Hey there
I’m using the ssl.log files to augment our proxy logs (we have transparent proxy on port 80, but I believe TLS intercept has no future, so I’m using bro-ids to capture tcp/443 SNI data - as it’s better than doing nothing)
Works well - but I don’t think QUIC is supported? Any chance of that being supported - same outcome as HTTPS: just after the SNI data…
FYI: QUIC is basically HTTP/2 over UDP
Hello Jason,
> I'm using the ssl.log files to augment our proxy logs (we have transparent
> proxy on port 80, but I believe TLS intercept has no future, so I'm using
> bro-ids to capture tcp/443 SNI data - as it's better than doing nothing)
> Works well - but I don't think QUIC is supported? Any chance of that being
> supported - same outcome as HTTPS: just after the SNI data...
No, it is not supported. There is a chance of it being supported, but if that happens it is likely not going to happen in the very near term (I looked into it a bit ago and would like to add it, but I am quite a bit short of time at the moment).
> FYI: QUIC is basically HTTP/2 over UDP
While that certainly is true from an outcome point of view, it sadly is not quite true from a protocol point of view (HTTP/2 is just TLS, QUIC does its own thing everywhere, including having special compression for cleartext stuff if I remember it correctly - that is a bit of work...).
Johanna
You can use protosigs (https://github.com/broala/bro-protosigs) to catch QUIC:
# UDP to port 443: the leading .* lets the "Q03" bytes (0x51 0x30 0x33, the
# start of a Google QUIC "Q0xx" version tag) match anywhere in the payload
# rather than only at its start.
signature protosig_ssl_udpquic {
    ip-proto == udp
    dst-port == 443
    payload /.*\x51\x30\x33/
    eval ProtoSig::match
}

# TCP to port 443: the bytes 0x31 0x51 0x54 0x56 ("1QTV") at the very start
# of the payload.
signature protosig_ssl_tcpquic {
    ip-proto == tcp
    dst-port == 443
    payload /\x31\x51\x54\x56/
    eval ProtoSig::match
}
James
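The following is an added example, not code from the thread or from bro-protosigs: a Python re-implementation of the two signatures James posted, run over a few constructed packets, so the three conditions each signature imposes (ip-proto, dst-port, payload pattern) can be checked offline before loading the signatures into Bro. Names such as `Packet`, `match_protosig` and `quic_version_tag` are hypothetical, the sample payloads are constructed rather than captured, and the example assumes the payload pattern is applied from the start of the payload (which is why the UDP pattern's leading `.*` matters). It also pulls out the full "Q0xx" version tag the UDP signature keys on, which the signature itself does not record.

```python
"""Hypothetical re-implementation of the two protosig signatures above,
run over constructed packets. Not Bro/Zeek code: it only mirrors the
signature conditions (ip-proto, dst-port, payload regex) in Python."""
import re
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    ip_proto: str   # "udp" or "tcp"
    dst_port: int
    payload: bytes  # application-layer bytes of one packet (constructed)


# The three conditions of each posted signature. The payload regex is
# applied from the start of the payload (re.match); this example assumes
# Bro's payload patterns behave the same way, which is why the UDP
# signature needs the leading ".*" and the TCP one does not.
SIGNATURES = {
    "protosig_ssl_udpquic": ("udp", 443, re.compile(rb".*\x51\x30\x33", re.DOTALL)),
    "protosig_ssl_tcpquic": ("tcp", 443, re.compile(rb"\x31\x51\x54\x56", re.DOTALL)),
}


def match_protosig(pkt: Packet) -> Optional[str]:
    """Return the name of the first signature whose conditions all hold."""
    for name, (proto, port, rx) in SIGNATURES.items():
        if pkt.ip_proto == proto and pkt.dst_port == port and rx.match(pkt.payload):
            return name
    return None


def quic_version_tag(payload: bytes) -> Optional[str]:
    """Return the four ASCII bytes starting at the first 'Q03', e.g. 'Q035'.

    This is the extra piece of information the UDP signature keys on but
    does not log: which Google-QUIC-style "Q0xx" version tag was offered.
    """
    idx = payload.find(b"\x51\x30\x33")
    if idx < 0 or idx + 4 > len(payload):
        return None
    return payload[idx:idx + 4].decode("ascii", errors="replace")


# --- constructed sample packets (not captured traffic) ---

# A client packet in the style of Google QUIC: one public-flags byte, an
# 8-byte connection ID, then the version tag "Q035". The exact layout is
# an assumption for illustration; the signature only cares that "Q03"
# appears somewhere in the payload.
QUIC_UDP = Packet("udp", 443,
                  b"\x0d" + b"\x11\x22\x33\x44\x55\x66\x77\x88" + b"Q035" + b"\x01" + b"\x00" * 16)

# A plain TLS ClientHello record header on tcp/443: the traffic ssl.log
# already covers, which neither signature should claim.
TLS_TCP = Packet("tcp", 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00")

# Same bytes as QUIC_UDP but sent to udp/53: the dst-port condition fails.
QUIC_WRONG_PORT = Packet("udp", 53, QUIC_UDP.payload)

# tcp/443 payload beginning with the bytes the TCP signature looks for.
TCP_QUIC = Packet("tcp", 443, b"\x31\x51\x54\x56" + b"\x00" * 8)


def classify(packets):
    """Map each packet to the signature it hit (None when nothing matched)."""
    return [(pkt.ip_proto, pkt.dst_port, match_protosig(pkt)) for pkt in packets]


if __name__ == "__main__":
    for proto, port, hit in classify([QUIC_UDP, TLS_TCP, QUIC_WRONG_PORT, TCP_QUIC]):
        print(f"{proto}/{port}: {hit}")
    print("version tag:", quic_version_tag(QUIC_UDP.payload))
```

The QUIC_WRONG_PORT case is the one worth keeping in mind when tuning: the signatures only fire on port 443, so QUIC to any other port, and any non-QUIC payload that merely contains "Q03" on udp/443, fall on the wrong side of the match.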