From 1077babc5e5fcdb2bbb091060da67bb2a51ba63d Mon Sep 17 00:00:00 2001
From: Philippe Antoine <pantoine@oisf.net>
Date: Wed, 27 Sep 2023 13:57:33 +0200
Subject: [PATCH] Adds test for quic v2

---
 tests/quic-v2/README.md  |  16 ++++++++++++++++
 tests/quic-v2/input.pcap | Bin 0 -> 5466 bytes
 tests/quic-v2/test.rules |   2 ++
 tests/quic-v2/test.yaml  |  21 +++++++++++++++++++++
 4 files changed, 39 insertions(+)
 create mode 100644 tests/quic-v2/README.md
 create mode 100644 tests/quic-v2/input.pcap
 create mode 100644 tests/quic-v2/test.rules
 create mode 100644 tests/quic-v2/test.yaml

diff --git a/tests/quic-v2/README.md b/tests/quic-v2/README.md
new file mode 100644
index 000000000..9f937b004
--- /dev/null
+++ b/tests/quic-v2/README.md
@@ -0,0 +1,16 @@
+# Description
+
+Test quic v2 parsing
+
+# PCAP
+
+The pcap comes from running https://github.com/quic-go/quic-go
+
+The example server is in example
+`go run main.go -bind localhost:443`
+The example client is in example/client
+`go run main.go -insecure https://127.0.0.1:443/`
+with this patch
+```
++qconf.Versions = []quic.VersionNumber{quic.VersionNumber(0x6b3343cf)}
+```
diff --git a/tests/quic-v2/input.pcap b/tests/quic-v2/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..49384a51d1fcc6ffc02f896bc69b824cd852e16e
GIT binary patch
literal 5466
zc-n23cTiJXw1)$PBE46s(t9zXw@?JRD1p$Vi*iwlh=53!CQ=i6uL=kR0U@-2(u9B%
z=`D0Z6%eGT5FU8nd(NHfnb|XE&L7`e`?t@0>zvV!ngT)q5b*o@=iZN&@qSh*F#t#m
z__YWxp6LLH0eOZ1fCe1^5DWkiT&`1Zf@a`05#Y0noYo*cc^A<}Nc{QL(jr`+_+C*m
zNgfc|NTmwU?hI|<TQPlrIoc!e-Ov?`%K3(y9uJqBc_?|MpkAam+&(g}LmxE=mm)o}
z$`E0658wqg>JIJ73JBeXgudWf*#FzNFC7E+|5EEIyS-VBnPY~`hZnCHY@j>!b$rHK
zgXN;~0$sZprP47^Am0l1RV*{EH!N}Y{d6IC;zO$v{ecwPXdMP^IXbS$G@=qMTfrx?
zCnnox!o^Fe!&|{}&v2QD`D5OB%;#qBXVR;wFu6#=Is&xd0>@WD3(hl}PaX<?nOvQ9
zq5l2|<Aa(=<nTh#sM@Tk_$l%glc~n{#n+>GL+=;h)W(|!D*LDP_zRNJRTH{B9no^u
zJM0j9Qmi}Vwv^0Vuvf0g!K-d;%7J9T@#5p@gj%pQ-l<*`MP+A}-KECTI5WUdksA^2
zUgH18BQ68W>XY+i=}`Z+gH*;tai=zK1B~npbjW~-Q{p|HwqUV>!X2R1gzS5SJ=JJR
zcJ^Idy)_obMhx8VvQ8SV*a)R=5bHJp>$XMnjhI?!&W3!^fVTM+-d~DM?tJ1B^hUJX
