Quic detect not work

wsn1983 · November 13, 2023, 10:28am

hi there is an example show that quic can not detect well.
udp port not 443 or 80
quic.pcap (43.5 KB)

alert quic any any → any any (msg:“QUIC TEST”; sid:999;)

Suricata 7.0.1-dev (f58bc4d 2023-10-12)

UPDATE
modify quic decoder,add 16847 into the default port list ,it works.
why the any(dest port) not work?

Philippe_Antoine · December 12, 2023, 10:14pm

Quic detection relies on port, as there are no fixed patterns for port-independent detection.

Wonder if |C2 00 00 00 01| would be a good pattern…

wsn1983 · December 22, 2023, 8:55pm

here is my rule.
alert udp any any → any ![443,80] (msg:“quic init request”; content:“|c2 00 00 00 01 14|”; depth:6; sid:3; rev:1;)
but i want see the sni info in the eve log.
i am try to write a “text parser” for quic protocol.

Philippe_Antoine · December 22, 2023, 9:55pm

To get sni, we need to recognize quic first.
To do so, we can add ports for detection with probing parser in suricata.yaml configuration.
Or we need to modify suricata code, to add a fixed pattern like | 00 00 00 01| | at offset 1 (which can be followed by a probing parser to check)

Philippe_Antoine · December 29, 2023, 8:41am

Feature #6651: quic: detect on non-standard ports - Suricata - Open Information Security Foundation to track this feature

Topic		Replies	Views
Suricata not detecting some packets in a pcap Help rules , suricata , pcaps	4	455	August 10, 2023
Http protocol detection/parser not working on forwarded packts Help	6	1079	May 8, 2021
Some match bypass? Rules rules	27	1763	September 17, 2021
Suricata doesn't alert me on ping with basic configuration Help	3	619	January 17, 2023
Http traffic is not detected after updating to Suricata 7 Help	17	370	February 13, 2024

Quic detect not work

Related Topics