I'm not aware of anyone else working on it. I'd originally taken a stab at identifying Google QUIC as well as the IETF draft versions, but as Jon pointed out to me, those are just draft and we'd have to keep changing them. I can also verify from doing that that we saw zero IETF quic traffic in the wild.
I would initially suggest forking corelight's version and then doing a pull request with your added features rather than reinventing the wheel.

-Dop

On Thu, Mar 7, 2019 at 10:59 AM John Althouse <[email protected]> wrote:
> Is there a Zeek QUIC Analyzer that anyone is aware of?
>
> I know Corelight has this: https://github.com/corelight/bro-quic but as
> far as I can tell, it just identifies QUIC traffic, it doesn't actually
> provide any metadata. There's a lot of juicy information in the packets so
> I may have a go at writing my first analyzer followed by a JA3-style
> fingerprinting method - I just wanted to check here to make sure I'm not
> duplicating efforts.
>
> Thanks!
> _______________________________________________
> zeek-dev mailing list
> [email protected]
> http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek-dev
>

_______________________________________________
zeek-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek-dev