zTf%VBS=<dn$mLqU%YC$yWQj8Yi*xAWi~u2uSak)YY`k-Qe-``59=C#1lgo+wAk}fg
zjxcO^$w~_QW~Krsrmk=^sv{U3YNK%SF_}!9NK3??Z&h)d$4jd3r&$UV-HqLe98yr;
zFMLF&V8&|i9W&j4E~d34O0!Rww7Vtsbuplhw@F#do{Clf9U&t9X?Y8SmD3)u%=;bd
zk}Vsd@x&mPh$ONcrR%BI4yKqy6NnlZXQZHHrX;9p-p(t9NkX)_xIB|`CYZ=+U!u8B
z-6CKlEak?Xgube58#rU*$BGk#Dv^ni%me7_O=hI?Dop3E{C^zj_Vm(tyQl{<M@IN-
zx%d^n+00pN<JJ!{D9)^EJPHu*>Ohl3PnJoTSKK_T6f2$$`a4}+en`zCdX?K5|5ih>
zqzP+QrP}GDgW+r+^T4hrJ+0M`F&F(Ph#D#Z@awg!IwNqdD%;qZn7JpuqL7+eTS#Cc
zQ=H`z+pv@nce;`d0rpzeuAW2_c7pPUvpLw*`uQM5kDd{1<q>$yGiFs;B74WI6;wy7
zc4m~)c0?&1Ak2+Qbe2{Snsf3g|55SR_8F4n=C|uqIxYuH)7BiwAv?1l>WqDrr`kS8
zsoz7mk(+JdZykJ#c5+jgq=@G#&w3Q5O2&XYI~8pVlm4;HCVB3`aOqd^M0PDUchPqS
zSMn@B-qhwJu-Y)b0_$8WRRLKu`?So~pW}pfSnq5<ka4@qhv63@_xO-0AlBOV-Ee@P
zod>@9f#mS~s+eCPih(0Cyq%snot$IT<2BH=C1g)SV7bCrq^Y33FLdU)+t;Zf#JF5<
zVKi|_4=1J9-$UV2Lup>D_-Csl%_y6_`$H%&9rpqEjfipQV5n8}Ud90Y>x%+fV=u0;
z2X0Eo{gk&Bn%%YyoGA)Cia?0H!-1qkoXD%76TMzhF9yR1UORq1zAE>(h;CKS<nGW8
zeV5WDeN$=rfIS?$j-PdR72ScWG(#4ug@0$l_>sU}RtX@gtGjSCV?`^ha%R}d?f~6>
z9wg5+c5kYXM@Mmk4Zh%W`s7pitHG_rbqW-=@+Bzg(uvYl|8?Sp5&z{xg6322|99dq
z0Rq>-23UZGcgIsHiC94J)qBCP$HAVW@hK)vB@5?nPm?~Z4=EqjhYmv=;3LM~Eu`{H
zDb)}5*1Fc~v*Mb0pXTc(*9_hK(6BI=-*SI+u_d?QuE8RgXwjB$!I+<|H35BW)(H+8
zFqxK+Q1ngsq-&bg2Udg4t-n{BJUxm3cN^M&;b7xjnQgo;#9w~#6~U>*t)CTPmd37R
zwmOdH5_bqlXwDs|X&YI`FNy`bAkMAqIF*T;oSaCX5x1-IF?OES2COle6z^vd3rn95
zf#i3kkSCN@!x%9Q;2l#NSvlJ;(TL!=$uVOI61oiO_B3&}uLldM8CrF3kaE##?MK$c
z9DPI*d=Zv2ZUfkB50%Ymlu{+CugJ6*XnTsWx$Yi)+_>cctcNn43~(`8Wo~~6yAgSh
zzE+9;tOqNwpk_mRjr@7Z@kW)r8eW^s%*GOi^_L}dG`8fGbn5u&h8z}Pf@fUwAl5+f
z0CZboTsI>V!CK_P34ITdAwBmWrB|}b`zUYu0&Gl*BbhjtYshW+W^D7#1(w*kHW4B8
zKIv6NQK2GV;K4QYpOX<4sSekfDvBd>ms4D;TRFM(jSjert<ea+`S<#<zJtX?BRuU<
zHsVd=bG63(qMVFl>EEOdbJm0`M8!dGPQ>pmw2A^<Kj~dHQiMR5j@t|z2`CWXy^P=$
z3UT2x^|*z(Pbdi4A}VNmdfU1Wh3w?>>iz(_sqj}<U2@beLm;n|3`}<KDrVuc_B-S8
zIu=)dNLae}+vUTQ?#lH<s}BK|@YJuTz+u}V_p%_qw1HMJ2Z_<x9;jO2)4-Akdke9y
zYN0<T-#^Xjb?Y%wPD(zfl=C$J1tww-TW_o2{A^*?n!*8dl~E)!M4C?ljiL7(LQIA*
z&r7D^5>OUbEwd`-XMtalI;X1m9O7sSDmXS))SrT{1;AENnn##j#|ys$9s}WF?ZtcW
