
QUIC protocol analysis using the Trisul Scripting API

QUIC (Quick UDP Internet Connections) is a transport protocol championed by Google to speed up web services by replacing the TCP and TLS layers under HTTP with a new UDP-based protocol. At the time of writing QUIC is used almost exclusively by Google services such as YouTube, and the only QUIC servers found in the wild are from the Google stable, but there is now an IETF Internet Draft 1) for a standardised version. The plan is to run HTTP semantics over the UDP-based QUIC and call the result HTTP/3. The wire format analysed in this article is Google's own variant of the protocol, the one actually seen on the wire today.

This article describes how to pull key indicators out of QUIC traffic and into Trisul using the Lua Scripting API.

Network Security Monitoring for QUIC

In the NSM 2) worldview we want to collect as much as possible about each QUIC session, in addition to the flow records and PCAP we already collect for all flows.

We were seeing quite a bit of QUIC traffic to YouTube on one of our probes, so we pulled the PCAPs and analysed them with Wireshark and the Google QUIC Crypto document to see what could be extracted. We found the following indicators:

  • Connection ID - a 64-bit value chosen randomly by the client, so it is very likely globally unique. It is carried in cleartext in the public header of every packet and identifies the QUIC connection independently of the UDP 4-tuple.
  • SNI - Server Name Indication, the hostname the client wants to reach; equivalent to the TLS SNI extension and sent in cleartext in the client hello (CHLO).
  • Client User Agent : surprisingly, the client hello carries the browser's user agent string in cleartext (the UAID tag) during the handshake. In HTTPS (HTTP over TLS) the User-Agent header is inside the encrypted HTTP stream, so we have to fall back to fingerprints such as the JA3 hash of the TLS ClientHello to guess the client software.
  • Certificate Chain : the server's X.509 certificate chain, similar to the one in a TLS handshake. In Google QUIC it is sent by the server in its REJ message using QUIC's own certificate compression scheme, so it has to be decompressed before it can be parsed as X.509.

The heavy lifting is then done by the open source BITMAUL Lua protocol dissection library. In about 150 lines of code we have a working QUIC dissector.
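To show where the indicators above sit on the wire, here is an added example that is not the article's BITMAUL dissector and uses no Trisul API: a standalone Python parser for the cleartext parts of a Google QUIC (Q043-era) client hello packet. It decodes the public header (Connection ID and version), skips the 12-byte message authentication hash that precedes the frames in unencrypted packets, walks the STREAM frame on the crypto stream, and decodes the tag/value crypto handshake message to pull out the SNI and UAID (user agent) tags. The sample packet, its connection ID and user agent string are constructed for the example, the hash field is a zero placeholder, and the server-side REJ/CERT message is not handled.

```python
"""Added example: extract Connection ID, SNI and user agent from a gQUIC CHLO.

Not Trisul/BITMAUL code. Header and frame layout follow the Google QUIC wire
spec up to Q043; handshake tags follow Chromium's crypto_protocol.h, where
TAG('S','N','I','\\0') is stored first-character-first on the wire.
"""
import struct

TAG_CHLO = b"CHLO"
TAG_SNI = b"SNI\x00"
TAG_UAID = b"UAID"
TAG_VER = b"VER\x00"
TAG_PAD = b"PAD\x00"


def parse_public_header(pkt):
    """Return (connection_id, version, offset of first byte after the header).

    Assumes the 8-byte Connection ID flag (0x08), version flag (0x01) and the
    packet-number length in flag bits 0x30, as in gQUIC versions up to Q043.
    """
    flags, pos, cid, version = pkt[0], 1, None, None
    if flags & 0x08:
        cid, pos = pkt[pos:pos + 8], pos + 8
    if flags & 0x01:
        version, pos = pkt[pos:pos + 4], pos + 4
    pos += {0x00: 1, 0x10: 2, 0x20: 4, 0x30: 6}[flags & 0x30]
    return cid, version, pos


def parse_stream_frame(buf, pos):
    """Decode a gQUIC STREAM frame header at pos; return (stream_id, data)."""
    ftype = buf[pos]
    if not ftype & 0x80:
        raise ValueError("not a STREAM frame")
    pos += 1
    sid_len = (ftype & 0x03) + 1               # bits 0-1: stream id length 1..4
    off_bits = (ftype & 0x1C) >> 2             # bits 2-4: 0 -> no offset, n -> n+1 bytes
    off_len = 0 if off_bits == 0 else off_bits + 1
    stream_id = int.from_bytes(buf[pos:pos + sid_len], "little")
    pos += sid_len + off_len                   # the offset value itself is not needed here
    if ftype & 0x20:                           # data length present
        data_len = struct.unpack_from("<H", buf, pos)[0]
        return stream_id, buf[pos + 2:pos + 2 + data_len]
    return stream_id, buf[pos:]                # otherwise the frame runs to end of packet


def parse_handshake_message(msg):
    """Decode a crypto handshake message into (message_tag, {tag: value}).

    Layout: tag(4) | count(u16 LE) | pad(2) | count x [tag(4) end_offset(u32 LE)] | values.
    End offsets are cumulative into the value block; non-monotonic or
    out-of-range offsets are rejected rather than silently sliced.
    """
    msg_tag = msg[0:4]
    count = struct.unpack_from("<H", msg, 4)[0]
    values_start = 8 + 8 * count
    out, prev = {}, 0
    for i in range(count):
        tag = msg[8 + 8 * i:12 + 8 * i]
        end = struct.unpack_from("<I", msg, 12 + 8 * i)[0]
        if end < prev or values_start + end > len(msg):
            raise ValueError("bad end offset for tag %r" % tag)
        out[tag] = msg[values_start + prev:values_start + end]
        prev = end
    return msg_tag, out


def extract_chlo_indicators(pkt):
    """Return the NSM indicators carried in cleartext by a client hello packet."""
    cid, version, pos = parse_public_header(pkt)
    pos += 12  # null-encrypter message authentication hash (FNV-1a), not verified here
    stream_id, data = parse_stream_frame(pkt, pos)
    if stream_id != 1:                         # stream 1 is the crypto handshake stream
        raise ValueError("handshake data not on stream 1")
    msg_tag, tags = parse_handshake_message(data)
    if msg_tag != TAG_CHLO:
        raise ValueError("not a CHLO message")
    return {
        "connection_id": cid.hex() if cid else None,
        "version": version.decode() if version else None,
        "sni": tags.get(TAG_SNI, b"").decode(errors="replace"),
        "user_agent": tags.get(TAG_UAID, b"").decode(errors="replace"),
    }


def build_handshake_message(msg_tag, entries):
    """Serialise {tag: value} the way a client does (tags in ascending uint32 order)."""
    ordered = sorted(entries.items(), key=lambda kv: int.from_bytes(kv[0], "little"))
    index, values, end = b"", b"", 0
    for tag, value in ordered:
        end += len(value)
        index += tag + struct.pack("<I", end)
        values += value
    return msg_tag + struct.pack("<HH", len(ordered), 0) + index + values


# Constructed sample packet (not a capture): flags 0x09 = version present + 8-byte CID.
SAMPLE_CHLO = build_handshake_message(TAG_CHLO, {
    TAG_SNI: b"www.youtube.com",
    TAG_UAID: b"Chrome/71.0.3578.98 Linux x86_64",   # constructed user agent string
    TAG_VER: b"Q043",
    TAG_PAD: b"-" * 32,                              # real clients pad the CHLO to near the MTU
})
SAMPLE_PACKET = (
    bytes([0x09]) + bytes.fromhex("1122334455667788") + b"Q043" + b"\x01"  # header + 1-byte packet number
    + b"\x00" * 12                                   # placeholder message authentication hash
    + bytes([0xA0]) + b"\x01"                        # STREAM frame, data length present, stream id 1
    + struct.pack("<H", len(SAMPLE_CHLO)) + SAMPLE_CHLO
)

if __name__ == "__main__":
    print(extract_chlo_indicators(SAMPLE_PACKET))
```

The same tag/value decoder applies to the server's REJ and SHLO messages; only the tags differ (the certificate chain lives under the CERT tag of the REJ and is compressed). A production dissector should also cope with the CHLO being split across packets and with PADDING frames following the STREAM frame.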

BITMAUL

Extract the following information

Flow Tags

Extract X.509 Certificate in QUIC

2) Network Security Monitoring involves collecting multiple types of data characterizing network traffic: http://www.informit.com/articles/article.aspx?p=350391
lua/quic.1544711195.txt.gz · Last modified: 2018/12/13 19:56 by veera