[Bro] More crypto ID

James Lay jlay at slave-tothe-box.net
Fri Jul 8 14:12:45 PDT 2016


Ok cool...I haven't seen many tools that do support QUIC crypto 
yet...thanks Johanna!

James

On 2016-07-08 15:09, Johanna Amann wrote:
> Bro currently does not support parsing QUIC at all - so you are
> correct - you won't get any data outside of conn.log for QUIC
> sessions.
> 
> Johanna
> 
> On 8 Jul 2016, at 13:30, James Lay wrote:
> 
>> Argh... yeah, you're right, wrong stream. I am including a QUIC crypto
>> session that Bro does not seem to recognize. The only thing I have for
>> Bro seeing this stream is:
>> 
>> 2016-07-02T14:46:30-0600  CWaKhQ3UAvIEem73fj  192.168.1.101  38848  31.13.76.102  443  tcp  -  0.026353  1725  0  RSTR  T  F  0  ShADar  5  1993  5  268  (empty)
>> 
>> Thank you.
>> 
>> James
>> 
>> On 2016-07-08 14:21, Johanna Amann wrote:
>>> Hello James,
>>> 
>>> it is TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 and should be
>>> correctly identified by master. The use of that number is newer than
>>> Bro 2.4, which is why it is not present there. That cipher is
>>> specified in RFC7905.
>>> 
>>> Thanks,
>>>  Johanna
>>> 
>>> On 8 Jul 2016, at 13:13, James Lay wrote:
>>> 
>>>> FYI:
>>>> 
>>>> 2016-07-01T12:35:15-0600  CyqleS3tHf607yRdrj  192.168.1.101  38151  31.13.76.102  443  TLSv12  unknown-52393  -  graph.facebook.com  F  -  h2  T  Fq3gsi3bxz1RdtYqej,FiQmMNkbUAqhiOOkk  (empty)  CN=*.facebook.com,O=Facebook\\, Inc.,L=Menlo Park,ST=CA,C=US  CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US  -  -  ok
>>>> 
>>>> unknown-52393 is apparently QUIC crypto.
>>>> 
>>>> James
>>>> _______________________________________________
>>>> Bro mailing list
>>>> bro at bro-ids.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
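Added example, not code from this thread and not Bro's own implementation: a small Python helper that does what Johanna says Bro master does for this case. It parses an ssl.log line of the shape James posted (the sample below is his line re-joined with tabs; the Bro 2.4 ssl.log column order is assumed from memory) and maps the "unknown-<n>" cipher placeholder back to a name using the seven ChaCha20-Poly1305 suites RFC 7905 registers. 52393 is 0xCCA9, which RFC 7905 assigns to TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256; the table covers the other six RFC 7905 suites too, so it generalizes beyond the one line in the thread.

```python
import re

# The seven cipher suites registered by RFC 7905 (code -> IANA name).
RFC7905_CIPHERS = {
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAA: "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAB: "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAC: "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAD: "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAE: "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256",
}

# Bro 2.4 ssl.log columns, in order (assumption: recalled from the 2.4 #fields
# header; adjust if your deployment adds or removes columns).
SSL_LOG_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "version", "cipher", "curve", "server_name", "resumed", "last_alert",
    "next_protocol", "established", "cert_chain_fuids",
    "client_cert_chain_fuids", "subject", "issuer", "client_subject",
    "client_issuer", "validation_status",
]

# Bro 2.4 writes "unknown-<decimal suite number>" for suites it has no name for.
UNKNOWN_RE = re.compile(r"^unknown-(\d+)$")


def resolve_cipher(cipher: str) -> str:
    """Return the RFC 7905 name for an 'unknown-<n>' placeholder, else the
    input unchanged (a real name, or a number we still cannot resolve)."""
    m = UNKNOWN_RE.match(cipher)
    if not m:
        return cipher
    code = int(m.group(1))
    return RFC7905_CIPHERS.get(code, cipher)


def parse_ssl_log_line(line: str) -> dict:
    """Split one tab-separated ssl.log record into a dict and add a
    'cipher_resolved' key with the RFC 7905 name where one applies."""
    values = line.rstrip("\n").split("\t")
    if len(values) != len(SSL_LOG_FIELDS):
        raise ValueError(f"expected {len(SSL_LOG_FIELDS)} columns, got {len(values)}")
    rec = dict(zip(SSL_LOG_FIELDS, values))
    rec["cipher_resolved"] = resolve_cipher(rec["cipher"])
    return rec


def unresolved_ciphers(lines):
    """Visibility check for a detection engineer: (uid, cipher) for every
    session whose suite is still unnamed after the RFC 7905 lookup."""
    out = []
    for line in lines:
        rec = parse_ssl_log_line(line)
        if UNKNOWN_RE.match(rec["cipher_resolved"]):
            out.append((rec["uid"], rec["cipher_resolved"]))
    return out


# Constructed sample: James's ssl.log line from the thread, re-joined with tabs.
SAMPLE_LINE = "\t".join([
    "2016-07-01T12:35:15-0600", "CyqleS3tHf607yRdrj", "192.168.1.101", "38151",
    "31.13.76.102", "443", "TLSv12", "unknown-52393", "-", "graph.facebook.com",
    "F", "-", "h2", "T", "Fq3gsi3bxz1RdtYqej,FiQmMNkbUAqhiOOkk", "(empty)",
    "CN=*.facebook.com,O=Facebook\\, Inc.,L=Menlo Park,ST=CA,C=US",
    "CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
    "-", "-", "ok",
])

# Constructed second sample: same shape, but a suite number outside RFC 7905
# (uid and number are placeholders) so the visibility check has something to flag.
UNRESOLVED_LINE = SAMPLE_LINE.replace("CyqleS3tHf607yRdrj", "CexampleUid000000") \
                             .replace("unknown-52393", "unknown-4711")

if __name__ == "__main__":
    rec = parse_ssl_log_line(SAMPLE_LINE)
    print(rec["uid"], rec["server_name"], rec["cipher"], "->", rec["cipher_resolved"])
    print("still unresolved:", unresolved_ciphers([SAMPLE_LINE, UNRESOLVED_LINE]))
```

Run it against your own ssl.log by feeding non-comment lines to unresolved_ciphers(); anything it returns is a suite your Bro build cannot name, which on 2.4 is exactly the signal James saw. For the conn.log-only QUIC sessions Johanna describes, no such lookup applies: without a QUIC parser there is no cipher field to resolve, only the UDP/TCP flow record.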