zjTcuut}H5W6)mgQHE%2|FZLcrIA_!YpMt4AJkQ!5@DP_evsq0DC4(YsyhUM)xvRCW
zGr4n!N*iuG?*Fb|DM{B%J>p@u>5}}OX7XcId2o<G)v1)fUHxav!5eIn%L81d$FB-9
z?Ib2(_xGAdEii(2AIVy(ut3$78Z$?Hl^bMiT+*R!;g6gY%bW99yFbQ;k;?;^9l0`P
zTtho)1|DihZauGU7d)0VmvJZ2Is`;~^@KB0DjT_4+4<a@lkr(q<fusjvZg-t^oScN
zP`qA4T)~^}9S>S!B4?A1Nm}hbMl^VA&+FepUW08DAgrgjWD65xPg8E`%5-XPyd}d4
z#`Q8WHlfuvRwD2-6WLOvplY)|HO9%J{P8lOtyOcypU{*mJN<bs>Y#nl9_4OoiMzv4
z*43TruiTa8s?jw?$_s+Lf+2}5Y07j<j-3f}J$+qeLrBTTY%zYb-K)<O{nxMDn$EA^
zMm_9`hz;fWdkK*SF^m&J>r`|)<D4AJ^qHKESPzdI-7y4P@22sSXOy09o$90o8#{;O
zYMX{Shmp0#9FHPlwx`=p!t#-A+}FccG@`4z4_Q>VcW35?#qT3&p?c!NpBqpfpdevB
z(2LTStrK%GnDwSN(XwBLjVEHNY>g*oYK8q%ZZeS|(jGRWE}f`!;l#5G3tp~&oCx^-
zCno|{@h4~hmXU^AdA=nCUVbB@jiGO5s`PGonWVHt*Pxoy4&c09JaCOYgxNX?m(lg%
z$y`%D)ZQ;=RHJm`@1{Klwaw6zMcmP5G)pd<^ElcrsES!NG%4=Kowg~V5Hr#&yCcU;
z&-Gem>)f^Cz?S_91JZLZGsDZmtJ_~@7QmAthMD5q?aXV0(_=-?biWBzoy9Q~|M(W%
z{FBd-j~`lA$wo_&emC@4azP>UB%pObv-LV}VJXDFCg0B_Bl^R*3s$Y&v{|<(8AiUS
zY-heu;4OU_hUP^WDi<NB{9hP^0EIt>!H<{MzHFz>@9O-LYxQZOGN{YrJ--tJ^dONy
zr|y!qRsG*#!~FQqAK+uZg1yZ2e?Pg0J-ZXqsOhqoo9ytGr@cQPsAQ^koR*vdZ!f{a
zS6XU*^dLs<ig$^s56B9C<U7$4nry$ASmT+Vjz_g;p>IX791r#=-o9sqkh5%)bvsqG
z$nPToRaJeN)?xi9<GU64A}8Oe+@90k2s}b^EEqc&j;A(_Mv)Z4d0WFQv6A746k4X)
z9#Dc8g;$Aqbbq6*4O4DW9f@Cs&;5_CSpWn_z~Pcz!)!V8f+k}h7Gbc=z}~g-vq1bh
zN8c+L_N}g`fPOPD8B8V2;=CBs@q<%hYhfH;SrR{MdV}sYZc$Z8T7tbvBj}UdQW@Ss
zbrrF2Ai)>X<Z;KIj1NCC7NE3g520r3SPz=@K=!^#sm!lk#!u}ooAj=%>%X-SI2S<r
zsX=II2c-MTta~c}KdA2k3r#{Jv65EcwVD#W`Uy0b7>2Bn4_){iqx;jEP-Qco$w~Ls
zVsE&h@{1BTX>&O_>HQ5i6O`a;v#9&XaMpHmQgfB&z0e4axy<#k1|unqk6D7kcMNu(
z;jZhvH34zb5rGDAPGl#g%};a6e50@0IqT`EIXB{qp3AU&W>1duZ;5RSb{QB9y#*1(
zCQF*1@rtBf54q*ei*Q{IMWS811lV<M_=@B@DM<F*g6>voCvbF?7!7_d)ov0o=PB^t
z-6*6c8m1JdzK>5KdPgc#-xbdxLb=OgP`^YZ!gF#zxSv6#L<!dk@!$aZ1$Bu7B57j!
z+0Rtyd!x*4SNJ4zPNnB!X&2n4dsqaw9>>oT)bhGt+o>RXUxfImTbUDJx<$z%F!Xes
zMo_=Ufq~Zkc9jal8fBJM*hpjOIHQpxc%3iEf@iShdy@4FA99{Pz@S@^z3ePxa<4-+
zi7Q^(=iTfcXfkQP{F!OWyQuxWcjPeNzv}N$Bj@5i!F<zdNwf@2HI1`nKu7o9*QBkD
z&vt_?5F;<+)AitspYL3y@;p(;+~9feHF2js>(%H`*!3%2?~x;O%PLl3{idm{;%|Lh
zka?8**|$dpDjQCara1#WjWe$MwWNxP`3tk1Y`|&65dQ>q6M*^k6A6`9HxivvIAcZ?
