[Bro] Chacha Poly ciphers

Wed Jun 22 16:19:05 PDT 2016

FYI:

1466635836.174656       C42BzN1MQAC2spvAZe      192.168.1.101   39389   
31.13.76.84     443     TLSv12  unknown-52392   -       
graph.instagram.com     F       -       h2      T       
FcMVXF29wZnV4HnQqk,Fc87jcRtH8QGurEX5    (empty) 
CN=*.instagram.com,O=Instagram LLC,L=Menlo Park,ST=CA,C=US      
CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert 
Inc,C=US     -       -       ok

"unknown-52392" is chacha-poly1305

Interestingly, this is correctly detected using ssh:

1466634297.341693       Ca8K4v48feChdL1pQg      192.168.1.253   41500   
192.168.1.5     22      2       T       -       SSH-2.0-OpenSSH_6.6.1p1 
Ubuntu-2ubuntu2.7       SSH-2.0-OpenSSH_7.2p2 Debian-5  
chacha20-poly1305 at openssh.com   umac-64-etm at openssh.com none    
curve25519-sha256 at libssh.org    ssh-rsa

James