diff --git a/CHANGES b/CHANGES
index bc3972faae..1b82d323dc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+7.2.0-dev.451 | 2025-03-31 09:37:02 -0700
+
+ * GH-3526: Add "U" to QUIC history docstrings and expand version string docs (Christian Kreibich, Corelight)
+
 7.2.0-dev.449 | 2025-03-31 15:08:05 +0200
 * Use one-based index in warning message (Benjamin Bannier, Corelight)
diff --git a/VERSION b/VERSION
index edc6eae19a..a431d2c414 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-7.2.0-dev.449
+7.2.0-dev.451
diff --git a/scripts/base/protocols/quic/consts.zeek b/scripts/base/protocols/quic/consts.zeek
index 0fa5fb5475..a763cedc1d 100644
--- a/scripts/base/protocols/quic/consts.zeek
+++ b/scripts/base/protocols/quic/consts.zeek
@@ -1,6 +1,9 @@
 module QUIC;
 export {
+ ## A mapping from QUIC's raw version numbers to readable strings.
+ ## Unexpected versions become "unknown-", with a hexadecimal
+ ## rendering of the version number.
 const version_strings: table[count] of string = {
 [0x00000001] = "1",
 [0x6b3343cf] = "quicv2",
diff --git a/scripts/base/protocols/quic/main.zeek b/scripts/base/protocols/quic/main.zeek
index 48fd506b16..a7d90f43a5 100644
--- a/scripts/base/protocols/quic/main.zeek
+++ b/scripts/base/protocols/quic/main.zeek
@@ -1,4 +1,4 @@
-##! Initial idea for a quic.log.
+##! Implements base functionality for QUIC analysis. Generates quic.log.
 @load base/frameworks/notice/weird
 @load base/protocols/conn/removal-hooks
@@ -19,7 +19,8 @@ export {
 id: conn_id &log;
 ## QUIC version as found in the first INITIAL packet from
- ## the client.
+ ## the client. This will often be "1" or "quicv2", but see
+ ## the :zeek:see:`QUIC::version_strings` table for details.
 version: string &log;
 ## First Destination Connection ID used by client. This is
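Review bot: The expanded `version` docstring in main.zeek (hunk at -19,7) names only the two common values, so a reader of the quic.log field documentation does not learn about the "unknown-" fallback unless they follow the cross-reference to `QUIC::version_strings`. The value is taken from the client's first INITIAL packet, so the fallback form is what an analyst filtering for unusual versions will actually match on. Going by the consts.zeek docstring added in this same commit, a line such as `## Versions missing from the table are logged as "unknown-" plus the version in hex.` would close that gap. The enclosing record starts and ends outside the hunk, and the mechanism that produces the fallback (presumably a `&default` on the table) is not visible here.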
@@ -57,6 +58,7 @@ export {
 ## R RETRY packet
 ## C CONNECTION_CLOSE packet
 ## S SSL Client/Server Hello
+ ## U Unfamiliar QUIC version
 ## ====== ====================================================
 history: string &log &default="";
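Review bot: The new history row says "Unfamiliar QUIC version", while the consts.zeek docstring from the same commit says "Unexpected versions" and the logged string starts with "unknown-". Three different words for what appears to be one condition make it harder to tie the `U` flag to the `version` column when writing a detection or triaging a log line. If `U` is set exactly when the version is absent from `QUIC::version_strings` (the code that sets it is not visible in this hunk), say so in the row, e.g. `## U      Unknown QUIC version (not in QUIC::version_strings)`. The history table and its record begin outside the hunk.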