Project

General

Profile

Actions
Copy link

Feature #8520

open
JI OD

quic: include server header in default eve record as a field

Feature #8520: quic: include server header in default eve record as a field

Added by Jason Ish 3 days ago. Updated 1 day ago.

Status:
Feedback
Priority:
Normal
Assignee:
OISF Dev
Target version:
9.0.0-beta1
Effort:
Difficulty:
Label:

Description

Hoise the server header field, as it makes sense for QUIC. Much like http.

Related issues 1 (1 open0 closed)

Copied from Suricata - Feature #8516: http: include server header in default eve record as a field TriagedOISF DevActions

JI Updated by Jason Ish 3 days ago Actions
Copy link
 #1

  • Copied from Feature #8516: http: include server header in default eve record as a field added

PA Updated by Philippe Antoine 1 day ago Actions
Copy link
 #2

  • Status changed from New to Triaged

Do you mean the hostname/sni ?

PA Updated by Philippe Antoine 1 day ago Actions
Copy link
 #3

  • Status changed from Triaged to Feedback

Because you already have quic.sni hoisted up even if you can see it also in the array of extensions

  "quic": {
    "version": "1",
    "sni": "msquic.net",
    "ja3": {
      "hash": "292bd0719190dff4cb1033de8573310d",
      "string": "771,4865-4866-4867,51-0-16-43-13-10-57-45-41,23-29," 
    },
    "extensions": [
      {
        "name": "key_share",
        "type": 51
      },
      {
        "name": "server_name",
        "type": 0,
        "values": [
          "msquic.net" 
        ]
      },
      {
        "name": "alpn",
        "type": 16,
        "values": [
          "h3-29" 
        ]
      },
Actions
Copy link

Also available in: PDF Atom