More crypto ID

FYI:

2016-07-01T12:35:15-0600 CyqleS3tHf607yRdrj 192.168.1.101 38151 31.13.76.102 443 TLSv12 unknown-52393 - graph.facebook.com F- h2 T Fq3gsi3bxz1RdtYqej,FiQmMNkbUAqhiOOkk (empty) CN=*.facebook.com,O=Facebook\\, Inc.,L=Menlo Park,ST=CA,C=US CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US - - ok

unknown-52393 is apparently QUIC crypto.

James

Hello James,

it is TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 and should be correctly identified by master. The use of that number is newer than Bro 2.4, which is why it is not present there. That cipher is specified in RFC7905.

Thanks,
  Johanna
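As an added illustration (not code from the thread or from Bro itself), the helper below turns a Bro `unknown-NNNNN` cipher token into its two-byte code point and looks it up in the RFC 7905 ChaCha20-Poly1305 list, so an analyst on an older Bro can tell a version gap apart from a genuinely unassigned suite. It assumes whitespace-separated columns as in the pasted log line (Bro writes tabs) and the Bro 2.4 ssl.log layout with the cipher in the 8th column; the sample lines are constructed.

```python
import re

# Cipher suites defined in RFC 7905, keyed by their two-byte IANA code point.
RFC7905_SUITES = {
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAA: "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAB: "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAC: "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAD: "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAE: "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256",
}

UNKNOWN_RE = re.compile(r"unknown-(\d+)")

def resolve_cipher(token):
    """Map 'unknown-NNNNN' to (code point, RFC 7905 name or None); None if not that form."""
    m = UNKNOWN_RE.fullmatch(token)
    if not m:
        return None
    code = int(m.group(1))
    if not 0 <= code <= 0xFFFF:
        return None  # a cipher suite value is exactly two bytes
    return code, RFC7905_SUITES.get(code)

def scan_ssl_log(lines):
    """Return (uid, code, name) for each ssl.log line whose cipher is unknown-*.

    Assumption: whitespace-separated fields, cipher in column index 7 (Bro 2.4 ssl.log).
    """
    found = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 8:
            continue
        resolved = resolve_cipher(fields[7])
        if resolved:
            code, name = resolved
            found.append((fields[1], code, name))
    return found

# Constructed sample: the thread's line (truncated after the established flag) and a
# second, made-up line carrying a code point that RFC 7905 does not define.
SAMPLE_LOG = [
    "2016-07-01T12:35:15-0600 CyqleS3tHf607yRdrj 192.168.1.101 38151 31.13.76.102 443 TLSv12 unknown-52393 - graph.facebook.com F - h2 T",
    "2016-07-01T12:36:00-0600 CexampleUid0000001 192.168.1.101 38152 192.0.2.10 443 TLSv12 unknown-65280 - example.invalid F - - T",
]

if __name__ == "__main__":
    for uid, code, name in scan_ssl_log(SAMPLE_LOG):
        print(f"{uid}: 0x{code:04X} -> {name or 'not defined in RFC 7905'}")
```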

Argh...yea you're right wrong stream. I am including a QUIC crypto session that bro does not seem to recognize. Only thing I have for bro seeing this stream is:

2016-07-02T14:46:30-0600 CWaKhQ3UAvIEem73fj 192.168.1.101 38848 31.13.76.102 443 tcp - 0.026353 1725 0 RSTR TF 0 ShADar 5 1993 5 268 (empty)

Thank you.

James

quic_working.pcapng (3.46 KB)

Bro currently does not support parsing QUIC at all - so you are correct - you won't get any data outside of conn.log for QUIC sessions.

Johanna

Ok cool...I haven't seen many tools that do support QUIC crypto yet...thanks Johanna!

James