From 1969a87a24ba50712b31db7a576b835e1be8ffb0 Mon Sep 17 00:00:00 2001 From: Matti Bispham Date: Fri, 24 Nov 2023 13:55:40 +0900 Subject: [PATCH] Add a section on quic to the ssl.rst file Align code block with indenting in this section Add bold typeface to emphasize server name in TLS 1.3 Modified conclusion for ldap.log Add quic.rst Add quic.log to TOC Add missing char to ssl.log Add Arne's feedback --- logs/index.rst | 1 + logs/ldap.rst | 11 +++--- logs/quic.rst | 97 ++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 102 insertions(+), 7 deletions(-) create mode 100644 logs/quic.rst diff --git a/logs/index.rst b/logs/index.rst index 20d58541d..42269f31a 100644 --- a/logs/index.rst +++ b/logs/index.rst @@ -21,6 +21,7 @@ Zeek Logs irc rdp ldap + quic traceroute tunnel dpd diff --git a/logs/ldap.rst b/logs/ldap.rst index 96d202ea2..c395c9f2a 100644 --- a/logs/ldap.rst +++ b/logs/ldap.rst @@ -100,11 +100,8 @@ from the log. } -Detection Use Cases -=================== +Conclusion +========== -With the additional information that Zeek LDAP logs provide the ability to do -string matching, pattern matching and Machine Learning modelling is improved. - -For example a list of know LDAP queries used by attackers can be found `here -`_. +The Zeek LDAP logs provide additional insights that help improve observability +into this protocol. \ No newline at end of file diff --git a/logs/quic.rst b/logs/quic.rst new file mode 100644 index 000000000..0017a498c --- /dev/null +++ b/logs/quic.rst 
@@ -0,0 +1,97 @@ +==== +QUIC +==== + +.. versionadded:: 6.1 + +The QUIC protocol integrates encryption, stream multiplexing and flow control at +the transport layer. QUIC uses TLS 1.3 by default. Zeek's QUIC analyzer +provides greater observability into the protocols TLS handshake. + + +quic.log +======== + +An example of a :file:`quic.log`. + +.. code-block:: console + + zeek@zeek-6.1:~ zeek -C LogAscii::use_json=T -r chromium-115.0.5790.110-api-cirrus-com.pcap + zeek@zeek-6.1:~ jq . quic.log + +:: + + { + "ts": 1692198386.837988, + "uid": "CA482y1XJVd3d0RYI7", + "id.orig_h": "82.239.54.117", + "id.orig_p": 53727, + "id.resp_h": "110.213.53.115", + "id.resp_p": 443, + "version": "1", + "client_initial_dcid": "95412c47018cdfe8", + "server_scid": "d5412c47018cdfe8", + "server_name": "api.cirrus-ci.com", + "client_protocol": "h3", + "history": "ISisH" + } + + +QUIC Info +========= + +:zeek:see:`QUIC::Info` provides further details on the current output of the +:file:`quic.log`. Current fields include: + +- **version**: The version of QUIC that was identified. Note, QUICv2 has not + been widely tested. + + +- **client_initial_dcid**: When QUIC initiates a connection it uses Random + Number Generators to create the first Destination Connection ID (DCID). This + DCID is subsequently used for routing and packet protection by client and + server. + + +- **server_scid**: A QUIC supported server responds to a DCID by + selecting a Source Connection ID (SCID). This usually occurs within the + server’s first INITIAL packet. This is typically used by the client in + subsequent packets, although the SCID can change to adapt to new network + conditions. + + +- **client_protocol**: If the ClientHello packet is successfully extracted + and contains the ALPN extension, the extension's first entry is placed in + client_protocol. + + +- **history**: An experimental feature provides a history of the QUIC + protocol usage. 
In the example above the history outlines: + + + An initial packet from the client (I) - a new connection + + + + An TLS ClientHello from the client (S) - the start of a + TLS handshake + + + + An initial packet response from the server (i) - an acknowledgement + from the server of the new connection + + + + A TLS ServerHello response from the server (s) - the + selection of a cipher suite from the options provided by the + client + + + A handshake packet from the client (H) + + + +Conclusion +========== + +The QUIC analyzer is an initial attempt to provide observability into QUIC +network traffic. In Zeek 6.1, although included by default, the QUIC analyzer is +still considered experimental. Contributions, feedback and issues can be reported +via [Github, Slack or the forum] (https://zeek.org/community/). +
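Review bot: The commit message describes changes to ssl.rst ("Add a section on quic to the ssl.rst file", "Add bold typeface to emphasize server name in TLS 1.3", "Add missing char to ssl.log") that the diffstat does not contain; only logs/index.rst, logs/ldap.rst and logs/quic.rst are touched. Either the ssl.rst hunks were dropped when this patch was assembled, or the message is a squashed series log and should be trimmed to the three changes the diff actually carries so that `git log` does not claim edits that never landed.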
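Review bot: The replacement Conclusion in logs/ldap.rst is committed without a trailing newline (the hunk ends in "\ No newline at end of file"); add one so the file matches the rest of the tree and the next edit to this section does not show a spurious change on the last line. The rename from "Detection Use Cases" to "Conclusion" also removes the only actionable content of the section, the pointer to known attacker LDAP queries used for string and pattern matching, whose link target does not survive in the visible hunk; if the link cannot be restored, keep at least one sentence about matching on the new LDAP fields rather than reducing the section to "provide additional insights that help improve observability into this protocol", which tells the reader nothing specific.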
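Review bot: The "QUIC Info" field list in logs/quic.rst omits `server_name`, even though it appears in the example log directly above ("server_name": "api.cirrus-ci.com") and is the field most analysts will pivot on; add an entry alongside `client_protocol` stating that it is taken from the SNI extension of the extracted ClientHello. In the Conclusion, `[Github, Slack or the forum] (https://zeek.org/community/)` is Markdown link syntax and will render literally under Sphinx; use the RST form `` `GitHub, Slack or the forum <https://zeek.org/community/>`_ `` and spell it GitHub. Wording to fix in the same hunk: "the protocols TLS handshake" should be "the protocol's TLS handshake"; "An TLS ClientHello from the client (S)" should be "A TLS ClientHello"; "QUIC uses TLS 1.3 by default" understates the relationship, since QUIC version 1 requires TLS 1.3 for its handshake (RFC 9001), so "QUIC version 1 uses TLS 1.3 for its handshake" is more accurate; and "the SCID can change to adapt to new network conditions" is imprecise, because connection IDs are changed by the endpoints themselves (new IDs issued in NEW_CONNECTION_ID frames, typically used when a path changes), so "the server may later issue new connection IDs that the client switches to" would be closer. Minor: "Random Number Generators" in the `client_initial_dcid` entry need not be capitalized; "the client chooses an unpredictable DCID" is enough, and it is worth noting there that this initial DCID also seeds the Initial packet protection keys, which is why Zeek can read the ClientHello at all.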