Merge remote-tracking branch 'origin/topic/awelzel/4198-4201-quic-maintenance'
* origin/topic/awelzel/4198-4201-quic-maintenance:
QUIC/decrypt_crypto: Rename all_data to data
QUIC: Confirm before forwarding data to SSL
QUIC: Parse all QUIC packets in a UDP datagram
QUIC: Only slurp till packet end, not till &eod
(cherry picked from commit 44304973fb
)
This commit is contained in:
parent
b5774f2de9
commit
de8127f3cd
32 changed files with 141 additions and 49 deletions
25
CHANGES
25
CHANGES
|
@ -1,3 +1,28 @@
|
|||
7.0.5-2 | 2025-03-18 16:14:21 -0700
|
||||
|
||||
* QUIC/decrypt_crypto: Rename all_data to data (Arne Welzel, Corelight)
|
||||
|
||||
(cherry picked from commit 44304973fb4ea3ffc94f13feb8592952675202f1)
|
||||
|
||||
* GH-4201: QUIC: Confirm before forwarding data to SSL (Arne Welzel, Corelight)
|
||||
|
||||
(cherry picked from commit 44304973fb4ea3ffc94f13feb8592952675202f1)
|
||||
|
||||
* GH-4198: QUIC: Parse all QUIC packets in a UDP datagram (Arne Welzel, Corelight)
|
||||
|
||||
A UDP datagram may contain multiple QUIC packets, but the parser so far
|
||||
handled only the very first packet, ignoring any subsequent packets.
|
||||
|
||||
(cherry picked from commit 44304973fb4ea3ffc94f13feb8592952675202f1)
|
||||
|
||||
* QUIC: Only slurp till packet end, not till &eod (Arne Welzel, Corelight)
|
||||
|
||||
This doesn't change behavior, but avoids slurping in more data than
|
||||
needed. A UDP packet an contain multiple QUIC packets and we'd read
|
||||
all following ones instead just the one we're interested in.
|
||||
|
||||
(cherry picked from commit 44304973fb4ea3ffc94f13feb8592952675202f1)
|
||||
|
||||
7.0.5-1 | 2025-03-18 16:12:32 -0700
|
||||
|
||||
* fix for ZAM optimization of assigning a record field to result of "in" operation (Vern Paxson, Corelight)
|
||||
|
|
2
VERSION
2
VERSION
|
@ -1 +1 @@
|
|||
7.0.5-1
|
||||
7.0.5-2
|
||||
|
|
|
@ -9,7 +9,7 @@ import zeek;
|
|||
# The interface to the C++ code that handles the decryption of the INITIAL packet payload using well-known keys
|
||||
public function decrypt_crypto_payload(
|
||||
version: uint32,
|
||||
all_data: bytes,
|
||||
data: bytes,
|
||||
connection_id: bytes,
|
||||
encrypted_offset: uint64,
|
||||
payload_offset: uint64,
|
||||
|
@ -417,7 +417,7 @@ type CryptoBuffer = unit() {
|
|||
##############
|
||||
type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
|
||||
var decrypted_data: bytes;
|
||||
var full_packet: bytes;
|
||||
var packet_size: uint64 = 0;
|
||||
var start: iterator<stream>;
|
||||
|
||||
sink crypto_sink;
|
||||
|
@ -464,8 +464,15 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
|
|||
}
|
||||
};
|
||||
|
||||
# Slurp in the whole packet if we determined we have a chance to decrypt.
|
||||
all_data: bytes &parse-at=self.start &eod if ( self?.long_header && can_decrypt(self.long_header, context, from_client) ) {
|
||||
: void {
|
||||
if (self?.long_header && can_decrypt(self.long_header, context, from_client))
|
||||
# If we have parsed an initial packet that we can decrypt the payload,
|
||||
# determine the size to store into a buffer.
|
||||
self.packet_size = self.offset();
|
||||
}
|
||||
|
||||
# Buffer the whole packet if we determined we have a chance to decrypt.
|
||||
packet_data: bytes &parse-at=self.start &size=self.packet_size if ( self.packet_size > 0 ) {
|
||||
self.crypto_buffer = new CryptoBuffer();
|
||||
self.crypto_sink.connect(self.crypto_buffer);
|
||||
|
||||
|
@ -477,7 +484,7 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
|
|||
# All data is accessible via the `long_header` unit
|
||||
self.decrypted_data = decrypt_crypto_payload(
|
||||
self.long_header.version,
|
||||
self.all_data,
|
||||
self.packet_data,
|
||||
self.long_header.dest_conn_id,
|
||||
self.long_header.encrypted_offset,
|
||||
self.long_header.payload_length,
|
||||
|
@ -496,7 +503,7 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
|
|||
|
||||
self.decrypted_data = decrypt_crypto_payload(
|
||||
self.long_header.version,
|
||||
self.all_data,
|
||||
self.packet_data,
|
||||
context.initial_destination_conn_id,
|
||||
self.long_header.encrypted_offset,
|
||||
self.long_header.payload_length,
|
||||
|
@ -509,6 +516,9 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
|
|||
# connection.
|
||||
if ( |self.decrypted_data| == 0 )
|
||||
throw "decryption failed";
|
||||
|
||||
# We were able to decrypt the INITIAL packet. Confirm QUIC!
|
||||
spicy::accept_input();
|
||||
}
|
||||
|
||||
# Depending on the type of header and whether we were able to decrypt
|
||||
|
@ -543,9 +553,6 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
|
|||
context.client_initial_processed = True;
|
||||
else
|
||||
context.server_initial_processed = True;
|
||||
|
||||
# Take buffered crypto data as confirmation signal.
|
||||
spicy::accept_input();
|
||||
}
|
||||
}
|
||||
};
|
||||
|
@ -555,10 +562,10 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
|
|||
##############
|
||||
public type RequestFrame = unit {
|
||||
%context = ConnectionIDInfo;
|
||||
: Packet(True, self.context());
|
||||
: Packet(True, self.context())[];
|
||||
};
|
||||
|
||||
public type ResponseFrame = unit {
|
||||
%context = ConnectionIDInfo;
|
||||
: Packet(False, self.context());
|
||||
: Packet(False, self.context())[];
|
||||
};
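Review bot: Switching RequestFrame/ResponseFrame to `: Packet(True, self.context())[];` means every coalesced packet in the datagram now goes through the Packet unit, so a trailing packet the unit cannot parse fails the whole datagram where the old single-Packet field simply never looked at it; whether Packet tolerates such trailing bytes (an unknown version, or a short-header packet whose length is not self-describing) is not visible in this section and deserves a comment on the list field, e.g. `# Parse all coalesced packets in the datagram; a packet we cannot parse fails the datagram.`. In the same file, `self.packet_size = self.offset();` only yields the packet's length if `self.start` was captured at the very beginning of the unit, which happens outside these hunks; a one-line comment on `var start: iterator<stream>;` stating that invariant would make the `&parse-at=self.start &size=self.packet_size` re-parse easier to verify. The Packet unit itself starts and ends outside the hunks shown.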
|
||||
|
|
|
@ -87,7 +87,7 @@ Removes the header protection from the INITIAL packet and returns a DecryptionIn
|
|||
that is partially filled
|
||||
*/
|
||||
DecryptionInformation remove_header_protection(const std::vector<uint8_t>& client_hp, uint64_t encrypted_offset,
|
||||
const hilti::rt::Bytes& all_data) {
|
||||
const hilti::rt::Bytes& data) {
|
||||
DecryptionInformation decryptInfo;
|
||||
int outlen;
|
||||
auto* ctx = get_aes_128_ecb();
|
||||
|
@ -96,16 +96,16 @@ DecryptionInformation remove_header_protection(const std::vector<uint8_t>& clien
|
|||
EVP_CipherInit_ex(ctx, NULL, NULL, client_hp.data(), NULL, 1);
|
||||
|
||||
static_assert(AEAD_SAMPLE_LENGTH > 0);
|
||||
assert(all_data.size() >= encrypted_offset + MAXIMUM_PACKET_NUMBER_LENGTH + AEAD_SAMPLE_LENGTH);
|
||||
assert(data.size() >= encrypted_offset + MAXIMUM_PACKET_NUMBER_LENGTH + AEAD_SAMPLE_LENGTH);
|
||||
|
||||
const uint8_t* sample = data_as_uint8(all_data) + encrypted_offset + MAXIMUM_PACKET_NUMBER_LENGTH;
|
||||
const uint8_t* sample = data_as_uint8(data) + encrypted_offset + MAXIMUM_PACKET_NUMBER_LENGTH;
|
||||
|
||||
std::array<uint8_t, AEAD_SAMPLE_LENGTH> mask;
|
||||
EVP_CipherUpdate(ctx, mask.data(), &outlen, sample, AEAD_SAMPLE_LENGTH);
|
||||
|
||||
// To determine the actual packet number length,
|
||||
// we have to remove the mask from the first byte
|
||||
uint8_t first_byte = data_as_uint8(all_data)[0];
|
||||
uint8_t first_byte = data_as_uint8(data)[0];
|
||||
|
||||
if ( first_byte & 0x80 ) {
|
||||
first_byte ^= mask[0] & 0x0F;
|
||||
|
@ -118,8 +118,8 @@ DecryptionInformation remove_header_protection(const std::vector<uint8_t>& clien
|
|||
int recovered_packet_number_length = (first_byte & 0x03) + 1;
|
||||
|
||||
// .. and use this to reconstruct the (partially) unprotected header
|
||||
std::vector<uint8_t> unprotected_header(data_as_uint8(all_data), data_as_uint8(all_data) + encrypted_offset +
|
||||
recovered_packet_number_length);
|
||||
std::vector<uint8_t> unprotected_header(data_as_uint8(data),
|
||||
data_as_uint8(data) + encrypted_offset + recovered_packet_number_length);
|
||||
|
||||
uint32_t decoded_packet_number = 0;
|
||||
|
||||
|
@ -150,8 +150,8 @@ std::vector<uint8_t> calculate_nonce(std::vector<uint8_t> client_iv, uint64_t pa
|
|||
/*
|
||||
Function that calls the AEAD decryption routine, and returns the decrypted data.
|
||||
*/
|
||||
hilti::rt::Bytes decrypt(const std::vector<uint8_t>& client_key, const hilti::rt::Bytes& all_data,
|
||||
uint64_t payload_length, const DecryptionInformation& decryptInfo) {
|
||||
hilti::rt::Bytes decrypt(const std::vector<uint8_t>& client_key, const hilti::rt::Bytes& data, uint64_t payload_length,
|
||||
const DecryptionInformation& decryptInfo) {
|
||||
int out, out2;
|
||||
|
||||
if ( payload_length < decryptInfo.packet_number_length + AEAD_TAG_LENGTH )
|
||||
|
@ -163,18 +163,18 @@ hilti::rt::Bytes decrypt(const std::vector<uint8_t>& client_key, const hilti::rt
|
|||
if ( payload_length > 10000 )
|
||||
throw hilti::rt::RuntimeError(hilti::rt::fmt("payload_length too large %ld", payload_length));
|
||||
|
||||
const uint8_t* encrypted_payload = data_as_uint8(all_data) + decryptInfo.unprotected_header.size();
|
||||
const uint8_t* encrypted_payload = data_as_uint8(data) + decryptInfo.unprotected_header.size();
|
||||
|
||||
int encrypted_payload_size = payload_length - decryptInfo.packet_number_length - AEAD_TAG_LENGTH;
|
||||
|
||||
if ( encrypted_payload_size < 0 )
|
||||
throw hilti::rt::RuntimeError(hilti::rt::fmt("encrypted_payload_size underflow %ld", encrypted_payload_size));
|
||||
|
||||
if ( all_data.size() < decryptInfo.unprotected_header.size() + encrypted_payload_size + AEAD_TAG_LENGTH )
|
||||
throw hilti::rt::RuntimeError(hilti::rt::fmt("all_data too short %ld < %ld", all_data.size(),
|
||||
if ( data.size() < decryptInfo.unprotected_header.size() + encrypted_payload_size + AEAD_TAG_LENGTH )
|
||||
throw hilti::rt::RuntimeError(hilti::rt::fmt("data too short %ld < %ld", data.size(),
|
||||
decryptInfo.unprotected_header.size() + encrypted_payload_size));
|
||||
|
||||
const void* tag_to_check = all_data.data() + decryptInfo.unprotected_header.size() + encrypted_payload_size;
|
||||
const void* tag_to_check = data.data() + decryptInfo.unprotected_header.size() + encrypted_payload_size;
|
||||
int tag_to_check_length = AEAD_TAG_LENGTH;
|
||||
|
||||
// Allocate memory for decryption.
|
||||
|
@ -444,7 +444,7 @@ Function that is called from Spicy, decrypting an INITIAL packet and returning
|
|||
the decrypted payload back to the analyzer.
|
||||
*/
|
||||
hilti::rt::Bytes QUIC_decrypt_crypto_payload(const hilti::rt::integer::safe<uint32_t>& version,
|
||||
const hilti::rt::Bytes& all_data, const hilti::rt::Bytes& connection_id,
|
||||
const hilti::rt::Bytes& data, const hilti::rt::Bytes& connection_id,
|
||||
const hilti::rt::integer::safe<uint64_t>& encrypted_offset,
|
||||
const hilti::rt::integer::safe<uint64_t>& payload_length,
|
||||
const hilti::rt::Bool& from_client) {
|
||||
|
@ -458,9 +458,9 @@ hilti::rt::Bytes QUIC_decrypt_crypto_payload(const hilti::rt::integer::safe<uint
|
|||
if ( payload_length < 20 )
|
||||
throw hilti::rt::RuntimeError(hilti::rt::fmt("payload too small %ld < 20", payload_length));
|
||||
|
||||
if ( (all_data.size() < encrypted_offset + payload_length) )
|
||||
if ( (data.size() < encrypted_offset + payload_length) )
|
||||
throw hilti::rt::RuntimeError(
|
||||
hilti::rt::fmt("packet too small %ld %ld", all_data.size(), encrypted_offset + payload_length));
|
||||
hilti::rt::fmt("packet too small %ld %ld", data.size(), encrypted_offset + payload_length));
|
||||
|
||||
uint32_t v = version;
|
||||
QuicPacketProtection* qpp = nullptr;
|
||||
|
@ -480,10 +480,10 @@ hilti::rt::Bytes QUIC_decrypt_crypto_payload(const hilti::rt::integer::safe<uint
|
|||
std::vector<uint8_t> iv = qpp->GetIv(secret);
|
||||
std::vector<uint8_t> hp = qpp->GetHp(secret);
|
||||
|
||||
DecryptionInformation decryptInfo = remove_header_protection(hp, encrypted_offset, all_data);
|
||||
DecryptionInformation decryptInfo = remove_header_protection(hp, encrypted_offset, data);
|
||||
|
||||
// Calculate the correct nonce for the decryption
|
||||
decryptInfo.nonce = calculate_nonce(iv, decryptInfo.packet_number);
|
||||
|
||||
return decrypt(key, all_data, payload_length, decryptInfo);
|
||||
return decrypt(key, data, payload_length, decryptInfo);
|
||||
}
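Review bot: The bounds check in remove_header_protection, `assert(data.size() >= encrypted_offset + MAXIMUM_PACKET_NUMBER_LENGTH + AEAD_SAMPLE_LENGTH);`, is compiled out in release builds, so the sample read at `data_as_uint8(data) + encrypted_offset + MAXIMUM_PACKET_NUMBER_LENGTH` is actually kept in bounds only by the caller's `payload_length < 20` and `data.size() < encrypted_offset + payload_length` throws in QUIC_decrypt_crypto_payload, and that coupling is not stated anywhere; now that `data` is a single packet rather than the rest of the datagram the margin is smaller, so it is worth a comment above the assert such as `// Bounds are enforced by the payload_length >= 20 and data.size() >= encrypted_offset + payload_length checks in QUIC_decrypt_crypto_payload; keep in sync with the constants above.` (assuming, as the 20 suggests, that the two constants sum to 20). The doc comment of QUIC_decrypt_crypto_payload should likewise say that `data` is expected to hold exactly one long-header packet starting at its first header byte, since the rename from `all_data` is what encodes that change. remove_header_protection's body spans the two hunks and ends outside them.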
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
ts uid history service
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic
|
|
@ -0,0 +1,3 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
analyzer_confirmation, 1692198386.837988, CHhAvVGS1DHFjwGM9, Analyzer::ANALYZER_QUIC
|
||||
analyzer_confirmation, 1692198386.837988, CHhAvVGS1DHFjwGM9, Analyzer::ANALYZER_SSL
|
|
@ -1,3 +1,3 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
ts uid history service
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic
|
||||
|
|
|
@ -7,5 +7,5 @@
|
|||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history
|
||||
#types time string addr port addr port string string string string string string string
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.54.117 53727 110.213.53.115 443 1 95412c47018cdfe8 (empty) d5412c47018cdfe8 api.cirrus-ci.com h3 ISisH
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.54.117 53727 110.213.53.115 443 1 95412c47018cdfe8 (empty) d5412c47018cdfe8 api.cirrus-ci.com h3 ISishH
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
ts uid history service
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic
|
||||
|
|
|
@ -4,17 +4,20 @@
|
|||
1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, 1b036a11,
|
||||
1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, F, 1, , fc674735
|
||||
1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , fc674735
|
||||
1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , fc674735
|
||||
1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, fc674735,
|
||||
1.0, handshake_packet, T, C4J4Th3PJpwUYZZ6gc, 1, ef3a4e06,
|
||||
zerortt.pcap
|
||||
1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, b7c7841c64883e3261d840,
|
||||
1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, F, 1, , 8d2041ac
|
||||
1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , 8d2041ac
|
||||
1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , 8d2041ac
|
||||
1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, 8d2041ac,
|
||||
1.0, handshake_packet, T, C4J4Th3PJpwUYZZ6gc, 1, 5b7bc400,
|
||||
1.0, initial_packet, CtPZjS20MLrsMUOJi2, T, 1, 15ae5e5e4962163f410b5529fc125bbc,
|
||||
1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc,
|
||||
1.0, initial_packet, CtPZjS20MLrsMUOJi2, F, 1, , e483a751
|
||||
1.0, handshake_packet, F, CtPZjS20MLrsMUOJi2, 1, , e483a751
|
||||
1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc,
|
||||
1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc,
|
||||
1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc,
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
ts uid history service
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
ts uid history service
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic
|
||||
|
|
|
@ -2,4 +2,4 @@
|
|||
ts uid history service
|
||||
0.015059 ClEkJM2Vm5giqnMf4h - -
|
||||
0.001000 CHhAvVGS1DHFjwGM9 - -
|
||||
0.648580 C4J4Th3PJpwUYZZ6gc Dd quic,ssl
|
||||
0.648580 C4J4Th3PJpwUYZZ6gc Dd ssl,quic
|
||||
|
|
|
@ -7,5 +7,5 @@
|
|||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history
|
||||
#types time string addr port addr port string string string string string string string
|
||||
1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 40084 193.167.100.100 443 1 a771f6161a4072c0bf10 (empty) 5911deff server4:443 hq-interop ISishIH
|
||||
1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 40084 193.167.100.100 443 1 a771f6161a4072c0bf10 (empty) 5911deff server4:443 hq-interop ISishhIH
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
|
@ -2,4 +2,4 @@
|
|||
ts uid history service
|
||||
0.000000 CHhAvVGS1DHFjwGM9 - -
|
||||
0.016059 ClEkJM2Vm5giqnMf4h - -
|
||||
0.669020 C4J4Th3PJpwUYZZ6gc Dd quic,ssl
|
||||
0.669020 C4J4Th3PJpwUYZZ6gc Dd ssl,quic
|
||||
|
|
|
@ -8,5 +8,5 @@
|
|||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history
|
||||
#types time string addr port addr port string string string string string string string
|
||||
1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 42834 193.167.100.100 443 1 4a8294bf9201d6cf (empty) - server4:443 hq-interop ISr
|
||||
1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 42834 193.167.100.100 443 1 1b036a11 (empty) fc674735 server4:443 hq-interop ISishIH
|
||||
1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 42834 193.167.100.100 443 1 1b036a11 (empty) fc674735 server4:443 hq-interop ISishhIH
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
|
@ -2,5 +2,5 @@
|
|||
ts uid history service
|
||||
0.015059 ClEkJM2Vm5giqnMf4h - -
|
||||
0.001000 CHhAvVGS1DHFjwGM9 - -
|
||||
0.790739 CtPZjS20MLrsMUOJi2 Dd quic,ssl
|
||||
0.718160 C4J4Th3PJpwUYZZ6gc Dd quic,ssl
|
||||
0.790739 CtPZjS20MLrsMUOJi2 Dd ssl,quic
|
||||
0.718160 C4J4Th3PJpwUYZZ6gc Dd ssl,quic
|
||||
|
|
|
@ -7,6 +7,6 @@
|
|||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history
|
||||
#types time string addr port addr port string string string string string string string
|
||||
1.000000 CtPZjS20MLrsMUOJi2 193.167.0.100 49394 193.167.100.100 443 1 15ae5e5e4962163f410b5529fc125bbc (empty) e483a751 server4:443 hq-interop ISZisZZZZZZZZZZZZZZZZZZZZZZZZZZZIH
|
||||
1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 60492 193.167.100.100 443 1 b7c7841c64883e3261d840 (empty) 8d2041ac server4:443 hq-interop ISishIH
|
||||
1.000000 CtPZjS20MLrsMUOJi2 193.167.0.100 49394 193.167.100.100 443 1 15ae5e5e4962163f410b5529fc125bbc (empty) e483a751 server4:443 hq-interop ISZishZZZZZZZZZZZZZZZZZZZZZZZZZZZIH
|
||||
1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 60492 193.167.100.100 443 1 b7c7841c64883e3261d840 (empty) 8d2041ac server4:443 hq-interop ISishhIH
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
ts uid history service
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic
|
|
@ -0,0 +1,11 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path quic
|
||||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history
|
||||
#types time string addr port addr port string string string string string string string
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.4 53241 24.199.110.233 443 1 f21fdf87f736f235846c7f460ca017 1b3ff910 eab5f6f4 - h3 ISishhIH
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
|
@ -0,0 +1,11 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path ssl
|
||||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established ssl_history cert_chain_fps client_cert_chain_fps sni_matches_cert
|
||||
#types time string addr port addr port string string string string bool string string bool string vector[string] vector[string] bool
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.4 53241 24.199.110.233 443 TLSv13 TLS_AES_128_GCM_SHA256 x25519 - F - - F Cs - - -
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
|
@ -1,3 +1,3 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
ts uid history service
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic
|
||||
|
|
|
@ -7,5 +7,5 @@
|
|||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history
|
||||
#types time string addr port addr port string string string string string string string
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 46907 127.0.0.1 853 1 fda05288ab9ff546 0fb934775f247b8e a31f4933d8727231 - doq ISishH
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 46907 127.0.0.1 853 1 fda05288ab9ff546 0fb934775f247b8e a31f4933d8727231 - doq ISishhH
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
ts uid history service
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic
|
||||
|
|
|
@ -7,5 +7,5 @@
|
|||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history
|
||||
#types time string addr port addr port string string string string string string string
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 49320 127.0.0.1 443 quicv2 fa603212c8688817af3d3238735bc7 (empty) b168b5cc localhost quic-echo-example ISIIisIH
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 49320 127.0.0.1 443 quicv2 fa603212c8688817af3d3238735bc7 (empty) b168b5cc localhost quic-echo-example ISIIishIH
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
ts uid history service
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic
|
||||
|
|
|
@ -7,5 +7,5 @@
|
|||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history
|
||||
#types time string addr port addr port string string string string string string string
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 50841 127.0.0.1 443 quicv2 bdf0c5b27927cc667e58d95b 71b8f3f4 cdc8b6e6 - h3 ISishIHH
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 50841 127.0.0.1 443 quicv2 bdf0c5b27927cc667e58d95b 71b8f3f4 cdc8b6e6 - h3 ISishhIHH
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
ts uid history service
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic
|
||||
|
|
|
@ -29,3 +29,6 @@ Trace Index/Sources:
|
|||
- http/cooper-grill-dvwa.pcapng
|
||||
Provided by cooper-grill on #3995
|
||||
https://github.com/zeek/zeek/pull/3995
|
||||
- quic/merlinc2_Zeek_example.pcapng
|
||||
Provided by Faan Rossouw on #4198
|
||||
https://github.com/zeek/zeek/issues/4198
|
||||
|
|
BIN
testing/btest/Traces/quic/merlinc2_Zeek_example.pcapng
Normal file
BIN
testing/btest/Traces/quic/merlinc2_Zeek_example.pcapng
Normal file
Binary file not shown.
|
@ -0,0 +1,15 @@
|
|||
# @TEST-DOC: Test the order of analyzer confirmations for QUIC and SSL, QUIC should come first.
|
||||
|
||||
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
|
||||
# @TEST-EXEC: zeek -Cr $TRACES/quic/chromium-115.0.5790.110-api-cirrus-com.pcap %INPUT >out
|
||||
# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff out
|
||||
# @TEST-EXEC: btest-diff conn.log.cut
|
||||
|
||||
@load base/protocols/quic
|
||||
|
||||
|
||||
event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo)
|
||||
{
|
||||
print "analyzer_confirmation", network_time(), info$c$uid, atype;
|
||||
}
|
8
testing/btest/scripts/base/protocols/quic/merlinc2.zeek
Normal file
8
testing/btest/scripts/base/protocols/quic/merlinc2.zeek
Normal file
|
@ -0,0 +1,8 @@
|
|||
# @TEST-DOC: Test PCAP for Merlin C2 from issue #4198
|
||||
|
||||
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
|
||||
# @TEST-EXEC: zeek -Cr $TRACES/quic/merlinc2_Zeek_example.pcapng base/protocols/quic
|
||||
# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
|
||||
# @TEST-EXEC: btest-diff conn.log.cut
|
||||
# @TEST-EXEC: btest-diff ssl.log
|
||||
# @TEST-EXEC: btest-diff quic.log
|