lua:quic

Differences

This shows you the differences between two versions of the page.

lua:quic [2018/12/13 23:35] – [Output of the QUIC analysis] veeralua:quic [2019/08/14 20:25] (current) – [QUIC protocol analysis using the Trisul Scripting API] veera
Line 6: Line 6:
  
 This article describes how you can pull out key indicators from QUIC into Trisul using the [[https://www.trisul.org/docs/lua/index.html|Lua Scripting API]].  This article describes how you can pull out key indicators from QUIC into Trisul using the [[https://www.trisul.org/docs/lua/index.html|Lua Scripting API]]. 
 +
 +<note>
 +**UPDATES**  14-Aug-19   Updated to support QUIC version 46</note>
 +<note>
 +
 +
 +The QUIC analysis LUA scripts can be found here in the [[https://github.com/trisulnsm/bitmaul/tree/master/examples/quic|BITMAUL/examples/quic]] repo
 +</note>
  
  
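Review bot: The added UPDATES note says the scripts were "Updated to support QUIC version 46" but nothing in this hunk says what changed for version 46 or which other versions the dissector handles; a reader landing here cannot tell whether their traffic will parse. Suggest either listing the supported versions in the note (for example "tested with QUIC versions 43 and 46") or linking the note to the specific commit in the BITMAUL/examples/quic repo that added version 46 handling, so the statement stays verifiable as the scripts evolve.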
Line 12: Line 20:
 In the NSM((Network Security Monitoring involves collecting multiple types of data characterizing network traffic http://www.informit.com/articles/article.aspx?p=350391 )) worldview, we would like to collect as much as possible about the QUIC sessions. This would be in addition to //Flow records// and //PCAP// we collect for all flows.  In the NSM((Network Security Monitoring involves collecting multiple types of data characterizing network traffic http://www.informit.com/articles/article.aspx?p=350391 )) worldview, we would like to collect as much as possible about the QUIC sessions. This would be in addition to //Flow records// and //PCAP// we collect for all flows. 
  
-We were seeing quite a bit of QUIC traffic to YouTube in one of our probes, so we went ahead and got the PCAPs and started analyzing them using Wireshark and the Google QUIC Crypto document to see what can be extracted. We found the following indicators +We were seeing quite a bit of QUIC traffic to YouTube in one of our probes, so we went ahead and got the PCAPs and started analyzing them using Wireshark and the Google QUIC Crypto ((the CRYPTO protocol is documented here at https://github.com/romain-jacotin/quic/blob/master/doc/QUIC_crypto_protocol.md))  document to see what can be extracted. We found the following indicators 
  
   * **Connection ID** -  a 64-bit random number that would likely be globally unique identifying the QUIC connection.   * **Connection ID** -  a 64-bit random number that would likely be globally unique identifying the QUIC connection.
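Review bot: The Connection ID bullet describes a "64-bit random number that would likely be globally unique", but as worded a reader may treat it as a guaranteed unique key when tagging or correlating flows. Since the page itself only claims it is random and likely unique, suggest adding a short caveat in the same bullet that uniqueness is not guaranteed and that correlation across probes should still include the IP/port tuple alongside the ConnectionID tag.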
Line 24: Line 32:
 ==== Explaining the scripts ==== ==== Explaining the scripts ====
  
 +The scripts are on Github at [[https://github.com/trisulnsm/bitmaul/tree/master/examples/quic|BITMAUL/examples/quic|BITMAUL/examples/quic]]
  
-  - A new protocol_hanlder called QUIC attached to UDP 443 ( quic-protocol.lua )  +  - A new [[https://www.trisul.org/docs/lua/protocol_handler.html|protocol_handler]] for QUIC attached to UDP 443 ( ''quic-protocol.lua'' )  
-  - A Trisul simple_counter script that calls for every QUIC packet ( quic-simplecounter.lua ) +  - A Trisul [[https://www.trisul.org/docs/lua/simple_counter.html|simple_counter]] script that calls for every QUIC packet ( ''quic-simplecounter.lua'' 
-  - The actual QUIC dissector , which returns a LUA table with all fields filled in ( quic-dissect.lua )+  - The actual QUIC dissector , which returns a LUA table with all fields filled in ( ''quic-dissect.lua'' )
   - A QUIC certificate decompressor using LuaJIT FFI into zlib    - A QUIC certificate decompressor using LuaJIT FFI into zlib 
  
-The quic-dissect.lua script is where the real stuff happens, the rest of the files are plumbing into the Trisul platform. Start from there. +The [[https://github.com/trisulnsm/bitmaul/blob/master/examples/quic/quic-dissect.lua|''quic-dissect.lua'' script]] is where the real stuff happens, the rest of the files are plumbing into the Trisul platform. Start from there. 
  
 ==== Output of the QUIC analysis ==== ==== Output of the QUIC analysis ====
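Review bot: Two syntax slips in this hunk. The new Github link reads "[[https://github.com/trisulnsm/bitmaul/tree/master/examples/quic|BITMAUL/examples/quic|BITMAUL/examples/quic]]", with the alias duplicated after a second pipe, which DokuWiki will not render as intended; it should be "[[https://github.com/trisulnsm/bitmaul/tree/master/examples/quic|BITMAUL/examples/quic]]". The simple_counter list item also lost its closing parenthesis: "( ''quic-simplecounter.lua'' " should end with " )" like the other items. The "protocol_handler" and "simple_counter" doc links are a good addition and match the other items.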
Line 46: Line 55:
 ===== Flow Tags ===== ===== Flow Tags =====
  
-If you want to pull out all QUIC flows , then go to Tools > Explore Flows > then search for tag=QUIC+To pull out all QUIC flows go to Tools > Explore Flows > then search for tag=QUIC 
 + 
 +Click to zoom the image, you can see the QUIC flows tagged with QUIC, ConnectionID, Server Name, User-Agent
  
  
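Review bot: The added sentence "Click to zoom the image, you can see the QUIC flows tagged with QUIC, ConnectionID, Server Name, User-Agent" refers to a screenshot, but no image embed appears in this hunk, so on the rendered page the instruction may point at nothing. Suggest confirming the {{...}} media line is present next to this text, and splitting the comma splice into two sentences ("Click to zoom the image. You can see ...").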
Line 56: Line 67:
 ===== Extract X.509 Certificate in QUIC ===== ===== Extract X.509 Certificate in QUIC =====
  
-Just as we do for all SSL flows, we pull out the certificates from the server. Found in the REJECT message into Trisul+Just as we do for all SSL flows, we pull out the certificates in QUIC from the server. Apparently QUIC also uses a 64-bit cert FLV.1 hash for well known certificate chains (like googles),but we were unable to get our Chrome browser to use them. We always got full certs 
  
 This took a while for me to get the certificate extraction right due to the following issues. This took a while for me to get the certificate extraction right due to the following issues.
Line 64: Line 75:
   * the certificate spans multiple UDP packets hence needs some reassembly. Put together a very naive reassembly code in quic-dissect.lua    * the certificate spans multiple UDP packets hence needs some reassembly. Put together a very naive reassembly code in quic-dissect.lua 
  
-This is the result of the extracted certificate.  Go to Resources > SSL Certs > press ENTER or search quic  + 
 +Go to Resources > SSL Certs > press ENTER or search //quic//  
  
  
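Review bot: The rewritten certificate paragraph drops the one concrete locator the old text had, "Found in the REJECT message"; since the later bullets discuss reassembling the certificate across UDP packets, a reader needs to know which QUIC message carries it, so suggest keeping that phrase. In the same sentence, "64-bit cert FLV.1 hash" looks like a mistyped hash name (check it against the crypto document the page links in the footnote), "googles" should be "Google's", ",but" needs a space, and "We always got full certs" is missing its full stop. The bullet that calls the reassembly "very naive" would also benefit from one line stating what it does not handle (for example out-of-order or lost packets), since an analyst relying on the extracted certificate for detection should know when extraction can silently fail.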
lua/quic.1544724342.txt.gz · Last modified: 2018/12/13 23:35 by veera