From 6bb4ee0f498dccf057e939cf509258d2ea462f80 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 22 Feb 2022 09:20:26 +0100
Subject: [PATCH] Adds quic ietf v1 test
---
 tests/quic-ietf/README.md | 7 +++++++
 tests/quic-ietf/input.pcap | Bin 0 -> 9263 bytes
 tests/quic-ietf/test.rules | 2 ++
 tests/quic-ietf/test.yaml | 22 ++++++++++++++++++++++
 4 files changed, 31 insertions(+)
 create mode 100644 tests/quic-ietf/README.md
 create mode 100644 tests/quic-ietf/input.pcap
 create mode 100644 tests/quic-ietf/test.rules
 create mode 100644 tests/quic-ietf/test.yaml
diff --git a/tests/quic-ietf/README.md b/tests/quic-ietf/README.md
new file mode 100644
index 000000000..95cb154b1
--- /dev/null
+++ b/tests/quic-ietf/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test quic ietf v1 parsing
+
+# PCAP
+
+The pcap comes from https://www.bortzmeyer.org/quic.html
diff --git a/tests/quic-ietf/input.pcap b/tests/quic-ietf/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..266ba94ad71dafe1120cf99f298a300fb5a22e2f GIT binary patch literal 9263 zc-no~Wl$ZiIBL)6@N*s$W0dbGoKz@f`&6rF2sa} zyXG9C4$Mdrx4yxFL>(2z_yl-BhCY3-48aGDy1faeWT~Gq&zW&T|z#8S6g1N z3`4l0NpN4N#6Xg2Ayi7vtDM0XNB4L%mqQ*6Eh@HcUY0H|3|wp?oYhhvWsyn_iJu{V zN6X)rqN%+mZ#A?YyrjbB{U&4})57)~F-L}9+NKiUCjXge9xjB=ayUaph5}S|?sb%l zF-hwGCItoBPXU<|@3={P(zpIJjRHWZ!QVqS{$3+7Zdd=6p%Tt%W$UtsyeT#&puN0< zSv0udC`RsrvKrKm9G}_V6YCX=`()29NIw;n-{h>2S6I2WqCgYWAkUP02iL!mtw_i6 zaX~AR+6^5=Op-=G2iuqKN|}1R+`f2F4p_YyjLw#1M#SA{-F9e# zHD^#h{eAS=BFJs)Cawe5`JMGWk<|Z2AnKNb_)=XH(6Bz#1;$s>y zBwb~tZ@(0i&FImiSHZVopCfvuLIl{Y++cVLZZa~mrYBzVv4l7m47G?Z<8q2ako-1k zf8cy9MyZy(z-RqFZm^TwWGyBQqe?S^xK9eHlBSmLpWs-Q=W!9IX6UfMw4L}h7EDUD z44yxvcTopZ=2h_{2O^Ao?&t_%rEC7)(hg{Uf{CyfGQR15BZ;E^#&c^+HN~XA;^7Gp zwdVCx@tzXCj9C^jV&C+oh3|b7`CcXm>Iw82X8=mUJ1$sFl}FwP9o95Y=#PtALJqsi zyG#rjr2Y!Z2}>RR0TSyg?91T1Z-Q(Bb{eX>va2bR<0(JTm+v7ZKdCE6mk?(rcgkQz z?>TWW`xen@AMR?`v}Nm4>=p^fNg3Dc{)Qz8N zjq>?cMr|;r2u*?4uVE(=Oq@sZeiK5Q9?X1Ijd+>WiyLfcKU=fC|4@n*<(adiu^vd=o4|*0+CY$OO&zv*s z7h+3bjxP7|@OooAL;Jp~;htq#l2q|8#az?&i^j$i(=o0IO#6oJ-#SVy0sqnQe_Z?@ zBY*1%`2DC`1YnLa8}~=XKSBaq*Qa4lGWiDn((!K;5tk3*k$mftRN(<4na951pY3EA z;*ZH8hHjT731z9O5x728=GwoG1u|f}z?c5qW#m+N$R?E(4YfAiW7zbl)o7f;0_J7| zYsA}ymy`7>-cy@!_Tz|c#V+kU7!%O3XZ&Axts8Hb-vO*5f{2*$)g@YRj;IPoO)->JUK&ui74BG`sNT| z3AI4|>dLS1&hI#z{+HypQ~e&8Ir5?v4UJBDfJjSp6`QTV>@{mjMmaR%FxJkc z&`8;ORmO8pls_%|RkdIF2U4|jdxAM(5#w>?zi0BpLa(v79|DsH#dI#EB$g+nYmG(C zD=rB(A80yzKTB?rUJu?D_#(P$CzlVK_}g|z{o>MLUP>6gW^;s$*QI&i{f%D~XUxb? 
zYJ_h-8gvP@%mpis?HhiGC?JTMV7jtV;t4%+YHum&8%akgR~V=&%)uv8HnItG)0gs6 zPoIOA;^AZLbo|yoKXUntctSvazJvn>6MVYlQw*8KZe28b&FkU!7Ymb?+4^+Ucf=Qy z>z&wAy;+q__sT~^I%L}M3Xkgpk9@-!z{Fsr_A0G_l7@Ec`wq$hOBalRU2wP_b`=$D2 zk}Td@Tv5{zdP>pF?Dsl&*9aBLhwNnPNX*rDipKJMW>691rRsafV4?_8ubM-xnCPb; zys$nSEJp=#T%oefCEqt|Tm>F6au;88)~fN;e##l@30x7Q1tP&o30`FsN{hPbCREZ#i`7(ak4az;OUZ^x&ne zD_CuID+HYWdbPT;+{~SX_R|Ck{hGbCIbSa!4*rYrzMjKRk609^mVsr$3JPIljda!EiH!O6# z5SvyP)+UpaLksD5i?HQ)shEFn5r-R^smLt;jr?XSmXwE&$hqV~D~YOc-Cr$Is_Ku9 z>uW%O{O=(7r~U8j2o&<=_>&z!@BDjq1TqNB?fgOJU$*?ijfgU!V(Y<_jQN3r*k+K$ zkQYAOCnbwg3QBDf1*bf^Hi3Wpt7tD@$@r@Fz|097CWKC3*#!nciH7s}9P4MfBsirU zv(2}-bw*3^CH`!(rBo>7^S{1AN{S9`mfqN&Hi~)rh3cskIXH||xBuAL8dLV;qkbl% z&UAG^YMaeOJO-5iyU0&uj65dVcWxKD+VBu%n}s~$v>7X@^hMbxwbc6*lGQ7<8SB>8 z*}C^6mPq`bkN2iE0S$$rsd>j$`Skv^_XvhF`He|&%^@@jf_Qxy({rST`D%xOgZFhb zjTa&#LPQ+Qh$Pmx-kW@%enC8Y6wr|fpyb85|J0Uy9SAu3y~G^-w_LvF z%lW6a9^(IATi78{N3VY-Os){z{6reGA>FFCn$dL8yCnCTi;T*?LOh^1wYvD@XgR1T zkw8o8eDnly%6 zi4Z^4LdOk1tP>0+PyML#IVYLq&V{W>wdm$3cOU)ZfGW#Di8G@O5vCkBvp@bt^y?R$ zSxa|EP@#=DajUg{FUJ5myh5wT(spY!g7?Z49p7XV%{sB?9OB`(Z4|}ZwhT5hKR#9P zk0BU%mw`Fs4E9ha^a8D~Z@-vtB;*F#n%o+lQ$j{hJ(Ncm*sJ`;<~vy+?g1=C7jClk zc3!Y-B0Y>Gti`MCi?Wp?eNr8BGD3U0*GQ+Q`<^*CbabL8Ix#tb%+cj5z0YO?b;!pT z0Hp->re)I`gHv(sO=gHYy%K1RRR&UD^7MwLH{KyIILD!P+@1IFgpJ)Fg;hk5&V>FV zw<}bxAW@MD5^{|K=R(5!SStfu@C)7%l5vWA6BZBt!rag;XZ zQz+-01iMW&s6;ApV-~iKYK4nd0rb|4We=HMGYN@hVRF+}FiLZN^RtFQn->Nz15^AO z?R)+TiJ}LrLf&;e*EGkoc9$huv-umHtzC>qv+)J$=ILh@rVTcXz;AoS`0O7U_0PUh zBdU@hyZVe)T+NZyZIm8GBX{z5H^Df@h*yOQ)qo=-k8v-iNhCKw=ODVxs-I3xNm%bpKrCQhZ5~0aS zwGoxq;YJs^ai8oisgnh_W)}$nPLaw#e~!SFp{Ec=xx8OK7c!$-Nv$Y<7ef3>XUXueRqIKKWY1pbZQnFl^~wCTKhc z!I3#7cMru{Rr5XtCP8nRV=D@BdUgdXZ{)s6;ee;z1gRnM1Uh?@cT`B2_Cgbc?nlkJ z-iWx2_9SSN5}71Kr$}~t_=5-YIBt%s-ibJNN+3YHat%IW0_N9%r7ytvx6kVk1>?RG z&v!iRkno_iHL>eZuK0*~60wNU(rJDOW9ubSvPU<}kHu^Smu;-X-nB$lJsAiIhnhJ`P|Jy5p}_on8u)zoO8 z`4$Evir@-1_CsRcgkx@W$H3M;L&I5cuLK_m+_ChmR|Tkaanvzc@0GS)T%8z>{eZ4p z!e2M7Ut$KgAT7Po- 
ziGdc=p5UhRz=lFD$@j;Brc%chZ>U>kO9P(KSSeX|;CTV|E*9VUU z4M$cM1@gSX9R!DK7H?F3X?e5S@WIlnus`x!Z2|$?zt_k=?SIP;nDyoQBmWnc+8r{7-y1gBeU%GmCNIk>syK>u~7GyaQfd`y0w@C7jnCMrG>42qN> zgpA%eoiaO=mg5t|Mr+Fk$<|*#E%~F#Ib1$T=L#g~cO_G0KXwExe=X_ey?Wtht1_%h z?ED!Hg5~g0j}$^9PqBAI63|B;cJ4*)5h#9|Q`Nv32G?c{v7dXPc#FjbYMKwor;5im zW8u&PS3grdKk1@&OAM08!8vojc^g2oh+awUEMXJ)G?^waw~aLm?}`0b#DyXGdVt`h z3AQV>FI~bwbY#j!O(z3dMDy|W3FCEpyH1Qb#K}vorMiaeSZq%N{Bw-L(>(M5^qu`b zZmzM9`o|e?@Lp4>&jOU!NO%J$>FiUYlQ+ox$c@L$R|?Z@Ga7}XZAGC!L>SX(m`XM1 zDZLXbupnD#wTCK!YP}%of51tai_ZH7!=i*(LI6ITa(>zEK43#q?BQyg^<%4J^L`VV zO;9@qFQ$J-r7V$`8Rh@;y9xAVDG7g+)on^FE-QOW-T1UIs!O*(x5UBJ=U2V%bl#&?t9RgnK8`+mz`@3W2+Shl*ewbTq1fjj2xM;-9hz!Q_1pFGBXH3+~ zTLF!oTKPNbZFxnEbYUz9o9Lk*h3N zJAek2j+HYg6f#AqMHB7>Id=JDp_FKXzvvbq-F(%cG6~Uh{1Mer8q}Fu`6ct-5q*g; zSs4rHjU&UykY52bVj7cd{GhI2DD%u2 zOWS#&7OZwea0#lfU73?KxU@R~45eTKP&(#Kgl{aPvQeewQ)zSSYtDGQ$NUk8~Y};))>cxwcV=rBWdi@*jlw(NOOF2=_=iy%4<=8r~ESH4HnlCn7S8T1Nt)jn< z=Eh4sO|#Wa6vte+`S@};Ct;|U#+@NWlzaV0*~f+E&HQw}{xGPHrTFvRjh(8i!^o*5 zkC2VRt^LNN9N0c{U+{mIrJ9YF>#fRWz} zj{G+r+W@_Pbex(0cO7AigG2t&kst1?;Bblnf8*1-l21smAyu)mg@Fd#`}ek;qEKkeb;M`a;e?%)xRwEO}#b#-%#{p{l)cL$!krNTiyKSMSGf9NTT>^w)^ zQ;81JO8d#GH{S4YqQh7h!90)bET3_GH|*vhHRf;QmeRK+e)&XjQ}n+GZ#BN}$rbh< zX%jpTo@=+XT^f$nkR4FiNH7y=hw@PzVX8WbCHW^2_Ma`@w| zL5~g^WnmeJgCZTt0F5V5#0A6RUq~5%7N*P) zN^EML)#O=t3XceJO6Bd-%~yOH_5%*71oXtUsXuTs+_H@=*{=>2l8 z;E-cq^g1f8-{nIpeG)*xT&u?J--}|Dl@azG;PbX%t9+mq2Jy5$g=2A5yRn{~v`#fB zylQF_*WUfa@_^7_Vv@jb6{BTMbb~k4Q?3@}jB$>wZ(qS%m2!}^v8WwiO0VVjo>-zQ z_Dlc=rs)xbS9ncKyZvU54_z_o6V*AxfTOpc25@Vwn#j+|;>^^aiyG|D*+dCF&2Xq_ zRMaI!Xc!)j$t&3UwlyPR}DEypiHgXgmY+r6W3=d7NL zXHOs)06S^7n!~*x!0D3en<+rcrqK?Zigf20OOPR6-Upaa1+5eQk`Ze7cnDMubvL)g%^M z$8P8yR2Izl)f^p8*#=#W`*0$MsU~JtHsMEIFK2;`;tz3x72W}fX4jR~_4PSqD~>82 zdYAr>q7s^WBgYzt;EX;lA3rUE<+d(v7s5mM@zZCDWmJbv2+priu*h%&YhoPMUPyxE zc|6`z<90h(^k>R|m!tduMZ+eSw6avJy{S=>flvz+jks*>Pupy`-{=hoVKmYrp%?C!cY5EZbBt-OaBy5VQ&qRerz9 ztSB;bVqx=TpMe=h#^4)b4|@GegzU9ikFH~k&r*}66`!_jxj(7T_%mk}7EWP?ie-ys 
zDMbprE}RwRY_k9O`n%}7(LRx9`;ZcJ@n9%%1u%XW@|YAMuN zdbpTdfAaomW3%6nY7|qhM^B~FHAS5cBsoBPOFctl6>!`aKd-WiQlyKcYg2>m% zj!!j$@vWHeTFg0)qO3F$k8Vw8PoA90bK@P~?EF9u+_(EgR=u172~e`Xl;rG*7RXd! z&7iIlFT6a(%>rR+<5RDIMvC_BH2I)pMoa=R1rI#-8x$1isY<4gSH;t$zPpuIP{7n{ z1`7R;F@h~r@>0_EaeRF^)Xb_uX&$rV3FDoF+1QG(1)XVJVs$twms;?R8zRq(bPLv`rpn2m ze@W}#U(%v;7rck{+^Mu8)vQzeIta6BJRWB|dx+$|WSSqi4kau+74xNPXiI?W)^_-2 z!o^#1TgqeZmr@C#aIdiG9&Ih-Ls9@Mp5?Aw6WtlV`@U>}w}}NsNdg8VmMiRsAPiim zQjn+;L1ekhv14mAm7bT3-o{bO76wUMttal?1}l$TV9Cs`(`SbT*Y)?&{b|kHCIK=C zQAImV7RIUqs2#GS%Fb?5{r$cGwumPmxRby|o^cx2I0Su$Z3{8hg!QGwG$FQu;$kL@ zJii}pq_&yXzH9tpAlNeJ&&~&oWNy8@V%mKhrIhzc7j({Fro7i4nW#TM*~{h@7QOTI9SSxl1e*(F;j%{k0eKUtU( zR&dHlO7J6!c3&%?v}C#@xneEpL-FB}vl3eu1268VIaVr6hR%Eh?;S5k@@~I$P6Ge4 z)^wWKcOOU5_7%~{VcyjE=|#2H#9I4Vn1<6sY6|e$R)GLs4eHQ5xr5BJBZ5pu28lL_ z8~MeDb+&sm@iDc?T>R8R(X1LH`-I_@j+f4UWp42C1ET>G9LMu_lBqMBA&T#jhUqL) zGdg|oyUjBQNQ44sPSSFdl(c&T8*jCGwH8l6*7)XYw%aNY(SqH zhEl#iyp?9Wzdn`)oSTJChFcG8sGyo})o5m&?xwta_A0vrblvxVaPE&zVmD=-nsDH3@Z zI>{wnRHsR1i%YPO;@t6ZY>cuP0{B`r6|!5pE+Q^|Ws#o4R~k${?uMdI6z6~$6}&1t z{DiclS!~Q~6}*!IJbNhBh-G$zVN~|nbqdf^6gA_ox_7ImjgO_FV^9W&u<|k{ zx)fIA^rTRCMJIm5UZ17B)C*sJ!h@Tn-w+LH$ybTK&m;AubVO-58lcgPwa zk(jxZsSo{{MG)qj(|Ks{~sL}PySs;Koqo;$=^C2I#(fq zL;FAeT2I>3IG`fm3P0IsPBA%qSR?ct^SOe*kR&OIG*S>Chr92i@>CBy(SJNkGlmOB zHs_VN2iTKFAZ4@fJCwOnqQ=v4sO4I0c%9)wYrAlvh zs#RzseCb5px;$W8FkvEZarkkOP2_cpu3*7^S* any any (msg:"QUIC SNI"; quic.sni; content:"msquic.net"; sid:4;) +alert quic any any -> any any (msg:"QUIC JA3"; ja3.string; content:"771,4866,43-51-41"; sid:3;) diff --git a/tests/quic-ietf/test.yaml b/tests/quic-ietf/test.yaml new file mode 100644 index 000000000..17d841124 --- /dev/null +++ b/tests/quic-ietf/test.yaml 
@@ -0,0 +1,22 @@
+requires:
+ min-version: 7.0.0
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: quic
+ quic.extensions[1].name: "server_name"
+ quic.extensions[1].values[0]: "msquic.net"
+ quic.extensions[2].name: "alpn"
+ quic.extensions[2].values[0]: "h3-29"
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
-- 
2.47.2
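Review bot: None of the three checks pins the QUIC version, although the commit is titled as an IETF v1 test; the first filter matches only on SNI and ALPN (`h3-29`), which would presumably also be satisfied if the capture were parsed as a draft version. If the EVE `quic` record carries a version field in the targeted release, add it to the first `match:` block, e.g. `quic.version: "1"` (confirm the exact field name and value format against real output first). The `quic.extensions[1]` and `quic.extensions[2]` indices tie the check to the order in which the logger emits extensions, which deserves a short comment such as `# indices follow the ClientHello extension order in input.pcap`. The two alert filters match only on `alert.signature_id`, so they would still pass if sid 3 or sid 4 fired on an unexpected packet; adding `pcap_cnt` to each would tighten them.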