Quic ietf 4967 v4 #7101
Ticket: 4967. The format of the initial packet for quic ietf, i.e. quic v1, is described in RFC 9000, section 17.2.2
so that we can use new functions in quic parser
and logs interesting extensions from crypto frame
As it can be 4, but it can also be 1, based on the first decrypted byte
The way to determine if the payload is encrypted is by storing in the state if we have seen a crypto frame in both directions...
So as to keep parse not too big
for detection
Ticket: 5143
Codecov Report
```diff
@@            Coverage Diff             @@
##           master    #7101      +/-   ##
==========================================
- Coverage   78.01%   77.99%   -0.02%
==========================================
  Files         628      629       +1
  Lines      185402   185443      +41
==========================================
- Hits       144637   144634       -3
- Misses      40765    40809      +44
```
Something is still off in my testing. I have a large pcap, that when I just print versions in
In this branch, suricata has almost 3.5 million unique version values:
Master for the same pcap just outputs
TL;DR Long version:
I think the issue for me is not that our support isn't complete, but that we somehow log garbage data.
Replaced by #7106
Now I get
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/4967
https://redmine.openinfosecfoundation.org/issues/5143
Describe changes:
suricata-verify-pr: 775
OISF/suricata-verify#775
Replaces #7095 with review taken into account
Still to do more generally about quic: see https://redmine.openinfosecfoundation.org/issues/4966
Should I tackle https://redmine.openinfosecfoundation.org/issues/5166? i.e. support previous quic versions like Q039 and Q043
We get the right version for Q050 but rustls cannot then decrypt it...
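Added illustration (not Suricata's code) of the header layout the first commit points to (RFC 9000 section 17.2.2) and of the Google QUIC version tags mentioned above (Q039, Q043, Q050): a small parser that decodes the version-invariant long-header fields, the v1 Initial fields, and, as the commit about "4 or 1" notes, the packet-number length from the first byte. The Header Form and Fixed Bit check at the top is what keeps arbitrary UDP payloads from being logged as QUIC versions; the sample packets in the test are constructed, not captured.

```python
# Added example (not Suricata's own parser): parse the version-invariant long-header
# fields (RFC 8999) and, for QUIC v1 only, the Initial packet fields of RFC 9000 s17.2.2.
QUIC_V1 = 0x00000001

def read_varint(buf: bytes, off: int):
    """RFC 9000 section 16 variable-length integer -> (value, next offset)."""
    size = 1 << (buf[off] >> 6)        # 2-bit prefix selects 1, 2, 4 or 8 bytes
    if off + size > len(buf):
        raise ValueError("truncated varint")
    value = int.from_bytes(buf[off:off + size], "big") & ((1 << (8 * size - 2)) - 1)
    return value, off + size

def version_name(version: int) -> str:
    """'v1' for RFC 9000, the ASCII tag for Google QUIC (e.g. Q050), else hex."""
    if version == QUIC_V1:
        return "v1"
    raw = version.to_bytes(4, "big")
    if raw[0] == ord("Q") and raw[1:].isdigit():
        return raw.decode()
    return f"0x{version:08x}"

def parse_long_header(pkt: bytes):
    """Return the parsed fields, or None if pkt is not a plausible QUIC long header."""
    # Header Form (0x80) and Fixed Bit (0x40) must both be set; checking them first
    # keeps arbitrary UDP payloads from being logged as QUIC versions.
    if len(pkt) < 6 or pkt[0] & 0xC0 != 0xC0:
        return None
    version = int.from_bytes(pkt[1:5], "big")
    try:
        off = 5
        dcid_len, off = pkt[off], off + 1
        dcid, off = pkt[off:off + dcid_len], off + dcid_len
        scid_len, off = pkt[off], off + 1
        scid, off = pkt[off:off + scid_len], off + scid_len
        if off > len(pkt):
            return None
        hdr = {"version": version_name(version), "dcid": dcid.hex(), "scid": scid.hex()}
        if version != QUIC_V1:
            return hdr                    # remaining fields are version-specific (Q050 etc.)
        hdr["type"] = (pkt[0] & 0x30) >> 4    # 0 = Initial, 1 = 0-RTT, 2 = Handshake, 3 = Retry
        if hdr["type"] == 0:
            hdr["token_len"], off = read_varint(pkt, off)
            off += hdr["token_len"]
            hdr["length"], off = read_varint(pkt, off)
            if off + hdr["length"] > len(pkt):
                return None               # claimed length runs past the datagram
            # Packet Number Length = low 2 bits + 1 (1..4); header-protected, so only valid once unprotected.
            hdr["pn_len"] = (pkt[0] & 0x03) + 1
        return hdr
    except (IndexError, ValueError):
        return None
```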