Quic ietf 4967 v8 #7130
Quic ietf 4967 v8 #7130
Conversation
Ticket: 4967 The format of initial packet for quic ietf, ie quic v1, is described in rfc 9000, section 17.2.2
so that we can use new functions in quic parser
and logs interesting extensions from crypto frame
As it can be 4, but it can also be 1, based on the first decrypted byte
The way to determine if the payload is encrypted is by storing in the state if we have seen a crypto frame in both directions...
So as to keep parse not too big
for detection
Ticket: 5143
Ticket: 5166
catenacyber
requested review from
victorjulien,
jasonish and
a team
as code owners
As the ja3 standard names it so, with an s, when it comes from the server to the client.
catenacyber
force-pushed
the
quic-ietf-4967-v8
branch
from
65a0dc0
to
71bc1fd
Compare
Codecov Report
@@ Coverage Diff @@
## master #7130 +/- ##
==========================================
+ Coverage 78.06% 78.08% +0.01%
==========================================
Files 628 629 +1
Lines 185266 185319 +53
==========================================
+ Hits 144635 144702 +67
+ Misses 40631 40617 -14
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
{
"timestamp": "2019-05-15T08:11:18.955582+0000",
"flow_id": 143691514005172,
"pcap_cnt": 11,
"event_type": "tls",
"src_ip": "2a03:b0c0:0002:00d0:0000:0000:0bd3:4001",
"src_port": 48106,
"dest_ip": "2606:2800:0220:0001:0248:1893:25c8:1946",
"dest_port": 443,
"proto": "TCP",
"tls": {
"subject": "C=US, ST=California, L=Los Angeles, O=Internet Corporation for Assigned Names and Numbers, OU=Technology, CN=www.example.org",
"issuerdn": "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA",
"serial": "0F:D0:78:DD:48:F1:A2:BD:4D:0F:2B:A9:6B:60:38:FE",
"fingerprint": "7b:b6:98:38:69:70:36:3d:29:19:cc:57:72:84:69:84:ff:d4:a8:89",
"sni": "example.com",
"version": "TLS 1.2",
"notbefore": "2018-11-28T00:00:00",
"notafter": "2020-12-02T12:00:00",
"ja3": {
"hash": "1fe4c7a3544eb27afec2adfb3a3dbf60",
"string": "771,49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,0-11-10-13172-16-22-23-13,29-23-25-24,0-1-2"
},
"ja3s": {
"hash": "5d79edf64e03689ff559a54e9d9487bc",
"string": "771,49199,65281-0-11-16-23"
}
}
}As this is a bidir tx it has both Can we also log both the hash and the string link in |
|
Can you add |
|
Btw eve has no |
|
WARNING:
Pipeline 6538 |
Fewer quic flows... is that expected? |
| fn quic_get_tls_extensions( | ||
| input: Option<&[u8]>, ja3: &mut String, client: bool, | ||
| ) -> Vec<QuicTlsExtension> { | ||
| let mut extv = Vec::new(); |
There was a problem hiding this comment.
How often, if ever would we endup not adding anything to this vector?
There was a problem hiding this comment.
when parse_tls_extensions fails, that is on malformed messages...
What are you thinking of ?
Done in next version I did not do the detection part, as it is only applying a to_md5 transform... |
Done
There were no events so far, added with the rules |
I'd like to reconsider the |
I think not, I made a fix against some |
Done in next version |
|
Replaced by #7144 |
We currently pin "time" to 0.3.20, but this version no longer compiles on nightly Rust, and will likely not compile on the next stable version of Rust. During configure, set the version of "time" based on the version of rustc found, 0.3.20 for Rust < 1.67, and the current version for Rust 1.67 and newer, which also builds on Rust nightly. Issue: OISF#7130
Fixes build on rustc 1.80. Bumps the MSRV to 1.67.1. Bug: OISF#7130.
Fixes build on rustc 1.80. Bumps the MSRV to 1.67.1. Bug: OISF#7130.
Fixes build on rustc 1.80. Bumps the MSRV to 1.67.1. Bug: OISF#7130.
Fixes build on rustc 1.80. Bumps the MSRV to 1.67.1. Bug: OISF#7130.
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/4967
https://redmine.openinfosecfoundation.org/issues/5143
https://redmine.openinfosecfoundation.org/issues/5166
Describe changes:
suricata-verify-pr: 780
OISF/suricata-verify#780
Replaces #7122 with naming the keyword
ja3swith an s if it is from the serverStill to do more generally about quic : see https://redmine.openinfosecfoundation.org/issues/4966 (frame support)