[Bro] does bro-ids support parsing QUIC?

Johanna Amann johanna at icir.org
Fri Jan 6 22:57:50 PST 2017

Hello Jason,

> I'm using the ssl.log files to augment our proxy logs (we have 
> transparent
> proxy on port 80, but I believe TLS intercept has no future, so I'm 
> using
> bro-ids to capture tcp/443 SNI data - as it's better than doing 
> nothing)
> Works well - but I don't think QUIC is supported? Any chance of that 
> being
> supported - same outcome as HTTPS: just after the SNI data...

No, it is not supported. There is a chance of it being supported, but if 
that happens it is likely not going to happen in the very near term (I 
looked into it a bit ago and would like to add it, but I am quite a bit 
short of time at the moment).

> FYI: QUIC is basically HTTP/2 over UDP

While that certainly is true from an outcome point of view, it sadly is 
not quite true from a protocol point of view (HTTP/2 is just TLS, QUIC 
does its own thing everywhere, including having special compression for 
cleartext stuff if I remember it correctly - that is a bit of work...).


More information about the Bro mailing list