

QUIC protocol analysis using the Trisul Scripting API

QUIC (Quick UDP Internet Connections) is a protocol championed by Google to speed up web services by replacing the traditional TCP/HTTP network layer with a new UDP-based protocol. Right now QUIC is used almost exclusively by Google services such as YouTube, but there is now an IETF Internet Draft for it 1). The current direction is to layer HTTP semantics on top of the UDP-based QUIC and call the result HTTP/3. As of today, the only QUIC services found in the wild are from the Google stable.

This article describes how you can pull out key indicators from QUIC into Trisul using the Lua Scripting API.

Network Security Monitoring for QUIC

In the NSM 2) worldview, we want to collect as much information as possible about QUIC sessions. This is in addition to the flow records and PCAP we already collect for all flows.

BITMAUL

Extract the following information

Flow Tags

Extract X.509 Certificate in QUIC

2) Network Security Monitoring involves collecting multiple types of data characterizing network traffic: http://www.informit.com/articles/article.aspx?p=350391
lua/quic.1544710378.txt.gz · Last modified: 2018/12/13 19:42 by veera