From 9228f0ff9fdfca85984f9bef53389787bc60efc0 Mon Sep 17 00:00:00 2001
From: Jan Grashoefer
Date: Tue, 10 Dec 2024 14:49:02 +0100
Subject: [PATCH 1/2] Add protocol_id count to unknown protocol record

The count representation is not logged and added for access to the value in log policy hooks without converting the logged hex representation.

---
 scripts/policy/misc/unknown-protocols.zeek | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/scripts/policy/misc/unknown-protocols.zeek b/scripts/policy/misc/unknown-protocols.zeek
index c532f7b0f5..4d5323f91c 100644
--- a/scripts/policy/misc/unknown-protocols.zeek
+++ b/scripts/policy/misc/unknown-protocols.zeek
@@ -19,9 +19,14 @@ export {
 ## The string name of the analyzer attempting to forward the protocol.
 analyzer: string &log;
- ## The identifier of the protocol being forwarded.
+ ## The identifier of the protocol being forwarded in hex notation.
 protocol_id: string &log;
+ ## The identifier of the protocol being forwarded as count.
+ ## Note: The count value is not logged by default. It is provided for
+ ## easy access in log policy hooks.
+ protocol_id_num: count;
+
 ## A certain number of bytes at the start of the unknown protocol's
 ## header.
 first_bytes: string &log;
@@ -40,6 +45,7 @@ event unknown_protocol(analyzer_name: string, protocol: count, first_bytes: stri
 info$ts = network_time();
 info$analyzer = analyzer_name;
 info$protocol_id = fmt("0x%x", protocol);
+ info$protocol_id_num = protocol;
 info$first_bytes = bytestring_to_hexstr(first_bytes);
 info$analyzer_history = analyzer_history;

From 1805afe5d989565e61640038e9ceb9aaf93015e0 Mon Sep 17 00:00:00 2001
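Review bot: The Zeekygen comment on the new `protocol_id_num` field says the value is not logged by default but never tells readers how to turn logging on, which is exactly what the accompanying btest does with a `redef`. I would extend the comment after `## easy access in log policy hooks.` with `## To include it in the log, redefine the field with ``&log``.` so the option is discoverable from the generated docs, and change `as count` to `as a count` while there. Because the field is declared without `&optional`, every site that builds an `UnknownProtocol::Info` record now has to set it; the only constructor visible on this page is the `unknown_protocol` handler, which does, but I cannot see from here whether other constructors exist. The `export` block continues outside the hunk.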
From: Jan Grashoefer
Date: Tue, 10 Dec 2024 14:54:19 +0100
Subject: [PATCH 2/2] Add btest for unknown_protocols.log

---
 .../core.unknown-protocol-log/unknown_protocols.log | 11 +++++++++++
 testing/btest/core/unknown-protocol-log.zeek | 6 ++++++
 2 files changed, 17 insertions(+)
 create mode 100644 testing/btest/Baseline/core.unknown-protocol-log/unknown_protocols.log
 create mode 100644 testing/btest/core/unknown-protocol-log.zeek

diff --git a/testing/btest/Baseline/core.unknown-protocol-log/unknown_protocols.log b/testing/btest/Baseline/core.unknown-protocol-log/unknown_protocols.log
new file mode 100644
index 0000000000..fd78878bea
--- /dev/null
+++ b/testing/btest/Baseline/core.unknown-protocol-log/unknown_protocols.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path unknown_protocols
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts analyzer protocol_id protocol_id_num first_bytes analyzer_history
+#types time string string count string vector[string]
+XXXXXXXXXX.XXXXXX ETHERNET 0x88cc 35020 02070400222d81db1004 ETHERNET
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/core/unknown-protocol-log.zeek b/testing/btest/core/unknown-protocol-log.zeek
new file mode 100644
index 0000000000..c059e1314c
--- /dev/null
+++ b/testing/btest/core/unknown-protocol-log.zeek
@@ -0,0 +1,6 @@
+# @TEST-EXEC: zeek -b -r $TRACES/lldp.pcap %INPUT
+# @TEST-EXEC: btest-diff unknown_protocols.log
+ @load misc/unknown-protocols
+ redef record UnknownProtocol::Info$protocol_id_num += { &log };
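Review bot: The test's last line turns on logging for `protocol_id_num`, which is what makes the `35020` column appear in the baseline, but nothing in the file says why the default (unlogged) layout is being overridden, so a later reader may mistake this baseline for the script's default output. A one-line comment above the redef would settle that, e.g. `# protocol_id_num is not logged by default; enable it so the baseline checks the count matches protocol_id (0x88cc == 35020).` The `0x88cc`/`35020` pair in the baseline row is the only evidence on the page that the hex and count representations agree, so the comment also records what the test is actually asserting.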