After the Core 185 Update I noted that if I’m using a chromium based browser (Vivaldi, Brave or Edge) without Web Proxy, the IPS log gets flooded with these messages. If I use Firefox or enable the proxy there are no new QUIC messages in the log. It seems to happen on every machine I have and it doesn’t matter what operating system I try.
Pages I visit always open without issue and remote ip seems to point to Google, Amazon, Cloudflare, Microsoft or Akamai datacenters even if the web page itself would be hosted somewhere else. Not all pages generate those messages but many do.
The QUIC decoder for Suricata is new. I don’t have much experience with it so I don’t know if this is simply some feature that isn’t supported or a bug.
However if the decoder cannot decode some protocol, the traffic will be passed and not dropped.
When thinking privacy is it better to leave QUIC enabled?
It looks like there are still connections to similar google owned *.e100.net servers. It doesn’t matter if I block the ports mentioned in the post by Arne.F or use the web proxy. Not even when using “Google free” Brave or Vivaldi.
It seems that currently the only benefit from blocking QUIC is that your log doesn’t get flooded with those QUIC failed decrypt messages and you see more active connections.
I solved it!
To disable QUIC protocol in Google Chrome browser, follow these steps:
1. Open the Chrome browser and enter the following in the address bar: chrome://flags/#enable-quic
2. Find the “QUIC protocol” option and change its status to “Disabled”.
3. Restart Chrome.
I had up to 5000 records a day, I don’t know what it transmits using the QUIC protocol. This doesn’t look good on Google’s part. Usually they save you before entering =)
I think a firewall rule as shown by @porkyle in post #10 should be much more effective.
First, you only have to change one device (IPFire); further, this rule applies to all browsers/devices, including ones not known yet.
STANDARD NETWORKS - RED … packets destined for any target in the WAN
FIREWALL - ANY … packets which target an IP in the local networks
UDP packets to 192.168.1.255:137 are usually NETBIOS packets. 192.168.1.255 is the broadcast address of the network 192.168.1.0/24
UDP packets 0.0.0.0:67 → 255.255.255.255:68 or 0.0.0.0:68 → 255.255.255.255:67 are BOOTP packets of the DHCP protocol ( see Dynamic Host Configuration Protocol - Wikipedia and Bootstrap Protocol - Wikipedia )
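To make the rules of thumb above mechanical, here is an added example (not code from the thread or from IPFire) that labels UDP flows as NetBIOS broadcast, DHCP/BOOTP, or a QUIC candidate. It assumes a 192.168.1.0/24 local network as in the post and that QUIC runs over UDP port 443; the sample flows are constructed.

```python
import ipaddress

# Assumed local (GREEN) network; the thread above uses 192.168.1.0/24.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# DHCP/BOOTP address:port pairs as described in the post above.
DHCP_PAIRS = {
    ("0.0.0.0", 67, "255.255.255.255", 68),
    ("0.0.0.0", 68, "255.255.255.255", 67),
}


def classify_udp(src, sport, dst, dport, local_net=LOCAL_NET):
    """Label one UDP flow (src:sport -> dst:dport).

    netbios-broadcast: sent to the network broadcast address on port 137
    dhcp-bootp:        0.0.0.0 <-> 255.255.255.255 on ports 67/68
    quic-candidate:    leaves the local network for UDP 443 (assumed QUIC port)
    other:             anything else, including LAN-internal 443 traffic
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d == local_net.broadcast_address and dport == 137:
        return "netbios-broadcast"
    if (str(s), sport, str(d), dport) in DHCP_PAIRS:
        return "dhcp-bootp"
    if s in local_net and d not in local_net and dport == 443:
        return "quic-candidate"
    return "other"


def summarize(flows):
    """Count labels over an iterable of (src, sport, dst, dport) tuples."""
    counts = {}
    for flow in flows:
        label = classify_udp(*flow)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample flows, not taken from any real log.
SAMPLE_FLOWS = [
    ("192.168.1.10", 51234, "192.168.1.255", 137),
    ("0.0.0.0", 68, "255.255.255.255", 67),
    ("192.168.1.10", 49152, "203.0.113.5", 443),
    ("192.168.1.10", 49153, "192.168.1.20", 443),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```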
so if I put destination = firewall it will only reject packets meant for local networks 192.168.0.1-255 and it will ignore packets for let’s say google-analytics.com ?
Let me change it to destination = standard networks
It depends what you want. To block those QUIC connections use a firewall rule, but if you only want to disable logging you should comment them out in the suricata rules.
After I posted, I realized suricata-used-rulesfiles.yaml is not a static file. It gets updated frequently, so if you comment the line, it will get undone shortly. So the firewall rule seems the only option. Thanks!