_CsRcgkx@W$H3M;LBpAIuLK_m+_LnnR|Tkaanvzc?UlA&T%H(= z{eZ4p!e2M3Ut$KgAT7Po+nq*)*4&S0wbL_Yip)9b`g7Rweqk!~WfqTwMI&Ldb?XFU 
zeix$>iGdc=n&75%$A&^K$@j;Brc%QdZ>U>kO9P(KSSnd{;CZLP4VB=VPnX1PG_h^sEdO__C?KJM9Se=;htsSJ6KLf&()jZn*7RISj$q{__ ztvD$3QK)WC(4QuzMg$#)pT7%IGex&teV0(sux4ubs^ix(=tw7h9;_+aT}*sJ`On?S(!pEL3`{!@OytS{HA{9ok$ zDLAdM+c1_7oB0I*=#C3nScgUsm=G!hUngt_b&M7QKY-f+Tl7SK*^a zD@Zy{kptqCGNsZbKjwa|%rUb=rz@3QzZO(NVSb=#jjc!+g6e`cqR8 z9O(2#Y2y1_<>&{BeFpUmxATS3g)H9H$Z^`&1^ep3{QsJ)o_{r2vH#v=1vlCMRot^- zw%FL7SwR|Bt*7uSHoPIQRby7PzWl?0uLsHT@vzTxlVX}R^mx{|iBBWav8+|bDn1en zij*LPjNUlyGFz0E;}gV2D~krn*55xZ_@l`=oIgwF3MA-tB~xWTbObDaE$QaHeCB4W zGN?=J{22~{P7AmD1My#sE#uXuFV=^KleoO5{nJgFdL9h z6_0Jk!l4JQdQ&|;>Y#Q@43fyfIdQ&u8$hy%UP{6nWH^}_RjmFGY3e#;e8ik{6M4>-K7}2Pk zNHypxy%Q@iCtGN>gDQb)y&&no$4Q!t&ie+#qJ&sN06v^@dfx3mU_(;u;cA=pW2^f! zor=sRs2zhB)4QcomdMMD^8fkW82VQ!34fI3O-d{-D|<`b__PtKbGJaZ#KDyJi^b+R zx8usRuFKYy;8{YURzT?5D1~V??;1-%C7T&XZWI;tFg~=%#628rbjlPzt{#jq0!3N` zO&A*lG_5L3{WLH&(UcLQdZ>FtsHVy=9P92^nIrcxZpdO9Ni*l0tY@QN8$l-UZ$l?O3c;zc)E%6MdE$j~II8Qmspm z=r7DBra?ab$V?HGk{EX#0-oy|*}t~-cgM`Mu5OF{Ft^wULVG=M(TJN78I0x$_|-Me zn5dVx0vbCt^LNzR@`@Pg!dMQ-EgErt-cGiU5GlvAa!OFk&go>mD+`gwJuq=L67BUQ zS6Q&K2MsD6D`!wBWQtIWCfo{g?DEG#DbWOf(J4T>{;E!89HQ&+BdVh`s57TQ?>ooLuFPEyURdOj1x|wCnD`=hu)u zJF}4cW{m`9+iuEHFP^0wdg&_E>fdmu97DRE%ZYNlhkI?7W9z`OToNK{zSwYGv9%U9 zivHRf8_)GL&6d|u9CP7jkaJX&M9O`aBDz45sZnHes&QiUQe9{ zwOi02qyg(wxXch*np$uvsbeZQa!8qqJP=+q<CP3_lriq}r{OHuM2cu^(_!Pxf%v^~uACtI&Ng7jek zBY&EJ*Z8jyR2!i8RmYk6f9eQZ931kuj{I*xi2Ubi1pJ1Ps&bOVpLr{x#0si~Qn?`Izex!LpFE)@>y`Wdhh_(M;b zXXiQSoJw?%R@zNgz43yF6CK972yw&)= zCs){Oq)qTVc&^>TW@$t|``kGTDagK@7H-VzGrQ+Ox4h;RTn2m@PI4+OE!y+Oqs|;C zRc?mMJu(a7n{T1Ud}sij)p|fFzgs55D}4i@!7{aGSXHB3g;T69 z`ee1yZ`LKPis1Nx%SsJj_ZWI09@gF3oKC3Ja$DLE z>eZ3EDY2<~RFh}nDLf#=DV4WRH(&Cp+YQ*K63`RZrvAXmaLqQdh?66pqlX!~5R)q& zqxZ|XghP&f*6pacdY2EW^hp2#b1fUY{~U@@mWJ530Pk(VR{20p4B}}$3WwsVb|YO| zY3*uIc-7Pbn8RHyV-@by^N6JCg#-et7DczPo zJ+VYr?3n-#Ow$7fukf0fR{QlHAG%`FXR33C0S7NXb>P-oHIbjA`I(777d6%bRMGu-w+g?M!$GKYsc|v5acJ3Bmat3Kkh|U`>p} z+6zgLJdekFY}{@Ki~dX*@N|$LplI0Sl2(?AwKFlSpoo&3QBbJKSCWGA8i_xJVY$+P 
zy=;9j8wYBD#=Yfhh4Y$D{3;M^wkmd};CRb*POF@EFL%~aKbDTv@x*C3sP=e}64h74 zh^c?LT`QGgmCz&Et9b4b5*Q4VFFWoGu#;3)aaS}Cc_M-8j*z`l?a^_F@mXrJu;kN{E%zt&8Gque!on%c zP_bySD5Xe&*MYO7oK5y0Uw;>!H`*uiWEWC`E*=aet^mgGLLQSM1Xg{O&&>Wcc&|M7 zbT)6=+pFW@A%YMvr$*{ve4})tuyHS~aZ_G;@)+!c4o^7MI#>5>jS-Reo>R{gHIHO^ zpFuVtz3#_;Q<5@p3ZbzYEs~edk43%MRi}0op|6%oh%Ycc-(Q^6u4t8oCWtV%2iEAk z|AFzY7%14M0Fc>e7%d-9iKHSL4ZTS(ks4L^q(wLJX@QAJ<~-@k<-rziyhTv?MOpuB znLA!@GGMK_Fof=)mYc`K`eBh5WZ>X?{58Im2}c$h`nwfXq`DOBpnoclx-5D?z#1c} z%B$=ee`Npb*Xw`D4gmE1tL}~dr|d8%@tm%I)xCLeXrtqPJ+gz$Yrkkhii+JcXy;MB zpkHB(`MyI3*1KrdaJoC2S$+2UX>GmVk7^iGu1im)(lte$4kS51drLtSTI$Ib>Fc1g z8GCszh?H>EKZ3~D$c|4ng7K}G?@G)mj-sqI5|3_8drzL6%46dl-|YNA4&1l9L{{CL z0SQpDzm(+ci6+QIU`@ZS5-+?w#nl{PYU6XSfO?A7%{2L-WJXK^F$E7i_8Sxw=&4Gk zPnX5hq`teAmr%geD+UU^PcecmRPs{N^>KWCIMmD^gVNk*#}mdo3A3>kVGBBM%VrCo z&;}31z7ykDq1-rf;>n0FAt8)&^b$D02oqZQ;S3)O%s7}g?lfM85yk3oP%bs+ z8#h3n7wHzPNllfLKmU@}zrUnO=O%au>#PcxhA?Zez$$u0xx58 zijo8jMl2WD4?!5Xj-?<`C4$Iu=VOP~XewP#8QqPemMsjDwptI|+YMG8xxkW{T}N;G z1()^r(fw)7+r|Mh2vJ2lP3A@)1yDO=N0psirTY7Q0c;VEK5!?2i#+2rE^!EY4BO^n ztO@H&iD^P?1I5Km7N(YNf&fZU#7g) z9+;@TAMIp=4x4_GObOjl*)3e2FpFS+To|EToBWvz(&C-Zn!*s|KK-F(Y(u^{}^NJ{V{igsT!ptNMVB)MWO=|l11k&_Zz7XvTus2Nr&OosM+ z1n(^`NAhmJbWQ^Qljd}q*moZX(e@S5$YI{p_~}K}*2G%7S(t{?Luv}}+E#%8UJdHd zJh{EhlLLZGMh1x%i7WZVhjq3)Q}Hp?$Xxu?LeZ=mL%W3Gm5%4mer0a(@jatH6CB6W zcao_y>miEokp}53QZw3p@w?442uOqiXO7Zxla#c30~>EOdo>qNgFKSR(_`^{UuH1* z4;3$ZV~4K zLtXj;rnD6FRfK6V8;slVE=9Bm53Xww^jmJVr*_hmTs@882N74q4z_)VP68YT3bTdc z{4M}~*efs*$te5n<(JjCCk1$>~X!?6!AC zhN;9bE##+)WXvwuOtSnDAK;{JUBXT6ZrqJ$^nJ2`?9iV)*!?BZ-Ztgx&p2uFYgK7+woK= z&8^ZjI-YW7rgMFyH$BxXv=;v5NZq+|Nj8xPHb)f literal 0 HcmV?d00001 diff --git a/tests/quic-ietf/test.rules b/tests/quic-ietf/test.rules new file mode 100644 index 000000000..f94109e51 --- /dev/null +++ b/tests/quic-ietf/test.rules 
@@ -0,0 +1,2 @@
+alert quic any any -> any any (msg:"QUIC SNI"; quic.sni; content:"msquic.net"; sid:4;)
+alert quic any any -> any any (msg:"QUIC JA3"; quic.ja3; content:"771,4866,43-51-41"; sid:3;)
diff --git a/tests/quic-ietf/test.yaml b/tests/quic-ietf/test.yaml
new file mode 100644
index 000000000..611d3df5d
--- /dev/null
+++ b/tests/quic-ietf/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ min-version: 7.0.0
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: quic
+ quic.extensions[1].type: "ServerName"
+ quic.extensions[1].values[0]: "msquic.net"
+ quic.extensions[2].type: "ApplicationLayerProtocolNegotiation"
+ quic.extensions[2].values[0]: "h3-29"
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
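Review bot: Both rules in test.rules use an unanchored `content` match, so each would still fire if the parser returned extra bytes around the expected value. The SNI rule can pin the whole buffer with `quic.sni; content:"msquic.net"; startswith; endswith;`, which agrees with the exact `msquic.net` value the test.yaml check expects. The JA3 rule matches only `771,4866,43-51-41`, which appears to be the leading part of a JA3 string, so a regression in the later fields would go unnoticed; matching the full string taken from the eve output for this pcap would close that gap.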
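Review bot: Nothing in the first filter of test.yaml asserts the QUIC version, although the README describes this as a v1 parsing test and the only protocol hint matched is the ALPN value `h3-29`. Adding a match on the event's version field, with the value taken from the actual eve output for input.pcap, would stop the test from passing on a parse that reports a different version. The `quic.extensions[1]` and `quic.extensions[2]` indices also tie the check to extension order; that is fine for a fixed pcap, but a short comment such as `# indices follow the extension order in input.pcap` would explain why they start at 1.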