Differences

This shows you the differences between two versions of the page.

--- lua:quic [2018/12/13 23:43] – [Explaining the scripts] veera
+++ lua:quic [2019/08/14 20:25] (current) – [QUIC protocol analysis using the Trisul Scripting API] veera
@@ Line 6: / Line 6: @@
 This article describes how you can pull out key indicators from QUIC into Trisul using the [[https://www.trisul.org/docs/lua/index.html|Lua Scripting API]].
+<note>
+**UPDATES**  14-Aug-19   Updated to support QUIC version 46</note>
+<note>
 The QUIC analysis LUA scripts can be found here in the [[https://github.com/trisulnsm/bitmaul/tree/master/examples/quic|BITMAUL/examples/quic]] repo
+</note>
 ===== Network Security Monitoring for QUIC =====
@@ Line 48: / Line 55: @@
 ===== Flow Tags =====
-If you want to pull out all QUIC flows , then go to Tools > Explore Flows > then search for tag=QUIC
+To pull out all QUIC flows go to Tools > Explore Flows > then search for tag=QUIC
+Click to zoom the image, you can see the QUIC flows tagged with QUIC, ConnectionID, Server Name, User-Agent
@@ Line 58: / Line 67: @@
 ===== Extract X.509 Certificate in QUIC =====
-Just as we do for all SSL flows, we pull out the certificates from the server. Found in the REJECT message into Trisul.
+Just as we do for all SSL flows, we pull out the certificates in QUIC from the server. Apparently QUIC also uses a 64-bit cert FLV.1 hash for well known certificate chains (like googles),but we were unable to get our Chrome browser to use them. We always got full certs.
 This took a while for me to get the certificate extraction right due to the following issues.
@@ Line 66: / Line 75: @@
   * the certificate spans multiple UDP packets hence needs some reassembly. Put together a very naive reassembly code in quic-dissect.lua
-This is the result of the extracted certificate.  Go to Resources > SSL Certs > press ENTER or search quic
+Go to Resources > SSL Certs > press ENTER or search //quic//