path: root/doc/userguide/rules/quic-keywords.rst
Diffstat (limited to 'doc/userguide/rules/quic-keywords.rst')
-rw-r--r--doc/userguide/rules/quic-keywords.rst54
1 files changed, 54 insertions, 0 deletions
diff --git a/doc/userguide/rules/quic-keywords.rst b/doc/userguide/rules/quic-keywords.rst
new file mode 100644
index 0000000..ffeb0be
--- /dev/null
+++ b/doc/userguide/rules/quic-keywords.rst
@@ -0,0 +1,54 @@
+Quic Keywords
+=============
+
+Suricata implements initial support for Quic by parsing the Quic version.
+
+Suricata also derives a CYU hash for earlier versions of Quic.
+
+Quic app-layer parsing must be enabled in the Suricata config file (set 'app-layer.protocols.quic.enabled' to 'yes').
+
+quic.cyu.hash
+---------------
+
+Match on the CYU hash
+
+Examples::
+
+ alert quic any any -> any any (msg:"QUIC CYU HASH"; \
+ quic.cyu.hash; content:"7b3ceb1adc974ad360cfa634e8d0a730"; \
+ sid:1;)
+
+``quic.cyu.hash`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.
+
+quic.cyu.string
+---------------
+
+Match on the CYU string
+
+Examples::
+
+ alert quic any any -> any any (msg:"QUIC CYU STRING"; \
+ quic.cyu.string; content:"46,PAD-SNI-VER-CCS-UAID-TCID-PDMD-SMHL-ICSL-NONP-MIDS-SCLS-CSCT-COPT-IRTT-CFCW-SFCW"; \
+ sid:2;)
+
+``quic.cyu.string`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.
+
+quic.version
+------------
+
+Sticky buffer for matching on the Quic header version in long headers.
+
+Examples::
+
+ alert quic any any -> any any (msg:"QUIC VERSION"; \
+ quic.version; content:"Q046"; \
+ sid:3;)
+
+Additional information
+----------------------
+
+More information on CYU Hash can be found here:
+`<https://engineering.salesforce.com/gquic-protocol-analysis-and-fingerprinting-in-zeek-a4178855d75f>`_
+
+More information on the protocol can be found here:
+`<https://datatracker.ietf.org/doc/html/draft-ietf-quic-transport-17>`_
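Review bot: the intro lines of this hunk are too vague for a user to know which traffic the CYU keywords apply to: "Suricata also derives a CYU hash for earlier versions of Quic" should say that CYU is computed for Google QUIC (gQUIC, the "Q046"-style versions shown in the ``quic.version`` example and covered by the linked Salesforce article), not for IETF QUIC, since an IETF QUIC flow will never populate ``quic.cyu.hash`` or ``quic.cyu.string`` and a rule relying on them will silently never fire. The CYU explanation should also state what the hash is (an MD5 of the CYU string, as the 32-hex-character example content implies) so readers know how to reproduce the value in ``content:"7b3ceb1adc974ad360cfa634e8d0a730"``. Two smaller points: the prose mixes "Quic" with the "QUIC" used in the rule messages; the rest of the userguide writes protocol names as "QUIC", so the title and the first three paragraphs should follow. And the "enable in the config" sentence would be clearer as a literal YAML fragment (``app-layer: protocols: quic: enabled: yes``) in an indented block like the rule examples, rather than a quoted dotted path. The last reference points at draft-ietf-quic-transport-17; the IETF transport spec has since been published as RFC 9000, so consider linking that instead or alongside. Finally, the diffstat shows only this new file; please confirm the rules index toctree is updated in the same change, otherwise Sphinx will not include the page in the built userguide.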