[Bro] More crypto ID
Johanna Amann
johanna at icir.org
Fri Jul 8 14:09:32 PDT 2016
Bro currently does not support parsing QUIC at all - so you are correct
- you won't get any data outside of conn.log for QUIC sessions.
Johanna
On 8 Jul 2016, at 13:30, James Lay wrote:
> Argh...yeah, you're right, wrong stream. I am including a QUIC crypto
> session that bro does not seem to recognize. Only thing I have for
> bro seeing this stream is:
>
> 2016-07-02T14:46:30-0600 CWaKhQ3UAvIEem73fj 192.168.1.101 38848 31.13.76.102 443 tcp - 0.026353 1725 0 RSTR T F 0 ShADar 5 1993 5 268 (empty)
>
> Thank you.
>
> James
>
> On 2016-07-08 14:21, Johanna Amann wrote:
>> Hello James,
>>
>> it is TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 and should be
>> correctly identified by master. The use of that number is newer than
>> Bro 2.4, which is why it is not present there. That cipher is
>> specified in RFC7905.
>>
>> Thanks,
>> Johanna
>>
>> On 8 Jul 2016, at 13:13, James Lay wrote:
>>
>>> FYI:
>>>
>>> 2016-07-01T12:35:15-0600 CyqleS3tHf607yRdrj 192.168.1.101 38151 31.13.76.102 443 TLSv12 unknown-52393 - graph.facebook.com F - h2 T Fq3gsi3bxz1RdtYqej,FiQmMNkbUAqhiOOkk (empty) CN=*.facebook.com,O=Facebook\\, Inc.,L=Menlo Park,ST=CA,C=US CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US - - ok
>>>
>>> unknown-52393 is apparently QUIC crypto.
>>>
>>> James
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
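The cipher-id gap Johanna describes (an ssl.log `cipher` of `unknown-52393` on Bro 2.4, which is 0xCCA9, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 from RFC 7905) can be resolved offline from the log itself. The following is an added example, a standalone Python helper rather than anything from the thread or from Bro; it assumes a Bro ASCII ssl.log with a `#fields` header and covers all seven RFC 7905 ids, not only the one seen on the page. The sample log lines are constructed; only the uid CyqleS3tHf607yRdrj comes from the thread.

```python
import re

# RFC 7905 cipher suite ids (IANA TLS Cipher Suite registry values).
RFC7905_CIPHERS = {
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAA: "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAB: "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAC: "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAD: "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAE: "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256",
}

# Bro prints cipher ids it has no name for as "unknown-<decimal>".
UNKNOWN_RE = re.compile(r"^unknown-(\d+)$")


def parse_bro_tsv(text):
    """Parse a Bro ASCII log (tab-separated, '#fields' header) into row dicts."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def resolve_unknown_ciphers(ssl_log_text):
    """Return {uid: (hex_id, rfc7905_name_or_None)} for rows Bro could not name."""
    out = {}
    for row in parse_bro_tsv(ssl_log_text):
        m = UNKNOWN_RE.match(row.get("cipher", ""))
        if m:  # decimal from the log -> IANA hex id -> RFC 7905 name if known
            code = int(m.group(1))
            out[row["uid"]] = ("0x%04X" % code, RFC7905_CIPHERS.get(code))
    return out


# Constructed sample ssl.log excerpt; uids Cx0001/Cx0002 and 203.0.113.9 are made up.
SAMPLE_SSL_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\tserver_name",
    "1467398115.0\tCyqleS3tHf607yRdrj\t192.168.1.101\t38151\t31.13.76.102\t443\tTLSv12\tunknown-52393\tgraph.facebook.com",
    "1467398116.0\tCx0001\t192.168.1.101\t38152\t203.0.113.9\t443\tTLSv12\tunknown-4865\texample.net",
    "1467398117.0\tCx0002\t192.168.1.101\t38153\t203.0.113.9\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\texample.net",
])

if __name__ == "__main__":
    for uid, (hex_id, name) in resolve_unknown_ciphers(SAMPLE_SSL_LOG).items():
        print(uid, hex_id, name or "not in RFC 7905 (check the IANA registry)")
```

An id that is neither named by Bro nor listed in RFC 7905 is reported with `None`, so the analyst knows a registry lookup (not just a newer Bro) is needed for that session.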