Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Quic ietf 4967 v9 #7144

Closed
wants to merge 19 commits into from
Closed

Quic ietf 4967 v9 #7144

wants to merge 19 commits into from

Conversation

catenacyber
Copy link
Contributor

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/4967
https://redmine.openinfosecfoundation.org/issues/5143
https://redmine.openinfosecfoundation.org/issues/5166

Describe changes:

  • Parses standardized QUIC IETF v1
  • bump up rust carte tls_parser already used by rep, so that it can be used by quic
  • Rustfmt previous code

suricata-verify-pr: 783
OISF/suricata-verify#783

Replaces #7130 with review :

  • log ja3 as is done in tls (object with string and hash)
  • add events and rules on them
  • improve parsing of old versions so as not to get decode errors
  • remove quic.ja3 keyword and use generic ja3.string keyword instead for quic

Still to do more generally about quic : see https://redmine.openinfosecfoundation.org/issues/4966 (frame support)

@catenacyber
quic: rustfmt
8dbe67e
@catenacyber
quic: complete parsing of initial for non gquic
6d6f589 
Ticket: 4967

The format of initial packet for quic ietf, ie quic v1,
is described in rfc 9000, section 17.2.2
@catenacyber
rdp: bump up tls-parser crate version
9c5f217 
so that we can use new functions in quic parser
@catenacyber
quic: parse more frames
6feb585 
and logs interesting extensions from crypto frame
@catenacyber
quic: use packet num length when decrypting
38c90ee 
As it can be 4, but it can also be 1, based on the first
decrypted byte
@catenacyber
quic: do not try to parse encrypted data
a6f8a2b 
The way to determine if the payload is encrypted is by storing
in the state if we have seen a crypto frame in both directions...
@catenacyber
quic: decrypt in its own function
2d77782 
So as to keep parse not too big
@catenacyber
quic: use sni from crypto frame with tls
5babeaa 
for detection
@catenacyber
quic: ja3 computation and logging and detection
556a131 
Ticket: 5143
@catenacyber
quic: function split in 2 and other style improvements
2fcce92
@catenacyber
quic: move earlier the check against header.length
48ed785
@catenacyber
quic: use Suricata's own quic_tls_extension_name
9e0d20b
@catenacyber
quic: parse gquic version Q039
6bd8d80 
Ticket: 5166
@catenacyber
quic: check against right remaining buffer
190d858
@catenacyber
quic: detect ja3 from server with keyword quic.ja3s
71bc1fd 
As the ja3 standard names it so, with an s, when it comes
from the server to the client.
@catenacyber
quic: log ja3 as is done in tls
5d61f58 
ja3 object with hash and string
and ja3s when it comes from server
@catenacyber
quic: events and rules on them
3f2be25
@catenacyber
quic: more complete parsing of all versions
d3ec94a 
to avoid decode errors
@catenacyber
quic: move quic.ja3 keyword to generic ja3.string keyword
ebb4556
@catenacyber catenacyber mentioned this pull request Mar 16, 2022
Closed
@codecov
Copy link

codecov bot commented Mar 16, 2022
edited
Loading

Codecov Report

Merging #7144 (ebb4556) into master (3a490fb) will increase coverage by 0.05%.
The diff coverage is 54.83%.

@@            Coverage Diff             @@
##           master    #7144      +/-   ##
==========================================
+ Coverage   78.06%   78.12%   +0.05%     
==========================================
  Files         628      628              
  Lines      185266   185296      +30     
==========================================
+ Hits       144635   144761     +126     
+ Misses      40631    40535      -96
Flag Coverage Δ
fuzzcorpus 60.24% <23.33%> (+0.25%) ⬆️
suricata-verify 54.55% <48.38%> (-0.05%) ⬇️
unittests 63.11% <14.28%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa
Copy link

Information:

field test baseline %
tlpw1_stats_chk
.app_layer.error.quic.parser 1434 1810 79.23%
tlpr1_stats_chk
.app_layer.tx.quic 713266 4198 16990.61%
.app_layer.error.quic.parser 26726 43951 60.81%

Pipeline 6580

@victorjulien
Copy link
Member

Quick review comment: we should not have commits that introduce a feature quic.ja3 and then other that remove it again in a PR.

@victorjulien
Copy link
Member

I see many "empty" version 0 txs, is that right?

{
  "timestamp": "2022-01-16T20:36:00.520099+0100",
  "flow_id": 2148421890797475,
  "pcap_cnt": 1146,
  "event_type": "quic",
  "src_ip": "192.168.0.30",
  "src_port": 54629,
  "dest_ip": "142.251.36.46",
  "dest_port": 443,
  "proto": "UDP",
  "quic": {
    "version": "0"
  }
}

Version distribution:

2356902 "0"
 319469 "1"
  26336 "faceb002"
  58647 "ff00001d"
   2754 "Q043"
    188 "Q046"

@catenacyber
Copy link
Contributor Author

Quick review comment: we should not have commits that introduce a feature quic.ja3 and then other that remove it again in a PR.

Indeed.
I did so because I find it easier to review the diff between two versions of the PR (just look at the last commits)

Do you have some magic git command to do better ? (if I git diff the 2 branches, I also see the changes induced by the newest commits on master branch)

@catenacyber
Copy link
Contributor Author

I see many "empty" version 0 txs, is that right?

I think these come from the packets with so-called short header for old versions. We should not make txs out of them.
I will fix this

@catenacyber catenacyber mentioned this pull request Mar 18, 2022
Closed
@catenacyber
Copy link
Contributor Author

Replaced by #7149

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

@jasonish jasonish Awaiting requested review from jasonish jasonish is a code owner

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@catenacyber @suricata-qa @victorjulien