More crypto ID


2016-07-01T12:35:15-0600 CyqleS3tHf607yRdrj 38151 443 TLSv12 unknown-52393 - F- h2 T Fq3gsi3bxz1RdtYqej,FiQmMNkbUAqhiOOkk (empty) CN=*,O=Facebook\\, Inc.,L=Menlo Park,ST=CA,C=US CN=DigiCert SHA2 High Assurance Server CA,,O=DigiCert Inc,C=US - - ok

unknown-52393 is apparently QUIC crypto.


Hello James,

It is TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 and should be correctly identified by master. The use of that number is newer than Bro 2.4, which is why it is not present there. That cipher is specified in RFC 7905.


Argh... yeah, you're right, wrong stream. I am including a QUIC crypto session that Bro does not seem to recognize. The only thing I have for Bro seeing this stream is:

2016-07-02T14:46:30-0600 CWaKhQ3UAvIEem73fj 38848 443 tcp - 0.026353 1725 0 RSTR TF 0 ShADar 5 1993 5 268 (empty)

Thank you.


quic_working.pcapng (3.46 KB)

Bro currently does not support parsing QUIC at all - so you are correct - you won't get any data outside of conn.log for QUIC sessions.


Ok cool...I haven't seen many tools that do support QUIC crypto yet...thanks Johanna!