diff --git a/scripts/main.zeek b/scripts/main.zeek
index ddd34a5..4d793cb 100644
--- a/scripts/main.zeek
+++ b/scripts/main.zeek
@@ -69,6 +69,9 @@ export {
 global log_policy: Log::PolicyHook;
 global finalize_quic: Conn::RemovalHook;
+
+ ## The maximum length of the history field.
+ option max_history_length = 100;
 }
 redef record connection += {
@@ -84,12 +87,15 @@ const quic_ports = {
 784/udp, # DNS-over-QUIC early
 };
-function add_to_history(quic: Info, is_orig: bool, what: string)
+function add_to_history(c: connection, is_orig: bool, what: string)
 {
- if ( |quic$history_state| == 10 )
+ if ( |c$quic$history_state| == max_history_length )
 return;
- quic$history_state += is_orig ? to_upper(what[0]) : to_lower(what[0]);
+ c$quic$history_state += is_orig ? to_upper(what[0]) : to_lower(what[0]);
+
+ if ( |c$quic$history_state| == max_history_length )
+ Reporter::conn_weird("QUIC_max_history_length_reached", c);
 }
 function log_record(quic: Info)
@@ -123,19 +129,19 @@ function set_conn(c: connection, is_orig: bool, version: count, dcid: string, sc
 event QUIC::initial_packet(c: connection, is_orig: bool, version: count, dcid: string, scid: string)
 {
 set_conn(c, is_orig, version, dcid, scid);
- add_to_history(c$quic, is_orig, "INIT");
+ add_to_history(c, is_orig, "INIT");
 }
 event QUIC::handshake_packet(c: connection, is_orig: bool, version: count, dcid: string, scid: string)
 {
 set_conn(c, is_orig, version, dcid, scid);
- add_to_history(c$quic, is_orig, "HANDSHAKE");
+ add_to_history(c, is_orig, "HANDSHAKE");
 }
 event QUIC::zero_rtt_packet(c: connection, is_orig: bool, version: count, dcid: string, scid: string)
 {
 set_conn(c, is_orig, version, dcid, scid);
- add_to_history(c$quic, is_orig, "ZeroRTT");
+ add_to_history(c, is_orig, "ZeroRTT");
 }
 # RETRY packets trigger a log entry and state reset.
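Review bot: The Zeekygen comment on `max_history_length` only says it is a maximum; an operator tuning it needs to know what happens when it is hit, and the weird raised in add_to_history is the only visible effect. Suggested: `## The maximum length of the history field. Once reached, further entries are dropped and a QUIC_max_history_length_reached weird is raised for the connection.` A value of 0 makes the field permanently empty, which is worth stating if that is an intended way to disable history tracking.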
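Review bot: The early-return guard at the top of add_to_history compares with `==`, so if `max_history_length` is lowered at runtime (it is an `option`, so the config framework can change it) while a connection's history_state is already longer than the new value, the guard never matches again and the field grows by one character for every further packet on that connection. Since this string cap is what bounds per-connection state, the guard should be `if ( |c$quic$history_state| >= max_history_length )`, leaving the second check as `==` so the weird still fires exactly once. With `>=` the bound holds regardless of when the option value changes.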
@@ -144,7 +150,7 @@ event QUIC::retry_packet(c: connection, is_orig: bool, version: count, dcid: str
 if ( ! c?$quic )
 set_conn(c, is_orig, version, dcid, scid);
- add_to_history(c$quic, is_orig, "RETRY");
+ add_to_history(c, is_orig, "RETRY");
 log_record(c$quic);
@@ -158,7 +164,7 @@ event QUIC::connection_close_frame(c: connection, is_orig: bool, version: count,
 if ( ! c?$quic )
 return;
- add_to_history(c$quic, is_orig, "CONNECTION_CLOSE");
+ add_to_history(c, is_orig, "CONNECTION_CLOSE");
 log_record(c$quic);
@@ -189,7 +195,7 @@ event ssl_client_hello(c: connection, version: count, record_version: count, pos
 if ( ! c?$quic )
 return;
- add_to_history(c$quic, T, "SSL");
+ add_to_history(c, T, "SSL");
 }
 event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=-5
@@ -197,7 +203,7 @@ event ssl_server_hello(c: connection, version: count, record_version: count, pos
 if ( ! c?$quic )
 return;
- add_to_history(c$quic, F, "SSL");
+ add_to_history(c, F, "SSL");
 }
 hook finalize_quic(c: connection)
diff --git a/testing/Baseline/tests.curl-http3/quic.log b/testing/Baseline/tests.curl-http3/quic.log
index e5bfa31..542adce 100644
--- a/testing/Baseline/tests.curl-http3/quic.log
+++ b/testing/Baseline/tests.curl-http3/quic.log
@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid server_scid server_name client_protocol history
 #types time string addr port addr port string string string string string string
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.2 34347 64.233.166.94 443 1 815d62c70884f4b51e8ccadd5beed372 c15d62c70884f4b5 www.google.de h3 ISishIhHhh
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.2 34347 64.233.166.94 443 1 815d62c70884f4b51e8ccadd5beed372 c15d62c70884f4b5 www.google.de h3 ISishIhHhhH
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/Baseline/tests.firefox/quic.log b/testing/Baseline/tests.firefox/quic.log
index c4f0a37..52adeb9 100644
--- a/testing/Baseline/tests.firefox/quic.log
+++ b/testing/Baseline/tests.firefox/quic.log
@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid server_scid server_name client_protocol history
 #types time string addr port addr port string string string string string string
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.54.117 44174 250.58.23.113 443 1 c5a5015ae8f479784a 01275b138ee6aca8a6276b132ae6b3547cf7773f blog.cloudflare.com h3 ISiihIhhhH
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.54.117 44174 250.58.23.113 443 1 c5a5015ae8f479784a 01275b138ee6aca8a6276b132ae6b3547cf7773f blog.cloudflare.com h3 ISiihIhhhHHhHH
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/Baseline/tests.max-history-length/quic.log.cut b/testing/Baseline/tests.max-history-length/quic.log.cut
new file mode 100644
index 0000000..2d63056
--- /dev/null
+++ b/testing/Baseline/tests.max-history-length/quic.log.cut
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts uid history
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ISi
diff --git a/testing/Baseline/tests.max-history-length/weird.log b/testing/Baseline/tests.max-history-length/weird.log
new file mode 100644
index 0000000..9375961
--- /dev/null
+++ b/testing/Baseline/tests.max-history-length/weird.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
+#types time string addr port addr port string string bool string string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.54.117 44174 250.58.23.113 443 QUIC_max_history_length_reached - F zeek -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/Baseline/tests.quic-log/quic.log b/testing/Baseline/tests.quic-log/quic.log
index dfc958b..514d70c 100644
--- a/testing/Baseline/tests.quic-log/quic.log
+++ b/testing/Baseline/tests.quic-log/quic.log
@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid server_scid server_name client_protocol history
 #types time string addr port addr port string string string string string string
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 669b:cb7a:de99:6a13:4a9b:46ef:3bed:cb6c 57538 6699:ded3:da8c:be73:5a99:ca73:5a99:cadb 443 1 5a37463b0eb7cc5d da37463b0eb7cc5d www.google.de h3 ISishIhHhh
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 669b:cb7a:de99:6a13:4a9b:46ef:3bed:cb6c 57538 6699:ded3:da8c:be73:5a99:ca73:5a99:cadb 443 1 5a37463b0eb7cc5d da37463b0eb7cc5d www.google.de h3 ISishIhHhhHH
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/tests/max-history-length.zeek b/testing/tests/max-history-length.zeek
new file mode 100644
index 0000000..84ac762
--- /dev/null
+++ b/testing/tests/max-history-length.zeek
@@ -0,0 +1,5 @@
+# @TEST-DOC: Test that runs the pcap
+# @TEST-EXEC: zeek -Cr $TRACES/firefox-102.13.0esr-blog-cloudflare-com.pcap $PACKAGE QUIC::max_history_length=3
+# @TEST-EXEC: zeek-cut -m ts uid history < quic.log > quic.log.cut
+# @TEST-EXEC: btest-diff quic.log.cut
+# @TEST-EXEC: btest-diff weird.log
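Review bot: The `@TEST-DOC` line in the new test says only "Test that runs the pcap", which describes every test in the suite and not what this one checks. Suggested: `# @TEST-DOC: With QUIC::max_history_length=3 the history field is cut at three entries and exactly one QUIC_max_history_length_reached weird is logged.` That wording ties the test to the two baselines it adds, so a future baseline change is easier to judge.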