Merge branch 'topic/matti/add-quic-to-ssl-log' of https://github.com/mbispham/zeek-docs

* 'topic/matti/add-quic-to-ssl-log' of https://github.com/mbispham/zeek-docs:
  Add a section on quic to the ssl.rst file
awelzel committed Jan 5, 2024
2 parents 1615eea + cbdaa82 commit 2008fb3
Showing 3 changed files with 101 additions and 7 deletions.
1 change: 1 addition & 0 deletions logs/index.rst
Expand Up @@ -21,6 +21,7 @@ Zeek Logs
irc
rdp
ldap
quic
traceroute
tunnel
dpd
11 changes: 4 additions & 7 deletions logs/ldap.rst
Expand Up @@ -100,11 +100,8 @@ from the log.
}


Detection Use Cases
===================
Conclusion
==========

With the additional information that Zeek LDAP logs provide the ability to do
string matching, pattern matching and Machine Learning modelling is improved.

For example a list of know LDAP queries used by attackers can be found `here
<https://gist.github.com/jsecurity101/9c7e94f95b8d90f9252d64949562ba5d>`_.
The Zeek LDAP logs provide additional insights that help improve observability
into this protocol.
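Review bot: this ldap.rst rewrite is not covered by the commit message, which only mentions adding a QUIC section, and it drops the page's only concrete detection pointer (the "Detection Use Cases" heading and the link to the gist of known attacker LDAP queries) in favour of a sentence that merely restates the overview: "The Zeek LDAP logs provide additional insights that help improve observability into this protocol." If the intent is to remove an external link that may go stale, state that in the commit message and keep a short detection-oriented paragraph (string and pattern matching on the new fields) without the link; otherwise move this change to its own commit so the QUIC addition can be reviewed on its own.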
96 changes: 96 additions & 0 deletions logs/quic.rst
@@ -0,0 +1,96 @@
========
quic.log
========

.. versionadded:: 6.1

Overview
========

The QUIC protocol integrates encryption, stream multiplexing and flow control at
the transport layer. QUIC uses TLS 1.3 by default. Zeek's QUIC analyzer
provides greater observability into the protocols TLS handshake.


Example
=======

An example of a :file:`quic.log`.

.. code-block:: console
[email protected]:~ zeek -C LogAscii::use_json=T -r chromium-115.0.5790.110-api-cirrus-com.pcap
[email protected]:~ jq . quic.log
::

{
"ts": 1692198386.837988,
"uid": "CA482y1XJVd3d0RYI7",
"id.orig_h": "82.239.54.117",
"id.orig_p": 53727,
"id.resp_h": "110.213.53.115",
"id.resp_p": 443,
"version": "1",
"client_initial_dcid": "95412c47018cdfe8",
"server_scid": "d5412c47018cdfe8",
"server_name": "api.cirrus-ci.com",
"client_protocol": "h3",
"history": "ISisH"
}


:zeek:see:`QUIC::Info` provides further details on the current output of the
:file:`quic.log`. Current fields include:

- **version**: The version of QUIC that was identified.


- **client_initial_dcid**: When QUIC initiates a connection it uses Random
Number Generators to create the first Destination Connection ID (DCID). This
DCID is subsequently used for routing and packet protection by client and
server.


- **server_scid**: A QUIC supported server responds to a DCID by
selecting a Source Connection ID (SCID). This usually occurs within the
server’s first INITIAL packet. This is typically used by the client in
subsequent packets, although the SCID can change to adapt to new network
conditions.


- **client_protocol**: If the ClientHello packet is successfully extracted
and contains the ALPN extension, the extension's first entry is placed in
client_protocol.


- **history**: An experimental feature provides a history of the QUIC
protocol usage. In the example above the history outlines:

+ An initial packet from the client (I) - a new connection


+ An TLS ClientHello from the client (S) - the start of a
TLS handshake


+ An initial packet from the server (i) - an acknowledgement
from the server of the new connection


+ A TLS ServerHello response from the server (s) - the
selection of a cipher suite from the options provided by the
client

+ A handshake packet from the client (H)



Conclusion
==========

The QUIC analyzer is an initial attempt to provide observability into QUIC
network traffic. In Zeek 6.1, although included by default, the QUIC analyzer is
still considered experimental. Contributions, feedback and issues can be reported
via `Github, Slack or the forum <https://zeek.org/community/>`_.
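Review bot: the example will not render as written: the two console lines after `.. code-block:: console` are neither indented nor separated from the directive by a blank line, so the directive ends up with no content (Sphinx reports an empty code-block) and the shell lines render as a plain paragraph; the bare `::` that follows then expects an indented literal block, but the JSON is also unindented, so it too renders as ordinary paragraphs. Indent the shell lines and the JSON by three spaces under their directives (or place everything in one `.. code-block:: console` block) and drop the stray `::`. Also: the field list omits `server_name`, which is present in the example output (`"server_name": "api.cirrus-ci.com"`), so add a bullet for it; "QUIC uses TLS 1.3 by default" understates RFC 9001, which requires TLS 1.3; "the protocols TLS handshake" should read "protocol's"; "An TLS ClientHello" should be "A TLS ClientHello"; "Github" is "GitHub"; and both the branch name and the merge message refer to ssl.rst while the file actually added is logs/quic.rst, so the commit message should name quic.rst.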
