mirror of
https://github.com/zeek/zeek.git
synced 2025-10-03 15:18:20 +00:00

This is based on commit 2731def9159247e6da8a3191783c89683363689c from the zeek-docs repo.
:tocdepth: 3

base/protocols/quic/main.zeek
=============================
.. zeek:namespace:: QUIC

Implements base functionality for QUIC analysis. Generates quic.log.

:Namespace: QUIC
:Imports: :doc:`base/frameworks/notice/weird.zeek </scripts/base/frameworks/notice/weird.zeek>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/quic/consts.zeek </scripts/base/protocols/quic/consts.zeek>`

Summary
~~~~~~~
Runtime Options
###############
=========================================================================== ========================================
:zeek:id:`QUIC::max_history_length`: :zeek:type:`count` :zeek:attr:`&redef` The maximum length of the history field.
=========================================================================== ========================================

Types
#####
============================================ =
:zeek:type:`QUIC::Info`: :zeek:type:`record`
============================================ =

Redefinitions
#############
============================================ ======================================================
:zeek:type:`Log::ID`: :zeek:type:`enum`
                                             
                                             * :zeek:enum:`QUIC::LOG`
:zeek:type:`connection`: :zeek:type:`record`
                                             
                                             :New Fields: :zeek:type:`connection`
                                             
                                               quic: :zeek:type:`QUIC::Info` :zeek:attr:`&optional`
============================================ ======================================================

Events
######
============================================= =
:zeek:id:`QUIC::log_quic`: :zeek:type:`event`
============================================= =

Hooks
#####
============================================================== =
:zeek:id:`QUIC::finalize_quic`: :zeek:type:`Conn::RemovalHook`
:zeek:id:`QUIC::log_policy`: :zeek:type:`Log::PolicyHook`
============================================================== =


Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: QUIC::max_history_length
   :source-code: base/protocols/quic/main.zeek 79 79

   :Type: :zeek:type:`count`
   :Attributes: :zeek:attr:`&redef`
   :Default: ``100``

   The maximum length of the history field.

Types
#####
.. zeek:type:: QUIC::Info
   :source-code: base/protocols/quic/main.zeek 13 70

   :Type: :zeek:type:`record`


   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`

      Timestamp of the first QUIC packet for this entry.


   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`

      Unique ID for the connection.


   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`

      The connection's 4-tuple of endpoint addresses/ports.


   .. zeek:field:: version :zeek:type:`string` :zeek:attr:`&log`

      QUIC version as found in the first INITIAL packet from
      the client. This will often be "1" or "quicv2", but see
      the :zeek:see:`QUIC::version_strings` table for details.


   .. zeek:field:: client_initial_dcid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`

      First Destination Connection ID used by the client. This is
      random and unpredictable, but used for packet protection
      by client and server.


   .. zeek:field:: client_scid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`

      Client's Source Connection ID from the first INITIAL packet.


   .. zeek:field:: server_scid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`

      Server-chosen Connection ID, usually from the server's first
      INITIAL packet. This is to be used by the client in
      subsequent packets.


   .. zeek:field:: server_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`

      Server name extracted from the SNI extension in the ClientHello
      packet, if available.


   .. zeek:field:: client_protocol :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`

      First protocol extracted from the ALPN extension in the ClientHello
      packet, if available.


   .. zeek:field:: history :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`

      QUIC history.

      Letters have the following meaning, with client-sent
      letters being capitalized:

      ====== ====================================================
      Letter Meaning
      ====== ====================================================
      I      INIT packet
      H      HANDSHAKE packet
      Z      0RTT packet
      R      RETRY packet
      C      CONNECTION_CLOSE packet
      S      SSL Client/Server Hello
      U      Unfamiliar QUIC version
      ====== ====================================================


   .. zeek:field:: history_state :zeek:type:`vector` of :zeek:type:`string`


   .. zeek:field:: logged :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`



Events
######
.. zeek:id:: QUIC::log_quic
   :source-code: base/protocols/quic/main.zeek 72 72

   :Type: :zeek:type:`event` (rec: :zeek:type:`QUIC::Info`)


Hooks
#####
.. zeek:id:: QUIC::finalize_quic
   :source-code: base/protocols/quic/main.zeek 229 235

   :Type: :zeek:type:`Conn::RemovalHook`


.. zeek:id:: QUIC::log_policy
   :source-code: base/protocols/quic/main.zeek 74 74

   :Type: :zeek:type:`Log::PolicyHook`

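The following Zeek script is an added example and not part of the Zeek distribution; it shows the interface documented above in use: it raises ``QUIC::max_history_length``, installs a ``QUIC::log_policy`` hook that keeps only entries whose history recorded a Client/Server Hello, and handles ``QUIC::log_quic`` to raise a notice when the history carries the ``U`` letter (unfamiliar QUIC version). The module name ``QUICExample`` and the notice type ``Unfamiliar_Version`` are assumptions of this example.

```zeek
# Added example (not Zeek's own code): tuning and consuming quic.log.
@load base/frameworks/notice
@load base/protocols/quic

module QUICExample;

export {
	redef enum Notice::Type += {
		## Assumed notice type: the client's first INITIAL packet carried a
		## QUIC version this Zeek build does not recognise ("U"/"u" in history).
		Unfamiliar_Version,
	};
}

# Keep more of the per-packet-type history on long-lived connections
# (the documented default is 100 letters).
redef QUIC::max_history_length = 200;

# Log policy: skip quic.log entries that never reached a Client/Server Hello
# ("S" from the client, "s" from the server), i.e. connections that could not
# have exposed SNI or ALPN. `break` in a policy hook vetoes the write.
hook QUIC::log_policy(rec: QUIC::Info, id: Log::ID, filter: Log::Filter)
	{
	if ( "S" !in rec$history && "s" !in rec$history )
		break;
	}

# QUIC::log_quic is raised for every record the analyzer script logs,
# independently of the policy hook above. An unfamiliar version is worth a
# notice: it may be a new client stack, or traffic the analyzer cannot
# fully decode. Suppress repeats per client address and version for an hour.
event QUIC::log_quic(rec: QUIC::Info)
	{
	if ( "U" in rec$history || "u" in rec$history )
		NOTICE([$note=Unfamiliar_Version,
		        $msg=fmt("Unfamiliar QUIC version %s (history %s)",
		                 rec$version, rec$history),
		        $uid=rec$uid,
		        $id=rec$id,
		        $identifier=cat(rec$id$orig_h, rec$version),
		        $suppress_for=1hr]);
	}
```

Load it alongside the base scripts (for example ``zeek -r trace.pcap quic-example.zeek``) and compare quic.log and notice.log before and after to confirm the policy hook and the notice behave as intended.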