Is there a Zeek QUIC Analyzer that anyone is aware of?
I know Corelight has this: https://github.com/corelight/bro-quic but as far as I can tell, it just identifies QUIC traffic; it doesn’t actually provide any metadata. There’s a lot of juicy information in the packets, so I may have a go at writing my first analyzer, followed by a JA3-style fingerprinting method - I just wanted to check here to make sure I’m not duplicating efforts.
I’m not aware of anyone else working on it. I’d originally taken a stab at identifying Google QUIC as well as the IETF draft versions, but as Jon pointed out to me, those are just drafts and we’d have to keep changing them. I can also verify, from doing that, that we saw zero IETF QUIC traffic in the wild.
I would initially suggest forking corelight’s version and then doing a pull request with your added features rather than reinventing the wheel.