zSm}ht+DP?aQDM3IYd_9r4NP2N8_#kmC=&Qzz-}LG1(&9h7&8_dqFGqBV=@ojhB-qS
zgu-pB6P>%KnaTr<=w$q!@zN=+ZC5#q*vZG<*$+Nd+R6(sC>81YIf#)dawp9gU|*&q
zkR@S7eacq$2;UUYn%*7F%ruf7cNr^vgiN1H$0f5Wh8%K&1kGq5YRB^tL}&1aM^n>Y
zEA4MszzlviyrcSPnW@mn>T$U;#meUTlM&}=L7NP7OKtx^d65-Fds`0O>(!cBc~LfV
zP?$r0$>JmZ>aLO5GT^=RX}tx9jp0w7!(~b=O^t4n0`jim8r0YksDjqh17JcrPndE>
zf*~dUi}q8pCOVbr%IY7KwJk=_Tk1AH;fHao4Xr`Z{<6WYSEtI2**3rF7-y_)09GFQ
z@{l;_=V;T{PVNmC=bcrt>66j*5qJ$BozXx(TMJBk@pJWHsPwc8RJQs_m%3EC;e(UZ
z+O=zrOlf}n;=oEASvl%+d9C!O(UoP=N<l)$o}<!HaucPy-QF(tA+a^zOQoVL4#(xd
zk7do$q=-8IawBTIbmH-a6ZI}!sP}u=XzP*v*NFgWycYi7PSjvI^=xNc=)mc8r8-W4
zi0hCf0xOd4RkD{{#dpMjp$p#7Z|*1P{2#at_`dJIxcTS6j(@mnjoBhRM4w(Wm1KC~
z6Nz?{H76}B6%)!37|VQM4~-%p3fLA2@;gPnd|WEJX~1ogLDjeXK`x4yD(&#j15U$B
z(%Sv(y~*4mXmYunhp=4qdjN#JYA5%ot~6*>&n>}kF<!7>s9w9avq5^$q(fou-DaH^
zPNDT-ham%{GjPO`=5abj-HGG!ykU6LVH{l-1)P*V?uSTfM5lTN{BnO<7yHxr^{ev#
zb4jIq_YeCM#w#0LHgvOZ^zQP^wAqao$y=v(?nyi!%`&#qatWv(MP2d&-u-vZH5~te
zcQNNoFL`5wPL;{xWkek*Z=Ta+t;2<<_D~A)Z!cM`7cBb=hW&4r^@H?3u=Ma&uuInR
zCh^CO4t1}@uxIlfg~ZWE_2vSLaL;^J6V+`nW1|ra96Lqx387c|#&83pyEF;1AfU}V
zAy4kLi@dBSS4#|_A^`ka|I{P6^2Zr{cuuB&%lYqIu}b->{pPG5k~n$KkDt-`<0T`z
z@@MOYEmH|+;*+8bSC{Wvf}&>3@Dvyf5k!C6d2cGu{UB5WdHu^HkP!Xb_d9cKj-rSG
zet2Dyj4^pvUy(r~Jt2d%HSm?gH9_Z8?IBIgoq>%}#NkgitAe^P5eNygTdfCdrs-lZ
zUbR_bHbf&f>GE7f2+^Mqjyi+pQcuwuX!?_WeI(gN(XaP3@Jb;g-foHdsP*M1<c1!a
zWB0W_t;mwDJ?ra9XSww3wCk?#hD8Qmhx9qiHh~MK`pff*iKxjfT(3E7pbIc~MXe_r
z_UmF>m*H^K5d$nPLb3RL7_dKvqk%Wky$t7tQxo|4YPFN>*QTwqz>4edREHa`K));J
z2Bq*pY^nzyn}Y%$t_7}A_qaK!qi0O@sK+krm|xUUzu>F?uA^L>_J>0k!Yf%`9(pv#
zStcL#dD5y-WbKrtX|^rx1KRICtBD7{-pAYvoYDnG={FAi$F}+KAe+m!?Wlrlkk-d*
zBcFNc2i#4dVKkmqK9{6g6fr>gf}s4HBp(v<hsLhq!4{W|)&H#)`K`H0rT7R=mK>*#
LNSGTQw)*lv*c8lf

literal 0
Hc-jL100001

diff --git a/tests/quic-v2/test.rules b/tests/quic-v2/test.rules
new file mode 100644
index 000000000..4ed74cc10
--- /dev/null
+++ b/tests/quic-v2/test.rules
@@ -0,0 +1,2 @@
+alert quic any any -> any any (msg:"QUIC V2"; quic.version; content:"|6b 33 43 cf|"; sid:4;)
+alert quic any any -> any any (msg:"QUIC JA3"; ja3.string; content:"771,4865-4866-4867,5-10-11-13-65281-23-16-18-43-51-57,29-23-24-25,0"; sid:3;)
diff --git a/tests/quic-v2/test.yaml b/tests/quic-v2/test.yaml
new file mode 100644
index 000000000..a954b2634
--- /dev/null
+++ b/tests/quic-v2/test.yaml
@@ -0,0 +1,21 @@
+requires:
+  min-version: 7.0.0
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: quic
+        quic.extensions[0].name: "status_request"
+        quic.extensions[6].name: "alpn"
+        quic.extensions[6].values[0]: "h3"
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
-- 
2.47.2