Feature #3440
closedTask #4966: tracking: QUIC protocol support
Add GQUIC Protocol Analysis and CYU Fingerprinting
Description
QUIC traffic could be up to 20% of an organizations network traffic if they use Google products, like Chrome. Background:
https://engineering.salesforce.com/gquic-protocol-analysis-and-fingerprinting-in-zeek-a4178855d75f
Here's the protocol analyzer and fingerprinting script for Zeek for reference:
https://github.com/salesforce/GQUIC_Protocol_Analyzer
Files
Updated by Emmanuel Thompson over 4 years ago
I can look into this. Here's what I'm thinking:
QUIC AppLayer
Parser: Rust
- Look at using https://github.com/cloudflare/quiche, downside is: quiche requires Rust 1.39 or later to build.
- Write a nom parser, using nom-derive
- Long and short header versions
Keyword:
- CYU (much like JA3 but for QUIC):
- Generate CYU hash and tags for the QUIC ClientHello packet
- Create a `cyu.string` and `cyu.hash` keyword
Logging:
- Anything required here?
Other resources:
Quiche parsing: https://docs.rs/quiche/0.3.0/src/quiche/packet.rs.html#173
https://www.sans.org/reading-room/whitepapers/detection/quic-dead-common-ids-ips-tools-identify-quic-traffic-39590
RFC: https://tools.ietf.org/html/draft-ietf-quic-transport-29#section-17
Are there other areas which should be looked at?
Updated by Victor Julien over 4 years ago
- Status changed from New to Assigned
- Assignee set to Emmanuel Thompson
- Target version set to 7.0.0-beta1
The rustc 1.39 requirement is a problem. Have you looked at 'quiche' in general to see how well it would fit our parsing and state keeping model?
Wrt logging: I'd say we'd want a logger for at least the CYU hash and string.
Updated by Emmanuel Thompson over 4 years ago
Quiche could be nice for parsing, we can then manipulate on the parsed values. It also has support for many drafts of the protocol (as it's not stabilized yet)
Latest draft: https://tools.ietf.org/html/draft-ietf-quic-transport-29#section-17
I'll implement a parser for it.
Updated by Emmanuel Thompson over 4 years ago
FYI GQUIC is a predecessor of QUIC IETF
The parser in the OP parses GQUIC Versions Q039-Q046.
Updated by Emmanuel Thompson about 4 years ago
@John Althouse, would you have specific PCAPs for testing?
Updated by Caleb Yu about 4 years ago
- File GQUIC1.pcapng GQUIC1.pcapng added
- File GQUIC2.pcapng GQUIC2.pcapng added
Here are two PCAPs with GQUIC traffic from my Linux VM:
The first one should have a CYU value of a46560d4548108cf99308319b3b85346 from the version and tags "46,PAD-SNI-STK-VER-CCS-NONC-AEAD-UAID-SCID-TCID-PDMD-SMHL-ICSL-NONP-PUBS-MIDS-SCLS-KEXS-XLCT-CSCT-COPT-CCRT-IRTT-CFCW-SFCW"
The second one has two client hellos:
1. 910a5e3a4d51593bd59a44611544f209 from 46,PAD-SNI-VER-CCS-UAID-TCID-PDMD-SMHL-ICSL-NONP-MIDS-SCLS-CSCT-COPT-IRTT-CFCW-SFCW
2. 7b3ceb1adc974ad360cfa634e8d0a730 from 46,PAD-SNI-STK-SNO-VER-CCS-NONC-AEAD-UAID-SCID-TCID-PDMD-SMHL-ICSL-NONP-PUBS-MIDS-SCLS-KEXS-XLCT-CSCT-COPT-CCRT-IRTT-CFCW-SFCW
Updated by Victor Julien about 4 years ago
- Status changed from Assigned to In Review
Updated by Victor Julien almost 3 years ago
- Subject changed from Add QUIC Protocol Analysis and CYU Fingerprinting to Add GQUIC Protocol Analysis and CYU Fingerprinting
- Parent task set to #4966
Updated by Victor Julien almost 3 years ago
- Precedes Feature #4967: QUIC v1 support added
Updated by Victor Julien over 2 years ago
- Status changed from In Review to Closed