Add QUIC Protocol Analysis and CYU Fingerprinting
QUIC traffic could be up to 20% of an organization's network traffic if they use Google products, like Chrome. Background:
Here's the protocol analyzer and fingerprinting script for Zeek for reference:
Updated by Emmanuel Thompson 12 months ago
I can look into this. Here's what I'm thinking:
- Look at using https://github.com/cloudflare/quiche, downside is: quiche requires Rust 1.39 or later to build.
- Write a nom parser, using nom-derive
  - Long and short header versions
- CYU (much like JA3 but for QUIC):
  - Generate CYU hash and tags for the QUIC ClientHello packet
  - Create a `cyu.string` and `cyu.hash` keyword
  - Anything required here?
Quiche parsing: https://docs.rs/quiche/0.3.0/src/quiche/packet.rs.html#173
Are there other areas which should be looked at?
Updated by Victor Julien 12 months ago
- Status changed from New to Assigned
- Assignee set to Emmanuel Thompson
- Target version set to 7.0rc1
The rustc 1.39 requirement is a problem. Have you looked at 'quiche' in general to see how well it would fit our parsing and state keeping model?
Wrt logging: I'd say we'd want a logger for at least the CYU hash and string.
Updated by Emmanuel Thompson 11 months ago
Quiche could be nice for parsing; we can then manipulate the parsed values. It also has support for many drafts of the protocol (as it's not stabilized yet).
I'll implement a parser for it.
Here are two PCAPs with GQUIC traffic from my Linux VM:
The first one should have a CYU value of a46560d4548108cf99308319b3b85346 from the version and tags "46,PAD-SNI-STK-VER-CCS-NONC-AEAD-UAID-SCID-TCID-PDMD-SMHL-ICSL-NONP-PUBS-MIDS-SCLS-KEXS-XLCT-CSCT-COPT-CCRT-IRTT-CFCW-SFCW"
The second one has two client hellos:
1. 910a5e3a4d51593bd59a44611544f209 from 46,PAD-SNI-VER-CCS-UAID-TCID-PDMD-SMHL-ICSL-NONP-MIDS-SCLS-CSCT-COPT-IRTT-CFCW-SFCW
2. 7b3ceb1adc974ad360cfa634e8d0a730 from 46,PAD-SNI-STK-SNO-VER-CCS-NONC-AEAD-UAID-SCID-TCID-PDMD-SMHL-ICSL-NONP-PUBS-MIDS-SCLS-KEXS-XLCT-CSCT-COPT-CCRT-IRTT-CFCW-SFCW
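As an added reference model of the CYU step discussed in this thread (not code from the issue or from Suricata): parse the CHLO tag table, build the "<version>,<TAG-TAG-...>" string quoted for the PCAPs above, and hash it. It assumes the little-endian GQUIC tag/value layout, a Qxxx version string reduced to its number, and that the CYU hash is the MD5 of that string as in the Zeek script; the sample CHLO is constructed.

```python
import hashlib
import struct

def parse_chlo(msg: bytes) -> list:
    """Return the tag names of a GQUIC CHLO handshake message in wire order.
    Layout (little-endian): b"CHLO", uint16 tag count, uint16 padding, then
    count x (4-byte tag, uint32 end offset into the value area), then values.
    Tags shorter than 4 chars are NUL-padded on the wire; padding is stripped."""
    if len(msg) < 8 or msg[:4] != b"CHLO":
        raise ValueError("not a CHLO message")
    count = struct.unpack_from("<H", msg, 4)[0]
    values_start = 8 + 8 * count
    if values_start > len(msg):
        raise ValueError("truncated tag table")
    tags, prev_end = [], 0
    for i in range(count):
        off = 8 + 8 * i
        tag = msg[off:off + 4]
        end = struct.unpack_from("<I", msg, off + 4)[0]
        # Offsets must be monotonic and inside the message: reject, never read past it.
        if end < prev_end or values_start + end > len(msg):
            raise ValueError("bad end offset for tag %r" % tag)
        prev_end = end
        tags.append(tag.rstrip(b"\x00").decode("ascii"))
    return tags

def cyu_string(version: bytes, tags: list) -> str:
    """"<version>,<TAG-TAG-...>"; assumes a Qxxx version whose numeric part is
    used without leading zeros, so b"Q046" -> "46"."""
    return "%d,%s" % (int(version[1:].decode("ascii")), "-".join(tags))

def cyu_hash(cyu: str) -> str:
    """CYU hash = MD5 hex digest of the CYU string (assumed, as in the Zeek script)."""
    return hashlib.md5(cyu.encode("ascii")).hexdigest()

def build_chlo(entries: list) -> bytes:
    """Constructed test helper: serialise (tag, value) pairs as a CHLO message."""
    table, body, end = b"", b"", 0
    for tag, value in entries:
        end += len(value)
        table += tag.ljust(4, b"\x00") + struct.pack("<I", end)
        body += value
    return b"CHLO" + struct.pack("<HH", len(entries), 0) + table + body

# Constructed sample CHLO, not taken from the PCAPs attached to this issue.
SAMPLE = build_chlo([(b"PAD", b"\x00" * 16), (b"SNI", b"example.com"),
                     (b"VER", b"Q046"), (b"CCS", b"\x01" * 8), (b"UAID", b"Chrome/80")])
SAMPLE_CYU = cyu_string(b"Q046", parse_chlo(SAMPLE))  # "46,PAD-SNI-VER-CCS-UAID"
```

A real ClientHello carries the full tag set listed for the PCAPs above; the same functions apply, with the version taken from the public header rather than passed in by hand.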