
Quic ietf 4967 v20 #7678

Merged
merged 11 commits into from
Aug 3, 2022

Conversation

catenacyber
Contributor

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/4967
https://redmine.openinfosecfoundation.org/issues/5143
https://redmine.openinfosecfoundation.org/issues/5166

Describe changes:

  • Parses standardized QUIC IETF v1
  • Parses gquic version Q039, 0xfaceb002, etc.
  • JA3 logging and detection on quic
  • Adds quic events and rules
  • bump up rust crate tls_parser already used by rep, so that it can be used by quic
  • Rustfmt previous code

suricata-verify-pr: 783
OISF/suricata-verify#783

Replaces #7676 fixing commit-check

catenacyber and others added 11 commits August 2, 2022 14:31
so that we can use new functions in quic parser
so that we can use hkdf crate for quic
The format of initial packet for quic ietf, i.e. quic v1,
is described in rfc 9000, section 17.2.2

Parse more frames and logs interesting extensions from crypto frame

Do not try to parse encrypted data, i.e. after we have seen
a crypto frame in each direction.

Use sni from crypto frame with tls for detection already implemented

Ticket: OISF#4967
Logging as is done in TLS.

Detection using the generic ja3.string keyword

Ticket: OISF#5143
adding ja3 and extension fields
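As an added illustration of what the QUIC v1 parser in this PR has to do before it can reach the CRYPTO frame (this is example code written for this page, not Suricata's Rust implementation): parse the Initial long header as laid out in RFC 9000 section 17.2.2, then derive the Initial secrets from the Destination Connection ID as RFC 9001 section 5.2 specifies, using only the Python standard library. The header bytes are a constructed sample modelled on the RFC 9001 Appendix A.2 client Initial (DCID 8394c8f03e515708); the function and field names are this example's own.

```python
"""QUIC v1 Initial header parsing (RFC 9000 s17.2.2) and Initial secret
derivation (RFC 9001 s5.2) with the standard library only.
Example code for this page; not Suricata's implementation."""
import hashlib
import hmac
import struct

QUIC_V1 = 0x00000001
# Salt for QUIC version 1 Initial secrets (RFC 9001 s5.2).
INITIAL_SALT_V1 = bytes.fromhex("38762cf7f55934b34d179ae6a4c80cadccbb7f0a")


def read_varint(buf: bytes, pos: int):
    """Decode one RFC 9000 s16 variable-length integer at buf[pos].
    The top two bits of the first byte select a 1, 2, 4 or 8 byte encoding.
    Returns (value, position after the integer)."""
    if pos >= len(buf):
        raise ValueError("truncated varint")
    length = 1 << (buf[pos] >> 6)
    if pos + length > len(buf):
        raise ValueError("truncated varint")
    value = buf[pos] & 0x3F
    for b in buf[pos + 1:pos + length]:
        value = (value << 8) | b
    return value, pos + length


def parse_initial_header(pkt: bytes) -> dict:
    """Parse an Initial long header up to the packet number field.
    The packet number and payload are still protected at that point, so a
    parser must derive the Initial keys (initial_keys below) before it can
    remove header protection and decrypt the CRYPTO frames."""
    pos = 0

    def need(n):  # bounds check against the caller's current offset
        if pos + n > len(pkt):
            raise ValueError("truncated header")

    need(5)
    first = pkt[0]
    if not (first & 0x80):
        raise ValueError("short header, not an Initial packet")
    if not (first & 0x40):
        raise ValueError("fixed bit clear, not a QUIC v1 packet")
    version = struct.unpack("!I", pkt[1:5])[0]
    if version != QUIC_V1:
        raise ValueError("unsupported version 0x%08x" % version)
    if ((first >> 4) & 0x03) != 0:  # long packet type 0b00 is Initial
        raise ValueError("long header type is not Initial")
    pos = 5
    need(1)
    dcid_len = pkt[pos]
    pos += 1
    if dcid_len > 20:  # RFC 9000 s17.2: v1 connection IDs are at most 20 bytes
        raise ValueError("DCID longer than 20 bytes")
    need(dcid_len)
    dcid = pkt[pos:pos + dcid_len]
    pos += dcid_len
    need(1)
    scid_len = pkt[pos]
    pos += 1
    if scid_len > 20:
        raise ValueError("SCID longer than 20 bytes")
    need(scid_len)
    scid = pkt[pos:pos + scid_len]
    pos += scid_len
    token_len, pos = read_varint(pkt, pos)
    need(token_len)
    token = pkt[pos:pos + token_len]
    pos += token_len
    length, pos = read_varint(pkt, pos)  # covers packet number + payload
    return {"version": version, "dcid": dcid, "scid": scid, "token": token,
            "length": length, "pn_offset": pos,
            "truncated": len(pkt) - pos < length}


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """TLS 1.3 HKDF-Expand-Label (RFC 8446 s7.1); QUIC uses it unchanged."""
    full = b"tls13 " + label
    info = struct.pack("!H", length) + bytes([len(full)]) + full + bytes([len(context)]) + context
    return hkdf_expand(secret, info, length)


def initial_keys(dcid: bytes, side: str = "client") -> dict:
    """Initial secret, packet protection key/iv and header protection key
    for one direction, derived from the client's first DCID (RFC 9001 s5.2)."""
    initial_secret = hkdf_extract(INITIAL_SALT_V1, dcid)
    label = b"client in" if side == "client" else b"server in"
    secret = hkdf_expand_label(initial_secret, label, b"", 32)
    return {"initial_secret": initial_secret, "secret": secret,
            "key": hkdf_expand_label(secret, b"quic key", b"", 16),
            "iv": hkdf_expand_label(secret, b"quic iv", b"", 12),
            "hp": hkdf_expand_label(secret, b"quic hp", b"", 16)}


# Constructed sample: the unprotected header of the RFC 9001 A.2 client
# Initial (first byte c3, version 1, DCID 8394c8f03e515708, no token,
# Length 1182, 4-byte packet number 2). The payload is omitted.
SAMPLE_HEADER = bytes.fromhex("c300000001088394c8f03e5157080000449e00000002")

if __name__ == "__main__":
    hdr = parse_initial_header(SAMPLE_HEADER)
    print("DCID", hdr["dcid"].hex(), "length", hdr["length"], "pn at", hdr["pn_offset"])
    print("client key", initial_keys(hdr["dcid"])["key"].hex())
```

With the DCID from the sample, `initial_keys` reproduces the client Initial secret and key listed in RFC 9001 Appendix A.1, which is the quickest way to confirm a QUIC implementation's key schedule before trusting what it decodes from CRYPTO frames. The `truncated` flag is there because a parser only sees Length, never a guarantee that the datagram actually carries that many bytes.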
@codecov

codecov bot commented Aug 2, 2022

Codecov Report

Merging #7678 (f3b6fd3) into master (5f4bcfe) will decrease coverage by 0.00%.
The diff coverage is 54.83%.

@@            Coverage Diff             @@
##           master    #7678      +/-   ##
==========================================
- Coverage   75.93%   75.92%   -0.01%     
==========================================
  Files         659      659              
  Lines      185639   185669      +30     
==========================================
+ Hits       140958   140963       +5     
- Misses      44681    44706      +25     
Flag             Coverage   Diff      Δ
fuzzcorpus       60.64%     <23.33%>  (-0.08%) ⬇️
suricata-verify  52.58%     <48.38%>  (+0.03%) ⬆️
unittests        60.71%     <14.28%>  (-0.01%) ⬇️

Flags with carried forward coverage won't be shown.

@suricata-qa

Information: QA ran without warnings.

Pipeline 8464

@victorjulien victorjulien mentioned this pull request Aug 3, 2022
@victorjulien victorjulien merged commit f3b6fd3 into OISF:master Aug 3, 2022
@victorjulien
Member

Thanks Philippe, nice work!
