stanford-esrg · thegwan · Jun 6, 2024 · Jun 3, 2024 · Jun 3, 2024 · Jun 3, 2024
diff --git a/Cargo.toml b/Cargo.toml
@@ -9,6 +9,7 @@ members = [
     "examples/log_http",
     "examples/log_dns",
     "examples/log_tls",
+    "examples/log_quic",
     "examples/pcap_dump",
     "examples/spin",
     "examples/video",

diff --git a/core/src/filter/ast.rs b/core/src/filter/ast.rs
@@ -24,6 +24,7 @@ lazy_static! {
         let http     = g.add_node(protocol!("http"));
         let ssh      = g.add_node(protocol!("ssh"));
         let dns      = g.add_node(protocol!("dns"));
+        let quic     = g.add_node(protocol!("quic"));
         // define valid outer layers for each protocol header
         g.extend_with_edges([
             (ipv4, ethernet),
@@ -34,6 +35,7 @@ lazy_static! {
             (http, tcp),
             (ssh, tcp),
             (dns, udp), (dns, tcp),
+            (quic, udp), //TODO: tls over quic
         ]);
         g
     };
@@ -250,6 +252,8 @@ mod tests {
         assert!(!has_path(&protocol!("ipv4"), &protocol!("ipv4")));
         assert!(!has_path(&protocol!("http"), &protocol!("udp")));
         assert!(!has_path(&protocol!("tls"), &protocol!("ssh")));
+        assert!(has_path(&protocol!("quic"), &protocol!("udp")));
+        assert!(!has_path(&protocol!("quic"), &protocol!("dns")));
     }
 
     #[test]

diff --git a/core/src/protocols/stream/mod.rs b/core/src/protocols/stream/mod.rs
@@ -6,10 +6,12 @@
 
 pub mod dns;
 pub mod http;
+pub mod quic;
 pub mod tls;
 
 use self::dns::{parser::DnsParser, Dns};
 use self::http::{parser::HttpParser, Http};
+use self::quic::{parser::QuicParser, QuicPacket};
 use self::tls::{parser::TlsParser, Tls};
 use crate::conntrack::conn::conn_info::ConnState;
 use crate::conntrack::conn_id::FiveTuple;
@@ -193,6 +195,7 @@ pub enum SessionData {
     Tls(Box<Tls>),
     Dns(Box<Dns>),
     Http(Box<Http>),
+    Quic(Box<QuicPacket>),
     Null,
 }
 
@@ -235,6 +238,7 @@ pub enum ConnParser {
     Tls(TlsParser),
     Dns(DnsParser),
     Http(HttpParser),
+    Quic(QuicParser),
     Unknown,
 }
 
@@ -245,6 +249,7 @@ impl ConnParser {
             ConnParser::Tls(_) => ConnParser::Tls(TlsParser::default()),
             ConnParser::Dns(_) => ConnParser::Dns(DnsParser::default()),
             ConnParser::Http(_) => ConnParser::Http(HttpParser::default()),
+            ConnParser::Quic(_) => ConnParser::Quic(QuicParser::default()),
             ConnParser::Unknown => ConnParser::Unknown,
         }
     }
@@ -255,6 +260,7 @@ impl ConnParser {
             ConnParser::Tls(parser) => parser.parse(pdu),
             ConnParser::Dns(parser) => parser.parse(pdu),
             ConnParser::Http(parser) => parser.parse(pdu),
+            ConnParser::Quic(parser) => parser.parse(pdu),
             ConnParser::Unknown => ParseResult::Skipped,
         }
     }
@@ -265,6 +271,7 @@ impl ConnParser {
             ConnParser::Tls(parser) => parser.probe(pdu),
             ConnParser::Dns(parser) => parser.probe(pdu),
             ConnParser::Http(parser) => parser.probe(pdu),
+            ConnParser::Quic(parser) => parser.probe(pdu),
             ConnParser::Unknown => ProbeResult::Error,
         }
     }
@@ -276,6 +283,7 @@ impl ConnParser {
             ConnParser::Tls(parser) => parser.remove_session(session_id),
             ConnParser::Dns(parser) => parser.remove_session(session_id),
             ConnParser::Http(parser) => parser.remove_session(session_id),
+            ConnParser::Quic(parser) => parser.remove_session(session_id),
             ConnParser::Unknown => None,
         }
     }
@@ -286,6 +294,7 @@ impl ConnParser {
             ConnParser::Tls(parser) => parser.drain_sessions(),
             ConnParser::Dns(parser) => parser.drain_sessions(),
             ConnParser::Http(parser) => parser.drain_sessions(),
+            ConnParser::Quic(parser) => parser.drain_sessions(),
             ConnParser::Unknown => vec![],
         }
     }
@@ -296,6 +305,7 @@ impl ConnParser {
             ConnParser::Tls(parser) => parser.session_match_state(),
             ConnParser::Dns(parser) => parser.session_match_state(),
             ConnParser::Http(parser) => parser.session_match_state(),
+            ConnParser::Quic(parser) => parser.session_match_state(),
             ConnParser::Unknown => ConnState::Remove,
         }
     }
@@ -306,6 +316,7 @@ impl ConnParser {
             ConnParser::Tls(parser) => parser.session_nomatch_state(),
             ConnParser::Dns(parser) => parser.session_nomatch_state(),
             ConnParser::Http(parser) => parser.session_nomatch_state(),
+            ConnParser::Quic(parser) => parser.session_nomatch_state(),
             ConnParser::Unknown => ConnState::Remove,
         }
     }

