pcaps taken from this redmine attachment:
https://redmine.openinfosecfoundation.org/issues/3440#note-8
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - quic
+ - alert
+
+app-layer:
+ protocols:
+ quic:
+ enabled: yes
--- /dev/null
+alert quic any any -> any any (msg:"QUIC CYU HASH"; quic.cyu.hash; content:"7b3ceb1adc974ad360cfa634e8d0a730"; sid:1;)
+alert quic any any -> any any (msg:"QUIC CYU STRING"; quic.cyu.string; content:"46,PAD-SNI-VER-CCS-UAID-TCID-PDMD-SMHL-ICSL-NONP-MIDS-SCLS-CSCT-COPT-IRTT-CFCW-SFCW"; sid:2;)
+alert quic any any -> any any (msg:"QUIC VERSION"; quic.version:1362113590; sid:3;)
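Review bot: The value in `quic.version:1362113590` on sid 3 is an undocumented magic number. It is 0x51303436, the ASCII bytes of `Q046`, so a comment line above the rule such as `# 1362113590 == 0x51303436 == "Q046"` would let a reader check it against the `46,` prefix of the CYU strings. Separately, sid 2 uses a plain `content` match, which is a substring match on the `quic.cyu.string` buffer. The test only works because this shorter string does not occur inside the longer CYU string of the other packet, and a one-line comment saying that is intentional would help. None of the three rules carries a `rev`, which is harmless in a test but differs from normal rule style.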
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 6.0.0
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: quic
+ pcap_cnt: 1
+ quic.cyu[0].hash: "910a5e3a4d51593bd59a44611544f209"
+ quic.cyu[0].string: "46,PAD-SNI-VER-CCS-UAID-TCID-PDMD-SMHL-ICSL-NONP-MIDS-SCLS-CSCT-COPT-IRTT-CFCW-SFCW"
+
+ - filter:
+ count: 1
+ match:
+ event_type: quic
+ pcap_cnt: 5
+ quic.cyu[0].hash: "7b3ceb1adc974ad360cfa634e8d0a730"
+ quic.cyu[0].string: "46,PAD-SNI-STK-SNO-VER-CCS-NONC-AEAD-UAID-SCID-TCID-PDMD-SMHL-ICSL-NONP-PUBS-MIDS-SCLS-KEXS-XLCT-CSCT-COPT-CCRT-IRTT-CFCW-SFCW"
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: QUIC CYU HASH
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: QUIC CYU STRING
+
+ - filter:
+ count: 6
+ match:
+ event_type: alert
+ alert.signature: QUIC VERSION
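Review bot: The two alert filters for `QUIC CYU HASH` and `QUIC CYU STRING` assert only that one alert exists, not which packet produced it. A regression that matched the fingerprint on the wrong packet would therefore still pass. The quic filters above show the hash `7b3ceb…` at `pcap_cnt: 5` and the short CYU string at `pcap_cnt: 1`, so adding `pcap_cnt: 5` and `pcap_cnt: 1` to the respective alert matches would tie each detection to its packet. This presumes the alert is logged on the same packet as the quic event, which should be confirmed against the eve output. The `count: 6` for `QUIC VERSION` is also unexplained, and a comment stating which packets are expected to carry the version would make a later change in that number reviewable.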
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 6.0.0
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: quic
+ pcap_cnt: 1
+ quic.cyu[0].hash: "a46560d4548108cf99308319b3b85346"
+ quic.cyu[0].string: "46,PAD-SNI-STK-VER-CCS-NONC-AEAD-UAID-SCID-TCID-PDMD-SMHL-ICSL-NONP-PUBS-MIDS-SCLS-KEXS-XLCT-CSCT-COPT-CCRT-IRTT-CFCW-SFCW"