====== QUIC protocol analysis using the Trisul Scripting API ======

QUIC (Quick UDP Internet Connection) is a protocol championed by Google to speed up web services by replacing the traditional TCP/HTTP network layer with a new UDP-based protocol. Right now QUIC is used almost exclusively by Google services such as YouTube, but there is now an IETF Internet Draft for it ((HTTP/3 Internet Draft https://quicwg.org/base-drafts/draft-ietf-quic-http.html)). The movement is to merge HTTP semantics onto the UDP-based QUIC and call the new thing HTTP/3. As of today, the only QUIC services found in the wild are from the Google stable.

This article describes how you can pull key indicators out of QUIC into Trisul using the [[https://www.trisul.org/docs/lua/index.html|Lua Scripting API]].

===== Network Security Monitoring for QUIC =====

In the NSM((Network Security Monitoring involves collecting multiple types of data characterizing network traffic http://www.informit.com/articles/article.aspx?p=350391 )) worldview, we would like to collect as much as possible about the QUIC sessions. This would be in addition to the //Flow records// and //PCAP// we collect for all flows.

BITMAUL

Extract the following information

Flow Tags

{{ :lua:quic2.png?600 |}}

Extract X.509 Certificate in QUIC

{{ :lua:quic1.png?600 |}}