doc/quic: Add documentation for QUIC keywords

diff --git a/doc/userguide/rules/index.rst b/doc/userguide/rules/index.rst
index b757ff01572d87419f276ef1fded2133a423e472..4ef87bdeb88b970c113fce9cded673f7a115de07 100644 (file)
--- a/doc/userguide/rules/index.rst
+++ b/doc/userguide/rules/index.rst
@@ -30,6 +30,7 @@ Suricata Rules
    mqtt-keywords
    ike-keywords
    http2-keywords
+   quic-keywords
    app-layer
    xbits
    thresholding

diff --git a/doc/userguide/rules/quic-keywords.rst b/doc/userguide/rules/quic-keywords.rst
new file mode 100644 (file)
index 0000000..80bdd4e
--- /dev/null
+++ b/doc/userguide/rules/quic-keywords.rst
@@ -0,0 +1,50 @@
+Quic Keywords
+=============
+
+Suricata implements initial support for Quic by parsing the Quic version.
+
+Suricata also derives a CYU hash for earlier versions of Quic.
+
+Quic app-layer parsing must be enabled in the Suricata config file (set 'app-layer.protocols.quic.enabled' to 'yes').
+
+quic.cyu.hash
+---------------
+
+Match on the CYU hash
+
+Examples::
+
+  alert quic any any -> any any (msg:"QUIC CYU HASH"; \
+    quic.cyu.hash; content:"7b3ceb1adc974ad360cfa634e8d0a730"; \
+    sid:1;)
+
+quic.cyu.string
+---------------
+
+Match on the CYU string
+
+Examples::
+
+  alert quic any any -> any any (msg:"QUIC CYU STRING"; \
+  quic.cyu.string; content:"46,PAD-SNI-VER-CCS-UAID-TCID-PDMD-SMHL-ICSL-NONP-MIDS-SCLS-CSCT-COPT-IRTT-CFCW-SFCW"; \
+  sid:2;)
+
+quic.version
+---------------
+
+Match on the Quic header version
+
+Examples::
+
+  alert quic any any -> any any (msg:"QUIC VERSION"; \
+  quic.version:1362113590; \
+  sid:3;)
+
+Additional information
+----------------------
+
+More information on CYU Hash can be found here:
+`<https://engineering.salesforce.com/gquic-protocol-analysis-and-fingerprinting-in-zeek-a4178855d75f>`_
+
+More information on the protocol can be found here:
+`<https://datatracker.ietf.org/doc/html/draft-ietf-quic-transport-17>`_