Differences

This shows you the differences between two versions of the page.

--- lua:quic [2018/12/13 18:08]
veera [Network Security Monitoring for QUIC]
+++ lua:quic [2019/08/14 14:55] (current)
veera [QUIC protocol analysis using the Trisul Scripting API]
@@ Line 6: / Line 6: @@
 This article describes how you can pull out key indicators from QUIC into Trisul using the [[https://www.trisul.org/docs/lua/index.html|Lua Scripting API]].
+<note>
+**UPDATES**  14-Aug-19   Updated to support QUIC version 46</note>
+<note>
 The QUIC analysis LUA scripts can be found here in the [[https://github.com/trisulnsm/bitmaul/tree/master/examples/quic|BITMAUL/examples/quic]] repo
+</note>
 ===== Network Security Monitoring for QUIC =====
@@ Line 25: / Line 32: @@
 ==== Explaining the scripts ====
+The scripts are on Github at [[https://github.com/trisulnsm/bitmaul/tree/master/examples/quic|BITMAUL/examples/quic|BITMAUL/examples/quic]]
-  - A new protocol_hanlder called QUIC attached to UDP 443 ( quic-protocol.lua )
+  - A new [[https://www.trisul.org/docs/lua/protocol_handler.html|protocol_handler]] for QUIC attached to UDP 443 ( ''quic-protocol.lua'' )
-  - A Trisul simple_counter script that calls for every QUIC packet ( quic-simplecounter.lua )
+  - A Trisul [[https://www.trisul.org/docs/lua/simple_counter.html|simple_counter]] script that calls for every QUIC packet ( ''quic-simplecounter.lua'' )
-  - The actual QUIC dissector , which returns a LUA table with all fields filled in ( quic-dissect.lua )
+  - The actual QUIC dissector , which returns a LUA table with all fields filled in ( ''quic-dissect.lua'' )
   - A QUIC certificate decompressor using LuaJIT FFI into zlib
-The quic-dissect.lua script is where the real stuff happens, the rest of the files are plumbing into the Trisul platform. Start from there.
+The [[https://github.com/trisulnsm/bitmaul/blob/master/examples/quic/quic-dissect.lua|''quic-dissect.lua'' script]] is where the real stuff happens, the rest of the files are plumbing into the Trisul platform. Start from there.
 ==== Output of the QUIC analysis ====
@@ Line 47: / Line 55: @@
 ===== Flow Tags =====
-If you want to pull out all QUIC flows , then go to Tools > Explore Flows > then search for tag=QUIC
+To pull out all QUIC flows go to Tools > Explore Flows > then search for tag=QUIC
+Click to zoom the image, you can see the QUIC flows tagged with QUIC, ConnectionID, Server Name, User-Agent
@@ Line 57: / Line 67: @@
 ===== Extract X.509 Certificate in QUIC =====
-Just as we do for all SSL flows, we pull out the certificates from the server. Found in the REJECT message into Trisul.
+Just as we do for all SSL flows, we pull out the certificates in QUIC from the server. Apparently QUIC also uses a 64-bit cert FLV.1 hash for well known certificate chains (like googles),but we were unable to get our Chrome browser to use them. We always got full certs.
 This took a while for me to get the certificate extraction right due to the following issues.
@@ Line 65: / Line 75: @@
   * the certificate spans multiple UDP packets hence needs some reassembly. Put together a very naive reassembly code in quic-dissect.lua
-This is the result of the extracted certificate.  Go to Resources > SSL Certs > press ENTER or search quic
+Go to Resources > SSL Certs > press ENTER or search //quic//

Trisul Network Analytics Developer Zone

User Tools

Site Tools

Differences

Page Tools

Trisul Network Analytics
Developer Zone