Merge remote-tracking branch 'J-Gras/topic/jgras/add-unknown-proto-count'

* J-Gras/topic/jgras/add-unknown-proto-count:
  Add btest for unknown_protocols.log
  Add protocol_id count to unknown protocol record

CHANGES

@@ -1,3 +1,12 @@
+7.1.0-dev.745 | 2024-12-10 16:15:57 -0700
+
+  * Add btest for unknown_protocols.log (Jan Grashoefer, Corelight)
+
+  * Add protocol_id count to unknown protocol record (Jan Grashoefer, Corelight)
+
+    The count representation is not logged and added for access to the value
+    in log policy hooks without converting the logged hex representation.
+
 7.1.0-dev.742 | 2024-12-10 14:41:10 -0700
 
   * NEWS tweaks [skip ci] (Christian Kreibich, Corelight)

VERSION

@@ -1 +1 @@
-7.1.0-dev.742
+7.1.0-dev.745

scripts/policy/misc/unknown-protocols.zeek

@@ -19,9 +19,14 @@ export {
 		## The string name of the analyzer attempting to forward the protocol.
 		analyzer:     string   &log;
 
-		## The identifier of the protocol being forwarded.
+		## The identifier of the protocol being forwarded in hex notation.
 		protocol_id:  string   &log;
 
+		## The identifier of the protocol being forwarded as count.
+		## Note: The count value is not logged by default. It is provided for
+		## easy access in log policy hooks.
+		protocol_id_num: count;
+
 		## A certain number of bytes at the start of the unknown protocol's
 		## header.
 		first_bytes:  string   &log;
@@ -40,6 +45,7 @@ event unknown_protocol(analyzer_name: string, protocol: count, first_bytes: stri
 	info$ts = network_time();
 	info$analyzer = analyzer_name;
 	info$protocol_id = fmt("0x%x", protocol);
+	info$protocol_id_num = protocol;
 	info$first_bytes = bytestring_to_hexstr(first_bytes);
 	info$analyzer_history = analyzer_history;
 

testing/btest/Baseline/core.unknown-protocol-log/unknown_protocols.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	unknown_protocols
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	analyzer	protocol_id	protocol_id_num	first_bytes	analyzer_history
+#types	time	string	string	count	string	vector[string]
+XXXXXXXXXX.XXXXXX	ETHERNET	0x88cc	35020	02070400222d81db1004	ETHERNET
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/core/unknown-protocol-log.zeek

@@ -0,0 +1,6 @@
+# @TEST-EXEC: zeek -b -r $TRACES/lldp.pcap %INPUT
+# @TEST-EXEC: btest-diff unknown_protocols.log
+
+@load misc/unknown-protocols
+
+redef record UnknownProtocol::Info$protocol_id_num += { &log };