Skip to content
Bro analyzer that detects Google's QUIC protocol
Branch: master
Clone or download
Latest commit 49c7e25 Nov 15, 2018
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
scripts
src
tests
.gitignore
CHANGES
CMakeLists.txt
COPYING
LICENSE Update symlinks May 5, 2018
Makefile First version of GQUIC analyzer, parses Q039 May 5, 2018
README
README.rst Update symlinks May 5, 2018
VERSION
bro-pkg.meta
configure
configure.plugin

README.rst

Google QUIC analyzer/detector for Bro

This analyzer can parse and detect the Google implementation of QUIC (called GQUIC here for simplicity), using the wire format described at:

https://www.chromium.org/quic.

The version of GQUIC used by Chrome at the time of writing this analyzer was Q039 with some Google servers (and possibly Chrome canary builds) also being able to use Q043. This analyzer was able to detect both those versions during testing.

The wire format described in GQUIC documents at that time (May 4-5 2018) also appeared out of sync with the actual implementations used in the wild.

Additionally, there seems to be regular effort to migrate GQUIC to track the IETF draft standard for QUIC described at:

https://github.com/quicwg/base-drafts https://datatracker.ietf.org/wg/quic/documents/

With that draft differing in significant ways from the GQUIC implementations this analyzer was tested against and also having changed its wire format recently.

To summarize, this GQUIC analyzer, if not updated in the future, isn't expected to continue working with later evolutions of the QUIC protocol.

Installation

Via bro-pkg:

bro-pkg install corelight/bro-quic

Else you will have to build and install it yourself:

./configure --bro-dist=<path>
make
make install

Usage

By default this simply detects whether a UDP connection looks like the QUIC protocol, adds the "guic" string to conn.log's "service" field and then stops parsing.

If you want to write a custom script that handles other events provided by the analyzer, you might want to have the analyzer continue to parse the connection even after the protocol has been confirmed:

redef GQUIC::skip_after_confirm = F;

The events provided can give coarse information regarding packet type (Regular Packet vs. Version Negotiation vs Public Reset) as well as the content of the Public Header (like Packet Number, QUIC Version, Connection ID, or Diversification Nonce).

References / Tools

Tools: https://github.com/quicwg/base-drafts/wiki/Tools

Implementations: https://github.com/quicwg/base-drafts/wiki/Implementations

Chromium: https://www.chromium.org/quic/playing-with-quic

Acknowledgements

Prior QUIC analyzer work by Mike Dopheide: https://github.com/dopheide-esnet/bro-quic

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.