
GQUIC Protocol Analyzer
A script for extracting network metadata and fingerprints such as JA3 and HASSH from packet capture files or live network traffic.
This analyzer processes GQUIC traffic in Zeek, facilitating effective logging and detection.
Overview of the Initial Exchange in GQUIC Communication
This section covers the initial exchange between a client and a server that communicate using GQUIC. The analyzer extracts information from both the connection's client hello packet and the server rejection packet. Currently, it is compatible with GQUIC versions Q039 to Q046.
Installing the GQUIC Protocol Analyzer from the source tree:
Requirements:
Standard Installation Instructions
To perform a standard installation, execute the following commands:
./configure --zeek-dist=/path/to/zeek/dist
make
make install
If you want to see all available options, including how to set the installation path, run:
./configure --help
To support deeper analysis and to help identify unusual (and possibly malicious) GQUIC clients, the analyzer also computes a fingerprint of each client hello.
The CYU Fingerprinting Method Explained
The fingerprinting method, named "CYU," is built from the GQUIC version and the tags found in the client hello packet. First, the version number is extracted from the packet and written out, followed by a comma. Next, every tag in the client hello is collected in the order it appears and the tags are concatenated, using hyphens to separate them.
For example, the full string for a Q046 client hello looks like this:
46,PAD-SNI-STK-VER-CCS-NONC-AEAD-UAID-SCID-TCID-PDMD-SMHL-ICSL-NONP-PUBS-MIDS-SCLS-KEXS-XLCT-CSCT-COPT-CCRT-IRTT-CFCW-SFCW
Following this string, I
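As an added illustration (not code from the Zeek analyzer itself), the following Python builds a constructed CHLO handshake message with the tag list shown above, parses its tag index the way a GQUIC crypto message is laid out on the wire, and derives the CYU string. The version string "Q046" and the dummy tag values are constructed, and the trailing MD5 is an assumption about the final step that the truncated sentence above does not spell out.

```python
import hashlib
import struct

# Tags from the CYU example above, in wire order (constructed sample input).
SAMPLE_TAGS = ("PAD-SNI-STK-VER-CCS-NONC-AEAD-UAID-SCID-TCID-PDMD-SMHL-ICSL-"
               "NONP-PUBS-MIDS-SCLS-KEXS-XLCT-CSCT-COPT-CCRT-IRTT-CFCW-SFCW").split("-")

def build_chlo(tag_values):
    """Serialise a GQUIC crypto handshake message: b'CHLO', uint16 pair count,
    uint16 padding, then (tag, little-endian uint32 end offset) pairs, then the
    concatenated values. Three-letter tags are NUL-padded to four bytes on the wire."""
    index, body = b"", b""
    for tag, value in tag_values:
        body += value
        index += tag.encode("ascii").ljust(4, b"\x00") + struct.pack("<I", len(body))
    return b"CHLO" + struct.pack("<HH", len(tag_values), 0) + index + body

def parse_chlo_tags(msg):
    """Return the tag names of a CHLO in wire order, with NUL padding stripped.
    Rejects messages that are truncated or whose offsets do not add up."""
    if len(msg) < 8 or msg[:4] != b"CHLO":
        raise ValueError("not a GQUIC client hello")
    count, _pad = struct.unpack_from("<HH", msg, 4)
    if len(msg) < 8 + 8 * count:
        raise ValueError("truncated tag index")
    tags, last_end = [], 0
    for i in range(count):
        tag, end = struct.unpack_from("<4sI", msg, 8 + 8 * i)
        if end < last_end or 8 + 8 * count + end > len(msg):
            raise ValueError("inconsistent value offsets")
        last_end = end
        tags.append(tag.rstrip(b"\x00").decode("ascii"))
    return tags

def cyu_string(version, tags):
    """'Q046' plus the tag list -> '46,PAD-SNI-...' (the string shown above)."""
    return "%d,%s" % (int(version.lstrip("Q")), "-".join(tags))

def cyu_fingerprint(version, chlo):
    """Return the CYU string and its MD5 (the hash step is an assumption)."""
    s = cyu_string(version, parse_chlo_tags(chlo))
    return s, hashlib.md5(s.encode("ascii")).hexdigest()

# Constructed client hello: tag values are dummies, only the tag index matters here.
SAMPLE_CHLO = build_chlo([(t, t.encode("ascii")) for t in SAMPLE_TAGS])

if __name__ == "__main__":
    print(cyu_fingerprint("Q046", SAMPLE_CHLO))
```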