diff --git a/core/src/protocols/stream/quic/header.rs b/core/src/protocols/stream/quic/header.rs
@@ -0,0 +1,24 @@
+//! Quic header types
+
+use serde::Serialize;
+
+/// Quic Long Header
+#[derive(Debug, Serialize, Clone)]
+pub struct QuicLongHeader {
+    pub packet_type: u8,
+    pub type_specific: u8,
+    pub version: u32,
+    pub dcid_len: u8, // length of dcid in bytes
+    pub dcid: String, // hex string
+    pub scid_len: u8, // length of scid in bytes
+    pub scid: String, // hex string
+}
+
+/// Quic Short Header
+#[derive(Debug, Serialize, Clone)]
+pub struct QuicShortHeader {
+    pub dcid: Option<String>, // optional. If not pre-existing cid then none.
+
+    #[serde(skip)]
+    pub dcid_bytes: Vec<u8>,
+}
diff --git a/core/src/protocols/stream/quic/mod.rs b/core/src/protocols/stream/quic/mod.rs
@@ -0,0 +1,108 @@
+//! QUIC protocol parser.
+//!
+//! ## Remarks
+//! [QUIC-INVARIANTS] https://datatracker.ietf.org/doc/rfc8999/
+//! [QUIC-RFC9000] https://datatracker.ietf.org/doc/rfc9000/ (Quic V1)
+//! Retina currently only parses Quic Long and Short Headers and does not attempt to parse TLS or HTTP/3 out of
+//! Quic packets. The Quic protocol parser makes several assumptions about the way that quic
+//! packets will behave:
+//! - Assume that the Quic version is one as listed in the QuicVersion Enum in the quic/parser.rs file
+//! - Assume that the dcid of a short header is a maximum of 20 bytes.
+//! - Assume that the packet will not try to grease the fixed bit.
+//!   [QUIC-GREASE](https://www.rfc-editor.org/rfc/rfc9287.html)
+//!
+//! Additionally, there are a couple decisions made in the design of the quic parser:
+//! - The parser will not parse a short header dcid if it is not a part of a pre-identified connection
+//! - The payload bytes count is a lazy counter which does not try to exclude tokens for encryption,
+//!   which is a process that happens in wireshark.
+/*
+TODO: support parsing the tls out of the initial quic packet setup
+TODO support dns over quic
+TODO: support HTTP/3
+*/
+pub(crate) mod parser;
+
+pub use self::header::{QuicLongHeader, QuicShortHeader};
+use serde::Serialize;
+pub(crate) mod header;
+
+/// Parsed Quic Packet contents
+#[derive(Debug, Serialize, Clone)]
+pub struct QuicPacket {
+    /// Quic Short header
+    pub short_header: Option<QuicShortHeader>,
+
+    /// Quic Long header
+    pub long_header: Option<QuicLongHeader>,
+
+    /// The number of bytes contained in the estimated payload
+    pub payload_bytes_count: u16,
+}
+
+impl QuicPacket {
+    /// Returns the header type of the Quic packet (ie. "long" or "short")
+    pub fn header_type(&self) -> &str {
+        match &self.long_header {
+            Some(_) => "long",
+            None => match &self.short_header {
+                Some(_) => "short",
+                None => "",
+            },
+        }
+    }
+
+    /// Returns the packet type of the Quic packet
+    pub fn packet_type(&self) -> u8 {
+        match &self.long_header {
+            Some(long_header) => long_header.packet_type,
+            None => 0,
+        }
+    }
+
+    /// Returns the version of the Quic packet
+    pub fn version(&self) -> u32 {
+        match &self.long_header {
+            Some(long_header) => long_header.version,
+            None => 0,
+        }
+    }
+
+    /// Returns the destination connection ID of the Quic packet or an empty string if it does not exist
+    pub fn dcid(&self) -> &str {
+        match &self.long_header {
+            Some(long_header) => {
+                if long_header.dcid_len > 0 {
+                    &long_header.dcid
+                } else {
+                    ""
+                }
+            }
+            None => {
+                if let Some(short_header) = &self.short_header {
+                    short_header.dcid.as_deref().unwrap_or("")
+                } else {
+                    ""
+                }
+            }
+        }
+    }
+
+    /// Returns the source connection ID of the Quic packet or an empty string if it does not exist
+    pub fn scid(&self) -> &str {
+        match &self.long_header {
+            Some(long_header) => {
+                if long_header.scid_len > 0 {
+                    &long_header.scid
+                } else {
+                    ""
+                }
+            }
+            None => "",
+        }
+    }
+
+    /// Returns the number of bytes in the payload of the Quic packet
+    pub fn payload_bytes_count(&self) -> u16 {
+        self.payload_bytes_count
+    }
+}