doc/quic: Add documentation for QUIC keywords

3 years ago · 6641efb74f
parent 9ad60e7661
commit 6641efb74f
2 changed files with 51 additions and 0 deletions
--- a/doc/userguide/rules/index.rst
+++ b/doc/userguide/rules/index.rst
@ -30,6 +30,7 @@ Suricata Rules
   mqtt-keywords
   ike-keywords
   http2-keywords
+   quic-keywords
   app-layer
   xbits
   thresholding
--- a/doc/userguide/rules/quic-keywords.rst
+++ b/doc/userguide/rules/quic-keywords.rst
@ -0,0 +1,50 @@
+Quic Keywords
+=============
+
+Suricata implements initial support for Quic by parsing the Quic version.
+
+Suricata also derives a CYU hash for earlier versions of Quic.
+
+Quic app-layer parsing must be enabled in the Suricata config file (set 'app-layer.protocols.quic.enabled' to 'yes').
+
+quic.cyu.hash
+---------------
+
+Match on the CYU hash
+
+Examples::
+
+  alert quic any any -> any any (msg:"QUIC CYU HASH"; \
+    quic.cyu.hash; content:"7b3ceb1adc974ad360cfa634e8d0a730"; \
+    sid:1;)
+
+quic.cyu.string
+---------------
+
+Match on the CYU string
+
+Examples::
+
+  alert quic any any -> any any (msg:"QUIC CYU STRING"; \
+  quic.cyu.string; content:"46,PAD-SNI-VER-CCS-UAID-TCID-PDMD-SMHL-ICSL-NONP-MIDS-SCLS-CSCT-COPT-IRTT-CFCW-SFCW"; \
+  sid:2;)
+
+quic.version
+---------------
+
+Match on the Quic header version
+
+Examples::
+
+  alert quic any any -> any any (msg:"QUIC VERSION"; \
+  quic.version:1362113590; \
+  sid:3;)
+
+Additional information
+----------------------
+
+More information on CYU Hash can be found here:
+`<https://engineering.salesforce.com/gquic-protocol-analysis-and-fingerprinting-in-zeek-a4178855d75f>`_
+
+More information on the protocol can be found here:
+`<https://datatracker.ietf.org/doc/html/draft-ietf-quic-transport-17>`_