lua:quic
Differences
lua:quic [2018/12/13 19:56] – [Network Security Monitoring for QUIC] veera | lua:quic [2018/12/13 23:35] – [Explaining the scripts] veera | ||
---|---|---|---|
Line 20: | Line 20: | ||
- | Then it is a matter of using the open source BITMAUL LUA Protocol Dissection library to do the heavy lifting. In about 150 lines of code, we have a working QUIC dissector. | + | Then it is a matter of using the open source |
+ | ==== Explaining the scripts ==== | ||
+ | - A new protocol_hanlder called QUIC attached to UDP 443 ( quic-protocol.lua ) | ||
+ | - A Trisul simple_counter script that calls for every QUIC packet ( quic-simplecounter.lua ) | ||
+ | - The actual QUIC dissector , which returns a LUA table with all fields filled in ( quic-dissect.lua ) | ||
+ | - A QUIC certificate decompressor using LuaJIT FFI into zlib | ||
+ | The quic-dissect.lua script is where the real stuff happens, the rest of the files are plumbing into the Trisul platform. Start from there. | ||
+ | ==== Output of the QUIC analysis ==== | ||
- | BITMAUL | + | The goal of all Trisul scripts is to add some piece of information into the streaming analysis. What we do in quic-simplecounter.lua is. |
+ | - Tag (Enrich) every flow with the label QUIC | ||
+ | - Tag every flow with the ConnectionID | ||
+ | - Tag every flow with User Agent and SNI (Server Name) | ||
+ | - Extract certificate chain and add to Trisul as a SSL Cert Resource (think of this as a log ) | ||
- | Extract the following information | ||
- | Flow Tags | + | This is how the outputs look like. Using the TRP API you can access these programatically too. |
+ | |||
+ | ===== Flow Tags ===== | ||
+ | |||
+ | If you want to pull out all QUIC flows , then go to Tools > Explore Flows > then search for tag=QUIC | ||
{{ : | {{ : | ||
+ | You can also search for tag=doubleclick.net to pull out QUIC flows from doubleclick.net | ||
+ | |||
+ | |||
+ | ===== Extract X.509 Certificate in QUIC ===== | ||
+ | |||
+ | Just as we do for all SSL flows, we pull out the certificates from the server. Found in the REJECT message into Trisul. | ||
+ | |||
+ | This took a while for me to get the certificate extraction right due to the following issues. | ||
+ | |||
+ | * the CRT\xff tag contains the certificate which is compressed. This is a bit unexpected because even before the authentication is done, we are running an decompress operation. | ||
+ | * you need to use a pre-shared dictionary to do the decompression, | ||
+ | * the certificate spans multiple UDP packets hence needs some reassembly. Put together a very naive reassembly code in quic-dissect.lua | ||
+ | |||
+ | This is the result of the extracted certificate. | ||
- | Extract X.509 Certificate in QUIC | ||
{{ : | {{ : | ||
+ | |||
+ | ===== Comparison to Bro/Zeek ===== | ||
+ | |||
+ | The Trisul scripting API allows you to write in LUA rather than a mix of C/Bro language which need a compilation step. We find this is a major efficiency advantage. | ||
+ | |||
+ | |||
+ | ===== Conclusion ===== | ||
+ | |||
+ | The goal here is to show the power of the Trisul scripting API rather than a production grade QUIC analyzer. | ||
+ | |||
+ | While the script is working fine in our test environment but putting into production would need some extra work. Particularly when QUIC is used for HD streaming, we need a more efficient way to shunt the stream after the initial handshake otherwise we enter the C->Lua interface for every UDP packet. | ||
+ | Head over to the Github page for the [[https:// |
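Review bot: the new "Explaining the scripts" list at the top of this hunk misspells the script type as `protocol_hanlder`; readers will look that name up in the Trisul scripting docs, so it should read `protocol_handler`. Smaller wording fixes in the same hunk: "programatically" should be "programmatically", "an decompress operation" should be "a decompress operation", "a mix of C/Bro language which need a compilation step" should be "which needs a compilation step", and the Conclusion sentence "While the script is working fine in our test environment but putting into production" should drop either "While" or "but". On the certificate-extraction bullets: since the text itself points out that the CRT\xff payload is decompressed before authentication completes and is reassembled across UDP packets by "very naive" code, it would help to state that the reassembly buffer and the decompressed output size should be bounded before the script is used outside the test environment, in line with the Conclusion's own note that production use needs extra work.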
lua/quic.txt · Last modified: 2024/06/04 16:58 by thiyagu