does bro-ids support parsing QUIC?

Hey there

I’m using the ssl.log files to augment our proxy logs (we have transparent proxy on port 80, but I believe TLS intercept has no future, so I’m using bro-ids to capture tcp/443 SNI data - as it’s better than doing nothing)

Works well - but I don’t think QUIC is supported? Any chance of that being supported - same outcome as HTTPS: just after the SNI data…

FYI: QUIC is basically HTTP/2 over UDP

Hello Jason,

> I'm using the ssl.log files to augment our proxy logs (we have transparent
> proxy on port 80, but I believe TLS intercept has no future, so I'm using
> bro-ids to capture tcp/443 SNI data - as it's better than doing nothing)
>
> Works well - but I don't think QUIC is supported? Any chance of that being
> supported - same outcome as HTTPS: just after the SNI data...

No, it is not supported. There is a chance of it being supported, but if that happens it is likely not going to happen in the very near term (I looked into it a bit ago and would like to add it, but I am quite a bit short of time at the moment).

> FYI: QUIC is basically HTTP/2 over UDP

While that certainly is true from an outcome point of view, it sadly is not quite true from a protocol point of view (HTTP/2 is just TLS, QUIC does its own thing everywhere, including having special compression for cleartext stuff if I remember it correctly - that is a bit of work...).

Johanna

You can use protosigs (https://github.com/broala/bro-protosigs) to catch QUIC:

signature protosig_ssl_udpquic {
    ip-proto == udp
    dst-port == 443
    # \x51\x30\x33 is ASCII "Q03", the first three bytes of the gQUIC version
    # tags in the Q03x range; the leading .* lets it match at any offset
    payload /.*\x51\x30\x33/
    eval ProtoSig::match
}

signature protosig_ssl_tcpquic {
    ip-proto == tcp
    dst-port == 443
    # \x31\x51\x54\x56 is ASCII "1QTV"
    payload /\x31\x51\x54\x56/
    eval ProtoSig::match
}

James
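To show what the UDP signature above actually keys on, and how a header-aware check narrows it, here is an added Python example (not from the thread or the bro-protosigs project). It assumes the Q03x-era gQUIC public-header layout: a flags byte, a connection ID whose length is encoded in flag bits 0x0C, then the 4-byte ASCII version tag when flag 0x01 is set; all packets are constructed samples.

```python
import re

# Assumed gQUIC (Q03x-era) public header: flags byte, connection ID whose
# length is encoded in flag bits 0x0C, then a 4-byte ASCII version tag
# ("Q0xx") present only when PUBLIC_FLAG_VERSION (0x01) is set.
PUBLIC_FLAG_VERSION = 0x01
CID_LEN_BY_FLAGS = {0x0C: 8, 0x08: 4, 0x04: 1, 0x00: 0}   # assumption
VERSION_TAG = re.compile(rb"Q0\d\d")

def loose_match(payload: bytes) -> bool:
    """Approximates the protosig regex /.*\x51\x30\x33/: 'Q03' at any offset."""
    return b"Q03" in payload

def gquic_version(payload: bytes):
    """Parse the public header of a client packet and return the version tag
    (e.g. 'Q035'), or None when the flags do not describe a versioned header."""
    if not payload:
        return None
    flags = payload[0]
    if not flags & PUBLIC_FLAG_VERSION:
        return None
    cid_len = CID_LEN_BY_FLAGS[flags & 0x0C]
    version = payload[1 + cid_len:1 + cid_len + 4]
    if VERSION_TAG.fullmatch(version) is None:
        return None
    return version.decode("ascii")

def classify(payload: bytes):
    """(loose signature verdict, header-aware version or None) for one datagram."""
    return loose_match(payload), gquic_version(payload)

# Constructed samples (not real captures).
# 1. Client-hello-like packet: flags 0x0D = version flag + 8-byte CID.
SAMPLE_QUIC = bytes([0x0D]) + b"\xAA" * 8 + b"Q035" + b"\x01" + b"\x00" * 16
# 2. Non-QUIC datagram whose body happens to contain "Q03" (a name label).
SAMPLE_FALSE_POSITIVE = bytes([0x12, 0x34, 0x01, 0x00]) + b"host-Q03.example\x00"
# 3. Neither: a TLS record header seen on UDP by mistake.
SAMPLE_TLS = b"\x16\x03\x01\x00\x40" + b"\x01" * 16

if __name__ == "__main__":
    for name, pkt in [("quic", SAMPLE_QUIC), ("fp", SAMPLE_FALSE_POSITIVE),
                      ("tls", SAMPLE_TLS)]:
        print(name, classify(pkt))
```

The second sample shows why the `.*` form alone over-matches: the bytes "Q03" can appear in any UDP/443 payload, whereas the header check only accepts a version tag at the offset the flags byte dictates.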