Feature #8520
closedquic: include server header in default eve record as a field
Description
Hoist the server header field, as it makes sense for QUIC. Much like http.
JI Updated by Jason Ish 23 days ago
- Copied from Feature #8516: http: include server header in default eve record as a field added
PA Updated by Philippe Antoine 22 days ago
- Status changed from New to Triaged
Do you mean the hostname/sni ?
PA Updated by Philippe Antoine 22 days ago
- Status changed from Triaged to Feedback
Because you already have quic.sni hoisted up even if you can see it also in the array of extensions
"quic": {
"version": "1",
"sni": "msquic.net",
"ja3": {
"hash": "292bd0719190dff4cb1033de8573310d",
"string": "771,4865-4866-4867,51-0-16-43-13-10-57-45-41,23-29,"
},
"extensions": [
{
"name": "key_share",
"type": 51
},
{
"name": "server_name",
"type": 0,
"values": [
"msquic.net"
]
},
{
"name": "alpn",
"type": 16,
"values": [
"h3-29"
]
},
JI Updated by Jason Ish 17 days ago · Edited
Ping @eleblond @Peter Manev - is the SNI here enough? Or did you have some other idea about quic?
JI Updated by Jason Ish 17 days ago
Jason Ish wrote in #note-5:
Ping
eleblond @pevma, is the SNI here enough? Or did you have some other idea about @quic?
@eleblond @Peter Manev
EL Updated by Eric Leblond 16 days ago · Edited
Jason Ish wrote in #note-6:
Jason Ish wrote in #note-5:
Ping
eleblond @pevma, is the SNI here enough? Or did you have some other idea about @quic?@eleblond @Peter Manev
IMO, the sni key is enough and it is not confusing as similar to what is in TLS.
PA Updated by Philippe Antoine 16 days ago
- Status changed from Feedback to Rejected
So, I understand there is nothing more to do thanks
PM Updated by Peter Manev 16 days ago
SNI is good for me as well. If there is fingerprint that would be lovely too as it allows matching inline.