quic: log sni; reduce number of transactions

Only create transactions for long headers.

Store SNI in tx, log it.
pull/6819/head
Victor Julien 4 years ago
parent cf4ddab6f4
commit 7b836af1b2

@ -22,6 +22,10 @@ fn log_template(tx: &QuicTransaction, js: &mut JsonBuilder) -> Result<(), JsonEr
js.open_object("quic")?; js.open_object("quic")?;
if tx.header.flags.is_long { if tx.header.flags.is_long {
js.set_string("version", String::from(tx.header.version).as_str())?; js.set_string("version", String::from(tx.header.version).as_str())?;
if let Some(sni) = &tx.sni {
js.set_string("sni", &String::from_utf8_lossy(&sni))?;
}
} }
js.open_array("cyu")?; js.open_array("cyu")?;
for cyu in &tx.cyu { for cyu in &tx.cyu {
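Review bot: The new `sni` field is written through `String::from_utf8_lossy`, so any bytes from the wire that are not valid UTF-8 are logged as U+FFFD and distinct raw values can collapse into the same log entry. Since the value is peer-controlled and analysts will pivot on it, a short comment at the call stating that the logged string is a lossy rendering would help. `sni` is already a `&Vec<u8>` from the `if let Some(sni) = &tx.sni` pattern, so the extra borrow can go: `js.set_string("sni", &String::from_utf8_lossy(sni))?;`. The body of log_template starts and ends outside the hunk.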

@ -17,7 +17,8 @@
use super::{ use super::{
cyu::Cyu, cyu::Cyu,
parser::{QuicData, QuicHeader}, parser::{QuicType, QuicData, QuicHeader},
frames::{Frame, StreamTag},
}; };
use crate::applayer::{self, *}; use crate::applayer::{self, *};
use crate::core::{AppProto, Flow, ALPROTO_FAILED, ALPROTO_UNKNOWN, IPPROTO_UDP}; use crate::core::{AppProto, Flow, ALPROTO_FAILED, ALPROTO_UNKNOWN, IPPROTO_UDP};
@ -32,16 +33,18 @@ pub struct QuicTransaction {
tx_id: u64, tx_id: u64,
pub header: QuicHeader, pub header: QuicHeader,
pub cyu: Vec<Cyu>, pub cyu: Vec<Cyu>,
pub sni: Option<Vec<u8>>,
tx_data: AppLayerTxData, tx_data: AppLayerTxData,
} }
impl QuicTransaction { impl QuicTransaction {
fn new(header: QuicHeader, data: QuicData) -> Self { fn new(header: QuicHeader, data: QuicData, sni: Option<Vec<u8>>) -> Self {
let cyu = Cyu::generate(&header, &data.frames); let cyu = Cyu::generate(&header, &data.frames);
QuicTransaction { QuicTransaction {
tx_id: 0, tx_id: 0,
header, header,
cyu, cyu,
sni,
tx_data: AppLayerTxData::new(), tx_data: AppLayerTxData::new(),
} }
} }
@ -81,8 +84,8 @@ impl QuicState {
self.transactions.iter().find(|&tx| tx.tx_id == tx_id + 1) self.transactions.iter().find(|&tx| tx.tx_id == tx_id + 1)
} }
fn new_tx(&mut self, header: QuicHeader, data: QuicData) -> QuicTransaction { fn new_tx(&mut self, header: QuicHeader, data: QuicData, sni: Option<Vec<u8>>) -> QuicTransaction {
let mut tx = QuicTransaction::new(header, data); let mut tx = QuicTransaction::new(header, data, sni);
self.max_tx_id += 1; self.max_tx_id += 1;
tx.tx_id = self.max_tx_id; tx.tx_id = self.max_tx_id;
return tx; return tx;
@ -111,9 +114,25 @@ impl QuicState {
match QuicHeader::from_bytes(input, DEFAULT_DCID_LEN) { match QuicHeader::from_bytes(input, DEFAULT_DCID_LEN) {
Ok((rest, header)) => match QuicData::from_bytes(rest) { Ok((rest, header)) => match QuicData::from_bytes(rest) {
Ok(data) => { Ok(data) => {
let transaction = self.new_tx(header, data); // no tx for the short header (data) frames
self.transactions.push(transaction); if header.ty != QuicType::Short {
let mut sni : Option<Vec<u8>> = None;
for frame in &data.frames {
if let Frame::Stream(s) = frame {
if let Some(tags) = &s.tags {
for (tag, value) in tags {
if tag == &StreamTag::Sni {
sni = Some(value.to_vec());
break;
}
}
}
}
}
let transaction = self.new_tx(header, data, sni);
self.transactions.push(transaction);
}
return true; return true;
} }
Err(_e) => { Err(_e) => {
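Review bot: In the SNI scan added to the `Ok(data)` arm, `break` leaves only the inner `for (tag, value) in tags` loop, so the outer loop over `data.frames` keeps running and a later stream frame carrying another `StreamTag::Sni` overwrites the value already found. The logged SNI is therefore the last one in the packet, which may not be the one the receiving endpoint acts on (not determinable from this hunk); a sensor that disagrees with the endpoint about which value counts is an evasion gap. If first-match is the intent, label the outer loop, `'frames: for frame in &data.frames {`, and use `break 'frames;`; otherwise add a comment that last-wins is deliberate. The enclosing function starts and ends outside the hunk.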
