FEATURE: Zeek QUIC

[TOoSmOotH]

Discussed in #6916

^{Originally posted by petiepooo January 18, 2022}
More and more, we're seeing QUIC traffic. It would be nice to integrate https://github.com/salesforce/GQUIC_Protocol_Analyzer into zeek in SecurityOnion.

[dougburks]

At a quic glance, it looks like https://github.com/salesforce/GQUIC_Protocol_Analyzer is not yet compatible with Zeek 4.0:
salesforce/GQUIC_Protocol_Analyzer#12
salesforce/GQUIC_Protocol_Analyzer#14

https://github.com/corelight/zeek-quic may be more current.

[petiepooo]

Punny! 😂

[SliuzasLukas]

Are there any plans to implement this?

[TOoSmOotH]

Are there any plans to implement this?

I think the latest Zeek version it supports is 4.1. If the author updates it to support Zeek 6 then we can consider it.

[TOoSmOotH]

Looks like they are planning on putting it into core.

zeek/zeek#3320

[petiepooo]

QUIC v1 INITIAL packet parsing now included in Zeek v6.1, handling of v2 INITIAL packets added in v6.2.
https://github.com/zeek/zeek/blob/master/NEWS

Securityonion v2.4.70 includes Zeek v6.0.4.

[boblord]

Just curious to learn more about this work. I'm interested in tracking things like Encrypted Client Hello (ECH) handshakes and QUIC connections.

[dougburks]

Hi @boblord our upcoming version 2.4.120 includes Zeek 7 and I can confirm that it is analyzing QUIC connections and writing out a quic.log. As time allows, we'll look into ingesting that log into Elasticsearch.

[dougburks]

Here's the PR for ingesting and parsing quic.log, a new QUIC dashboard, a new QUIC query for Hunt, and custom columns for QUIC events:
#14060

[dougburks]

Tested and verified that the Zeek quic.log is ingested and parsed and displays properly in Dashboards on the new QUIC dashboard: