Project

General

Profile

Feature #3440

Add QUIC Protocol Analysis and CYU Fingerprinting

Added by John Althouse over 1 year ago. Updated 7 months ago.

Status:
In Review
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:
Protocol

Description

QUIC traffic could be up to 20% of an organizations network traffic if they use Google products, like Chrome. Background:
https://engineering.salesforce.com/gquic-protocol-analysis-and-fingerprinting-in-zeek-a4178855d75f

Here's the protocol analyzer and fingerprinting script for Zeek for reference:
https://github.com/salesforce/GQUIC_Protocol_Analyzer


Files

GQUIC1.pcapng (7.93 KB) GQUIC1.pcapng Caleb Yu, 09/02/2020 04:22 PM
GQUIC2.pcapng (9.84 KB) GQUIC2.pcapng Caleb Yu, 09/02/2020 04:22 PM
#1

Updated by Emmanuel Thompson 12 months ago

I can look into this. Here's what I'm thinking:

QUIC AppLayer

Parser: Rust
- Look at using https://github.com/cloudflare/quiche, downside is: quiche requires Rust 1.39 or later to build.
- Write a nom parser, using nom-derive
- Long and short header versions

Keyword:
- CYU (much like JA3 but for QUIC):
- Generate CYU hash and tags for the QUIC ClientHello packet
- Create a `cyu.string` and `cyu.hash` keyword

Logging:
- Anything required here?

Other resources:
Quiche parsing: https://docs.rs/quiche/0.3.0/src/quiche/packet.rs.html#173
https://www.sans.org/reading-room/whitepapers/detection/quic-dead-common-ids-ips-tools-identify-quic-traffic-39590
RFC: https://tools.ietf.org/html/draft-ietf-quic-transport-29#section-17

Are there other areas which should be looked at?

#2

Updated by Victor Julien 12 months ago

  • Status changed from New to Assigned
  • Assignee set to Emmanuel Thompson
  • Target version set to 7.0rc1

The rustc 1.39 requirement is a problem. Have you looked at 'quiche' in general to see how well it would fit our parsing and state keeping model?

Wrt logging: I'd say we'd want a logger for at least the CYU hash and string.

#3

Updated by Victor Julien 12 months ago

  • Label Protocol added
#4

Updated by Emmanuel Thompson 11 months ago

Quiche could be nice for parsing, we can then manipulate on the parsed values. It also has support for many drafts of the protocol (as it's not stabilized yet)

Latest draft: https://tools.ietf.org/html/draft-ietf-quic-transport-29#section-17

I'll implement a parser for it.

#5

Updated by Emmanuel Thompson 11 months ago

FYI GQUIC is a predecessor of QUIC IETF

The parser in the OP parses GQUIC Versions Q039-Q046.

#6

Updated by Emmanuel Thompson 10 months ago

@John Althouse, would you have specific PCAPs for testing?

#7

Updated by John Althouse 10 months ago

Let me add in Caleb Yu here.

#8

Updated by Caleb Yu 10 months ago

Here are two PCAPs with GQUIC traffic from my Linux VM:
The first one should have a CYU value of a46560d4548108cf99308319b3b85346 from the version and tags "46,PAD-SNI-STK-VER-CCS-NONC-AEAD-UAID-SCID-TCID-PDMD-SMHL-ICSL-NONP-PUBS-MIDS-SCLS-KEXS-XLCT-CSCT-COPT-CCRT-IRTT-CFCW-SFCW"
The second one has two client hellos:
1. 910a5e3a4d51593bd59a44611544f209 from 46,PAD-SNI-VER-CCS-UAID-TCID-PDMD-SMHL-ICSL-NONP-MIDS-SCLS-CSCT-COPT-IRTT-CFCW-SFCW
2. 7b3ceb1adc974ad360cfa634e8d0a730 from 46,PAD-SNI-STK-SNO-VER-CCS-NONC-AEAD-UAID-SCID-TCID-PDMD-SMHL-ICSL-NONP-PUBS-MIDS-SCLS-KEXS-XLCT-CSCT-COPT-CCRT-IRTT-CFCW-SFCW

#9

Updated by Victor Julien 7 months ago

  • Status changed from Assigned to In Review

Also available in: Atom PDF