Security-Onion-Solutions / securityonion

Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It includes our own interfaces for alerting, dashboards, hunting, PCAP, detections, and case management. It also includes other tools such as osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, and Zeek.
https://securityonion.net

FEATURE: GQUIC analyzer #6925

Open TOoSmOotH opened 2 years ago

TOoSmOotH commented 2 years ago

Discussed in https://github.com/Security-Onion-Solutions/securityonion/discussions/6916

Originally posted by **petiepooo** January 18, 2022 More and more, we're seeing QUIC traffic. It would be nice to integrate https://github.com/salesforce/GQUIC_Protocol_Analyzer into zeek in SecurityOnion.

dougburks commented 2 years ago

At a quic glance, it looks like https://github.com/salesforce/GQUIC_Protocol_Analyzer is not yet compatible with Zeek 4.0: https://github.com/salesforce/GQUIC_Protocol_Analyzer/pull/12 https://github.com/salesforce/GQUIC_Protocol_Analyzer/pull/14

https://github.com/corelight/zeek-quic may be more current.

petiepooo commented 2 years ago

Punny! 😂

SliuzasLukas commented 10 months ago

Are there any plans to implement this?

TOoSmOotH commented 10 months ago

> Are there any plans to implement this?

I think the latest Zeek version it supports is 4.1. If the author updates it to support Zeek 6 then we can consider it.

TOoSmOotH commented 10 months ago

Looks like they are planning on putting it into core.

https://github.com/zeek/zeek/pull/3320

petiepooo commented 1 month ago

QUIC v1 INITIAL packet parsing now included in Zeek v6.1, handling of v2 INITIAL packets added in v6.2. https://github.com/zeek/zeek/blob/master/NEWS

Security Onion v2.4.70 includes Zeek v6.0.4.