[Bro] does bro-ids support parsing QUIC?
James Lay
jlay at slave-tothe-box.net
Sat Jan 7 04:25:39 PST 2017
On Sat, 2017-01-07 at 07:57 +0100, Johanna Amann wrote:
> Hello Jason,
>
> > I'm using the ssl.log files to augment our proxy logs (we have
> > transparent proxy on port 80, but I believe TLS intercept has no future,
> > so I'm using bro-ids to capture tcp/443 SNI data - as it's better than
> > doing nothing)
> >
> > Works well - but I don't think QUIC is supported? Any chance of that
> > being supported - same outcome as HTTPS: just after the SNI data...
>
> No, it is not supported. There is a chance of it being supported, but if
> that happens it is likely not going to happen in the very near term (I
> looked into it a bit ago and would like to add it, but I am quite a bit
> short of time at the moment).
>
> > FYI: QUIC is basically HTTP/2 over UDP
>
> While that certainly is true from an outcome point of view, it sadly is
> not quite true from a protocol point of view (HTTP/2 is just TLS, QUIC
> does its own thing everywhere, including having special compression for
> cleartext stuff if I remember it correctly - that is a bit of work...).
>
> Johanna
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
You can use protosigs (https://github.com/broala/bro-protosigs) to
catch QUIC:

signature protosig_ssl_udpquic {
    ip-proto == udp
    dst-port == 443
    payload /.*\x51\x30\x33/
    eval ProtoSig::match
}

signature protosig_ssl_tcpquic {
    ip-proto == tcp
    dst-port == 443
    payload /\x31\x51\x54\x56/
    eval ProtoSig::match
}
James