From 2389f6f6c5209a26bf7d2bb19c7530a760d23f27 Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Wed, 18 Oct 2023 11:54:25 +0200
Subject: [PATCH] quic: Add spicy-events.zeek

---
 scripts/base/protocols/quic/__load__.zeek | 1 +
 scripts/base/protocols/quic/spicy-events.zeek | 82 +++++++++++++++++++
 .../canonified_loaded_scripts.log | 1 +
 3 files changed, 84 insertions(+)
 create mode 100644 scripts/base/protocols/quic/spicy-events.zeek

diff --git a/scripts/base/protocols/quic/__load__.zeek b/scripts/base/protocols/quic/__load__.zeek
index 6a5d24e0c3..729d9aeb1a 100644
--- a/scripts/base/protocols/quic/__load__.zeek
+++ b/scripts/base/protocols/quic/__load__.zeek
@@ -1,4 +1,5 @@
 @ifdef ( Analyzer::ANALYZER_QUIC )
+@load ./spicy-events
 @load ./consts
 @load ./main
 @endif
diff --git a/scripts/base/protocols/quic/spicy-events.zeek b/scripts/base/protocols/quic/spicy-events.zeek
new file mode 100644
index 0000000000..5856ae5aa8
--- /dev/null
+++ b/scripts/base/protocols/quic/spicy-events.zeek
@@ -0,0 +1,82 @@
+##! Events generated by the QUIC analyzer.
+##!
+##! See See `RFC9000 `__.
+
+## Generated for a QUIC Initial packet.
+##
+## c: The connection.
+##
+## is_orig: True if the packet is from the the connection's originator.
+##
+## version: The Version field.
+##
+## dcid: The Destination Connection ID field.
+##
+## scid: The Source Connection ID field.
+##
+global QUIC::initial_packet: event(c: connection, is_orig: bool, version: count, dcid: string, scid: string);
+
+
+## Generated for a QUIC Retry packet.
+##
+## c: The connection.
+##
+## is_orig: True if the packet is from the the connection's originator.
+##
+## version: The Version field.
+##
+## dcid: The Destination Connection ID field.
+##
+## scid: The Source Connection ID field.
+##
+## retry_token: The Retry Token field.
+##
+## integrity_tag: The Retry Integrity Tag field.
+global QUIC::retry_packet: event(c: connection, is_orig: bool, version: count, dcid: string, scid: string, retry_token: string, retry_integrity_tag: string);
+
+
+## Generated for a QUIC Handshake packet.
+##
+## c: The connection.
+##
+## is_orig: True if the packet is from the the connection's originator.
+##
+## version: The Version field.
+##
+## dcid: The Destination Connection ID field.
+##
+## scid: The Source Connection ID field.
+global QUIC::handshake_packet: event(c: connection, is_orig: bool, version: count, dcid: string, scid: string);
+
+## Generated for a QUIC 0-RTT packet.
+##
+## c: The connection.
+##
+## is_orig: True if the packet is from the the connection's originator.
+##
+## version: The Version field.
+##
+## dcid: The Destination Connection ID field.
+##
+## scid: The Source Connection ID field.
+global QUIC::zero_rtt_packet: event(c: connection, is_orig: bool, version: count, dcid: string, scid: string);
+
+
+## Generated for a QUIC CONNECTION_CLOSE frame.
+##
+## c: The connection.
+##
+## is_orig: True if the packet is from the the connection's originator.
+##
+## version: The Version field.
+##
+## dcid: The Destination Connection ID field.
+##
+## scid: The Source Connection ID field.
+##
+## error_code: Count indicating the reason for closing this connection.
+##
+## reason_phrase: Additional diagnostic information for the closure.
+##
+## .. note:: Packets with CONNECTION_CLOSE frames are usually encrypted after connection establishment and not visible to Zeek.
+global QUIC::connection_close_frame: event(c: connection, is_orig: bool, version: count, dcid: string, scid: string, error_code: count, reason_phrase: string);
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index d11129770b..cb332a0e4d 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -425,6 +425,7 @@ scripts/base/init-default.zeek
  scripts/base/protocols/ntp/consts.zeek
  scripts/base/protocols/pop3/__load__.zeek
  scripts/base/protocols/quic/__load__.zeek
+ scripts/base/protocols/quic/spicy-events.zeek
  scripts/base/protocols/quic/consts.zeek
  scripts/base/protocols/quic/main.zeek
  scripts/base/protocols/radius/__load__.zeek
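Review bot: The Zeekygen block for `QUIC::retry_packet` documents a parameter named `integrity_tag`, but the event's last parameter is declared as `retry_integrity_tag`, so the generated documentation will describe a parameter that does not exist and leave the real one undocumented; the line should read `## retry_integrity_tag: The Retry Integrity Tag field.`. The `is_orig` description copied into every event carries a doubled word (`from the the connection's originator`), and the file header reads `See See` before the RFC9000 reference, whose link target appears to be missing in this rendering and is worth confirming in the actual file. Since these events expose header fields taken from unauthenticated, unencrypted QUIC packets, the `dcid`/`scid` descriptions could also say that the values are handed to script-land as the raw byte strings seen on the wire, if that matches what the analyzer does (the parser is not part of this diff).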