main.zeek

QUIC

Implements base functionality for QUIC analysis. Generates quic.log.

Namespace:: QUIC
Imports:: base/frameworks/notice/weird.zeek, base/protocols/conn/removal-hooks.zeek, base/protocols/quic/consts.zeek

Summary

Runtime Options

QUIC::max_history_length: count &redef

The maximum length of the history field.

Redefinable Options

`QUIC::doq_ports`: `set` `&redef`	Well-known ports for DNS-over-QUIC.
`QUIC::max_discarded_packet_events`: `int` `&redef`	Maximum number of QUIC::discarded packet() events to generate.
`QUIC::quic_ports`: `set` `&redef`	Well-known ports for QUIC.

Types

QUIC::Info: record

Redefinitions

`Log::ID`: `enum`	`QUIC::LOG`
`connection`: `record`	New Fields: `connection` quic: `QUIC::Info` `&optional`

Events

QUIC::log_quic: event

Hooks

`QUIC::finalize_quic`: `Conn::RemovalHook`
`QUIC::log_policy`: `Log::PolicyHook`

Detailed Interface

Runtime Options

QUIC::max_history_length 

Type:: count
Attributes:: &redef
Default:: 100

The maximum length of the history field.

Redefinable Options

QUIC::doq_ports 

Type:

set [port]

Attributes:

&redef

Default:

{
   784/udp,
   853/udp
}

Well-known ports for DNS-over-QUIC.

Currently not added to likely_server_ports to avoid spurious originator/responder changes in the private testing baseline.

You can always add these to likely_server_ports in your local.zeek file for your environment if needed:

redef likely_server_ports += { 853/udp, 784/udp };

QUIC::max_discarded_packet_events 

Type:: int
Attributes:: &redef
Default:: 100

Maximum number of QUIC::discarded packet() events to generate. Set to 0 for unlimited, -1 for disabled.

QUIC::quic_ports 

Type:

set [port]

Attributes:

&redef

Default:

{
   443/udp
}

Well-known ports for QUIC.

Types

QUIC::Info 

Type:

record

Fields:

ts: time &log: Timestamp of first QUIC packet for this entry.

uid: string &log: Unique ID for the connection.

id: conn_id &log: The connection’s 4-tuple of endpoint addresses/ports.

version: string &log: QUIC version as found in the first INITIAL packet from the client. This will often be “1” or “quicv2”, but see the QUIC::version_strings table for details.

client_initial_dcid: string &log &optional: First Destination Connection ID used by client. This is random and unpredictable, but used for packet protection by client and server.

client_scid: string &log &optional: Client’s Source Connection ID from the first INITIAL packet.

server_scid: string &log &optional: Server chosen Connection ID usually from server’s first INITIAL packet. This is to be used by the client in subsequent packets.

server_name: string &log &optional: Server name extracted from SNI extension in ClientHello packet if available.

client_protocol: string &log &optional: First protocol extracted from ALPN extension in ClientHello packet if available.

history: string &log &default = "" &optional

QUIC history.

Letters have the following meaning with client-sent letters being capitalized:

Letter	Meaning
I	INIT packet
H	HANDSHAKE packet
Z	0RTT packet
R	RETRY packet
C	CONNECTION_CLOSE packet
S	SSL Client/Server Hello
U	Unfamiliar QUIC version
X	Discarded packet after successful decryption of INITIAL packets
O	Short header packets in binary logarithmic fashion

history_state: vector of string

logged: bool &default = F &optional

Events

QUIC::log_quic 

Type:: event (rec: QUIC::Info)

Hooks

QUIC::finalize_quic 

Type:: Conn::RemovalHook

QUIC::log_policy 

Type:: Log::PolicyHook