Home

Awesome

GQUIC Protocol Analyzer

This analyzer parses GQUIC traffic in Zeek for logging and detection purposes. It examines the initial exchange between a client and server communicating over GQUIC, and extracts the information contained in the connection's client hello packet and server rejection packet. Currently, this protocol analyzer supports GQUIC versions Q039 to Q046.

Installing the GQUIC Protocol Analyzer using Source Tree

For a standard installation
./configure --zeek-dist=/path/to/zeek/dist
make
make install
To see all options, including setting the install path, run:
./configure --help

CYU

To provide further insight and help detect anomalous (and potentially malicious) GQUIC traffic, fingerprinting is utilized. The fingerprinting method, named "CYU" works by identifying the GQUIC version and tags present in client hello packets. First, the version of the packet is extracted, immediately followed by a comma. After this, each tag in the client hello packet is gathered and concatenated together with hyphens to delimit each tag. For example: 46,PAD-SNI-STK-VER-CCS-NONC-AEAD-UAID-SCID-TCID-PDMD-SMHL-ICSL-NONP-PUBS-MIDS-SCLS-KEXS-XLCT-CSCT-COPT-CCRT-IRTT-CFCW-SFCW. After this string is created, it is then MD5 hashed to produce an easily shareable fingerprint. Hashing the previous string results in a CYU value of a46560d4548108cf99308319b3b85346. This is the most common fingerprint, making up the vast majority of GQUIC traffic.

Use case: Merlin C2

The CYU fingerprinting method can be very useful when it comes to detecting beacons transmitting to servers over GQUIC. For example, Merlin C2 clients use very few tags in their client hellos, giving them an anomalous fingerprints. Known Merlin beacon fingerprints: e030dea1f2eea44ac7db5fe4de792acd, 0811fab28e41e8c8a33e220a15b964d9, d8b208b236d176c89407500dbefb04c2.

New Events Created

The GQUIC protocol analyzer adds new four events which can be called in Zeek scripts.

gquic_packet

event (c: connection, is_orig: bool, hdr: GQUIC::PublicHeader)

Generated whenever a regular GQUIC packet is raised.

gquic_client_version

event event(c: connection, version: count)

Raised whenever a GQUIC client sends a Regular Packet with a novel GQUIC version number.

gquic_hello

event (c: connection, is_orig: bool, hdr: GQUIC::PublicHeader, hello: GQUIC::HelloInfo);

Generated whenever a client hello packet is detected in GQUIC traffic. It includes the additional information contained in the hello packet.

gquic_rej

event (c: connection, is_orig: bool, hdr: GQUIC::PublicHeader, rej: GQUIC::RejInfo);

Generated whenever a rejection packet (server hello) is detected in GQUIC traffic. It includes the additional information contained in the rejection packet.

New Constants

Defined in the init.zeek script, a constant named skip_after_confirm is set to true. This means that only the initial exchange between the client and server will be captured. This is done to reduce noise, but it also reduces some visibility. It can be set to true as one sees fit.

New Types Created

The GQUIC protocol analyzer adds three new data types which can be referenced in Zeek scripts.

type: PublicHeader

pkt_num: count
cid: string &optional
version_exists: bool
version: count &optional

type: HelloInfo

tag:	count;
tag_list: string;
padding_len:	count;
sni:	string &optional;
stk:	string &optional;
sno:	string &optional;
ver:	string &optional;
ccs:	string &optional;
nonc:	string &optional;
mspc:	string &optional;
aead:	string &optional;
uaid:	string &optional;
scid:	string &optional;
tcid:	string &optional;
pdmd:	string &optional;
smhl:	string &optional;
icsl:	string &optional;
ctim:	string &optional;	
nonp:	string &optional;
pubs:	string &optional;
mids:	string &optional;
scls:	string &optional;
kexs:	string &optional;
xlct:	string &optional;
csct:	string &optional;
copt:	string &optional;
ccrt:	string &optional;
irtt:	string &optional;
cetv:	string &optional;
cfcw:	string &optional;
sfcw:	string &optional;

type: RejInfo

tag_count: count;
tag_list: string; 
stk:	string &optional;
sno:	string &optional;
svid:	string &optional;
prof:	string &optional;
scfg:	string &optional;
rrej:	string &optional;
sttl:	string &optional;
csct:	string &optional;
ver:	string &optional;
aead:	string &optional;
scid:	string &optional;
pdmd:	string &optional;
tbkp:	string &optional;
pubs:	string &optional;
kexs:	string &optional;
obit:	string &optional;
expy:	string &optional;	
embedded_count:	count &optional;

Credits

Created by:

With assistance from:

References: