Quic ietf 4967 v9 #7144
Conversation
Ticket: 4967. The format of the initial packet for quic ietf, i.e. quic v1, is described in RFC 9000, section 17.2.2
so that we can use new functions in quic parser
and logs interesting extensions from crypto frame
As it can be 4, but it can also be 1, based on the first decrypted byte
The way to determine if the payload is encrypted is by storing in the state if we have seen a crypto frame in both directions...
So as to keep parse not too big
for detection
Ticket: 5143
Ticket: 5166
As the ja3 standard names it so, with an s, when it comes from the server to the client.
ja3 object with hash and string and ja3s when it comes from server
to avoid decode errors
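The packet layout the first commit points at (RFC 9000, section 17.2.2), as an added worked example in Rust that is not part of this PR or of Suricata's quic parser: it walks the unprotected fields of a v1 Initial packet (first byte, Version, DCID, SCID, Token, Length) and stops where header protection begins. The sample packet is constructed for the example, modeled on the RFC 9001 Appendix A.2 client Initial header with zero bytes standing in for the protected part; the function, type and error names are the example's own.

```rust
// Added example, not Suricata's parser: decode the unprotected fields of a
// QUIC v1 Initial packet (RFC 9000, sections 16, 17.2 and 17.2.2).
use std::convert::TryFrom;

#[derive(Debug, PartialEq, Eq)]
pub enum QuicError {
    Truncated,
    NotLongHeader,           // header form bit clear: short header, carries no version
    FixedBitClear,           // RFC 9000 17.2: fixed bit MUST be 1
    UnsupportedVersion(u32), // only version 0x00000001 handled here
    NotInitial(u8),          // long packet type other than 0 (Initial)
    CidTooLong(u8),          // v1 connection IDs are at most 20 bytes
}

#[derive(Debug, PartialEq, Eq)]
pub struct InitialHeader {
    pub version: u32,
    pub dcid: Vec<u8>,
    pub scid: Vec<u8>,
    pub token: Vec<u8>,
    pub length: u64,
    pub protected: Vec<u8>, // packet number + frames, still encrypted
}

/// RFC 9000 section 16 variable-length integer: the top two bits of the first
/// byte give log2 of the encoded size (1, 2, 4 or 8 bytes), big-endian value.
pub fn read_varint(buf: &[u8]) -> Result<(u64, usize), QuicError> {
    let first = *buf.first().ok_or(QuicError::Truncated)?;
    let len = 1usize << (first >> 6);
    if buf.len() < len {
        return Err(QuicError::Truncated);
    }
    let mut value = u64::from(first & 0x3f);
    for b in &buf[1..len] {
        value = (value << 8) | u64::from(*b);
    }
    Ok((value, len))
}

fn take(buf: &[u8], n: usize) -> Result<(&[u8], &[u8]), QuicError> {
    if buf.len() < n { Err(QuicError::Truncated) } else { Ok(buf.split_at(n)) }
}

fn read_cid(buf: &[u8]) -> Result<(Vec<u8>, &[u8]), QuicError> {
    let (&len, rest) = buf.split_first().ok_or(QuicError::Truncated)?;
    if len > 20 {
        return Err(QuicError::CidTooLong(len));
    }
    let (cid, rest) = take(rest, usize::from(len))?;
    Ok((cid.to_vec(), rest))
}

/// Parse one Initial packet at the start of a datagram and return it together
/// with the trailing bytes, since a datagram may coalesce packets (RFC 9000 12.2).
pub fn parse_initial(pkt: &[u8]) -> Result<(InitialHeader, &[u8]), QuicError> {
    let (&first, rest) = pkt.split_first().ok_or(QuicError::Truncated)?;
    if (first & 0x80) == 0 {
        return Err(QuicError::NotLongHeader);
    }
    if (first & 0x40) == 0 {
        return Err(QuicError::FixedBitClear);
    }
    let (v, rest) = take(rest, 4)?;
    let version = u32::from_be_bytes([v[0], v[1], v[2], v[3]]);
    if version != 1 {
        return Err(QuicError::UnsupportedVersion(version));
    }
    let ptype = (first >> 4) & 0x03; // only Initial (0) carries a Token field
    if ptype != 0 {
        return Err(QuicError::NotInitial(ptype));
    }
    let (dcid, rest) = read_cid(rest)?;
    let (scid, rest) = read_cid(rest)?;
    let (token_len, n) = read_varint(rest)?;
    let token_len = usize::try_from(token_len).map_err(|_| QuicError::Truncated)?;
    let (token, rest) = take(&rest[n..], token_len)?;
    let (length, n) = read_varint(rest)?;
    let body_len = usize::try_from(length).map_err(|_| QuicError::Truncated)?;
    let (protected, trailing) = take(&rest[n..], body_len)?;
    // The low 4 bits of `first` (reserved + packet number length) are header
    // protected (RFC 9001 5.4), so nothing past this point is readable without keys.
    let hdr = InitialHeader {
        version, dcid, scid,
        token: token.to_vec(),
        length,
        protected: protected.to_vec(),
    };
    Ok((hdr, trailing))
}

/// Constructed sample modeled on the RFC 9001 Appendix A.2 client Initial:
/// 0xc3, version 1, 8-byte DCID, empty SCID, empty Token, Length 0x449e = 1182.
/// The 1182 protected bytes are zero placeholders, not real ciphertext.
pub fn sample_client_initial() -> Vec<u8> {
    let mut pkt = vec![
        0xc3, 0x00, 0x00, 0x00, 0x01, 0x08, 0x83, 0x94, 0xc8, 0xf0, 0x3e, 0x51, 0x57, 0x08,
        0x00, 0x00, 0x44, 0x9e,
    ];
    pkt.extend(std::iter::repeat(0u8).take(1182));
    pkt
}

fn main() {
    let pkt = sample_client_initial();
    println!("{:?}", parse_initial(&pkt).map(|(h, rest)| (h.dcid, h.length, rest.len())));
}
```

Two things worth noting when reading the output: a packet whose header form bit is clear (a short header, RFC 9000 section 17.3) carries no Version field at all, so the example refuses it with `NotLongHeader` instead of reporting a version; and the packet number length is inside the header-protected low bits of the first byte, which is why it cannot be recovered here before the Initial keys (RFC 9001) have been derived.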
Codecov Report

| | master | #7144 | +/- |
|---|---|---|---|
| Coverage | 78.06% | 78.12% | +0.05% |
| Files | 628 | 628 | |
| Lines | 185266 | 185296 | +30 |
| Hits | 144635 | 144761 | +126 |
| Misses | 40631 | 40535 | -96 |
Information: Pipeline 6580
Quick review comment: we should not have commits that introduce a feature
I see many "empty" version 0 txs, is that right?

```json
{
  "timestamp": "2022-01-16T20:36:00.520099+0100",
  "flow_id": 2148421890797475,
  "pcap_cnt": 1146,
  "event_type": "quic",
  "src_ip": "192.168.0.30",
  "src_port": 54629,
  "dest_ip": "142.251.36.46",
  "dest_port": 443,
  "proto": "UDP",
  "quic": {
    "version": "0"
  }
}
```

Version distribution:
Indeed. Do you have some magic git command to do better? (if I
I think these come from the packets with so-called short header for old versions. We should not make txs out of them. |
Replaced by #7149 |
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/4967
https://redmine.openinfosecfoundation.org/issues/5143
https://redmine.openinfosecfoundation.org/issues/5166
Describe changes:
suricata-verify-pr: 783
OISF/suricata-verify#783
Replaces #7130 with review:
Still to do more generally about quic: see https://redmine.openinfosecfoundation.org/issues/4966 (frame support)