[Bro] does bro-ids support parsing QUIC?
johanna at icir.org
Fri Jan 6 22:57:50 PST 2017
> I'm using the ssl.log files to augment our proxy logs (we have
> proxy on port 80, but I believe TLS intercept has no future, so I'm
> bro-ids to capture tcp/443 SNI data - as it's better than doing
> Works well - but I don't think QUIC is supported? Any chance of that
> supported - same outcome as HTTPS: just after the SNI data...

No, it is not supported. There is a chance of it being supported, but if
that happens it is likely not going to happen in the very near term (I
looked into it a bit ago and would like to add it, but I am quite a bit
short of time at the moment).

> FYI: QUIC is basically HTTP/2 over UDP

While that certainly is true from an outcome point of view, it sadly is
not quite true from a protocol point of view (HTTP/2 is just TLS, QUIC
does its own thing everywhere, including having special compression for
cleartext stuff if I remember it correctly - that is a bit of work...).